Updates from: 06/07/2021 03:05:51
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory Expression Builder https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/expression-builder.md
# Understand how expression builder in Application Provisioning works
-You can use expressions to map attributes. Previously, you had to create these expressions manually and enter them into the expression box. Expression builder is a tool you can use to help you create expressions.
+You can use [expressions](functions-for-customizing-application-data.md) to [map attributes](https://docs.microsoft.com/azure/active-directory/app-provisioning/customize-application-attributes). Previously, you had to create these expressions manually and enter them into the expression box. Expression builder is a tool you can use to help you create expressions.
:::image type="content" source="media/expression-builder/expression-builder.png" alt-text="The default expression builder page before selecting a function." lightbox="media/expression-builder/expression-builder.png"::: For reference on building expressions, see [Reference for writing expressions for attribute mappings](functions-for-customizing-application-data.md).
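Review bot: The added intro sentence mixes link styles: "expressions" uses a relative path, while "map attributes" uses an absolute `https://docs.microsoft.com/azure/active-directory/app-provisioning/customize-application-attributes` URL, even though the target sits in the same app-provisioning folder as this article. Suggest the relative form `customize-application-attributes.md` so both links in the sentence follow one convention. The same reference article is also linked again in the image paragraph right below, so one of the two links to `functions-for-customizing-application-data.md` could go.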
-## Finding expression builder
+## Finding the expression builder
In application provisioning, you use expressions for attribute mappings. You access Express Builder on the attribute-mapping page by selecting **Show advanced options** and then select **Expression builder**.
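Review bot: The heading fix stops one line short: the unchanged sentence directly under the renamed heading still says "You access Express Builder" and ends with "and then select", which does not match the product name or the tense used elsewhere. Suggest correcting it in the same commit to "You access expression builder ... by selecting **Show advanced options** and then selecting **Expression builder**."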
In application provisioning, you use expressions for attribute mappings. You acc
To use expression builder, select a function and attribute and then enter a suffix if needed. Then select **Add expression** to add the expression to the code box. To learn more about the functions available and how to use them, see [Reference for writing expressions for attribute mappings](functions-for-customizing-application-data.md).
-Test the expression by providing values and selecting **Test expression**. The output of the expression test will appear in the **View expression output** box.
+Test the expression by searching for a user or providing values and selecting **Test expression**. The output of the expression test will appear in the **View expression output** box.
When you're satisfied with the expression, move it to an attribute mapping. Copy and paste it into the expression box for the attribute mapping you're working on.
+## Known limitations
+* Extension attributes are not available for selection in the expression builder. However, extension attributes can be used in the attribute mapping expression.
+ ## Next steps [Reference for writing expressions for attribute mappings](functions-for-customizing-application-data.md)
active-directory On Premises Sql Connector Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/on-premises-sql-connector-configure.md
Previously updated : 05/28/2021 Last updated : 06/06/2021
To create a generic SQL connector use the following steps:
|Property|Description| |--|--| |User:Attribute Detection|This should be set to Table.|
- |User:Table/View/SP|his should contain Employees.|
+ |User:Table/View/SP|This should contain Employees.|
|User:Name of Multi-Values Table/Views|| |User:Stored Procedure Parameters|| |User:Provide SQL query for detecting object types||
To create a generic SQL connector use the following steps:
14. The ECMA host discovers the attributes supported by the target system. You can choose which of those attributes you would like to expose to Azure AD. These attributes can then be configured in the Azure portal for provisioning. On the **Select Attributes** page, select attributes from the drop-down to add. ![Enter attributes](.\media\on-premises-sql-connector-configure\sql-13.png)
-15. On the **Deprovisioning** page, review the deprovisioning information and make adjustments as necessary. Click Finish.
+15. On the **Deprovisioning** page, review the deprovisioning information and make adjustments as necessary. Attributes selected in the previous page will not be available to select in the deprovisioning page. Click Finish.
![Enter deprovisioning information](.\media\on-premises-sql-connector-configure\sql-14.png)
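Review bot: In the sentence added to step 15, "in the previous page" and "in the deprovisioning page" should read "on the previous page" and "on the **Deprovisioning** page", matching the bolded page name at the start of the same step. It would also help to name the earlier page explicitly (**Select Attributes**, from step 14), so the limitation is still clear if steps are reordered later.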
active-directory Tutorial Ecma Sql Connector https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/tutorial-ecma-sql-connector.md
This tutorial describes the steps you need to perform to automatically provision and deprovision users from Azure AD into a SQL DB. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
-This tutorial covers how to setup and use the generic SQL connector with the Azure AD ECMA Connector Host. Your test environment should mirror the environment presented below before attempting this tutorial.
-
-![Architecure](.\media\tutorial-ecma-sql-connector\sql-1.png)
--- SQL Server 2019 and SQL Server Management Studio is installed on APP1. -- Both VMs have connectivity to the internet.-- SQL Server Agent has been started-- You have an Azure AD tenant to test with. This tutorial uses ecmabmcontoso.onmicrosoft.com. Substitute your tenant with this one.-- You have 3 or 4 users created in your tenant for testing.-
-For additional information on setting up this environment, see [Tutorial: Basic Active Directory environment](../../active directory/cloud sync/tutorial-basic-ad-azure.md)
+This tutorial covers how to setup and use the generic SQL connector with the Azure AD ECMA Connector Host.
## Step 1 - Prepare the sample database On a server running SQL Server, run the SQL script found in [Appendix A](#appendix-a). This script creates a sample database with the name CONTOSO. This is the database that we will be provisioning users in to.
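Review bot: The replacement intro line keeps "how to setup and use", where the verb form is "set up". Separately, this hunk removes the whole description of the test environment (the APP1 host, the SQL Server Agent state, the test tenant and users), and Step 1 now begins with "On a server running SQL Server" and no stated prerequisites. Suggest linking the prerequisites article from the intro rather than only from the Next Steps list at the bottom.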
GO
## Next Steps -- [App provisioning](user-provisioning.md)
+- [Troubleshoot on-premises application provisioning](on-premises-ecma-troubleshoot.md)
+- [Review known limitations](known-issues.md)
+- [On-premises provisioning prerequisites](on-premises-ecma-prerequisites.md)
+- [Review prerequisites for on-premises provisioning](on-premises-ecma-prerequisites.md)
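Review bot: The last two added bullets, "On-premises provisioning prerequisites" and "Review prerequisites for on-premises provisioning", both point to `on-premises-ecma-prerequisites.md`. One of them is redundant. Drop one, or point it at the article that was actually intended.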
active-directory Authentication Flows App Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/authentication-flows-app-scenarios.md
Scenarios that involve acquiring tokens also map to OAuth 2.0 authentication flo
<tr> <td><a href="scenario-desktop-acquire-token.md#command-line-tool-without-a-web-browser"><img alt="Browserless application" src="media/scenarios/device-code-flow-app.svg"></a></td> <td><a href="v2-oauth2-device-code.md">Device code</a></td>
- <td>Work or school accounts, personal accounts, and Azure AD B2C</td>
+ <td>Work or school accounts, personal accounts, but not Azure AD B2C</td>
</tr> <tr>
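Review bot: The new cell text "Work or school accounts, personal accounts, but not Azure AD B2C" reads as a three-item list with a negation attached to the last item. Suggest "Work or school accounts and personal accounts, but not Azure AD B2C" so the exclusion is unambiguous. Since this is a support-matrix correction for the device code flow, check that the other rows in the table use the same wording for unsupported account types.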
active-directory Reference Breaking Changes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/reference-breaking-changes.md
The authentication system alters and adds features on an ongoing basis to improv
## Upcoming changes
+### The device code flow UX will now include an app confirmation prompt
+
+**Effective date**: June 2021.
+
+**Endpoints impacted**: v2.0 and v1.0
+
+**Protocol impacted**: The [device code flow](v2-oauth2-device-code.md)
+
+As a security improvement, the device code flow has been updated to add an additional prompt, which validates that the user is signing into the app they expect. This is added to help prevent phishing attacks.
+
+The prompt that appears looks like this:
++ ### Conditional Access will only trigger for explicitly requested scopes
-**Effective date**: May 2021, with gradual rollout starting in April.
+**Effective date**: August 2021, with gradual rollout starting in April.
**Endpoints impacted**: v2.0
If the app then requests `scope=files.readwrite`, the Conditional Access require
If the app then makes one last request for any of the three scopes (say, `scope=tasks.read`), Azure AD will see that the user has already completed the Conditional access policies needed for `files.readwrite`, and again issue a token with all three permissions in it. -
-### The device code flow UX will now include an app confirmation prompt
-
-**Effective date**: June 2021.
-
-**Endpoints impacted**: v2.0 and v1.0
-
-**Protocol impacted**: The [device code flow](v2-oauth2-device-code.md)
-
-As a security improvement, the device code flow has been updated to add an additional prompt, which validates that the user is signing into the app they expect. This is added to help prevent phishing attacks.
-
-The prompt that appears looks like this:
- ## May 2020 ### Bug fix: Azure AD will no longer URL encode the state parameter twice
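Review bot: The relocated device code flow section sits under "Upcoming changes" with the heading "will now include" and an effective date of June 2021, but its body says the flow "has been updated". Align the tense with where the section now lives. In the lines shown, "The prompt that appears looks like this:" is also followed directly by the next heading in both the removed and the added copy, so confirm the screenshot reference is still present after the move. Otherwise readers get no picture of the confirmation prompt they are being told to expect.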
active-directory Sample V2 Code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/sample-v2-code.md
These samples show how to write a single-page application secured with Microsoft
> [!div class="mx-tdCol2BreakAll"] > | Language/<br/>Platform | Code sample | Description | Auth libraries | Auth flow | > | - | -- | | - | -- |
-> |Angular|[GitHub repo](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa)| &#8226; Sign in users with AAD <br/>&#8226; Call Microsoft Graph | MSAL Angular | Auth code flow (with PKCE) |
> | Angular | [GitHub repo](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial) | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>&#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>&#8226; [Call .NET Core web API](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/3-Authorization-II/1-call-api)<br/>&#8226; [Call .NET Core web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/3-Authorization-II/2-call-api-b2c)<br/>&#8226; [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/7-AdvancedScenarios/1-call-api-obo/README.md)<br/>&#8226; [Call .NET Core web API using PoP](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/7-AdvancedScenarios/2-call-api-pop/README.md)<br/>&#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/5-AccessControl/1-call-api-roles/README.md)<br/>&#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/5-AccessControl/2-call-api-groups/README.md)<br/>&#8226; [Deploy to Azure Storage & App Service](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/4-Deployment/README.md)| MSAL Angular | &#8226; Auth code flow (with PKCE)<br/>&#8226; On-behalf-of (OBO) flow<br/>&#8226; Proof of Possession (PoP)|
-> | Blazor WebAssembly | [GitHub repo](https://github.com/Azure-Samples/ms-identity-blazor-wasm) | &#8226; Sign in users<br/>&#8226; Call Microsoft Graph | MSAL.js | Auth code flow (with PKCE) |
-> | JavaScript | [GitHub repo](https://github.com/Azure-Samples/ms-identity-javascript-v2) | &#8226; Sign in users<br/>&#8226; Call Microsoft Graph | MSAL.js | Auth code flow (with PKCE) |
-> | JavaScript | [GitHub repo](https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa) | &#8226; Sign in users (B2C)<br/>&#8226; Call Node.js web API | MSAL.js | Auth code flow (with PKCE) |
+> | Blazor WebAssembly | [GitHub repo](https://github.com/Azure-Samples/ms-identity-blazor-wasm) | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/WebApp-OIDC/MyOrg/README.md)<br/>&#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/WebApp-OIDC/B2C/README.md)<br/>&#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/WebApp-graph-user/Call-MSGraph/README.md)<br/>&#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/Deploy-to-Azure/README.md) | MSAL.js | Auth code flow (with PKCE) |
> | JavaScript | [GitHub repo](https://github.com/Azure-Samples/ms-identity-javascript-tutorial) | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>&#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>&#8226; [Call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/1-call-api/README.md)<br/>&#8226; [Call Node.js web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/2-call-api-b2c/README.md)<br/>&#8226; [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/1-call-api-graph/README.md)<br/>&#8226; [Call Node.js web API via OBO & CA](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/2-call-api-api-c)| MSAL.js | &#8226; Auth code flow (with PKCE)<br/>&#8226; On-behalf-of (OBO) flow<br/>&#8226; Conditional Access (CA) |
-> | React | [GitHub repo](https://github.com/Azure-Samples/ms-identity-javascript-react-spa) | &#8226; Sign in users<br/>&#8226; Call Microsoft Graph | MSAL React | Auth code flow (with PKCE) |
> | React | [GitHub repo](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial) | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>&#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>&#8226; [Call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/1-call-api)<br/>&#8226; [Call Node.js web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/2-call-api-b2c)<br/>&#8226; [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/6-AdvancedScenarios/1-call-api-obo/README.md)<br/>&#8226; [Call Node.js web API using PoP](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/6-AdvancedScenarios/2-call-api-pop/README.md)<br/>&#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/1-call-api-roles/README.md)<br/>&#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/2-call-api-groups/README.md)<br/>&#8226; [Deploy to Azure Storage & App Service](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/4-Deployment/1-deploy-storage/README.md)<br/>&#8226; [Deploy to Azure Static Web Apps](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/4-Deployment/2-deploy-static/README.md)| MSAL React | &#8226; Auth code flow (with PKCE)<br/>&#8226; On-behalf-of (OBO) flow<br/>&#8226; 
Conditional Access (CA)<br/>&#8226; Proof of Possession (PoP) | ## Web applications
active-directory 15Five Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/15five-tutorial.md
Previously updated : 01/17/2019 Last updated : 05/27/2021 # Tutorial: Azure Active Directory integration with 15Five
-In this tutorial, you learn how to integrate 15Five with Azure Active Directory (Azure AD).
-Integrating 15Five with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate 15Five with Azure Active Directory (Azure AD). When you integrate 15Five with Azure AD, you can:
-* You can control in Azure AD who has access to 15Five.
-* You can enable your users to be automatically signed-in to 15Five (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to 15Five.
+* Enable your users to be automatically signed-in to 15Five with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with 15Five, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* 15Five single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* 15Five single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* 15Five supports **SP** initiated SSO
+* 15Five supports **SP** initiated SSO.
-## Adding 15Five from the gallery
+## Add 15Five from the gallery
To configure the integration of 15Five into Azure AD, you need to add 15Five from the gallery to your list of managed SaaS apps.
-**To add 15Five from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **15Five**, select **15Five** from result panel then click **Add** button to add the application.
-
- ![15Five in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **15Five** in the search box.
+1. Select **15Five** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with 15Five based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in 15Five needs to be established.
+## Configure and test Azure AD SSO for 15Five
-To configure and test Azure AD single sign-on with 15Five, you need to complete the following building blocks:
+Configure and test Azure AD SSO with 15Five using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in 15Five.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure 15Five Single Sign-On](#configure-15five-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create 15Five test user](#create-15five-test-user)** - to have a counterpart of Britta Simon in 15Five that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with 15Five, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure 15Five SSO](#configure-15five-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create 15Five test user](#create-15five-test-user)** - to have a counterpart of B.Simon in 15Five that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with 15Five, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **15Five** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **15Five** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![15Five Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<companyname>.15five.com`
+ `https://<COMPANY_NAME>.15five.com`
b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<companyname>.15five.com/saml2/metadata/`
+ `https://<COMPANY_NAME>.15five.com/saml2/metadata/`
> [!NOTE] > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [15Five Client support team](https://www.15five.com/contact/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
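Review bot: In the Basic SAML Configuration step, the removed lines include "a. In the **Sign on URL** text box, type a URL using the following pattern:", but only the URL pattern `https://<COMPANY_NAME>.15five.com` is added back. As shown, the list now starts at "b." and the first pattern has no instruction saying which field it belongs to. Restore the "a." line above the Sign on URL pattern. The step is also still hard-numbered "4." after three auto-numbered "1." items; switch it to "1." for consistency.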
To configure Azure AD single sign-on with 15Five, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure 15Five Single Sign-On
-
-To configure single sign-on on **15Five** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [15Five support team](https://www.15five.com/contact/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to 15Five.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to 15Five.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **15Five**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **15Five**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure 15Five SSO
-2. In the applications list, select **15Five**.
-
- ![The 15Five link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **15Five** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [15Five support team](https://www.15five.com/contact/). They set this setting to have the SAML SSO connection set properly on both sides.
### Create 15Five test user
To enable Azure AD users to log in to 15Five, they must be provisioned into 15Fi
2. Go to **Manage Company**.
- ![Manage Company](./media/15five-tutorial/ic784675.png "Manage Company")
+ ![Manage Company](./media/15five-tutorial/profile.png "Manage Company")
3. Go to **People \> Add PEOPLE**.
- ![People](./media/15five-tutorial/ic784676.png "People")
+ ![People](./media/15five-tutorial/account.png "People")
4. In the **Add New Person** section, perform the following steps:
- ![Add New Person](./media/15five-tutorial/ic784677.png "Add New Person")
+ ![Add New Person](./media/15five-tutorial/add-person.png "Add New Person")
a. Type the **First Name**, **Last Name**, **Title**, **Email address** of a valid Azure Active Directory account you want to provision into the related textboxes.
To enable Azure AD users to log in to 15Five, they must be provisioned into 15Fi
> [!NOTE] > The Azure AD account holder receives an email including a link to confirm the account before it becomes active.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the 15Five tile in the Access Panel, you should be automatically signed in to the 15Five for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to 15Five Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to 15Five Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the 15Five tile in the My Apps, this will redirect to 15Five Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure 15Five you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
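Review bot: Three wording issues in the added Test SSO and Next steps text. "with following options" needs an article ("with the following options"). "the My Apps" should be "My Apps". In the closing paragraph, "protects exfiltration and infiltration" says the opposite of what is meant and should be "protects against exfiltration and infiltration". The apostrophe in "organization's" also renders as a multi-byte sequence in the added line, so check that the file is saved as UTF-8 or use a plain ASCII apostrophe.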
active-directory A Cloud Guru Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/a-cloud-guru-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with A Cloud Guru | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and A Cloud Guru.
++++++++ Last updated : 06/03/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with A Cloud Guru
+
+In this tutorial, you'll learn how to integrate A Cloud Guru with Azure Active Directory (Azure AD). When you integrate A Cloud Guru with Azure AD, you can:
+
+* Control in Azure AD who has access to A Cloud Guru.
+* Enable your users to be automatically signed-in to A Cloud Guru with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* A Cloud Guru single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* A Cloud Guru supports **SP and IDP** initiated SSO.
+* A Cloud Guru supports **Just In Time** user provisioning.
+
+## Adding A Cloud Guru from the gallery
+
+To configure the integration of A Cloud Guru into Azure AD, you need to add A Cloud Guru from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **A Cloud Guru** in the search box.
+1. Select **A Cloud Guru** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for A Cloud Guru
+
+Configure and test Azure AD SSO with A Cloud Guru using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in A Cloud Guru.
+
+To configure and test Azure AD SSO with A Cloud Guru, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure A Cloud Guru SSO](#configure-a-cloud-guru-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create A Cloud Guru test user](#create-a-cloud-guru-test-user)** - to have a counterpart of B.Simon in A Cloud Guru that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **A Cloud Guru** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+
+ a. In the **Identifier** text box, type a value using the following pattern:
+ `urn:auth0:acloudguru:<CLIENT_CONNECTION_NAME>`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://auth.acloud.guru/login/callback?connection=<CLIENT_CONNECTION_NAME>`
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type the URL:
+ `https://learn.acloud.guru/`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [A Cloud Guru Client support team](mailto:sso@acloud.guru) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. Your A Cloud Guru application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier(Name ID)** is **user.userprincipalname** but A Cloud Guru expects this to be mapped with the user's given name. For that you can use **user.givenname** attribute from the list or use the appropriate attribute value based on your organization configuration.
+
+ ![image](common/default-attributes.png)
+
+1. In addition to above, A Cloud Guru application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+
+ | Name | Source Attribute|
+ | -- | |
+ | email | user.emailaddress |
+ | family_name | user.surname |
+ | given_name | user.givenname |
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up A Cloud Guru** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to A Cloud Guru.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **A Cloud Guru**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure A Cloud Guru SSO
+
+To configure single sign-on on **A Cloud Guru** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [A Cloud Guru support team](mailto:sso@acloud.guru). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create A Cloud Guru test user
+
+In this section, a user called Britta Simon is created in A Cloud Guru. A Cloud Guru supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in A Cloud Guru, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to A Cloud Guru Sign on URL where you can initiate the login flow.
+
+* Go to A Cloud Guru Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the A Cloud Guru for which you set up the SSO
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the A Cloud Guru tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the A Cloud Guru for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure A Cloud Guru you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
++
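Review bot: the claims step under "Configure Azure AD SSO" tells the reader to map **Unique User Identifier (Name ID)** to `user.givenname`, and a given name is not unique within a tenant. Two users who share a first name would send the same Name ID, and the scenario section states that Just In Time provisioning is enabled; the text does not say how the service matches or creates accounts from that value. Please confirm the expected Name ID with A Cloud Guru and document a unique source attribute (the table already sends `given_name` as a separate claim), or state why a non-unique value is acceptable here. Smaller points in the same file: the NOTE about placeholder values sits under the SP-initiated Sign-on URL step although it refers to the Identifier and Reply URL; the attribute table's separator row `| -- | |` has an empty second cell; and "Create A Cloud Guru test user" says "Britta Simon" where the rest of the tutorial says B.Simon.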
active-directory Abstract Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/abstract-tutorial.md
Previously updated : 07/16/2019 Last updated : 05/31/2021
In this tutorial, you'll learn how to integrate Abstract with Azure Active Direc
* Enable your users to be automatically signed-in to Abstract with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Abstract supports **SP and IDP** initiated SSO
+* Abstract supports **SP and IDP** initiated SSO.
-## Adding Abstract from the gallery
+## Add Abstract from the gallery
To configure the integration of Abstract into Azure AD, you need to add Abstract from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Abstract** in the search box. 1. Select **Abstract** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Abstract
Configure and test Azure AD SSO with Abstract using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Abstract.
-To configure and test Azure AD SSO with Abstract, complete the following building blocks:
+To configure and test Azure AD SSO with Abstract, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-2. **[Configure Abstract SSO](#configure-abstract-sso)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Abstract test user](#create-abstract-test-user)** - to have a counterpart of Britta Simon in Abstract that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Abstract SSO](#configure-abstract-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Abstract test user](#create-abstract-test-user)** - to have a counterpart of B.Simon in Abstract that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Abstract** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Abstract** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://app.abstract.com/signin` 4. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ![The Certificate download link](common/copy-metadataurl.png)
-### Configure Abstract SSO
-
-Make sure to retrieve your `App Federation Metadata Url` and the `Azure AD Identifier` from the Azure portal, as you will need those to configure SSO on Abstract.
-
-You will find those information on the **Set up Single Sign-On with SAML** page:
-
-* The `App Federation Metadata Url` is located in the **SAML Signing Certificate** section.
-* The `Azure AD Identifier` is located in the **Set up Abstract** section.
--
-You are now ready to configure SSO on Abstract:
-
->[!Note]
->You will need to authenticate with an organization Admin account to access the SSO settings on Abstract.
-
-1. Open the [Abstract web app](https://app.abstract.com/).
-2. Go to the **Permissions** page in the left side bar.
-3. In the **Configure SSO** section, enter your **Metadata URL** and **Entity ID**.
-4. Enter any manual exceptions you might have. Emails listed in the manual exceptions section will bypass SSO and be able to log in with email and password.
-5. Click **Save Changes**.
-
->[!Note]
->YouΓÇÖll need to use primary email addresses in the manual exceptions list. SSO activation will fail if the email you list is a userΓÇÖs secondary email. If that happens, youΓÇÖll see an error message with the primary email for the failing account. Add that primary email to the manual exceptions list after youΓÇÖve verified you know the user.
- ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Abstract**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The "Users and groups" link](common/users-groups-blade.png)
+## Configure Abstract SSO
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+Make sure to retrieve your `App Federation Metadata Url` and the `Azure AD Identifier` from the Azure portal, as you will need those to configure SSO on Abstract.
- ![The Add User link](common/add-assign-user.png)
+You will find those information on the **Set up Single Sign-On with SAML** page:
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
+* The `App Federation Metadata Url` is located in the **SAML Signing Certificate** section.
+* The `Azure AD Identifier` is located in the **Set up Abstract** section.
+
+You are now ready to configure SSO on Abstract:
+
+>[!Note]
+>You will need to authenticate with an organization Admin account to access the SSO settings on Abstract.
+
+1. Open the [Abstract web app](https://app.abstract.com/).
+2. Go to the **Permissions** page in the left side bar.
+3. In the **Configure SSO** section, enter your **Metadata URL** and **Entity ID**.
+4. Enter any manual exceptions you might have. Emails listed in the manual exceptions section will bypass SSO and be able to log in with email and password.
+5. Click **Save Changes**.
+
+>[!Note]
+>YouΓÇÖll need to use primary email addresses in the manual exceptions list. SSO activation will fail if the email you list is a userΓÇÖs secondary email. If that happens, youΓÇÖll see an error message with the primary email for the failing account. Add that primary email to the manual exceptions list after youΓÇÖve verified you know the user.
### Create Abstract test user
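Review bot: step 4 of the relocated "Configure Abstract SSO" section says addresses in the manual exceptions list "will bypass SSO and be able to log in with email and password", and the section gives no guidance on limiting that list. Those accounts authenticate outside Azure AD, so the Conditional Access and session control recommended under "Next steps" do not apply to them. Suggest adding a sentence that the list should be kept to the minimum needed (for example, an emergency admin account) and reviewed periodically. Since the block is being moved anyway, also fix "You will find those information" to "You will find this information".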
To test SSO on Abstract:
>You will need to authenticate with an organization Admin account to access the SSO settings on Abstract. This organization Admin account will need to be assigned to Abstract on the Azure portal.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Abstract Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Abstract Sign-on URL directly and initiate the login flow from there.
-When you click the Abstract tile in the Access Panel, you should be automatically signed in to the Abstract for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Abstract for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Abstract tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Abstract for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Abstract you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
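Review bot: the new "#### SP initiated:" and "#### IDP initiated:" headings sit directly under the level-2 "## Test SSO", skipping a level, and end in a colon. Suggest `### SP initiated` and `### IDP initiated`. The "Next steps" link here targets `/cloud-app-security/proxy-deployment-aad`, while the A Cloud Guru and Check Point Infinity Portal tutorials in this same batch link to `proxy-deployment-any-app`; please confirm which target is intended and make them consistent.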
active-directory Checkpoint Infinity Portal Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/checkpoint-infinity-portal-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with CheckPoint Infinity Portal | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and CheckPoint Infinity Portal.
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point Infinity Portal | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Check Point Infinity Portal.
Previously updated : 05/24/2021 Last updated : 06/04/2021
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with CheckPoint Infinity Portal
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point Infinity Portal
-In this tutorial, you'll learn how to integrate CheckPoint Infinity Portal with Azure Active Directory (Azure AD). When you integrate CheckPoint Infinity Portal with Azure AD, you can:
+In this tutorial, you'll learn how to integrate Check Point Infinity Portal with Azure Active Directory (Azure AD). When you integrate Check Point Infinity Portal with Azure AD, you can:
-* Control in Azure AD who has access to CheckPoint Infinity Portal.
-* Enable your users to be automatically signed-in to CheckPoint Infinity Portal with their Azure AD accounts.
+* Control in Azure AD who has access to Check Point Infinity Portal.
+* Enable your users to be automatically signed-in to Check Point Infinity Portal with their Azure AD accounts.
* Manage your accounts in one central location - the Azure portal. ## Prerequisites
In this tutorial, you'll learn how to integrate CheckPoint Infinity Portal with
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* CheckPoint Infinity Portal single sign-on (SSO) enabled subscription.
+* Check Point Infinity Portal single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* CheckPoint Infinity Portal supports **SP** initiated SSO.
+* Check Point Infinity Portal supports **SP** initiated SSO.
-* CheckPoint Infinity Portal supports **Just In Time** user provisioning.
+* Check Point Infinity Portal supports **Just In Time** user provisioning.
+## Add Check Point Infinity Portal from the gallery
-## Adding CheckPoint Infinity Portal from the gallery
-
-To configure the integration of CheckPoint Infinity Portal into Azure AD, you need to add CheckPoint Infinity Portal from the gallery to your list of managed SaaS apps.
+To configure the integration of Check Point Infinity Portal into Azure AD, you need to add Check Point Infinity Portal from the gallery to your list of managed SaaS apps.
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **CheckPoint Infinity Portal** in the search box.
-1. Select **CheckPoint Infinity Portal** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-
+1. In the **Add from the gallery** section, type **Check Point Infinity Portal** in the search box.
+1. Select **Check Point Infinity Portal** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO for CheckPoint Infinity Portal
+## Configure and test Azure AD SSO for Check Point Infinity Portal
-Configure and test Azure AD SSO with CheckPoint Infinity Portal using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in CheckPoint Infinity Portal.
+Configure and test Azure AD SSO with Check Point Infinity Portal using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Check Point Infinity Portal.
-To configure and test Azure AD SSO with CheckPoint Infinity Portal, perform the following steps:
+To configure and test Azure AD SSO with Check Point Infinity Portal, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure CheckPoint Infinity Portal SSO](#configure-checkpoint-infinity-portal-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create CheckPoint Infinity Portal test user](#create-checkpoint-infinity-portal-test-user)** - to have a counterpart of B.Simon in CheckPoint Infinity Portal that is linked to the Azure AD representation of user.
+1. **[Configure Check Point Infinity Portal SSO](#configure-check-point-infinity-portal-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Check Point Infinity Portal test user](#create-check-point-infinity-portal-test-user)** - to have a counterpart of B.Simon in Check Point Infinity Portal that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **CheckPoint Infinity Portal** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Check Point Infinity Portal** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. ![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
a. In the **Identifier** text box, type one of the following values:
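Review bot: the step list now links to `#configure-check-point-infinity-portal-sso` and `#create-check-point-infinity-portal-test-user`, which match the renamed headings later in the file, but the rename also retires the old `#configure-checkpoint-infinity-portal-sso` and `#create-checkpoint-infinity-portal-test-user` fragments. Please search the repository for inbound links to the old fragments before merging, since a stale fragment fails silently.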
Follow these steps to enable Azure AD SSO in the Azure portal.
![The Certificate download link](common/metadataxml.png)
-1. On the **Set up CheckPoint Infinity Portal** section, copy the appropriate URL(s) based on your requirement.
+1. On the **Set up Check Point Infinity Portal** section, copy the appropriate URL(s) based on your requirement.
![Copy configuration URLs](common/copy-configuration-urls.png)
In this section, you'll create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to CheckPoint Infinity Portal.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Check Point Infinity Portal.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **CheckPoint Infinity Portal**.
+1. In the applications list, select **Check Point Infinity Portal**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure CheckPoint Infinity Portal SSO
+## Configure Check Point Infinity Portal SSO
1. On the Infinity Portal, click **Global Events > Account Settings**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
c. Wait for Check Point to approve your DNS record. The registrar update of the DNS records can last for up to 30 minutes.
-### Create CheckPoint Infinity Portal test user
+### Create Check Point Infinity Portal test user
-In this section, a user called Britta Simon is created in CheckPoint Infinity Portal. CheckPoint Infinity Portal supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in CheckPoint Infinity Portal, a new one is created after authentication.
+In this section, a user called Britta Simon is created in Check Point Infinity Portal. Check Point Infinity Portal supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Check Point Infinity Portal, a new one is created after authentication.
## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on **Test this application** in Azure portal. This will redirect to CheckPoint Infinity Portal Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Check Point Infinity Portal Sign-on URL where you can initiate the login flow.
-* Go to CheckPoint Infinity Portal Sign-on URL directly and initiate the login flow from there.
+* Go to Check Point Infinity Portal Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the CheckPoint Infinity Portal tile in the My Apps, this will redirect to CheckPoint Infinity Portal Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+* You can use Microsoft My Apps. When you click the Check Point Infinity Portal tile in the My Apps, this will redirect to Check Point Infinity Portal Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure CheckPoint Infinity Portal you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Check Point Infinity Portal you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
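Review bot: the rewritten "Create Check Point Infinity Portal test user" paragraph still says "a user called Britta Simon", while every other section of this tutorial uses B.Simon. The line is already being touched for the product rename, so align the test user name in the same change.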
active-directory Cloudtamer Io Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cloudtamer-io-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with cloudtamer.io | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and cloudtamer.io.
++++++++ Last updated : 06/03/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with cloudtamer.io
+
+In this tutorial, you'll learn how to integrate cloudtamer.io with Azure Active Directory (Azure AD). When you integrate cloudtamer.io with Azure AD, you can:
+
+* Control in Azure AD who has access to cloudtamer.io.
+* Enable your users to be automatically signed-in to cloudtamer.io with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* cloudtamer.io single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* cloudtamer.io supports **SP and IDP** initiated SSO.
+* cloudtamer.io supports **Just In Time** user provisioning.
++
+## Adding cloudtamer.io from the gallery
+
+To configure the integration of cloudtamer.io into Azure AD, you need to add cloudtamer.io from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **cloudtamer.io** in the search box.
+1. Select **cloudtamer.io** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for cloudtamer.io
+
+Configure and test Azure AD SSO with cloudtamer.io using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in cloudtamer.io.
+
+To configure and test Azure AD SSO with cloudtamer.io, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure cloudtamer.io SSO](#configure-cloudtamerio-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create cloudtamer.io test user](#create-cloudtamerio-test-user)** - to have a counterpart of B.Simon in cloudtamer.io that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **cloudtamer.io** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://<CUSTOMERDOMAIN>.<EXTENSION>/api/v1/saml/auth/<id>`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<CUSTOMERDOMAIN>.<EXTENSION>/api/v1/saml/callback`
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<CUSTOMERDOMAIN>.<EXTENSION>/login`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [cloudtamer.io Client support team](mailto:support@cloudtamer.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+1. On the **Set up cloudtamer.io** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to cloudtamer.io.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **cloudtamer.io**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure cloudtamer.io SSO
+
+1. Log in to cloudtamer.io website as an administrator.
+
+1. Click on **+** plus icon at the top right corner and select **IDMS**.
+
+ ![Screenshot for IDMS create.](./media/cloudtamer-io-tutorial/idms-creation.png)
+
+1. Perform the following steps in the **Add IDMS** page:
+
+ ![Screenshot for IDMS adding.](./media/cloudtamer-io-tutorial/configuration.png)
+
+ a. Select **SAML2.0** as **IDMS TYPE** from the dropdown.
+
+ b. In the **IDMS Name** give a name that the users will recognize from the Login screen.
+
+ c. In the **IDENTITY PROVIDER ISSUER (ENTITY ID)** textbox, paste the **Identifier** value which you have copied from the Azure portal.
+
+ d. Open the downloaded **Federation Metadata XML** from the Azure portal into Notepad and paste the content into the **IDENTITY PROVIDER METADATA** textbox.
+
+ e. Copy **SERVICE PROVIDER ISSUER (ENTITY ID)** value, paste this value into the **Identifier** text box in the Basic SAML Configuration section in the Azure portal.
+
+ f. Copy **SERVICE PROVIDER ACS URL** value, paste this value into the **Reply URL** text box in the Basic SAML Configuration section in the Azure portal.
+
+ g. Click **Create IDMS**.
++
+### Create cloudtamer.io test user
+
+In this section, a user called Britta Simon is created in cloudtamer.io. cloudtamer.io supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in cloudtamer.io, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to cloudtamer.io Sign on URL where you can initiate the login flow.
+
+* Go to cloudtamer.io Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the cloudtamer.io for which you set up the SSO
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the cloudtamer.io tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the cloudtamer.io for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
++
+## Next steps
+
+Once you configure cloudtamer.io you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
++
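Review bot: in "Configure cloudtamer.io SSO", step c says to paste "the **Identifier** value which you have copied from the Azure portal" into IDENTITY PROVIDER ISSUER (ENTITY ID), but the only field called Identifier earlier in the tutorial is the service provider entity ID in Basic SAML Configuration, which step e then fills from SERVICE PROVIDER ISSUER (ENTITY ID). Name the value explicitly as the one copied from the "Set up cloudtamer.io" section, so the identity provider issuer and the service provider identifier cannot be swapped. The Federation Metadata XML step says "download the certificate", although what is downloaded is the metadata document that step d pastes into IDENTITY PROVIDER METADATA. "Create cloudtamer.io test user" refers to "Britta Simon" while the rest of the file uses B.Simon. Because that section states just-in-time provisioning is enabled by default, it is worth saying there that who gets an account is decided by the assignment made in "Assign the Azure AD test user". The IDP initiated bullet under "Test SSO" is missing its final period.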
active-directory Convercent Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/convercent-tutorial.md
Previously updated : 01/25/2019 Last updated : 06/02/2021 # Tutorial: Azure Active Directory integration with Convercent
-In this tutorial, you learn how to integrate Convercent with Azure Active Directory (Azure AD).
-Integrating Convercent with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Convercent with Azure Active Directory (Azure AD). When you integrate Convercent with Azure AD, you can:
-* You can control in Azure AD who has access to Convercent.
-* You can enable your users to be automatically signed-in to Convercent (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Convercent.
+* Enable your users to be automatically signed-in to Convercent with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Convercent, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Convercent single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Convercent single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Convercent supports **SP** and **IDP** initiated SSO
+* Convercent supports **SP** and **IDP** initiated SSO.
-## Adding Convercent from the gallery
+## Add Convercent from the gallery
To configure the integration of Convercent into Azure AD, you need to add Convercent from the gallery to your list of managed SaaS apps.
-**To add Convercent from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Convercent**, select **Convercent** from result panel then click **Add** button to add the application.
-
- ![Convercent in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Convercent based on a test user called **Britta Simon**
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Convercent needs to be established.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Convercent** in the search box.
+1. Select **Convercent** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure and test Azure AD single sign-on with Convercent, you need to complete the following building blocks:
+## Configure and test Azure AD SSO for Convercent
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Convercent Single Sign-On](#configure-convercent-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Convercent test user](#create-convercent-test-user)** - to have a counterpart of Britta Simon in Convercent that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+Configure and test Azure AD SSO with Convercent using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Convercent.
-### Configure Azure AD single sign-on
+To configure and test Azure AD SSO with Convercent, perform the following steps:
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Convercent SSO](#configure-convercent-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Convercent test user](#create-convercent-test-user)** - to have a counterpart of B.Simon in Convercent that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-To configure Azure AD single sign-on with Convercent, perform the following steps:
+## Configure Azure AD SSO
-1. In the [Azure portal](https://portal.azure.com/), on the **Convercent** application integration page, select **Single sign-on**.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Configure single sign-on link](common/select-sso.png)
+1. In the Azure portal, on the **Convercent** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following step:
- ![Screenshot that shows the "Basic S A M L Configuration" section with the "Identifier (Entity ID)" field and "Save" button highlighted.](common/both-identifier.png)
- In the **Identifier** text box, type a URL using the following pattern:
- `https://<instancename>.convercent.com/`
+ `https://<INSTANCE_NAME>.convercent.com/`
5. Click **Set additional URLs** and perform the following steps if you wish to configure the application in **SP** initiated mode:
- ![Convercent Domain and URLs single sign-on information](common/both-advanced-urls.png)
- a. In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<instancename>.convercent.com/`
+ `https://<INSTANCE_NAME>.convercent.com/`
b. In the **Relay State** text box, type a URL using the following pattern:
- `https://<instancename>.convercent.com/`
+ `https://<INSTANCE_NAME>.convercent.com/`
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Sign-On URL and Relay State. Contact [Convercent Client support team](http://support.convercent.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
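Review bot: the rewritten steps under "Configure Azure AD SSO" are numbered with a repeated `1.`, but the unchanged steps that follow are still hard-numbered `4.` and `5.`. Switch those to `1.` as well, so the list uses one numbering style and does not misnumber when a step is inserted. The heading renames also change the generated anchors (`#configure-azure-ad-single-sign-on` to `#configure-azure-ad-sso`, `#test-single-sign-on` to `#test-sso`). The in-page links are updated here, but links from other articles to the old anchors should be checked. The rewritten Identifier step keeps the capitalised "If" in "section, If you wish".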
To configure Azure AD single sign-on with Convercent, perform the following step
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Convercent Single Sign-On
-
-To configure single sign-on on **Convercent** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Convercent support team](http://support.convercent.com/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Convercent.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Convercent.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Convercent**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Convercent**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Convercent SSO
-2. In the applications list, select **Convercent**.
-
- ![The Convercent link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
+To configure single sign-on on **Convercent** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Convercent support team](http://support.convercent.com/). They set this setting to have the SAML SSO connection set properly on both sides.
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create Convercent test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon in Convercent. Work with [Convercent support team](http://support.convercent.com/) to add the users in the Convercent platform. Users must be created and activated before you use single sign-on.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create Convercent test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you create a user called Britta Simon in Convercent. Work with [Convercent support team](http://support.convercent.com/) to add the users in the Convercent platform. Users must be created and activated before you use single sign-on.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to Convercent Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Convercent Sign-on URL directly and initiate the login flow from there.
-When you click the Convercent tile in the Access Panel, you should be automatically signed in to the Convercent for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Convercent for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Convercent tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Convercent for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Convercent you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
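Review bot: the added "Configure Convercent SSO" section tells the reader to send the downloaded Federation Metadata XML and the copied URLs to the support team through `http://support.convercent.com/`, and "Create Convercent test user" uses the same plain-HTTP link. Link the HTTPS address if the site serves one, since this is the channel over which the SAML trust material is handed over. "Create Convercent test user" still names "Britta Simon" while the rest of the hunk renames the test user to B.Simon. The Next steps link points to `/cloud-app-security/proxy-deployment-aad`, whereas the other tutorials in this batch link `/cloud-app-security/proxy-deployment-any-app`; confirm which target is intended. "with following options" is missing "the", and "protects exfiltration and infiltration" should read "protects against".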
active-directory Digicert Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/digicert-tutorial.md
Previously updated : 02/11/2021 Last updated : 05/31/2021 # Tutorial: Azure Active Directory integration with DigiCert
In this tutorial, you configure and test Azure AD single sign-on in a test envir
* DigiCert supports **IDP** initiated SSO.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+ ## Add DigiCert from the gallery To configure the integration of DigiCert into Azure AD, you need to add DigiCert from the gallery to your list of managed SaaS apps.
Follow these steps to enable Azure AD SSO in the Azure portal.
4. On the **Basic SAML Configuration** section, perform the following steps:
- In the **Identifier** text box, type the URL:
- `https://www.digicert.com/sso`
+ a. In the **Identifier** text box, type the URL:
+ `https://www.digicert.com/account/sso/metadata`
+
+ b. In the **Reply URL** text box, type the URL:
+ `https://www.digicert.com/account/sso/`
+
+ c. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://www.digicert.com/account/sso/<FEDERATION_NAME>/login`
+
+ > [!NOTE]
+ > The Sign-on URL value is not real. Update this value with the actual Sign-on URL. Contact [DigiCert support team](mailto:support@digicert.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
5. DigiCert application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on application integration page. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **User Attributes** dialog.
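Review bot: step c adds a **Sign on URL**, yet the scenario description of this article still says DigiCert supports only **IDP** initiated SSO. Either state why the Sign on URL is needed in an IDP initiated setup, or update the scenario description to match. The Identifier changes from `https://www.digicert.com/sso` to `https://www.digicert.com/account/sso/metadata`, and the article now notes that the Identifier is a fixed string, so say whether tenants configured with the old value have to update it. The note spells the field "Sign-on URL" while the step spells it "Sign on URL"; use one spelling.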
active-directory Direct Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/direct-tutorial.md
Previously updated : 04/01/2019 Last updated : 05/28/2021 # Tutorial: Azure Active Directory integration with direct
-In this tutorial, you learn how to integrate direct with Azure Active Directory (Azure AD).
-Integrating direct with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate direct with Azure Active Directory (Azure AD). When you integrate direct with Azure AD, you can:
-* You can control in Azure AD who has access to direct.
-* You can enable your users to be automatically signed-in to direct (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to direct.
+* Enable your users to be automatically signed-in to direct with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with direct, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* direct single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* direct single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* direct supports **SP** and **IDP** initiated SSO
-
-## Adding direct from the gallery
-
-To configure the integration of direct into Azure AD, you need to add direct from the gallery to your list of managed SaaS apps.
-
-**To add direct from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
+* direct supports **SP** and **IDP** initiated SSO.
-4. In the search box, type **direct**, select **direct** from result panel then click **Add** button to add the application.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
- ![direct in the results list](common/search-new-app.png)
+## Add direct from the gallery
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with direct based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in direct needs to be established.
-
-To configure and test Azure AD single sign-on with direct, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure direct Single Sign-On](#configure-direct-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create direct test user](#create-direct-test-user)** - to have a counterpart of Britta Simon in direct that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of direct into Azure AD, you need to add direct from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **direct** in the search box.
+1. Select **direct** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for direct
-To configure Azure AD single sign-on with direct, perform the following steps:
+Configure and test Azure AD SSO with direct using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in direct.
-1. In the [Azure portal](https://portal.azure.com/), on the **direct** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with direct, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure direct SSO](#configure-direct-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create direct test user](#create-direct-test-user)** - to have a counterpart of B.Simon in direct that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **direct** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step:
- ![direct Domain and URLs single sign-on information](common/idp-identifier.png)
-
- In the **Identifier** text box, type a URL:
+ In the **Identifier** text box, type the URL:
`https://direct4b.com/` 5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![image](common/both-preintegrated-signon.png)
-
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://direct4b.com/sso` 6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
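Review bot: The renumbered list under "Configure Azure AD SSO" is inconsistent: the first three steps now use repeated `1.` markers, but the unchanged steps after them still start with explicit `4.`, `5.` and `6.`. Convert those to `1.` as well so the list stays in order if a step is added or removed later. In the gallery steps of the same hunk, "To add new application, select **New application**" is missing an article ("To add a new application").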
To configure Azure AD single sign-on with direct, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure direct Single Sign-On
-
-To configure single sign-on on **direct** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [direct support team](https://direct4b.com/ja/support.html#inquiry). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to direct.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **direct**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to direct.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **direct**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **direct**.
+## Configure direct SSO
- ![The direct link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **direct** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [direct support team](https://direct4b.com/ja/support.html#inquiry). They set this setting to have the SAML SSO connection set properly on both sides.
### Create direct test user In this section, you create a user called Britta Simon in direct. Work with [direct support team](https://direct4b.com/ja/support.html#inquiry) to add the users in the direct platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-1. If you wish to test in **IDP Initiated Mode**:
+## Test SSO
- When you click the **direct** tile in the Access Panel, you should get automatically signed-on to your **direct** application.
+In this section, you test your Azure AD single sign-on configuration with following options.
-2. If you wish to test in **SP Initiated Mode**:
+#### SP initiated:
- a. Click on the **direct** tile in the Access Panel and you will be redirected to the application sign-on page.
+* Click on **Test this application** in Azure portal. This will redirect to direct Sign on URL where you can initiate the login flow.
- b. Input your `subdomain` in the textbox displayed and select **Next**, and you should get automatically signed-on to your **direct** application .
+* Go to direct Sign-on URL directly and initiate the login flow from there.
-When you click the direct tile in the Access Panel, you should be automatically signed in to the direct for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the direct for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the direct tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the direct for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure direct you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
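Review bot: The test user is renamed to B.Simon in every added line, but the unchanged "Create direct test user" section still says "you create a user called Britta Simon in direct". The overview step describes that account as "a counterpart of B.Simon in direct", so the section should use the same name to keep both sides of the link relationship consistent. Also, "#### SP initiated:" and "#### IDP initiated:" sit directly under "## Test SSO" and skip a heading level; use `###` and drop the trailing colon.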
active-directory Elionboarding Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/elionboarding-tutorial.md
Previously updated : 02/06/2019 Last updated : 05/28/2021 # Tutorial: Azure Active Directory integration with Eli Onboarding
-In this tutorial, you learn how to integrate Eli Onboarding with Azure Active Directory (Azure AD).
-Integrating Eli Onboarding with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Eli Onboarding with Azure Active Directory (Azure AD). When you integrate Eli Onboarding with Azure AD, you can:
-* You can control in Azure AD who has access to Eli Onboarding.
-* You can enable your users to be automatically signed-in to Eli Onboarding (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Eli Onboarding.
+* Enable your users to be automatically signed-in to Eli Onboarding with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Eli Onboarding, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Eli Onboarding single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Eli Onboarding single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Eli Onboarding supports **SP** initiated SSO
+* Eli Onboarding supports **SP** initiated SSO.
-## Adding Eli Onboarding from the gallery
+## Add Eli Onboarding from the gallery
To configure the integration of Eli Onboarding into Azure AD, you need to add Eli Onboarding from the gallery to your list of managed SaaS apps.
-**To add Eli Onboarding from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Eli Onboarding**, select **Eli Onboarding** from result panel then click **Add** button to add the application.
-
- ![Eli Onboarding in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Eli Onboarding** in the search box.
+1. Select **Eli Onboarding** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with Eli Onboarding based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Eli Onboarding needs to be established.
+## Configure and test Azure AD SSO for Eli Onboarding
-To configure and test Azure AD single sign-on with Eli Onboarding, you need to complete the following building blocks:
+Configure and test Azure AD SSO with Eli Onboarding using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Eli Onboarding.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Eli Onboarding Single Sign-On](#configure-eli-onboarding-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Eli Onboarding test user](#create-eli-onboarding-test-user)** - to have a counterpart of Britta Simon in Eli Onboarding that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with Eli Onboarding, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Eli Onboarding SSO](#configure-eli-onboarding-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Eli Onboarding test user](#create-eli-onboarding-test-user)** - to have a counterpart of B.Simon in Eli Onboarding that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with Eli Onboarding, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Eli Onboarding** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **Eli Onboarding** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Eli Onboarding Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<YOUR DOMAIN URL>/sso/saml/login`
To configure Azure AD single sign-on with Eli Onboarding, perform the following
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Eli Onboarding Single Sign-On
-
-To configure single sign-on on **Eli Onboarding** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Eli Onboarding support team](mailto:support@geteli.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Eli Onboarding.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Eli Onboarding.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Eli Onboarding**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Eli Onboarding**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Eli Onboarding SSO
-2. In the applications list, select **Eli Onboarding**.
-
- ![The Eli Onboarding link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Eli Onboarding** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Eli Onboarding support team](mailto:support@geteli.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Eli Onboarding test user In this section, you create a user called Britta Simon in Eli Onboarding. Work with [Eli Onboarding support team](mailto:support@geteli.com) to add the users in the Eli Onboarding platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Eli Onboarding tile in the Access Panel, you should be automatically signed in to the Eli Onboarding for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Eli Onboarding Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Eli Onboarding Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Eli Onboarding tile in the My Apps, this will redirect to Eli Onboarding Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Eli Onboarding you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
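Review bot: In the added "Next steps" paragraph, "session control, which protects exfiltration and infiltration" says the opposite of what is meant; it should read "protects against exfiltration and infiltration". In the same hunk, "with following options" needs an article ("with the following options"), and the unchanged "Create Eli Onboarding test user" text still names Britta Simon while the added lines use B.Simon.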
active-directory Ezofficeinventory Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ezofficeinventory-tutorial.md
Previously updated : 02/12/2020 Last updated : 06/02/2021
In this tutorial, you'll learn how to integrate EZOfficeInventory with Azure Act
* Enable your users to be automatically signed-in to EZOfficeInventory with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* EZOfficeInventory supports **SP** initiated SSO
-* EZOfficeInventory supports **Just In Time** user provisioning
-* Once you configure EZOfficeInventory you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* EZOfficeInventory supports **SP** initiated SSO.
+* EZOfficeInventory supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding EZOfficeInventory from the gallery
+## Add EZOfficeInventory from the gallery
To configure the integration of EZOfficeInventory into Azure AD, you need to add EZOfficeInventory from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **EZOfficeInventory** in the search box. 1. Select **EZOfficeInventory** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for EZOfficeInventory
+## Configure and test Azure AD SSO for EZOfficeInventory
Configure and test Azure AD SSO with EZOfficeInventory using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in EZOfficeInventory.
-To configure and test Azure AD SSO with EZOfficeInventory, complete the following building blocks:
+To configure and test Azure AD SSO with EZOfficeInventory, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with EZOfficeInventory, complete the followin
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **EZOfficeInventory** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **EZOfficeInventory** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **EZOfficeInventory**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure EZOfficeInventory SSO
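Review bot: The reworded role step drops the reason the role selection matters. The removed line tied the choice to "any role value in the SAML assertion", while the replacement only says "If you are expecting a role to be assigned to the users". Keep a mention that the selected role is the value sent to the application in the SAML assertion, so an admin knows this step changes what the application sees at sign-in.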
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. On the top-right corner of the page, click on **Profile** and then navigate to **Settings** > **Add Ons**.
- ![Screenshot that shows the "Settings" page with the "Add Ons" action selected.](./media/ezofficeinventory-tutorial/configure01.png)
+ ![Screenshot that shows the "Settings" page with the "Add Ons" action selected.](./media/ezofficeinventory-tutorial/settings.png)
1. Scroll down up to the **SAML Integration** section, perform the following steps:
- ![EZOfficeInventory configuration](./media/ezofficeinventory-tutorial/configure02.png)
+ ![EZOfficeInventory configuration](./media/ezofficeinventory-tutorial/integration.png)
a. Check the **Enabled** option.
In this section, a user called Britta Simon is created in EZOfficeInventory. EZO
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the EZOfficeInventory tile in the Access Panel, you should be automatically signed in to the EZOfficeInventory for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal. This will redirect to EZOfficeInventory Sign-on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Go to EZOfficeInventory Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the EZOfficeInventory tile in the My Apps, this will redirect to EZOfficeInventory Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [Try EZOfficeInventory with Azure AD](https://aad.portal.azure.com/)
+Once you configure EZOfficeInventory you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
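Review bot: The session control link changes target as it moves to "Next steps": the bullet removed from "Scenario description" pointed to `/cloud-app-security/proxy-deployment-any-app`, and the added paragraph points to `/cloud-app-security/proxy-deployment-aad`. Please confirm the new target is the intended one for this app, since the commit shown here gives no reason for the switch.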
active-directory Float Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/float-tutorial.md
Previously updated : 04/23/2020 Last updated : 06/02/2021
In this tutorial, you'll learn how to integrate Float with Azure Active Director
* Enable your users to be automatically signed-in to Float with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Float supports **SP and IDP** initiated SSO
-* Once you configure Float you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Float supports **SP and IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Float from the gallery
+## Add Float from the gallery
To configure the integration of Float into Azure AD, you need to add Float from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Float** in the search box. 1. Select **Float** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Float
+## Configure and test Azure AD SSO for Float
Configure and test Azure AD SSO with Float using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Float.
-To configure and test Azure AD SSO with Float, complete the following building blocks:
+To configure and test Azure AD SSO with Float, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Float, complete the following building b
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Float** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Float** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- a. In the **Identifier** text box, type this URL: `https://app.float.com/sso/metadata`.
+ a. In the **Identifier** text box, type the URL: `https://app.float.com/sso/metadata`.
- b. In the **Reply URL** text box, type a URL using the pattern `https://<hostname>.float.com/sso/azuread`.
+ b. In the **Reply URL** text box, type a URL using the following pattern: `https://<HOSTNAME>.float.com/sso/azuread`.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL in the pattern `https://<hostname>.float.com/login`.
+ In the **Sign-on URL** text box, type a URL using the following pattern: `https://<HOSTNAME>.float.com/login`.
> [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Replace <hostname> with your Float hostname. Contact [Float Client support team](mailto:support@float.com) if you are unsure. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Reply URL and Sign-on URL. Replace <hostname> with your Float hostname. Contact [Float Client support team](mailto:support@float.com) if you are unsure. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Float application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
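Review bot: The placeholder is now inconsistent within this hunk: the Reply URL and Sign-on URL patterns were changed to `<HOSTNAME>`, but the rewritten note still says "Replace <hostname> with your Float hostname", in lower case and outside code formatting, where a Markdown renderer may treat the bare angle brackets as an HTML tag and drop the word. Suggest writing it as `<HOSTNAME>` in backticks. Dropping "Identifier" from the list of values to update is consistent with the Identifier now being the fixed URL `https://app.float.com/sso/metadata`, so that part looks right.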
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up Float** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Float**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Float SSO
-To configure single sign-on on **Float** side, visit the Float Team Settings section and select Configure from the Authentication module. Paste the Azure AD Login URL in the SAML 2.0 Endpoint URL field, paste the Azure AD Indentifier in the Identity Provider Issuer URL field, paste the full text from the downloaded **Certificate (Base64)** in the X.509 Certificate field, and Save.
+To configure single sign-on on **Float** side, visit the Float Team Settings section and select Configure from the Authentication module. Paste the Azure AD Login URL in the SAML 2.0 Endpoint URL field, paste the Azure AD Identifier in the Identity Provider Issuer URL field, paste the full text from the downloaded **Certificate (Base64)** in the X.509 Certificate field, and Save.
### Create Float test user
In this section, create a user called Britta Simon in Float. Add the user from t
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Float tile in the Access Panel, you should be automatically signed in to the Float for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Float Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Float Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Float for which you set up the SSO.
-- [Try Float with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Float tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Float for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Float with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Float you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
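Review bot: The new `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO`, skipping a heading level and ending in a colon; `### SP initiated` and `### IDP initiated` would keep the outline valid. Two wording leftovers in the same added lines: "with following options" is missing "the", and the Access Panel rename produced "in the My Apps" and "Introduction to the My Apps", which read as a mechanical search-and-replace; "in My Apps" and "Introduction to My Apps" would be cleaner.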
active-directory Glint Inc Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/glint-inc-tutorial.md
Previously updated : 09/09/2020 Last updated : 06/03/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Glint Inc supports **SP and IDP** initiated SSO
+* Glint Inc supports **SP and IDP** initiated SSO.
-## Adding Glint Inc from the gallery
+## Add Glint Inc from the gallery
To configure the integration of Glint Inc into Azure AD, you need to add Glint Inc from the gallery to your list of managed SaaS apps.
To configure the integration of Glint Inc into Azure AD, you need to add Glint I
1. In the **Add from the gallery** section, type **Glint Inc** in the search box. 1. Select **Glint Inc** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Glint Inc Configure and test Azure AD SSO with Glint Inc using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Glint Inc.
-To configure and test Azure AD SSO with Glint Inc, complete the following building blocks:
+To configure and test Azure AD SSO with Glint Inc, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **Glint Inc** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://api.<REGION>.glintinc.com/api/client/<CUSTOMER_NAME>/token/saml2/consume/includeDeskLink`
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up Glint Inc** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you create a user called Britta Simon in Glint Inc. Work with 
In this section, you test your Azure AD single sign-on configuration with following options.
-#### SP-initiated:
+#### SP initiated:
* Click on **Test this application** in Azure portal. This will redirect to Glint Inc Sign on URL where you can initiate the login flow. * Go to Glint Inc Sign-on URL directly and initiate the login flow from there.
-#### IDP-initiated:
+#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Glint Inc for which you set up the SSO
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Glint Inc for which you set up the SSO.
-You can also use Microsoft Access Panel to test the application in any mode. When you click the Glint Inc tile in the Access Panel, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Glint Inc for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Glint Inc tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Glint Inc for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Glint Inc you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Glint Inc you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
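Review bot: The heading change from "SP-initiated:" to "SP initiated:" normalises the headings, but the unchanged bullets directly beneath still mix "Glint Inc Sign on URL" and "Glint Inc Sign-on URL" in consecutive items; since this hunk is a consistency pass, fix both to "Sign-on URL" here. The only edit to the final paragraph is the link target, from `/cloud-app-security/proxy-deployment-any-app` to `/cloud-app-security/proxy-deployment-aad`; a word in the commit message on why the target changed would help anyone checking that the new page covers this app.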
active-directory Hootsuite Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hootsuite-tutorial.md
Previously updated : 11/13/2019 Last updated : 05/31/2021
In this tutorial, you'll learn how to integrate Hootsuite with Azure Active Dire
* Enable your users to be automatically signed-in to Hootsuite with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. --
-* Hootsuite supports **SP and IDP** initiated SSO
+* Hootsuite supports **SP and IDP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Hootsuite from the gallery
+## Add Hootsuite from the gallery
To configure the integration of Hootsuite into Azure AD, you need to add Hootsuite from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Hootsuite** in the search box. 1. Select **Hootsuite** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Hootsuite
+## Configure and test Azure AD SSO for Hootsuite
Configure and test Azure AD SSO with Hootsuite using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Hootsuite.
-To configure and test Azure AD SSO with Hootsuite, complete the following building blocks:
+To configure and test Azure AD SSO with Hootsuite, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Hootsuite, complete the following buildi
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Hootsuite** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Hootsuite** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step:
- In the **Reply URL** text box, type any one of the URL using the following pattern:
+ In the **Reply URL** text box, type a URL using one of the following patterns:
- ```http
- https://hootsuite.com/member/sso-complete
- https://hootsuite.com/sso/<ORG_ID>
- ```
+ | Reply URL |
+ ||
+ |`https://hootsuite.com/member/sso-complete`|
+ |`https://hootsuite.com/sso/<ORG_ID>`|
+ |
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://hootsuite.com/login` > [!NOTE]
- > These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact [Hootsuite Client support team](https://hootsuite.com/about/contact-us#) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Reply URL. Contact [Hootsuite Client support team](https://hootsuite.com/about/contact-us#) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
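Review bot: The rewritten note still opens with "These values are not real", but of the two Reply URL entries in the new table only `https://hootsuite.com/sso/<ORG_ID>` contains a placeholder; `https://hootsuite.com/member/sso-complete` is a literal URL. Because the Reply URL is where Azure AD posts the SAML response, the text should say which entry is used as-is and which needs `<ORG_ID>` replaced, rather than labelling both as not real. Removing "Sign-On URL" from the note matches the now fixed `https://hootsuite.com/login`.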
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Hootsuite**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Hootsuite SSO
In this section, you create a user called Britta Simon in Hootsuite. Work with 
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Hootsuite Sign on URL where you can initiate the login flow.
-When you click the Hootsuite tile in the Access Panel, you should be automatically signed in to the Hootsuite for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Hootsuite Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Hootsuite for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Hootsuite tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Hootsuite for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Hootsuite with Azure AD](https://aad.portal.azure.com/)
+Once you configure Hootsuite you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Learningpool Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/learningpool-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Learningpool Act | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and Learningpool Act.
+ Title: 'Tutorial: Azure Active Directory integration with Learning Pool LMS | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Learning Pool LMS.
Previously updated : 02/25/2019 Last updated : 03/06/2021
-# Tutorial: Azure Active Directory integration with Learningpool Act
+# Tutorial: Azure Active Directory integration with Learning Pool LMS
-In this tutorial, you learn how to integrate Learningpool Act with Azure Active Directory (Azure AD).
-Integrating Learningpool Act with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Learning Pool LMS with Azure Active Directory (Azure AD). When you integrate Learning Pool LMS with Azure AD, you can:
-* You can control in Azure AD who has access to Learningpool Act.
-* You can enable your users to be automatically signed-in to Learningpool Act (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Learning Pool LMS.
+* Enable your users to be automatically signed-in to Learning Pool LMS with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Learningpool Act, you need the following items:
-
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Learningpool Act single sign-on enabled subscription
-
-## Scenario description
-
-In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-
-* Learningpool Act supports **SP** initiated SSO
-
-## Adding Learningpool Act from the gallery
+To get started, you need the following items:
-To configure the integration of Learningpool Act into Azure AD, you need to add Learningpool Act from the gallery to your list of managed SaaS apps.
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* An active subscription to Learning Pool LMS with Single Sign-on.
-**To add Learningpool Act from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
+> [!NOTE]
+> When you start a single sign-on project, a member of the Learning Pool LMS Delivery team will guide you through this process. If you are not in contact with a member of the Learning Pool LMS Delivery team, speak to your Learning Pool LMS Account Manager.
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
+## Scenario description
- ![The Enterprise applications blade](common/enterprise-applications.png)
+In this tutorial, you configure and test Azure AD SSO in a test environment.
-3. To add new application, click **New application** button on the top of dialog.
+* Learning Pool LMS supports **SP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+## Adding Learning Pool LMS from the gallery
-4. In the search box, type **Learningpool Act**, select **Learningpool Act** from result panel then click **Add** button to add the application.
+To configure the integration of Learning Pool LMS into Azure AD, you need to add Learning Pool LMS from the gallery to your list of managed SaaS apps.
- ![Learningpool Act in the results list](common/search-new-app.png)
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Learning Pool LMS** in the search box.
+1. Select **Learning Pool LMS** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Learning Pool LMS
-In this section, you configure and test Azure AD single sign-on with Learningpool Act based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Learningpool Act needs to be established.
+Configure and test Azure AD SSO with Learning Pool LMS with an existing Azure user. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Learning Pool LMS.
-To configure and test Azure AD single sign-on with Learningpool Act, you need to complete the following building blocks:
+To configure and test Azure AD SSO with Learning Pool LMS, perform the following steps:
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Learningpool Act Single Sign-On](#configure-learningpool-act-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Learningpool Act test user](#create-learningpool-act-test-user)** - to have a counterpart of Britta Simon in Learningpool Act that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+1. **[Assign an Azure AD user](#assign-an-azure-ad-user)** - to enable that user to use Azure AD single sign-on.
+1. **[Configure Learning Pool LMS SSO](#configure-learning-pool-lms-sso)** - to configure the single sign-on settings on application side.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD single sign-on
+## Configure Azure AD SSO
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Follow these steps to enable Azure AD SSO in the Azure portal.
-To configure Azure AD single sign-on with Learningpool Act, perform the following steps:
+1. In the Azure portal, on the **Learning Pool LMS** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-1. In the [Azure portal](https://portal.azure.com/), on the **Learningpool Act** application integration page, select **Single sign-on**.
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- ![Configure single sign-on link](common/select-sso.png)
+1. On the **Basic SAML Configuration** section, if you have **Service Provider metadata file**, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+ a. Click **Upload metadata file**.
- ![Single sign-on select mode](common/select-saml-option.png)
+ ![Upload metadata file](common/upload-metadata.png)
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+ b. Click on **folder logo** to select the metadata file and click **Upload**.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![choose metadata file](common/browse-upload-metadata.png)
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ c. After the metadata file is successfully uploaded, the **Identifier** value gets auto populated in Basic SAML Configuration section.
- ![Learningpool Act Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type the URL:
+ In the **Sign-on URL** text box, type the URL:
`https://parliament.preview.Learningpool.com/auth/shibboleth/index.php`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
-
- ```http
- https://<subdomain>.Learningpool.com/shibboleth
- https://<subdomain>.preview.Learningpool.com/shibboleth
- ```
-
- > [!NOTE]
- > The Identifier value is not real. Update this value with the actual Identifier. Contact [Learningpool Act Client support team](https://www.learningpool.com/support) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > [!Note]
+ > If the **Identifier** value does not get auto polulated, then please fill in the value manually according to your requirement.
-5. Your Learningpool Act application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open User Attributes dialog.
+5. You must send over at least one attribute which is used to match your Azure Users with the users on Learning Pool LMS. Normally, the default attributes are enough, but in some cases you may need to send over some custom attributes. The following screenshot shows the list of default attributes. Click the **Edit** icon to open the User Attributes dialog and add more attributes if required.
![Screenshot shows User Attributes with the Edit icon selected.](common/edit-attribute.png) 6. In the **User Claims** section on the **User Attributes** dialog, edit the claims by using **Edit icon** or add the claims by using **Add new claim** to configure SAML token attribute as shown in the image above and perform the following steps:
- | Name | Source Attribute|
- | - | -- |
- | urn:oid:1.2.840.113556.1.4.221 | user.userprincipalname |
- | urn:oid:2.5.4.42 | user.givenname |
- | urn:oid:0.9.2342.19200300.100.1.3 | user.mail |
- | urn:oid:2.5.4.4 | user.surname |
- | | |
- a. Click **Add new claim** to open the **Manage user claims** dialog. ![Screenshot shows User claims with the option to Add new claim.](common/new-save-attribute.png)
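Review bot: The new step 5 says at least one attribute is used to match Azure users with Learning Pool LMS users, but this hunk deletes the claim table (the `urn:oid:...` names mapped to `user.userprincipalname`, `user.givenname`, `user.mail` and `user.surname`) without naming the attribute the LMS matches on. The unchanged step 6 still tells the reader to configure claims "as shown in the image above and perform the following steps". Either keep the table or name the matching attribute in step 5, so an administrator knows which claim decides the LMS account a sign-in lands in. Two smaller points in the same hunk: "auto polulated" in the added note should read "auto-populated" (and `[!Note]` is written `[!NOTE]` in the removed text), and the Sign-on URL keeps the literal host `parliament.preview.Learningpool.com` where the removed Identifier lines used a `<subdomain>` pattern, so it reads as one customer's preview site rather than a value to adapt.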
To configure Azure AD single sign-on with Learningpool Act, perform the followin
g. Click **Save**.
-7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/metadataxml.png)
-
-8. On the **Set up Learningpool Act** section, copy the appropriate URL(s) as per your requirement.
-
- ![Copy configuration URLs](common/copy-configuration-urls.png)
-
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Learningpool Act Single Sign-On
-
-To configure single sign-on on **Learningpool Act** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Learningpool Act support team](https://www.learningpool.com/support). They set this setting to have the SAML SSO connection set properly on both sides.
-
-### Create an Azure AD test user
+7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click the Copy button by the **App Federation Metadata Url** and pass that Url back to the Learning Pool Delivery team.
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
+ ![The Certificate download link](common/copy-metadataurl.png)
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
+### Assign an Azure AD user
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Learningpool Act.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Learningpool Act**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Learningpool Act**.
-
- ![The Learningpool Act link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
-
-### Create Learningpool Act test user
-
-To enable Azure AD users to log in to Learningpool Act, they must be provisioned into Learningpool Act.
-
-There is no action item for you to configure user provisioning to Learningpool Act.
-Users need to be created by your [Learningpool Act support team](https://www.Learningpool.com/support).
-
-> [!NOTE]
-> You can use any other Learningpool Act user account creation tools or APIs provided by Learningpool Act to provision Azure AD user accounts.
+In this section, you'll enable an existing Azure AD user to use Azure single sign-on by granting access to Learning Pool LMS.
-### Test single sign-on
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Learning Pool LMS**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select a suitable user from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Configure Learning Pool LMS SSO
-When you click the Learningpool Act tile in the Access Panel, you should be automatically signed in to the Learningpool Act for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+The Learning Pool Delivery team will use the **App Federation Metadata Url** to configure the LMS to accept SAML2 connections. You will be asked to perform some testing steps to verify that the connection is configured correctly and the Learning Pool Delivery team will guide you through this process.
-## Additional Resources
+### Test SSO
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You will be guided through the testing process by the Learning Pool Delivery team.
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Learning Pool LMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
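Review bot: The removed "Create Learningpool Act test user" section stated that users must be provisioned into the application before they can log in, and nothing added in this hunk replaces it. The new "Configure Learning Pool LMS SSO" and "Test SSO" text only says the Learning Pool Delivery team will guide the process. Since step 5 relies on matching an attribute against existing LMS users, add a sentence saying who creates those LMS accounts and that they must exist before testing. Also, `### Test SSO` is an H3 while `## Configure Learning Pool LMS SSO` and `## Configure Azure AD SSO` are H2, so it nests under the LMS section even though the checklist at the top lists it as a separate step. The last added line has an encoding fault ("organizationΓÇÖs") and "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration".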
active-directory Lr Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/lr-tutorial.md
Previously updated : 04/14/2019 Last updated : 05/27/2021 # Tutorial: Azure Active Directory integration with LoginRadius
-In this tutorial, you learn how to integrate LoginRadius with Azure Active Directory (Azure AD).
+In this tutorial, you'll learn how to integrate LoginRadius with Azure Active Directory (Azure AD). When you integrate LoginRadius with Azure AD, you can:
-Integrating LoginRadius with Azure AD provides you with the following benefits:
-
-* You can control in Azure AD who has access to LoginRadius.
-* You can enable your users to be automatically signed-in to LoginRadius (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to LoginRadius.
+* Enable your users to be automatically signed-in to LoginRadius with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with LoginRadius, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* A LoginRadius single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* A LoginRadius single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* LoginRadius supports **SP** initiated SSO
-
-## Adding LoginRadius from the gallery
-
-To configure the integration of LoginRadius into Azure AD, you need to add LoginRadius from the gallery to your list of managed SaaS apps.
-
-**To add LoginRadius from the gallery:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, select the **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Go to **Enterprise Applications**, and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add a new application, select the **New application** button:
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, enter **LoginRadius**, select **LoginRadius** in the result panel, and then select the **Add** button to add the application.
-
- ![LoginRadius in the results list](common/search-new-app.png)
+* LoginRadius supports **SP** initiated SSO.
-## Configure and test Azure AD single sign-on
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-In this section, you configure and test Azure AD single sign-on with LoginRadius based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in LoginRadius needs to be established.
+## Add LoginRadius from the gallery
-To configure and test Azure AD single sign-on with LoginRadius, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure LoginRadius Single Sign-On](#configure-loginradius-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create LoginRadius test user](#create-loginradius-test-user)** - to have a counterpart of Britta Simon in LoginRadius that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
-
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure the integration of LoginRadius into Azure AD, you need to add LoginRadius from the gallery to your list of managed SaaS apps.
-To configure Azure AD single sign-on with LoginRadius, perform the following steps:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **LoginRadius** in the search box.
+1. Select **LoginRadius** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. In the [Azure portal](https://portal.azure.com/), on the **LoginRadius** application integration page, select **Single sign-on**.
+## Configure and test Azure AD SSO for LoginRadius
- ![Configure single sign-on link](common/select-sso.png)
+Configure and test Azure AD SSO with LoginRadius using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in LoginRadius.
-2. On the **Select a Single sign-on method** pane, select **SAML/WS-Fed** mode to enable single sign-on.
+To configure and test Azure AD SSO with LoginRadius, perform the following steps:
- ![Single sign-on select mode](common/select-saml-option.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure LoginRadius SSO](#configure-loginradius-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create LoginRadius test user](#create-loginradius-test-user)** - to have a counterpart of B.Simon in LoginRadius that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-3. On the **Set up Single Sign-On with SAML** page, select the **Edit** icon to open the **Basic SAML Configuration** pane.
+## Configure Azure AD SSO
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-4. On the **Basic SAML Configuration** section:
+1. In the Azure portal, on the **LoginRadius** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![LoginRadius Domain and URLs single sign-on information](common/sp-identifier.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- 1. In the **Sign on URL** text box, enter the URL `https://secure.loginradius.com/login`
+4. On the **Basic SAML Configuration** section, perform the following steps:
1. In the **Identifier (Entity ID)** text box, enter the URL `https://lr.hub.loginradius.com/` 1. In the **Reply URL (Assertion Consumer Service URL)** textbox, enter the LoginRadius ACS URL `https://lr.hub.loginradius.com/saml/serviceprovider/AdfsACS.aspx`
+ 1. In the **Sign on URL** text box, enter the URL `https://secure.loginradius.com/login`
+ 5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, select **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. ![The Certificate download link](common/metadataxml.png)
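Review bot: The added steps under "Configure Azure AD SSO" use `1.` auto-numbering for the first three items, but the next added step is hard-coded as `4.` and the following one stays `5.`. Pick one convention for the list; if the screenshot between steps 3 and 4 is what breaks auto-numbering, indent the image under step 3 so the list continues. The reorder that moves the Sign on URL below the Identifier and Reply URL is fine, but the three sub-items should then all sit under the new step 4 with the same indentation.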
To configure Azure AD single sign-on with LoginRadius, perform the following ste
![Copy configuration URLs](common/copy-configuration-urls.png)
- - Login URL
+### Create an Azure AD test user
- - Azure AD Identifier
+In this section, you'll create a test user in the Azure portal called B.Simon.
- - Logout URL
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to LoginRadius.
-## Configure LoginRadius Single Sign-On
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **LoginRadius**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure LoginRadius SSO
In this section, you enable Azure AD single sign-on in the LoginRadius Admin Console.
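Review bot: Deleting the "Login URL", "Azure AD Identifier" and "Logout URL" bullets leaves the "Copy configuration URLs" screenshot with no text saying which values to copy. The section that follows configures the LoginRadius Admin Console from values taken from Azure, so a reader needs to know which of the three to carry over. Keep the bullets, or replace them with one sentence naming the values the LoginRadius setup page asks for.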
In this section, you enable Azure AD single sign-on in the LoginRadius Admin Con
3. Select the **Single Sign-On** tab, and then select **Azure AD**: ![Screenshot that shows the single-sign-on menu in the LoginRadius Team Management console](./media/loginradius-tutorial/azure-ad.png)+ 4. In the Azure AD setup page, complete the following steps: ![Screenshot that shows Azure Active Directory configuration in the LoginRadius Team Management console](./media/loginradius-tutorial/single-sign-on.png)
In this section, you enable Azure AD single sign-on in the LoginRadius Admin Con
> [!NOTE] > The **Email** field mapping is required. **FirstName** and **LastName** field mappings are optional.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user called Britta Simon in the Azure portal.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In **User** properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- 1. In the **Name** field, enter **BrittaSimon**.
-
- 1. In the **User name** field, enter `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com.
-
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
-
- 1. Select **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to LoginRadius.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **LoginRadius**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **LoginRadius**.
-
- ![The LoginRadius link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Select the **Add user** button, then select **Users and groups** in the **Add Assignment** pane.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** pane, select **Britta Simon** in the **Users** list, then choose the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion, in the **Select Role** pane, select the appropriate role for the user from the list. Then, choose the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** pane, select the **Assign** button.
- ### Create LoginRadius test user 1. Log in to your LoginRadius [Admin Console](https://adminconsole.loginradius.com/login) account.
In this section, you enable Britta Simon to use Azure single sign-on by granting
2. Go to your team management section in the LoginRadius Admin Console. ![Screenshot that shows the LoginRadius Admin Console](./media/loginradius-tutorial/team-management.png)+ 3. Select **Add Team Member** in the side menu to open the form. 4. In the **Add Team Member** form, you create a user called Britta Simon in your LoginRadius site by providing the user's details and assigning the permissions you want the user to have. To know more about the permissions based on roles, see the [Role Access Permissions](https://www.loginradius.com/docs/api/v2/admin-console/team-management/manage-team-members#roleaccesspermissions0) section of the LoginRadius [Manage Team Members](https://www.loginradius.com/docs/api/v2/admin-console/team-management/manage-team-members#roleaccesspermissions0) document. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration using MyApps.
1. In a browser, go to https://accounts.loginradius.com/auth.aspx and select **Fed SSO log in**. 2. Enter your LoginRadius app name, and then select **Login**. 3. It should open a pop-up for asking you to sign in to your Azure AD account. 4. After the authentication, your pop-up will close and you will be logged in to the LoginRadius Admin Console.
-## Additional Resources
--- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)--- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure LoginRadius you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
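Review bot: The test user is renamed to B.Simon everywhere else in this file, but the unchanged step 4 of "Create LoginRadius test user" still says "you create a user called Britta Simon in your LoginRadius site", so the Azure AD test user and its LoginRadius counterpart no longer share a name in the text. Update that step to B.Simon. The new intro line "you test your Azure AD single sign-on configuration using MyApps" also does not match the steps below it, which start at `https://accounts.loginradius.com/auth.aspx` with "Fed SSO log in" (the SP-initiated flow the scenario section describes). Describe that flow instead of MyApps. The last added line carries the same encoding fault as the other tutorials ("organizationΓÇÖs").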
active-directory Meta4 Global Hr Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/meta4-global-hr-tutorial.md
Previously updated : 05/09/2019 Last updated : 06/03/2021 # Tutorial: Azure Active Directory integration with Meta4 Global HR
-In this tutorial, you learn how to integrate Meta4 Global HR with Azure Active Directory (Azure AD).
-Integrating Meta4 Global HR with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Meta4 Global HR with Azure Active Directory (Azure AD). When you integrate Meta4 Global HR with Azure AD, you can:
-* You can control in Azure AD who has access to Meta4 Global HR.
-* You can enable your users to be automatically signed-in to Meta4 Global HR (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Meta4 Global HR.
+* Enable your users to be automatically signed-in to Meta4 Global HR with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Meta4 Global HR, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Meta4 Global HR single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Meta4 Global HR single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
+* Meta4 Global HR supports **SP and IDP** initiated SSO.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-* Meta4 Global HR supports **SP and IDP** initiated SSO
---
-## Adding Meta4 Global HR from the gallery
+## Add Meta4 Global HR from the gallery
To configure the integration of Meta4 Global HR into Azure AD, you need to add Meta4 Global HR from the gallery to your list of managed SaaS apps.
-**To add Meta4 Global HR from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add a new application, click the **New application** button on the top of the dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Meta4 Global HR**, select **Meta4 Global HR** from the result panel then click the **Add** button to add the application.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Meta4 Global HR** in the search box.
+1. Select **Meta4 Global HR** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
- ![Meta4 Global HR in the results list](common/search-new-app.png)
+## Configure and test Azure AD SSO for Meta4 Global HR
-## Configure and test Azure AD single sign-on
+Configure and test Azure AD SSO with Meta4 Global HR using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Meta4 Global HR.
-In this section, you configure and test Azure AD single sign-on with Meta4 Global HR based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Meta4 Global HR needs to be established.
+To configure and test Azure AD SSO with Meta4 Global HR, perform the following steps:
-To configure and test Azure AD single sign-on with Meta4 Global HR, you need to complete the following building blocks:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Meta4 Global HR SSO](#configure-meta4-global-hr-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Meta4 Global HR test user](#create-meta4-global-hr-test-user)** - to have a counterpart of B.Simon in Meta4 Global HR that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Meta4 Global HR Single Sign-On](#configure-meta4-global-hr-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Meta4 Global HR test user](#create-meta4-global-hr-test-user)** - to have a counterpart of Britta Simon in Meta4 Global HR that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure Azure AD SSO
-### Configure Azure AD single sign-on
+Follow these steps to enable Azure AD SSO in the Azure portal.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. In the Azure portal, on the *Meta4 Global HR** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-To configure Azure AD single sign-on with Meta4 Global HR, perform the following steps:
-
-1. In the [Azure portal](https://portal.azure.com/), on the **Meta4 Global HR** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click the **Edit** icon to open the **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Reply U R L and select Save.](common/both-replyurl.png)
- In the **Reply URL** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.meta4globalhr.com/saml.sso/SAML2/POST` 5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/both-signonurl.png)
- In the **Sign-on URL** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.meta4globalhr.com`
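Review bot: The bold markup in the first added step under Configure Azure AD SSO is unbalanced. `*Meta4 Global HR**` opens with one asterisk and closes with two, so the application name will render with a stray asterisk instead of in bold; change it to `**Meta4 Global HR**`. The added steps also use `1.` auto-numbering while the unchanged steps that follow are still hard-numbered `4.` and `5.`, so renumber those to match.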
To configure Azure AD single sign-on with Meta4 Global HR, perform the following
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure Meta4 Global HR Single Sign-On
-
-To configure single sign-on on **Meta4 Global HR** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Meta4 Global HR support team](mailto:victors@meta4.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Meta4 Global HR.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Meta4 Global HR.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Meta4 Global HR**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Meta4 Global HR**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Meta4 Global HR SSO
-2. In the applications list, select **Meta4 Global HR**.
-
- ![The Meta4 Global HR link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
+To configure single sign-on on **Meta4 Global HR** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Meta4 Global HR support team](mailto:victors@meta4.com). They set this setting to have the SAML SSO connection set properly on both sides.
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create Meta4 Global HR test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon in Meta4 Global HR. Work with [Meta4 Global HR support team](mailto:victors@meta4.com) to add the users in the Meta4 Global HR platform. Users must be created and activated before you use single sign-on.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create Meta4 Global HR test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you create a user called Britta Simon in Meta4 Global HR. Work with [Meta4 Global HR support team](mailto:victors@meta4.com) to add the users in the Meta4 Global HR platform. Users must be created and activated before you use single sign-on.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to Meta4 Global HR Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Meta4 Global HR Sign-on URL directly and initiate the login flow from there.
-When you click the Meta4 Global HR tile in the Access Panel, you should be automatically signed in to the Meta4 Global HR for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Meta4 Global HR for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Meta4 Global HR tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Meta4 Global HR for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Meta4 Global HR you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
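Review bot: The added Create Meta4 Global HR test user paragraph still calls the test user Britta Simon, while the create and assign sections in this same change rename the Azure AD test user to B.Simon. Use one name throughout so it is clear which account must exist and be activated on the Meta4 side before SSO is tested. In Test SSO, the new `#### SP initiated:` and `#### IDP initiated:` headings skip a level under `## Test SSO` and carry a trailing colon; `###` without the colon would match the rest of the article.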
active-directory Nexsure Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/nexsure-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Nexsure | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Nexsure.
++++++++ Last updated : 06/03/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Nexsure
+
+In this tutorial, you'll learn how to integrate Nexsure with Azure Active Directory (Azure AD). When you integrate Nexsure with Azure AD, you can:
+
+* Control in Azure AD who has access to Nexsure.
+* Enable your users to be automatically signed-in to Nexsure with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Nexsure single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Nexsure supports **IDP** initiated SSO.
+
+## Add Nexsure from the gallery
+
+To configure the integration of Nexsure into Azure AD, you need to add Nexsure from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Nexsure** in the search box.
+1. Select **Nexsure** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Nexsure
+
+Configure and test Azure AD SSO with Nexsure using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Nexsure.
+
+To configure and test Azure AD SSO with Nexsure, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Nexsure SSO](#configure-nexsure-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Nexsure test user](#create-nexsure-test-user)** - to have a counterpart of B.Simon in Nexsure that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Nexsure** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Nexsure** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Nexsure.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Nexsure**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Nexsure SSO
+
+To configure single sign-on on **Nexsure** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Nexsure support team](mailto:nexsure.support@xdti.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Nexsure test user
+
+In this section, you create a user called Britta Simon in Nexsure. Work with [Nexsure support team](mailto:nexsure.support@xdti.com) to add the users in the Nexsure platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on Test this application in Azure portal and you should be automatically signed in to the Nexsure for which you set up the SSO.
+
+* You can use Microsoft My Apps. When you click the Nexsure tile in the My Apps, you should be automatically signed in to the Nexsure for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Nexsure you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
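Review bot: In Configure Azure AD SSO, step 3 tells the reader to click the pencil icon to edit Basic SAML Configuration, and the next step then says no action is needed because the app is pre-integrated. Either drop the edit step and its screenshot, or say what the reader should verify in that dialog. Create Nexsure test user also names Britta Simon where the rest of the new file uses B.Simon.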
active-directory Nimblex Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/nimblex-tutorial.md
Previously updated : 03/18/2019 Last updated : 05/27/2021 # Tutorial: Azure Active Directory integration with Nimblex
-In this tutorial, you learn how to integrate Nimblex with Azure Active Directory (Azure AD).
-Integrating Nimblex with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Nimblex with Azure Active Directory (Azure AD). When you integrate Nimblex with Azure AD, you can:
-* You can control in Azure AD who has access to Nimblex.
-* You can enable your users to be automatically signed-in to Nimblex (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Nimblex.
+* Enable your users to be automatically signed-in to Nimblex with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Nimblex, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Nimblex single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Nimblex single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Nimblex supports **SP** initiated SSO
+* Nimblex supports **SP** initiated SSO.
-* Nimblex supports **Just In Time** user provisioning
+* Nimblex supports **Just In Time** user provisioning.
-## Adding Nimblex from the gallery
+## Add Nimblex from the gallery
To configure the integration of Nimblex into Azure AD, you need to add Nimblex from the gallery to your list of managed SaaS apps.
-**To add Nimblex from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Nimblex**, select **Nimblex** from result panel then click **Add** button to add the application.
-
- ![Nimblex in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Nimblex based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Nimblex needs to be established.
-
-To configure and test Azure AD single sign-on with Nimblex, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Nimblex** in the search box.
+1. Select **Nimblex** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Nimblex Single Sign-On](#configure-nimblex-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Nimblex test user](#create-nimblex-test-user)** - to have a counterpart of Britta Simon in Nimblex that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Nimblex
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Nimblex using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Nimblex.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Nimblex, perform the following steps:
-To configure Azure AD single sign-on with Nimblex, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Nimblex SSO](#configure-nimblex-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Nimblex test user](#create-nimblex-test-user)** - to have a counterpart of B.Simon in Nimblex that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Nimblex** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Nimblex** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set-up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Nimblex Domain and URLs single sign-on information](common/sp-identifier-reply.png)
- a. In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<YOUR APPLICATION PATH>/Login.aspx`
+ `https://<YOUR_APPLICATION_PATH>/Login.aspx`
b. In the **Identifier** box, type a URL using the following pattern:
- `https://<YOUR APPLICATION PATH>/`
+ `https://<YOUR_APPLICATION_PATH>/`
c. In the **Reply URL** text box, type a URL using the following pattern: `https://<path-to-application>/SamlReply.aspx`
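Review bot: The placeholder rename in Basic SAML Configuration is only half applied. Sign-on URL and Identifier now use `<YOUR_APPLICATION_PATH>`, but the unchanged Reply URL line right after them still uses `<path-to-application>`. Use the same placeholder in all three patterns so it is clear they share one application path. The unchanged step heading is also still hard-numbered `4.` after the added `1.` steps.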
To configure Azure AD single sign-on with Nimblex, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure Nimblex Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to NAVEX One.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **NAVEX One**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Nimblex SSO
1. In a different web browser window, sign in to Nimblex as a Security Administrator. 2. On the top right-side of the page, click **Settings** logo.
- ![Screenshot shows the Settings icon.](./media/nimblex-tutorial/tutorial_nimblex_settings.png)
+ ![Screenshot shows the Settings icon.](./media/nimblex-tutorial/settings.png)
3. On the **Control Panel** page, under **Security** section click **Single Sign-on**.
- ![Screenshot shows Single Sign-on selected from the Security menu.](./media/nimblex-tutorial/tutorial_nimblex_single.png)
+ ![Screenshot shows Single Sign-on selected from the Security menu.](./media/nimblex-tutorial/security.png)
4. On the **Manage Single Sign-On** page, select your instance name and click **Edit**.
- ![Screenshot shows Manage Single Sign-On where you can select Edit.](./media/nimblex-tutorial/tutorial_nimblex_saml.png)
+ ![Screenshot shows Manage Single Sign-On where you can select Edit.](./media/nimblex-tutorial/edit-tab.png)
5. On the **Edit SSO Provider** page, perform the following steps:
- ![Screenshot shows Edit S S O Provider where you can enter the values described.](./media/nimblex-tutorial/tutorial_nimblex_sso.png)
+ ![Screenshot shows Edit S S O Provider where you can enter the values described.](./media/nimblex-tutorial/certificate.png)
a. In the **Description** textbox, type your instance name.
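Review bot: The added Assign the Azure AD test user section names the wrong application. The intro says "granting access to NAVEX One" and step 2 says to select **NAVEX One**, but this is the Nimblex tutorial; a reader following it as written would not assign B.Simon to the Nimblex enterprise app. Replace both occurrences with Nimblex. The four screenshot paths are also renamed (settings.png, security.png, edit-tab.png, certificate.png), so confirm the media files are renamed in the same commit.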
To configure Azure AD single sign-on with Nimblex, perform the following steps:
d. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field, type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Nimblex.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Nimblex**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Nimblex**.
-
- ![The Nimblex link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog, select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog, click the **Assign** button.
- ### Create Nimblex test user In this section, a user called Britta Simon is created in Nimblex. Nimblex supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Nimblex, a new one is created after authentication.
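Review bot: The Create Nimblex test user paragraph kept at the end of this hunk still refers to Britta Simon, although the change renames the test user to B.Simon in the sections it adds. Because the paragraph says the Nimblex user is created after authentication, the account that appears will be the B.Simon one, so update the name here as well.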
In this section, a user called Britta Simon is created in Nimblex. Nimblex suppo
>[!Note] >If you need to create a user manually, contact [Nimblex Client support team](mailto:support@ebms.com.au).
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Nimblex tile in the Access Panel, you should be automatically signed in to the Nimblex for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Nimblex Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Nimblex Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Nimblex tile in the My Apps, this will redirect to Nimblex Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Nimblex you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
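Review bot: The added Next steps sentence reads "protects exfiltration and infiltration of your organization's sensitive data", which says the opposite of what is meant; it should be "protects against". The apostrophe in that sentence is a typographic one and is already showing up mis-encoded, so use a plain ASCII apostrophe. The Test SSO intro needs "with the following options". The same sentences appear in the Meta4 Global HR and Nexsure changes in this update.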
active-directory Onit Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/onit-tutorial.md
Previously updated : 08/28/2019 Last updated : 05/31/2021
In this tutorial, you'll learn how to integrate Onit with Azure Active Directory
* Enable your users to be automatically signed-in to Onit with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Onit supports **SP** initiated SSO
+* Onit supports **SP** initiated SSO.
-## Adding Onit from the gallery
+## Add Onit from the gallery
To configure the integration of Onit into Azure AD, you need to add Onit from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Onit** in the search box. 1. Select **Onit** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Onit
+## Configure and test Azure AD SSO for Onit
Configure and test Azure AD SSO with Onit using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Onit.
-To configure and test Azure AD SSO with Onit, complete the following building blocks:
+To configure and test Azure AD SSO with Onit, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Onit, complete the following building bl
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Onit** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Onit** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<sub-domain>.onit.com`
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.onit.com`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<sub-domain>.onit.com`
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.onit.com`
> [!NOTE] > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Onit Client support team](https://www.onit.com/support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
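Review bot: After the reorder, steps a and b show the identical pattern `https://<SUBDOMAIN>.onit.com` for both **Identifier (Entity ID)** and **Sign on URL**, and the note under them only says the values "are not real". State explicitly whether the same tenant URL is expected in both boxes, so the reader does not have to guess at the Entity ID value.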
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Onit**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Onit SSO
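Review bot: The rewritten role step drops the reason a reader would pick a role. The removed line tied the choice to "any role value in the SAML assertion", while the new line says only "If you are expecting a role to be assigned to the users". Suggest keeping the assertion wording, for example "If the application expects a role in the SAML assertion, select it from the **Select a role** dropdown", and changing "you see "Default Access" role selected" to "the "Default Access" role is selected".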
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. In the menu on the top, click **Administration**.
- ![Screenshot that shows the menu at the top of the "M S S S O Test" page with the "Administration" action selected.](./media/onit-tutorial/IC791174.png "Administration")
+ ![Screenshot that shows the menu at the top of the "M S S S O Test" page with the "Administration" action selected.](./media/onit-tutorial/admin.png "Administration")
3. Click **Edit Corporation**.
- ![Edit Corporation](./media/onit-tutorial/IC791175.png "Edit Corporation")
+ ![Edit Corporation](./media/onit-tutorial/corporation.png "Edit Corporation")
4. Click the **Security** tab.
- ![Edit Company Information](./media/onit-tutorial/IC791176.png "Edit Company Information")
+ ![Edit Company Information](./media/onit-tutorial/security.png "Edit Company Information")
5. On the **Security** tab, perform the following steps:
- ![Single Sign-On](./media/onit-tutorial/IC791177.png "Single Sign-On")
+ ![Single Sign-On](./media/onit-tutorial/configuration.png "Single Sign-On")
a. As **Authentication Strategy**, select **Single Sign On and Password**.
In order to enable Azure AD users to log into Onit, they must be provisioned int
2. Click **Add User**.
- ![Administration](./media/onit-tutorial/IC791180.png "Administration")
+ ![Administration](./media/onit-tutorial/user.png "Administration")
3. On the **Add User** dialog page, perform the following steps:
- ![Add User](./media/onit-tutorial/IC791181.png "Add User")
+ ![Add User](./media/onit-tutorial/create-user.png "Add User")
a. Type the **Name** and the **Email Address** of a valid Azure AD account you want to provision into the related textboxes.
In order to enable Azure AD users to log into Onit, they must be provisioned int
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Onit tile in the Access Panel, you should be automatically signed in to the Onit for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Onit Sign-on URL where you can initiate the login flow.
-## Additional resources
+* Go to Onit Sign-on URL directly and initiate the login flow from there.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Onit tile in the My Apps, this will redirect to Onit Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Onit you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
-- [Try Onit with Azure AD](https://aad.portal.azure.com/)
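Review bot: In the added **Next steps** paragraph, "protects exfiltration and infiltration of your organization's sensitive data" reads as if session control protects the exfiltration itself; it should be "protects against exfiltration and infiltration". The possessive in that same line appears as garbled bytes instead of an apostrophe, so use a plain ASCII apostrophe in the source. In the **Test SSO** intro, "with following options" needs "the".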
active-directory Postman Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/postman-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Postman | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Postman.
++++++++ Last updated : 06/04/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Postman
+
+In this tutorial, you'll learn how to integrate Postman with Azure Active Directory (Azure AD). When you integrate Postman with Azure AD, you can:
+
+* Control in Azure AD who has access to Postman.
+* Enable your users to be automatically signed-in to Postman with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Postman single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Postman supports **SP and IDP** initiated SSO.
+* Postman supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add Postman from the gallery
+
+To configure the integration of Postman into Azure AD, you need to add Postman from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Postman** in the search box.
+1. Select **Postman** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Postman
+
+Configure and test Azure AD SSO with Postman using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Postman.
+
+To configure and test Azure AD SSO with Postman, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Postman SSO](#configure-postman-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Postman test user](#create-postman-test-user)** - to have a counterpart of B.Simon in Postman that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Postman** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step:
+
+ In the **Reply URL** text box, type a URL using the following pattern:
+ `https://identity.getpostman.com/sso/<INSTANCE_NAME>/callback`
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://identity.getpostman.com/sso/<INSTANCE_NAME>/init`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Reply URL and Sign-on URL. Contact [Postman Client support team](mailto:help@getpostman.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. Your Postman application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier** is **user.userprincipalname** but Postman expects this to be mapped with the user's email address. For that you can use **user.mail** attribute from the list or use the appropriate attribute value based on your organization configuration.
+
+ ![image](common/default-attributes.png)
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+1. On the **Set up Postman** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Postman.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Postman**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Postman SSO
+
+To configure single sign-on on **Postman** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Postman support team](mailto:help@getpostman.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Postman test user
+
+In this section, a user called Britta Simon is created in Postman. Postman supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Postman, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Postman Sign on URL where you can initiate the login flow.
+
+* Go to Postman Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Postman for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Postman tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Postman for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Postman you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
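Review bot: The attribute step that maps **Unique User Identifier** to **user.mail** should say what to do when a user's mail attribute is empty, because the "Create Postman test user" section states that just-in-time provisioning is enabled by default and a new Postman user is created after authentication. Suggest adding a sentence that the mail attribute must be populated for every assigned user before SSO is enabled. The test user is also named "B.Simon" everywhere except "a user called Britta Simon is created in Postman"; use one name. In the **SAML Signing Certificate** step, "select **Download** to download the certificate" describes the Federation Metadata XML as a certificate; call it the metadata file, since "Configure Postman SSO" later refers to it by that name.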
active-directory Readcube Papers Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/readcube-papers-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with ReadCube Papers | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and ReadCube Papers.
++++++++ Last updated : 06/03/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with ReadCube Papers
+
+In this tutorial, you'll learn how to integrate ReadCube Papers with Azure Active Directory (Azure AD). When you integrate ReadCube Papers with Azure AD, you can:
+
+* Control in Azure AD who has access to ReadCube Papers.
+* Enable your users to be automatically signed-in to ReadCube Papers with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* ReadCube Papers single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* ReadCube Papers supports **SP** initiated SSO.
+* ReadCube Papers supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add ReadCube Papers from the gallery
+
+To configure the integration of ReadCube Papers into Azure AD, you need to add ReadCube Papers from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **ReadCube Papers** in the search box.
+1. Select **ReadCube Papers** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for ReadCube Papers
+
+Configure and test Azure AD SSO with ReadCube Papers using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ReadCube Papers.
+
+To configure and test Azure AD SSO with ReadCube Papers, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure ReadCube Papers SSO](#configure-readcube-papers-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create ReadCube Papers test user](#create-readcube-papers-test-user)** - to have a counterpart of B.Simon in ReadCube Papers that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **ReadCube Papers** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, perform the following step:
+
+ a. In the **Sign on URL** text box, type the URL:
+ `https://app.readcube.com`
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+ ![The Certificate download link](common/copy-metadataurl.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ReadCube Papers.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **ReadCube Papers**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure ReadCube Papers SSO
+
+To configure single sign-on on **ReadCube Papers** side, you need to send the **App Federation Metadata Url** to [ReadCube Papers support team](mailto:support@readcube.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create ReadCube Papers test user
+
+In this section, a user called Britta Simon is created in ReadCube Papers. ReadCube Papers supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in ReadCube Papers, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to ReadCube Papers Sign-on URL where you can initiate the login flow.
+
+* Go to ReadCube Papers Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the ReadCube Papers tile in the My Apps, this will redirect to ReadCube Papers Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure ReadCube Papers you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
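Review bot: In the **SAML Signing Certificate** step, the instruction is to copy the **App Federation Metadata Url**, but the image alt text under it is "The Certificate download link" and the sentence has a stray capital in "page, In the". Align the alt text with the copy-URL action, and since "save it on your computer" describes a file rather than a URL, say where the copied URL should be kept until it is sent to the support team. The **Basic SAML Configuration** step also labels its only sub-step "a."; drop the letter.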
active-directory Sailpoint Identitynow Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sailpoint-identitynow-tutorial.md
Previously updated : 11/04/2020 Last updated : 05/31/2021
In this tutorial, you'll learn how to integrate SailPoint IdentityNow with Azure
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* SailPoint IdentityNow single sign-on (SSO) enabled subscription.
+* SailPoint IdentityNow active subscription. If you do not have IdentityNow, please contact [SailPoint IdentityNow support team](mailto:support@sailpoint.com).
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* SailPoint IdentityNow supports **SP and IDP** initiated SSO
+* SailPoint IdentityNow supports **SP and IDP** initiated SSO.
## Adding SailPoint IdentityNow from the gallery
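Review bot: The prerequisite change replaces "single sign-on (SSO) enabled subscription" with "active subscription", which no longer tells the reader that SSO has to be available on the IdentityNow side. If every active subscription includes SSO, say so; otherwise keep the SSO wording. The unchanged heading "## Adding SailPoint IdentityNow from the gallery" at the end of this hunk was also left as is, while the Onit and Segment headings in this same update were renamed to the "Add Onit from the gallery" form.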
To configure the integration of SailPoint IdentityNow into Azure AD, you need to
1. In the **Add from the gallery** section, type **SailPoint IdentityNow** in the search box. 1. Select **SailPoint IdentityNow** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for SailPoint IdentityNow Configure and test Azure AD SSO with SailPoint IdentityNow using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SailPoint IdentityNow.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **SailPoint IdentityNow** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://<TENANT_NAME>.identitynow.com/sp`
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up SailPoint IdentityNow** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you test your Azure AD single sign-on configuration with follow
#### SP initiated:
-1. Click on **Test this application** in Azure portal. This will redirect to SailPoint IdentityNow Sign on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to SailPoint IdentityNow Sign on URL where you can initiate the login flow.
-1. Go to SailPoint IdentityNow Sign-on URL directly and initiate the login flow from there.
+* Go to SailPoint IdentityNow Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the SailPoint IdentityNow for which you set up the SSO
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the SailPoint IdentityNow for which you set up the SSO.
-You can also use Microsoft Access Panel to test the application in any mode. When you click the SailPoint IdentityNow tile in the Access Panel, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SailPoint IdentityNow for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+You can also use Microsoft My Apps to test the application in any mode. When you click the SailPoint IdentityNow tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SailPoint IdentityNow for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure SailPoint IdentityNow you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure SailPoint IdentityNow you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Segment Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/segment-tutorial.md
Previously updated : 06/18/2020 Last updated : 05/28/2021
In this tutorial, you'll learn how to integrate Segment with Azure Active Direct
* Enable your users to be automatically signed-in to Segment with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Segment supports **SP and IDP** initiated SSO
-* Segment supports **Just In Time** user provisioning
-
-* Once you configure Segment you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Segment supports **SP and IDP** initiated SSO.
+* Segment supports **Just In Time** user provisioning.
-## Adding Segment from the gallery
+## Add Segment from the gallery
To configure the integration of Segment into Azure AD, you need to add Segment from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Segment** in the search box. 1. Select **Segment** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Segment
+## Configure and test Azure AD SSO for Segment
Configure and test Azure AD SSO with Segment using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Segment.
-To configure and test Azure AD SSO with Segment, complete the following building blocks:
+To configure and test Azure AD SSO with Segment, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
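Review bot: The **Scenario description** change deletes the bullet that begins "Once you configure Segment you can enforce session control", and nothing in this hunk puts it back. The Onit, Postman and ReadCube Papers tutorials in this update carry that text under **Next steps**; confirm the Segment article does the same so the Conditional Access pointer is not lost. The removed bullet linked to `/cloud-app-security/proxy-deployment-any-app`, while those tutorials link to `/cloud-app-security/proxy-deployment-aad`, so use the latter if the text is re-added.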
To configure and test Azure AD SSO with Segment, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Segment** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Segment** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `urn:auth0:segment-prod:samlp-<CUSTOMER_VALUE>`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Segment**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Segment SSO
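Review bot: The replacement role step drops the connection to the SAML assertion that the removed line made explicit ("If you're expecting any role value in the SAML assertion"), so a reader no longer learns that the role chosen here is what the application receives as its role value. Suggest keeping that link in the new wording, for example "If you expect a role value in the SAML assertion, select it from the **Select a role** dropdown." The second sentence also needs an article: "you see the "Default Access" role selected".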
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on **Settings Icon** and scroll down to **AUTHENTICATION** and click on **Connections**.
- ![Screenshot that shows the "Settings" icon selected, and "Connections" selected from the "Authentication" menu.](./media/segment-tutorial/segment1.PNG)
+ ![Screenshot that shows the "Settings" icon selected, and "Connections" selected from the "Authentication" menu.](./media/segment-tutorial/connections.PNG)
1. Click on **Add new Connection**.
- ![Screenshot that shows the "Connections" section with the "Add new Connection" button selected.](./media/segment-tutorial/segment2.PNG)
+ ![Screenshot that shows the "Connections" section with the "Add new Connection" button selected.](./media/segment-tutorial/new-connections.PNG)
1. Select **SAML 2.0** as a connection to configure and click on **Select Connection** button.
- ![Screenshot that shows the "Choose a Connection" section with "S A M L 2.0" and the "Select Connection" button selected.](./media/segment-tutorial/segment3.PNG)
+ ![Screenshot that shows the "Choose a Connection" section with "S A M L 2.0" and the "Select Connection" button selected.](./media/segment-tutorial/select-connections.PNG)
1. On the following page, perform the following steps:
- ![Screenshot that shows the "Configure Identity Provider" page with the "Single Sign-On U R L" and "Audience U R L" text boxes highlighted, and the "Next" button selected.](./media/segment-tutorial/segment4.PNG)
+ ![Screenshot that shows the "Configure Identity Provider" page with the "Single Sign-On U R L" and "Audience U R L" text boxes highlighted, and the "Next" button selected.](./media/segment-tutorial/configure.PNG)
a. Copy the **Single Sign-On URL** value and paste it into the **Reply URL** box in the **Basic SAML Configuration** dialog box in the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
c. Click on **Next**.
- ![Segment Configuration](./media/segment-tutorial/segment5.PNG)
+ ![Segment Configuration](./media/segment-tutorial/certificate.PNG)
1. In the **SAML 2.0 Endpoint URL** box, paste the **Login URL** value that you copied from the Azure portal.
In this section, a user called B.Simon is created in Segment. Segment supports j
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Segment tile in the Access Panel, you should be automatically signed in to the Segment for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Segment Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Segment Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Segment for which you set up the SSO.
-- [Try Segment with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Segment tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Segment for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Segment with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Segment you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
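Review bot: In the added "Next steps" paragraph, "protects exfiltration and infiltration of your organization's sensitive data" reads as though session control safeguards the exfiltration itself; suggest "protects against exfiltration and infiltration". The added intro line under "Test SSO" is also missing an article and should read "with the following options".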
active-directory Simple Sign Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/simple-sign-tutorial.md
Previously updated : 05/02/2019 Last updated : 06/03/2021 # Tutorial: Azure Active Directory integration with Simple Sign
-In this tutorial, you learn how to integrate Simple Sign with Azure Active Directory (Azure AD).
-Integrating Simple Sign with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Simple Sign with Azure Active Directory (Azure AD). When you integrate Simple Sign with Azure AD, you can:
-* You can control in Azure AD who has access to Simple Sign.
-* You can enable your users to be automatically signed-in to Simple Sign (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Simple Sign.
+* Enable your users to be automatically signed-in to Simple Sign with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Simple Sign, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Simple Sign single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Simple Sign single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Simple Sign supports **IDP** initiated SSO
+* Simple Sign supports **IDP** initiated SSO.
-## Adding Simple Sign from the gallery
+## Add Simple Sign from the gallery
To configure the integration of Simple Sign into Azure AD, you need to add Simple Sign from the gallery to your list of managed SaaS apps.
-**To add Simple Sign from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Simple Sign**, select **Simple Sign** from result panel then click **Add** button to add the application.
-
- ![Simple Sign in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Simple Sign** in the search box.
+1. Select **Simple Sign** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with Simple Sign based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Simple Sign needs to be established.
+## Configure and test Azure AD SSO for Simple Sign
-To configure and test Azure AD single sign-on with Simple Sign, you need to complete the following building blocks:
+Configure and test Azure AD SSO with Simple Sign using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Simple Sign.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Simple Sign Single Sign-On](#configure-simple-sign-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Simple Sign test user](#create-simple-sign-test-user)** - to have a counterpart of Britta Simon in Simple Sign that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with Simple Sign, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Simple Sign SSO](#configure-simple-sign-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Simple Sign test user](#create-simple-sign-test-user)** - to have a counterpart of B.Simon in Simple Sign that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with Simple Sign, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Simple Sign** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **Simple Sign** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Set up Single Sign-On with SAML** page, perform the following steps:
- ![Simple Sign Domain and URLs single sign-on information](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.simplesign.io/saml/simplesamlphp/www/module.php/saml/sp/metadata.php/cloudfish-sp`
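Review bot: The unchanged step "4. On the **Set up Single Sign-On with SAML** page, perform the following steps:" no longer matches the steps added just above it, which all use the "1." auto-numbering and spell the page name "Set up single sign-on with SAML". Suggest renumbering that step to "1." and aligning the capitalisation so the list reads as one sequence.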
To configure Azure AD single sign-on with Simple Sign, perform the following ste
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure Simple Sign Single Sign-On
-
-To configure single sign-on on **Simple Sign** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Simple Sign support team](mailto:info@simplesign.io). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Simple Sign.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Simple Sign**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Simple Sign.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Simple Sign**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **Simple Sign**.
+## Configure Simple Sign SSO
- ![The Simple Sign link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Simple Sign** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Simple Sign support team](mailto:info@simplesign.io). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Simple Sign test user In this section, you create a user called Britta Simon in Simple Sign. Work with [Simple Sign support team](mailto:info@simplesign.io) to add the users in the Simple Sign platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Simple Sign tile in the Access Panel, you should be automatically signed in to the Simple Sign for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Simple Sign for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Simple Sign tile in the My Apps, you should be automatically signed in to the Simple Sign for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Simple Sign you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
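Review bot: The unchanged "Create Simple Sign test user" paragraph still says "you create a user called Britta Simon in Simple Sign", while every other reference in this change has been renamed to B.Simon, including the outline entry that describes this section as creating "a counterpart of B.Simon". Suggest updating that sentence in the same commit so the test user has one name throughout the tutorial.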
active-directory Skytap Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/skytap-tutorial.md
Previously updated : 02/13/2020 Last updated : 05/28/2021
In this tutorial, you'll learn how to integrate Single Sign-on for Skytap with A
* Enable your users to be automatically signed in to Single Sign-on for Skytap with their Azure AD accounts. * Manage your accounts in one central location, the Azure portal.
-To learn more about software as a service (SaaS) app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Single Sign-on for Skytap supports SP and IDP initiated SSO.
-* After you configure Single Sign-on for Skytap, you can enforce session control. This protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from conditional access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
## Add Single Sign-on for Skytap from the gallery To configure the integration of Single Sign-on for Skytap into Azure AD, you need to add Single Sign-on for Skytap from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) by using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal by using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Go to **Enterprise Applications** and then select **All Applications**. 1. To add a new application, select **New application**. 1. In the **Add from the gallery** section, type **Single Sign-on for Skytap** in the search box. 1. Select **Single Sign-on for Skytap** from the results panel, and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Single Sign-on for Skytap
+## Configure and test Azure AD SSO for Single Sign-on for Skytap
Configure and test Azure AD SSO with Single Sign-on for Skytap by using a test user called **B.Simon**. For SSO to work, establish a linked relationship between an Azure AD user and the related user in Single Sign-on for Skytap. Here are the general steps to configure and test Azure AD SSO with Single Sign-on for Skytap: 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.-
- a. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B.Simon.
-
- b. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Single Sign-on for Skytap SSO](#configure-single-sign-on-for-skytap-sso)** to configure the single sign-on settings on the application side.-
- a. **[Create a Single Sign-on for Skytap test user](#create-single-sign-on-for-skytap-test-user)** to have a counterpart of B.Simon in Single Sign-on for Skytap. This counterpart is linked to the Azure AD representation of the user.
+ 1. **[Create a Single Sign-on for Skytap test user](#create-single-sign-on-for-skytap-test-user)** to have a counterpart of B.Simon in Single Sign-on for Skytap. This counterpart is linked to the Azure AD representation of the user.
1. **[Test SSO](#test-sso)** to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Single Sign-on for Skytap** application integration page, find the **Manage** section. Select **single sign-on**.
+1. In the Azure portal, on the **Single Sign-on for Skytap** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
-
- ![Screenshot of Set up single sign-on with SAML page, with pencil icon highlighted](common/edit-urls.png)
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
1. In the **Basic SAML Configuration** section, if you want to configure the application in **IDP** initiated mode, enter the values for the following fields: a. In the **Identifier** text box, type a URL that uses the following pattern: `http://pingone.com/<custom EntityID>`
- b. In the **Reply URL** text box, type a URL that uses the following pattern:
+ b. In the **Reply URL** text box, type the URL:
`https://sso.connect.pingidentity.com/sso/sp/ACS.saml2` 1. You can optionally select **Set additional URLs**, and perform the following steps to configure the application in **SP** initiated mode:
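Review bot: The screenshot under the Basic SAML Configuration step loses its descriptive alt text: "Screenshot of Set up single sign-on with SAML page, with pencil icon highlighted" becomes "Edit Basic SAML Configuration", which tells a screen-reader user less about what the image shows. Suggest keeping the descriptive form. The same step also switches from "select the pencil icon" to "click the pencil icon" while the neighbouring steps in this file still use "select".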
In this section, you create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you enable B.Simon to use Azure single sign-on by granting access to Single Sign-on for Skytap.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Single Sign-on for Skytap.
-1. In the Azure portal, select **Enterprise Applications** > **All applications**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
1. In the applications list, select **Single Sign-on for Skytap**.
-1. In the app's overview page, find the **Manage** section, and select **Users and groups**.
-
- ![Screenshot of the Manage section, with Users and groups highlighted](common/users-groups-blade.png)
-
-1. Select **Add user**. In the **Add Assignment** dialog box, select **Users and groups**.
-
- ![Screenshot of Users and groups page, with Add user highlighted](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog box, select **B.Simon** from the users list. Then choose the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog box, select the appropriate role for the user from the list. Then choose the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog box, select **Assign**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
## Configure Single Sign-on for Skytap SSO To configure single sign-on on the Single Sign-on for Skytap side, you need to send the downloaded **Federation Metadata XML**, and appropriate copied URLs, from the Azure portal to the [Single Sign-on for Skytap Client support team](mailto:support@skytap.com). They configure this setting to have the SAML SSO connection set properly on both sides. - ### Create Single Sign-on for Skytap test user In this section, you create a user called B.Simon in Single Sign-on for Skytap. Work with the [Single Sign-on for Skytap Client support team](mailto:support@skytap.com) to add the users in the Single Sign-on for Skytap platform. You can't use single sign-on until you create and activate users. ## Test SSO
-In this section, you test your Azure AD single sign-on configuration by using Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Single Sign-on for Skytap Sign on URL where you can initiate the login flow.
-When you select the Single Sign-on for Skytap tile in Access Panel, you should be automatically signed in to the Single Sign-on for Skytap for which you set up SSO. For more information, see [Introduction to Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Single Sign-on for Skytap Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [Tutorials for integrating SaaS applications with Azure Active Directory](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Single Sign-on for Skytap for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Single Sign-on for Skytap tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Single Sign-on for Skytap for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Slack with Azure AD](https://aad.portal.azure.com/)
+Once you configure Single Sign-on for Skytap you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
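Review bot: The added headings "#### SP initiated:" and "#### IDP initiated:" sit directly under "## Test SSO", skipping a heading level, and end with a colon. Suggest "### SP initiated" and "### IDP initiated" so the outline stays sequential for navigation and assistive tools.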
active-directory Tangoe Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/tangoe-tutorial.md
Previously updated : 04/10/2019 Last updated : 06/02/2021 # Tutorial: Azure Active Directory integration with Tangoe Command Premium Mobile
-In this tutorial, you learn how to integrate Tangoe Command Premium Mobile with Azure Active Directory (Azure AD).
-Integrating Tangoe Command Premium Mobile with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Tangoe Command Premium Mobile with Azure Active Directory (Azure AD). When you integrate Tangoe Command Premium Mobile with Azure AD, you can:
-* You can control in Azure AD who has access to Tangoe Command Premium Mobile.
-* You can enable your users to be automatically signed-in to Tangoe Command Premium Mobile (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Tangoe Command Premium Mobile.
+* Enable your users to be automatically signed-in to Tangoe Command Premium Mobile with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Tangoe Command Premium Mobile, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Tangoe Command Premium Mobile single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Tangoe Command Premium Mobile single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Tangoe Command Premium Mobile supports **SP** initiated SSO
-
-## Adding Tangoe Command Premium Mobile from the gallery
-
-To configure the integration of Tangoe Command Premium Mobile into Azure AD, you need to add Tangoe Command Premium Mobile from the gallery to your list of managed SaaS apps.
-
-**To add Tangoe Command Premium Mobile from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
+* Tangoe Command Premium Mobile supports **SP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-4. In the search box, type **Tangoe Command Premium Mobile**, select **Tangoe Command Premium Mobile** from result panel then click **Add** button to add the application.
+## Add Tangoe Command Premium Mobile from the gallery
- ![Tangoe Command Premium Mobile in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Tangoe Command Premium Mobile based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Tangoe Command Premium Mobile needs to be established.
-
-To configure and test Azure AD single sign-on with Tangoe Command Premium Mobile, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Tangoe Command Premium Mobile Single Sign-On](#configure-tangoe-command-premium-mobile-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Tangoe Command Premium Mobile test user](#create-tangoe-command-premium-mobile-test-user)** - to have a counterpart of Britta Simon in Tangoe Command Premium Mobile that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Tangoe Command Premium Mobile into Azure AD, you need to add Tangoe Command Premium Mobile from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Tangoe Command Premium Mobile** in the search box.
+1. Select **Tangoe Command Premium Mobile** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Tangoe Command Premium Mobile
-To configure Azure AD single sign-on with Tangoe Command Premium Mobile, perform the following steps:
+Configure and test Azure AD SSO with Tangoe Command Premium Mobile using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Tangoe Command Premium Mobile.
-1. In the [Azure portal](https://portal.azure.com/), on the **Tangoe Command Premium Mobile** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Tangoe Command Premium Mobile, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Tangoe Command Premium Mobile SSO](#configure-tangoe-command-premium-mobile-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Tangoe Command Premium Mobile test user](#create-tangoe-command-premium-mobile-test-user)** - to have a counterpart of B.Simon in Tangoe Command Premium Mobile that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Tangoe Command Premium Mobile** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Tangoe Command Premium Mobile Domain and URLs single sign-on information](common/sp-reply.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://sso.tangoe.com/sp/startSSO.ping?PartnerIdpId=<tenant issuer>&TARGET=<target page url>`
+ `https://sso.tangoe.com/sp/startSSO.ping?PartnerIdpId=<TENANT_ISSUER>&TARGET=<TARGET_PAGE_URL>`
- b. In the **Reply URL** text box, type a URL using the following pattern:
+ b. In the **Reply URL** text box, type the URL:
`https://sso.tangoe.com/sp/ACS.saml2` > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Reply URL. Contact [Tangoe Command Premium Mobile Client support team](https://www.tangoe.com/contact-us/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Sign on URL. Contact [Tangoe Command Premium Mobile Client support team](https://www.tangoe.com/contact-us/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
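Review bot: In step 4, the line "a. In the **Sign on URL** text box, type a URL using the following pattern:" is removed and only the URL pattern is added back, so as shown the pattern has no field label while "b. In the **Reply URL** text box" keeps its own. Restore the "a." lead-in above the `PartnerIdpId=<TENANT_ISSUER>&TARGET=<TARGET_PAGE_URL>` pattern. Steps 4 and 5 also keep explicit numbers while the steps added above them use "1.", and the updated note still says "these values" although it now names only the Sign on URL.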
To configure Azure AD single sign-on with Tangoe Command Premium Mobile, perform
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure Tangoe Command Premium Mobile Single Sign-On
-
-To configure single sign-on on **Tangoe Command Premium Mobile** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Tangoe Command Premium Mobile support team](https://www.tangoe.com/contact-us/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Tangoe Command Premium Mobile.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Tangoe Command Premium Mobile.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Tangoe Command Premium Mobile**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Tangoe Command Premium Mobile**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Tangoe Command Premium Mobile SSO
-2. In the applications list, select **Tangoe Command Premium Mobile**.
-
- ![The Tangoe Command Premium Mobile link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Tangoe Command Premium Mobile** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Tangoe Command Premium Mobile support team](https://www.tangoe.com/contact-us/). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Tangoe Command Premium Mobile test user In this section, you create a user called Britta Simon in Tangoe Command Premium Mobile. Work with [Tangoe Command Premium Mobile support team](https://www.tangoe.com/contact-us/) to add the users in the Tangoe Command Premium Mobile platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Tangoe Command Premium Mobile tile in the Access Panel, you should be automatically signed in to the Tangoe Command Premium Mobile for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Tangoe Command Premium Mobile Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Tangoe Command Premium Mobile Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Tangoe Command Premium Mobile tile in the My Apps, this will redirect to Tangoe Command Premium Mobile Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Tangoe Command Premium Mobile you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
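Review bot: The test user is renamed to B.Simon throughout this change, but the unchanged "Create Tangoe Command Premium Mobile test user" section still says "you create a user called Britta Simon"; update it to match. The list naming Login URL, Azure AD Identifier and Logout URL is removed under the "Copy configuration URLs" image, while the moved "Configure Tangoe Command Premium Mobile SSO" paragraph still asks the reader to send the "appropriate copied URLs", so either keep the list or say which URLs are meant. Since the Federation Metadata XML and those URLs define the SAML trust on the application side, the paragraph would also benefit from naming the channel they should be sent over.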
active-directory Templafy Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/templafy-tutorial.md
Previously updated : 06/23/2020 Last updated : 06/03/2021
In this tutorial, you'll learn how to integrate Templafy SAML2 with Azure Active
* Enable your users to be automatically signed-in to Templafy SAML2 with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Templafy SAML2 supports **SP** initiated SSO
-* Templafy SAML2 supports **Just In Time** user provisioning
+* Templafy SAML2 supports **SP** initiated SSO.
+* Templafy SAML2 supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Templafy SAML2 from the gallery
+## Add Templafy SAML2 from the gallery
To configure the integration of Templafy SAML2 into Azure AD, you need to add Templafy SAML2 from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Templafy SAML2** in the search box. 1. Select **Templafy SAML2** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Templafy SAML2
+## Configure and test Azure AD SSO for Templafy SAML2
Configure and test Azure AD SSO with Templafy SAML2 using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Templafy SAML2.
-To configure and test Azure AD SSO with Templafy SAML2, complete the following building blocks:
+To configure and test Azure AD SSO with Templafy SAML2, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Templafy SAML2 SSO](#configure-templafy-saml2-sso)** - to configure the single sign-on settings on application side.
- * **[Create Templafy SAML2 test user](#create-templafy-saml2-test-user)** - to have a counterpart of B.Simon in Templafy SAML2 that is linked to the Azure AD representation of user.
+ 1. **[Create Templafy SAML2 test user](#create-templafy-saml2-test-user)** - to have a counterpart of B.Simon in Templafy SAML2 that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Templafy SAML2** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Templafy SAML2** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following step:
In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<CLIENTSUBDOMAIN>.templafy.com`
+ `https://<CLIENT_SUBDOMAIN>.templafy.com`
> [!NOTE] > The value is not real. Update the value with the actual Sign-On URL. Contact [Templafy SAML2 Client support team](mailto:support@templafy.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
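Review bot: The added note says the Identifier "is a fixed string value so only one instance can be configured in one tenant", but the Basic SAML Configuration step in this hunk only covers the Sign-on URL and never shows the Identifier or where to find it. Either state the fixed value or point to where it appears in the **Basic SAML Configuration** section, so an admin can recognise a conflicting second instance. The note also needs its leading article: "The identifier of this application".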
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Templafy SAML2**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Templafy SAML2 SSO
In this section, a user called B.Simon is created in Templafy SAML2. Templafy SA
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Templafy SAML2 tile in the Access Panel, you should be automatically signed in to the Templafy SAML2 for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal. This will redirect to Templafy SAML2 Sign-on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Go to Templafy SAML2 Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Templafy SAML2 tile in the My Apps, this will redirect to Templafy SAML2 Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try Templafy SAML2 with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Templafy SAML2 you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Terraform Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/terraform-cloud-tutorial.md
Previously updated : 12/18/2020 Last updated : 06/01/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Terraform Cloud supports **SP and IDP** initiated SSO
-* Terraform Cloud supports **Just In Time** user provisioning
+* Terraform Cloud supports **SP and IDP** initiated SSO.
+* Terraform Cloud supports **Just In Time** user provisioning.
-
-## Adding Terraform Cloud from the gallery
+## Add Terraform Cloud from the gallery
To configure the integration of Terraform Cloud into Azure AD, you need to add Terraform Cloud from the gallery to your list of managed SaaS apps.
To configure the integration of Terraform Cloud into Azure AD, you need to add T
1. In the **Add from the gallery** section, type **Terraform Cloud** in the search box. 1. Select **Terraform Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Terraform Cloud Configure and test Azure AD SSO with Terraform Cloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Terraform Cloud.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **Terraform Cloud** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type a URL using the following pattern:
`https://app.terraform.io/sso/saml/samlconf-<ID>/metadata`
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://app.terraform.io/sso/saml/samlconf-<ID>/acs`
+ 1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: In the **Sign-on URL** text box, type the URL: `https://app.terraform.io/session` > [!NOTE]
- > The Identifier value is not real. Update the value with the actual Identifier. Contact [Terraform Cloud Client support team](mailto:tf-cloud@hashicorp.support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Terraform Cloud Client support team](mailto:tf-cloud@hashicorp.support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ![The Certificate download link](common/copy-metadataurl.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
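Review bot: The added Reply URL pattern `https://app.terraform.io/sso/saml/samlconf-<ID>/acs` and the Identifier pattern above it both use the `<ID>` placeholder, but nothing says whether they take the same value. Say so explicitly in step b or in the note, because the Reply URL is where the signed response is delivered and a mismatch with the Identifier is easy to make when both are typed by hand. The updated note covers Identifier and Reply URL correctly.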
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
3. If you want to setup Terraform Cloud manually, in a different web browser window, sign in to your Terraform Cloud company site as an administrator.
-2. Go to the **Settings > SSO > Edit Settings**
+2. Go to the **Settings > SSO > Edit Settings**.
![Terraform Cloud settings](./media/terraform-cloud-tutorial/sso-settings.png)
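Review bot: The step touched here is numbered "2." but follows a step numbered "3.", so the visible sequence runs 3 then 2; renumber while this line is being edited (using "1." for every step, as the other lists in this change do, avoids the problem). In the preceding step, "If you want to setup Terraform Cloud manually" should use the verb form "set up".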
In this section, you test your Azure AD single sign-on configuration with follow
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Terraform Cloud for which you set up the SSO
-
-You can also use Microsoft Access Panel to test the application in any mode. When you click the Terraform Cloud tile in the Access Panel, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Terraform Cloud for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Terraform Cloud for which you set up the SSO.
+You can also use Microsoft My Apps to test the application in any mode. When you click the Terraform Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Terraform Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Terraform Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Terraform Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
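Review bot: The blank line between the "Test this application" bullet and the "You can also use Microsoft My Apps" paragraph is removed, so as shown the paragraph directly follows the bullet and Markdown will fold it into that list item under "IDP initiated", although it describes both SP and IDP modes. Keep an empty line between them. The Next steps link target changes from `/cloud-app-security/proxy-deployment-any-app` to `/cloud-app-security/proxy-deployment-aad` with the link text unchanged; check that the new target still matches "Learn how to enforce session control with Microsoft Cloud App Security".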
active-directory Ungerboeck Software Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ungerboeck-software-tutorial.md
Previously updated : 06/19/2019 Last updated : 05/27/2021
In this tutorial, you'll learn how to integrate Ungerboeck Software with Azure A
* Enable your users to be automatically signed-in to Ungerboeck Software with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get one-month free trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
* Ungerboeck Software single sign-on (SSO) enabled subscription. ## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment. Ungerboeck Software supports **SP** initiated SSO.
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Ungerboeck Software supports **SP** initiated SSO.
-## Adding Ungerboeck Software from the gallery
+## Add Ungerboeck Software from the gallery
To configure the integration of Ungerboeck Software into Azure AD, you need to add Ungerboeck Software from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Ungerboeck Software** in the search box. 1. Select **Ungerboeck Software** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Ungerboeck Software
Configure and test Azure AD SSO with Ungerboeck Software using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Ungerboeck Software.
-To configure and test Azure AD SSO with Ungerboeck Software, complete the following building blocks:
+To configure and test Azure AD SSO with Ungerboeck Software, perform the following steps:
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.
-2. **[Configure Ungerboeck Software SSO](#configure-ungerboeck-software-sso)** to configure the SSO settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B.Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B.Simon to use Azure AD single sign-on.
-5. **[Create Ungerboeck Software test user](#create-ungerboeck-software-test-user)** to have a counterpart of B.Simon in Ungerboeck Software that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Ungerboeck Software SSO](#configure-ungerboeck-software-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Ungerboeck Software test user](#create-ungerboeck-software-test-user)** - to have a counterpart of B.Simon in Ungerboeck Software that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Ungerboeck Software** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Ungerboeck Software** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** page, enter the values for the following fields:
+1. On the **Basic SAML Configuration** page, perform the following steps:
1. In the **Sign on URL** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.ungerboeck.com/prod`
- 1. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ 1. In the **Identifier (Entity ID)** text box, type a URL using one of the following patterns:
* **For production environment**:
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure Ungerboeck Software SSO
-
-To configure single sign-on on **Ungerboeck Software** side, you need to send the **Thumbprint value** and appropriate copied URLs from Azure portal to [Ungerboeck Software support team](mailto:Rhonda.Jannings@ungerboeck.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Ungerboeck Software**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button.
+## Configure Ungerboeck Software SSO
+
+To configure single sign-on on **Ungerboeck Software** side, you need to send the **Thumbprint value** and appropriate copied URLs from Azure portal to [Ungerboeck Software support team](mailto:Rhonda.Jannings@ungerboeck.com). They set this setting to have the SAML SSO connection set properly on both sides.
+ ### Create Ungerboeck Software test user In this section, you create a user called B.Simon in Ungerboeck Software. Work with [Ungerboeck Software support team](mailto:Rhonda.Jannings@ungerboeck.com) to add the users in the Ungerboeck Software platform. Users must be created and activated before you use single sign-on.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you select the Ungerboeck Software tile in the Access Panel, you should be automatically signed in to the Ungerboeck Software for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Ungerboeck Software Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Ungerboeck Software Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Ungerboeck Software tile in the My Apps, this will redirect to Ungerboeck Software Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Ungerboeck Software you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
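Review bot: the re-added "Configure Ungerboeck Software SSO" section still sends the **Thumbprint value** and the copied Azure portal URLs to a named individual's mailbox (`mailto:Rhonda.Jannings@ungerboeck.com`) under the link text "Ungerboeck Software support team". Since the section is being moved and rewritten anyway, point it at a role-based support address or ticket link so SSO setup details do not depend on, or land in, one person's inbox. Separately, the added "Next steps" line shows `organizationΓÇÖs`, which looks like a mis-encoded apostrophe, and "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration".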
active-directory Zscalerprivateaccess Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscalerprivateaccess-tutorial.md
Previously updated : 03/03/2021 Last updated : 06/03/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Zscaler Private Access (ZPA) supports **SP** initiated SSO.
+* Zscaler Private Access (ZPA) supports [**Automated** user provisioning](zscaler-private-access-provisioning-tutorial.md).
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
## Add Zscaler Private Access (ZPA) from the gallery
To configure the integration of Zscaler Private Access (ZPA) into Azure AD, you
1. In the **Add from the gallery** section, type **Zscaler Private Access (ZPA)** in the search box. 1. Select **Zscaler Private Access (ZPA)** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO
+## Configure and test Azure AD SSO for Zscaler Private Access (ZPA)
Configure and test Azure AD SSO with Zscaler Private Access (ZPA) using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Zscaler Private Access (ZPA).
Follow these steps to enable Azure AD SSO in the Azure portal.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** page, enter the values for the following fields:
-
- 1. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://samlsp.private.zscaler.com/auth/login?domain=<your-domain-name>`
+1. On the **Basic SAML Configuration** page, perform the following steps:
1. In the **Identifier (Entity ID)** text box, type the URL: `https://samlsp.private.zscaler.com/auth/metadata`
+ 1. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://samlsp.private.zscaler.com/auth/login?domain=<DOMAIN_NAME>`
+ > [!NOTE] > The **Sign on URL** value is not real. Update the value with the actual Sign on URL. Contact [Zscaler Private Access (ZPA) Client support team](https://help.zscaler.com/zpa-submit-ticket) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, you create a user called Britta Simon in Zscaler Private Access (ZPA). Please work with [Zscaler Private Access (ZPA) support team](https://help.zscaler.com/zpa-submit-ticket) to add the users in the Zscaler Private Access (ZPA) platform.
+Zscaler Private Access (ZPA) also supports automatic user provisioning, you can find more details [here](zscaler-private-access-provisioning-tutorial.md) on how to configure automatic user provisioning.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
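Review bot: the unchanged line directly above the added provisioning sentence still says "you create a user called Britta Simon", while the "Configure and test Azure AD SSO" paragraph of this tutorial names the test user **B.Simon**; align the name in this same edit so the Azure AD user and the ZPA user visibly match. The added sentence is also a comma splice with a non-descriptive "here" link. Suggest splitting it into two sentences and using the target article's title as the link text.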
active-directory Zscalerprivateaccessadministrator Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscalerprivateaccessadministrator-tutorial.md
Previously updated : 04/03/2019 Last updated : 05/31/2021 # Tutorial: Azure Active Directory integration with Zscaler Private Access Administrator
-In this tutorial, you learn how to integrate Zscaler Private Access Administrator with Azure Active Directory (Azure AD).
-Integrating Zscaler Private Access Administrator with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Zscaler Private Access Administrator with Azure Active Directory (Azure AD). When you integrate Zscaler Private Access Administrator with Azure AD, you can:
-* You can control in Azure AD who has access to Zscaler Private Access Administrator.
-* You can enable your users to be automatically signed-in to Zscaler Private Access Administrator (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Zscaler Private Access Administrator.
+* Enable your users to be automatically signed-in to Zscaler Private Access Administrator with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Zscaler Private Access Administrator, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Zscaler Private Access Administrator single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Zscaler Private Access Administrator single sign-on enabled subscription.
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
To configure Azure AD integration with Zscaler Private Access Administrator, you
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Zscaler Private Access Administrator supports **SP** and **IDP** initiated SSO
+* Zscaler Private Access Administrator supports **SP** and **IDP** initiated SSO.
-## Adding Zscaler Private Access Administrator from the gallery
+## Add Zscaler Private Access Administrator from the gallery
To configure the integration of Zscaler Private Access Administrator into Azure AD, you need to add Zscaler Private Access Administrator from the gallery to your list of managed SaaS apps.
-**To add Zscaler Private Access Administrator from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Zscaler Private Access Administrator**, select **Zscaler Private Access Administrator** from result panel then click **Add** button to add the application.
-
- ![Zscaler Private Access Administrator in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Zscaler Private Access Administrator based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Zscaler Private Access Administrator needs to be established.
-
-To configure and test Azure AD single sign-on with Zscaler Private Access Administrator, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Zscaler Private Access Administrator Single Sign-On](#configure-zscaler-private-access-administrator-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Zscaler Private Access Administrator test user](#create-zscaler-private-access-administrator-test-user)** - to have a counterpart of Britta Simon in Zscaler Private Access Administrator that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Zscaler Private Access Administrator** in the search box.
+1. Select **Zscaler Private Access Administrator** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
+## Configure and test Azure AD SSO for Zscaler Private Access Administrator
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Configure and test Azure AD SSO with Zscaler Private Access Administrator using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Zscaler Private Access Administrator.
-To configure Azure AD single sign-on with Zscaler Private Access Administrator, perform the following steps:
+To configure and test Azure AD SSO with Zscaler Private Access Administrator, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **Zscaler Private Access Administrator** application integration page, select **Single sign-on**.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Zscaler Private Access Administrator SSO](#configure-zscaler-private-access-administrator-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Zscaler Private Access Administrator test user](#create-zscaler-private-access-administrator-test-user)** - to have a counterpart of B.Simon in Zscaler Private Access Administrator that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Configure single sign-on link](common/select-sso.png)
+## Configure Azure AD SSO
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Single sign-on select mode](common/select-saml-option.png)
+1. In the Azure portal, on the **Zscaler Private Access Administrator** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot shows Basic SAML Configuration where you can enter the values described.](common/idp-relay.png)
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<subdomain>.private.zscaler.com/auth/metadata`
+ `https://<SUBDOMAIN>.private.zscaler.com/auth/metadata`
b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<subdomain>.private.zscaler.com/auth/sso`
+ `https://<SUBDOMAIN>.private.zscaler.com/auth/sso`
c. Click **Set additional URLs**.
- d. In the **Relay State** text box, type a URL:
+ d. In the **Relay State** text box, type a value:
`idpadminsso` 5. If you wish to configure the application in **SP** initiated mode, perform the following step:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/both-signonurl.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<subdomain>.private.zscaler.com/auth/sso`
+ `https://<SUBDOMAIN>.private.zscaler.com/auth/sso`
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Zscaler Private Access Administrator Client support team](https://help.zscaler.com/zpa-submit-ticket) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
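Review bot: in the IDP-initiated steps, the instruction line "a. In the **Identifier** text box, type a URL using the following pattern:" appears only as removed, and the same is true of the **Sign-on URL** instruction in the SP-initiated step, so as displayed the new `<SUBDOMAIN>` patterns have no step saying which field they belong to. Confirm both instruction lines survive in the final file. The three added steps are also numbered `1.` while the unchanged steps after them keep the explicit `4.` and `5.`; renumber them so the list reads consistently.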
To configure Azure AD single sign-on with Zscaler Private Access Administrator,
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Azure AD Identifier
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Zscaler Private Access Administrator.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Zscaler Private Access Administrator**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Zscaler Private Access Administrator Single Sign-On
+## Configure Zscaler Private Access Administrator SSO
1. In a different web browser window, sign to Zscaler Private Access Administrator as an Administrator. 2. On the top, click **Administration** and navigate to **AUTHENTICATION** section click **IdP Configuration**.
- ![Zscaler Private Access Administrator admin](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_admin.png)
+ ![Zscaler Private Access Administrator admin](./media/zscalerprivateaccessadministrator-tutorial/admin.png)
3. In the top right corner, click **Add IdP Configuration**.
- ![Zscaler Private Access Administrator addidp](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_addpidp.png)
+ ![Zscaler Private Access Administrator addidp](./media/zscalerprivateaccessadministrator-tutorial/add-configuration.png)
4. On the **Add IdP Configuration** page perform the following steps:
- ![Zscaler Private Access Administrator idpselect](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_idpselect.png)
+ ![Zscaler Private Access Administrator idpselect](./media/zscalerprivateaccessadministrator-tutorial/select-file.png)
a. Click **Select File** to upload the downloaded Metadata file from Azure AD in the **IdP Metadata File Upload** field. b. It reads the **IdP metadata** from Azure AD and populates all the fields information as shown below.
- ![Zscaler Private Access Administrator idpconfig](./media/zscalerprivateaccessadministrator-tutorial/idpconfig.png)
+ ![Zscaler Private Access Administrator idpconfig](./media/zscalerprivateaccessadministrator-tutorial/metadata.png)
c. Select **Single Sign On** as **Administrator**.
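Review bot: the added "Create an Azure AD test user" steps tell the reader to write down the password shown for B.Simon, and the next added section grants that account access to Zscaler Private Access Administrator, but nothing in the visible change tells the reader to remove or disable the test account and its assignment once testing is done. Add a short cleanup step, or at least a sentence after the assignment steps, so a test identity with a recorded password is not left assigned to an administrator application.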
To configure Azure AD single sign-on with Zscaler Private Access Administrator,
e. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Zscaler Private Access Administrator.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Zscaler Private Access Administrator**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Zscaler Private Access Administrator**.
-
- ![The Zscaler Private Access Administrator link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Zscaler Private Access Administrator test user To enable Azure AD users to sign in to Zscaler Private Access Administrator, they must be provisioned into Zscaler Private Access Administrator. In the case of Zscaler Private Access Administrator, provisioning is a manual task.
To enable Azure AD users to sign in to Zscaler Private Access Administrator, the
2. On the top, click **Administration** and navigate to **AUTHENTICATION** section click **IdP Configuration**.
- ![Zscaler Private Access Administrator admin](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_admin.png)
+ ![Zscaler Private Access Administrator admin](./media/zscalerprivateaccessadministrator-tutorial/admin.png)
3. Click **Administrators** from left side of the menu.
- ![Zscaler Private Access Administrator administrator](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_adminstrator.png)
+ ![Zscaler Private Access Administrator administrator](./media/zscalerprivateaccessadministrator-tutorial/administrator.png)
4. In the top right corner, click **Add Administrator**:
- ![Zscaler Private Access Administrator add admin](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_addadmin.png)
+ ![Zscaler Private Access Administrator add admin](./media/zscalerprivateaccessadministrator-tutorial/add-administrator.png)
5. In the **Add Administrator** page, perform the following steps:
- ![Zscaler Private Access Administrator user admin](./media/zscalerprivateaccessadministrator-tutorial/tutorial_zscalerprivateaccessadministrator_useradmin.png)
+ ![Zscaler Private Access Administrator user admin](./media/zscalerprivateaccessadministrator-tutorial/user-admin.png)
a. In the **Username** textbox, enter the email of user like BrittaSimon@contoso.com.
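Review bot: the unchanged **Username** step still uses BrittaSimon@contoso.com as its example, while this change renames the test user to B.Simon elsewhere (the added steps use `B.Simon@contoso.com`). Update the example in the same commit, because the tutorial states that SSO depends on the link between the Azure AD user and the related user in Zscaler Private Access Administrator, and a mismatched example invites a mismatched account.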
To enable Azure AD users to sign in to Zscaler Private Access Administrator, the
h. Click **Save**.
-### Test single sign-on
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Zscaler Private Access Administrator Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Zscaler Private Access Administrator Sign-on URL directly and initiate the login flow from there.
-When you click the Zscaler Private Access Administrator tile in the Access Panel, you should be automatically signed in to the Zscaler Private Access Administrator for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Zscaler Private Access Administrator for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Zscaler Private Access Administrator tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Zscaler Private Access Administrator for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Zscaler Private Access Administrator you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
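Review bot: the added `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO`, skipping a heading level, and carry trailing colons. Use `###` without the colon, or plain bold labels. In the added "Next steps" line, `organizationΓÇÖs` looks like an encoding fault in the apostrophe, and "protects exfiltration and infiltration" is missing "against".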
aks Configure Azure Cni https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/configure-azure-cni.md
The following screenshot from the Azure portal shows an example of configuring t
> This preview feature is currently available in the following regions: > > * East US
+> * East US 2
+> * North Central US
> * West Central US
+> * West US
> * West US 2 > * Canada Central > * Australia East > * UK South
+> * North Europe
+> * West Europe
+> * Southeast Asia
A drawback with the traditional CNI is the exhaustion of pod IP addresses as the AKS cluster grows, resulting in the need to rebuild the entire cluster in a bigger subnet. The new dynamic IP allocation capability in Azure CNI solves this problem by allotting pod IPs from a subnet separate from the subnet hosting the AKS cluster. It offers the following benefits:
azure-government Compare Azure Government Global Azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/compare-azure-government-global-azure.md
The following Azure Security Center **features are not currently available** in
**Azure Security Center FAQ**
-For Azure Security Center FAQ, see [Azure Security Center frequently asked questions public documentation](../security-center/faq-general.md). Additional FAQ for Azure Security Center in Azure Government are listed below.
+For Azure Security Center FAQ, see [Azure Security Center frequently asked questions public documentation](../security-center/faq-general.yml). Additional FAQ for Azure Security Center in Azure Government are listed below.
**What will customers be charged for Azure Security Center in Azure Government?**</br> Azure Security Center's integrated cloud workload protection platform (CWPP), Azure Defender, brings advanced, intelligent, protection of your Azure and hybrid resources and workloads. Azure Defender is free for the first 30 days. Should you choose to continue to use public preview or generally available features of Azure Defender beyond 30 days, we automatically start to charge for the service.
azure-resource-manager Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/overview.md
To learn about Bicep, see the following video.
## Get started
-To start with Bicep, [install the tools](./install.md).
+To start with Bicep:
-After installing the tools, try the [quickstart](./quickstart-create-bicep-use-visual-studio-code.md), and the [Microsoft Learn Bicep modules](./learn-bicep.md).
+1. **Install the tools**. See [Set up Bicep development and deployment environments](./install.md). Alternatively, you can use [Bicep Playground](./decompile.md#side-by-side-view) to view Bicep and equivalent JSON side by side, or use the [VS Code Devcontainer/Codespaces repo](https://github.com/Azure/vscode-remote-try-bicep) to get a pre-configured authoring environment.
+2. **Complete the [quickstart](./quickstart-create-bicep-use-visual-studio-code.md) and the [Microsoft Learn Bicep modules](./learn-bicep.md)**.
-To view equivalent JSON and Bicep files side by side, see the [Bicep Playground](https://aka.ms/bicepdemo).
-
-If you have an existing ARM template that you would like to decompile to Bicep, see [Decompile ARM templates to Bicep](./decompile.md).
+To decompile an existing ARM template to Bicep, see [Decompile ARM templates to Bicep](./decompile.md).
Additional Bicep examples can be found in the [Bicep GitHub repo](https://github.com/Azure/bicep/tree/main/docs/examples).
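Review bot: In the new step 1, the link labelled "Bicep Playground" targets `./decompile.md#side-by-side-view`, a section of the decompile article, whereas the removed sentence sent readers to the Playground itself at `https://aka.ms/bicepdemo`. Either point the label at the Playground directly or reword it so the label describes the article section it opens. Step 2 also puts a whole sentence containing two links in bold, while step 1 bolds only its lead phrase; bolding only the lead phrase in step 2 would keep the list consistent.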
azure-sql Authentication Azure Ad Only Authentication Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/authentication-azure-ad-only-authentication-tutorial.md
+
+ Title: Enable Azure Active Directory only authentication with Azure SQL
+description: This article guides you through enabling the Azure Active Directory (Azure AD) only authentication feature with Azure SQL Database and Azure SQL Managed Instance.
++++++ Last updated : 06/01/2021++
+# Tutorial: Enable Azure Active Directory only authentication with Azure SQL
++
+> [!NOTE]
+> The **Azure AD-only authentication** feature discussed in this article is in **public preview**.
+
+This article guides you through enabling the [Azure AD-only authentication](authentication-azure-ad-only-authentication.md) feature within Azure SQL Database and Azure SQL Managed Instance.
+
+In this tutorial, you learn how to:
+
+> [!div class="checklist"]
+> - Assign role to enable Azure AD-only authentication
+> - Enable Azure AD-only authentication using the Azure portal, Azure CLI, or PowerShell
+> - Check whether Azure AD-only authentication is enabled
+> - Test connecting to Azure SQL
+> - Disable Azure AD-only authentication using the Azure portal, Azure CLI, or PowerShell
++
+## Prerequisites
+
+- An Azure AD instance. For more information, see [Configure and manage Azure AD authentication with Azure SQL](authentication-aad-configure.md).
+- A SQL Database or SQL Managed Instance with a database, and logins or users. See [Quickstart: Create an Azure SQL Database single database](single-database-create-quickstart.md) if you haven't already created an Azure SQL Database, or [Quickstart: Create an Azure SQL Managed Instance](../managed-instance/instance-create-quickstart.md).
+
+## Assign role to enable Azure AD-only authentication
+
+In order to enable or disable Azure AD-only authentication, selected built-in roles are required for the Azure AD users executing these operations in this tutorial. We're going to assign the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role to the user in this tutorial.
+
+For more information on how to assign a role to an Azure AD account, see [Assign administrator and non-administrator roles to users with Azure Active Directory](../../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md)
+
+For more information on the required permission to enable or disable Azure AD-only authentication, see the [Permissions section of Azure AD-only authentication](authentication-azure-ad-only-authentication.md#permissions) article.
+
+1. In our example, we'll assign the **SQL Security Manager** role to the user `UserSqlSecurityManager@contoso.onmicrosoft.com`. Using privileged user that can assign Azure AD roles, sign into the [Azure portal](https://portal.zure.com).
+1. Go to your SQL server resource, and select **Access control (IAM)** in the menu. Select the **Add** button and then **Add role assignment** in the drop-down menu.
+
+ :::image type="content" source="media/authentication-azure-ad-only-authentication/azure-ad-only-authentication-access-control.png" alt-text="Access control pane in the Azure portal":::
+
+1. In the **Add role assignment** pane, select the Role **SQL Security Manager**, and select the user that you want to have the ability to enable or disable Azure AD-only authentication.
+
+ :::image type="content" source="media/authentication-azure-ad-only-authentication/azure-ad-only-authentication-access-control-add-role.png" alt-text="Add role assignment pane in the Azure portal":::
+
+1. Click **Save**.
+
+## Enable Azure AD-only authentication
+
+# [Portal](#tab/azure-portal)
+
+## Enable in SQL Database using Azure portal
+
+To enable Azure AD-only authentication auth in the Azure portal, see the steps below.
+
+1. Using the user with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role, go to the [Azure portal](https://portal.zure.com).
+1. Go to your SQL server resource, and select **Azure Active Directory** under the **Settings** menu.
+
+ :::image type="content" source="media/authentication-azure-ad-only-authentication/azure-ad-only-authentication-portal.png" alt-text="Enable Azure AD only auth menu":::
+
+1. If you haven't added an **Azure Active Directory admin**, you'll need to set this before you can enable Azure AD-only authentication.
+1. Select the **Support only Azure Active Directory authentication for this server** checkbox.
+1. The **Enable Azure AD authentication only** popup will show. Click **Yes** to enable the feature and **Save** the setting.
+
+## Azure SQL Managed Instance
+
+Managing Azure AD-only authentication for SQL Managed Instance in the portal is currently not supported.
+
+# [Azure CLI](#tab/azure-cli)
+
+## Enable in SQL Database using Azure CLI
+
+To enable Azure AD-only authentication in Azure SQL Database using Azure CLI, see the commands below. [Install the latest version of Azure CLI](/cli/azure/install-azure-cli-windows). You must have Azure CLI version **2.14.2** or higher. For more information on these commands, see [az sql server ad-only-auth](/cli/azure/sql/server/ad-only-auth).
+
+For more information on managing Azure AD-only authentication using APIs, see [Managing Azure AD-only authentication using APIs](authentication-azure-ad-only-authentication.md#managing-azure-ad-only-authentication-using-apis).
+
+> [!NOTE]
+> The Azure AD admin must be set for the server before enabling Azure AD-only authentication. Otherwise, the Azure CLI command will fail.
+>
+> For permissions and actions required of the user performing these commands to enable Azure AD-only authentication, see the [Azure AD-only authentication](authentication-azure-ad-only-authentication.md#permissions) article.
+
+1. [Sign into Azure](/cli/azure/authenticate-azure-cli) using the account with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role.
+
+ ```azurecli
+ az login
+ ```
+
+1. Run the following command, replacing `<myserver>` with your SQL server name, and `<myresource>` with your Azure Resource that holds the SQL server.
+
+ ```azurecli
+ az sql server ad-only-auth enable --resource-group <myresource> --name <myserver>
+ ```
+
+## Enable in SQL Managed Instance using Azure CLI
+
+To enable Azure AD-only authentication in Azure SQL Managed Instance using Azure CLI, see the commands below. [Install the latest version of Azure CLI](/cli/azure/install-azure-cli-windows).
+
+1. [Sign into Azure](/cli/azure/authenticate-azure-cli) using the account with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role.
+
+ ```azurecli
+ az login
+ ```
+
+1. Run the following command, replacing `<myserver>` with your SQL server name, and `<myresource>` with your Azure Resource that holds the SQL server.
+
+ ```azurecli
+ az sql mi ad-only-auth enable --resource-group <myresource> --name <myserver>
+ ```
+
+# [PowerShell](#tab/azure-powershell)
+
+## Enable in SQL Database using PowerShell
+
+To enable Azure AD-only authentication in Azure SQL Database using PowerShell, see the commands below. [Az.Sql 2.10.0](https://www.powershellgallery.com/packages/Az.Sql/2.10.0) module or higher is required to execute these commands. For more information on these commands, see [Enable-AzSqlInstanceActiveDirectoryOnlyAuthentication](/powershell/module/az.sql/enable-azsqlinstanceactivedirectoryonlyauthentication).
+
+For more information on managing Azure AD-only authentication using APIs, see [Managing Azure AD-only authentication using APIs](authentication-azure-ad-only-authentication.md#managing-azure-ad-only-authentication-using-apis)
+
+> [!NOTE]
+> The Azure AD admin must be set for the server before enabling Azure AD-only authentication. Otherwise, the PowerShell command will fail.
+>
+> For permissions and actions required of the user performing these commands to enable Azure AD-only authentication, see the [Azure AD-only authentication](authentication-azure-ad-only-authentication.md#permissions) article. If the user has insufficient permissions, you will get the following error:
+>
+> ```output
+> Enable-AzSqlServerActiveDirectoryOnlyAuthentication : The client
+> 'UserSqlServerContributor@contoso.onmicrosoft.com' with object id
+> '<guid>' does not have authorization to perform
+> action 'Microsoft.Sql/servers/azureADOnlyAuthentications/write' over scope
+> '/subscriptions/<guid>...'
+> ```
+
+1. [Sign into Azure](/powershell/azure/authenticate-azureps) using the account with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role.
+
+ ```powershell
+ Connect-AzAccount
+ ```
+
+1. Run the following command, replacing `<myserver>` with your SQL server name, and `<myresource>` with your Azure Resource that holds the SQL server.
+
+ ```powershell
+ Enable-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName <myserver> -ResourceGroupName <myresource>
+ ```
+
+## Enable in SQL Managed Instance using PowerShell
+
+To enable Azure AD-only authentication in Azure SQL Managed Instance using PowerShell, see the commands below. [Az.Sql 2.10.0](https://www.powershellgallery.com/packages/Az.Sql/2.10.0) module or higher is required to execute these commands.
+
+For more information on managing Azure AD-only authentication using APIs, see [Managing Azure AD-only authentication using APIs](authentication-azure-ad-only-authentication.md#managing-azure-ad-only-authentication-using-apis).
++
+1. [Sign into Azure](/powershell/azure/authenticate-azureps) using the account with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role.
+
+ ```powershell
+ Connect-AzAccount
+ ```
+
+1. Run the following command, replacing `<myinstance>` with your SQL Managed Instance name, and `<myresource>` with your Azure Resource that holds the SQL managed instance.
+
+ ```powershell
+ Enable-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName <myinstance> -ResourceGroupName <myresource>
+ ```
+++
+## Check the Azure AD-only authentication status
+
+Check whether Azure AD-only authentication is enabled for your server or instance.
+
+# [Portal](#tab/azure-portal)
+
+Go to your **SQL server** resource in the [Azure portal](https://portal.zure.com). Select **Azure Active Directory** under the **Settings** menu. Portal support for Azure AD-only authentication is only available for Azure SQL Database.
+
+# [Azure CLI](#tab/azure-cli)
+
+These commands can be used to check whether Azure AD-only authentication is enabled for your SQL Database logical server or SQL managed instance. Members of the [SQL Server Contributor](../../role-based-access-control/built-in-roles.md#sql-server-contributor) and [SQL Managed Instance Contributor](../../role-based-access-control/built-in-roles.md#sql-managed-instance-contributor) roles can use these commands to check the status of Azure AD-only authentication, but can't enable or disable the feature.
+
+## Check status in SQL Database
+
+1. [Sign into Azure](/cli/azure/authenticate-azure-cli) using the account with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role. For more information on managing Azure AD-only authentication using APIs, see [Managing Azure AD-only authentication using APIs](authentication-azure-ad-only-authentication.md#managing-azure-ad-only-authentication-using-apis)
+
+ ```azurecli
+ az login
+ ```
+
+1. Run the following command, replacing `<myserver>` with your SQL server name, and `<myresource>` with your Azure Resource that holds the SQL server.
+
+ ```azurecli
+ az sql server ad-only-auth get --resource-group <myresource> --name <myserver>
+ ```
+
+1. You should see the following output:
+
+ ```json
+ {
+ "azureAdOnlyAuthentication": true,
+ "/subscriptions/<guid>/resourceGroups/mygroup/providers/Microsoft.Sql/servers/myserver/azureADOnlyAuthentications/Default",
+ "name": "Default",
+ "resourceGroup": "myresource",
+ "type": "Microsoft.Sql/servers"
+ }
+ ```
+
+## Check status in SQL Managed Instance
+
+1. [Sign into Azure](/cli/azure/authenticate-azure-cli) using the account with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role.
+
+ ```azurecli
+ az login
+ ```
+
+1. Run the following command, replacing `<myserver>` with your SQL server name, and `<myresource>` with your Azure Resource that holds the SQL server.
+
+ ```azurecli
+ az sql mi ad-only-auth get --resource-group <myresource> --name <myserver>
+ ```
+
+1. You should see the following output:
+
+ ```json
+ {
+ "azureAdOnlyAuthentication": true,
+ "id": "/subscriptions/<guid>/resourceGroups/myresource/providers/Microsoft.Sql/managedInstances/myinstance/azureADOnlyAuthentications/Default",
+ "name": "Default",
+ "resourceGroup": "myresource",
+ "type": "Microsoft.Sql/managedInstances"
+ }
+ ```
+
+# [PowerShell](#tab/azure-powershell)
+
+These commands can be used to check whether Azure AD-only authentication is enabled for your SQL Database logical server or SQL managed instance. Members of the [SQL Server Contributor](../../role-based-access-control/built-in-roles.md#sql-server-contributor) and [SQL Managed Instance Contributor](../../role-based-access-control/built-in-roles.md#sql-managed-instance-contributor) roles can use these commands to check the status of Azure AD-only authentication, but can't enable or disable the feature.
+
+The status will return **True** if the feature is enabled, and **False** if disabled.
+
+## Check status in SQL Database
+
+1. [Sign into Azure](/powershell/azure/authenticate-azureps) using the account with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role. For more information on managing Azure AD-only authentication using APIs, see [Managing Azure AD-only authentication using APIs](authentication-azure-ad-only-authentication.md#managing-azure-ad-only-authentication-using-apis)
+
+ ```powershell
+ Connect-AzAccount
+ ```
+
+1. Run the following command, replacing `<myserver>` with your SQL server name, and `<myresource>` with your Azure Resource that holds the SQL server.
+
+ ```powershell
+ Get-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName <myserver> -ResourceGroupName <myresource>
+ ```
+
+## Check status in SQL Managed Instance
+
+1. [Sign into Azure](/powershell/azure/authenticate-azureps) using the account with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role.
+
+ ```powershell
+ Connect-AzAccount
+ ```
+
+1. Run the following command, replacing `<myinstance>` with your SQL Managed Instance name, and `<myresource>` with your Azure Resource that holds the SQL managed instance.
+
+ ```powershell
+ Get-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName <myinstance> -ResourceGroupName <myresource>
+ ```
+++
+## Test SQL authentication with connection failure
+
+After enabling Azure AD-only authentication, test with [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms) to [connect to your SQL Database or Managed Instance](connect-query-ssms.md). Use SQL authentication for the connection.
+
+You should see a login failed message similar to the following output:
+
+```output
+Cannot connect to <myserver>.database.windows.net.
+Additional information:
+ Login failed for user 'username'. Reason: Azure Active Directory only authentication is enabled.
+ Please contact your system administrator. (Microsoft SQL Server, Error: 18456)
+```
+
+## Disable Azure AD-only authentication
+
+By disabling the Azure AD-only authentication feature, you allow both SQL authentication and Azure AD authentication for Azure SQL.
+
+# [Portal](#tab/azure-portal)
+
+1. Using the user with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role, go to the [Azure portal](https://portal.zure.com).
+1. Go to your SQL server resource, and select **Azure Active Directory** under the **Settings** menu.
+1. To disable the Azure AD-only authentication feature, uncheck the **Support only Azure Active Directory authentication for this server** checkbox and **Save** the setting.
+
+Managing Azure AD-only authentication for SQL Managed Instance in the portal is currently not supported.
+
+# [Azure CLI](#tab/azure-cli)
+
+## Disable in SQL Database using Azure CLI
+
+To disable Azure AD-only authentication in Azure SQL Database using Azure CLI, see the commands below.
+
+1. [Sign into Azure](/cli/azure/authenticate-azure-cli) using the account with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role.
+
+ ```azurecli
+ az login
+ ```
+
+1. Run the following command, replacing `<myserver>` with your SQL server name, and `<myresource>` with your Azure Resource that holds the SQL server.
+
+ ```azurecli
+ az sql server ad-only-auth disable --resource-group <myresource> --name <myserver>
+ ```
+
+1. After disabling Azure AD-only authentication, you should see the following output when you check the status:
+
+ ```json
+ {
+ "azureAdOnlyAuthentication": false,
+ "/subscriptions/<guid>/resourceGroups/mygroup/providers/Microsoft.Sql/servers/myserver/azureADOnlyAuthentications/Default",
+ "name": "Default",
+ "resourceGroup": "myresource",
+ "type": "Microsoft.Sql/servers"
+ }
+ ```
+
+## Disable in SQL Managed Instance using Azure CLI
+
+To disable Azure AD-only authentication in Azure SQL Managed Instance using Azure CLI, see the commands below.
+
+1. [Sign into Azure](/cli/azure/authenticate-azure-cli) using the account with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role.
+
+ ```azurecli
+ az login
+ ```
+
+1. Run the following command, replacing `<myserver>` with your SQL server name, and `<myresource>` with your Azure Resource that holds the SQL server.
+
+ ```azurecli
+ az sql mi ad-only-auth disable --resource-group <myresource> --name <myserver>
+ ```
+
+1. After disabling Azure AD-only authentication, you should see the following output when you check the status:
+
+ ```json
+ {
+ "azureAdOnlyAuthentication": false,
+ "id": "/subscriptions/<guid>/resourceGroups/myresource/providers/Microsoft.Sql/managedInstances/myinstance/azureADOnlyAuthentications/Default",
+ "name": "Default",
+ "resourceGroup": "myresource",
+ "type": "Microsoft.Sql/managedInstances"
+ }
+ ```
+
+# [PowerShell](#tab/azure-powershell)
+
+## Disable in SQL Database using PowerShell
+
+To disable Azure AD-only authentication in Azure SQL Database using PowerShell, see the commands below.
+
+1. [Sign into Azure](/powershell/azure/authenticate-azureps) using the account with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role.
+
+ ```powershell
+ Connect-AzAccount
+ ```
+
+1. Run the following command, replacing `<myserver>` with your SQL server name, and `<myresource>` with your Azure Resource that holds the SQL server.
+
+ ```powershell
+ Disable-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName <myserver> -ResourceGroupName <myresource>
+ ```
+
+## Disable in SQL Managed Instance using PowerShell
+
+To disable Azure AD-only authentication in Azure SQL Managed Instance using PowerShell, see the commands below.
+
+1. [Sign into Azure](/powershell/azure/authenticate-azureps) using the account with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role.
+
+ ```powershell
+ Connect-AzAccount
+ ```
+
+1. Run the following command, replacing `<myinstance>` with your SQL Managed Instance name, and `<myresource>` with your Azure Resource that holds the SQL managed instance.
+
+ ```powershell
+ Disable-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName <myinstance> -ResourceGroupName <myresource>
+ ```
+++
+## Test connecting to Azure SQL again
+
+After disabling Azure AD-only authentication, test connecting using a SQL authentication login. You should now be able to connect to your server or instance.
+
+## Next steps
+
+[Azure AD-only authentication with Azure SQL](authentication-azure-ad-only-authentication.md)
+++
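Review bot: The Azure portal link is misspelled as `https://portal.zure.com` in every portal step of this new article (the role-assignment step, the portal enable and disable steps, and the portal status check). These are the links a reader follows to sign in with a privileged account, so a wrong host must not ship; change all four to `https://portal.azure.com`. The SQL Database JSON samples under the Azure CLI status check and disable steps are also not valid JSON: the line beginning `"/subscriptions/<guid>/resourceGroups/mygroup/...` has lost its `"id":` key (the Managed Instance samples have it), and its path uses `mygroup` while the same object reports `"resourceGroup": "myresource"`. In "Enable in SQL Database using PowerShell", the "For more information on these commands" link names `Enable-AzSqlInstanceActiveDirectoryOnlyAuthentication`, but the step runs `Enable-AzSqlServerActiveDirectoryOnlyAuthentication`; link the server cmdlet there. The Managed Instance CLI steps also keep the `<myserver>` placeholder and "SQL server name" wording where the PowerShell steps use `<myinstance>`.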
azure-sql Authentication Azure Ad Only Authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/authentication-azure-ad-only-authentication.md
+
+ Title: Azure Active Directory only authentication with Azure SQL
+description: This article provides information on the Azure Active Directory (Azure AD) only authentication feature with Azure SQL Database and Azure SQL Managed Instance.
++++++ Last updated : 06/01/2021++
+# Azure AD-only authentication with Azure SQL
++
+> [!NOTE]
+> The **Azure AD-only authentication** feature discussed in this article is in **public preview**.
+
+Azure AD-only authentication is a feature within [Azure SQL](../azure-sql-iaas-vs-paas-what-is-overview.md) that allows the service to only support Azure AD authentication, and is supported for [Azure SQL Database](sql-database-paas-overview.md) and [Azure SQL Managed Instance](../managed-instance/sql-managed-instance-paas-overview.md). SQL authentication is disabled when enabling Azure AD-only authentication in the Azure SQL environment, including connections from SQL server administrators, logins, and users. Only users using [Azure AD authentication](authentication-aad-overview.md) are authorized to connect to the server or database.
+
+Azure AD-only authentication can be enabled or disabled using the Azure portal, Azure CLI, PowerShell, or REST API. Azure AD-only authentication can also be configured during server creation with an ARM template.
+
+For more information on Azure SQL authentication, see [Authentication and authorization](logins-create-manage.md#authentication-and-authorization).
+
+> [!IMPORTANT]
+> Currently, you cannot manage Azure AD-only authentication in the Azure portal for Azure SQL Managed Instance. For a tutorial on different methods to enable Azure AD-only authentication, see [Tutorial: Enable Azure Active Directory only authentication with Azure SQL](authentication-azure-ad-only-authentication-tutorial.md).
+
+## Feature description
+
+When enabling Azure AD-only authentication, [SQL authentication](logins-create-manage.md#authentication-and-authorization) is disabled at the server level and prevents any authentication based on any SQL authentication credentials. SQL authentication users won't be able to connect to the Azure SQL logical server, including all of its databases. Although SQL authentication is disabled, new SQL authentication logins and users can still be created by Azure AD accounts with proper permissions. Newly created SQL authentication accounts won't be allowed to connect to the server. Enabling Azure AD-only authentication doesn't remove existing SQL authentication login and user accounts. The feature only prevents these accounts from connecting to the server, and any database created for this server.
+
+## Permissions
+
+Azure AD-only authentication can be enabled or disabled by Azure AD users who are members of high privileged [Azure AD built-in roles](../../role-based-access-control/built-in-roles.md), such as Azure subscription [Owners](../../role-based-access-control/built-in-roles.md#owner), [Contributors](../../role-based-access-control/built-in-roles.md#contributor), and [Global Administrators](../../active-directory/roles/permissions-reference.md#global-administrator). Additionally, the role [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) can also enable or disable the Azure AD-only authentication feature.
+
+The [SQL Server Contributor](../../role-based-access-control/built-in-roles.md#sql-server-contributor) and [SQL Managed Instance Contributor](../../role-based-access-control/built-in-roles.md#sql-managed-instance-contributor) roles won't have permissions to enable or disable the Azure AD-only authentication feature. This is consistent with the [Separation of Duties](security-best-practice.md#implement-separation-of-duties) approach, where users who can create an Azure SQL server or create an Azure AD admin, can't enable or disable security features.
+
+### Actions required
+
+The following actions are added to the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role to allow management of the Azure AD-only authentication feature.
+
+- Microsoft.Sql/servers/azureADOnlyAuthentications/*
+- Microsoft.Sql/servers/administrators/read - required only for users accessing the Azure portal **Azure Active Directory** menu
+- Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*
+- Microsoft.Sql/managedInstances/read
+
+The above actions can also be added to a custom role to manage Azure AD-only authentication. For more information, see [Create and assign a custom role in Azure Active Directory](/azure/active-directory/roles/custom-create).
+
+## Managing Azure AD-only authentication using APIs
+
+> [!IMPORTANT]
+> The Azure AD admin must be set before enabling Azure AD-only authentication.
+
+# [Azure CLI](#tab/azure-cli)
+
+You must have Azure CLI version **2.14.2** or higher.
+
+`name` corresponds to the prefix of the server or instance name (for example, `myserver`) and `resource-group` corresponds to the resource the server belongs to (for example, `myresource`).
+
+## Azure SQL Database
+
+For more information, see [az sql server ad-only-auth](/cli/azure/sql/server/ad-only-auth).
+
+### Enable or disable in SQL Database
+
+**Enable**
+
+```azurecli
+az sql server ad-only-auth enable --resource-group myresource --name myserver
+```
+
+**Disable**
+
+```azurecli
+az sql server ad-only-auth disable --resource-group myresource --name myserver
+```
+
+### Check the status in SQL Database
+
+```azurecli
+az sql server ad-only-auth get --resource-group myresource --name myserver
+```
+
+## Azure SQL Managed Instance
+
+For more information, see [az sql mi ad-only-auth](/cli/azure/sql/mi/ad-only-auth).
+
+**Enable**
+
+```azurecli
+az sql mi ad-only-auth enable --resource-group myresource --name myserver
+```
+
+**Disable**
+
+```azurecli
+az sql mi ad-only-auth disable --resource-group myresource --name myserver
+```
+
+### Check the status in SQL Managed Instance
+
+```azurecli
+az sql mi ad-only-auth get --resource-group myresource --name myserver
+```
+
+# [PowerShell](#tab/azure-powershell)
+
+[Az.Sql 2.10.0](https://www.powershellgallery.com/packages/Az.Sql/2.10.0) module or higher is required.
+
+`ServerName` or `InstanceName` correspond to the prefix of the server name (for example, `myserver` or `myinstance`) and `ResourceGroupName` corresponds to the resource the server belongs to (for example, `myresource`).
+
+## Azure SQL Database
+
+### Enable or disable in SQL Database
+
+**Enable**
+
+For more information, see [Enable-AzSqlServerActiveDirectoryOnlyAuthentication](/powershell/module/az.sql/enable-azsqlserveractivedirectoryonlyauthentication). You can also run `get-help Enable-AzSqlServerActiveDirectoryOnlyAuthentication -full`.
+
+```powershell
+Enable-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName myserver -ResourceGroupName myresource
+```
+
+You can also use the following command:
+
+```powershell
+Get-AzSqlServer -ServerName myserver | Enable-AzSqlServerActiveDirectoryOnlyAuthentication
+```
+
+**Disable**
+
+For more information, see [Disable-AzSqlServerActiveDirectoryOnlyAuthentication](/powershell/module/az.sql/disable-azsqlserveractivedirectoryonlyauthentication).
+
+```powershell
+Disable-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName myserver -ResourceGroupName myresource
+```
+
+### Check the status in SQL Database
+
+```powershell
+Get-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName myserver -ResourceGroupName myresource
+```
+
+You can also use the following command:
+
+```powershell
+Get-AzSqlServer -ServerName myserver | Get-AzSqlServerActiveDirectoryOnlyAuthentication
+```
+
+## Azure SQL Managed Instance
+
+### Enable or disable in SQL Managed Instance
+
+**Enable**
+
+For more information, see [Enable-AzSqlInstanceActiveDirectoryOnlyAuthentication](/powershell/module/az.sql/enable-azsqlinstanceactivedirectoryonlyauthentication).
+
+```powershell
+Enable-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName myinstance -ResourceGroupName myresource
+```
+
+You can also use the following command:
+
+```powershell
+Get-AzSqlInstance -InstanceName myinstance | Enable-AzSqlInstanceActiveDirectoryOnlyAuthentication
+```
+
+For more information on these PowerShell commands, run `get-help Enable-AzSqlInstanceActiveDirectoryOnlyAuthentication -full`.
+
+**Disable**
+
+For more information, see [Disable-AzSqlInstanceActiveDirectoryOnlyAuthentication](/powershell/module/az.sql/disable-azsqlinstanceactivedirectoryonlyauthentication).
+
+```powershell
+Disable-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName myinstance -ResourceGroupName myresource
+```
+
+### Check the status in SQL Managed Instance
+
+```powershell
+Get-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName myinstance -ResourceGroupName myresource
+```
+
+You can also use the following command:
+
+```powershell
+Get-AzSqlInstance -InstanceName myinstance | Get-AzSqlInstanceActiveDirectoryOnlyAuthentication
+```
+
+# [REST API](#tab/rest-api)
+
+The following parameters will need to be defined:
+
+- `<subscriptionId>` can be found by navigating to **Subscriptions** in the Azure portal.
+- `<myserver>` correspond to the prefix of the server or instance name (for example, `myserver`).
+- `<myresource>` corresponds to the resource the server belongs to (for example, `myresource`)
+
+To use latest MSAL, download it from https://www.powershellgallery.com/packages/MSAL.PS.
+
+```rest
+$subscriptionId = '<subscriptionId>'
+$serverName = "<myserver>"
+$resourceGroupName = "<myresource>"
+```
+
+## Azure SQL Database
+
+For more information, see the [Server Azure AD Only Authentications](/rest/api/sql/2021-02-01-preview/serverazureadonlyauthentications) REST API documentation.
+
+### Enable or disable in SQL Database
+
+**Enable**
+
+```rest
+$body = @{ properties = @{ azureADOnlyAuthentication = 1 } } | ConvertTo-Json
+Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Sql/servers/$serverName/azureADOnlyAuthentications/default?api-version=2020-02-02-preview" -Method PUT -Headers $authHeader -Body $body -ContentType "application/json"
+```
+
+**Disable**
+
+```rest
+$body = @{ properties = @{ azureADOnlyAuthentication = 0 } } | ConvertTo-Json
+Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Sql/servers/$serverName/azureADOnlyAuthentications/default?api-version=2020-02-02-preview" -Method PUT -Headers $authHeader -Body $body -ContentType "application/json"
+```
+
+### Check the status in SQL Database
+
+```rest
+Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Sql/servers/$serverName/azureADOnlyAuthentications/default?api-version=2020-02-02-preview" -Method GET -Headers $authHeader | Format-List
+```
+
+## Azure SQL Managed Instance
+
+For more information, see the [Managed Instance Azure AD Only Authentications](/rest/api/sql/2021-02-01-preview/managedinstanceazureadonlyauthentications) REST API documentation.
+
+### Enable or disable in SQL Managed Instance
+
+**Enable**
+
+```rest
+$body = @{ properties = @{ azureADOnlyAuthentication = 1ΓÇ»} } | ConvertTo-Json
+Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Sql/managedInstances/$serverName/azureADOnlyAuthentications/default?api-version=2020-02-02-preview" -Method PUT -Headers $authHeader -Body $body -ContentType "application/json"
+```
+
+**Disable**
+
+```rest
+$body = @{ properties = @{ azureADOnlyAuthentication = 0ΓÇ»} } | ConvertTo-Json
+Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Sql/managedInstances/$serverName/azureADOnlyAuthentications/default?api-version=2020-02-02-preview" -Method PUT -Headers $authHeader -Body $body -ContentType "application/json"
+```
+
+### Check the status in SQL Managed Instance
+
+```rest
+Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Sql/managedInstances/$serverName/azureADOnlyAuthentications/default?api-version=2020-02-02-preview" -Method GET -Headers $authHeader | Format-List
+```
+
+# [ARM Template](#tab/arm)
+
+- Input the Azure AD admin for the deployment. You will find the user Object ID by going to the [Azure portal](https://portal.azure.com) and navigating to your **Azure Active Directory** resource. Under **Manage**, select **Users**. Search for the user you want to set as the Azure AD admin for your Azure SQL server. Select the user, and under their **Profile** page, you will see the **Object ID**.
+- The Tenant ID can be found in the **Overview** page of your **Azure Active Directory** resource.
+
+## Azure SQL Database
+
+### Enable
+
+The below ARM Template enables Azure AD-only authentication in your Azure SQL Database. To disable Azure AD-only authentication, set the `azureADOnlyAuthentication` property to `false`.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.1",
+ "parameters": {
+ "sqlServer_name": {
+ "type": "String"
+ },
+ "aad_admin_name": {
+ "type": "String"
+ },
+ "aad_admin_objectid": {
+ "type": "String"
+ },
+ "aad_admin_tenantid": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/administrators",
+ "apiVersion": "2020-02-02-preview",
+ "name": "[concat(parameters('sqlServer_name'), '/ActiveDirectory')]",
+ "properties": {
+ "administratorType": "ActiveDirectory",
+ "login": "[parameters('aad_admin_name')]",
+ "sid": "[parameters('aad_admin_objectid')]",
+ "tenantId": "[parameters('aad_admin_tenantId')]"
+ }
+ },
+ {
+ "type": "Microsoft.Sql/servers/azureADOnlyAuthentications",
+ "apiVersion": "2020-02-02-preview",
+ "name": "[concat(parameters('sqlServer_name'), '/Default')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Sql/servers/administrators', parameters('sqlServer_name'), 'ActiveDirectory')]"
+ ],
+ "properties": {
+ "azureADOnlyAuthentication": true
+ }
+ }
+ ]
+}
+```
+
+For more information, see [Microsoft.Sql servers/azureADOnlyAuthentications](/azure/templates/microsoft.sql/servers/azureadonlyauthentications).
+
+## Azure SQL Managed Instance
+
+### Enable
+
+The below ARM Template enables Azure AD-only authentication in your Azure SQL Managed Instance. To disable Azure AD-only authentication, set the `azureADOnlyAuthentication` property to `false`.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.1",
+ "parameters": {
+ "instance": {
+ "type": "String"
+ },
+ "aad_admin_name": {
+ "type": "String"
+ },
+ "aad_admin_objectid": {
+ "type": "String"
+ },
+ "aad_admin_tenantid": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Sql/managedInstances/administrators",
+ "apiVersion": "2020-02-02-preview",
+ "name": "[concat(parameters('instance'), '/ActiveDirectory')]",
+ "properties": {
+ "administratorType": "ActiveDirectory",
+ "login": "[parameters('aad_admin_name')]",
+ "sid": "[parameters('aad_admin_objectid')]",
+ "tenantId": "[parameters('aad_admin_tenantId')]"
+ }
+ },
+ {
+ "type": "Microsoft.Sql/managedInstances/azureADOnlyAuthentications",
+ "apiVersion": "2020-02-02-preview",
+ "name": "[concat(parameters('instance'), '/Default')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Sql/managedInstances/administrators', parameters('instance'), 'ActiveDirectory')]"
+ ],
+ "properties": {
+ "azureADOnlyAuthentication": true
+ }
+ }
+ ]
+}
+
+```
+
+For more information, see [Microsoft.Sql managedInstances/azureADOnlyAuthentications](/azure/templates/microsoft.sql/managedinstances/azureadonlyauthentications).
+++
+### Checking Azure AD-only authentication using T-SQL
+
+The [SEVERPROPERTY](/sql/t-sql/functions/serverproperty-transact-sql) `IsExternalAuthenticationOnly` has been added to check if Azure AD-only authentication is enabled for your server or managed instance. `1` indicates that the feature is enabled, and `0` represents the feature is disabled.
+
+```sql
+SELECT SERVERPROPERTY('IsExternalAuthenticationOnly')
+```
+
+## Remarks
+
+- A [SQL Server Contributor](../../role-based-access-control/built-in-roles.md#sql-server-contributor) can set or remove an Azure AD admin, but can't set the **Azure Active Directory authentication only** setting. The [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) can't set or remove an Azure AD admin, but can set the **Azure Active Directory authentication only** setting. Only accounts with higher Azure RBAC roles or custom roles that contain both permissions can set or remove an Azure AD admin and set the **Azure Active Directory authentication only** setting. One such role is the [Contributor](/azure/role-based-access-control/built-in-roles#contributor) role.
+- After enabling or disabling **Azure Active Directory authentication only** in the Azure portal, an **Activity log** entry can be seen in the **SQL server** menu.
+ :::image type="content" source="media/authentication-azure-ad-only-authentication/azure-ad-only-authentication-portal-sql-server-activity-log.png" alt-text="Activity log entry in the Azure portal":::
+- The **Azure Active Directory authentication only** setting can only be enabled or disabled by users with the right permissions if the **Azure Active Directory admin** is specified. If the Azure AD admin isn't set, the **Azure Active Directory authentication only** setting remains inactive and cannot be enabled or disabled. Using APIs to enable Azure AD-only authentication will also fail if the Azure AD admin hasn't been set.
+- Changing an Azure AD admin when Azure AD-only authentication is enabled is supported for users with the appropriate permissions.
+- Changing an Azure AD admin and enabling or disabling Azure AD-only authentication is allowed in the Azure portal for users with the appropriate permissions. Both operations can be completed with one **Save** in the Azure portal. The Azure AD admin must be set in order to enable Azure AD-only authentication.
+- Removing an Azure AD admin when the Azure AD-only authentication feature is enabled isn't supported. Using an API to remove an Azure AD admin will fail if Azure AD-only authentication is enabled.
+ - If the **Azure Active Directory authentication only** setting is enabled, the **Remove admin** button is inactive in the Azure portal.
+- Removing an Azure AD admin and disabling the **Azure Active Directory authentication only** setting is allowed, but requires the right user permission to complete the operations. Both operations can be completed with one **Save** in the Azure portal.
+- Azure AD users with proper permissions can impersonate existing SQL users.
+ - Impersonation continues working between SQL authentication users even when the Azure AD-only authentication feature is enabled.
+
+## Known issues
+
+- When Azure AD-only authentication is enabled, the server administrator password cannot be reset. Currently, the password resent operation succeeds in portal but fails in the SQL engine. The failure is indicated in the server activity log. In order to reset the server admin password, the Azure AD-only authentication feature must be disabled.
++
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: Enable Azure Active Directory only authentication with Azure SQL](authentication-azure-ad-only-authentication-tutorial.md)
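Review bot: In the REST API tab, every `Invoke-RestMethod` call passes `-Headers $authHeader`, but the only variables the tab defines are `$subscriptionId`, `$serverName` and `$resourceGroupName`. The MSAL.PS sentence hints at token acquisition without showing it, so the snippets will not authenticate as written. Add the step that obtains the token and builds `$authHeader`, or state that the reader must supply it. In the same tab, the two Managed Instance `$body` lines contain the stray sequence `ΓÇ»` before the closing brace (`azureADOnlyAuthentication = 1ΓÇ»}`), which looks like a mis-encoded non-breaking space and should be a plain space. The URIs use `api-version=2020-02-02-preview` while the linked reference pages are for `2021-02-01-preview`; pick one. In the ARM tab, both templates set `$schema` to `deploymentParameters.json#` although they are deployment templates with a `resources` array, and they declare `aad_admin_tenantid` but reference `parameters('aad_admin_tenantId')`. Typos: `SEVERPROPERTY` should be `SERVERPROPERTY`, "password resent operation" should be "password reset operation", and `<myresource>` is described as "the resource the server belongs to" where the variable holds a resource group name.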
azure-sql Resource Limits Vcore Elastic Pools https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/resource-limits-vcore-elastic-pools.md
Previously updated : 04/16/2021 Last updated : 06/04/2021 # Resource limits for elastic pools using the vCore purchasing model [!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
You can set the service tier, compute size (service objective), and storage amou
> [!IMPORTANT] > For scaling guidance and considerations, see [Scale an elastic pool](elastic-pool-scale.md).
+If all vCores of an elastic pool are busy, then each database in the pool receives an equal amount of compute resources to process queries. Azure SQL Database provides resource sharing fairness between databases by ensuring equal slices of compute time. Elastic pool resource sharing fairness is in addition to any amount of resource otherwise guaranteed to each database when the vCore min per database is set to a non-zero value.
+ ## General purpose - provisioned compute - Gen4 > [!IMPORTANT]
You can set the service tier, compute size (service objective), and storage amou
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|512|756|1536|1536|1536|2048|
-|Max log size|154|227|461|461|461|614|
+|Max log size <sup>2</sup>|154|227|461|461|461|614|
|TempDB max data size (GB)|32|64|96|128|160|192| |Storage type|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS per pool <sup>2</sup> |400|800|1200|1600|2000|2400|
+|Max data IOPS per pool <sup>3</sup> |400|800|1200|1600|2000|2400|
|Max log rate per pool (MBps)|6|12|18|24|30|36|
-|Max concurrent workers per pool (requests) <sup>3</sup> |210|420|630|840|1050|1260|
-|Max concurrent logins per pool <sup>3</sup> |210|420|630|840|1050|1260|
+|Max concurrent workers per pool (requests) <sup>4</sup> |210|420|630|840|1050|1260|
+|Max concurrent logins per pool <sup>4</sup> |210|420|630|840|1050|1260|
|Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|30,000| |Min/max elastic pool vCore choices per database|0, 0.25, 0.5, 1|0, 0.25, 0.5, 1, 2|0, 0.25, 0.5, 1...3|0, 0.25, 0.5, 1...4|0, 0.25, 0.5, 1...5|0, 0.25, 0.5, 1...6| |Number of replicas|1|1|1|1|1|1|
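Review bot: The renamed row `|Max log size <sup>2</sup>|` still has no unit, while the same row in the other tables of this file reads `Max log size (GB)`. Add `(GB)` while this line is being touched so the 154 to 614 values are unambiguous.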
You can set the service tier, compute size (service objective), and storage amou
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
### General purpose service tier: Generation 4 compute platform (part 2)
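Review bot: The renumbered footnote 4 is carried over unchanged, so under this Gen4 heading it still explains the per-database worker limit only with a Gen5 example (100 concurrent workers per vCore) and keeps the phrase "that are less 1 vCore or less". Give the Gen4 figure or say the example applies to Gen5 only, and fix the wording to "that are 1 vCore or less".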
You can set the service tier, compute size (service objective), and storage amou
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|2048|2048|2048|2048|3584|4096|
-|Max log size (GB)|614|614|614|614|1075|1229|
+|Max log size (GB) <sup>2</sup>|614|614|614|614|1075|1229|
|TempDB max data size (GB)|224|256|288|320|512|768| |Storage type|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS per pool <sup>2</sup>|2800|3200|3600|4000|6400|9600|
+|Max data IOPS per pool <sup>3</sup>|2800|3200|3600|4000|6400|9600|
|Max log rate per pool (MBps)|42|48|54|60|62.5|62.5|
-|Max concurrent workers per pool (requests) <sup>3</sup>|1470|1680|1890|2100|3360|5040|
-|Max concurrent logins pool (requests) <sup>3</sup>|1470|1680|1890|2100|3360|5040|
+|Max concurrent workers per pool (requests) <sup>4</sup>|1470|1680|1890|2100|3360|5040|
+|Max concurrent logins pool (requests) <sup>4</sup>|1470|1680|1890|2100|3360|5040|
|Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|30,000| |Min/max elastic pool vCore choices per database|0, 0.25, 0.5, 1...7|0, 0.25, 0.5, 1...8|0, 0.25, 0.5, 1...9|0, 0.25, 0.5, 1...10|0, 0.25, 0.5, 1...10, 16|0, 0.25, 0.5, 1...10, 16, 24| |Number of replicas|1|1|1|1|1|1|
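Review bot: The row label `Max concurrent logins pool (requests)` on the changed line is missing "per" and differs from the part 1 table, which has `Max concurrent logins per pool` without "(requests)". Align the two labels while renumbering the footnote.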
You can set the service tier, compute size (service objective), and storage amou
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
## General purpose - provisioned compute - Gen5
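Review bot: The new footnote 2, "For documented max data size values.", is a sentence fragment and does not say what it qualifies. Wording such as "Values shown apply to the documented max data size; reducing max data size reduces max log size proportionally." would read on its own.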
You can set the service tier, compute size (service objective), and storage amou
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|512|756|1536|1536|1536|2048|2048|
-|Max log size (GB)|154|227|461|461|461|614|614|
+|Max log size (GB) <sup>2</sup>|154|227|461|461|461|614|614|
|TempDB max data size (GB)|64|128|192|256|320|384|448| |Storage type|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS per pool <sup>2</sup>|800|1600|2400|3200|4000|4800|5600|
+|Max data IOPS per pool <sup>3</sup>|800|1600|2400|3200|4000|4800|5600|
|Max log rate per pool (MBps)|12|24|36|48|60|62.5|62.5|
-|Max concurrent workers per pool (requests) <sup>3</sup>|210|420|630|840|1050|1260|1470|
-|Max concurrent logins per pool (requests) <sup>3</sup>|210|420|630|840|1050|1260|1470|
+|Max concurrent workers per pool (requests) <sup>4</sup>|210|420|630|840|1050|1260|1470|
+|Max concurrent logins per pool (requests) <sup>4</sup>|210|420|630|840|1050|1260|1470|
|Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|30,000|30,000| |Min/max elastic pool vCore choices per database|0, 0.25, 0.5, 1, 2|0, 0.25, 0.5, 1...4|0, 0.25, 0.5, 1...6|0, 0.25, 0.5, 1...8|0, 0.25, 0.5, 1...10|0, 0.25, 0.5, 1...12|0, 0.25, 0.5, 1...14| |Number of replicas|1|1|1|1|1|1|1|
You can set the service tier, compute size (service objective), and storage amou
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
### General purpose service tier: Generation 5 compute platform (part 2)
You can set the service tier, compute size (service objective), and storage amou
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|2048|3072|3072|3072|4096|4096|4096|
-|Max log size (GB)|614|922|922|922|1229|1229|1229|
+|Max log size (GB) <sup>2</sup>|614|922|922|922|1229|1229|1229|
|TempDB max data size (GB)|512|576|640|768|1024|1280|2560| |Storage type|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS per pool <sup>2</sup> |6,400|7,200|8,000|9,600|12,800|16,000|16,000|
+|Max data IOPS per pool <sup>3</sup> |6,400|7,200|8,000|9,600|12,800|16,000|16,000|
|Max log rate per pool (MBps)|62.5|62.5|62.5|62.5|62.5|62.5|62.5|
-|Max concurrent workers per pool (requests) <sup>3</sup>|1680|1890|2100|2520|3360|4200|8400|
-|Max concurrent logins per pool (requests) <sup>3</sup>|1680|1890|2100|2520|3360|4200|8400|
+|Max concurrent workers per pool (requests) <sup>4</sup>|1680|1890|2100|2520|3360|4200|8400|
+|Max concurrent logins per pool (requests) <sup>4</sup>|1680|1890|2100|2520|3360|4200|8400|
|Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|30,000|30,000| |Min/max elastic pool vCore choices per database|0, 0.25, 0.5, 1...16|0, 0.25, 0.5, 1...18|0, 0.25, 0.5, 1...20|0, 0.25, 0.5, 1...20, 24|0, 0.25, 0.5, 1...20, 24, 32|0, 0.25, 0.5, 1...16, 24, 32, 40|0, 0.25, 0.5, 1...16, 24, 32, 40, 80| |Number of replicas|1|1|1|1|1|1|1|
You can set the service tier, compute size (service objective), and storage amou
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
## General purpose - provisioned compute - Fsv2-series
You can set the service tier, compute size (service objective), and storage amou
|Columnstore support|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|1024|1024|1024|1024|1536|
-|Max log size (GB)|336|336|336|336|512|
+|Max log size (GB) <sup>2</sup>|336|336|336|336|512|
|TempDB max data size (GB)|37|46|56|65|74| |Storage type|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS per pool <sup>2</sup>|2560|3200|3840|4480|5120|
+|Max data IOPS per pool <sup>3</sup>|2560|3200|3840|4480|5120|
|Max log rate per pool (MBps)|48|60|62.5|62.5|62.5|
-|Max concurrent workers per pool (requests) <sup>3</sup>|400|500|600|700|800|
-|Max concurrent logins per pool (requests) <sup>3</sup>|800|1000|1200|1400|1600|
+|Max concurrent workers per pool (requests) <sup>4</sup>|400|500|600|700|800|
+|Max concurrent logins per pool (requests) <sup>4</sup>|800|1000|1200|1400|1600|
|Max concurrent sessions|30,000|30,000|30,000|30,000|30,000| |Min/max elastic pool vCore choices per database|0-8|0-10|0-12|0-14|0-16| |Number of replicas|1|1|1|1|1|
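Review bot: Footnote 4 is attached to both the workers and logins rows, but its text only explains how the worker limit scales per database. In this table the login values (800 to 1600) are twice the worker values (400 to 800), so the footnote does not tell the reader how a per-database login limit is derived. Either extend the footnote to cover logins or drop the marker from the logins row.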
You can set the service tier, compute size (service objective), and storage amou
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
### Fsv2-series compute generation (part 2)
You can set the service tier, compute size (service objective), and storage amou
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|1536|1536|1536|3072|3072|4096|
-|Max log size (GB)|512|512|512|1024|1024|1024|
+|Max log size (GB) <sup>2</sup>|512|512|512|1024|1024|1024|
|TempDB max data size (GB)|83|93|111|148|167|333| |Storage type|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS per pool <sup>2</sup>|5760|6400|7680|10240|11520|12800|
+|Max data IOPS per pool <sup>3</sup>|5760|6400|7680|10240|11520|12800|
|Max log rate per pool (MBps)|62.5|62.5|62.5|62.5|62.5|62.5|
-|Max concurrent workers per pool (requests) <sup>3</sup>|900|1000|1200|1600|1800|3600|
-|Max concurrent logins per pool (requests) <sup>3</sup>|1800|2000|2400|3200|3600|7200|
+|Max concurrent workers per pool (requests) <sup>4</sup>|900|1000|1200|1600|1800|3600|
+|Max concurrent logins per pool (requests) <sup>4</sup>|1800|2000|2400|3200|3600|7200|
|Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|30,000| |Min/max elastic pool vCore choices per database|0-18|0-20|0-24|0-32|0-36|0-72| |Number of replicas|1|1|1|1|1|1|
You can set the service tier, compute size (service objective), and storage amou
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
## General purpose - provisioned compute - DC-series
You can set the service tier, compute size (service objective), and storage amou
|Columnstore support|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A| |Max data size (GB)|756|1536|2048|2048|
-|Max log size (GB)|227|461|614|614|
+|Max log size (GB) <sup>2</sup>|227|461|614|614|
|TempDB max data size (GB)|64|128|192|256| |Storage type|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage|Premium (Remote) Storage| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS per pool <sup>2</sup>|800|1600|2400|3200|
+|Max data IOPS per pool <sup>3</sup>|800|1600|2400|3200|
|Max log rate per pool (MBps)|12|24|36|48|
-|Max concurrent workers per pool (requests) <sup>3</sup>|168|336|504|672|
-|Max concurrent logins per pool (requests) <sup>3</sup>|168|336|504|672|
+|Max concurrent workers per pool (requests) <sup>4</sup>|168|336|504|672|
+|Max concurrent logins per pool (requests) <sup>4</sup>|168|336|504|672|
|Max concurrent sessions|30,000|30,000|30,000|30,000| |Min/max elastic pool vCore choices per database|2|2...4|2...6|2...8| |Number of replicas|1|1|1|1|
You can set the service tier, compute size (service objective), and storage amou
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
## Business critical - provisioned compute - Gen4
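Review bot: The new footnote 2 opens with a sentence fragment, "For documented max data size values.", which has no subject and does not say what holds for those values. The footnote is attached to the `Max log size (GB) <sup>2</sup>` row, so the first sentence should name that row, for example "The listed max log size applies to the documented max data size values." The second sentence, "Reducing max data size reduces max log size proportionally.", reads fine as it is.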
You can set the service tier, compute size (service objective), and storage amou
|In-memory OLTP storage (GB)|2|3|4|5|6| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |Max data size (GB)|1024|1024|1024|1024|1024|
-|Max log size (GB)|307|307|307|307|307|
+|Max log size (GB) <sup>2</sup>|307|307|307|307|307|
|TempDB max data size (GB)|64|96|128|160|192| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|1356|1356|1356|1356|1356| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS per pool <sup>2</sup>|9,000|13,500|18,000|22,500|27,000|
+|Max data IOPS per pool <sup>3</sup>|9,000|13,500|18,000|22,500|27,000|
|Max log rate per pool (MBps)|20|30|40|50|60|
-|Max concurrent workers per pool (requests) <sup>3</sup>|420|630|840|1050|1260|
-|Max concurrent logins per pool (requests) <sup>3</sup>|420|630|840|1050|1260|
+|Max concurrent workers per pool (requests) <sup>4</sup>|420|630|840|1050|1260|
+|Max concurrent logins per pool (requests) <sup>4</sup>|420|630|840|1050|1260|
|Max concurrent sessions|30,000|30,000|30,000|30,000|30,000| |Min/max elastic pool vCore choices per database|0, 0.25, 0.5, 1, 2|0, 0.25, 0.5, 1...3|0, 0.25, 0.5, 1...4|0, 0.25, 0.5, 1...5|0, 0.25, 0.5, 1...6| |Number of replicas|4|4|4|4|4|
You can set the service tier, compute size (service objective), and storage amou
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
### Business critical service tier: Generation 4 compute platform (part 2)
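Review bot: Footnote 4 in this Gen4 section still works its example in Gen5 terms ("if the elastic pool is using Gen5 ... on Gen5 there are a max of 100 concurrent workers per vCore"), so a reader of the Gen4 table has no per-vCore figure to rescale with. While the footnote is being renumbered, either label the example as Gen5-only and rely on the link to the single database limits for other hardware, or give the figure for the hardware this table covers. The same Gen5 example is pasted under the DC-series and M-series tables.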
You can set the service tier, compute size (service objective), and storage amou
|In-memory OLTP storage (GB)|7|8|9.5|11|20|36| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |Max data size (GB)|1024|1024|1024|1024|1024|1024|
-|Max log size (GB)|307|307|307|307|307|307|
+|Max log size (GB) <sup>2</sup>|307|307|307|307|307|307|
|TempDB max data size (GB)|224|256|288|320|512|768| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|1356|1356|1356|1356|1356|1356| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS per pool <sup>2</sup>|31,500|36,000|40,500|45,000|72,000|96,000|
+|Max data IOPS per pool <sup>3</sup>|31,500|36,000|40,500|45,000|72,000|96,000|
|Max log rate per pool (MBps)|70|80|80|80|80|80|
-|Max concurrent workers per pool (requests) <sup>3</sup>|1470|1680|1890|2100|3360|5040|
-|Max concurrent logins per pool (requests) <sup>3</sup>|1470|1680|1890|2100|3360|5040|
+|Max concurrent workers per pool (requests) <sup>4</sup>|1470|1680|1890|2100|3360|5040|
+|Max concurrent logins per pool (requests) <sup>4</sup>|1470|1680|1890|2100|3360|5040|
|Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|30,000| |Min/max elastic pool vCore choices per database|0, 0.25, 0.5, 1...7|0, 0.25, 0.5, 1...8|0, 0.25, 0.5, 1...9|0, 0.25, 0.5, 1...10|0, 0.25, 0.5, 1...10, 16|0, 0.25, 0.5, 1...10, 16, 24| |Number of replicas|4|4|4|4|4|4|
You can set the service tier, compute size (service objective), and storage amou
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
## Business critical - provisioned compute - Gen5
You can set the service tier, compute size (service objective), and storage amou
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|3.14|4.71|6.28|8.65|11.02|13.39| |Max data size (GB)|1024|1536|1536|1536|3072|3072|
-|Max log size (GB)|307|307|461|461|922|922|
+|Max log size (GB) <sup>2</sup>|307|307|461|461|922|922|
|TempDB max data size (GB)|128|192|256|320|384|448| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|4829|4829|4829|4829|4829|4829| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS per pool <sup>2</sup>|18,000|27,000|36,000|45,000|54,000|63,000|
+|Max data IOPS per pool <sup>3</sup>|18,000|27,000|36,000|45,000|54,000|63,000|
|Max log rate per pool (MBps)|60|90|120|120|120|120|
-|Max concurrent workers per pool (requests) <sup>3</sup>|420|630|840|1050|1260|1470|
-|Max concurrent logins per pool (requests) <sup>3</sup>|420|630|840|1050|1260|1470|
+|Max concurrent workers per pool (requests) <sup>4</sup>|420|630|840|1050|1260|1470|
+|Max concurrent logins per pool (requests) <sup>4</sup>|420|630|840|1050|1260|1470|
|Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|30,000| |Min/max elastic pool vCore choices per database|0, 0.25, 0.5, 1...4|0, 0.25, 0.5, 1...6|0, 0.25, 0.5, 1...8|0, 0.25, 0.5, 1...10|0, 0.25, 0.5, 1...12|0, 0.25, 0.5, 1...14| |Number of replicas|4|4|4|4|4|4|
You can set the service tier, compute size (service objective), and storage amou
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
### Business critical service tier: Generation 5 compute platform (part 2)
You can set the service tier, compute size (service objective), and storage amou
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|15.77|18.14|20.51|25.25|37.94|52.23|131.68| |Max data size (GB)|3072|3072|3072|4096|4096|4096|4096|
-|Max log size (GB)|922|922|922|1229|1229|1229|1229|
+|Max log size (GB) <sup>2</sup>|922|922|922|1229|1229|1229|1229|
|TempDB max data size (GB)|512|576|640|768|1024|1280|2560| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|4829|4829|4829|4829|4829|4829|4829| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS per pool <sup>2</sup>|72,000|81,000|90,000|108,000|144,000|180,000|256,000|
+|Max data IOPS per pool <sup>3</sup>|72,000|81,000|90,000|108,000|144,000|180,000|256,000|
|Max log rate per pool (MBps)|120|120|120|120|120|120|120|
-|Max concurrent workers per pool (requests) <sup>3</sup>|1680|1890|2100|2520|3360|4200|8400|
-|Max concurrent logins per pool (requests) <sup>3</sup>|1680|1890|2100|2520|3360|4200|8400|
+|Max concurrent workers per pool (requests) <sup>4</sup>|1680|1890|2100|2520|3360|4200|8400|
+|Max concurrent logins per pool (requests) <sup>4</sup>|1680|1890|2100|2520|3360|4200|8400|
|Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|30,000|30,000| |Min/max elastic pool vCore choices per database|0, 0.25, 0.5, 1...16|0, 0.25, 0.5, 1...18|0, 0.25, 0.5, 1...20|0, 0.25, 0.5, 1...20, 24|0, 0.25, 0.5, 1...20, 24, 32|0, 0.25, 0.5, 1...20, 24, 32, 40|0, 0.25, 0.5, 1...20, 24, 32, 40, 80| |Number of replicas|4|4|4|4|4|4|4|
You can set the service tier, compute size (service objective), and storage amou
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
## Business critical - provisioned compute - M-series
You can set the service tier, compute size (service objective), and storage amou
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|64|80|96|112|128|150| |Max data size (GB)|512|640|768|896|1024|1152|
-|Max log size (GB)|171|213|256|299|341|384|
+|Max log size (GB) <sup>2</sup>|171|213|256|299|341|384|
|TempDB max data size (GB)|256|320|384|448|512|576| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|13836|13836|13836|13836|13836|13836| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS per pool <sup>2</sup>|12,499|15,624|18,748|21,873|24,998|28,123|
+|Max data IOPS per pool <sup>3</sup>|12,499|15,624|18,748|21,873|24,998|28,123|
|Max log rate per pool (MBps)|48|60|72|84|96|108|
-|Max concurrent workers per pool (requests) <sup>3</sup>|800|1,000|1,200|1,400|1,600|1,800|
-|Max concurrent logins per pool (requests) <sup>3</sup>|800|1,000|1,200|1,400|1,600|1,800|
+|Max concurrent workers per pool (requests) <sup>4</sup>|800|1,000|1,200|1,400|1,600|1,800|
+|Max concurrent logins per pool (requests) <sup>4</sup>|800|1,000|1,200|1,400|1,600|1,800|
|Max concurrent sessions|30000|30000|30000|30000|30000|30000| |Min/max elastic pool vCore choices per database|0-8|0-10|0-12|0-14|0-16|0-18| |Number of replicas|4|4|4|4|4|4|
You can set the service tier, compute size (service objective), and storage amou
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
-If all vCores of an elastic pool are busy, then each database in the pool receives an equal amount of compute resources to process queries. Azure SQL Database provides resource sharing fairness between databases by ensuring equal slices of compute time. Elastic pool resource sharing fairness is in addition to any amount of resource otherwise guaranteed to each database when the vCore min per database is set to a non-zero value.
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
### M-series compute generation (part 2)
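Review bot: The `-` line directly above the new footnote 4 deletes the paragraph beginning "If all vCores of an elastic pool are busy, then each database in the pool receives an equal amount of compute resources", which is not a footnote and has nothing to do with the renumbering. Please confirm the deletion is intentional; if the resource-sharing fairness statement is meant to stay in this section, keep it as its own paragraph after footnote 4. The same deletion appears again in the footnotes for M-series part 2.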
If all vCores of an elastic pool are busy, then each database in the pool receiv
|Columnstore support|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|172|216|304|704|1768| |Max data size (GB)|1280|1536|2048|4096|4096|
-|Max log size (GB)|427|512|683|1024|1024|
+|Max log size (GB) <sup>2</sup>|427|512|683|1024|1024|
|TempDB max data size (GB)|640|768|1024|2048|4096| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|13836|13836|13836|13836|13836| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS per pool <sup>2</sup>|31,248|37,497|49,996|99,993|160,000|
+|Max data IOPS per pool <sup>3</sup>|31,248|37,497|49,996|99,993|160,000|
|Max log rate per pool (MBps)|120|144|192|264|264|
-|Max concurrent workers per pool (requests) <sup>3</sup>|2,000|2,400|3,200|6,400|12,800|
-|Max concurrent logins per pool (requests) <sup>3</sup>|2,000|2,400|3,200|6,400|12,800|
+|Max concurrent workers per pool (requests) <sup>4</sup>|2,000|2,400|3,200|6,400|12,800|
+|Max concurrent logins per pool (requests) <sup>4</sup>|2,000|2,400|3,200|6,400|12,800|
|Max concurrent sessions|30000|30000|30000|30000|30000| |Number of replicas|4|4|4|4|4| |Multi-AZ|No|No|No|No|No|
If all vCores of an elastic pool are busy, then each database in the pool receiv
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
-If all vCores of an elastic pool are busy, then each database in the pool receives an equal amount of compute resources to process queries. Azure SQL Database provides resource sharing fairness between databases by ensuring equal slices of compute time. Elastic pool resource sharing fairness is in addition to any amount of resource otherwise guaranteed to each database when the vCore min per database is set to a non-zero value.
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
## Business critical - provisioned compute - DC-series
If all vCores of an elastic pool are busy, then each database in the pool receiv
|Columnstore support|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|1.7|3.7|5.9|8.2| |Max data size (GB)|768|768|768|768|
-|Max log size (GB)|230|230|230|230|
+|Max log size (GB) <sup>2</sup>|230|230|230|230|
|TempDB max data size (GB)|64|128|192|256| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|1406|1406|1406|1406| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS per pool <sup>2</sup>|15750|31500|47250|56000|
+|Max data IOPS per pool <sup>3</sup>|15750|31500|47250|56000|
|Max log rate per pool (MBps)|20|60|90|120|
-|Max concurrent workers per pool (requests) <sup>3</sup>|168|336|504|672|
-|Max concurrent logins per pool (requests) <sup>3</sup>|168|336|504|672|
+|Max concurrent workers per pool (requests) <sup>4</sup>|168|336|504|672|
+|Max concurrent logins per pool (requests) <sup>4</sup>|168|336|504|672|
|Max concurrent sessions|30,000|30,000|30,000|30,000| |Min/max elastic pool vCore choices per database|2|2...4|2...6|2...8| |Number of replicas|4|4|4|4|
If all vCores of an elastic pool are busy, then each database in the pool receiv
<sup>1</sup> See [Resource management in dense elastic pools](elastic-pool-resource-management.md) for additional considerations.
-<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
-<sup>3</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
+<sup>4</sup> For the max concurrent workers (requests) for any individual database, see [Single database resource limits](resource-limits-vcore-single-databases.md). For example, if the elastic pool is using Gen5 and the max vCore per database is set at 2, then the max concurrent workers value is 200. If max vCore per database is set to 0.5, then the max concurrent workers value is 50 since on Gen5 there are a max of 100 concurrent workers per vCore. For other max vCore settings per database that are less 1 vCore or less, the number of max concurrent workers is similarly rescaled.
## Database properties for pooled databases
azure-sql Resource Limits Vcore Single Databases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/resource-limits-vcore-single-databases.md
Previously updated : 04/16/2021 Last updated : 06/04/2021 # Resource limits for single databases using the vCore purchasing model [!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
This article provides the detailed resource limits for single databases in Azure
* For vCore resource limits, see [vCore resource limits - Azure SQL Database](resource-limits-vcore-single-databases.md) and [vCore resource limits - elastic pools](resource-limits-vcore-elastic-pools.md). * For more information regarding the different purchasing models, see [Purchasing models and service tiers](purchasing-models.md).
+> [!IMPORTANT]
+> Under some circumstances, you may need to shrink a database to reclaim unused space. For more information, see [Manage file space in Azure SQL Database](file-space-manage.md).
+ Each read-only replica has its own resources, such as vCores, memory, data IOPS, TempDB, workers, and sessions. Each read-only replica is subject to the resource limits detailed later in this article. You can set the service tier, compute size (service objective), and storage amount for a single database using:
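Review bot: The added IMPORTANT note opens with "Under some circumstances", which gives the reader no way to tell whether the note applies to them. Name at least one condition that calls for shrinking a database, or drop the qualifier and state that the linked article explains when reclaiming unused space is needed. Also check that a blank line separates the note from the following "Each read-only replica has its own resources" paragraph, so the paragraph is not rendered inside the callout.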
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Min-max vCores|0.5-1|0.5-2|0.5-4|0.75-6|1.0-8| |Min-max memory (GB)|2.02-3|2.05-6|2.10-12|2.25-18|3.00-24| |Min-max auto-pause delay (minutes)|60-10080|60-10080|60-10080|60-10080|60-10080|
-|Columnstore support|Yes*|Yes|Yes|Yes|Yes|
+|Columnstore support|Yes <sup>1</sup>|Yes|Yes|Yes|Yes|
|In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|512|1024|1024|1024|1536|
-|Max log size (GB)|154|307|307|307|461|
+|Max log size (GB) <sup>2</sup>|154|307|307|307|461|
|TempDB max data size (GB)|32|64|128|192|256| |Storage type|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS \*\*|320|640|1280|1920|2560|
+|Max data IOPS <sup>3</sup>|320|640|1280|1920|2560|
|Max log rate (MBps)|4.5|9|18|27|36| |Max concurrent workers (requests)|75|150|300|450|600| |Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|N/A|N/A|N/A|N/A|N/A| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* Service objectives with smaller max vcore configurations may have insufficient memory for creating and using column store indexes. If encountering performance problems with column store, increase the max vcore configuration to increase the max memory available.
-\*\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> Service objectives with smaller max vcore configurations may have insufficient memory for creating and using columnstore indexes. If encountering performance problems with columnstore, increase the max vcore configuration to increase the max memory available.
+
+<sup>2</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>3</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
### Gen5 compute generation (part 2)
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A| |Max data size (GB)|1536|3072|3072|3072|
-|Max log size (GB)|461|461|461|922|
+|Max log size (GB) <sup>1</sup>|461|461|461|922|
|TempDB max data size (GB)|320|384|448|512| |Storage type|Remote SSD|Remote SSD|Remote SSD|Remote SSD| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS *|3200|3840|4480|5120|
+|Max data IOPS <sup>2</sup>|3200|3840|4480|5120|
|Max log rate (MBps)|45|50|50|50| |Max concurrent workers (requests)|750|900|1050|1200| |Max concurrent sessions|30,000|30,000|30,000|30,000|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|N/A|N/A|N/A|N/A| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
### Gen5 compute generation (part 3)
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|3072|3072|4096|4096|4096|
-|Max log size (GB)|922|922|1024|1024|1024|
+|Max log size (GB) <sup>1</sup>|922|922|1024|1024|1024|
|TempDB max data size (GB)|576|640|768|1024|1280| |Storage type|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS *|5760|6400|7680|10240|12800|
+|Max data IOPS <sup>2</sup>|5760|6400|7680|10240|12800|
|Max log rate (MBps)|50|50|50|50|50| |Max concurrent workers (requests)|1350|1500|1800|2400|3000| |Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|N/A|N/A|N/A|N/A|N/A| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
## Hyperscale - provisioned compute - Gen4
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Max log size (TB)|Unlimited |Unlimited |Unlimited |Unlimited |Unlimited |Unlimited | |TempDB max data size (GB)|32|64|96|128|160|192| |Storage type| [Note 1](#notes) |[Note 1](#notes)|[Note 1](#notes) |[Note 1](#notes) |[Note 1](#notes) |[Note 1](#notes) |
-|Max local SSD IOPS *|4000 |8000 |12000 |16000 |20000 |24000 |
+|Max local SSD IOPS <sup>1</sup>|4000 |8000 |12000 |16000 |20000 |24000 |
|Max log rate (MBps)|100 |100 |100 |100 |100 |100 | |IO latency (approximate)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)| |Max concurrent workers (requests)|200|400|600|800|1000|1200|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Backup storage retention|7 days|7 days|7 days|7 days|7 days|7 days| |||
-\* Besides local SSD IO, workloads will use remote [page server](service-tier-hyperscale.md#page-server) IO. Effective IOPS will depend on workload. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance), and [Data IO in resource utilization statistics](hyperscale-performance-diagnostics.md#data-io-in-resource-utilization-statistics).
+<sup>1</sup> Besides local SSD IO, workloads will use remote [page server](service-tier-hyperscale.md#page-server) IO. Effective IOPS will depend on workload. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance), and [Data IO in resource utilization statistics](hyperscale-performance-diagnostics.md#data-io-in-resource-utilization-statistics).
### Gen4 compute generation (part 2)
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Max log size (TB)|Unlimited |Unlimited |Unlimited |Unlimited |Unlimited |Unlimited | |TempDB max data size (GB)|224|256|288|320|512|768| |Storage type| [Note 1](#notes) |[Note 1](#notes) |[Note 1](#notes) |[Note 1](#notes) |[Note 1](#notes) |[Note 1](#notes) |
-|Max local SSD IOPS *|28000 |32000 |36000 |40000 |64000 |76800 |
+|Max local SSD IOPS <sup>1</sup>|28000 |32000 |36000 |40000 |64000 |76800 |
|Max log rate (MBps)|100 |100 |100 |100 |100 |100 | |IO latency (approximate)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)| |Max concurrent workers (requests)|1400|1600|1800|2000|3200|4800|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Backup storage retention|7 days|7 days|7 days|7 days|7 days|7 days| |||
-\* Besides local SSD IO, workloads will use remote [page server](service-tier-hyperscale.md#page-server) IO. Effective IOPS will depend on workload. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance), and [Data IO in resource utilization statistics](hyperscale-performance-diagnostics.md#data-io-in-resource-utilization-statistics).
+<sup>1</sup> Besides local SSD IO, workloads will use remote [page server](service-tier-hyperscale.md#page-server) IO. Effective IOPS will depend on workload. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance), and [Data IO in resource utilization statistics](hyperscale-performance-diagnostics.md#data-io-in-resource-utilization-statistics).
## Hyperscale - provisioned compute - Gen5
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Max log size (TB)|Unlimited |Unlimited |Unlimited |Unlimited |Unlimited |Unlimited |Unlimited | |TempDB max data size (GB)|64|128|192|256|320|384|448| |Storage type| [Note 1](#notes) |[Note 1](#notes)|[Note 1](#notes) |[Note 1](#notes) |[Note 1](#notes) |[Note 1](#notes) |[Note 1](#notes) |
-|Max local SSD IOPS *|8000 |16000 |24000 |32000 |40000 |48000 |56000 |
+|Max local SSD IOPS <sup>1</sup>|8000 |16000 |24000 |32000 |40000 |48000 |56000 |
|Max log rate (MBps)|100 |100 |100 |100 |100 |100 |100 | |IO latency (approximate)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)| |Max concurrent workers (requests)|200|400|600|800|1000|1200|1400|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Backup storage retention|7 days|7 days|7 days|7 days|7 days|7 days|7 days| |||
-\* Besides local SSD IO, workloads will use remote [page server](service-tier-hyperscale.md#page-server) IO. Effective IOPS will depend on workload. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance), and [Data IO in resource utilization statistics](hyperscale-performance-diagnostics.md#data-io-in-resource-utilization-statistics).
+<sup>1</sup> Besides local SSD IO, workloads will use remote [page server](service-tier-hyperscale.md#page-server) IO. Effective IOPS will depend on workload. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance), and [Data IO in resource utilization statistics](hyperscale-performance-diagnostics.md#data-io-in-resource-utilization-statistics).
### Gen5 compute generation (part 2)
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Max log size (TB)|Unlimited |Unlimited |Unlimited |Unlimited |Unlimited |Unlimited |Unlimited | |TempDB max data size (GB)|512|576|640|768|1024|1280|2560| |Storage type| [Note 1](#notes) |[Note 1](#notes)|[Note 1](#notes)|[Note 1](#notes) |[Note 1](#notes) |[Note 1](#notes) |[Note 1](#notes) |
-|Max local SSD IOPS *|64000 |72000 |80000 |96000 |128000 |160000 |204800 |
+|Max local SSD IOPS <sup>1</sup>|64000 |72000 |80000 |96000 |128000 |160000 |204800 |
|Max log rate (MBps)|100 |100 |100 |100 |100 |100 |100 | |IO latency (approximate)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)| |Max concurrent workers (requests)|1600|1800|2000|2400|3200|4000|8000|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Backup storage retention|7 days|7 days|7 days|7 days|7 days|7 days|7 days| |||
-\* Besides local SSD IO, workloads will use remote [page server](service-tier-hyperscale.md#page-server) IO. Effective IOPS will depend on workload. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance), and [Data IO in resource utilization statistics](hyperscale-performance-diagnostics.md#data-io-in-resource-utilization-statistics).
+<sup>1</sup> Besides local SSD IO, workloads will use remote [page server](service-tier-hyperscale.md#page-server) IO. Effective IOPS will depend on workload. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance), and [Data IO in resource utilization statistics](hyperscale-performance-diagnostics.md#data-io-in-resource-utilization-statistics).
#### Notes
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Max log size (TB)|Unlimited |Unlimited |Unlimited |Unlimited | |TempDB max data size (GB)|64|128|192|256| |Storage type| [Note 1](#notes) |[Note 1](#notes)|[Note 1](#notes) |[Note 1](#notes) |
-|Max local SSD IOPS *|14000|28000|42000|44800|
+|Max local SSD IOPS <sup>1</sup>|14000|28000|42000|44800|
|Max log rate (MBps)|100 |100 |100 |100 | |IO latency (approximate)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)|[Note 2](#notes)| |Max concurrent workers (requests)|160|320|480|640|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Backup storage retention|7 days|7 days|7 days|7 days| |||
+<sup>1</sup> Besides local SSD IO, workloads will use remote [page server](service-tier-hyperscale.md#page-server) IO. Effective IOPS will depend on workload. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance), and [Data IO in resource utilization statistics](hyperscale-performance-diagnostics.md#data-io-in-resource-utilization-statistics).
+ ### Notes **Note 1**: Hyperscale is a multi-tiered architecture with separate compute and storage components: [Hyperscale Service Tier Architecture](service-tier-hyperscale.md#distributed-functions-architecture)
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|1024|1024|1536|1536|1536|3072|
-|Max log size (GB)|307|307|461|461|461|922|
+|Max log size (GB) <sup>1</sup>|307|307|461|461|461|922|
|TempDB max data size (GB)|32|64|96|128|160|192| |Storage type|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS *|320|640|960|1280|1600|1920|
+|Max data IOPS <sup>2</sup>|320|640|960|1280|1600|1920|
|Max log rate (MBps)|4.5|9|13.5|18|22.5|27| |Max concurrent workers (requests)|200|400|600|800|1000|1200| |Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|30,000|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|N/A|N/A|N/A|N/A|N/A|N/A| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
### Gen4 compute generation (part 2)
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|3072|3072|3072|3072|4096|4096|
-|Max log size (GB)|922|922|922|922|1229|1229|
+|Max log size (GB) <sup>1</sup>|922|922|922|922|1229|1229|
|TempDB max data size (GB)|224|256|288|320|512|768| |Storage type|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)
-|Max data IOPS *|2240|2560|2880|3200|5120|7680|
+|Max data IOPS <sup>2</sup>|2240|2560|2880|3200|5120|7680|
|Max log rate (MBps)|31.5|36|40.5|45|50|50| |Max concurrent workers (requests)|1400|1600|1800|2000|3200|4800| |Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|30,000|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|N/A|N/A|N/A|N/A|N/A|N/A| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
## General purpose - provisioned compute - Gen5
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|1024|1024|1536|1536|1536|3072|3072|
-|Max log size (GB)|307|307|461|461|461|922|922|
+|Max log size (GB) <sup>1</sup>|307|307|461|461|461|922|922|
|TempDB max data size (GB)|64|128|192|256|320|384|384| |Storage type|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS *|640|1280|1920|2560|3200|3840|4480|
+|Max data IOPS <sup>2</sup>|640|1280|1920|2560|3200|3840|4480|
|Max log rate (MBps)|9|18|27|36|45|50|50| |Max concurrent workers (requests)|200|400|600|800|1000|1200|1400| |Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|30,000|30,000|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|N/A|N/A|N/A|N/A|N/A|N/A|N/A| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
### Gen5 compute generation (part 2)
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|3072|3072|3072|4096|4096|4096|4096|
-|Max log size (GB)|922|922|922|1024|1024|1024|1024|
+|Max log size (GB) <sup>1</sup>|922|922|922|1024|1024|1024|1024|
|TempDB max data size (GB)|512|576|640|768|1024|1280|2560| |Storage type|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS *|5120|5760|6400|7680|10240|12800|12800|
+|Max data IOPS <sup>2</sup>|5120|5760|6400|7680|10240|12800|12800|
|Max log rate (MBps)|50|50|50|50|50|50|50| |Max concurrent workers (requests)|1600|1800|2000|2400|3200|4000|8000| |Max concurrent sessions|30,000|30,000|30,000|30,000|30,000|30,000|30,000|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|N/A|N/A|N/A|N/A|N/A|N/A|N/A| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
## General purpose - provisioned compute - Fsv2-series
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|1024|1024|1024|1024|1536|
-|Max log size (GB)|336|336|336|336|512|
+|Max log size (GB) <sup>1</sup>|336|336|336|336|512|
|TempDB max data size (GB)|37|46|56|65|74| |Storage type|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS *|2560|3200|3840|4480|5120|
+|Max data IOPS <sup>2</sup>|2560|3200|3840|4480|5120|
|Max log rate (MBps)|36|45|50|50|50| |Max concurrent workers (requests)|400|500|600|700|800| |Max concurrent logins|800|1000|1200|1400|1600|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|N/A|N/A|N/A|N/A|N/A| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
### Fsv2-series compute generation (part 2)
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A|N/A|N/A| |Max data size (GB)|1536|1536|1536|3072|3072|4096|
-|Max log size (GB)|512|512|512|1024|1024|1024|
+|Max log size (GB) <sup>1</sup>|512|512|512|1024|1024|1024|
|TempDB max data size (GB)|83|93|111|148|167|333| |Storage type|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD|Remote SSD| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS *|5760|6400|7680|10240|11520|12800|
+|Max data IOPS <sup>2</sup>|5760|6400|7680|10240|11520|12800|
|Max log rate (MBps)|50|50|50|50|50|50| |Max concurrent workers (requests)|900|1000|1200|1600|1800|3600| |Max concurrent logins|1800|2000|2400|3200|3600|7200|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|N/A|N/A|N/A|N/A|N/A|N/A| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
## General purpose - provisioned compute - DC-series
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|N/A|N/A|N/A|N/A| |Max data size (GB)|1024|1536|3072|3072|
-|Max log size (GB)|307|461|922|922|
+|Max log size (GB) <sup>1</sup>|307|461|922|922|
|TempDB max data size (GB)|64|128|192|256| |Storage type|Remote SSD|Remote SSD|Remote SSD|Remote SSD| |IO latency (approximate)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|5-7 ms (write)<br>5-10 ms (read)|
-|Max data IOPS *|640|1280|1920|2560|
+|Max data IOPS <sup>2</sup>|640|1280|1920|2560|
|Max log rate (MBps)|9|18|27|36| |Max concurrent workers (requests)|160|320|480|640| |Max concurrent sessions|30,000|30,000|30,000|30,000|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|N/A|N/A|N/A|N/A| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
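Review bot: in the DC-series footnotes, the `<sup>1</sup>` and `<sup>2</sup>` lines are added back to back with no empty `+` line between them, unlike the other tables in this change, so Markdown will render the two footnotes as a single paragraph. Add a blank line between the two footnote lines.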
## Business critical - provisioned compute - Gen4
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|In-memory OLTP storage (GB)|1|2|3|4|5|6| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |Max data size (GB)|1024|1024|1024|1024|1024|1024|
-|Max log size (GB)|307|307|307|307|307|307|
+|Max log size (GB) <sup>1</sup>|307|307|307|307|307|307|
|TempDB max data size (GB)|32|64|96|128|160|192| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|1356|1356|1356|1356|1356|1356| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS *|4,000|8,000|12,000|16,000|20,000|24,000|
+|Max data IOPS <sup>2</sup>|4,000|8,000|12,000|16,000|20,000|24,000|
|Max log rate (MBps)|8|16|24|32|40|48| |Max concurrent workers (requests)|200|400|600|800|1000|1200| |Max concurrent logins|200|400|600|800|1000|1200|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|Yes|Yes|Yes|Yes|Yes|Yes| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
### Gen4 compute generation (part 2)
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|In-memory OLTP storage (GB)|7|8|9.5|11|20|36| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |Max data size (GB)|1024|1024|1024|1024|1024|1024|
-|Max log size (GB)|307|307|307|307|307|307|
+|Max log size (GB) <sup>1</sup>|307|307|307|307|307|307|
|TempDB max data size (GB)|224|256|288|320|512|768| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|1356|1356|1356|1356|1356|1356| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS |28,000|32,000|36,000|40,000|64,000|76,800|
+|Max data IOPS <sup>2</sup>|28,000|32,000|36,000|40,000|64,000|76,800|
|Max log rate (MBps)|56|64|64|64|64|64| |Max concurrent workers (requests)|1400|1600|1800|2000|3200|4800| |Max concurrent logins (requests)|1400|1600|1800|2000|3200|4800|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|Yes|Yes|Yes|Yes|Yes|Yes| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
## Business critical - provisioned compute - Gen5
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|1.57|3.14|4.71|6.28|8.65|11.02|13.39| |Max data size (GB)|1024|1024|1536|1536|1536|3072|3072|
-|Max log size (GB)|307|307|461|461|461|922|922|
+|Max log size (GB) <sup>1</sup>|307|307|461|461|461|922|922|
|TempDB max data size (GB)|64|128|192|256|320|384|448| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|4829|4829|4829|4829|4829|4829|4829| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS *|8000|16,000|24,000|32,000|40,000|48,000|56,000|
+|Max data IOPS <sup>2</sup>|8000|16,000|24,000|32,000|40,000|48,000|56,000|
|Max log rate (MBps)|24|48|72|96|96|96|96| |Max concurrent workers (requests)|200|400|600|800|1000|1200|1400| |Max concurrent logins|200|400|600|800|1000|1200|1400|
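Review bot: the rewritten "Max data IOPS" row keeps mixed number formatting, `8000` in the first column followed by `16,000`, `24,000` and so on. Since the line is being changed for the footnote marker anyway, use one style across the row, matching whichever convention the other tables in this article follow.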
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|Yes|Yes|Yes|Yes|Yes|Yes|Yes| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
### Gen5 compute generation (part 2)
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|15.77|18.14|20.51|25.25|37.94|52.23|131.64| |Max data size (GB)|3072|3072|3072|4096|4096|4096|4096|
-|Max log size (GB)|922|922|922|1024|1024|1024|1024|
+|Max log size (GB) <sup>1</sup>|922|922|922|1024|1024|1024|1024|
|TempDB max data size (GB)|512|576|640|768|1024|1280|2560| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|4829|4829|4829|4829|4829|4829|4829| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS *|64,000|72,000|80,000|96,000|128,000|160,000|204,800|
+|Max data IOPS <sup>2</sup>|64,000|72,000|80,000|96,000|128,000|160,000|204,800|
|Max log rate (MBps)|96|96|96|96|96|96|96| |Max concurrent workers (requests)|1600|1800|2000|2400|3200|4000|8000| |Max concurrent logins|1600|1800|2000|2400|3200|4000|8000|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|Yes|Yes|Yes|Yes|Yes|Yes|Yes| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
## Business critical - provisioned compute - M-series
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|64|80|96|112|128|150| |Max data size (GB)|512|640|768|896|1024|1152|
-|Max log size (GB)|171|213|256|299|341|384|
+|Max log size (GB) <sup>1</sup>|171|213|256|299|341|384|
|TempDB max data size (GB)|256|320|384|448|512|576| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|13836|13836|13836|13836|13836|13836| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS *|12,499|15,624|18,748|21,873|24,998|28,123|
+|Max data IOPS <sup>2</sup>|12,499|15,624|18,748|21,873|24,998|28,123|
|Max log rate (MBps)|48|60|72|84|96|108| |Max concurrent workers (requests)|800|1,000|1,200|1,400|1,600|1,800| |Max concurrent logins|800|1,000|1,200|1,400|1,600|1,800|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|Yes|Yes|Yes|Yes|Yes|Yes| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
-> [!IMPORTANT]
-> Under some circumstances, you may need to shrink a database to reclaim unused space. For more information, see [Manage file space in Azure SQL Database](file-space-manage.md).
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
### M-series compute generation (part 2)
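Review bot: The removed `[!IMPORTANT]` block under this table drops the pointer to [Manage file space in Azure SQL Database](file-space-manage.md), and neither added footnote replaces it. New footnote 1 says that reducing max data size reduces max log size proportionally, which makes the shrink guidance more relevant, not less. If the removal is intentional, say so in the commit message. Otherwise, keep the note after footnote 2.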
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|172|216|304|704|1768| |Max data size (GB)|1280|1536|2048|4096|4096|
-|Max log size (GB)|427|512|683|1024|1024|
+|Max log size (GB) <sup>1</sup>|427|512|683|1024|1024|
|TempDB max data size (GB)|4096|2048|1024|768|640| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|13836|13836|13836|13836|13836| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS *|31,248|37,497|49,996|99,993|160,000|
+|Max data IOPS <sup>2</sup>|31,248|37,497|49,996|99,993|160,000|
|Max log rate (MBps)|120|144|192|264|264| |Max concurrent workers (requests)|2,000|2,400|3,200|6,400|12,800| |Max concurrent logins|2,000|2,400|3,200|6,400|12,800|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|Yes|Yes|Yes|Yes|Yes| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
-> [!IMPORTANT]
-> Under some circumstances, you may need to shrink a database to reclaim unused space. For more information, see [Manage file space in Azure SQL Database](file-space-manage.md).
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
## Business critical - provisioned compute - DC-series
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Columnstore support|Yes|Yes|Yes|Yes| |In-memory OLTP storage (GB)|1.7|3.7|5.9|8.2| |Max data size (GB)|768|768|768|768|
-|Max log size (GB)|230|230|230|230|
+|Max log size (GB) <sup>1</sup>|230|230|230|230|
|TempDB max data size (GB)|64|128|192|256| |[Max local storage size](resource-limits-logical-server.md#storage-space-governance) (GB)|1406|1406|1406|1406| |Storage type|Local SSD|Local SSD|Local SSD|Local SSD| |IO latency (approximate)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|1-2 ms (write)<br>1-2 ms (read)|
-|Max data IOPS *|14000|28000|42000|44800|
+|Max data IOPS <sup>2</sup>|14000|28000|42000|44800|
|Max log rate (MBps)|24|48|72|96| |Max concurrent workers (requests)|200|400|600|800| |Max concurrent logins|200|400|600|800|
The [serverless compute tier](serverless-tier-overview.md) is currently availabl
|Read Scale-out|No|No|No|No| |Included backup storage|1X DB size|1X DB size|1X DB size|1X DB size|
-\* The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
+<sup>1</sup> For documented max data size values. Reducing max data size reduces max log size proportionally.
+<sup>2</sup> The maximum value for IO sizes ranging between 8 KB and 64 KB. Actual IOPS are workload-dependent. For details, see [Data IO Governance](resource-limits-logical-server.md#resource-governance).
## Next steps
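Review bot: The two footnote lines added under the DC-series table have no empty line between them, unlike the first table in this file, where an added empty line separates `<sup>1</sup>` and `<sup>2</sup>`. In Markdown the two will render as one run-on paragraph. Add the empty line so the footnotes display separately.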
azure-video-analyzer Player Widget https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/player-widget.md
In this section we will create a JWT token that we will use later in the documen
> [!NOTE] > If you are familiar with how to generate a JWT token based on either an RSA or ECC certificate then you can skip this section.
-1. Download the JWTTokenIssuer application located [here](https://github.com/Azure-Samples/video-analyzer-iot-edge-csharp/tree/main/src/jwt-token-issuer/readme.md).
+1. Download the JWTTokenIssuer application located [here](https://github.com/Azure-Samples/video-analyzer-iot-edge-csharp/tree/main/src/jwt-token-issuer/).
> [!NOTE] > For more information about configuring your audience values see this [article](./access-policies.md)
The package used to get the code into your application is an NPM package [here](
npm install @azure/video-analyzer/widgets ```
-Or you can import it within your application code using:
+Or you can import it within your application code using this for Typescript:
```typescript import { Player } from '@video-analyzer/widgets'; ```
+Or this for Javascript if you want to create a player widget dynamically:
+```javascript
+<script async type="module" src="https://unpkg.com/@azure/video-analyzer-widgets@latest/dist/global.min.js"></script>
+```
+ If you use this method to import, you will need to programatically create the player object after the import is complete. In the above example you added the module to the page using the `ava-player` HTML tag. To create a player object through code, you can do the following in either JavaScript: ```javascript
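Review bot: The added script tag loads `@azure/video-analyzer-widgets@latest` from unpkg.com with no `integrity` attribute, so every page that copies this snippet runs whatever is published next, in a page that also handles the JWT created earlier in the article. Pin an exact version in the URL and add `integrity` and `crossorigin` attributes, or recommend bundling the package from npm instead. Also in this hunk: the fence is tagged `javascript` but holds an HTML tag, the package is named three different ways (`@azure/video-analyzer/widgets`, `@video-analyzer/widgets`, `@azure/video-analyzer-widgets`), and "programatically" should be "programmatically".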
backup Backup Azure Restore Windows Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-restore-windows-server.md
If you accidentally deleted a file and want to restore it to the same machine (f
![Screenshot of Recover Data Wizard Browse and Recover Files page (restore to same machine) - Confirm Recovery Volume Unmount](./media/backup-azure-restore-windows-server/samemachine_unmount_instantrestore.png) > [!Important]
- > If you don't select **Unmount**, the recovery volume will remain mounted for 6 hours from the time when it was mounted. However, the mount time is extended up to a maximum of 24 hours in the case of an ongoing file-copy. No backup operations will run while the volume is mounted. Any backup operation scheduled to run during the time when the volume is mounted will run after the recovery volume is unmounted.
+ > If you don't select **Unmount**, the recovery volume will remain mounted for 6 hours from the time when it was mounted. However, the mount time is extended to a maximum of 7 days in case of an ongoing file-copy. No backup operations will run while the volume is mounted. Any backup operation scheduled to run during the time when the volume is mounted will run after the recovery volume is unmounted.
> ## Use Instant Restore to restore data to an alternate machine
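Review bot: The changed sentence raises the maximum mount time during an ongoing file copy from 24 hours to 7 days, while the unchanged sentence after it still says no backup operations run while the volume is mounted. Together they mean a long-running or stalled copy can now hold off scheduled backups for up to a week, and the note never states that. Spell out the consequence and tell the reader to select **Unmount** as soon as the copy finishes.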
backup Troubleshoot Azure Files https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/troubleshoot-azure-files.md
Retry the registration. If the problem persists, contact support.
- Ensure that the file share you're looking to protect hasn't been deleted. - Ensure that the Storage Account is a supported storage account for file share backup. You can refer to the [Support matrix for Azure file share backup](azure-file-share-support-matrix.md) to find supported Storage Accounts. - Check if the file share is already protected in the same Recovery Services vault.
+- Check the Network Routing setting of storage account to ensure that routing preference is set as Microsoft network routing .
### Backup file share configuration (or the protection policy configuration) is failing
Error Message: A backup job is already in progress for this file share.
- Wait for the existing backup job to finish and then try again. If you canΓÇÖt find a backup job in the Recovery Services vault, check other Recovery Services vaults in the same subscription.
+### UserErrorStorageAccountInternetRoutingNotSupported- Storage accounts with Internet routing configuration are not supported by Azure Backup
+
+Error Code: UserErrorStorageAccountInternetRoutingNotSupported
+
+Error Message: Storage accounts with Internet routing configuration are not supported by Azure Backup
+
+Ensure that the routing preference set for the storage account hosting backed up file share is Microsoft network routing.
+ ### FileshareBackupFailedWithAzureRpRequestThrottling/ FileshareRestoreFailedWithAzureRpRequestThrottling- File share backup or restore failed due to storage service throttling. This may be because the storage service is busy processing other requests for the given storage account Error Code: FileshareBackupFailedWithAzureRpRequestThrottling/ FileshareRestoreFailedWithAzureRpRequestThrottling
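Review bot: The new `UserErrorStorageAccountInternetRoutingNotSupported` section tells the reader to ensure the routing preference is Microsoft network routing but does not say where that setting is found or link to the routing preference documentation. Add the link or the portal path so the fix is actionable. The heading is missing a space before the hyphen (`NotSupported- Storage`), and the bullet added earlier in this file has a stray space before the period (`Microsoft network routing .`).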
cloud-services-extended-support In Place Migration Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/in-place-migration-powershell.md
Get-AzResourceProvider -ProviderNamespace Microsoft.ClassicInfrastructureMigrate
Check the status of registration using the following: ```powershell
-Get-AzProviderFeature -FeatureName CloudServices
+Get-AzProviderFeature -FeatureName CloudServices -ProviderNamespace Microsoft.Compute
``` Make sure that RegistrationState is `Registered` for both before you proceed.
Select-AzureSubscription ΓÇôSubscriptionName "My Azure Subscription"
## 5) Migrate your Cloud Services
+Before starting the migration, understand how the [migration steps](https://docs.microsoft.com/azure/cloud-services-extended-support/in-place-migration-overview#migration-steps) works and what each step does.
+ * [Migrate a Cloud Service not in a virtual network](#51-option-1migrate-a-cloud-service-not-in-a-virtual-network) * [Migrate a Cloud Service in a virtual network](#51-option-2migrate-a-cloud-service-in-a-virtual-network)
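Review bot: In the added sentence, "how the migration steps works" should read "how the migration steps work". The link is an absolute docs.microsoft.com URL to an article in the same folder as this file. A relative link to `in-place-migration-overview.md#migration-steps` would be validated by the docs build.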
$deployment = Get-AzureDeployment -ServiceName $serviceName
$deploymentName = $deployment.DeploymentName ```
-First, validate that you can migrate the Cloud Service by using the following commands:
+First, validate that you can migrate the Cloud Service by using the following commands. The command displays any errors that block migration.
```powershell $validate = Move-AzureService -Validate -ServiceName $serviceName -DeploymentName $deploymentName -CreateNewVirtualNetwork $validate.ValidationMessages ```
-The following command displays any warnings and errors that block migration. If validation is successful, you can move on to the Prepare step.
+If validation is successful or has just warnings, you can move on to the Prepare step.
```powershell Move-AzureService -Prepare -ServiceName $serviceName -DeploymentName $deploymentName -CreateNewVirtualNetwork ```
+Check the configuration for the prepared Cloud Service (extended support) by using either Azure PowerShell or the Azure portal. If you're not ready for migration and you want to go back to the old state, abort the migration.
+```powershell
+Move-AzureService -Abort -ServiceName $serviceName -DeploymentName $deploymentName -CreateNewVirtualNetwork
+```
+If you're ready to complete the migration, commit the migration
+
+```powershell
+Move-AzureService -Commit -ServiceName $serviceName -DeploymentName $deploymentName -CreateNewVirtualNetwork
+```
+ ### 5.1) Option 2 - Migrate a Cloud Service in a virtual network To migrate a Cloud Service in a virtual network, you migrate the virtual network. The Cloud Service automatically migrates with the virtual network.
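Review bot: The added `-Abort` and `-Commit` commands both carry `-CreateNewVirtualNetwork`, which reads as copied from the `-Prepare` line. Confirm the cmdlet accepts that switch with those operations, or drop it. The new text should also say whether Abort is still possible after Commit, since that decides how carefully the prepared configuration must be checked first. The validation wording is now inconsistent: it says the command "displays any errors that block migration", then lets the reader proceed on "just warnings". State that `$validate.ValidationMessages` lists warnings as well. Minor: "commit the migration" needs closing punctuation, and the Abort fence has no empty line before it while the Commit fence does.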
The following command displays any warnings and errors that block migration. If
Move-AzureVirtualNetwork -Prepare -VirtualNetworkName $vnetName ```
-Check the configuration for the prepared Cloud Service by using either Azure PowerShell or the Azure portal. If you're not ready for migration and you want to go back to the old state, use the following command:
+Check the configuration for the prepared Cloud Service (extended support) by using either Azure PowerShell or the Azure portal. If you're not ready for migration and you want to go back to the old state, use the following command:
```powershell Move-AzureVirtualNetwork -Abort -VirtualNetworkName $vnetName
communication-services Calling Client Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/voice-video-calling/calling-client-samples.md
zone_pivot_groups: acs-plat-web-ios-android-windows
Get started with Azure Communication Services by using the Communication Services Calling SDK to add voice and video calling to your app. ::: zone pivot="platform-web" ::: zone-end ::: zone pivot="platform-android" ::: zone-end ::: zone pivot="platform-ios" ::: zone-end ::: zone pivot="platform-windows" ::: zone-end ## Clean up resources
communication-services Get Started Teams Interop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/voice-video-calling/get-started-teams-interop.md
zone_pivot_groups: acs-plat-web-ios-android-windows
Get started with Azure Communication Services by connecting your calling solution to Microsoft Teams using the JavaScript SDK. ::: zone pivot="platform-web" ::: zone-end ::: zone pivot="platform-windows" ::: zone-end ::: zone pivot="platform-android" ::: zone-end ::: zone pivot="platform-ios" ::: zone-end Functionality described in this document uses the General Availability version of the Communication Services SDKs. Teams Interoperability requires the Beta version of the Communication Services SDKs. The Beta SDKs can be explored on the [release notes page](https://github.com/Azure/Communication/tree/master/releasenotes).
communication-services Get Started With Video Calling https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/voice-video-calling/get-started-with-video-calling.md
zone_pivot_groups: acs-plat-web-ios-android-windows
# QuickStart: Add 1:1 video calling to your app ::: zone pivot="platform-web" ::: zone-end ::: zone pivot="platform-android" ::: zone-end ::: zone pivot="platform-ios" ::: zone-end ::: zone pivot="platform-windows" ::: zone-end ## Clean up resources
communication-services Getting Started With Calling https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/voice-video-calling/getting-started-with-calling.md
Get started with Azure Communication Services by using the Communication Service
[!INCLUDE [Emergency Calling Notice](../../includes/emergency-calling-notice-include.md)] ::: zone pivot="platform-windows" ::: zone-end ::: zone pivot="platform-web" ::: zone-end ::: zone pivot="platform-android" ::: zone-end ::: zone pivot="platform-ios" ::: zone-end ## Clean up resources
communication-services Pstn Call https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/voice-video-calling/pstn-call.md
zone_pivot_groups: acs-plat-web-ios-android
Get started with Azure Communication Services by using the Communication Services Calling SDK to add PSTN calling to your app. ::: zone pivot="platform-web" ::: zone-end ::: zone pivot="platform-android" ::: zone-end ::: zone pivot="platform-ios" ::: zone-end ## Clean up resources
cosmos-db Choose Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/choose-api.md
+
+ Title: Choose an API in Azure Cosmos DB
+description: Learn how to choose between SQL/Core, MongoDB, Cassandra, Gremlin, and table APIs in Azure Cosmos DB based on your workload requirements.
++++ Last updated : 06/04/2021++
+# Choose an API in Azure Cosmos DB
+
+Azure Cosmos DB is a fully managed NoSQL database for modern app development. Azure Cosmos DB takes database administration off your hands with automatic management, updates, and patching. It also handles capacity management with cost-effective serverless and automatic scaling options that respond to application needs to match capacity with demand.
+
+## APIs in Azure Cosmos DB
+
+Azure Cosmos DB offers multiple database APIs, which include the Core (SQL) API, API for MongoDB, Cassandra API, Gremlin API, and Table API. By using these APIs, you can model real world data using documents, key-value, graph, and column-family data models. These APIs allow your applications to treat Azure Cosmos DB as if it were various other databases technologies, without the overhead of management, and scaling approaches. Using these APIs, Azure Cosmos DB helps you to use the ecosystems, tools, and skills you already have for data modeling and querying.
+
+All the APIs offer automatic scaling of storage and throughput, flexibility, and performance guarantees. There is no one best API, and you may choose any one of the APIs to build your application. This article will help you choose an API based on your workload and team requirements.
+
+## Considerations when choosing an API
+
+Core(SQL) API is native to Azure Cosmos DB.
+
+API for MongoDB, Cassandra, Gremlin, and Table implement the wire protocol of open-source database engines. These APIs are best suited if the following conditions are true:
+
+* If you have existing MongoDB, Cassandra, or Gremlin applications.
+* If you donΓÇÖt want to rewrite your entire data access layer.
+* If you want to use the open-source developer ecosystem, client-drivers, expertise, and resources for your database.
+* If you want to use the Azure Cosmos DB key features such as global distribution, elastic scaling of storage and throughput, performance, low latency, ability to run transactional and analytical workload, and use a fully managed platform.
+* If you are developing modernized apps on a multi-cloud environment.
+
+You can build new applications with these APIs or migrate your existing data. To run the migrated apps, change the connection string of your application and continue to run as before. When migrating existing apps, make sure to evaluate the feature support of these APIs.
+
+Based on your workload, you must choose the API that fits your requirement. The following image shows a flow chart on how to choose the right API when building new apps or migrating existing apps to Azure Cosmos DB:
++
+## Core(SQL) API
+
+This API stores data in document format. It offers the best end-to-end experience as we have full control over the interface, service, and the SDK client libraries. Any new feature that is rolled out to Azure Cosmos DB is first available on SQL API accounts. Azure Cosmos DB SQL API accounts provide support for querying items using the Structured Query Language (SQL) syntax, one of the most familiar and popular query languages to query JSON objects. To learn more about, see [getting started with SQL queries](sql-query-getting-started.md).
+
+If you are migrating from other databases such as Oracle, DynamoDB, HBase etc. and if you want to use the modernized technologies to build your apps, SQL API is the recommended option. SQL API supports analytics and offers performance isolation between operational and analytical workloads.
+
+## API for MongoDB
+
+This API stores data in a document structure, via BSON format. It is compatible with MongoDB wire protocol; however, it does not use any native MongoDB related code. This API is a great choice if you want to use the broader MongoDB ecosystem and skills, without compromising on using Azure Cosmos DBΓÇÖs features such as scaling, high availability, geo-replication, multiple write locations, automatic and transparent shard management, transparent replication between operational and analytical stores, and more.
+
+You can use your existing MongoDB apps with API for MongoDB by just changing the connection string. You can move any existing data using native MongoDB tools such as mongodump & mongorestore or using our Azure Database Migration tool. Tools, such as the MongoDB shell, [MongoDB Compass](mongodb-compass.md), and [Robo3T](mongodb-robomongo.md), can run queries and work with data as they do with native MongoDB.
+
+API for MongoDB is compatible with the 4.0, 3.6, and 3.2 MongoDB server versions. Server version 4.0 is recommended as it offers the best performance and full feature support. To learn more, see [API for MongoDB](mongodb-introduction.md) article.
+
+## Cassandra API
+
+This API stores data in column-oriented schema. Apache Cassandra offers a highly distributed, horizontally scaling approach to storing large volumes of data while offering a flexible approach to a column-oriented schema. Cassandra API in Azure Cosmos DB aligns with this philosophy to approaching distributed NoSQL databases. Cassandra API is wire protocol compatible with the Apache Cassandra. You should consider Cassandra API if you want to benefit the elasticity and fully managed nature of Azure Cosmos DB and still use most of the native Apache Cassandra features, tools, and ecosystem. This means on Cassandra API you donΓÇÖt need to manage the OS, Java VM, garbage collector, read/write performance, nodes, clusters, etc.
+
+You can use Apache Cassandra client drivers to connect to the Cassandra API. The Cassandra API enables you to interact with data using the Cassandra Query Language (CQL), and tools like CQL shell, Cassandra client drivers that you're already familiar with. Cassandra API currently only supports OLTP scenarios. Using Cassandra API, you can also use the unique features of Azure Cosmos DB such as change feed. To learn more, see [Cassandra API](cassandra-introduction.md) article.
+
+## Gremlin API
+
+This API allows users to make graph queries and stores data as edges and vertices. Use this API for scenarios involving dynamic data, data with complex relations, data that is too complex to be modeled with relational databases, and if you want to use the existing Gremlin ecosystem and skills. Azure Cosmos DB's Gremlin API combines the power of graph database algorithms with highly scalable, managed infrastructure. It provides a unique, flexible solution to most common data problems associated with lack of flexibility and relational approaches. Gremlin API currently only supports OLTP scenarios.
+
+Azure Cosmos DB's Gremlin API is based on the [Apache TinkerPop](https://tinkerpop.apache.org/) graph computing framework. Gremlin API uses the same Graph query language to ingest and query data. It uses the Azure Cosmos DBΓÇÖs partition strategy to do the read/write operations from the Graph database engine. Gremlin API has a wire protocol support with the open-source Gremlin, so you can use the open-source Gremlin SDKs to build your application. Azure Cosmos DB Gremlin API also works with Apache Spark and [GraphFrames](https://github.com/graphframes/graphframes) for complex analytical graph scenarios. To learn more, see [Gremlin API](graph-introduction.md) article.
+
+## Table API
+
+This API stores data in key/value format. If you are currently using Azure Table storage, you may see some limitations in latency, scaling, throughput, global distribution, index management, low query performance. Table API overcomes these limitations and itΓÇÖs recommended to migrate your app if you want to use the benefits of Azure Cosmos DB. Table API only supports OLTP scenarios.
+
+Applications written for Azure Table storage can migrate to the Table API with little code changes and take advantage of premium capabilities. To learn more, see [Table API](table-introduction.md) article.
+
+## Next steps
+
+* [Get started with Azure Cosmos DB SQL API](create-sql-api-dotnet.md)
+* [Get started with Azure Cosmos DB's API for MongoDB](create-mongodb-nodejs.md)
+* [Get started with Azure Cosmos DB Cassandra API](create-cassandra-dotnet.md)
+* [Get started with Azure Cosmos DB Gremlin API](create-graph-dotnet.md)
+* [Get started with Azure Cosmos DB Table API](create-table-dotnet.md)
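Review bot: In the Core(SQL) API section, "To learn more about, see" is missing its object, and "as we have full control over the interface" leaves "we" undefined for a reader who arrives from search. The article states that migrating an app means changing only the connection string, and separately warns readers to evaluate feature support. Put the warning next to each "just changing the connection string" claim, because the MongoDB section repeats the claim without it. The bullets under "best suited if the following conditions are true" each start with a redundant "If". The heading spelling "Core(SQL) API" does not match "Core (SQL) API" in the APIs section. The sentence introducing the flow chart is followed by no image reference in the added lines.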
cosmos-db Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/introduction.md
Previously updated : 05/07/2021 Last updated : 06/04/2021
Any [web, mobile, gaming, and IoT application](use-cases.md) that needs to handl
Get started with Azure Cosmos DB with one of our quickstarts:
+- Learn [how to choose an API](choose-api.md) in Azure Cosmos DB
- [Get started with Azure Cosmos DB SQL API](create-sql-api-dotnet.md) - [Get started with Azure Cosmos DB's API for MongoDB](create-mongodb-nodejs.md) - [Get started with Azure Cosmos DB Cassandra API](create-cassandra-dotnet.md)
hdinsight Apache Hadoop Linux Tutorial Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/hadoop/apache-hadoop-linux-tutorial-get-started.md
If you don't have an Azure subscription, create a [free account](https://azure.m
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-hdinsight-linux-ssh-password/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/hdinsight-linux-ssh-password/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.hdinsight/hdinsight-linux-ssh-password/azuredeploy.json":::
hdinsight Hdinsight Use Sqoop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/hadoop/hdinsight-use-sqoop.md
In this article, you use these two datasets to test Sqoop import and export.
## <a name="create-cluster-and-sql-database"></a>Set up test environment
-The cluster, SQL database, and other objects are created through the Azure portal using an Azure Resource Manager template. The template can be found in [Azure quickstart templates](https://azure.microsoft.com/resources/templates/101-hdinsight-linux-with-sql-database/). The Resource Manager template calls a bacpac package to deploy the table schemas to a SQL database. The bacpac package is located in a public blob container, https://hditutorialdata.blob.core.windows.net/usesqoop/SqoopTutorial-2016-2-23-11-2.bacpac. If you want to use a private container for the bacpac files, use the following values in the template:
+The cluster, SQL database, and other objects are created through the Azure portal using an Azure Resource Manager template. The template can be found in [Azure quickstart templates](https://azure.microsoft.com/resources/templates/hdinsight-linux-with-sql-database/). The Resource Manager template calls a bacpac package to deploy the table schemas to a SQL database. The bacpac package is located in a public blob container, https://hditutorialdata.blob.core.windows.net/usesqoop/SqoopTutorial-2016-2-23-11-2.bacpac. If you want to use a private container for the bacpac files, use the following values in the template:
```json "storageKeyType": "Primary",
Now you've learned how to use Sqoop. To learn more, see:
* [Use Apache Hive with HDInsight](./hdinsight-use-hive.md) * [Upload data to HDInsight](../hdinsight-upload-data.md): Find other methods for uploading data to HDInsight/Azure Blob storage.
-* [Use Apache Sqoop to import and export data between Apache Hadoop on HDInsight and SQL Database](./apache-hadoop-use-sqoop-mac-linux.md)
+* [Use Apache Sqoop to import and export data between Apache Hadoop on HDInsight and SQL Database](./apache-hadoop-use-sqoop-mac-linux.md)
hdinsight Apache Hbase Provision Vnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/hbase/apache-hbase-provision-vnet.md
In this section, you create a Linux-based Apache HBase cluster with the dependen
> > `CLUSTERNAME` is replaced with the cluster name you provide when using the template.
-1. Select the following image to open the template in the Azure portal. The template is located in [Azure quickstart templates](https://azure.microsoft.com/resources/templates/101-hdinsight-hbase-linux-vnet/).
+1. Select the following image to open the template in the Azure portal. The template is located in [Azure quickstart templates](https://azure.microsoft.com/resources/templates/hdinsight-hbase-linux-vnet/).
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-hdinsight-hbase-linux-vnet%2Fazuredeploy.json" target="_blank"><img src="./media/apache-hbase-provision-vnet/hdi-deploy-to-azure1.png" alt="Deploy to Azure button for new cluster"></a>
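Review bot: Only the link text is updated in this hunk. The Deploy to Azure button on the next line still points at `...%2Fmaster%2F101-hdinsight-hbase-linux-vnet%2Fazuredeploy.json`, the old `101-` path, while other files in this update reference templates under `quickstarts/microsoft.hdinsight/`. Check that the button URL still resolves and update it in the same change. It also deploys from the `master` branch, so what a reader deploys can change without this article changing. Consider noting that, or pointing readers to review the template first.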
hdinsight Quickstart Resource Manager Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/hbase/quickstart-resource-manager-template.md
If you don't have an Azure subscription, create a [free account](https://azure.m
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-hdinsight-hbase-linux/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/hdinsight-hbase-linux/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.hdinsight/hdinsight-hbase-linux/azuredeploy.json":::
hdinsight Hdinsight Create Virtual Network https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/hdinsight-create-virtual-network.md
The examples in this section demonstrate how to create network security group ru
The following Resource Management template creates a virtual network that restricts inbound traffic, but allows traffic from the IP addresses required by HDInsight. This template also creates an HDInsight cluster in the virtual network.
-* [Deploy a secured Azure Virtual Network and an HDInsight Hadoop cluster](https://azure.microsoft.com/resources/templates/101-hdinsight-secure-vnet/)
+* [Deploy a secured Azure Virtual Network and an HDInsight Hadoop cluster](https://azure.microsoft.com/resources/templates/hdinsight-secure-vnet/)
### Azure PowerShell
hdinsight Hdinsight Hadoop Linux Use Ssh Unix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/hdinsight-hadoop-linux-use-ssh-unix.md
You're prompted for information during the key creation process. For example, wh
| Azure portal | Uncheck __Use cluster login password for SSH__, and then select __Public Key__ as the SSH authentication type. Finally, select the public key file or paste the text contents of the file in the __SSH public key__ field.</br>:::image type="content" source="./media/hdinsight-hadoop-linux-use-ssh-unix/create-hdinsight-ssh-public-key.png" alt-text="SSH public key dialog in HDInsight cluster creation"::: | | Azure PowerShell | Use the `-SshPublicKey` parameter of the [New-AzHdinsightCluster](/powershell/module/az.hdinsight/new-azhdinsightcluster) cmdlet and pass the contents of the public key as a string.| | Azure CLI | Use the `--sshPublicKey` parameter of the [`az hdinsight create`](/cli/azure/hdinsight#az_hdinsight_create) command and pass the contents of the public key as a string. |
-| Resource Manager Template | For an example of using SSH keys with a template, see [Deploy HDInsight on Linux with SSH key](https://azure.microsoft.com/resources/templates/quickstarts/microsoft.hdinsight/hdinsight-linux-ssh-publickey/). The `publicKeys` element in the [azuredeploy.json](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.hdinsight/hdinsight-linux-ssh-publickey/azuredeploy.json) file is used to pass the keys to Azure when creating the cluster. |
+| Resource Manager Template | For an example of using SSH keys with a template, see [Deploy HDInsight on Linux with SSH key](https://azure.microsoft.com/resources/templates/hdinsight-linux-ssh-publickey/). The `publicKeys` element in the [azuredeploy.json](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.hdinsight/hdinsight-linux-ssh-publickey/azuredeploy.json) file is used to pass the keys to Azure when creating the cluster. |
## Authentication: Password
SSH accounts can be secured using a password. When you connect to HDInsight usin
| Azure portal | By default, the SSH user account has the same password as the cluster login account. To use a different password, uncheck __Use cluster login password for SSH__, and then enter the password in the __SSH password__ field.</br>:::image type="content" source="./media/hdinsight-hadoop-linux-use-ssh-unix/create-hdinsight-ssh-password.png" alt-text="SSH password dialog in HDInsight cluster creation":::| | Azure PowerShell | Use the `--SshCredential` parameter of the [New-AzHdinsightCluster](/powershell/module/az.hdinsight/new-azhdinsightcluster) cmdlet and pass a `PSCredential` object that contains the SSH user account name and password. | | Azure CLI | Use the `--ssh-password` parameter of the [`az hdinsight create`](/cli/azure/hdinsight#az_hdinsight_create) command and provide the password value. |
-| Resource Manager Template | For an example of using a password with a template, see [Deploy HDInsight on Linux with SSH password](https://azure.microsoft.com/resources/templates/101-hdinsight-linux-ssh-password/). The `linuxOperatingSystemProfile` element in the [azuredeploy.json](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.hdinsight/hdinsight-linux-ssh-password/azuredeploy.json) file is used to pass the SSH account name and password to Azure when creating the cluster.|
+| Resource Manager Template | For an example of using a password with a template, see [Deploy HDInsight on Linux with SSH password](https://azure.microsoft.com/resources/templates/hdinsight-linux-ssh-password/). The `linuxOperatingSystemProfile` element in the [azuredeploy.json](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.hdinsight/hdinsight-linux-ssh-password/azuredeploy.json) file is used to pass the SSH account name and password to Azure when creating the cluster.|
### Change the SSH password
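Review bot: In the Authentication: Password table, the Azure PowerShell row in the context just above this change gives the parameter as `--SshCredential`. PowerShell parameters take a single dash, as the public-key table's `-SshPublicKey` row already does. Since this edit touches the same table, change it to `-SshCredential` in the same commit.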
hdinsight Quickstart Resource Manager Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/interactive-query/quickstart-resource-manager-template.md
If you don't have an Azure subscription, create a [free account](https://azure.m
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-hdinsight-interactive-hive/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/hdinsight-interactive-hive/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.hdinsight/hdinsight-interactive-hive/azuredeploy.json":::
hdinsight Apache Kafka Quickstart Resource Manager Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/kafka/apache-kafka-quickstart-resource-manager-template.md
If you don't have an Azure subscription, create a [free account](https://azure.m
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-hdinsight-kafka/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/hdinsight-kafka/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.hdinsight/hdinsight-kafka/azuredeploy.json":::
You can also select the resource group name to open the resource group page, and
In this quickstart, you learned how to create an Apache Kafka cluster in HDInsight using an ARM template. In the next article, you learn how to create an application that uses the Apache Kafka Streams API and run it with Kafka on HDInsight. > [!div class="nextstepaction"]
-> [Use Apache Kafka streams API in Azure HDInsight](./apache-kafka-streams-api.md)
+> [Use Apache Kafka streams API in Azure HDInsight](./apache-kafka-streams-api.md)
hdinsight Quickstart Resource Manager Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/r-server/quickstart-resource-manager-template.md
If you don't have an Azure subscription, create a [free account](https://azure.m
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-hdinsight-rserver/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/hdinsight-rserver/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.hdinsight/hdinsight-rserver/azuredeploy.json":::
hdinsight Apache Spark Jupyter Spark Sql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/spark/apache-spark-jupyter-spark-sql.md
If you don't have an Azure subscription, create a [free account](https://azure.m
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-hdinsight-spark-linux).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/hdinsight-spark-linux/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.hdinsight/hdinsight-spark-linux/azuredeploy.json":::
healthcare-apis Carin Implementation Guide Blue Button Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/healthcare-apis/fhir/carin-implementation-guide-blue-button-tutorial.md
+
+ Title: Tutorial - CARIN Implementation Guide for Blue Button&#174; - Azure API for FHIR
+description: This tutorial walks through the steps of setting up the Azure API for FHIR to pass the Touchstone tests for the CARIN Implementation Guide for Blue Button (C4BB IG).
+++++++ Last updated : 05/27/2021++
+# CARIN Implementation Guide for Blue Button&#174;
+
+In this tutorial, we'll walk through setting up the Azure API for FHIR to pass the [Touchstone](https://touchstone.aegis.net/touchstone/) tests for the [CARIN Implementation Guide for Blue Button ](https://build.fhir.org/ig/HL7/carin-bb/https://docsupdatetracker.net/index.html) (C4BB IG).
+
+## Touchstone capability statement
+
+The first test that we'll focus on is testing the Azure API for FHIR against the [C4BB IG capability statement](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/CARIN/CARIN-4-BlueButton/00-Capability&activeOnly=false&contentEntry=TEST_SCRIPTS). If you run this test against the Azure API for FHIR without any updates, the test will fail due to missing search parameters and missing profiles.
++
+### Define search parameters
+
+As part of the C4BB IG, you'll need to define three [new search parameters](how-to-do-custom-search.md) for the `ExplanationOfBenefit` resource. Two of these are tested in the capability statement (type and service-date), and one is needed for `_include` searches (insurer).
+
+* [type](https://build.fhir.org/ig/HL7/carin-bb/SearchParameter-explanationofbenefit-type.json)
+* [service-date](https://build.fhir.org/ig/HL7/carin-bb/SearchParameter-explanationofbenefit-service-date.json)
+* [insurer](https://build.fhir.org/ig/HL7/carin-bb/SearchParameter-explanationofbenefit-insurer.json)
+
+> [!NOTE]
+> In the raw JSON for these search parameters, the name is set to `ExplanationOfBenefit_<SearchParameter Name>`. The Touchstone test is expecting that the name for these will be **type**, **service-date**, and **insurer**.
+
+The rest of the search parameters needed for the C4BB IG are defined by the base specification and are already available in the Azure API for FHIR without any additional updates.
+
+### Store profiles
+
+Outside of defining search parameters, the other update you need to make to pass this test is to load the [required profiles](validation-against-profiles.md). There are eight profiles defined within the C4BB IG.
+
+* [C4BB Coverage](https://build.fhir.org/ig/HL7/carin-bb/StructureDefinition-C4BB-Coverage.html)
+
+* [C4BB ExplanationOfBenefit Inpatient Institutional](https://build.fhir.org/ig/HL7/carin-bb/StructureDefinition-C4BB-ExplanationOfBenefit-Inpatient-Institutional.html)
+
+* [C4BB ExplanationOfBenefit Outpatient Institutional](https://build.fhir.org/ig/HL7/carin-bb/StructureDefinition-C4BB-ExplanationOfBenefit-Outpatient-Institutional.html)
+
+* [C4BB ExplanationOfBenefit Pharmacy](https://build.fhir.org/ig/HL7/carin-bb/StructureDefinition-C4BB-ExplanationOfBenefit-Pharmacy.html)
+
+* [C4BB ExplanationOfBenefit Professional NonClinician](https://build.fhir.org/ig/HL7/carin-bb/StructureDefinition-C4BB-ExplanationOfBenefit-Professional-NonClinician.html)
+
+* [C4BB Organization](https://build.fhir.org/ig/HL7/carin-bb/StructureDefinition-C4BB-Organization.html)
+
+* [C4BB Patient](https://build.fhir.org/ig/HL7/carin-bb/StructureDefinition-C4BB-Patient.html)
+
+* [C4BB Practitioner](https://build.fhir.org/ig/HL7/carin-bb/StructureDefinition-C4BB-Practitioner.html)
+
+### Sample rest file
+
+To assist with creation of these search parameters and profiles, we have a [sample http file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/C4BB/C4BB.http) that includes all the steps outlined above in a single file. Once you've uploaded all the necessary profiles and search parameters, you can run the capability statement test in Touchstone.
++
+## Touchstone read test
+
+After testing the capabilities statement, we will test the [read capabilities](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/CARIN/CARIN-4-BlueButton/01-Read&activeOnly=false&contentEntry=TEST_SCRIPTS) of the Azure API for FHIR against the C4BB IG. This test is testing conformance against the eight profiles you loaded in the first test. You will need to have resources loaded that conform to the profiles. The best path would be to test against resources that you already have in your database, but we also have an [http file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/C4BB/C4BB_Sample_Resources.http) available with sample resources pulled from the examples in the IG that you can use to create the resources and test against.
++
+## Touchstone EOB query test
+
+The next test we'll review is the [EOB query test](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/CARIN/CARIN-4-BlueButton/02-EOBQuery&activeOnly=false&contentEntry=TEST_SCRIPTS). If you've already completed the Read test, you have all the data loaded that you'll need. This test validates that you can search for specific patients and explanation of benefits resources using various parameters.
++
+## Touchstone error handling test
+
+The final test we'll walk through is testing [error handling](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/CARIN/CARIN-4-BlueButton/99-ErrorHandling&activeOnly=false&contentEntry=TEST_SCRIPTS). The only step you need to do is delete an ExplanationOfBenefit resource from your database and use the ID of the delete ExplanationOfBenfit resource in the test.
+++
+## Next steps
+
+In this tutorial, we walked through how to pass the CARIN IG for Blue Button tests in Touchstone. Next, you can review how to test the Da Vinci formulary tests.
+
+>[!div class="nextstepaction"]
+>[DaVinci Drug Formulary](davinci-drug-formulary-tutorial.md)
+
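Review bot: The note under "Define search parameters" says the raw JSON sets the name to `ExplanationOfBenefit_<SearchParameter Name>` while Touchstone expects **type**, **service-date** and **insurer**, but it never tells the reader what to do about the mismatch. State the action explicitly, for example that the name has to be edited before the search parameter is posted, if that is what the sample http file does. In the error handling section, "the ID of the delete ExplanationOfBenfit resource" should read "the ID of the deleted `ExplanationOfBenefit` resource". The heading "Sample rest file" also names what the body calls an http file, so pick one term.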
healthcare-apis Cms Tutorial Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/healthcare-apis/fhir/cms-tutorial-introduction.md
+
+ Title: Tutorial - Centers for Medicare and Medicaid Services (CMS) introduction - Azure API for FHIR
+description: This overview introduces a series of tutorials that pertains to the Center for Medicare and Medicaid Services (CMS) Interoperability and Patient Access rule.
+++++++ Last updated : 05/27/2021++
+# Centers for Medicare and Medicaid Services (CMS) Interoperability and Patient Access rule introduction
+
+In this series of tutorials, we'll cover a high-level summary of the Center for Medicare and Medicaid Services (CMS) Interoperability and Patient Access rule, and the technical requirements outlined in this rule. We'll walk through the various implementation guides referenced for this rule. We'll also provide details on how to configure the Azure API for FHIR to support these implementation guides.
++
+## Rule overview
+
+The CMS released the [Interoperability and Patient Access rule](https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index) on May 1, 2020. This rule ensures free and secure data flow between all parties involved in patient care (patients, providers, and payers) to allow patients to access their health information when they need it. Interoperability has plagued the healthcare industry for decades, resulting in siloed data that causes negative health outcomes with higher and unpredictable costs for care. CMS is using their authority to regulate Medicare Advantage (MA), Medicaid, Children's Health Insurance Program (CHIP), and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs) to enforce this rule.
+
+In August 2020, CMS detailed how organizations can meet the mandate. To ensure that data can be exchanged securely and in a standardized manner, CMS identified FHIR version R4 as the foundational standard required for the data exchange.
+
+There are three main pieces to the Interoperability and Patient Access ruling:
+
+* **Patient Access API (Required July 1, 2021)** ΓÇô CMS-regulated payers (as defined above) are required to implement and maintain a secure, standards-based API that allows patients to easily access their claims and encounter information, including cost, as well as a defined subset of their clinical information through third-party applications of their choice.
+
+* **Provider Directory API (Required July 1, 2021)** ΓÇô CMS-regulated payers are required by this portion of the rule to make provider directory information publicly available via a standards-based API. Through making this information available, third-party application developers will be able to create services that help patients find providers for specific care needs and clinicians find other providers for care coordination.
+
+* **Payer-to-Payer Data Exchange (Required January 1, 2022)** ΓÇô CMS-regulated payers are required to exchange certain patient clinical data at the patientΓÇÖs request with other payers. While there's no requirement to follow any kind of standard, applying FHIR to exchange this data is encouraged.
+
+## Key FHIR concepts
+
+As mentioned above, FHIR version R4 is required to meet this mandate. In addition, there have been several implementation guides developed that provide guidance for the rule. [Implementation guides](https://www.hl7.org/fhir/implementationguide.html) provide extra context on top of the base FHIR specification. This includes defining additional search parameters, profiles, extensions, operations, value sets, and code systems.
+
+The Azure API for FHIR has the following capabilities to help you configure your database for the various implementation guides:
+
+* [Support for RESTful interactions](fhir-features-supported.md)
+* [Storing and validating profiles](validation-against-profiles.md)
+* [Defining and indexing custom search parameters](how-to-do-custom-search.md)
+* [Converting data](convert-data.md)
+
+## Patient Access API Implementation Guides
+
+The Patient Access API describes adherence to four FHIR implementation guides.
+
+### [CARIN IG for Blue Button®](http://hl7.org/fhir/us/carin-bb/STU1/https://docsupdatetracker.net/index.html):
+
+Payers are required to make patients' claims and encounters data available according to the CARIN IG for Blue Button Implementation Guide (C4BB IG). The C4BB IG provides a set of resources that payers can display to consumers via a FHIR API and includes the details required for claims data in the Interoperability and Patient Access API. This implementation guide uses the ExplanationOfBenefit (EOB) Resource as the main resource, pulling in other resources as they are referenced.
+
+### [HL7 FHIR Da Vinci PDex IG](http://hl7.org/fhir/us/davinci-pdex/STU1/https://docsupdatetracker.net/index.html)
+
+The Payer Data Exchange Implementation Guide (PDex IG) is focused on ensuring that payers provide all relevant patient clinical data to meet the requirements for the Patient Access API. This uses the US Core profiles on R4 Resources and includes (at a minimum) encounters, providers, organizations, locations, dates of service, diagnoses, procedures, and observations. While this data may be available in FHIR format, it may also come from other systems in the format of claims data, HL7 V2 messages, and C-CDA documents.
+
+### [HL7 US Core IG](https://www.hl7.org/fhir/us/core/toc.html)
+
+The HL7 US Core Implementation Guide (US Core IG) is the backbone for the PDex IG described above. While the PDex IG limits some resources even further than the US Core IG, many resources just follow the standards in the US Core IG.
+
+### [HL7 FHIR Da Vinci - PDex US Drug Formulary IG](http://hl7.org/fhir/us/Davinci-drug-formulary/https://docsupdatetracker.net/index.html)
+
+Part D Medicare Advantage plans have to make formulary information available via the Patient API. They do this using the PDex US Drug Formulary Implementation Guide (USDF IG). The USDF IG defines a FHIR interface to a health insurerΓÇÖs drug formulary information, which is a list of brand-name and generic prescription drugs that a health insurer agrees to pay for. The main use case of this is so that patients can understand if there are alternative drug available to one that has been prescribed to them and to compare drug costs.
+
+## Provider Directory API Implementation Guide
+
+The Provider Directory API describes adherence to one implementation guide.
+
+### [HL7 Da Vinci PDex Plan Network IG](http://build.fhir.org/ig/HL7/davinci-pdex-plan-net/)
+
+This implementation guide defines a FHIR interface to a health insurerΓÇÖs insurance plans, their associated networks, and the organizations and providers that participate in these networks.
+
+## Touchstone
+
+To test adherence to the various implementation guides, [Touchstone](https://touchstone.aegis.net/touchstone/) is a great
+resource. Throughout the upcoming tutorials, we'll focus on ensuring that the Azure API for FHIR is configured to successfully pass various Touchstone tests. The Touchstone site has a lot of great documentation to help you get up and running.
+
+## Next steps
+
+Now that you have a basic understanding of the Interoperability and Patient Access rule, implementation guides, and available testing tool (Touchstone), weΓÇÖll walk through setting up the Azure API for FHIR for the CARIN Blue Button IG.
+
+>[!div class="nextstepaction"]
+>[CARIN Implementation Guide for Blue Button](https://build.fhir.org/ig/HL7/carin-bb/https://docsupdatetracker.net/index.html)
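Review bot: The Next steps paragraph says the following article walks through setting up the Azure API for FHIR for the CARIN Blue Button IG, but the button links to the implementation guide on build.fhir.org rather than to the tutorial. Point it at `carin-implementation-guide-blue-button-tutorial.md`, which is added alongside this article. The description and the first paragraph say "Center for Medicare and Medicaid Services" where the title and H1 say "Centers". The Drug Formulary paragraph has "alternative drug available" for "alternative drugs available" and calls the API the "Patient API" where the rest of the article says "Patient Access API".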
healthcare-apis Davinci Drug Formulary Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/healthcare-apis/fhir/davinci-drug-formulary-tutorial.md
+
+ Title: Tutorial - DaVinci Drug Formulary - Azure API for FHIR
+description: This tutorial walks through setting up the Azure API for FHIR to pass the Touchstone tests against the DaVinci Drug Formulary implementation guide.
+++++++ Last updated : 06/01/2021++
+# DaVinci Drug Formulary
+
+In this tutorial, we'll walk through setting up the Azure API for FHIR to pass the [Touchstone](https://touchstone.aegis.net/touchstone/) tests for the [DaVinci Payer Data Exchange US Drug Formulary Implementation Guide](http://hl7.org/fhir/us/Davinci-drug-formulary/).
+
+## Touchstone capability statement
+
+The first test that we'll focus on is testing the Azure API for FHIR against the [DaVinci Drug Formulary capability
+statement](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/DaVinci/FHIR4-0-1-Test/PDEX/Formulary/00-Capability&activeOnly=false&contentEntry=TEST_SCRIPTS). If you run this test without any updates, the test will fail due to
+missing search parameters and missing profiles.
+
+### Define search parameters
+
+As part of the DaVinci Drug Formulary IG, you'll need to define three [new search parameters](how-to-do-custom-search.md) for the FormularyDrug resource. All three of these are tested in the
+capability statement.
+
+- [DrugTier](http://hl7.org/fhir/us/davinci-drug-formulary/STU1.0.1/SearchParameter-DrugTier.json.html)
+
+- [DrugPlan](http://hl7.org/fhir/us/davinci-drug-formulary/STU1.0.1/SearchParameter-DrugPlan.json.html)
+
+- [DrugName](http://hl7.org/fhir/us/davinci-drug-formulary/STU1.0.1/SearchParameter-DrugName.json.html)
+
+The rest of the search parameters needed for the DaVinci Drug Formulary IG are defined by the base specification and are already available in the Azure API for FHIR without any more updates.
+
+### Store profiles
+
+Outside of defining search parameters, the only other update you need to make to pass this test is to load the [required profiles](validation-against-profiles.md). There are two profiles used as part of the DaVinci Drug Formulary IG.
+
+- [Formulary
+ Drug](http://hl7.org/fhir/us/davinci-drug-formulary/STU1.0.1/StructureDefinition-usdf-FormularyDrug.html)
+
+- [Formulary Coverage
+ Plan](http://hl7.org/fhir/us/davinci-drug-formulary/STU1.0.1/StructureDefinition-usdf-CoveragePlan.html)
+
+### Sample rest file
+
+To assist with creation of these search parameters and profiles, we have the [DaVinci Formulary](https://github.com/microsoft/fhir-server/blob/main/docs/rest/DaVinciFormulary/DaVinciFormulary.http) sample HTTP file on the open-source site that includes all the steps outlined above in a single file. Once you've uploaded all the necessary profiles and search parameters, you can run the capability statement test in Touchstone. You should get a successful run:
++
+## Touchstone query test
+
+The second test is the [query capabilities](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/DaVinci/FHIR4-0-1-Test/PDEX/Formulary/01-Query&activeOnly=false&contentEntry=TEST_SCRIPTS). This test validates that you can search for specific Coverage Plan and Drug resources using various parameters. The best path would be to test against resources that you already have in your database, but we also have the [DaVinciFormulary_Sample_Resources](https://github.com/microsoft/fhir-server/blob/main/docs/rest/DaVinciFormulary/DaVinciFormulary_Sample_Resources.http) HTTP file available with sample resources pulled from the examples in the IG that you can use to create the resources and test against.
++
+## Next steps
+
+In this tutorial, we walked through how to pass the DaVinci Payer Data Exchange US Drug Formulary in Touchstone. Next, you can learn how to test the Da Vinci PDex Implementation Guide in Touchstone.
+
+>[!div class="nextstepaction"]
+>[DaVinci PDex](davinci-pdex-tutorial.md)
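Review bot: "Define search parameters" says the three new search parameters are for the "FormularyDrug resource", while "Store profiles" lists Formulary Drug as one of the two profiles in the IG. Say "profile" there, or name the resource type the parameters are defined on. The article also alternates between "DaVinci" and "Da Vinci" (both appear in the Next steps paragraph), so settle on one spelling across the tutorial series.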
healthcare-apis Davinci Pdex Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/healthcare-apis/fhir/davinci-pdex-tutorial.md
+
+ Title: Tutorial - DaVinci PDex - Azure API for FHIR
+description: This tutorial walks through setting up the Azure API for FHIR to pass tests for the Da Vinci Payer Data Exchange Implementation Guide.
+++++++ Last updated : 06/02/2021++
+# DaVinci PDex
+
+In this tutorial, we'll walk through setting up the Azure API for FHIR to pass the [Touchstone](https://touchstone.aegis.net/touchstone/) tests for the [Da Vinci Payer Data Exchange Implementation Guide](http://hl7.org/fhir/us/davinci-pdex/toc.html) (PDex IG).
+
+> [!NOTE]
+> For all these tests, we'll run them against the JSON tests. The Azure API for FHIR supports both JSON and XML, but it doesnΓÇÖt have separate endpoints to access JSON or XML. Because of this, all the XML tests will fail. If you want to view the capability statement in XML you simply pass the \_format parameter: \`GET
+{fhirurl}/metadata?\_format=xml\`
+
+## Touchstone capability statement
+
+The first set of tests that we'll focus on is testing the Azure API for FHIR against the PDex IG capability statement. These tests have three validation processes:
+
+* The first test just validates the basic capability statement against the IG requirements and will pass without any updates.
+
+* The second test validates all the profiles have been added for US Core. This test will pass without updates but will include a bunch of warnings. To have these warnings removed, you need to [load the US Core profiles](validation-against-profiles.md). We've created a [sample HTTP file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/PayerDataExchange/USCore.http) that walks through creating all the profiles. You can also get the [profiles](http://hl7.org/fhir/us/core/STU3.1.1/profiles.html#profiles) from the HL7 site directly, which will have the most current versions.
+
+* The third test validates that the patient-everything operation is supported. Right now, this test will fail. The operation will be available in mid-June 2021 in the Azure API for FHIR and is available now in the open-source FHIR server on Cosmos DB. However, it is missing from the capability statement, so this test will fail until we release a fix to bug [1989](https://github.com/microsoft/fhir-server/issues/1989).
+
+
+
+## Touchstone $member-match test
+
+The [second test](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/DaVinci/FHIR4-0-1-Test/PDEX/PayerExchange/01-Member-Match&activeOnly=false&contentEntry=TEST_SCRIPTS) in the Payer Data Exchange section tests the existence of the [$member-match operation](http://hl7.org/fhir/us/davinci-hrex/2020Sep/OperationDefinition-member-match.html). You can read more about the $member-match operation in our [$member-match operation overview](tutorial-member-match.md).
+
+In this test, youΓÇÖll need to load some sample data for the test to pass. We have a rest file [here](https://github.com/microsoft/fhir-server/blob/main/docs/rest/PayerDataExchange/membermatch.http) with the patient and coverage linked that you will need for the test. Once this data is loaded, you'll be able to successfully pass this test. If the data is not loaded, you'll receive a 422 response due to not finding an exact match.
++
+## Touchstone patient by reference
+
+The next tests we'll review is the [patient by reference](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/DaVinci/FHIR4-0-1-Test/PDEX/PayerExchange/02-PatientByReference&activeOnly=false&contentEntry=TEST_SCRIPTS) tests. This set of tests validate that you can find a patient based on various search criteria. The best way to test the patient by reference will be to test against your own data, but we have uploaded a [sample resource file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/PayerDataExchange/PDex_Sample_Data.http) that you can load to use as well.
++
+## Touchstone patient/$everything test
+
+The final test we'll walk through is testing patient-everything. For this test, you'll need to load a patient, and then you'll use that patientΓÇÖs ID to test that you can use the $everything operation to pull all data related to the patient.
+
+## Next steps
+
+In this tutorial, we walked through how to pass the Payer Exchange tests in Touchstone. Next, you can learn about all the Azure API for FHIR features.
+
+>[!div class="nextstepaction"]
+>[Supported features](fhir-features-supported.md)
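Review bot: In the opening NOTE, the last line (the one beginning `{fhirurl}/metadata`) has no leading `>`, so it falls outside the note block, and the backticks around the request are escaped, so it will not render as code. Keep `GET {fhirurl}/metadata?_format=xml` on one `>`-prefixed line inside plain backticks. The third capability-statement bullet says the patient-everything operation is not yet available in the Azure API for FHIR, so the "Touchstone patient/$everything test" section should say whether that test can pass today. "The next tests we'll review is" and "This set of tests validate" need number agreement, and the link text "here" for the member-match rest file should describe its target.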
healthcare-apis Patient Everything https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/healthcare-apis/fhir/patient-everything.md
+
+ Title: Use patient-everything in Azure API for FHIR
+description: This article explains how to use the patient-everything operation in the Azure API for FHIR
+++++ Last updated : 06/04/2021+++
+# Patient-everything in FHIR
+
+The [$patient-everything](https://www.hl7.org/fhir/patient-operation-everything.html) operation was created to provide a patient with access to their entire record or for a provider or other user to perform a bulk data download. This operation is used to return all the information related to one or more patients described in the resource or context on which this operation is invoked.
+
+## Use patient-everything
+To call patient-everything, use the following command:
+
+```json
+GET {FHIRURL}/Patient/{ID}/$everything
+```
+The Azure API for FHIR validates that it can find the patient matching the provided patient ID. If a result is found, the response will be a bundle of type ΓÇ£searchsetΓÇ¥ with the following information:
+* [Patient resource](https://www.hl7.org/fhir/patient.html)
+* Resources that are directly referenced by the Patient resource (except link)
+* Resources in the Patient's [compartment](https://www.hl7.org/fhir/compartmentdefinition-patient.html)
+* [Device resources](https://www.hl7.org/fhir/device.html) that reference the Patient resource
+
+
+> [!Note]
+> $patient-everything is available in the Open Source FHIR Server backed by Cosmos DB now and will be available in Azure API for FHIR before July 1st. The capability statement for the FHIR Server is missing support for $patient-everything, which is tracked here: Issue [1989](https://github.com/microsoft/fhir-server/issues/1989).
++
+## Patient-everything parameters
+The Azure API for FHIR supports the following query parameters. All of these parameters are optional:
+
+|Query parameter | Description|
+|--||
+| \_type | Allows you to specify which types of resources will be included in the response. For example, \_type=Encounter would return only `Encounter` resources associated with the patient. |
+| \_since | Will return only resources that have been modified since the time provided. |
+| start | Specifying the start date will pull in resources where there clinical date is after the specified start date. If no start date is provided, all records prior to the end date are in scope. |
+| end | Specifying the end date will pull in resources where there clinical date is before the specified end date. If no end date is provided, all records after the start date are in scope. |
+
+> [!Note]
+> You must specify an ID for a specific patient. If you need all data for all patients, see [$export](export-data.md).
++
+## Examples of $patient-everything
+
+Below are some additional examples of using the $patient-everything operation.
+
+To use $patient-everything to query a patientΓÇÖs ΓÇ£everythingΓÇ¥ between 2010 and 2020, use the following call:
+
+```json
+GET {FHIRURL}/Patient/{ID}/$everything?start=2010&end=2020
+```
+
+To use $patient-everything to query a patientΓÇÖs Observation and Encounter, use the following call:
+```json
+GET {FHIRURL}/Patient/{ID}/$everything_type=Observation,Encounter
+```
+
+To use $patient-everything to query a patientΓÇÖs ΓÇ£everythingΓÇ¥ since 2021-05-27T05:00:00Z, use the following call:
+
+```json
+GET {FHIRURL}/Patient/{ID}/$everything?_since=2021-05-27T05:00:00Z
+```
+
+If a Patient is found for each of these calls, you'll get back a 200 response with a Bundle of the corresponding resources.
+
+## Next step
+Now that you know how to use the patient-everything operation, you can learn about more search options on the overview of search guide.
+
+>[!div class="nextstepaction"]
+>[Overview of FHIR search](overview-of-search.md)
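Review bot: The second example, `GET {FHIRURL}/Patient/{ID}/$everything_type=Observation,Encounter`, is missing the `?` before `_type`, so as written it is a different path rather than a filtered $everything call. It should end in `$everything?_type=Observation,Encounter`. The request lines are fenced as `json` although they are HTTP requests. The `start` and `end` rows say "there clinical date" for "their clinical date". "before July 1st" in the note needs a year, since the PDex tutorial in the same change says mid-June 2021.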
healthcare-apis Tutorial Member Match https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/healthcare-apis/fhir/tutorial-member-match.md
+
+ Title: Tutorial - $member-match operation - Azure API for FHIR
+description: This tutorial introduces the $member-match operation that's defined as part of the Da Vinci Health Record Exchange (HRex).
+++++++ Last updated : 06/01/2021++
+# $member-match operation
+
+[$member-match](http://hl7.org/fhir/us/davinci-hrex/2020Sep/OperationDefinition-member-match.html) is an operation that is defined as part of the Da Vinci Health Record Exchange (HRex). In this guide, we'll walk through what $member-match is and how to use it.
+
+## Overview of $member-match
+
+The $member-match operation was created to help with the payer-to-payer data exchange, by allowing a new payer to get a unique identifier for a patient from the patientΓÇÖs previous payer. The $member-match operation
+requires three pieces of information to be passed in the body of the request:
+
+* Patient demographics
+
+* The old coverage information
+
+* The new coverage information (not required based on our implementation)
+
+After the data is passed in, the Azure API for FHIR validates that it can find a patient that exactly matches the demographics passed in with the old coverage information passed in. If a result is found, the response will be a bundle with the original patient data plus a new identifier added in from the old payer, and the old coverage information.
+
+> [!NOTE]
+> The specification describes passing in and back the new
+coverage information. We've decided to omit that data to keep the results smaller.
+
+## Example of $member-match
+
+To use $member-match, use the following call:
+
+`POST {{fhirurl}}/Patient/$member-match`
+
+You'll need to include a parameters resource in the body that includes the patient, the old coverage, and the new coverage. To see a JSON representation, see [$member-match example request](http://hl7.org/fhir/us/davinci-hrex/2020Sep/Parameters-member-match-in.json.html).
+
+If a single match is found, you'll receive a 200 response with another identifier added:
++
+If the $member-match can't find a unique match, you'll receive a 422 response with an error code.
+
+## Next steps
+
+In this guide, you've learned about the $member-match operation. Next, you can learn about testing the Da Vinci Payer Data Exchange IG in Touchstone, which requires the $member-match operation.
+
+>[!div class="nextstepaction"]
+>[DaVinci PDex](davinci-pdex-tutorial.md)
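Review bot: In "Example of $member-match", the sentence "If a single match is found, you'll receive a 200 response with another identifier added:" ends in a colon with nothing after it, so the sample response it promises is missing. Either add the example Bundle or end the sentence with a period. The overview marks the new coverage information as "not required based on our implementation", yet the example section says the Parameters body "includes the patient, the old coverage, and the new coverage"; say in one place whether callers may omit it. The second line of the `[!NOTE]` ("coverage information. We've decided to omit ...") has no leading `>`, so it falls outside the note block.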
iot-develop Quickstart Device Development https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-device-development.md
The following tutorials are included in the getting started guide:
|Quickstart|Device| ||--| |[Getting started with the Microchip ATSAME54-XPRO Evaluation kit](https://go.microsoft.com/fwlink/p/?linkid=2129537) |[Microchip ATSAME54-XPRO](https://www.microchip.com/developmenttools/productdetails/atsame54-xpro)|
-|[Getting started with the Renesas Starter Kit+ for RX65N-2MB](https://github.com/azure-rtos/getting-started/tree/master/Renesas/RSK_RX65N_2MB) |[Renesas Starter Kit+ for RX65N-2MB](https://www.renesas.com/us/en/products/microcontrollers-microprocessors/rx-32-bit-performance-efficiency-mcus/rx65n-2mb-starter-kit-plus-renesas-starter-kit-rx65n-2mb)|
## Next steps After you complete a device-specific quickstart in this guide, explore the other device-specific articles and samples in the Azure RTOS getting started repo:
iot-develop Quickstart Devkit Mxchip Az3166 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-devkit-mxchip-az3166.md
Keep Termite open to monitor device output in the following steps.
To view the device status in IoT Central portal: 1. From the application dashboard, select **Devices** on the side navigation menu. 1. Confirm that the **Device status** is updated to **Provisioned**.
-1. Confirm that the **Device template** is updated to **Getting Started Guide**.
+1. Confirm that the **Device template** is updated to **MXCHIP Getting Started Guide**.
:::image type="content" source="media/quickstart-devkit-mxchip-az3166/iot-central-device-view-status.png" alt-text="View device status in IoT Central":::
iot-develop Quickstart Devkit Renesas Rx65n 2Mb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-devkit-renesas-rx65n-2mb.md
+
+ Title: Connect a Renesas RX65N-2MB to Azure IoT Central quickstart
+description: Use Azure RTOS embedded software to connect a Renesas RX65N-2MB device to Azure IoT and send telemetry.
+++
+ms.devlang: c
+ Last updated : 06/04/2021++
+# Quickstart: Connect a Renesas Starter Kit+ for RX65N-2MB to IoT Central
+
+**Applies to**: [Embedded device development](about-iot-develop.md#embedded-device-development)<br>
+**Total completion time**: 30 minutes
+
+[![Browse code](media/common/browse-code.svg)](https://github.com/azure-rtos/getting-started/tree/master/Renesas/RSK_RX65N_2MB)
+
+In this quickstart, you use Azure RTOS to connect the Renesas Starter Kit+ for RX65N-2MB (hereafter, the Renesas RX65N) to Azure IoT.
+
+You will complete the following tasks:
+
+* Install a set of embedded development tools for programming a Renesas RX65N in C
+* Build an image and flash it onto the Renesas RX65N
+* Use Azure IoT Central to create cloud components, view properties, view device telemetry, and call direct commands
+
+## Prerequisites
+
+* A PC running Microsoft Windows 10
+* [Git](https://git-scm.com/downloads) for cloning the repository
+* Hardware
+
+ > * The [Renesas Starter Kit+ for RX65N-2MB](https://www.renesas.com/products/microcontrollers-microprocessors/rx-32-bit-performance-efficiency-mcus/rx65n-2mb-starter-kit-plus-renesas-starter-kit-rx65n-2mb) (Renesas RX65N)
+ > * The [Renesas E2 emulator Lite](https://www.renesas.com/software-tool/e2-emulator-lite-rte0t0002lkce00000r)
+ > * 2 USB 2.0 A male to Mini USB male cables
+ > * The included 5V power supply
+ > * Ethernet cable
+ > * Wired Ethernet access
+
+## Prepare the development environment
+
+To set up your development environment, first you clone a GitHub repo that contains all the assets you need for the quickstart. Then you install a set of programming tools.
+
+### Clone the repo for the quickstart
+
+Clone the following repo to download all sample device code, setup scripts, and offline versions of the documentation. If you previously cloned this repo in another quickstart, you don't need to do it again.
+
+To clone the repo, run the following command:
+
+```shell
+git clone --recursive https://github.com/azure-rtos/getting-started.git
+```
+
+### Install the tools
+
+The cloned repo contains a setup script that installs and configures the required tools. If you installed these tools in another embedded device quickstart, you don't need to do it again.
+
+> [!NOTE]
+> The setup script installs the following tools:
+> * [CMake](https://cmake.org): Build
+> * [RX GCC](http://gcc-renesas.com/downloads/get.php?f=rx/8.3.0.202004-gnurx/gcc-8.3.0.202004-GNURX-ELF.exe): Compile
+> * [Termite](https://www.compuphase.com/software_termite.htm): Monitor serial port output for connected devices
+
+To install the tools:
+
+1. From File Explorer, navigate to the following path in the repo and run the setup script named *get-toolchain.bat*:
+
+ > *getting-started\tools\get-toolchain.bat*
+
+1. Add the RX compiler to the Windows Path:
+
+ > *%USERPROFILE%\AppData\Roaming\GCC for Renesas RX 8.3.0.202004-GNURX-ELF\rx-elf\rx-elf\bin*
+
+1. After the installation, open a new console window to recognize the configuration changes made by the setup script. Use this console to complete the remaining programming tasks in the quickstart. You can use Windows CMD, PowerShell, or Git Bash for Windows.
+1. Run the following commands to confirm that CMake version 3.14 or later is installed and the RX compiler path is set up correctly.
+
+ ```shell
+ cmake --version
+ rx-elf-gcc
+ ```
+To install the remaining tools:
+
+* Install [Renesas Flash Programmer](https://www.renesas.com/software-tool/renesas-flash-programmer-programming-gui). The Renesas Flash Programmer contains the drivers and tools needed to flash the Renesas RX65N via the Renesas E2 Lite.
++
+## Prepare the device
+
+To connect the Renesas RX65N to Azure, you'll modify a configuration file for Wi-Fi and Azure IoT settings, rebuild the image, and flash the image to the device.
+
+### Add configuration
+
+1. Open the following file in a text editor:
+
+ > *getting-started\Renesas\RSK_RX65N_2MB\app\azure_config.h*
+
+1. Set the Azure IoT device information constants to the values that you saved after you created Azure resources.
+
+ |Constant name|Value|
+ |-|--|
+ |`IOT_DPS_ID_SCOPE` |{*Your ID scope value*}|
+ |`IOT_DPS_REGISTRATION_ID` |{*Your Device ID value*}|
+ |`IOT_DEVICE_SAS_KEY` |{*Your Primary key value*}|
+
+1. Save and close the file.
+
+### Build the image
+
+In your console or in File Explorer, run the script *rebuild.bat* at the following path to build the image:
+
+> *getting-started\Renesas\RSK_RX65N_2MB\tools\rebuild.bat*
+
+After the build completes, confirm that the binary file was created in the following path:
+
+> *getting-started\Renesas\RSK_RX65N_2MB\build\app\rx65n_azure_iot.hex*
+
+### Connect the device
+
+> [!NOTE]
+> For more information about setting up and getting started with the Renesas RX65N, see [Renesas Starter Kit+ for RX65N-2MB Quick Start](https://www.renesas.com/document/man/e2studio-renesas-starter-kit-rx65n-2mb-quick-start-guide).
+
+1. Complete the following steps using the following image as a reference.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-2mb/renesas-rx65n.jpg" alt-text="Locate reset, power, ethernet, USB, and E1/E2Lite on the Renesas RX65N board":::
+
+1. Using the 5V power supply, connect the **Power Input** on the Renesas RX65N to an electrical outlet.
+
+1. Using the Ethernet cable, connect the **Ethernet** on the Renesas RX65N to your router.
+
+1. Using the first Mini USB cable, connect the **USB Serial** on the Renesas RX65N to your computer.
+
+1. Using the second Mini USB cable, connect the **E2 Lite USB Serial** on the Renesas E2 Lite to your computer.
+
+1. Using the supplied ribbon cable, connect the **E1/E2Lite** on the Renesas RX65N to the Renesas E2 Lite.
+
+### Flash the image
+
+1. Launch the *Renesas Flash Programmer* application from the Start menu.
+
+2. Select *New Project...* from the *File* menu, and enter the following settings:
+ * **Microcontroller**: RX65x
+ * **Project Name**: RX65N
+ * **Tool**: E2 emulator Lite
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-2mb/rfp-new.png" alt-text="Renesas Flash Programmer, New Project":::
+
+3. Select the *Tool Details* button, and navigate to the *Reset Settings* tab.
+
+4. Select *Reset Pin as Hi-Z* and press the *OK* button.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-2mb/rfp-reset.png" alt-text="Renesas Flash Programmer, Reset Settings":::
+
+5. Press the *Connect* button and when prompted, check the *Auto Authentication* checkbox and then press *OK*.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-2mb/rfp-auth.png" alt-text="Renesas Flash Programmer, Authentication":::
+
+6. Select the *Browse...* button and locate the *rx65n_azure_iot.hex* file created in the previous section.
+
+7. Press *Start* to begin flashing. This process will take approximately 10 seconds.
+
+### Confirm device connection details
+
+You can use the **Termite** app to monitor communication and confirm that your device is set up correctly.
+> [!TIP]
+> If you have issues getting your device to initialize or connect after flashing, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+
+1. Start **Termite**.
+1. Select **Settings**.
+1. In the **Serial port settings** dialog, check the following settings and update if needed:
+ * **Baud rate**: 115,200
+ * **Port**: The port that your Renesas RX65N is connected to. If there are multiple port options in the dropdown, you can find the correct port to use. Open Windows **Device Manager**, and view **Ports** to identify which port to use.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-2mb/termite-settings.png" alt-text="Confirm settings in the Termite app":::
+
+1. Select OK.
+1. Press the **Reset** button on the device.
+1. In the **Termite** app, check the following checkpoint values to confirm that the device is initialized and connected to Azure IoT.
+
+ ```output
+ Starting Azure thread
+
+ Initializing DHCP
+ IP address: 10.0.0.81
+ Mask: 255.255.255.0
+ Gateway: 10.0.0.1
+ SUCCESS: DHCP initialized
+
+ Initializing DNS client
+ DNS address: 10.0.0.1
+ SUCCESS: DNS client initialized
+
+ Initializing SNTP client
+ SNTP server 0.pool.ntp.org
+ SNTP IP address: 104.194.242.237
+ SNTP time update: May 28, 2021 22:53:27.54 UTC
+ SUCCESS: SNTP initialized
+
+ Initializing Azure IoT DPS client
+ DPS endpoint: global.azure-devices-provisioning.net
+ DPS ID scope: ***
+ Registration ID: mydevice
+ SUCCESS: Azure IoT DPS client initialized
+
+ Initializing Azure IoT Hub client
+ Hub hostname: ***.azure-devices.net
+ Device id: mydevice
+ Model id: dtmi:azurertos:devkit:gsg;1
+ Connected to IoT Hub
+ SUCCESS: Azure IoT Hub client initialized
+ ```
+
+Keep Termite open to monitor device output in the following steps.
+
+## Verify the device status
+
+To view the device status in IoT Central portal:
+1. From the application dashboard, select **Devices** on the side navigation menu.
+1. Confirm that the **Device status** is updated to **Provisioned**.
+1. Confirm that the **Device template** is updated to **Getting Started Guide**.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-2mb/iot-central-device-view-status.png" alt-text="View device status in IoT Central":::
+
+## View telemetry
+
+With IoT Central, you can view the flow of telemetry from your device to the cloud.
+
+To view telemetry in IoT Central portal:
+
+1. From the application dashboard, select **Devices** on the side navigation menu.
+1. Select the device from the device list.
+1. View the telemetry as the device sends messages to the cloud in the **Overview** tab.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-2mb/iot-central-device-telemetry.png" alt-text="View device telemetry in IoT Central":::
+
+ > [!NOTE]
+ > You can also monitor telemetry from the device by using the Termite app.
+
+## Call a direct method on the device
+
+You can also use IoT Central to call a direct method that you've implemented on your device. Direct methods have a name, and can optionally have a JSON payload, configurable connection, and method timeout. In this section, you call a method that enables you to turn an LED on or off.
+
+To call a method in IoT Central portal:
+
+1. Select the **Command** tab from the device page.
+1. In the **State** dropdown, select **True**, and then select **Run**. The LED light should turn on.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-2mb/iot-central-invoke-method.png" alt-text="Call a direct method on a device":::
+
+1. In the **State** dropdown, select **False**, and then select **Run**. The LED light should turn off.
+
+## View device information
+
+You can view the device information from IoT Central.
+
+Select **About** tab from the device page.
++
+## Troubleshoot
+
+If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+
+## Clean up resources
+
+If you no longer need the Azure resources created in this quickstart, you can delete them from the IoT Central portal.
+
+To remove the entire Azure IoT Central sample application and all its devices and resources:
+1. Select **Administration** > **Your application**.
+1. Select **Delete**.
+
+## Next steps
+
+In this quickstart, you built a custom image that contains Azure RTOS sample code, and then flashed the image to the Renesas RX65N device. You also used the IoT Central portal to create Azure resources, connect the Renesas RX65N securely to Azure, view telemetry, and send messages.
+
+As a next step, explore the following articles to learn more about using the IoT device SDKs to connect devices to Azure IoT.
+
+> [!div class="nextstepaction"]
+> [Connect a simulated device to IoT Central](quickstart-send-telemetry-central.md)
+> [!div class="nextstepaction"]
+> [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)
+
+> [!IMPORTANT]
+> Azure RTOS provides OEMs with components to secure communication and to create code and data isolation using underlying MCU/MPU hardware protection mechanisms. However, each OEM is ultimately responsible for ensuring that their device meets evolving security requirements.
+
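Review bot: The RX GCC entry in the "Install the tools" note links to the installer over plain `http://` (`http://gcc-renesas.com/downloads/get.php?...GNURX-ELF.exe`), so a reader who follows it downloads an executable with no transport integrity. Use an `https://` URL if the site serves one, or give a checksum to verify the download against. In the verification step, `rx-elf-gcc` is run without `--version`, unlike the Cloud Kit quickstart added in this same batch; with no arguments GCC reports a missing-input error instead of confirming the install. "Prepare the device" says the configuration file holds "Wi-Fi and Azure IoT settings", but this board uses wired Ethernet and the table lists only the three `IOT_` constants. Please also confirm the device template name "Getting Started Guide" under "Verify the device status": the MXCHIP quickstart in this batch was changed away from that exact string to a device-specific name.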
iot-develop Quickstart Devkit Renesas Rx65n Cloud Kit https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-devkit-renesas-rx65n-cloud-kit.md
+
+ Title: Connect a Renesas RX65N Cloud Kit to Azure IoT Central quickstart
+description: Use Azure RTOS embedded software to connect a Renesas RX65N Cloud kit device to Azure IoT and send telemetry.
+++
+ms.devlang: c
+ Last updated : 06/04/2021++
+# Quickstart: Connect a Renesas RX65N Cloud Kit to IoT Central
+
+**Applies to**: [Embedded device development](about-iot-develop.md#embedded-device-development)<br>
+**Total completion time**: 30 minutes
+
+[![Browse code](media/common/browse-code.svg)](https://github.com/azure-rtos/getting-started/tree/master/Renesas/RX65N_Cloud_Kit)
+
+In this quickstart, you use Azure RTOS to connect the Renesas RX65N Cloud Kit (hereafter, the Renesas RX65N) to Azure IoT.
+
+You will complete the following tasks:
+
+* Install a set of embedded development tools for programming a Renesas RX65N in C
+* Build an image and flash it onto the Renesas RX65N
+* Use Azure IoT Central to create cloud components, view properties, view device telemetry, and call direct commands
+
+## Prerequisites
+
+* A PC running Microsoft Windows 10
+* [Git](https://git-scm.com/downloads) for cloning the repository
+* Hardware
+
+ > * The [Renesas RX65N Cloud Kit](https://www.renesas.com/products/microcontrollers-microprocessors/rx-32-bit-performance-efficiency-mcus/rx65n-cloud-kit-renesas-rx65n-cloud-kit) (Renesas RX65N)
+ > * 2 USB 2.0 A male to Mini USB male cables
+ > * WiFi 2.4 GHz
+
+## Prepare the development environment
+
+To set up your development environment, first you clone a GitHub repo that contains all the assets you need for the quickstart. Then you install a set of programming tools.
+
+### Clone the repo for the quickstart
+
+Clone the following repo to download all sample device code, setup scripts, and offline versions of the documentation. If you previously cloned this repo in another quickstart, you don't need to do it again.
+
+To clone the repo, run the following command:
+
+```shell
+git clone --recursive https://github.com/azure-rtos/getting-started.git
+```
+
+### Install the tools
+
+The cloned repo contains a setup script that installs and configures the required tools. If you installed these tools in another embedded device quickstart, you don't need to do it again.
+
+> [!NOTE]
+> The setup script installs the following tools:
+> * [CMake](https://cmake.org): Build
+> * [RX GCC](http://gcc-renesas.com/downloads/get.php?f=rx/8.3.0.202004-gnurx/gcc-8.3.0.202004-GNURX-ELF.exe): Compile
+> * [Termite](https://www.compuphase.com/software_termite.htm): Monitor serial port output for connected devices
+
+To install the tools:
+
+1. From File Explorer, navigate to the following path in the repo and run the setup script named *get-toolchain-rx.bat*:
+
+ > *getting-started\tools\get-toolchain-rx.bat*
+
+1. Add the RX compiler to the Windows Path:
+
+ > *%USERPROFILE%\AppData\Roaming\GCC for Renesas RX 8.3.0.202004-GNURX-ELF\rx-elf\rx-elf\bin*
+
+1. After the installation, open a new console window to recognize the configuration changes made by the setup script. Use this console to complete the remaining programming tasks in the quickstart. You can use Windows CMD, PowerShell, or Git Bash for Windows.
+1. Run the following commands to confirm that CMake version 3.14 or later is installed and the RX compiler path is set up correctly.
+
+ ```shell
+ cmake --version
+ rx-elf-gcc --version
+ ```
+To install the remaining tools:
+
+* Install [Renesas Flash Programmer](https://www.renesas.com/software-tool/renesas-flash-programmer-programming-gui). The Renesas Flash Programmer contains the drivers and tools needed to flash the Renesas RX65N via the Renesas E2 Lite.
++
+## Prepare the device
+
+To connect the Renesas RX65N to Azure, you'll modify a configuration file for Wi-Fi and Azure IoT settings, rebuild the image, and flash the image to the device.
+
+### Add configuration
+
+1. Open the following file in a text editor:
+
+ > *getting-started\Renesas\RX65N_Cloud_Kit\app\azure_config.h*
+
+1. Set the Wi-Fi constants to the following values from your local environment.
+
+ |Constant name|Value|
+ |-|--|
+ |`WIFI_SSID` |{*Your Wi-Fi ssid*}|
+ |`WIFI_PASSWORD` |{*Your Wi-Fi password*}|
+ |`WIFI_MODE` |{*One of the enumerated Wi-Fi mode values in the file*}|
+
+1. Set the Azure IoT device information constants to the values that you saved after you created Azure resources.
+
+ |Constant name|Value|
+ |-|--|
+ |`IOT_DPS_ID_SCOPE` |{*Your ID scope value*}|
+ |`IOT_DPS_REGISTRATION_ID` |{*Your Device ID value*}|
+ |`IOT_DEVICE_SAS_KEY` |{*Your Primary key value*}|
+
+1. Save and close the file.
+
+### Build the image
+
+In your console or in File Explorer, run the script *rebuild.bat* at the following path to build the image:
+
+> *getting-started\Renesas\RX65N_Cloud_Kit\tools\rebuild.bat*
+
+After the build completes, confirm that the binary file was created in the following path:
+
+> *getting-started\Renesas\RX65N_Cloud_Kit\build\app\rx65n_azure_iot.hex*
+
+### Connect the device
+
+> [!NOTE]
+> For more information about setting up and getting started with the Renesas RX65N, see [Renesas RX65N Cloud Kit Quick Start](https://www.renesas.com/document/man/quick-start-guide-renesas-rx65n-cloud-kit).
+
+1. Complete the following steps using the following image as a reference.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-cloud-kit/renesas-rx65n.jpg" alt-text="Locate reset, USB, and E1/E2Lite on the Renesas RX65N board":::
+
+1. Remove the **EJ2** link from the board to enable the E2 Lite debugger. The link is located underneath the **USER SW** button.
+ > [!WARNING]
+ > Failure to remove this link will result in being unable to flash the device.
+
+1. Connect the **WiFi module** to the **Cloud Option Board**
+
+1. Using the first Mini USB cable, connect the **USB Serial** on the Renesas RX65N to your computer.
+
+1. Using the second Mini USB cable, connect the **USB E2 Lite** on the Renesas RX65N to your computer.
+
+### Flash the image
+
+1. Launch the *Renesas Flash Programmer* application from the Start menu.
+
+2. Select *New Project...* from the *File* menu, and enter the following settings:
+ * **Microcontroller**: RX65x
+ * **Project Name**: RX65N
+ * **Tool**: E2 emulator Lite
+ * **Interface**: FINE
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-cloud-kit/rfp-new.png" alt-text="Renesas Flash Programmer, New Project":::
+
+3. Select the *Tool Details* button, and navigate to the *Reset Settings* tab.
+
+4. Select *Reset Pin as Hi-Z* and press the *OK* button.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-cloud-kit/rfp-reset.png" alt-text="Renesas Flash Programmer, Reset Settings":::
+
+5. Press the *Connect* button and, when prompted, check the *Auto Authentication* checkbox and then press *OK*.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-cloud-kit/rfp-auth.png" alt-text="Renesas Flash Programmer, Authentication":::
+
+6. Select the *Browse...* button and locate the *rx65n_azure_iot.hex* file created in the previous section.
+
+7. Press *Start* to begin flashing. This process will take approximately 10 seconds.
+
+### Confirm device connection details
+
+You can use the **Termite** app to monitor communication and confirm that your device is set up correctly.
+> [!TIP]
+> If you have issues getting your device to initialize or connect after flashing, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+
+1. Start **Termite**.
+1. Select **Settings**.
+1. In the **Serial port settings** dialog, check the following settings and update if needed:
+ * **Baud rate**: 115,200
+ * **Port**: The port that your Renesas RX65N is connected to. If there are multiple port options in the dropdown, you can find the correct port to use. Open Windows **Device Manager**, and view **Ports** to identify which port to use.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-cloud-kit/termite-settings.png" alt-text="Confirm settings in the Termite app":::
+
+1. Select OK.
+1. Press the **Reset** button on the device.
+1. In the **Termite** app, check the following checkpoint values to confirm that the device is initialized and connected to Azure IoT.
+
+ ```output
+ Starting Azure thread
+
+ Initializing WiFi
+ Connecting to SSID 'iot'
+ SUCCESS: WiFi connected to iot
+
+ Initializing DHCP
+ IP address: 192.168.0.21
+ Gateway: 192.168.0.1
+ SUCCESS: DHCP initialized
+
+ Initializing DNS client
+ DNS address: 75.75.76.76
+ SUCCESS: DNS client initialized
+
+ Initializing SNTP client
+ SNTP server 0.pool.ntp.org
+ SNTP IP address: 45.79.214.107
+ SNTP time update: May 21, 2021 20:24:10.76 UTC
+ SUCCESS: SNTP initialized
+
+ Initializing Azure IoT DPS client
+ DPS endpoint: global.azure-devices-provisioning.net
+ DPS ID scope: ***
+ Registration ID: mydevice
+ SUCCESS: Azure IoT DPS client initialized
+
+ Initializing Azure IoT Hub client
+ Hub hostname: ***.azure-devices.net
+ Device id: mydevice
+ Model id: dtmi:azurertos:devkit:gsgrx65ncloud;1
+ Connected to IoT Hub
+ SUCCESS: Azure IoT Hub client initialized
+ ```
+
+Keep Termite open to monitor device output in the following steps.
+
+## Verify the device status
+
+To view the device status in IoT Central portal:
+1. From the application dashboard, select **Devices** on the side navigation menu.
+1. Confirm that the **Device status** is updated to **Provisioned**.
+1. Confirm that the **Device template** is updated to **RX65N Cloud Kit Getting Started Guide**.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-cloud-kit/iot-central-device-view-status.png" alt-text="View device status in IoT Central":::
+
+## View telemetry
+
+With IoT Central, you can view the flow of telemetry from your device to the cloud.
+
+To view telemetry in IoT Central portal:
+
+1. From the application dashboard, select **Devices** on the side navigation menu.
+1. Select the device from the device list.
+1. View the telemetry as the device sends messages to the cloud in the **Overview** tab.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-cloud-kit/iot-central-device-telemetry.png" alt-text="View device telemetry in IoT Central":::
+
+ > [!NOTE]
+ > You can also monitor telemetry from the device by using the Termite app.
+
+## Call a direct method on the device
+
+You can also use IoT Central to call a direct method that you've implemented on your device. Direct methods have a name, and can optionally have a JSON payload, configurable connection, and method timeout. In this section, you call a method that enables you to turn an LED on or off.
+
+To call a method in IoT Central portal:
+
+1. Select the **Command** tab from the device page.
+1. In the **State** dropdown, select **True**, and then select **Run**. The LED light should turn on.
+
+ :::image type="content" source="media/quickstart-devkit-renesas-rx65n-cloud-kit/iot-central-invoke-method.png" alt-text="Call a direct method on a device":::
+
+1. In the **State** dropdown, select **False**, and then select **Run**.. The LED light should turn off.
+
+## View device information
+
+You can view the device information from IoT Central.
+
+Select **About** tab from the device page.
++
+## Troubleshoot
+
+If you experience issues building the device code, flashing the device, or connecting, see [Troubleshooting](https://github.com/azure-rtos/getting-started/blob/master/docs/troubleshooting.md).
+
+## Clean up resources
+
+If you no longer need the Azure resources created in this quickstart, you can delete them from the IoT Central portal.
+
+To remove the entire Azure IoT Central sample application and all its devices and resources:
+1. Select **Administration** > **Your application**.
+1. Select **Delete**.
+
+## Next steps
+
+In this quickstart, you built a custom image that contains Azure RTOS sample code, and then flashed the image to the Renesas RX65N device. You also used the IoT Central portal to create Azure resources, connect the Renesas RX65N securely to Azure, view telemetry, and send messages.
+
+As a next step, explore the following articles to learn more about using the IoT device SDKs to connect devices to Azure IoT.
+
+> [!div class="nextstepaction"]
+> [Connect a simulated device to IoT Central](quickstart-send-telemetry-central.md)
+> [!div class="nextstepaction"]
+> [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)
+
+> [!IMPORTANT]
+> Azure RTOS provides OEMs with components to secure communication and to create code and data isolation using underlying MCU/MPU hardware protection mechanisms. However, each OEM is ultimately responsible for ensuring that their device meets evolving security requirements.
+
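Review bot: The "Add configuration" steps have the reader write `WIFI_PASSWORD` and `IOT_DEVICE_SAS_KEY` in plain text into `azure_config.h` inside the cloned repo, which the build then compiles into `rx65n_azure_iot.hex`, but nothing tells the reader to treat the edited header and the image as secrets. Add a sentence advising not to commit or share either one, and have "Clean up resources" mention removing the values; the same applies to the `IOT_DEVICE_SAS_KEY` step in the RX65N-2MB quickstart. Smaller points: "select **Run**.." has a doubled period in the last step of "Call a direct method on the device", the step "Connect the **WiFi module** to the **Cloud Option Board**" lacks its closing period, and the page spells both "WiFi" and "Wi-Fi".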
iot-develop Quickstart Devkit Stm B L475e https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-develop/quickstart-devkit-stm-b-l475e.md
Title: Connect an ST Microelectronics B-L475E-IOT01A or B-L4S5I-IOTO1A to Azure IoT Central quickstart
-description: Use Azure RTOS embedded software to connect an ST Microelectronics B-L475E-IOT01A or B-L4S5I-IOTO1A device to Azure IoT and send telemetry.
+ Title: Connect an ST Microelectronics B-L475E-IOT01A or B-L4S5I-IOT01A to Azure IoT Central quickstart
+description: Use Azure RTOS embedded software to connect an ST Microelectronics B-L475E-IOT01A or B-L4S5I-IOT01A device to Azure IoT and send telemetry.
Last updated 06/02/2021
-# Quickstart: Connect an ST Microelectronics B-L475E-IOT01A or B-L4S5I-IOTO1A Discovery kit to IoT Central
+# Quickstart: Connect an ST Microelectronics B-L475E-IOT01A or B-L4S5I-IOT01A Discovery kit to IoT Central
**Applies to**: [Embedded device development](about-iot-develop.md#embedded-device-development)<br> **Total completion time**: 30 minutes
machine-learning How To Deploy Azure Container Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-deploy-azure-container-instance.md
For more information on the classes, methods, and parameters used in this exampl
To deploy using the CLI, use the following command. Replace `mymodel:1` with the name and version of the registered model. Replace `myservice` with the name to give this service: ```azurecli-interactive
-az ml model deploy -m mymodel:1 -n myservice -ic inferenceconfig.json -dc deploymentconfig.json
+az ml model deploy -n myservice -m mymodel:1 --ic inferenceconfig.json --dc deploymentconfig.json
``` [!INCLUDE [deploymentconfig](../../includes/machine-learning-service-aci-deploy-config.md)]
See [how to manage resources in VS Code](how-to-manage-resources-vscode.md).
* [Use TLS to secure a web service through Azure Machine Learning](how-to-secure-web-service.md) * [Consume a ML Model deployed as a web service](how-to-consume-web-service.md) * [Monitor your Azure Machine Learning models with Application Insights](how-to-enable-app-insights.md)
-* [Collect data for models in production](how-to-enable-data-collection.md)
+* [Collect data for models in production](how-to-enable-data-collection.md)
machine-learning How To Train With Rest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-train-with-rest.md
API_VERSION="2021-03-01-preview"
Running machine learning jobs requires compute resources. You can list your workspace's compute resources: ```bash
-curl "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/computes?api-version=$API_VERSION \
+curl "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/computes?api-version=$API_VERSION" \
--header "Authorization: Bearer $TOKEN" ```
machine-learning Team Data Science Process For Devops https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/team-data-science-process/team-data-science-process-for-devops.md
The following table provides level-based guidance to help complete the DevOps ob
| | | [This Microsoft Project template provides a time, resources and goals tracking for an Advanced Analytics project](https://buckwoody.wordpress.com/2017/08/17/a-data-science-microsoft-project-template-you-can-use-in-your-solutions/) | Microsoft Project | Intermediate | Understand Project Management Fundamentals | | | | [This Azure Data Catalog tutorial describes a system of registration and discovery for enterprise data assets](../../data-catalog/data-catalog-get-started.md) | Azure Data Catalog | Beginner | Familiarity with Data Sources and Structures | | | | [This Microsoft Virtual Academy course explains how to set up Dev-Test with Visual Studio Codespace and Microsoft Azure](https://mva.microsoft.com/training-courses/dev-test-with-visual-studio-online-and-microsoft-azure-8420?l=P7Ot1TKz_2104984382) | Visual Studio Codespace | Experienced | Software Development, familiarity with Dev/Test environments |
+| | | This Management Pack download for Microsoft System Center contains a Guidelines Document to assist in working with Azure assets | System Center | Intermediate | Experience with System Center for IT Management |
| | | [This document is intended for developer and operations teams to understand the benefits of PowerShell Desired State Configuration](/powershell/scripting/dsc/overview/dscforengineers) | PowerShell DSC | Intermediate | Experience with PowerShell coding, enterprise architectures, scripting | | | Code | [This download also contains documentation on using Visual Studio Codespace Code for creating Data Science and AI applications](https://code.visualstudio.com/) | Visual Studio Codespace | Intermediate | Software Development | | | | [This getting started site teaches you about DevOps and Visual Studio](https://www.visualstudio.com/devops/) | Visual Studio | Beginner | Software Development |
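Review bot: The added System Center row has no hyperlink, unlike every neighbouring row in this table, so "This Management Pack download" points at nothing the reader can open. Either link the description cell to the download page or reword the cell so it no longer refers to "this" download.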
mariadb Quickstart Create Mariadb Server Database Arm Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mariadb/quickstart-create-mariadb-server-database-arm-template.md
An Azure account with an active subscription. [Create one for free](https://azur
You create an Azure Database for MariaDB server with a defined set of compute and storage resources. To learn more, see [Azure Database for MariaDB pricing tiers](concepts-pricing-tiers.md). You create the server within an [Azure resource group](../azure-resource-manager/management/overview.md).
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-managed-mariadb-with-vnet/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/managed-mariadb-with-vnet/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.dbformariadb/managed-mariadb-with-vnet/azuredeploy.json":::
marketplace Create New Saas Offer Plans https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/create-new-saas-offer-plans.md
The actions that are available in the **Action** column of the **Plan overview**
## Before you publish your offer
-If you haven't already done so, create a development and test (DEV) offer to test your offer before publishing your production offer live. To learn more, see [Create a development and test offer](create-saas-dev-test-offer.md).
+If you haven't already done so, create a development and test (DEV) offer to test your offer before publishing your production offer live. To learn more, see [Create a test SaaS offer](create-saas-dev-test-offer.md).
## Next steps
marketplace Create New Saas Offer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/create-new-saas-offer.md
As a commercial marketplace publisher, you can create a software as a service (S
If you havenΓÇÖt already done so, read [Plan a SaaS offer](plan-saas-offer.md). It will explain the technical requirements for your SaaS app, and the information and assets youΓÇÖll need when you create your offer. Unless you plan to publish a simple listing (**Contact me** listing option) in the commercial marketplace, your SaaS application must meet technical requirements around authentication. > [!IMPORTANT]
-> We recommend that you create a separate development/test (DEV) offer and a separate production (PROD) offer. This article describes how to create a PROD offer. For details about creating a DEV offer, see [Create a development and test offer](create-saas-dev-test-offer.md).
+> We recommend that you create a separate development/test (DEV) offer and a separate production (PROD) offer. This article describes how to create a PROD offer. For details about creating a DEV offer, see [Create a test SaaS offer](create-saas-dev-test-offer.md).
## Create a SaaS offer
marketplace Create Saas Dev Test Offer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/create-saas-dev-test-offer.md
Title: Create a test offer
+ Title: Create a test SaaS offer
description: Create a separate development offer for testing your production offer in Azure Marketplace.
Last updated 04/20/2021
-# Create a test offer
+# Create a test SaaS offer
To develop in a separate environment from your production offer, youΓÇÖll create a separate test and development (DEV) offer and a separate production (PROD) offer. For information about the benefits of using a separate DEV offer, see [Plan a SaaS offer](plan-saas-offer.md#test-offer).
marketplace What Is New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/what-is-new.md
Learn about important updates in Microsoft's commercial marketplace program. Thi
| Capabilities | Updated and reorganized the account management documentation to make it easier for independent software vendors (ISVs) to manage their commercial marketplace users and accounts. To learn more, see the following:<ul><li>[Create a new commercial marketplace account](create-account.md)</li><li>[Add new publishers](add-publishers.md)</li><li>[Manage your account](manage-account.md)</li><li>[Switch accounts](switch-accounts.md)</li><li>[Manage tenants](manage-tenants.md)</li><li>[Add and manage users](add-manage-users.md)</li><li>[Assign user roles](user-roles.md)</li><li>[Manage groups](manage-groups.md)</li><li>[Add and manage Azure AD applications](manage-aad-apps.md)</li></ul> | 2021-04-06 | | Capabilities | Reorganized and clarified the [commercial marketplace transact capabilities](marketplace-commercial-transaction-capabilities-and-considerations.md) documentation to help independent software vendors (ISVs) understand the difference between the various transactable and non-transactable options. | 2021-04-06 | | Policies | WeΓÇÖve updated the [commercial marketplace certification policies](/legal/marketplace/certification-policies). | 2021-04-02 |
-| Offers | New guidance for publishers to test their software as a service (SaaS) offers by creating separate development and production offers. To learn more, see [Create a test offer (SaaS)](create-saas-dev-test-offer.md). | 2021-03-25 |
+| Offers | New guidance for publishers to test their software as a service (SaaS) offers by creating separate development and production offers. To learn more, see [Create a test SaaS offer](create-saas-dev-test-offer.md). | 2021-03-25 |
| Co-sell | Improved documentation to help partners use the commercial marketplace to collaboratively sell (co-sell) their offers with Microsoft sales teams. To learn more, see the following topics:<ul><li>[Co-sell with Microsoft sales teams and partners overview](co-sell-overview.md)</li><li>[Co-sell requirements](co-sell-requirements.md)</li><li>[Configure co-sell for a commercial marketplace offer](co-sell-configure.md)</li><li>[Verify co-sell status of a commercial marketplace offer](co-sell-status.md)</li></ul> | 2021-03-17 | |
mysql Quickstart Create Mysql Server Database Using Arm Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/quickstart-create-mysql-server-database-using-arm-template.md
An Azure account with an active subscription. [Create one for free](https://azur
You create an Azure Database for MySQL server with a defined set of compute and storage resources. To learn more, see [Azure Database for MySQL pricing tiers](concepts-pricing-tiers.md). You create the server within an [Azure resource group](../azure-resource-manager/management/overview.md).
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-managed-mysql-with-vnet/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/managed-mysql-with-vnet/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.dbformysql/managed-mysql-with-vnet/azuredeploy.json":::
postgresql Concepts High Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/postgresql/flexible-server/concepts-high-availability.md
Previously updated : 06/04/2021 Last updated : 06/07/2021 # High availability concepts in Azure Database for PostgreSQL - Flexible Server
After the failover, while a new standby server is being provisioned, application
3. Standby server is established in the same zone as the old primary server and the streaming replication is initiated. 4. Once the steady-state replication is established, the client application commits and writes are acknowledged after the data is persisted on both the sites.
-
+## On-demand failover
+
+Flexible server provides two methods for you to perform on-demand failover to the standby server. These are useful if you want to test the failover time and downtime impact for your applications and if you want to failover to the preferred availability zone.
+
+* **Forced failover**: You can use this option to simulate an unplanned outage scenario. This triggers a fault in the primary server and brings the primary server down. Applications loses connectivity to the server. The failover workflow is triggered which initiates the standby promote operation. Once the standby is all caught up with all transactions, it is promoted to be the primary server. DNS records are updated and your application can connect to the promoted primary server. Your application can continue to write to the primary while a new standby server is established in the background.
+
+* **Planned failover**: This option is for failing over to the standby server with reduced downtime. The standby server is first prepared to make sure it is caught up with recent transactions. The standby is then promoted and the connections to the primary is severed. DNS record is updated and the applications can connect to the newly promoted server. Your application can continue to write to the primary while a new standby server is established in the background. As the application continues to write to the primary server while the standby is being prepared, this method of failover provides reduced downtime experience.
+
+>[!NOTE]
+> It is recommended to perform planned failover during low activity period.
+
+>[!IMPORTANT]
+> * Please do not perform immediate, back-to-back failovers. Wait for at least 15-20 minutes between failovers, which will also allow the new standby server to be fully established.
+>
+> * The overall end-to-end operation time may be longer than the actual downtime experienced by the application. Please measure the downtime from the application perspective.
+
+See [this guide](how-to-manage-high-availability-portal.md) for step-by-step instructions.
+++ ## Point-in-time restore Flexible servers that are configured with high availability, log data is replicated in real time to the standby server. Any user errors on the primary server - such as an accidental drop of a table or incorrect data updates are replicated to the standby replica as well. So, you cannot use standby to recover from such logical errors. To recover from such errors, you have to perform point-in-time restore from the backup. Using flexible server's point-in-time restore capability, you can restore to the time before the error occurred. For databases configured with high availability, a new database server will be restored as a single zone flexible server with a new user-provided server name. You can use the restored server for few use cases:
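Review bot: In the planned failover bullet, "Your application can continue to write to the primary while a new standby server is established" follows the promotion step, so it is unclear whether "the primary" means the old server or the newly promoted one; name it explicitly, and do the same for the closing sentence about writing "while the standby is being prepared". Subject and verb also disagree in both bullets ("Applications loses connectivity", "the connections to the primary is severed"), and the bullets differ between "DNS records are updated" and "DNS record is updated"; suggest "Applications lose connectivity", "the connections to the primary are severed", and one form for the DNS sentence. In the introduction, "if you want to failover to" uses the noun as a verb and should read "fail over to".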
postgresql Concepts Networking https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/postgresql/flexible-server/concepts-networking.md
Previously updated : 05/25/2021 Last updated : 06/04/2021 # Networking overview - Azure Database for PostgreSQL - Flexible Server
The following characteristics apply whether you choose to use the private access
* The server has a fully qualified domain name (fqdn). For the hostname property in connection strings, we recommend using the fqdn instead of an IP address. * Both options control access at the server-level, not at the database- or table-level. You would use PostgreSQLΓÇÖs roles properties to control database, table, and other object access.
+>[!NOTE]
+> Since Azure Database for PostgreSQL is a managed database service, users are not provided host or OS access to view or modify configuration files such as `pg_hba.conf`. The content of the file is automatically updated based on the network settings.
## Private access (VNet integration) Private access with virtual network (vnet) integration provides private and secure communication for your PostgreSQL flexible server.
Private DNS zone settings and VNET peering are independent of each other.
* If you want to connect to the flexible server from a client that is provisioned in another VNET, you have to link the private DNS zone with the VNET. See [how to link the virtual network](../../dns/private-dns-getstarted-portal.md#link-the-virtual-network) documentation. > [!NOTE]
-> Private DNS zone names that end with `private.postgres.database.azure.com` can only be linked.
+> Private DNS zone names that end with `postgres.database.azure.com` can only be linked.
### Unsupported virtual network scenarios
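Review bot: In the changed NOTE, "only" is misplaced: "can only be linked" says that linking is the only thing such zones allow, where the intent appears to be that only zones whose names end with `postgres.database.azure.com` can be linked. Suggest "Only private DNS zone names that end with `postgres.database.azure.com` can be linked."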
postgresql Concepts Server Parameters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/postgresql/flexible-server/concepts-server-parameters.md
Azure Database for PostgreSQL provides a subset of configurable parameters for e
Azure Database for PostgreSQL server is pre-configured with optimal default values for each parameter on creation. Static parameters require a server restart and parameters that require superuser access cannot be configured by the user.
-In order to review which parameters are available to view or to modify, we recommend going into the Azure portal, and to the Server Parameters page. You can also configure parameters on a per-user or per-database basis using `ALTER DATABASE` or `ALTER ROLE` commands.
+In order to review which parameters are available to view or to modify, we recommend going into the Azure portal, and to the Server Parameters page. You can also configure parameters on a per-user or per-database basis using `ALTER DATABASE` or `ALTER ROLE` commands.
+
+>[!NOTE]
+> Since Azure Database for PostgreSQL is a managed database service, users are not provided host or OS access to view or modify configuration files such as `postgresql.conf`. The content of the file is automatically updated based on parameter changes in the Server Parameters page.
:::image type="content" source="./media/concepts-server-parameters/server-parameters.png" alt-text="Server parameters - portal":::
postgresql How To Manage High Availability Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/postgresql/flexible-server/how-to-manage-high-availability-portal.md
Previously updated : 09/22/2020 Last updated : 06/07/2021 # Manage zone redundant high availability in Flexible Server
that is already configured with zone redundancy.
6. A notification will show up decommissioning of the high availability deployment is in progress.
+## Forced failover
+
+Follow these steps to force failover your primary to the standby flexible server. This will immediately bring the primary down and triggers a failover to the standby server. This is useful for cases like testing the unplanned outage failover time for your workload.
+
+1. In the [Azure portal](https://portal.azure.com/), select your existing flexible server that has high availability feature already enabled.
+2. On the flexible server page, click High Availability from the front panel to open high availability page.
+3. Check the Primary availability zone and the Standby availability zone
+4. Click on Forced Failover to initiate the manual failover procedure. A pop up will inform you on the potential downtime until the failover is complete. Read the message and click Ok.
+5. A notification will show up mentioning that failover is in progress.
+6. Once failover to the standby server is complete, a notification will pop up.
+7. Check the new Primary availability zone and the Standby availability zone.
+
+ :::image type="content" source="./media/how-to-manage-high-availability-portal/ha-forced-failover.png" alt-text="On-demand forced failover":::
+
+>[!IMPORTANT]
+> * Please do not perform immediate, back-to-back failovers. Wait for at least 15-20 minutes between failovers, which will also allow the new standby server to be fully established.
+>
+> * The overall end-to-end operation time as reported on the portal may be longer than the actual downtime experienced by the application. Please measure the downtime from the application perspective.
+
+## Planned failover
+
+Follow these steps to perform a planned failover from your primary to the standby flexible server. This will first prepare the standby server and performs the failover. This provides the least downtime as this performs a graceful failover to the standby server for situations like after a failover event, you want to bring the primary back to the preferred availability zone.
+1. In the [Azure portal](https://portal.azure.com/), select your existing flexible server that has high availability feature already enabled.
+2. On the flexible server page, click High Availability from the front panel to open high availability page.
+3. Check the Primary availability zone and the Standby availability zone
+4. Click on Planned Failover to initiate the manual failover procedure. A pop up will inform you the process. Read the message and click Ok.
+5. A notification will show up mentioning that failover is in progress.
+6. Once failover to the standby server is complete, a notification will pop up.
+7. Check the new Primary availability zone and the Standby availability zone.
+ :::image type="content" source="./media/how-to-manage-high-availability-portal/ha-planned-failover.png" alt-text="On-demand planned failover":::
+
+>[!IMPORTANT]
+>
+> * Please do not perform immediate, back-to-back failovers. Wait for at least 15-20 minutes between failovers, which will also allow the new standby server to be fully established.
+>
+> * It is recommended to perform planned failover during low activity period.
+>
+> * The overall end-to-end operation time may be longer than the actual downtime experienced by the application. Please measure the downtime from the application perspective.
++ ## Next steps - Learn about [business continuity](./concepts-business-continuity.md)
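Review bot: In the Planned failover section the numbered list starts on the line directly after the introductory paragraph, and the `:::image` line follows step 7 with no blank line, whereas the Forced failover section separates both with blank lines; add the blank lines so the list and the image render the same way in both sections. Step 4 of the planned list reads "A pop up will inform you the process" (missing "of" or "about"), step 3 in both lists lacks its closing period, and the two IMPORTANT blocks carry the same guidance with different wording ("as reported on the portal" appears only under Forced failover), so consider sharing one text.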
postgresql Howto Hyperscale Scale Grow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/postgresql/howto-hyperscale-scale-grow.md
To change the vCores for all worker nodes, adjust the **vCores** slider under
adjusted independently. Adjust the **vCores** slider under **Configuration (coordinator node)**.
+## Increase storage on nodes
+
+In addition to adding new nodes, you can increase the disk space of existing
+nodes. Increasing disk space can allow you to do more with existing worker
+nodes before needing to add more worker nodes.
+
+To change the storage for all worker nodes, adjust the **storage** slider under
+**Configuration (per worker node)**. The coordinator node's storage can be
+adjusted independently. Adjust the **storage** slider under **Configuration
+(coordinator node)**.
+
+> [!NOTE]
+> Once increased and saved, the storage per node cannot be decreased using the
+> slider.
+ ## Next steps - Learn more about server group [performance
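Review bot: The NOTE says the storage per node "cannot be decreased using the slider", which leaves open whether it can be decreased some other way. If the increase cannot be undone, say so directly; if another route exists, name it, since a reader sizing disks needs to know before saving the change.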
postgresql Howto Hyperscale Troubleshoot Read Only https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/postgresql/howto-hyperscale-troubleshoot-read-only.md
+
+ Title: Troubleshoot read-only access - Hyperscale (Citus) - Azure Database for PostgreSQL
+description: Learn why a Hyperscale (Citus) server group can become read-only, and what to do
+keywords: postgresql connection,read only
+++++ Last updated : 6/4/2021++
+# Troubleshoot read-only access to Azure Database for PostgreSQL - Hyperscale (Citus)
+
+PostgreSQL can't run on a machine without some free disk space. To maintain
+access to PostgreSQL servers, it's necessary to prevent the disk space from
+running out.
+
+In Hyperscale (Citus), nodes are set to a read-only (RO) state when the disk is
+almost full. Preventing writes stops the disk from continuing to fill, and
+keeps the node available for reads. During the read-only state, you can take
+measures to free more disk space.
+
+Specifically, a Hyperscale (Citus) node becomes read-only when it has less than
+5 GiB of free storage left. When the server becomes read-only, all existing
+sessions are disconnected, and uncommitted transactions are rolled back. Any
+write operations and transaction commits will fail, while read queries will
+continue to work.
+
+## Ways to recover write-access
+
+### On the coordinator node
+
+* [Increase storage
+ size](howto-hyperscale-scale-grow.md#increase-storage-on-nodes)
+ on the coordinator node, and/or
+* Distribute local tables to worker nodes, or drop data. For either option,
+ you'll need to run `SET SESSION CHARACTERISTICS AS TRANSACTION READ WRITE`
+ after you've connected to the database and before you execute other commands.
+
+### On a worker node
+
+* [Increase storage
+ size](howto-hyperscale-scale-grow.md#increase-storage-on-nodes)
+ on the worker nodes, and/or
+* [Rebalance data](howto-hyperscale-scale-rebalance.md) to other nodes, or drop
+ some data.
+ * For either option, you'll need to set the worker node as read-write
+ temporarily. Submit a support request to do this. Alternately, if you're
+ running a preview Hyperscale (Citus) server group you can connect directly to
+ worker nodes and use `SET SESSION CHARACTERISTICS` as described above for the
+ coordinator node.
+
+## Prevention
+
+We recommend that you set up an alert to notify you when server storage is
+approaching the threshold. That way you can act early to avoid getting into the
+read-only state. For more information, see the documentation about [recommended
+alerts](howto-hyperscale-alert-on-metric.md#suggested-alerts).
+
+## Next steps
+
+* [Set up Azure
+ alerts](howto-hyperscale-alert-on-metric.md#suggested-alerts)
+ for advance notice so you can take action before reaching the read-only state.
+* Learn about [disk
+ usage](https://www.postgresql.org/docs/current/diskusage.html) in PostgreSQL
+ documentation.
+* Learn about [session
+ characteristics](https://www.postgresql.org/docs/13/sql-set-transaction.html)
+ in PostgreSQL documentation.
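Review bot: Under "On a worker node" the "For either option" item is nested beneath the rebalance bullet only, while under "On the coordinator node" the same caveat sits inside the second bullet's own text; pick one structure so it is clear which recovery actions require the session to be set read-write first. The two PostgreSQL links in "Next steps" also pin different versions (`/docs/current/diskusage.html` and `/docs/13/sql-set-transaction.html`); use one scheme. Minor: the metadata date `6/4/2021` is not zero-padded like the other "Last updated" values in this batch.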
purview Register Scan Azure Cosmos Database https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/purview/register-scan-azure-cosmos-database.md
On the **Register sources (Azure Cosmos DB (SQL API))** screen, do the following
4. Select a collection or create a new one (Optional). 5. Select **Register** to register the data source. - :::image type="content" source="media/register-scan-azure-cosmos-database/register-sources.png" alt-text="register sources options" border="true":::
To create and run a new scan, do the following:
1. You can scope your scan to specific databases by choosing the appropriate items in the list.
- :::image type="content" source="media/register-scan-azure-cosmos-database/cosmosdb-scope-your-scan.png" alt-text="Scope your scan":::
+ :::image type="content" source="media/register-scan-azure-cosmos-database/cosmos-database-scope-your-scan.png" alt-text="Scope your scan":::
1. Then select a scan rule set. You can choose between the system default, existing custom rule sets, or create a new rule set inline.
purview Register Scan On Premises Sql Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/purview/register-scan-on-premises-sql-server.md
To create and run a new scan, do the following:
1. Select the credential to connect to your data source.
- :::image type="content" source="media/register-scan-on-premises-sql-server/prem-sql-set-up-scan.png" alt-text="Set up scan":::
+ :::image type="content" source="media/register-scan-on-premises-sql-server/on-premises-sql-set-up-scan.png" alt-text="Set up scan":::
1. You can scope your scan to specific tables by choosing the appropriate items in the list.
- :::image type="content" source="media/register-scan-on-premises-sql-server/prem-sql-scope-your-scan.png" alt-text="Scope your scan":::
+ :::image type="content" source="media/register-scan-on-premises-sql-server/on-premises-sql-scope-your-scan.png" alt-text="Scope your scan":::
1. Then select a scan rule set. You can choose between the system default, existing custom rule sets, or create a new rule set inline.
- :::image type="content" source="media/register-scan-on-premises-sql-server/prem-sql-scan-rule-set.png" alt-text="Scan rule set":::
+ :::image type="content" source="media/register-scan-on-premises-sql-server/on-premises-sql-scan-rule-set.png" alt-text="Scan rule set":::
1. Choose your scan trigger. You can set up a schedule or run the scan once.
search Cognitive Search Concept Annotations Syntax https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-concept-annotations-syntax.md
Before reviewing the syntax, let's revisit a few important concepts to better un
<a name="example-1"></a> ## Example 1: Simple annotation reference
-In Azure Blob storage, suppose you have a variety of files containing references to people's names that you want to extract using entity recognition. In the skill definition below, `"/document/content"` is the textual representation of the entire document, and "people" is an extraction of full names for entities identified as persons.
+In Azure Blob Storage, suppose you have a variety of files containing references to people's names that you want to extract using entity recognition. In the skill definition below, `"/document/content"` is the textual representation of the entire document, and "people" is an extraction of full names for entities identified as persons.
Because the default context is `"/document"`, the list of people can now be referenced as `"/document/people"`. In this specific case `"/document/people"` is an annotation, which could now be mapped to a field in an index, or used in another skill in the same skillset.
search Cognitive Search Concept Intro https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-concept-intro.md
At the start of the pipeline, you have unstructured text or non-text content (su
![Document cracking phase](./media/cognitive-search-intro/document-cracking-phase-blowup.png "document cracking")
- Supported sources include Azure blob storage, Azure table storage, Azure SQL Database, and Azure Cosmos DB. Text-based content can be extracted from the following file types: PDFs, Word, PowerPoint, CSV files. For the full list, see [Supported formats](search-howto-indexing-azure-blob-storage.md#SupportedFormats). Indexing takes time so start with a small, representative data set and then build it up incrementally as your solution matures.
+ Supported sources include Azure Blob Storage, Azure Table Storage, Azure SQL Database, and Azure Cosmos DB. Text-based content can be extracted from the following file types: PDFs, Word, PowerPoint, CSV files. For the full list, see [Supported formats](search-howto-indexing-azure-blob-storage.md#SupportedFormats). Indexing takes time so start with a small, representative data set and then build it up incrementally as your solution matures.
### Step 2: Cognitive skills and enrichment phase
search Cognitive Search Custom Skill Form https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-custom-skill-form.md
Start with the request body template below.
} ```
-Here you'll need to provide the URL of a form that has the same type as the forms you trained with. For testing purposes, you can use one of your training forms. If you followed the cURL quickstart, your forms will be located in an Azure blob storage account. Open Azure Storage Explorer, locate a form file, right-click it, and select **Get Shared Access Signature**. The next dialog window will provide a URL and SAS token. Enter these strings in the `"formUrl"` and `"formSasToken"` fields of your request body, respectively.
+Here you'll need to provide the URL of a form that has the same type as the forms you trained with. For testing purposes, you can use one of your training forms. If you followed the cURL quickstart, your forms will be located in an Azure Blob Storage account. Open Azure Storage Explorer, locate a form file, right-click it, and select **Get Shared Access Signature**. The next dialog window will provide a URL and SAS token. Enter these strings in the `"formUrl"` and `"formSasToken"` fields of your request body, respectively.
> [!div class="mx-imgBorder"] > ![Azure storage explorer; a pdf document is selected](media/cognitive-search-skill-form/form-sas.png)
-If you want to analyze a remote document that isn't in Azure blob storage, paste its URL in the `"formUrl"` field and leave the `"formSasToken"` field blank.
+If you want to analyze a remote document that isn't in Azure Blob Storage, paste its URL in the `"formUrl"` field and leave the `"formSasToken"` field blank.
> [!NOTE] > When the skill is integrated in a skillset, the URL and token will be provided by Cognitive Search.
search Cognitive Search Defining Skillset https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-defining-skillset.md
Let's look at the first skill, which is the built-in [entity recognition skill](
* Outputs from the one skill can conflict with outputs from a different skill. If you have multiple skills returning a ```result``` property, you can use the ```targetName``` property of skill outputs to capture a named JSON output from a skill into a different property.
-* The skill has one input called "text", with a source input set to ```"/document/content"```. The skill (entity recognition) operates on the *content* field of each document, which is a standard field created by the Azure blob indexer.
+* The skill has one input called "text", with a source input set to ```"/document/content"```. The skill (entity recognition) operates on the *content* field of each document, which is a standard field created by the Azure Blob indexer.
* The skill has one output called ```"organizations"``` that is captured in a property ```orgs```. Outputs exist only during processing. To chain this output to a downstream skill's input, reference the output as ```"/document/orgs"```.
search Cognitive Search Quickstart Blob https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-quickstart-blob.md
In the following steps, set up a blob container in Azure Storage to store hetero
1. In Container, click **Upload** to upload the sample files you downloaded in the first step. Notice that you have a wide range of content types, including images and application files that are not full text searchable in their native formats.
- :::image type="content" source="media/cognitive-search-quickstart-blob/sample-data.png" alt-text="Source files in Azure blob storage" border="false":::
+ :::image type="content" source="media/cognitive-search-quickstart-blob/sample-data.png" alt-text="Source files in Azure Blob Storage" border="false":::
You are now ready to move on the Import data wizard.
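Review bot: the unchanged line right after the alt-text edit reads "You are now ready to move on the Import data wizard", which is missing "to". Suggest fixing it in the same pass: "move on to the Import data wizard".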
Query strings are case-sensitive so if you get an "unknown field" message, check
You've now created your first skillset and learned important concepts useful for prototyping an enriched search solution using your own data.
-Some key concepts that we hope you picked up include the dependency on Azure data sources. A skillset is bound to an indexer, and indexers are Azure and source-specific. Although this quickstart uses Azure Blob storage, other Azure data sources are possible. For more information, see [Indexers in Azure Cognitive Search](search-indexer-overview.md).
+Some key concepts that we hope you picked up include the dependency on Azure data sources. A skillset is bound to an indexer, and indexers are Azure and source-specific. Although this quickstart uses Azure Blob Storage, other Azure data sources are possible. For more information, see [Indexers in Azure Cognitive Search](search-indexer-overview.md).
Another important concept is that skills operate over content types, and when working with heterogeneous content, some inputs will be skipped. Also, large files or fields might exceed the indexer limits of your service tier. It's normal to see warnings when these events occur.
search Cognitive Search Tutorial Blob Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-tutorial-blob-dotnet.md
# Tutorial: Use .NET and AI to generate searchable content from Azure blobs
-If you have unstructured text or images in Azure Blob storage, an [AI enrichment pipeline](cognitive-search-concept-intro.md) can extract information and create new content for full-text search or knowledge mining scenarios.
+If you have unstructured text or images in Azure Blob Storage, an [AI enrichment pipeline](cognitive-search-concept-intro.md) can extract information and create new content for full-text search or knowledge mining scenarios.
In this tutorial, you will learn how to:
The skillset is attached to the indexer. It uses built-in skills from Microsoft
## Download sample data
-The sample data consists of 14 files of mixed content type that you will upload to Azure Blob storage in a later step.
+The sample data consists of 14 files of mixed content type that you will upload to Azure Blob Storage in a later step.
1. Open this [OneDrive folder](https://1drv.ms/f/s!As7Oy81M_gVPa-LCb5lC_3hbS-4) and on the top-left corner, click **Download** to copy the files to your computer.
You can also download the source code for this tutorial. Source code is in the *
## 1 - Create services
-This tutorial uses Azure Cognitive Search for indexing and queries, Cognitive Services on the backend for AI enrichment, and Azure Blob storage to provide the data. This tutorial stays under the free allocation of 20 transactions per indexer per day on Cognitive Services, so the only services you need to create are search and storage.
+This tutorial uses Azure Cognitive Search for indexing and queries, Cognitive Services on the backend for AI enrichment, and Azure Blob Storage to provide the data. This tutorial stays under the free allocation of 20 transactions per indexer per day on Cognitive Services, so the only services you need to create are search and storage.
If possible, create both in the same region and resource group for proximity and manageability. In practice, your Azure Storage account can be in any region.
search Cognitive Search Tutorial Blob Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-tutorial-blob-python.md
# Tutorial: Use Python and AI to generate searchable content from Azure blobs
-If you have unstructured text or images in Azure Blob storage, an [AI enrichment pipeline](cognitive-search-concept-intro.md) can extract information and create new content that is useful for full-text search or knowledge mining scenarios. Although a pipeline can process images, this Python tutorial focuses on text, applying language detection and natural language processing to create new fields that you can leverage in queries, facets, and filters.
+If you have unstructured text or images in Azure Blob Storage, an [AI enrichment pipeline](cognitive-search-concept-intro.md) can extract information and create new content that is useful for full-text search or knowledge mining scenarios. Although a pipeline can process images, this Python tutorial focuses on text, applying language detection and natural language processing to create new fields that you can leverage in queries, facets, and filters.
This tutorial uses Python and the [Search REST APIs](/rest/api/searchservice/) to perform the following tasks: > [!div class="checklist"]
-> * Start with whole documents (unstructured text) such as PDF, HTML, DOCX, and PPTX in Azure Blob storage.
+> * Start with whole documents (unstructured text) such as PDF, HTML, DOCX, and PPTX in Azure Blob Storage.
> * Define a pipeline that extracts text, detects language, recognizes entities, and detects key phrases. > * Define an index to store the output (raw content, plus pipeline-generated name-value pairs). > * Execute the pipeline to start transformations and analysis, and to create and load the index.
If you don't have an Azure subscription, open a [free account](https://azure.mic
## 1 - Create services
-This tutorial uses Azure Cognitive Search for indexing and queries, Cognitive Services on the backend for AI enrichment, and Azure Blob storage to provide the data. This tutorial stays under the free allocation of 20 transactions per indexer per day on Cognitive Services, so the only services you need to create are search and storage.
+This tutorial uses Azure Cognitive Search for indexing and queries, Cognitive Services on the backend for AI enrichment, and Azure Blob Storage to provide the data. This tutorial stays under the free allocation of 20 transactions per indexer per day on Cognitive Services, so the only services you need to create are search and storage.
If possible, create both in the same region and resource group for proximity and manageability. In practice, your Azure Storage account can be in any region.
Since this tutorial only uses 7 transactions, you can skip resource provisioning
The third component is Azure Cognitive Search, which you can [create in the portal](search-create-service-portal.md). You can use the Free tier to complete this walk through.
-As with Azure Blob storage, take a moment to collect the access key. Further on, when you begin structuring requests, you will need to provide the endpoint and admin api-key used to authenticate each request.
+As with Azure Blob Storage, take a moment to collect the access key. Further on, when you begin structuring requests, you will need to provide the endpoint and admin api-key used to authenticate each request.
### Get an admin api-key and URL for Azure Cognitive Search
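Review bot: the changed sentence asks the reader to "collect the access key" and then says requests are authenticated with the "endpoint and admin api-key", while the heading that follows says "admin api-key and URL". Suggest using one pair of terms throughout so it is unambiguous which secret and which address go into each request.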
search Cognitive Search Tutorial Blob https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-tutorial-blob.md
Title: 'Tutorial: REST and AI over Azure blobs'
-description: Step through an example of text extraction and natural language processing over content in Blob storage using Postman and the Azure Cognitive Search REST APIs.
+description: Step through an example of text extraction and natural language processing over content in Blob Storage using Postman and the Azure Cognitive Search REST APIs.
Last updated 11/17/2020
# Tutorial: Use REST and AI to generate searchable content from Azure blobs
-If you have unstructured text or images in Azure Blob storage, an [AI enrichment pipeline](cognitive-search-concept-intro.md) can extract information and create new content from blobs that are useful for full-text search or knowledge mining scenarios. Although a pipeline can process images, this REST tutorial focuses on text, applying language detection and natural language processing to create new fields that you can leverage in queries, facets, and filters.
+If you have unstructured text or images in Azure Blob Storage, an [AI enrichment pipeline](cognitive-search-concept-intro.md) can extract information and create new content from blobs that are useful for full-text search or knowledge mining scenarios. Although a pipeline can process images, this REST tutorial focuses on text, applying language detection and natural language processing to create new fields that you can leverage in queries, facets, and filters.
This tutorial uses Postman and the [Search REST APIs](/rest/api/searchservice/) to perform the following tasks:
If you don't have an Azure subscription, open a [free account](https://azure.mic
## Overview
-This tutorial uses C# and the Azure Cognitive Search REST APIs to create a data source, index, indexer, and skillset. You'll start with whole documents (unstructured text) such as PDF, HTML, DOCX, and PPTX in Azure Blob storage, and then run them through a skillset to extract entities, key phrases, and other text in the content files.
+This tutorial uses C# and the Azure Cognitive Search REST APIs to create a data source, index, indexer, and skillset. You'll start with whole documents (unstructured text) such as PDF, HTML, DOCX, and PPTX in Azure Blob Storage, and then run them through a skillset to extract entities, key phrases, and other text in the content files.
This skillset uses built-in skills based on Cognitive Services APIs. Steps in the pipeline include language detection on text, key phrase extraction, and entity recognition (organizations). New information is stored in new fields that you can leverage in queries, facets, and filters.
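Review bot: the Overview sentence still opens with "This tutorial uses C# and the Azure Cognitive Search REST APIs", but the title, description and task list of this article describe REST with Postman. Since the line is being edited anyway, suggest replacing "C#" with "Postman" so the overview matches the rest of the article.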
Optionally, you can also download the source code, a Postman collection file, fo
## 1 - Create services
-This tutorial uses Azure Cognitive Search for indexing and queries, Cognitive Services on the backend for AI enrichment, and Azure Blob storage to provide the data. This tutorial stays under the free allocation of 20 transactions per indexer per day on Cognitive Services, so the only services you need to create are search and storage.
+This tutorial uses Azure Cognitive Search for indexing and queries, Cognitive Services on the backend for AI enrichment, and Azure Blob Storage to provide the data. This tutorial stays under the free allocation of 20 transactions per indexer per day on Cognitive Services, so the only services you need to create are search and storage.
If possible, create both in the same region and resource group for proximity and manageability. In practice, your Azure Storage account can be in any region.
For this exercise, however, you can skip resource provisioning because Azure Cog
The third component is Azure Cognitive Search, which you can [create in the portal](search-create-service-portal.md). You can use the Free tier to complete this walkthrough.
-As with Azure Blob storage, take a moment to collect the access key. Further on, when you begin structuring requests, you will need to provide the endpoint and admin api-key used to authenticate each request.
+As with Azure Blob Storage, take a moment to collect the access key. Further on, when you begin structuring requests, you will need to provide the endpoint and admin api-key used to authenticate each request.
### Copy an admin api-key and URL for Azure Cognitive Search
search Cognitive Search Tutorial Debug Sessions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/cognitive-search-tutorial-debug-sessions.md
Before you begin, have the following prerequisites in place:
## Set up your data
-This section creates the sample data set in Azure blob storage so that the indexer and skillset have content to work with.
+This section creates the sample data set in Azure Blob Storage so that the indexer and skillset have content to work with.
1. [Download sample data (clinical-trials-pdf-19)](https://github.com/Azure-Samples/azure-search-sample-data/tree/master/clinical-trials-pdf-19), consisting of 19 files.
search Knowledge Store Concept Intro https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/knowledge-store-concept-intro.md
Knowledge store is a feature of Azure Cognitive Search that persists output from
If you have used cognitive skills in the past, you already know that *skillsets* move a document through a sequence of enrichments. The outcome can be a search index, or projections in a knowledge store. The two outputs, search index and knowledge store, are products of the same pipeline; derived from the same inputs, but resulting in output that is structured, stored, and used in very different ways.
-Physically, a knowledge store is [Azure Storage](../storage/common/storage-account-overview.md), either Azure Table storage, Azure Blob storage, or both. Any tool or process that can connect to Azure Storage can consume the contents of a knowledge store.
+Physically, a knowledge store is [Azure Storage](../storage/common/storage-account-overview.md), either Azure Table Storage, Azure Blob Storage, or both. Any tool or process that can connect to Azure Storage can consume the contents of a knowledge store.
> [!VIDEO https://www.youtube.com/embed/XWzLBP8iWqg?version=3&start=235&end=426]
Projections can be articulated as tables, objects, or files.
The type of projection you specify in this structure determines the type of storage used by knowledge store.
-+ Table storage is used when you define `tables`. Define a table projection when you need tabular reporting structures for inputs to analytical tools or export as data frames to other data stores. You can specify multiple `tables` to get a subset or cross section of enriched documents. Within the same projection group, table relationships are preserved so that you can work with all of them.
++ Table Storage is used when you define `tables`. Define a table projection when you need tabular reporting structures for inputs to analytical tools or export as data frames to other data stores. You can specify multiple `tables` to get a subset or cross section of enriched documents. Within the same projection group, table relationships are preserved so that you can work with all of them. + Blob storage is used when you define `objects` or `files`. The physical representation of an `object` is a hierarchical JSON structure that represents an enriched document. A `file` is an image extracted from a document, transferred intact to Blob storage.
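Review bot: the added line capitalizes "Table Storage" at its start but leaves "Blob storage is used when you define" and "transferred intact to Blob storage" in the old casing, so the two bullets are now inconsistent with each other and with the paragraph changed above. As shown here the `+ Table Storage` and `+ Blob storage` items also sit on one line; check that they still render as separate list items.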
The REST API is one mechanism by which you can create a knowledge store programm
## How to connect with tools and apps
-Once the enrichments exist in storage, any tool or technology that connects to Azure Blob or Table storage can be used to explore, analyze, or consume the contents. The following list is a start:
+Once the enrichments exist in storage, any tool or technology that connects to Azure Blob or Table Storage can be used to explore, analyze, or consume the contents. The following list is a start:
+ [Storage Explorer](knowledge-store-view-storage-explorer.md) to view enriched document structure and content. Consider this as your baseline tool for viewing knowledge store contents.
search Knowledge Store Connect Power Bi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/knowledge-store-connect-power-bi.md
Click **Get Power BI Template** on the **Add cognitive skills** page to retrieve
![Sample Azure Cognitive Search Power BI Template](media/knowledge-store-connect-power-bi/powerbi-sample-template-portal-only.png "Sample Power BI template") > [!NOTE]
-> Although the template is downloaded while the wizard is in mid-flight, you'll have to wait until the knowledge store is actually created in Azure Table storage before you can use it.
+> Although the template is downloaded while the wizard is in mid-flight, you'll have to wait until the knowledge store is actually created in Azure Table Storage before you can use it.
## Connect with Power BI
search Knowledge Store Create Rest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/knowledge-store-create-rest.md
Last updated 11/18/2020
A knowledge store contains output from an Azure Cognitive Search enrichment pipeline for later analysis or other downstream processing. An AI-enriched pipeline accepts image files or unstructured text files, indexes them by using Azure Cognitive Search, applies AI enrichments from Cognitive Services (such as image analysis and natural language processing), and then saves the results to a knowledge store in Azure Storage. You can use tools like Power BI or Storage Explorer in the Azure portal to explore the knowledge store.
-In this article, you use the REST API interface to ingest, index, and apply AI enrichments to a set of hotel reviews. The hotel reviews are imported into Azure Blob storage. The results are saved as a knowledge store in Azure Table storage.
+In this article, you use the REST API interface to ingest, index, and apply AI enrichments to a set of hotel reviews. The hotel reviews are imported into Azure Blob Storage. The results are saved as a knowledge store in Azure Table Storage.
After you create the knowledge store, you can learn about how to access the knowledge store by using [Storage Explorer](knowledge-store-view-storage-explorer.md) or [Power BI](knowledge-store-connect-power-bi.md).
If you don't have an Azure subscription, create a [free account](https://azure.m
## Create services and load data
-This quickstart uses Azure Cognitive Search, Azure Blob storage, and [Azure Cognitive Services](https://azure.microsoft.com/services/cognitive-services/) for the AI.
+This quickstart uses Azure Cognitive Search, Azure Blob Storage, and [Azure Cognitive Services](https://azure.microsoft.com/services/cognitive-services/) for the AI.
Because the workload is so small, Cognitive Services is tapped behind the scenes to provide free processing for up to 20 transactions daily. Because the data set is so small, you can skip creating or attaching a Cognitive Services resource.
search Knowledge Store Projection Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/knowledge-store-projection-overview.md
Azure Cognitive Search enables content enrichment through built-in cognitive ski
Projections, a component of [knowledge store](knowledge-store-concept-intro.md), are views of enriched documents that can be saved to physical storage for knowledge mining purposes. A projection lets you "project" your data into a shape that aligns with your needs, preserving relationships so that tools like Power BI can read the data with no additional effort.
-Projections can be tabular, with data stored in rows and columns in Azure Table storage, or JSON objects stored in Azure Blob storage. You can define multiple projections of your data as it is being enriched. Multiple projections are useful when you want the same data shaped differently for individual use cases.
+Projections can be tabular, with data stored in rows and columns in Azure Table Storage, or JSON objects stored in Azure Blob Storage. You can define multiple projections of your data as it is being enriched. Multiple projections are useful when you want the same data shaped differently for individual use cases.
The knowledge store supports three types of projections:
Your projections have a lifecycle that is tied to the source data in your data s
After the indexer is run, you can read the projected data in the containers or tables you specified through projections.
-For analytics, exploration in Power BI is as simple as setting Azure Table storage as the data source. You can easily create a set of visualizations on your data using the relationships within.
+For analytics, exploration in Power BI is as simple as setting Azure Table Storage as the data source. You can easily create a set of visualizations on your data using the relationships within.
Alternatively, if you need to use the enriched data in a data science pipeline, you could [load the data from blobs into a Pandas DataFrame](../machine-learning/team-data-science-process/explore-data-blob.md).
search Knowledge Store Projections Examples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/knowledge-store-projections-examples.md
There are three types of [projections](knowledge-store-projection-overview.md):
+ Objects + Files
-Table projections are stored in Azure Table storage. Object and file projections are written to blob storage, where object projections are saved as JSON files, and can contain content from the source document as well as any skill outputs or enrichments. The enrichment pipeline can also extract binaries like images, these binaries are projected as file projections. When a binary object is projected as an object projection, only the metadata associated with it is saved as a JSON blob.
+Table projections are stored in Azure Table Storage. Object and file projections are written to blob storage, where object projections are saved as JSON files, and can contain content from the source document as well as any skill outputs or enrichments. The enrichment pipeline can also extract binaries like images, these binaries are projected as file projections. When a binary object is projected as an object projection, only the metadata associated with it is saved as a JSON blob.
To understand the intersection between data shaping and projections, we'll use the following skillset as the basis for exploring various configurations. This skillset processes raw image and text content. Projections will be defined from the contents of the document and the outputs of the skills, for the desired scenarios.
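Review bot: the changed paragraph now says "Azure Table Storage" in the first sentence and "written to blob storage" in the second, so the casing fix is only half applied. While editing it, suggest also splitting the comma splice "extract binaries like images, these binaries are projected as file projections" into two sentences.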
search Samples Rest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/samples-rest.md
Code samples from the Cognitive Search team demonstrate features and workflows.
| [custom-analyzers](https://github.com/Azure-Samples/azure-search-postman-samples/tree/master/custom-analyzers) | Source code for [Tutorial: Create a custom analyzer for phone numbers](tutorial-create-custom-analyzer.md). This article explains how to use analyzers to preserve patterns and special characters in searchable content.| | [knowledge-store](https://github.com/Azure-Samples/azure-search-postman-samples/tree/master/knowledge-store) | Source code for [Create a knowledge store using REST and Postman](knowledge-store-create-rest.md). This article explains the necessary steps for populating a knowledge store used for knowledge mining workflows. | | [projections](https://github.com/Azure-Samples/azure-search-postman-samples/tree/master/projections) | Source code for [How to shape and export enrichments](knowledge-store-projections-examples.md). This article explains how to specify the physical data structures in a knowledge store.|
-| [index-encrypted-blobs](https://github.com/Azure-Samples/azure-search-postman-samples/commit/f5ebb141f1ff98f571ab84ac59dcd6fd06a46718) | Source code for [How to index encrypted blobs using blob indexers and skillsets](search-howto-index-encrypted-blobs.md). This article shows how to index documents in Azure Blob storage that have been previously encrypted using Azure Key Vault. |
+| [index-encrypted-blobs](https://github.com/Azure-Samples/azure-search-postman-samples/commit/f5ebb141f1ff98f571ab84ac59dcd6fd06a46718) | Source code for [How to index encrypted blobs using blob indexers and skillsets](search-howto-index-encrypted-blobs.md). This article shows how to index documents in Azure Blob Storage that have been previously encrypted using Azure Key Vault. |
> [!Tip] > Try the [Samples browser](/samples/browse/?expanded=azure&languages=http&products=azure-cognitive-search) to search for Microsoft code samples in GitHub, filtered by product, service, and language.
search Search Blob Ai Integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-blob-ai-integration.md
Last updated 02/02/2021
# Use AI to process and analyze Blob content in Azure Cognitive Search
-Content in Azure Blob storage that's composed of images or long undifferentiated text can undergo deep learning analysis to reveal and extract valuable information useful for downstream applications. By using [AI enrichment](cognitive-search-concept-intro.md), you can:
+Content in Azure Blob Storage that's composed of images or long undifferentiated text can undergo deep learning analysis to reveal and extract valuable information useful for downstream applications. By using [AI enrichment](cognitive-search-concept-intro.md), you can:
+ Extract text from images using optical character recognition (OCR) + Produce a scene description or tags from a photo
In this article, we view AI enrichment through a wide lens so that you can quick
*AI enrichment* is part of the indexing architecture of Azure Cognitive Search that integrates machine learning models from Microsoft or custom learning models that you provide. It helps you implement end-to-end scenarios where you need to process blobs (both existing ones and new ones as they come in or are updated), crack open all file formats to extract images and text, extract the desired information using various AI capabilities, and index them in a search index for fast search, retrieval and exploration.
-Inputs are your blobs, in a single container, in Azure Blob storage. Blobs can be almost any kind of text or image data.
+Inputs are your blobs, in a single container, in Azure Blob Storage. Blobs can be almost any kind of text or image data.
Output is always a search index, used for fast text search, retrieval, and exploration in client applications. Additionally, output can also be a [*knowledge store*](knowledge-store-concept-intro.md) that projects enriched documents into Azure blobs or Azure tables for downstream analysis in tools like Power BI or in data science workloads.
In between is the pipeline architecture itself. The pipeline is based on the [*i
## Required resources
-In addition to Azure Blob storage and Azure Cognitive Search, you need a third service or mechanism that provides the AI:
+In addition to Azure Blob Storage and Azure Cognitive Search, you need a third service or mechanism that provides the AI:
+ For built-in AI, Cognitive Search integrates with Azure Cognitive Services vision and natural language processing APIs. You can [attach a Cognitive Services resource](cognitive-search-attach-cognitive-services.md) to add Optical Character Recognition (OCR), image analysis, or natural language processing (language detection, text translation, entity recognition, key phrase extraction).
In Azure Storage, a knowledge store has two manifestations: a blob container, or
+ A blob container captures enriched documents in their entirety, which is useful if you want to feed into other processes.
-+ In contrast, Table storage can accommodate physical projections of enriched documents. You can create slices or layers of enriched documents that include or exclude specific parts. For analysis in Power BI, the tables in Azure Table storage become the data source for further visualization and exploration.
++ In contrast, Table storage can accommodate physical projections of enriched documents. You can create slices or layers of enriched documents that include or exclude specific parts. For analysis in Power BI, the tables in Azure Table Storage become the data source for further visualization and exploration. An enriched document at the end of the pipeline differs from its original input version by the presence of additional fields containing new information that was extracted or generated during enrichment. As such, you can work with a combination of original and created content, regardless of which output structure you use.
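Review bot: the added line begins "In contrast, Table storage can accommodate" and later says "Azure Table Storage", so both casings appear in the same bullet. Suggest capitalizing the first instance as well. The paragraph starting "An enriched document at the end of the pipeline" is also attached to the bullet here; confirm it remains a separate paragraph in the source.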
search Search Blob Metadata Properties https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-blob-metadata-properties.md
Last updated 02/22/2021
# Content metadata properties used in Azure Cognitive Search
-SharePoint Online and Azure blob storage can contain various content, and many of those content types have metadata properties that can be useful to index. Just as you can create search fields for standard blob properties like **`metadata_storage_name`**, you can create fields for metadata properties that are specific to a document format.
+SharePoint Online and Azure Blob Storage can contain various content, and many of those content types have metadata properties that can be useful to index. Just as you can create search fields for standard blob properties like **`metadata_storage_name`**, you can create fields for metadata properties that are specific to a document format.
## Supported document formats
search Search Blob Storage Integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-blob-storage-integration.md
Title: Search over Azure Blob storage content
+ Title: Search over Azure Blob Storage content
description: Learn about extracting text from Azure blobs and making it full-text searchable in an Azure Cognitive Search index.
Last updated 05/14/2021
-# Search over Azure Blob storage content
+# Search over Azure Blob Storage content
-Searching across the variety of content types stored in Azure Blob storage can be a difficult problem to solve. In this article, review the basic workflow for extracting content and metadata from blobs and sending it to a search index in Azure Cognitive Search. The resulting index can be queried using full text search.
+Searching across the variety of content types stored in Azure Blob Storage can be a difficult problem to solve. In this article, review the basic workflow for extracting content and metadata from blobs and sending it to a search index in Azure Cognitive Search. The resulting index can be queried using full text search.
> [!NOTE] > Already familiar with the workflow and composition? [How to configure a blob indexer](search-howto-indexing-azure-blob-storage.md) is your next step.
Searching across the variety of content types stored in Azure Blob storage can b
Azure Cognitive Search is a search service that supports indexing and query workloads over user-defined indexes that contains your remote searchable content hosted in the cloud. Co-locating your searchable content with the query engine is necessary for performance, returning results at a speed users have come to expect from search queries.
-Cognitive Search integrates with Azure Blob storage at the indexing layer, importing your blob content as search documents that are indexed into *inverted indexes* and other query structures that support free form text queries and filter expressions. Because your blob content is indexed into a search index, you can use the full range of query features in Azure Cognitive Search to find information in your blob content.
+Cognitive Search integrates with Azure Blob Storage at the indexing layer, importing your blob content as search documents that are indexed into *inverted indexes* and other query structures that support free form text queries and filter expressions. Because your blob content is indexed into a search index, you can use the full range of query features in Azure Cognitive Search to find information in your blob content.
-Inputs are your blobs, in a single container, in Azure Blob storage. Blobs can be almost any kind of text data. If your blobs contain images, you can add [AI enrichment to blob indexing](search-blob-ai-integration.md) to create and extract text from images.
+Inputs are your blobs, in a single container, in Azure Blob Storage. Blobs can be almost any kind of text data. If your blobs contain images, you can add [AI enrichment to blob indexing](search-blob-ai-integration.md) to create and extract text from images.
Output is always an Azure Cognitive Search index, used for fast text search, retrieval, and exploration in client applications. In between is the indexing pipeline architecture itself. The pipeline is based on the *indexer* feature, discussed further on in this article.
Once the index is created and populated, it exists independently of your blob co
## Required resources
-You need both Azure Cognitive Search and Azure Blob storage. Within Blob storage, you need a container that provides source content.
+You need both Azure Cognitive Search and Azure Blob Storage. Within blob storage, you need a container that provides source content.
You can start directly in your Storage account portal page. In the left navigation page, under **Blob service** click **Add Azure Cognitive Search** to create a new service or select an existing one.
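Review bot: The added sentence under "Required resources" writes "Within blob storage" in lower case, where the removed line had "Within Blob storage" and the sentence just before it now reads "Azure Blob Storage". Other additions in this same pass (for example "A Blob Storage account is required" in the Power Query article) capitalize the short form, so suggest "Within Blob Storage, you need a container that provides source content." or state the rule for the generic lower-case form and apply it everywhere.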
search Search Dotnet Sdk Migration Version 9 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-dotnet-sdk-migration-version-9.md
Version 9 of the Azure Search .NET SDK targets 2019-05-06 version of Azure Searc
* [AI enrichment](cognitive-search-concept-intro.md) is the ability to extract text from images, blobs, and other unstructured data sources - enriching the content to make it more searchable in an Azure Search index. * Support for [complex types](search-howto-complex-data-types.md) allows you to model almost any nested JSON structure in an Azure Search index. * [Autocomplete](search-add-autocomplete-suggestions.md) provides an alternative to the **Suggest** API for implementing search-as-you-type behavior. Autocomplete "finishes" the word or phrase that a user is currently typing.
-* [JsonLines parsing mode](search-howto-index-json-blobs.md), part of Azure Blob indexing, creates one search document per JSON entity that is separated by a newline.
+* [JsonLines parsing mode](search-howto-index-json-blobs.md), part of blob indexing, creates one search document per JSON entity that is separated by a newline.
### New preview features in version 8.0-preview Version 8.0-preview of the Azure Search .NET SDK targets API version 2017-11-11-Preview. This version includes all the same features of version 9, plus:
search Search Features List https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-features-list.md
Azure Cognitive Search provides a full-text search engine, persistent storage of
| Category&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Features | |-|-| |AI processing during indexing | [**AI enrichment**](cognitive-search-concept-intro.md) for image and text analysis can be applied to an indexing pipeline to extract text information from raw content. A few examples of [built-in skills](cognitive-search-predefined-skills.md) include optical character recognition (making scanned JPEGs searchable), entity recognition (identifying an organization, name, or location), and key phrase recognition. You can also [code custom skills](cognitive-search-create-custom-skill-example.md) to attach to the pipeline. You can also [integrate Azure Machine Learning authored skills](./cognitive-search-tutorial-aml-custom-skill.md). |
-| Storing enriched content for analysis and consumption in non-search scenarios | [**Knowledge store**](knowledge-store-concept-intro.md) is an alternative output of an indexing pipeline. Instead of sending tokenized terms to an index, you can send enriched documents created by the indexing pipeline to a knowledge store, resident in either Azure Blob storage or Table storage, depending on the configuration. Knowledge stores are created from AI-based indexing (skillsets). The purpose of a knowledge store is to support downstream analysis or processing. With new information and structures in a knowledge store, you can attach it to a machine learning process or connect from Power BI to explore the data.<br/><br/> |
+| Storing enriched content for analysis and consumption in non-search scenarios | [**Knowledge store**](knowledge-store-concept-intro.md) is an alternative output of an indexing pipeline. Instead of sending tokenized terms to an index, you can send enriched documents created by the indexing pipeline to a knowledge store, resident in either Azure Blob Storage or Table Storage, depending on the configuration. Knowledge stores are created from AI-based indexing (skillsets). The purpose of a knowledge store is to support downstream analysis or processing. With new information and structures in a knowledge store, you can attach it to a machine learning process or connect from Power BI to explore the data.<br/><br/> |
| Cached content | [**Incremental enrichment (preview)**](cognitive-search-incremental-indexing-conceptual.md) limits processing to just the documents that are changed by specific edits to the pipeline, using cached content for the parts of the pipeline that do not change. | ## Query and user experience
search Search How To Index Power Query Data Sources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-how-to-index-power-query-data-sources.md
Before you start pulling data from one of the supported data sources, you'll wan
+ Azure Cognitive Search service + Azure Cognitive Search service set up in a [supported region](search-how-to-index-power-query-data-sources.md#regional-availability). + Ensure that the Azure Cognitive Search team has enabled your search service for the preview. You can sign up for the preview by filling out [this form](https://aka.ms/azure-cognitive-search/indexer-preview).
-+ Azure Blob storage account
- + A Blob storage account is required for the preview to be used as an intermediary for your data. The data will flow from your data source, then to Blob storage, then to the index. This requirement only exists with the initial gated preview.
++ Azure Blob Storage account
+ + A Blob Storage account is required for the preview to be used as an intermediary for your data. The data will flow from your data source, then to Blob Storage, then to the index. This requirement only exists with the initial gated preview.
## Getting started using the Azure portal The Azure portal provides support for the Power Query connectors. By sampling data and reading metadata on the container, the Import data wizard in Azure Cognitive Search can create a default index, map source fields to target index fields, and load the index in a single operation. Depending on the size and complexity of source data, you could have an operational full text search index in minutes.
search Search Howto Incremental Index https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-howto-incremental-index.md
Content-Type: application/json
api-key: [YOUR-ADMIN-KEY] ```
-After the indexer runs, you can find the cache in Azure Blob storage. The container name is in the following format: `ms-az-search-indexercache-<YOUR-CACHE-ID>`
+After the indexer runs, you can find the cache in Azure Blob Storage. The container name is in the following format: `ms-az-search-indexercache-<YOUR-CACHE-ID>`
> [!NOTE] > A reset and rerun of the indexer results in a full rebuild so that content can be cached. All cognitive enrichments will be rerun on all documents.
search Search Howto Index Changed Deleted Blobs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-howto-index-changed-deleted-blobs.md
Title: Changed and deleted blobs
-description: After an initial search index build that imports from Azure Blob storage, subsequent indexing can pick up just those blobs that are changed or deleted. This article explains the details.
+description: After an initial search index build that imports from Azure Blob Storage, subsequent indexing can pick up just those blobs that are changed or deleted. This article explains the details.
Last updated 01/29/2021
# Change and deletion detection in blob indexing (Azure Cognitive Search)
-After an initial search index is created, you might want subsequent indexer jobs to only pick up new and changed documents. For search content that originates from Azure Blob storage or Azure Data Lake Storage Gen2, change detection occurs automatically when you use a schedule to trigger indexing. By default, the service reindexes only the changed blobs, as determined by the blob's `LastModified` timestamp. In contrast with other data sources supported by search indexers, blobs always have a timestamp, which eliminates the need to set up a change detection policy manually.
+After an initial search index is created, you might want subsequent indexer jobs to only pick up new and changed documents. For search content that originates from Azure Blob Storage or Azure Data Lake Storage Gen2, change detection occurs automatically when you use a schedule to trigger indexing. By default, the service reindexes only the changed blobs, as determined by the blob's `LastModified` timestamp. In contrast with other data sources supported by search indexers, blobs always have a timestamp, which eliminates the need to set up a change detection policy manually.
Although change detection is a given, deletion detection is not. If you want to detect deleted documents, make sure to use a "soft delete" approach. If you delete the blobs outright, corresponding documents will not be removed from the search index.
There are two ways to implement the soft delete approach:
+ [Soft delete using custom metadata](#soft-delete-using-custom-metadata) > [!NOTE]
-> Azure Data Lake Storage Gen2 allows directories to be renamed. When a directory is renamed the timestamps for the blobs in that directory do not get updated. As a result, the indexer will not reindex those blobs. If you need the blobs in a directory to be reindexed after a directory rename because they now have new URLs, you will need to update the `LastModified` timestamp for all the blobs in the directory so that the indexer knows to reindex them during a future run. The virtual directories in Azure blob storage cannot be changed so they do not have this issue.
+> Azure Data Lake Storage Gen2 allows directories to be renamed. When a directory is renamed the timestamps for the blobs in that directory do not get updated. As a result, the indexer will not reindex those blobs. If you need the blobs in a directory to be reindexed after a directory rename because they now have new URLs, you will need to update the `LastModified` timestamp for all the blobs in the directory so that the indexer knows to reindex them during a future run. The virtual directories in Azure Blob Storage cannot be changed so they do not have this issue.
## Native blob soft delete (preview)
-For this deletion detection approach, Cognitive Search depends on the [native blob soft delete](../storage/blobs/soft-delete-blob-overview.md) feature in Azure Blob storage to determine whether blobs have transitioned to a soft deleted state. When blobs are detected in this state, a search indexer uses this information to remove the corresponding document from the index.
+For this deletion detection approach, Cognitive Search depends on the [native blob soft delete](../storage/blobs/soft-delete-blob-overview.md) feature in Azure Blob Storage to determine whether blobs have transitioned to a soft deleted state. When blobs are detected in this state, a search indexer uses this information to remove the corresponding document from the index.
> [!IMPORTANT] > Support for native blob soft delete is in preview. Preview functionality is provided without a service level agreement, and is not recommended for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). The [REST API version 2020-06-30-Preview](./search-api-preview.md) provides this feature. There is currently no portal or .NET SDK support.
For this deletion detection approach, Cognitive Search depends on the [native bl
### Prerequisites + [Enable soft delete for blobs](../storage/blobs/soft-delete-blob-enable.md).
-+ Blobs must be in an Azure Blob storage container. The Cognitive Search native blob soft delete policy is not supported for blobs from Azure Data Lake Storage Gen2.
++ Blobs must be in an Azure Blob Storage container. The Cognitive Search native blob soft delete policy is not supported for blobs from Azure Data Lake Storage Gen2. + Document keys for the documents in your index must be mapped to either be a blob property or blob metadata. + You must use the preview REST API (`api-version=2020-06-30-Preview`) to configure support for soft delete.
There are steps to follow in both Blob storage and Cognitive Search, but there a
} ```
-1. Once the indexer has processed the blob and deleted the document from the index, you can delete the blob in Azure Blob storage.
+1. Once the indexer has processed the blob and deleted the document from the index, you can delete the blob in Azure Blob Storage.
### Reindexing undeleted blobs (using custom metadata)
search Search Howto Index Csv Blobs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-howto-index-csv-blobs.md
Title: Search over CSV blobs
-description: Extract and import CSV from Azure Blob storage using the delimitedText parsing mode.
+description: Extract and import CSV from Azure Blob Storage using the delimitedText parsing mode.
search Search Howto Index Encrypted Blobs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-howto-index-encrypted-blobs.md
Title: Search over encrypted Azure Blob storage content
+ Title: Search over encrypted Azure Blob Storage content
description: Learn how to index and extract text from encrypted documents in Azure Blob Storage with Azure Cognitive Search.
Last updated 11/02/2020
This article shows you how to use [Azure Cognitive Search](search-what-is-azure-search.md) to index documents that have been previously encrypted within [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md) using [Azure Key Vault](../key-vault/general/overview.md). Normally, an indexer cannot extract content from encrypted files because it doesn't have access to the encryption key. However, by leveraging the [DecryptBlobFile](https://github.com/Azure-Samples/azure-search-power-skills/blob/master/Utils/DecryptBlobFile) custom skill followed by the [DocumentExtractionSkill](cognitive-search-skill-document-extraction.md), you can provide controlled access to the key to decrypt the files and then have content extracted from them. This unlocks the ability to index these documents without compromising the encryption status of your stored documents.
-Starting with previously encrypted whole documents (unstructured text) such as PDF, HTML, DOCX, and PPTX in Azure Blob storage, this guide uses Postman and the Search REST APIs to perform the following tasks:
+Starting with previously encrypted whole documents (unstructured text) such as PDF, HTML, DOCX, and PPTX in Azure Blob Storage, this guide uses Postman and the Search REST APIs to perform the following tasks:
> [!div class="checklist"] > * Define a pipeline that decrypts the documents and extracts text from them.
search Search Howto Index Json Blobs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-howto-index-json-blobs.md
Title: Search over JSON blobs
-description: Crawl Azure JSON blobs for text content using the Azure Cognitive Search Blob indexer. Indexers automate data ingestion for selected data sources like Azure Blob storage.
+description: Crawl Azure JSON blobs for text content using the Azure Cognitive Search Blob indexer. Indexers automate data ingestion for selected data sources like Azure Blob Storage.
Last updated 02/01/2021
# How to index JSON blobs using a Blob indexer in Azure Cognitive Search
-This article shows you how to [configure a blob indexer](search-howto-indexing-azure-blob-storage.md) for blobs that consist of JSON documents. JSON blobs in Azure Blob storage commonly assume any of these forms:
+This article shows you how to [configure a blob indexer](search-howto-indexing-azure-blob-storage.md) for blobs that consist of JSON documents. JSON blobs in Azure Blob Storage commonly assume any of these forms:
+ A single JSON document + A JSON document containing an array of well-formed JSON elements
The following sections describe each mode in more detail. If you are unfamiliar
## Index single JSON documents (one per blob)
-By default, blob indexers parse JSON blobs as a single chunk of text, one search document for each blob in a container. If the JSON is structured, the search document can reflect that structure, with individual elements represented as individual fields. For example, assume you have the following JSON document in Azure Blob storage:
+By default, blob indexers parse JSON blobs as a single chunk of text, one search document for each blob in a container. If the JSON is structured, the search document can reflect that structure, with individual elements represented as individual fields. For example, assume you have the following JSON document in Azure Blob Storage:
```http {
You can also refer to individual array elements by using a zero-based index. For
+ [Define field mappings](search-indexer-field-mappings.md) + [Indexers overview](search-indexer-overview.md) + [How to index CSV blobs with a blob indexer](search-howto-index-csv-blobs.md)
-+ [Tutorial: Search semi-structured data from Azure Blob storage](search-semi-structured-data.md)
++ [Tutorial: Search semi-structured data from Azure Blob Storage](search-semi-structured-data.md)
search Search Howto Indexing Azure Blob Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-howto-indexing-azure-blob-storage.md
# How to configure blob indexing in Cognitive Search
-A blob indexer is used for ingesting content from Azure Blob storage into a Cognitive Search index. Blob indexers are frequently used in [AI enrichment](cognitive-search-concept-intro.md), where an attached [skillset](cognitive-search-working-with-skillsets.md) adds image and natural language processing to create searchable content. But you can also use blob indexers without AI enrichment, to ingest content from text-based documents such as PDFs, Microsoft Office documents, and file formats.
+A blob indexer is used for ingesting content from Azure Blob Storage into a Cognitive Search index. Blob indexers are frequently used in [AI enrichment](cognitive-search-concept-intro.md), where an attached [skillset](cognitive-search-working-with-skillsets.md) adds image and natural language processing to create searchable content. But you can also use blob indexers without AI enrichment, to ingest content from text-based documents such as PDFs, Microsoft Office documents, and file formats.
This article shows you how to configure a blob indexer for either scenario. If you're unfamiliar with indexer concepts, start with [Indexers in Azure Cognitive Search](search-indexer-overview.md) and [Create a search indexer](search-howto-create-indexers.md) before diving into blob indexing.
search Search Howto Indexing Azure Tables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-howto-indexing-azure-tables.md
Title: Search over Azure Table storage content
+ Title: Search over Azure Table Storage
-description: Learn how to index data stored in Azure Table storage with an Azure Cognitive Search indexer.
+description: Learn how to index data stored in Azure Table Storage with an Azure Cognitive Search indexer.
Last updated 07/11/2020
-# How to index tables from Azure Table storage with Azure Cognitive Search
+# How to index tables from Azure Table Storage with Azure Cognitive Search
-This article shows how to use Azure Cognitive Search to index data stored in Azure Table storage.
+This article shows how to use Azure Cognitive Search to index data stored in Azure Table Storage.
-## Set up Azure Table storage indexing
+## Set up Azure Table Storage indexing
-You can set up an Azure Table storage indexer by using these resources:
+You can set up an Azure Table Storage indexer by using these resources:
* [Azure portal](https://ms.portal.azure.com) * Azure Cognitive Search [REST API](/rest/api/searchservice/Indexer-operations)
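Review bot: The new title drops the word "content" ("Search over Azure Table Storage" replaces "Search over Azure Table storage content"), which goes beyond the capitalization fix made everywhere else in this change. The blob article keeps its title as "Search over Azure Blob Storage content", so either restore "content" here for parity or confirm the shorter title is intended, since a title change can affect search results and inbound link text.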
search Search Howto Large Index https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-howto-large-index.md
Network data transfer speeds can be a limiting factor when indexing data. Indexi
+ Schedulers allow you to parcel out indexing at regular intervals so that you can spread it out over time. + Scheduled indexing can resume at the last known stopping point. If a data source is not fully crawled within a 24-hour window, the indexer will resume indexing on day two at wherever it left off.
-+ Partitioning data into smaller individual data sources enables parallel processing. You can break up source data into smaller components, such as into multiple containers in Azure Blob storage, and then create corresponding, multiple [data source objects](/rest/api/searchservice/create-data-source) in Azure Cognitive Search that can be indexed in parallel.
++ Partitioning data into smaller individual data sources enables parallel processing. You can break up source data into smaller components, such as into multiple containers in Azure Blob Storage, and then create corresponding, multiple [data source objects](/rest/api/searchservice/create-data-source) in Azure Cognitive Search that can be indexed in parallel. > [!NOTE] > Indexers are data-source-specific, so using an indexer approach is only viable for selected data sources on Azure: [SQL Database](search-howto-connecting-azure-sql-database-to-azure-search-using-indexers.md), [Blob storage](search-howto-indexing-azure-blob-storage.md), [Table storage](search-howto-indexing-azure-tables.md), [Cosmos DB](search-howto-index-cosmosdb.md).
For indexers, processing capacity is loosely based on one indexer subsystem for
2. You can run as many indexers in parallel as the number of search units in your service. In **Settings** > **Scale**, [increase replicas](search-capacity-planning.md) or partitions for parallel processing: one additional replica or partition for each indexer workload. Leave a sufficient number for existing query volume. Sacrificing query workloads for indexing is not a good tradeoff.
-3. Distribute data into multiple containers at a level that Azure Cognitive Search indexers can reach. This could be multiple tables in Azure SQL Database, multiple containers in Azure Blob storage, or multiple collections. Define one data source object for each table or container.
+3. Distribute data into multiple containers at a level that Azure Cognitive Search indexers can reach. This could be multiple tables in Azure SQL Database, multiple containers in Azure Blob Storage, or multiple collections. Define one data source object for each table or container.
4. Create and schedule multiple indexers to run in parallel:
search Search Howto Managed Identities Data Sources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-howto-managed-identities-data-sources.md
When setting up a data source using a managed identity, you can change your data
The following data sources support setting up an indexer connection using managed identities.
-* [Azure Blob storage, Azure Data Lake Storage Gen2 (preview), Azure Table storage](search-howto-managed-identities-storage.md)
+* [Azure Blob Storage, Azure Data Lake Storage Gen2 (preview), Azure Table Storage](search-howto-managed-identities-storage.md)
* [Azure Cosmos DB](search-howto-managed-identities-cosmos-db.md) * [Azure SQL Database](search-howto-managed-identities-sql.md)
The following features do not currently support using managed identities to set
Learn more about how to set up an indexer connection using managed identities:
-* [Azure Blob storage, Azure Data Lake Storage Gen2 (preview), Azure Table storage](search-howto-managed-identities-storage.md)
+* [Azure Blob storage, Azure Data Lake Storage Gen2 (preview), Azure Table Storage](search-howto-managed-identities-storage.md)
* [Azure Cosmos DB](search-howto-managed-identities-cosmos-db.md) * [Azure SQL Database](search-howto-managed-identities-sql.md)
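Review bot: The rename is incomplete in the second list: the added line still reads "Azure Blob storage" while "Azure Table Storage" on the same line was updated. The identical bullet earlier in this file was changed to "[Azure Blob Storage, Azure Data Lake Storage Gen2 (preview), Azure Table Storage]", so the link text here should match it.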
search Search Howto Managed Identities Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-howto-managed-identities-storage.md
In this step you will give your Azure Cognitive Search service permission to rea
![Add role assignment](./media/search-managed-identities/add-role-assignment-storage.png "Add role assignment") 4. Select the appropriate role(s) based on the storage account type that you would like to index:
- 1. Azure Blob storage requires that you add your search service to the **Storage Blob Data Reader** role.
+ 1. Azure Blob Storage requires that you add your search service to the **Storage Blob Data Reader** role.
1. Azure Data Lake Storage Gen2 requires that you add your search service to the **Storage Blob Data Reader** role.
- 1. Azure Table storage requires that you add your search service to the **Reader and Data Access** role.
+ 1. Azure Table Storage requires that you add your search service to the **Reader and Data Access** role.
5. Leave **Assign access to** as **Azure AD user, group or service principal** 6. Search for your search service, select it, then select **Save**
- Example for Azure Blob storage and Azure Data Lake Storage Gen2:
+ Example for Azure Blob Storage and Azure Data Lake Storage Gen2:
![Add Storage Blob Data Reader role assignment](./media/search-managed-identities/add-role-assignment-storage-blob-data-reader.png "Add Storage Blob Data Reader role assignment")
- Example for Azure Table storage:
+ Example for Azure Table Storage:
![Add reader and data access role assignment](./media/search-managed-identities/add-role-assignment-reader-and-data-access.png "Add reader and data access role assignment")
search Search Import Data Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-import-data-portal.md
The Import data wizard is started from the command bar on the service Overview p
![Import data command in portal](./medi2.png "Start the Import data wizard")
-You can also launch **Import data** from other Azure services, including Azure Cosmos DB, Azure SQL Database, SQL Managed Instance, and Azure Blob storage. Look for **Add Azure Cognitive Search** in the left-navigation pane on the service overview page.
+You can also launch **Import data** from other Azure services, including Azure Cosmos DB, Azure SQL Database, SQL Managed Instance, and Azure Blob Storage. Look for **Add Azure Cognitive Search** in the left-navigation pane on the service overview page.
<a name="index-definition"></a>
search Search Indexer Howto Access Trusted Service Exception https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-indexer-howto-access-trusted-service-exception.md
Last updated 05/11/2021
Indexers in an Azure Cognitive Search service that access data in Azure Storage accounts can make use of the [trusted service exception](../storage/common/storage-network-security.md#exceptions) capability to securely access data. This mechanism offers customers who are unable to grant [indexer access using IP firewall rules](search-indexer-howto-access-ip-restricted.md) a simple, secure, and free alternative for accessing data in storage accounts. > [!NOTE]
-> Support for accessing data in storage accounts through a trusted service exception is limited to Azure Blob storage and Azure Data Lake Gen2 storage. Azure Table storage is not supported.
+> Support for accessing data in storage accounts through a trusted service exception is limited to Azure Blob Storage and Azure Data Lake Gen2 storage. Azure Table Storage is not supported.
## Step 1: Configure a connection using a managed identity
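Review bot: The added note still says "Azure Data Lake Gen2 storage", while the other articles touched in this pass call the service "Azure Data Lake Storage Gen2". Since this line is already being edited for product-name casing, suggest "limited to Azure Blob Storage and Azure Data Lake Storage Gen2" so that readers checking which storage types the trusted service exception covers see the same name used in the managed identity articles.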
search Search Monitor Usage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-monitor-usage.md
Logged events captured by Azure Monitor are stored in the **AzureDiagnostics** t
Azure Monitor provides several storage options, and your choice determines how you can consume the data:
-* Choose Azure Blob storage if you want to [visualize log data](search-monitor-logs-powerbi.md) in a Power BI report.
+* Choose Azure Blob Storage if you want to [visualize log data](search-monitor-logs-powerbi.md) in a Power BI report.
* Choose Log Analytics if you want to explore data through Kusto queries. Azure Monitor has its own billing structure and the diagnostic logs referenced in this section have an associated cost. For more information, see [Usage and estimated costs in Azure Monitor](../azure-monitor//usage-estimated-costs.md).
search Search Semi Structured Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-semi-structured-data.md
If you don't have an Azure subscription, create a [free account](https://azure.m
## 1 - Create services
-This tutorial uses Azure Cognitive Search for indexing and queries, and Azure Blob storage to provide the data.
+This tutorial uses Azure Cognitive Search for indexing and queries, and Azure Blob Storage to provide the data.
If possible, create both in the same region and resource group for proximity and manageability. In practice, your Azure Storage account can be in any region.
After the upload completes, the files should appear in their own subfolder insid
The next resource is Azure Cognitive Search, which you can [create in the portal](search-create-service-portal.md). You can use the Free tier to complete this walkthrough.
-As with Azure Blob storage, take a moment to collect the access key. Further on, when you begin structuring requests, you will need to provide the endpoint and admin api-key used to authenticate each request.
+As with Azure Blob Storage, take a moment to collect the access key. Further on, when you begin structuring requests, you will need to provide the endpoint and admin api-key used to authenticate each request.
### Get a key and URL
search Search What Is Azure Search https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/search-what-is-azure-search.md
Azure Cognitive Search is well suited for the following application scenarios:
+ Easily implement search-related features: relevance tuning, faceted navigation, filters (including geo-spatial search), synonym mapping, and autocomplete.
-+ Transform large undifferentiated text or image files, or application files stored in Azure Blob storage or Cosmos DB, into searchable JSON documents. This is achieved during index through [cognitive skills](cognitive-search-concept-intro.md) that add external processing.
++ Transform large undifferentiated text or image files, or application files stored in Azure Blob Storage or Cosmos DB, into searchable JSON documents. This is achieved during index through [cognitive skills](cognitive-search-concept-intro.md) that add external processing. + Add linguistic or custom text analysis. If you have non-English content, Azure Cognitive Search supports both Lucene analyzers and Microsoft's natural language processors. You can also configure analyzers to achieve specialized processing of raw content, such as filtering out diacritics, or recognizing and preserving patterns in strings.
search Tutorial Multiple Data Sources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/search/tutorial-multiple-data-sources.md
This tutorial has been updated to use the Azure.Search.Documents (version 11) pa
## 1 - Create services
-This tutorial uses Azure Cognitive Search for indexing and queries, Azure Cosmos DB for one data set, and Azure Blob storage for the second data set.
+This tutorial uses Azure Cognitive Search for indexing and queries, Azure Cosmos DB for one data set, and Azure Blob Storage for the second data set.
If possible, create all services in the same region and resource group for proximity and manageability. In practice, your services can be in any region.
This sample uses two small sets of data that describe seven fictional hotels. On
1. Copy a connection string from the **Keys** page into Notepad. You will need this for **appsettings.json** in a later step. If you did not use the suggested database name "hotel-rooms-db", copy the database name as well.
-### Azure Blob storage
+### Azure Blob Storage
1. Sign in to the [Azure portal](https://portal.azure.com), navigate to your Azure storage account, click **Blobs**, and then click **+ Container**.
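Review bot: the heading is renamed to "Azure Blob Storage", but step 1 directly under it still says "navigate to your Azure storage account". Capitalise that as "Azure Storage account" in the same change so the product name is consistent within the section.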
security-center Defender For Container Registries Cicd https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/defender-for-container-registries-cicd.md
# Identify vulnerable container images in your CI/CD workflows
-> [!IMPORTANT]
-> In the first stages of this preview, access is only available through the [preview URL](https://ms.portal.azure.com/?feature.cicd=true#blade/Microsoft_Azure_Security/SecurityMenuBlade/5/0/).
- This page explains how to scan your Azure Container Registry-based container images with the integrated vulnerability scanner when they're built as part of your GitHub workflows. To set up the scanner, you'll need to enable **Azure Defender for container registries** and the CI/CD integration. When your CI/CD workflows push images to your registries, you can view registry scan results and a summary of CI/CD scan results.
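Review bot: removing the [!IMPORTANT] note drops the page's only pointer to the feature-flagged preview URL (`?feature.cicd=true`), so confirm the CI/CD integration is now visible in the standard portal before this merges. If the feature is still gated, readers following the remaining instructions will not find the setting they are told to enable.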
security-center Defender For Sql On Machines Vulnerability Assessment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/defender-for-sql-on-machines-vulnerability-assessment.md
Last updated 05/19/2021
-# Using the integrated vulnerability assessment scanner for your SQL servers
+# Scan your SQL servers for vulnerabilities
**Azure Defender for SQL servers on machines** extends the protections for your Azure-native SQL Servers to fully support hybrid environments and protect SQL servers (all supported version) hosted in Azure, other cloud environments, and even on-premises machines:
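Review bot: the paragraph directly under the renamed H1 still has "(all supported version)", which should read "(all supported versions)"; fix it in the same change. Also confirm the front-matter title and any inbound link text are updated to match "Scan your SQL servers for vulnerabilities".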
security-center Faq Azure Monitor Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/faq-azure-monitor-logs.md
- Title: Azure Security Center FAQ - questions about existing Log Analytics agents
-description: This FAQ answers questions for customers already using the Log Analytics agent and considering Azure Security Center, a product that helps you prevent, detect, and respond to threats.
------ Previously updated : 02/25/2020----
-# FAQ for customers already using Azure Monitor logs<a name="existingloganalyticscust"></a>
-
-## Does Security Center override any existing connections between VMs and workspaces?
-
-If a VM already has the Log Analytics agent installed as an Azure extension, Security Center does not override the existing workspace connection. Instead, Security Center uses the existing workspace. The VM will be protected provided that the "Security" or "SecurityCenterFree" solution has been installed on the workspace to which it is reporting.
-
-A Security Center solution is installed on the workspace selected in the Data Collection screen if not present already, and the solution is applied only to the relevant VMs. When you add a solution, it's automatically deployed by default to all Windows and Linux agents connected to your Log Analytics workspace. [Solution Targeting](../azure-monitor/insights/solution-targeting.md) allows you to apply a scope to your solutions.
-
-> [!TIP]
-> If the Log Analytics agent is installed directly on the VM (not as an Azure extension), Security Center does not install the Log Analytics agent, and security monitoring is limited.
-
-## Does Security Center install solutions on my existing Log Analytics workspaces? What are the billing implications?
-When Security Center identifies that a VM is already connected to a workspace you created, Security Center enables solutions on this workspace according to your pricing configuration. The solutions are applied only to the relevant Azure VMs, via [solution targeting](../azure-monitor/insights/solution-targeting.md), so the billing remains the same.
--- **Azure Defender off** ΓÇô Security Center installs the "SecurityCenterFree" solution on the workspace. You won't be billed.-- **Azure Defender on** ΓÇô Security Center installs the 'Security' solution on the workspace.-
- ![Solutions on default workspace](./media/security-center-platform-migration-faq/solutions.png)
-
-## I already have workspaces in my environment, can I use them to collect security data?
-If a VM already has the Log Analytics agent installed as an Azure extension, Security Center uses the existing connected workspace. A Security Center solution is installed on the workspace if not present already, and the solution is applied only to the relevant VMs via [solution targeting](../azure-monitor/insights/solution-targeting.md).
-
-When Security Center installs the Log Analytics agent on VMs, it uses the default workspace(s) created by Security Center if Security Center isn't pointed to an existing workspace.
-
-## I already have security solution on my workspaces. What are the billing implications?
-The Security & Audit solution is used to enable **Azure Defender for servers**. If the Security & Audit solution is already installed on a workspace, Security Center uses the existing solution. There is no change in billing.
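Review bot: this removes the whole article, including the named anchor `existingloganalyticscust`, and no redirect or replacement is visible in the change; add a redirect entry and confirm the destination keeps these answers. When moving the text, reconcile the [!TIP] here, which says Security Center "does not install the Log Analytics agent" when the agent is installed directly on the VM, with the Direct Agent answer in faq-data-collection-agents.md, which says Security Center "will install the Log Analytics agent extension".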
security-center Faq Data Collection Agents https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/faq-data-collection-agents.md
- Title: Azure Security Center FAQ - data collection and agents
-description: Frequently asked questions about data collection, agents, and workspaces for Azure Security Center, a product that helps you prevent, detect, and respond to threats
------ Previously updated : 11/15/2020----
-# FAQ - Questions about data collection, agents, and workspaces
-
-Security Center collects data from your Azure virtual machines (VMs), Virtual machine scale sets, IaaS containers, and non-Azure computers (including on-premises machines) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis.
--
-## Am I billed for Azure Monitor logs on the workspaces created by Security Center?
-
-No. Workspaces created by Security Center, while configured for Azure Monitor logs per node billing, don't incur Azure Monitor logs charges. Security Center billing is always based on your Security Center security policy and the solutions installed on a workspace:
--- **Azure Defender off** ΓÇô Security Center enables the "SecurityCenterFree" solution on the default workspace. You won't be billed if Azure Defender is off.--- **Azure Defender on** ΓÇô Security Center enables the "Security" solution on the default workspace.-
-For pricing details in your currency of choice and according to your region, see [Security Center pricing](https://azure.microsoft.com/pricing/details/security-center/).
-
-> [!NOTE]
-> The log analytics pricing tier of workspaces created by Security Center does not affect Security Center billing.
---
-## What is the Log Analytics agent?
-
-To monitor for security vulnerabilities and threats, Azure Security Center depends on the [Log Analytics Agent](../azure-monitor/agents/log-analytics-agent.md) - this is the same agent used by the Azure Monitor service.
-
-The agent is sometimes referred to as the Microsoft Monitoring Agent (or "MMA").
-
-The agent collects various security-related configuration details and event logs from connected machines, and then copies the data to your Log Analytics workspace for further analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged in user.
-
-Ensure your machines are running one of the supported operating systems for the agent as described on the following pages:
-
-* [Log Analytics agent for Windows supported operating systems](../azure-monitor/agents/agents-overview.md#supported-operating-systems)
-
-* [Log Analytics agent for Linux supported operating systems](../azure-monitor/agents/agents-overview.md#supported-operating-systems)
-
-Learn more about the [data collected by the Log Analytics agent](security-center-enable-data-collection.md).
----
-## What qualifies a VM for automatic provisioning of the Log Analytics agent installation?
-
-Windows or Linux IaaS VMs qualify if:
--- The Log Analytics agent extension is not currently installed on the VM.-- The VM is in running state.-- The Windows or Linux [Azure Virtual Machine Agent](../virtual-machines/extensions/agent-windows.md) is installed.-- The VM is not used as an appliance such as web application firewall or next generation firewall.--
-## Where is the default Log Analytics workspace created?
-
-The location of the default workspace depends on your Azure region:
--- For VMs in the United States and Brazil the workspace location is the United States-- For VMs in Canada, the workspace location is Canada-- For VMs in Europe the workspace location is Europe-- For VMs in the UK the workspace location is the UK-- For VMs in East Asia and Southeast Asia the workspace location is Asia-- For VMs in Korea, the workspace location is Korea-- For VMs in India, the workspace location is India-- For VMs in Japan, the workspace location is Japan-- For VMs in China, the workspace location is China-- For VMs in Australia, the workspace location is Australia--
-## What security events are collected by the Log Analytics agent?
-
-For a full list of the security events collected by the agent, see [What event types are stored for the "Common" and "Minimal" security events settings?](security-center-enable-data-collection.md#what-event-types-are-stored-for-common-and-minimal).
-
-> [!IMPORTANT]
-> Note that for some services, such as Azure Firewall, if you have enabled logging and chosen a chatty resource to log (for example, setting the log to *verbose*) you may see significant impacts on your Log Analytics workspace storage needs.
--
-## Can I delete the default workspaces created by Security Center?
-
-**Deleting the default workspace is not recommended.** Security Center uses the default workspaces to store security data from your VMs. If you delete a workspace, Security Center is unable to collect this data and some security recommendations and alerts are unavailable.
-
-To recover, remove the Log Analytics agent on the VMs connected to the deleted workspace. Security Center reinstalls the agent and creates new default workspaces.
-
-## How can I use my existing Log Analytics workspace?
-
-You can select an existing Log Analytics workspace to store data collected by Security Center. To use your existing Log Analytics workspace:
--- The workspace must be associated with your selected Azure subscription.-- At a minimum, you must have read permissions to access the workspace.-
-To select an existing Log Analytics workspace:
-
-1. From Security Center's menu, select **Pricing & settings**.
-1. Select the relevant subscription.
-1. Open the **Auto provisioning** page.
-1. For the Log Analytics agent, select **Edit configuration**.
-
- :::image type="content" source="./media/security-center-enable-data-collection/edit-configuration-auto-deploy-agent.png" alt-text="The configuration of the Log Analytics agent to use when using auto deploy" lightbox="./media/security-center-enable-data-collection/edit-configuration-auto-deploy-agent.png":::
-
-1. Select **Connect Azure VMs to a different workspace** and choose your existing workspace.
-
- :::image type="content" source="./media/security-center-enable-data-collection/choose-workspace.png" alt-text="Selecting a non-default workspace for your Log Analytics agent to report to" lightbox="./media/security-center-enable-data-collection/choose-workspace.png":::
-
- > [!TIP]
- > The list only includes workspaces to which you have access and which are in your Azure subscription.
-
-1. Select **Save**. You will be asked if you would like to reconfigure monitored VMs.
-
- - Select **No** if you want the new workspace settings to **apply on new VMs only**. The new workspace settings only apply to new agent installations; newly discovered VMs that do not have the Log Analytics agent installed.
- - Select **Yes** if you want the new workspace settings to **apply on all VMs**. In addition, every VM connected to a Security Center created workspace is reconnected to the new target workspace.
-
- > [!NOTE]
- > If you select **Yes**, don't delete any workspaces created by Security Center until all VMs have been reconnected to the new target workspace. This operation fails if a workspace is deleted too early.
--
-## What if the Log Analytics agent was already installed as an extension on the VM?<a name="mmaextensioninstalled"></a>
-
-When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Security Center does not override existing connections to user workspaces. Security Center will store security data from a VM in a workspace that is already connected, provided that the "Security" or "SecurityCenterFree" solution has been installed on it. Security Center may upgrade the extension version to the latest version in this process.
-
-For more information, see [Automatic provisioning in cases of a pre-existing agent installation](security-center-enable-data-collection.md#preexisting).
---
-## What if a Log Analytics agent is directly installed on the machine but not as an extension (Direct Agent)?<a name="directagentinstalled"></a>
-
-If the Log Analytics agent is installed directly on the VM (not as an Azure extension), Security Center will install the Log Analytics agent extension, and may upgrade the Log Analytics agent to the latest version.
-
-The agent installed will continue to report to its already configured workspace(s), and in addition will report to the workspace configured in Security Center (Multi-homing is supported on Windows machines).
-
-If the configured workspace is a user workspace (not Security Center's default workspace), you will need to install the "Security" or "SecurityCenterFree" solution on it for Security Center to start processing events from VMs and computers reporting to that workspace.
-
-For Linux machines, Agent multi-homing is not yet supported - hence, if an existing agent installation is detected, automatic provisioning will not occur and the machine's configuration will not be altered.
-
-For existing machines on subscriptions onboarded to Security Center before March 17 2019, when an existing agent will be detected, the Log Analytics agent extension will not be installed and the machine will not be affected. For these machines, see the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues on these machines
-
-For more information, see the next section [What happens if a System Center Operations Manager or OMS direct agent is already installed on my VM?](#scomomsinstalled)
-
-## What if a System Center Operations Manager agent is already installed on my VM?<a name="scomomsinstalled"></a>
-
-Security center will install the Log Analytics agent extension side by side to the existing System Center Operations Manager agent. The existing agent will continue to report to the System Center Operations Manager server normally. Note that the Operations Manager agent and Log Analytics agent share common run-time libraries, which will be updated to the latest version during this process. Note - If version 2012 of the Operations Manager agent is installed, do not turn on automatic provisioning (manageability capabilities can be lost when the Operations Manager server is also version 2012).
--
-## What is the impact of removing these extensions?
-
-If you remove the Microsoft Monitoring Extension, Security Center is not able to collect security data from the VM and some security recommendations and alerts are unavailable. Within 24 hours, Security Center determines that the VM is missing the extension and reinstalls the extension.
--
-## How do I stop the automatic agent installation and workspace creation?
-
-You can turn off automatic provisioning for your subscriptions in the security policy but this is not recommended. Turning off auto provisioning limits Security Center recommendations and alerts. To disable automatic provisioning:
-
-1. From Security Center's menu, select **Pricing & settings**.
-1. Select the relevant subscription.
-1. If your subscription has Azure Defender enabled, open **Azure Defender plans** and select **Azure Defender off**.
-
- :::image type="content" source="./media/security-center-platform-migration-faq/pricing-tier.png" alt-text="Enable or disable Azure Defender":::
-
-1. From the **Auto provisioning** page, Select pen and the turn off auto provisioning in the **Security policy ΓÇô Data collection** page.
-
- :::image type="content" source="./media/security-center-enable-data-collection/agent-toggles.png" alt-text="Enable auto deploy for the Log Analytics agent":::
-
-1. Select **Save**.
--
-## Should I opt out of the automatic agent installation and workspace creation?
-
-> [!NOTE]
-> Be sure to review sections [What are the implications of opting out?](#what-are-the-implications-of-opting-out-of-automatic-provisioning) and [recommended steps when opting out](#what-are-the-recommended-steps-when-opting-out-of-automatic-provisioning) if you choose to opt out of automatic provisioning.
-
-You may want to opt out of automatic provisioning if the following applies to you:
--- Automatic agent installation by Security Center applies to the entire subscription. You cannot apply automatic installation to a subset of VMs. If there are critical VMs that cannot be installed with the Log Analytics agent, then you should opt out of automatic provisioning.-- Installation of the Log Analytics agent extension updates the agent's version. This applies to a direct agent and a System Center Operations Manager agent (in the latter, the Operations Manager and Log Analytics agent share common runtime libraries - which will be updated in the process). If the installed Operations Manager agent is version 2012 and is upgraded, manageability capabilities can be lost when the Operations Manager server is also version 2012. Consider opting out of automatic provisioning if the installed Operations Manager agent is version 2012.-- If you have a custom workspace external to the subscription (a centralized workspace), then you should opt out of automatic provisioning. You can manually install the Log Analytics agent extension and connect it your workspace without Security Center overriding the connection.-- If you want to avoid creation of multiple workspaces per subscription and you have your own custom workspace within the subscription, then you have two options:-
- 1. You can opt out of automatic provisioning. After migration, set the default workspace settings as described in [How can I use my existing Log Analytics workspace?](#how-can-i-use-my-existing-log-analytics-workspace)
-
- 1. Or, you can allow the migration to complete, the Log Analytics agent to be installed on the VMs, and the VMs connected to the created workspace. Then, select your own custom workspace by setting the default workspace setting with opting in to reconfiguring the already installed agents. For more information, see [How can I use my existing Log Analytics workspace?](#how-can-i-use-my-existing-log-analytics-workspace)
--
-## What are the implications of opting out of automatic provisioning?
-
-When migration is complete, Security Center can't collect security data from the VM and some security recommendations and alerts are unavailable. If you opt out, install the Log Analytics agent manually. See [recommended steps when opting out](#what-are-the-recommended-steps-when-opting-out-of-automatic-provisioning).
--
-## What are the recommended steps when opting out of automatic provisioning?
-
-Manually install the Log Analytics agent extension so Security Center can collect security data from your VMs and provide recommendations and alerts. See [agent installation for Windows VM](../virtual-machines/extensions/oms-windows.md) or [agent installation for Linux VM](../virtual-machines/extensions/oms-linux.md) for guidance on installation.
-
-You can connect the agent to any existing custom workspace or Security Center created workspace. If a custom workspace does not have the "Security" or "SecurityCenterFree" solutions enabled, then you will need to apply a solution. To apply, select the custom workspace or subscription and apply a pricing tier via the **Security policy ΓÇô Pricing tier** page.
--
-Security Center will enable the correct solution on the workspace based on the selected pricing tier.
--
-## How do I remove OMS extensions installed by Security Center?<a name="remove-oms"></a>
-
-You can manually remove the Log Analytics agent. This is not recommended as it limits Security Center recommendations and alerts.
-
-> [!NOTE]
-> If data collection is enabled, Security Center will reinstall the agent after you remove it. You need to disable data collection before manually removing the agent. See How do I stop the automatic agent installation and workspace creation? for instructions on disabling data collection.
-
-To manually remove the agent:
-
-1. In the portal, open **Log Analytics**.
-
-1. On the Log Analytics page, select a workspace:
-
-1. Select the VMs that you don't want to monitor and select **Disconnect**.
-
- ![Remove the agent][3]
-
-> [!NOTE]
-> If a Linux VM already has a non-extension OMS agent, removing the extension removes the agent as well and you'll have to reinstall it.
--
-## How do I disable data collection?
-
-Automatic provisioning is highly recommended in order to get security alerts and recommendations about system updates, OS vulnerabilities, and endpoint protection. By default, auto-provisioning is disabled.
-
-If you've enabled it but now want to disable it:
-
-1. From [the Azure portal](https://portal.azure.com), open **Security Center** and select **Pricing and settings**.
-
-1. Select the subscription on which you want to disable automatic provisioning.
-
-1. Under **Auto provisioning**, turn off the toggle for the Log Analytics agent.
--
-## How do I enable data collection?
-
-You can enable data collection for your Azure subscription in the Security policy. To enable data collection. [Sign in to the Azure portal](https://portal.azure.com), select **Browse**, select **Security Center**, and select **Security policy**. Select the subscription that you wish to enable automatic provisioning. When you select a subscription **Security policy - Data collection** opens. Under **Auto provisioning**, select **On**.
--
-## What happens when data collection is enabled?
-
-When automatic provisioning is enabled, Security Center provisions the Log Analytics agent on all supported Azure VMs and any new ones that are created. Automatic provisioning is recommended but manual agent installation is also available. [Learn how to install the Log Analytics agent extension](../azure-monitor/vm/quick-collect-azurevm.md#enable-the-log-analytics-vm-extension).
-
-The agent enables the process creation event 4688 and the *CommandLine* field inside event 4688. New processes created on the VM are recorded by EventLog and monitored by Security Center's detection services. For more information on the details recorded for each new process, see [description fields in 4688](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688#fields). The agent also collects the 4688 events created on the VM and stores them in search.
-
-The agent also enables data collection for [Adaptive Application Controls](security-center-adaptive-application.md), Security Center configures a local AppLocker policy in Audit mode to allow all applications. This policy will cause AppLocker to generate events, which are then collected and leveraged by Security Center. It is important to note that this policy will not be configured on any machines on which there is already a configured AppLocker policy.
-
-When Security Center detects suspicious activity on the VM, the customer is notified by email if [security contact information](security-center-provide-security-contact-details.md) has been provided. An alert is also visible in Security Center's security alerts dashboard.
--
-## Will Security Center work using an OMS gateway?
-
-Yes. Azure Security Center leverages Azure Monitor to collect data from Azure VMs and servers, using the Log Analytics agent.
-To collect the data, each VM and server must connect to the Internet using HTTPS. The connection can be direct, using a proxy, or through the [OMS Gateway](../azure-monitor/agents/gateway.md).
--
-## Does the Monitoring Agent impact the performance of my servers?
-
-The agent consumes a nominal amount of system resources and should have little impact on the performance. For more information on performance impact and the agent and extension, see the [planning and operations guide](security-center-planning-and-operations-guide.md#data-collection-and-storage).
----
-<!--Image references-->
-[2]: ./media/security-center-platform-migration-faq/data-collection.png
-[3]: ./media/security-center-platform-migration-faq/remove-the-agent.png
-[4]: ./media/security-center-platform-migration-faq/use-another-workspace.png
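Review bot: the deleted "What happens when data collection is enabled?" answer is where this article states what the agent changes on the machine (process creation event 4688 with the *CommandLine* field, and a local AppLocker policy in Audit mode), so make sure that text survives in whichever article replaces this one, since it matters to anyone auditing what gets logged. The anchors `mmaextensioninstalled`, `directagentinstalled`, `scomomsinstalled` and `remove-oms` also disappear and need redirects or updated links. Two items should be corrected rather than carried over: "How do I disable data collection?" says automatic provisioning is "highly recommended" and "By default, auto-provisioning is disabled" in adjacent sentences without connecting them, and "How do I enable data collection?" still uses the **Browse** > **Security policy** navigation while the other answers use **Pricing & settings** > **Auto provisioning**.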
security-center Faq General https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/faq-general.md
- Title: Azure Security Center FAQ - General questions
-description: Frequently asked general questions about Azure Security Center, a product that helps you prevent, detect, and respond to threats
------ Previously updated : 02/25/2020----
-# FAQ - General questions about Azure Security Center
-
-## What is Azure Security Center?
-Azure Security Center helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your resources. It provides integrated security monitoring and policy management across your subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.
-
-Security Center uses the Log Analytics agent to collect and store data. For in-depth details, see [Data collection in Azure Security Center](security-center-enable-data-collection.md).
--
-## How do I get Azure Security Center?
-Azure Security Center is enabled with your Microsoft Azure subscription and accessed from the [Azure portal](https://azure.microsoft.com/features/azure-portal/). To access it, [sign in to the portal](https://portal.azure.com), select **Browse**, and scroll to **Security Center**.
--
-## Which Azure resources are monitored by Azure Security Center?
-Azure Security Center monitors the following Azure resources:
-
-* Virtual machines (VMs) (including [Cloud Services](../cloud-services/cloud-services-choose-me.md))
-* Virtual machine scale sets
-* Partner solutions integrated with your Azure subscription such as a web application firewall on VMs and on App Service Environment
-* [The many Azure PaaS services listed in the product overview](features-paas.md)
--
-## How can I see the current security state of my Azure resources?
-The **Security Center Overview** page shows the overall security posture of your environment broken down by Compute, Networking, Storage & data, and Applications. Each resource type has an indicator showing identified security vulnerabilities. Clicking each tile displays a list of security issues identified by Security Center, along with an inventory of the resources in your subscription.
---
-## What is a security initiative?
-A security initiative defines the set of controls (policies) that are recommended for resources within the specified subscription. In Azure Security Center, you assign initiatives for your Azure subscriptions according to your company's security requirements and the type of applications or sensitivity of the data in each subscription.
-
-The security policies enabled in Azure Security Center drive security recommendations and monitoring. Learn more in [What are security policies, initiatives, and recommendations?](security-policy-concept.md).
--
-## Who can modify a security policy?
-To modify a security policy, you must be a **Security Administrator** or an **Owner** of that subscription.
-
-To learn how to configure a security policy, see [Setting security policies in Azure Security Center](tutorial-security-policy.md).
--
-## What is a security recommendation?
-Azure Security Center analyzes the security state of your Azure resources. When potential security vulnerabilities are identified, recommendations are created. The recommendations guide you through the process of configuring the needed control. Examples are:
-
-* Provisioning of anti-malware to help identify and remove malicious software
-* [Network security groups](../virtual-network/network-security-groups-overview.md) and rules to control traffic to virtual machines
-* Provisioning of a web application firewall to help defend against attacks targeting your web applications
-* Deploying missing system updates
-* Addressing OS configurations that do not match the recommended baselines
-
-Only recommendations that are enabled in Security Policies are shown here.
--
-## What triggers a security alert?
-Azure Security Center automatically collects, analyzes, and fuses log data from your Azure resources, the network, and partner solutions like antimalware and firewalls. When threats are detected, a security alert is created. Examples include detection of:
-
-* Compromised virtual machines communicating with known malicious IP addresses
-* Advanced malware detected using Windows error reporting
-* Brute force attacks against virtual machines
-* Security alerts from integrated partner security solutions such as Anti-Malware or Web Application Firewalls
--
-## What's the difference between threats detected and alerted on by Microsoft Security Response Center versus Azure Security Center?
-The Microsoft Security Response Center (MSRC) performs select security monitoring of the Azure network and infrastructure and receives threat intelligence and abuse complaints from third parties. When MSRC becomes aware that customer data has been accessed by an unlawful or unauthorized party or that the customerΓÇÖs use of Azure does not comply with the terms for Acceptable Use, a security incident manager notifies the customer. Notification typically occurs by sending an email to the security contacts specified in Azure Security Center or the Azure subscription owner if a security contact is not specified.
-
-Security Center is an Azure service that continuously monitors the customerΓÇÖs Azure environment and applies analytics to automatically detect a wide range of potentially malicious activity. These detections are surfaced as security alerts in the Security Center dashboard.
security-center Faq Permissions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/faq-permissions.md
- Title: Azure Security Center FAQ - questions about permissions
-description: This FAQ answers questions about permissions in Azure Security Center, a product that helps you prevent, detect, and respond to threats.
------ Previously updated : 02/25/2020----
-# Permissions
-
-## How do permissions work in Azure Security Center?
-
-Azure Security Center uses [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md), which provides [built-in roles](../role-based-access-control/built-in-roles.md) that can be assigned to users, groups, and services in Azure.
-
-Security Center assesses the configuration of your resources to identify security issues and vulnerabilities. In Security Center, you only see information related to a resource when you are assigned the role of Owner, Contributor, or Reader for the subscription or resource group that a resource belongs to.
-
-See [Permissions in Azure Security Center](security-center-permissions.md) to learn more about roles and allowed actions in Security Center.
---
-## Who can modify a security policy?
-
-To modify a security policy, you must be a Security Admin or an Owner or Contributor of that subscription.
-
-To learn how to configure a security policy, see [Setting security policies in Azure Security Center](tutorial-security-policy.md).
security-center Faq Vms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/faq-vms.md
- Title: Azure Security Center FAQ - questions about virtual machines
-description: Frequently asked questions about virtual machines in Azure Security Center, a product that helps you prevent, detect, and respond to threats
------ Previously updated : 02/25/2020----
-# FAQ - Questions about virtual machines
--
-## What types of virtual machines are supported?
-
-Monitoring and recommendations are available for virtual machines (VMs) created using both the [classic and Resource Manager deployment models](../azure-resource-manager/management/deployment-models.md).
-
-See [Supported platforms in Azure Security Center](security-center-os-coverage.md) for a list of supported platforms.
--
-## Why doesn't Azure Security Center recognize the antimalware solution running on my Azure VM?
-
-Azure Security Center has visibility into antimalware installed through Azure extensions. For example, Security Center is not able to detect antimalware that was pre-installed on an image you provided or if you installed antimalware on your virtual machines using your own processes (such as configuration management systems).
--
-## Why do I get the message "Missing Scan Data" for my VM?
-
-This message appears when there is no scan data for a VM. It can take some time (less than an hour) for scan data to populate after Data Collection is enabled in Azure Security Center. After the initial population of scan data, you may receive this message because there is no scan data at all or there is no recent scan data. Scans do not populate for a VM in a stopped state. This message could also appear if scan data has not populated recently (in accordance with the retention policy for the Windows agent, which has a default value of 30 days).
--
-## How often does Security Center scan for operating system vulnerabilities, system updates, and endpoint protection issues?
-
-Below are the latency times for Security Center scans of vulnerabilities, updates, and issues:
--- Operating system security configurations ΓÇô data is updated within 48 hours-- System updates ΓÇô data is updated within 24 hours-- Endpoint Protection issues ΓÇô data is updated within 8 hours-
-Security Center typically scans for new data every hour, and refreshes the recommendations accordingly.
-
-> [!NOTE]
-> Security Center uses the Log Analytics agent to collect and store data. To learn more, see [Azure Security Center Platform Migration](./security-center-enable-data-collection.md).
--
-## Why do I get the message "VM Agent is Missing?"
-
-The VM Agent must be installed on VMs to enable Data Collection. The VM Agent is installed by default for VMs that are deployed from the Azure Marketplace. For information on how to install the VM Agent on other VMs, see the blog post [VM Agent and Extensions](https://azure.microsoft.com/blog/vm-agent-and-extensions-part-2/).
security-center Release Notes Archive https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/release-notes-archive.md
The recommendations also include the Quick fix capability to help speed up the d
Learn more about these two new recommendations in the [Compute and app recommendations](recommendations-reference.md#recs-compute) table.
-Learn more about how Azure Security Center uses the agent in [What is the Log Analytics agent?](faq-data-collection-agents.md#what-is-the-log-analytics-agent).
+Learn more about how Azure Security Center uses the agent in [What is the Log Analytics agent?](/azure/security-center/faq-data-collection-agents#what-is-the-log-analytics-agent).
Learn more about [extensions for Azure Arc machines](../azure-arc/servers/manage-vm-extensions.md).
security-center Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/release-notes.md
The new vulnerability scanning feature for container images, utilizing Trivy, he
Container scan reports are summarized in Azure Security Center, providing security teams better insight and understanding about the source of vulnerable container images and the workflows and repositories from where they originate.
-> [!IMPORTANT]
-> In the first stages of this preview, access is only available through the [preview URL](https://ms.portal.azure.com/?feature.cicd=true#blade/Microsoft_Azure_Security/SecurityMenuBlade/5/0/).
- Learn more in [Identify vulnerable container images in your CI/CD workflows](defender-for-container-registries-cicd.md). ### More Resource Graph queries available for some recommendations
security-center Security Center Enable Data Collection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/security-center-enable-data-collection.md
To enable auto provisioning of the Log Analytics agent:
> [!TIP] > For questions regarding default workspaces, see: >
- > - [Am I billed for Azure Monitor logs on the workspaces created by Security Center?](faq-data-collection-agents.md#am-i-billed-for-azure-monitor-logs-on-the-workspaces-created-by-security-center)
- > - [Where is the default Log Analytics workspace created?](faq-data-collection-agents.md#where-is-the-default-log-analytics-workspace-created)
- > - [Can I delete the default workspaces created by Security Center?](faq-data-collection-agents.md#can-i-delete-the-default-workspaces-created-by-security-center)
+ > - [Am I billed for Azure Monitor logs on the workspaces created by Security Center?](/azure/security-center/faq-data-collection-agents#am-i-billed-for-azure-monitor-logs-on-the-workspaces-created-by-security-center)
+ > - [Where is the default Log Analytics workspace created?](/azure/security-center/faq-data-collection-agents#where-is-the-default-log-analytics-workspace-created)
+ > - [Can I delete the default workspaces created by Security Center?](/azure/security-center/faq-data-collection-agents#can-i-delete-the-default-workspaces-created-by-security-center)
- **Connect Azure VMs to a different workspace** - From the dropdown list, select the workspace to store collected data. The dropdown list includes all workspaces across all of your subscriptions. You can use this option to collect data from virtual machines running in different subscriptions and store it all in your selected workspace.
Here is a complete breakdown of the Security and App Locker event IDs for each s
| | 6273,6278,6416,6423,6424,8001,8002,8003,8004,8005,8006,8007,8222,26401,30004 | > [!NOTE]
-> - If you are using Group Policy Object (GPO), it is recommended that you enable audit policies Process Creation Event 4688 and the *CommandLine* field inside event 4688. For more information about Process Creation Event 4688, see Security Center's [FAQ](faq-data-collection-agents.md#what-happens-when-data-collection-is-enabled). For more information about these audit policies, see [Audit Policy Recommendations](/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations).
+> - If you are using Group Policy Object (GPO), it is recommended that you enable audit policies Process Creation Event 4688 and the *CommandLine* field inside event 4688. For more information about Process Creation Event 4688, see Security Center's [FAQ](/azure/security-center/faq-data-collection-agents#what-happens-when-data-collection-is-enabled). For more information about these audit policies, see [Audit Policy Recommendations](/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations).
> - To enable data collection for [Adaptive Application Controls](security-center-adaptive-application.md), Security Center configures a local AppLocker policy in Audit mode to allow all applications. This will cause AppLocker to generate events which are then collected and leveraged by Security Center. It is important to note that this policy will not be configured on any machines on which there is already a configured AppLocker policy. > - To collect Windows Filtering Platform [Event ID 5156](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5156), you need to enable [Audit Filtering Platform Connection](/windows/security/threat-protection/auditing/audit-filtering-platform-connection) (Auditpol /set /subcategory:"Filtering Platform Connection" /Success:Enable) >
If the configured workspace is a user workspace (not Security Center's default w
- **A pre-existing VM extension is present**: - When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Security Center does not override existing connections to user workspaces. Security Center will store security data from the VM in the workspace already connected, provided that the "Security" or "SecurityCenterFree" solution has been installed on it. Security Center may upgrade the extension version to the latest version in this process. - To see to which workspace the existing extension is sending data to, run the test to [Validate connectivity with Azure Security Center](/archive/blogs/yuridiogenes/validating-connectivity-with-azure-security-center). Alternatively, you can open Log Analytics workspaces, select a workspace, select the VM, and look at the Log Analytics agent connection.
- - If you have an environment where the Log Analytics agent is installed on client workstations and reporting to an existing Log Analytics workspace, review the list of [operating systems supported by Azure Security Center](security-center-os-coverage.md) to make sure your operating system is supported. For more information, see [Existing log analytics customers](./faq-azure-monitor-logs.md).
+ - If you have an environment where the Log Analytics agent is installed on client workstations and reporting to an existing Log Analytics workspace, review the list of [operating systems supported by Azure Security Center](security-center-os-coverage.md) to make sure your operating system is supported. For more information, see [Existing log analytics customers](./faq-azure-monitor-logs.yml).
## Disable auto provisioning <a name="offprovisioning"></a>
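Review bot: the `+` line for "Existing log analytics customers" links to the migrated FAQ with a relative file path and the new extension (`./faq-azure-monitor-logs.yml`), while the other FAQ links updated in this same file were switched to site-relative URLs (`/azure/security-center/faq-data-collection-agents#...`). Use one form throughout the file so that a later move of the FAQ pages can be handled with a single search and replace.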
To turn off automatic provisioning of an agent:
> [!NOTE]
-> Disabling automatic provisioning does not remove the Log Analytics agent from Azure VMs where the agent was provisioned. For information on removing the OMS extension, see [How do I remove OMS extensions installed by Security Center](faq-data-collection-agents.md#remove-oms).
+> Disabling automatic provisioning does not remove the Log Analytics agent from Azure VMs where the agent was provisioned. For information on removing the OMS extension, see [How do I remove OMS extensions installed by Security Center](/azure/security-center/faq-data-collection-agents#remove-oms).
>
security-center Security Center Planning And Operations Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/security-center-planning-and-operations-guide.md
In the next section, you will learn how to plan for each one of those areas and
> [!NOTE]
-> Read [Azure Security Center frequently asked questions (FAQ)](faq-general.md) for a list of common questions that can also be useful during the designing and planning phase.
+> Read [Azure Security Center frequently asked questions (FAQ)](faq-general.yml) for a list of common questions that can also be useful during the designing and planning phase.
## Security roles and access controls Depending on the size and structure of your organization, multiple individuals and teams may use Security Center to perform different security-related tasks. In the following diagram, you have an example of fictitious personas and their respective roles and security responsibilities:
The Log Analytics agent for Windows requires use TCP port 443. See the [Troubles
If at some point you want to disable Data Collection, you can turn it off in the security policy. However, because the Log Analytics agent may be used by other Azure management and monitoring services, the agent will not be uninstalled automatically when you turn off data collection in Security Center. You can manually uninstall the agent if needed. > [!NOTE]
-> To find a list of supported VMs, read the [Azure Security Center frequently asked questions (FAQ)](faq-vms.md).
+> To find a list of supported VMs, read the [Azure Security Center frequently asked questions (FAQ)](faq-vms.yml).
### Workspace
In this document, you learned how to plan for Security Center adoption. To learn
* [Managing and responding to security alerts in Azure Security Center](security-center-managing-and-responding-alerts.md) * [Monitoring partner solutions with Azure Security Center](./security-center-partner-integration.md) ΓÇö Learn how to monitor the health status of your partner solutions.
-* [Azure Security Center FAQ](faq-general.md) ΓÇö Find frequently asked questions about using the service.
+* [Azure Security Center FAQ](faq-general.yml) ΓÇö Find frequently asked questions about using the service.
* [Azure Security blog](/archive/blogs/azuresecurity/) ΓÇö Find blog posts about Azure security and compliance.
security-center Security Center Readiness Roadmap https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/security-center-readiness-roadmap.md
Articles
## Additional resources * [Security Center Documentation Page](./index.yml) * [Security Center REST API Documentation Page](/previous-versions/azure/reference/mt704034(v=azure.100))
-* [Azure Security Center frequently asked questions (FAQ)](./faq-general.md)
+* [Azure Security Center frequently asked questions (FAQ)](./faq-general.yml)
* [Security Center Pricing Page](https://azure.microsoft.com/pricing/details/security-center/) * [Identity security best practices](../security/fundamentals/identity-management-best-practices.md) * [Network security best practices](../security/fundamentals/network-best-practices.md)
security-center Security Center Troubleshooting Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/security-center-troubleshooting-guide.md
In this document, you learned how to configure security policies in Azure Securi
* [Handling Security Incidents in Azure Security Center](security-center-incident.md) * [Azure Security Center detection capabilities](./security-center-alerts-overview.md) * [Monitoring partner solutions with Azure Security Center](./security-center-partner-integration.md) ΓÇö Learn how to monitor the health status of your partner solutions.
-* [Azure Security Center FAQ](faq-general.md) ΓÇö Find frequently asked questions about using the service
+* [Azure Security Center FAQ](faq-general.yml ΓÇö Find frequently asked questions about using the service
* [Azure Security Blog](/archive/blogs/azuresecurity/) ΓÇö Find blog posts about Azure security and compliance
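Review bot: the added FAQ bullet is missing the closing parenthesis of its link target: `[Azure Security Center FAQ](faq-general.yml` runs straight into the description text, so the Markdown link will not render and the rest of the bullet is parsed as part of the URL. Close it as `(faq-general.yml)` before the dash, as the removed line did with `(faq-general.md)`.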
security Secure Develop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/develop/secure-develop.md
misuse of your application.
### Perform code reviews
-Before you check in code, conduct [code reviews](/azure/devops/learn/devops-at-microsoft/code-reviews-not-primarily-finding-bugs) to increase overall code quality and reduce the risk of creating bugs. You can use [Visual Studio](/azure/devops/repos/tfvc/get-code-reviewed-vs) to manage the code review process.
+Before you check in code, conduct code reviews to increase overall code quality and reduce the risk of creating bugs. You can use [Visual Studio](/azure/devops/repos/tfvc/get-code-reviewed-vs) to manage the code review process.
### Perform static code analysis
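Review bot: the `+` line under "Perform code reviews" drops the hyperlink from "code reviews" and leaves bare text, so the sentence no longer points the reader to any guidance on running a review. If the target article moved, repoint the link rather than removing it; if it was retired, say so in the commit message.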
of AzSK, which makes SVTs available as a Visual Studio extension.
In the following articles, we recommend security controls and activities that can help you design and deploy secure applications. - [Design secure applications](secure-design.md)-- [Deploy secure applications](secure-deploy.md)
+- [Deploy secure applications](secure-deploy.md)
security Operational Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/fundamentals/operational-best-practices.md
The following are best practices for network monitoring and available tools.
Use the following DevOps best practices to ensure that your enterprise and teams are productive and efficient. **Best practice**: Automate the build and deployment of services.
-**Detail**: [Infrastructure as code](/azure/devops/learn/what-is-infrastructure-as-code) is a set of techniques and practices that help IT pros remove the burden of day-to-day build and management of modular infrastructure. It enables IT pros to build and maintain their modern server environment in a way thatΓÇÖs like how software developers build and maintain application code.
+**Detail**: [Infrastructure as code](/devops/deliver/what-is-infrastructure-as-code) is a set of techniques and practices that help IT pros remove the burden of day-to-day build and management of modular infrastructure. It enables IT pros to build and maintain their modern server environment in a way thatΓÇÖs like how software developers build and maintain application code.
You can use [Azure Resource Manager](../../azure-resource-manager/templates/template-syntax.md) to provision your applications by using a declarative template. In a single template, you can deploy multiple services along with their dependencies. You use the same template to repeatedly deploy your application in every stage of the application lifecycle.
See [Azure security best practices and patterns](best-practices-and-patterns.md)
The following resources are available to provide more general information about Azure security and related Microsoft * [Azure Security Team Blog](/archive/blogs/azuresecurity/) - for up to date information on the latest in Azure Security
-* [Microsoft Security Response Center](https://technet.microsoft.com/library/dn440717.aspx) - where Microsoft security vulnerabilities, including issues with Azure, can be reported or via email to secure@microsoft.com
+* [Microsoft Security Response Center](https://technet.microsoft.com/library/dn440717.aspx) - where Microsoft security vulnerabilities, including issues with Azure, can be reported or via email to secure@microsoft.com
security Virtual Machines Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security/fundamentals/virtual-machines-overview.md
Security Center helps you optimize and monitor the security of your virtual mach
Learn more: * [Introduction to Azure Security Center](../../security-center/security-center-introduction.md)
-* [Azure Security Center frequently asked questions](../../security-center/faq-general.md)
+* [Azure Security Center frequently asked questions](../../security-center/faq-general.yml)
* [Azure Security Center planning and operations](../../security-center/security-center-planning-and-operations-guide.md) ## Compliance
static-web-apps Functions Bring Your Own https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/static-web-apps/functions-bring-your-own.md
Azure Static Web Apps APIs are supported by two possible configurations: managed
This article demonstrates how to link an existing Azure Functions app to an Azure Static Web Apps resource.
+> [!NOTE]
+> Bring your own functions is only available in the Azure Static Web Apps Standard plan.
+ ## Example Consider an existing Azure Functions app that exposes an endpoint via the following location.
storage Storage Blob Static Website https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/storage/blobs/storage-blob-static-website.md
If you want to use headers to control caching, see [Control Azure CDN caching be
If you plan to host a website in multiple geographies, we recommend that you use a [Content Delivery Network](../../cdn/index.yml) for regional caching. Use [Azure Front Door](../../frontdoor/index.yml) if you want to serve different content in each region. It also provides failover capabilities. [Azure Traffic Manager](../../traffic-manager/index.yml) is not recommended if you plan to use a custom domain. Issues can arise because of how Azure Storage verifies custom domain names.
+## Permissions
+
+The permission to be able to enable static website is Microsoft.Storage/storageAccounts/blobServices/write or shared key. Built in roles that provide this access include Storage Account Contributor.
## Pricing
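Review bot: the sentence added under "## Permissions" mixes an Azure RBAC action with an authorization method and is hard to parse: "The permission to be able to enable static website is Microsoft.Storage/storageAccounts/blobServices/write or shared key". Put the action name in code formatting, state separately that Shared Key authorization also works, and write "Built-in roles". As shown, there is also no blank line between the last added sentence and the `## Pricing` heading.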
To enable metrics on your static website pages, see [Enable metrics on static we
* [Azure Functions](../../azure-functions/functions-overview.md) * [Azure App Service](../../app-service/overview.md) * [Build your first serverless web app](/azure/functions/tutorial-static-website-serverless-api-with-database)
-* [Tutorial: Host your domain in Azure DNS](../../dns/dns-delegate-domain-azure-dns.md)
+* [Tutorial: Host your domain in Azure DNS](../../dns/dns-delegate-domain-azure-dns.md)
synapse-analytics Concepts Data Factory Differences https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/synapse-analytics/data-integration/concepts-data-factory-differences.md
Check below table for features availability:
| | Time to Live | Γ£ô | Γ£ù | | **Pipelines Activities** | SSIS Package Activity | Γ£ô | Γ£ù | | | Support for Power Query Activity | Γ£ô | Γ£ù |
-| **Template Gallery and Knowledge Center** | Solution Templates | Γ£ô<br><small>*Azure Data Factory Template Gallery* | Γ£ô<br><small>*Synapse Workspace Knowledge Center* |
+| **Template Gallery and Knowledge center** | Solution Templates | Γ£ô<br><small>*Azure Data Factory Template Gallery* | Γ£ô<br><small>*Synapse Workspace Knowledge center* |
| **GIT Repository Integration** | GIT Integration | Γ£ô | Γ£ô | | **Monitoring** | Monitoring of Spark Jobs for Data Flow | Γ£ù | Γ£ô<br><small>*Leverage the Synapse Spark pools* | | | Integration with Azure Monitor | Γ£ô | Γ£ù |
synapse-analytics Get Started Knowledge Center https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/synapse-analytics/get-started-knowledge-center.md
Title: 'Tutorial: Get started explore the Synapse Knowledge Center'
-description: In this tutorial, you'll learn how to use the Synapse Knowledge Center.
+ Title: 'Tutorial: Get started explore the Synapse Knowledge center'
+description: In this tutorial, you'll learn how to use the Synapse Knowledge center.
Last updated 04/04/2021
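Review bot: the rewritten `Title:` line still reads "Get started explore the Synapse Knowledge center", which is not grammatical. Since the line is already being changed for capitalization, fix the wording in the same commit, for example "Get started exploring the Synapse Knowledge center".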
# Explore the Synapse Knowledge center
-In this tutorial, you'll learn how to use the Synapse Studio Knowledge Center.
+In this tutorial, you'll learn how to use the Synapse Studio **Knowledge center**.
-## Finding to the Knowledge center
+## Finding the Knowledge center
-There are two ways of finding the Knowledge Center in Synapse Studio:
+There are two ways of finding the **Knowledge center** in Synapse Studio:
1. In the Home hub, near the top-right of the page click on **Learn**.
- 2. In the menu bar at the top, click **?** and then **Knowledge Center**.
+ 2. In the menu bar at the top, click **?** and then **Knowledge center**.
-Pick either method and open the **Knowledge Center**.
+Pick either method and open the **Knowledge center**.
## Exploring the Knowledge center
There are three items in this section:
## Gallery: A collection of sample datasets and sample code
-1. Go to the **Knowledge Center**, click **Browse gallery**.
+1. Go to the **Knowledge center**, click **Browse gallery**.
1. Select the **SQL scripts** tab at the top. 1. Select **Load the New York Taxicab dataset** Data ingestion sample, click **Continue**. 1. Under **SQL pool**, choose **Select an existing pool** and select **SQLPOOL1**, and select the **SQLPOOL1** database you created earlier.
synapse-analytics Get Started Monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/synapse-analytics/get-started-monitor.md
Open Synapse Studio and navigate to the **Monitor** hub. Here, you can see a his
## Next steps > [!div class="nextstepaction"]
-> [Explore the Knowledge Center](get-started-knowledge-center.md)
+> [Explore the Knowledge center](get-started-knowledge-center.md)
virtual-machine-scale-sets Proximity Placement Groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-machine-scale-sets/proximity-placement-groups.md
Title: Proximity placement groups preview for virtual machine scale sets
+ Title: Proximity placement groups for virtual machine scale sets
description: Learn about creating and using proximity placement groups for Windows virtual machine scale sets in Azure.
-# Preview: Creating and using proximity placement groups using PowerShell
+# Creating and using proximity placement groups using PowerShell
To get VMs as close as possible, achieving the lowest possible latency, you should deploy your scale set within a [proximity placement group](../virtual-machines/co-location.md#proximity-placement-groups). A proximity placement group is a logical grouping used to make sure that Azure compute resources are physically located close to each other. Proximity placement groups are useful for workloads where low latency is a requirement.
-> [!IMPORTANT]
-> Proximity Placement Groups is currently in public preview.
-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
->
-> Proximity placement groups are not available in these regions during the preview: **Japan East**, **Australia East** and **India Central**.
- ## Create a proximity placement group Create a proximity placement group using the [New-AzProximityPlacementGroup](/powershell/module/az.compute/new-azproximityplacementgroup) cmdlet.
virtual-machines Maintenance Control Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-machines/maintenance-control-portal.md
Maintenance control lets you decide when to apply updates to your isolated VMs a
1. Sign in to the Azure portal. 1. Search for **Maintenance Configurations**.-
- ![Screenshot showing how to open Maintenance Configurations](media/virtual-machines-maintenance-control-portal/maintenance-configurations-search.png)
+
+ :::image type="content" source="media/virtual-machines-maintenance-control-portal/maintenance-configurations-search-bar.png" alt-text="Screenshot showing how to open Maintenance Configurations":::
1. Click **Add**.
- ![Screenshot showing how to add a maintenance configuration](media/virtual-machines-maintenance-control-portal/maintenance-configurations-add.png)
+ :::image type="content" source="media/virtual-machines-maintenance-control-portal/maintenance-configurations-add-2.png" alt-text="Screenshot showing how to add a maintenance configuration":::
-1. Choose a subscription and resource group, provide a name for the configuration, and choose a region. Click **Next**.
+1. In the Basics tab, choose a subscription and resource group, provide a name for the configuration, choose a region, and select *Host* for the scope. Click **Next**.
+
+ :::image type="content" source="media/virtual-machines-maintenance-control-portal/maintenance-configurations-basics-tab.png" alt-text="Screenshot showing Maintenance Configuration basics":::
- ![Screenshot showing Maintenance Configuration basics](media/virtual-machines-maintenance-control-portal/maintenance-configurations-basics.png)
+1. In the Schedule tab, declare a scheduled window when Azure will apply the updates on your resources. Set a start date, maintenance window, and recurrence. Once you create a scheduled window you no longer have to apply the updates manually. Click **Next**.
-1. Add tags and values. Click **Next**.
+ > [!IMPORTANT]
+ > Maintenance window **duration** must be *2 hours* or longer. Maintenance **recurrence** must be set to repeat at least once in 35-days.
- ![Screenshot showing how to add tags to a maintenance configuration](media/virtual-machines-maintenance-control-portal/maintenance-configurations-tags.png)
+ :::image type="content" source="media/virtual-machines-maintenance-control-portal/maintenance-configurations-schedule-tab.png" alt-text="Screenshot showing Maintenance Configuration schedule":::
-1. Review the summary. Click **Create**.
+1. In the Assignment tab, assign resources now or skip this step and assign resources later after maintenance configuration deployment. Click **Next**.
- ![Screenshot showing how to create a maintenance configuration](media/virtual-machines-maintenance-control-portal/maintenance-configurations-create.png)
+1. Add tags and values. Click **Next**.
+
+ :::image type="content" source="media/virtual-machines-maintenance-control-portal/maintenance-configurations-tags-tab.png" alt-text="Screenshot showing how to add tags to a maintenance configuration":::
+
+1. Review the summary. Click **Create**.
1. After the deployment is complete, click **Go to resource**.
- ![Screenshot showing Maintenance Configuration deployment complete](media/virtual-machines-maintenance-control-portal/maintenance-configurations-deployment-complete.png)
## Assign the configuration
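Review bot: in the new Schedule step the `[!IMPORTANT]` callout sits between the step text and the screenshot that belongs to it (maintenance-configurations-schedule-tab.png), so the image follows the callout instead of the instruction; move the callout below the image. In the callout, "35-days" should read "35 days". In the Basics step, *Host* is italic while the other UI labels in these steps are bold. The new Assignment step has no screenshot and the deployment-complete screenshot is removed; confirm both are intended.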
virtual-machines Hana Example Installation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-machines/workloads/sap/hana-example-installation.md
Title: How to install HANA on SAP HANA on Azure (Large Instances) | Microsoft Docs
-description: How to install HANA on SAP HANA on Azure (Large Instances).
+ Title: Install HANA on SAP HANA on Azure (Large Instances) | Microsoft Docs
+description: Learn how to install HANA on SAP HANA on Azure (Large Instances).
documentationcenter:
vm-linux Previously updated : 09/10/2018- Last updated : 6/4/2021+ # Install HANA on SAP HANA on Azure (Large Instances)
-To install HANA on SAP HANA on Azure (Large Instances), you must first do the following:
-- You provide Microsoft with all the data to deploy for you on an SAP HANA Large Instance.-- You receive the SAP HANA Large Instance from Microsoft.-- You create an Azure virtual network that is connected to your on-premises network.-- You connect the ExpressRoute circuit for HANA Large Instances to the same Azure virtual network.-- You install an Azure virtual machine that you use as a jump box for HANA Large Instances.-- You ensure that you can connect from the jump box to your HANA Large Instance unit, and vice versa.-- You check whether all the necessary packages and patches are installed.-- You read the SAP notes and documentation about HANA installation on the operating system you're using. Make sure that the HANA release of choice is supported on the operating system release.
+In this article, we'll walk through installing HANA on SAP HANA on Azure Large Instances (otherwise known as BareMetal Infrastructure).
-The next section shows an example of downloading the HANA installation packages to the jump box virtual machine. In this case, the operating system is Windows.
+## Prerequisites
+
+To install HANA on SAP HANA on Azure (Large Instances), first:
+
+- Provide Microsoft with all the data to deploy for you on an SAP HANA Large Instance.
+- Receive the SAP HANA Large Instance from Microsoft.
+- Create an Azure virtual network that is connected to your on-premises network.
+- Connect the ExpressRoute circuit for HANA Large Instances to the same Azure virtual network.
+- Install an Azure virtual machine that you use as a jump box for HANA Large Instances.
+- Ensure that you can connect from the jump box to your HANA Large Instance and vice versa.
+- Check whether all the necessary packages and patches are installed.
+- Read the SAP notes and documentation about HANA installation on the operating system you're using. Make sure that the HANA release of choice is supported on the operating system release.
## Download the SAP HANA installation bits+
+Now let's download the HANA installation packages to the jump box virtual machine. In this example, the operating system is Windows.
+ The HANA Large Instance units aren't directly connected to the internet. You can't directly download the installation packages from SAP to the HANA Large Instance virtual machine. Instead, you download the packages to the jump box virtual machine. You need an SAP S-user or other user, which allows you to access the SAP Marketplace. 1. Sign in, and go to [SAP Service Marketplace](https://support.sap.com/en/https://docsupdatetracker.net/index.html). Select **Download Software** > **Installations and Upgrade** > **By Alphabetical Index**. Then select **Under H ΓÇô SAP HANA Platform Edition** > **SAP HANA Platform Edition 2.0** > **Installation**. Download the files shown in the following screenshot.
- ![Screenshot of the files to download](./media/hana-installation/image16_download_hana.PNG)
+ ![Screenshot of the HANA installation files to download.](./media/hana-installation/image16_download_hana.PNG)
2. In this example, we downloaded SAP HANA 2.0 installation packages. On the Azure jump box virtual machine, expand the self-extracting archives into the directory as shown below.
- ![Screenshot of self-extracting archive](./media/hana-installation/image17_extract_hana.PNG)
+ ![Screenshot of self-extracting archive.](./media/hana-installation/image17_extract_hana.PNG)
3. As the archives are extracted, copy the directory created by the extraction (in this case, 51052030). Copy the directory from the HANA Large Instance unit /hana/shared volume into a directory you created. > [!Important]
- > Don't copy the installation packages into the root or boot LUN, because space is limited and needs to be used by other processes as well.
+ > Don't copy the installation packages into the root or boot LUN. Space is limited and needs to be used by other processes as well.
## Install SAP HANA on the HANA Large Instance unit
-In order to install SAP HANA, sign in as user root. Only root has enough permissions to install SAP HANA. Set permissions on the directory you copied over into /hana/shared.
-
-```
-chmod ΓÇôR 744 <Installation bits folder>
-```
-
-If you want to install SAP HANA by using the graphical user interface setup, the gtk2 package needs to be installed on HANA Large Instances. To check whether it is installed, run the following command:
-
-```
-rpm ΓÇôqa | grep gtk2
-```
-(In later steps, we show the SAP HANA setup with the graphical user interface.)
+1. To install SAP HANA, sign in as user root. Only root has enough permissions to install SAP HANA. Set permissions on the directory you copied over into /hana/shared.
-Go into the installation directory, and navigate into the sub directory HDB_LCM_LINUX_X86_64.
+ ```
+ chmod ΓÇôR 744 <Installation bits folder>
+ ```
+
+ To install SAP HANA by using the graphical user interface setup, the gtk2 package needs to be installed on HANA Large Instances. To check whether it's installed, run the following command:
+
+ ```
+ rpm ΓÇôqa | grep gtk2
+ ```
-Out of that directory, start:
+ (In later steps, we show the SAP HANA setup with the graphical user interface.)
-```
-./hdblcmgui
-```
-At this point, you progress through a sequence of screens in which you provide the data for the installation. In this example, we are installing the SAP HANA database server and the SAP HANA client components. Therefore, our selection is **SAP HANA Database**.
+2. Go into the installation directory, and navigate into the sub directory HDB_LCM_LINUX_X86_64.
-![Screenshot of SAP HANA Lifecycle Management screen, with SAP HANA Database selected](./media/hana-installation/image18_hana_selection.PNG)
+ Out of that directory, start:
+
+ ```
+ ./hdblcmgui
+ ```
+3. Now you'll progress through a sequence of screens in which you provide the data for the installation. In this example, we're installing the SAP HANA database server and the SAP HANA client components. So our selection is **SAP HANA Database**.
-On the next screen, select **Install New System**.
+ ![Screenshot of SAP HANA Lifecycle Management screen, with SAP HANA Database selected.](./media/hana-installation/image18_hana_selection.PNG)
-![Screenshot of SAP HANA Lifecycle Management screen, with Install New System selected](./media/hana-installation/image19_select_new.PNG)
+4. Select **Install New System**.
-Next, select among several additional components that you can install.
+ ![Screenshot of SAP HANA Lifecycle Management screen, with Install New System selected.](./media/hana-installation/image19_select_new.PNG)
-![Screenshot of SAP HANA Lifecycle Management screen, with list of additional components](./media/hana-installation/image20_select_components.PNG)
+5. Select among several other components that you can install.
-Here, we choose the SAP HANA Client and the SAP HANA Studio. We also install a scale-up instance. Then choose **Single-Host System**.
+ ![Screenshot of SAP HANA Lifecycle Management screen, with list of additional components](./media/hana-installation/image20_select_components.PNG)
-![Screenshot of SAP HANA Lifecycle Management screen, with Single Host System selected](./media/hana-installation/image21_single_host.PNG)
+6. Choose the SAP HANA Client and the SAP HANA Studio. Also install a scale-up instance. Then select **Single-Host System**.
-Next, provide some data.
+ ![Screenshot of SAP HANA Lifecycle Management screen, with Single Host System selected.](./media/hana-installation/image21_single_host.PNG)
-![Screenshot of SAP HANA Lifecycle Management screen, with system properties fields to define](./media/hana-installation/image22_provide_sid.PNG)
+7. Next you'll provide some data. For the installation path, use the /hana/shared directory.
-> [!Important]
-> As HANA System ID (SID), you must provide the same SID as you provided Microsoft when you ordered the HANA Large Instance deployment. Choosing a different SID causes the installation to fail, due to access permission problems on the different volumes.
+ ![Screenshot of SAP HANA Lifecycle Management screen, with system properties fields to define.](./media/hana-installation/image22_provide_sid.PNG)
-For the installation path, use the /hana/shared directory. In the next step, you provide the locations for the HANA data files and the HANA log files.
+ > [!Important]
+ > As HANA System ID (SID), you must provide the same SID as you provided Microsoft when you ordered the HANA Large Instance deployment. Choosing a different SID causes the installation to fail, due to access permission problems on the different volumes.
+8. Provide the locations for the HANA data files and the HANA log files.
-![Screenshot of SAP HANA Lifecycle Management screen, with data and log area fields](./media/hana-installation/image23_provide_log.PNG)
+ ![Screenshot of SAP HANA Lifecycle Management screen, with data and log area fields](./media/hana-installation/image23_provide_log.PNG)
-> [!Note]
-> The SID you specified when you defined system properties (two screens ago) should match the SID of the mount points. If there is a mismatch, go back and adjust the SID to the value you have on the mount points.
+ > [!Note]
+ > The SID you specified when you defined system properties (two screens ago) should match the SID of the mount points. If there is a mismatch, go back and adjust the SID to the value you have on the mount points.
-In the next step, review the host name and eventually correct it.
+9. Review the host name and correct it as needed.
-![Screenshot of SAP HANA Lifecycle Management screen, with host name](./media/hana-installation/image24_review_host_name.PNG)
+ ![Screenshot of SAP HANA Lifecycle Management screen, with host name.](./media/hana-installation/image24_review_host_name.PNG)
-In the next step, you also need to retrieve data you gave to Microsoft when you ordered the HANA Large Instance deployment.
+10. Retrieve the data you gave to Microsoft when you ordered the HANA Large Instance deployment.
-![Screenshot of SAP HANA Lifecycle Management, with system administrator fields to define](./media/hana-installation/image25_provide_guid.PNG)
+ ![Screenshot of SAP HANA Lifecycle Management, with system administrator fields to define](./media/hana-installation/image25_provide_guid.PNG)
-> [!Important]
-> Provide the same **System Administrator User ID** and **ID of User Group** as you provided to Microsoft, as you order the unit deployment. Otherwise, the installation of SAP HANA on the HANA Large Instance unit fails.
+ > [!Important]
+ > Provide the **System Administrator User ID** and **ID of User Group** that you provided to Microsoft when you ordered the unit deployment. Otherwise, the installation of SAP HANA on the HANA Large Instance unit will fail.
-The next two screens are not shown here. They enable you to provide the password for the SYSTEM user of the SAP HANA database, and the password for the sapadm user. The latter is used for the SAP Host Agent that gets installed as part of the SAP HANA database instance.
+11. The next two screens aren't shown here. They enable you to provide the password for the SYSTEM user of the SAP HANA database, and the password for the sapadm user. The latter is used for the SAP Host Agent that gets installed as part of the SAP HANA database instance.
-After defining the password, you see a confirmation screen. check all the data listed, and continue with the installation. You reach a progress screen that documents the installation progress, like this one:
+ After defining the password, you see a confirmation screen. check all the data listed, and continue with the installation. You'll reach a progress screen that documents the installation progress, like this one:
-![Screenshot of SAP HANA Lifecycle Management screen, with installation progress indicators](./media/hana-installation/image27_show_progress.PNG)
+ ![Screenshot of SAP HANA Lifecycle Management screen, with installation progress indicators.](./media/hana-installation/image27_show_progress.PNG)
-As the installation finishes, you should see a screen like this one:
+12. As the installation finishes, you should see a screen like this one:
-![Screenshot of SAP HANA Lifecycle Management screen, indicating installation is finished](./media/hana-installation/image28_install_finished.PNG)
+ ![Screenshot of SAP HANA Lifecycle Management screen, indicating installation is finished.](./media/hana-installation/image28_install_finished.PNG)
-The SAP HANA instance should now be up and running, and ready for usage. You should be able to connect to it from SAP HANA Studio. Also make sure that you check for and apply the latest updates.
+ The SAP HANA instance should now be up and running, and ready for usage. You can connect to it from SAP HANA Studio. Make sure you check for and apply the latest updates.
## Next steps -- [SAP HANA Large Instances high availability and disaster recovery on Azure](hana-overview-high-availability-disaster-recovery.md)
+Learn about SAP HANA Large Instances high availability and disaster recovery on Azure.
+> [!div class="nextstepaction"]
+> [SAP HANA Large Instances high availability and disaster recovery on Azure](hana-overview-high-availability-disaster-recovery.md)
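Review bot: The two commands in the new step 1, `chmod ΓÇôR 744 <Installation bits folder>` and `rpm ΓÇôqa | grep gtk2`, are re-indented but still carry a non-ASCII dash in front of the option letters (it shows up here as `ΓÇô`). Copied into a shell, that dash is passed as an ordinary argument rather than as the `-R` or `-qa` option, so neither command runs as intended; both should use a plain ASCII hyphen. Since the steps are being renumbered anyway, step 11 also keeps the lowercase sentence start in "check all the data listed, and continue with the installation."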
vpn-gateway Ikev2 Openvpn From Sstp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/vpn-gateway/ikev2-openvpn-from-sstp.md
Previously updated : 09/03/2020 Last updated : 06/04/2021
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection
Point-to-site VPN can use one of the following protocols:
-* **OpenVPN&reg; Protocol**, an SSL/TLS based VPN protocol. An SSL VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which SSL uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux and Mac devices (OSX versions 10.13 and above).
+* **OpenVPN&reg; Protocol**, an SSL/TLS based VPN protocol. An SSL VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which SSL uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux and Mac devices (macOS versions 10.13 and above).
* **Secure Socket Tunneling Protocol (SSTP)**, a proprietary SSL-based VPN protocol. An SSL VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which SSL uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later). **SSTP supports up to 128 concurrent connections only regardless of the gateway SKU**.
-* IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above).
+* IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above).
>[!NOTE]
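Review bot: The rewritten OpenVPN bullet still reads "An SSL VPN solution can penetrate firewalls ... which SSL uses", and the unchanged SSTP bullet below it calls SSTP "a proprietary SSL-based VPN protocol", while the same bullets in point-to-site-about.md say "A TLS VPN solution" and "TLS-based". Since this line is being edited for the macOS rename, align the wording to TLS here as well so the articles describe the transport the same way. The IKEv2 bullet is also the only one of the three without a bold protocol name.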
vpn-gateway Point To Site About https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/vpn-gateway/point-to-site-about.md
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection
Point-to-site VPN can use one of the following protocols:
-* **OpenVPN® Protocol**, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux, and Mac devices (OSX versions 10.13 and above).
+* **OpenVPN® Protocol**, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux, and Mac devices (macOS versions 10.13 and above).
* Secure Socket Tunneling Protocol (SSTP), a proprietary TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later).
-* IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above).
+* IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above).
>[!NOTE]
vpn-gateway Point To Site How To Radius Ps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/vpn-gateway/point-to-site-how-to-radius-ps.md
Previously updated : 11/18/2020 Last updated : 06/04/2021
Point-to-Site connections do not require a VPN device or a public-facing IP addr
* SSTP is a TLS-based VPN tunnel that is supported only on Windows client platforms. It can penetrate firewalls, which makes it an ideal option to connect to Azure from anywhere. On the server side, we support SSTP versions 1.0, 1.1, and 1.2. The client decides which version to use. For Windows 8.1 and above, SSTP uses 1.2 by default.
-* OpenVPN® Protocol, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux and Mac devices (OSX versions 10.13 and above).
+* OpenVPN® Protocol, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux and Mac devices (macOS versions 10.13 and above).
-* IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above).
+* IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above).
P2S connections require the following:
vpn-gateway Point To Site Vpn Client Configuration Azure Cert https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/vpn-gateway/point-to-site-vpn-client-configuration-azure-cert.md
Title: 'Create & install P2S VPN client configuration files: certificate authentication'
-description: Learn how to generate and install VPN client configuration files for Windows, Linux (strongSwan), and macOS X. This article applies to VPN Gateway P2S configurations that use certificate authentication.
+description: Learn how to generate and install VPN client configuration files for Windows, Linux (strongSwan), and macOS. This article applies to VPN Gateway P2S configurations that use certificate authentication.
You can generate client configuration files using PowerShell, or by using the Az
[!INCLUDE [Windows instructions](../../includes/vpn-gateway-p2s-client-configuration-windows.md)]
-## <a name="installmac"></a>Mac (OS X)
+## <a name="installmac"></a>Mac (macOS)
You have to manually configure the native IKEv2 VPN client on every Mac that will connect to Azure. Azure does not provide mobileconfig file for native Azure certificate authentication. The **Generic** folder contains all of the information that you need for configuration. If you don't see the Generic folder in your download, it's likely that IKEv2 was not selected as a tunnel type. Note that the VPN gateway Basic SKU does not support IKEv2. Once IKEv2 is selected, generate the zip file again to retrieve the Generic folder.<br>The Generic folder contains the following files:
vpn-gateway Point To Site Vpn Client Configuration Radius https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/vpn-gateway/point-to-site-vpn-client-configuration-radius.md
Title: 'Azure VPN Gateway: Create & install VPN client config files - P2S RADIUS connections'
-description: Create Windows, OS X, and Linux VPN client configuration files for connections that use RADIUS authentication.
+description: Create Windows, macOS, and Linux VPN client configuration files for connections that use RADIUS authentication.
# Create and install VPN client configuration files for P2S RADIUS authentication
-To connect to a virtual network over point-to-site (P2S), you need to configure the client device that you'll connect from. You can create P2S VPN connections from Windows, OS X, and Linux client devices.
+To connect to a virtual network over point-to-site (P2S), you need to configure the client device that you'll connect from. You can create P2S VPN connections from Windows, macOS, and Linux client devices.
When you're using RADIUS authentication, there are multiple authentication options: username/password authentication, certificate authentication, and other authentication types. The VPN client configuration is different for each type of authentication. To configure the VPN client, you use client configuration files that contain the required settings. This article helps you create and install the VPN client configuration for the RADIUS authentication type that you want to use.
The configuration workflow for P2S RADIUS authentication is as follows:
> >
-To use the sections in this article, first decide which type of authentication you want to use: username/password, certificate, or other types of authentication. Each section has steps for Windows, OS X, and Linux (limited steps available at this time).
+To use the sections in this article, first decide which type of authentication you want to use: username/password, certificate, or other types of authentication. Each section has steps for Windows, macOS, and Linux (limited steps available at this time).
## <a name="adeap"></a>Username/password authentication
Get-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW"
You can configure the following VPN clients: * [Windows](#adwincli)
-* [Mac (OS X)](#admaccli)
+* [Mac (macOS)](#admaccli)
* [Linux using strongSwan](#adlinuxcli) #### <a name="adwincli"></a>Windows VPN client setup
Use the following steps to configure the native Windows VPN client for certifica
2. To install the package, double-click it. If you see a SmartScreen pop-up, select **More info** > **Run anyway**. 3. On the client computer, browse to **Network Settings** and select **VPN**. The VPN connection shows the name of the virtual network that it connects to. 
-#### <a name="admaccli"></a>Mac (OS X) VPN client setup
+#### <a name="admaccli"></a>Mac (macOS) VPN client setup
1. Select the **VpnClientSetup mobileconfig** file and send it to each of the users. You can use email or another method.
Get-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW" | fl
You can configure the following VPN clients: * [Windows](#certwincli)
-* [Mac (OS X)](#certmaccli)
+* [Mac (macOS)](#certmaccli)
* Linux (supported, no article steps yet) #### <a name="certwincli"></a>Windows VPN client setup
You can configure the following VPN clients:
2. Each client requires a client certificate for authentication. Install the client certificate. For information about client certificates, see [Client certificates for point-to-site](vpn-gateway-certificates-point-to-site.md). To install a certificate that was generated, see [Install a certificate on Windows clients](point-to-site-how-to-vpn-client-install-azure-cert.md). 3. On the client computer, browse to **Network Settings** and select **VPN**. The VPN connection shows the name of the virtual network that it connects to.
-#### <a name="certmaccli"></a>Mac (OS X) VPN client setup
+#### <a name="certmaccli"></a>Mac (macOS) VPN client setup
You must create a separate profile for every Mac device that connects to the Azure virtual network. This is because these devices require the user certificate for authentication to be specified in the profile. The **Generic** folder has all the information that's required to create a profile:
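Review bot: The headings and list entries in this file now read "Mac (macOS)", which says the same thing twice, while the description and body text changed in the same file use "macOS" on its own ("Windows, macOS, and Linux"). Suggest "macOS" for the list entries and "macOS VPN client setup" for the two headings; the `admaccli` and `certmaccli` anchors are kept, so the in-page links are not affected by the wording.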
vpn-gateway Vpn Gateway Howto Point To Site Resource Manager Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal.md
Last updated 06/03/2021
-# Configure a Point-to-Site VPN connection to a VNet using Azure certificate authentication: Azure porta