Updates from: 06/08/2022 01:20:22
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Relyingparty https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/relyingparty.md
The following example shows a **RelyingParty** element in the *B2C_1A_signup_sig
<UserJourneyBehaviors> <SingleSignOn Scope="Tenant" KeepAliveInDays="7"/> <SessionExpiryType>Rolling</SessionExpiryType>
- <SessionExpiryInSeconds>300</SessionExpiryInSeconds>
+ <SessionExpiryInSeconds>900</SessionExpiryInSeconds>
<JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="your-application-insights-key" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" /> <ContentDefinitionParameters> <Parameter Name="campaignId">{OAUTH-KV:campaignId}</Parameter>
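Review bot: the bump from `<SessionExpiryInSeconds>300</SessionExpiryInSeconds>` to `900` changes the example's idle timeout from 5 to 15 minutes without any text saying why; since this snippet is the only place readers see the value, and it sits next to `<SessionExpiryType>Rolling</SessionExpiryType>` and `KeepAliveInDays="7"`, add one sentence stating what the value controls and the supported range (if 300 was below the minimum, say so) so readers do not copy it as an arbitrary number. The same snippet carries `DeveloperMode="true"` and the placeholder `InstrumentationKey="your-application-insights-key"`; mark both as sample values not intended for a production policy.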
active-directory Application Provisioning Config Problem Scim Compatibility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility.md
Previously updated : 08/25/2021 Last updated : 05/25/2022
The provisioning service uses the concept of a job to operate against an applica
If you are using an application in the gallery, the job generally contains the name of the app (e.g. zoom snowFlake, dataBricks, etc.). You can skip this documentation when using a gallery application. This primarily applies for non-gallery applications with jobID SCIM or customAppSSO. ## SCIM 2.0 compliance issues and status
-In the table below, any item marked as fixed means that the proper behavior can be found on the SCIM job. We have worked to ensure backwards compatibility for the changes we have made. However, we do not recommend implementing old behavior. We recommend using the new behavior for any new implementations and updating existing implementations.
+In the table below, any item marked as fixed means that the proper behavior can be found on the SCIM job. We have worked to ensure backwards compatibility for the changes we have made. We recommend using the new behavior for any new implementations and updating existing implementations. Please note that the customappSSO behavior that was the default prior to December 2018 is not supported anymore.
> [!NOTE]
-> For the changes made in 2018, you can revert back to the customappsso behavior. For the changes made since 2018, you can use the URLs to revert back to the older behavior. We have worked to ensure backwards compatibility for the changes we have made by allowing you to revert back to the old jobID or by using a flag. However, as previously mentioned, we do not recommend implementing old behavior. We recommend using the new behavior for any new implementations and updating existing implementations.
+> For the changes made in 2018, it is possible to revert back to the customappsso behavior. For the changes made since 2018, you can use the URLs to revert back to the older behavior. We have worked to ensure backwards compatibility for the changes we have made by allowing you to revert back to the old jobID or by using a flag. However, as previously mentioned, we do not recommend implementing old behavior as it is not supported anymore. We recommend using the new behavior for any new implementations and updating existing implementations.
| **SCIM 2.0 compliance issue** | **Fixed?** | **Fix date** | **Backwards compatibility** | ||||
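Review bot: the new sentence in the first paragraph, "the customappSSO behavior that was the default prior to December 2018 is not supported anymore", contradicts the NOTE directly below it, which still says "For the changes made in 2018, it is possible to revert back to the customappsso behavior", so readers are told the behavior is both unsupported and available; state plainly that reverting is technically possible but unsupported (no fixes, may be removed), or drop the revert guidance. The job ID is also spelled three ways in the hunk (`customAppSSO` in the intro, `customappSSO` in the paragraph, `customappsso` in the note); pick the form the portal shows and use it throughout.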
active-directory How To Migrate Mfa Server To Azure Mfa With Federation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa-with-federation.md
This section covers final steps before migrating user phone numbers.
### Set federatedIdpMfaBehavior to enforceMfaByFederatedIdp
-For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. Each federated domain has a Microsoft Graph PowerShell security setting named **federatedIdpMfaBehavior**. You can set **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` so Azure AD accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Azure AD redirects the request to the federated identity provider to perform MFA. For more information, see [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values).
+For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. Each federated domain has a Microsoft Graph PowerShell security setting named **federatedIdpMfaBehavior**. You can set **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` so Azure AD accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Azure AD redirects the request to the federated identity provider to perform MFA. For more information, see [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values&preserve-view=true ).
>[!NOTE] > The **federatedIdpMfaBehavior** setting is an evolved version of the **SupportsMfa** property of the [Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet](/powershell/module/msonline/set-msoldomainfederationsettings).
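Review bot: the rewritten link target `#federatedidpmfabehavior-values&preserve-view=true )` has two problems: `&preserve-view=true` is appended after the `#` fragment, where a URL parser treats it as part of the fragment rather than as a query parameter, so the anchor `federatedidpmfabehavior-values&preserve-view=true` will not match the heading; and there is a stray space before the closing parenthesis. Write `?view=graph-rest-beta&preserve-view=true#federatedidpmfabehavior-values)` instead, which is the ordering the `device-update?view=graph-rest-1.0&tabs=http&preserve-view=true` edit later in this batch uses correctly.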
active-directory Howto Mfa Adfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-adfs.md
If your organization is federated with Azure Active Directory, use Azure AD Multi-Factor Authentication or Active Directory Federation Services (AD FS) to secure resources that are accessed by Azure AD. Use the following procedures to secure Azure Active Directory resources with either Azure AD Multi-Factor Authentication or Active Directory Federation Services. >[!NOTE]
->Set the domain setting [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values) to `enforceMfaByFederatedIdp` (recommended) or **SupportsMFA** to `$True`. The **federatedIdpMfaBehavior** setting overrides **SupportsMFA** when both are set.
+>Set the domain setting [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values&preserve-view=true) to `enforceMfaByFederatedIdp` (recommended) or **SupportsMFA** to `$True`. The **federatedIdpMfaBehavior** setting overrides **SupportsMFA** when both are set.
## Secure Azure AD resources using AD FS
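Review bot: same fragment/query ordering problem as in the MFA Server migration article: `#federatedidpmfabehavior-values&preserve-view=true)` puts the query parameter inside the fragment, so neither the anchor nor `preserve-view` takes effect; write `?view=graph-rest-beta&preserve-view=true#federatedidpmfabehavior-values)`. The note's recommendation is otherwise unchanged and correct; the `>[!NOTE]` marker fused onto the end of the intro line should start its own line.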
active-directory Tutorial Enable Sspr Writeback https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/tutorial-enable-sspr-writeback.md
+adobe-target: true
# Customer intent: As an Azure AD Administrator, I want to learn how to enable and use password writeback so that when end-users reset their password through a web browser their updated password is synchronized back to my on-premises AD environment.
active-directory How To Create Custom Queries https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-custom-queries.md
This article describes how you can use the **Audit** dashboard in Permissions Ma
1. In the **Audit** dashboard, load the query you want to duplicate. 2. Select the ellipses menu **(…)** on the far right, and then select **Duplicate**.
- CloudKnox creates a copy of the query. Both the copy of the query and the original query display in the **Saved Queries** list.
+ Permissions Management creates a copy of the query. Both the copy of the query and the original query display in the **Saved Queries** list.
You can rename the original or copy of the query, change it, and save it without changing the other query.
active-directory Product Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-integrations.md
Title: View integration information about an authorization system in CloudKnox Permissions Management
-description: View integration information about an authorization system in CloudKnox Permissions Management.
+ Title: View integration information about an authorization system in Permissions Management
+description: View integration information about an authorization system in Permissions Management.
# View integration information about an authorization system > [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Entra Permissions Management is currently in PREVIEW.
> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-The **Integrations** dashboard in CloudKnox Permissions Management (CloudKnox) allows you to view all your authorization systems in one place, and to ensure all applications are functioning as one. This information helps improve quality and performance as a whole.
+The **Integrations** dashboard in Permissions Management allows you to view all your authorization systems in one place, and to ensure all applications are functioning as one. This information helps improve quality and performance as a whole.
## Display integration information about an authorization system
-Refer to the **Integration** subpages in CloudKnox for information about available authorization systems for integration.
+Refer to the **Integration** subpages in Permissions Management for information about available authorization systems for integration.
1. To display the **Integrations** dashboard, select **User** (your initials) in the upper right of the screen, and then select **Integrations.**
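Review bot: the rename is applied inconsistently within this hunk: the title and description become "Permissions Management" but the IMPORTANT box becomes "Entra Permissions Management", so the page now uses two names for one product; pick one convention (the full name on first mention, the short form afterwards) and apply it across the other files in this batch, which show the same split.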
Refer to the **Integration** subpages in CloudKnox for information about availab
## Available integrated authorization systems
-The following authorization systems may be listed in the **Integrations** dashboard, depending on which systems are integrated into the CloudKnox application.
+The following authorization systems may be listed in the **Integrations** dashboard, depending on which systems are integrated into the Permissions Management application.
-- **ServiceNow**: Manages digital workflows for enterprise operations, and the CloudKnox integration allows you to request and approve permissions through the ServiceNow ticketing workflow.-- **Splunk**: Searches, monitors, and analyzes machine-generated data, and the CloudKnox integration enables exporting usage analytics data, alerts, and logs.-- **HashiCorp Terraform**: CloudKnox enables the generation of least-privilege policies through the Hashi Terraform provider.-- **CloudKnox API**: The CloudKnox application programming interface (API) provides access to CloudKnox features.
+- **ServiceNow**: Manages digital workflows for enterprise operations, and the Permissions Management integration allows you to request and approve permissions through the ServiceNow ticketing workflow.
+- **Splunk**: Searches, monitors, and analyzes machine-generated data, and the Permissions Management integration enables exporting usage analytics data, alerts, and logs.
+- **HashiCorp Terraform**: Permissions Management enables the generation of least-privilege policies through the Hashi Terraform provider.
+- **Permissions Management API**: The Permissions Management application programming interface (API) provides access to Permissions Management features.
- **Saviynt**: Enables you to view Identity entitlements and usage inside the Saviynt console. - **Securonix**: Enables exporting usage analytics data, alerts, and logs.
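Review bot: `Hashi Terraform provider` in the HashiCorp bullet is an informal abbreviation that survived the rename; write `HashiCorp Terraform provider`. The unchanged Saviynt and Securonix items are still run together on one line while the renamed items were split into separate bullets; split them the same way so the list renders consistently.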
The following authorization systems may be listed in the **Integrations** dashbo
<!## Next steps>
-<![Installation overview](cloudknox-installation.md)>
-<![Configure integration with the CloudKnox API](cloudknox-integration-api.md)>
-<![Sign up and deploy FortSentry in your organization](cloudknox-fortsentry-registration.md)>
+<![Installation overview](installation.md)>
+<![Configure integration with the Permissions Management API](integration-api.md)>
+<![Sign up and deploy FortSentry in your organization](fortsentry-registration.md)>
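Review bot: the commented-out Next steps links use `<!...>` rather than the HTML comment form `<!-- ... -->`; an HTML parser treats `<!` without `--` as a bogus comment and Markdown renderers vary, so lines such as `<![Installation overview](installation.md)>` may render as literal text. Either convert them to `<!-- [Installation overview](installation.md) -->` or remove the block until the target pages exist, and confirm that `installation.md`, `integration-api.md` and `fortsentry-registration.md` exist under the renamed paths, since a broken link inside a comment is easy to miss.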
active-directory Product Permissions Analytics Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-permissions-analytics-reports.md
Title: Generate and download the Permissions analytics report in CloudKnox Permissions Management
-description: How to generate and download the Permissions analytics report in CloudKnox Permissions Management.
+ Title: Generate and download the Permissions analytics report in Permissions Management
+description: How to generate and download the Permissions analytics report in Permissions Management.
# Generate and download the Permissions analytics report > [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Entra Permissions Management is currently in PREVIEW.
> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-This article describes how to generate and download the **Permissions analytics report** in CloudKnox Permissions Management (CloudKnox).
+This article describes how to generate and download the **Permissions analytics report** in Permissions Management.
> [!NOTE] > This topic applies only to Amazon Web Services (AWS) users. ## Generate the Permissions analytics report
-1. In the CloudKnox home page, select the **Reports** tab, and then select the **Systems Reports** subtab.
+1. In the Permissions Management home page, select the **Reports** tab, and then select the **Systems Reports** subtab.
The **Systems Reports** subtab displays a list of reports the **Reports** table. 1. Find **Permissions Analytics Report** in the list, and to download the report, select the down arrow to the right of the report name, or from the ellipses **(...)** menu, select **Download**.
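Review bot: same naming split as the other files in this batch: the IMPORTANT box says "Entra Permissions Management" while the title, description and body say "Permissions Management". While the step list is being edited, fix the pre-existing context line "displays a list of reports the **Reports** table", which is missing "in".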
active-directory Product Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-reports.md
Title: View system reports in the Reports dashboard in CloudKnox Permissions Management
-description: How to view system reports in the Reports dashboard in CloudKnox Permissions Management.
+ Title: View system reports in the Reports dashboard in Permissions Management
+description: How to view system reports in the Reports dashboard in Permissions Management.
# View system reports in the Reports dashboard > [!IMPORTANT]
-> CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
+> Entra Permissions Management is currently in PREVIEW.
> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-CloudKnox Permissions Management (CloudKnox) has various types of system report types available that capture specific sets of data. These reports allow management to:
+Permissions Management has various types of system report types available that capture specific sets of data. These reports allow management to:
- Make timely decisions. - Analyze trends and system/user performance.
The **Reports** dashboard provides a table of information with both system repor
## Available system reports
-CloudKnox offers the following reports for management associated with the authorization systems noted in parenthesis:
+Permissions Management offers the following reports for management associated with the authorization systems noted in parenthesis:
- **Access Key Entitlements And Usage**: - **Summary of report**: Provides information about access key, for example, permissions, usage, and rotation date.
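Review bot: the rewritten intro keeps "has various types of system report types available", which says "types" twice; "offers several system report types" reads better. In the later sentence, "authorization systems noted in parenthesis" should be "parentheses". The naming split appears here too: "Entra Permissions Management" in the IMPORTANT box versus "Permissions Management" elsewhere.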
active-directory Training Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/training-videos.md
Title: CloudKnox Permissions Management training videos
-description: CloudKnox Permissions Management training videos.
+ Title: Permissions Management training videos
+description: Permissions Management training videos.
Last updated 04/20/2022
-# CloudKnox Permissions Management training videos
+# Entra Permissions Management training videos
-To view step-by-step training videos on how to use CloudKnox Permissions Management (CloudKnox) features, select a link below.
+To view step-by-step training videos on how to use Permissions Management features, select a link below.
-## Onboard CloudKnox in your organization
+## Onboard Permissions Management in your organization
-### Enable CloudKnox in your Azure Active Directory (Azure AD) tenant
+### Enable Permissions Management in your Azure Active Directory (Azure AD) tenant
-To view a video on how to enable CloudKnox in your Azure AD tenant, select [Enable CloudKnox in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).
+To view a video on how to enable Permissions Management in your Azure AD tenant, select [Enable Permissions Management in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).
### Configure and onboard Amazon Web Services (AWS) accounts
-To view a video on how to configure and onboard Amazon Web Services (AWS) accounts in CloudKnox, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE).
+To view a video on how to configure and onboard Amazon Web Services (AWS) accounts in Permissions Management, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE).
### Configure and onboard Google Cloud Platform (GCP) accounts
-To view a video on how to configure and onboard Google Cloud Platform (GCP) accounts in CloudKnox, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28).
+To view a video on how to configure and onboard Google Cloud Platform (GCP) accounts in Permissions Management, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28).
## Next steps -- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](overview.md)-- For a list of frequently asked questions (FAQs) about CloudKnox, see [FAQs](faqs.md).-- For information on how to start viewing information about your authorization system in CloudKnox, see [View key statistics and data about your authorization system](ui-dashboard.md).
+- For an overview of Permissions Management, see [What's Permissions Management?](overview.md)
+- For a list of frequently asked questions (FAQs) about Permissions Management, see [FAQs](faqs.md).
+- For information on how to start viewing information about your authorization system in Permissions Management, see [View key statistics and data about your authorization system](ui-dashboard.md).
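Review bot: the H1 becomes "Entra Permissions Management training videos" while the front-matter title in the same hunk becomes "Permissions Management training videos"; the two should match. `Last updated 04/20/2022` was not bumped although the content changed, unlike the other files in this batch. The GCP link `watch?app=desktop&v=W3epcOaec28` carries a client-specific `app=desktop` parameter that can be dropped so the URL matches the form of the other two video links.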
active-directory Concept Condition Filters For Devices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-condition-filters-for-devices.md
There are multiple scenarios that organizations can now enable using filter for
- **Restrict access to privileged resources**. For this example, lets say you want to allow access to Microsoft Azure Management from a user who is assigned a privilged role Global Admin, has satisfied multifactor authentication and accessing from a device that is [privileged or secure admin workstations](/security/compass/privileged-access-devices) and attested as compliant. For this scenario, organizations would create two Conditional Access policies: - Policy 1: All users with the directory role of Global administrator, accessing the Microsoft Azure Management cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant.
- - Policy 2: All users with the directory role of Global administrator, accessing the Microsoft Azure Management cloud app, excluding a filter for devices using rule expression device.extensionAttribute1 equals SAW and for Access controls, Block. Learn how to [update extensionAttributes on an Azure AD device object](/graph/api/device-update?tabs=http&view=graph-rest-1.0).
+ - Policy 2: All users with the directory role of Global administrator, accessing the Microsoft Azure Management cloud app, excluding a filter for devices using rule expression device.extensionAttribute1 equals SAW and for Access controls, Block. Learn how to [update extensionAttributes on an Azure AD device object](/graph/api/device-update?view=graph-rest-1.0&tabs=http&preserve-view=true).
- **Block access to organization resources from devices running an unsupported Operating System**. For this example, lets say you want to block access to resources from Windows OS version older than Windows 10. For this scenario, organizations would create the following Conditional Access policy: - All users, accessing all cloud apps, excluding a filter for devices using rule expression device.operatingSystem equals Windows and device.operatingSystemVersion startsWith "10.0" and for Access controls, Block. - **Do not require multifactor authentication for specific accounts on specific devices**. For this example, lets say you want to not require multifactor authentication when using service accounts on specific devices like Teams phones or Surface Hub devices. For this scenario, organizations would create the following two Conditional Access policies:
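Review bot: the link reorder to `?view=graph-rest-1.0&tabs=http&preserve-view=true` is correct (query parameters before any fragment) and is the form the other `preserve-view` edits in this batch should follow. The surrounding context lines carry pre-existing typos worth fixing in the same commit: "privilged" and three occurrences of "lets say" (should be "let's say").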
active-directory Concept Conditional Access Session https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-session.md
Organizations can use this control to require Azure AD to pass device informatio
For more information on the use and configuration of app-enforced restrictions, see the following articles: - [Enabling limited access with SharePoint Online](/sharepoint/control-access-from-unmanaged-devices)-- [Enabling limited access with Exchange Online](/microsoft-365/security/office-365-security/secure-email-recommended-policies?view=o365-worldwide#limit-access-to-exchange-online-from-outlook-on-the-web)
+- [Enabling limited access with Exchange Online](/microsoft-365/security/office-365-security/secure-email-recommended-policies?view=o365-worldwide#limit-access-to-exchange-online-from-outlook-on-the-web&preserve-view=true)
## Conditional Access application control
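Review bot: `#limit-access-to-exchange-online-from-outlook-on-the-web&preserve-view=true)` appends the query parameter after the fragment; a browser treats everything after `#` as the fragment, so the anchor will not resolve and `preserve-view` is not read. Move it into the query string: `?view=o365-worldwide&preserve-view=true#limit-access-to-exchange-online-from-outlook-on-the-web)`.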
active-directory Msal Net Acquire Token Silently https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-acquire-token-silently.md
Last updated 07/16/2019 -+ #Customer intent: As an application developer, I want to learn how how to use the AcquireTokenSilent method so I can acquire tokens from the cache.
When you acquire an access token using the Microsoft Authentication Library for .NET (MSAL.NET), the token is cached. When the application needs a token, it should first call the `AcquireTokenSilent` method to verify if an acceptable token is in the cache. In many cases, it's possible to acquire another token with more scopes based on a token in the cache. It's also possible to refresh a token when it's getting close to expiration (as the token cache also contains a refresh token).
-For authentication flows that require a user interaction, MSAL caches the access, refresh, and ID tokens, as well as the `IAccount` object, which represents information about a single account. Learn more about [IAccount](/dotnet/api/microsoft.identity.client.iaccount?view=azure-dotnet). For application flows, such as [client credentials](msal-authentication-flows.md#client-credentials), only access tokens are cached, because the `IAccount` object and ID token require a user, and the refresh token is not applicable.
+For authentication flows that require a user interaction, MSAL caches the access, refresh, and ID tokens, as well as the `IAccount` object, which represents information about a single account. Learn more about [IAccount](/dotnet/api/microsoft.identity.client.iaccount?view=azure-dotnet&preserve-view=true). For application flows, such as [client credentials](msal-authentication-flows.md#client-credentials), only access tokens are cached, because the `IAccount` object and ID token require a user, and the refresh token is not applicable.
The recommended pattern is to call the `AcquireTokenSilent` method first. If `AcquireTokenSilent` fails, then acquire a token using other methods.
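Review bot: the link change is correctly ordered (`?view=azure-dotnet&preserve-view=true`, no fragment). The unchanged Customer intent line above it reads "how how to use the AcquireTokenSilent method"; drop the duplicated word while the file is open.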
active-directory Scenario Desktop Acquire Token Wam https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-desktop-acquire-token-wam.md
Previously updated : 08/25/2021 Last updated : 06/07/2022 #Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
MSAL 4.25+ supports WAM on UWP, .NET Classic, .NET Core 3.1, and .NET 5.
For .NET Classic and .NET Core 3.1, WAM functionality is fully supported but you have to add a reference to [Microsoft.Identity.Client.Desktop](https://www.nuget.org/packages/Microsoft.Identity.Client.Desktop/) package, alongside MSAL, and instead of `WithBroker()`, call `.WithWindowsBroker()`.
-For .NET 5, target `net5.0-windows10.0.17763.0` (or higher) and not just `net5.0`. Your app will still run on older versions of Windows if you add `<SupportedOSPlatformVersion>7</SupportedOSPlatformVersion>` in the csproj. MSAL will use a browser when WAM is not available.
+For .NET 5, target `net5.0-windows10.0.17763.0` (or higher) and not just `net5.0`. Your app will still run on older versions of Windows if you add `<SupportedOSPlatformVersion>7</SupportedOSPlatformVersion>` in the csproj. MSAL will use a browser when WAM isn't available.
## WAM value proposition Using an authentication broker such as WAM has numerous benefits. -- Enhanced security (your app does not have to manage the powerful refresh token)
+- Enhanced security (your app doesn't have to manage the powerful refresh token)
- Better support for Windows Hello, Conditional Access and FIDO keys - Integration with Windows' "Email and Accounts" view - Better Single Sign-On (users don't have to reenter passwords)
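Review bot: the first benefit, "Enhanced security (your app doesn't have to manage the powerful refresh token)", leaves "powerful" doing all the work; say what the broker takes off the app (it holds the refresh token on the app's behalf, so the app never stores it) so the security claim is concrete and checkable. The contraction edits in this hunk are fine.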
Using an authentication broker such as WAM has numerous benefits.
## WAM limitations -- B2C and ADFS authorities are not supported. MSAL will fallback to a browser.-- Available on Win10+ and Win Server 2019+. On Mac, Linux and earlier Windows MSAL will fallback to a browser.
+- B2C and ADFS authorities aren't supported. MSAL will fall back to a browser.
+- Available on Win10+ and Win Server 2019+. On Mac, Linux, and earlier versions of Windows, MSAL will fall back to a browser.
- Not available on Xbox. ## WAM calling pattern
catch (MsalUiRequiredException) // no change in the pattern
} ```
-Call `.WithBroker(true)`. If a broker is not present (e.g. Win8.1, Mac, or Linux), then MSAL will fallback to a browser! Redirect URI rules apply to the browser.
+Call `.WithBroker(true)`. If a broker isn't present (for example, Win8.1, Mac, or Linux), then MSAL will fall back to a browser. Redirect URI rules apply to the browser.
## Redirect URI
-WAM redirect URIs do not need to be configured in MSAL, but they must be configured in the app registration.
+WAM redirect URIs don't need to be configured in MSAL, but they must be configured in the app registration.
### Win32 (.NET framework / .NET 5)
ms-appx-web://microsoft.aad.brokerplugin/{client_id}
## Token cache persistence
-It's important to persist MSAL's token cache because MSAL needs to save internal WAM account IDs there. Without it, restarting the app means that `GetAccounts` API will miss some of the accounts. Note that on UWP, MSAL knows where to save the token cache.
+It's important to persist MSAL's token cache because MSAL needs to save internal WAM account IDs there. Without it, restarting the app means that `GetAccounts` API will miss some of the accounts. On UWP, MSAL knows where to save the token cache.
## GetAccounts `GetAccounts` returns accounts of users who have previously logged in interactively into the app.
-In addition to this, WAM can list the OS-wide Work and School accounts configured in Windows (for Win32 apps but not for UWP apps). To opt-into this feature, set `ListWindowsWorkAndSchoolAccounts` in `WindowsBrokerOptions` to **true**. You can enable it as below.
+In addition, WAM can list the OS-wide Work and School accounts configured in Windows (for Win32 apps but not for UWP apps). To opt-into this feature, set `ListWindowsWorkAndSchoolAccounts` in `WindowsBrokerOptions` to **true**. You can enable it as below.
```csharp .WithWindowsBrokerOptions(new WindowsBrokerOptions()
In addition to this, WAM can list the OS-wide Work and School accounts configure
``` >[!NOTE]
-> Microsoft (i.e. outlook.com etc.) accounts will not be listed in Win32 nor UWP for privacy reasons.
+> Microsoft (outlook.com etc.) accounts will not be listed in Win32 nor UWP for privacy reasons.
Applications cannot remove accounts from Windows! ## RemoveAsync -- Removes all account information from MSAL's token cache (this includes MSA - i.e. personal accounts - account info and other account information copied by MSAL into its cache).
+- Removes all account information from MSAL's token cache (this includes MSA, that is, personal accounts information copied by MSAL into its cache).
- Removes app-only (not OS-wide) accounts. >[!NOTE]
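Review bot: the rewritten RemoveAsync bullet, "this includes MSA, that is, personal accounts information copied by MSAL into its cache", has a grammar slip ("personal account information") and silently drops "and other account information" from the removed line, which narrows what the method is said to clear; keep the broader wording unless the narrowing is deliberate. In the preceding hunk, "If a broker isn't present ... MSAL will fall back to a browser. Redirect URI rules apply to the browser" is the security-relevant sentence of the page, yet the Redirect URI section lists only the broker URI `ms-appx-web://microsoft.aad.brokerplugin/{client_id}`; state which redirect URI the browser fallback uses so the app registration covers both paths. Also add "the" before `GetAccounts` API in the token cache paragraph.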
Applications cannot remove accounts from Windows!
## Other considerations -- WAM's interactive operations require being on the UI thread. MSAL throws a meaningful exception when not on UI thread. This does NOT apply to console apps.
+- WAM's interactive operations require being on the UI thread. MSAL throws a meaningful exception when not on UI thread. This doesn't apply to console apps.
- `WithAccount` provides an accelerated authentication experience if the MSAL account was originally obtained via WAM, or, WAM can find a work and school account in Windows.-- WAM is not able to pre-populate the username field with a login hint, unless a Work and School account with the same username is found in Windows.
+- WAM isn't able to pre-populate the username field with a login hint, unless a Work and School account with the same username is found in Windows.
- If WAM is unable to offer an accelerated authentication experience, it will show an account picker. Users can add new accounts. !["WAM account picker"](media/scenario-desktop-acquire-token-wam/wam-account-picker.png) -- New accounts are automatically remembered by Windows. Work and School have the option of joining the organization's directory or opting out completely, in which case the account will not appear under "Email & Accounts". Microsoft accounts are automatically added to Windows. Apps cannot list these accounts programmatically (but only through the Account Picker).
+- New accounts are automatically remembered by Windows. Work and School have the option of joining the organization's directory or opting out completely, in which case the account won't appear under "Email & Accounts". Microsoft accounts are automatically added to Windows. Apps can't list these accounts programmatically (but only through the Account Picker).
## Troubleshooting
-### "Either the user cancelled the authentication or the WAM Account Picker crashed because the app is running in an elevated process" error message
+### "Either the user canceled the authentication or the WAM Account Picker crashed because the app is running in an elevated process" error message
When an app that uses MSAL is run as an elevated process, some of these calls within WAM may fail due to different process security levels. Internally MSAL.NET uses native Windows methods ([COM](/windows/win32/com/the-component-object-model)) to integrate with WAM. Starting with version 4.32.0, MSAL will display a descriptive error message when it detects that the app process is elevated and WAM returned no accounts.
-One solution is to not run the app as elevated, if possible. Another solution is for the app developer to call `WindowsNativeUtils.InitializeProcessSecurity` method when the app starts up. This will set the security of the processes used by WAM to the same levels. See [this sample app](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/master/tests/devapps/WAM/NetCoreWinFormsWam/Program.cs#L18-L21) for an example. However, note, that this solution is not guaranteed to succeed to due external factors like the underlying CLR behavior. In that case, an `MsalClientException` will be thrown. See issue [#2560](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2560) for additional information.
+One solution is to not run the app as elevated, if possible. Another solution is for the app developer to call `WindowsNativeUtils.InitializeProcessSecurity` method when the app starts up. This will set the security of the processes used by WAM to the same levels. See [this sample app](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/master/tests/devapps/WAM/NetCoreWinFormsWam/Program.cs#L18-L21) for an example. However, note, that this solution isn't guaranteed to succeed to due external factors like the underlying CLR behavior. In that case, an `MsalClientException` will be thrown. For more information, see issue [#2560](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2560).
### "WAM Account Picker did not return an account" error message
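Review bot: the rewritten line "However, note, that this solution isn't guaranteed to succeed to due external factors like the underlying CLR behavior" keeps the transposed "to due" from the original; it should read "due to external factors", and the stray comma after "note" can go ("However, note that this solution isn't guaranteed to succeed due to external factors...").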
active-directory B2b Quickstart Invite Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-quickstart-invite-powershell.md
If you donΓÇÖt have an Azure subscription, create a [free account](https://azure
## Prerequisites ### PowerShell Module
-Install the [Microsoft Graph Identity Sign-ins module](/powershell/module/microsoft.graph.identity.signins/?view=graph-powershell-beta) (Microsoft.Graph.Identity.SignIns) and the [Microsoft Graph Users module](/powershell/module/microsoft.graph.users/?view=graph-powershell-beta) (Microsoft.Graph.Users).
+Install the [Microsoft Graph Identity Sign-ins module](/powershell/module/microsoft.graph.identity.signins/?view=graph-powershell-beta&preserve-view=true) (Microsoft.Graph.Identity.SignIns) and the [Microsoft Graph Users module](/powershell/module/microsoft.graph.users/?view=graph-powershell-beta&preserve-view=true) (Microsoft.Graph.Users).
### Get a test email account
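Review bot: `preserve-view=true` is the right companion to an explicit `view=` pin, but both links still point at the `graph-powershell-beta` view; for a quickstart, confirm that the beta module reference is intended rather than the v1.0 module, since a beta pin will need revisiting once the cmdlets move out of beta.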
active-directory Leave The Organization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/leave-the-organization.md
+adobe-target: true
# Leave an organization as a B2B collaboration user
active-directory Recover From Deletions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/recover-from-deletions.md
# Recover from deletions
-This article addresses recovering from soft and hard deletions in your Azure AD tenant. If you havenΓÇÖt already done so, we recommend first reading the [Recoverability best practices article](recoverability-overview.md) for foundational knowledge.
+This article addresses recovering from soft and hard deletions in your Azure Active Directory (Azure AD) tenant. If you haven't already done so, read [Recoverability best practices](recoverability-overview.md) for foundational knowledge.
## Monitor for deletions
-The [Azure AD Audit Log](../reports-monitoring/concept-audit-logs.md) contains information on all delete operations performed in your tenant. We recommend that you export these logs to a security information and event management (SIEM) tool such as [Microsoft Sentinel](../../sentinel/overview.md). You can also use Microsoft Graph to audit changes and build a custom solution to monitor differences over time. For more information on finding deleted items using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0. ](/graph/api/directory-deleteditems-list?tabs=http)
+The [Azure AD Audit log](../reports-monitoring/concept-audit-logs.md) contains information on all delete operations performed in your tenant. Export these logs to a security information and event management tool such as [Microsoft Sentinel](../../sentinel/overview.md).
-### Audit log
+You can also use Microsoft Graph to audit changes and build a custom solution to monitor differences over time. For more information on how to find deleted items by using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0](/graph/api/directory-deleteditems-list?tabs=http).
-The Audit Log always records a "Delete \<object\>" event when an object in the tenant is removed from an active state by either a soft or hard deletion.
+### Audit log
-[![Screenshot of audit log showing deletions](./media/recoverability/delete-audit-log.png)](./media/recoverability/delete-audit-log.png#lightbox)
+The Audit log always records a "Delete \<object\>" event when an object in the tenant is removed from an active state by either a soft or hard deletion.
+[![Screenshot that shows an Audit log with deletions.](./media/recoverability/delete-audit-log.png)](./media/recoverability/delete-audit-log.png#lightbox)
-
-A delete event for applications, users, and Microsoft 365 Groups is a soft delete. For any other object type, it's a hard delete. Track the occurrence of hard-delete events by comparing "Delete \<object\>" events with the type of object that has been deleted, noting those that do not support soft-delete. In addition, note "Hard Delete \<object\>" events.
-
+A delete event for applications, users, and Microsoft 365 Groups is a soft delete. For any other object type, it's a hard delete. Track the occurrence of hard-delete events by comparing "Delete \<object\>" events with the type of object that was deleted. Note the events that don't support soft delete. Also note "Hard Delete \<object\>" events.
| Object type | Activity in log| Result | | - | - | - |
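Review bot: in the rewritten paragraph starting "A delete event for applications, users, and Microsoft 365 Groups is a soft delete", the sentence "Note the events that don't support soft delete" shifts the subject from object types to events; it is the object type that lacks soft delete (the original said "noting those that do not support soft-delete" about the object types), so suggest "Note the object types that don't support soft delete."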
A delete event for applications, users, and Microsoft 365 Groups is a soft delet
| User| Hard delete user| Hard deleted | | Microsoft 365 Group| Delete group| Soft deleted | | Microsoft 365 Group| Hard delete group| Hard deleted |
-| All other objects| Delete ΓÇ£objectTypeΓÇ¥| Hard deleted |
-
+| All other objects| Delete "objectType"| Hard deleted |
> [!NOTE]
-> The audit log does not distinguish the group type of a deleted group. Only Microsoft 365 Groups are soft-deleted. If you see a Delete group entry, it may be the soft delete of a M365 group, or the hard delete of another type of group. **It is therefore important that your documentation of your known good state include the group type for each group in your organization**. To learn more about documenting your known good state, see [Recoverability best practices](recoverability-overview.md).
+> The Audit log doesn't distinguish the group type of a deleted group. Only Microsoft 365 Groups are soft deleted. If you see a Delete group entry, it might be the soft delete of a Microsoft 365 Group or the hard delete of another type of group.
+>
+>*It's important that your documentation of your known good state includes the group type for each group in your organization*. To learn more about documenting your known good state, see [Recoverability best practices](recoverability-overview.md).
+ ### Monitor support tickets
-A sudden increase in support tickets regarding access to a specific object may indicate that there has been a deletion. Because some objects have dependencies, deletion of a group used to access an application, an application itself, or a Conditional Access policy targeting an application can all cause broad sudden impact. If you see a trend like this, check to ensure that none of the objects required for access have been deleted.
+A sudden increase in support tickets about access to a specific object might indicate that a deletion occurred. Because some objects have dependencies, deletion of a group used to access an application, an application itself, or a Conditional Access policy that targets an application can all cause broad sudden impact. If you see a trend like this, check to ensure that none of the objects required for access were deleted.
## Soft deletions
-When objects such as users, Microsoft 365 groups, or application registrations are ΓÇ£soft deleted,ΓÇ¥ they enter a suspended state in which they aren't available for use by other services. In this state, items retain their properties and can be restored for 30 days. After 30 days, objects in the soft-deleted state are permanently or ΓÇ£hardΓÇ¥ deleted.
+When objects such as users, Microsoft 365 Groups, or application registrations are soft deleted, they enter a suspended state in which they aren't available for use by other services. In this state, items retain their properties and can be restored for 30 days. After 30 days, objects in the soft-deleted state are permanently, or hard, deleted.
> [!NOTE]
-> Objects cannot be restored from a hard-deleted state. They must be recreated and reconfigured.
-
+> Objects can't be restored from a hard-deleted state. They must be re-created and reconfigured.
+ ### When soft deletes occur
-It's important to understand why object deletions occur in your environment to prepare for them. This section outlines frequent scenarios for soft deletion by object class. Keep in mind there may be scenarios your organization sees which are unique to your organization so a discovery process is key to preparation.
+It's important to understand why object deletions occur in your environment so that you can prepare for them. This section outlines frequent scenarios for soft deletion by object class. You might see scenarios that are unique to your organization, so a discovery process is key to preparation.
### Users
-Users enter the soft delete state anytime the user object is deleted by using the Azure portal, Microsoft Graph, or PowerShell.
+Users enter the soft-delete state anytime the user object is deleted by using the Azure portal, Microsoft Graph, or PowerShell.
The most frequent scenarios for user deletion are:
-* An administrator intentionally deletes a user in the Azure AD portal in response to a request, or as part of routine user maintenance.
-
-* An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you may have a script that removes users who haven't signed in for a specified time period.
-
-* A user is moved out of scope for synchronization with Azure Active Directory (Azure AD) connect.
-
-* A user is removed in an HR system and is deprovisioned via an automated workflow.
+* An administrator intentionally deletes a user in the Azure AD portal in response to a request or as part of routine user maintenance.
+* An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you might have a script that removes users who haven't signed in for a specified time.
+* A user is moved out of scope for synchronization with Azure AD Connect.
+* A user is removed from an HR system and is deprovisioned via an automated workflow.
### Microsoft 365 Groups The most frequent scenarios for Microsoft 365 Groups being deleted are:
-* An administrator intentionally deletes the group, for example in response to a support request.
-
-* An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you may have a script that deletes groups that haven't been accessed or attested to by the group owner for a specific period of time.
-
-* Non-adminsΓÇÖ unintentional deletion of a group they own.
--
+* An administrator intentionally deletes the group, for example, in response to a support request.
+* An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you might have a script that deletes groups that haven't been accessed or attested to by the group owner for a specified time.
+* Unintentional deletion of a group owned by non-admins.
### Application objects and service principals The most frequent scenarios for application deletion are:
-* An administrator intentionally deletes the application, for example in response to a support request.
-
-* An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you may want a process for deleting abandoned applications that are no longer used or managed. In general, create an offboarding process for applications rather than scripting to avoid unintentional deletions.
+* An administrator intentionally deletes the application, for example, in response to a support request.
+* An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you might want a process for deleting abandoned applications that are no longer used or managed. In general, create an offboarding process for applications rather than scripting to avoid unintentional deletions.
### Properties maintained with soft delete - | Object type| Important properties maintained | | - | - |
-| Users (including external users)| **All properties maintained**, including ObjectID, group memberships, roles, licenses, application assignments. |
-| Microsoft 365 Groups| **All properties maintained**, including ObjectID, group memberships, licenses, application assignments |
-| Application Registration| **All properties maintained.** (See additional information following this table.) |
----
-When you delete an application, the application registration by default enters the soft-delete state. To understand the relationship between application registrations and service principals, see [Apps & service principals in Azure AD - Microsoft identity platform](/azure/active-directory/develop/app-objects-and-service-principals).
-
+| Users (including external users)| *All properties are maintained*, including ObjectID, group memberships, roles, licenses, and application assignments. |
+| Microsoft 365 Groups| *All properties are maintained*, including ObjectID, group memberships, licenses, and application assignments. |
+| Application registration| *All properties are maintained.* (See more information after this table.) |
+When you delete an application, the application registration by default enters the soft-delete state. To understand the relationship between application registrations and service principals, see [Apps and service principals in Azure AD - Microsoft identity platform](/azure/active-directory/develop/app-objects-and-service-principals).
## Recover from soft deletion
-You can restore soft deleted items in the Azure portal or with Microsoft Graph.
+You can restore soft-deleted items in the Azure portal or with Microsoft Graph.
### Users
-You can see soft-deleted users in the Azure portal on the Users ΓÇô Deleted users page.
-
-![screenshot showing restoring users in the Azure portal](media/recoverability/deletion-restore-user.png)
+You can see soft-deleted users in the Azure portal on the **Users | Deleted users** page.
-For details on restoring users, see the following documentation:
+![Screenshot that shows restoring users in the Azure portal.](media/recoverability/deletion-restore-user.png)
-* See [Restore or permanently remove recently deleted user](active-directory-users-restore.md) for restoring in the Azure portal.
+For more information on how to restore users, see the following documentation:
-* See [Restore deleted item ΓÇô Microsoft Graph v1.0](/graph/api/directory-deleteditems-restore?tabs=http) for restoring with Microsoft Graph.
+* To restore from the Azure portal, see [Restore or permanently remove recently deleted user](active-directory-users-restore.md).
+* To restore by using Microsoft Graph, see [Restore deleted item ΓÇô Microsoft Graph v1.0](/graph/api/directory-deleteditems-restore?tabs=http).
### Groups
-You can see soft-deleted Microsoft 365 (Microsoft 365) Groups in the Azure portal in the Groups ΓÇô Deleted groups screen.
-
-![Screenshot showing restoring groups in the Azure portal.](media/recoverability/deletion-restore-groups.png)
-
+You can see soft-deleted Microsoft 365 Groups in the Azure portal on the **Groups | Deleted groups** page.
-For details on restoring soft deleted Microsoft 365 Groups, see the following documentation:
+![Screenshot that shows restoring groups in the Azure portal.](media/recoverability/deletion-restore-groups.png)
-* To restore from the Azure portal, see [Restore a deleted Microsoft 365 group. ](../enterprise-users/groups-restore-deleted.md)
+For more information on how to restore soft-deleted Microsoft 365 Groups, see the following documentation:
-* To restore by using Microsoft Graph, see [Restore deleted item ΓÇô Microsoft Graph v1.0](/graph/api/directory-deleteditems-restore?tabs=http).
+* To restore from the Azure portal, see [Restore a deleted Microsoft 365 Group](../enterprise-users/groups-restore-deleted.md).
+* To restore by using Microsoft Graph, see [Restore deleted item ΓÇô Microsoft Graph v1.0](/graph/api/directory-deleteditems-restore?tabs=http).
### Applications
-Applications have two objects, the application registration and the service principle. For more information on the differences between the registration and the service principal, see [Apps & service principals in Azure AD.](/azure/active-directory/develop/app-objects-and-service-principals)
+Applications have two objects: the application registration and the service principal. For more information on the differences between the registration and the service principal, see [Apps and service principals in Azure AD](/azure/active-directory/develop/app-objects-and-service-principals).
-To restore an application from the Azure portal, select App registrations, then deleted applications. Select the application registration to restore, and then select Restore app registration.
+To restore an application from the Azure portal, select **App registrations** > **Deleted applications**. Select the application registration to restore, and then select **Restore app registration**.
+
+[![Screenshot that shows the app registration restore process in the azure portal.](./media/recoverability/deletion-restore-application.png)](./media/recoverability/deletion-restore-application.png#lightbox)
-[![A screenshot showing the app registration restore process in the azure portal.](./media/recoverability/deletion-restore-application.png)](./media/recoverability/deletion-restore-application.png#lightbox)
-
## Hard deletions
-A ΓÇ£hard deletionΓÇ¥ is the permanent removal of an object from your Azure Active Directory (Azure AD) tenant. Objects that don't support soft delete are removed in this way. Similarly, soft deleted objects are hard deleted once the deletion time is 30 days ago. The only object types that support a soft delete are:
+A hard deletion is the permanent removal of an object from your Azure AD tenant. Objects that don't support soft delete are removed in this way. Similarly, soft-deleted objects are hard deleted after a deletion time of 30 days. The only object types that support a soft delete are:
* Users- * Microsoft 365 Groups- * Application registration > [!IMPORTANT]
-> All other item types are hard deleted. When an item is hard deleted it cannot be restored: it must be recreated. Neither administrators nor Microsoft can restore hard deleted items. It's important to prepare for this situation by ensuring that you have processes and documentation to minimize potential disruption from a hard delete.
-For information on preparing for and documenting current states, see [Recoverability best practices](recoverability-overview.md).
+> All other item types are hard deleted. When an item is hard deleted, it can't be restored. It must be re-created. Neither administrators nor Microsoft can restore hard-deleted items. Prepare for this situation by ensuring that you have processes and documentation to minimize potential disruption from a hard delete.
+>
+> For information on how to prepare for and document current states, see [Recoverability best practices](recoverability-overview.md).
### When hard deletes usually occur Hard deletes most often occur in the following circumstances.
-Moving from soft to hard delete
+Moving from soft to hard delete:
* A soft-deleted object wasn't restored within 30 days.
+* An administrator intentionally deletes an object in the soft delete state.
-* An administrator intentionally deletes an object in the soft delete state
-
-Directly hard deleted
+Directly hard deleted:
-* The object type deleted doesn't support soft delete.
-
-* An administrator chooses to permanently delete an item by using the portal, typically in response to a request.
-
-* An automation script triggers the deletion of the object by using Microsoft Graph or PowerShell. Use of an automation script to clean up stale objects isn't uncommon. Microsoft recommends a robust off-boarding process for objects in your tenant to avoid mistakes that may result in mass-deletion of critical objects.
+* The object type that was deleted doesn't support soft delete.
+* An administrator chooses to permanently delete an item by using the portal, which typically occurs in response to a request.
+* An automation script triggers the deletion of the object by using Microsoft Graph or PowerShell. Use of an automation script to clean up stale objects isn't uncommon. A robust off-boarding process for objects in your tenant helps you to avoid mistakes that might result in mass deletion of critical objects.
## Recover from hard deletion
-Hard deleted items must be recreated and reconfigured. It's best to avoid unwanted hard deletions.
+Hard-deleted items must be re-created and reconfigured. It's best to avoid unwanted hard deletions.
-### Review soft-deleted objects
+### Review soft-deleted objects
-Ensure you have a process to frequently review items in the soft delete state and restore them if appropriate. To do so, you should:
-
-* Frequently [list deleted items](/graph/api/directory-deleteditems-list?tabs=http).
+Ensure you have a process to frequently review items in the soft-delete state and restore them if appropriate. To do so, you should:
+* Frequently [list deleted items](/graph/api/directory-deleteditems-list?tabs=http).
* Ensure that you have specific criteria for what should be restored.
+* Ensure that you have specific roles or users assigned to evaluate and restore items as appropriate.
+* Develop and test a continuity management plan. For more information, see [Considerations for your Enterprise Business Continuity Management Plan](/compliance/assurance/assurance-developing-your-ebcm-plan).
-* Ensure that you have specific roles or users assigned to evaluating and restoring items as appropriate.
-
-* Develop and test a continuity management plan. For more information, see [Considerations for your Enterprise Business Continuity Management Plan. ](/compliance/assurance/assurance-developing-your-ebcm-plan)
--
-For more information on avoiding unwanted deletions, see the following topics in the [Recoverability best practices](recoverability-overview.md) article.
+For more information on how to avoid unwanted deletions, see the following topics in [Recoverability best practices](recoverability-overview.md):
* Business continuity and disaster planning- * Document known good states- * Monitoring and data retention
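Review bot: the rewritten Graph links on the two "To restore by using Microsoft Graph" lines keep an en dash in the link text ("Restore deleted item ΓÇô Microsoft Graph v1.0", as rendered here) while the rest of this change normalizes curly punctuation to ASCII and the sibling link earlier in the article reads "List deleted items - Microsoft Graph v1.0" with a plain hyphen; use the hyphen in both. Two smaller points in the same hunk: the new alt text "the app registration restore process in the azure portal" should read "Azure portal" to match the rest of the article, and "soft-deleted objects are hard deleted after a deletion time of 30 days" is harder to parse than the original wording; "are hard deleted 30 days after the deletion" keeps the meaning.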
active-directory Recover From Misconfigurations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/recover-from-misconfigurations.md
# Recover from misconfiguration
-Configuration settings in Azure Active Directory (Azure AD) can affect any resource in the Azure AD tenant through targeted or tenant-wide management actions.
+Configuration settings in Azure Active Directory (Azure AD) can affect any resource in the Azure AD tenant through targeted or tenant-wide management actions.
## What is configuration?
-Configurations are any changes in Azure AD that alter the behavior or capabilities of an Azure AD service or feature. For example, when you configure a Conditional Access policy you alter who can access the targeted applications and under what circumstances.
+Configurations are any changes in Azure AD that alter the behavior or capabilities of an Azure AD service or feature. For example, when you configure a Conditional Access policy, you alter who can access the targeted applications and under what circumstances.
-It's important to understand the configuration items that are important to your organization. The following configurations have a high impact on your security posture.
+You need to understand the configuration items that are important to your organization. The following configurations have a high impact on your security posture.
-### Tenant wide configurations
+### Tenant-wide configurations
-* **External identities**: Global administrators for the tenant identify and control the external identities that can be provisioned in the tenant.
+* **External identities**: Global administrators for the tenant identify and control the external identities that can be provisioned in the tenant. They determine:
* Whether to allow external identities in the tenant.-
- * From which domain(s) external identities can be added.
-
+ * From which domains external identities can be added.
* Whether users can invite users from other tenants.
-* **Named Locations**: Global administrators can create named locations, which can then be used to
+* **Named locations**: Global administrators can create named locations, which can then be used to:
* Block sign-ins from specific locations.
+ * Trigger Conditional Access policies like multifactor authentication.
- * Trigger conditional access policies such as MFA.
-
-* **Allowed authentication methods**: Global administrators set the authentication methods allowed for the tenant.
-
-* **Self-service options**. Global Administrators set self-service options such as self-service-password reset and create Office 365 groups at the tenant level.
+* **Allowed authentication methods**: Global administrators set the authentication methods allowed for the tenant.
+* **Self-service options**: Global administrators set self-service options like self-service password reset and create Office 365 groups at the tenant level.
The implementation of some tenant-wide configurations can be scoped, provided they aren't overridden by global administration policies. For example: * If the tenant is configured to allow external identities, a resource administrator can still exclude those identities from accessing a resource.- * If the tenant is configured to allow personal device registration, a resource administrator can exclude those devices from accessing specific resources.-
-* If named locations are configured, a resource administrator can configure policies either allowing or excluding access from those locations.
+* If named locations are configured, a resource administrator can configure policies that either allow or exclude access from those locations.
### Conditional Access configurations
-Conditional Access policies are access control configurations that bring together signals to make decisions and enforce organizational policies.
-
-![A screenshot showing user, location. Device, application, and risk signals coming together in conditional access policies.](media\recoverability\miscofigurations-conditional-accss-signals.png)
+Conditional Access policies are access control configurations that bring together signals to make decisions and enforce organizational policies.
+![Screenshot that shows user, location, device, application, and risk signals coming together in Conditional Access policies.](media\recoverability\miscofigurations-conditional-accss-signals.png)
-
-To learn more about Conditional Access policies, see [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+To learn more about Conditional Access policies, see [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md).
> [!NOTE]
-> While configuration alters the behavior or capabilities of an object or policy, not all changes to an object are configuration. You can change the data or attributes associated with an item, such as changing a userΓÇÖs address, without affecting the capabilities of that user object.
-## What is misconfiguration
+> While configuration alters the behavior or capabilities of an object or policy, not all changes to an object are configuration. You can change the data or attributes associated with an item, like changing a user's address, without affecting the capabilities of that user object.
+
+## What is misconfiguration?
-A misconfiguration is a configuration of a resource or policy that diverges from your organizational policies or plans and causes unintended or unwanted consequences.
+Misconfiguration is a configuration of a resource or policy that diverges from your organizational policies or plans and causes unintended or unwanted consequences.
A misconfiguration of tenant-wide settings or Conditional Access policies can seriously affect your security and the public image of your organization by:
-* Changing how administrators, tenant users, and external users interact with resources in your tenant.
+* Changing how administrators, tenant users, and external users interact with resources in your tenant:
* Unnecessarily limiting access to resources.- * Loosening access controls on sensitive resources.
-* Changing the ability of your users to interact with other tenants, and external users to interact with your tenant.
-
-* Causing denial of service, for example by not allowing customers to access their accounts.
-
+* Changing the ability of your users to interact with other tenants and external users to interact with your tenant.
+* Causing denial of service, for example, by not allowing customers to access their accounts.
* Breaking dependencies among data, systems, and applications resulting in business process failures. ### When does misconfiguration occur?
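Review bot: the Conditional Access signals image path (`media\recoverability\miscofigurations-conditional-accss-signals.png`) is carried over unchanged with backslash separators; markdown image paths should use forward slashes, and the misspellings in the filename ("miscofigurations", "accss") are worth a follow-up rename. Also in this hunk: the period added after the question-mark link title ("[What is Conditional Access in Azure Active Directory?](...).") renders as "?.", and "create Office 365 groups" in the self-service bullet is inconsistent with the "Microsoft 365 Groups" naming used in the companion deletions article.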
A misconfiguration of tenant-wide settings or Conditional Access policies can se
Misconfiguration is most likely to occur when: * A mistake is made during ad-hoc changes.- * A mistake is made as a result of troubleshooting exercises.-
-* Malicious intent by a bad actor.
+* An action was carried out with malicious intent by a bad actor.
## Prevent misconfiguration It's critical that alterations to the intended configuration of an Azure AD tenant are subject to robust change management processes, including: * Documenting the change, including prior state and intended post-change state.-
-* Using Privileged Identity Management (PIM) to ensure that administrators with intent to change must deliberately escalate their privileges to do so. To learn more about PIM, see [What is Privileged Identity Management?](../privileged-identity-management/pim-configure.md)
-
+* Using Privileged Identity Management (PIM) to ensure that administrators with intent to change must deliberately escalate their privileges to do so. To learn more about PIM, see [What is Privileged Identity Management?](../privileged-identity-management/pim-configure.md).
* Using a strong approval workflow for changes, for example, requiring [approval of PIM escalation of privileges](../privileged-identity-management/azure-ad-pim-approval-workflow.md). -- ## Monitor for configuration changes
-While you want to prevent misconfiguration, you can't set the bar for changes so high that it impacts administratorsΓÇÖ ability to perform their work efficiently.
+While you want to prevent misconfiguration, you can't set the bar for changes so high that it affects the ability of administrators to perform their work efficiently.
-Closely monitor for configuration changes by watching for the following operations in your [Azure AD Audit log](../reports-monitoring/concept-audit-logs.md).
+Closely monitor for configuration changes by watching for the following operations in your [Azure AD Audit log](../reports-monitoring/concept-audit-logs.md):
* Add- * Create
+* Update
+* Set
+* Delete
-* Update
-
-* Set
-
-* Delete
-
-The following table includes informative entries in the Audit Log you can look for.
+The following table includes informative entries in the Audit log you can look for.
### Conditional Access and authentication method configuration changes
-Conditional Access policies are created on the Conditional Access page in the Azure portal. Changes to policies are made in the Conditional Access policy details page for the policy.
+Conditional Access policies are created on the **Conditional Access** page in the Azure portal. Changes to policies are made on the **Conditional Access policy details** page for the policy.
| Service filter| Activities| Potential impacts | | - | - | - |
-| Conditional Access| Add, Update, or Delete Conditional Access policy| User access is granted or blocked when it shouldnΓÇÖt be. |
-| Conditional Access| Add, Update, or Delete Named location| Network locations consumed by CA Policy aren't configured as intended, creating gaps in CA Policy conditions. |
-| Authentication Method| Update Authentication methods policy| Users can use weaker authentication methods or are blocked from a method they should use |
-
+| Conditional Access| Add, update, or delete Conditional Access policy| User access is granted or blocked when it shouldnΓÇÖt be. |
+| Conditional Access| Add, update, or delete named location| Network locations consumed by the Conditional Access policy aren't configured as intended, which creates gaps in Conditional Access policy conditions. |
+| Authentication method| Update authentication methods policy| Users can use weaker authentication methods or are blocked from a method they should use. |
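Review bot: the rewritten row on L467 keeps the curly apostrophe in "shouldn't" (shown here as shouldnΓÇÖt) while the next table's rewrite on L483 normalizes "don't" to the straight form; since the rest of this rewrite uses straight apostrophes, make this one "shouldn't" too. Separately, the "Service filter" column exists so readers know which value to select in the Audit log filter, and L469 lowercases "Authentication Method" to "Authentication method" (L482-L488 and L494-L504 do the same for "Core Directory" and "Self-service group Management"); confirm the lowercased spellings match the labels the filter actually shows before changing them, otherwise keep the original casing in that column.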
### User and password reset configuration changes
-User settings changes are made in the Azure AD portal User settings page. Password Reset changes are made on the Password reset page. Changes made on these pages are captured in the audit log as detailed in the following table.
+User settings changes are made on the Azure AD portal **User settings** page. Password reset changes are made on the **Password reset** page. Changes made on these pages are captured in the Audit log as detailed in the following table.
| Service filter| Activities| Potential impacts | | - | - | - |
-| Core Directory| Update company settings| Users may or may not be able to register applications, contrary to intent. |
-| Core Directory| Set company information| Users may or may not be able to access the Azure AD administration portal contrary to intent. <br>Sign-in pages donΓÇÖt represent the company brand with potential damage to reputation |
-| Core Directory| **Activity**: Updated service principal<br>**Target**: 0365 LinkedIn connection| Users may/may not be able to connect their Azure AD account with LinkedIn contrary to intent. |
-| Self-service group Management| Update Myapps feature value| Users may/may not be able to use user features contrary to intent. |
-| Self-service group Management| Update ConvergedUXV2 feature value| Users may/may not be able to use user features contrary to intent. |
-| Self-service group Management| Update MyStaff feature value| Users may/may not be able to use user features contrary to intent. |
-| Core directory| **Activity**: Update service principal<br>**Target**: Microsoft password reset service| Users are able/unable to reset their password contrary to intent. <br>Users are required/not required to register for SSPR contrary to intent.<br> Users can reset their password using methods that are unapproved, for example by using security questions. |
--
+| Core directory| Update company settings| Users might or might not be able to register applications, contrary to intent. |
+| Core directory| Set company information| Users might or might not be able to access the Azure AD administration portal, contrary to intent. <br>Sign-in pages don't represent the company brand, with potential damage to reputation. |
+| Core directory| **Activity**: Updated service principal<br>**Target**: 0365 LinkedIn connection| Users might or might not be able to connect their Azure AD account with LinkedIn, contrary to intent. |
+| Self-service group management| Update MyApps feature value| Users might or might not be able to use user features, contrary to intent. |
+| Self-service group management| Update ConvergedUXV2 feature value| Users might or might not be able to use user features, contrary to intent. |
+| Self-service group management| Update MyStaff feature value| Users might or might not be able to use user features, contrary to intent. |
+| Core directory| **Activity**: Update service principal<br>**Target**: Microsoft password reset service| Users are able or unable to reset their password, contrary to intent. <br>Users are required or not required to register for self-service password reset, contrary to intent.<br> Users can reset their password by using methods that are unapproved, for example, by using security questions. |
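Review bot: L484 carries over the typo from L476 in the target name: "0365 LinkedIn connection" is written with a digit zero and should be "O365 LinkedIn connection" (or spelled out as Office 365); since the line is being rewritten anyway, fix it here. Also, L484 names the activity "Updated service principal" while L488 names it "Update service principal" for what reads as the same Audit log activity; use the exact activity string as it appears in the log in both rows so readers can filter on it.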
### External identities configuration changes
-You can make changes to these settings on the External identities or External collaboration settings pages in the Azure AD portal.
+You can make changes to these settings on the **External identities** or **External collaboration** settings pages in the Azure AD portal.
| Service filter| Activities| Potential impacts | | - | - | - |
-| Core Directory| Add, update, or delete a partner to cross-tenant access setting| Users have outbound access to tenants that should be blocked.<br>Users from external tenants who should be blocked have inbound access |
+| Core directory| Add, update, or delete a partner to cross-tenant access setting| Users have outbound access to tenants that should be blocked.<br>Users from external tenants who should be blocked have inbound access. |
| B2C| Create or delete identity provider| Identity providers for users who should be able to collaborate are missing, blocking access for those users. |
-| Core directory| Set directory feature on tenant| External users have greater/less visibility of directory objects than intended.<br>External users may/may not invite other external users to your tenant contrary to intent. |
-| Core Directory| Set federation settings on domain| External user invitations may/may not be sent to users in other tenants contrary to intent. |
-| AuthorizationPolicy| Update authorization policy| External user invitations may/may not be sent to users in other tenants contrary to intent. |
-| Core Directory| Update Policy| External user invitations may/may not be sent to users in other tenants contrary to intent. |
---
+| Core directory| Set directory feature on tenant| External users have greater or less visibility of directory objects than intended.<br>External users might or might not invite other external users to your tenant, contrary to intent. |
+| Core directory| Set federation settings on domain| External user invitations might or might not be sent to users in other tenants, contrary to intent. |
+| AuthorizationPolicy| Update authorization policy| External user invitations might or might not be sent to users in other tenants, contrary to intent. |
+| Core directory| Update policy| External user invitations might or might not be sent to users in other tenants, contrary to intent. |
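Review bot: L502, L503 and L504 give three different activities (Set federation settings on domain, Update authorization policy, Update policy) the identical potential impact, "External user invitations might or might not be sent to users in other tenants, contrary to intent." As written the reader cannot tell why the three activities are listed separately; each row, and the federation settings row in particular, should describe the effect of its own change. Minor: L503 keeps "AuthorizationPolicy" in its original form while the other service filter values in this table were lowercased; apply the same rule to all of them.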
### Custom role and mobility definition configuration changes -
-| Service filter| Activities / portal| Potential impacts |
+| Service filter| Activities/portal| Potential impacts |
| - |- | -|
-| Core Directory| Add role definition| Custom role scope is narrower or broader than intended |
-| PIM| Update role setting| Custom role scope is narrower or broader than intended |
-| Core Directory| Update role definition| Custom role scope is narrower or broader than intended |
-| Core Directory| Delete role definition| Custom role are missing |
-| Core Directory| Add delegated permission grant| Mobile Device Management (MDM) and/or Mobile Application Management (MAM) configuration is missing or misconfigured leading to the failure of device or application management |
+| Core directory| Add role definition| Custom role scope is narrower or broader than intended. |
+| PIM| Update role setting| Custom role scope is narrower or broader than intended. |
+| Core directory| Update role definition| Custom role scope is narrower or broader than intended. |
+| Core directory| Delete role definition| Custom roles are missing. |
+| Core directory| Add delegated permission grant| Mobile device management or mobile application management configuration is missing or misconfigured, which leads to the failure of device or application management. |
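Review bot: L507 renames the column to "Activities/portal", but none of the rows on L514-L518 names a portal page; every cell is an Audit log activity, so the header should be "Activities" as in the three tables above (L462, L473, L492). If the intent was to say where in the portal each change is made, that information needs to be added to the cells or, as the other sections do, stated in a sentence above the table.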
### Audit log detail view
-Selecting some audit entries in the Audit Log will provide you with details on the old and new configuration values. For example, for Conditional Access policy configuration changes you can see the information in the following screenshot.
-
-![A screenshot of audit log details for a change to a conditional access policy.](media/recoverability/misconfiguration-audit-log-details.png)
+Selecting some audit entries in the Audit log will provide you with details on the old and new configuration values. For example, for Conditional Access policy configuration changes, you can see the information in the following screenshot.
+![Screenshot that shows Audit log details for a change to a Conditional Access policy.](media/recoverability/misconfiguration-audit-log-details.png)
## Use workbooks to track changes
-There are several Azure Monitor workbooks that can help you to monitor configuration changes.
+Azure Monitor workbooks can help you monitor configuration changes.
-[The Sensitive Operations Report workbook](../reports-monitoring/workbook-sensitive-operations-report.md) can help identify suspicious application and service principal activity that may indicate a compromise, including:
+The [Sensitive operations report workbook](../reports-monitoring/workbook-sensitive-operations-report.md) can help identify suspicious application and service principal activity that might indicate a compromise, including:
-* Modified application or service principal credentials or authentication methods
+* Modified application or service principal credentials or authentication methods.
+* New permissions granted to service principals.
+* Directory role and group membership updates for service principals.
+* Modified federation settings.
-* New permissions granted to service principals
-
-* Directory role and group membership updates for service principals
-
-* Modified federation settings
-
-The [Cross-tenant access activity workbook ](../reports-monitoring/workbook-cross-tenant-access-activity.md)can help you monitor which applications in external tenants your users are accessing, and which applications I your tenant external users are accessing. Use this workbook to look for anomalous changes in either inbound or outbound application access across tenants.
+The [Cross-tenant access activity workbook](../reports-monitoring/workbook-cross-tenant-access-activity.md) can help you monitor which applications in external tenants your users are accessing and which applications your tenant external users are accessing. Use this workbook to look for anomalous changes in either inbound or outbound application access across tenants.
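Review bot: the fix on L542 drops a word. L541 read "which applications I your tenant external users are accessing", where "I" was a typo for "in"; L542 now reads "which applications your tenant external users are accessing", which makes "your tenant external users" the subject and changes the meaning. It should be "which applications in your tenant external users are accessing", which is exactly how the same sentence is written in recoverability-overview.md on L690.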
## Next steps
-For foundational information on recoverability, see [Recoverability best practices](recoverability-overview.md)
-
-for information on recovering from deletions, see [Recover from deletions](recover-from-deletions.md)
+- For foundational information on recoverability, see [Recoverability best practices](recoverability-overview.md).
+- For information on recovering from deletions, see [Recover from deletions](recover-from-deletions.md).
active-directory Recoverability Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/recoverability-overview.md
# Recoverability best practices
+Unintended deletions and misconfigurations will happen to your tenant. To minimize the impact of these unintended events, you must prepare for their occurrence.
-Unintended deletions and misconfigurations will happen to your tenant. To minimize the impact of these unintended events, you must prepare for their occurrence.
+Recoverability is the preparatory processes and functionality that enable you to return your services to a prior functioning state after an unintended change. Unintended changes include the soft or hard deletion or misconfiguration of applications, groups, users, policies, and other objects in your Azure Active Directory (Azure AD) tenant.
-Recoverability is the preparatory processes and functionality that enable you to return your services to a prior functioning state after an unintended change. Unintended changes include the soft- or hard-deletion or misconfiguration of applications, groups, users, policies, and other objects in your Azure Active Directory (Azure AD) tenant.
+Recoverability helps your organization be more resilient. Resilience, while related, is different. Resilience is the ability to endure disruption to system components and recover with minimal impact to your business, users, customers, and operations. For more information about how to make your systems more resilient, see [Building resilience into identity and access management with Azure Active Directory](resilience-overview.md).
-Recoverability helps your organization be more resilient. Resilience while related, is different. Resilience is the ability to endure disruption to system components and recover with minimal impact to your business, users, customers, and operations. For more information about making your systems more resilient, see [Building resilient identity and access management with Azure Active Directory](resilience-overview.md).
-
-This article describes the best practices in preparing for deletions and misconfigurations to minimize the unintended consequences to your organizationΓÇÖs business.
+This article describes the best practices in preparing for deletions and misconfigurations to minimize the unintended consequences to your organization's business.
## Deletions and misconfigurations
Deletions and misconfigurations have different impacts on your tenant.
The impact of deletions depends on the object type.
-Users, Microsoft 365 (Microsoft 365) Groups, and applications can be ΓÇ£soft deleted.ΓÇ¥ Soft deleted items are sent to the Azure AD recycle bin. While in the recycle bin, items are not available for use. However, they retain all their properties, and can be restored via a Microsoft Graph API call, or in the Azure AD portal. Items in the soft delete state that aren't restored within 30 days, are permanently or ΓÇ£hard deleted.ΓÇ¥
+Users, Microsoft 365 Groups, and applications can be soft deleted. Soft-deleted items are sent to the Azure AD recycle bin. While in the recycle bin, items aren't available for use. However, they retain all their properties and can be restored via a Microsoft Graph API call or in the Azure AD portal. Items in the soft-delete state that aren't restored within 30 days are permanently, or hard, deleted.
-![Screenshot showing that users, Microsoft 365 groups, and applications are soft deleted, and then hard deleted after 30 days.](media/recoverability/overview-deletes.png)
+![Diagram that shows that users, Microsoft 365 Groups, and applications are soft deleted and then hard deleted after 30 days.](media/recoverability/overview-deletes.png)
> [!IMPORTANT]
-> All other object types are hard deleted immediately when selected for deletion. When an object is hard deleted, it cannot be recovered. It must be recreated and reconfigured.
-For more information on deletions and how to recover from them, see [Recover from deletions](recover-from-deletions.md).
+> All other object types are hard deleted immediately when they're selected for deletion. When an object is hard deleted, it can't be recovered. It must be re-created and reconfigured.
+>
+>For more information on deletions and how to recover from them, see [Recover from deletions](recover-from-deletions.md).
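Review bot: the "## Deletions and misconfigurations" section (L560) places the deletion material on L562-L572 directly under the section heading and then introduces a "### Misconfigurations" subheading on L573 for the second half; add a matching "### Deletions" subheading before L562 so the two halves of the section are parallel.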
### Misconfigurations
-Configurations are any changes in Azure AD that alter the behavior or capabilities of an Azure AD service or feature. For example, when you configure a Conditional Access policy you alter who can access the targeted applications and under what circumstances. Tenant-wide configurations affect your entire tenant. Configurations of specific objects or services affect only that object and its dependencies.
+Misconfigurations are configurations of a resource or policy that diverge from your organizational policies or plans and cause unintended or unwanted consequences. Misconfiguration of tenant-wide settings or Conditional Access policies can seriously affect your security and the public image of your organization. Misconfigurations can:
-For more information on misconfigurations and how to recover from them, see [Recover from misconfigurations](recover-from-misconfigurations.md).
+* Change how administrators, tenant users, and external users interact with resources in your tenant.
+* Change the ability of your users to interact with other tenants and external users to interact with your tenant.
+* Cause denial of service.
+* Break dependencies among data, systems, and applications.
-## Shared responsibility
+For more information on misconfigurations and how to recover from them, see [Recover from misconfigurations](recover-from-misconfigurations.md).
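Review bot: the replacement on L575-L580 loses a distinction that L574 made and that nothing else in the file now states: tenant-wide configurations affect the entire tenant, while configurations of a specific object or service affect only that object and its dependencies. The new text mentions tenant-wide settings only in passing, lists "Break dependencies among data, systems, and applications" (L580), and the later "Map the dependencies among objects" section (L653) builds on the same idea, so keep one sentence along the lines of "Tenant-wide configurations affect your entire tenant; configurations of specific objects or services affect only that object and its dependencies." ahead of the bullet list. The new definition of misconfiguration itself is an improvement and should stay.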
-Recoverability is a shared responsibility between Microsoft as your cloud service provider, and your organization.
+## Shared responsibility
-![Screenshot that shows shared responsibilities between Microsoft and customers for planning and recovery.](media/recoverability/overview-shared-responsiblility.png)
+Recoverability is a shared responsibility between Microsoft as your cloud service provider and your organization.
+![Diagram that shows shared responsibilities between Microsoft and customers for planning and recovery.](media/recoverability/overview-shared-responsiblility.png)
You can use the tools and services that Microsoft provides to prepare for deletions and misconfigurations. ## Business continuity and disaster planning
-Restoring a hard deleted or misconfigured item is a resource-intensive process. You can minimize the resources needed by planning ahead. Consider having a specific team of admins in charge of restorations.
+Restoring a hard-deleted or misconfigured item is a resource-intensive process. You can minimize the resources needed by planning ahead. Consider having a specific team of admins in charge of restorations.
### Test your restoration process
-You should rehearse your restoration process for different object types, and the communication that will go out as a result. Be sure to do rehearse with test objects, ideally in a test tenant.
+Rehearse your restoration process for different object types and the communication that will go out as a result. Be sure to rehearse with test objects, ideally in a test tenant.
-Testing your plan can help you to determine the following:
+Testing your plan can help you determine the:
- Validity and completeness of your object state documentation.- - Typical time to resolution.- - Appropriate communications and their audiences.- - Expected successes and potential challenges. ### Create the communication process
-Create a process of pre-defined communications to make others aware of the issue and timelines for restoration. Include the following in your restoration communication plan.
--- The types of communications to go out. Consider creating pre-defined templates.
+Create a process of predefined communications to make others aware of the issue and timelines for restoration. Include the following points in your restoration communication plan:
-- Stakeholders to receive communications. Include the following as applicable:-
- - impacted business owners.
-
- - operational admins who will perform recovery.
+- The types of communications to go out. Consider creating predefined templates.
+- Stakeholders to receive communications. Include the following groups, as applicable:
+ - Affected business owners.
+ - Operational admins who will perform recovery.
- Business and technical approvers.
+ - Affected users.
- - Impacted users.
--- Define the events that trigger communications, such as---
+- Define the events that trigger communications, such as:
+ - Initial deletion.
+ - Impact assessment.
+ - Time to resolution.
+ - Restoration.
## Document known good states
-Document the state of your tenant and its objects regularly so that in the event of a hard delete or misconfiguration you have a road map to recovery. The following tools can help you in documenting your current state.
--- The [Microsoft Graph APIs](/graph/overview) can be used to export the current state of many Azure AD configurations.--- You can use the [Azure AD Exporter](https://github.com/microsoft/azureadexporter) to regularly export your configuration settings. --- The [Microsoft 365 desired state configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) module is a module of the PowerShell Desired State Configuration framework. It can be used to export the configurations for reference, and application of the prior state of many settings.--- The [Conditional Access APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) can be used to manage your Conditional Access policies as code.-
+Document the state of your tenant and its objects regularly. Then if a hard delete or misconfiguration occurs, you have a roadmap to recovery. The following tools can help you document your current state:
+- [Microsoft Graph APIs](/graph/overview) can be used to export the current state of many Azure AD configurations.
+- [Azure AD Exporter](https://github.com/microsoft/azureadexporter) is a tool you can use to export your configuration settings.
+- [Microsoft 365 Desired State Configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) is a module of the PowerShell Desired State Configuration framework. You can use it to export configurations for reference and application of the prior state of many settings.
+- [Conditional Access APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) can be used to manage your Conditional Access policies as code.
### Commonly used Microsoft Graph APIs
-The Microsoft Graph APIs can be used to export the current state of many Azure AD configurations. The APIs cover most scenarios where reference material about the prior state, or the ability to apply that state from an exported copy, could become vital to keep your business running.
-
-Graph APIs are highly customizable based on your organizational needs. To implement a solution for backups or reference material requires developers to engineer code to query for, store, and display the data. Many implementations use online code repositories as part of this functionality.
+You can use Microsoft Graph APIs to export the current state of many Azure AD configurations. The APIs cover most scenarios where reference material about the prior state, or the ability to apply that state from an exported copy, could become vital to keeping your business running.
-### Useful APIS for recovery
+Microsoft Graph APIs are highly customizable based on your organizational needs. To implement a solution for backups or reference material requires developers to engineer code to query for, store, and display the data. Many implementations use online code repositories as part of this functionality.
+### Useful APIs for recovery
| Resource types| Reference links | | - | - |
Graph APIs are highly customizable based on your organizational needs. To implem
| Conditional Access policies| [Conditional Access policy API](/graph/api/resources/conditionalaccesspolicy) | | Devices| [devices API](/graph/api/resources/device) | | Domains| [domains API](/graph/api/domain-list?tabs=http) |
-| Administrative Units| [administrativeUnit API)](/graph/api/resources/administrativeunit) |
-| Deleted Items*| [deletedItems API](/graph/api/resources/directory) |
-
+| Administrative units| [administrative unit API)](/graph/api/resources/administrativeunit) |
+| Deleted items*| [deletedItems API](/graph/api/resources/directory) |
-Securely store these configuration exports with access provided to a limited number of admins.
+*Securely store these configuration exports with access provided to a limited number of admins.
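Review bot: L639 keeps the stray closing parenthesis inside the link text that L636 already had, "[administrative unit API)](...)"; it should read "[administrativeUnit API](...)", matching the camelCase resource names used in the neighbouring rows ("deletedItems API", "devices API"). Also, L640 marks the row "Deleted items*" with an asterisk, but the footnote that L642 creates, "*Securely store these configuration exports with access provided to a limited number of admins.", is general guidance about every export, not something specific to deleted items. Either give the asterisk a footnote that says what is special about the deletedItems resource, or drop the marker and keep the storage advice as an ordinary sentence after the table.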
-The [Azure AD Exporter](https://github.com/microsoft/azureadexporter) can provide most of the documentation you'll need.
+The [Azure AD Exporter](https://github.com/microsoft/azureadexporter) can provide most of the documentation you need:
- Verify that you've implemented the desired configuration. - Use the exporter to capture current configurations. - Review the export, understand the settings for your tenant that aren't exported, and manually document them. - Store the output in a secure location with limited access. - > [!NOTE]
-> Settings in the legacy MFA portal, for Application Proxy and federation settings may not be exported with the Azure AD Exporter, or with the Graph API.
-The [Microsoft 365 desired state configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) module uses Microsoft Graph and PowerShell to retrieve the state of many of the configurations in Azure AD. This information can be used as reference information or, by using PowerShell Desired State Configuration scripting, to reapply a known-good state.
+> Settings in the legacy multifactor authentication portal for Application Proxy and federation settings might not be exported with the Azure AD Exporter, or with the Microsoft Graph API.
+The [Microsoft 365 Desired State Configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) module uses Microsoft Graph and PowerShell to retrieve the state of many of the configurations in Azure AD. This information can be used as reference information or, by using PowerShell Desired State Configuration scripting, to reapply a known good state.
- Use [Conditional Access Graph APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) to manage policies like code. Automate approvals to promote policies from preproduction environments, backup and restore, monitor change, and plan ahead for emergencies.
+ Use [Conditional Access Graph APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) to manage policies like code. Automate approvals to promote policies from preproduction environments, backup and restore, monitor change, and plan ahead for emergencies.
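Review bot: the rewording on L648 changes what the note claims. L646 listed three things that might not be exported: settings in the legacy MFA portal, Application Proxy settings, and federation settings. L648, "Settings in the legacy multifactor authentication portal for Application Proxy and federation settings", reads as though the legacy MFA portal holds the Application Proxy and federation settings. Suggest: "Settings in the legacy multifactor authentication portal, Application Proxy settings, and federation settings might not be exported with the Azure AD Exporter or with the Microsoft Graph API." Readers use this note to know what they must document by hand, so all three items need to stay visible.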
-### Map the dependencies among objects.
+### Map the dependencies among objects
-The deletion of some objects can cause a ripple effect due to dependencies. For example, deletion of a security group used for application assignment would result in users who were members of that group being unable to access the applications to which the group was assigned.
+The deletion of some objects can cause a ripple effect because of dependencies. For example, deletion of a security group used for application assignment would result in users who were members of that group being unable to access the applications to which the group was assigned.
#### Common dependencies -
-| Object Type| Potential Dependencies |
+| Object type| Potential dependencies |
| - | - |
-| Application object| Service Principal (Enterprise Application). <br>Groups assigned to the application. <br>Conditional Access Policies affecting the application. |
-| Service principals| Application object |
-| Conditional Access Policies| Users assigned to the policy.<br>Groups assigned to the policy.<br>Service Principal (Enterprise Application) targeted by the policy. |
-| Groups other than Microsoft 365 Groups| Users assigned to the group.<br>Conditional access policies to which the group is assigned.<br>Applications to which the group is assigned access. |
+| Application object| Service principal (enterprise application). <br>Groups assigned to the application. <br>Conditional Access policies affecting the application. |
+| Service principals| Application object. |
+| Conditional Access policies| Users assigned to the policy.<br>Groups assigned to the policy.<br>Service principal (enterprise application) targeted by the policy. |
+| Groups other than Microsoft 365 Groups| Users assigned to the group.<br>Conditional Access policies to which the group is assigned.<br>Applications to which the group is assigned access. |
## Monitoring and data retention
-The [Azure AD Audit Log](../reports-monitoring/concept-audit-logs.md) contains information on all delete and configuration operations performed in your tenant. We recommend that you export these logs to a security information and event management (SIEM) tool such as [Microsoft Sentinel](../../sentinel/overview.md). You can also use Microsoft Graph to audit changes, and build a custom solution to monitor differences over time. For more information on finding deleted items using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0 ](/graph/api/directory-deleteditems-list?tabs=http)
+The [Azure AD Audit log](../reports-monitoring/concept-audit-logs.md) contains information on all delete and configuration operations performed in your tenant. We recommend that you export these logs to a security information and event management tool such as [Microsoft Sentinel](../../sentinel/overview.md). You can also use Microsoft Graph to audit changes and build a custom solution to monitor differences over time. For more information on finding deleted items by using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0 ](/graph/api/directory-deleteditems-list?tabs=http).
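Review bot: L670 keeps the trailing space inside the link text from L669, "[List deleted items - Microsoft Graph v1.0 ]", which renders as a space before the closing bracket; remove it while the line is being edited. L670 also drops the "(SIEM)" abbreviation after "security information and event management tool"; the acronym is the term readers search for and is worth keeping on first use.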
### Audit logs
-The Audit Log always records a "Delete \<object\>" event when an object in the tenant is removed from an active state (either from active to soft-deleted or active to hard-deleted).
+The Audit log always records a "Delete \<object\>" event when an object in the tenant is removed from an active state, either from active to soft deleted or active to hard deleted.
-A Delete event for applications, users, and Microsoft 365 Groups is a soft delete. For any other object type it's a hard delete.
+A Delete event for applications, users, and Microsoft 365 Groups is a soft delete. For any other object type, it's a hard delete.
-| Object Type | Activity in log| Result |
+| Object type | Activity in log| Result |
| - | - | - | | Application| Delete application| Soft deleted | | Application| Hard delete application| Hard deleted |
A Delete event for applications, users, and Microsoft 365 Groups is a soft delet
| All other objects| Delete ΓÇ£objectTypeΓÇ¥| Hard deleted | > [!NOTE]
-> The audit log does not distinguish the group type of a deleted group. Only Microsoft 365 Groups are soft-deleted. If you see a Delete group entry, it may be the soft delete of a M365 group, or the hard delete of another type of group. It is therefore important that your documentation of your known good state include the group type for each group in your organization.
+> The Audit log doesn't distinguish the group type of a deleted group. Only Microsoft 365 Groups are soft deleted. If you see a Delete group entry, it might be the soft delete of a Microsoft 365 Group or the hard delete of another type of group. Your documentation of your known good state should include the group type for each group in your organization.
-For information on monitoring configuration changes, see [Recover from misconfigurations](recover-from-misconfigurations.md).
+For information on monitoring configuration changes, see [Recover from misconfigurations](recover-from-misconfigurations.md).
### Use workbooks to track configuration changes
-There are several Azure Monitor workbooks that can help you to monitor configuration changes.
-
-[The Sensitive Operations Report workbook](../reports-monitoring/workbook-sensitive-operations-report.md) can help identify suspicious application and service principal activity that may indicate a compromise, including:
--- Modified application or service principal credentials or authentication methods-- New permissions granted to service principals-- Directory role and group membership updates for service principals-- Modified federation settings-
-The [Cross-tenant access activity workbook ](../reports-monitoring/workbook-cross-tenant-access-activity.md)can help you monitor which applications in external tenants your users are accessing, and which applications in your tenant external users are accessing. Use this workbook to look for anomalous changes in either inbound or outbound application access across tenants.
-
-## Operational security
+Azure Monitor workbooks can help you monitor configuration changes.
-Preventing unwanted changes is far less difficult than needing to recreate and reconfigure objects. Include the following in your change management processes to minimize accidents:
+The [Sensitive operations report workbook](../reports-monitoring/workbook-sensitive-operations-report.md) can help identify suspicious application and service principal activity that might indicate a compromise, including:
-- Use a least privilege model. Ensure that each member of your team has the least privileges necessary to complete their usual tasks and require a process to escalate privileges for more unusual tasks.
+- Modified application or service principal credentials or authentication methods.
+- New permissions granted to service principals.
+- Directory role and group membership updates for service principals.
+- Modified federation settings.
-- Administrative control of an object enables configuration and deletion. Use Read Only admin roles, for example the Global Reader role, for any tasks that do not require operations to create, update, or delete (CRUD). When CRUD operations are required, use object specific roles when possible. For example, User Administrators can delete only users, and Application Administrators can delete only applications. Use these more limited roles whenever possible, instead of a Global Administrator role, which can delete anything, including the tenant.
+The [Cross-tenant access activity workbook ](../reports-monitoring/workbook-cross-tenant-access-activity.md)can help you monitor which applications in external tenants your users are accessing and which applications in your tenant external users are accessing. Use this workbook to look for anomalous changes in either inbound or outbound application access across tenants.
-- [Use Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md). PIM enables just-in-time escalation of privileges to perform tasks like hard deletion. You can configure PIM to have notifications and or approvals for the privilege escalation.
+## Operational security
+Preventing unwanted changes is far less difficult than needing to re-create and reconfigure objects. Include the following tasks in your change management processes to minimize accidents:
-## Next steps
+- Use a least privilege model. Ensure that each member of your team has the least privileges necessary to complete their usual tasks. Require a process to escalate privileges for more unusual tasks.
+- Administrative control of an object enables configuration and deletion. Use read-only admin roles, for example, the Global Reader role, for tasks that don't require operations to create, update, or delete (CRUD). When CRUD operations are required, use object-specific roles when possible. For example, User administrators can delete only users, and Application administrators can delete only applications. Use these more limited roles whenever possible, instead of a Global administrator role, which can delete anything, including the tenant.
+- [Use Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md). PIM enables just-in-time escalation of privileges to perform tasks like hard deletion. You can configure PIM to have notifications or approvals for the privilege escalation.
-[Recover from deletions](recover-from-deletions.md)
+## Next steps
-[Recover from misconfigurations](recover-from-misconfigurations.md)
+- [Recover from deletions](recover-from-deletions.md)
+- [Recover from misconfigurations](recover-from-misconfigurations.md)
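Review bot: the rewritten Cross-tenant access activity bullet carries over the malformed link from the original line, `[Cross-tenant access activity workbook ](../reports-monitoring/workbook-cross-tenant-access-activity.md)can help`, with a trailing space inside the link text and no space after the closing parenthesis; suggest `The [Cross-tenant access activity workbook](../reports-monitoring/workbook-cross-tenant-access-activity.md) can help`. In the Operational security bullets the role names now mix conventions, `Global Reader role` beside `User administrators`, `Application administrators` and `Global administrator`; pick one casing for all of them so readers searching the role list in the portal find the exact name. The Audit log note change is consistent with the table above it (only Microsoft 365 Groups are soft deleted), so no issue there.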
active-directory Reference Connect Sync Attributes Synchronized https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/reference-connect-sync-attributes-synchronized.md
In this case, start with the list of attributes in this topic and identify those
| st |X |X | | | | streetAddress |X |X | | | | telephoneNumber |X |X | | |
-| thumbnailphoto |X |X | |synced only once from Azure AD to Exchange Online after which Exchange Online becomes source of authority for this attribute and any later changes can't be synced from on-premise. See ([KB](https://support.microsoft.com/help/3062745/user-photos-aren-t-synced-from-the-on-premises-environment-to-exchange)) for more.|
+| thumbnailphoto |X |X | |synced only once from Azure AD to Exchange Online after which Exchange Online becomes source of authority for this attribute and any later changes can't be synced from on-premises. See ([KB](https://support.microsoft.com/help/3062745/user-photos-aren-t-synced-from-the-on-premises-environment-to-exchange)) for more.|
| title |X |X | | | | usageLocation |X | | |mechanical property. The userΓÇÖs country/region. Used for license assignment. | | userPrincipalName |X | | |UPN is the login ID for the user. Most often the same as [mail] value. |
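Review bot: the thumbnailphoto cell still wraps the KB link in an extra pair of parentheses, `See ([KB](https://support.microsoft.com/help/3062745/user-photos-aren-t-synced-from-the-on-premises-environment-to-exchange)) for more.`, which renders as `See (KB) for more.`; while this line is being touched for the on-premises fix, drop the outer parentheses and give the link descriptive text, for example `See the [KB article](...) for details.`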
active-directory App Management Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/app-management-videos.md
-+ Last updated 05/31/2022
active-directory Configure Authentication For Federated Users Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md
Use the previous example to get the **ObjectID** of the policy, and that of the
## Configuring policy through Graph Explorer
-Set the HRD policy using Microsoft Graph. See [homeRealmDiscoveryPolicy](/graph/api/resources/homeRealmDiscoveryPolicy?view=graph-rest-1.0) resource type for information on how to create the policy.
+Set the HRD policy using Microsoft Graph. See [homeRealmDiscoveryPolicy](/graph/api/resources/homeRealmDiscoveryPolicy?view=graph-rest-1.0&preserve-view=true) resource type for information on how to create the policy.
From the Microsoft Graph explorer window:
active-directory Bridgelineunbound Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/bridgelineunbound-tutorial.md
- Title: 'Tutorial: Azure Active Directory integration with Bridgeline Unbound | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and Bridgeline Unbound.
-------- Previously updated : 12/16/2020--
-# Tutorial: Azure Active Directory integration with Bridgeline Unbound
-
-In this tutorial, you'll learn how to integrate Bridgeline Unbound with Azure Active Directory (Azure AD). When you integrate Bridgeline Unbound with Azure AD, you can:
-
-* Control in Azure AD who has access to Bridgeline Unbound.
-* Enable your users to be automatically signed-in to Bridgeline Unbound with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
-
-## Prerequisites
-
-To configure Azure AD integration with Bridgeline Unbound, you need the following items:
-
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Bridgeline Unbound single sign-on enabled subscription
-
-## Scenario description
-
-In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-
-* Bridgeline supports **SP and IDP** initiated SSO
-* Bridgeline Unbound supports **Just In Time** user provisioning
-
-## Adding Bridgeline Unbound from the gallery
-
-To configure the integration of Bridgeline Unbound into Azure AD, you need to add Bridgeline Unbound from the gallery to your list of managed SaaS apps.
-
-1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
-1. On the left navigation pane, select the **Azure Active Directory** service.
-1. Navigate to **Enterprise Applications** and then select **All Applications**.
-1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **Bridgeline Unbound** in the search box.
-1. Select **Bridgeline Unbound** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
--
-## Configure and test Azure AD SSO for Bridgeline Unbound
-
-Configure and test Azure AD SSO with Bridgeline Unbound using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Bridgeline Unbound.
-
-To configure and test Azure AD SSO with Bridgeline Unbound, perform the following steps:
-
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-2. **[Configure Bridgeline Unbound SSO](#configure-bridgeline-unbound-sso)** - to configure the Single Sign-On settings on application side.
- 1. **[Create Bridgeline Unbound test user](#create-bridgeline-unbound-test-user)** - to have a counterpart of Britta Simon in Bridgeline Unbound that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-
-### Configure Azure AD SSO
-
-Follow these steps to enable Azure AD SSO in the Azure portal.
-
-1. In the Azure portal, on the **Bridgeline Unbound** application integration page, find the **Manage** section and select **single sign-on**.
-1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
-
- a. In the **Identifier** text box, type a URL using the following pattern:
- `iApps_UPSTT_<ENVIRONMENTNAME>`
-
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.iapps.com/SAMLAssertionService.aspx`
-
-5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
-
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.iapps.com/CommonLogin/login?<INSTANCENAME>`
-
- > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Bridgeline Unbound Client support team](mailto:support@iapps.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-
-6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/certificatebase64.png)
-
-7. On the **Set up Bridgeline Unbound** section, copy the appropriate URL(s) as per your requirement.
-
- ![Copy configuration URLs](common/copy-configuration-urls.png)
--
-### Create an Azure AD test user
-
-In this section, you'll create a test user in the Azure portal called B.Simon.
-
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Bridgeline Unbound.
-
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Bridgeline Unbound**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
-1. In the **Add Assignment** dialog, click the **Assign** button.
--
-## Configure Bridgeline Unbound SSO
-
-To configure single sign-on on **Bridgeline Unbound** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Bridgeline Unbound support team](mailto:support@iapps.com). They set this setting to have the SAML SSO connection set properly on both sides.
-
-### Create Bridgeline Unbound test user
-
-In this section, a user called Britta Simon is created in Bridgeline Unbound. Bridgeline Unbound supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Bridgeline Unbound, a new one is created after authentication.
-
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration with following options.
-
-#### SP initiated:
-
-* Click on **Test this application** in Azure portal. This will redirect to Bridgeline Unbound Sign on URL where you can initiate the login flow.
-
-* Go to Bridgeline Unbound Sign-on URL directly and initiate the login flow from there.
-
-#### IDP initiated:
-
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Bridgeline Unbound for which you set up the SSO
-
-You can also use Microsoft My Apps to test the application in any mode. When you click the Bridgeline Unbound tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Bridgeline Unbound for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
--
-## Next steps
-
-Once you configure Bridgeline Unbound you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).
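Review bot: the entire Bridgeline Unbound tutorial is deleted with no replacement shown, so any TOC entry, gallery listing or other article that links to bridgelineunbound-tutorial.md will break; the same change should add a redirect for the old path (to the app's gallery page or the generic SAML tutorial) and remove the TOC entry. The removed text itself says the app was added from the gallery, so confirm the gallery entry is also retired, otherwise customers will find an app with no configuration guidance.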
active-directory Igrafx Platform Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/igrafx-platform-tutorial.md
Previously updated : 02/18/2022 Last updated : 06/03/2022
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
1. On the **Basic SAML Configuration** section, perform the following steps:
Follow these steps to enable Azure AD SSO in the Azure portal.
| **Identifier** | |--|
- | `https://<CustomerName>.igrafxcloud.com/saml/metadata` |
- | `https://<CustomerName>.igrafxdemo.com/saml/metadata` |
- | `https://<CustomerName>.igrafxtraining.com/saml/metadata` |
- | `https://<CustomerName>.igrafx.com/saml/metadata` |
+ | `https://<SUBDOMAIN>.igrafxcloud.com/saml/metadata` |
+ | `https://<SUBDOMAIN>.igrafxdemo.com/saml/metadata` |
+ | `https://<SUBDOMAIN>.igrafxtraining.com/saml/metadata` |
+ | `https://<SUBDOMAIN>.igrafx.com/saml/metadata` |
b. In the **Reply URL** text box, type a URL using one of the following patterns: | **Reply URL** | ||
- | `https://<CustomerName>.igrafxcloud.com/` |
- | `https://<CustomerName>.igrafxdemo.com/` |
- | `https://<CustomerName>.igrafxtraining.com/` |
- | `https://<CustomerName>.igrafx.com/` |
+ | `https://<SUBDOMAIN>.igrafxcloud.com/` |
+ | `https://<SUBDOMAIN>.igrafxdemo.com/` |
+ | `https://<SUBDOMAIN>.igrafxtraining.com/` |
+ | `https://<SUBDOMAIN>.igrafx.com/` |
c. In the **Sign on URL** text box, type a URL using one of the following patterns: | **Sign on URL** | |-|
- | `https://<CustomerName>.igrafxcloud.com/` |
- | `https://<CustomerName>.igrafxdemo.com/` |
- | `https://<CustomerName>.igrafxtraining.com/` |
- | `https://<CustomerName>.igrafx.com/` |
+ | `https://<SUBDOMAIN>.igrafxcloud.com/` |
+ | `https://<SUBDOMAIN>.igrafxdemo.com/` |
+ | `https://<SUBDOMAIN>.igrafxtraining.com/` |
+ | `https://<SUBDOMAIN>.igrafx.com/` |
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [iGrafx Platform Client support team](mailto:support@igrafx.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. 1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
- ![The Certificate download link](common/copy-metadataurl.png)
+ ![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate")
### Create an Azure AD test user
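Review bot: the Reply URL table's separator row is `||` (in `| **Reply URL** | ||`), which is not a valid markdown header separator, so that table may render as plain text, while the Identifier and Sign on URL tables use `|--|` and `|-|`; use the same `|--|` row for all three. The `<CustomerName>` to `<SUBDOMAIN>` rename is applied consistently to all twelve patterns, and the spelled-out `S A M L` in the alt text is the screen-reader convention, so those are fine.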
active-directory Rackspacesso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/rackspacesso-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Rackspace SSO | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Rackspace SSO'
description: Learn how to configure single sign-on between Azure Active Directory and Rackspace SSO.
Previously updated : 05/14/2021 Last updated : 06/03/2022
-# Tutorial: Azure Active Directory integration with Rackspace SSO
+# Tutorial: Azure AD SSO integration with Rackspace SSO
In this tutorial, you'll learn how to integrate Rackspace SSO with Azure Active Directory (Azure AD). When you integrate Rackspace SSO with Azure AD, you can:
To configure Azure AD integration with Rackspace SSO, you need the following ite
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Rackspace SSO supports **SP** initiated SSO.
+* Rackspace SSO supports **IDP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
To configure and test Azure AD single sign-on with Rackspace SSO, you need to pe
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-2. **[Configure Rackspace SSO Single Sign-On](#configure-rackspace-sso-single-sign-on)** - to configure the Single Sign-On settings on application side.
+2. **[Configure Rackspace SSO](#configure-rackspace-sso)** - to configure the Single Sign-On settings on application side.
1. **[Set up Attribute Mapping in the Rackspace Control Panel](#set-up-attribute-mapping-in-the-rackspace-control-panel)** - to assign Rackspace roles to Azure AD users. 1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
-4. On the **Basic SAML Configuration** section, Upload the **Service Provider metadata file** which you can download from the [URL](https://login.rackspace.com/federate/sp.xml) and perform the following steps:
+4. On the **Basic SAML Configuration** section, upload the **Service Provider metadata file** which you can download from the [URL](https://login.rackspace.com/federate/sp.xml) and perform the following steps:
a. Click **Upload metadata file**.
- ![Screenshot shows Basic SAML Configuration with the Upload metadata file link.](common/upload-metadata.png)
+ ![Screenshot shows Basic S A M L Configuration with the Upload metadata file link.](common/upload-metadata.png "Metadata")
b. Click on **folder logo** to select the metadata file and click **Upload**.
- ![Screenshot shows a dialog box where you can select and upload a file.](common/browse-upload-metadata.png)
+ ![Screenshot shows a dialog box where you can select and upload a file.](common/browse-upload-metadata.png "Folder")
c. Once the metadata file is successfully uploaded, the necessary URLs get auto populated automatically.
- d. In the **Sign-on URL** text box, type the URL:
- `https://login.rackspace.com/federate/`
- 5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
This file will be uploaded to Rackspace to populate required Identity Federation configuration settings.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure Rackspace SSO Single Sign-On
+## Configure Rackspace SSO
To configure single sign-on on **Rackspace SSO** side: 1. See the documentation at [Add an Identity Provider to the Control Panel](https://developer.rackspace.com/docs/rackspace-federation/gettingstarted/add-idp-cp/) 1. It will lead you through the steps to:
- 1. Create a new Identity Provider
+ 1. Create a new Identity Provider.
1. Specify an email domain that users will use to identify your company when signing in. 1. Upload the **Federation Metadata XML** previously downloaded from the Azure control panel.
Rackspace uses an **Attribute Mapping Policy** to assign Rackspace roles and gro
* If you want to assign varying levels of Rackspace access using Azure AD groups, you will need to enable the Groups claim in the Azure **Rackspace SSO** Single Sign-on settings. The **Attribute Mapping Policy** will then be used to match those groups to desired Rackspace roles and groups:
- ![The Groups claim settings](common/sso-groups-claim.png)
+ ![Screenshot shows the Groups claim settings.](common/sso-groups-claim.png "Groups")
* By default, Azure AD sends the UID of Azure AD Groups in the SAML claim, versus the name of the Group. However, if you are synchronizing your on-premises Active Directory to Azure AD, you have the option to send the actual names of the groups:
- ![The Groups claim name settings](common/sso-groups-claims-names.png)
+ ![Screenshot shows the Groups claim name settings.](common/sso-groups-claims-names.png "Claims")
The following example **Attribute Mapping Policy** demonstrates: 1. Setting the Rackspace user's name to the `user.name` SAML claim. Any claim can be used, but it is most common to set this to a field containing the user's email address.
See the Rackspace [Attribute Mapping Basics documentation](https://developer.rac
## Test SSO
-In this section, you test your Azure AD single sign-on configuration with following options.
-
-* Click on **Test this application** in Azure portal. This will redirect to Rackspace SSO Sign-on URL where you can initiate the login flow.
+In this section, you test your Azure AD single sign-on configuration with following options.
-* Go to Rackspace SSO Sign-on URL directly and initiate the login flow from there.
+* Click on Test this application in Azure portal and you should be automatically signed in to the Rackspace SSO for which you set up the SSO.
-* You can use Microsoft My Apps. When you click the Rackspace SSO tile in the My Apps, this will redirect to Rackspace SSO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* You can use Microsoft My Apps. When you click the Rackspace SSO tile in the My Apps, you should be automatically signed in to the Rackspace SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
You can also use the **Validate** button in the **Rackspace SSO** Single sign-on settings:
- ![SSO Validate Button](common/sso-validate-sign-on.png)
+ ![Screenshot shows the SSO Validate Button.](common/sso-validate-sign-on.png "Validate")
## Next steps
-Once you configure Rackspace SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
+Once you configure Rackspace SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
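Review bot: the line `5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML**...` is removed with no `+` counterpart, yet the context line `This file will be uploaded to Rackspace to populate required Identity Federation configuration settings.` and the later step `Upload the **Federation Metadata XML** previously downloaded from the Azure control panel` still depend on it; if the step was only renumbered after sub-step d was dropped, the new line should appear as a `+` line, so confirm the download step survives. Two smaller points: the My Apps link now targets the relative path `../user-help/my-apps-portal-end-user-access.md`, whereas the Bridgeline tutorial removed earlier in this batch used the support.microsoft.com URL, so verify the relative target exists; and `the necessary URLs get auto populated automatically` is redundant, `are populated automatically` reads better.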
active-directory Rstudio Connect Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/rstudio-connect-tutorial.md
Previously updated : 09/14/2021 Last updated : 06/03/2022 # Tutorial: Azure AD SSO integration with RStudio Connect SAML Authentication
IdPAttributeProfile = azure
SSOInitiated = IdPAndSP ```
+If `IdPAttributeProfile = azure`,the profile sets the NameIDFormat to persistent, among other settings and overrides any other specified attributes defined in the configuration [file](https://docs.rstudio.com/connect/admin/authentication/saml/#the-azure-profile).
+
+This becomes an issue if you want to create a user ahead of time using the RStudio Connect API and apply permissions prior to the user logging in the first time. The NameIDFormat should be set to emailAddress or some other unique identifier because when it's set to persistent, then the value gets hashed and you don't know what the value is ahead of time. So using the API will not work.
+API for creating user for SAML: https://docs.rstudio.com/connect/api/#post-/v1/users
+
+So you may want to have this in your configuration file in this situation:
+
+```
+[SAML]
+NameIDFormat = emailAddress
+UniqueIdAttribute = NameID
+UsernameAttribute = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
+FirstNameAttribute = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
+LastNameAttribute = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
+EmailAttribute = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailAddress
+```
+ Store your **Server Address** in the `Server.Address` value, and the **App Federation Metadata Url** in the `SAML.IdPMetaData` value. Note that this sample configuration uses an unencrypted HTTP connection, while Azure AD requires the use of an encrypted HTTPS connection. You can either use a [reverse proxy](https://docs.rstudio.com/connect/admin/proxy/) in front of RStudio Connect SAML Authentication or configure RStudio Connect SAML Authentication to [use HTTPS directly](https://docs.rstudio.com/connect/admin/appendix/configuration/#HTTPS). If you have trouble with configuration, you can read the [RStudio Connect SAML Authentication Admin Guide](https://docs.rstudio.com/connect/admin/authentication/saml/) or email the [RStudio support team](mailto:support@rstudio.com) for help.
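Review bot: in the new `[SAML]` block, `EmailAttribute = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailAddress` has a capital A, but the default Azure AD SAML email claim is emitted as `.../emailaddress`, all lowercase like the `givenname` and `surname` URIs on the adjacent lines; a case mismatch leaves the email attribute unmapped, so verify against the app's claim configuration. The paragraph should also state the trade-off it implies: with `NameIDFormat = emailAddress` and `UniqueIdAttribute = NameID` the RStudio Connect identity is keyed on a mutable value, so a user whose email changes in Azure AD arrives as a new account, which is exactly the situation the persistent (hashed) format avoids; the text should say which stability property the reader is giving up to get pre-provisioning via the API. Minor: `azure`,the profile` is missing a space after the comma, `API for creating user for SAML: https://...` should be a markdown link rather than a bare URL, and `So using the API will not work.` would read better folded into the previous sentence.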
active-directory Tap App Security Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/tap-app-security-provisioning-tutorial.md
The scenario outlined in this tutorial assumes that you already have the followi
## Step 2. Configure TAP App Security to support provisioning with Azure AD
-Contact [TAP App Security support](mailto:support@tapappsecurity.com) in order to obtain a SCIM Token.
--
+1. Log in to [TAP App Security back-end control panel](https://app.tapappsecurity.com/).
+1. Navigate to **Single Sign On > Active Directory**.
+1. Click on the **Integrate Active Directory app** button. Then enter the domain of your organization and click **Save** button.
+ [![Screenshot on how to add domain.](media/tap-app-security-provisioning-tutorial/add-domain.png)](media/tap-app-security-provisioning-tutorial/add-domain.png#lightbox)
+1. After entering the domain, a new line in the table appears showing domain name and its status as **initialize**. Click on the gear icon to reveal technical data about TAP app Security server and to complete initialization.
+ [![Screenshot showing initialize.](media/tap-app-security-provisioning-tutorial/initialize.png)](media/tap-app-security-provisioning-tutorial/initialize.png#lightbox)
+1. Technical data about TAP App Security servers is revealed.You can now copy the **Tenant Url** and **Authorization Token** from this page to be used later on while setting up provisioning in Azure AD.
+ [![Screenshot showing domain details.](media/tap-app-security-provisioning-tutorial/domain-details.png)](media/tap-app-security-provisioning-tutorial/domain-details.png#lightbox)
## Step 3. Add TAP App Security from the Azure AD application gallery Add TAP App Security from the Azure AD application gallery to start managing provisioning to TAP App Security. If you have previously setup TAP App Security for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
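Review bot: `Technical data about TAP App Security servers is revealed.You can now copy` is missing a space after the period, and `TAP app Security server` should match the product name `TAP App Security` used elsewhere. Since the **Authorization Token** copied in that step is the bearer secret the Azure AD provisioning service will present to the SCIM endpoint, the step should tell the reader to store it as a secret rather than in a note, and say whether it can be regenerated from the same panel if it is exposed. `Log in to` also differs from the `Sign in to` wording used in the other tutorials in this batch.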
aks Keda Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-integrations.md
However, these external scalers aren't supported as part of the add-on and rely
<!-- LINKS - internal --> [aks-support-policy]: support-policies.md
-[azure-monitor]: ../azure-monitor/overview.md
-[azure-monitor-container-insights]: ../azure-monitor/containers/container-insights-onboard.md
[keda-arm]: keda-deploy-add-on-arm.md <!-- LINKS - external -->
-[keda-scalers]: https://keda.sh/docs/scalers/
-[keda-metrics]: https://keda.sh/docs/latest/operate/prometheus/
-[keda-event-docs]: https://keda.sh/docs/2.7/operate/events/
+[keda-scalers]: https://keda.sh/docs/latest/scalers/
+[keda-event-docs]: https://keda.sh/docs/latest/operate/events/
[keda-sample]: https://github.com/kedacore/sample-dotnet-worker-servicebus-queue
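Review bot: the removed link definitions `[azure-monitor]`, `[azure-monitor-container-insights]` and `[keda-metrics]` are reference-style targets; confirm no remaining sentence in the article still uses those labels, otherwise the bracketed text renders literally with no link. The `[keda-scalers]` and `[keda-event-docs]` retargeting to `docs/latest/` is fine and avoids the pinned `2.7` path going stale again.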
aks Quick Windows Container Deploy Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-windows-container-deploy-cli.md
az aks create \
--generate-ssh-keys \ --windows-admin-username $WINDOWS_USERNAME \ --vm-set-type VirtualMachineScaleSets \
- --kubernetes-version 1.20.7 \
--network-plugin azure ```
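Review bot: dropping `--kubernetes-version 1.20.7` means `az aks create` now uses the region's current default version; the surrounding text should say so explicitly, since Windows node pools require a supported version and a reader who previously saw a pinned value may assume one is still needed. If the pin was removed because 1.20 is out of support, note that in the commit rather than silently deleting the flag.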
aks Operator Best Practices Cluster Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/operator-best-practices-cluster-security.md
AppArmor profiles are added using the `apparmor_parser` command.
spec: containers: - name: hello
- image: mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11
+ image: mcr.microsoft.com/dotnet/runtime-deps:6.0
command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ] ```
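Review bot: the replacement image uses the floating tag `mcr.microsoft.com/dotnet/runtime-deps:6.0`; for a cluster-security best-practices article that is demonstrating AppArmor confinement, pinning by digest (or at least saying that tag resolves to a Debian-based image with `sh` and `sleep`) would make the sample reproducible and match the article's own least-privilege message.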
To see seccomp in action, create a filter that prevents changing permissions on
spec: containers: - name: chmod
- image: mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11
+ image: mcr.microsoft.com/dotnet/runtime-deps:6.0
command: - "chmod" args:
To see seccomp in action, create a filter that prevents changing permissions on
localhostProfile: prevent-chmod containers: - name: chmod
- image: mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11
+ image: mcr.microsoft.com/dotnet/runtime-deps:6.0
command: - "chmod" args:
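Review bot: both seccomp samples invoke `chmod` directly as the container command, so the image swap is only correct if `runtime-deps:6.0` ships coreutils on `PATH`; that holds for the Debian-based default tag, but the article should state that the filter `prevent-chmod` is what is expected to block the call, so a reader who sees `chmod` fail can distinguish a seccomp denial from a missing binary. The two hunks share the same context line, so the prose between them should be checked for a leftover reference to the old Ubuntu base image.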
aks Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/troubleshooting.md
spec:
```yaml initContainers: - name: volume-mount
- image: mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11
+ image: mcr.microsoft.com/dotnet/runtime-deps:6.0
command: ["sh", "-c", "chown -R 100:100 /data"] volumeMounts: - name: <your data volume>
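Review bot: the init container must run as root for `chown -R 100:100 /data` to succeed, so confirm the new `runtime-deps:6.0` image does not set a non-root `USER`; if the article later shows a `securityContext`, it should apply to the application container, not this init step.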
aks Use Multiple Node Pools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-multiple-node-pools.md
az aks nodepool add \
To verify your node pool is FIPS-enabled, use [az aks show][az-aks-show] to check the *enableFIPS* value in *agentPoolProfiles*. ```azurecli-interactive
-az aks show --resource-group myResourceGroup --cluster-name myAKSCluster --query="agentPoolProfiles[].{Name:name enableFips:enableFips}" -o table
+az aks show --resource-group myResourceGroup --name myAKSCluster --query="agentPoolProfiles[].{Name:name enableFips:enableFips}" -o table
``` The following example output shows the *fipsnp* node pool is FIPS-enabled and *nodepool1* isn't.
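Review bot: the `--cluster-name` to `--name` fix is correct for `az aks show`, but the JMESPath multiselect hash in the same command, `{Name:name enableFips:enableFips}`, is missing the comma between its two entries and should read `{Name:name, enableFips:enableFips}`; as written the query fails to parse.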
aks-nodepool1-12345678-vmss000000 Ready agent 34m v1.19.9
In the above example, the nodes starting with `aks-fipsnp` are part of the FIPS-enabled node pool. Use `kubectl debug` to run a deployment with an interactive session on one of those nodes in the FIPS-enabled node pool. ```azurecli-interactive
-kubectl debug node/aks-fipsnp-12345678-vmss000000 -it --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11
+kubectl debug node/aks-fipsnp-12345678-vmss000000 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0
``` From the interactive session, you can verify the FIPS cryptographic libraries are enabled:
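Review bot: with `kubectl debug node/...` the debug container's own libraries are not the node's, so the FIPS check that follows this command must be run against the host filesystem mounted under `/host` (for example via `chroot /host`), not inside the `runtime-deps:6.0` image; the step text should say that, otherwise swapping the image could make readers believe they are verifying the node's crypto libraries when they are inspecting the container's.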
aks Web App Routing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/web-app-routing.md
The Web Application Routing solution may only be triggered on service resources
```yaml annotations: kubernetes.azure.com/ingress-host: myapp.contoso.com
- kubernetes.azure.com/tls-cert-keyvault-uri: myapp-contoso.vault.azure.net
+ kubernetes.azure.com/tls-cert-keyvault-uri: myapp-contoso.vault.azure.net/certificates/keyvault-certificate-name/keyvault-certificate-name-revision
```
-These annotations in the service manifest would direct Web Application Routing to create an ingress servicing `myapp.contoso.com` connected to the keyvault `myapp-contoso`.
+These annotations in the service manifest would direct Web Application Routing to create an ingress servicing `myapp.contoso.com` connected to the keyvault `myapp-contoso` and will retrieve the `keyvault-certificate-name` with `keyvault-certificate-name-revision`
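Review bot: the rewritten sentence is missing its terminal period and mixes tenses ("would direct ... and will retrieve"); suggest "... connected to the key vault `myapp-contoso`, and retrieves the certificate `keyvault-certificate-name` at revision `keyvault-certificate-name-revision`." It would also help to state whether the annotation value is expected with or without the `https://` scheme, since the sample shows a bare host path.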
-Create a file named **samples-web-app-routing.yaml** and copy in the following YAML. On line 29-31, update `<MY_HOSTNAME>` with your DNS host name and `<MY_KEYVAULT_URI>` with the vault URI collected in the previous step of this article.
+Create a file named **samples-web-app-routing.yaml** and copy in the following YAML. On line 29-31, update `<MY_HOSTNAME>` with your DNS host name and `<MY_KEYVAULT_URI>` with the full certficicate vault URI.
```yaml apiVersion: apps/v1
apiVersion: v1
kind: Service metadata: name: aks-helloworld
-annotations:
- kubernetes.azure.com/ingress-host: <MY_HOSTNAME>
- kubernetes.azure.com/tls-cert-keyvault-uri: <MY_KEYVAULT_URI>
+ annotations:
+ kubernetes.azure.com/ingress-host: <MY_HOSTNAME>
+ kubernetes.azure.com/tls-cert-keyvault-uri: <MY_KEYVAULT_URI>
spec: type: ClusterIP ports:
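Review bot: the moved `annotations:` block is now correctly nested under `metadata:`, which is the actual fix here, but the prose `+` line has a typo, "certficicate", and "On line 29-31" should be "On lines 29-31"; the instruction should also say "the full certificate URI including the certificate name and version" so it matches the example above it.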
api-management Api Management Howto Integrate Internal Vnet Appgateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md
By combining API Management provisioned in an internal virtual network with the
* Use a single API Management resource and have a subset of APIs defined in API Management available for external consumers. * Provide a turnkey way to switch access to API Management from the public internet on and off.
+For architectural guidance, see:
+* **Basic enterprise integration**: [Reference architecture](/azure/architecture/reference-architectures/enterprise-integration/basic-enterprise-integration?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)
+* **API Management landing zone accelerator**: [Reference architecture](/azure/architecture/example-scenario/integration/app-gateway-internal-api-management-function?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json) and [design guidance](/azure/cloud-adoption-framework/scenarios/app-platform/api-management/land?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)
++ > [!NOTE] > This article has been updated to use the [Application Gateway WAF_v2 SKU](../application-gateway/application-gateway-autoscaling-zone-redundant.md).
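Review bot: the two added bullets both use the link text "Reference architecture", which is ambiguous when read out of context (and for screen readers); give each a distinct text such as "Basic enterprise integration reference architecture". The trailing `++` line suggests the blank line before the `[!NOTE]` block was added twice; check the rendered spacing.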
api-management Devops Api Development Templates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/devops-api-development-templates.md
This article shows you how to use API DevOps with Azure API Management, through
For details, tools, and code samples to implement the DevOps approach described in this article, see the open-source [Azure API Management DevOps Resource Kit](https://github.com/Azure/azure-api-management-devops-resource-kit) in GitHub. Because customers bring a wide range of engineering cultures and existing automation solutions, the approach isn't a one-size-fits-all solution.
+For architectural guidance, see:
+
+* **API Management landing zone accelerator**: [Reference architecture](/azure/architecture/example-scenario/integration/app-gateway-internal-api-management-function?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json) and [design guidance](/azure/cloud-adoption-framework/scenarios/app-platform/api-management/land?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)
+ ## The problem Organizations today normally have multiple deployment environments (such as development, testing, and production) and use separate API Management instances for each environment. Some instances are shared by multiple development teams, who are responsible for different APIs with different release cadences.
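Review bot: this is the same "For architectural guidance" block pasted into a second article with the same generic "Reference architecture" link text; consider an include file so the links stay in sync, and make sure a blank line separates the new bullet from the `## The problem` heading that follows it.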
applied-ai-services Concept Custom Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-custom-template.md
Custom template models support key-value pairs, selection marks, tables, signatu
## Tabular fields
-With the release of API version **2022-06-30-preview**, custom template models will support tabular fields (tables):
-
-* Models trained with API version 2022-06-30-preview or later will accept tabular field labels.
-* Documents analyzed with custom neural models using API version 2022-06-30-preview or later will produce tabular fields aggregated across the tables.
-* The results can be found in the ```analyzeResult``` object's ```documents``` array that is returned following an analysis operation.
-
-Tabular fields support **cross page tables** by default:
+With the release of API version **2022-06-30-preview**, custom template models will add support for **cross page** tabular fields (tables):
* To label a table that spans multiple pages, label each row of the table across the different pages in a single table.
-* As a best practice, ensure that your dataset contains a few samples of the expected variations. For example, include samples where the entire table is on a single page and where tables span two or more pages.
+* As a best practice, ensure that your dataset contains a few samples of the expected variations. For example, include samples where the entire table is on a single page and where tables span two or more pages if you expect to see those variations in documents.
Tabular fields are also useful when extracting repeating information within a document that isn't recognized as a table. For example, a repeating section of work experiences in a resume can be labeled and extracted as a tabular field.
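Review bot: the removed bullets included the only statement of where tabular results appear (the `documents` array of `analyzeResult`); if that still holds for template models it should survive the rewrite. The edited best-practice sentence now ends with a dangling clause, "if you expect to see those variations in documents", which repeats "expected variations" from the same sentence; suggest "include single-page and multi-page samples for each variation you expect in production."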
https://{endpoint}/formrecognizer/documentModels:build?api-version=2022-06-30
* View the REST API: > [!div class="nextstepaction"]
- > [Form Recognizer API v2.1](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm)
+ > [Form Recognizer API v2.1](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm)
applied-ai-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/whats-new.md
The **2022-06-30-preview** release is the latest update to the Form Recognizer s
* [🆕 **Layout extends structure extraction**](concept-layout.md). Layout now includes added structure elements including sections, section headers, and paragraphs. This update enables finer grain document segmentation scenarios. For a complete list of structure elements identified, _see_ [enhanced structure](concept-layout.md#data-extraction). * [🆕 **Custom neural model tabular fields support**](concept-custom-neural.md). Custom document models now support tabular fields. Tabular fields by default are also multi page. To learn more about tabular fields in custom neural models, _see_ [tabular fields](concept-custom-neural.md#tabular-fields). * [🆕 **Custom template model tabular fields support for cross page tables**](concept-custom-template.md). Custom form models now support tabular fields across pages. To learn more about tabular fields in custom template models, _see_ [tabular fields](concept-custom-neural.md#tabular-fields).
-* [🆕 **Invoice model output now includes general document key-value pairs**](concept-custom-template.md). Where invoices contain required fields beyond the fields included in the prebuilt model, the general document model supplements the output with key-value pairs. _See_ [key value pairs](concept-invoice.md#key-value-pairs-preview).
-* [🆕 **Invoice language expansion**](concept-custom-template.md). The invoice model includes expanded language support. _See_ [supported languages](concept-invoice.md#supported-languages-and-locales).
-* [🆕 **Prebuilt business card**](concept-business-card.md). The business card model now includes Japanese language support. _See_ [supported languages](concept-business-card.md#supported-languages-and-locales).
+* [🆕 **Invoice model output now includes general document key-value pairs**](concept-invoice.md). Where invoices contain required fields beyond the fields included in the prebuilt model, the general document model supplements the output with key-value pairs. _See_ [key value pairs](concept-invoice.md#key-value-pairs-preview).
+* [🆕 **Invoice language expansion**](concept-invoice.md). The invoice model includes expanded language support. _See_ [supported languages](concept-invoice.md#supported-languages-and-locales).
+* [🆕 **Prebuilt business card**](concept-business-card.md) now includes Japanese language support. _See_ [supported languages](concept-business-card.md#supported-languages-and-locales).
+* [🆕 **Prebuilt ID document model**](concept-id-document.md). The ID document model now extracts DateOfIssue, Height, Weight, EyeColor, HairColor, and DocumentDiscriminator from US driver's licenses. _See_ [field extraction](concept-id-document.md#id-document-preview-field-extraction).
* [🆕 **Read model now supports common Microsoft Office document types**](concept-read.md). Document types like Word (docx) and PowerPoint (ppt) are now supported with the Read API. See [page extraction](concept-read.md#pages). ## February 2022
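Review bot: the unchanged third bullet on the context line links the custom template model's "tabular fields" anchor to `concept-custom-neural.md#tabular-fields`; since this commit is fixing exactly this class of wrong link target for the invoice bullets, it should also point that one at `concept-custom-template.md#tabular-fields`.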
attestation Attestation Token Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/attestation-token-examples.md
+
+ Title: Examples of an Azure Attestation token
+description: Examples of Azure Attestation token
++++ Last updated : 06/07/2022++++
+# Examples of an attestation token
+
+Attestation policy is used to process the attestation evidence and determine whether Azure Attestation will issue an attestation token. Attestation token generation can be controlled with custom policies. Below are some examples of an attestation policy.
+
+## Sample JWT generated for SGX attestation
+
+```
+{
+ "alg": "RS256",
+ "jku": "https://tradewinds.us.attest.azure.net/certs",
+ "kid": <self signed certificate reference to perform signature verification of attestation token,
+ "typ": "JWT"
+}.{
+ "aas-ehd": <input enclave held data>,
+ "exp": 1568187398,
+ "iat": 1568158598,
+ "is-debuggable": false,
+ "iss": "https://tradewinds.us.attest.azure.net",
+ "maa-attestationcollateral":
+ {
+ "qeidcertshash": <SHA256 value of QE Identity issuing certs>,
+ "qeidcrlhash": <SHA256 value of QE Identity issuing certs CRL list>,
+ "qeidhash": <SHA256 value of the QE Identity collateral>,
+ "quotehash": <SHA256 value of the evaluated quote>,
+ "tcbinfocertshash": <SHA256 value of the TCB Info issuing certs>,
+ "tcbinfocrlhash": <SHA256 value of the TCB Info issuing certs CRL list>,
+ "tcbinfohash": <SHA256 value of the TCB Info collateral>
+ },
+ "maa-ehd": <input enclave held data>,
+ "nbf": 1568158598,
+ "product-id": 4639,
+ "sgx-mrenclave": <SGX enclave mrenclave value>,
+ "sgx-mrsigner": <SGX enclave msrigner value>,
+ "svn": 0,
+ "tee": "sgx"
+ "x-ms-attestation-type": "sgx",
+ "x-ms-policy-hash": <>,
+ "x-ms-sgx-collateral":
+ {
+ "qeidcertshash": <SHA256 value of QE Identity issuing certs>,
+ "qeidcrlhash": <SHA256 value of QE Identity issuing certs CRL list>,
+ "qeidhash": <SHA256 value of the QE Identity collateral>,
+ "quotehash": <SHA256 value of the evaluated quote>,
+ "tcbinfocertshash": <SHA256 value of the TCB Info issuing certs>,
+ "tcbinfocrlhash": <SHA256 value of the TCB Info issuing certs CRL list>,
+ "tcbinfohash": <SHA256 value of the TCB Info collateral>
+ },
+ "x-ms-sgx-ehd": <>,
+ "x-ms-sgx-is-debuggable": true,
+ "x-ms-sgx-mrenclave": <SGX enclave mrenclave value>,
+ "x-ms-sgx-mrsigner": <SGX enclave msrigner value>,
+ "x-ms-sgx-product-id": 1,
+ "x-ms-sgx-svn": 1,
+ "x-ms-ver": "1.0",
+ "x-ms-sgx-config-id": "000102030405060708090a0b0c0d8f99000102030405060708090a0b0c860e9a000102030405060708090a0b7d0d0e9b000102030405060708090a740c0d0e9c",
+ "x-ms-sgx-config-svn": 3451,
+ "x-ms-sgx-isv-extended-product-id": "8765432143211234abcdabcdef123456",
+ "x-ms-sgx-isv-family-id": "1234567812344321abcd1234567890ab"
+}.[Signature]
+```
+
+Some of the claims used above are considered deprecated but are fully supported. It is recommended that all future code and tooling use the non-deprecated claim names. See [claims issued by Azure Attestation](claim-sets.md) for more information.
+
+The below claims will appear only in the attestation token generated for Intel® Xeon® Scalable processor-based server platforms. The claims will not appear if the SGX enclave is not configured with [Key Separation and Sharing Support](https://github.com/openenclave/openenclave/issues/3054)
+
+**x-ms-sgx-config-id**
+
+**x-ms-sgx-config-svn**
+
+**x-ms-sgx-isv-extended-product-id**
+
+**x-ms-sgx-isv-family-id**
+
+## Sample JWT generated for SEV-SNP attestation
+
+```
+{
+ΓÇ» "exp": 1649970020,
+ΓÇ» "iat": 1649941220,
+ΓÇ» "iss": "https://maasandbox0001.wus.attest.azure.net",
+ΓÇ» "jti": "b65da1dcfbb4698b0bb2323cac664b745a2ff1cffbba55641fd65784aa9474d5",
+ΓÇ» "nbf": 1649941220,
+ΓÇ» "x-ms-attestation-type": "sevsnpvm",
+ΓÇ» "x-ms-compliance-status": "azure-compliant-cvm",
+ΓÇ» "x-ms-policy-hash": "LTPRQQju-FejAwdYihF8YV_c2XWebG9joKvrHKc3bxs",
+ΓÇ» "x-ms-runtime": {
+ΓÇ» ΓÇ» "keys": [
+ΓÇ» ΓÇ» ΓÇ» {
+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "e": "AQAB",
+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "key_ops": ["encrypt"],
+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "kid": "HCLTransferKey",
+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "kty": "RSA",
+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "n": "ur08DccjGGzRo3OIq445n00Q3OthMIbR3SWIzCcicIM_7nPiVF5NBIknk2zdHZN1iiNhIzJezrXSqVT7Ty1Dl4AB5xiAAqxo7xGjFqlL47NA8WbZRMxQtwlsOjZgFxosDNXIt6dMq7ODh4nj6nV2JMScNfRKyr1XFIUK0XkOWvVlSlNZjaAxj8H4pS0yNfNwr1Q94VdSn3LPRuZBHE7VrofHRGSHJraDllfKT0-8oKW8EjpMwv1ME_OgPqPwLyiRzr99moB7uxzjEVDe55D2i2mPrcmT7kSsHwp5O2xKhM68rda6F-IT21JgdhQ6n4HWCicslBmx4oqkI-x5lVsRkQ"
+ΓÇ» ΓÇ» ΓÇ» }
+ΓÇ» ΓÇ» ],
+ΓÇ» ΓÇ» "vm-configuration": {
+ΓÇ» ΓÇ» ΓÇ» "secure-boot": true,
+ΓÇ» ΓÇ» ΓÇ» "secure-boot-template-id": "1734c6e8-3154-4dda-ba5f-a874cc483422",
+ΓÇ» ΓÇ» ΓÇ» "tpm-enabled": true,
+ΓÇ» ΓÇ» ΓÇ» "vmUniqueId": "AE5CBB2A-DC95-4870-A74A-EE4FB33B1A9C"
+ΓÇ» ΓÇ» }
+ΓÇ» },
+ΓÇ» "x-ms-sevsnpvm-authorkeydigest": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+ΓÇ» "x-ms-sevsnpvm-bootloader-svn": 0,
+ΓÇ» "x-ms-sevsnpvm-familyId": "01000000000000000000000000000000",
+ΓÇ» "x-ms-sevsnpvm-guestsvn": 1,
+ΓÇ» "x-ms-sevsnpvm-hostdata": "0000000000000000000000000000000000000000000000000000000000000000",
+ΓÇ» "x-ms-sevsnpvm-idkeydigest": "38ed94f9aab20bc5eb40e89c7cbb03aa1b9efb435892656ade789ccaa0ded82ff18bae0e849c3166351ba1fa7ff620a2",
+ΓÇ» "x-ms-sevsnpvm-imageId": "02000000000000000000000000000000",
+ΓÇ» "x-ms-sevsnpvm-is-debuggable": false,
+ΓÇ» "x-ms-sevsnpvm-launchmeasurement": "04a170f39a3f702472ed0c7ecbda9babfc530e3caac475fdd607ff499177d14c278c5a15ad07ceacd5230ae63d507e9d",
+ΓÇ» "x-ms-sevsnpvm-microcode-svn": 40,
+ΓÇ» "x-ms-sevsnpvm-migration-allowed": false,
+ΓÇ» "x-ms-sevsnpvm-reportdata": "99dd4593a43f4b0f5f10f1856c7326eba309b943251fededc15592e3250ca9e90000000000000000000000000000000000000000000000000000000000000000",
+ΓÇ» "x-ms-sevsnpvm-reportid": "d1d5c2c71596fae601433ecdfb62799de2a785cc08be3b1c8a4e26a381494787",
+ΓÇ» "x-ms-sevsnpvm-smt-allowed": true,
+ΓÇ» "x-ms-sevsnpvm-snpfw-svn": 0,
+ΓÇ» "x-ms-sevsnpvm-tee-svn": 0,
+ΓÇ» "x-ms-sevsnpvm-vmpl": 0,
+ΓÇ» "x-ms-ver": "1.0"
+}
+```
+
+## Next steps
+
+- [View examples of an attestation policy](policy-examples.md)
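Review bot: the intro sentence says "Below are some examples of an attestation policy", but the page shows attestation tokens, not policies; it should read "Below are examples of the attestation token issued for SGX and SEV-SNP." Within the SGX sample the deprecated and current claim pairs disagree (`is-debuggable: false` vs `x-ms-sgx-is-debuggable: true`, `product-id: 4639` vs `x-ms-sgx-product-id: 1`, `svn: 0` vs `x-ms-sgx-svn: 1`), which misleads a reader learning which claim to trust; align them. Smaller fixes: the `kid` placeholder is missing its closing `>`, `"tee": "sgx"` lacks a trailing comma, "msrigner" should be "mrsigner", the SEV-SNP sample carries mis-encoded non-breaking spaces (`ΓÇ»`) that should be plain spaces, the Xeon sentence lacks a terminal period, and the front-matter line is garbled.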
attestation Basic Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/basic-concepts.md
Attestation policy is used to process the attestation evidence and is configurab
If the default policy in the attestation provider doesnΓÇÖt meet the needs, customers will be able to create custom policies in any of the regions supported by Azure Attestation. Policy management is a key feature provided to customers by Azure Attestation. Policies will be attestation type specific and can be used to identify enclaves or add claims to the output token or modify claims in an output token.
-See [examples of an attestation policy](policy-examples.md) for policy samples.
+See [examples of an attestation policy](policy-examples.md)
## Benefits of policy signing
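Review bot: the rewritten link sentence drops its terminal period; keep "See [examples of an attestation policy](policy-examples.md)." so it matches the other sentences in the section.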
Azure Attestation response will be a JSON string whose value contains JWT. Azure
The Get OpenID Metadata API returns an OpenID Configuration response as specified by the [OpenID Connect Discovery protocol](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig). The API retrieves metadata about the signing certificates in use by Azure Attestation.
-Example of JWT generated for an SGX enclave:
-
-```
-{
- "alg": "RS256",
- "jku": "https://tradewinds.us.attest.azure.net/certs",
- "kid": <self signed certificate reference to perform signature verification of attestation token,
- "typ": "JWT"
-}.{
- "aas-ehd": <input enclave held data>,
- "exp": 1568187398,
- "iat": 1568158598,
- "is-debuggable": false,
- "iss": "https://tradewinds.us.attest.azure.net",
- "maa-attestationcollateral":
- {
- "qeidcertshash": <SHA256 value of QE Identity issuing certs>,
- "qeidcrlhash": <SHA256 value of QE Identity issuing certs CRL list>,
- "qeidhash": <SHA256 value of the QE Identity collateral>,
- "quotehash": <SHA256 value of the evaluated quote>,
- "tcbinfocertshash": <SHA256 value of the TCB Info issuing certs>,
- "tcbinfocrlhash": <SHA256 value of the TCB Info issuing certs CRL list>,
- "tcbinfohash": <SHA256 value of the TCB Info collateral>
- },
- "maa-ehd": <input enclave held data>,
- "nbf": 1568158598,
- "product-id": 4639,
- "sgx-mrenclave": <SGX enclave mrenclave value>,
- "sgx-mrsigner": <SGX enclave msrigner value>,
- "svn": 0,
- "tee": "sgx"
- "x-ms-attestation-type": "sgx",
- "x-ms-policy-hash": <>,
- "x-ms-sgx-collateral":
- {
- "qeidcertshash": <SHA256 value of QE Identity issuing certs>,
- "qeidcrlhash": <SHA256 value of QE Identity issuing certs CRL list>,
- "qeidhash": <SHA256 value of the QE Identity collateral>,
- "quotehash": <SHA256 value of the evaluated quote>,
- "tcbinfocertshash": <SHA256 value of the TCB Info issuing certs>,
- "tcbinfocrlhash": <SHA256 value of the TCB Info issuing certs CRL list>,
- "tcbinfohash": <SHA256 value of the TCB Info collateral>
- },
- "x-ms-sgx-ehd": <>,
- "x-ms-sgx-is-debuggable": true,
- "x-ms-sgx-mrenclave": <SGX enclave mrenclave value>,
- "x-ms-sgx-mrsigner": <SGX enclave msrigner value>,
- "x-ms-sgx-product-id": 1,
- "x-ms-sgx-svn": 1,
- "x-ms-ver": "1.0",
- "x-ms-sgx-config-id": "000102030405060708090a0b0c0d8f99000102030405060708090a0b0c860e9a000102030405060708090a0b7d0d0e9b000102030405060708090a740c0d0e9c",
- "x-ms-sgx-config-svn": 3451,
- "x-ms-sgx-isv-extended-product-id": "8765432143211234abcdabcdef123456",
- "x-ms-sgx-isv-family-id": "1234567812344321abcd1234567890ab"
-}.[Signature]
-```
-
-Some of the claims used above are considered deprecated but are fully supported. It is recommended that all future code and tooling use the non-deprecated claim names. See [claims issued by Azure Attestation](claim-sets.md) for more information.
-
-The below claims will appear only in the attestation token generated for Intel® Xeon® Scalable processor-based server platforms. The claims will not appear if the SGX enclave is not configured with [Key Separation and Sharing Support](https://github.com/openenclave/openenclave/issues/3054)
-
-**x-ms-sgx-config-id**
-
-**x-ms-sgx-config-svn**
-
-**x-ms-sgx-isv-extended-product-id**
-
-**x-ms-sgx-isv-family-id**
+See [examples of attestation token](attestation-token-examples.md).
## Encryption of data at rest
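Review bot: moving the token sample to its own page is a good split, but the replacement sentence should read "See [examples of an attestation token](attestation-token-examples.md)." to match the new page's title, and this section now goes from describing the OpenID metadata endpoint straight to a link; one sentence saying the token is a JWT signed by the certificates published at that endpoint would keep the verification story intact for readers who do not follow the link.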
attestation Policy Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/policy-examples.md
issuancerules {
Claims used in default policy are considered deprecated but are fully supported and will continue to be included in the future. It's recommended to use the non-deprecated claim names. For more information on the recommended claim names, see [claim sets](./claim-sets.md).
+## Sample custom policy to support multiple SGX enclaves
+
+```
+version= 1.0;
+authorizationrules
+{
+ [ type=="x-ms-sgx-is-debuggable", value==true ]&&
+ [ type=="x-ms-sgx-mrsigner", value=="mrsigner1"] => permit();
+ [ type=="x-ms-sgx-is-debuggable", value==true ]&&
+ [ type=="x-ms-sgx-mrsigner", value=="mrsigner2"] => permit();
+};
+```
+
+## Unsigned Policy for an SGX enclave with PolicyFormat=JWT
+
+```
+eyJhbGciOiJub25lIn0.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.
+```
+
+## Signed Policy for an SGX enclave with PolicyFormat=JWT
+
+```
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.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.c0l-xqGDFQ8_kCiQ0_vvmDQYG_u544CYmoiucPNxd9MU8ZXT69UD59UgSuya2yl241NoVXA_0LaMEB2re0JnTbPD_dliJn96HnIOqnxXxRh7rKbu65ECUOMWPXbyKQMZ0I3Wjhgt_XyyhfEiQGfJfGzA95-wm6yWqrmW7dMI7JkczG9ideztnr0bsw5NRsIWBXOjVy7Bg66qooTnODS_OqeQ4iaNsN-xjMElHABUxXhpBt2htbhemDU1X41o8clQgG84aEHCgkE07pR-7IL_Fn2gWuPVC66yxAp00W1ib2L-96q78D9J52HPdeDCSFio2RL7r5lOtz8YkQnjacb6xA
+```
+ ## Sample policy for TPM using Policy version 1.0 ```
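Review bot: both authorization rules in the multi-enclave sample permit only when `x-ms-sgx-is-debuggable` equals `true`, so as written the policy accepts debuggable enclaves and rejects release builds, which is the inverse of what a production relying party wants; either use `value==false` or state in the heading that the sample is for development enclaves. Also, the Unsigned and Signed JWT samples are opaque blobs; showing the decoded policy payload beside the unsigned one would let readers verify they match, and the `## Sample policy for TPM` heading needs a blank line before its opening fence.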
c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverL
The policy uses the TPM version to restrict attestation calls. The issuancerules looks at various properties measured during boot.
-## Sample custom policy to support multiple SGX enclaves
-
-```
-version= 1.0;
-authorizationrules
-{
- [ type=="x-ms-sgx-is-debuggable", value==true ]&&
- [ type=="x-ms-sgx-mrsigner", value=="mrsigner1"] => permit();
- [ type=="x-ms-sgx-is-debuggable", value==true ]&&
- [ type=="x-ms-sgx-mrsigner", value=="mrsigner2"] => permit();
-};
-```
-
-## Unsigned Policy for an SGX enclave with PolicyFormat=JWT
-
-```
-eyJhbGciOiJub25lIn0.eyJBdHRlc3RhdGlvblBvbGljeSI6ICJkbVZ5YzJsdmJqMGdNUzR3TzJGMWRHaHZjbWw2WVhScGIyNXlkV3hsYzN0ak9sdDBlWEJsUFQwaUpHbHpMV1JsWW5WbloyRmliR1VpWFNBOVBpQndaWEp0YVhRb0tUdDlPMmx6YzNWaGJtTmxjblZzWlhON1l6cGJkSGx3WlQwOUlpUnBjeTFrWldKMVoyZGhZbXhsSWwwZ1BUNGdhWE56ZFdVb2RIbHdaVDBpYVhNdFpHVmlkV2RuWVdKc1pTSXNJSFpoYkhWbFBXTXVkbUZzZFdVcE8yTTZXM1I1Y0dVOVBTSWtjMmQ0TFcxeWMybG5ibVZ5SWwwZ1BUNGdhWE56ZFdVb2RIbHdaVDBpYzJkNExXMXljMmxuYm1WeUlpd2dkbUZzZFdVOVl5NTJZV3gxWlNrN1l6cGJkSGx3WlQwOUlpUnpaM2d0YlhKbGJtTnNZWFpsSWwwZ1BUNGdhWE56ZFdVb2RIbHdaVDBpYzJkNExXMXlaVzVqYkdGMlpTSXNJSFpoYkhWbFBXTXVkbUZzZFdVcE8yTTZXM1I1Y0dVOVBTSWtjSEp2WkhWamRDMXBaQ0pkSUQwLUlHbHpjM1ZsS0hSNWNHVTlJbkJ5YjJSMVkzUXRhV1FpTENCMllXeDFaVDFqTG5aaGJIVmxLVHRqT2x0MGVYQmxQVDBpSkhOMmJpSmRJRDAtSUdsemMzVmxLSFI1Y0dVOUluTjJiaUlzSUhaaGJIVmxQV011ZG1Gc2RXVXBPMk02VzNSNWNHVTlQU0lrZEdWbElsMGdQVDRnYVhOemRXVW9kSGx3WlQwaWRHVmxJaXdnZG1Gc2RXVTlZeTUyWVd4MVpTazdmVHMifQ.
-```
-
-## Signed Policy for an SGX enclave with PolicyFormat=JWT
-
-```
-eyJhbGciOiJSU0EyNTYiLCJ4NWMiOlsiTUlJQzFqQ0NBYjZnQXdJQkFnSUlTUUdEOUVGakJcdTAwMkJZd0RRWUpLb1pJaHZjTkFRRUxCUUF3SWpFZ01CNEdBMVVFQXhNWFFYUjBaWE4wWVhScGIyNURaWEowYVdacFkyRjBaVEF3SGhjTk1qQXhNVEl6TVRneU1EVXpXaGNOTWpFeE1USXpNVGd5TURVeldqQWlNU0F3SGdZRFZRUURFeGRCZEhSbGMzUmhkR2x2YmtObGNuUnBabWxqWVhSbE1EQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUpyRWVNSlo3UE01VUJFbThoaUNLRGh6YVA2Y2xYdkhmd0RIUXJ5L3V0L3lHMUFuMGJ3MVU2blNvUEVtY2FyMEc1WmYxTUR4alZOdEF5QjZJWThKLzhaQUd4eFFnVVZsd1dHVmtFelpGWEJVQTdpN1B0NURWQTRWNlx1MDAyQkJnanhTZTBCWVpGYmhOcU5zdHhraUNybjYwVTYwQUU1WFx1MDAyQkE1M1JvZjFUUkNyTXNLbDRQVDRQeXAzUUtNVVlDaW9GU3d6TkFQaU8vTy9cdTAwMkJIcWJIMXprU0taUXh6bm5WUGVyYUFyMXNNWkptRHlyUU8vUFlMTHByMXFxSUY2SmJsbjZEenIzcG5uMXk0Wi9OTzJpdFBxMk5Nalx1MDAyQnE2N1FDblNXOC9xYlpuV3ZTNXh2S1F6QVR5VXFaOG1PSnNtSThUU05rLzBMMlBpeS9NQnlpeDdmMTYxQ2tjRm1LU3kwQ0F3RUFBYU1RTUE0d0RBWURWUjBUQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBZ1ZKVWRCaXRud3ZNdDdvci9UMlo4dEtCUUZsejFVcVVSRlRUTTBBcjY2YWx2Y2l4VWJZR3gxVHlTSk5pbm9XSUJROU9QamdMa1dQMkVRRUtvUnhxN1NidGxqNWE1RUQ2VjRyOHRsejRISjY0N3MyM2V0blJFa2o5dE9Gb3ZNZjhOdFNVeDNGTnBhRUdabDJMUlZHd3dcdTAwMkJsVThQd0gzL2IzUmVCZHRhQTdrZmFWNVx1MDAyQml4ZWRjZFN5S1F1VkFUbXZNSTcxM1A4VlBsNk1XbXNNSnRrVjNYVi9ZTUVzUVx1MDAyQkdZcU1yN2tLWGwxM3lldUVmVTJWVkVRc1ovMXRnb29iZVZLaVFcdTAwMkJUcWIwdTJOZHNcdTAwMkJLamRIdmFNYngyUjh6TDNZdTdpR0pRZnd1aU1tdUxSQlJwSUFxTWxRRktLNmRYOXF6Nk9iT01zUjlpczZ6UDZDdmxGcEV6bzVGUT09Il19.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.c0l-xqGDFQ8_kCiQ0_vvmDQYG_u544CYmoiucPNxd9MU8ZXT69UD59UgSuya2yl241NoVXA_0LaMEB2re0JnTbPD_dliJn96HnIOqnxXxRh7rKbu65ECUOMWPXbyKQMZ0I3Wjhgt_XyyhfEiQGfJfGzA95-wm6yWqrmW7dMI7JkczG9ideztnr0bsw5NRsIWBXOjVy7Bg66qooTnODS_OqeQ4iaNsN-xjMElHABUxXhpBt2htbhemDU1X41o8clQgG84aEHCgkE07pR-7IL_Fn2gWuPVC66yxAp00W1ib2L-96q78D9J52HPdeDCSFio2RL7r5lOtz8YkQnjacb6xA
-```
- ## Next steps - [How to author and sign an attestation policy](author-sign-policy.md)
attestation Workflow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/workflow.md
The following actors are involved in an Azure Attestation work flow:
Here are the general steps in a typical SGX enclave attestation workflow (using Azure Attestation):
-1. Client collects evidence from an enclave. Evidence is information about the enclave environment and the client library running inside the enclave.
-1. The client has an URI which refers to an instance of Azure Attestation. The client sends evidence to Azure Attestation. Exact information submitted to the provider depends on the enclave type.
-1. Azure Attestation validates the submitted information and evaluates it against a configured policy. If the verification succeeds, Azure Attestation issues an attestation token and returns it to the client. If this step fails, Azure Attestation reports an error to the client.
-1. The client sends the attestation token to relying party. The relying party calls public key metadata endpoint of Azure Attestation to retrieve signing certificates. The relying party then verifies the signature of the attestation token and ensures the enclave trustworthiness.
+1. Client collects evidence from an enclave. Evidence is information about the enclave environment and the client library running inside the enclave
+1. The client has an URI which refers to an instance of Azure Attestation. The client sends evidence to Azure Attestation. Exact information submitted to the provider depends on the enclave type
+1. Azure Attestation validates the submitted information and evaluates it against a configured policy. If the verification succeeds, Azure Attestation issues an attestation token and returns it to the client. If this step fails, Azure Attestation reports an error to the client
+1. The client sends the attestation token to relying party. The relying party calls public key metadata endpoint of Azure Attestation to retrieve signing certificates. The relying party then verifies the signature of the attestation token and ensures the enclave trustworthiness
![SGX enclave validation flow](./media/sgx-validation-flow.png)
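Review bot: the only change in this hunk is removing the terminal period from each numbered step, which is a style regression against the rest of the article; if the intent is to match the TPM list below, keep the periods in both lists instead.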
Here are the general steps in a typical SGX enclave attestation workflow (using
Here are the general steps in a typical TPM enclave attestation workflow (using Azure Attestation):
-1. On device/platform boot, various boot loaders and boot services measure events which backed by the TPM and are securely stored (TCG log).
-2. Client collects the TCG logs from the device and TPM quote, which acts the evidence for attestation.
-3. The client has an URI which refers to an instance of Azure Attestation. The client sends evidence to Azure Attestation. Exact information submitted to the provider depends on the platform.
-4. Azure Attestation validates the submitted information and evaluates it against a configured policy. If the verification succeeds, Azure Attestation issues an attestation token and returns it to the client. If this step fails, Azure Attestation reports an error to the client. The communication between the client and attestation service is dictated by the Azure attestation TPM protocol.
-5. The client then sends the attestation token to relying party. The relying party calls public key metadata endpoint of Azure Attestation to retrieve signing certificates. The relying party then verifies the signature of the attestation token and ensures the platforms trustworthiness.
+1. On device/platform boot, various boot loaders and boot services measure events backed by TPM and securely store them as TCG logs. Client collects the TCG logs from the device and TPM quote which acts evidence for attestation
+2. The client authenticates to Azure AD and obtains a access token
+3. The client has an URI which refers to an instance of Azure Attestation. The client sends the evidence and the Azure Active Directory (Azure AD) access token to Azure Attestation. Exact information submitted to the provider depends on the platform
+4. Azure Attestation validates the submitted information and evaluates it against a configured policy. If the verification succeeds, Azure Attestation issues an attestation token and returns it to the client. If this step fails, Azure Attestation reports an error to the client. The communication between the client and attestation service is dictated by the Azure attestation TPM protocol
+5. The client then sends the attestation token to relying party. The relying party calls public key metadata endpoint of Azure Attestation to retrieve signing certificates. The relying party then verifies the signature of the attestation token and ensures the platforms trustworthiness
![TPM validation flow](./media/tpm-validation-flow.png)
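Review bot: the new step 2 introduces an Azure AD access token that the client must obtain and send along with the evidence in step 3, but nothing in the hunk says what the token is for or why the TPM flow needs it when the SGX flow above does not; add a sentence stating its purpose or link to the relevant authentication section. Grammar in the merged step 1: "TPM quote which acts evidence for attestation" lost the "as" that the removed line had ("acts as the evidence"); also "a access token" should be "an access token", "an URI" should be "a URI", and "platforms trustworthiness" needs the apostrophe ("platform's").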
azure-arc Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/overview.md
For information, see the [Azure pricing page](https://azure.microsoft.com/pricin
* Learn about [Azure Arc-enabled data services](https://azure.microsoft.com/services/azure-arc/hybrid-data-services/). * Learn about [SQL Server on Azure Arc-enabled servers](/sql/sql-server/azure-arc/overview). * Learn about [Azure Arc-enabled VMware vSphere](vmware-vsphere/overview.md) and [Azure Arc-enabled Azure Stack HCI](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines)
-* Experience Azure Arc-enabled services by exploring the [Jumpstart proof of concept](https://azurearcjumpstart.io/azure_arc_jumpstart/).
+* Learn about [Azure Arc-enabled System Center Virtual Machine Manager](system-center-virtual-machine-manager/overview.md)
+* Experience Azure Arc-enabled services by exploring the [Jumpstart proof of concept](https://azurearcjumpstart.io/azure_arc_jumpstart/).
azure-arc Agent Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/agent-release-notes.md
This page is updated monthly, so revisit it regularly. If you're looking for ite
- If you attempt to run `azcmagent connect` on a server that is already connected to Azure, the resource ID is now printed to the console to help you locate the resource in Azure. - The `azcmagent connect` timeout has been extended to 10 minutes.-- `azcmagent show` no longer prints the private link scope ID. You can check if the server is associated with an Azure Arc private link scope by reviewing the machine details in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/servers), [CLI](/cli/azure/connectedmachine?view=azure-cli-latest#az-connectedmachine-show), [PowerShell](/powershell/module/az.connectedmachine/get-azconnectedmachine), or [REST API](/rest/api/hybridcompute/machines/get).
+- `azcmagent show` no longer prints the private link scope ID. You can check if the server is associated with an Azure Arc private link scope by reviewing the machine details in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/servers), [CLI](/cli/azure/connectedmachine?view=azure-cli-latest#az-connectedmachine-show&preserve-view=true), [PowerShell](/powershell/module/az.connectedmachine/get-azconnectedmachine), or [REST API](/rest/api/hybridcompute/machines/get).
- `azcmagent logs` collects only the 2 most recent logs for each service to reduce ZIP file size. - `azcmagent logs` collects Guest Configuration logs again.
azure-arc Create Virtual Machine https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/system-center-virtual-machine-manager/create-virtual-machine.md
+
+ Title: Create a virtual machine on System Center Virtual Machine Manager using Azure Arc (preview)
+description: This article helps you create a virtual machine using Azure portal (preview).
Last updated : 05/25/2022+
+ms.
++
+keywords: "VMM, Arc, Azure"
+++
+# Create a virtual machine on System Center Virtual Machine Manager using Azure Arc (preview)
+
+Once your administrator has connected an SCVMM management server to Azure, represented VMM resources such as private clouds, VM templates in Azure, and provided you the required permissions on those resources, you'll be able to create a virtual machine in Azure.
+
+## Prerequisites
+
+- An Azure subscription and resource group where you have *Arc SCVMM VM Contributor* role.
+- A cloud resource on which you have *Arc SCVMM Private Cloud Resource User* role.
+- A virtual machine template resource on which you have *Arc SCVMM Private Cloud Resource User role*.
+- A virtual network resource on which you have *Arc SCVMM Private Cloud Resource User* role.
+
+## How to create a VM in Azure portal
+
+1. Go to Azure portal.
+2. Select **Azure Arc** as the service and then select **Azure Arc virtual machine** from the left blade.
+3. Click **+ Create**, **Create an Azure Arc virtual machine** page opens.
+
+3. Under **Basics** > **Project details**, select the **Subscription** and **Resource group** where you want to deploy the VM.
+4. Under **Instance details**, provide the following details:
+ - Virtual machine name - Specify the name of the virtual machine.
+ - Custom location - Select the custom location that your administrator has shared with you.
+ - Virtual machine kind ΓÇô Select **System Center Virtual Machine Manager**.
+ - Cloud ΓÇô Select the target VMM private cloud.
+ - Availability set - (Optional) Use availability sets to identify virtual machines that you want VMM to keep on separate hosts for improved continuity of service.
+5. Under **Template details**, provide the following details:
+ - Template ΓÇô Choose the VM template for deployment.
+ - Override template details - Select the checkbox to override the default CPU cores and memory on the VM templates.
+ - Specify computer name for the VM, if the VM template has computer name associated with it.
+6. Under **Administrator account**, provide the following details and click **Next : Disks >**.
+ - Username
+ - Password
+ - Confirm password
+7. Under **Disks**, you can optionally change the disks configured in the template. You can add more disks or update existing disks.
+8. Under **Networking**, you can optionally change the network interfaces configured in the template. You can add Network interface cards (NICs) or update the existing NICs. You can also change the network that this NIC will be attached to provided you have appropriate permissions to the network resource.
+9. Under **Advanced**, enable processor compatibility mode if required.
+10. Under **Tags**, you can optionally add tags to the VM resource.
+ >[!NOTE]
+ > Custom properties defined for the VM in VMM will be synced as tags in Azure.
+
+11. Under **Review + create**, review all the properties and select **Create**. The VM will be created in a few minutes.
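Review bot: the numbered procedure under "How to create a VM in Azure portal" repeats step number 3 ("Click **+ Create**" and "Under **Basics** > **Project details**"), so every later step is off by one; renumber 3 through 11. The Instance details and Template details bullets mix a hyphen separator ("Virtual machine name - Specify") with a dash that appears here as "ΓÇô" ("Virtual machine kind ΓÇô Select"); use one separator throughout. The front matter is also incomplete: the line "ms." carries neither a key nor a value.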
azure-arc Enable Scvmm Inventory Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/system-center-virtual-machine-manager/enable-scvmm-inventory-resources.md
+
+ Title: Enable SCVMM inventory resources in Azure Arc center (preview)
+description: This article helps you enable SCVMM inventory resources from Azure portal (preview)
+++ Last updated : 05/25/2022+
+keywords: "VMM, Arc, Azure"
++
+# Enable SCVMM inventory resources from Azure portal (preview)
+
+The article describes how you can view SCVMM management servers and enable SCVMM inventory from Azure portal, after connecting to the SCVMM management server.
+
+## View SCVMM management servers
+
+You can view all the connected SCVMM management servers under **SCVMM management servers** in Azure Arc center.
++
+In the inventory view, you can browse the virtual machines (VMs), VMM clouds, VM network, and VM templates.
+Under each inventory, you can select and enable one or more SCVMM resources in Azure to create an Azure resource representing your SCVMM resource.
+
+You can further use the Azure resource to assign permissions or perform management operations.
+
+## Enable SCVMM cloud, VM templates and VM networks in Azure
+
+To enable the SCVMM inventory resources, follow these steps:
+
+1. From Azure home > **Azure Arc** center, go to **SCVMM management servers (preview)** blade and go to inventory resources blade.
+
+ :::image type="content" source="media/enable-scvmm-inventory-resources/scvmm-server-blade-inline.png" alt-text="Screenshot of how to go to SCVMM management servers blade." lightbox="media/enable-scvmm-inventory-resources/scvmm-server-blade-expanded.png":::
+
+1. Select the resource(s) you want to enable and select **Enable in Azure**.
+
+ :::image type="content" source="media/enable-scvmm-inventory-resources/scvmm-enable-azure-inline.png" alt-text="Screenshot of how to enable in Azure option." lightbox="media/enable-scvmm-inventory-resources/scvmm-enable-azure-expanded.png":::
+
+1. In **Enable in Azure**, select your **Azure subscription** and **Resource Group** and select **Enable**.
+
+ :::image type="content" source="media/enable-scvmm-inventory-resources/scvmm-select-sub-resource-inline.png" alt-text="Screenshot of how to select subscription and resource group." lightbox="media/enable-scvmm-inventory-resources/scvmm-select-sub-resource-expanded.png":::
+
+ The deployment is initiated and it creates a resource in Azure, representing your SCVMM resources. It allows you to manage the access to these resources through the Azure role-based access control (RBAC) granularly.
+
+ Repeat the above steps for one or more VM networks and VM template resources.
+
+## Enable existing virtual machines in Azure
+
+To enable the existing virtual machines in Azure, follow these steps:
+
+1. From Azure home > **Azure Arc** center, go to **SCVMM management servers (preview)** blade and go to inventory resources blade.
+
+1. Go to **SCVMM inventory** resource blade, select **Virtual machines** and then select the VMs you want to enable and select **Enable in Azure**.
+
+ :::image type="content" source="media/enable-scvmm-inventory-resources/scvmm-enable-existing-vm-inline.png" alt-text="Screenshot of how to enable existing virtual machines in Azure." lightbox="media/enable-scvmm-inventory-resources/scvmm-enable-existing-vm-expanded.png":::
+
+1. Select your **Azure subscription** and **Resource group**.
+
+1. Select **Enable** to start the deployment of the VM represented in Azure.
+
+## Next steps
+
+[Connect virtual machines to Arc](quickstart-connect-system-center-virtual-machine-manager-to-arc.md)
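Review bot: missing prerequisites. Unlike create-virtual-machine.md in the same folder, this page never states which Azure role a user needs on the target subscription and resource group before "Enable in Azure" will succeed, even though the text says the resulting Azure resource is what RBAC permissions are later assigned on; add a Prerequisites section naming the required role. The Next steps link text "Connect virtual machines to Arc" does not match its target, quickstart-connect-system-center-virtual-machine-manager-to-arc.md, which connects the SCVMM management server rather than virtual machines; either rename the link or point it at create-virtual-machine.md. Minor: "The article describes" should be "This article describes".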
azure-arc Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/system-center-virtual-machine-manager/overview.md
+
+ Title: Overview of the Azure Connected System Center Virtual Machine Manager (preview)
+description: This article provides a detailed overview of the Azure Arc-enabled System Center Virtual Machine Manager (preview).
Last updated : 05/25/2022+
+ms.
++
+keywords: "VMM, Arc, Azure"
+++
+# Overview of Arc-enabled System Center Virtual Machine Manager (preview)
+
+Azure Arc-enabled System Center Virtual Machine Manager (SCVMM) empowers System Center customers to connect their VMM environment to Azure and perform VM self-service operations from Azure portal. With Azure Arc-enabled SCVMM, you get a consistent management experience across Azure.
+
+Azure Arc-enabled System Center Virtual Machine Manager allows you to manage your Hybrid environment and perform self-service VM operations through Azure portal. For Microsoft Azure Pack customers, this solution is intended as an alternative to perform VM self-service operations.
+
+Arc-enabled System Center VMM allows you to:
+
+- Perform various VM lifecycle operations such as start, stop, pause, delete VMs on VMM managed VMs directly from Azure.
+- Empower developers and application teams to self-serve VM operations on-demand using [Azure role-based access control (RBAC)](/azure/role-based-access-control/overview).
+- Browse your VMM resources (VMs, templates, VM networks, and storage) in Azure, providing you a single pane view for your infrastructure across both environments.
+- Discover and onboard existing SCVMM managed VMs to Azure.
+
+## How does it work?
+
+To Arc-enable a System Center VMM management server, deploy [Azure Arc resource bridge](/azure/azure-arc/resource-bridge/overview) (preview) in the VMM environment. Arc resource bridge is a virtual appliance that connects VMM management server to Azure. Azure Arc resource bridge (preview) enables you to represent the SCVMM resources (clouds, VMs, templates etc.) in Azure and do various operations on them.
+
+## Architecture
+
+The following image shows the architecture for the Arc-enabled SCVMM:
++
+### Supported VMM versions
+
+Azure Arc-enabled SCVMM works with VMM 2016, 2019 and 2022 versions.
+
+### Supported scenarios
+
+The following scenarios are supported in Azure Arc-enabled SCVMM (preview):
+
+- SCVMM administrators can connect a VMM instance to Azure and browse the SCVMM virtual machine inventory in Azure.
+- Administrators can use the Azure portal to browse SCVMM inventory and register SCVMM cloud, virtual machines, VM networks, and VM templates into Azure.
+- Administrators can provide app teams/developers fine-grained permissions on those SCVMM resources through Azure RBAC.
+- App teams can use Azure interfaces (portal, CLI, or REST API) to manage the lifecycle of on-premises VMs they use for deploying their applications (CRUD, Start/Stop/Restart).
+
+### Supported regions
+
+Azure Arc-enabled SCVMM (preview) is currently supported in the following regions:
+
+- East US
+- West Europe
+
+## Next steps
+
+[See how to create a Azure Arc VM](create-virtual-machine.md)
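Review bot: the metadata title "Overview of the Azure Connected System Center Virtual Machine Manager (preview)" does not match the H1 "Overview of Arc-enabled System Center Virtual Machine Manager (preview)", and "Azure Connected" is not the product name used anywhere else in the hunk; align the title with the heading. Under "Architecture", the sentence "The following image shows the architecture for the Arc-enabled SCVMM:" is followed by no image reference in this hunk, so the include is either missing or was dropped; verify it before merging. Minor: "a Azure Arc VM" in Next steps should be "an Azure Arc VM".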
azure-arc Quickstart Connect System Center Virtual Machine Manager To Arc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/system-center-virtual-machine-manager/quickstart-connect-system-center-virtual-machine-manager-to-arc.md
+
+ Title: Quick Start for Azure Arc-enabled System Center Virtual Machine Manager (preview)
+description: In this QuickStart, you will learn how to use the helper script to connect your System Center Virtual Machine Manager management server to Azure Arc (preview).
+++ Last updated : 05/25/2022+++
+# QuickStart: Connect your System Center Virtual Machine Manager management server to Azure Arc (preview)
+
+Before you can start using the Azure Arc-enabled SCVMM features, you need to connect your VMM management server to Azure Arc.
+
+This QuickStart shows you how to connect your SCVMM management server to Azure Arc using a helper script. The script deploys a lightweight Azure Arc appliance (called Azure Arc resource bridge) as a virtual machine running in your VMM environment and installs an SCVMM cluster extension on it, to provide a continuous connection between your VMM management server and Azure Arc.
+
+## Prerequisites
+
+| **Requirement** | **Details** |
+| | |
+| **Azure** | An Azure subscription <br/><br/> A resource group in the above subscription where you have the *Owner/Contributor* role. |
+| **SCVMM** | You need an SCVMM management server running version 2016 or later.<br/><br/> A private cloud that has at least one cluster with minimum free capacity of 16 GB of RAM, 4 vCPUs with 100 GB of free disk space. <br/><br/> A VM network with internet access, directly or through proxy. Appliance VM will be deployed using this VM network.<br/><br/> For dynamic IP allocation to appliance VM, DHCP server is required. For static IP allocation, VMM static IP pool is required. |
+| **SCVMM accounts** | An SCVMM admin account that can perform all administrative actions on all objects that VMM manages. <br/><br/> This will be used for the ongoing operation of Azure Arc-enabled SCVMM as well as the deployment of the Arc Resource bridge VM. |
+| **Workstation** | The workstation will be used to run the helper script.<br/><br/> A Windows/Linux machine that can access both your SCVMM management server and internet, directly or through proxy.<br/><br/> The helper script can be run directly from the VMM server machine as well.<br/><br/> Note that when you execute the script from a Linux machine, the deployment takes a bit longer and you may experience performance issues. |
+
+## Prepare SCVMM management server
+
+- Create an SCVMM private cloud if you don't have one. The private cloud should have a reservation of at least 16 GB of RAM and 4 vCPUs. It should also have at least 100 GB of disk space.
+- Ensure that SCVMM administrator account has the appropriate permissions.
+
+## Download the onboarding script
+
+1. Go to [Azure portal](https://aka.ms/SCVMM/MgmtServers).
+1. Search and select **Azure Arc**.
+1. In the **Overview** page, select **Add** in **Add your infrastructure for free** or move to the **infrastructure** tab.
+
+ :::image type="content" source="media/quick-start-connect-scvmm-to-azure/overview-add-infrastructure-inline.png" alt-text="Screenshot of how to select Add your infrastructure for free." lightbox="media/quick-start-connect-scvmm-to-azure/overview-add-infrastructure-expanded.png":::
+
+1. In the **Platform** section, in **System Center VMM** select **Add**.
+
+ :::image type="content" source="media/quick-start-connect-scvmm-to-azure/platform-add-system-center-vmm-inline.png" alt-text="Screenshot of how to select System Center V M M platform." lightbox="media/quick-start-connect-scvmm-to-azure/platform-add-system-center-vmm-expanded.png":::
+
+1. Select **Create new resource bridge** and select **Next**.
+1. Provide a name for **Azure Arc resource bridge**. For example: *contoso-nyc-resourcebridge*.
+1. Select a subscription and resource group where you want to create the resource bridge.
+1. Under **Region**, select an Azure location where you want to store the resource metadata. The currently supported regions are **East US** and **West Europe**.
+1. Provide a name for **Custom location**.
+ This is the name that you'll see when you deploy virtual machines. Name it for the datacenter or the physical location of your datacenter. For example: *contoso-nyc-dc.*
+1. Leave the option **Use the same subscription and resource group as your resource bridge** selected.
+1. Provide a name for your **SCVMM management server instance** in Azure. For example: *contoso-nyc-scvmm.*
+1. Select **Next: Download and run script**.
+1. If your subscription isn't registered with all the required resource providers, select **Register** to proceed to next step.
+1. Based on the operating system of your workstation, download the PowerShell or Bash script and copy it to the workstation.
+1. To see the status of your onboarding after you run the script on your workstation, select **Next:Verification**. The onboarding isn't affected when you close this page.
+
+## Run the script
+
+Use the following instructions to run the script, depending on the Operating System of the workstation.
+
+>[!NOTE]
+>Before running the script, install the latest version of Azure CLI (2.36.0 or later).
++
+### Windows
+
+Follow these instructions to run the script on a Windows machine.
+
+1. Open a new PowerShell window and verify if Azure CLI is successfully installed in the workstation, use the following command:
+ ```azurepowershell-interactive
+ az
+ ```
+1. Navigate to the folder where you've downloaded the PowerShell script:
+ *cd C:\Users\ContosoUser\Downloads*
+
+1. Run the following command to allow the script to run since it's an unsigned script (if you close the session before you complete all the steps, run this command again for the new session):
+ ```azurepowershell-interactive
+ Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
+ ```
+1. Run the script:
+ ```azurepowershell-interactive
+ ./resource-bridge-onboarding-script.ps1
+ ```
+### Linux
+
+Follow these instructions to run the script on a Linux machine:
+
+1. Open the terminal and navigate to the folder, where you've downloaded the Bash script.
+2. Execute the script using the following command:
+
+ ```sh
+ bash resource-bridge-onboarding-script.sh
+ ```
+
+## Script runtime
+The script execution will take up to half an hour and you'll be prompted for various details. See the following table for related information:
+
+| **Parameter** | **Details** |
+| | |
+| **Azure login** | You would be asked to log in to Azure by visiting [this site](https://www.microsoft.com/devicelogin) and pasting the prompted code. |
+| **SCVMM management server FQDN/Address** | FQDN for the VMM server (or an IP address). </br> Provide role name if itΓÇÖs a Highly Available VMM deployment. </br> For example: nyc-scvmm.contoso.com or 10.160.0.1 |
+| **SCVMM Username**</br> (domain\username) | Username for the SCVMM administrator account. The required permissions for the account are listed in the prerequisites above.</br> Example: contoso\contosouser |
+| **SCVMM password** | Password for the SCVMM admin account |
+| **Private cloud selection** | Select the name of the private cloud where the Arc resource bridge VM should be deployed. |
+| **Virtual Network selection** | Select the name of the virtual network to which *Arc resource bridge VM* needs to be connected. This network should allow the appliance to talk to the VMM management server and the Azure endpoints (or internet). |
+| **Static IP pool** | Select the VMM static IP pool that will be used to allot IP address. |
+| **Control Pane IP** | Provide a reserved IP address (a reserved IP address in your DHCP range or a static IP outside of DHCP range but still available on the network). The key thing is this IP address shouldn't be assigned to any other machine on the network. |
+| **Appliance proxy settings** | Type ΓÇÿYΓÇÖ if there's a proxy in your appliance network, else type ΓÇÿNΓÇÖ.|
+| **http** | Address of the HTTP proxy server. |
+| **https** | Address of the HTTPS proxy server.|
+| **NoProxy** | Addresses to be excluded from proxy.|
+|**CertificateFilePath** | For SSL based proxies, provide the path to the certificate. |
+
+Once the command execution is completed, your setup is complete, and you can try out the capabilities of Azure Arc- enabled SCVMM.
+
+### Retry command - Windows
+
+If for any reason, the appliance creation fails, you need to retry it. Run the command with ```-Force``` to clean up and onboard again.
+
+```powershell-interactive
+ ./resource-bridge-onboarding-script.ps1-Force -Subscription <Subscription> -ResourceGroup <ResourceGroup> -AzLocation <AzLocation> -ApplianceName <ApplianceName> -CustomLocationName <CustomLocationName> -VMMservername <VMMservername>
+```
+
+### Retry command - Linux
+
+If for any reason, the appliance creation fails, you need to retry it. Run the command with ```--force``` to clean up and onboard again.
+
+ ```sh
+ bash resource-bridge-onboarding-script.sh --force
+ ```
+>[!NOTE]
+> - After successful deployment, we recommend to maintain the state of **Arc Resource Bridge VM** as *online*.
+> - Intermittently appliance might become unreachable, when you shut down and restart the VM.
++
+## Next steps
+
+[Create a VM](create-virtual-machine.md)
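Review bot: the Windows retry command is broken: "./resource-bridge-onboarding-script.ps1-Force" has no space before "-Force", so PowerShell will look for a script named "resource-bridge-onboarding-script.ps1-Force" and fail; it should read "./resource-bridge-onboarding-script.ps1 -Force -Subscription <Subscription> ...". The same two retry sections wrap -Force and --force in triple backticks inline; use single backticks. Both tables ("Prerequisites" and "Script runtime") have a header separator row of "| | |" instead of "| --- | --- |", so they will not render as tables. The prompt name "Control Pane IP" should be "Control Plane IP". One documentation gap worth closing: the prerequisites require an SCVMM admin account "that can perform all administrative actions on all objects that VMM manages" and say it "will be used for the ongoing operation", and the script prompts for that account's password, but the page never says where those credentials are stored or how to rotate them; given the privilege level of the account, a sentence on this belongs next to the account requirement. Minor: the "az" check and the Set-ExecutionPolicy block are fenced as "azurepowershell-interactive" although neither is Azure PowerShell; "powershell-interactive", as used in the retry section, would be consistent.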
azure-australia Australia Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/australia-overview.md
- Title: What is Azure Australia? | Microsoft Docs
-description: Guidance on configuring Azure within the Australian regions to meet the specific requirements of Australian Government policy, regulations, and legislation.
--- Previously updated : 07/22/2019----
-# What is Azure Australia?
-
-In 2014, Azure was launched in Australia, with two regions; Australia East (Sydney) and Australia Southeast (Melbourne). In April 2018, two new Azure Regions located in Canberra ΓÇô Australia Central and Australia Central 2, were launched. The Australia Central and Australia Central 2 regions are purposely designed to meet the needs of government and critical national infrastructure, and offer specialised connectivity and flexibility so you can locate your systems beside the cloud, with levels of security and resilience only expected of Secret-classified networks. Azure Australia is a platform for the digital transformation of government and critical national infrastructure ΓÇô and the only mission-critical cloud available in Australia designed specifically for those needs.
-
-There are specific Australian Government requirements for connecting to, consuming, and operating within [Microsoft Azure Australia](https://azure.microsoft.com/global-infrastructure/australia/) for Australian Government data and systems. The resources on this page also provide general guidance applicable to all customers with a specific focus on secure configuration and operation.
-
-Refer to the Australia page of the [Microsoft Service Trust Portal](https://aka.ms/au-irap) for current information on the Azure Australia Information Security Registered Assessor (IRAP) Assessments, certification and inclusion on the Certified Cloud Services List (CCSL). On the Australia page, you will also find other Microsoft advice specific to Government and Critical Infrastructure providers.
-
-## Principles for securing customer data in Azure Australia
-
-Azure Australia provides a range of features and services that you can use to build cloud solutions to meet your regulated/controlled data needs. A compliant customer solution is nothing more than the effective implementation of out-of-the-box Azure Australia capabilities, coupled with a solid data security practice.
-
-When you host a solution in Azure Australia, Microsoft handles many of these requirements at the cloud infrastructure level.
-
-The following diagram shows the Azure defence-in-depth model. For example, Microsoft provides basic cloud infrastructure DDoS, along with customer capabilities such as security appliances or premium DDoS services for customer-specific application needs.
-
-![alt text](media/defenceindepth.png)
-
-These articles outline the foundational principles for securing your services and applications, with guidance and best practices on how to apply these principles. In other words, how customers should make smart use of Azure Australia to meet the obligations and responsibilities that are required for a solution that handles Government sensitive and classified information.
-
-There are two categories of documentation provided for Australian Government agencies migrating to Azure.
-
-## Security in Azure Australia
-
-Identity, Azure role-based access control, data protection through encryption and rights management, and effective monitoring and configuration control are key elements that you need to implement. In this section, there are a series of articles explaining the built-in capabilities of Azure and how they relate to the ISM and ASD Essential 8.
-
-These articles can be accessed through the menu under *Concepts -> Security in Azure Australia*.
-
-## Gateways in Azure Australia
-
-Another key step for Government agencies is the establishment of perimeter security capabilities. These capabilities are called Secure Internet Gateways (SIG) and when using Azure it is your responsibility to ensure these protections are in place. Microsoft does not operate a SIG; however, by combining our edge networking services that protect all customers, and specific services deployed within your Azure environment you can operate an equivalent capability.
-
-These articles can be accessed through the menu under *Concepts -> Gateways in Azure Australia*.
-
-## Next steps
-
-* If your key focus is securing your data in Azure, start with [Data Security](secure-your-data.md)
-* If your key focus is building a Gateway in Azure, start with [Gateway auditing, logging, and visibility](gateway-log-audit-visibility.md).
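Review bot: this hunk deletes australia-overview.md outright, but the removed Next steps still link to secure-your-data.md and gateway-log-audit-visibility.md, and the page was the entry point for the "Security in Azure Australia" and "Gateways in Azure Australia" menu sections; confirm that those sibling articles are removed or redirected in the same change and that a redirect exists for the old URL, otherwise inbound links and the TOC will break.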
azure-australia Azure Key Vault https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/azure-key-vault.md
- Title: Azure Key Vault in Azure Australia
-description: Guidance on configuring and using Azure Key Vault for key management within the Australian regions to meet the specific requirements of Australian Government policy, regulations, and legislation.
--- Previously updated : 07/22/2019---
-# Azure Key Vault in Azure Australia
-
-The secure storage of cryptographic keys and management of the cryptographic key lifecycle are critical elements within cryptographic systems. The service that provides this capability in Azure is the Azure Key Vault. Key Vault has been IRAP security accessed and ACSC certified for PROTECTED. This article outlines the key considerations when using Key Vault to comply with the Australian Signals Directorate's (ASD) [Information Security Manual Controls](https://acsc.gov.au/infosec/ism/) (ISM).
-
-Azure Key Vault is a cloud service that safeguards encryption keys and secrets. Because this data is sensitive and business critical, Key Vault enables secure access to key vaults, allowing only authorized users and applications. There are three main artifacts managed and controlled by Key Vault:
--- keys-- secrets-- certificates-
-This article will focus on management of keys using Key Vault.
-
-![Azure Key Vault](media/azure-key-vault-overview.png)
-
-*Diagram 1 ΓÇô Azure Key Vault*
-
-## Key design considerations
-
-### Deployment options
-
-There are two options for creating Azure Key Vaults. Both options use the nCipher nShield family of Hardware Security Modules (HSM), are Federal Information Processing Standards (FIPS) validated, and are approved to store keys in PROTECTED environments. The options are:
--- **Software-protected vaults:** FIPS 140-2 level 1 validated. Keys stored on an HSM. Encryption and decryption operations are performed in compute resources on Azure.-- **HSM-protected vaults:** FIPS 140-2 level 2 validated. Keys stored on an HSM. Encryption and decryption operations are performed on the HSM.-
-Key Vault supports Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) keys. The default is RSA 2048-bit keys but there is an advanced option for RSA 3072-bit, RSA 4096-bit, and ECC keys. All keys meet the ISM controls, but Elliptic Curve keys are preferred.
-
-### Resource operations
-
-There are several personas involved in Azure Key Vault:
--- **Key Vault administrator:** Manages the lifecycle of the vault-- **Key administrator:** Manages the lifecycle of keys in the vault-- **Developer/operator:** Integrate keys from the vault into applications and services-- **Auditor:** Monitor key usage and access-- **Applications:** Use keys to secure information-
-Azure Key Vault is secured with two separate interfaces:
--- **Management Plane:** This plane deals with managing the vault and it secured by Azure RBAC.-- **Data Plane:** This plane deals with managing and accessing the artifacts in the vault. Secured using Key Vault access policy.-
-As required by the ISM, proper authentication and authorisation are required before a caller (a user or an application) before they can get access to key vault by either plane.
-
-Azure RBAC has one built-in role for Key Vault, [Key Vault Contributor](../role-based-access-control/built-in-roles.md#key-vault-contributor), to control management of the Key Vaults. The creation of custom roles aligned to more granular roles for managing your Key Vaults is recommended.
-
->[!WARNING]
->When access to keys is enabled via Key Vault access policy then the user or application has that access to all keys in the key vault (for example, if a user has 'delete' access then they can delete all keys). Therefore, multiple key vaults should be deployed to align with security domains/boundaries.
-
-### Networking
-
-You can configure Key Vault firewalls and virtual networks to control access to the data plane. You can allow access to users or applications on specified networks while denying access to users or applications on all other networks. [Trusted services](../key-vault/general/overview-vnet-service-endpoints.md#trusted-services) are an exception to this control if "Allow trusted services" is enabled. The virtual networking control does not apply to the management plane.
-
-Access to Key Vaults should be explicitly restricted to the minimum set of networks that have users or applications requiring access to keys.
-
-### Bring Your Own Key (BYOK)
-
-Key Vault supports BYOK. BYOK enables users to import keys from their existing key infrastructures. The BYOK toolset supports the secure transfer and import of keys from an external HSM (for example, keys generated with an offline workstation) into Key Vault.
-
-### Key Vault auditing and logging
-
-The ACSC requires Commonwealth entities to use the appropriate Azure services to undertake real-time monitoring and reporting on their Azure workloads.
-
-Logging is enabled by enabling the **_"AuditEvent"_** diagnostic setting on Key Values. Audit events will be logged to the specified storage account. **_"RetentionInDays"_** period should be set according to the data retention policy. [Operations](../key-vault/general/logging.md#interpret-your-key-vault-logs) on both the management plane and data plane are audited and logged. The [Azure Key Vault solution in Azure Monitor](../azure-monitor/insights/key-vault-insights-overview.md) can be used to review Key Vault AuditEvent logs. A number of other Azure services can be used to process and distribute Key Vault AuditEvents.
-
-### Key rotation
-
-Storing keys in Key Vault provided a single point to maintain keys outside applications that enable keys to be updated without affecting the behaviour of the applications. Storing keys in Azure Key Vault enables various strategies for supporting key rotation:
--- Manually-- Programmatically via APIs-- Automation Scripts (for example, using PowerShell and Azure Automation)-
-These options enable keys to be rotated on a periodic basis to satisfy compliance requirements or on an ad-hoc basis if there are concerns that keys may have been compromised.
-
-#### Key rotation strategies
-
-It is important to develop an appropriate key rotation strategy for keys which are stored in KeyVault. Using the wrong key will lead to information being incorrectly decrypted, and losing keys can lead to the complete loss of access to information. Examples of key rotation strategies for different scenarios include:
--- **Inflight data:** volatile information is transmitted between 2 parties. When a key is rotated then both parties must have a mechanism to synchronous retrieving the updated keys from the key vault.-- **Data as rest:** A party stores encrypted data and decrypts it in the future to use. When a key is going to rotated then the data must be decrypted with the old key and then encrypted with the new, rotated key. There are approaches to minimize the impact of the decrypt/encrypt process using key encrypting keys (see example). Microsoft manages the majority of the process related to key rotation for Azure Storage (see…)-- **Access keys:** a number of Azure services have access keys that can be stored in Key Vault (for example, CosmosDB). The azure services have primary and secondary access keys. It is important that both keys are not rotated at the same time. Therefore, one key should be rotated then after a period and the key operation has been verified then the second key can be rotated.-
-### High availability
-
-The ISM has several controls that relate to Business Continuity.
-Azure Key Vault has multiple layers of redundancy with contents replicated within the region and to the secondary, [paired region](../availability-zones/cross-region-replication-azure.md).
-
-When the key vault is in a fail-over state, it is in read-only mode and will return to read-write mode the primary service is restored.
-
-The ISM has several controls related to backup. It is important to develop and execute appropriate backup/restore plans for vaults and their keys.
-
-## Key lifecycle
-
-### Key operations
-
-Key Vault support the following operations on a key:
--- **create:** Allows a client to create a key in Key Vault. The value of the key is generated by Key Vault and stored, and isn't released to the client. Asymmetric keys may be created in Key Vault.-- **import:** Allows a client to import an existing key to Key Vault. Asymmetric keys may be imported to Key Vault using a number of different packaging methods within a JWK construct.-- **update:** Allows a client with sufficient permissions to modify the metadata (key attributes) associated with a key previously stored within Key Vault.-- **delete:** Allows a client with sufficient permissions to delete a key from Key Vault.-- **list:** Allows a client to list all keys in a given Key Vault.-- **list versions:** Allows a client to list all versions of a given key in a given Key Vault.-- **get:** Allows a client to retrieve the public parts of a given key in a Key Vault.-- **backup:** Exports a key in a protected form.-- **restore:** Imports a previously backed up key.-
-There is a corresponding set of permissions that can be granted to users, service principals, or applications using Key Vault access control entries to enable them to execute key operations.
-
-Key Vault has a soft delete feature to allow the recovery of deleted vaults and keys. By default, **_"soft delete"_** is not enabled, but once enabled, objects are held for 90 days (the retention period) while appearing to be deleted. An additional permission **_"purge"_**, allows the permanent deletion of keys if the **_"Purge Protection"_** option is disabled.
-
-Creating or importing an existing key creates a new version of the key.
-
-### Cryptographic operations
-
-Key Vault also supports cryptographic operations using keys:
--- **sign and verify:** this operation is a "sign hash" or "verify hash". Key Vault does not support hashing of content as part of signature creation.-- **key encryption/wrapping:** this operation is used to protect another key.-- **encrypt and decrypt:** the stored key is used to encrypt or decrypt a single block of data-
-There is a corresponding set of permissions that can be granted to users, service principals, or applications using Key Vault access control entries to enable them to execute cryptographic operations.
-
-There are three key attributes that can set to control whether a key is enabled and useable of cryptographic operations:
--- **enabled**-- **nbf:** not before enabled before specified date-- **exp:** expiration date-
-## Storage and keys
-
-Customer-managed keys are more flexibility and enable assess to and management of the keys to be controlled. They also enable auditing the encryption keys used to protect data.
-There are three aspects to storage and keys stored in Key Vault:
--- Key Vault managed storage account keys-- Azure Storage Service Encryption (SSE) for data at rest-- Managed disks and Azure Disk Encryption-
-Key Vault's Azure Storage account key management is an extension to Key Vault's key service that supports synchronization and regeneration (rotation) of storage account keys. [Azure Storage integration with Azure Active Directory](../storage/blobs/authorize-access-azure-active-directory.md) (preview) is recommended when released as it provides superior security and ease of use.
-SSE uses two keys to manage encryption of data at rest:
--- Key Encryption Keys (KEK)-- Data Encryption Keys (DEK)-
-While Microsoft manages the DEKs, SSE has an option to use customer-managed KEKs that can be stored in Key Vault. This enables the rotation of keys in Azure Key Vault as per the appropriate compliance policies. When keys are rotated, Azure Storage re-encrypts the Account Encryption Key for that storage account. This does not result in re-encryption of all data and there is no other action required.
-
-SSE is used for managed disks but customer-managed keys are not supported. Encryption of managed disks can be done using Azure Disk Encryption with customer-managed KEK keys in Key Vault.
-
-## Next Steps
-
-Review the article on [Identity Federation](identity-federation.md)
-
-Review additional Azure Key Vault documentation and tutorials in the [Reference Library](reference-library.md)
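Review bot: the deletion removes ISM-specific Key Vault guidance that is not obviously preserved elsewhere, in particular the [!WARNING] block stating that an access-policy grant applies to every key in the vault (hence one vault per security domain or boundary) and the recommendation under Networking to restrict the data plane to the minimum set of networks that need key access; before merging, confirm that the redirect target registered for this article covers those two points, or that they are folded into the ../key-vault/general/ pages the text links to. The Next Steps links to identity-federation.md and reference-library.md are relative paths into the same azure-australia folder, so check that those siblings are retired in the same change rather than left as dangling targets.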
azure-australia Azure Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/azure-policy.md
- Title: Security compliance with Azure Policy and Azure Blueprints
-description: Ensuring compliance and enforcing security with Azure Policy and Azure Blueprints for Australian Government agencies as it relates to the ASD ISM and Essential 8
--- Previously updated : 07/22/2019---
-# Security compliance with Azure Policy and Azure Blueprints
-
-The challenge of enforcing governance within your IT environment, whether it be an on-premises, cloud native or a hybrid environment, exists for all organisations. A robust technical governance framework needs to be in place to ensure your Microsoft Azure environment conforms with design, regulatory, and security requirements.
-
-For Australian Government agencies, they key controls to consider when assessing risk are in the [Australian Cyber Security Centre (ACSC) Information Security Manual](https://acsc.gov.au/infosec/ism/index.htm) (ISM). The majority of controls detailed within the ISM require the application of technical governance to be effectively managed and enforced. It is important you have the appropriate tools to evaluate and enforce configuration in your environments.
-
-Microsoft Azure provides two complimentary services to assist with these challenges, Azure Policy and Azure Blueprints.
-
-## Azure Policy
-
-Azure Policy enables the application of the technical elements of an organisation's IT governance. Azure Policy contains a constantly growing library of built-in policies. Each Policy enforces rules and effects on the targeted Azure Resources.
-
-Once a policy is assigned to resources, the overall compliance against that policy can be evaluated, and be remediated if necessary.
-
-This library of built-in Azure Polices enable an organisation to quickly enforce the types of controls found in the ACSC ISM. Examples of controls include:
-
-* Monitoring virtual machines for missing system updates
-* Auditing accounts with elevated permissions for multi-factor authentication
-* Identifying unencrypted SQL Databases
-* Monitoring the use of custom Azure role-based access control (Azure RBAC)
-* Restricting the Azure regions that resources can be created in
-
-If governance or regulatory controls are not met by a built-in Azure Policy definition, a custom definition can be created and assigned. All Azure Policy definitions are defined in JSON and follow a standard [definition structure](../governance/policy/concepts/definition-structure.md). Existing Azure Policy definitions can also be duplicated and used to form the basis of a custom Policy definition.
-
-Assigning individual Azure Policies to resources, especially in complex environments or in environments with strict regulatory requirements, can create large overhead for your administrators. To assist with these challenges, a set of Azure Policies can be grouped together to form an Azure Policy Initiative. Policy Initiatives are used to combine related Azure policies that, when applied together as a group, form the basis of a specific security or compliance objective. Microsoft is adding built-in Azure Policy Initiative definitions, including definitions designed to meet specific regulatory requirements:
-
-![Regulatory Compliance Policy Initiatives](media/regulatory-initiatives.png)
-
-All Azure Policies and Initiatives are assigned to an assignment scope. This scope is defined at either the Azure Subscription, Azure Management Group, or Azure Resource Group levels. Once the required Azure Policies or Policy Initiatives have been assigned, an organisation will be able to enforce the configuration requirements on all newly created Azure resources.
-
-Assigning a new Azure Policy or Initiative will not affect existing Azure resources. Azure Policy can; however, enable an organisation to view the compliance of existing Azure resources. Any resources that have been identified as being non-compliant can be remediated at the organisation's discretion
-
-### Azure Policy and initiatives in action
-
-The available built-in Azure Policy and Initiative definitions can be found under the Definition node in the Policy section of the Azure portal:
-
-![Built-In Azure Policy Definitions](media/policy-definitions.png)
-
-Using the library of built-in definitions, you can quickly search for Policies that meet an organisational requirement, review the policy definition, and assign the Policy to the appropriate resources. For example, the ISM requires multi-factor authentication (MFA) for all privileged users, and for all users with access to important data repositories. In Azure Policy you can search for "MFA" amongst the Azure Policy definitions:
-
-![Azure AD MFA Policies](media/mfa-policies.png)
-
-Once a suitable policy is identified, you assign the policy to the desired scope. If there is no built-in policy that meets your requirements, you can duplicate the existing policy and make the desired changes:
-
-![Duplicate existing Azure Policy](media/duplicate-policy.png)
-
-Microsoft also provides a collection of Azure Policy samples on [GitHub](https://github.com/Azure/azure-policy) as a 'quickstart' for you to build custom Azure Policies. These Policy samples can be copied directly into the Azure Policy editor within the Azure portal.
-
-When creating Azure Policy Initiatives, you can sort the list of available policy definitions, both built-in and custom, adding the required definitions.
-
-For instance, you could search through the list of available Azure Policy definitions for all of the policies related to Windows virtual machines. Then you those definitions to an Initiative designed to enforce recommended virtual machine hardening practices:
-
-![List of Azure Policies](media/initiative-definitions.png)
-
-While assigning an Azure Policy or Policy Initiative to an assignment scope, it is possible for you to exclude Azure resources from the effects of the Policies by excluding either Azure Management Groups or Azure Resource Groups.
-
-### Real-time enforcement and compliance assessment
-
-Azure Policy compliance scans of in-scope Azure resources are undertaken when the following conditions are met:
-
-* When an Azure Policy or Azure Policy Initiative is assigned
-* When the scope of an existing Azure Policy or Initiative is changed
-* On demand via the API up to a maximum of 10 scans per hour
-* Once every 24 hours - the default behaviour
-
-A policy compliance scan for a single Azure resource is undertaken 15 minutes after a change has been made to the resource.
-
-An overview of the Azure Policy compliance of resources can be reviewed within the Azure portal via the Policy Compliance dashboard:
-
-![Azure Policy compliance score](media/simple-compliance.png)
-
-The overall resource compliance percentage figure is an aggregate of the compliance of all in-scope deployed resources against all of your assigned Azure Policies. This allows you to identify the resources within an environment that are non-compliant and devise the plan to best remediate these resources.
-
-The Policy Compliance dashboard also includes the change history for each resource. If a resource is identified as no longer being compliant with assigned policy, and automatic remediation is not enabled, you can view who made the change, what was changed, and when the changes were made to that resource.
-
-## Azure Blueprints
-
-Azure Blueprints extend the capability of Azure Policy by combining them with:
-
-* Azure RBAC
-* Azure Resource Groups
-* [Azure Resource Manager Templates](../azure-resource-manager/templates/syntax.md)
-
-Blueprints allow for the creation of environment designs that deploy Azure resources from Resource Manager templates, configure Azure RBAC, and enforce and audit configuration by assigning Azure Policy. Blueprints form an editable and redeployable environment template. Once the blueprint has been created, it can then be assigned to an Azure Subscription. Once assigned, all of the Azure resources defined within the blueprint will be created and the Azure Policies applied. The deployment and configuration of resources defined in an Azure blueprint can be monitored from the Azure Blueprints console in the Azure portal.
-
-Azure Blueprints that have been edited must be republished in the Azure portal. Each time a Blueprint is republished, the version number of the Blueprint is incremented. The version number allows you to determine which specific version of a Blueprint has been deployed to an organisation's Azure Subscriptions. If desired, the currently assigned version of the Blueprint can be updated to the latest version.
-
-Resources deployed using an Azure blueprint can be configured with [Azure Resource Locks](../azure-resource-manager/management/lock-resources.md) at the time of deployment. Resource locks prevent resources from being accidentally modified or deleted.
-
-Microsoft is developing Azure Blueprints templates for a range of industries and regulatory requirements. The current library of available Azure Blueprints definitions can be viewed in the Azure portal or the [Azure Security and Compliance Blueprint](https://servicetrust.microsoft.com/ViewPage/BlueprintOverview/) page in the Service Trust Portal.
-
-### Azure Blueprints artifacts
-
-To create an Azure Blueprint, you can start with a blank Blueprint template, or use one of the existing sample Blueprints as a starting point. You can add artifacts to the Blueprint that will be configured as part of deployment:
-
-![Azure Blueprints Artifacts](media/blueprint-artifacts.png)
-
-These artifacts could include the Azure Resource Group and Resources and associated Azure Policy and Policy Initiatives to enforce the configuration required for your environment to be compliant you're your regulatory requirements, for example, the ISM controls for system hardening.
-
-Each of these artifacts can also be configured with parameters. These values are provided when the Blueprint has been assigned to an Azure subscription and deployed. Parameters allow for a single Blueprint to be created and used to deploy resources into different environments without having to edit the underlying Blueprint.
-
-Microsoft is developing Azure PowerShell and CLI cmdlets to create and manage Azure Blueprints with the intention that a Blueprint could be maintained and deployed by an organisation via a CI/CD pipeline.
-
-## Next steps
-
-This article explained how governance and security can be enforced with Azure Policy and Azure Blueprints. Now that you've been exposed at a high level, learn how to use each service in more detail:
-
-* [Azure Policy Overview](../governance/policy/overview.md)
-* [Azure Blueprints Overview](https://azure.microsoft.com/services/blueprints/)
-* [Azure Policy Samples](../governance/policy/samples/index.md)
-* [Azure Policy Samples Repository](https://github.com/Azure/azure-policy)
-* [Azure Policy Definition Structure](../governance/policy/concepts/definition-structure.md)
-* [Azure Policy Effects](../governance/policy/concepts/effects.md)
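Review bot: the seven image references under media/ (regulatory-initiatives.png, policy-definitions.png, mfa-policies.png, duplicate-policy.png, initiative-definitions.png, simple-compliance.png and blueprint-artifacts.png) go away with the article, so the matching files under articles/azure-australia/media/ should be deleted in the same commit or they are left as orphaned assets. Also confirm a redirection entry exists for azure-policy.md so inbound links to this path do not 404; the Next steps section already points at the generic ../governance/policy/overview.md, which is the natural redirect target.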
azure-australia Gateway Egress Traffic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/gateway-egress-traffic.md
- Title: Controlling egress traffic in Azure Australia
-description: Key elements of controlling egress traffic in Azure to meet Australian Government requirements for Secure Internet Gateways
--- Previously updated : 07/29/2019---
-# Controlling egress traffic in Azure Australia
-
-A fundamental component of securing ICT systems is controlling network traffic. Restricting communication to only the traffic necessary for a system to function reduces the potential for compromise. Visibility and control over the external systems that your applications and services communicate with helps detect compromised systems, and attempted or successful data exfiltration. This article provides information on how outbound (egress) network traffic works within Azure and provides recommendations for implementing network security controls for an internet connected system that aligns with the Australian Cyber Security Centre (ACSC) Consumer Guidance and the intent of the ACSC's Information Security Manual (ISM).
-
-## Requirements
-
-The overall security requirements for Commonwealth systems are defined in the ISM. To assist Commonwealth entities in implementing network security, the ACSC has published _ACSC Protect: Implementing Network Segmentation and Segregation_, and to assist with securing systems in Cloud environments the ACSC has published _Cloud Computing Security for Tenants_.
-
-The ACSC documents outline the context for implementing network security and controlling traffic, and provide practical recommendations for network design and configuration.
-
-The following key requirements for controlling egress traffic in Azure have been identified in the ACSC documents.
-
-Description|Source
- |
-**Implement Network Segmentation and Segregation**, for example, use an n-tier architecture, using host-based firewalls and network access controls to limit inbound and outbound network connectivity to only required ports and protocols.| [Cloud Computing for Tenants](https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-computing-security-tenants)
-**Implement adequately high bandwidth, low latency, reliable network connectivity** between the tenant (including the tenant's remote users) and the cloud service to meet the tenant's availability requirements | [ACSC Protect: Implementing Network Segmentation and Segregation](https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation)
-**Apply technologies at more than just the network layer**. Each host and network should be segmented and segregated, where possible, at the lowest level that can be practically managed. In most cases, this applies from the data link layer up to and including the application layer; however, in sensitive environments, physical isolation may be appropriate. Host-based and network-wide measures should be deployed in a complementary manner and be centrally monitored. Just implementing a firewall or security appliance as the only security measure is not sufficient. |[ACSC Protect: Implementing Network Segmentation and Segregation](https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation)
-**Use the principles of least privilege and needΓÇÉtoΓÇÉknow**. If a host, service, or network doesn't need to communicate with another host, service, or network, it should not be allowed to. If a host, service, or network only needs to talk to another host, service, or network on a specific port or protocol, it should be restricted to only those ports and protocols. Adopting these principles across a network will complement the minimisation of user privileges and significantly increase the overall security posture of the environment. |[ACSC Protect: Implementing Network Segmentation and Segregation](https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation)
-**Separate hosts and networks based on their sensitivity or criticality to business operations**. This may include using different hardware or platforms depending on different security classifications, security domains, or availability/integrity requirements for certain hosts or networks. In particular, separate management networks and consider physically isolating out-of-band management networks for sensitive environments. |[ACSC Protect: Implementing Network Segmentation and Segregation](https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation)
-**Identify, authenticate, and authorise access by all entities to all other entities**. All users, hosts, and services should have their access to all other users, hosts, and services restricted to only those required to perform their designated duties or functions. All legacy or local services which bypass or downgrade the strength of identification, authentication, and authorisation services should be disabled wherever possible and have their use closely monitored. |[ACSC Protect: Implementing Network Segmentation and Segregation](https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation)
-**Implement allowlisting of network traffic instead of deny listing**. Only permit access for known good network traffic (traffic that is identified, authenticated, and authorised), rather than denying access to known bad network traffic (for example, blocking a specific address or service). Allowlists result in a superior security policy to deny lists, and significantly improve your capacity to detect and assess potential network intrusions. |[ACSC Protect: Implementing Network Segmentation and Segregation](https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation)
-**Defining an allowlist of permitted websites and blocking all unlisted websites** effectively removes one of the most common data delivery and exfiltration techniques used by an adversary. If users have a legitimate requirement to access numerous websites, or a rapidly changing list of websites; you should consider the costs of such an implementation. Even a relatively permissive allowlist offers better security than relying on deny lists, or no restrictions at all, while still reducing implementation costs. An example of a permissive allowlist could be permitting the entire Australian subdomain, that is '*.au', or allowing the top 1,000 sites from the Alexa site ranking (after filtering Dynamic Domain Name System (DDNS) domains and other inappropriate domains).| [Australian Government Information Security Manual (ISM)](https://www.cyber.gov.au/ism)
-|
-
-This article provides information and recommendations on how network traffic leaving your Azure environment is controlled. It covers systems deployed in Azure using both Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).
-
-The [Gateway Ingress Traffic](gateway-ingress-traffic.md) article addresses network traffic entering your Azure environment and is the companion to this article for full network control coverage.
-
-## Architecture
-
-To appropriately control egress traffic, when you design and implement network security, you must first understand how egress network traffic works within Azure across both IaaS and PaaS. This section provides an overview of how outbound traffic generated by a resource hosted in Azure is processed, and the security controls available to restrict, and control that traffic.
-
-### Architecture components
-
-The architectural diagram shown here depicts the possible paths that network traffic can take when exiting a system that is deployed into a subnet in a virtual network. Traffic in a virtual network is managed and governed at a subnet level, with routing and security rules applying to the resources contained within. The components related to egress traffic are divided into Systems, Effective Routes, Next Hop types, Security Controls, and PaaS egress.
-
-![Architecture](media/egress-traffic.png)
-
-### Systems
-
-Systems are the Azure resources and related components that generate outbound traffic within an IP subnet that is part of a virtual network.
-
-| Component | Description |
-| | |
-|Virtual Network (VNet) | A VNet is a foundational resource within Azure that provides a platform and boundary for deploying resources and enabling communication. The VNet exists within an Azure Region and defines the IP Address Space and Routing boundaries for VNet integrated resources such as Virtual Machines.|
-|Subnet | A subnet is an IP address range that is created within a VNet. Multiple subnets can be created within a VNet for network segmentation.|
-|Network Interface| A network interface is a resource that exists in Azure. It is attached to a Virtual Machine and assigned a private, non-Internet routable IP address from the subnet that it is associated with. This IP address is dynamically or statically assigned through Azure Resource Manager.|
-|Public IPs| A Public IP is a resource that reserves one of the Microsoft owned Public, Internet-Routable IP Addresses from the specified region for use within the virtual network. It can be associated with a specific Network Interface or PaaS resource, which enables the resource to communicate with the Internet, ExpressRoute and to other PaaS systems.|
-|
-
-### Routes
-
-The path that egress traffic takes is dependent on the effective routes for that resource, which is the resultant set of routes determined by the combination of routes learned from all possible sources and the application of Azure routing logic.
-
-| Component | Description |
-| | |
-|System Routes| Azure automatically creates system routes and assigns the routes to each subnet in a virtual network. System routes cannot be created or removed, but some can be overridden with custom routes. Azure creates default system routes for each subnet, and adds additional optional default routes to specific subnets, or every subnet, when specific Azure capabilities are utilised.|
-|Service Endpoints| Service endpoints provide a direct, private egress connection from a subnet to a specific PaaS capability. Service endpoints, which are only available for a subset of PaaS capabilities, provide increased performance and security for resources in a VNet accessing PaaS.|
-|Route Tables| A route table is a resource in Azure that can be created to specify User-Defined Routes (UDRs) that can complement or override systems routes or routes learned via Border Gateway Protocol. Each UDR specifies a network, a network mask, and a next hop. A route table can be associated to a subnet and the same route table can be associated to multiple subnets, but a subnet can only have zero or one route table.|
-|Border Gateway Protocol (BGP)| BGP is an inter-autonomous system routing protocol. An autonomous system is a network or group of networks under a common administration and with common routing policies. BGP is used to exchange routing information between autonomous systems. BGP can be integrated into virtual networks through virtual network gateways.|
-|
-
-### Next hop types defined
-
-Each route within Azure includes the network range and associated subnet mask and the next hop, which determines how the traffic is processed.
-
-Next Hop Type | Description
-- | -
-**Virtual Network** | Routes traffic between address ranges within the address space of a virtual network. Azure creates a route with an address prefix that corresponds to each address range defined within the address space of a virtual network. If the virtual network address space has multiple addresses ranges defined, Azure creates an individual route for each address range. Azure automatically routes traffic between subnets within a VNet using the routes created for each address range.
-**VNet peering** | When a virtual network peering is created between two virtual networks, a route is added for each address range of each virtual network to the virtual network it is peered to. Traffic is routed between the peered virtual networks in the same way as subnets within a virtual network.
-**Virtual network gateway** | One or more routes with virtual network gateway listed as the next hop type are added when a virtual network gateway is added to a virtual network. The routes included are those that are configured within the local network gateway resource and any routes learned via BGP.
-**Virtual appliance** | A virtual appliance typically runs a network application, such as a firewall. The virtual appliance allows additional processing of the traffic to occur, such as filtering, inspection, or address translation. Each route with the virtual appliance hop type must also specify a next hop IP address.
-**VirtualNetworkServiceEndpoint** | The public IP addresses for a specific service are added as routes to a subnet with a next hop of VirtualNetworkServiceEndpoint when a service endpoint is enabled. Service endpoints are enabled for individual services on individual subnets within a virtual network. The public IP addresses of Azure services change periodically. Azure manages the addresses in the route table automatically when the addresses change.
-**Internet** | Traffic with a next hop of Internet will exit the virtual network and automatically be translated to a Public IP address either from a dynamic pool available in the associated Azure region, or by using a Public IP address configured for that resource. If the destination address is for one of Azure's services, traffic is routed directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services does not traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in.
-**None** | Traffic with a next hop of none is dropped. Azure creates system default routes for reserved address prefixes with none as the next hop type. Routes with a next hop of none can also be added using route tables to prevent traffic from being routed to specific networks.
-|
-
-### Security controls
-
-Control | Description
| --
-**Network Security Groups (NSGs)** | NSGs control traffic into and out of virtual network resources in Azure. NSGs apply rules for the traffic flows that are permitted or denied, which includes traffic within Azure and between Azure and external networks such as on-premises or the Internet. NSGs are applied to subnets within a virtual network or to individual network interfaces.
-**Azure Firewall** | Azure Firewall is a managed, cloud-based network security service that protects Azure virtual network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Azure Firewall can be configured with traditional network filtering rules based on IP addresses, protocols, and ports, but also supports filtering based on Fully Qualified Domain Names (FQDN), Service Tags and inbuilt Threat Intelligence.
-**Network Virtual Appliance (NVA)** | Network Virtual Appliances are virtual machine media that can provide networking, security, and other functions to Azure. NVAs support network functionality and services in the form of VMs in virtual networks and deployments. NVAs can be used to address specific requirements, integrate with management and operational tools, or to provide consistency with existing products. Azure supports a broad list of third-party network virtual appliances including web application firewalls (WAF), firewalls, gateways/routers, application delivery controllers (ADC), and WAN optimizers.
-**Service endpoint policies (Preview)** | Virtual network service endpoint policies allow you to filter virtual network traffic to Azure services, allowing only specific Azure service resources, over service endpoints. Endpoint policies provide granular access control for virtual network traffic to Azure services.
-**Azure Policy** | Azure Policy is a service in Azure for creating, assigning, and managing policies. These policies use rules to control the types of resources that can be deployed and the configuration of those resources. Policies can be used to enforce compliance by preventing resources from being deployed if they do not meet requirements or can be used for monitoring to report on compliance status.
-|
-
-### PaaS egress
-
-The majority of PaaS resources do not generate egress traffic, but either respond to inbound requests (such as an Application Gateway, Storage, SQL Database, etc.) or relay data from other resources (such as Service Bus and Azure Relay). The network communication flows between PaaS resources such as App Services to Storage or SQL Databases is controlled and contained by Azure and secured through identity and other resource configuration controls rather than network segmentation or segregation.
-
-PaaS resources deployed into a virtual network receive dedicated IP addresses and are subject to any routing controls and NSGs in the same way as other resources in the virtual network. PaaS resources that do not exist within a virtual network will utilise a pool of IP addresses that are shared across all instances of the resource, which are either published through Microsoft documentation or can be determined through Azure Resource Manager.
-
-## General guidance
-
-To design and build secure solutions within Azure, it is critical to understand and control the network traffic so that only identified and authorised communication can occur. The intent of this guidance and the specific component guidance in later sections is to describe the tools and services that can be utilised to apply the principles outlined in the [ACSC Protect: Implementing Network Segmentation and Segregation](https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation) across Azure workloads. This includes detailing how to create a virtual architecture for securing resources when it is not possible to apply the same traditional physical and network controls that are possible in an on-premises environment.
-
-### Guidance
-
-* Limit the number of egress points for virtual networks
-* Override the system default route for all subnets that do not need direct outbound communication to the Internet
-* Design and implement a complete network architecture to identify and control all ingress and egress points to Azure resources
-* Consider utilising a Hub and Spoke Network Design for virtual networks as discussed in the Microsoft Virtual Data Centre (VDC) documentation
-* Utilise products with inbuilt security capabilities for outbound connections to the Internet (for example, Azure Firewall, Network Virtual Appliances or Web Proxies)
-* Use identity controls such as Azure role-based access control, Conditional Access, and Multi-Factor Authentication (MFA) to limit network configuration privileges
-* Implement Locks to prevent modification or deletion of key elements of the network configuration
-* Deploy PaaS in a VNet integrated configuration for increased segregation and control
-* Implement ExpressRoute for connectivity with on-premises networks
-* Implement VPNs for integration with external networks
-* Utilise Azure Policy to restrict the regions and resources to only those that are necessary for system functionality
-* Utilise Azure Policy to enforce baseline security configuration for resources
-* Leverage Network Watcher and Azure Monitor for logging, auditing, and visibility of network traffic within Azure
-
-### Resources
-
-Item | Link
|
-_Australian Regulatory and Policy Compliance Documents including Consumer Guidance_ | [https://aka.ms/au-irap](https://aka.ms/au-irap)
-_Azure Virtual Data Centre_ | [https://docs.microsoft.com/azure/architecture/vdc/networking-virtual-datacenter](/azure/architecture/vdc/networking-virtual-datacenter)
-_ACSC Network Segmentation_ | [https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation](https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation)
-_ACSC Cloud Security for Tenants_ | [https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-computing-security-tenants](https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-computing-security-tenants)
-_ACSC Information Security Manual_ | [https://acsc.gov.au/infosec/ism/index.htm](https://acsc.gov.au/infosec/ism/index.htm)
-|
-
-## Component guidance
-
-This section provides further guidance on the individual components that are relevant to egress traffic for systems deployed in Azure. Each section describes the intent of the specific component with links to documentation and configuration guides that can be used to assist with design and build activities.
-
-### Systems security
-
-All communication to resources within Azure passes through the Microsoft maintained network infrastructure, which provides connectivity and security functionality. A range of protections are automatically put in place by Microsoft to protect the Azure platform and network infrastructure and additional capabilities are available as services within Azure to control network traffic and establish network segmentation and segregation.
-
-### Virtual Network (VNet)
-
-Virtual networks are one of the fundamental building blocks for networking in Azure. Virtual networks define an IP address space and routing boundary to be used across a variety of systems. Virtual networks are divided into subnets and all subnets within a Virtual Network have a direct network route to each other. By using virtual network gateways (ExpressRoute or VPN), systems within a virtual network can integrate with on-premises and external environments and through Azure provided Network Address Translation (NAT) and Public IP address allocation, systems can connect to the Internet or other Azure Regions and Services. Understanding virtual networks and the associated configuration parameters and routing is crucial in understanding and controlling egress network traffic.
-
-As virtual networks form the base address space and routing boundary within Azure, it can be used as a primary building block of network segmentation and segregation.
-
-| Resource | Link |
-| | |
-| *Virtual Networks Overview* | [https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview](../virtual-network/virtual-networks-overview.md) |
-| *Plan Virtual Networks How-to Guide* | [https://docs.microsoft.com/azure/virtual-network/virtual-network-vnet-plan-design-arm](../virtual-network/virtual-network-vnet-plan-design-arm.md) |
-| *Create a Virtual Network Quickstart* | [https://docs.microsoft.com/azure/virtual-network/quick-create-portal](../virtual-network/quick-create-portal.md)
-|
-
-### Subnet
-
-Subnets are a crucial component for network segmentation and segregation within Azure. Subnets can be used to provide separation between systems. A subnet is the resource within a virtual network where NSGs, Route Tables, and service endpoints are applied. Subnets can be used as both source and destination addresses for firewall rules and access-control lists.
-
-The subnets within a virtual network should be planned to meet the requirements of workloads and systems. Individuals involved in the design or implementation of subnets should refer to the ACSC guidelines for network segmentation to determine how systems should be grouped together within a subnet.
-
-|Resource|Link|
-|||
-|*Add, change, or delete a virtual network subnet* | [https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-subnet](../virtual-network/virtual-network-manage-subnet.md)
-|
-
-### Network interface
-
-Network interfaces are the source for all egress traffic from a virtual machine. Network Interfaces enable the configuration of IP Addressing, and can be used to apply NSGs or for routing traffic through an NVA. The Network Interfaces for virtual machines should be planned and configured appropriately to align with overall network segmentation and segregation objectives.
-
-|Resource|Link|
-|||
-|*Create, Change, or Delete a Network Interface* | [https://docs.microsoft.com/azure/virtual-network/virtual-network-network-interface](../virtual-network/virtual-network-network-interface.md) |
-|*Network Interface IP Addressing* | [https://docs.microsoft.com/azure/virtual-network/private-ip-addresses](../virtual-network/ip-services/private-ip-addresses.md)
-|
-
-### VNet integrated PaaS
-
-PaaS can provide enhanced functionality and availability and reduce management overhead but must be secured appropriately. To increase control, enforce network segmentation, or to provide a secure egress point for applications and services, many PaaS capabilities can be integrated with a virtual network.
-
-Using PaaS as an integrated part of system or application architecture, Microsoft provides multiple mechanisms to deploy PaaS into a virtual network. The deployment methodology can help restrict access while providing connectivity and integration with internal systems and applications. Examples include App Service Environments, SQL Managed Instance, and more.
-
-When deploying PaaS into a virtual network where routing and NSG controls have been implemented, it is crucial to understand the specific communication requirements of the resource, including management access from Microsoft services and the path that communications traffic will take when replying to incoming requests from these services.
-
-| Resource | Link |
-| | |
-| *Virtual network integration for Azure services* | [https://docs.microsoft.com/azure/virtual-network/virtual-network-for-azure-services](../virtual-network/virtual-network-for-azure-services.md) |
-| *Integrate your app with an Azure Virtual Network How-to guide* | [https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet](../app-service/overview-vnet-integration.md)
-|
-
-### Public IP
-
-Public IP addresses are used when communicating outside a virtual network. This includes PaaS resources and any routes with a next hop of Internet. Commonwealth entities should plan the allocation of Public IP addresses carefully and only assign them to resources where there is a genuine requirement. As a general design practice, Public IP addresses should be allocated to controlled egress points for the virtual network such as Azure Firewall, VPN Gateway, or Network Virtual Appliances.
-
-|Resource|Link|
-|||
-|*Public IP Addresses Overview* | [https://docs.microsoft.com/azure/virtual-network/virtual-network-ip-addresses-overview-arm#public-ip-addresses](../virtual-network/ip-services/public-ip-addresses.md#public-ip-addresses) |
-|*Create, change, or delete a public IP address* | [https://docs.microsoft.com/azure/virtual-network/virtual-network-public-ip-address](../virtual-network/ip-services/virtual-network-public-ip-address.md)
-|
-
-## Effective routes
-
-Effective routes are the resultant set of routes determined by the combination of system routes, service endpoints, Route Tables, and BGP and the application of Azure routing logic. When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm. If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:
-
-1. User-defined route
-2. BGP route
-3. System route
-
-It is important to note that system routes for traffic related to virtual network, virtual network peerings, or virtual network service endpoints, are preferred routes, even if BGP routes are more specific.
-
-Individuals involved in the design or implementation of routing topologies in Azure should understand how Azure routes traffic and develop an architecture that balances the necessary functionality of systems with the required security and visibility. Care should be taken to plan the environment appropriately to avoid excessive interventions and exceptions to routing behaviours as this will increase complexity and may make troubleshooting and fault finding more difficult and time consuming.
-
-| Resource |
-| |
-| [View effective routes](../virtual-network/manage-route-table.md#view-effective-routes)
-
-### System routes
-
-For [System Routes](../virtual-network/virtual-networks-udr-overview.md#system-routes), individuals involved in the design or implementation of virtual networks should understand the default system routes and the options available to complement or override those routes.
-
-### Service endpoints
-
-Enabling [service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md) on a subnet provides a direct communication path to the associated PaaS resource. This can provide increased performance and security by restricting the available communication path to just that service. The use of service endpoints does introduce a potential data exfiltration path as the default configuration allows access to all instances of the PaaS service rather than the specific instances required for an application or system.
-
-Commonwealth entities should evaluate the risk associated with providing direct access to the PaaS resource including the likelihood and consequence of the path being misused.
-
-To reduce potential risks associated with service endpoints, implement service endpoint policies where possible or consider enabling service endpoints on an Azure Firewall or NVA subnet and routing traffic from specific subnets through it where additional filtering, monitoring, or inspection can be applied.
-
-|Resource|Link|
-|||
-|*Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal* |[https://docs.microsoft.com/azure/virtual-network/tutorial-restrict-network-access-to-resources](../virtual-network/tutorial-restrict-network-access-to-resources.md)|
-|
-
-### Route tables
-
-Route tables provide an administrator configured mechanism for controlling network traffic within Azure. Route tables can be utilised for forwarding traffic through to an Azure Firewall or NVA, connect directly to external resources, or to override Azure system routes. Route tables can also be used to prevent networks learned through a virtual network gateway from being made available to resources in a subnet by disabling virtual network gateway route propagation.
-
-|Resource|Link|
-|||
-|*Routing Concepts - custom routes* |[https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#custom-routes](../virtual-network/virtual-networks-udr-overview.md#custom-routes)|
-|*Tutorial: Route network traffic* |[https://docs.microsoft.com/azure/virtual-network/tutorial-create-route-table-portal](../virtual-network/tutorial-create-route-table-portal.md)|
-|
-
-### Border Gateway Protocol (BGP)
-
-BGP can be utilised by virtual network gateways to dynamically exchange routing information with on-premises or other external networks. BGP applies to a virtual network when configured through an ExpressRoute virtual network gateway over ExpressRoute private peering and when enabled on an Azure VPN Gateway.
-
-Individuals involved in the design or implementation of virtual networks and virtual network gateways in Azure should take time to understand the behaviour and configuration options available for BGP in Azure.
-
-|Resource|Link|
-|||
-|*Routing Concepts: BGP* | [https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#next-hop-types-across-azure-tools](../virtual-network/virtual-networks-udr-overview.md#next-hop-types-across-azure-tools)|
-|*ExpressRoute routing requirements* | [https://docs.microsoft.com/azure/expressroute/expressroute-routing](../expressroute/expressroute-routing.md)|
-|*About BGP with Azure VPN Gateway* |[https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-bgp-overview](../vpn-gateway/vpn-gateway-bgp-overview.md)|
-|*Tutorial: Configure a site-to-site VPN over ExpressRoute Microsoft peering* |[https://docs.microsoft.com/azure/expressroute/site-to-site-vpn-over-microsoft-peering](../expressroute/site-to-site-vpn-over-microsoft-peering.md)|
-|
-
-## Next hop types
-
-### Virtual Network
-
-Routes with a Next Hop of Virtual Network are added automatically as system routes, but can also be added to user-defined routes to direct traffic back to the virtual network in instances where the system route has been overridden.
-
-### VNet peering
-
-VNet peering enables communication between two disparate virtual networks. Configuring VNet peering must be enabled on each virtual network, but the virtual networks do not need to be in the same region, subscription or associated to the same Azure Active Directory (Azure AD) tenant.
-
-When configuring VNet peering, it is critical that individuals involved in the design or implementation of VNet peering understand the four associated configuration parameters and how they apply to each side of the peer:
-
-1. **Allow virtual network access:** Select **Enabled** (default) to enable communication between the two virtual networks. Enabling communication between virtual networks allows resources connected to either virtual network to communicate with each other with the same bandwidth and latency as if they were connected to the same virtual network.
-2. **Allow forwarded traffic:** Check this box to allow traffic *forwarded* by a network - traffic that didn't originate from the virtual network - to flow to this virtual network through a peering. This setting is fundamental to implementing a hub and spoke network topology.
-3. **Allow gateway transit:** Check this box to allow the peered virtual network to utilise the virtual network gateway attached to this virtual network. *Allow gateway transit* is enabled on the virtual network with the virtual network gateway resource, but only applies if *Use remote gateways* is enabled on the other virtual network.
-4. **Use remote gateways:** Check this box to allow traffic from this virtual network to flow through a virtual network gateway attached to the virtual network being peered with. *Use remote gateways* is enabled on the virtual network without a virtual network gateway and only applies if the *Allow gateway transit* option is enabled on the other virtual network.
-
-|Resource|Link|
-|||
-| Concepts: Virtual network peering | [https://docs.microsoft.com/azure/virtual-network/virtual-network-peering-overview](../virtual-network/virtual-network-peering-overview.md) |
-| Create, change, or delete a virtual network peering | [https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-peering](../virtual-network/virtual-network-manage-peering.md)|
-|
-
-### Virtual network gateway
-
-Virtual network gateways provide a mechanism for integrating virtual networks with external networks, such as on-premises environments, partner environments, and other cloud deployments. The two types of virtual network gateway are ExpressRoute and VPN.
-
-#### ExpressRoute Gateway
-
-ExpressRoute Gateways provide an egress point from the virtual network to an on-premises environment and should be deployed to meet security, availability, financial, and performance requirements. ExpressRoute Gateways provide a defined network bandwidth and incur usage costs after deployment. Virtual networks can have only one ExpressRoute Gateway, but this can be connected to multiple ExpressRoute circuits and can be leveraged by multiple virtual networks through VNet Peering, allowing bandwidth and connectivity to be shared. Care should be taken to configure routing between on-premises environments and virtual networks using ExpressRoute Gateways to ensure end to end connectivity using known, controlled network egress points. Commonwealth entities using ExpressRoute Gateway over ExpressRoute private peering must also deploy Network Virtual Appliances (NVA) to establish VPN connectivity to the on-premises environment for compliance with the ACSC consumer guidance.
-
-It is important to note that ExpressRoute Gateways have restrictions on the address ranges, communities, and other specific configuration items exchanged through BGP.
-
-| Resource | Link |
-|||
-| ExpressRoute Gateway Overview | [https://docs.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways](../expressroute/expressroute-about-virtual-network-gateways.md) |
-| Configure a virtual network gateway for ExpressRoute | [https://docs.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-portal-resource-manager](../expressroute/expressroute-howto-add-gateway-portal-resource-manager.md)
-|
-
-#### VPN Gateway
-
-Azure VPN Gateway provides an egress network point from the virtual network to an external network for secure site-to-site connectivity. VPN Gateways provide a defined network bandwidth and incur usage costs after deployment. Commonwealth entities utilising VPN Gateway should ensure that it is configured in accordance with the ACSC consumer guidance. Virtual Networks can have only one VPN Gateway, but this can be configured with multiple tunnels and can be leveraged by multiple virtual networks through VNet Peering, allowing multiple virtual networks to share bandwidth and connectivity. VPN Gateways can be established over the Internet or over ExpressRoute through Microsoft Peering.
-
-| Resource | Link |
-| | |
-| VPN Gateway Overview| [https://docs.microsoft.com/azure/vpn-gateway](../vpn-gateway/index.yml)|
-| Planning and design for VPN Gateway | [https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-plan-design](../vpn-gateway/vpn-gateway-about-vpngateways.md)|
-| Azure VPN Gateway in Azure Australia | [Azure VPN Gateway in Azure Australia](vpn-gateway.md)
-|
-
-### Next hop of virtual appliance
-
-The next hop of virtual appliance provides the ability to process network traffic outside the Azure networking and routing topology applied to virtual networks. Virtual appliances can apply security rules, translate addresses, establish VPNs, proxy traffic, or a range of other capabilities. The next hop of virtual appliance is applied through UDRs in a route table and can be used to direct traffic to an Azure Firewall, individual NVA, or Azure Load Balancer providing availability across multiple NVAs. To use a virtual appliance for routing, the associated network interfaces must be enabled for IP forwarding.
-
-| Resource | Link |
-| | |
-| Routing concepts: Custom Routes | [https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#custom-routes](../virtual-network/virtual-networks-udr-overview.md#custom-routes) |
-| Enable or Disable IP forwarding | [https://docs.microsoft.com/azure/virtual-network/virtual-network-network-interface#enable-or-disable-ip-forwarding](../virtual-network/virtual-network-network-interface.md#enable-or-disable-ip-forwarding)
-|
-
-### Next hop of VirtualNetworkServiceEndpoint
-
-Routes with a next hop type of VirtualNetworkServiceEndpoint are only added when a service endpoint is configured on a subnet and cannot be manually configured through route tables.
-
-### Next hop of Internet
-
-The next hop Internet is used to reach any resources that use a Public IP address, which includes the Internet as well as PaaS and Azure Services in Azure Regions. The next hop Internet does not require a default route (0.0.0.0/0) covering all networks, but can be used to enable routing paths to specific public services. The next hop of Internet should be used for adding routes to authorised services and capabilities required for system functionality such as Microsoft management addresses.
-
-Examples of services that can be added using the next hop of Internet are:
-
-1. Key Management Services for Windows activation
-2. App Service Environment management
-
-|Resource|Link|
-|||
-| Outbound connections in Azure | [https://docs.microsoft.com/azure/load-balancer/load-balancer-outbound-connections](../load-balancer/load-balancer-outbound-connections.md) |
-| Use Azure custom routes to enable KMS activation | [https://docs.microsoft.com/azure/virtual-machines/troubleshooting/custom-routes-enable-kms-activation](/troubleshoot/azure/virtual-machines/custom-routes-enable-kms-activation) |
-| Locking down an App Service Environment | [https://docs.microsoft.com/azure/app-service/environment/firewall-integration](../app-service/environment/firewall-integration.md) |
-|
-
-### Next hop of none
-
-The next hop of none can be used to prevent communication to a specific network. In contrast with an NSG, which controls whether the traffic is permitted or denied from traversing an available network path, using a next hop of none removes the network path completely. Care should be taken when creating routes with a next hop of none, especially when applying it to a default route of 0.0.0.0/0 as this can have unintended consequences and may make troubleshooting system issues complex and time consuming.
-
-## Security
-
-Implementing network segmentation and segregation controls on IaaS and PaaS capabilities is achieved through securing the capabilities themselves and by implementing controlled communication paths from the systems that will be communicating with the capability.
-
-Designing and building solutions in Azure is a process of creating a logical architecture to understand, control, and monitor network resources across the entire Azure presence. This logical architecture is software defined within the Azure platform and takes the place of a physical network topology that is implemented in traditional network environments.
-
-The logical architecture that is created must provide the functionality necessary for usability, but must also provide the visibility and control needed for security and integrity.
-
-Achieving this outcome is based on implementing the necessary network segmentation and segregation tools, but also in protecting and enforcing the network topology and the implementation of these tools.
-
-### Network Security Groups (NSGs)
-
-NSGs are used to specify the inbound and outbound traffic permitted for a subnet or a specific network interface. When configuring NSGs, commonwealth entities should use an approval list approach where rules are configured to permit the necessary traffic with a default rule configured to deny all traffic that does not match a specific permit statement. When planning and configuring NSGs, care must be taken to ensure that all necessary inbound and outbound traffic is captured appropriately. This includes identifying and understanding all private IP address ranges utilised within virtual networks and the on-premises environment, and specific Microsoft services such as Azure Load Balancer and PaaS management requirements. Individuals involved in the design and implementation of NSGs should also understand the use of Service Tags and Application Security Groups for creating fine-grained, service, and application-specific security rules.
-
-It is important to note that the default configuration for an NSG permits outbound traffic to all addresses within the virtual network and all public IP addresses.
-
-|Resource|Link|
-|||
-|Network Security Overview | [https://docs.microsoft.com/azure/virtual-network/security-overview](../virtual-network/network-security-groups-overview.md)|
-|Create, change, or delete a network security group | [https://docs.microsoft.com/azure/virtual-network/manage-network-security-group](../virtual-network/manage-network-security-group.md)|
-|
-
-### Azure Firewall
-
-Azure Firewall can be utilised to build a hub and spoke network topology and enforce centralised network security controls. Azure Firewall can be used to meet the necessary requirements of the ISM for egress traffic by implementing an allowlisting approach where only the IP addresses, protocols, ports, and FQDNs required for system functionality are authorised. Commonwealth entities should take a risk-based approach to determine whether the security capabilities provided by Azure Firewall are sufficient for their requirements. For scenarios where additional security capabilities beyond those provided by Azure Firewall are required, commonwealth entities should consider implementing NVAs.
-
-|Resource|Link|
-|||
-|*Azure Firewall Documentation* | [https://docs.microsoft.com/azure/firewall](../firewall/index.yml)|
-|*Tutorial: Deploy and configure Azure Firewall in a hybrid network using Azure PowerShell* | [https://docs.microsoft.com/azure/firewall/tutorial-hybrid-ps](../firewall/tutorial-hybrid-ps.md)|
-|
-
-### Network Virtual Appliances (NVAs)
-
-NVAs can be used to build a hub and spoke network topology, provide enhanced or complementary network capabilities or can be used as an alternative to Azure network mechanisms for familiarity and consistent support and management with on-premises network services. NVAs can be deployed to meet specific security requirements such as; scenarios where there is a requirement for identity awareness associated to network traffic, HTTPS decryption, content inspection, filtering, or other security capabilities. NVAs should be deployed in a highly available configuration and individuals involved in the design or implementation of NVAs should consult the appropriate vendor documentation for guidelines on deployment in Azure.
-
-|Resource|Link|
-|||
-|*Deploy highly available network virtual appliances* | [https://docs.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha](/azure/architecture/reference-architectures/dmz/nva-ha)|
-|
-
-### Service endpoint policies (Preview)
-
-Configure service endpoint policies based on availability of the service and a security risk assessment of the likelihood and impact of data exfiltration. Service endpoint policies should be considered for Azure Storage and managed on a case by case basis for other services based on the associated risk profile.
-
-| Resource | Link |
-| | |
-| *Service endpoint policies overview* | [https://docs.microsoft.com/azure/virtual-network/virtual-network-service-endpoint-policies-overview](../virtual-network/virtual-network-service-endpoint-policies-overview.md) |
-| *Create, change, or delete service endpoint policy using the Azure portal* | [https://docs.microsoft.com/azure/virtual-network/virtual-network-service-endpoint-policies-portal](../virtual-network/virtual-network-service-endpoint-policies-portal.md)
-|
-
-### Azure Policy
-
-Azure Policy is a key component for enforcing and maintaining the integrity of the logical architecture of the Azure environment. There are a variety of services and egress network traffic paths available through Azure services. It is crucial that Commonwealth entities are aware of the resources that exist within their environment and the available network egress points. To ensure that unauthorised network egress points are not created in the Azure environment, Commonwealth entities should use Azure Policy to control the types of resources that can be deployed and the configuration of those resources. Practical examples include restricting resources to only those authorised and approved for use and requiring NSGs to be added to subnets.
-
-|Resource | Link|
-|||
-|*Azure Policy Overview* | [https://docs.microsoft.com/azure/governance/policy/overview](../governance/policy/overview.md)|
-|*Allowed Resource Types sample policy* | [https://docs.microsoft.com/azure/governance/policy/samples/allowed-resource-types](../governance/policy/samples/index.md)|
-|*Force NSG on a subnet sample policy*| [https://docs.microsoft.com/azure/governance/policy/samples/nsg-on-subnet](../governance/policy/samples/index.md)|
-|
-
-## PaaS egress capabilities
-
-PaaS capabilities provide opportunities for increased functionality and simplified management, but introduce complexities in addressing requirements for network segmentation and segregation. PaaS capabilities are typically configured with Public IP addresses and are accessible from the Internet. If you are using PaaS capabilities within your systems and solutions, care should be taken to identify the communication flows between components and create network security rules to only allow that communication. As part of a defence-in-depth approach to security, PaaS capabilities should be configured with encryption, authentication, and appropriate access controls and permissions.
-
-### Public IP for PaaS
-
-Public IP addresses for PaaS capabilities are allocated based on the region where the service is hosted or deployed. An understanding of Public IP address allocation and regions is required if you are going to build appropriate network security rules and routing topology for network segmentation and segregation covering Azure virtual networks, PaaS and ExpressRoute and Internet connectivity. Azure allocates IP addresses from a pool allocated to each Azure region. Microsoft makes the addresses used in each region available for download, which is updated in a regular and controlled manner. The services that are available in each region also frequently changes as new services are released or services are deployed more widely. Commonwealth entities should review these materials regularly and can use automation to maintain systems as required. Specific IP addresses for some services hosted in each region can be obtained by contacting Microsoft support.
-
-| Resource | Link |
-| | |
-| *Microsoft Azure Datacenter IP Ranges* | [https://www.microsoft.com/download/details.aspx?id=41653](https://www.microsoft.com/download/details.aspx?id=41653) |
-| *Azure Services per region* | [https://azure.microsoft.com/global-infrastructure/services/?regions=non-regional,australia-central,australia-central-2,australia-east,australia-southeast&products=all](https://azure.microsoft.com/global-infrastructure/services/?regions=non-regional,australia-central,australia-central-2,australia-east,australia-southeast&products=all) |
-| *Inbound and outbound IP addresses in Azure App Service* | [https://docs.microsoft.com/azure/app-service/overview-inbound-outbound-ips](../app-service/overview-inbound-outbound-ips.md)
-|
-
-## Next steps
-
-Compare your overall architecture and design to the published [PROTECTED Blueprints for IaaS and PaaS Web Applications](https://aka.ms/au-protected).
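Review bot: the entire tail of the egress-traffic article, from the NSG paragraph through `## Next steps`, is removed here with no replacement content and no redirection entry, while the ingress article removed in the next hunk still cross-links to it as `[Controlling egress traffic in Azure Australia](gateway-egress-traffic.md)`; if both articles are being retired together, add a redirect for each so inbound links and bookmarks do not 404, and if only this one is going, the cross-link in the other file needs fixing in the same change. Two defects in the removed text are worth carrying over to whatever supersedes it rather than silently dropping: the *Network Security Overview* row displays `https://docs.microsoft.com/azure/virtual-network/security-overview` but resolves to `../virtual-network/network-security-groups-overview.md`, and the two Azure Policy sample rows (`allowed-resource-types` and `nsg-on-subnet`) both resolve to `../governance/policy/samples/index.md` rather than the specific samples their display text names, so a reader following them lands on the index instead of the policy definition.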
azure-australia Gateway Ingress Traffic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/gateway-ingress-traffic.md
- Title: Controlling ingress traffic in Azure Australia
-description: A guide for controlling ingress traffic in Azure Australia to meet Australian Government requirements for Secure Internet Gateways
--- Previously updated : 07/22/2019---
-# Controlling ingress traffic in Azure Australia
-
-A core element of securing ICT systems is controlling network traffic. Traffic should be restricted to only that necessary for a system to functions to reduce the potential for compromise.
-
-This guide gives details about how inbound (ingress) network traffic works within Azure, and recommendations for implementing network security controls for an internet connected system.
-
-The network controls align with the Australian Cyber Security Centre (ACSC) Consumer Guidance and the intent of the ACSC's Information Security Manual (ISM).
-
-## Requirements
-
-The overall security requirements for Commonwealth systems are defined in the ISM. To assist Commonwealth entities in implementing network security, the ACSC has published [ACSC Protect: Implementing Network Segmentation and Segregation](https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation), and to assist with securing systems in Cloud environments the ACSC has published [Cloud Computing Security for Tenants](https://www.cyber.gov.au/publications/cloud-computing-security-for-tenants).
-
-These guides outline the context for implementing network security and controlling traffic and include practical recommendations for network design and configuration.
-
-The Microsoft [Cloud Computing Security for Tenants of Microsoft Azure](https://aka.ms/au-irap) guide in the Australian page of the Service Trust Portal highlights specific Microsoft technologies that enable you to meet the advice in the ACSC publications.
-
-The following key requirements, identified in the publications from the ACSC, are important for controlling ingress traffic in Azure:
-
-|Description|Source|
-|||
-|**Implement Network Segmentation and Segregation, for example, n-tier architecture, using host-based firewalls and CSP's network access controls to limit inbound and outbound VM network connectivity to only required ports/protocols.**| _Cloud Computing for Tenants_|
-|**Implement adequately high bandwidth, low latency, reliable network connectivity** between the tenant (including the tenant's remote users) and the cloud service to meet the tenant's availability requirements | _Cloud Computing for Tenants_|
-|**Apply technologies at more than just the network layer**. Each host and network should be segmented and segregated, where possible, at the lowest level that can be practically managed. In most cases, segmentation and segregation apply from the data link layer up to and including the application layer; however, in sensitive environments, physical isolation may be appropriate. Host-based and network-wide measures should be deployed in a complementary manner and be centrally monitored. Using a firewall or security appliance as the only security measure is not sufficient. |_ACSC Protect: Implementing Network Segmentation and Segregation_|
-|**Use the principles of least privilege and needΓÇÉtoΓÇÉknow**. If a host, service or network doesn't need to communicate with another host, service, or network, it shouldn't be allowed to. If a host, service, or network only needs to talk to another host, service, or network using specific ports or protocols, then any other ports or protocols should be disabled. Adopting these principles across a network will complement the minimization of user privileges and significantly increase the overall security posture of the environment. |_ACSC Protect: Implementing Network Segmentation and Segregation_|
-|**Separate hosts and networks based on their sensitivity or criticality to business operations**. Separation can be achieved by using different hardware or platforms depending on different security classifications, security domains, or availability/integrity requirements for certain hosts or networks. In particular, separate management networks and consider physically isolating out-of-band management networks for sensitive environments. |_ACSC Protect: Implementing Network Segmentation and Segregation_|
-|**Identify, authenticate, and authorize access by all entities to all other entities**. All users, hosts, and services should have their access restricted to only the other users, hosts, and services required to do their designated duties or functions. All legacy or local services which bypass or downgrade the strength of identification, authentication, and authorization services should be disabled and their use should be closely monitored. |_ACSC Protect: Implementing Network Segmentation and Segregation_|
-|**Implement allow listing of network traffic instead of deny listing**. Only permit access for known good network traffic (that is, that which is identified, authenticated, and authorized), rather than denying access to known bad network traffic (for example, blocking a specific address or service). Using an accepted senders list results in a superior security policy to a block list, and significantly improves an organization's capacity to detect and assess potential network intrusions. |_ACSC Protect: Implementing Network Segmentation and Segregation_|
-|
-
-This article provides information and recommendations on how these requirements can be met for systems deployed in Azure using both Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). You should also read the article on [Controlling egress traffic in Azure Australia](gateway-egress-traffic.md) to fully understand controlling network traffic within Azure.
-
-## Architecture
-
-If you are involved in the design or implementation of network security and ingress traffic controls, you must first understand how ingress network traffic works within Azure across both IaaS and PaaS. This section provides an overview of the possible entry points where network traffic could reach a resource hosted in Azure, and the security controls available to restrict and control that traffic. Each of these components is discussed in detail in the remaining sections of this guide.
-
-### Architecture components
-
-The architectural diagram shown here depicts the possible paths that network traffic can take to connect into a service hosted in Azure. These components are divided into Azure, IaaS Ingress, PaaS Ingress, and Security Control, depending on the function that they provide for ingress traffic.
-
-![Architecture](media/ingress-traffic.png)
-
-### Azure components
-
-|Component | Description|
-|||
-|**DDoS Protection** | Distributed denial of service (DDoS) attacks attempt to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Azure includes DDoS Protection automatically through the Azure platform and provides additional mitigation capabilities that can be enabled for specific applications for more granular control.|
-| **Traffic Manager** | Azure Traffic Manager is a Domain Name System (DNS) based traffic load balancer that can distribute traffic optimally to services across Azure regions, while providing high availability and responsiveness. Traffic Manager uses DNS to direct client requests to the most appropriate endpoint based on a traffic-routing method and the health of the endpoints.|
-| **ExpressRoute** | ExpressRoute is a dedicated network connection for consuming Microsoft cloud services. It is provisioned through a connectivity provider and offers more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet. An ExpressRoute circuit represents the logical connection between the on-premises infrastructure and Microsoft cloud services through a connectivity provider.|
-| **ExpressRoute Private Peering** | ExpressRoute Private Peering is a connection between the on-premises environment and private Azure virtual networks. Private Peering enables access to Azure services such as Virtual Machines, that are deployed within a virtual network. The resources and virtual networks accessed via private peering are considered an extension of an organization's core network. Private Peering provides bi-directional connectivity between the on-premises network and Azure virtual networks using private IP addresses.|
-| **ExpressRoute Microsoft Peering** | ExpressRoute Microsoft Peering is a connection between the on-premises environment and Microsoft and Azure public services. This includes connectivity to Microsoft 365, Dynamics 365, and Azure PaaS services. Peering is established over public IP addresses that are owned by the organization or connectivity provider. No services are accessible via ExpressRoute Microsoft Peering by default and an organization must opt in to the services that are required. This process then provides connectivity to the same endpoints that are available on the Internet.|
-|
-
-### IaaS ingress components
-
-|Component | Description|
-|||
-|**Network Interface** | A network interface is a resource that exists in Azure. It is attached to a Virtual Machine and assigned a private, non-Internet routable IP address from the subnet that it is associated with. This IP address is dynamically or statically assigned through Azure Resource Manager.|
-|**Subnet** | A subnet is an IP address range that is created within a VNet. Multiple subnets can be created within a VNet for network segmentation.|
-| **Virtual Network (VNet)** | A VNet is a foundational resource within Azure that provides a platform and boundary for deploying resources and enabling communication. The VNet exists within an Azure Region and defines the IP Address Space and Routing boundaries for VNet integrated resources such as Virtual Machines.|
-| **VNet Peering** | VNet Peering is an Azure configuration option that enables direct communication between two VNets without the need for a Virtual Network Gateway. Once peered, the two VNets can communicate directly and additional configuration can control the use of Virtual Network Gateways and other transit options.|
-| **Public IP** | A Public IP is a resource that reserves one of the Microsoft owned Public, Internet-Routable IP Addresses from the specified region for use within the virtual network. It can be associated with a specific Network Interface, which enables the resource to be accessible from the Internet, ExpressRoute and PaaS systems.|
-| **ExpressRoute Gateway** | An ExpressRoute Gateway is an object in a Virtual Network provides connectivity and routing from the Virtual Network to on-premises networks over Private Peering on an ExpressRoute Circuit.|
-| **VPN Gateway** | A VPN Gateway is an object in a Virtual Network that provides an encrypted tunnel from a Virtual Network to an external network. The encrypted tunnel can be Site-to-Site for bi-directional communication with an on-premises environment, other virtual network, or cloud environment or Point-to-Site for communication with a single end point.|
-| **PaaS VNet Integration** | Many PaaS capabilities can be deployed into, or integrated with, a Virtual Network. Some PaaS capabilities can be fully integrated with a VNet and be accessible via only private IP addresses. Others, such as Azure Load Balancer and Azure Application Gateway, can have an external interface with a public IP address and an internal interface with a private IP address inside the virtual network. In this instance, traffic can ingress into the Virtual Network via the PaaS capability.|
-|
-
-### PaaS ingress components
-
-|Component | Description|
-|||
-|**Hostname** | Azure PaaS capabilities are identified by a unique public hostname that is assigned when the resource is created. This hostname is then registered into a public DNS domain, where it can be resolved to a Public IP address.|
-|**Public IP** | Unless deployed in a VNet integrated configuration, Azure PaaS capabilities are accessed via a Public, Internet-routable IP address. This address can be dedicated to the specific resources, such as a Public Load Balancer, or could be associated with a specific capability that has a shared entry point for multiple instances, such as Storage or SQL. This Public IP addressed can be accessed from the Internet, ExpressRoute or from IaaS public IP addresses through the Azure backbone network.|
-|**Service endpoints** | Service endpoints provide a direct, private connection from a Virtual Network to a specific PaaS capability. Service endpoints, which are only available for a subset of PaaS capabilities, provide increased performance and security for resources in a VNet accessing PaaS.|
-|
-
-### Security controls
-
-|Component | Description|
-|||
-|**Network Security Groups (NSGs)** | NSGs control traffic into and out of virtual network resources in Azure. NSGs apply rules for the traffic flows that are permitted or denied, which includes traffic within Azure and between Azure and external networks such as on-premises or the Internet. NSGs are applied to subnets within a virtual network or to individual network interfaces.|
-|**PaaS Firewall** | Many PaaS capabilities, such as Storage and SQL have an inbuilt Firewall for controlling ingress network traffic to the specific resource. Rules can be created to allow or deny connections from specific IP Addresses and/or Virtual Networks.|
-|**PaaS Authentication and Access Control** | As part of a layered approach to security, PaaS capabilities provide multiple mechanisms for authenticating users and controlling privileges and access.|
-|**Azure Policy** | Azure Policy is a service in Azure for creating, assigning, and managing policies. These policies use rules to control the types of resources that can be deployed and the configuration of those resources. Policies can be used to enforce compliance by preventing resources from being deployed if they do not meet requirements or can be used for monitoring to report on compliance status.|
-|
-
-## General guidance
-
-To design and build secure solutions within Azure, it is critical to understand and control the network traffic so that only identified and authorized communication can occur. The intent of this guidance, and the specific component guidance in later sections, is to describe the tools and services that can be utilized to apply the principles outlined in the _ACSC Protect: Implementing Network Segmentation and Segregation_ across Azure workloads. This includes detailing how to create a virtual architecture for securing resources when it is not possible to apply the same traditional physical and network controls that are possible in an on-premises environment.
-
-### Specific focus areas
-
-* Limit the number of entry points to virtual networks
-* Limit the number of Public IP addresses
-* Consider utilizing a Hub and Spoke Network Design for Virtual Networks as discussed in the Microsoft Virtual Data Center (VDC) documentation
-* Utilize products with inbuilt security capabilities for inbound connections from the Internet (for example, Application Gateway, API Gateway, Network Virtual Appliances)
-* Restrict communication flows to PaaS capabilities to only those necessary for system functionality
-* Deploy PaaS in a VNet integrated configuration for increased segregation and control
-* Configure systems to use encryption mechanisms in line with the ACSC Consumer Guidance and ISM
-* Use identity-based protections such as authentication and Azure role-based access control in addition to traditional network controls
-* Implement ExpressRoute for connectivity with on-premises networks
-* Implement VPNs for administrative traffic and integration with external networks
-* Utilize Azure Policy to restrict the regions and resources to only those that are necessary for system functionality
-* Utilize Azure Policy to enforce baseline security configuration for internet-accessible resources
-
-### Additional resources
-
-|Resource | Link|
-|||
-|Australian Regulatory and Policy Compliance Documents including Consumer Guidance|[https://aka.ms/au-irap](https://aka.ms/au-irap)|
-|Azure Virtual Data Center|[https://docs.microsoft.com/azure/architecture/vdc/networking-virtual-datacenter](/azure/architecture/vdc/networking-virtual-datacenter)|
-|ACSC Network Segmentation|[https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation](https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation)|
-|ACSC Cloud Security for Tenants| [https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-computing-security-tenants](https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-computing-security-tenants)|
-|ACSC Information Security Manual|[https://acsc.gov.au/infosec/ism/index.htm](https://acsc.gov.au/infosec/ism/index.htm)|
-
-## Component guidance
-
-This section provides further guidance on the individual components that are relevant to ingress traffic to systems deployed in Azure. Each section describes the intent of the specific component with links to documentation and configuration guides that can be used to assist with design and build activities.
-
-## Azure
-
-All communication to resources within Azure passes through the Microsoft maintained network infrastructure, which provides connectivity and security functionality. A range of protections are automatically put in place by Microsoft to protect the Azure platform and network infrastructure and additional capabilities are available as services within Azure to control network traffic and establish network segmentation and segregation.
-
-### DDoS Protection
-
-Internet accessible resources are susceptible to DDoS attacks. To protect against these attacks, Azure provides DDoS protections at a Basic and a Standard level.
-
-Basic is automatically enabled as part of the Azure platform including always-on traffic monitoring, and real-time mitigation of common network-level attacks, providing the same defenses utilized by Microsoft's online services. The entire scale of Azure's global network can be used to distribute and mitigate attack traffic across regions. Protection is provided for IPv4 and IPv6 Azure public IP addresses
-
-Standard provides additional mitigation capabilities over the Basic service tier that are tuned specifically to Azure Virtual Network resources. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Protection is provided for IPv4 Azure public IP addresses.
-
-|Resource|Link|
-|||
-|Azure DDoS Protection Overview|[https://docs.microsoft.com/azure/virtual-network/ddos-protection-overview](../ddos-protection/ddos-protection-overview.md)|
-|Azure DDoS Best Practices|[https://docs.microsoft.com/azure/ddos-protection/fundamental-best-practices](../ddos-protection/fundamental-best-practices.md)|
-|Managing DDoS Protection|[https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection](../ddos-protection/manage-ddos-protection.md)|
-|
-
-### Traffic Manager
-
-Traffic Manager is used to manage ingress traffic by controlling which endpoints of an application receive connections. To protect against a loss of availability of systems or applications due to cyber security attack, or to recover services after a system compromise, Traffic Manager can be used to redirect traffic to functioning, available application instances.
-
-|Resource|Link|
-|||
-|Traffic Manager Overview | [https://docs.microsoft.com/azure/traffic-manager/traffic-manager-overview](../traffic-manager/traffic-manager-overview.md)|
-|Disaster recovery using Azure DNS and Traffic Manager Guide | [https://docs.microsoft.com/azure/networking/disaster-recovery-dns-traffic-manager](../networking/disaster-recovery-dns-traffic-manager.md)|
-|
-
-### ExpressRoute
-
-ExpressRoute can be used to establish a private path from an on-premises environment to systems hosted in Azure. This connection can provide greater reliability and guaranteed performance with enhanced privacy for network communications. Express Route allows commonwealth entities to control inbound traffic from the on-premises environment and define dedicated addresses specific to the organization to use for inbound firewall rules and access control lists.
-
-|Resource | Link|
-|||
-|ExpressRoute Overview | [https://docs.microsoft.com/azure/expressroute/](../expressroute/index.yml)|
-|ExpressRoute Connectivity Models | [https://docs.microsoft.com/azure/expressroute/expressroute-connectivity-models](../expressroute/expressroute-connectivity-models.md)|
-|
-
-### ExpressRoute Private Peering
-
-Private peering provides a mechanism for extending an on-premises environment into Azure using only private IP addresses. This enables commonwealth entities to integrate Azure Virtual Networks and address ranges with existing on-premises systems and services. Private Peering provides assurance that communication across ExpressRoute is only to Virtual Networks authorized by the organization. If you use Private Peering, Commonwealth entities must implement Network Virtual Appliances (NVA) instead of Azure VPN Gateway to establish the secure VPN communication to your on-premises networks as required by the ACSC consumer guidance.
-
-|Resource | Link|
-|||
-|ExpressRoute Private Peering Overview | [https://docs.microsoft.com/azure/expressroute/expressroute-circuit-peerings#routingdomains](../expressroute/expressroute-circuit-peerings.md#routingdomains)|
-|ExpressRoute Private Peering How-to Guide | [https://docs.microsoft.com/azure/expressroute/expressroute-howto-routing-portal-resource-manager#private](../expressroute/expressroute-howto-routing-portal-resource-manager.md#private)|
-|
-
-### ExpressRoute Microsoft Peering
-
-Microsoft Peering provides a high-speed, low latency connection to Microsoft Public Services without needing to traverse the Internet. This provides greater reliability, performance, and privacy for connections. By using Route Filters, commonwealth entities can restrict communications to only the Azure Regions that they require, but this includes services hosted by other organizations and may necessitate additional filtering or inspection capabilities between the on-premises environment and Microsoft.
-
-Commonwealth entities can use the dedicated Public IP addresses established through the peering relationship to uniquely identify the on-premises environment for use in firewalls and access control lists within PaaS capabilities.
-
-As an alternative, commonwealth entities can use ExpressRoute Microsoft peering as an underlay network for establishing VPN connectivity through Azure VPN Gateway. In this model, there is no active communication from the internal on-premises network to Azure public services over ExpressRoute, but secure connectivity through to private Virtual Networks is achieved in compliance with the ACSC consumer guidance.
-
-|Resource | Link|
-|||
-|ExpressRoute Microsoft Peering Overview | [https://docs.microsoft.com/azure/expressroute/expressroute-circuit-peerings#routingdomains](../expressroute/expressroute-circuit-peerings.md#routingdomains)|
-|ExpressRoute Microsoft Peering How-to Guide | [https://docs.microsoft.com/azure/expressroute/expressroute-howto-routing-portal-resource-manager#msft](../expressroute/expressroute-howto-routing-portal-resource-manager.md#msft)|
-|
-
-## IaaS ingress
-
-This section provides the component guidance for controlling Ingress traffic to IaaS components. IaaS includes Virtual Machines and other compute resources that can be deployed and managed within a Virtual Network in Azure. For traffic to arrive at systems deployed using IaaS it must have an entry point to the Virtual Network, which can be established through a Public IP address, Virtual Network Gateway or Virtual Network peering relationship.
-
-### Network interface
-
-Network interfaces are the ingress points for all traffic to a Virtual Machine. Network Interfaces enable the configuration of IP Addressing, and can be used to apply NSGs or for routing traffic through a Network Virtual Appliance. The Network Interfaces for Virtual Machines should be planned and configured appropriately to align with overall network segmentation and segregation objectives.
-
-|Resource | Link|
-|||
-|Create, Change, or Delete a Network Interface | [https://docs.microsoft.com/azure/virtual-network/virtual-network-network-interface](../virtual-network/virtual-network-network-interface.md)|
-|Network Interface IP Addressing | [https://docs.microsoft.com/azure/virtual-network/private-ip-addresses](../virtual-network/ip-services/private-ip-addresses.md)|
-|
-
-### Subnet
-
-Subnets are a crucial component for network segmentation and segregation within Azure. Subnets can be used similarly to provide separation between systems. NSGs can be applied to subnets to restrict ingress communication flows to only those necessary for system functionality. Subnets can be used as both source and destination addresses for firewall rules and access-control lists and can be configured for service endpoints to provide connectivity to PaaS capabilities.
-
-|Resource | Link|
-|||
-|Add, change, or delete a virtual network subnet | [https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-subnet](../virtual-network/virtual-network-manage-subnet.md)|
-|
-
-### Virtual Network (VNet)
-
-VNets are one of the fundamental building blocks for networking in Azure. Virtual Networks define an IP address space and routing boundary to be used across a variety of systems. Virtual Networks are divided into subnets and all subnets within a Virtual Network have a direct network route to each other. By using Virtual Network Gateways (ExpressRoute or VPN), systems within a Virtual Network can be made accessible to on-premises and external environments. Understanding Virtual Networks and the associated configuration parameters and routing is crucial in understanding and controlling ingress network traffic.
-
-|Resource | Link|
-|||
-|Virtual Networks Overview | [https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview](../virtual-network/virtual-networks-overview.md)|
-|Plan Virtual Networks How-to Guide | [https://docs.microsoft.com/azure/virtual-network/virtual-network-vnet-plan-design-arm](../virtual-network/virtual-network-vnet-plan-design-arm.md)|
-Create a Virtual Network Quickstart | [https://docs.microsoft.com/azure/virtual-network/quick-create-portal](../virtual-network/quick-create-portal.md)|
-|
-
-### VNet Peering
-
-VNet Peering is used to provide a direct communication path between two Virtual Networks. Once peering is established, hosts in one Virtual Network have a high-speed routing path directly to hosts in another Virtual Network. NSGs still apply to the traffic as normal and advanced configuration parameters can be used to define whether communication through Virtual Network Gateways or from other external systems is permitted.
-
-|Resource | Link|
-|||
-|Virtual Network Peering Overview | [https://docs.microsoft.com/azure/virtual-network/virtual-network-peering-overview](../virtual-network/virtual-network-peering-overview.md)|
-|Create, change, or delete a virtual network peering | [https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-peering](../virtual-network/virtual-network-manage-peering.md)|
-|
-
-### Public IP on VNET
-
-Public IP addresses are used to provide an ingress communication path to services deployed in a Virtual Network. Commonwealth entities should plan the allocation of Public IP addresses carefully and only assign them to resources where there is a genuine requirement. As a general design practice, Public IP addresses should be allocated to resources with inbuilt security capabilities such as Application Gateway or Network Virtual Appliances to provide a secure, controlled public entry point to a Virtual Network.
-
-|Resource | Link|
-|||
-|Public IP Addresses Overview | [https://docs.microsoft.com/azure/virtual-network/virtual-network-ip-addresses-overview-arm#public-ip-addresses](../virtual-network/ip-services/public-ip-addresses.md#public-ip-addresses)|
-|Create, change, or delete a public IP address | [https://docs.microsoft.com/azure/virtual-network/virtual-network-public-ip-address](../virtual-network/ip-services/virtual-network-public-ip-address.md)|
-|
-
-### ExpressRoute Gateway
-
-ExpressRoute Gateways provide an ingress point from the on-premises environment and should be deployed to meet security, availability, financial, and performance requirements. ExpressRoute Gateways provide a defined network bandwidth and incur usage costs after deployment. Virtual Networks can have only one ExpressRoute Gateway, but this can be connected to multiple ExpressRoute circuits and can be leveraged by multiple Virtual Networks through VNet Peering, allowing multiple Virtual Networks to share bandwidth and connectivity. Care should be taken to configure routing between on-premises environments and Virtual Networks using ExpressRoute Gateways to ensure end to end connectivity using known, controlled network ingress points. Commonwealth entities using ExpressRoute Gateway must also deploy Network Virtual Appliances to establish VPN connectivity to the on-premises environment for compliance with the ACSC consumer guidance.
-
-|Resource | Link|
-|||
-|ExpressRoute Gateway Overview | [https://docs.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways](../expressroute/expressroute-about-virtual-network-gateways.md)|
-|Configure a virtual network gateway for ExpressRoute | [https://docs.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-portal-resource-manager](../expressroute/expressroute-howto-add-gateway-portal-resource-manager.md)|
-|
-
-### VPN Gateway
-
-Azure VPN Gateway provides an ingress network point from an external network for secure site-to-site or point-to-site connections. VPN Gateways provide a defined network bandwidth and incur usage costs after deployment. Commonwealth entities utilizing VPN Gateway should ensure that it is configured in accordance with the ACSC consumer guidance. Virtual Networks can have only one VPN Gateway, but this can be configured with multiple tunnels and can be leveraged by multiple Virtual Networks through VNet Peering, allowing multiple Virtual Networks to share bandwidth and connectivity. VPN Gateways can be established over the Internet or over ExpressRoute through Microsoft Peering.
-
-|Resource | Link|
-|||
-|VPN Gateway Overview | [https://docs.microsoft.com/azure/vpn-gateway/](../vpn-gateway/index.yml)|
-|Planning and design for VPN Gateway | [https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-plan-design](../vpn-gateway/vpn-gateway-about-vpngateways.md)|
-|VPN Gateway configuration for Australian Government agencies|[IPSEC configuration required for Australian Government agencies](vpn-gateway.md)|
-|
-
-### PaaS VNet integration
-
-Leveraging PaaS can provide enhanced functionality and availability and reduce management overhead but must be secured appropriately. To increase control, enforce network segmentation, or to provide a secure ingress entry point for applications and services, many PaaS capabilities can be integrated with a Virtual Network.
-
-To provide a secure entry point, PaaS capabilities such as Application Gateway can be configured with an external, public facing interface and an internal, private interface for communicating with application services. This prevents the need to configure application servers with Public IP addresses and expose them to external networks.
-
-To use PaaS as an integrated part of system or application architecture, Microsoft provides multiple mechanisms to deploy PaaS into a Virtual Network. The deployment methodology restricts the inbound access from external networks such as the Internet while providing connectivity and integration with internal systems and applications. Examples include App Service Environments, SQL Managed Instance, and more.
-
-|Resource | Link|
-|||
-|Virtual network integration for Azure services | [https://docs.microsoft.com/azure/virtual-network/virtual-network-for-azure-services](../virtual-network/virtual-network-for-azure-services.md)|
-|Integrate your app with an Azure Virtual Network How-to guide | [https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet](../app-service/overview-vnet-integration.md)|
-|
-
-## PaaS ingress
-
-PaaS capabilities provide opportunities for increased capability and simplified management, but introduce complexities in addressing requirements for network segmentation and segregation. PaaS capabilities are typically configured with Public IP addresses and are accessible from the Internet. When building systems using PaaS capabilities, care should be taken to identify all the necessary communication flows between components within the system and network security rules created to allow only this communication. As part of a defence-in-depth approach to security, PaaS capabilities should be configured with encryption, authentication, and appropriate access controls and permissions.
-
-### Hostname
-
-PaaS capabilities are uniquely identified by hostnames to allow multiple instances of the same service to be hosted on the same Public IP address. Unique hostnames are specified when resources are created and exist within Microsoft owned DNS domains. The specific hostnames for authorized services can be used within security tools with application level filtering capabilities. Certain services can also be configured with custom domains as required.
-
-|Resource | Link|
-|||
-|Many public namespaces used by Azure services can be obtained through PowerShell by running the Get-AzureRMEnvironment command | [https://docs.microsoft.com/powershell/module/azurerm.profile/get-azurermenvironment](/powershell/module/azurerm.profile/get-azurermenvironment)|
-|Configuring a custom domain name for an Azure cloud service | App Services and others can have custom domains [https://docs.microsoft.com/azure/cloud-services/cloud-services-custom-domain-name-portal](../cloud-services/cloud-services-custom-domain-name-portal.md)|
-|
-
-### Public IP for PaaS
-
-Public IP addresses for PaaS capabilities are allocated based on the region where the service is hosted or deployed. To build appropriate network security rules and routing topology for network segmentation and segregation covering Azure Virtual Networks, PaaS and ExpressRoute and Internet connectivity, an understanding of Public IP address allocation and regions is required. Azure allocates IP addresses from a pool allocated to each Azure region. Microsoft makes the addresses used in each region available for download, which is updated in a regular and controlled manner. The services that are available in each region also frequently changes as new services are released or services are deployed more widely. Commonwealth entities should review these materials regularly and can leverage automation to maintain systems as required. Specific IP addresses for some services hosted in each region can be obtained by contacting Microsoft support.
-
-|Resource | Link|
-|||
-|Microsoft Azure Datacenter IP Ranges | [https://www.microsoft.com/download/details.aspx?id=41653](https://www.microsoft.com/download/details.aspx?id=41653)|
-|Azure Services per region | [https://azure.microsoft.com/global-infrastructure/services/?regions=non-regional,australia-central,australia-central-2,australia-east,australia-southeast&products=all](https://azure.microsoft.com/global-infrastructure/services/?regions=non-regional,australia-central,australia-central-2,australia-east,australia-southeast&products=all)|
-|
-
-### Service endpoints
-
-Virtual Network Service endpoints provide a high-speed, private ingress network connection for subnets within a Virtual Network to consume specific PaaS capabilities. For complete network segmentation and segregation of the PaaS capability, the PaaS capability must be configured to accept connections only from the necessary virtual networks. Not all PaaS Capabilities support a combination of Firewall rules that includes service endpoints and traditional IP address-based rules, so care should be taken to understand the flow of communications required for application functionality and administration so that the implementation of these security controls does not impact service availability.
-
-|Resource | Link|
-|||
-|Service endpoints overview | [https://docs.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview](../virtual-network/virtual-network-service-endpoints-overview.md)
-|Tutorial |[https://docs.microsoft.com/azure/virtual-network/tutorial-restrict-network-access-to-resources](../virtual-network/tutorial-restrict-network-access-to-resources.md)|
-|
-
-## Security
-
-Implementing network segmentation and segregation controls on IaaS and PaaS capabilities is achieved through securing the capabilities themselves and by implementing controlled communication paths from the systems that will be communicating with the capability.
-
-Designing and building solutions in Azure is a process of creating a logical architecture to understand, control, and monitor network resources across the entire Azure presence. This logical architecture is software defined within the Azure platform and takes the place of a physical network topology that is implemented in traditional network environments.
-
-The logical architecture that is created must provide the functionality necessary for usability, but must also provide the visibility and control needed for security and integrity.
-
-Achieving this outcome is based on implementing the necessary network segmentation and segregation tools, but also in protecting and enforcing the network topology and the implementation of these tools.
-
-The information provided in this guide can be used to help identify the sources of ingress traffic that need to be permitted and the ways that the traffic can be further controlled or constrained.
-
-### Network Security Groups (NSGs)
-
-NSGs are used to specify the inbound and outbound traffic permitted for a subnet or a specific network interface. When configuring NSGs, commonwealth entities should use a approval list approach where rules are configured to permit the necessary traffic with a default rule configured to deny all traffic that does not match a specific permit statement. Care must be taken when planning and configuring NSGs to ensure that all necessary inbound and outbound traffic is captured appropriately. This includes identifying and understanding all private IP address ranges utilized within Azure Virtual Networks and the on-premises environment, and specific Microsoft services such as Azure Load Balancer and PaaS management requirements. Individuals involved in the design and implementation of Network Security Groups should also understand the use of Service Tags and Application Security Groups for creating fine-grained, service, and application-specific security rules.
-
-|Resource | Link|
-|||
-|Network Security Overview | [https://docs.microsoft.com/azure/virtual-network/security-overview](../virtual-network/network-security-groups-overview.md)
-|Create, change, or delete a network security group | [https://docs.microsoft.com/azure/virtual-network/manage-network-security-group](../virtual-network/manage-network-security-group.md)|
-|
-
-## PaaS firewall
-
-A PaaS firewall is a network access control capability that can be applied to certain PaaS services. It allows IP address filtering or filtering from specific virtual networks to be configured to restrict ingress traffic to the specific PaaS instance. For PaaS capabilities that include a Firewall, network access control policies should be configured to permit only the necessary ingress traffic based on application requirements.
-
-|Resource | Link|
-|||
-|Azure SQL Database and Azure Synapse Analytics IP firewall rules | [https://docs.microsoft.com/azure/sql-database/sql-database-firewall-configure](/azure/azure-sql/database/firewall-configure)|
-|Storage Network Security | [https://docs.microsoft.com/azure/storage/common/storage-network-security](../storage/common/storage-network-security.md)|
-|
-
-## PaaS authentication and access control
-
-Depending on the PaaS capability and its purpose, using network controls to restrict access may not be possible or practical. As part of the layered security model for PaaS, Azure provides a variety of authentication and access control mechanisms to restrict access to a service, even if network traffic is allowed. Typical authentication mechanisms for PaaS capabilities include Azure Active Directory, Application level authentication, and Shared Keys or access signatures. Once a user is securely identified, roles can be utilized to control the actions that the user can perform. These tools can be utilized as an alternative or as a complimentary measure to restrict access into services.
-
-|Resource | Link|
-|||
-|Controlling and granting database access to SQL Database and Azure Synapse Analytics | [https://docs.microsoft.com/azure/sql-database/sql-database-manage-logins](/azure/azure-sql/database/logins-create-manage)|
-|Authorization for the Azure Storage Services | [https://docs.microsoft.com/rest/api/storageservices/authorization-for-the-Azure-Storage-Services](/rest/api/storageservices/authorization-for-the-Azure-Storage-Services)|
-|
-
-## Azure Policy
-
-Azure Policy is a key component for enforcing and maintaining the integrity of the logical architecture of the Azure environment. Given the variety of services and ingress network traffic paths available through Azure services, it is crucial that Commonwealth entities are aware of the resources that exist within their environment and the available network ingress points. To ensure that unauthorized network ingress points are not created in the Azure environment, Commonwealth entities should leverage Azure Policy to control the types of resources that can be deployed and the configuration of those resources. Practical examples include restricting resources to only those authorized and approved for use, enforcing HTTPS encryption on Storage and requiring NSGs to be added to subnets.
-
-|Resource | Link|
-|||
-|Azure Policy Overview | [https://docs.microsoft.com/azure/governance/policy/overview](../governance/policy/overview.md)|
-|Allowed Resource Types sample policy | [https://docs.microsoft.com/azure/governance/policy/samples/allowed-resource-types](../governance/policy/samples/index.md)
-|Ensure HTTPS Storage Account sample policy|[https://docs.microsoft.com/azure/governance/policy/samples/ensure-https-storage-account](../governance/policy/samples/index.md)_
-|Force NSG on a subnet sample policy| [https://docs.microsoft.com/azure/governance/policy/samples/nsg-on-subnet](../governance/policy/samples/index.md)|
-|
-
-## Next steps
-
-Review the article on [Gateway Egress Traffic Management and Control](gateway-egress-traffic.md) for details on managing traffic flows from your Azure environment to other networks using your Gateway components in Azure.
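Review bot: this hunk deletes the ingress article outright but no redirect for the removed path appears in the change, and the removed content shows the page sits in a linked set: the Next steps line points at `gateway-egress-traffic.md` and the VPN Gateway table links `vpn-gateway.md`. If those articles remain, please add a redirect entry for the deleted file and check their back-links to this page in the same change, otherwise readers following the egress article's cross-reference land on a 404. The markdown defects in the removed tables (a missing leading pipe on the "Create a Virtual Network Quickstart" row and missing trailing pipes on the service endpoints, NSG and Azure Policy rows) need no action since the whole file goes.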
azure-australia Gateway Log Audit Visibility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/gateway-log-audit-visibility.md
- Title: Gateway logging, auditing, and visibility in Azure Australia
-description: How to configure Logging, Auditing, and Visibility within the Australian regions to meet the specific requirements of Australian Government policy, regulations, and legislation.
--- Previously updated : 07/22/2019---
-# Gateway logging, auditing, and visibility in Azure Australia
-
-Detecting and responding to cyber security threats relies on generating, collecting and analyzing data related to the operation of a system.
-
-Microsoft has built-in tools in Azure to help you implement logging, auditing, and visibility to manage the security of your systems deployed in Azure. There is also a reference architecture that aligns with the Australian Cyber Security Centre (ACSC) Consumer Guidance and the intent of the Information Security Manual (ISM).
-
-Gateways act as information flow control mechanisms at the network layer and may also control information at the higher layers of the Open System Interconnect (OSI) model. Gateways are necessary to control data flows between security domains and prevent unauthorised access from external networks. Given the criticality of gateways in controlling the flow of information between security domains, any failure, particularly at higher classifications, may have serious consequences. As such, robust mechanisms for alerting personnel to situations that may cause cyber security incidents are especially important for gateways.
-
-Implementing logging and alerting capabilities for gateways can assist in detecting cyber security incidents, attempted intrusions, and unusual usage patterns. In addition, storing event logs on a separate secure log server increases the difficulty for an adversary to delete logging information in order to destroy evidence of a targeted cyber intrusion.
-
-## Australian Cyber Security Centre (ACSC) requirements
-
-The overall security requirements for Commonwealth systems are defined in the ACSC Information Security Manual (ISM). To assist Commonwealth entities to meet these requirements within Azure, the *ACSC CONSUMER GUIDE ΓÇô Microsoft Azure at PROTECTED* and *ACSC CERTIFICATION REPORT ΓÇô Microsoft Azure* publications detail the following specific requirements related to Logging, Auditing, and Visibility:
-
-1. To mitigate the risks arising from using shared underlying cloud resources, Commonwealth entities must opt in to Microsoft Azure provided capabilities including Azure Security Centre, Azure Monitor, Azure Policy, and Azure Advisor to assist entities to perform real-time monitoring of their Azure workloads
-
-2. The ACSC also recommends that Commonwealth entities forward all mandated security logs to the ACSC for whole of Australian Government monitoring
-
-3. To assist in risk mitigation, Commonwealth entities should configure within their Azure subscriptions:
-
- * Enable Azure Security Centre
- * Upgrade to the Standard Tier
- * Enable Automatic Provisioning of the Microsoft Monitoring Agent to supported Azure VMs
- * Regularly review, prioritise, and mitigate the security recommendations and alerts on the Security Centre dashboard
-
-4. Government entities must enable log and event forwarding from their Azure subscription to the ACSC to provide the ACSC with visibility of non-compliance with this guidance. Azure Event Hubs provides the capability to perform external log streaming to the ACSC or on-premises systems owned by the Commonwealth entity
-
-5. Commonwealth entities should align the logging they enable within Azure to the requirements specified in the ISM
-
-6. Microsoft keeps logs within Azure for 90 days. Customer entities must implement a log archival regime to ensure logs can be kept for the seven years required under the NAA AFDA
-
-7. Commonwealth entities that have on-premises or Azure-based Security Information and Event Management (SIEM) capabilities can also forward logs to those systems
-
-8. Commonwealth entities should implement Network Watcher flow logs for Network Security Groups (NSGs) and Virtual Machines. These logs should be stored in a dedicated storage account containing only security logs, and access to the storage account should be secured with Azure role-based access control (Azure RBAC)
-
-9. Commonwealth entities must implement ACSC Consumer Guidance to ensure Azure workloads meet the intent of the ISM for logging and monitoring. Commonwealth entities must also opt in to Azure capabilities that assist the ACSC to receive real-time monitoring, alerting, and logs associated with Australian Government usage of Azure
-
-## Architecture
-
-To confidently understand the network traffic entering and leaving your Azure environment, the necessary logging must be enabled on the right set of components. Doing this ensures complete visibility of the environment and provides the necessary data to do analysis.
-
-![Azure Monitoring Architecture](media/visibility.png)
-
-## Components
-
-The architecture shown above is made up of discrete components that provide the function of either Log Sources, Log Collection, Log Retention, Log Analysis or Incident Response. This architecture includes individual components that are typically involved in internet accessible Azure deployments.
-
-|Functions|Components|
-|||
-|Log Sources|<ul><li>Application Gateway</li><li>VPN Gateway</li><li>Azure Firewall</li><li>Network Virtual Appliances</li><li>Azure Load Balancer</li><li>Virtual Machines</li><li>Domain Naming System (DNS) Servers</li><li>Syslog and/or Log Collection Servers</li><li>NSGs</li><li>Azure Activity Log</li><li>Azure Diagnostic Log</li><li>Azure Policy</li></ul>|
-|Log Collection|<ul><li>Event Hubs</li><li>Network Watcher</li><li>Log Analytics</li></ul>|
-|Log Retention|<ul><li>Azure Storage</li></ul>|
-|Log Analysis|<ul><li>Microsoft Defender for Cloud</li><li>Azure Advisor</li><li>Log Analytics Solutions<ul><li>Traffic Analytics</li><li>DNS Analytics (Preview)</li><li>Activity Log Analytics</li></ul></li><li>SIEM</li><li>ACSC</li></ul>|
-|Incident Response|<ul><li>Azure Alerts</li><li>Azure Automation</li></ul>|
-|
-
-The architecture works by first generating logs from the necessary sources and then collecting them into centralised repositories. Once you've collected the logs, they can be:
-
-* used by Azure analysis services to get insight,
-* get forwarded to external systems, or
-* get archived to storage for long-term retention.
-
-To respond to key events or incidents identified by analysis tools, alerts can be configured, and automation developed to take necessary actions for proactive management and response.
-
-## General guidance
-
-When implementing the components listed in this article, the following general guidance applies:
-
-* Validate the region availability of services, ensuring that all data remains within authorised locations and deploy to AU Central or AU Central 2 as the first preference for PROTECTED workloads
-
-* Refer to the *Azure - ACSC Certification Report ΓÇô Protected 2018* publication for the certification status of individual services and perform self-assessments on any relevant components not included in the report as per the *ACSC CONSUMER GUIDE ΓÇô Microsoft Azure at PROTECTED*
-
-* For components not referenced in this article, Commonwealth entities should follow the principles included about generating, capturing, analysing, and keeping logs
-
-* Identify and prioritise the logging, auditing, and visibility on high value systems as well as all network ingress and egress points to systems hosted in Azure
-
-* Consolidate logs and minimise the number of instances of logging tools such as storage accounts, Log Analytics workspaces and Event Hubs
-
-* Restrict administrative privileges through Azure role-based access control (Azure RBAC)
-
-* Use Multi-Factor Authentication (MFA) for accounts administering or configuring resources in Azure
-
-* When centralising log collection across multiple subscriptions, ensure that administrators have the necessary privileges in each subscription
-
-* Ensure network connectivity and any necessary proxy configuration for Virtual Machines, including Network Virtual Appliances (NVAs), Log Collection Servers and DNS Servers, to connect to necessary Azure services such as the Log Analytics workspaces, Event Hubs, and Storage
-
-* Configure the Microsoft Monitoring Agent (MMA) to utilise TLS version 1.2
-
-* Use Azure Policy to monitor and enforce compliance with requirements
-
-* Enforce encryption on all data repositories such as Storage and Databases
-
-* Use Locally redundant storage (LRS) and snapshots for availability of Storage Accounts and associated data
-
-* Consider Geo-redundant storage (GRS) or off-site storage to align with Disaster Recovery strategies
-
-|Resource|URL|
-|||
-|Australian Regulatory and Policy Compliance Documents|[https://aka.ms/au-irap](https://aka.ms/au-irap)|
-|Azure products - Australian regions and non-regional|[https://azure.microsoft.com/global-infrastructure/services/?regions=non-regional,australia-central,australia-central-2,australia-east,australia-southeast](https://azure.microsoft.com/global-infrastructure/services/?regions=non-regional,australia-central,australia-central-2,australia-east,australia-southeast)|
-|Microsoft Azure Security and Audit Log Management Whitepaper|[https://download.microsoft.com/download/B/6/C/B6C0A98B-D34A-417C-826E-3EA28CDFC9DD/AzureSecurityandAuditLogManagement_11132014.pdf](https://download.microsoft.com/download/B/6/C/B6C0A98B-D34A-417C-826E-3EA28CDFC9DD/AzureSecurityandAuditLogManagement_11132014.pdf)|
-|Microsoft Monitoring Agent Configuration|[https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent](../azure-monitor/agents/log-analytics-agent.md)|
-|
-
-## Component guidance
-
-This section provides information on the purpose of each component and its role in the overall logging, auditing, and visibility architecture. Additional links are provided to access useful resources such as reference documentation, guides, and tutorials.
-
-## Log sources
-
-Before any analysis, alerting or reporting can be completed, the necessary logs must be generated. Azure logs are categorized into control/management logs, data plane logs, and processed events.
-
-|Type|Description|
-|||
-|Control/management logs|Provide information about Azure Resource Manager operations|
-|Data plane logs|Provide information about events raised as part of Azure resource usage, such as logs in a Virtual Machine and the diagnostics logs available through Azure Monitor|
-|Processed events|Provide information about analysed events/alerts that have been processed by Azure, such as where Microsoft Defender for Cloud has processed and analysed subscriptions to provide security alerts|
-|
-
-### Application Gateway
-
-Azure Application Gateway is one of the possible entry points into an Azure environment so you need to capture information related to incoming connections communicating with web applications. Application Gateway can provide crucial information relating to web application usage as well as assisting in detecting cyber security incidents. Application Gateway sends metadata to the Activity Log and Diagnostic Logs in Azure Monitor where it can be utilised in Log Analytics or distributed to an Event Hub or Storage Account.
-
-|Resources|Link|
-|||
-|Application Gateway Documentation|[https://docs.microsoft.com/azure/application-gateway/](../application-gateway/index.yml)|
-|Application Gateway quickstart Guide|[https://docs.microsoft.com/azure/application-gateway/quick-create-portal](../application-gateway/quick-create-portal.md)|
-|
-
-### VPN Gateway
-
-The VPN Gateway is a potential entry point for a wide range of communications into the Azure environment, such as the connection to an on-premises environment and administrative traffic. Logging on VPN Gateways provides insight and traceability for the connections made to the Azure environment. Logging can provide auditing and analysis as well as assist in the detection or investigation of malicious or anomalous connections. VPN Gateway logs are sent to the Azure Monitor Activity Log where they can be utilised in Log Analytics or distributed to an Event Hub or Storage Account.
-
-|Resources|Link|
-|||
-|VPN Gateway Documentation|[https://docs.microsoft.com/azure/vpn-gateway/](../vpn-gateway/index.yml)|
-|Australian Government specific VPN Gateway guidance|[Azure VPN Gateway configuration](vpn-gateway.md)|
-|
-
-### Azure Firewall
-
-Azure Firewall provides a controlled exit point from an Azure environment and the logs generated, which include information on attempted and successful outbound connections, are an important element in your logging strategy. These logs can validate that systems are operating as designed, as well as assist in detecting malicious code or actors attempting to connect to unauthorised external systems. Azure Firewall writes logs to the Activity Log and Diagnostic Logs in Azure Monitor where it can be used in Log Analytics, or distributed to an Event Hub or Storage Account.
-
-|Resources|Link|
-|||
-|Azure Firewall Documentation|[https://docs.microsoft.com/azure/firewall/](../firewall/index.yml)|
-|Tutorial: Monitor Azure Firewall logs and metrics|[https://docs.microsoft.com/azure/firewall/tutorial-diagnostics](../firewall/firewall-diagnostics.md)|
-|
-
-### Network Virtual Appliances (NVA)
-
-NVAs can be used to complement the security capabilities available natively in Azure. The logs generated on NVAs can be valuable resources in detecting cyber security incidents and are a key part of an overall logging, auditing, and visibility strategy. To capture logs from NVAs, utilise the Microsoft Monitoring Agent (MMA). For NVAs that don't support the installation of the MMA, consider using a Syslog or other log collection server to relay logs.
-
-|Resources|Link|
-|||
-|Overview of Network Virtual Appliances|[https://azure.microsoft.com/solutions/network-appliances](https://azure.microsoft.com/solutions/network-appliances)|
-|NVA Documentation|Refer to the vendor documentation on the implementation of the relevant NVA in Azure|
-|
-
-### Azure Load Balancer
-
-Azure Load Balancer logs are used to obtain useful information about the connections and usage related to systems deployed in Azure. This can be used for health and availability monitoring, but also forms another key component in gaining the necessary insight into communications traffic and detecting malicious or anomalous traffic patterns. Azure Load Balancer logs to the Activity Log and Diagnostic Logs in Azure Monitor where it can be utilised in Log Analytics or distributed to an Event Hub or Storage Account.
-
-|Resources|Link|
-|||
-|Azure Load Balancer Documentation|[https://docs.microsoft.com/azure/load-balancer](../load-balancer/index.yml)|
-|Metrics and health diagnostics for Standard Load Balancer|[https://docs.microsoft.com/azure/load-balancer/load-balancer-standard-diagnostics](../load-balancer/load-balancer-standard-diagnostics.md)|
-|
-
-### Virtual machines
-
-Virtual machines are endpoints that send and receive network communications, process data, and provide services. As Virtual machines can host data or crucial system services, ensuring that they're operating correctly and detecting cyber security incidents can be critical. Virtual machines collect various event and audit logs that can track the operation of the system and the actions done on that system. Logs collected on Virtual Machines can be forwarded to a Log Analytics workspace using the Log Analytics agent where they can be analyzed by Microsoft Defender for Cloud. Virtual machines can also integrate directly with Azure Event Hubs or with a SIEM solution, either directly or through a log collection server.
-
-|Resources|Link|
-|||
-|Virtual Machines|[https://docs.microsoft.com/azure/virtual-machines](../virtual-machines/index.yml)|
-|Collect Data from Virtual Machines|[https://docs.microsoft.com/azure/log-analytics/log-analytics-quick-collect-azurevm](../azure-monitor/vm/monitor-virtual-machine.md)|
-|Stream Virtual Machine Logs to Event Hubs|[https://docs.microsoft.com/azure/monitoring-and-diagnostics/azure-diagnostics-streaming-event-hubs](../azure-monitor/agents/diagnostics-extension-stream-event-hubs.md)|
-|
-
-### Domain Name Services (DNS) servers
-
-DNS Server logs provide key information related to the services that systems are trying to access, either internally or externally. Capturing DNS logs can help identify a cyber security incident and provide insight into the type of incident, and the systems that may be affected. The Microsoft Management Agent (MMA) can be used on DNS Servers to forward the logs through to Log Analytics for use in DNS Analytics (Preview).
-
-|Resources|Link|
-|||
-|Azure Name Resolution for Virtual Networks|[https://docs.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md)|
-|
-
-### Syslog and log collection servers
-
-To receive logs from Network Virtual Appliances, or custom security logs from other systems for use within a SIEM, dedicated servers can be deployed within Azure VNets. Syslog logs can be collected on a Syslog server and relayed to Log Analytics for analysis. A Log Collection Server is a generic term for any log aggregation and distribution capability used by centralised monitoring systems or SIEMs. These can be used to simplify network architecture and security and to filter and aggregate logs before being distributed to the centralised capability.
-
-|Resources|Link|
-|||
-|Syslog data sources in Log Analytics|[https://docs.microsoft.com/azure/azure-monitor/platform/data-sources-syslog](../azure-monitor/agents/data-sources-syslog.md)|
-|Log Collection Server|Refer to vendor documentation for details on monitoring and SIEM architecture|
-|
-
-### Network Security Groups (NSGs)
-
-NSGs control traffic into and out of virtual networks in Azure. NSGs apply rules for the traffic flows that are permitted or denied, which includes traffic within Azure and between Azure and external networks such as on-premises or the Internet. NSGs are applied to subnets within a virtual network or to individual network interfaces. To capture information on the traffic entering and leaving systems in Azure, NSG logs can be enabled through the Network Watcher NSG Flow Logs feature. These logs are used to form a baseline for the standard operation of a system and are the data source for Traffic Analytics, which provides detailed insights into the traffic patterns of systems hosted in Azure.
-
-|Resources|Link|
-|||
-|Network Security Group Documentation|[https://docs.microsoft.com/azure/virtual-network/security-overview](../virtual-network/network-security-groups-overview.md)|
-|Introduction to flow logging for network security groups|[https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-overview](../network-watcher/network-watcher-nsg-flow-logging-overview.md)|
-|Tutorial: Log network traffic to and from a Virtual Machine using the Azure portal|[https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal](../network-watcher/network-watcher-nsg-flow-logging-portal.md)|
-|
-
-### Azure Activity Log
-
-Azure Activity Log, which is part of Azure Monitor, is a subscription log that provides insight into subscription-level events that have occurred in Azure. The Activity Log can help determine the 'what, who, and when' for any write operations (PUT, POST, DELETE) taken ***on*** the resources in a subscription. The Activity Log is crucial for tracking the configuration changes made within the Azure environment. Azure Activity Logs are automatically available for use in Log Analytics solutions and can be sent to Event Hubs or Azure Storage for processing or retention.
-
-|Resources|Link|
-|||
-|Azure Activity Log Documentation|[https://docs.microsoft.com/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs](../azure-monitor/essentials/platform-logs-overview.md)|
-|Stream the Azure Activity Log to Event Hubs|[https://docs.microsoft.com/azure/monitoring-and-diagnostics/monitoring-stream-activity-logs-event-hubs](../azure-monitor/essentials/activity-log.md#legacy-collection-methods)|
-|
-
-### Azure Diagnostic Log
-
-Azure Monitor diagnostic logs are logs emitted by an Azure service that provide rich, frequent data about the operation of that service. Diagnostic logs provide insight into the operation of a resource at a detailed level and can be used for a range of requirements such as auditing or troubleshooting. Azure Diagnostic Logs are automatically available for use in Log Analytics solutions and can be sent to Event Hubs or Azure Storage for processing or retention.
-
-|Resources|Link|
-|||
-|Azure Diagnostic Log Documentation|[https://docs.microsoft.com/azure/monitoring-and-diagnostics/monitoring-overview-of-diagnostic-logs](../azure-monitor/essentials/platform-logs-overview.md)|
-|Support services for Diagnostic Logs|[https://docs.microsoft.com/azure/monitoring-and-diagnostics/monitoring-diagnostic-logs-schema](../azure-monitor/essentials/resource-logs-schema.md)|
-|
-
-### Azure Policy
-
-Azure Policy enforces rules on how resources can be deployed, such as the type, location, and configuration. Azure Policy can be configured to ensure resources can only be deployed if they're compliant with requirements. Azure Policy is a core component to maintaining the integrity of an Azure environment. Events related to Azure Policy are logged to the Azure Activity Log and are automatically available for use in Log Analytics solutions or can be sent to Event Hubs or Azure Storage for processing or retention.
-
-|Resources|Link|
-|||
-|Azure Policy Documentation|[https://docs.microsoft.com/azure/governance/policy](../governance/policy/index.yml)|
-|Leveraging Azure Policy and Resource Manager templates using Azure Blueprints|[https://docs.microsoft.com/azure/governance/blueprints/overview](../governance/blueprints/overview.md)|
-|
-
-## Log collection
-
-Once generated from the multiple log sources, logs need to be stored in a centralised location for ongoing access and analysis. Azure provides multiple methods and options for Log Collection that can be utilised depending on the log type and requirements.
-
-### Event Hubs
-
-The purpose of an Event Hub is to aggregate the log data for the various sources for distribution. From the Event Hub, the log data can be sent on to a SIEM, to the ACSC for compliance and to Storage for long-term retention.
-
-|Resources|Link|
-|||
-|Event Hubs Documentation|[https://docs.microsoft.com/azure/event-hubs](../event-hubs/index.yml)|
-|Guidance on Event Hubs and External Tools|[https://docs.microsoft.com/azure/monitoring-and-diagnostics/monitor-stream-monitoring-data-event-hubs](../azure-monitor/essentials/stream-monitoring-data-event-hubs.md)|
-|
-
-### Log Analytics
-
-Log Analytics is part of Azure Monitor and is used for log analysis. Log Analytics uses a workspace as the storage mechanism where log data can be made available for a variety of analysis tools and solutions available within Azure. Log Analytics integrates with a wide range of Azure components directly, as well as Virtual Machines through the Microsoft Monitoring Agent.
-
-|Resources|Link|
-|||
-|Log Analytics Documentation|[https://docs.microsoft.com/azure/azure-monitor](../azure-monitor/index.yml)|
-|Tutorial: Analyze Data in Log Analytics|[https://docs.microsoft.com/azure/azure-monitor/learn/tutorial-viewdata](../azure-monitor/logs/log-analytics-tutorial.md)|
-|
-
-### Network Watcher
-
-The use of Network Watcher is recommended by the ACSC to assist in understanding and capturing network traffic in an Azure subscription. NSG Flow logs provide the input to the Traffic Analytics solution in Log Analytics, which provides increased visibility, analysis and reporting natively through Azure. Network Watcher also provides a packet capture capability directly from the Azure portal without the need to sign in to the Virtual Machine. Packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine.
-
-|Resources|Link|
-|||
-|Network Watcher|[https://docs.microsoft.com/azure/network-watcher](../network-watcher/index.yml)|
-|Packet Capture Overview|[https://docs.microsoft.com/azure/network-watcher/network-watcher-packet-capture-overview](../network-watcher/network-watcher-packet-capture-overview.md)|
-|
-
-## Log retention
-
-For Australian Government organisations, the logs captured within Azure must be retained in accordance with the National Archives of Australia [Administrative Functions Disposal Authority (AFDA)](https://www.naa.gov.au/information-management/records-authorities/types-records-authorities/afda-express-version-2-functions), which specifies retaining logs up to seven years.
-
-|Log Location|Retention Period|
-|||
-|Azure Activity Log|Up to 90 days|
-|Log Analytics workspace|Up to two years|
-|Event Hub|Up to seven days|
-|
-
-It is your responsibility to ensure that logs are archived appropriately to adhere to AFDA and other legislative requirements.
-
-### Azure Storage
-
-Azure Storage is the repository for logs for long-term retention in Azure. Azure Storage can be used to archive logs from Azure including Event Hubs, Azure Activity Log, and Azure Diagnostic Logs. The period of retention of data in Storage can be set to zero, or can be specified as a number of days. A retention of zero days means logs are kept forever, otherwise, the value can be any number of days between 1 and 2147483647.
-
-|Resources|Link|
-|||
-|Azure Storage Documentation|[https://docs.microsoft.com/azure/storage](../storage/index.yml)|
-|Capture events through Azure Event Hubs in Azure Blob Storage or Azure Data Lake Storage|[https://docs.microsoft.com/azure/event-hubs/event-hubs-capture-overview](../event-hubs/event-hubs-capture-overview.md)|
-|Tutorial: Archive Azure metric and log data using Azure Storage|[https://docs.microsoft.com/azure/monitoring-and-diagnostics/monitor-tutorial-archive-monitoring-data](../azure-monitor/essentials/platform-logs-overview.md)|
-|Azure Storage Replication|[https://docs.microsoft.com/azure/storage/common/storage-redundancy](../storage/common/storage-redundancy.md)|
-|Creating a Snapshot of a Blob|[https://docs.microsoft.com/rest/api/storageservices/creating-a-snapshot-of-a-blob](/rest/api/storageservices/creating-a-snapshot-of-a-blob)|
-|
-
-## Log analysis
-
-Once generated and stored in a centralised location, the logs must be analysed to assist with detecting attempted or successful security incidents. When security incidents are detected, an agency needs the ability to respond to those incidents and to track, contain, and remediate any threats.
-
-### Microsoft Defender for Cloud
-
-Microsoft Defender for Cloud provides unified security management and advanced threat protection. Microsoft Defender for Cloud can apply security policies across workloads, limit exposure to threats, and detect and respond to attacks. Microsoft Defender for Cloud provides dashboards and analysis across a wide range of Azure components. The use of Microsoft Defender for Cloud is specified as a requirement in the ACSC consumer guidance.
-
-|Resources|Link|
-|||
-|Microsoft Defender for Cloud documentation|[https://docs.microsoft.com/azure/security-center](../security-center/index.yml)|
-|Quickstart: Enable Microsoft Defender for Cloud's enhanced security features|[https://docs.microsoft.com/azure/security-center/security-center-get-started](../security-center/enable-enhanced-security.md)|
-|||
-
-### Traffic Analytics
-
-Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in Azure. Traffic analytics analyses Network Watcher NSG flow logs to provide insights into traffic flow in Azure. Traffic Analytics is used to provide dashboards, reports, analysis, and event response capabilities related to the network traffic seen across virtual networks. Traffic Analytics gives significant insight and helps in identifying and resolving cyber security incidents.
-
-|Resources|Link|
-|||
-|Traffic Analytics Documentation|[https://docs.microsoft.com/azure/network-watcher/traffic-analytics](../network-watcher/traffic-analytics.md)|
-|
-
-### Azure Advisor
-
-Azure Advisor analyses resource configuration and other data to recommend solutions to help improve the performance, security, and high availability of resources while looking for opportunities to reduce overall Azure spend. Azure Advisor is recommended by the ACSC and provides easily accessible and detailed advice on the configuration of the Azure environment.
-
-|Resources|Link|
-|||
-|Azure Advisor Documentation|[https://docs.microsoft.com/azure/advisor](../advisor/index.yml)|
-|Get started with Azure Advisor|[https://docs.microsoft.com/azure/advisor/advisor-get-started](../advisor/advisor-get-started.md)|
-|
-
-### DNS Analytics (Preview)
-
-DNS Analytics is a Log Analytics Solution that collects, analyses, and correlates Windows DNS analytic and audit logs and other related data. DNS Analytics identifies clients that try to resolve malicious domain names, stale resource records, frequently queried domain names, and talkative DNS clients. DNS Analytics also provides insight into request load on DNS servers and dynamic DNS registration failures. DNS Analytics is used to provide dashboards, reports, analysis, and event response capabilities related to the DNS queries made within an Azure environment. DNS Analytics gives significant insight and helps in identifying and resolving cyber security incidents.
-
-|Resources|Link|
-|||
-|DNS Analytics Documentation|[https://docs.microsoft.com/azure/azure-monitor/insights/dns-analytics](../azure-monitor/insights/dns-analytics.md)|
-|
-
-### Activity Log Analytics
-
-Activity Log Analytics is a Log Analytics Solution that helps analyse and search the Azure activity log across multiple Azure subscriptions. Activity Log Analytics is used to provide centralised dashboards, reports, analysis, and event response capabilities related to the actions that are performed on resources the whole Azure environment. Activity Log Analytics can assist with auditing and investigation.
-
-|Resources|Link|
-|||
-|Collect and analyze Azure activity logs in Log Analytics|[https://docs.microsoft.com/azure/azure-monitor/platform/collect-activity-logs](../azure-monitor/essentials/activity-log.md)|
-|
-
-### Security Information and Event Management (SIEM)
-
-A SIEM is a system that provides centralised storage, auditing and analysis of security logs, with defined mechanisms for ingesting a wide range of log data and intelligent tools for analysis, reporting and incident detection and response. You can use SIEM capabilities that include Azure logging information to supplement the security capabilities provided natively in Azure. Commonwealth entities can utilise a SIEM hosted on Virtual Machines in Azure, on-premises or as a Software as a Service (SaaS) capability depending on specific requirements.
-
-|Resources|Link|
-|||
-|Microsoft Sentinel (Preview)|[https://azure.microsoft.com/services/azure-Sentinel](https://azure.microsoft.com/services/azure-sentinel)|
-|SIEM Documentation|Refer to vendor documentation for SIEM architecture and guidance|
-|Use Azure Monitor to integrate with SIEM tools|[https://azure.microsoft.com/blog/use-azure-monitor-to-integrate-with-siem-tools](https://azure.microsoft.com/blog/use-azure-monitor-to-integrate-with-siem-tools)|
-|
-
-### Australian Cyber Security Centre
-
-The Australian Cyber Security Centre (ACSC) is the Australian Government's lead on national cyber security. It brings together cyber security capabilities from across the Australian Government to improve the cyber resilience of the Australian community and support the economic and social prosperity of Australia in the digital age. The ACSC recommends that Commonwealth entities forward all mandated system-generated log files, events, and logs to the ACSC for whole of Australian Government monitoring.
-
-|Resources|Link|
-|||
-|Australian Cyber Security Centre website|[https://www.acsc.gov.au](https://www.acsc.gov.au)|
-|
-
-## Incident response
-
-Generating the appropriate logs, collecting them into centralised repositories and performing analysis increases understanding of systems and provides mechanisms to detect cyber security incidents. After incidents or events have been detected, the next step is to react to those events and perform actions to maintain system health and protect services and data from compromise. Azure provides a combination of services to respond effectively to any events that occur.
-
-### Azure Alerts
-
-Azure Alerts can be used to notify support and security personnel in response to particular events. This allows a Commonwealth entity to proactively respond to the detection of relevant events raised by the analysis services listed in this article.
-
-|Resources|Link|
-|||
-|Overview of Alerts in Microsoft Azure|[https://docs.microsoft.com/azure/monitoring-and-diagnostics/monitoring-overview-alerts](../azure-monitor/alerts/alerts-overview.md)|
-|Managing and responding to security alerts in Microsoft Defender for Cloud|[https://docs.microsoft.com/azure/security-center/security-center-managing-and-responding-alerts](../security-center/security-center-managing-and-responding-alerts.md)|
-|Azure Monitor Log Alerts|[https://docs.microsoft.com/azure/azure-monitor/learn/tutorial-response](../azure-monitor/alerts/alerts-log.md)|
-|
-
-### Azure Automation
-
-Azure Automation enables Commonwealth entities to trigger actions in response to events. This could be to start a packet capture on Virtual Machines, run a workflow, stop, or start Virtual Machines or services, or a range of other tasks. Automation enables rapid response to alerts without manual intervention thus reducing the response time and severity of an incident or event.
-
-|Resources|Link|
-|||
-|Azure Automation Documentation|[https://docs.microsoft.com/azure/automation](../automation/index.yml)|
-|How-to guide: Use an alert to trigger an Azure Automation runbook|[https://docs.microsoft.com/azure/automation/automation-create-alert-triggered-runbook](../automation/automation-create-alert-triggered-runbook.md)|
-|
-
-## Next steps
-
-Review the article on [Gateway Secure Remote Administration](gateway-secure-remote-administration.md) for details on securely managing your Gateway environment in Azure.
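Review bot: this hunk deletes the entire gateway-log-audit-visibility article rather than editing it, which drops the AFDA retention guidance (Activity Log up to 90 days, Log Analytics workspace up to two years, Event Hub up to seven days) and the "Next steps" link to gateway-secure-remote-administration.md; if the content is being retired instead of relocated, add a redirect entry for the old URL and confirm no other article in the repo still links to gateway-log-audit-visibility.md, otherwise the docs build will flag broken links and existing bookmarks will 404.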
azure-australia Gateway Secure Remote Administration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/gateway-secure-remote-administration.md
- Title: Secure remote administration of gateway in Azure Australia
-description: Guidance on configuring secure remote administration within the Australian regions to meet the specific requirements of Australian Government policy, regulations, and legislation.
--- Previously updated : 07/22/2019---
-# Secure remote administration of your Gateway in Azure Australia
-
-It's critical to the availability and integrity of any system that administrative activities are conducted securely and are controlled. Administrative activities should be done from a secure device, over a secure connection, and be backed by strong authentication and authorisation processes. Secure Remote Administration ensures that only authorised actions are performed and only by authorised administrators.
-
-This article provides information on implementing a secure remote administration capability for an internet accessible system hosted in Azure that aligns with the Australian Cyber Security Centre (ACSC) Consumer Guidance and the intent of the ACSC's Information Security Manual (ISM).
-
-## Australian Cyber Security Centre (ACSC) requirements
-
-The overall security requirements for Commonwealth systems are defined in the ISM. To assist Commonwealth entities in providing secure administration, the ACSC has published [ACSC Protect: Secure Administration](https://www.cyber.gov.au/acsc/view-all-content/publications/secure-administration)
-
-This document discusses the importance of secure administration and suggests one method of implementing a secure administration environment. The document describes the elements of a secure administration solution as follows:
-
-|Element |Description |
-|||
-|Privileged access control |Controlling access to privileged accounts is a fundamental security control that will protect privileged accounts from misuse. The access control methodology will encompass the concepts of 'least privilege' and 'need to have' as well as processes and procedures for managing service accounts and staff movements. |
-|Multi-factor authentication |Implementing additional factors of authentication beyond usernames and passphrases, such as physical tokens or smartcards, can help protect critical assets. If an adversary compromises credentials for privileged accounts, as all administrative actions would first need to go through some form of multi-factor authentication, the consequences can be greatly reduced.|
-|Privileged workstations|The use of a known secure environment for administrative tasks can result in a lesser risk of the network being compromised due to the implementation of additional security controls.|
-|Logging and auditing |Automated generation, collection, and analysis of security and administrative related events from workstations, servers, network devices, and jump boxes will enable detection of compromises and attempted compromises. Automation enables organisations to respond more quickly, reducing the implications of a compromise.|
-|Network segmentation and segregation|Segmenting a network into logical zones such as differing security domains, and further segregating these logical networks by restricting the types of data that flow from one zone to another, restricts lateral movement. Segmentation prevents an adversary from gaining access to additional resources.|
-|Jump boxes|A jump box is a hardened remote access server, commonly utilising Microsoft's Remote Desktop Services or Secure Shell (SSH) software. Jump boxes act as a stepping point for administrators accessing critical systems with all administrative actions performed from the dedicated host.|
-
-This article provides a reference architecture for how the elements above can be used for secure administration of systems deployed in Azure.
-
-## Architecture
-
-Providing a secure administration capability requires multiple components that all work together to form a cohesive solution. In the reference architecture provided, the components are mapped to the elements described in [ACSC Protect: Secure Administration](https://www.cyber.gov.au/acsc/view-all-content/publications/secure-administration)
-
-![Azure Secure Remote Administration Architecture](media/remote-admin.png)
-
-## Components
-
-The architecture is designed to ensure that a privileged account is granted only the necessary permissions, is securely identified, and then provided access to administrative interfaces only from an authorised device and through secure communications mechanisms that are controlled and audited.
-
-|Solution| Components|Elements|
-||||
-|Secure Devices |<ul><li>Privileged Workstation</li><li>Mobile Device</li><li>Microsoft Intune</li><li>Group Policy</li><li>Jump Server / Bastion Host</li><li>Just in Time (JIT) Administration</li></ul> |<ul><li>Privileged workstations</li><li>Jump boxes</li></ul>|
-|Secure Communication |<ul><li>Azure portal</li><li>Azure VPN Gateway</li><li>Remote Desktop (RD) Gateway</li><li>Network Security Groups (NSGs)</li></ul> |<ul><li>Network segmentation and segregation</li></ul>|
-|Strong Authentication |<ul><li>Domain Controller (DC)</li><li>Azure Active Directory (Azure AD)</li><li>Network Policy Server (NPS)</li><li>Azure AD MFA</li></ul> |<ul><li>Multi-factor authentication</li></ul> |
-|Strong Authorisation |<ul><li>Identity and Access Management (IAM)</li><li>Privileged Identity Management (PIM)</li><li>Conditional Access</li></ul>|<ul><li>Privileged access control</li></ul>|
-|||
-
->[!NOTE]
->For more information on the Logging and auditing element, see the article on [Gateway logging, auditing, and visibility](gateway-log-audit-visibility.md)
-
-## Administration workflow
-
-Administering systems deployed in Azure is divided into two distinct categories, administering the Azure configuration and administering workloads deployed in Azure. Azure configuration is conducted through the Azure portal and workload administration is completed through administrative mechanisms such as Remote Desktop Protocol (RDP), Secure Shell (SSH) or for PaaS capabilities, using tools such as SQL Management Studio.
-
-Gaining access for administration is a multi-step process involving the components listed in the architecture and requires access to the Azure portal and Azure configuration before access can be made to Azure workloads.
-
->[!NOTE]
-> The steps described here are the general process using the Graphical User Interface (GUI) components of Azure. These steps can also be completed using other interfaces such as PowerShell.
-
-### Azure configuration and Azure portal access
-
-|Step |Description |
-|||
-|Privileged Workstation sign in |The administrator signs in the privileged workstation using administrative credentials. Group Policy controls prevent non-administrative accounts from authenticating to the privileged workstation and prevents administrative accounts from authenticating to non-privileged workstations. Microsoft Intune manages the compliance of the privileged workstation to ensure that it is up-to-date with software patches, antimalware, and other compliance requirements. |
-|Azure portal sign in |The administrator opens a web browser to the Azure portal, which is encrypted using Transport Layer Security (TLS), and signs in on using administrative credentials. The authentication request is processed through Azure Active Directory directly or through authentication mechanisms such as Active Directory Federation Services (AD FS) or Pass-through authentication. |
-|Azure AD MFA |Azure AD MFA sends an authentication request to the registered mobile device of the privileged account. The mobile device is managed by Intune to ensure compliance with security requirements. The administrator must authenticate first to the mobile device and then to the Microsoft Authenticator App using a PIN or Biometric system before the authentication attempt is authorised to Azure AD MFA. |
-|Conditional Access |Conditional Access policies check the authentication attempt to ensure that it meets the necessary requirements such as the IP address the connection is coming from, group membership for the privileged account, and the management and compliance status of the privileged workstation as reported by Intune. |
-|Privileged Identity Management (PIM) |Through the Azure portal the administrator can now activate or request activation for the privileged roles for which they have authorisation through PIM. PIM ensures that privileged accounts do not have any standing administrative privileges and that all requests for privileged access are only for the time required to perform administrative tasks. PIM also provides logging of all requests and activations for auditing purposes. |
-|Identity and Access Management|Once the privileged account has been securely identified and roles activated, the administrator is provided access to the Azure subscriptions and resources that they have been assigned permissions to through Identity and Access Management.|
-
-Once the privileged account has completed the steps to gain administrative access to the Azure portal, access to the workloads can be configured and administrative connections can be made.
-
-### Azure workload administration
-
-|Step |Description|
-|||
-|Just in Time (JIT) Access|To obtain access to virtual machines, the Administrator uses JIT to request access to RDP to the Jump Server from the RD Gateway IP address and RDP or SSH from the Jump Server to the relevant workload virtual machines.|
-|Azure VPN Gateway|The administrator now establishes a Point-to-Site IPSec VPN connection from their privileged workstation to the Azure VPN Gateway, which performs certificate authentication to establish the connection.|
-|RD Gateway|The administrator now attempts an RDP connection to the Jump Server with the RD Gateway specified in the Remote Desktop Connection configuration. The RD Gateway has a private IP address that is reachable through the Azure VPN Gateway connection. Policies on the RD Gateway control whether the privileged account is authorised to access the requested Jump Server. The RD Gateway prompts the administrator for credentials and forwards the authentication request to the Network Policy Server (NPS).|
-|Network Policy Server (NPS)|The NPS receives the authentication request from the RD Gateway and validates the username and password against Active Directory before sending a request to Azure Active Directory to trigger an Azure AD MFA authentication request.|
-|Azure AD MFA|Azure AD MFA sends an authentication request to the registered mobile device of the privileged account. The mobile device is managed by Intune to ensure compliance with security requirements. The administrator must authenticate first to the mobile device and then to the Microsoft Authenticator App using a PIN or Biometric system before the authentication attempt is authorised to Azure AD MFA.|
-|Jump Server|Once successfully authenticated, the RDP connection is encrypted using Transport Layer Security (TLS) and then sent through the encrypted IPSec tunnel to the Azure VPN Gateway, through the RD Gateway and on to the Jump Server. From the Jump Server, the administrator can now RDP or SSH to workload virtual machines as specified in the JIT request.|
-
-## General guidance
-
-When implementing the components listed in this article, the following general guidance applies:
-
-* Validate the region availability of services, ensuring that all data remains within authorised locations and deploy to AU Central or AU Central 2 as the first preference for PROTECTED workloads
-
-* Refer to the *Azure - ACSC Certification Report ΓÇô Protected 2018* publication for the certification status of individual services and perform self-assessments on any relevant components not included in the report as per the *ACSC CONSUMER GUIDE ΓÇô Microsoft Azure at PROTECTED*
-
-* Ensure network connectivity and any necessary proxy configuration for access to necessary authentication components such as Azure AD, ADFS, and PTA
-
-* Use Azure Policy to monitor and enforce compliance with requirements
-
-* Ensure virtual machines, especially Active Directory Domain Controllers, are stored in encrypted storage accounts and utilise Azure Disk Encryption
-
-* Create and maintain robust identity and administrative privilege management processes and governance to underpin the technical controls listed in this article
-
-|Resource|URL|
-|||
-|Australian Regulatory and Policy Compliance Documents|[Australian Regulatory and Policy Compliance Documents](https://aka.ms/au-irap)|
-|Azure products - Australian regions and non-regional|[Azure products - Australian regions and non-regional](https://azure.microsoft.com/global-infrastructure/services/?regions=non-regional,australia-central,australia-central-2,australia-east,australia-southeast)|
-|Strategies to Mitigate Cyber Security Incidents|[Strategies to Mitigate Cyber Security Incidents](https://acsc.gov.au/infosec/mitigationstrategies.htm)|
-|ACSC Protect: Secure Administration|[ACSC Protect: Secure Administration](https://www.cyber.gov.au/acsc/view-all-content/publications//secure-administration)|
-|How To: Integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD|[Integrate RD Gateway with NPS and Azure AD](../active-directory/authentication/howto-mfa-nps-extension-rdg.md)|
-
-## Component guidance
-
-This section provides information on the purpose of each component and its role in the overall Secure Remote Administration architecture. Additional links are provided to access useful resources such as reference documentation, guides, and tutorials.
-
-## Secure devices
-
-The physical devices used by privileged users to perform administrative functions are valuable targets for malicious actors. Maintaining the security and integrity of the physical devices and ensuring that they are free from malicious software and protecting them from compromise is a key part of providing a secure remote administration capability. This involves high priority security configuration as specified in the ACSC's Essential Eight Strategies to Mitigate Cyber Security Incidents such as application filtering, patching applications, application hardening, and patching operating systems. These capabilities must be installed, configured, audited, validated, and reported on to ensure the state of a device is compliant with organisation requirements.
-
-### Privileged workstation
-
-The privileged workstation is a hardened machine that can be used to perform administrative duties and is only accessible to administrative accounts. The privileged workstation should have policies and configuration in place to limit the software that can be run, its access to network resources and the internet and credentials should be protected in the event that the device is stolen or compromised.|
-
-|Resources|Link|
-|||
-|Privileged Access Workstations Architecture Overview|[https://4sysops.com/archives/understand-the-microsoft-privileged-access-workstation-paw-security-model/](/security/compass/privileged-access-deployment)|
-|Securing Privileged Access Reference Material|[https://docs.microsoft.com/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material)|
-
-### Mobile device
-
-A mobile device is at greater risk of accidental loss or theft due to its portability and size and needs to be secured appropriately. The mobile device provides a strong additional factor for authentication given its ability to enforce authentication for device access, traceability through location services, encryption functions, and the ability to be remotely wiped. When using a mobile device as an additional authentication factor for Azure, the device should be configured to use the Microsoft Authenticator App with PIN or Biometric authentication and not through phone calls or text messages.
-
-|Resources|Link|
-|||
-|Azure AD Authentication Methods|[https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods](../active-directory/authentication/concept-authentication-methods.md)|
-|How to use the Microsoft Authenticator App|[https://support.microsoft.com/help/4026727/microsoft-account-how-to-use-the-microsoft-authenticator-app](https://support.microsoft.com/help/4026727/microsoft-account-how-to-use-the-microsoft-authenticator-app)|
-
-### Microsoft Intune
-
-Intune is the component of Enterprise Mobility + Security that manages mobile devices and apps. It integrates closely with other components like Azure Active Directory for identity and access control and Azure Information Protection for data protection. Intune provides policies for workstations and mobile devices to set compliance requirements for accessing resources and provides reporting and auditing capabilities for gaining insight into the status of administrative devices.
-
-|Resources|Link|
-|||
-|Microsoft Intune Documentation|[https://docs.microsoft.com/intune/](/intune/)|
-|Get started with Device Compliance in Intune|[https://docs.microsoft.com/intune/device-compliance-get-started](/intune/device-compliance-get-started)|
-
-### Group Policy
-
-Group Policy is used to control the configuration of operating systems and applications. Security policies control the authentication, authorisation, and auditing settings of a system. Group Policy is used to harden the privileged workstation, protect administrative credentials and restrict non-privileged accounts from accessing privileged devices.
-
-|Resources|Link|
-|||
-|Allow sign in locally Group Policy setting|[https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/allow-log-on-locally](/windows/security/threat-protection/security-policy-settings/allow-log-on-locally)|
-
-### Jump Server / Bastion Host
-
-The Jump Server / Bastion Host is a centralised point for administration. It has the tools required to perform administrative duties, but also has the network access necessary to connect to resources on administrative ports. The Jump Server is the central point for administering Virtual Machine workloads in this article, but it can also be configured as the authorised point for administering Platform as a Service (PaaS) capabilities such as SQL. Access to PaaS capabilities can be restricted on a per service basis using identity and network controls.
-
-|Resources|Link|
-|||
-|Implementing Secure Administrative Hosts|[https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-secure-administrative-hosts](/windows-server/identity/ad-ds/plan/security-best-practices/implementing-secure-administrative-hosts)|
-
-### Just in Time (JIT) access
-
-JIT is a Microsoft Defender for Cloud capability that utilises Network Security Groups (NSGs) to block access to administrative protocols such as RDP and SSH on Virtual Machines. Applications hosted on Virtual Machines continue to function as normal, but for administrative access to be obtained it must be requested can only be granted for a set period of time. All requests are logged for auditing purposes.
-
-|Resources |Link |
-|||
-|Manage Just in Time (JIT) access|[https://docs.microsoft.com/azure/security-center/security-center-just-in-time](../security-center/security-center-just-in-time.md)|
-|Automating Azure Just In Time VM Access|[https://blogs.technet.microsoft.com/motiba/2018/06/24/automating-azure-just-in-time-vm-access](/archive/blogs/motiba/automating-azure-just-in-time-vm-access)|
-
-## Secure communication
-
-Communications traffic for administration activities can contain highly sensitive information, such as administrative credentials and must be managed and protected accordingly. Providing secure communication involves reliable encryption capabilities to prevent eavesdropping and network segmentation and restrictions that limit administrative traffic to authorised end points and controls lateral movement if a system is compromised.
-
-### Azure portal
-
-Communications to the Azure portal are encrypted using Transport Layer Security (TLS) and the use of the Azure portal has been certified by the ACSC. Commonwealth entities should follow the recommendations in the *ACSC Consumer Guide* and configure their web browsers to ensure that they are using the latest version of TLS and with supported cryptographic algorithms.
-
-|Resources |Link |
-|||
-|Azure Encryption Overview ΓÇô Encryption in transit|[https://docs.microsoft.com/azure/security/security-azure-encryption-overview#encryption-of-data-in-transit](../security/fundamentals/encryption-overview.md#encryption-of-data-in-transit)|
-
-### Azure VPN Gateway
-
-The Azure VPN Gateway provides the secure encrypted connection from the privileged workstation to Azure. The Azure VPN Gateway has been certified by the ACSC for providing secure IPSec communication. Commonwealth entities should configure the Azure VPN Gateway in accordance with the ACSC Consumer Guide, ACSC Certification Report, and other specific guidance.
-
-|Resources |Link |
-|||
-|About Point-to-Site Connections|[https://docs.microsoft.com/azure/vpn-gateway/point-to-site-about](../vpn-gateway/point-to-site-about.md)|
-|Azure VPN Gateway Cryptographic Details|[https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-compliance-crypto](../vpn-gateway/vpn-gateway-about-compliance-crypto.md)|
-|Azure VPN Gateway Configuration|[Azure VPN Gateway configuration](vpn-gateway.md)|
-
-### Remote Desktop (RD) Gateway
-
-RD Gateway is a secure mechanism for controlling and authorising RDP connections to systems. It works by encapsulating RDP traffic in HyperText Transfer Protocol Secure (HTTPS) and encrypted using TLS. TLS provides an additional layer of security for administrative traffic.
-
-|Resources |Link |
-|||
-|Remote Desktop Services Architecture|[https://docs.microsoft.com/windows-server/remote/remote-desktop-services/desktop-hosting-logical-architecture](/windows-server/remote/remote-desktop-services/desktop-hosting-logical-architecture)|
-
-### Network Security Groups (NSGs)
-
-NSGs function as Access Control Lists (ACLs) for network traffic entering or leaving subnets or virtual machines. NSGs provide network segmentation and provide a mechanism for controlling and limiting the communications flows permitted between systems. NSGs are a core component of Just in Time Administration (JIT) for allowing or denying access to administrative protocols.
-
-|Resources |Link |
-|||
-|Azure Security Groups Overview|[https://docs.microsoft.com/azure/virtual-network/security-overview](../virtual-network/network-security-groups-overview.md)|
-|How to: Plan Virtual Networks|[https://docs.microsoft.com/azure/virtual-network/virtual-network-vnet-plan-design-arm](../virtual-network/virtual-network-vnet-plan-design-arm.md)|
-
-## Strong authentication
-
-Securely identifying privileged users before granting access to systems is a core component of secure administration. Mechanisms must be in place to protect the credentials associated with a privileged account and to prevent malicious actors from gaining access to systems through impersonation or credential theft.
-
-### Domain Controller (DC)
-
-At a high level, a DC hosts a copy of the Active Directory Database, which contains all the users, computers and groups within a Domain. DCs perform authentication for users and computers. The DCs in this architecture are hosted as virtual machines within Azure and provide authentication services for privileged accounts connecting to Jump Servers and workload virtual machines.
-
-|Resources |Link |
-|||
-|Active Directory Domain Services Overview|[https://docs.microsoft.com/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview)|
-
-### Azure Active Directory (Azure AD)
-
-Azure AD is the authentication service for Azure. It contains the cloud
-
-identities and provides authentication and authorisation for an Azure environment. Azure AD can be synchronised with Active Directory through Azure AD Connect and can provide federated authentication through Active Directory Federation Services (AD FS) and Azure AD Connect. Azure AD is a core component of secure administration.
-
-|Resources |Link |
-|||
-|Azure Active Directory Documentation|[https://docs.microsoft.com/azure/active-directory](../active-directory/index.yml)|
-|Hybrid Identity Documentation|[https://docs.microsoft.com/azure/active-directory/hybrid](../active-directory/hybrid/index.yml)|
-
-### Network Policy Server (NPS)
-
-An NPS is an authentication and policy server that provides advanced authentication and authorisation processes. The NPS server in this architecture is provided to integrate Azure AD MFA authentication with RD Gateway authentication requests. The NPS has a specific plug-in to support integration with Azure AD MFA in Azure AD.
-
-|Resources |Link |
-|||
-|Network Policy Server Documentation|[https://docs.microsoft.com/windows-server/networking/technologies/nps/nps-top](/windows-server/networking/technologies/nps/nps-top)|
-
-### Azure AD MFA
-
-Azure AD MFA is an authentication service provided within Azure Active Directory to enable authentication requests beyond a username and password for accessing cloud resources such as the Azure portal. Azure AD MFA supports a range of authentication methods and this architecture utilises the Microsoft Authenticator App for enhanced security and integration with the NPS.
-
-|Resources |Link |
-|||
-|How it works: Azure AD Multi-Factor Authentication|[https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks](../active-directory/authentication/concept-mfa-howitworks.md)|
-|How to: Deploy cloud-based Azure AD Multi-Factor Authentication|[https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted](../active-directory/authentication/howto-mfa-getstarted.md)|
-
-## Strong authorisation
-
-Once a privileged account has been securely identified, it can be granted access to resources. Authorisation controls and manages the privileges that are assigned to a specific account. Strong Authorisation processes align with the ACSC's Essential Eight strategy for mitigating cyber security incidents of restricting administrative privileges.
-
-### Identity and access management
-
-Access to perform privileged actions within Azure is based on roles that are assigned to that account. Azure includes an extensive and granular range of roles with specific permissions to undertaken specific tasks. These roles can be granted at multiple levels such as a subscription or resource group. Role assignment and permission management are based on accounts and groups in Azure Active Directory and is managed through Access Control (IAM) within Azure.
-
-|Resources |Link |
-|||
-|Azure role-based access control (Azure RBAC)|[https://docs.microsoft.com/azure/role-based-access-control](../role-based-access-control/index.yml)|
-|Understand Role Definitions|[https://docs.microsoft.com/azure/role-based-access-control/role-definitions](../role-based-access-control/role-definitions.md)|
-
-### Privileged Identity Management (PIM)
-
-PIM is an Azure Active Directory component that controls access to privileged roles. Privileged accounts do not require permanent or standing privileged access, but can instead be granted the ability to request privileged access for a period of time in order to complete privileged activities. PIM provides additional controls around maintaining and restricting privileged access as well as logging and auditing to track instances of privilege use.
-
-|Resources |Link |
-|||
-|Privileged Identity Management (PIM) Documentation|[https://docs.microsoft.com/azure/active-directory/privileged-identity-management](../active-directory/privileged-identity-management/index.yml)|
-|Start using PIM|[https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started](../active-directory/privileged-identity-management/pim-getting-started.md)|
-
-### Conditional access
-
-Conditional access is a component of Azure Active Directory that allows or denies access to resources based on conditions. These conditions can be network location based, device type, compliance status, group membership and more. Conditional Access is used to enforce MFA, device management, and compliance through Intune and group membership of administrative accounts.
-
-|Resources |Link |
-|||
-|Conditional Access Documentation|[https://docs.microsoft.com/azure/active-directory/conditional-access](../active-directory/conditional-access/index.yml)|
-|How to: Require Managed Devices for cloud app access with conditional access|[https://docs.microsoft.com/azure/active-directory/conditional-access/require-managed-devices](../active-directory/conditional-access/require-managed-devices.md)|
-
-## Next steps
-
-Review the article on [Gateway Ingress Traffic Management and Control](gateway-ingress-traffic.md) for details on controlling traffic flows through your Gateway components in Azure.
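Review bot: no redirect or replacement target is visible for this removed page, yet the page itself cross-links sibling articles in the same folder (the VPN table points to vpn-gateway.md and the closing Next steps points to gateway-ingress-traffic.md), so those siblings almost certainly link back here; add a redirect entry for the old path or update the inbound links in the same change so readers are not left with dead links. Worth confirming before merging that the PROTECTED-specific guidance being dropped (JIT with NSG lockdown of RDP/SSH, RD Gateway fronted by the NPS extension for Azure AD MFA, Authenticator app with PIN or biometric rather than phone call or SMS, AU Central regions as first preference) is still documented elsewhere, since the "Integrate RD Gateway with NPS and Azure AD" row in the General guidance table is the only pointer to that integration in this article.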
azure-australia Identity Federation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/identity-federation.md
- Title: Identity federation in Azure Australia
-description: Guidance on configuring identity federation within the Australian regions to meet the specific requirements of Australian Government policy, regulations, and legislation.
--- Previously updated : 07/22/2019----
-# Identity federation in Azure Australia
-
-Identity Management and Federation with Public Cloud offerings is one of the most crucial first-steps for using the cloud. Microsoft's Azure Active Directory service stores user information to enable access to cloud services and is a pre-requisite for consuming other Azure services.
-
-This article covers the key design points for implementing Azure Active Directory, synchronizing users from an Active Directory Domain Services domain, and implementing secure authentication. Specific focus is placed on the recommendations in the Australian Cyber Security Center's Information Security Manual (ISM) and Azure Certification Reports.
-
-The classification of information stored within Azure Active Directory should inform decisions about how it is designed. The following excerpt is provided from the [ACSC Certification Report ΓÇô Microsoft Azure](https://aka.ms/au-irap):
-
->**ACSC Certification Report ΓÇô Microsoft Azure**
->Azure Active Directory (Azure AD) must be configured with Active Directory Federation services when Commonwealth entities classify the use and data content of their Active Directory at PROTECTED. While Active Directory data at the UNCLASSIFIED Dissemination Limiting Markings (UDLM) classification does not require federation, Commonwealth entities can still implement federation to mitigate risks associated with the service being provided from outside of Australia.
-
-As such, what information is synchronised, and the mechanism by which users are authenticated, are the two key concerns covered here.
-
-## Key design considerations
-
-### User synchronisation
-
-When deploying Azure AD Connect, there are several decisions that must be made about the data that will be synchronised. Azure AD Connect is based upon Microsoft Identity Manager and provides a robust feature-set for [transforming](../active-directory/hybrid/how-to-connect-sync-best-practices-changing-default-configuration.md) data between directories.
-
-Microsoft Consulting Services can be engaged to do an ADRAP evaluation of your existing Windows Server Active Directory. The ADRAP assists in determining any issues that may need to be corrected before synchronising with Azure Active Directory. Microsoft Premier Support Agreements will generally include this service.
-
-The [IDFix tool](/office365/enterprise/install-and-run-idfix) scans your on-premises Active Directory domain for issues before synchronising with Azure AD. IDFix is a key first step before implementing Azure AD Connect. Although an IDFix scan can identify a large number of issues, many of these issues can either be resolved quickly with scripts, or worked-around using data transforms in Azure AD Connect.
-
-Azure AD requires that users have an externally routable top-level domain to enable authentication. If your domain has a UPN suffix that is not externally routable, the you need to set the [alternative sign in ID](../active-directory/hybrid/plan-connect-userprincipalname.md) in AD Connect to the user's mail attribute. Users then sign in to Azure services with their email address rather than their domain sign in.
-
-The UPN suffix on user accounts can also be altered using tools such as PowerShell however; it can have unforeseen consequences for other connected systems and is no longer considered best practice.
-
-In deciding which attributes to synchronise to Azure Active Directory, it's safest to assume that all attributes are required. It is rare for a directory to contain actual PROTECTED data, however conducting an audit is recommended. If PROTECTED data is found within the directory, assess the impact of omitting or transforming the attribute. As a helpful guide, there is a list of attributes which Microsoft Cloud Services [require](../active-directory/hybrid/reference-connect-sync-attributes-synchronized.md).
-
-### Authentication
-
-It's important to understand the options that are available, and how they can be used to keep end-users secure.
-Microsoft offers [three native solutions](../active-directory/hybrid/plan-connect-user-signin.md) to authenticate users against Azure Active Directory:
-
-* Password hash synchronization - The hashed passwords from Active Directory Domain Services are synchronised by Azure AD Connect into Azure Active Directory.
-* [Pass-through authentication](../active-directory/hybrid/how-to-connect-pta.md) - Passwords remain within Active Directory Domain Services. Users are authenticated against Active Directory Domain Services via an agent. No passwords are stored within Azure AD.
-* [Federated SSO](../active-directory/hybrid/how-to-connect-fed-whatis.md) - Azure Active Directory is federated with Active Directory Federation Services, during sign in, Azure directs users to Active Directory Federation Services to authenticate. No passwords are stored within Azure AD.
-
-Password hash synchronisation can be used in scenarios where OFFICIAL:Sensitive and below data is being stored within the directory. Scenarios where PROTECTED data is being stored will require one of the two remaining options.
-
-All three of these options support [Password Write-Back](../active-directory/authentication/concept-sspr-writeback.md), which the [ACSC Consumer Guide](https://aka.ms/au-irap) recommends being disabled. However; organisations should evaluate the risk of disabling Password Writeback against the productivity gains and reduced support effort of using self-service password resets.
-
-#### Pass-Through Authentication (PTA)
-
-Pass-Through Authentication was released after the IRAP assessment was completed and therefore; should be individually evaluated to determine how the solution fits your organisation's risk profile. Pass-Through Authentication is preferred over Federation by Microsoft due to the improved security posture.
-
-![Pass-Through Authentication](media/pta1.png)
-
-Pass-Through Authentication presents several design factors to be considered:
-
-* Pass-Through Authentication Agent must be able to establish outgoing connections to Microsoft Cloud Services.
-* Installing more than one agent to ensure that the service will be Highly Available. It is best practice to deploy at least three agents, and up to a maximum of 12 agents.
-* Best Practice is to avoid installing the agent directly onto an Active Directory Domain Controllers. By default when deploying Azure AD Connect with Pass-Through authentication it will install the agent on the AD Connect server.
-* Pass-Through Authentication is a lower maintenance option than Active Directory Federation Services because it does not require dedicated server infrastructure, certificate management, or inbound firewall rules.
-
-#### Active Directory Federation Services (ADFS)
-
-Active Directory Federation Services was included within the IRAP assessment and is approved for use in PROTECTED environments.
-
-![Federation](media/federated-identity.png)
-
-Active Directory Federation Services presents several design factors to be considered:
-
-* Federation Services will require network ingress for HTTPS traffic from the internet or at minimum Microsoft's service endpoints.
-* Federation Services uses PKI and certificates, which require ongoing management and renewal.
-* Federation Services should be deployed on dedicated servers, and will require the relevant network infrastructure to make it securely accessible externally.
-
-### Multi-Factor Authentication (MFA)
-
-The ISM section on multi-factor authentication recommends implementing it in the following scenarios based on your risk profile:
-
-* Authenticating Standard Users
-* Authenticating Privileged accounts
-* Authenticating Users Remote access
-* Users doing privileged actions
-
-Azure Active Directory provides Multi-Factor Authentication that can be enabled for either all, or a subset of users (for example, only Privileged Accounts). Microsoft also provides a solution called Conditional Access, which allows more granular control over how Multi-Factor Authentication is applied (for example, only when users sign in from remote IP address ranges).
-
-Azure AD Multi-Factor Authentication supports the following ISM acceptable forms of validation:
-
-* Phone call
-* SMS message
-* Microsoft Authenticator Application
-* Supported hardware tokens
-
-Privileged Identity Management, a component of Azure Active Directory, can be used to enforce the use of Multi-Factor authentication when users elevate their permissions to meet the fourth recommendation.
-
-## Next steps
-
-Review the article on [Azure role-based access control (Azure RBAC) and Privileged Identity Management](role-privileged.md).
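Review bot: the classification-to-authentication mapping being deleted here (password hash synchronisation only where OFFICIAL:Sensitive and below data is held, pass-through authentication or federation for PROTECTED, and the quoted ACSC Certification Report requirement for Active Directory Federation Services when the directory is classified PROTECTED) is a compliance statement rather than generic product documentation, so either point to where it is superseded or record the retirement reason in the commit message. The page also states that Pass-Through Authentication was released after the IRAP assessment and recommends Password Write-Back be evaluated against the ACSC Consumer Guide; if that assessment guidance is now stale, saying so in the change description would help anyone reading the history. As with the other removed azure-australia pages, the Next steps link to role-privileged.md implies a reverse link from that sibling, so add a redirect for the removed path or fix the inbound link in the same change.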
azure-australia Recovery Backup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/recovery-backup.md
- Title: Backup and disaster recovery in Azure Australia
-description: Backup and disaster recovery in Microsoft Azure for Australian Government agencies as it relates to the ASD Essential 8
--- Previously updated : 07/22/2019---
-# Backup and disaster recovery in Azure Australia
-
-Having backup and disaster recovery plans with the supporting infrastructure in place is critical for all organisations. The importance of having a backup solution is highlighted by its inclusion in the [Australian Cyber Security Center's Essential 8](https://acsc.gov.au/publications/protect/essential-eight-explained.htm).
-
-Microsoft Azure provides two services that enable resilience: Azure Backup and Azure Site Recovery. These services enable you to protect your data, both on-premises and in the cloud, for a variety of design scenarios. Azure Backup and Azure Site Recovery both use a common storage and management resource: the Azure Recovery Services Vault. This vault is used to manage, monitor, and segregate Azure Backup and Azure Site Recovery Data.
-
-This article details the key design elements for implementing Azure Backup and Azure Site Recovery in line with the [Australian Signals Directorate's (ASD) Information Security Manual (ISM) Controls](https://acsc.gov.au/infosec/ism/index.htm).
-
-## Azure Backup
-
-![Azure Backup](media/backup-overview.png)
-
-Azure Backup resembles a traditional on-premises backup solution and provides the ability to backup both on-premises and Azure hosted data. Azure Backup can be used to back up the following data types to Azure:
-
-* Files and folders
-* Supported Windows and Linux operating systems hosted on:
- * Hyper-V and VMWare Hypervisors
- * Physical hardware
-* Supported Microsoft applications
-
-### Azure Site Recovery
-
-![Azure Site Recovery](media/asr-overview.png)
-
-Azure Site Recovery replicates workloads consisting of either a single virtual machine or multi-tier applications. Replication is supported from on-premises into Azure, between Azure regions, or between on-premises locations orchestrated by Azure Site Recovery. On-premises virtual machines can be replicated to Azure or to a supported on-premises hypervisor. Once configured, Azure Site Recovery orchestrates replication, fail-over, and fail-back.
-
-## Key design considerations
-
-When implementing a backup or disaster recovery solution, the proposed solution needs to consider:
-
-* The scope and volume of data to be captured
-* How long the data will be retained
-* How this data is securely stored and managed
-* The geographical locations where the data is stored
-* Routine system testing procedures
-
-The ISM provides guidance on the security considerations that should be made when designing a solution. Microsoft Azure provides means to address these security considerations.
-
-### Data sovereignty
-
-Organisations need to ensure that data sovereignty is maintained when utilising cloud based storage locations. Azure Policy provides the means to restrict the permitted locations where an Azure resource can be created. The built-in Azure Policy "Allowed Locations" is used to ensure that any Azure resources created under the scope of an assigned Azure Policy can only be created in the nominated geographical locations.
-
-The Azure Policy items for geographic restriction for Azure resources are:
-
-* allowedLocations
-* allowedSingleLocation
-
-These policies allow Azure administrators to restrict creation to a list of nominated locations or even as single geographic location.
-
-### Redundant and geographically dispersed storage
-
-Data stored in the Azure Recovery Service Vault is always stored on redundant storage. By default the Recovery Service Vault uses Azure Geographically Redundant Storage (GRS). Data stored using GRS is replicated to other Azure data centres in the Recovery Service Vault's [secondary paired region](../availability-zones/cross-region-replication-azure.md). This replicated data is stored as read-only and is only made writeable if there is an Azure failover event. Within the Azure data centre, the data is replicated between separate fault domains and upgrade domains to minimise the chance of hardware or maintenance-based outage. GRS provides at least 99.99999999999999% availability annually.
-
-The Azure Recovery Services Vault can be configured to utilise Locally Redundant Storage (LRS). LRS is a lower-cost storage option with the trade-off of reduced availability. This redundancy model employs the same replication between separate fault domains and upgrade domains but is not replicated between geographic regions. Data located on LRS storage, while not as resilient as GRS, still provides at least 99.999999999% availability annually.
-
-Unlike traditional offsite storage technologies like tape media, the additional copies of the data are created automatically and do not require any additional administrative overhead.
-
-### Restricted access and activity monitoring
-
-Backup data must be protected from corruption, modification, and unapproved deletion. Both Azure Backup and Azure Site Recovery make use of the common Azure management fabric. This fabric provides detailed auditing, logging, and Azure role-based access control (Azure RBAC) to resources located within Azure. Access to backup data can be restricted to select administrative staff and all actions involving backup data can be logged and audited.
-
-Both Azure Backup and Azure Site Recovery have built-in logging and reporting features. Any issues that occur during backup or replication are reported to administrators using the Azure management fabric.
-
-Azure Recovery Services Vault also has the following additional data security measures in place:
-
-* Backup data is retained for 14 days after a delete operation has occurred
-* Alerts and Notifications for critical operations such as "Stop Backup with delete data"
-* Security PIN requirements for critical operations
-* Minimum retention range checks are in place
-
-These minimum retention range checks include:
-
-* For daily retention, a minimum of seven days of retention
-* For weekly retention, a minimum of four weeks of retention
-* For monthly retention, a minimum of three months of retention
-* For yearly retention, a minimum of one year of retention
-
-All backup data stored within Azure is encrypted at rest using Azure's Storage Service Encryption (SSE). This is enabled for all new and existing storage accounts by default and cannot be disabled. The encrypted data is automatically decrypted during retrieval. By default, data encrypted using SSE is encrypted using a key provided by and managed by Microsoft. Organisations can choose to provide and manage their own encryption key for use with SSE. This provides an optional additional layer of security for the encrypted data. This key can be stored by the customer on-premises or securely within the Azure Key vault.
-
-### Secure data transport
-
-Azure Backup data encrypted in transit using AES 256. This data is secured via the use of a passphrase created by administrative staff when the backup is first configured. Microsoft does not have access to this passphrase meaning the customer must ensure this passphrase is stored securely. The data transfer then takes place between the on-premises environment and the Azure Recovery Services Vault via a secure HTTPS connection. The data within the Recovery Services Vault is then encrypted at rest using Azure SSE.
-
-Azure Site Recovery data is also always encrypted in transit. All replicated data is securely transported to Azure using HTTPS and TLS. When an Azure customer connects to Azure using an ExpressRoute connection, Azure Site Recovery data is sent via this private connection. When an Azure customer is connecting to Azure using a VPN connection, the data is replicated between on-premises and the Recovery Services vault securely over the internet.
-
-This secure network data transfer removes the security risk and mitigation requirements for managing traditional offsite backup storage solutions such as tape media.
-
-### Data retention periods
-
-A minimum backup retention period of three months is recommended, however, longer retention periods are commonly required. Azure Backup can provide up to 9999 copies of a backup. If a single Azure Backup of a protected instance was taken daily, this would allow for the retention of 27 years of daily backups. Individual monthly backups of a protected instance allow for 833 years of retention. As backup data is aged out and less granular backups are retained over time, the total retention window for backup data grows. Azure doesn't limit the length of time data can remain in an Azure Recovery Services Vault, only the total number of backups per instance. There is also no performance difference between restoring from old or new backups, each restore takes the same amount of time to occur.
-
-The Azure Recovery Services Vault has a number of default backup and retention policies in place. Administrative staff can also create custom backup and retention policies.
-
-![Azure Backup Policy](media/create-policy.png)
-
-A balance between backup frequency and long-term retention requirements needs to be found when configuring Azure Backup and retention policies.
-
-### Backup and restore testing
-
-The ISM recommends testing of backup data to ensure that the protected data is valid when a restore or failover is required. Azure Backup and Azure Site Recovery also provide the capability to test protected data once it has been backed up or replicated. Data managed by Azure Backup can be restored to a nominated location and the consistency of the data can then be validated.
-
-Azure Site Recovery has inbuilt capability to perform failover testing. Workloads replicated to the Recovery Services Vault can be restored to a nominated Azure environment. The target restore environment can be fully isolated from any production environment to ensure there is no impact on production systems while performing a test. Once the test is complete, the test environment and all resources can be immediately deleted to reduce operational costs.
-
-Failover testing and validation can be automated using the Azure Automation service built into the Azure platform. This allows for failover testing to be scheduled to occur automatically to ensure that data is being successfully replicated to Azure.
-
-## Next steps
-
-Review the article on [Ensuring Security with Azure Policy](azure-policy.md).
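Review bot: the "Redundant and geographically dispersed storage" section removed here states that GRS "provides at least 99.99999999999999% availability annually" and LRS "at least 99.999999999% availability"; those sixteen- and eleven-nines figures are storage durability targets, not availability, so if any of this text is migrated rather than retired, change "availability" to "durability" in both sentences. The "Secure data transport" paragraph also drops its verb ("Azure Backup data encrypted in transit using AES 256" should read "is encrypted"). Since the whole file is going, add a redirect for the removed path; its "Next steps" link still targets azure-policy.md, which does not appear in the visible part of this changeset.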
azure-australia Reference Library https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/reference-library.md
- Title: Additional documentation and resources-
-description: Additional documentation, tutorials or references relevant to Australian Government agencies operating securely in Azure.
--- Previously updated : 07/29/2019---
-# Additional documentation and resources by focus area
-
-This resource library contains additional links and references that are relevant to the secure implementation of Australian Government workloads in Azure Australia.
-
-## General references for all security and governance in Azure Australia
-
-* [Microsoft Service Trust Portal Australia Page](https://aka.ms/au-irap)
-* [Microsoft Trust Center CCSL Page](https://www.microsoft.com/trustcenter/compliance/ccsl)
-* [Azure Security and Compliance Blueprints for PROTECTED](https://aka.ms/au-protected)
-* [Tenant Isolation in Microsoft Azure](../security/fundamentals/isolation-choices.md)
-* [Australian Information Security Manual](https://www.cyber.gov.au/ism)
-* [Australian Cyber Security Centre (ACSC) Certified Cloud List](https://www.cyber.gov.au/irap/cloud-services)
-
-## Azure Key Vault
-
-* [Azure Key Vault Overview](../key-vault/general/overview.md)
-* [About keys, secrets, and certificates](../key-vault/general/about-keys-secrets-certificates.md)
-* [Configure Azure Key Vault firewalls and virtual networks](../key-vault/general/network-security.md)
-* [Secure access to a key vault](../key-vault/general/security-features.md)
-* [Azure Data Encryption-at-Rest](../security/fundamentals/encryption-atrest.md)
-* [How to use Azure Key Vault with Azure Windows Virtual Machines in .NET](../key-vault/general/tutorial-net-virtual-machine.md)
-* [Azure Key Vault managed storage account - PowerShell](../key-vault/general/tutorial-net-virtual-machine.md)
-* [Setup key rotation and auditing](../key-vault/secrets/tutorial-rotation-dual.md)
-
-## Identity federation
-
-* [Azure AD Connect - Installation Guide](../active-directory/hybrid/how-to-connect-install-roadmap.md)
-* [Password Write-Back](../active-directory/authentication/concept-sspr-writeback.md)
-* [Install and Run the IDFix Tool](/office365/enterprise/install-and-run-idfix)
-* [Azure AD UPN Population](../active-directory/hybrid/plan-connect-userprincipalname.md)
-* [Azure AD Connect - Synchronised Attributes](../active-directory/hybrid/reference-connect-sync-attributes-synchronized.md)
-* [Azure AD Connect - Best-Practice Configuration Guide](../active-directory/hybrid/how-to-connect-sync-best-practices-changing-default-configuration.md)
-* [Azure AD Connect - User Sign-In Options](../active-directory/hybrid/plan-connect-user-signin.md)
-* [Azure AD Connect and Federation](../active-directory/hybrid/how-to-connect-fed-whatis.md)
-* [Pass-Through Authentication Documentation](../active-directory/hybrid/how-to-connect-pta.md)
-* [Deploying Azure AD Multi-Factor Authentication](../active-directory/authentication/howto-mfa-getstarted.md)
-* [Azure Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md)
-
-## Azure Backup and Azure Site Recovery
-
-* [Introduction to Azure Backup](../backup/backup-overview.md)
-* [Azure Backup Overview](../backup/backup-overview.md)
-* [Azure Site Recovery Overview](../site-recovery/site-recovery-overview.md)
-* [Azure Governance](../governance/index.yml)
-* [Azure Paired Regions](../availability-zones/cross-region-replication-azure.md)
-* [Azure Policy](../governance/policy/overview.md)
-* [Azure Storage Service Encryption](../storage/common/storage-service-encryption.md)
-* [Azure Backup Tutorials](../backup/index.yml)
-* [Azure Site Recovery Tutorials](../site-recovery/index.yml)
-
-## Azure role-based access control (Azure RBAC) and Privileged Identity Management (PIM)
-
-* [Azure RBAC Overview](../role-based-access-control/overview.md)
-* [Azure Privileged Identify Management Overview](../active-directory/privileged-identity-management/pim-configure.md)
-* [Azure Management Groups Overview](../governance/management-groups/index.yml)
-* [Azure Identity and Access Control Best Practices](../security/fundamentals/identity-management-best-practices.md)
-* [Managing Azure AD Groups](../active-directory/fundamentals/active-directory-manage-groups.md)
-* [Hybrid Identity](../active-directory/hybrid/whatis-hybrid-identity.md)
-* [Azure Custom Roles](../role-based-access-control/custom-roles.md)
-* [Azure Built-in Roles](../role-based-access-control/built-in-roles.md)
-* [Securing Privileged Access in Hybrid Cloud Environments](../active-directory/roles/security-planning.md)
-* [Azure Enterprise Scaffold](/azure/architecture/cloud-adoption/appendix/azure-scaffold)
-
-## System monitoring for security
-
-* [Azure Governance](../governance/index.yml)
-* [Azure Security Best Practices](../security/fundamentals/best-practices-and-patterns.md)
-* [Platforms and features supported by Microsoft Defender for Cloud](../security-center/security-center-os-coverage.md)
-* [Azure Activity Log](../azure-monitor/essentials/platform-logs-overview.md)
-* [Azure Diagnostic Logs](../azure-monitor/essentials/platform-logs-overview.md)
-* [Microsoft Defender for Cloud Alerts](../security-center/security-center-managing-and-responding-alerts.md)
-* [Azure Log Integration](/previous-versions/azure/security/fundamentals/azure-log-integration-overview)
-* [Analyze Log Data in Azure Monitor](../azure-monitor/logs/log-query-overview.md)
-* [Stream Azure Monitor Logs to an Event Hub](../azure-monitor/essentials/stream-monitoring-data-event-hubs.md)
-* [Event Hub Security and Authentication](../event-hubs/authenticate-shared-access-signature.md)
-
-## Azure Policy and Azure Blueprints
-
-* [Azure Policy Overview](../governance/policy/overview.md)
-* [Azure Blueprints Overview](https://azure.microsoft.com/services/blueprints/)
-* [Azure Policy Samples](../governance/policy/samples/index.md)
-* [Azure Policy Samples Repository](https://github.com/Azure/azure-policy)
-* [Azure Policy Definition Structure](../governance/policy/concepts/definition-structure.md)
-* [Azure Policy Effects](../governance/policy/concepts/effects.md)
-* [Azure Governance](../governance/index.yml)
-* [Azure Management Groups](../governance/management-groups/index.yml)
-* [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md)
-
-## Next steps
-
-Login to the [Azure portal](https://portal.azure.com) and start configuring your resources securely in Azure Australia.
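Review bot: several entries in this removed reference list duplicate a target or point at the wrong one, which matters if the list is being folded into another page instead of retired: "Azure Key Vault managed storage account - PowerShell" links to ../key-vault/general/tutorial-net-virtual-machine.md, the same target as the preceding .NET virtual machine tutorial entry; "Introduction to Azure Backup" and "Azure Backup Overview" both resolve to ../backup/backup-overview.md; "Azure Activity Log" and "Azure Diagnostic Logs" both resolve to ../azure-monitor/essentials/platform-logs-overview.md; "Azure Governance" appears three times; and "Azure Privileged Identify Management Overview" has a typo for "Identity". Deduplicate and repoint these before reusing the list, and add a redirect for the deleted path.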
azure-australia Role Privileged https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/role-privileged.md
- Title: Azure role-based access control (Azure RBAC) and Privileged Identity Management-
-description: Guidance on Implementing Azure role-based access control (Azure RBAC) and Privileged Identity Management within the Australian regions to meet the specific requirements of Australian Government policy, regulations, and legislation.
--- Previously updated : 07/22/2019----
-# Azure role-based access control (Azure RBAC) and Privileged Identity Management (PIM)
-
-Managing administrative privilege is a critical step in ensuring security within any IT environment. Restricting administrative privilege via the use of Least Privilege Security is a requirement of the [ACSC ISM](https://acsc.gov.au/infosec/ism/index.htm) and forms part of the [ACSC Essential 8](https://www.acsc.gov.au/infosec/mitigationstrategies.htm) list of security recommendations.
-
-Microsoft provides a suite of controls to implement Just-in-Time and Just-Enough-Access within Microsoft Azure. Understanding these controls is essential for an effective security posture in the Cloud. This guide will provide an overview of the controls themselves and the key design considerations when implementing them.
-
-## Azure RBAC
-
-Azure role-based access control (Azure RBAC) is central to the management of access to all resources within Microsoft Azure and the management of Azure Active Directory (Azure AD). Azure RBAC can be implemented alongside a number of complementary features available in Azure. This article focuses on implementing effective RBAC using Azure Management Groups, Azure Active Directory Groups, and Azure Privileged Identity Management (PIM).
-
-At a high level, implementing Azure RBAC requires three components:
-
-![Diagram shows the three components necessary for implementing R B A C, which are security principal, role definition, and scope, which all feed into role assigment.](media/rbac-overview.png)
-
-* **Security Principals**: A security principal can be any one of the following; a user, a group, [Service Principals](../active-directory/develop/app-objects-and-service-principals.md), or a [Managed Identity](../active-directory/managed-identities-azure-resources/overview.md). Security Principals should be assigned privileges using Azure Active Directory Groups.
-
-* **Role Definitions**: A Role Definition, also referred to as a Role, is a collection of permissions. These permissions define the operations that can be performed by the Security Principals assigned to the Role Definition. This functionality is provided by Azure Resource Roles and Azure Active Directory Administrator Roles. Azure comes with a set of built-in roles (link) which can be augmented with custom roles.
-
-* **Scope**: The scope is the set of Azure resources that a Role Definition applies to. Azure Roles can be assigned to Azure Resources using Azure Management Groups.
-
-These three components combine to grant Security Principals the access defined in the Role Definitions to all of the resources that fall under the Azure Management Groups' Scope, this is called a Role Assignment. Multiple Role Definitions can be assigned to a Security Principal, and multiple Security Principals can be assigned to a single Scope.
-
-### Azure Active Directory Groups
-
-When assigning privileges to individuals or teams, whenever possible the assignment should be linked to an Azure Active Directory Group and not assigned directly to the user in question. This is the same recommended practice inherited from on-premises Active Directory implementations. Where possible Azure Active Directory Groups should be created per team, complementary to the logical structure of the Azure Management Groups you have created.
-
-In a hybrid cloud scenario, on-premises Windows Server Active Directory Security Groups can be synchronized to your Azure Active Directory instance. If you have already implemented Azure RBAC on-premises using these Windows Server Active Directory Security Groups, these groups, once synchronized, can then be used to implement Azure RBAC for your Azure Resources. Otherwise, your cloud environment can be seen as a clean slate to design and implement a robust privilege management plan built around your Azure Active Directory implementation.
-
-### Azure resource roles versus Azure Active Directory Administrator roles
-
-Microsoft Azure offers a wide variety of built-in roles for [Azure Resources](../role-based-access-control/built-in-roles.md) and [Azure Active Directory Administration](../active-directory/roles/permissions-reference.md). Both types of Role provide specific granular access to either Azure Resources or for Azure AD administrators. It is important to note that Azure Resource roles cannot be used to provide administrative access to Azure AD and Azure AD roles do not provide specific access to Azure resources.
-
-Some examples of the types of access that can be assigned to an Azure resource using a built-in role are:
-
-* Allow one user to manage virtual machines in a subscription and another user to manage virtual networks
-* Allow a DBA group to manage SQL databases in a subscription
-* Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets
-* Allow an application to access all resources in a resource group
-
-Examples of the types of access that can be assigned for Azure AD administration are:
-
-* Allow helpdesk staff to reset user passwords
-* Allow staff to invite external users to an Azure AD instance for B2B collaboration
-* Allow administrative staff read access to sign in and audit reports
-* Allow staff to manage all users and groups, including resetting passwords.
-
-It is important to take the time to understand the full list of allowed actions a built-in role provides to ensure that undue access to isn't granted. The list of built-in roles and the access they provide is constantly evolving, the full list of the Roles and their definitions can be viewed by reviewing the documentation linked above or by using the Azure PowerShell cmdlet:
-
-```PowerShell
-Get-AzRoleDefinition
-```
-
-```output
-Name : AcrDelete
-Id : <<RoleID>>
-IsCustom : False
-Description : acr delete
-Actions : {Microsoft.ContainerRegistry/registries/artifacts/delete}
-NotActions : {}
-DataActions : {}
-NotDataActions : {}
-AssignableScopes : {/}
-...
-```
-
-or the Azure CLI command:
-
-```azurecli-interactive
-az role definition list
-```
-
-```output
-[
- {
- "assignableScopes": [
- "/"
- ],
- "description": "acr delete",
- "id": "/subscriptions/49b12d1b-4030-431c-8448-39056021c4ab/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
- "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
- "permissions": [
- {
- "actions": [
- "Microsoft.ContainerRegistry/registries/artifacts/delete"
- ],
- "dataActions": [],
- "notActions": [],
- "notDataActions": []
- }
- ],
- "roleName": "AcrDelete",
- "roleType": "BuiltInRole",
- "type": "Microsoft.Authorization/roleDefinitions"
- },
-...
-```
-
-It is also possible to create custom Azure Resource Roles as required. These custom roles can be created in the Azure portal, via PowerShell, or the Azure CLI. When creating custom Roles, it is vital to ensure the purpose of the Role is unique and that its function is not already provided by an existing Azure Resource Role. This reduces ongoing management complexity and reduces the risk of Security Principals receiving unnecessary privileges. An example would be creating a custom Azure Resource Role that sits between the built-in Azure Resource Roles, "Virtual Machine Contributor" and "Virtual Machine Administrator Login".
-
-The custom Role could be based on the existing Contributor Role, which grants the following access:
-
-| Azure Resource | Access Level |
-| | |
-| Virtual Machines | Can Manage but cannot access |
-| Virtual Network attached to VM | Cannot access |
-| Storage attached to VM | Cannot access |
-|
-
-The custom role could preserve this basic access, but allow the designated users some basic additional privileges to modify the network configuration of the virtual machines.
-
-Azure Resource Roles also have the benefit of being able to be assigned to resources via Azure Management Groups.
-
-### Azure Management Groups
-
-Azure Management Groups can be used by an organisation to manage the assignment of Roles to all of the subscriptions and their resources within an Azure Tenancy. Azure Management Groups are designed to allow you to create management hierarchies, including the ability to map your organisational structure hierarchically, within Azure. Creating organisational business units as separate logical entities allows permissions to be applied within an organisation based on each team's specific requirements. Azure Management Groups can be used to define a management hierarchy up to six levels deep.
-
-![Management Groups](media/management-groups.png)
-
-Azure Management Groups are mapped to Azure Subscriptions within an Azure Tenancy. This allows an organisation to segregate Azure Resources belonging to specific business units and provide a level of granular control over both cost management and privilege assignment.
-
-## Privileged Identity Management (PIM)
-
-Microsoft has implemented Just-In-Time (JIT) and Just-Enough-Access (JEA) through Azure Privileged Identity Management. This service enables administrative staff to control, manage, and monitor privileged access to Azure Resources. PIM allows Security Principals to be made "eligible" for a Role by administrative staff, allowing users to request the activation of the Role through the Azure portal or via PowerShell cmdlets. By default, Role assignment can be activated for a period of between 1 and 72 hours. If necessary, the user can request an extension to their Role assignment and the option to make Role assignment permanent does exist. Optionally, the requirement for Multi-factor Authentication can be enforced when users request the activation of their eligible roles. Once the allocated period of the Role activation expires, the Security Principal no longer has the privileged access granted by the Role.
-
-The use of PIM prevents the common privilege assignment issues that can occur in environments that don't use Just-In-Time access or don't conduct routine audits of privilege assignment. One common issue is the assignment of elevated privileges being forgotten and remaining in place long after the task requiring elevated privileges has been completed. Another issue is the proliferation of elevated privileges within an environment through the cloning of the access assigned to a Security Principal when configuring other similar Security Principals.
-
-## Key design considerations
-
-When designing an Azure RBAC strategy with the intention of enforcing Least Privilege Security, the following security requirements should be considered:
-
-* Requests for privileged access are validated
-* Administrative privileges are restricted to the minimum access required to perform the specific duties
-* Administrative privileges are restricted to the minimum period of time required to perform the specific duties
-* Regular reviews of granted administrative privileges are undertaken
-
-The process of designing an Azure RBAC strategy will necessitate a detailed review of business functions to understand the difference in access between distinct business roles, and the type and frequency of work that requires elevated privileges. The difference in function between a Backup Operator, a Security Administrator, and an Auditor will require different levels of access at different times with varying levels of ongoing review.
-
-## Validate requests for access
-
-Elevated privileges must be explicitly approved. To support this, an approval process must be developed and appropriate staff made responsible for validating that all requests for additional privileges are legitimate. Privileged Identity Management provides multiple options for approving Role assignment. A role activation request can be configured to allow for self-approval or be gated and require nominated approvers to manually review and approve all Role activation requests. Activation requests can also be configured to require additional supporting information is included with the activation request, such as ticket numbers.
-
-### Restrict privilege based on duties
-
-Restricting the level of privilege granted to Security Principals is critical, as the over assignment of privileges is a common IT Security attack vector. The types of resources being managed, and the teams responsible, must be assessed so the minimum level of privileges required for daily duties can be assigned. Additional privileges that go beyond those required for daily duties should only ever be granted for the period of time required to perform a specific task. An example of this would be providing "Contributor" access to a customer's administrator, but allowing them to request "Owner" permissions for an Azure Resource for a specific task requiring temporary high-level access.
-
-This ensures that each individual administrator only has elevated access for the shortest period of time. Adherence to these practices reduces the overall attack surface for any organisations IT infrastructure.
-
-### Regular evaluation of administrative privilege
-
-It is vital that Security Principals within an environment are routinely audited to ensure that the correct level of privilege is currently assigned. Microsoft Azure provides a number of means to audit and evaluate the privileges assigned to Azure Security Principals. Privileged Identity Management allows administrative staff to periodically perform "Access Reviews" of the Roles granted to Security Principals. An Access Review can be undertaken to audit both Azure Resource Role assignment and Azure Active Directory Administrative Role assignment. An Access Review can be configured with the following properties:
-
-* **Review name and review start and end dates**: Reviews should be configured to be long enough for the nominated users to complete them.
-
-* **Role to be reviewed**: Each Access Review focuses on a single Azure Role.
-
-* **Nominated reviewers**: There are three options for performing a review. You can assign the review to someone else to complete, you can do it yourself, or you can have each user review their own access.
-
-* **Require users to provide a reason for access**: Users can be required to enter a reason for maintaining their level of privilege when completing the access review.
-
-The progress of pending Access Reviews can be monitored at any time via a dashboard in the Azure portal. Access to the role being reviewed will remain unchanged until the Access Review has been completed. It is also possible to [audit](../active-directory/privileged-identity-management/pim-how-to-use-audit-log.md) all PIM user assignments and activations within a nominated time period.
-
-## Next steps
-
-Review the article on [System Monitoring in Azure Australia](system-monitor.md).
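Review bot: this deletion removes the only azure-australia page carrying the Get-AzRoleDefinition and "az role definition list" walk-through, and the content it drops has defects to clear up if it is reinstated elsewhere: "Azure comes with a set of built-in roles (link)" still has the "(link)" placeholder instead of a link to ../role-based-access-control/built-in-roles.md; the "az role definition list" sample output embeds a subscription ID (49b12d1b-4030-431c-8448-39056021c4ab) in the "id" field where the PowerShell sample above it uses the <<RoleID>> placeholder, so redact it the same way; the custom-role table is introduced as "based on the existing Contributor Role" but its rows (can manage VMs but cannot access them, no access to the attached network or storage) describe Virtual Machine Contributor, so name that role; and "ensure that undue access to isn't granted" has a stray "to". Add a redirect for the removed path; the "Next steps" link to system-monitor.md does not appear in the visible changeset.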
azure-australia Secure Your Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/secure-your-data.md
- Title: Data security in Azure Australia
-description: Configuring Azure within the Australian regions to meet the specific requirements of Australian Government policy, regulations, and legislation.
--- Previously updated : 07/22/2019---
-# Data security in Azure Australia
-
-The overarching principles for securing customer data are:
-
-* Protecting data using encryption
-* Managing secrets
-* Restricting data access
-
-## Encrypting your data
-
-The encryption of data can be applied at the disk level (at-rest), in databases (at-rest and in-transit), in applications (in-transit), and while on the network (in-transit). There are several ways of achieving encryption in Azure:
-
-|Service/Feature|Description|
-|||
-|Storage Service Encryption|Azure Storage Service Encryption is enabled at the storage account level, resulting in block blobs and page blobs being automatically encrypted when written to Azure Storage. When you read the data from Azure Storage, it will be decrypted by the storage service before being returned. Use SSE to secure your data without having to modify or add code to any applications.|
-|Azure Disk Encryption|Use Azure Disk Encryption to encrypt the OS disks and data disks used by an Azure Virtual Machine. Integration with Azure Key Vault gives you control and helps you manage disk encryption keys.|
-|Client-Side Application Level Encryption|Client-Side Encryption is built into the Java and the .NET storage client libraries, which can utilize Azure Key Vault APIs, making it straightforward to implement. Use Azure Key Vault to gain access to the secrets in Azure Key Vault for specific individuals using Azure Active Directory.|
-|Encryption in transit|The basic encryption available for connectivity to Azure Australia supports Transport Level Security (TLS) 1.2 protocol, and X.509 certificates. Federal Information Processing Standard (FIPS) 140-2 Level 1 cryptographic algorithms are also used for infrastructure network connections between Azure Australia data centers. Windows Server 2016, Windows 10, Windows Server 2012 R2, Windows 8.1, and Azure File shares can use SMB 3.0 for encryption between the VM and the file share. Use Client-Side Encryption to encrypt the data before it's transferred into storage in a client application, and to decrypt the data after it's transferred out of storage.|
-|IaaS VMs|Use Azure Disk Encryption. Turn on Storage Service Encryption to encrypt the VHD files that are used to back up those disks in Azure Storage, but this only encrypts newly written data. This means that, if you create a VM and then enable Storage Service Encryption on the storage account that holds the VHD file, only the changes will be encrypted, not the original VHD file.|
-|Client-Side Encryption|This is the most secure method for encrypting your data, because it encrypts it before transit, and encrypts the data at rest. However, it does require that you add code to your applications using storage, which you might not want to do. In those cases, you can use HTTPS for your data in transit, and Storage Service Encryption to encrypt the data at rest. Client-Side Encryption also involves more load on the clientΓÇöyou have to account for this in your scalability plans, especially if you're encrypting and transferring large amounts of data.|
-|
-
-For more information on the encryption options in Azure, see the [Storage Security Guide](../storage/blobs/security-recommendations.md).
-
-## Protecting data by managing secrets
-
-Secure key management is essential for protecting data in the cloud. Customers should strive to simplify key management and maintain control of keys used by cloud applications and services to encrypt data.
-
-### Managing secrets
-
-* Use Key Vault to minimize the risks of secrets being exposed through hard-coded configuration files, scripts, or in source code. Azure Key Vault encrypts keys (such as the encryption keys for Azure Disk Encryption) and secrets (such as passwords), by storing them in FIPS 140-2 Level 2 validated hardware security modules (HSMs). For added assurance, you can import or generate keys in these HSMs.
-* Application code and templates should only contain URI references to the secrets (which means the actual secrets are not in code, configuration, or source code repositories). This prevents key phishing attacks on internal or external repos, such as harvest-bots in GitHub.
-* Utilize strong Azure RBAC controls within Key Vault. If a trusted operator leaves the company or transfers to a new group within the company, they should be prevented from being able to access the secrets.
-
-For more information, see [Azure Key Vault](azure-key-vault.md)
-
-## Isolation to restrict data access
-
-Isolation is all about using boundaries, segmentation, and containers to limit data access to only authorized users, services, and applications. For example, the separation between tenants is an essential security mechanism for multi-tenant cloud platforms such as Microsoft Azure. Logical isolation helps prevent one tenant from interfering with the operations of any other tenant.
-
-#### Per-customer isolation
-
-Azure implements network access control and segregation through layer 2 VLAN isolation, access control lists, load balancers, and IP filters.
-
-Customers can further isolate their resources across subscriptions, resource groups, virtual networks, and subnets.
-
-For more information on isolation in Microsoft Azure, see the [Isolation in the Azure Public Cloud](../security/fundamentals/isolation-choices.md).
-
-## Next steps
-
-Review the article on [Azure VPN Gateway](vpn-gateway.md)
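Review bot: the whole tail of this article is removed, including the `## Next steps` pointer `Review the article on [Azure VPN Gateway](vpn-gateway.md)`, but nothing in the hunk says where the Key Vault and isolation guidance now lives; if the content is being consolidated rather than retired, the PR description should name the replacement article and a redirect should be added for the old URL so inbound links do not 404. Two things in the removed text should not be carried over verbatim if any of it is moved: the Client-Side Encryption row contains the mis-encoded em dash in `more load on the clientΓÇöyou have to account for this`, and the sentence `This prevents key phishing attacks on internal or external repos, such as harvest-bots in GitHub` overstates what URI-only references achieve (they keep the secret material out of the repository; they do not by themselves protect a vault from a caller that already holds a token able to read it).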
azure-australia Security Explained https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/security-explained.md
- Title: Azure Australia security explained
-description: Information most asked about the Australian regions and meeting the specific requirements of Australian Government policy, regulations, and legislation.
--- Previously updated : 07/22/2019---
-# Azure Australia security explained
-
-This article addresses some of the common questions and areas of interest for Australian Government agencies that investigate with, design for, and deploy to Microsoft Azure Australia.
-
-## IRAP and Certified Cloud Services List documents
-
-The Australian Cyber Security Centre (ACSC) provides a Letter of Certification, a Certification Report, and a Consumer Guide for the service when it's added to the Certified Cloud Services List (CCSL).
-
-Microsoft is currently listed on the CCSL for Azure, Office 365, and Dynamics 365 CRM.
-
-Microsoft makes our audit, assessment, and ACSC certification documents available to customers and partners on an Australia-specific page of the [Microsoft Service Trust Portal](https://aka.ms/au-irap).
-
-## Dissemination Limiting Markers and PROTECTED certification
-
-The process of having systems, including cloud services, approved for use by government organisations is defined in the [Information Security Manual (ISM)](https://www.cyber.gov.au/acsc/view-all-content/ism) that's produced and published by the ACSC. The ACSC is the entity within the Australian Signals Directorate (ASD) that's responsible for cyber security and cloud certification.
-
-There are two steps to the approval process:
-
-1. **Security Assessment (IRAP)**: A process in which registered professionals assess systems, services, and solutions against the technical controls in the ISM and evaluate whether the controls were implemented effectively. The assessment also identifies any specific risks for the approval authority to consider prior to issuing an Approval to Operate (ATO).
-
-1. **Approval to Operate**: The process in which a senior officer of a government agency formally recognises and accepts the residual risk of a system to the information it processes, stores, and communicates. An input to this process is the Security Assessment.
-
-The assessment of Azure services at the PROTECTED level identifies that the implementation of the security controls required for the storage and processing of PROTECTED and below data were confirmed to be in place and are operating effectively.
-
-## Australian data classification changes
-
-On October 1, 2018, the Attorney General's Department publicly announced changes to the Protective Security Policy Framework (PSPF), specifically a new [sensitive and classified information system](https://www.protectivesecurity.gov.au/information/sensitive-classified-information/Pages/default.aspx).
-
-![Revised PSPF classifications](media/pspf-classifications.png)
-
-All Australian agencies and organisations that operate under the PSPF are affected by these changes. The primary change that affects our current IRAP/CCSL certifications is that the current Dissemination Limiting Markings (DLMs) were retired. The OFFICIAL: Sensitive marking replaces the various DLMs used for the protection of sensitive information. The change also introduced three information management markers that can be applied to all official information at all levels of sensitivity and classification. The PROTECTED classification remains unchanged.
-
-The term "Unclassified" is removed from the new system and the term "Unofficial" is applied to non-Government information, although it doesn't require a formal marking.
-
-## Choose an Azure region for OFFICIAL: Sensitive and PROTECTED workloads
-
-The Azure OFFICIAL: Sensitive and PROTECTED certified services are deployed to all four Australian Data Centre regions: Australia East, Australia South East, Australia Central, and Australia Central 2. The certification report issued by the ACSC recommends that PROTECTED data be deployed to the Azure Government regions in Canberra if a service is available there. For more information about the PROTECTED certified Azure services, see the [Australia page on the Service Trust Portal](https://aka.ms/au-irap).
-
->[!NOTE]
->Microsoft recommends that government data of all sensitivities and classifications should be deployed to the Australia Central and Australia Central 2 regions because they're designed and operated specifically for the needs of government.
-
-For more information on the special nature of the Azure Australian regions, see [Azure Australia Central regions](https://azure.microsoft.com/global-infrastructure/australia/).
-
-## How Microsoft separates classified and official data
-
-Microsoft operates Azure and Office 365 in Australia as if all data is sensitive or classified, which raises our security controls to that high bar.
-
-The infrastructure that supports Azure potentially serves data of multiple classifications. Because we assume that the customer data is classified, the appropriate controls are in place. Microsoft has adopted a baseline security posture for our services that complies with the PSPF requirements to store and process PROTECTED classified information.
-
-To assure our customers that one tenant in Azure isn't at risk from other tenants, Microsoft implements comprehensive defence-in-depth controls.
-
-Beyond the capabilities implemented within the Microsoft Azure platform, additional customer configurable controls, such as encryption with customer-managed keys, nested virtualisation, and just-in-time administrative access, can further reduce the risk. Within the Azure Government Australia regions in Canberra, a process for formal approving only Australian and New Zealand government and national critical infrastructure organisations is in place. This community cloud provides additional assurance to organisations that are sensitive to cotenant risks.
-
-The Microsoft Azure PROTECTED Certification Report confirms that these controls are effective for the storage and processing of PROTECTED classified data and their isolation.
-
-## Relevance of IRAP/CCSL to state government and critical infrastructure providers
-
-Many state government and critical infrastructure providers incorporate federal government requirements into their security policy and assurance framework. These organisations also handle OFFICIAL, OFFICIAL: Sensitive, and some amount of PROTECTED classified data, either from their interaction with the federal government or in their own right.
-
-The Australian Government is increasingly focusing policy and legislation on the protection of non-Government data that fundamentally affect the security and economic prosperity of Australia. As such, the Azure Australia regions and the CCSL certification are relevant to all of those industries.
-
-![Critical infrastructure sectors](media/nci-sectors.png)
-
-The Microsoft certifications demonstrate that Azure services were subjected to a thorough, rigorous, and formal assessment of the security protections in place and they were approved for handling such highly sensitive data.
-
-## Location and control of Microsoft data centres
-
-It's a mandatory requirement of government and critical infrastructure to explicitly know the data centre location and ownership for cloud services processing their data. Microsoft is unique as a hyperscale cloud provider in providing extensive information about these locations and ownership.
-
-Microsoft's Azure Australia regions (Australia Central and Australia Central 2) operate within the facilities of CDC Datacentres. The ownership of CDC Datacentres is Australian controlled with 48% ownership from the Commonwealth Superannuation Corporation, 48% ownership from Infratil (a New Zealand-based, dual Australian and New Zealand Stock Exchange listed long-term infrastructure asset fund), and 4% Australian management.
-
-The management of CDC Datacentres has contractual assurances in place with the Australian Government that restrict future transfer of ownership and control. This transparency of supply chain and ownership via Microsoft's partnership with CDC Datacentres is in line with the principles of the [Whole-of-Government Hosting Strategy](https://www.dta.gov.au/our-projects/whole-government-hosting-strategy) and the definition of a Certified Sovereign Datacentre.
-
-## Azure services that are included in the current CCSL certification
-
-In June 2017, the ACSC certified 41 Azure services for the storage and processing of data at the Unclassified: DLM level. In April 2018, 24 of those services were certified for PROTECTED classified data.
-
-The availability of ACSC-certified Azure services across our Azure regions in Australia are as follows (services shown in bold are certified at the PROTECTED level).
-
-|Azure Australia Central regions|Non-regional services and other regions|
-|||
-|API Management, App Gateway, Application Services, **Automation**, **Azure portal**, **Backup**, **Batch**, **Cloud Services**, Cosmos DB, Event Hubs, **ExpressRoute**, HDInsight, **Key Vault**, Load Balancer, Log Analytics, **Multi-factor Authentication**, Redis Cache, **Resource Manager**, **Service Bus**, **Service Fabric**, **Site Recovery**, **SQL Database**, **Storage**, Traffic Manager, **Virtual Machines**, **Virtual Network**, **VPN Gateway**|**Azure Active Directory**, CDN, Data Catalog, **Import Export**, **Information Protection**, **IOT Hub**, Machine Learning, Media Services, **Notification Hubs**, Power BI, **Scheduler**, **Security Centre**, Search, Stream Analytics|
-|
-
-Microsoft publishes the [Overview of Microsoft Azure Compliance](https://gallery.technet.microsoft.com/Overview-of-Azure-c1be3942/file/178110/44/Microsoft%20Azure%20Compliance%20Offerings.pdf) that lists all in-scope services for all of the Global, Government, Industry, and Regional compliance and assessment processes that Azure goes through, which includes IRAP/CCSL.
-
-## Azure service not listed or assessed at a lower level than needed
-
-Services that aren't certified, or that have been certified at the OFFICIAL: Sensitive but not the PROTECTED level, can be used alongside or as part of a solution hosting PROTECTED data provided the services are either:
--- Not storing or processing PROTECTED data unencrypted, or-- You've completed a risk assessment and approved the service to store PROTECTED data yourself.-
-You can use a service that isn't included on the CCSL to store and process OFFICIAL data, but the ISM requires you to notify the ACSC in writing that you're doing so before you enter into or renew a contract with a cloud service provider.
-
-Any service that's used by an agency for PROTECTED workloads must be security assessed and approved in line with the processes outlined in the ISM and the Agency-managed IRAP Assessments process in the [DTA Secure Cloud Strategy](https://www.dta.gov.au/files/cloud-strategy/secure-cloud-strategy.pdf).
-
-![DTA Secure Cloud Strategy Certification Process](media/certification.png)
-
-Microsoft continually assesses our services to ensure the platform is secure and fit-for-purpose for Australian Government use. Contact Microsoft if you require assistance with a service that isn't currently on the CCSL at the PROTECTED level.
-
-Because Microsoft has a range of services certified on the CCSL at both the Unclassified DLM and PROTECTED classifications, the ISM requires that we undertake an IRAP assessment of our services at least every two years. Microsoft undertakes an annual assessment, which is also an opportunity to include additional services for consideration.
-
-## Certified PROTECTED gateway in Azure
-
-Microsoft doesn't operate a government-certified Secure Internet Gateway (SIG) because of restrictions on the number of SIGs permissible under the Gateway Consolidation Program. But the expected and necessary capabilities of a SIG can be configured within Microsoft Azure.
-
-Through the PROTECTED certification of Azure services, the ACSC has specific recommendations to agencies for connecting to Azure and when implementing network segmentation between security domains, for example, between PROTECTED and the Internet. These recommendations include the use of network security groups, firewalls, and virtual private networks. The ACSC recommends the use of a virtual gateway appliance. There are several virtual appliances available in Azure that have a physical equivalent on the ASD Evaluated Products List or have been evaluated against the Common Criteria Protection Profiles and are listed on the Common Criteria portal. These products are mutually recognised by ASD as a signatory to the Common Criteria Recognition Arrangement.
-
-Microsoft has produced guidance on implementing Azure-based capabilities that provide the security functions required to protect the boundary between different security domains, which, when combined, form the equivalent to a certified SIG. A number of partners can assist with design and implementation of these capabilities, and a number of partner solutions are available that do the same.
-
-## Security clearances and citizenship of Microsoft support personnel
-
-Microsoft operates our services globally with screened and trained security personnel. Personnel that have unescorted physical access to facilities in Sydney and Melbourne have Australian Government Baseline security clearances. Personnel within the Australia Central and Australia Central 2 regions have minimum Negative Vetting 1 (NV1) clearances (as appropriate for SECRET data). These clearance requirements provide additional assurance to customers that personnel within data centres operating Azure are highly trustworthy.
-
-Microsoft has a zero standing access policy with access granted through a system of just in time and just enough administration based on Azure role-based access control (Azure RBAC). In the vast majority of cases, our administrators don't require access or privileges to customer data in order to troubleshoot and maintain the service. High degrees of automation and scripting of tasks for remote execution negate the need for direct access to customer data.
-
-The Attorney General's Department has confirmed that Microsoft's personnel security policies and procedures within Azure are consistent with the intent of the PSPF Access to Information provisions in INFOSEC-9.
-
-## Store International Traffic of Arms Regulations (ITAR) or Export Administration Regulations (EAR) data
-
-The Azure technical controls that assist customers with meeting their obligations for export-controlled data are the same globally in Azure. Importantly, there's no formal assessment and certification framework for export-controlled data.
-
-For Azure Government and Office 365 US Government for Defense, we've put additional contractual and process measures in place to support customers subject to export controls. Those additional contractual clauses and the guaranteed U.S. national support and administration of the Azure regions isn't in place for Australia.
-
-That doesn't mean that Azure in Australia can't be used for ITAR/EAR, but you need to clearly understand the restrictions imposed on you through your export license. You also must implement additional protections to meet those obligations before you use Azure to store that data. For example, you might need to:
--- Build nationality as an attribute into Azure Active Directory.-- Use Azure Information Protection to enforce encryption rules over the data and limit it to only U.S. and whatever other nationalities are included on the export license.-- Encrypt all data on-premises before you store it in Azure by using a customer key or Hold Your Own Key for ITAR data.-
-Because ITAR isn't a formal certification, you need to understand what the restrictions and limitations associated with the export license are. Then you can work through whether there are sufficient controls in Azure to meet those requirements. In this case, one of the issues to closely consider is the access by our engineers who might not be a nationality approved on the export license.
-
-## Next steps
-
- For ISM-compliant configuration and implementation of VPN connectivity to Azure Australia, see [Azure VPN Gateway](vpn-gateway.md).
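Review bot: this removes the entire `Azure Australia security explained` article (title through `## Next steps`) with no replacement named in the hunk, and it drops the only statements in this change about personnel clearances (`minimum Negative Vetting 1 (NV1) clearances`) and the ACSC recommendation to place PROTECTED data in the Canberra regions, so a redirect to wherever that guidance now lives should accompany the deletion. The header shows `Previously updated : 07/22/2019` and the body is built around the Certified Cloud Services List and DLM-era terminology (`Unclassified: DLM`), which is consistent with retiring the page as stale rather than moving it; if any section is retained elsewhere, the two bullet lists that were flattened onto single lines (`-- Not storing or processing PROTECTED data unencrypted, or-- You've completed a risk assessment ...` and the ITAR list beginning `-- Build nationality as an attribute into Azure Active Directory.`) need restoring as proper list items, and note that the Next steps link to `vpn-gateway.md` targets an article deleted later in this same change.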
azure-australia System Monitor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/system-monitor.md
- Title: System monitoring for security in Azure Australia
-description: Guidance on configuring System Monitoring within the Australian regions to meet the specific requirements of Australian Government policy, regulations, and legislation.
--- Previously updated : 07/22/2019---
-# System monitoring for security in Azure Australia
-
-Having robust security strategies that include real-time monitoring and routine security assessments are critical for you to enhance the day to day operational security of your IT environments, including cloud.
-
-Cloud security is a joint effort between the customer and the cloud provider. There are four services which Microsoft Azure provides to facilitate these requirements with consideration to the recommendations contained within the [Australian Cyber Security Centre's (ACSC) Information Security Manual Controls](https://acsc.gov.au/infosec/ism/index.htm) (ISM), specifically, the implementation of centralised event logging, event log auditing, and security vulnerability assessment and management. The Microsoft Azure services are:
-
-* Microsoft Defender for Cloud
-* Azure Monitor
-* Azure Advisor
-* Azure Policy
-
-The ACSC recommends that you use these services for **PROTECTED** data. By using these services, you can proactively monitor and analyse your IT environments, and make informed decisions on where to best allocate resources to enhance your security. Each of these services is part of a combined solution to provide you with the best insight, recommendations, and protection possible.
-
-## Microsoft Defender for Cloud
-
-[Microsoft Defender for Cloud](../security-center/security-center-introduction.md) provides a unified security management console that you use to monitor and enhance the security of Azure resources and your hosted data. Microsoft Defender for Cloud includes Secure Score, a score based on an analysis of the state of best practice configuration from Azure Advisor and the overall compliance of Azure Policy.
-
-Microsoft Defender for Cloud provides Azure customers with the following features:
-
-* Security policy, assessment, and recommendations
-* Security event collection and search
-* Access and application controls
-* Advanced Threat Detection
-* Just-in-time Virtual Machines access control
-* Hybrid Security
-
-The scope of resources monitored by Microsoft Defender for Cloud can be expanded to include supported on-premises resources in a hybrid-cloud environment. This includes on-premises resources currently being monitored by a supported version of System Center Operations Manager.
-
-Defender for Cloud's enhanced security features provide cloud-based security controls required by the [ASD Essential 8](https://acsc.gov.au/publications/protect/essential-eight-explained.htm). These include application filtering and restriction of administrative privilege via just-in-time access.
-
-### Azure Monitor
-
-[Azure Monitor](../azure-monitor/overview.md) is the centralized logging solution for all Azure Resources, and includes Log Analytics and Application Insights. Two key data types are collected from Azure resources: logs and metrics. Once collected in Azure Monitor, logging information can be used by a wide range of tools and for a variety of purposes.
-
-![Azure Monitor Overview](media/overview.png)
-
-Azure Monitor also includes the "Azure Activity Log". The SActivity Log stores all subscription level events that have occurred within Azure. It allows Azure customers to see the "who, what and when" behind operations undertaken on their Azure resources. Both resource based logging sent to Azure Monitor and Azure Activity Log events can be analysed using the in-built Kusto query language. These logs can then be exported, used to create custom dashboards and views, and configured to trigger alerts and notifications.
-
-### Azure Advisor
-
-[Azure Advisor](../advisor/advisor-overview.md) analyses supported Azure resources, system-generated log files, and current resource configurations within your Azure subscription. The analysis provided in Azure Advisor is generated in real time and based upon Microsoft's recommended best practices. Any supported Azure resources added to your environment will be analysed and appropriate recommendations will be provided. Azure Advisor recommendations are categorised into four best practice categories:
-
-* Security
-* High Availability
-* Performance
-* Cost
-
-Security recommendations generated by Azure Advisor form part of the overall security analysis provided by Microsoft Defender for Cloud.
-
-The information gathered by Azure Advisor provides administrators with:
-
-* Insight into resource configuration that does not meet recommended best practice
-* Guidance on specific remediation actions to undertake
-* Rankings indicating which remediation actions should be undertaken as a high priority
-
-### Azure Policy
-
-[Azure Policy](../governance/policy/overview.md) provides the ability to apply rules that govern the types of Azure resources and their allowed configuration. Policy can be used to control resource creation and configuration, or it can be used to audit configuration settings across an environment. These audit results can be used to form the basis of remediation activities. Azure Policy differs from Azure role-based access control (Azure RBAC); Azure Policy is used to restrict resources and their configuration, Azure RBAC is used to restrict privileged access to Azure users.
-
-Whether the specific policy is being enforced or the effect of the policy is being audited, policy compliance is continually monitored, and overall and resource-specific compliance information is provided to administrators. Azure Policy compliance data is provided to Microsoft Defender for Cloud and forms part of the Secure Score.
-
-## Key design considerations
-
-When implementing an event log strategy, the ACSC ISM highlights the following considerations:
-
-* Centralised logging facilities
-* Specific events to be logged
-* Event log protection
-* Event log retention
-* Event log auditing
-
-In additional to collecting and managing logs, the ISM also recommends routine vulnerability assessment of an organisation's IT environment.
-
-### Centralised logging
-
-Any logging solution should, wherever possible, consolidate captured logs into a single data repository. This not only reduces operational complexity and prevents the creation of multiple data silos, it enables data collected from multiple sources to be analysed together allowing any correlating events to be identified. This is critical for detecting and managing the scope of any cyber security incidents.
-
-This requirement is met for all Azure customers with Azure Monitor. This offering not only provides a centralised logging repository in Azure for all Azure resources, it also enables you to stream your data to an Azure Event Hub. Azure Event Hubs provides a fully managed, real-time data ingestion service. Once Azure Monitor data is streamed to an Azure Event Hub, the data can also be easily connected to existing supported Security information and event management (SIEM) repositories and additional third party monitoring tools.
-
-Microsoft also offers its own Azure native SIEM solution, Microsoft Sentinel. Microsoft Sentinel supports a wide variety of data connectors and can be used to monitor security events across an entire enterprise. By combining the data from supported [data connectors](../sentinel/connect-data-sources.md), Microsoft Sentinel's built-in machine learning, and the Kusto query language, security administrators are provided with a single solution for alert detection, threat visibility, proactive hunting, and threat response. Microsoft Sentinel also provides a hunting and notebook feature that allows security administrators to record all the steps undertaken as part of a security investigation in a reuseable playbook that can be shared within an organisation. Security Administrators can even use the built-in [User Analytics](../sentinel/overview.md) to investigate the actions of a single nominated user.
-
-### Logged events and log detail
-
-The ISM provides a detailed list of event log types that should be included in any logging strategy. Any captured logs must contain sufficient detail to be of any practical use in conducting analysis and investigations.
-
-The logs collected in Azure fall under one of following three categories:
-
-* **Control and Management Logs**: These logs provide information about Azure Resource Manager CREATE, UPDATE, and DELETE operations.
-
-* **Data Plane Logs**: These contain events raised as part of Azure resource usage. Includes sources such as Windows event logs including System, Security, and Application logs.
-
-* **Processed Events**: These events contain information about events and alerts that have been automatically processed on the customer's behalf by Azure. An example of a Processed Event is a Microsoft Defender for Cloud Alert.
-
-Azure virtual machine monitoring is enhanced by the deployment of the virtual machine agent for both Windows and Linux. This markedly increases the breadth of logging information gathered. Deployment of this agent can be configured to occur automatically via the Microsoft Defender for Cloud.
-
-Microsoft provides detailed information about Azure resource-specific logs and their [schemas](../security/fundamentals/log-audit.md).
-
-### Log retention and protection
-
- Event logs must be stored securely for the required retention period. The ISM advises that logs are retained for a minimum of seven years. Azure provides a number of means to ensure the long life of your collected logs. By default, the Azure Log events are stored for 90 days. Log data captured by Azure Monitor can be moved and stored on an Azure Storage account as required for long-term retention. Activity logs stored on an Azure Storage Account can be retained for a set number of days, or indefinitely if necessary.
-
-Azure Storage Accounts used to store Azure Log events can be made geo-redundant and can be backed up using Azure Backup. Once captured by Azure Backup, any deletion of backups containing logs requires administrative approval and backups marked for deletion are still held for 14 days allowing for recovery. Azure Backup allows for 9999 copies of a protected instance, providing over 27 years of daily backups.
-
-Azure role-based access control (Azure RBAC) should be used to control access to resources used for Azure logging. Azure Monitor, Azure Storage accounts, and Azure Backups should be configured with Azure RBAC to ensure the security of the data contained within the logs.
-
-### Log auditing
-
-The true value of logs is realised once they are analysed. Using both automated and manual analysis, and being familiar with the available tools, will assist you to detect and manage breaches of organisational security policy, and cyber security incidents. Azure Monitor provides a rich set of tools to analyse collected logs. The result of this analysis can then be shared between systems, visualised, or disseminated in multiple formats.
-
-Log data stored in Azure Monitor is kept in a Log Analytics Workspace. All analysis begins with a query. Azure Monitor queries are written in the Kusto query language. Queries form the basis of all outputs from Azure Monitor, from Azure Dashboards to Alert Rules.
-
-![Azure Log Queries Overview](media/queries-overview.png)
-
-Auditing of logs can be enhanced through the use of Monitoring Solutions. These are pre-packaged solutions that contain collection logic, queries, and data visualisation views. Microsoft [provide](../azure-monitor/monitor-reference.md) a number of Monitoring Solutions and additional solutions from product vendors can be found in the Azure Marketplace.
-
-### Vulnerability assessment and management
-
-The ISM notes that routine vulnerability assessment and management are essential. Your IT environment is constantly evolving, and the external security threat is endlessly changing. With Microsoft Defender for Cloud you can do automated vulnerability assessments and get guidance on how to plan and perform remediation activities.
-
-Secure Score in Microsoft Defender for Cloud gives you a list of recommendations that, when applied, will improve the security of your environment. The list is sorted by the impact on the overall Secure Score from highest to lowest. Ordering the list by impact allows you to focus on the highest priority recommendations that present the most value in enhancing your security.
-
-Azure Policy also plays a key part in the ongoing vulnerability assessment. The types of policy available in Azure Policy range from enforcing resource tags and values, to restricting the Azure regions in which resources can be created, to blocking the creation of particular resource types altogether. A set of Azure policies can be grouped into Initiatives. Initiatives are used to apply related Azure policies that, when applied together as a group, form the basis of a specific security or compliance objective.
-
-Azure Policy has a library of built-in policy definitions which is constantly growing. Azure portal also gives you the option to author your own custom Azure Policy definitions. Once you find a policy in the existing library or create a new one, you can then assign the policy to Azure resources. These assignments can be [scoped](../governance/policy/tutorials/create-and-manage.md) at various levels in the resource management hierarchy. Policy assignment is inherited, meaning all child resources within a scope receive the same policy assignment. Resources can also be excluded from scoped policy assignment as required.
-
-All deployed Azure policies contribute to an organisation's Secure Score. In a highly bespoke environment, custom Azure Policy definitions can be created and deployed to provide audit information tailored to specific workloads.
-
-## Getting started
-
-To start with Microsoft Defender for Cloud and make full use of Azure Monitor, Advisor and Policy, Microsoft recommends the following initial steps:
-
-* Enable Microsoft Defender for Cloud
-* Enable Microsoft Defender for Cloud's enhanced security features
-* Enable automatic provisioning of the Log Analytics agent to supported machines
-* Review, prioritize, and mitigate the security recommendations and alerts shown on the Defender for Cloud dashboards
-
-## Next steps
-
-Read [Azure Policy and Azure Blueprints](azure-policy.md) for details on implementing governance and control over your Azure Australia resources to ensure policy and regulatory compliance.
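Review bot: the `System monitoring for security in Azure Australia` article is removed in full, and its Next steps still points at `azure-policy.md`, so check whether that article is also being removed or whether it links back here, since a dangling backlink is the usual leftover of a one-sided deletion. Several statements in the removed text were already inaccurate or loosely worded and should not be resurrected verbatim if the content is moved: `The SActivity Log stores all subscription level events` (typo), `The ISM advises that logs are retained for a minimum of seven years` is given without a control reference, and `Azure Backup allows for 9999 copies of a protected instance, providing over 27 years of daily backups` describes a product limit rather than an ISM requirement. The ISM link here (`https://acsc.gov.au/infosec/ism/index.htm`) also differs from the `cyber.gov.au` link used by the sibling article removed in this change; whichever article survives should use one current URL.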
azure-australia Vpn Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-australia/vpn-gateway.md
- Title: Azure VPN Gateway in Azure Australia
-description: Implementing VPN Gateway in Azure Australia to be compliant with the ISM and effectively protect Australian Government agencies
--- Previously updated : 07/22/2019----
-# Azure VPN Gateway in Azure Australia
-
-A critical service with any public cloud is the secure connection of cloud resources and services to existing on-premises systems. The service that provides this capability in Azure is Azure VPN Gateway. This article outlines the key points to consider when you configure a VPN gateway to comply with the Australian Signals Directorate's (ASD) [Information Security Manual (ISM) controls](https://acsc.gov.au/infosec/ism/).
-
-A VPN gateway is used to send encrypted traffic between a virtual network in Azure and another network. Three scenarios are addressed by VPN gateways:
--- Site-to-site (S2S)-- Point-to-site (P2S)-- Network-to-network-
-This article focuses on S2S VPN gateways. Diagram 1 shows an example S2S VPN gateway configuration.
-
-![VPN gateway with multi-site connections](media/vpngateway-multisite-connection-diagram.png)
-
-*Diagram 1 ΓÇô Azure S2S VPN Gateway*
-
-## Key design considerations
-
-There are three networking options to connect Azure to Australian Government customers:
--- ICON-- Azure ExpressRoute-- Public internet-
-The Australian Cyber Security Centre's [Consumer Guide for Azure](https://servicetrust.microsoft.com/viewpage/Australia) recommends that VPN Gateway (or an equivalent PROTECTED certified third-party service) is used in conjunction with the three networking options. This recommendation is to ensure that the connections comply with the ISM controls for encryption and integrity.
-
-### Encryption and integrity
-
-By default, the VPN negotiates the encryption and integrity algorithms and parameters during the connection establishment as part of the IKE handshakes. During the IKE handshake, the configuration and order of preference depends on whether the VPN gateway is the initiator or the responder. This designation is controlled via the VPN device. The final configuration of the connection is controlled by the configuration of the VPN device. For more information on validated VPN devices and their configuration, see [About VPN services](../vpn-gateway/vpn-gateway-about-vpn-devices.md).
-
-VPN gateways can control encryption and integrity by configuring a custom IPsec/IKE policy on the connection.
-
-### Resource operations
-
-VPN gateways create a connection between Azure and non-Azure environments over the public internet. The ISM has controls that relate to the explicit authorization of connections. By default, it's possible to use VPN gateways to create unauthorized tunnels into secure environments. It's critical that organizations use Azure role-based access control (Azure RBAC) to control who can create and modify VPN gateways and their connections. Azure has no built-in role to manage VPN gateways, so a custom role is required.
-
-Access to Owner, Contributor, and Network Contributor roles is tightly controlled. We also recommend that you use Azure Active Directory Privileged Identity Management for more granular access control.
-
-### High availability
-
-Azure VPN gateways can have multiple connections and support multiple on-premises VPN devices to the same on-premises environment. See Diagram 1.
-
-Virtual networks in Azure can have multiple VPN gateways that can be deployed in independent, active-passive, or active-active configurations.
-
-We recommend that you deploy all VPN gateways in a [highly available configuration](../vpn-gateway/vpn-gateway-highlyavailable.md). An example is two on-premises VPN devices connected to two VPN gateways in either active-passive or active-active mode. See Diagram 2.
-
-![VPN gateway redundant connections](media/dual-redundancy.png)
-
-*Diagram 2 ΓÇô Active-active VPN gateways and two VPN devices*
-
-### Forced tunneling
-
-Forced tunneling redirects, or forces, all Internet-bound traffic back to the on-premises environment via the VPN gateway for inspection and auditing. Without forced tunneling, Internet-bound traffic from VMs in Azure traverses the Azure network infrastructure directly out to the public internet, without the option to inspect or audit the traffic. Forced tunneling is critical when an organization is required to use a Secure Internet Gateway (SIG) for an environment.
-
-## Detailed configuration
-
-### Service attributes
-
-VPN gateways for S2S connections configured for the Australian Government must have the following attributes:
-
-|Attribute | Must|
-| | |
-|gatewayType | "VPN"|
-|
-
-Attribute settings required to comply with the ISM controls for PROTECTED are:
-
-|Attribute | Must|
-| ||
-|vpnType |"RouteBased"|
-|vpnClientConfiguration/vpnClientProtocols | "IkeV2"|
-|
-
-Azure VPN gateways support a range of cryptographic algorithms from the IPsec and IKE protocol standards. The default policy sets maximum interoperability with a wide range of third-party VPN devices. As a result, it's possible that during the IKE handshake a noncompliant configuration might be negotiated. We highly recommend that you apply [custom IPsec/IKE policy](../vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell.md) parameters to vpnClientConfiguration in VPN gateways to ensure the connections meet the ISM controls for on-premises environment connections to Azure. The key attributes are shown in the following table.
-
-|Attribute|Should|Must|
-||||
-|saLifeTimeSeconds|<14,400 secs|>300 secs|
-|saDataSizeKilobytes| |>1,024 KB|
-|ipsecEncryption| |AES256-GCMAES256|
-|ipsecIntegrity| |SHA256-GCMAES256|
-|ikeEncryption| |AES256-GCMAES256|
-|ikeIntegrity| |SHA256-GCMAES256|
-|dhGroup|DHGroup14, DHGroup24, ECP256, ECP384|DHGroup2|
-|pfsGroup|PFS2048, PFS24, ECP256, ECP384||
-|
-
-For dhGroup and pfsGroup in the previous table, ECP256 and ECP384 are preferred even though other settings can be used.
-
-### Related services
-
-When you design and configure an Azure VPN gateway, a number of related services must also exist and be configured.
-
-|Service | Action required|
-| | |
-|Virtual network | VPN gateways are attached to a virtual network. Create a virtual network before you create a new VPN gateway.|
-|Public IP address | S2S VPN gateways need a public IP address to establish connectivity between the on-premises VPN device and the VPN gateway. Create a public IP address before you create a S2S VPN gateway.|
-|Subnet | Create a subnet of the virtual network for the VPN gateway.|
-|
-
-## Implementation steps using PowerShell
-
-### Azure role-based access control
-
-1. Create a custom role. An example is virtualNetworkGateway Contributor. Create a role to be assigned to users who will be allowed to create and modify VPN gateways. The custom role should allow the following operations:
-
- Microsoft.Network/virtualNetworkGateways/*
- Microsoft.Network/connections/*
- Microsoft.Network/localnetworkgateways/*
- Microsoft.Network/virtualNetworks/subnets/*
- Microsoft.Network/publicIPAddresses/*
- Microsoft.Network/publicIPPrefixes/*
- Microsoft.Network/routeTables/*
-
-2. Add the custom role to users who are allowed to create and manage VPN gateways and connections to on-premises environments.
-
-### Create a VPN gateway
-
-These steps assume that you already created a virtual network.
-
-1. Create a new public IP address.
-2. Create a VPN gateway subnet.
-3. Create a VPN gateway IP config file.
-4. Create a VPN gateway.
-5. Create a local network gateway for the on-premises VPN device.
-6. Create an IPsec policy. This step assumes that you're using custom IPsec/IKE policies.
-7. Create a connection between the VPN gateway and a local network gateway by using the IPsec policy.
-
-### Enforce tunneling
-
-If forced tunneling is required, before you create the VPN gateway:
-
-1. Create a route table and route rules.
-2. Associate a route table with the appropriate subnets.
-
-After you create the VPN gateway:
--- Set GatewayDefaultSite to the on-premises environment on the VPN gateway.-
-### Example PowerShell script
-
-An example of PowerShell script used to create a custom IPsec/IKE policy complies with ISM controls for Australian PROTECTED security classification.
-
-It assumes that the virtual network, VPN gateway, and local gateways exist.
-
-#### Create an IPsec/IKE policy
-
-The following sample script creates an IPsec/IKE policy with the following algorithms and parameters:
--- IKEv2: AES256, SHA256, DHGroup ECP256-- IPsec: AES256, SHA256, PFS ECP256, SA Lifetime 14,400 seconds, and 102,400,000 KB-
-```powershell
-$custompolicy = New-AzIpsecPolicy `
- -IkeEncryption AES256 `
- -IkeIntegrity SHA256 `
- -DhGroup ECP256 `
- -IpsecEncryption AES256 `
- -IpsecIntegrity SHA256 `
- -PfsGroup ECP256 `
- -SALifeTimeSeconds 14400 `
- -SADataSizeKilobytes 102400000
-```
-
-#### Create a S2S VPN connection with the custom IPsec/IKE policy
-
-```powershell
-$vpngw = Get-AzVirtualNetworkGateway `
- -Name "<yourVPNGatewayName>" `
- -ResourceGroupName "<yourResourceGroupName>"
-$localgw = Get-AzLocalNetworkGateway `
- -Name "<yourLocalGatewayName>" `
- -ResourceGroupName "<yourResourceGroupName>"
-
-New-AzVirtualNetworkGatewayConnection `
- -Name "ConnectionName" `
- -ResourceGroupName "<yourResourceGroupName>" `
- -VirtualNetworkGateway1 $vpngw `
- -LocalNetworkGateway2 $localgw `
- -Location "Australia Central" `
- -ConnectionType IPsec `
- -IpsecPolicies $custompolicy `
- -SharedKey "AzureA1b2C3"
-```
-
-## Next steps
-
-This article covered the specific configuration of VPN Gateway to meet the requirements specified in the Information Security Manual for securing Australian Government PROTECTED data while in transit. For steps on how to configure your VPN gateway, see:
--- [Azure virtual network gateway overview](../vpn-gateway/index.yml) -- [What is VPN Gateway?](../vpn-gateway/vpn-gateway-about-vpngateways.md) -- [Create a virtual network with a site-to-site VPN connection by using PowerShell](../vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell.md) -- [Create and manage a VPN gateway](../vpn-gateway/tutorial-create-gateway-portal.md)
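Review bot: deleting this article removes the only ISM PROTECTED-specific VPN guidance in the set (the custom IPsec/IKE parameter table, the custom RBAC role operation list, the forced-tunneling steps) with no redirect or replacement link visible, so the PR needs a redirect entry and a pointer to where that guidance moves. If any of it is relocated, fix these before it is copied: the sample sets `-SALifeTimeSeconds 14400` while the parameter table says the lifetime "Should" be `<14,400 secs`, so the sample does not meet its own recommendation; `-SharedKey "AzureA1b2C3"` is a literal pre-shared key where every other value uses a `<placeholder>`; the dhGroup row lists `DHGroup2` under "Must" next to stronger groups under "Should", which reads as contradictory; and both diagram captions carry mojibake (`ΓÇô`) where an en dash belongs.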
azure-cache-for-redis Cache Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-managed-identity.md
To use managed identity, you must have a premium-tier cache.
## Enable managed identity using the Azure CLI
-Use the Azure CLI for creating a new cache with managed identity or updating an existing cache to use managed identity. For more information, see [az redis create](/cli/azure/redis?view=azure-cli-latest.md) or [az redis identity](/cli/azure/redis/identity?view=azure-cli-latest).
+Use the Azure CLI for creating a new cache with managed identity or updating an existing cache to use managed identity. For more information, see [az redis create](/cli/azure/redis?view=azure-cli-latest.md&preserve-view=true) or [az redis identity](/cli/azure/redis/identity?view=azure-cli-latest&preserve-view=true).
For example, to update a cache to use system-managed identity use the following CLI command:
az redis identity assign \--mi-system-assigned \--name MyCacheName \--resource-g
## Enable managed identity using Azure PowerShell
-Use Azure PowerShell for creating a new cache with managed identity or updating an existing cache to use managed identity. For more information, see [New-AzRedisCache](/powershell/module/az.rediscache/new-azrediscache?view=azps-7.1.0) or [Set-AzRedisCache](/powershell/module/az.rediscache/set-azrediscache?view=azps-7.1.0).
+Use Azure PowerShell for creating a new cache with managed identity or updating an existing cache to use managed identity. For more information, see [New-AzRedisCache](/powershell/module/az.rediscache/new-azrediscache?view=azps-7.1.0&preserve-view=true) or [Set-AzRedisCache](/powershell/module/az.rediscache/set-azrediscache?view=azps-7.1.0&preserve-view=true).
For example, to update a cache to use system-managed identity, use the following PowerShell command:
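Review bot: the `az redis create` link still carries `.md` inside the query string (`/cli/azure/redis?view=azure-cli-latest.md&preserve-view=true`), so the view value is `azure-cli-latest.md` rather than `azure-cli-latest`; since the line is being edited anyway, change it to `/cli/azure/redis?view=azure-cli-latest&preserve-view=true` to match the `az redis identity` link on the same line and the PowerShell links below.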
azure-functions Event Driven Scaling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/event-driven-scaling.md
$resource.Properties.functionAppScaleLimit = <SCALE_LIMIT>
$resource | Set-AzResource -Force ```
+## Scale-in behaviors
+
+Event-driven scaling automatically reduces capacity when demand for your functions is reduced. It does this by shutting down worker instances of your function app. Before an instance is shut down, new events stop being sent to the instance. Also, functions that are currently executing are given time to finish executing. This behavior is logged as drain mode. This shut-down period can extend up to 10 minutes for Consumption plan apps and up to 60 minutes for Premium plan apps. Event-driven scaling and this behavior don't apply to Dedicated plan apps.
+
+The following considerations apply for scale-in behaviors:
+
+* For Consumption plan function apps running on Windows, only apps created after May 2021 have drain mode behaviors enabled by default.
+* To enable graceful shutdown for functions using the Service Bus trigger, use version 4.2.0 or a later version of the [Service Bus Extension](functions-bindings-service-bus.md).
+ ## Event Hubs trigger This section describes how scaling behaves when your function uses an [Event Hubs trigger](functions-bindings-event-hubs-trigger.md) or an [IoT Hub trigger](functions-bindings-event-iot-trigger.md). In these cases, each instance of an event triggered function is backed by a single [EventProcessorHost](/dotnet/api/microsoft.azure.eventhubs.processor) instance. The trigger (powered by Event Hubs) ensures that only one [EventProcessorHost](/dotnet/api/microsoft.azure.eventhubs.processor) instance can get a lease on a given partition.
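Review bot: "This behavior is logged as drain mode" does not say where the reader can observe it (which log table or message text), and the Windows Consumption bullet states that apps created before May 2021 lack drain mode by default without saying whether it can be enabled for them or how; both gaps leave an operator unable to verify graceful shutdown. Suggest naming the log source and either the enablement step for older apps or an explicit statement that none exists.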
azure-functions Language Support Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/language-support-policy.md
There are few exceptions to the retirement policy outlined above. Here is a list
|Node 6|30 April 2019|28 February 2022| |Node 8|31 December 2019|28 February 2022| |Node 10|30 April 2021|30 September 2022|
+|Node 12|30 Apr 2022|TBA|
|PowerShell Core 6| 4 September 2020|30 September 2022| |Python 3.6 |23 December 2021|30 September 2022|
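Review bot: the new row uses `30 Apr 2022` while every other row spells the month out (`30 April 2021`, `4 September 2020`); change it to `30 April 2022` for consistency, and consider whether `TBA` for the end-of-support date should link to where the date will be announced, since this table is the reference readers are pointed at.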
azure-monitor Azure Monitor Agent Extension Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-extension-versions.md
description: This article describes the version details for the Azure Monitor ag
Previously updated : 5/25/2022 Last updated : 6/6/2022
We strongly recommended to update to the latest version at all times, or opt in
## Version details | Release Date | Release notes | Windows | Linux | |:|:|:|:|
+| May 2022 | <ul><li>Fixed issue where agent stops functioning due to faulty XPath query. With this version, only query related Windows events will fail, other data types will continue to be collected</li><li>Collection of Windows network troubleshooting logs added to 'CollectAMAlogs.ps1' tool</li></ul> | 1.5.0.0 | Coming soon |
| April 2022 | <ul><li>Private IP information added in Log Analytics <i>Heartbeat</i> table for Windows and Linux</li><li>Fixed bugs in Windows IIS log collection (preview) <ul><li>Updated IIS site column name to match backend KQL transform</li><li>Added delay to IIS upload task to account for IIS buffering</li></ul></li><li>Fixed Linux CEF syslog forwarding for Sentinel</li><li>Removed 'error' message for Azure MSI token retrieval failure on Arc to show as 'Info' instead</li><li>Support added for Ubuntu 22.04, AlmaLinux and RockyLinux distros</li></ul> | 1.4.1.0<sup>Hotfix</sup> | 1.19.3 | | March 2022 | <ul><li>Fixed timestamp and XML format bugs in Windows Event logs</li><li>Full Windows OS information in Log Analytics Heartbeat table</li><li>Fixed Linux performance counters to collect instance values instead of 'total' only</li></ul> | 1.3.0.0 | 1.17.5.0 | | February 2022 | <ul><li>Bugfixes for the AMA Client installer (private preview)</li><li>Versioning fix to reflect appropriate Windows major/minor/hotfix versions</li><li>Internal test improvement on Linux</li></ul> | 1.2.0.0 | 1.15.3 |
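Review bot: "only query related Windows events will fail" is ambiguous about what is lost; if the intent is that only the events selected by the faulty XPath query fail to be collected while other data types continue, say so explicitly, and state the Linux version or a target date instead of "Coming soon" so the row is usable for version pinning like the rows above it.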
azure-monitor Diagnostics Extension Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/diagnostics-extension-overview.md
Title: Azure Diagnostics extension overview
description: Use Azure diagnostics for debugging, measuring performance, monitoring, traffic analysis in cloud services, virtual machines and service fabric Last updated 04/06/2022
+ms.reviwer: dalek
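Review bot: `ms.reviwer` is misspelled and will not be recognized as the `ms.reviewer` metadata key, so the reviewer value is silently dropped; change it to `ms.reviewer: dalek`.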
azure-monitor Auto Collect Dependencies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/auto-collect-dependencies.md
ms.devlang: csharp, java, javascript Last updated 05/06/2020+ # Dependency auto-collection
azure-monitor Automate Custom Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/automate-custom-reports.md
Title: Automate custom reports with Application Insights data
description: Automate custom daily/weekly/monthly reports with Azure Monitor Application Insights data Last updated 05/20/2019-
-ms.pmowner: vitalyg
+ # Automate custom reports with Application Insights data
azure-monitor Availability Multistep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/availability-multistep.md
Title: Monitor with multi-step web tests - Azure Application Insights
description: Set up multi-step web tests to monitor your web applications with Azure Application Insights Last updated 07/21/2021+ # Multi-step web tests
azure-monitor Availability Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/availability-overview.md
Title: Application Insights availability tests
description: Set up recurring web tests to monitor availability and responsiveness of your app or website. Last updated 07/13/2021+ # Application Insights availability tests
azure-monitor Availability Private Test https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/availability-private-test.md
Title: Private availability testing - Azure Monitor Application Insights
description: Learn how to use availability tests on internal servers that run behind a firewall with private testing. Last updated 05/14/2021+ # Private testing
azure-monitor Azure Ad Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-ad-authentication.md
description: Learn how to enable Azure Active Directory (Azure AD) authenticatio
Last updated 08/02/2021 ms.devlang: csharp, java, javascript, python+ # Azure AD authentication for Application Insights (Preview)
azure-monitor Azure Functions Supported Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-functions-supported-features.md
description: Application Insights Supported Features for Azure Functions
Last updated 4/23/2019 ms.devlang: csharp+ # Application Insights for Azure Functions supported features
azure-monitor Azure Vm Vmss Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-vm-vmss-apps.md
Last updated 08/26/2019 ms.devlang: csharp, java, javascript, python + # Deploy the Azure Monitor Application Insights Agent on Azure virtual machines and Azure virtual machine scale sets
azure-monitor Azure Web Apps Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-web-apps-java.md
Last updated 08/05/2021 ms.devlang: java + # Application Monitoring for Azure App Service and Java
azure-monitor Azure Web Apps Net Core https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-web-apps-net-core.md
Last updated 08/05/2021 ms.devlang: csharp + # Application Monitoring for Azure App Service and ASP.NET Core
azure-monitor Azure Web Apps Net https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-web-apps-net.md
Last updated 08/05/2021 ms.devlang: javascript + # Application Monitoring for Azure App Service and ASP.NET
azure-monitor Azure Web Apps Nodejs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-web-apps-nodejs.md
Last updated 08/05/2021 ms.devlang: javascript + # Application Monitoring for Azure App Service and Node.js
azure-monitor Cloudservices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/cloudservices.md
description: Monitor your web and worker roles effectively with Application Insi
ms.devlang: csharp Previously updated : 09/05/2018 Last updated : 06/02/2022+ # Application Insights for Azure cloud services
If there is no data, do the following:
1. In the app, open various pages so that it generates some telemetry. 1. Wait a few seconds, and then click **Refresh**.
-For more information, see [Troubleshooting](https://docs.microsoft.com/azure/azure-monitor/faq#application-insights).
- ## View Azure Diagnostics events You can find the [Azure Diagnostics](../agents/diagnostics-extension-overview.md) information in Application Insights in the following locations:
-* Performance counters are displayed as custom metrics.
+* Performance counters are displayed as custom metrics.
* Windows event logs are shown as traces and custom events. * Application logs, ETW logs, and any diagnostics infrastructure logs appear as traces.
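Review bot: removing the "For more information, see Troubleshooting" line takes away the page's only troubleshooting pointer for the no-data case just above it; if the `faq#application-insights` anchor is gone, replace the link with the current troubleshooting target rather than dropping it. The Performance counters bullet is also replaced by an identical line, which looks like a whitespace-only change that could be reverted to keep the diff focused.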
azure-monitor Codeless Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/codeless-overview.md
Title: Monitor your apps without code changes - auto-instrumentation for Azure M
description: Overview of auto-instrumentation for Azure Monitor Application Insights - codeless application performance management Last updated 08/31/2021+ # What is auto-instrumentation for Azure Monitor application insights?
azure-monitor Configuration With Applicationinsights Config https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/configuration-with-applicationinsights-config.md
Last updated 05/22/2019 ms.devlang: csharp
-ms.pmowner: casocha
+
azure-monitor Console https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/console.md
Last updated 05/21/2020 ms.devlang: csharp -+ # Application Insights for .NET console applications
azure-monitor Continuous Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/continuous-monitoring.md
Title: Continuous monitoring of your DevOps release pipeline with Azure Pipeline
description: Provides instructions to quickly set up continuous monitoring with Application Insights Last updated 05/01/2020+ # Add continuous monitoring to your release pipeline
azure-monitor Convert Classic Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/convert-classic-resource.md
description: Learn about the steps required to upgrade your Azure Monitor Applic
Last updated 09/23/2020 + # Migrate to workspace-based Application Insights resources
azure-monitor Correlation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/correlation.md
Last updated 06/07/2019 ms.devlang: csharp, java, javascript, python + # Telemetry correlation in Application Insights
azure-monitor Create New Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/create-new-resource.md
description: Manually set up Application Insights monitoring for a new live appl
Last updated 02/10/2021 + # Create an Application Insights resource
azure-monitor Custom Data Correlation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/custom-data-correlation.md
Title: Azure Application Insights | Microsoft Docs
description: Correlate data from Application Insights to other datasets, such as data enrichment or lookup tables, non-Application Insights data sources, and custom data. Last updated 08/08/2018+ # Correlating Application Insights data with custom data sources
azure-monitor Custom Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/custom-endpoints.md
Last updated 07/26/2019 ms.devlang: csharp, java, javascript, python + # Application Insights overriding default endpoints
azure-monitor Custom Operations Tracking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/custom-operations-tracking.md
ms.devlang: csharp Last updated 11/26/2019+ # Track custom operations with Application Insights .NET SDK
azure-monitor Data Model Context https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-context.md
Title: Azure Application Insights Telemetry Data Model - Telemetry Context | Mic
description: Application Insights telemetry context data model Last updated 05/15/2017+ # Telemetry context: Application Insights data model
azure-monitor Data Model Event Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-event-telemetry.md
Title: Azure Application Insights Telemetry Data Model - Event Telemetry | Micro
description: Application Insights data model for event telemetry Last updated 04/25/2017+ # Event telemetry: Application Insights data model
azure-monitor Data Model Exception Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-exception-telemetry.md
Title: Azure Application Insights Exception Telemetry Data model
description: Application Insights data model for exception telemetry Last updated 04/25/2017+ # Exception telemetry: Application Insights data model
azure-monitor Data Model Metric Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-metric-telemetry.md
Title: Data model for metric telemetry - Azure Application Insights
description: Application Insights data model for metric telemetry Last updated 04/25/2017+ # Metric telemetry: Application Insights data model
azure-monitor Data Model Pageview Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-pageview-telemetry.md
Title: Azure Application Insights Data Model - PageView Telemetry
description: Application Insights data model for page view telemetry Last updated 03/24/2022-+ # PageView telemetry: Application Insights data model
azure-monitor Data Model Request Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-request-telemetry.md
Title: Data model for request telemetry - Azure Application Insights
description: Application Insights data model for request telemetry Last updated 01/07/2019+ # Request telemetry: Application Insights data model
azure-monitor Data Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model.md
ibiza Last updated 10/14/2019+ # Application Insights telemetry data model
azure-monitor Data Retention Privacy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-retention-privacy.md
description: Retention and privacy policy statement
Last updated 06/30/2020 + # Data collection, retention, and storage in Application Insights
azure-monitor Devops https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/devops.md
Title: Web app performance monitoring - Azure Application Insights
description: How Application Insights fits into the DevOps cycle Last updated 12/21/2018+ # Deep diagnostics for web apps and services with Application Insights
azure-monitor Diagnostic Search https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/diagnostic-search.md
Title: Using Search in Azure Application Insights | Microsoft Docs
description: Search and filter raw telemetry sent by your web app. Last updated 07/30/2019++ # Using Search in Application Insights
azure-monitor Distributed Tracing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/distributed-tracing.md
description: Provides information about Microsoft's support for distributed trac
Last updated 09/17/2018+ # What is Distributed Tracing?
azure-monitor Eventcounters https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/eventcounters.md
description: Monitor system and custom .NET/.NET Core EventCounters in Applicati
Last updated 09/20/2019 + # EventCounters introduction
azure-monitor Export Data Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/export-data-model.md
Title: Azure Application Insights Data Model | Microsoft Docs
description: Describes properties exported from continuous export in JSON, and used as filters. Last updated 01/08/2019+ # Application Insights Export Data Model
azure-monitor Export Power Bi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/export-power-bi.md
Title: Export to Power BI from Azure Application Insights | Microsoft Docs
description: Analytics queries can be displayed in Power BI. Last updated 08/10/2018+ # Feed Power BI from Application Insights
azure-monitor Export Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/export-telemetry.md
description: Export diagnostic and usage data to storage in Microsoft Azure, and
Last updated 02/19/2021 + # Export telemetry from Application Insights
azure-monitor Get Metric https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/get-metric.md
Last updated 04/28/2020 ms.devlang: csharp+ # Custom metric collection in .NET and .NET Core
azure-monitor Ilogger https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/ilogger.md
description: Learn how to use Application Insights with the ILogger interface in
Last updated 05/20/2021 ms.devlang: csharp+ # Application Insights logging with .NET
azure-monitor Ip Addresses https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/ip-addresses.md
Title: IP addresses used by Azure Monitor
description: Server firewall exceptions required by Application Insights Last updated 01/27/2020+ # IP addresses used by Azure Monitor
azure-monitor Ip Collection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/ip-collection.md
description: Understand how Application Insights handles IP addresses and geoloc
Last updated 09/23/2020 + # Geolocation and IP address handling
azure-monitor Java 2X Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-agent.md
Last updated 01/10/2019 ms.devlang: java + # Monitor dependencies, caught exceptions, and method execution times in Java web apps
azure-monitor Java 2X Collectd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-collectd.md
Last updated 03/14/2019 ms.devlang: java + # collectd: Linux performance metrics in Application Insights [Deprecated]
azure-monitor Java 2X Filter Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-filter-telemetry.md
Last updated 3/14/2019 ms.devlang: java + # Filter telemetry in your Java web app
azure-monitor Java 2X Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-get-started.md
Last updated 11/22/2020 ms.devlang: java + # Get started with Application Insights in a Java web project
azure-monitor Java 2X Micrometer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-micrometer.md
ms.devlang: java Last updated 11/01/2018+ # How to use Micrometer with Azure Application Insights Java SDK (not recommended)
azure-monitor Java 2X Trace Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-trace-logs.md
Last updated 05/18/2019 ms.devlang: java + # Explore Java trace logs in Application Insights
azure-monitor Java 2X Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-2x-troubleshoot.md
Last updated 03/14/2019 ms.devlang: java + # Troubleshooting and Q and A for Application Insights for Java SDK
azure-monitor Java Jmx Metrics Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-jmx-metrics-configuration.md
Last updated 03/16/2021 ms.devlang: java + # Configuring JMX metrics
azure-monitor Java On Premises https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-on-premises.md
ms.devlang: java Last updated 04/16/2020+ # Java codeless application monitoring on-premises - Azure Monitor Application Insights
azure-monitor Java Standalone Arguments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-arguments.md
Last updated 04/16/2020 ms.devlang: java + # Tips for updating your JVM args - Azure Monitor Application Insights for Java
azure-monitor Java Standalone Config https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-config.md
Last updated 11/04/2020 ms.devlang: java + # Configuration options - Azure Monitor Application Insights for Java
azure-monitor Java Standalone Sampling Overrides https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-sampling-overrides.md
Last updated 03/22/2021 ms.devlang: java + # Sampling overrides (preview) - Azure Monitor Application Insights for Java
azure-monitor Java Standalone Telemetry Processors Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-telemetry-processors-examples.md
Last updated 12/29/2020 ms.devlang: java + # Telemetry processor examples - Azure Monitor Application Insights for Java
azure-monitor Java Standalone Telemetry Processors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-telemetry-processors.md
Last updated 10/29/2020 ms.devlang: java + # Telemetry processors (preview) - Azure Monitor Application Insights for Java
azure-monitor Java Standalone Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-troubleshoot.md
Last updated 11/30/2020 ms.devlang: java + # Troubleshooting guide: Azure Monitor Application Insights for Java
azure-monitor Java Standalone Upgrade From 2X https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-upgrade-from-2x.md
Last updated 11/25/2020 ms.devlang: java + # Upgrading from Application Insights Java 2.x SDK
azure-monitor Javascript Angular Plugin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-angular-plugin.md
ibiza
Last updated 10/07/2020 ms.devlang: javascript+ # Angular plugin for Application Insights JavaScript SDK
azure-monitor Javascript Click Analytics Plugin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-click-analytics-plugin.md
ibiza
Last updated 01/14/2021 ms.devlang: javascript+ # Click Analytics Auto-collection plugin for Application Insights JavaScript SDK
azure-monitor Javascript React Native Plugin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-react-native-plugin.md
ibiza
Last updated 08/06/2020 ms.devlang: javascript+ # React Native plugin for Application Insights JavaScript SDK
azure-monitor Javascript React Plugin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-react-plugin.md
ibiza
Last updated 07/28/2020 ms.devlang: javascript+ # React plugin for Application Insights JavaScript SDK
azure-monitor Javascript Sdk Load Failure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-sdk-load-failure.md
Last updated 06/05/2020 ms.devlang: javascript + # Troubleshooting SDK load failure for JavaScript web apps
azure-monitor Javascript https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript.md
Last updated 08/06/2020 ms.devlang: javascript + # Application Insights for web pages
azure-monitor Kubernetes Codeless https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/kubernetes-codeless.md
Title: Monitor applications on Azure Kubernetes Service (AKS) with Application I
description: Azure Monitor seamlessly integrates with your application running on Kubernetes, and allows you to spot the problems with your apps in no time. Last updated 05/13/2020+ # Zero instrumentation application monitoring for Kubernetes - Azure Monitor Application Insights
azure-monitor Legacy Pricing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/legacy-pricing.md
Title: Application Insights legacy enterprise (per node) pricing tier
description: Describes the legacy pricing tier for Application Insights. Last updated 02/18/2022+ # Application Insights legacy enterprise (per node) pricing tier
azure-monitor Migrate From Instrumentation Keys To Connection Strings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/migrate-from-instrumentation-keys-to-connection-strings.md
Title: Migrate from Application Insights instrumentation keys to connection stri
description: Learn the steps required to upgrade from Azure Monitor Application Insights instrumentation keys to connection strings Last updated 02/14/2022+ # Migrate from Application Insights instrumentation keys to connection strings
azure-monitor Monitor Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/monitor-functions.md
Title: Monitor applications running on Azure Functions with Application Insights
description: Azure Monitor seamlessly integrates with your application running on Azure Functions, and allows you to monitor the performance and spot the problems with your apps in no time. Last updated 08/27/2021+ # Monitoring Azure Functions with Azure Monitor Application Insights
azure-monitor Nodejs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/nodejs.md
Last updated 10/12/2021 ms.devlang: javascript + # Monitor your Node.js services and apps with Application Insights
azure-monitor Opencensus Python Request https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opencensus-python-request.md
Last updated 10/15/2019 ms.devlang: python + # Track incoming requests with OpenCensus Python
azure-monitor Opencensus Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opencensus-python.md
Last updated 10/12/2021 ms.devlang: python + # Set up Azure Monitor for your Python application
azure-monitor Opentelemetry Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-enable.md
description: This article provides guidance on how to enable Azure Monitor on ap
Last updated 10/11/2021 ms.devlang: csharp, javascript, python+ # Enable Azure Monitor OpenTelemetry Exporter for .NET, Node.js, and Python applications (preview)
-This article describes how to enable and configure the OpenTelemetry-based Azure Monitor Preview offering. After you finish the instructions in this article, you'll be able to send OpenTelemetry traces to Azure Monitor Application Insights. To learn more about OpenTelemetry, see the [OpenTelemetry overview](opentelemetry-overview.md) or [OpenTelemetry FAQ](/azure/azure-monitor/faq#opentelemetry).
+The Azure Monitor OpenTelemetry Exporter is a component that sends traces (and eventually all application telemetry) to Azure Monitor Application Insights. To learn more about OpenTelemetry concepts, see the [OpenTelemetry overview](opentelemetry-overview.md) or [OpenTelemetry FAQ](/azure/azure-monitor/faq#opentelemetry).
+
+This article describes how to enable and configure the OpenTelemetry-based Azure Monitor Preview offering. After you finish the instructions in this article, you'll be able to send OpenTelemetry traces to Azure Monitor Application Insights.
> [!IMPORTANT] > Azure Monitor OpenTelemetry Exporter for .NET, Node.js, and Python applications is currently in preview.
azure-monitor Opentelemetry Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-overview.md
Title: OpenTelemetry with Azure Monitor overview
description: Provides an overview of how to use OpenTelemetry with Azure Monitor. Last updated 10/11/2021+ # OpenTelemetry overview
Telemetry, the data collected to observe your application, can be broken into th
Initially the OpenTelemetry community took on Distributed Tracing. Metrics and Logs are still in progress. A complete observability story includes all three pillars, but currently our [Azure Monitor OpenTelemetry-based exporter **preview** offerings for .NET, Python, and JavaScript](opentelemetry-enable.md) **only include Distributed Tracing**.
-There are several sources that explain the three pillars in detail including the [OpenTelemetry community website](https://opentelemetry.io/docs/concepts/data-sources/), [OpenTelemetry Specifications](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/overview.md), and [Distributed Systems Observability](https://www.oreilly.com/library/view/distributed-systems-observability/9781492033431/ch04.html) by Cindy Sridharan.
+There are several sources that explain the three pillars in detail including the [OpenTelemetry community website](https://opentelemetry.io/docs/concepts/data-collection/), [OpenTelemetry Specifications](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/overview.md), and [Distributed Systems Observability](https://www.oreilly.com/library/view/distributed-systems-observability/9781492033431/ch04.html) by Cindy Sridharan.
In the following sections, we'll cover some telemetry collection basics.
azure-monitor Performance Counters https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/performance-counters.md
Last updated 12/13/2018 ms.devlang: csharp + # System performance counters in Application Insights
azure-monitor Platforms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/platforms.md
Title: 'Application Insights: languages, platforms, and integrations | Microsoft
description: Languages, platforms, and integrations available for Application Insights Last updated 10/29/2021-+ # Supported languages
azure-monitor Powershell Azure Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/powershell-azure-diagnostics.md
description: Automate configuring Azure Diagnostics to pipe data to Application
Last updated 08/06/2019
+ms.reviwer: cogoodson
# Using PowerShell to set up Application Insights for Azure Cloud Services
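Review bot: the front-matter key added in this hunk is misspelled as `ms.reviwer`; the Docs metadata key is `ms.reviewer`, so this line should be `ms.reviewer: cogoodson` for the reviewer field to be recognized.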
azure-monitor Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/powershell.md
description: Automate creating and managing resources, alerts, and availability
Last updated 05/02/2020 + # Manage Application Insights resources using PowerShell
azure-monitor Pre Aggregated Metrics Log Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/pre-aggregated-metrics-log-metrics.md
Title: Log-based and pre-aggregated metrics in Azure Application Insights | Micr
description: Why to use log-based versus pre-aggregated metrics in Azure Application Insights Last updated 09/18/2018+ # Log-based and pre-aggregated metrics in Application Insights
azure-monitor Proactive Application Security Detection Pack https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-application-security-detection-pack.md
Title: Security detection Pack with Azure Application Insights
description: Monitor application with Azure Application Insights and smart detection for potential security issues. Last updated 12/12/2017+ # Application security detection pack (preview)
azure-monitor Proactive Arm Config https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-arm-config.md
Title: Smart detection rule settings - Azure Application Insights
description: Automate management and configuration of Azure Application Insights smart detection rules with Azure Resource Manager Templates Last updated 02/14/2021+ # Manage Application Insights smart detection rules using Azure Resource Manager templates
azure-monitor Proactive Cloud Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-cloud-services.md
Title: Alert on issues in Azure Cloud Services using the Azure Diagnostics integ
description: Monitor for issues like startup failures, crashes, and role recycle loops in Azure Cloud Services with Azure Application Insights Last updated 06/07/2018-+ # Alert on issues in Azure Cloud Services using the Azure diagnostics integration with Azure Application Insights
azure-monitor Proactive Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-diagnostics.md
Title: Smart detection in Azure Application Insights | Microsoft Docs
description: Application Insights performs automatic deep analysis of your app telemetry and warns you of potential problems. Last updated 02/07/2019+ # Smart detection in Application Insights
azure-monitor Proactive Email Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-email-notification.md
Title: Smart Detection notification change - Azure Application Insights
description: Change to the default notification recipients from Smart Detection. Smart Detection lets you monitor application traces with Azure Application Insights for unusual patterns in trace telemetry. Last updated 02/14/2021+ # Smart Detection e-mail notification change
azure-monitor Proactive Exception Volume https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-exception-volume.md
Title: Abnormal rise in exception volume - Azure Application Insights
description: Monitor application exceptions with smart detection in Azure Application Insights for unusual patterns in exception volume. Last updated 12/08/2017+ # Abnormal rise in exception volume (preview)
azure-monitor Proactive Potential Memory Leak https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-potential-memory-leak.md
Title: Detect memory leak - Azure Application Insights smart detection
description: Monitor applications with Azure Application Insights for potential memory leaks. Last updated 12/12/2017+ # Memory leak detection (preview)
azure-monitor Proactive Trace Severity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/proactive-trace-severity.md
Title: Degradation in trace severity ratio - Azure Application Insights
description: Monitor application traces with Azure Application Insights for unusual patterns in trace telemetry with smart detection. Last updated 11/27/2017+ # Degradation in trace severity ratio (preview)
azure-monitor Remove Application Insights https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/remove-application-insights.md
Title: Remove Application Insights in Visual Studio - Azure Monitor
description: How to remove Application Insights SDK for ASP.NET and ASP.NET Core in Visual Studio. Last updated 04/06/2020+ # How to remove Application Insights in Visual Studio
azure-monitor Resource Manager App Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/resource-manager-app-resource.md
description: Sample Azure Resource Manager templates to deploy Application Insig
Last updated 04/27/2022 + # Resource Manager template samples for creating Application Insights resources
azure-monitor Resource Manager Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/resource-manager-web-app.md
description: Sample Azure Resource Manager templates to deploy an Azure App Serv
Last updated 04/27/2022+ # Resource Manager template samples for creating Azure App Services web apps with Application Insights monitoring
azure-monitor Resources Roles Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/resources-roles-access-control.md
description: Owners, contributors and readers of your organization's insights.
Last updated 02/14/2019 + # Resources, roles, and access control in Application Insights
azure-monitor Sampling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sampling.md
Title: Telemetry sampling in Azure Application Insights | Microsoft Docs
description: How to keep the volume of telemetry under control. Last updated 08/26/2021- + # Sampling in Application Insights
azure-monitor Sdk Connection String https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sdk-connection-string.md
description: How to use connection strings.
Last updated 04/13/2022 + # Connection strings
azure-monitor Separate Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/separate-resources.md
Title: How to design your Application Insights deployment - One vs many resource
description: Direct telemetry to different resources for development, test, and production stamps. Last updated 05/11/2020+ # How many Application Insights resources should I deploy
azure-monitor Sharepoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sharepoint.md
Title: Monitor a SharePoint site with Application Insights
description: Start monitoring a new application with a new instrumentation key Last updated 09/08/2020+ # Monitor a SharePoint site with Application Insights
azure-monitor Sla Report https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sla-report.md
Title: Downtime, SLA, and outage workbook - Application Insights
description: Calculate and report SLA for Web Test through a single pane of glass across your Application Insights resources and Azure subscriptions. Last updated 05/4/2021
+ms.reviwer: casocha
# Downtime, SLA, and outages workbook
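Review bot: same misspelling as in the other front-matter hunks, `ms.reviwer` should be `ms.reviewer`, so the added line should read `ms.reviewer: casocha`.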
azure-monitor Snapshot Collector Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/snapshot-collector-release-notes.md
Title: Release Notes for Microsoft.ApplicationInsights.SnapshotCollector NuGet p
description: Release notes for the Microsoft.ApplicationInsights.SnapshotCollector NuGet package used by the Application Insights Snapshot Debugger. Last updated 11/10/2020+ # Release notes for Microsoft.ApplicationInsights.SnapshotCollector
azure-monitor Snapshot Debugger Function App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/snapshot-debugger-function-app.md
Title: Enable Snapshot Debugger for .NET and .NET Core apps in Azure Functions |
description: Enable Snapshot Debugger for .NET and .NET Core apps in Azure Functions Last updated 12/18/2020+ # Enable Snapshot Debugger for .NET and .NET Core apps in Azure Functions
azure-monitor Snapshot Debugger Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/snapshot-debugger-troubleshoot.md
Title: Troubleshoot Azure Application Insights Snapshot Debugger
description: This article presents troubleshooting steps and information to help developers enable and use Application Insights Snapshot Debugger. Last updated 03/07/2019+ # <a id="troubleshooting"></a> Troubleshoot problems enabling Application Insights Snapshot Debugger or viewing snapshots
azure-monitor Snapshot Debugger Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/snapshot-debugger-upgrade.md
Title: Upgrading Azure Application Insights Snapshot Debugger
description: How to upgrade Snapshot Debugger for .NET apps to the latest version on Azure App Services, or via Nuget packages Last updated 03/28/2019+ # Upgrading the Snapshot Debugger
azure-monitor Snapshot Debugger Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/snapshot-debugger-vm.md
Title: Enable Snapshot Debugger for .NET apps in Azure Service Fabric, Cloud Ser
description: Enable Snapshot Debugger for .NET apps in Azure Service Fabric, Cloud Service, and Virtual Machines Last updated 03/07/2019+ # Enable Snapshot Debugger for .NET apps in Azure Service Fabric, Cloud Service, and Virtual Machines
azure-monitor Snapshot Debugger https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/snapshot-debugger.md
description: Debug snapshots are automatically collected when exceptions are thr
Last updated 10/12/2021-+ # Debug snapshots on exceptions in .NET apps
azure-monitor Source Map Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/source-map-support.md
description: Learn how to upload source maps to your own storage account Blob co
Last updated 06/23/2020 + # Source map support for JavaScript applications
azure-monitor Standard Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/standard-metrics.md
description: This article lists Azure Application Insights metrics with supporte
Last updated 07/03/2019+ # Application Insights standard metrics
azure-monitor Statsbeat https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/statsbeat.md
description: Statistics about Application Insights SDKs and Auto-Instrumentation
Last updated 09/20/2021
+ms.reviwer: heya
# Statsbeat in Azure Application Insights
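Review bot: the added key `ms.reviwer` is misspelled; the metadata key is `ms.reviewer`, so this line should read `ms.reviewer: heya`.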
azure-monitor Status Monitor V2 Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/status-monitor-v2-get-started.md
description: A quickstart guide for Application Insights Agent. Monitor website
Last updated 01/22/2021 + # Get started with Azure Monitor Application Insights Agent for on-premises servers
azure-monitor Status Monitor V2 Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/status-monitor-v2-overview.md
Title: Azure Application Insights Agent overview | Microsoft Docs
description: An overview of Application Insights Agent. Monitor website performance without redeploying the website. Works with ASP.NET web apps hosted on-premises, in VMs, or on Azure. Last updated 09/16/2019+ # Deploy Azure Monitor Application Insights Agent for on-premises servers
azure-monitor Status Monitor V2 Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/status-monitor-v2-troubleshoot.md
Title: Azure Application Insights Agent troubleshooting and known issues | Micro
description: The known issues of Application Insights Agent and troubleshooting examples. Monitor website performance without redeploying the website. Works with ASP.NET web apps hosted on-premises, in VMs, or on Azure. Last updated 04/23/2019+ # Troubleshooting Application Insights Agent (formerly named Status Monitor v2)
azure-monitor Telemetry Channels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/telemetry-channels.md
Last updated 05/14/2019 ms.devlang: csharp + # Telemetry channels in Application Insights
azure-monitor Troubleshoot Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/troubleshoot-availability.md
Title: Troubleshoot your Azure Application Insights availability tests
description: Troubleshoot web tests in Azure Application Insights. Get alerts if a website becomes unavailable or responds slowly. Last updated 02/14/2021-+ # Troubleshooting
azure-monitor Tutorial Alert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/tutorial-alert.md
description: Tutorial to send alerts in response to errors in your application u
Last updated 04/10/2019 + # Monitor and alert on application health with Azure Application Insights
azure-monitor Tutorial App Dashboards https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/tutorial-app-dashboards.md
description: Tutorial to create custom KPI dashboards using Azure Application In
Last updated 09/30/2020 + # Create custom KPI dashboards using Azure Application Insights
azure-monitor Tutorial Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/tutorial-performance.md
description: Tutorial to find and diagnose performance issues in your applicatio
Last updated 06/15/2020 + # Find and diagnose performance issues with Azure Application Insights
azure-monitor Tutorial Runtime Exceptions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/tutorial-runtime-exceptions.md
description: Tutorial to find and diagnose run-time exceptions in your applicati
Last updated 09/19/2017 + # Find and diagnose run-time exceptions with Azure Application Insights
azure-monitor Tutorial Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/tutorial-users.md
description: Tutorial on using Application Insights to understand how customers
Last updated 07/30/2021 + # Use Azure Application Insights to understand how customers are using your application
azure-monitor Usage Flows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-flows.md
Title: Application Insights User Flows analyzes navigation flows
description: Analyze how users navigate between the pages and features of your web app. Last updated 07/30/2021+ # Analyze user navigation patterns with User Flows in Application Insights
azure-monitor Usage Funnels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-funnels.md
Title: Application Insights Funnels
description: Learn how you can use Funnels to discover how customers are interacting with your application. Last updated 07/30/2021+ # Discover how customers are using your application with Application Insights Funnels
azure-monitor Usage Heart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-heart.md
Title: HEART analytics workbook
description: Product teams use the HEART Workbook to measure success across five user-centric dimensions to deliver better software. Last updated 11/11/2021+ # Analyzing product usage with HEART
azure-monitor Usage Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-overview.md
Title: Usage analysis with Application Insights | Azure Monitor
description: Understand your users and what they do with your app. Last updated 07/30/2021+ # Usage analysis with Application Insights
azure-monitor Usage Retention https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-retention.md
Title: Analyze web app user retention with Application Insights
description: How many users return to your app? Last updated 07/30/2021+ # User retention analysis for web applications with Application Insights
azure-monitor Usage Segmentation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-segmentation.md
Title: User, session, and event analysis in Application Insights
description: Demographic analysis of users of your web app. Last updated 07/30/2021+ # Users, sessions, and events analysis in Application Insights
azure-monitor Usage Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-troubleshoot.md
Title: Troubleshoot user analytics tools - Application Insights
description: Troubleshooting guide - analyzing site and app usage with Application Insights. Last updated 07/30/2021+ # Troubleshoot user behavior analytics tools in Application Insights
azure-monitor Visual Studio Codelens https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/visual-studio-codelens.md
description: Quickly access your Application Insights request and exception tele
Last updated 03/17/2017 + # Application Insights telemetry in Visual Studio CodeLens
azure-monitor Visual Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/visual-studio.md
description: Web app performance analysis and diagnostics during debugging and i
Last updated 03/17/2017 + # Debug your applications with Azure Application Insights in Visual Studio
azure-monitor Web App Extension Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/web-app-extension-release-notes.md
Title: Release Notes for Azure web app extension - Application Insights
description: Release notes for the Azure Web Apps Extension for runtime instrumentation with Application Insights. Last updated 06/26/2020+ # Release notes for Azure Web App extension for Application Insights
azure-monitor Windows Desktop https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/windows-desktop.md
Last updated 06/11/2020 ms.devlang: csharp + # Monitoring usage and performance in Classic Windows Desktop apps
azure-monitor Work Item Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/work-item-integration.md
Title: Work Item Integration - Application Insights
description: Learn how to create work items in GitHub or Azure DevOps with Application Insights data embedded in them. Last updated 06/27/2021+ # Work Item Integration
azure-monitor Worker Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/worker-service.md
ms.devlang: csharp Last updated 05/12/2022+ # Application Insights for Worker Service applications (non-HTTP applications)
azure-monitor Autoscale Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-best-practices.md
description: Autoscale patterns in Azure for Web Apps, Virtual Machine Scale set
Last updated 04/22/2022 + # Best practices for Autoscale
Azure Monitor autoscale applies only to [Virtual Machine Scale Sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/), [Cloud Services](https://azure.microsoft.com/services/cloud-services/), [App Service - Web Apps](https://azure.microsoft.com/services/app-service/web/), and [API Management services](../../api-management/api-management-key-concepts.md).
azure-monitor Autoscale Common Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-common-metrics.md
Last updated 04/22/2022 ++ # Azure Monitor autoscaling common metrics
azure-monitor Autoscale Common Scale Patterns https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-common-scale-patterns.md
description: Learn some of the common patterns to auto scale your resource in Az
Last updated 04/22/2022 + # Overview of common autoscale patterns
This article describes some of the common patterns to scale your resource in Azure.
azure-monitor Autoscale Custom Metric https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-custom-metric.md
description: Learn how to scale your resource by custom metric in Azure.
Last updated 05/07/2017 + # Get started with auto scale by custom metric in Azure
This article describes how to scale your resource by a custom metric in Azure portal.
azure-monitor Autoscale Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-get-started.md
description: "Learn how to scale your resource web app, cloud service, virtual m
Last updated 04/05/2022 + # Get started with Autoscale in Azure
This article describes how to set up your Autoscale settings for your resource in the Microsoft Azure portal.
azure-monitor Autoscale Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-overview.md
description: "Autoscale in Microsoft Azure"
Last updated 04/22/2022+
azure-monitor Autoscale Predictive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-predictive.md
Last updated 01/24/2022 + # Use predictive autoscale to scale out before load demands in virtual machine scale sets (Preview)
azure-monitor Autoscale Resource Log Schema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-resource-log-schema.md
description: Format of logs for monitoring and troubleshooting autoscale actions
Last updated 11/14/2019 + # Azure Monitor autoscale actions resource log schema
azure-monitor Autoscale Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-troubleshoot.md
description: Tracking down problems with Azure Monitor autoscaling used in Servi
Last updated 11/4/2019 +
azure-monitor Autoscale Understanding Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-understanding-settings.md
description: "A detailed breakdown of autoscale settings and how they work. Appl
Last updated 12/18/2017 + # Understand Autoscale settings Autoscale settings help ensure that you have the right amount of resources running to handle the fluctuating load of your application. You can configure Autoscale settings to be triggered based on metrics that indicate load or performance, or triggered at a scheduled date and time. This article takes a detailed look at the anatomy of an Autoscale setting. The article begins with the schema and properties of a setting, and then walks through the different profile types that can be configured. Finally, the article discusses how the Autoscale feature in Azure evaluates which profile to execute at any given time.
azure-monitor Autoscale Virtual Machine Scale Sets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-virtual-machine-scale-sets.md
Last updated 06/25/2020-+
azure-monitor Autoscale Webhook Email https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-webhook-email.md
description: Learn how to use autoscale actions to call web URLs or send email n
Last updated 04/03/2017 + # Use autoscale actions to send email and webhook alert notifications in Azure Monitor This article shows you how set up triggers so that you can call specific web URLs or send emails based on autoscale actions in Azure.
azure-monitor Tutorial Autoscale Performance Schedule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/tutorial-autoscale-performance-schedule.md
Last updated 12/11/2017
+ # Create an Autoscale Setting for Azure resources based on performance data or a schedule
azure-monitor Change Analysis Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/change/change-analysis-troubleshoot.md
ms.contributor: cawa
Last updated 03/21/2022 + # Troubleshoot Azure Monitor's Change Analysis (preview)
azure-monitor Change Analysis Visualizations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/change/change-analysis-visualizations.md
ms.contributor: cawa
Last updated 04/18/2022 + # Visualizations for Change Analysis in Azure Monitor (preview)
azure-monitor Change Analysis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/change/change-analysis.md
ms.contributor: cawa
Last updated 05/20/2022 + # Use Change Analysis in Azure Monitor (preview)
azure-monitor Cost Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/cost-logs.md
description: Cost details for data stored in a Log Analytics workspace in Azure
Last updated 03/24/2022
+ms.reviwer: dalek git
# Azure Monitor Logs pricing details
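Review bot: the added front-matter key `ms.reviwer` is misspelled, so the reviewer value on that `+` line will not be recognized by the docs metadata schema; the key is `ms.reviewer`. Suggest `ms.reviewer: dalek git`.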
azure-monitor Profiler Aspnetcore Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-aspnetcore-linux.md
ms.devlang: csharp Last updated 02/23/2018+ # Profile ASP.NET Core Azure Linux web apps with Application Insights Profiler
azure-monitor Profiler Azure Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-azure-functions.md
Title: Profile Azure Functions app with Application Insights Profiler description: Enable Application Insights Profiler for Azure Functions app.- ms.contributor: charles.weininger Last updated 05/03/2022+ # Profile live Azure Functions app with Application Insights
azure-monitor Profiler Bring Your Own Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-bring-your-own-storage.md
Title: Configure BYOS (Bring Your Own Storage) for Profiler & Snapshot Debugger
description: Configure BYOS (Bring Your Own Storage) for Profiler & Snapshot Debugger Last updated 01/14/2021+ # Configure Bring Your Own Storage (BYOS) for Application Insights Profiler and Snapshot Debugger
azure-monitor Profiler Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-containers.md
description: Enable Application Insights Profiler for Azure Containers.
ms.contributor: charles.weininger Last updated 05/26/2022+ # Profile live Azure containers with Application Insights
azure-monitor Profiler Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-overview.md
description: Identify the hot path in your web server code with a low-footprint
ms.contributor: charles.weininger Last updated 05/26/2022-+ # Profile production applications in Azure with Application Insights
azure-monitor Profiler Servicefabric https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-servicefabric.md
description: Enable Profiler for a Service Fabric application
Last updated 08/06/2018+ # Profile live Azure Service Fabric applications with Application Insights
azure-monitor Profiler Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-settings.md
description: Use the Azure Application Insights Profiler settings pane to see Pr
ms.contributor: Charles.Weininger Last updated 04/26/2022-+ # Configure Application Insights Profiler
azure-monitor Profiler Trackrequests https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-trackrequests.md
description: Write code to track requests with Application Insights so you can g
Last updated 08/06/2018+ # Write code to track requests with Application Insights
azure-monitor Profiler Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-troubleshooting.md
Title: Troubleshoot problems with Azure Application Insights Profiler
description: This article presents troubleshooting steps and information to help developers enable and use Application Insights Profiler. Last updated 08/06/2018+ # Troubleshoot problems enabling or viewing Application Insights Profiler
azure-monitor Profiler Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-vm.md
Title: Profile web apps on an Azure VM - Application Insights Profiler
description: Profile web apps on an Azure VM by using Application Insights Profiler. Last updated 11/08/2019+ # Profile web apps running on an Azure virtual machine or a virtual machine scale set by using Application Insights Profiler
azure-monitor Profiler https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler.md
Title: Enable Profiler for Azure App Service apps | Microsoft Docs
description: Profile live apps on Azure App Service with Application Insights Profiler. Last updated 05/11/2022+ # Enable Profiler for Azure App Service apps
azure-netapp-files Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/whats-new.md
na Previously updated : 06/02/2022 Last updated : 06/07/2022
Azure NetApp Files is updated regularly. This article provides a summary about t
## June 2022
+* [Azure NetApp Files datastores for Azure VMware Solution](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md) (Preview)
+
+ [Azure NetApp Files datastores for Azure VMware Solution](https://azure.microsoft.com/blog/power-your-file-storageintensive-workloads-with-azure-vmware-solution) is now in public preview. This new integration between Azure VMware Solution and Azure NetApp Files will enable you to [create datastores via the Azure VMware Solution resource provider with Azure NetApp Files NFS volumes](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md) and mount the datastores on your private cloud clusters of choice. Along with the integration of Azure disk pools for Azure VMware Solution, this will provide more choice to scale storage needs independently of compute resources. For your storage-intensive workloads running on Azure VMware Solution, the integration with Azure NetApp Files helps to easily scale storage capacity and performance beyond the limits of native vSAN built on top of the AVS nodes and lower your overall total cost of ownership.
+
+ Regional Coverage: Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central US, East US, France Central, Germany West Central, Japan West, North Central US, North Europe, South Central US, Southeast Asia, Switzerland West, UK South, UK West, West US. Regional coverage will expand as the preview progresses.
+ * [Azure Policy built-in definitions for Azure NetApp](azure-policy-definitions.md#built-in-policy-definitions) Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources. Azure NetApp Files already supports Azure Policy via custom policy definitions. Azure NetApp Files now also provides built-in policy to enable organization admins to restrict creation of unsecure NFS volumes or audit existing volumes more easily.
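Review bot: the two new June 2022 bullets are indented differently (`+* [Azure NetApp Files datastores...` versus `+ * [Azure Policy built-in definitions...`), so the second item may render as a nested or mis-aligned list entry; align both to the same leading whitespace. In the second bullet the link text reads "Azure NetApp" while the body consistently says "Azure NetApp Files", so complete the product name there, and "unsecure NFS volumes" would read better as "insecure NFS volumes" or "unsecured NFS volumes".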
azure-portal Get Subscription Tenant Id https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-portal/get-subscription-tenant-id.md
Follow these steps to retrieve the ID for a subscription in the Azure portal.
1. Copy the **Subscription ID**. You can paste this value into a text document or other location. > [!TIP]
-> You can also list your subscriptions and view their IDs programmatically by using [Get-AzSubscription](/powershell/module/az.accounts/get-azsubscription?view=latest) (Azure PowerShell) or [az account list](/cli/azure/account?view=azure-cli-latest) (Azure CLI).
+> You can also list your subscriptions and view their IDs programmatically by using [Get-AzSubscription](/powershell/module/az.accounts/get-azsubscription?view=latest&preserve-view=true) (Azure PowerShell) or [az account list](/cli/azure/account?view=azure-cli-latest&preserve-view=true) (Azure CLI).
## Find your Azure AD tenant
azure-resource-manager Bicep Functions Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-functions-resource.md
The possible uses of `list*` are shown in the following table.
| Microsoft.ApiManagement/service/namedValues | [listValue](/rest/api/apimanagement/current-ga/named-value/list-value) | | Microsoft.ApiManagement/service/openidConnectProviders | [listSecrets](/rest/api/apimanagement/current-ga/openid-connect-provider/list-secrets) | | Microsoft.ApiManagement/service/subscriptions | [listSecrets](/rest/api/apimanagement/current-ga/subscription/list-secrets) |
-| Microsoft.AppConfiguration/configurationStores | [ListKeys](/rest/api/appconfiguration/configurationstores/listkeys) |
+| Microsoft.AppConfiguration/configurationStores | [ListKeys](/rest/api/appconfiguration/stable/configuration-stores/list-keys) |
| Microsoft.AppPlatform/Spring | [listTestKeys](/rest/api/azurespringapps/services/list-test-keys) | | Microsoft.Automation/automationAccounts | [listKeys](/rest/api/automation/keys/listbyautomationaccount) | | Microsoft.Batch/batchAccounts | [listkeys](/rest/api/batchmanagement/batchaccount/getkeys) |
azure-resource-manager Tutorial Resource Onboarding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/custom-providers/tutorial-resource-onboarding.md
In this tutorial, there are two pieces that need to be deployed: **the custom pr
The template will use these resources:
-* [Microsoft.CustomProviders/resourceProviders](/azure/templates/microsoft.customproviders/resourcproviders)
+* [Microsoft.CustomProviders/resourceProviders](/azure/templates/microsoft.customproviders/resourceproviders)
* [Microsoft.Logic/workflows](/azure/templates/microsoft.logic/workflows) * [Microsoft.CustomProviders/associations](/azure/templates/microsoft.customproviders/associations)
azure-resource-manager Resource Name Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/resource-name-rules.md
In the following tables, the term alphanumeric refers to:
> | locks | scope of assignment | 1-90 | Alphanumerics, periods, underscores, hyphens, and parenthesis.<br><br>Can't end in period. | > | policyAssignments | scope of assignment | 1-128 display name<br><br>1-64 resource name<br><br>1-24 resource name at management group scope | Display name can contain any characters.<br><br>Resource name can't use:<br>`<>*%&:\?.+/` or control characters. <br><br>Can't end with period or space. | > | policyDefinitions | scope of definition | 1-128 display name<br><br>1-64 resource name | Display name can contain any characters.<br><br>Resource name can't use:<br>`<>*%&:\?.+/` or control characters. <br><br>Can't end with period or space. |
-> | policySetDefinitions | scope of definition | 1-128 display name<br><br>1-64 resource name<br><br>1-24 resource name at management group scope | Display name can contain any characters.<br><br>Resource name can't use:<br>`<>*%&:\?.+/` or control characters. <br><br>Can't end with period or space. |
+> | policySetDefinitions | scope of definition | 1-128 display name<br><br>1-64 resource name<br><br>1-64 resource name at management group scope | Display name can contain any characters.<br><br>Resource name can't use:<br>`<>*%&:\?.+/` or control characters. <br><br>Can't end with period or space. |
> | roleAssignments | tenant | 36 | Must be a globally unique identifier (GUID). | > | roleDefinitions | tenant | 36 | Must be a globally unique identifier (GUID). |
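Review bot: raising the management-group-scope resource-name limit for policySetDefinitions from 1-24 to 1-64 leaves that row inconsistent with the policyAssignments row directly above, which still states 1-24 at management group scope. If the two resource types genuinely have different limits that is fine, but please confirm the value against the Microsoft.Authorization provider before merging, since readers will read the two rows side by side.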
azure-resource-manager Template Functions Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-functions-resource.md
The possible uses of `list*` are shown in the following table.
| Microsoft.ApiManagement/service/namedValues | [listValue](/rest/api/apimanagement/current-ga/named-value/list-value) | | Microsoft.ApiManagement/service/openidConnectProviders | [listSecrets](/rest/api/apimanagement/current-ga/openid-connect-provider/list-secrets) | | Microsoft.ApiManagement/service/subscriptions | [listSecrets](/rest/api/apimanagement/current-ga/subscription/list-secrets) |
-| Microsoft.AppConfiguration/configurationStores | [ListKeys](/rest/api/appconfiguration/configurationstores/listkeys) |
+| Microsoft.AppConfiguration/configurationStores | [ListKeys](/rest/api/appconfiguration/stable/configuration-stores/list-keys) |
| Microsoft.AppPlatform/Spring | [listTestKeys](/rest/api/azurespringapps/services/list-test-keys) | | Microsoft.Automation/automationAccounts | [listKeys](/rest/api/automation/keys/listbyautomationaccount) | | Microsoft.Batch/batchAccounts | [listKeys](/rest/api/batchmanagement/batchaccount/getkeys) |
azure-signalr Signalr Howto Scale Multi Instances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/signalr-howto-scale-multi-instances.md
private class CustomRouter : EndpointRouterDecorator
## Dynamic Scale ServiceEndpoints
-From SDK version 1.5.0, we're enabling dynamic scale ServiceEndpoints for ASP.NET Core version first. So you don't have to restart app server when you need to add/remove a ServiceEndpoint. As ASP.NET Core is supporting default configuration like `appsettings.json` with `reloadOnChange: true`, you don't need to change a code and it's supported by nature. And if you'd like to add some customized configuration and work with hot-reload, please refer to [this](/aspnet/core/fundamentals/configuration/?view=aspnetcore-3.1).
+From SDK version 1.5.0, we're enabling dynamic scale ServiceEndpoints for ASP.NET Core version first. So you don't have to restart app server when you need to add/remove a ServiceEndpoint. As ASP.NET Core is supporting default configuration like `appsettings.json` with `reloadOnChange: true`, you don't need to change a code and it's supported by nature. And if you'd like to add some customized configuration and work with hot-reload, please refer to [this](/aspnet/core/fundamentals/configuration/?view=aspnetcore-3.1&preserve-view=true).
> [!NOTE] >
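Review bot: while touching this line, the surrounding sentence has several grammar issues that could be fixed in the same change: "As ASP.NET Core is supporting default configuration" should be "Because ASP.NET Core supports default configuration", "you don't need to change a code and it's supported by nature" should be "you don't need to change any code; it's supported out of the box", and "restart app server" should be "restart the app server".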
azure-video-indexer Network Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/network-security.md
# NSG service tags for Azure Video Indexer
-Azure Video Indexer (formerly Video Analyzer for Media) is a service hosted on Azure. In some architecture cases the service needs to interact with other services in order to index video files (that is, a Storage Account) or when a customer orchestrates indexing jobs against our API endpoint using their own service hosted on Azure (i.e AKS, Web Apps, Logic Apps, Functions). Customers who would like to limit access to their resources on a network level can use [Network Security Groups with Service Tags](../virtual-network/service-tags-overview.md). A service tag represents a group of IP address prefixes from a given Azure service, in this case Azure Video Indexer. Microsoft manages the address prefixes grouped by the service tag and automatically updates the service tag as addresses change in our backend, minimizing the complexity of frequent updates to network security rules by the customer.
+Azure Video Indexer (formerly Video Analyzer for Media) is a service hosted on Azure. In some architecture cases the service needs to interact with other services in order to index video files (that is, a Storage Account) or when a customer orchestrates indexing jobs against our API endpoint using their own service hosted on Azure (i.e AKS, Web Apps, Logic Apps, Functions). Customers who would like to limit access to their resources on a network level can use [Network Security Groups with Service Tags](/azure/virtual-network/service-tags-overview). A service tag represents a group of IP address prefixes from a given Azure service, in this case Azure Video Indexer. Microsoft manages the address prefixes grouped by the service tag and automatically updates the service tag as addresses change in our backend, minimizing the complexity of frequent updates to network security rules by the customer.
## Get started with service tags
This tag contains the IP addresses of Azure Video Indexer services for all regio
## Using Azure CLI
-You can also use Azure CLI to create a new or update an existing NSG rule and add the **AzureVideoAnalyzerForMedia** service tag using the `--source-address-prefixes`. For a full list of CLI commands and parameters see [az network nsg](/cli/azure/network/nsg/rule?view=azure-cli-latest)
+You can also use Azure CLI to create a new or update an existing NSG rule and add the **AzureVideoAnalyzerForMedia** service tag using the `--source-address-prefixes`. For a full list of CLI commands and parameters see [az network nsg](/cli/azure/network/nsg/rule?view=azure-cli-latest&preserve-view=true)
Example of a security rule using service tags. For more details, visit https://aka.ms/servicetags
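Review bot: the changed sentence still lacks its closing period and reads awkwardly ("create a new or update an existing NSG rule", "using the `--source-address-prefixes`"). Suggest: "You can also use Azure CLI to create or update an NSG rule and add the **AzureVideoAnalyzerForMedia** service tag with the `--source-address-prefixes` parameter. For a full list of CLI commands and parameters, see [az network nsg rule](...)." Note also that the link text says `az network nsg` while the target path is `network/nsg/rule`, so the link text should name the `rule` subgroup.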
azure-vmware Attach Azure Netapp Files To Azure Vmware Solution Hosts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md
Title: Attach Azure NetApp Files datastores to Azure VMware Solution hosts (Preview) description: Learn how to create Azure NetApp Files-based NFS datastores for Azure VMware Solution hosts. + Last updated 05/10/2022
To attach an Azure NetApp Files volume to your private cloud using Portal, follo
1. Search for **Microsoft.AVS** and select it. 1. Select **Register**. 1. Under **Settings**, select **Preview features**.
- 1. Verify you're registered for both the `CloudSanExperience` and `AfnDatstoreExperience` features.
+ 1. Verify you're registered for both the `CloudSanExperience` and `AnfDatstoreExperience` features.
1. Navigate to your Azure VMware Solution. Under **Manage**, select **Storage (preview)**. 1. Select **Connect Azure NetApp Files volume**.
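Review bot: the corrected feature name `AnfDatstoreExperience` still contains what looks like a misspelling ("Datstore" rather than "Datastore"). Because readers will search the Preview features blade for this string literally, please verify the exact registered feature name before merging rather than only fixing the `Afn`/`Anf` transposition.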
azure-vmware Attach Disk Pools To Azure Vmware Solution Hosts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/attach-disk-pools-to-azure-vmware-solution-hosts.md
Title: Attach Azure disk pools to Azure VMware Solution hosts (Preview) description: Learn how to attach an Azure disk pool surfaced through an iSCSI target as the VMware vSphere datastore of an Azure VMware Solution private cloud. Once the datastore is configured, you can create volumes on it and consume them from your Azure VMware Solution private cloud. + Last updated 11/02/2021 #Customer intent: As an Azure service administrator, I want to scale my AVS hosts using disk pools instead of scaling clusters. So that I can use block storage for active working sets and tier less frequently accessed data from vSAN to disks. I can also replicate data from on-premises or primary VMware vSphere environment to disk storage for the secondary site.
azure-vmware Azure Security Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/azure-security-integration.md
Title: Integrate Microsoft Defender for Cloud with Azure VMware Solution description: Learn how to protect your Azure VMware Solution VMs with Azure's native security tools from the workload protection dashboard. + Last updated 06/14/2021
azure-vmware Azure Vmware Solution Citrix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/azure-vmware-solution-citrix.md
Title: Deploy Citrix on Azure VMware Solution description: Learn how to deploy VMware Citrix on Azure VMware Solution. + Last updated 11/02/2021
azure-vmware Azure Vmware Solution Horizon https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/azure-vmware-solution-horizon.md
Title: Deploy Horizon on Azure VMware Solution description: Learn how to deploy VMware Horizon on Azure VMware Solution. + Last updated 04/11/2022
azure-vmware Azure Vmware Solution Platform Updates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/azure-vmware-solution-platform-updates.md
Title: Platform updates for Azure VMware Solution
description: Learn about the platform updates to Azure VMware Solution. + Last updated 12/22/2021
Azure VMware Solution will apply important updates starting in March 2021. You'll receive a notification through Azure Service Health that includes the timeline of the maintenance. For more information, see [Host maintenance and lifecycle management](concepts-private-clouds-clusters.md#host-maintenance-and-lifecycle-management). +
+## June 7, 2022
+
+All new Azure VMware Solution private clouds in regions (East US2, Canada Central, North Europe, and Japan East), are now deployed in with VMware vCenter Server version 7.0 Update 3c and ESXi version 7.0 Update 3c.
+
+Any existing private clouds in the above mentioned regions will also be upgraded to these versions. For more information, please see [VMware ESXi 7.0 Update 3c Release Notes](https://docs.vmware.com/VMware-vSphere/7.0/rn/vsphere-esxi-70u3c-release-notes.html) and [VMware vCenter Server 7.0 Update 3c Release Notes](https://docs.vmware.com/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3c-release-notes.html).
+ ## May 23, 2022 All new Azure VMware Solution private clouds in regions (Germany West Central, Australia East, Central US and UK West), are now deployed with VMware vCenter Server version 7.0 Update 3c and ESXi version 7.0 Update 3c.
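Review bot: the June 7 paragraph has a stray "in" in "are now deployed in with VMware vCenter Server version 7.0 Update 3c"; the May 23 entry below uses "are now deployed with", so match that wording. Also "above mentioned regions" should be hyphenated as "above-mentioned regions", and "(East US2, ...)" should be "East US 2" to match the Azure region display name used elsewhere in these docs.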
azure-vmware Backup Azure Vmware Solution Virtual Machines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/backup-azure-vmware-solution-virtual-machines.md
Title: Back up Azure VMware Solution VMs with Azure Backup Server description: Configure your Azure VMware Solution environment to back up virtual machines by using Azure Backup Server. + Last updated 04/06/2022
azure-vmware Bitnami Appliances Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/bitnami-appliances-deployment.md
Title: Deploy Bitnami virtual appliances description: Learn about the virtual appliances packed by Bitnami to deploy in your Azure VMware Solution private cloud. + Last updated 04/11/2022- # Bitnami appliance deployment
azure-vmware Concepts Api Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/concepts-api-management.md
Title: Concepts - API Management description: Learn how API Management protects APIs running on Azure VMware Solution virtual machines (VMs) + Last updated 04/28/2021
azure-vmware Concepts Design Public Internet Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/concepts-design-public-internet-access.md
Title: Concept - Internet connectivity design considerations (Preview) description: Options for Azure VMware Solution Internet Connectivity. + Last updated 5/12/2022 + # Internet connectivity design considerations (Preview) There are three primary patterns for creating outbound access to the Internet from Azure VMware Solution and to enable inbound Internet access to resources on your Azure VMware Solution private cloud.
azure-vmware Concepts Hub And Spoke https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/concepts-hub-and-spoke.md
Title: Concept - Integrate an Azure VMware Solution deployment in a hub and spoke architecture description: Learn about integrating an Azure VMware Solution deployment in a hub and spoke architecture on Azure. + Last updated 10/26/2020
azure-vmware Concepts Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/concepts-identity.md
Title: Concepts - Identity and access description: Learn about the identity and access concepts of Azure VMware Solution + Last updated 06/06/2022
azure-vmware Concepts Network Design Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/concepts-network-design-considerations.md
Title: Concepts - Network design considerations description: Learn about network design considerations for Azure VMware Solution + Last updated 03/04/2022
azure-vmware Concepts Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/concepts-networking.md
Title: Concepts - Network interconnectivity description: Learn about key aspects and use cases of networking and interconnectivity in Azure VMware Solution. + Last updated 06/28/2021
azure-vmware Concepts Private Clouds Clusters https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/concepts-private-clouds-clusters.md
Title: Concepts - Private clouds and clusters description: Learn about the key capabilities of Azure VMware Solution software-defined data centers and VMware vSphere clusters. + Last updated 08/25/2021
azure-vmware Concepts Run Command https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/concepts-run-command.md
Title: Concepts - Run command in Azure VMware Solution (Preview) description: Learn about using run commands in Azure VMware Solution. + Last updated 09/17/2021
azure-vmware Concepts Security Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/concepts-security-recommendations.md
Title: Concepts - Security recommendations for Azure VMware Solution description: Learn about tips and best practices to help protect Azure VMware Solution deployments from vulnerabilities and malicious actors. + Last updated 01/10/2022
azure-vmware Concepts Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/concepts-storage.md
Title: Concepts - Storage
description: Learn about storage capacity, storage policies, fault tolerance, and storage integration in Azure VMware Solution private clouds. + Last updated 05/02/2022
azure-vmware Configure Alerts For Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-alerts-for-azure-vmware-solution.md
Title: Configure alerts and work with metrics in Azure VMware Solution description: Learn how to use alerts to receive notifications. Also learn how to work with metrics to gain deeper insights into your Azure VMware Solution private cloud. + Last updated 07/23/2021
azure-vmware Configure Dhcp Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-dhcp-azure-vmware-solution.md
Title: Configure DHCP for Azure VMware Solution
description: Learn how to configure DHCP by using either NSX-T Manager to host a DHCP server or use a third-party external DHCP server. + Last updated 04/08/2022 # Customer intent: As an Azure service administrator, I want to configure DHCP by using either NSX-T Manager to host a DHCP server or use a third-party external DHCP server.
azure-vmware Configure Dns Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-dns-azure-vmware-solution.md
Title: Configure DNS forwarder for Azure VMware Solution
description: Learn how to configure DNS forwarder for Azure VMware Solution using the Azure portal. + Last updated 04/11/2022 #Customer intent: As an Azure service administrator, I want to <define conditional forwarding rules for a desired domain name to a desired set of private DNS servers via the NSX-T Data Center DNS Service.>
azure-vmware Configure Github Enterprise Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-github-enterprise-server.md
Title: Configure GitHub Enterprise Server on Azure VMware Solution description: Learn how to Set up GitHub Enterprise Server on your Azure VMware Solution private cloud. + Last updated 07/07/2021
azure-vmware Configure Hcx Network Extension High Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-hcx-network-extension-high-availability.md
Title: Configure HCX network extension high availability description: Learn how to configure HCX network extension high availability + Last updated 05/06/2022
azure-vmware Configure Hcx Network Extension https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-hcx-network-extension.md
Title: Create an HCX network extension description: Learn how to extend any networks from your on-premises environment to Azure VMware Solution. + Last updated 09/07/2021
azure-vmware Configure Identity Source Vcenter https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-identity-source-vcenter.md
Title: Configure external identity source for vCenter Server description: Learn how to configure Active Directory over LDAP or LDAPS for vCenter Server as an external identity source. + Last updated 04/22/2022
azure-vmware Configure L2 Stretched Vmware Hcx Networks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-l2-stretched-vmware-hcx-networks.md
Title: Configure DHCP on L2 stretched VMware HCX networks
description: Learn how to send DHCP requests from your Azure VMware Solution VMs to a non-NSX-T DHCP server. + Last updated 04/11/2022 # Customer intent: As an Azure service administrator, I want to configure DHCP on L2 stretched VMware HCX networks to send DHCP requests from my Azure VMware Solution VMs to a non-NSX-T DHCP server.
azure-vmware Configure Nsx Network Components Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-nsx-network-components-azure-portal.md
Title: Configure NSX-T Data Center network components using Azure VMware Solution description: Learn how to use the Azure VMware Solution to configure NSX-T Data Center network segments. + Last updated 04/11/2022 # Customer intent: As an Azure service administrator, I want to configure NSX-T Data Center network components using a simplified view of NSX-T Data Center operations a VMware administrator needs daily. The simplified view is targeted at users unfamiliar with NSX-T Manager.
azure-vmware Configure Port Mirroring Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-port-mirroring-azure-vmware-solution.md
Title: Configure port mirroring for Azure VMware Solution
description: Learn how to configure port mirroring to monitor network traffic that involves forwarding a copy of each packet from one network switch port to another. + Last updated 04/11/2022 # Customer intent: As an Azure service administrator, I want to configure port mirroring to monitor network traffic that involves forwarding a copy of each packet from one network switch port to another.
azure-vmware Configure Site To Site Vpn Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-site-to-site-vpn-gateway.md
Title: Configure a site-to-site VPN in vWAN for Azure VMware Solution
description: Learn how to establish a VPN (IPsec IKEv1 and IKEv2) site-to-site tunnel into Azure VMware Solutions. + Last updated 04/11/2022
azure-vmware Configure Storage Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-storage-policy.md
Title: Configure storage policy description: Learn how to configure storage policy for your Azure VMware Solution virtual machines. + Last updated 04/11/2022 #Customer intent: As an Azure service administrator, I want set the VMware vSAN storage policies to determine how storage is allocated to the VM.
azure-vmware Configure Vmware Hcx https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-vmware-hcx.md
Title: Configure VMware HCX in Azure VMware Solution description: Configure the on-premises VMware HCX Connector for your Azure VMware Solution private cloud. + Last updated 09/07/2021
azure-vmware Configure Vmware Syslogs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-vmware-syslogs.md
Title: Configure VMware syslogs for Azure VMware Solution description: Learn how to configure diagnostic settings to collect VMware syslogs for your Azure VMware Solution private cloud. + Last updated 04/11/2022 #Customer intent: As an Azure service administrator, I want to collect VMware syslogs and store it in my storage account so that I can view the vCenter Server logs and analyze for any diagnostic purposes.
azure-vmware Configure Windows Server Failover Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-windows-server-failover-cluster.md
Title: Configure Windows Server Failover Cluster on Azure VMware Solution vSAN description: Learn how to configure Windows Server Failover Cluster (WSFC) on Azure VMware Solution vSAN with native shared disks. + Last updated 04/11/2022
azure-vmware Connect Multiple Private Clouds Same Region https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/connect-multiple-private-clouds-same-region.md
Title: Connect multiple Azure VMware Solution private clouds in the same region description: Learn how to create a network connection between two or more Azure VMware Solution private clouds located in the same region. + Last updated 09/20/2021 #Customer intent: As an Azure service administrator, I want create a network connection between two or more Azure VMware Solution private clouds located in the same region.
azure-vmware Create Placement Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/create-placement-policy.md
Title: Create placement policy description: Learn how to create a placement policy in Azure VMware Solution to control the placement of virtual machines (VMs) on hosts within a cluster through the Azure portal. + Last updated 04/07/2022 #Customer intent: As an Azure service administrator, I want to control the placement of virtual machines on hosts within a cluster in my private cloud.
azure-vmware Deploy Arc For Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/deploy-arc-for-azure-vmware-solution.md
Title: Deploy Arc for Azure VMware Solution (Preview) description: Learn how to set up and enable Arc for your Azure VMware Solution private cloud. + Last updated 04/11/2022
azure-vmware Deploy Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/deploy-azure-vmware-solution.md
Title: Deploy and configure Azure VMware Solution
description: Learn how to use the information gathered in the planning stage to deploy and configure the Azure VMware Solution private cloud. + Last updated 07/28/2021
azure-vmware Deploy Disaster Recovery Using Jetstream https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/deploy-disaster-recovery-using-jetstream.md
Title: Deploy disaster recovery using JetStream DR description: Learn how to implement JetStream DR for your Azure VMware Solution private cloud and on-premises VMware workloads. + Last updated 04/11/2022
azure-vmware Deploy Disaster Recovery Using Vmware Hcx https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/deploy-disaster-recovery-using-vmware-hcx.md
Title: Deploy disaster recovery using VMware HCX description: Learn how to deploy disaster recovery of your virtual machines (VMs) with VMware HCX Disaster Recovery. Also learn how to use Azure VMware Solution as the recovery or target site. + Last updated 06/10/2021
azure-vmware Deploy Traffic Manager Balance Workloads https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/deploy-traffic-manager-balance-workloads.md
Title: Deploy Traffic Manager to balance Azure VMware Solution workloads description: Learn how to integrate Traffic Manager with Azure VMware Solution to balance application workloads across multiple endpoints in different regions. + Last updated 02/08/2021
azure-vmware Deploy Vm Content Library https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/deploy-vm-content-library.md
Title: Create a content library to deploy VMs in Azure VMware Solution description: Create a content library to deploy a VM in an Azure VMware Solution private cloud. + Last updated 04/11/2022
azure-vmware Deploy Zerto Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/deploy-zerto-disaster-recovery.md
Title: Deploy Zerto disaster recovery on Azure VMware Solution (Initial Availability) description: Learn how to implement Zerto disaster recovery for on-premises VMware or Azure VMware Solution virtual machines. + Last updated 10/25/2021
azure-vmware Disable Internet Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/disable-internet-access.md
Title: Disable internet access or enable a default route description: This article explains how to disable internet access for Azure VMware Solution and enable default route for Azure VMware Solution. + Last updated 05/12/2022 + # Disable internet access or enable a default route In this article, you'll learn how to disable Internet access or enable a default route for your Azure VMware Solution private cloud. There are multiple ways to set up a default route. You can use a Virtual WAN hub, Network Virtual Appliance in a Virtual Network, or use a default route from on-premise. If you don't set up a default route, there will be no Internet access to your Azure VMware Solution private cloud.
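Review bot: the added intro paragraph mixes "Internet" (twice, capitalized) with the lowercase "internet" used in the title "Disable internet access or enable a default route", and "a default route from on-premise" should be "a default route from on-premises". Suggest normalizing to lowercase "internet" throughout the paragraph and fixing the "on-premises" spelling in the same change, since the sentence "If you don't set up a default route, there will be no Internet access to your Azure VMware Solution private cloud" is the one readers will quote.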
azure-vmware Disaster Recovery Using Vmware Site Recovery Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/disaster-recovery-using-vmware-site-recovery-manager.md
Title: Deploy disaster recovery with VMware Site Recovery Manager description: Deploy disaster recovery with VMware Site Recovery Manager (SRM) in your Azure VMware Solution private cloud. + Last updated 04/11/2022
azure-vmware Ecosystem App Monitoring Solutions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/ecosystem-app-monitoring-solutions.md
Title: Application performance monitoring and troubleshooting solutions for Azure VMware Solution description: Learn about leading application monitoring and troubleshooting solutions for your Azure VMware Solution private cloud. + Last updated 04/11/2022
azure-vmware Ecosystem Back Up Vms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/ecosystem-back-up-vms.md
Title: Backup solutions for Azure VMware Solution virtual machines description: Learn about leading backup and restore solutions for your Azure VMware Solution virtual machines. + Last updated 04/21/2021
azure-vmware Ecosystem Disaster Recovery Vms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/ecosystem-disaster-recovery-vms.md
Title: Disaster recovery solutions for Azure VMware Solution virtual machines description: Learn about leading disaster recovery solutions for your Azure VMware Solution private cloud. + Last updated 11/29/2021 + # Disaster recovery solutions for Azure VMware Solution virtual machines (VMs) One of the most important aspects of any Azure VMware Solution deployment is disaster recovery, which can be achieved by creating disaster recovery plans between different Azure VMware Solution regions or between Azure and an on-premises vSphere environment.
azure-vmware Ecosystem Migration Vms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/ecosystem-migration-vms.md
Title: Migration solutions for Azure VMware Solution virtual machines description: Learn about leading migration solutions for your Azure VMware Solution virtual machines. + Last updated 03/22/2021
azure-vmware Ecosystem Os Vms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/ecosystem-os-vms.md
Title: Operating system support for Azure VMware Solution virtual machines description: Learn about operating system support for your Azure VMware Solution virtual machines. + Last updated 04/11/2022
azure-vmware Ecosystem Security Solutions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/ecosystem-security-solutions.md
Title: Security solutions for Azure VMware Solution description: Learn about leading security solutions for your Azure VMware Solution private cloud. + Last updated 04/11/2022 + # Security solutions for Azure VMware Solution A fundamental part of Azure VMware Solution is security. It allows customers to run their VMware-based workloads in a safe and trustable environment.
azure-vmware Enable Managed Snat For Workloads https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/enable-managed-snat-for-workloads.md
Title: Enable Managed SNAT for Azure VMware Solution Workloads description: This article explains how to enable Managed SNAT for Azure VMware Solution Workloads. + Last updated 05/12/2022 + # Enable Managed SNAT for Azure VMware Solution workloads In this article, you'll learn how to enable Azure VMware SolutionΓÇÖs Managed Source NAT (SNAT) to connect to the Internet outbound. A SNAT service translates from RFC1918 space to the public Internet for simple outbound Internet access. The SNAT service won't work when you have a default route from Azure.
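Review bot: the added heading paragraph contains mojibake, "Azure VMware SolutionΓÇÖs", which is a UTF-8 right single quotation mark decoded as Windows-1252; replace it with a plain ASCII apostrophe ("Azure VMware Solution's") so the page renders correctly and the file stays clean in either encoding. The same paragraph states that the SNAT service won't work when a default route from Azure is present; consider linking that sentence to the "Disable internet access or enable a default route" article, since that is where the default-route options (Virtual WAN hub, NVA, on-premises) are described and readers need to pick one or the other.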
azure-vmware Enable Public Internet Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/enable-public-internet-access.md
Title: Enable public internet for Azure VMware Solution workloads description: This article explains how to use the public IP functionality in Azure Virtual WAN. + Last updated 06/25/2021 + # Enable public internet for Azure VMware Solution workloads Public IP is a feature in Azure VMware Solution connectivity. It makes resources, such as web servers, virtual machines (VMs), and hosts accessible through a public network.
azure-vmware Enable Public Ip Nsx Edge https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/enable-public-ip-nsx-edge.md
Title: Enable Public IP to the NSX Edge for Azure VMware Solution (Preview) description: This article explains how to enable internet access for your Azure VMware Solution. + Last updated 05/12/2022 + # Enable Public IP to the NSX Edge for Azure VMware Solution (Preview) In this article, you'll learn how to enable Public IP to the NSX Edge for your Azure VMware Solution.
azure-vmware Fix Deployment Failures https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/fix-deployment-failures.md
Title: Support for Azure VMware Solution deployment or provisioning failure description: Get information from your Azure VMware Solution private cloud to file a service request for an Azure VMware Solution deployment or provisioning failure. + Last updated 10/28/2020
azure-vmware Install Vmware Hcx https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/install-vmware-hcx.md
Title: Install VMware HCX in Azure VMware Solution description: Install VMware HCX in your Azure VMware Solution private cloud. + Last updated 03/29/2022
azure-vmware Integrate Azure Native Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/integrate-azure-native-services.md
Title: Monitor and protect VMs with Azure native services description: Learn how to integrate and deploy Microsoft Azure native tools to monitor and manage your Azure VMware Solution workloads. + Last updated 08/15/2021
azure-vmware Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/introduction.md
Title: Introduction description: Learn the features and benefits of Azure VMware Solution to deploy and manage VMware-based workloads in Azure. Azure VMware Solution SLA guarantees that Azure VMware management tools (vCenter Server and NSX Manager) will be available at least 99.9% of the time. + Last updated 04/20/2021
azure-vmware Move Azure Vmware Solution Across Regions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/move-azure-vmware-solution-across-regions.md
Title: Move Azure VMware Solution resources across regions
description: This article describes how to move Azure VMware Solution resources from one Azure region to another. + Last updated 04/11/2022 # Customer intent: As an Azure service administrator, I want to move my Azure VMware Solution resources from Azure Region A to Azure Region B.
azure-vmware Move Ea Csp Subscriptions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/move-ea-csp-subscriptions.md
Title: Move Azure VMware Solution subscription to another subscription
description: This article describes how to move Azure VMware Solution subscription to another subscription. You might move your resources for various reasons, such as billing. + Last updated 04/26/2021 # Customer intent: As an Azure service administrator, I want to move my Azure VMware Solution subscription to another subscription.
azure-vmware Netapp Files With Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/netapp-files-with-azure-vmware-solution.md
Title: Attach Azure NetApp Files to Azure VMware Solution VMs description: Use Azure NetApp Files with Azure VMware Solution VMs to migrate and sync data across on-premises servers, Azure VMware Solution VMs, and cloud infrastructures. + Last updated 05/10/2022
azure-vmware Plan Private Cloud Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/plan-private-cloud-deployment.md
Title: Plan the Azure VMware Solution deployment
description: Learn how to plan your Azure VMware Solution deployment. + Last updated 09/27/2021
azure-vmware Protect Azure Vmware Solution With Application Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/protect-azure-vmware-solution-with-application-gateway.md
Title: Protect web apps on Azure VMware Solution with Azure Application Gateway description: Configure Azure Application Gateway to securely expose your web apps running on Azure VMware Solution. + Last updated 02/10/2021
azure-vmware Request Host Quota Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/request-host-quota-azure-vmware-solution.md
Title: Request host quota for Azure VMware Solution
description: Learn how to request host quota/capacity for Azure VMware Solution. You can also request more hosts in an existing Azure VMware Solution private cloud. + Last updated 09/27/2021 #Customer intent: As an Azure service admin, I want to request hosts for either a new private cloud deployment or I want to have more hosts allocated in an existing private cloud.
azure-vmware Reserved Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/reserved-instance.md
Title: Reserved instances of Azure VMware Solution description: Learn how to buy a reserved instance for Azure VMware Solution. The reserved instance covers only the compute part of your usage and includes software licensing costs. + Last updated 05/13/2021
azure-vmware Rotate Cloudadmin Credentials https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/rotate-cloudadmin-credentials.md
Title: Rotate the cloudadmin credentials for Azure VMware Solution description: Learn how to rotate the vCenter Server credentials for your Azure VMware Solution private cloud. + Last updated 04/11/2022 #Customer intent: As an Azure service administrator, I want to rotate my cloudadmin credentials so that the HCX Connector has the latest vCenter Server CloudAdmin credentials.
azure-vmware Set Up Backup Server For Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/set-up-backup-server-for-azure-vmware-solution.md
Title: Set up Azure Backup Server for Azure VMware Solution description: Set up your Azure VMware Solution environment to back up virtual machines using Azure Backup Server. + Last updated 04/06/2022
azure-vmware Tutorial Access Private Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/tutorial-access-private-cloud.md
Title: Tutorial - Access your private cloud description: Learn how to access an Azure VMware Solution private cloud + Last updated 08/13/2021
azure-vmware Tutorial Configure Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/tutorial-configure-networking.md
Title: Tutorial - Configure networking for your VMware private cloud in Azure
description: Learn to create and configure the networking needed to deploy your private cloud in Azure + Last updated 05/31/2022
azure-vmware Tutorial Create Private Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/tutorial-create-private-cloud.md
Title: Tutorial - Deploy an Azure VMware Solution private cloud description: Learn how to create and deploy an Azure VMware Solution private cloud + Last updated 09/29/2021
azure-vmware Tutorial Delete Private Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/tutorial-delete-private-cloud.md
Title: Tutorial - Delete an Azure VMware Solution private cloud description: Learn how to delete an Azure VMware Solution private cloud that you no longer need. + Last updated 03/13/2021
azure-vmware Tutorial Expressroute Global Reach Private Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/tutorial-expressroute-global-reach-private-cloud.md
Title: Peer on-premises environments to Azure VMware Solution
description: Learn how to create ExpressRoute Global Reach peering to a private cloud in Azure VMware Solution. + Last updated 07/28/2021
azure-vmware Tutorial Network Checklist https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/tutorial-network-checklist.md
Title: Tutorial - Network planning checklist description: Learn about the network requirements for network connectivity and network ports on Azure VMware Solution. + Last updated 07/01/2021
azure-vmware Tutorial Nsx T Network Segment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/tutorial-nsx-t-network-segment.md
Title: Tutorial - Add a network segment in Azure VMware Solution
description: Learn how to add a network segment to use for virtual machines (VMs) in vCenter Server. + Last updated 07/16/2021
azure-vmware Tutorial Scale Private Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/tutorial-scale-private-cloud.md
Title: Tutorial - Scale clusters in a private cloud description: In this tutorial, you use the Azure portal to scale an Azure VMware Solution private cloud. + Last updated 08/03/2021 #Customer intent: As a VMware administrator, I want to learn how to scale an Azure VMware Solution private cloud in the Azure portal.
azure-vmware Vmware Hcx Mon Guidance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/vmware-hcx-mon-guidance.md
Title: VMware HCX Mobility Optimized Networking (MON) guidance description: Learn about Azure VMware Solution-specific use cases for Mobility Optimized Networking (MON). + Last updated 04/11/2022
azure-vmware Vrealize Operations For Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/vrealize-operations-for-azure-vmware-solution.md
Title: Configure vRealize Operations for Azure VMware Solution description: Learn how to set up vRealize Operations for your Azure VMware Solution private cloud. + Last updated 04/11/2022
azure-web-pubsub Reference Server Sdk Js https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/reference-server-sdk-js.md
When a WebSocket connection connects, the Web PubSub service transforms the conn
[Source code](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/web-pubsub/web-pubsub-express) | [Package (NPM)](https://www.npmjs.com/package/@azure/web-pubsub-express) |
-[API reference documentation](/javascript/api/overview/azure/web-pubsub-express-readme?view=azure-node-latest) |
+[API reference documentation](/javascript/api/overview/azure/web-pubsub-express-readme?view=azure-node-latest&preserve-view=true) |
[Product documentation](./index.yml) | [Samples][samples_ref]
azure-web-pubsub Tutorial Serverless Static Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/tutorial-serverless-static-web-app.md
Title: Tutorial - Create a serverless chat app using Azure Web PubSub service and Azure Static Web Apps
-description: A tutorial for how to use Azure Web PubSub service and Azure Static Web Apps to build a serverless chat application.
+ Title: Tutorial - Create a serverless chat app with Azure Web PubSub service and Azure Static Web Apps
+description: A tutorial about how to use Azure Web PubSub service and Azure Static Web Apps to build a serverless chat application.
Previously updated : 06/01/2022 Last updated : 06/03/2022
-# Tutorial: Create a serverless chat app using Azure Web PubSub service and Azure Static Web Apps
+# Tutorial: Create a serverless chat app with Azure Web PubSub service and Azure Static Web Apps
-The Azure Web PubSub service helps you build real-time messaging web applications using WebSockets. And with Azure Static Web Apps, you can automatically build and deploy full stack web apps to Azure from a code repository conveniently. In this tutorial, you learn how to use Azure Web PubSub service and Azure Static Web Apps to build a serverless real-time messaging application under chat room scenario.
+Azure Web PubSub service helps you build real-time messaging web applications using WebSockets. By using Azure Static Web Apps, you can automatically build and deploy full-stack web apps to Azure from a code repository. In this tutorial, you'll learn how to use Web PubSub service and Static Web Apps to build a serverless, real-time chat room messaging application.
-In this tutorial, you learn how to:
+In this tutorial, you'll learn how to:
> [!div class="checklist"] > * Build a serverless chat app
In this tutorial, you learn how to:
## Overview
-* GitHub along with DevOps provide source control and continuous delivery. So whenever there's code change to the source repo, Azure DevOps pipeline will soon apply it to Azure Static Web App and present to endpoint user.
-* When a new user is login, Functions `login` API will be triggered and generate Azure Web PubSub service client connection url.
-* When client init the connection request to Azure Web PubSub service, service will send a system `connect` event and Functions `connect` API will be triggered to auth the user.
-* When client send message to Azure Web PubSub service, service will send a user `message` event and Functions `message` API will be triggered and broadcast the message to all the connected clients.
-* Functions `validate` API will be triggered periodically for [CloudEvents Abuse Protection](https://github.com/cloudevents/spec/blob/v1.0/http-webhook.md#4-abuse-protection) purpose, when the events in Azure Web PubSub are configured with predefined parameter `{event}`, that is, https://$STATIC_WEB_APP/api/{event}.
+GitHub or Azure Repos provide source control for Static Web Apps. Azure monitors the repo branch you select, and every time there's a code change to the source repo a new build of your web app is automatically run and deployed to Azure. Continuous delivery is provided by GitHub Actions and Azure Pipelines. Static Web Apps detects the new build and presents it to the endpoint user.
+
+The sample chat room application provided with this tutorial has the following workflow.
+
+1. When a user signs in to the app, the Azure Functions `login` API will be triggered to generate a Web PubSub service client connection URL.
+1. When the client initializes the connection request to Web PubSub, the service sends a system `connect` event that triggers the Functions `connect` API to authenticate the user.
+1. When a client sends a message to Azure Web PubSub service, the service will respond with a user `message` event and the Functions `message` API will be triggered to broadcast the message to all the connected clients.
+1. The Functions `validate` API is triggered periodically for [CloudEvents Abuse Protection](https://github.com/cloudevents/spec/blob/v1.0/http-webhook.md#4-abuse-protection) when the events in Azure Web PubSub are configured with predefined parameter `{event}`, that is, https://$STATIC_WEB_APP/api/{event}.
> [!NOTE]
-> Functions APIs `connect` and `message` will be triggered when Azure Web PubSub service is configured with these 2 events.
+> The Functions APIs `connect` and `message` are triggered when Azure Web PubSub service is configured with these two events.
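Review bot: step 3 of the added workflow says the service "will respond with a user `message` event", but the service doesn't respond to the client with that event; it delivers the event to the configured event handler, which is how step 2 already phrases the system `connect` event ("the service sends a system `connect` event that triggers the Functions `connect` API"). Suggest "the service sends a user `message` event to the Functions `message` API, which broadcasts the message to all connected clients." Step 4's "triggered periodically" is also doubtful: the linked CloudEvents abuse-protection section describes a validation request sent to the webhook endpoint before events are delivered to it, not a recurring call, so "when the event handler URL is configured and validated" would be closer to the linked spec.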
## Prerequisites
-* [GitHub](https://github.com/) account
-* [Azure](https://portal.azure.com/) account
-* [Azure CLI](/cli/azure) (version 2.29.0 or higher) or [Azure Cloud Shell](../cloud-shell/quickstart.md) to manage Azure resources
+* A [GitHub](https://github.com/) account.
+* An [Azure](https://portal.azure.com/) account. If you don't have an Azure subscription, create an [Azure free account](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) before you begin.
+* [Azure CLI](/cli/azure/install-azure-cli) (version 2.29.0 or higher) or [Azure Cloud Shell](../cloud-shell/quickstart.md) to manage Azure resources.
## Create a Web PubSub resource
In this tutorial, you learn how to:
```azurecli-interactive AWPS_ACCESS_KEY=<YOUR_AWPS_ACCESS_KEY> ```
- Replace the placeholder `<YOUR_AWPS_ACCESS_KEY>` from previous result `primaryConnectionString`.
-## Create a repository
+ Replace the placeholder `<YOUR_AWPS_ACCESS_KEY>` with the value for `primaryConnectionString` from the previous step.
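Review bot: the variable is named `AWPS_ACCESS_KEY`, but the reworded sentence tells the reader to fill it with the `primaryConnectionString` value, which is a full connection string (an `Endpoint=...;AccessKey=...` string) rather than the bare key. Either rename the variable (for example `AWPS_CONNECTION_STRING`) or state explicitly that the whole connection string is expected, so a reader doesn't paste only the key. It would also help to say that this value embeds the access key and belongs in the static web app's application settings, not in the sample repository.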
-This article uses a GitHub template repository to make it easy for you to get started. The template features a starter app used to deploy using Azure Static Web Apps.
+## Create a repository
-1. Navigate to the following template to create a new repository under your repo:
- 1. [https://github.com/Azure/awps-swa-sample/generate](https://github.com/login?return_to=/Azure/awps-swa-sample/generate)
-1. Name your repository **my-awps-swa-app**
+This article uses a GitHub template repository to make it easy for you to get started. The template features a starter app that you will deploy to Azure Static Web Apps.
-Select **`Create repository from template`**.
+1. Go to [https://github.com/Azure/awps-swa-sample/generate](https://github.com/login?return_to=/Azure/awps-swa-sample/generate) to create a new repo for this tutorial.
+1. Select yourself as **Owner** and name your repository **my-awps-swa-app**.
+1. You can create a **Public** or **Private** repo according to your preference. Both work for the tutorial.
+1. Select **Create repository from template**.
## Create a static web app
Now that the repository is created, you can create a static web app from the Azu
Replace the placeholder `<YOUR_GITHUB_USER_NAME>` with your GitHub user name.
-1. Create a new static web app from your repository. As you execute this command, the CLI starts GitHub interactive login experience. Following the message to complete authorization.
+1. Create a new static web app from your repository. When you run this command, the CLI starts a GitHub interactive sign-in. Follow the message to complete authorization.
```azurecli-interactive az staticwebapp create \
Now that the repository is created, you can create a static web app from the Azu
--api-location "api" \ --login-with-github ```+ > [!IMPORTANT] > The URL passed to the `--source` parameter must not include the `.git` suffix.
-1. Navigate to **https://github.com/login/device**.
+1. Go to **https://github.com/login/device**.
1. Enter the user code as displayed your console's message.
-1. Select the **Continue** button.
+1. Select **Continue**.
-1. Select the **Authorize AzureAppServiceCLI** button.
+1. Select **Authorize AzureAppServiceCLI**.
1. Configure the static web app settings.
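Review bot: the unchanged context line "Enter the user code as displayed your console's message." is missing a word and should read "Enter the user code as displayed in your console's message."; since the neighboring steps in this hunk are being reworded ("Go to", "Select **Continue**", "Select **Authorize AzureAppServiceCLI**"), fix it in the same pass rather than leaving the one ungrammatical step in the list.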
Now that the repository is created, you can create a static web app from the Azu
## View the website
-There are two aspects to deploying a static app. The first operation creates the underlying Azure resources that make up your app. The second is a GitHub Actions workflow that builds and publishes your application.
+There are two aspects to deploying a static app: The first creates the underlying Azure resources that make up your app. The second is a GitHub Actions workflow that builds and publishes your application.
Before you can navigate to your new static site, the deployment build must first finish running.
Before you can navigate to your new static site, the deployment build must first
At this point, Azure is creating the resources to support your static web app. Wait until the icon next to the running workflow turns into a check mark with green background ✅. This operation may take a few minutes to complete.
- Once the success icon appears, the workflow is complete and you can return back to your console window.
+ Once the success icon appears, the workflow is complete and you can return to your console window.
-2. Run the following command to query for your website's URL.
+1. Run the following command to query for your website's URL.
```azurecli-interactive az staticwebapp show \
Before you can navigate to your new static site, the deployment build must first
## Configure the Web PubSub event handler
-Now you're very close to complete. The last step is to configure Web PubSub transfer client requests to your function APIs.
+You're very close to complete. The last step is to configure Web PubSub transfer client requests to your function APIs.
-1. Run command to configure Web PubSub service events. It's mapping to some functions under the `api` folder in your repo.
+1. Run the following command to configure Web PubSub service events. It maps functions under the `api` folder in your repo to the Web PubSub event handler.
```azurecli-interactive az webpubsub hub create \
Now you're very close to complete. The last step is to configure Web PubSub tran
--event-handler url-template=https://$STATIC_WEB_APP/api/{event} system-event="connect" ```
-Now you're ready to play with your website **<YOUR_STATIC_WEB_APP>**. Copy it to browser and click continue to start chatting with your friends.
+Now you're ready to play with your website **<YOUR_STATIC_WEB_APP>**. Copy it to browser and select **Continue** to start chatting with your friends.
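Review bot: the new sentence "It maps functions under the `api` folder in your repo to the Web PubSub event handler" describes the mapping backwards relative to the command shown: `az webpubsub hub create` registers an upstream `url-template=https://$STATIC_WEB_APP/api/{event}` so that Web PubSub forwards the `connect` system event to the static web app's `/api/{event}` function route. Suggest: "It registers your static web app's `/api/{event}` functions as the event handler for Web PubSub". Also, `**<YOUR_STATIC_WEB_APP>**` is a placeholder for a hostname, so "Copy it to browser" reads better as "Open it in your browser".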
## Clean up resources
az group delete --name my-awps-swa-group
## Next steps
-In this quickstart, you learned how to run a serverless chat application. Now, you could start to build your own application.
+In this quickstart, you learned how to run a serverless chat application. Now, you could start to build your own application.
> [!div class="nextstepaction"] > [Tutorial: Client streaming using subprotocol](tutorial-subprotocol.md)
backup Backup Azure Database Postgresql Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-database-postgresql-troubleshoot.md
Title: Troubleshoot Azure Database for PostgreSQL backup description: Troubleshooting information for backing up Azure Database for PostgreSQL. Previously updated : 01/24/2022 Last updated : 06/07/2022
Establish network line of sight by enabling the **Allow access to Azure services
![Screenshot showing how to search for vault name.](./media/backup-azure-database-postgresql/search-for-vault-name.png)
+## UserErrorDBUserAuthFailed
+
+The Azure Backup service uses the credentials mentioned in the key-vault to access the database as a database user. The relevant key vault and the secret are [provided during configuration of backup](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases). Ensure that the credentials stored as part of the secret value in the key vault are valid. Ensure that the specified database user has login access.
+
+## UserErrorInvalidSecret
+
+The Azure Backup service uses the credentials mentioned in the key-vault to access the database as a database user. The relevant key vault and the secret are [provided during configuration of backup](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases). Ensure that the specified secret name is present in the key vault.
+
+## UserErrorMissingDBPermissions
+
+The Azure Backup service uses the credentials mentioned in the key-vault to access the database as a database user. The relevant key vault and the secret are [provided during configuration of backup](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases). Grant appropriate permissions to the relevant backup or the database user to perform this operation on the database.
+
+## UserErrorSecretValueInUnsupportedFormat
+
+The Azure Backup service uses the credentials mentioned in the key-vault to access the database as a database user. The relevant key vault and the secret are [provided during configuration of backup](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases). However the secret value is not in a format supported by Azure Backup. Check the supported format as documented [here](backup-azure-database-postgresql.md#create-secrets-in-the-key-vault).
+
+## UserErrorInvalidSecretStore
+
+The Azure Backup service uses the credentials mentioned in the key-vault to access the database as a database user. The relevant key vault and the secret are [provided during configuration of backup](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases). Ensure that the given key vault exists and the backup service is given access as documented [here](backup-azure-database-postgresql-overview.md#set-of-permissions-needed-for-azure-postgresql-database-backup).
+
+## UserErrorMissingPermissionsOnSecretStore
+
+The Azure Backup service uses the credentials mentioned in the key-vault to access the database as a database user. The relevant key vault and the secret are [provided during configuration of backup](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases). Ensure that backup vault's MSI is given access to key vault as documented [here](backup-azure-database-postgresql-overview.md#set-of-permissions-needed-for-azure-postgresql-database-backup).
+
+## UserErrorSSLDisabled
+
+SSL needs to be enabled for connections to the server.
+
+## UserErrorDBNotFound
+
+Ensure that the database and the relevant server exist.
+
+## UserErrorDatabaseNameAlreadyInUse
+
+The name given for the restored database already exists and hence the restore operation failed. Retry the restore operation with a different name.
+
+## UserErrorServerConnectionClosed
+
+The operation failed because the server closed the connection unexpectedly. Retry the operation and if the error still persists, please contact Microsoft Support.
++ ## Next steps [About Azure Database for PostgreSQL backup](backup-azure-database-postgresql-overview.md)
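Review bot: the same two-sentence intro ("The Azure Backup service uses the credentials mentioned in the key-vault ... provided during configuration of backup") is repeated verbatim in six of the new sections; state it once in a lead paragraph and keep each error section to the check that is specific to it. UserErrorMissingDBPermissions says only "Grant appropriate permissions", which is vague next to its siblings that link the exact permission set (backup-azure-database-postgresql-overview.md#set-of-permissions-needed-for-azure-postgresql-database-backup); link the same anchor here so the fix is least-privilege rather than guesswork. UserErrorSSLDisabled ("SSL needs to be enabled for connections to the server") should say on which side the setting lives. Minor: "backup vault's MSI" should be "the backup vault's managed identity", "key-vault" should be "key vault" for consistency with the other sections, and the last line runs the diff marker into the "## Next steps" heading, so check that the blank line before the heading survived.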
baremetal-infrastructure Concepts Baremetal Infrastructure Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/baremetal-infrastructure/concepts-baremetal-infrastructure-overview.md
BareMetal Infrastructure offers these benefits:
- Certified hardware for specialized workloads - SAP (Refer to [SAP Note #1928533](https://launchpad.support.sap.com/#/notes/1928533). You'll need an SAP account for access.)
- - Oracle (Refer to [Oracle document ID #948372.1](https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=52088246571495&id=948372.1&_adf.ctrl-state=kwnkj1hzm_52). You'll need an Oracle account for access.)
+ - Oracle (You'll need an Oracle account for access.)
- Non-hypervised BareMetal instance, single tenant ownership - Low latency between Azure hosted application VMs to BareMetal instances (0.35 ms) - All Flash SSD and NVMe
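Review bot: dropping the Oracle URL is the right call, since it carried session-bound query parameters (`_afrLoop=...`, `_adf.ctrl-state=...`) that would not work for other readers, but the replacement also loses the document ID. Keep the identifier as plain text, e.g. "Oracle (Refer to Oracle document ID #948372.1. You'll need an Oracle account for access.)", so readers can still locate the note in the Oracle support portal.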
cdn Cdn Custom Ssl https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-custom-ssl.md
Previously updated : 12/06/2021 Last updated : 06/06/2022 #Customer intent: As a website owner, I want to enable HTTPS on the custom domain of my CDN endpoint so that my users can use my custom domain to access my content securely.
Grant Azure CDN permission to access the certificates (secrets) in your Azure Ke
:::image type="content" source="./media/cdn-custom-ssl/cdn-access-policy-settings.png" alt-text="Select service principal of Azure CDN" border="true":::
-4. Select **Certificate permissions**. Select the check boxes for **Get** and **List** to allow CDN permissions to get and list the certificates.
+4. Select **Certificate permissions**. Select the check box for **Get** to allow CDN permissions to get the certificates.
-5. Select **Secret permissions**. Select the check boxes for **Get** and **List** to allow CDN permissions to get and list the secrets:
+5. Select **Secret permissions**. Select the check box for **Get** to allow CDN permissions to get the secrets:
:::image type="content" source="./media/cdn-custom-ssl/cdn-vault-permissions.png" alt-text="Select permissions for CDN to keyvault" border="true":::
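Review bot: trimming the Key Vault access policy from **Get** and **List** to **Get** only, for both certificates and secrets, is a least-privilege improvement and should be called out as intentional in the commit message so it is not "fixed" back later. Verify that the screenshot referenced on the following line (`cdn-vault-permissions.png`) still matches the new steps, since the text now says only one check box is selected. Minor: step 4 ends with a period and step 5 with a colon; make them consistent.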
cdn Cdn Manage Expiration Of Blob Content https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-manage-expiration-of-blob-content.md
Title: Manage expiration of Azure Blob storage
description: Learn about the options for controlling time-to-live for blobs in Azure CDN caching.
+documentationcenter:
editor: ''
$blob.ICloudBlob.SetProperties()
> ## Setting Cache-Control headers by using .NET
-To specify a blob's `Cache-Control` header by using .NET code, use the [Azure Storage Client Library for .NET](../storage/blobs/storage-quickstart-blobs-dotnet.md) to set the [BlobHttpHeaders.CacheControl](/dotnet/api/azure.storage.blobs.models.blobhttpheaders.cachecontrol?view=azure-dotnet) property.
+To specify a blob's `Cache-Control` header by using .NET code, use the [Azure Storage Client Library for .NET](../storage/blobs/storage-quickstart-blobs-dotnet.md) to set the [BlobHttpHeaders.CacheControl](/dotnet/api/azure.storage.blobs.models.blobhttpheaders.cachecontrol?view=azure-dotnet&preserve-view=true) property.
For example:
certification How To Test Pnp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/how-to-test-pnp.md
To meet the certification requirements, your device must:
## Test with the Azure IoT Extension CLI
-The [Azure IoT CLI extension](/cli/azure/ext/azure-iot/iot/product?view=azure-cli-latest) lets you validate that the device implementation matches the model before you submit the device for certification through the Azure Certified Device portal.
+The [Azure IoT CLI extension](/cli/azure/ext/azure-iot/iot/product?view=azure-cli-latest&preserve-view=true) lets you validate that the device implementation matches the model before you submit the device for certification through the Azure Certified Device portal.
The following steps show you how to prepare for and run the certification tests using the CLI: ### Install the Azure IoT extension for the Azure CLI
-Install the [Azure CLI](/cli/azure/install-azure-cli) and review the installation instructions to set up the [Azure CLI](/cli/azure/iot?view=azure-cli-latest) in your environment.
+Install the [Azure CLI](/cli/azure/install-azure-cli) and review the installation instructions to set up the [Azure CLI](/cli/azure/iot?view=azure-cli-latest&preserve-view=true) in your environment.
To install the Azure IoT Extension, run the following command:
To install the Azure IoT Extension, run the following command:
az extension add --name azure-iot ```
-To learn more, see [Azure CLI for Azure IoT](/cli/azure/iot/product?view=azure-cli-latest).
+To learn more, see [Azure CLI for Azure IoT](/cli/azure/iot/product?view=azure-cli-latest&preserve-view=true).
### Create a new product test
chaos-studio Chaos Studio Fault Library https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-fault-library.md
The following faults are available for use today. Visit the [Fault Providers](./
| Capability Name | CPUPressure-1.0 | | Target type | Microsoft-Agent | | Supported OS Types | Windows, Linux |
-| Description | Add CPU pressure up to the specified value on the VM where this fault is injected for the duration of the fault action. The artificial CPU pressure is removed at the end of the duration or if the experiment is canceled. |
+| Description | Add CPU pressure up to the specified value on the VM where this fault is injected for the duration of the fault action. The artificial CPU pressure is removed at the end of the duration or if the experiment is canceled. On Windows, the "% Processor Utility" performance counter is used at fault start to determine current CPU percentage and this is subtracted from the pressureLevel defined in the fault so that % Processor Utility will hit approximately the pressureLevel defined in the fault parameters. |
| Prerequisites | **Linux:** Running the fault on a Linux VM requires the **stress-ng** utility to be installed. You can install it using the package manager for your Linux distro, </br> APT Command to install stress-ng: *sudo apt-get update && sudo apt-get -y install unzip && sudo apt-get -y install stress-ng* </br> YUM Command to install stress-ng: *sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && sudo yum -y install stress-ng* | | | **Windows:** None. | | Urn | urn:csci:microsoft:agent:cpuPressure/1.0 |
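Review bot: the added Windows explanation does not say what happens when the "% Processor Utility" counter at fault start already exceeds the configured `pressureLevel` (the subtraction goes negative); document whether the fault then injects no load, fails, or clamps, because an operator planning an experiment needs to know which. The new sentence is also a single run-on; split it: "On Windows, the '% Processor Utility' performance counter is read when the fault starts. That value is subtracted from `pressureLevel`, so the added load brings '% Processor Utility' to approximately the `pressureLevel` defined in the fault parameters."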
cognitive-services Multivariate How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Anomaly-Detector/How-to/multivariate-how-to.md
- Previously updated : 01/18/2022+ Last updated : 06/07/2022
The following are the basic steps needed to use MVAD:
1. Get model status. 1. Detect anomalies during the inference process with the trained MVAD model.
-To test out this feature, try this SDK [Notebook](https://github.com/Azure-Samples/AnomalyDetector/blob/master/ipython-notebook/API%20Sample/Multivariate%20API%20Demo%20Notebook.ipynb).
+To test out this feature, try this SDK [Notebook](https://github.com/Azure-Samples/AnomalyDetector/blob/master/ipython-notebook/API%20Sample/Multivariate%20API%20Demo%20Notebook.ipynb). For more instructions on how to run a jupyter notebook, please refer to [Install and Run a Jupyter Notebook](https://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/install.html#).
## Multivariate Anomaly Detector APIs overview
The response contains the result status, variable information, inference paramet
* Error code `InsufficientHistoricalData`. This usually happens only with the first few timestamps because the model inferences data in a window-based manner and it needs historical data to make a decision. For the first few timestamps, there is insufficient historical data, so inference cannot be performed on them. In this case, the error message can be ignored. * `"isAnomaly": false` indicates the current timestamp is not an anomaly.
- * `severity ` indicates the relative severity of the anomaly and for normal data it is always 0.
+ * `severity` indicates the relative severity of the anomaly and for normal data it is always 0.
* `score` is the raw output of the model on which the model makes a decision, which could be non-zero even for normal data points. * `"isAnomaly": true` indicates an anomaly at the current timestamp.
- * `severity ` indicates the relative severity of the anomaly and for abnormal data it is always greater than 0.
+ * `severity` indicates the relative severity of the anomaly and for abnormal data it is always greater than 0.
* `score` is the raw output of the model on which the model makes a decision. `severity` is a derived value from `score`. Every data point has a `score`. * `contributors` is a list containing the contribution score of each variable. Higher contribution scores indicate higher possibility of the root cause. This list is often used for interpreting anomalies and diagnosing the root causes.
A sample request looks like following format, this case is detecting last two ti
"2021-01-01T00:00:00Z", "2021-01-01T00:01:00Z", "2021-01-01T00:02:00Z"
- //more variables
+ //more timestamps
], "values": [ 0.4551378545933972,
A sample request looks like following format, this case is detecting last two ti
"2021-01-01T00:00:00Z", "2021-01-01T00:01:00Z", "2021-01-01T00:02:00Z"
- //more variables
+ //more timestamps
], "values": [ 0.9617871613964145,
A sample request looks like following format, this case is detecting last two ti
"2021-01-01T00:00:00Z", "2021-01-01T00:01:00Z", "2021-01-01T00:02:00Z"
- //more variables
+ //more timestamps
], "values": [ 0.4030756879437628,
See the following example of a JSON response:
## Next steps
-* [What is the Multivariate Anomaly Detector API?](../overview-multivariate.md)
-* [Join us to get more supports!](https://aka.ms/adadvisorsjoin)
+* [Best practices for using the Multivariate Anomaly Detector API](../concepts/best-practices-multivariate.md)
+* [Join us to get more supports!](https://aka.ms/adadvisorsjoin)
cognitive-services How To Specify Source Language https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Speech-Service/how-to-specify-source-language.md
- Title: Specify source language for speech to text-
-description: The Speech SDK allows you to specify the source language when you convert speech to text. This article describes how to use the FromConfig and SourceLanguageConfig methods to let the Speech service know the source language and provide a custom model target.
------ Previously updated : 05/19/2020-
-zone_pivot_groups: programming-languages-set-two
---
-# Specify source language for speech-to-text
-
-In this article, you'll learn how to specify the source language for an audio input passed to the Speech SDK for speech recognition. The example code that's provided specifies a custom speech model for improved recognition.
--
-## Specify source language in C#
-
-In the following example, the source language is provided explicitly as a parameter by using the `SpeechRecognizer` construct:
-
-```csharp
-var recognizer = new SpeechRecognizer(speechConfig, "de-DE", audioConfig);
-```
-
-In the following example, the source language is provided by using `SourceLanguageConfig`. Then, `sourceLanguageConfig` is passed as a parameter to the `SpeechRecognizer` construct.
-
-```csharp
-var sourceLanguageConfig = SourceLanguageConfig.FromLanguage("de-DE");
-var recognizer = new SpeechRecognizer(speechConfig, sourceLanguageConfig, audioConfig);
-```
-
-In the following example, the source language and custom endpoint are provided by using `SourceLanguageConfig`. Then, `sourceLanguageConfig` is passed as a parameter to the `SpeechRecognizer` construct.
-
-```csharp
-var sourceLanguageConfig = SourceLanguageConfig.FromLanguage("de-DE", "The Endpoint ID for your custom model.");
-var recognizer = new SpeechRecognizer(speechConfig, sourceLanguageConfig, audioConfig);
-```
-
->[!Note]
-> The `SpeechRecognitionLanguage` and `EndpointId` set methods are deprecated from the `SpeechConfig` class in C#. The use of these methods is discouraged. Don't use them when you create a `SpeechRecognizer` construct.
---
-## Specify source language in C++
-
-In the following example, the source language is provided explicitly as a parameter by using the `FromConfig` method.
-
-```C++
-auto recognizer = SpeechRecognizer::FromConfig(speechConfig, "de-DE", audioConfig);
-```
-
-In the following example, the source language is provided by using `SourceLanguageConfig`. Then, `sourceLanguageConfig` is passed as a parameter to `FromConfig` when you create the `recognizer` construct.
-
-```C++
-auto sourceLanguageConfig = SourceLanguageConfig::FromLanguage("de-DE");
-auto recognizer = SpeechRecognizer::FromConfig(speechConfig, sourceLanguageConfig, audioConfig);
-```
-
-In the following example, the source language and custom endpoint are provided by using `SourceLanguageConfig`. Then, `sourceLanguageConfig` is passed as a parameter to `FromConfig` when you create the `recognizer` construct.
-
-```C++
-auto sourceLanguageConfig = SourceLanguageConfig::FromLanguage("de-DE", "The Endpoint ID for your custom model.");
-auto recognizer = SpeechRecognizer::FromConfig(speechConfig, sourceLanguageConfig, audioConfig);
-```
-
->[!Note]
-> `SetSpeechRecognitionLanguage` and `SetEndpointId` are deprecated methods from the `SpeechConfig` class in C++ and Java. The use of these methods is discouraged. Don't use them when you create a `SpeechRecognizer` construct.
---
-## Specify source language in Java
-
-In the following example, the source language is provided explicitly when you create a new `SpeechRecognizer` construct.
-
-```Java
-SpeechRecognizer recognizer = new SpeechRecognizer(speechConfig, "de-DE", audioConfig);
-```
-
-In the following example, the source language is provided by using `SourceLanguageConfig`. Then, `sourceLanguageConfig` is passed as a parameter when you create a new `SpeechRecognizer` construct.
-
-```Java
-SourceLanguageConfig sourceLanguageConfig = SourceLanguageConfig.fromLanguage("de-DE");
-SpeechRecognizer recognizer = new SpeechRecognizer(speechConfig, sourceLanguageConfig, audioConfig);
-```
-
-In the following example, the source language and custom endpoint are provided by using `SourceLanguageConfig`. Then, `sourceLanguageConfig` is passed as a parameter when you create a new `SpeechRecognizer` construct.
-
-```Java
-SourceLanguageConfig sourceLanguageConfig = SourceLanguageConfig.fromLanguage("de-DE", "The Endpoint ID for your custom model.");
-SpeechRecognizer recognizer = new SpeechRecognizer(speechConfig, sourceLanguageConfig, audioConfig);
-```
-
->[!Note]
-> `setSpeechRecognitionLanguage` and `setEndpointId` are deprecated methods from the `SpeechConfig` class in C++ and Java. The use of these methods is discouraged. Don't use them when you create a `SpeechRecognizer` construct.
---
-## Specify source language in Python
-
-In the following example, the source language is provided explicitly as a parameter by using the `SpeechRecognizer` construct.
-
-```Python
-speech_recognizer = speechsdk.SpeechRecognizer(
- speech_config=speech_config, language="de-DE", audio_config=audio_config)
-```
-
-In the following example, the source language is provided by using `SourceLanguageConfig`. Then, `SourceLanguageConfig` is passed as a parameter to the `SpeechRecognizer` construct.
-
-```Python
-source_language_config = speechsdk.languageconfig.SourceLanguageConfig("de-DE")
-speech_recognizer = speechsdk.SpeechRecognizer(
- speech_config=speech_config, source_language_config=source_language_config, audio_config=audio_config)
-```
-
-In the following example, the source language and custom endpoint are provided by using `SourceLanguageConfig`. Then, `SourceLanguageConfig` is passed as a parameter to the `SpeechRecognizer` construct.
-
-```Python
-source_language_config = speechsdk.languageconfig.SourceLanguageConfig("de-DE", "The Endpoint ID for your custom model.")
-speech_recognizer = speechsdk.SpeechRecognizer(
- speech_config=speech_config, source_language_config=source_language_config, audio_config=audio_config)
-```
-
->[!Note]
-> The `speech_recognition_language` and `endpoint_id` properties are deprecated from the `SpeechConfig` class in Python. The use of these properties is discouraged. Don't use them when you create a `SpeechRecognizer` construct.
---
-## Specify source language in JavaScript
-
-The first step is to create a `SpeechConfig` construct:
-
-```Javascript
-var speechConfig = sdk.SpeechConfig.fromSubscription("YourSubscriptionkey", "YourRegion");
-```
-
-Next, specify the source language of your audio with `speechRecognitionLanguage`:
-
-```Javascript
-speechConfig.speechRecognitionLanguage = "de-DE";
-```
-
-If you're using a custom model for recognition, you can specify the endpoint with `endpointId`:
-
-```Javascript
-speechConfig.endpointId = "The Endpoint ID for your custom model.";
-```
-
-## Specify source language in Objective-C
-
-In the following example, the source language is provided explicitly as a parameter by using the `SPXSpeechRecognizer` construct.
-
-```Objective-C
-SPXSpeechRecognizer* speechRecognizer = \
- [[SPXSpeechRecognizer alloc] initWithSpeechConfiguration:speechConfig language:@"de-DE" audioConfiguration:audioConfig];
-```
-
-In the following example, the source language is provided by using `SPXSourceLanguageConfiguration`. Then, `SPXSourceLanguageConfiguration` is passed as a parameter to the `SPXSpeechRecognizer` construct.
-
-```Objective-C
-SPXSourceLanguageConfiguration* sourceLanguageConfig = [[SPXSourceLanguageConfiguration alloc]init:@"de-DE"];
-SPXSpeechRecognizer* speechRecognizer = [[SPXSpeechRecognizer alloc] initWithSpeechConfiguration:speechConfig
- sourceLanguageConfiguration:sourceLanguageConfig
- audioConfiguration:audioConfig];
-```
-
-In the following example, the source language and custom endpoint are provided by using `SPXSourceLanguageConfiguration`. Then, `SPXSourceLanguageConfiguration` is passed as a parameter to the `SPXSpeechRecognizer` construct.
-
-```Objective-C
-SPXSourceLanguageConfiguration* sourceLanguageConfig = \
- [[SPXSourceLanguageConfiguration alloc]initWithLanguage:@"de-DE"
- endpointId:@"The Endpoint ID for your custom model."];
-SPXSpeechRecognizer* speechRecognizer = [[SPXSpeechRecognizer alloc] initWithSpeechConfiguration:speechConfig
- sourceLanguageConfiguration:sourceLanguageConfig
- audioConfiguration:audioConfig];
-```
-
->[!Note]
-> The `speechRecognitionLanguage` and `endpointId` properties are deprecated from the `SPXSpeechConfiguration` class in Objective-C. The use of these properties is discouraged. Don't use them when you create a `SPXSpeechRecognizer` construct.
--
-## Next steps
--- [Language support](language-support.md)
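Review bot: this removes the whole how-to-specify-source-language.md article, including the per-language `[!Note]` blocks that record the deprecated `SpeechConfig` members (`SpeechRecognitionLanguage`/`EndpointId`, `SetSpeechRecognitionLanguage`/`SetEndpointId`, `speech_recognition_language`/`endpoint_id`, and the Objective-C `speechRecognitionLanguage`/`endpointId` properties). Confirm that a redirect for the old path is added in the same change so existing inbound links do not 404, and that the deprecation guidance is preserved in whichever article replaces it.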
cognitive-services Cognitive Services Apis Create Account Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/cognitive-services-apis-create-account-cli.md
keywords: cognitive services, cognitive intelligence, cognitive solutions, ai services Previously updated : 03/02/2022 Last updated : 06/06/2022 ms.devlang: azurecli
ms.devlang: azurecli
# Quickstart: Create a Cognitive Services resource using the Azure CLI
-Use this quickstart to get started with Azure Cognitive Services using [Azure Command-Line Interface (CLI)](/cli/azure/install-azure-cli) commands.
+Use this quickstart to create a Cognitive Services resource using [Azure Command-Line Interface (CLI)](/cli/azure/install-azure-cli) commands. After creating the resource, use the keys and endpoint generated for you to authenticate your applications.
-Azure Cognitive Services are cloud-based services with REST APIs, and client library SDKs available to help developers build cognitive intelligence into applications without having direct artificial intelligence (AI) or data science skills or knowledge. Azure Cognitive Services enables developers to easily add cognitive features into their applications with cognitive solutions that can see, hear, speak, understand, and even begin to reason.
+Azure Cognitive Services is a cloud-based service with REST APIs, and client library SDKs available to help developers build cognitive intelligence into applications without having direct artificial intelligence (AI) or data science skills or knowledge. Azure Cognitive Services enables developers to easily add cognitive features into their applications with cognitive solutions that can see, hear, speak, understand, and even begin to reason.
-Cognitive Services are represented by Azure [resources](../azure-resource-manager/management/manage-resources-portal.md) that you create in your Azure subscription. After creating the resource, Use the keys and endpoint generated for you to authenticate your applications.
-
-In this quickstart, you'll learn how to sign up for Azure Cognitive Services and create an account that has a single-service or multi-service subscription via the [Azure CLI](/cli/azure/install-azure-cli). These services are represented by Azure [resources](../azure-resource-manager/management/manage-resources-portal.md), which enable you to connect to one or more of the Azure Cognitive Services APIs.
+## Types of Cognitive Services resource
[!INCLUDE [cognitive-services-subscription-types](../../includes/cognitive-services-subscription-types.md)]
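Review bot: the new "## Types of Cognitive Services resource" heading is followed by the `cognitive-services-subscription-types` include, but the same include is still present under "### Choose a cognitive service and pricing tier" later in this file, so the resource-type table will now render twice. Keep one occurrence (the new top-level section) and replace the second with a short cross-reference. The removed paragraph was the only place that linked the Resource Manager "resources" article; consider keeping that link in the rewritten intro.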
You can also use the green **Try It** button to run these commands in your brows
## Create a new Azure Cognitive Services resource group
-Before creating a Cognitive Services resource, you must have an Azure resource group to contain the resource. When you create a new resource, you have the option to either create a new resource group, or use an existing one. This article shows how to create a new resource group.
+Before creating a Cognitive Services resource, you must have an Azure resource group to contain the resource. When you create a new resource, you can either create a new resource group, or use an existing one. This article shows how to create a new resource group.
### Choose your resource group location
az group create \
### Choose a cognitive service and pricing tier
-When creating a new resource, you will need to know the "kind" of service you want to use, along with the [pricing tier](https://azure.microsoft.com/pricing/details/cognitive-services/) (or sku) you want. You will use this and other information as parameters when creating the resource.
+When creating a new resource, you'll need to know the "kind" of service you want to use, along with the [pricing tier](https://azure.microsoft.com/pricing/details/cognitive-services/) (or sku) you want. You'll use this and other information as parameters when creating the resource.
[!INCLUDE [cognitive-services-subscription-types](../../includes/cognitive-services-subscription-types.md)]
az cognitiveservices account list-kinds
### Add a new resource to your resource group
-To create and subscribe to a new Cognitive Services resource, use the [az cognitiveservices account create](/cli/azure/cognitiveservices/account#az-cognitiveservices-account-create) command. This command adds a new billable resource to the resource group created earlier. When creating your new resource, you will need to know the "kind" of service you want to use, along with its pricing tier (or sku) and an Azure location:
+To create and subscribe to a new Cognitive Services resource, use the [az cognitiveservices account create](/cli/azure/cognitiveservices/account#az-cognitiveservices-account-create) command. This command adds a new billable resource to the resource group created earlier. When creating your new resource, you'll need to know the "kind" of service you want to use, along with its pricing tier (or sku) and an Azure location:
You can create an F0 (free) resource for Anomaly Detector, named `anomaly-detector-resource` with the command below.
cognitive-services Cognitive Services Apis Create Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/cognitive-services-apis-create-account.md
keywords: cognitive services, cognitive intelligence, cognitive solutions, ai services Previously updated : 05/24/2022 Last updated : 06/06/2022 # Quickstart: Create a Cognitive Services resource using the Azure portal
-Use this quickstart to start using Azure Cognitive Services. After creating a Cognitive Service resource in the Azure portal, you'll get an endpoint and a key for authenticating your applications.
+Use this quickstart to create a Cognitive Services resource. After you create a Cognitive Service resource in the Azure portal , you'll get an endpoint and a key for authenticating your applications.
Azure Cognitive Services are cloud-based services with REST APIs, and client library SDKs available to help developers build cognitive intelligence into applications without having direct artificial intelligence (AI) or data science skills or knowledge. Azure Cognitive Services enables developers to easily add cognitive features into their applications with cognitive solutions that can see, hear, speak, understand, and even begin to reason.
+## Types of Cognitive Services resource
+ [!INCLUDE [cognitive-services-subscription-types](../../includes/cognitive-services-subscription-types.md)] ## Prerequisites
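Review bot: the rewritten intro has a space before the comma ("in the Azure portal , you'll") and uses "Cognitive Service resource" where the rest of the page, including the new heading, says "Cognitive Services resource"; fix both. The include line also has "## Prerequisites" run onto the same line, so check that the heading is on its own line in the source.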
Azure Cognitive Services are cloud-based services with REST APIs, and client lib
* A valid Azure subscription - [Create one for free](https://azure.microsoft.com/free/cognitive-services/). * [!INCLUDE [contributor-requirement](./includes/quickstarts/contributor-requirement.md)] - ## Create a new Azure Cognitive Services resource ### [Multi-service](#tab/multiservice)
The multi-service resource is named **Cognitive Services** in the portal. The mu
:::image type="content" source="media/cognitive-services-apis-create-account/cognitive-services-resource-deployed.png" alt-text="Get resource keys screen"::: 1. From the quickstart pane that opens, you can access the resource endpoint and manage keys.-
+<!--
1. If you missed the previous steps or need to find your resource later, go to the [Azure services](https://ms.portal.azure.com/#home) home page. From here you can view recent resources, select **My resources**, or use the search box to find your resource by name. :::image type="content" source="media/cognitive-services-apis-create-account/home-my-resources.png" alt-text="Find resource keys from home screen":::
+-->
[!INCLUDE [cognitive-services-environment-variables](../../includes/cognitive-services-environment-variables.md)]
If you want to clean up and remove a Cognitive Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources contained in the group. 1. In the Azure portal, expand the menu on the left side to open the menu of services, and choose **Resource Groups** to display the list of your resource groups.
-1. Locate the resource group containing the resource to be deleted
-1. Right-click on the resource group listing. Select **Delete resource group**, and confirm.
+1. Locate the resource group containing the resource to be deleted.
+1. If you want to delete the entire resource group, select the resource group name. On the next page, Select **Delete resource group**, and confirm.
+1. If you want to delete only the Cognitive Service resource, select the resource group to see all the resources within it. On the next page, select the resource that you want to delete, click the ellipsis menu for that row, and select **Delete**.
If you need to recover a deleted resource, see [Recover deleted Cognitive Services resources](manage-resources.md).
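Review bot: in the new delete steps, `On the next page, Select **Delete resource group**` has a mid-sentence capital, step 4 mixes `click the ellipsis menu` with the `select` verb used everywhere else, and `Cognitive Service resource` is singular again. Commenting out the "find your resource later" step with `<!-- -->` instead of deleting it leaves dead content and an `ms.portal.azure.com` link in the source; either delete the step or keep it live.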
cognitive-services Adding Synonyms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/question-answering/tutorials/adding-synonyms.md
Let's us add the following words and their alterations to improve the results:
|Word | Alterations| |--|--|
-| fix problems | `troubleshoot`, `trouble-shoot`|
-| whiteboard | `white-board`, `white board` |
-| bluetooth | `blue-tooth`, `blue tooth` |
+| fix problems | `troubleshoot`, `diagnostic`|
+| whiteboard | `white board`, `white canvas` |
+| bluetooth | `blue tooth`, `BT` |
```json {
"alterations": [ "fix problems", "troubleshoot",
- "trouble-shoot",
+ "diagnostic",
] }, { "alterations": [ "whiteboard",
- "white-board",
- "white board"
+ "white board",
+ "white canvas"
] }, { "alterations": [ "bluetooth",
- "blue-tooth",
- "blue tooth"
+ "blue tooth",
+ "BT"
] } ]
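Review bot: the JSON after the table is still invalid after this change: the first `alterations` array ends with `"diagnostic",` immediately followed by `]`, a trailing comma that JSON parsers reject (the other two arrays correctly end without one). Drop the comma so the line reads `"diagnostic"`. Also, the lead-in sentence `Let's us add the following words` should be `Let's add the following words`. The table and the JSON now agree on the new alterations, which is good.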
communication-services Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/best-practices.md
You can request device permissions using the SDK:
#### Camera being used by another process - On Windows Chrome and Windows Edge, if you start/join/accept a call with video on and the camera device is being used by another process other than the browser that the web sdk is running on, then the call will be started with audio only and no video. A cameraStartFailed UFD will be raised because the camera failed to start since it was being used by another process. Same applies to turning video on mid-call. You can turn off the camera in the other process so that that process releases the camera device, and then start video again from the call and video will now turn on for the call and remote participants will start seeing your video. -- This is not an issue in MacOS Chrome nor MacOS Safari because the OS will let processes/threads share the camera device.
+- This is not an issue in macOS Chrome nor macOS Safari because the OS will let processes/threads share the camera device.
- On mobile devices, if a ProcessA requests the camera device and it is being used by ProcessB, then ProcessA will overtake the camera device and ProcessB will stop using the camera device - On iOS safari, you cannot have the camera on for multiple call clients within the same tab nor across tabs. When any call client uses the camera, it will overtake the camera from any previous call client that was using it. Previous call client will get a cameraStoppedUnexpectedly UFD.
+### Screen sharing
+#### Closing out of application does not stop it from being shared
+For example, lets say that from Chromium, you screen share the Microsoft Teams application. You then click on the "X" button on the Teams application to close it. The Teams application will not be closed and it will still be running in the background. You will even still see the icon in the bottom right of your desktop bar. Since the Teams application is still running, that means that it is still being screen shared and the remote participant in the call can still see your Teams application being screen shared. In order to stop the application from being screen shared, you will have to right click its icon on the desktop bar and then click on quit. Or you will have to click on "Stop sharing" button on the browser. Or call the sdk's Call.stopScreenSharing() API.
+
+#### Safari can only do full screen sharing
+Safari only allows to screen share the entire screen. Unlike Chromium, which lets you screen share full screen, specific desktop app, or specific browser tab.
+
+#### Screen sharing permissions on macOS
+In order to do screen sharing in macOS Safari or macOs Chrome, screen recording permissions must be granted to the browsers in the OS menu: "Systems Preferences" -> "Security & Privacy" -> "Screen Recording".
+ ## Next steps For more information, see the following articles:
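Review bot: several typos and wording issues in the new screen-sharing subsections: `lets say` should be `let's say`; `macOs Chrome` should be `macOS Chrome` (the same fix this change applies in the camera section); the menu is `System Preferences`, not `Systems Preferences`; `sdk's` should be `SDK's`; and `Safari only allows to screen share the entire screen. Unlike Chromium, which ...` is a fragment, suggest `Safari only allows sharing the entire screen, unlike Chromium, which lets you share the full screen, a specific desktop app, or a specific browser tab.` The point that a closed-but-still-running application keeps being shared is worth keeping prominent, since it is exactly the kind of behaviour that leaks content a user believes is no longer visible.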
communication-services Network Diagnostic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/developer-tools/network-diagnostic.md
The Network Diagnostics Tool enables Azure Communication Services developers to
![Network Diagnostic Tool home screen](../media/network-diagnostic-tool.png) As part of the diagnostics performed, the user is asked to enable permissions for the tool to access their devices. Next, the user is asked to record their voice, which is then played back using an echo bot to ensure that the microphone is working. The tool finally, performs a video test. The test uses the camera to detect video and measure the quality for sent and received frames. +
+If you are looking to build your own Network Diagnostic Tool or to perform deeper integration of this tool into your application, you can levearge [pre-call diagnostic APIs](../voice-video-calling/pre-call-diagnostics.md) for the calling SDK.
## Performed tests
When a user runs a network diagnostic, the tool collects and store service and c
## Next Steps
+- [Use Pre-Call Diagnostic APIs to build your own tech check](../voice-video-calling/pre-call-diagnostics.md)
- [Explore User-Facing Diagnostic APIs](../voice-video-calling/user-facing-diagnostics.md) - [Enable Media Quality Statistics in your application](../voice-video-calling/media-quality-sdk.md)-- [Add Real-Time Inspection tool to your application](./real-time-inspection.md)
+- [Debug your application with Monitoring tool](./real-time-inspection.md)
- [Consume call logs with Azure Monitor](../analytics/call-logs-azure-monitor.md)
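Review bot: `levearge` in the new paragraph should be `leverage`, and `If you are looking to build ... you can leverage` reads more directly as `To build your own Network Diagnostic Tool or integrate this tool more deeply into your application, use the [pre-call diagnostic APIs] ...`.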
communication-services Real Time Inspection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/developer-tools/real-time-inspection.md
Communication Monitoring is compatible with the same browsers as the Calling SDK
## Get started with Communication Monitoring
-The tool can be accessed through an npm package `@azure/communication-monitoring`. The package contains the `CommunicationMonitoring` object that can be attached to a `Call`. The Call Inspector requires an `HTMLDivElement` as part of its constructor on which it will be rendered. The `HTMLDivElement` will dictate the size of the Call Inspector.
+The tool can be accessed through an npm package `@azure/communication-monitoring`. The package contains the `CommunicationMonitoring` object that can be attached to a `Call`. Instructions on how to initialize the required `CallClient` and `CallAgent` objects can be found [here](https://docs.microsoft.com/azure/communication-services/how-tos/calling-sdk/manage-calls?pivots=platform-web#initialize-required-objects). `CommunicationMonitoring` also requires an `HTMLDivElement` as part of its constructor on which it will be rendered. The `HTMLDivElement` will dictate the size of the rendered panel.
### Installing Communication Monitoring
npm i @azure/communication-monitoring
import { CallAgent, CallClient } from '@azure/communication-calling' import { CommunicationMonitoring } from '@azure/communication-monitoring'
-interface Options {
- callClient: CallClient
- callAgent: CallAgent
- divElement: HTMLDivElement
-}
- const selectedDiv = document.getElementById('selectedDiv') const options = {
- callClient = this.callClient,
- callAgent = this.callAgent,
+ callClient = {INSERT CALL CLIENT OBJECT},
+ callAgent = {INSERT CALL AGENT OBJECT},
divElement = selectedDiv, }
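Review bot: the `options` object literal in the updated snippet does not parse: `callClient = {INSERT CALL CLIENT OBJECT}`, `callAgent = {...}` and `divElement = selectedDiv` use `=` instead of `:`, so anyone copying the snippet gets a syntax error. Suggest `const options = { callClient, callAgent, divElement: selectedDiv }` with the two objects assigned from the initialization steps linked in the new paragraph. With the `Options` interface removed, the `CallAgent`/`CallClient` import is now unused, and the snippet still never shows the `new CommunicationMonitoring(options)` call that consumes the object. Docs convention also prefers a relative link over the absolute `https://docs.microsoft.com/...` URL.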
communication-services Manage Teams Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/manage-teams-identity.md
# Quickstart: Set up and manage access tokens for Teams users + In this quickstart, you'll build a .NET console application to authenticate a Microsoft 365 user by using the Microsoft Authentication Library (MSAL) and retrieving a Microsoft Azure Active Directory (Azure AD) user token. You'll then exchange that token for an access token of Teams user with the Azure Communication Services Identity SDK. The access token for Teams user can then be used by the Communication Services Calling SDK to build a custom Teams endpoint. > [!NOTE]
communication-services Get Started With Voice Video Calling Custom Teams Client https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md
# QuickStart: Add 1:1 video calling to your customized Teams application + [!INCLUDE [Video calling with JavaScript](./includes/custom-teams-endpoint/voice-video-calling-cte-javascript.md)] ## Clean up resources
connectors Connectors Create Api Sqlazure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-create-api-sqlazure.md
The following steps use the Azure portal, but with the appropriate Azure Logic A
1. In the [Azure portal](https://portal.azure.com), open your blank logic app workflow in the designer.
-1. Find and select the [SQL Server managed connector trigger](/connectors/sql) that you want to use.
+1. Find and select the [SQL Server trigger](/connectors/sql) that you want to use.
1. On the designer, under the search box, select **All**. 1. In the search box, enter **sql server**.
- 1. From the triggers list, select the SQL trigger that you want. This example continues with the trigger named **When an item is created**.
+ 1. From the triggers list, select the SQL trigger that you want.
+
+ This example continues with the trigger named **When an item is created**.
![Screenshot showing the Azure portal, Consumption logic app workflow designer, search box with "sql server", and "When an item is created" trigger selected.](./media/connectors-create-api-sqlazure/select-sql-server-trigger-consumption.png)
-1. If the designer prompts you for connection information, [create your SQL database connection now](#create-connection). After you create this connection, you can continue with the next step.
+1. Provide the [information for your connection](#create-connection). When you're done, select **Create**.
-1. In the trigger, specify the interval and frequency for how often the trigger checks the table.
+1. After the trigger information box appears, specify the interval and frequency for how often the trigger checks the table.
1. To add other properties available for this trigger, open the **Add new parameter** list and select those properties. This trigger returns only one row from the selected table, and nothing else. To perform other tasks, continue by adding either a [SQL Server connector action](#add-sql-action) or [another action](../connectors/apis-list.md) that performs the next task that you want in your logic app workflow.
- For example, to view the data in this row, you can add other actions that create a file that includes the fields from the returned row, and then send email alerts. To learn about other available actions for this connector, see the [connector's reference page](/connectors/sql/).
+ For example, to view the data in this row, you can add other actions that create a file that includes the fields from the returned row, and then send email alerts. To learn about other available actions for this connector, see the [SQL Server managed connector reference](/connectors/sql/).
1. When you're done, save your workflow.
- Although this step automatically enables and publishes your logic app live in Azure, the only action that your logic app currently takes is to check your database based on your specified interval and frequency.
- ### [Standard](#tab/standard) In Standard logic app workflows, only the SQL Server managed connector has triggers. The SQL Server built-in connector doesn't have any triggers. 1. In the [Azure portal](https://portal.azure.com), open your blank logic app workflow in the designer.
-1. Find and select the [SQL Server managed connector trigger](/connectors/sql) that you want to use.
+1. Find and select the [SQL Server trigger](/connectors/sql) that you want to use.
1. On the designer, select **Choose an operation**.
1. In the search box, enter **sql server**.
- 1. From the triggers list, select the SQL trigger that you want. This example continues with the trigger named **When an item is created**.
+ 1. From the triggers list, select the SQL trigger that you want.
+
+ This example continues with the trigger named **When an item is created**.
![Screenshot showing Azure portal, Standard logic app workflow designer, search box with "sql server", and "When an item is created" trigger selected.](./media/connectors-create-api-sqlazure/select-sql-server-trigger-standard.png)
-1. If the designer prompts you for connection information, [create your SQL database connection now](#create-connection). After you create this connection, you can continue with the next step.
+1. Provide the [information for your connection](#create-connection). When you're done, select **Create**.
-1. In the trigger, specify the interval and frequency for how often the trigger checks the table.
+1. After the trigger information box appears, specify the interval and frequency for how often the trigger checks the table.
1. To add other properties available for this trigger, open the **Add new parameter** list and select those properties. This trigger returns only one row from the selected table, and nothing else. To perform other tasks, continue by adding either a [SQL Server connector action](#add-sql-action) or [another action](../connectors/apis-list.md) that performs the next task that you want in your logic app workflow.
- For example, to view the data in this row, you can add other actions that create a file that includes the fields from the returned row, and then send email alerts. To learn about other available actions for this connector, see the [connector's reference page](/connectors/sql/).
+ For example, to view the data in this row, you can add other actions that create a file that includes the fields from the returned row, and then send email alerts. To learn about other available actions for this connector, see the [SQL Server managed connector reference](/connectors/sql/).
1. When you're done, save your workflow.
- Although this step automatically enables and publishes your logic app live in Azure, the only action that your logic app currently takes is to check your database based on your specified interval and frequency.
-
+When you save your workflow, this step automatically publishes your updates to your deployed logic app, which is live in Azure. With only a trigger, your workflow just checks the SQL database based on your specified schedule. You have to [add an action](#add-sql-action) that responds to the trigger.
+ <a name="trigger-recurrence-shift-drift"></a> ## Trigger recurrence shift and drift (daylight saving time)
In this example, the logic app workflow starts with the [Recurrence trigger](../
1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer.
-1. Find and select the [SQL Server managed connector action](/connectors/sql) that you want to use. This example continues with the action named **Get row**.
+1. Find and select the [SQL Server action](/connectors/sql) that you want to use.
+
+ This example continues with the action named **Get row**.
1. Under the trigger or action where you want to add the SQL action, select **New step**.
1. In the search box, enter **sql server**.
- 1. From the actions list, select the SQL Server action that you want. This example uses the **Get row** action, which gets a single record.
+ 1. From the actions list, select the SQL Server action that you want.
+
+ This example uses the **Get row** action, which gets a single record.
![Screenshot showing the Azure portal, workflow designer for Consumption logic app, the search box with "sql server", and "Get row" selected in the "Actions" list.](./media/connectors-create-api-sqlazure/select-sql-get-row-action-consumption.png)
-1. If the designer prompts you for connection information, [create your SQL database connection now](#create-connection). After you create this connection, you can continue with the next step.
+1. Provide the [information for your connection](#create-connection). When you're done, select **Create**.
1. If you haven't already provided the SQL server name and database name, provide those values. Otherwise, from the **Table name** list, select the table that you want to use. In the **Row id** property, enter the ID for the record that you want.
1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer.
-1. Find and select the SQL Server connector action that you want to use.
+1. Find and select the SQL Server action that you want to use.
1. Under the trigger or action where you want to add the SQL Server action, select the plus sign (**+**), and then select **Add an action**.
![Screenshot showing the designer search box with "sql server" and "Azure" selected underneath with the "Get row" action selected in the "Actions" list.](./media/connectors-create-api-sqlazure/select-sql-get-row-action-standard.png)
-1. If the designer prompts you for connection information, [create your SQL database connection now](#create-connection). After you create this connection, you can continue with the next step.
+1. Provide the [information for your connection](#create-connection). When you're done, select **Create**.
1. If you haven't already provided the SQL server name and database name, provide those values. Otherwise, from the **Table name** list, select the table that you want to use. In the **Row id** property, enter the ID for the record that you want.
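Review bot: replacing `If the designer prompts you for connection information, create your SQL database connection now` with the unconditional `Provide the information for your connection. When you're done, select **Create**.` (done in all four trigger and action procedures) drops the case the old wording covered: when a connection to that SQL server already exists in the logic app, the designer doesn't prompt and there is no **Create** button, so readers are sent looking for a step that never appears. Suggest keeping the conditional, e.g. `If the designer prompts you for connection information, provide the [information for your connection](#create-connection), and then select **Create**.` The new closing paragraph about the workflow only checking the database until an action is added is a good clarification.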
container-apps Vnet Custom Internal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/vnet-custom-internal.md
Previously updated : 5/16/2022 Last updated : 06/07/2022 zone_pivot_groups: azure-cli-or-portal
The following example shows you how to create a Container Apps environment in an existing virtual network. > [!IMPORTANT]
-> In order to ensure the environment deployment within your custom VNET is successful, configure your VNET with an "allow-all" configuration by default. The full list of traffic dependencies required to configure the VNET as "deny-all" is not yet available. For more information, see [Known issues for public preview](https://github.com/microsoft/azure-container-apps/wiki/Known-Issues-for-public-preview).
+> Container Apps environments are deployed on a virtual network. This network can be managed or custom (pre-configured by the user beforehand). In either case, the environment has dependencies on services outside of that virtual network. For a list of these dependencies see [Outbound FQDN dependencies](firewall-integration.md#outbound-fqdn-dependencies).
::: zone pivot="azure-portal"
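Review bot: the new IMPORTANT note is a clear improvement over telling readers to run the VNET as "allow-all", but it no longer says whether the linked outbound FQDN dependency list is complete enough to configure the network as "deny-all", which is precisely what the old text said was not yet available; since the identical wording is added to vnet-custom.md below, both notes should state explicitly that the environment requires outbound access to those FQDNs and whether blocking all other traffic is supported. Minor: `(pre-configured by the user beforehand)` is redundant with `custom`, and `For a list of these dependencies see` needs a comma before `see`.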
container-apps Vnet Custom https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/vnet-custom.md
Previously updated : 05/16/2022 Last updated : 06/07/2022 zone_pivot_groups: azure-cli-or-portal
The following example shows you how to create a Container Apps environment in an existing virtual network. > [!IMPORTANT]
-> In order to ensure the environment deployment within your custom VNET is successful, configure your VNET with an "allow-all" configuration by default. The full list of traffic dependencies required to configure the VNET as "deny-all" is not yet available. For more information, see [Known issues for public preview](https://github.com/microsoft/azure-container-apps/wiki/Known-Issues-for-public-preview).
+> Container Apps environments are deployed on a virtual network. This network can be managed or custom (pre-configured by the user beforehand). In either case, the environment has dependencies on services outside of that virtual network. For a list of these dependencies see [Outbound FQDN dependencies](firewall-integration.md#outbound-fqdn-dependencies).
::: zone pivot="azure-portal"
container-instances Container Instances Reference Yaml https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-reference-yaml.md
Title: YAML reference for container group description: Reference for the YAML file supported by Azure Container Instances to configure a container group- Previously updated : 11/11/2021+++++ Last updated : 06/06/2022 # YAML reference: Azure Container Instances
-This article covers the syntax and properties for the YAML file supported by Azure Container Instances to configure a [container group](container-instances-container-groups.md). Use a YAML file to input the group configuration to the [az container create][az-container-create] command in the Azure CLI.
+This article covers the syntax and properties for the YAML file supported by Azure Container Instances to configure a [container group](container-instances-container-groups.md). Use a YAML file to input the group configuration to the [az container create][az-container-create] command in the Azure CLI.
-A YAML file is a convenient way to configure a container group for reproducible deployments. It is a concise alternative to using a [Resource Manager template](/azure/templates/Microsoft.ContainerInstance/2019-12-01/containerGroups) or the Azure Container Instances SDKs to create or update a container group.
+A YAML file is a convenient way to configure a container group for reproducible deployments. It's a concise alternative to using a [Resource Manager template](/azure/templates/Microsoft.ContainerInstance/2019-12-01/containerGroups) or the Azure Container Instances SDKs to create or update a container group.
> [!NOTE]
-> This reference applies to YAML files for Azure Container Instances REST API version `2021-07-01`.
+> This reference applies to YAML files for Azure Container Instances REST API version `2021-10-01`.
-## Schema
+## Schema
The schema for the YAML file follows, including comments to highlight key properties. For a description of the properties in this schema, see the [Property values](#property-values) section. -
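Review bot: the article now targets REST API version `2021-10-01` (the NOTE and the `apiVersion` in the schema), but the Resource Manager template link in the intro still points at `/azure/templates/Microsoft.ContainerInstance/2019-12-01/containerGroups`; update it to the matching version so the two references don't disagree. The `## Schema` and `This article covers ...` pairs differ only in trailing whitespace and can be left out of the change.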
-```yml
+```yaml
name: string # Name of the container group
-apiVersion: '2021-07-01'
+apiVersion: '2021-10-01'
location: string tags: {} identity:
properties: # Properties of container group
The following tables describe the values you need to set in the schema. -- ### Microsoft.ContainerInstance/containerGroups object | Name | Type | Required | Value | | - | - | - | - | | name | string | Yes | The name of the container group. |
-| apiVersion | enum | Yes | 2018-10-01 |
+| apiVersion | enum | Yes | **2021-10-01 (latest)**, 2021-09-01, 2021-07-01, 2021-03-01, 2020-11-01, 2019-12-01, 2018-10-01, 2018-09-01, 2018-07-01, 2018-06-01, 2018-04-01 |
| location | string | No | The resource location. | | tags | object | No | The resource tags. | | identity | object | No | The identity of the container group, if configured. - [ContainerGroupIdentity object](#containergroupidentity-object) | | properties | object | Yes | [ContainerGroupProperties object](#containergroupproperties-object) | --- ### ContainerGroupIdentity object | Name | Type | Required | Value |
| type | enum | No | The type of identity used for the container group. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the container group. - SystemAssigned, UserAssigned, SystemAssigned, UserAssigned, None | | userAssignedIdentities | object | No | The list of user identities associated with the container group. The user identity dictionary key references will be Azure Resource Manager resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | --- ### ContainerGroupProperties object | Name | Type | Required | Value |
| encryptionProperties | object | No | The encryption properties for a container group. - [EncryptionProperties object](#encryptionproperties-object) | | initContainers | array | No | The init containers for a container group. - [InitContainerDefinition object](#initcontainerdefinition-object) | --- ### Container object | Name | Type | Required | Value |
| name | string | Yes | The user-provided name of the container instance. | | properties | object | Yes | The properties of the container instance. - [ContainerProperties object](#containerproperties-object) | --- ### ImageRegistryCredential object | Name | Type | Required | Value |
| identity | string | No | The resource ID of the user or system-assigned managed identity used to authenticate. | | identityUrl | string | No | The identity URL for the private registry. | --- ### IpAddress object | Name | Type | Required | Value |
| ip | string | No | The IP exposed to the public internet. | | dnsNameLabel | string | No | The Dns name label for the IP. | --- ### Volume object | Name | Type | Required | Value |
| secret | object | No | The secret volume. | | gitRepo | object | No | The git repo volume. - [GitRepoVolume object](#gitrepovolume-object) | --- ### ContainerGroupDiagnostics object | Name | Type | Required | Value | | - | - | - | - | | logAnalytics | object | No | Container group log analytics information. - [LogAnalytics object](#loganalytics-object) | --- ### ContainerGroupSubnetIds object | Name | Type | Required | Value |
| id | string | Yes | The identifier for a subnet. | | name | string | No | The name of the subnet. | --- ### DnsConfiguration object | Name | Type | Required | Value |
| searchDomains | string | No | The DNS search domains for hostname lookup in the container group. | | options | string | No | The DNS options for the container group. | - ### EncryptionProperties object
-| Name | Type | Required | Value |
+| Name | Type | Required | Value |
| - | - | - | - |
-| vaultBaseUrl | string | Yes | The keyvault base url. |
-| keyName | string | Yes | The encryption key name. |
-| keyVersion | string | Yes | The encryption key version. |
+| vaultBaseUrl | string | Yes | The keyvault base url. |
+| keyName | string | Yes | The encryption key name. |
+| keyVersion | string | Yes | The encryption key version. |
### InitContainerDefinition object
-| Name | Type | Required | Value |
+| Name | Type | Required | Value |
| - | - | - | - |
-| name | string | Yes | The name for the init container. |
-| properties | object | Yes | The properties for the init container. - [InitContainerPropertiesDefinition object](#initcontainerpropertiesdefinition-object)
-
+| name | string | Yes | The name for the init container. |
+| properties | object | Yes | The properties for the init container. - [InitContainerPropertiesDefinition object](#initcontainerpropertiesdefinition-object)
### ContainerProperties object
| livenessProbe | object | No | The liveness probe. - [ContainerProbe object](#containerprobe-object) | | readinessProbe | object | No | The readiness probe. - [ContainerProbe object](#containerprobe-object) | --- ### Port object | Name | Type | Required | Value |
| protocol | enum | No | The protocol associated with the port. - TCP or UDP | | port | integer | Yes | The port number. | --- ### AzureFileVolume object | Name | Type | Required | Value |
| storageAccountName | string | Yes | The name of the storage account that contains the Azure File share. | | storageAccountKey | string | No | The storage account access key used to access the Azure File share. | --- ### GitRepoVolume object | Name | Type | Required | Value |
| repository | string | Yes | Repository URL | | revision | string | No | Commit hash for the specified revision. | -- ### LogAnalytics object | Name | Type | Required | Value |
| logType | enum | No | The log type to be used. - ContainerInsights or ContainerInstanceLogs | | metadata | object | No | Metadata for log analytics. | - ### InitContainerPropertiesDefinition object
-| Name | Type | Required | Value |
+| Name | Type | Required | Value |
| - | - | - | - |
-| image | string | No | The image of the init container. |
-| command | array | No | The command to execute within the init container in exec form. - string |
-| environmentVariables | array | No |The environment variables to set in the init container. - [EnvironmentVariable object](#environmentvariable-object)
-| volumeMounts |array | No | The volume mounts available to the init container. - [VolumeMount object](#volumemount-object)
+| image | string | No | The image of the init container. |
+| command | array | No | The command to execute within the init container in exec form. - string |
+| environmentVariables | array | No |The environment variables to set in the init container. - [EnvironmentVariable object](#environmentvariable-object)
+| volumeMounts | array | No | The volume mounts available to the init container. - [VolumeMount object](#volumemount-object)
### ContainerPort object
The following tables describe the values you need to set in the schema.
| protocol | enum | No | The protocol associated with the port. - TCP or UDP | | port | integer | Yes | The port number exposed within the container group. | --- ### EnvironmentVariable object | Name | Type | Required | Value |
The following tables describe the values you need to set in the schema.
| value | string | No | The value of the environment variable. | | secureValue | string | No | The value of the secure environment variable. | --- ### ResourceRequirements object | Name | Type | Required | Value |
The following tables describe the values you need to set in the schema.
| requests | object | Yes | The resource requests of this container instance. - [ResourceRequests object](#resourcerequests-object) | | limits | object | No | The resource limits of this container instance. - [ResourceLimits object](#resourcelimits-object) | --- ### VolumeMount object | Name | Type | Required | Value |
The following tables describe the values you need to set in the schema.
| mountPath | string | Yes | The path within the container where the volume should be mounted. Must not contain colon (:). | | readOnly | boolean | No | The flag indicating whether the volume mount is read-only. | --- ### ContainerProbe object | Name | Type | Required | Value |
The following tables describe the values you need to set in the schema.
| successThreshold | integer | No | The success threshold. | | timeoutSeconds | integer | No | The timeout seconds. | --- ### ResourceRequests object | Name | Type | Required | Value |
The following tables describe the values you need to set in the schema.
| cpu | number | Yes | The CPU request of this container instance. | | gpu | object | No | The GPU request of this container instance. - [GpuResource object](#gpuresource-object) | --- ### ResourceLimits object | Name | Type | Required | Value |
The following tables describe the values you need to set in the schema.
| cpu | number | No | The CPU limit of this container instance. | | gpu | object | No | The GPU limit of this container instance. - [GpuResource object](#gpuresource-object) | --- ### ContainerExec object | Name | Type | Required | Value | | - | - | - | - | | command | array | No | The commands to execute within the container. - string | --- ### ContainerHttpGet object | Name | Type | Required | Value |
The following tables describe the values you need to set in the schema.
| count | integer | Yes | The count of the GPU resource. | | sku | enum | Yes | The SKU of the GPU resource. - K80, P100, V100 | - ## Next steps See the tutorial [Deploy a multi-container group using a YAML file](container-instances-multi-container-yaml.md).
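Review bot: the `environmentVariables` and `volumeMounts` rows of the InitContainerPropertiesDefinition table still lack the closing `|` that the `image` and `command` rows have, and `| No |The environment variables` is missing the space after the pipe; since this hunk already normalizes spacing in the `volumeMounts` row (`|array |` to `| array |`), finish the job so the whole table renders consistently, e.g. `| environmentVariables | array | No | The environment variables to set in the init container. - [EnvironmentVariable object](#environmentvariable-object) |` and the same trailing `|` on the `volumeMounts` row.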
cost-management-billing Cost Mgt Alerts Monitor Usage Spending https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending.md
description: This article describes how cost alerts help you monitor usage and spending in Cost Management. Previously updated : 05/12/2022 Last updated : 06/07/2022
Budget alerts notify you when spending, based on usage or cost, reaches or excee
In the Azure portal, budgets are defined by cost. Using the Azure Consumption API, budgets are defined by cost or by consumption usage. Budget alerts support both cost-based and usage-based budgets. Budget alerts are generated automatically whenever the budget alert conditions are met. You can view all cost alerts in the Azure portal. Whenever an alert is generated, it's shown in cost alerts. An alert email is also sent to the people in the alert recipients list of the budget.
+If you have an Enterprise Agreement, you can [Create and edit budgets with PowerShell](tutorial-acm-create-budgets.md#create-and-edit-budgets-with-powershell). However, we recommend that you use REST APIs to create and edit budgets because CLI commands might not support the latest version of the APIs.
+ You can use the Budget API to send email alerts in a different language. For more information, see [Supported locales for budget alert emails](manage-automation.md#supported-locales-for-budget-alert-emails). ## Credit alerts
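Review bot: the added caveat is inconsistent about which tooling it covers: the link text and first clause are about PowerShell, but the reason given is that "CLI commands might not support the latest version of the APIs", so a reader cannot tell whether PowerShell, Azure CLI, or both lag behind the REST API. Name the tooling explicitly, e.g. "because the PowerShell cmdlets and CLI commands might not support the latest version of the APIs". The identical sentence is added to tutorial-acm-create-budgets.md in this same change set, so keep the two wordings in sync.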
cost-management-billing Tutorial Acm Create Budgets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/costs/tutorial-acm-create-budgets.md
Title: Tutorial - Create and manage Azure budgets
description: This tutorial helps you plan and account for the costs of Azure services that you consume. Previously updated : 05/13/2022 Last updated : 06/07/2022
Budget integration with action groups works for action groups which have enabled
## Create and edit budgets with PowerShell
-If you're an EA customer, you can create and edit budgets programmatically using the Azure PowerShell module.
+If you're an EA customer, you can create and edit budgets programmatically using the Azure PowerShell module. However, we recommend that you use REST APIs to create and edit budgets because CLI commands might not support the latest version of the APIs.
->[!Note]
->Customers with a Microsoft Customer Agreement should use the [Budgets REST API](/rest/api/consumption/budgets/create-or-update) to create budgets programmatically because PowerShell and CLI aren't yet supported.
+> [!NOTE]
+> Customers with a Microsoft Customer Agreement should use the [Budgets REST API](/rest/api/consumption/budgets/create-or-update) to create budgets programmatically because PowerShell and CLI aren't yet supported.
To download the latest version of Azure PowerShell, run the following command:
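Review bot: the sentence appended to the EA paragraph has the same mismatch as its twin in cost-mgt-alerts-monitor-usage-spending.md: the paragraph is about the Azure PowerShell module, yet the justification talks about "CLI commands". Either say "PowerShell and CLI commands" or explain that the PowerShell cmdlets wrap an older API version. The `[!Note]` to `[!NOTE]` fix and the added space after `>` are correct; the note block otherwise renders as plain quoted text.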
cost-management-billing Ea Azure Marketplace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/ea-azure-marketplace.md
Previously updated : 10/21/2021 Last updated : 06/07/2022
Some third-party reseller services available on Azure Marketplace now consume yo
### Partners
+> [!NOTE]
+> The Azure Marketplace price list feature in the EA portal is retired. The same feature is available in the Azure portal.
+ LSPs can download an Azure Marketplace price list from the price sheet page in the Azure Enterprise portal. Select the **Marketplace Price list** link in the upper right. Azure Marketplace price list shows all available services and their prices. To download the price list:
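Review bot: the new note states that the Azure Marketplace price list feature in the EA portal is retired and is now in the Azure portal, but the paragraph immediately after it (unchanged in this hunk) still tells LSPs to download the price list from the price sheet page in the Azure Enterprise portal via the **Marketplace Price list** link in the upper right. Update the procedure to the Azure portal location (or link to it) so the note and the steps do not contradict each other.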
cost-management-billing Programmatically Create Subscription Enterprise Agreement https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/programmatically-create-subscription-enterprise-agreement.md
Previously updated : 05/05/2022- Last updated : 06/06/2022+
When you create an Azure subscription programmatically, that subscription is gov
A user must have an Owner role on an Enrollment Account to create a subscription. There are two ways to get the role: * The Enterprise Administrator of your enrollment can [make you an Account Owner](https://ea.azure.com/helpdocs/addNewAccount) (sign in required) which makes you an Owner of the Enrollment Account.
-* An existing Owner of the Enrollment Account can [grant you access](/rest/api/billing/2019-10-01-preview/enrollmentaccountroleassignments/put).
+* An existing Owner of the Enrollment Account can [grant you access](/rest/api/billing/2019-10-01-preview/enrollmentaccountroleassignments/put).
To use a service principal (SPN) to create an EA subscription, an Owner of the Enrollment Account must [grant that service principal the ability to create subscriptions](/rest/api/billing/2019-10-01-preview/enrollmentaccountroleassignments/put).
For more information about the EA role assignment API request, see [Assign roles
> [!NOTE] > - Ensure that you use the correct API version to give the enrollment account owner permissions. For this article and for the APIs documented in it, use the [2019-10-01-preview](/rest/api/billing/2019-10-01-preview/enrollmentaccountroleassignments/put) API. > - If you're migrating to use the newer APIs, your previous configuration made with the [2015-07-01 version](grant-access-to-create-subscription.md) doesn't automatically convert for use with the newer APIs.
+> - The Enrollment Account information is only visible when the user's role is Account Owner. When a user has multiple roles, the API uses the user's least restrictive role.
## Find accounts you have access to
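Review bot: "the API uses the user's least restrictive role" is ambiguous (least restrictive in permissions, or the role with the narrowest visibility?) and the sentence does not say what happens to a user who holds Account Owner plus another role. State the consequence plainly, e.g. that Enrollment Account details are not returned for such users, which is the situation the later paragraph about retrieving the account ID from the Azure portal is meant to address.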
Using one of the following methods, you'll create a subscription alias name. We
An alias is used for simple substitution of a user-defined string instead of the subscription GUID. In other words, you can use it as a shortcut. You can learn more about alias at [Alias - Create](/rest/api/subscription/2020-09-01/alias/create). In the following examples, `sampleAlias` is created but you can use any string you like.
+If you have multiple user roles in addition to the Account Owner role, then you must retrieve the account ID from the Azure portal. Then you can use the ID to programmatically create subscriptions.
+ ### [REST](#tab/rest) Call the PUT API to create a subscription creation request/alias.
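Review bot: the added paragraph says users with multiple roles "must retrieve the account ID from the Azure portal" but not where in the portal to find it; add the page or blade name, or a link to the doc that shows it, so the reader can act on the instruction. It also sits inside the alias discussion, whereas it qualifies the "Find accounts you have access to" section above; consider moving it there.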
cost-management-billing Understand Reserved Instance Usage Ea https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/understand-reserved-instance-usage-ea.md
tags: billing
Previously updated : 05/05/2022 Last updated : 06/07/2022
Other information available in Azure usage data has changed:
- Term - 12 months or 36 months. - RINormalizationRatio - Available under AdditionalInfo. This is the ratio where the reservation is applied to the usage record. If instance size flexibility is enabled on for your reservation, then it can apply to other sizes. The value shows the ratio that the reservation was applied to for the usage record.
-[See field definition](/rest/api/consumption/usagedetails/list#definitions)
+For more information, see the Usage details field [Definitions](/rest/api/consumption/usagedetails/list#definitions).
## Get Azure consumption and reservation usage data using API You can get the data using the API or download it from Azure portal.
+For information about permissions needed to view and manage reservations, see [Who can manage a reservation by default](view-reservations.md#who-can-manage-a-reservation-by-default).
+ You call the [Usage Details API](/rest/api/consumption/usagedetails/list) to get the new data. For details about terminology, see [usage terms](../understand/understand-usage.md). Here's an example call to the Usage Details API:
cost-management-billing Pay Bill https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/understand/pay-bill.md
If you have Azure credits, they automatically apply to your invoice each billing
## Reserve Bank of India
-**The Reserve Bank of India has issued new regulations.**
+**The Reserve Bank of India has issued new directives.**
-On 1 October 2021, automatic payments in India may block some credit card transactions, especially transactions exceeding 5,000 INR. Because of this you may need to make payments manually in the Azure portal. These regulations won't affect the total amount you will be charged for your Azure usage.
+On 1 October 2021, automatic payments in India may block some credit card transactions, especially transactions exceeding 5,000 INR. Because of this you may need to make payments manually in the Azure portal. This directive will not affect the total amount you will be charged for your Azure usage.
-[Learn more about the Reserve Bank of India regulation for recurring payments](https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11668&Mode=0)
+[Learn more about the Reserve Bank of India directive; Processing of e-mandate on cards for recurring transactions](https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11668&Mode=0)
On 1 July 2022, Microsoft and other online merchants will no longer be storing credit card information. To comply with this regulation Microsoft will be removing all stored card details from Microsoft Azure. To avoid service interruption, you will need to add a payment method and make a one-time payment for all invoices.
-[Learn about the Reserve Bank of India regulation for card storage](https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12211)
+[Learn about the Reserve Bank of India directive; Restriction on storage of actual card data ](https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12211)
## Pay by default payment method
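Review bot: the two new link texts use a semicolon as a separator ("directive; Processing of e-mandate...", "directive; Restriction on storage...") where a colon or dash is expected, and the second one has a trailing space before `]`. The rename from "regulation" to "directive" is also incomplete: the unchanged paragraph between the two hunks still says "To comply with this regulation Microsoft will be removing all stored card details" (and is missing a comma after "regulation"). Align all three so the terminology is consistent.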
databox-online Azure Stack Edge Gpu 2205 Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-2205-release-notes.md
Previously updated : 06/06/2022 Last updated : 06/07/2022
The following release notes identify the critical open issues and the resolved i
The release notes are continuously updated, and as critical issues requiring a workaround are discovered, they're added. Before you deploy your device, carefully review the information contained in the release notes.
-This article applies to the **Azure Stack Edge 2205** release, which maps to software version number **2.2.1981.5086**. This software can be applied to your device if you're running at least Azure Stack Edge 2106 (2.2.1636.3457) software.
+This article applies to the **Azure Stack Edge 2205** release, which maps to software version number **2.2.1983.5094**. This software can be applied to your device if you're running at least Azure Stack Edge 2106 (2.2.1636.3457) software.
## What's new
The following table lists the issues that were release noted in previous release
| No. | Feature | Issue | | | | | |**1.**|GPU Extension installation | In the previous releases, there were issues that caused the GPU extension installation to fail. These issues are described in [Troubleshooting GPU extension issues](azure-stack-edge-gpu-troubleshoot-virtual-machine-gpu-extension-installation.md). These are fixed in the 2205 release and both the Windows and Linux installation packages are updated. More information on 2205 specific installation changes is covered in [Install GPU extension on your Azure Stack Edge device](azure-stack-edge-gpu-deploy-virtual-machine-install-gpu-extension.md). |
+|**2.**|HPN VMs | In the previous release, the Standard_F12_HPN could only support one network interface and couldn't be used for Multi-Access Edge Computing (MEC) deployments. This issue is fixed in this release. |
## Known issues in 2205 release
The following table provides a summary of known issues in this release.
| No. | Feature | Issue | Workaround/comments | | | | | | |**1.**|Preview features |For this release, the following features are available in preview: <br> - Clustering and Multi-Access Edge Computing (MEC) for Azure Stack Edge Pro GPU devices only. <br> - VPN for Azure Stack Edge Pro R and Azure Stack Edge Mini R only. <br> - Local Azure Resource Manager, VMs, Cloud management of VMs, Kubernetes cloud management, and Multi-process service (MPS) for Azure Stack Edge Pro GPU, Azure Stack Edge Pro R, and Azure Stack Edge Mini R. |These features will be generally available in later releases. |
-|**2.**|HPN VMs |For this release, the Standard_F12_HPN can only support one network interface and can't be used for Multi-Access Edge Computing (MEC) deployments. | |
- ## Known issues from previous releases
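Review bot: the final removed line reads `- ## Known issues from previous releases`, which deletes the section heading together with the HPN row above it; if the intent was only to drop the blank line before the heading, verify that "## Known issues from previous releases" still renders in the built page, otherwise the issues listed under it lose their heading.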
databox Data Box Customer Managed Encryption Key Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/data-box-customer-managed-encryption-key-portal.md
If you receive any errors related to your customer-managed key, use the followin
| SsemUserErrorKeyVaultBadRequestException | Applied a customer-managed key, but key access has not been granted or has been revoked, or the key vault couldn't be accessed because a firewall is enabled. | Add the identity selected to your key vault to enable access to the customer-managed key. If the key vault has a firewall enabled, switch to a system-assigned identity and then add a customer-managed key. For more information, see how to [Enable the key](#enable-key). | | SsemUserErrorEncryptionKeyTypeNotSupported | The encryption key type isn't supported for the operation. | Enable a supported encryption type on the key - for example, RSA or RSA-HSM. For more information, see [Key types, algorithms, and operations](../key-vault/keys/about-keys-details.md). | | SsemUserErrorSoftDeleteAndPurgeProtectionNotEnabled | Key vault does not have soft delete or purge protection enabled. | Ensure that both soft delete and purge protection are enabled on the key vault. |
-| SsemUserErrorInvalidKeyVaultUrl<br>(Command-line only) | An invalid key vault URI was used. | Get the correct key vault URI. To get the key vault URI, use [Get-AzKeyVault](/powershell/module/az.keyvault/get-azkeyvault?view=azps-7.1.0) in PowerShell. |
+| SsemUserErrorInvalidKeyVaultUrl<br>(Command-line only) | An invalid key vault URI was used. | Get the correct key vault URI. To get the key vault URI, use [Get-AzKeyVault](/powershell/module/az.keyvault/get-azkeyvault?view=azps-7.1.0&preserve-view=true) in PowerShell. |
| SsemUserErrorKeyVaultUrlWithInvalidScheme | Only HTTPS is supported for passing the key vault URI. | Pass the key vault URI over HTTPS. | | SsemUserErrorKeyVaultUrlInvalidHost | The key vault URI host is not an allowed host in the geographical region. | In the public cloud, the key vault URI should end with `vault.azure.net`. In the Azure Government cloud, the key vault URI should end with `vault.usgovcloudapi.net`. | | Generic error | Could not fetch the passkey. | This error is a generic error. Contact Microsoft Support to troubleshoot the error and determine the next steps.|
ddos-protection Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/alerts.md
na Previously updated : 3/11/2022 Last updated : 06/07/2022
There are two specific alerts that you will see for any DDoS attack detection an
- **DDoS Attack detected for Public IP**: This alert is generated when the DDoS protection service detects that one of your public IP addresses is the target of a DDoS attack. - **DDoS Attack mitigated for Public IP**: This alert is generated when an attack on the public IP address has been mitigated.
-To view the alerts, open **Defender for Cloud** in the Azure portal. Under **Threat Protection**, select **Security alerts**. The following screenshot shows an example of the DDoS attack alerts.
+To view the alerts, open **Defender for Cloud** in the Azure portal and select **Security alerts**. Under **Threat Protection**, select **Security alerts**. The following screenshot shows an example of the DDoS attack alerts.
![DDoS Alert in Microsoft Defender for Cloud](./media/manage-ddos-protection/ddos-alert-asc.png)
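Review bot: the rewritten navigation sentence tells the reader to select **Security alerts** twice ("open **Defender for Cloud** in the Azure portal and select **Security alerts**. Under **Threat Protection**, select **Security alerts**."); keep a single path that matches the current portal layout, e.g. "open **Defender for Cloud** in the Azure portal and select **Security alerts**." and drop the **Threat Protection** step if that menu no longer exists.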
ddos-protection Ddos Protection Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-protection-overview.md
na Previously updated : 09/9/2020 Last updated : 06/07/2022
Azure DDoS Protection Standard, combined with application design best practices,
- **Always-on traffic monitoring:** Your application traffic patterns are monitored 24 hours a day, 7 days a week, looking for indicators of DDoS attacks. DDoS Protection Standard instantly and automatically mitigates the attack, once it is detected. - **Adaptive tuning:** Intelligent traffic profiling learns your application's traffic over time, and selects and updates the profile that is the most suitable for your service. The profile adjusts as traffic changes over time. - **Multi-Layered protection:** When deployed with a web application firewall (WAF), DDoS Protection Standard protects both at the network layer (Layer 3 and 4, offered by Azure DDoS Protection Standard) and at the application layer (Layer 7, offered by a WAF). WAF offerings include Azure [Application Gateway WAF SKU](../web-application-firewall/ag/ag-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json) as well as third-party web application firewall offerings available in the [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps?page=1&search=web%20application%20firewall).-- **Extensive mitigation scale:** Over 60 different attack types can be mitigated, with global capacity, to protect against the largest known DDoS attacks.
+- **Extensive mitigation scale:** all L3/L4 attack vectors can be mitigated, with global capacity, to protect against the largest known DDoS attacks.
- **Attack analytics:** Get detailed reports in five-minute increments during an attack, and a complete summary after the attack ends. Stream mitigation flow logs to [Microsoft Sentinel](../sentinel/data-connectors-reference.md#azure-ddos-protection) or an offline security information and event management (SIEM) system for near real-time monitoring during an attack. - **Attack metrics:** Summarized metrics from each attack are accessible through Azure Monitor. - **Attack alerting:** Alerts can be configured at the start and stop of an attack, and over the attack's duration, using built-in attack metrics. Alerts integrate into your operational software like Microsoft Azure Monitor logs, Splunk, Azure Storage, Email, and the Azure portal.
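Review bot: "all L3/L4 attack vectors can be mitigated" replaces a quantified claim ("Over 60 different attack types") with an absolute one; unless the product team has signed off on "all", soften it to "L3/L4 attack vectors can be mitigated" or keep a count. Also capitalize "All" after the bold label so the bullet matches the others in the list.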
ddos-protection Ddos Protection Partner Onboarding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-protection-partner-onboarding.md
documentationcenter: na Previously updated : 08/28/2020 Last updated : 06/07/2022 # Partnering with Azure DDoS Protection Standard
The following steps are required for partners to configure integration with Azur
View existing partner integrations: - [Barracuda WAF-as-a-service](https://www.barracuda.com/waf-as-a-service)-- [Azure Cloud WAF from Radware](https://www.radware.com/resources/microsoft-azure/)+
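Review bot: the hunk removes the "Azure Cloud WAF from Radware" bullet, leaving "View existing partner integrations:" followed by a single entry; if the removal is intentional, consider rewording the lead-in, and if not, restore the bullet. The trailing `+` with nothing after it reads as an added empty line; confirm it is not a stray character.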
defender-for-cloud Defender For Cloud Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-cloud-introduction.md
Last updated 05/19/2022
# What is Microsoft Defender for Cloud?
-Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and multi-cloud (Amazon AWS and Google GCP) resources. Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises:
+Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources. Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises:
:::image type="content" source="media/defender-for-cloud-introduction/defender-for-cloud-synopsis.png" alt-text="Understanding the core functionality of Microsoft Defender for Cloud.":::
As soon as you open Defender for Cloud for the first time, Defender for Cloud:
- **Generates a secure score** for your subscriptions based on an assessment of your connected resources compared with the guidance in [Azure Security Benchmark](/security/benchmark/azure/overview). Use the score to understand your security posture, and the compliance dashboard to review your compliance with the built-in benchmark. When you've enabled the enhanced security features, you can customize the standards used to assess your compliance, and add other regulations (such as NIST and Azure CIS) or organization-specific security requirements. You can also apply recommendations, and score based on the AWS Foundational Security Best practices standards. -- **Provides hardening recommendations** based on any identified security misconfigurations and weaknesses. Use these security recommendations to strengthen the security posture of your organization's Azure, hybrid, and multi-cloud resources.
+- **Provides hardening recommendations** based on any identified security misconfigurations and weaknesses. Use these security recommendations to strengthen the security posture of your organization's Azure, hybrid, and multicloud resources.
[Learn more about secure score](secure-score-security-controls.md).
If you would like to learn more about Defender for Cloud from a cybersecurity ex
You can also check out the following blogs: -- [A new name for multi-cloud security: Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/a-new-name-for-multi-cloud-security-microsoft-defender-for-cloud/ba-p/2943020)
+- [A new name for multicloud security: Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/a-new-name-for-multi-cloud-security-microsoft-defender-for-cloud/ba-p/2943020)
- [Microsoft Defender for Cloud - Use cases](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-use-cases/ba-p/2953619) - [Microsoft Defender for Cloud PoC Series - Microsoft Defender for Containers](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-poc-series-microsoft-defender-for/ba-p/3064644)
defender-for-cloud Defender For Containers Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-containers-enable.md
A full list of supported alerts is available in the [reference table of all Defe
## Learn More
-Learn more from the product manager about [Microsoft Defender for Containers in a multi-cloud environment](episode-nine.md).
+Learn more from the product manager about [Microsoft Defender for Containers in a multicloud environment](episode-nine.md).
You can also learn how to [Protect Containers in GCP with Defender for Containers](episode-ten.md). You can also check out the following blogs: - [Protect your Google Cloud workloads with Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/protect-your-google-cloud-workloads-with-microsoft-defender-for/ba-p/3073360) - [Introducing Microsoft Defender for Containers](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/introducing-microsoft-defender-for-containers/ba-p/2952317)-- [A new name for multi-cloud security: Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/a-new-name-for-multi-cloud-security-microsoft-defender-for-cloud/ba-p/2943020)
+- [A new name for multicloud security: Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/a-new-name-for-multi-cloud-security-microsoft-defender-for-cloud/ba-p/2943020)
## Next steps
defender-for-cloud Defender For Containers Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-containers-introduction.md
Defender for Containers provides real-time threat protection for your containeri
In addition, our threat detection goes beyond the Kubernetes management layer. Defender for Containers includes **host-level threat detection** with over 60 Kubernetes-aware analytics, AI, and anomaly detections based on your runtime workload. Our global team of security researchers constantly monitor the threat landscape. They add container-specific alerts and vulnerabilities as they're discovered.
-This solution monitors the growing attack surface of multi-cloud Kubernetes deployments and tracks the [MITRE ATT&CK® matrix for Containers](https://www.microsoft.com/security/blog/2021/04/29/center-for-threat-informed-defense-teams-up-with-microsoft-partners-to-build-the-attck-for-containers-matrix/), a framework that was developed by the [Center for Threat-Informed Defense](https://mitre-engenuity.org/ctid/) in close partnership with Microsoft and others.
+This solution monitors the growing attack surface of multicloud Kubernetes deployments and tracks the [MITRE ATT&CK® matrix for Containers](https://www.microsoft.com/security/blog/2021/04/29/center-for-threat-informed-defense-teams-up-with-microsoft-partners-to-build-the-attck-for-containers-matrix/), a framework that was developed by the [Center for Threat-Informed Defense](https://mitre-engenuity.org/ctid/) in close partnership with Microsoft and others.
The full list of available alerts can be found in the [Reference table of alerts](alerts-reference.md#alerts-k8scluster).
defender-for-cloud Defender For Sql Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-sql-introduction.md
# Introduction to Microsoft Defender for SQL
-Microsoft Defender for SQL includes two Microsoft Defender plans that extend Microsoft Defender for Cloud's [data security package](/azure/azure-sql/database/azure-defender-for-sql) to protect your SQL estate regardless of where it is located (Azure, multi-cloud or Hybrid environments). Microsoft Defender for SQL includes functions that can be used to discover and mitigate potential database vulnerabilities. Defender for SQL can also detect anomalous activities that may be an indication of a threat to your databases.
+Microsoft Defender for SQL includes two Microsoft Defender plans that extend Microsoft Defender for Cloud's [data security package](/azure/azure-sql/database/azure-defender-for-sql) to protect your SQL estate regardless of where it is located (Azure, multicloud or Hybrid environments). Microsoft Defender for SQL includes functions that can be used to discover and mitigate potential database vulnerabilities. Defender for SQL can also detect anomalous activities that may be an indication of a threat to your databases.
-To protect SQL databases in hybrid and multi-cloud environments, Defender for Cloud uses Azure Arc. Azure ARC connects your hybrid and multi-cloud machines. You can check out the following articles for more information:
+To protect SQL databases in hybrid and multicloud environments, Defender for Cloud uses Azure Arc. Azure ARC connects your hybrid and multicloud machines. You can check out the following articles for more information:
- [Connect your non-Azure machines to Microsoft Defender for Cloud](quickstart-onboard-machines.md)
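Review bot: the rewritten paragraph still alternates "Azure Arc" and "Azure ARC" in consecutive sentences; the product name is not an acronym, so use "Azure Arc" in both. In the first paragraph "(Azure, multicloud or Hybrid environments)" capitalizes "Hybrid" for no reason; lowercase it to match "multicloud".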
To protect SQL databases in hybrid and multi-cloud environments, Defender for Cl
- [SQL Server running on Windows machines without Azure Arc](../azure-monitor/agents/agent-windows.md)
- - Multi-cloud SQL servers:
+ - Multicloud SQL servers:
- [Connect your AWS accounts to Microsoft Defender for Cloud](quickstart-onboard-aws.md)
defender-for-cloud Episode Eight https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/episode-eight.md
Learn more about [Defender for IoT](../defender-for-iot/index.yml).
## Next steps > [!div class="nextstepaction"]
-> [Microsoft Defender for Containers in a Multi-Cloud Environment](episode-nine.md)
+> [Microsoft Defender for Containers in a Multicloud Environment](episode-nine.md)
defender-for-cloud Episode Five https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/episode-five.md
Last updated 06/01/2022
# Microsoft Defender for Servers
-**Episode description**: In this episode of Defender for Cloud in the field, Aviv Mor joins Yuri Diogenes to talk about Microsoft Defender for Servers updates, including the new integration with TVM. Aviv explains how this new integration with TVM works, the advantages of this integration, which includes software inventory and easy experience to onboard. Aviv also covers the integration with MDE for Linux and the Defender for Servers support for the new multi-cloud connector for AWS.
+**Episode description**: In this episode of Defender for Cloud in the field, Aviv Mor joins Yuri Diogenes to talk about Microsoft Defender for Servers updates, including the new integration with TVM. Aviv explains how this new integration with TVM works, the advantages of this integration, which includes software inventory and easy experience to onboard. Aviv also covers the integration with MDE for Linux and the Defender for Servers support for the new multicloud connector for AWS.
<br> <br>
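Review bot: the rewritten episode description carries over the grammatical problems of the old line: "the advantages of this integration, which includes software inventory and easy experience to onboard" should read "which include software inventory and an easy onboarding experience" (plural verb, article added); since the line is being touched for the multicloud rename anyway, fix it here rather than leaving a known-bad sentence in the new version.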
defender-for-cloud Episode Nine https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/episode-nine.md
Title: Microsoft Defender for Containers in a multi-cloud environment
+ Title: Microsoft Defender for Containers in a multicloud environment
description: Learn about Microsoft Defender for Containers implementation in AWS and GCP. Last updated 06/01/2022
-# Microsoft Defender for Containers in a Multi-Cloud Environment
+# Microsoft Defender for Containers in a Multicloud Environment
**Episode description**: In this episode of Defender for Cloud in the field, Maya Herskovic joins Yuri Diogenes to talk about Microsoft Defender for Containers implementation in AWS and GCP.
-Maya explains about the new workload protection capabilities related to Containers when they're deployed in a multi-cloud environment. Maya also demonstrates the onboarding experience in GCP and how to visualize security recommendations across AWS, GCP, and Azure in a single dashboard.
+Maya explains about the new workload protection capabilities related to Containers when they're deployed in a multicloud environment. Maya also demonstrates the onboarding experience in GCP and how to visualize security recommendations across AWS, GCP, and Azure in a single dashboard.
<br> <br> <iframe src="https://aka.ms/docs/player?id=f9470496-abe3-4344-8160-d6a6b65c077f" width="1080" height="530" allowFullScreen="true" frameBorder="0"></iframe> -- [01:12](/shows/mdc-in-the-field/containers-multi-cloud#time=01m12s) - Container protection in a multi-cloud environment
+- [01:12](/shows/mdc-in-the-field/containers-multi-cloud#time=01m12s) - Container protection in a multicloud environment
- [05:03](/shows/mdc-in-the-field/containers-multi-cloud#time=05m03s) - Workload protection capabilities for GCP
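Review bot: the front-matter change shows the old "Title: Microsoft Defender for Containers in a multi-cloud environment" line without a removal marker while the new title is added with "+", so as rendered the file would carry two title keys; confirm the old line is actually deleted in the commit rather than duplicated. The "/shows/mdc-in-the-field/containers-multi-cloud" timestamp links correctly keep the hyphenated slug, because that is a URL path and not prose, so those should stay as they are.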
defender-for-cloud Episode Seven https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/episode-seven.md
Last updated 05/29/2022
# New GCP connector in Microsoft Defender for Cloud
-**Episode description**: In this episode of Defender for Cloud in the field, Or Serok joins Yuri Diogenes to share the new GCP Connector in Microsoft Defender for Cloud. Or explains the use case scenarios for the new connector and how the new connector works. She demonstrates the onboarding process to connect GCP with Microsoft Defender for Cloud and talks about custom assessment and the CSPM experience for multi-cloud.
+**Episode description**: In this episode of Defender for Cloud in the field, Or Serok joins Yuri Diogenes to share the new GCP Connector in Microsoft Defender for Cloud. Or explains the use case scenarios for the new connector and how the new connector works. She demonstrates the onboarding process to connect GCP with Microsoft Defender for Cloud and talks about custom assessment and the CSPM experience for multicloud
<br> <br>
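Review bot: the rewritten episode description drops the sentence's closing period ("...the CSPM experience for multicloud" ends the line with nothing after it); restore the period so the sentence terminates like the other episode descriptions in this series.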
defender-for-cloud Episode Six https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/episode-six.md
Last updated 05/25/2022
# Lessons learned from the field with Microsoft Defender for Cloud
-**Episode description**: In this episode Carlos Faria, Microsoft Cybersecurity Consultant joins Yuri to talk about lessons from the field and how customers are using Microsoft Defender for Cloud to improve their security posture and protect their workloads in a multi-cloud environment.
+**Episode description**: In this episode Carlos Faria, Microsoft Cybersecurity Consultant joins Yuri to talk about lessons from the field and how customers are using Microsoft Defender for Cloud to improve their security posture and protect their workloads in a multicloud environment.
Carlos also covers how Microsoft Defender for Cloud is used to fill the gap between cloud security posture management and cloud workload protection, and demonstrates some features related to this scenario.
Carlos also covers how Microsoft Defender for Cloud is used to fill the gap betw
- [2:58](/shows/mdc-in-the-field/lessons-from-the-field#time=02m58s) - How to fulfill the gap between CSPM and CWPP -- [4:42](/shows/mdc-in-the-field/lessons-from-the-field#time=04m42s) - How a multi-cloud affects the CSPM lifecycle and how Defender for Cloud fits in?
+- [4:42](/shows/mdc-in-the-field/lessons-from-the-field#time=04m42s) - How a multicloud affects the CSPM lifecycle and how Defender for Cloud fits in?
- [8:05](/shows/mdc-in-the-field/lessons-from-the-field#time=08m05s) - Demonstration
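Review bot: "How a multicloud affects the CSPM lifecycle" reads awkwardly after the rename because "multicloud" is being used as a noun with an article; the original "a multi-cloud" had the same problem, so take the opportunity to write "How a multicloud environment affects the CSPM lifecycle" (matching the phrasing "in a multicloud environment" used in the episode description above) or simply "How multicloud affects ...". The trailing question mark on a "How ..." bullet that is a topic label rather than a question could also be dropped.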
defender-for-cloud Episode Three https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/episode-three.md
Last updated 05/29/2022
# Microsoft Defender for Containers
-**Episode description**: In this episode of Defender for Cloud in the field, Maya Herskovic joins Yuri Diogenes to talk about Microsoft Defender for Containers. Maya explains what's new in Microsoft Defender for Containers, the new capabilities that are available, the new pricing model, and the multi-cloud coverage. Maya also demonstrates the overall experience of Microsoft Defender for Containers from the recommendations to the alerts that you may receive.
+**Episode description**: In this episode of Defender for Cloud in the field, Maya Herskovic joins Yuri Diogenes to talk about Microsoft Defender for Containers. Maya explains what's new in Microsoft Defender for Containers, the new capabilities that are available, the new pricing model, and the multicloud coverage. Maya also demonstrates the overall experience of Microsoft Defender for Containers from the recommendations to the alerts that you may receive.
<br> <br>
digital-twins Concepts Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/concepts-security.md
For instructions on how to enable a system-managed identity for Azure Digital Tw
[Azure Private Link](../private-link/private-link-overview.md) is a service that enables you to access Azure resources (like [Azure Event Hubs](../event-hubs/event-hubs-about.md), [Azure Storage](../storage/common/storage-introduction.md), and [Azure Cosmos DB](../cosmos-db/introduction.md)) and Azure-hosted customer and partner services over a private endpoint in your [Azure Virtual Network (VNet)](../virtual-network/virtual-networks-overview.md).
-Similarly, you can use private endpoints for your Azure Digital Twin instance to allow clients located in your virtual network to securely access the instance over Private Link.
+Similarly, you can use private endpoints for your Azure Digital Twins instance to allow clients located in your virtual network to securely access the instance over Private Link. Configuring a private endpoint for your Azure Digital Twins instance enables you to secure your Azure Digital Twins instance and eliminate public exposure. Additionally, it helps avoid data exfiltration from your [Azure Virtual Network (VNet)](../virtual-network/virtual-networks-overview.md).
The private endpoint uses an IP address from your Azure VNet address space. Network traffic between a client on your private network and the Azure Digital Twins instance traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure to the public internet. Here's a visual representation of this system:
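Review bot: the added sentence states that configuring a private endpoint "enables you to secure your Azure Digital Twins instance and eliminate public exposure", but a private endpoint on its own only adds a private path into the instance; the public endpoint stays reachable until the instance's public network access flag is disabled, which the companion how-to article in this same commit set lists as a separate step ("Disable or enable public network access flags, to restrict API access ... to Private Link connections only"). Qualify the sentence to say that eliminating public exposure requires the private endpoint together with disabling public network access, and link to that step, otherwise readers may assume the endpoint alone closes the public path. The sentence also overlaps with the paragraph immediately after it, which already says traffic traverses the Microsoft backbone "eliminating exposure to the public internet"; consider merging the two rather than stating the same claim twice.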
digital-twins How To Enable Private Link https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/how-to-enable-private-link.md
-# Mandatory fields.
Title: Enable private access with Private Link
+ Title: Enable private access to Azure Digital Twins
-description: Learn how to enable private access for Azure Digital Twins solutions with Private Link.
+description: Learn how to enable private access to your Azure Digital Twins solutions, using Azure Private Link.
- Previously updated : 02/22/2022+ Last updated : 06/07/2022 -+ ms.devlang: azurecli-
-# Optional fields. Don't forget to remove # if you need a field.
-#
-#
-#
-# Enable private access with Private Link
+# Enable private access to Azure Digital Twins using Private Link
-This article describes the different ways to enable [Private Link with a private endpoint for an Azure Digital Twins instance](concepts-security.md#private-network-access-with-azure-private-link). Configuring a private endpoint for your Azure Digital Twins instance enables you to secure your Azure Digital Twins instance and eliminate public exposure. Additionally, it helps avoid data exfiltration from your [Azure Virtual Network (VNet)](../virtual-network/virtual-networks-overview.md).
+By using Azure Digital Twins together with [Azure Private Link](../private-link/private-link-overview.md), you can enable private endpoints for your Azure Digital Twins instance, to eliminate public exposure and allow clients located in your virtual network to securely access the instance over Private Link. For more information about this security strategy for Azure Digital Twins, see [Private Link with a private endpoint for an Azure Digital Twins instance](concepts-security.md#private-network-access-with-azure-private-link).
Here are the steps that are covered in this article: 1. Turn on Private Link and configure a private endpoint for an Azure Digital Twins instance.
-1. View, edit, or delete a private endpoint from an instance.
-1. Disable or enable public network access flags, to restrict API access to Private Link connections only.
+1. View, edit, or delete a private endpoint from an Azure Digital Twins instance.
+1. Disable or enable public network access flags, to restrict API access for an Azure Digital Twins to Private Link connections only.
+
+This article also contains information for deploying Azure Digital Twins with Private Link using an ARM template, and troubleshooting the configuration.
## Prerequisites Before you can set up a private endpoint, you'll need an [Azure Virtual Network (VNet)](../virtual-network/virtual-networks-overview.md) where the endpoint can be deployed. If you don't have a VNet already, you can follow one of the [Azure Virtual Network quickstarts](../virtual-network/quick-create-portal.md) to set this up.
-## Add a private endpoint to Azure Digital Twins
+## Add private endpoints to Azure Digital Twins
You can use either the [Azure portal](https://portal.azure.com) or the [Azure CLI](/cli/azure/what-is-azure-cli) to turn on Private Link with a private endpoint for an Azure Digital Twins instance.
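Review bot: the rewritten step "restrict API access for an Azure Digital Twins to Private Link connections only" is missing its noun; it should read "for an Azure Digital Twins instance". Two smaller points in the same hunk: the old front-matter line "Title: Enable private access with Private Link" appears as context while its replacement is added with "+", so check that the old title key is really removed and not duplicated; and the heading was pluralized to "Add private endpoints to Azure Digital Twins" while the sentence beneath it still describes turning on "a private endpoint for an Azure Digital Twins instance", so pick one number (the singular matches the manage-section intro, "after it's been created").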
For a full list of required and optional parameters, as well as more private end
-## Manage private endpoint connections
+## Manage private endpoints
In this section, you'll see how to view, edit, and delete a private endpoint after it's been created.
For a sample template that allows an Azure function to connect to Azure Digital
This template creates an Azure Digital Twins instance, a virtual network, an Azure function connected to the virtual network, and a Private Link connection to make the Azure Digital Twins instance accessible to the Azure function through a private endpoint.
-## Troubleshoot Private Link with Azure Digital Twins
+## Troubleshoot
-Here are some common issues experienced with Private Link for Azure Digital Twins.
+Here are some common issues that might arise when using Private Link with Azure Digital Twins.
* **Issue:** When trying to access Azure Digital Twins APIs, you see an HTTP error code 403 with the following error in the response body: ```json
dms Migration Using Azure Data Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dms/migration-using-azure-data-studio.md
When you migrate database(s) using the Azure SQL migration extension for Azure D
- SSIS packages - Server roles - Server audit-- When migrating to SQL Server on Azure Virtual Machines, SQL Server 2014 and below as target versions are not supported currently.
+- When migrating to SQL Server on Azure Virtual Machines, SQL Server 2008 and below as target versions are not supported currently.
+- If you are using SQL Server 2012 or SQL Server 2014 you need to store your source database backup files on an Azure Storage Blob Container instead of using the network share option. Store the backup files as page blobs since block blobs are only supported in SQL 2016 and after.
- Migrating to Azure SQL Database isn't supported. - Azure storage accounts secured by specific firewall rules or configured with a private endpoint are not supported for migrations. - You can't use an existing self-hosted integration runtime created from Azure Data Factory for database migrations with DMS. Initially, the self-hosted integration runtime should be created using the Azure SQL migration extension in Azure Data Studio and can be reused for further database migrations.
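Review bot: the new bullet for SQL Server 2012/2014 needs a comma after the condition ("If you are using SQL Server 2012 or SQL Server 2014, you need to ...") and should name the product consistently ("SQL Server 2016 and later", not "SQL 2016 and after"). More substantively, it interacts with the unchanged bullet just below it: because storage accounts "secured by specific firewall rules or configured with a private endpoint are not supported for migrations", readers targeting 2012/2014 are now being told to place full database backups in a storage account that has to stay reachable over its public endpoint. State that constraint next to the new requirement so they can plan compensating access controls for those backup files up front instead of discovering it mid-migration. Also double-check that the floor change in the first bullet ("SQL Server 2014 and below" to "SQL Server 2008 and below") is reflected wherever else the article lists supported target versions.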
dns Tutorial Public Dns Zones Child https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/tutorial-public-dns-zones-child.md
Title: 'Tutorial: Creating an Azure child DNS zones'
+ Title: 'Tutorial: Create an Azure child DNS zone'
-description: Tutorial on how to create child DNS zones in Azure portal.
+description: In this tutorial, you learn how to create child DNS zones in Azure portal.
ms.assetid: be4580d7-aa1b-4b6b-89a3-0991c0cda897 -+ Previously updated : 04/19/2021 Last updated : 06/07/2022
-# Tutorial: Creating a new Child DNS zone
+# Tutorial: Create a new Child DNS zone
In this tutorial, you learn how to: > [!div class="checklist"]
-> * Signing in to Azure Portal.
-> * Creating child DNS zone via new DNS zone.
-> * Creating child DNS zone via parent DNS zone.
-> * Verifying NS Delegation for new Child DNS zone.
+> * Create a child DNS zone via parent DNS zone.
+> * Create a child DNS zone via new DNS zone.
+> * Verify NS Delegation for the new Child DNS zone.
## Prerequisites
-* An Azure account with an active subscription. If you don't have an account, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-* Existing parent Azure DNS zone.
+* An Azure account with an active subscription. If you don't have one, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* A parent Azure DNS zone. If you don't have one, you can [create a DNS zone](./dns-getstarted-portal.md#create-a-dns-zone).
-In this tutorial, we'll use contoso.com as the parent zone and subdomain.contoso.com as the child domain name. Replace *contoso.com* with your parent domain name and *subdomain* with your child domain. If you haven't created your parent DNS zone, see steps to [create DNS zone using Azure portal](./dns-getstarted-portal.md#create-a-dns-zone).
+In this tutorial, we'll use `contoso.com` as the parent zone and `subdomain.contoso.com` as the child domain name. Replace `contoso.com` with your parent domain name and `subdomain` with your child domain.
+There are two ways you can create your child DNS zone:
+1. Through the parent DNS zone's **Overview** page.
+1. Through the **Create DNS zone** page.
-## Sign in to Azure portal
+## Create a child DNS zone via parent DNS zone Overview page
-Sign in to the [Azure portal](https://portal.azure.com/) with your Azure account.
-If you don't have an Azure subscription, create a free account before you begin.
+You'll create a new child DNS zone and delegate it to the parent DNS zone using the **Child Zone** button from parent zone **Overview** page. Using this button, the parent parameters are automatically pre-populated.
-There are two ways you can do create your child DNS zone.
-1. Through the "Create DNS zone" portal page.
-1. Through the parent DNS zone's configuration page.
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. In the Azure portal, enter *contoso.com* in the search box at the top of the portal and then select **contoso.com** DNS zone from the search results.
+1. In the **Overview** page, select the **+Child zone** button.
-## Create child DNS zone via create DNS zone
+ :::image type="content" source="./media/tutorial-public-dns-zones-child/child-zone-button.png" alt-text="Screenshot of D N S zone showing the child zone button.":::
-In this step, we'll create a new child DNS zone with name **subdomain.contoso.com** and delegate it to existing parent DNS zone **contoso.com**. You'll create the DNS zone using the tabs on the **Create DNS zone** page.
-1. On the Azure portal menu or from the **Home** page, select **Create a resource**. The **New** window appears.
-1. Select **Networking**, then select **DNS zone** and then select **Add** button.
+1. In the **Create DNS zone**, enter or select this information in the **Basics** tab:
-1. On the **basics** tab, type or select the following values:
- * **Subscription**: Select a subscription to create the zone in.
- * **Resource group**: Enter your existing Resource group or create a new one by selecting **Create new**. Enter *MyResourceGroup*, and select **OK**. The resource group name must be unique within the Azure subscription.
- * Check this checkbox: **This zone is a child of an existing zone already hosted in Azure DNS**
- * **Parent zone subscription**: From this drop down, search or select the subscription name under which parent DNS zone *contoso.com* was created.
- * **Parent zone**: In the search bar type *contoso.com* to load it in dropdown list. Once loaded select *contoso.com* from dropdown list.
- * **Name:** Type *subdomain* for this tutorial example. Notice that your parent DNS zone name *contoso.com* is automatically added as suffix to name when we select parent zone from the above step.
+ | Setting | Value |
+ | - | -- |
+ | **Project details** | |
+ | Subscription | Select your Azure subscription.|
+ | Resource group | Select an existing resource group for the child zone or create a new one by selecting **Create new**. </br> In this tutorial, the resource group **MyResourceGroup** of the parent DNS zone is selected. |
+ | **Instance details** | |
+ | Name | Enter your child zone name. In this tutorial, *subdomain* is used. Notice that the parent DNS zone name `contoso.com` is automatically added as a suffix to **Name**. |
+ | Resource group location | The resource group location is selected for you if you selected an existing resource group for the child zone. </br> Select the resource group location if you created a new resource group for the child zone. </br> The resource group location doesn't affect your DNS zone service, which is global and not bound to a location. |
-1. Select **Next: Review + create**.
-1. On the **Review + create** tab, review the summary, correct any validation errors, and then select **Create**.
-It may take a few minutes to create the zone.
+ :::image type="content" source="./media/tutorial-public-dns-zones-child/child-zone-via-overview-page.png" alt-text="Screenshot of Create D N S zone page accessed via the Add child zone button.":::
- :::image type="content" source="./media/dns-delegate-domain-azure-dns/create-dns-zone-inline.png" alt-text="Screenshot of the create DNS zone page." lightbox="./media/dns-delegate-domain-azure-dns/create-dns-zone-expanded.png":::
+ > [!NOTE]
+ > Parent zone information is automatically pre-populated with child zone option box already checked.
-## Create child DNS zone via parent DNS zone overview page
-You can also create a new child DNS zone and delegate it into the parent DNS zone by using the **Child Zone** button from parent zone overview page. Using this button automatically pre-populates the parent parameters for the child zone automatically.
+1. Select **Review + create** button.
+1. Select **Create** button. It may take a few minutes to create the child zone.
-1. In the Azure portal, under **All resources**, open the *contoso.com* DNS zone in the **MyResourceGroup** resource group. You can enter *contoso.com* in the **Filter by name** box to find it more easily.
-1. On DNS zone overview page, select the **+Child Zone** button.
- :::image type="content" source="./media/dns-delegate-domain-azure-dns/create-child-zone-inline.png" alt-text="Screenshot child zone button." border="true" lightbox="./media/dns-delegate-domain-azure-dns/create-child-zone-expanded.png":::
+## Create a child DNS zone via Create DNS zone
-1. The create DNS zone page will then open. Child zone option is already checked, and parent zone subscription and parent zone gets populated for you on this page.
-1. Type the name as *child* for this tutorial example. Notice that you parent DNS zone name contoso.com is automatically added as prefix to name.
-1. Select **Next: Tags** and then **Next: Review + create**.
-1. On the **Review + create** tab, review the summary, correct any validation errors, and then select **Create**.
+You'll create a new child DNS zone and delegate it to the parent DNS zone using the **Create DNS zone** page.
- :::image type="content" source="./media/dns-delegate-domain-azure-dns/create-dns-zone-child-inline.png" alt-text="Screenshot of child zone selected" border="true" lightbox="./media/dns-delegate-domain-azure-dns/create-dns-zone-child-expanded.png":::
+1. On the Azure portal menu or from the **Home** page, select **Create a resource** and then select **Networking**.
+1. Select **DNS zone** and then select the **Create** button.
-## Verify child DNS zone
-Now that you have a new child DNS zone *subdomain.contoso.com* created. To verify that delegation happened correctly, you'll want to check the nameserver(NS) records for your child zone is in the parent zone as described below.
+1. In **Create DNS zone**, enter or select this information in the **Basics** tab:
-**Retrieve name servers of child DNS zone:**
+ | Setting | Value |
+ | - | -- |
+ | **Project details** | |
+ | Subscription | Select your Azure subscription.|
+ | Resource group | Select an existing resource group or create a new one by selecting **Create new**. </br> In this tutorial, the resource group **MyResourceGroup** of the parent DNS zone is selected. |
+ | **Instance details** | |
+ | This zone is a child of an existing zone already hosted in Azure DNS | Check this checkbox. |
+ | Parent zone subscription | Select your Azure subscription under which parent DNS zone `contoso.com` was created. |
+ | Parent zone | In the search bar, enter *contoso.com* to load it in dropdown list. Once loaded, select it from dropdown list. |
+ | Name | Enter your child zone name. In this tutorial, *subdomain* is used. Notice that the parent DNS zone name `contoso.com` is automatically added as a suffix to **Name** after you selected parent zone from the previous step. |
+ | Resource group location | The resource group location is selected for you if you selected an existing resource group for the child zone. </br> Select the resource group location if you created a new resource group for the child zone. </br> The resource group location doesn't affect your DNS zone service, which is global and not bound to a location. |
-1. In the Azure portal, under **All resources**, open the *subdomain.contoso.com* DNS zone in the **MyResourceGroup** resource group. You can enter *subdomain.contoso.com* in the **Filter by name** box to find it more easily.
-1. Retrieve the name servers from the DNS zone overview page. In this example, the zone contoso.com has been assigned name servers *ns1-08.azure-dns.com, ns2-08.azure-dns.net, ns3-08.azure-dns.org*, and *ns4-08.azure-dns.info*:
+ :::image type="content" source="./media/tutorial-public-dns-zones-child/child-zone-via-create-dns-zone-page.png" alt-text="Screenshot of Create D N S zone page accessed via the Create button of D N S zone page.":::
- :::image type="content" source="./media/dns-delegate-domain-azure-dns/create-child-zone-ns-inline.png" alt-text="Screenshot of child zone nameservers" border="true" lightbox="./media/dns-delegate-domain-azure-dns/create-child-zone-ns-expanded.png":::
-**Verify the NS record in parent DNS zone:**
+1. Select **Review + create** button.
+1. Select **Create** button. It may take a few minutes to create the zone.
-Now in this step we go the parent DNS zone *contoso.com* and check that its NS record set entry for the child zones nameservers has been created.
-1. In the Azure portal, under **All resources**, open the contoso.com DNS zone in the **MyResourceGroup** resource group. You can enter contoso.com in the **Filter by name** box to find it more easily.
-1. On the *contoso.com* DNS zones overview page, check for the record sets.
-1. You'll find that record set of type NS and name subdomain is already created in parent DNS zone. Check the values for this record set it's similar to the nameserver list we retrieved from child DNS zone in above step.
+## Verify the child DNS zone
+
+After the new child DNS zone `subdomain.contoso.com` created, verify that the delegation configured correctly. You'll need to check that your child zone name server (NS) records are in the parent zone as described below.
+
+### Retrieve name servers of child DNS zone
+
+1. In the Azure portal, enter *subdomain.contoso.com* in the search box at the top of the portal and then select **subdomain.contoso.com** DNS zone from the search results.
+
+1. Retrieve the name servers from the DNS zone **Overview** page. In this example, the zone `subdomain.contoso.com` has been assigned name servers `ns1-05.azure-dns.com.`, `ns2-05.azure-dns.net.`, `ns3-05.azure-dns.org.`, and `ns4-05.azure-dns.info.`:
+
+ :::image type="content" source="./media/tutorial-public-dns-zones-child/child-zone-name-servers-inline.png" alt-text="
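Review bot: the intro to the new "## Verify the child DNS zone" section is missing its verbs: "After the new child DNS zone `subdomain.contoso.com` created, verify that the delegation configured correctly" should read "After the new child DNS zone `subdomain.contoso.com` is created, verify that the delegation is configured correctly". Other points in this rewrite: the two settings tables use `</br>` for line breaks in both "Resource group" rows and both "Resource group location" rows; `</br>` is a stray closing tag, so use `<br>` as elsewhere in the docs set. The H1 "Tutorial: Create a new Child DNS zone" capitalizes "Child" while the title and checklist use lowercase "child DNS zone"; make them consistent. The name-server step now correctly attributes `ns1-05.azure-dns.com.` and its siblings to the child zone (the old text wrongly said `contoso.com`), which fixes a real error, but the verification still only confirms that an NS record set for `subdomain` exists in the parent zone inside the Azure portal; adding a resolver-side check (an NS query for `subdomain.contoso.com` against a public resolver or against the parent zone's own name servers) would show that the delegation actually resolves, which is what the checklist item "Verify NS Delegation for the new Child DNS zone" promises.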