Updates from: 06/08/2021 03:06:30
Service | Microsoft Docs article | Related commit history on GitHub | Change details
active-directory-b2c Custom Policy Developer Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/custom-policy-developer-notes.md
Previously updated : 05/27/2021 Last updated : 06/07/2021
The following table summarizes the Security Assertion Markup Language (SAML) app
| [Custom email verification](custom-email-mailjet.md) | NA | GA| | | [Customize the user interface with built-in templates](customize-ui.md) | GA| GA| | | [Customize the user interface with custom templates](customize-ui-with-html.md) | GA| GA| By using HTML templates. |
+| [Page layout version](page-layout.md) | GA | GA | |
| [JavaScript](javascript-and-page-layout.md) | GA | GA | | | [Embedded sign-in experience](embedded-login.md) | NA | Preview| By using the inline frame element `<iframe>`. | | [Password complexity](password-complexity.md) | GA | GA | |
active-directory-b2c Javascript And Page Layout https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/javascript-and-page-layout.md
Previously updated : 03/22/2021 Last updated : 06/07/2021
To specify a page layout version for your user flow pages:
1. In your Azure AD B2C tenant, select **User flows**. 1. Select your policy (for example, "B2C_1_SignupSignin") to open it.
-1. Select **Page layouts**. Choose a **Layout name**, and then choose the **Page Layout Version (Preview)**.
+1. Select **Page layouts**. Choose a **Layout name**, and then choose the **Page Layout Version**.
For information about the different page layout versions, see the [Page layout version change log](page-layout.md).
active-directory-b2c Page Layout https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/page-layout.md
Page layout packages are periodically updated to include fixes and improvements in their page elements. The following change log specifies the changes introduced in each version.
+> [!IMPORTANT]
+> Azure Active Directory B2C releases improvements and fixes with each new page layout version. We highly recommend you keep your page layout versions up-to-date so that all page elements reflect the latest security enhancements, accessibility standards, and your feedback.
+>
+ ## jQuery version Azure AD B2C page layout uses the following version of the [jQuery library](https://jquery.com/):
active-directory-b2c Partner Strata https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/partner-strata.md
Strata's Maverics integration includes the following components:
- **Azure AD B2C**: The authorization server that's responsible for verifying the user's credentials. Authenticated users may access on-premises apps using a local account stored in the Azure AD B2C directory. -- **An external social or enterprise IdP**: Could be any OpenID Connect provider, Facebook, Google, or GitHub. See information on using [external IdPs](./technical-overview.md#external-identity-providers) with Azure AD B2C.
+- **An external social or enterprise IdP**: Could be any OpenID Connect provider, Facebook, Google, or GitHub. For more information, see [Add an identity provider](./add-identity-provider.md).
- **Strata's Maverics Identity Orchestrator**: The service that orchestrates user sign-on and transparently passes identity to apps through HTTP headers.
active-directory-b2c Session Behavior https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/session-behavior.md
Previously updated : 04/22/2021 Last updated : 06/07/2021
When you want to sign the user out of the application, it isn't enough to clear
Upon a sign-out request, Azure AD B2C:
-1. Invalidates the Azure AD B2C cookie-based session.
::: zone pivot="b2c-user-flow"
-2. Attempts to sign out from federated identity providers
+1. Invalidates the Azure AD B2C cookie-based session.
+1. Attempts to sign out from federated identity providers
::: zone-end+ ::: zone pivot="b2c-custom-policy"
-3. Attempts to sign out from federated identity providers:
+1. Invalidates the Azure AD B2C cookie-based session.
+1. Attempts to sign out from federated identity providers:
- OpenId Connect - If the identity provider well-known configuration endpoint specifies an `end_session_endpoint` location. The sign-out request doesn't pass the `id_token_hint` parameter. If the federated identity provider requires this parameter, the sign-out request will fail. - OAuth2 - If the [identity provider metadata](oauth2-technical-profile.md#metadata) contains the `end_session_endpoint` location. - SAML - If the [identity provider metadata](identity-provider-generic-saml.md) contains the `SingleLogoutService` location.
-4. Optionally, signs-out from other applications. For more information, see the [Single sign-out](#single-sign-out) section.
+1. Optionally, signs-out from other applications. For more information, see the [Single sign-out](#single-sign-out) section.
> [!NOTE] > You can disable the sign out from federated identity providers, by setting the identity provider technical profile metadata `SingleLogoutEnabled` to `false`.
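Review bot: In the added last step, "signs-out" is used as a verb and should be "signs out", matching "sign out" in the steps above it. The added user-flow step "Attempts to sign out from federated identity providers" has no end punctuation, while the custom-policy copy ends in a colon; end the user-flow one with a period. "Invalidates the Azure AD B2C cookie-based session." is now duplicated into both zone pivots, so the two copies will have to be kept in sync on later edits.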
active-directory-b2c Technical Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/technical-overview.md
Previously updated : 05/14/2021 Last updated : 06/07/2021 # Technical and feature overview of Azure Active Directory B2C
-A companion to [About Azure Active Directory B2C](overview.md), this article provides a more in-depth introduction to the service. Discussed here are the primary resources you work with in the service, its features, and how these enable you to provide a fully custom identity experience for your customers in your applications.
+A companion to [About Azure Active Directory B2C](overview.md), this article provides a more in-depth introduction to the service. Discussed here are the primary resources you work with in the service, its features. Learn how these features enable you to provide a fully custom identity experience for your customers in your applications.
## Azure AD B2C tenant
The primary resources you work with in an Azure AD B2C tenant are:
* *Local* accounts that enable users to sign up and sign in with a username (or email address or other ID) and password. * **Keys** - Add and manage encryption keys for signing and validating tokens, client secrets, certificates, and passwords.
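Review bot: The rewritten intro leaves "Discussed here are the primary resources you work with in the service, its features." as a broken list now that the sentence has been split. Suggest "This article discusses the primary resources you work with in the service and its features." so that the following "Learn how these features enable you to..." sentence reads cleanly.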
-An Azure AD B2C tenant is the first resource you need to create to get started with Azure AD B2C. Learn how in [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md).
+An Azure AD B2C tenant is the first resource you need to create to get started with Azure AD B2C. Learn how to:
+
+* [Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md).
+* [Manage your Azure AD B2C tenant](tenant-management.md)
## Accounts in Azure AD B2C
A user with a consumer account can sign in with multiple identities. For example
![Consumer account identities](media/technical-overview/identities.png)<br/>*Figure: A single consumer account with multiple identities in Azure AD B2C*
-Azure AD B2C lets you manage common attributes of consumer account profiles. For example display name, surname, given name, city, and others. You can also extend the Azure AD schema to store additional information about your users. For example, their country/region of residency, preferred language, and preferences like whether they want to subscribe to a newsletter or enable multi-factor authentication.
- For more information, see [Overview of user accounts in Azure Active Directory B2C](user-overview.md).
-## External identity providers
+## Local account sign-in options
+
+Azure AD B2C provides various ways in which users can authenticate a user. Users can sign-in to a local account, by using username and password, phone verification (also known as password-less authentication). Email sign-up is enabled by default in your local account identity provider settings.
+
+For more information, see [Set up the local account identity provider](identity-provider-local.md).
+
+## User profile attributes
+
+Azure AD B2C lets you manage common attributes of consumer account profiles. For example display name, surname, given name, city, and others.
-You can configure Azure AD B2C to allow users to sign in to your application with credentials from external social or enterprise identity providers (IdP). Azure AD B2C supports external identity providers like Facebook, Microsoft account, Google, Twitter, and any identity provider that supports OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML protocols.
+You can also extend the Azure AD schema to store additional information about your users. For example, their country/region of residency, preferred language, and preferences like whether they want to subscribe to a newsletter or enable multi-factor authentication. For more information, see:
+
+* [User profile attributes](user-profile-attributes.md)
+* [Add user attributes and customize user input in](configure-user-input.md)
+
+## Sign-in with external identity providers
+
+You can configure Azure AD B2C to allow users to sign in to your application with credentials from social and enterprise identity providers. Azure AD B2C can federate with identity providers that support OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML protocols. For example, Facebook, Microsoft account, Google, Twitter, and AD-FS.
![External identity providers](media/technical-overview/external-idps.png)
To see how to add identity providers in Azure AD B2C, see [Add identity provider
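Review bot: In the new "Local account sign-in options" section, "various ways in which users can authenticate a user" is circular, and the next sentence lists "username and password, phone verification" without a conjunction, so the parenthetical "(also known as password-less authentication)" reads as if it covers both methods. Suggest "provides various ways to authenticate a user" and "by using a username and password, or phone verification (also known as passwordless authentication)". Under "User profile attributes", the link text "Add user attributes and customize user input in" is cut off after "in" and needs its ending restored.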
## Identity experiences: user flows or custom policies
-The extensible policy framework of Azure AD B2C is its core strength. Policies describe your users' identity experiences such as sign up, sign in, and profile editing.
+In Azure AD B2C, you can define the business logic that users follow to gain access to your application. For example, you can determine the sequence of steps users follow when they sign in, sign up, edit a profile, or reset a password. After completing the sequence, the user acquires a token and gains access to your application.
-In Azure AD B2C, there are two primary paths you can take to provide these identity experiences: user flows and custom policies.
+In Azure AD B2C, there are two ways to provide identity user experiences:
* **User flows** are predefined, built-in, configurable policies that we provide so you can create sign-up, sign-in, and policy editing experiences in minutes. * **Custom policies** enable you to create your own user journeys for complex identity experience scenarios.
-Both user flows and custom policies are powered by the *Identity Experience Framework*, Azure AD B2C's policy orchestration engine.
+The following screenshot shows the user flow settings UI, versus custom policy configuration files.
+
+![Screenshot shows the user flow settings UI, versus custom policy configuration files.](media/technical-overview/user-flow-vs-custom-policy.png)
+
+Read the [User flows and custom policies overview](user-flow-overview.md) article. It gives an overview of user flows and custom policies, and helps you decide which method will work best for your business needs.
+
+## User interface
+
+In Azure AD B2C, you can craft your users' identity experiences so that the pages are shown blend seamlessly with the look and feel of your brand. You get nearly full control of the HTML and CSS content presented to your users when they proceed through your application's identity journeys. With this flexibility, you can maintain brand and visual consistency between your application and Azure AD B2C.
+
+![Screenshots of brand-customized sign-up sign-in page](media/technical-overview/seamless-ux.png)
+
+For information on UI customization, see:
+
+* [Customize the user interface](customize-ui.md)
+* [Customize the user interface with HTML templates](customize-ui-with-html.md)
+* [Enable JavaScript and select a page layout version](javascript-and-page-layout.md)
+
+## Custom domain
+
+You can customize your Azure AD B2C domain in the redirect URLs for Azure AD B2C. Custom domain allows you to create a seamless experience so that the pages are shown blend seamlessly with the domain name of your application.
+
+![Screenshots of Azure AD B2C custom domain](media/technical-overview/custom-domain.png)
+
+From the user's perspective, they remain in your domain during the sign-in process rather than redirecting to the Azure AD B2C default domain .b2clogin.com. For more information, see [Enable custom domains](custom-domain.md).
+
+## Localization
+
+Language customization in Azure AD B2C allows you to accommodate different languages to suit your customer needs. Microsoft provides the translations for 36 languages, but you can also provide your own translations for any language. Even if your experience is provided for only a single language, you can customize any text on the pages.
+
+![Three sign-up sign-in pages showing UI text in different languages](media/technical-overview/localization.png)
+
+See how localization works in [Language customization in Azure Active Directory B2C](language-customization.md).
+
+## Email verification
-### User flow
+Azure AD B2C ensures valid email addresses by requiring customers to verify them during the sign-up, and password reset flows. It also prevents malicious actors from using automated processes to generate fraudulent accounts in your applications.
-To help you quickly set up the most common identity tasks, the Azure portal includes several predefined and configurable policies called *user flows*.
+![Screenshots of Azure AD B2C email verification](media/technical-overview/email-verification.png)
-You can configure user flow settings like these to control identity experience behaviors in your applications:
+You can customize the email to users that sign up to use your applications. By using the third-party email provider, you can use your own email template and From: address and subject, as well as support localization and custom one-time password (OTP) settings. For more information, see:
-* Account types used for sign-in, such as social accounts like a Facebook, or local accounts that use an email address and password for sign-in
-* Attributes to be collected from the consumer, such as first name, postal code, or country/region of residency
-* Azure AD Multi-Factor Authentication (MFA)
-* Customization of the user interface
-* Set of claims in a token that your application receives after the user completes the user flow
-* Session management
-* ...and more.
+* [Custom email verification with Mailjet](custom-email-mailjet.md)
+* [Custom email verification with SendGrid](custom-email-sendgrid.md)
-Most of the common identity scenarios for apps can be defined and implemented effectively with user flows. We recommend that you use the built-in user flows unless you have complex user journey scenarios that require the full flexibility of custom policies.
+## Add your own business logic
-Learn more about user flows in [User flows in Azure Active Directory B2C](user-flow-overview.md).
+If you choose to use custom policies, you can integrate with a RESTful API in a user journey to add your own business logic to the journey. For example, Azure AD B2C can exchange data with a RESTful service to:
-### Custom policy
+* Display custom user-friendly error messages.
+* Validate user input to prevent malformed data from persisting in your user directory. For example, you can modify the data entered by the user, such as capitalizing their first name if they entered it in all lowercase.
+* Enrich user data by further integrating with your corporate line-of-business application.
+* Using RESTful calls, you can send push notifications, update corporate databases, run a user migration process, manage permissions, audit databases, and more.
-A custom policy is fully configurable and policy-driven. It orchestrates trust between entities in standard protocols. For example, OpenID Connect, OAuth, SAML, and a few non-standard ones, for example REST API-based system-to-system claims exchanges. The framework creates user-friendly, white-labeled experiences.
+Loyalty programs are another scenario enabled by Azure AD B2C's support for calling REST APIs. For example, your RESTful service can receive a user's email address, query your customer database, then return the user's loyalty number to Azure AD B2C.
-The custom policy gives you the ability to construct user journeys with any combination of steps. For example:
+The return data can be stored in the user's directory account in Azure AD B2C. The data then can be further evaluated in subsequent steps in the policy, or be included in the access token.
-* Federate with other identity providers
-* First- and third-party multi-factor authentication (MFA) challenges
-* Collect any user input
-* Integrate with external systems using REST API communication
+![Line-of-business integration in a mobile application](media/technical-overview/lob-integration.png)
-Each such user journey is defined by a policy, and you can build as many or as few policies as you need to enable the best user experience for your organization.
+You can add a REST API call at any step in the user journey defined by a custom policy. For example, you can call a REST API:
-![Diagram showing an example of a complex user journey enabled by IEF](media/technical-overview/custom-policy.png)
+* During sign-in, just before Azure AD B2C validates the credentials
+* Immediately after sign-in
+* Before Azure AD B2C creates a new account in the directory
+* After Azure AD B2C creates a new account in the directory
+* Before Azure AD B2C issues an access token
-Learn more about custom policies in [Custom policies in Azure Active Directory B2C](custom-policy-overview.md).
+To see how to use custom policies for RESTful API integration in Azure AD B2C, see [Integrate REST API claims exchanges in your Azure AD B2C custom policy](api-connectors-overview.md).
## Protocols and tokens
Multiple applications can use the same user flow or custom policy. A single appl
For example, to sign in to an application, the application uses the *sign up or sign in* user flow. After the user has signed in, they may want to edit their profile, so the application initiates another authorization request, this time using the *profile edit* user flow.
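Review bot: In the new "Email verification" section, "It also prevents malicious actors from using automated processes to generate fraudulent accounts" overstates the control: verifying an email address raises the cost of automated sign-ups but does not stop an actor who controls mailboxes, so "helps prevent" is the accurate wording. In "Custom domain", "so that the pages are shown blend seamlessly with the domain name of your application" is ungrammatical (the same "pages are shown blend" phrase is carried into "User interface"), and "the Azure AD B2C default domain .b2clogin.com" reads as if a tenant-name placeholder in front of ".b2clogin.com" was lost. "By using the third-party email provider" should be "a third-party email provider", since no provider has been introduced at that point.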
-## User experiences
+## Multi-factor authentication (MFA)
-In Azure AD B2C, you can craft your users' identity experiences so that the pages are shown blend seamlessly with the look and feel of your brand. You get nearly full control of the HTML and CSS content presented to your users when they proceed through your application's identity journeys. With this flexibility, you can maintain brand and visual consistency between your application and Azure AD B2C.
+Azure AD B2C multi-factor authentication (MFA) helps safeguard access to data and applications while maintaining simplicity for your users. It provides extra security by requiring a second form of authentication, and delivers strong authentication by offering a range of easy-to-use authentication methods.
-![Screenshots of brand-customized sign-up sign-in page](media/technical-overview/seamless-ux.png)
+Your users may or may not be challenged for MFA based on configuration decisions that you can make as an administrator.
-For information on UI customization, see [About user interface customization in Azure Active Directory B2C](customize-ui-with-html.md).
+See how to enable MFA in user flows in [Enable multi-factor authentication in Azure Active Directory B2C](multi-factor-authentication.md).
-## Localization
+## Conditional Access
-Language customization in Azure AD B2C allows you to accommodate different languages to suit your customer needs. Microsoft provides the translations for 36 languages, but you can also provide your own translations for any language. Even if your experience is provided for only a single language, you can customize any text on the pages.
+Azure AD Identity Protection risk-detection features, including risky users and risky sign-ins, are automatically detected and displayed in your Azure AD B2C tenant. You can create Conditional Access policies that use these risk detections to determine remediation actions and enforce organizational policies.
-![Three sign-up sign-in pages showing UI text in different languages](media/technical-overview/localization.png)
+![Conditional access flow](media/technical-overview/conditional-access-flow.png)
-See how localization works in [Language customization in Azure Active Directory B2C](language-customization.md).
+Azure AD B2C evaluates each sign-in event and ensures that all policy requirements are met before granting the user access. Risky users or sign-ins may be blocked, or challenged with a specific remediation like multi-factor authentication (MFA). For more information, see [Identity Protection and Conditional Access](conditional-access-identity-protection-overview.md).
-## Add your own business logic
+## Password complexity
-If you choose to use custom policies, you can integrate with a RESTful API in a user journey to add your own business logic to the journey. For example, Azure AD B2C can exchange data with a RESTful service to:
+During sign up or password reset, your users must supply a password that meets complexity rules. By default, Azure AD B2C enforces a strong password policy. Azure AD B2C also provides configuration options for specifying the complexity requirements of the passwords your customers use.
-* Display custom user-friendly error messages.
-* Validate user input to prevent malformed data from persisting in your user directory. For example, you can modify the data entered by the user, such as capitalizing their first name if they entered it in all lowercase.
-* Enrich user data by further integrating with your corporate line-of-business application.
-* Using RESTful calls, you can send push notifications, update corporate databases, run a user migration process, manage permissions, audit databases, and more.
+![Screenshot of password complexity user experience](media/technical-overview/password-complexity.png)
-Loyalty programs are another scenario enabled by Azure AD B2C's support for calling REST APIs. For example, your RESTful service can receive a user's email address, query your customer database, then return the user's loyalty number to Azure AD B2C.
+For more information, see [Configure complexity requirements for passwords in Azure AD B2C](password-complexity.md).
-The return data can be stored in the user's directory account in Azure AD B2C. The data then can be further evaluated in subsequent steps in the policy, or be included in the access token.
+## Force password reset
-![Line-of-business integration in a mobile application](media/technical-overview/lob-integration.png)
+As an Azure AD B2C tenant administrator, you can [reset a user's password](manage-users-portal.md#reset-a-users-password) if the user forgets their password. Or you would like to force them to reset the password periodically. For more information, see [Set up a force password reset flow](force-password-reset.md).
-You can add a REST API call at any step in the user journey defined by a custom policy. For example, you can call a REST API:
+![Force password reset flow](media/technical-overview/force-password-reset-flow.png)
-* During sign-in, just before Azure AD B2C validates the credentials
-* Immediately after sign-in
-* Before Azure AD B2C creates a new account in the directory
-* After Azure AD B2C creates a new account in the directory
-* Before Azure AD B2C issues an access token
+## Smart account lockout
-To see how to use custom policies for RESTful API integration in Azure AD B2C, see [Integrate REST API claims exchanges in your Azure AD B2C custom policy](api-connectors-overview.md).
+To prevent brute-force password guessing attempts, Azure AD B2C uses a sophisticated strategy to lock accounts based on the IP of the request, the passwords entered, and several other factors. The duration of the lockout is automatically increased based on risk and the number of attempts.
+
+![Account smart lockout](media/technical-overview/smart-lockout1.png)
+
+For more information about managing password protection settings, see [Mitigate credential attacks in Azure AD B2C](threat-management.md).
## Protect resources and customer identities
You can assign roles to control who can perform certain administrative actions i
For more information about Azure AD roles, including Azure AD B2C administration role support, see [Administrator role permissions in Azure Active Directory](../active-directory/roles/permissions-reference.md).
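Review bot: In the new "Force password reset" section, "Or you would like to force them to reset the password periodically." is a sentence fragment, and it runs together two different operations: an administrator resetting one user's password, and a forced reset flow. Suggest one sentence per operation, each followed by its own link. The MFA, Conditional Access, password complexity and smart lockout sections were subsections of "Protect resources and customer identities" and are now top-level headings placed before it; check that the text left under that heading still stands on its own.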
-### Multi-factor authentication (MFA)
-
-Azure AD B2C multi-factor authentication (MFA) helps safeguard access to data and applications while maintaining simplicity for your users. It provides additional security by requiring a second form of authentication, and delivers strong authentication by offering a range of easy-to-use authentication methods.
-
-Your users may or may not be challenged for MFA based on configuration decisions that you can make as an administrator.
-
-See how to enable MFA in user flows in [Enable multi-factor authentication in Azure Active Directory B2C](multi-factor-authentication.md).
-
-### Identity Protection and Conditional Access
-
-Azure AD Identity Protection risk-detection features, including risky users and risky sign-ins, are automatically detected and displayed in your Azure AD B2C tenant. You can create Conditional Access policies that use these risk detections to determine remediation actions and enforce organizational policies. See [Identity Protection and Conditional Access](conditional-access-identity-protection-overview.md).
-
-### Smart account lockout
-
-To prevent brute-force password guessing attempts, Azure AD B2C uses a sophisticated strategy to lock accounts based on the IP of the request, the passwords entered, and several other factors. The duration of the lockout is automatically increased based on risk and the number of attempts.
-
-![Account smart lockout](media/technical-overview/smart-lockout1.png)
-
-For more information about managing password protection settings, see [Mitigate credential attacks in Azure AD B2C](threat-management.md).
-
-### Password complexity
-
-During sign up or password reset, your users must supply a password that meets complexity rules. By default, Azure AD B2C enforces a strong password policy. Azure AD B2C also provides configuration options for specifying the complexity requirements of the passwords your customers use.
-
-You can configure password complexity requirements in both [user flows](password-complexity.md) and [custom policies](password-complexity.md).
- ## Auditing and logs
-Azure AD B2C emits audit logs containing activity information about its resources, issued tokens, and administrator access. You can use these audit logs to understand platform activity and diagnose issues. Audit log entries are available soon after the activity that generated the event occurs.
+Azure AD B2C emits audit logs containing activity information about its resources, issued tokens, and administrator access. You can use the audit logs to understand platform activity and diagnose issues. Audit log entries are available soon after the activity that generated the event occurs.
In an audit log, which is available for your Azure AD B2C tenant or for a particular user, you can find information including:
In an audit log, which is available for your Azure AD B2C tenant or for a partic
For more information on audit logs, see [Accessing Azure AD B2C audit logs](view-audit-logs.md).
-### Usage insights
+## Usage analytics
Azure AD B2C allows you to discover when people sign up or sign in to your app, where the users are located, and what browsers and operating systems they use.
active-directory-b2c Tutorial Create User Flows https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tutorial-create-user-flows.md
Previously updated : 05/21/2021 Last updated : 06/07/2021 zone_pivot_groups: b2c-policy-type
A user flow lets you determine how users interact with your application when the
::: zone pivot="b2c-user-flow" - If you don't have one already, [create an Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.-- [Register your application](tutorial-register-applications.md) in the tenant that you created so that it can communicate with Azure AD B2C.
+- [Register a web application](tutorial-register-applications.md), and [enable ID token implicit grant](tutorial-register-applications.md#enable-id-token-implicit-grant).
::: zone-end ::: zone pivot="b2c-custom-policy" - If you don't have one already, [create an Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.-- [Register your application](tutorial-register-applications.md) in the tenant that you created so that it can communicate with Azure AD B2C.
+- [Register a web application](tutorial-register-applications.md), and [enable ID token implicit grant](tutorial-register-applications.md#enable-id-token-implicit-grant).
- [Create a Facebook application](identity-provider-facebook.md#create-a-facebook-application). Skip the prerequisites and the reset of the steps in the [Set up sign-up and sign-in with a Facebook account](identity-provider-facebook.md) article. Although a Facebook application is not required for using custom policies, it's used in this walkthrough to demonstrate enabling social login in a custom policy. ::: zone-end
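Review bot: The new prerequisite "enable ID token implicit grant" drops the reason the old bullet gave ("so that it can communicate with Azure AD B2C") and does not say which step of the walkthrough needs the implicit grant. Add a clause naming that step, so readers do not carry the setting over to app registrations that do not need it. In the unchanged Facebook bullet, "the reset of the steps" should be "the rest of the steps".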
active-directory Application Provisioning Configuration Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/application-provisioning-configuration-api.md
Content-type: application/json
"value": [ { "id": "8b1025e4-1dd2-430b-a150-2ef79cd700f5",
- "displayName": "Amazon Web Services (AWS)",
+ "displayName": "AWS Single-Account Access",
"homePageUrl": "http://aws.amazon.com/", "supportedSingleSignOnModes": [ "password",
Content-type: application/json
"id": "gc532ff9-r265-ec76-861e-42e2970a8218", "activityDateTime": "2019-06-24T20:53:08Z", "tenantId": "7928d5b5-7442-4a97-ne2d-66f9j9972ecn",
- "jobId": "BoxOutDelta.7928d5b574424a97ne2d66f9j9972ecn",
"cycleId": "44576n58-v14b-70fj-8404-3d22tt46ed93", "changeId": "eaad2f8b-e6e3-409b-83bd-e4e2e57177d5", "action": "Create",
Content-type: application/json
}, "targetSystem": { "id": "cd22f60b-5f2d-1adg-adb4-76ef31db996b",
- "displayName": "Box",
+ "displayName": "AWS Contoso",
"details": { "ApplicationId": "f2764360-e0ec-5676-711e-cd6fc0d4dd61", "ServicePrincipalId": "chc46a42-966b-47d7-9774-576b1c8bd0b8",
- "ServicePrincipalDisplayName": "Box"
+ "ServicePrincipalDisplayName": "AWS Contoso"
} }, "initiatedBy": { "id": "", "displayName": "Azure AD Provisioning Service", "initiatorType": "system"
- },
- "sourceIdentity": {
- "id": "5e6c9rae-ab4d-5239-8ad0-174391d110eb",
- "displayName": "Self-service Pilot",
- "identityType": "Group",
- "details": {}
- },
- "targetIdentity": {
- "id": "",
- "displayName": "",
- "identityType": "Group",
- "details": {}
- },
- "statusInfo": {
- "@odata.type": "#microsoft.graph.statusDetails",
- "status": "failure",
- "errorCode": "BoxEntryConflict",
- "reason": "Message: Box returned an error response with the HTTP status code 409. This response indicates that a user or a group already exisits with the same name. This can be avoided by identifying and removing the conflicting user from Box via the Box administrative user interface, or removing the current user from the scope of provisioning either by removing their assignment to the Box application in Azure Active Directory or adding a scoping filter to exclude the user.",
- "additionalDetails": null,
- "errorCategory": "NonServiceFailure",
- "recommendedAction": null
- },
- "provisioningSteps": [
- {
- "name": "EntryImportAdd",
- "provisioningStepType": "import",
- "status": "success",
- "description": "Received Group 'Self-service Pilot' change of type (Add) from Azure Active Directory",
- "details": {}
- },
- {
- "name": "EntrySynchronizationAdd",
- "provisioningStepType": "matching",
- "status": "success",
- "description": "Group 'Self-service Pilot' will be created in Box (Group is active and assigned in Azure Active Directory, but no matching Group was found in Box)",
- "details": {}
- },
- {
- "name": "EntryExportAdd",
- "provisioningStepType": "export",
- "status": "failure",
- "description": "Failed to create Group 'Self-service Pilot' in Box",
- "details": {
- "ReportableIdentifier": "Self-service Pilot"
- }
- }
- ],
- "modifiedProperties": [
- {
- "displayName": "objectId",
- "oldValue": null,
- "newValue": "5e0c9eae-ad3d-4139-5ad0-174391d110eb"
- },
- {
- "displayName": "displayName",
- "oldValue": null,
- "newValue": "Self-service Pilot"
- },
- {
- "displayName": "mailEnabled",
- "oldValue": null,
- "newValue": "False"
- },
- {
- "displayName": "mailNickname",
- "oldValue": null,
- "newValue": "5ce25n9a-4c5f-45c9-8362-ef3da29c66c5"
- },
- {
- "displayName": "securityEnabled",
- "oldValue": null,
- "newValue": "True"
- },
- {
- "displayName": "Name",
- "oldValue": null,
- "newValue": "Self-service Pilot"
- }
+ }
] } ]
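Review bot: The trimmed sample response looks unbalanced at its closing line. The removed block included the opening `"modifiedProperties": [`, but the unchanged context line `] } ]` still carries the bracket that closed that array. As far as the visible lines show, the added `}` that closes `initiatedBy` is now followed by a `]` with no matching `[` inside the object. Either drop the leading `]` or keep a shortened `modifiedProperties` array. With `statusInfo` and `provisioningSteps` removed, the example also no longer shows the fields that report whether the provisioning action succeeded; consider keeping a minimal `statusInfo`.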
active-directory Functions For Customizing Application Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/functions-for-customizing-application-data.md
Title: Reference for writing expressions for attribute mappings in Azure Active Directory Application Provisioning description: Learn how to use expression mappings to transform attribute values into an acceptable format during automated provisioning of SaaS app objects in Azure Active Directory. Includes a reference list of functions. --++
active-directory On Premises Application Provisioning Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md
Title: 'Azure AD on-premises application provisioning architecture | Microsoft D
description: Describes overview of on-premises application provisioning architecture. -+
active-directory On Premises Ecma Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/on-premises-ecma-configure.md
Title: 'Azure AD ECMA Connector Host configuration'
description: This article describes how to configure the Azure AD ECMA Connector Host. -+
active-directory On Premises Ecma Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/on-premises-ecma-install.md
Title: 'Azure AD ECMA Connector Host installation'
description: This article describes how to install the Azure AD ECMA Connector Host. -+
active-directory On Premises Ecma Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/on-premises-ecma-prerequisites.md
Title: 'Prerequisites for Azure AD ECMA Connector Host'
description: This article describes the prerequisites and hardware requirements you need for using the Azure AD ECMA Connector Host. -+
active-directory On Premises Ecma Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/on-premises-ecma-troubleshoot.md
Title: 'Troubleshooting issues with the ECMA Connector Host and Azure AD'
description: Describes how to troubleshoot various issues you may encounter when installing and using the ECMCA connector host. -+
active-directory On Premises Migrate Microsoft Identity Manager https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md
Title: 'Export a Microsoft Identity Manager connector for use with Azure AD ECMA
description: Describes how to create and export a connector from MIM Sync to be used with Azure AD ECMA Connector Host. -+
active-directory On Premises Scim Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/on-premises-scim-provisioning.md
Title: Azure AD on-premises app provisioning to SCIM-enabled apps
description: This article describes how to on-premises app provisioning to SCIM-enabled apps. -+
active-directory On Premises Sql Connector Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/on-premises-sql-connector-configure.md
Title: Azure AD ECMA Connector Host generic SQL connector configuration
description: This document describes how to configure the Azure AD ECMA Connector Host generic SQL connector. -+
active-directory Plan Cloud Hr Provision https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/plan-cloud-hr-provision.md
Previously updated : 06/01/2021 Last updated : 06/07/2021
For high availability, you can deploy more than one Azure AD Connect provisionin
## Design HR provisioning app deployment topology
-Depending on the number of Active Directory domains involved in the inbound user provisioning configuration, you may consider one of the following deployment topologies.
+Depending on the number of Active Directory domains involved in the inbound user provisioning configuration, you may consider one of the following deployment topologies. Each topology diagram uses an example deployment scenario to highlight configuration aspects. Use the example that closely resembles your deployment requirement to determine the configuration that will meet your needs.
### Deployment topology 1: Single app to provision all users from Cloud HR to single on-premises Active Directory domain
This is the most common deployment topology. Use this topology, if you need to p
### Deployment topology 2: Separate apps to provision distinct user sets from Cloud HR to single on-premises Active Directory domain
-This topology supports business requirements where attribute mapping and provisioning logic differs based on user type (employee/contractor), user location or user's business unit. You can also use this topology to delegate the administration and maintenance of inbound user provisioning based on division or country basis.
+This topology supports business requirements where attribute mapping and provisioning logic differs based on user type (employee/contractor), user location or user's business unit. You can also use this topology to delegate the administration and maintenance of inbound user provisioning based on division or country.
:::image type="content" source="media/plan-cloud-hr-provision/topology-2-separate-apps-with-single-ad-domain.png" alt-text="Screenshot of separate apps to provision users from Cloud HR to single AD domain" lightbox="media/plan-cloud-hr-provision/topology-2-separate-apps-with-single-ad-domain.png":::
This topology supports business requirements where attribute mapping and provisi
* Setup two provisioning agent nodes for high availability and failover. * Create an HR2AD provisioning app for each distinct user set that you want to provision. * Use [scoping filters](define-conditional-rules-for-provisioning-user-accounts.md) in the provisioning app to define users to be processed by each app.
+* To handle the scenario where managers references need to be resolved across distinct user sets (e.g. contractors reporting to managers who are employees), you can create a separate HR2AD provisioning app for updating only the *manager* attribute. Set the scope of this app to all users.
* Configure [skip out of scope deletions flag](skip-out-of-scope-deletions.md) to prevent accidental account deactivations. > [!NOTE]
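Review bot: In the added bullet, "managers references" should read "manager references". The bullet also sets the scope of the extra app to all users without saying how it coexists with the per-user-set apps that the neighbouring bullets restrict with scoping filters. Say explicitly that its attribute mappings should contain only the *manager* attribute, so that it cannot overwrite values owned by the other apps.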
This topology supports business requirements where attribute mapping and provisi
### Deployment topology 3: Separate apps to provision distinct user sets from Cloud HR to multiple on-premises Active Directory domains (no cross-domain visibility)
-Use this topology to manage multiple independent child AD domains belonging to the same forest. It also offers the flexibility of delegating the administration of each provisioning job by domain boundary. For example: In the diagram below, *EMEA administrators* can independently manage the provisioning configuration of users belonging to the EMEA region.
+Use this topology to manage multiple independent child AD domains belonging to the same forest, if managers always exist in the same domain as the user and your unique ID generation rules for attributes like *userPrincipalName*, *samAccountName* and *mail* does not require a forest-wide lookup. It also offers the flexibility of delegating the administration of each provisioning job by domain boundary.
+
+For example: In the diagram below, the provisioning apps are setup for each geographic region: North America (NA), Europe, Middle East and Africa (EMEA) and Asia Pacific (APAC). Depending on the location, users are provisioned to the respective AD domain. Delegated administration of the provisioning app is possible so that *EMEA administrators* can independently manage the provisioning configuration of users belonging to the EMEA region.
:::image type="content" source="media/plan-cloud-hr-provision/topology-3-separate-apps-with-multiple-ad-domains-no-cross-domain.png" alt-text="Screenshot of separate apps to provision users from Cloud HR to multiple AD domains" lightbox="media/plan-cloud-hr-provision/topology-3-separate-apps-with-multiple-ad-domains-no-cross-domain.png":::
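Review bot: The condition added to the first sentence has a subject-verb mismatch: "unique ID generation rules ... does not require a forest-wide lookup" should be "do not require". In the example paragraph, "the provisioning apps are setup" should be "are set up". The sentence "Delegated administration of the provisioning app is possible" would be more useful if it said what makes it possible here, namely the one-app-per-domain split described just above.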
Use this topology to manage multiple independent child AD domains belonging to t
### Deployment topology 4: Separate apps to provision distinct user sets from Cloud HR to multiple on-premises Active Directory domains (with cross-domain visibility)
-Use this topology to manage multiple child AD domains with cross-domain visibility for resolving cross-domain manager references and checking for forest-wide uniqueness when generating values for attributes like *userPrincipalName*, *samAccountName* and *mail*.
+Use this topology to manage multiple independent child AD domains belonging to the same forest, if a user's manager may exist in the different domain and your unique ID generation rules for attributes like *userPrincipalName*, *samAccountName* and *mail* requires a forest-wide lookup.
+
+For example: In the diagram below, the provisioning apps are setup for each geographic region: North America (NA), Europe, Middle East and Africa (EMEA) and Asia Pacific (APAC). Depending on the location, users are provisioned to the respective AD domain. Cross-domain manager references and forest-wide lookup is handled by enabling referral chasing on the provisioning agent.
:::image type="content" source="media/plan-cloud-hr-provision/topology-4-separate-apps-with-multiple-ad-domains-cross-domain.png" alt-text="Screenshot of separate apps to provision users from Cloud HR to multiple AD domains with cross domain support" lightbox="media/plan-cloud-hr-provision/topology-4-separate-apps-with-multiple-ad-domains-cross-domain.png":::
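Review bot: The rewritten opening sentence reuses "multiple independent child AD domains" from topology 3, which sits awkwardly under a heading about cross-domain visibility; the removed wording ("multiple child AD domains with cross-domain visibility") stated the distinction more directly. Grammar in the added lines: "may exist in the different domain" should be "in a different domain", "rules ... requires a forest-wide lookup" should be "require", "references and forest-wide lookup is handled" should be "are handled", and "are setup" should be "are set up".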
Use this topology to manage multiple child AD domains with cross-domain visibili
* Configure [referral chasing](../cloud-sync/how-to-manage-registry-options.md#configure-referral-chasing) on the provisioning agent. * Use the [provisioning agent configuration wizard](../cloud-sync/how-to-install.md#install-the-agent) to register the parent AD domain and all child AD domains with your Azure AD tenant. * Create a separate HR2AD provisioning app for each target domain.
-* When configuring each provisioning app, select the parent AD domain from the dropdown of available AD domains.
+* When configuring each provisioning app, select the parent AD domain from the dropdown of available AD domains. This ensures forest-wide lookup while generating unique values for attributes like *userPrincipalName*, *samAccountName* and *mail*.
* Use *parentDistinguishedName* with expression mapping to dynamically create user in the correct child domain and [OU container](#configure-active-directory-ou-container-assignment). * Use [scoping filters](define-conditional-rules-for-provisioning-user-accounts.md) in the provisioning app to define users to be processed by each app.
+* To resolve cross-domain managers references, create a separate HR2AD provisioning app for updating only the *manager* attribute. Set the scope of this app to all users.
* Configure [skip out of scope deletions flag](skip-out-of-scope-deletions.md) to prevent accidental account deactivations. ### Deployment topology 5: Single app to provision all users from Cloud HR to multiple on-premises Active Directory domains (with cross-domain visibility)
-Use this topology if you want to use a single provisioning app to manage users belonging to all your child AD domains. This topology is recommended if provisioning rules are consistent across all domains and there is no requirement for delegated administration of provisioning jobs. This topology supports resolving cross-domain manager references and can perform forest-wide uniqueness check.
+Use this topology if you want to use a single provisioning app to manage users belonging to all your parent and child AD domains. This topology is recommended if provisioning rules are consistent across all domains and there is no requirement for delegated administration of provisioning jobs. This topology supports resolving cross-domain manager references and can perform forest-wide uniqueness check.
+
+For example: In the diagram below, a single provisioning app manages users present in three different child domains grouped by region: North America (NA), Europe, Middle East and Africa (EMEA) and Asia Pacific (APAC). The attribute mapping for *parentDistinguishedName* is used to dynamically create a user in the appropriate child domain. Cross-domain manager references and forest-wide lookup is handled by enabling referral chasing on the provisioning agent.
:::image type="content" source="media/plan-cloud-hr-provision/topology-5-single-app-with-multiple-ad-domains-cross-domain.png" alt-text="Screenshot of single app to provision users from Cloud HR to multiple AD domains with cross domain support" lightbox="media/plan-cloud-hr-provision/topology-5-single-app-with-multiple-ad-domains-cross-domain.png":::
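Review bot: The added topology 4 bullet says a separate HR2AD app that updates only the *manager* attribute is needed "to resolve cross-domain managers references", while the example paragraphs added in the same change say cross-domain manager references are "handled by enabling referral chasing on the provisioning agent". State whether both are required for topology 4, and why topology 5 needs only referral chasing. Wording: "managers references" should be "manager references", "lookup is handled" should be "are handled", and "can perform forest-wide uniqueness check" needs an article or a plural.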
Use this topology if you want to use a single provisioning app to manage users b
* Configure [referral chasing](../cloud-sync/how-to-manage-registry-options.md#configure-referral-chasing) on the provisioning agent. * Use the [provisioning agent configuration wizard](../cloud-sync/how-to-install.md#install-the-agent) to register the parent AD domain and all child AD domains with your Azure AD tenant. * Create a single HR2AD provisioning app for the entire forest.
-* When configuring the provisioning app, select the parent AD domain from the dropdown of available AD domains.
+* When configuring the provisioning app, select the parent AD domain from the dropdown of available AD domains. This ensures forest-wide lookup while generating unique values for attributes like *userPrincipalName*, *samAccountName* and *mail*.
* Use *parentDistinguishedName* with expression mapping to dynamically create user in the correct child domain and [OU container](#configure-active-directory-ou-container-assignment). * If you are using scoping filters, configure [skip out of scope deletions flag](skip-out-of-scope-deletions.md) to prevent accidental account deactivations.
active-directory Tutorial Ecma Sql Connector https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/tutorial-ecma-sql-connector.md
Title: Azure AD ECMA Connector Host Generic SQL Connector tutorial
description: This tutorial describes how to use the On-premises application provisioning generic SQL connector. -+
active-directory Concept Mfa Licensing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-mfa-licensing.md
Previously updated : 06/02/2021 Last updated : 06/07/2021
Azure AD Multi-Factor Authentication can be used, and licensed, in a few differe
| [Azure AD Premium P1](../fundamentals/active-directory-get-started-premium.md) | You can use [Azure AD Conditional Access](../conditional-access/howto-conditional-access-policy-all-users-mfa.md) to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements. | | [Azure AD Premium P2](../fundamentals/active-directory-get-started-premium.md) | Provides the strongest security position and improved user experience. Adds [risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk.md) to the Azure AD Premium P1 features that adapts to user's patterns and minimizes multi-factor authentication prompts. | | [All Microsoft 365 plans](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans) | Azure AD Multi-Factor Authentication can be enabled all users using [security defaults](../fundamentals/concept-fundamentals-security-defaults.md). Management of Azure AD Multi-Factor Authentication is through the Microsoft 365 portal. For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see [secure Microsoft 365 resources with multi-factor authentication](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication). MFA can also be [enabled on a per-user basis](howto-mfa-userstates.md). |
-| [Azure AD free](../verifiable-credentials/how-to-create-a-free-developer-account.md) | You can use [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) to enable multi-factor authentication for all users but you cannot enable Multi-Factor Authentication on per-user basis. You don't have granular control of enabled users or scenarios, but it does provide that additional security step.<br /> Even when security defaults aren't used to enable multi-factor authentication for everyone, users assigned the *Azure AD Global Administrator* role can be configured to use multi-factor authentication. This feature of the free tier makes sure the critical administrator accounts are protected by multi-factor authentication. |
+| [Azure AD free](../verifiable-credentials/how-to-create-a-free-developer-account.md) | You can use [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) to prompt users for multi-factor authentication as needed but you don't have granular control of enabled users or scenarios, but it does provide that additional security step.<br /> Even when security defaults aren't used to enable multi-factor authentication for everyone, users assigned the *Azure AD Global Administrator* role can be configured to use multi-factor authentication. This feature of the free tier makes sure the critical administrator accounts are protected by multi-factor authentication. |
## Feature comparison of versions
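Review bot: The rewritten Azure AD free row removes the statement that Multi-Factor Authentication cannot be enabled on a per-user basis, while the row above it still says MFA "can also be enabled on a per-user basis" for Microsoft 365 plans. After this change a reader cannot tell whether per-user MFA is available on the free tier; keep an explicit sentence either way. The new sentence also chains two "but" clauses ("as needed but you don't have granular control ... but it does provide"); split it into two sentences.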
active-directory Concepts Azure Multi Factor Authentication Prompts Session Lifetime https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md
To give your users the right balance of security and ease of use by asking them
* Keep the *Remain signed-in* option enabled and guide your users to accept it. * For mobile devices scenarios, make sure your users use the Microsoft Authenticator app. This app is used as a broker to other Azure AD federated apps, and reduces authentication prompts on the device.
-Our research shows that these settings are right for most tenants. Some combinations of these settings, such as *Remember MFA* and *Remain singed-in*, can result in prompts for your users to authenticate too often. Regular reauthentication prompts are bad for user productivity and can make them more vulnerable to attacks.
+Our research shows that these settings are right for most tenants. Some combinations of these settings, such as *Remember MFA* and *Remain signed-in*, can result in prompts for your users to authenticate too often. Regular reauthentication prompts are bad for user productivity and can make them more vulnerable to attacks.
## Azure AD session lifetime configuration settings
active-directory Location Condition https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/location-condition.md
Previously updated : 04/28/2021 Last updated : 06/07/2021
If you select **Determine location by GPS coordinates (Preview)**, the user will
The first time the user is required to share their location from the Microsoft Authenticator app, the user will receive a notification in the app. The user will need to open the app and grant location permissions.
-For the next 24 hours, if the user is still accessing the resource and the user has granted the app permission to run in the background, the location will be shared silently once per hour from the device, so the user will not need to keep getting out their mobile device. After 24 hours, the user will need to open up the app and manually approve the notification.
+For the next 24 hours, if the user is still accessing the resource and granted the app permission to run in the background, the device's location is shared silently once per hour. After 24 hours, the user must open the app and approve the notification. Every time the user shares their GPS location, the app does jailbreak detection (Using the same logic as the Intune MAM SDK). If the device is jailbroken, the location is not considered valid and the user is not granted access.
+
+A Conditional Access policy with GPS-based named locations in report-only mode prompts users to share their GPS location, even though they are not blocked from signing in.
#### Include unknown countries/regions
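Review bot: The added sentence about report-only mode describes user-visible behavior (users are prompted to share GPS location even though they are not blocked) that administrators will not expect from a report-only policy; put it in a note or caution callout rather than a trailing paragraph. In the rewritten paragraph, "is still accessing the resource and granted the app permission" mixes tenses (use "has granted"), and "(Using the same logic as the Intune MAM SDK)" should start lowercase inside the sentence. The jailbreak sentence says only "jailbroken"; say whether rooted Android devices are treated the same way.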
active-directory Redemption Experience https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/redemption-experience.md
There are some cases where the invitation email is recommended over a direct lin
- Sometimes the invited user object may not have an email address because of a conflict with a contact object (for example, an Outlook contact object). In this case, the user must click the redemption URL in the invitation email. - The user may sign in with an alias of the email address that was invited. (An alias is an additional email address associated with an email account.) In this case, the user must click the redemption URL in the invitation email.
-### Just-in-time redemption limitation with conflicting Contact object
-Sometimes the invited external guest user's email may conflict with an existing [Contact object](/graph/api/resources/contact?view=graph-rest-1.0&preserve-view=true), resulting in the guest user being created without a proxyAddress. This is a known limitation that prevents guest users from signing in or redeeming an invitation through a direct link using [SAML/WS-Fed IdP](/azure/active-directory/external-identities/direct-federation), [Microsoft Accounts](/azure/active-directory/external-identities/microsoft-account), [Google Federation](/azure/active-directory/external-identities/google-federation), or [Email One-Time Passcode](/azure/active-directory/external-identities/one-time-passcode) accounts.
-
-To unblock users who can't redeem an invitation due to a conflicting [Contact object](/graph/api/resources/contact?view=graph-rest-1.0&preserve-view=true), follow these steps:
-1. Delete the conflicting Contact object.
-2. Delete the guest user in the Azure portal (the user's "Invitation accepted" property should be in a pending state).
-3. Re-invite the guest user.
-4. Wait for the user to redeem invitation
-5. Add the user's Contact email back into Exchange and any DLs they should be a part of
- ## Redemption through the invitation email When you add a guest user to your directory by [using the Azure portal](./b2b-quickstart-add-guest-users-portal.md), an invitation email is sent to the guest in the process. You can also choose to send invitation emails when youΓÇÖre [using PowerShell](./b2b-quickstart-invite-powershell.md) to add guest users to your directory. HereΓÇÖs a description of the guestΓÇÖs experience when they redeem the link in the email.
When you add a guest user to your directory by [using the Azure portal](./b2b-qu
2. The guest selects **Accept invitation** in the email. 3. The guest will use their own credentials to sign in to your directory. If the guest does not have an account that can be federated to your directory and the [email one-time passcode (OTP)](./one-time-passcode.md) feature is not enabled; the guest is prompted to create a personal [MSA](https://support.microsoft.com/help/4026324/microsoft-account-how-to-create) or an [Azure AD self-service account](../enterprise-users/directory-self-service-signup.md). Refer to the [invitation redemption flow](#invitation-redemption-flow) for details. 4. The guest is guided through the [consent experience](#consent-experience-for-the-guest) described below.+
+## Redemption limitation with conflicting Contact object
+Sometimes the invited external guest user's email may conflict with an existing [Contact object](/graph/api/resources/contact?view=graph-rest-1.0&preserve-view=true), resulting in the guest user being created without a proxyAddress. This is a known limitation that prevents guest users from:
+- Redeeming an invitation through a direct link using [SAML/WS-Fed IdP](/azure/active-directory/external-identities/direct-federation), [Microsoft Accounts](/azure/active-directory/external-identities/microsoft-account), [Google Federation](/azure/active-directory/external-identities/google-federation), or [Email One-Time Passcode](/azure/active-directory/external-identities/one-time-passcode) accounts.
+- Redeeming an invitation through an invitation email redemption link using [SAML/WS-Fed IdP](/azure/active-directory/external-identities/direct-federation) and [Email One-Time Passcode](/azure/active-directory/external-identities/one-time-passcode) accounts.
+- Signing back into an application after redemption using [SAML/WS-Fed IdP](/azure/active-directory/external-identities/direct-federation) and [Google Federation](/azure/active-directory/external-identities/google-federation) accounts.
+
+To unblock users who can't redeem an invitation due to a conflicting [Contact object](/graph/api/resources/contact?view=graph-rest-1.0&preserve-view=true), follow these steps:
+1. Delete the conflicting Contact object.
+2. Delete the guest user in the Azure portal (the user's "Invitation accepted" property should be in a pending state).
+3. Re-invite the guest user.
+4. Wait for the user to redeem invitation
+5. Add the user's Contact email back into Exchange and any DLs they should be a part of
+ ## Invitation redemption flow When a user clicks the **Accept invitation** link in an [invitation email](invitation-email-elements.md), Azure AD automatically redeems the invitation based on the redemption flow as shown below:
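Review bot: The second added bullet says redemption through the invitation email link also fails for SAML/WS-Fed IdP and Email One-Time Passcode accounts when a Contact object conflicts, but the unchanged bullet earlier in the article still tells readers that for a contact-object conflict "the user must click the redemption URL in the invitation email". Update that bullet or cross-reference this section so the two do not contradict each other. The new links use absolute `/azure/active-directory/external-identities/...` paths where the rest of the article uses relative ones such as `./one-time-passcode.md`. Steps 4 and 5 are missing their closing periods, and "DLs" should be spelled out as distribution lists.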
active-directory Resilient End User Experience https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilient-end-user-experience.md
See the article that [compares user flows and custom polices](../../active-direc
## Choose multiple IDPs
-When using an [external identity provider](../../active-directory-b2c/technical-overview.md#external-identity-providers) such as Facebook, make sure to have a fallback plan in case the external provider becomes unavailable.
+When using an [external identity provider](../../active-directory-b2c/add-identity-provider.md) such as Facebook, make sure to have a fallback plan in case the external provider becomes unavailable.
### How to set up multiple IDPs
active-directory Concept Sign Ins https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-sign-ins.md
This article gives you an overview of the sign-ins report.
## What can you do with it?
-You can use the the sign-ins log to find answers to questions like:
+You can use the sign-ins log to find answers to questions like:
- What is the sign-in pattern of a user?
active-directory Alcumus Info Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/alcumus-info-tutorial.md
Previously updated : 01/17/2019 Last updated : 06/03/2021 # Tutorial: Azure Active Directory integration with Alcumus Info Exchange
-In this tutorial, you learn how to integrate Alcumus Info Exchange with Azure Active Directory (Azure AD).
-Integrating Alcumus Info Exchange with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Alcumus Info Exchange with Azure Active Directory (Azure AD). When you integrate Alcumus Info Exchange with Azure AD, you can:
-* You can control in Azure AD who has access to Alcumus Info Exchange.
-* You can enable your users to be automatically signed-in to Alcumus Info Exchange (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Alcumus Info Exchange.
+* Enable your users to be automatically signed-in to Alcumus Info Exchange with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Alcumus Info Exchange, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Alcumus Info Exchange single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Alcumus Info Exchange single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Alcumus Info Exchange supports **IDP** initiated SSO
+* Alcumus Info Exchange supports **IDP** initiated SSO.
-## Adding Alcumus Info Exchange from the gallery
+## Add Alcumus Info Exchange from the gallery
To configure the integration of Alcumus Info Exchange into Azure AD, you need to add Alcumus Info Exchange from the gallery to your list of managed SaaS apps.
-**To add Alcumus Info Exchange from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Alcumus Info Exchange**, select **Alcumus Info Exchange** from result panel then click **Add** button to add the application.
-
- ![Alcumus Info Exchange in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Alcumus Info Exchange** in the search box.
+1. Select **Alcumus Info Exchange** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with Alcumus Info Exchange based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Alcumus Info Exchange needs to be established.
+## Configure and test Azure AD SSO for Alcumus Info Exchange
-To configure and test Azure AD single sign-on with Alcumus Info Exchange, you need to complete the following building blocks:
+Configure and test Azure AD SSO with Alcumus Info Exchange using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Alcumus Info Exchange.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Alcumus Info Exchange Single Sign-On](#configure-alcumus-info-exchange-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Alcumus Info Exchange test user](#create-alcumus-info-exchange-test-user)** - to have a counterpart of Britta Simon in Alcumus Info Exchange that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with Alcumus Info Exchange, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Alcumus Info Exchange SSO](#configure-alcumus-info-exchange-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Alcumus Info Exchange test user](#create-alcumus-info-exchange-test-user)** - to have a counterpart of B.Simon in Alcumus Info Exchange that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with Alcumus Info Exchange, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Alcumus Info Exchange** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **Alcumus Info Exchange** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Set up Single Sign-On with SAML** page, perform the following steps:
- ![Alcumus Info Exchange Domain and URLs single sign-on information](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<subdomain>.info-exchange.com`
+ `https://<SUBDOMAIN>.info-exchange.com`
b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<subdomain>.info-exchange.com/Auth/`
+ `https://<SUBDOMAIN>.info-exchange.com/Auth/`
> [!NOTE] > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Alcumus Info Exchange Client support team](mailto:helpdesk@alcumusgroup.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
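Review bot: In the Basic SAML Configuration steps, the line `a. In the **Identifier** text box, type a URL using the following pattern:` is removed with no replacement added. That leaves the new `https://<SUBDOMAIN>.info-exchange.com` pattern without its instruction, while `b. In the **Reply URL** text box` still follows it. Restore the `a.` line. The unchanged step `4. On the **Set up Single Sign-On with SAML** page` also keeps its hard-coded number and its capitalization next to the new `1.` items, which write **Set up single sign-on with SAML**; renumber it as `1.` and match the casing.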
To configure Azure AD single sign-on with Alcumus Info Exchange, perform the fol
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Alcumus Info Exchange Single Sign-On
-
-To configure single sign-on on **Alcumus Info Exchange** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Alcumus Info Exchange support team](mailto:helpdesk@alcumusgroup.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Alcumus Info Exchange.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Alcumus Info Exchange.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Alcumus Info Exchange**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Alcumus Info Exchange**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Alcumus Info Exchange SSO
-2. In the applications list, select **Alcumus Info Exchange**.
-
- ![The Alcumus Info Exchange link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Alcumus Info Exchange** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Alcumus Info Exchange support team](mailto:helpdesk@alcumusgroup.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Alcumus Info Exchange test user In this section, you create a user called Britta Simon in Alcumus Info Exchange. Work with [Alcumus Info Exchange support team](mailto:helpdesk@alcumusgroup.com) to add the users in the Alcumus Info Exchange platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Alcumus Info Exchange tile in the Access Panel, you should be automatically signed in to the Alcumus Info Exchange for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Alcumus Info Exchange for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Alcumus Info Exchange tile in the My Apps, you should be automatically signed in to the Alcumus Info Exchange for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Alcumus Info Exchange you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
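Review bot: The unchanged section `### Create Alcumus Info Exchange test user` still reads "you create a user called Britta Simon", while every other reference touched in this change was renamed to B.Simon. Update that sentence as well: the tutorial depends on the link relationship between the Azure AD user and the related user in Alcumus Info Exchange, so the two sections should name the same test user.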
active-directory Code42 Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/code42-tutorial.md
Previously updated : 02/21/2020 Last updated : 05/27/2021
In this tutorial, you'll learn how to integrate Code42 with Azure Active Directo
* Enable your users to be automatically signed-in to Code42 with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Code42 supports **SP** initiated SSO
-* Once you configure Code42 you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Code42 supports **SP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Code42 from the gallery
+## Add Code42 from the gallery
To configure the integration of Code42 into Azure AD, you need to add Code42 from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Code42** in the search box. 1. Select **Code42** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Code42
+## Configure and test Azure AD SSO for Code42
Configure and test Azure AD SSO with Code42 using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Code42.
-To configure and test Azure AD SSO with Code42, complete the following building blocks:
+To configure and test Azure AD SSO with Code42, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Code42 SSO](#configure-code42-sso)** - to configure the single sign-on settings on application side.
- * **[Create Code42 test user](#create-code42-test-user)** - to have a counterpart of B.Simon in Code42 that is linked to the Azure AD representation of user.
+ 1. **[Create Code42 test user](#create-code42-test-user)** - to have a counterpart of B.Simon in Code42 that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Code42** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Code42** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following step:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://www.crashplan.com/console` 1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Code42**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Code42 SSO
In this section, you create a user called B.Simon in Code42. Work with [Code42 s
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Code42 tile in the Access Panel, you should be automatically signed in to the Code42 for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal. This will redirect to Code42 Sign-on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Go to Code42 Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Code42 tile in the My Apps, this will redirect to Code42 Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try Code42 with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Code42 you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Druva Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/druva-tutorial.md
Previously updated : 03/06/2020 Last updated : 06/02/2021
In this tutorial, you'll learn how to integrate Druva with Azure Active Director
* Enable your users to be automatically signed-in to Druva with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Druva supports **IDP** initiated SSO
-* Once you configure Druva SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Druva supports **IDP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Druva from the gallery
+## Add Druva from the gallery
To configure the integration of Druva into Azure AD, you need to add Druva from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Druva** in the search box. 1. Select **Druva** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Druva
+## Configure and test Azure AD SSO for Druva
Configure and test Azure AD SSO with Druva using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Druva.
-To configure and test Azure AD SSO with Druva, complete the following building blocks:
+To configure and test Azure AD SSO with Druva, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Druva SSO](#configure-druva-sso)** - to configure the single sign-on settings on application side.
- * **[Create Druva test user](#create-druva-test-user)** - to have a counterpart of B.Simon in Druva that is linked to the Azure AD representation of user.
+ 1. **[Create Druva test user](#create-druva-test-user)** - to have a counterpart of B.Simon in Druva that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Druva** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Druva** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Druva**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Druva SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on the Druva logo on top left corner and then click **Druva Cloud Settings**.
- ![Settings](./media/druva-tutorial/ic795091.png "Settings")
+ ![Settings](./media/druva-tutorial/cloud.png "Settings")
1. On the **Single Sign-On** tab, click **Edit**.
- ![Screenshot that shows the "Access Settings - Single Sign-On" tab with the "Edit" button selected.](./media/druva-tutorial/ic795092.png "Single Sign-On Settings")
+ ![Screenshot that shows the "Access Settings - Single Sign-On" tab with the "Edit" button selected.](./media/druva-tutorial/edit-tab.png "Single Sign-On Settings")
1. On the **Edit Single Sign-On Settings** page, perform the following steps:
- ![Single Sign-On Settings](./media/druva-tutorial/ic795095.png "Single Sign-On Settings")
+ ![Single Sign-On Settings](./media/druva-tutorial/configuration.png "Single Sign-On Settings")
1. In **ID Provider Login URL** textbox, paste the value of **Login URL**, which you have copied from Azure portal.
- 1. Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **ID Provider Certificate** textbox
+ 1. Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **ID Provider Certificate** textbox.
> [!NOTE] > To Enable Single Sign-On for administrators, select **Administrators log into Druva Cloud through SSO provider** and **Allow failsafe access to Druva Cloud administrators(recommended)** checkboxes. Druva recommends to enable **Failsafe for Administrators** so that they have to access the DCP console in case of any failures in IdP. It also enables the administrators to use both SSO and DCP password to access the DCP console.
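Review bot: The NOTE directly under the edited certificate step says administrators get failsafe access "so that they have to access the DCP console in case of any failures in IdP", which reads as an obligation rather than a fallback. Since this step is being touched anyway, reword it to "so that they can still access the DCP console". The last sentence says administrators can then use both SSO and the DCP password; state plainly that the failsafe option keeps a password sign-in alongside SSO, so readers enable it knowingly.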
In this section, a user called B.Simon is created in Druva. Druva supports just-
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Druva tile in the Access Panel, you should be automatically signed in to the Druva for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Druva for which you set up the SSO.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Druva tile in the My Apps, you should be automatically signed in to the Druva for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try Druva with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Druva you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
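Review bot: In the first new Test SSO bullet, `Click on Test this application in Azure portal` leaves the button name unformatted, whereas the Code42 tutorial updated in this same batch writes it as **Test this application**. Bold the label here too, and change "with following options" in the new intro sentence to "with the following options".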
active-directory Easysso For Bamboo Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/easysso-for-bamboo-tutorial.md
Previously updated : 12/21/2020 Last updated : 06/02/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* EasySSO for Bamboo supports **SP and IDP** initiated SSO
-* EasySSO for Bamboo supports **Just In Time** user provisioning
+* EasySSO for Bamboo supports **SP and IDP** initiated SSO.
+* EasySSO for Bamboo supports **Just In Time** user provisioning.
-## Adding EasySSO for Bamboo from the gallery
+## Add EasySSO for Bamboo from the gallery
To configure the integration of EasySSO for Bamboo into Azure AD, you need to add EasySSO for Bamboo from the gallery to your list of managed SaaS apps.
To configure the integration of EasySSO for Bamboo into Azure AD, you need to ad
1. In the **Add from the gallery** section, type **EasySSO for Bamboo** in the search box. 1. Select **EasySSO for Bamboo** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for EasySSO for Bamboo Configure and test Azure AD SSO with EasySSO for Bamboo using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in EasySSO for Bamboo.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **EasySSO for Bamboo** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<server-base-url>/plugins/servlet/easysso/saml`
+ `https://<SERVER_BASE_URL>/plugins/servlet/easysso/saml`
b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<server-base-url>/plugins/servlet/easysso/saml`
+ `https://<SERVER_BASE_URL>/plugins/servlet/easysso/saml`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<server-base-url>/login.jsp`
+ `https://<SERVER_BASE_URL>/login.jsp`
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [EasySSO support team](mailto:support@techtime.co.nz) to get these values if in doubt. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **EasySSO for Bamboo**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
5. Now, locate **Certificate (Base64)** or **Metadata File** you have saved in the earlier steps of **Azure AD SSO** configuration. You have following options on how to proceed:
- a. Use the App Federation **Metadata File** you downloaded to local file on your computer. Select **Upload** radio button and follow the upload file dialog specific to your operating system
+ a. Use the App Federation **Metadata File** you downloaded to local file on your computer. Select **Upload** radio button and follow the upload file dialog specific to your operating system.
**OR**
In this section, a user called Britta Simon is created in Bamboo. EasySSO for Ba
However, if you do not wish to enable automatic user provisioning on the user first login, users must exist in backend User Directories the Bamboo instance make use of, such as LDAP or Atlassian Crowd.
-![User provisioning](./media/easysso-for-bamboo-tutorial/bamboo-admin-6.png)
+![User provisioning](./media/easysso-for-bamboo-tutorial/admin.png)
## Test SSO
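Review bot: The new image path `./media/easysso-for-bamboo-tutorial/admin.png` is a generic file name, while the failure screenshot later in the same article still uses the `bamboo-admin-8.png` naming. Confirm that `admin.png` is actually added to the media folder in this commit, and consider a name that says what the screenshot shows (user provisioning) so the remaining images are not confused with it.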
In this section, you test your Azure AD single sign-on configuration using Bambo
This scenario presumes you have enabled **SAML Login Button** in **Look & Feel** tab in your Bamboo EasySSO configuration page (see above). Open your Bamboo login URL in browser incognito mode to avoid any interference with your existing sessions. Click **SAML Login** button and you will get redirected to Azure AD user authentication flow. Once successfully completed you will be redirected back to your Bamboo instance as authenticated user via SAML.
-There's a possibility you may encounter the following screen after getting redirected back from Azure AD
+There's a possibility you may encounter the following screen after getting redirected back from Azure AD.
![EasySSO failure screen](./media/easysso-for-bamboo-tutorial/bamboo-admin-8.png)
active-directory Expiration Reminder Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/expiration-reminder-tutorial.md
Previously updated : 01/17/2019 Last updated : 06/01/2021 # Tutorial: Azure Active Directory integration with Expiration Reminder
-In this tutorial, you learn how to integrate Expiration Reminder with Azure Active Directory (Azure AD).
-Integrating Expiration Reminder with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Expiration Reminder with Azure Active Directory (Azure AD). When you integrate Expiration Reminder with Azure AD, you can:
-* You can control in Azure AD who has access to Expiration Reminder.
-* You can enable your users to be automatically signed-in to Expiration Reminder (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Expiration Reminder.
+* Enable your users to be automatically signed-in to Expiration Reminder with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Expiration Reminder, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Expiration Reminder single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Expiration Reminder single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Expiration Reminder supports **SP** initiated SSO
-
-## Adding Expiration Reminder from the gallery
-
-To configure the integration of Expiration Reminder into Azure AD, you need to add Expiration Reminder from the gallery to your list of managed SaaS apps.
-
-**To add Expiration Reminder from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
+* Expiration Reminder supports **SP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-4. In the search box, type **Expiration Reminder**, select **Expiration Reminder** from result panel then click **Add** button to add the application.
+## Add Expiration Reminder from the gallery
- ![Expiration Reminder in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Expiration Reminder based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Expiration Reminder needs to be established.
-
-To configure and test Azure AD single sign-on with Expiration Reminder, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Expiration Reminder Single Sign-On](#configure-expiration-reminder-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Expiration Reminder test user](#create-expiration-reminder-test-user)** - to have a counterpart of Britta Simon in Expiration Reminder that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+To configure the integration of Expiration Reminder into Azure AD, you need to add Expiration Reminder from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Expiration Reminder** in the search box.
+1. Select **Expiration Reminder** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with Expiration Reminder, perform the following steps:
+## Configure and test Azure AD SSO for Expiration Reminder
-1. In the [Azure portal](https://portal.azure.com/), on the **Expiration Reminder** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with Expiration Reminder using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Expiration Reminder.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with Expiration Reminder, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Expiration Reminder SSO](#configure-expiration-reminder-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Expiration Reminder test user](#create-expiration-reminder-test-user)** - to have a counterpart of B.Simon in Expiration Reminder that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+## Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+1. In the Azure portal, on the **Expiration Reminder** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- ![Expiration Reminder Domain and URLs single sign-on information](common/sp-signonurl.png)
+4. On the **Basic SAML Configuration** section, perform the following step:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://app.expirationreminder.net/account/sso` 5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer.
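Review bot: The added step `+4. On the **Basic SAML Configuration** section` keeps an explicit number while the three steps added just above it all use `1.`, and the unchanged step 5 still spells the page title **Set up Single Sign-On with SAML** where the new step 3 spells it **Set up single sign-on with SAML**. Renumber the added step to `1.` and align the title casing in step 5 so the procedure reads as one list.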
To configure Azure AD single sign-on with Expiration Reminder, perform the follo
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Expiration Reminder Single Sign-On
-
-To configure single sign-on on **Expiration Reminder** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Expiration Reminder support team](mailto:support@expirationreminder.net). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
+In this section, you'll create a test user in the Azure portal called B.Simon.
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Expiration Reminder.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Expiration Reminder**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, type and select **Expiration Reminder**.
-
- ![The Expiration Reminder link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Expiration Reminder.
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Expiration Reminder**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+## Configure Expiration Reminder SSO
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Expiration Reminder** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Expiration Reminder support team](mailto:support@expirationreminder.net).
+They set this setting to have the SAML SSO connection set properly on both sides.
### Create Expiration Reminder test user In this section, you create a user called Britta Simon in Expiration Reminder. Work with [Expiration Reminder support team](mailto:support@expirationreminder.net) to add the users in the Expiration Reminder platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Expiration Reminder tile in the Access Panel, you should be automatically signed in to the Expiration Reminder for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Expiration Reminder Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Expiration Reminder Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Expiration Reminder tile in the My Apps, this will redirect to Expiration Reminder Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Expiration Reminder you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
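Review bot: The unchanged **Create Expiration Reminder test user** paragraph still says "a user called Britta Simon", while the test user is renamed to B.Simon everywhere else in this change; update that sentence as well. The a/b/c list naming Login URL, Azure Ad Identifier and Logout URL is also removed here, so "appropriate copied URLs" in the relocated **Configure Expiration Reminder SSO** text no longer tells the reader which values to send to the support team. Name them in that sentence.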
active-directory Fastly Edge Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fastly-edge-cloud-tutorial.md
Previously updated : 01/09/2020 Last updated : 06/02/2021
In this tutorial, you'll learn how to integrate Fastly Edge Cloud with Azure Act
* Enable your users to be automatically signed-in to Fastly Edge Cloud with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Fastly Edge Cloud supports **IDP** initiated SSO
+* Fastly Edge Cloud supports **IDP** initiated SSO.
-## Adding Fastly Edge Cloud from the gallery
+## Add Fastly Edge Cloud from the gallery
To configure the integration of Fastly Edge Cloud into Azure AD, you need to add Fastly Edge Cloud from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Fastly Edge Cloud** in the search box. 1. Select **Fastly Edge Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Fastly Edge Cloud
+## Configure and test Azure AD SSO for Fastly Edge Cloud
Configure and test Azure AD SSO with Fastly Edge Cloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Fastly Edge Cloud.
-To configure and test Azure AD SSO with Fastly Edge Cloud, complete the following building blocks:
+To configure and test Azure AD SSO with Fastly Edge Cloud, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Fastly Edge Cloud SSO](#configure-fastly-edge-cloud-sso)** - to configure the single sign-on settings on application side.
- * **[Create Fastly Edge Cloud test user](#create-fastly-edge-cloud-test-user)** - to have a counterpart of B.Simon in Fastly Edge Cloud that is linked to the Azure AD representation of user.
+ 1. **[Create Fastly Edge Cloud test user](#create-fastly-edge-cloud-test-user)** - to have a counterpart of B.Simon in Fastly Edge Cloud that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Fastly Edge Cloud** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Fastly Edge Cloud** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following step:
In the **Identifier** text box, type a URL using the following pattern: `https://api.fastly.com/saml/<CUSTOM_IDENTIFIER>`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Fastly Edge Cloud**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Fastly Edge Cloud SSO
In this section, you create a user called B.Simon in Fastly Edge Cloud. Work wit
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Fastly Edge Cloud tile in the Access Panel, you should be automatically signed in to the Fastly Edge Cloud for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Fastly Edge Cloud for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Fastly Edge Cloud tile in the My Apps, you should be automatically signed in to the Fastly Edge Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Fastly Edge Cloud with Azure AD](https://aad.portal.azure.com/)
+Once you configure Fastly Edge Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
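Review bot: In the first added bullet under **Test SSO**, the button label Test this application is plain text, whereas the Expiration Reminder tutorial in this same batch writes it as `**Test this application**` and UI labels are bold elsewhere in this file; make it bold here too. In the added **Next steps** sentence, "protects exfiltration and infiltration" reads as if session control safeguards those actions; "protects against exfiltration and infiltration" says what is meant. The intro line "with following options" is missing "the".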
active-directory Fuse Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fuse-tutorial.md
Previously updated : 02/18/2019 Last updated : 06/03/2021 # Tutorial: Azure Active Directory integration with Fuse
-In this tutorial, you learn how to integrate Fuse with Azure Active Directory (Azure AD).
-Integrating Fuse with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Fuse with Azure Active Directory (Azure AD). When you integrate Fuse with Azure AD, you can:
-* You can control in Azure AD who has access to Fuse.
-* You can enable your users to be automatically signed-in to Fuse (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Fuse.
+* Enable your users to be automatically signed-in to Fuse with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Fuse, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Fuse single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Fuse single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Fuse supports **SP** initiated SSO
-
-## Adding Fuse from the gallery
-
-To configure the integration of Fuse into Azure AD, you need to add Fuse from the gallery to your list of managed SaaS apps.
-
-**To add Fuse from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
+* Fuse supports **SP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-4. In the search box, type **Fuse**, select **Fuse** from result panel then click **Add** button to add the application.
+## Add Fuse from the gallery
- ![Fuse in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Fuse based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Fuse needs to be established.
-
-To configure and test Azure AD single sign-on with Fuse, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Fuse Single Sign-On](#configure-fuse-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Fuse test user](#create-fuse-test-user)** - to have a counterpart of Britta Simon in Fuse that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+To configure the integration of Fuse into Azure AD, you need to add Fuse from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Fuse** in the search box.
+1. Select **Fuse** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with Fuse, perform the following steps:
+## Configure and test Azure AD SSO for Fuse
-1. In the [Azure portal](https://portal.azure.com/), on the **Fuse** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with Fuse using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Fuse.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with Fuse, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Fuse SSO](#configure-fuse-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Fuse test user](#create-fuse-test-user)** - to have a counterpart of B.Simon in Fuse that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+## Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+1. In the Azure portal, on the **Fuse** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- ![Fuse Domain and URLs single sign-on information](common/sp-signonurl.png)
+4. On the **Basic SAML Configuration** section, perform the following step:
In the **Sign-on URL** text box, type a URL using the following pattern: `https://{tenantname}.fuseuniversal.com/`
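Review bot: The added step `+4. On the **Basic SAML Configuration** section, perform the following step:` is numbered `4.` while every other added step in this list uses `1.`. Markdown renumbers either way, but mixing the two styles makes later insertions error-prone; change it to `1.` to match the steps above it.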
To configure Azure AD single sign-on with Fuse, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Fuse Single Sign-On
-
-To configure single sign-on on **Fuse** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Fuse support team](mailto:support@fusion-universal.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Fuse.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Fuse.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Fuse**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Fuse**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Fuse SSO
-2. In the applications list, select **Fuse**.
-
- ![The Fuse link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Fuse** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Fuse support team](mailto:support@fusion-universal.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Fuse test user In this section, you create a user called Britta Simon in Fuse. Work with [Fuse support team](mailto:support@fusion-universal.com) to add the users in the Fuse platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Fuse tile in the Access Panel, you should be automatically signed in to the Fuse for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Fuse Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Fuse Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Fuse tile in the My Apps, this will redirect to Fuse Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Fuse you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
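Review bot: The unchanged context line under `### Create Fuse test user` still says "you create a user called Britta Simon in Fuse", while this hunk renames the test user to B.Simon everywhere else and the new step list describes that section as creating "a counterpart of B.Simon in Fuse". Update that sentence in the same change so the Azure AD user and the Fuse user that the reader is told to link carry the same name. Separately, the added Next steps line shows a garbled apostrophe in "organizationΓÇÖs"; use a plain ASCII apostrophe there.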
active-directory Goodpractice Toolkit Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/goodpractice-toolkit-tutorial.md
Previously updated : 03/12/2020 Last updated : 05/28/2021 # Tutorial: Azure Active Directory integration with Mind Tools Toolkit
-In this tutorial, you learn how to integrate Mind Tools Toolkit with Azure Active Directory (Azure AD).
-
-With this integration, you can:
+In this tutorial, you'll learn how to integrate Mind Tools Toolkit with Azure Active Directory (Azure AD). When you integrate Mind Tools Toolkit with Azure AD, you can:
* Control in Azure AD who has access to Mind Tools Toolkit. * Enable your users to be automatically signed in to Mind Tools Toolkit (single sign-on) with their Azure AD accounts. * Manage your accounts in one central location: the Azure portal.
-To learn more about software as a service (SaaS) app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To configure Azure AD integration with Mind Tools Toolkit, you need the following items:
In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Mind Tools Toolkit supports SP-initiated SSO. * Mind Tools Toolkit supports just-in-time user provisioning.
-* After you configure Mind Tools Toolkit, you can enforce session control. This control protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from conditional access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
## Add Mind Tools Toolkit from the gallery To configure the integration of Mind Tools Toolkit into Azure AD, you need to add Mind Tools Toolkit from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) by using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal by using either a work or school account, or a personal Microsoft account.
1. On the leftmost navigation pane, select the **Azure Active Directory** service. 1. Go to **Enterprise Applications**, and then select **All Applications**. 1. To add a new application, select **New application**. 1. In the **Add from the gallery** section, enter **Mind Tools Toolkit** in the search box. 1. Select **Mind Tools Toolkit** from the search results, and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Mind Tools Toolkit by using a test user called **B.Simon**. For single sign-on to work, you must establish a linked relationship between an Azure AD user and the related user in Mind Tools Toolkit.
-
-To configure and test Azure AD single sign-on with Mind Tools Toolkit, complete the following building blocks:
+## Configure and test Azure AD SSO for Mind Tools Toolkit
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure Mind Tools Toolkit SSO](#configure-mind-tools-toolkit-sso)** to configure the single sign-on settings on the application side.
- 1. **[Create a Mind Tools Toolkit test user](#create-a-mind-tools-toolkit-test-user)** to have a counterpart of B.Simon in Mind Tools Toolkit. This counterpart is linked to the Azure AD representation of the user.
-1. **[Test SSO](#test-sso)** to verify whether the configuration works.
+Configure and test Azure AD SSO with Mind Tools Toolkit using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Mind Tools Toolkit.
-### Configure Azure AD SSO
+To configure and test Azure AD SSO with Mind Tools Toolkit, perform the following steps:
-In this section, you configure Azure AD single sign-on with Mind Tools Toolkit by following these steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Mind Tools Toolkit SSO](#configure-mind-tools-toolkit-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Mind Tools Toolkit test user](#create-mind-tools-toolkit-test-user)** - to have a counterpart of B.Simon in Mind Tools Toolkit that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Mind Tools Toolkit** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![The Manage section, with Single sign-on highlighted](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the **Select a Single sign-on method** dialog box, select **SAML/WS-Fed** to enable single sign-on.
+1. In the Azure portal, on the **Mind Tools Toolkit** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![The Select a single sign-on method dialog box, with SAML highlighted](common/select-saml-option.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Set up Single Sign-On with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
-
- ![The Set up Single Sign-On with SAML page, with the pencil icon for Basic SAML Configuration highlighted](common/edit-urls.png)
-
-1. In the **Basic SAML Configuration** section, in the **Sign-on URL** box, enter a URL having the pattern `https://app.goodpractice.net/#/<subscriptionUrl>/s/<locationId>`.
+1. In the **Basic SAML Configuration** section, in the **Sign-on URL** box, enter a URL having the pattern `https://app.goodpractice.net/#/<subscriptionUrl>/s/<LOCATION_ID>`.
> [!NOTE] > The **Sign-on URL** value isn't real. Update the value with the actual sign-on URL. Contact the [Mind Tools Toolkit Client support team](mailto:support@goodpractice.com) to get the value.
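Review bot: In the added Sign-on URL pattern the two placeholders now follow different conventions: `<subscriptionUrl>` stays camelCase while `<locationId>` becomes `<LOCATION_ID>`. Use one style for both (for example `<SUBSCRIPTION_URL>` and `<LOCATION_ID>`) so it is clear that both are values to substitute. The added NOTE about the fixed identifier would also be easier to act on if it named the field it refers to, since the only Basic SAML Configuration value this hunk shows being set is the Sign-on URL.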
In this section, you configure Azure AD single sign-on with Mind Tools Toolkit b
1. In the **Set up Mind Tools Toolkit** section, copy whichever of the following URLs you need.
- * **Login URL**
-
- * **Azure AD Identifier**
-
- * **Logout URL**
- ![The Set up Mind Tools Toolkit section, with the configuration URLs highlighted](common/copy-configuration-urls.png) ### Create an Azure AD test user
-In this section, you create a test user called B.Simon in the Azure portal:
+In this section, you'll create a test user in the Azure portal called B.Simon.
-1. On the leftmost side of the Azure portal, select **Azure Active Directory** > **Users** > **All users**.
-1. At the top of the screen, select **New user**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter **B.Simon**.
- 1. In the **User name** field, enter **B.Simon@**_companydomain_**.**_extension_. For example, B.Simon@contoso.com.
- 1. Select the **Show password** check box, and then write down the value that's shown in the **Password** box.
- 1. Select **Create**.
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable B.Simon to use Azure single sign-on by granting access to Mind Tools Toolkit.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Mind Tools Toolkit.
-1. In the Azure portal, select **Enterprise Applications** > **All applications**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
1. In the applications list, select **Mind Tools Toolkit**.
-1. In the app's overview page, go to the **Manage** section, and select **Users and groups**.
-
- ![The Manage section, with Users and groups highlighted](common/users-groups-blade.png)
-
-1. Select **Add user**. In the **Add Assignment** dialog box, select **Users and groups**.
-
- ![The Users and groups window, with Add user highlighted](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog box, select **B.Simon** from the users list. Then choose the **Select** button at the bottom of the screen.
-1. If you expect any role value in the SAML assertion, in the **Select Role** dialog box, select the appropriate role for the user from the list. Then choose the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog box, select **Assign**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
## Configure Mind Tools Toolkit SSO To configure single sign-on on the **Mind Tools Toolkit** side, send the downloaded **Federation Metadata XML** text and the previously copied URLs to the [Mind Tools Toolkit support team](mailto:support@goodpractice.com). They configure this setting to have the SAML SSO connection set properly on both sides.
-### Create a Mind Tools Toolkit test user
-
-In this section, you create a user called B.Simon in Mind Tools Toolkit.
-
-Mind Tools Toolkit supports just-in-time provisioning, which is enabled by default. There's no action for you to take in this section. If a user doesn't already exist in Mind Tools Toolkit, a new one is created when you attempt to access Mind Tools Toolkit.
-
-### Test SSO
-
-In this section, you test your Azure AD single sign-on configuration by using the My Apps portal.
+### Create Mind Tools Toolkit test user
-When you select the Mind Tools Toolkit tile in the My Apps portal, you are automatically signed in to the Mind Tools Toolkit for which you set up SSO. For more information about the My Apps portal, see [Introduction to the My Apps portal](../user-help/my-apps-portal-end-user-access.md).
+In this section, a user called B.Simon is created in Mind Tools Toolkit. Mind Tools Toolkit supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Mind Tools Toolkit, a new one is created after authentication.
-## Additional resources
+## Test SSO
-- [Tutorials for integrating SaaS apps with Azure Active Directory](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal. This will redirect to Mind Tools Toolkit Sign-on URL where you can initiate the login flow.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Go to Mind Tools Toolkit Sign-on URL directly and initiate the login flow from there.
-- [Try Mind Tools Toolkit with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the Mind Tools Toolkit tile in the My Apps, this will redirect to Mind Tools Toolkit Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Mind Tools Toolkit with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Mind Tools Toolkit you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
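Review bot: The context line "copy whichever of the following URLs you need" is left in place, but this hunk deletes the three bullets it introduced (**Login URL**, **Azure AD Identifier**, **Logout URL**), so "the following URLs" now points only at a screenshot. Either keep the bullets or reword the sentence. Also, the session-control bullet removed earlier in this file's diff linked to `/cloud-app-security/proxy-deployment-any-app`, while the added Next steps paragraph links to `/cloud-app-security/proxy-deployment-aad`; confirm the change of target is intended.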
active-directory Helpscout Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/helpscout-tutorial.md
Previously updated : 10/24/2019 Last updated : 05/28/2021 # Tutorial: Azure Active Directory integration with Help Scout
-In this tutorial, you learn how to integrate Help Scout with Azure Active Directory (Azure AD).
-Integrating Help Scout with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Help Scout with Azure Active Directory (Azure AD). When you integrate Help Scout with Azure AD, you can:
-* You can control in Azure AD who has access to Help Scout.
-* You can enable your users to be automatically signed-in to Help Scout (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Help Scout.
+* Enable your users to be automatically signed-in to Help Scout with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Help Scout, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Help Scout single sign-on enabled subscription
+* Help Scout single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Help Scout supports **SP and IDP** initiated SSO
-* Help Scout supports **Just In Time** user provisioning
+* Help Scout supports **SP and IDP** initiated SSO.
+* Help Scout supports **Just In Time** user provisioning.
-## Adding Help Scout from the gallery
+## Add Help Scout from the gallery
To configure the integration of Help Scout into Azure AD, you need to add Help Scout from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Help Scout** in the search box. 1. Select **Help Scout** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Help Scout
-In this section, you configure and test Azure AD single sign-on with Help Scout based on a test user called **B.Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Help Scout needs to be established.
+Configure and test Azure AD SSO with Help Scout using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Help Scout.
-To configure and test Azure AD single sign-on with Help Scout, you need to complete the following building blocks:
+To configure and test Azure AD SSO with Help Scout, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Help Scout SSO](#configure-help-scout-sso)** - to configure the single sign-on settings on application side.
- * **[Create Help Scout test user](#create-help-scout-test-user)** - to have a counterpart of B.Simon in Help Scout that is linked to the Azure AD representation of user.
+ 1. **[Create Help Scout test user](#create-help-scout-test-user)** - to have a counterpart of B.Simon in Help Scout that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
-
-In this section, you enable Azure AD single sign-on in the Azure portal.
-
-To configure Azure AD single sign-on with Help Scout, perform the following steps:
-
-1. In the [Azure portal](https://portal.azure.com/), on the **Help Scout** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Help Scout** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-1. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
1. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
- a. **Identifier** is the **Audience URI (Service Provider Entity ID)** from Help Scout, starts with `urn:` b. **Reply URL** is the **Post-back URL (Assertion Consumer Service URL)** from Help Scout, starts with `https://`
To configure Azure AD single sign-on with Help Scout, perform the following step
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
-
- In the **Sign-on URL** textbox, type a URL as: `https://secure.helpscout.net/members/login/`
+ In the **Sign-on URL** textbox, type the URL: `https://secure.helpscout.net/members/login/`
1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
To configure Azure AD single sign-on with Help Scout, perform the following step
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called B.Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **B.Simon**.
-
- b. In the **User name** field type **B.Simon\@yourcompanydomain.extension**
- For example, B.Simon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable B.Simon to use Azure single sign-on by granting access to Help Scout.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Help Scout**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Help Scout**.
-
- ![The Help Scout link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Help Scout.
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **B.Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Help Scout**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
## Configure Help Scout SSO
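Review bot: The replaced role step drops the reason the role selection matters. The removed line said "If you are expecting any role value in the SAML assertion", while the added line only says "If you are expecting a role to be assigned to the users". Keep the mention of the SAML assertion so readers know this selection is tied to the role value sent in the assertion, and change "you see "Default Access" role selected" to "the "Default Access" role is selected".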
In this section, you enable B.Simon to use Azure single sign-on by granting acce
1. Click on **Manage** from the top menu and then select **Company** from the dropdown menu.
- ![Screenshot shows the Manage menu with Company selected.](./media/helpscout-tutorial/settings1.png)
+ ![Screenshot shows the Manage menu with Company selected.](./media/helpscout-tutorial/settings.png)
1. Select **Authentication** from the left navigation pane.
- ![Screenshot shows Authentication selected.](./media/helpscout-tutorial/settings2.png)
+ ![Screenshot shows Authentication selected.](./media/helpscout-tutorial/authentication.png)
1. This takes you to the SAML settings section and perform the following steps:
- ![Screenshot shows the Single Sign-On tab where you enter the specified information.](./media/helpscout-tutorial/settings3.png)
+ ![Screenshot shows the Single Sign-On tab where you enter the specified information.](./media/helpscout-tutorial/configuration.png)
a. Copy the **Post-back URL (Assertion Consumer Service URL)** value and paste the value in the **Reply URL** text box in the **Basic SAML Configuration** section in the Azure portal.
In this section, you enable B.Simon to use Azure single sign-on by granting acce
1. Toggle **Enable SAML** on and perform the following steps:
- ![Screenshot shows the Single Sign-On tab where you enable SAML and add other information.](./media/helpscout-tutorial/settings4.png)
+ ![Screenshot shows the Single Sign-On tab where you enable SAML and add other information.](./media/helpscout-tutorial/information.png)
a. In **Single Sign-On URL** textbox, paste the value of **Login URL**, which you have copied from Azure portal.
In this section, you enable B.Simon to use Azure single sign-on by granting acce
In this section, a user called B.Simon is created in Help Scout. Help Scout supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Help Scout, a new one is created after authentication.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Click on **Test this application** in Azure portal. This will redirect to Help Scout Sign on URL where you can initiate the login flow.
-When you click the Help Scout tile in the Access Panel, you should be automatically signed in to the Help Scout for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Help Scout Sign-on URL directly and initiate the login flow from there.
-## Additional Resources
+#### IDP initiated:
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Help Scout for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Help Scout tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Help Scout for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Help Scout with Azure AD](https://aad.portal.azure.com/)
+Once you configure Help Scout you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
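Review bot: In the new `## Test SSO` section, the added subheadings `#### SP initiated:` and `#### IDP initiated:` jump from H2 straight to H4 and end in a colon. Use `### SP initiated` and `### IDP initiated` so the outline does not skip a level. In the added intro sentence, "with following options" should read "with the following options".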
active-directory Hirevue Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hirevue-tutorial.md
Previously updated : 02/15/2019 Last updated : 06/03/2021 # Tutorial: Azure Active Directory integration with HireVue
-In this tutorial, you learn how to integrate HireVue with Azure Active Directory (Azure AD).
-Integrating HireVue with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate HireVue with Azure Active Directory (Azure AD). When you integrate HireVue with Azure AD, you can:
-* You can control in Azure AD who has access to HireVue.
-* You can enable your users to be automatically signed-in to HireVue (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to HireVue.
+* Enable your users to be automatically signed-in to HireVue with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with HireVue, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* HireVue single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* HireVue single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* HireVue supports **SP** initiated SSO
+* HireVue supports **SP** initiated SSO.
-## Adding HireVue from the gallery
+## Add HireVue from the gallery
To configure the integration of HireVue into Azure AD, you need to add HireVue from the gallery to your list of managed SaaS apps.
-**To add HireVue from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **HireVue**, select **HireVue** from result panel then click **Add** button to add the application.
-
- ![HireVue in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with HireVue based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in HireVue needs to be established.
-
-To configure and test Azure AD single sign-on with HireVue, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **HireVue** in the search box.
+1. Select **HireVue** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure HireVue Single Sign-On](#configure-hirevue-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create HireVue test user](#create-hirevue-test-user)** - to have a counterpart of Britta Simon in HireVue that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for HireVue
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with HireVue using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in HireVue.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with HireVue, perform the following steps:
-To configure Azure AD single sign-on with HireVue, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure HireVue SSO](#configure-hirevue-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create HireVue test user](#create-hirevue-test-user)** - to have a counterpart of B.Simon in HireVue that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **HireVue** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **HireVue** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![HireVue Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type a URL using the following pattern:
-
- | Environment | URL |
- |-||
- | Production | `https://<companyname>.hirevue.com` |
- | Staging | `https://<companyname>.stghv.com` |
-
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** text box, type a URN using one of the following values:
| Environment | URN | |-|--| | Production |`urn:federation:hirevue.com:saml:sp:prod` | | Staging | `urn:federation:hirevue.com:saml:sp:staging`|
+ b. In the **Sign on URL** text box, type a URL using one of the following patterns:
+
+ | Environment | URL |
+ |-||
+ | Production | `https://<COMPANY_NAME>.hirevue.com` |
+ | Staging | `https://<COMPANY_NAME>.stghv.com` |
+ > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [HireVue Client support team](mailto:samlsupport@hirevue.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [HireVue Client support team](mailto:samlsupport@hirevue.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
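Review bot: The steps added under `## Configure Azure AD SSO` use `1.` auto-numbering, but the unchanged steps that follow still carry hard-coded `4.` and `5.`. Step 5 also keeps the old "Set up Single Sign-On with SAML" capitalization, while the added step 3 writes "Set up single sign-on with SAML". Convert the remaining steps to `1.` and spell the page name one way throughout, so the list is consistent in the source.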
To configure Azure AD single sign-on with HireVue, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure HireVue Single Sign-On
-
-To configure single sign-on on **HireVue** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [HireVue support team](mailto:samlsupport@hirevue.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to HireVue.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **HireVue**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **HireVue**.
-
- ![The HireVue link in the Applications list](common/all-applications.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to HireVue.
-3. In the menu on the left, select **Users and groups**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **HireVue**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The "Users and groups" link](common/users-groups-blade.png)
+## Configure HireVue SSO
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **HireVue** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [HireVue support team](mailto:samlsupport@hirevue.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create HireVue test user In this section, you create a user called Britta Simon in HireVue. Work with [HireVue support team](mailto:samlsupport@hirevue.com) to add the users in the HireVue platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the HireVue tile in the Access Panel, you should be automatically signed in to the HireVue for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to HireVue Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to HireVue Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the HireVue tile in the My Apps, this will redirect to HireVue Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure HireVue you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
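Review bot: The unchanged `### Create HireVue test user` paragraph still says "you create a user called Britta Simon in HireVue", while every other reference in this change was renamed to B.Simon, including the added step-list entry "to have a counterpart of B.Simon in HireVue". Update that sentence to B.Simon as well, so the test user has one name across the tutorial. In the added Test SSO text, "with following options" should read "with the following options".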
active-directory Hrworks Single Sign On Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hrworks-single-sign-on-tutorial.md
Previously updated : 01/02/2020 Last updated : 05/26/2021
In this tutorial, you'll learn how to integrate HRworks Single Sign-On with Azur
* Enable your users to be automatically signed-in to HRworks Single Sign-On with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* HRworks Single Sign-On supports **SP** initiated SSO
+* HRworks Single Sign-On supports **SP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding HRworks Single Sign-On from the gallery
+## Add HRworks Single Sign-On from the gallery
To configure the integration of HRworks Single Sign-On into Azure AD, you need to add HRworks Single Sign-On from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **HRworks Single Sign-On** in the search box. 1. Select **HRworks Single Sign-On** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for HRworks Single Sign-On
+## Configure and test Azure AD SSO for HRworks Single Sign-On
Configure and test Azure AD SSO with HRworks Single Sign-On using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in HRworks Single Sign-On.
-To configure and test Azure AD SSO with HRworks Single Sign-On, complete the following building blocks:
+To configure and test Azure AD SSO with HRworks Single Sign-On, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure HRworks Single Sign-On SSO](#configure-hrworks-single-sign-on-sso)** - to configure the single sign-on settings on application side.
- * **[Create HRworks Single Sign-On test user](#create-hrworks-single-sign-on-test-user)** - to have a counterpart of B.Simon in HRworks Single Sign-On that is linked to the Azure AD representation of user.
+ 1. **[Create HRworks Single Sign-On test user](#create-hrworks-single-sign-on-test-user)** - to have a counterpart of B.Simon in HRworks Single Sign-On that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **HRworks Single Sign-On** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **HRworks Single Sign-On** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following step:
In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://login.hrworks.de/?companyId=<companyId>&directssologin=true`
+ `https://login.hrworks.de/?companyId=<COMPANY_ID>&directssologin=true`
> [!NOTE] > The value is not real. Update the value with the actual Sign-On URL. Contact [HRworks Single Sign-On Client support team](mailto:nadja.sommerfeld@hrworks.de) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **HRworks Single Sign-On**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure HRworks Single Sign-On SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on **Administrator** > **Basics** > **Security** > **Single Sign-on** from the left side of menu bar and perform the following steps:
- ![Configure single sign-on](./media/hrworks-single-sign-on-tutorial/configure01.png)
+ ![Configure single sign-on](./media/hrworks-single-sign-on-tutorial/configure.png)
a. Check the **Use Single Sign-on** box.
To enable Azure AD users, sign in to HRworks Single Sign-On, they must be provis
1. Click on **Administrator** > **Persons** > **Persons** > **New person** from the left side of menu bar.
- ![Screenshot shows Screenshot shows H R works page with Persons and New person selected.](./media/hrworks-single-sign-on-tutorial/configure02.png)
+ ![Screenshot shows Screenshot shows H R works page with Persons and New person selected.](./media/hrworks-single-sign-on-tutorial/persons.png)
1. On the Pop-up, click **Next**.
- ![Screenshot shows a list of countries for you to choose from for the person.](./media/hrworks-single-sign-on-tutorial/configure03.png)
+ ![Screenshot shows a list of countries for you to choose from for the person.](./media/hrworks-single-sign-on-tutorial/new-person.png)
1. On the **Create new person with country for legal terms** pop-up, fill the respective details like **First name**, **Last name** and click **Create**.
- ![Screenshot shows text boxes where you can enter first and last names for the person.](./media/hrworks-single-sign-on-tutorial/configure04.png)
+ ![Screenshot shows text boxes where you can enter first and last names for the person.](./media/hrworks-single-sign-on-tutorial/create-person.png)
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the HRworks Single Sign-On tile in the Access Panel, you should be automatically signed in to the HRworks Single Sign-On for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to HRworks Single Sign-On Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to HRworks Single Sign-On Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the HRworks Single Sign-On tile in the My Apps, this will redirect to HRworks Single Sign-On Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try HRworks Single Sign-On with Azure AD](https://aad.portal.azure.com/)
+Once you configure HRworks Single Sign-On you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
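Review bot: The image line for the **New person** step is touched only to rename `configure02.png` to `persons.png`, so the duplicated alt text "Screenshot shows Screenshot shows H R works page with Persons and New person selected." is carried over unchanged. Since the line is being edited anyway, drop the repeated "Screenshot shows". The added Test SSO intro also needs "with the following options" in place of "with following options".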
active-directory Kantegassoforjira Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/kantegassoforjira-tutorial.md
Previously updated : 04/16/2019 Last updated : 05/27/2021 # Tutorial: Azure Active Directory integration with Kantega SSO for JIRA
-In this tutorial, you learn how to integrate Kantega SSO for JIRA with Azure Active Directory (Azure AD).
-Integrating Kantega SSO for JIRA with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Kantega SSO for JIRA with Azure Active Directory (Azure AD). When you integrate Kantega SSO for JIRA with Azure AD, you can:
-* You can control in Azure AD who has access to Kantega SSO for JIRA.
-* You can enable your users to be automatically signed-in to Kantega SSO for JIRA (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Kantega SSO for JIRA.
+* Enable your users to be automatically signed-in to Kantega SSO for JIRA with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Kantega SSO for JIRA, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Kantega SSO for JIRA single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+
+* Kantega SSO for JIRA single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Kantega SSO for JIRA supports **SP and IDP** initiated SSO
+* Kantega SSO for JIRA supports **SP and IDP** initiated SSO.
-## Adding Kantega SSO for JIRA from the gallery
+## Add Kantega SSO for JIRA from the gallery
To configure the integration of Kantega SSO for JIRA into Azure AD, you need to add Kantega SSO for JIRA from the gallery to your list of managed SaaS apps.
-**To add Kantega SSO for JIRA from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Kantega SSO for JIRA**, select **Kantega SSO for JIRA** from result panel then click **Add** button to add the application.
-
- ![Kantega SSO for JIRA in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Kantega SSO for JIRA based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Kantega SSO for JIRA needs to be established.
-
-To configure and test Azure AD single sign-on with Kantega SSO for JIRA, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Kantega SSO for JIRA** in the search box.
+1. Select **Kantega SSO for JIRA** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Kantega SSO for JIRA Single Sign-On](#configure-kantega-sso-for-jira-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Kantega SSO for JIRA test user](#create-kantega-sso-for-jira-test-user)** - to have a counterpart of Britta Simon in Kantega SSO for JIRA that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Kantega SSO for JIRA
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Kantega SSO for JIRA using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Kantega SSO for JIRA.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Kantega SSO for JIRA, perform the following steps:
-To configure Azure AD single sign-on with Kantega SSO for JIRA, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Kantega SSO for JIRA SSO](#configure-kantega-sso-for-jira-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Kantega SSO for JIRA test user](#create-kantega-sso-for-jira-test-user)** - to have a counterpart of B.Simon in Kantega SSO for JIRA that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Kantega SSO for JIRA** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Kantega SSO for JIRA** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot that shows the "Basic S A M L Configuration" with the "Identifier" and "Reply U R L" textbox highlighted and the "Save" button selected.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login`
+ `https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<UNIQUE_ID>/login`
b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login`
+ `https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<UNIQUE_ID>/login`
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Kantega SSO for JIRA Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login`
+ `https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<UNIQUE_ID>/login`
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. These values are received during the configuration of Jira plugin, which is explained later in the tutorial.
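Review bot: In the Basic SAML Configuration steps, the instruction lines "a. In the **Identifier** text box, type a URL using the following pattern:" and "In the **Sign-on URL** text box, type a URL using the following pattern:" are removed with no added counterpart, so as shown here two of the three `.../sp/<UNIQUE_ID>/login` patterns no longer say which field they belong to, while "b. In the **Reply URL** text box" is kept. Restore both labels above their patterns. The placeholder rename is also only half applied: `<UNIQUE_ID>` is now upper case but `<server-base-url>` in the same URL is not, so pick one style for both.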
To configure Azure AD single sign-on with Kantega SSO for JIRA, perform the foll
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure Kantega SSO for JIRA Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Kantega SSO for JIRA.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Kantega SSO for JIRA**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Kantega SSO for JIRA SSO
1. In a different web browser window, sign in to your JIRA on-premises server as an administrator.
-1. Hover on cog and click the **Add-ons**.
+1. However on cog and click the **Add-ons**.
- ![Screenshot that shows the "Cog" icon selected and "Add-ons" selected from the drop-down.](./media/kantegassoforjira-tutorial/addon1.png)
+ ![Screenshot that shows the "Cog" icon selected and "Add-ons" selected from the drop-down.](./media/kantegassoforjira-tutorial/settings.png)
1. Under Add-ons tab section, click **Find new add-ons**. Search **Kantega SSO for JIRA (SAML & Kerberos)** and click **Install** button to install the new SAML plugin.
- ![Screenshot that shows the "Find new Add-ons" section with "Kantego S S O for JIRA (S A M L & Kerberos)" in the search box and the "Install" button selected.](./media/kantegassoforjira-tutorial/addon2.png)
+ ![Screenshot that shows the "Find new Add-ons" section with "Kantego S S O for JIRA (S A M L & Kerberos)" in the search box and the "Install" button selected.](./media/kantegassoforjira-tutorial/install-tab.png)
1. The plugin installation starts.
- ![Screenshot that shows the plugin "Installing" dialog.](./media/kantegassoforjira-tutorial/addon3.png)
+ ![Screenshot that shows the plugin "Installing" dialog.](./media/kantegassoforjira-tutorial/installation.png)
1. Once the installation is complete. Click **Close**.
- ![Screenshot that shows the "Installed and ready to go!" dialog with the "Close" action selected.](./media/kantegassoforjira-tutorial/addon33.png)
+ ![Screenshot that shows the "Installed and ready to go!" dialog with the "Close" action selected.](./media/kantegassoforjira-tutorial/close-tab.png)
1. Click **Manage**.
- ![Screenshot that shows the "Kantega S S O" app page with the "Manage" button selected.](./media/kantegassoforjira-tutorial/addon34.png)
+ ![Screenshot that shows the "Kantega S S O" app page with the "Manage" button selected.](./media/kantegassoforjira-tutorial/manage-tab.png)
1. New plugin is listed under **INTEGRATIONS**. Click **Configure** to configure the new plugin.
- ![Screenshot that shows "INTEGRATIONS" in the left-side navigation menu highlighted and the "Configure" button selected in the "Manage add-ons" section.](./media/kantegassoforjira-tutorial/addon35.png)
+ ![Screenshot that shows "INTEGRATIONS" in the left-side navigation menu highlighted and the "Configure" button selected in the "Manage add-ons" section.](./media/kantegassoforjira-tutorial/integration.png)
1. In the **SAML** section. Select **Azure Active Directory (Azure AD)** from the **Add identity provider** dropdown.
- ![Screenshot that shows the "Add identity provider" drop-down with "Azure Active Directory (Azure A D)" selected.](./media/kantegassoforjira-tutorial/addon4.png)
+ ![Screenshot that shows the "Add identity provider" drop-down with "Azure Active Directory (Azure A D)" selected.](./media/kantegassoforjira-tutorial/identity-provider.png)
1. Select subscription level as **Basic**.
- ![Screenshot that shows the "Preparing Azure A D" section with "Basic" selected.](./media/kantegassoforjira-tutorial/addon5.png)
+ ![Screenshot that shows the "Preparing Azure A D" section with "Basic" selected.](./media/kantegassoforjira-tutorial/basic-tab.png)
1. On the **App properties** section, perform following steps:
- ![Screenshot that shows the "App properties" section with the "App I D U R L" textbox and copy button highlighted, and the "Next" button selected.](./media/kantegassoforjira-tutorial/addon6.png)
+ ![Screenshot that shows the "App properties" section with the "App I D U R L" textbox and copy button highlighted, and the "Next" button selected.](./media/kantegassoforjira-tutorial/properties.png)
1. Copy the **App ID URI** value and use it as **Identifier, Reply URL, and Sign-On URL** on the **Basic SAML Configuration** section in Azure portal.
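Review bot: The added step under "Configure Kantega SSO for JIRA SSO" replaces "Hover on cog" with "However on cog and click the **Add-ons**", a typo introduced by this change; the later unchanged step "Hover on cog and click the **User management**" shows the intended wording. Restore "Hover". Since the image lines are being rewritten for the new file names anyway, the alt text "Kantego S S O for JIRA" on the install-tab.png line could be corrected to "Kantega" in the same pass.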
To configure Azure AD single sign-on with Kantega SSO for JIRA, perform the foll
1. On the **Metadata import** section, perform following steps:
- ![Screenshot that shows the "Metadata import" section with "Metadata file on my computer" selected.](./media/kantegassoforjira-tutorial/addon7.png)
+ ![Screenshot that shows the "Metadata import" section with "Metadata file on my computer" selected.](./media/kantegassoforjira-tutorial/metadata.png)
1. Select **Metadata file on my computer**, and upload metadata file, which you have downloaded from Azure portal.
To configure Azure AD single sign-on with Kantega SSO for JIRA, perform the foll
1. On the **Name and SSO location** section, perform following steps:
- ![Screenshot that shows the "Name and S S O location" with the "Identity provider name" textbox highlighted, and the "Next" button selected.](./media/kantegassoforjira-tutorial/addon8.png)
+ ![Screenshot that shows the "Name and S S O location" with the "Identity provider name" textbox highlighted, and the "Next" button selected.](./media/kantegassoforjira-tutorial/location.png)
1. Add Name of the Identity Provider in **Identity provider name** textbox (e.g Azure AD).
To configure Azure AD single sign-on with Kantega SSO for JIRA, perform the foll
1. Verify the Signing certificate and click **Next**.
- ![Screenshot that shows the "Signature verification" section with the "Next" button selected.](./media/kantegassoforjira-tutorial/addon9.png)
+ ![Screenshot that shows the "Signature verification" section with the "Next" button selected.](./media/kantegassoforjira-tutorial/certificate.png)
1. On the **JIRA user accounts** section, perform following steps:
- ![Screenshot that shows the "JIRA user accounts" with the "Create users in JIRA's Internal Directory if needed" option highlighted and the "Next" button selected.](./media/kantegassoforjira-tutorial/addon10.png)
+ ![Screenshot that shows the "JIRA user accounts" with the "Create users in JIRA's Internal Directory if needed" option highlighted and the "Next" button selected.](./media/kantegassoforjira-tutorial/accounts.png)
1. Select **Create users in JIRA's internal Directory if needed** and enter the appropriate name of the group for users (can be multiple no. of groups separated by comma).
To configure Azure AD single sign-on with Kantega SSO for JIRA, perform the foll
1. Click **Finish**.
- ![Screenshot that shows the "Summary" section with teh "Finish" button selected.](./media/kantegassoforjira-tutorial/addon11.png)
+ ![Screenshot that shows the "Summary" section with teh "Finish" button selected.](./media/kantegassoforjira-tutorial/finish-tab.png)
1. On the **Known domains for Azure AD** section, perform following steps:
- ![Configure Single Sign-On](./media/kantegassoforjira-tutorial/addon12.png)
+ ![Configure Single Sign-On](./media/kantegassoforjira-tutorial/save-tab.png)
1. Select **Known domains** from the left panel of the page.
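Review bot: The alt text on the added finish-tab.png line still reads `teh "Finish" button`; the line is rewritten for the new file name, so correct it to "the" while it is being touched.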
To configure Azure AD single sign-on with Kantega SSO for JIRA, perform the foll
3. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- 1. In the **Name** field enter **BrittaSimon**.
-
- 1. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- 1. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- 1. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Kantega SSO for JIRA.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Kantega SSO for JIRA**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Kantega SSO for JIRA**.
-
- ![The Kantega SSO for JIRA link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Kantega SSO for JIRA test user To enable Azure AD users to sign in to JIRA, they must be provisioned into JIRA. In Kantega SSO for JIRA, provisioning is a manual task.
To enable Azure AD users to sign in to JIRA, they must be provisioned into JIRA.
1. Hover on cog and click the **User management**.
- ![Screenshot that shows the "Cog" icon selected, and "User management" selected from the drop-down.](./media/kantegassoforjira-tutorial/user1.png)
+ ![Screenshot that shows the "Cog" icon selected, and "User management" selected from the drop-down.](./media/kantegassoforjira-tutorial/user.png)
1. Under **User management** tab section, click **Create user**.
- ![Screenshot that shows the "User management" section with the "Create user" button selected.](./media/kantegassoforjira-tutorial/user2.png)
+ ![Screenshot that shows the "User management" section with the "Create user" button selected.](./media/kantegassoforjira-tutorial/create-user.png)
1. On the **ΓÇ£Create new userΓÇ¥** dialog page, perform the following steps:
- ![Add Employee](./media/kantegassoforjira-tutorial/user3.png)
+ ![Add Employee](./media/kantegassoforjira-tutorial/new-user.png)
1. In the **Email address** textbox, type the email address of user like Brittasimon@contoso.com.
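Review bot: The unchanged step "In the **Email address** textbox, type the email address of user like Brittasimon@contoso.com" no longer matches the rest of the tutorial, where this change renames the test user to **B.Simon** with the example user name `B.Simon@contoso.com`. The tutorial states that SSO needs a link between the Azure AD user and the related JIRA user, so update the example address here to the same value; otherwise a reader following both sections provisions two accounts that do not correspond.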
To enable Azure AD users to sign in to JIRA, they must be provisioned into JIRA.
5. Click **Create user**.
-### Test single sign-on
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Kantega SSO for JIRA Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Kantega SSO for JIRA Sign-on URL directly and initiate the login flow from there.
-When you click the Kantega SSO for JIRA tile in the Access Panel, you should be automatically signed in to the Kantega SSO for JIRA for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Kantega SSO for JIRA for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Kantega SSO for JIRA tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Kantega SSO for JIRA for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Kantega SSO for JIRA you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
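Review bot: The added "#### SP initiated:" and "#### IDP initiated:" headings sit directly under "## Test SSO", skipping a heading level, and carry a trailing colon that the other headings added in this change do not; make them "###" without the colon. In the same section the two SP-initiated bullets write the field as "Sign on URL" and "Sign-on URL"; use one form, matching the "Sign-on URL" label used in the Basic SAML Configuration steps.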
active-directory Kisi Physical Security Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/kisi-physical-security-tutorial.md
Previously updated : 06/08/2020 Last updated : 06/02/2021
In this tutorial, you'll learn how to integrate Kisi Physical Security with Azur
* Enable your users to be automatically signed-in to Kisi Physical Security with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Kisi Physical Security supports **SP and IDP** initiated SSO
-* Kisi Physical Security supports **Just In Time** user provisioning
+* Kisi Physical Security supports **SP and IDP** initiated SSO.
+* Kisi Physical Security supports **Just In Time** user provisioning.
-* Once you configure Kisi Physical Security you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Kisi Physical Security from the gallery
+## Add Kisi Physical Security from the gallery
To configure the integration of Kisi Physical Security into Azure AD, you need to add Kisi Physical Security from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Kisi Physical Security** in the search box. 1. Select **Kisi Physical Security** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Kisi Physical Security
+## Configure and test Azure AD SSO for Kisi Physical Security
Configure and test Azure AD SSO with Kisi Physical Security using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Kisi Physical Security.
-To configure and test Azure AD SSO with Kisi Physical Security, complete the following building blocks:
+To configure and test Azure AD SSO with Kisi Physical Security, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Kisi Physical Security, complete the fol
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Kisi Physical Security** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Kisi Physical Security** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type the URL:
`https://api.kisi.io/saml/metadata` b. In the **Reply URL** text box, type a URL using the following pattern:
Follow these steps to enable Azure AD SSO in the Azure portal.
`https://web.kisi.io/organizations/sign_in?domain=<DOMAIN>` > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Kisi Physical Security Client support team](mailto:support@getkisi.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Reply URL and Sign-on URL. Contact [Kisi Physical Security Client support team](mailto:support@getkisi.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Kisi Physical Security application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Kisi Physical Security**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Kisi Physical Security SSO
In this section, a user called Britta Simon is created in Kisi Physical Security
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Kisi Physical Security tile in the Access Panel, you should be automatically signed in to the Kisi Physical Security for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Kisi Physical Security Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Kisi Physical Security Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Kisi Physical Security for which you set up the SSO.
-- [Try Kisi Physical Security with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Kisi Physical Security tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Kisi Physical Security for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Kisi Physical Security with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Kisi Physical Security you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
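Review bot: In the added "Next steps" paragraph, "enforce session control, which protects exfiltration and infiltration of" reads as if the control protects the exfiltration itself. The sentence is carried over from the removed Scenario description bullet with only "extend" corrected to "extends"; change it to "protects against exfiltration and infiltration" as well. The link target also moves from `/cloud-app-security/proxy-deployment-any-app` to `/cloud-app-security/proxy-deployment-aad`; confirm that the new target is the intended one for this app.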
active-directory Kudos Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/kudos-tutorial.md
Previously updated : 03/26/2019 Last updated : 05/28/2021 # Tutorial: Azure Active Directory integration with Kudos
-In this tutorial, you learn how to integrate Kudos with Azure Active Directory (Azure AD).
-Integrating Kudos with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Kudos with Azure Active Directory (Azure AD). When you integrate Kudos with Azure AD, you can:
-* You can control in Azure AD who has access to Kudos.
-* You can enable your users to be automatically signed-in to Kudos (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Kudos.
+* Enable your users to be automatically signed-in to Kudos with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Kudos, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Kudos single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Kudos single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Kudos supports **SP** initiated SSO
-
-## Adding Kudos from the gallery
-
-To configure the integration of Kudos into Azure AD, you need to add Kudos from the gallery to your list of managed SaaS apps.
-
-**To add Kudos from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Kudos**, select **Kudos** from result panel then click **Add** button to add the application.
+* Kudos supports **SP** initiated SSO.
- ![Kudos in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Kudos based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Kudos needs to be established.
-
-To configure and test Azure AD single sign-on with Kudos, you need to complete the following building blocks:
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Kudos Single Sign-On](#configure-kudos-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Kudos test user](#create-kudos-test-user)** - to have a counterpart of Britta Simon in Kudos that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Add Kudos from the gallery
-### Configure Azure AD single sign-on
+To configure the integration of Kudos into Azure AD, you need to add Kudos from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Kudos** in the search box.
+1. Select **Kudos** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with Kudos, perform the following steps:
+## Configure and test Azure AD SSO for Kudos
-1. In the [Azure portal](https://portal.azure.com/), on the **Kudos** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with Kudos using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Kudos.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with Kudos, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Kudos SSO](#configure-kudos-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Kudos test user](#create-kudos-test-user)** - to have a counterpart of B.Simon in Kudos that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+## Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+1. In the Azure portal, on the **Kudos** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- ![Kudos Domain and URLs single sign-on information](common/sp-signonurl.png)
+4. On the **Basic SAML Configuration** section, perform the following step:
In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<company>.kudosnow.com`
+ `https://<COMPANY>.kudosnow.com`
> [!NOTE] > The value is not real. Update the value with the actual Sign-On URL. Contact [Kudos Client support team](http://success.kudosnow.com/home) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
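Review bot: The added step `4. On the **Basic SAML Configuration** section, perform the following step:` is hard-numbered, while the three steps added just above it under **Configure Azure AD SSO** all use `1.` auto-numbering. Use `1.` here as well so the list stays correct if a step is later inserted or removed. The same hunk renames the placeholder to `<COMPANY>`, which is fine, but the step now contains a single action, so consider folding the Sign-on URL instruction into the numbered item rather than leaving it as an unlabelled paragraph beneath it.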
To configure Azure AD single sign-on with Kudos, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
- b. Azure AD Identifier
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Kudos.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Kudos**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Kudos Single Sign-On
+## Configure Kudos SSO
1. In a different web browser window, sign into your Kudos company site as an administrator. 1. In the menu on the top, click **Settings icon**.
- ![Settings](./media/kudos-tutorial/ic787806.png "Settings")
+ ![Settings](./media/kudos-tutorial/menu.png "Settings")
1. Click **Integrations > SSO** and perform the following steps:
- ![SSO](./media/kudos-tutorial/ic787807.png "SSO")
+ ![SSO](./media/kudos-tutorial/account.png "SSO")
a. In **Sign on URL** textbox, paste the value of **Login URL** which you have copied from Azure portal.
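Review bot: Removing the `a. Login URL`, `b. Azure AD Identifier` and `c. Logout URL` items beneath the "Copy configuration URLs" screenshot leaves that step, as far as the visible lines show, without the names of the values to copy, yet step a. of **Configure Kudos SSO** still tells the reader to paste the **Login URL** "which you have copied from Azure portal". Either keep the three items or make sure the sentence introducing the screenshot names the values, so the later step has something to refer back to. The new **Create an Azure AD test user** heading is also inserted directly after that screenshot at `###` level, so it is worth checking that the SAML certificate and URL-copy steps still read as part of **Configure Azure AD SSO** and not as an orphaned fragment.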
To configure Azure AD single sign-on with Kudos, perform the following steps:
e. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Kudos.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Kudos**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Kudos**.
-
- ![The Kudos link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Kudos test user In order to enable Azure AD users to sign in to Kudos, they must be provisioned into Kudos. In the case of Kudos, provisioning is a manual task.
In order to enable Azure AD users to sign in to Kudos, they must be provisioned
1. In the menu on the top, click **Settings icon**.
- ![Settings](./media/kudos-tutorial/ic787806.png "Settings")
+ ![Settings](./media/kudos-tutorial/menu.png "Settings")
1. Click **User Admin**. 1. Click the **Users** tab, and then click **Add a User**.
- ![User Admin](./media/kudos-tutorial/ic787809.png "User Admin")
+ ![User Admin](./media/kudos-tutorial/users.png "User Admin")
1. In the **Add a User** section, perform the following steps:
- ![Add a User](./media/kudos-tutorial/ic787810.png "Add a User")
+ ![Add a User](./media/kudos-tutorial/create-users.png "Add a User")
a. Type the **First Name**, **Last Name**, **Email** and other details of a valid Azure Active Directory account you want to provision into the related textboxes.
In order to enable Azure AD users to sign in to Kudos, they must be provisioned
> [!NOTE] > You can use any other Kudos user account creation tools or APIs provided by Kudos to provision Azure AD user accounts.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Kudos tile in the Access Panel, you should be automatically signed in to the Kudos for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Kudos Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Kudos Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Kudos tile in the My Apps, this will redirect to Kudos Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Kudos you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
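Review bot: In the new **Next steps** paragraph, "protects exfiltration and infiltration of your organization's sensitive data" says the opposite of what is meant; it should read "protects against exfiltration and infiltration". The apostrophe in that line appears as `organizationΓÇÖs`, which points to a typographic apostrophe being mis-encoded, so save the file as UTF-8 or use a plain ASCII apostrophe. In the **Test SSO** intro, "with following options" needs an article ("with the following options"), and "the My Apps" in the last bullet should be "My Apps".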
active-directory Linkedinelevate Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/linkedinelevate-tutorial.md
Previously updated : 10/21/2019 Last updated : 06/03/2021
In this tutorial, you'll learn how to integrate LinkedIn Elevate with Azure Acti
* Enable your users to be automatically signed-in to LinkedIn Elevate with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
+* LinkedIn Elevate supports **SP and IDP** initiated SSO.
+* LinkedIn Elevate supports **Just In Time** user provisioning.
+* LinkedIn Elevate supports [**Automated** user provisioning](linkedinelevate-provisioning-tutorial.md).
-
-* LinkedIn Elevate supports **SP and IDP** initiated SSO
-* LinkedIn Elevate supports **Just In Time** user provisioning
-* LinkedIn Elevate supports [**Automated** user provisioning](linkedinelevate-provisioning-tutorial.md)
-
-## Adding LinkedIn Elevate from the gallery
+## Add LinkedIn Elevate from the gallery
To configure the integration of LinkedIn Elevate into Azure AD, you need to add LinkedIn Elevate from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **LinkedIn Elevate** in the search box. 1. Select **LinkedIn Elevate** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for LinkedIn Elevate
+## Configure and test Azure AD SSO for LinkedIn Elevate
Configure and test Azure AD SSO with LinkedIn Elevate using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in LinkedIn Elevate.
-To configure and test Azure AD SSO with LinkedIn Elevate, complete the following building blocks:
+To configure and test Azure AD SSO with LinkedIn Elevate, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with LinkedIn Elevate, complete the following
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **LinkedIn Elevate** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **LinkedIn Elevate** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, enter the **Entity ID** value, you will copy Entity ID value from the Linkedin Portal explained later in this tutorial.
Follow these steps to enable Azure AD SSO in the Azure portal.
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://www.linkedin.com/checkpoint/enterprise/login/<AccountId>?application=elevate&applicationInstanceId=<InstanceId>`
+ `https://www.linkedin.com/checkpoint/enterprise/login/<ACCOUNT_ID>?application=elevate&applicationInstanceId=<INSTANCE_ID>`
1. LinkedIn Elevate application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes, where as **nameidentifier** is mapped with **user.userprincipalname**. LinkedIn Elevate application expects nameidentifier to be mapped with **user.mail**, so you need to edit the attribute mapping by clicking on Edit icon and change the attribute mapping.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **LinkedIn Elevate**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure LinkedIn Elevate SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In **Account Center**, click **Global Settings** under **Settings**. Also, select **Elevate - Elevate AAD Test** from the dropdown list.
- ![Screenshot shows the Global Settings where you can select Elevate A A D Test.](./media/linkedinelevate-tutorial/tutorial_linkedin_admin_01.png)
+ ![Screenshot shows the Global Settings where you can select Elevate A A D Test.](./media/linkedinelevate-tutorial/admin.png)
1. Click on **OR Click Here to load and copy individual fields from the form** and perform the following steps:
- ![Screenshot shows Single Sign-On where you can enter the values described.](./media/linkedinelevate-tutorial/tutorial_linkedin_admin_03.png)
+ ![Screenshot shows Single Sign-On where you can enter the values described.](./media/linkedinelevate-tutorial/test.png)
a. Copy **Entity ID** and paste it into the **Identifier** text box in the **Basic SAML Configuration** in the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Go to **LinkedIn Admin Settings** section. Upload the XML file that you have downloaded from the Azure portal by clicking on the Upload XML file option.
- ![Screenshot shows Configure the LinkedIn service provider S S O settings where you can upload an X M L file.](./media/linkedinelevate-tutorial/tutorial_linkedin_metadata_03.png)
+ ![Screenshot shows Configure the LinkedIn service provider S S O settings where you can upload an X M L file.](./media/linkedinelevate-tutorial/metadata.png)
-1. Click **On** to enable SSO. SSO status will change from **Not Connected** to **Connected**
+1. Click **On** to enable SSO. SSO status will change from **Not Connected** to **Connected**.
- ![Screenshot shows Single Sign-On where you can select Automatically assign licenses.](./media/linkedinelevate-tutorial/tutorial_linkedin_admin_05.png)
+ ![Screenshot shows Single Sign-On where you can select Automatically assign licenses.](./media/linkedinelevate-tutorial/connected.png)
### Create LinkedIn Elevate test user LinkedIn Elevate Application supports Just in time user provisioning and after authentication users will be created in the application automatically. On the admin settings page on the LinkedIn Elevate portal flip the switch **Automatically Assign licenses** to active Just in time provisioning and this will also assign a license to the user. LinkedIn Elevate also supports automatic user provisioning, you can find more details [here](linkedinelevate-provisioning-tutorial.md) on how to configure automatic user provisioning.
- ![Creating an Azure AD test user](./media/linkedinelevate-tutorial/LinkedinUserprovswitch.png)
+ ![Creating an Azure AD test user](./media/linkedinelevate-tutorial/switch.png)
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to LinkedIn Elevate Sign on URL where you can initiate the login flow.
-When you click the LinkedIn Elevate tile in the Access Panel, you should be automatically signed in to the LinkedIn Elevate for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to LinkedIn Elevate Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the LinkedIn Elevate for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the LinkedIn Elevate tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the LinkedIn Elevate for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try LinkedIn Elevate with Azure AD](https://aad.portal.azure.com/)
+Once you configure LinkedIn Elevate you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
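Review bot: The new `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO`, skipping the `###` level, and carry a trailing colon. Use `###` without the colon, or plain bold labels, so the heading hierarchy and generated anchors stay consistent with the rest of the article. The two bullets under **SP initiated** also disagree on spelling ("Sign on URL" versus "Sign-on URL"); pick one. The `organizationΓÇÖs` apostrophe in the **Next steps** line is mis-encoded and should be replaced with a plain apostrophe.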
active-directory Liquidfiles Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/liquidfiles-tutorial.md
Previously updated : 04/14/2019 Last updated : 06/02/2021 # Tutorial: Azure Active Directory integration with LiquidFiles
-In this tutorial, you learn how to integrate LiquidFiles with Azure Active Directory (Azure AD).
-Integrating LiquidFiles with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate LiquidFiles with Azure Active Directory (Azure AD). When you integrate LiquidFiles with Azure AD, you can:
-* You can control in Azure AD who has access to LiquidFiles.
-* You can enable your users to be automatically signed-in to LiquidFiles (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to LiquidFiles.
+* Enable your users to be automatically signed-in to LiquidFiles with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with LiquidFiles, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* LiquidFiles single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* LiquidFiles single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* LiquidFiles supports **SP** initiated SSO
+* LiquidFiles supports **SP** initiated SSO.
-## Adding LiquidFiles from the gallery
+## Add LiquidFiles from the gallery
To configure the integration of LiquidFiles into Azure AD, you need to add LiquidFiles from the gallery to your list of managed SaaS apps.
-**To add LiquidFiles from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **LiquidFiles**, select **LiquidFiles** from result panel then click **Add** button to add the application.
-
- ![LiquidFiles in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with LiquidFiles based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in LiquidFiles needs to be established.
-
-To configure and test Azure AD single sign-on with LiquidFiles, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure LiquidFiles Single Sign-On](#configure-liquidfiles-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create LiquidFiles test user](#create-liquidfiles-test-user)** - to have a counterpart of Britta Simon in LiquidFiles that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **LiquidFiles** in the search box.
+1. Select **LiquidFiles** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
+## Configure and test Azure AD SSO for LiquidFiles
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Configure and test Azure AD SSO with LiquidFiles using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in LiquidFiles.
-To configure Azure AD single sign-on with LiquidFiles, perform the following steps:
+To configure and test Azure AD SSO with LiquidFiles, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **LiquidFiles** application integration page, select **Single sign-on**.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure LiquidFiles SSO](#configure-liquidfiles-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create LiquidFiles test user](#create-liquidfiles-test-user)** - to have a counterpart of B.Simon in LiquidFiles that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Configure single sign-on link](common/select-sso.png)
+## Configure Azure AD SSO
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Single sign-on select mode](common/select-saml-option.png)
+1. In the Azure portal, on the **LiquidFiles** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![LiquidFiles Domain and URLs single sign-on information](common/sp-identifier-reply.png)
-
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<YOUR_SERVER_URL>/saml/init`
-
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
`https://<YOUR_SERVER_URL>`
- c. In the **Reply URL** textbox, type a URL using the following pattern: `https://<YOUR_SERVER_URL>/saml/consume`
+ b. In the **Reply URL** textbox, type a URL using the following pattern: `https://<YOUR_SERVER_URL>/saml/consume`
+
+ c. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<YOUR_SERVER_URL>/saml/init`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [LiquidFiles Client support team](https://www.liquidfiles.com/support.html) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier,Reply URL and Sign on URL. Contact [LiquidFiles Client support team](https://www.liquidfiles.com/support.html) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
5. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog.
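Review bot: the rewritten NOTE reads "the actual Identifier,Reply URL and Sign on URL", with no space after the comma; make it "Identifier, Reply URL and Sign on URL". In the same hunk the new steps are numbered "1." three times while the unchanged steps that follow keep explicit "4." and "5."; pick one numbering style for the whole list so a later insertion does not leave the explicit numbers out of sequence.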
To configure Azure AD single sign-on with LiquidFiles, perform the following ste
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Azure AD Identifier
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to LiquidFiles.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **LiquidFiles**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure LiquidFiles Single Sign-On
+## Configure LiquidFiles SSO
1. Sign-on to your LiquidFiles company site as administrator. 1. Click **Single Sign-On** in the **Admin > Configuration** from the menu.
-1. On the **Single Sign-On Configuration** page, perform the following steps
+1. On the **Single Sign-On Configuration** page, perform the following steps.
- ![Configure Single Sign-On](./media/liquidfiles-tutorial/tutorial_single_01.png)
+ ![Configure Single Sign-On](./media/liquidfiles-tutorial/configuration.png)
a. As **Single Sign On Method**, select **SAML 2**.
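Review bot: the three removed items after the "Copy configuration URLs" screenshot ("a. Login URL", "b. Azure AD Identifier", "c. Logout URL") were the only text naming which values to copy, and the new "### Create an Azure AD test user" heading now follows the image directly. The LiquidFiles steps still say to paste "the value of **Logout URL**, which you have copied from Azure portal", so keep the list, or name the values in the sentence that introduces the screenshot, so the reader is not relying on the image alone.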
To configure Azure AD single sign-on with LiquidFiles, perform the following ste
c. In the **IDP Logout URL** textbox, paste the value of **Logout URL**, which you have copied from Azure portal.
- d. In the **IDP Cert Fingerprint** textbox, paste the **THUMBPRINT** value which you have copied from Azure portal..
+ d. In the **IDP Cert Fingerprint** textbox, paste the **THUMBPRINT** value which you have copied from Azure portal.
e. In the Name Identifier Format textbox, type the value `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`.
To configure Azure AD single sign-on with LiquidFiles, perform the following ste
g. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to LiquidFiles.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **LiquidFiles**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **LiquidFiles**.
-
- ![The LiquidFiles link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create LiquidFiles test user The objective of this section is to create a user called Britta Simon in LiquidFiles. Work with your LiquidFiles server administrator to get yourself added as a user before logging in to your LiquidFiles application.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the LiquidFiles tile in the Access Panel, you should be automatically signed in to the LiquidFiles for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to LiquidFiles Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to LiquidFiles Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the LiquidFiles tile in the My Apps, this will redirect to LiquidFiles Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure LiquidFiles you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
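Review bot: the unchanged "### Create LiquidFiles test user" section still says "create a user called Britta Simon in LiquidFiles", while every section this hunk adds or keeps elsewhere now uses B.Simon. Rename the user there as well so the Azure AD test user and its LiquidFiles counterpart match. That heading also stays at level 3 directly under "## Configure LiquidFiles SSO", which is consistent with the new outline, so only the name needs to change.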
active-directory Panopto Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/panopto-tutorial.md
Previously updated : 03/17/2019 Last updated : 05/28/2021 # Tutorial: Azure Active Directory integration with Panopto
-In this tutorial, you learn how to integrate Panopto with Azure Active Directory (Azure AD).
-Integrating Panopto with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Panopto with Azure Active Directory (Azure AD). When you integrate Panopto with Azure AD, you can:
-* You can control in Azure AD who has access to Panopto.
-* You can enable your users to be automatically signed-in to Panopto (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Panopto.
+* Enable your users to be automatically signed-in to Panopto with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Panopto, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Panopto single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Panopto single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Panopto supports **SP** initiated SSO
-
-* Panopto supports **Just In Time** user provisioning
-
-## Adding Panopto from the gallery
-
-To configure the integration of Panopto into Azure AD, you need to add Panopto from the gallery to your list of managed SaaS apps.
-
-**To add Panopto from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
+* Panopto supports **SP** initiated SSO.
-4. In the search box, type **Panopto**, select **Panopto** from result panel then click **Add** button to add the application.
+* Panopto supports **Just In Time** user provisioning.
- ![Panopto in the results list](common/search-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Configure and test Azure AD single sign-on
+## Add Panopto from the gallery
-In this section, you configure and test Azure AD single sign-on with Panopto based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Panopto needs to be established.
-
-To configure and test Azure AD single sign-on with Panopto, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Panopto Single Sign-On](#configure-panopto-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Panopto test user](#create-panopto-test-user)** - to have a counterpart of Britta Simon in Panopto that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Panopto into Azure AD, you need to add Panopto from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Panopto** in the search box.
+1. Select **Panopto** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Panopto
-To configure Azure AD single sign-on with Panopto, perform the following steps:
+Configure and test Azure AD SSO with Panopto using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Panopto.
-1. In the [Azure portal](https://portal.azure.com/), on the **Panopto** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Panopto, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Panopto SSO](#configure-panopto-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Panopto test user](#create-panopto-test-user)** - to have a counterpart of B.Simon in Panopto that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Panopto** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Panopto Domain and URLs single sign-on information](common/sp-signonurl.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<tenant-name>.panopto.com`
+ `https://<TENANT_NAME>.panopto.com`
> [!NOTE] > The value is not real. Update the value with the actual Sign-On URL. Contact [Panopto Client support team](mailto:support@panopto.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
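Review bot: the first new step under "## Add Panopto from the gallery" tells the reader to sign in with "a work or school account, or a personal Microsoft account", but neither that step nor the Prerequisites list (an Azure AD subscription and a Panopto SSO-enabled subscription) says which directory role the account needs in order to add an enterprise application and edit its SAML settings. State the required role in Prerequisites so readers do not attempt this with an unprivileged account or reach for a more privileged one than necessary. Minor wording in the same list: "To add new application" should read "To add a new application".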
To configure Azure AD single sign-on with Panopto, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Panopto.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Panopto**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Panopto Single Sign-On
+## Configure Panopto SSO
1. In a different web browser window, log in to your Panopto company site as an administrator. 2. In the toolbar on the left, click **System**, and then click **Identity Providers**.
- ![System](./media/panopto-tutorial/ic777670.png "System")
+ ![System](./media/panopto-tutorial/toolbar.png "System")
3. Click **Add Provider**.
- ![Identity Providers](./media/panopto-tutorial/ic777671.png "Identity Providers")
+ ![Identity Providers](./media/panopto-tutorial/provider.png "Identity Providers")
4. In the SAML provider section, perform the following steps:
- ![SaaS configuration](./media/panopto-tutorial/ic777672.png "SaaS configuration")
+ ![SaaS configuration](./media/panopto-tutorial/configuration.png "SaaS configuration")
a. From the **Provider Type** list, select **SAML20**.
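Review bot: the added step "Select the **Show password** check box, and then write down the value that's displayed in the **Password** box" leaves B.Simon as an account with a recorded password and an assignment to Panopto, and nothing in the added "## Test SSO" or "## Next steps" text says what to do with it once the test passes. Add a closing line telling the reader to delete or disable the test user, or at least remove its assignment, after SSO is verified.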
To configure Azure AD single sign-on with Panopto, perform the following steps:
5. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Panopto.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Panopto**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Panopto**.
-
- ![The Panopto link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Panopto test user In this section, a user called Britta Simon is created in Panopto. Panopto supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Panopto, a new one is created after authentication.
In this section, a user called Britta Simon is created in Panopto. Panopto suppo
>You can use any other Panopto user account creation tools or APIs provided by Panopto to provision Azure AD user accounts. >
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Panopto tile in the Access Panel, you should be automatically signed in to the Panopto for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Panopto Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Panopto Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Panopto tile in the My Apps, this will redirect to Panopto Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Panopto you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
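Review bot: two wording problems in the added text. "you test your Azure AD single sign-on configuration with following options" is missing "the", and in "## Next steps" the phrase "session control, which protects exfiltration and infiltration of your organization's sensitive data" says the opposite of what is meant; it should be "protects against exfiltration and infiltration". The apostrophe in "organization's" is also a typographic character that shows up here as "ΓÇÖ"; a plain ASCII apostrophe in the source avoids that.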
active-directory Picturepark Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/picturepark-tutorial.md
Previously updated : 04/18/2019 Last updated : 06/01/2021 # Tutorial: Azure Active Directory integration with Picturepark
-In this tutorial, you learn how to integrate Picturepark with Azure Active Directory (Azure AD).
-Integrating Picturepark with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Picturepark with Azure Active Directory (Azure AD). When you integrate Picturepark with Azure AD, you can:
-* You can control in Azure AD who has access to Picturepark.
-* You can enable your users to be automatically signed-in to Picturepark (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Picturepark.
+* Enable your users to be automatically signed-in to Picturepark with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Picturepark, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Picturepark single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Picturepark single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Picturepark supports **SP** initiated SSO
+* Picturepark supports **SP** initiated SSO.
-## Adding Picturepark from the gallery
+## Add Picturepark from the gallery
To configure the integration of Picturepark into Azure AD, you need to add Picturepark from the gallery to your list of managed SaaS apps.
-**To add Picturepark from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Picturepark**, select **Picturepark** from result panel then click **Add** button to add the application.
-
- ![Picturepark in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Picturepark based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Picturepark needs to be established.
-
-To configure and test Azure AD single sign-on with Picturepark, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Picturepark Single Sign-On](#configure-picturepark-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Picturepark test user](#create-picturepark-test-user)** - to have a counterpart of Britta Simon in Picturepark that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Picturepark** in the search box.
+1. Select **Picturepark** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
+## Configure and test Azure AD SSO for Picturepark
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Configure and test Azure AD SSO with Picturepark using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Picturepark.
-To configure Azure AD single sign-on with Picturepark, perform the following steps:
+To configure and test Azure AD SSO with Picturepark, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **Picturepark** application integration page, select **Single sign-on**.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Picturepark SSO](#configure-picturepark-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Picturepark test user](#create-picturepark-test-user)** - to have a counterpart of B.Simon in Picturepark that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Configure single sign-on link](common/select-sso.png)
+## Configure Azure AD SSO
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Single sign-on select mode](common/select-saml-option.png)
+1. In the Azure portal, on the **Picturepark** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Picturepark Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<companyname>.picturepark.com`
-
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** text box, type a URL using one of the following patterns:
- ```http
- https://<companyname>.current-picturepark.com
- https://<companyname>.picturepark.com
- https://<companyname>.next-picturepark.com
- ```
+ | Identifier URL |
+ ||
+ |`https://<COMPANY_NAME>.current-picturepark.com`|
+ |`https://<COMPANY_NAME>.picturepark.com`|
+ |`https://<COMPANY_NAME>.next-picturepark.com`|
+ |
+
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<COMPANY_NAME>.picturepark.com`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Picturepark Client support team](https://picturepark.com/company/picturepark-customer-support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [Picturepark Client support team](https://picturepark.com/company/picturepark-customer-support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
5. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog.
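Review bot: the table that replaces the fenced list of Identifier patterns is malformed as written: its delimiter row is `||` rather than `|---|`, and it ends with a line containing only `|`. Depending on the renderer this either shows the pipes literally or adds an empty row. Use a proper delimiter row and drop the trailing `|` line, or keep the original fenced block, which already presented the three patterns clearly.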
To configure Azure AD single sign-on with Picturepark, perform the following ste
> [!Note] > _my_directory_id_ is the tenant id of Azure AD subscription.
- ![Copy configuration URLs](./media/picturepark-tutorial/configurls.png)
+ ![Copy configuration URLs](./media/picturepark-tutorial/configure.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- a. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Logout URL
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Picturepark.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Picturepark**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Picturepark Single Sign-On
+## Configure Picturepark SSO
1. In a different web browser window, sign into your Picturepark company site as an administrator. 2. In the toolbar on the top, click **Administrative tools**, and then click **Management Console**.
- ![Management Console](./media/picturepark-tutorial/ic795062.png "Management Console")
+ ![Management Console](./media/picturepark-tutorial/tools.png "Management Console")
3. Click **Authentication**, and then click **Identity providers**.
- ![Authentication](./media/picturepark-tutorial/ic795063.png "Authentication")
+ ![Authentication](./media/picturepark-tutorial/identity-provider.png "Authentication")
4. In the **Identity provider configuration** section, perform the following steps:
- ![Identity provider configuration](./media/picturepark-tutorial/ic795064.png "Identity provider configuration")
+ ![Identity provider configuration](./media/picturepark-tutorial/add-configuration.png "Identity provider configuration")
a. Click **Add**.
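Review bot: The added step "Select the **Show password** check box, and then write down the value" gives no guidance on handling that credential. Consider stating that it is needed only for the test sign-in, and add a line telling the reader to delete or disable B.Simon once the SSO test is finished, so a test account with a noted-down password is not left assigned to the application.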
To configure Azure AD single sign-on with Picturepark, perform the following ste
6. To set the **Emailaddress** attribute in the **Claim** textbox, type `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` and click **Save**.
- ![Configuration](./media/picturepark-tutorial/ic795065.png "Configuration")
-
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Picturepark.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Picturepark**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Picturepark**.
-
- ![The Picturepark link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+ ![Configuration](./media/picturepark-tutorial/claim.png "Configuration")
### Create Picturepark test user
In order to enable Azure AD users to sign into Picturepark, they must be provisi
1. In the toolbar on the top, click **Administrative tools**, and then click **Users**.
- ![Users](./media/picturepark-tutorial/ic795067.png "Users")
+ ![Users](./media/picturepark-tutorial/user.png "Users")
1. In the **Users overview** tab, click **New**.
- ![User management](./media/picturepark-tutorial/ic795068.png "User management")
+ ![User management](./media/picturepark-tutorial/new-user.png "User management")
1. On the **Create User** dialog, perform the following steps of a valid Azure Active Directory User you want to provision:
- ![Create User](./media/picturepark-tutorial/ic795069.png "Create User")
+ ![Create User](./media/picturepark-tutorial/details.png "Create User")
a. In the **Email Address** textbox, type the **email address** of the user `BrittaSimon@contoso.com`.
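Review bot: Step a in the trailing context still provisions `BrittaSimon@contoso.com`, but this change renames the Azure AD test user to `B.Simon@contoso.com`. The Picturepark account is meant to be the counterpart of the Azure AD user being tested, so update this step and the rest of "Create Picturepark test user" to B.Simon; otherwise a reader following the tutorial end to end provisions an account that does not match the user they just assigned.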
In order to enable Azure AD users to sign into Picturepark, they must be provisi
>You can use any other Picturepark user account creation tools or APIs provided by Picturepark to provision Azure AD user accounts. >
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Picturepark tile in the Access Panel, you should be automatically signed in to the Picturepark for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Picturepark Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Picturepark Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Picturepark tile in the My Apps, this will redirect to Picturepark Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Picturepark you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
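Review bot: In the new "Next steps" paragraph, "protects exfiltration and infiltration of your organization's sensitive data" reads as the opposite of what is meant; it should be "protects against exfiltration and infiltration". The paragraph leans on Conditional Access while the same hunk removes the only link to the Conditional Access overview, so consider linking the term inline. The intro line "with following options" is also missing "the".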
active-directory Pingboard Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/pingboard-tutorial.md
Previously updated : 03/25/2019 Last updated : 06/01/2021 # Tutorial: Azure Active Directory integration with Pingboard
-In this tutorial, you learn how to integrate Pingboard with Azure Active Directory (Azure AD).
-Integrating Pingboard with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Pingboard with Azure Active Directory (Azure AD). When you integrate Pingboard with Azure AD, you can:
-* You can control in Azure AD who has access to Pingboard.
-* You can enable your users to be automatically signed-in to Pingboard (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Pingboard.
+* Enable your users to be automatically signed-in to Pingboard with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Pingboard, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Pingboard single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Pingboard single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Pingboard supports **SP** and **IDP** initiated SSO
-
-* Pingboard supports [Automated user provisioning](./pingboard-provisioning-tutorial.md)
-
-## Adding Pingboard from the gallery
-
-To configure the integration of Pingboard into Azure AD, you need to add Pingboard from the gallery to your list of managed SaaS apps.
-
-**To add Pingboard from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Pingboard**, select **Pingboard** from result panel then click **Add** button to add the application.
+* Pingboard supports **SP** and **IDP** initiated SSO.
- ![Pingboard in the results list](common/search-new-app.png)
+* Pingboard supports [Automated user provisioning](./pingboard-provisioning-tutorial.md).
-## Configure and test Azure AD single sign-on
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-In this section, you configure and test Azure AD single sign-on with Pingboard based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Pingboard needs to be established.
+## Add Pingboard from the gallery
-To configure and test Azure AD single sign-on with Pingboard, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Pingboard Single Sign-On](#configure-pingboard-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Pingboard test user](#create-pingboard-test-user)** - to have a counterpart of Britta Simon in Pingboard that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Pingboard into Azure AD, you need to add Pingboard from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Pingboard** in the search box.
+1. Select **Pingboard** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Pingboard
-To configure Azure AD single sign-on with Pingboard, perform the following steps:
+Configure and test Azure AD SSO with Pingboard using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Pingboard.
-1. In the [Azure portal](https://portal.azure.com/), on the **Pingboard** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Pingboard, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Pingboard SSO](#configure-pingboard-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Pingboard test user](#create-pingboard-test-user)** - to have a counterpart of B.Simon in Pingboard that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Pingboard** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot that shows the "Basic S A M L Configuration" with the "Identifier" and "Reply U R L" text boxes highlighted and the "Save" button selected.](common/idp-intiated.png)
-
- a. In the **Identifier** text box, type a URL:
+ a. In the **Identifier** text box, type the URL:
`http://app.pingboard.com/sp` b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<entity-id>.pingboard.com/auth/saml/consume`
+ `https://<ENTITY_ID>.pingboard.com/auth/saml/consume`
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Pingboard Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<sub-domain>.pingboard.com/sign_in`
+ `https://<SUBDOMAIN>.pingboard.com/sign_in`
> [!NOTE] > These values are not real. Update these values with the actual Reply URL and Sign-on URL. Contact [Pingboard Client support team](https://support.pingboard.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
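Review bot: The Reply URL placeholder is renamed to `<ENTITY_ID>`, which collides with the SAML Identifier (Entity ID) field that the new note says is a fixed string and that step a sets to `http://app.pingboard.com/sp`. A reader could paste the identifier into the host name. The Sign-on URL uses `<SUBDOMAIN>` in the same position; if both placeholders stand for the same tenant host label, use `<SUBDOMAIN>` in both patterns, and if they differ, say what each one is.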
To configure Azure AD single sign-on with Pingboard, perform the following steps
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Pingboard.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Pingboard**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Pingboard Single Sign-On
+## Configure Pingboard SSO
1. To configure SSO on Pingboard side, open a new browser window and sign in to your Pingboard Account. You must be a Pingboard admin to set up single sign on. 2. From the top menu,, select **Apps > Integrations**
- ![Configure Single Sign-On](./media/pingboard-tutorial/Pingboard_integration.png)
+ ![Configure Single Sign-On](./media/pingboard-tutorial/integration.png)
3. On the **Integrations** page, find the **"Azure Active Directory"** tile, and click it.
- ![Pingboard Single Sign-On Integration](./media/pingboard-tutorial/Pingboard_aad.png)
+ ![Pingboard Single Sign-On Integration](./media/pingboard-tutorial/directory.png)
4. In the modal that follows click **"Configure"**
- ![Pingboard configuration button](./media/pingboard-tutorial/Pingboard_configure.png)
+ ![Pingboard configuration button](./media/pingboard-tutorial/configure.png)
5. On the following page, you notice that "Azure SSO Integration is enabled". Open the downloaded Metadata XML file in a notepad and paste the content in **IDP Metadata**.
- ![Pingboard SSO configuration screen](./media/pingboard-tutorial/Pingboard_sso_configure.png)
+ ![Pingboard SSO configuration screen](./media/pingboard-tutorial/metadata.png)
6. The file is validated, and if everything is correct, single sign-on will now be enabled.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Pingboard.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Pingboard**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Pingboard**.
-
- ![The Pingboard link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Pingboard test user The objective of this section is to create a user called Britta Simon in Pingboard. Pingboard supports automatic user provisioning, which is by default enabled. You can find more details [here](pingboard-provisioning-tutorial.md) on how to configure automatic user provisioning.
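Review bot: "Create Pingboard test user" in the trailing context still creates a user called Britta Simon, while the sections added in this hunk create and assign B.Simon. The outline added earlier in this file describes the Pingboard user as the counterpart of B.Simon, so rename the user in this section and its sub-steps to match. While this block is being touched, the context line "From the top menu,, select **Apps > Integrations**" has a doubled comma.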
The objective of this section is to create a user called Britta Simon in Pingboa
2. Click **ΓÇ£Add EmployeeΓÇ¥** button on **Directory** page.
- ![Add Employee](./media/pingboard-tutorial/create_testuser_add.png)
+ ![Add Employee](./media/pingboard-tutorial/test-user.png)
3. On the **ΓÇ£Add EmployeeΓÇ¥** dialog page, perform the following steps:
- ![Invite People](./media/pingboard-tutorial/create_testuser_name.png)
+ ![Invite People](./media/pingboard-tutorial/create-name.png)
a. In the **Full Name** textbox, type the full name of user like **Britta Simon**.
The objective of this section is to create a user called Britta Simon in Pingboa
4. A confirmation screen comes up to confirm the addition of user.
- ![confirm](./media/pingboard-tutorial/create_testuser_confirm.png)
+ ![confirm](./media/pingboard-tutorial/confirm-user.png)
> [!NOTE] > The Azure Active Directory account holder receives an email and follows a link to confirm their account before it becomes active.
-### Test single sign-on
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Click on **Test this application** in Azure portal. This will redirect to Pingboard Sign on URL where you can initiate the login flow.
-When you click the Pingboard tile in the Access Panel, you should be automatically signed in to the Pingboard for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Pingboard Sign-on URL directly and initiate the login flow from there.
-## Additional Resources
+#### IDP initiated:
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Pingboard for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Pingboard tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Pingboard for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Configure User Provisioning](./pingboard-provisioning-tutorial.md)
+Once you configure Pingboard you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
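Review bot: The new "#### SP initiated:" and "#### IDP initiated:" headings sit directly under "## Test SSO", skipping the `###` level, and carry a trailing colon that no other heading in the file has. Use `###` without the colon, or make them bold lead-ins, so the outline and generated anchors stay consistent with the rest of the tutorial.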
active-directory Planview Enterprise One Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/planview-enterprise-one-tutorial.md
Previously updated : 03/12/2020 Last updated : 06/02/2021
In this tutorial, you'll learn how to integrate Planview Enterprise One with Azu
* Enable your users to be automatically signed-in to Planview Enterprise One with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Planview Enterprise One supports **SP** initiated SSO
-* Once you configure Planview Enterprise One you can enforce Session Control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session Control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
-
+* Planview Enterprise One supports **SP** initiated SSO.
-## Adding Planview Enterprise One from the gallery
+## Add Planview Enterprise One from the gallery
To configure the integration of Planview Enterprise One into Azure AD, you need to add Planview Enterprise One from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Planview Enterprise One** in the search box. 1. Select **Planview Enterprise One** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Planview Enterprise One
+## Configure and test Azure AD SSO for Planview Enterprise One
Configure and test Azure AD SSO with Planview Enterprise One using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Planview Enterprise One.
-To configure and test Azure AD SSO with Planview Enterprise One, complete the following building blocks:
+To configure and test Azure AD SSO with Planview Enterprise One, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Planview Enterprise One, complete the fo
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Planview Enterprise One** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Planview Enterprise One** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
`https://<SUBDOMAIN>.pvcloud.com/planview`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
`https://<SUBDOMAIN>.pvcloud.com/planview` > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Planview Enterprise One Client support team](mailto:customercare@planview.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [Planview Enterprise One Client support team](mailto:customercare@planview.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
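Review bot: The last step of this hunk tells the reader to find **Federation Metadata XML** and "download the certificate", but the file being downloaded is the metadata document, not a certificate file. Since the wording of this block is already being revised, change it to "download the metadata file" (or name the certificate download explicitly if that is what Planview needs) so the reader uploads the right artifact on the application side.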
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Planview Enterprise One**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Planview Enterprise One SSO
In this section, you create a user called B.Simon in Planview Enterprise One. Wo
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Planview Enterprise One tile in the Access Panel, you should be automatically signed in to the Planview Enterprise One for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal. This will redirect to Planview Enterprise One Sign-on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Go to Planview Enterprise One Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Planview Enterprise One tile in the My Apps, this will redirect to Planview Enterprise One Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try Planview Enterprise One with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Planview Enterprise One you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
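Review bot: in the added "Next steps" paragraph, "protects exfiltration and infiltration" reads as if session control protects the exfiltration itself; "protects against exfiltration and infiltration" says what is meant. The same paragraph mentions Conditional Access while this change removes the only link to the Conditional Access overview (`../conditional-access/overview.md`), so consider linking the term inline. The intro line "with following options" is also missing "the".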
active-directory Purelyhr Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/purelyhr-tutorial.md
Previously updated : 10/14/2019 Last updated : 05/26/2021
In this tutorial, you'll learn how to integrate PurelyHR with Azure Active Direc
* Enable your users to be automatically signed-in to PurelyHR with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* PurelyHR supports **SP and IDP** initiated SSO
-* PurelyHR supports **Just In Time** user provisioning
+* PurelyHR supports **SP and IDP** initiated SSO.
+* PurelyHR supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding PurelyHR from the gallery
+## Add PurelyHR from the gallery
To configure the integration of PurelyHR into Azure AD, you need to add PurelyHR from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **PurelyHR** in the search box. 1. Select **PurelyHR** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for PurelyHR
+## Configure and test Azure AD SSO for PurelyHR
Configure and test Azure AD SSO with PurelyHR using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in PurelyHR.
-To configure and test Azure AD SSO with PurelyHR, complete the following building blocks:
+To configure and test Azure AD SSO with PurelyHR, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure PurelyHR SSO](#configure-purelyhr-sso)** - to configure the single sign-on settings on application side.
- * **[Create PurelyHR test user](#create-purelyhr-test-user)** - to have a counterpart of B.Simon in PurelyHR that is linked to the Azure AD representation of user.
+ 1. **[Create PurelyHR test user](#create-purelyhr-test-user)** - to have a counterpart of B.Simon in PurelyHR that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **PurelyHR** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **PurelyHR** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step:
In the **Reply URL** text box, type a URL using the following pattern:
- `https://<companyID>.purelyhr.com/sso-consume`
+ `https://<COMPANY_ID>.purelyhr.com/sso-consume`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<companyID>.purelyhr.com/sso-initiate`
+ `https://<COMPANY_ID>.purelyhr.com/sso-initiate`
> [!NOTE] > These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact [PurelyHR Client support team](https://support.purelyhr.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
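Review bot: the added NOTE under the scenario description says the Identifier is a fixed string value, but the IDP-initiated step in this change now reads "perform the following step" and covers only the **Reply URL**, so the reader never sees what that identifier is. State the fixed Identifier value in the Basic SAML Configuration step, or, if the field is pre-populated, say so in the NOTE. The NOTE also reads better with an article: "The identifier of this application is a fixed string value, so only one instance can be configured in one tenant."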
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **PurelyHR**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure PurelyHR SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Paste the values in the boxes as described below-
- ![Configure Single Sign-On](./media/purelyhr-tutorial/purelyhr-dashboard-sso-settings.png)
+ ![Configure Single Sign-On](./media/purelyhr-tutorial/dashboard.png)
a. Open the **Certificate(Bas64)** downloaded from the Azure portal in notepad and copy the certificate value. Paste the copied value into the **X.509 Certificate** box.
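Review bot: the step under the renamed screenshot still reads "Certificate(Bas64)"; since this hunk touches the step, correct it to "Certificate (Base64)" so it matches the name of the download in the Azure portal. The lead-in line "Paste the values in the boxes as described below-" also ends in a stray hyphen.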
Sign into your Velpic SAML company site as an administrator and perform followin
1. Click on Manage tab and go to Users section, then click on New button to add users.
- ![add user](./media/velpicsaml-tutorial/velpic_7.png)
+ ![add user](./media/purelyhr-tutorial/new-user.png)
2. On the **ΓÇ£Create New UserΓÇ¥** dialog page, perform the following steps.
- ![user](./media/velpicsaml-tutorial/velpic_8.png)
+ ![user](./media/purelyhr-tutorial/create-user.png)
a. In the **First Name** textbox, type the first name of B.
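Review bot: the image paths now point to `./media/purelyhr-tutorial/`, but the section these steps sit in still opens with "Sign into your Velpic SAML company site as an administrator", which looks like text left over from the Velpic SAML tutorial. Confirm that the steps and the new screenshots (`new-user.png`, `create-user.png`) describe the PurelyHR user-creation flow, and rename the product in the text. The scenario description in this file states that PurelyHR supports Just In Time user provisioning, so it is also worth checking whether a manual user-creation procedure belongs here at all.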
Sign into your Velpic SAML company site as an administrator and perform followin
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to PurelyHR Sign on URL where you can initiate the login flow.
-When you click the PurelyHR tile in the Access Panel, you should be automatically signed in to the PurelyHR for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to PurelyHR Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the PurelyHR for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the PurelyHR tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the PurelyHR for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try PurelyHR with Azure AD](https://aad.portal.azure.com/)
+Once you configure PurelyHR you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
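Review bot: the added "#### SP initiated:" and "#### IDP initiated:" headings sit directly under "## Test SSO", skipping a heading level, and carry a trailing colon; "### SP initiated" and "### IDP initiated" would keep the outline consistent. Within the SP-initiated bullets the same field is written "Sign on URL" in one bullet and "Sign-on URL" in the next; use "Sign-on URL" in both, as the configuration step does.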
active-directory Raumfurraum Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/raumfurraum-tutorial.md
Previously updated : 08/24/2020 Last updated : 05/26/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* raum]f├╝r[raum supports **SP and IDP** initiated SSO
-* raum]f├╝r[raum supports **Just In Time** user provisioning
+* raum]f├╝r[raum supports **SP and IDP** initiated SSO.
+* raum]f├╝r[raum supports **Just In Time** user provisioning.
## Add raum]f├╝r[raum from the gallery
To configure the integration of raum]f├╝r[raum into Azure AD, you need to add ra
1. In the **Add from the gallery** section, type **raum]f├╝r[raum** in the search box. 1. Select **raum]f├╝r[raum** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for raum]f├╝r[raum Configure and test Azure AD SSO with raum]f├╝r[raum using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in raum]f├╝r[raum.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **raum]f├╝r[raum** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using one of the following patterns:
In this section, you test your Azure AD single sign-on configuration with follow
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the raum]f├╝r[raum for which you set up the SSO
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the raum]f├╝r[raum for which you set up the SSO.
-You can also use Microsoft Access Panel to test the application in any mode. When you click the raum]f├╝r[raum tile in the Access Panel, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the raum]f├╝r[raum for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+You can also use Microsoft My Apps to test the application in any mode. When you click the raum]f├╝r[raum tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the raum]f├╝r[raum for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps Once you configure raum]f├╝r[raum you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
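Review bot: replacing "Access Panel" with "My Apps" word for word leaves "tile in the My Apps" and "Introduction to the My Apps" on the added line; drop the article ("the tile in My Apps", "Introduction to My Apps"). Separately, the "Next steps" link in the unchanged context here points to `/cloud-app-security/proxy-deployment-any-app`, while the other tutorials updated in this batch link to `/cloud-app-security/proxy-deployment-aad`; confirm which target is intended.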
active-directory Rollbar Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/rollbar-tutorial.md
Previously updated : 03/15/2019 Last updated : 05/28/2021 # Tutorial: Azure Active Directory integration with Rollbar
-In this tutorial, you learn how to integrate Rollbar with Azure Active Directory (Azure AD).
-Integrating Rollbar with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Rollbar with Azure Active Directory (Azure AD). When you integrate Rollbar with Azure AD, you can:
-* You can control in Azure AD who has access to Rollbar.
-* You can enable your users to be automatically signed-in to Rollbar (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Rollbar.
+* Enable your users to be automatically signed-in to Rollbar with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Rollbar, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Rollbar single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Rollbar single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Rollbar supports **SP and IDP** initiated SSO
-
-## Adding Rollbar from the gallery
-
-To configure the integration of Rollbar into Azure AD, you need to add Rollbar from the gallery to your list of managed SaaS apps.
-
-**To add Rollbar from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Rollbar**, select **Rollbar** from result panel then click **Add** button to add the application.
-
- ![Rollbar in the results list](common/search-new-app.png)
+* Rollbar supports **SP and IDP** initiated SSO.
-## Configure and test Azure AD single sign-on
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-In this section, you configure and test Azure AD single sign-on with Rollbar based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Rollbar needs to be established.
+## Add Rollbar from the gallery
-To configure and test Azure AD single sign-on with Rollbar, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Rollbar Single Sign-On](#configure-rollbar-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Rollbar test user](#create-rollbar-test-user)** - to have a counterpart of Britta Simon in Rollbar that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Rollbar into Azure AD, you need to add Rollbar from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Rollbar** in the search box.
+1. Select **Rollbar** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Rollbar
-To configure Azure AD single sign-on with Rollbar, perform the following steps:
+Configure and test Azure AD SSO with Rollbar using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Rollbar.
-1. In the [Azure portal](https://portal.azure.com/), on the **Rollbar** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Rollbar, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Rollbar SSO](#configure-rollbar-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Rollbar test user](#create-rollbar-test-user)** - to have a counterpart of B.Simon in Rollbar that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Rollbar** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
- a. In the **Identifier** text box, type the URL: `https://saml.rollbar.com` b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://rollbar.com/<accountname>/saml/sso/azure/`
+ `https://rollbar.com/<ACCOUNT_NAME>/saml/sso/azure/`
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://rollbar.com/<accountname>/saml/login/azure/`
+ `https://rollbar.com/<ACCOUNT_NAME>/saml/login/azure/`
> [!NOTE] > These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact [Rollbar Client support team](mailto:support@rollbar.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
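Review bot: the first three steps of "Configure Azure AD SSO" were converted to auto-numbered "1." items, but the unchanged steps that follow are still hard-numbered "4." and "5.", so the list mixes two numbering styles; renumber them to "1." like the rest of the file. The added NOTE about the fixed identifier matches the Identifier step (`https://saml.rollbar.com`), and naming that value in the NOTE would make the single-instance limitation easier to understand.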
To configure Azure AD single sign-on with Rollbar, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure Rollbar Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Rollbar.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Rollbar**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Rollbar SSO
1. In a different web browser window, sign in to your Rollbar company site as an administrator.
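Review bot: the removed lines "a. Login URL", "b. Azure AD Identifier" and "c. Logout URL" were the only text naming which values to copy, so after this change the step relies on the `copy-configuration-urls.png` screenshot alone. Keep the three names in the step text so that readers who cannot see the image still know which values to carry over to the Rollbar SAML Identity Provider settings.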
To configure Azure AD single sign-on with Rollbar, perform the following steps:
1. Click **Identity Provider** under SECURITY.
- ![Screenshot shows Identity Provider selected under SECURITY.](./media/rollbar-tutorial/configure1.png)
+ ![Screenshot shows Identity Provider selected under SECURITY.](./media/rollbar-tutorial/security.png)
1. In the **SAML Identity Provider** section, perform the following steps:
- ![Screenshot shows the SAML Identity Provider where you can enter the values described.](./media/rollbar-tutorial/configure2.png)
+ ![Screenshot shows the SAML Identity Provider where you can enter the values described.](./media/rollbar-tutorial/configure.png)
a. Select **AZURE** from the **SAML Identity Provider** dropdown.
To configure Azure AD single sign-on with Rollbar, perform the following steps:
1. After clicking the save button, the screen will be like this:
- ![Screenshot shows the results in the SAML Identity Provider page.](./media/rollbar-tutorial/configure3.png)
+ ![Screenshot shows the results in the SAML Identity Provider page.](./media/rollbar-tutorial/identity-provider.png)
> [!NOTE] > In order to complete the following step, you must first add yourself as a user to the Rollbar app in Azure.
To configure Azure AD single sign-on with Rollbar, perform the following steps:
b. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Rollbar.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Rollbar**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Rollbar**.
-
- ![The Rollbar link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Rollbar test user To enable Azure AD users to sign in to Rollbar, they must be provisioned into Rollbar. In the case of Rollbar, provisioning is a manual task.
To enable Azure AD users to sign in to Rollbar, they must be provisioned into Ro
1. Click **Users**.
- ![Add Employee](./media/rollbar-tutorial/user1.png)
+ ![Add Employee](./media/rollbar-tutorial/user.png)
1. Click **Invite Team Members**.
- ![Screenshot shows the Invite Team Members option selected.](./media/rollbar-tutorial/user2.png)
+ ![Screenshot shows the Invite Team Members option selected.](./media/rollbar-tutorial/invite-user.png)
1. In the textbox, enter the name of user like **brittasimon\@contoso.com** and the click **Add/Invite**.
- ![Screenshot shows Add/Invite Members with an address provided.](./media/rollbar-tutorial/user3.png)
+ ![Screenshot shows Add/Invite Members with an address provided.](./media/rollbar-tutorial/add-user.png)
1. User receives an invitation and after accepting it they are created in the system.
-### Test single sign-on
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Rollbar Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Rollbar Sign-on URL directly and initiate the login flow from there.
-When you click the Rollbar tile in the Access Panel, you should be automatically signed in to the Rollbar for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Rollbar for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Rollbar tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Rollbar for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Rollbar you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
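Review bot: the test user is renamed from Britta Simon to B.Simon throughout this file, but the unchanged invite step in this hunk still uses "brittasimon\@contoso.com" and has the typo "and the click". Update it to `B.Simon@contoso.com`, the address given in the new "Create an Azure AD test user" section, so the manually provisioned Rollbar user matches the Azure AD account it has to be linked to.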
active-directory Saviynt Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/saviynt-tutorial.md
Previously updated : 09/03/2020 Last updated : 06/01/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Saviynt supports **SP and IDP** initiated SSO
-* Saviynt supports **Just In Time** user provisioning
+* Saviynt supports **SP and IDP** initiated SSO.
+* Saviynt supports **Just In Time** user provisioning.
## Add Saviynt from the gallery
To configure the integration of Saviynt into Azure AD, you need to add Saviynt f
1. In the **Add from the gallery** section, type **Saviynt** in the search box. 1. Select **Saviynt** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Saviynt Configure and test Azure AD SSO with Saviynt using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Saviynt.
-To configure and test Azure AD SSO with Saviynt, perform following steps:
+To configure and test Azure AD SSO with Saviynt, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **Saviynt** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type a value using the following pattern:
`Saviynt-<ID>` b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.saviyntcloud.com/ECM/saml/SSO/alias/<SAVIYNT-ID>`
+ `https://<SUBDOMAIN>.saviyntcloud.com/ECM/saml/SSO/alias/<SAVIYNT_ID>`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
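Review bot: The Reply URL placeholder is renamed to `<SAVIYNT_ID>`, but the Identifier pattern just above it is still `Saviynt-<ID>`, so the two steps use different placeholder names without saying whether they refer to the same value. A reader filling in these fields cannot tell whether one ID goes in both places. Use a single placeholder name in both patterns if it is the same ID, or state where each value comes from.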
In this section, you test your Azure AD single sign-on configuration with follow
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Saviynt for which you set up the SSO
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Saviynt for which you set up the SSO.
-You can also use Microsoft Access Panel to test the application in any mode. When you click the Saviynt tile in the Access Panel, you should be automatically signed in to the Saviynt for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+You can also use Microsoft MyApps to test the application in any mode. When you click the Saviynt tile in the MyApps, you should be automatically signed in to the Saviynt for which you set up the SSO. For more information about the MyApps, see [Introduction to the MyApps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
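Review bot: The replacement paragraph spells the portal name "MyApps", while the matching paragraph in the Rollbar and Schoox changes on this page uses "My Apps"; pick one spelling. It also keeps the single outcome "you should be automatically signed in" although this tutorial lists Saviynt as supporting SP and IDP initiated SSO, whereas the Rollbar and Schoox versions describe the SP-mode redirect separately, so this paragraph does not say what the tile does in SP mode.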
active-directory Schoox Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/schoox-tutorial.md
Previously updated : 02/14/2019 Last updated : 06/02/2021 # Tutorial: Azure Active Directory integration with Schoox
-In this tutorial, you learn how to integrate Schoox with Azure Active Directory (Azure AD).
-Integrating Schoox with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Schoox with Azure Active Directory (Azure AD). When you integrate Schoox with Azure AD, you can:
-* You can control in Azure AD who has access to Schoox.
-* You can enable your users to be automatically signed-in to Schoox (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Schoox.
+* Enable your users to be automatically signed-in to Schoox with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Schoox, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Schoox single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Schoox single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Schoox supports **SP and IDP** initiated SSO
-
-## Adding Schoox from the gallery
-
-To configure the integration of Schoox into Azure AD, you need to add Schoox from the gallery to your list of managed SaaS apps.
-
-**To add Schoox from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
+* Schoox supports **SP and IDP** initiated SSO.
-4. In the search box, type **Schoox**, select **Schoox** from result panel then click **Add** button to add the application.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
- ![Schoox in the results list](common/search-new-app.png)
+## Add Schoox from the gallery
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Schoox based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Schoox needs to be established.
-
-To configure and test Azure AD single sign-on with Schoox, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Schoox Single Sign-On](#configure-schoox-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Schoox test user](#create-schoox-test-user)** - to have a counterpart of Britta Simon in Schoox that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Schoox into Azure AD, you need to add Schoox from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Schoox** in the search box.
+1. Select **Schoox** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Schoox
-To configure Azure AD single sign-on with Schoox, perform the following steps:
+Configure and test Azure AD SSO with Schoox using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Schoox.
-1. In the [Azure portal](https://portal.azure.com/), on the **Schoox** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Schoox, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Schoox SSO](#configure-schoox-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Schoox test user](#create-schoox-test-user)** - to have a counterpart of B.Simon in Schoox that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set-up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Schoox** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following step:
- ![Schoox Domain and URLs single sign-on information](common/idp-identifier.png)
-
- In the **Identifier** text box, type a URL:
+ In the **Identifier** text box, type the URL:
`https://saml.schoox.com/saml/adfsmetadata` 5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![image](common/both-preintegrated-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern: `https://saml.schoox.com/saml/login?idpUrl=<entityID>`
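Review bot: Steps 1 to 3 of "Configure Azure AD SSO" are rewritten with `1.` auto-numbering, but the unchanged steps that follow still carry explicit `4.` and `5.`, and step 4 keeps the capitalised "If you wish" mid-sentence. Renumber those two steps to `1.` and lower-case "if" so the list matches the rewritten steps. The new heading `## Configure Azure AD SSO` also sits at the same level as `## Configure and test Azure AD SSO for Schoox`, although the step list presents it as a sub-step of that section; confirm the heading level is intended.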
To configure Azure AD single sign-on with Schoox, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Schoox Single Sign-On
-
-To configure single sign-on on **Schoox** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Schoox support team](https://www.schoox.com/help/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Schoox.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Schoox.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Schoox**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Schoox**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Schoox SSO
-2. In the applications list, select **Schoox**.
-
- ![The Schoox link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
+To configure single sign-on on **Schoox** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Schoox support team](https://www.schoox.com/help/). They set this setting to have the SAML SSO connection set properly on both sides.
-5. In the **Users and groups** dialo,g select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create Schoox test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog, select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon in Schoox. Work with [Schoox support team](https://www.schoox.com/help/) to add the users in the Schoox platform. Users must be created and activated before you use single sign-on.
-7. In the **Add Assignment** dialog, click the **Assign** button.
+## Test SSO
-### Create Schoox test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you create a user called Britta Simon in Schoox. Work with [Schoox support team](https://www.schoox.com/help/) to add the users in the Schoox platform. Users must be created and activated before you use single sign-on.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to Schoox Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Schoox Sign-on URL directly and initiate the login flow from there.
-When you click the Schoox tile in the Access Panel, you should be automatically signed in to the Schoox for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Schoox for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Schoox tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Schoox for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Schoox you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
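Review bot: The added "Create Schoox test user" paragraph still says "you create a user called Britta Simon in Schoox", while every other section touched here renames the test user to B.Simon; change it to B.Simon so the Azure AD user and its Schoox counterpart carry the same name. The hunk also deletes the "Login URL / Azure Ad Identifier / Logout URL" list without a replacement, yet "Configure Schoox SSO" still asks for the "appropriate copied URLs" to be sent to Schoox support, so the reader can no longer see which URLs are meant.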
active-directory Twingate Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/twingate-provisioning-tutorial.md
+
+ Title: 'Tutorial: Configure Twingate for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Twingate.
+
+documentationcenter: ''
+
+writer: Zhchia
++
+ms.assetid: 39476198-1ade-4c22-b880-111f4c30d823
+++
+ na
+ms.devlang: na
+ Last updated : 06/02/2021+++
+# Tutorial: Configure Twingate for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both Twingate and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Twingate](https://www.twingate.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
++
+## Capabilities Supported
+> [!div class="checklist"]
+> * Create users in Twingate
+> * Remove users in Twingate when they do not require access anymore
+> * Keep user attributes synchronized between Azure AD and Twingate
+> * Provision groups and group memberships in Twingate
+> * Single sign-on to Twingate (recommended)
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
+* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A Twingate tenant in a product tier that supports identity provider integration. See [Twingate pricing](https://www.twingate.com/pricing/) for details on different product tiers.
+* A user account in Twingate with Admin permissions.
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
+2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+3. Determine what data to [map between Azure AD and Twingate](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+
+## Step 2. Configure Twingate to support provisioning with Azure AD
+
+1. Sign in to your [Twingate Admin Console](https://auth.twingate.com/).
+2. Navigate to **Settings > Identity Provider**
+3. Click on the `...` button to open the action menu. Select **Regenerate SCIM Token**. Note that this would invalidate your existing token if any.
+
+ ![Azure AD action menu](media/twingate-provisioning-tutorial/token.png)
+
+4. Copy the **SCIM Endpoint** and **SCIM token** from the modal. These values will be entered in the **Tenant URL** and **Secret Token** fields respectively in the Provisioning tab of your Twingate application in the Azure portal.
+
+ ![SCIM info modal](media/twingate-provisioning-tutorial/tenant.png)
++
+## Step 3. Add Twingate from the Azure AD application gallery
+
+Add Twingate from the Azure AD application gallery to start managing provisioning to Twingate. If you have previously setup Twingate for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+
+* When assigning users and groups to Twingate, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
++
+## Step 5. Configure automatic user provisioning to Twingate
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Twingate based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for Twingate in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **Twingate**.
+
+ ![The Twingate link in the Applications list](common/all-applications.png)
+
+3. Select the **Provisioning** tab.
+
+ ![Provisioning tab](common/provisioning.png)
+
+4. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Provisioning tab automatic](common/provisioning-automatic.png)
+
+5. Under the **Admin Credentials** section, input your Twingate Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Twingate. If the connection fails, ensure your Twingate account has Admin permissions and try again.
+
+ ![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+7. Select **Save**.
+
+8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Twingate**.
+
+9. Review the user attributes that are synchronized from Azure AD to Twingate in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Twingate for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Twingate API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported For Filtering|
+ ||||
+ |externalId|String|&check;|
+ |userName|String|
+ |active|Boolean|
+ |emails[type eq "work"].value|String|
+ |name.givenName|String|
+ |name.familyName|String|
+
+10. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Twingate**.
+
+11. Review the group attributes that are synchronized from Azure AD to Twingate in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Twingate for update operations. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported For Filtering|
+ ||||
+ |externalId|String|&check;|
+ |displayName|String|
+ |members|Reference|
+
+12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+
+13. To enable the Azure AD provisioning service for Twingate, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+14. Define the users and/or groups that you would like to provision to Twingate by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+15. When you are ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+
+## Additional resources
+
+* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
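Review bot: Step 2 tells the reader to select **Regenerate SCIM Token** and only remarks that this "would invalidate your existing token if any"; it should say what that means for a tenant that is already provisioning, namely that the value stored in **Secret Token** in Step 5 has to be replaced with the new one, and that the token is the credential Azure AD uses to connect and should be handled as a secret. Separately, the file mixes absolute `https://docs.microsoft.com/azure/active-directory/...` links with relative `../manage-apps/...` links, including two different forms for the same user-provisioning article in the introduction and in Step 1; use one form throughout. Several links use "here" as link text, which gives no destination when read out of context.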
active-directory Vtiger Crm Saml Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/vtiger-crm-saml-tutorial.md
Previously updated : 06/20/2019 Last updated : 05/31/2021
In this tutorial, you'll learn how to integrate Vtiger CRM (SAML) with Azure Act
* Enable your users to be automatically signed-in to Vtiger CRM (SAML) with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get one-month free trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
* Vtiger CRM (SAML) single sign-on (SSO) enabled subscription. ## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Vtiger CRM (SAML) supports **SP** initiated SSO
-* Vtiger CRM (SAML) supports **Just In Time** user provisioning
+* Vtiger CRM (SAML) supports **SP** initiated SSO.
+* Vtiger CRM (SAML) supports **Just In Time** user provisioning.
-## Adding Vtiger CRM (SAML) from the gallery
+## Add Vtiger CRM (SAML) from the gallery
To configure the integration of Vtiger CRM (SAML) into Azure AD, you need to add Vtiger CRM (SAML) from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Vtiger CRM (SAML)** in the search box. 1. Select **Vtiger CRM (SAML)** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Vtiger CRM (SAML)
Configure and test Azure AD SSO with Vtiger CRM (SAML) using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Vtiger CRM (SAML).
-To configure and test Azure AD SSO with Vtiger CRM (SAML), complete the following building blocks:
+To configure and test Azure AD SSO with Vtiger CRM (SAML), perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-2. **[Configure Vtiger CRM (SAML) SSO](#configure-vtiger-crm-saml-sso)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Vtiger CRM (SAML) test user](#create-vtiger-crm-saml-test-user)** - to have a counterpart of Britta Simon in Vtiger CRM (SAML) that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Vtiger CRM (SAML) SSO](#configure-vtiger-crm-saml-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Vtiger CRM (SAML) test user](#create-vtiger-crm-saml-test-user)** - to have a counterpart of B.Simon in Vtiger CRM (SAML) that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
### Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Vtiger CRM (SAML)** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Vtiger CRM (SAML)** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** page, enter the values for the following fields:
+1. On the **Basic SAML Configuration** page, perform the following steps:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://<CUSTOMER_INSTANCE>.od1.vtiger.com/sso/saml?acs`
- - `https://<customer_instance>.od1.vtiger.com`
- - `https://<customer_instance>.od2.vtiger.com`
- - `https://<customer_instance>.od1.vtiger.ws`
+ b. In the **Sign on URL** text box, type a URL using one of the following patterns:
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<customer_instance>.od1.vtiger.com/sso/saml?acs`
+ | Sign on URL |
+ ||
+ |`https://<CUSTOMER_INSTANCE>.od1.vtiger.com`|
+ |`https://<CUSTOMER_INSTANCE>.od2.vtiger.com`|
+ |`https://<CUSTOMER_INSTANCE>.od1.vtiger.ws`|
+ |
> [!NOTE] > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Vtiger CRM (SAML) Client support team](mailto:support@vtiger.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
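Review bot: The added Identifier (Entity ID) pattern in step a covers only `https://<CUSTOMER_INSTANCE>.od1.vtiger.com/sso/saml?acs`, while the Sign on URL table in step b lists od1.vtiger.com, od2.vtiger.com and od1.vtiger.ws hosts. A customer on od2 or vtiger.ws has no Entity ID pattern to follow. Either give the Identifier pattern for each host or state which host the Identifier must use. Separately, the row under `| Sign on URL |` reads `||`, which is not a valid Markdown table delimiter as shown, and the final lone `|` row looks stray.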
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure Vtiger CRM (SAML) SSO
-
-To configure single sign-on on **Vtiger CRM (SAML)** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Vtiger CRM (SAML) support team](mailto:support@vtiger.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Vtiger CRM (SAML)**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button.
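Review bot: The rewritten role step no longer says that the selected role is the role value sent in the SAML assertion, which the removed line stated and which is why an admin would choose a role here. Suggest keeping that link, for example "If you expect a role value in the SAML assertion, select it from the **Select a role** dropdown." The second added sentence also needs an article: "you see the "Default Access" role selected."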
+## Configure Vtiger CRM (SAML) SSO
+
+To configure single sign-on on **Vtiger CRM (SAML)** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Vtiger CRM (SAML) support team](mailto:support@vtiger.com). They set this setting to have the SAML SSO connection set properly on both sides.
+ ### Create Vtiger CRM (SAML) test user In this section, a user called Britta Simon is created in Vtiger CRM (SAML). Vtiger CRM (SAML) supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Vtiger CRM (SAML), a new one is created after authentication.
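Review bot: The heading is promoted to `## Configure Vtiger CRM (SAML) SSO`, but its sibling step in the numbered list, `### Configure Azure AD SSO`, is left at level three in this file, so the two top-level steps now sit at different heading levels. Promote `Configure Azure AD SSO` to `##` as well, or keep this heading at `###`, so the outline matches the step list added earlier in the patch.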
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you select the Vtiger CRM (SAML) tile in the Access Panel, you should be automatically signed in to the Vtiger CRM (SAML) for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Vtiger CRM (SAML) Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Vtiger CRM (SAML) Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Vtiger CRM (SAML) tile in the My Apps, this will redirect to Vtiger CRM (SAML) Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Vtiger CRM (SAML) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
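Review bot: In the added Next steps paragraph, "protects exfiltration and infiltration of your organization's sensitive data" reads as if the feature protects the exfiltration itself; it should say "protects against". The same hunk deletes the link to `../conditional-access/overview.md` while the new text states that session control "extends from Conditional Access", so the one concept the paragraph depends on is no longer linked. Suggest linking "Conditional Access" to that overview.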
active-directory Yardielearning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/yardielearning-tutorial.md
Previously updated : 04/03/2019 Last updated : 05/26/2021 # Tutorial: Azure Active Directory integration with Yardi eLearning
-In this tutorial, you learn how to integrate Yardi eLearning with Azure Active Directory (Azure AD).
-Integrating Yardi eLearning with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Yardi eLearning with Azure Active Directory (Azure AD). When you integrate Yardi eLearning with Azure AD, you can:
-* You can control in Azure AD who has access to Yardi eLearning.
-* You can enable your users to be automatically signed in to Yardi eLearning (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Yardi eLearning.
+* Enable your users to be automatically signed-in to Yardi eLearning with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Yardi eLearning, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Yardi eLearning single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Yardi eLearning single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Yardi eLearning supports **SP** initiated SSO
+* Yardi eLearning supports **SP** initiated SSO.
-* Yardi eLearning supports **Just In Time** user provisioning
+* Yardi eLearning supports **Just In Time** user provisioning.
-## Adding Yardi eLearning from the gallery
+## Add Yardi eLearning from the gallery
To configure the integration of Yardi eLearning into Azure AD, you need to add Yardi eLearning from the gallery to your list of managed SaaS apps.
-**To add Yardi eLearning from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Yardi eLearning**, select **Yardi eLearning** from result panel then click **Add** button to add the application.
-
- ![Yardi eLearning in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Yardi eLearning** in the search box.
+1. Select **Yardi eLearning** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with Yardi eLearning based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Yardi eLearning needs to be established.
+## Configure and test Azure AD SSO for Yardi eLearning
-To configure and test Azure AD single sign-on with Yardi eLearning, you need to complete the following building blocks:
+Configure and test Azure AD SSO with Yardi eLearning using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Yardi eLearning.
-1. **[Configure Azure AD single sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Yardi eLearning single sign-On](#configure-yardi-elearning-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Yardi eLearning test user](#create-yardi-elearning-test-user)** - to have a counterpart of Britta Simon in Yardi eLearning that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with Yardi eLearning, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Yardi eLearning SSO](#configure-yardi-elearning-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Yardi eLearning test user](#create-yardi-elearning-test-user)** - to have a counterpart of B.Simon in Yardi eLearning that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with Yardi eLearning, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Yardi eLearning** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **Yardi eLearning** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Yardi eLearning Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<companyname>.yardielearning.com/login`
+ `https://<COMPANY_NAME>.yardielearning.com/login`
b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<companyname>.yardielearning.com/trust`
+ `https://<COMPANY_NAME>.yardielearning.com/trust`
> [!NOTE] > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Yardi eLearning Client support team](mailto:elearning@yardi.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
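Review bot: As shown, the line "a. In the **Sign on URL** text box, type a URL using the following pattern:" is removed with no replacement, so `https://<COMPANY_NAME>.yardielearning.com/login` is left without a field label while step b keeps its label for the Identifier. If this is only a re-indentation, the diff should show the line re-added; otherwise restore the step a text so readers do not paste the login URL into the wrong field.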
To configure Azure AD single sign-on with Yardi eLearning, perform the following
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure Yardi eLearning Single Sign-On
-
-To configure single sign-on on **Yardi eLearning** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Yardi eLearning support team](mailto:elearning@yardi.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
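Review bot: This hunk deletes the list naming **Login URL**, **Azure AD Identifier** and **Logout URL**, yet the relocated "Configure Yardi eLearning SSO" text later in the patch still tells the admin to send the "appropriate copied URLs" to the vendor. With the list gone, nothing says which values those are. Keep the three names, or name them in the sentence that asks for them.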
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Yardi eLearning.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Yardi eLearning.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Yardi eLearning**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Yardi eLearning**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Yardi eLearning SSO
-2. In the applications list, select **Yardi eLearning**.
-
- ![The Yardi eLearning link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Yardi eLearning** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Yardi eLearning support team](mailto:elearning@yardi.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Yardi eLearning test user
In this section, a user called Britta Simon is created in Yardi eLearning. Yardi
>[!NOTE] >If you need to create a user manually, you need to contact the [Yardi eLearning support team](mailto:elearning@yardi.com).
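Review bot: Every changed line in this file renames the test user to **B.Simon**, but the unchanged "Create Yardi eLearning test user" section still says "a user called Britta Simon is created in Yardi eLearning". Since the step list added above describes that section as creating "a counterpart of B.Simon", update the section body in the same change so the account names match.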
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Yardi eLearning tile in the Access Panel, you should be automatically signed in to the Yardi eLearning for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Yardi eLearning Sign-on URL where you can initiate the login flow.
-## Additional resources
+* Go to Yardi eLearning Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Yardi eLearning tile in the My Apps, this will redirect to Yardi eLearning Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Yardi eLearning you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
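Review bot: The apostrophe in "organization's" in the added Next steps line is a typographic quote that shows up mis-encoded here; use a plain ASCII apostrophe in the source. In the Test SSO lines, "with following options" is missing "the", and "the Vtiger"-style phrasing "in the My Apps" / "Introduction to the My Apps" should drop the article or say "the My Apps portal".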
active-directory Yodeck Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/yodeck-tutorial.md
Previously updated : 03/29/2019 Last updated : 06/02/2021 # Tutorial: Azure Active Directory integration with Yodeck
-In this tutorial, you learn how to integrate Yodeck with Azure Active Directory (Azure AD).
-Integrating Yodeck with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Yodeck with Azure Active Directory (Azure AD). When you integrate Yodeck with Azure AD, you can:
-* You can control in Azure AD who has access to Yodeck.
-* You can enable your users to be automatically signed-in to Yodeck (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Yodeck.
+* Enable your users to be automatically signed-in to Yodeck with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Yodeck, you need the following items: * An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
-* Yodeck single sign-on enabled subscription
+* Yodeck single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Yodeck supports **SP** and **IDP** initiated SSO
-
-## Adding Yodeck from the gallery
-
-To configure the integration of Yodeck into Azure AD, you need to add Yodeck from the gallery to your list of managed SaaS apps.
-
-**To add Yodeck from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Yodeck**, select **Yodeck** from result panel then click **Add** button to add the application.
-
- ![Yodeck in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+* Yodeck supports **SP** and **IDP** initiated SSO.
-In this section, you configure and test Azure AD single sign-on with Yodeck based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Yodeck needs to be established.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-To configure and test Azure AD single sign-on with Yodeck, you need to complete the following building blocks:
+## Add Yodeck from the gallery
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Yodeck Single Sign-On](#configure-yodeck-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Yodeck test user](#create-yodeck-test-user)** - to have a counterpart of Britta Simon in Yodeck that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Yodeck into Azure AD, you need to add Yodeck from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Yodeck** in the search box.
+1. Select **Yodeck** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Yodeck
-To configure Azure AD single sign-on with Yodeck, perform the following steps:
+Configure and test Azure AD SSO with Yodeck using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Yodeck.
-1. In the [Azure portal](https://portal.azure.com/), on the **Yodeck** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Yodeck, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Yodeck SSO](#configure-yodeck-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Yodeck test user](#create-yodeck-test-user)** - to have a counterpart of B.Simon in Yodeck that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Yodeck** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step:
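Review bot: The added steps lowercase bolded portal labels ("select **single sign-on**", "**Select a single sign-on method**", "**Set up single sign-on with SAML**"), while the unchanged step 6 further down still reads "**Set up Single Sign-On with SAML**". Bold text marks the label as it appears in the portal, so the same page should not spell it two ways; use one casing throughout, matching the portal. The new steps are also numbered `1.` three times and then continue with the unchanged `4.`, `5.`, `6.`, so pick one numbering style for the list.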
- ![Yodeck Domain and URLs single sign-on information](common/idp-identifier.png)
-
- In the **Identifier** text box, type a URL:
+ In the **Identifier** text box, type the URL:
`https://app.yodeck.com/api/v1/account/metadata/` 5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Basic SAML Configuration with the Upload metadata file link.](common/both-preintegrated-signon.png)
-
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://app.yodeck.com/login` 6. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ![The Certificate download link](common/copy-metadataurl.png)
-### Configure Yodeck Single Sign-On
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Yodeck.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Yodeck**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Yodeck SSO
1. To automate the configuration within **Yodeck**, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
To configure Azure AD single sign-on with Yodeck, perform the following steps:
1. Click on **User Settings** option form the top right corner of the page and select **Account Settings**.
- ![Screenshot shows with Account Settings selected for the user.](./media/yodeck-tutorial/configure1.png)
+ ![Screenshot shows with Account Settings selected for the user.](./media/yodeck-tutorial/account.png)
1. Select **SAML** and perform the following steps:
- ![Screenshot shows the SAML tab where you can perform these steps.](./media/yodeck-tutorial/configure2.png)
+ ![Screenshot shows the SAML tab where you can perform these steps.](./media/yodeck-tutorial/configure.png)
a. Select **Import from URL**.
To configure Azure AD single sign-on with Yodeck, perform the following steps:
d. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Yodeck.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Yodeck**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Yodeck**.
-
- ![The Yodeck link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Yodeck test user To enable Azure AD users to sign in to Yodeck, they must be provisioned into Yodeck. In the case of Yodeck, provisioning is a manual task.
To enable Azure AD users to sign in to Yodeck, they must be provisioned into Yod
2. Click on **User Settings** option form the top right corner of the page and select **Users**.
- ![Screenshot shows with Users selected for the user.](./media/yodeck-tutorial/user1.png)
+ ![Screenshot shows with Users selected for the user.](./media/yodeck-tutorial/user.png)
3. Click on **+User** to open the **User Details** tab.
- ![Screenshot shows the Users button.](./media/yodeck-tutorial/user2.png)
+ ![Screenshot shows the Users button.](./media/yodeck-tutorial/user-details.png)
4. On the **User Details** dialog page, perform the following steps:
- ![Screenshot shows the User Details tab where you can perform these steps.](./media/yodeck-tutorial/user3.png)
+ ![Screenshot shows the User Details tab where you can perform these steps.](./media/yodeck-tutorial/user-page.png)
a. In the **First Name** textbox, type the first name of the user like **Britta**.
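Review bot: The unchanged step a still uses **Britta** as the example first name, while this change renames the Azure AD test user to `B.Simon` in the new "Create an Azure AD test user" section. Because provisioning in Yodeck is manual, keep the example names consistent so readers create the same user in Yodeck that they assigned in Azure AD.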
To enable Azure AD users to sign in to Yodeck, they must be provisioned into Yod
e. Click **Save**.
-### Test single sign-on
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Yodeck Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Yodeck Sign-on URL directly and initiate the login flow from there.
-When you click the Yodeck tile in the Access Panel, you should be automatically signed in to the Yodeck for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Yodeck for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Yodeck tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Yodeck for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Yodeck you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
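Review bot: The added "Next steps" paragraph contains a mis-encoded apostrophe (`organizationΓÇÖs` should read `organization's`) and says session control "protects exfiltration and infiltration", which reads as the opposite of what is meant; "protects against" fixes it. In the same hunk, `#### SP initiated:` and `#### IDP initiated:` skip a heading level under `## Test SSO` and carry a trailing colon; `###` without the colon would match the rest of the article.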
aks Ingress Basic https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ingress-basic.md
apiVersion: networking.k8s.io/v1
kind: Ingress metadata: name: hello-world-ingress
- namespace: ingress-basic
annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/ssl-redirect: "false"
apiVersion: networking.k8s.io/v1
kind: Ingress metadata: name: hello-world-ingress-static
- namespace: ingress-basic
annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
Create the ingress resource using the `kubectl apply -f hello-world-ingress.yaml` command. ```
-$ kubectl apply -f hello-world-ingress.yaml
+$ kubectl apply -f hello-world-ingress.yaml --namespace ingress-basic
ingress.extensions/hello-world-ingress created ingress.extensions/hello-world-ingress-static created
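Review bot: The sentence introducing the command still tells the reader to run `kubectl apply -f hello-world-ingress.yaml` with no namespace, while the manifests no longer set `namespace: ingress-basic` and only the command block carries `--namespace ingress-basic`. Anyone copying the inline command creates both Ingress objects in whatever namespace the current context defaults to, so the prose should include the flag as well. The sample output also shows `ingress.extensions/...` although both manifests declare `apiVersion: networking.k8s.io/v1`; it is worth re-capturing.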
aks Use Azure Ad Pod Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/use-azure-ad-pod-identity.md
export IDENTITY_RESOURCE_ID="$(az identity show -g ${IDENTITY_RESOURCE_GROUP} -n
## Assign permissions for the managed identity
-The *IDENTITY_CLIENT_ID* managed identity must have Reader permissions in the resource group that contains the virtual machine scale set of your AKS cluster.
+The *IDENTITY_CLIENT_ID* managed identity must have Managed Identity Operator permissions in the resource group that contains the virtual machine scale set of your AKS cluster.
```azurecli-interactive NODE_GROUP=$(az aks show -g myResourceGroup -n myAKSCluster --query nodeResourceGroup -o tsv) NODES_RESOURCE_ID=$(az group show -n $NODE_GROUP -o tsv --query "id")
-az role assignment create --role "Reader" --assignee "$IDENTITY_CLIENT_ID" --scope $NODES_RESOURCE_ID
+az role assignment create --role "Managed Identity Operator" --assignee "$IDENTITY_CLIENT_ID" --scope $NODES_RESOURCE_ID
``` ## Create a pod identity
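Review bot: The role changes from "Reader" to "Managed Identity Operator", but neither the paragraph nor the command says what the role is needed for, or what readers who already created the Reader assignment from the earlier text should do. Add a sentence covering both, and state explicitly that the grant is scoped to the whole node resource group, since this role allows assigning the user-assigned identities in that scope. In the command, `--scope $NODES_RESOURCE_ID` is unquoted while `"$IDENTITY_CLIENT_ID"` is quoted; quote both.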
app-service App Service Web Tutorial Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-web-tutorial-custom-domain.md
You can automate management of custom domains with scripts by using the [Azure C
The following command adds a configured custom DNS name to an App Service app.
-```bash
+```azurecli
az webapp config hostname add \ --webapp-name <app-name> \ --resource-group <resource_group_name> \
app-service Overview Arc Integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-arc-integration.md
Last updated 05/03/2021
# App Service, Functions, and Logic Apps on Azure Arc (Preview)
-You can run App Service, Functions, and Logic Apps an Azure Arc enabled Kubernetes cluster. The Kubernetes cluster can be on-premises or hosted in a third-party cloud. This approach lets app developers take advantage of the features of App Service. At the same time, it lets their IT administrators maintain corporate compliance by hosting the App Service apps on internal infrastructure. It also lets other IT operators safeguard their prior investments in other cloud providers by running App Service on existing Kubernetes clusters.
+You can run App Service, Functions, and Logic Apps on an Azure Arc enabled Kubernetes cluster. The Kubernetes cluster can be on-premises or hosted in a third-party cloud. This approach lets app developers take advantage of the features of App Service. At the same time, it lets their IT administrators maintain corporate compliance by hosting the App Service apps on internal infrastructure. It also lets other IT operators safeguard their prior investments in other cloud providers by running App Service on existing Kubernetes clusters.
> [!NOTE] > To learn how to set up your Kubernetes cluster for App Service, Functions, and Logic Apps, see [Create an App Service Kubernetes environment (Preview)](manage-create-arc-environment.md).
When creating a Kubernetes environment resource, some subscriptions may see a "N
## Next steps
-[Create an App Service Kubernetes environment (Preview)](manage-create-arc-environment.md)
+[Create an App Service Kubernetes environment (Preview)](manage-create-arc-environment.md)
automation Delete Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/delete-account.md
description: This article tells how to delete your Automation account across the
Previously updated : 04/15/2021 Last updated : 06/04/2021
Removing your Automation account can be done using one of the following methods
* Delete the resource group containing the Automation account. * Delete the resource group containing the Automation account and linked Azure Monitor Log Analytics workspace, if:
- * The account and workspace is dedicated to supporting Update Management, Change Tracking and Inventory, and/or Start/Stop VMs during off-hours.
+ * The account and workspace is dedicated to supporting Update Management, Change Tracking, and Inventory, and/or Start/Stop VMs during off-hours.
* The account is dedicated to process automation and integrated with a workspace to send runbook job status and job streams. * Unlink the Log Analytics workspace from the Automation account and delete the Automation account.
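Review bot: The added comma in "Update Management, Change Tracking, and Inventory" splits a single feature name in two. The note added further down in this same change refers to "Change Tracking and Inventory features", so the original punctuation was correct and this line should be reverted. If the bullet is touched anyway, "The account and workspace is dedicated" should read "are dedicated".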
Removing your Automation account can be done using one of the following methods
This article tells you how to completely remove your Automation account through the Azure portal, using Azure PowerShell, the Azure CLI, or the REST API.
+## Prerequisite
+Verify there aren't any [Resource Manager locks](../azure-resource-manager/management/lock-resources.md) applied at the subscription, resource group, or resource, which prevents accidental deletion or modification of critical resources. If you've deployed the Start/Stop VMs during off-hours solution, it sets the lock level to **CanNotDelete** against several dependent resources in the Automation account (specifically its runbooks and variables). Remove any locks before deleting the Automation account.
+ > [!NOTE]
-> Before proceeding, verify there aren't any [Resource Manager locks](../azure-resource-manager/management/lock-resources.md) applied at the subscription, resource group, or resource which prevents accidental deletion or modification of critical resources. If you have deployed the Start/Stop VMs during off-hours solution, it sets the lock level to **CanNotDelete** against several dependent resources in the Automation account (specifically its runbooks and variables). Any locks need to be removed before you can delete the Automation account.
+> If you receive an error message similar to: `The link cannot be updated or deleted because it is linked to Update Management and/or ChangeTracking Solutions`, then your Automation account is linked to a Log Analytics workspace with either the Update Management and/or Change Tracking and Inventory features enabled. For more information, see [Delete a shared capability Automation account](#delete-a-shared-capability-automation-account), below.
## Delete the dedicated resource group
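Review bot: The new Prerequisite paragraph ends with "Remove any locks before deleting the Automation account", which as written also covers locks applied at the subscription or resource group. Those locks protect other resources as well, so the text should tell readers to remove only the locks that block this deletion and to reapply inherited locks afterwards. The first sentence is also hard to parse: "which prevents accidental deletion" attaches to the verification rather than to the locks, and "locks ..., which prevent" would be clearer.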
To delete your Automation account, and also the Log Analytics workspace if linke
## Delete a standalone Automation account
-If your Automation account is not linked to a Log Analytics workspace, perform the following steps to delete it.
+If your Automation account isn't linked to a Log Analytics workspace, perform the following steps to delete it.
# [Azure portal](#tab/azure-portal)
To delete your Automation account linked to a Log Analytics workspace in support
3. Select **Go to workspace**.
-4. Click **Solutions** under **General**.
+4. Select **Solutions** under **General**.
5. On the Solutions page, select one of the following based on the feature(s) deployed in the account:
azure-app-configuration Howto Integrate Azure Managed Service Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/howto-integrate-azure-managed-service-identity.md
Azure App Configuration and its .NET Core, .NET Framework, and Java Spring clien
This article shows how you can take advantage of the managed identity to access App Configuration. It builds on the web app introduced in the quickstarts. Before you continue, [Create an ASP.NET Core app with App Configuration](./quickstart-aspnet-core-app.md) first.
-> [!NOTE]
-> This article uses Azure App Service as an example, but the same concept applies to any other Azure service that supports managed identity, for example, [Azure Kubernetes Service](../aks/use-azure-ad-pod-identity.md), [Azure Virtual Machine](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md), and [Azure Container Instances](../container-instances/container-instances-managed-identity.md). If your workload is hosted in one of those services, you can leverage the service's managed identity support, too.
-
-This article also shows how you can use the managed identity in conjunction with App Configuration's Key Vault references. With a single managed identity, you can seamlessly access both secrets from Key Vault and configuration values from App Configuration. If you wish to explore this capability, finish [Use Key Vault References with ASP.NET Core](./use-key-vault-references-dotnet-core.md) first.
+> [!IMPORTANT]
+> Managed Identity cannot be used to authenticate locally-running applications. Your application must be deployed to an Azure service that supports Managed Identity. This article uses Azure App Service as an example, but the same concept applies to any other Azure service that supports managed identity, for example, [Azure Kubernetes Service](../aks/use-azure-ad-pod-identity.md), [Azure Virtual Machine](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md), and [Azure Container Instances](../container-instances/container-instances-managed-identity.md). If your workload is hosted in one of those services, you can leverage the service's managed identity support, too.
You can use any code editor to do the steps in this tutorial. [Visual Studio Code](https://code.visualstudio.com/) is an excellent option available on the Windows, macOS, and Linux platforms.
In this article, you learn how to:
> [!div class="checklist"] > * Grant a managed identity access to App Configuration. > * Configure your app to use a managed identity when you connect to App Configuration.
-> * Optionally, configure your app to use a managed identity when you connect to Key Vault through an App Configuration Key Vault reference.
+ ## Prerequisites
To complete this tutorial, you must have:
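Review bot: The new `[!IMPORTANT]` block states that managed identity cannot authenticate locally running applications, yet this change also deletes the note that pointed to `DefaultAzureCredential` as the way to run the same code both locally and in Azure. Without a replacement, readers have no stated path for local development and are likely to fall back to a connection string. Keep a one-line pointer to `DefaultAzureCredential` in this block. The block also mixes "Managed Identity" and "managed identity" capitalization.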
To set up a managed identity in the portal, you first create an application and then enable the feature.
-1. Create an App Services instance in the [Azure portal](https://portal.azure.com) as you normally do. Go to it in the portal.
+1. Access your App Services resource in the [Azure portal](https://portal.azure.com). If you don't have an existing App Services resource to work with, create one.
1. Scroll down to the **Settings** group in the left pane, and select **Identity**.
To set up a managed identity in the portal, you first create an application and
![Add a managed identity](./media/add-managed-identity.png)
-1. Optional: If you wish to grant access to Key Vault as well, follow the directions in [Assign a Key Vault access policy](../key-vault/general/assign-access-policy-portal.md).
## Use a managed identity
To set up a managed identity in the portal, you first create an application and
> [!IMPORTANT] > `CreateHostBuilder` replaces `CreateWebHostBuilder` in .NET Core 3.0. Select the correct syntax based on your environment.
- ### [.NET Core 2.x](#tab/core2x)
+ ### [.NET Core 5.x](#tab/core5x)
```csharp
- public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
- WebHost.CreateDefaultBuilder(args)
- .ConfigureAppConfiguration((hostingContext, config) =>
- {
- var settings = config.Build();
- config.AddAzureAppConfiguration(options =>
- options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential()));
- })
- .UseStartup<Startup>();
+ public static IHostBuilder CreateHostBuilder(string[] args) =>
+ Host.CreateDefaultBuilder(args)
+ .ConfigureWebHostDefaults(webBuilder =>
+ webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
+ {
+ var settings = config.Build();
+ config.AddAzureAppConfiguration(options =>
+ options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential()));
+ })
+ .UseStartup<Startup>());
``` ### [.NET Core 3.x](#tab/core3x)
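Review bot: The new tab is titled ".NET Core 5.x", but the release that follows .NET Core 3.1 is named .NET 5, without "Core"; rename the tab label (the `#tab/core5x` id can stay). The snippet under it also appears identical to what the .NET Core 3.x tab becomes after this change, and the unchanged `[!IMPORTANT]` line above only contrasts `CreateHostBuilder` with `CreateWebHostBuilder` for 3.0, so a single combined tab may be enough.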
To set up a managed identity in the portal, you first create an application and
public static IHostBuilder CreateHostBuilder(string[] args) => Host.CreateDefaultBuilder(args) .ConfigureWebHostDefaults(webBuilder =>
- {
webBuilder.ConfigureAppConfiguration((hostingContext, config) => { var settings = config.Build(); config.AddAzureAppConfiguration(options => options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential()));
- });
- })
- .UseStartup<Startup>());
+ })
+ .UseStartup<Startup>());
```
-
-
- > [!NOTE]
- > In the case you want to use a **user-assigned managed identity**, be sure to specify the clientId when creating the [ManagedIdentityCredential](/dotnet/api/azure.identity.managedidentitycredential).
- >```
- >config.AddAzureAppConfiguration(options =>
- > options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential(<your_clientId>)));
- >```
- >As explained in the [Managed Identities for Azure resources FAQs](../active-directory/managed-identities-azure-resources/managed-identities-faq.md#what-identity-will-imds-default-to-if-dont-specify-the-identity-in-the-request), there is a default way to resolve which managed identity is used. In this case, the Azure Identity library enforces you to specify the desired identity to avoid posible runtime issues in the future (for instance, if a new user-assigned managed identity is added or if the system-assigned managed identity is enabled). So, you will need to specify the clientId even if only one user-assigned managed identity is defined, and there is no system-assigned managed identity.
--
-1. To use both App Configuration values and Key Vault references, update *Program.cs* as shown below. This code calls `SetCredential` as part of `ConfigureKeyVault` to tell the config provider what credential to use when authenticating to Key Vault.
### [.NET Core 2.x](#tab/core2x)
To set up a managed identity in the portal, you first create an application and
.ConfigureAppConfiguration((hostingContext, config) => { var settings = config.Build();
- var credentials = new ManagedIdentityCredential();
- config.AddAzureAppConfiguration(options =>
- {
- options.Connect(new Uri(settings["AppConfig:Endpoint"]), credentials)
- .ConfigureKeyVault(kv =>
- {
- kv.SetCredential(credentials);
- });
- });
+ options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential()));
}) .UseStartup<Startup>(); ```
- ### [.NET Core 3.x](#tab/core3x)
-
- ```csharp
- public static IHostBuilder CreateHostBuilder(string[] args) =>
- Host.CreateDefaultBuilder(args)
- .ConfigureWebHostDefaults(webBuilder =>
- {
- webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
- {
- var settings = config.Build();
- var credentials = new ManagedIdentityCredential();
-
- config.AddAzureAppConfiguration(options =>
- {
- options.Connect(new Uri(settings["AppConfig:Endpoint"]), credentials)
- .ConfigureKeyVault(kv =>
- {
- kv.SetCredential(credentials);
- });
- });
- });
- })
- .UseStartup<Startup>());
- ```
- You can now access Key Vault references just like any other App Configuration key. The config provider will use the `ManagedIdentityCredential` to authenticate to Key Vault and retrieve the value.
- > [!NOTE]
- > The `ManagedIdentityCredential` works only in Azure environments of services that support managed identity authentication. It doesn't work in the local environment. Use [`DefaultAzureCredential`](/dotnet/api/azure.identity.defaultazurecredential) for the code to work in both local and Azure environments as it will fall back to a few authentication options including managed identity.
- >
- > In case you want to use a **user-asigned managed identity** with the `DefaultAzureCredential` when deployed to Azure, [specify the clientId](/dotnet/api/overview/azure/identity-readme#specifying-a-user-assigned-managed-identity-with-the-defaultazurecredential).
--
-## Deploy from local Git
-
-The easiest way to enable local Git deployment for your app with the Kudu build server is to use [Azure Cloud Shell](https://shell.azure.com).
-
-### Configure a deployment user
--
-### Enable local Git with Kudu
-If you don't have a local git repository for your app, you'll need to initialize one. To initialize a local git repository, run the following commands from your app's project directory:
-
-```cmd
-git init
-git add .
-git commit -m "Initial version"
-```
-
-To enable local Git deployment for your app with the Kudu build server, run [`az webapp deployment source config-local-git`](/cli/azure/webapp/deployment/#az_webapp_deployment_source_config_local_git) in Cloud Shell.
-
-```azurecli-interactive
-az webapp deployment source config-local-git --name <app_name> --resource-group <group_name>
-```
-
-This command gives you something similar to the following output:
-
-```json
-{
- "url": "https://<username>@<app_name>.scm.azurewebsites.net/<app_name>.git"
-}
-```
-
-### Deploy your project
-
-In the _local terminal window_, add an Azure remote to your local Git repository. Replace _\<url>_ with the URL of the Git remote that you got from [Enable local Git with Kudu](#enable-local-git-with-kudu).
-
-```bash
-git remote add azure <url>
-```
-
-Push to the Azure remote to deploy your app with the following command. When you're prompted for a password, enter the password you created in [Configure a deployment user](#configure-a-deployment-user). Don't use the password you use to sign in to the Azure portal.
-
-```bash
-git push azure main
-```
-
-You might see runtime-specific automation in the output, such as MSBuild for ASP.NET, `npm install` for Node.js, and `pip install` for Python.
-
-### Browse to the Azure web app
-
-Browse to your web app by using a browser to verify that the content is deployed.
-
-```bash
-http://<app_name>.azurewebsites.net
-```
-
-## Use managed identity in other languages
-
-App Configuration providers for .NET Framework and Java Spring also have built-in support for managed identity. You can use your store's URL endpoint instead of its full connection string when you configure one of these providers.
-
-For example, you can update the .NET Framework console app created in the quickstart to specify the following settings in the *App.config* file:
+ > If you want to use a **user-assigned managed identity**, be sure to specify the clientId when creating the [ManagedIdentityCredential](/dotnet/api/azure.identity.managedidentitycredential).
+ >```csharp
+ >config.AddAzureAppConfiguration(options =>
+ > {
+ > options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential("<your_clientId>"))
+ > });
+ >```
+ >As explained in the [Managed Identities for Azure resources FAQs](../active-directory/managed-identities-azure-resources/known-issues.md), there is a default way to resolve which managed identity is used. In this case, the Azure Identity library enforces you to specify the desired identity to avoid posible runtime issues in the future (for instance, if a new user-assigned managed identity is added or if the system-assigned managed identity is enabled). So, you will need to specify the clientId even if only one user-assigned managed identity is defined, and there is no system-assigned managed identity.
+
+
-```xml
- <configSections>
- <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" />
- </configSections>
+## Deploy your application
- <configBuilders>
- <builders>
- <add name="MyConfigStore" mode="Greedy" endpoint="${Endpoint}" type="Microsoft.Configuration.ConfigurationBuilders.AzureAppConfigurationBuilder, Microsoft.Configuration.ConfigurationBuilders.AzureAppConfiguration" />
- <add name="Environment" mode="Greedy" type="Microsoft.Configuration.ConfigurationBuilders.EnvironmentConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Environment" />
- </builders>
- </configBuilders>
+Using managed identities requires you to deploy your app to an Azure service. Managed identities can't be used for authentication of locally-running apps. To deploy the .NET Core app that you created in the [Create an ASP.NET Core app with App Configuration](./quickstart-aspnet-core-app.md) quickstart and modified to use managed identities, follow the guidance in [Publish your web app](/azure/app-service/quickstart-dotnetcore?tabs=netcore31&pivots=development-environment-vs#publish-your-web-app).
- <appSettings configBuilders="Environment,MyConfigStore">
- <add key="AppName" value="Console App Demo" />
- <add key="Endpoint" value ="Set via an environment variable - for example, dev, test, staging, or production endpoint." />
- </appSettings>
-```
+In addition to App Service, many other Azure services support managed identities. For more information, see [Services that support managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities).
## Clean up resources
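Review bot: After this change the .NET Core 2.x snippet no longer compiles: the `config.AddAzureAppConfiguration(options =>` line is removed together with the Key Vault code, but the added `options.Connect(...)` line still uses `options` and still closes that call's parenthesis. Restore the `config.AddAzureAppConfiguration(options =>` line above it. The re-added user-assigned identity example has a similar problem, since `options.Connect(...)` now sits inside a `{ }` lambda body without a terminating semicolon. In the same block the `> [!NOTE]` marker appears to have been dropped, "posible" is misspelled, and the link text still says "FAQs" while the target is now `known-issues.md`.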
azure-app-configuration Howto Labels Aspnet Core https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/howto-labels-aspnet-core.md
Title: Use per-environment configuration
+ Title: Use labels to provide per-environment configuration values.
-description: Use labels to provide per-environment configuration values.
+description: This article describes how to use labels to retrieve app configuration values for the environment in which the app is currently running.
Last updated 3/12/2020
-# Use labels to enable configurations for different environments
+# Use labels to provide per-environment configuration values.
Many applications need to use different configurations for different environments. Suppose that an application has a configuration value that defines the connection string to use for its back-end database. The application developers use a different database from the one used in production. The database connection string that the application uses must change as the application moves from development to production.
By default, Azure App Configuration only loads configuration values with no labe
In the previous section, you created a different configuration value for the development environment. You use the `HostingEnvironment.EnvironmentName` variable to dynamically determine which environment the app currently runs in. To learn more, see [Use multiple environments in ASP.NET Core](/aspnet/core/fundamentals/environments).
+Add a reference to the [Microsoft.Extensions.Configuration.AzureAppConfiguration](/dotnet/api/microsoft.extensions.configuration.azureappconfiguration) namespace in order to access the [KeyFilter](/dotnet/api/microsoft.extensions.configuration.azureappconfiguration.keyfilter) and [LabelFilter](/dotnet/api/microsoft.extensions.configuration.azureappconfiguration.labelfilter) classes.
+
+```csharp
+using Microsoft.Extensions.Configuration.AzureAppConfiguration;
+```
+ Load configuration values with the label corresponding to the current environment by passing the environment name into the `Select` method:
+### [.NET Core 5.x](#tab/core5x)
+
+```csharp
+ public static IHostBuilder CreateHostBuilder(string[] args) =>
+ Host.CreateDefaultBuilder(args)
+ .ConfigureWebHostDefaults(webBuilder =>
+ webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
+ {
+ var settings = config.Build();
+ config.AddAzureAppConfiguration(options =>
+ options
+ .Connect(settings.GetConnectionString("AppConfig"))
+ // Load configuration values with no label
+ .Select(KeyFilter.Any, LabelFilter.Null)
+ // Override with any configuration values specific to current hosting env
+ .Select(KeyFilter.Any, hostingContext.HostingEnvironment.EnvironmentName)
+ );
+ })
+ .UseStartup<Startup>());
+```
+
+### [.NET Core 3.x](#tab/core3x)
+ ```csharp
- public static IHostBuilder CreateHostBuilder(string[] args) =>
- Host.CreateDefaultBuilder(args)
- .ConfigureWebHostDefaults(webBuilder =>
- webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
- {
- var settings = config.Build();
- config.AddAzureAppConfiguration(options =>
- options
- .Connect(Environment.GetEnvironmentVariable("AppConfigConnectionString"))
- // Load configuration values with no label
- .Select(KeyFilter.Any, LabelFilter.Null)
- // Override with any configuration values specific to current hosting env
- .Select(KeyFilter.Any, hostingContext.HostingEnvironment.EnvironmentName)
- );
- })
- .UseStartup<Startup>());
+ public static IHostBuilder CreateHostBuilder(string[] args) =>
+ Host.CreateDefaultBuilder(args)
+ .ConfigureWebHostDefaults(webBuilder =>
+ webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
+ {
+ var settings = config.Build();
+ config.AddAzureAppConfiguration(options =>
+ options
+ .Connect(settings.GetConnectionString("AppConfig"))
+ // Load configuration values with no label
+ .Select(KeyFilter.Any, LabelFilter.Null)
+ // Override with any configuration values specific to current hosting env
+ .Select(KeyFilter.Any, hostingContext.HostingEnvironment.EnvironmentName)
+ );
+ })
+ .UseStartup<Startup>());
```
+### [.NET Core 2.x](#tab/core2x)
+
+```csharp
+public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
+ WebHost.CreateDefaultBuilder(args)
+ .ConfigureAppConfiguration((hostingContext, config) =>
+ {
+ var settings = config.Build();
+ config.AddAzureAppConfiguration(options =>
+ options
+ .Connect(settings.GetConnectionString("AppConfig"))
+ // Load configuration values with no label
+ .Select(KeyFilter.Any, LabelFilter.Null)
+ // Override with any configuration values specific to current hosting env
+ .Select(KeyFilter.Any, hostingContext.HostingEnvironment.EnvironmentName)
+ );
+ })
+ .UseStartup<Startup>();
+```
+++ > [!IMPORTANT]
-> The preceding code snippet loads the App Configuration connection string from an environment variable named `AppConfigConnectionString`. Be sure that this environment variable is set properly.
+> The preceding code snippet uses the Secret Manager tool to load App Configuration connection string. For information storing the connection string using the Secret Manager, see [Quickstart for Azure App Configuration with ASP.NET Core](quickstart-aspnet-core-app.md).
The `Select` method is called twice. The first time, it loads configuration values with no label. Then, it loads configuration values with the label corresponding to the current environment. These environment-specific values override any corresponding values with no label. You don't need to define environment-specific values for every key. If a key doesn't have a value with a label corresponding to the current environment, it uses the value with no label.
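Review bot: The rewritten `[!IMPORTANT]` note says the snippet "uses the Secret Manager tool", but the code in all three tabs only calls `settings.GetConnectionString("AppConfig")`, which reads `ConnectionStrings:AppConfig` from whatever configuration has been built at that point. Say that in the note, and say that Secret Manager is where the value comes from during local development, so readers do not assume the same source exists once the app is deployed. Wording on the same line: "to load App Configuration connection string" needs "the", and "For information storing" should read "For information about storing".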
azure-app-configuration Use Key Vault References Dotnet Core https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/use-key-vault-references-dotnet-core.md
Before you start this tutorial, install the [.NET Core SDK](https://dotnet.micro
1. Select the **Create a resource** option in the upper-left corner of the Azure portal: ![Screenshot shows the Create a resource option in the Azure portal.](./media/quickstarts/search-services.png)
-1. In the search box, enter **Key Vault**.
+1. In the search box, type **Key Vault** and select **Key Vault** from the drop-down.
1. From the results list, select **Key vaults** on the left. 1. In **Key vaults**, select **Add**. 1. On the right in **Create key vault**, provide the following information: - Select **Subscription** to choose a subscription.
- - In **Resource Group**, select **Create new** and enter a resource group name.
- - In **Key vault name**, a unique name is required. For this tutorial, enter **Contoso-vault2**.
+ - In **Resource Group**, enter an existing resource group name or select **Create new** and enter a resource group name.
+ - In **Key vault name**, a unique name is required.
- In the **Region** drop-down list, choose a location. 1. Leave the other **Create key vault** options with their default values.
-1. Select **Create**.
+1. Click **Review + Create**.
+1. The system will validate and display the data you entered. Click **Create**.
At this point, your Azure account is the only one authorized to access this new vault.
-![Screenshot shows your key vault.](./media/quickstarts/vault-properties.png)
## Add a secret to Key Vault
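Review bot: The two added steps use "Click" (`Click **Review + Create**`, `Click **Create**`) while every unchanged step in this list uses "Select"; keep the verb consistent. Also check the added `type **Key Vault** and select **Key Vault** from the drop-down` step against the unchanged step that follows it ("From the results list, select **Key vaults** on the left"), since the reader is now told to pick the service twice.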
To add a secret to the vault, you need to take just a few additional steps. In t
- **Subscription**, **Resource group**, and **Key vault**: Enter the values corresponding to those in the key vault you created in the previous section. - **Secret**: Select the secret named **Message** that you created in the previous section.
-## Connect to Key Vault
-
-1. In this tutorial, you use a service principal for authentication to Key Vault. To create this service principal, use the Azure CLI [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command:
-
- ```azurecli
- az ad sp create-for-rbac -n "http://mySP" --sdk-auth
- ```
-
- This operation returns a series of key/value pairs:
-
- ```console
- {
- "clientId": "7da18cae-779c-41fc-992e-0527854c6583",
- "clientSecret": "b421b443-1669-4cd7-b5b1-394d5c945002",
- "subscriptionId": "443e30da-feca-47c4-b68f-1636b75e16b3",
- "tenantId": "35ad10f1-7799-4766-9acf-f2d946161b77",
- "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
- "resourceManagerEndpointUrl": "https://management.azure.com/",
- "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
- "galleryEndpointUrl": "https://gallery.azure.com/",
- "managementEndpointUrl": "https://management.core.windows.net/"
- }
- ```
-
-1. Run the following command to let the service principal access your key vault:
-
- ```cmd
- az keyvault set-policy -n <your-unique-keyvault-name> --spn <clientId-of-your-service-principal> --secret-permissions delete get list set --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey
- ```
-
-1. Add environment variables to store the values of *clientId*, *clientSecret*, and *tenantId*.
-
- #### [Windows command prompt](#tab/cmd)
-
- ```cmd
- setx AZURE_CLIENT_ID <clientId-of-your-service-principal>
- setx AZURE_CLIENT_SECRET <clientSecret-of-your-service-principal>
- setx AZURE_TENANT_ID <tenantId-of-your-service-principal>
- ```
-
- #### [PowerShell](#tab/powershell)
-
- ```PowerShell
- $Env:AZURE_CLIENT_ID = <clientId-of-your-service-principal>
- $Env:AZURE_CLIENT_SECRET = <clientSecret-of-your-service-principal>
- $Env:AZURE_TENANT_ID = <tenantId-of-your-service-principal>
- ```
-
- #### [Bash](#tab/bash)
-
- ```bash
- export AZURE_CLIENT_ID = <clientId-of-your-service-principal>
- export AZURE_CLIENT_SECRET = <clientSecret-of-your-service-principal>
- export AZURE_TENANT_ID = <tenantId-of-your-service-principal>
- ```
-
-
-
- > [!NOTE]
- > These Key Vault credentials are used only within your application. Your application authenticates directly to Key Vault with these credentials. They are never passed to the App Configuration service.
-
-1. Restart your terminal to load these new environment variables.
+![Screen shot of the create a new Key Vault reference form](./media/create-key-vault-reference.png)
## Update your code to use a Key Vault reference
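Review bot: The added image line has no sentence introducing it, and its alt text ("Screen shot of the create a new Key Vault reference form") breaks the "Screenshot shows ..." pattern used by the other image in this article. Since this hunk also deletes the service principal steps, consider a short note for readers who followed the earlier version: the `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET` and `AZURE_TENANT_ID` variables and the `az keyvault set-policy` grant (which included `delete`, `set` and the key permissions) are no longer needed by this tutorial and can be removed.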
To add a secret to the vault, you need to take just a few additional steps. In t
1. Update the `CreateWebHostBuilder` method to use App Configuration by calling the `config.AddAzureAppConfiguration` method. Include the `ConfigureKeyVault` option, and pass the correct credentials to your Key Vault.
- #### [.NET Core 2.x](#tab/core2x)
+ #### [.NET Core 5.x](#tab/core5x)
```csharp
- public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
- WebHost.CreateDefaultBuilder(args)
- .ConfigureAppConfiguration((hostingContext, config) =>
+ public static IHostBuilder CreateHostBuilder(string[] args) =>
+ Host.CreateDefaultBuilder(args)
+ .ConfigureWebHostDefaults(webBuilder =>
+ webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
{ var settings = config.Build();
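Review bot: The unchanged step text above this hunk still says "Update the `CreateWebHostBuilder` method", but the first tab now shows `CreateHostBuilder`; only the 2.x tab has a method with the old name. Update the step to name both, or refer to "the host builder method" generically. The same sentence tells the reader to "pass the correct credentials to your Key Vault", which no longer matches a snippet that calls `kv.SetCredential(new DefaultAzureCredential())`.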
To add a secret to the vault, you need to take just a few additional steps. In t
}); }); })
- .UseStartup<Startup>();
+ .UseStartup<Startup>());
``` #### [.NET Core 3.x](#tab/core3x)
To add a secret to the vault, you need to take just a few additional steps. In t
}) .UseStartup<Startup>()); ```
+
+ #### [.NET Core 2.x](#tab/core2x)
+
+ ```csharp
+ public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
+ WebHost.CreateDefaultBuilder(args)
+ .ConfigureAppConfiguration((hostingContext, config) =>
+ {
+ var settings = config.Build();
+
+ config.AddAzureAppConfiguration(options =>
+ {
+ options.Connect(settings["ConnectionStrings:AppConfig"])
+ .ConfigureKeyVault(kv =>
+ {
+ kv.SetCredential(new DefaultAzureCredential());
+ });
+ });
+ })
+ .UseStartup<Startup>();
+ ```
1. When you initialized the connection to App Configuration, you set up the connection to Key Vault by calling the `ConfigureKeyVault` method. After the initialization, you can access the values of Key Vault references in the same way you access the values of regular App Configuration keys.
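Review bot: The added 2.x tab reads the connection string with `settings["ConnectionStrings:AppConfig"]`, while the label article changed in the same update uses `settings.GetConnectionString("AppConfig")` in its 2.x tab. Use one accessor across the App Configuration articles so readers do not wonder whether the two read different keys. The snippet also introduces `DefaultAzureCredential` without showing which namespace or package it comes from; if that is covered in an earlier step, a pointer to it here would help.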
To add a secret to the vault, you need to take just a few additional steps. In t
You access the value of the Key Vault reference **TestApp:Settings:KeyVaultMessage** in the same way as for the configuration value of **TestApp:Settings:Message**. +
+## Grant your app access to Key Vault
+
+Azure App Configuration won't access your Key Vault. Your app will read from Key Vault directly, so you need to grant your app read access to the secrets in your Key Vault. This way, the secret always stays with your app. The access can be granted using either the [Vault access policy ](/azure/key-vault/general/assign-access-policy-portal) or [Azure role-based access control](/azure/key-vault/general/rbac-guide).
+
+You use `DefaultAzureCredential` in your code above. It is an aggregated token credential that tries a number of credential types such as `ManagedIdentityCredential`, `SharedTokenCacheCredential`, `VisualStudioCredential`, etc. automatically. See [DefaultAzureCredential Class](/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet) for more information. You can replace it with any credential type explicitly. However, using `DefaultAzureCredential` enables you to have the same code that runs in both local and Azure environments. For example, you grant your own credential access to your Key Vault. The `DefaultAzureCredential` will fall back to `SharedTokenCacheCredential` or `VisualStudioCredential` automatically when you use Visual Studio for local development. After your app is deployed to one of Azure services with managed identity enabled, such as App Service, Azure Kubernetes Service, or Azure Container Instance, you grant the managed identity of the Azure service permission to access to your Key Vault. The `DefaultAzureCredential` will use `ManagedIdentityCredential` automatically when your app is running in Azure. You can leverage the same managed identity to authenticate with both App Configuration and Key Vault. For more information, see [How to use managed identities to access App Configuration](/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity).
+ ## Build and run the app locally 1. To build the app by using the .NET Core CLI, run the following command in the command shell:
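Review bot: The new section says to "grant your app read access to the secrets" but never names the permission, and the steps it replaces granted `--secret-permissions delete get list set` plus a full set of key permissions. State the minimum explicitly (for an access policy, the secret `get` permission) so readers do not carry the old, broader grant forward. Smaller points in the same hunk: the link text `[Vault access policy ]` has a stray space before the bracket, "permission to access to your Key Vault" has an extra "to", and the `DefaultAzureCredential` explanation is one long paragraph that would read better split into local development and running in Azure.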
To add a secret to the vault, you need to take just a few additional steps. In t
![Quickstart local app launch](./media/key-vault-reference-launch-local.png) ++ ## Clean up resources [!INCLUDE [azure-app-configuration-cleanup](../../includes/azure-app-configuration-cleanup.md)]
To learn how to automatically reload secrets and certificates from Key Vault, co
To learn how to use Managed Identity to streamline access to App Configuration and Key Vault, refer to the following tutorial: > [!div class="nextstepaction"]
-> [Managed identity integration](./howto-integrate-azure-managed-service-identity.md)
+> [Managed identity integration](./howto-integrate-azure-managed-service-identity.md)
azure-functions Functions Bindings Timer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-timer.md
Here are some examples of NCRONTAB expressions you can use for the timer trigger
| `0 30 9 * Jan Mon` | at 9:30 AM every Monday in January | > [!NOTE]
-> NCRONTAB expression require a **six field** format. The sixth field position is a value for seconds which is placed at the beginning of the expression. Five field cron expressions are not supported in Azure.
+> NCRONTAB expression supports both **five field** and **six field** format. The sixth field position is a value for seconds which is placed at the beginning of the expression.
### NCRONTAB time zones
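Review bot: The rewritten note says both formats are supported but never says how a five-field expression is interpreted, and its second sentence still describes "the sixth field position" as seconds placed at the beginning, which only makes sense for six fields. State what the seconds value is when only five fields are given, and fix the agreement ("NCRONTAB expressions support both five-field and six-field formats"). The visible example row `0 30 9 * Jan Mon` is six-field, so a five-field row in the table would make the change concrete.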
azure-monitor Alerts Dynamic Thresholds https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/alerts-dynamic-thresholds.md
We would love to hear your feedback, keep it coming at <azurealertsfeedback@micr
## Why and when is using dynamic condition type recommended?
-1. **Scalable Alerting** ΓÇô Dynamic threshold alert rules can create tailored thresholds for hundreds of metric series at a time, yet providing the same ease of defining an alert rule on a single metric. They give you fewer alert to create and manage. You can use either Azure portal or the Azure Resource Manager API to create them. The scalable approach is especially useful when dealing with metric dimensions or when applying to multiple resources, such as to all subscription resources. [Learn more about how to configure Metric Alerts with Dynamic Thresholds using templates](./alerts-metric-create-templates.md).
+1. **Scalable Alerting** ΓÇô Dynamic threshold alert rules can create tailored thresholds for hundreds of metric series at a time, yet providing the same ease of defining an alert rule on a single metric. They give you fewer alerts to create and manage. You can use either Azure portal or the Azure Resource Manager API to create them. The scalable approach is especially useful when dealing with metric dimensions or when applying to multiple resources, such as to all subscription resources. [Learn more about how to configure Metric Alerts with Dynamic Thresholds using templates](./alerts-metric-create-templates.md).
1. **Smart Metric Pattern Recognition** ΓÇô Using our ML technology, weΓÇÖre able to automatically detect metric patterns and adapt to metric changes over time, which may often include seasonality (hourly / daily / weekly). Adapting to the metricsΓÇÖ behavior over time and alerting based on deviations from its pattern relieves the burden of knowing the "right" threshold for each metric. The ML algorithm used in Dynamic Thresholds is designed to prevent noisy (low precision) or wide (low recall) thresholds that donΓÇÖt have an expected pattern.
Use the following information to interpret the previous chart.
- **Red dot with a black circle** - Shows the first metric value out of the allowed range. This is the value that fires a metric alert and puts it in an active state. - **Red dots**- Indicate additional measured values outside of the allowed range. They will not fire additional metric alerts, but the alert stays in the active. - **Red area** - Shows the time when the metric value was outside of the allowed range. The alert remains in the active state as long as subsequent measured values are out of the allowed range, but no new alerts are fired.-- **End of red area** - When the blue line is back inside the allowed values, the red area stops and the measured value line turns blue. The status of the metric alert fired at the time of the red dot with black outline is set to resolved.
+- **End of red area** - When the blue line is back inside the allowed values, the red area stops and the measured value line turns blue. The status of the metric alert fired at the time of the red dot with black outline is set to resolved.
azure-monitor Alerts Troubleshoot Log https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/alerts-troubleshoot-log.md
# Troubleshoot log alerts in Azure Monitor
-This article shows you how to resolve common issues with log alerts in Azure Monitor. It also provides solutions to common problems with the functionality and configuration of log alerts.
+This article describes how to resolve common issues with log alerts in Azure Monitor. It also provides solutions to common problems with the functionality and configuration of log alerts.
-Log alerts allow users to use a [Log Analytics](../logs/log-analytics-tutorial.md) query to evaluate resources logs every set frequency, and fire an alert based on the results. Rules can trigger one or more actions using [Action Groups](./action-groups.md). [Learn more about functionality and terminology of log alerts](alerts-unified-log.md).
+You can use log alerts to evaluate resources logs every set frequency by using a [Log Analytics](../logs/log-analytics-tutorial.md) query, and fire an alert that's based on the results. Rules can trigger one or more actions using [Action Groups](./action-groups.md). To learn more about functionality and terminology of log alerts, see [Log alerts in Azure Monitor](alerts-unified-log.md).
> [!NOTE]
-> This article doesn't consider cases where the Azure portal shows an alert rule triggered and a notification is not performed by an associated action group. For such cases, see the details on troubleshooting [here](./alerts-troubleshoot.md#action-or-notification-on-my-alert-did-not-work-as-expected).
+> This article doesn't consider cases where the Azure portal shows that an alert rule was triggered but a notification isn't received. For such cases, see [Action or notification on my alert did not work as expected](./alerts-troubleshoot.md#action-or-notification-on-my-alert-did-not-work-as-expected).
## Log alert didn't fire
Log alerts allow users to use a [Log Analytics](../logs/log-analytics-tutorial.m
Azure Monitor processes terabytes of customers' logs from across the world, which can cause [logs ingestion latency](../logs/data-ingestion-time.md).
-Logs are semi-structured data and inherently more latent than metrics. If you're experiencing more than 4-minutes delay in fired alerts, you should consider using [metric alerts](alerts-metric-overview.md). You can send data to the metric store from logs using [metric alerts for logs](alerts-metric-logs.md).
+Logs are semi-structured data and are inherently more latent than metrics. If you're experiencing more than a 4-minute delay in fired alerts, you should consider using [metric alerts](alerts-metric-overview.md). You can send data to the metric store from logs using [metric alerts for logs](alerts-metric-logs.md).
-The system retries the alert evaluation multiple times to mitigate latency. Once the data arrives, the alert fires, which in most cases don't equal the log record time.
+To mitigate latency, the system retries the alert evaluation multiple times. After the data arrives, the alert fires, which in most cases don't equal the log record time.
### Incorrect query time range configured
-Query time range is set in the rule condition definition. This field is called **Period** for workspaces and Application Insights, and called **Override query time range** for all other resource types. Like in log analytics, the time range limits query data to the specified period. Even if **ago** command is used in the query, the time range will apply.
+Query time range is set in the rule condition definition. For workspaces and Application Insights, this field is called **Period**. For all other resource types, it's called **Override query time range**. Like in log analytics, the time range limits query data to the specified period. Even if the **ago** command is used in the query, the time range will apply.
-For example, a query scans 60 minutes, when time range is 60 minutes, even if the text contains **ago(1d)**. The time range and query time filtering need to match. In the example case, changing the **Period** / **Override query time range** to one day, would work as expected.
+For example, a query scans 60 minutes when the time range is 60 minutes, even if the text contains **ago(1d)**. The time range and query time filtering need to match. In the example case, changing the **Period** / **Override query time range** to one day, works as expected.
![Time period](media/alerts-troubleshoot-log/LogAlertTimePeriod.png) ### Actions are muted in the alert rule
-Log alerts provide an option to mute fired alert actions for a set amount of time. This field is called **Suppress alerts** in workspaces and Application Insights. In all other resource types, it's called **Mute actions**.
+Log alerts provide an option to mute fired alert actions for a set amount of time. In workspaces and Application Insights, this field is called **Suppress alerts**. In all other resource types, it's called **Mute actions**.
-A common issue is that you think that the alert didn't fire the actions because of a service issue. Even tough it was muted by the rule configuration.
+A common issue is that you think that the alert didn't fire the actions because of a service issue, even though it was muted by the rule configuration.
![Suppress alerts](media/alerts-troubleshoot-log/LogAlertSuppress.png) ### Alert scope resource has been moved, renamed, or deleted
-When you author an alert rule, Log Analytics creates a permission snapshot for your user ID. This snapshot is saved in the rule and contains the rule scope resource Azure Resource Manager ID. If the rule scope resource moves, gets renamed, or deleted, all log alert rules referring to that resource will break. Alert rules will need to be recreated using the new Azure Resource Manager ID to work.
+When you author an alert rule, Log Analytics creates a permission snapshot for your user ID. This snapshot is saved in the rule and contains the rule scope resource, Azure Resource Manager ID. If the rule scope resource moves, gets renamed, or is deleted, all log alert rules that refer to that resource will break. To work correctly, alert rules need to be recreated using the new Azure Resource Manager ID.
### Metric measurement alert rule with splitting using the legacy Log Analytics API
-[Metric measurement](alerts-unified-log.md#calculation-of-measure-based-on-a-numeric-column-such-as-cpu-counter-value) is a type of log alert that is based on summarized time series results. These rules allow grouping by columns to [split alerts](alerts-unified-log.md#split-by-alert-dimensions). If you're using the legacy Log Analytics API, splitting won't work as expected. Choosing the grouping in the legacy API isn't supported.
+[Metric measurement](alerts-unified-log.md#calculation-of-measure-based-on-a-numeric-column-such-as-cpu-counter-value) is a type of log alert that's based on summarized time series results. You can use these rules to group by columns to [split alerts](alerts-unified-log.md#split-by-alert-dimensions). If you're using the legacy Log Analytics API, splitting doesn't work as expected because it doesn't support grouping.
-The current ScheduledQueryRules API allows you to set **Aggregate On** in [Metric measurement](alerts-unified-log.md#calculation-of-measure-based-on-a-numeric-column-such-as-cpu-counter-value) rules, which will work as expected. [Learn more about switching to the current ScheduledQueryRules API](../alerts/alerts-log-api-switch.md).
+You can use the current ScheduledQueryRules API to set **Aggregate On** in [Metric measurement](alerts-unified-log.md#calculation-of-measure-based-on-a-numeric-column-such-as-cpu-counter-value) rules, which work as expected. To learn more about switching to the current ScheduledQueryRules API, see [Upgrade to the current Log Alerts API from legacy Log Analytics Alert API]](../alerts/alerts-log-api-switch.md).
## Log alert fired unnecessarily
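Review bot: The last added line ends its link text with `]]` (`...from legacy Log Analytics Alert API]](../alerts/alerts-log-api-switch.md)`), which breaks the link; drop one bracket. In the "Alert scope resource has been moved" paragraph, the new comma in "contains the rule scope resource, Azure Resource Manager ID" changes the meaning: the original described the Azure Resource Manager ID of the rule scope resource, not two separate items. The latency paragraph also keeps "which in most cases don't equal the log record time", which still needs "doesn't" and a clear subject (the alert fire time).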
A configured [log alert rule in Azure Monitor](./alerts-log.md) might be trigger
Azure Monitor processes terabytes of customers' logs from across the world, which can cause [logs ingestion latency](../logs/data-ingestion-time.md).
-Logs are semi-structured data and inherently more latent than metrics. If you're experiencing many misfires in fired alerts, you should consider using [metric alerts](alerts-metric-overview.md). You can send data to the metric store from logs using [metric alerts for logs](alerts-metric-logs.md).
+Logs are semi-structured data and are inherently more latent than metrics. If you're experiencing many misfires in fired alerts, you should consider using [metric alerts](alerts-metric-overview.md). You can send data to the metric store from logs using [metric alerts for logs](alerts-metric-logs.md).
-Log alerts work best when you try to detect data in the logs. It works less well when you try to detect lack of data in the logs. For example, alerting on virtual machine heartbeat.
+Log alerts work best when you try to detect data in the logs. It works less well when you try to detect lack of data in the logs, like alerting on virtual machine heartbeat.
-While there are builtin capabilities to prevent false alerts, they can still occur on very latent data (over ~30 minutes) and data with latency spikes.
+There are built-in capabilities to prevent false alerts, but they can still occur on very latent data (over ~30 minutes) and data with latency spikes.
### Query optimization issues
SecurityEvent
| where EventID == 4624 ```
-If the intent of the user is to alert, when this event type happens, the alerting logic appends `count` to the query. The query that will run will be:
+If the intent of the user is to alert, when this event type happens, the alerting logic appends `count` to the query. The query that will run is:
``` Kusto SecurityEvent
SecurityEvent
| count ```
-There's no need to add alerting logic to the query and doing that may even cause issues. In the above example, if you include `count` in your query, it will always result in the value 1, since the alert service will do `count` of `count`.
+There's no need to add alerting logic to the query, and doing that may even cause issues. In the preceding example, if you include `count` in your query, it always results in the value **1**, because the alert service performs a `count` of `count`.
-The optimized query is what the log alert service runs. You can run the modified query in Log Analytics [portal](../logs/log-query-overview.md) or [API](/rest/api/loganalytics/).
+The log alert service runs the optimized query. You can run the modified query in the Log Analytics [portal](../logs/log-query-overview.md) or [API](/rest/api/loganalytics/).
-For workspaces and Application Insights, it's called **Query to be executed** in the condition pane. In all other resource types, select **See final alert Query** in the condition tab.
+For workspaces and Application Insights, it's called **Query to be executed** in the Condition pane. In all other resource types, select **See final alert Query** on the **Condition** tab.
![Query to be executed](media/alerts-troubleshoot-log/LogAlertPreview.png) ## Log alert was disabled
-The following sections list some reasons why Azure Monitor might disable a log alert rule. We also included an [example of the activity log that is sent when a rule is disabled](#activity-log-example-when-rule-is-disabled).
+The following sections list some reasons why Azure Monitor might disable a log alert rule. After those section, there's an [example of the activity log that is sent when a rule is disabled](#activity-log-example-when-rule-is-disabled).
### Alert scope no longer exists or was moved
-When the scope resources of an alert rule are no longer valid, execution of the rule fails. In this case, billing stops as well.
+When the scope resources of an alert rule are no longer valid, rule execution fails, and billing stops.
-Azure Monitor will disable the log alert after a week if it fails continuously.
+If a log alert fails continuously for a week, Azure Monitor disables it.
### Query used in a log alert isn't valid When a log alert rule is created, the query is validated for correct syntax. But sometimes, the query provided in the log alert rule can start to fail. Some common reasons are: -- Rules were created via the API and validation was skipped by the user.-- The query [runs on multiple resources](../logs/cross-workspace-query.md) and one or more of the resources was deleted or moved.
+- Rules were created via the API, and validation was skipped by the user.
+- The query [runs on multiple resources](../logs/cross-workspace-query.md), and one or more of the resources was deleted or moved.
- The [query fails](https://dev.loganalytics.io/documentation/Using-the-API/Errors) because: - The logging solution wasn't [deployed to the workspace](../insights/solutions.md#install-a-monitoring-solution), so tables aren't created.
- - Data stopped flowing to a table in the query for over 30 days.
- - [Custom logs tables](../agents/data-sources-custom-logs.md) aren't yet created, since data flow hasn't started.
-- Changes in [query language](/azure/kusto/query/) include a revised format for commands and functions. So the query provided earlier is no longer valid.
+ - Data stopped flowing to a table in the query for more than 30 days.
+ - [Custom logs tables](../agents/data-sources-custom-logs.md) aren't yet created, because the data flow hasn't started.
+- Changes in [query language](/azure/kusto/query/) include a revised format for commands and functions, so the query provided earlier is no longer valid.
-[Azure Advisor](../../advisor/advisor-overview.md) warns you about this behavior. It adds a recommendation about the log alert rule affected. The category used is 'High Availability' with medium impact and a description of 'Repair your log alert rule to ensure monitoring'.
+[Azure Advisor](../../advisor/advisor-overview.md) warns you about this behavior. It adds a recommendation about the affected log alert rule. The category used is 'High Availability' with medium impact and a description of 'Repair your log alert rule to ensure monitoring'.
## Alert rule quota was reached
-The number of log search alert rules per subscription and resource are subject to the quota limits described [here](../service-limits.md).
+For details about the number of log search alert rules per subscription and maximum limits of resources, see [Azure Monitor service limits](../service-limits.md).
### Recommended Steps
-If you've reached the quota limit, the following steps may help resolve the issue.
+If you've reached the quota limit, the following steps might help resolve the issue.
-1. Try deleting or disabling log search alert rules that arenΓÇÖt used anymore.
-1. Try to use [splitting of alerts by dimensions](alerts-unified-log.md#split-by-alert-dimensions) to reduce rules count. These rules can monitor many resources and detection cases.
+1. Delete or disable log search alert rules that arenΓÇÖt used anymore.
+1. Use [splitting of alerts by dimensions](alerts-unified-log.md#split-by-alert-dimensions) to reduce rules count. These rules can monitor many resources and detection cases.
1. If you need the quota limit to be increased, continue to open a support request, and provide the following information:
- - Subscription IDs and Resource IDs for which the quota limit needs to be increased.
- - Reason for quota increase.
- - Resource type for the quota increase: **Log Analytics**, **Application Insights**, and so on.
- - Requested quota limit.
-
+ - The Subscription IDs and Resource IDs for which the quota limit needs to be increased
+ - The reason for quota increase
+ - The resource type for the quota increase, such as **Log Analytics** or **Application Insights**
+ - The requested quota limit
### To check the current usage of new log alert rules #### From the Azure portal
-1. Open the *Alerts* screen, and select *Manage alert rules*
-2. Filter to the relevant subscription using the *Subscription* dropdown control
-3. Make sure NOT to filter to a specific resource group, resource type, or resource
-4. In the *Signal type* dropdown control, select 'Log Search'
-5. Verify that the *Status* dropdown control is set to ΓÇÿEnabledΓÇÖ
-6. The total number of log search alert rules will be displayed above the rules list
+1. On the Alerts screen, select **Manage alert rules**.
+1. In the **Subscription** dropdown control, filter to the subscription you want. (Make sure you don't filter to a specific resource group, resource type, or resource.)
+1. In the **Signal type** dropdown control, select **Log Search**.
+1. Verify that the **Status** dropdown control is set to **Enabled**.
+
+The total number of log search alert rules is displayed above the rules list.
#### From API
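Review bot: The rewritten intro under "Log alert was disabled" has a typo, "After those section, there's"; it should be "After those sections". In the quota section, the replacement sentence ("For details about the number of log search alert rules ...") no longer says that rules are subject to quota limits, only that details exist elsewhere; keep the statement that a limit applies. In the portal steps, folding "Make sure NOT to filter to a specific resource group, resource type, or resource" into a parenthetical makes it easy to miss, and a wrong filter gives a wrong rule count, so it should stay a step of its own.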
If you've reached the quota limit, the following steps may help resolve the issu
## Activity log example when rule is disabled
-If query fails for seven days continuously, Azure Monitor will disable the log alert and stop billing of the rule. You can find out the exact time when Azure Monitor disabled the log alert in the [Azure Activity Log](../../azure-resource-manager/management/view-activity-logs.md). See this example:
+If query fails for seven days continuously, Azure Monitor disables the log alert and stops the billing of the rule. You can see the exact time when Azure Monitor disabled the log alert in the [Azure activity log](../../azure-resource-manager/management/view-activity-logs.md).
+
+See this example:
```json {
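Review bot: The added sentence keeps "If query fails for seven days continuously", which is missing an article and puts the adverb last. Suggest "If a query fails continuously for seven days, Azure Monitor disables the log alert and stops billing for the rule." The new stand-alone "See this example:" line could also say what the example is, for instance "The following activity log entry shows a rule that was disabled."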
azure-monitor Asp Net Core https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/asp-net-core.md
The example we'll use here is an [MVC application](/aspnet/core/tutorials/first-
## Supported scenarios
-The [Application Insights SDK for ASP.NET Core](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) can monitor your applications no matter where or how they run. If your application is running and has network connectivity to Azure, telemetry can be collected. Application Insights monitoring is supported everywhere .NET Core is supported. Support covers:
-* **Operating system**: Windows, Linux, or Mac.
-* **Hosting method**: In process or out of process.
-* **Deployment method**: Framework dependent or self-contained.
-* **Web server**: IIS (Internet Information Server) or Kestrel.
-* **Hosting platform**: The Web Apps feature of Azure App Service, Azure VM, Docker, Azure Kubernetes Service (AKS), and so on.
-* **.NET Core version**: All officially [supported .NET Core versions](https://dotnet.microsoft.com/download/dotnet-core) that are not in preview.
-* **IDE**: Visual Studio, VS Code, or command line.
+The [Application Insights SDK for ASP.NET Core](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) can monitor your applications no matter where or how they run. If your application is running and has network connectivity to Azure, telemetry can be collected. Application Insights monitoring is supported everywhere .NET Core is supported. Support covers the following:
+* **Operating system**: Windows, Linux, or Mac
+* **Hosting method**: In process or out of process
+* **Deployment method**: Framework dependent or self-contained
+* **Web server**: IIS (Internet Information Server) or Kestrel
+* **Hosting platform**: The Web Apps feature of Azure App Service, Azure VM, Docker, Azure Kubernetes Service (AKS), and so on
+* **.NET Core version**: All officially [supported .NET Core versions](https://dotnet.microsoft.com/download/dotnet-core) that are not in preview
+* **IDE**: Visual Studio, Visual Studio Code, or command line
> [!NOTE] > ASP.NET Core 3.1 requires [Application Insights 2.8.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore/2.8.0) or later.
The [Application Insights SDK for ASP.NET Core](https://nuget.org/packages/Micro
- A valid Application Insights instrumentation key. This key is required to send any telemetry to Application Insights. If you need to create a new Application Insights resource to get an instrumentation key, see [Create an Application Insights resource](./create-new-resource.md). > [!IMPORTANT]
-> [Connection Strings](./sdk-connection-string.md?tabs=net) are recommended over instrumentation keys. New Azure regions **require** the use of connection strings instead of instrumentation keys. Connection string identifies the resource that you want to associate your telemetry data with. It also allows you to modify the endpoints your resource will use as a destination for your telemetry. You will need to copy the connection string and add it to your application's code or to an environment variable.
+> [Connection Strings](./sdk-connection-string.md?tabs=net) are recommended over instrumentation keys. New Azure regions **require** using connection strings instead of instrumentation keys. Connection string identifies the resource that you want to associate your telemetry data with. It also allows you to modify the endpoints your resource will use as a destination for your telemetry. You will need to copy the connection string and add it to your application's code or to an environment variable.
## Enable Application Insights server-side telemetry (Visual Studio)
-For Visual Studio for Mac use the [manual guidance](#enable-application-insights-server-side-telemetry-no-visual-studio). Only the Windows version of Visual Studio supports this procedure.
+For Visual Studio for Mac, use the [manual guidance](#enable-application-insights-server-side-telemetry-no-visual-studio). Only the Windows version of Visual Studio supports this procedure.
1. Open your project in Visual Studio. > [!TIP]
- > If you want to, you can set up source control for your project so you can track all the changes that Application Insights makes. To enable source control, select **File** > **Add to Source Control**.
+ > To track all the changes that Application Insights makes, you can set up source control for your project. To set it up, select **File** > **Add to Source Control**.
2. Select **Project** > **Add Application Insights Telemetry**.
-3. Select **Get Started**. This selection's text might vary, depending on your version of Visual Studio. Some earlier versions use a **Start Free** button instead.
+3. Select **Get Started**. Depending on your version of Visual Studio, the name of this button might vary. In some earlier versions, it is named the **Start Free** button.
-4. Select your subscription. Then select **Resource** > **Register**.
+4. Select your subscription, and then select **Resource** > **Register**.
-5. After adding Application Insights to your project, check to confirm that you're using the latest stable release of the SDK. Go to **Project** > **Manage NuGet Packages** > **Microsoft.ApplicationInsights.AspNetCore**. If you need to, choose **Update**.
+5. After you add Application Insights to your project, check to confirm that you're using the latest stable release of the SDK. Go to **Project** > **Manage NuGet Packages** > **Microsoft.ApplicationInsights.AspNetCore**. If you need to, select **Update**.
![Screenshot showing where to select the Application Insights package for update](./media/asp-net-core/update-nuget-package.png)
-6. If you followed the optional tip and added your project to source control, go to **View** > **Team Explorer** > **Changes**. Then select each file to see a diff view of the changes made by Application Insights telemetry.
+6. If you added your project to source control, go to **View** > **Team Explorer** > **Changes**. You can select each file to see a diff view of the changes made by Application Insights telemetry.
## Enable Application Insights server-side telemetry (no Visual Studio)
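Review bot: In the [!IMPORTANT] note, the added line still ends with "copy the connection string and add it to your application's code or to an environment variable". Listing source code first steers readers toward committing the value to the repository. Suggest leading with the environment variable and pointing to the configuration-provider route described under "User secrets and other configuration providers" later in this article. In the same line, "Connection string identifies the resource" needs an article ("A connection string identifies"). In step 3, "it is named the **Start Free** button" reads more cleanly as "the button is named **Start Free**".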
For Visual Studio for Mac use the [manual guidance](#enable-application-insights
* `SET APPINSIGHTS_INSTRUMENTATIONKEY=putinstrumentationkeyhere`
- * `APPINSIGHTS_INSTRUMENTATIONKEY` is typically used in [Azure Web Apps](./azure-web-apps.md?tabs=net), but can also be used in all places where this SDK is supported. (If you are doing codeless web app monitoring, this format is required if you aren't using connection strings.)
+ * Typically, `APPINSIGHTS_INSTRUMENTATIONKEY` is used in [Azure Web Apps](./azure-web-apps.md?tabs=net), but it can also be used in all places where this SDK is supported. (If you're doing codeless web app monitoring, this format is required if you aren't using connection strings.)
- In lieu of setting instrumentation keys you can now also use [Connection Strings](./sdk-connection-string.md?tabs=net).
+ In lieu of setting instrumentation keys, you can now also use [Connection Strings](./sdk-connection-string.md?tabs=net).
> [!NOTE] > An instrumentation key specified in code wins over the environment variable `APPINSIGHTS_INSTRUMENTATIONKEY`, which wins over other options.
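Review bot: In the added line "In lieu of setting instrumentation keys, you can now also use [Connection Strings]", "in lieu of" and "also" pull in opposite directions, and the sentence presents connection strings as an optional extra even though the [!IMPORTANT] note earlier in this article calls them recommended and required in new Azure regions. Suggest "Instead of setting an instrumentation key, you can use a connection string, which is the recommended option." In the bullet above it, two conditions are stacked in one sentence ("If you're doing codeless web app monitoring, this format is required if you aren't using connection strings"); suggest one condition: "For codeless web app monitoring without a connection string, this format is required."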
For Visual Studio for Mac use the [manual guidance](#enable-application-insights
### User secrets and other configuration providers If you want to store the instrumentation key in ASP.NET Core user secrets or retrieve it from another configuration provider, you can use the overload with a `Microsoft.Extensions.Configuration.IConfiguration` parameter. For example, `services.AddApplicationInsightsTelemetry(Configuration);`.
-Starting from Microsoft.ApplicationInsights.AspNetCore version [2.15.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore), calling `services.AddApplicationInsightsTelemetry()` will automatically read the instrumentation key from `Microsoft.Extensions.Configuration.IConfiguration` of the application. There is no need to explicitly provide the `IConfiguration`.
+Starting from Microsoft.ApplicationInsights.AspNetCore version [2.15.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore), calling `services.AddApplicationInsightsTelemetry()` automatically reads the instrumentation key from `Microsoft.Extensions.Configuration.IConfiguration` of the application. There is no need to explicitly provide the `IConfiguration`.
## Run your application
-Run your application and make requests to it. Telemetry should now flow to Application Insights. The Application Insights SDK automatically collects incoming web requests to your application, along with the following telemetry as well.
+Run your application and make requests to it. Telemetry should now flow to Application Insights. The Application Insights SDK automatically collects incoming web requests to your application, along with the following telemetry.
### Live Metrics
-[Live Metrics](./live-stream.md) can be used to quickly verify if Application Insights monitoring is configured correctly. While it might take a few minutes before telemetry starts appearing in the portal and analytics, Live Metrics would show CPU usage of the running process in near real-time. It can also show other telemetry like Requests, Dependencies, Traces, etc.
+[Live Metrics](./live-stream.md) can be used to quickly verify if Application Insights monitoring is configured correctly. It might take a few minutes for telemetry to appear in the portal and analytics, but Live Metrics shows CPU usage of the running process in near real time. It can also show other telemetry like Requests, Dependencies, and Traces.
### ILogger logs
-The default configuration collects `ILogger` logs of severity `Warning` and above. This configuration can be [customized](#how-do-i-customize-ilogger-logs-collection).
+The default configuration collects `ILogger` `Warning` logs and more severe logs. You can [customize this configuration](#how-do-i-customize-ilogger-logs-collection).
### Dependencies
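Review bot: Under "ILogger logs", the added sentence "collects `ILogger` `Warning` logs and more severe logs" puts two code spans back to back and repeats "logs", which is harder to parse than the line it replaces. Suggest "collects `ILogger` logs at `Warning` severity and higher". Under "Live Metrics", the added "verify if Application Insights monitoring is configured correctly" should be "verify whether" or "verify that".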
Support for [performance counters](./performance-counters.md) in ASP.NET Core is
* SDK versions 2.4.1 and later collect performance counters if the application is running in Azure Web Apps (Windows). * SDK versions 2.7.1 and later collect performance counters if the application is running in Windows and targets `NETSTANDARD2.0` or later. * For applications targeting the .NET Framework, all versions of the SDK support performance counters.
-* SDK Versions 2.8.0 and later support cpu/memory counter in Linux. No other counter is supported in Linux. The recommended way to get system counters in Linux (and other non-Windows environments) is by using [EventCounters](#eventcounter)
+* SDK Versions 2.8.0 and later support cpu/memory counter in Linux. No other counter is supported in Linux. The recommended way to get system counters in Linux (and other non-Windows environments) is by using [EventCounters](#eventcounter).
### EventCounter
-`EventCounterCollectionModule` is enabled by default. The [EventCounter](eventcounters.md) tutorial has instructions on configuring the list of counters to be collected.
+By default, `EventCounterCollectionModule` is enabled. To learn how to configure the list of counters to be collected, see [EventCounters introduction](eventcounters.md).
## Enable client-side telemetry for web applications
The preceding steps are enough to help you start collecting server-side telemetr
</head> ```
-Alternatively to using the `FullScript` the `ScriptBody` is available starting in SDK v2.14. Use this if you need to control the `<script>` tag to set a Content Security Policy:
+As an alternative to using the `FullScript`, the `ScriptBody` is available starting in Application Insights SDK for ASP.NET Core version 2.14. Use this if you need to control the `<script>` tag to set a Content Security Policy:
```cshtml <script> // apply custom changes to this script tag.
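Review bot: In the added sentence, "Use this if you need to control the `<script>` tag to set a Content Security Policy" has no clear antecedent for "this" and implies the policy is set on the tag. What `ScriptBody` gives the reader is control over the tag itself, so the inline script can be made to comply with a policy defined elsewhere. Suggest "Use `ScriptBody` when you need to write the `<script>` tag yourself, for example to add the attributes your Content Security Policy requires." "The `FullScript`" and "the `ScriptBody`" also read better without the article.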
Alternatively to using the `FullScript` the `ScriptBody` is available starting i
</script> ```
-The `.cshtml` file names referenced earlier are from a default MVC application template. Ultimately, if you want to properly enable client-side monitoring for your application, the JavaScript snippet must appear in the `<head>` section of each page of your application that you want to monitor. You can accomplish this goal for this application template by adding the JavaScript snippet to `_Layout.cshtml`.
+The `.cshtml` file names referenced earlier are from a default MVC application template. Ultimately, if you want to properly enable client-side monitoring for your application, the JavaScript snippet must appear in the `<head>` section of each page of your application that you want to monitor. To do this in this application template, add the JavaScript snippet to `_Layout.cshtml`.
-If your project doesn't include `_Layout.cshtml`, you can still add [client-side monitoring](./website-monitoring.md). You can do this by adding the JavaScript snippet to an equivalent file that controls the `<head>` of all pages within your app. Or you can add the snippet to multiple pages, but this solution is difficult to maintain and we generally don't recommend it.
+If your project doesn't include `_Layout.cshtml`, you can still add [client-side monitoring](./website-monitoring.md). To do this, add the JavaScript snippet to an equivalent file that controls the `<head>` of all pages within your app. Or you can add the snippet to multiple pages, but this solution is difficult to maintain and we generally don't recommend it.
## Configure the Application Insights SDK
-You can customize the Application Insights SDK for ASP.NET Core to change the default configuration. Users of the Application Insights ASP.NET SDK might be familiar with changing configuration by using `ApplicationInsights.config` or by modifying `TelemetryConfiguration.Active`. For ASP.NET Core, almost all configuration changes are done in the `ConfigureServices()` method of your `Startup.cs` class, unless you're directed otherwise. The following sections offer more information.
+You can customize the Application Insights SDK for ASP.NET Core to change the default configuration. Users of the Application Insights ASP.NET SDK might be familiar with changing configuration by using `ApplicationInsights.config` or by modifying `TelemetryConfiguration.Active`. For ASP.NET Core, make almost all configuration changes in the `ConfigureServices()` method of your `Startup.cs` class, unless you're directed otherwise. The following sections offer more information.
> [!NOTE] > In ASP.NET Core applications, changing configuration by modifying `TelemetryConfiguration.Active` isn't supported.
public void ConfigureServices(IServiceCollection services)
} ```
-Full List of settings in `ApplicationInsightsServiceOptions`
+This table has the full list of `ApplicationInsightsServiceOptions` settings:
|Setting | Description | Default ||-|-
Full List of settings in `ApplicationInsightsServiceOptions`
|RequestCollectionOptions.TrackExceptions | Enable/Disable reporting of unhandled Exception tracking by the Request collection module. | false in NETSTANDARD2.0 (because Exceptions are tracked with ApplicationInsightsLoggerProvider), true otherwise. |EnableDiagnosticsTelemetryModule | Enable/Disable `DiagnosticsTelemetryModule`. Disabling this will cause the following settings to be ignored; `EnableHeartbeat`, `EnableAzureInstanceMetadataTelemetryModule`, `EnableAppServicesHeartbeatTelemetryModule` | true
-See the [configurable settings in `ApplicationInsightsServiceOptions`](https://github.com/microsoft/ApplicationInsights-dotnet/blob/develop/NETCORE/src/Shared/Extensions/ApplicationInsightsServiceOptions.cs) for the most up-to-date list.
+For the most current list, see the [configurable settings in `ApplicationInsightsServiceOptions`](https://github.com/microsoft/ApplicationInsights-dotnet/blob/develop/NETCORE/src/Shared/Extensions/ApplicationInsightsServiceOptions.cs).
-### Configuration Recommendation for Microsoft.ApplicationInsights.AspNetCore SDK 2.15.0 & above
+### Configuration recommendation for Microsoft.ApplicationInsights.AspNetCore SDK 2.15.0 and later
-Starting from Microsoft.ApplicationInsights.AspNetCore SDK version [2.15.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore/2.15.0), the recommendation is to configure every setting available in `ApplicationInsightsServiceOptions`, including instrumentationkey using applications `IConfiguration` instance. The settings must be under the section "ApplicationInsights", as shown in the following example. The following section from appsettings.json configures instrumentation key, and also disable adaptive sampling and performance counter collection.
+In Microsoft.ApplicationInsights.AspNetCore SDK version [2.15.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore/2.15.0) and later, we recommend configuring every setting available in `ApplicationInsightsServiceOptions`, including **InstrumentationKey** using the application's `IConfiguration` instance. The settings must be under the section "ApplicationInsights", as shown in the following example. The following section from appsettings.json configures the instrumentation key and disables adaptive sampling and performance counter collection.
```json {
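Review bot: In the added recommendation paragraph, the setting name is bolded as **InstrumentationKey** while every other setting name in this article is in code font (for example `EnableHeartbeat` in the table above). Suggest `InstrumentationKey`, followed by a comma so that "using the application's `IConfiguration` instance" attaches to "configuring" rather than to the key. The next two sentences both start from "the following" ("as shown in the following example. The following section from appsettings.json"); one of them can go.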
If `services.AddApplicationInsightsTelemetry(aiOptions)` is used, it overrides t
### Sampling
-The Application Insights SDK for ASP.NET Core supports both fixed-rate and adaptive sampling. Adaptive sampling is enabled by default.
+The Application Insights SDK for ASP.NET Core supports both fixed-rate and adaptive sampling. By default, adaptive sampling is enabled.
For more information, see [Configure adaptive sampling for ASP.NET Core applications](./sampling.md#configuring-adaptive-sampling-for-aspnet-core-applications). ### Adding TelemetryInitializers
-Use [telemetry initializers](./api-filtering-sampling.md#addmodify-properties-itelemetryinitializer) when you want to enrich telemetry with additional information.
+When you want to enrich telemetry with additional information, use [telemetry initializers](./api-filtering-sampling.md#addmodify-properties-itelemetryinitializer).
Add any new `TelemetryInitializer` to the `DependencyInjection` container as shown in the following code. The SDK automatically picks up any `TelemetryInitializer` that's added to the `DependencyInjection` container.
public void ConfigureServices(IServiceCollection services)
### Removing TelemetryInitializers
-Telemetry initializers are present by default. To remove all or specific telemetry initializers, use the following sample code *after* you call `AddApplicationInsightsTelemetry()`.
+By default, telemetry initializers are present. To remove all or specific telemetry initializers, use the following sample code *after* you call `AddApplicationInsightsTelemetry()`.
```csharp public void ConfigureServices(IServiceCollection services)
public void ConfigureServices(IServiceCollection services)
Application Insights uses telemetry modules to automatically collect useful telemetry about specific workloads without requiring manual tracking by user.
-The following automatic-collection modules are enabled by default. These modules are responsible for automatically collecting telemetry. You can disable or configure them to alter their default behavior.
+By default, the following automatic-collection modules are enabled. These modules are responsible for automatically collecting telemetry. You can disable or configure them to alter their default behavior.
-* `RequestTrackingTelemetryModule` - Collects RequestTelemetry from incoming web requests.
-* `DependencyTrackingTelemetryModule` - Collects [DependencyTelemetry](./asp-net-dependencies.md) from outgoing http calls and sql calls.
-* `PerformanceCollectorModule` - Collects Windows PerformanceCounters.
-* `QuickPulseTelemetryModule` - Collects telemetry for showing in Live Metrics portal.
-* `AppServicesHeartbeatTelemetryModule` - Collects heart beats (which are sent as custom metrics), about Azure App Service environment where application is hosted.
-* `AzureInstanceMetadataTelemetryModule` - Collects heart beats (which are sent as custom metrics), about Azure VM environment where application is hosted.
-* `EventCounterCollectionModule` - Collects [EventCounters.](eventcounters.md) This module is a new feature and is available in SDK Version 2.8.0 and higher.
+* `RequestTrackingTelemetryModule` - Collects RequestTelemetry from incoming web requests
+* `DependencyTrackingTelemetryModule` - Collects [DependencyTelemetry](./asp-net-dependencies.md) from outgoing http calls and sql calls
+* `PerformanceCollectorModule` - Collects Windows PerformanceCounters
+* `QuickPulseTelemetryModule` - Collects telemetry for showing in Live Metrics portal
+* `AppServicesHeartbeatTelemetryModule` - Collects heart beats (which are sent as custom metrics), about Azure App Service environment where application is hosted
+* `AzureInstanceMetadataTelemetryModule` - Collects heart beats (which are sent as custom metrics), about Azure VM environment where application is hosted
+* `EventCounterCollectionModule` - Collects [EventCounters](eventcounters.md); this module is a new feature and is available in SDK version 2.8.0 and later
To configure any default `TelemetryModule`, use the extension method `ConfigureTelemetryModule<T>` on `IServiceCollection`, as shown in the following example.
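Review bot: In the module list, the pass removes the trailing periods but leaves the wording issues in the same bullets: "outgoing http calls and sql calls" should be "HTTP" and "SQL", "heart beats" should be "heartbeats", and "about Azure App Service environment where application is hosted" is missing both articles. The last bullet now joins two clauses with a semicolon, which no other bullet does; suggest dropping "this module is a new feature and" and keeping "(available in SDK version 2.8.0 and later)".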
public void ConfigureServices(IServiceCollection services)
} ```
-Starting with 2.12.2 version, [`ApplicationInsightsServiceOptions`](#using-applicationinsightsserviceoptions) contains easy
-option to disable any of the default modules.
+In versions 2.12.2 and later, [`ApplicationInsightsServiceOptions`](#using-applicationinsightsserviceoptions) includes an easy option to disable any of the default modules.
### Configuring a telemetry channel
-The default [telemetry channel](./telemetry-channels.md) is `ServerTelemetryChannel`. You can override it as the following example shows.
+The default [telemetry channel](./telemetry-channels.md) is `ServerTelemetryChannel`. The following example shows how to override it.
```csharp using Microsoft.ApplicationInsights.Channel;
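Review bot: The added sentence "In versions 2.12.2 and later" does not say versions of what. The same commit spells the product out elsewhere ("Application Insights SDK for ASP.NET Core version 2.14"), so suggest the same form here. "an easy option to disable any of the default modules" is also vague; the settings table above lists the individual Enable flags, so "includes settings to disable each of the default modules" would match it.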
using Microsoft.ApplicationInsights.Channel;
### Disable telemetry dynamically
-If you want to disable telemetry conditionally and dynamically, you may resolve `TelemetryConfiguration` instance with ASP.NET Core dependency injection container anywhere in your code and set `DisableTelemetry` flag on it.
+If you want to disable telemetry conditionally and dynamically, you can resolve the `TelemetryConfiguration` instance with an ASP.NET Core dependency injection container anywhere in your code and set the `DisableTelemetry` flag on it.
```csharp public void ConfigureServices(IServiceCollection services)
If you want to disable telemetry conditionally and dynamically, you may resolve
} ```
-The above does not prevent any auto collection modules from collecting telemetry. Only the sending of telemetry to Application Insights gets disabled with the above approach. If a particular auto collection module is not desired, it is best to [remove the telemetry module](#configuring-or-removing-default-telemetrymodules)
+The preceding code sample prevents the sending of telemetry to Application Insights. It doesn't prevent any automatic collection modules from collecting telemetry. If you want to remove a particular auto collection module, see [remove the telemetry module](#configuring-or-removing-default-telemetrymodules).
## Frequently asked questions ### Does Application Insights support ASP.NET Core 3.X?
-Yes. Update to [Application Insights SDK for ASP.NET Core](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) version 2.8.0 or higher. Older versions of the SDK do not support ASP.NET Core 3.X.
+Yes. Update to [Application Insights SDK for ASP.NET Core](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) version 2.8.0 or later. Earlier versions of the SDK don't support ASP.NET Core 3.X.
-Also, if you are using Visual Studio based instructions from [here](#enable-application-insights-server-side-telemetry-visual-studio), update to the latest version of Visual Studio 2019 (16.3.0) to onboard. Previous versions of Visual Studio do not support automatic onboarding for ASP.NET Core 3.X apps.
+Also, if you're [enabling server-side telemetry based on Visual Studio](#enable-application-insights-server-side-telemetry-visual-studio), update to the latest version of Visual Studio 2019 (16.3.0) to onboard. Earlier versions of Visual Studio don't support automatic onboarding for ASP.NET Core 3.X apps.
### How can I track telemetry that's not automatically collected?
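Review bot: In the ASP.NET Core 3.X answer, the added line keeps "update to the latest version of Visual Studio 2019 (16.3.0)", which names a fixed version as "the latest". Suggest "update to Visual Studio 2019 version 16.3.0 or later", matching the "2.8.0 or later" wording in the line above. In the reworded `DisableTelemetry` paragraph, the link text "[remove the telemetry module]" is a verb phrase dropped into "see ..."; suggest "see [Configuring or removing default TelemetryModules]". The paragraph also switches between "automatic collection modules" and "auto collection module"; pick one.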
For more information about custom data reporting in Application Insights, see [A
### How do I customize ILogger logs collection?
-By default, only logs of severity `Warning` and above are automatically captured. To change this behavior, explicitly override the logging configuration for the provider `ApplicationInsights` as shown below.
-The following configuration allows ApplicationInsights to capture all logs of severity `Information` and above.
+By default, only `Warning` logs and more severe logs are automatically captured. To change this behavior, explicitly override the logging configuration for the provider `ApplicationInsights` as shown below.
+The following configuration allows ApplicationInsights to capture all `Information` logs and more severe logs.
```json {
The following configuration allows ApplicationInsights to capture all logs of se
} ```
-It is important to note that the following will not cause ApplicationInsights provider to capture `Information` logs. This is because SDK adds a default logging filter, instructing `ApplicationInsights` to capture only `Warning` and above. Because of this, an explicit override is required for ApplicationInsights.
+It's important to note that the following doesn't cause the ApplicationInsights provider to capture `Information` logs. It doesn't capture it because the SDK adds a default logging filter that instructs `ApplicationInsights` to capture only `Warning` logs and more severe logs. ApplicationInsights requires an explicit override.
```json {
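Review bot: In the added paragraph, "It doesn't capture it because the SDK adds a default logging filter" uses "it" twice with different referents, and the second "it" stands for the plural "`Information` logs". Suggest merging the two sentences: "The following configuration doesn't cause the ApplicationInsights provider to capture `Information` logs, because the SDK adds a default logging filter that limits `ApplicationInsights` to `Warning` and higher." "It's important to note that" can be dropped.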
It is important to note that the following will not cause ApplicationInsights pr
} ```
-Read more about [ILogger configuration](ilogger.md#control-logging-level).
+For more information, see [ILogger configuration](ilogger.md#control-logging-level).
### Some Visual Studio templates used the UseApplicationInsights() extension method on IWebHostBuilder to enable Application Insights. Is this usage still valid?
-While the extension method `UseApplicationInsights()` is still supported, it is marked obsolete in Application Insights SDK version 2.8.0 onwards. It will be removed in the next major version of the SDK. The recommended way to enable Application Insights telemetry is by using `AddApplicationInsightsTelemetry()` because it provides overloads to control some configuration. Also, in ASP.NET Core 3.X apps, `services.AddApplicationInsightsTelemetry()` is the only way to enable application insights.
+The extension method `UseApplicationInsights()` is still supported, but it's marked as obsolete in Application Insights SDK version 2.8.0 and later. It will be removed in the next major version of the SDK. To enable Application Insights telemetry, we recommend using `AddApplicationInsightsTelemetry()` because it provides overloads to control some configuration. Also, in ASP.NET Core 3.X apps, `services.AddApplicationInsightsTelemetry()` is the only way to enable Application Insights.
### I'm deploying my ASP.NET Core application to Web Apps. Should I still enable the Application Insights extension from Web Apps?
If the SDK is installed at build time as shown in this article, you don't need t
### Can I enable Application Insights monitoring by using tools like Status Monitor?
-No. [Status Monitor](./monitor-performance-live-website-now.md) and [Status Monitor v2](./status-monitor-v2-overview.md) currently support ASP.NET 4.x only.
+No. [Status Monitor](./monitor-performance-live-website-now.md) and [Status Monitor v2](./status-monitor-v2-overview.md) currently support only ASP.NET 4.x.
### If I run my application in Linux, are all features supported? Yes. Feature support for the SDK is the same in all platforms, with the following exceptions: * The SDK collects [Event Counters](./eventcounters.md) on Linux because [Performance Counters](./performance-counters.md) are only supported in Windows. Most metrics are the same.
-* Even though `ServerTelemetryChannel` is enabled by default, if the application is running in Linux or macOS, the channel doesn't automatically create a local storage folder to keep telemetry temporarily if there are network issues. Because of this limitation, telemetry is lost when there are temporary network or server issues. To work around this issue, configure a local folder for the channel:
+* Although `ServerTelemetryChannel` is enabled by default, if the application is running in Linux or macOS, the channel doesn't automatically create a local storage folder to keep telemetry temporarily if there are network issues. Because of this limitation, telemetry is lost when there are temporary network or server issues. To work around this issue, configure a local folder for the channel:
```csharp using Microsoft.ApplicationInsights.Channel;
using Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel;
} ```
-This limitation is not applicable from [2.15.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore/2.15.0) and newer versions.
+This limitation is not applicable from version [2.15.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore/2.15.0) and later.
### Is this SDK supported for the new .NET Core 3.X Worker Service template applications?
-This SDK requires `HttpContext`, and hence does not work in any non-HTTP applications, including the .NET Core 3.X Worker Service applications. Refer to [this](worker-service.md) document for enabling application insights in such applications, using the newly released Microsoft.ApplicationInsights.WorkerService SDK.
+This SDK requires `HttpContext`; therefore, it doesn't work in any non-HTTP applications, including the .NET Core 3.X Worker Service applications. To enable Application Insights in such applications using the newly released Microsoft.ApplicationInsights.WorkerService SDK, see [Application Insights for Worker Service applications (non-HTTP applications)](worker-service.md).
## Open-source SDK * [Read and contribute to the code](https://github.com/microsoft/ApplicationInsights-dotnet).
-For the latest updates and bug fixes [consult the release notes](./release-notes.md).
+For the latest updates and bug fixes, see the [release notes](./release-notes.md).
## Next steps
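Review bot: The added line "This limitation is not applicable from version 2.15.0 and later" mixes "from" with "and later". Suggest "This limitation doesn't apply in version 2.15.0 and later." In the Worker Service answer, "the newly released Microsoft.ApplicationInsights.WorkerService SDK" will date quickly; drop "newly released". The semicolon construction "requires `HttpContext`; therefore, it doesn't work" is heavier than "requires `HttpContext`, so it doesn't work".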
azure-resource-manager Template Tutorial Quickstart Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-tutorial-quickstart-template.md
This template works for deploying storage accounts and app service plans, but yo
1. Open [Azure Quickstart templates](https://azure.microsoft.com/resources/templates/) 1. In **Search**, enter _deploy linux web app_.
-1. Select the tile with the title **Deploy a basic Linux web app**. If you have trouble finding it, here's the [direct link](https://azure.microsoft.com/resources/templates/101-webapp-basic-linux/).
+1. Select the tile with the title **Deploy a basic Linux web app**. If you have trouble finding it, here's the [direct link](https://azure.microsoft.com/en-us/resources/templates/webapp-basic-linux/).
1. Select **Browse on GitHub**. 1. Select _azuredeploy.json_. 1. Review the template. In particular, look for the `Microsoft.Web/sites` resource.
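Review bot: The replacement direct link hard-codes a locale segment (`/en-us/`), which the removed link did not have and which the Azure Quickstart templates link two steps earlier also omits. With the locale in the URL, readers in other languages are pinned to the English page. Suggest `https://azure.microsoft.com/resources/templates/webapp-basic-linux/`.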
azure-sql Automatic Tuning Email Notifications Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/automatic-tuning-email-notifications-configure.md
ms.devlang: ---+++ Last updated 06/03/2019 # Email notifications for automatic tuning
azure-sql Automatic Tuning Enable https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/automatic-tuning-enable.md
ms.devlang: ---+++ Last updated 03/03/2021 # Enable automatic tuning in the Azure portal to monitor queries and improve workload performance
azure-sql Automatic Tuning Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/automatic-tuning-overview.md
ms.devlang: ---+++ Last updated 03/23/2021 # Automatic tuning in Azure SQL Database and Azure SQL Managed Instance
azure-sql Azure Defender For Sql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/azure-defender-for-sql.md
Previously updated : 03/08/2021 Last updated : 06/07/2021 # Azure Defender for SQL [!INCLUDE[appliesto-sqldb-sqlmi-asa](../includes/appliesto-sqldb-sqlmi-asa.md)]
-Azure Defender for SQL is a unified package for advanced SQL security capabilities. Azure Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.
+Azure Defender for SQL is a unified package for advanced SQL security capabilities. Azure Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.
## What are the benefits of Azure Defender for SQL?
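Review bot: the rewritten intro paragraph drops "discovering and classifying sensitive data" from the capability list but says nothing about where that capability now sits. A reader who enabled the package for data classification cannot tell from this paragraph whether the feature was removed, moved, or is simply no longer described here. Add one sentence pointing to the article that now covers it, and check that the "What are the benefits" section that follows is consistent with the shortened list.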
To view and manage Azure Defender settings:
- Learn more about [Vulnerability Assessment](sql-vulnerability-assessment.md) - Learn more about [Advanced Threat Protection](threat-detection-configure.md)-- Learn more about [Azure Security Center](../../security-center/security-center-introduction.md)
+- Learn more about [Azure Security Center](../../security-center/security-center-introduction.md)
azure-sql Database Advisor Find Recommendations Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/database-advisor-find-recommendations-portal.md
ms.devlang: ---+++ Last updated 12/19/2018 # Find and apply performance recommendations
azure-sql Database Advisor Implement Performance Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/database-advisor-implement-performance-recommendations.md
ms.devlang: ---+++ Last updated 03/10/2020 # Database Advisor performance recommendations for Azure SQL Database
azure-sql File Space Manage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/file-space-manage.md
Title: Azure SQL Database file space management
description: This page describes how to manage file space with single and pooled databases in Azure SQL Database, and provides code samples for how to determine if you need to shrink a single or a pooled database as well as how to perform a database shrink operation. -+ ms.devlang:
azure-sql Intelligent Insights Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/intelligent-insights-overview.md
ms.devlang: ---+++ Last updated 06/12/2020 # Intelligent Insights using AI to monitor and troubleshoot database performance (preview)
azure-sql Intelligent Insights Troubleshoot Performance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/intelligent-insights-troubleshoot-performance.md
ms.devlang: ---+++ Last updated 1/14/2021 # Troubleshoot Azure SQL Database and Azure SQL Managed Instance performance issues with Intelligent Insights
azure-sql Intelligent Insights Use Diagnostics Log https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/intelligent-insights-use-diagnostics-log.md
ms.devlang: ---+++ Last updated 06/12/2020
The last part of the Intelligent Insights performance log pertains to the automa
"rootCauseAnalysis_s" : "High data IO caused performance to degrade. It seems that this database is missing some indexes that could help." ```
-You can use the Intelligent Insights performance log with [Azure Monitor logs]( https://docs.microsoft.com/azure/log-analytics/log-analytics-azure-sql) or a third-party solution for custom DevOps alerting and reporting capabilities.
+You can use the Intelligent Insights performance log with [Azure Monitor logs](/azure/log-analytics/log-analytics-azure-sql) or a third-party solution for custom DevOps alerting and reporting capabilities.
## Next steps
azure-sql Json Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/json-features.md
ms.devlang: ---+++ Last updated 04/19/2020 # Getting started with JSON features in Azure SQL Database and Azure SQL Managed Instance
azure-sql Ledger Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-overview.md
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in **public preview**.
+> Azure SQL Database ledger is currently in public preview, and available in West Central US.
Establishing trust around the integrity of data stored in database systems has been a long-standing problem for all organizations that manage financial, medical, or other sensitive data. The ledger feature of [Azure SQL Database](sql-database-paas-overview.md) provides tamper-evidence capabilities in your database, enabling the ability to cryptographically attest to other parties, such as auditors or other business parties, that your data hasn't been tampered with.
azure-sql Metrics Diagnostic Telemetry Logging Streaming Export Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure.md
ms.devlang: sqldbrb=2 ---+++ Last updated 04/06/2020
azure-sql Query Performance Insight Use https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/query-performance-insight-use.md
ms.devlang: ---+++ Last updated 1/14/2021 # Query Performance Insight for Azure SQL Database
azure-sql Serverless Tier Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/serverless-tier-overview.md
Title: Serverless compute tier
description: This article describes the new serverless compute tier and compares it with the existing provisioned compute tier for Azure SQL Database. -+ ms.devlang:
azure-sql Threat Detection Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/threat-detection-overview.md
description: Advanced Threat Protection detects anomalous database activities in
--++ Previously updated : 12/01/2020 Last updated : 06/07/2021 tags: azure-synapse
-# Advanced Threat Protection for Azure SQL Database, SQL Managed Instance, and Azure Synapse Analytics
+# SQL Advanced Threat Protection
-Advanced Threat Protection for [Azure SQL Database](sql-database-paas-overview.md), [Azure SQL Managed Instance](../managed-instance/sql-managed-instance-paas-overview.md) and [Azure Synapse Analytics](../../synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is.md) detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.
+Advanced Threat Protection for [Azure SQL Database](sql-database-paas-overview.md), [Azure SQL Managed Instance](../managed-instance/sql-managed-instance-paas-overview.md), [Azure Synapse Analytics](../../synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is.md), [SQL Server on Azure Virtual Machines](https://docs.microsoft.com/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview.md) and [Azure Arc enabled SQL Server](https://docs.microsoft.com/sql/sql-server/azure-arc/overview.ms) detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.
-Advanced Threat Protection is part of the [Azure Defender for SQL](azure-defender-for-sql.md) offering, which is a unified package for advanced SQL security capabilities. Advanced Threat Protection can be accessed and managed via the central Azure Defender for SQL portal.
+Advanced Threat Protection is part of the [Azure Defender for SQL](https://docs.microsoft.com/azure/security-center/defender-for-sql-introduction.md) offering, which is a unified package for advanced SQL security capabilities. Advanced Threat Protection can be accessed and managed via the central Azure Defender for SQL portal.
## Overview
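Review bot: the links added in the intro paragraphs are absolute `https://docs.microsoft.com/...` URLs that still carry a source-file suffix, and the Azure Arc one ends in `overview.ms`, which looks like a typo for `.md`. Published docs URLs have no `.md` extension, so all three new targets are likely to 404. Use repository-relative paths as the neighbouring links do (`../virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview.md`, `../../security-center/defender-for-sql-introduction.md`) and a site-relative path for the cross-repo one (`/sql/sql-server/azure-arc/overview`). The Intelligent Insights hunk in this same update makes exactly that conversion from an absolute docs URL to `/azure/...`. Separately, the shortened H1 no longer names any product while the intro now covers five; confirm that the title and description metadata still let a reader searching for SQL Managed Instance or Synapse find this page.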
Click **Advanced Threat Protection alert** to launch the Azure Security Center a
- Learn more about [Azure Defender for SQL](azure-defender-for-sql.md). - Learn more about [Azure SQL Database auditing](../../azure-sql/database/auditing-overview.md) - Learn more about [Azure security center](../../security-center/security-center-introduction.md)-- For more information on pricing, see the [Azure SQL Database pricing page](https://azure.microsoft.com/pricing/details/sql-database/)
+- For more information on pricing, see the [Azure SQL Database pricing page](https://azure.microsoft.com/pricing/details/sql-database/)
azure-sql Identify Query Performance Issues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/identify-query-performance-issues.md
ms.devlang: ---+++ Last updated 1/14/2021
azure-sql In Memory Sample https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/in-memory-sample.md
ms.devlang: --++ Last updated 12/18/2018
azure-sql Alerts Create https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/alerts-create.md
ms.devlang: ---+++ Last updated 05/04/2020 # Create alerts for Azure SQL Managed Instance using the Azure portal
azure-sql Frequently Asked Questions Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/frequently-asked-questions-faq.md
ms.devlang: --++ Last updated 09/21/2020
azure-sql Instance Create Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/instance-create-quickstart.md
ms.devlang: --++ Last updated 1/29/2021
azure-sql Long Term Backup Retention Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/long-term-backup-retention-configure.md
Title: "Azure SQL Managed Instance: Long-term backup retention"
description: "Learn how to store and restore automated backups on separate Azure Blob storage containers for an Azure SQL Managed Instance using PowerShell." -+ ms.devlang:
azure-sql Virtual Cluster Delete https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/virtual-cluster-delete.md
ms.devlang: --++ Last updated 06/26/2019
azure-sql Sql Server To Sql Database Assessment Rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/sql-server-to-sql-database-assessment-rules.md
ms.devlang: ---+++ Last updated 12/15/2020 # Assessment rules for SQL Server to Azure SQL Database migration
azure-sql Sql Server To Sql Managed Instance Assessment Rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/managed-instance/sql-server-to-sql-managed-instance-assessment-rules.md
ms.devlang: ---+++ Last updated 12/15/2020 # Assessment rules for SQL Server to Azure SQL Managed Instance migration
azure-sql Availability Group Az Commandline Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-az-commandline-configure.md
Update-AzSqlVM -ResourceId $sqlvm2.ResourceId -SqlVM $sqlvmconfig2
+## Configure quorum
+
+Although the disk witness is the most resilient quorum option, it requires an Azure shared disk which imposes some limitations to the availability group. As such, the cloud witness is the recommended quorum solution for clusters hosting availability groups for SQL Server on Azure VMs.
+
+If you have an even number of votes in the cluster, configure the [quorum solution](hadr-cluster-quorum-configure-how-to.md) that best suits your business needs. For more information, see [Quorum with SQL Server VMs](hadr-windows-server-failover-cluster-overview.md#quorum).
+ ## Validate cluster
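Review bot: the second paragraph of the new "Configure quorum" section only addresses "an even number of votes", so a reader with an odd vote count is left to infer whether a witness is needed; say so explicitly. In the first paragraph, "imposes some limitations to the availability group" does not name the limitations or link to where they are listed, which makes the cloud witness recommendation hard to evaluate. Suggest "limitations on the availability group" with a link, and a comma before "which".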
Remove-AzSqlVMGroup -ResourceGroupName "<resource group name>" -Name "<cluster n
## Next steps
-For more information, see the following articles:
-
-* [Overview of SQL Server VMs](sql-server-on-azure-vm-iaas-what-is-overview.md)
-* [FAQ for SQL Server VMs](frequently-asked-questions-faq.md)
-* [Release notes for SQL Server VMs](../../database/doc-changes-updates-release-notes.md)
-* [Switching licensing models for a SQL Server VM](licensing-model-azure-hybrid-benefit-ahb-change.md)
-* [Overview of Always On availability groups &#40;SQL Server&#41;](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
-* [Configuration of a server instance for Always On availability groups &#40;SQL Server&#41;](/sql/database-engine/availability-groups/windows/configuration-of-a-server-instance-for-always-on-availability-groups-sql-server)
-* [Administration of an availability group &#40;SQL Server&#41;](/sql/database-engine/availability-groups/windows/administration-of-an-availability-group-sql-server)
-* [Monitoring of availability groups &#40;SQL Server&#41;](/sql/database-engine/availability-groups/windows/monitoring-of-availability-groups-sql-server)
-* [Overview of Transact-SQL statements for Always On availability groups &#40;SQL Server&#41;](/sql/database-engine/availability-groups/windows/transact-sql-statements-for-always-on-availability-groups)
-* [Overview of PowerShell cmdlets for Always On availability groups &#40;SQL Server&#41;](/sql/database-engine/availability-groups/windows/overview-of-powershell-cmdlets-for-always-on-availability-groups-sql-server)
+Once the availability group is deployed, consider optimizing the [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md).
++
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups with SQL Server on Azure VMs](availability-group-overview.md)
+- [Always On availability groups overview](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
azure-sql Availability Group Azure Portal Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-azure-portal-configure.md
To add more SQL Server VMs to the cluster, follow these steps:
You can check the status of your deployment in the **Activity log** which is accessible from the bell icon in the top navigation bar.
+## Configure quorum
+
+Although the disk witness is the most resilient quorum option, it requires an Azure shared disk which imposes some limitations to the availability group. As such, the cloud witness is the recommended quorum solution for clusters hosting availability groups for SQL Server on Azure VMs.
+
+If you have an even number of votes in the cluster, configure the [quorum solution](hadr-cluster-quorum-configure-how-to.md) that best suits your business needs. For more information, see [Quorum with SQL Server VMs](hadr-windows-server-failover-cluster-overview.md#quorum).
+ ## Modify availability group
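Review bot: this "Configure quorum" section is a verbatim copy of the one added to availability-group-az-commandline-configure.md in the same update. Two copies will drift the next time the witness recommendation changes. Since these articles already pull shared text through `[!INCLUDE[...]]` files, move the two paragraphs into an include and reference it from both articles.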
This is an indication that the resource provider could not access the SQL Server
## Next steps
+Once the availability group is deployed, consider optimizing the [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md).
-For more information about availability groups, see:
--- [Overview of availability groups](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
-* [Administration of an availability group](/sql/database-engine/availability-groups/windows/administration-of-an-availability-group-sql-server)
-* [Monitoring of availability groups &#40;SQL Server&#41;](/sql/database-engine/availability-groups/windows/monitoring-of-availability-groups-sql-server)
-* [Availability group Transact-SQL statements ](/sql/database-engine/availability-groups/windows/transact-sql-statements-for-always-on-availability-groups)
-* [Availability groups PowerShell commands](/sql/database-engine/availability-groups/windows/overview-of-powershell-cmdlets-for-always-on-availability-groups-sql-server)
-For more information about SQL Server VMs, see:
+To learn more, see:
-* [Overview of SQL Server VMs](sql-server-on-azure-vm-iaas-what-is-overview.md)
-* [Release notes for SQL Server VMs](../../database/doc-changes-updates-release-notes.md)
-* [FAQ for SQL Server VMs](frequently-asked-questions-faq.md)
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups with SQL Server on Azure VMs](availability-group-overview.md)
+- [Always On availability groups overview](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
azure-sql Availability Group Clusterless Workgroup Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-clusterless-workgroup-configure.md
In this final step, configure the load balancer using either the [Azure portal](
## Next steps
-You can also use [Az SQL VM CLI](./availability-group-az-commandline-configure.md) to configure an availability group.
+Once the availability group is deployed, consider optimizing the [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md).
++
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups with SQL Server on Azure VMs](availability-group-overview.md)
+- [Always On availability groups overview](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
azure-sql Availability Group Distributed Network Name Dnn Listener Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-distributed-network-name-dnn-listener-configure.md
Before you complete the steps in this article, you should already have:
- Configured your [Always On availability group](availability-group-overview.md). - Installed the latest version of [PowerShell](/powershell/azure/install-az-ps). - Identified the unique port that you will use for the DNN listener. The port used for a DNN listener must be unique across all replicas of the availability group or failover cluster instance. No other connection can share the same port.
+- The client connecting to the DNN listener must support the `MultiSubnetFailover=True` parameter in the connection string.
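Review bot: the new prerequisite bullet does not parallel the list it joins. The lead-in is "you should already have:" and the existing items start with past participles (Configured, Installed, Identified), so this item reads as "you should already have: The client connecting to the DNN listener must support ...". Reword it to match, for example "Verified that the client connecting to the DNN listener supports the `MultiSubnetFailover=True` parameter in the connection string", and say what happens to clients that do not support it.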
DNN listeners are designed to listen on all IP addresses, but on a specific, uni
## Next steps
-To learn more about SQL Server HADR features in Azure, see [Availability groups](availability-group-overview.md) and [Failover cluster instance](failover-cluster-instance-overview.md). You can also learn [best practices](hadr-cluster-best-practices.md) for configuring your environment for high availability and disaster recovery.
+Once the availability group is deployed, consider optimizing the [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md).
++
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups with SQL Server on Azure VMs](availability-group-overview.md)
+- [Always On availability groups overview](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
+
azure-sql Availability Group Dnn Interoperability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-dnn-interoperability.md
There are certain SQL Server features that rely on a hard-coded virtual network
This article details SQL Server features and interoperability with the availability group DNN listener.
+## Behavior differences
+
+There are some behavior differences between the functionality of the VNN listener and DNN listener that are important to note:
+
+- **Failover time**: Failover time is faster when using a DNN listener since there is no need to wait for the network load balancer to detect the failure event and change its routing.
+- **Existing connections**: Connections made to a *specific database* within a failing-over availability group will close, but other connections to the primary replica will remain open since the DNN stays online during the failover process. This is different than a traditional VNN environment where all connections to the primary replica typically close when the availability group fails over, the listener goes offline, and the primary replica transitions to the secondary role. When using a DNN listener, you may need to adjust application connection strings to ensure that connections are redirected to the new primary replica upon failover.
+- **Open transactions**: Open transactions against a database in a failing-over availability group will close and roll back, and you need to *manually* reconnect. For example, in SQL Server Management Studio, close the query window and open a new one.
## Client drivers
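Review bot: the "Existing connections" bullet ends with "you may need to adjust application connection strings" without saying which setting to adjust; name it or link to the Client drivers section that follows, since this is the step an operator has to act on. The "Open transactions" bullet tells the reader to reconnect manually but gives only the SQL Server Management Studio case, so state what an application, as opposed to an interactive session, is expected to do after the rollback. Minor: "different than" should be "different from", and the last bullet needs a blank line before the `## Client drivers` heading.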
Configure the linked server using the AG DNN listener name and port. If the port
## Next steps
-For more information, see:
+To learn more, see:
-- [Windows cluster technologies](/windows-server/failover-clustering/failover-clustering-overview) -- [Always on availability group](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
+- [Always On availability groups with SQL Server on Azure VMs](availability-group-overview.md)
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups overview](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
azure-sql Availability Group Listener Powershell Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-listener-powershell-configure.md
Note the following guidelines on availability group listener in Azure using inte
* Create a service endpoint when using a standard load balancer with Azure Storage for the cloud witness. For more information, see [Grant access from a virtual network](../../../storage/common/storage-network-security.md?toc=%2fazure%2fvirtual-network%2ftoc.json#grant-access-from-a-virtual-network).
-## For more information
-
-For more information, see [Configure Always On availability group in Azure VM manually](availability-group-manually-configure-tutorial.md).
- ## PowerShell cmdlets Use the following PowerShell cmdlets to create an internal load balancer for Azure Virtual Machines.
Use the following PowerShell cmdlets to create an internal load balancer for Azu
* [New-AzLoadBalancerBackendAddressPoolConfig](/powershell/module/Azurerm.Network/New-AzureRmLoadBalancerBackendAddressPoolConfig) creates a backend address pool configuration for a load balancer. * [New-AzLoadBalancerProbeConfig](/powershell/module/Azurerm.Network/New-AzureRmLoadBalancerProbeConfig) creates a probe configuration for a load balancer. * [Remove-AzLoadBalancer](/powershell/module/Azurerm.Network/Remove-AzureRmLoadBalancer) removes a load balancer from an Azure resource group.+
+## Next steps
++
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups with SQL Server on Azure VMs](availability-group-overview.md)
+- [Always On availability groups overview](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
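Review bot: the preceding hunk in this file deletes the "For more information" section, which was the only visible link to availability-group-manually-configure-tutorial.md, and the new "Next steps" list added here does not carry that link forward. If the manual tutorial is still the parent procedure for this listener article, add it as the first item under "To learn more, see:" so that readers who land here directly can find it.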
azure-sql Availability Group Load Balancer Portal Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-load-balancer-portal-configure.md
If you have an Azure Network Security Group to restrict access, make sure that t
## Next steps -- [Configure a SQL Server Always On availability group on Azure virtual machines in different regions](availability-group-manually-configure-multiple-regions.md)
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups with SQL Server on Azure VMs](availability-group-overview.md)
+- [Always On availability groups overview](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
azure-sql Availability Group Manually Configure Multiple Regions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-manually-configure-multiple-regions.md
For more information, see the following topics:
## Next steps
-* [Always On Availability Groups](/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server)
-* [Azure Virtual Machines](../../../virtual-machines/index.yml)
-* [Azure Load Balancers](availability-group-manually-configure-tutorial.md#configure-internal-load-balancer)
-* [Azure Availability Sets](../../../virtual-machines/availability.md)
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups with SQL Server on Azure VMs](availability-group-overview.md)
+- [Always On availability groups overview](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
azure-sql Availability Group Manually Configure Prerequisites Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-manually-configure-prerequisites-tutorial.md
Before you proceed consider the following design decisions.
* **Storage - Azure Managed Disks**
- For the virtual machine storage, use Azure Managed Disks. Microsoft recommends Managed Disks for SQL Server virtual machines. Managed Disks handles storage behind the scenes. In addition, when virtual machines with Managed Disks are in the same availability set, Azure distributes the storage resources to provide appropriate redundancy. For additional information, see [Azure Managed Disks Overview](../../../virtual-machines/managed-disks-overview.md). For specifics about managed disks in an availability set, see [Use Managed Disks for VMs in an availability set](../../../virtual-machines/availability.md).
+ For the virtual machine storage, use Azure Managed Disks. Microsoft recommends Managed Disks for SQL Server virtual machines. Managed Disks handles storage behind the scenes. In addition, when virtual machines with Managed Disks are in the same availability set, Azure distributes the storage resources to provide appropriate redundancy. For more information, see [Azure Managed Disks Overview](../../../virtual-machines/managed-disks-overview.md). For specifics about managed disks in an availability set, see [Use Managed Disks for VMs in an availability set](../../../virtual-machines/availability.md).
* **Network - Private IP addresses in production**
Repeat these steps on the second SQL Server VM.
## Next steps
-* [Create a SQL Server Always On availability group on Azure Virtual Machines](availability-group-manually-configure-tutorial.md)
+Now that you've configured the prerequisites, get started with [configuring your availability group](availability-group-manually-configure-tutorial.md)
+
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups with SQL Server on Azure VMs](availability-group-overview.md)
+- [Always On availability groups overview](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
azure-sql Availability Group Manually Configure Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-manually-configure-tutorial.md
The SQLCMD connection automatically connects to whichever instance of SQL Server
## Next steps -- [Add an IP address to a load balancer for a second availability group](availability-group-listener-powershell-configure.md#Add-IP).
+- [Add an IP address to a load balancer for a second availability group](availability-group-listener-powershell-configure.md#Add-IP).
+
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups with SQL Server on Azure VMs](availability-group-overview.md)
+- [Always On availability groups overview](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
azure-sql Availability Group Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-overview.md
# Always On availability group on SQL Server on Azure VMs [!INCLUDE[appliesto-sqlvm](../../includes/appliesto-sqlvm.md)]
-This article introduces Always On availability groups for SQL Server on Azure Virtual Machines (VMs).
+This article introduces Always On availability groups (AG) for SQL Server on Azure Virtual Machines (VMs).
## Overview
-Always On availability groups on Azure Virtual Machines are similar to [Always On availability groups on-premises](/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server). However, since the virtual machines are hosted in Azure, there are a few additional considerations as well, such as VM redundancy, and routing traffic on the Azure network.
+Always On availability groups on Azure Virtual Machines are similar to [Always On availability groups on-premises](/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server), and rely on the underlying [Windows Server Failover Cluster](hadr-windows-server-failover-cluster-overview.md). However, since the virtual machines are hosted in Azure, there are a few additional considerations as well, such as VM redundancy, and routing traffic on the Azure network.
The following diagram illustrates an availability group for SQL Server on Azure VMs:
The following diagram illustrates an availability group for SQL Server on Azure
To increase redundancy and high availability, SQL Server VMs should either be in the same [availability set](../../../virtual-machines/availability-set-overview.md), or different [availability zones](../../../availability-zones/az-overview.md).
-Placing a set of VMs in the same availability set protects from outages within a datacenter caused by equipment failure (VMs within an Availability Set do not share resources) or from updates (VMs within an Availability Set are not updated at the same time).
-Availability Zones protect against the failure of an entire datacenter, with each Zone representing a set of datacenters within a region. By ensuring resources are placed in different Availability Zones, no datacenter-level outage can take all of your VMs offline.
+Placing a set of VMs in the same availability set protects from outages within a data center caused by equipment failure (VMs within an Availability Set do not share resources) or from updates (VMs within an availability set are not updated at the same time).
-When creating Azure VMs, you must choose between configuring Availability Sets vs Availability Zones. An Azure Vm cannot participate in both.
+Availability Zones protect against the failure of an entire data center, with each Zone representing a set of data centers within a region. By ensuring resources are placed in different Availability Zones, no data center-level outage can take all of your VMs offline.
+When creating Azure VMs, you must choose between configuring Availability Sets vs Availability Zones. An Azure VM cannot participate in both.
-## Connectivity
+While Availability Zones may provide better availability than Availability Sets (99.99% vs 99.95%), performance should also be a consideration. VMs within an Availability Set can be placed in a [proximity placement group](../../../virtual-machines/co-location.md) which guarantees that they are close to each other, minimizing network latency between them. VMs located in different Availability Zones will have greater network latency between them, which can increase the time it takes to synchronize data between the primary and secondary replica(s). This may cause delays on the primary replica as well as increase the chance of data loss in the event of an unplanned failover. It is important to test the proposed solution under load and ensure that it meets SLAs for both performance and availability.
-In a traditional on-premises deployment, clients connect to the availability group listener using the virtual network name (VNN), and the listener routes traffic to the appropriate SQL Server replica in the availability group. However, there is an extra requirement to route traffic on the Azure network.
+## Connectivity
-With SQL Server on Azure VMs, configure a [load balancer](availability-group-vnn-azure-load-balancer-configure.md) to route traffic to your availability group listener, or, if you're on SQL Server 2019 CU8 and later, you can configure a [distributed network name (DNN) listener](availability-group-distributed-network-name-dnn-listener-configure.md) to replace the traditional VNN availability group listener.
+You can configure a virtual network name, or a distributed network name for an availability group. [Review the differences between the two](hadr-windows-server-failover-cluster-overview.md) and then deploy either a [distributed network name (DNN)](availability-group-distributed-network-name-dnn-listener-configure.md) or a [virtual network name (VNN)](availability-group-vnn-azure-load-balancer-configure.md) for your availability group.
-For more details about cluster connectivity options, see [Route HADR connections to SQL Server on Azure VMs](hadr-cluster-best-practices.md#connectivity).
+Most SQL Server features work transparently with availability groups when using the DNN, but there are certain features that may require special consideration. See [AG and DNN interoperability](availability-group-dnn-interoperability.md) to learn more.
-### VNN listener
+Additionally, there are some behavior differences between the functionality of the VNN listener and DNN listener that are important to note:
-Use an [Azure Load Balancer](../../../load-balancer/load-balancer-overview.md) to route traffic from the client to the traditional availability group virtual network name (VNN) listener on the Azure network.
+- **Failover time**: Failover time is faster when using a DNN listener since there is no need to wait for the network load balancer to detect the failure event and change its routing.
+- **Existing connections**: Connections made to a *specific database* within a failing-over availability group will close, but other connections to the primary replica will remain open since the DNN stays online during the failover process. This is different than a traditional VNN environment where all connections to the primary replica typically close when the availability group fails over, the listener goes offline, and the primary replica transitions to the secondary role. When using a DNN listener, you may need to adjust application connection strings to ensure that connections are redirected to the new primary replica upon failover.
+- **Open transactions**: Open transactions against a database in a failing-over availability group will close and roll back, and you need to *manually* reconnect. For example, in SQL Server Management Studio, close the query window and open a new one.
-The load balancer holds the IP addresses for the VNN listener. If you have more than one availability group, each group requires a VNN listener. One load balancer can support multiple listeners.
+Setting up a VNN listener in Azure requires a load balancer. There are two main options for load balancers in Azure: external (public) or internal. The external (public) load balancer is internet-facing and is associated with a public virtual IP that's accessible over the internet. An internal load balancer supports only clients within the same virtual network. For either load balancer type, you must enable [Direct Server Return](../../../load-balancer/load-balancer-multivip-overview.md#rule-type-2-backend-port-reuse-by-using-floating-ip).
-To get started, see [configure a load balancer](availability-group-vnn-azure-load-balancer-configure.md).
+You can still connect to each availability replica separately by connecting directly to the service instance. Also, because availability groups are backward compatible with database mirroring clients, you can connect to the availability replicas like database mirroring partners as long as the replicas are configured similarly to database mirroring:
-### DNN listener
+* There's one primary replica and one secondary replica.
+* The secondary replica is configured as non-readable (**Readable Secondary** option set to **No**).
-SQL Server 2019 CU8 introduces support for the distributed network name (DNN) listener. The DNN listener replaces the traditional availability group listener, negating the need for an Azure Load Balancer to route traffic on the Azure network.
+Here's an example client connection string that corresponds to this database mirroring-like configuration using ADO.NET or SQL Server Native Client:
-The DNN listener is the recommended HADR connectivity solution in Azure as it simplifies deployment, reduces maintenance and cost, and reduces failover time in the event of a failure.
+```console
+Data Source=ReplicaServer1;Failover Partner=ReplicaServer2;Initial Catalog=AvailabilityDatabase;
+```
-Use the DNN listener to replace an existing VNN listener, or alternatively, use it in conjunction with an existing VNN listener so that your availability group has two distinct connection points - one using the VNN listener name (and port if non-default), and one using the DNN listener name and port. This could be useful for customers who want to avoid the load balancer failover latency but still take advantage of SQL Server features that depend on the VNN listener, such as distributed availability groups, service broker or filestream. To learn more, see [DNN listener and SQL Server feature interoperability](availability-group-dnn-interoperability.md)
+For more information on client connectivity, see:
-To get started, see [configure a DNN listener](availability-group-distributed-network-name-dnn-listener-configure.md).
+* [Using Connection String Keywords with SQL Server Native Client](/sql/relational-databases/native-client/applications/using-connection-string-keywords-with-sql-server-native-client)
+* [Connect Clients to a Database Mirroring Session (SQL Server)](/sql/database-engine/database-mirroring/connect-clients-to-a-database-mirroring-session-sql-server)
+* [Connecting to Availability Group Listener in Hybrid IT](/archive/blogs/sqlalwayson/connecting-to-availability-group-listener-in-hybrid-it)
+* [Availability Group Listeners, Client Connectivity, and Application Failover (SQL Server)](/sql/database-engine/availability-groups/windows/listeners-client-connectivity-application-failover)
+* [Using Database-Mirroring Connection Strings with Availability Groups](/sql/database-engine/availability-groups/windows/listeners-client-connectivity-application-failover)
+## Lease mechanism
-## Deployment
+For SQL Server, the AG resource DLL determines the health of the AG based on the AG lease mechanism and Always On health detection. The AG resource DLL exposes resource health through the *IsAlive* operation. The resource monitor polls IsAlive at the cluster heartbeat interval, which is set by the **CrossSubnetDelay** and **SameSubnetDelay** cluster-wide values. On a primary node, the cluster service initiates failover whenever the IsAlive call to the resource DLL returns that the AG is not healthy.
+
+The AG resource DLL monitors the status of internal SQL Server components. Sp_server_diagnostics reports the health of these components to SQL Server on an interval controlled by **HealthCheckTimeout**.
+
+Unlike other failover mechanisms, the SQL Server instance plays an active role in the lease mechanism. The lease mechanism is used as a *LooksAlive* validation between the Cluster resource host and the SQL Server process. The mechanism is used to ensure that the two sides (the Cluster Service and SQL Server service) are in frequent contact, checking each other's state and ultimately preventing a split-brain scenario.
+
+When configuring an AG in Azure VMs, there is often a need to configure these thresholds differently than they would be configured in an on-premises environment. To configure threshold settings according to best practices for Azure VMs, see the [cluster best practices](hadr-cluster-best-practices.md).
++
+## Network configuration
+
+On an Azure VM failover cluster, we recommend a single NIC per server (cluster node) and a single subnet. Azure networking has physical redundancy, which makes additional NICs and subnets unnecessary on an Azure VM failover cluster. Although the cluster validation report will issue a warning that the nodes are only reachable on a single network, this warning can be safely ignored on Azure VM failover clusters.
+
+## Basic availability group
+
+As basic availability group does not allow more than one secondary replica and there is no read access to the secondary replica, you can use the database mirroring connection strings for basic availability groups. Using the connection string eliminates the need to have listeners. Removing the listener dependency is helpful for availability groups on Azure VMs as it eliminates the need for a load balancer or having to add additional IPs to the load balancer when you have multiple listeners for additional databases.
+
+For example, to explicitly connect using TCP/IP to the AG database AdventureWorks on either Replica_A or Replica_B of a Basic AG (or any AG that that has only one secondary replica and the read access is not allowed in the secondary replica), a client application could supply the following database mirroring connection string to successfully connect to the AG
+
+`Server=Replica_A; Failover_Partner=Replica_B; Database=AdventureWorks; Network=dbmssocn`
++
+## Deployment options
There are multiple options for deploying an availability group to SQL Server on Azure VMs, some with more automation than others. The following table provides a comparison of the options available:
-| | Azure portal | Azure CLI / PowerShell | Quickstart Templates | Manual |
+| | [Azure portal](availability-group-azure-portal-configure.md), | [Azure CLI / PowerShell](./availability-group-az-commandline-configure.md) | [Quickstart Templates](availability-group-quickstart-template-configure.md) | [Manual](availability-group-manually-configure-prerequisites-tutorial.md) |
|||||| |**SQL Server version** |2016 + |2016 +|2016 +|2012 +| |**SQL Server edition** |Enterprise |Enterprise |Enterprise |Enterprise, Standard|
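Review bot: The added load balancer paragraph in the Connectivity section presents the external (public) and internal options as equivalent, although the public one puts the listener behind "a public virtual IP that's accessible over the internet". Say when a public listener is actually needed, recommend the internal load balancer otherwise, and point to how inbound access should be restricted. Smaller points in the same hunk: the rewritten introduction drops the SQL Server 2019 CU8 minimum for the DNN listener that the removed text stated; the two mirroring-style connection strings use `Failover Partner` and `Failover_Partner` without saying which driver each form belongs to; the last two bullets under "For more information on client connectivity" link to the same URL; the Basic availability group paragraph contains "that that" and ends without punctuation; and the Azure portal cell of the new table header ends with a stray comma.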
The following table provides a comparison of the options available:
|**Distributed AG with no AD**|No|No|No|Yes| |**Distributed AG with no cluster** |No|No|No|Yes|
-For more information, see [Azure portal](availability-group-azure-portal-configure.md), [Azure CLI / PowerShell](./availability-group-az-commandline-configure.md), [Quickstart Templates](availability-group-quickstart-template-configure.md), and [Manual](availability-group-manually-configure-prerequisites-tutorial.md).
-
-## Considerations
-
-On an Azure IaaS VM guest failover cluster, we recommend a single NIC per server (cluster node) and a single subnet. Azure networking has physical redundancy, which makes additional NICs and subnets unnecessary on an Azure IaaS VM guest cluster. Although the cluster validation report will issue a warning that the nodes are only reachable on a single network, this warning can be safely ignored on Azure IaaS VM guest failover clusters.
- ## Next steps Review the [HADR best practices](hadr-cluster-best-practices.md) and then get started with deploying your availability group using the [Azure portal](availability-group-azure-portal-configure.md), [Azure CLI / PowerShell](./availability-group-az-commandline-configure.md), [Quickstart Templates](availability-group-quickstart-template-configure.md) or [manually](availability-group-manually-configure-prerequisites-tutorial.md). Alternatively, you can deploy a [clusterless availability group](availability-group-clusterless-workgroup-configure.md) or an availability group in [multiple regions](availability-group-manually-configure-multiple-regions.md).+
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups overview](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
azure-sql Availability Group Quickstart Template Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-quickstart-template-configure.md
Adding SQL Server VMs to the *SqlVirtualMachineGroups* resource group bootstraps
>[!NOTE] > Credentials provided during template deployment are stored only for the length of the deployment. After deployment finishes, those passwords are removed. You'll be asked to provide them again if you add more SQL Server VMs to the cluster.
+## Configure quorum
+Although the disk witness is the most resilient quorum option, it requires an Azure shared disk which imposes some limitations to the availability group. As such, the cloud witness is the recommended quorum solution for clusters hosting availability groups for SQL Server on Azure VMs.
+
+If you have an even number of votes in the cluster, configure the [quorum solution](hadr-cluster-quorum-configure-how-to.md) that best suits your business needs. For more information, see [Quorum with SQL Server VMs](hadr-windows-server-failover-cluster-overview.md#quorum).
## Validate cluster
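Review bot: The first sentence of the new Configure quorum section says the Azure shared disk "imposes some limitations to the availability group" without naming any or linking to them, so the reader cannot judge the cloud witness recommendation. Name the limitations or link to where they are listed. The second paragraph then tells readers with an even number of votes to pick whichever quorum solution suits them; state whether the cloud witness recommendation still applies in that case.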
After you make these changes, try to deploy the Azure quickstart template once m
## Next steps
-For more information, see the following articles:
+To learn more, see:
* [Overview of SQL Server VMs](sql-server-on-azure-vm-iaas-what-is-overview.md) * [FAQ for SQL Server VMs](frequently-asked-questions-faq.md)
azure-sql Availability Group Vnn Azure Load Balancer Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/availability-group-vnn-azure-load-balancer-configure.md
For an alternative connectivity option for customers that are on SQL Server 2019
Before you complete the steps in this article, you should already have: -- Decided that Azure Load Balancer is the appropriate [connectivity option for your HADR solution](hadr-cluster-best-practices.md#connectivity).
+- Decided that Azure Load Balancer is the appropriate [connectivity option for your availability group](hadr-windows-server-failover-cluster-overview.md#virtual-network-name-vnn).
- Configured your [availability group listener](availability-group-overview.md).-- Installed the latest version of [PowerShell](/powershell/azure/install-az-ps).
+- Installed the latest version of [PowerShell](/powershell/scripting/install/installing-powershell-core-on-windows).
## Create load balancer
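Review bot: The PowerShell prerequisite link now points to the PowerShell Core install page instead of `/powershell/azure/install-az-ps`, while the link text is unchanged and the FCI DNN article in this same update still links to the Az module page. Confirm which of the two the steps in this article need (the commands shown later are `Get-ClusterResource` and `Set-ClusterParameter`) and make the prerequisite text name it explicitly, so the two articles do not disagree by accident.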
To set the cluster probe port parameter, update the variables in the following s
```powershell $ClusterNetworkName = "<Cluster Network Name>"
-$IPResourceName = "<SQL Server FCI / AG Listener IP Address Resource Name>"
+$IPResourceName = "<Availability group Listener IP Address Resource Name>"
$ILBIP = "<n.n.n.n>" [int]$ProbePort = <nnnnn>
After you set the cluster probe, you can see all the cluster parameters in Power
Get-ClusterResource $IPResourceName | Get-ClusterParameter ```
+## Modify connection string
-## Test failover
+For clients that support it, add the `MultiSubnetFailover=True` to the connection string. While the MultiSubnetFailover connection option is not required, it does provide the benefit of a faster subnet failover. This is because the client driver will attempt to open up a TCP socket for each IP address in parallel. The client driver will wait for the first IP to respond with success and once it does, will then use it for the connection.
+If your client does not support the MultiSubnetFailover parameter, you can modify the RegisterAllProvidersIP and HostRecordTTL settings to prevent connectivity delays post-failover.
-Test failover of the clustered resource to validate cluster functionality.
+Use PowerShell to modify the RegisterAllProvidersIp and HostRecordTTL settings:
+
+```powershell
+Get-ClusterResource yourListenerName | Set-ClusterParameter RegisterAllProvidersIP 0
+Get-ClusterResource yourListenerName|Set-ClusterParameter HostRecordTTL 300
+```
+
+To learn more, see the SQL Server [listener connection timeout](/troubleshoot/sql/availability-groups/listener-connection-times-out) documentation.
+> [!TIP]
+> - Set the MultiSubnetFailover parameter = true in the connection string even for HADR solutions that span a single subnet to support future spanning of subnets without the need to update connection strings.
+> - By default, clients cache cluster DNS records for 20 minutes. By reducing HostRecordTTL you reduce the Time to Live (TTL) for the cached record, legacy clients may reconnect more quickly. As such, reducing the HostRecordTTL setting may result in increased traffic to the DNS servers.
+
+## Test failover
+
+Test failover of the clustered resource to validate cluster functionality.
Take the following steps:
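Review bot: The new snippet sets `HostRecordTTL 300` with no unit, while the tip below describes the default as "20 minutes"; state the unit next to the value, and say whether the listener resource has to be taken offline and brought back online for `RegisterAllProvidersIP` and `HostRecordTTL` to take effect. Also align the spelling (`RegisterAllProvidersIP` in the code, `RegisterAllProvidersIp` in the sentence introducing it), put spaces around the pipe in the second command, and split the run-on in the second tip ("...for the cached record, legacy clients may reconnect...").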
To test connectivity, sign in to another virtual machine in the same virtual net
## Next steps
-To learn more about SQL Server HADR features in Azure, see [Availability groups](availability-group-overview.md) and [Failover cluster instance](failover-cluster-instance-overview.md). You can also learn [best practices](hadr-cluster-best-practices.md) for configuring your environment for high availability and disaster recovery.
+Once the VNN is created, consider optimizing the [cluster settings for SQL Server VMs](hadr-cluster-best-practices.md).
+
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups with SQL Server on Azure VMs](availability-group-overview.md)
+- [Always On availability groups overview](/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
azure-sql Business Continuity High Availability Disaster Recovery Hadr Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview.md
Availability zones are unique physical locations within an Azure region. Each zo
To configure high availability, place participating SQL Server virtual machines spread across availability zones in the region. There will be additional charges for network-to-network transfers between availability zones. For more information, see [Availability zones](../../../availability-zones/az-overview.md). -
-### Failover cluster behavior in Azure networking
-The non-RFC-compliant DHCP service in Azure can cause the creation of certain failover cluster configurations to fail. This failure happens because the cluster network name is assigned a duplicate IP address, such as the same IP address as one of the cluster nodes. This is an issue when you use availability groups, which depend on the Windows failover cluster feature.
-
-Consider the scenario when a two-node cluster is created and brought online:
-
-1. The cluster comes online, and then NODE1 requests a dynamically assigned IP address for the cluster network name.
-2. The DHCP service doesn't give any IP address other than NODE1's own IP address, because the DHCP service recognizes that the request comes from NODE1 itself.
-3. Windows detects that a duplicate address is assigned both to NODE1 and to the failover cluster's network name, and the default cluster group fails to come online.
-4. The default cluster group moves to NODE2. NODE2 treats NODE1's IP address as the cluster IP address and brings the default cluster group online.
-5. When NODE2 tries to establish connectivity with NODE1, packets directed at NODE1 never leave NODE2 because it resolves NODE1's IP address to itself. NODE2 can't establish connectivity with NODE1, and then loses quorum and shuts down the cluster.
-6. NODE1 can send packets to NODE2, but NODE2 can't reply. NODE1 loses quorum and shuts down the cluster.
-
-You can avoid this scenario by assigning an unused static IP address to the cluster network name in order to bring the cluster network name online. For example, you can use a link-local IP address like 169.254.1.1. To simplify this process, see [Configuring Windows failover cluster in Azure for availability groups](https://social.technet.microsoft.com/wiki/contents/articles/14776.configuring-windows-failover-cluster-in-windows-azure-for-alwayson-availability-groups.aspx).
-
-For more information, see [Configure availability groups in Azure (GUI)](./availability-group-quickstart-template-configure.md).
-
-### Support for availability group listeners
-Availability group listeners are supported on Azure VMs running Windows Server 2012 and later. This support is made possible by the use of load-balanced endpoints enabled on the Azure VMs that are availability group nodes. You must follow special configuration steps for the listeners to work for both client applications running in Azure and those running on-premises.
-
-There are two main options for setting up your listener: external (public) or internal. The external (public) listener uses an internet-facing load balancer and is associated with a public virtual IP that's accessible over the internet. An internal listener uses an internal load balancer and supports only clients within the same virtual network. For either load balancer type, you must enable Direct Server Return.
-
-If the availability group spans multiple Azure subnets (such as a deployment that crosses Azure regions), the client connection string must include `MultisubnetFailover=True`. This results in parallel connection attempts to the replicas in the different subnets. For instructions on setting up a listener, see [Configure an ILB listener for availability groups in Azure](availability-group-listener-powershell-configure.md).
--
-You can still connect to each availability replica separately by connecting directly to the service instance. Also, because availability groups are backward compatible with database mirroring clients, you can connect to the availability replicas like database mirroring partners as long as the replicas are configured similarly to database mirroring:
-
-* There's one primary replica and one secondary replica.
-* The secondary replica is configured as non-readable (**Readable Secondary** option set to **No**).
-
-Here's an example client connection string that corresponds to this database mirroring-like configuration using ADO.NET or SQL Server Native Client:
-
-```console
-Data Source=ReplicaServer1;Failover Partner=ReplicaServer2;Initial Catalog=AvailabilityDatabase;
-```
-
-For more information on client connectivity, see:
-
-* [Using Connection String Keywords with SQL Server Native Client](/sql/relational-databases/native-client/applications/using-connection-string-keywords-with-sql-server-native-client)
-* [Connect Clients to a Database Mirroring Session (SQL Server)](/sql/database-engine/database-mirroring/connect-clients-to-a-database-mirroring-session-sql-server)
-* [Connecting to Availability Group Listener in Hybrid IT](/archive/blogs/sqlalwayson/connecting-to-availability-group-listener-in-hybrid-it)
-* [Availability Group Listeners, Client Connectivity, and Application Failover (SQL Server)](/sql/database-engine/availability-groups/windows/listeners-client-connectivity-application-failover)
-* [Using Database-Mirroring Connection Strings with Availability Groups](/sql/database-engine/availability-groups/windows/listeners-client-connectivity-application-failover)
- ### Network latency in hybrid IT Deploy your HADR solution with the assumption that there might be periods of high network latency between your on-premises network and Azure. When you're deploying replicas to Azure, use asynchronous commit instead of synchronous commit for the synchronization mode. When you're deploying database mirroring servers both on-premises and in Azure, use the high-performance mode instead of the high-safety mode.
+See the [HADR configuration best practices](hadr-cluster-best-practices.md) for cluster and HADR settings that can help accommodate the cloud environment.
+ ### Geo-replication support Geo-replication in Azure disks does not support the data file and log file of the same database to be stored on separate disks. GRS replicates changes on each disk independently and asynchronously. This mechanism guarantees the write order within a single disk on the geo-replicated copy, but not across geo-replicated copies of multiple disks. If you configure a database to store its data file and its log file on separate disks, the recovered disks after a disaster might contain a more up-to-date copy of the data file than the log file, which breaks the write-ahead log in SQL Server and the ACID properties (atomicity, consistency, isolation, and durability) of transactions.
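Review bot: The removed "Failover cluster behavior in Azure networking" section documents a concrete failure (the cluster network name receiving a node's own IP address) and its workaround of assigning an unused static IP address; confirm that guidance exists in the new Windows Server Failover Cluster overview before deleting it here, since the one added line only links to the best practices article. The removed listener text also said the connection string "must include" `MultisubnetFailover=True` for groups spanning multiple subnets, whereas the text added to the VNN load balancer article calls the option "not required"; reconcile the two statements.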
azure-sql Doc Changes Updates Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/doc-changes-updates-release-notes.md
Last updated 04/25/2021
Azure allows you to deploy a virtual machine (VM) with an image of SQL Server built in. This article summarizes the documentation changes associated with new features and improvements in the recent releases of [SQL Server on Azure Virtual Machines](https://azure.microsoft.com/services/virtual-machines/sql-server/).
+## May 2021
+
+| Changes | Details |
+| | |
+| **HADR content refresh** | We've refreshed and enhanced our high availability and disaster recovery (HADR) content! There's now an [Overview of the Windows Server Failover Cluster](hadr-windows-server-failover-cluster-overview.md), as well as a consolidated [how-to configure quorum](hadr-cluster-quorum-configure-how-to.md) for SQL Server VMs. Additionally, we've enhanced the [cluster best practices](hadr-cluster-best-practices.md) with more comprehensive setting recommendations adopted to the cloud.|
+ ## April 2021 | Changes | Details | | | |
-| **Migrate high availability to VM** | Azure Migrate brings support to lift and shift your entire high availability solution to SQL Server on Azure VMs. Bring your [availability group](../../migration-guides/virtual-machines/sql-server-availability-group-to-sql-on-azure-vm.md) or your [failover cluster instance](../../migration-guides/virtual-machines/sql-server-failover-cluster-instance-to-sql-on-azure-vm.md) to SQL Server VMs using Azure Migrate today! |
+| **Migrate high availability to VM** | Azure Migrate brings support to lift and shift your entire high availability solution to SQL Server on Azure VMs! Bring your [availability group](../../migration-guides/virtual-machines/sql-server-availability-group-to-sql-on-azure-vm.md) or your [failover cluster instance](../../migration-guides/virtual-machines/sql-server-failover-cluster-instance-to-sql-on-azure-vm.md) to SQL Server VMs using Azure Migrate today! |
## March 2021
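Review bot: In the new May 2021 row, "setting recommendations adopted to the cloud" reads as a typo for "adapted to the cloud", and "how-to configure quorum" would read better as "how-to guide for configuring quorum". The exclamation mark added to the April 2021 row leaves two exclamatory sentences back to back; one is enough.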
azure-sql Failover Cluster Instance Azure Shared Disks Manually Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/failover-cluster-instance-azure-shared-disks-manually-configure.md
For more information, see [Failover cluster: Cluster Network Object](https://blo
## Configure quorum
-Configure the quorum solution that best suits your business needs. You can configure a [Disk Witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum), a [Cloud Witness](/windows-server/failover-clustering/deploy-cloud-witness), or a [File Share Witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum). For more information, see [Quorum with SQL Server VMs](hadr-cluster-best-practices.md#quorum).
+Since the disk witness is the most resilient quorum option, and the FCI solution uses Azure shared disks, it's recommended to configure a disk witness as the quorum solution.
+
+If you have an even number of votes in the cluster, configure the [quorum solution](hadr-cluster-quorum-configure-how-to.md) that best suits your business needs. For more information, see [Quorum with SQL Server VMs](hadr-windows-server-failover-cluster-overview.md#quorum).
## Validate cluster Validate the cluster in the UI or by using PowerShell.
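Review bot: The replacement text recommends a disk witness unconditionally and then opens the next paragraph with "If you have an even number of votes in the cluster", which leaves unclear whether a witness is needed only in that case or always. Merge the two into one statement of when to configure a witness, and either keep the links to the Cloud Witness and File Share Witness pages that the removed line carried or confirm that the linked quorum how-to covers them.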
New-AzSqlVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -Location $v
## Configure connectivity
-To route traffic appropriately to the current primary node, configure the connectivity option that's suitable for your environment. You can create an [Azure load balancer](failover-cluster-instance-vnn-azure-load-balancer-configure.md) or, if you're using SQL Server 2019 CU2 (or later) and Windows Server 2016 (or later), you can use the [distributed network name](failover-cluster-instance-distributed-network-name-dnn-configure.md) feature instead.
-
-For more details about cluster connectivity options, see [Route HADR connections to SQL Server on Azure VMs](hadr-cluster-best-practices.md#connectivity).
+You can configure a virtual network name, or a distributed network name for a failover cluster instance. [Review the differences between the two](hadr-windows-server-failover-cluster-overview.md#virtual-network-name-vnn) and then deploy either a [distributed network name](failover-cluster-instance-distributed-network-name-dnn-configure.md) or a [virtual network name](failover-cluster-instance-vnn-azure-load-balancer-configure.md) for your failover cluster instance.
## Limitations
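Review bot: The replacement paragraph drops the version requirement that the removed text stated for the distributed network name (SQL Server 2019 CU2 or later and Windows Server 2016 or later). A reader choosing between the two links no longer sees that constraint on this page, so keep it as a short clause next to the DNN link. The comma in "a virtual network name, or a distributed network name" is also unnecessary. The same replacement is made in the premium file share and Storage Spaces Direct articles.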
If Azure shared disks are not the appropriate FCI storage solution for you, cons
To learn more, see an overview of [FCI with SQL Server on Azure VMs](failover-cluster-instance-overview.md) and [cluster configuration best practices](hadr-cluster-best-practices.md).
-For more information, see:
-- [Windows cluster technologies](/windows-server/failover-clustering/failover-clustering-overview) -- [SQL Server failover cluster instances](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)+
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Failover cluster instances with SQL Server on Azure VMs](failover-cluster-instance-overview.md)
+- [Failover cluster instance overview](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
azure-sql Failover Cluster Instance Distributed Network Name Dnn Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/failover-cluster-instance-distributed-network-name-dnn-configure.md
Before you complete the steps in this article, you should already have:
- Decided that the distributed network name is the appropriate [connectivity option for your HADR solution](hadr-cluster-best-practices.md#connectivity). - Configured your [failover cluster instances](failover-cluster-instance-overview.md). - Installed the latest version of [PowerShell](/powershell/azure/install-az-ps).
+- The client connecting to the DNN listener must support the `MultiSubnetFailover=True` parameter in the connection string.
## Create DNN resource
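Review bot: The added prerequisite does not fit the list it joins. The list is introduced with "you should already have:" and every existing item is a completed action (Decided, Configured, Installed), while the new bullet is a standalone requirement on the client ("The client connecting to the DNN listener must support ..."). Suggest rephrasing it as a completed check, for example "Confirmed that the clients connecting to the DNN support the `MultiSubnetFailover=True` parameter in the connection string", or moving it to a note below the list.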
Alternatively, configure a network adapter in Azure to reserve the IP address us
## Next steps
-To learn more about SQL Server HADR features in Azure, see [Availability groups](availability-group-overview.md) and [Failover cluster instance](failover-cluster-instance-overview.md). You can also learn [best practices](hadr-cluster-best-practices.md) for configuring your environment for high availability and disaster recovery.
+To learn more, see:
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Failover cluster instances with SQL Server on Azure VMs](failover-cluster-instance-overview.md)
+- [Failover cluster instance overview](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
azure-sql Failover Cluster Instance Dnn Interoperability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/failover-cluster-instance-dnn-interoperability.md
Then, create a network alias to map `vnnname\insta1` to `dnnlsnr\insta1`.
## Next steps
-For more information, see:
+To learn more, see:
-- [Windows cluster technologies](/windows-server/failover-clustering/failover-clustering-overview) -- [SQL Server failover cluster instances](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Failover cluster instances with SQL Server on Azure VMs](failover-cluster-instance-overview.md)
+- [Failover cluster instance overview](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
azure-sql Failover Cluster Instance Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/failover-cluster-instance-overview.md
This article introduces feature differences when you're working with failover cl
## Overview
-SQL Server on Azure VMs uses Windows Server Failover Clustering (WSFC) functionality to provide local high availability through redundancy at the server-instance level: a failover cluster instance. An FCI is a single instance of SQL Server that's installed across WSFC (or simply the cluster) nodes and, possibly, across multiple subnets. On the network, an FCI appears to be an instance of SQL Server running on a single computer. But the FCI provides failover from one WSFC node to another if the current node becomes unavailable.
+SQL Server on Azure VMs uses [Windows Server Failover Clustering (WSFC)](hadr-windows-server-failover-cluster-overview.md) functionality to provide local high availability through redundancy at the server-instance level: a failover cluster instance. An FCI is a single instance of SQL Server that's installed across WSFC (or simply the cluster) nodes and, possibly, across multiple subnets. On the network, an FCI appears to be a single instance of SQL Server running on a single computer. But the FCI provides failover from one WSFC node to another if the current node becomes unavailable.
The rest of the article focuses on the differences for failover cluster instances when they're used with SQL Server on Azure VMs. To learn more about the failover clustering technology, see:
For shared storage and data replication solutions from Microsoft partners, conta
## Connectivity
-Failover cluster instances with SQL Server on Azure Virtual Machines use a [distributed network name (DNN)](failover-cluster-instance-distributed-network-name-dnn-configure.md) or
-a [virtual network name (VNN) with Azure Load Balancer](failover-cluster-instance-vnn-azure-load-balancer-configure.md) to route traffic to the SQL Server instance, regardless of which node currently owns the clustered resources. There are additional considerations when using certain features and the DNN with a SQL Server FCI. See [DNN interoperability with SQL Server FCI](failover-cluster-instance-dnn-interoperability.md) to learn more.
+You can configure a virtual network name, or a distributed network name for a failover cluster instance. [Review the differences between the two](hadr-windows-server-failover-cluster-overview.md#virtual-network-name-vnn) and then deploy either a [distributed network name](failover-cluster-instance-distributed-network-name-dnn-configure.md) or a [virtual network name](failover-cluster-instance-vnn-azure-load-balancer-configure.md) for your failover cluster instance.
-For more details about cluster connectivity options, see [Route HADR connections to SQL Server on Azure VMs](hadr-cluster-best-practices.md#connectivity).
+The distributed network name is recommended, if possible, as failover is faster, and the overhead and cost of managing the load balancer is eliminated.
+
+Most SQL Server features work transparently with FCIs when using the DNN, but there are certain features that may require special consideration. See [FCI and DNN interoperability](failover-cluster-instance-dnn-interoperability.md) to learn more.
## Limitations
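Review bot: "recommended, if possible" in the added DNN sentence leaves the condition undefined. State what makes the distributed network name possible, or link directly to its prerequisites, so the reader can tell whether the recommendation applies before following the deployment links in the paragraph above.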
On Azure Virtual Machines, MSDTC isn't supported for Windows Server 2016 or earl
Review [cluster configurations best practices](hadr-cluster-best-practices.md), and then you can [prepare your SQL Server VM for FCI](failover-cluster-instance-prepare-vm.md).
-For more information, see:
-- [Windows cluster technologies](/windows-server/failover-clustering/failover-clustering-overview) -- [SQL Server failover cluster instances](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Failover cluster instance overview](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
+
azure-sql Failover Cluster Instance Premium File Share Manually Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/failover-cluster-instance-premium-file-share-manually-configure.md
Before you complete the instructions in this article, you should already have:
1. Use Remote Desktop Protocol (RDP) to connect to the SQL Server VM with the account that your SQL Server FCI will use for the service account. 1. Open an administrative PowerShell command console. 1. Run the commands that you saved earlier when you were working in the portal.
-1. Go to the share by using either File Explorer or the **Run** dialog box (select Windows + R). Use the network path `\\storageaccountname.file.core.windows.net\filesharename`. For example, `\\sqlvmstorageaccount.file.core.windows.net\sqlpremiumfileshare`
+1. Go to the share by using either File Explorer or the **Run** dialog box (Windows + R on your keyboard). Use the network path `\\storageaccountname.file.core.windows.net\filesharename`. For example, `\\sqlvmstorageaccount.file.core.windows.net\sqlpremiumfileshare`
1. Create at least one folder on the newly connected file share to place your SQL data files into. 1. Repeat these steps on each SQL Server VM that will participate in the cluster. > [!IMPORTANT] > - Consider using a separate file share for backup files to save the input/output operations per second (IOPS) and space capacity of this share for data and log files. You can use either a Premium or Standard File Share for backup files.
- > - If you're on Windows 2012 R2 or earlier, follow these same steps to mount the file share that you're going to use as the file share witness.
+ > - If you're on Windows 2012 R2 or earlier, you can follow similar steps to mount a file share you can use for the file share witness.
>
Before you complete the instructions in this article, you should already have:
Invoke-Command $nodes {Install-WindowsFeature Failover-Clustering -IncludeAllSubFeature -IncludeManagementTools} ```
-## Validate cluster
-
-Validate the cluster in the UI or by using PowerShell.
-
-To validate the cluster by using the UI, do the following on one of the virtual machines:
-
-1. Under **Server Manager**, select **Tools**, and then select **Failover Cluster Manager**.
-1. Under **Failover Cluster Manager**, select **Action**, and then select **Validate Configuration**.
-1. Select **Next**.
-1. Under **Select Servers or a Cluster**, enter the names of both virtual machines.
-1. Under **Testing options**, select **Run only tests I select**.
-1. Select **Next**.
-1. Under **Test Selection**, select all tests except for **Storage** and **Storage Spaces Direct**, as shown here:
-
- :::image type="content" source="media/failover-cluster-instance-premium-file-share-manually-configure/cluster-validation.png" alt-text="Select cluster validation tests":::
-
-1. Select **Next**.
-1. Under **Confirmation**, select **Next**.
-
-The **Validate a Configuration** wizard runs the validation tests.
-
-To validate the cluster by using PowerShell, run the following script from an administrator PowerShell session on one of the virtual machines:
-
- ```powershell
- Test-Cluster ΓÇôNode ("<node1>","<node2>") ΓÇôInclude "Inventory", "Network", "System Configuration"
- ```
-
-After you validate the cluster, create the failover cluster.
## Create failover cluster
For more information, see [Failover cluster: Cluster Network Object](https://blo
- ## Configure quorum
-Configure the quorum solution that best suits your business needs. You can configure a [Disk Witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum), a [Cloud Witness](/windows-server/failover-clustering/deploy-cloud-witness), or a [File Share Witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum). For more information, see [Quorum with SQL Server VMs](hadr-cluster-best-practices.md#quorum).
+Although the disk witness is the most resilient quorum option, it requires an Azure shared disk which imposes some limitations to the failover cluster instance when configured with premium file shares. As such, the cloud witness is the recommended quorum solution for this type of cluster configuration for SQL Server on Azure VMs. Otherwise, configure a file share witness.
+
+If you have an even number of votes in the cluster, configure the [quorum solution](hadr-cluster-quorum-configure-how-to.md) that best suits your business needs. For more information, see [Quorum with SQL Server VMs](hadr-windows-server-failover-cluster-overview.md#quorum).
+
+## Validate cluster
+
+Validate the cluster in the UI or by using PowerShell.
+
+To validate the cluster by using the UI, do the following on one of the virtual machines:
+
+1. Under **Server Manager**, select **Tools**, and then select **Failover Cluster Manager**.
+1. Under **Failover Cluster Manager**, select **Action**, and then select **Validate Configuration**.
+1. Select **Next**.
+1. Under **Select Servers or a Cluster**, enter the names of both virtual machines.
+1. Under **Testing options**, select **Run only tests I select**.
+1. Select **Next**.
+1. Under **Test Selection**, select all tests except for **Storage** and **Storage Spaces Direct**, as shown here:
+
+ :::image type="content" source="media/failover-cluster-instance-premium-file-share-manually-configure/cluster-validation.png" alt-text="Select cluster validation tests":::
+
+1. Select **Next**.
+1. Under **Confirmation**, select **Next**.
+
+The **Validate a Configuration** wizard runs the validation tests.
+
+To validate the cluster by using PowerShell, run the following script from an administrator PowerShell session on one of the virtual machines:
+
+ ```powershell
+ Test-Cluster ΓÇôNode ("<node1>","<node2>") ΓÇôInclude "Inventory", "Network", "System Configuration"
+ ```
+ ## Test cluster failover
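Review bot: In the re-added Test-Cluster command the parameter prefixes appear as "ΓÇô", a mis-encoded en dash, rather than a hyphen, so the command as rendered here will not run when pasted. Since the block is being moved anyway, write the parameters with ASCII hyphens, `-Node` and `-Include`. The Test-Cluster line in the Storage Spaces Direct article has the same characters and needs the same fix.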
New-AzSqlVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -Location $v
## Configure connectivity
-To route traffic appropriately to the current primary node, configure the connectivity option that's suitable for your environment. You can create an [Azure load balancer](failover-cluster-instance-vnn-azure-load-balancer-configure.md) or, if you're using SQL Server 2019 CU2 (or later) and Windows Server 2016 (or later), you can use the [distributed network name](failover-cluster-instance-distributed-network-name-dnn-configure.md) feature instead.
-
-For more details about cluster connectivity options, see [Route HADR connections to SQL Server on Azure VMs](hadr-cluster-best-practices.md#connectivity).
+You can configure a virtual network name, or a distributed network name for a failover cluster instance. [Review the differences between the two](hadr-windows-server-failover-cluster-overview.md#virtual-network-name-vnn) and then deploy either a [distributed network name](failover-cluster-instance-distributed-network-name-dnn-configure.md) or a [virtual network name](failover-cluster-instance-vnn-azure-load-balancer-configure.md) for your failover cluster instance.
## Limitations
If you haven't already done so, configure connectivity to your FCI with a [virtu
If premium file shares are not the appropriate FCI storage solution for you, consider creating your FCI by using [Azure shared disks](failover-cluster-instance-azure-shared-disks-manually-configure.md) or [Storage Spaces Direct](failover-cluster-instance-storage-spaces-direct-manually-configure.md) instead.
-To learn more, see an overview of [FCI with SQL Server on Azure VMs](failover-cluster-instance-overview.md) and [cluster configuration best practices](hadr-cluster-best-practices.md).
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Failover cluster instances with SQL Server on Azure VMs](failover-cluster-instance-overview.md)
+- [Failover cluster instance overview](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
-For more information, see:
-- [Windows cluster technologies](/windows-server/failover-clustering/failover-clustering-overview) -- [SQL Server failover cluster instances](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
azure-sql Failover Cluster Instance Prepare Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/failover-cluster-instance-prepare-vm.md
Choose one of the following guides to configure the FCI environment that's appro
- [Configure FCI with a Premium file share](failover-cluster-instance-premium-file-share-manually-configure.md) - [Configure FCI with Storage Spaces Direct](failover-cluster-instance-storage-spaces-direct-manually-configure.md)
-To learn more, see an overview of [FCI with SQL Server on Azure VMs](failover-cluster-instance-overview.md) and [supported HADR configurations](hadr-cluster-best-practices.md).
-For additional information, see:
-- [Windows cluster technologies](/windows-server/failover-clustering/failover-clustering-overview) -- [SQL Server failover cluster instances](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Failover cluster instances with SQL Server on Azure VMs](failover-cluster-instance-overview.md)
+- [Failover cluster instance overview](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
azure-sql Failover Cluster Instance Storage Spaces Direct Manually Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/failover-cluster-instance-storage-spaces-direct-manually-configure.md
Before you complete the instructions in this article, you should already have:
For more information about the next steps, see the instructions in the "Step 3: Configure Storage Spaces Direct" section of [Hyperconverged solution using Storage Spaces Direct in Windows Server 2016](/windows-server/storage/storage-spaces/deploy-storage-spaces-direct#step-3-configure-storage-spaces-direct). -
-## Validate the cluster
-
-Validate the cluster in the UI or by using PowerShell.
-
-To validate the cluster by using the UI, do the following on one of the virtual machines:
-
-1. Under **Server Manager**, select **Tools**, and then select **Failover Cluster Manager**.
-1. Under **Failover Cluster Manager**, select **Action**, and then select **Validate Configuration**.
-1. Select **Next**.
-1. Under **Select Servers or a Cluster**, enter the names of both virtual machines.
-1. Under **Testing options**, select **Run only tests I select**.
-1. Select **Next**.
-1. Under **Test Selection**, select all tests except for **Storage**, as shown here:
-
- ![Select cluster validation tests](./media/failover-cluster-instance-storage-spaces-direct-manually-configure/10-validate-cluster-test.png)
-
-1. Select **Next**.
-1. Under **Confirmation**, select **Next**.
-
- The **Validate a Configuration** wizard runs the validation tests.
-
-To validate the cluster by using PowerShell, run the following script from an administrator PowerShell session on one of the virtual machines:
-
- ```powershell
- Test-Cluster ΓÇôNode ("<node1>","<node2>") ΓÇôInclude "Storage Spaces Direct", "Inventory", "Network", "System Configuration"
- ```
-
-After you validate the cluster, create the failover cluster.
-- ## Create failover cluster To create the failover cluster, you need:
For more information, see [Failover cluster: Cluster Network Object](https://blo
## Configure quorum
-Configure the quorum solution that best suits your business needs. You can configure a [Disk Witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum), a [Cloud Witness](/windows-server/failover-clustering/deploy-cloud-witness), or a [File Share Witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum). For more information, see [Quorum with SQL Server VMs](hadr-cluster-best-practices.md#quorum).
+Although the disk witness is the most resilient quorum option, it's not supported for failover cluster instances configured with Storage Spaces Direct. As such, the cloud witness is the recommended quorum solution for this type of cluster configuration for SQL Server on Azure VMs. Otherwise, configure a file share witness.
+
+If you have an even number of votes in the cluster, configure the [quorum solution](hadr-cluster-quorum-configure-how-to.md) that best suits your business needs. For more information, see [Quorum with SQL Server VMs](hadr-windows-server-failover-cluster-overview.md#quorum).
+
+## Validate the cluster
+
+Validate the cluster in the UI or by using PowerShell.
+
+To validate the cluster by using the UI, do the following on one of the virtual machines:
+
+1. Under **Server Manager**, select **Tools**, and then select **Failover Cluster Manager**.
+1. Under **Failover Cluster Manager**, select **Action**, and then select **Validate Configuration**.
+1. Select **Next**.
+1. Under **Select Servers or a Cluster**, enter the names of both virtual machines.
+1. Under **Testing options**, select **Run only tests I select**.
+1. Select **Next**.
+1. Under **Test Selection**, select all tests except for **Storage**, as shown here:
+
+ ![Select cluster validation tests](./media/failover-cluster-instance-storage-spaces-direct-manually-configure/10-validate-cluster-test.png)
+
+1. Select **Next**.
+1. Under **Confirmation**, select **Next**.
+
+ The **Validate a Configuration** wizard runs the validation tests.
+
+To validate the cluster by using PowerShell, run the following script from an administrator PowerShell session on one of the virtual machines:
+
+ ```powershell
+ Test-Cluster ΓÇôNode ("<node1>","<node2>") ΓÇôInclude "Storage Spaces Direct", "Inventory", "Network", "System Configuration"
+ ```
+ ## Add storage
New-AzSqlVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroupName -Location $v
## Configure connectivity
-To route traffic appropriately to the current primary node, configure the connectivity option that's suitable for your environment. You can create an [Azure load balancer](failover-cluster-instance-vnn-azure-load-balancer-configure.md) or, if you're using SQL Server 2019 CU2 (or later) and Windows Server 2016 (or later), you can use the [distributed network name](failover-cluster-instance-distributed-network-name-dnn-configure.md) feature instead.
-
-For more details about cluster connectivity options, see [Route HADR connections to SQL Server on Azure VMs](hadr-cluster-best-practices.md#connectivity).
+You can configure a virtual network name, or a distributed network name for a failover cluster instance. [Review the differences between the two](hadr-windows-server-failover-cluster-overview.md#virtual-network-name-vnn) and then deploy either a [distributed network name](failover-cluster-instance-distributed-network-name-dnn-configure.md) or a [virtual network name](failover-cluster-instance-vnn-azure-load-balancer-configure.md) for your failover cluster instance.
## Limitations - Azure virtual machines support Microsoft Distributed Transaction Coordinator (MSDTC) on Windows Server 2019 with storage on CSVs and a [standard load balancer](../../../load-balancer/load-balancer-overview.md). - Disks that have been attached as NTFS-formatted disks can be used with Storage Spaces Direct only if the disk eligibility option is unchecked, or cleared, when storage is being added to the cluster. - Only registering with the SQL IaaS Agent extension in [lightweight management mode](sql-server-iaas-agent-extension-automate-management.md#management-modes) is supported.
+- Failover cluster instances using Storage Spaces Direct as the shared storage do not support using a disk witness for the quorum of the cluster. Use a cloud witness instead.
## Next steps
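Review bot: The new limitation bullet and the new quorum paragraph in this article give different guidance. The bullet ends with "Use a cloud witness instead", while the quorum section says the cloud witness is recommended and then adds "Otherwise, configure a file share witness". Align the two, and in the quorum paragraph say what "Otherwise" covers, that is, when a cloud witness would not be used.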
If you haven't already done so, configure connectivity to your FCI with a [virtu
If Storage Spaces Direct isn't the appropriate FCI storage solution for you, consider creating your FCI by using [Azure shared disks](failover-cluster-instance-azure-shared-disks-manually-configure.md) or [Premium File Shares](failover-cluster-instance-premium-file-share-manually-configure.md) instead.
-To learn more, see an overview of [FCI with SQL Server on Azure VMs](failover-cluster-instance-overview.md) and [cluster configuration best practices](hadr-cluster-best-practices.md).
+To learn more, see:
-For more information, see:
-- [Windows cluster technologies](/windows-server/failover-clustering/failover-clustering-overview) -- [SQL Server failover cluster instances](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Failover cluster instances with SQL Server on Azure VMs](failover-cluster-instance-overview.md)
+- [Failover cluster instance overview](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
azure-sql Failover Cluster Instance Vnn Azure Load Balancer Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/failover-cluster-instance-vnn-azure-load-balancer-configure.md
-# Configure Azure Load Balancer for failover cluster instance VNN
+# Configure Azure Load Balancer for an FCI VNN
[!INCLUDE[appliesto-sqlvm](../../includes/appliesto-sqlvm.md)] On Azure Virtual Machines, clusters use a load balancer to hold an IP address that needs to be on one cluster node at a time. In this solution, the load balancer holds the IP address for the virtual network name (VNN) used by the clustered resource in Azure.
For an alternative connectivity option for SQL Server 2019 CU2 and later, consid
Before you complete the steps in this article, you should already have: -- Decided that Azure Load Balancer is the appropriate [connectivity option for your HADR solution](hadr-cluster-best-practices.md#connectivity).-- Configured your [availability group listener](availability-group-overview.md) or [failover cluster instances](failover-cluster-instance-overview.md). -- Installed the latest version of [PowerShell](/powershell/azure/install-az-ps). -
+- Determined that Azure Load Balancer is the appropriate [connectivity option for your FCI](hadr-windows-server-failover-cluster-overview.md#virtual-network-name-vnn).
+- Configured your [failover cluster instances](failover-cluster-instance-overview.md).
+- Installed the latest version of [PowerShell](/powershell/scripting/install/installing-powershell-core-on-windows).
## Create load balancer
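Review bot: The PowerShell prerequisite link now points to `/powershell/scripting/install/installing-powershell-core-on-windows`, while the equivalent prerequisite in the DNN configuration article still points to `/powershell/azure/install-az-ps`. Confirm which install target the steps in this article need and make the sibling articles consistent, since the link text "Installed the latest version of PowerShell" is the same in both.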
Use the [Azure portal](https://portal.azure.com) to create the load balancer:
1. Associate the backend pool with the availability set that contains the VMs.
-1. Under **Target network IP configurations**, select **VIRTUAL MACHINE** and choose the virtual machines that will participate as cluster nodes. Be sure to include all virtual machines that will host the FCI or availability group.
+1. Under **Target network IP configurations**, select **VIRTUAL MACHINE** and choose the virtual machines that will participate as cluster nodes. Be sure to include all virtual machines that will host the FCI.
1. Select **OK** to create the backend pool.
To set the cluster probe port parameter, update the variables in the following s
```powershell $ClusterNetworkName = "<Cluster Network Name>"
-$IPResourceName = "<SQL Server FCI / AG Listener IP Address Resource Name>"
+$IPResourceName = "<SQL Server FCI IP Address Resource Name>"
$ILBIP = "<n.n.n.n>" [int]$ProbePort = <nnnnn>
After you set the cluster probe, you can see all the cluster parameters in Power
Get-ClusterResource $IPResourceName | Get-ClusterParameter ```
+## Modify connection string
+
+For clients that support it, add the `MultiSubnetFailover=True` to the connection string. While the MultiSubnetFailover connection option is not required, it does provide the benefit of a faster subnet failover. This is because the client driver will attempt to open up a TCP socket for each IP address in parallel. The client driver will wait for the first IP to respond with success and once it does, will then use it for the connection.
+
+If your client does not support the MultiSubnetFailover parameter, you can modify the RegisterAllProvidersIP and HostRecordTTL settings to prevent connectivity delays upon failover.
+
+Use PowerShell to modify the RegisterAllProvidersIp and HostRecordTTL settings:
+
+```powershell
+Get-ClusterResource yourFCIname | Set-ClusterParameter RegisterAllProvidersIP 0
+Get-ClusterResource yourFCIname | Set-ClusterParameter HostRecordTTL 300
+```
+
+To learn more, see the SQL Server [listener connection timeout](/troubleshoot/sql/availability-groups/listener-connection-times-out) documentation.
+
+> [!TIP]
+> - Set the MultiSubnetFailover parameter = true in the connection string even for HADR solutions that span a single subnet to support future spanning of subnets without the need to update connection strings.
+> - By default, clients cache cluster DNS records for 20 minutes. By reducing HostRecordTTL you reduce the Time to Live (TTL) for the cached record, legacy clients may reconnect more quickly. As such, reducing the HostRecordTTL setting may result in increased traffic to the DNS servers.
+ ## Test failover
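Review bot: The two `Set-ClusterParameter` lines use a bare `yourFCIname` placeholder, which differs from the `"<...>"` placeholder style of the probe-port script earlier in the article and does not say which cluster resource is meant. Use the same angle-bracket style and name the resource explicitly. The setting is also spelled both `RegisterAllProvidersIP` and `RegisterAllProvidersIp` in the prose; pick one. In the first sentence, "add the `MultiSubnetFailover=True` to the connection string" has a stray "the", and in the tip the sentence "By reducing HostRecordTTL you reduce the Time to Live (TTL) for the cached record, legacy clients may reconnect more quickly" is a run-on whose follow-up "As such" should introduce the trade-off (more DNS traffic) with a contrast such as "However".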
To test connectivity, sign in to another virtual machine in the same virtual net
++ ## Next steps
-To learn more about SQL Server HADR features in Azure, see [Availability groups](availability-group-overview.md) and [Failover cluster instance](failover-cluster-instance-overview.md). You can also learn [best practices](hadr-cluster-best-practices.md) for configuring your environment for high availability and disaster recovery.
+To learn more, see:
+
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Failover cluster instances with SQL Server on Azure VMs](failover-cluster-instance-overview.md)
+- [Failover cluster instance overview](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
+
azure-sql Hadr Cluster Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/hadr-cluster-best-practices.md
Title: Cluster configuration best practices
+ Title: HADR configuration best practices
description: "Learn about the supported cluster configurations when you configure high availability and disaster recovery (HADR) for SQL Server on Azure Virtual Machines, such as supported quorums or connection routing options." documentationCenter: na
vm-windows-sql-server Previously updated : "06/02/2020" Last updated : "04/25/2021"
-# Cluster configuration best practices (SQL Server on Azure VMs)
+# HADR configuration best practices (SQL Server on Azure VMs)
[!INCLUDE[appliesto-sqlvm](../../includes/appliesto-sqlvm.md)]
-A cluster is used for high availability and disaster recovery (HADR) with SQL Server on Azure Virtual Machines (VMs).
+A [Windows Server Failover Cluster](hadr-windows-server-failover-cluster-overview.md) is used for high availability and disaster recovery (HADR) with SQL Server on Azure Virtual Machines (VMs).
This article provides cluster configuration best practices for both [failover cluster instances (FCIs)](failover-cluster-instance-overview.md) and [availability groups](availability-group-overview.md) when you use them with SQL Server on Azure VMs.
+To learn more, see the other articles in this series: [Checklist](performance-guidelines-best-practices-checklist.md), [VM size](performance-guidelines-best-practices-vm-size.md), [Storage](performance-guidelines-best-practices-storage.md), [Security](security-considerations-best-practices.md), [HADR configuration](hadr-cluster-best-practices.md), [Collect baseline](performance-guidelines-best-practices-collect-baseline.md).
-## Networking
+## Checklist
-Use a single NIC per server (cluster node) and a single subnet. Azure networking has physical redundancy, which makes additional NICs and subnets unnecessary on an Azure virtual machine guest cluster. The cluster validation report will warn you that the nodes are reachable only on a single network. You can ignore this warning on Azure virtual machine guest failover clusters.
+Review the following checklist for a brief overview of the HADR best practices that the rest of the article covers in greater detail.
+
+For your Windows cluster, consider these best practices:
+
+* Change the cluster to less aggressive parameters to avoid unexpected outages from transient network failures or Azure platform maintenance. To learn more, see [heartbeat and threshold settings](#heartbeat-and-threshold). For Windows Server 2012 and later, use the following recommended values:
+ - **SameSubnetDelay**: 1 second
+ - **SameSubnetThreshold**: 40 heartbeats
+ - **CrossSubnetDelay**: 1 second
+ - **CrossSubnetThreshold**: 40 heartbeats
+* Place your VMs in an availability set or different availability zones. To learn more, see [VM availability settings](#vm-availability-settings).
+* Use a single NIC per cluster node and a single subnet.
+* Configure cluster [quorum voting](#quorum-voting) to use 3 or more odd number of votes. Do not assign votes to DR regions.
+* Carefully monitor [resource limits](#resource-limits) to avoid unexpected restarts or failovers due to resource constraints.
+ - Ensure your OS, drivers, and SQL Server are at the latest builds.
+ - Optimize performance for SQL Server on Azure VMs. Review the other sections in this article to learn more.
+ - Reduce or spread out workload to avoid resource limits.
+ - Move to a VM or disk that his higher limits to avoid constraints.
+
+For your SQL Server availability group or failover cluster instance, consider these best practices:
-### Tuning Failover Cluster Network Thresholds
+* If you're experiencing frequent unexpected failures, follow the performance best practices outlined in the rest of this article.
+* If optimizing SQL Server VM performance does not resolve your unexpected failovers, consider [relaxing the monitoring](#relaxed-monitoring) for the availability group or failover cluster instance. However, doing so may not address the underlying source of the issue and could mask symptoms by reducing the likelihood of failure. You may still need to investigate and address the underlying root cause. For Windows Server 2012 or higher, use the following recommended values:
+ - **Lease timeout**: Use this equation to calculate the maximum lease time out value:
+ `Lease timeout < (2 * SameSubnetThreshold * SameSubnetDelay)`.
+ Start with 40 seconds. If you're using the relaxed `SameSubnetThreshold` and `SameSubnetDelay` values recommended previously, do not exceed 80 seconds for the lease timeout value.
+ - **Max failures in a specified period**: Set this value to 6.
+* When using the virtual network name (VNN) to connect to your HADR solution, specify `MultiSubnetFailover = true` in the connection string, even if your cluster only spans one subnet.
+ - If the client does not support `MultiSubnetFailover = True` you may need to set `RegisterAllProvidersIP = 0` and `HostRecordTTL = 300` to cache client credentials for shorter durations. However, doing so may cause additional queries to the DNS server.
+- To connect to your HADR solution using the distributed network name (DNN), consider the following:
+ - You must use a client driver that supports `MultiSubnetFailover = True`, and this parameter must be in the connection string.
+ - Use a unique DNN port in the connection string when connecting to the DNN listener for an availability group.
+- Use a database mirroring connection string for a basic availability group to bypass the need for a load balancer or DNN.
+- Validate the sector size of your VHDs before deploying your high availability solution to avoid having misaligned I/Os. See [KB3009974](https://support.microsoft.com/topic/kb3009974-fix-slow-synchronization-when-disks-have-different-sector-sizes-for-primary-and-secondary-replica-log-files-in-sql-server-ag-and-logshipping-environments-ed181bf3-ce80-b6d0-f268-34135711043c) to learn more.
-When running Windows Failover Cluster nodes in Azure Vms with SQL Server AlwaysOn, changing the cluster setting to a more relaxed monitoring state is recommended. This will make the cluster much more stable and reliable. For details on this, see [IaaS with SQL AlwaysOn - Tuning Failover Cluster Network Thresholds](/windows-server/troubleshoot/iaas-sql-failover-cluster).
+
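Review bot: In the `MultiSubnetFailover` sub-bullet, "set `RegisterAllProvidersIP = 0` and `HostRecordTTL = 300` to cache client credentials for shorter durations" does not fit the sentence after it, which names extra DNS server queries as the cost; `HostRecordTTL` is the TTL of the DNS host record, so the text should say that clients cache the DNS record for a shorter time. Also fix "a VM or disk that his higher limits" (has), reword "3 or more odd number of votes", use one spelling for `MultiSubnetFailover = true` / `= True`, and keep one bullet marker: the second checklist switches from `*` to `-` at "To connect to your HADR solution using the distributed network name".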
+## VM availability settings
+
+To reduce the impact of downtime, consider the following VM best availability settings:
+
+* Use proximity placement groups together with accelerated networking for lowest latency.
+* Place virtual machine cluster nodes in separate availability zones to protect from datacenter-level failures or in a single availability set for lower-latency redundancy within the same datacenter.
+* Use premium-managed OS and data disks for VMs in an availability set.
+* Configure each application tier into separate availability sets.
## Quorum Although a two-node cluster will function without a [quorum resource](/windows-server/storage/storage-spaces/understand-quorum), customers are strictly required to use a quorum resource to have production support. Cluster validation won't pass any cluster without a quorum resource.
-Technically, a three-node cluster can survive a single node loss (down to two nodes) without a quorum resource. But after the cluster is down to two nodes, there's a risk that the clustered resources will go offline in the case of a node loss or communication failure to prevent a split-brain scenario.
+Technically, a three-node cluster can survive a single node loss (down to two nodes) without a quorum resource. But after the cluster is down to two nodes, there's a risk that the clustered resources will go offline if a node loss or communication failure to prevent a split-brain scenario. Configuring a quorum resource will allow the cluster to continue online with only one node online.
-Configuring a quorum resource will allow the cluster to continue online with only one node online.
+The disk witness is the most resilient quorum option, but to use a disk witness on a SQL Server on Azure VM, you must use an Azure Shared Disk which imposes some limitations to the high availability solution. As such, use a disk witness when you're configuring your failover cluster instance with Azure Shared Disks, otherwise use a cloud witness whenever possible.
-The following table lists the quorum options available in the order recommended to use with an Azure VM, with the disk witness being the preferred choice:
+The following table lists the quorum options available for SQL Server on Azure VMs:
-
-||[Disk witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum) |[Cloud witness](/windows-server/failover-clustering/deploy-cloud-witness) |[File share witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum) |
+| |[Cloud witness](/windows-server/failover-clustering/deploy-cloud-witness) |[Disk witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum) |[File share witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum) |
|||||
-|**Supported OS**| All |Windows Server 2016+| All|
+|**Supported OS**| Windows Server 2016+ |All | All|
+- The **cloud witness** is ideal for deployments in multiple sites, multiple zones, and multiple regions. Use a cloud witness whenever possible, unless you're using a shared-storage cluster solution.
+- The **disk witness** is the most resilient quorum option and is preferred for any cluster that uses Azure Shared Disks (or any shared-disk solution like shared SCSI, iSCSI, or fiber channel SAN). A Clustered Shared Volume cannot be used as a disk witness.
+- The **fileshare witness** is suitable for when the disk witness and cloud witness are unavailable options.
-### Disk witness
+To get started, see [Configure cluster quorum](hadr-cluster-quorum-configure-how-to.md).
-A disk witness is a small clustered disk in the Cluster Available Storage group. This disk is highly available and can fail over between nodes. It contains a copy of the cluster database, with a default size that's usually less than 1 GB. The disk witness is the preferred quorum option for any cluster that uses Azure Shared Disks (or any shared-disk solution like shared SCSI, iSCSI, or fiber channel SAN). A Clustered Shared Volume cannot be used as a disk witness.
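Review bot: The rewritten sentence "there's a risk that the clustered resources will go offline if a node loss or communication failure to prevent a split-brain scenario" lost its verb when "in the case of" became "if"; restore "in the case of" or write "if a node is lost or communication fails". The new bullets use "fileshare witness" while the table header says "File share witness", so use one form. The removed per-witness sections explained what each witness stores (for example "contains a copy of the cluster database"); confirm that material exists in the linked `hadr-cluster-quorum-configure-how-to.md` before dropping it here.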
+## Quorum Voting
-Configure an Azure shared disk as the disk witness.
+It's possible to change the quorum vote of a node participating in a Windows Server Failover Cluster.
-To get started, see [Configure a disk witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum).
+When modifying the node vote settings, follow these guidelines:
+| Qurom voting guidelines |
+|-|
+| Start with each node having no vote by default. Each node should only have a vote with explicit justification.|
+| Enable votes for cluster nodes that host the primary replica of an availability group, or the preferred owners of a failover cluster instance. |
+| Enable votes for automatic failover owners. Each node that may host a primary replica or FCI as a result of an automatic failover should have a vote. |
+| If an availability group has more than one secondary replica, only enable votes for the replicas that have automatic failover. |
+| Disable votes for nodes that are in secondary disaster recovery sites. Nodes in secondary sites should not contribute to the decision of taking a cluster offline if there's nothing wrong with the primary site. |
+| Have an odd number of votes, with three quorum votes minimum. Add a [quorum witness](hadr-cluster-quorum-configure-how-to.md) for an additional vote if necessary in a two-node cluster. |
+| Reassess vote assignments post-failover. You don't want to fail over into a cluster configuration that doesn't support a healthy quorum. |
-**Supported OS**: All
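Review bot: The table header reads "Qurom voting guidelines"; correct it to "Quorum". A one-column table with a `|-|` separator row adds nothing over a bulleted list, and a list would match the rest of the article. The heading "Quorum Voting" is title case while the other new headings use sentence case ("Heartbeat and threshold", "Relaxed monitoring").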
+## Connectivity
-### Cloud witness
-A cloud witness is a type of failover cluster quorum witness that uses Microsoft Azure to provide a vote on cluster quorum. The default size is about 1 MB and contains just the time stamp. A cloud witness is ideal for deployments in multiple sites, multiple zones, and multiple regions.
+It's possible to configure either a virtual network name (VNN), or starting with SQL Server 2019, a distributed network name (DNN) for both failover cluster instances and availability group listeners.
-To get started, see [Configure a cloud witness](/windows-server/failover-clustering/deploy-cloud-witness#CloudWitnessSetUp).
+The distributed network name is the recommended connectivity option, when available:
+- The end-to-end solution is more robust since you no longer have to maintain the load balancer resource.
+- Eliminating the load balancer probes minimizes failover duration.
+- The DNN simplifies provisioning and management of the failover cluster instance or availability group listener with SQL Server on Azure VMs.
+If you're using using DNN, or using an AG or FCI that spans across multiple subnets, you must use a client driver that supports the MultiSubnetFailover parameter, and specify MultiSubnetFailover=True in the connection string. For availability groups, the connection string should contain the DNN port number (not required for FCI).
-**Supported OS**: Windows Server 2016 and later
+To learn more, see the [Windows Server Failover Cluster overview](hadr-windows-server-failover-cluster-overview.md#virtual-network-name-vnn).
+To configure connectivity, see the following articles:
+- Availability group: [Configure DNN](availability-group-distributed-network-name-dnn-listener-configure.md), [Configure VNN](availability-group-vnn-azure-load-balancer-configure.md)
+- Failover cluster instance: [Configure DNN](failover-cluster-instance-distributed-network-name-dnn-configure.md), [Configure VNN](failover-cluster-instance-vnn-azure-load-balancer-configure.md).
-### File share witness
+Most SQL Server features work transparently with FCI and availability groups when using the DNN, but there are certain features that may require special consideration. See [FCI and DNN interoperability](failover-cluster-instance-dnn-interoperability.md) and [AG and DNN interoperability](availability-group-dnn-interoperability.md) to learn more.
-A file share witness is an SMB file share that's typically configured on a file server running Windows Server. It maintains clustering information in a witness.log file, but doesn't store a copy of the cluster database. In Azure, you can you can configure an a file share on a separate virtual machine.
+>[!TIP]
+> Set the MultiSubnetFailover parameter = true in the connection string even for HADR solutions that span a single subnet to support future spanning of subnets without the need to update connection strings.
-To get started, see [Configure a file share witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum).
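Review bot: The new Connectivity text says only "starting with SQL Server 2019" for the DNN, while the comparison table and DNN section removed by this change gave the minimums as SQL Server 2019 CU2 for FCI, SQL Server 2019 CU8 for AG, and Windows Server 2016; keep those minimums here or state that the linked overview carries them. "If you're using using DNN" repeats a word. The parameter is written as `MultiSubnetFailover=True` in the body and as "MultiSubnetFailover parameter = true" in the tip; use the connection-string form and code-format it in both places.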
+## Heartbeat and threshold
+Change the cluster heartbeat and threshold settings to relaxed settings. The default heartbeat and threshold cluster settings are designed for highly tuned on-premises networks and do not consider the possibility of increased latency in a cloud environment. The heartbeat network is maintained with UDP 3343, which is traditionally far less reliable than TCP and more prone to incomplete conversations.
+
+Therefore, when running cluster nodes for SQL Server on Azure VM high availability solutions, change the cluster settings to a more relaxed monitoring state to avoid transient failures due to the increased possibility of network latency or failure, Azure maintenance, or hitting resource bottlenecks.
-**Supported OS**: Windows Server 2012 and later
+The delay and threshold settings have a cumulative effect to total health detection. For example, setting *CrossSubnetDelay* to send a heartbeat every 2 seconds and setting the *CrossSubnetThreshold* to 10 missed heartbeats before taking recovery means the cluster can have a total network tolerance of 20 seconds before recovery action is taken. In general, continuing to send frequent heartbeats but having greater thresholds is preferred.
-## Connectivity
+To ensure recovery during legitimate outages while providing greater tolerance for transient issues, relax your delay and threshold settings to the recommended values detailed in the following table:
+
+| Setting | Windows Server 2012 or later | Windows Server 2008R2 |
+|:|:-|:--|
+| SameSubnetDelay | 1 second | 2 second |
+| SameSubnetThreshold | 40 heartbeats | 10 heartbeats (max) |
+| CrossSubnetDelay | 1 second | 2 second |
+| CrossSubnetThreshold | 40 heartbeats | 20 heartbeats (max) |
++
+Use PowerShell to change your cluster parameters:
+
+# [Windows Server 2012-2019](#tab/windows2012)
++
+```powershell
+(get-cluster).SameSubnetThreshold = 40
+(get-cluster).CrossSubnetThreshold = 40
+```
+
+# [Windows Server 2008/R2](#tab/windows2008)
++
+```powershell
+(get-cluster).SameSubnetThreshold = 10
+(get-cluster).CrossSubnetThreshold = 20
+(get-cluster).SameSubnetDelay = 2000
+(get-cluster).CrossSubnetDelay = 2000
+```
+++
+Use PowerShell to verify your changes:
+
+```powershell
+get-cluster | fl *subnet*
+```
+
+Consider the following:
+
+* This change is immediate, restarting the cluster or any resources is not required.
+* Same subnet values should not be greater than cross subnet values.
+* SameSubnetThreshold <= CrossSubnetThreshold
+* SameSubnetDelay <= CrossSubnetDelay
+
+Choose relaxed values based on how much down time is tolerable and how long before a corrective action should occur depending on your application, business needs, and your environment. If you're not able to exceed the default Windows Server 2019 values, then at least try to match them, if possible:
+
+For reference, the following table details the default values:
++
+| Setting | Windows Server 2019 | Windows Server 2016 | Windows Server 2008 - 2012 R2 |
+|:|:-| |:-|
+| SameSubnetDelay | 1 second | 1 second | 1 second |
+| SameSubnetThreshold | 20 heartbeats | 10 heartbeats | 5 heartbeats |
+| CrossSubnetDelay | 1 second | 1 second | 1 second |
+| CrossSubnetThreshold | 20 heartbeats | 10 heartbeats | 5 heartbeats |
++
+To learn more, see [Tuning Failover Cluster Network Thresholds](/windows-server/troubleshoot/iaas-sql-failover-cluster).
+
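Review bot: The Windows Server 2012-2019 tab sets only `SameSubnetThreshold` and `CrossSubnetThreshold`, while the recommendation table also lists a 1 second delay; say that the delay is left at its default (the defaults table shows 1 second) so readers do not assume two commands are missing. The 2008/R2 tab assigns `2000` where the table says "2 second", so state that the delay properties are in milliseconds and fix the plural. In the "Consider the following" list, `SameSubnetThreshold <= CrossSubnetThreshold` and `SameSubnetDelay <= CrossSubnetDelay` should be nested under "Same subnet values should not be greater than cross subnet values", and the paragraph ending "at least try to match them, if possible:" ends in a colon with nothing after it.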
+## Relaxed monitoring
-In a traditional on-premises network environment, a SQL Server failover cluster instance appears to be a single instance of SQL Server running on a single computer. Because the failover cluster instance fails over from node to node, the virtual network name (VNN) for the instance provides a unified connection point and allows applications to connect to the SQL Server instance without knowing which node is currently active. When a failover occurs, the virtual network name is registered to the new active node after it starts. This process is transparent to the client or application that's connecting to SQL Server, and this minimizes the downtime that the client or application experiences during a failure. Likewise, the availability group listener uses a VNN to route traffic to the appropriate replica.
+If tuning your cluster heartbeat and threshold settings as recommended is insufficient tolerance and you're still seeing failures due to transient issues rather than true outages, you can configure your AG or FCI monitoring to be more relaxed. In some scenarios, it may be beneficial to temporarily relax the monitoring for a period of time given the level of activity. For example, you may want to relax the monitoring when you're doing IO intensive workloads such as database backups, index maintenance, DBCC CHECKDB, etc. Once the activity is complete, set your monitoring to less relaxed values.
-Use a VNN with Azure Load Balancer or a distributed network name (DNN) to route traffic to the VNN of the failover cluster instance with SQL Server on Azure VMs or to replace the existing VNN listener in an availability group.
+> [!WARNING]
+> Changing these settings may mask an underlying problem, and should be used as a temporary solution to reduce, rather than eliminate, the likelihood of failure. Underlying issues should still be investigated and addressed.
+Start by increase the following parameters from their default values for relaxed monitoring, and adjust as necessary:
-The following table compares HADR connection supportability:
-| |**Virtual Network Name (VNN)** |**Distributed Network Name (DNN)** |
+|Parameter |Default value |Description |
||||
-|**Minimum OS version**| All | Windows Server 2016 |
-|**Minimum SQL Server version** |All |SQL Server 2019 CU2 (for FCI)<br/> SQL Server 2019 CU8 (for AG )|
-|**Supported HADR solution** | Failover cluster instance <br/> Availability group | Failover cluster instance <br/> Availability group|
+|**Healthcheck timeout**|60000 |Determines health of the primary replica or node. The cluster resource DLL sp_server_diagnostics returns results at an interval that equals 1/3 of the health-check timeout threshold. If sp_server_diagnostics is slow or is not returning information, the resource DLL will wait for the full interval of the health-check timeout threshold before determining that the resource is unresponsive, and initiating an automatic failover, if configured to do so. |
+|**Failure-Condition Level** | 2 | Conditions that trigger an automatic failover. There are five failure-condition levels, which range from the least restrictive (level one) to the most restrictive (level five) |
+Use Transact-SQL (T-SQL) to modify the health check and failure conditions for both AGs and FCIs.
-### Virtual Network Name (VNN)
+For availability groups:
-Because the virtual IP access point works differently in Azure, you need to configure [Azure Load Balancer](../../../load-balancer/index.yml) to route traffic to the IP address of the FCI nodes or the availability group listener. In Azure virtual machines, a load balancer holds the IP address for the VNN that the clustered SQL Server resources rely on. The load balancer distributes inbound flows that arrive at the front end, and then routes that traffic to the instances defined by the back-end pool. You configure traffic flow by using load-balancing rules and health probes. With SQL Server FCI, the back-end pool instances are the Azure virtual machines running SQL Server.
+```sql
+ALTER AVAILABILITY GROUP AG1 SET (HEALTH_CHECK_TIMEOUT =60000);
+ALTER AVAILABILITY GROUP AG1 SET (FAILURE_CONDITION_LEVEL = 2);
+```
-There is a slight failover delay when you're using the load balancer, because the health probe conducts alive checks every 10 seconds by default.
+For failover cluster instances:
-To get started, learn how to configure Azure Load Balancer for [failover cluster instance](failover-cluster-instance-vnn-azure-load-balancer-configure.md) or an [availability group](availability-group-vnn-azure-load-balancer-configure.md)
+```sql
+ALTER SERVER CONFIGURATION SET FAILOVER CLUSTER PROPERTY HealthCheckTimeout = 60000;
+ALTER SERVER CONFIGURATION SET FAILOVER CLUSTER PROPERTY FailureConditionLevel = 2;
+```
-**Supported OS**: All
-**Supported SQL version**: All
-**Supported HADR solution**: Failover cluster instance, and availability group
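Review bot: The first relaxed-monitoring table labels its values "Default value" (60000 and 2), the lead-in says to increase the parameters "from their default values", and both T-SQL samples then set `HEALTH_CHECK_TIMEOUT = 60000` and `FAILURE_CONDITION_LEVEL = 2`; if the column really is the default, the samples change nothing, so rename the column to the recommended starting value or add a separate default column. "Start by increase" should be "Start by increasing", and "The cluster resource DLL sp_server_diagnostics returns results" reads as if the DLL has that name; say that the resource DLL calls `sp_server_diagnostics`. State the unit for 60000.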
+Specific to **availability groups**, start with the following recommended parameters, and adjust as necessary:
+|Parameter |Default value |Description |
+||||
+|**Lease timeout**|40000|Prevents split-brain. |
+|**Session timeout**|20 |Checks communication issues between replicas. The session-timeout period is a replica property that controls how long (in seconds) that an availability replica waits for a ping response from a connected replica before considering the connection to have failed. By default, a replica waits 10 seconds for a ping response. This replica property applies to only the connection between a given secondary replica and the primary replica of the availability group. |
+| **Max failures in specified period** | 6 | Used to avoid indefinite movement of a clustered resource within multiple node failures. Too low of a value can lead to the availability group being in a failed state. Increase the value to prevent short disruptions from performance issues as too low a value can lead to the AG being in a failed state. |
-### Distributed Network Name (DNN)
+Before making any changes, consider the following:
+- Do not lower any timeout values below their default values.
+- Use this equation to calculate the maximum lease time out value:
+ `Lease timeout < (2 * SameSubnetThreshold * SameSubnetDelay)`.
+ Start with 40 seconds. If you're using the relaxed `SameSubnetThreshold` and `SameSubnetDelay` values recommended previously, do not exceed 80 seconds for the lease timeout value.
+- For synchronous-commit replicas, changing session-timeout to a high value can increase HADR_sync_commit waits.
-Distributed network name is a new Azure feature for SQL Server 2019. The DNN provides an alternative way for SQL Server clients to connect to the SQL Server failover cluster instance or availability group without using a load balancer.
+**Lease timeout**
-When a DNN resource is created, the cluster binds the DNS name with the IP addresses of all the nodes in the cluster. The SQL client will try to connect to each IP address in this list to find which resource to connect to. You can accelerate this process by specifying `MultiSubnetFailover=True` in the connection string. This setting tells the provider to try all IP addresses in parallel, so the client can connect to the FCI or listener instantly.
+Use the **Failover Cluster Manager** to modify the **lease timeout** settings for your availability group. See the SQL Server [availability group lease health check](/sql/database-engine/availability-groups/windows/availability-group-lease-healthcheck-timeout#lease-timeout) documentation for detailed steps.
-A distributed network name is recommended over a load balancer when possible because:
-- The end-to-end solution is more robust since you no longer have to maintain the load balancer resource. -- Eliminating the load balancer probes minimizes failover duration. -- The DNN simplifies provisioning and management of the failover cluster instance or availability group listener with SQL Server on Azure VMs.
+**Session timeout**
-Most SQL Server features work transparently with FCI and availability groups when using the DNN, but there are certain features that may require special consideration. See [FCI and DNN interoperability](failover-cluster-instance-dnn-interoperability.md) and [AG and DNN interoperability](availability-group-dnn-interoperability.md) to learn more.
+Use Transact-SQL (T-SQL) to modify the **session timeout** for an availability group:
+
+```sql
+ALTER AVAILABILITY GROUP AG1
+MODIFY REPLICA ON 'INSTANCE01' WITH (SESSION_TIMEOUT = 15);
+```
+
+**Max failures in specified period**
+
+Use the Failover Cluster Manager to modify the **Max failures in specified period** value:
+1. Select **Roles** in the navigation pane.
+1. Under **Roles**, right-click the clustered resource and choose **Properties**.
+1. Select the **Failover** tab, and increase the **Max failures in specified period** value as desired.
+
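Review bot: The session timeout row lists 20 under "Default value", its description says "By default, a replica waits 10 seconds", and the sample sets `SESSION_TIMEOUT = 15`; together with "Do not lower any timeout values below their default values", a reader cannot tell whether 15 is an increase or a decrease. If 40000, 20 and 6 are recommended values, as the lead-in says, relabel the column and align the sample with it. The lease rule is a strict inequality, `Lease timeout < (2 * SameSubnetThreshold * SameSubnetDelay)`, which gives less than 80 seconds for the relaxed settings of 40 heartbeats at 1 second, so "do not exceed 80 seconds" should read "stay below 80 seconds"; the table shows 40000 where the text says 40 seconds, so state the unit. The "Max failures in specified period" description says twice that too low a value can leave the AG in a failed state.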
+## Resource limits
+
+VM or disk limits could result in a resource bottleneck that impacts the health of the cluster, and impedes the health check. If you're experiencing issues with resource limits, consider the following:
+
+* Ensure your OS, drivers, and SQL Server are at the latest builds.
+* Optimize SQL Server on Azure VM environment as described in the [performance guidelines](performance-guidelines-best-practices-checklist.md) for SQL Server on Azure Virtual Machines
+* Reduce or spread out the workload to reduce utilization without exceeding resource limits
+* Tune the SQL Server workload if there is any opportunity, such as
+ * Add/optimize indexes
+ * Update statistics if needed and if possible, with Full scan
+ * Use features like resource governor (starting with SQL Server 2014, enterprise only) to limit resource utilization during specific workloads, such as backups or index maintenance.
+* Move to a VM or disk that has higher limits to meet or exceed the demands of your workload.
+
+## Networking
+
+Use a single NIC per server (cluster node) and a single subnet. Azure networking has physical redundancy, which makes additional NICs and subnets unnecessary on an Azure virtual machine guest cluster. The cluster validation report will warn you that the nodes are reachable only on a single network. You can ignore this warning on Azure virtual machine guest failover clusters.
+
+The non-RFC-compliant DHCP service in Azure can cause the creation of certain failover cluster configurations to fail. This failure happens because the cluster network name is assigned a duplicate IP address, such as the same IP address as one of the cluster nodes. This is an issue when you use availability groups, which depend on the Windows failover cluster feature.
+
+Consider the scenario when a two-node cluster is created and brought online:
+
+1. The cluster comes online, and then NODE1 requests a dynamically assigned IP address for the cluster network name.
+2. The DHCP service doesn't give any IP address other than NODE1's own IP address, because the DHCP service recognizes that the request comes from NODE1 itself.
+3. Windows detects that a duplicate address is assigned both to NODE1 and to the failover cluster's network name, and the default cluster group fails to come online.
+4. The default cluster group moves to NODE2. NODE2 treats NODE1's IP address as the cluster IP address and brings the default cluster group online.
+5. When NODE2 tries to establish connectivity with NODE1, packets directed at NODE1 never leave NODE2 because it resolves NODE1's IP address to itself. NODE2 can't establish connectivity with NODE1, and then loses quorum and shuts down the cluster.
+6. NODE1 can send packets to NODE2, but NODE2 can't reply. NODE1 loses quorum and shuts down the cluster.
-To get started, learn to configure a distributed network name resource for [a failover cluster instance](failover-cluster-instance-distributed-network-name-dnn-configure.md) or an [availability group](availability-group-distributed-network-name-dnn-listener-configure.md)
+You can avoid this scenario by assigning an unused static IP address to the cluster network name in order to bring the cluster network name online. For example, you can use a link-local IP address like 169.254.1.1. To simplify this process, see [Configuring Windows failover cluster in Azure for availability groups](https://social.technet.microsoft.com/wiki/contents/articles/14776.configuring-windows-failover-cluster-in-windows-azure-for-alwayson-availability-groups.aspx).
-**Supported OS**: Windows Server 2016 and later
-**Supported SQL version**: SQL Server 2019 CU2 (FCI) and SQL Server 2019 CU8 (AG)
-**Supported HADR solution**: Failover cluster instance, and availability group
+For more information, see [Configure availability groups in Azure (GUI)](./availability-group-quickstart-template-configure.md).
-## Limitations
+## Known issues
-Consider the following limitations when you're working with FCI or availability groups and SQL Server on Azure Virtual Machines.
+Review the resolutions for some commonly known issues and errors:
-### MSDTC
+**Cluster node removed from membership**
-Azure Virtual Machines support Microsoft Distributed Transaction Coordinator (MSDTC) on Windows Server 2019 with storage on Clustered Shared Volumes (CSV) and [Azure Standard Load Balancer](../../../load-balancer/load-balancer-overview.md) or on SQL Server VMs that are using Azure shared disks.
-On Azure Virtual Machines, MSDTC isn't supported for Windows Server 2016 or earlier with Clustered Shared Volumes because:
+If the [Windows Cluster heartbeat and threshold settings](#heartbeat-and-threshold) are too aggressive for your environment, you may see following message in the system event log frequently.
-- The clustered MSDTC resource can't be configured to use shared storage. On Windows Server 2016, if you create an MSDTC resource, it won't show any shared storage available for use, even if storage is available. This issue has been fixed in Windows Server 2019.-- The basic load balancer doesn't handle RPC ports.
+```
+Error 1135
+Cluster node 'Node1' was removed from the active failover cluster membership.
+The Cluster service on this node may have stopped. This could also be due to the node having
+lost communication with other active nodes in the failover cluster. Run the Validate a
+Configuration Wizard to check your network configuration. If the condition persists, check
+for hardware or software errors related to the network adapters on this node. Also check for
+failures in any other network components to which the node is connected such as hubs, switches, or bridges.
+```
++
+For more information, review [Troubleshooting cluster issue with Event ID 1135.](/windows-server/troubleshoot/troubleshooting-cluster-event-id-1135)
++
+**Lease has expired** / **Lease is no longer valid**
++
+If [monitoring](#relaxed-monitoring) is too aggressive for your environment, you may see frequent AG or FCI restarts, failures, or failovers. Additionally for availability groups, you may see the following messages in the SQL Server error log:
+
+```
+Error 19407: The lease between availability group 'PRODAG' and the Windows Server Failover Cluster has expired.
+A connectivity issue occurred between the instance of SQL Server and the Windows Server Failover Cluster.
+To determine whether the availability group is failing over correctly, check the corresponding availability group
+resource in the Windows Server Failover Cluster
+```
+
+```
+Error 19419: The renewal of the lease between availability group '%.*ls' and the Windows Server Failover Cluster
+failed because the existing lease is no longer valid.
+```
+
+**Connection timeout**
+
+If the **session timeout** is too aggressive for your availability group environment, you may see following messages frequently:
+
+```
+Error 35201: A connection timeout has occurred while attempting to establish a connection to availability
+replica 'replicaname' with ID [availability_group_id]. Either a networking or firewall issue exists,
+or the endpoint address provided for the replica is not the database mirroring endpoint of the host server instance.
+```
+
+```
+Error 35206
+A connection timeout has occurred on a previously established connection to availability
+replica 'replicaname' with ID [availability_group_id]. Either a networking or a firewall issue
+exists, or the availability replica has transitioned to the resolving role.
+```
+
+**Not failing over group**
+++
+If the **Maximum Failures in the Specified Period** value is too low and you're experiencing intermittent failures due to transient issues, your availability group could end in a failed state. Increase this value to tolerate more transient failures.
+
+```
+Not failing over group <Resource name>, failoverCount 3, failoverThresholdSetting <Number>, computedFailoverThreshold 2.
+```
## Next steps
-After you've determined the appropriate best practices for your solution, get started by [preparing your SQL Server VM for FCI](failover-cluster-instance-prepare-vm.md) or by creating your availability group by using the [Azure portal](availability-group-azure-portal-configure.md), the [Azure CLI / PowerShell](./availability-group-az-commandline-configure.md), or [Azure quickstart templates](availability-group-quickstart-template-configure.md).
+To learn more, see:
+
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups with SQL Server on Azure VMs](availability-group-overview.md)
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Failover cluster instances with SQL Server on Azure VMs](failover-cluster-instance-overview.md)
+- [Failover cluster instance overview](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
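Review bot: In the "Lease has expired" block, the Error 19419 sample still shows the unexpanded format specifier `'%.*ls'` for the availability group name, while the Error 19407 sample directly above it uses a concrete name (`'PRODAG'`) and the 35201/35206 samples use `'replicaname'`; pick one placeholder convention so readers matching these strings against their own logs know which part varies. The "Not failing over group" entry has the same mix (`failoverCount 3` and `computedFailoverThreshold 2` as literals beside `<Resource name>` and `<Number>`), and unlike the 1135 and 19407 entries, neither it nor the "Connection timeout" entry says which log the message is written to. The removed lines stated that MSDTC isn't supported on Windows Server 2016 or earlier with Clustered Shared Volumes, and nothing in the added text carries that limitation, so please confirm it was moved rather than dropped. In the new "Next steps" list, `hadr-windows-server-failover-cluster-overview.md` is linked twice.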
azure-sql Hadr Cluster Quorum Configure How To https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/hadr-cluster-quorum-configure-how-to.md
+
+ Title: Configure cluster quorum
+description: "Learn how to configure a disk witness, cloud witness, or a file share witness as quorum for a Windows Server Failover Cluster on SQL Server on Azure VMs. "
+
+documentationCenter: na
+
+editor:
+tags: azure-service-management
+++
+ vm-windows-sql-server
+ Last updated : "04/30/2021"++++
+# Configure cluster quorum for SQL Server on Azure VMs
+
+This article teaches you to configure one of the three quorum options for a Windows Server Failover Cluster running on SQL Server on Azure Virtual Machines (VMs) - a disk witness, a cloud witness, and a file share witness.
++
+## Overview
+
+The quorum for a cluster is determined by the number of voting elements that must be part of active cluster membership for the cluster to start properly or continue running. Configuring a quorum resource allows a two-node cluster to continue with only one node online. The Windows Server Failover Cluster is the underlying technology for the SQL Server on Azure VMs high availability options: [failover cluster instances (FCIs)](failover-cluster-instance-overview.md) and [availability groups (AGs)](availability-group-overview.md).
+
+The disk witness is the most resilient quorum option, but to use a disk witness on a SQL Server on Azure VM, you must use an Azure shared disk which imposes some limitations to the high availability solution. As such, use a disk witness when you're configuring your failover cluster instance with Azure shared disks, otherwise use a cloud witness whenever possible. If you are using Windows Server 2012 R2 or older which does not support cloud witness, you can use a file share witness.
+
+The following quorum options are available to use for SQL Server on Azure VMs:
+
+| |[Cloud witness](/windows-server/failover-clustering/deploy-cloud-witness) |[Disk witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum) |[File share witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum) |
+|||||
+|**Supported OS**| Windows Server 2016+ |All | All|
+
+To learn more about quorum, see the [Windows Server Failover Cluster overview](hadr-windows-server-failover-cluster-overview.md).
+
+## Cloud witness
+
+A cloud witness is a type of failover cluster quorum witness that uses Microsoft Azure storage to provide a vote on cluster quorum.
++
+The following table provides additional information and considerations about the cloud witness:
+
+| Witness type | Description | Requirements and recommendations |
+| | | |
+| Cloud witness | <ul><li> Uses Azure storage as the cloud witness, contains just the time stamp. </li><li> Ideal for deployments in multiple sites, multiple zones, and multiple regions.</li> <li> Creates well-known container `msft-cloud-witness` under the Microsoft Storage Account. </li> <li> Writes a single blob file with corresponding cluster's unique ID used as the file name of the blob file under the container </li> | <ul><li>Default size is 1 MB.</li><li> Use **General Purpose** for the account kind. Blob storage is not supported. </li><li> Use Standard storage. Azure Premium Storage is not supported. </li><li> Failover Clustering uses the blob file as the arbitration point, which requires some consistency guarantees when reading the data. Therefore you must select **Locally redundant storage** for **Replication** type.</li><li> Should be excluded from backups and antivirus scanning</li><li> A Disk witness isn't supported with Storage Spaces Direct</li> <li> Cloud Witness uses HTTPS (default port 443) to establish communication with Azure blob service. Ensure that HTTPS port is accessible via network Proxy. </li>|
+
+When configuring a Cloud Witness quorum resource for your Failover Cluster, consider:
+- Instead of storing the Access Key, your Failover Cluster will generate and securely store a Shared Access Security (SAS) token.
+- The generated SAS token is valid as long as the Access Key remains valid. When rotating the Primary Access Key, it is important to first update the Cloud Witness (on all your clusters that are using that Storage Account) with the Secondary Access Key before regenerating the Primary Access Key.
+- Cloud Witness uses HTTPS REST interface of the Azure Storage Account service. This means it requires the HTTPS port to be open on all cluster nodes.
++
+A cloud witness requires an Azure Storage Account. To configure a storage account, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+2. On the Hub menu, select New -> Data + Storage -> Storage account.
+3. In the Create a storage account page, do the following:
+ 1. Enter a name for your storage account. Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. The storage account name must also be unique within Azure.
+ 2. For **Account kind**, select **General purpose**.
+ 3. For **Performance**, select **Standard**.
+ 2. For **Replication**, select **Local-redundant storage (LRS)**.
++
+Once your storage account is created, follow these steps to configure your cloud witness quorum resource for your failover cluster:
++
+# [PowerShell](#tab/powershell)
+
+The existing Set-ClusterQuorum PowerShell command has new parameters corresponding to Cloud Witness.
+
+You can configure cloud witness with the cmdlet [`Set-ClusterQuorum`](/powershell/module/failoverclusters/set-clusterquorum) using the PowerShell command:
+
+```PowerShell
+Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey>
+```
+
+In the rare instance you need to use a different endpoint, use this PowerShell command:
+
+```PowerShell
+Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey> -Endpoint <servername>
+```
+
+See the [cloud witness documentation](/windows-server/failover-clustering/deploy-cloud-witness) for help for finding the Storage Account AccessKey.
++
+# [Failover Cluster Manager](#tab/fcm-gui)
+
+Use the Quorum Configuration Wizard built into Failover Cluster Manager to configure your cloud witness. To do so, follow these steps:
+
+1. Open Failover Cluster Manager.
+
+2. Right-click the cluster -> **More Actions** -> **Configure Cluster Quorum Settings**. This launches the Configure Cluster Quorum wizard.
+
+ ![Snapshot of the menu path to Configure Cluster Quorum Settings in the Failover Cluster Manager UI](./media/hadr-create-quorum-windows-failover-cluster-how-to/cloud-witness-7.png)
+
+3. On the **Select Quorum Configurations** page, select **Select the quorum witness**.
+
+ ![Snapshot of the 'select the quorum witness' radio button in the Cluster Quorum wizard](./media/hadr-create-quorum-windows-failover-cluster-how-to/cloud-witness-8.png)
+
+4. On the **Select Quorum Witness** page, select **Configure a cloud witness**.
+
+ ![Snapshot of the appropriate radio button to select a cloud witness](./media/hadr-create-quorum-windows-failover-cluster-how-to/cloud-witness-9.png)
+
+5. On the **Configure Cloud Witness** page, enter the Azure Storage Account information. For help with finding this information, see the [cloud witness documentation](/windows-server/failover-clustering/deploy-cloud-witness).
+ 1. (Required parameter) Azure Storage Account Name.
+ 2. (Required parameter) Access Key corresponding to the Storage Account.
+ 1. When creating for the first time, use Primary Access Key
+ 2. When rotating the Primary Access Key, use Secondary Access Key
+ 3. (Optional parameter) If you intend to use a different Azure service endpoint (for example the Microsoft Azure service in China), then update the endpoint server name.
+
+ ![Snapshot of the Cloud Witness configuration pane in the Cluster Quorum wizard](./media/hadr-create-quorum-windows-failover-cluster-how-to/cloud-witness-10.png)
+
+
+6. Upon successful configuration of the cloud witness, you can view the newly created witness resource in the Failover Cluster Manager snap-in.
+
+ ![Successful configuration of Cloud Witness](./media/hadr-create-quorum-windows-failover-cluster-how-to/cloud-witness-11.png)
+
+++++
+## Disk witness
+
+A disk witness is a small clustered disk in the Cluster Available Storage group. This disk is highly available and can fail over between nodes.
+
+The disk witness is the recommended quorum option when used with a shared storage high availability solution, such as the failover cluster instance with Azure shared disks.
+
+The following table provides additional information and considerations about the quorum disk witness:
+
+| Witness type | Description | Requirements and recommendations |
+| | | |
+| Disk witness | <ul><li> Dedicated LUN that stores a copy of the cluster database</li><li> Most useful for clusters with shared (not replicated) storage</li> | <ul><li>Size of LUN must be at least 512 MB</li><li> Must be dedicated to cluster use and not assigned to a clustered role</li><li> Must be included in clustered storage and pass storage validation tests</li><li> Can't be a disk that is a Cluster Shared Volume (CSV)</li><li> Basic disk with a single volume</li><li> Doesn't need to have a drive letter</li><li> Can be formatted with NTFS or ReFS</li><li> Can be optionally configured with hardware RAID for fault tolerance</li><li> Should be excluded from backups and antivirus scanning</li><li> A Disk witness isn't supported with Storage Spaces Direct</li>|
+
+To use an Azure shared disk for the disk witness, you must first create the disk and mount it. To do so, follow the steps in the [Mount disk](failover-cluster-instance-azure-shared-disks-manually-configure.md#add-azure-shared-disk) section of the Azure shared disk failover cluster instance guide. The disk does not need to be premium.
+
+After your disk has been mounted, add it to the cluster storage with the following steps:
+
+1. Open Failover Cluster Manager.
+1. Select **Disks** under **Storage** on the left navigation pane.
+1. Select **Add Disk** under **Actions** on the right navigation pane.
+1. Select the Azure shared drive you just mounted and note the name, such as `Cluster Disk 3`.
+
+After your disk has been added as clustered storage, configure it as the disk witness using PowerShell:
++
+The existing Set-ClusterQuorum PowerShell command has new parameters corresponding to Cloud Witness.
+
+Use the path for the file share as the parameter for the disk witness when using the PowerShell cmdlet [`Set-ClusterQuorum`](/powershell/module/failoverclusters/set-clusterquorum):
+
+```PowerShell
+Set-ClusterQuorum -NodeAndDiskMajority "Cluster Disk 3"
+```
+
+You can also use the Failover Cluster manager; follow the same steps as for the cloud witness, but choose the disk witness as the quorum option instead.
++
+## File share witness
+
+A file share witness is an SMB file share that's typically configured on a file server running Windows Server. It maintains clustering information in a witness.log file, but doesn't store a copy of the cluster database. In Azure, you can configure a file share on a separate virtual machine.
+
+Configure a file share witness if a disk witness or a cloud witness are unavailable or unsupported in your environment.
+
+The following table provides additional information and considerations about the quorum file share witness:
+
+| Witness type | Description | Requirements and recommendations |
+| | | |
+| File share witness | <ul><li>SMB file share that is configured on a file server running Windows Server</li><li> Does not store a copy of the cluster database</li><li> Maintains cluster information only in a witness.log file</li><li> Most useful for multisite clusters with replicated storage </li> | <ul><li>Must have a minimum of 5 MB of free space</li><li> Must be dedicated to the single cluster and not used to store user or application data</li><li> Must have write permissions enabled for the computer object for the cluster name</li></ul><br>The following are additional considerations for a file server that hosts the file share witness:<ul><li>A single file server can be configured with file share witnesses for multiple clusters.</li><li> The file server must be on a site that is separate from the cluster workload. This allows equal opportunity for any cluster site to survive if site-to-site network communication is lost. If the file server is on the same site, that site becomes the primary site, and it is the only site that can reach the file share.</li><li> The file server can run on a virtual machine if the virtual machine is not hosted on the same cluster that uses the file share witness.</li><li> For high availability, the file server can be configured on a separate failover cluster. </li> |
+
+Once you have created your file share and properly configured permissions, mount the file share to your clustered nodes. You can follow the same general steps to mount the file share as described in the [mount file share](failover-cluster-instance-premium-file-share-manually-configure.md) section of the premium file share failover cluster instance how-to guide.
+
+After your file share has been properly configured and mounted, use PowerShell to add the file share as the quorum witness resource:
+
+```powershell
+Set-ClusterQuorum -FileShareWitness <UNC path to file share> -Credential $(Get-Credential)
+```
+
+You will be prompted for an account and password for a local (to the file share) non-admin account that has full admin rights to the share. The cluster will keep the name and password encrypted and not accessible by anyone.
+
+You can also use the Failover Cluster manager; follow the same steps as for the cloud witness, but choose the file share witness as the quorum option instead.
+
+## Change quorum voting
++
+It's possible to change the quorum vote of a node participating in a Windows Server Failover Cluster.
+
+When modifying the node vote settings, follow these guidelines:
+
+| Qurom voting guidelines |
+|-|
+| Start with each node having no vote by default. Each node should only have a vote with explicit justification.|
+| Enable votes for cluster nodes that host the primary replica of an availability group, or the preferred owners of a failover cluster instance. |
+| Enable votes for automatic failover owners. Each node that may host a primary replica or FCI as a result of an automatic failover should have a vote. |
+| If an availability group has more than one secondary replica, only enable votes for the replicas that have automatic failover. |
+| Disable votes for nodes that are in secondary disaster recovery sites. Nodes in secondary sites should not contribute to the decision of taking a cluster offline if there's nothing wrong with the primary site. |
+| Have an odd number of votes, with three quorum votes minimum. Add a [quorum witness](hadr-cluster-quorum-configure-how-to.md) for an additional vote if necessary in a two-node cluster. |
+| Reassess vote assignments post-failover. You don't want to fail over into a cluster configuration that doesn't support a healthy quorum. |
++++
+## Next Steps
+
+To learn more, see:
+
+- [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md)
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Always On availability groups with SQL Server on Azure VMs](availability-group-overview.md)
+- [Windows Server Failover Cluster with SQL Server on Azure VMs](hadr-windows-server-failover-cluster-overview.md)
+- [Failover cluster instances with SQL Server on Azure VMs](failover-cluster-instance-overview.md)
+- [Failover cluster instance overview](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server)
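Review bot: In the "Disk witness" section, the two sentences ahead of the command are pasted from the other sections and contradict it: "has new parameters corresponding to Cloud Witness" and "Use the path for the file share as the parameter for the disk witness", while the command passes the clustered disk name (`Set-ClusterQuorum -NodeAndDiskMajority "Cluster Disk 3"`). Replace them with one sentence telling the reader to pass the disk name noted in the Add Disk step. In "File share witness", "a local (to the file share) non-admin account that has full admin rights to the share" reads as self-contradictory and does not line up with the table's requirement of write permissions for the computer object of the cluster name; state the exact permission the account needs and how it relates to that computer object. In "Cloud witness", SAS is expanded as "Shared Access Security"; the Azure Storage term is shared access signature. The PowerShell tab would also benefit from the primary/secondary key guidance that the wizard tab gives under Access Key, since the rotation order described in the considerations list applies to both. Smaller items: the cloud witness table row carries the disk-witness bullet "A Disk witness isn't supported with Storage Spaces Direct", the last storage account sub-step is numbered `2.` after `3.`, the voting table header reads "Qurom", and the overview link is duplicated in "Next Steps".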
azure-sql Hadr Windows Server Failover Cluster Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/hadr-windows-server-failover-cluster-overview.md
+
+ Title: Windows Server Failover Cluster overview
+description: "Learn about the differences with the Windows Server Failover Cluster technology when used with SQL Server on Azure VMs, such as availability groups, and failover cluster instances. "
+
+documentationCenter: na
+
+editor: monicar
+tags: azure-service-management
+++
+ vm-windows-sql-server
+ Last updated : "04/25/2021"++++
+# Windows Server Failover Cluster with SQL Server on Azure VMs
+
+This article describes the differences when using the Windows Server Failover Cluster feature with SQL Server on Azure VMs for high availability and disaster recovery (HADR), such as for Always On availability groups (AG) or failover cluster instances (FCI).
+
+To learn more about the Windows feature itself, see the [Windows Server Failover Cluster documentation](/windows-server/failover-clustering/failover-clustering-overview).
+
+## Overview
+
+SQL Server high availability solutions on Windows, such as Always On availability groups (AG) or failover cluster instances (FCI) rely on the underlying Windows Server Failover Clustering (WSFC) service.
+
+The cluster service monitors network connections and the health of nodes in the cluster. This monitoring is in addition to the health checks that SQL Server does as part of the availability group or failover cluster instance feature. If the cluster service is unable to reach the node, or if the AG or FCI role in the cluster becomes unhealthy, then the cluster service initiates appropriate recovery actions to recover and bring applications and services online, either on the same or on another node in the cluster.
+
+## Cluster health monitoring
+
+In order to provide high availability, the cluster must ensure the health of the different components that make up the clustered solution. The cluster service monitors the health of the cluster based on a number of system and network parameters in order to detect and respond to failures.
+
+Setting the threshold for declaring a failure is important in order to achieve a balance between promptly responding to a failure, and avoiding false failures.
+
+There are two strategies for monitoring:
+
+| Monitoring | Description |
+|-|-|
+| Aggressive | Provides rapid failure detection and recovery of hard failures, which delivers the highest levels of availability. The cluster service and SQL Server are both less forgiving of transient failure and in some situations may prematurely fail over resources when there are transient outages. Once failure is detected, the corrective action that follows may take extra time. |
+| Relaxed | Provides more forgiving failure detection with a greater tolerance for brief transient network issues. Avoids transient failures, but also introduces the risk of delaying the detection of a true failure. |
+
+Aggressive settings in a cluster environment in the cloud may lead to premature failures and longer outages, therefore a relaxed monitoring strategy is recommended for failover clusters on Azure VMs. To adjust threshold settings, see [cluster best practices](hadr-cluster-best-practices.md#relaxed-monitoring) for more detail.
+
+## Cluster heartbeat
+
+The primary settings that affect cluster heart beating and health detection between nodes:
+
+| Setting | Description |
+|-|-|
+| Delay | This defines the frequency at which cluster heartbeats are sent between nodes. The delay is the number of seconds before the next heartbeat is sent. Within the same cluster there can be different delay settings configured between nodes on the same subnet, and between nodes that are on different subnets. |
+| Threshold | The threshold is the number of heartbeats that can be missed before the cluster takes recovery action. Within the same cluster there can be different threshold settings configured between nodes on the same subnet, and between nodes that are on different subnets. |
+
+The default values for these settings may be too low for cloud environments, and could result in unnecessary failures due to transient network issues. To be more tolerant, use relaxed threshold settings for failover clusters in Azure VMs. See [cluster best practices](hadr-cluster-best-practices.md#heartbeat-and-threshold) for more detail.
+
+## Quorum
+
+Although a two-node cluster will function without a [quorum resource](/windows-server/storage/storage-spaces/understand-quorum), customers are strictly required to use a quorum resource to have production support. Cluster validation won't pass any cluster without a quorum resource.
+
+Technically, a three-node cluster can survive a single node loss (down to two nodes) without a quorum resource. But after the cluster is down to two nodes, there's a risk that the clustered resources will go offline to prevent a split-brain scenario if a node is lost or there's a communication failure between the nodes. Configuring a quorum resource will allow the cluster resources to remain online with only one node online.
+
+The disk witness is the most resilient quorum option, but to use a disk witness on a SQL Server on Azure VM, you must use an Azure Shared Disk which imposes some limitations to the high availability solution. As such, use a disk witness when you're configuring your failover cluster instance with Azure Shared Disks, otherwise use a cloud witness whenever possible.
+
+The following table lists the quorum options available for SQL Server on Azure VMs:
+
+| |[Cloud witness](/windows-server/failover-clustering/deploy-cloud-witness) |[Disk witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum) |[File share witness](/windows-server/failover-clustering/manage-cluster-quorum#configure-the-cluster-quorum) |
+|||||
+|**Supported OS**| Windows Server 2016+ |All | All|
+| **Description** | A cloud witness is a type of failover cluster quorum witness that uses Microsoft Azure to provide a vote on cluster quorum. The default size is about 1 MB and contains just the time stamp. A cloud witness is ideal for deployments in multiple sites, multiple zones, and multiple regions. Use a cloud witness whenever possible, unless you have a failover cluster solution with shared storage. | A disk witness is a small clustered disk in the Cluster Available Storage group. This disk is highly available and can fail over between nodes. It contains a copy of the cluster database, with a default size that's less than 1 GB. The disk witness is the preferred quorum option for any cluster that uses Azure Shared Disks (or any shared-disk solution like shared SCSI, iSCSI, or fiber channel SAN). A Clustered Shared Volume cannot be used as a disk witness. Configure an Azure shared disk as the disk witness. | A file share witness is an SMB file share that's typically configured on a file server running Windows Server. It maintains clustering information in a witness.log file, but doesn't store a copy of the cluster database. In Azure, you can configure a file share on a separate virtual machine within the same virtual network. Use a file share witness if a disk witness or cloud witness is unavailable in your environment. |
+
+To get started, see [Configure cluster quorum](hadr-cluster-quorum-configure-how-to.md).
++
+## Virtual network name (VNN)
+
+In a traditional on-premises environment, clustered resources such as failover cluster instances or Always On availability groups rely on the Virtual Network Name to route traffic to the appropriate target - either the failover cluster instance, or the listener of the Always On availability group. The virtual name binds the IP address in DNS, and clients can use either the virtual name or the IP address to connect to their high availability target, regardless of which node currently owns the resource. The VNN is a network name and address managed by the cluster, and the cluster service moves the network address from node to node during a failover event. During a failure, the address is taken offline on the original primary replica, and brought online on the new primary replica.
+
+On Azure Virtual Machines, an additional component is necessary to route traffic from the client to the Virtual Network Name of the clustered resource (failover cluster instance, or the listener of an availability group). In Azure, a load balancer holds the IP address for the VNN that the clustered SQL Server resources rely on and is necessary to route traffic to the appropriate high availability target. The load balancer also detects failures with the networking components and moves the address to a new host.
+
+The load balancer distributes inbound flows that arrive at the front end, and then routes that traffic to the instances defined by the back-end pool. You configure traffic flow by using load-balancing rules and health probes. With SQL Server FCI, the back-end pool instances are the Azure virtual machines running SQL Server, and with availability groups, the back-end pool is the listener. There is a slight failover delay when you're using the load balancer, because the health probe conducts alive checks every 10 seconds by default.
+
+To get started, learn how to configure Azure Load Balancer for a [failover cluster instance](failover-cluster-instance-vnn-azure-load-balancer-configure.md) or an [availability group](availability-group-vnn-azure-load-balancer-configure.md).
+
+**Supported OS**: All
+**Supported SQL version**: All
+**Supported HADR solution**: Failover cluster instance, and availability group
+
+Configuration of the VNN can be cumbersome, it's an additional source of failure, it can cause a delay in failure detection, and there is an overhead and cost associated with managing the additional resource. To address some of these limitations, SQL Server 2019 introduced support for the Distributed Network Name feature.
+
+## Distributed network name (DNN)
+
+Starting with SQL Server 2019, the Distributed Network Name feature provides an alternative way for SQL Server clients to connect to the SQL Server failover cluster instance or availability group listener without using a load balancer.
+
+When a DNN resource is created, the cluster binds the DNS name with the IP addresses of all the nodes in the cluster. The client will try to connect to each IP address in this list to find which resource to connect to. You can accelerate this process by specifying `MultiSubnetFailover=True` in the connection string. This setting tells the provider to try all IP addresses in parallel, so the client can connect to the FCI or listener instantly.
+
+A distributed network name is recommended over a load balancer when possible because:
+- The end-to-end solution is more robust since you no longer have to maintain the load balancer resource.
+- Eliminating the load balancer probes minimizes failover duration.
+- The DNN simplifies provisioning and management of the failover cluster instance or availability group listener with SQL Server on Azure VMs.
+
+Most SQL Server features work transparently with FCI and availability groups when using the DNN, but there are certain features that may require special consideration.
+
+**Supported OS**: Windows Server 2016 and later
+**Supported SQL version**: SQL Server 2019 CU2 (FCI) and SQL Server 2019 CU8 (AG)
+**Supported HADR solution**: Failover cluster instance, and availability group
+
+To get started, learn to configure a distributed network name resource for [a failover cluster instance](failover-cluster-instance-distributed-network-name-dnn-configure.md) or an [availability group](availability-group-distributed-network-name-dnn-listener-configure.md).
+
+There are additional considerations when using the DNN with other SQL Server features. See [FCI and DNN interoperability](failover-cluster-instance-dnn-interoperability.md) and [AG and DNN interoperability](availability-group-dnn-interoperability.md) to learn more.
+
+## Recovery actions
+
+The cluster service takes corrective action when a failure is detected. This could restart the resource on the existing node, or fail the resource over to another node. Once corrective measures are initiated, they make take some time to complete.
+
+For example, a restarted availability group comes online per the following sequence:
+
+1. Listener IP comes online
+1. Listener network name comes online
+1. Availability group comes online
+1. Individual databases go through recovery, which can take some time depending on a number of factors, such as the length of the redo log. Connections are routed by the listener only once the database is fully recovered. To learn more, see [Estimating failover time (RTO)](/sql/database-engine/availability-groups/windows/monitor-performance-for-always-on-availability-groups).
+
+Since recovery could take some time, aggressive monitoring set to detect a failure in 20 seconds could result in an outage of minutes if a transient event occurs (such as memory-preserving [Azure VM maintenance](#azure-platform-maintenance)). Setting the monitoring to a more relaxed value of 40 seconds can help avoid a longer interruption of service.
+
+To adjust threshold settings, see [cluster best practices](hadr-cluster-best-practices.md) for more detail.
++
+## Node location
+
+Nodes in a Windows cluster on virtual machines in Azure may be physically separated within the same Azure region, or they can be in different regions. The distance may introduce network latency, much like having cluster nodes spread between locations in your own facilities would. In cloud environments, the difference is that within a region you may not be aware of the distance between nodes. Moreover, some other factors like physical and virtual components, number of hops, etc. can also contribute to increased latency. If latency between the nodes is a concern, consider placing the nodes of the cluster within a [proximity placement group](../../../virtual-machines/co-location.md) to guarantee network proximity.
+
+## Resource limits
+
+When you configure an Azure VM, you determine the computing resources limits for the CPU, memory, and IO. Workloads that require more resources than the purchased Azure VM, or disk limits may cause VM performance issues. Performance degradation may result in a failed health check for either the cluster service, or for the SQL Server high availability feature. Resource bottlenecks may make the node or resource appear down to the cluster or SQL Server.
+
+Intensive SQL IO operations or maintenance operations such as backups, index, or statistics maintenance could cause the VM or disk to reach *IOPS* or *MBPS* throughput limits, which could make SQL Server unresponsive to an *IsAlive/LooksAlive* check.
+
+If your SQL Server is experiencing unexpected failovers, check to make sure you are following all [performance best practices](performance-guidelines-best-practices-checklist.md) and monitor the server for disk or VM-level capping.
+
+## Azure platform maintenance
+
+Like any other cloud service, Azure periodically updates its platform to improve the reliability, performance, and security of the host infrastructure for virtual machines. The purpose of these updates ranges from patching software components in the hosting environment to upgrading networking components or decommissioning hardware.
+
+Most platform updates don't affect customer VMs. When a no-impact update isn't possible, Azure chooses the update mechanism that's least impactful to customer VMs. Most nonzero-impact maintenance pauses the VM for less than 10 seconds. In certain cases, Azure uses memory-preserving maintenance mechanisms. These mechanisms pause the VM for up to 30 seconds and preserve the memory in RAM. The VM is then resumed, and its clock is automatically synchronized.
+
+Memory-preserving maintenance works for more than 90 percent of Azure VMs. It doesn't work for G, M, N, and H series. Azure increasingly uses live-migration technologies and improves memory-preserving maintenance mechanisms to reduce the pause durations. When the VM is live-migrated to a different host, some sensitive workloads like SQL Server, might show a slight performance degradation in the few minutes leading up to the VM pause.
+
+A resource bottleneck during platform maintenance may make the AG or FCI appear down to the cluster service. See the [resource limits](#resource-limits) section of this article to learn more.
+
+If you are using aggressive cluster monitoring, an extended VM pause may trigger a failover. A failover will often cause more downtime than the maintenance pause, so it is recommended to use relaxed monitoring to avoid triggering a failover while the VM is paused for maintenance. See the [cluster best practices](hadr-cluster-best-practices.md) for more information on setting cluster thresholds in Azure VMs.
+
+## Limitations
+
+Consider the following limitations when you're working with FCI or availability groups and SQL Server on Azure Virtual Machines.
+
+### MSDTC
+
+Azure Virtual Machines support Microsoft Distributed Transaction Coordinator (MSDTC) on Windows Server 2019 with storage on Clustered Shared Volumes (CSV) and [Azure Standard Load Balancer](../../../load-balancer/load-balancer-overview.md) or on SQL Server VMs that are using Azure shared disks.
+
+On Azure Virtual Machines, MSDTC isn't supported for Windows Server 2016 or earlier with Clustered Shared Volumes because:
+
+- The clustered MSDTC resource can't be configured to use shared storage. On Windows Server 2016, if you create an MSDTC resource, it won't show any shared storage available for use, even if storage is available. This issue has been fixed in Windows Server 2019.
+- The basic load balancer doesn't handle RPC ports.
+++
+## Next steps
+
+Now that you've familiarized yourself with the differences when using a Windows Failover Cluster with SQL Server on Azure VMs, learn about the high availability features [availability groups](availability-group-overview.md) or [failover cluster instances](failover-cluster-instance-overview.md). If you're ready to get started, be sure to review the [best practices](hadr-cluster-best-practices.md) for configuration recommendations.
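Review bot: In the Recovery actions paragraph, "they make take some time to complete" should read "they may take some time to complete". In Resource limits, "Workloads that require more resources than the purchased Azure VM, or disk limits may cause VM performance issues" is hard to parse; suggest "Workloads that require more resources than the VM or disk limits allow may cause performance issues", and "computing resources limits" should be "computing resource limits". The MSDTC section writes "Clustered Shared Volumes (CSV)" twice; the Windows Server feature is named Cluster Shared Volumes.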
azure-sql Performance Guidelines Best Practices Checklist https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist.md
Title: "Checklist: Performance best practices & guidelines"
+ Title: "Checklist: Best practices & guidelines"
description: Provides a quick checklist to review your best practices and guidelines to optimize the performance of your SQL Server on Azure Virtual Machine (VM). documentationcenter: na
-# Checklist: Performance best practices for SQL Server on Azure VMs
+# Checklist: Best practices for SQL Server on Azure VMs
[!INCLUDE[appliesto-sqlvm](../../includes/appliesto-sqlvm.md)] This article provides a quick checklist as a series of best practices and guidelines to optimize performance of your SQL Server on Azure Virtual Machines (VMs).
-For comprehensive details, see the other articles in this series: [VM size](performance-guidelines-best-practices-vm-size.md), [Storage](performance-guidelines-best-practices-storage.md), [Collect baseline](performance-guidelines-best-practices-collect-baseline.md).
+For comprehensive details, see the other articles in this series: [Checklist](performance-guidelines-best-practices-checklist.md), [VM size](performance-guidelines-best-practices-vm-size.md), [Storage](performance-guidelines-best-practices-storage.md), [Security](security-considerations-best-practices.md), [HADR configuration](hadr-cluster-best-practices.md), [Collect baseline](performance-guidelines-best-practices-collect-baseline.md).
## Overview
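Review bot: The title and H1 drop "Performance", but the description line and the intro sentence still scope the article to performance ("optimize the performance of your SQL Server on Azure Virtual Machine (VM)", "optimize performance of your SQL Server on Azure Virtual Machines"); update both to match the series, which now lists Security and HADR configuration. The rewritten series sentence also links [Checklist](performance-guidelines-best-practices-checklist.md) from inside the checklist article itself, which contradicts "the other articles in this series"; drop that entry here.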
The following is a quick checklist of storage configuration best practices for r
- Always stop the SQL Server service before changing the cache settings of your disk. - For development and test workloads consider using standard storage. It is not recommended to use Standard HDD/SDD for production workloads. - [Credit-based Disk Bursting](../../../virtual-machines/disk-bursting.md#credit-based-bursting) (P1-P20) should only be considered for smaller dev/test workloads and departmental systems.-- Format your data disk to use 64 KB allocation unit size for all data files placed on a drive other than the temporary `D:\` drive (which has a default of 4 KB). SQL Server VMs deployed through Azure Marketplace come with data disks formatted with allocation unit size and interleave for the storage pool set to 64 KB.
+- Provision the storage account in the same region as the SQL Server VM.
+- Disable Azure geo-redundant storage (geo-replication) and use LRS (local redundant storage) on the storage account.
+- Format your data disk to use 64-KB allocation unit size for all data files placed on a drive other than the temporary `D:\` drive (which has a default of 4 KB). SQL Server VMs deployed through Azure Marketplace come with data disks formatted with allocation unit size and interleave for the storage pool set to 64 KB.
+ To learn more, see the comprehensive [Storage best practices](performance-guidelines-best-practices-storage.md).
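Review bot: The two added bullets refer to "the storage account" without saying which account is meant, while the surrounding items are all about disks; name the account these bullets apply to, and give a one-line reason for disabling geo-redundant storage so readers do not apply it to accounts where replication is wanted for recovery. While this list is being edited, the context line above still reads "Standard HDD/SDD", which should be "HDD/SSD".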
The following is a quick checklist of best practices for SQL Server configuratio
- Enable [automatic tuning](/sql/relational-databases/automatic-tuning/automatic-tuning) on mission critical application databases. - Ensure that all [tempdb best practices](/sql/relational-databases/databases/tempdb-database#optimizing-tempdb-performance-in-sql-server) are followed. - Place tempdb on the ephemeral D:/ drive.-- [Use the recommended number of files](/troubleshoot/sql/performance/recommendations-reduce-allocation-contention#resolution), using multiple tempdb data files starting with 1 file per core, up to 8 files.
+- [Use the recommended number of files](/troubleshoot/sql/performance/recommendations-reduce-allocation-contention#resolution), using multiple tempdb data files starting with one file per core, up to eight files.
- Schedule SQL Server Agent jobs to run [DBCC CHECKDB](/sql/t-sql/database-console-commands/dbcc-checkdb-transact-sql#a-checking-both-the-current-and-another-database), [index reorganize](/sql/relational-databases/indexes/reorganize-and-rebuild-indexes#reorganize-an-index), [index rebuild](/sql/relational-databases/indexes/reorganize-and-rebuild-indexes#rebuild-an-index), and [update statistics](/sql/t-sql/statements/update-statistics-transact-sql#examples) jobs. - Monitor and manage the health and size of the SQL Server [transaction log file](/sql/relational-databases/logs/manage-the-size-of-the-transaction-log-file#Recommendations). - Take advantage of any new [SQL Server features](/sql/sql-server/what-s-new-in-sql-server-ver15) available for the version being used.
The following is a quick checklist of best practices for Azure-specific guidance
- Leverage [Azure Defender](../../../security-center/azure-defender.md), integrated with [Azure Security Center](https://azure.microsoft.com/services/security-center/), for specific [SQL Server VM coverage](../../../security-center/defender-for-sql-introduction.md) including vulnerability assessments, and just-in-time access, which reduces the attack service while allowing legitimate users to access virtual machines when necessary. To learn more, see [vulnerability assessments](../../../security-center/defender-for-sql-on-machines-vulnerability-assessment.md), [enable vulnerability assessments for SQL Server VMs](../../../security-center/defender-for-sql-on-machines-vulnerability-assessment.md) and [just-in-time access](../../../security-center/just-in-time-explained.md). - Leverage [Azure Advisor](../../../advisor/advisor-overview.md) to address [performance](../../../advisor/advisor-performance-recommendations.md), [cost](../../../advisor/advisor-cost-recommendations.md), [reliability](../../../advisor/advisor-high-availability-recommendations.md), [operational excellence](../../../advisor/advisor-operational-excellence-recommendations.md), and [security recommendations](../../../advisor/advisor-security-recommendations.md). - Leverage [Azure Monitor](../../../azure-monitor/vm/quick-monitor-azure-vm.md) to collect, analyze, and act on telemetry data from your SQL Server environment. This includes identifying infrastructure issues with [VM insights](../../../azure-monitor/vm/vminsights-overview.md) and monitoring data with [Log Analytics](../../../azure-monitor/logs/log-query-overview.md) for deeper diagnostics.-- Enable [Auto-shutdown](../../../automation/automation-solution-vm-management.md) for development and test environments.
+- Enable [Autoshutdown](../../../automation/automation-solution-vm-management.md) for development and test environments.
- Implement a high availability and disaster recovery (HADR) solution that meets your business continuity SLAs, see the [HADR options](business-continuity-high-availability-disaster-recovery-hadr-overview.md#deployment-architectures) options available for SQL Server on Azure VMs. - Use the Azure portal (support + troubleshooting) to evaluate [resource health](../../../service-health/resource-health-overview.md) and history; submit new support requests when needed.
+## HADR configuration
+
+High availability and disaster recovery (HADR) features, such as the [Always On availability group](availability-group-overview.md) and the [failover cluster instance](failover-cluster-instance-overview.md) rely on underlying [Windows Server Failover Cluster](hadr-windows-server-failover-cluster-overview.md) technology. Review the best practices for modifying your HADR settings to better support the cloud environment.
+
+For your Windows cluster, consider these best practices:
+
+* Change the cluster to less aggressive parameters to avoid unexpected outages from transient network failures or Azure platform maintenance. To learn more, see [heartbeat and threshold settings](hadr-cluster-best-practices.md#heartbeat-and-threshold). For Windows Server 2012 and later, use the following recommended values:
+ - **SameSubnetDelay**: 1 second
+ - **SameSubnetThreshold**: 40 heartbeats
+ - **CrossSubnetDelay**: 1 second
+ - **CrossSubnetThreshold**: 40 heartbeats
+* Place your VMs in an availability set or different availability zones. To learn more, see [VM availability settings](hadr-cluster-best-practices.md#vm-availability-settings).
+* Use a single NIC per cluster node and a single subnet.
+* Configure cluster [quorum voting](hadr-cluster-best-practices.md#quorum-voting) to use 3 or more odd number of votes. Do not assign votes to DR regions.
+* Carefully monitor [resource limits](hadr-cluster-best-practices.md#resource-limits) to avoid unexpected restarts or failovers due to resource constraints.
+ - Ensure your OS, drivers, and SQL Server are at the latest builds.
+ - Optimize performance for SQL Server on Azure VMs. Review the other sections in this article to learn more.
+ - Reduce or spread out workload to avoid resource limits.
+ - Move to a VM or disk that his higher limits to avoid constraints.
+
+For your SQL Server availability group or failover cluster instance, consider these best practices:
+
+* If you're experiencing frequent unexpected failures, follow the performance best practices outlined in the rest of this article.
+* If optimizing SQL Server VM performance does not resolve your unexpected failovers, consider [relaxing the monitoring](hadr-cluster-best-practices.md#relaxed-monitoring) for the availability group or failover cluster instance. However, doing so may not address the underlying source of the issue and could mask symptoms by reducing the likelihood of failure. You may still need to investigate and address the underlying root cause. For Windows Server 2012 or higher, use the following recommended values:
+ - **Lease timeout**: Use this equation to calculate the maximum lease time out value:
+ `Lease timeout < (2 * SameSubnetThreshold * SameSubnetDelay)`.
+ Start with 40 seconds. If you're using the relaxed `SameSubnetThreshold` and `SameSubnetDelay` values recommended previously, do not exceed 80 seconds for the lease timeout value.
+ - **Max failures in a specified period**: Set this value to 6.
+* When using the virtual network name (VNN) to connect to your HADR solution, specify `MultiSubnetFailover = true` in the connection string, even if your cluster only spans one subnet.
+ - If the client does not support `MultiSubnetFailover = True` you may need to set `RegisterAllProvidersIP = 0` and `HostRecordTTL = 300` to cache client credentials for shorter durations. However, doing so may cause additional queries to the DNS server.
+- To connect to your HADR solution using the distributed network name (DNN), consider the following:
+ - You must use a client driver that supports `MultiSubnetFailover = True`, and this parameter must be in the connection string.
+ - Use a unique DNN port in the connection string when connecting to the DNN listener for an availability group.
+- Use a database mirroring connection string for a basic availability group to bypass the need for a load balancer or DNN.
+- Validate the sector size of your VHDs before deploying your high availability solution to avoid having misaligned I/Os. See [KB3009974](https://support.microsoft.com/topic/kb3009974-fix-slow-synchronization-when-disks-have-different-sector-sizes-for-primary-and-secondary-replica-log-files-in-sql-server-ag-and-logshipping-environments-ed181bf3-ce80-b6d0-f268-34135711043c) to learn more.
++
+To learn more, see the comprehensive [HADR best practices](hadr-cluster-best-practices.md).
++ ## Next steps To learn more, see the other articles in this series:+ - [VM size](performance-guidelines-best-practices-vm-size.md) - [Storage](performance-guidelines-best-practices-storage.md)
+- [Security](security-considerations-best-practices.md)
+- [HADR settings](hadr-cluster-best-practices.md)
- [Collect baseline](performance-guidelines-best-practices-collect-baseline.md) For security best practices, see [Security considerations for SQL Server on Azure Virtual Machines](security-considerations-best-practices.md).
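Review bot: In the lease timeout item of the new HADR configuration section, the formula is a strict bound, `Lease timeout < (2 * SameSubnetThreshold * SameSubnetDelay)`, which with the recommended 40 heartbeats and 1 second means less than 80 seconds, yet the next sentence says "do not exceed 80 seconds", which allows exactly 80; make the two agree. In the VNN item, "set `RegisterAllProvidersIP = 0` and `HostRecordTTL = 300` to cache client credentials for shorter durations" does not fit the sentence that follows it about additional DNS queries; the wording should describe cached DNS records rather than credentials. Smaller points in the same section: the top-level bullets switch from `*` to `-` at the DNN item, `MultiSubnetFailover = true` and `MultiSubnetFailover = True` are both used, "that his higher limits" should be "that has higher limits", "3 or more odd number of votes" should be reworded (for example "an odd number of votes, three or more"), and the first availability group bullet says "unexpected failures" where the rest of the section says "failovers". In the unchanged Azure-specific list above, "reduces the attack service" should be "attack surface".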
azure-sql Performance Guidelines Best Practices Collect Baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-collect-baseline.md
To learn more, see the other articles in this series:
- [Quick checklist](performance-guidelines-best-practices-checklist.md) - [VM size](performance-guidelines-best-practices-vm-size.md) - [Storage](performance-guidelines-best-practices-storage.md)
+- [Security](security-considerations-best-practices.md)
+- [HADR settings](hadr-cluster-best-practices.md)
For security best practices, see [Security considerations for SQL Server on Azure Virtual Machines](security-considerations-best-practices.md).
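Review bot: With the [Security](security-considerations-best-practices.md) bullet added, the trailing sentence "For security best practices, see [Security considerations for SQL Server on Azure Virtual Machines](security-considerations-best-practices.md)" now links the same file a second time directly under the list; remove either the sentence or the new bullet. The same applies to the matching Next steps lists in the storage and VM size articles.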
azure-sql Performance Guidelines Best Practices Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-storage.md
This article provides storage best practices and guidelines to optimize performa
There is typically a trade-off between optimizing for costs and optimizing for performance. This performance best practices series is focused on getting the *best* performance for SQL Server on Azure Virtual Machines. If your workload is less demanding, you might not require every recommended optimization. Consider your performance needs, costs, and workload patterns as you evaluate these recommendations.
-To learn more, see the other articles in this series: [Performance Checklist](performance-guidelines-best-practices-checklist.md), [VM size](performance-guidelines-best-practices-vm-size.md), and [Collect baseline](performance-guidelines-best-practices-collect-baseline.md).
+To learn more, see the other articles in this series: [Checklist](performance-guidelines-best-practices-checklist.md), [VM size](performance-guidelines-best-practices-vm-size.md), [Security](security-considerations-best-practices.md), [HADR configuration](hadr-cluster-best-practices.md), and [Collect baseline](performance-guidelines-best-practices-collect-baseline.md).
## Checklist
There are specific Azure Monitor metrics that are invaluable for discovering cap
To learn more about performance best practices, see the other articles in this series: - [Quick checklist](performance-guidelines-best-practices-checklist.md) - [VM size](performance-guidelines-best-practices-vm-size.md)
+- [Security](security-considerations-best-practices.md)
+- [HADR settings](hadr-cluster-best-practices.md)
- [Collect baseline](performance-guidelines-best-practices-collect-baseline.md) For security best practices, see [Security considerations for SQL Server on Azure Virtual Machines](security-considerations-best-practices.md).
azure-sql Performance Guidelines Best Practices Vm Size https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-vm-size.md
This article provides VM size guidance a series of best practices and guidelines
There is typically a trade-off between optimizing for costs and optimizing for performance. This performance best practices series is focused on getting the *best* performance for SQL Server on Azure Virtual Machines. If your workload is less demanding, you might not require every recommended optimization. Consider your performance needs, costs, and workload patterns as you evaluate these recommendations.
+For comprehensive details, see the other articles in this series: [Checklist](performance-guidelines-best-practices-checklist.md), [Storage](performance-guidelines-best-practices-storage.md), [Security](security-considerations-best-practices.md), [HADR configuration](hadr-cluster-best-practices.md), [Collect baseline](performance-guidelines-best-practices-collect-baseline.md).
+ ## Checklist
For example, the [M64-32ms](../../../virtual-machines/constrained-vcpu.md) requi
To learn more, see the other articles in this series: - [Quick checklist](performance-guidelines-best-practices-checklist.md) - [Storage](performance-guidelines-best-practices-storage.md)
+- [Security](security-considerations-best-practices.md)
+- [HADR settings](hadr-cluster-best-practices.md)
- [Collect baseline](performance-guidelines-best-practices-collect-baseline.md) For security best practices, see [Security considerations for SQL Server on Azure Virtual Machines](security-considerations-best-practices.md).
azure-sql Security Considerations Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/security-considerations-best-practices.md
This topic includes overall security guidelines that help establish secure acces
Azure complies with several industry regulations and standards that can enable you to build a compliant solution with SQL Server running in a virtual machine. For information about regulatory compliance with Azure, see [Azure Trust Center](https://azure.microsoft.com/support/trust-center/).
+For comprehensive details, see the other articles in this series: [Checklist](performance-guidelines-best-practices-checklist.md), [VM size](performance-guidelines-best-practices-vm-size.md), [Storage](performance-guidelines-best-practices-storage.md), [HADR configuration](hadr-cluster-best-practices.md), [Collect baseline](performance-guidelines-best-practices-collect-baseline.md).
## Control access to the SQL virtual machine
For more information about virtual machine security, see the [virtual machines s
## Next steps
-If you are also interested in best practices around performance, see [Performance Best Practices for SQL Server on Azure Virtual Machines](./performance-guidelines-best-practices-checklist.md).
+To learn more, see the other articles in this series:
+
+- [Quick checklist](performance-guidelines-best-practices-checklist.md)
+- [VM size](performance-guidelines-best-practices-vm-size.md)
+- [Storage](performance-guidelines-best-practices-storage.md)
+- [Security](security-considerations-best-practices.md)
+- [HADR settings](hadr-cluster-best-practices.md)
+- [Collect baseline](performance-guidelines-best-practices-collect-baseline.md)
+
+For other topics related to running SQL Server in Azure VMs, see [SQL Server on Azure Virtual Machines overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
-For other topics related to running SQL Server in Azure VMs, see [SQL Server on Azure Virtual Machines overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md).
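Review bot: The new Next steps list in the security article includes [Security](security-considerations-best-practices.md), a link to the page the reader is already on, under "see the other articles in this series"; drop that bullet. The list also labels the HADR link "HADR settings", while the series sentence added near the top of this same file calls it "HADR configuration"; use one label for the link.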
azure-video-analyzer Detect Motion Record Video Clips Cloud https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/detect-motion-record-video-clips-cloud.md
Within few seconds, you should see the following response in the OUTPUT window
Status code of 200 indicates that the pipeline topology was successfully deleted.
+## Playing back the recording
+
+You can examine the Video Analyzer video resource that was created by the live pipeline by logging in to the Azure portal and viewing the video.
+1. Open your web browser, and go to the [Azure portal](https://portal.azure.com/). Enter your credentials to sign in to the portal. The default view is your service dashboard.
+1. Locate your Video Analyzer account among the resources you have in your subscription, and open the account pane.
+1. Select **Videos** in the **Video Analyzers** list.
+1. You'll find a video listed with the name `sample-motion-video-camera001`. This is the name chosen in your pipeline topology file.
+1. Select the video.
+1. The video details page will open and the playback should start automatically.
+
+ <!--TODO: add image -- ![Video playback]() TODO: new screenshot is needed here -->
++
+> [!NOTE]
+> Because the source of the video was a container simulating a camera feed, the time stamps in the video are related to when you activated the live pipeline and when you deactivated it.
+
+ ## Clean up resources [!INCLUDE [prerequisites](./includes/common-includes/clean-up-resources.md)]
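Review bot: The added "Playing back the recording" section ships the TODO comment for the missing playback screenshot after step 6, so the published step has no image; add the screenshot or remove the placeholder before merging. The numbered list also starts on the line directly after the intro sentence with no blank line between them, which some Markdown renderers fold into the paragraph; insert a blank line before step 1.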
azure-video-analyzer Get Started Detect Motion Emit Events Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/get-started-detect-motion-emit-events-portal.md
When you create an Azure Video Analyzer account, you have to associate an Azure
``` 1. Select **Add** at the bottom of your screen 1. Select **Routes**
-1. Under **NAME**, enter **AVAToHub**, and under **VALUE**, enter **FROM /messages/modules/avaedge/outputs/* INTO $upstream**
+1. Under **NAME**, enter **AVAToHub**, and under **VALUE**, enter FROM /messages/modules/avaedge/outputs/* INTO $upstream
1. Select **Review + create**, then select **Create** and your **avaedge** edge module will be deployed ### Deploying RTSP camera simulator edge module
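Review bot: Removing the bold from the route value leaves `FROM /messages/modules/avaedge/outputs/* INTO $upstream` as bare text in the step, so the reader cannot see where the value to paste starts and ends, and the unescaped `*` can be picked up as Markdown emphasis; wrap the value in a code span instead of dropping the formatting.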
azure-video-analyzer Pipeline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/pipeline.md
The motion detection processor node enables you to detect motion in live video.
#### HTTP extension processor
-The HTTP extension processor node enables you to extend the pipeline to your own IoT Edge module. This node takes decoded video frames as input, and relays such frames to an HTTP REST endpoint exposed by your module, where you can analyze the frame with an AI model and return inference results back. Learn more about the [processor here](pipeline-extension.md#http-extension-processor). Additionally, this node has a built-in image formatter for scaling and encoding of video frames before they are relayed to the HTTP endpoint. The scaler has options for the image aspect ratio to be preserved, padded, or stretched. The image encoder supports JPEG, PNG, BMP, and RAW formats. Learn more about the [processor here](/pipeline-extension.md#grpc-extension-processor).
+The HTTP extension processor node enables you to extend the pipeline to your own IoT Edge module. This node takes decoded video frames as input, and relays such frames to an HTTP REST endpoint exposed by your module, where you can analyze the frame with an AI model and return inference results back. Additionally, this node has a built-in image formatter for scaling and encoding of video frames before they are relayed to the HTTP endpoint. The scaler has options for the image aspect ratio to be preserved, padded, or stretched. The image encoder supports JPEG, PNG, BMP, and RAW formats. Learn more about the [processor here](pipeline-extension.md#http-extension-processor).
#### gRPC extension processor
-The gRPC extension processor node takes decoded video frames as the input, and relays such frames to a [gRPC](pipeline-extension.md#grpc-extension-processor) endpoint exposed by your module. The node supports transferring of data using [shared memory](https://en.wikipedia.org/wiki/Shared_memory) or directly embedding the frame into the body of gRPC messages. Just like the HTTP extension process, this node also has a built-in image formatter for scaling and encoding of video frames before they are relayed to the gRPC endpoint. Learn more about the [processor here](/pipeline-extension.md#grpc-extension-processor).
+The gRPC extension processor node takes decoded video frames as the input, and relays such frames to a [gRPC](terminology.md#grpc) endpoint exposed by your module. The node supports transferring of data using [shared memory](https://en.wikipedia.org/wiki/Shared_memory) or directly embedding the frame into the body of gRPC messages. Just like the HTTP extension process, this node also has a built-in image formatter for scaling and encoding of video frames before they are relayed to the gRPC endpoint. Learn more about the [processor here](pipeline-extension.md#grpc-extension-processor).
#### Cognitive Services extension processor
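Review bot: The rewritten gRPC paragraph still says "Just like the HTTP extension process"; it should be "HTTP extension processor", matching the heading above. Both paragraphs now end with the same link text, "Learn more about the [processor here]", pointing at two different anchors; use descriptive text that names the HTTP and gRPC extension processors. In the HTTP paragraph, "return inference results back" can be shortened to "return inference results".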
azure-video-analyzer Record Event Based Live Video https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/record-event-based-live-video.md
When you deactivate the live pipeline, the video sink node stops recording media
This event indicates that recording has stopped. The subject section in applicationProperties references the video sink node in the live pipeline, which generated this message. The body section contains information about the output location. In this case, it's the name of the Video Analyzer resource into which video is recorded.
-## Video Analyzer video resource
+## Playing back the recording
You can examine the Video Analyzer video resource that was created by the live pipeline by logging in to the Azure portal and viewing the video. 1. Open your web browser, and go to the [Azure portal](https://portal.azure.com/). Enter your credentials to sign in to the portal. The default view is your service dashboard. 1. Locate your Video Analyzer account among the resources you have in your subscription, and open the account pane. 1. Select **Videos** in the **Video Analyzers** list.-
- <!--TODO: add image -- ![Video Analyzers videos]() ./media/event-based-video-recording-tutorial/videos.png -->
1. You'll find a video listed with the name `sample-evr-video`. This is the name chosen in your pipeline topology file. 1. Select the video.
-1. On the video details page, select playback option <!-- TODO: fix this-->
+1. The video details page will open and the playback should start automatically.
<!--TODO: add image -- ![Video playback]() TODO: new screenshot is needed here -->
azure-video-analyzer Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/release-notes.md
This article provides you with information about:
<hr width=100%>
+## June 3, 2021
+
+The release tag for the June 2021 refresh of the module is
+
+```
+ mcr.microsoft.com/media/video-analyzer:1.0.1
+```
+> [!NOTE]
+> In the quickstarts and tutorials, the deployment manifests use a tag of 1 (video-analyzer:1). So simply redeploying such manifests should update the module on your edge devices when newer tags are released.
+
+### Module updates
+* Supports unicode characters in the credentials for connecting to an RTSP camera
+* Updates to enable detailed logs in debug mode
+
+<hr width=100%>
+ ## May 25, 2021 This release is the first public preview release of Azure Video Analyzer. The release tag is ```
- mcr.microsoft.com/media/video-analyzer:1.0.0
+mcr.microsoft.com/media/video-analyzer:1.0.0
```+ > [!NOTE] > In the quickstarts and tutorials, the deployment manifests use a tag of 1 (video-analyzer:1). So simply redeploying such manifests should update the module on your edge devices when newer tags are released.
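Review bot: The new June 3 block adds the tag with a leading space inside the fence (" mcr.microsoft.com/media/video-analyzer:1.0.1") while this same change removes that leading space from the 1.0.0 line; drop it in the new block too so a copied tag carries no stray whitespace. The NOTE about manifests using the floating tag video-analyzer:1 is now repeated word for word under both releases; state it once above the release entries, and say there that a manifest has to reference the full tag (for example 1.0.1) if a deployment must stay on a fixed version. In the module updates list, "unicode" should be "Unicode".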
backup Backup Azure Monitoring Built In Monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-monitoring-built-in-monitor.md
To inactivate/resolve an active alert, you can select the list item correspondin
## Azure Monitor alerts for Azure Backup (preview)
-Azure Backup also provides alerts via Azure Monitor, to enable users to have a consistent experience for alert management across different Azure services, including backup. With Azure Monitor alerts, you can route alerts to any notification channel supported by Azure Backup such as email, ITSM, Webhook, Logic App and so on.
+Azure Backup also provides alerts via Azure Monitor, to enable users to have a consistent experience for alert management across different Azure services, including backup. With Azure Monitor alerts, you can route alerts to any notification channel supported by Azure Monitor such as email, ITSM, Webhook, Logic App and so on.
-Currently, this feature is available for Azure Databases for PostgreSQL Server, Azure Blobs and Azure Managed Disks. Alerts are generated for the following scenarios and can be accessed by navigating to a Backup vault and clicking on the **Alerts** menu item:
+Currently, Azure Backup has made two main types of built-in alerts available:
-- Delete Backup Data-- Backup Failure (to get alerts for Backup Failure, you need to register the AFEC flag named **EnableAzureBackupJobFailureAlertsToAzureMonitor** via the preview portal)-- Restore Failure (to get alerts for Restore Failure, you need to register the AFEC flag named **EnableAzureBackupJobFailureAlertsToAzureMonitor** via the preview portal)
+* **Security Alerts**: For scenarios, such as deletion of backup data, or disabling of soft-delete functionality for a vault, security alerts (of severity Sev 0) are fired, and displayed in the Azure portal or consumed via other clients (PowerShell, CLI and REST API). Security alerts are generated by default and can't be turned off. However, you can control the scenarios for which the notifications (for example, emails) should be fired. For more information on how to configure notifications, see [Action rules](../azure-monitor/alerts/alerts-action-rules.md).
+* **Job Failure Alerts**: For scenarios, such as backup failure and restore failure, Azure Backup provides built-in alerts via Azure Monitor (of Severity Sev 1). Unlike security alerts, you can choose to turn off Azure Monitor alerts for job failure scenarios. For example, if you have already configured custom alert rules for job failures via Log Analytics, and don't need built-in alerts to be fired for every job failure. By default, alerts for job failures are turned off. Refer to the [section on turning on alerts for these scenarios](#turning-on-azure-monitor-alerts-for-job-failure-scenarios) for more details.
+
+The following table summarizes the different backup alerts currently available (in preview) via Azure Monitor and the supported workload/vault types:
+
+| **Alert Category** | **Alert Name** | **Supported workload types / vault types** | **Description** |
+| | - | | -- |
+| Security | Delete Backup Data | <li> Azure Virtual Machine <br><br> <li> SQL in Azure VM (non-AG scenarios) <br><br> <li> SAP HANA in Azure VM <br><br> <li> Azure Backup Agent <br><br> <li> DPM <br><br> <li> Azure Backup Server <br><br> <li> Azure Database for PostgreSQL Server <br><br> <li> Azure Blobs <br><br> <li> Azure Managed Disks | This alert is fired when a user stops backup and deletes backup data (Note ΓÇô If soft-delete feature is disabled for the vault, Delete Backup Data alert is not received) |
+| Security | Upcoming Purge | <li> Azure Virtual Machine <br><br> <li> SQL in Azure VM (non-AG scenarios) <br><br> <li> SAP HANA in Azure VM | For all workloads which support soft-delete, this alert is fired when the backup data for an item is 2 days away from being permanently purged by the Azure Backup service |
+| Security | Purge Complete | <li> Azure Virtual Machine <br><br> <li> SQL in Azure VM (non-AG scenarios) <br><br> <li> SAP HANA in Azure VM | Delete Backup Data |
+| Security | Soft Delete Disabled for Vault | Recovery Services vaults | This alert is fired when the soft-deleted backup data for an item has been permanently deleted by the Azure Backup service |
+| Jobs | Backup Failure | <li> Azure Virtual Machine <br><br> <li> SQL in Azure VM (non-AG scenarios) <br><br> <li> SAP HANA in Azure VM <br><br> <li> Azure Backup Agent <br><br> <li> Azure Files <br><br> <li> Azure Database for PostgreSQL Server <br><br> <li> Azure Blobs <br><br> <li> Azure Managed Disks | This alert is fired when a backup job failure has occurred. By default, alerts for backup failures are turned off. Refer to the [section on turning on alerts for this scenario](#turning-on-azure-monitor-alerts-for-job-failure-scenarios) for more details. |
+| Jobs | Restore Failure | <li> Azure Virtual Machine <br><br> <li> SQL in Azure VM (non-AG scenarios) <br><br> <li> SAP HANA in Azure VM <br><br> <li> Azure Backup Agent <br><br> <li> Azure Files <br><br> <li> Azure Database for PostgreSQL Server <br><br> <li> Azure Blobs <br><br> <li> Azure Managed Disks| This alert is fired when a restore job failure has occurred. By default, alerts for restore failures are turned off. Refer to the [section on turning on alerts for this scenario](#turning-on-azure-monitor-alerts-for-job-failure-scenarios) for more details. |
+
+### Turning on Azure Monitor alerts for job failure scenarios
+
+To opt-in to Azure Monitor alerts for backup failure and restore failure scenarios, follow the below steps:
+
+1. Navigate to the Azure portal and search for **Preview Features**.
+
+ ![Preview Features](media/backup-azure-monitoring-laworkspace/portal-preview-features.png)
+
+2. You can view the list of all preview features that are available for you to opt-in to.
+
+ * If you wish to receive job failure alerts for workloads backed up to Recovery Services vaults, select the flag named **EnableAzureBackupJobFailureAlertsToAzureMonitor** corresponding to Microsoft.RecoveryServices provider (column 3).
+ * If you wish to receive job failure alerts for workloads backed up to Backup vaults, select the flag named **EnableAzureBackupJobFailureAlertsToAzureMonitor** corresponding to Microsoft.DataProtection provider (column 3).
+
+ ![Alerts Preview](media/backup-azure-monitoring-laworkspace/alert-preview-feature-flags.png)
+
+3. Click **Register** to enable this feature for your subscription.
+ > [!NOTE]
+ > It may take up to 30 minutes for the registration to take effect. If you wish to enable this feature for multiple subscriptions, repeat the above process by selecting the relevant subscription at the top of the screen.
++
+### Viewing fired alerts in the Azure portal
+
+Once an alert is fired for a vault, you can view the alert in the Azure portal by navigating to the vault and clicking on the **Alerts** menu item. Clicking this shows a distribution of alerts by severity for this vault.
+
+![Viewing Alerts](media/backup-azure-monitoring-laworkspace/vault-azure-monitor-alerts.png)
+
+Clicking on any of the numbers opens up a list of all alerts fired with the given severity. You can click any of the alerts to get more details about the alert, such as the affected datasource, alert description and recommended action, and so on.
+
+![Alert Details](media/backup-azure-monitoring-laworkspace/azure-monitor-alert-details.png)
+
+You can change the state of an alert to **Acknowledged** or **Closed** by clicking on **Change Alert State**.
+
+![Change Alert State](media/backup-azure-monitoring-laworkspace/azure-monitor-change-alert-state.png)
For more information about Azure Monitor alerts, see [Overview of alerts in Azure](../azure-monitor/alerts/alerts-overview.md).
+### Configuring notifications for alerts
+
+To configure notifications for Azure Monitor alerts, you must create an action rule. The following steps demonstrate how to create an action rule to send email notifications to a given email address. Similar instructions will apply for routing these alerts to other notification channels, such as ITSM, webhook, logic app and so on.
+
+1. Navigate to **Azure Monitor** in the Azure portal. Click the **Alerts** menu item and select **Manage actions**.
+
+ ![Manage Actions](media/backup-azure-monitoring-laworkspace/azure-monitor-manage-actions.png)
+
+2. Navigate to the **Action rules (preview)** tab and click **New action rule**.
+
+ ![New Action Rule](media/backup-azure-monitoring-laworkspace/azure-monitor-create-action-rule.png)
+
+3. Select the scope for which the action rule should be applied. You can apply the action rule for all resources within a subscription. Optionally, you can also apply filters on the alerts, for example, to only generate notifications for alerts of a certain severity.
+
+ ![Action Rule Scope](media/backup-azure-monitoring-laworkspace/azure-monitor-action-rule-scope.png)
+
+4. Create an action group. An action group is the destination to which the notification for an alert should be sent, for example, an email address.
+
+ ![Create Action Group](media/backup-azure-monitoring-laworkspace/azure-monitor-create-action-group.png)
+
+5. On the **Basics** tab, select the name of the action group and the subscription and resource group under which it should be created.
+
+ ![Action Groups Basic](media/backup-azure-monitoring-laworkspace/azure-monitor-action-groups-basic.png)
+
+6. On the **Notifications** tab, select **Email/SMS message/Push/Voice** and enter the recipient email id.
+
+ ![Action Groups Notification](media/backup-azure-monitoring-laworkspace/azure-monitor-email.png)
+
+7. Click **Review+Create** and then **Create** to deploy the action group.
+
+8. Finally, save the action rule.
+
+[Learn more about Action Rules in Azure Monitor](../azure-monitor/alerts/alerts-action-rules.md)
++ ## Next steps [Monitor Azure Backup workloads using Azure Monitor](backup-azure-monitoring-use-azuremonitor.md)
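Review bot: In the alerts table, the Description cells of the last two Security rows look shifted by one. `Purge Complete` has the description "Delete Backup Data", which is an alert name rather than a description, and `Soft Delete Disabled for Vault` carries the text about soft-deleted backup data having been permanently deleted, which describes a completed purge. Move that text to the `Purge Complete` row and write a description for `Soft Delete Disabled for Vault` that says when it fires. In the same table, the caveat that the Delete Backup Data alert is not received when soft delete is disabled is buried in a parenthesis; it deserves its own note. In the **Job Failure Alerts** bullet, the sentence starting "For example, if you have already configured custom alert rules" is a fragment and should be joined to the sentence before it.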
backup Backup Azure Monitoring Use Azuremonitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-monitoring-use-azuremonitor.md
The diagnostic data from the vault is pumped to the Log Analytics workspace with
- Across all solutions, the backup service's built-in alerts are pushed as soon as they're created. So they usually appear in the Log Analytics workspace after 20 to 30 minutes. - Across all solutions, on-demand backup jobs and restore jobs are pushed as soon as they *finish*.-- For all solutions except SQL backup, scheduled backup jobs are pushed as soon as they *finish*.-- For SQL backup, because log backups can occur every 15 minutes, information for all the completed scheduled backup jobs, including logs, is batched and pushed every 6 hours.
+- For all solutions except SQL and SAP HANA backup, scheduled backup jobs are pushed as soon as they *finish*.
+- For SQL and SAP HANA backup, because log backups can occur every 15 minutes, information for all the completed scheduled backup jobs, including logs, is batched and pushed every 6 hours.
- Across all solutions, other information such as the backup item, policy, recovery points, storage, and so on, is pushed at least *once per day.* - A change in the backup configuration (such as changing policy or editing policy) triggers a push of all related backup information.
+> [!NOTE]
+> The same delay applies to other destinations for diagnostics data, such as Storage accounts and Event Hubs.
+ ## Using the Recovery Services vault's activity logs > [!CAUTION]
backup Backup Azure Vms Encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-vms-encryption.md
Title: Back up and restore encrypted Azure VMs description: Describes how to back up and restore encrypted Azure VMs with the Azure Backup service. Previously updated : 06/01/2021 Last updated : 06/03/2021 # Back up and restore encrypted Azure virtual machines
The initial backup will run in accordance with the schedule, but you can run it
Azure Backup needs read-only access to back up the keys and secrets, along with the associated VMs. - Your Key Vault is associated with the Azure AD tenant of the Azure subscription. If you're a **Member user**, Azure Backup acquires access to the Key Vault without further action.-- If you're a **Guest user**, you must provide permissions for Azure Backup to access the key vault.
+- If you're a **Guest user**, you must provide permissions for Azure Backup to access the key vault. You need to have access to key vaults to configure Backup for encrypted VMs.
To set permissions:
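Review bot: The sentence added to the **Guest user** bullet, "You need to have access to key vaults to configure Backup for encrypted VMs", does not say which access is meant or whether it applies only to guest users. The paragraph above is specific that Azure Backup needs read-only access to the keys and secrets; state the user's required permission with the same precision, and if the requirement also applies to member users, move it out of this bullet.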
backup Backup Vault Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-vault-overview.md
Sign in to the Azure portal at <https://portal.azure.com>.
### Create Backup vault 1. Type **Backup vaults** in the search box.
-1. Under **Services**, select **Backup vaults**.
-1. In the **Backup vaults** page, select **Add**.
-1. In the **Basics tab**, under **Project details**, make sure the correct subscription is selected and then choose **Create new** resource group. Type *myResourceGroup* for the name.
+2. Under **Services**, select **Backup vaults**.
+3. On the **Backup vaults** page, select **Add**.
+4. On the **Basics** tab, under **Project details**, make sure the correct subscription is selected and then choose **Create new** resource group. Type *myResourceGroup* for the name.
- ![Create new resource group](./media/backup-vault-overview/new-resource-group.png)
+ ![Create new resource group](./media/backup-vault-overview/new-resource-group.png)
-1. Under **Instance details**, type *myVault* for the **Backup vault name** and choose your region of choice, in this case *East US* for your **Region**.
-1. Now choose your **Storage redundancy**. Storage redundancy cannot be changed after protecting items to the vault.
-1. We recommend that if you're using Azure as a primary backup storage endpoint, continue to use the default **Geo-redundant** setting.
-1. If you don't use Azure as a primary backup storage endpoint, then choose **Locally redundant**, which reduces the Azure storage costs.
-1. Learn more about [geo](../storage/common/storage-redundancy.md#geo-redundant-storage) and [local](../storage/common/storage-redundancy.md#locally-redundant-storage) redundancy.
+5. Under **Instance details**, type *myVault* for the **Backup vault name** and choose your region of choice, in this case *East US* for your **Region**.
+6. Now choose your **Storage redundancy**. Storage redundancy cannot be changed after protecting items to the vault.
+7. We recommend that if you're using Azure as a primary backup storage endpoint, continue to use the default **Geo-redundant** setting.
+8. If you don't use Azure as a primary backup storage endpoint, choose **Locally redundant**, which reduces the Azure storage costs. Learn more about [geo](../storage/common/storage-redundancy.md#geo-redundant-storage) and [local](../storage/common/storage-redundancy.md#locally-redundant-storage) redundancy.
- ![Choose storage redundancy](./media/backup-vault-overview/storage-redundancy.png)
+ ![Choose storage redundancy](./media/backup-vault-overview/storage-redundancy.png)
-1. Select the Review + create button at the bottom of the page.
+9. Select the Review + create button at the bottom of the page.
![Select Review + Create](./media/backup-vault-overview/review-and-create.png)
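Review bot: With explicit numbering, items 7 and 8 now read as steps, but they are the two alternatives for the **Storage redundancy** choice made in step 6, not actions of their own. Nest them under step 6 as sub-bullets so that the review step follows directly. Step 9 also leaves "Review + create" unbolded, unlike the other UI labels in this list.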
If you try to delete the vault without removing the dependencies, you'll encount
>Cannot delete the Backup vault as there are existing backup instances or backup policies in the vault. Delete all backup instances and backup policies that are present in the vault and then try deleting the vault.
+Ensure that you cycle through the **Datasource type** filter options in **Backup center** to not miss any existing Backup Instance or policy that needs to be removed, before being able to delete the Backup Vault.
+
+![Datasource Types](./media/backup-vault-overview/datasource-types.png)
+ ### Proper way to delete a vault >[!WARNING]
cognitive-services Cognitive Services Apis Create Account Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/cognitive-services-apis-create-account-cli.md
In this quickstart, you'll learn how to sign up for Azure Cognitive Services and
* A valid Azure subscription - [Create one](https://azure.microsoft.com/free/cognitive-services) for free. * The [Azure Command Line Interface(CLI)](/cli/azure/install-azure-cli)
+* [!INCLUDE [terms-azure-portal](./includes/quickstarts/terms-azure-portal.md)]
## Install the Azure CLI and sign in
cognitive-services Create Account Resource Manager Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/create-account-resource-manager-template.md
Create a resource using an Azure Resource Manager template (ARM template). This
* Access multiple Azure Cognitive Services with a single key and endpoint. * Consolidate billing from the services you use.
+* [!INCLUDE [terms-azure-portal](./includes/quickstarts/terms-azure-portal.md)]
[!INCLUDE [About Azure Resource Manager](../../includes/resource-manager-quickstart-introduction.md)]
communication-services Sdk Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/chat/sdk-features.md
The following list presents the set of features which are currently available in
| | Update the content of your sent message | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | | | Delete a message you previously sent | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | | | Read receipts for messages that have been read by other participants in a chat | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
-| | Get notified when participants are actively typing a message in a chat thread | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
+| | Get notified when participants are actively typing a message in a chat thread | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| | Get all messages in a chat thread | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | | | Send Unicode emojis as part of message content | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |Real-time notifications (enabled by proprietary signaling package**)| Chat clients can subscribe to get real-time updates for incoming messages and other operations occurring in a chat thread. To see a list of supported updates for real-time notifications, see [Chat concepts](concepts.md#real-time-notifications) | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ |
communication-services Sdk Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/sdk-options.md
Azure Communication Services capabilities are conceptually organized into six areas. Most areas have fully open-sourced SDKs programmed against published REST APIs that you can use directly over the Internet. The Calling SDK uses proprietary network interfaces and is currently closed-source. Samples and more technical details for SDKs are published in the [Azure Communication Services GitHub repo](https://github.com/Azure/communication).
+Development of Web-based Calling and Chat applications can be accelerated by [Azure Communication Services UI libraries](https://azure.github.io/communication-ui-library). The UI library provides production-ready UI components that you can drop into your applications.
+ ## REST APIs Communication Services APIs are documented alongside other Azure REST APIs in [docs.microsoft.com](/rest/api/azure/). This documentation will tell you how to structure your HTTP messages and offers guidance for using Postman. This documentation is also offered in Swagger format on [GitHub](https://github.com/Azure/azure-rest-api-specs). - ## SDKs | Assembly | Namespaces| Protocols | Capabilities |
Communication Services APIs are documented alongside other Azure REST APIs in [d
| Azure Resource Manager | Azure.ResourceManager.Communication | [REST](/rest/api/communication/communicationservice)| Provision and manage Communication Services resources| | Common | Azure.Communication.Common| REST | Provides base types for other SDKs | | Identity | Azure.Communication.Identity| [REST](/rest/api/communication/communicationidentity)| Manage users, access tokens|
-| Phone numbers _(beta)_| Azure.Communication.PhoneNumbers| [REST](/rest/api/communication/phonenumbers)| Acquire and manage phone numbers |
+| Phone numbers | Azure.Communication.PhoneNumbers| [REST](/rest/api/communication/phonenumbers)| Acquire and manage phone numbers |
| Chat | Azure.Communication.Chat| [REST](/rest/api/communication/) with proprietary signaling | Add real-time text based chat to your applications | | SMS| Azure.Communication.SMS | [REST](/rest/api/communication/sms)| Send and receive SMS messages| | Calling| Azure.Communication.Calling | Proprietary transport | Use voice, video, screen-sharing, and other real-time data communication capabilities |
+| UI Library| Azure.Communication.Calling | Open source | Production-ready UI components for chat and calling apps |
+
-The Azure Resource Manager, Identity, and SMS SDKs are focused on service integration, and in many cases security issues arise if you integrate these functions into end-user applications. The Common and Chat SDKs are suitable for service and client applications. The Calling SDK is designed for client applications. An SDK focused on service scenarios is in development.
+The Azure Resource Manager, Identity, and SMS SDKs are focused on service integration, and security issues may arise if you integrate these functions into end-user applications. The Common and Chat SDKs are suitable for service and client applications. The Calling SDK is designed for client applications.
### Languages and publishing locations
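Review bot: The new **UI Library** row lists `Azure.Communication.Calling` as its namespace, the same value as the **Calling** row directly above it, which looks like a copy-paste; the publishing table in this same change names the package `@azure/communication-react`. Its Protocols cell says "Open source", which is a licensing property rather than a protocol. In the paragraph below the table, the rewrite from "in many cases security issues arise" to "security issues may arise" softens the guidance without saying what the issue is; one short clause giving the reason would make the warning actionable.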
Publishing locations for individual SDK packages are detailed below.
| Chat | [npm](https://www.npmjs.com/package/@azure/communication-chat) | [NuGet](https://www.nuget.org/packages/Azure.Communication.Chat) | [PyPi](https://pypi.org/project/azure-communication-chat/) | [Maven](https://search.maven.org/search?q=a:azure-communication-chat) | [GitHub](https://github.com/Azure/azure-sdk-for-ios/releases) | [Maven](https://search.maven.org/search?q=a:azure-communication-chat) | - | | SMS | [npm](https://www.npmjs.com/package/@azure/communication-sms) | [NuGet](https://www.nuget.org/packages/Azure.Communication.Sms) | [PyPi](https://pypi.org/project/azure-communication-sms/) | [Maven](https://search.maven.org/artifact/com.azure/azure-communication-sms) | - | - | - | | Calling | [npm](https://www.npmjs.com/package/@azure/communication-calling) | [NuGet](https://www.nuget.org/packages/Azure.Communication.Calling) | - | - | [GitHub](https://github.com/Azure/Communication/releases) | [Maven](https://search.maven.org/artifact/com.azure.android/azure-communication-calling/) | - |
+| UI Library | [npm](https://www.npmjs.com/package/@azure/communication-react) | - | - | - | - | - | [GitHub](https://github.com/Azure/communication-ui-library), [Storybook](https://azure.github.io/communication-ui-library/?path=/story/overview--page) |
| Reference Documentation | [docs](https://azure.github.io/azure-sdk-for-js/communication.html) | [docs](https://azure.github.io/azure-sdk-for-net/communication.html) | - | [docs](http://azure.github.io/azure-sdk-for-java/communication.html) | [docs](/objectivec/communication-services/calling/) | [docs](/java/api/com.azure.android.communication.calling) | - |
communication-services Troubleshooting Info https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/troubleshooting-info.md
The Azure Communication Services Calling SDK uses the following error codes to h
| Error code | Description | Action to take | | -- | | |
-| 403 | Forbidden / Authentication failure. | Ensure that your Communication Services token is valid and not expired. |
+| 403 | Forbidden / Authentication failure. | Ensure that your Communication Services token is valid and not expired. If you are using Teams Interoperability, make sure your Teams tenant has been added to the preview access allowlist. To enable/disable [Teams tenant interoperability](https://docs.microsoft.com/azure/communication-services/concepts/teams-interop), complete [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR21ouQM6BHtHiripswZoZsdURDQ5SUNQTElKR0VZU0VUU1hMOTBBMVhESS4u).|
| 404 | Call not found. | Ensure that the number you're calling (or call you're joining) exists. | | 408 | Call controller timed out. | Call Controller timed out waiting for protocol messages from user endpoints. Ensure clients are connected and available. | | 410 | Local media stack or media infrastructure error. | Ensure that you're using the latest SDK in a supported environment. |
communication-services Create Communication Resource https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/create-communication-resource.md
Get started with Azure Communication Services by provisioning your first Communi
> [!WARNING]
-> Note that while Communication Services is available in multiple geographies, in order to get a phone number the resource must have a data location set to 'US'. Also note that communication resources cannot be transferred to a different subscription during public preview.
+> Note that while Communication Services is available in multiple geographies, in order to get a phone number the resource must have a data location set to 'US'. Also note that resource moves are not currently supported, but will be available soon.
+> Also note it is not possible to create a resource group at the same time as a resource for Azure Communication Services. When creating a resource, a resource group that has been created already must be used.
::: zone pivot="platform-azp" [!INCLUDE [Azure portal](./includes/create-resource-azp.md)]
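Review bot: The warning now chains three statements with "Note that" and "Also note", and the second added line, about resource groups, is unrelated to phone numbers or resource moves. A short list inside the warning would read better. "will be available soon" has no date or link and will go stale; drop it or link to where the status is tracked.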
After you add the environment variable, run `source ~/.bash_profile` from your c
## Clean up resources
-If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it.
+If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it.
-If you have any phone numbers assigned to your resource upon resource deletion, the phone numbers will be released from your resource automatically at the same time.
+If you have any phone numbers assigned to your resource upon resource deletion, the phone numbers will be released from your resource automatically at the same time.
+
+> [!Note]
+> Resource deletion is **permanent** and no data, including event gird filters, phone numbers, or other data tied to your resource, can be recovered if you delete the resource.
## Next steps
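Review bot: Typo in the added note: "event gird filters" should be "event grid filters". The alert marker is written `[!Note]` here, while the rest of this change set uses `[!NOTE]`. Since the text warns that deletion is permanent and nothing can be recovered, `[!WARNING]`, which this article already uses near the top, fits the content better than a note.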
In this quickstart you learned how to:
> * Delete the resource > [!div class="nextstepaction"]
-> [Create your first user access tokens](access-tokens.md)
+> [Create your first user access tokens](access-tokens.md)
communication-services Telemetry Application Insights https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/telemetry-application-insights.md
+
+ Title: Quickstart - Exporting SDK telemetry data to Application Insights
+
+description: Learn how to export Azure Communication Services SDK Telemetry Data to Application Insights.
++++ Last updated : 06/01/2021++
+zone_pivot_groups: acs-js-csharp-java-python
++
+# Quickstart: Using Azure OpenTelemetry Exporter to export SDK telemetry data to Application Insights
+
+The Azure OpenTelemetry Exporter is an SDK within [Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/). It allows you to export tracing data using OpenTelemetry and send the data to [Application Insights](https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview). OpenTelemetry provides a standardized way for applications and frameworks to collect telemetry information.
+
+Azure Application Insights is a feature of Azure Monitor which is used to monitor live applications. It displays telemetry data about your application in a Microsoft Azure resource. The telemetry model is standardized so that it is possible to create platform and language-independent monitoring.
+++++
+The output of the app describes each action that is completed:
+<!cSpell:disable >
+```console
+Created an identity with ID: <identity-id>
+Issued an access token with 'chat' scope that expires at <expiry-data>
+```
+<!cSpell:enable >
+
+## View the telemetry data in Application Insights
+In order to analyze the telemetry data from the SDK, go to the `Performance` tab and then go to `Dependencies`. You will be able to see the `Create User Activity` and `Get Token Activity` that weΓÇÖve tracked.
++
+To view more detail, you can drill into the samples:
++
+In the drill-down view, there is more information about the Activity such as where it was called from, its timestamp, name, performance, type, etc. You can also see the Cloud role name and instance id that we defined in the sample code snippet above. Notice that the custom properties that were tracked also show up here:
++
+## Next Steps
+
+In this quickstart, you learned how to:
+
+> [!div class="checklist"]
+> * Set up Telemetry Exporter
+> * Funnel Telemetry data to Application Insights
+> * View exported data in Application Insights
+
+You may also want to:
+
+- [Learn more about Analyzing Data in Application Insights](https://docs.microsoft.com/powerapps/maker/canvas-apps/application-insights)
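Review bot: The closing link, "Learn more about Analyzing Data in Application Insights", points to `/powerapps/maker/canvas-apps/application-insights`, a Power Apps article, while this quickstart is about Azure Monitor; link to an Azure Monitor Application Insights page instead. The sample output uses the placeholder `<expiry-data>`, which presumably should be `<expiry-date>`. The introduction uses absolute `https://docs.microsoft.com/...` links where other articles in this change set use relative paths.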
connectors Connectors Create Api Azureblobstorage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/connectors/connectors-create-api-azureblobstorage.md
You can put the storage account in an Azure virtual network that you manage, and
To give Microsoft trusted services access to a storage account through a firewall, you can set up an exception on that storage account for those services. This solution permits Azure services that support [managed identities for authentication](../active-directory/managed-identities-azure-resources/overview.md) to access storage accounts behind firewalls as trusted services. Specifically, for a logic app in global multi-tenant Azure to access these storage accounts, you first [enable managed identity support](../logic-apps/create-managed-service-identity.md) on the logic app. Then, you use the HTTP action or trigger in your logic app and [set their authentication type to use your logic app's managed identity](../logic-apps/create-managed-service-identity.md#authenticate-access-with-managed-identity). For this scenario, you can use *only* the HTTP action or trigger.
+> [!NOTE]
+> If you use the managed identity capability for authenticating access to your storage account,
+> you can't use the built-in Azure Blob Storage operations. You have to use the HTTP trigger
+> or action that has the managed identity set up to authenticate your storage account connection.
+> To run the necessary storage operations, you then have to call the corresponding REST APIs
+> for Azure Blob Storage. For more information, review the
+> [Blob service REST API](/rest/api/storageservices/blob-service-rest-api).
+ To set up the exception and managed identity support, follow these general steps: 1. On your storage account, under **Settings**, select **Firewalls and virtual networks**. Under **Allow access from**, select the **Selected networks** option so that the related settings appear.
If you use a dedicated tier for [API Management](../api-management/api-managemen
## Next steps
-* Learn about other [Logic Apps connectors](../connectors/apis-list.md)
+* Learn about other [Logic Apps connectors](../connectors/apis-list.md)
cosmos-db How To Manage Conflicts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/how-to-manage-conflicts.md
Title: Manage conflicts between regions in Azure Cosmos DB description: Learn how to manage conflicts in Azure Cosmos DB by creating the last-writer-wins or a custom conflict resolution policy-+ Last updated 06/11/2020-+
With multi-region writes, when multiple clients write to the same item, conflicts may occur. When a conflict occurs, you can resolve the conflict by using different conflict resolution policies. This article describes how to manage conflict resolution policies.
+> [!TIP]
+> Conflict resolution policy can only be specified at container creation time and cannot be modified after container creation.
+ ## Create a last-writer-wins conflict resolution policy These samples show how to set up a container with a last-writer-wins conflict resolution policy. The default path for last-writer-wins is the timestamp field or the `_ts` property. For SQL API, this may also be set to a user-defined path with a numeric type. In a conflict, the highest value wins. If the path isn't set or it's invalid, it defaults to `_ts`. Conflicts resolved with this policy do not show up in the conflict feed. This policy can be used by all APIs.
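Review bot: The new callout uses `[!TIP]` for a hard constraint: the conflict resolution policy can only be set at container creation and cannot be modified afterwards. `[!IMPORTANT]` or `[!NOTE]` would match the weight of that statement better, and one more sentence on what the reader's options are if the policy needs to change later would close the gap.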
cosmos-db Quick Create Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/quick-create-template.md
An Azure subscription or free Azure Cosmos DB trial account
## Review the template
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/101-cosmosdb-sql/).
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/cosmosdb-sql/).
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.documentdb/cosmosdb-sql/azuredeploy.json":::
cosmos-db Sql Api Sdk Bulk Executor Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-sdk-bulk-executor-java.md
|**Minimum supported runtime**|[Java Development Kit (JDK) 7+](/java/azure/jdk/)| ## Release notes
+### <a name="2.12.3"></a>2.12.3
+
+* Fix retry policy when `GoneException` is wrapped in `IllegalStateException` - this change is necessary to make sure Gateway cache is refreshed on 410 so the Spark connector (for Spark 2.4) can use a custom retry policy to allow queries to succeed during partition splits
+
+### <a name="2.12.2"></a>2.12.2
+
+* Fix an issue resulting in documents not always being imported on transient errors.
+
+### <a name="2.12.1"></a>2.12.1
+
+* Upgrade to use latest Cosmos Core SDK version.
+
+### <a name="2.12.0"></a>2.12.0
+
+* Improve handling of RU budget provided through the Spark Connector for bulk operation. An initial one-time bulk import is performed from spark connector with a baseBatchSize and the RU consumption for the above batch import is collected.
+ A miniBatchSizeAdjustmentFactor is calculated based on the above RU consumption, and the mini-batch size is adjusted based on this. Based on the Elapsed time and the consumed RU for each batch import, a sleep duration is calculated to limit the RU consumption per second and is used to pause the thread prior to the next batch import.
+
+### <a name="2.11.0"></a>2.11.0
+
+* Fix a bug preventing bulk updates when using a nested partition key
### <a name="2.10.0"></a>2.10.0
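Review bot: In the 2.12.0 entry the identifiers baseBatchSize and miniBatchSizeAdjustmentFactor are plain text, while the 2.12.3 entry formats `GoneException` and `IllegalStateException` as code; format them the same way. The 2.12.0 entry also mixes "Spark Connector" and "spark connector" and capitalizes "Elapsed time" mid-sentence. The 2.12.3 and 2.11.0 entries lack the closing period the other entries have, and 2.11.0 is missing the blank line before the 2.10.0 heading.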
data-factory Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/introduction.md
Additionally, you can publish your transformed data to data stores such as Azure
Data Factory contains a series of interconnected systems that provide a complete end-to-end platform for data engineers.
+This visual guide provides a high level overview of of the Data Factory architecture:
++ ### Connect and collect Enterprises have data of various types that are located in disparate sources on-premises, in the cloud, structured, unstructured, and semi-structured, all arriving at different intervals and speeds.
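Review bot: The added sentence has a doubled word, "overview of of the Data Factory architecture", and "high level" should be hyphenated as a modifier ("high-level overview"). The sentence ends in a colon, so check that the image it introduces carries alt text describing the architecture, because nothing after the colon is visible in this change.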
data-factory Tutorial Managed Virtual Network On Premise Sql Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/tutorial-managed-virtual-network-on-premise-sql-server.md
Title: Access on premises SQL Server from Data Factory Managed VNET using Private Endpoint
-description: This tutorial provides steps for using the Azure portal to setup Private Link Service and access on-prem SQL Server from Managed VNET using Private Endpoint.
+ Title: Access on-premises SQL Server from Data Factory Managed VNet using Private Endpoint
+description: This tutorial provides steps for using the Azure portal to setup Private Link Service and access on-premises SQL Server from Managed VNet using Private Endpoint.
Last updated 05/06/2021
-# Tutorial: How to access on premises SQL Server from Data Factory Managed VNET using Private Endpoint
+# Tutorial: How to access on-premises SQL Server from Data Factory Managed VNet using Private Endpoint
-This tutorial provides steps for using the Azure portal to setup Private Link Service and access on-prem SQL Server from Managed VNET using Private Endpoint.
+This tutorial provides steps for using the Azure portal to setup Private Link Service and access on-premises SQL Server from Managed VNet using Private Endpoint.
## Prerequisites * **Azure subscription**. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.
-* **Virtual Network**. If you donΓÇÖt have a Virtual Network, create one following [Create Virtual Network](https://docs.microsoft.com/azure/virtual-network/quick-create-portal).
-* **Virtual network to on-premises network**. Create a connection between virtual network and on-premises network either using [ExpressRoute](https://docs.microsoft.com/azure/expressroute/expressroute-howto-linkvnet-portal-resource-manager?toc=/azure/virtual-network/toc.json) or [VPN](https://docs.microsoft.com/azure/vpn-gateway/tutorial-site-to-site-portal?toc=/azure/virtual-network/toc.json).
-* **Data Factory with Managed VNET enabled**. If you donΓÇÖt have a Data Factory or Managed VNET is not enabled, create one following [Create Data Factory with Managed VNET](https://docs.microsoft.com/azure/data-factory/tutorial-copy-data-portal-private).
+* **Virtual Network**. If you donΓÇÖt have a Virtual Network, create one following [Create Virtual Network](../virtual-network/quick-create-portal.md).
+* **Virtual network to on-premises network**. Create a connection between virtual network and on-premises network either using [ExpressRoute](../expressroute/expressroute-howto-linkvnet-portal-resource-manager.md?toc=/azure/virtual-network/toc.json) or [VPN](../vpn-gateway/tutorial-site-to-site-portal.md?toc=/azure/virtual-network/toc.json).
+* **Data Factory with Managed VNet enabled**. If you donΓÇÖt have a Data Factory or Managed VNet is not enabled, create one following [Create Data Factory with Managed VNet](tutorial-copy-data-portal-private.md).
## Create subnets for resources
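Review bot: The description and the intro sentence still use "setup" as a verb ("to setup Private Link Service"); the verb form is "set up". The rewritten prerequisite bullets also carry over the typographic apostrophe, which shows up as "donΓÇÖt" on the new lines; a straight apostrophe avoids that.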
the page.
2. Run the script on with the following options:<br/> **sudo ./ip_fwd.sh -i eth0 -f 1433 -a <FQDN/IP> -b 1433**<br/> <FQDN/IP> is your target SQL Server IP.<br/>
- >[!Note]
- >FQDN doesnΓÇÖt work for on premise SQL Server unless you add a record in Azure DNS zone.
+
+ > [!Note]
+ > FQDN doesnΓÇÖt work for on-premises SQL Server unless you add a record in Azure DNS zone.
+
3. Run below command and check the iptables in your backend server VMs. You can see one record in your iptables with your target IP.<br/> **sudo iptables -t nat -v -L PREROUTING -n --line-number**
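Review bot: The note under step 2 says an FQDN doesn't work for an on-premises SQL Server unless a record is added in an Azure DNS zone, yet the command placeholder is still `<FQDN/IP>` and the explanation calls it "your target SQL Server IP". Either make the placeholder IP-only or state the DNS prerequisite in the step itself with a link to how the record is added. The step text "Run the script on with the following options" also has a stray "on". Since the script is run with sudo and step 3 verifies a NAT PREROUTING record for port 1433, a line on how to remove that record when the target changes would round out the step.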
data factory from the resources list.
4. Select + **New** under **Managed private endpoints**. 5. Select the **Private Link Service** tile from the list and select **Continue**. 6. Enter the name of private endpoint and select **myPrivateLinkService** in private link service list.
-7. Add FQDN of your target on premises SQL Server and NAT IPs of your private link Service.
+7. Add FQDN of your target on-premises SQL Server and NAT IPs of your private link Service.
:::image type="content" source="./media/tutorial-managed-virtual-network/link-service-nat-ip.png" alt-text="Screenshot that shows the NAT IP in the linked service." lightbox="./media/tutorial-managed-virtual-network/link-service-nat-ip-expanded.png":::
data factory from the resources list.
:::image type="content" source="./media/tutorial-managed-virtual-network/linked-service-2.png" alt-text="Screenshot that shows how to enable Interactive Authoring.":::
-5. Input the **FQDN** of your on-prem SQL Server, **user name** and **password**.
+5. Input the **FQDN** of your on-premises SQL Server, **user name** and **password**.
6. Then click **Test connection**. :::image type="content" source="./media/tutorial-managed-virtual-network/linked-service-3.png" alt-text="Screenshot that shows the SQL server linked service creation page.":::
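Review bot: Step 5 has the reader type the SQL Server user name and password straight into the linked service form. While this line is being touched, consider adding a pointer to storing the password in Azure Key Vault and referencing it from the linked service, so the tutorial does not model inline credentials as the default.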
Go to the backend server VM, confirm telnet the SQL Server works: **telnet **<**
## Next steps
-Advance to the following tutorial to learn about accessing Microsoft Azure SQL Managed Instance from Data Factory Managed VNET using Private Endpoint:
+Advance to the following tutorial to learn about accessing Microsoft Azure SQL Managed Instance from Data Factory Managed VNet using Private Endpoint:
> [!div class="nextstepaction"]
-> [Access SQL Managed Instance from Data Factory Managed VNET](tutorial-managed-virtual-network-sql-managed-instance.md)
+> [Access SQL Managed Instance from Data Factory Managed VNet](tutorial-managed-virtual-network-sql-managed-instance.md)
data-lake-store Data Lake Store In Storage Explorer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-store/data-lake-store-in-storage-explorer.md
description: Learn how to access and manage your Azure Data Lake Storage Gen1 da
Previously updated : 02/05/2018 Last updated : 06/04/2021
-# Manage Azure Data Lake Storage Gen1 resources by using Storage Explorer
+# Manage Data Lake Storage Gen1 resources by using Storage Explorer
[Azure Data Lake Storage Gen1](./data-lake-store-overview.md) is a service for storing large amounts of unstructured data, such as text or binary data. You can get access to the data from anywhere via HTTP or HTTPS. Data Lake Storage Gen1 in Azure Storage Explorer enables you to access and manage Data Lake Storage Gen1 data and resources, along with other Azure entities like blobs and queues. Now you can use the same tool to manage your different Azure entities in one place.
-Another advantage is that you don't need to have subscription permission to manage Data Lake Storage Gen1 data. In Storage Explorer, you can attach the Data Lake Storage Gen1 path to the **Local and Attached** node as long as someone grants the permission.
+Another advantage is that you don't need to have subscription permission to manage Data Lake Storage Gen1 data. In Storage Explorer, you can attach the Data Lake Storage Gen1 path to the **Local & Attached** node as long as someone grants the permission.
## Prerequisites
To complete the steps in this article, you need the following prerequisites:
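Review bot: The reworded sentence keeps "as long as someone grants the permission" without saying which permission is meant or who can grant it. This is the sentence that tells readers they can work without subscription-level access, so name the permission or link to the access control article for Data Lake Storage Gen1, so readers know what to ask for.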
## Install Storage Explorer
-Install the newest Azure Storage Explorer bits from the [product webpage](https://azure.microsoft.com/features/storage-explorer/). The installation supports Windows, Linux, and Mac versions.
+Install the latest Azure Storage Explorer bits from the [product webpage](https://azure.microsoft.com/features/storage-explorer/). The installation supports Windows, Linux, and Mac versions.
## Connect to an Azure subscription
-1. In Storage Explorer, select the plug-in icon on the left.
+1. In Storage Explorer, select the plug-in icon.
- ![Plug-in icon](./media/data-lake-store-in-storage-explorer/plug-in-icon.png)
+ ![Screenshot that shows where the plug-in icon is located in the user interface](./media/data-lake-store-in-storage-explorer/plug-in-icon.png)
-1. Select **Add an Azure Account**, and then select **Sign-in**.
+ This opens the **Connect to Azure Storage** dialog box.
+1. On the **Select Resource** page, select **Subscription**.
+1. On the **Select Azure Environment** page, select the Azure environment to sign in to, and then select **Next**.
+1. In the **Sign in** dialog box, enter your Azure credentials, and then select **Next**.
- !["Connect to Azure Storage" dialog box](./media/data-lake-store-in-storage-explorer/connect-to-azure-subscription.png)
+1. In Storage Explorer, in the **ACCOUNT MANAGEMENT** pane, select the subscription that contains the Data Lake Storage Gen1 account that you want to manage, and then select **Open Explorer**.
+1. In the **EXPLORER** pane, expand your subscription. The pane updates and displays the accounts in the selected subscription. This includes any Data Lake Storage Gen1 accounts, for example:
-1. In the **Sign in to your account** dialog box, enter your Azure credentials.
-
- ![Dialog box for Azure sign-in](./media/data-lake-store-in-storage-explorer/sign-in.png)
-
-1. Select your subscription from the list, and then select **Apply**.
-
- ![Subscription information and "Apply" button](./media/data-lake-store-in-storage-explorer/apply-subscription.png)
-
- The **EXPLORER** pane is updated and displays the accounts in the selected subscription.
-
- ![Account list](./media/data-lake-store-in-storage-explorer/account-list.png)
-
-You have successfully connected Data Lake Storage Gen1 to your Azure subscription.
+ ![Screenshot that shows an example account in the Data Lake Storage Gen1 node](./media/data-lake-store-in-storage-explorer/account-list.png)
## Connect to Data Lake Storage Gen1 You can access resources that don't exist in your subscription if someone gives you the URI for the resources. You can then connect to Data Lake Storage Gen1 by using the URI after you sign in. 1. Open Storage Explorer.
-2. In the left pane, expand **Local and Attached**.
-3. Right-click **Data Lake Store**, and then select **Connect to Data Lake Store**.
+1. Expand **Local & Attached**.
+1. Right-click **Data Lake Storage Gen1 (Preview)**, and then select **Connect to Data Lake Storage Gen1**.
+1. Enter the URI, for example:
- !["Connect to Data Lake Store" on the shortcut menu](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-uri-attach.png)
+ ![Screenshot that shows the "Connect to Data Lake Store" dialog box, with the text box for entering the URI](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-uri-attach-dialog.png)
-4. Enter the URI. The tool browses to the location of the URL that you just entered.
+ The tool browses to the location of the URL that you just entered.
- !["Connect to Data Lake Store" dialog box, with the text box for entering the URI](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-uri-attach-dialog.png)
+ ![Shows the Data Lake Storage Gen1 account listed under the Data Lake Storage Gen1 (Preview) node in the UI](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-attach-finish.png)
- ![Result of connecting to Data Lake Storage Gen1](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-attach-finish.png)
+## View the contents of a Data Lake Storage Gen1 account
-## View a Data Lake Storage Gen1 account's contents
-
-A Data Lake Storage Gen1 account's resources contain folders and files.
-
-The following steps illustrate how to view the contents of a Data Lake Storage Gen1 account within Storage Explorer:
+A Data Lake Storage Gen1 account's resources contain folders and files. The following steps show how to view the contents of a Data Lake Storage Gen1 account within Storage Explorer.
1. Open Storage Explorer.
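Review bot: In the new step text the reader is told to "Enter the URI", and the next added line says the tool browses to "the location of the URL that you just entered"; use URI in both places. The node is named "Data Lake Storage Gen1 (Preview)" and the command is "Connect to Data Lake Storage Gen1", while the screenshot alt text still refers to the "Connect to Data Lake Store" dialog box, so confirm which label the current UI shows and align the three.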
-2. In the left pane, expand the subscription that contains the Data Lake Storage Gen1 account that you want to view.
-3. Expand **Data Lake Store**.
-4. Right-click the Data Lake Storage Gen1 account node that you want to view, and then select **Open**. You can also double-click the Data Lake Storage Gen1 account to open it.
+1. Expand the subscription that contains the Data Lake Storage Gen1 account that you want to view.
+1. Expand **Data Lake Storage Gen1 (Preview)**.
+1. Select the Data Lake Storage Gen1 account that you want to view.
- The main pane displays the Data Lake Storage Gen1 account's contents.
+ The main pane displays the contents of the Data Lake Storage Gen1 account.
- ![Main pane with a list of folders](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-toolbar-mainpane.png)
+ ![Shows the main pane with the Data Lake Storage Gen1 account selected and a list of folders in the account](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-toolbar-mainpane.png)
## Manage resources in Data Lake Storage Gen1
You can manage Data Lake Storage Gen1 resources by doing following operations:
* Browse through Data Lake Storage Gen1 resources across multiple Data Lake Storage Gen1 accounts. * Use a connection string to connect to and manage Data Lake Storage Gen1 directly.
-* View Data Lake Storage Gen1 resources shared by others through an ACL under **Local and Attached**.
+* View Data Lake Storage Gen1 resources shared by others through an ACL under **Local & Attached**.
* Perform file and folder CRUD operations: support recursive folders and multi-selected files. * Drag, drop, and add a folder to quickly access recent locations. This operation mirrors the desktop File Explorer experience. * Copy and open a Data Lake Storage Gen1 hyperlink in Storage Explorer with one click.
-* Display Activity Log in the lower-right pane to view activity status.
+* Display the **Activities** log in the lower pane to view activity status.
* Display folder statistics and file properties. ## Manage resources in Azure Storage Explorer
After you create a Data Lake Storage Gen1 account, you can:
* Pin to **Quick Access**, create a new folder, copy a URL, and select all. * Copy and paste, rename, delete, get folder statistics, and refresh.
-The following items illustrate how to manage resources within a Data Lake Storage Gen1 account. Follow the steps for the task that you want to perform.
+The following items show how to manage resources in a Data Lake Storage Gen1 account. Follow the steps for the task that you want to do.
### Upload files
-1. On the main pane's toolbar, select **Upload**, and then select **Upload Files** on the drop-down menu.
-
- !["Upload Files" menu item](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-upload-files-menu.png)
-
-2. In the **Select files to upload** dialog box, select the files that you want to upload.
-
- ![Dialog box for uploading files](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-upload-files-dialog.png)
+1. On the main pane's toolbar, select **Upload**, and then select **Upload Files**.
+1. In the **Select files to upload** dialog box, select the files that you want to upload.
+1. Select **Open** to begin the upload.
-3. Select **Open** to begin the upload.
+> [!NOTE]
+> You can also directly drag the files on a local computer to start uploading.
### Upload a folder
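Review bot: The added note "You can also directly drag the files on a local computer to start uploading" does not say where to drop the files, and "on a local computer" reads as if the drag stays within the local machine. Suggest wording it as dragging files from the local computer into Storage Explorer and naming the drop target; the same applies to the matching note under Upload a folder.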
-1. On the main pane's toolbar, select **Upload**, and then select **Upload Folder** on the drop-down menu.
-
- !["Upload Folder" menu item](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-upload-folder-menu.png)
-
-2. In the **Select folder to upload** dialog box, select a folder that you want to upload. Then click **Select Folder**.
-
- ![Dialog box for uploading folders](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-upload-folder-dialog.png)
-
- The upload starts.
-
- ![Dialog box with the upload in progress](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-upload-folder-drag.png)
+1. On the main pane's toolbar, select **Upload**, and then select **Upload Folder**.
+1. In the **Select folder to upload** dialog box, select the folder that you want to upload.
+1. Select **Select Folder** to begin the upload.
> [!NOTE]
-> You can directly drag the folders and files on a local computer to start uploading.
+> You can also directly drag a folder on a local computer to start uploading.
### Download folders or files to your local computer 1. Select the folders or files that you want to download.
-2. On the main pane's toolbar, select **Download**.
-3. In the **Select a folder to save the downloaded files into** dialog box, specify the location and the name.
-4. Select **Save**.
+1. On the main pane's toolbar, select **Download**.
+1. In the **Select a folder to save the downloaded files into** dialog box, specify the location and the name.
+1. Select **Save**.
### Open a folder or file from your local computer 1. Select the folder or file that you want to open.
-2. On the main pane's toolbar, select **Open**. Or right-click the selected folder or file, and then select **Open** on the shortcut menu.
+1. On the main pane's toolbar, select **Open**. Or, right-click the selected folder or file, and then select **Open** on the shortcut menu.
-The file is downloaded and opened through the application that's associated with the underlying file type. Or the folder is opened in the main pane.
-
-![Opened file](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-open.png)
+The file is downloaded and opened through the application that's associated with the underlying file type. Or, the folder is opened in the main pane.
### Copy folders or files to the clipboard
-1. Select the folders or files that you want to copy.
-2. On the main pane's toolbar, select **Copy**. Or right-click the selected folders or files, and then select **Copy** on the shortcut menu.
-3. In the left pane, browse to another Data Lake Storage Gen1 account, and double-click it to view it in the main pane.
-4. On the main pane's toolbar, select **Paste** to create a copy. Or select **Paste** on the destination's shortcut menu.
+You can copy Data Lake Storage Gen1 folders or files and paste them in another Data Lake Storage Gen1 account. Copy and paste operations across storage types aren't supported. For example, you can't copy Data Lake Storage Gen1 folders or files and paste them to Azure Blob storage or the other way around.
-![Selections for copying a folder](./media/data-lake-store-in-storage-explorer/storageexplorer-adls-copy-paste.png)
+1. Select the folders or files that you want to copy.
+1. On the main pane's toolbar, select **Copy**. Or, right-click the selected folders or files, and then select **Copy** on the shortcut menu.
+1. In the navigation pane, browse to another Data Lake Storage Gen1 account, and select it to view it in the main pane.
+1. On the main pane's toolbar, select **Paste** to create a copy. Or, select **Paste** on the destination's shortcut menu.
> [!NOTE]
-> Copy/paste operations across s