Updates from: 07/10/2021 03:05:59
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Enable Authentication Web Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-web-api.md
To stop the program, in the command shell press `Ctrl+C`. You can rerun the app
> [!TIP] > Alternatively to run the `dotnet run` command, use [VS Code debugger](https://code.visualstudio.com/docs/editor/debugging). VS Code's built-in debugger helps accelerate your edit, compile and debug loop.
-Open a browser and go to http://localhost:6000/public. In the browser window, you should see the following text displayed the current date and time.
+Open a browser and go to `http://localhost:6000/public`. In the browser window, you should see the following text displayed the current date and time.
To stop the program, in the command shell press `Ctrl+C`. You can rerun the app
> [!TIP] > Alternatively to run the `node app.js` command, use [VS Code debugger](https://code.visualstudio.com/docs/editor/debugging). VS Code's built-in debugger helps accelerate your edit, compile and debug loop.
-Open a browser and go to http://localhost:6000/public. In the browser window, you should see the following text displayed the current date and time.
+Open a browser and go to `http://localhost:6000/public`. In the browser window, you should see the following text displayed the current date and time.
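Review bot: Both `+` lines in this file (the `dotnet run` tab above and this `node app.js` tab) still end with "you should see the following text displayed the current date and time", which is ungrammatical; since the line is already being touched to wrap `http://localhost:6000/public` in backticks, fix the sentence at the same time, for example "you should see the following text, displaying the current date and time".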
## Calling the web API from your app
-First try to call the protected web API endpoint without an access token. Open a browser and go to http://localhost:6000/hello. The API will return unauthorized HTTP error message, confirming that web API is protected with a bearer token.
+First try to call the protected web API endpoint without an access token. Open a browser and go to `http://localhost:6000/hello`. The API will return unauthorized HTTP error message, confirming that web API is protected with a bearer token.
Continue to configure your app to call the web API. For guidance, see the [Prerequisites](#prerequisites) section.
Get the complete example on GitHub:
* [Node.js Web API using the Passport.js library](https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi) ---
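Review bot: The `+` line "The API will return unauthorized HTTP error message, confirming that web API is protected with a bearer token." is missing its articles; suggest "The API returns an HTTP Unauthorized error, confirming that the web API is protected with a bearer token." The change itself (backticks around `http://localhost:6000/hello`) is fine.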
active-directory-b2c Localization String Ids https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/localization-string-ids.md
The following are the IDs for a [Verification display control](display-control-v
|but_send_new_code | Send new code| |but_change_claims | Change e-mail|
-Note: The `intro_msg` element is hidden, and not shown on the self-asserted page. To make it visible, use the [HTML customiztion](customize-ui-with-html.md) with Cascading Style Sheets. For example:
+Note: The `intro_msg` element is hidden, and not shown on the self-asserted page. To make it visible, use the [HTML customization](customize-ui-with-html.md) with Cascading Style Sheets. For example:
```css .verificationInfoText div{display: block!important}
The following are the IDs for a [one-time password technical profile](one-time-p
| ID | Default value | | -- | - |
-|UserMessageIfMaxRetryAttempted |One time password provided verification has exceeded maximum number of attempts |
-|UserMessageIfSessionDoesNotExist |One time password verification session has expired |
-|UserMessageIfSessionConflict |One time password verification session has conflict |
-|UserMessageIfInvalidCode |One time password provided for verification is incorrect |
-|UserMessageIfVerificationFailedRetryAllowed |That code is incorrect. Please try again. |
+| UserMessageIfSessionDoesNotExist | No | The message to display to the user if the code verification session has expired. It is either the code has expired or the code has never been generated for a given identifier. |
+| UserMessageIfMaxRetryAttempted | No | The message to display to the user if they've exceeded the maximum allowed verification attempts. |
+| UserMessageIfMaxNumberOfCodeGenerated | No | The message to display to the user if the code generation has exceeded the maximum allowed number of attempts. |
+| UserMessageIfInvalidCode | No | The message to display to the user if they've provided an invalid code. |
+| UserMessageIfVerificationFailedRetryAllowed | No | The message to display to the user if they've provided an invalid code, and user is allowed to provide the correct code. |
+|UserMessageIfSessionConflict|No| The message to display to the user if the code cannot be verified.|
### One time password example
The following are the IDs for a [one-time password technical profile](one-time-p
<LocalizedStrings> <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfSessionDoesNotExist">You have exceeded the maximum time allowed.</LocalizedString> <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfMaxRetryAttempted">You have exceeded the number of retries allowed.</LocalizedString>
+ <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfMaxNumberOfCodeGenerated">You have exceeded the number of retries allowed.</LocalizedString>
<LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfInvalidCode">You have entered the wrong code.</LocalizedString>
- <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfSessionConflict">Cannot verify the code, please try again later.</LocalizedString>
- <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfVerificationFailedRetryAllowed">That code is incorrect. Please try again.</LocalizedString>
+ <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfVerificationFailedRetryAllowed">That code is incorrect. Please try again.</LocalizedString>
+ <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfSessionConflict">Cannot verify the code, please try again later.</LocalizedString>
</LocalizedStrings> </LocalizedResources> ```
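Review bot: The six added table rows (`| UserMessageIfSessionDoesNotExist | No | The message to display ... |` and the ones that follow) have three cells each, but the header row left in place above them, `| ID | Default value | | -- | - |`, still declares two columns, so the table will not render correctly; update the header and separator to three cells, for example `| ID | Required | Description |`, and decide whether the default texts that the removed rows carried (e.g. "That code is incorrect. Please try again.") should survive as a fourth column rather than being dropped. In the XML example, the added `UserMessageIfMaxNumberOfCodeGenerated` string reuses the exact `UserMessageIfMaxRetryAttempted` text "You have exceeded the number of retries allowed.", although the table describes it as the limit on code generation rather than on verification attempts; give it distinct text so the user can tell which limit was hit.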
active-directory Concept Conditional Access Conditions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-conditional-access-conditions.md
This setting works with all browsers. However, to satisfy a device policy, like
| Windows Server 2016 | Internet Explorer | | Windows Server 2012 R2 | Internet Explorer | | Windows Server 2008 R2 | Internet Explorer |
-| macOS | Chrome, Safari |
+| macOS | Microsoft Edge, Chrome, Safari |
These browsers support device authentication, allowing the device to be identified and validated against a policy. The device check fails if the browser is running in private mode or if cookies are disabled.
active-directory Plan Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/plan-conditional-access.md
The proliferation of supported devices to access your cloud resources helps to i
### Require approved client apps
-Employees use their mobile devices for both personal and work tasks. For BYOD scenarios you must decide whether to manage the entire device or just the data on it. if managing only data and access, you can [require approved cloud apps](app-based-conditional-access.md) that can protect your corporate data. for example, you can require email only be accessed via Outlook mobile, and not via a generic mail program.
+Employees use their mobile devices for both personal and work tasks. For BYOD scenarios you must decide whether to manage the entire device or just the data on it. If managing only data and access, you can [require approved cloud apps](app-based-conditional-access.md) that can protect your corporate data. for example, you can require email only be accessed via Outlook mobile, and not via a generic mail program.
### Block access
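Review bot: The `+` line capitalizes "If managing only data and access" but leaves the next sentence starting lowercase ("for example, you can require email ..."); fix both while the line is being edited. Also, the heading is "Require approved client apps" while the sentence links to "[require approved cloud apps](app-based-conditional-access.md)"; the control described (Outlook mobile rather than a generic mail program) is the approved client app control, so "cloud apps" reads as a typo for "client apps".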
active-directory Developer Guide Conditional Access Authentication Context https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/developer-guide-conditional-access-authentication-context.md
Do not use auth context where the app itself is going to be a target of Conditio
- [Granular Conditional Access for sensitive data and actions (Blog)](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/granular-conditional-access-for-sensitive-data-and-actions/ba-p/1751775) - [Zero trust with the Microsoft Identity platform](/security/zero-trust/identity-developer) - [Building Zero Trust ready apps with the Microsoft identity platform](/security/zero-trust/identity-developer)
+- [Use the Conditional Access auth context to perform step\-up authentication for high\-privilege operations in a Web app](https://github.com/Azure-Samples/ms-identity-dotnetcore-ca-auth-context-app/blob/main/README.md)
- [Use the Conditional Access auth context to perform step-up authentication for high-privilege operations in a Web API](https://github.com/Azure-Samples/ms-identity-ca-auth-context/blob/main/README.md) - [Conditional Access authentication context](../conditional-access/concept-conditional-access-cloud-apps.md#authentication-context-preview) - [authenticationContextClassReference resource type - MS Graph](/graph/api/conditionalaccessroot-list-authenticationcontextclassreferences)
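Review bot: The added Web app link escapes its hyphens (`step\-up`, `high\-privilege`) while the sibling Web API link on the next line uses plain `step-up` and `high-privilege`; the backslashes are unnecessary in link text and should be removed for consistency. Visible in the unchanged context: "[Zero trust with the Microsoft Identity platform]" and "[Building Zero Trust ready apps with the Microsoft identity platform]" both point to `/security/zero-trust/identity-developer`, so one entry is either a duplicate or has the wrong target.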
active-directory Users Bulk Delete https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/users-bulk-delete.md
Previously updated : 12/02/2020 Last updated : 07/09/2021
- # Bulk delete users in Azure Active Directory
-Using Azure Active Directory (Azure AD) portal, you can remove a large number of members to a group by using a comma-separated values (CSV) file to bulk delete users.
-
-## Understand the CSV template
+Using the Azure Active Directory (Azure AD) portal, you can remove a large number of members to a group by using a comma-separated values (CSV) file to bulk delete users.
-Download and fill in the CSV template to help you successfully delete Azure AD users in bulk. The CSV template you download might look like this example:
+## CSV template structure
-![Spreadsheet for upload and call-outs explaining the purpose and values for each row and column](./media/users-bulk-delete/understand-template.png)
-
-### CSV template structure
+![The CSV file contains names and IDs of the users to delete](./media/users-bulk-delete/delete-csv-file.png)
The rows in a downloaded CSV template are as follows: - **Version number**: The first row containing the version number must be included in the upload CSV.-- **Column headings**: The format of the column headings is &lt;*Item name*&gt; [PropertyName] &lt;*Required or blank*&gt;. For example, `User name [userPrincipalName] Required`. Some older versions of the template might have slight variations.-- **Examples row**: We have included in the template a row of examples of acceptable values for each column. You must remove the examples row and replace it with your own entries.
+- **Column headings**: `User name [userPrincipalName] Required`. Older versions of the template might vary.
+- **Examples row**: We have included in the template an example of an acceptable value. `Example: chris@contoso.com` You must remove the example row and replace it with your own entries.
### Additional guidance -- The first two rows of the upload template must not be removed or modified, or the upload can't be processed.
+- The first two rows of the template must not be removed or modified, or the template can't be processed.
- The required columns are listed first.-- We don't recommend adding new columns to the template. Any additional columns you add are ignored and not processed.-- We recommend that you download the latest version of the CSV template as often as possible.
+- Don't add new columns to the template. Any additional columns you add are ignored and not processed.
+- Download the latest version of the CSV template before making new changes.
## To bulk delete users 1. [Sign in to your Azure AD organization](https://aad.portal.azure.com) with an account that is a User administrator in the organization.
-1. In Azure AD, select **Users** > **Bulk delete**.
-1. On the **Bulk delete user** page, select **Download** to receive a valid CSV file of user properties.
-
- ![Select a local CSV file in which you list the users you want to delete](./media/users-bulk-delete/bulk-delete.png)
-
-1. Open the CSV file and add a line for each user you want to delete. The only required value is **User principal name**. Then save the file.
-
- ![The CSV file contains names and IDs of the users to delete](./media/users-bulk-delete/delete-csv-file.png)
-
+1. In Azure AD, select **Users** > **Bulk operations** > **Bulk delete**.
+1. On the **Bulk delete user** page, select **Download** to download the latest version of the CSV template.
+1. Open the CSV file and add a line for each user you want to delete. The only required value is **User principal name**. Save the file.
1. On the **Bulk delete user** page, under **Upload your csv file**, browse to the file. When you select the file and click submit, validation of the CSV file starts. 1. When the file contents are validated, youΓÇÖll see **File uploaded successfully**. If there are errors, you must fix them before you can submit the job. 1. When your file passes validation, select **Submit** to start the Azure bulk operation that deletes the users.
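Review bot: The rewritten intro `+Using the Azure Active Directory (Azure AD) portal, you can remove a large number of members to a group by using a comma-separated values (CSV) file to bulk delete users.` still describes removing members from a group, which is not what this page does; the steps delete user accounts, so suggest "you can delete a large number of users by uploading a comma-separated values (CSV) file." The replaced `+- **Column headings**` line also drops the general heading format `<Item name> [PropertyName] <Required or blank>` in favour of a single example, so readers no longer learn what the `Required` marker means; keep the format sentence and then give `User name [userPrincipalName] Required` as the example.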
active-directory Google Federation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/google-federation.md
Previously updated : 06/08/2021 Last updated : 07/09/2021
After you've added Google as one of your application's sign-in options, on the *
> Google federation is designed specifically for Gmail users. To federate with G Suite domains, use [SAML/WS-Fed identity provider federation](direct-federation.md). > [!IMPORTANT]
-> **Starting September 30, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](#deprecation-of-web-view-sign-in-support).
+>
+> - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication could be blocked for Gmail users (with the error screen shown below in [What to expect](#what-to-expect)). This issue occurs only if you create Google integration for self-service sign-up user flows after July 12, 2021 and Gmail authentications in your custom or line-of-business applications havenΓÇÖt been moved to system web-views. Because system web-views are enabled by default, most apps will not be affected. To avoid the issue, we strongly advise you to move Gmail authentications to system browsers before creating any new Google integrations for self-service sign-up. Please refer to [Action needed for embedded web-views](#action-needed-for-embedded-frameworks).
+> - **Starting September 30, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](#deprecation-of-web-view-sign-in-support).
## What is the experience for the Google user?
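Review bot: In the new July 12 bullet the final link text "Action needed for embedded web-views" points to `#action-needed-for-embedded-frameworks`; either the text or the anchor is out of step with the target heading, so check it against the heading that actually exists in this file. Minor: this file writes "Starting September 30, 2021" while the same notice in the sibling files uses "September 30th, 2021"; pick one form across the set.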
active-directory Identity Providers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/identity-providers.md
Previously updated : 07/01/2021 Last updated : 07/09/2021
In addition to Azure AD accounts, External Identities offers a variety of identi
- **Google**: Google federation allows external users to redeem invitations from you by signing in to your apps with their own Gmail accounts. Google federation can also be used in your self-service sign-up user flows. See how to [add Google as an identity provider](google-federation.md). > [!IMPORTANT]
- > **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+ >
+ > - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+ > - **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
- **Facebook**: When building an app, you can configure self-service sign-up and enable Facebook federation so that users can sign up for your app using their own Facebook accounts. Facebook can only be used for self-service sign-up user flows and isn't available as a sign-in option when users are redeeming invitations from you. See how to [add Facebook as an identity provider](facebook-federation.md).
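Review bot: The added July 12 bullet says authentication with Google identities "won't work until authentications are moved to system web-views", but the source notice in google-federation.md (in this same change set) says authentication "could be blocked", and only when the Google integration is created after July 12, 2021 and the app still authenticates in an embedded web-view. The shortened version turns a conditional outcome into an unconditional one and drops the "embedded" qualifier; match the google-federation.md wording, since the same bullet is copied verbatim into redemption-experience.md, self-service-sign-up-add-api-connector.md, self-service-sign-up-add-approvals.md, troubleshoot.md and what-is-b2b.md below.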
active-directory Redemption Experience https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/redemption-experience.md
Previously updated : 07/01/2021 Last updated : 07/09/2021
This article describes the ways guest users can access your resources and the co
When you add a guest user to your directory, the guest user account has a consent status (viewable in PowerShell) thatΓÇÖs initially set to **PendingAcceptance**. This setting remains until the guest accepts your invitation and agrees to your privacy policy and terms of use. After that, the consent status changes to **Accepted**, and the consent pages are no longer presented to the guest. > [!IMPORTANT]
+ >
+ > - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
> - **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support). > - **Starting October 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md), which is now generally available.
active-directory Self Service Sign Up Add Api Connector https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/self-service-sign-up-add-api-connector.md
Previously updated : 07/01/2021 Last updated : 07/09/2021
To use an [API connector](api-connectors-overview.md), you first create the API connector and then enable it in a user flow. > [!IMPORTANT]
-> **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+>
+> - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+> - **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
## Create an API connector
active-directory Self Service Sign Up Add Approvals https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/self-service-sign-up-add-approvals.md
Previously updated : 07/01/2021 Last updated : 07/09/2021
This article gives an example of how to integrate with an approval system. In th
- Trigger a manual review. If the request is approved, the approval system uses Microsoft Graph to provision the user account. The approval system can also notify the user that their account has been created. > [!IMPORTANT]
-> **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+>
+> - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+> - **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
## Register an application for your approval system
active-directory Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/troubleshoot.md
Previously updated : 07/01/2021 Last updated : 07/09/2021 tags: active-directory
Here are some remedies for common problems with Azure Active Directory (Azure AD) B2B collaboration. > [!IMPORTANT]
+ >
+ > - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
> - **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support). > - **Starting October 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md), which is now generally available.
active-directory What Is B2b https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/what-is-b2b.md
Previously updated : 07/01/2021 Last updated : 07/09/2021
Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources. Developers can use Azure AD business-to-business APIs to customize the invitation process or write applications like self-service sign-up portals. For licensing and pricing information related to guest users, refer to [Azure Active Directory pricing](https://azure.microsoft.com/pricing/details/active-directory/). > [!IMPORTANT]
+>
+> - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
> - **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support). > - **Starting October 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md), which is now generally available.
active-directory Customize Branding https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/customize-branding.md
Previously updated : 06/24/2020 Last updated : 07/03/2021
You can't change your original configuration's language from your default langua
![Contoso - Company branding page, with the new language configuration shown](media/customize-branding/company-branding-french-config.png) ## Add your custom branding to pages
-Add your custom branding to pages by modifying the end of the URL with the text, `?whr=yourdomainname`. This modification works on several pages, including the Multi-Factor Authentication (MFA) setup page, the Self-service Password Reset (SSPR) setup page, and the sign in page.
+Add your custom branding to pages by modifying the end of the URL with the text, `?whr=yourdomainname`. This specific modification works on different types of pages, including the Multi-Factor Authentication (MFA) setup page, the Self-service Password Reset (SSPR) setup page, and the sign in page.
+
+Whether an application supports customized URLs for branding or not depends on the specific application, and should be checked before attempting to add a custom branding to a page.
**Examples:**
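Review bot: The added sentence "Whether an application supports customized URLs for branding or not depends on the specific application, and should be checked before attempting to add a custom branding to a page." tells the reader to check without saying where; either name where the supported pages are listed or drop the sentence. In the same `+` line, "This specific modification" adds nothing over the original "This modification", "a custom branding" should be "custom branding", and "sign in page" should be "sign-in page".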
active-directory Entitlement Management Access Reviews Create https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-access-reviews-create.md
This setting determines how often access reviews will occur.
![Add the fallback reviewers](./media/entitlement-management-access-reviews/access-reviews-select-manager.png) 1. Click **Review + Create** if you are creating a new access package or **Update** if you are editing an access package, at the bottom of the page.
-
-> [!NOTE]
-> In Azure AD Entitlement Management, the result of an access package review is always auto-applied to the users assigned to the package, according to the setting selected in **If reviewers donΓÇÖt respond**. When the review setting of **If reviewers donΓÇÖt respond** is set to **No change**, this is equivalent to the system approving continued access for the users being reviewed.
## View the status of the access review
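Review bot: Deleting the NOTE removes the only statement on this page that, when **If reviewers don't respond** is set to **No change**, the review result is auto-applied and is equivalent to the system approving continued access. From a least-privilege standpoint that is the setting a reviewer is most likely to misread (a non-response silently preserves access), so unless the behaviour has changed the note should be kept or relocated, and if it has changed the replacement text should state what now happens when reviewers do not respond.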
active-directory Access Panel Collections https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/access-panel-collections.md
To create a collection, you must have an Azure AD Premium P1 or P2 license.
11. Select **Review + Create**. The properties for the new collection appear. - ## View audit logs The Audit logs record My Apps collections operations, including collection creation end-user actions. The following events are generated from My Apps:
You can access audit logs in the [Azure portal](https://portal.azure.com) by sel
From the My Apps page, a user can select **My account** > **View my account** to open their account settings. On the Azure AD **My Account** page, users can manage their security info, devices, passwords, and more. They can also access their Office account settings.
-In case you need to submit a support request for an issue with the Azure AD account page or the Office account page, follow these steps so your request is routed properly:
+In case you need to submit a support request for an issue with the Azure AD account page or the Office account page, follow these steps so your request is routed properly:
* For issues with the **Azure AD "My Account"** page, open a support request from within the Azure portal. Go to **Azure portal** > **Azure Active Directory** > **New support request**.
-* For issues with the **Office "My account"** page, open a support request from within the Microsoft 365 admin center. Go to **Microsoft 365 admin center** > **Support**.
+* For issues with the **Office "My account"** page, open a support request from within the Microsoft 365 admin center. Go to **Microsoft 365 admin center** > **Support**.
## Next steps
-[End-user experiences for applications in Azure Active Directory](end-user-experiences.md)
+
+[End-user experiences for applications in Azure Active Directory](end-user-experiences.md)
active-directory Access Panel Manage Self Service Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/access-panel-manage-self-service-access.md
To learn about using My Apps from an end-user perspective, see [My Apps portal h
Using this feature, you can: -- Let users self-discover applications from [My Apps](https://myapps.microsoft.com/) without bothering the IT group.-- Add those users to a pre-configured group so you can see who has requested access, remove access, and manage the roles assigned to them.-- Optionally allow someone to approve app access requests so the IT group doesnΓÇÖt have to.-- Optionally configure up to 10 individuals who may approve access to this application.-- Optionally allow someone to set the passwords those users can use to sign in to the application.-- Optionally automatically assign self-service assigned users to an application role directly.
+- Let users self-discover applications from [My Apps](https://myapps.microsoft.com/) without bothering the IT group.
+- Add those users to a pre-configured group so you can see who has requested access, remove access, and manage the roles assigned to them.
+- Optionally allow someone to approve app access requests so the IT group doesnΓÇÖt have to.
+- Optionally configure up to 10 individuals who may approve access to this application.
+- Optionally allow someone to set the passwords those users can use to sign in to the application.
+- Optionally automatically assign self-service assigned users to an application role directly.
## Enable self-service application access to allow users to find their own applications Self-service application access is a great way to allow users to self-discover applications, optionally allow the business group to approve access to those applications. You can allow the business group to manage the credentials assigned to those users for Password Single-Sign On Applications right from their My Apps page. To enable self-service application access to an application, follow the steps below:+ 1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.** 2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu. 3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item. 4. Select **Enterprise Applications** from the Azure Active Directory left-hand navigation menu. 5. Select **All Applications** to view a list of all your applications.
- * If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications.**
+ - If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications.**
6. Select the application you want to enable Self-service access to from the list. 7. Once the application loads, select **Self-service** from the applicationΓÇÖs left-hand navigation menu. 8. To enable Self-service application access for this application, turn the **Allow users to request access to this application?** toggle to **Yes.**
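Review bot: the nested bullet under step 5 that changed from `*` to `-` must stay indented beneath the numbered item, otherwise it renders as a top-level list and restarts the numbering of steps 6 to 8. Also in step 3, the quotation marks around the bold **Azure Active Directory** open inside the bold span and close outside it; put both quotes inside or both outside the `**` markers.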
To enable self-service application access to an application, follow the steps be
10. **Optional:** If you wish to require a business approval before users are allowed access, set the **Require approval before granting access to this application?** toggle to **Yes**. 11. **Optional: For applications using password single-sign on only,** if you wish to allow those business approvers to specify the passwords that are sent to this application for approved users, set the **Allow approvers to set userΓÇÖs passwords for this application?** toggle to **Yes**. 12. **Optional:** Specify the business approvers who are allowed to approve access to this app. Select **Who is allowed to approve access to this application?** Then select up to 10 individual business approvers.
- * Groups are not supported.
+ - Groups are not supported.
13. **Optional:** **For applications which expose roles**, if you wish to assign self-service approved users to a role, select the selector next to the **To which role should users be assigned in this application?** to select the role to which these users should be assigned. 14. Select the **Save** button at the top to finish.
-Once you complete Self-service application configuration, users can navigate to [My Apps](https://myapps.microsoft.com/) and select the **+Add** button to find the apps to which you have enabled Self-service access. Business approvers also see a notification in their [My Apps](https://myapps.microsoft.com/) page. You can enable an email notifying them when a user has requested access to an application that requires their approval.
+Once you complete Self-service application configuration, users can navigate to [My Apps](https://myapps.microsoft.com/) and select the **+Add** button to find the apps to which you have enabled Self-service access. Business approvers also see a notification in their [My Apps](https://myapps.microsoft.com/) page. You can enable an email notifying them when a user has requested access to an application that requires their approval.
These approvals support single approval workflows only, meaning that if you specify multiple approvers, any single approver may approve access to the application. ## Things to check if self-service isn't working-- Make sure the user or group has been enabled to request self-service application access.-- Make sure the user is visiting the correct place for self-service application access. users can navigate to their [My Apps](https://myapps.microsoft.com/) page and select the **+Add** button to find the apps to which you have enabled self-service access.-- If self-service application access was recently configured, try to sign in and out again into the userΓÇÖs My Apps after a few minutes to see if the self-service access changes have appeared.+
+- Make sure the user or group has been enabled to request self-service application access.
+- Make sure the user is visiting the correct place for self-service application access. users can navigate to their [My Apps](https://myapps.microsoft.com/) page and select the **+Add** button to find the apps to which you have enabled self-service access.
+- If self-service application access was recently configured, try to sign in and out again into the userΓÇÖs My Apps after a few minutes to see if the self-service access changes have appeared.
## Next steps+ [Setting up Azure Active Directory for self-service group management](../enterprise-users/groups-self-service-management.md)
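Review bot: in the added item "Make sure the user is visiting the correct place for self-service application access. users can navigate to their My Apps page", "users" begins a new sentence and should be capitalised. A smaller point in the same hunk: step 13's "select the selector next to the **To which role should users be assigned in this application?**" reads awkwardly; suggest "use the selector next to **To which role should users be assigned in this application?** to choose the role".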
active-directory Add Application Portal Assign Users https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-assign-users.md
To assign users to an app that you added to your Azure AD tenant, you need:
>Use a non-production environment to test the steps in this quickstart. ## Assign users to an app+ 1. In the Azure AD portal, select **Enterprise applications**. Then find and select the application you want to configure. 2. In the left navigation menu, select **Users and groups**. > [!NOTE]
- > Some of the Microsoft 365 apps require the use of PowerShell.
+ > Some of the Microsoft 365 apps require the use of PowerShell.
3. Select the **Add user** button. 4. On the **Add Assignment** pane, select **Users and groups**. 5. Select the user or group you want to assign to the application. You can also start typing the name of the user or group in the search box. You can choose multiple users and groups, and your selections will appear under **Selected items**.
To assign users to an app that you added to your Azure AD tenant, you need:
> When you assign a group to an application, only users in the group will have access. The assignment does not cascade to nested groups. > [!NOTE]
- > Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups only. Nested group memberships and Microsoft 365 groups are not currently supported. For more licensing requirements for the features discussed in this article, see the [Azure Active Directory pricing page](https://azure.microsoft.com/pricing/details/active-directory).
+ > Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups only. Nested group memberships and Microsoft 365 groups are not currently supported. For more licensing requirements for the features discussed in this article, see the [Azure Active Directory pricing page](https://azure.microsoft.com/pricing/details/active-directory).
6. When finished, choose **Select**. ![Assign a user or group to the app](./media/assign-user-or-group-access-portal/assign-users.png) 7. On the **Users and groups** pane, select one or more users or groups from the list and then choose the **Select** button at the bottom of the pane.
-8. If the application supports it, you can assign a role to the user or group. On the **Add Assignment** pane, choose **Select Role**. Then, on the **Select Role** pane, choose a role to apply to the selected users or groups, then select **OK** at the bottom of the pane.
+8. If the application supports it, you can assign a role to the user or group. On the **Add Assignment** pane, choose **Select Role**. Then, on the **Select Role** pane, choose a role to apply to the selected users or groups, then select **OK** at the bottom of the pane.
> [!NOTE] > If the application doesn't support role selection, the default access role is assigned. In this case, the application manages the level of access users have. 9. On the **Add Assignment** pane, select the **Assign** button at the bottom of the pane.
-You can unassign users or groups using the same procedure. Select the user or group you want to unassign and then select **Remove**. Some of the Microsoft 365 and Office 365 apps require the use of PowerShell.
+You can unassign users or groups using the same procedure. Select the user or group you want to unassign and then select **Remove**. Some of the Microsoft 365 and Office 365 apps require the use of PowerShell.
## Clean up resources
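Review bot: the sentence "Some of the Microsoft 365 and Office 365 apps require the use of PowerShell" at the end of the unassignment paragraph repeats the note under step 2, and in both places it neither names the apps nor links to the PowerShell procedure; link the procedure once and drop the duplicate. The note that a group assignment "does not cascade to nested groups" is the access-control caveat readers most need in this hunk, so keep it where it is, next to the assignment step.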
active-directory Add Application Portal Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-configure.md
# Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant In the previous quickstart, you added an application to your Azure Active Directory (Azure AD) tenant. When you add an application, you're letting your Azure AD tenant know it's the identity provider for the app. Now you'll configure some of the properties for the app.
-
+ ## Prerequisites To configure the properties of an application in your Azure AD tenant, you need:
To configure the properties of an application in your Azure AD tenant, you need:
## Configure app properties
-When you finish adding an application to your Azure AD tenant, the overview page appears. If you're configuring an application that was already added, look at the first quickstart. It walks you through viewing the applications added to your tenant.
+When you finish adding an application to your Azure AD tenant, the overview page appears. If you're configuring an application that was already added, look at the first quickstart. It walks you through viewing the applications added to your tenant.
To edit the application properties:
To edit the application properties:
- **Enabled for users to sign in?** determines whether users assigned to the application can sign in. - **User assignment required?** determines whether users who aren't assigned to the application can sign in. - **Visible to users?** determines whether users assigned to an app can see it in [My Apps](https://myapps.microsoft.com) and Microsoft 365 app launcher. (See the waffle menu in the upper-left corner of a Microsoft 365 website.)
-
+ > [!TIP] > Assigning users happens on the **Users and groups** section of navigation. The three options can be toggled independently of each other and the resulting behavior is not always obvious. Here is a table that might help:
-
+ | Enabled for users to sign in? | User assignment required? | Visible to users? | Behavior for users who have either been assigned to the app or not. | ||||| | Yes | Yes | Yes | Assigned users can see the app and sign in.<br>Unassigned users cannot see the app and cannot sign in. |
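Review bot: the table's header-separator row appears here as `|||||`, which will not render as a Markdown table; it needs a `|---|---|---|---|` row under the header. The fourth column header, "Behavior for users who have either been assigned to the app or not.", is also unwieldy; suggest "Behavior for assigned and unassigned users". Only the Yes/Yes/Yes row is visible in this hunk; the rows where **User assignment required?** is **No** (the case in which unassigned users can still sign in) should get the same formatting check, since that is the row readers use to decide whether to lock an app down.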
To use a custom logo:
1. Create a logo that's 215 by 215 pixels, and save it in .png format. 2. In the Azure AD portal, select **Enterprise applications**. Then find and select the application you want to configure.
-3. In the **Manage** section, select **Properties** to open the **Properties** pane for editing.
+3. In the **Manage** section, select **Properties** to open the **Properties** pane for editing.
4. Select the icon to upload the logo. 5. When you're finished, select **Save**.
To use a custom logo:
> [!NOTE] > The thumbnail displayed on this **Properties** pane doesn't update right away. You can close and reopen the **Properties** pane to see the updated icon. - > [!TIP] > You can automate app management using the Graph API, see [Automate app management with Microsoft Graph API](/graph/application-saml-sso-configure-api).
You can use the notes field to add any information that is relevant for the mana
![Screenshot of the Properties screen that shows how to change the notes](media/add-application-portal/notes-application.png)
-
## Clean up resources If you're not going to continue with the quickstart series, then consider deleting the app to clean up your test tenant. Deleting the app is covered in the last quickstart in this series, see [Delete an app](delete-application-portal.md).
active-directory Add Application Portal Setup Oidc Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-setup-oidc-sso.md
To set up SSO for an application that you added to your Azure AD tenant, you nee
## Enable single sign-on for an app
-When you add an app that uses the OIDC standard for SSO, you have a setup button. When you select the button, you go to the applications site and complete the sign-up process for the app. The process of adding an app is covered in the Add an app quickstart earlier in this series. If you're configuring an application that was already added, look at the first quickstart. It walks you through viewing the applications already in your tenant.
+When you add an app that uses the OIDC standard for SSO, you have a setup button. When you select the button, you go to the applications site and complete the sign-up process for the app. The process of adding an app is covered in the Add an app quickstart earlier in this series. If you're configuring an application that was already added, look at the first quickstart. It walks you through viewing the applications already in your tenant.
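Review bot: "you go to the applications site" needs the possessive ("the application's site"), and "you have a setup button" would read better as "a setup button appears". The paragraph also refers readers to "the Add an app quickstart" and "the first quickstart" without links, while the Clean up resources sections in this series do link to their targets; add the links here too.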
To set up single sign-on for an application:
-1. In the quickstart earlier in this series, you learned how to add an app that will use your Azure AD tenant for identity management. If the app developer used the OIDC standard to implement SSO, then you are presented with a sign-up button when adding the app.
+1. In the quickstart earlier in this series, you learned how to add an app that will use your Azure AD tenant for identity management. If the app developer used the OIDC standard to implement SSO, then you are presented with a sign-up button when adding the app.
:::image type="content" source="media/add-application-portal-setup-oidc-sso/sign-up-oidc-sso.png" alt-text="Screenshot shows the single sign-on option and the sign-up button." lightbox="media/add-application-portal-setup-oidc-sso/sign-up-oidc-sso.png"::: -
-2. Select **Sign-up** and you will be taken to the app developers sign-on page. Sign in using Azure Active Directory sign-in credentials.
+2. Select **Sign-up** and you will be taken to the app developers sign-on page. Sign in using Azure Active Directory sign-in credentials.
> [!IMPORTANT] > If you already have a subscription to the application then validation of user details and tenant/directory information will happen. If the application is not able to verify the user then it will redirect you to sign-up for the application service or to the error page.
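Review bot: in step 2, "the app developers sign-on page" needs the possessive ("the app developer's sign-on page"), and "Sign in using Azure Active Directory sign-in credentials" should say whose credentials are meant ("your Azure AD credentials"). The IMPORTANT note says validation of user details and tenant/directory information "will happen" without saying who performs it or what the successful outcome is; step 4 already describes the success case (the application is added and its home page appears), so point to it and keep the note focused on the sign-up and error-page branches.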
To set up single sign-on for an application:
4. The application is added to your tenant and the application home page appears. - > [!TIP] > You can automate app management using the Graph API, see [Automate app management with Microsoft Graph API](/graph/application-saml-sso-configure-api).
active-directory Add Application Portal Setup Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-setup-sso.md
To set up SSO for an application that you added to your Azure AD tenant, you nee
- Optional: Completion of [Configure an app](add-application-portal-configure.md). - Optional: Completion of [Assign users to an app](add-application-portal-assign-users.md). - >[!IMPORTANT] >Use a non-production environment to test the steps in this quickstart.
To set up single sign-on for an application:
> [!TIP] > You can automate app management using the Graph API, see [Automate app management with Microsoft Graph API](/graph/application-saml-sso-configure-api). - ## Clean up resources When you're done with this quickstart series, consider deleting the app to clean up your test tenant. Deleting the app is covered in the last quickstart in this series, see [Delete an app](delete-application-portal.md).
active-directory App Management Powershell Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/app-management-powershell-samples.md
# Azure Active Directory PowerShell examples for Application Management The following table includes links to PowerShell script examples for Azure AD Application Management. These samples require either:+ - The [AzureAD V2 PowerShell for Graph module](/powershell/azure/active-directory/install-adv2) or, - The [AzureAD V2 PowerShell for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true), unless otherwise noted.
active-directory Application Management Certs Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-management-certs-faq.md
This page answers frequently asked questions about managing the certificates for
## Is there a way to generate a list of expiring SAML signing certificates?
-You can export all app registrations with expiring secrets, certificates and their owners for the specified apps from your directory in a CSV file through [PowerShell scripts](app-management-powershell-samples.md).
+You can export all app registrations with expiring secrets, certificates and their owners for the specified apps from your directory in a CSV file through [PowerShell scripts](app-management-powershell-samples.md).
## Where can I find the information about soon to expire certificates renewal steps?
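Review bot: the question asks about expiring SAML signing certificates, but the answer describes exporting app registrations with expiring secrets and certificates and their owners. SAML signing certificates belong to the enterprise application (the service principal), not to the app registration's credentials, so either state that the linked scripts cover enterprise applications as well, or rephrase the answer so readers do not run an app-registration export and conclude they have no expiring SAML certificates.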
By default, Azure AD configures a certificate to expire after three years when i
## How can I automate the certificates expiration notifications?
-Azure AD will send an email notification 60, 30, and 7 days before the SAML certificate expires. You may add more than one email address to receive notifications.
+Azure AD will send an email notification 60, 30, and 7 days before the SAML certificate expires. You may add more than one email address to receive notifications.
> [!NOTE]
-> You can add up to 5 email addresses to the Notification list (including the email address of the admin who added the application). If you need more people to be notified, use the distribution list emails.
+> You can add up to 5 email addresses to the Notification list (including the email address of the admin who added the application). If you need more people to be notified, use the distribution list emails.
To specify the emails you want the notifications to be sent to, see [Add email notification addresses for certificate expiration](manage-certificates-for-federated-single-sign-on.md#add-email-notification-addresses-for-certificate-expiration).
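Review bot: "use the distribution list emails" in the note should read "use a distribution list", the point being that one of the five notification addresses can be a distribution list that fans out to more people. Since the 60-, 30- and 7-day emails are the built-in warning before a SAML certificate expires and the list is capped at five addresses, it is worth saying that the list should not consist only of individual administrators' mailboxes, which is also what the application-management fundamentals article recommends.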
There is no option to edit or customize these email notifications received from
The owner of the application or Global Administrator or Application Administrator can update the certificates through Azure portal UI, PowerShell or Microsoft Graph.
-## I need more details about certificate signing options.
+## I need more details about certificate signing options
In Azure AD, you can set up certificate signing options and the certificate signing algorithm. To learn more, see [Advanced SAML token certificate signing options for Azure AD apps](certificate-signing-options.md).
-## I need to replace the certificate for Azure AD Application Proxy applications and need more instructions.
+## I need to replace the certificate for Azure AD Application Proxy applications and need more instructions
To replace certificates for Azure AD Application Proxy applications, see [PowerShell sample - Replace certificate in Application Proxy apps](../app-proxy/scripts/powershell-get-custom-domain-replace-cert.md). ## How do I manage certificates for custom domains in Azure AD Application Proxy?
-To configure an on-premises app to use a custom domain, you need a verified Azure Active Directory custom domain, a PFX certificate for the custom domain, and an on-premises app to configure. To learn more, see [Custom domains in Azure AD Application Proxy](../app-proxy/application-proxy-configure-custom-domain.md).
+To configure an on-premises app to use a custom domain, you need a verified Azure Active Directory custom domain, a PFX certificate for the custom domain, and an on-premises app to configure. To learn more, see [Custom domains in Azure AD Application Proxy](../app-proxy/application-proxy-configure-custom-domain.md).
## I need to update the token signing certificate on the application side. Where can I get it on Azure AD side?
You can renew a SAML X.509 Certificate, see [SAML Signing certificate](configure
## What is Azure AD signing key rollover?
-You can find more details [here](../develop/active-directory-signing-key-rollover.md).
+You can find more details [here](../develop/active-directory-signing-key-rollover.md).
## How do I renew application token encryption certificate?
-To renew an application token encryption certificate, see [How to renew a token encryption certificate for an enterprise application](howto-saml-token-encryption.md).
+To renew an application token encryption certificate, see [How to renew a token encryption certificate for an enterprise application](howto-saml-token-encryption.md).
## How do I renew application token signing certificate?
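Review bot: the link text "here" under **What is Azure AD signing key rollover?** is not descriptive; use the target's title, for example "see [Signing key rollover in Azure AD](../develop/active-directory-signing-key-rollover.md)", so the link reads sensibly out of context and in screen readers. Every other question on this page gets at least a one-sentence answer before its link; give this one the same treatment so readers can tell whether rollover is what they are looking for before following the link.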
active-directory Application Management Fundamentals https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-management-fundamentals.md
Title: 'Application management: Best practices and recommendations | Microsoft Docs' description: Learn best practices and recommendations for managing applications in Azure Active Directory. Learn about using automatic provisioning and publishing on-premises apps with Application Proxy.- ms.devlang: na
This article contains recommendations and best practices for managing applications in Azure Active Directory (Azure AD), using automatic provisioning, and publishing on-premises apps with Application Proxy. ## Cloud app and single sign-on recommendations+ | Recommendation | Comments | | | |
-| Check the Azure AD application gallery for apps | Azure AD has a gallery that contains thousands of pre-integrated applications that are enabled with Enterprise single sign-on (SSO). For app-specific setup guidance, see the [List of SaaS app tutorials](../saas-apps/tutorial-list.md). |
-| Use federated SAML-based SSO | When an application supports it, use Federated, SAML-based SSO with Azure AD instead of password-based SSO and ADFS. |
-| Use SHA-256 for certificate signing | Azure AD uses the SHA-256 algorithm by default to sign the SAML response. Use SHA-256 unless the application requires SHA-1 (see [Certificate signing options](certificate-signing-options.md) and [Application sign-in problem](application-sign-in-problem-application-error.md).) |
-| Require user assignment | By default, users can access to your enterprise applications without being assigned to them. However, if the application exposes roles, or if you want the application to appear on a userΓÇÖs My Apps, require user assignment. |
+| Check the Azure AD application gallery for apps | Azure AD has a gallery that contains thousands of pre-integrated applications that are enabled with Enterprise single sign-on (SSO). For app-specific setup guidance, see the [List of SaaS app tutorials](../saas-apps/tutorial-list.md). |
+| Use federated SAML-based SSO | When an application supports it, use Federated, SAML-based SSO with Azure AD instead of password-based SSO and ADFS. |
+| Use SHA-256 for certificate signing | Azure AD uses the SHA-256 algorithm by default to sign the SAML response. Use SHA-256 unless the application requires SHA-1 (see [Certificate signing options](certificate-signing-options.md) and [Application sign-in problem](application-sign-in-problem-application-error.md).) |
+| Require user assignment | By default, users can access to your enterprise applications without being assigned to them. However, if the application exposes roles, or if you want the application to appear on a userΓÇÖs My Apps, require user assignment. |
| Deploy My Apps to your users | [My Apps](end-user-experiences.md) at `https://myapps.microsoft.com` is a web-based portal that provides users with a single point of entry for their assigned cloud-based applications. As additional capabilities like group management and self-service password reset are added, users can find them in My Apps. See [Plan My Apps deployment](my-apps-deployment-plan.md).
-| Use group assignment | If included in your subscription, assign groups to an application so you can delegate ongoing access management to the group owner. |
+| Use group assignment | If included in your subscription, assign groups to an application so you can delegate ongoing access management to the group owner. |
| Establish a process for managing certificates | The maximum lifetime of a signing certificate is three years. To prevent or minimize outage due to a certificate expiring, use roles and email distribution lists to ensure that certificate-related change notifications are closely monitored. | ## Provisioning recommendations+ | Recommendation | Comments | | | | | Use tutorials to set up provisioning with cloud apps | Check the [List of SaaS app tutorials](../saas-apps/tutorial-list.md) for step-by-step guidance on configuring provisioning for the gallery app you want to add. | | Use provisioning logs (preview) to monitor status | The [provisioning logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) give details about all actions performed by the provisioning service, including status for individual users. | | Assign a distribution group to the provisioning notification email | To increase the visibility of critical alerts sent by the provisioning service, assign a distribution group to the Notification Emails setting. | - ## Application Proxy recommendations+ | Recommendation | Comments | | | | | Use Application Proxy for remote access to internal resources | Application Proxy is recommended for giving remote users access to internal resources, replacing the need for a VPN or reverse proxy. It is not intended for accessing resources from within the corporate network because it could add latency.
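Review bot: "users can access to your enterprise applications" in the **Require user assignment** row should be "users can access your enterprise applications". In the **Use SHA-256 for certificate signing** row the closing parenthesis sits after the period (`application-error.md).)`); move the period outside. The **Establish a process for managing certificates** row states the three-year maximum certificate lifetime and recommends distribution lists for notifications; cross-referencing the 60/30/7-day expiry notifications described in the certificates FAQ would tie the two recommendations together.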
This article contains recommendations and best practices for managing applicatio
| Use multiple connectors | Use two or more Application Proxy connectors for greater resiliency, availability, and scale (see [Application Proxy connectors](../app-proxy/application-proxy-connectors.md)). Create connector groups and ensure each connector group has at least two connectors (three connectors is optimal). | | Locate connector servers close to application servers, and make sure they're in the same domain | To optimize performance, physically locate the connector server close to the application servers (see [Network topology considerations](../app-proxy/application-proxy-network-topology.md)). Also, the connector server and web applications servers should belong to the same Active Directory domain, or they should span trusting domains. This configuration is required for SSO with Integrated Windows Authentication (IWA) and Kerberos Constrained Delegation (KCD). If the servers are in different domains, you'll need to use resource-based delegation for SSO (see [KCD for single sign-on with Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md)). | | Enable auto-updates for connectors | Enable auto-updates for your connectors for the latest features and bug fixes. Microsoft provides direct support for the latest connector version and one version before. (See [Application Proxy release version history](../app-proxy/application-proxy-release-version-history.md).) |
-| Bypass your on-premises proxy | For easier maintenance, configure the connector to bypass your on-premises proxy so it directly connects to the Azure services. (See [Application Proxy connectors and proxy servers](../app-proxy/application-proxy-configure-connectors-with-proxy-servers.md).) |
+| Bypass your on-premises proxy | For easier maintenance, configure the connector to bypass your on-premises proxy so it directly connects to the Azure services. (See [Application Proxy connectors and proxy servers](../app-proxy/application-proxy-configure-connectors-with-proxy-servers.md).) |
active-directory Application Sign In Other Problem Access Panel https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-other-problem-access-panel.md
My Apps is a web-based portal that enables a user with a work or school account
To learn more about using Azure AD as an identity provider for an app, see the [What is Application Management in Azure AD](what-is-application-management.md). To get up to speed quickly, check out the [Quickstart Series on Application Management](view-applications-portal.md).
-These applications are configured on behalf of the user in the Azure AD portal. The application must be configured properly and assigned to the user or a group the user is a member of to see the application in My Apps.
+These applications are configured on behalf of the user in the Azure AD portal. The application must be configured properly and assigned to the user or a group the user is a member of to see the application in My Apps.
The type of apps a user may be seeing fall in the following categories:-- Microsoft 365 Applications-- Microsoft and third-party applications configured with federation-based SSO-- Password-based SSO applications-- Applications with existing SSO solutions
-Here are some things to check if an app is appearing or not appearing.
+- Microsoft 365 Applications
+- Microsoft and third-party applications configured with federation-based SSO
+- Password-based SSO applications
+- Applications with existing SSO solutions
+
+Here are some things to check if an app is appearing or not appearing:
+ - Make sure the app is added to Azure AD and make sure the user is assigned. To learn more, see the [Quickstart Series on Application Management](add-application-portal.md).-- If an app was recently added, have the user sign out and back in again.
+- If an app was recently added, have the user sign out and back in again.
- If the app requires a license, such as Office, then make sure the user is assigned the appropriate license. - The time it takes for licensing changes can vary depending on the size and complexity of the group. ## General issues to check first -- Make sure the web browser meets the requirements, see [My Apps supported browsers](../user-help/my-apps-portal-end-user-access.md).-- Make sure the userΓÇÖs browser has added the URL of the application to its **trusted sites**.-- Make sure to check the application is **configured** correctly.-- Make sure the userΓÇÖs account is **enabled** for sign-ins.-- Make sure the userΓÇÖs account is **not locked out.**-- Make sure the userΓÇÖs **password is not expired or forgotten.**-- Make sure **Multi-Factor Authentication** is not blocking user access.-- Make sure a **Conditional Access policy** or **Identity Protection** policy is not blocking user access.-- Make sure that a userΓÇÖs **authentication contact info** is up to date to allow Multi-Factor Authentication or Conditional Access policies to be enforced.-- Make sure to also try clearing your browserΓÇÖs cookies and trying to sign in again.
+- Make sure the web browser meets the requirements, see [My Apps supported browsers](../user-help/my-apps-portal-end-user-access.md).
+- Make sure the userΓÇÖs browser has added the URL of the application to its **trusted sites**.
+- Make sure to check the application is **configured** correctly.
+- Make sure the userΓÇÖs account is **enabled** for sign-ins.
+- Make sure the userΓÇÖs account is **not locked out.**
+- Make sure the userΓÇÖs **password is not expired or forgotten.**
+- Make sure **Multi-Factor Authentication** is not blocking user access.
+- Make sure a **Conditional Access policy** or **Identity Protection** policy is not blocking user access.
+- Make sure that a userΓÇÖs **authentication contact info** is up to date to allow Multi-Factor Authentication or Conditional Access policies to be enforced.
+- Make sure to also try clearing your browserΓÇÖs cookies and trying to sign in again.
## Problems with the userΓÇÖs account+ Access to My Apps can be blocked due to a problem with the userΓÇÖs account. Following are some ways you can troubleshoot and solve problems with users and their account settings:-- [Check if a user account exists in Azure Active Directory](#check-if-a-user-account-exists-in-azure-active-directory)-- [Check a userΓÇÖs account status](#check-a-users-account-status)-- [Reset a userΓÇÖs password](#reset-a-users-password)-- [Enable self-service password reset](#enable-self-service-password-reset)-- [Check a userΓÇÖs multi-factor authentication status](#check-a-users-multi-factor-authentication-status)-- [Check a userΓÇÖs authentication contact info](#check-a-users-authentication-contact-info)-- [Check a userΓÇÖs group memberships](#check-a-users-group-memberships)-- [Check if a user has more than 999 app role assignments](#check-if-a-user-has-more-than-999-app-role-assignments)-- [Check a userΓÇÖs assigned licenses](#check-a-users-assigned-licenses)-- [Assign a user a license](#assign-a-user-a-license)+
+- [Check if a user account exists in Azure Active Directory](#check-if-a-user-account-exists-in-azure-active-directory)
+- [Check a userΓÇÖs account status](#check-a-users-account-status)
+- [Reset a userΓÇÖs password](#reset-a-users-password)
+- [Enable self-service password reset](#enable-self-service-password-reset)
+- [Check a userΓÇÖs multi-factor authentication status](#check-a-users-multi-factor-authentication-status)
+- [Check a userΓÇÖs authentication contact info](#check-a-users-authentication-contact-info)
+- [Check a userΓÇÖs group memberships](#check-a-users-group-memberships)
+- [Check if a user has more than 999 app role assignments](#check-if-a-user-has-more-than-999-app-role-assignments)
+- [Check a userΓÇÖs assigned licenses](#check-a-users-assigned-licenses)
+- [Assign a user a license](#assign-a-user-a-license)
### Check if a user account exists in Azure Active Directory+ To check if a userΓÇÖs account is present, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. Select **Users and groups** in the navigation menu.
-5. Select **All users**.
-6. **Search** for the user you are interested in and **select the row** to select.
-7. Check the properties of the user object to be sure that they look as you expect and no data is missing.
+
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+4. Select **Users and groups** in the navigation menu.
+5. Select **All users**.
+6. **Search** for the user you are interested in and **select the row** to select.
+7. Check the properties of the user object to be sure that they look as you expect and no data is missing.
### Check a userΓÇÖs account status+ To check a userΓÇÖs account status, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. Select **Users and groups** in the navigation menu.
-5. Select **All users**.
-6. **Search** for the user you are interested in and **select the row** to select.
-7. Select **Profile**.
-8. Under **Settings** ensure that **Block sign in** is set to **No**.
+
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+4. Select **Users and groups** in the navigation menu.
+5. Select **All users**.
+6. **Search** for the user you are interested in and **select the row** to select.
+7. Select **Profile**.
+8. Under **Settings** ensure that **Block sign in** is set to **No**.
### Reset a userΓÇÖs password+ To reset a userΓÇÖs password, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. Select **Users and groups** in the navigation menu.
-5. Select **All users**.
-6. **Search** for the user you are interested in and **select the row** to select.
-7. Select the **Reset password** button at the top of the user pane.
-8. Select the **Reset password** button on the **Reset password** pane that appears.
-9. Copy the **temporary password** or **enter a new password** for the user.
+
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+4. Select **Users and groups** in the navigation menu.
+5. Select **All users**.
+6. **Search** for the user you are interested in and **select the row** to select.
+7. Select the **Reset password** button at the top of the user pane.
+8. Select the **Reset password** button on the **Reset password** pane that appears.
+9. Copy the **temporary password** or **enter a new password** for the user.
10. Communicate this new password to the user, they be required to change this password during their next sign-in to Azure Active Directory. ### Enable self-service password reset+ To enable self-service password reset, follow these deployment steps:-- [Enable users to reset their Azure Active Directory passwords](../authentication/tutorial-enable-sspr.md)-- [Enable users to reset or change their Active Directory on-premises passwords](../authentication/tutorial-enable-sspr.md)+
+- [Enable users to reset their Azure Active Directory passwords](../authentication/tutorial-enable-sspr.md)
+- [Enable users to reset or change their Active Directory on-premises passwords](../authentication/tutorial-enable-sspr.md)
### Check a userΓÇÖs multi-factor authentication status+ To check a userΓÇÖs multi-factor authentication status, follow these steps:+ 1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.** 2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu. 3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
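Review bot: the two self-service password reset bullets reflowed at the end of this hunk both link to `../authentication/tutorial-enable-sspr.md`, although one is about Azure AD passwords and the other about on-premises Active Directory passwords; the second bullet should point at the password writeback guidance, or the two should be merged into a single link. Two smaller points in the same hunk: the first item of the "things to check" list is added as `+ - Make sure the app is added to Azure AD ...` with a leading space that its sibling `+- If an app was recently added ...` does not have, so it can render as a paragraph or nested item rather than a list item, and its link text "Quickstart Series on Application Management" targets `add-application-portal.md` while the identical link text a few lines earlier targets `view-applications-portal.md`. Step 10 of the password reset procedure, left untouched, still reads "they be required to change this password" (missing "will"); worth fixing while the list is being reflowed.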
To check a userΓÇÖs multi-factor authentication status, follow these steps:
>If a user is in an **Enforced** state, you may set them to **Disabled** temporarily to let them back into their account. Once they are back in, you can then change their state to **Enabled** again to require them to re-register their contact information during their next sign-in. Alternatively, you can follow the steps in the [Check a userΓÇÖs authentication contact info](#check-a-users-authentication-contact-info) to verify or set this data for them. ### Check a userΓÇÖs authentication contact info+ To check a userΓÇÖs authentication contact info used for Multi-factor authentication, Conditional Access, Identity Protection, and Password Reset, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. Select **Users and groups** in the navigation menu.
-5. Select **All users**.
-6. **Search** for the user you are interested in and **select the row** to select.
-7. Select **Profile**.
-8. Scroll down to **Authentication contact info**.
-9. **Review** the data registered for the user and update as needed.
+
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+4. Select **Users and groups** in the navigation menu.
+5. Select **All users**.
+6. **Search** for the user you are interested in and **select the row** to select.
+7. Select **Profile**.
+8. Scroll down to **Authentication contact info**.
+9. **Review** the data registered for the user and update as needed.
### Check a userΓÇÖs group memberships+ To check a userΓÇÖs group memberships, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. Select **Users and groups** in the navigation menu.
-5. Select **All users**.
-6. **Search** for the user you are interested in and **select the row** to select.
-7. Select **Groups** to see which groups the user is a member of.
+
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+4. Select **Users and groups** in the navigation menu.
+5. Select **All users**.
+6. **Search** for the user you are interested in and **select the row** to select.
+7. Select **Groups** to see which groups the user is a member of.
### Check if a user has more than 999 app role assignments+ If a user has more than 999 app role assignments, then they may not see all of their apps on My Apps. This is because My Apps currently reads up to 999 app role assignments to determine the apps to which users are assigned. If a user is assigned to more than 999 apps, it is not possible to control which of those apps will show in the My Apps portal. To check if a user has more than 999 app role assignments, follow these steps:+ 1. Install the [**Microsoft.Graph**](https://github.com/microsoftgraph/msgraph-sdk-powershell) PowerShell module. 2. Run `Connect-MgGraph -Scopes "User.ReadBasic.All Application.Read.All"`. 3. Run `(Get-MgUserAppRoleAssignment -UserId "<user-id>" -PageSize 999).Count` to determine the number of app role assignments the user currently has granted. 4. If the result is 999, the user likely has more than 999 app roles assignments. ### Check a userΓÇÖs assigned licenses+ To check a userΓÇÖs assigned licenses, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. Select **Users and groups** in the navigation menu.
-5. Select **All users**.
-6. **Search** for the user you are interested in and **select the row** to select.
-7. Select **Licenses** to see which licenses the user currently has assigned.
-
-### Assign a user a license
+
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+4. Select **Users and groups** in the navigation menu.
+5. Select **All users**.
+6. **Search** for the user you are interested in and **select the row** to select.
+7. Select **Licenses** to see which licenses the user currently has assigned.
+
+### Assign a user a license
+ To assign a license to a user, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. Select **Users and groups** in the navigation menu.
-5. Select **All users**.
-6. **Search** for the user you are interested in and **select the row** to select.
-7. Select **Licenses** to see which licenses the user currently has assigned.
-8. Select the **Assign** button.
-9. Select **one or more products** from the list of available products.
+
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+4. Select **Users and groups** in the navigation menu.
+5. Select **All users**.
+6. **Search** for the user you are interested in and **select the row** to select.
+7. Select **Licenses** to see which licenses the user currently has assigned.
+8. Select the **Assign** button.
+9. Select **one or more products** from the list of available products.
10. **Optional** select the **assignment options** item to granularly assign products. Select **Ok**. 11. Select the **Assign** button to assign these licenses to this user. ## Troubleshooting deep links+ Deep links or User access URLs are links your users may use to access their password-SSO applications directly from their browsers URL bars. By navigating to this link, users are automatically signed into the application without having to go to My Apps first. The link is the same one that users use to access these applications from the Microsoft 365 application launcher. ### Checking the deep link To check if you have the correct deep link, follow these steps:+ 1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator** or **Co-admin.** 2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu. 3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item. 4. Select **Enterprise Applications** from the Azure Active Directory left-hand navigation menu. 5. Select **All Applications** to view a list of all your applications.
- * If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications.**
+ - If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications.**
6. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator** or **Co-admin.** 7. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu. 8. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item. 9. Select **Enterprise Applications** from the Azure Active Directory left-hand navigation menu. 10. Select **All Applications** to view a list of all your applications.
- * If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications.**
+ - If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications.**
11. Select the application you want the check the deep link for. 12. Find the label **User Access URL**. Your deep link should match this URL. ## Contact support+ Open a support ticket with the following information if available:-- Correlation error ID-- UPN (user email address)-- TenantID-- Browser type-- Time zone and time/timeframe during error occurs-- Fiddler traces+
+- Correlation error ID
+- UPN (user email address)
+- TenantID
+- Browser type
+- Time zone and time/timeframe during error occurs
+- Fiddler traces
## Next steps+ - [Quickstart Series on Application Management](view-applications-portal.md)
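Review bot: the "Checking the deep link" procedure in this hunk lists the same five steps twice (steps 1-5 and steps 6-10 each open the portal, search for Azure Active Directory, select Enterprise Applications and then All Applications), and the change only switches the sub-bullet marker from `*` to `-` under both copies instead of removing the duplicate; drop steps 6-10 and renumber 11 and 12 to 6 and 7. Two security-relevant caveats are also missing here: the note under the MFA status section advises setting an Enforced user to Disabled temporarily to let them back in, which removes the control entirely for that window, so the text should at least tell the admin to verify the user's identity out of band first and prefer re-registering the user's methods over disabling; and the "Contact support" list asks for Fiddler traces, which capture bearer tokens and session cookies in full, so readers should be told to redact those before attaching a trace. Step 11 also reads "the application you want the check the deep link for" ("to check").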
active-directory Application Sign In Problem Application Error https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-problem-application-error.md
In this scenario, Azure Active Directory (Azure AD) signs the user in. But the a
There are several possible reasons why the app didn't accept the response from Azure AD. If the error message doesn't clearly identify what's missing from the response, try the following: -- If the app is the Azure AD gallery, verify that you followed the steps in [How to debug SAML-based single sign-on to applications in Azure AD](./debug-saml-sso-issues.md).
+- If the app is the Azure AD gallery, verify that you followed the steps in [How to debug SAML-based single sign-on to applications in Azure AD](./debug-saml-sso-issues.md).
-- Use a tool like [Fiddler](https://www.telerik.com/fiddler) to capture the SAML request, response, and token.
+- Use a tool like [Fiddler](https://www.telerik.com/fiddler) to capture the SAML request, response, and token.
-- Send the SAML response to the app vendor and ask them what's missing.
+- Send the SAML response to the app vendor and ask them what's missing.
## Attributes are missing from the SAML response
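Review bot: the first rewritten bullet carries forward "If the app is the Azure AD gallery", which is missing a word ("is in the Azure AD gallery"); since the line is being replaced anyway, fix it here. Otherwise the `-`/`+` pairs in this hunk show no visible text difference, so the change appears to be whitespace-only.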
To add an attribute in the Azure AD configuration that will be sent in the Azure
1. Select **Add attribute**. Enter the **Name**, and select the **Value** from the drop-down list.
- 1. Select **Save**. You'll see the new attribute in the table.
+ 1. Select **Save**. You'll see the new attribute in the table.
9. Save the configuration.
To change which parts of the SAML token are digitally signed by Azure AD, follow
9. Select the **Signing Option** that the app expects from among these options:
- * **Sign SAML response**
- * **Sign SAML response and assertion**
- * **Sign SAML assertion**
+ - **Sign SAML response**
+ - **Sign SAML response and assertion**
+ - **Sign SAML assertion**
The next time that the user signs in to the app, Azure AD will sign the part of the SAML response that you selected.
To change the signing algorithm, follow these steps:
The next time that the user signs in to the app, Azure AD will sign the SAML token by using the SHA-1 algorithm. ## Next steps
-[How to debug SAML-based single sign-on to applications in Azure AD](./debug-saml-sso-issues.md).
+
+[How to debug SAML-based single sign-on to applications in Azure AD](./debug-saml-sso-issues.md).
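Review bot: this hunk only adds a blank line before the final link, but the sentence immediately above it, "Azure AD will sign the SAML token by using the SHA-1 algorithm", presents SHA-1 as the outcome of changing the signing algorithm without any caveat; SHA-1 signatures are deprecated, so the text should recommend SHA-256 and present SHA-1 only as a fallback for applications that cannot validate SHA-256 signatures.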
active-directory Application Sign In Problem First Party Microsoft https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-problem-first-party-microsoft.md
Microsoft Applications (like Exchange, SharePoint, Yammer, etc.) are assigned an
There are three main ways that a user can get access to a Microsoft-published application. -- For applications in the Microsoft 365 or other paid suites, users are granted access through **license assignment** either directly to their user account, or through a group using our group-based license assignment capability.
+- For applications in the Microsoft 365 or other paid suites, users are granted access through **license assignment** either directly to their user account, or through a group using our group-based license assignment capability.
-- For applications that Microsoft or a Third Party publishes freely for anyone to use, users may be granted access through **user consent**. This means that they sign in to the application with their Azure AD Work or School account and allow it to have access to some limited set of data on their account.
+- For applications that Microsoft or a Third Party publishes freely for anyone to use, users may be granted access through **user consent**. This means that they sign in to the application with their Azure AD Work or School account and allow it to have access to some limited set of data on their account.
-- For applications that Microsoft or a 3rd party publishes freely for anyone to use, users may also be granted access through **administrator consent**. This means that an administrator has determined the application may be used by everyone in the organization, so they sign in to the application with a Global Administrator account and grant access to everyone in the organization.
+- For applications that Microsoft or a 3rd party publishes freely for anyone to use, users may also be granted access through **administrator consent**. This means that an administrator has determined the application may be used by everyone in the organization, so they sign in to the application with a Global Administrator account and grant access to everyone in the organization.
To troubleshoot your issue, start with the [General Problem Areas with Application Access to consider](#general-problem-areas-with-application-access-to-consider) and then read the Walkthrough: Steps to troubleshoot Microsoft Application access to get into the details.
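Review bot: the two consent bullets rewritten here describe the same kind of publisher as "a Third Party" in one and "a 3rd party" in the next; pick one spelling. The closing sentence also refers to "Walkthrough: Steps to troubleshoot Microsoft Application access" as plain text although the section heading below is "Steps to troubleshoot Microsoft Application access"; link it and match the heading wording.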
To troubleshoot your issue, start with the [General Problem Areas with Applicati
Following is a list of the general problem areas that you can drill into if you have an idea of where to start, but we recommend you read the walkthrough to get going quickly: Walkthrough: Steps to troubleshoot Microsoft Application access. -- [Problems with the userΓÇÖs account](#problems-with-the-users-account)
+- [Problems with the userΓÇÖs account](#problems-with-the-users-account)
-- [Problems with groups](#problems-with-groups)
+- [Problems with groups](#problems-with-groups)
-- [Problems with Conditional Access policies](#problems-with-conditional-access-policies)
+- [Problems with Conditional Access policies](#problems-with-conditional-access-policies)
-- [Problems with application consent](#problems-with-application-consent)
+- [Problems with application consent](#problems-with-application-consent)
## Steps to troubleshoot Microsoft Application access
Following are some common issues folks run into when their users cannot sign in
Application access can be blocked due to a problem with a user that is assigned to the application. Following are some ways you can troubleshoot and solve problems with users and their account settings: -- [Check if a user account exists in Azure Active Directory](#check-if-a-user-account-exists-in-azure-active-directory)
+- [Check if a user account exists in Azure Active Directory](#check-if-a-user-account-exists-in-azure-active-directory)
-- [Check a userΓÇÖs account status](#check-a-users-account-status)
+- [Check a userΓÇÖs account status](#check-a-users-account-status)
-- [Reset a userΓÇÖs password](#reset-a-users-password)
+- [Reset a userΓÇÖs password](#reset-a-users-password)
-- [Enable self-service password reset](#enable-self-service-password-reset)
+- [Enable self-service password reset](#enable-self-service-password-reset)
-- [Check a userΓÇÖs multi-factor authentication status](#check-a-users-multi-factor-authentication-status)
+- [Check a userΓÇÖs multi-factor authentication status](#check-a-users-multi-factor-authentication-status)
-- [Check a userΓÇÖs authentication contact info](#check-a-users-authentication-contact-info)
+- [Check a userΓÇÖs authentication contact info](#check-a-users-authentication-contact-info)
-- [Check a userΓÇÖs group memberships](#check-a-users-group-memberships)
+- [Check a userΓÇÖs group memberships](#check-a-users-group-memberships)
-- [Check a userΓÇÖs assigned licenses](#check-a-users-assigned-licenses)
+- [Check a userΓÇÖs assigned licenses](#check-a-users-assigned-licenses)
-- [Assign a user a license](#assign-a-user-a-license)
+- [Assign a user a license](#assign-a-user-a-license)
### Check if a user account exists in Azure Active Directory To check if a userΓÇÖs account is present, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
+2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Users and groups** in the navigation menu.
+4. Select **Users and groups** in the navigation menu.
-5. click **All users**.
+5. Select **All users**.
-6. **Search** for the user you are interested in and **click the row** to select.
+6. **Search** for the user you are interested in and **click the row** to select.
-7. Check the properties of the user object to be sure that they look as you expect and no data is missing.
+7. Check the properties of the user object to be sure that they look as you expect and no data is missing.
### Check a userΓÇÖs account status To check a userΓÇÖs account status, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
+2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Users and groups** in the navigation menu.
+4. Select **Users and groups** in the navigation menu.
-5. click **All users**.
+5. Select **All users**.
-6. **Search** for the user you are interested in and **click the row** to select.
+6. **Search** for the user you are interested in and **click the row** to select.
-7. click **Profile**.
+7. Select **Profile**.
-8. Under **Settings** ensure that **Block sign in** is set to **No**.
+8. Under **Settings** ensure that **Block sign in** is set to **No**.
### Reset a userΓÇÖs password To reset a userΓÇÖs password, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
+2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Users and groups** in the navigation menu.
+4. Select **Users and groups** in the navigation menu.
-5. click **All users**.
+5. Select **All users**.
-6. **Search** for the user you are interested in and **click the row** to select.
+6. **Search** for the user you are interested in and **click the row** to select.
-7. click the **Reset password** button at the top of the user pane.
+7. Select the **Reset password** button at the top of the user pane.
-8. click the **Reset password** button on the **Reset password** pane that appears.
+8. Select the **Reset password** button on the **Reset password** pane that appears.
-9. Copy the **temporary password** or **enter a new password** for the user.
+9. Copy the **temporary password** or **enter a new password** for the user.
10. Communicate this new password to the user, they be required to change this password during their next sign in to Azure Active Directory.
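Review bot: the "click" to "Select" rewording in these three procedures is only half applied: the steps that began with "click" now say "Select", but step 2 still says "by clicking **All services**" and step 6 still says "**click the row** to select" in each procedure, while the matching procedures in the sibling access-panel article already use "selecting" and "select the row"; finish the pass so the two articles agree. Step 10 of the password reset also still reads "they be required to change this password" (missing "will"). Separately, every procedure here opens with "sign in as a **Global Administrator**" even for read-only checks such as confirming that a user exists or reading the Block sign in flag; recommending the least-privileged role that can perform each step (a read-only directory role for the checks, a user-management role for the password reset) would be better guidance than the tenant's highest-privilege role.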
To reset a userΓÇÖs password, follow these steps:
To enable self-service password reset, follow the deployment steps below: -- [Enable users to reset their Azure Active Directory passwords](../authentication/tutorial-enable-sspr.md)
+- [Enable users to reset their Azure Active Directory passwords](../authentication/tutorial-enable-sspr.md)
-- [Enable users to reset or change their Active Directory on-premises passwords](../authentication/tutorial-enable-sspr.md)
+- [Enable users to reset or change their Active Directory on-premises passwords](../authentication/tutorial-enable-sspr.md)
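Review bot: Both bullets in this hunk link to the same target, `../authentication/tutorial-enable-sspr.md`, although the second bullet is about resetting or changing Active Directory on-premises passwords. Either the second link target is wrong and should point at the tutorial for the on-premises case, or the two bullets should be merged so the reader is not sent to one page twice under two different labels.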
### Check a userΓÇÖs multi-factor authentication status
To check a userΓÇÖs multi-factor authentication status, follow these steps:
3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Users and groups** in the navigation menu.
+4. Select **Users and groups** in the navigation menu.
-5. click **All users**.
+5. Select **All users**.
-6. click the **Multi-Factor Authentication** button at the top of the pane.
+6. Select the **Multi-Factor Authentication** button at the top of the pane.
7. Once the **Multi-Factor Authentication Administration portal** loads, ensure you are on the **Users** tab.
To check a userΓÇÖs multi-factor authentication status, follow these steps:
To check a userΓÇÖs authentication contact info used for Multi-factor authentication, Conditional Access, Identity Protection, and Password Reset, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
+2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Users and groups** in the navigation menu.
+4. Select **Users and groups** in the navigation menu.
-5. click **All users**.
+5. Select **All users**.
-6. **Search** for the user you are interested in and **click the row** to select.
+6. **Search** for the user you are interested in and **click the row** to select.
-7. click **Profile**.
+7. Select **Profile**.
-8. Scroll down to **Authentication contact info**.
+8. Scroll down to **Authentication contact info**.
-9. **Review** the data registered for the user and update as needed.
+9. **Review** the data registered for the user and update as needed.
### Check a userΓÇÖs group memberships To check a userΓÇÖs group memberships, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
+2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Users and groups** in the navigation menu.
+4. Select **Users and groups** in the navigation menu.
-5. click **All users**.
+5. Select **All users**.
-6. **Search** for the user you are interested in and **click the row** to select.
+6. **Search** for the user you are interested in and **click the row** to select.
-7. click **Groups** to see which groups the user is a member of.
+7. Select **Groups** to see which groups the user is a member of.
### Check a userΓÇÖs assigned licenses To check a userΓÇÖs assigned licenses, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
+2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Users and groups** in the navigation menu.
+4. Select **Users and groups** in the navigation menu.
-5. click **All users**.
+5. Select **All users**.
-6. **Search** for the user you are interested in and **click the row** to select.
+6. **Search** for the user you are interested in and **click the row** to select.
-7. click **Licenses** to see which licenses the user currently has assigned.
+7. Select **Licenses** to see which licenses the user currently has assigned.
-### Assign a user a license
+### Assign a user a license
To assign a license to a user, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
+2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Users and groups** in the navigation menu.
+4. Select **Users and groups** in the navigation menu.
-5. click **All users**.
+5. Select **All users**.
-6. **Search** for the user you are interested in and **click the row** to select.
+6. **Search** for the user you are interested in and **click the row** to select.
-7. click **Licenses** to see which licenses the user currently has assigned.
+7. Select **Licenses** to see which licenses the user currently has assigned.
-8. click the **Assign** button.
+8. Select the **Assign** button.
-9. Select **one or more products** from the list of available products.
+9. Select **one or more products** from the list of available products.
10. **Optional** click the **assignment options** item to granularly assign products. Click **Ok** when this is completed.
-11. Click the **Assign** button to assign these licenses to this user.
+11. Select the **Assign** button to assign these licenses to this user.
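Review bot: Step 10 is the only step in this hunk still using the old verb (`**Optional** click the **assignment options** item ... Click **Ok**`) while steps 4 through 11 were changed from "click" to "Select"; update it to match. The bold `**Optional**` also reads better as a parenthetical `(Optional)` at the start of the step, in line with the surrounding numbered steps.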
## Problems with groups Application access can be blocked due to a problem with a group that is assigned to the application. Following are some ways you can troubleshoot and solve problems with groups and group memberships: -- [Check a groupΓÇÖs membership](#check-a-groups-membership)
+- [Check a groupΓÇÖs membership](#check-a-groups-membership)
-- [Check a dynamic groupΓÇÖs membership criteria](#check-a-dynamic-groups-membership-criteria)
+- [Check a dynamic groupΓÇÖs membership criteria](#check-a-dynamic-groups-membership-criteria)
-- [Check a groupΓÇÖs assigned licenses](#check-a-groups-assigned-licenses)
+- [Check a groupΓÇÖs assigned licenses](#check-a-groups-assigned-licenses)
-- [Reprocess a groupΓÇÖs licenses](#reprocess-a-groups-licenses)
+- [Reprocess a groupΓÇÖs licenses](#reprocess-a-groups-licenses)
-- [Assign a group a license](#assign-a-group-a-license)
+- [Assign a group a license](#assign-a-group-a-license)
### Check a groupΓÇÖs membership To check a groupΓÇÖs membership, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
+2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Users and groups** in the navigation menu.
+4. Select **Users and groups** in the navigation menu.
-5. click **All groups**.
+5. Select **All groups**.
-6. **Search** for the group you are interested in and **click the row** to select.
+6. **Search** for the group you are interested in and **click the row** to select.
-7. click **Members** to review the list of users assigned to this group.
+7. Select **Members** to review the list of users assigned to this group.
-### Check a dynamic groupΓÇÖs membership criteria
+### Check a dynamic groupΓÇÖs membership criteria
To check a dynamic groupΓÇÖs membership criteria, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
+2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Users and groups** in the navigation menu.
+4. Select **Users and groups** in the navigation menu.
-5. click **All groups**.
+5. Select **All groups**.
-6. **Search** for the group you are interested in and **click the row** to select.
+6. **Search** for the group you are interested in and **click the row** to select.
-7. click **Dynamic membership rules.**
+7. Select **Dynamic membership rules.**
-8. Review the **simple** or **advanced** rule defined for this group and ensure that the user you want to be a member of this group meets these criteria.
+8. Review the **simple** or **advanced** rule defined for this group and ensure that the user you want to be a member of this group meets these criteria.
### Check a groupΓÇÖs assigned licenses To check a groupΓÇÖs assigned licenses, follow these steps:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
+2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Users and groups** in the navigation menu.
+4. Select **Users and groups** in the navigation menu.
-5. click **All groups**.
+5. Select **All groups**.
-6. **Search** for the group you are interested in and **click the row** to select.
+6. **Search** for the group you are interested in and **click the row** to select.
-7. click **Licenses** to see which licenses the group currently has assigned.
+7. Select **Licenses** to see which licenses the group currently has assigned.
### Reprocess a groupΓÇÖs licenses
To reprocess a groupΓÇÖs assigned licenses, follow these steps:
3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Users and groups** in the navigation menu.
+4. Select **Users and groups** in the navigation menu.
-5. click **All groups**.
+5. Select **All groups**.
6. **Search** for the group you are interested in and **click the row** to select.
-7. click **Licenses** to see which licenses the group currently has assigned.
+7. Select **Licenses** to see which licenses the group currently has assigned.
-8. click the **Reprocess** button to ensure that the licenses assigned to this groupΓÇÖs members are up-to-date. This may take a long time, depending on the size and complexity of the group.
+8. Select the **Reprocess** button to ensure that the licenses assigned to this groupΓÇÖs members are up-to-date. This may take a long time, depending on the size and complexity of the group.
>[!NOTE] >To do this faster, consider temporarily assigning a license to the user directly. [Assign a user a license](#problems-with-application-consent).
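Review bot: The NOTE that closes this hunk links `[Assign a user a license]` to `#problems-with-application-consent`, which is the anchor of the application-consent section later in this article, not of the "Assign a user a license" procedure it names; the link should point at `#assign-a-user-a-license` to match that heading. A reader who follows the note as written lands in the wrong section while trying to work around the slow reprocess.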
To assign a license to a group, follow these steps:
3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Users and groups** in the navigation menu.
+4. Select **Users and groups** in the navigation menu.
-5. click **All groups**.
+5. Select **All groups**.
6. **Search** for the group you are interested in and **click the row** to select.
-7. click **Licenses** to see which licenses the group currently has assigned.
+7. Select **Licenses** to see which licenses the group currently has assigned.
-8. click the **Assign** button.
+8. Select the **Assign** button.
9. Select **one or more products** from the list of available products. 10. **Optional** click the **assignment options** item to granularly assign products. Click **Ok** when this is completed.
-11. Click the **Assign** button to assign these licenses to this group. This may take a long time, depending on the size and complexity of the group.
+11. Select the **Assign** button to assign these licenses to this group. This may take a long time, depending on the size and complexity of the group.
>[!NOTE] >To do this faster, consider temporarily assigning a license to the user directly. [Assign a user a license](#problems-with-application-consent).
- >
+ >
> ## Problems with Conditional Access policies
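Review bot: The `>` on the line before `## Problems with Conditional Access policies` (the `- >` / `+ >` change is whitespace only) keeps the heading inside the preceding NOTE blockquote, so the section heading renders as part of the callout; remove the `>` prefix from both that line and the heading line and leave a blank line between the note and the heading. The NOTE in this hunk also repeats the mismatched anchor `#problems-with-application-consent` for `[Assign a user a license]` that the Reprocess hunk has; both should point at the "Assign a user a license" heading.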
To check or validate a single Conditional Access policy:
3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Enterprise applications** in the navigation menu.
+4. Select **Enterprise applications** in the navigation menu.
-5. click the **Conditional Access** navigation item.
+5. Select the **Conditional Access** navigation item.
-6. click the policy you are interested in inspecting.
+6. Select the policy you are interested in inspecting.
7. Review that there are no specific conditions, assignments, or other settings that may be blocking user access.
To check or validate a single Conditional Access policy:
To check or validate a single applicationΓÇÖs currently configured Conditional Access policy:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
+2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Enterprise applications** in the navigation menu.
+4. Select **Enterprise applications** in the navigation menu.
-5. click **All applications**.
+5. Select **All applications**.
-6. Search for the application you are interested in, or the user is attempting to sign in to by application display name or application ID.
+6. Search for the application you are interested in, or the user is attempting to sign in to by application display name or application ID.
>[!NOTE] >If you donΓÇÖt see the application you are looking for, click the **Filter** button and expand the scope of the list to **All applications**. If you want to see more columns, click the **Columns** button to add additional details for your applications. > >
-7. click the **Conditional Access** navigation item.
+7. Select the **Conditional Access** navigation item.
-8. click the policy you are interested in inspecting.
+8. Select the policy you are interested in inspecting.
-9. Review that there are no specific conditions, assignments, or other settings which may be blocking user access.
+9. Review that there are no specific conditions, assignments, or other settings which may be blocking user access.
>[!NOTE] >You may wish to temporarily disable this policy to ensure it is not affecting sign-ins. To do this, set the **Enable policy** toggle to **No** and click the **Save** button.
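Review bot: The NOTE after step 9 tells the reader to disable a Conditional Access policy to rule it out, but neither the note nor the procedure says to re-enable it once the sign-in problem is diagnosed; since the assignments and conditions reviewed in step 9 apply to every user and app in the policy's scope, not only the one being troubleshot, the note should say to set **Enable policy** back to **Yes** afterwards and to record the change. Separately, the NOTE at step 6 still says `click the **Filter** button` and `click the **Columns** button` where the rest of the hunk moved to "Select".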
To check or validate a single applicationΓÇÖs currently configured Conditional A
To check or validate a single Conditional Access policy:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
+2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
-3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Enterprise applications** in the navigation menu.
+4. Select **Enterprise applications** in the navigation menu.
-5. click the **Conditional Access** navigation item.
+5. Select the **Conditional Access** navigation item.
-6. click the policy you are interested in inspecting.
+6. Select the policy you are interested in inspecting.
-7. Disable the policy by setting the **Enable policy** toggle to **No** and click the **Save** button.
+7. Disable the policy by setting the **Enable policy** toggle to **No** and click the **Save** button.
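Review bot: This procedure ends at step 7 with the policy disabled and has no step to re-enable it after the test, so a reader who follows it to the letter leaves the tenant without the control; add a final step that sets **Enable policy** back to **Yes** and saves. Step 7 also keeps `click the **Save** button` while steps 4 through 6 in the same hunk changed "click" to "Select".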
## Problems with application consent Application access can be blocked because the proper permissions consent operation has not occurred. Following are some ways you can troubleshoot and solve application consent issues: -- [Perform a user-level consent operation](#perform-a-user-level-consent-operation)
+- [Perform a user-level consent operation](#perform-a-user-level-consent-operation)
-- [Perform administrator-level consent operation for any application](#perform-administrator-level-consent-operation-for-any-application)
+- [Perform administrator-level consent operation for any application](#perform-administrator-level-consent-operation-for-any-application)
-- [Perform administrator-level consent for a single-tenant application](#perform-administrator-level-consent-for-a-single-tenant-application)
+- [Perform administrator-level consent for a single-tenant application](#perform-administrator-level-consent-for-a-single-tenant-application)
-- [Perform administrator-level consent for a multi-tenant application](#perform-administrator-level-consent-for-a-multi-tenant-application)
+- [Perform administrator-level consent for a multi-tenant application](#perform-administrator-level-consent-for-a-multi-tenant-application)
### Perform a user-level consent operation -- For any Open ID Connect-enabled application that requests permissions, navigating to the applicationΓÇÖs sign in screen performs a user level consent to the application for the signed-in user.
+- For any Open ID Connect-enabled application that requests permissions, navigating to the applicationΓÇÖs sign in screen performs a user level consent to the application for the signed-in user.
-- If you wish to do this programmatically, see [Requesting individual user consent](../develop/v2-permissions-and-consent.md#requesting-individual-user-consent).
+- If you wish to do this programmatically, see [Requesting individual user consent](../develop/v2-permissions-and-consent.md#requesting-individual-user-consent).
### Perform administrator-level consent operation for any application -- For **only applications developed using the V1 application model**, you can force this administrator level consent to occur by adding ΓÇ£**?prompt=admin\_consent**ΓÇ¥ to the end of an applicationΓÇÖs sign in URL.
+- For **only applications developed using the V1 application model**, you can force this administrator level consent to occur by adding ΓÇ£**?prompt=admin\_consent**ΓÇ¥ to the end of an applicationΓÇÖs sign in URL.
-- For **any application developed using the V2 application model**, you can enforce this administrator-level consent to occur by following the instructions under the **Request the permissions from a directory admin** section of [Using the admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint).
+- For **any application developed using the V2 application model**, you can enforce this administrator-level consent to occur by following the instructions under the **Request the permissions from a directory admin** section of [Using the admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint).
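Review bot: The `?prompt=admin_consent` tip in the first bullet only works when the sign-in URL has no query string yet; if the URL already carries parameters, the extra parameter has to be appended as `&prompt=admin_consent`, and the bullet should say so or show a complete example URL so the reader does not produce a URL with two `?` separators. The same bullet says "administrator level consent" while the next bullet says "administrator-level consent"; pick one hyphenation.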
### Perform administrator-level consent for a single-tenant application -- For **single-tenant applications** that request permissions (like those you are developing or own in your organization), you can perform an **administrative-level consent** operation on behalf of all users by signing in as a Global Administrator and clicking on the **Grant permissions** button at the top of the **Application Registry -&gt; All Applications -&gt; Select an App -&gt; Required Permissions** pane.
+- For **single-tenant applications** that request permissions (like those you are developing or own in your organization), you can perform an **administrative-level consent** operation on behalf of all users by signing in as a Global Administrator and clicking on the **Grant permissions** button at the top of the **Application Registry -&gt; All Applications -&gt; Select an App -&gt; Required Permissions** pane.
-- For **any application developed using the V1 or V2 application model**, you can enforce this administrator-level consent to occur by following the instructions under the **Request the permissions from a directory admin** section of [Using the admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint).
+- For **any application developed using the V1 or V2 application model**, you can enforce this administrator-level consent to occur by following the instructions under the **Request the permissions from a directory admin** section of [Using the admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint).
### Perform administrator-level consent for a multi-tenant application -- For **multi-tenant applications** that request permissions (like an application a third party, or Microsoft, develops), you can perform an **administrative-level consent** operation. Sign in as a Global Administrator and clicking on the **Grant permissions** button under the **Enterprise Applications -&gt; All Applications -&gt; Select an App -&gt; Permissions** pane (available soon).
+- For **multi-tenant applications** that request permissions (like an application a third party, or Microsoft, develops), you can perform an **administrative-level consent** operation. Sign in as a Global Administrator and clicking on the **Grant permissions** button under the **Enterprise Applications -&gt; All Applications -&gt; Select an App -&gt; Permissions** pane (available soon).
-- You can also enforce this administrator-level consent to occur by following the instructions under the **Request the permissions from a directory admin** section of [Using the admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint).
+- You can also enforce this administrator-level consent to occur by following the instructions under the **Request the permissions from a directory admin** section of [Using the admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint).
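Review bot: The first bullet of this hunk carries over a grammar error unchanged: `Sign in as a Global Administrator and clicking on the **Grant permissions** button` should read `Sign in as a Global Administrator and click the **Grant permissions** button`. The trailing `(available soon)` is undated and should be dropped if the pane has shipped, or qualified so the reader knows the second bullet's admin consent endpoint is the path to use in the meantime.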
## Next steps
-[Using the admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint)
+
+[Using the admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint)
active-directory Application Sign In Unexpected User Consent Error https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error.md
Many applications that integrate with Azure Active Directory require permissions
Certain conditions must be true for a user to consent to the permissions an application requires. If these conditions are not met, the following errors can occur. ## Requesting not authorized permissions error+ * **AADSTS90093:** &lt;clientAppDisplayName&gt; is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf. * **AADSTS90094:** &lt;clientAppDisplayName&gt; needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
This error occurs when a user who is not a Global Administrator attempts to use
This error can also occur when a user is prevented from consenting to an application due to Microsoft detecting that the permissions request is risky. In this case, an audit event will also be logged with a Category of "ApplicationManagement", Activity Type of "Consent to application" and Status Reason of "Risky application detected".
-Another scenario in which this error might occur is when the user assignment is required for the application, but no administrator consent was provided. In this case, the administrator must first provide administrator consent.
+Another scenario in which this error might occur is when the user assignment is required for the application, but no administrator consent was provided. In this case, the administrator must first provide administrator consent.
## Policy prevents granting permissions error+ * **AADSTS90093:** An administrator of &lt;tenantDisplayName&gt; has set a policy that prevents you from granting &lt;name of app&gt; the permissions it is requesting. Contact an administrator of &lt;tenantDisplayName&gt;, who can grant permissions to this app on your behalf. This error occurs when a Global Administrator turns off the ability for users to consent to applications, then a non-administrator user attempts to use an application that requires consent. This error can be resolved by an administrator granting access to the application on behalf of their organization. ## Intermittent problem error+ * **AADSTS90090:** It looks like the sign-in process encountered an intermittent problem recording the permissions you attempted to grant to &lt;clientAppDisplayName&gt;. try again later. This error indicates that an intermittent service side issue has occurred. It can be resolved by attempting to consent to the application again. ## Resource not available error
-* **AADSTS65005:** The app &lt;clientAppDisplayName&gt; requested permissions to access a resource &lt;resourceAppDisplayName&gt; that is not available.
+
+* **AADSTS65005:** The app &lt;clientAppDisplayName&gt; requested permissions to access a resource &lt;resourceAppDisplayName&gt; that is not available.
Contact the application developer.
-## Resource not available in tenant error
-* **AADSTS65005:** &lt;clientAppDisplayName&gt; is requesting access to a resource &lt;resourceAppDisplayName&gt; that is not available in your organization &lt;tenantDisplayName&gt;.
+## Resource not available in tenant error
+
+* **AADSTS65005:** &lt;clientAppDisplayName&gt; is requesting access to a resource &lt;resourceAppDisplayName&gt; that is not available in your organization &lt;tenantDisplayName&gt;.
Ensure that this resource is available or contact an administrator of &lt;tenantDisplayName&gt;. ## Permissions mismatch error+ * **AADSTS65005:** The app requested consent to access resource &lt;resourceAppDisplayName&gt;. This request failed because it does not match how the app was pre-configured during app registration. Contact the app vendor.** These errors all occur when the application a user is trying to consent to is requesting permissions to access a resource application that cannot be found in the organizationΓÇÖs directory (tenant). This situation can occur for several reasons: -- The client application developer has configured their application incorrectly, causing it to request access to an invalid resource. In this case, the application developer must update the configuration of the client application to resolve this issue.
+* The client application developer has configured their application incorrectly, causing it to request access to an invalid resource. In this case, the application developer must update the configuration of the client application to resolve this issue.
-- A Service Principal representing the target resource application does not exist in the organization, or existed in the past but has been removed. To resolve this issue, a Service Principal for the resource application must be provisioned in the organization so the client application can request permissions to it. The Service Principal can be provisioned in a number of ways, depending on the type of application, including:
+* A Service Principal representing the target resource application does not exist in the organization, or existed in the past but has been removed. To resolve this issue, a Service Principal for the resource application must be provisioned in the organization so the client application can request permissions to it. The Service Principal can be provisioned in a number of ways, depending on the type of application, including:
- - Acquiring a subscription for the resource application (Microsoft published applications)
+* Acquiring a subscription for the resource application (Microsoft published applications)
- - Consenting to the resource application
+* Consenting to the resource application
- - Granting the application permissions via the Azure portal
+* Granting the application permissions via the Azure portal
- - Adding the application from the Azure AD Application Gallery
+* Adding the application from the Azure AD Application Gallery
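Review bot: The list restructuring in this hunk loses the nesting of the last four items: in the `-` lines, `Acquiring a subscription for the resource application`, `Consenting to the resource application`, `Granting the application permissions via the Azure portal` and `Adding the application from the Azure AD Application Gallery` were indented sub-items of "The Service Principal can be provisioned in a number of ways ... including:", but the `+` lines make them top-level `*` items, so they now read as additional causes of the error rather than as ways to provision the missing Service Principal. Indent them under the second `*` item. In the unchanged context just above, `Contact the app vendor.**` has a stray closing `**` with no opening bold marker.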
## Risky app error and warning+ * **AADSTS900941:** Administrator consent is required. App is considered risky. (AdminConsentRequiredDueToRiskyApp) * This app may be risky. If you trust this app, please ask your admin to grant you access. * **AADSTS900981:** An admin consent request was received for a risky app. (AdminConsentRequestRiskyAppWarning) * This app may be risky. Only continue if you trust this app.
-Both of these messages will be displayed when Microsoft has determined that the consent request may be risky. Among a number of other factors, this may occur if a [verified publisher](../develop/publisher-verification-overview.md) has not been added to the app registration. The first error code and message will be shown to end-users when the [Admin consent workflow](configure-admin-consent-workflow.md) is disabled. The second code and message will be shown to end-users when the admin consent workflow is enabled and to admins.
+Both of these messages will be displayed when Microsoft has determined that the consent request may be risky. Among a number of other factors, this may occur if a [verified publisher](../develop/publisher-verification-overview.md) has not been added to the app registration. The first error code and message will be shown to end-users when the [Admin consent workflow](configure-admin-consent-workflow.md) is disabled. The second code and message will be shown to end-users when the admin consent workflow is enabled and to admins.
-End-users will not be able to grant consent to apps that have been detected as risky. Admins are able to, but should evaluate the app very carefuly and proceed with caution. If the app seems suspicious upon further review, it can be reported to Microsoft from the consent screen.
+End-users will not be able to grant consent to apps that have been detected as risky. Admins are able to, but should evaluate the app very carefuly and proceed with caution. If the app seems suspicious upon further review, it can be reported to Microsoft from the consent screen.
-## Next steps
+## Next steps
[Apps, permissions, and consent in Azure Active Directory (v1 endpoint)](../develop/quickstart-register-app.md)<br>
-[Scopes, permissions, and consent in the Azure Active Directory (v2.0 endpoint)](../develop/v2-permissions-and-consent.md)
+[Scopes, permissions, and consent in the Azure Active Directory (v2.0 endpoint)](../develop/v2-permissions-and-consent.md)
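Review bot: the four provisioning options under "The Service Principal can be provisioned in a number of ways, depending on the type of application, including:" are now top-level `*` bullets (`+* Acquiring a subscription for the resource application ...` through `+* Adding the application from the Azure AD Application Gallery`), so they no longer render nested under that parent item; indent them by two spaces (for example `  * Acquiring a subscription for the resource application (Microsoft published applications)`) to keep the hierarchy the removed `  - ` lines had. Also, the typo "carefuly" in "should evaluate the app very carefuly and proceed with caution" is carried over unchanged in the `+` line; correct it to "carefully" while this file is being touched.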
active-directory Application Sign In Unexpected User Consent Prompt https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-prompt.md
# Unexpected consent prompt when signing in to an application
-Many applications that integrate with Azure Active Directory require permissions to various resources in order to run. When these resources are also integrated with Azure Active Directory, permissions to access them is requested using the Azure AD consent framework.
+Many applications that integrate with Azure Active Directory require permissions to various resources in order to run. When these resources are also integrated with Azure Active Directory, permissions to access them is requested using the Azure AD consent framework.
-This results in a consent prompt being shown the first time an application is used, which is often a one-time operation.
+This results in a consent prompt being shown the first time an application is used, which is often a one-time operation.
> [!VIDEO https://www.youtube.com/embed/a1AjdvNDda4]
Additional prompts can be expected in various scenarios:
> [!NOTE] > Following Microsoft's recommendations and best practices, many organizations have disabled or limited users' permission to grant consent to apps. If an application forces users to grant consent every time they sign in, most users will be blocked from using these applications even if an administrator grants tenant-wide admin consent. If you encounter an application which is requiring user consent even after admin consent has been granted, check with the app publisher to see if they have a setting or option to stop forcing user consent on every sign in. - ## Next steps -- [Apps, permissions, and consent in Azure Active Directory (v1.0 endpoint)](../develop/quickstart-register-app.md)
+* [Apps, permissions, and consent in Azure Active Directory (v1.0 endpoint)](../develop/quickstart-register-app.md)
-- [Scopes, permissions, and consent in the Azure Active Directory (v2.0 endpoint)](../develop/v2-permissions-and-consent.md)
+* [Scopes, permissions, and consent in the Azure Active Directory (v2.0 endpoint)](../develop/v2-permissions-and-consent.md)
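Review bot: the `+` line "When these resources are also integrated with Azure Active Directory, permissions to access them is requested using the Azure AD consent framework." keeps a subject-verb disagreement from the removed line; since the line is being rewritten anyway, change "is requested" to "are requested".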
active-directory Application Types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-types.md
# Viewing apps using your Azure AD tenant for identity management+ The [Quickstart Series on Application Management](view-applications-portal.md) walks you the basics. In it, you learn how to view all of the apps using your Azure AD tenant for identity management. This article dives a bit deeper into the types of apps you'll find. ## Why does a specific application appear in my all applications list?+ When filtered to **All Applications**, the **All Applications** **List** shows every Service Principal object in your tenant. Service Principal objects can appear in this list in a various ways:+ - When you add any application from the application gallery, including:
- - **Azure AD - Enterprise applications** ΓÇô Apps added to your tenant using the **Enterprise applications** option on the Azure AD portal. Usually apps integrated using the SAML standard.
- - **Azure AD - App registrations** ΓÇô Apps added to your tenant using the **App registrations** option on the Azure AD portal. Usually custom developed apps using the Open ID Connect and OAuth standards.
- - **Application Proxy Applications** ΓÇô An application running in your on-premises environment that you want to provide secure single-sign on to externally
+
+ - **Azure AD - Enterprise applications** ΓÇô Apps added to your tenant using the **Enterprise applications** option on the Azure AD portal. Usually apps integrated using the SAML standard.
+ - **Azure AD - App registrations** ΓÇô Apps added to your tenant using the **App registrations** option on the Azure AD portal. Usually custom developed apps using the Open ID Connect and OAuth standards.
+ - **Application Proxy Applications** ΓÇô An application running in your on-premises environment that you want to provide secure single-sign on to externally
- When signing up for, or signing in to, a third-party application integrated with Azure Active Directory. One example is [Smartsheet](https://app.smartsheet.com/b/home) or [DocuSign](https://www.docusign.net/member/MemberLogin.aspx). - Microsoft apps such as Microsoft 365. - When you add a new application registration by creating a custom-developed application using the [Application Registry](../develop/quickstart-register-app.md)
When filtered to **All Applications**, the **All Applications** **List** shows e
Learn more about how, and why, apps are added to your directory, see [How applications are added to Azure AD](../develop/active-directory-how-applications-are-added.md). ## Next steps+ [Managing Applications with Azure Active Directory](what-is-application-management.md)
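Review bot: the re-indented sub-bullets (`+  - **Azure AD - Enterprise applications** ΓÇô Apps added to your tenant ...` and the two that follow) show the dash as `ΓÇô`, which is a UTF-8 en dash decoded as CP437; confirm the file is saved as UTF-8 with a real en dash (or a plain hyphen) so the rendered page does not show the mojibake. In the same lines, "Open ID Connect" should be written "OpenID Connect", the standard's name. Two unchanged context lines in this hunk could be fixed in the same pass: "walks you the basics" is missing "through", and "in a various ways" should read "in various ways".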
active-directory Assign User Or Group Access Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/assign-user-or-group-access-portal.md
This article shows you how to assign users, and groups, to enterprise applications in Azure Active Directory (Azure AD), either from within the Azure portal or by using PowerShell. When you assign a user to an application, the application appears in the user's [My Apps](https://myapps.microsoft.com/) for easy access. If the application exposes roles, you can also assign a specific role to the user.
-For greater control, certain types of enterprise applications can be configured to [require user assignment](#configure-an-application-to-require-user-assignment).
+For greater control, certain types of enterprise applications can be configured to [require user assignment](#configure-an-application-to-require-user-assignment).
> [!IMPORTANT] > When you assign a group to an application, only users in the group will have access. The assignment does not cascade to nested groups. > [!NOTE]
-> Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups only. Nested group memberships and Microsoft 365 groups are not currently supported. For more licensing requirements for the features discussed in this article, see the [Azure Active Directory pricing page](https://azure.microsoft.com/pricing/details/active-directory).
+> Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups only. Nested group memberships and Microsoft 365 groups are not currently supported. For more licensing requirements for the features discussed in this article, see the [Azure Active Directory pricing page](https://azure.microsoft.com/pricing/details/active-directory).
## Configure an application to require user assignment
With the following types of applications, you have the option of requiring users
- Application Proxy applications that use Azure Active Directory Pre-Authentication - Applications built on the Azure AD application platform that use OAuth 2.0 / OpenID Connect Authentication after a user or admin has consented to that application.
-When user assignment is required, only those users you explicitly assign to the application (either through direct user assignment or based on group membership) will be able to sign in. They can access the app on their My Apps page or by using a direct link.
+When user assignment is required, only those users you explicitly assign to the application (either through direct user assignment or based on group membership) will be able to sign in. They can access the app on their My Apps page or by using a direct link.
-When assignment is *not required*, either because you've set this option to **No** or because the application uses another SSO mode, any user will be able to access the application if they have a direct link to the application or the **User Access URL** in the applicationΓÇÖs **Properties** page.
+When assignment is *not required*, either because you've set this option to **No** or because the application uses another SSO mode, any user will be able to access the application if they have a direct link to the application or the **User Access URL** in the applicationΓÇÖs **Properties** page.
This setting doesn't affect whether or not an application appears on My Apps. Applications appear on users' My Apps access panels once you've assigned a user or group to the application. For background, see [Managing access to apps](what-is-access-management.md). > [!NOTE]
-> When an application requires assignment, user consent for that application is not allowed. This is true even if users consent for that app would have otherwise been allowed. Be sure to [grant tenant-wide admin consent](../manage-apps/grant-admin-consent.md) to apps that require assignment.
+> When an application requires assignment, user consent for that application is not allowed. This is true even if users consent for that app would have otherwise been allowed. Be sure to [grant tenant-wide admin consent](../manage-apps/grant-admin-consent.md) to apps that require assignment.
To require user assignment for an application:+ 1. Sign in to the [Azure portal](https://portal.azure.com) with an administrator account or as an owner of the application. 2. Select **Azure Active Directory**. In the left navigation menu, select **Enterprise applications**. 3. Select the application from the list. If you don't see the application, start typing its name in the search box. Or use the filter controls to select the application type, status, or visibility, and then select **Apply**.
To require user assignment for an application:
6. Select the **Save** button at the top of the screen. ## Assign or unassign users, and groups, for an app using the Azure portal+ To learn how to assign, or unassign, a user or group using the Azure portal, see the [Quickstart Series on Application Management](add-application-portal-assign-users.md). ## Assign or unassign users, and groups, for an app using the Graph API+ You can use the Graph API to assign or unassign users, and groups, for an app. To learn more, see [App role assignments](/graph/api/resources/approleassignment). ## Assign users, and groups, to an app using PowerShell+ 1. Open an elevated Windows PowerShell command prompt. > [!NOTE] > You need to install the AzureAD module (use the command `Install-Module -Name AzureAD`). If prompted to install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER.
You can use the Graph API to assign or unassign users, and groups, for an app. T
# Assign the user to the app role New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
- ```
+ For more information about how to assign a user to an application role, see the documentation for [New-AzureADUserAppRoleAssignment](/powershell/module/azuread/new-azureaduserapproleassignment). To assign a group to an enterprise app, you must replace `Get-AzureADUser` with `Get-AzureADGroup` and replace `New-AzureADUserAppRoleAssignment` with `New-AzureADGroupAppRoleAssignment`.
This example assigns the user Britta Simon to the [Microsoft Workplace Analytics
# Assign the values to the variables $username = "britta.simon@contoso.com" $app_name = "Workplace Analytics"
- ```
+ 2. In this example, we don't know what is the exact name of the application role we want to assign to Britta Simon. Run the following commands to get the user ($user) and the service principal ($sp) using the user UPN and the service principal display names. ```powershell # Get the user to assign, and the service principal for the app to assign to $user = Get-AzureADUser -ObjectId "$username" $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
- ```
+ 3. Run the command `$sp.AppRoles` to display the roles available for the Workplace Analytics application. In this example, we want to assign Britta Simon the Analyst (Limited access) Role. ![Shows the roles available to a user using Workplace Analytics Role](./media/assign-user-or-group-access-portal/workplace-analytics-role.png) 4. Assign the role name to the `$app_role_name` variable.
This example assigns the user Britta Simon to the [Microsoft Workplace Analytics
# Assign the values to the variables $app_role_name = "Analyst (Limited access)" $appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
- ```
+ 5. Run the following command to assign the user to the app role: ```powershell
This example assigns the user Britta Simon to the [Microsoft Workplace Analytics
Remove-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -AppRoleAssignmentId $assignments[assignment #].ObjectId ``` - ## Related articles - [Learn more about end-user access to applications](end-user-experiences.md) - [Plan an Azure AD My Apps deployment](my-apps-deployment-plan.md) - [Managing access to apps](what-is-access-management.md)
-
+ ## Next steps - [See all of my groups](../fundamentals/active-directory-groups-view-azure-portal.md)
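Review bot: the closing code-fence lines (the removed lines consisting only of three backticks after `New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId ...`, after `$app_name = "Workplace Analytics"`, after `$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"`, and after `$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }`) have no replacement closing fence visible in the `+` lines, while `+ 2. In this example, ... ```powershell` and `+ 5. Run the following command ... ```powershell` open new blocks; if the closing fences really are gone, the prose that follows each PowerShell block (for example "For more information about how to assign a user to an application role, see ...") will render inside the code block. Please check the rendered preview and confirm every fence in steps 1 through 5 is balanced.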
active-directory Certificate Signing Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/certificate-signing-options.md
Next, change the certificate signing options in the SAML token for that applicat
## Next steps * [Configure single sign-on to applications that are not in the Azure Active Directory App Gallery](./configure-saml-single-sign-on.md)
-* [Troubleshoot SAML-based single sign-on](./debug-saml-sso-issues.md)
+* [Troubleshoot SAML-based single sign-on](./debug-saml-sso-issues.md)
active-directory Cloud App Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/cloud-app-security.md
Use Microsoft Cloud App Discovery (an Azure Active Directory Premium P1 feature)
- Manage your apps - Advanced Shadow IT discovery reporting - Control sanctioned apps
-
+ ### Learn more -- [Discover and manage shadow IT in your network ](/cloud-app-security/tutorial-shadow-it)-- [Discovered apps with Cloud App Security ](/cloud-app-security/discovered-apps)
-
-## User session visibility and control
+- [Discover and manage shadow IT in your network](/cloud-app-security/tutorial-shadow-it)
+- [Discovered apps with Cloud App Security](/cloud-app-security/discovered-apps)
+
+## User session visibility and control
-In todayΓÇÖs workplace, itΓÇÖs often not enough to know whatΓÇÖs happening in your cloud environment after the fact. You want to stop breaches and leaks in real time before employees intentionally or inadvertently put your data and your organization at risk. Together with Azure Active Directory (Azure AD), Microsoft Cloud App Security delivers these capabilities in a holistic and integrated experience with Conditional Access App Control.
+In todayΓÇÖs workplace, itΓÇÖs often not enough to know whatΓÇÖs happening in your cloud environment after the fact. You want to stop breaches and leaks in real time before employees intentionally or inadvertently put your data and your organization at risk. Together with Azure Active Directory (Azure AD), Microsoft Cloud App Security delivers these capabilities in a holistic and integrated experience with Conditional Access App Control.
Session control uses a reverse proxy architecture and is uniquely integrated with Azure AD Conditional Access. Azure AD Conditional Access allows you to enforce access controls on your organizationΓÇÖs apps based on certain conditions. The conditions define who (user or group of users) and what (which cloud apps) and where (which locations and networks) a Conditional Access policy is applied to. After youΓÇÖve determined the conditions, you can route users to Cloud App Security where you can protect data in real time.
-With this control you can:
+With this control you can:
+ - Control file downloads - Monitor B2B scenarios - Control access to files - Protect documents on download
-
+ ### Learn more -- [Protect apps with Session Control in Cloud App Security ](/cloud-app-security/proxy-intro-aad)
-
-## Advanced app visibility and controls
+- [Protect apps with Session Control in Cloud App Security](/cloud-app-security/proxy-intro-aad)
-App connectors use the APIs of app providers to enable greater visibility and control by Microsoft Cloud App Security over the apps you connect to.
-Cloud App Security leverages the APIs provided by the cloud provider. Each service has its own framework and API limitations such as throttling, API limits, dynamic time-shifting API windows, and others. The Cloud App Security product team worked with these services to optimize the use of APIs and provide the best performance. Taking into account different limitations services impose on their APIs, the Cloud App Security engines use their maximum allowed capacity. Some operations, such as scanning all files in the tenant, require numerous API calls so they're spread over a longer period. Expect some policies to run for several hours or days.
-
-### Learn more
+## Advanced app visibility and controls
+
+App connectors use the APIs of app providers to enable greater visibility and control by Microsoft Cloud App Security over the apps you connect to.
+Cloud App Security leverages the APIs provided by the cloud provider. Each service has its own framework and API limitations such as throttling, API limits, dynamic time-shifting API windows, and others. The Cloud App Security product team worked with these services to optimize the use of APIs and provide the best performance. Taking into account different limitations services impose on their APIs, the Cloud App Security engines use their maximum allowed capacity. Some operations, such as scanning all files in the tenant, require numerous API calls so they're spread over a longer period. Expect some policies to run for several hours or days.
+
+### Learn more
-- [Connect apps in Cloud App Security ](/cloud-app-security/enable-instant-visibility-protection-and-governance-actions-for-your-apps)
+- [Connect apps in Cloud App Security](/cloud-app-security/enable-instant-visibility-protection-and-governance-actions-for-your-apps)
## Next steps -- [Discover and manage shadow IT in your network ](/cloud-app-security/tutorial-shadow-it)-- [Discovered apps with Cloud App Security ](/cloud-app-security/discovered-apps)-- [Protect apps with Session Control in Cloud App Security ](/cloud-app-security/proxy-intro-aad)-- [Connect apps in Cloud App Security ](/cloud-app-security/enable-instant-visibility-protection-and-governance-actions-for-your-apps)
+- [Discover and manage shadow IT in your network](/cloud-app-security/tutorial-shadow-it)
+- [Discovered apps with Cloud App Security](/cloud-app-security/discovered-apps)
+- [Protect apps with Session Control in Cloud App Security](/cloud-app-security/proxy-intro-aad)
+- [Connect apps in Cloud App Security](/cloud-app-security/enable-instant-visibility-protection-and-governance-actions-for-your-apps)
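Review bot: the added line "In todayΓÇÖs workplace, itΓÇÖs often not enough to know whatΓÇÖs happening in your cloud environment after the fact." shows apostrophes as `ΓÇÖ`, a UTF-8 curly apostrophe decoded as CP437 (the unchanged context line with "organizationΓÇÖs apps" and "After youΓÇÖve determined" has the same problem); make sure the file is written as UTF-8, or use plain ASCII apostrophes, so the rendered text reads today's, it's and what's.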
active-directory Common Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/common-scenarios.md
Passwords, both an IT nightmare and a pain for employees across the world. This
**Common scenarios** - > [!div class="checklist"] > * SSO for all your applications
-> * Automate provisioning and deprovisioning
+> * Automate provisioning and deprovisioning
> * Secure your applications > * Govern access to your applications > * Hybrid secure access ## Scenario 1: Set up SSO for all your applications
-No more managing password. Securely access all the resources you need with your corporate credentials.
+No more managing password. Securely access all the resources you need with your corporate credentials.
|Feature | Description | Recommendation | |||| |SSO|Standards-based federated SSO using trusted industry standards.|Always use [SAML / OIDC](../develop/v2-howto-app-gallery-listing.md) to enable SSO when your application supports it.| |My Apps|Offer your users a simple hub to discover and access all their applications. Enable them to be more productive with self-service capabilities, like requesting access to apps and groups, or managing access to resources on behalf of others.| Deploy [My Apps](my-apps-deployment-plan.md) in your organization once you've integrated your apps with Azure AD for SSO.|
-## Scenario 2: Automate provisioning and deprovisioning
--
-Most applications require a user to be provisioned into the application before accessing the resources that they need. Using CSV files or complex scripts can be costly and hard to manage. Furthermore, customers need to ensure that accounts are removed when someone shouldn't have access anymore. Leverage the tools below to automate provisioning and deprovisioning.
+## Scenario 2: Automate provisioning and deprovisioning
+Most applications require a user to be provisioned into the application before accessing the resources that they need. Using CSV files or complex scripts can be costly and hard to manage. Furthermore, customers need to ensure that accounts are removed when someone shouldn't have access anymore. Leverage the tools below to automate provisioning and deprovisioning.
|Feature |Description|Recommendation | |||| |SCIM Provisioning|[SCIM](https://aka.ms/SCIMOverview) is an industry best practice for automating user provisioning. Any SCIM-compliant application can be integrated with Azure AD. Automatically create, update, and delete user accounts without having to maintain CSV files, custom scripts, or on-prem solutions.|Check out the growing list of [pre-integrated](../saas-apps/tutorial-list.md) apps in the Azure AD app gallery| |Microsoft Graph|Leverage the breath and depth of data that Azure AD has to enrich your application with the data that it needs.|Leverage the [Microsoft graph](https://developer.microsoft.com/graph/) to get data from across the Microsoft ecosystem. | - ## Scenario 3: Secure your applications
-Identity is the linchpin for security. If an identity gets compromised, it's incredibly difficult to stop the domino effect before it's too late. On average over 100 days pass before organizations discover that there was a compromise. Use the tools provided by Azure AD to improve the security posture of your applications.
+
+Identity is the linchpin for security. If an identity gets compromised, it's incredibly difficult to stop the domino effect before it's too late. On average over 100 days pass before organizations discover that there was a compromise. Use the tools provided by Azure AD to improve the security posture of your applications.
|Feature |Description| Recommendation | ||| | |Azure AD MFA|Azure AD Multi-Factor Authentication (MFA) is Microsoft's two-step verification solution. Using admin-approved authentication methods, Azure AD MFA helps safeguard access to your data and applications while meeting the demand for a simple sign-in process.| [Enable MFA](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/all-your-creds-are-belong-to-us/ba-p/855124) for your users. |
-|Conditional Access|With Conditional Access, you can implement automated access control decisions for who can access your cloud apps, based on conditions.| Review the [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) and [common policies](../conditional-access/concept-conditional-access-policy-common.md) customers are using. |
-|Identity Protection|Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure AD, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses 6.5 trillion signals per day to identify and protect customers from threats.|Enable the [default identity protection policies](../identity-protection/concept-identity-protection-policies.md) provided by our service. |
+|Conditional Access|With Conditional Access, you can implement automated access control decisions for who can access your cloud apps, based on conditions.| Review the [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) and [common policies](../conditional-access/concept-conditional-access-policy-common.md) customers are using. |
+|Identity Protection|Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure AD, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses 6.5 trillion signals per day to identify and protect customers from threats.|Enable the [default identity protection policies](../identity-protection/concept-identity-protection-policies.md) provided by our service. |
## Scenario 4: Govern access to your applications
-Identity Governance helps organizations achieve a balance between productivity - How quickly can a person have access to the applications they need, such as when they join my organization? And security - How should their access change over time, such as due to changes to that person's employment status?
+
+Identity Governance helps organizations achieve a balance between productivity - How quickly can a person have access to the applications they need, such as when they join my organization? And security - How should their access change over time, such as due to changes to that person's employment status?
|Feature |Description|Recommendation | ||| |
Identity Governance helps organizations achieve a balance between productivity -
|Access Reviews|User's access to apps can be reviewed on a regular basis to make sure only the right people have continued access.| [Review access](../governance/access-reviews-overview.md) to your most sensitive applications. | |Log Analytics|Generate reports about who is accessing which applications and store them in your SIEM tool of choice to correlate data between data sources and over time.| Enable [log analytics](../reports-monitoring/howto-analyze-activity-logs-log-analytics.md) and set up alerts for critical events related to your applications. | - ## Scenario 5: Hybrid Secure Access+ Identity can only be your control plane if it can connect everything across cloud and on-premises applications. Leverage the tools provided by Azure AD and its partners to secure access to legacy-auth based applications. |Feature |Description|Recommendation | |||| |Application Proxy|Employees today want to be productive at any place, at any time, and from any device. They need to access SaaS apps in the cloud and corporate apps on-premises. Azure AD Application proxy enables this robust access without costly and complex virtual private networks (VPNs) or demilitarized zones (DMZs).|Setup [remote access](../app-proxy/application-proxy.md) for your on-prem apps. |
-|F5, Akamai, Zscaler|Using your existing networking and delivery controller, you can easily protect legacy applications that are still critical to your business processes but that you couldn't protect before with Azure AD. It's likely you already have everything you need to start protecting these applications.| Using Akamai, Citrix, F5, or Zscaler? Check out our [pre-built solutions](./secure-hybrid-access.md). |
+|F5, Akamai, Zscaler|Using your existing networking and delivery controller, you can easily protect legacy applications that are still critical to your business processes but that you couldn't protect before with Azure AD. It's likely you already have everything you need to start protecting these applications.| Using Akamai, Citrix, F5, or Zscaler? Check out our [pre-built solutions](./secure-hybrid-access.md). |
## Related articles -- [Application management](./index.yml)-- [Application provisioning](../app-provisioning/user-provisioning.md)-- [Hybrid secure access](./secure-hybrid-access.md)-- [Identity governance](../governance/identity-governance-overview.md)-- [Microsoft identity platform](../develop/v2-overview.md)-- [Identity security](../conditional-access/index.yml)
+* [Application management](./index.yml)
+* [Application provisioning](../app-provisioning/user-provisioning.md)
+* [Hybrid secure access](./secure-hybrid-access.md)
+* [Identity governance](../governance/identity-governance-overview.md)
+* [Microsoft identity platform](../develop/v2-overview.md)
+* [Identity security](../conditional-access/index.yml)
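Review bot: the `+` line "No more managing password. Securely access all the resources you need with your corporate credentials." keeps the singular "password"; change it to "No more managing passwords." Since this file is being edited anyway, three wording errors in the unchanged table rows are worth fixing too: in the Microsoft Graph row, "Leverage the breath and depth of data" should read "breadth and depth" and "Microsoft graph" should be "Microsoft Graph"; in the Application Proxy row, "Setup [remote access]" should be the verb "Set up".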
active-directory Configure Admin Consent Workflow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-admin-consent-workflow.md
This article describes how to enable the admin consent workflow feature, which gives end users a way to request access to applications that require admin consent. Without an admin consent workflow, a user in a tenant where user consent is disabled will be blocked when they try to access any app that requires permissions to access organizational data. The user sees a generic error message that says they're unauthorized to access the app and they should ask their admin for help. But often, the user doesn't know who to contact, so they either give up or create a new local account in the application. Even when an admin is notified, there isn't always a streamlined process to help the admin grant access and notify their users.
-
The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action. To approve requests, a reviewer must be a global administrator, cloud application administrator, or application administrator. The reviewer must already have one of these admin roles assigned; simply designating them as a reviewer doesn't elevate their privileges.
To enable the admin consent workflow and choose reviewers:
1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator. 2. Click **All services** at the top of the left-hand navigation menu. The **Azure Active Directory Extension** opens. 3. In the filter search box, type "**Azure Active Directory**" and select **the Azure Active Directory** item.
-4. From the navigation menu, click **Enterprise applications**.
+4. From the navigation menu, click **Enterprise applications**.
5. Under **Manage**, select **User settings**. 6. Under **Admin consent requests**, set **Users can request admin consent to apps they are unable to consent to** to **Yes**. ![Configure admin consent workflow settings](media/configure-admin-consent-workflow/admin-consent-requests-settings.png)
-
-6. Configure the following settings:
+
+7. Configure the following settings:
* **Select users to review admin consent requests**. Select reviewers for this workflow from a set of users that have the global administrator, cloud application administrator, and application administrator roles. * **Selected users will receive email notifications for requests**. Enable or disable email notifications to the reviewers when a request is made. * **Selected users will receive request expiration reminders**. Enable or disable reminder email notifications to the reviewers when a request is about to expire. * **Consent request expires after (days)**. Specify how long requests stay valid.
-7. Select **Save**. It can take up to an hour for the feature to become enabled.
+8. Select **Save**. It can take up to an hour for the feature to become enabled.
> [!NOTE] > You can add or remove reviewers for this workflow by modifying the **Select admin consent requests reviewers** list. Note that a current limitation of this feature is that reviewers can retain the ability to review requests that were made while they were designated as a reviewer. ## How users request admin consent
-After the admin consent workflow is enabled, users can request admin approval for an application they're unauthorized to consent to. The following steps describe user's experience when requesting approval.
+After the admin consent workflow is enabled, users can request admin approval for an application they're unauthorized to consent to. The following steps describe user's experience when requesting approval.
1. The user attempts to sign in to the application.
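Review bot: The limitation sentence in the note block, "reviewers can retain the ability to review requests that were made while they were designated as a reviewer", does not say whose ability is retained, so it reads like a description of normal behaviour rather than a limitation; spell it out, e.g. "a reviewer who is later removed from the list can still act on requests that were created while they were a reviewer". The step renumbering in this hunk (6 to 7 for "Configure the following settings", 7 to 8 for "Select **Save**") is consistent with the context above, where the **Users can request admin consent to apps they are unable to consent to** setting is already step 6.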
After the admin consent workflow is enabled, users can request admin approval fo
![Screenshot shows the Request sent confirmation.](media/configure-admin-consent-workflow/end-user-sent-request.png)
- 4. The user receives an email notification when their request is approved, denied, or blocked.
+4. The user receives an email notification when their request is approved, denied, or blocked.
## Review and take action on admin consent requests
To review the admin consent requests and take action:
> [!NOTE] > Reviewers will only see admin requests that were created after they were designated as a reviewer.
-1. Select the application that is being requested.
-2. Review details about the request:
+6. Select the application that is being requested.
+7. Review details about the request:
* To see who is requesting access and why, select the **Requested by** tab. * To see what permissions are being requested by the application, select **Review permissions and consent**.
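Review bot: Renumbering "Select the application that is being requested" and "Review details about the request" from 1 and 2 to 6 and 7 only makes sense if steps 1 through 5 of "To review the admin consent requests and take action" exist above the note; in the displayed context the intro line and the note are followed directly by step 6, so confirm those earlier steps are present in the file, otherwise the list starts at 6 with nothing before it. The removal of the stray leading space on step 4 of the user-experience list is right; steps 2 and 3 of that list are not visible here, so check they use the same indentation.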
To review the admin consent requests and take action:
* **Approve the request**. To approve a request, grant admin consent to the application. Once a request is approved, all requestors are notified that they have been granted access. * **Deny the request**. To deny a request, you must provide a justification that will be provided to all requestors. Once a request is denied, all requestors are notified that they have been denied access to the application. Denying a request won't prevent users from requesting admin consent to the app again in the future. * **Block the request**. To block a request, you must provide a justification that will be provided to all requestors. Once a request is blocked, all requestors are notified they've been denied access to the application. Blocking a request creates a service principal object for the application in your tenant in a disabled state. Users won't be able to request admin consent to the application in the future.
-
+ ## Email notifications
-
+ If configured, all reviewers will receive email notifications when: * A new request has been created * A request has expired * A request is nearing the expiration date
-
+ Requestors will receive email notifications when: * They submit a new request for access * Their request has expired * Their request has been denied or blocked * Their request has been approved
-
-## Audit logs
-
+
+## Audit logs
+ The table below outlines the scenarios and audit values available for the admin consent workflow. |Scenario |Audit Service |Audit Category |Audit Activity |Audit Actor |Audit log limitations |
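Review bot: The re-added "## Email notifications" and "## Audit logs" headings, and the paragraphs under them, appear here with a leading space before the text; CommonMark tolerates up to three leading spaces, but it is inconsistent with the other headings in the file and the docs linter will flag it, so strip the indent. Also confirm a blank line separates "The table below outlines the scenarios and audit values..." from the table header row; without one some renderers fold the sentence into the table.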
The table below outlines the scenarios and audit values available for the admin
|Reviewers approving an admin consent request |Access Reviews |UserManagement |Approve all requests in business flow |App context |Currently you cannot find the user context or the app ID that was granted admin consent. | |Reviewers denying an admin consent request |Access Reviews |UserManagement |Approve all requests in business flow |App context | Currently you cannot find the user context of the actor that denied an admin consent request |
-## FAQ
+## FAQ
**I turned on this workflow, but when testing out the functionality, why canΓÇÖt I see the new ΓÇ£Approval requiredΓÇ¥ prompt allowing me to request access?**
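Review bot: In the audit table the **Audit Activity** for "Reviewers denying an admin consent request" is the same value as the approve row, "Approve all requests in business flow"; if that really is what the audit log records for a denial, say so in the limitations column, otherwise it looks like a copy/paste error and should be corrected. The FAQ question in this hunk also uses a curly apostrophe and curly quotes (can't, "Approval required"), which show up here as mojibake; plain ASCII quotes survive any pipeline that mishandles the file's encoding.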
If an application developer has configured their app to use static and dynamic c
No, for now requestors are only able to get updates via email notifications. **As a reviewer, is it possible to approve the application, but not for everyone?**
-
+ If you're concerned about granting admin consent and allowing all users in the tenant to use the application, we recommend that you deny the request. Then manually grant admin consent by restricting access to the application by requiring user assignment, and assigning users or groups to the application. For more information, see [Methods for assigning users and groups](./assign-user-or-group-access-portal.md). ## Next steps
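Review bot: The recommended sequence in the last FAQ answer should put the restriction in place before consent is granted: first require user assignment on the application and assign the intended users or groups, then grant admin consent. As written ("grant admin consent by restricting access to the application by requiring user assignment, and assigning users or groups") consent is listed first, which leaves a window in which every user in the tenant can use the app, exactly what the question is worried about. The changed blank line before this paragraph also carries a leading space on the "+" side; whitespace-only lines with indentation are usually what the repo's linter strips, so check it.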
active-directory Configure Authentication For Federated Users Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md
To check which applications have HRD policy configured, use the **Get-AzureADPol
Get-AzureADPolicyAppliedObject -id <ObjectId of the Policy> ```
-#### Step 5: You're done!
+#### Step 5: You're done
Try the application to check that the new policy is working.
active-directory Configure Linked Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-linked-sign-on.md
In the [quickstart series](view-applications-portal.md) on application managemen
The **Linked** option lets you configure the target location when a user selects the app in your organization's [My Apps](https://myapps.microsoft.com/) or Office 365 portal. Some common scenarios where the link option is valuable include:+ - Add a link to a custom web application that currently uses federation, such as Active Directory Federation Services (AD FS). - Add deep links to specific SharePoint pages or other web pages that you just want to appear on your user's Access Panels.-- Add a link to an app that doesn't require authentication.
-
+- Add a link to an app that doesn't require authentication.
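Review bot: The scenario list still mixes two names for the same surface after the third bullet is split onto its own line: the lead sentence says **My Apps**, while the second bullet says "your user's Access Panels". Use My Apps in both places. The first bullet (a custom web application that uses AD FS federation) would also benefit from a pointer to what the paragraph below already states, that Linked sign-on does not authenticate the user through Azure AD, so the federation itself remains the application's own responsibility.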
The **Linked** option doesn't provide sign-on functionality through Azure AD credentials. But, you can still use some of the other features of **Enterprise applications**. For example, you can use audit logs and add a custom logo and app name. ## Before you begin
-To ramp knowledge quickly, walk through the [quickstart series](view-applications-portal.md) on application management. On the quickstart, where you configure single sign-on, you'll also find the **Linked** option.
+To ramp knowledge quickly, walk through the [quickstart series](view-applications-portal.md) on application management. On the quickstart, where you configure single sign-on, you'll also find the **Linked** option.
The **Linked** option doesn't provide sign-on functionality through Azure AD. The option simply sets the location users will be sent to when they select the app on [My Apps](https://myapps.microsoft.com/) or the Microsoft 365 app launcher. Because the sign-in doesn't provide sign-on functionality through Azure AD, Conditional Access is not available for applications configured with Linked single sign-on.
-> [!IMPORTANT]
-> There are some scenarios where the **Single sign-on** option will not be in the navigation for an application in **Enterprise applications**.
+> [!IMPORTANT]
+> There are some scenarios where the **Single sign-on** option will not be in the navigation for an application in **Enterprise applications**.
>
-> If the application was registered using **App registrations** then the single sign-on capability is setup to use OIDC OAuth by default. In this case, the **Single sign-on** option won't show in the navigation under **Enterprise applications**. When you use **App registrations** to add your custom app, you configure options in the manifest file. To learn more about the manifest file, see [Azure Active Directory app manifest](../develop/reference-app-manifest.md). To learn more about SSO standards, see [Authentication and authorization using Microsoft identity platform](../develop/authentication-vs-authorization.md#authentication-and-authorization-using-the-microsoft-identity-platform).
+> If the application was registered using **App registrations** then the single sign-on capability is setup to use OIDC OAuth by default. In this case, the **Single sign-on** option won't show in the navigation under **Enterprise applications**. When you use **App registrations** to add your custom app, you configure options in the manifest file. To learn more about the manifest file, see [Azure Active Directory app manifest](../develop/reference-app-manifest.md). To learn more about SSO standards, see [Authentication and authorization using Microsoft identity platform](../develop/authentication-vs-authorization.md#authentication-and-authorization-using-the-microsoft-identity-platform).
>
-> Other scenarios where **Single sign-on** will be missing from the navigation include when an application is hosted in another tenant or if your account does not have the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal). Permissions can also cause a scenario where you can open **Single sign-on** but won't be able to save. To learn more about Azure AD administrative roles, see (https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles).
+> Other scenarios where **Single sign-on** will be missing from the navigation include when an application is hosted in another tenant or if your account does not have the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal). Permissions can also cause a scenario where you can open **Single sign-on** but won't be able to save. To learn more about Azure AD administrative roles, see [Azure AD built-in roles](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles).
### Configure link To set a link for an app, select **Linked** on the **Single sign-on** page. Then enter the link and select **Save**. Need a reminder on where to find these options? Check out the [quickstart series](view-applications-portal.md).
-
+ After you configure an app, assign users and groups to it. When you assign users, you can control when the application appears on [My Apps](https://myapps.microsoft.com/) or the Microsoft 365 app launcher. ## Next steps
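Review bot: The fix that turns the bare "(https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles)" into a link with text is still missing from the identical IMPORTANT block in the password-based SSO and SAML SSO articles in this same batch; apply the same change there. In the same block, "the single sign-on capability is setup to use OIDC OAuth" should read "is set up to use OIDC/OAuth" ("setup" is the noun). The sentence in the context above that Conditional Access is not available for Linked sign-on because no Azure AD authentication takes place is the most consequential statement on the page, since the link is an unprotected launch point; an IMPORTANT or NOTE box would make it harder to miss.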
active-directory Configure Oidc Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-oidc-single-sign-on.md
Last updated 10/19/2020-+ # Understand OIDC-based single sign-on
-In the [quickstart series](view-applications-portal.md) on application management, you learned how to use Azure AD as the Identity Provider (IdP) for an application. This article goes into more detail about apps that use the OpenID Connect standard to implement single sign-on.
+
+In the [quickstart series](view-applications-portal.md) on application management, you learned how to use Azure AD as the Identity Provider (IdP) for an application. This article goes into more detail about apps that use the OpenID Connect standard to implement single sign-on.
## Before you begin
-The process of adding an app to your Azure Active Directory tenant depends on the type of single sign-on the application implemented. To learn more about the single sign-on options available for apps that can use Azure AD for identity management, see [single sign-on options](sso-options.md). This article covers OIDC-based apps.
+The process of adding an app to your Azure Active Directory tenant depends on the type of single sign-on the application implemented. To learn more about the single sign-on options available for apps that can use Azure AD for identity management, see [single sign-on options](sso-options.md). This article covers OIDC-based apps.
## Basic OIDC configuration+ In the [quickstart series](add-application-portal-setup-oidc-sso.md), there's an article on configuring single sign-on. In it, you learn how to add an OIDC-based app to your Azure tenant. The nice thing with adding an app that uses the OIDC standard for single sign-on is that configuration is minimal. Here is a short video showing how to add an OIDC-based app to your tenant.
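Review bot: "add an OIDC-based app to your Azure tenant" should be "Azure AD tenant" (the sentence before it says "Azure Active Directory tenant"), and "The nice thing with adding an app that uses the OIDC standard" is informal for reference docs; "An advantage of apps that use the OIDC standard for single sign-on is that configuration is minimal" reads better. The whitespace-only changes in the hunk are fine.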
active-directory Configure Password Single Sign On Non Gallery Applications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-password-single-sign-on-non-gallery-applications.md
# Understand password-based single sign-on
-In the [quickstart series](view-applications-portal.md) on application management, you learned how to use Azure AD as the Identity Provider (IdP) for an application. In the quickstart guide, you configure SAML-based or OIDC-based SSO. Another option is password-based SSO. This article goes into more detail about the password-based SSO option.
+In the [quickstart series](view-applications-portal.md) on application management, you learned how to use Azure AD as the Identity Provider (IdP) for an application. In the quickstart guide, you configure SAML-based or OIDC-based SSO. Another option is password-based SSO. This article goes into more detail about the password-based SSO option.
This option is available for any website with an HTML sign-in page. Password-based SSO is also known as password vaulting. Password-based SSO enables you to manage user access and passwords to web applications that don't support identity federation. It's also useful where several users need to share a single account, such as to your organization's social media app accounts.
Password-based SSO is a great way to get started integrating applications into A
- Allow your users to provide their own usernames and passwords for any existing application accounts they're typing in manually. -- Allow a member of the business group to specify the usernames and passwords assigned to a user by using the [Self-Service Application Access](./manage-self-service-access.md) feature
+- Allow a member of the business group to specify the usernames and passwords assigned to a user by using the [Self-Service Application Access](./manage-self-service-access.md) feature.
-- Allow an administrator to specify a username and password to be used by individuals or groups when they sign in to the application with the Update Credentials feature
+- Allow an administrator to specify a username and password to be used by individuals or groups when they sign in to the application with the Update Credentials feature.
## Before you begin Using Azure AD as your Identity Provider (IdP) and configuring single sign-on (SSO) can be simple or complex depending on the application being used. Some applications can be configured with just a few actions. Others require in-depth configuration. To ramp knowledge quickly, walk through the [quickstart series](view-applications-portal.md) on application management. If the application you're adding is simple, then you probably don't need to read this article. If the application you're adding requires custom configuration and you need to use password-based SSO, then this article is for you.
-> [!IMPORTANT]
-> There are some scenarios where the **Single sign-on** option will not be in the navigation for an application in **Enterprise applications**.
+> [!IMPORTANT]
+> There are some scenarios where the **Single sign-on** option will not be in the navigation for an application in **Enterprise applications**.
>
-> If the application was registered using **App registrations** then the single sign-on capability is configured to use OIDC OAuth by default. In this case, the **Single sign-on** option won't show in the navigation under **Enterprise applications**. When you use **App registrations** to add your custom app, you configure options in the manifest file. To learn more about the manifest file, see [Azure Active Directory app manifest](../develop/reference-app-manifest.md). To learn more about SSO standards, see [Authentication and authorization using Microsoft identity platform](../develop/authentication-vs-authorization.md#authentication-and-authorization-using-the-microsoft-identity-platform).
+> If the application was registered using **App registrations** then the single sign-on capability is configured to use OIDC OAuth by default. In this case, the **Single sign-on** option won't show in the navigation under **Enterprise applications**. When you use **App registrations** to add your custom app, you configure options in the manifest file. To learn more about the manifest file, see [Azure Active Directory app manifest](../develop/reference-app-manifest.md). To learn more about SSO standards, see [Authentication and authorization using Microsoft identity platform](../develop/authentication-vs-authorization.md#authentication-and-authorization-using-the-microsoft-identity-platform).
> > Other scenarios where **Single sign-on** will be missing from the navigation include when an application is hosted in another tenant or if your account does not have the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal). Permissions can also cause a scenario where you can open **Single sign-on** but won't be able to save. To learn more about Azure AD administrative roles, see (https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles). - ## Basic configuration In the [quickstart series](view-applications-portal.md), you learned how to add an app to your tenant, which lets Azure AD knows it's being used as the Identity Provider (IdP) for the app. Some apps are already pre-configured and they show in the Azure AD gallery. Other apps are not in the gallery and you have to create a generic app and configure it manually. Depending on the app, the password-based SSO option might not be available. If you don't see the Password-based option list on the single sign-on page for the app, then it is not available.
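Review bot: "which lets Azure AD knows it's being used as the Identity Provider" should be "know". The parenthesised bare URL "(https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles)" should be a Markdown link with text, as the linked-sign-on article in this batch now does. "If you don't see the Password-based option list on the single sign-on page" is also unclear; "the **Password-based** option in the list" is presumably what is meant. The terminating periods added to the two bullets bring them in line with the first bullet, which already had one.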
In the [quickstart series](view-applications-portal.md), you learned how to add
The configuration page for password-based SSO is simple. It includes only the URL of the sign-on page that the app uses. This string must be the page that includes the username input field. After you enter the URL, select **Save**. Azure AD parses the HTML of the sign-in page for username and password input fields. If the attempt succeeds, you're done.
-
Your next step is to [Assign users or groups to the application](./assign-user-or-group-access-portal.md). After you've assigned users and groups, you can provide credentials to be used for a user when they sign in to the application. Select **Users and groups**, select the checkbox for the user's or group's row, and then select **Update Credentials**. Finally, enter the username and password to be used for the user or group. If you don't, users will be prompted to enter the credentials themselves upon launch.
-
## Manual configuration If Azure AD's parsing attempt fails, you can configure sign-on manually.
-1. Under **\<application name> Configuration**, select **Configure \<application name> Password Single Sign-on Settings** to display the **Configure sign-on** page.
+1. Under **\<application name> Configuration**, select **Configure \<application name> Password Single Sign-on Settings** to display the **Configure sign-on** page.
2. Select **Manually detect sign-in fields**. Additional instructions describing the manual detection of sign-in fields appear.
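Review bot: The hunk removes the blank line after "If the attempt succeeds, you're done." and the one after the "Assign users or groups" paragraph with no replacement "+" line for either; if those were single blank lines the adjacent paragraphs now merge, so confirm a blank line still separates them in the result. The trailing-whitespace trim on the numbered step is fine.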
active-directory Configure Permission Classifications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-permission-classifications.md
To learn more:
* [Permissions and consent in the Microsoft identity platform](../develop/v2-permissions-and-consent.md) To get help or find answers to your questions:
-* [Azure AD on Microsoft Q&A](/answers/topics/azure-active-directory.html)
+
+* [Azure AD on Microsoft Q&A](/answers/topics/azure-active-directory.html)
active-directory Configure Saml Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-saml-single-sign-on.md
# Understand SAML-based single sign-on
-In the [quickstart series](view-applications-portal.md) on application management, you learned how to use Azure AD as the Identity Provider (IdP) for an application. This article goes into more detail about the SAML-based option for single sign-on.
-
+In the [quickstart series](view-applications-portal.md) on application management, you learned how to use Azure AD as the Identity Provider (IdP) for an application. This article goes into more detail about the SAML-based option for single sign-on.
## Before you begin
Using Azure AD as your Identity Provider (IdP) and configuring single sign-on (S
In the [quickstart series](add-application-portal-setup-sso.md), there's an article on configuring single sign-on. In it, you learn how to access the SAML configuration page for an app. The SAML configuration page includes five sections. These sections are discussed in detail in this article.
-> [!IMPORTANT]
-> There are some scenarios where the **Single sign-on** option will not be present in the navigation for an application in **Enterprise applications**.
+> [!IMPORTANT]
+> There are some scenarios where the **Single sign-on** option will not be present in the navigation for an application in **Enterprise applications**.
>
-> If the application was registered using **App registrations** then the single sign-on capability is configured to use OIDC OAuth by default. In this case, the **Single sign-on** option won't show in the navigation under **Enterprise applications**. When you use **App registrations** to add your custom app, you configure options in the manifest file. To learn more about the manifest file, see [Azure Active Directory app manifest](../develop/reference-app-manifest.md). To learn more about SSO standards, see [Authentication and authorization using Microsoft identity platform](../develop/authentication-vs-authorization.md#authentication-and-authorization-using-the-microsoft-identity-platform).
+> If the application was registered using **App registrations** then the single sign-on capability is configured to use OIDC OAuth by default. In this case, the **Single sign-on** option won't show in the navigation under **Enterprise applications**. When you use **App registrations** to add your custom app, you configure options in the manifest file. To learn more about the manifest file, see [Azure Active Directory app manifest](../develop/reference-app-manifest.md). To learn more about SSO standards, see [Authentication and authorization using Microsoft identity platform](../develop/authentication-vs-authorization.md#authentication-and-authorization-using-the-microsoft-identity-platform).
> > Other scenarios where **Single sign-on** will be missing from the navigation include when an application is hosted in another tenant or if your account does not have the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal). Permissions can also cause a scenario where you can open **Single sign-on** but won't be able to save. To learn more about Azure AD administrative roles, see (https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles). - ## Basic SAML configuration You should get the values from the application vendor. You can manually enter the values or upload a metadata file to extract the value of the fields.
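Review bot: The removed blank line sits directly between the intro paragraph and "## Before you begin", with no "+" line replacing it; make sure a blank line still precedes the heading, since the docs linter requires headings to be surrounded by blank lines. The bare URL in the IMPORTANT block, "(https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles)", should get link text as was done in the linked-sign-on article in this batch.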
You should get the values from the application vendor. You can manually enter th
| **Relay State** | Optional | Optional | Specifies to the application where to redirect the user after authentication is completed. Typically the value is a valid URL for the application. However, some applications use this field differently. For more information, ask the application vendor. | **Logout URL** | Optional | Optional | Used to send the SAML Logout responses back to the application.
-## User attributes and claims
+## User attributes and claims
-When a user authenticates to the application, Azure AD issues the application a SAML token with information (or claims) about the user that uniquely identifies them. By default, this information includes the user's username, email address, first name, and last name. You might need to customize these claims if, for example, the application requires specific claim values or a **Name** format other than username.
+When a user authenticates to the application, Azure AD issues the application a SAML token with information (or claims) about the user that uniquely identifies them. By default, this information includes the user's username, email address, first name, and last name. You might need to customize these claims if, for example, the application requires specific claim values or a **Name** format other than username.
> [!IMPORTANT] > Many apps are already pre-configured and in the app gallery and you don't need to worry about setting user and group claims. The [quickstart series](add-application-portal.md) walks you through adding and configuring apps. - The **Unique User Identifier (Name ID)** identifier value is a required claim and is important. The default value is *user.userprincipalname*. The user identifier uniquely identifies each user within the application. For example, if the email address is both the username and the unique identifier, set the value to *user.mail*. To learn more about customizing SAML claims, see [How to: customize claims issued in the SAML token for enterprise applications](../develop/active-directory-saml-claims-customization.md). You can add new claims, for details see [Adding application-specific claims](../develop/active-directory-saml-claims-customization.md#adding-application-specific-claims) or to add group claims, see [Configure group claims](../hybrid/how-to-connect-fed-group-claims.md). - > [!NOTE] > For additional ways to customize the SAML token from Azure AD to your application, see the following resources. >- To create custom roles via the Azure portal, see [Configure role claims](../develop/active-directory-enterprise-app-role-management.md).
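Review bot: "The **Unique User Identifier (Name ID)** identifier value is a required claim" repeats "identifier"; drop the second one. The *user.mail* example would be clearer with one sentence on why the source attribute matters: the application matches the NameID against its own user store, so the claim must be sourced from whatever attribute the application keys users on, which is why an app keyed on email needs *user.mail* instead of the default *user.userprincipalname*. The nested list inside the NOTE starts with ">- To create custom roles"; a space after ">" keeps it consistent with the other blockquote lines.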
Azure AD uses a certificate to sign the SAML tokens it sends to the application.
From Azure AD, you can download the active certificate in Base64 or Raw format directly from the main **Set up Single Sign-On with SAML** page. Also, you can get the active certificate by downloading the application metadata XML file or by using the App federation metadata URL. To view, create, or download your certificates (active or inactive), follow these steps.
-Some common things to check to verify a certificate include:
+Some common things to check to verify a certificate include:
+ - *The correct expiration date.* You can configure the expiration date for up to three years into the future. - *A status of active for the right certificate.* If the status is **Inactive**, change the status to **Active**. To change the status, right-click the certificate's row and select **Make certificate active**. - *The correct signing option and algorithm.*
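Review bot: The third checklist item, "*The correct signing option and algorithm.*", is the only one without guidance on what "correct" means, unlike the expiration and status items; point it at the [Advanced certificate signing options](certificate-signing-options.md) page that the certificate-editing list further down already links, so the reader knows what to compare against. The blank line added before the list is needed for it to render as a list.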
Sometimes you might need to download the certificate. Be careful where you save
> The application should be capable of handling Byte Order Marker present in the XML rendered when using https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={app-id}. Byte order mark is represented as a nonprintable ASCII character ┬╗┬┐ and in Hex it is represented as EF BB BF when reviewing the XML data. To make certificate changes, select the Edit button. There are several things you can do on the **SAML Signing Certificate** page:
- - Create a new certificate: select **New Certificate**, select the **Expiration Date**, and then select **Save**. To activate the certificate, select the context menu (**...**) and select **Make certificate active**.
- - Upload a certificate with private key and pfx credentials: select **Import Certificate** and browse to the certificate. Enter the **PFX Password**, and then select **Add**.
- - Configure advanced certificate signing. For more information on these options, see [Advanced certificate signing options](certificate-signing-options.md).
- - Notify additional people when the active certificate is near its expiration date: enter the email addresses in the **Notification email addresses** fields.
+
+- Create a new certificate: select **New Certificate**, select the **Expiration Date**, and then select **Save**. To activate the certificate, select the context menu (**...**) and select **Make certificate active**.
+- Upload a certificate with private key and pfx credentials: select **Import Certificate** and browse to the certificate. Enter the **PFX Password**, and then select **Add**.
+- Configure advanced certificate signing. For more information on these options, see [Advanced certificate signing options](certificate-signing-options.md).
+- Notify additional people when the active certificate is near its expiration date: enter the email addresses in the **Notification email addresses** fields.
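Review bot: The NOTE above this list describes the byte order mark as "a nonprintable ASCII character ┬╗┬┐"; the BOM is not an ASCII character, and the glyphs shown are mojibake of the three UTF-8 bytes EF BB BF that the same sentence already gives correctly. Reword to "the UTF-8 byte order mark (bytes EF BB BF), which may appear as stray characters at the start of the XML" and drop the garbled glyphs. In the list itself, "Upload a certificate with private key and pfx credentials" should match the field it refers to: "a PFX file containing the private key, then enter the **PFX Password**". Removing the extra leading space from the four bullets so they render as a top-level list is correct.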
## Set up the application to use Azure AD
For more information, see [Debug SAML-based single sign-on to applications in Az
- [Assign users or groups to the application](./assign-user-or-group-access-portal.md) - [Configure automatic user account provisioning](../app-provisioning/configure-automatic-user-provisioning-portal.md) - [Single Sign-On SAML protocol](../develop/single-sign-on-saml-protocol.md)+
active-directory Configure User Consent Groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-user-consent-groups.md
To learn more:
* [Permissions and consent in the Microsoft identity platform](../develop/v2-permissions-and-consent.md) To get help or find answers to your questions:
-* [Azure AD on Microsoft Q&A ](/answers/topics/azure-active-directory.html)
+
+* [Azure AD on Microsoft Q&A](/answers/topics/azure-active-directory.html)
active-directory Configure User Consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-user-consent.md
To learn more:
* [Permissions and consent in the Microsoft identity platform](../develop/v2-permissions-and-consent.md) To get help or find answers to your questions:
-* [Azure AD on Microsoft Q&A.](/answers/topics/azure-active-directory.html)
+
+* [Azure AD on Microsoft Q&A.](/answers/topics/azure-active-directory.html)
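Review bot: The link text keeps the trailing period inside the brackets, "[Azure AD on Microsoft Q&A.]", while the same line in the configure-user-consent-groups article in this batch was normalised to "[Azure AD on Microsoft Q&A]"; drop the period (or move it outside the link) so the consent articles match.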
active-directory Debug Saml Sso Issues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/debug-saml-sso-issues.md
# Debug SAML-based single sign-on to applications in Azure Active Directory
-Learn how to find and fix [single sign-on](what-is-single-sign-on.md) issues for applications in Azure Active Directory (Azure AD) that use SAML-based single sign-on.
+Learn how to find and fix [single sign-on](what-is-single-sign-on.md) issues for applications in Azure Active Directory (Azure AD) that use SAML-based single sign-on.
## Before you begin
To download and install the My Apps Secure Sign-in Extension, use one of the fol
To test SAML-based single sign-on between Azure AD and a target application: 1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator or other administrator that is authorized to manage applications.
-1. In the left blade, select **Azure Active Directory**, and then select **Enterprise applications**.
+1. In the left blade, select **Azure Active Directory**, and then select **Enterprise applications**.
1. From the list of enterprise applications, select the application for which you want to test single sign-on, and then from the options on the left select **Single sign-on**. 1. To open the SAML-based single sign-on testing experience, go to **Test single sign-on** (step 5). If the **Test** button is greyed out, you need to fill out and save the required attributes first in the **Basic SAML Configuration** section. 1. In the **Test single sign-on** blade, use your corporate credentials to sign in to the target application. You can sign in as the current user or as a different user. If you sign in as a different user, a prompt will ask you to authenticate.
If no resolution is provided for the sign-in error, we suggest that you use the
1. Verify the issuer in the SAML request is the same identifier you have configured for the application in Azure AD. Azure AD uses the issuer to find an application in your directory. 1. Verify AssertionConsumerServiceURL is where the application expects to receive the SAML token from Azure AD. You can configure this value in Azure AD, but it's not mandatory if it's part of the SAML request. - ## Resolve a sign-in error on the application page You might sign in successfully and then see an error on the application's page. This occurs when Azure AD issued a token to the application, but the application does not accept the response.
To resolve the error, follow these steps, or watch this [short video about how t
For more information on the SAML response, see [Single Sign-on SAML protocol](../develop/single-sign-on-saml-protocol.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json).
-1. Now that you have reviewed the SAML response, see [Error on an application's page after signing in](application-sign-in-problem-application-error.md) for guidance on how to resolve the problem.
+1. Now that you have reviewed the SAML response, see [Error on an application's page after signing in](application-sign-in-problem-application-error.md) for guidance on how to resolve the problem.
1. If you're still not able to sign in successfully, you can ask the application vendor what is missing from the SAML response. ## Next steps
active-directory End User Experiences https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/end-user-experiences.md
Which method(s) you choose to deploy in your organization is your discretion.
## Azure AD My Apps
-My Apps at https://myapps.microsoft.com is a web-based portal that allows an end user with an organizational account in Azure Active Directory to view and launch applications to which they have been granted access by the Azure AD administrator. If you are an end user with [Azure Active Directory Premium](https://azure.microsoft.com/pricing/details/active-directory/), you can also utilize self-service group management capabilities through My Apps.
+My Apps at <https://myapps.microsoft.com> is a web-based portal that allows an end user with an organizational account in Azure Active Directory to view and launch applications to which they have been granted access by the Azure AD administrator. If you are an end user with [Azure Active Directory Premium](https://azure.microsoft.com/pricing/details/active-directory/), you can also utilize self-service group management capabilities through My Apps.
-By default, all applications are listed together on a single page. But you can use collections to group together related applications and present them on a separate tab, making them easier to find. For example, you can use collections to create logical groupings of applications for specific job roles, tasks, projects, and so on. For information, see [Create collections on the My Apps portal](access-panel-collections.md).
+By default, all applications are listed together on a single page. But you can use collections to group together related applications and present them on a separate tab, making them easier to find. For example, you can use collections to create logical groupings of applications for specific job roles, tasks, projects, and so on. For information, see [Create collections on the My Apps portal](access-panel-collections.md).
My Apps is separate from the Azure portal and does not require users to have an Azure subscription or Microsoft 365 subscription.
These links use the same access control mechanisms as My Apps and Microsoft 365,
* [Quickstart Series on Application Management](view-applications-portal.md) * [What is single sign-on?](what-is-single-sign-on.md)
-* [Integrating Azure Active Directory with applications getting started guide](plan-an-application-integration.md)
+* [Integrating Azure Active Directory with applications getting started guide](plan-an-application-integration.md)
active-directory F5 Aad Integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/f5-aad-integration.md
Title: Azure AD secure hybrid access with F5 | Microsoft Docs description: F5 BIG-IP Access Policy Manager and Azure Active Directory integration for Secure Hybrid Access -+ Last updated 11/12/2020-+
and [Certificate-based authentication](../authentication/active-directory-certif
- [Identity Protection](../identity-protection/overview-identity-protection.md) - Adaptive control through user and session risk profiling - - [Leaked credential detection](../identity-protection/concept-identity-protection-risks.md) - [Self-service password reset (SSPR)](../authentication/tutorial-enable-sspr.md)
Integrating F5 BIG-IP with Azure AD for SHA have the following pre-requisites:
- An active F5 BIG-IP APM license, through one of the following options:
- - F5 BIG-IP® Best bundle (or)
+ - F5 BIG-IP® Best bundle (or)
- - F5 BIG-IP Access Policy ManagerΓäó standalone license
+ - F5 BIG-IP Access Policy ManagerΓäó standalone license
- - F5 BIG-IP Access Policy Manager™ (APM) add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)
+ - F5 BIG-IP Access Policy Manager™ (APM) add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)
- - A 90-day BIG-IP Access Policy ManagerΓäó (APM) [trial license](https://www.f5.com/trial/big-ip-trial.php)
+ - A 90-day BIG-IP Access Policy ManagerΓäó (APM) [trial license](https://www.f5.com/trial/big-ip-trial.php)
- Azure AD licensing through either of the following options:
- - An Azure AD [free subscription](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription#:~:text=%20Register%20your%20free%20Azure%20Active%20Directory%20subscription,will%20take%20you%20to%20the%20Azure...%20More%20) provides the minimum core requirements for implementing SHA with password-less authentication
+ - An Azure AD [free subscription](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription#:~:text=%20Register%20your%20free%20Azure%20Active%20Directory%20subscription,will%20take%20you%20to%20the%20Azure...%20More%20) provides the minimum core requirements for implementing SHA with password-less authentication
- - A [Premium subscription](https://azure.microsoft.com/pricing/details/active-directory/) provides all additional value adds outlined in the preface, including [Conditional Access](../conditional-access/overview.md), [MFA](../authentication/concept-mfa-howitworks.md), and [Identity Protection](../identity-protection/overview-identity-protection.md)
+ - A [Premium subscription](https://azure.microsoft.com/pricing/details/active-directory/) provides all additional value adds outlined in the preface, including [Conditional Access](../conditional-access/overview.md), [MFA](../authentication/concept-mfa-howitworks.md), and [Identity Protection](../identity-protection/overview-identity-protection.md)
No previous experience or F5 BIG-IP knowledge is necessary to implement SHA, but we do recommend familiarizing yourself with F5 BIG-IP terminology. F5ΓÇÖs rich [knowledge base](https://www.f5.com/services/resources/glossary) is also a good place to start building BIG-IP knowledge.
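Review bot: the free-subscription link in the Azure AD licensing list uses a text-fragment anchor (`#:~:text=%20Register%20your%20free...`), which stops locating the section as soon as the target page's wording changes and is ignored by browsers without text-fragment support; link to the section's heading anchor instead. In the same hunk the trademark symbol is encoded inconsistently: the `+` lines for the standalone and trial licenses still carry the mis-encoded `Γäó`, while the add-on license line has `™`, and `F5ΓÇÖs` in the closing paragraph has the same problem; normalize the file to UTF-8 `™` and `'` so the pairs of `-`/`+` lines actually differ in something a reader can see.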
active-directory F5 Aad Password Less Vpn https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/f5-aad-password-less-vpn.md
Open a browser on a remote Windows client and browse to the url of the **BIG-IP
![Image shows vpn launcher](media/f5-sso-vpn/vpn-launcher.png) Selecting the VPN tile will install the BIG-IP Edge client and establish a VPN connection configured for SHA.
-The F5 VPN application should also be visible as a target resource in Azure AD Conditional Access. See our [guidance](../conditional-access/concept-conditional-access-policies.md) for building Conditional Access policies and also enabling users for Azure AD [password-less authentication](https://www.microsoft.com/security/business/identity/passwordless).
+The F5 VPN application should also be visible as a target resource in Azure AD Conditional Access. See our [guidance](../conditional-access/concept-conditional-access-policies.md) for building Conditional Access policies and also enabling users for Azure AD [password-less authentication](https://www.microsoft.com/security/business/identity/passwordless).
active-directory F5 Bigip Deployment Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/f5-bigip-deployment-guide.md
Once ready, confirm you can connect to the BIG-IP VMΓÇÖs web config and login wi
- If you are connecting from a VM on its internal network or via VPN, connect directly to the BIG-IPs primary IP and web config port. For example, `https://<BIG-IP-VM_Primary_IP:8443`. Your browser will prompt about the connection being insecure, but you can ignore the prompt until the BIG-IP is configured. If the browser insists on blocking access, clear its cache, and try again. -- If you published the web config via Application Proxy, then use the URL defined to access the web config externally, without appending the port, for example, `https://big-ip-vm.contoso.com`. The internal URL must be defined using the web config port, for example, `https://big-ip-vm.contoso.com:8443`
+- If you published the web config via Application Proxy, then use the URL defined to access the web config externally, without appending the port, for example, `https://big-ip-vm.contoso.com`. The internal URL must be defined using the web config port, for example, `https://big-ip-vm.contoso.com:8443`
A BIG-IP system can also be managed via its underlying SSH environment, which is typically used for command-line (CLI) tasks and root level access. Several options exist for connecting to the CLI, including:
Get-AzVmSnapshot -ResourceGroupName '<E.g.contoso-RG>' -VmName '<E.g.BIG-IP-VM>'
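Review bot: the internal-network example URL `https://<BIG-IP-VM_Primary_IP:8443` leaves the placeholder unclosed; it should read `https://<BIG-IP-VM_Primary_IP>:8443` so the port is visibly outside the placeholder, consistent with `https://big-ip-vm.contoso.com:8443` in the next bullet. The same bullet tells readers to ignore the browser's insecure-connection prompt "until the BIG-IP is configured"; it would help to say which later step replaces the default certificate, so that clicking through the warning is clearly a temporary measure on the internal network or VPN path and not the standing instruction.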
## Additional resources -- [Reset BIG-IP VE password in Azure](https://clouddocs.f5.com/cloud/public/v1/shared/azure_passwordreset.html)
- - [Reset the password without using the portal](https://clouddocs.f5.com/cloud/public/v1/shared/azure_passwordreset.html#reset-the-password-without-using-the-portal)
+- [Reset BIG-IP VE password in Azure](https://clouddocs.f5.com/cloud/public/v1/shared/azure_passwordreset.html)
+- [Reset the password without using the portal](https://clouddocs.f5.com/cloud/public/v1/shared/azure_passwordreset.html#reset-the-password-without-using-the-portal)
-- [Change the NIC used for BIG-IP VE management](https://clouddocs.f5.com/cloud/public/v1/shared/change_mgmt_nic.html)
+- [Change the NIC used for BIG-IP VE management](https://clouddocs.f5.com/cloud/public/v1/shared/change_mgmt_nic.html)
-- [About routes in a single NIC configuration](https://clouddocs.f5.com/cloud/public/v1/shared/routes.html)
+- [About routes in a single NIC configuration](https://clouddocs.f5.com/cloud/public/v1/shared/routes.html)
-- [Microsoft Azure: Waagent](https://clouddocs.f5.com/cloud/public/v1/azure/Azure_waagent.html)
+- [Microsoft Azure: Waagent](https://clouddocs.f5.com/cloud/public/v1/azure/Azure_waagent.html)
## Next steps
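Review bot: promoting "Reset the password without using the portal" to a top-level bullet drops the nesting that showed it is a sub-section of "Reset BIG-IP VE password in Azure" (its URL is the same page plus the `#reset-the-password-without-using-the-portal` anchor); either keep it indented under the parent link or fold it into the parent entry's text so the list does not present one page as two resources.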
active-directory Get It Now Azure Marketplace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/get-it-now-azure-marketplace.md
# Get It Now - add an app from the Azure Marketplace
-You are almost there!
+You are almost there!
If you are trying to use Azure AD as the identity provider for an app then you are in the right place. You just need to add it to your Azure AD tenant. To learn how to do this, follow the quickstart series here: [View apps in your Azure AD tenant](view-applications-portal.md).
active-directory Grant Admin Consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/grant-admin-consent.md
You can grant tenant-wide admin consent through *Enterprise applications* if the
To grant tenant-wide admin consent to an app listed in **Enterprise applications**:
-1. Sign in to the [Azure portal](https://portal.azure.com) with a role that allows granting admin consent (see [Prerequisites](#prerequisites)).
+1. Sign in to the [Azure portal](https://portal.azure.com) with a role that allows granting admin consent (see [Prerequisites](#prerequisites)).
2. Select **Azure Active Directory** then **Enterprise applications**. 3. Select the application to which you want to grant tenant-wide admin consent. 4. Select **Permissions** and then click **Grant admin consent**.
To grant tenant-wide admin consent to an app listed in **Enterprise applications
6. If you agree with the permissions the application requires, grant consent. If not, click **Cancel** or close the window. > [!WARNING]
-> Granting tenant-wide admin consent through **Enterprise apps** will revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.
+> Granting tenant-wide admin consent through **Enterprise apps** will revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.
### Grant admin consent in App registrations
To grant tenant-wide admin consent from **App registrations**:
6. If you agree with the permissions the application requires, grant consent. If not, click **Cancel** or close the window. > [!WARNING]
-> Granting tenant-wide admin consent through **App registrations** will revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.
+> Granting tenant-wide admin consent through **App registrations** will revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.
## Construct the URL for granting tenant-wide admin consent
where:
As always, carefully review the permissions an application requests before granting consent. > [!WARNING]
-> Granting tenant-wide admin consent through this URL will revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.
+> Granting tenant-wide admin consent through this URL will revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.
## Next steps
active-directory Hide Application From User Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/hide-application-from-user-portal.md
# Hide Enterprise applications from end-users in Azure Active Directory
-Instructions for how to hide applications from end-users' MyApps panel or Microsoft 365 launcher. When an application is hidden, users still have permissions to the application.
+Instructions for how to hide applications from end-users' MyApps panel or Microsoft 365 launcher. When an application is hidden, users still have permissions to the application.
## Prerequisites
Application administrator privileges are required to hide an application from th
Global administrator privileges are required to hide all Microsoft 365 applications. - ## Hide an application from the end user+ Use the following steps to hide an application from MyApps panel and Microsoft 365 application launcher.
-1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator for your directory.
-2. Select **Azure Active Directory**.
-3. Select **Enterprise applications**. The **Enterprise applications - All applications** blade opens.
-4. Under **Application Type**, select **Enterprise Applications**, if it isn't already selected.
-5. Search for the application you want to hide, and click the application. The application's overview opens.
-6. Click **Properties**.
-7. For the **Visible to users?** question, click **No**.
-8. Click **Save**.
+1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator for your directory.
+2. Select **Azure Active Directory**.
+3. Select **Enterprise applications**. The **Enterprise applications - All applications** blade opens.
+4. Under **Application Type**, select **Enterprise Applications**, if it isn't already selected.
+5. Search for the application you want to hide, and click the application. The application's overview opens.
+6. Click **Properties**.
+7. For the **Visible to users?** question, click **No**.
+8. Click **Save**.
> [!NOTE] > These instructions apply only to Enterprise applications. ## Use Azure AD PowerShell to hide an application
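Review bot: step 1 of "Hide an application from the end user" tells the reader to sign in as the global administrator, but the Prerequisites section just above states that application administrator privileges are what is required to hide an application, with global administrator needed only to hide all Microsoft 365 applications; align step 1 with the prerequisites, for example "as an application administrator (or a higher role)", so the procedure does not push readers toward the most privileged account. The re-indented steps themselves are a whitespace-only change.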
-To hide an application from the MyApps panel, you can manually add the HideApp tag to the service principal for the application. Run the following [AzureAD PowerShell](/powershell/module/azuread/#service_principals) commands to set the application's **Visible to Users?** property to **No**.
+To hide an application from the MyApps panel, you can manually add the HideApp tag to the service principal for the application. Run the following [AzureAD PowerShell](/powershell/module/azuread/#service_principals) commands to set the application's **Visible to Users?** property to **No**.
```PowerShell Connect-AzureAD
Set-AzureADServicePrincipal -ObjectId $objectId -Tags $tags
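Review bot: `Set-AzureADServicePrincipal -ObjectId $objectId -Tags $tags` replaces the service principal's whole tag collection with `$tags`, while the paragraph describes adding the HideApp tag; unless `$tags` is built from the current `Tags` value with `HideApp` appended, every other tag on the service principal is lost. The snippet should show reading the existing tags first, e.g. `$tags = @((Get-AzureADServicePrincipal -ObjectId $objectId).Tags) + 'HideApp'`, before the `Set-AzureADServicePrincipal` call.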
Use the following steps to hide all Microsoft 365 applications from the MyApps panel. The applications are still visible in the Office 365 portal.
-1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator for your directory.
-2. Select **Azure Active Directory**.
-3. Select **Users**.
-4. Select **User settings**.
-5. Under **Enterprise applications**, click **Manage how end users launch and view their applications.**
-6. For **Users can only see Office 365 apps in the Office 365 portal**, click **Yes**.
-7. Click **Save**.
+1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator for your directory.
+2. Select **Azure Active Directory**.
+3. Select **Users**.
+4. Select **User settings**.
+5. Under **Enterprise applications**, click **Manage how end users launch and view their applications.**
+6. For **Users can only see Office 365 apps in the Office 365 portal**, click **Yes**.
+7. Click **Save**.
## Next steps+ * [See all my groups](../fundamentals/active-directory-groups-view-azure-portal.md) * [Assign a user or group to an enterprise app](assign-user-or-group-access-portal.md) * [Remove a user or group assignment from an enterprise app](./assign-user-or-group-access-portal.md)
active-directory Howto Saml Token Encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/howto-saml-token-encryption.md
SAML token encryption enables the use of encrypted SAML assertions with an appli
Encrypting the SAML assertions between Azure AD and the application provides additional assurance that the content of the token can't be intercepted, and personal or corporate data compromised.
-Even without token encryption, Azure AD SAML tokens are never passed on the network in the clear. Azure AD requires token request/response exchanges to take place over encrypted HTTPS/TLS channels so that communications between the IDP, browser, and application take place over encrypted links. Consider the value of token encryption for your situation compared with the overhead of managing additional certificates.
+Even without token encryption, Azure AD SAML tokens are never passed on the network in the clear. Azure AD requires token request/response exchanges to take place over encrypted HTTPS/TLS channels so that communications between the IDP, browser, and application take place over encrypted links. Consider the value of token encryption for your situation compared with the overhead of managing additional certificates.
To configure token encryption, you need to upload an X.509 certificate file that contains the public key to the Azure AD application object that represents the application. To obtain the X.509 certificate, you can download it from the application itself, or get it from the application vendor in cases where the application vendor provides encryption keys or in cases where the application expects you to provide a private key, it can be created using cryptography tools, the private key portion uploaded to the applicationΓÇÖs key store and the matching public key certificate uploaded to Azure AD.
When you configure a keyCredential using Graph, PowerShell, or in the applicatio
## Next steps * Find out [How Azure AD uses the SAML protocol](../develop/active-directory-saml-protocol-reference.md)
-* Learn the format, security characteristics, and contents of [SAML tokens in Azure AD](../develop/reference-saml-tokens.md)
+* Learn the format, security characteristics, and contents of [SAML tokens in Azure AD](../develop/reference-saml-tokens.md)
active-directory Manage App Consent Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-app-consent-policies.md
To learn more:
* [Permissions and consent in the Microsoft identity platform](../develop/v2-permissions-and-consent.md) To get help or find answers to your questions:
-* [Azure AD on Microsoft Q&A](/answers/products/)
+
+* [Azure AD on Microsoft Q&A](/answers/products/)
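Review bot: this `+` line points "Azure AD on Microsoft Q&A" at the generic `/answers/products/` landing page, whereas the same item in configure-user-consent.md and configure-user-consent-groups.md earlier in this digest links to `/answers/topics/azure-active-directory.html`; use the topic link here as well so readers land on the Azure AD questions directly.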
active-directory Manage Application Permissions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-application-permissions.md
Optionally, you can disable the application to keep users from accessing the app
We recommend that you restrict access to the application by turning on the **User assignment** setting. Then review the permissions that users and admins have granted to the application. 1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator, an application administrator, or a cloud application administrator.
-3. Select **Azure Active Directory** > **Enterprise applications**.
-5. Select the application that you want to restrict access to.
-6. Select **Properties**, and then set **User requirement required** to **Yes**.
-7. Select **Permissions**, and review the admin and user consented permissions.
+2. Select **Azure Active Directory** > **Enterprise applications**.
+3. Select the application that you want to restrict access to.
+4. Select **Properties**, and then set **User requirement required** to **Yes**.
+5. Select **Permissions**, and review the admin and user consented permissions.
Optionally, by using PowerShell, you can:
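Review bot: the renumbering to 1-5 fixes the gaps in the step numbers, but step 4 still names the setting **User requirement required**, which does not match the **User assignment** setting the intro paragraph says to turn on; the property's label in the portal is **User assignment required?**, so step 4 should read "set **User assignment required?** to **Yes**".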
active-directory Manage Consent Requests https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-consent-requests.md
# Managing consent to applications and evaluating consent requests
-Microsoft [restricting user consent](../../active-directory/manage-apps/configure-user-consent.md) to allow users to consent for only for app from verified publishers, and only for permissions you select. For apps which do not meet this policy, the decision-making process will be centralized with your organization's security and identity administrator team.
+Microsoft recommends [restricting user consent](../../active-directory/manage-apps/configure-user-consent.md) to allow users to consent for only for app from verified publishers, and only for permissions you select. For apps which do not meet this policy, the decision-making process will be centralized with your organization's security and identity administrator team.
After end-user consent is disabled or restricted, there are several important considerations to ensure your organization stays secure while still allowing business critical applications to be used. These steps are crucial to minimize impact on your organization's support team and IT administrators, while preventing the use of unmanaged accounts in third-party applications.
The following list provides some recommendations to consider when evaluating a r
## Granting consent as an administrator ### Granting tenant-wide admin consent+ See [Grant tenant-wide admin consent to an application](grant-admin-consent.md) for step-by-step instructions for granting tenant-wide admin consent from the Azure portal, using Azure AD PowerShell, or from the consent prompt itself. ### Granting consent on behalf of a specific user+ Instead of granting consent for the entire organization, an administrator can also use the [Microsoft Graph API](/graph/use-the-api) to grant consent to delegated permissions on behalf of a single user. For more information, see [Get access on behalf of a user](/graph/auth-v2-user). ## Limiting user access to applications+ Users' access to applications can still be limited even when tenant-wide admin consent has been granted. For more information on how to require user assignment to an application, see [methods for assigning users and groups](./assign-user-or-group-access-portal.md). For more a broader overview including how to handle additional complex scenarios, see [using Azure AD for application access management](what-is-access-management.md).
+## Disable all future user consent operations to any application
+
+Disabling user consent for your entire directory prevent end users from consenting to any application. Administrators can still consent on userΓÇÖs behalf. To learn more about application consent, and why you may or may not want to consent, read [Understanding user and admin consent](../develop/howto-convert-app-to-be-multi-tenant.md).
+
+To disable all future user consent operations in your entire directory, follow these steps:
+
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
+3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
+4. Select **Users and groups** in the navigation menu.
+5. Select **User settings**.
+6. Disable all future user consent operations by setting the **Users can allow apps to access their data** toggle to **No** and click the **Save** button.
+ ## Next steps+ * [Five steps to securing your identity infrastructure](../../security/fundamentals/steps-secure-identity.md#before-you-begin-protect-privileged-accounts-with-mfa) * [Configure the admin consent workflow](configure-admin-consent-workflow.md) * [Configure how end-users consent to applications](configure-user-consent.md)
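Review bot: the new "Disable all future user consent operations to any application" section duplicates the procedure that methods-for-removing-user-access.md already carries later in this digest, with a different navigation path (**Users and groups** > **User settings** here versus **Enterprise applications** > **User settings** there) and a different toggle label (**Users can allow apps to access their data** here versus **Users can allow apps to access company data on their behalf** there); at least one of the two is stale, so verify against the portal and either link to the existing article or keep both in sync. Smaller fixes in the same hunk: "prevent end users" should be "prevents end users"; the apostrophe in "userΓÇÖs" and the quotation marks in "**ΓÇ£Azure Active Directory**ΓÇ¥" are mis-encoded and the quotes straddle the bold markers, so write **Azure Active Directory** without quotation marks; the link text "Understanding user and admin consent" points at howto-convert-app-to-be-multi-tenant.md, which by its name is the multi-tenant conversion guide, so confirm that is the intended target; and in the edited intro sentence "consent for only for app from verified publishers" should read "consent only for apps from verified publishers".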
active-directory Manage Self Service Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/manage-self-service-access.md
# How to configure self-service application assignment
-Before your users can self-discover applications from their My Apps, you need to enable **Self-service application access** to any applications that you wish to allow users to self-discover and request access to. This functionality is available for applications that were added from the [Azure AD Gallery](./add-application-portal.md), [Azure AD Application Proxy](../app-proxy/application-proxy.md) or were added via [user or admin consent](../develop/application-consent-experience.md).
+Before your users can self-discover applications from their My Apps, you need to enable **Self-service application access** to any applications that you wish to allow users to self-discover and request access to. This functionality is available for applications that were added from the [Azure AD Gallery](./add-application-portal.md), [Azure AD Application Proxy](../app-proxy/application-proxy.md) or were added via [user or admin consent](../develop/application-consent-experience.md).
This feature is a great way for you to save time and money as an IT group, and is highly recommended as part of a modern applications deployment with Azure Active Directory. Using this feature, you can: -- Let users self-discover applications from the [My Apps](https://myapps.microsoft.com/) without bothering the IT group.
+- Let users self-discover applications from the [My Apps](https://myapps.microsoft.com/) without bothering the IT group.
-- Add those users to a pre-configured group so you can see who has requested access, remove access, and manage the roles assigned to them.
+- Add those users to a pre-configured group so you can see who has requested access, remove access, and manage the roles assigned to them.
-- Optionally allow a business approver to approve application access requests so the IT group doesnΓÇÖt have to.
+- Optionally allow a business approver to approve application access requests so the IT group doesnΓÇÖt have to.
-- Optionally configure up to 10 individuals who may approve access to this application.
+- Optionally configure up to 10 individuals who may approve access to this application.
-- Optionally allow a business approver to set the passwords those users can use to sign in to the application, right from the business approverΓÇÖs [My Apps](https://myapps.microsoft.com/).
+- Optionally allow a business approver to set the passwords those users can use to sign in to the application, right from the business approverΓÇÖs [My Apps](https://myapps.microsoft.com/).
-- Optionally automatically assign self-service assigned users to an application role directly.
+- Optionally automatically assign self-service assigned users to an application role directly.
> [!NOTE] > An Azure Active Directory Premium (P1 or P2) license is required for users to request to join a self-service app and for owners to approve or deny requests. Without an Azure Active Directory Premium license, users cannot add self-service apps.
To enable self-service application access to an application, follow the steps be
Once you complete Self-service application configuration, users can navigate to their [My Apps](https://myapps.microsoft.com/) and click the **Add self-service apps** button to find the apps that are enable with self-service access. Business approvers also see a notification in their [My Apps](https://myapps.microsoft.com/). You can enable an email notifying them when a user has requested access to an application that requires their approval. ## Next steps
-[Setting up Azure Active Directory for self-service group management](../enterprise-users/groups-self-service-management.md)
+
+[Setting up Azure Active Directory for self-service group management](../enterprise-users/groups-self-service-management.md)
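Review bot: the added blank line before the link is needed; without it the link renders fused onto the heading, as the context line above shows ("...requires their approval. ## Next steps"). No content change.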
active-directory Methods For Removing User Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/methods-for-removing-user-access.md
Disabling user consent for your entire directory prevent end users from consenti
To **disable all future user consent operations in your entire directory**, follow these instructions:
-1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
+1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
-2. Open the **Azure Active Directory Extension**
+2. Open the **Azure Active Directory Extension**
-3. Click **Enterprise applications** in the navigation menu.
+3. Click **Enterprise applications** in the navigation menu.
-5. Click **User settings**.
-
-6. Set the **Users can allow apps to access company data on their behalf** toggle to **No** and click the Save button.
+4. Click **User settings**.
+5. Set the **Users can allow apps to access company data on their behalf** toggle to **No** and click the Save button.
## Next steps
-[Managing access to apps](what-is-access-management.md)
+[Managing access to apps](what-is-access-management.md)
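Review bot: the renumbering fixes the jump from step 3 to step 5, but the procedure still only covers future consent: the lead-in says "disable all future user consent operations", and nothing in the steps tells the reader that grants users have already made stay in effect and must be revoked separately, which matters on a page titled "Methods for removing user access". Suggest one sentence after step 5 pointing at removing existing permission grants. Minor: step 2's "Open the **Azure Active Directory Extension**" does not match the navigation style of steps 3 to 5 ("Click **Enterprise applications**", "Click **User settings**"); "Azure Active Directory" is what the portal menu shows.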
active-directory Migrate Adfs Application Activity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migrate-adfs-application-activity.md
The AD FS application activity data is available to users who are assigned any o
* Your organization must be currently using AD FS to access applications. * Azure AD Connect Health must be enabled in your Azure AD tenant. * The Azure AD Connect Health for AD FS agent must be installed.
- * [Learn more about Azure AD Connect Health](../hybrid/how-to-connect-health-adfs.md)
- * [Get started with setting up Azure AD Connect Health and install the AD FS agent](../hybrid/how-to-connect-health-agent-install.md)
+* [Learn more about Azure AD Connect Health](../hybrid/how-to-connect-health-adfs.md)
+* [Get started with setting up Azure AD Connect Health and install the AD FS agent](../hybrid/how-to-connect-health-agent-install.md)
->[!IMPORTANT]
+>[!IMPORTANT]
>There are a couple reasons you won't see all the applications you are expecting after you have installed Azure AD Connect Health. The AD FS application activity report only shows AD FS relying parties with user logins in the last 30 days. Also, the report won't display Microsoft related relying parties such as Office 365.
-## Discover AD FS applications that can be migrated
+## Discover AD FS applications that can be migrated
-The AD FS application activity report is available in the Azure portal under Azure AD **Usage & insights** reporting. The AD FS application activity report analyzes each AD FS application to determine if it can be migrated as-is, or if additional review is needed.
+The AD FS application activity report is available in the Azure portal under Azure AD **Usage & insights** reporting. The AD FS application activity report analyzes each AD FS application to determine if it can be migrated as-is, or if additional review is needed.
1. Sign in to the [Azure portal](https://portal.azure.com) with an admin role that has access to AD FS application activity data (global administrator, report reader, security reader, application administrator, or cloud application administrator).
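Review bot: de-indenting the two links (the "- *" to "+*" lines) turns what were sub-items of "The Azure AD Connect Health for AD FS agent must be installed" into peer prerequisites; that reads fine, but the `[!IMPORTANT]` block just below is where the security-relevant caveat lives and it is understated. "The AD FS application activity report only shows AD FS relying parties with user logins in the last 30 days" means a relying party with no recent sign-ins is still a live trust on the farm and simply invisible here. Say that the report is a usage view, not an inventory, and that dormant relying-party trusts must be enumerated on AD FS itself (for example with `Get-AdfsRelyingPartyTrust`) before AD FS is decommissioned.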
The AD FS application activity report is available in the Azure portal under Azu
* **Additional steps required** means Azure AD doesn't support some of the application's settings, so the application canΓÇÖt be migrated in its current state.
-## Evaluate the readiness of an application for migration
+## Evaluate the readiness of an application for migration
1. In the AD FS application activity list, click the status in the **Migration status** column to open migration details. You'll see a summary of the configuration tests that passed, along with any potential migration issues.
The following table lists all claim rule tests that are performed on AD FS appli
### Can't see all my AD FS applications in the report If you have installed Azure AD Connect health but you still see the prompt to install it or you don't see all your AD FS applications in the report it may be that you don't have active AD FS applications or your AD FS applications are microsoft application.
-
- The AD FS application activity report lists all the AD FS applications in your organization with active users sign-in in the last 30 days. Also, the report doesn't display microsoft related relying parties in AD FS such as Office 365. For example, relying parties with name 'urn:federation:MicrosoftOnline', 'microsoftonline', 'microsoft:winhello:cert:prov:server' won't show up in the list.
---
+ The AD FS application activity report lists all the AD FS applications in your organization with active users sign-in in the last 30 days. Also, the report doesn't display microsoft related relying parties in AD FS such as Office 365. For example, relying parties with name 'urn:federation:MicrosoftOnline', 'microsoftonline', 'microsoft:winhello:cert:prov:server' won't show up in the list.
## Next steps -- [Video: How to use the AD FS activity report to migrate an application](https://www.youtube.com/watch?v=OThlTA239lU)-- [Managing applications with Azure Active Directory](what-is-application-management.md)-- [Manage access to apps](what-is-access-management.md)-- [Azure AD Connect federation](../hybrid/how-to-connect-fed-whatis.md)
+* [Video: How to use the AD FS activity report to migrate an application](https://www.youtube.com/watch?v=OThlTA239lU)
+* [Managing applications with Azure Active Directory](what-is-application-management.md)
+* [Manage access to apps](what-is-access-management.md)
+* [Azure AD Connect federation](../hybrid/how-to-connect-fed-whatis.md)
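Review bot: rebuilding the fused "## Next steps -- [Video...]-- [Managing...]" run into four `*` bullets is correct, and dropping the stray `---` rule and the leading space on "The AD FS application activity report lists all the AD FS applications..." keeps the troubleshooting paragraph attached to its heading. One residual in the re-emitted `+` line: the relying-party names ('urn:federation:MicrosoftOnline', 'microsoftonline', 'microsoft:winhello:cert:prov:server') are identifiers and belong in backticks, not single quotes, so they are not localized or smart-quoted in rendering.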
active-directory Migrate Adfs Apps To Azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migrate-adfs-apps-to-azure.md
The following require additional configuration steps to migrate to Azure AD:
* Apps with multiple Reply URL endpoints. You configure them in Azure AD using PowerShell or the Azure portal interface. * WS-Federation apps such as SharePoint apps that require SAML version 1.1 tokens. You can configure them manually using PowerShell. You can also add a pre-integrated generic template for SharePoint and SAML 1.1 applications from the gallery. We support the SAML 2.0 protocol. * Complex claims issuance transforms rules. For information about supported claims mappings, see:
- * [Claims mapping in Azure Active Directory](../develop/active-directory-claims-mapping.md).
- * [Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory](../develop/active-directory-saml-claims-customization.md).
+ * [Claims mapping in Azure Active Directory](../develop/active-directory-claims-mapping.md).
+ * [Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory](../develop/active-directory-saml-claims-customization.md).
### Apps and configurations not supported in Azure AD today
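Review bot: indentation-only change to the two claims-mapping links under "Complex claims issuance transforms rules"; fine. The bullet above it, "WS-Federation apps such as SharePoint apps that require SAML version 1.1 tokens...", packs three separate statements into one item (manual PowerShell configuration, the gallery template, and "We support the SAML 2.0 protocol"), and the last sentence reads as if it contradicts the first. Split the bullet and state the relationship between the SAML 1.1 token requirement and SAML 2.0 support explicitly.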
Specify MFA rules for a user or a group in Azure AD:
ΓÇÄ![Screenshot shows the Grant pane where you can grant access.](media/migrate-adfs-apps-to-azure/mfa-users-groups.png)
- #### Example 2: Enforce MFA for unregistered devices
+#### Example 2: Enforce MFA for unregistered devices
Specify MFA rules for unregistered devices in Azure AD:
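Review bot: removing the leading space before "#### Example 2: Enforce MFA for unregistered devices" is right. The context line before it starts with "ΓÇÄ![Screenshot shows the Grant pane...": that prefix is a mis-encoded U+200E left-to-right mark sitting in front of the image reference in the source, and it should be deleted while this block is being edited.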
This group of users is usually the most critically impacted in case of issues. T
* Read [Migrating application authentication to Azure AD](https://aka.ms/migrateapps/whitepaper). * Set up [Conditional Access](../conditional-access/overview.md) and [MFA](../authentication/concept-mfa-howitworks.md).
-* Try a step-wise code sample:[AD FS to Azure AD application migration playbook for developers](https://aka.ms/adfsplaybook).
+* Try a step-wise code sample:[AD FS to Azure AD application migration playbook for developers](https://aka.ms/adfsplaybook).
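Review bot: the `+` line keeps the missing space in "code sample:[AD FS to Azure AD application migration playbook for developers]"; since the line is being rewritten anyway, add the space after the colon.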
active-directory Migrate Application Authentication To Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory.md
Economics and security benefits drive organizations to adopt Azure AD, but full
- Reduce administrative overhead by managing only a single identity for each user across cloud and on-premises environments: - [Automate provisioning](../app-provisioning/user-provisioning.md) of user accounts (in [Azure AD Gallery](https://azuremarketplace.microsoft.com/marketplace/apps/category/azure-active-directory-apps))based on Azure AD identities
- - Access all your apps from MyApps panel in the [Azure portal ](https://portal.azure.com/)
+ - Access all your apps from MyApps panel in the [Azure portal](https://portal.azure.com/)
- Enable developers to secure access to their apps and improve the end-user experience by using the [Microsoft Identity Platform](../develop/v2-overview.md) with the Microsoft Authentication Library (MSAL).
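Review bot: the fix drops the stray space in "[Azure portal ](https://portal.azure.com/)", which otherwise renders as link text with a trailing space. The preceding context line has the mirror-image problem, "...azure-active-directory-apps))based on Azure AD identities", a missing space after the closing parenthesis; fix it in the same commit.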
Once you have migrated the apps, you can enrich your userΓÇÖs experience in many
**Point your user** to the [MyApps](../user-help/my-apps-portal-end-user-access.md#download-and-install-the-my-apps-secure-sign-in-extension)portal experience. Here, they can access all cloud-based apps, apps you make available by using [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md), and apps using [Application Proxy](../app-proxy/application-proxy.md) provided they have permissions to access those apps. - You can guide your users on how to discover their apps: - Use the [Existing Single Sign-on](./view-applications-portal.md) feature to **link your users to any app** - - Enable [Self-Service Application Access](./manage-self-service-access.md)to an app and **let users add apps that you curate** - [Hide applications from end-users](./hide-application-from-user-portal.md) (default Microsoft apps or other apps) to **make the apps they do need more discoverable**
Identity deployment issue depending on your Enterprise Agreement with Microsoft.
- **Engage the Product Engineering team:** If you are working on a major customer deployment with millions of users, you are entitled to support from the Microsoft account team or your Cloud Solutions Architect. Based on the projectΓÇÖs deployment complexity, you can work directly with the [Azure Identity Product Engineering team.](https://aad.portal.azure.com/#blade/Microsoft_Azure_Marketplace/MarketplaceOffersBlade/selectedMenuItemId/solutionProviders) -- **Azure AD Identity blog:** Subscribe to the [Azure AD Identity blog](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/bg-p/Identity) to stay up to date with all the latest product announcements, deep dives, and roadmap information provided directly by the Identity engineering team.
+- **Azure AD Identity blog:** Subscribe to the [Azure AD Identity blog](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/bg-p/Identity) to stay up to date with all the latest product announcements, deep dives, and roadmap information provided directly by the Identity engineering team.
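Review bot: the "**Azure AD Identity blog:**" bullet is re-emitted unchanged, so this hunk is whitespace only. The sibling bullet above it links "Azure Identity Product Engineering team" to an `aad.portal.azure.com/#blade/Microsoft_Azure_Marketplace/MarketplaceOffersBlade/selectedMenuItemId/solutionProviders` URL, which is a marketplace solution-providers blade rather than an engineering-team contact; confirm that target is intended.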
active-directory Migration Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migration-resources.md
Resources to help you migrate application access and authentication to Azure Act
|[Solution guide: Migrating apps from Active Directory Federation Services (AD FS) to Azure AD](./migrate-adfs-apps-to-azure.md) | This solution guide walks you through the same four phases of planning and executing an application migration project described at a higher level in the migration whitepaper. In this guide, youΓÇÖll learn how to apply those phases to the specific goal of moving an application from Azure Directory Federated Services (AD FS) to Azure AD.| |[Developer tutorial: AD FS to Azure AD application migration playbook for developers](https://aka.ms/adfsplaybook) | This set of ASP.NET code samples and accompanying tutorials will help you learn how to safely and securely migrate your applications integrated with Active Directory Federation Services (AD FS) to Azure Active Directory (Azure AD). This tutorial is focused towards developers who not only need to learn configuring apps on both AD FS and Azure AD, but also become aware and confident of changes their code base will require in this process.| | [Tool: Active Directory Federation Services Migration Readiness Script](https://aka.ms/migrateapps/adfstools) | This is a script you can run on your on-premises Active Directory Federation Services (AD FS) server to determine the readiness of apps for migration to Azure AD.|
-| [Deployment plan: Migrating from AD FS to password hash sync](https://aka.ms/ADFSTOPHSDPDownload) | With password hash synchronization, hashes of user passwords are synchronized from on-premises Active Directory to Azure AD. This allows Azure AD to authenticate users without interacting with the on-premises Active Directory.|
+| [Deployment plan: Migrating from AD FS to password hash sync](https://aka.ms/ADFSTOPHSDPDownload) | With password hash synchronization, hashes of user passwords are synchronized from on-premises Active Directory to Azure AD. This allows Azure AD to authenticate users without interacting with the on-premises Active Directory.|
| [Deployment plan: Migrating from AD FS to pass-through authentication](https://aka.ms/ADFSTOPTADPDownload)|Azure AD pass-through authentication helps users sign in to both on-premises and cloud-based applications by using the same password. This feature provides your users with a better experience since they have one less password to remember. It also reduces IT helpdesk costs because users are less likely to forget how to sign in when they only need to remember one password. When people sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.|
-| [Deployment plan: Enabling Single Sign-on to a SaaS app with Azure AD](https://aka.ms/SSODPDownload) | Single sign-on (SSO) helps you access all the apps and resources you need to do business, while signing in only once, using a single user account. For example, after a user has signed in, the user can move from Microsoft Office, to SalesForce, to Box without authenticating (for example, typing a password) a second time.
+| [Deployment plan: Enabling Single Sign-on to a SaaS app with Azure AD](https://aka.ms/SSODPDownload) | Single sign-on (SSO) helps you access all the apps and resources you need to do business, while signing in only once, using a single user account. For example, after a user has signed in, the user can move from Microsoft Office, to SalesForce, to Box without authenticating (for example, typing a password) a second time.
| [Deployment plan: Extending apps to Azure AD with Application Proxy](https://aka.ms/AppProxyDPDownload)| Providing access from employee laptops and other devices to on-premises applications has traditionally involved virtual private networks (VPNs) or demilitarized zones (DMZs). Not only are these solutions complex and hard to make secure, but they are costly to set up and manage. Azure AD Application Proxy makes it easier to access on-premises applications. | | [Deployment plans](../fundamentals/active-directory-deployment-plans.md) | Find more deployment plans for deploying features such as multi-Factor authentication, Conditional Access, user provisioning, seamless SSO, self-service password reset, and more! | | [Migrating apps from Symantec SiteMinder to Azure AD](https://azure.microsoft.com/mediahandler/files/resourcefiles/migrating-applications-from-symantec-siteminder-to-azure-active-directory/Migrating-applications-from-Symantec-SiteMinder-to-Azure-Active-Directory.pdf) | Get step by step guidance on application migration and integration options with an example, that walks you through migrating applications from Symantec SiteMinder to Azure AD. |
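Review bot: both rows in this hunk are unchanged text, so whitespace only, but the "Deployment plan: Enabling Single Sign-on to a SaaS app with Azure AD" row still lacks the closing `|` that every other row in the table has; add it in the `+` line so the table renders reliably.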
active-directory My Apps Deployment Plan https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/my-apps-deployment-plan.md
# Plan Azure Active Directory My Apps configuration > [!NOTE]
-> This article is designed for IT professionals who need to plan the configuration of their organizationΓÇÖs My Apps portal.
+> This article is designed for IT professionals who need to plan the configuration of their organizationΓÇÖs My Apps portal.
> > **For end user documentation, see [Sign in and start apps from the My Apps portal](../user-help/my-apps-portal-end-user-access.md)**.
Azure Active Directory (Azure AD) My Apps is a web-based portal for launching an
## Why Configure My apps
-The My Apps portal is available to users by default and cannot be turned off. ItΓÇÖs important to configure it so that they have the best possible experience, and the portal stays useful.
+The My Apps portal is available to users by default and cannot be turned off. ItΓÇÖs important to configure it so that they have the best possible experience, and the portal stays useful.
Any application in the Azure Active Directory enterprise applications list appears when both of the following conditions are met:
-* The visibility property for the app is set to true.
+* The visibility property for the app is set to true.
* The app is assigned to any user or group. It appears for assigned users. Configuring the portal ensures that the right people can easily find the right apps.
-
### How is the My Apps portal used? Users access the My Apps portal to:
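Review bot: the removed blank line before "### How is the My Apps portal used?" is inconsistent with the blank-line-before-heading style the rest of this changeset adds (for example the blank line inserted before the Next steps link in the self-service article); keep it. In the same hunk, "The visibility property for the app is set to true." sends readers looking for a property named `visibility`; if the portal's own label for that setting is meant, use the label.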
Administrators can configure:
* Company branding shown on My Apps
-
- ## Plan consent configuration
-### User consent for applications
+### User consent for applications
Before a user can sign in to an application and the application can access your organization's data, a user or an admin must grant the application permissions. You can configure whether user consent is allowed, and under which conditions. **Microsoft recommends you only allow user consent for applications from verified publishers.**
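Review bot: the `-` line " ## Plan consent configuration" (with its leading space) is removed but no `+` counterpart appears in this hunk, so either the H2 was dropped, which orphans "### User consent for applications" and "### Group owner consent for apps accessing data" under the previous section, or the re-added line is missing from this diff; confirm the heading survives without the leading space.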
For more information, see [Configure how end-users consent to applications](../m
### Group owner consent for apps accessing data
-Group and team owners can authorize applications, such as applications published by third-party vendors, to access your organization's data associated with a group. See [Resource-specific consent in Microsoft Teams](/microsoftteams/resource-specific-consent) to learn more.
+Group and team owners can authorize applications, such as applications published by third-party vendors, to access your organization's data associated with a group. See [Resource-specific consent in Microsoft Teams](/microsoftteams/resource-specific-consent) to learn more.
You can configure whether you'd like to allow or disable this feature.
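Review bot: whitespace-only change on the group-owner-consent line, but the section ends on "You can configure whether you'd like to allow or disable this feature" with no recommendation, whereas the user-consent section above states one in bold ("only allow user consent for applications from verified publishers"). Group owners granting third-party apps access to group data is the same risk class; give the same guidance here rather than leaving it neutral.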
Although My Apps doesnΓÇÖt typically create user issues, itΓÇÖs important to pre
Microsoft provides [customizable templates for emails and other communications](https://aka.ms/APTemplates) for My Apps. You can adapt these assets for use in other communications channels as appropriate for your corporate culture.
-
- ## Plan your SSO configuration It's best if SSO is enabled for all apps in the My Apps portal so that users have a seamless experience without the need to enter their credentials.
-Azure AD supports multiple SSO options.
+Azure AD supports multiple SSO options.
* To learn more, see [Single sign-on options in Azure AD](sso-options.md).
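Review bot: same problem as the consent section: the removed line " ## Plan your SSO configuration It's best if SSO is enabled..." carries both the H2 and its first paragraph, and the hunk shows no `+` line re-adding the heading; verify that "## Plan your SSO configuration" is still present, otherwise the SSO planning subsections fold into the consent section.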
For more information on how to configure your software as a service (SaaS) appli
> [!TIP] > For a better user experience, use Federated SSO with Azure AD (OpenID Connect/SAML) when an application supports it, instead of password-based SSO and ADFS.
-To sign in to password-based SSO applications, or to applications that are accessed by Azure AD Application Proxy, users need to install and use the My Apps secure sign-in extension. Users are prompted to install the extension when they first launch the password-based SSO or Application Proxy application.
+To sign in to password-based SSO applications, or to applications that are accessed by Azure AD Application Proxy, users need to install and use the My Apps secure sign-in extension. Users are prompted to install the extension when they first launch the password-based SSO or Application Proxy application.
![Screenshot of](./media/my-apps-deployment-plan/ap-dp-install-myapps.png)
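Review bot: whitespace-only change on the extension paragraph. Two things in the surrounding context: the image line "![Screenshot of](./media/my-apps-deployment-plan/ap-dp-install-myapps.png)" has truncated alt text, and the tip above spells the product "ADFS" where the rest of the changeset uses "AD FS".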
The extension allows users to launch any app from its search bar, finding access
#### Plan for mobile access
-For applications that use password-based SSO or accessed by using [Microsoft Azure AD Application Proxy](../app-proxy/application-proxy.md), you must use Microsoft Edge mobile. For other applications, any mobile browser can be used.
+For applications that use password-based SSO or accessed by using [Microsoft Azure AD Application Proxy](../app-proxy/application-proxy.md), you must use Microsoft Edge mobile. For other applications, any mobile browser can be used.
### Linked SSO
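Review bot: whitespace only. "you must use Microsoft Edge mobile" for password-based SSO and Application Proxy apps is the mobile counterpart of the secure sign-in extension requirement in the section above; if the reason is that the extension's function is only available in Edge mobile, say so in one clause so readers do not treat it as an arbitrary browser restriction.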
By default, all applications to which the user has access and all applications c
### Plan My Apps collections
-Every Azure AD application to which a user has access will appear on My Apps in the All Apps collection. Use collections to group related applications and present them on a separate tab, making them easier to find. For example, you can use collections to create logical groupings of applications for specific job roles, tasks, projects, and so on.
+Every Azure AD application to which a user has access will appear on My Apps in the **Apps** collection. Use collections to group related applications and present them on a separate tab, making them easier to find. For example, you can use collections to create logical groupings of applications for specific job roles, tasks, projects, and so on.
End users can also customize their experience by
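Review bot: this hunk is a real wording change, "All Apps collection" to "**Apps** collection", not a whitespace fix; it reflects a renamed portal collection and should be called out in the commit message, and any other mention of "All Apps" in this article needs the same edit.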
End users can also customize their experience by
ThereΓÇÖs an option to hide apps from the My Apps portal, while still allowing access from other locations, such as the Microsoft 365 portal. Learn more: [Hide an application from userΓÇÖs experience in Azure Active Directory](hide-application-from-user-portal.md). > [!IMPORTANT]
-> Only 950 apps to which a user has access can be accessed through My Apps. This includes apps hidden by either the user or the administrator.
+> Only 950 apps to which a user has access can be accessed through My Apps. This includes apps hidden by either the user or the administrator.
### Plan self-service group management membership You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure AD. The owner of the group can approve or deny membership requests and delegate control of group membership. Self-service group management features arenΓÇÖt available for mail-enabled security groups or distribution lists.
-To plan for self-service group membership, determine if youΓÇÖll allow all users in your organization to create and manage groups or only a subset of users. If youΓÇÖre allowing a subset of users, youΓÇÖll need to set up a group to which those people are added.
+To plan for self-service group membership, determine if youΓÇÖll allow all users in your organization to create and manage groups or only a subset of users. If youΓÇÖre allowing a subset of users, youΓÇÖll need to set up a group to which those people are added.
See [Set up self-service group management in Azure Active Directory](../enterprise-users/groups-self-service-management.md) for details on enabling these scenarios. ### Plan self-service application access
-You can enable users to discover and request access to applications via the My Apps panel. To do so, you must first
+You can enable users to discover and request access to applications via the My Apps panel. To do so, you must first
* enable self-service group management
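Review bot: the three `-`/`+` pairs here are whitespace only. Dropping the trailing spaces on "To do so, you must first" is safe because a bullet list follows, so no Markdown hard break was needed. The `[!IMPORTANT]` note, "Only 950 apps to which a user has access can be accessed through My Apps", should say what the user sees past that limit, not only that the limit exists.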
Azure AD provides [reports that offer technical and business insights]../reports
| Report types| Application permissions and usage| Account provisioning activity| Review who is accessing the applications | | Potential actions| Audit access; revoke permissions| Remediate any provisioning errors| Revoke access | - Azure AD keeps most auditing data for 30 days. The data is available via Azure Admin Portal or API for you to download into your analysis systems. #### Auditing
Conduct the following tests with both corporate-owned devices and personal devic
#### Application SSO access test case examples: - | Business case| Expected result | | - | - | | User signs in into the My Apps portal| User can sign in and see their applications |
Conduct the following tests with both corporate-owned devices and personal devic
| User launches an app from Microsoft 365 Portal| User is automatically signed in to the application | | User launches an app from the Managed Browser| User is automatically signed in to the application | - #### Application self-service capabilities test case examples - | Business case| Expected result | | - | - | | User can manage membership to the application| User can add/remove members who have access to the app | | User can edit the application| User can edit the applicationΓÇÖs description and credentials for password SSO applications | - ### Rollback steps ItΓÇÖs important to plan what to do if your deployment doesnΓÇÖt go as planned. If SSO configuration fails during deployment, you must understand how to [troubleshoot SSO issues](../hybrid/tshoot-connect-sso.md) and reduce impact to your users. In extreme circumstances, you might need to [roll back SSO](plan-sso-deployment.md).
Use the least privileged role to accomplish a required task within Azure Active
| Infrastructure admins| Cert rollover owner| Global admin | | Business owner/stakeholder| User attestation in application, configuration on users with permissions| None | - You can use [Privileged Identity Management](../privileged-identity-management/pim-configure.md) to manage your roles to provide additional auditing, control, and access review for users with directory permissions. ## Next steps [Plan a deployment of Azure AD Multi-Factor Authentication](../authentication/howto-mfa-getstarted.md)
-[Plan an Application Proxy deployment](../app-proxy/application-proxy-deployment-plan.md)
+[Plan an Application Proxy deployment](../app-proxy/application-proxy-deployment-plan.md)
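Review bot: the final `+` line is whitespace only. Two issues in the context above it: the link "[reports that offer technical and business insights]../reports" is missing the "(" after "]", so it renders as literal text rather than a link; and the role table row "Infrastructure admins | Cert rollover owner | Global admin" sits under the instruction "Use the least privileged role to accomplish a required task", so either justify why certificate rollover needs Global admin or check whether an application-level admin role suffices and put that in the table.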
active-directory One Click Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/one-click-sso-tutorial.md
The one-click SSO feature is designed to configure single sign-on for Azure Mark
## Additional resources
-* [List of tutorials on how to integrate SaaS apps with Azure Active Directory](../saas-apps/tutorial-list.md)
-* [What is the My Apps Secure Sign-in browser extension?](../user-help/my-apps-portal-end-user-access.md)
+- [List of tutorials on how to integrate SaaS apps with Azure Active Directory](../saas-apps/tutorial-list.md)
+- [What is the My Apps Secure Sign-in browser extension?](../user-help/my-apps-portal-end-user-access.md)
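Review bot: this hunk switches the two bullets from `*` to `-`, while the other articles in this changeset normalize in the opposite direction (the "--" and "- *" fragments become `*` in the AD FS activity article's Next steps and in the plan-an-application-integration capability list). Pick one marker for the manage-apps folder.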
active-directory Plan An Application Integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/plan-an-application-integration.md
This topic summarizes the process for integrating applications with Azure Active
To download in-depth deployment plans, see [Next steps](#next-steps). ## Take inventory+ Before integrating applications with Azure AD, it is important to know where you are and where you want to go. The following questions are intended to help you think about your Azure AD application integration project. ### Application inventory+ * Where are all of your applications? Who owns them? * What kind of authentication do your applications require? * Who needs access to which applications?
Before integrating applications with Azure AD, it is important to know where you
* Will you use one that is available in the Azure Application Gallery? ### User and group inventory+ * Where do your user accounts reside? * On-premises Active Directory * Azure AD
Before integrating applications with Azure AD, it is important to know where you
* Will you need to clean up user/group databases before integrating? (This is an important question. Garbage in, garbage out.) ### Access management inventory+ * How do you currently manage user access to applications? Does that need to change? Have you considered other ways to manage access, such as with [Azure RBAC](../../role-based-access-control/role-assignments-portal.md) for example? * Who needs access to what?
As mentioned above, there may be applications that haven't been managed by your
[Set up Cloud Discovery](/cloud-app-security/set-up-cloud-discovery). ## Integrating applications with Azure AD+ The following articles discuss the different ways applications integrate with Azure AD, and provide some guidance. * [Determining which Active Directory to use](../fundamentals/active-directory-whatis.md)
The following articles discuss the different ways applications integrate with Az
You can add any application that already exists in your organization, or any third-party application from a vendor who is not already part of the Azure AD gallery. Depending on your [license agreement](https://azure.microsoft.com/pricing/details/active-directory/), the following capabilities are available: -- Self-service integration of any application that supports [Security Assertion Markup Language (SAML) 2.0](https://wikipedia.org/wiki/SAML_2.0) identity providers (SP-initiated or IdP-initiated)-- Self-service integration of any web application that has an HTML-based sign-in page using [password-based SSO](sso-options.md#password-based-sso)-- Self-service connection of applications that use the [System for Cross-Domain Identity Management (SCIM) protocol for user provisioning](../app-provisioning/use-scim-to-provision-users-and-groups.md)-- Ability to add links to any application in the [Office 365 app launcher](https://support.microsoft.com/office/meet-the-microsoft-365-app-launcher-79f12104-6fed-442f-96a0-eb089a3f476a) or [My Apps](https://myapplications.microsoft.com/)
+* Self-service integration of any application that supports [Security Assertion Markup Language (SAML) 2.0](https://wikipedia.org/wiki/SAML_2.0) identity providers (SP-initiated or IdP-initiated)
+* Self-service integration of any web application that has an HTML-based sign-in page using [password-based SSO](sso-options.md#password-based-sso)
+* Self-service connection of applications that use the [System for Cross-Domain Identity Management (SCIM) protocol for user provisioning](../app-provisioning/use-scim-to-provision-users-and-groups.md)
+* Ability to add links to any application in the [Office 365 app launcher](https://support.microsoft.com/office/meet-the-microsoft-365-app-launcher-79f12104-6fed-442f-96a0-eb089a3f476a) or [My Apps](https://myapplications.microsoft.com/)
If you're looking for developer guidance on how to integrate custom apps with Azure AD, see [Authentication Scenarios for Azure AD](../develop/authentication-vs-authorization.md). When you develop an app that uses a modern protocol like [OpenId Connect/OAuth](../develop/active-directory-v2-protocols.md) to authenticate users, you can register it with the Microsoft identity platform by using the [App registrations](../develop/quickstart-register-app.md) experience in the Azure portal. ### Authentication Types+ Each of your applications may have different authentication requirements. With Azure AD, signing certificates can be used with applications that use SAML 2.0, WS-Federation, or OpenID Connect Protocols and Password Single Sign On. For more information about application authentication types, see [Managing Certificates for Federated Single Sign-On in Azure Active Directory](manage-certificates-for-federated-single-sign-on.md) and [Password based single sign on](what-is-single-sign-on.md). ### Enabling SSO with Azure AD App Proxy+ With Microsoft Azure AD Application Proxy, you can provide access to applications located inside your private network securely, from anywhere and on any device. After you have installed an application proxy connector within your environment, it can be easily configured with Azure AD. ### Integrating custom applications+ If you want to add your custom application to the Azure Application Gallery, see [Publish your app to the Azure AD app gallery](../develop/v2-howto-app-gallery-listing.md). ## Managing access to applications+ The following articles describe ways you can manage access to applications once they have been integrated with Azure AD using Azure AD Connectors and Azure AD. * [Managing access to apps using Azure AD](what-is-access-management.md)
The following articles describe ways you can manage access to applications once
* [Sharing accounts](../enterprise-users/users-sharing-accounts.md) ## Next steps+ For in-depth information, you can download Azure Active Directory deployment plans from [GitHub](../fundamentals/active-directory-deployment-plans.md). For gallery applications, you can download deployment plans for single sign-on, Conditional Access, and user provisioning through the [Azure portal](https://portal.azure.com). To download a deployment plan from the Azure portal:
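Review bot: In the "Next steps" paragraph the link text says deployment plans can be downloaded "from GitHub", but the target is the in-repo article `../fundamentals/active-directory-deployment-plans.md`; either point the link at the actual GitHub download location or reword it to "see Azure Active Directory deployment plans" so the text and the target agree.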
active-directory Plan Sso Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/plan-sso-deployment.md
Single sign-on (SSO) means accessing all applications and resources a user needs
## Benefits of SSO
-Single sign-on (SSO) adds security and convenience when users sign on to applications in Azure Active Directory (Azure AD).
+Single sign-on (SSO) adds security and convenience when users sign on to applications in Azure Active Directory (Azure AD).
Many organizations rely on software as a service (SaaS) applications, such as Microsoft 365, Box, and Salesforce, for end user productivity. Historically, IT staff needed to individually create and update user accounts in each SaaS application, and users needed to remember a password for each.
The Azure Marketplace has over 3000 applications with pre-integrated SSO connect
## Plan your SSO team - **Engage the right stakeholders** - When technology projects fail, it's typically due to mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md) and that stakeholders understand their roles.-- **Plan communications** - Communication is critical to the success of any new service. Proactively communicate to your users about how their experience will change, when it will change, and how to gain support if they experience issues. Review the options for [how end-users will access their SSO enabled applications](end-user-experiences.md), and craft your communications to match your selection.
+- **Plan communications** - Communication is critical to the success of any new service. Proactively communicate to your users about how their experience will change, when it will change, and how to gain support if they experience issues. Review the options for [how end-users will access their SSO enabled applications](end-user-experiences.md), and craft your communications to match your selection.
## Plan your SSO protocol
From the sign-in perspective, applications with shared accounts aren't different
1. Work with application business users to document the following: 1. Set of users in the organization who will use the application
- 1. Existing set of credentials in the application associated with the set of users
+ 1. Existing set of credentials in the application associated with the set of users
1. For each combination of user set and credentials, create a security group in the cloud or on-premises based on your requirements.
-1. Reset the shared credentials. Once the app is deployed in Azure AD, individuals don't need the password of the shared account. Since Azure AD will store the password, consider setting it to be very long and complex.
-1. Configure automatic rollover of the password if the application supports it. That way, not even the administrator who did the initial setup will know the password of the shared account.
+1. Reset the shared credentials. Once the app is deployed in Azure AD, individuals don't need the password of the shared account. Since Azure AD will store the password, consider setting it to be very long and complex.
+1. Configure automatic rollover of the password if the application supports it. That way, not even the administrator who did the initial setup will know the password of the shared account.
## Plan your authentication method
Choosing the correct authentication method is a crucial first decision in settin
To choose an authentication method, you need to consider the time, existing infrastructure, complexity, and cost of implementing your choice. These factors are different for every organization and might change over time. You should choose the one that most closely matches your specific scenario. For more information, see [Choose the right authentication method for your Azure Active Directory hybrid identity solution](../hybrid/choose-ad-authn.md).
-## Plan your security and governance
+## Plan your security and governance
-Identity is the new primary pivot for security attention and investments because network perimeters have become increasingly porous and less effective with the explosion of BYOD devices and cloud applications.
+Identity is the new primary pivot for security attention and investments because network perimeters have become increasingly porous and less effective with the explosion of BYOD devices and cloud applications.
### Plan access reviews
Some of the key topics to plan for while setting up access reviews include:
### Plan auditing
-Azure AD provides [reports containing technical and business insights](../reports-monitoring/overview-reports.md).
+Azure AD provides [reports containing technical and business insights](../reports-monitoring/overview-reports.md).
Both security and activity reports are available. Security reports show users flagged for risk, and risky sign-ins. Activity reports help you understand the behavior of users in your organization by detailing sign-in activity and providing audit trails of all logins. You can use reports to manage risk, increase productivity, and monitor compliance.
There's a pre-configured set of attributes and attribute-mappings between Azure
### Certificate requirements
-The certificate for the application must be up-to-date, or there's a risk of users not being able to access the application. Most SaaS application certificates are good for 36 months. You change that certificate duration in the application blade. Make sure to document the expiration and know how you will manage your certificate renewal.
+The certificate for the application must be up-to-date, or there's a risk of users not being able to access the application. Most SaaS application certificates are good for 36 months. You change that certificate duration in the application blade. Make sure to document the expiration and know how you will manage your certificate renewal.
-There are two ways to manage your certificates.
+There are two ways to manage your certificates.
- **Automatic certificate rollover** - Microsoft supports [Signing key rollover in Azure AD](../develop/active-directory-signing-key-rollover.md). While this is our preferred method for managing certificates, not all ISVΓÇÖs supports this scenario.
Use the following phases to plan for and deploy your solution in your organizati
- **Identify your test users** Contact to the app owner and ask them to create a minimum of three test users within the application. Ensure the information that you'll use as the primary identifier is populated correctly and matches an attribute that is available in Azure AD. In most cases this will map to the ΓÇ£NameIDΓÇ¥ for SAML-based applications. For JWT tokens, it's the ΓÇ£preferred_username.ΓÇ¥
-
+ Create the user in Azure AD either manually as a cloud-based user or sync the user from on-premises using the Azure AD Connect sync engine. Ensure the information matches the claims being sent to the application. - **Configure SSO**
After you complete testing based on your test cases, itΓÇÖs time to move into pr
The availability of authentication methods within the application will determine your best strategy. Always ensure you have detailed documentation for app owners on exactly how to get back to the original login configuration state in case your deployment runs into issues. -- **If your app supports multiple identity providers**, for example LDAP and AD FS and Ping, do not delete the existing SSO configuration during rollout. Instead, disable it during migration in case you need to switch it back later.
+- **If your app supports multiple identity providers**, for example LDAP and AD FS and Ping, do not delete the existing SSO configuration during rollout. Instead, disable it during migration in case you need to switch it back later.
- **If your app does not support multiple IDPs** but allows users to log in using forms-based authentication (username/password), ensure that users can fall back to this approach in case the new SSO configuration rollout fails.
The following links present troubleshooting scenarios. You may want to create a
#### SSO issues for applications -- [Problem with password SSO for applications](./troubleshoot-password-based-sso.md) --- [Problems signing in to SAML-based single sign-on configured apps](/troubleshoot/azure/active-directory/troubleshoot-sign-in-saml-based-apps)
+- [Problem with password SSO for applications](./troubleshoot-password-based-sso.md)
+- [Problems signing in to SAML-based single sign-on configured apps](/troubleshoot/azure/active-directory/troubleshoot-sign-in-saml-based-apps)
## Next steps
The following links present troubleshooting scenarios. You may want to create a
[Application SSO Tutorial](../saas-apps/tutorial-list.md)
-[Whitepaper Download - Single sign-on deployment plan](https://aka.ms/SSODeploymentPlan)
+[Whitepaper Download - Single sign-on deployment plan](https://aka.ms/SSODeploymentPlan)
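Review bot: Two grammar slips survive in this file: in "Certificate requirements", "not all ISV's supports this scenario" should read "not all ISVs support this scenario", and in the "Identify your test users" bullet "Contact to the app owner" should be "Contact the app owner". While touching those lines, put the claim names `NameID` and `preferred_username` in code font instead of quotation marks, consistent with how other identifiers are formatted on the page.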
active-directory Prevent Domain Hints With Home Realm Discovery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/prevent-domain-hints-with-home-realm-discovery.md
Be sure to use slashes to escape the `Definition` JSON section when using Graph.
## Next steps * [Enable passwordless security key sign-in](../authentication/howto-authentication-passwordless-security-key.md)
-* [Enable passwordless sign-in with the Microsoft Authenticator app](../authentication/howto-authentication-passwordless-phone.md)
+* [Enable passwordless sign-in with the Microsoft Authenticator app](../authentication/howto-authentication-passwordless-phone.md)
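Review bot: "Be sure to use slashes to escape the `Definition` JSON section when using Graph" is ambiguous; JSON string escaping uses backslashes (`\"`), so say "backslashes" explicitly and show one escaped fragment of the definition so readers do not try forward slashes and get a malformed policy.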
active-directory Secure Hybrid Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/secure-hybrid-access.md
The following SDP vendors offer pre-built solutions and detailed guidance for in
- [Perimeter 81](../saas-apps/perimeter-81-tutorial.md) - - [Silverfort Authentication Platform](./add-application-portal-setup-oidc-sso.md) - [Strata](../saas-apps/maverics-identity-orchestrator-saml-connector-tutorial.md) -- [Zscaler Private Access (ZPA)](../saas-apps/zscalerprivateaccess-tutorial.md)
+- [Zscaler Private Access (ZPA)](../saas-apps/zscalerprivateaccess-tutorial.md)
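Review bot: If the Silverfort entry is kept, its target `./add-application-portal-setup-oidc-sso.md` is the generic OIDC app-setup page, while every other vendor in this list links to a vendor-specific tutorial under `../saas-apps/`; either link a Silverfort tutorial or say in the bullet text that the generic OIDC setup applies.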
active-directory Sso Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/sso-options.md
To learn more about single sign-on, see [What is single sign-on?](what-is-single
There are several ways to configure an application for single sign-on. Choosing a single sign-on method depends on how the application is configured for authentication. -- Cloud applications can use OpenID Connect, OAuth, SAML, password-based, linked, or disabled methods for single sign-on.
+- Cloud applications can use OpenID Connect, OAuth, SAML, password-based, linked, or disabled methods for single sign-on.
- On-premises applications can use password-based, Integrated Windows Authentication, header-based, linked, or disabled methods for single sign-on. The on-premises choices work when applications are configured for Application Proxy. This flowchart helps you decide which single sign-on method is best for your situation.
When the end user manages the credentials:
- Administrators are still able to set new credentials for the application. ## Linked sign-on+ Linked sign-on enables Azure AD to provide single sign-on to an application that is already configured for single sign-on in another service. The linked application can appear to end users in the Office 365 portal or Azure AD MyApps portal. For example, a user can launch an application that is configured for single sign-on in Active Directory Federation Services 2.0 (AD FS) from the Office 365 portal. Additional reporting is also available for linked applications that are launched from the Office 365 portal or the Azure AD MyApps portal. To configure an application for linked sign-on, see [Configure linked sign-on](configure-linked-sign-on.md). ### Linked sign-on for application migration
Linked sign-on can provide a consistent user experience while you migrate applic
Once a user has authenticated with a linked application, an account record needs to be created before the end user is provided single sign-on access. Provisioning this account record can either occur automatically, or it can occur manually by an administrator. >[!NOTE]
->You cannot apply conditional access policies or multi-factor authentication to a linked application. This is because a linked application does not provide single sign-on capabilities through Azure AD. When you configure a linked application you are simply adding a link that will appear in the app launcher or MyApps portal.
+>You cannot apply conditional access policies or multi-factor authentication to a linked application. This is because a linked application does not provide single sign-on capabilities through Azure AD. When you configure a linked application you are simply adding a link that will appear in the app launcher or MyApps portal.
## Disabled SSO
Choose Integrated Windows Authentication single sign-on mode to provide single s
To configure an on-premises app for IWA, see [Kerberos Constrained Delegation for single sign-on to your applications with Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md). ### How single sign-on with KCD works+ This diagram explains the flow when a user accesses an on-premises application that uses IWA. ![Microsoft Azure AD authentication flow diagram](../app-proxy/media/application-proxy-configure-single-sign-on-with-kcd/AuthDiagram.png)
Choose header-based single sign-on when Application Proxy is configured for the
To learn more about header-based authentication, see [Header-based SSO](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md). - ## Next steps
-* [Quickstart Series on Application Management](view-applications-portal.md)
-* [Plan a single sign-on deployment](plan-sso-deployment.md)
-* [Single sign-on with on-premises apps](../app-proxy/application-proxy-config-sso-how-to.md)
+
+- [Quickstart Series on Application Management](view-applications-portal.md)
+- [Plan a single sign-on deployment](plan-sso-deployment.md)
+- [Single sign-on with on-premises apps](../app-proxy/application-proxy-config-sso-how-to.md)
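Review bot: The note that Conditional Access policies and multi-factor authentication cannot be applied to a linked application is the key security caveat of this page, and it sits only under "Linked sign-on"; repeat it in "Linked sign-on for application migration", since that is where readers decide to use linked sign-on as a temporary step, and state that a linked app enforces only whatever the service it is already configured with (for example AD FS, as the page says) enforces.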
active-directory Tenant Restrictions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/tenant-restrictions.md
There are two steps to get started with tenant restrictions. First, make sure th
### URLs and IP addresses
-To use tenant restrictions, your clients must be able to connect to the following Azure AD URLs to authenticate: [login.microsoftonline.com](https://login.microsoftonline.com/), [login.microsoft.com](https://login.microsoft.com/), and [login.windows.net](https://login.windows.net/). Additionally, to access Office 365, your clients must also be able to connect to the fully qualified domain names (FQDNs), URLs, and IP addresses defined in [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2). 
+To use tenant restrictions, your clients must be able to connect to the following Azure AD URLs to authenticate: [login.microsoftonline.com](https://login.microsoftonline.com/), [login.microsoft.com](https://login.microsoft.com/), and [login.windows.net](https://login.windows.net/). Additionally, to access Office 365, your clients must also be able to connect to the fully qualified domain names (FQDNs), URLs, and IP addresses defined in [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
### Proxy configuration and requirements
The headers should include the following elements:
- For *Restrict-Access-Context*, use a value of a single directory ID, declaring which tenant is setting the tenant restrictions. For example, to declare Contoso as the tenant that set the tenant restrictions policy, the name/value pair looks like: `Restrict-Access-Context: 456ff232-35l2-5h23-b3b3-3236w0826f3d`. You **must** use your own directory ID in this spot in order to get logs for these authentications. > [!TIP]
-> You can find your directory ID in the [Azure Active Directory portal](https://aad.portal.azure.com/). Sign in as an administrator, select **Azure Active Directory**, then select **Properties**.
+> You can find your directory ID in the [Azure Active Directory portal](https://aad.portal.azure.com/). Sign in as an administrator, select **Azure Active Directory**, then select **Properties**.
>
-> To validate that a directory ID or domain name refer to the same tenant, use that ID or domain in place of <tenant> in this URL: `https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration`. If the results with the domain and the ID are the same, they refer to the same tenant.
+> To validate that a directory ID or domain name refer to the same tenant, use that ID or domain in place of <tenant> in this URL: `https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration`. If the results with the domain and the ID are the same, they refer to the same tenant.
To prevent users from inserting their own HTTP header with non-approved tenants, the proxy needs to replace the *Restrict-Access-To-Tenants* header if it is already present in the incoming request.
While configuration of tenant restrictions is done on the corporate proxy infras
The admin for the tenant specified as the Restricted-Access-Context tenant can use this report to see sign-ins blocked because of the tenant restrictions policy, including the identity used and the target directory ID. Sign-ins are included if the tenant setting the restriction is either the user tenant or resource tenant for the sign-in.
-The report may contain limited information, such as target directory ID, when a user who is in a tenant other than the Restricted-Access-Context tenant signs in. In this case, user identifiable information, such as name and user principal name, is masked to protect user data in other tenants ("{PII Removed}@domain.com" or 00000000-0000-0000-0000-000000000000 in place of usernames and object IDs as appropriate).
+The report may contain limited information, such as target directory ID, when a user who is in a tenant other than the Restricted-Access-Context tenant signs in. In this case, user identifiable information, such as name and user principal name, is masked to protect user data in other tenants ("{PII Removed}@domain.com" or 00000000-0000-0000-0000-000000000000 in place of usernames and object IDs as appropriate).
Like other reports in the Azure portal, you can use filters to specify the scope of your report. You can filter on a specific time interval, user, application, client, or status. If you select the **Columns** button, you can choose to display data with any combination of the following fields: -- **User** - this field can have personal data removed, where it will be set to `00000000-0000-0000-0000-000000000000`.
+- **User** - this field can have personal data removed, where it will be set to `00000000-0000-0000-0000-000000000000`.
- **Application** - **Status** - **Date**
Fiddler is a free web debugging proxy that can be used to capture and modify HTT
1. In the Fiddler Web Debugger tool, select the **Rules** menu and select **Customize Rules…** to open the CustomRules file.
- 2. Add the following lines at the beginning of the `OnBeforeRequest` function. Replace \<List of tenant identifiers\> with a domain registered with your tenant (for example, `contoso.onmicrosoft.com`). Replace \<directory ID\> with your tenant's Azure AD GUID identifier. You **must** include the correct GUID identifier in order for the logs to appear in your tenant.
+ 2. Add the following lines at the beginning of the `OnBeforeRequest` function. Replace \<List of tenant identifiers\> with a domain registered with your tenant (for example, `contoso.onmicrosoft.com`). Replace \<directory ID\> with your tenant's Azure AD GUID identifier. You **must** include the correct GUID identifier in order for the logs to appear in your tenant.
```JScript.NET // Allows access to the listed tenants.
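Review bot: In the tip, "in place of <tenant> in this URL" uses bare angle brackets, which Markdown renders as an HTML tag and drops; write it as `\<tenant\>` or put it in code font the way the URL itself is. Separately, the sentence "the proxy needs to replace the *Restrict-Access-To-Tenants* header if it is already present in the incoming request" should say the same for *Restrict-Access-Context*: the text above states that the context directory ID is what makes the blocked sign-ins appear in your tenant's logs, so a client-supplied value there would redirect that reporting away from the tenant that set the policy.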
active-directory Troubleshoot Password Based Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/troubleshoot-password-based-sso.md
To use password-based single sign-on (SSO) in My Apps, the browser extension must be installed. The extension downloads automatically when you select an app that's configured for password-based SSO. To learn about using My Apps from an end-user perspective, see [My Apps portal help](../user-help/my-apps-portal-end-user-access.md). ## My Apps browser extension not installed
-Make sure the browser extension is installed. To learn more, see [Plan an Azure Active Directory My Apps deployment](my-apps-deployment-plan.md).
+
+Make sure the browser extension is installed. To learn more, see [Plan an Azure Active Directory My Apps deployment](my-apps-deployment-plan.md).
## Single sign-on not configured+ Make sure password-based single sign-on is configured. To learn more, see [Configure password-based single sign-on](configure-password-single-sign-on-non-gallery-applications.md). ## Users not assigned+ Make sure the user is assigned to the app. To learn more, see [Assign a user or group to an app](assign-user-or-group-access-portal.md). ## Credentials are filled in, but the extension does not submit them
To resolve this issue, first try these things:
- Have the user first try to **sign in to the application website directly** with the credentials stored for them.
- * If sign-in works, then have the user click the **Update credentials** button on the **Application Tile** in the **Apps** section of [My Apps](https://myapps.microsoft.com/) to update them to the latest known working username and password.
+ - If sign-in works, then have the user click the **Update credentials** button on the **Application Tile** in the **Apps** section of [My Apps](https://myapps.microsoft.com/) to update them to the latest known working username and password.
- * If you, or another administrator assigned the credentials for this user, find the user or groupΓÇÖs application assignment by navigating to the **Users & Groups** tab of the application, selecting the assignment and clicking the **Update Credentials** button.
+ - If you, or another administrator assigned the credentials for this user, find the user or groupΓÇÖs application assignment by navigating to the **Users & Groups** tab of the application, selecting the assignment and clicking the **Update Credentials** button.
- If the user assigned their own credentials, have the user **check to be sure that their password has not expired in the application** and if so, **update their expired password** by signing in to the application directly.
- * After the password has been updated in the application, request the user to click the **Update credentials** button on the **Application Tile** in the **Apps** section of [My Apps](https://myapps.microsoft.com/) to update them to the latest known working username and password.
+ - After the password has been updated in the application, request the user to click the **Update credentials** button on the **Application Tile** in the **Apps** section of [My Apps](https://myapps.microsoft.com/) to update them to the latest known working username and password.
- * If you, or another administrator assigned the credentials for this user, find the user or groupΓÇÖs application assignment by navigating to the **Users & Groups** tab of the application, selecting the assignment and clicking the **Update Credentials** button.
+ - If you, or another administrator assigned the credentials for this user, find the user or groupΓÇÖs application assignment by navigating to the **Users & Groups** tab of the application, selecting the assignment and clicking the **Update Credentials** button.
- Ensure that the My Apps browser extension is running and enabled in your userΓÇÖs browser.
To resolve this issue, first try these things:
In case the previous suggestions do not work, it could be the case that a change has occurred on the application side that has temporarily broken the applicationΓÇÖs integration with Azure AD. For example, this can occur when the application vendor introduces a script on their page which behaves differently for manual vs automated input, which causes automated integration, like our own, to break. Fortunately, in many instances, Microsoft can work with application vendors to rapidly resolve these issues.
-While Microsoft has technologies to automatically detect when application integrations break, it might not be possible to find the issues right away, or the issues might take some time to fix. When an integration does not work correctly, you can open a support case to get it fixed as quickly as possible.
+While Microsoft has technologies to automatically detect when application integrations break, it might not be possible to find the issues right away, or the issues might take some time to fix. When an integration does not work correctly, you can open a support case to get it fixed as quickly as possible.
In addition to this, **if you are in contact with this applicationΓÇÖs vendor,** **send them our way** so we can work with them to natively integrate their application with Azure Active Directory. You can send the vendor to the [Listing your application in the Azure Active Directory application gallery](../develop/v2-howto-app-gallery-listing.md) to get them started.
In addition to this, **if you are in contact with this applicationΓÇÖs vendor,**
If the applicationΓÇÖs login page has changed drastically, sometimes this causes our integrations to break. An example of this is when an application vendor adds a sign-in field, a captcha, or multi-factor authentication to their experiences. Fortunately, in many instances, Microsoft can work with application vendors to rapidly resolve these issues.
-While Microsoft has technologies to automatically detect when application integrations break, it might not be possible to find the issues right away, or the issues might take some time to fix. When an integration does not work correctly, you can open a support case to get it fixed as quickly as possible.
+While Microsoft has technologies to automatically detect when application integrations break, it might not be possible to find the issues right away, or the issues might take some time to fix. When an integration does not work correctly, you can open a support case to get it fixed as quickly as possible.
In addition to this, **if you are in contact with this applicationΓÇÖs vendor,** **send them our way** so we can work with them to natively integrate their application with Azure Active Directory. You can send the vendor to the [Listing your application in the Azure Active Directory application gallery](../develop/v2-howto-app-gallery-listing.md) to get them started.
In general, if automatic sign-in field capture doesn't work, try the manual opti
### Automatically capture sign-in fields for an app To configure password-based SSO by using automatic sign-in field capture, follow these steps:+ 1. Open the [Azure portal](https://portal.azure.com/). Sign in as a global administrator or co-admin. 2. In the navigation pane on the left side, select **All services** to open the Azure AD extension. 3. Type **Azure Active Directory** in the filter search box, and then select **Azure Active Directory**.
To configure password-based SSO by using automatic sign-in field capture, follow
To manually capture sign-in fields, you must have the My Apps browser extension installed. Also, your browser can't be running in *inPrivate*, *incognito*, or *private* mode. To configure password-based SSO for an app by using manual sign-in field capture, follow these steps:+ 1. Open the [Azure portal](https://portal.azure.com/). Sign in as a global administrator or co-admin. 2. In the navigation pane on the left side, select **All services** to open the Azure AD extension. 3. Type **Azure Active Directory** in the filter search box, and then select **Azure Active Directory**. 4. Select **Enterprise Applications** in the Azure AD navigation pane. 5. Select **All Applications** to view a list of your apps.
- > [!NOTE]
+ > [!NOTE]
> If you don't see the app that you want, use the **Filter** control at the top of the **All Applications** list. Set the **Show** option to "All Applications." 6. Select the app that you want to configure for SSO. 7. After the app loads, select **Single sign-on** in the navigation pane on the left side.
To configure password-based SSO for an app by using manual sign-in field capture
9. Enter the **Sign-on URL**, which is the page where users enter their user name and password to sign in. *Make sure that the sign-in fields are visible on the page for the URL that you provide*. 10. Select **Configure *&lt;appname&gt;* Password Single Sign-on Settings**. 11. Select **Manually detect sign-in fields**.
-14. Select **Ok**.
-15. Select **Save**.
-16. Follow the instructions to use My Apps.
-
+12. Select **Ok**.
+13. Select **Save**.
+14. Follow the instructions to use My Apps.
## Troubleshoot problems
If you keep getting the error, open a support case. Include the information that
### I can't manually detect sign-in fields for my app You might observe the following behaviors when manual detection isn't working:+ - The manual capture process appeared to work, but the captured fields aren't correct. - The correct fields donΓÇÖt get highlighted when the capture process runs. - The capture process takes you to the appΓÇÖs sign-in page as expected, but nothing happens. - Manual capture appears to work, but SSO doesnΓÇÖt happen when users navigate to the app from My Apps. If you experience any of these problems, do the following things:+ - Make sure that you have the latest version of the My Apps browser extension *installed and enabled*. - Make sure that your browser isn't in *incognito*, *inPrivate*, or *Private* mode during the capture process. The My Apps extension isn't supported in these modes. - Make sure that your users aren't trying to sign in to the app from My Apps while in *incognito*, *inPrivate*, or *Private mode*.
If you experience any of these problems, do the following things:
Password-based SSO app has a limit of 48 users. Thus, it has a limit of 48 keys for username/password pairs per app. If you want to add additional users you can either:-- Add additional instance of the app-- Remove users who are no longer using the app first
-## Request support
+- Add additional instance of the app
+- Remove users who are no longer using the app first
+
+## Request support
+ If you get an error message when you set up SSO and assign users, open a support ticket. Include as much of the following information as possible: -- Correlation error ID-- UPN (user email address)-- TenantID-- Browser type-- Time zone and time/time frame when the error occurred-- Fiddler traces
+- Correlation error ID
+- UPN (user email address)
+- TenantID
+- Browser type
+- Time zone and time/time frame when the error occurred
+- Fiddler traces
### View portal notification details To see the details of any portal notification, follow these steps:+ 1. Select the **Notifications** icon (the bell) in the upper-right corner of the Azure portal. 2. Select any notification that shows an *Error* state. (They have a red "!".) > [!NOTE] > You can't select notifications that are in the *Successful* or *In Progress* state. 3. The **Notification Details** pane opens. Read the information to learn about the problem.
-5. If you still need help, share the information with a support engineer or the product group. Select the **copy** icon to the right of the **Copy error** box to copy the notification details to share.
+4. If you still need help, share the information with a support engineer or the product group. Select the **copy** icon to the right of the **Copy error** box to copy the notification details to share.
### Send notification details to a support engineer to get help
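Review bot: the support-ticket checklist in this hunk (`Correlation error ID` through `Fiddler traces`) needs a warning to redact secrets before anything is attached to a ticket. A Fiddler trace of a failed sign-in captures Authorization headers, bearer tokens, session cookies and, for password-based SSO, possibly the form-posted password, and the UPN and TenantID are identifying data. Suggest adding a bullet such as `- Remove bearer tokens, cookies and passwords from Fiddler traces before you attach them` directly after `- Fiddler traces`. The renumbered step (`+4. If you still need help...`) is right, since the visible list runs 1, 2, 3 before it.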
The following information explains what each notification item means and provide
- **Copy error**: Enables you to select the **copy icon** to the right of the **Copy error** textbox to copy the notification details to help with support.
- Example:
+ Example:
```{"errorCode":"InternalUrl\_Duplicate","localizedErrorDetails":{"errorDetail":"Internal url 'https://google.com/' is invalid since it is already in use"},"operationResults":\[{"objectId":null,"displayName":null,"status":0,"details":"Internal url 'https://bing.com/' is invalid since it is already in use"}\],"timeStampUtc":"2017-03-23T19:50:26.465743Z","clientRequestId":"302fd775-3329-4670-a9f3-bea37004f0bb","internalTransactionId":"ea5b5475-03b9-4f08-8e95-bbb11289ab65","upn":"tperkins@f128.info","tenantId":"7918d4b5-0442-4a97-be2d-36f9f9962ece","userObjectId":"17f84be4-51f8-483a-b533-383791227a99"}``` - ## Next steps
-* [Quickstart Series on Application Management](view-applications-portal.md)
-* [Plan a My Apps deployment](my-apps-deployment-plan.md)
+
+- [Quickstart Series on Application Management](view-applications-portal.md)
+- [Plan a My Apps deployment](my-apps-deployment-plan.md)
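Review bot: the example notification body sits inside a triple-backtick fence, so the Markdown escapes `\_` in `InternalUrl\_Duplicate` and `\[`/`\]` around `operationResults` render literally and the JSON is not valid as shown; drop the backslashes. The sample also embeds what look like real identifiers (a `tperkins@f128.info` UPN plus tenant, user and request GUIDs), and its two error strings disagree on which URL is duplicated (`https://google.com/` in `errorDetail`, `https://bing.com/` in `details`); replace them with placeholder values such as a contoso.com UPN and one consistent URL so readers do not copy real-looking data into tickets.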
active-directory Troubleshoot Saml Based Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/troubleshoot-saml-based-sso.md
# Troubleshoot SAML-based single sign-on in Azure Active Directory+ If you encounter a problem when configuring an application. Verify you have followed all the steps in the tutorial for the application. In the applicationΓÇÖs configuration, you have inline documentation on how to configure the application. Also, you can access the [List of tutorials on how to integrate SaaS apps with Azure Active Directory](../saas-apps/tutorial-list.md) for a detail step-by-step guidance. ## CanΓÇÖt add another instance of the application+ To add a second instance of an application, you need to be able to:-- Configure a unique identifier for the second instance. You wonΓÇÖt be able to configure the same identifier used for the first instance.-- Configure a different certificate than the one used for the first instance.+
+- Configure a unique identifier for the second instance. You wonΓÇÖt be able to configure the same identifier used for the first instance.
+- Configure a different certificate than the one used for the first instance.
If the application doesnΓÇÖt support any of the above. Then, you wonΓÇÖt be able to configure a second instance. ## CanΓÇÖt add the Identifier or the Reply URL+ If youΓÇÖre not able to configure the Identifier or the Reply URL, confirm the Identifier and Reply URL values match the patterns pre-configured for the application. To know the patterns pre-configured for the application:+ 1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator** or **Co-admin.** Go to step 7. If you are already in the application configuration blade on Azure AD. 2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu. 3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item. 4. click **Enterprise Applications** from the Azure Active Directory left-hand navigation menu. 5. click **All Applications** to view a list of all your applications.
- * If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications.**
+ - If you do not see the application you want show up here, use the **Filter** control at the top of the -**All Applications List** and set the **Show** option to **All Applications.**
6. Select the application you want to configure single sign-on. 7. Once the application loads, click the **Single sign-on** from the applicationΓÇÖs left-hand navigation menu. 8. Select **SAML-based Sign-on** from the **Mode** dropdown. 9. Go to the **Identifier** or **Reply URL** textbox, under the **Domain and URLs section.** 10. There are three ways to know the supported patterns for the application:
- * In the textbox, you see the supported pattern(s) as a placeholder *Example:* <https://contoso.com>.
- * if the pattern is not supported, you see a red exclamation mark when you try to enter the value in the textbox. If you hover your mouse over the red exclamation mark, you see the supported patterns.
- * In the tutorial for the application, you can also get information about the supported patterns. Under the **Configure Azure AD single sign-on** section. Go to the step for configured the values under the **Domain and URLs** section.
+ - In the textbox, you see the supported pattern(s) as a placeholder *Example:* <https://contoso.com>.
+ - if the pattern is not supported, you see a red exclamation mark when you try to enter the value in the textbox. If you hover your mouse over the red exclamation mark, you see the supported patterns.
+ - In the tutorial for the application, you can also get information about the supported patterns. Under the **Configure Azure AD single sign-on** section. Go to the step for configured the values under the **Domain and URLs** section.
If the values donΓÇÖt match with the patterns pre-configured on Azure AD. You can:-- Work with the application vendor to get values that match the pattern pre-configured on Azure AD-- Or, you can contact Azure AD team at <aadapprequest@microsoft.com> or leave a comment in the tutorial to request the update of the supported patterns for the application+
+- Work with the application vendor to get values that match the pattern pre-configured on Azure AD
+- Or, you can contact Azure AD team at <aadapprequest@microsoft.com> or leave a comment in the tutorial to request the update of the supported patterns for the application
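Review bot: the rewritten sub-bullet `+ - If you do not see the application you want show up here, use the **Filter** control at the top of the -**All Applications List**` introduces a stray `-` before `**All Applications List**` that the removed `*` line did not have, which breaks the bold; delete it. The same sentence appears again later in this file, in the metadata section, without the stray hyphen, and that is the form to match.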
## Where do I set the EntityID (User Identifier) format+ You wonΓÇÖt be able to select the EntityID (User Identifier) format that Azure AD sends to the application in the response after user authentication. Azure AD select the format for the NameID attribute (User Identifier) based on the value selected or the format requested by the application in the SAML AuthRequest. For more information visit the article [Single Sign-On SAML protocol](../develop/single-sign-on-saml-protocol.md#authnrequest) under the section NameIDPolicy, ## CanΓÇÖt find the Azure AD metadata to complete the configuration with the application+ To download the application metadata or certificate from Azure AD, follow these steps:+ 1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator** or **Co-admin.** 2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu. 3. Type in **ΓÇ£Azure Active Directory**ΓÇ¥ in the filter search box and select the **Azure Active Directory** item.
-4. click **Enterprise Applications** from the Azure Active Directory left-hand navigation menu.
-5. click **All Applications** to view a list of all your applications.
- * If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications.**
+4. Select **Enterprise Applications** from the Azure Active Directory left-hand navigation menu.
+5. Select **All Applications** to view a list of all your applications.
+ - If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications.**
6. Select the application you have configured single sign-on. 7. Once the application loads, click the **Single sign-on** from the applicationΓÇÖs left-hand navigation menu. 8. Go to **SAML Signing Certificate** section, then click **Download** column value. Depending on what the application requires configuring single sign-on, you see either the option to download the Metadata XML or the Certificate.
To download the application metadata or certificate from Azure AD, follow these
Azure AD doesnΓÇÖt provide a URL to get the metadata. The metadata can only be retrieved as a XML file. ## Customize SAML claims sent to an application+ To learn how to customize the SAML attribute claims sent to your application, see [Claims mapping in Azure Active Directory](../develop/active-directory-claims-mapping.md) for more information. ## Next steps
-* [Quickstart Series on Application Management](view-applications-portal.md)
+
+- [Quickstart Series on Application Management](view-applications-portal.md)
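Review bot: the unchanged context line in this hunk, `Azure AD doesn't provide a URL to get the metadata. The metadata can only be retrieved as a XML file.`, is outdated: the SAML Signing Certificate section that step 8 points readers to also exposes an App Federation Metadata Url, and that URL is what service providers use to pick up a rolled-over signing certificate without a manual re-upload. Since this hunk already touches the section, correct the statement while you are here and fix `a XML file` to `an XML file`.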
active-directory View Applications Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/view-applications-portal.md
To view applications that have been registered in your Azure AD tenant, you need
[!INCLUDE [cloud-shell-try-it.md](../../../includes/cloud-shell-try-it.md)]
-To install and use the CLI locally, run Azure CLI version 2.0.4 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).
+To install and use the CLI locally, run Azure CLI version 2.0.4 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).
## Find the list of applications in your tenant
active-directory Ways Users Get Assigned To Applications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/ways-users-get-assigned-to-applications.md
# Understand how users are assigned to apps in Azure Active Directory+ This article help you to understand how users get assigned to an application in your tenant. ## How do users get assigned to an application in Azure AD?+ For a user to access an application, they must first be assigned to it in some way. Assignment can be performed by an administrator, a business delegate, or sometimes, the user themselves. Below describes the ways users can get assigned to applications:
-* An administrator [assigns a user](./assign-user-or-group-access-portal.md) to the application directly
-* An administrator [assigns a group](./assign-user-or-group-access-portal.md) that the user is a member of to the application, including:
- * A group that was synchronized from on-premises
- * A static security group created in the cloud
- * A [dynamic security group](../enterprise-users/groups-dynamic-membership.md) created in the cloud
- * A Microsoft 365 group created in the cloud
- * The [All Users](../fundamentals/active-directory-groups-create-azure-portal.md) group
-* An administrator enables [Self-service Application Access](./manage-self-service-access.md) to allow a user to add an application using [My Apps](../user-help/my-apps-portal-end-user-access.md) **Add App** feature **without business approval**
-* An administrator enables [Self-service Application Access](./manage-self-service-access.md) to allow a user to add an application using [My Apps](../user-help/my-apps-portal-end-user-access.md) **Add App** feature, but only **with prior approval from a selected set of business approvers**
-* An administrator enables [Self-service Group Management](../enterprise-users/groups-self-service-management.md) to allow a user to join a group that an application is assigned to **without business approval**
-* An administrator enables [Self-service Group Management](../enterprise-users/groups-self-service-management.md) to allow a user to join a group that an application is assigned to, but only **with prior approval from a selected set of business approvers**
-* An administrator assigns a license to a user directly for a first party application, like [Microsoft 365](https://products.office.com/)
-* An administrator assigns a license to a group that the user is a member of to a first party application, like [Microsoft 365](https://products.office.com/)
-* An [administrator consents to an application](../develop/howto-convert-app-to-be-multi-tenant.md) to be used by all users and then a user signs in to the application
+* An administrator [assigns a user](./assign-user-or-group-access-portal.md) to the application directly
+* An administrator [assigns a group](./assign-user-or-group-access-portal.md) that the user is a member of to the application, including:
+
+ * A group that was synchronized from on-premises
+ * A static security group created in the cloud
+ * A [dynamic security group](../enterprise-users/groups-dynamic-membership.md) created in the cloud
+ * A Microsoft 365 group created in the cloud
+ * The [All Users](../fundamentals/active-directory-groups-create-azure-portal.md) group
+* An administrator enables [Self-service Application Access](./manage-self-service-access.md) to allow a user to add an application using [My Apps](../user-help/my-apps-portal-end-user-access.md) **Add App** feature **without business approval**
+* An administrator enables [Self-service Application Access](./manage-self-service-access.md) to allow a user to add an application using [My Apps](../user-help/my-apps-portal-end-user-access.md) **Add App** feature, but only **with prior approval from a selected set of business approvers**
+* An administrator enables [Self-service Group Management](../enterprise-users/groups-self-service-management.md) to allow a user to join a group that an application is assigned to **without business approval**
+* An administrator enables [Self-service Group Management](../enterprise-users/groups-self-service-management.md) to allow a user to join a group that an application is assigned to, but only **with prior approval from a selected set of business approvers**
+* An administrator assigns a license to a user directly for a first party application, like [Microsoft 365](https://products.office.com/)
+* An administrator assigns a license to a group that the user is a member of to a first party application, like [Microsoft 365](https://products.office.com/)
+* An [administrator consents to an application](../develop/howto-convert-app-to-be-multi-tenant.md) to be used by all users and then a user signs in to the application
* A user [consents to an application](../develop/howto-convert-app-to-be-multi-tenant.md) themselves by signing in to the application ## Next steps+ * [Quickstart Series on Application Management](view-applications-portal.md) * [What is application management?](what-is-application-management.md)
-* [What is single sign-on?](what-is-single-sign-on.md)
+* [What is single sign-on?](what-is-single-sign-on.md)
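Review bot: the reindented list is valid Markdown, but the last two bullets (an administrator consents for all users, a user consents by signing in) describe paths where nobody is assigned to the app at all, and the article never says what governs them. Add a sentence stating that those consent paths only grant access when the enterprise application's `User assignment required?` property is `No`, and that setting it to `Yes` is what makes the assignment methods listed above the actual access boundary. Without it a reader can conclude that auditing assignments alone tells them who can sign in.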
active-directory What Is Access Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/what-is-access-management.md
Azure AD provides [several customizable ways to deploy applications](end-user-ex
You can determine whether users assigned to an enterprise app can see it in My Apps and Microsoft 365 application launcher. ## Example: Complex application assignment with Azure AD+ Consider an application like Salesforce. In many organizations, Salesforce is primarily used by the marketing and sales teams. Often, members of the marketing team have highly privileged access to Salesforce, while members of the sales team have limited access. In many cases, a broad population of information workers has restricted access to the application. Exceptions to these rules complicate matters. It's often the prerogative of the marketing or sales leadership teams to grant a user access or change their roles independently of these generic rules. With Azure AD, applications like Salesforce can be pre-configured for single sign-on (SSO) and automated provisioning. Once the application is configured, an Administrator can take the one-time action to create and assign the appropriate groups. In this example, an administrator could execute the following assignments:
Microsoft Applications (like Exchange, SharePoint, Yammer, etc.) are assigned an
There are three main ways that a user can get access to a Microsoft-published application. -- For applications in the Microsoft 365 or other paid suites, users are granted access through **license assignment** either directly to their user account, or through a group using our group-based license assignment capability.-- For applications that Microsoft or a 3rd party publishes freely for anyone to use, users may be granted access through [user consent](configure-user-consent.md). This means that they sign in to the application with their Azure AD Work or School account and allow it to have access to some limited set of data on their account.-- For applications that Microsoft or a 3rd party publishes freely for anyone to use, users may also be granted access through [administrator consent](manage-consent-requests.md). This means that an administrator has determined the application may be used by everyone in the organization, so they sign in to the application with a Global Administrator account and grant access to everyone in the organization.
+* For applications in the Microsoft 365 or other paid suites, users are granted access through **license assignment** either directly to their user account, or through a group using our group-based license assignment capability.
+* For applications that Microsoft or a 3rd party publishes freely for anyone to use, users may be granted access through [user consent](configure-user-consent.md). This means that they sign in to the application with their Azure AD Work or School account and allow it to have access to some limited set of data on their account.
+
+* For applications that Microsoft or a 3rd party publishes freely for anyone to use, users may also be granted access through [administrator consent](manage-consent-requests.md). This means that an administrator has determined the application may be used by everyone in the organization, so they sign in to the application with a Global Administrator account and grant access to everyone in the organization.
Some applications combine these methods. For example, certain Microsoft applications are part of a Microsoft 365 subscription, but still require consent.
-Users can access Microsoft 365 applications through their Office 365 portals. You can also show or hide Microsoft 365 applications in the My Apps with the [Office 365 visibility toggle](hide-application-from-user-portal.md) in your directory's **User settings**.
+Users can access Microsoft 365 applications through their Office 365 portals. You can also show or hide Microsoft 365 applications in the My Apps with the [Office 365 visibility toggle](hide-application-from-user-portal.md) in your directory's **User settings**.
As with enterprise apps, you can [assign users](assign-user-or-group-access-portal.md) to certain Microsoft applications via the Azure portal or, if the portal option isn't available, by using PowerShell. ## Next steps+ * [Protecting apps with Conditional Access](../conditional-access/concept-conditional-access-cloud-apps.md) * [Self-service group management/SSAA](../enterprise-users/groups-self-service-management.md)
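Review bot: the administrator-consent bullet says the admin signs in with a Global Administrator account, which overstates the privilege needed: tenant-wide admin consent for most permissions can be granted from the Application Administrator or Cloud Application Administrator roles, and a page about access management should not steer readers to Global Administrator for a routine task. Also, the blank line added between the second and third `*` bullets, with none between the first and second, makes the list spacing inconsistent; remove it.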
active-directory What Is Application Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/what-is-application-management.md
# What is application management?
-Azure AD is an Identity and Access Management (IAM) system. It provides a single place to store information about digital identities. You can configure your software applications to use Azure AD as the place where user information is stored.
+Azure AD is an Identity and Access Management (IAM) system. It provides a single place to store information about digital identities. You can configure your software applications to use Azure AD as the place where user information is stored.
Azure AD must be configured to integrate with an application. In other words, it needs to know what apps are using it for identities. Making Azure AD aware of these apps, and how it should handle them, is known as application management.
You manage applications on the **Enterprise applications** page located in the M
![The Enterprise applications option under the Manage section of the Azure AD portal.](media/what-is-application-management/enterprise-applications-in-nav.png) ## What is an Identity and Access Management (IAM) system?+ An application is a piece of software that is used for some purpose. Most apps require users to sign in. A centralized identity system provides a single place to store user information that can then be used by all applications. These systems have come to be known as Identity and Access Management (IAM) systems. Azure Active Directory is the IAM system for the Microsoft cloud.
Organizations often have hundreds of applications that users depend on to get th
## How does Azure AD work with apps?
-Azure AD sits in the middle and provides identity management for cloud and on-premises apps.
+Azure AD sits in the middle and provides identity management for cloud and on-premises apps.
![Diagram that shows apps federated via Azure AD](media/what-is-application-management/app-management-overview.png) >[!TIP]
->Reduce administrative costs by [automating user provisioning](../app-provisioning/user-provisioning.md) so that users are automatically added to Azure AD when you add them to your company HR system.
+>Reduce administrative costs by [automating user provisioning](../app-provisioning/user-provisioning.md) so that users are automatically added to Azure AD when you add them to your company HR system.
## What types of applications can I integrate with Azure AD?
-You can use Azure AD as your identity system for just about any app. Many apps are already pre-configured and can be set up with minimal effort. These pre-configured apps are published in the [Azure AD App Gallery](/azure/active-directory/saas-apps/).
+You can use Azure AD as your identity system for just about any app. Many apps are already pre-configured and can be set up with minimal effort. These pre-configured apps are published in the [Azure AD App Gallery](/azure/active-directory/saas-apps/).
-You can manually configure most apps for single sign-on if they aren't already in the gallery. Azure AD provides several SSO options. Some of the most popular are SAML-based SSO and OIDC-based SSO. To learn more about integrating apps to enable SSO, see [single sign-on options](sso-options.md).
+You can manually configure most apps for single sign-on if they aren't already in the gallery. Azure AD provides several SSO options. Some of the most popular are SAML-based SSO and OIDC-based SSO. To learn more about integrating apps to enable SSO, see [single sign-on options](sso-options.md).
Does your organization use on-premises apps? You can integrate them using App Proxy. To learn more, see [Provide remote access to on-premises applications through Azure AD's Application Proxy](../app-proxy/application-proxy.md).
Does your organization use on-premises apps? You can integrate them using App Pr
## Manage risk with Conditional Access policies
-Coupling Azure AD single sign-on (SSO) with [Conditional Access](../conditional-access/concept-conditional-access-cloud-apps.md) provides high levels of security for accessing applications. Conditional Access policies provide granular control to apps based on conditions you set.
+Coupling Azure AD single sign-on (SSO) with [Conditional Access](../conditional-access/concept-conditional-access-cloud-apps.md) provides high levels of security for accessing applications. Conditional Access policies provide granular control to apps based on conditions you set.
## Improve productivity with single sign-on
For Human Resources focused applications, or other applications with a large set
- [Quickstart Series on Application Management](view-applications-portal.md) - [Get started with application integration](plan-an-application-integration.md)-- [Learn how to automate provisioning](../app-provisioning/user-provisioning.md)
+- [Learn how to automate provisioning](../app-provisioning/user-provisioning.md)
active-directory What Is Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/what-is-single-sign-on.md
Single sign-on means a user doesn't have to sign in to every application they use. The user logs in once and that credential is used for other apps too.
-If you're an end user, you likely don't care much about SSO details. You just want to use the apps that make you productive without having to type your password so much. You can find your apps at: https://myapps.microsoft.com.
-
+If you're an end user, you likely don't care much about SSO details. You just want to use the apps that make you productive without having to type your password so much. You can find your apps at: <https://myapps.microsoft.com>.
+ If you're an administrator, or IT professional, then read on to learn more about SSO and how it's implemented in Azure. ## Single sign-on basics+ Single sign-on provides a giant leap forward in how users sign in and use applications. Single sign-on based authentication systems are often called "modern authentication". Modern authentication and single sign-on fall into a category of computing called Identity and Access Management (IAM). To understand what makes single sign-on possible, check out this video. Authentication fundamentals: The basics | Azure Active Directory
Authentication fundamentals: The basics | Azure Active Directory
> [!VIDEO https://www.youtube.com/embed/fbSVgC8nGz4] ## Single sign-on with web applications+ Web applications are incredibly popular. Web apps are hosted by various companies and made available as a service. Some popular examples of web apps include Microsoft 365, GitHub, and Salesforce, and there are thousands of others. People access web apps using a web browser on their computer. Single sign-on makes it possible for people to navigate between the various web apps without having to sign in multiple times. To learn about how single sign-on works with web apps, check out these two videos.
Authentication fundamentals: Web single sign-on | Azure Active Directory
> [!VIDEO https://www.youtube.com/embed/51B-jSOBF8U] ## Cloud versus on-premises hosted apps+ How you implement single sign-on depends on where the app is hosted. Hosting matters because of the way network traffic is routed to access the app. If an app is hosted and accessed over your local network, called an on-premises app, then there is no need for users to access the Internet to use the app. If the app is hosted somewhere else, called a cloud hosted app, then users will need to access the Internet in order to use the app. > [!TIP]
-> Cloud hosted apps are also called Software as a Service (SaaS) apps.
+> Cloud hosted apps are also called Software as a Service (SaaS) apps.
Single sign-on for cloud hosted apps are straightforward. You let the identity provider know it's being used for the app. And then you configure the app to trust the identity provider. To learn how to use Azure AD as an identity provider for an app, see the [Quickstart Series on Application Management](add-application-portal.md).
Single sign-on for cloud hosted apps are straightforward. You let the identity p
You can also use single sign-on for on-premises based apps. The technology to make on-premises SSO happen is called Application Proxy. To learn more about it, see [Single sign-on options](sso-options.md). ## Multiple identity providers+ When you set up single sign-on to work between multiple identity providers, it's called federation. To learn how federation works, check out this video. Authentication fundamentals: Federation | Azure Active Directory > [!VIDEO https://www.youtube.com/embed/CjarTgjKcX8] - ## Next steps+ * [Quickstart Series on Application Management](view-applications-portal.md) * [Single sign-on options](sso-options.md)
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/whats-new-docs.md
Welcome to what's new in Azure Active Directory application management documenta
- [Azure Active Directory application management: What's new](whats-new-docs.md) - ## April 2021 ### New articles
Welcome to what's new in Azure Active Directory application management documenta
- [Use tenant restrictions to manage access to SaaS cloud applications](tenant-restrictions.md) - [Integrating Azure Active Directory with applications getting started guide](plan-an-application-integration.md) - ## March 2021 ### New articles
Welcome to what's new in Azure Active Directory application management documenta
- [Configure Azure Active Directory sign in behavior for an application by using a Home Realm Discovery policy](configure-authentication-for-federated-users-portal.md) - [Moving application authentication from Active Directory Federation Services to Azure Active Directory](migrate-adfs-apps-to-azure.md) - ## February 2021 ### New articles
Welcome to what's new in Azure Active Directory application management documenta
- [Grant tenant-wide admin consent to an application](grant-admin-consent.md) - [Moving application authentication from Active Directory Federation Services to Azure Active Directory](migrate-adfs-apps-to-azure.md) - [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md)-- [Use tenant restrictions to manage access to SaaS cloud applications](tenant-restrictions.md)
+- [Use tenant restrictions to manage access to SaaS cloud applications](tenant-restrictions.md)
active-directory Howto Integrate Activity Logs With Log Analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md
na Previously updated : 06/11/2021 Last updated : 07/09/2021
Use the integration of Azure AD activity logs in Azure Monitor logs to perform t
* Compare your Azure AD sign-in logs against security logs published by Azure Security Center. * Troubleshoot performance bottlenecks on your applicationΓÇÖs sign-in page by correlating application performance data from Azure Application Insights.+
+ * Analyze Identity Protection risky users and risk detections logs to detect threats in your environment (public preview)
* Identify sign-ins from applications that use the Active Directory Authentication Library (ADAL) for authentication. [ADAL is nearing end-of-support](../develop/msal-migration.md).
You can route audit activity logs and sign-in activity logs to Azure Monitor log
* **Audit logs**: The [audit logs activity report](concept-audit-logs.md) gives you access to the history of every task that's performed in your tenant. * **Sign-in logs**: With the [sign-in activity report](concept-sign-ins.md), you can determine who performed the tasks that are reported in the audit logs. * **Provisioning logs**: With the [provisioning logs](../app-provisioning/application-provisioning-log-analytics.md), you can monitor which users have been created, updated, and deleted in all your third-party applications.
+* **Risky users logs (public preview)**: With the [risky users logs](../identity-protection/howto-identity-protection-investigate-risk.md#risky-users), you can monitor changes in user risk level and remediation activity.
+* **Risk detections logs (public preview)**: With the [risk detections logs](../identity-protection/howto-identity-protection-investigate-risk.md#risk-detections), you can monitor user's risk detections and analyze trends in risk activity detected in your organization.
> [!NOTE] > Azure AD B2C audit and sign-in activity logs are currently unsupported.
If you want to know for how long the activity data is stored in a Premium tenant
4. Select the Log Analytics workspace you want to send the logs to, or create a new workspace in the provided dialog box.
-5. Do either or both of the following:
+5. Do any or all of the following:
* To send audit logs to the Log Analytics workspace, select the **AuditLogs** check box. * To send sign-in logs to the Log Analytics workspace, select the **SignInLogs** check box.
+ * To send non-interactive user sign-in logs to the Log Analytics workspace, select the **NonInteractiveUserSignInLogs** check box.
+ * To send service principle sign-in logs to the Log Analytics workspace, select the **ServicePrincipleSignInLogs** check box.
+ * To send managed identity sign-in logs to the Log Analytics workspace, select the **ManagedIdentitySignInLogs** check box.
+ * To send provisioning logs to the Log Analytics workspace, select the **ProvisioningLogs** check box.
+ * To send Active Directory Federation Services (ADFS) sign-in logs to the Log Analytics workspace, select **ADFSSignInLogs**.
+ * To send risky users logs to the Log Analytics workspace, select the **RiskyUsers** check box. (public preview)
+ * To send risk detections logs to the Log Analytics workspace, select the **UserRiskEvents** check box. (public preview)
6. Select **Save** to save the setting.
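Review bot: "service principle sign-in logs" and the check box name **ServicePrincipleSignInLogs** in the diagnostic-setting list are misspelled; the category is **ServicePrincipalSignInLogs** and the prose should read "service principal", otherwise readers searching the portal for the listed name will not find it. Smaller consistency points in the same list and the bullets above it: the **ADFSSignInLogs** bullet alone omits "check box"; the "(public preview)" tag on the last two bullets sits after the full stop while the earlier bullets put it in the heading text; and "monitor user's risk detections" should be "monitor users' risk detections". Since the two new risk categories are the ones an analyst joins against **SignInLogs** when investigating, it is also worth saying that they are only populated in tenants where Identity Protection is licensed, if that is the case.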
active-directory My Applications Portal Workspaces https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/user-help/my-applications-portal-workspaces.md
Collections are different app views you see in the **My Apps** portal. Apps can
## Access apps using collections
-The list of collections in the **My Apps** portal defaults to show one named **All Apps**, which has every app you have access to:
+The list of collections in the **My Apps** portal defaults to show one named **Apps**:
![All apps page in the My Apps portal](media/my-applications-portal-workspaces/my-apps-all-apps.png)
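Review bot: the reworded sentence drops the explanation of what the default collection contains ("which has every app you have access to") and now ends in a colon that leads straight into the screenshot, so readers no longer learn what **Apps** shows; keep a clause such as "which lists every app you have access to". The image alt text and file name (`my-apps-all-apps.png`, "All apps page") still refer to the old **All Apps** name, so the screenshot and alt text should be refreshed to match the renamed collection.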
After you organize your apps into the various categories in the **My Apps** port
- [Manage your organizations](my-account-portal-organizations-page.md). Instructions about how to view and manage your organization-related information on the **Organizations** page of the **My Profile** portal. -- [Manage your connected devices](my-account-portal-devices-page.md). Instructions about how to manage the devices you're connected to using your work or school account, on the **Devices** page of the **My Profile** portal.
+- [Manage your connected devices](my-account-portal-devices-page.md). Instructions about how to manage the devices you're connected to using your work or school account, on the **Devices** page of the **My Profile** portal.
aks Azure Files Volume https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-files-volume.md
description: Learn how to manually create a volume with Azure Files for use with multiple concurrent pods in Azure Kubernetes Service (AKS) Previously updated : 03/01/2019 Last updated : 07/08/2021 #Customer intent: As a developer, I want to learn how to manually create and attach storage using Azure Files to a pod in AKS.
kubectl create secret generic azure-secret --from-literal=azurestorageaccountnam
``` ## Mount file share as an inline volume
-> Note: starting from 1.18.15, 1.19.7, 1.20.2, 1.21.0, secret namespace in inline `azureFile` volume can only be set as `default` namespace, to specify a different secret namespace, please use below persistent volume example instead.
+> Note: inline `azureFile` volume can only access secret in the same namespace as pod, to specify a different secret namespace, please use below persistent volume example instead.
To mount the Azure Files share into your pod, configure the volume in the container spec. Create a new file named `azure-files-pod.yaml` with the following contents. If you changed the name of the Files share or secret name, update the *shareName* and *secretName*. If desired, update the `mountPath`, which is the path where the Files share is mounted in the pod. For Windows Server containers, specify a *mountPath* using the Windows path convention, such as *'D:'*.
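Review bot: the rewritten note is a fragment ("can only access secret in the same namespace as pod") and reads better as "An inline `azureFile` volume can only reference a secret in the same namespace as the pod. To use a secret from a different namespace, use the persistent volume example below instead." Dropping the version qualifier (1.18.15, 1.19.7, 1.20.2, 1.21.0) is fine only if every AKS version still in support behaves this way; if not, say so, because on older patch levels the secret had to live in `default`. The reason is also worth one sentence: the secret created above with `kubectl create secret generic azure-secret --from-literal=azurestorageaccountnam...` carries the storage account credentials, and scoping the lookup to the pod's own namespace stops a pod from mounting a share with a key that belongs to another namespace; the persistent-volume route, which is cluster-scoped and administrator-managed, is the right place for cross-namespace references.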
aks Custom Node Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/custom-node-configuration.md
# Customize node configuration for Azure Kubernetes Service (AKS) node pools (preview)
-Customizing your node configuration allows you to configure or tune your operating system (OS) settings or the kubelet parameters to match the needs of the workloads. When you create an AKS cluster or add a node pool to your cluster, you can customize a subset of commonly used OS and kubelet settings. To configure settings beyond this subset, [use a daemon set to customize your needed configurations without loosing AKS support for your nodes](support-policies.md#shared-responsibility).
+Customizing your node configuration allows you to configure or tune your operating system (OS) settings or the kubelet parameters to match the needs of the workloads. When you create an AKS cluster or add a node pool to your cluster, you can customize a subset of commonly used OS and kubelet settings. To configure settings beyond this subset, [use a daemon set to customize your needed configurations without losing AKS support for your nodes](support-policies.md#shared-responsibility).
## Register the `CustomNodeConfigPreview` preview feature
az aks nodepool add --name mynodepool1 --cluster-name myAKSCluster --resource-gr
[az-aks-nodepool-update]: https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview#enable-cluster-auto-scaler-for-a-node-pool [autoscaler-scaledown]: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#what-types-of-pods-can-prevent-ca-from-removing-a-node [autoscaler-parameters]: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#what-are-the-parameters-to-ca
-[kubernetes-faq]: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#ca-doesnt-work-but-it-used-to-work-yesterday-why
+[kubernetes-faq]: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#ca-doesnt-work-but-it-used-to-work-yesterday-why
api-management Api Management Howto Aad B2c https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-aad-b2c.md
Title: Authorize developer accounts by using Azure Active Directory B2C
-description: Learn how to authorize users by using Azure Active Directory B2C in API Management.
+description: Learn how to authorize users of the developer portal in Azure API Management by using Azure Active Directory B2C
- -- Previously updated : 11/04/2019+ Last updated : 07/07/2021 # How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management
-## Overview
-Azure Active Directory B2C is a cloud identity management solution for consumer-facing web and mobile applications. You can use it to manage access to your developer portal. This guide shows you the configuration that's required in your API Management service to integrate with Azure Active Directory B2C. For information about enabling access to the developer portal by using classic Azure Active Directory, see [How to authorize developer accounts using Azure Active Directory].
+Azure Active Directory B2C is a cloud identity management solution for consumer-facing web and mobile applications. You can use it to manage access to your API Management developer portal.
-> [!NOTE]
-> To complete the steps in this guide, you must first have an Azure Active Directory B2C tenant to create an application in. Also, you need to have signup and signin policies ready. For more information, see [Azure Active Directory B2C overview].
+This guide shows you the configuration that's required in your API Management service to integrate with Azure Active Directory B2C. If you are using the deprecated legacy developer portal, some steps differ, as noted in this article.
-
-## Authorize developer accounts by using Azure Active Directory B2C
-
-1. To get started, sign in to the [Azure portal](https://portal.azure.com) and locate your API Management instance.
-
- > [!NOTE]
- > If you haven't yet created an API Management service instance, see [Create an API Management service instance][Create an API Management service instance] in the [Get started with Azure API Management tutorial][Get started with Azure API Management].
-
-1. Under **Identities**. Click **+Add** at the top.
-
- The **Add identity provider** pane appears on the right. Choose **Azure Active Directory B2C**.
-
- ![Add AAD B2C as identity provider][api-management-howto-add-b2c-identity-provider]
-
-1. Copy the **Redirect URL**.
-
- ![AAD B2C identity provider redirect URL][api-management-howto-copy-b2c-identity-provider-redirect-url]
-
-1. In a new tab, access your Azure Active Directory B2C tenant in the Azure portal and open the **Applications** blade.
-
- ![Register a new application 1][api-management-howto-aad-b2c-portal-menu]
-
-1. Click the **Add** button to create a new Azure Active Directory B2C application.
-
- ![Register a new application 2][api-management-howto-aad-b2c-add-button]
-
-1. In the **New application** blade, enter a name for the application. Choose **Yes** under **Web App/Web API**, and choose **Yes** under **Allow implicit flow**. Then paste the **Redirect URL** copied in step 3 into the **Reply URL** text box.
+For information about enabling access to the developer portal by using classic Azure Active Directory, see [How to authorize developer accounts using Azure Active Directory](api-management-howto-aad.md).
- ![Register a new application 3][api-management-howto-aad-b2c-app-details]
+## Prerequisites
-1. If you're using the new developer portal (not the legacy developer portal), include the **Given Name**, **Surname**, and **User's Object ID** in the application claims.
+* An Azure Active Directory B2C tenant to create an application in. For more information, see [Azure Active Directory B2C overview](../active-directory-b2c/overview.md).
+* If you don't already have an API Management service, complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md)
- ![Application claims](./media/api-management-howto-aad-b2c/api-management-application-claims.png)
-
-1. Click the **Create** button. When the application is created, it appears in the **Applications** blade. Click the application name to see its details.
-
- ![Register a new application 4][api-management-howto-aad-b2c-app-created]
-
-1. From the **Properties** blade, copy the **Application ID** to the clipboard.
-
- ![Application ID 1][api-management-howto-aad-b2c-app-id]
-1. Switch back to the API Management **Add identity provider** pane and paste the ID into the **Client Id** text box.
-
-1. Switch back to the B2C app registration, click the **Keys** button, and then click **Generate key**. Click **Save** to save the configuration and display the **App key**. Copy the key to the clipboard.
+## Configure sign up and sign in user flow
+
+In this section, create a user flow in your Azure Active Directory B2C tenant containing both sign up and sign in policies. For detailed steps, see [Create user flows and custom policies in Azure Active Directory B2C](../active-directory-b2c/tutorial-create-user-flows.md?pivots=b2c-us).
+
+1. In the [Azure portal](https://portal.azure.com), access your Azure Active Directory B2C tenant.
+1. Under **Policies**, select **User flows** > **+ New user flow**.
+1. On the **Create a user flow** page, select the **Sign up and sign in** user flow.
+1. Provide the following information:
+ 1. Enter a unique name for the user flow.
+ 1. In **Identity providers**, select **Email signup**.
+ 1. In **User attributes and token claims**, select the attributes and claims needed for the API Management developer portal (not needed for the legacy developer portal).
+ ![Application claims](./media/api-management-howto-aad-b2c/api-management-application-claims.png)
+ * **Attributes**: Given Name, Surname
+ * **Claims**: Email Addresses, Given Name, Surname, UserΓÇÖs ObjectID
+1. Select **Create**.
+
+## Configure identity provider for developer portal
+
+1. In a separate [Azure portal](https://portal.azure.com) tab, navigate to your API Management instance.
+1. Under **Developer portal**, select **Identities** > **+ Add**.
+1. In the **Add identity provider** page, select **Azure Active Directory B2C**.
+1. In the **Add identity provider** window, copy the **Redirect URL**.
+
+ :::image type="content" source="media/api-management-howto-aad-b2c/b2c-identity-provider-redirect-url.png" alt-text="Copy redirect URL":::
+
+1. Return to the browser tab for your Azure Active Directory B2C tenant in the Azure portal. Select **App registrations** > **+ New registration**.
+1. In the **Register an application** page, enter your application's registration information.
+ * In the **Name** section, enter an application name of your choosing.
+ * In the **Supported account types** section, choose the type of accounts that are appropriate for your scenario. To target a wide set of customers, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**. For more information, see [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application).
+ * In **Redirect URI**, enter the Redirect URL your copied from your API Management instance.
+ * In **Permissions**, select **Grant admin consent to openid and offline_access permissions.**
+ * Select **Register** to create the application.
+
+ :::image type="content" source="media/api-management-howto-aad-b2c/b2c-app-registration.png" alt-text="Register a new application":::
+
+1. On the app **Overview** page, find the **Application (client) ID** and copy the value to the clipboard.
+
+ :::image type="content" source="media/api-management-howto-aad-b2c/b2c-app-id.png" alt-text="Application ID":::
+1. Switch back to the API Management **Add identity provider** page and paste the ID into the **Client Id** text box.
+1. Switch back to the B2C app registration. Select **Certificates & secrets** > **+ New client secret**.
+ :::image type="content" source="media/api-management-howto-aad-b2c/generate-app-key.png" alt-text="Create client secret":::
+ * In the **Add a client secret** page, enter a **Description** and select **Add**.
+ * Record the key in a safe location. This secret value is never displayed again after you leave this page.
+1. Switch back to the API Management **Add identity provider** page, and paste the key into the **Client secret** text box.
+1. Switch back to the B2C app registration. In the left menu, under **Manage**, select **Authentication**.
+ * Under **Implicit grant**, select the **Access tokens** check box.
+ * Select **Save**.
+1. Switch back in the API Management **Add identity provider** page.
+ * In **Signin tenant**, specify the domain name of the Azure Active Directory B2C tenant.
+ * The **Authority** field lets you control the Azure AD B2C login URL to use. Set the value to **<your_b2c_tenant_name>.b2clogin.com**.
+ * Specify the **Signup Policy** and **Signin Policy** from the B2C tenant policies.
+ * Optionally provide the **Profile Editing Policy** and **Password Reset Policy**.
+
+ :::image type="content" source="media/api-management-howto-aad-b2c/add-identity-provider.png" alt-text="Active Directory B2c identity provider configuration":::
+1. After you've specified the desired configuration, select **Add**.
+
+After the changes are saved, developers will be able to create new accounts and sign in to the developer portal by using Azure Active Directory B2C.
- ![App key 1][api-management-howto-aad-b2c-app-key]
+## Developer portal - add Azure AD B2C account authentication
-1. Switch back to the API Management **Add identity provider** pane and paste the key into the **Client Secret** text box.
-
-1. Specify the domain name of the Azure Active Directory B2C tenant in **Signin tenant**.
+> [!IMPORTANT]
+> You need to [republish the developer portal](api-management-howto-developer-portal-customize.md#publish) when you create or update Azure Active Directory B2C configuration settings for the changes to take effect.
-1. The **Authority** field let you control the Azure AD B2C login URL to use. Set the value to **<your_b2c_tenant_name>.b2clogin.com**.
+In the developer portal, sign-in with Azure AD B2C is possible with the **Sign-in button: OAuth** widget. The widget is already included on the sign-in page of the default developer portal content.
-1. Specify the **Signup Policy** and **Signin Policy** from the B2C Tenant policies. Optionally, you can also provide the **Profile Editing Policy** and **Password Reset Policy**.
+1. To sign in by using Azure Active Directory B2C, open a new browser window and go to the developer portal. Select **Sign in**.
-1. After you've specified the desired configuration, click **Save**.
+1. On the **Sign in** page, select **Azure Active Directory B2C**.
- After the changes are saved, developers will be able to create new accounts and sign in to the developer portal by using Azure Active Directory B2C.
+ :::image type="content" source="media/api-management-howto-aad-b2c/developer-portal-sign-in.png" alt-text="Sign in to developer portal":::
+1. You're redirected to the signup policy that you configured in the previous section. Choose to sign up by using your email address in the Active Directory B2C tenant
-## Developer portal - add Azure AD B2C account authentication
+When the signup is complete, you're redirected back to the developer portal. You're now signed in to the developer portal for your API Management service instance.
-In the developer portal, sign-in with AAD B2C is possible with the **Sign-in button: OAuth** widget. The widget is already included on the sign-in page of the default developer portal content.
-Although a new account will be automatically created whenever a new user signs in with AAD B2C, you may consider adding the same widget to the sign-up page.
+Although a new account is automatically created whenever a new user signs in with Azure AD B2C, you may consider adding the same widget to the sign-up page.
The **Sign-up form: OAuth** widget represents a form used for signing up with OAuth.
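Review bot: the step "Under **Implicit grant**, select the **Access tokens** check box" turns on the implicit flow without saying why. Implicit-grant access tokens are returned in the URL fragment and the OAuth 2.0 Security Best Current Practice recommends against issuing them; state which component consumes them (presumably the developer portal's **Sign-in button: OAuth** widget), whether **ID tokens** alone would suffice, and that readers should leave the option off if it is not required. Smaller points in the same procedure: "enter the Redirect URL your copied" should be "you copied"; "Switch back in the API Management **Add identity provider** page" should be "Switch back to"; the registration step does not say which platform (Web) to pick for the Redirect URI; and `**<your_b2c_tenant_name>.b2clogin.com**` will lose the placeholder in the rendered page because Markdown treats `<your_b2c_tenant_name>` as an HTML tag, so escape the brackets or use code formatting. The final sign-up step "Choose to sign up by using your email address in the Active Directory B2C tenant" is missing its full stop, and the user flow above enables only **Email signup**, so the legacy-portal text that still promises "or one of your existing social accounts" no longer matches the configuration this article produces.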
-> [!IMPORTANT]
-> You need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the AAD changes to take effect.
- ## Legacy developer portal - how to sign up with Azure AD B2C [!INCLUDE [api-management-portal-legacy.md](../../includes/api-management-portal-legacy.md)]
-1. To sign up for a developer account by using Azure Active Directory B2C, open a new browser window and go to the developer portal. Click the **Sign up** button.
-
- ![Developer portal 1][api-management-howto-aad-b2c-dev-portal]
+1. To sign up for a developer account by using Azure AD B2C, open a new browser window and go to the legacy developer portal. Click the **Sign up** button.
-2. Choose to sign up with **Azure Active Directory B2C**.
+ :::image type="content" source="media/api-management-howto-aad-b2c/b2c-dev-portal.png" alt-text="Sign up in legacy developer portal":::
+1. Choose to sign up with **Azure Active Directory B2C**.
- ![Developer portal 2][api-management-howto-aad-b2c-dev-portal-b2c-button]
+ :::image type="content" source="media/api-management-howto-aad-b2c/b2c-dev-portal-b2c-button.png" alt-text="Sign up with Azure Active Directory B2C":::
3. You're redirected to the signup policy that you configured in the previous section. Choose to sign up by using your email address or one of your existing social accounts. > [!NOTE] > If Azure Active Directory B2C is the only option that's enabled on the **Identities** tab in the publisher portal, you'll be redirected to the signup policy directly.
- ![Developer portal][api-management-howto-aad-b2c-dev-portal-b2c-options]
+ :::image type="content" source="media/api-management-howto-aad-b2c/b2c-dev-portal-b2c-options.png" alt-text="Sign up options in legacy developer portal":::
When the signup is complete, you're redirected back to the developer portal. You're now signed in to the developer portal for your API Management service instance.
- ![Registration complete][api-management-registration-complete]
- ## Next steps * [Azure Active Directory B2C overview]
The **Sign-up form: OAuth** widget represents a form used for signing up with OA
* [Use a Facebook account as an identity provider in Azure Active Directory B2C] -
-[api-management-howto-add-b2c-identity-provider]: ./media/api-management-howto-aad-b2c/api-management-add-b2c-identity-provider.PNG
-[api-management-howto-copy-b2c-identity-provider-redirect-url]: ./media/api-management-howto-aad-b2c/api-management-b2c-identity-provider-redirect-url.PNG
-[api-management-howto-aad-b2c-portal-menu]: ./media/api-management-howto-aad-b2c/api-management-b2c-portal-menu.PNG
-[api-management-howto-aad-b2c-add-button]: ./media/api-management-howto-aad-b2c/api-management-b2c-add-button.PNG
-[api-management-howto-aad-b2c-app-details]: ./media/api-management-howto-aad-b2c/api-management-b2c-app-details.PNG
-[api-management-howto-aad-b2c-app-created]: ./media/api-management-howto-aad-b2c/api-management-b2c-app-created.PNG
-[api-management-howto-aad-b2c-app-id]: ./media/api-management-howto-aad-b2c/api-management-b2c-app-id.PNG
-[api-management-howto-aad-b2c-client-id]: ./media/api-management-howto-aad-b2c/api-management-b2c-client-id.PNG
-[api-management-howto-aad-b2c-app-key]: ./media/api-management-howto-aad-b2c/api-management-b2c-app-key.PNG
-[api-management-howto-aad-b2c-app-key-saved]: ./media/api-management-howto-aad-b2c/api-management-b2c-app-key-saved.PNG
-[api-management-howto-aad-b2c-client-secret]: ./media/api-management-howto-aad-b2c/api-management-b2c-client-secret.PNG
-[api-management-howto-aad-b2c-allowed-tenant]: ./media/api-management-howto-aad-b2c/api-management-b2c-allowed-tenant.PNG
-[api-management-howto-aad-b2c-policies]: ./media/api-management-howto-aad-b2c/api-management-b2c-policies.PNG
-[api-management-howto-aad-b2c-dev-portal]: ./media/api-management-howto-aad-b2c/api-management-b2c-dev-portal.PNG
-[api-management-howto-aad-b2c-dev-portal-b2c-button]: ./media/api-management-howto-aad-b2c/api-management-b2c-dev-portal-b2c-button.PNG
-[api-management-howto-aad-b2c-dev-portal-b2c-options]: ./media/api-management-howto-aad-b2c/api-management-b2c-dev-portal-b2c-options.PNG
-[api-management-complete-registration]: ./media/api-management-howto-aad/api-management-complete-registration.PNG
-[api-management-registration-complete]: ./media/api-management-howto-aad/api-management-registration-complete.png
-
-[api-management-security-external-identities]: ./media/api-management-howto-aad/api-management-b2c-security-tab.png
-[api-management-security-aad-new]: ./media/api-management-howto-aad/api-management-security-aad-new.png
-[api-management-new-aad-application-menu]: ./media/api-management-howto-aad/api-management-new-aad-application-menu.png
-[api-management-new-aad-application-1]: ./media/api-management-howto-aad/api-management-new-aad-application-1.png
-[api-management-new-aad-application-2]: ./media/api-management-howto-aad/api-management-new-aad-application-2.png
-[api-management-new-aad-app-created]: ./media/api-management-howto-aad/api-management-new-aad-app-created.png
-[api-management-aad-app-permissions]: ./media/api-management-howto-aad/api-management-aad-app-permissions.png
-[api-management-aad-app-client-id]: ./media/api-management-howto-aad/api-management-aad-app-client-id.png
-[api-management-client-id]: ./media/api-management-howto-aad/api-management-client-id.png
-[api-management-aad-key-before-save]: ./media/api-management-howto-aad/api-management-aad-key-before-save.png
-[api-management-aad-key-after-save]: ./media/api-management-howto-aad/api-management-aad-key-after-save.png
-[api-management-client-secret]: ./media/api-management-howto-aad/api-management-client-secret.png
-[api-management-client-allowed-tenants]: ./media/api-management-howto-aad/api-management-client-allowed-tenants.png
-[api-management-client-allowed-tenants-save]: ./media/api-management-howto-aad/api-management-client-allowed-tenants-save.png
-[api-management-aad-delegated-permissions]: ./media/api-management-howto-aad/api-management-aad-delegated-permissions.png
-[api-management-dev-portal-signin]: ./media/api-management-howto-aad/api-management-dev-portal-signin.png
-[api-management-aad-signin]: ./media/api-management-howto-aad/api-management-aad-signin.png
-[api-management-aad-app-multi-tenant]: ./media/api-management-howto-aad/api-management-aad-app-multi-tenant.png
-[api-management-aad-reply-url]: ./media/api-management-howto-aad/api-management-aad-reply-url.png
-[api-management-permissions-form]: ./media/api-management-howto-aad/api-management-permissions-form.png
-[api-management-configure-product]: ./media/api-management-howto-aad/api-management-configure-product.png
-[api-management-add-groups]: ./media/api-management-howto-aad/api-management-add-groups.png
-[api-management-select-group]: ./media/api-management-howto-aad/api-management-select-group.png
-[api-management-aad-groups-list]: ./media/api-management-howto-aad/api-management-aad-groups-list.png
-[api-management-aad-group-added]: ./media/api-management-howto-aad/api-management-aad-group-added.png
-[api-management-groups]: ./media/api-management-howto-aad/api-management-groups.png
-[api-management-edit-group]: ./media/api-management-howto-aad/api-management-edit-group.png
- [How to add operations to an API]: ./mock-api-responses.md [How to add and publish a product]: api-management-howto-add-products.md [Monitoring and analytics]: api-management-monitoring.md
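Review bot: the removed block of reference-link definitions includes the entire `./media/api-management-howto-aad/...` set (from `api-management-security-external-identities` through `api-management-edit-group`), none of which is referenced anywhere in this article, so deleting them is safe and overdue; the image references that were in use were converted to `:::image:::` syntax above. Before merging, confirm that the definitions for `[Azure Active Directory B2C overview]` and `[Use a Facebook account as an identity provider in Azure Active Directory B2C]` survive below this block, since the **Next steps** list still uses reference-style links for them and a missing definition renders as literal bracketed text.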
api-management Zone Redundancy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/zone-redundancy.md
Previously updated : 05/07/2021 Last updated : 07/08/2021
Configuring API Management for zone redundancy is currently supported in the fol
* France Central * Japan East * North Europe
+* South Africa North
* South Central US * Southeast Asia * UK South
app-service Tutorial Python Postgresql App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-python-postgresql-app.md
Title: 'Tutorial: Deploy a Python Django app with Postgres'
description: Create a Python web app with a PostgreSQL database and deploy it to Azure. The tutorial uses the Django framework and the app is hosted on Azure App Service on Linux. ms.devlang: python Previously updated : 02/02/2021 Last updated : 07/02/2021
+zone_pivot_groups: postgres-server-options
# Tutorial: Deploy a Django web app with PostgreSQL in Azure App Service
-This tutorial shows how to deploy a data-driven Python [Django](https://www.djangoproject.com/) web app to [Azure App Service](overview.md) and connect it to an Azure Database for Postgres database. App Service provides a highly scalable, self-patching web hosting service.
+
+This tutorial shows how to deploy a data-driven Python [Django](https://www.djangoproject.com/) web app to [Azure App Service](overview.md) and connect it to an Azure Database for Postgres database. You can also try the PostgresSQL Flexible Server (Preview) by selecting the option above. Flexible Server provides a simpler deployment mechanism and lower ongoing costs.
In this tutorial, you use the Azure CLI to complete the following tasks:
In this tutorial, you use the Azure CLI to complete the following tasks:
> * View diagnostic logs > * Manage the web app in the Azure portal
-You can also use the [Azure portal version of this tutorial](/azure/developer/python/tutorial-python-postgresql-app-portal).
+You can also use the [Azure portal version of this tutorial](/azure/developer/python/tutorial-python-postgresql-app-portal&pivots=postgres-single-server).
+++
+This tutorial shows how to deploy a data-driven Python [Django](https://www.djangoproject.com/) web app to [Azure App Service](overview.md) and connect it to an [Azure Database for PostgreSQL Flexible Server (Preview)](/azure/postgresql/flexible-server/) database. If you cannot use PostgreSQL Flexible Server (Preview), then select the Single Server option above.
+
+In this tutorial, you use the Azure CLI to complete the following tasks:
+
+> [!div class="checklist"]
+> * Set up your initial environment with Python and the Azure CLI
+> * Create an Azure Database for PostgreSQL Flexible Server database
+> * Deploy code to Azure App Service and connect to PostgreSQL Flexible Server
+> * Update your code and redeploy
+> * View diagnostic logs
+> * Manage the web app in the Azure portal
+
+You can also use the [Azure portal version of this tutorial](/azure/developer/python/tutorial-python-postgresql-app-portal&pivots=postgres-flexible-server).
## 1. Set up your initial environment
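Review bot: both portal-tutorial links, `/azure/developer/python/tutorial-python-postgresql-app-portal&pivots=postgres-single-server` and the `&pivots=postgres-flexible-server` variant, attach the pivot parameter with `&` directly after the path, so there is no `?` opening the query string and the pivot is either ignored or breaks the link; use `?pivots=postgres-single-server` and `?pivots=postgres-flexible-server`. Also "PostgresSQL Flexible Server (Preview)" in the new introduction should be "PostgreSQL Flexible Server (Preview)".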
Then navigate into that folder:
cd djangoapp ``` +
+For Flexible Server (Preview), use the flexible-server branch of the sample, which contains a few necessary changes, such as how the database server URL is set and adding `'OPTIONS': {'sslmode': 'require'}` to the Django database configuration as required by Azure PostgreSQL Flexible Server.
+
+```terminal
+git checkout flexible-server
+```
++ # [Download](#tab/download)
-Visit [https://github.com/Azure-Samples/djangoapp](https://github.com/Azure-Samples/djangoapp), select **Clone**, and then select **Download ZIP**.
+Visit [https://github.com/Azure-Samples/djangoapp](https://github.com/Azure-Samples/djangoapp).
+
+For Flexible Server (Preview), select the branches control that says "master" and select the flexible-server branch instead.
+
+Select **Clone**, and then select **Download ZIP**.
Unpack the ZIP file into a folder named *djangoapp*.
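Review bot: the sentence explaining the flexible-server branch says it adds `'OPTIONS': {'sslmode': 'require'}` "as required by Azure PostgreSQL Flexible Server", which deserves a one-line caveat: `require` only forces TLS, it does not verify the server certificate, so any certificate presented on the connection is accepted. `verify-full` together with an `sslrootcert` option pointing at the Azure root CA bundle is what actually authenticates the server, and that is the setting to recommend for anything beyond the tutorial. The sentence is also a long run-on; split it into one sentence about the database URL change and one about the SSL option.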
Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp).
## 3. Create Postgres database in Azure <!-- > [!NOTE] > Before you create an Azure Database for PostgreSQL server, check which [compute generation](../postgresql/concepts-pricing-tiers.md#compute-generations-and-vcores) is available in your region. -->
If the `az` command is not recognized, be sure you have the Azure CLI installed
Then create the Postgres database in Azure with the [`az postgres up`](/cli/azure/postgres#az_postgres_up) command: ```azurecli
-az postgres up --resource-group DjangoPostgres-tutorial-rg --location westus2 --sku-name B_Gen5_1 --server-name <postgres-server-name> --database-name pollsdb --admin-user <admin-username> --admin-password <admin-password> --ssl-enforcement Enabled
+az postgres up --resource-group DjangoPostgres-tutorial-rg --location centralus --sku-name B_Gen5_1 --server-name <postgres-server-name> --database-name pollsdb --admin-user <admin-username> --admin-password <admin-password> --ssl-enforcement Enabled
``` - **Replace** *\<postgres-server-name>* with a name that's **unique across all Azure** (the server endpoint becomes `https://<postgres-server-name>.postgres.database.azure.com`). A good pattern is to use a combination of your company name and another unique value.
When the command completes, it outputs a JSON object that contains different con
> [!TIP] > `-l <location-name>`, can be set to any one of the [Azure regions](https://azure.microsoft.com/global-infrastructure/regions/). You can get the regions available to your subscription with the [`az account list-locations`](/cli/azure/account#az_account_list_locations) command. For production apps, put your database and your app in the same location. ++
+1. Enable parameters caching with the Azure CLI so you don't need to provide those parameters with every command. (Cached values are saved in the *.azure* folder.)
+
+ ```azurecli
+ az config param-persist on
+ ```
+
+1. Create a [resource group](../azure-resource-manager/management/overview.md#terminology) (you can change the name, if desired). The resource group name is cached and automatically applied to subsequent commands.
+
+ ```azurecli
+ az group create --name Python-Django-PGFlex-rg --location centralus
+ ```
+
+1. Create the database server (the process takes a few minutes):
+
+ ```azurecli
+ az postgres flexible-server create --sku-name Standard_B1ms --public-access all
+ ```
+
+ If the `az` command is not recognized, be sure you have the Azure CLI installed as described in [Set up your initial environment](#1-set-up-your-initial-environment).
+
+ The [az postgres flexible-server create](/cli/azure/postgres/flexible-server#az_postgres_flexible_server_create) command performs the following actions, which take a few minutes:
+
+ - Create a default resource group if there's not a cached name already.
+ - Create a PostgreSQL Flexible Server:
+ - By default, the command uses a generated name like `server383813186`. You can specify your own name with the `--name` parameter. The name must be unique across all of Azure.
+ - The command uses the lowest-cost `Standard_B1ms` pricing tier. Omit the `--sku-name` argument to use the default `Standard_D2s_v3` tier.
+ - The command uses the resource group and location cached from the previous `az group create` command, which in this example is the resource group `Python-Django-PGFlex-rg` in the `centralus` region.
+ - Create an administrator account with a username and password. You can specify these values directly with the `--admin-user` and `--admin-password` parameters.
+ - Create a database named `flexibleserverdb` by default. You can specify a database name with the `--database-name` parameter.
+ - Enables complete public access, which you can control using the `--public-access` parameter.
+
+1. When the command completes, **copy the command's JSON output to a file** as you need values from the output later in this tutorial, specifically the host, username, and password, along with the database name.
++ Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp). ## 4. Deploy the code to Azure App Service
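Review bot: `az postgres flexible-server create --sku-name Standard_B1ms --public-access all` opens the server firewall to every public IPv4 address, and the only mention of that is the bullet "Enables complete public access, which you can control using the `--public-access` parameter". For a tutorial that is a defensible shortcut, but say so plainly and tell readers to narrow it afterwards (for example with `--public-access <start-ip>-<end-ip>`, or to the App Service outbound addresses) before any real data lands in `flexibleserverdb`. Related: the step "copy the command's JSON output to a file" is copying the generated administrator password in clear text; add that the file should be deleted once the app settings are configured, and that readers who pass `--admin-user` and `--admin-password` themselves leave those values in shell history.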
In this section, you create app host in App Service app, connect this app to the
### 4.1 Create the App Service app + In the terminal, make sure you're in the *djangoapp* repository folder that contains the app code. Create an App Service app (the host process) with the [`az webapp up`](/cli/azure/webapp#az_webapp_up) command: ```azurecli
-az webapp up --resource-group DjangoPostgres-tutorial-rg --location westus2 --plan DjangoPostgres-tutorial-plan --sku B1 --name <app-name>
+az webapp up --resource-group DjangoPostgres-tutorial-rg --location centralus --plan DjangoPostgres-tutorial-plan --sku B1 --name <app-name>
``` <!-- without --sku creates PremiumV2 plan -->
This command performs the following actions, which may take a few minutes:
- Upload the repository using ZIP deployment with build automation enabled. - Cache common parameters, such as the name of the resource group and App Service plan, into the file *.azure/config*. As a result, you don't need to specify all the same parameter with later commands. For example, to redeploy the app after making changes, you can just run `az webapp up` again without any parameters. Commands that come from CLI extensions, such as `az postgres up`, however, do not at present use the cache, which is why you needed to specify the resource group and location here with the initial use of `az webapp up`. ++
+1. In the terminal, make sure you're in the *djangoapp* repository folder that contains the app code.
+
+1. Switch to the sample app's `flexible-server` branch. This branch contains specific configuration needed for PostgreSQL Flexible Server:
+
+ ```cmd
+ git checkout flexible-server
+ ```
+
+1. Run the following [`az webapp up`](/cli/azure/webapp#az_webapp_up) command to create the App Service host for the app:
+
+ ```azurecli
+ az webapp up --name <app-name> --sku B1
+ ```
+ <!-- without --sku creates PremiumV2 plan -->
+
+ This command performs the following actions, which may take a few minutes, using resource group and location cached from the previous `az group create` command (the group `Python-Django-PGFlex-rg` in the `centralus` region in this example).
+
+ <!-
+ <!-- No it doesn't. az webapp up doesn't respect --resource-group -->
+ - Create an [App Service plan](overview-hosting-plans.md) in the Basic pricing tier (B1). You can omit `--sku` to use default values.
+ - Create the App Service app.
+ - Enable default logging for the app.
+ - Upload the repository using ZIP deployment with build automation enabled.
++ Upon successful deployment, the command generates JSON output like the following example: ![Example az webapp up command output](./media/tutorial-python-postgresql-app/az-webapp-up-output.png)
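Review bot: the stray `<!-` line and the comment `<!-- No it doesn't. az webapp up doesn't respect --resource-group -->` under "This command performs the following actions..." should not ship. The first is a malformed comment opener that will show up as literal text, and the second is an internal note that flatly contradicts the sentence above it (which says the command uses the resource group and location cached by `az group create`). Settle which claim is true and keep only the prose. Separately, the new step `git checkout flexible-server` cannot work in the folder the earlier steps produce: readers were told to pick the branch in GitHub and then "Select **Clone**, and then select **Download ZIP**", and an unpacked ZIP carries no git metadata. Either replace the download with `git clone -b flexible-server https://github.com/Azure-Samples/djangoapp`, or drop the checkout step since the branch was already selected before download.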
The app code expects to find database information in four environment variables
To set environment variables in App Service, create "app settings" with the following [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command. + ```azurecli
-az webapp config appsettings set --settings DBHOST="<postgres-server-name>" DBNAME="pollsdb" DBUSER="<username>" DBPASS="<password>"
+az webapp config appsettings set --settings DBHOST="<postgres-server-name>" DBUSER="<username>" DBPASS="<password>" DBNAME="pollsdb"
``` - Replace *\<postgres-server-name>* with the name you used earlier with the `az postgres up` command. The code in *azuresite/production.py* automatically appends `.postgres.database.azure.com` to create the full Postgres server URL. - Replace *\<username>* and *\<password>* with the administrator credentials that you used with the earlier `az postgres up` command, or those that `az postgres up` generated for you. The code in *azuresite/production.py* automatically constructs the full Postgres username from `DBUSER` and `DBHOST`, so don't include the `@server` portion. (Also, as noted earlier, you should not use the `$` character in either value as it has a special meaning for Linux environment variables.) - The resource group and app names are drawn from the cached values in the *.azure/config* file. ++
+```azurecli
+az webapp config appsettings set --settings DBHOST="<host>" DBUSER="<username>" DBPASS="<password>" DBNAME="flexibleserverdb"
+```
+
+Replace the host, username, and password values with those from the output of the `az postgres flexible-server create` command used earlier. The host should be a URL like `server383813186.postgres.database.azure.com`.
+
+Also replace `flexibleserverdb` with the database name if you changed it with the `az postgres flexible-server create` command.
++ In your Python code, you access these settings as environment variables with statements like `os.environ.get('DBHOST')`. For more information, see [Access environment variables](configure-language-python.md#access-environment-variables). Having issues? Refer first to the [Troubleshooting guide](configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp).
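Review bot: the `$`-character caveat was lost in this rewrite. The replaced text warned "you should not use the `$` character in either value as it has a special meaning for Linux environment variables"; the new `az webapp config appsettings set --settings DBHOST="<host>" DBUSER="<username>" DBPASS="<password>" DBNAME="flexibleserverdb"` pushes the values through exactly the same app-settings path, and the password here is generated by `az postgres flexible-server create` unless the reader sets it, so they may not even know whether it contains one. Keep the warning. Two smaller points: the value pasted into `DBPASS="<password>"` is a secret handed over on the command line, so it lands in shell history and comes back in the settings list the command echoes; and "The host should be a URL like `server383813186.postgres.database.azure.com`" describes a hostname, not a URL.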
Having issues? Refer first to the [Troubleshooting guide](configure-language-pyt
Django database migrations ensure that the schema in the PostgreSQL on Azure database match those described in your code.
-1. Open an SSH session **in the browser** by navigating to the following URL and signing in with your Azure account credentials (not the database server credentials).
+1. Run `az webpp ssh` to open an SSH session for the web app in the browser:
+ ```azurecli
+ az webapp ssh
```
- https://<app-name>.scm.azurewebsites.net/webssh/host
- ```
-
- Replace `<app-name>` with the name used earlier in the `az webapp up` command.
-
- You can alternately connect to an SSH session with the [`az webapp ssh`](/cli/azure/webapp#az_webapp_ssh) command. On Windows, this command requires the Azure CLI 2.18.0 or higher.
If you cannot connect to the SSH session, then the app itself has failed to start. [Check the diagnostic logs](#6-stream-diagnostic-logs) for details. For example, if you haven't created the necessary app settings in the previous section, the logs will indicate `KeyError: 'DBNAME'`.
Having issues? Refer first to the [Troubleshooting guide](configure-language-pyt
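Review bot: `az webpp ssh` in the new step text is a typo for `az webapp ssh` (the fenced command under it is spelled correctly). The rewrite also drops two things the old text carried: that the sign-in uses "your Azure account credentials (not the database server credentials)", worth keeping because readers have just been handling database credentials, and that "On Windows, this command requires the Azure CLI 2.18.0 or higher"; now that `az webapp ssh` is the only path shown, that version requirement matters more, not less, so restore it next to the command.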
### 4.4 Create a poll question in the app
-1. In a browser, open the URL `http://<app-name>.azurewebsites.net`. The app should display the message "Polls app" and "No polls are available" because there are no specific polls yet in the database.
+1. Open the app website. The app should display the message "Polls app" and "No polls are available" because there are no specific polls yet in the database.
+
+ ```azurecli
+ az webapp browse
+ ```
If you see "Application Error", then it's likely that you either didn't create the required settings in the previous step, [Configure environment variables to connect the database](#42-configure-environment-variables-to-connect-the-database), or that those value contain errors. Run the command `az webapp config appsettings list` to check the settings. You can also [check the diagnostic logs](#6-stream-diagnostic-logs) to see specific errors during app startup. For example, if you didn't create the settings, the logs will show the error, `KeyError: 'DBNAME'`. After updating the settings to correct any errors, give the app a minute to restart, then refresh the browser.
-1. Browse to `http://<app-name>.azurewebsites.net/admin`. Sign in using Django superuser credentials from the previous section (`root` and `Pollsdb1`). Under **Polls**, select **Add** next to **Questions** and create a poll question with some choices.
+1. Browse to the web app's admin page by appending `/admin` to the URL, for example, `http://<app-name>.azurewebsites.net/admin`. Sign in using Django superuser credentials from the previous section (`root` and `Pollsdb1`). Under **Polls**, select **Add** next to **Questions** and create a poll question with some choices.
-1. Browse again to `http://<app-name>.azurewebsites.net` to confirm that the questions are now presented to the user. Answer questions however you like to generate some data in the database.
+1. Return to the main the website (`http://<app-name>.azurewebsites.net`) to confirm that the questions are now presented to the user. Answer questions however you like to generate some data in the database.
**Congratulations!** You're running a Python Django web app in Azure App Service for Linux, with an active Postgres database.
Having issues? Refer first to the [Troubleshooting guide](configure-language-pyt
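Review bot: the admin sign-in step keeps the fixed superuser credentials "`root` and `Pollsdb1`" for an admin page reached at `http://<app-name>.azurewebsites.net/admin`. Those are now the credentials of every site built from this tutorial; the step should tell readers to choose their own password when they create the superuser and, since App Service serves `*.azurewebsites.net` over TLS, give the admin URL as `https://`. Also: "Return to the main the website" has a doubled "the", and the `az webapp browse` fence sits after a blank line inside the numbered item, so check that it renders as part of step 1 rather than closing the list.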
### 5.5 Review app in production
-Browse to `http://<app-name>.azurewebsites.net` and test the app again in production. (Because you changed only the length of a database field, the change is only noticeable if you try to enter a longer response when creating a question.)
+Browse to the app again(using `az webapp browse` or navigating to `http://<app-name>.azurewebsites.net`)and test the app again in production. (Because you changed only the length of a database field, the change is only noticeable if you try to enter a longer response when creating a question.)
Having issues? Refer first to the [Troubleshooting guide](configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp).
Having issues? Refer first to the [Troubleshooting guide](configure-language-pyt
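Review bot: "Browse to the app again(using `az webapp browse` or navigating to `http://<app-name>.azurewebsites.net`)and test the app again in production" is missing the spaces around the parentheses and says "again" twice; suggest "Browse to the app (using `az webapp browse` or by opening `http://<app-name>.azurewebsites.net`) and test it again in production."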
## 8. Clean up resources
-If you'd like to keep the app or continue to the additional tutorials, skip ahead to [Next steps](#next-steps). Otherwise, to avoid incurring ongoing charges you can delete the resource group create for this tutorial:
+If you'd like to keep the app or continue to the additional tutorials, skip ahead to [Next steps](#next-steps). Otherwise, to avoid incurring ongoing charges you can delete the resource group created for this tutorial:
```azurecli
-az group delete --no-wait
+az group delete --name Python-Django-PGFlex-rg --no-wait
```
-The command uses the resource group name cached in the *.azure/config* file. By deleting the resource group, you also deallocate and delete all the resources contained within it.
+By deleting the resource group, you also deallocate and delete all the resources contained within it. Be sure you no longer need the resources in the group before using the command.
Deleting all the resources can take some time. The `--no-wait` argument allows the command to return immediately.
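Review bot: making the target explicit with `az group delete --name Python-Django-PGFlex-rg --no-wait` is the right call for a destructive command, since the old line relied on whatever group name happened to be cached. Because `az config param-persist on` was switched on earlier in the tutorial and is never switched off, add `az config param-persist off` to this section so the cached group, server and app names do not silently apply to the reader's next unrelated `az` commands.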
application-gateway Monitor Application Gateway Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/monitor-application-gateway-reference.md
sslEnabled_s | Does the client request have SSL enabled|
<!-- replace below with the proper link to your main monitoring service article --> - See [Monitoring Azure Azure Application Gateway](monitor-application-gateway.md) for a description of monitoring Azure Azure Application Gateway.-- See [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/insights/monitor-azure-resources) for details on monitoring Azure resources.
+- See [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.
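Review bot: the hunk removes the bullet "See [Monitoring Azure Azure Application Gateway](monitor-application-gateway.md) ..." entirely instead of fixing the doubled "Azure", yet leaves the comment `<!-- replace below with the proper link to your main monitoring service article -->` above the list. Either restore the bullet with the corrected title or remove the placeholder comment; as committed, the reference section no longer links to the service's own monitoring article.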
automation Automation Deploy Template Runbook https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-deploy-template-runbook.md
keywords: powershell, runbook, json, azure automation
# Deploy an Azure Resource Manager template in a PowerShell runbook You can write an [Azure Automation PowerShell runbook](./learn/automation-tutorial-runbook-textual-powershell.md)
-that deploys an Azure resource by using an [Azure Resource Management template](../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md). The templates allow you to use Azure Automation to automate deployment of your Azure resources. You can maintain your Resource Manager templates in a central, secure location, such as Azure Storage.
+that deploys an Azure resource by using an [Azure Resource Manager template](../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md). The templates allow you to use Azure Automation to automate deployment of your Azure resources. You can maintain your Resource Manager templates in a central, secure location, such as Azure Storage.
In this article, we create a PowerShell runbook that uses a Resource Manager template stored in [Azure Storage](../storage/common/storage-introduction.md) to deploy a new Azure Storage account.
automation Automation Runbook Types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-runbook-types.md
PowerShell runbooks are based on Windows PowerShell. You directly edit the code
* Runbooks can't use [parallel processing](automation-powershell-workflow.md#use-parallel-processing) to execute multiple actions in parallel. * Runbooks can't use [checkpoints](automation-powershell-workflow.md#use-checkpoints-in-a-workflow) to resume runbook if there's an error. * You can include only PowerShell Workflow runbooks and graphical runbooks as child runbooks by using the [Start-AzAutomationRunbook](/powershell/module/az.automation/start-azautomationrunbook) cmdlet, which creates a new job.
+* Runbooks can't use the PowerShell [#Requires](/powershell/module/microsoft.powershell.core/about/about_requires) statement, it is not supported in Azure sandbox or on Hybrid Runbook Workers and will cause the job to fail.
### Known issues
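Review bot: the new bullet "Runbooks can't use the PowerShell `#Requires` statement, it is not supported in Azure sandbox or on Hybrid Runbook Workers and will cause the job to fail" is a comma splice; split it or use "because". More importantly it asserts the statement "will cause the job to fail", while the troubleshooting entry added in the same update says the statement simply "does not prevent the script from executing". Runbook authors need to know which it is, because a `#Requires -Modules` or `#Requires -RunAsAdministrator` line that is silently ignored lets a script run in a context it was written to refuse; align both texts with the observed behavior.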
automation Runbooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/runbooks.md
Title: Troubleshoot Azure Automation runbook issues description: This article tells how to troubleshoot and resolve issues with Azure Automation runbooks. Previously updated : 02/11/2021 Last updated : 07/07/2021
When you receive errors during runbook execution in Azure Automation, you can us
If you're running your runbooks on a Hybrid Runbook Worker instead of in Azure Automation, you might need to [troubleshoot the hybrid worker itself](hybrid-runbook-worker.md).
+## Scenario: PowerShell #Requires statement does not work as expected
+
+### Issue
+
+Your Azure Automation cloud or hybrid jobs includes the PowerShell [#Requires](/powershell/module/microsoft.powershell.core/about/about_requires) statement, but the statement does not prevent the script from executing when the required condition is not met.
+
+### Cause
+
+Runbooks can't use the PowerShell [#Requires](/powershell/module/microsoft.powershell.core/about/about_requires) statement, it is not supported in Azure sandbox or on Hybrid Runbook Workers and will cause the job to fail.
+
+### Resolution
+
+Ensure all script requirements are met before execution.
+ ## <a name="runbook-fails-no-permission"></a>Scenario: Runbook fails with a No permission or Forbidden 403 error ### Issue
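Review bot: the Issue and Cause contradict each other: Issue says the `#Requires` statement "does not prevent the script from executing when the required condition is not met", Cause says it "will cause the job to fail". Keep the one that matches what the sandbox and Hybrid Runbook Worker actually do. The Resolution "Ensure all script requirements are met before execution" also gives the reader nothing to act on; suggest replacing each `#Requires` line with an explicit check at the top of the runbook, for example `Import-Module Az.Accounts -ErrorAction Stop` in place of `#Requires -Modules Az.Accounts`, and `if ($PSVersionTable.PSVersion -lt [version]'5.1') { throw 'PowerShell 5.1 or later is required' }` in place of `#Requires -Version 5.1`, so an unmet requirement stops the job with a clear error instead of being ignored.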
azure-arc Get Connection Endpoints And Connection Strings Postgres Hyperscale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/get-connection-endpoints-and-connection-strings-postgres-hyperscale.md
Title: Get connection endpoints and form connection strings for your Arc enabled PostgreSQL Hyperscale server group
+ Title: Get connection endpoints and form the connection strings for your Arc enabled PostgreSQL Hyperscale server group
description: Get connection endpoints and form connection strings for your Arc enabled PostgreSQL Hyperscale server group
Last updated 06/02/2021
-# Get connection endpoints and form connection strings for your Arc enabled PostgreSQL Hyperscale server group
+# Get connection endpoints and form the connection strings for your Arc enabled PostgreSQL Hyperscale server group
-This article explains how you can retrieve the connection endpoints for your server group and how you form connection strings you will use with your applications and/or tools.
+This article explains how you can retrieve the connection endpoints for your server group and how you can form the connection strings which can be used with your applications and/or tools.
[!INCLUDE [azure-arc-data-preview](../../../includes/azure-arc-data-preview.md)]
azure-arc Conceptual Inner Loop Gitops https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/conceptual-inner-loop-gitops.md
+
+ Title: "Inner Loop Developer Experience for Teams Adopting GitOps"
++ Last updated : 06/18/2021+++
+description: "This article provides a conceptual overview of Inner Loop Developer Experience for Teams Adopting GitOps "
+keywords: "GitOps, Kubernetes, K8s, Azure, Helm, Arc, AKS, Azure Kubernetes Service, containers, CI, CD, Azure DevOps, Inner loop, Dev Experience"
+
+# Inner Loop Developer Experience for teams adopting GitOps
+
+This article describes how an established inner loop can enhance developer productivity and help in a seamless transition from inner dev loop to outer loop for teams adopting GitOps.
+
+## Inner dev loop frameworks
+
+Building and deploying containers can slow the inner dev experience and impact team productivity. Cloud-native development teams will benefit from a robust inner dev loop framework. Inner dev loop frameworks assist in the iterative process of writing code, building, and debugging.
+
+Inner dev loop frameworks capabilities include:
+
+
+- Automate repetitive steps like building code, containers, and deploying to target cluster.
+- Easily working with remote and local clusters, and supporting local tunnel debugging for hybrid setup.
+- Ability to configure custom flow for team-based productivity.
+- Allow handling of microservice dependencies.
+- Hot reloading, port forwarding, log, and terminal access.
+++
+Depending on the maturity and complexity of the service, dev teams determine which cluster setup they will use to accelerate the inner dev loop:
+
+* Completely local
+* Completely remote
+* Hybrid
++
+Luckily, there are many frameworks out there that support the listed capabilities. Microsoft offers Bridge to Kubernetes for local tunnel debugging and there are similar market offerings like DevSpace, Scaffold, and Tilt, among others.
+
+> [!NOTE]
+> DonΓÇÖt confuse the market offering [DevSpace](https://github.com/loft-sh/devspace) with MicrosoftΓÇÖs previously named DevSpace, which is now called [Bridge to Kubernetes](https://code.visualstudio.com/docs/containers/bridge-to-kubernetes).
++
+## Inner loop to outer loop transition
+
+Once you've evaluated and chosen an inner loop dev framework, build seamless inner loop to outer loop transition.
+
+As described in the [CI/CD workflow using GitOps](conceptual-gitops-ci-cd.md) article's example, an application developer works on application code within an application repository. This application repository also holds high-level deployment Helm and/or Kustomize templates. CI\CD pipelines:
+
+* Generate the low-level manifests from the high-level templates, adding environment-specific values
+* Create a pull request that merges the low-level manifests with the GitOps repo that holds desired state for the specific environment.
+
+Similar low-level manifests can be generated locally for the inner dev loop, using the configuration values local to the developer. Application developers can iterate on the code changes and use the low-level manifests to deploy and debug applications. Generation of the low-level manifests can be integrated into an inner loop workflow, using the developerΓÇÖs local configuration. Most of the inner loop framework allows configuring custom flows by either extending through custom plugins or injecting script invocation based on hooks.
+
+## Example inner loop workflow built with DevSpace framework
++
+### Diagram A: Inner Loop Flow
+
+### Diagram B: Inner Loop to Outer Loop transition
++
+## Example workflow
+As an application developer, Alice:
+- Authors a devspace.yaml to configure the inner loop.
+- Writes and tests application code using the inner loop for efficiency.
+- Deploys to staging or prod with outer loop.
++
+Suppose Alice wants to update, run, and debug the application either in local or remote cluster.
+
+1. Alice updates the local configuration for the development environment represented in .env file.
+1. Alice runs `devspace use context` and selects the Kubernetes cluster context.
+1. Alice selects a namespace to work with by running `devspace use namespace <namespace_name>`.
+1. Alice can iterates changes to the application code, and deploys and debugs the application onto the target cluster by running `devspace dev`.
+1. Running `devspace dev` generates low-level manifests based on AliceΓÇÖs local configuration and deploys the application. These low-level manifests are configured with devspace hooks in devspace.yaml
+1. Alice doesn't need to rebuild the container every time she makes code changes, since DevSpace will enable hot reloading, using file sync to copy her latest changes inside the container.
+1. Running `devspace dev` will also deploy any dependencies configured in devspace.yaml, such as back-end dependencies to front-end.
+1. Alice tests her changes by accessing the application through the forwarding configured through devspace.yaml.
+1. Once Alice finalizes her changes, she can purge the deployment by running `devspace purge` and create a new pull request to merge her changes to the dev branch of the application repository.
+
+> [!NOTE]
+> Find the sample code for above workflow at this [GitHub repo](https://github.com/Azure/arc-cicd-demo-src)
++
+## Next steps
+Learn more about creating connections between your cluster and a Git repository as a [configuration resource with Azure Arc enabled Kubernetes](./conceptual-configurations.md)
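Review bot: several strings in this new article were saved with the wrong encoding: "DonΓÇÖt", "MicrosoftΓÇÖs", "developerΓÇÖs" and "AliceΓÇÖs" are a UTF-8 right single quote read back as code page 437; re-save the file as UTF-8. Other fixes: "Scaffold" in the framework list should be "Skaffold"; "Alice can iterates changes" should be "Alice iterates on changes"; "CI\CD pipelines" should use a forward slash; and the headings "Diagram A: Inner Loop Flow" and "Diagram B: Inner Loop to Outer Loop transition" have nothing beneath them, so either the image references are missing or the headings should go. One practical caveat for the workflow: step 1 has Alice keep her development settings in a `.env` file and the last step has her open a pull request from the same application repository, so state that `.env` is local-only and excluded from the commit when it carries cluster or service credentials.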
azure-arc Quickstart Connect Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/quickstart-connect-cluster.md
Title: 'Quickstart: Connect an existing Kubernetes cluster to Azure Arc'
-description: "In this quickstart, learn how to connect an Azure Arc enabled Kubernetes cluster."
+description: "In this quickstart, learn how to connect an Azure Arc enabled Kubernetes cluster."
Previously updated : 06/18/2021- Last updated : 06/30/2021+ keywords: "Kubernetes, Arc, Azure, cluster"
-# Quickstart: Connect an existing Kubernetes cluster to Azure Arc
+# Quickstart: Connect an existing Kubernetes cluster to Azure Arc
In this quickstart, you'll learn the benefits of Azure Arc enabled Kubernetes and how to connect an existing Kubernetes cluster to Azure Arc. For a conceptual look at connecting clusters to Azure Arc, see the [Azure Arc enabled Kubernetes Agent Architecture article](./conceptual-agent-architecture.md). [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)]
+## Prerequisites
+
+### [Azure CLI](#tab/azure-cli)
+ * An up-and-running Kubernetes cluster. If you don't have one, you can create a cluster using one of these options: * [Kubernetes in Docker (KIND)](https://kind.sigs.k8s.io/) * Create a Kubernetes cluster using Docker for [Mac](https://docs.docker.com/docker-for-mac/#kubernetes) or [Windows](https://docs.docker.com/docker-for-windows/#kubernetes) * Self-managed Kubernetes cluster using [Cluster API](https://cluster-api.sigs.k8s.io/user/quick-start.html) * If you want to connect a OpenShift cluster to Azure Arc, you need to execute the following command just once on your cluster before running `az connectedk8s connect`:
-
+ ```console oc adm policy add-scc-to-user privileged system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa ``` >[!NOTE] > The cluster needs to have at least one node of operating system and architecture type `linux/amd64`. Clusters with only `linux/arm64` nodes aren't yet supported.
-
+ * A `kubeconfig` file and context pointing to your cluster. * 'Read' and 'Write' permissions on the Azure Arc enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`).
In this quickstart, you'll learn the benefits of Azure Arc enabled Kubernetes an
* [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to version >= 2.16.0 * Install the `connectedk8s` Azure CLI extension of version >= 1.0.0:
-
+ ```console az extension add --name connectedk8s ``` >[!NOTE] > For [**custom locations**](./custom-locations.md) on your cluster, use East US or West Europe regions. For all other Azure Arc enabled Kubernetes features, [select any region from this list](https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc).
+### [Azure PowerShell](#tab/azure-powershell)
++
+> [!IMPORTANT]
+> While the **Az.ConnectedKubernetes** PowerShell module is in preview, you must install it separately using
+> the `Install-Module` cmdlet.
+
+```azurepowershell-interactive
+Install-Module -Name Az.ConnectedKubernetes
+```
+
+* An up-and-running Kubernetes cluster. If you don't have one, you can create a cluster using one of these options:
+ * [Kubernetes in Docker (KIND)](https://kind.sigs.k8s.io/)
+ * Create a Kubernetes cluster using Docker for [Mac](https://docs.docker.com/docker-for-mac/#kubernetes) or [Windows](https://docs.docker.com/docker-for-windows/#kubernetes)
+ * Self-managed Kubernetes cluster using [Cluster API](https://cluster-api.sigs.k8s.io/user/quick-start.html)
+ * If you want to connect a OpenShift cluster to Azure Arc, you need to execute the following command just once on your cluster before running `New-AzConnectedKubernetes`:
+
+ ```console
+ oc adm policy add-scc-to-user privileged system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa
+ ```
+
+ >[!NOTE]
+ > The cluster needs to have at least one node of operating system and architecture type `linux/amd64`. Clusters with only `linux/arm64` nodes aren't yet supported.
+
+* A `kubeconfig` file and context pointing to your cluster.
+* 'Read' and 'Write' permissions on the Azure Arc enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`).
+
+* Install the [latest release of Helm 3](https://helm.sh/docs/intro/install).
+
+* [Azure PowerShell version 5.9.0 or later](/powershell/azure/install-az-ps)
+++
+>[!NOTE]
+> For [**custom locations**](./custom-locations.md) on your cluster, use East US or West Europe regions. For all other Azure Arc enabled Kubernetes features, [select any region from this list](https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc).
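Review bot: the custom-locations region note now appears twice for Azure CLI readers: once at the end of the CLI tab (the unchanged "> For [**custom locations**](./custom-locations.md) on your cluster, use East US or West Europe regions ...") and again after the tab group. Keep the shared copy after the tabs and delete the one inside the CLI tab. Also, both tabs tell OpenShift users to run `oc adm policy add-scc-to-user privileged system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa` with no explanation; add a sentence that this grants the `privileged` security context constraint to that single service account in the `azure-arc` namespace and nothing else, so cluster admins can judge it before running it. Minor: "connect a OpenShift cluster" should be "an OpenShift cluster" in both tabs.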
+ ## Meet network requirements > [!IMPORTANT] > Azure Arc agents require both of the following protocols/ports/outbound URLs to function: > * TCP on port 443: `https://:443`
-
-| Endpoint (DNS) | Description |
-| -- | - |
-| `https://management.azure.com` (for Azure Cloud), `https://management.usgovcloudapi.net` (for Azure US Government) | Required for the agent to connect to Azure and register the cluster. |
-| `https://<region>.dp.kubernetesconfiguration.azure.com` (for Azure Cloud), `https://<region>.dp.kubernetesconfiguration.azure.us` (for Azure US Government) | Data plane endpoint for the agent to push status and fetch configuration information. |
-| `https://login.microsoftonline.com` (for Azure Cloud), `https://login.microsoftonline.us` (for Azure US Government) | Required to fetch and update Azure Resource Manager tokens. |
-| `https://mcr.microsoft.com` | Required to pull container images for Azure Arc agents. |
+
+| Endpoint (DNS) | Description |
+| -- | - |
+| `https://management.azure.com` (for Azure Cloud), `https://management.usgovcloudapi.net` (for Azure US Government) | Required for the agent to connect to Azure and register the cluster. |
+| `https://<region>.dp.kubernetesconfiguration.azure.com` (for Azure Cloud), `https://<region>.dp.kubernetesconfiguration.azure.us` (for Azure US Government) | Data plane endpoint for the agent to push status and fetch configuration information. |
+| `https://login.microsoftonline.com` (for Azure Cloud), `https://login.microsoftonline.us` (for Azure US Government) | Required to fetch and update Azure Resource Manager tokens. |
+| `https://mcr.microsoft.com` | Required to pull container images for Azure Arc agents. |
| `https://gbl.his.arc.azure.com` | Required to get the regional endpoint for pulling system-assigned Managed Service Identity (MSI) certificates. | | `https://<region-code>.his.arc.azure.com` (for Azure Cloud), `https://usgv.his.arc.azure.us` (for Azure US Government) | Required to pull system-assigned Managed Service Identity (MSI) certificates. `<region-code>` mapping for Azure cloud regions: `eus` (East US), `weu` (West Europe), `wcus` (West Central US), `scus` (South Central US), `sea` (South East Asia), `uks` (UK South), `wus2` (West US 2), `ae` (Australia East), `eus2` (East US 2), `ne` (North Europe), `fc` (France Central). | ## 1. Register providers for Azure Arc enabled Kubernetes
+### [Azure CLI](#tab/azure-cli)
+ 1. Enter the following commands: ```console az provider register --namespace Microsoft.Kubernetes
In this quickstart, you'll learn the benefits of Azure Arc enabled Kubernetes an
az provider show -n Microsoft.ExtendedLocation -o table ```
+### [Azure PowerShell](#tab/azure-powershell)
+
+1. Enter the following commands:
+ ```azurepowershell-interactive
+ Register-AzResourceProvider -ProviderNamespace Microsoft.Kubernetes
+ Register-AzResourceProvider -ProviderNamespace Microsoft.KubernetesConfiguration
+ Register-AzResourceProvider -ProviderNamespace Microsoft.ExtendedLocation
+ ```
+1. Monitor the registration process. Registration may take up to 10 minutes.
+ ```azurepowershell-interactive
+ Get-AzResourceProvider -ProviderNamespace Microsoft.Kubernetes
+ Get-AzResourceProvider -ProviderNamespace Microsoft.KubernetesConfiguration
+ Get-AzResourceProvider -ProviderNamespace Microsoft.ExtendedLocation
+ ```
+++ ## 2. Create a resource group
-Run the following command:
+Run the following command:
+
+### [Azure CLI](#tab/azure-cli)
```console az group create --name AzureArcTest --location EastUS --output table
Location Name
eastus AzureArcTest </pre>
+### [Azure PowerShell](#tab/azure-powershell)
+
+```azurepowershell-interactive
+New-AzResourceGroup -Name AzureArcTest -Location EastUS
+```
+
+Output:
+<pre>
+ResourceGroupName : AzureArcTest
+Location : eastus
+ProvisioningState : Succeeded
+Tags :
+ResourceId : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/AzureArcTest
+</pre>
+++ ## 3. Connect an existing Kubernetes cluster Run the following command:
+### [Azure CLI](#tab/azure-cli)
+ ```console az connectedk8s connect --name AzureArcTest1 --resource-group AzureArcTest ```
Helm release deployment succeeded
> [!NOTE] > If you are logged into Azure CLI using a service principal, an [additional parameter](troubleshooting.md#enable-custom-locations-using-service-principal) needs to be set for enabling the custom location feature on the cluster.
+### [Azure PowerShell](#tab/azure-powershell)
+
+```azurepowershell-interactive
+New-AzConnectedKubernetes -ClusterName AzureArcTest1 -ResourceGroupName AzureArcTest -Location eastus
+```
+
+Output:
+<pre>
+Location Name Type
+-- - -
+eastus AzureArcTest1 microsoft.kubernetes/connectedclusters
+</pre>
+++ ## 4. Verify cluster connection
-Run the following command:
+Run the following command:
+
+### [Azure CLI](#tab/azure-cli)
```console az connectedk8s list --resource-group AzureArcTest --output table
Name Location ResourceGroup
AzureArcTest1 eastus AzureArcTest </pre>
+### [Azure PowerShell](#tab/azure-powershell)
+
+```azurepowershell-interactive
+Get-AzConnectedKubernetes -ResourceGroupName AzureArcTest
+```
+
+Output:
+<pre>
+Location Name Type
+-- - -
+eastus AzureArcTest1 microsoft.kubernetes/connectedclusters
+</pre>
+++ > [!NOTE] > After onboarding the cluster, it takes around 5 to 10 minutes for the cluster metadata (cluster version, agent version, number of nodes, etc.) to surface on the overview page of the Azure Arc enabled Kubernetes resource in Azure portal. ## 5. Connect using an outbound proxy server
-If your cluster is behind an outbound proxy server, Azure CLI and the Azure Arc enabled Kubernetes agents need to route their requests via the outbound proxy server.
+### [Azure CLI](#tab/azure-cli)
+If your cluster is behind an outbound proxy server, Azure CLI and the Azure Arc enabled Kubernetes agents need to route their requests via the outbound proxy server.
1. Set the environment variables needed for Azure CLI to use the outbound proxy server:
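Review bot: the Azure PowerShell tab for step 3 (`New-AzConnectedKubernetes -ClusterName AzureArcTest1 -ResourceGroupName AzureArcTest -Location eastus`) has no counterpart to the CLI tab's note that a service-principal login needs an additional parameter to enable the custom location feature, so a reader on the PowerShell tab who uses a service principal hits the same problem with no pointer. Either add the equivalent note under the PowerShell tab or state that custom locations must be enabled separately there. Minor: the sample output uses the all-zero subscription ID placeholder in `ResourceId`, which is the right convention; keep it for the other outputs.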
If your cluster is behind an outbound proxy server, Azure CLI and the Azure Arc
> * Specify `excludedCIDR` under `--proxy-skip-range` to ensure in-cluster communication is not broken for the agents. > * `--proxy-http`, `--proxy-https`, and `--proxy-skip-range` are expected for most outbound proxy environments. `--proxy-cert` is *only* required if you need to inject trusted certificates expected by proxy into the trusted certificate store of agent pods.
+### [Azure PowerShell](#tab/azure-powershell)
+
+If your cluster is behind an outbound proxy server, Azure PowerShell and the Azure Arc enabled Kubernetes agents need to route their requests via the outbound proxy server.
+
+1. Set the environment variables needed for Azure PowerShell to use the outbound proxy server:
+
+ * Run the following command with appropriate values:
+
+ ```powershell
+ $Env:HTTP_PROXY = "<proxy-server-ip-address>:<port>"
+ $Env:HTTPS_PROXY = "<proxy-server-ip-address>:<port>"
+ $Env:NO_PROXY = "<cluster-apiserver-ip-address>:<port>"
+ ```
+
+2. Run the connect command with the proxy parameter specified:
+
+ ```azurepowershell-interactive
+ New-AzConnectedKubernetes -ClusterName <cluster-name> -ResourceGroupName <resource-group> -Location eastus -Proxy 'https://<proxy-server-ip-address>:<port>'
+ ```
+++ ## 6. View Azure Arc agents for Kubernetes
-Azure Arc enabled Kubernetes deploys a few operators into the `azure-arc` namespace.
+Azure Arc enabled Kubernetes deploys a few operators into the `azure-arc` namespace.
1. View these deployments and pods using:
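Review bot: the PowerShell proxy steps are not equivalent to the CLI steps beside them. The CLI tab requires `--proxy-skip-range` with the `excludedCIDR` so in-cluster traffic is not sent to the proxy, but `New-AzConnectedKubernetes ... -Proxy 'https://<proxy-server-ip-address>:<port>'` passes only the proxy URL and nothing for the skip range, so agents may try to reach the API server and other in-cluster services through the proxy. Either document the PowerShell equivalent of the skip range or say explicitly that it is not available. Two smaller points: `$Env:HTTP_PROXY = "<proxy-server-ip-address>:<port>"` omits the scheme while the `-Proxy` value includes `https://`, so use one form in both places; and `$Env:NO_PROXY` is given a `:<port>` suffix, which many HTTP clients ignore because they match NO_PROXY on host or CIDR only, so check that the suffix is honored or drop it. Finally, the CLI note that `--proxy-cert` injects certificates into the agent pods' trust store deserves a sentence that this makes the proxy trusted for every outbound TLS session the agents open, so only the proxy's own CA certificate should be supplied.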
Azure Arc enabled Kubernetes deploys a few operators into the `azure-arc` namesp
## 7. Clean up resources
+### [Azure CLI](#tab/azure-cli)
+ You can delete the Azure Arc enabled Kubernetes resource, any associated configuration resources, *and* any agents running on the cluster using Azure CLI using the following command: ```console
az connectedk8s delete --name AzureArcTest1 --resource-group AzureArcTest
>[!NOTE] > Deleting the Azure Arc enabled Kubernetes resource using Azure portal removes any associated configuration resources, but *does not* remove any agents running on the cluster. Best practice is to delete the Azure Arc enabled Kubernetes resource using `az connectedk8s delete` instead of Azure portal.
+### [Azure PowerShell](#tab/azure-powershell)
+
+You can delete the Azure Arc enabled Kubernetes resource, any associated configuration resources, *and* any agents running on the cluster using Azure PowerShell using the following command:
+
+```azurepowershell-interactive
+Remove-AzConnectedKubernetes -ClusterName AzureArcTest1 -ResourceGroupName AzureArcTest
+```
+
+>[!NOTE]
+> Deleting the Azure Arc enabled Kubernetes resource using Azure portal removes any associated configuration resources, but *does not* remove any agents running on the cluster. Best practice is to delete the Azure Arc enabled Kubernetes resource using `Remove-AzConnectedKubernetes` instead of Azure portal.
+++ ## Next steps Advance to the next article to learn how to deploy configurations to your connected Kubernetes cluster using GitOps.
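Review bot: the PowerShell cleanup text copies the CLI tab's "using Azure PowerShell using the following command" construction; "with Azure PowerShell, using the following command" reads better in both tabs. More importantly, both notes say a portal delete leaves the agents running on the cluster but neither says what to do about it; since those agents keep making outbound connections to the endpoints in the network requirements table and keep their MSI certificates, add a sentence on how to remove them (or link to the troubleshooting article) for readers who already deleted the resource through the portal.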
azure-functions Analyze Telemetry Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/analyze-telemetry-data.md
The following telemetry queries are specific to metrics that impact the cost of
[!INCLUDE [functions-consumption-metrics-queries](../../includes/functions-consumption-metrics-queries.md)]
-## Azure Monitor metrics
-
-In addition to telemetry data collected by Application Insights, you can also get data about how the function app is running from [Azure Monitor Metrics](../azure-monitor/essentials/data-platform-metrics.md). Along with the usual [metrics available to App Service apps](../app-service/web-sites-monitor.md#understand-metrics), there are two metrics specific to Functions that are of interest:
-
-| Metric | Description |
-| - | - |
-| **FunctionExecutionCount** | Function execution count indicates the number of times your function app has executed. This correlates to the number of times a function runs in your app. |
-| **FunctionExecutionUnits** | Function execution units are a combination of execution time and your memory usage. Memory data isn't a metric currently available through Azure Monitor. However, if you want to optimize the memory usage of your app, can use the performance counter data collected by Application Insights. This metric isn't currently supported for Premium and Dedicated (App Service) plans running on Linux.|
-
-To learn more about calculating costs for a Consumption plan using Application Insights data, see [Estimating Consumption plan costs](functions-consumption-costs.md). To learn more about using Monitor Explorer to view metrics, see [Getting started with Azure Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md).
-- ## Next steps Learn more about monitoring Azure Functions:
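Review bot: with the Azure Monitor metrics section (the `FunctionExecutionCount` / `FunctionExecutionUnits` table) removed from this article, the only remaining pointer to that content is whatever the Next steps list holds, and the hunk does not show a link to the new Monitor Metrics article being added here. Add `[Using Azure Monitor Metrics with Azure Functions](monitor-metrics.md)` to Next steps so readers who land on this page can still find the cost metrics.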
azure-functions Functions Consumption Costs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-consumption-costs.md
In [your invoice](../cost-management-billing/understand/download-azure-invoice.m
### Function app-level metrics
-To better understand the cost impact of your functions, you can use Azure Monitor to view cost-related metrics currently being generated by your function apps. You can use either [Azure Monitor metrics explorer](../azure-monitor/essentials/metrics-getting-started.md) in the [Azure portal] or REST APIs to get this data.
-
-#### Monitor metrics explorer
-
-Use [Azure Monitor metrics explorer](../azure-monitor/essentials/metrics-getting-started.md) to view cost-related data for your Consumption plan function apps in a graphical format.
-
-1. At the top of the [Azure portal] in **Search services, resources, and docs** search for `monitor` and select **Monitor** under **Services**.
-
-1. At the left, select **Metrics** > **Select a resource**, then use the settings below the image to choose your function app.
-
- ![Select your function app resource](media/functions-consumption-costing/select-a-resource.png)
-
-
- |Setting |Suggested value |Description |
- ||||
- | Subscription | Your subscription | The subscription with your function app. |
- | Resource group | Your resource group | The resource group that contains your function app. |
- | Resource type | App Services | Function apps are shown as App Services instances in Monitor. |
- | Resource | Your function app | The function app to monitor. |
-
-1. Select **Apply** to choose your function app as the resource to monitor.
-
-1. From **Metric**, choose **Function Execution Count** and **Sum** for **Aggregation**. This adds the sum of the execution counts during chosen period to the chart.
-
- ![Define a functions app metric to add to the chart](media/functions-consumption-costing/monitor-metrics-add-metric.png)
-
-1. Select **Add metric** and repeat steps 2-4 to add **Function Execution Units** to the chart.
-
-The resulting chart contains the totals for both execution metrics in the chosen time range, which in this case is two hours.
-
-![Graph of function execution counts and execution units](media/functions-consumption-costing/monitor-metrics-execution-sum.png)
-
-As the number of execution units is so much greater than the execution count, the chart just shows execution units.
-
-This chart shows a total of 1.11 billion `Function Execution Units` consumed in a two-hour period, measured in MB-milliseconds. To convert to GB-seconds, divide by 1024000. In this example, the function app consumed `1110000000 / 1024000 = 1083.98` GB-seconds. You can take this value and multiply by the current price of execution time on the [Functions pricing page][pricing page], which gives you the cost of these two hours, assuming you've already used any free grants of execution time.
-
-#### Azure CLI
-
-The [Azure CLI](/cli/azure/) has commands for retrieving metrics. You can use the CLI from a local command environment or directly from the portal using [Azure Cloud Shell](../cloud-shell/overview.md). For example, the following [az monitor metrics list](/cli/azure/monitor/metrics#az_monitor_metrics_list) command returns hourly data over same time period used before.
-
-Make sure to replace `<AZURE_SUBSCRIPTON_ID>` with your Azure subscription ID running the command.
-
-```azurecli-interactive
-az monitor metrics list --resource /subscriptions/<AZURE_SUBSCRIPTION_ID>/resourceGroups/metrics-testing-consumption/providers/Microsoft.Web/sites/metrics-testing-consumption --metric FunctionExecutionUnits,FunctionExecutionCount --aggregation Total --interval PT1H --start-time 2019-09-11T21:46:00Z --end-time 2019-09-11T23:18:00Z
-```
-
-This command returns a JSON payload that looks like the following example:
-
-```json
-{
- "cost": 0.0,
- "interval": "1:00:00",
- "namespace": "Microsoft.Web/sites",
- "resourceregion": "centralus",
- "timespan": "2019-09-11T21:46:00Z/2019-09-11T23:18:00Z",
- "value": [
- {
- "id": "/subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/resourceGroups/metrics-testing-consumption/providers/Microsoft.Web/sites/metrics-testing-consumption/providers/Microsoft.Insights/metrics/FunctionExecutionUnits",
- "name": {
- "localizedValue": "Function Execution Units",
- "value": "FunctionExecutionUnits"
- },
- "resourceGroup": "metrics-testing-consumption",
- "timeseries": [
- {
- "data": [
- {
- "average": null,
- "count": null,
- "maximum": null,
- "minimum": null,
- "timeStamp": "2019-09-11T21:46:00+00:00",
- "total": 793294592.0
- },
- {
- "average": null,
- "count": null,
- "maximum": null,
- "minimum": null,
- "timeStamp": "2019-09-11T22:46:00+00:00",
- "total": 316576256.0
- }
- ],
- "metadatavalues": []
- }
- ],
- "type": "Microsoft.Insights/metrics",
- "unit": "Count"
- },
- {
- "id": "/subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/resourceGroups/metrics-testing-consumption/providers/Microsoft.Web/sites/metrics-testing-consumption/providers/Microsoft.Insights/metrics/FunctionExecutionCount",
- "name": {
- "localizedValue": "Function Execution Count",
- "value": "FunctionExecutionCount"
- },
- "resourceGroup": "metrics-testing-consumption",
- "timeseries": [
- {
- "data": [
- {
- "average": null,
- "count": null,
- "maximum": null,
- "minimum": null,
- "timeStamp": "2019-09-11T21:46:00+00:00",
- "total": 33538.0
- },
- {
- "average": null,
- "count": null,
- "maximum": null,
- "minimum": null,
- "timeStamp": "2019-09-11T22:46:00+00:00",
- "total": 13040.0
- }
- ],
- "metadatavalues": []
- }
- ],
- "type": "Microsoft.Insights/metrics",
- "unit": "Count"
- }
- ]
-}
-```
-This particular response shows that from `2019-09-11T21:46` to `2019-09-11T23:18`, the app consumed 1110000000 MB-milliseconds (1083.98 GB-seconds).
+To better understand the cost impact of your functions, you can use Azure Monitor to view cost-related metrics currently being generated by your function apps.
+ ### Function-level metrics
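Review bot: the whole metrics explorer walkthrough and the `az monitor metrics list` example are removed, and the replacement sentence under "Function app-level metrics" (`To better understand the cost impact of your functions, you can use Azure Monitor to view cost-related metrics currently being generated by your function apps.`) no longer tells the reader where to get that data; end it with a link to the new article (monitor-metrics.md). Also check that the MB-milliseconds to GB-seconds conversion dropped here (divide by 1024000, `1110000000 / 1024000 = 1083.98`) survives in the new article, since it was the only place the unit of `FunctionExecutionUnits` was explained for cost estimation. The removed CLI instruction text contained the typo `<AZURE_SUBSCRIPTON_ID>`; if that block is moved rather than deleted, fix the spelling in its new home.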
Function execution units are a combination of execution time and your memory usa
If you haven't already done so, [enable Application Insights in your function app](configure-monitoring.md#enable-application-insights-integration). With this integration enabled, you can [query this telemetry data in the portal](analyze-telemetry-data.md#query-telemetry-data).
+You can use either [Azure Monitor metrics explorer](../azure-monitor/essentials/metrics-getting-started.md) in the [Azure portal] or REST APIs to get Monitor Metrics data.
+ [!INCLUDE [functions-consumption-metrics-queries](../../includes/functions-consumption-metrics-queries.md)] ## Next steps
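Review bot: the added sentence `You can use either [Azure Monitor metrics explorer](...) in the [Azure portal] or REST APIs to get Monitor Metrics data.` sits under "### Function-level metrics", right after the paragraph about enabling Application Insights, but it describes how to retrieve the app-level Monitor Metrics covered in the previous section. Move it up to "Function app-level metrics", and confirm the `[Azure portal]` reference-style link definition still exists at the bottom of the file after the deletions above, otherwise it renders as literal brackets.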
azure-functions Functions Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-monitoring.md
The [Azure Functions scale controller](./event-driven-scaling.md#runtime-scaling
To enable this feature, you add an application setting named `SCALE_CONTROLLER_LOGGING_ENABLED` to your function app settings. To learn how, see [Configure scale controller logs](configure-monitoring.md#configure-scale-controller-logs).
+## Azure Monitor metrics
+
+In addition to log-based telemetry data collected by Application Insights, you can also get data about how the function app is running from [Azure Monitor Metrics](../azure-monitor/essentials/data-platform-metrics.md). To learn more, see [Using Azure Monitor Metric with Azure Functions](monitor-metrics.md).
+ ## Report issues To report an issue with Application Insights integration in Functions, or to make a suggestion or request, [create an issue in GitHub](https://github.com/Azure/Azure-Functions/issues/new).
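Review bot: the link text `Using Azure Monitor Metric with Azure Functions` (singular "Metric") matches the H1 of the new article but not that article's metadata title `Using Monitor Metrics with Azure Functions`; settle on "Azure Monitor Metrics" in all three places.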
azure-functions Monitor Metrics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/monitor-metrics.md
+
+ Title: Using Monitor Metrics with Azure Functions
+description: Learn how to use Azure Monitor Metrics to view and query for Azure Functions telemetry data collected by and stored in Azure Application Insights.
+ Last updated : 07/4/2021
+# Customer intent: As a developer, I want to view and query the data being collected from my function app so I can know if it's running correctly and to make improvements.
++
+# Using Azure Monitor Metric with Azure Functions
+
+Azure Functions integrates with Azure Monitor Metrics to let you analyze the metrics generated by your function app during execution. To learn more, see the [Azure Monitor Metrics overview](../azure-monitor/essentials/data-platform-metrics.md). These metrics indicate how your function app is running on the App Service platform. You can review resource consumption data used to estimate consumption plan costs. To investigate detailed telemetry from your function executions, including log data, you should also use [Application Insights](functions-monitoring.md) in Azure Monitor.
+
+> [!NOTE]
+> Azure Monitor Metrics is not currently supported when your function app runs on Linux in a Consumption plan.
+
+## Available metrics
+
+Azure Monitor collects numeric data from a set of monitored resources, which are entered into a time series database. Azure Monitor collects metrics specific to both Functions and the underlying App Service resources.
+
+### Functions-specific metrics
+
+There are two metrics specific to Functions that are of interest:
+
+| Metric | Description |
+| - | - |
+| **FunctionExecutionCount** | Function execution count indicates the number of times your function app has executed. This value correlates to the number of times a function runs in your app. |
+| **FunctionExecutionUnits** | Function execution units are a combination of execution time and your memory usage. Memory data isn't a metric currently available through Azure Monitor. However, if you want to optimize the memory usage of your app, can use the performance counter data collected by Application Insights. This metric isn't currently supported for Premium and Dedicated (App Service) plans running on Linux.|
+
+These metrics are used specifically when [estimating Consumption plan costs](functions-consumption-costs.md).
+
+### General App Service metrics
+
+Aside from function-specific metrics, the App Service platform implements more metrics, which you can use to monitor function apps. For the complete list, see [metrics available to App Service apps](../app-service/web-sites-monitor.md#understand-metrics).
+
+## Accessing metrics
+
+You can use either [Azure Monitor metrics explorer](../azure-monitor/essentials/metrics-getting-started.md) in the [Azure portal](https://portal.azure.com) or REST APIs to get Monitor Metrics data.
+
+The following examples use Monitor Metrics to help estimate the cost of running your function app on a Consumption plan. To learn more about estimating Consumption plan costs, see [Estimating Consumption plan costs](functions-consumption-costs.md).
++
+To learn more about using Monitor Explorer to view metrics, see [Getting started with Azure Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md).
+
+## Next steps
+
+Learn more about monitoring Azure Functions:
+++ [Monitor Azure Functions](functions-monitoring.md)++ [Analyze Azure Functions telemetry in Application Insights](analyze-telemetry-data.md)
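Review bot: the two support statements in this new article conflict. The note under the introduction says Azure Monitor Metrics `is not currently supported when your function app runs on Linux in a Consumption plan`, while the `FunctionExecutionUnits` row says that metric `isn't currently supported for Premium and Dedicated (App Service) plans running on Linux`. If both are true, say so in one place (Linux Consumption: no metrics at all; Linux Premium and Dedicated: no `FunctionExecutionUnits`); as written a reader cannot tell which plans are covered. Other points: the `description:` metadata says the article covers telemetry `collected by and stored in Azure Application Insights`, which contradicts the body's distinction between Monitor Metrics and Application Insights; the H1 `Using Azure Monitor Metric with Azure Functions` should say "Metrics" to match the title; `Last updated : 07/4/2021` should be zero-padded (`07/04/2021`) like the other articles in this commit; `if you want to optimize the memory usage of your app, can use` is missing "you"; and `The following examples use Monitor Metrics to help estimate the cost` is followed by no examples in the hunk, so confirm the include meant to carry the moved walkthrough is actually referenced.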
azure-monitor Azure Monitor Agent Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/azure-monitor-agent-overview.md
The following table shows the current support for Azure Monitor agent with Azure
|:|:| | [VM Insights](../vm/vminsights-overview.md) | Private preview | | [VM Insights guest health](../vm/vminsights-health-overview.md) | Public preview |
+| [SQL insights](../insights/sql-insights-overview.md) | Public preview. |
The following table shows the current support for Azure Monitor agent with Azure solutions.
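Review bot: the new `[SQL insights]` row ends its status cell with a period (`Public preview.`) while the neighbouring rows (`Private preview`, `Public preview`) do not; drop the period for consistency.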
The following table shows the current support for Azure Monitor agent with Azure
|:|:| | [Change Tracking](../../automation/change-tracking/overview.md) | Supported as File Integrity Monitoring (FIM) in Azure Security Center private preview. | | [Update Management](../../automation/update-management/overview.md) | Use Update Management v2 (private preview) that doesnΓÇÖt require an agent. |
-| [SQL Server](../insights/sql-insights-overview.md) | Support by SQL insights which is currently in public preview. |
azure-monitor Alerts Smart Detections Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/alerts-smart-detections-migration.md
You can create and manage action groups for the new smart detection alert rules
### Managing alert rule settings using Azure Resource Manager templates
-After completing the migration, you can use Azure Resource Management templates to configure settings for smart detection alert rule settings.
+After completing the migration, you can use Azure Resource Manager templates to configure settings for smart detection alert rule settings.
> [!NOTE] > After completion of migration, smart detection settings must be configured using smart detection alert rule templates, and can no longer be configured using the [Application Insights Resource Manager template](../app/proactive-arm-config.md#smart-detection-rule-configuration).
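Review bot: the corrected sentence still reads `configure settings for smart detection alert rule settings`; "configure smart detection alert rule settings" removes the doubled "settings" while keeping the Azure Resource Manager fix.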
azure-monitor Asp Net https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/asp-net.md
This section will guide you through manually adding Application Insights to a te
``` 7. Update the Web.config file as follows:-
+
```xml <?xml version="1.0" encoding="utf-8"?> <!--
This section will guide you through manually adding Application Insights to a te
<system.web> <compilation debug="true" targetFramework="4.7.2" /> <httpRuntime targetFramework="4.7.2" />
+ <!-- Code added for App Insights start -->
<httpModules> <add name="TelemetryCorrelationHttpModule" type="Microsoft.AspNet.TelemetryCorrelation.TelemetryCorrelationHttpModule, Microsoft.AspNet.TelemetryCorrelation" /> <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" /> </httpModules>
+ <!-- Code added for App Insights end -->
</system.web> <runtime> <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
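Review bot: the snippet carries `<compilation debug="true" targetFramework="4.7.2" />` from the project template alongside the newly marked App Insights module registrations; since readers copy this whole file, add a sentence that `debug="true"` is the development template value and must not be deployed as-is, or show `debug="false"` in the sample. The start/end comment markers themselves are a good addition; keep their wording identical in all three places so readers can search for them.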
This section will guide you through manually adding Application Insights to a te
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" /> <bindingRedirect oldVersion="1.0.0.0-5.2.7.0" newVersion="5.2.7.0" /> </dependentAssembly>
+ <!-- Code added for App Insights start -->
<dependentAssembly> <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" /> <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" /> </dependentAssembly>
+ <!-- Code added for App Insights end -->
</assemblyBinding> </runtime> <system.codedom>
This section will guide you through manually adding Application Insights to a te
</system.codedom> <system.webServer> <validation validateIntegratedModeConfiguration="false" />
+ <!-- Code added for App Insights start -->
<modules> <remove name="TelemetryCorrelationHttpModule" /> <add name="TelemetryCorrelationHttpModule" type="Microsoft.AspNet.TelemetryCorrelation.TelemetryCorrelationHttpModule, Microsoft.AspNet.TelemetryCorrelation" preCondition="managedHandler" /> <remove name="ApplicationInsightsWebTracking" /> <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" /> </modules>
+ <!-- Code added for App Insights end -->
</system.webServer> </configuration>
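Review bot: the `<modules>` block for IIS integrated mode marked here does a `<remove name="..."/>` before each `<add ...>`, which is the right way to avoid duplicate-module errors, but the earlier `<httpModules>` block under `<system.web>` registers the same two modules without that guard. A short sentence in step 7 explaining that `<httpModules>` serves classic pipeline mode and `<modules>` (with `preCondition="managedHandler"`) serves integrated mode would tell readers both are intentional and which one applies to their app pool.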
azure-monitor Availability Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/availability-overview.md
Title: Application Insights availability overview description: Set up recurring web tests to monitor availability and responsiveness of your app or website. Previously updated : 05/04/2021 Last updated : 07/08/2021
You can set up availability tests for any HTTP or HTTPS endpoint that is accessi
## Types of availability tests
-There are three types of availability tests:
+There are four types of availability tests:
-* [URL ping test](monitor-web-app-availability.md): This category has two simple tests you can create through the portal.
+* [URL ping test](monitor-web-app-availability.md): A simple tests you can create through the portal. Standard ping test includes features like using any HTTP request methods (for example `GET`,`HEAD`,`POST`, etc.) or adding custom headers.
* [Multi-step web test](availability-multistep.md): A recording of a sequence of web requests, which can be played back to test more complex scenarios. Multi-step web tests are created in Visual Studio Enterprise and uploaded to the portal for execution. * [Custom Track Availability Tests](/dotnet/api/microsoft.applicationinsights.telemetryclient.trackavailability): If you decide to create a custom application to run availability tests, the `TrackAvailability()` method can be used to send the results to Application Insights.
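Review bot: the count is changed to `There are four types of availability tests` but the list still has three bullets (URL ping, multi-step, custom `TrackAvailability()`), with the new Standard test folded into the URL ping bullet as a second sentence. Either give the Standard test its own bullet with a link or leave the count at three. In the same bullet, `A simple tests you can create` should be `A simple test you can create`.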
Dedicated [troubleshooting article](troubleshoot-availability.md).
* [Multi-step web tests](availability-multistep.md) * [URL tests](monitor-web-app-availability.md) * [Create and run custom availability tests using Azure Functions.](availability-azure-functions.md)
-* [Web Tests Azure Resource Manager template](/azure/templates/microsoft.insights/webtests?tabs=json)
+* [Web Tests Azure Resource Manager template](/azure/templates/microsoft.insights/webtests?tabs=json)
azure-monitor Ilogger https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/ilogger.md
Depending on the Application Insights logging package you use, there will be var
## ASP.NET Core applications
-To add Application Insights telemetry to to ASP.NET Core applications, use the `Microsoft.ApplicationInsights.AspNetCore` NuGet package. This can be configured from with [Visual Studio as a Connected service](/visualstudio/azure/azure-app-insights-add-connected-service), or manually.
+To add Application Insights telemetry to ASP.NET Core applications, use the `Microsoft.ApplicationInsights.AspNetCore` NuGet package. This can be configured through [Visual Studio as a Connected service](/visualstudio/azure/azure-app-insights-add-connected-service), or manually.
By default, ASP.NET Core applications have Application Insights logging provider registered when configured using the [Code](./asp-net-core.md) or [Code-less](./azure-web-apps.md?tabs=netcore#enable-agent-based-monitoring) approach. The registered provider is configured to automatically capture log events with a severity of <xref:Microsoft.Extensions.Logging.LogLevel.Warning?displayProperty=nameWithType> or greater. Severity and categories may be customized. For more information, see [Control logging level](#control-logging-level).
By default, ASP.NET Core applications have Application Insights logging provider
} ```
-With the NuGet package installed, and the provider being registered with dependency injection, the app is ready to log. With constructor injection, require either <xref:Microsoft.Extensions.Logging.ILogger> or the generic-type alternative <xref:Microsoft.Extensions.Logging.ILogger%601>. When these implementations are resolved, the `ApplicationInsightsLoggerProvider` will be providing them. Messages or exceptions logged will be sent to Application Insights. Consider the following example controller:
+With the NuGet package installed, and the provider being registered with dependency injection, the app is ready to log. With constructor injection, either <xref:Microsoft.Extensions.Logging.ILogger> or the generic-type alternative <xref:Microsoft.Extensions.Logging.ILogger%601> is required. When these implementations are resolved, the `ApplicationInsightsLoggerProvider` will be providing them. Messages or exceptions logged will be sent to Application Insights. Consider the following example controller:
```csharp public class ValuesController : ControllerBase
For more information, see [Logging in ASP.NET Core](/aspnet/core/fundamentals/lo
Some scenarios require capturing logs as part of the app startup routine, prior to the request-response pipeline being ready to accept requests. However, `ILogger` implementations aren't easily available from dependency injection in *Program.cs* and *Startup.cs*. For more information, see [Logging in .NET: Create logs in `Main`](/dotnet/core/extensions/logging?tabs=command-line#create-logs-in-main).
-The are several applicable limitations when logging from *Program.cs* and *Startup.cs*:
+There are several applicable limitations when logging from *Program.cs* and *Startup.cs*:
* Telemetry is sent using the [InMemoryChannel](./telemetry-channels.md) telemetry channel. * No [sampling](./sampling.md) is applied to telemetry.
namespace WebApplication
} ```
-In the preceding code, the `ApplicationInsightsLoggerProvider` is configured with your `"APPINSIGHTS_CONNECTIONSTRING"` connection string, and a filters are applied setting the log level to <xref:Microsoft.Extensions.Logging.LogLevel.Trace?displayProperty=nameWithType>.
+In the preceding code, the `ApplicationInsightsLoggerProvider` is configured with your `"APPINSIGHTS_CONNECTIONSTRING"` connection string, and filters are applied, setting the log level to <xref:Microsoft.Extensions.Logging.LogLevel.Trace?displayProperty=nameWithType>.
> [!IMPORTANT] > [Connection Strings](./sdk-connection-string.md?tabs=net) are recommended over instrumentation keys. New Azure regions **require** the use of connection strings instead of instrumentation keys. Connection string identifies the resource that you want to associate your telemetry data with. It also allows you to modify the endpoints your resource will use as a destination for your telemetry. You will need to copy the connection string and add it to your application's code or to an environment variable.
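Review bot: the important box tells readers to copy the connection string `to your application's code or to an environment variable`; since the preceding sample reads `"APPINSIGHTS_CONNECTIONSTRING"` from configuration, recommend the environment variable or configuration source first and say that the connection string should not be committed to source, because, as the same box explains, it identifies the resource telemetry is sent to and can change the endpoints used.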
Host.CreateDefaultBuilder(args)
}); ```
-This preceding code is functionally equivalent as the previous section in *appsettings.json*. For more information, see [Configuration in .NET](/dotnet/core/extensions/configuration).
+This preceding code is functionally equivalent to the previous section in *appsettings.json*. For more information, see [Configuration in .NET](/dotnet/core/extensions/configuration).
## Logging scopes
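Review bot: `This preceding code is functionally equivalent to` still has a stray demonstrative; "The preceding code is functionally equivalent to" is the idiomatic form.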
azure-monitor Monitor Web App Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/monitor-web-app-availability.md
Title: Monitor availability with URL ping tests- Azure Monitor description: Set up ping tests in Application Insights. Get alerts if a website becomes unavailable or responds slowly. Previously updated : 05/25/2021 Last updated : 07/08/2021 # Monitor availability with URL ping tests
-The name "URL ping test" is a bit of a misnomer. To be clear, these tests are not making any use of ICMP (Internet Control Message Protocol) to check your site's availability. Instead they use more advanced HTTP request functionality to validate whether an endpoint is responding. They also measure the performance associated with that response, and adds the ability to set custom success criteria coupled with more advanced features like parsing dependent requests, and allowing for retries.
+The name "URL ping test" is a bit of a misnomer. To be clear, these tests aren't making any use of ICMP (Internet Control Message Protocol) to check your site's availability. Instead they use more advanced HTTP request functionality to validate whether an endpoint is responding. They also measure the performance associated with that response, and adds the ability to set custom success criteria coupled with more advanced features like parsing dependent requests, and allowing for retries.
-In order to create an availability test, you need use an existing Application Insight resource or [create an Application Insights resource](create-new-resource.md).
+> [!NOTE]
+> Standard ping tests are currently in public preview. These preview versions are provided without a service level agreement. Certain features might not be supported or might have constrained capabilities.
+
+> [!NOTE]
+> There are currently no additional charges for the preview feature Standard Ping tests. Pricing for features that are in preview will be announced in the future and a notice provided prior to start of billing. Should you choose to continue using Standard Ping tests after the notice period, you will be billed at the applicable rate.
-To create your first availability request, open the Availability pane and selectΓÇ» **Create Test**.
+## Create a Standard URL ping test
+To create an availability test, you need use an existing Application Insight resource or [create an Application Insights resource](create-new-resource.md).
-## Create a test
-|Setting| Explanation
-|-|-|-|
+|Setting | Explanation |
+|--|-|
|**URL** | The URL can be any web page you want to test, but it must be visible from the public internet. The URL can include a query string. So, for example, you can exercise your database a little. If the URL resolves to a redirect, we follow it up to 10 redirects.|
-|**Parse dependent requests**| Test requests images, scripts, style files, and other files that are part of the web page under test. The recorded response time includes the time taken to get these files. The test fails if any of these resources cannot be successfully downloaded within the timeout for the whole test. If the option is not checked, the test only requests the file at the URL you specified. Enabling this option results in a stricter check. The test could fail for cases, which may not be noticeable when manually browsing the site.
-|**Enable retries**|when the test fails, it is retried after a short interval. A failure is reported only if three successive attempts fail. Subsequent tests are then performed at the usual test frequency. Retry is temporarily suspended until the next success. This rule is applied independently at each test location. **We recommend this option**. On average, about 80% of failures disappear on retry.|
+|**Parse dependent requests**| Test requests images, scripts, style files, and other files that are part of the web page under test. The recorded response time includes the time taken to get these files. The test fails if any of these resources cannot be successfully downloaded within the timeout for the whole test. If the option isn't checked, the test only requests the file at the URL you specified. Enabling this option results in a stricter check. The test could fail for cases, which may not be noticeable when manually browsing the site. |
+|**Enable retries**| When the test fails, it's retried after a short interval. A failure is reported only if three successive attempts fail. Subsequent tests are then performed at the usual test frequency. Retry is temporarily suspended until the next success. This rule is applied independently at each test location. **We recommend this option**. On average, about 80% of failures disappear on retry.|
+| **SSL certificate validation test** | You can verify the SSL certificate on your website to make sure it's correctly installed, valid, trusted, and doesn't give any errors to any of your users. |
+| **Proactive lifetime check** | This enables you to define a set time period before your SSL certificate expires. Once it expires, your test will fail. |
|**Test frequency**| Sets how often the test is run from each test location. With a default frequency of five minutes and five test locations, your site is tested on average every minute.|
-|**Test locations**| Are the places from where our servers send web requests to your URL. **Our minimum number of recommended test locations is five** in order to insure that you can distinguish problems in your website from network issues. You can select up to 16 locations.
+|**Test locations**| Are the places from where our servers send web requests to your URL. **Our minimum number of recommended test locations is five** to ensure that you can distinguish problems in your website from network issues. You can select up to 16 locations.|
+| **Custom headers** | Key value pairs that define the operating parameters. |
+| **HTTP request verb** | Indicate what action you would like to take with your request. IF your chosen verb is not available in the UI you can deploy a standard test using Azure Resource Monitor with the desired choice. |
+| **Request body** | Custom data associated with your HTTP request. You can upload your own files, type in your content, or disable this feature. For raw body content, we support TEXT, JSON, HTML, XML, and JavaScript. |
+ **If your URL is not visible from the public internet, you can choose to selectively open up your firewall to allow only the test transactions through**. To learn more about the firewall exceptions for our availability test agents, consult the [IP address guide](./ip-addresses.md#availability-tests).
To create your first availability request, open the Availability pane and select
## Success criteria
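Review bot: In the new **HTTP request verb** row, "Azure Resource Monitor" should read "Azure Resource Manager" (verbs not exposed in the UI are set by deploying the standard test as a Resource Manager template), and "IF your chosen verb" should be "If your chosen verb". Two grammar slips survive the rewrite in this region: "you need use an existing Application Insight resource" should be "you need to use an existing Application Insights resource", and "They also measure the performance associated with that response, and adds the ability" should be "and add the ability". The **Proactive lifetime check** row is also ambiguous as written ("Once it expires, your test will fail"): say that the test fails once the certificate's remaining lifetime drops below the configured period, so the reader sees what the period is for and how this differs from plain certificate validation.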
-|Setting| Explanation
-|-|-|-|
+|Setting| Explanation|
+|-||
| **Test timeout** |Decrease this value to be alerted about slow responses. The test is counted as a failure if the responses from your site have not been received within this period. If you selected **Parse dependent requests**, then all the images, style files, scripts, and other dependent resources must have been received within this period.| | **HTTP response** | The returned status code that is counted as a success. 200 is the code that indicates that a normal web page has been returned.| | **Content match** | A string, like "Welcome!" We test that an exact case-sensitive match occurs in every response. It must be a plain string, without wildcards. Don't forget that if your page content changes you might have to update it. **Only English characters are supported with content match** | ## Alerts
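Review bot: The new separator row `|-||` for the Success criteria table has an empty trailing cell and no dash cell for the Explanation column, so the two-column table will not render reliably; use `|-|-|` (one dash cell per column). The Alerts table header in the next region was given the identical `|-||` separator and needs the same fix.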
-|Setting| Explanation
-|-|-|-|
+|Setting| Explanation|
+|-||
|**Near-realtime (Preview)** | We recommend using Near-realtime alerts. Configuring this type of alert is done after your availability test is created. | |**Alert location threshold**|We recommend a minimum of 3/5 locations. The optimal relationship between alert location threshold and the number of test locations is **alert location threshold** = **number of test locations - 2, with a minimum of five test locations.**|
The following population tags can be used for the geo-location attribute when de
Availability test results can be visualized with both line and scatter plot views.
-After a few minutes, click **Refresh** to see your test results.
+After a few minutes, select **Refresh** to see your test results.
:::image type="content" source="./media/monitor-web-app-availability/availability-refresh-002.png" alt-text="Screenshot shows the Availability page with the Refresh button highlighted.":::
Select a particular test, location, or reduce the time period to see more result
## Inspect and edit tests
-To edit, temporarily disable, or delete a test click the ellipses next to a test name. It may take up to 20 minutes for configuration changes to propagate to all test agents after a change is made.
+To edit, temporarily disable, or delete a test, select the ellipses next to a test name. It may take up to 20 minutes for configuration changes to propagate to all test agents after a change is made.
:::image type="content" source="./media/monitor-web-app-availability/edit.png" alt-text="View test details. Edit and Disable a web test." border="false":::
From an availability test result, you can see the transaction details across all
To learn more about the end to end transaction diagnostics experience visit the [transaction diagnostics documentation](./transaction-diagnostics.md).
-Click on the exception row to see the details of the server-side exception that caused the synthetic availability test to fail. You can also get the [debug snapshot](./snapshot-debugger.md) for richer code level diagnostics.
+Select on the exception row to see the details of the server-side exception that caused the synthetic availability test to fail. You can also get the [debug snapshot](./snapshot-debugger.md) for richer code level diagnostics.
:::image type="content" source="./media/monitor-web-app-availability/open-instance-4.png" alt-text="Server-side diagnostics.":::
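Review bot: The click-to-select substitution here left "Select on the exception row", which is ungrammatical; drop the preposition so the line reads "Select the exception row to see the details of the server-side exception that caused the synthetic availability test to fail." The same replacement is correct in the earlier regions ("select **Refresh**", "select the ellipses next to a test name").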
azure-monitor Data Platform Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/data-platform-logs.md
You must create at least one workspace to use Azure Monitor Logs. A single works
- See [Designing your Azure Monitor Logs deployment](design-logs-deployment.md) on considerations for creating multiple workspaces. ## Data structure
-Log queries retrieve their data from a Log Analytics workspace. Each workspace contains multiple tables are that are organized into separate columns with multiple rows of data. Each table is defined by a unique set of columns that are shared by the rows of data provided by the data source.
+Log queries retrieve their data from a Log Analytics workspace. Each workspace contains multiple tables that are organized into separate columns with multiple rows of data. Each table is defined by a unique set of columns that are shared by the rows of data provided by the data source.
[![Azure Monitor Logs structure](media/data-platform-logs/logs-structure.png)](media/data-platform-logs/logs-structure.png#lightbox)
Azure Monitor Logs is based on Azure Data Explorer. A Log Analytics workspace is
- Learn about [log queries](./log-query-overview.md) to retrieve and analyze data from a Log Analytics workspace. - Learn about [metrics in Azure Monitor](../essentials/data-platform-metrics.md).-- Learn about the [monitoring data available](../agents/data-sources.md) for different resources in Azure.
+- Learn about the [monitoring data available](../agents/data-sources.md) for different resources in Azure.
azure-percept How To Troubleshoot Setup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/how-to-troubleshoot-setup.md
Refer to the table below for workarounds to common issues found during the [Azur
|The host computer shows a security warning about the connection to the Azure Percept DK access point.|It's a known issue that will be fixed in a later update.|It's safe to continue through the setup experience.| |The Azure Percept DK Wi-Fi access point (scz-xxxx or apd-xxxx) appears in the network list but fails to connect.|It could be because of a temporary corruption of the dev kit's Wi-Fi access point.|Reboot the dev kit and try again.| |Unable to connect to a Wi-Fi network during the setup experience.|The Wi-Fi network must currently have internet connectivity to communicate with Azure. EAP[PEAP/MSCHAP], captive portals, and enterprise EAP-TLS connectivity is currently not supported.|Ensure your Wi-Fi network type is supported and has internet connectivity.|
-|After using the Device Code and signing into Azure, you're presented with an error about policy permissions or compliance issues and will be unable to continue. Here are some of the errors you may see:<br>**BlockedByConditionalAccessOnSecurityPolicy** The tenant admin has configured a security policy that blocks this request. Check the security policies defined at the tenant level to determine if your request meets the policy. <br>**DevicePolicyError** The user tried to sign into a device from a platform that's currently not supported through Conditional Access policy.<br>**DeviceNotCompliant** - Conditional Access policy requires a compliant device, and the device isn't compliant. The user must enroll their device with an approved MDM provider like Intune<br>**BlockedByConditionalAccess** Access has been blocked by Conditional Access policies. The access policy doesn't allow token issuance. |Some Azure tenants may block the usage of ΓÇ£Device CodesΓÇ¥ for manipulating Azure resources as a Security precaution. It's usually the result of your organization's IT policies. As a result, the Azure Percept Setup experience can't create any Azure resources for you. |Workaround |
+|After using the Device Code and signing into Azure, you're presented with an error about policy permissions or compliance issues and will be unable to continue. Here are some of the errors you may see:<br>**BlockedByConditionalAccessOnSecurityPolicy** The tenant admin has configured a security policy that blocks this request. Check the security policies defined at the tenant level to determine if your request meets the policy. <br>**DevicePolicyError** The user tried to sign into a device from a platform that's currently not supported through Conditional Access policy.<br>**DeviceNotCompliant** - Conditional Access policy requires a compliant device, and the device isn't compliant. The user must enroll their device with an approved MDM provider like Intune<br>**BlockedByConditionalAccess** Access has been blocked by Conditional Access policies. The access policy doesn't allow token issuance. |Some Azure tenants may block the usage of ΓÇ£Device CodesΓÇ¥ for manipulating Azure resources as a Security precaution. It's usually the result of your organization's IT policies. As a result, the Azure Percept Setup experience can't create any Azure resources for you. |Work with your organization to navigate their IT policies. |
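Review bot: The rewritten row still carries mis-encoded curly quotes around Device Codes (rendered as ΓÇ£Device CodesΓÇ¥); replace them with plain ASCII quotes, and lower-case "Security precaution" to match the rest of the sentence. Replacing the placeholder "Workaround" with real guidance is the right change, but since the first column already tells the user that the block comes from a tenant-level Conditional Access policy, the third column would be more actionable if it said that the tenant administrator is the one who can decide whether this sign-in is permitted, rather than leaving "Work with your organization" as the only guidance.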
azure-resource-manager Move Resource Group And Subscription https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/move-resource-group-and-subscription.md
To move to a new subscription, provide the `--destination-subscription-id` param
### Validate
-The [validate move operation](/rest/api/resources/resources/moveresources) lets you test your move scenario without actually moving the resources. Use this operation to check if the move will succeed. Validation is automatically called when you send a move request. Use this operation only when you need to predetermine the results. To run this operation, you need the:
+The [validate move operation](/rest/api/resources/resources/validate-move-resources) lets you test your move scenario without actually moving the resources. Use this operation to check if the move will succeed. Validation is automatically called when you send a move request. Use this operation only when you need to predetermine the results. To run this operation, you need the:
* name of the source resource group * resource ID of the target resource group
azure-resource-manager Createuidefinition Test Cases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/createuidefinition-test-cases.md
+
+ Title: createUiDefinition.json test cases for Azure Resource Manager test toolkit
+description: Describes the createUiDefinition.json tests that are run by the Azure Resource Manager template test toolkit.
+ Last updated : 07/09/2021++++
+# Test cases for createUiDefinition.json
+
+This article describes the tests that are run with the [template test toolkit](test-toolkit.md) for [createUiDefinition.json](../managed-applications/create-uidefinition-overview.md) files. The examples include the test names and code samples that **pass** or **fail** the tests.
+
+The toolkit includes [test cases](test-cases.md) for Azure Resource Manager templates (ARM templates) and the main template files named _azuredeploy.json_ or _maintemplate.json_. When the directory contains a _createUiDefinition.json_ file, specific tests are run for UI controls. For more information about how to run tests, see [Test parameters](test-toolkit.md#test-parameters).
+
+The _createUiDefinition.json_ file creates custom user-interface (UI) controls using [elements](../managed-applications/create-uidefinition-elements.md) and [functions](../managed-applications/create-uidefinition-functions.md).
+
+## Verify template parameter allows values
+
+Test name: **Allowed Values Should Actually Be Allowed**
+
+This test checks that values for each control in _createUiDefinition.json_ are allowed in the main template's parameters. The parameters are mapped by name between the main template and the _createUiDefinition.json_ file.
+
+The main template's parameter must accept the values from the control's `allowedValues`. The test also checks that the control is referenced in the _createUiDefinition.json_ `outputs` section.
+
+This test checks the main template and _createUiDefinition.json_ file. An example of the _createUiDefinition.json_ file is shown after the main template examples.
+
+The following example **fails** because the main template's parameter name `combo` doesn't match the control's parameter name `comboBox`.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "combo": {
+ "type": "string",
+ "defaultValue": "two"
+ }
+ },
+ "resources": [],
+ "outputs": {
+ "comboBoxOutput": {
+ "type": "string",
+ "value": "[parameters('combo')]"
+ }
+ }
+}
+```
+
+The following example **fails** because the main template's parameter type `int` doesn't accept the control's `string` value. And if a main template's parameter defines a `defaultValue` it must be a valid `value` in the control's `allowedValues`.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "comboBox": {
+ "type": "int",
+ "defaultValue": 4
+ }
+ },
+ "resources": [],
+ "outputs": {
+ "comboBoxOutput": {
+ "type": "string",
+ "value": "[parameters('combo')]"
+ }
+ }
+}
+```
+
+The following example **passes** because the main template's parameter name matches the control's parameter name. And the template's parameter type is a `string` with a `defaultValue` that's specified in the control's `allowedValues`.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "comboBox": {
+ "type": "string",
+ "defaultValue": "two"
+ }
+ },
+ "resources": [],
+ "outputs": {
+ "comboBoxOutput": {
+ "type": "string",
+ "value": "[parameters('comboBox')]"
+ }
+ }
+}
+```
+
+The _createUiDefinition.json_ file for this example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [],
+ "steps": [
+ {
+ "name": "demoComboBox",
+ "label": "demoComboBoxLabel",
+ "elements": [
+ {
+ "name": "comboBox",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Example drop down",
+ "defaultValue": "Value two",
+ "toolTip": "This is a tool tip",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Value one",
+ "description": "The value to select for option 1.",
+ "value": "one"
+ },
+ {
+ "label": "Value two",
+ "description": "The value to select for option 2.",
+ "value": "two"
+ }
+ ],
+ "required": true
+ },
+ "visible": true
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "comboBox": "[steps('demoComboBox').comboBox]"
+ }
+ }
+}
+```
+
+## Output controls must exist
+
+Test name: **Controls In Outputs Must Exist**
+
+Controls that are used in the `outputs` section must exist in an element elsewhere in _createUiDefinition.json_. The name referenced in `outputs` must match a name used in `basics[]` or `steps[]`.
+
+The following example **fails**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "nameDoesNotMatchOutput",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Example drop down",
+ "toolTip": "This is a tool tip"
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "comboBox": "[basics('comboBox')]"
+ }
+ }
+}
+```
+
+The following example **passes**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "comboBox",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Example drop down",
+ "toolTip": "This is a tool tip"
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "comboBox": "[basics('comboBox')]"
+ }
+ }
+}
+```
+
+## Properties must include values
+
+Test name: **CreateUIDefinition Must Not Have Blanks**
+
+Properties must include values. Required properties must use valid values. Optional properties that are blank should be removed. The test allows blank `"basics": []`, `"steps": []`, or `defaultValue`.
+
+The following example **fails** because `label`, `placeholder`, and `toolTip` are blank:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "comboBox",
+ "type": "Microsoft.Common.DropDown",
+ "label": "",
+ "placeholder": "",
+ "defaultValue": "",
+ "toolTip": ""
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "comboBox": "[basics('comboBox')]"
+ }
+ }
+}
+```
+
+The following example **passes** because `label` and `toolTip` have values, and `placeholder` was removed:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "comboBox",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Example drop down",
+ "defaultValue": "",
+ "toolTip": "This is a tool tip"
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "comboBox": "[basics('comboBox')]"
+ }
+ }
+}
+```
+
+## Use valid schema and version
+
+Test name: **CreateUIDefinition Should Have Schema**
+
+The _createUiDefinition.json_ file must include a `$schema` property and use a valid `$schema` and `version`. The version numbers in `$schema` and `version` must match.
+
+The following example **fails**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.9.9-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.9.9-preview"
+}
+```
+
+The following example **passes** because it uses the latest `$schema` and `version`:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview"
+}
+```
+
+## Don't hide credential confirmation
+
+Test name: **Credential Confirmation Should Not Be Hidden**
+
+This test checks that credentials are confirmed for [Microsoft.Common.PasswordBox](../managed-applications/microsoft-common-passwordbox.md) or [Microsoft.Compute.CredentialsCombo](../managed-applications/microsoft-compute-credentialscombo.md). The `hideConfirmation` property should be set to `false` so that the confirmation is visible.
+
+The following example **fails** because `hideConfirmation` is `true`:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "credentials",
+ "type": "Microsoft.Compute.CredentialsCombo",
+ "label": {
+ "password": "Password",
+ "confirmPassword": "Confirm password"
+ },
+ "toolTip": {
+ "password": "Type your credentials"
+ },
+ "constraints": {
+ "required": true,
+ "customPasswordRegex": "^(?=.*[A-Za-z])(?=.*\\d)[A-Za-z\\d]{12,}$",
+ "customValidationMessage": "The password must be alphanumeric, contain at least 12 characters, and have at least 1 letter and 1 number."
+ },
+ "options": {
+ "hideConfirmation": true
+ },
+ "osPlatform": "Windows",
+ "visible": true
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "credentials": "[basics('credentials')]"
+ }
+ }
+}
+```
+
+The following example **passes** because `hideConfirmation` is `false`:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "credentials",
+ "type": "Microsoft.Compute.CredentialsCombo",
+ "label": {
+ "password": "Password",
+ "confirmPassword": "Confirm password"
+ },
+ "toolTip": {
+ "password": "Type your credentials"
+ },
+ "constraints": {
+ "required": true,
+ "customPasswordRegex": "^(?=.*[A-Za-z])(?=.*\\d)[A-Za-z\\d]{12,}$",
+ "customValidationMessage": "The password must be alphanumeric, contain at least 12 characters, and have at least 1 letter and 1 number."
+ },
+ "options": {
+ "hideConfirmation": false
+ },
+ "osPlatform": "Windows",
+ "visible": true
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "credentials": "[basics('credentials')]"
+ }
+ }
+}
+```
+
+## Use correct handler
+
+Test name: **Handler Must Be Correct**
+
+Use `Microsoft.Azure.CreateUIDef` or `Microsoft.Compute.MultiVm` in the _createUiDefinition.json_ file.
+
+The following example **fails**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.",
+ "version": "0.1.2-preview"
+}
+```
+
+The following example **passes**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview"
+}
+```
+
+## Don't hide existing resources
+
+Test name: **HideExisting Must Be Correctly Handled**
+
+If `hideExisting` is set to `false` or omitted, `outputs` must contain `resourceGroup` and `newOrExisting`. The default for `hideExisting` is `false`.
+
+Examples of control types that include `hideExisting` are [Microsoft.Storage.StorageAccountSelector](../managed-applications/microsoft-storage-storageaccountselector.md), [Microsoft.Network.PublicIpAddressCombo](../managed-applications/microsoft-network-publicipaddresscombo.md), or [Microsoft.Network.VirtualNetworkCombo](../managed-applications/microsoft-network-virtualnetworkcombo.md).
+
+The following example **fails**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "storage",
+ "type": "Microsoft.Storage.StorageAccountSelector",
+ "label": "Storage account",
+ "toolTip": "This is a demo storage account",
+ "defaultValue": {
+ "name": "storageaccount01",
+ "type": "Premium_LRS"
+ },
+ "options": {
+ "hideExisting": false
+ },
+ "visible": true
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]"
+ }
+ }
+}
+```
+
+The following example **passes**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "storage",
+ "type": "Microsoft.Storage.StorageAccountSelector",
+ "label": "Storage account",
+ "toolTip": "This is a demo storage account",
+ "defaultValue": {
+ "name": "storageaccount01",
+ "type": "Premium_LRS"
+ },
+ "options": {
+ "hideExisting": false
+ },
+ "visible": false
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "resourceGroup": "[basics('storage').resourceGroup]",
+ "newOrExisting": "[basics('storage').newOrExisting]"
+ }
+ }
+}
+```
+
+## Use location in outputs
+
+Test name: **Location Should Be In Outputs**
+
+The `outputs` section should contain a location using the [location](../managed-applications/create-ui-definition-referencing-functions.md#location) function.
+
+The following example **fails** because `outputs` doesn't include a location:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "comboBox",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Example drop down",
+ "toolTip": "This is a tool tip"
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "comboBox": "[basics('comboBox')]"
+ }
+ }
+}
+```
+
+The following example **passes**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "comboBox",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Example drop down",
+ "toolTip": "This is a tool tip"
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "comboBox": "[basics('comboBox')]",
+ "location": "[location()]"
+ }
+ }
+}
+```
+
+## Include control outputs in template parameters
+
+Test name: **Outputs Must Be Present In Template Parameters**
+
+The test checks that _createUiDefinition.json_ includes an `outputs` section. The test also checks that those `outputs` are defined in the main template's `parameters` section. The names must match because parameters are mapped by name between the _createUiDefinition.json_ and the main template.
+
+This test checks the main template and _createUiDefinition.json_ file. An example of the _createUiDefinition.json_ file is shown after the main template examples.
+
+The following example **fails** because the main template doesn't include the `comboBox` parameter from the _createUiDefinition.json_ file's `outputs` section:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ }
+ },
+ "resources": [],
+ "outputs": {
+ "location": {
+ "type": "string",
+ "value": "[parameters('location')]"
+ }
+ }
+}
+```
+
+The following example **passes** because the main template includes the `comboBox` parameter:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "comboBox": {
+ "type": "string",
+ "defaultValue": "two"
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ }
+ },
+ "resources": [],
+ "outputs": {
+ "comboBox": {
+ "type": "string",
+ "value": "[parameters('comboBox')]"
+ },
+ "location": {
+ "type": "string",
+ "value": "[parameters('location')]"
+ }
+ }
+}
+```
+
+The _createUiDefinition.json_ file for this example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "comboBox",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Example drop down",
+ "toolTip": "This is a tool tip"
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "comboBox": "[basics('comboBox')]",
+ "location": "[location()]"
+ }
+ }
+}
+```
+
+## Parameters without default must exist in outputs
+
+Test name: **Parameters Without Default Must Exist In CreateUIDefinition**
+
+Parameters in the main template without a default value must exist in the _createUiDefinition.json_ file's `outputs` section.
+
+This test checks the main template and _createUiDefinition.json_ file. An example of the _azuredeploy.json_ file is shown after the control's examples.
+
+The following example **fails** because the _createUiDefinition.json_ file's `outputs` doesn't include the main template's parameter `comboBox`:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "comboBox",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Example drop down",
+ "toolTip": "This is a tool tip"
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]"
+ }
+ }
+}
+```
+
+The following example **passes** because _createUiDefinition.json_ includes the `comboBox` in `outputs`:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "comboBox",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Example drop down",
+ "toolTip": "This is a tool tip"
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "comboBox": "[basics('comboBox')]",
+ "location": "[location()]"
+ }
+ }
+}
+```
+
+The _azuredeploy.json_ file for this example. The `comboBox` parameter doesn't have a default value.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "comboBox": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "resources": [],
+ "outputs": {
+ "comboBox": {
+ "type": "string",
+ "value": "[parameters('comboBox')]"
+ },
+ "location": {
+ "type": "string",
+ "value": "[parameters('location')]"
+ }
+ }
+}
+```
+
+## Use secure parameter with password box
+
+Test name: **Password Textboxes Must Be Used For Password Parameters**
+
+This test checks that a [Microsoft.Common.PasswordBox](../managed-applications/microsoft-common-passwordbox.md) element is defined in the main template's `parameters` and the _createUiDefinition.json_ `outputs`. The main template's parameter type for a password box must be `secureString` or `secureObject`.
+
+This test checks the main template and _createUiDefinition.json_ file. An example of the _createUiDefinition.json_ file is shown after the main template examples.
+
+The following example **fails** because the main template's `passwordBox` parameter is a `string`.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "passwordBox": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "resources": [],
+ "outputs": {
+ "location": {
+ "type": "string",
+ "value": "[parameters('location')]"
+ }
+ }
+}
+```
+
+The following example **passes** because the main template's `passwordBox` parameter is a `secureString`.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "passwordBox": {
+ "type": "secureString"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "resources": [],
+ "outputs": {
+ "location": {
+ "type": "string",
+ "value": "[parameters('location')]"
+ }
+ }
+}
+```
+
+The _createUiDefinition.json_ file for this example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "passwordBox",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "Password",
+ "confirmPassword": "Confirm password"
+ },
+ "toolTip": "Type a password"
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "passwordBox": "[basics('passwordBox')]"
+ }
+ }
+}
+```
+
+## Password box requires minimum length
+
+Test name: **PasswordBoxes Must Have Min Length**
+
+The test checks that the [Microsoft.Common.PasswordBox](../managed-applications/microsoft-common-passwordbox.md) element uses `constraints` with a `regex` that requires at least 12 characters.
+
+The following example **fails** because there are no `constraints`:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "passwordBox",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "Password",
+ "confirmPassword": "Confirm password"
+ },
+ "toolTip": "Type a password"
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "passwordBox": "[basics('passwordBox')]"
+ }
+ }
+}
+```
+
+The following example **passes** because the `regex` requires at least 12 characters:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "passwordBox",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "Password",
+ "confirmPassword": "Confirm password"
+ },
+ "toolTip": "Type a password",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-zA-Z0-9]{12,}$",
+ "validationMessage": "Password must be at least 12 characters long, contain only numbers and letters"
+ }
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "passwordBox": "[basics('passwordBox')]"
+ }
+ }
+}
+```
+
+## Text box must use validation
+
+Test name: **Textboxes Are Well Formed**
+
+Use validation with text boxes to check for `constraints` that contain a `regex` and `message`.
+
+The following example **fails**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "textBox",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Text box",
+ "toolTip": "Type 1-30 alphanumeric characters",
+ "placeholder": "Type your text here",
+ "visible": true
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "textBox": "[basics('textBox')]"
+ }
+ }
+}
+```
+
+The following example **passes**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "textBox",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Text box",
+ "toolTip": "Type 1-30 alphanumeric characters",
+ "placeholder": "Type your text here",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "message": "Only 1-30 characters alphanumeric characters are allowed."
+ }
+ ]
+ },
+ "visible": true
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "textBox": "[basics('textBox')]"
+ }
+ }
+}
+```
+
+## toolTip must exist with a value
+
+Test name: **Tooltips Should Be Present**
+
+This test checks that the `toolTip` property exists and contains a value.
+
+The following example **fails**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "comboBox",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Example drop down",
+ "toolTip": ""
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "comboBox": "[basics('comboBox')]"
+ }
+ }
+}
+```
+
+The following example **passes**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "comboBox",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Example drop down",
+ "toolTip": "This is a tool tip"
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "comboBox": "[basics('comboBox')]"
+ }
+ }
+}
+```
+
+## Don't set a default user name
+
+Test name: **Usernames Should Not Have A Default**
+
+The test checks if there's a `defaultValue` set for [Microsoft.Compute.UserNameTextBox](../managed-applications/microsoft-compute-usernametextbox.md).
+
+The following example **fails** because a `defaultValue` is provided:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "userNameBox",
+ "type": "Microsoft.Compute.UserNameTextBox",
+ "label": "User name",
+ "defaultValue": "admin",
+ "toolTip": "Enter your user name",
+ "osPlatform": "Windows"
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "userNameBox": "[basics('userNameBox')]"
+ }
+ }
+}
+```
+
+The following example **passes**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "userNameBox",
+ "type": "Microsoft.Compute.UserNameTextBox",
+ "label": "User name",
+ "toolTip": "Enter your user name",
+ "osPlatform": "Windows"
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "userNameBox": "[basics('userNameBox')]"
+ }
+ }
+}
+```
+
+## Use message with validations
+
+Test name: **Validations Must Have Message**
+
+This test checks that any `validations` in _createUiDefinition.json_ include a `message`.
+
+The following example **fails** because the `regex` validation doesn't have a `message`:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "textBox",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Text box",
+ "toolTip": "Type 1-30 alphanumeric characters",
+ "placeholder": "Type your text here",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^[a-z0-9A-Z]{1,30}$"
+ }
+ ]
+ },
+ "visible": true
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "textBox": "[basics('textBox')]"
+ }
+ }
+}
+```
+
+The following example **passes**:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "textBox",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Text box",
+ "toolTip": "Type 1-30 alphanumeric characters",
+ "placeholder": "Type your text here",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "message": "Only 1-30 characters alphanumeric characters are allowed."
+ }
+ ]
+ },
+ "visible": true
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "textBox": "[basics('textBox')]"
+ }
+ }
+}
+```
+
+## Virtual machine sizes must match
+
+Test name: **VM Sizes Must Match Template**
+
+This test checks that the [Microsoft.Compute.SizeSelector](../managed-applications/microsoft-compute-sizeselector.md) is in the _createUiDefinition.json_ `outputs` and the main template's `parameters` section. Main template parameters that specify a `defaultValue` must match a value in the control's `allowedSizes`.
+
+This test checks the main template and _createUiDefinition.json_ file. An example of the _createUiDefinition.json_ file is shown after the main template examples.
+
+The following example **fails** because the main template's `defaultValue` doesn't match a value in `allowedSizes`:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_D9"
+ }
+ },
+ "resources": [],
+ "outputs": {
+ "location": {
+ "type": "string",
+ "value": "[parameters('location')]"
+ },
+ "vmSize": {
+ "type": "string",
+ "value": "[parameters('vmSize')]"
+ }
+ }
+}
+```
+
+The following example **passes** because the main template's `defaultValue` matches a value in `allowedSizes`:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_D3"
+ }
+ },
+ "resources": [],
+ "outputs": {
+ "location": {
+ "type": "string",
+ "value": "[parameters('location')]"
+ },
+ "vmSize": {
+ "type": "string",
+ "value": "[parameters('vmSize')]"
+ }
+ }
+}
+```
+
+The _createUiDefinition.json_ file for this example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "vmSize",
+ "type": "Microsoft.Compute.SizeSelector",
+ "label": "VM Size",
+ "toolTip": "Select a virtual machine size",
+ "recommendedSizes": [
+ "Standard_D1"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D1",
+ "Standard_D2",
+ "Standard_D3"
+ ]
+ },
+ "osPlatform": "Windows",
+ "visible": true
+ }
+ ],
+ "steps": [],
+ "outputs": {
+ "location": "[location()]",
+ "vmSize": "[basics('vmSize')]"
+ }
+ }
+}
+```
+
+## Next steps
+
+- To create an Azure portal user interface, see [CreateUiDefinition.json for Azure managed application's create experience](../managed-applications/create-uidefinition-overview.md).
+- To use the Create UI Definition Sandbox, see [Test your portal interface for Azure Managed Applications](../managed-applications/test-createuidefinition.md).
+- For more information about UI controls, see [CreateUiDefinition elements](../managed-applications/create-uidefinition-elements.md) and [CreateUiDefinition functions](../managed-applications/create-uidefinition-functions.md).
+- To learn more about ARM template tests, see [Default test cases for ARM template test toolkit](test-cases.md).
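Review bot: in the "Password box requires minimum length" section, the passing example's regex `^[a-zA-Z0-9]{12,}$` and its validationMessage ("contain only numbers and letters") forbid every non-alphanumeric character, so readers who copy it will ship a password box that rejects symbols and narrows what users can choose; since the test only requires a 12-character minimum, an example such as `"regex": "^.{12,}$"` with the message "Password must be at least 12 characters long" demonstrates the rule without that side effect. Also, in "Text box must use validation", "Use validation with text boxes to check for `constraints` that contain a `regex` and `message`" describes what the author should do rather than what the test checks; match the other sections with "This test checks that text boxes have `constraints` that contain a `regex` and `message`".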
azure-sql Authentication Aad Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/authentication-aad-configure.md
ms.devlang:
- Previously updated : 05/11/2021+ Last updated : 07/07/2021 # Configure and manage Azure AD authentication with Azure SQL
However, using Azure Active Directory authentication with SQL Database and Azure
> [!WARNING] > Special characters like colon `:` or ampersand `&` when included as user names in the T-SQL `CREATE LOGIN` and `CREATE USER` statements are not supported.
+> [!IMPORTANT]
+> Azure AD users and service principals (Azure AD applications) that are members of more than 2048 Azure AD security groups are not supported to login into the database via Security Groups in SQL Database, Managed Instance, or Azure Synapse.
++ To create an Azure AD-based contained database user (other than the server administrator that owns the database), connect to the database with an Azure AD identity, as a user with at least the **ALTER ANY USER** permission. Then use the following Transact-SQL syntax: ```sql
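Review bot: the new IMPORTANT note's "are not supported to login into the database via Security Groups" is ungrammatical and leaves unclear what actually fails; suggest "cannot sign in to the database through Azure AD security group membership in SQL Database, SQL Managed Instance, or Azure Synapse". It would also help readers to state what happens at the 2048-group limit (whether the connection is rejected or the group-derived permissions are not applied), since that determines how the failure shows up in diagnostics.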
azure-sql Authentication Aad Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/authentication-aad-overview.md
ms.devlang:
- Previously updated : 04/23/2020+ Last updated : 07/07/2021 # Use Azure Active Directory authentication
The following authentication methods are supported for Azure AD server principal
- Only one Azure AD administrator (a user or group) can be configured for a server in SQL Database or Azure Synapse at any time. - The addition of Azure AD server principals (logins) for SQL Managed Instance allows the possibility of creating multiple Azure AD server principals (logins) that can be added to the `sysadmin` role. - Only an Azure AD administrator for the server can initially connect to the server or managed instance using an Azure Active Directory account. The Active Directory administrator can configure subsequent Azure AD database users.
+- Azure AD users and service principals (Azure AD applications) that are members of more than 2048 Azure AD security groups are not supported to login into the database via Security Groups in SQL Database, Managed Instance, or Azure Synapse.
- We recommend setting the connection timeout to 30 seconds. - SQL Server 2016 Management Studio and SQL Server Data Tools for Visual Studio 2015 (version 14.0.60311.1April 2016 or later) support Azure Active Directory authentication. (Azure AD authentication is supported by the **.NET Framework Data Provider for SqlServer**; at least version .NET Framework 4.6). Therefore the newest versions of these tools and data-tier applications (DAC and BACPAC) can use Azure AD authentication. - Beginning with version 15.0.1, [sqlcmd utility](/sql/tools/sqlcmd-utility) and [bcp utility](/sql/tools/bcp-utility) support Active Directory Interactive authentication with Multi-Factor Authentication.
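Review bot: the added bullet repeats, word for word, the IMPORTANT note added to authentication-aad-configure.md in this same update, including the "are not supported to login into the database via Security Groups" wording; apply the same grammar fix in both places ("cannot sign in to the database through Azure AD security group membership") so the two articles don't drift, or make one of them the canonical statement and link to it from the other.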
azure-sql Service Tier Hyperscale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/service-tier-hyperscale.md
Previously updated : 3/31/2021 Last updated : 7/8/2021 # Hyperscale service tier
Hyperscale service tier is only available in [vCore model](service-tiers-vcore.m
- **Compute**:
- The Hyperscale compute unit price is per replica. The [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-benefit/) price is applied to high-availabilty and named replicas automatically. We create a primary replica and one secondary [high-availability replica](service-tier-hyperscale-replicas.md) per Hyperscale database by default. Users may adjust the total number of high-availability replicas from 0-4, depending on the needed [SLA](https://azure.microsoft.com/support/legal/sla/sql-database/).
+ The Hyperscale compute unit price is per replica. The [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-benefit/) price is applied to high-availabilty and named replicas automatically. We create a primary replica and one secondary [high-availability replica](service-tier-hyperscale-replicas.md) per Hyperscale database by default. Users may adjust the total number of high-availability replicas from 0-4, depending on the needed [SLA](https://azure.microsoft.com/support/legal/sla/azure-sql-database/).
- **Storage**:
These are the current limitations to the Hyperscale service tier as of GA. We'r
| Query Performance Insights | Query Performance Insights is currently not supported for Hyperscale databases. | | Shrink Database | DBCC SHRINKDATABASE or DBCC SHRINKFILE isn't currently supported for Hyperscale databases. | | Database integrity check | DBCC CHECKDB isn't currently supported for Hyperscale databases. DBCC CHECKFILEGROUP and DBCC CHECKTABLE may be used as a workaround. See [Data Integrity in Azure SQL Database](https://azure.microsoft.com/blog/data-integrity-in-azure-sql-database/) for details on data integrity management in Azure SQL Database. |
+| Elastic Jobs | Using a Hyperscale database as the Job database is not supported. However, elastic jobs can target Hyperscale databases in the same way as any other Azure SQL database. |
## Next steps
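Review bot: the rewritten Compute bullet only changes the SLA link and still carries the typo "high-availabilty" in "applied to high-availabilty and named replicas"; since the line is already being touched, correct it to "high-availability" in the same change. In the new Elastic Jobs row, "elastic jobs can target Hyperscale databases in the same way as any other Azure SQL database" would benefit from a link to the elastic jobs documentation, as the neighbouring limitation rows link to theirs.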
azure-sql Multi Model Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/multi-model-features.md
Last updated 12/17/2018
-# Multi-model capabilities of Azure SQL Database & SQL Managed Instance
+# Multi-model capabilities of Azure SQL Database and SQL Managed Instance
[!INCLUDE[appliesto-sqldb-sqlmi](includes/appliesto-sqldb-sqlmi.md)]
-Multi-model databases enable you to store and work with data represented in multiple data formats such as relational data, graphs, JSON/XML documents, key-value pairs, and so on.
+Multi-model databases enable you to store and work with data in multiple formats, such as relational data, graph, JSON or XML documents, spatial data, and key-value pairs.
-## When to use multi-model capabilities
+The [Azure SQL family of products](azure-sql-iaas-vs-paas-what-is-overview.md) uses a relational model that provides the best performance for a variety of general-purpose applications. However, Azure SQL products like Azure SQL Database and SQL Managed Instance are not limited to relational data. They enable you to use non-relational formats that are tightly integrated into the relational model.
-The [Azure SQL family of products](azure-sql-iaas-vs-paas-what-is-overview.md) are designed to work with the relational model that provides the best performance in the most of the cases for a variety of general-purpose applications. However, the Azure SQL family of products are not limited to relational-data only. The Azure SQL family of products enable you to use a variety of non-relational formats that are tightly integrated into the relational model.
-You should consider using multi-model capabilities of the Azure SQL family of products in the following cases:
+Consider using the multi-model capabilities of Azure SQL in the following cases:
-- You have some information or structures that are better fit for NoSQL models and you don't want to use separate NoSQL database.-- A majority of your data is suitable for relational model, and you need to model some parts of your data in NoSQL style.-- You want to leverage rich Transact-SQL language to query and analyze both relational and NoSQL data, and integrate it with a variety of tools and applications that can use SQL language.-- You want to apply database features such as [in-memory technologies](in-memory-oltp-overview.md) to improve performance of your analytic or processing of your NoSQL data structures, use [transactional replication](managed-instance/replication-transactional-overview.md) or [readable replicas](database/read-scale-out.md) to create copy of your data on the other place and offload some analytic workloads from the primary database.
+- You have some information or structures that are a better fit for NoSQL models, and you don't want to use a separate NoSQL database.
+- A majority of your data is suitable for a relational model, and you need to model some parts of your data in a NoSQL style.
+- You want to use the Transact-SQL language to query and analyze both relational and NoSQL data, and then integrate that data with tools and applications that can use the SQL language.
+- You want to apply database features such as [in-memory technologies](in-memory-oltp-overview.md) to improve the performance of your analytics or the processing of your NoSQL data structures. You can use [transactional replication](managed-instance/replication-transactional-overview.md) or [readable replicas](database/read-scale-out.md) to create copies of your data and offload some analytic workloads from the primary database.
-## Overview
+The following sections describe the most important multi-model capabilities of Azure SQL.
-The Azure SQL family of products provide the following multi-model features:
--- [Graph features](#graph-features) enable you to represent your data as set of nodes and edges, and use standard Transact-SQL queries enhanced with graph `MATCH` operator to query the graph data.-- [JSON features](#json-features) enable you to put JSON documents in tables, transform relational data to JSON documents and vice versa. You can use the standard Transact-SQL language enhanced with JSON functions for parsing documents, and use non clustered indexes, columnstore indexes, or memory-optimized tables, to optimize your queries.-- [Spatial features](#spatial-features) enables you to store geographical and geometrical data, index them using the spatial indexes, and retrieve the data using spatial queries.-- [XML features](#xml-features) enable you to store and index XML data in your database and use native XQuery/XPath operations to work with XML data. The Azure SQL family of products have a specialized built-in XML query engine that process XML data.-- [Key-value pairs](#key-value-pairs) are not explicitly supported as special features since key-value pairs can be natively modeled as two-column tables.-
- > [!Note]
- > You can use JSON Path expression, XQuery/XPath expressions, spatial functions, and graph-query expressions in the same Transact-SQL query to access any data that you stored in the database. Also, any tool or programming language that can execute Transact-SQL queries, can also use that query interface to access multi-model data. This is the key difference compared to the multi-model databases such as [Azure Cosmos DB](../cosmos-db/index.yml) that provides specialized API for different data models.
-
-In the following sections, you can learn about the most important multi-model capabilities of the Azure SQL family of products .
+> [!Note]
+> You can use JSONPath expressions, XQuery/XPath expressions, spatial functions, and graph query expressions in the same Transact-SQL query to access any data that you stored in the database. Any tool or programming language that can execute Transact-SQL queries can also use that query interface to access multi-model data. This is the key difference from multi-model databases such as [Azure Cosmos DB](../cosmos-db/index.yml), which provide specialized APIs for data models.
## Graph features
-The Azure SQL family of products offer graph database capabilities to model many-to-many relationships in database. A graph is a collection of nodes (or vertices) and edges (or relationships). A node represents an entity (for example, a person or an organization) and an edge represents a relationship between the two nodes that it connects (for example, likes or friends). Here are some features that make a graph database unique:
+Azure SQL products offer graph database capabilities to model many-to-many relationships in a database. A graph is a collection of nodes (or vertices) and edges (or relationships). A node represents an entity (for example, a person or an organization). An edge represents a relationship between the two nodes that it connects (for example, likes or friends).
+
+Here are some features that make a graph database unique:
-- Edges or relationships are first class entities in a Graph Database and can have attributes or properties associated with them.-- A single edge can flexibly connect multiple nodes in a Graph Database.
+- Edges are first-class entities in a graph database. They can have attributes or properties associated with them.
+- A single edge can flexibly connect multiple nodes in a graph database.
- You can express pattern matching and multi-hop navigation queries easily. - You can express transitive closure and polymorphic queries easily.
-The [graph relationships and graph query capabilities](/sql/relational-databases/graphs/sql-graph-overview) are integrated into Transact-SQL and receive the benefits of using the SQL Server database engine as the foundational database management system.
+[Graph relationships and graph query capabilities](/sql/relational-databases/graphs/sql-graph-overview) are integrated into Transact-SQL and receive the benefits of using the SQL Server database engine as the foundational database management system. Graph features use standard Transact-SQL queries enhanced with the graph `MATCH` operator to query the graph data.
-### When to use a graph capability
+A relational database can achieve anything that a graph database can. However, a graph database can make it easier to express certain queries. Your decision to choose one over the other can be based on the following factors:
-There is nothing a graph database can achieve, which cannot be achieved using a relational database. However, a graph database can make it easier to express certain queries. Your decision to choose one over the other can be based on following factors:
--- Model hierarchical data where one node can have multiple parents, so HierarchyId cannot be used-- Model has Your application has complex many-to-many relationships; as application evolves, new relationships are added.
+- You need to model hierarchical data where one node can have multiple parents, so you can't use [the hierarchyId data type](/sql/t-sql/data-types/hierarchyid-data-type-method-reference).
+- Your application has complex many-to-many relationships. As the application evolves, new relationships are added.
- You need to analyze interconnected data and relationships.
+- You want to use graph-specific T-SQL search conditions such as [SHORTEST_PATH](/sql/relational-databases/graphs/sql-graph-shortest-path).
## JSON features
-The Azure SQL family of products let you parse and query data represented in JavaScript Object Notation [(JSON)](https://www.json.org/) format, and export your relational data as JSON text.
-
-JSON is a popular data format used for exchanging data in modern web and mobile applications. JSON is also used for storing semi-structured data in log files or in NoSQL databases like [Azure Cosmos DB](https://azure.microsoft.com/services/cosmos-db/). Many REST web services return results formatted as JSON text or accept data formatted as JSON. Most Azure services such as [Azure Cognitive Search](https://azure.microsoft.com/services/search/), [Azure Storage](https://azure.microsoft.com/services/storage/), and [Azure Cosmos DB](https://azure.microsoft.com/services/cosmos-db/) have REST endpoints that return or consume JSON.
+In Azure SQL products, you can parse and query data represented in [JavaScript Object Notation (JSON)](https://www.json.org/) format, and export your relational data as JSON text. [JSON](/sql/relational-databases/json/json-data-sql-server) is a core feature of the SQL Server database engine.
+JSON features enable you to put JSON documents in tables, transform relational data into JSON documents, and transform JSON documents into relational data. You can use the standard Transact-SQL language enhanced with JSON functions for parsing documents. You can also use non-clustered indexes, columnstore indexes, or memory-optimized tables to optimize your queries.
-The Azure SQL family of products let you work with JSON data easily and integrate your database with modern services, and provides the following functions for working with JSON data:
+JSON is a popular data format for exchanging data in modern web and mobile applications. JSON is also used for storing semistructured data in log files or in NoSQL databases. Many REST web services return results formatted as JSON text or accept data formatted as JSON.
-![JSON Functions](./media/multi-model-features/image_1.png)
+Most Azure services have REST endpoints that return or consume JSON. These services include [Azure Cognitive Search](https://azure.microsoft.com/services/search/), [Azure Storage](https://azure.microsoft.com/services/storage/), and [Azure Cosmos DB](https://azure.microsoft.com/services/cosmos-db/).
-If you have JSON text, you can extract data from JSON or verify that JSON is properly formatted by using the built-in functions [JSON_VALUE](/sql/t-sql/functions/json-value-transact-sql), [JSON_QUERY](/sql/t-sql/functions/json-query-transact-sql), and [ISJSON](/sql/t-sql/functions/isjson-transact-sql). The [JSON_MODIFY](/sql/t-sql/functions/json-modify-transact-sql) function lets you update value inside JSON text. For more advanced querying and analysis, [OPENJSON](/sql/t-sql/functions/openjson-transact-sql) function can transform an array of JSON objects into a set of rows. Any SQL query can be executed on the returned result set. Finally, there is a [FOR JSON](/sql/relational-databases/json/format-query-results-as-json-with-for-json-sql-server) clause that lets you format data stored in your relational tables as JSON text.
+If you have JSON text, you can extract data from JSON or verify that JSON is properly formatted by using the built-in functions [JSON_VALUE](/sql/t-sql/functions/json-value-transact-sql), [JSON_QUERY](/sql/t-sql/functions/json-query-transact-sql), and [ISJSON](/sql/t-sql/functions/isjson-transact-sql). The other functions are:
-For more information, see [How to work with JSON data](database/json-features.md).
-[JSON](/sql/relational-databases/json/json-data-sql-server) is a core SQL Server database engine feature.
+- [JSON_MODIFY](/sql/t-sql/functions/json-modify-transact-sql): Lets you update values inside JSON text.
+- [OPENJSON](/sql/t-sql/functions/openjson-transact-sql): Can transform an array of JSON objects into a set of rows, for more advanced querying and analysis. Any SQL query can be executed on the returned result set.
+- [FOR JSON](/sql/relational-databases/json/format-query-results-as-json-with-for-json-sql-server): Lets you format data stored in your relational tables as JSON text.
-### When to use a JSON capability
+![Diagram that illustrates JSON functions.](./media/multi-model-features/image_1.png)
-Document models can be used instead of the relational models in some specific scenarios:
+For more information, see [How to work with JSON data](database/json-features.md).
-- High-normalization of schema doesn't bring significant benefits because you access all the fields of the objects at once, or you never update normalized parts of the objects. However, the normalized model increases the complexity of your queries due to the large number of tables that you need to join to get the data.-- You are working with the applications that natively use JSON documents are communication or data models, and you don't want to introduce additional layers that transforms relational data to JSON and vice versa.-- You need to simplify your data model by de-normalizing child tables or Entity-Object-Value patterns.-- You need to load or export data stored in JSON format without some additional tool that parses the data.-
-## Spatial features
+You can use document models instead of the relational models in some specific scenarios:
-Spatial data represents information about the physical location and shape of geometric objects. These objects can be point locations or more complex objects such as countries/regions, roads, or lakes.
+- High normalization of the schema doesn't bring significant benefits because you access all the fields of the objects at once, or you never update normalized parts of the objects. However, the normalized model increases the complexity of your queries because you need to join a large number of tables to get the data.
+- You're working with applications that natively use JSON documents for communication or data models, and you don't want to introduce more layers that transform relational data into JSON and vice versa.
+- You need to simplify your data model by denormalizing child tables or Entity-Object-Value patterns.
+- You need to load or export data stored in JSON format without an additional tool that parses the data.
- The two supported spatial data types:
+## XML features
-- The geometry type represents data in a Euclidean (flat) coordinate system.-- The geography type represents data in a round-earth coordinate system.
+XML features enable you to store and index XML data in your database and use native XQuery/XPath operations to work with XML data. Azure SQL products have a specialized, built-in XML data type and query functions that process XML data.
-There are a number of Spatial objects that can be used in the Azure SQL family of products let you parse and query data represented in JavaScript Object Notation [(JSON)](https://www.json.org/) format, and export your relational data as JSON text.
-such as [Point](/sql/relational-databases/spatial/point), [LineString](/sql/relational-databases/spatial/linestring),
-[Polygon](/sql/relational-databases/spatial/polygon), and so on.
+The SQL Server database engine provides a powerful platform for developing applications to manage semistructured data. [Support for XML](/sql/relational-databases/xml/xml-data-sql-server) is integrated into all the components of the database engine and includes:
-The Azure SQL family of products also provide specialized [Spatial indexes](/sql/relational-databases/spatial/spatial-indexes-overview) that can be used to improve performance of your spatial queries.
+- The ability to store XML values natively in an XML data-type column that can be typed according to a collection of XML schemas or left untyped. You can index the XML column.
+- The ability to specify an XQuery query against XML data stored in columns and variables of the XML type. You can use XQuery functionalities in any Transact-SQL query that accesses a data model that you use in your database.
+- Automatic indexing of all elements in XML documents by using the [primary XML index](/sql/relational-databases/xml/xml-indexes-sql-server#primary-xml-index). Or you can specify the exact paths that should be indexed by using the [secondary XML index](/sql/relational-databases/xml/xml-indexes-sql-server#secondary-xml-indexes).
+- `OPENROWSET`, which allows the bulk loading of XML data.
+- The ability to transform relational data into XML format.
-[Spatial support](/sql/relational-databases/spatial/spatial-data-sql-server) is a core SQL Server database engine feature.
+You can use document models instead of the relational models in some specific scenarios:
-## XML features
+- High normalization of the schema doesn't bring significant benefits because you access all the fields of the objects at once, or you never update normalized parts of the objects. However, the normalized model increases the complexity of your queries because you need to join a large number of tables to get the data.
+- You're working with applications that natively use XML documents for communication or data models, and you don't want to introduce more layers that transform relational data into JSON and vice versa.
+- You need to simplify your data model by denormalizing child tables or Entity-Object-Value patterns.
+- You need to load or export data stored in XML format without an additional tool that parses the data.
-The SQL Server database engine provides a powerful platform for developing rich applications for semi-structured data management. Support for XML is integrated into all the components of the database engine and includes the following:
+## Spatial features
-- The xml data type. XML values can be stored natively in an xml data type column that can be typed according to a collection of XML schemas, or left untyped. You can index the XML column.-- The ability to specify an XQuery query against XML data stored in columns and variables of the xml type. XQuery functionalities can be used in any Transact-SQL query that access any data model that you use in your database.-- Automatically index all elements in XML documents using [primary XML index](/sql/relational-databases/xml/xml-indexes-sql-server#primary-xml-index) or specify the exact paths that should be indexed using [secondary XML index](/sql/relational-databases/xml/xml-indexes-sql-server#secondary-xml-indexes).-- OPENROWSET that allows bulk loading of XML data.-- Transform relational data to XML format.
+Spatial data represents information about the physical location and shape of objects. These objects can be point locations or more complex objects such as countries/regions, roads, or lakes.
-[XML](/sql/relational-databases/xml/xml-data-sql-server) is a core SQL Server database engine feature.
+Azure SQL supports two spatial data types:
-### When to use an XML capability
+- The geometry type represents data in a Euclidean (flat) coordinate system.
+- The geography type represents data in a round-earth coordinate system.
-Document models can be used instead of the relational models in some specific scenarios:
+Spatial features in Azure SQL enable you to store geometrical and geographical data. You can use spatial objects in Azure SQL to parse and query data represented in JSON format, and export your relational data as JSON text. These spatial objects include [Point](/sql/relational-databases/spatial/point), [LineString](/sql/relational-databases/spatial/linestring), and [Polygon](/sql/relational-databases/spatial/polygon). Azure SQL also provides specialized [spatial indexes](/sql/relational-databases/spatial/spatial-indexes-overview) that you can use to improve the performance of your spatial queries.
-- High-normalization of schema doesn't bring significant benefits because you access all the fields of the objects at once, or you never update normalized parts of the objects. However, the normalized model increases the complexity of your queries due to the large number of tables that you need to join to get the data.-- You are working with the applications that natively use XML documents are communication or data models, and you don't want to introduce additional layers that transforms relational data to XML and vice versa.-- You need to simplify your data model by de-normalizing child tables or Entity-Object-Value patterns.-- You need to load or export data stored in XML format without some additional tool that parses the data.
+[Spatial support](/sql/relational-databases/spatial/spatial-data-sql-server) is a core feature of the SQL Server database engine.
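Review bot: the rewritten spatial paragraph (`+Spatial features in Azure SQL enable you to store geometrical and geographical data. You can use spatial objects in Azure SQL to parse and query data represented in JSON format, and export your relational data as JSON text.`) keeps the JSON-section sentence that had already leaked into the removed line `-There are a number of Spatial objects that can be used in the Azure SQL family of products let you parse and query data represented in JavaScript Object Notation ...`; spatial objects do not parse or export JSON, so that second sentence should be dropped or replaced by what Point, LineString and Polygon represent within the geometry and geography types listed just above. The XML "when to use" list has the same copy-and-paste slip: `+- You're working with applications that natively use XML documents for communication or data models, and you don't want to introduce more layers that transform relational data into JSON and vice versa.` should say "into XML and vice versa", as the removed bullet did.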
## Key-value pairs
-The Azure SQL family of products don't have specialized types or structures that support key-value pairs since key-value structures can be natively represented as standard relational tables:
+Azure SQL products don't have specialized types or structures that support key-value pairs, because key-value structures can be natively represented as standard relational tables:
```sql CREATE TABLE Collection (
CREATE TABLE Collection (
) ```
-You can customize this key-value structure to fit your needs without any constraints. As an example, the value can be XML document instead of `nvarchar(max)` type, if the value is JSON document, you can put `CHECK` constraint that verifies the validity of JSON content. You can put any number of values related to one key in the additional columns, add computed columns and indexes to simplify and optimize data access, define the table as memory/optimized schema-only table to get better performance, etc.
+You can customize this key-value structure to fit your needs without any constraints. As an example, the value can be an XML document instead of the `nvarchar(max)` type. If the value is a JSON document, you can use a `CHECK` constraint that verifies the validity of JSON content. You can put any number of values related to one key in the additional columns. For example:
+
+- Add computed columns and indexes to simplify and optimize data access.
+- Define the table as a memory-optimized, schema-only table to get better performance.
-See [how BWin is using In-Memory OLTP to achieve unprecedented performance and scale](/archive/blogs/sqlcat/how-bwin-is-using-sql-server-2016-in-memory-oltp-to-achieve-unprecedented-performance-and-scale) for their ASP.NET caching solution that achieved 1.200.000 batches per seconds, as an example how relational model can be effectively used as key-value pair solution in practice.
+For an example of how a relational model can be effectively used as a key-value pair solution in practice, see [How bwin is using SQL Server 2016 In-Memory OLTP to achieve unprecedented performance and scale](/archive/blogs/sqlcat/how-bwin-is-using-sql-server-2016-in-memory-oltp-to-achieve-unprecedented-performance-and-scale). In this case study, bwin used a relational model for its ASP.NET caching solution to achieve 1.2 million batches per second.
## Next steps
-Multi-model capabilities in the Azure SQL family of products are also the core SQL Server database engine features that are shared among the Azure SQL family of products. To learn more details about these features, visit the SQL Relational database documentation pages:
+Multi-model capabilities are core SQL Server database engine features that are shared among Azure SQL products. To learn more about these features, see these articles:
-- [Graph processing](/sql/relational-databases/graphs/sql-graph-overview)-- [JSON data](/sql/relational-databases/json/json-data-sql-server)-- [Spatial support](/sql/relational-databases/spatial/spatial-data-sql-server)-- [XML data](/sql/relational-databases/xml/xml-data-sql-server)
+- [Graph processing with SQL Server and Azure SQL Database](/sql/relational-databases/graphs/sql-graph-overview)
+- [JSON data in SQL Server](/sql/relational-databases/json/json-data-sql-server)
+- [Spatial data in SQL Server](/sql/relational-databases/spatial/spatial-data-sql-server)
+- [XML data in SQL Server](/sql/relational-databases/xml/xml-data-sql-server)
+- [Key-value store performance in Azure SQL Database](https://devblogs.microsoft.com/azure-sql/azure-sql-database-as-a-key-value-store/)
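Review bot: in the key-value rewrite, `+You can put any number of values related to one key in the additional columns. For example:` is followed by bullets (computed columns and indexes; a memory-optimized, schema-only table) that are not examples of extra value columns but separate customization options, so the lead-in should be something like "You can also:". The sentence `+If the value is a JSON document, you can use a `CHECK` constraint that verifies the validity of JSON content.` would be more useful if it named the function that such a constraint calls, and the page already introduces it: ISJSON, described above as verifying that JSON is properly formatted. Stating that keeps the key-value table from silently accepting malformed JSON that only fails later at query time.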
azure-video-analyzer Analyze Live Video Custom Vision https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/analyze-live-video-custom-vision.md
After you're finished, you can export the model to a Docker container by using t
This command checks if the new image is in your local registry. ## Set up your development environment+ [!INCLUDE [setup development environment](./includes/set-up-dev-environment/csharp/csharp-set-up-dev-env.md)]+ ## Examine the sample files
After you're finished, you can export the model to a Docker container by using t
1. `"topologyName" : "InferencingWithHttpExtension"` 2. Add the following to the top of the parameters array: `{"name": "inferencingUrl","value": "http://cv/score"},` 3. Change the `rtspUrl` parameter value to `"rtsp://rtspsim:554/media/t2.mkv"`.
-4. Under `livePipelineDelete`, ensure `"name": "InferencingWithHttpExtension"`.
+4. Under `pipelineTopologyDelete`, ensure `"name": "InferencingWithHttpExtension"`.
5. Right-click the src/edge/ deployment.customvision.template.json file, and select **Generate IoT Edge Deployment Manifest**. ![Screenshot that shows Generate IoT Edge Deployment Manifest.](./media/custom-vision/deployment-template-json.png)
azure-vmware Connect Multiple Private Clouds Same Region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/connect-multiple-private-clouds-same-region.md
The AVS Interconnect (Preview) feature is available in all regions except for So
:::image type="content" source="media/networking/add-connection-to-other-private-cloud-notification.png" alt-text="Screenshot showing the Notification information for connection in progress and an existing connection." border="true":::
- You'll' see all of your connections under **AVS Private Cloud**.
+ You'll see all of your connections under **AVS Private Cloud**.
:::image type="content" source="media/networking/private-cloud-to-private-cloud-two-connections.png" alt-text="Screenshot showing the AVS Interconnect tab under Connectivity and two established private cloud connections." border="true" lightbox="media/networking/private-cloud-to-private-cloud-two-connections.png":::
azure-vmware Deploy Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/deploy-azure-vmware-solution.md
Title: Deploy and configure Azure VMware Solution
description: Learn how to use the information gathered in the planning stage to deploy and configure the Azure VMware Solution private cloud. Previously updated : 05/19/2021 Last updated : 07/09/2021 # Deploy and configure Azure VMware Solution
The diagram shows the deployment workflow of Azure VMware Solution.
## Step 3. Connect to Azure Virtual Network with ExpressRoute
-In the planning phase, you defined whether you to use an *existing* or *new* ExpressRoute virtual network gateway.
+In the planning phase, you defined whether to use an *existing* or *new* ExpressRoute virtual network gateway.
+ ### Use a new ExpressRoute virtual network gateway
In the planning phase, you defined whether you to use an *existing* or *new* Exp
| If | Then | | | |
-| You don't already have a virtual network... | Create the following:<ul><li><a href="tutorial-configure-networking.md#create-a-virtual-network">Virtual network</a></li><li><a href="../expressroute/expressroute-howto-add-gateway-portal-resource-manager.md#create-the-gateway-subnet">GatewaySubnet</a></li><li><a href="tutorial-configure-networking.md#create-a-virtual-network-gateway">Virtual network gateway</a></li></ul> |
-| You already have a virtual network **without** a GatewaySubnet... | Create the following: <ul><li><a href="../expressroute/expressroute-howto-add-gateway-portal-resource-manager.md#create-the-gateway-subnet">GatewaySubnet</a></li><li><a href="tutorial-configure-networking.md#create-a-virtual-network-gateway">Virtual network gateway</a></li></ul> |
-| You already have a virtual network **with** a GatewaySubnet... | [Create a virtual network gateway](tutorial-configure-networking.md#create-a-virtual-network-gateway) |
+| You don't already have a virtual network... | Create the following:<ol><li><a href="tutorial-configure-networking.md#create-a-virtual-network">Virtual network</a></li><li><a href="../expressroute/expressroute-howto-add-gateway-portal-resource-manager.md#create-the-gateway-subnet">GatewaySubnet</a></li><li><a href="tutorial-configure-networking.md#create-a-virtual-network-gateway">Virtual network gateway</a></li><li><a href="tutorial-configure-networking.md#connect-expressroute-to-the-virtual-network-gateway">Connect ExpressRoute to the gateway</a></li></ol> |
+| You already have a virtual network **without** a GatewaySubnet... | Create the following: <ol><li><a href="../expressroute/expressroute-howto-add-gateway-portal-resource-manager.md#create-the-gateway-subnet">GatewaySubnet</a></li><li><a href="tutorial-configure-networking.md#create-a-virtual-network-gateway">Virtual network gateway</a></li><li><a href="tutorial-configure-networking.md#connect-expressroute-to-the-virtual-network-gateway">Connect ExpressRoute to the gateway</a></li></ol> |
+| You already have a virtual network **with** a GatewaySubnet... | Create the following: <ol><li><a href="tutorial-configure-networking.md#create-a-virtual-network-gateway">Virtual network gateway</a></li><li><a href="tutorial-configure-networking.md#connect-expressroute-to-the-virtual-network-gateway">Connect ExpressRoute to the gateway</a></li></ol> |
### Use an existing virtual network gateway
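Review bot: with the added `<li><a href="tutorial-configure-networking.md#connect-expressroute-to-the-virtual-network-gateway">Connect ExpressRoute to the gateway</a></li>` item, the lead-in "Create the following:" in all three table rows no longer matches the last list entry, which is a connection step rather than a resource to create; change the lead-in to "Do the following:" or move the connect step into prose below the table. Switching `<ul>` to `<ol>` is the right call since the items are now sequential, but that makes the mismatch more visible.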
backup Back Up Hyper V Virtual Machines Mabs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/back-up-hyper-v-virtual-machines-mabs.md
Title: Back up Hyper-V virtual machines with MABS description: This article contains the procedures for backing up and recovery of virtual machines using Microsoft Azure Backup Server (MABS). Previously updated : 04/20/2021 Last updated : 07/09/2021 # Back up Hyper-V virtual machines with Azure Backup Server
These are the prerequisites for backing up Hyper-V virtual machines with MABS:
|Prerequisite|Details| ||-|
-|MABS prerequisites|- If you want to perform item-level recovery for virtual machines (recover files, folders, volumes), then you'll need to install the Hyper-V role on the MABS server. If you only want to recover the virtual machine and not item-level, then the role isn't required.<br />- You can protect up to 800 virtual machines of 100 GB each on one MABS server and allow multiple MABS servers that support larger clusters.<br />- MABS excludes the page file from incremental backups to improve virtual machine backup performance.<br />- MABS can back up a Hyper-V server or cluster in the same domain as the MABS server, or in a child or trusted domain. If you want to back up Hyper-V in a workgroup or an untrusted domain, you'll need to set up authentication. For a single Hyper-V server, you can use NTLM or certificate authentication. For a cluster, you can use certificate authentication only.<br />- Using host-level backup to back up virtual machine data on passthrough disks isn't supported. In this scenario, we recommend you use host-level backup to back up VHD files and guest-level backup to back up the other data that isn't visible on the host.<br /> -You can back up VMs stored on deduplicated volumes.|
+|MABS prerequisites|- If you want to perform item-level recovery for virtual machines (recover files, folders, volumes), then you'll need to have the Hyper-V role enabled on the MABS server (the Hyper-V role gets installed by default during the installation of MABS). If you only want to recover the virtual machine and not item-level, then the role isn't required.<br />- You can protect up to 800 virtual machines of 100 GB each on one MABS server and allow multiple MABS servers that support larger clusters.<br />- MABS excludes the page file from incremental backups to improve virtual machine backup performance.<br />- MABS can back up a Hyper-V server or cluster in the same domain as the MABS server, or in a child or trusted domain. If you want to back up Hyper-V in a workgroup or an untrusted domain, you'll need to set up authentication. For a single Hyper-V server, you can use NTLM or certificate authentication. For a cluster, you can use certificate authentication only.<br />- Using host-level backup to back up virtual machine data on passthrough disks isn't supported. In this scenario, we recommend you use host-level backup to back up VHD files and guest-level backup to back up the other data that isn't visible on the host.<br /> -You can back up VMs stored on deduplicated volumes.|
|Hyper-V VM prerequisites|- The version of Integration Components that's running on the virtual machine should be the same as the version of the Hyper-V host. <br />- For each virtual machine backup you'll need free space on the volume hosting the virtual hard disk files to allow Hyper-V enough room for differencing disks (AVHD's) during backup. The space must be at least equal to the calculation **Initial disk size\*Churn rate\*Backup** window time. If you're running multiple backups on a cluster, you'll need enough storage capacity to accommodate the AVHDs for each of the virtual machines using this calculation.<br />- To back up virtual machines located on Hyper-V host servers running Windows Server 2012 R2, the virtual machine should have a SCSI controller specified, even if it's not connected to anything. (In Windows Server 2012 R2 backup, the Hyper-V host mounts a new VHD in the VM and then later dismounts it. Only the SCSI controller can support this and therefore is required for online backup of the virtual machine. Without this setting, event ID 10103 will be issued when you try to back up the virtual machine.)| |Linux prerequisites|- You can back up Linux virtual machines using MABS. Only file-consistent snapshots are supported.| |Back up VMs with CSV storage|- For CSV storage, install the Volume Shadow Copy Services (VSS) hardware provider on the Hyper-V server. Contact your storage area network (SAN) vendor for the VSS hardware provider.<br />- If a single node shuts down unexpectedly in a CSV cluster, MABS will perform a consistency check against the virtual machines that were running on that node.<br />- If you need to restart a Hyper-V server that has BitLocker Drive Encryption enabled on the CSV cluster, you must run a consistency check for Hyper-V virtual machines.|
When you can recover a backed up virtual machine, you use the Recovery wizard to
7. The **Recovery Status** screen provides information about the recovery job.
+## Restore an individual file from a Hyper-V VM
+
+You can restore individual files from a protected Hyper-V VM recovery point. This feature is only available for Windows Server VMs. Restoring individual files is similar to restoring the entire VM, except you browse into the VMDK and find the file(s) you want, before starting the recovery process. To recover an individual file or select files from a Windows Server VM:
+
+>[!Note]
+>Restoring an individual file from a Hyper-V VM is available only for Windows VM and Disk Recovery Points.
+
+1. In the MABS Administrator Console, select **Recovery** view.
+
+1. Using the **Browse** pane, browse or filter to find the VM you want to recover. Once you select a Hyper-V VM or folder, the **Recovery points for** pane displays the available recovery points.
+
+ !["Recovery points for" pane to recover files from Hyper-v VM](./media/back-up-hyper-v-virtual-machines-mabs/hyper-v-vm-rp-disk.png)
+
+1. In the **Recovery Points for** pane, use the calendar to select the date that contains the desired recovery point(s). Depending on how the backup policy has been configured, dates can have more than one recovery point. Once you've selected the day when the recovery point was taken, make sure you've chosen the correct **Recovery time**. If the selected date has multiple recovery points, choose your recovery point by selecting it in the Recovery time drop-down menu. Once you chose the recovery point, the list of recoverable items appears in the Path pane.
+
+1. To find the files you want to recover, in the **Path** pane, double-click the item in the Recoverable item column to open it. Select the file, files, or folders you want to recover. To select multiple items, press the **Ctrl** key while selecting each item. Use the **Path** pane to search the list of files or folders appearing in the **Recoverable Item** column.**Search list below** doesn't search into subfolders. To search through subfolders, double-click the folder. Use the Up button to move from a child folder into the parent folder. You can select multiple items (files and folders), but they must be in the same parent folder. You can't recover items from multiple folders in the same recovery job.
+
+ ![Review Recovery Selection in Hyper-v VM](./media/back-up-hyper-v-virtual-machines-mabs/hyper-v-vm-rp-disk-ilr-2.png)
+
+1. Once you've selected the item(s) for recovery, in the Administrator Console tool ribbon, select **Recover** to open the **Recovery Wizard**. In the Recovery Wizard, the **Review Recovery Selection** screen shows the selected items to be recovered.
+
+1. On the **Specify Recovery Options** screen, if you want to enable network bandwidth throttling, select **Modify**. To leave network throttling disabled, select **Next**. No other options on this wizard screen are available for VMware VMs. If you choose to modify the network bandwidth throttle, in the Throttle dialog, select **Enable network bandwidth usage throttling** to turn it on. Once enabled, configure the **Settings** and **Work Schedule**.
+
+1. On the **Select Recovery Type** screen, select **Next**. You can only recover your file(s) or folder(s) to a network folder.
+
+1. On the **Specify Destination** screen, select **Browse** to find a network location for your files or folders. MABS creates a folder where all recovered items are copied. The folder name has the prefix, MABS_day-month-year. When you select a location for the recovered files or folder, the details for that location (Destination, Destination path, and available space) are provided.
+
+ ![Specify location to recover files from Hyper-v VM](./media/back-up-hyper-v-virtual-machines-mabs/hyper-v-vm-specify-destination.png)
+
+1. On the **Specify Recovery Options** screen, choose which security setting to apply. You can opt to modify the network bandwidth usage throttling, but throttling is disabled by default. Also, **SAN Recovery** and **Notification** aren't enabled.
+
+1. On the **Summary** screen, review your settings and select **Recover** to start the recovery process. The **Recovery status** screen shows the progression of the recovery operation.
+ ## Next steps [Recover data from Azure Backup Server](./backup-azure-alternate-dpm-server.md)
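Review bot: the new "Restore an individual file from a Hyper-V VM" section still carries wording from the VMware VM procedure: `+... except you browse into the VMDK and find the file(s) you want, ...` should refer to the VHD/VHDX (the prerequisites table above already talks about VHD files and AVHDs), and `+... No other options on this wizard screen are available for VMware VMs.` should say Hyper-V VMs. The **Specify Recovery Options** screen appears twice in the numbered procedure (step 6 and step 10) with different contents; verify the actual wizard flow and keep one. Step 10's "choose which security setting to apply" does not say what the choices are or how they affect the permissions on the restored files, which is exactly what an operator restoring into a shared network folder needs to know; list the options and their effect. Minor: the added `+>[!Note]` text restates the "only available for Windows Server VMs" sentence from the paragraph just above, so one of the two can go.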
backup Backup Azure Dataprotection Use Rest Api Backup Blobs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-dataprotection-use-rest-api-backup-blobs.md
+
+ Title: Back up blobs in a storage account using Azure Data Protection REST API.
+description: In this article, learn how to configure, initiate, and manage backup operations of blobs using REST API.
+ Last updated : 07/09/2021
+ms.assetid: 7c244b94-d736-40a8-b94d-c72077080bbe
++
+# Back up blobs in a storage account using Azure Data Protection via REST API
+
+This article describes how to manage backups for blobs in a storage account via REST API. Backup of blobs is configured at the storage account level. So, all blobs in the storage account are protected with operational backup.
+
+For information on the Azure blob region availability, supported scenarios and limitations, see the [support matrix](blob-backup-support-matrix.md).
+
+## Prerequisites
+
+- [Create a Backup vault](backup-azure-dataprotection-use-rest-api-create-update-backup-vault.md)
+
+- [Create a blob backup policy](backup-azure-dataprotection-use-rest-api-create-update-blob-policy.md)
+
+## Configure backup
+
+Once the vault and policy are created, there are two critical points that the user needs to consider to protect all Azure blobs within a storage account.
+
+### Key entities involved
+
+#### Storage account which contains the blobs to be protected
+
+Fetch the Azure Resource Manager ID of the storage account which contains the blobs to be protected. This will serve as the identifier of the storage account. We will use an example of a storage account named _msblobbackup_, under the resource group _RG-BlobBackup_, in a different subscription and in west US.
+
+```http
+"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/RG-BlobBackup/providers/Microsoft.Storage/storageAccounts/msblobbackup"
+```
+
+#### Backup vault
+
+The Backup vault requires permissions on the storage account to enable backups on blobs present within the storage account. The system-assigned managed identity of the vault is used for assigning such permissions. We will use an example of a backup vault called "testBkpVault" in "West US" region under "TestBkpVaultRG" resource group.
+
+### Assign permissions
+
+You need to assign a few permissions via RBAC to vault (represented by vault MSI) and the relevant storage account. These can be performed via Portal or PowerShell or REST API. Learn more about all [related permissions](blob-backup-configure-manage.md#grant-permissions-to-the-backup-vault-on-storage-accounts).
+
+### Prepare the request to configure backup
+
+Once the relevant permissions are set to the vault and storage account, and the vault and policy are configured, we can prepare the request to configure backup. The following is the request body to configure backup for all blobs within a storage account. The Azure Resource Manager ID (ARM ID) of the storage account and its details are mentioned in the 'datasourceinfo' section and the policy information is present in the 'policyinfo' section.
+
+```json
+{
+ "backupInstance": {
+ "dataSourceInfo": {
+ "datasourceType": "Microsoft.Storage/storageAccounts/blobServices",
+ "objectType": "Datasource",
+ "resourceID": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/RG-BlobBackup/providers/Microsoft.Storage/storageAccounts/msblobbackup",
+ "resourceLocation": "westUS",
+ "resourceName": "msblobbackup",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceUri": ""
+ },
+ "policyInfo": {
+ "policyId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupPolicies/BlobBackup-Policy"
+ },
+ "objectType": "BackupInstance"
+ }
+}
+```
+
+### Validate the request to configure backup
+
+We can validate whether the request to configure backup or not will be successful or not using [the validate for backup API](/rest/api/dataprotection/backup-instances/validate-for-backup). The response can be used by customer to perform all required pre-requisites and then submit the configuration for backup request.
+
+Validate for backup request is a POST operation and the URI has `{subscriptionId}`, `{vaultName}`, `{vaultresourceGroupName}` parameters.
+
+```http
+POST https://management.azure.com/Subscriptions/{subscriptionId}/resourceGroups/{vaultresourceGroupname}/providers/Microsoft.DataProtection/backupVaults/{backupVaultName}/validateForBackup?api-version=2021-01-01
+```
+
+For example, this translates to
+
+```http
+POST https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/validateForBackup?api-version=2021-01-01
+```
+
+The [request body](#prepare-the-request-to-configure-backup) that we prepared earlier will be used to give the details of the storage account to be protected.
+
+#### Example request body
+
+```json
+{
+ "backupInstance": {
+ "dataSourceInfo": {
+ "datasourceType": "Microsoft.Storage/storageAccounts/blobServices",
+ "objectType": "Datasource",
+ "resourceID": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/RG-BlobBackup/providers/Microsoft.Storage/storageAccounts/msblobbackup",
+ "resourceLocation": "westUS",
+ "resourceName": "msblobbackup",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceUri": ""
+ },
+ "policyInfo": {
+ "policyId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupPolicies/BlobBackup-Policy"
+ },
+ "objectType": "BackupInstance"
+ }
+}
+```
+
+#### Responses for validate backup request
+
+Validate for backup request is an [asynchronous operation](../azure-resource-manager/management/async-operations.md). It means this operation creates another operation that needs to be tracked separately.
+
+It returns two responses: 202 (Accepted) when another operation is created and then 200 (OK) when that operation completes.
+
+|Name |Type |Description |
+||||
+|202 Accepted | | The operation will be completed asynchronously |
+|200 OK | [OperationJobExtendedInfo](/rest/api/dataprotection/backup-instances/validate-for-backup#operationjobextendedinfo) | Accepted |
+| Other Status codes | [CloudError](/rest/api/dataprotection/backup-instances/validate-for-backup#clouderror) | Error response describing why the operation failed |
+
+##### Example responses for validate backup request
+
+###### Error response
+
+In case the given storage account is already protected, the response is HTTP 400 (Bad request) and clearly states that the given storage account is protected to a backup vault along with details.
+
+```http
+HTTP/1.1 400 BadRequest
+Content-Length: 999
+Content-Type: application/json
+Expires: -1
+Pragma: no-cache
+X-Content-Type-Options: nosniff
+x-ms-request-id:
+Strict-Transport-Security: max-age=31536000; includeSubDomains
+x-ms-ratelimit-remaining-subscription-writes: 1199
+x-ms-correlation-request-id: f36eb67a-8932-42a8-8aba-c5ee2443aa2e
+x-ms-routing-request-id: WESTUS:20210707T124745Z:bcd23af5-fa17-4cd0-9929-a55f141e33ce
+Cache-Control: no-cache
+Date: Wed, 07 Jul 2021 12:47:45 GMT
+X-Powered-By: ASP.NET
+
+{
+ "error": {
+ "additionalInfo": [
+ {
+ "type": "UserFacingError",
+ "info": {
+ "message": "Datasource is already protected under the Backup vault /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault.",
+ "recommendedAction": [
+ "Delete the backup instance msblobbackuptemp from the Backup vault /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault to re-protect the datasource in any other vault."
+ ],
+ "details": null,
+ "code": "UserErrorDppDatasourceAlreadyProtected",
+ "target": "",
+ "innerError": null,
+ "isRetryable": false,
+ "isUserError": false,
+ "properties": {
+ "ActivityId": "f36eb67a-8932-42a8-8aba-c5ee2443aa2e"
+ }
+ }
+ }
+ ],
+ "code": "UserErrorDppDatasourceAlreadyProtected",
+ "message": "Datasource is already protected under the Backup vault /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault.",
+ "target": null
+ }
+}
+```
+
+###### Tracking response
+
+If the datasource is unprotected, then the API proceeds for further validations and creates a tracking operation.
+
+```http
+HTTP/1.1 202 Accepted
+Content-Length: 0
+Expires: -1
+Pragma: no-cache
+Retry-After: 10
+Azure-AsyncOperation: https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzM2NDdhZDNjLTFiNGEtNDU4YS05MGJkLTQ4NThiYjRhMWFkYg==?api-version=2021-01-01
+X-Content-Type-Options: nosniff
+x-ms-request-id:
+Strict-Transport-Security: max-age=31536000; includeSubDomains
+x-ms-ratelimit-remaining-subscription-writes: 1197
+x-ms-correlation-request-id: 3e7cacb3-65cd-4b3c-8145-71fe90d57327
+x-ms-routing-request-id: CENTRALUSEUAP:20210707T124850Z:105f2105-6db1-44bf-8a34-45972a8ba861
+Cache-Control: no-cache
+Date: Wed, 07 Jul 2021 12:48:50 GMT
+Location: https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationResults/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzM2NDdhZDNjLTFiNGEtNDU4YS05MGJkLTQ4NThiYjRhMWFkYg==?api-version=2021-01-01
+X-Powered-By: ASP.NET
+```
+
+Track the resulting operation using the "Azure-AsyncOperation" header with a simple *GET* command
+
+```http
+GET https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzM2NDdhZDNjLTFiNGEtNDU4YS05MGJkLTQ4NThiYjRhMWFkYg==?api-version=2021-01-01
+
+{
+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzM2NDdhZDNjLTFiNGEtNDU4YS05MGJkLTQ4NThiYjRhMWFkYg==",
+ "name": "ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzM2NDdhZDNjLTFiNGEtNDU4YS05MGJkLTQ4NThiYjRhMWFkYg==",
+ "status": "Inprogress",
+ "startTime": "2021-07-07T12:48:50.3432229Z",
+ "endTime": "0001-01-01T00:00:00"
+}
+```
+
+It returns 200(OK) once it completes and the response body lists further requirements to be fulfilled, such as permissions.
+
+```http
+GET https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzM2NDdhZDNjLTFiNGEtNDU4YS05MGJkLTQ4NThiYjRhMWFkYg==?api-version=2021-01-01
+
+{
+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzM2NDdhZDNjLTFiNGEtNDU4YS05MGJkLTQ4NThiYjRhMWFkYg==",
+ "name": "ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzM2NDdhZDNjLTFiNGEtNDU4YS05MGJkLTQ4NThiYjRhMWFkYg==",
+ "status": "Failed",
+ "error": {
+ "additionalInfo": [
+ {
+ "type": "UserFacingError",
+ "info": {
+ "message": "Appropriate permissions to perform the operation is missing.",
+ "recommendedAction": [
+ "Grant appropriate permissions to perform this operation as mentioned at https://aka.ms/UserErrorMissingRequiredPermissions and retry the operation."
+ ],
+ "code": "UserErrorMissingRequiredPermissions",
+ "target": "",
+ "innerError": {
+ "code": "UserErrorMissingRequiredPermissions",
+ "additionalInfo": {
+ "DetailedNonLocalisedMessage": "Validate for Protection failed. Exception Message: The client 'a8b24f84-f43c-45b3-aa54-e3f6d54d31a6' with object id 'a8b24f84-f43c-45b3-aa54-e3f6d54d31a6' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/read' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/RG-BlobBackup/providers/Microsoft.Storage/storageAccounts/msblobbackup/providers/Microsoft.Authorization' or the scope is invalid. If access was recently granted, please refresh your credentials."
+ }
+ },
+ "isRetryable": false,
+ "isUserError": false,
+ "properties": {
+ "ActivityId": "3e7cacb3-65cd-4b3c-8145-71fe90d57327"
+ }
+ }
+ }
+ ],
+ "code": "UserErrorMissingRequiredPermissions",
+ "message": "Appropriate permissions to perform the operation is missing."
+ },
+ "startTime": "2021-07-07T12:48:50.3432229Z",
+ "endTime": "2021-07-07T12:49:22Z"
+}
+```
+
+If all the permissions are granted, then resubmit the validate request, track the resulting operation and it will return 200(OK) as succeeded if all the conditions are met.
+
+```http
+GET https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzlhMjk2YWM2LWRjNDMtNGRjZS1iZTU2LTRkZDNiMDhjZDlkOA==?api-version=2021-01-01
+
+{
+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzlhMjk2YWM2LWRjNDMtNGRjZS1iZTU2LTRkZDNiMDhjZDlkOA==",
+ "name": "ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzlhMjk2YWM2LWRjNDMtNGRjZS1iZTU2LTRkZDNiMDhjZDlkOA==",
+ "status": "Succeeded",
+ "startTime": "2021-07-07T13:03:54.8627251Z",
+ "endTime": "2021-07-07T13:04:06Z"
+}
+```
+
+### Configure backup request
+
+Once the request is validated, then you can submit the same to the [create backup instance API](/rest/api/dataprotection/backup-instances/create-or-update). A Backup instance represents an item protected with data protection service of Azure Backup within the backup vault. In this case, the storage account is the backup instance and you can use the same request body, which was validated above, with minor additions.
+
+You have to decide a unique name for the backup instance and hence we recommend you use a combination of the resource name and a unique identifier. We will use an example of "msblobbackup-f2df34eb-5628-4570-87b2-0331d797c67d" here and mark it as the backup instance name.
+
+To create or update the backup instance, use the following ***PUT*** operation.
+
+```http
+PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataProtection/{BkpvaultName}/backupInstances/{UniqueBackupInstanceName}?api-version=2021-01-01
+```
+
+For example, this translates to
+
+```http
+ PUT https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupInstances/msblobbackup-f2df34eb-5628-4570-87b2-0331d797c67d?api-version=2021-01-01
+```
+
+#### Create the request for configure backup
+
+To create a backup instance, following are the components of the request body
+
+|Name |Type |Description |
+||||
+|properties | [BackupInstance](/rest/api/dataprotection/backup-instances/create-or-update#backupinstance) | BackupInstanceResource properties |
+
+##### Example request for configure backup
+
+We will use the same request body that we used to validate the backup request with a unique name as we mentioned [above](#configure-backup).
+
+```json
+{
+ "name": "msblobbackup-f2df34eb-5628-4570-87b2-0331d797c67d",
+ "type": "Microsoft.DataProtection/backupvaults/backupInstances",
+ "properties": {
+ "objectType": "BackupInstance",
+ "datasourceinfo": {
+ "datasourceType": "Microsoft.Storage/storageAccounts/blobServices",
+ "objectType": "Datasource",
+ "resourceID": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/RG-BlobBackup/providers/Microsoft.Storage/storageAccounts/msblobbackup",
+ "resourceLocation": "westus",
+ "resourceName": "msblobbackup",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceUri": ""
+ },
+ "policyInfo": {
+ "policyId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupPolicies/BlobBackup-Policy"
+ }
+ }
+}
+```
+
+#### Responses to configure backup request
+
+The create backup instance request is an [asynchronous operation](../azure-resource-manager/management/async-operations.md). It means this operation creates another operation that needs to be tracked separately.
+
+It returns two responses: 201 (Created) when backup instance is created and the protection is being configured and then 200 (OK) when that configuration completes.
+
+|Name |Type |Description |
+||||
+|201 Created | [Backup instance](/rest/api/dataprotection/backup-instances/create-or-update#backupinstanceresource) | Backup instance is created and protection is being configured |
+|200 OK | [Backup instance](/rest/api/dataprotection/backup-instances/create-or-update#backupinstanceresource) | Protection is configured |
+| Other Status codes | [CloudError](/rest/api/dataprotection/backup-instances/validate-for-backup#clouderror) | Error response describing why the operation failed |
+
+##### Example responses to configure backup request
+
+Once you submit the *PUT* request to create a backup instance, the initial response is 201 (Created) with an Azure-asyncOperation header. Please note that the request body contains all the backup instance properties.
+
+```http
+HTTP/1.1 201 Created
+Content-Length: 1149
+Content-Type: application/json
+Expires: -1
+Pragma: no-cache
+Retry-After: 15
+Azure-AsyncOperation: https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzI1NWUwNmFlLTI5MjUtNDBkNy1iMjMxLTM0ZWZlMDA3NjdkYQ==?api-version=2021-01-01
+X-Content-Type-Options: nosniff
+x-ms-request-id:
+Strict-Transport-Security: max-age=31536000; includeSubDomains
+x-ms-ratelimit-remaining-subscription-writes: 1199
+x-ms-correlation-request-id: 5d9ccf1b-7ac1-456d-8ae3-36c93c0d2427
+x-ms-routing-request-id: CENTRALUSEUAP:20210707T170219Z:9e897266-5d86-4d13-b298-6561c60cf043
+Cache-Control: no-cache
+Date: Wed, 07 Jul 2021 17:02:18 GMT
+Server: Microsoft-IIS/10.0
+X-Powered-By: ASP.NET
+
+{
+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupInstances/msblobbackup-f2df34eb-5628-4570-87b2-0331d797c67d",
+ "name": "msblobbackup-f2df34eb-5628-4570-87b2-0331d797c67d",
+ "type": "Microsoft.DataProtection/backupVaults/backupInstances",
+ "properties": {
+ "friendlyName": "msblobbackup",
+ "dataSourceInfo": {
+ "resourceID": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/RG-BlobBackup/providers/Microsoft.Storage/storageAccounts/msblobbackup",
+ "resourceUri": "",
+ "datasourceType": "Microsoft.Storage/storageAccounts/blobServices",
+ "resourceName": "msblobbackup",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceLocation": "westus",
+ "objectType": "Datasource"
+ },
+ "policyInfo": {
+ "policyId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupPolicies/BlobBackup-Policy"
+ },
+ "protectionStatus": {
+ "status": "ConfiguringProtection"
+ },
+ "currentProtectionState": "ConfiguringProtection",
+ "provisioningState": "Provisioning",
+ "objectType": "BackupInstance"
+ }
+}
+```
+
+Then track the resulting operation using the Azure-AsyncOperation header with a simple *GET* command.
+
+```http
+GET https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzI1NWUwNmFlLTI5MjUtNDBkNy1iMjMxLTM0ZWZlMDA3NjdkYQ==?api-version=2021-01-01
+```
+
+Once the operation completes, it returns 200 (OK) with the success message in the response body.
+
+```json
+{
+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzI1NWUwNmFlLTI5MjUtNDBkNy1iMjMxLTM0ZWZlMDA3NjdkYQ==",
+ "name": "ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzI1NWUwNmFlLTI5MjUtNDBkNy1iMjMxLTM0ZWZlMDA3NjdkYQ==",
+ "status": "Succeeded",
+ "startTime": "2021-07-07T17:02:19.0611871Z",
+ "endTime": "2021-07-07T17:02:20Z"
+}
+```
+
+> [!IMPORTANT]
+> Once a storage account is configured for blobs backup, a few capabilities are affected, such as change feed and delete lock. [Learn more](blob-backup-configure-manage.md#effects-on-backed-up-storage-accounts).
+
+### Stop protection and delete data
+
+To remove the protection on a storage account and delete the backup data as well, perform a delete operation as detailed [here](/rest/api/dataprotection/backup-instances/delete).
+
+Stopping protection and deleting data is a *DELETE* operation.
+
+```http
+DELETE https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataProtection/backupVaults/{vaultName}/backupInstances/{backupInstanceName}?api-version=2021-01-01
+```
+
+For our example, this translates to:
+
+```http
+DELETE "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupInstances/msblobbackup-f2df34eb-5628-4570-87b2-0331d797c67d?api-version=2021-01-01"
+```
+
+#### Responses for delete protection
+
+*DELETE* protection is an [asynchronous operation](../azure-resource-manager/management/async-operations.md). It means this operation creates another operation that needs to be tracked separately.
+
+It returns two responses: 202 (Accepted) when another operation is created and then 200 (OK) when that operation completes.
+
+|Name |Type |Description |
+||||
+|200 OK | | Status of delete request |
+|202 Accepted | | Accepted |
+
+##### Example responses for delete protection
+
+Once you submit the *DELETE* request, the initial response will be 202 Accepted along with an Azure-asyncOperation header.
+
+```http
+HTTP/1.1 202 Accepted
+Content-Length: 0
+Expires: -1
+Pragma: no-cache
+Retry-After: 30
+Azure-AsyncOperation: https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzE1ZjM4YjQ5LWZhMGQtNDMxOC1iYjQ5LTExMDJjNjUzNjM5Zg==?api-version=2021-01-01
+X-Content-Type-Options: nosniff
+x-ms-request-id:
+Strict-Transport-Security: max-age=31536000; includeSubDomains
+x-ms-ratelimit-remaining-subscription-deletes: 14999
+x-ms-correlation-request-id: fee7a361-b1b3-496d-b398-60fed030d5a7
+x-ms-routing-request-id: CENTRALUSEUAP:20210708T071330Z:5c3a9f3e-53aa-4d5d-bf9a-20de5601b090
+Cache-Control: no-cache
+Date: Thu, 08 Jul 2021 07:13:29 GMT
+Location: https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationResults/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzE1ZjM4YjQ5LWZhMGQtNDMxOC1iYjQ5LTExMDJjNjUzNjM5Zg==?api-version=2021-01-01
+X-Powered-By: ASP.NET
+```
+
+Track the Azure-AsyncOperation header with a simple *GET* request. When the request is successful it returns 200 OK with a success status response.
+
+```http
+GET "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzE1ZjM4YjQ5LWZhMGQtNDMxOC1iYjQ5LTExMDJjNjUzNjM5Zg==?api-version=2021-01-01"
+
+{
+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzE1ZjM4YjQ5LWZhMGQtNDMxOC1iYjQ5LTExMDJjNjUzNjM5Zg==",
+ "name": "ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzE1ZjM4YjQ5LWZhMGQtNDMxOC1iYjQ5LTExMDJjNjUzNjM5Zg==",
+ "status": "Succeeded",
+ "startTime": "2021-07-08T07:13:30.23815Z",
+ "endTime": "2021-07-08T07:13:46Z"
+}
+```
+
+## Next steps
+
+[Restore data from an Azure Blob backup](backup-azure-arm-userestapi-restoreazurevms.md).
+
+For more information on the Azure Backup REST APIs, see the following documents:
+
+- [Azure Data Protection Provider REST API](/rest/api/dataprotection/)
+- [Get started with Azure REST API](/rest/api/azure/)
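Review bot: the PUT URI template `PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataProtection/{BkpvaultName}/backupInstances/{UniqueBackupInstanceName}?api-version=2021-01-01` drops the `backupVaults/` segment that the worked example two lines below includes; make it `.../providers/Microsoft.DataProtection/backupVaults/{vaultName}/backupInstances/{backupInstanceName}?api-version=2021-01-01` so it matches the DELETE template later in the same file. Related consistency problems in this region: the validate section says the URI has `{subscriptionId}`, `{vaultName}`, `{vaultresourceGroupName}` but the template uses `{vaultresourceGroupname}` and `{backupVaultName}`; the create-backup-instance request body uses `datasourceinfo` where every other body and the 201 response use `dataSourceInfo`; the DELETE example is quoted and omits the `https://management.azure.com` host that every other example carries; and the "[above](#configure-backup)" link does not resolve because the heading is "Configure backup request". The validate sentence reads "whether the request to configure backup or not will be successful or not" (duplicated "or not"). In "Next steps", "Restore data from an Azure Blob backup" points at `backup-azure-arm-userestapi-restoreazurevms.md`, a VM restore article, while this same commit adds `backup-azure-dataprotection-use-rest-api-restore-blobs.md`. On the samples: the `DetailedNonLocalisedMessage` text carries what looks like a real service principal object id (`a8b24f84-f43c-45b3-aa54-e3f6d54d31a6`); mask it the way subscription ids are masked elsewhere in the file. That same failed-validation sample shows exactly which action was checked (`Microsoft.Authorization/roleAssignments/read` over the storage account scope); naming it beside the "related permissions" link at the top would let readers verify a least-privilege assignment before calling validate.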
backup Backup Azure Dataprotection Use Rest Api Create Update Backup Vault https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-dataprotection-use-rest-api-create-update-backup-vault.md
+
+ Title: Create Azure Backup policy for blobs using REST API.
+description: In this article, learn how to create a policy to back up blobs in a storage account using REST API.
+ Last updated : 07/09/2021
+ms.assetid: 93861379-5bec-4ed5-95d2-46f534a115fd
+
+# Create Azure Backup vault using REST API
+
+Azure Backup's new Data Protection platform provides enhanced capabilities for backup and restore for newer workloads such as blobs in storage accounts, managed disk and PostGre SQL server's PaaS platform. It aims to minimize management overhead while making it easy for organizing backups. A 'Backup vault' is the cornerstone of the Data protection platform and this is different from the 'Recovery Services' vault.
+
+The steps to create an Azure Backup vault using REST API are outlined in [create vault REST API](/rest/api/dataprotection/backup-vaults/create-or-update) documentation. Let's use this document as a reference to create a vault called "testBkpVault" in "West US" and under 'TestBkpVaultRG' resource group.
+
+To create or update an Azure Backup vault, use the following *PUT* operation.
+
+```http
+PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataProtection/testBkpVault?api-version=2021-01-01
+```
+
+## Create a request
+
+To create the *PUT* request, the `{subscription-id}` parameter is required. If you have multiple subscriptions, see [Working with multiple subscriptions](/cli/azure/manage-azure-subscriptions-azure-cli). You define a `{resourceGroupName}` and `{vaultName}` for your resources, along with the `api-version` parameter. This article uses `api-version=2021-01-01`.
+
+The following headers are required:
+
+| Request header | Description |
+||--|
+| *Content-Type:* | Required. Set to `application/json`. |
+| *Authorization:* | Required. Set to a valid `Bearer` [access token](/rest/api/azure/#authorization-code-grant-interactive-clients). |
+
+For more information about how to create the request, see [Components of a REST API request/response](/rest/api/azure/#components-of-a-rest-api-requestresponse).
+
+## Create the request body
+
+The following common definitions are used to build a request body:
+
+|Name |Required |Type |Description |
+|||||
+|eTag | | String | Optional eTag |
+|location | true |String | Resource location |
+|properties | true | [BackupVault](/rest/api/dataprotection/backup-vaults/create-or-update#backupvault) | Properties of the vault |
+|Identity | | [DPPIdentityDetails](/rest/api/dataprotection/backup-vaults/create-or-update#dppidentitydetails) | Identifies the unique system identifier for each Azure resource |
+|tags | | Object | Resource tags |
+
+Note that vault name and resource group name are provided in the PUT URI. The request body defines the location.
+
+## Example request body
+
+The following example body is used to create a vault in "West US". Specify the location.
+
+```json
+{
+ "location": "WestUS",
+ "tags": {
+ "key1": "val1"
+ },
+ "identity": {
+ "type": "None"
+ },
+ "properties": {
+ "storageSettings": [
+ {
+ "datastoreType": "VaultStore",
+ "type": "LocallyRedundant"
+ }
+ ]
+ }
+}
+```
+
+If you want to create a backup vault and also generate a system assigned identity, then the following request body should be given.
+
+```json
+{
+ "location": "WestUS",
+ "tags": {
+ "key1": "val1"
+ },
+ "identity": {
+ "type": "systemAssigned"
+ },
+ "properties": {
+ "storageSettings": [
+ {
+ "datastoreType": "VaultStore",
+ "type": "LocallyRedundant"
+ }
+ ]
+ }
+}
+```
+
+## Responses
+
+Creation of a backup vault is an [asynchronous operation](../azure-resource-manager/management/async-operations.md). It means this operation creates another operation that needs to be tracked separately.
+There are two successful responses for the operation to create or update a Backup vault:
+
+|Name |Type |Description |
+||||
+|200 OK | [BackupVaultResource](/rest/api/dataprotection/backup-vaults/create-or-update#backupvaultresource) | OK |
+|201 Created | [BackupVaultResource](/rest/api/dataprotection/backup-vaults/create-or-update#backupvaultresource) | Created |
+| Other status codes | [CloudError](/rest/api/dataprotection/backup-vaults/create-or-update#clouderror)
+
+For more information about REST API responses, see [Process the response message](/rest/api/azure/#process-the-response-message).
+
+### Example response
+
+A condensed *201 Created* response from the previous example request body shows an *id* has been assigned and the *provisioningState* is *Succeeded*:
+
+```json
+{
+ "eTag": null,
+ "id": "/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/TestBkpVaultRG/providers/Microsoft.DataProtection/BackupVaults/testBkpVault",
+ "identity": {
+ "principalId": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "tenantId": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "type": "SystemAssigned"
+ },
+ "location": "westUS",
+ "name": "testBkpVault",
+ "properties": {
+ "provisioningState": "Succeeded",
+ "storageSettings": [
+ {
+ "datastoreType": "VaultStore",
+ "type": "GeoRedundant"
+ }
+ ]
+ },
+ "resourceGroup": "TestBkpVaultRG",
+ "systemData": null,
+ "tags": {},
+ "type": "Microsoft.DataProtection/backupVaults"
+ }
+```
+
+## Next steps
+
+[Create a backup policy for backing up blobs in this vault](backup-azure-dataprotection-use-rest-api-create-update-blob-policy.md).
+
+For more information on the Azure REST APIs, see the following documents:
+
+- [Azure Data Protection provider REST API](/rest/api/dataprotection/)
+- [Get started with Azure REST API](/rest/api/azure/)
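Review bot: the PUT template `PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataProtection/testBkpVault?api-version=2021-01-01` hardcodes the vault name and drops the `backupVaults/` segment, even though the next paragraph says the reader defines `{vaultName}`; it should read `.../providers/Microsoft.DataProtection/backupVaults/{vaultName}?api-version=2021-01-01`. That paragraph also calls the subscription parameter `{subscription-id}` while the template uses `{subscriptionId}`. The metadata block belongs to a different article: the title "Create Azure Backup policy for blobs using REST API." and its description describe policy creation, not vault creation as the H1 does. The example response does not correspond to either example request: the requests set `"type": "LocallyRedundant"` and `"tags": {"key1": "val1"}` but the response shows `"type": "GeoRedundant"` and `"tags": {}`, and the identity type is spelled `systemAssigned` in the request and `SystemAssigned` in the response. Security-relevant: the first body uses `"identity": {"type": "None"}`, yet the configure-backup article added in this same commit assigns RBAC to the "vault MSI"; a vault created without a managed identity cannot be granted those permissions, so state that a system-assigned identity is required when the vault will protect storage accounts, or drop the `None` example. Minor: the "Other status codes" row in the responses table is missing its description cell, and the closing brace of the example response is indented one level too deep.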
backup Backup Azure Dataprotection Use Rest Api Create Update Blob Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-dataprotection-use-rest-api-create-update-blob-policy.md
+
+ Title: Create backup policies for blobs using data protection REST API
+description: In this article, you'll learn how to create and manage backup policies for blobs using REST API.
+ Last updated : 07/09/2021
+ms.assetid: 472d6a4f-7914-454b-b8e4-062e8b556de3
+
+# Create Azure Data Protection backup policies for blobs using REST API
+
+> [!IMPORTANT]
+> Read [this section](blob-backup-configure-manage.md#before-you-start) before proceeding to create the policy and configuring backups for Azure blobs.
+
+A backup policy typically governs the retention and schedule of your backups. Since operational backup for blobs is continuous in nature, you don't need a schedule to perform backups. The policy is essentially needed to specify the retention period. You can reuse the backup policy to configure backup for multiple storage accounts to a vault.
+
+>[!NOTE]
+>Restoring over long durations may lead to restore operations taking longer to complete. Furthermore, the time that it takes to restore a set of data is based on the number of write and delete operations made during the restore period. For example, an account with one million objects with 3,000 objects added per day and 1,000 objects deleted per day will require approximately two hours to restore to a point 30 days in the past. A retention period and restoration more than 90 days in the past would not be recommended for an account with this rate of change.
+
+The steps to create a backup policy for an Azure Recovery Services vault are outlined in the policy [REST API document](/rest/api/dataprotection/backup-policies/create-or-update). Let's use this document as a reference to create a policy for blobs in a storage account.
+
+## Create or update a policy
+
+To create or update an Azure Backup policy, use the following *PUT* operation
+
+```http
+PUT https://management.azure.com/Subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataProtection/backupVaults/{vaultName}/backupPolicies/{policyName}?api-version=2021-01-01
+```
+
+The `{policyName}` and `{vaultName}` are provided in the URI. Additional information is provided in the request body.
+
+## Create the request body
+
+For example, to create a policy for Blob backup, following are the components of the request body.
+
+|Name |Required |Type |Description |
+|||||
+|properties | True | BaseBackupPolicy:[BackupPolicy](/rest/api/dataprotection/backup-policies/create-or-update#backuppolicy) | BaseBackupPolicyResource properties |
+
+For the complete list of definitions in the request body, refer to the [backup policy REST API document](/rest/api/dataprotection/backup-policies/create-or-update).
+
+### Example request body
+
+The following request body defines a backup policy for blob backups.
+
+The policy says:
+
+- Retention period is 30 days.
+- Datastore is 'operational store' since the backups are local and no data is stored in the Backup vault.
+
+```json
+{
+ "properties": {
+ "datasourceTypes": [
+ "Microsoft.Storage/storageAccounts/blobServices"
+ ],
+ "objectType": "BackupPolicy",
+ "policyRules": [
+ {
+ "name": "Default",
+ "objectType": "AzureRetentionRule",
+ "isDefault": true,
+ "lifecycles": [
+ {
+ "deleteAfter": {
+ "duration": "P30D",
+ "objectType": "AbsoluteDeleteOption"
+ },
+ "sourceDataStore": {
+ "dataStoreType": "OperationalStore",
+ "objectType": "DataStoreInfoBase"
+ }
+ }
+ ]
+ }
+ ]
+ }
+}
+```
+
+> [!IMPORTANT]
+> The time formats for support only DateTime. They don't support Time format alone.
+
+## Responses
+
+The backup policy creation/update is a synchronous operation and returns OK once the operation is successful.
+
+|Name |Type |Description |
+||||
+|200 OK | [BaseBackupPolicyResource](/rest/api/dataprotection/backup-policies/create-or-update#basebackuppolicyresource) | OK |
+
+### Example responses
+
+Once the operation completes, it returns 200 (OK) with the policy content in the response body.
+
+```json
+{
+ "id": "/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//TestBkpVaultRG/providers/Microsoft.RecoveryServices/vaults/testBkpVault/backupPolicies/TestBlobPolicy",
+ "name": "TestBlobPolicy",
+ "type": "Microsoft.DataProtection/backupVaults/backupPolicies",
+ "properties": {
+ "policyRules": [
+ {
+ "lifecycles": [
+ {
+ "deleteAfter": {
+ "objectType": "AbsoluteDeleteOption",
+ "duration": "P30D"
+ },
+ "sourceDataStore": {
+ "dataStoreType": "OperationalStore",
+ "objectType": "DataStoreInfoBase"
+ }
+ }
+ ],
+ "isDefault": true,
+ "name": "Default",
+ "objectType": "AzureRetentionRule"
+ }
+ ],
+ "datasourceTypes": [
+ "Microsoft.Storage/storageAccounts/blobServices"
+ ],
+ "objectType": "BackupPolicy"
+ }
+}
+```
+
+## Next steps
+
+Enable protection for blobs in a storage account.
+
+For more information on the Azure Backup REST APIs, see the following documents:
+
+- [Azure Data Protection REST API](/rest/api/dataprotection/)
+- [Get started with Azure REST API](/rest/api/azure/)
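Review bot: "The steps to create a backup policy for an Azure Recovery Services vault" names the wrong vault type for this article: the policy is created under `Microsoft.DataProtection/backupVaults`, and the vault article added in this commit says explicitly that the Backup vault is different from the Recovery Services vault. The example response repeats the mix-up: its `id` is `/subscriptions/.../resourceGroups//TestBkpVaultRG/providers/Microsoft.RecoveryServices/vaults/testBkpVault/backupPolicies/TestBlobPolicy` (doubled slash, Recovery Services provider) while `type` two lines later is `Microsoft.DataProtection/backupVaults/backupPolicies`; the id should be `/subscriptions/.../resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupPolicies/TestBlobPolicy`. The important note "The time formats for support only DateTime. They don't support Time format alone." is garbled (it has lost its subject) and it is unclear which field it refers to, since the only time value in the body is the ISO 8601 duration `"P30D"`; reword it to name the field and the accepted format, or remove it. In "Next steps", "Enable protection for blobs in a storage account." is plain text where the sibling items are links; link it to `backup-azure-dataprotection-use-rest-api-backup-blobs.md`, which the restore article in this commit references. Minor: the policy name `TestBlobPolicy` here differs from `BlobBackup-Policy` used in the configure-backup article, so the walkthrough does not chain, and `Required` is written `True` here but `true` in the vault article's table.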
backup Backup Azure Dataprotection Use Rest Api Restore Blobs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-dataprotection-use-rest-api-restore-blobs.md
+
+ Title: Restore blobs in a storage account using Azure Data Protection REST API
+description: In this article, learn how to restore blobs of a storage account using REST API.
+ Last updated : 07/09/2021
+ms.assetid: 9b8d21e6-3e23-4345-bb2b-e21040996afd
++
+# Restore Azure blobs to point-in-time using Azure Data Protection REST API
+
+This article describes how to restore [blobs](blob-backup-overview.md) to any point-in-time using Azure Backup.
+
+> [!IMPORTANT]
+> Before proceeding to restore Azure blobs using Azure Backup, see [important points](blob-restore.md#before-you-start).
+
+In this article, you'll learn how to:
+
+- Restore Azure blobs to point-in-time
+
+- Track the restore operation status
+
+## Prerequisites
+
+- [Create a Backup vault](backup-azure-dataprotection-use-rest-api-create-update-backup-vault.md)
+
+- [Create a blob backup policy](backup-azure-dataprotection-use-rest-api-create-update-blob-policy.md)
+
+- [Configure a blob backup](backup-azure-dataprotection-use-rest-api-backup-blobs.md)
+
+We will refer to an existing backup vault _TestBkpVault_, under the resource group _testBkpVaultRG_, where blobs in a storage account named "msblobbackup-f2df34eb-5628-4570-87b2-0331d797c67d" in the examples.
+
+## Restoring Azure blobs within a storage account
+
+### Fetching the valid time range for restore
+
+As the operational backup for blobs is continuous, there are no distinct points to restore from. Instead, we need to fetch the valid time-range under which blobs can be restored to any point-in-time. In this example, let's check for valid time-ranges to restore within the last 30 days.
+
+The restorable time ranges can be listed using [find restorable time range](/rest/api/dataprotection/restorable-time-ranges/find) API. It is a *POST* API which triggers an operation to calculate the range of continuous backups for the blobs in the storage account.
+
+```http
+POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataProtection/backupVaults/{vaultName}/backupInstances/{backupInstanceName}/findRestorableTimeRanges?api-version=2021-01-01
+```
+
+For our example, this translates to
+
+```http
+POST https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupInstances/msblobbackup-f2df34eb-5628-4570-87b2-0331d797c67d/findRestorableTimeRanges?api-version=2021-01-01
+```
+
+#### Create the request body to fetch valid time ranges for restore
+
+To trigger an operation to calculate valid time ranges, following are the components of a request body
+
+|**Name** |**Type** |**Description** |
+||||
+|sourceDatastoreType | [RestoreSourceDataStoreType](/rest/api/dataprotection/restorable-time-ranges/find#restoresourcedatastoretype) | The datastore which contains the data to be restored |
+|startTime | String | Start time for the List Restore Ranges request. ISO 8601 format. |
+|endTime | String | End time for the List Restore Ranges request. ISO 8601 format. |
+
+##### Example request body to fetch valid time range
+
+The following request body defines properties required to fetch the time ranges of the continuous data which can be restored. Since blob backups reside in the storage account, the datastore is 'Operational'. You can give start and end time that helps to narrow the search process and return the available time range.
+
+```json
+{
+ "sourceDataStoreType": "OperationalStore",
+ "startTime": "",
+ "endTime": ""
+}
+```
+
+#### Responses for fetch valid time ranges
+
+Once you submit the *POST* request, the response is 200(OK) with the start and end time of the range available for restore within the specified start and end time of the request.
+
+|**Name** |**Type** |**Description** |
+||||
+|200(OK) | [AzureBackupFindRestorableTimeRangesResponseResource](/rest/api/dataprotection/restorable-time-ranges/find#azurebackupfindrestorabletimerangesresponseresource) | OK |
+|Other Status codes | [CloudError](/rest/api/dataprotection/restorable-time-ranges/find#clouderror) | Error response describing why the operation has failed. |
+
+##### Example response for fetch valid time ranges
+
+```http
+HTTP/1.1 200 OK
+Content-Length: 379
+Content-Type: application/json
+Expires: -1
+Pragma: no-cache
+X-Content-Type-Options: nosniff
+x-ms-request-id:
+Strict-Transport-Security: max-age=31536000; includeSubDomains
+x-ms-ratelimit-remaining-subscription-writes: 1199
+x-ms-correlation-request-id: a2b7c2d9-01f5-499a-b521-55da4862c79a
+x-ms-routing-request-id: CENTRALUSEUAP:20210708T184646Z:4996a2bf-2df8-48a7-9b53-a552466a27f7
+Cache-Control: no-cache
+Date: Thu, 08 Jul 2021 18:46:45 GMT
+Server: Microsoft-IIS/10.0
+X-Powered-By: ASP.NET
+
+{
+ "id": "msblobbackup-f2df34eb-5628-4570-87b2-0331d797c67d",
+ "type": "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges",
+ "properties": {
+ "restorableTimeRanges": [
+ {
+ "startTime": "2021-07-06T18:46:45.947728Z",
+ "endTime": "2021-07-08T18:46:45.9932408Z",
+ "objectType": "RestorableTimeRange"
+ }
+ ],
+ "objectType": "AzureBackupFindRestorableTimeRangesResponse"
+ }
+}
+```
+
+### Preparing the restore request
+
+Once the point-in-time to restore to the same storage account is fixed, there are multiple options to restore.
+
+#### Restoring all the blobs to a point-in-time
+
+Using this option restores all block blobs in the storage account by rolling them back to the selected point in time. Storage accounts containing large amounts of data or witnessing a high churn may take longer times to restore.
+
+##### Constructing the request body for point-in-time restore of all blobs
+
+The key points to remember in this scenario are:
+
+- Restore is happening to the same storage account which means the target object for the restore is same as the source datasource. This is reflected in the restore target info section below.
+- These are continuous backups and hence the restore time is a point-in-time and not a distinct recovery point.
+- All blobs are restored
+- The source datastore that is, where the backups reside, is the same storage account. Hence the source datastore is 'Operational' datastore.
+
+```json
+{
+ "restoreRequestObject": {
+ "objectType": "AzureBackupRecoveryTimeBasedRestoreRequest",
+ "restoreTargetInfo": {
+ "objectType": "RestoreTargetInfo",
+ "recoveryOption": "FailIfExists",
+ "restoreLocation": "westus",
+ "datasourceInfo": {
+ "datasourceType": "Microsoft.Storage/storageAccounts/blobServices",
+ "objectType": "Datasource",
+ "resourceID": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/RG-BlobBackup/providers/Microsoft.Storage/storageAccounts/msblobbackup",
+ "resourceLocation": "westus",
+ "resourceName": "msblobbackup",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceUri": ""
+ }
+ },
+ "sourceDataStoreType": "OperationalStore",
+ "recoveryPointTime": "2021-07-08T00:00:00.0000000Z"
+ }
+}
+```
+
+#### Restoring few containers to a point-in-time
+
+Using this option allows you to select up to 10 containers to restore or restore a subset of blobs using a prefix match. You can specify up to 10 lexicographical ranges of blobs within a single container or across multiple containers to return those blobs to their previous state at a given point in time. In case of using prefixes, here are a few things to keep in mind:
+
+- You can use a forward slash (/) to delineate the container name from the blob prefix
+- The start of the range specified is inclusive, however the specified range is exclusive.
+
+[Learn more](blob-restore.md#use-prefix-match-for-restoring-blobs) about using prefixes to restore blob ranges.
+
+##### Constructing the request body for point-in-time restore of selected containers or few blobs
+
+The key points to remember in this scenario are:
+
+- Restore is happening to the same storage account which means the target object for the restore is same as the source datasource. This is reflected in the restore target info section below.
+- These are continuous backups and hence the restore time is a point-in-time and not a distinct recovery point.
+- Few items within the storage account are restored. They could be containers or blobs with a prefix pattern.
+- The source datastore i.e., where the backups reside, is the same storage account. Hence the source datastore is 'Operational' datastore.
+
+```json
+{
+ "restoreRequestObject": {
+ "objectType": "AzureBackupRecoveryTimeBasedRestoreRequest",
+ "restoreTargetInfo": {
+ "objectType": "ItemLevelRestoreTargetInfo",
+ "recoveryOption": "FailIfExists",
+ "restoreLocation": "westus",
+ "restoreCriteria": [
+ {
+ "objectType": "RangeBasedItemLevelRestoreCriteria",
+ "minMatchingValue": "Container1",
+ "maxMatchingValue": "Container10-0"
+ }
+ ],
+ "datasourceInfo": {
+ "datasourceType": "Microsoft.Storage/storageAccounts/blobServices",
+ "objectType": "Datasource",
+ "resourceID": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/RG-BlobBackup/providers/Microsoft.Storage/storageAccounts/msblobbackup",
+ "resourceLocation": "westus",
+ "resourceName": "msblobbackup",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceUri": ""
+ }
+ },
+ "sourceDataStoreType": "OperationalStore",
+ "recoveryPointTime": "2021-07-08T00:00:00.0000000Z"
+ }
+}
+```
+
+#### Validating restore requests
+
+Once request body is prepared, it can be validated using the [validate for restore API](/rest/api/dataprotection/backup-instances/validate-for-restore). Like the validate for backup API, this is a *POST* operation.
+
+```http
+POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataProtection/backupVaults/{vaultName}/backupInstances/{backupInstanceName}/validateRestore?api-version=2021-01-01
+```
+
+For our example, this translates to:
+
+```http
+POST "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupInstances/msblobbackup-f2df34eb-5628-4570-87b2-0331d797c67d/validateRestore?api-version=2021-01-01"
+```
+
+The request body for this POST API is detailed [here](/rest/api/dataprotection/backup-instances/validate-for-restore#request-body). We have constructed the same in the above section for [all blobs restore](#constructing-the-request-body-for-point-in-time-restore-of-all-blobs) and [few items restore](#constructing-the-request-body-for-point-in-time-restore-of-selected-containers-or-few-blobs) scenarios. We will use the same to trigger a validate operation.
+
+##### Response to validate restore requests
+
+The validate restore request is an [asynchronous operation](../azure-resource-manager/management/async-operations.md). It means this operation creates another operation that needs to be tracked separately.
+
+It returns two responses: 202 (Accepted) when another operation is created and then 200 (OK) when that operation completes.
+
+|Name |Type |Description |
+||||
+|200 OK | | Status of validate request |
+|202 Accepted | | Accepted |
+
+###### Example response to restore validate request
+
+Once the *POST* operation is submitted, the initial response will be 202 Accepted along with an Azure-asyncOperation header.
+
+```http
+HTTP/1.1 202 Accepted
+Content-Length: 0
+Expires: -1
+Pragma: no-cache
+Retry-After: 10
+Azure-AsyncOperation: https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzVlNzMxZDBiLTQ3MDQtNDkzNS1hYmNjLWY4YWEzY2UzNTk1ZQ==?api-version=2021-01-01
+X-Content-Type-Options: nosniff
+x-ms-request-id:
+Strict-Transport-Security: max-age=31536000; includeSubDomains
+x-ms-ratelimit-remaining-subscription-writes: 1199
+x-ms-correlation-request-id: bae60c92-669d-45a4-aed9-8392cca7cc8d
+x-ms-routing-request-id: CENTRALUSEUAP:20210708T205935Z:f51db7a4-9826-4084-aa3b-ae640dc78af6
+Cache-Control: no-cache
+Date: Thu, 08 Jul 2021 20:59:35 GMT
+Location: https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationResults/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzVlNzMxZDBiLTQ3MDQtNDkzNS1hYmNjLWY4YWEzY2UzNTk1ZQ==?api-version=2021-01-01
+X-Powered-By: ASP.NET
+```
+
+Track the Azure-AsyncOperation header with a simple *GET* request. When the request is successful it returns 200 OK with a success status response.
+
+```http
+ GET https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzVlNzMxZDBiLTQ3MDQtNDkzNS1hYmNjLWY4YWEzY2UzNTk1ZQ==?api-version=2021-01-01
+
+{
+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzVlNzMxZDBiLTQ3MDQtNDkzNS1hYmNjLWY4YWEzY2UzNTk1ZQ==",
+ "name": "ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExOzVlNzMxZDBiLTQ3MDQtNDkzNS1hYmNjLWY4YWEzY2UzNTk1ZQ==",
+ "status": "Succeeded",
+ "startTime": "2021-07-08T20:59:35.0060264Z",
+ "endTime": "2021-07-08T20:59:57Z"
+}
+```
+
+#### Triggering restore requests
+
+The triggering restore operation is a ***POST*** API. All details about the trigger restore operation are documented [here](/rest/api/dataprotection/backup-instances/trigger-restore).
+
+```http
+POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataProtection/backupVaults/{vaultName}/backupInstances/{backupInstanceName}/restore?api-version=2021-01-01
+```
+
+For our example, this translates to:
+
+```http
+POST "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupInstances/msblobbackup-f2df34eb-5628-4570-87b2-0331d797c67d/restore?api-version=2021-01-01"
+```
+
+##### Creating a request body for restore operations
+
+Once the requests are validated, the same request body can be used to trigger the restore request with minor changes.
+
+###### Example request body for all blobs restore
+
+The only change from the validate restore request body is to remove the "restoreRequest" object at the start.
+
+```json
+{
+ "objectType": "AzureBackupRecoveryTimeBasedRestoreRequest",
+ "restoreTargetInfo": {
+ "objectType": "RestoreTargetInfo",
+ "recoveryOption": "FailIfExists",
+ "restoreLocation": "westus",
+ "datasourceInfo": {
+ "datasourceType": "Microsoft.Storage/storageAccounts/blobServices",
+ "objectType": "Datasource",
+ "resourceID": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/RG-BlobBackup/providers/Microsoft.Storage/storageAccounts/msblobbackup",
+ "resourceLocation": "westus",
+ "resourceName": "msblobbackup",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceUri": ""
+ }
+ },
+ "sourceDataStoreType": "OperationalStore",
+ "recoveryPointTime": "2021-07-08T00:00:00Z"
+}
+```
+
+###### Example request body for items or few blobs restore
+
+The only change from the validate restore request body is to remove the "restoreRequest" object at the start.
+
+```json
+{
+ "objectType": "AzureBackupRecoveryTimeBasedRestoreRequest",
+ "restoreTargetInfo": {
+ "objectType": "ItemLevelRestoreTargetInfo",
+ "recoveryOption": "FailIfExists",
+ "restoreLocation": "westus",
+ "restoreCriteria": [
+ {
+ "objectType": "RangeBasedItemLevelRestoreCriteria",
+ "minMatchingValue": "Container1",
+ "maxMatchingValue": "Container2"
+ }
+ ],
+ "datasourceInfo": {
+ "datasourceType": "Microsoft.Storage/storageAccounts/blobServices",
+ "objectType": "Datasource",
+ "resourceID": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/RG-BlobBackup/providers/Microsoft.Storage/storageAccounts/msblobbackup",
+ "resourceLocation": "westus",
+ "resourceName": "msblobbackup",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceUri": ""
+ }
+ },
+ "sourceDataStoreType": "OperationalStore",
+ "recoveryPointTime": "2021-07-08T00:00:00.0000000Z"
+}
+```
+
+#### Response to trigger restore requests
+
+The trigger restore request is an [asynchronous operation](../azure-resource-manager/management/async-operations.md). It means this operation creates another operation that needs to be tracked separately.
+
+It returns two responses: 202 (Accepted) when another operation is created and then 200 (OK) when that operation completes.
+
+|Name |Type |Description |
+||||
+|200 OK | | Status of restore request |
+|202 Accepted | | Accepted |
+
+##### Example response to trigger restore request
+
+Once the *POST* operation is submitted, the initial response will be 202 Accepted along with an Azure-asyncOperation header.
+
+```http
+HTTP/1.1 202 Accepted
+Content-Length: 0
+Expires: -1
+Pragma: no-cache
+Retry-After: 30
+Azure-AsyncOperation: https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExO2Q1NDIzY2VjLTczYjYtNDY5ZC1hYmRjLTc1N2Q0ZTJmOGM5OQ==?api-version=2021-01-01
+X-Content-Type-Options: nosniff
+x-ms-request-id:
+Strict-Transport-Security: max-age=31536000; includeSubDomains
+x-ms-ratelimit-remaining-subscription-writes: 1197
+x-ms-correlation-request-id: 8661209c-5b6a-44fe-b676-4e2b9c296593
+x-ms-routing-request-id: CENTRALUSEUAP:20210708T204652Z:69e3fa4b-c5d9-4601-9410-598006ada187
+Cache-Control: no-cache
+Date: Thu, 08 Jul 2021 20:46:52 GMT
+Location: https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationResults/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExO2Q1NDIzY2VjLTczYjYtNDY5ZC1hYmRjLTc1N2Q0ZTJmOGM5OQ==?api-version=2021-01-01
+X-Powered-By: ASP.NET
+```
+
+Track the Azure-AsyncOperation header with a simple *GET* request. When the request is successful it returns 200 OK with a Job ID which should be further tracked for completion of restore request.
+
+```http
+GET https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExO2Q1NDIzY2VjLTczYjYtNDY5ZC1hYmRjLTc1N2Q0ZTJmOGM5OQ==?api-version=2021-01-01
+
+{
+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.DataProtection/locations/westus/operationStatus/ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExO2Q1NDIzY2VjLTczYjYtNDY5ZC1hYmRjLTc1N2Q0ZTJmOGM5OQ==",
+ "name": "ZmMzNDFmYWMtZWJlMS00NGJhLWE4YTgtMDNjYjI4Y2M5OTExO2Q1NDIzY2VjLTczYjYtNDY5ZC1hYmRjLTc1N2Q0ZTJmOGM5OQ==",
+ "status": "Succeeded",
+ "startTime": "2021-07-08T20:46:52.4110868Z",
+ "endTime": "2021-07-08T20:46:56Z",
+ "properties": {
+ "jobId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupJobs/c4bd49a1-0645-4eec-b207-feb818962852",
+ "objectType": "OperationJobExtendedInfo"
+ }
+}
+```
+
+#### Tracking jobs
+
+The trigger restore requests triggered the restore job and the resultant Job ID should be tracking using the [GET Jobs API](/rest/api/dataprotection/jobs/get).
+
+Use the simple GET command to track the JobId given in the [trigger restore response](#example-response-to-trigger-restore-request) above.
+
+```http
+ GET /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupJobs/c4bd49a1-0645-4eec-b207-feb818962852?api-version=2021-01-01
+
+{
+ "properties": {
+ "activityID": "4195ca6c-e02d-11eb-b0b1-70bc105e2242",
+ "subscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
+ "backupInstanceId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupInstances/msblobbackup-f2df34eb-5628-4570-87b2-0331d797c67d",
+ "policyId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupPolicies/BlobBackup-Policy",
+ "dataSourceId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/RG-BlobBackup/providers/Microsoft.Storage/storageAccounts/msblobbackup",
+ "vaultName": "BV-JPE-GRS",
+ "backupInstanceFriendlyName": "msblobbackup",
+ "policyName": "BlobBackup-Policy",
+ "sourceResourceGroup": "RG-BlobBackup",
+ "dataSourceName": "msblobbackup",
+ "progressEnabled": false,
+ "etag": "W/\"datetime'2021-07-08T20%3A48%3A36.6999667Z'\"",
+ "sourceSubscriptionID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
+ "dataSourceLocation": "westus",
+ "startTime": "2021-07-08T20:44:19.5467125Z",
+ "endTime": "2021-07-08T20:48:35.8297312Z",
+ "dataSourceType": "Microsoft.Storage/storageAccounts/blobServices",
+ "operationCategory": "Restore",
+ "operation": "Restore",
+ "status": "Completed",
+ "isUserTriggered": true,
+ "supportedActions": [
+ ""
+ ],
+ "duration": "PT4M16.2830187S",
+ "extendedInfo": {
+ "sourceRecoverPoint": {
+ "recoveryPointTime": "2021-07-08T00:00:00Z"
+ },
+ "recoveryDestination": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/RG-BlobBackup/providers/Microsoft.Storage/storageAccounts/msblobbackup",
+ "subTasks": [
+ {
+ "taskId": 1,
+ "taskName": "Trigger Restore",
+ "taskStatus": "Completed"
+ }
+ ]
+ }
+ },
+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/TestBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/testBkpVault/backupJobs/c4bd49a1-0645-4eec-b207-feb818962852",
+ "name": "c4bd49a1-0645-4eec-b207-feb818962852",
+ "type": "Microsoft.DataProtection/BackupVaults/backupJobs"
+}
+```
+
+The job status above indicates that the restore job is completed and all blobs have been recovered to specified point-in-time.
+
+## Next steps
+
+[Overview of Azure blob backup](blob-backup-overview.md).
+
+For more information on the Azure Backup REST APIs, see the following documents:
+
+- [Azure Data Protection provider REST API](/rest/api/dataprotection/)
+- [Get started with Azure REST API](/rest/api/azure/)
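Review bot: the two "Creating a request body for restore operations" sections say the only change from the validated body is removing the wrapper object, but the bodies differ in more than that, which undermines the validate-then-trigger flow the article is built around. The wrapper is named `restoreRequestObject`, not "restoreRequest"; the item-level trigger body changes `"maxMatchingValue": "Container10-0"` to `"maxMatchingValue": "Container2"`, and the all-blobs trigger body drops the fractional seconds from `recoveryPointTime`. Either make each trigger body identical to its validated body apart from the wrapper, or state explicitly that a different range is being restored. Further points in the same hunk: the request-body table lists `sourceDatastoreType` while the JSON uses `sourceDataStoreType`; the "fetch valid time range" body ships empty `startTime`/`endTime` strings although the prose promises a 30-day window, so give ISO 8601 sample values; "The start of the range specified is inclusive, however the specified range is exclusive" should read that the end of the range is exclusive; the sentence introducing the example resources is truncated ("where blobs in a storage account named ... in the examples") and the value it names is the backup instance name, whereas the storage account in every request body is `msblobbackup`; the validate and trigger example URLs are quoted relative paths while the find-restorable-time-ranges example uses the full `https://management.azure.com/...` form; the tracked job shows `"vaultName": "BV-JPE-GRS"` rather than `testBkpVault`; and "should be tracking using" should be "should be tracked using".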
backup Pre Backup Post Backup Scripts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/pre-backup-post-backup-scripts.md
+
+ Title: Using Pre-Backup and Post-Backup Scripts
+description: This article contains the procedure to specify pre-backup and post-backup scripts. Azure Backup Server (MABS).
+ Last updated : 07/06/2021++
+# Using pre-backup and post-backup scripts
+
+Applies to: Microsoft Azure Backup Server (MABS)
+
+A _pre-backup script_ is a script that resides on the protected computer, is executed before each MABS backup job, and prepares the protected data source for backup.
+
+A _post-backup script_ is a script that runs after a MABS backup job to do any post-backup processing, such as bringing a virtual machine back online.
+
+When you install a protection agent on a computer, a ScriptingConfig.xml file is added to the _install path_ \Microsoft Data Protection Manager\DPM\Scripting folder on the protected computer. For each protected data source on the computer, you can specify a pre-backup script and a post-backup script in ScriptingConfig.xml.
+
+>[!Note]
+>The pre-backup and post-backup scripts canΓÇÖt be VBScripts. Instead, you must use a wrapper command around your script containing **cscript myscript.vbs**.
+
+When MABS runs a protection job, ScriptingConfig.xml on the protected computer is checked. If a pre-backup script is specified, MABS runs the script and then completes the job. If a post-backup script is specified, MABS completes the job and then runs the script.
+
+>[!Note]
+>Protection jobs include replica creation, express full backup, synchronization, and consistency check.
+
+MABS runs the pre-backup and post-backup scripts by using the local system account. As a best practice, you should ensure that the scripts have Read and Execute permissions for the administrator and local system accounts only. This level of permissions prevents unauthorized users to modify the scripts.
+
+**ScriptingConfig.xml**
+
+```
+<?xml version="1.0" encoding="utf-8"?>
+<ScriptConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+xmlns="http://schemas.microsoft.com/2003/dls/ScriptingConfig.xsd">
+ <DatasourceScriptConfig DataSourceName="Data source">
+ <PreBackupScript>ΓÇ¥Path\Script ParametersΓÇ¥ </PreBackupScript>
+ <PostBackupScript>"Path\Script ParametersΓÇ¥ </PostBackupScript>
+ <TimeOut>30</TimeOut>
+ </DatasourceScriptConfig>
+</ScriptConfiguration>
+```
+
+To specify pre-backup and post-backup scripts
+
+1. On the protected computer, open the ScriptingConfig.xml file with an XML or text editor.
+
+ >[!Note]
+ >The DataSourceName attribute must be provided as **Drive:** (for example, D: if the data source is on the D drive).
+
+1. For each data source, complete the DatasourceScriptConfig element as follows:
++
+ 1. For the DataSourceName attribute, enter the data source volume (for file data sources) or name (for all other data sources). The data source name for application data should be in the form of _Instance\Database_ for SQL, _Storage group name_ for Exchange, _Logical Path\Component Name_ for Virtual Server, and _SharePoint Farm\SQL Server Name\SQL Instance Name\SharePoint Config DB_ for Windows SharePoint Services.
+ 1. In the _PreBackupScript_ tag, enter the path and script name.
+ 1. In the _PreBackupCommandLine_ tag, enter command-line parameters to be passed to the scripts, separated by spaces.
+ 1. In the _PostBackupScript_ tag, enter the path and script name.
+ 1. In the _PostBackupCommandLine_ tag, enter command-line parameters to be passed to the scripts, separated by spaces.
+ 1. In the _TimeOut_ tag, enter the amount of time in minutes that MABS should wait after invoking a script before timing out and marking the script as failed.
+
+1. Save the ScriptingConfig.xml file.
+
+>[!Note]
+>MABS will suffix an additional Boolean (true/false) parameter to the post-backup script command, indicating the status of the MABS backup job.
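Review bot: the permissions guidance conflates read/execute rights with tamper protection. The scripts named in ScriptingConfig.xml run as Local System, so what stops an unauthorized user from substituting their own code is denying Write/Modify to everyone except administrators (and SYSTEM), not limiting "Read and Execute" to those accounts; "prevents unauthorized users to modify the scripts" should also be "from modifying". The same restriction has to cover ScriptingConfig.xml itself, since anyone who can edit that file can point MABS at an arbitrary script that then executes as SYSTEM on every protection job; suggest stating this explicitly next to the best-practice sentence. Other issues in this hunk: steps 2b and 2d reference `PreBackupCommandLine` and `PostBackupCommandLine` tags that do not appear in the sample ScriptingConfig.xml, which instead places the parameters inside `PreBackupScript`/`PostBackupScript`, so one of the two needs to change; the mojibake `ΓÇÖ` in "canΓÇÖt" and `ΓÇ¥` in the XML sample (`<PreBackupScript>ΓÇ¥Path\Script ParametersΓÇ¥ </PreBackupScript>`) should be plain `'` and `"`, otherwise a copied sample contains invalid quote characters; the code fence should be tagged `xml`; and there is a stray `++` line between step 2 and its sub-steps.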
bastion Bastion Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/bastion/bastion-overview.md
For frequently asked questions, see the Bastion [FAQ](bastion-faq.md).
## Next steps * [Tutorial: Create an Azure Bastion host and connect to a Windows VM](tutorial-create-host-portal.md).
+* [Learn module: Introduction to Azure Bastion](/learn/modules/intro-to-azure-bastion/).
* Learn about some of the other key [networking capabilities](../networking/fundamentals/networking-overview.md) of Azure.
cdn Cdn Create A Storage Account With Cdn https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cdn/cdn-create-a-storage-account-with-cdn.md
To create a storage account, you must be either the service administrator or a c
From the storage account **Azure CDN** page, select the CDN endpoint from the list to open the CDN endpoint configuration page.
-From this page, you can enable additional CDN features for your delivery, such as [compression](cdn-improve-performance.md), [query string caching](cdn-query-string.md), and [geo filtering](cdn-restrict-access-by-country.md).
+From this page, you can enable additional CDN features for your delivery, such as [compression](cdn-improve-performance.md), [query string caching](cdn-query-string.md), and [geo filtering](cdn-restrict-access-by-country-region.md).
## Enable SAS
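Review bot: this hunk, together with the cdn-features, cdn-migrate and cdn-overview hunks below, retargets the link from `cdn-restrict-access-by-country.md` to `cdn-restrict-access-by-country-region.md`, but no redirect entry for the old path is part of the change; unless one exists elsewhere, bookmarks and search results for the old URL break. Suggest adding the redirect in the same change as the rename.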
cdn Cdn Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cdn/cdn-features.md
The following table compares the features available with each product.
| HTTPS support with CDN endpoint | **&#x2713;** |**&#x2713;** |**&#x2713;** |**&#x2713;** | | [Custom domain HTTPS](cdn-custom-ssl.md) | **&#x2713;** | **&#x2713;**, Requires direct CNAME to enable |**&#x2713;** |**&#x2713;** | | [Custom domain name support](cdn-map-content-to-custom-domain.md) | **&#x2713;** |**&#x2713;** |**&#x2713;** |**&#x2713;** |
-| [Geo-filtering](cdn-restrict-access-by-country.md) | **&#x2713;** |**&#x2713;** |**&#x2713;** |**&#x2713;** |
+| [Geo-filtering](cdn-restrict-access-by-country-region.md) | **&#x2713;** |**&#x2713;** |**&#x2713;** |**&#x2713;** |
| [Token authentication](cdn-token-auth.md) | | | |**&#x2713;**| | [DDOS protection](https://www.us-cert.gov/ncas/tips/ST04-015) | **&#x2713;** |**&#x2713;** |**&#x2713;** |**&#x2713;** | | [Bring your own certificate](cdn-custom-ssl.md?tabs=option-2-enable-https-with-your-own-certificate#tlsssl-certificates) |**&#x2713;** | | **&#x2713;** | **&#x2713;** |
cdn Cdn Migrate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cdn/cdn-migrate.md
To upgrade an **Azure CDN Standard from Verizon** profile, contact [Microsoft Su
## Profile comparison **Azure CDN Premium from Verizon** profiles have the following key differences from **Azure CDN Standard from Verizon** profiles:-- For certain Azure CDN features such as [compression](cdn-improve-performance.md), [caching rules](cdn-caching-rules.md), and [geo filtering](cdn-restrict-access-by-country.md), you cannot use the Azure CDN interface, you must use the Verizon portal via the **Manage** button.
+- For certain Azure CDN features such as [compression](cdn-improve-performance.md), [caching rules](cdn-caching-rules.md), and [geo filtering](cdn-restrict-access-by-country-region.md), you cannot use the Azure CDN interface, you must use the Verizon portal via the **Manage** button.
- API: Unlike with Standard Verizon, you cannot use the API to control those features that are accessed from the Premium Verizon portal. However, you can use the API to control other common features, such as creating/deleting an endpoint, purging/loading cached assets, and enabling/disabling a custom domain. - Pricing: Premium Verizon has a different pricing structure for data transfers than Standard Verizon. For more information, see [Content Delivery Network pricing](https://azure.microsoft.com/pricing/details/cdn/).
cdn Cdn Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cdn/cdn-overview.md
Azure CDN offers the following key features:
- [HTTPS custom domain support](cdn-custom-ssl.md) - [Azure diagnostics logs](cdn-azure-diagnostic-logs.md) - [File compression](cdn-improve-performance.md)-- [Geo-filtering](cdn-restrict-access-by-country.md)
+- [Geo-filtering](cdn-restrict-access-by-country-region.md)
For a complete list of features that each Azure CDN product supports, see [Compare Azure CDN product features](cdn-features.md).
cdn Cdn Restrict Access By Country Region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cdn/cdn-restrict-access-by-country-region.md
+
+ Title: Restrict Azure CDN content by country/region
+description: Learn how to restrict access by country/region to your Azure CDN content by using the geo-filtering feature.
+
+documentationcenter: ''
+++ Last updated : 07/07/2021+++
+# Restrict Azure CDN content by country/region
+
+## Overview
+When a user requests your content, the content is served to users in all locations. You may want to restrict access to your content by country/region.
+
+With the *geo-filtering* feature, you can create rules on specific paths on your CDN endpoint. You can set the rules to allow or block content in selected countries/regions.
+
+> [!IMPORTANT]
+> **Azure CDN Standard from Microsoft** profiles do not support path-based geo-filtering.
+>
+
+## Standard profiles
+
+These instructions are for **Azure CDN Standard from Akamai** and **Azure CDN Standard from Verizon** profiles.
+
+For **Azure CDN Premium from Verizon** profiles, you must use the **Manage** portal to activate geo-filtering. For more information, see [Azure CDN Premium from Verizon profiles](#azure-cdn-premium-from-verizon-profiles).
+
+### Define the directory path
+To access the geo-filtering feature, select your CDN endpoint within the portal, then select **Geo-filtering** under SETTINGS in the left-hand menu.
+
+![Screenshot showing Geo-filtering selected from the menu for an Endpoint.](./media/cdn-filtering/cdn-geo-filtering-standard.png)
+
+From the **PATH** box, specify the relative path to the location to which users will be allowed or denied access.
+
+You can apply geo-filtering for all your files with a forward slash (/) or select specific folders by specifying directory paths (for example, */pictures/*). You can also apply geo-filtering to a single file (for example */pictures/city.png*). Multiple rules are allowed. After you enter a rule, a blank row appears for you to enter the next rule.
+
+For example, all of the following directory path filters are valid:
+*/*
+*/Photos/*
+*/Photos/Strasbourg/*
+*/Photos/Strasbourg/city.png*
+
+### Define the type of action
+
+From the **ACTION** list, select **Allow** or **Block**:
+
+- **Allow**: Only users from the specified countries/regions are allowed access to assets requested from the recursive path.
+
+- **Block**: Users from the specified countries/regions are denied access to the assets requested from the recursive path. If no other country/region filtering options have been configured for that location, then all other users will be allowed access.
+
+For example, a geo-filtering rule for blocking the path */Photos/Strasbourg/* filters the following files:
+*http:\//\<endpoint>.azureedge.net/Photos/Strasbourg/1000.jpg*
+*http:\//\<endpoint>.azureedge.net/Photos/Strasbourg/Cathedral/1000.jpg*
+
+### Define the countries/regions
+
+From the **COUNTRY/REGION CODES** list, select the countries/regions that you want to block or allow for the path.
+
+After you have finished selecting the countries/regions, select **Save** to activate the new geo-filtering rule.
+
+![Screenshot shows COUNTRY/REGION CODES to use to block or allow countries or regions.](./media/cdn-filtering/cdn-geo-filtering-rules.png)
+
+### Clean up resources
+
+To delete a rule, select it from the list on the **Geo-filtering** page, then choose **Delete**.
+
+## Azure CDN Premium from Verizon profiles
+
+For **Azure CDN Premium from Verizon** profiles, the user interface for creating a geo-filtering rule is different:
+
+1. From the top menu in your Azure CDN profile, select **Manage**.
+
+2. From the Verizon portal, select **HTTP Large**, then select **Country Filtering**.
+
+ :::image type="content" source="./media/cdn-filtering/cdn-geo-filtering-premium.png" alt-text="Screenshot shows how to select country filtering in Azure CDN" border="true":::
+
+3. Select **Add Country Filter**.
+
+4. In **Step One:**, enter the directory path. Select **Block** or **Add**, then select **Next**.
+
+ > [!IMPORTANT]
+ > The endpoint name must be in the path. Example: **/myendpoint8675/myfolder**. Replace **myendpoint8675** with the name of your endpoint.
+ >
+
+5. In **Step Two**, select one or more countries/regions from the list. Select **Finish** to activate the rule.
+
+ The new rule appears in the table on the **Country Filtering** page.
+
+ :::image type="content" source="./media/cdn-filtering/cdn-geo-filtering-premium-rules.png" alt-text="Screenshot shows where the rule appears in country filtering." border="true":::
+
+### Clean up resources
+In the country/region filtering rules table, select the delete icon next to a rule to delete it or the edit icon to modify it.
+
+## Considerations
+* Changes to your geo-filtering configuration don't take effect immediately:
+ * For **Azure CDN Standard from Microsoft** profiles, propagation usually completes in 10 minutes.
+ * For **Azure CDN Standard from Akamai** profiles, propagation usually completes within one minute.
+ * For **Azure CDN Standard from Verizon** and **Azure CDN Premium from Verizon** profiles, propagation usually completes in 10 minutes.
+
+* This feature doesn't support wildcard characters (for example, *).
+
+* The geo-filtering configuration associated with the relative path is applied recursively to that path.
+
+* Only one rule can be applied to the same relative path. That is, you can't create multiple country/region filters that point to the same relative path. However, because country/region filters are recursive, a folder can have multiple country/region filters. In other words, a subfolder of a previously configured folder can be assigned a different country/region filter.
+
+* The geo-filtering feature uses country/region codes to define the countries/regions from which a request is allowed or blocked for a secured directory. Although Akamai and Verizon profiles support most of the same country/region codes, there are a few differences. For more information, see [Azure CDN country/region codes](/previous-versions/azure/mt761717(v=azure.100)).
+
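Review bot: The Considerations list contradicts the IMPORTANT callout at the top of the article: the callout says **Azure CDN Standard from Microsoft** profiles do not support path-based geo-filtering, yet the first consideration gives a 10-minute propagation time for those same profiles. Either drop that bullet or state which geo-filtering mechanism it refers to. Two smaller points: step 4 of the Premium from Verizon procedure reads "Select **Block** or **Add**" while the Standard section's ACTION list is **Allow**/**Block**, so confirm the Verizon portal's actual label; and the heading "### Clean up resources" appears twice in the same article, which produces duplicate anchors. The example URLs written as `*http:\//\<endpoint>.azureedge.net/Photos/Strasbourg/1000.jpg*` would also read more reliably as plain code spans than as escaped italics.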
cognitive-services Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/concepts/troubleshoot.md
This article provides guidance on how to troubleshoot and remediate common error
| `StorageReadError` | 403 | | Same as `StorageWriteError`. | | `UnexpectedError` | 500 | | Please contact us with detailed error information. You could take the support options from [this document](/azure/cognitive-services/cognitive-services-support-options?context=/azure/cognitive-services/anomaly-detector/context/context) or email us at [AnomalyDetector@microsoft.com](mailto:AnomalyDetector@microsoft.com) | + ### Train a Multivariate Anomaly Detection Model | Error Code | HTTP Error Code | Error Message | Comment |
This article provides guidance on how to troubleshoot and remediate common error
| | | - | | | `ModelNotExist` | 404 | The model does not exist. | The model with corresponding model ID does not exist. Please check the model ID in the request URL. |
+### List Multivariate Models
+
+| Error Code | HTTP Error Code | Error Message | Comment |
+| | | - | |
+|`InvalidRequestParameterError`| 400 | Invalid values for $skip or $top … | Please check whether the values for the two parameters are numerical. $skip and $top are used to list the models with pagination. Because the API only returns 10 most recently updated models, you could use $skip and $top to get models updated earlier. |
+ ### Anomaly Detection with a Trained Model | Error Code | HTTP Error Code | Error Message | Comment |
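Review bot: The separator row of the new List Multivariate Models table, `| | | - | |`, is not a valid Markdown delimiter row (every column needs at least one dash, for example `|---|---|---|---|`), so the table will not render as a table. The Error Message cell is also truncated ("Invalid values for $skip or $top …"); give the full message and state in the Comment column what values are accepted (numerical, and whether negative or zero values are rejected), so a caller can correct the request without guessing.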
cognitive-services Overview Multivariate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/overview-multivariate.md
To learn how to call the Anomaly Detector API (multivariate), try this [Notebook
To run the Notebook, you should get a valid Anomaly Detector API **subscription key** and an **API endpoint**. In the notebook, add your valid Anomaly Detector API subscription key to the `subscription_key` variable, and change the `endpoint` variable to your endpoint. - ## Region support
-The preview of Anomaly Detector multivariate is currently available in six regions: West US2, West Europe, East US2, South Central US, East US, and UK South.
+The preview of Anomaly Detector multivariate is currently available in 10 Azure regions: Southeast Asia, Australia East, Canada Central, North Europe, West Europe, East US, East US 2, South Central US, West US 2, and UK South.
## Algorithms
cognitive-services Learn Multivariate Anomaly Detection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/tutorials/learn-multivariate-anomaly-detection.md
Here is a sample request body and the sample code in Python to train an MVAD mod
"fillNAMethod": "Linear", "paddingValue": 0 },
- "source": "YOUR_SAMPLE_ZIP_FILE_LOCATED_IN_AZURE_BLOB_STORAGE_WITH_SAS",
+ // This could be your own ZIP file of training data stored on Azure Blob and a SAS url could be used here
+ "source": "https://aka.ms/AnomalyDetector/MVADSampleData",
"startTime": "2021-01-01T00:00:00Z", "endTime": "2021-01-02T12:00:00Z", "displayName": "Contoso model"
A sample response looks like this
// more variables ], "setupInfo": {
- "source": "https://multiadsample.blob.core.windows.net/datqGY%2FvGHJXJjUgjS4DneCGl7U5omq5c%3D",
+ "source": "https://aka.ms/AnomalyDetector/MVADSampleData",
"startTime": "2019-04-01T00:15:00Z", "endTime": "2019-04-01T00:40:00Z" }
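Review bot: The added line `// This could be your own ZIP file of training data stored on Azure Blob and a SAS url could be used here` sits inside the JSON request body; JSON has no comment syntax, so the body as shown is no longer valid if a reader pastes it into a request. Move the remark into the prose above the snippet rather than into the fenced JSON. Replacing the blob URL that carried what looks like a SAS signature fragment (`...datqGY%2FvGHJXJjUgjS4DneCGl7U5omq5c%3D`) with the `https://aka.ms/AnomalyDetector/MVADSampleData` link is the right call: a sample response should not carry credential-like query material.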
cognitive-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/whats-new.md
We've also added links to some user-generated content. Those items will be marke
## Release notes
+### July 2021
+
+* Multivariate anomaly detection APIs deployed in four more regions: Australia East, Canada Central, North Europe, and Southeast Asia. Now in total 10 regions are supported.
+ ### June 2021
-* Multivariate anomaly detection APIs available in more regions (West US2, West Europe, East US2, South Central US, East US, and UK South).
+* Multivariate anomaly detection APIs available in more regions: West US2, West Europe, East US2, South Central US, East US, and UK South.
* Anomaly Detector (univariate) available in Azure cloud for US Government. * Anomaly Detector (univariate) available in Azure China (China North 2).
cognitive-services Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/document-translation/managed-identity.md
Title: Create and use managed identities
+ Title: Create and use managed identity
-description: Understand how to create and use managed identities in the Azure portal
+description: Understand how to create and use managed identity in the Azure portal
Previously updated : 07/01/2021 Last updated : 07/08/2021
-# Create and use managed identities
+# Create and use managed identity for Document Translation
> [!IMPORTANT] >
-> Managed identity for Document Translation is currently unavailable in the global region. If you intend to use managed identities for Document Translation operations, [create your Translator resource](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) in a non-global Azure region.
+> Managed identity for Document Translation is currently unavailable in the global region. If you intend to use managed identity for Document Translation operations, [create your Translator resource](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) in a non-global Azure region.
-## What are managed identities?
+## What is managed identity?
- Azure managed identities are service principals that create an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources. You can use managed identities to grant access to any resource that supports Azure AD authentication. To grant access, assign a role to a managed identity using [Azure role-based access control](/azure/role-based-access-control/overview) (Azure RBAC). There is no added cost to use managed identities in Azure.
+ Azure managed identity is a service principal that creates an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources. You can use a managed identity to grant access to any resource that supports Azure AD authentication. To grant access, assign a role to a managed identity using [Azure role-based access control](/azure/role-based-access-control/overview) (Azure RBAC). There is no added cost to use managed identity in Azure.
-Managed Identities support both privately and publicly accessible Azure blob storage accounts. For storage accounts with public access, you can opt to use a shared access signature (SAS) to grant limited access. In this article, we will examine how to manage access to translation documents in your Azure blob storage account using system-assigned managed identities.
+Managed identity supports both privately and publicly accessible Azure blob storage accounts. For storage accounts with public access, you can opt to use a shared access signature (SAS) to grant limited access. In this article, we will examine how to manage access to translation documents in your Azure blob storage account using system-assigned managed identity.
> [!NOTE] >
Managed Identities support both privately and publicly accessible Azure blob sto
To get started, you'll need:
-* An active [**Azure account**](https://azure.microsoft.com/free/cognitive-services/). If you don't have one, you can [**create a free account**](https://azure.microsoft.com/free/).
+* An active [**Azure account**](https://azure.microsoft.com/free/cognitive-services/)ΓÇöif you don't have one, you can [**create a free account**](https://azure.microsoft.com/free/).
* A [**single-service Translator**](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) (not a multi-service Cognitive Services) resource assigned to a **non-global** region. For detailed steps, _see_ [Create a Cognitive Services resource using the Azure portal](/azure/cognitive-services/cognitive-services-apis-create-account?tabs=multiservice%2Cwindows).
-* An [**Azure blob storage account**](https://ms.portal.azure.com/#create/Microsoft.StorageAccount-ARM) in the same region as your Translator resource. You'll create containers to store and organize your blob data within your storage account. If the account has a firewall, you must have the [exception for trusted Microsoft services](/azure/storage/common/storage-network-security?tabs=azure-portal#manage-exceptions) checkbox enabled.
+* An [**Azure blob storage account**](https://ms.portal.azure.com/#create/Microsoft.StorageAccount-ARM) in the same region as your Translator resource. You'll create containers to store and organize your blob data within your storage account. If the account has a firewall, you must have the [exception for trusted Azure services](/azure/storage/common/storage-network-security?tabs=azure-portal#manage-exceptions) checkbox enabled.
:::image type="content" source="../media/managed-identities/allow-trusted-services-checkbox-portal-view.png" alt-text="Screenshot: allow trusted services checkbox, portal view":::
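Review bot: The rewritten prerequisite bullet contains the mojibake sequence `ΓÇö` in place of the em dash after `[**Azure account**](https://azure.microsoft.com/free/cognitive-services/)`; the file appears to have been saved in the wrong encoding (the same sequence shows up in the Form Recognizer article later in this digest at the equivalent sentence). Restore the dash or, simpler, keep the previous wording with a period, and check the rest of the file for the same sequence before merging.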
To get started, you'll need:
## Managed Identity assignments
-There are two types of managed identities, **system-assigned** and **user-assigned**. Right now, Document Translation does not support user-assigned managed identities. A system-assigned managed identity is **enabled** directly on a service instance. It is not enabled by default; you must go to your resource and update the identity setting. The system-assigned managed identity is tied to your resource throughout its lifecycle. If you delete your resource, the managed identity will be deleted as well.
+There are two types of managed identity: **system-assigned** and **user-assigned**. Currently, Document Translation is supported by system-assigned managed identity. A system-assigned managed identity is **enabled** directly on a service instance. It is not enabled by default; you must go to your resource and update the identity setting. The system-assigned managed identity is tied to your resource throughout its lifecycle. If you delete your resource, the managed identity will be deleted as well.
In the following steps, we'll enable a system-assigned managed identity and grant your Translator resource limited access to your Azure blob storage account.
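Review bot: The rewrite drops a statement readers need: the old text said "Document Translation does not support user-assigned managed identities", while the new "Document Translation is supported by system-assigned managed identity" only implies it. Keep the exclusion explicit, for example "Currently, Document Translation supports only system-assigned managed identity; user-assigned identities are not supported", so nobody configures a user-assigned identity and then spends time debugging authorization failures.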
In the following steps, we'll enable a system-assigned managed identity and gran
> > If you are unable to assign a role in the Azure portal because the Add > Add role assignment option is disabled or get the permissions error, "you do not have permissions to add role assignment at this scope", check that you are currently signed in as a user with an assigned a role that has Microsoft.Authorization/roleAssignments/write permissions such as [**Owner**](/azure/role-based-access-control/built-in-roles#owner) or[**User Access Administrator**](/azure/role-based-access-control/built-in-roles#user-access-administrator) at the storage scope for the storage resource.
-7. In the **Add role assignment** pop-up window complete the fields as follows and select **Save**:
+7. Next, you're going to assign a **Storage Blob Data Contributor** role to your Translator service resource. In the **Add role assignment** pop-up window, complete the fields as follows and select **Save**:
| Field | Value| ||--|
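Review bot: Step 7 now assigns **Storage Blob Data Contributor** but does not say why write access is needed; the Form Recognizer article later in this digest assigns only **Storage Blob Data Reader** for the analogous step. State the reason (for instance, that the service must write translated output into the target container, if that is the case) so readers whose scenario only needs read access on the source container do not grant more than required. The role table's separator row `||--|` is also not a valid Markdown delimiter row and will break rendering.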
In the following steps, we'll enable a system-assigned managed identity and gran
:::image type="content" source="../media/managed-identities/add-role-assignment-window.png" alt-text="Screenshot: add role assignments page in the Azure portal.":::
-Great! You have completed the steps to enable a service-assigned managed identity. With this identity credential, you can grant specific access rights to a single Azure service.
+1. After you've received the _Added Role assignment_ confirmation message, refresh the page to see the added role assignment.
+
+ :::image type="content" source="../media/managed-identities/add-role-assignment-confirmation.png" alt-text="Screenshot: Added role assignment confirmation pop-up message.":::
+
+1. If you don't see the change right away, wait and try refreshing the page once more. When you assign or remove role assignments, it can take up to 30 minutes for changes to take effect.
+
+ :::image type="content" source="../media/managed-identities/assigned-roles-window.png" alt-text="Screenshot: Azure role assignments window.":::
+
+ Great! You have completed the steps to enable a system-assigned managed identity. With this identity credential, you can grant Translator specific access rights to your storage resource.
## Next steps > [!div class="nextstepaction"]
-> [Managed identities for Azure resources frequently asked questions](/azure/active-directory/managed-identities-azure-resources/managed-identities-faq)
+> [Managed identities for Azure resources: frequently asked questions](/azure/active-directory/managed-identities-azure-resources/managed-identities-faq)
> [!div class="nextstepaction"] >[Use managed identities to acquire an access token](/azure/app-service/overview-managed-identity?tabs=dotnet#obtain-tokens-for-azure-resources)
cognitive-services Cognitive Services Data Loss Prevention https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/cognitive-services-data-loss-prevention.md
You can get your subscription key from the [Azure portal](cognitive-services-api
There are two parts to enable data loss prevention. First the property restrictOutboundNetworkAccess must be set to true. When this is set to true, you also need to provide the list of approved URLs. The list of URLs is added to the allowedFqdnList property. The allowedFqdnList property contains an array of comma-separated URLs.
->[!Note]
->The allowedFqdnList can only contain up to 1000 URLs and supports both IP addresses and wildcard domains, i.e. *.microsoft.com. It can take up to 15 minutes for the updated list to take affect.
+>[!NOTE]
+>
+> * The `allowedFqdnList` property value supports a maximum of 1000 URLs.
+> * The property supports both IP addresses and fully qualified domain names i.e., www.microsoft.com, values.
+> * It can take up to 15 minutes for the updated list to take effect.
# [Azure CLI](#tab/azure-cli)
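Review bot: The new NOTE silently changes what the allowlist accepts: the old note said the list "supports both IP addresses and wildcard domains, i.e. *.microsoft.com", the new one says "IP addresses and fully qualified domain names i.e., www.microsoft.com". If wildcard entries are not accepted (or never were), say so explicitly, since an operator who relied on `*.microsoft.com` would otherwise believe their list covers hosts it does not; if wildcards are accepted, still present the FQDN form as the preferred, narrower entry. The second bullet also ends with a stray ", values." and should read "The property supports both IP addresses and fully qualified domain names (for example, www.microsoft.com)."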
cognitive-services Managed Identity Byos https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/managed-identity-byos.md
+
+ Title: Create and use managed identity with bring-your-own-storage (BYOS)
+
+description: Understand how to create and use managed identity with BYOS accounts
+++++ Last updated : 07/08/2021+++
+# Create and use managed identity for your Form Recognizer resource
+
+> [!IMPORTANT]
+> Azure role-based access control (Azure RBAC) assignment is currently in preview and not recommended for production workloads. Certain features may not be supported or have constrained capabilities. Azure RBAC assignments are used to grant permissions for managed identity.
+
+## What is managed identity?
+
+Azure managed identity is a service principal that creates an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources. You can use a managed identity to grant access to any resource that supports Azure AD authentication. To grant access, assign a role to a managed identity using [Azure role-based access control](/azure/role-based-access-control/overview) (Azure RBAC). There is no added cost to use managed identity in Azure.
+
+Managed identity supports both privately and publicly accessible Azure blob storage accounts. For storage accounts with public access, you can opt to use a shared access signature (SAS) to grant limited access. In this article, you'll learn to enable a system-assigned managed identity for your Form Recognizer instance.
+
+## Private storage account access
+
+ Private Azure storage account access and authentication is supported by [managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/overview). If you have an Azure storage account protected by a Virtual Network (VNet) or firewall or have enabled bring-your-own-storage (BYOS), Form Recognizer cannot directly access your storage account data; however, once a managed identity is enabled, the Form Recognizer service can access your storage account using an assigned managed identity credential.
+
+> [!NOTE]
+>
+> The Analyze [**Receipt**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeReceiptAsync), [**Business Card**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeBusinessCardAsync), [**Invoice**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/5ed8c9843c2794cbb1a96291), [**Identity Document**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/5f74a7738978e467c5fb8707), and [**Custom Form**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm) APIs can extract data from a single document by posting requests as raw binary content. In these scenarios, there is no requirement for a managed identity credential.
+
+## Prerequisites
+
+To get started, you'll need:
+
+* An active [**Azure account**](https://azure.microsoft.com/free/cognitive-services/)ΓÇöif you don't have one, you can [**create a free account**](https://azure.microsoft.com/free/).
+
+* A [**Form Recognizer**](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) or [**Cognitive Services**](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource in the Azure portal. For detailed steps, _see_ [Create a Cognitive Services resource using the Azure portal](/azure/cognitive-services/cognitive-services-apis-create-account?tabs=multiservice%2Cwindows).
+
+* An [**Azure blob storage account**](https://ms.portal.azure.com/#create/Microsoft.StorageAccount-ARM). You will create containers to store and organize your blob data within your storage account. If the account has a firewall, you must have the [exception for trusted Azure services](/azure/storage/common/storage-network-security?tabs=azure-portal#manage-exceptions) checkbox enabled.
+
+ :::image type="content" source="media/managed-identities/allow-trusted-services-checkbox-portal-view.png" alt-text="Screenshot: allow trusted services checkbox, portal view":::
+
+* A brief understanding of [**Azure role-based access control (Azure RBAC)**](/azure/role-based-access-control/role-assignments-portal) using the Azure portal.
+
+## Managed identity assignments
+
+There are two types of managed identity: **system-assigned** and **user-assigned**. Currently, Form Recognizer is supported by system-assigned managed identity. A system-assigned managed identity is **enabled** directly on a service instance. It is not enabled by default; you have to go to your resource and update the identity setting. The system-assigned managed identity is tied to your resource throughout its lifecycle. If you delete your resource, the managed identity will be deleted as well.
+
+In the following steps, we will enable a system-assigned managed identity and grant Form Recognizer limited access to your Azure blob storage account.
+
+## Enable a system-assigned managed identity
+
+>[!IMPORTANT]
+>
+> To enable a system-assigned managed identity, you need **Microsoft.Authorization/roleAssignments/write** permissions, such as [**Owner**](/azure/role-based-access-control/built-in-roles#owner) or [**User Access Administrator**](/azure/role-based-access-control/built-in-roles#user-access-administrator). You can specify a scope at four levels: management group, subscription, resource group, or resource.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with your Azure subscription.
+
+1. Navigate to your **Form Recognizer** resource page in the Azure portal.
+
+1. In the left rail, Select **Identity** from the **Resource Management** list:
+
+ :::image type="content" source="media/managed-identities/resource-management-identity-tab.png" alt-text="Screenshot: resource management identity tab in the Azure portal.":::
+
+1. In the main window, toggle the **System assigned Status** tab to **On**.
+
+1. Under **Permissions** select **Azure role assignments**:
+
+ :::image type="content" source="media/managed-identities/enable-system-assigned-managed-identity-portal.png" alt-text="Screenshot: enable system-assigned managed identity in Azure portal.":::
+
+1. An Azure role assignments page will open. Choose your subscription from the drop-down menu then select **&plus; Add role assignment**.
+
+ :::image type="content" source="media/managed-identities/azure-role-assignments-page-portal.png" alt-text="Screenshot: Azure role assignments page in the Azure portal.":::
+
+ > [!NOTE]
+ >
+ > If you're unable to assign a role in the Azure portal because the Add > Add role assignment option is disabled or you get the permissions error, "you do not have permissions to add role assignment at this scope", check that you're currently signed in as a user with an assigned a role that has Microsoft.Authorization/roleAssignments/write permissions such as Owner or User Access Administrator at the Storage scope for the storage resource.
+
+ 7. Next, you're going to assign a **Storage Blob Data Reader** role to your Form Recognizer service resource. In the **Add role assignment** pop-up window complete the fields as follows and select **Save**:
+
+ | Field | Value|
+ ||--|
+ |**Scope**| ***Storage***|
+ |**Subscription**| ***The subscription associated with your storage resource***.|
+ |**Resource**| ***The name of your storage resource***|
+ |**Role** | ***Storage Blob Data Reader***ΓÇöallows for read access to Azure Storage blob containers and data.|
+
+ :::image type="content" source="media/managed-identities/add-role-assignment-window.png" alt-text="Screenshot: add role assignments page in the Azure portal.":::
+
+1. After you've received the _Added Role assignment_ confirmation message, refresh the page to see the added role assignment.
+
+ :::image type="content" source="media/managed-identities/add-role-assignment-confirmation.png" alt-text="Screenshot: Added role assignment confirmation pop-up message.":::
+
+1. If you don't see the change right away, wait and try refreshing the page once more. When you assign or remove role assignments, it can take up to 30 minutes for changes to take effect.
+
+ :::image type="content" source="media/managed-identities/assigned-roles-window.png" alt-text="Screenshot: Azure role assignments window.":::
+
+ That's it! You have completed the steps to enable a system-assigned managed identity. With this identity credential, you can grant Form Recognizer specific access rights to documents and files stored in your BYOS account.
+
+## Learn more about managed identity
+
+> [!div class="nextstepaction"]
+> [Managed identities for Azure resources: frequently asked questions - Azure AD](/azure/active-directory/managed-identities-azure-resources/managed-identities-faq)
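Review bot: The Form Recognizer prerequisite link points at the Translator create blade (`https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation`), evidently carried over from the Translator article; it should open the Form Recognizer create experience. Also, the IMPORTANT callout under "Enable a system-assigned managed identity" says **Microsoft.Authorization/roleAssignments/write** is needed to enable the identity, while the later NOTE ties that permission to the **Add role assignment** step; align the two so readers do not request a broader permission than the identity toggle itself requires. Minor: the `ΓÇö` mojibake appears in the prerequisites bullet and in the **Role** row of the table, and step 7 is numbered explicitly while the surrounding items use `1.`.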
cognitive-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/whats-new.md
<!-- markdownlint-disable MD036 --> # What's new in Azure Form Recognizer
-Form Recognizer service is updated on an ongoing basis. Bookmark this page to stay up-to-date with release notes, feature enhancements, and documentation updates.
+Form Recognizer service is updated on an ongoing basis. Bookmark this page to stay up-to-date with release notes, feature enhancements, and documentation updates.
+
+## July 2021
+
+### System-assigned managed identity support
+
+ You can now enable a system-assigned managed identity to grant Form Recognizer limited access to private storage accounts including those protected by a Virtual Network (VNet) or firewall or have enabled bring-your-own-storage (BYOS). *See* [Create and use managed identity for your Form Recognizer resource](managed-identity-byos.md) to learn more.
## June 2021
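Review bot: The sentence "private storage accounts including those protected by a Virtual Network (VNet) or firewall or have enabled bring-your-own-storage (BYOS)" does not parse; suggest "private storage accounts, including accounts protected by a virtual network (VNet) or firewall and accounts that use bring-your-own-storage (BYOS)".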
cognitive-services Client Libraries Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/quickstarts/client-libraries-rest-api.md
Previously updated : 07/06/2021 Last updated : 07/08/2021 keywords: text mining, sentiment analysis, text analytics
Use this article to get started with the Text Analytics client library and REST
::: zone pivot="programming-language-csharp" > [!IMPORTANT]
-> * The latest stable version of the Text Analytics API is `3.0`.
+> * The latest stable version of the Text Analytics API is `3.1`.
> * Be sure to only follow the instructions for the version you are using. > * The code in this article uses synchronous methods and un-secured credentials storage for simplicity reasons. For production scenarios, we recommend using the batched asynchronous methods for performance and scalability. See the reference documentation below. > * If you want to use Text Analytics for health or Asynchronous operations, see the examples on Github for [C#](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/textanalytics/Azure.AI.TextAnalytics), [Python](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/textanalytics/azure-ai-textanalytics/) or [Java](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/textanalytics/azure-ai-textanalytics)
confidential-ledger Create Client Certificate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/confidential-ledger/create-client-certificate.md
We recommending using OpenSSL to generate certificates. If you have git installe
You can then generate a certificate by running `openssl` in a Bash or PowerShell terminal window: ```bash
-openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout user_privk.pem -out user_cert.pem -subj=/CN="User Client Certificate"
+openssl ecparam -out "privkey_name.pem" -name "secp384r1" -genkey
+openssl req -new -key "privkey_name.pem" -x509 -nodes -days 365 -out "cert.pem" -"sha384" -subj=/CN="ACL Client Cert"
``` ## Next steps
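Review bot: In the new `openssl req` line the digest option is written as `-"sha384"`; it only works in Bash because quote removal turns it into `-sha384`, and it does not read as a flag, so write `-sha384` plainly (the article says the command runs in Bash or PowerShell, so do not rely on shell quote handling). Moving from `rsa:1024` to a `secp384r1` key signed with SHA-384 is the right direction. Because `-nodes` writes `privkey_name.pem` unencrypted, the text around the command should tell the reader to protect that file (restrictive permissions, never committed to source control), since it is the credential that authenticates the client to the ledger.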
confidential-ledger Quickstart Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/confidential-ledger/quickstart-python.md
Microsoft Azure Confidential Ledger is a new and highly secure service for manag
[!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
-[API reference documentation](/python/api/overview/azure/keyvault-secrets-readme) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/keyvault/azure-keyvault-secrets) | [Package (Python Package Index)](https://pypi.org/project/azure-keyvault-secrets/)
+[API reference documentation](/python/api/overview/azure/keyvault-secrets-readme) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/confidentialledger) | [Package (Python Package Index) Management Library](https://pypi.org/project/azure-mgmt-confidentialledger/)| [Package (Python Package Index) Client Library](https://pypi.org/project/azure-confidentialledger/)
## Prerequisites
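Review bot: The API reference link at the start of the line still points to `/python/api/overview/azure/keyvault-secrets-readme` (the Key Vault Secrets library) while the source and package links in the same line were updated to the confidential ledger packages; update it to the confidential ledger client library reference so the three links agree.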
ledger_name = "<your-unique-ledger-name>"
subscription_id = "<azure-subscription-id>" identity_url = "https://identity.confidential-ledger.core.azure.com"
-ledger_url = "https://" + ledger_name + ".eastus.cloudapp.azure.com"
+ledger_url = "https://" + ledger_name + ".confidential-ledger.azure.com"
``` ### Use the control plane client library
confidential_ledger_mgmt.ledger.begin_create(resource_group, ledger_name, ledger
To verify that your ledger was successfully created, view its details using the `get` function. ```python
-myledger = ledger = confidential_ledger_mgmt.ledger.get(resource_group, ledger_name)
+myledger = confidential_ledger_mgmt.ledger.get(resource_group, ledger_name)
print("Here are the details of your newly created ledger:") print (f"- Name: {myledger.name}")
container-instances Container Instances Region Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-instances/container-instances-region-availability.md
The following regions and maximum resources are available to container groups wi
| South India | 4 | 16 | N/A | N/A | 50 | K80 | | Switzerland North | 4 | 16 | N/A | N/A | 50 | N/A | | UK South | 4 | 16 | 4 | 16 | 50 | N/A |
-| UK West | 4 | 16 | 4 | 16 | 50 | N/A |
+| UK West | 4 | 16 | N/A | N/A | 50 | N/A |
| UAE North | 4 | 16 | N/A | N/A | 50 | N/A | | West Central US| 4 | 16 | 4 | 16 | 50 | N/A | | West Europe | 4 | 16 | 4 | 16 | 50 | K80, P100, V100 |
container-instances Container Instances Virtual Network Concepts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-instances/container-instances-virtual-network-concepts.md
Container groups deployed into an Azure virtual network enable scenarios like:
* You can't enable a [liveness probe](container-instances-liveness-probe.md) or [readiness probe](container-instances-readiness-probe.md) in a container group deployed to a virtual network. * Due to the additional networking resources involved, deployments to a virtual network are typically slower than deploying a standard container instance. * If you are connecting your container group to an Azure Storage Account, you must add a [service endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) to that resource.
+* [IPv6 addresses](../virtual-network/ipv6-overview.md) are not supported at this time.
[!INCLUDE [container-instances-restart-ip](../../includes/container-instances-restart-ip.md)]
cosmos-db Cassandra Import Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/cassandra-import-data.md
Use the following steps to migrate data to the Cassandra API account with Spark:
1. Provision an [Azure Databricks cluster](cassandra-spark-databricks.md) or an [Azure HDInsight cluster](cassandra-spark-hdinsight.md).
-1. Move data to the destination Cassandra API endpoint by using the [table copy operation](cassandra-spark-table-copy-ops.md).
+1. Move data to the destination Cassandra API endpoint. Refer to this [how-to guide](cassandra-migrate-cosmos-db-databricks.md) for migration with Azure Databricks.
Migrating data by using Spark jobs is a recommended option if you have data residing in an existing cluster in Azure virtual machines or any other cloud. To do this, you must set up Spark as an intermediary for one-time or regular ingestion. You can accelerate this migration by using Azure ExpressRoute connectivity between your on-premises environment and Azure.
cosmos-db How To Setup Cmk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/how-to-setup-cmk.md
Rotating the customer-managed key used by your Azure Cosmos account can be done
$account | Set-AzResource -Force ```
-The previous key or key version can be disabled after 24 hours, or after the [Azure Key Vault audit logs](../key-vault/general/logging.md) don't show activity from Azure Cosmos DB on that key or key version anymore.
+The previous key or key version can be disabled after the [Azure Key Vault audit logs](../key-vault/general/logging.md) don't show activity from Azure Cosmos DB on that key or key version anymore. No more activity should take place on the previous key or key version after 24 hours of key rotation.
## Error handling
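Review bot: the rewritten `+` line makes audit-log silence the only gate for disabling the old key, and then states the 24-hour expectation as a separate sentence, so the two read as independent rules. State them as one condition: keep the previous key or key version enabled for at least 24 hours after rotation and disable it only once the Key Vault audit logs show no further Azure Cosmos DB activity on it, since the waiting period exists precisely because the account may still be using it.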
data-factory Data Flow Expression Functions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-expression-functions.md
Previously updated : 05/10/2021 Last updated : 07/04/2021 # Data transformation expressions in mapping data flow
___
<code><b>divide(<i>&lt;value1&gt;</i> : any, <i>&lt;value2&gt;</i> : any) => any</b></code><br/><br/> Divides pair of numbers. Same as the `/` operator. * ``divide(20, 10) -> 2``
-* ``20 / 10 -> 2``
+* ``20 / 10 -> 2``
+___
+### <code>dropLeft</code>
+<code><b>dropLeft(<i>&lt;value1&gt;</i> : string, <i>&lt;value2&gt;</i> : integer) => string</b></code><br/><br/>
+Removes as many characters from the left of the string. If the drop requested exceeds the length of the string, an empty string is returned.
+* dropLeft('bojjus', 2) => 'jjus'
+* dropLeft('cake', 10) => ''
+___
+### <code>dropRight</code>
+<code><b>dropRight(<i>&lt;value1&gt;</i> : string, <i>&lt;value2&gt;</i> : integer) => string</b></code><br/><br/>
+Removes as many characters from the right of the string. If the drop requested exceeds the length of the string, an empty string is returned.
+* dropRight('bojjus', 2) => 'bojj'
+* dropRight('cake', 10) => ''
___ ### <code>endsWith</code> <code><b>endsWith(<i>&lt;string&gt;</i> : string, <i>&lt;substring to check&gt;</i> : string) => boolean</b></code><br/><br/>
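Review bot: the `dropLeft`/`dropRight` examples use `=>` without the double-backtick code formatting the existing entries use (compare `* ``divide(20, 10) -> 2``` and `* ``20 / 10 -> 2``` just above), so they will render as plain text with bare quotes; format them like the neighbouring examples. "Removes as many characters from the left of the string" also leaves out what "as many" refers to; "Removes the specified number of characters from the left of the string" is clearer.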
Checks if the row is marked for insert. For transformations taking more than one
* ``isUpsert()`` * ``isUpsert(1)`` ___
+### <code>jaroWinkler</code>
+<code><b>jaroWinkler(<i>&lt;value1&gt;</i> : string, <i>&lt;value2&gt;</i> : string) => double</b></code><br/><br/>
+Gets the JaroWinkler distance between two strings.
+* ``jaroWinkler('frog', 'frog') => 1.0``
+___
### <code>lastDayOfMonth</code> <code><b>lastDayOfMonth(<i>&lt;value1&gt;</i> : datetime) => date</b></code><br/><br/> Gets the last date of the month given a date.
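Review bot: the description says the function "Gets the JaroWinkler distance", but the example returns `1.0` for two identical strings, which is the Jaro-Winkler similarity score (a distance would be 0 for identical inputs). Say which one is returned and its range, for example "Gets the Jaro-Winkler similarity between two strings, a double between 0.0 (no similarity) and 1.0 (identical)", and add a second example with differing strings so readers can calibrate the value.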
Positive Modulus of pair of numbers.
___ ### <code>partitionId</code> <code><b>partitionId() => integer</b></code><br/><br/>
-Returns the current partition id the input row is in.
+Returns the current partition ID the input row is in.
* ``partitionId()`` ___ ### <code>power</code>
___
Raises one number to the power of another. * ``power(10, 2) -> 100`` ___
+### <code>radians</code>
+<code><b>radians(<i>&lt;value1&gt;</i> : number) => double</b></code><br/><br/>
+Converts degrees to radians
+* ``radians(180) => 3.141592653589793``
+___
### <code>random</code> <code><b>random(<i>&lt;value1&gt;</i> : integral) => long</b></code><br/><br/> Returns a random number given an optional seed within a partition. The seed should be a fixed value and is used in conjunction with the partitionId to produce random values
Gets the year value of a date.
## Aggregate functions The following functions are only available in aggregate, pivot, unpivot, and window transformations.+
+___
+### <code>approxDistinctCount</code>
+<code><b>approxDistinctCount(<i>&lt;value1&gt;</i> : any, [ <i>&lt;value2&gt;</i> : double ]) => long</b></code><br/><br/>
+Gets the approximate aggregate count of distinct values for a column. The optional second parameter is to control the estimation error.
+* ``approxDistinctCount(ProductID, .05) => long``
___ ### <code>avg</code> <code><b>avg(<i>&lt;value1&gt;</i> : number) => number</b></code><br/><br/>
Creates an array of items. All items should be of the same type. If no items are
* ``['Seattle', 'Washington'][1]`` * ``'Washington'`` ___
+### <code>at</code>
+<code><b>at(<i>&lt;value1&gt;</i> : array/map, <i>&lt;value2&gt;</i> : integer/key type) => array</b></code><br/><br/>
+Finds the element at an array index. The index is 1-based. Out of bounds index results in a null value. Finds a value in a map given a key. If the key is not found it returns null.
+* ``at(['apples', 'pears'], 1) => 'apples'``
+* ``at(['fruit' -> 'apples', 'vegetable' -> 'carrot'], 'fruit') => 'apples'``
+___
### <code>contains</code> <code><b>contains(<i>&lt;value1&gt;</i> : array, <i>&lt;value2&gt;</i> : unaryfunction) => boolean</b></code><br/><br/> Returns true if any element in the provided array evaluates as true in the provided predicate. Contains expects a reference to one element in the predicate function as #item. * ``contains([1, 2, 3, 4], #item == 3) -> true`` * ``contains([1, 2, 3, 4], #item > 5) -> false`` ___
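Review bot: the signature `at(...) => array` on the second `+` line contradicts the description and both examples, which return a single element (`'apples'`); change the return type to `any`. The description also runs the array and map behaviours together in one paragraph; splitting it into "For an array, returns the element at the 1-based index; an out-of-bounds index returns null" and "For a map, returns the value for the key; a missing key returns null" reads better.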
+### <code>distinct</code>
+<code><b>distinct(<i>&lt;value1&gt;</i> : array) => array</b></code><br/><br/>
+Returns a distinct set of items from an array.
+* ``distinct([10, 20, 30, 10]) => [10, 20, 30]``
+___
+### <code>except</code>
+<code><b>except(<i>&lt;value1&gt;</i> : array, <i>&lt;value2&gt;</i> : array) => array</b></code><br/><br/>
+Returns a difference set of one array from another dropping duplicates.
+* ``except([10, 20, 30], [20, 40]) => [10, 30]``
+___
### <code>filter</code> <code><b>filter(<i>&lt;value1&gt;</i> : array, <i>&lt;value2&gt;</i> : unaryfunction) => array</b></code><br/><br/> Filters elements out of the array that do not meet the provided predicate. Filter expects a reference to one element in the predicate function as #item.
Find the first item from an array that match the condition. It takes a filter fu
) `` ___
+### <code>flatten</code>
+<code><b>flatten(<i>&lt;array&gt;</i> : array, <i>&lt;value2&gt;</i> : array ..., <i>&lt;value2&gt;</i> : boolean) => array</b></code><br/><br/>
+Flattens array or arrays into a single array. Arrays of atomic items are returned unaltered. The last argument is optional and is defaulted to false to flatten recursively more than one level deep.
+* ``flatten([['bojjus', 'girl'], ['gunchus', 'boy']]) => ['bojjus', 'girl', 'gunchus', 'boy']``
+* ``flatten([[['bojjus', 'gunchus']]] , true) => ['bojjus', 'gunchus']``
+___
### <code>in</code> <code><b>in(<i>&lt;array of items&gt;</i> : array, <i>&lt;item to find&gt;</i> : any) => boolean</b></code><br/><br/> Checks if an item is in the array. * ``in([10, 20, 30], 10) -> true`` * ``in(['good', 'kid'], 'bad') -> false`` ___
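Review bot: the `flatten` signature names two parameters `<value2>`, and "The last argument is optional and is defaulted to false to flatten recursively more than one level deep" reads as if `false` enables recursion, which contradicts the second example that passes `true` for the triple-nested input. Rename the last parameter (for example `<recursive> : boolean`) and say: "The optional last argument (default `false`) controls whether nested arrays are flattened recursively; pass `true` to flatten more than one level deep."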
+### <code>intersect</code>
+<code><b>intersect(<i>&lt;value1&gt;</i> : array, <i>&lt;value2&gt;</i> : array) => array</b></code><br/><br/>
+Returns an intersection set of distinct items from 2 arrays.
+* ``intersect([10, 20, 30], [20, 40]) => [20]``
+___
### <code>map</code> <code><b>map(<i>&lt;value1&gt;</i> : array, <i>&lt;value2&gt;</i> : unaryfunction) => any</b></code><br/><br/> Maps each element of the array to a new element using the provided expression. Map expects a reference to one element in the expression function as #item.
___
Sorts the array using the provided predicate function. Sort expects a reference to two consecutive elements in the expression function as #item1 and #item2. * ``sort([4, 8, 2, 3], compare(#item1, #item2)) -> [2, 3, 4, 8]`` * ``sort(['a3', 'b2', 'c1'], iif(right(#item1, 1) >= right(#item2, 1), 1, -1)) -> ['c1', 'b2', 'a3']`` -
+___
+### <code>unfold</code>
+<code><b>unfold (<i>&lt;value1&gt;</i>: array) => any</b></code><br/><br/>
+Unfolds an array into a set of rows and repeats the values for the remaining columns in every row.
+* ``unfold(addresses) => any``
+* ``unfold( @(name = salesPerson, sales = salesAmount) ) => any``
+___
+### <code>union</code>
+<code><b>union(<i>&lt;value1&gt;</i>: array, <i>&lt;value2&gt;</i> : array) => array</b></code><br/><br/>
+Returns a union set of distinct items from 2 arrays.
+* ``union([10, 20, 30], [20, 40]) => [10, 20, 30, 40]``
+___
+
## Cached lookup functions The following functions are only available when using a cached lookup when you've included a cached sink. ___
Returns the entire output row set of the results of the cache sink
* ``cacheSink#outputs()`` ___ - ## Conversion functions Conversion functions are used to convert data and test for data types
Checks of the string value is a long value given an optional format according to
* ``isLong('$123' -> '$###') -> true`` * ``isLong('gunchus') -> false`` ___
+### <code>isNan</code>
+<code><b>isNan (<i>\<value1\></i> : integral) => boolean</b></code><br/><br/>
+Check if this is not a number.
+* ``isNan(10.2) => false``
+___
### <code>isFloat</code> <code><b>isFloat (<i>\<value1\></i> : string, [<format>: string]) => boolean</b></code><br/><br/> Checks of the string value is a float value given an optional format according to the rules of ``toFloat()``
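Review bot: the `isNan` signature declares `<value1> : integral`, but the example passes `10.2` and NaN is a floating-point notion, so the parameter type should be `number` (or `double`). "Check if this is not a number" would also be clearer as "Checks whether the value is NaN (not a number)", and an example that returns `true` would show the positive case.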
Converts the timestamp to UTC. You can pass an optional timezone in the form of
* ``toUTC(currentTimestamp()) == toTimestamp('2050-12-12 19:18:12') -> false`` * ``toUTC(currentTimestamp(), 'Asia/Seoul') != toTimestamp('2050-12-12 19:18:12') -> true``
+## Map functions
+
+Map functions perform operations on map data types
+
+### <code>associate</code>
+<code><b>reassociate(<i>&lt;value1&gt;</i> : map, <i>&lt;value2&gt;</i> : binaryFunction) => map</b></code><br/><br/>
+Creates a map of key/values. All the keys & values should be of the same type. If no items are specified, it is defaulted to a map of string to string type.Same as a ```[ -> ]``` creation operator. Keys and values should alternate with each other.
+* ``associate('fruit', 'apple', 'vegetable', 'carrot' )=> ['fruit' -> 'apple', 'vegetable' -> 'carrot']``
+___
+### <code>keyValues</code>
+<code><b>keyValues(<i>&lt;value1&gt;</i> : array, <i>&lt;value2&gt;</i> : array) => map</b></code><br/><br/>
+Creates a map of key/values. The first parameter is an array of keys and second is the array of values. Both arrays should have equal length.
+* ``keyValues(['bojjus', 'appa'], ['gunchus', 'ammi']) => ['bojjus' -> 'gunchus', 'appa' -> 'ammi']``
+___
+### <code>mapAssociation</code>
+<code><b>mapAssociation(<i>&lt;value1&gt;</i> : map, <i>&lt;value2&gt;</i> : binaryFunction) => array</b></code><br/><br/>
+Transforms a map by associating the keys to new values. Returns an array. It takes a mapping function where you can address the item as #key and current value as #value.
+* ``mapAssociation(['bojjus' -> 'gunchus', 'appa' -> 'ammi'], @(key = #key, value = #value)) => [@(key = 'bojjus', value = 'gunchus'), @(key = 'appa', value = 'ammi')]``
+___
+### <code>reassociate</code>
+<code><b>reassociate(<i>&lt;value1&gt;</i> : map, <i>&lt;value2&gt;</i> : binaryFunction) => map</b></code><br/><br/>
+Transforms a map by associating the keys to new values. It takes a mapping function where you can address the item as #key and current value as #value.
+* ``reassociate(['fruit' -> 'apple', 'vegetable' -> 'tomato'], substring(#key, 1, 1) + substring(#value, 1, 1)) => ['fruit' -> 'fa', 'vegetable' -> 'vt']``
+___
+
## Metafunctions Metafunctions primarily function on metadata in your data flow
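Review bot: under the `### <code>associate</code>` heading the signature line reads `reassociate(<value1> : map, <value2> : binaryFunction) => map`, which is the signature of `reassociate` further down and does not match the `associate('fruit', 'apple', 'vegetable', 'carrot')` example; it should declare an alternating list of keys and values, for example `associate(<value1> : any, <value2> : any, ...) => map`. In the same hunk, "a map of string to string type.Same as" needs a space after the period, and `mapAssociation` and `reassociate` open with the identical sentence "Transforms a map by associating the keys to new values" although one returns an array and the other a map; state that difference in the first sentence of each.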
___
<code><b>hasPath(<i>&lt;value1&gt;</i> : string, [<i>&lt;streamName&gt;</i> : string]) => boolean</b></code><br/><br/> Checks if a certain hierarchical path exists by name in the stream. You can pass an optional stream name as the second argument. Column names/paths known at design time should be addressed just by their name or dot notation path. Computed inputs are not supported but you can use parameter substitutions. * ``hasPath('grandpa.parent.child') => boolean``
-___
+___
+### <code>originColumns</code>
+<code><b>originColumns(<i>&lt;streamName&gt;</i> : string) => any</b></code><br/><br/>
+Gets all output columns for a origin stream where columns were created. Must be enclosed in another function.
+* ``array(toString(originColumns('source1')))``
+___
### <code>hex</code> <code><b>hex(<i>\<value1\></i>: binary) => string</b></code><br/><br/> Returns a hex string representation of a binary value
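Review bot: `originColumns` is inserted between `hasPath` and `hex`, breaking the alphabetical order the section otherwise follows; move it to its alphabetical position after the entries preceding "o". Also "for a origin stream" should be "for an origin stream", and "Must be enclosed in another function" would benefit from one sentence on why, given that the only example wraps it in `toString()` and `array()`.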
data-factory Data Flow Flatten https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-flatten.md
Similar to the select transformation, choose the projection of the new structure
Refer to the inspect tab and data preview to verify your mapping output.
+## Rule-based mapping
+
+The flatten transformation supports rule-based mapping allowing you to create dynamic and flexible transformations that will flatten arrays based on rules and flatten structures based on hierarchy levels.
+
+![Flatten pattern](media/data-flow/flatten-pattern.png "Flatten patterns")
+
+### Matching condition
+
+Enter a pattern matching condition for the column or columns that you wish to flatten using either exact matching or patterns. Example: ```like(name,'cust%')```
+
+### Deep column traversal
+
+Optional setting that tells ADF to handle all subcolumns of a complex object individually instead of handling the complex object as a whole column.
+
+### Hierarchy level
+
+Choose the level of the hierarchy that you would like expand.
+
+### Name matches (regex)
+
+Optionally choose to express your name matching as a regular expression in this box, instead of using the matching condition above.
+ ## Examples Refer to the following JSON object for the below examples of the flatten transformation
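Review bot: "Choose the level of the hierarchy that you would like expand." is missing "to" ("would like to expand"). The "Matching condition" paragraph shows `like(name,'cust%')` without saying what `name` refers to (the column name, as the "Name matches (regex)" heading implies), so "a matching condition on the column name" would remove the ambiguity. The final `+` line appears to have merged a blank line with the existing `## Examples` heading; check that the heading still starts on its own line.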
data-factory Pipeline Trigger Troubleshoot Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/pipeline-trigger-troubleshoot-guide.md
Title: Troubleshoot pipeline orchestration and triggers in Azure Data Factory
description: Use different methods to troubleshoot pipeline trigger issues in Azure Data Factory. Previously updated : 04/01/2021 Last updated : 07/09/2021
Operation on target Cancel failed: {ΓÇ£errorΓÇ¥:{ΓÇ£codeΓÇ¥:ΓÇ¥AuthorizationFail
**Cause**
-Pipelines may use the Web activity to call ADF REST API methods if and only if the Azure Data Factory member is assigned the Contributor role. You must first configure add the Azure Data Factory managed identity to the Contributor security role.
+Pipelines may use the Web activity to call ADF REST API methods if and only if the Azure Data Factory member is assigned the Contributor role. You must first configure and add the Azure Data Factory managed identity to the Contributor security role.
**Resolution**
Known Facts about *ForEach*
**Resolution**
-* Concurrency Limit: If your pipeline has a concurrency policy, verify that there are no old pipeline runs in progress. The maximum pipeline concurrency allowed in Azure Data Factory is 10 pipelines .
-* Monitoring limits: Go to the ADF authoring canvas, select your pipeline, and determine if it has a concurrency property assigned to it. If it does, go to the Monitoring view, and make sure there's nothing in the past 45 days that's in progress. If there is something in progress, you can cancel it and the new pipeline run should start.
-* Transient Issues: It is possible that your run was impacted by a transient network issue, credential failures, services outages etc. If this happens, Azure Data Factory has an internal recovery process that monitors all the runs and starts them when it notices something went wrong. This process happens every one hour, so if your run is stuck for more than an hour, create a support case.
+* **Concurrency Limit:** If your pipeline has a concurrency policy, verify that there are no old pipeline runs in progress. The maximum pipeline concurrency allowed in Azure Data Factory is 10 pipelines .
+* **Monitoring limits**: Go to the ADF authoring canvas, select your pipeline, and determine if it has a concurrency property assigned to it. If it does, go to the Monitoring view, and make sure there's nothing in the past 45 days that's in progress. If there is something in progress, you can cancel it and the new pipeline run should start.
+* **Transient Issues:** It is possible that your run was impacted by a transient network issue, credential failures, services outages etc. If this happens, Azure Data Factory has an internal recovery process that monitors all the runs and starts them when it notices something went wrong. This process happens every one hour, so if your run is stuck for more than an hour, create a support case.
### Longer start up times for activities in ADF Copy and Data Flow
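Review bot: the Concurrency Limit bullet keeps the stray space in "10 pipelines ." from the removed line, and "services outages" should be "service outages". The bold labels are also inconsistent (`**Concurrency Limit:**` puts the colon inside the bold, `**Monitoring limits**:` outside), so pick one form for all three bullets.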
This can happen if you have not implemented time to live feature for Data Flow o
**Resolution** * If each copy activity is taking up to 2 minutes to start, and the problem occurs primarily on a VNet join (vs. Azure IR), this can be a copy performance issue. To review troubleshooting steps, go to [Copy Performance Improvement.](./copy-activity-performance-troubleshooting.md)
-* You can use time to live feature to decrease cluster start up time for data flow activities. Please review [Data Flow Integration Runtime.](./control-flow-execute-data-flow-activity.md#data-flow-integration-runtime)
+* You can use time to live feature to decrease cluster start-up time for data flow activities. Please review [Data Flow Integration Runtime.](./control-flow-execute-data-flow-activity.md#data-flow-integration-runtime)
- ### Hitting capacity issues in SHIR(Self Hosted Integration Runtime)
+ ### Hitting capacity issues in SHIR(Self-Hosted Integration Runtime)
**Cause**
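Review bot: the heading on the second `+` line still lacks a space before the parenthesis; "SHIR(Self-Hosted Integration Runtime)" should be "SHIR (Self-Hosted Integration Runtime)", and the leading space before `###` should be dropped so the heading is not indented. In the first `+` line, "time to live feature" reads better hyphenated as "time-to-live feature".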
This can happen if you have not scaled up SHIR as per your workload.
**Cause**
-Long queue related error messages can appear for various reasons.
+Long queue-related error messages can appear for various reasons.
**Resolution** * If you receive an error message from any source or destination via connectors, which can generate a long queue, go to [Connector Troubleshooting Guide.](./connector-troubleshoot-guide.md)
Long queue related error messages can appear for various reasons.
**Cause**
-It is an user error because JSON payload that hits management.azure.com is corrupt. No logs will be stored because user call did not reach ADF service layer.
+It is a user error because JSON payload that hits management.azure.com is corrupt. No logs will be stored because user call did not reach ADF service layer.
**Resolution**
-Perform network tracing of your API call from ADF portal using Edge/Chrome browser **Developer tools**. You will see offending JSON payload, which could be due to a special characters(for example $), spaces and other types of user input. Once you fix the string expression, you will proceed with rest of ADF usage calls in the browser.
+Perform network tracing of your API call from ADF portal using Edge/Chrome browser **Developer tools**. You will see offending JSON payload, which could be due to a special character(for example $), spaces and other types of user input. Once you fix the string expression, you will proceed with rest of ADF usage calls in the browser.
+
+### ForEach activities do not run in parallel mode
+
+**Cause**
+
+You are running ADF in debug mode.
+
+**Resolution**
+
+Please run pipeline in trigger mode.
+
+### Cannot publish because account is locked
+
+**Cause**
+
+You made changes in collaboration branch to remove storage event trigger. You are trying to publish and encounter "Trigger deactivation error" message. This is due to the storage account, used for the event trigger, is being locked.
### Expression builder fails to load
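Review bot: the new "Cannot publish because account is locked" entry ends after its **Cause** with no **Resolution**, unlike every other entry in this guide; add one (at minimum, which lock on the storage account has to be removed before the trigger can be deactivated). In the same hunk, "This is due to the storage account, used for the event trigger, is being locked." should read "This happens because the storage account used for the event trigger is locked.", and "a special character(for example $)" needs a space and a code span: "a special character (for example, `$`)". "It is a user error because JSON payload that hits management.azure.com is corrupt" also needs its articles: "because the JSON payload ... is corrupt".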
Perform network tracing of your API call from ADF portal using Edge/Chrome brows
The expression builder can fail to load due to network or cache problems with the web browser. + **Resolution** Upgrade the web browser to the latest version of a supported browser, clear cookies for the site, and refresh the page.
+### "Code":"BadRequest","message":"ErrorCode=FlowRunSizeLimitExceeded
+
+**Cause**
+
+You have chained many activities.
+
+**Resolution**
+
+You can split your pipelines into sub pipelines, and stich them together with **ExecutePipeline** activity.
+++ ## Next steps For more troubleshooting help, try these resources:
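Review bot: "stich them together" should be "stitch them together" and "sub pipelines" should be "sub-pipelines". The heading is a raw fragment of the error string with an unbalanced quote (`### "Code":"BadRequest","message":"ErrorCode=FlowRunSizeLimitExceeded`); a descriptive heading such as `### Error FlowRunSizeLimitExceeded`, with the full message quoted in the body, would be easier to scan and to link to. The cause "You have chained many activities" would be more useful if it stated the actual limit, where that is documented.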
databox-online Azure Stack Edge Gpu Create Virtual Machine Image https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-create-virtual-machine-image.md
Previously updated : 06/14/2021 Last updated : 07/08/2021 #Customer intent: As an IT admin, I need to understand how to create Azure VM images that I can use to deploy virtual machines on my Azure Stack Edge Pro GPU device.
devtest-labs Create Environment Service Fabric Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/devtest-labs/create-environment-service-fabric-cluster.md
This article provides information on how to create an environment with a self-contained Service Fabric cluster in Azure DevTest Labs. ## Overview
-DevTest Labs can create self-contained test environments as defined by Azure Resource Management templates. These environments contain both IaaS resources, like virtual machines, and PaaS resources, like Service Fabric. DevTest Labs allows you to manage virtual machines in an environment by providing commands to control the virtual machines. These commands give you the ability to start or stop a virtual machine on a schedule. Similarly, DevTest Labs can also help you manage Service Fabric clusters in an environment. You can start or stop a Service Fabric cluster in an environment either manually or via a schedule.
+DevTest Labs can create self-contained test environments as defined by Azure Resource Manager templates. These environments contain both IaaS resources, like virtual machines, and PaaS resources, like Service Fabric. DevTest Labs allows you to manage virtual machines in an environment by providing commands to control the virtual machines. These commands give you the ability to start or stop a virtual machine on a schedule. Similarly, DevTest Labs can also help you manage Service Fabric clusters in an environment. You can start or stop a Service Fabric cluster in an environment either manually or via a schedule.
## Create a Service Fabric cluster Service Fabric clusters are created using environments in DevTest Labs. Each environment is defined by an Azure Resource Manager template in a Git repository. The [public Git repository](https://github.com/Azure/azure-devtestlab/tree/master/Environments/) for DevTest Labs contains the Resource Manager template to create a Service Fabric cluster in the [ServiceFabric-Cluster](https://github.com/Azure/azure-devtestlab/tree/master/Environments/ServiceFabric-LabCluster) folder.
digital-twins Concepts Data Explorer Plugin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/concepts-data-explorer-plugin.md
You can invoke the plugin in a Kusto query with the following command. There are
evaluate azure_digital_twins_query_request(<Azure-Digital-Twins-endpoint>, <Azure-Digital-Twins-query>) ```
-The plugin works by calling the [Azure Digital Twins query API](/rest/api/digital-twins/dataplane/query), and the [query language structure](concepts-query-language.md) is the same as when using the API, with one exception: use of the `*` wildcard in the `SELECT` clause is not supported. Instead, Azure Digital Twin queries that are executed using the plugin should use aliases in the `SELECT` clause.
+The plugin works by calling the [Azure Digital Twins query API](/rest/api/digital-twins/dataplane/query), and the [query language structure](concepts-query-language.md) is the same as when using the API, with two exceptions:
+* The `*` wildcard in the `SELECT` clause is not supported. Instead, Azure Digital Twin queries that are executed using the plugin should use aliases in the `SELECT` clause.
+
+ For example, consider the below Azure Digital Twins query that is executed using the API:
+
+ ```SQL
+ SELECT * FROM DIGITALTWINS
+ ```
+
+ To execute that query when using the plugin, it should be rewritten like this:
+
+ ```SQL
+ SELECT T FROM DIGITALTWINS T
+ ```
+* Column names returned by the plugin may not start with a `$`. Using aliases in the `SELECT` clause will also help to avoid this scenario.
+
+ For example, consider the below Azure Digital Twins query that is executed using the API:
+
+ ```SQL
+ SELECT T.$dtId, T.Temperature FROM DIGITALTWINS T
+ ```
+
+ To execute that query when using the plugin, it should be rewritten like this:
+
+ ```SQL
+ SELECT T.$dtId as tid, T.Temperature FROM DIGITALTWINS T
+ ```
-For example, consider the below Azure Digital Twins query that is executed using the API:
-
-```SQL
-SELECT * FROM DIGITAL TWINS
-```
-
-To execute that query when using the plugin, it should be rewritten like this:
-
-```SQL
-SELECT T FROM DIGITALTWINS T
-```
>[!IMPORTANT] >The user of the plugin must be granted the **Azure Digital Twins Data Reader** role or the **Azure Digital Twins Data Owner** role, as the user's Azure AD token is used to authenticate. Information on how to assign this role can be found in [Concepts: Security for Azure Digital Twins solutions](concepts-security.md#authorization-azure-roles-for-azure-digital-twins).
digital-twins Tutorial End To End https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/tutorial-end-to-end.md
This will open the NuGet Package Manager. Select the *Updates* tab and if there
### Publish the app
-Back in your Visual Studio window where the _**AdtE2ESample**_ project is open, locate the _**SampleFunctionsApp**_ project in the *Solution Explorer* pane.
+To publish the function app to Azure, you'll first need to create a storage account, then create the function app in Azure, and finally publish the functions to the Azure function app. This section completes these actions using the Azure CLI.
+1. Create an **Azure storage account** by running the following command:
-For your function app to be able to access Azure Digital Twins, it will need to have permissions to access your Azure Digital Twins instance and the instance's host name. You'll configure these next.
+ ```azurecli-interactive
+ az storage account create --name <name-for-new-storage-account> --location <location> --resource-group <resource-group> --sku Standard_LRS
+ ```
+
+1. Create an **Azure function app** by running the following command:
+
+ ```azurecli-interactive
+ az functionapp create --name <name-for-new-function-app> --storage-account <name-of-storage-account-from-previous-step> --consumption-plan-location <location> --runtime dotnet --resource-group <resource-group>
+ ```
+
+1. Next, you'll **zip** up the functions and **publish** them to your new Azure function app.
+
+ 1. Open a terminal like PowerShell on your local machine, and navigate to the [Digital Twins samples repo](https://github.com/azure-samples/digital-twins-samples/tree/master/) you downloaded earlier in the tutorial. Inside the downloaded repo folder, navigate to *digital-twins-samples-master\AdtSampleApp\SampleFunctionsApp*.
+
+ 1. In your terminal, run the following command to publish the project:
+
+ ```powershell
+ dotnet publish -c Release
+ ```
+
+ This command publishes the project to the *digital-twins-samples-master\AdtSampleApp\SampleFunctionsApp\bin\Release\netcoreapp3.1\publish* directory.
+
+ 1. Create a zip of the published files that are located in the *digital-twins-samples-master\AdtSampleApp\SampleFunctionsApp\bin\Release\netcoreapp3.1\publish* directory.
+
+ If you're using PowerShell, you can do this by copying the full path to that *\publish* directory and pasting it into the following command:
+
+ ```powershell
+ Compress-Archive -Path <full-path-to-publish-directory>\* -DestinationPath .\publish.zip
+ ```
+
+ The cmdlet will create a **publish.zip** file in the directory location of your terminal that includes a *host.json* file, as well as *bin*, *ProcessDTRoutedData*, and *ProcessHubToDTEvents* directories.
+
+ If you're not using PowerShell and don't have access to the `Compress-Archive` cmdlet, you'll need to zip up the files using the File Explorer or another method.
+
+1. In the Azure CLI, run the following command to deploy the published and zipped functions to your Azure function app:
+
+ ```azurecli-interactive
+ az functionapp deployment source config-zip --resource-group <resource-group> --name <name-of-your-function-app> --src "<full-path-to-publish.zip>"
+ ```
+
+ > [!NOTE]
+ > If you're using the Azure CLI locally, you can access the ZIP file on your computer directly using its path on your machine.
+ >
+ >If you're using the Azure Cloud Shell, upload the ZIP file to Cloud Shell with this button before running the command:
+ >
+ > :::image type="content" source="media/tutorial-end-to-end/azure-cloud-shell-upload.png" alt-text="Screenshot of the Azure Cloud Shell highlighting how to upload files.":::
+ >
+ > In this case, the file will be uploaded to the root directory of your Cloud Shell storage, so you can refer to the file directly by its name for the `--src` parameter of the command (as in, `--src publish.zip`).
+
+ A successful deployment will respond with status code 202 and output a JSON object containing details of your new function. You can confirm the deployment succeeded by looking for this field in the result:
+
+ ```json
+ {
+ ...
+ "provisioningState": "Succeeded",
+ ...
+ }
+ ```
+
+You've now published the functions to a function app in Azure.
+
+Next, for your function app to be able to access Azure Digital Twins, it will need to have permission to access your Azure Digital Twins instance. You'll configure this access in the next section.
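Review bot: the numbered steps mix indented and unindented list markers (`+ 1.` on the first three steps, `+1.` on the Azure CLI step and on the closing sentence), which Markdown may render as two separate lists and restart the numbering at the `az functionapp deployment source config-zip` step; align the indentation of every `1.` item and of the fenced blocks nested under them. Also, "looking for this field in the result" could name the key directly, `"provisioningState": "Succeeded"`, since the JSON fragment with `...` is illustrative rather than something readers can copy.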
### Configure permissions for the function app
-There are two settings that need to be set for the function app to access your Azure Digital Twins instance. These can both be done via commands in the [Azure Cloud Shell](https://shell.azure.com).
+There are two settings that need to be set for the function app to access your Azure Digital Twins instance. These can both be done using the Azure CLI.
#### Assign access role
The first setting gives the function app the **Azure Digital Twins Data Owner**
1. Use the following command to see the details of the system-managed identity for the function. Take note of the **principalId** field in the output. ```azurecli-interactive
- az functionapp identity show -g <your-resource-group> -n <your-App-Service-function-app-name>
+ az functionapp identity show --resource-group <your-resource-group> --name <your-App-Service-function-app-name>
``` >[!NOTE]
expressroute Expressroute Locations Providers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/expressroute/expressroute-locations-providers.md
The following table shows connectivity locations and the service providers for e
| **Las Vegas** | [Switch LV](https://www.switch.com/las-vegas) | 1 | n/a | 10G, 100G | CenturyLink Cloud Connect, Megaport, PacketFabric | | **London** | [Equinix LD5](https://www.equinix.com/locations/europe-colocation/united-kingdom-colocation/london-data-centers/ld5/) | 1 | UK South | 10G, 100G | AT&T NetBond, British Telecom, CenturyLink, Colt, Equinix, euNetworks, InterCloud, Internet Solutions - Cloud Connect, Interxion, Jisc, Level 3 Communications, Megaport, MTN, NTT Communications, Orange, PCCW Global Limited, Tata Communications, Telehouse - KDDI, Telenor, Telia Carrier, Verizon, Vodafone, Zayo | | **London2** | [Telehouse North Two](https://www.telehouse.net/data-centres/emea/uk-data-centres/london-data-centres/north-two) | 1 | UK South | 10G, 100G | BICS, British Telecom, CenturyLink Cloud Connect, Colt, GTT, IX Reach, Equinix, JISC, Megaport, SES, Sohonet, Telehouse - KDDI |
-| **Los Angeles** | [CoreSite LA1](https://www.coresite.com/data-centers/locations/los-angeles/one-wilshire) | 1 | n/a | 10G, 100G | CoreSite, Equinix, Megaport, Neutrona Networks, NTT, Zayo |
+| **Los Angeles** | [CoreSite LA1](https://www.coresite.com/data-centers/locations/los-angeles/one-wilshire) | 1 | n/a | 10G, 100G | CoreSite, Equinix*, Megaport, Neutrona Networks, NTT, Zayo</br></br> **New ExpressRoute circuits are no longer supported with Equinix in Los Angeles.* |
| **Los Angeles2** | [Equinix LA1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/los-angeles-data-centers/la1/) | 1 | n/a | 10G, 100G | Equinix | | **Madrid** | [Interxion MAD1](https://www.interxion.com/es/donde-estamos/europa/madrid) | 1 | West Europe | 10G, 100G | Interxion, Megaport | | **Marseille** |[Interxion MRS1](https://www.interxion.com/Locations/marseille/) | 1 | France South | n/a | Colt, DE-CIX, GEANT, Interxion, Jaguar Network, Ooredoo Cloud Connect |
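Review bot: `</br>` in the new **Los Angeles** row is a stray closing tag, not a line break; use `<br/>`, the form the other tables in this change set use, so the footnote renders on its own line. The emphasis markers are also unbalanced: `**New ExpressRoute circuits ... Los Angeles.*` opens with two asterisks and closes with one, so the footnote marker and the italic text can render unpredictably; escape the marker and wrap the sentence in single asterisks, e.g. `\**New ExpressRoute circuits are no longer supported with Equinix in Los Angeles.*`.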
expressroute Expressroute Locations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/expressroute/expressroute-locations.md
The following table shows locations by service provider. If you want to view ava
| **du datamena** |Supported |Supported | Dubai2 | | **eir** |Supported |Supported |Dublin| | **[Epsilon Global Communications](https://www.epsilontel.com/solutions/direct-cloud-connect)** |Supported |Supported |Singapore, Singapore2 |
-| **[Equinix](https://www.equinix.com/partners/microsoft-azure/)** |Supported |Supported |Amsterdam, Amsterdam2, Atlanta, Berlin, Bogota, Canberra2, Chicago, Dallas, Dubai2, Dublin, Frankfurt, Frankfurt2, Geneva, Hong Kong SAR, London, London2, Los Angeles, Los Angeles2, Melbourne, Miami, Milan, New York, Osaka, Paris, Rio de Janeiro, Sao Paulo, Seattle, Seoul, Silicon Valley, Singapore, Singapore2, Stockholm, Sydney, Tokyo, Toronto, Washington DC, Zurich |
+| **[Equinix](https://www.equinix.com/partners/microsoft-azure/)** |Supported |Supported |Amsterdam, Amsterdam2, Atlanta, Berlin, Bogota, Canberra2, Chicago, Dallas, Dubai2, Dublin, Frankfurt, Frankfurt2, Geneva, Hong Kong SAR, London, London2, Los Angeles*, Los Angeles2, Melbourne, Miami, Milan, New York, Osaka, Paris, Rio de Janeiro, Sao Paulo, Seattle, Seoul, Silicon Valley, Singapore, Singapore2, Stockholm, Sydney, Tokyo, Toronto, Washington DC, Zurich</br></br> **New ExpressRoute circuits are no longer supported with Equinix in Los Angeles.* |
| **Etisalat UAE** |Supported |Supported |Dubai| | **[euNetworks](https://eunetworks.com/services/solutions/cloud-connect/microsoft-azure-expressroute/)** |Supported |Supported |Amsterdam, Amsterdam2, Dublin, Frankfurt, London | | **[FarEasTone](https://www.fetnet.net/corporate/en/Enterprise.html)** |Supported |Supported |Taipei|
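Review bot: same markup problem in the new **Equinix** row as in the providers table: `</br>` should be `<br/>`, and the footnote `**New ExpressRoute circuits ... Los Angeles.*` has unbalanced emphasis markers; escape the leading asterisk (`\*`) and use single asterisks around the sentence so both pages render the footnote the same way.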
firewall-manager Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall-manager/overview.md
Azure Firewall Manager has the following known issues:
## Next steps
+- [Learn module: Introduction to Azure Firewall Manager](/learn/modules/intro-to-azure-firewall-manager/).
- Review [Azure Firewall Manager deployment overview](deployment-overview.md) - Learn about [secured Virtual Hubs](secured-virtual-hub.md).
firewall Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall/overview.md
Azure Firewall has the following known issues:
- [Quickstart: Create an Azure Firewall and a firewall policy - ARM template](../firewall-manager/quick-firewall-policy.md) - [Quickstart: Deploy Azure Firewall with Availability Zones - ARM template](deploy-template.md) - [Tutorial: Deploy and configure Azure Firewall using the Azure portal](tutorial-firewall-deploy-portal.md)
+- [Learn module: Introduction to Azure Firewall](/learn/modules/introduction-azure-firewall/)
frontdoor Front Door Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/frontdoor/front-door-overview.md
Subscribe to the RSS feed and view the latest Azure Front Door feature updates o
## Next steps -- Learn how to [create a Front Door](quickstart-create-front-door.md).
+- [Quickstart: Create a Front Door](quickstart-create-front-door.md).
+- [Learn module: Introduction to Azure Front Door](/learn/modules/intro-to-azure-front-door/).
- Learn [how Front Door works](front-door-routing-architecture.md).
frontdoor How To Reports https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/frontdoor/standard-premium/how-to-reports.md
Title: 'Azure Front Door Standard/Premium (Preview) Reports' description: This article explains how reporting works in Azure Front Door. -+ Previously updated : 02/18/2021 Last updated : 07/07/2021
Azure Front Door Standard/Premium Analytics Reports provide a built-in and all-a
||| | Overview of key metrics | Shows overall data that got sent from Azure Front Door edges to clients<br/>- Peak bandwidth<br/>- Requests <br/>- Cache hit ratio<br/> - Total latency<br/>- 5XX error rate | | Traffic by Domain | - Provides an overview of all the domains under the profile<br/>- Breakdown of data transferred out from AFD edge to client<br/>- Total requests<br/>- 3XX/4XX/5XX response code by domains |
-| Traffic by Location | - Shows a map view of request and usage by top countries<br/>- Trend view of top countries |
+| Traffic by Location | - Shows a map view of request and usage by top countries/regions<br/>- Trend view of top countries/regions |
| Usage | - Displays data transfer out from Azure Front Door edge to clients<br/>- Data transfer out from origin to AFD edge<br/>- Bandwidth from AFD edge to clients<br/>- Bandwidth from origin to AFD edge<br/>- Requests<br/>- Total latency<br/>- Request count trend by HTTP status code | | Caching | - Shows cache hit ratio by request count<br/>- Trend view of hit and miss requests | | Top URL | - Shows request count <br/>- Data transferred <br/>- Cache hit ratio <br/>- Response status code distribution for the most requested 50 assets. |
Azure Front Door Standard/Premium Analytics Reports provide a built-in and all-a
| Security reports | Details | ||| | Overview of key metrics | - Shows matched WAF rules<br/>- Matched OWASP rules<br/>- Matched BOT rules<br/>- Matched custom rules |
-| Metrics by dimensions | - Breakdown of matched WAF rules trend by action<br/>- Doughnut chart of events by Rule Set Type and event by rule group<br/>- Break down list of top events by rule ID, country, IP address, URL, and user agent |
+| Metrics by dimensions | - Breakdown of matched WAF rules trend by action<br/>- Doughnut chart of events by Rule Set Type and event by rule group<br/>- Break down list of top events by rule ID, countries/regions, IP address, URL, and user agent |
> [!NOTE] > Security reports is only available with Azure Front Door Premium SKU.
Reports support any selected date range from the previous 90 days. With data poi
You can always use Aggregation to change the default aggregation granularity. Note: 5 minutes doesn’t work for data range longer than 14 days.
- 1. **Location** - Select single or multiple client locations by country. Countries are grouped into six regions: North America, Asia, Europe, Africa, Oceania, and South America. Refer to [region/country mapping](https://en.wikipedia.org/wiki/Subregion). By default, all countries are selected.
+ 1. **Location** - Select single or multiple client locations by countries/regions. Countries/regions are grouped into six regions: North America, Asia, Europe, Africa, Oceania, and South America. Refer to [countries/regions mapping](https://en.wikipedia.org/wiki/Subregion). By default, all countries are selected.
:::image type="content" source="../media/how-to-reports/front-door-reports-dimension-locations.png" alt-text="Screenshot of Reports for location dimension.":::
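Review bot: the last sentence of the **Location** item still says "By default, all countries are selected" while the rest of the item was changed to "countries/regions"; update it for consistency with the rest of this change.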
This report shows the trends of traffic and response status code by different di
## Traffic by Location
-This report displays the top 50 locations by the country of the visitors that access your asset the most. The report also provides a breakdown of metrics by country and gives you an overall view of countries where the most traffic gets generated. Lastly you can see which country is having higher cache hit ratio or 4XX/5XX error codes.
+This report displays the top 50 locations by the countries/regions of the visitors that access your asset the most. The report also provides a breakdown of metrics by countries/regions and gives you an overall view of countries/regions
+ where the most traffic gets generated. Lastly you can see which countries/regions is having higher cache hit ratio or 4XX/5XX error codes.
:::image type="content" source="../media/how-to-reports/front-door-reports-by-location.png" alt-text="Screenshot of Reports by locations" lightbox="../media/how-to-reports/front-door-reports-by-location-expanded.png"::: The following are included in the reports:
-* A world map view of the top 50 countries by data transferred out or requests of your choice.
-* Two line charts trend view of the top five countries by data transferred out and requests of your choice.
-* A grid of the top countries with corresponding data transferred out from AFD to clients, data transferred out % of all countries, requests, request % among all countries, cache hit ratio, 4XX response code and 5XX response code.
+* A world map view of the top 50 countries/regions by data transferred out or requests of your choice.
+* Two line charts trend view of the top five countries/regions by data transferred out and requests of your choice.
+* A grid of the top countries/regions with corresponding data transferred out from AFD to clients, data transferred out % of all countries/regions, requests, request % among all countries/regions, cache hit ratio, 4XX response code and 5XX response code.
## Caching
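Review bot: subject-verb agreement in the added **Traffic by Location** text: "which countries/regions is having higher cache hit ratio" should read "which countries/regions have a higher cache hit ratio". The sentence is also split across two lines with a leading space on the continuation line ("+ where the most traffic gets generated..."); join it so the paragraph stays on one line like the surrounding text.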
This report allows you to have graphical and statistics view of WAF patterns by
| Events by Rule Group | Doughnut chart of the WAF requests distribution by Rule Group. | | Requests by actions | A table of requests by actions, in descending order. | | Requests by top Rule IDs | A table of requests by top 50 rule IDs, in descending order. |
-| Requests by top countries | A table of requests by top 50 countries, in descending order. |
+| Requests by top countries/regions | A table of requests by top 50 countries/regions, in descending order. |
| Requests by top client IPs | A table of requests by top 50 IPs, in descending order. | | Requests by top Request URL | A table of requests by top 50 URLs, in descending order. | | Request by top Hostnames | A table of requests by top 50 hostname, in descending order. |
Every CSV report includes some general information and the information is availa
| StartDateUTC | The start of the date range for which you generated the report, in Coordinated Universal Time (UTC) | | EndDateUTC | The end of the date range for which you generated the report, in Coordinated Universal Time (UTC) | | GeneratedTimeUTC | The date and time when you generated the report, in Coordinated Universal Time (UTC) |
-| Location | The list of the countries where the client requests originated. The value is ALL by default. Not applicable to Security report. |
+| Location | The list of the countries/regions where the client requests originated. The value is ALL by default. Not applicable to Security report. |
| Protocol | The protocol of the request, HTTP, or HTTPs. Not applicable to Top URL and Traffic by User Agent in Reports and Security report. | | Aggregation | The granularity of data aggregation in each row, every 5 minutes, every hour, and every day. Not applicable to Traffic by Domain, Top URL, and Traffic by User Agent in Reports and Security report. |
There are seven tables all with the same fields below.
* CustomRuleRequests * BotRequests
-The seven tables are for time, rule ID, country, IP address, URL, hostname, user agent.
+The seven tables are for time, rule ID, countries/regions, IP address, URL, hostname, user agent.
## Next steps
governance Guest Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/concepts/guest-configuration.md
To communicate with the Guest Configuration resource provider in Azure, machines
access to Azure datacenters on port **443**. If a network in Azure doesn't allow outbound traffic, configure exceptions with [Network Security Group](../../../virtual-network/manage-network-security-group.md#create-a-security-rule) rules. The
-[service tag](../../../virtual-network/service-tags-overview.md) "AzureArcInfrastructure" can be
-used to reference the Guest Configuration service rather than manually maintaining the [list of IP
-ranges](https://www.microsoft.com/en-us/download/details.aspx?id=56519) for Azure datacenters.
+[service tags](../../../virtual-network/service-tags-overview.md) "AzureArcInfrastructure" and "Storage" can be
+used to reference the Guest Configuration and Storage services rather than manually maintaining the [list of IP
+ranges](https://www.microsoft.com/download/details.aspx?id=56519) for Azure datacenters. Both tags are required
+because Guest Configuration content packages are hosted by Azure Storage.
### Communicate over Private Link in Azure
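Review bot: the new text names the two service tags but does not say that the NSG exception should stay limited to outbound traffic on port **443** to those tags, which the preceding sentence implies; stating it explicitly ("an outbound rule to the AzureArcInfrastructure and Storage service tags on port 443") keeps readers from opening a broader rule than the agent needs.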
hdinsight Apache Hbase Backup Replication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/hbase/apache-hbase-backup-replication.md
The general steps to set up replication are:
5. Copy existing data from the source tables to the destination tables. 6. Replication automatically copies new data modifications to the source tables into the destination tables.
-To enable replication on HDInsight, apply a Script Action to your running source HDInsight cluster. For a walkthrough of enabling replication in your cluster, or to experiment with replication on sample clusters created in virtual networks using Azure Resource Management templates, see [Configure Apache HBase replication](apache-hbase-replication.md). That article also includes instructions for enabling replication of Phoenix metadata.
+To enable replication on HDInsight, apply a Script Action to your running source HDInsight cluster. For a walkthrough of enabling replication in your cluster, or to experiment with replication on sample clusters created in virtual networks using Azure Resource Manager templates, see [Configure Apache HBase replication](apache-hbase-replication.md). That article also includes instructions for enabling replication of Phoenix metadata.
## Next steps
hpc-cache Add Namespace Paths https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/add-namespace-paths.md
The options used for the update command are similar to the "create" command, exc
-### ADLS-NFS namespace paths (PREVIEW)
+### ADLS-NFS namespace paths
Like a regular blob storage target, an ADLS-NFS storage target only has one export, so it can only have one namespace path.
hpc-cache Cache Usage Models https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/cache-usage-models.md
description: Describes the different cache usage models and how to choose among
Previously updated : 04/08/2021 Last updated : 06/17/2021
+<!-- filename is referenced from GUI in aka.ms/hpc-cache-usagemodel -->
# Understand cache usage models
Cache usage models let you customize how your Azure HPC Cache stores files to sp
File caching is how Azure HPC Cache expedites client requests. It uses these basic practices:
-* **Read caching** - Azure HPC Cache keeps a copy of files that clients request from the storage system. The next time a client requests the same file, HPC Cache can provide the version in its cache instead of having to fetch it from the back-end storage system again.
+* **Read caching** - Azure HPC Cache keeps a copy of files that clients request from the storage system. The next time a client requests the same file, HPC Cache can provide the version in its cache instead of having to fetch the file from the back-end storage system again.
* **Write caching** - Optionally, Azure HPC Cache can store a copy of any changed files sent from the client machines. If multiple clients make changes to the same file over a short period, the cache can collect all the changes in the cache instead of having to write each change individually to the back-end storage system.
These are the usage model options:
* **Greater than 15% writes** - This option speeds up both read and write performance. When using this option, all clients must access files through the Azure HPC Cache instead of mounting the back-end storage directly. The cached files will have recent changes that have not yet been copied to the back end.
- In this usage model, files in the cache are only checked against the files on back-end storage every eight hours. The cached version of the file is assumed to be more current. A modified file in the cache is written to the back-end storage system after it has been in the cache for 20 minutes<!-- an hour --> with no additional changes.
+ In this usage model, files in the cache are only checked against the files on back-end storage every eight hours. The cached version of the file is assumed to be more current. A modified file in the cache is written to the back-end storage system after it has been in the cache for an hour with no additional changes.
* **Clients write to the NFS target, bypassing the cache** - Choose this option if any clients in your workflow write data directly to the storage system without first writing to the cache, or if you want to optimize data consistency. Files that clients request are cached (reads), but any changes to those files from the client (writes) are not cached. They are passed through directly to the back-end storage system.
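Review bot: the write-back delay in the **Greater than 15% writes** bullet changes from 20 minutes to an hour, and the HTML comment that previously recorded the conflicting value is removed; confirm the hour value against the service behavior and make sure the usage-model summary table that follows this section states the same interval.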
This table summarizes the usage model differences:
If you have questions about the best usage model for your Azure HPC Cache workflow, talk to your Azure representative or open a support request for help.
-## Know when to remount clients for NLM
+## Change usage models
-In some situations, you might need to remount clients if you change a storage target's usage model. This is needed because of the way different usage models handle Network Lock Manager (NLM) requests.
+You can change usage models by editing the storage target, but some changes are not allowed because they create a small risk of file version conflict.
-The HPC Cache sits between clients and the back-end storage system. Usually the cache passes NLM requests through to the back-end storage system, but in some situations, the cache itself acknowledges the NLM request and returns a value to the client. In Azure HPC Cache, this only happens when you use the usage model **Read heavy, infrequent writes** (or with a standard blob storage target, which doesn't have configurable usage models).
+You can't change **to** or **from** the model named **Read heavy, infrequent writes**. To change a storage target to this usage model, or to change it from this model to a different usage model, you have to delete the original storage target and create a new one.
-There is a small risk of file conflict if you change between the **Read heavy, infrequent writes** usage model and a different usage model. There's no way to transfer the current NLM state from the cache to the storage system or vice versa. So the client's lock status is inaccurate.
+This restriction is needed because of the way different usage models handle Network Lock Manager (NLM) requests. Azure HPC Cache sits between clients and the back-end storage system. Usually, the cache passes NLM requests through to the back-end storage system, but in some situations, the cache itself acknowledges the NLM request and returns a value to the client. In Azure HPC Cache, this only happens when you use the usage model **Read heavy, infrequent writes** (or with a standard blob storage target, which doesn't have configurable usage models).
-Remount the clients to make sure that they have an accurate NLM state with the new lock manager.
-
-If your clients send a NLM request when the usage model or back-end storage does not support it, they will receive an error.
-
-### Disable NLM at client mount time
-
-It is not always easy to know whether or not your client systems will send NLM requests.
-
-You can disable NLM when clients mount the cluster by using the option ``-o nolock`` in the ``mount`` command.
-
-The exact behavior of the ``nolock`` option depends on the client operating system, so check the mount documentation (man 5 nfs) for your client OS. In most cases, it moves the lock locally to the client. Use caution if your application lock files across multiple clients.
+If you change between the **Read heavy, infrequent writes** usage model and a different usage model, there's no way to transfer the current NLM state from the cache to the storage system or vice versa. So the client's lock status is inaccurate.
> [!NOTE]
-> ADLS-NFS does not support NLM. You should disable NLM with the mount option above when using an ADLS-NFS storage target.
+> ADLS-NFS does not support NLM. You should disable NLM when clients mount the cluster to access an ADLS-NFS storage target.
+>
+> Use the option ``-o nolock`` in the ``mount`` command. Check your client operating system's mount documentation (man 5 nfs) to learn the exact behavior of the ``nolock`` option for your clients.
## Next steps
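Review bot: the rewrite drops two caveats from the removed "Disable NLM at client mount time" section: that clients sending NLM requests to a usage model or back end that does not support them receive an error, and that `nolock` in most cases moves locking to the client, so applications that lock files across multiple clients need care. The new NOTE only points to `man 5 nfs`; restore at least the multi-client locking caution there, since it is the safety-relevant part and applies whenever `-o nolock` is used, not only for ADLS-NFS.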
hpc-cache Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/configuration.md
Consider using a test cache to check and refine your DNS setup before you use it
### Refresh storage target DNS
-If your DNS server updates IP addresses, the associated NFS storage targets will become temporarily unavailable. Read how to update your custom DNS system IP addresses in [Edit storage targets](hpc-cache-edit-storage.md#update-ip-address-custom-dns-configurations-only).
+If your DNS server updates IP addresses, the associated NFS storage targets will become temporarily unavailable. Read how to update your custom DNS system IP addresses in [Manage storage targets](manage-storage-targets.md#update-ip-address-custom-dns-configurations-only).
## View snapshots for blob storage targets
hpc-cache Customer Keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/customer-keys.md
description: How to use Azure Key Vault with Azure HPC Cache to control encrypti
Previously updated : 07/20/2020 Last updated : 07/08/2021
Azure HPC Cache also is protected by [VM host encryption](../virtual-machines/di
There are three steps to enable customer-managed key encryption for Azure HPC Cache: 1. Set up an Azure Key Vault to store the keys.
-1. When creating the Azure HPC Cache, choose customer-managed key encryption and specify the key vault and key to use.
-1. After the cache is created, authorize it to access the key vault.
+1. When creating the Azure HPC Cache, choose customer-managed key encryption and specify the key vault and key to use. Optionally, supply a user-assigned managed identity to the cache instance so that you can skip step 3.
+1. **If using a system-assigned managed identity:** Go to the newly created cache and authorize it to access the key vault.
-Encryption is not completely set up until after you authorize it from the newly created cache (step 3). This is because you must pass the cache's identity to the key vault to make it an authorized user. You can't do this before creating the cache, because the identity does not exist until the cache is created.
+ Encryption is not completely set up until after you authorize it from the newly created cache (step 3). This is because you must pass the cache's identity to the key vault to make it an authorized user. You can't do this before creating the cache, because the identity does not exist until the cache is created.
+
+ If you supply a [user-assigned managed identity](#2-create-the-cache-with-customer-managed-keys-enabled) when setting up the cache, this step is unnecessary.
After you create the cache, you can't change between customer-managed keys and Microsoft-managed keys. However, if your cache uses customer-managed keys you can [change](#update-key-settings) the encryption key, the key version, and the key vault as needed.
You must specify the encryption key source when you create your Azure HPC Cache.
> [!TIP] > If the **Disk encryption keys** page does not appear, make sure that your cache is in one of the [supported regions](https://azure.microsoft.com/global-infrastructure/services/?regions=all&products=hpc-cache,key-vault).
+![Screenshot of the completed Disk encryption keys screen, part of the cache creation interface in the portal.](media/customer-keys-populated.png)
+ The user who creates the cache must have privileges equal to the [Key Vault contributor role](../role-based-access-control/built-in-roles.md#key-vault-contributor) or higher. 1. Click the button to enable privately managed keys. After you change this setting, the key vault settings appear.
The user who creates the cache must have privileges equal to the [Key Vault cont
1. Specify the version for the selected key. Learn more about versioning in the [Azure Key Vault documentation](../key-vault/general/about-keys-secrets-certificates.md#objects-identifiers-and-versioning).
+These settings are optional:
+
+* Check the **Always use current key version** box if you want to use [automatic key rotation](../virtual-machines/disk-encryption.md#automatic-key-rotation-of-customer-managed-keys-preview).
+
+* If you want to use a specific managed identity for this cache, select **User assigned** in the **Managed identities** section and select the identity to use. Read the [managed identities documentation](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) for help.
+
+ > [!TIP]
+ > A user-assigned managed identity simplifies cache creation. With a system-assigned managed identity, you must take an extra step after the cache is created in order to authorize the cache's newly assigned identity to use your key vault.
+
+ > [!NOTE]
+ > You cannot change the assigned identity after you create the cache.
+ Continue with the rest of the specifications and create the cache as described in [Create an Azure HPC Cache](hpc-cache-create.md). ## 3. Authorize Azure Key Vault encryption from the cache <!-- header is linked from create article, update if changed -->
+> [!NOTE]
+> This step is not required if you supply a user-assigned managed identity when you create the cache.
+ After a few minutes, the new Azure HPC Cache appears in your Azure portal. Go to the **Overview** page to authorize it to access your Azure Key Vault and enable customer-managed key encryption. > [!TIP] > The cache might appear in the resources list before the "deployment underway" messages clear. Check your resources list after a minute or two instead of waiting for a success notification.
-This two-step process is necessary because the Azure HPC Cache instance needs an identity to pass to the Azure Key Vault for authorization. The cache identity doesn't exist until after its initial creation steps are complete.
+This two-step process is necessary because the Azure HPC Cache instance needs an identity to pass to the Azure Key Vault for authorization. The cache identity doesn't exist until after its initial creation steps are complete. If you provided a user-assigned managed identity when you created the cache, there's no authorization step afterward.
> [!NOTE] > You must authorize encryption within 90 minutes after creating the cache. If you don't complete this step, the cache will time out and fail. A failed cache has to be re-created, it can't be fixed. The cache shows the status **Waiting for key**. Click the **Enable encryption** button at the top of the page to authorize the cache to access the specified key vault.
-![screenshot of cache overview page in portal, with highlighting on the Enable encryption button (top row) and Status: Waiting for key](media/waiting-for-key.png)
+![Screenshot of cache overview page in portal, with highlighting on the Enable encryption button (top row) and Status: Waiting for key.](media/waiting-for-key.png)
Click **Enable encryption** and then click the **Yes** button to authorize the cache to use the encryption key. This action also enables soft-delete and purge protection (if not already enabled) on the key vault.
-![screenshot of cache overview page in portal, with a banner message at the top that asks the user to enable encryption by clicking yes](media/enable-keyvault.png)
+![Screenshot of cache overview page in portal, with a banner message at the top that asks the user to enable encryption by clicking yes.](media/enable-keyvault.png)
After the cache requests access to the key vault, it can create and encrypt the disks that store cached data.
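Review bot: the NOTE "You must authorize encryption within 90 minutes after creating the cache ... the cache will time out and fail" is unchanged and still reads as unconditional, but the new text says there is no authorization step when a user-assigned managed identity is supplied; qualify the NOTE (for example, "If the cache uses a system-assigned managed identity, you must authorize encryption within 90 minutes ...") so readers with a user-assigned identity do not expect a failure, and readers with a system-assigned one still see the deadline.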
You can change the key vault, key, or key version for your cache from the Azure
You cannot change a cache between customer-managed keys and system-managed keys.
-![screenshot of "Customer keys settings" page, reached by clicking Settings > Encryption from the cache page in the Azure portal](media/change-key-click.png)
+![Screenshot of "Customer keys settings" page, reached by clicking Settings > Encryption from the cache page in the Azure portal.](media/change-key-click.png)
Click the **Change key** link, then click **Change the key vault, key, or version** to open the key selector.
-![screenshot of "select key from Azure Key Vault" page with three drop-down selectors to choose key vault, key, and version](media/select-new-key.png)
+![Screenshot of "select key from Azure Key Vault" page with three drop-down selectors to choose key vault, key, and version.](media/select-new-key.png)
Key vaults in the same subscription and same region as this cache are shown in the list. After you choose the new encryption key values, click **Select**. A confirmation page appears with the new values. Click **Save** to finalize the selection.
-![screenshot of confirmation page with Save button at top left](media/save-key-settings.png)
+![Screenshot of confirmation page with Save button at top left.](media/save-key-settings.png)
## Read more about customer-managed keys in Azure
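Review bot: Terminology is inconsistent between the two files in this commit: here the default is called "system-managed keys" ("You cannot change a cache between customer-managed keys and system-managed keys"), while hpc-cache-create.md says "You cannot change between Microsoft-managed keys and customer-managed keys". Use one term in both places. It would also help to repeat in this change-key flow that the replacement key must be a 2048-bit RSA key, as the create page states, because the key selector lists every key in the chosen vault.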
hpc-cache Hpc Cache Add Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/hpc-cache-add-storage.md
description: How to define storage targets so that your Azure HPC Cache can use
Previously updated : 05/05/2021 Last updated : 07/06/2021
You can define 10 different storage targets for any cache, and larger caches can [support up to 20 storage targets](#size-your-cache-correctly-to-support-your-storage-targets).
-The cache presents all of the storage targets in one aggregated namespace. The namespace paths are configured separately after you add the storage targets.
+The cache presents all of the storage targets in one [aggregated namespace](hpc-cache-namespace.md). The namespace paths are configured separately after you add the storage targets.
Remember that the storage exports must be accessible from your cache's virtual network. For on-premises hardware storage, you might need to set up a DNS server that can resolve hostnames for NFS storage access. Read more in [DNS access](hpc-cache-prerequisites.md#dns-access).
Click the image below to watch a [video demonstration](https://azure.microsoft.c
## Size your cache correctly to support your storage targets
-The number of supported storage targets depends on the cache size, which is set when you create the cache. The size is a combination of throughput capacity (in GB/s) and storage capacity (in TB).
+The number of supported storage targets depends on the cache size, which is set when you create the cache. The cache capacity is a combination of throughput capacity (in GB/s) and storage capacity (in TB).
-* Up to 10 storage targets - If you choose the smallest or medium cache storage size for your selected throughput value, your cache can have up to 10 storage targets.
-* Up to 20 storage targets - Choose the highest available cache size for your selected throughput value if you want to use more than 10 storage targets. (If using Azure CLI, choose the highest valid cache size for your cache SKU.)
+* Up to 10 storage targets - A standard cache with the smallest or medium cache storage value for your selected throughput can have a maximum of 10 storage targets.
+
+ For example, if you choose 2GB/second throughput and do not choose the highest cache storage size, your cache supports a maximum of 10 storage targets.
+
+* Up to 20 storage targets -
+
+ * All high-throughput caches (which have preconfigured cache storage sizes) can support up to 20 storage targets.
+ * Standard caches can support up to 20 storage targets if you choose the highest available cache size for your selected throughput value. (If using Azure CLI, choose the highest valid cache size for your cache SKU.)
Read [Set cache capacity](hpc-cache-create.md#set-cache-capacity) to learn more about throughput and cache size settings.
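Review bot: "Standard cache" and "high-throughput caches" appear here for the first time on this page without a definition or link; later notes in this same file link to hpc-cache-create.md#choose-the-cache-type-for-your-needs, so link the first mention in the "Up to 20 storage targets" list as well. Minor style: "2GB/second" should read "2 GB/sec" to match the capacity table on the create page.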
+## Choose the correct storage target type
+
+You can select from three storage target types: **NFS**, **Blob**, and **ADLS-NFS**. Choose the type that matches the kind of storage system you will use to store your files during this HPC Cache project.
+
+* **NFS** - Create an NFS storage target to access data on an on-premises NAS system.
+
+ * Requirements: [NFS storage requirements](hpc-cache-prerequisites.md#nfs-storage-requirements)
+ * Instructions: [Add a new NFS storage target](#add-a-new-nfs-storage-target)
+
+* **Blob** - Use a blob storage target to store your working files in a new Azure Blob container. This container can only be read or written to from the Azure HPC Cache.
+
+ * Prerequisites: [Blob storage requirements](hpc-cache-prerequisites.md#blob-storage-requirements)
+ * Instructions: [Add a new Azure Blob storage target](#add-a-new-azure-blob-storage-target)
+
+* **ADLS-NFS** - The ADLS-NFS storage target accesses data from an [NFS-enabled Blob](../storage/blobs/network-file-system-protocol-support.md) container. You can pre-load the container by using standard NFS commands, and the files can be read later with NFS.
+
+ * Prerequisites: [ADLS-NFS storage requirements](hpc-cache-prerequisites.md#nfs-mounted-blob-adls-nfs-storage-requirements)
+ * Instructions: [Add a new ADLS-NFS storage target](#add-a-new-adls-nfs-storage-target)
+ ## Add a new Azure Blob storage target A new Blob storage target needs an empty Blob container or a container that is populated with data in the Azure HPC Cache cloud file system format. Read more about pre-loading a Blob container in [Move data to Azure Blob storage](hpc-cache-ingest.md).
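Review bot: The Blob bullet's claim "This container can only be read or written to from the Azure HPC Cache" does not match the wording later in this file, which says data in a standard blob target "can only be accessed from other Azure HPC Cache-compatible products" and that the container can be pre-populated in the cloud file system format via hpc-cache-ingest.md. Align the two statements, for example "can only be read or written to through Azure HPC Cache or compatible tools".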
A new Blob storage target needs an empty Blob container or a container that is p
The Azure portal **Add storage target** page includes the option to create a new Blob container just before you add it. > [!NOTE]
-> For NFS-mounted blob storage, use the [ADLS-NFS storage target](#) type.
+>
+> * For NFS-mounted blob storage, use the [ADLS-NFS storage target](#add-a-new-adls-nfs-storage-target) type.
+> * [High-throughput cache configurations](hpc-cache-create.md#choose-the-cache-type-for-your-needs) do not support standard Azure Blob storage targets. Use NFS-enabled blob storage (ADLS-NFS) instead.
### [Portal](#tab/azure-portal)
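Review bot: The new NOTE bullet tells high-throughput cache users to "Use NFS-enabled blob storage (ADLS-NFS) instead" without qualification, but the capacity table added to hpc-cache-create.md in this same commit marks NFS-enabled blob as "in preview for this combination". Either add the preview caveat here or remove it from the table so the two pages agree.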
Azure HPC Cache uses [Azure role-based access control (Azure RBAC)](../role-base
The storage account owner must explicitly add the roles [Storage Account Contributor](../role-based-access-control/built-in-roles.md#storage-account-contributor) and [Storage Blob Data Contributor](../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) for the user "HPC Cache Resource Provider".
-You can do this ahead of time, or by clicking a link on the page where you add a Blob storage target. Keep in mind that it can take up to five minutes for the role settings to propagate through the Azure environment, so you should wait a few minutes after adding the roles before creating a storage target.
+You can do this ahead of time, or by clicking a link on the portal page where you add a Blob storage target. Keep in mind that it can take up to five minutes for the role settings to propagate through the Azure environment, so you should wait a few minutes after adding the roles before creating a storage target.
1. Open **Access control (IAM)** for your storage account.
You can do this ahead of time, or by clicking a link on the page where you add a
![Add role assignment page](../../includes/role-based-access-control/media/add-role-assignment-page.png) > [!NOTE]
- > If you can't find the HPC Cache Resource Provider, try a search for the string "storagecache" instead. Users who participated in HPC Cache previews (before GA) might need to use the older name for the service principal.
+ > If you can't find the HPC Cache Resource Provider, try a search for the string "storagecache" instead. This was a pre-GA name for the service principal.
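Review bot: The role-assignment text calls the principal `the user "HPC Cache Resource Provider"`, while the new NOTE two lines later correctly calls it a service principal; use "service principal" in both places. Since the steps open Access control (IAM) on the storage account, it is worth saying explicitly that the two roles (Storage Account Contributor on the management plane, Storage Blob Data Contributor on the data plane) should be assigned at that storage-account scope only, not at resource group or subscription scope; readers following the "add the roles ahead of time" advice otherwise tend to grant them too broadly.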
<!-- Steps to add the Azure roles:
az hpc-cache blob-storage-target add --resource-group "hpc-cache-group" \
## Add a new NFS storage target
-An NFS storage target has different settings from a Blob storage target. The usage model setting helps the cache to efficiently cache data from this storage system.
+An NFS storage target has different settings from a Blob storage target, including a usage model setting that tells the cache how to store data from this storage system.
![Screenshot of add storage target page with NFS target defined](media/add-nfs-target.png)
An NFS storage target has different settings from a Blob storage target. The usa
> Before you create an NFS storage target, make sure your storage system is accessible from the Azure HPC Cache and meets permission requirements. Storage target creation will fail if the cache can't access the storage system. Read [NFS storage requirements](hpc-cache-prerequisites.md#nfs-storage-requirements) and [Troubleshoot NAS configuration and NFS storage target issues](troubleshoot-nas.md) for details. ### Choose a usage model
-<!-- referenced from GUI by aka.ms link -->
When you create a storage target that uses NFS to reach its storage system, you need to choose a usage model for that target. This model determines how your data is cached. Read [Understand usage models](cache-usage-models.md) for more details about all of these settings.
-The built-in usage models let you choose how to balance fast response with the risk of getting stale data. If you want to optimize speed for reading files, you might not care whether the files in the cache are checked against the back-end files. On the other hand, if you want to make sure your files are always up to date with the remote storage, choose a model that checks frequently.
+HPC Cache's built-in usage models let you choose how to balance fast response with the risk of getting stale data. If you want to optimize speed for reading files, you might not care whether the files in the cache are checked against the back-end files. On the other hand, if you want to make sure your files are always up to date with the remote storage, choose a model that checks frequently.
+
+> [!NOTE]
+> [High-throughput style caches](hpc-cache-create.md#choose-the-cache-type-for-your-needs) support read caching only.
These three options cover most situations:
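Review bot: This hunk deletes the `<!-- referenced from GUI by aka.ms link -->` comment under "Choose a usage model", while the other file in this commit makes the equivalent comment more specific (aka.ms/hpc-cache-iops). If the portal still deep-links to this header, keep the comment (ideally naming the aka.ms link, as the create page now does) so a later heading rename does not break the link from the GUI.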
Provide this information for an NFS-backed storage target:
* **Target type** - Choose **NFS**.
-* **Hostname** - Enter the IP address or fully qualified domain name for your NFS storage system. (Use a domain name only if your cache has access to a DNS server that can resolve the name.)
+* **Hostname** - Enter the IP address or fully qualified domain name for your NFS storage system. (Use a domain name only if your cache has access to a DNS server that can resolve the name.) You can enter multiple IP addresses if your storage system is referenced by multiple IPs.
* **Usage model** - Choose one of the data caching profiles based on your workflow, described in [Choose a usage model](#choose-a-usage-model) above.
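Review bot: The added sentence "You can enter multiple IP addresses if your storage system is referenced by multiple IPs" does not say how to enter them (separator, one per field) or what the cache does with them (all must export the same path, load balancing versus failover). State the format and the expectation, or link to the prerequisites page if it is documented there.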
Output:
-## Add a new ADLS-NFS storage target (PREVIEW)
+## Add a new ADLS-NFS storage target
ADLS-NFS storage targets use Azure Blob containers that support the Network File System (NFS) 3.0 protocol.
-> [!NOTE]
-> NFS 3.0 protocol support for Azure Blob storage is in public preview. Availability is restricted, and features might change between now and when the feature becomes generally available. Do not use preview technology in production systems.
->
-> Read [NFS 3.0 protocol support](../storage/blobs/network-file-system-protocol-support.md) for the latest information.
+Read [NFS 3.0 protocol support](../storage/blobs/network-file-system-protocol-support.md) to learn more about this feature.
ADLS-NFS storage targets have some similarities with Blob storage targets and some with NFS storage targets. For example: * Like a Blob storage target, you need to give Azure HPC Cache permission to [access your storage account](#add-the-access-control-roles-to-your-account). * Like an NFS storage target, you need to set a cache [usage model](#choose-a-usage-model).
-* Because NFS-enabled blob containers have an NFS-compatible hierarchical structure, you do not need to use the cache to ingest data, and the containers are readable by other NFS systems. You can pre-load data in an ADLS-NFS container, then add it to an HPC Cache as a storage target, and then access the data later from outside of an HPC Cache. When you use a standard blob container as an HPC Cache storage target, the data is written in a proprietary format and can only be accessed from other Azure HPC Cache-compatible products.
+* Because NFS-enabled blob containers have an NFS-compatible hierarchical structure, you do not need to use the cache to ingest data, and the containers are readable by other NFS systems.
+
+ You can pre-load data in an ADLS-NFS container, then add it to an HPC Cache as a storage target, and then access the data later from outside of an HPC Cache. When you use a standard blob container as an HPC Cache storage target, the data is written in a proprietary format and can only be accessed from other Azure HPC Cache-compatible products.
-Before you can create an ADLS-NFS storage target, you must create an NFS-enabled storage account. Follow the tips in [Prerequisites for Azure HPC Cache](hpc-cache-prerequisites.md#nfs-mounted-blob-adls-nfs-storage-requirements-preview) and the instructions in [Mount Blob storage by using NFS](../storage/blobs/network-file-system-protocol-support-how-to.md). After your storage account is set up you can create a new container when you create the storage target.
+Before you can create an ADLS-NFS storage target, you must create an NFS-enabled storage account. Follow the tips in [Prerequisites for Azure HPC Cache](hpc-cache-prerequisites.md#nfs-mounted-blob-adls-nfs-storage-requirements) and the instructions in [Mount Blob storage by using NFS](../storage/blobs/network-file-system-protocol-support-how-to.md). After your storage account is set up you can create a new container when you create the storage target.
Read [Use NFS-mounted blob storage with Azure HPC Cache](nfs-blob-considerations.md) to learn more about this configuration.
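Review bot: Removing the preview NOTE (and the "-preview" suffix from the prerequisites anchor) drops the "Do not use preview technology in production systems" warning entirely, yet the capacity table added to hpc-cache-create.md in this commit still says NFS-enabled blob "is in preview for this combination" for high-throughput caches. If only that combination remains in preview, say so in this section; otherwise update the table.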
hpc-cache Hpc Cache Create https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/hpc-cache-create.md
description: How to create an Azure HPC Cache instance
Previously updated : 05/05/2021 Last updated : 07/08/2021
Click the image below to watch a [video demonstration](https://azure.microsoft.c
## Define basic details
-![screenshot of project details page in Azure portal](media/hpc-cache-create-basics.png)
+![Screenshot of project details page in Azure portal.](media/hpc-cache-create-basics.png)
In **Project Details**, select the subscription and resource group that will host the cache.
In **Service Details**, set the cache name and these other attributes:
* Subnet - Choose or create a subnet with at least 64 IP addresses (/24). This subnet must be used only for this Azure HPC Cache instance. ## Set cache capacity
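Review bot: "at least 64 IP addresses (/24)" is self-contradictory: a /24 has 256 addresses, and 64 addresses is a /26. State which one is the real requirement (or give both the minimum and the recommended prefix). The same phrase appears again in the CLI and PowerShell subnet sections later in this file and should be corrected there too.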
-<!-- referenced from GUI - update aka.ms link if you change this header text -->
+<!-- referenced from GUI - update aka.ms/hpc-cache-iops link if you change this header text -->
-On the **Cache** page, you must set the capacity of your cache. The values set here determine how much data your cache can hold and how quickly it can service client requests.
+On the **Cache** page, you must set the capacity of your cache. The values set here determine how quickly your cache can service client requests and how much data it can hold.
Capacity also affects the cache's cost, and how many storage targets it can support.
-Choose the capacity by setting these two values:
+Cache capacity is a combination of two values:
* The maximum data transfer rate for the cache (throughput), in GB/second * The amount of storage allocated for cached data, in TB
-Choose one of the available throughput values and cache storage sizes.
+![Screenshot of cache sizing page in the Azure portal.](media/hpc-cache-create-capacity.png)
-> [!TIP]
-> If you want to use more than 10 storage targets with your cache, you must choose the highest available cache storage size value for your throughput size. Learn more in [Add storage targets](hpc-cache-add-storage.md#size-your-cache-correctly-to-support-your-storage-targets).
+### Understand throughput and cache size
-Keep in mind that the actual data transfer rate depends on workload, network speeds, and the type of storage targets. The values you choose set the maximum throughput for the entire cache system, but some of that is used for overhead tasks. For example, if a client requests a file that isn't already stored in the cache, or if the file is marked as stale, your cache uses some of its throughput to fetch it from back-end storage.
+Several factors can affect your HPC Cache's efficiency, but choosing an appropriate throughput value and cache storage size is one of the most important.
-Azure HPC Cache manages which files are cached and preloaded to maximize cache hit rates. Cache contents are continuously assessed, and files are moved to long-term storage when they're less frequently accessed. Choose a cache storage size that can comfortably hold the active set of working files, plus additional space for metadata and other overhead.
+When you choose a throughput value, keep in mind that the actual data transfer rate depends on workload, network speeds, and the type of storage targets.
-![screenshot of cache sizing page](media/hpc-cache-create-capacity.png)
+The values you choose set the maximum throughput for the entire cache system, but some of that is used for overhead tasks. For example, if a client requests a file that isn't already stored in the cache, or if the file is marked as stale, your cache uses some of its throughput to fetch it from back-end storage.
-## Enable Azure Key Vault encryption (optional)
+Azure HPC Cache manages which files are cached and pre-loaded to maximize cache hit rates. Cache contents are continuously assessed, and files are moved to long-term storage when they're less frequently accessed.
+
+Choose a cache storage size that can comfortably hold the active set of working files, plus additional space for metadata and other overhead.
+
+Throughput and cache size also affect how many storage targets are supported for a particular cache. If you want to use more than 10 storage targets with your cache, you must choose the highest available cache storage size value available for your throughput size, or choose one of the high-throughput read-only configurations. Learn more in [Add storage targets](hpc-cache-add-storage.md#size-your-cache-correctly-to-support-your-storage-targets).
+
+If you need help sizing your cache correctly, contact Microsoft Service and Support.
+
+### Choose the cache type for your needs
+
+When you choose your cache capacity, you might notice that some throughput values have fixed cache sizes, and others let you select from multiple cache size options. This is because there are two different styles of cache infrastructure:
+
+* Standard caches - listed under **Read-write caching** in the throughput menu
+
+ With standard caches, you can choose from several cache size values. These caches can be configured for read-only or for read and write caching.
+
+* High-throughput caches - listed under **Read-only caching** in the throughput menu
+
+ The high-throughput configurations have set cache sizes because they're preconfigured with NVME disks. They're designed to optimize file read access only.
+
+![Screenshot of maximum throughput menu in the portal. There are several size options under the heading "Read-write caching" and several under the heading "Read-only".](media/rw-ro-cache-sizing.png)
-The **Disk encryption keys** page appears between the **Cache** and **Tags** tabs.<!-- Read [Regional availability](hpc-cache-overview.md#region-availability) to learn more about region support. -->
+This table explains some important differences between the two options.
+
+| Attribute | Standard cache | High-throughput cache |
+|--|--|--|
+| Throughput menu category |"Read-write caching"| "Read-only caching"|
+| Throughput sizes | 2, 4, or 8 GB/sec | 4.5, 9, or 16 GB/sec |
+| Cache sizes | 3, 6, or 12 TB for 2 GB/sec<br/> 6, 12, or 24 TB for 4 GB/sec<br/> 12, 24, or 48 TB for 8 GB/sec| 21 TB for 4.5 GB/sec <br/> 42 TB for 9 GB/sec <br/> 84 TB for 16 GB/sec |
+| Maximum number of storage targets | [10 or 20](hpc-cache-add-storage.md#size-your-cache-correctly-to-support-your-storage-targets) depending on cache size selection | 20 |
+| Compatible storage target types | Azure blob, on-premises NFS storage, NFS-enabled blob | on-premises NFS storage <br/>NFS-enabled blob storage is in preview for this combination |
+| Caching styles | Read caching or read-write caching | Read caching only |
+| Cache can be stopped to save cost when not needed | Yes | No |
+
+Learn more about these options:
+
+* [Maximum number of storage targets](hpc-cache-add-storage.md#size-your-cache-correctly-to-support-your-storage-targets)
+* [Read and write caching modes](cache-usage-models.md#basic-file-caching-concepts)
+
+## Enable Azure Key Vault encryption (optional)
If you want to manage the encryption keys used for your cache storage, supply your Azure Key Vault information on the **Disk encryption keys** page. The key vault must be in the same region and in the same subscription as the cache.
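Review bot: "you must choose the highest available cache storage size value available for your throughput size" repeats "available"; drop one. In the high-throughput description, "NVME disks" should be "NVMe disks". The screenshot alt text says the second heading is "Read-only" while the table row says "Read-only caching"; use the label the portal actually shows in both. Finally, the table row "Cache can be stopped to save cost when not needed: No" for high-throughput caches is a cost and operations consequence that deserves a sentence in the prose above the table, not only a table cell.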
You can skip this section if you do not need customer-managed keys. Azure encryp
> [!NOTE] > > * You cannot change between Microsoft-managed keys and customer-managed keys after creating the cache.
-> * After the cache is created, you must authorize it to access the key vault. Click the **Enable encryption** button in the cache's **Overview** page to turn on encryption. Take this step within 90 minutes of creating the cache.
-> * Cache disks are created after this authorization. This means that the initial cache creation time is short, but the cache will not be ready to use for ten minutes or more after you authorize access.
+> * If you use a system-assigned managed identity, an extra step is needed:
+> * After the cache is created, you must authorize it to access the key vault. Click the **Enable encryption** button in the cache's **Overview** page to turn on encryption. Take this step within 90 minutes of creating the cache.
+> * Cache disks are created after this authorization. This means that the initial cache creation time is short, but the cache will not be ready to use for ten minutes or more after you authorize access.
+>
+> With a user-assigned managed identity, the authorization happens automatically.
For a complete explanation of the customer-managed key encryption process, read [Use customer-managed encryption keys for Azure HPC Cache](customer-keys.md).
-![screenshot of encryption keys page with "customer managed" selected and key vault fields showing](media/create-encryption.png)
+![Screenshot of encryption keys page with "Customer managed" selected and the "Customer key settings" and "Managed identities" configuration forms showing.](media/create-encryption.png)
Select **Customer managed** to choose customer-managed key encryption. The key vault specification fields appear. Select the Azure Key Vault to use, then select the key and version to use for this cache. The key must be a 2048-bit RSA key. You can create a new key vault, key, or key version from this page.
-After you create the cache, you must authorize it to use the key vault service. Read [Authorize Azure Key Vault encryption from the cache](customer-keys.md#3-authorize-azure-key-vault-encryption-from-the-cache) for details.
+Check the **Always use current key version** box if you want to use [automatic key rotation](../virtual-machines/disk-encryption.md#automatic-key-rotation-of-customer-managed-keys-preview).
+
+If you want to use a specific managed identity for this cache, configure it in the **Managed identities** section. Read the [managed identities documentation](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) for help.
+
+> [!NOTE]
+> You cannot change the assigned identity after you create the cache.
+
+ If you supply a user-assigned managed identity instead of using a system-assigned identity, you don't need to do any extra authorization step after the cache is created.
+
+If you use a system-assigned managed identity, there is an extra step to do after you create the cache. You must authorize the cache to use the key vault service. Read [Authorize Azure Key Vault encryption from the cache](customer-keys.md#3-authorize-azure-key-vault-encryption-from-the-cache) for details.
## Add resource tags (optional)
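Review bot: The new "Always use current key version" sentence links to an anchor ending in "-preview" but does not say that automatic key rotation is a preview feature; say so, since the rest of this page is careful about preview status. The two new statements about user-assigned identities ("the authorization happens automatically" and "you don't need to do any extra authorization step") should add that the identity must already have been given access to the key vault before cache creation; otherwise readers will assume no key vault permissions are needed at all. Minor: the paragraph starting "If you supply a user-assigned managed identity" has a stray leading space, unlike the surrounding paragraphs.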
Supply these values:
* Azure region * Cache subnet, in this format:
- ``--subnet "/subscriptions/<subscription_id>/resourceGroups/<cache_resource_group>/providers/Microsoft.Network/virtualNetworks/<virtual_network_name>/sub
-nets/<cache_subnet_name>"``
+ ``--subnet "/subscriptions/<subscription_id>/resourceGroups/<cache_resource_group>/providers/Microsoft.Network/virtualNetworks/<virtual_network_name>/subnets/<cache_subnet_name>"``
The cache subnet needs at least 64 IP addresses (/24), and it can't house any other resources.
Provide these values:
* Azure region * Cache subnet, in this format:
- `-SubnetUri "/subscriptions/<subscription_id>/resourceGroups/<cache_resource_group>/providers/Microsoft.Network/virtualNetworks/<virtual_network_name>/sub
-nets/<cache_subnet_name>"`
+ `-SubnetUri "/subscriptions/<subscription_id>/resourceGroups/<cache_resource_group>/providers/Microsoft.Network/virtualNetworks/<virtual_network_name>/subnets/<cache_subnet_name>"`
The cache subnet needs at least 64 IP addresses (/24), and it can't house any other resources.
hpc-cache Hpc Cache Edit Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/hpc-cache-edit-storage.md
description: How to edit Azure HPC Cache storage targets
Previously updated : 03/29/2021 Last updated : 06/30/2021 # Edit storage targets
-You can remove or modify storage targets with the Azure portal or by using the Azure CLI.
+You can modify storage targets with the Azure portal or by using the Azure CLI. For example, you can change access policies, usage models, and namespace paths for an existing storage target.
+
+> [!TIP]
+> Read [Manage storage targets](manage-storage-targets.md) to learn how to delete or suspend storage targets, or make them write cached data to back-end storage.
Depending on the type of storage, you can modify these storage target values:
Depending on the type of storage, you can modify these storage target values:
* For ADLS-NFS storage targets, you can change the namespace path, access policy, and the usage model.
-You can't edit a storage target's name, type, or back-end storage system (Blob container or NFS hostname/IP address). If you need to change these properties, delete the storage target and create a replacement with the new value.
-
-> [!TIP]
-> The [Managing Azure HPC Cache video](https://azure.microsoft.com/resources/videos/managing-hpc-cache/) shows how to edit a storage target in the Azure portal.
-
-## Remove a storage target
-
-### [Portal](#tab/azure-portal)
-
-To remove a storage target, open the **Storage targets** page. Select the storage target from the list and click the **Delete** button.
-
-### [Azure CLI](#tab/azure-cli)
-
-[Set up Azure CLI for Azure HPC Cache](./az-cli-prerequisites.md).
-
-Use [az hpc-cache storage-target remove](/cli/azure/hpc-cache/storage-target#az_hpc_cache_storage_target_remove) to delete a storage target from the cache.
-
-```azurecli
-$ az hpc-cache storage-target remove --resource-group cache-rg --cache-name doc-cache0629 --name blob1
-
-{- Finished ..
- "endTime": "2020-07-09T21:45:06.1631571+00:00",
- "name": "2f95eac1-aded-4860-b19c-3f089531a7ec",
- "startTime": "2020-07-09T21:43:38.5461495+00:00",
- "status": "Succeeded"
-}
-```
--
+You can't edit a storage target's name, type, or back-end storage system. If you need to change these properties, delete the storage target and create a replacement with the new value.
-Deleting a storage target removes the storage system's association with this Azure HPC Cache system, but it does not change the back-end storage system. For example, if you used an Azure Blob storage container, the container and its contents still exist after you delete it from the cache. You can add the container to a different Azure HPC Cache, re-add it to this cache, or delete it with the Azure portal.
+The [Managing Azure HPC Cache video](https://azure.microsoft.com/resources/videos/managing-hpc-cache/) shows how to edit a storage target in the Azure portal.
-Any file changes stored in the cache are written to the back-end storage system before the storage target is removed. This process can take an hour or more if a lot of changed data is in the cache.
-
-## Change a blob storage target's namespace path
+## Change a blob storage target's namespace path or access policy
Namespace paths are the paths that clients use to mount this storage target. (To learn more, read [Plan the aggregated namespace](hpc-cache-namespace.md) and [Set up the aggregated namespace](add-namespace-paths.md)).
-The namespace path is the only update you can make on an Azure Blob storage target. Use the Azure portal or the Azure CLI to change it.
+Use the Azure portal or the Azure CLI to change the namespace path or access policy.
### [Portal](#tab/azure-portal)
-Use the **Namespace** page for your Azure HPC Cache. The namespace page is described in more detail in the article [Set up the aggregated namespace](add-namespace-paths.md).
+Use the **Namespace** page for your Azure HPC Cache to update the namespace path or client access policy. The namespace page is described in more detail in the article [Set up the aggregated namespace](add-namespace-paths.md).
+
+1. Click the path that you want to change.
+ ![Screenshot of the Namespace page with the cursor over an item in the Namespace path column (first column to the left). The name is formatted as a hyperlink and the cursor indicates that it can be clicked.](media/edit-select-namespace.png)
-Click the name of the path that you want to change, and create the new path in the edit window that appears.
+1. Use the edit window to type in new virtual path or update the access policy.
-![Screenshot of the namespace page after clicking on a Blob namespace path - the edit fields appear on a pane to the right](media/update-namespace-blob.png)
+ ![Screenshot of the namespace page after clicking on a Blob namespace path - the edit fields appear on a pane to the right.](media/update-namespace-blob.png)
After making changes, click **OK** to update the storage target, or click **Cancel** to discard changes.
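Review bot: The deleted "Remove a storage target" section carried two operational caveats that the new TIP pointing to manage-storage-targets.md does not preserve: that changed data in the cache is written back to the storage system before the target is removed (which can take an hour or more), and that deleting the target does not delete the back-end container or its contents. Please confirm both survive on the linked page, or keep a one-line warning here next to "delete the storage target and create a replacement", since that sentence now tells readers to delete targets without any mention of pending writes. Minor: "type in new virtual path" should be "type in a new virtual path".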
To change a blob storage target's namespace with the Azure CLI, use the command
For NFS storage targets, you can change or add virtual namespace paths, change the NFS export or subdirectory values that a namespace path points to, and change the usage model.
-Storage targets in caches with some types of custom DNS settings also have a control for refreshing their IP addresses. (This kind of configuration is rare.)
+Storage targets in caches with some types of custom DNS settings also have a control for refreshing their IP addresses. (This kind of configuration is rare.) Learn how to refresh the DNS settings in [Manage storage targets](manage-storage-targets.md#update-ip-address-custom-dns-configurations-only).
Details are below: * [Change aggregated namespace values](#change-aggregated-namespace-values) (virtual namespace path, access policy, export, and export subdirectory) * [Change the usage model](#change-the-usage-model)
-* [Refresh DNS](#update-ip-address-custom-dns-configurations-only)
### Change aggregated namespace values
-You can use the Azure portal or the Azure CLI to change the client-facing namespace path, the storage export, and the export subdirectory (if used).
+You can use the Azure portal or the Azure CLI to change the client-facing namespace path, the storage export, and the export subdirectory (if used). If you need to change the access policy, use the Azure portal.
Read the guidelines in [Add NFS namespace paths](add-namespace-paths.md#nfs-namespace-paths) if you need a reminder about how to create multiple valid paths on one storage target. ### [Portal](#tab/azure-portal)
-Use the **Namespace** page for your Azure HPC Cache to update namespace values. This page is described in more detail in the article [Set up the aggregated namespace](add-namespace-paths.md).
+Use the **Namespace** page for your Azure HPC Cache to update namespace values, including the client access policy. This page is described in more detail in the article [Set up the aggregated namespace](add-namespace-paths.md).
![screenshot of the portal namespace page with the NFS update page open at the right](media/update-namespace-nfs.png)
az hpc-cache nfs-storage-target update --cache-name mycache \
The usage model influences how the cache retains data. Read [Understand cache usage models](cache-usage-models.md) to learn more. > [!NOTE]
-> If you change usage models, you might need to remount clients to avoid NLM errors. Read [Know when to remount clients](cache-usage-models.md#know-when-to-remount-clients-for-nlm) for details.
+> You can't change between **Read heavy, infrequent writes** and other usage models. Read [Understand cache usage models](cache-usage-models.md#change-usage-models) for details.
To change the usage model for an NFS storage target, use one of these methods. ### [Portal](#tab/azure-portal)
-Change the usage model from the **Storage targets** page in the Azure portal. Click the name of the storage target to change.
+Open the **Storage targets** page in the Azure portal. Click the name of a storage target in the list to open its edit page.
![screenshot of the edit page for an NFS storage target](media/edit-storage-nfs.png)
If the cache is stopped or not in a healthy state, the update will apply after t
-### Update IP address (custom DNS configurations only)
-
-If your cache uses a non-default DNS configuration, it's possible for your NFS storage target's IP address to change because of back-end DNS changes. If your DNS server changes the back-end storage system's IP address, Azure HPC Cache can lose access to the storage system.
-
-Ideally, you should work with the manager of your cache's custom DNS system to plan for any updates, because these changes make storage unavailable.
-
-If you need to update a storage target's DNS-provided IP address, there is a button on the Storage targets list. Click **Refresh DNS** to query the custom DNS server for a new IP address.
-
-![Screenshot of storage target list. For one storage target, the "..." menu in the far right column is open and two options appear: Delete, and Refresh DNS.](media/refresh-dns.png)
-
-If successful, the update should take less than two minutes. You can only refresh one storage target at a time; wait for the previous operation to complete before trying another.
-
-## Update an ADLS-NFS storage target (PREVIEW)
+## Update an ADLS-NFS storage target
Similar to NFS targets, you can change the namespace path and the usage model for ADLS-NFS storage targets.
Use the **Namespace** page for your Azure HPC Cache to update namespace values.
The configuration for ADLS-NFS usage models is identical to the NFS usage model selection. Read the portal instructions in [Change the usage model](#change-the-usage-model) in the NFS section above. Additional tools for updating ADLS-NFS storage targets are in development. - ## Next steps
-* Read [Add storage targets](hpc-cache-add-storage.md) to learn more about these options.
+* Read [Manage storage targets](manage-storage-targets.md) for information about stopping, deleting, and flushing individual storage targets.
+* Read [Add storage targets](hpc-cache-add-storage.md) to learn more about storage target options.
* Read [Plan the aggregated namespace](hpc-cache-namespace.md) for more tips about using virtual paths.
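Review bot: The replacement NOTE in the usage-model section drops the NLM remount guidance without saying whether remounting is still needed; if clients must still remount after switching between the remaining usage models, keep that sentence next to the new restriction ("> You can't change between **Read heavy, infrequent writes** and other usage models. ..."), or state explicitly that a remount is no longer required. Two smaller points in the same region: the new step "+1. Use the edit window to type in new virtual path or update the access policy." is missing an article ("a new virtual path"), and with "(PREVIEW)" removed from the ADLS-NFS heading, the unchanged sentence "Additional tools for updating ADLS-NFS storage targets are in development." should be re-checked so the section does not still read as preview content.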
hpc-cache Hpc Cache Ingest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/hpc-cache-ingest.md
description: How to populate Azure Blob storage for use with Azure HPC Cache
Previously updated : 10/30/2019 Last updated : 06/30/2021 # Move data to Azure Blob storage
-If your workflow includes moving data to Azure Blob storage, make sure you are using an efficient strategy. You can either preload data in a new Blob container before defining it as a storage target, or add the container and then copy your data using Azure HPC Cache.
+If your workflow includes moving data to Azure Blob storage, make sure you are using an efficient strategy. You can either pre-load data in a new blob container before defining it as a storage target, or add the container and then copy your data using Azure HPC Cache.
-This article explains the best ways to move data to Blob storage for use with Azure HPC Cache.
+This article explains the best ways to move data to blob storage for use with Azure HPC Cache.
+
+> [!TIP]
+>
+> This article does not apply to NFS-mounted blob storage (ADLS-NFS storage targets). You can use any NFS-based method to populate an ADLS-NFS blob container before adding it to the HPC Cache. Read [Pre-load data with NFS protocol](nfs-blob-considerations.md#pre-load-data-with-nfs-protocol) to learn more.
Keep these facts in mind:
-* Azure HPC Cache uses a specialized storage format to organize data in Blob storage. This is why a Blob storage target must either be a new, empty container, or a Blob container that was previously used for Azure HPC Cache data.
+* Azure HPC Cache uses a specialized storage format to organize data in blob storage. This is why a blob storage target must either be a new, empty container, or a blob container that was previously used for Azure HPC Cache data.
* Copying data through the Azure HPC Cache to a back-end storage target is more efficient when you use multiple clients and parallel operations. A simple copy command from one client will move data slowly.
-A Python-based utility is available to load content into a Blob storage container. Read [Pre-load data in Blob storage](#pre-load-data-in-blob-storage-with-clfsload) to learn more.
+A Python-based utility is available to load content into a blob storage container. Read [Pre-load data in blob storage](#pre-load-data-in-blob-storage-with-clfsload) to learn more.
If you don't want to use the loading utility, or if you want to add content to an existing storage target, follow the parallel data ingest tips in [Copy data through the Azure HPC Cache](#copy-data-through-the-azure-hpc-cache).
-## Pre-load data in Blob storage with CLFSLoad
+## Pre-load data in blob storage with CLFSLoad
-You can use the Avere CLFSLoad utility to copy data to a new Blob storage container before you add it as a storage target. This utility runs on a single Linux system and writes data in the proprietary format needed for Azure HPC Cache. CLFSLoad is the most efficient way to populate a Blob storage container for use with the cache.
+You can use the Avere CLFSLoad utility to copy data to a new blob storage container before you add it as a storage target. This utility runs on a single Linux system and writes data in the proprietary format needed for Azure HPC Cache. CLFSLoad is the most efficient way to populate a blob storage container for use with the cache.
The Avere CLFSLoad utility is available by request from your Azure HPC Cache team. Ask your team contact for it, or open a [support ticket](hpc-cache-support-ticket.md) to request assistance.
A general overview of the process:
The Avere CLFSLoad utility needs the following information:
-* The storage account ID that contains your Blob storage container
-* The name of the empty Blob storage container
+* The storage account ID that contains your blob storage container
+* The name of the empty blob storage container
* A shared access signature (SAS) token that allows the utility to write to the container * A local path to the data source - either a local directory that contains the data to copy, or a local path to a mounted remote system with the data ## Copy data through the Azure HPC Cache
-If you don't want to use the Avere CLFSLoad utility, or if you want to add a large amount of data to an existing Blob storage target, you can copy it through the cache. Azure HPC Cache is designed to serve multiple clients simultaneously, so to copy data through the cache, you should use parallel writes from multiple clients.
+If you don't want to use the Avere CLFSLoad utility, or if you want to add a large amount of data to an existing blob storage target, you can copy it through the cache. Azure HPC Cache is designed to serve multiple clients simultaneously, so to copy data through the cache, you should use parallel writes from multiple clients.
-![Diagram showing multi-client, multi-threaded data movement: At the top left, an icon for on-premises hardware storage has multiple arrows coming from it. The arrows point to four client machines. From each client machine three arrows point toward the Azure HPC Cache. From the Azure HPC Cache, multiple arrows point to Blob storage.](media/hpc-cache-parallel-ingest.png)
+![Diagram showing multi-client, multi-threaded data movement: At the top left, an icon for on-premises hardware storage has multiple arrows coming from it. The arrows point to four client machines. From each client machine three arrows point toward the Azure HPC Cache. From the Azure HPC Cache, multiple arrows point to blob storage.](media/hpc-cache-parallel-ingest.png)
The ``cp`` or ``copy`` commands that you typically use to transfer data from one storage system to another are single-threaded processes that copy only one file at a time. This means that the file server is ingesting only one file at a time - which is a waste of the cache's resources.
-This section explains strategies for creating a multi-client, multi-threaded file copying system to move data to Blob storage with Azure HPC Cache. It explains file transfer concepts and decision points that can be used for efficient data copying using multiple clients and simple copy commands.
+This section explains strategies for creating a multi-client, multi-threaded file copying system to move data to blob storage with Azure HPC Cache. It explains file transfer concepts and decision points that can be used for efficient data copying using multiple clients and simple copy commands.
It also explains some utilities that can help. The ``msrsync`` utility can be used to partially automate the process of dividing a dataset into buckets and using rsync commands. The ``parallelcp`` script is another utility that reads the source directory and issues copy commands automatically.
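Review bot: The CLFSLoad requirements bullet "* A shared access signature (SAS) token that allows the utility to write to the container" gives no guidance on how tightly that token should be scoped, even though it is handed to a separately distributed utility running on a single Linux host; suggest stating that it should be a container-scoped SAS with only the permissions the load needs and a short expiry, and that it should be left to lapse or be revoked once the pre-load is finished. The new TIP correctly scopes this article to standard blob targets and points ADLS-NFS readers elsewhere, which resolves the earlier ambiguity about which container types the format requirement applies to.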
hpc-cache Hpc Cache Manage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/hpc-cache-manage.md
description: How to manage and update Azure HPC Cache using the Azure portal or
Previously updated : 03/08/2021 Last updated : 07/08/2021
The buttons at the top of the page can help you manage the cache:
Read more about these options below.
+> [!TIP]
+> You can also manage individual storage targets - read [Manage storage targets](manage-storage-targets.md) for details.
+ Click the image below to watch a [video](https://azure.microsoft.com/resources/videos/managing-hpc-cache/) that demonstrates cache management tasks. [![video thumbnail: Azure HPC Cache: Manage (click to visit the video page)](media/video-5-manage.png)](https://azure.microsoft.com/resources/videos/managing-hpc-cache/)
$
-## Cache metrics and monitoring
-
-The overview page shows graphs for some basic cache statistics - cache throughput, operations per second, and latency.
-
-![screenshot of three line graphs showing the statistics mentioned above for a sample cache](media/hpc-cache-overview-stats.png)
-
-These charts are part of Azure's built-in monitoring and analytics tools. Additional tools and alerts are available from the pages under the **Monitoring** heading in the portal sidebar. Learn more in the portal section of the [Azure Monitoring documentation](../azure-monitor/essentials/monitor-azure-resource.md#monitoring-in-the-azure-portal).
- ## View warnings If the cache goes into an unhealthy state, check the **Warnings** page. This page shows notifications from the cache software that might help you understand its state.
Kinds of warnings you might see here include:
## Next steps
-* Learn more about [Azure metrics and statistics tools](../azure-monitor/index.yml)
+* [Monitor the cache with statistics](metrics.md)
* Get [help with your Azure HPC Cache](hpc-cache-support-ticket.md)
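Review bot: Removing the whole "## Cache metrics and monitoring" section leaves the body of this page with no pointer to where the overview charts are now documented; the only reference left is the Next steps bullet "* [Monitor the cache with statistics](metrics.md)". Suggest a one-line pointer where the section was, or in the new TIP block, so readers who come to this page for monitoring are redirected. Also, the removed line "- ## View warnings If the cache goes into an unhealthy state, check the **Warnings** page." reads as if the View warnings heading itself were deleted; please confirm that only the blank line preceding the heading was removed.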
hpc-cache Hpc Cache Namespace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/hpc-cache-namespace.md
To allow easy access through the cache, consider creating storage targets with t
| /goldline/templates/acme2017/sku980 | /templates/sku980 | | sourcecollection | /source/ |
-An NFS storage target can have multiple virtual namespace paths, as long as each one references a unique export path. (Read [NFS namespace paths](add-namespace-paths.md#nfs-namespace-paths) to learn the recommended maximum number of namespace paths per NFS storage target.)
+An NFS storage target can have multiple virtual namespace paths, as long as each one references a unique export path. (Read [NFS namespace paths](add-namespace-paths.md#nfs-namespace-paths) to learn more about using multiple namespace paths with an NFS storage target.)
Because the NFS source paths are subdirectories of the same export, you will need to define multiple namespace paths from the same storage target.
hpc-cache Hpc Cache Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/hpc-cache-prerequisites.md
Check these permission-related prerequisites before starting to create your cach
## Storage infrastructure <!-- heading is linked in create storage target GUI as aka.ms/hpc-cache-prereq#storage-infrastructure - make sure to fix that if you change the wording of this heading -->
-The cache supports Azure Blob containers, NFS hardware storage exports, and NFS-mounted ADLS blob containers (currently in preview). Add storage targets after you create the cache.
+The cache supports Azure Blob containers, NFS hardware storage exports, and NFS-mounted ADLS blob containers. Add storage targets after you create the cache.
The size of your cache determines how many storage targets it can support - up to 10 storage targets for most caches, or up to 20 for the largest sizes. Read [Size your cache correctly to support your storage targets](hpc-cache-add-storage.md#size-your-cache-correctly-to-support-your-storage-targets) for details.
Each storage type has specific prerequisites.
If you want to use Azure Blob storage with your cache, you need a compatible storage account and either an empty Blob container or a container that is populated with Azure HPC Cache formatted data as described in [Move data to Azure Blob storage](hpc-cache-ingest.md). > [!NOTE]
-> Different requirements apply to NFS-mounted blob storage. Read [ADLS-NFS storage requirements](#nfs-mounted-blob-adls-nfs-storage-requirements-preview) for details.
+> Different requirements apply to NFS-mounted blob storage. Read [ADLS-NFS storage requirements](#nfs-mounted-blob-adls-nfs-storage-requirements) for details.
Create the account before attempting to add a storage target. You can create a new container when you add the target.
It's a good practice to use a storage account in the same Azure region as your c
You also must give the cache application access to your Azure storage account as mentioned in [Permissions](#permissions), above. Follow the procedure in [Add storage targets](hpc-cache-add-storage.md#add-the-access-control-roles-to-your-account) to give the cache the required access roles. If you are not the storage account owner, have the owner do this step. ### NFS storage requirements
-<!-- linked from configuration.md -->
+<!-- linked from configuration.md and add storage -->
If using an NFS storage system (for example, an on-premises hardware NAS system), make sure it meets these requirements. You might need to work with the network administrators or firewall managers for your storage system (or data center) to verify these settings.
More information is included in [Troubleshoot NAS configuration and NFS storage
* NFS back-end storage must be a compatible hardware/software platform. Contact the Azure HPC Cache team for details.
-### NFS-mounted blob (ADLS-NFS) storage requirements (PREVIEW)
+### NFS-mounted blob (ADLS-NFS) storage requirements
Azure HPC Cache also can use a blob container mounted with the NFS protocol as a storage target.
-> [!NOTE]
-> NFS 3.0 protocol support for Azure Blob storage is in public preview. Availability is restricted, and features might change between now and when the feature becomes generally available. Do not use preview technology in production systems.
->
-> Read more about this preview feature in [NFS 3.0 protocol support in Azure Blob storage](../storage/blobs/network-file-system-protocol-support.md).
+Read more about this feature in [NFS 3.0 protocol support in Azure Blob storage](../storage/blobs/network-file-system-protocol-support.md).
The storage account requirements are different for an ADLS-NFS blob storage target and for a standard blob storage target. Follow the instructions in [Mount Blob storage by using the Network File System (NFS) 3.0 protocol](../storage/blobs/network-file-system-protocol-support-how-to.md) carefully to create and configure the NFS-enabled storage account.
hpc-cache Manage Storage Targets https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/manage-storage-targets.md
+
+ Title: Manage Azure HPC Cache storage targets
+description: How to suspend, remove, force delete, and flush Azure HPC Cache storage targets
+++ Last updated : 07/01/2021+++
+# Manage storage targets
+
+You can perform management actions on individual storage targets. These actions supplement the cache-level options discussed in [Manage your cache](hpc-cache-manage.md).
+
+These controls can help you recover from an unexpected situation (like an unresponsive storage target), and also give you the ability to override some automatic cache actions (like writing changed files back to the long-term storage system).
+
+Open the **Storage targets** page in the Azure portal. Click the **...** text on the far right of the storage target list to open the list of tasks.
+
+![Screenshot of the storage targets page in the Azure portal, with the cursor over the menu exposed by clicking on the three dots (...) symbol to the far right of the storage target's row in the list.](media/storage-target-manage-options.png)
+
+These options are available:
+
+* **Flush** - Write all cached changes to the back-end storage
+* **Suspend** - Temporarily stop the storage target from serving requests
+* **Resume** - Put a suspended storage target back into service
+* **Force remove** - Delete a storage target, skipping some usual steps
+* **Delete** - Permanently remove a storage target
+
+Some storage targets also have a **Refresh DNS** option on this menu, which updates the storage target IP address from a custom DNS server. This configuration is uncommon.
+
+Read the rest of this article for more detail about these options.
+
+## Write cached files to the storage target
+
+The **Flush** option tells the cache immediately copy any changed files stored in the cache to the back-end storage system. For example, if your client machines are updating a particular file repeatedly, it is held in the cache for quicker access and not written to the long-term storage system for a period ranging from several minutes to more than an hour.
+
+The **Flush** action tells the cache to write all files to the storage system.
+
+The cache won't accept requests from clients for files on this storage target until after the flush is complete.
+
+You could use this option to make sure that the back-end storage is populated before doing a backup, or for any situation where you want to make sure the back-end storage has recent updates.
+
+This option mainly applies to usage models that include write caching. Read [Understand cache usage models](cache-usage-models.md) to learn more about read and write caching.
+
+## Suspend a storage target
+
+The suspend feature disables client access to a storage target, but doesn't permanently remove the storage target from your cache. You can use this option if you need to disable a back-end storage system for maintenance, repair, or replacement.
+
+## Put a suspended storage target back in service
+
+Use **Resume** to un-suspend a storage target.
+
+## Force remove a storage target
+
+> [!NOTE]
+> This option can cause data loss for the affected storage target.
+
+If a storage target can't be removed with a normal delete action, you can use the **Force remove** option to delete it from the Azure HPC Cache.
+
+This action skips the step that synchronizes files in the cache with the files in the back-end storage system. There is no guarantee that any changes written to the HPC Cache will be written to the back-end storage system, so changes can be lost if you use this option.
+
+There also is no guarantee that the back-end storage system will be accessible after it is removed from the cache.
+
+Usually, force remove is used only when a storage target has become unresponsive or otherwise is in a bad state. This option lets you remove the bad storage target instead of having to take more drastic action.
+<!-- https://msazure.visualstudio.com/One/_workitems/edit/8267141 -->
+
+## Delete a storage target
+
+You can use the Azure portal or the AZ CLI to delete a storage target.
+
+The regular delete option permanently removes the storage target from the HPC Cache, but first it synchronizes the cache contents with the back-end storage system. It's different from the force delete option, which does not synchronize data.
+
+Deleting a storage target removes the storage system's association with this Azure HPC Cache, but it does not change the back-end storage system. For example, if you used an Azure Blob storage container, the container and its contents still exist after you delete it from the cache. You can add the container to a different Azure HPC Cache, re-add it to this cache, or delete it with the Azure portal.
+
+If there is a large amount of changed data stored in the cache, deleting a storage target can take several minutes to complete. Wait for the action to finish to be sure that the data is safely stored in your long-term storage system.
+
+### [Portal](#tab/azure-portal)
+
+To remove a storage target, open the **Storage targets** page. Click the '...' next to the storage target and choose **Delete** from the menu.
+
+### [Azure CLI](#tab/azure-cli)
+
+[Set up Azure CLI for Azure HPC Cache](./az-cli-prerequisites.md).
+
+Use [az hpc-cache storage-target remove](/cli/azure/hpc-cache/storage-target#az_hpc_cache_storage_target_remove) to delete a storage target from the cache.
+
+```azurecli
+$ az hpc-cache storage-target remove --resource-group cache-rg --cache-name doc-cache0629 --name blob1
+
+{- Finished ..
+ "endTime": "2020-07-09T21:45:06.1631571+00:00",
+ "name": "2f95eac1-aded-4860-b19c-3f089531a7ec",
+ "startTime": "2020-07-09T21:43:38.5461495+00:00",
+ "status": "Succeeded"
+}
+```
+++
+## Update IP address (custom DNS configurations only)
+
+If your cache uses a non-default DNS configuration, it's possible for your NFS storage target's IP address to change because of back-end DNS changes. If your DNS server changes the back-end storage system's IP address, Azure HPC Cache can lose access to the storage system.
+
+Ideally, you should work with the manager of your cache's custom DNS system to plan for any updates, because these changes make storage unavailable.
+
+If you need to update a storage target's DNS-provided IP address, use the **Storage targets** page. Click the **...** symbol in the right column to open the context menu. Choose **Refresh DNS** to query the custom DNS server for a new IP address.
+
+![Screenshot of storage target list. For one storage target, the "..." menu in the far right column is open and two options appear: Delete, and Refresh DNS.](media/refresh-dns.png) <!-- update screenshot if possible -->
+
+If successful, the update should take less than two minutes. You can only refresh one storage target at a time; wait for the previous operation to complete before trying another.
+
+## Next steps
+
+* Learn about [cache-level management actions](hpc-cache-manage.md)
+* [Edit a storage target](hpc-cache-edit-storage.md)
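Review bot: The "## Suspend a storage target" section does not say what happens to changed files still held in the cache for that target: whether they are written back before the target stops serving, held until **Resume**, or at risk if the back-end is replaced during maintenance. Since the same page documents **Flush** for exactly this purpose, suggest stating whether a Flush is recommended (or performed automatically) before Suspend. Smaller points in the same hunk: "The **Flush** option tells the cache immediately copy any changed files" is missing "to"; "Azure portal or the AZ CLI" should be "Azure CLI" to match the tab label; the delete section refers to "the force delete option" while the menu item and heading call it **Force remove**; and the CLI sample output keeps spinner residue ("{- Finished ..") that should be trimmed to the clean JSON.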
hpc-cache Metrics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/metrics.md
+
+ Title: Azure HPC Cache metrics and monitoring
+description: How to see statistics about your Azure HPC Cache
+++ Last updated : 07/08/2021+++
+# Cache metrics and monitoring
+
+The Azure portal has several built-in visualizations that you can use to monitor the performance of your Azure HPC Cache.
+
+This article explains where to find the visualizations, and what they show.
+
+There are four HPC Cache portal pages that show cache performance data:
+
+* **Overview**
+* **Metrics**
+* **Cache report**
+* **Client status**
+
+Open the **Metrics**, **Cache report**, and **Client status** pages from the **Monitoring** menu in the sidebar. The cache's **Overview** page is the top item on the sidebar menu.
+
+![screenshot of the Monitoring menu on the left of the Azure portal interface for HPC Cache.](media/monitoring-menu.png)
+
+## Overview page
+
+The cache's **Overview** page shows graphs for some basic cache statistics - cache throughput, operations per second, and latency. The graphs are at the bottom of the page, underneath the **Essentials** section.
+
+![screenshot of three line graphs showing the statistics mentioned above for a sample cache](media/hpc-cache-overview-stats.png)
+
+These charts are part of Azure's built-in monitoring and analytics tools. Learn more about these capabilities from the [Azure Monitoring documentation](../azure-monitor/essentials/monitor-azure-resource.md#monitoring-in-the-azure-portal).
+
+## Metrics page
+
+The HPC Cache **Metrics** page is another standard Azure feature. Follow the tips on the page to create your own charts and to learn more about the features.
+
+## Cache report
+
+The **Cache report** is a customized set of charts that show your cache's used space, free space, and cache recycle rate.
+
+By default, the page shows aggregated data for all of the cache's storage targets, but you can use the **Storage target** control to show the cache consumption data for one particular storage target instead. You also can customize the time range to show.
+
+![screenshot of the Cache report page.](media/cache-report.png)
+
+* **Cache used space** is the amount of space in your cache storage that's in use storing files that client machines have requested. If you select a single storage target, it shows only the space used for files from that back-end storage system.
+
+* **Cache free space** is the available capacity remaining in cache storage.
+
+* **Cache recycle rate** represents the rate at which old files are being removed from the cache to make room for newly requested files. For a single storage target, this calculation only includes files stored on that target.
+
+## Client status
+
+The **Client status** page lists the client machines that are connected to your Azure HPC Cache.
+
+![screenshot of the Client status page.](media/client-status.png)
+
+You can customize the table with filters to show a specific client address or address range, a specific storage target, or an individual cache mount address.
+
+The connection types shown in the table have to do with the client connections to the storage target:
+
+* `azure_https_backend` is a secure client connection to a standard Azure Blob storage system.
+* `mount_backend` is an NFS connection to either a hardware NFS system or an NFS-enabled blob container.
+* `nfs_backend` is similar
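Review bot: The connection-type list ends with the truncated bullet "+* `nfs_backend` is similar", so the distinction between `mount_backend` and `nfs_backend` is not documented in what is visible here; please complete that bullet. The lead-in sentence "The connection types shown in the table have to do with the client connections to the storage target" also conflicts with the names themselves (`azure_https_backend`, `mount_backend`, `nfs_backend` all describe the cache's connection to the back-end storage system, not a client's connection); suggest rewording to "the cache's back-end connection to the storage target".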