Updates from: 07/15/2021 03:10:24
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Data Residency https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/data-residency.md
Previously updated : 04/27/2021 Last updated : 07/14/2021
Azure AD B2C identity data is stored in a geographical location based on the cou
Region availability and data residency are two different concepts that apply to Azure AD B2C. This article explains the differences between these two concepts, and compares how they apply to Azure versus Azure AD B2C.
-Azure AD B2C is **generally available worldwide** with the option for **data residency** in the **United States, Europe, or Asia Pacific**. Azure AD B2C is in **public preview** in Australia.
+Azure AD B2C is **generally available worldwide** with the option for **data residency** in the **United States, Europe, Asia Pacific, or Australia**.
[Region availability](#region-availability) refers to where a service is available for use.
Data resides in **Asia Pacific** for the following countries/regions:
> Afghanistan (AF), Hong Kong SAR (HK), India (IN), Indonesia (ID), Japan (JP), Korea (KR), Malaysia (MY), Philippines (PH), Singapore (SG), Sri Lanka (LK), Taiwan (TW), and Thailand (TH)
-Data resides in **Australia** (Preview) for the following countries/regions:
+Data resides in **Australia** for the following countries/regions:
> Australia and New Zealand
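Review bot: The Australia list under the updated heading gives bare names ("Australia and New Zealand"), while the Asia Pacific list gives every entry with its country code, for example "Japan (JP)". Add (AU) and (NZ) so the two lists read the same way now that the region is no longer labelled Preview.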
active-directory Concept Sspr Licensing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-sspr-licensing.md
Previously updated : 06/03/2021 Last updated : 07/13/2021
To reduce help desk calls and loss of productivity when a user can't sign in to their device or an application, user accounts in Azure Active Directory (Azure AD) can be enabled for self-service password reset (SSPR). Features that make up SSPR include password change, reset, unlock, and writeback to an on-premises directory. Basic SSPR features are available in Microsoft 365 Business Standard or higher and all Azure AD Premium SKUs at no cost.
-This article details the different ways that self-service password reset can be licensed and used. For specific details about pricing and billing, see the [Azure AD pricing page](https://azure.microsoft.com/pricing/details/active-directory/).
+This article details the different ways that self-service password reset can be licensed and used. For specific details about pricing and billing, see the [Azure AD pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
## Compare editions and features
For additional licensing information, including costs, see the following pages:
* [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance)
-* [Azure Active Directory pricing](https://azure.microsoft.com/pricing/details/active-directory/)
+* [Azure Active Directory pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing)
* [Azure Active Directory features and capabilities](https://www.microsoft.com/cloud-platform/azure-active-directory-features) * [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) * [Microsoft 365 Enterprise](https://www.microsoft.com/microsoft-365/enterprise)
active-directory Howto Authentication Passwordless Security Key On Premises https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md
$domain = "contoso.corp.com"
# Enter an Azure Active Directory global administrator username and password. $cloudCred = Get-Credential
+If you have MFA enabled for Global administrator, Please remove "-Cloudcredential $cloudCred"
+you will see web-based popup and complete the U/P and MFA there
+ # Enter a domain administrator username and password. $domainCred = Get-Credential
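Review bot: The two added sentences between `$cloudCred = Get-Credential` and the `# Enter a domain administrator` comment have no leading `#`, so if they sit inside the PowerShell sample they are parsed as commands when the script is pasted. Prefix them as comments or move them into a note above the block. The wording also needs tightening: the instruction to remove `-Cloudcredential $cloudCred` does not name the command that takes the parameter, "U/P" should be spelled out as "username and password", and "Please" should be lowercase. If the parameter is removed, the `$cloudCred = Get-Credential` prompt is no longer needed, and the text should say to skip it.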
active-directory Concept Conditional Access Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-conditional-access-policies.md
Location data is provided by IP geolocation data. Administrators can choose to d
#### Client apps
-By default Conditional Access policies apply to browser apps, mobile apps, and desktop clients that support modern authentication.
+By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition is not configured.
-This assignment condition allows Conditional Access policies to target specific client applications not using modern authentication. These applications include Exchange ActiveSync clients, older Office applications that do not use modern authentication, and mail protocols like IMAP, MAPI, POP, and SMTP.
+The behavior of the client apps condition was updated in August 2020. If you have existing Conditional Access policies, they will remain unchanged. However, if you click on an existing policy, the configure toggle has been removed and the client apps the policy applies to are selected.
#### Device state
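Review bot: In the Client apps paragraph, the replacement text drops the only description of which clients the condition was meant for (Exchange ActiveSync clients, older Office applications, IMAP, MAPI, POP, SMTP), so a reader can no longer tell that "all client app types" includes those legacy authentication protocols. Keep the list, or state outright that new policies cover legacy authentication clients by default. The second added sentence is also ambiguous: "they will remain unchanged" is followed by "the configure toggle has been removed and the client apps the policy applies to are selected", which leaves open whether opening and saving an existing policy changes what it enforces. Say which it is.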
The article [Common Conditional Access policies](concept-conditional-access-poli
[Managing device compliance with Intune](/intune/device-compliance-get-started)
-[Microsoft Cloud App Security and Conditional Access](/cloud-app-security/proxy-intro-aad)
+[Microsoft Cloud App Security and Conditional Access](/cloud-app-security/proxy-intro-aad)
active-directory Plan Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/plan-conditional-access.md
With Conditional Access policies, you can implement automated responses to sign-
* [Require all users to register for MFA](howto-conditional-access-policy-risk.md)
-* [Require a password change for users that are high-risk](howto-conditional-access-policy-risk.md)
+* [Require a password change for users that are high-risk](howto-conditional-access-policy-risk-user.md)
* [Require MFA for users with medium or high sign-in risk](howto-conditional-access-policy-risk.md)
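Review bot: The first and third list items still point at howto-conditional-access-policy-risk.md after this fix. "Require all users to register for MFA" sharing a target with the sign-in risk item looks like the same copy-paste error that was just corrected for the password-change item. Check the registration item's link target and correct it in this change if it is wrong.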
active-directory V2 Howto App Gallery Listing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-howto-app-gallery-listing.md
The timeline for the process of listing an OpenID Connect application in the gal
![Timeline for listing an OpenID Connect application in the gallery](./media/howto-app-gallery-listing/timeline2.png)
+The timeline for the process of listing a SCIM provisioning application in the gallery is variable and depends on numerous factors.
+ ### Escalations For any escalations, send email to the [Azure AD SSO Integration Team](mailto:SaaSApplicationIntegrations@service.microsoft.com), and we'll respond as soon as possible.
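Review bot: The added SCIM sentence, "is variable and depends on numerous factors", gives the reader nothing to plan around, whereas the OpenID Connect case directly above it gets a timeline image. Name the main factors or give a typical range. The new Escalations section names the "Azure AD SSO Integration Team" as the contact; say whether the same address also handles SCIM provisioning listings, since that is the case the preceding added sentence introduces.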
active-directory Assign Local Admin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/assign-local-admin.md
To modify the device administrator role, configure **Additional local administra
![Additional local administrators](./media/assign-local-admin/10.png)
->[!NOTE]
+> [!NOTE]
> This option requires an Azure AD Premium tenant. Device administrators are assigned to all Azure AD joined devices. You cannot scope device administrators to a specific set of devices. Updating the device administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when *both* the below actions happen:
Device administrators are assigned to all Azure AD joined devices. You cannot sc
- Upto 4 hours have passed for Azure AD to issue a new Primary Refresh Token with the appropriate privileges. - User signs out and signs back in, not lock/unlock, to refresh their profile.
->[!NOTE]
+> [!NOTE]
> The above actions are not applicable to users who have not signed in to the relevant device previously. In this case, the administrator privileges are applied immediately after their first sign-in to the device. ## Manage administrator privileges using Azure AD groups (preview) Starting with Windows 10 version 2004, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the [Restricted Groups](/windows/client-management/mdm/policy-csp-restrictedgroups) MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, providing you the granularity to configure distinct administrators for different groups of devices.
->[!NOTE]
-> Starting Windows 10 20H2 update, we recommend using [Local Users and Groups](/windows/client-management/mdm/policy-csp-localusersandgroups) policy instead of the Restricted Groups policy
+> [!NOTE]
+> Starting in the Windows 10 20H2 update, we recommend using [Local Users and Groups](/windows/client-management/mdm/policy-csp-localusersandgroups) policy instead of the Restricted Groups policy.
Currently, there's no UI in Intune to manage these policies and they need to be configured using [Custom OMA-URI Settings](/mem/intune/configuration/custom-settings-windows-10). A few considerations for using either of these policies: - Adding Azure AD groups through the policy requires the group's SID that can be obtained by executing the [Microsoft Graph API for Groups](/graph/api/resources/group). The SID is defined by the property `securityIdentifier` in the API response.+ - When Restricted Groups policy is enforced, any current member of the group that is not on the Members list is removed. So enforcing this policy with new members or groups will remove the existing administrators namely user who joined the device, the Device administrator role and Global administrator role from the device. To avoid removing existing members, you need to configure them as part of the Members list in the Restricted Groups policy. This limitation is addressed if you use the Local Users and Groups policy that allows incremental updates to group membership+ - Administrator privileges using both policies are evaluated only for the following well-known groups on a Windows 10 device - Administrators, Users, Guests, Power Users, Remote Desktop Users and Remote Management Users. + - Managing local administrators using Azure AD groups is not applicable to Hybrid Azure AD joined or Azure AD Registered devices.+ - While the Restricted Groups policy existed prior to Windows 10 version 2004, it did not support Azure AD groups as members of a device's local administrators group.
+> [!IMPORTANT]
+> Windows sign-in with Azure AD supports evaluation of up to 20 groups for administrator rights. We recommend having no more than 20 Azure AD groups on each device to ensure that administrator rights are correctly assigned. This limitation also applies to nested groups.
++ ## Manage regular users By default, Azure AD adds the user performing the Azure AD join to the administrator group on the device. If you want to prevent regular users from becoming local administrators, you have the following options:
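Review bot: The new [!IMPORTANT] block states a hard limit ("supports evaluation of up to 20 groups") and then phrases it as a recommendation ("We recommend having no more than 20 Azure AD groups on each device") without saying what happens past 20. Because this determines who receives local administrator rights, state the failure mode: which groups go unevaluated, and whether their members silently fail to get admin rights. "This limitation also applies to nested groups" should also say whether nested groups count toward the same 20 or are limited separately.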
active-directory Google Federation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/google-federation.md
Previously updated : 07/09/2021 Last updated : 07/13/2021
After you've added Google as one of your application's sign-in options, on the *
![Sign in options for Google users](media/google-federation/sign-in-with-google-overview.png) > [!NOTE]
-> Google federation is designed specifically for Gmail users. To federate with G Suite domains, use [SAML/WS-Fed identity provider federation](direct-federation.md).
+> Google federation is designed specifically for Gmail users. To federate with Google Workspace domains, use [SAML/WS-Fed identity provider federation](direct-federation.md).
> [!IMPORTANT] > > - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up or for inviting external users for their custom or line-of-business applications, authentication could be blocked for Gmail users (with the error screen shown below in [What to expect](#what-to-expect)). This issue occurs only if you create Google integration for self-service sign-up user flows or invitations after July 12, 2021 and Gmail authentications in your custom or line-of-business applications havenΓÇÖt been moved to system web-views. Because system web-views are enabled by default, most apps will not be affected. To avoid the issue, we strongly advise you to move Gmail authentications to system browsers before creating any new Google integrations for self-service sign-up. Please refer to [Action needed for embedded web-views](#action-needed-for-embedded-frameworks).
-> - **Starting September 30, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](#deprecation-of-web-view-sign-in-support).
+> - **Starting September 30, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Azure AD B2B for external user invitations or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](#deprecation-of-web-view-sign-in-support).
## What is the experience for the Google user?
You can also give Google guest users a direct link to an application or resource
## Deprecation of web-view sign-in support
-Starting September 30, 2021, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using [self-service sign-up with Gmail](identity-providers.md), if your apps authenticate users with an embedded web-view, Google Gmail users won't be able to authenticate.
+Starting September 30, 2021, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Azure AD B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate.
The following are known scenarios that will impact Gmail users: - Windows apps that use the [WebView](/windows/communitytoolkit/controls/wpf-winforms/webview) control, [WebView2](/microsoft-edge/webview2/), or the older WebBrowser control, for authentication. These apps should migrate to using the Web Account Manager (WAM) flow. - Android applications using the WebView UI element - iOS applications using UIWebView/WKWebview -- Apps using ADAL
+- [Apps using ADAL](../develop/howto-get-list-of-all-active-directory-auth-library-apps.md)
This change does not affect: - Microsoft apps on Windows - Web apps - Mobile apps using system web-views for authentication ([SFSafariViewController](https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller) on iOS, [Custom Tabs](https://developer.chrome.com/docs/android/custom-tabs/overview/) on Android). -- G Suite identities, for example when youΓÇÖre using [SAML-based federation](direct-federation.md) with G Suite
+- Google Workspace identities, for example when youΓÇÖre using [SAML-based federation](direct-federation.md) with Google Workspace
WeΓÇÖre confirming with Google whether this change affects the following: - Windows apps that use the Web Account Manager (WAM) or Web Authentication Broker (WAB).
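Review bot: In the "Deprecation of web-view sign-in support" paragraph, the added "[external user invitations](google-federation.md)" link points at the article being edited, so following it only reloads the page. The matching sentence in the [!IMPORTANT] block at the top of the same file leaves "external user invitations" unlinked. Drop the self-link or point it at an in-page anchor. The top block also still reads "deprecating web-view sign-in support" while this paragraph reads "deprecating embedded web-view sign-in support"; use one wording in both places.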
active-directory Identity Providers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/identity-providers.md
Previously updated : 07/09/2021 Last updated : 07/13/2021
In addition to Azure AD accounts, External Identities offers a variety of identi
> [!IMPORTANT] > > - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
- > - **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+ > - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Azure AD B2B for [external user invitations](google-federation.md) or self-service sign-up, Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+ - **Facebook**: When building an app, you can configure self-service sign-up and enable Facebook federation so that users can sign up for your app using their own Facebook accounts. Facebook can only be used for self-service sign-up user flows and isn't available as a sign-in option when users are redeeming invitations from you. See how to [add Facebook as an identity provider](facebook-federation.md).
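Review bot: The two bullets of the [!IMPORTANT] block now disagree on scope. The untouched July 12 bullet covers only "new Google integrations for use with self-service sign-up", while the rewritten September 30 bullet covers both "external user invitations" and self-service sign-up, and the google-federation.md version of the July 12 bullet also includes "or for inviting external users". Align the first bullet with the source article in this change. The same block is repeated in redemption-experience.md, self-service-sign-up-add-api-connector.md, self-service-sign-up-add-approvals.md, troubleshoot.md and what-is-b2b.md, so a shared include would keep the copies from drifting again.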
active-directory Microsoft Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/microsoft-account.md
Title: Microsoft Account (MSA) identity provider in Azure AD
+ Title: Microsoft account (MSA) identity provider in Azure AD
description: Use Azure AD to enable an external user (guest) to sign in to your Azure AD apps with their Microsoft account (MSA).
-# Microsoft Account (MSA) identity provider for External Identities (Preview)
+# Microsoft account (MSA) identity provider for External Identities (Preview)
> [!NOTE]
-> The Microsoft Account identity provider is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> The Microsoft account identity provider is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
Your B2B guest users can use their own personal Microsoft accounts for B2B collaboration without further configuration. Guest users can redeem your B2B collaboration invitations or complete your sign-up user flows using their personal Microsoft account.
Microsoft accounts are set up by a user to get access to consumer-oriented Micro
## Guest sign-in using Microsoft accounts
-Microsoft Account is available in the list of External Identities identity providers by default. No further configuration is needed to allow guest users to sign in with their Microsoft account using either the invitation flow or a self-service sign-up user flow.
+Microsoft account is available in the list of External Identities identity providers by default. No further configuration is needed to allow guest users to sign in with their Microsoft account using either the invitation flow or a self-service sign-up user flow.
-![Microsoft Account in the identity providers list](media/microsoft-account/microsoft-account-identity-provider.png)
+![Microsoft account in the identity providers list](media/microsoft-account/microsoft-account-identity-provider.png)
-### Microsoft Account in the invitation flow
+### Microsoft account in the invitation flow
When you [invite a guest user](add-users-administrator.md) to B2B collaboration, you can specify their Microsoft account as the email address they'll use to sign in. ![Invite using a Microsoft account](media/microsoft-account/microsoft-account-invite.png)
-### Microsoft Account in self-service sign-up user flows
+### Microsoft account in self-service sign-up user flows
-Microsoft Account is an identity provider option for your self-service sign-up user flows. Users can sign up for your applications using their own Microsoft accounts. First, you'll need to [enable self-service sign-up](self-service-sign-up-user-flow.md) for your tenant. Then you can set up a user flow for the application and select Microsoft Account as one of the sign-in options.
+Microsoft account is an identity provider option for your self-service sign-up user flows. Users can sign up for your applications using their own Microsoft accounts. First, you'll need to [enable self-service sign-up](self-service-sign-up-user-flow.md) for your tenant. Then you can set up a user flow for the application and select Microsoft account as one of the sign-in options.
![Microsoft account in a self-service sign-up user flow](media/microsoft-account/microsoft-account-user-flow.png)
active-directory Redemption Experience https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/redemption-experience.md
Previously updated : 07/09/2021 Last updated : 07/13/2021
When you add a guest user to your directory, the guest user account has a consen
> [!IMPORTANT] > > - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
- > - **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+ > - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Azure AD B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
> - **Starting October 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md), which is now generally available. ## Redemption and sign-in through a common endpoint
active-directory Self Service Sign Up Add Api Connector https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/self-service-sign-up-add-api-connector.md
Previously updated : 07/09/2021 Last updated : 07/13/2021
To use an [API connector](api-connectors-overview.md), you first create the API
> [!IMPORTANT] > > - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
-> - **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+> - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Azure AD B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
## Create an API connector
active-directory Self Service Sign Up Add Approvals https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/self-service-sign-up-add-approvals.md
Previously updated : 07/09/2021 Last updated : 07/13/2021
This article gives an example of how to integrate with an approval system. In th
> [!IMPORTANT] > > - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
-> - **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+> - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Azure AD B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
## Register an application for your approval system
active-directory Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/troubleshoot.md
Previously updated : 07/09/2021 Last updated : 07/13/2021 tags: active-directory
Here are some remedies for common problems with Azure Active Directory (Azure AD
> [!IMPORTANT] > > - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
- > - **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+ > - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Azure AD B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
> - **Starting October 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md), which is now generally available. ## IΓÇÖve added an external user but do not see them in my Global Address Book or in the people picker
External users can be added only to ΓÇ£assignedΓÇ¥ or ΓÇ£SecurityΓÇ¥ groups and
The invitee should check with their ISP or spam filter to ensure that the following address is allowed: Invites@microsoft.com > [!NOTE]
-> For the Azure service operated by 21Vianet in China, the sender address is Invites@oe.21vianet.com.
+>
+> - For the Azure service operated by 21Vianet in China, the sender address is Invites@oe.21vianet.com.
+> - For the Azure AD Government cloud, the sender address is invites@azuread.us.
## I notice that the custom message does not get included with invitation messages at times
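Review bot: The added Government cloud address is written "invites@azuread.us" in lowercase, while the two existing addresses are written "Invites@microsoft.com" and "Invites@oe.21vianet.com". Readers copy these into allow-list rules, so confirm the exact sender string and use one casing convention for all three.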
active-directory What Is B2b https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/what-is-b2b.md
Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a
> [!IMPORTANT] > > - **Starting July 12, 2021**, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
-> - **Starting September 30th, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If youΓÇÖre using Google federation for B2B invitations or [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md), or if you're using self-service sign-up with Gmail, Google Gmail users won't be able to sign in if your apps authenticate users with an embedded web-view. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+> - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Azure AD B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
> - **Starting October 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md), which is now generally available. ## Collaborate with any partner using their identities
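Review bot: In the rewritten September 30, 2021 bullet, the link text now says Google is "deprecating embedded web-view sign-in support", but the target is still a developers.googleblog.com URL dated 2016/08, which sits oddly beside a 2021 deadline. Consider linking that phrase to google-federation.md#deprecation-of-web-view-sign-in-support, which the bullet already uses for "Learn more", or say that the Google post is background. The new wording also keeps "Google Gmail users"; "Gmail users" is enough.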
active-directory Security Operations Applications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/security-operations-applications.md
+
+ Title: Azure Active Directory security operations for applications
+description: Learn how to monitor and alert on applications to identify security threats.
+++++++ Last updated : 07/15/2021+++++
+# Azure Active Directory security operations guide for Applications
+
+Applications provide an attack surface for security breaches and must be monitored. While not targeted as often as user accounts, breaches can occur. Since applications often run without human intervention, the attacks may be harder to detect.
+
+This article provides guidance to monitor and alert on application events. It's regularly updated to help ensure that you:
+
+* Prevent malicious applications from getting unwarranted access to data.
+
+* Prevent existing applications from being compromised by bad actors.
+
+* Gather insights that enable you to build and configure new applications more securely.
+
+If you're unfamiliar with how applications work in Azure Active Directory (Azure AD), see [Apps and service principals in Azure AD](../develop/app-objects-and-service-principals.md).
+
+> [!NOTE]
+> If you have not yet reviewed the [Azure Active Directory security operations overview](security-operations-introduction.md), consider doing so now.
+
+## What to look for
+
+As you monitor your application logs for security incidents, review the following to help differentiate normal activity from malicious activity. The following events may indicate security concerns and each are covered in the rest of the article.
+
+* Any changes occurring outside of normal business processes and schedules.
+
+* Application credentials changes
+
+* Application permissions
+
+ * Service principal assigned to an Azure AD or Azure RBAC role.
+
+ * Applications that are granted highly privileged permissions.
+
+ * Azure Key Vault changes.
+
+ * End user granting applications consent.
+
+ * Stopped end user consent based on level of risk.
+
+* Application configuration changes
+
+ * Universal resource identifier (URI) changed or non-standard.
+
+ * Changes to application owners.
+
+ * Logout URLs modified.
+
+## Where to look
+
+The log files you use for investigation and monitoring are:
+
+* [Azure AD Audit logs](../reports-monitoring/concept-audit-logs.md)
+
+* [Sign-in logs](../reports-monitoring/concept-all-sign-ins.md)
+
+* [Microsoft 365 Audit logs](/microsoft-365/compliance/auditing-solutions-overview?view=o365-worldwide)
+
+* [Azure Key Vault logs](../../key-vault/general/logging.md)
+
+From the Azure portal, you can view the Azure AD Audit logs and download as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:
+
+* **[Azure Sentinel](../../sentinel/overview.md)** ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.
+
+* **[Azure Monitor](../../azure-monitor/overview.md)** ΓÇô enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
+
+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) integrated with a SIEM**- [Azure AD logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hub integration.
+
+* **[Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security) (MCAS)** ΓÇô enables you to discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance.
+
+Much of what you will monitor and alert on are the effects of your Conditional Access policies. You can use the [Conditional Access insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) to examine the effects of one or more Conditional Access policies on your sign-ins, as well as the results of policies, including device state. This workbook enables you to view an impact summary, and identify the impact over a specific time period. You can also use the workbook to investigate the sign-ins of a specific user.
+
+ The remainder of this article describes what we recommend you monitor and alert on, and is organized by the type of threat. Where there are specific pre-built solutions we link to them or provide samples following the table. Otherwise, you can build alerts using the preceding tools.
+
+## Application credentials
+
+Many applications use credentials to authenticate in Azure AD. Any additional credentials added outside of expected processes could be a malicious actor using those credentials. We strongly recommend using X509 certificates issued by trusted authorities or Managed Identities instead of using client secrets. However, if you need to use client secrets, follow good hygiene practices to keep applications safe. Note, application and service principal updates are logged as two entries in the audit log.
+
+* Monitor applications to identify those with long credential expiration times.
+
+* Replace long-lived credentials with credentials that have a short life span. Take steps to ensure that credentials don't get committed in code repositories and are stored securely.
++
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| -|-|-|-|-|
+| Added credentials to existing applications| High| Azure AD Audit logs| Service-Core Directory, Category-ApplicationManagement <br>Activity: Update Application-Certificates and secrets management<br>-and-<br>Activity: Update Service principal/Update Application| Alert when credentials are:<li> added outside of normal business hours or workflows.<li> of types not used in your environment.<li> added to a non-SAML flow supporting service principal. |
+| Credentials with a lifetime longer than your policies allow.| Medium| Microsoft Graph| State and end date of Application Key credentials<br>-and-<br>Application password credentials| You can use MS Graph API to find the start and end date of credentials, and evaluate those with a longer than allowed lifetime. See PowerShell script following this table. |
+
+ The following pre-built monitoring and alerts are available.
+
+* Azure Sentinel ΓÇô [Alert when new app or service principle credentials added](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml)
+
+* Azure Monitor ΓÇô [Azure AD workbook to help you assess Solorigate risk - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718)
+
+* MCAS ΓÇô [Cloud App Security anomaly detection alerts investigation guide](/cloud-app-security/investigate-anomaly-alerts)
+
+* PowerShell - [Sample PowerShell script to find credential lifetime](https://github.com/madansr7/appCredAge).
+
+## Application permissions
+
+Like an administrator account, applications can be assigned privileged roles. Apps can be assigned Azure AD roles, such as global administrator, or Azure RBAC roles such as subscription owner. Because they can run without a user present and as a background service, closely monitor anytime an application is granted a highly privileged role or permission.
+
+### Service principal assigned to a role
++
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+|-|-|-|-|-|
+| App assigned to Azure RBAC role, or Azure AD Role| High to Medium| Azure AD Audit logs| Type: service principal<br>Activity: ΓÇ£Add member to roleΓÇ¥ or ΓÇ£Add eligible member to roleΓÇ¥<br>-or-<br>ΓÇ£Add scoped member to role.ΓÇ¥| For highly privileged roles such as Global Administrator, risk is high. For lower privileged roles risk is medium. Alert anytime an application is assigned to an Azure role or Azure AD role outside of normal change management or configuration procedures. |
+
+### Application granted highly privileged permissions
+
+Applications should also follow the principal of least privilege. Investigate application permissions to ensure they're truly needed. You can create an [app consent grant report](https://aka.ms/getazureadpermissions) to help identify existing applications and highlight privileged permissions.
+
+| What to monitor|Risk Level|Where| Filter/sub-filter| Notes|
+|-|-|-|-|-|
+| App granted highly privileged permissions, such as permissions with ΓÇ£*.AllΓÇ¥ (Directory.ReadWrite.All) or wide ranging permissions (Mail.*)| High |Azure AD Audit logs| ΓÇ£Add app role assignment to service principalΓÇ¥, <br>- where-<br> Target(s) identifies an API with sensitive data (such as Microsoft Graph) <br>-and-<br>AppRole.Value identifies a highly privileged application permission (app role).| Apps granted broad permissions such as ΓÇ£*.AllΓÇ¥ (Directory.ReadWrite.All) or wide ranging permissions (Mail.*) |
+| Administrator granting either application permissions (app roles) or highly privileged delegated permissions |High| Microsoft 365 portal| ΓÇ£Add app role assignment to service principalΓÇ¥, <br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph)<br>ΓÇ£Add delegated permission grantΓÇ¥, <br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph) <br>-and-<br>DelegatedPermissionGrant.Scope includes high-privilege permissions.| Alert when a global administrator, application administrator, or cloud application administrator consents to an application. Especially look for consent outside of normal activity and change procedures. |
+| Application is granted permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD. |High| Azure AD Audit logs| ΓÇ£Add delegated permission grantΓÇ¥ <br>-or-<br>ΓÇ£Add app role assignment to service principalΓÇ¥, <br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph, Exchange Online, and so on)| Alert as in the preceding row. |
+| Application permissions (app roles) for other APIs are granted |Medium| Azure AD Audit logs| ΓÇ£Add app role assignment to service principalΓÇ¥, <br>-where-<br>Target(s) identifies any other API.| Alert as in the preceding row. |
+| Highly privileged delegated permissions are granted on behalf of all users |High| Azure AD Audit logs| ΓÇ£Add delegated permission grantΓÇ¥, where Target(s) identifies an API with sensitive data (such as Microsoft Graph), <br> DelegatedPermissionGrant.Scope includes high-privilege permissions, <br>-and-<br>DelegatedPermissionGrant.ConsentType is ΓÇ£AllPrincipalsΓÇ¥.| Alert as in the preceding row. |
+
+For more information on monitoring app permissions, see this tutorial: [Investigate and remediate risky OAuth apps](/cloud-app-security/investigate-risky-oauth).
+
+### Azure Key Vault
+
+Azure Key Vault can be used to store your tenantΓÇÖs secrets. We recommend you pay particular attention to any changes to Key Vault configuration and activities.
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+|-|-|-|-|-|
+| How and when your Key Vaults are accessed and by whom| Medium| [Azure Key Vault logs](../../key-vault/general/logging.md?tabs=Vault)| Resource type: Key Vaults| Look for <li> any access to Key Vault outside of regular processes and hours. <li> any changes to Key Vault ACL. |
+
+After setting up Azure Key Vault, be sure to [enable logging](../../key-vault/general/howto-logging.md?tabs=azure-cli), which shows [how and when your Key Vaults are accessed](../../key-vault/general/logging.md?tabs=Vault), and [configure alerts](../../key-vault/general/alert.md) on Key Vault to notify assigned users or distribution lists via email, phone call, text message, or [event grid](../../key-vault/general/event-grid-overview.md) notification if health is impacted. Additionally, setting up [monitoring](../../key-vault/general/alert.md) with Key Vault insights will give you a snapshot of Key Vault requests, performance, failures, and latency. [Log Analytics](../../azure-monitor/logs/log-analytics-overview.md) also has some [example queries](../../azure-monitor/logs/queries.md) for Azure Key Vault that can be accessed after selecting your Key Vault and then under ΓÇ£MonitoringΓÇ¥ selecting ΓÇ£LogsΓÇ¥.
+
+### End-user consent
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+|-|-|-|-|-|
+| End-user consent to application| Low| Azure AD Audit logs| Activity: Consent to application / ConsentContext.IsAdminConsent = false| Look for: <li>high profile or highly privileged accounts.<li> app requests high-risk permissions<li>apps with suspicious names, for example generic, misspelled, etc. |
++
+The act of consenting to an application is not in itself malicious. However, investigate new end-user consent grants looking for suspicious applications. You can [restrict user consent operations](/security/fundamentals/steps-secure-identity).
+
+For more information on consent operations, see the following resources:
+
+* [Managing consent to applications and evaluating consent requests in Azure Active Directory](../manage-apps/manage-consent-requests.md)
+
+* [Detect and Remediate Illicit Consent Grants - Office 365](/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide)
+
+* [Incident response playbook - App consent grant investigation](/security/compass/incident-response-playbook-app-consent)
+
+### End user stopped due to risk-based consent
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+|-|-|-|-|-|
+| End-user consent stopped due to risk-based consent| Medium| Azure AD Audit logs| Core Directory / ApplicationManagement / Consent to application<br> Failure status reason = Microsoft.online.Security.userConsent<br>BlockedForRiskyAppsExceptions| Monitor and analyze any time consent is stopped due to risk. Look for:<li>high profile or highly privileged accounts.<li> app requests high-risk permissions<li>apps with suspicious names, for example generic, misspelled, etc. |
+
+## Application configuration changes
+
+Monitor changes to any applicationΓÇÖs configuration. Specifically, configuration changes to the uniform resource identifier (URI), ownership, and logout URL.
+
+### Dangling URI and Redirect URI changes
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+|-|-|-|-|-|
+| Dangling URI| High| Azure AD Logs and Application Registration| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| Look for dangling URIs, for example, that point to a domain name that no longer exists or one that you donΓÇÖt explicitly own. |
+| Redirect URI configuration changes| High| Azure AD logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| Look for URIs not using HTTPS*, URIS with wildcards at the end or the domain of the URL, URIs that are NOT unique to the application, URIs that point to a domain you do not control. |
+
+Alert anytime these changes are detected.
+
+### AppID URI added, modified, or removed
++
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+|-|-|-|-|-|
+| Changes to AppID URI| High| Azure AD logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update<br>Application<br>Activity: Update Service principal| Look for any AppID URI modifications, such as adding, modifying, or removing the URI. |
++
+Alert any time these changes are detected outside of approved change management procedures.
+
+### New Owner
++
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+|-|-|-|-|-|
+| Changes to application ownership| Medium| Azure AD logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Add owner to application| Look for any instance of a user being added as an application owner outside of normal change management activities. |
+
+### Logout URL modified or removed
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+|-|-|-|-|-|
+| Changes to logout URL| Low| Azure AD logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>-and-<br>Activity: Update service principle| Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session. |
+
+## Additional Resources
+
+The following are links to useful resources:
+
+* Github Azure AD toolkit - [https://github.com/microsoft/AzureADToolkit](https://github.com/microsoft/AzureADToolkit)
+
+* Azure Key Vault security overview and security guidance - [Azure Key Vault security overview](../../key-vault/general/security-overview.md), [Secure access to a key vault](../../key-vault/general/secure-your-key-vault.md)
+
+* Solorgate risk information and tools - [Azure AD workbook to help you access Solorigate risk](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718)
+
+* OAuth attack detection guidance - [Unusual addition of credentials to an OAuth app](/cloud-app-security/investigate-anomaly-alerts)
+
+Azure AD monitoring configuration information for SIEMs - [Partner tools with Azure Monitor integration](../..//azure-monitor/essentials/stream-monitoring-data-event-hubs.md)
+
+ ## Next steps
+
+See these security operations guide articles:
+
+[Azure AD security operations overview](security-operations-introduction.md)
+
+[Security operations for user accounts](security-operations-user-accounts.md)
+
+[Security operations for privileged accounts](security-operations-privileged-accounts.md)
+
+[Security operations for Privileged Identity Management](security-operations-privileged-identity-management.md)
+
+[Security operations for applications](security-operations-applications.md)
+
+[Security operations for devices](security-operations-devices.md)
+
+
+[Security operations for infrastructure](security-operations-infrastructure.md)
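Review bot: In the Application credentials table, the row "Credentials with a lifetime longer than your policies allow" ends with "See PowerShell script following this table", but no script follows, only a list of links whose last bullet points to an external sample. Reword the note to reference that linked sample, or include the script. In the Redirect URI row, "HTTPS*" carries an asterisk with no matching footnote; add the footnote or drop the asterisk. In the "Administrator granting either application permissions..." row, Where is "Microsoft 365 portal" although the filter uses the same activity names as the Azure AD Audit logs rows, so confirm which log a reader should query. The terminology needs a pass before merge: "service principle" (Sentinel link text and the Logout URL row) and "principal of least privilege" have the two words swapped, "Universal resource identifier" under What to look for conflicts with "uniform resource identifier" under Application configuration changes, and Additional Resources has "Solorgate" and "help you access Solorigate risk" where the same link earlier reads "assess". The "Azure AD monitoring configuration information for SIEMs" line is missing its list bullet and its path contains "../..//".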
active-directory Security Operations Devices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/security-operations-devices.md
+
+ Title: Azure Active Directory security operations for devices
+description: Learn to establish baselines, and monitor and report on devices to identity potential security risks with devices.
+++++++ Last updated : 07/15/2021+++++
+# Azure Active Directory security operations for devices
+
+Devices aren't commonly targeted in identity-based attacks, but *can* be used to satisfy and trick security controls, or to impersonate users. Devices can have one of four relationships with Azure AD:
+
+* Unregistered
+
+* [Azure Active Directory (Azure AD) registered](../devices/concept-azure-ad-register.md)
+
+* [Azure AD joined](../devices/concept-azure-ad-join.md)
+
+* [Hybrid Azure AD joined](../devices/concept-azure-ad-join-hybrid.md)
+ΓÇÄ
+
+Registered and joined devices are issued a [Primary Refresh Token (PRT),](../devices/concept-primary-refresh-token.md) which can be used as a primary authentication artifact, and in some cases as a multifactor authentication artifact. Attackers may try to register their own devices, use PRTs on legitimate devices to access business data, steal PRT-based tokens from legitimate user devices, or find misconfigurations in device-based controls in Azure Active Directory. With Hybrid Azure AD joined devices, the join process is initiated and controlled by administrators, reducing the available attack methods.
+
+For more information on device integration methods, see [Choose your integration methods](../devices/plan-device-deployment.md) in the article [Plan your Azure AD device deployment.](../devices/plan-device-deployment.md)
+
+To reduce the risk of bad actors attacking your infrastructure through devices, monitor
+
+* Device registration and Azure AD join
+
+* Non-compliant devices accessing applications
+
+* BitLocker key retrieval
+
+* Device administrator roles
+
+* Sign-ins to virtual machines
+
+## Where to look
+
+The log files you use for investigation and monitoring are:
+
+* [Azure AD Audit logs](../reports-monitoring/concept-audit-logs.md)
+
+* [Sign-in logs](../reports-monitoring/concept-all-sign-ins.md)
+
+* [Microsoft 365 Audit logs](/microsoft-365/compliance/auditing-solutions-overview?view=o365-worldwide.md)
+
+* [Azure Key Vault logs](../..//key-vault/general/logging.md?tabs=Vault)
+
+From the Azure portal, you can view the Azure AD Audit logs and download as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:
+
+* **[Azure Sentinel](../../sentinel/overview.md)** ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.
+
+* **[Azure Monitor](../..//azure-monitor/overview.md)** ΓÇô enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
+
+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) -integrated with a SIEM**- [Azure AD logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hub integration.
+
+* **[Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security) (MCAS)** ΓÇô enables you to discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance.
+
+Much of what you'll monitor and alert on are the effects of your Conditional Access policies. You can use the [Conditional Access insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) to examine the effects of one or more Conditional Access policies on your sign-ins, and the results of policies including device state. This workbook enables you to view an impact summary, and identify the impact over a specific time period. You can also use the workbook to investigate the sign-ins of a specific user.
+
+ The rest of this article describes what we recommend you monitor and alert on, and is organized by the type of threat. Where there are specific pre-built solutions we link to them or provide samples following the table. Otherwise, you can build alerts using the preceding tools.
+
+ ## Device registrations and joins outside policy
+
+Azure AD registered and Azure AD joined devices possess primary refresh tokens (PRTs), which are the equivalent of a single authentication factor. These devices can at times contain strong authentication claims. For more information on when PRTs contain strong authentication claims, see [When does a PRT get an MFA claim](../devices/concept-primary-refresh-token.md)? To keep bad actors from registering or joining devices, require multifactor authentication (MFA) to register or join devices. Then monitor for any devices registered or joined without MFA. YouΓÇÖll also need to watch for changes to MFA settings and policies, and device compliance policies.
+
+ | What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| - |- |- |- |- |
+| Device registration or join completed without MFA| Medium| Sign-in logs| Activity: successful authentication to Device Registration Service. <br>And<br>No MFA required| Alert when: <br>Any device registered or joined without MFA |
+| Changes to the Device Registration MFA toggle in Azure AD| High| Audit log| Activity: Set device registration policies| Look for: <br>The toggle being set to off. There isn't audit log entry. Schedule periodic checks. |
+| Changes to Conditional Access policies requiring domain joined or compliant device.| High| Audit log| Changes to CA policies<br>| Alert when: <br><li> Change to any policy requiring domain joined or compliant.<li>Changes to trusted locations.<li> Accounts or devices added to MFA policy exceptions. |
++
+You can create an alert that notifies appropriate administrators when a device is registered or joined without MFA by using Azure Sentinel.
+
+```
+Sign-in logs
+
+| where ResourceDisplayName == ΓÇ£Device Registration ServiceΓÇ¥
+
+| where conditionalAccessStatus ==ΓÇ¥successΓÇ¥
+
+| where AuthenticationRequirement <> ΓÇ£multiFactorAuthenticationΓÇ¥
+```
+
+You can also use [Microsoft Intune to set and monitor device compliance policies](/mem/intune/protect/device-compliance-get-started).
+
+## Non-compliant device sign in
+
+It might not be possible to block access to all cloud and software-as-a-service applications with Conditional Access policies requiring compliant devices.
+
+[Mobile device management](/windows/client-management/mdm/) (MDM) helps you keep Windows 10 devices compliant. With Windows version 1809, we released a [security baseline](/windows/client-management/mdm/) of policies. Azure Active Directory can [integrate with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm) to enforce device compliance with corporate policies, and can report a deviceΓÇÖs compliance status.
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| - |- |- |- |- |
+| Sign-ins by non-compliant devices| High| Sign-in logs| DeviceDetail.isCompliant ==false| If requiring sign-in from compliant devices, alert when:<br><li> any sign in by non-compliant devices.<li> any access without MFA or a trusted location.<p>If working toward requiring devices, monitor for suspicious sign-ins. |
+| Sign-ins by unknown devices| Low| Sign-in logs| <li>DeviceDetail is empty<li>Single factor authentication<li>From a non-trusted location| Look for: <br><li>any access from out of compliance devices.<li>any access without MFA or trusted location |
++
+### Use LogAnalytics to query
+
+**Sign-ins by non-compliant devices**
+
+```
+SigninLogs
+
+| where DeviceDetail.isCompliant ==false
+
+| where conditionalAccessStatus == ΓÇ£successΓÇ¥
+```
+
+
+**Sign-ins by unknown devices**
+
+```
+
+SigninLogs
+| where isempty(DeviceDetail.deviceId)
+
+| where AuthenticationRequirement == "singleFactorAuthentication"
+
+| where ResultType == "0"
+
+| where NetworkLocationDetails == "[]"
+```
+
+## Stale devices
+
+Stale devices include devices that haven't signed in for a specified time period. Devices can become stale when a user gets a new device or loses a device, or when an Azure AD joined device is wiped or reprovisioned. Devices may also remain registered or joined when the user is no longer associated with the tenant. Stale devices should be removed so that their primary refresh tokens (PRTs) cannot be used.
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| - |- |- |- |- |
+| Last sign-in date| Low| Graph API| approximateLastSignInDateTime| Use Graph API or PowerShell to identify and remove stale devices. |
+
+## BitLocker key retrieval
+
+Attackers who have compromised a userΓÇÖs device may retrieve the [BitLocker](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10) keys in Azure AD. It's uncommon for users to retrieve keys, and should be monitored and investigated.
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| - |- |- |- |- |
+| Key retrieval| Medium| Audit logs| OperationName == "Read BitLocker keyΓÇ¥| Look for <br><li>key retrieval`<li> other anomalous behavior by users retrieving keys. |
++
+In LogAnalytics create a query such as
+
+```
+AuditLogs
+
+| where OperationName == "Read BitLocker keyΓÇ¥
+```
+
+## Device administrator roles
+
+Global administrators and cloud Device Administrators automatically get local administrator rights on all Azure AD joined devices. ItΓÇÖs important to monitor who has these rights to keep your environment safe.
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| - |- |- |- |- |
+| Users added to global or device admin roles| High| Audit logs| Activity type = Add member to role.| Look for:<li> new users added to these Azure AD roles.<li> Subsequent anomalous behavior by machines or users. |
++
+## Non-Azure AD sign-ins to virtual machines
+
+Sign-ins to Windows or LINUX virtual machines (VMs) should be monitored for sign-ins by accounts other than Azure AD accounts.
+
+### Azure AD sign-in for LINUX
+
+Azure AD sign-in for LINUX allows organizations to sign in to their Azure LINUX VMs using Azure AD accounts over secure shell protocol (SSH).
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| - |- |- |- |- |
+| Non-Azure AD account signing in, especially over SSH| High| Local authentication logs| Ubuntu: <br>ΓÇÄmonitor /var/log/auth.log for SSH use<br>RedHat: <br>monitor /var/log/sssd/ for SSH use| Look for:<li> entries [where non-Azure AD accounts are successfully connecting to VMs.](../devices/howto-vm-sign-in-azure-ad-linux.md) <li>See following example. |
++
+Ubuntu example:
+
+ May 9 23:49:39 ubuntu1804 aad_certhandler[3915]: Version: 1.0.015570001; user: localusertest01
+
+ May 9 23:49:39 ubuntu1804 aad_certhandler[3915]: User 'localusertest01' is not an AAD user; returning empty result.
+
+ May 9 23:49:43 ubuntu1804 aad_certhandler[3916]: Version: 1.0.015570001; user: localusertest01
+
+ May 9 23:49:43 ubuntu1804 aad_certhandler[3916]: User 'localusertest01' is not an AAD user; returning empty result.
+
+ May 9 23:49:43 ubuntu1804 sshd[3909]: Accepted publicly for localusertest01 from 192.168.0.15 port 53582 ssh2: RSA SHA256:MiROf6f9u1w8J+46AXR1WmPjDhNWJEoXp4HMm9lvJAQ
+
+ May 9 23:49:43 ubuntu1804 sshd[3909]: pam_unix(sshd:session): session opened for user localusertest01 by (uid=0).
+
+You can set policy for LINUX VM sign-ins, and detect and flag Linux VMs that have non-approved local accounts added. To learn more, see using [Azure Policy to ensure standards and assess compliance](../devices/howto-vm-sign-in-azure-ad-linux.md).
+
+### Azure AD sign-ins for Windows Server
+
+Azure AD sign-in for Windows allows your organization to sign in to your Azure Windows 2019+ VMs using Azure AD accounts over remote desktop protocol (RDP).
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| - |- |- |- |- |
+| Non-Azure AD account signing in, especially over RDP| High| Windows Server event logs| Interactive Login to Windows VM| Event 528, logon type 10 (RemoteInteractive).<br>Shows when a user signs in over Terminal Services or Remote Desktop. |
++
+## Next Steps
+
+See these additional security operations guide articles:
+
+[Azure AD security operations overview](security-operations-introduction.md)
+
+[Security operations for user accounts](security-operations-user-accounts.md)
+
+[Security operations for privileged accounts](security-operations-privileged-accounts.md)
+
+[Security operations for Privileged Identity Management](security-operations-privileged-identity-management.md)
+
+[Security operations for applications](security-operations-applications.md)
+
+[Security operations for devices](security-operations-devices.md)
+
+
+[Security operations for infrastructure](security-operations-infrastructure.md)
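Review bot: In the "Azure AD sign-ins for Windows Server" table, the filter "Event 528, logon type 10 (RemoteInteractive)" uses the pre-Vista event ID. The section targets Windows 2019+ VMs, where a successful logon is recorded as event 4624 (4625 for a failure), so a rule keyed on 528 would not match anything. Suggest changing the cell to 4624 with logon type 10. In the Ubuntu sample, the sshd line reads "Accepted publicly for localusertest01"; sshd writes "Accepted publickey for", and readers will copy that string into a search, so the sample should show the real output. The Ubuntu cell in the Linux table has a stray non-printing character before "monitor /var/log/auth.log". The "Azure Policy to ensure standards and assess compliance" link points at the same howto-vm-sign-in-azure-ad-linux.md target as the link in the table above it, which looks like a copy-paste; please check the intended target.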
active-directory Security Operations Infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/security-operations-infrastructure.md
+
+ Title: Azure Active Directory security operations for infrastructure
+description: Learn how to monitor and alert on infrastructure components to identify security threats.
+++++++ Last updated : 07/15/2021+++++
+# Security operations for infrastructure
+
+Infrastructure has many components where vulnerabilities can occur if not properly configured. As part of your monitoring and alerting strategy for infrastructure, monitor and alert events in the following areas:
+
+* Authentication and Authorization
+
+* Hybrid Authentication components incl. Federation Servers
+
+* Policies
+
+* Subscriptions
+
+Monitoring and alerting the components of your authentication infrastructure is critical. Any compromise can lead to a full compromise of the whole environment. Many enterprises that use Azure AD operate in a hybrid authentication environment. This means both cloud and on-premises components should be included in your monitoring and alerting strategy. Having a hybrid authentication environment also introduces another attack vector to your environment.
+
+We recommend all the components be considered Control Plane / Tier 0 assets, as well as the accounts used to manage them. Refer to [Securing privileged assets](/security/compass/overview) (SPA) for guidance on designing and implementing your environment. This guidance includes recommendations for each of the hybrid authentication components that could potentially be used for an Azure AD tenant.
+
+A first step in being able to detect unexpected events and potential attacks is to establish a baseline. For all on-premises components listed in this article, see [Privileged access deployment](https://docs.microsoft.com/security/compass/privileged-access-deployment), which is part of the Securing privileged assets (SPA) guide.
+
+## Where to look
+
+The log files you use for investigation and monitoring are:
+
+* [Azure AD Audit logs](../reports-monitoring/concept-audit-logs.md)
+
+* [Sign-in logs](../reports-monitoring/concept-all-sign-ins.md)
+
+* [Microsoft 365 Audit logs](/microsoft-365/compliance/auditing-solutions-overview?view=o365-worldwide)
+
+* [Azure Key Vault logs](../../key-vault/general/logging.md?tabs=Vault)
+
+From the Azure portal you can view the Azure AD Audit logs and download as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:
+
+* [Azure Sentinel](../../sentinel/overview.md) ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.
+
+* [Azure Monitor](../../azure-monitor/overview.md) ΓÇô enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
+
+* [Azure Event Hubs](../../event-hubs/event-hubs-about.md) integrated with a SIEM- [Azure AD logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hub integration.
+
+* [Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security) (MCAS) ΓÇô enables you to discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance.
+
+The remainder of this article describes what you should monitor and alert on and is organized by the type of threat. Where there are specific pre-built solutions, you will find links to them following the table. Otherwise, you can build alerts using the preceding tools.
+
+## Authentication infrastructure
+
+In hybrid environments that contain both on-premises and cloud-based resources and accounts, the Active Directory infrastructure is a key part of the authentication stack. The stack is also a target for attacks so must be configured to maintain a secure environment and must be monitored properly. Examples of current types of attacks used against your authentication infrastructure use Password Spray and Solorigate techniques. The following are links to articles we recommend:
+
+* [Securing privileged access overview](/security/compass/overview) ΓÇô This article provides an overview of current techniques using Zero Trust techniques to create and maintain secure privileged access.
+
+* [Microsoft Defender for Identity monitored domain activities](/defender-for-identity/monitored-activities) - This article provides a comprehensive list of activities to monitor and set alerts for.
+
+* [Microsoft Defender for Identity security alert tutorial](/defender-for-identity/understanding-security-alerts) - This article provides guidance on creating and implementing a security alert strategy.
+
+The following are links to specific articles that focus on monitoring and alerting your authentication infrastructure:
+
+* [Understand and use Lateral Movement Paths with Microsoft Defender for Identity](/defender-for-identity/use-case-lateral-movement-path) - This article describes detection techniques you can use to help identify when non-sensitive accounts are used to gain access to sensitive accounts throughout your network.
+
+* [Working with security alerts in Microsoft Defender for Identity](/defender-for-identity/working-with-suspicious-activities) - This article describes how to review and manage alerts once they are logged.
+
+ The following are specific things to look for:
+
+| What to monitor| Risk level| Where| Notes |
+| - | - | - | - |
+| Extranet lockout trends| High| Azure AD Connect Health| Use information at [Monitor AD FS using Azure AD Connect Health](../hybrid/how-to-connect-health-adfs.md) for tools and techniques to help detect extranet lockout trends. |
+| Failed sign-ins|High | Connect Health Portal| Export or download the Risky IP report and follow the guidance at [Risky IP report (public preview)](../hybrid/how-to-connect-health-adfs-risky-ip.md) for next steps. |
+| In privacy compliant| Low| Azure AD Connect Health| Configure Azure AD Connect Health to be disable data collections and monitoring using the [User privacy and Azure AD Connect Health](../hybrid/reference-connect-health-user-privacy.md) article. |
+| Potential brute force attack on LDAP| Medium| Microsoft Defender for Identity| Use sensor to help detect potential brute force attacks against LDAP. |
+| Account enumeration reconnaissance| Medium| Microsoft Defender for Identity| Use sensor to help perform account enumeration reconnaissance. |
+| General correlation between Azure AD and Azure AD FS|Medium | Microsoft Defender for Identity| Use capabilities to correlate activities between your Azure AD and Azure AD FS environments. |
++
+
+
+### Pass-through authentication monitoring
+
+Azure Active Directory (Azure AD) Pass-through Authentication signs users in by validating their passwords directly against on-premises Active Directory.
+
+The following are specific things to look for:
+
+| What to monitor| Risk level| Where| Filter/sub-filter| Notes |
+| - | - | - | - | - |
+| Azure AD pass-through authentication errors|Medium | Application and ΓÇÄService Logs\Microsoft\AΓÇÄzureAdConnecΓÇÄt\AuthenticatioΓÇÄnAgent\Admin| AADSTS80001 ΓÇô Unable to connect to Active Directory| Ensure that agent servers are members of the same AD forest as the users whose passwords need to be validated and they can connect to Active Directory. |
+| Azure AD pass-through authentication errors| Medium| Application and ΓÇÄService Logs\Microsoft\AΓÇÄzureAdConnecΓÇÄt\AuthenticatioΓÇÄnAgent\Admin| AADSTS8002 - A timeout occurred connecting to Active Directory| Check to ensure that Active Directory is available and is responding to requests from the agents. |
+| Azure AD pass-through authentication errors|Medium | Application and ΓÇÄService Logs\Microsoft\AΓÇÄzureAdConnecΓÇÄt\AuthenticatioΓÇÄnAgent\Admin| AADSTS80004 - The username passed to the agent was not valid| Ensure the user is attempting to sign in with the right username. |
+| Azure AD pass-through authentication errors|Medium | Application and ΓÇÄService Logs\Microsoft\AΓÇÄzureAdConnecΓÇÄt\AuthenticatioΓÇÄnAgent\Admin| AADSTS80005 - Validation encountered unpredictable WebException| A transient error. Retry the request. If it continues to fail, contact Microsoft support. |
+| Azure AD pass-through authentication errors| Medium| Application and ΓÇÄService Logs\Microsoft\AΓÇÄzureAdConnecΓÇÄt\AuthenticatioΓÇÄnAgent\Admin| AADSTS80007 - An error occurred communicating with Active Directory| Check the agent logs for more information and verify that Active Directory is operating as expected. |
+| Azure AD pass-through authentication errors|High | Win32 LogonUserA function API| Logon events 4624(s): An account was successfully logged on<br>- correlate with ΓÇô<br>4625(F): An account failed to log on| Use with the suspected usernames on the domain controller that is authenticating requests. Guidance at [LogonUserA function (winbase.h)](/windows/win32/api/winbase/nf-winbase-logonusera) |
+| Azure AD pass-through authentication errors| Medium| PowerShell script of domain controller| see query following table. | Use the information at [Azure AD Connect: Troubleshoot Pass-through Authentication](../hybrid/tshoot-connect-pass-through-authentication.md)for additional guidance. |
+
+```Kusto
+
+<QueryList>
+
+<Query Id="0" Path="Security">
+
+<Select Path="Security">*[EventData[Data[@Name='ProcessName'] and (Data='C:\Program Files\Microsoft Azure AD Connect Authentication Agent\AzureADConnectAuthenticationAgentService.exe')]]</Select>
+
+</Query>
+
+</QueryList>
+```
+
+### AppProxy Connector
+
+Azure AD and Azure AD Application Proxy give remote users a single sign-on (SSO) experience. Users securely connect to on-premises apps without a virtual private network (VPN) or dual-homed servers and firewall rules. If your Azure AD Application Proxy connector server is compromised, attackers could alter the SSO experience or change access to published applications.
+
+To configuring monitoring for Application Proxy, see [Troubleshoot Application Proxy problems and error messages](../app-proxy/application-proxy-troubleshoot.md). The data file that logs information can be found in Applications and Services Logs\Microsoft\AadApplicationProxy\Connector\Admin. For a complete reference guide to audit activity, see [Azure AD audit activity reference](../reports-monitoring/reference-audit-activities.md). Specific things to monitor:
+
+| What to monitor| Risk level| Where| Filter/sub-filter| Notes |
+| - | - | - | - | - |
+| Kerberos errors| Medium | Various tools| Medium | Kerberos authentication error guidance under Kerberos errors on [Troubleshoot Application Proxy problems and error messages](../app-proxy/application-proxy-troubleshoot.md). |
+| DC security issues| High| DC Security Audit logs| Event ID 4742(S): A computer account was changed<br>-and-<br>Flag ΓÇô Trusted for Delegation<br>-or-<br>Flag ΓÇô Trusted to Authenticate for Delegation| Investigate any flag change. |
+| Pass-the-ticket like attacks| High| | | Follow guidance in:<li>[Security principal reconnaissance (LDAP) (external ID 2038)](/defender-for-identity/reconnaissance-alerts)<li>[Tutorial: Compromised credential alerts](/defender-for-identity/compromised-credentials-alerts)<li> [Understand and use Lateral Movement Paths with Microsoft Defender for Identity](/defender-for-identity/use-case-lateral-movement-path)<li> [Understanding entity profiles](/defender-for-identity/entity-profiles) |
++
+### Legacy authentication settings
+
+For multifactor authentication (MFA) to be effective, you also need to block legacy authentication. You then need to monitor your environment and alert on any use of legacy authentication. This is because legacy authentication protocols like POP, SMTP, IMAP, and MAPI canΓÇÖt enforce MFA. This makes these protocols preferred entry points for attackers of your organization. For more information on tools that you can use to block legacy authentication, see [New tools to block legacy authentication in your organization](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302).
+
+Legacy authentication is captured in the Azure AD Sign-ins log as part of the detail of the event. You can use the Azure Monitor workbook to help with identifying legacy authentication usage. For more information, see [Sign-ins using legacy authentication](../reports-monitoring/howto-use-azure-monitor-workbooks.md), which is part of [How to use Azure Monitor Workbooks for Azure Active Directory reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md). You can also use the Insecure protocols workbook for Azure Sentinel. For more information, see [Azure Sentinel Insecure Protocols Workbook Implementation Guide](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-insecure-protocols-workbook-implementation-guide/ba-p/1197564). Specific activities to monitor include:
+
+| What to monitor| Risk level| Where| Filter/sub-filter| Notes |
+| - | - | - | - | - |
+| Legacy authentications|High | Azure AD Sign-ins log| ClientApp : POP<br>ClientApp : IMAP<br>ClientApp : MAPI<br>ClientApp: SMTP<br>ClientApp : ActiveSync go to EXO<br>Other Clients = SharePoint and EWS| In federated domain environments, failed authentications are not recorded so will not appear in the log. |
++
+## Azure AD Connect
+
+Azure AD Connect provides a centralized location that enables account and attribute synchronization between your on-premises and cloud-based Azure AD environment. Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. It provides the following features:
+
+* [Password hash synchronization](../hybrid/whatis-phs.md) - A sign-in method that synchronizes a hash of a userΓÇÖs on-premises AD password with Azure AD.
+
+* [Synchronization](../hybrid/how-to-connect-sync-whatis.md) - Responsible for creating users, groups, and other objects. As well as, making sure identity information for your on-premises users and groups is matching the cloud. This synchronization also includes password hashes.
+
+* [Health Monitoring](../hybrid/whatis-azure-ad-connect.md) - Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.
+
+Synchronizing identity between your on-premises environment and you cloud environment introduces a new attack surface for your on-premises and cloud-based environment. We recommend:
+
+* You treat your Azure AD Connect primary and staging servers as Tier 0 Systems in your control plane.
+
+* You follow a standard set of policies that govern each type of account and its usage in your environment.
+
+* You install Azure AD Connect and Connect Health. These primarily provide operational data for the environment.
+
+Logging of Azure AD Connect operations occurs in different ways:
+
+* The Azure AD Connect wizard logs data to \ProgramData\AADConnect . Each time the wizard is invoked, a timestamped trace log file is created. The trace log can be imported into Sentinel or other 3<sup data-htmlnode="">rd</sup> party security information and event management (SIEM) tools for analysis.
+
+* Some operations initiate a PowerShell script to capture logging information. To collect this data, you must make sure script block logging in enabled.
+
+### Monitoring configuration changes
+
+Azure AD uses Microsoft SQL Server Data Engine or SQL to store Azure AD Connect configuration information. Therefore, monitoring and auditing of the log files associated with configuration should be included in your monitoring and auditing strategy. Specifically, include the following tables in your monitoring and alerting strategy.
+
+| What to monitor| Where| Notes |
+| - | - | - |
+| mms_management_agent| SQL service audit records| See [SQL Server Audit Records](/sql/relational-databases/security/auditing/sql-server-audit-records?view=sql-server-ver15) |
+| mms_partition| SQL service audit records| See [SQL Server Audit Records](/sql/relational-databases/security/auditing/sql-server-audit-records?view=sql-server-ver15) |
+| mms_run_profile| SQL service audit records| See [SQL Server Audit Records](/sql/relational-databases/security/auditing/sql-server-audit-records?view=sql-server-ver15) |
+| mms_server_configuration| SQL service audit records| See [SQL Server Audit Records](/sql/relational-databases/security/auditing/sql-server-audit-records?view=sql-server-ver15) |
+| mms_synchronization_rule| SQL service audit records| See [SQL Server Audit Records](/sql/relational-databases/security/auditing/sql-server-audit-records?view=sql-server-ver15) |
++
+For information on what and how to monitor configuration information refer to:
+
+* For SQL server, see [SQL Server Audit Records](/sql/relational-databases/security/auditing/sql-server-audit-records?view=sql-server-ver15).
+
+* For Azure Sentinel, see [Connect to Windows servers to collect security events](/sql/relational-databases/security/auditing/sql-server-audit-records?view=sql-server-ver15).
+
+* For information on configuring and using Azure AD Connect, see [What is Azure AD Connect?](../hybrid/whatis-azure-ad-connect.md)
+
+### Monitoring and troubleshooting synchronization
+
+ One function of Azure AD Connect is to synchronize hash synchronization between a userΓÇÖs on-premises password and Azure AD. If passwords are not synchronizing as expected, the synchronization might affect a subset of users or all users. Use the following to help verify proper operation or troubleshoot issues:
+
+* Information for checking and troubleshooting hash synchronization, see [Troubleshoot password hash synchronization with Azure AD Connect sync](../hybrid/tshoot-connect-password-hash-synchronization.md).
+
+* Modifications to the connector spaces, see [Troubleshoot Azure AD Connect objects and attributes](/troubleshoot/azure/active-directory/troubleshoot-aad-connect-objects-attributes).
+
+**Important resources on monitoring**
+
+| What to monitor | Resources |
+| - | - |
+| Hash synchronization validation|See [Troubleshoot password hash synchronization with Azure AD Connect sync](../hybrid/tshoot-connect-password-hash-synchronization.md) |
+ Modifications to the connector spaces|see [Troubleshoot Azure AD Connect objects and attributes](/troubleshoot/azure/active-directory/troubleshoot-aad-connect-objects-attributes) |
+| Modifications to the rules you configured| Specifically, monitor filtering changes, domain and OU changes, attribute changes, and group-based changes |
+| SQL and MSDE changes | Changes to logging parameters and addition of custom functions |
+
+**Monitor the following**:
+
+| What to monitor| Risk level| Where| Filter/sub-filter| Notes |
+| - | - | - | - | - |
+| Scheduler changes|High | PowerShell| Set-ADSyncScheduler| Look for modifications to schedule |
+| Changes to scheduled tasks| High | Azure AD Audit logs| Activity = 4699(S): A scheduled task was deleted<br>-or-<br>Activity = 4701(s): A scheduled task was disabled<br>-or-<br>Activity = 4701(s): A scheduled task was updated| Monitor all |
+++
+* For more information on logging PowerShell script operations, refer to [Enabling Script Block Logging](/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1), which is part of the PowerShell reference documentation.
+
+* For more information on configuring PowerShell logging for analysis by Splunk, refer to [Get Data into Splunk User Behavior Analytics](https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell).
+
+### Monitoring seamless single sign-on
+
+Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO) automatically signs in users when they are on their corporate desktops that are connected to your corporate network. Seamless SSO provides your users with easy access to your cloud-based applications without needing any additional on-premises components. SSO uses the pass-through authentication and password hash synchronization capabilities provided by Azure AD Connect.
+
+Monitoring single sign-on and Kerberos activity can help you detect general credential theft attack patterns. Monitor using the following information:
+
+| What to monitor| Risk level| Where| Filter/sub-filter| Notes |
+| - | - | - | - | - |
+| Errors associated with SSO and Kerberos validation failures|Medium | Azure AD Sign-ins log| | Single sign-on list of error codes at [Single sign-on](../hybrid/tshoot-connect-sso.md). |
+| Query for troubleshooting errors|Medium | PowerShell| See query following table. check in each forest with SSO enabled.| Check in each forest with SSO enabled. |
+| Kerberos-related events|High | Microsoft Defender for Identity monitoring| | Review guidance available at [Microsoft Defender for Identity Lateral Movement Paths (LMPs)](/defender-for-identity/use-case-lateral-movement-path) |
+
+```kusto
+<QueryList>
+
+<Query Id="0" Path="Security">
+
+<Select Path="Security">*[EventData[Data[@Name='ServiceName'] and (Data='AZUREADSSOACC$')]]</Select>
+
+</Query>
+
+</QueryList>
+```
+## Password protection policies
+
+If you deploy Azure AD Password Protection, monitoring and reporting are essential tasks. The following links provide details to help you understand various monitoring techniques, including where each service logs information and how to report on the use of Azure AD Password Protection.
+
+The domain controller (DC) agent and proxy services both log event log messages. All PowerShell cmdlets described below are only available on the proxy server (see the AzureADPasswordProtection PowerShell module). The DC agent software does not install a PowerShell module.
+
+Detailed information for planning and implementing on-premises password protection is available at [Plan and deploy on-premises Azure Active Directory Password Protection](../authentication/howto-password-ban-bad-on-premises-deploy.md). For monitoring details, see [Monitor on-premises Azure AD Password Protection](../authentication/howto-password-ban-bad-on-premises-monitor.md). On each domain controller, the DC agent service software writes the results of each individual password validation operation (and other status) to the following local event log:
+
+* \Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin
+
+* \Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Operational
+
+* \Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Trace
+
+The DC agent Admin log is the primary source of information for how the software is behaving. By default, the Trace log is off and must be enabled before data is logged. To troubleshoot application proxy problems and error messages, detailed information is available at [Troubleshoot Azure Active Directory Application Proxy](../app-proxy/application-proxy-troubleshoot.md). Information for these events is logged in:
+
+* Applications and Services Logs\Microsoft\AadApplicationProxy\Connector\Admin
+
+* Azure AD Audit Log, Category Application Proxy
+
+Complete reference for Azure AD audit activities is available at [Azure Active Directory (Azure AD) audit activity reference](../reports-monitoring/reference-audit-activities.md).
+
+## Next steps
++
+See these additional security operations guide articles:
+
+[Azure AD security operations overview](security-operations-introduction.md)
+
+[Security operations for user accounts](security-operations-user-accounts.md)
+
+[Security operations for privileged accounts](security-operations-privileged-accounts.md)
+
+[Security operations for Privileged Identity Management](security-operations-privileged-identity-management.md)
+
+[Security operations for applications](security-operations-applications.md)
+
+[Security operations for devices](security-operations-devices.md)
+
+[Security operations for infrastructure](security-operations-infrastructure.md)
++
+
+
+
+ΓÇÄ
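Review bot: In the "Monitor the following" table under "Monitoring and troubleshooting synchronization", event 4701 is listed twice, once as "A scheduled task was disabled" and once as "A scheduled task was updated". The update event is 4702, and the "Where" column says Azure AD Audit logs although 4699 and 4701 are Windows Security event IDs, so an alert built from this row would miss task updates and search the wrong log. In the authentication infrastructure table, "Use sensor to help perform account enumeration reconnaissance" should say detect, not perform, and "Azure AD FS" should be AD FS. In the pass-through authentication table, AADSTS8002 is a digit short compared with its neighbours (AADSTS80001, AADSTS80004, AADSTS80005, AADSTS80007), and the event log path in the "Where" column has non-printing characters embedded mid-word inside "AzureAdConnect" and "AuthenticationAgent", which breaks copy and paste into Event Viewer or a collector configuration. Both code fences are tagged Kusto but contain an Event Viewer XML filter (QueryList/Query/Select); tag them xml and state where the filter is meant to run, since the tables list them under PowerShell. Further copy-paste slips: the Azure Sentinel bullet under "Monitoring configuration changes" links to the SQL Server Audit Records URL; "Azure AD uses Microsoft SQL Server Data Engine or SQL to store Azure AD Connect configuration information" should name Azure AD Connect as the component using SQL; the Kerberos errors row has "Medium" in the Filter/sub-filter column; the "Modifications to the connector spaces" row is missing its leading pipe; and the "Password protection policies" section ends by pointing to Application Proxy troubleshooting and the AadApplicationProxy log instead of password protection sources.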
active-directory Security Operations Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/security-operations-introduction.md
+
+ Title: Azure Active Directory security operations guide
+description: Learn to monitor, identify, and alert on security issues with accounts, applications, devices, and infrastructure
+++++++ Last updated : 07/15/2021+++++
+# Azure Active Directory security operations guide
+
+Microsoft has a successful and proven approach to [Zero Trust security](https://aka.ms/Zero-Trust) using [Defense in Depth](https://us-cert.cisa.gov/bsi/articles/knowledge/principles/defense-in-depth) principles that leverage identity as a control plane. As organizations continue to embrace a hybrid workload world for scale, cost savings, and security, Azure Active Directory (Azure AD) plays a pivotal role in your strategy for identity management. Recently, news surrounding identity and security compromise has increasingly prompted enterprise IT to consider their identity security posture as a measurement of defensive security success.
+
+Increasingly, organizations must embrace a mixture of on-premises and cloud applications, which users access with both onΓÇôpremises and cloud-only accounts. Managing users, applications, and devices both on-premises and in the cloud poses challenging scenarios.
+
+Azure Active Directory creates a common user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity.
+
+To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending on your scenarios. The three methods are:
+
+* [Password hash synchronization (PHS)](../hybrid/whatis-phs.md)
+
+* [Pass-through authentication (PTA)](../hybrid/how-to-connect-pta.md)
+
+* [Federation (AD FS)](../hybrid/whatis-fed.md)
+
+As you audit your current security operations or establish security operations for your Azure environment, we recommend you:
+
+* Read specific portions of the Microsoft security guidance to establish a baseline of knowledge about securing your cloud-based or hybrid Azure environment.
+
+* Audit your account and password strategy and authentication methods to help deter the most common attack vectors.
+
+* Create a strategy for continuous monitoring and alerting on activities that might indicate a security threat.
+
+## Audience
+
+The Azure AD SecOps Guide is intended for enterprise IT identity and security operations teams and managed service providers that need to counter threats through better identity security configuration and monitoring profiles. This guide is especially relevant for IT administrators and identity architects advising Security Operations Center (SOC) defensive and penetration testing teams to improve and maintain their identity security posture.
+
+## Scope
+
+This introduction provides the suggested prereading and password audit and strategy recommendations. This article also provides an overview of the tools available for hybrid Azure environments as well as fully cloud-based Azure environments. Finally, we provide a list of data sources you can use for monitoring and alerting and configuring your security information and event management (SIEM) strategy and environment. The rest of the guidance presents monitoring and alerting strategies in the following areas:
+
+* [User accounts](security-operations-user-accounts.md) ΓÇô Guidance specific to non-privileged user accounts without administrative privilege, including anomalous account creation and usage, and unusual sign-ins.
+
+* [Privileged accounts](security-operations-privileged-accounts.md) ΓÇô Guidance specific to privileged user accounts that have elevated permissions to perform administrative tasks, including Azure AD role assignments, Azure resource role assignments, and access management for Azure resources and subscriptions.
+
+* [Privileged Identity Management (PIM)](security-operations-privileged-identity-management.md) ΓÇô guidance specific to using PIM to manage, control, and monitor access to resources.
+
+* [Applications](security-operations-applications.md) ΓÇô Guidance specific to accounts used to provide authentication for applications.
+
+* [Devices](security-operations-devices.md) ΓÇô Guidance specific to monitoring and alerting for devices registered or joined outside of policies, non-compliant usage, managing device administration roles, and sign-ins to virtual machines.
+
+* [Infrastructure](security-operations-infrastructure.md)ΓÇô Guidance specific to monitoring and alerting on threats to your hybrid and purely cloud-based environments.
+
+## Important reference content
+
+Microsoft has many products and services that enable you to customize your IT environment to fit your needs. We recommend as part of your monitoring and alerting strategy you review the following guidance that is relevant to your operating environment:
+
+* Windows operating systems
+
+ * [Windows 10 and Windows Server 2016 security auditing and monitoring reference](https://www.microsoft.com/download/details.aspx?id=52630)
+
+ * [Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093)
+
+* On-premises environments
+
+ * [Microsoft Defender for Identity architecture](/defender-for-identity/architecture)
+
+ * [Connect Microsoft Defender for Identity to Active Directory quickstart](/defender-for-identity/install-step2)
+
+ * [Azure security baseline for Microsoft Defender for Identity](/defender-for-identity/security-baseline)
+
+ * [Monitoring Active Directory for Signs of Compromise](/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise)
+
+* Cloud-based Azure environments
++
+ * [Monitor sign-ins with the Azure AD sign-in log](../reports-monitoring/concept-all-sign-ins.md)
+
+ * [Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)
+
+ * [Investigate risk with Azure Active Directory Identity Protection](../identity-protection/howto-identity-protection-investigate-risk.md)
+
+ * [Connect Azure AD Identity Protection data to Azure Sentinel](../../sentinel/connect-azure-ad-identity-protection.md)
+
+* Active Directory Domain Services (AD DS)
+
+ * [Audit Policy Recommendations](/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations)
+
+* Active Directory Federation Services (AD FS)
+
+ * [AD FS Troubleshooting - Auditing Events and Logging](/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging)
+
+## Data sources
+
+The log files you use for investigation and monitoring are:
+
+* [Azure AD Audit logs](../reports-monitoring/concept-audit-logs.md)
+
+* [Sign-in logs](../reports-monitoring/concept-all-sign-ins.md)
+
+* [Microsoft 365 Audit logs](/microsoft-365/compliance/auditing-solutions-overview?view=o365-worldwide)
+
+* [Azure Key Vault logs](../../key-vault/general/logging.md?tabs=Vault)
+
+From the Azure portal you can view the Azure AD Audit logs and download as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:
+
+* **[Azure Sentinel](../../sentinel/overview.md)** ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.
+
+* **[Azure Monitor](../../azure-monitor/overview.md)** ΓÇô enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
+
+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) integrated with a SIEM**- [Azure AD logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hub integration.
+
+* **[Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security) (MCAS)** ΓÇô enables you to discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance.
+
+Much of what you will monitor and alert on are the effects of your Conditional Access policies. You can use the [Conditional Access insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) to examine the effects of one or more Conditional Access policies on your sign-ins, as well as the results of policies, including device state. This workbook enables you to view an impact summary, and identify the impact over a specific time period. You can also use the workbook to investigate the sign-ins of a specific user.
+
+The remainder of this article describes what we recommend you monitor and alert on, and is organized by the type of threat. Where there are specific pre-built solutions we link to them or provide samples following the table. Otherwise, you can build alerts using the preceding tools.
+
+* **[Identity Protection](../identity-protection/overview-identity-protection.md)** -- generates three key reports that you can use to help with your investigation:
+
+ * **Risky users** ΓÇô contains information about which users are at risk, details about detections, history of all risky sign-ins, and risk history.
+
+ * **Risky sign-ins** ΓÇô contains information surrounding the circumstance of a sign-in that might indicate suspicious circumstances. For additional information on investigating information from this report, visit [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).
+
+ * **Risk detections** - contains information on risk signals detected by Azure AD Identity Protection that informs sign-in and user risk. For more information, see the [Azure AD security operations guide for user accounts](security-operations-user-accounts.md).
+
+### Data sources for domain controller monitoring
+
+For the best results, we recommend that you monitor your domain controllers using Microsoft Defender for Identity. This will enable you for the best detection and automation capabilities. Please follow the guidance from:
+
+* [Microsoft Defender for Identity architecture](/defender-for-identity/architecture)
+
+* [Connect Microsoft Defender for Identity to Active Directory quickstart](/defender-for-identity/install-step2)
+
+If you do not plan to use Microsoft Defender for identity, you can monitor your domain controllers either by event log messages or by running PowerShell cmdlets.
+
+## Components of hybrid authentication
+
+As part of an Azure hybrid environment, the following should be baselined and included in your monitoring and alerting strategy.
+
+* **PTA Agent** ΓÇô The Pass-through authentication agent is used to enable pass-through authentication and is installed on-premises. See [Azure AD Pass-through Authentication agent: Version release history](../hybrid/reference-connect-pta-version-history.md) for information on verifying your agent version and next steps.
+
+* **AD FS/WAP** ΓÇô Azure Active Directory Federation Services (Azure AD FS) and Web Application Proxy (WAP) enable secure sharing of digital identity and entitlement rights across your security and enterprise boundaries. For information on security best practices, see [Best practices for securing Active Directory Federation Services]/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs).
+
+* **Azure AD Connect Health Agent** ΓÇô The agent used to provide a communications link for Azure AD Connect Health. For information on installing the agent, see [Azure AD Connect Health agent installation](../hybrid/how-to-connect-health-agent-install.md).
+
+* **Azure AD Connect Sync Engine** - The on-premises component, also called the sync engine. For information on the feature, see [Azure AD Connect sync service features](../hybrid/how-to-connect-syncservice-features.md).
+
+* **Password Protection DC agent** ΓÇô Azure password protection DC agent is used to help with monitoring and reporting event log messages. For information, see ../authentication/concept-password-ban-bad-on-premises.md.
+
+* **Password Filter DLL** ΓÇô The password filter DLL of the DC Agent receives user password-validation requests from the operating system. The filter forwards them to the DC Agent service that's running locally on the DC. For information on using the DLL, see [Enforce on-premises Azure AD Password Protection for Active Directory Domain Services](../authentication/concept-password-ban-bad-on-premises.md).
+
+* **Password writeback Agent** ΓÇô Password writeback is a feature enabled with [Azure AD Connect](../hybrid/whatis-hybrid-identity.md) that allows password changes in the cloud to be written back to an existing on-premises directory in real time. For more information on this feature, see [How does self-service password reset writeback work in Azure Active Directory?](../authentication/concept-sspr-writeback.md)
+
+* **Azure AD Application Proxy Connector** ΓÇô Lightweight agents that sit on-premises and facilitate the outbound connection to the Application Proxy service. For more information, see [Understand Azure ADF Application Proxy connectors](../app-proxy/application-proxy-connectors.md).
+
+## Components of cloud-based authentication
+
+As part of an Azure cloud-based environment, the following should be baselined and included in your monitoring and alerting strategy.
+
+* **Azure AD Application Proxy** ΓÇô This cloud service provides secure remote access to on-premises web applications. For more information, see [Remote access to on-premises applications through Azure AD Application Proxy](../app-proxy/application-proxy-connectors.md).
+
+* **Azure AD Connect** ΓÇô Services used for an Azure AD Connect solution. For more information, see [What is Azure AD Connect](../hybrid/whatis-azure-ad-connect.md).
+
+* **Azure AD Connect Health** ΓÇô Service Health provides you with a customizable dashboard which tracks the health of your Azure services in the regions where you use them. For more information, see [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md).
+
+* **Azure MFA** ΓÇô Azure AD Multi-Factor Authentication requires a user to provide more than one form of proof for authentication. This can provide a proactive first step to securing your environment. For more information, see [How it works: Azure AD Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md).
+
+* **Dynamic Groups** ΓÇô Dynamic configuration of security group membership for Azure Active Directory (Azure AD) Administrators can set rules to populate groups that are created in Azure AD based on user attributes. For more information, see [Dynamic groups and Azure Active Directory B2B collaboration](../external-identities/use-dynamic-groups.md).
+
+* **Conditional Access** ΓÇô Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane. For more information, see [What is Conditional Access](../conditional-access/overview.md).
+
+* **Identity Protection** ΓÇô A tool that enables organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to your SIEM. For more information, see [What is Identity Protection](../identity-protection/overview-identity-protection.md)?
+
+* **Group-based licensing**ΓÇô Licenses can be assigned to groups rather than directly to users. Azure AD stores information about license assignment states for users.
+
+* **Provisioning Service** ΓÇô Provisioning refers to creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. For more information, see [How Application Provisioning works in Azure Active Directory](../app-provisioning/how-provisioning-works.md).
+
+* **Graph API** ΓÇô The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API. For more information, see [Overview of Microsoft Graph](/graph/overview).
+
+* **Domain Service** ΓÇô Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy. For more information, see [What is Azure Active Directory Domain Services?](../../active-directory-domain-services/overview.md)
+
+* **Azure Resource Manager** ΓÇô Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. For more information, see [What is Azure Resource Manager?](../../azure-resource-manager/management/overview.md)
+
+* **Managed Identity** ΓÇô Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. For more information, see [What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md)
+
+* **Privileged Identity Management** ΓÇô Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. For more information, see [What is Azure AD Privileged Identity Management](../privileged-identity-management/pim-configure.md).
+
+* **Access Reviews** ΓÇô Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access. For more information, see [What are Azure AD access reviews?](../governance/access-reviews-overview.md)
+
+* **Entitlement Management** ΓÇô Azure Active Directory (Azure AD) entitlement management is an [identity governance](../governance/identity-governance-overview.md) feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration. For more information, see [What is Azure AD entitlement management?](../governance/entitlement-management-overview.md)
+
+* **Activity Logs** ΓÇô The Activity log is a [platform log](../../azure-monitor/essentials/platform-logs-overview.md) in Azure that provides insight into subscription-level events. This includes such information as when a resource is modified or when a virtual machine is started. For more information, see [Azure Activity log](../../azure-monitor/essentials/activity-log.md).
+
+* **Self-service Password reset service** ΓÇô Azure Active Directory (Azure AD) self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. For more information, see [How it works: Azure AD self-service password reset](../authentication/concept-sspr-howitworks.md).
+
+* **Device Services** ΓÇô Device identity management is the foundation for [device-based Conditional Access](../conditional-access/require-managed-devices.md). With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible with managed devices. For more information, see [What is a device identity?](../devices/overview.md)
+
+* **Self-Service Group Management** ΓÇô You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure Active Directory (Azure AD). The owner of the group can approve or deny membership requests and can delegate control of group membership. Self-service group management features are not available for mail-enabled security groups or distribution lists. For more information, see [Set up self-service group management in Azure Active Directory](../enterprise-users/groups-self-service-management.md).
+
+* **Risk detections** ΓÇô contains information about other risks triggered when a risk is detected and other pertinent information such as sign-in location and any details from Microsoft Cloud App Security (MCAS).
+
+## Next steps
+
+See these security operations guide articles:
+
+[Azure AD security operations overview](security-operations-introduction.md)
+
+[Security operations for user accounts](security-operations-user-accounts.md)
+
+[Security operations for privileged accounts](security-operations-privileged-accounts.md)
+
+[Security operations for Privileged Identity Management](security-operations-privileged-identity-management.md)
+
+[Security operations for applications](security-operations-applications.md)
+
+[Security operations for devices](security-operations-devices.md)
+
+
+[Security operations for infrastructure](security-operations-infrastructure.md)
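Review bot: The AD FS/WAP bullet under "Components of hybrid authentication" has a broken link: `[Best practices for securing Active Directory Federation Services]/windows-server/...)` is missing the opening parenthesis, so it will render as literal text. The same bullet calls the product "Azure Active Directory Federation Services (Azure AD FS)"; AD FS is the Windows Server role, as the earlier "Active Directory Federation Services (AD FS)" list item has it. In the same list, the Password Protection DC agent bullet ends in a bare relative path instead of a link, and "Understand Azure ADF Application Proxy connectors" looks like a typo for "Azure AD". Under "Components of cloud-based authentication", the Application Proxy bullet links to application-proxy-connectors.md and the Azure AD Connect Health bullet links to whatis-azure-ad-connect.md, each the same target as a neighbouring bullet, so please confirm the intended targets. The "Domain Service" bullet abbreviates Azure Active Directory Domain Services as "AD DS", which collides with the on-premises AD DS heading earlier in the article. The closing "Risk detections" bullet describes a report, not a component, and its text differs from the Risk detections description under "Data sources". The Identity Protection bullet in "Data sources" also sits after the "remainder of this article" paragraph, detached from the tool list it belongs to.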
active-directory Security Operations Privileged Accounts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/security-operations-privileged-accounts.md
+
+ Title: Azure Active Directory security operations for privileged accounts
+description: Learn to set baselines, then monitor and alert of potential security issues with privileged accounts in Azure Active directory.
+++++++ Last updated : 07/15/2021++++
+# Security operations for privileged accounts
+
+The security of business assets depends on the integrity of the privileged accounts that administer your IT systems. Cyber-attackers use credential theft attacks and other means to target privileged accounts and gain access to sensitive data.
+
+Traditionally, organizational security has focused on the entry and exit points of a network as the security perimeter. However, software-as-a-service (SaaS) applications and personal devices on the Internet have made this approach less effective.
+
+Azure Active Directory (Azure AD) uses identity and access management (IAM) as the control plane. In your organization's identity layer, users assigned to privileged administrative roles are in control. The accounts used for access must be protected, whether the environment is on-premises, in the cloud, or a hybrid environment.
+
+You are entirely responsible for all layers of security for your on-premises IT environment. When you use Azure services, prevention and response are the joint responsibilities of Microsoft as the cloud service provider and you as the customer.
+
+* For more information on the shared responsibility model, visit [Shared responsibility in the cloud](../../security/fundamentals/shared-responsibility.md).
+
+* For more information on securing access for privileged users, visit [Securing Privileged access for hybrid and cloud deployments in Azure AD](../roles/security-planning.md).
+
+* For a wide range of videos, how-to guides, and content of key concepts for privileged identity, visit [Privileged Identity Management documentation](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/).
+
+## Where to look
+
+The log files you use for investigation and monitoring are:
+
+* [Azure AD Audit logs](../reports-monitoring/concept-audit-logs.md)
+
+* [Microsoft 365 Audit logs](/microsoft-365/compliance/auditing-solutions-overview?view=o365-worldwide)
+
+* [Azure Key Vault insights](../../azure-monitor/insights/key-vault-insights-overview.md)
+
+From the Azure portal, you can view the Azure AD Audit logs and download as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:
+
+* [Azure Sentinel](../../sentinel/overview.md) ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.
+
+* [Azure Monitor](../../azure-monitor/overview.md) ΓÇô enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
+
+* [Azure Event Hubs](../../event-hubs/event-hubs-about.md) integrated with a SIEM- [Azure AD logs can be pushed to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hub integration.
+
+* [Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security) (MCAS) ΓÇô enables you to discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance.
+
+* Microsoft Graph - you can export the data and user MS Graph to do more analysis. For more information on MS Graph, visit [Microsoft Graph PowerShell SDK and Azure Active Directory Identity Protection](../identity-protection/howto-identity-protection-graph-api.md).
+
+* [Identity Protection](../identity-protection/overview-identity-protection.md)-- generates three key reports that you can use to help with your investigation:
+
+ * Risky users ΓÇô contains information about which users are at risk, details about detections, history of all risky sign-ins, and risk history.
+
+ * Risky sign-ins ΓÇô contains information surrounding the circumstance of a sign in that might indicate suspicious circumstances. For additional information on investigating information from this report, visit [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).
+
+ * Risk detections ΓÇô contains information about other risks triggered when a risk is detected and other pertinent information such as sign-in location and any details from Microsoft Cloud App Security (MCAS).
+
+
+
+While we discourage the practice, privileged accounts can have standing administration rights. If you choose to use standing privileges, and the account is compromised, it can have the strongly negative impact. We recommend you prioritize monitoring privileged accounts and include the accounts in your Privileged Identity Management (PIM) configuration. For more information on PIM, see [Start using Privileged Identity Management](../privileged-identity-management/pim-getting-started.md). Additionally, we recommend you validate that admin accounts:
+
+* Are required.
+
+* Have the least privilege to execute the require activities.
+
+* Are protected with MFA at a minimum.
+
+* Are run from privileged access workstation (PAW) or secure admin workstation (SAW) devices.
+
+The remainder of this article describes what we recommend you monitor and alert on, and is organized by the type of threat. Where there are specific pre-built solutions we link to them following the table. Otherwise, you can build alerts using the preceding tools. Specifically, this article provides details on setting baselines, auditing sign-in and usage of privileged accounts, and tools and resources you can use to help maintain the integrity of your privileged accounts. The content is organized into the following topic areas:
+
+* Emergency ΓÇ£break-glassΓÇ¥ accounts
+
+* Privileged account sign in
+
+* Privileged account changes
+
+* Privileged groups
+
+* Privilege assignment, and elevation
+
+## Emergency access accounts
+
+It's important that you prevent being accidentally locked out of your Azure Active Directory (Azure AD) tenant. You can mitigate the impact of an accidental lockout by creating emergency access accounts in your organization. Emergency access accounts are also known as ΓÇ£break glassΓÇ¥ accounts, as in ΓÇ£break glass in case of emergencyΓÇ¥ messages found on physical security equipment like fire alarms.
+
+Emergency access accounts are highly privileged, and they aren't assigned to specific individuals. Emergency access accounts are limited to emergency or break glass scenarios where normal privileged accounts can't be used. For example, when a Conditional Access policy is misconfigured and locks out all normal administrative accounts. Restrict emergency account use to only the times when it is absolutely necessary.
+
+Also see our guidance on what to do in an emergency [Secure access practices for administrators in Azure AD](../roles/security-planning.md).
+
+Send a high priority alert every time an emergency access account is used.
+
+### Discovery
+
+Since break glass accounts are only used if there is an emergency, your monitoring should discover no account activity. Send a high priority alert every time an emergency access account is used or changed. Any of the following events might indicate a bad actor is trying to compromise your environments.
+
+* Account used ΓÇô monitor and alert on any activity using this type of account, including:
+
+* Sign in
+
+* Account password change
+
+* Account permission/roles changed
+
+* Credential or auth method added or changed
+
+For more information on managing emergency access accounts, see [Manage emergency access admin accounts in Azure AD](../roles/security-emergency-access.md). For detailed information on creating an alert for emergency account, see [Create an alert rule](../roles/security-emergency-access.md).
+
+## Privileged account sign in
+
+Monitor all privileged account sign in activity by using the Azure AD Sign in logs as the data source. In addition to sign in success and failure information, the logs contain the following details:
+
+* Interrupts
+* Device
+* Location
+* Risk
+* Application
+* Date and time
+* Is the account disabled
+* Lockout
+* MFA fraud
+* CA failure
+
+### Things to monitor
+
+You can monitor privileged account sign-in events in the Azure AD Sign-in logs. Alert on and investigate the following events for privileged accounts.
+
+| What to monitor | Risk level | Where | Filter/sub-filter | Notes |
+| - | - | - | - | - |
+| Sign-in failure, bad password threshold | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50126 | Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated. |
+| Failure due to CA requirement |High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 53003<br>-and-<br>Failure reason = blocked by CA | This can be an indication an attacker is trying to get into the account |
+| Privileged accounts that don't follow naming policy.| | Azure Subscription | [List Azure role assignments using the Azure portal - Azure RBAC](../../role-based-access-control/role-assignments-list-portal.md)| List role assignments for subscriptions and alert where sign in name doesn't match your organizations format. For example, ADM_ as a prefix. |
+| Interrupt | High/Medium | Azure AD Sign-ins | Status = Interrupted<br>-and-<br>error code = 50074<br>-and-<br>Failure reason = Strong Auth required<br>Status = Interrupted<br>-and-<br>Error code = 500121<br>Failure Reason = Authentication failed during strong authentication request | This can be an indication an attacker has the password for the account but can't pass the MFA challenge. | | |
+| Privileged accounts that don't follow naming policy.| High | Azure AD directory | [List Azure AD role assignments](../roles/view-assignments.md)| List roles assignments for Azure AD roles alert where UPN doesn't match your organizations format. For example, ADM_ as a prefix. |
+| Discover privileged accounts not registered for MFA. | High | Azure AD Graph API| Query for IsMFARegistered eq false for administrator accounts. [List credentialUserRegistrationDetails - Microsoft Graph beta](/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&tabs=http) | Audit and investigate to determine if intentional or an oversight. |
+| Account lockout | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50053 | Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated. |
+| Account disabled/blocked for sign-ins | Low | Azure AD Sign-ins log | Status = Failure<br>-and-<br>Target = user UPN<br>-and-<br>error code = 50057 | This could indicate someone is trying to gain access to an account once they have left an organization. Although the account is blocked, it's still important to log and alert on this activity. |
+| MFA fraud alert/block | High | Azure AD Sign-ins log | Succeeded = false<br>-and-<br>Result detail = MFA denied<br>-and-<br>Target = user | Privileged user has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. |
+| Privileged account sign-ins outside of expected controls. | | Azure AD Sign-ins log | Status = failure<br>UserPricipalName = <Admin account><br>Location = <unapproved location><br>IP Address = <unapproved IP><br>Device Info= <unapproved Browser, Operating System> | Monitor and alert on any entries that you have defined as unapproved. |
+| Outside of normal sign in times | High | Azure AD Sign-ins log | Status =success<br>-and-<br>Location =<br>-and-<br>Time = outside of working hours | Monitor and alert if sign-ins occur outside of expected times. It is important to find the normal working pattern for each privileged account and to alert if there are unplanned changes outside of normal working times. Sign-ins outside of normal working hours could indicate compromise or possible insider threats. |
+| Identity protection risk | High | Identity Protection logs | Risk state = at risk<br>-and-<br>Risk level = low/medium/high<br>-and-<br>Activity = Unfamiliar sign-in/TOR, etc. | This indicates there is some abnormality detected with the sign in for the account and should be alerted on. |
+| Password change | High | Azure AD Audit logs | Activity Actor = admin/self service<br>-and-<br>Target = user<br>-and-<br>Status = success/failure | Alert on any administrator account password changes, especially for Global admins, user admins, subscription admins, and emergency access accounts. Write a query targeted at all privileged accounts. |
+| Change in legacy authentication protocol | High | Azure AD Sign-ins log | Client App = Other client, IMAP, POP3, MAPI, SMTP etc.<br>-and-<br>Username = UPN<br>-and-<br>Application = Exchange (example) | Many attacks use legacy authentication and therefore if there is a change in auth protocol for the user it could be an indication of an attack. |
+| New device or location | High | Azure AD Sign-ins log | Device Info = Device ID<br>-and-<br>Browser<br>-and-<br>OS<br>-and-<br>Compliant/Managed<br>-and-<br>Target = user<br>-and-<br>Location | Most admin activity should be from [privileged access devices](/security/compass/privileged-access-devices), from a limited number of locations. Therefore alert on new devices or locations. |
+| Audit alert setting is changed. | High | Azure AD Audit logs | Service = PIM<br>-and-<br>Category = Role Management<br>-and-<br>Activity = Disable PIM Alert<br>-and-<br>Status = Success | Changes to a core alert should be alerted if unexpected. |
++
+## Changes by privileged accounts
+
+Monitor all completed and attempted changes by a privileged account. This enables you to establish what is normal activity for each privileged account and alert on activity that deviates from the expected. The Azure AD audit logs are used to record this type of event. For more information on Azure AD Audit logs, see [Audit logs in Azure Active Directory](../reports-monitoring/concept-audit-logs.md).
+
+### Azure Active Directory Domain Services
+
+Privileged accounts that have been assigned permissions in Azure Active Directory Domain Services can perform tasks for Azure AD DS that affect the security posture of your Azure hosted virtual machines (VMs) that use Azure AD Domain Services. Enable security audits on VMs and monitor the logs. For more information on enabling Azure AD DS audits and for a list of what are considered sensitive privileges visit, see the following resources.
+
+* [Enable security audits for Azure Active Directory Domain Services](../../active-directory-domain-services/security-audit-events.md)
+
+* [Audit Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use)
+
+| What to monitor | Risk level | Where | Filter/sub-filter | Notes |
+|-|||--|--|
+| Attempted and completed changes | High | Azure AD Audit logs | Date and time<br>-and-<br>Service<br>-and-<br>Category and name of the activity (what)<br>-and-<br>Status = success or failure<br>-and-<br>Target<br>-and-<br>Initiator / actor (who) | Any unplanned changes should be alerted on immediately. These logs should be retained to assist in any investigation. Any tenant level changes should be investigated immediately (link out to Infra doc) Changes that would lower the security posture of your tenant. For example: excluding accounts from MFA or conditional access. Alert on any [additions or changes to applications](security-operations-applications.md). |
+| **EXAMPLE**<br>Attempted or completed change to high value apps or services | High | Audit log | Service<br>-and-<br>Category and name of the activity | <li>Date and time <li>Service <li>Category and name of the activity <li>Status = success or failure <li>Target <li>Initiator / actor (who) |
+| Privileged changes in Azure AD DS | High | AD DS | Look for event [4673](/windows/security/threat-protection/auditing/event-4673) | [Enable security audits for Azure Active Directory Domain Services](../../active-directory-domain-services/security-audit-events.md)<br>[Audit Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use). See article for list of all privileged events. |
++
+## Changes to privileged accounts
+
+Investigate changes to privileged accounts' authentication rules and privileges, especially if the change provides greater privilege or ability to perform tasks in your Azure AD environment.
+
+| What to monitor| Risk level| Where| Filter/sub-filter| Notes |
+| - | - | - | - | - |
+| Privileged account creation.| Medium| Azure AD Audit logs| Service = Core Directory<br>-and-<br>Category = user management<br>-and-<br>Activity Type = Add user<br>-correlate with-<br>Category Type = Role Management<br>-and-<br>Activity Type = Add member to role<br>-and-<br>Modified properties = Role.DisplayName| Monitor creation of any privileged accounts. Look for correlation that of short time span between creation and deletion of accounts. |
+| Changes to authentication methods.| High| Azure AD Audit logs| Service = Authentication Method<br>-and-<br>Activity Type = User registered security info<br>-and-<br>Category = user management| This could be an indicated of an attacker adding an auth method to the account so they can have continued access. |
+| Alert on changes to privileged account permissions.| High| Azure AD Audit logs| Category = Role Management<br>-and-<br>Activity Type ΓÇô Add eligible member (permanent)<br>-and-<br>Activity Type ΓÇô Add eligible member (eligible)<br>-and-<br>Status = Success/failure<br>-and-<br>Modified properties = Role.DisplayName| This is especially for accounts being assigned roles that aren't known or outside of their normal responsibilities. |
+| Unused privileged accounts.| Medium| Azure AD Access Reviews| | Perform monthly review for inactive privileged user accounts. |
+| Accounts exempt from Conditional Access| High| Azure Monitor Logs<br>-or-<br>Access Reviews| Conditional Access - Insights and Reporting| Any account exempt from CA is most likely bypassing security controls and are more vulnerable to compromise. Break glass accounts are exempt. See information how to monitor break glass accounts in a subsequent section of this article.|
++
+For more information on how to monitor for exceptions to Conditional Access policies, see [Conditional Access insights and reporting](../conditional-access/howto-conditional-access-insights-reporting.md).
+
+For more information on discovering unused privileged accounts, see [Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-start-security-review.md)
+
+
+## Assignment and elevation
+
+Having privileged accounts that are permanently provisioned with elevated abilities can increase the attack surface and risk to your security boundary. Instead, employ just-in-time access using an elevation procedure. This type of system allows you to assign eligibility for privileged roles, and admins elevate their privileges to those roles only when performing tasks that need those privileges. Using an elevation process enables you to monitor elevations and non-use of privileged accounts.
+
+### Establish a baseline
+
+To monitor for exceptions, you must first create a baseline. Determine the following
+
+* Admin accounts
+
+ * Your privileged account strategy
+
+ * Use of on-premises accounts to administer on-premises resources.
+
+ * Use of cloud-based accounts to administer cloud-based resources.
+
+ * Approach to separating and monitoring administrative permissions for on-premises and cloud-based resources.
+
+* Privileged role protection
+
+ * Protection strategy for roles that have administrative privileges.
+
+ * Organizational policy for using privileged accounts.
+
+ * Strategy and principles for maintaining permanent privilege versus providing time bound and approved access
+
+
+
+The following concepts and information will help you determine policies.
+
+* Just in time admin principles ΓÇô Use the Azure AD logs to capture information for performing administrative tasks that are common in your environment. Determine the typical amount of time needed to complete the tasks.
+
+* Just enough admin principles ΓÇô [Determine the least privileged role](../roles/delegate-by-task.md),which may be a custom role, needed for administrative tasks.
+
+* Establish an elevation policy ΓÇô Once you have insight into the type of elevated privilege need and how long is needed for each task, create policies that reflect elevated privileged usage for your environment. For example, defining a policy to limit Global Admin access to 1 hour.
+
+ Once you establish your baseline and set policy, you can configure monitoring to detect and alert usage outside of policy.
+
+### Discovery
+
+We recommend you pay particular attention to and investigate changes in assignment and elevation of privilege.
+
+### Things to monitor
+
+You can monitor privileged account changes using Azure AD Audit logs and Azure Monitor logs. Specifically, we recommend the following be included in your monitoring process.
+
+| What to monitor| Risk level| Where| Filter/sub-filter| Notes |
+| - | - | - | - | - |
+| Added to eligible privileged role.| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role ManagementΓÇï<br>-and-<br>Activity Type ΓÇô Add member to role completed (eligible)<br>-and-<br>Status = Success/failureΓÇï<br>-and-<br>Modified properties = Role.DisplayName| Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate. |
+| Roles assigned out of PIM.| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role ManagementΓÇï<br>-and-<br>Activity Type = Add member to role (permanent)<br>-and-<br>Status = Success/failure<br>-and-<br>Modified properties = Role.DisplayName| These should be closely monitored and alerted. Users shouldn't be assigned roles outside of PIM where possible. |
+| Elevations| Medium| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role Management<br>-and-<br>Activity Type ΓÇô Add member to role completed (PIM activation)<br>-and-<br>Status = Success/failureΓÇï<br>-and-<br>Modified properties = Role.DisplayName| Once elevated a privileged account can now make changes that could impact the security of your tenant. All elevations should be logged and if happening outside of the standard pattern for that user should be alerted and investigated if not planned. |
+| Approvals and deny elevation| Low| Azure AD Audit Logs| Service = Access Review<br>-and-<br>Category = UserManagement<br>-and-<br>Activity Type = Request Approved/Denied<br>-and-<br>Initiated actor = UPN| Monitor all elevations as it could give a clear indication of timeline for an attack. |
+| Changes to PIM settings| High| Azure AD Audit Logs| Service =PIM<br>-and-<br>Category = Role Management<br>-and-<br>Activity Type = Update role setting in PIM<br>-and-<br>Status Reason = MFA on activation disabled (example)| One of these actions could reduce the security of the PIM elevation and make it easier for attackers to acquire a privileged account. |
+| Elevation not occurring on SAW/PAW| High| Azure AD Sign In logs| Device IDΓÇï<br>-and-<br>Browser<br>-and-<br>OS<br>-and-<br>Compliant/Managed<br>Correlate with:<br>Service = PIM<br>-and-<br>Category = Role Management<br>-and-<br>Activity Type ΓÇô Add member to role completed (PIM activation)<br>-and-<br>Status = Success/failure<br>-and-<br>Modified properties = Role.DisplayName| If this is configured, any attempt to elevate on a non-PAW/SAW device should be investigated immediately as it could indicate an attacker trying to use the account. |
+| Elevation to manage all Azure subscriptions| High| Azure Monitor| Activity Log/Directory Activity<br>Assigns the caller to user access administrator<br>-and-<br>Status = succeeded, success, fail<br>-and-<br>Event initiated by| This should be investigated immediately if not a planned change. This setting could allow an attacker access to Azure subscriptions in your environment. |
++
+For more information about managing elevation, see [Elevate access to manage all Azure subscriptions and management groups](../../role-based-access-control/elevate-access-global-admin.md). For information on monitoring elevations using information available in the Azure AD logs, see [Azure Activity log](../../azure-monitor/essentials/activity-log.md), which is part of the Azure Monitor documentation.
+
+For information about configuring alerts for Azure role, see [Configure security alerts for Azure resource roles in Privileged Identity Management](../privileged-identity-management/pim-resource-roles-configure-alerts.md).
+
+ ## Next steps
+
+See these security operations guide articles:
+
+[Azure AD security operations overview](security-operations-introduction.md)
+
+[Security operations for user accounts](security-operations-user-accounts.md)
+
+[Security operations for privileged accounts](security-operations-privileged-accounts.md)
+
+[Security operations for Privileged Identity Management](security-operations-privileged-identity-management.md)
+
+[Security operations for applications](security-operations-applications.md)
+
+[Security operations for devices](security-operations-devices.md)
+
+
+[Security operations for infrastructure](security-operations-infrastructure.md)
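Review bot: In the "Changes to privileged accounts" table, the "Alert on changes to privileged account permissions" row joins the Activity Type values "Add eligible member (permanent)" and "Add eligible member (eligible)" with -and-. A single audit event carries one activity type, so a filter built literally from this row matches nothing; join the two values with -or-. The same row writes Activity Type with a dash where the neighbouring rows use "=", and the pattern repeats in the "Things to monitor" table, so the notation should be made consistent. "Approvals and deny elevation" is rated Low in this table but High in the PIM article added in the same change, and its note says "Monitor all elevations" even though the filter selects approval and denial requests; align the rating and the note. The final paragraph points to the Azure Activity log for "information available in the Azure AD logs", which mixes two log sources and should name the one intended. Wording to correct: "Look for correlation that of short time span" and "This could be an indicated of an attacker".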
active-directory Security Operations Privileged Identity Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/security-operations-privileged-identity-management.md
+
+ Title: Azure Active Directory security operations for Privileged Identity Management
+description: Guidance to establish baselines and use Azure Active Directory Privileged Identity Management (PIM) to monitor and alert on potential issues with accounts that are governed by PIM.
+++++++ Last updated : 07/15/2021++++++
+# Azure Active Directory security operations for Privileged Identity Management (PIM)
+
+The security of business assets depends on the integrity of the privileged accounts that administer your IT systems. Cyber-attackers use credential theft attacks to target admin accounts and other privileged access accounts to try gaining access to sensitive data.
+
+For cloud services, prevention and response are the joint responsibilities of the cloud service provider and the customer.
+
+Traditionally, organizational security has focused on the entry and exit points of a network as the security perimeter. However, SaaS apps and personal devices have made this approach less effective. In Azure
+Active Directory (Azure AD), we replace the network security perimeter with authentication in your organization's identity layer. As users are assigned to privileged administrative roles, their access must be protected in on-premises, cloud, and hybrid environments
+
+You're entirely responsible for all layers of security for your on-premises IT environment. When you use Azure cloud services, prevention and response are joint responsibilities of Microsoft as the cloud service provider and you as the customer.
+
+* For more information on the shared responsibility model, see [Shared responsibility in the cloud](../../security/fundamentals/shared-responsibility.md).
+
+* For more information on securing access for privileged users, see [Securing Privileged access for hybrid and cloud deployments in Azure AD](../roles/security-planning.md).
+
+* For a wide range of videos, how-to guides, and content of key concepts for privileged identity, visit [Privileged Identity Management documentation](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/).
+
+Privileged Identity Management (PIM) is an Azure AD service that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. You can use PIM to help mitigate the following risks:
+
+* Identify and minimize the number of people who have access to secure information and resources.
+
+* Detect excessive, unnecessary, or misused access permissions on sensitive resources.
+
+* Reduce the chances of a malicious actor getting access to secured information or resources.
+
+* Reduce the possibility of an unauthorized user inadvertently impacting sensitive resources.
+
+This article provides guidance on setting baselines, auditing sign-ins and usage of privileged accounts, and the source of audit logs you can use to help maintain the integrity of your privilege accounts.
+
+## Where to look
+
+The log files you use for investigation and monitoring are:
+
+* [Azure AD Audit logs](../reports-monitoring/concept-audit-logs.md)
+
+* [Sign-in logs](../reports-monitoring/concept-all-sign-ins.md)
+
+* [Microsoft 365 Audit logs](/microsoft-365/compliance/auditing-solutions-overview?view=o365-worldwide)
+
+* [Azure Key Vault logs](../../key-vault/general/logging.md?tabs=Vault)
+
+In the Azure portal you can view the Azure AD Audit logs and download them as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:
+
+* [**Azure Sentinel**](../../sentinel/overview.md) ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.
+
+* [**Azure Monitor**](../../azure-monitor/overview.md) ΓÇô enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
+
+* [**Azure Event Hubs**](../../event-hubs/event-hubs-about.md) **integrated with a SIEM**- [Azure AD logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hub integration.
+
+* [**Microsoft Cloud App Security**](/cloud-app-security/what-is-cloud-app-security) (MCAS) ΓÇô enables you to discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance.
+
+The rest of this article provides recommendations for setting a baseline to monitor and alert on, organized using a tier model. Links to pre-built solutions are listed following the table. You can also build alerts using the preceding tools. The content is organized into the following topic areas of PIM:
+
+* Baselines
+
+* Azure AD role assignment
+
+* Azure AD role alert settings
+
+* Azure resource role assignment
+
+* Access management for Azure resources
+
+* Elevated access to manage Azure subscriptions
+
+## Baselines
+
+The following are recommended baseline settings:
+
+| What to monitor| Risk level| Recommendation| Roles| Notes |
+| - |- |- |- |- |
+| Azure AD roles assignment| High| <li>Require justification for activation.<li>Require approval to activate.<li>Set two-level approver process.<li>On activation, require Azure Active Directory Multi-Factor Authentication (MFA).<li>Set maximum elevation duration to 8 hrs.| <li>Privileged Role Administration<li>Global Administrator| A privileged role administrator can customize PIM in their Azure AD organization, including changing the experience for users activating an eligible role assignment. |
+| Azure Resource Role Configuration| High| <li>Require justification for activation.<li>Require approval to activate.<li>Set two-level approver process.<li>On activation, require Azure MFA.<li>Set maximum elevation duration to 8 hrs.| <li>Owner<li>Resource Administrator<li>User Access <li>Administrator<li>Global Administrator<li>Security Administrator| Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment. |
++
+## Azure AD roles assignment
+
+A privileged role administrator can customize PIM in their Azure AD organization. This includes changing the experience for a user who is activating an eligible role assignment as follows:
+
+* Prevent bad actor to remove Azure MFA requirements to activate privileged access.
+
+* Prevent malicious users bypass justification and approval of activating privileged access.
+
+| What to monitor| Risk level| Where| Filter/sub-filter| Notes |
+| - |- |- |- |- |
+| Alert on Add changes to privileged account permissions| High| Azure AD Audit logs| Category = Role Management<br>-and-<br>Activity Type ΓÇô Add eligible member (permanent) <br>-and-<br>Activity Type ΓÇô Add eligible member (eligible) <br>-and-<br>Status = Success/failure<br>-and-<br>Modified properties = Role.DisplayName| Monitor and always alert for any changes to privileged role administrator and global administrator. <li>This can be an indication an attacker is trying to gain privilege to modify role assignment settings<li> If you donΓÇÖt have a defined threshold, alert on 4 in 60 minutes for users and 2 in 60 minutes for privileged accounts. |
+| Alert on bulk deletion changes to privileged account permissions| High| Azure AD Audit logs| Category = Role Management<br>-and-<br>Activity Type ΓÇô Remove eligible member (permanent) <br>-and-<br>Activity Type ΓÇô Remove eligible member (eligible) <br>-and-<br>Status = Success/failure<br>-and-<br>Modified properties = Role.DisplayName| Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment. |
+| Changes to PIM settings| High| Azure AD Audit Log| Service = PIM<br>-and-<br>Category = Role Management<br>-and-<br>Activity Type = Update role setting in PIM<br>-and-<br>Status Reason = MFA on activation disabled (example)| Monitor and always alert for any changes to Privileged Role Administrator and Global Administrator. <li>This can be an indication an attacker already gained access able to modify to modify role assignment settings<li>One of these actions could reduce the security of the PIM elevation and make it easier for attackers to acquire a privileged account. |
+| Approvals and deny elevation| High| Azure AD Audit Log| Service = Access Review<br>-and-<br>Category = UserManagement<br>-and-<br>Activity Type = Request Approved/Denied<br>-and-<br>Initiated actor = UPN| All elevations should be monitored. Log all elevations as this could give a clear indication of timeline for an attack. |
+| Alert setting changes to disabled.| High| Azure AD Audit logs| Service =PIM<br>-and-<br>Category = Role Management<br>-and-<br>Activity Type = Disable PIM Alert<br>-and-<br>Status = Success /Failure| Always alert. <li>Helps detect bad actor removing alerts associated with Azure MFA requirements to activate privileged access.<li>Helps detect suspicious or unsafe activity. |
++
+For more information on identifying role setting changes in the Azure AD Audit log, see [View audit history for Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-use-audit-log.md).
+
+## Azure resource role assignment
+
+Monitoring Azure resource role assignments provides visibility into activity and activations for resources roles. These might be misused to create an attack surface to a resource. As you monitor for this type of activity, you are trying to detect:
+
+* Query role assignments at specific resources
+
+* Role assignments for all child resources
+
+* All active and eligible role assignment changes
+
+| What to monitor| Risk level| Where| Filter/sub-filter| Notes |
+| - |- |- |- |- |
+| Audit Alert Resource Audit log for Privileged account activities| High| In PIM, under Azure Resources, Resource Audit| Action : Add eligible member to role in PIM completed (time bound) <br>-and-<br>Primary Target <br>-and-<br>Type User<br>-and-<br>Status = Succeeded<br>| Always alert. Helps detect bad actor adding eligible roles to manage all resources in Azure. |
+| Audit Alert Resource Audit for Disable Alert| Medium| In PIM, under Azure Resources, Resource Audit| Action : Disable Alert<br>-and-<br>Primary Target : Too many owners assigned to a resource<br>-and-<br>Status = Succeeded| Helps detect bad actor disabling alerts from Alerts pane which can bypass malicious activity being investigated |
+| Audit Alert Resource Audit for Disable Alert| Medium| In PIM, under Azure Resources, Resource Audit| Action : Disable Alert<br>-and-<br>Primary Target : Too many permanent owners assigned to a resource<br>-and-<br>Status = Succeeded| Prevent bad actor from disable alerts from Alerts pane which can bypass malicious activity being investigated |
+| Audit Alert Resource Audit for Disable Alert| Medium| In PIM, under Azure Resources, Resource Audit| Action : Disable Alert<br>-and-<br>Primary Target Duplicate role created<br>-and-<br>Status = Succeeded| Prevent bad actor from disable alerts from Alerts pane which can bypass malicious activity being investigated |
++
+For more information on configuring alerts and auditing Azure resource roles, see:
+
+* [Configure security alerts for Azure resource roles in Privileged Identity Management](../privileged-identity-management/pim-resource-roles-configure-alerts.md)
+
+* [View audit report for Azure resource roles in Privileged Identity Management (PIM)](../privileged-identity-management/azure-pim-resource-rbac.md)
+
+## Access management for Azure resources and subscriptions
+
+Users or members of a group assigned to the Owner or User Access Administrator subscriptions roles, and Azure AD Global administrators that enabled subscription management in Azure AD have Resource administrator permissions by default. These administrators can assign roles, configure role settings, and review access using Privileged Identity Management (PIM) for Azure resources.
+
+A user who has Resource administrator permissions can manage PIM for Resources. The risk this introduces that you must monitor for and mitigate, is that the capability can be used to allow bad actors to have privileged access to Azure subscription resources, such as virtual machines or storage accounts.
+
+| What to monitor| Risk level| Where| Filter/sub-filter| Notes |
+| - |- |- |- |- |
+| Elevations| High| Azure AD, under Manage, Properties| Periodically review setting.<br>Access management for Azure resources| Global administrators can elevate by enabling Access management for Azure resources.<br>Verify bad actors have not gained permissions to assign roles in all Azure subscriptions and management groups associated with Active Directory. |
++
+For more information see [Assign Azure resource roles in Privileged Identity Management](../privileged-identity-management/pim-resource-roles-assign-roles.md)
+
+## Next steps
+See these security operations guide articles:
+
+[Azure AD security operations overview](security-operations-introduction.md)
+
+[Security operations for user accounts](security-operations-user-accounts.md)
+
+[Security operations for privileged accounts](security-operations-privileged-accounts.md)
+
+[Security operations for Privileged Identity Management](security-operations-privileged-identity-management.md)
+
+[Security operations for applications](security-operations-applications.md)
+
+[Security operations for devices](security-operations-devices.md)
+
+[Security operations for infrastructure](security-operations-infrastructure.md)
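Review bot: In the "Azure AD roles assignment" table, the Notes cell for "Alert on bulk deletion changes to privileged account permissions" repeats the Azure subscriptions text from the "Azure Resource Role Configuration" baseline row ("This setting could enable an attacker access to Azure subscriptions") and says nothing about removal of role members; replace it with guidance specific to removals. That row and the "Alert on Add changes" row above it join two Activity Type values with -and-, which no single audit event can satisfy, so use -or-. The "Alert on Add changes" note says to always alert on any change and then gives thresholds of 4 and 2 in 60 minutes; state which applies to which roles. In the Baselines table, "User Access <li>Administrator" splits one role name into two list items. The two bullets under "Azure AD roles assignment" ("Prevent bad actor to remove ...") do not follow from the lead-in "changing the experience ... as follows", and the bullets under "you are trying to detect:" in the resource role section read as query capabilities rather than things to detect. The topic list promises "Azure AD role alert settings" and "Elevated access to manage Azure subscriptions", but no headings with those names exist. The Next steps list links to security-operations-privileged-identity-management.md, which is this article.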
active-directory Security Operations User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/security-operations-user-accounts.md
+
+ Title: Azure Active Directory security operations for user accounts
+description: Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
+++++++ Last updated : 07/15/2021+++++
+# Azure Active Directory security operations for user accounts
+
+User identity is one of the most important aspects of protecting your organization and data. This article provides guidance for monitoring account creation, deletion, and account usage. The first portion covers how to monitor for unusual account creation and deletion. The second portion covers how to monitor for unusual account usage.
+
+If you have not yet read the [Azure Active Directory (Azure AD) security operations overview](security-operations-introduction.md), we recommend you do so before proceeding.
+
+This article covers general user accounts. For privileged accounts, see Security operations ΓÇô privileged accounts.
+
+## Define a baseline
+
+To discover anomalous behavior, you first must define what normal and expected behavior is. Defining what expected behavior for your organization is, helps you determine when unexpected behavior occurs. The definition also helps to reduce the noise level of false positives when monitoring and alerting.
+
+Once you define what you expect, you perform baseline monitoring to validate your expectations. With that information, you can monitor the logs for anything that falls outside of tolerances you define.
+
+Use the Azure AD Audit Logs, Azure AD Sign-in Logs, and directory attributes as your data sources for accounts created outside of normal processes. The following are suggestions to help you think about and define what normal is for your organization.
+
+* **Users account creation** ΓÇô evaluate the following:
+
+ * Strategy and principles for tools and processes used for creating and managing user accounts. For example, are there standard attributes, formats that are applied to user account attributes.
+
+ * Approved sources for account creation. For example, originating in Active Directory (AD), Azure Active Directory or HR systems like Workday.
+
+ * Alert strategy for accounts created outside of approved sources. Is there a controlled list of organizations your organization collaborates with?
+
+ * Provisioning of guest accounts and alert parameters for accounts created outside of entitlement management or other normal processes.
+
+ * Strategy and alert parameters for accounts created, modified, or disabled by an account that is not an approved user administrator.
+
+ * Monitoring and alert strategy for accounts missing standard attributes, such as employee ID or not following organizational naming conventions.
+
+ * Strategy, principles, and process for account deletion and retention.
+
+* **On-premises user accounts** ΓÇô evaluate the following for accounts synced with Azure AD Connect:
+
+ * The forests, domains, and organizational units (OUs) in scope for synchronization. Who are the approved administrators who can change these settings and how often is the scope checked?
+
+ * The types of accounts that are synchronized. For example, user accounts and or service accounts.
+
+ * The process for creating privileged on-premises accounts and how the synchronization of this type of account is controlled.
+
+ * The process for creating on-premises user accounts and how the synchronization of this type of account is managed.
+
+For more information for securing and monitoring on-premises accounts, see [Protecting Microsoft 365 from on-premises attacks](protect-m365-from-on-premises-attacks.md).
+
+* **Cloud user accounts** ΓÇô evaluate the following:
+
+ * The process to provision and manage cloud accounts directly in Azure AD.
+
+ * The process to determine the types of users provisioned as Azure AD cloud accounts. For example, do you only allow privileged accounts or do you also allow user accounts?
+
+ * The process to create and maintain a list of trusted individuals and or processes expected to create and manage cloud user accounts.
+
+ * The process to create and maintained an alert strategy for non-approved cloud-based accounts.
+
+## Where to look
+
+The log files you use for investigation and monitoring are:
+
+* [Azure AD Audit logs](../reports-monitoring/concept-audit-logs.md)
+
+* [Sign-in logs](../reports-monitoring/concept-all-sign-ins.md)
+
+* [Microsoft 365 Audit logs](/microsoft-365/compliance/auditing-solutions-overview?view=o365-worldwide)
+
+* [Azure Key Vault logs](../../key-vault/general/logging.md?tabs=Vault)
+
+* Risky Users log
+
+* UserRiskEvents log
+
+From the Azure portal you can view the Azure AD Audit logs and download as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:
+
+* **[Azure Sentinel](../../sentinel/overview.md)** ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.
+
+* **[Azure Monitor](../../azure-monitor/overview.md)** ΓÇô enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
+
+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) integrated with a SIEM**- [Azure AD logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hub integration.
+
+* **[Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security) (MCAS)** ΓÇô enables you to discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance.
+
+Much of what you will monitor and alert on are the effects of your Conditional Access policies. You can use the [Conditional Access insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) to examine the effects of one or more Conditional Access policies on your sign-ins, as well as the results of policies, including device state. This workbook enables you to view an impact summary, and identify the impact over a specific time period. You can also use the workbook to investigate the sign-ins of a specific user.
+
+ The remainder of this article describes what we recommend you monitor and alert on, and is organized by the type of threat. Where there are specific pre-built solutions we link to them or provide samples following the table. Otherwise, you can build alerts using the preceding tools.
+
+## Account creation
+
+Anomalous account creation can indicate a security issue. Short lived accounts, accounts not following naming standards, and accounts created outside of normal processes should be investigated.
+
+### Short-lived accounts
+
+Account creation and deletion outside of normal identity management processes should be monitored in Azure AD. Short-lived accounts are accounts created and deleted in a short time span. This type of account creation and quick deletion could mean a bad actor is trying to avoid detection by creating accounts, using them, and then deleting the account.
+
+Short-lived account patterns might indicate non-approved people or processes might have the right to create and delete accounts that fall outside of established processes and policies. This type of behavior removes visible markers from the directory.
+
+If the data trail for account creation and deletion is not discovered quickly, the information required to investigate an incident may no longer exist. For example, accounts might be deleted and then purged from the recycle bin. Audit logs are retained for 30 days. However, you can export your logs to Azure Monitor or a security information and event management (SIEM) solution for longer term retention.
+
+| What to monitor | Risk Level | Where | Filter/sub-filter | Notes |
+||||--|-|
+| Account creation and deletion events within a close time frame. | High | Azure AD Audit logs | Activity: Add user<br>Status = success<br>-and-<br>Activity: Delete user<br>Status = success<br> | Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. |
+| Accounts created and deleted by non-approved users or processes. | Medium | Azure AD Audit logs | Initiated by (actor) ΓÇô USER PRINCIPAL NAME<br>-and-<br>Activity: Add user<br>Status = success<br>and-or<br>Activity: Delete user<br>Status = success | If the actor are non-approved users, configure to send an alert. |
+| Accounts from non-approved sources. | Medium | Azure AD Audit logs | Activity: Add user<br>Status = success<br>Target(s) = USER PRINCIPAL NAME | If the entry is not from an approved domain or is a known blocked domain, configure to send an alert. |
+| Accounts assigned to a privileged role. | High | Azure AD Audit logs | Activity: Add user<br>Status = success<br>-and-<br>Activity: Delete user<br>Status = success<br>-and-<br>Activity: Add member to role<br>Status = success | If the account is assigned to an Azure AD role, Azure role, or privileged group membership, alert and prioritize the investigation. |
+
+Both privileged and non-privileged accounts should be monitored and alerted. However, since privileged accounts have administrative permissions, they should have higher priority in your monitor, alert, and respond processes.
+
+### Accounts not following naming policies
+
+User accounts not following naming policies might have been created outside of organizational policies.
+
+A best practice is to have a naming policy for user objects. Having a naming policy makes management easier and helps provide consistency. The policy can also help discover when users have been created outside of approved processes. A bad actor might not be aware of your naming standards and might make it easier to detect an account provisioned outside of your organizational processes.
+
+Organizations tend to have specific formats and attributes that are used for creating user and or privileged accounts. For example:
+
+* Admin account UPN = ADM_firstname.lastname@tenant.onmicrosoft.com
+
+* User account UPN = Firstname.Lastname@contoso.com
+
+User accounts also frequently have an attribute that identifies a real user. For example, EMPID = XXXNNN. The following are suggestions to help you think about and define what normal is for your organization, as well as thing to consider when defining your baseline for log entries where accounts donΓÇÖt follow your organizationΓÇÖs naming convention:
+
+* Accounts that donΓÇÖt follow the naming convention. For example, `nnnnnnn@contoso.com` versus `firstname.lastname@contoso.com`.
+
+* Accounts that donΓÇÖt have the standard attributes populated or are not in the correct format. For example, not having a valid employee ID.
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| - | - | - | - | - |
+| User accounts that do not have expected attributes defined.| Low| Azure AD Audit logs| Activity: Add user<br>Status = success| Look for accounts with your standard attributes either null or in the wrong format. For example, EmployeeID |
+| User accounts created using incorrect naming format.| Low| Azure AD Audit logs| Activity: Add user<br>Status = success| Look for accounts with a UPN that does not follow your naming policy. |
+| Privileged accounts that do not follow naming policy.| High| Azure Subscription| [List Azure role assignments using the Azure portal - Azure RBAC](../../role-based-access-control/role-assignments-list-portal.md)| List role assignments for subscriptions and alert where sign in name does not match your organizations format. For example, ADM_ as a prefix. |
+| Privileged accounts that do not follow naming policy.| High| Azure AD directory| [List Azure AD role assignments](../roles/view-assignments.md)| List roles assignments for Azure AD roles alert where UPN does not match your organizations format. For example, ADM_ as a prefix. |
+++
+For more information on parsing, see:
+
+* For Azure AD Audit logs - [Parse text data in Azure Monitor Logs](../../azure-monitor/logs/parse-text.md)
+
+* For Azure Subscriptions - [List Azure role assignments using Azure PowerShell](../../role-based-access-control/role-assignments-list-powershell.md)
+
+* For Azure Active Directory - [List Azure AD role assignments](../roles/view-assignments.md)
+
+### Accounts created outside normal processes
+
+Having standard processes to create users and privileged accounts is important so that you can securely control the lifecycle of identities. If users are provisioned and deprovisioned outside of established processes, it can introduce security risks. Operating outside of established processes can also introduce identity management problems. Potential risks include:
+
+* User and privileged accounts might not be governed to adhere to organizational policies. This can lead to a wider attack surface on accounts that are not managed correctly.
+
+* It becomes harder to detect when bad actors create accounts for malicious purposes. By having valid accounts created outside of established procedures, it becomes harder to detect when accounts are created, or permissions modified for malicious purposes.
+
+We recommend that user and privileged accounts only be created following your organization policies. For example, an account should be created with the correct naming standards, organizational information and under scope of the appropriate identity governance. Organizations should have rigorous controls for who has the rights to create, manage, and delete identities. Roles to create these accounts should be tightly managed and the rights only available after following an established workflow to approve and obtain these permissions.
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| - | - | - | - | - |
+| User accounts created or deleted by non-approved users or processes.| Medium| Azure AD Audit logs| Activity: Add user<br>Status = success<br>and-or-<br>Activity: Delete user<br>Status = success<br>-and-<br>Initiated by (actor) = USER PRINCIPAL NAME| Alert on accounts created by non-approved users or processes. Prioritize accounts created with heightened privileges. |
+| User accounts created or deleted from non-approved sources.| Medium| Azure AD Audit logs| Activity: Add user<br>Status = success<br>-or-<br>Activity: Delete user<br>Status = success<br>-and-<br>Target(s) = USER PRINCIPAL NAME| Alert when the domain is non-approved or known blocked domain. |
++
+## Unusual sign ins
+
+Seeing failures for user authentication is normal. But seeing patterns or blocks of failures can be an indicator that something is happening with a userΓÇÖs Identity. For example, in the case of Password spray or Brute Force attacks, or when a user account is compromised. It is critical that you monitor and alert when patterns emerge. This helps ensure you can protect the user and your organizationΓÇÖs data.
+
+Success appears to say all is well. But it can mean that a bad actor has successfully accessed a service. Monitoring successful logins helps you detect user accounts that are gaining access but are not user accounts that should have access. User authentication successes are normal entries in Azure AD Sign-Ins logs. We recommend you monitor and alert to detect when patterns emerge. This helps ensure you can protect user accounts and your organizationΓÇÖs data.
++
+As you design and operationalize a log monitoring and alerting strategy, consider the tools available to you through the Azure portal. Identity Protection enables you to automate the detection, protection, and remediation of identity-based risks. Identity protection uses intelligence-fed machine learning and heuristic systems to detect risk and assign a risk score for users and sign ins. Customers can configure policies based on a risk level for when to allow or deny access or allow the user to securely self-remediate from a risk. The following Identity Protection risk detections inform risk levels today:
+
+| What to monitor | Risk Level | Where | Filter/sub-filter | Notes |
+| - | - | - | - | - |
+| Leaked credentials user risk detection| High| Azure AD Risk Detection logs| UX: Leaked credentials <br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| Azure AD Threat Intelligence user risk detection| High| Azure AD Risk Detection logs| UX: Azure AD threat intelligence <br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| Anonymous IP address sign-in risk detection| Varies| Azure AD Risk Detection logs| UX: Anonymous IP address <br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| Atypical travel sign-in risk detection| Varies| Azure AD Risk Detection logs| UX: Atypical travel <br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| Malware linked IP address sign-in risk detection| Varies| Azure AD Risk Detection logs| UX: Malware linked IP address <br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| Suspicious browser sign-in risk detection| Varies| Azure AD Risk Detection logs| UX: Suspicious browser <br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| Unfamiliar sign-in properties sign-in risk detection| Varies| Azure AD Risk Detection logs| UX: Unfamiliar sign-in properties <br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| Malicious IP address sign-in risk detection| Varies| Azure AD Risk Detection logs| UX: Malicious IP address<br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| Suspicious inbox manipulation rules sign-in risk detection| Varies| Azure AD Risk Detection logs| UX: Suspicious inbox manipulation rules<br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| Password Spray sign-in risk detection| High| Azure AD Risk Detection logs| UX: Password spray<br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| Impossible travel sign-in risk detection| Varies| Azure AD Risk Detection logs| UX: Impossible travel<br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| New country sign-in risk detection| Varies| Azure AD Risk Detection logs| UX: New country<br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| Activity from anonymous IP address sign-in risk detection| Varies| Azure AD Risk Detection logs| UX: Activity from Anonymous IP address<br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| Suspicious inbox forwarding sign-in risk detection| Varies| Azure AD Risk Detection logs| UX: Suspicious inbox forwarding<br><br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+| Azure AD threat intelligence sign-in risk detection| High| Azure AD Risk Detection logs| UX: Azure AD threat intelligence<br>API: See [riskDetection resource type - Microsoft Graph beta](/graph/api/resources/riskdetection?view=graph-rest-beta.md)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |
+
+For more information, visit [What is Identity Protection](../identity-protection/overview-identity-protection.md).
++
+### What to look for
+
+Configure monitoring on the data within the Azure AD Sign-ins Logs to ensure that alerting occurs and adheres to your organizationΓÇÖs security policies. Some examples of this are:
+
+* **Failed Authentications**: As humans we all get our passwords wrong from time to time. However, many failed authentications can indicate that a bad actor is trying to obtain access. Attacks differ in ferocity but can range from a few attempts per hour to a much higher rate. For example, Password Spray normally preys on easier passwords against many accounts, while Brute Force attempts many passwords against targeted accounts.
+
+* **Interrupted Authentications**: An Interrupt in Azure AD represents an injection of an additional process to satisfy authentication, such as when enforcing a control in a CA policy. This is a normal event and can happen when applications are not configured correctly. But when you see many interrupts for a user account it could indicate something is happening with that account.
+
+ * For example, if you filtered on a user in Sign-in logs and see a large volume of sign in status = Interrupted and Conditional Access = Failure. Digging deeper it may show in authentication details that the password is correct, but that strong authentication is required. This could mean the user is not completing multi-factor authentication (MFA) which could indicate the userΓÇÖs password is compromised and the bad actor is unable to fulfill MFA.
+
+* **Smart lock out**: Azure AD provides a smart lockout service which introduces the concept of familiar and non-familiar locations to the authentication process. A user account visiting a familiar location might authenticate successfully while a bad actor unfamiliar with the same location is blocked after several attempts. Look for accounts that have been locked out and investigate further.
+
+* **IP Changes**: It is normal to see users originating from different IP addresses. However, Zero Trust states never trust and always verify. Seeing a large volume of IP addresses and failed sign ins can be an indicator of intrusion. Look for a pattern of many failed authentications taking place from multiple IP addresses. Note, virtual private network (VPN) connections can cause false positives. Regardless of the challenges, we recommend you monitor for IP address changes and if possible, use Azure AD Identity Protection to automatically detect and mitigate these risks.
+
+* **Locations**: Generally, you expect a user account to be in the same geographical location. You also expect sign ins from locations where you have employees or business relations. When the user account comes from a different international location in less time than it would take to travel there, it can indicate the user account is being abused. Note, VPNs can cause false positives, we recommend you monitor for user accounts signing in from geographically distant locations and if possible, use Azure AD Identity Protection to automatically detect and mitigate these risks.
+
+For this risk area we recommend you monitor both standard user accounts and privileged accounts but prioritize investigations of privileged accounts. Privileged accounts are the most important accounts in any Azure AD tenant. For specific guidance for privileged accounts, see Security operations ΓÇô privileged accounts.
+
+### How to detect
+
+You use Azure Identity Protection and the Azure AD sign-in logs to help discover threats indicated by unusual sign-in characteristics. Information about Identity Protection is available at [What is Identity Protection](../identity-protection/overview-identity-protection.md). You can also replicate the data to Azure Monitor or a SIEM for monitoring and alerting purposes. To define normal for your environment and to set a baseline, determine the following:
+
+* the parameters that you consider normal for your user base.
+
+* the average number of tries of a password over a time before the user calls the service desk or performs a self-service password reset.
+
+* how many failed attempts you want to allow before alerting, and if it will be different for user accounts and privileged accounts.
+
+* how many MFA attempts you want to allow before alerting, and if it will be different for user accounts and privileged accounts.
+
+* if legacy authentication is enabled and your roadmap for discontinuing usage.
+
+* the known egress IP addresses are for your organization.
+
+* the countries your users operate from.
+
+* whether there are groups of users that remain stationary within a network location or country.
+
+* Identify any other indicators for unusual sign ins that are specific to your organization. For example days or times of the week or year that your organization does not operate.
+
+Once you have scoped what normal is for the types of accounts in your environment, consider the following to help determine which scenarios you want to monitor for and alert on, and to fine-tune your alerting.
+
+* Do you need to monitor and alert if Identity Protection is configured?
+
+* Are there stricter conditions applied to privileged accounts that you can use to monitor and alert on? For example, requiring privileged accounts only be used from trusted IP addresses.
+
+* Are the baselines you set too aggressive? Having too many alerts might result in alerts being ignored or missed.
+
+Configure Identity Protection to help ensure protection is in place that supports your security baseline policies. For example, blocking users if risk = high. This risk level indicates with a high degree of confidence that a user account is compromised. For more information on setting up sign in risk policies and user risk policies, visit [Identity Protection policies](../identity-protection/concept-identity-protection-policies.md). For more information on setting up conditional access, visit [Conditional Access: Sign-in risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk.md).
+
+The following are listed in order of importance based on the impact and severity of the entries.
+
+### Monitoring for failed unusual sign ins
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| - |- |- |- |- |
+| Failed sign-in attempts.| Medium - if Isolated Incident<br>High - if a number of accounts are experiencing the same pattern or a VIP.| Azure AD Sign-ins log| Status = failed<br>-and-<br>Sign-in error code 50126 - <br>Error validating credentials due to invalid username or password.| Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated. |
+| Smart lock-out events.| Medium - if Isolated Incident<br>High - if a number of accounts are experiencing the same pattern or a VIP.| Azure AD Sign-ins log| Status = failed<br>-and-<br>Sign-in error code = 50053 ΓÇô IdsLocked| Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated. |
+| Interrupts| Medium - if Isolated Incident<br>High - if a number of accounts are experiencing the same pattern or a VIP.| Azure AD Sign-ins log| 500121, Authentication failed during strong authentication request. <br>-or-<br>50097, Device authentication is required or 50074, Strong Authentication is required. <br>-or-<br>50155, DeviceAuthenticationFailed<br>-or-<br>50158, ExternalSecurityChallenge - External security challenge was not satisfied<br>-or-<br>53003 and Failure reason = blocked by CA| Monitor and alert on interrupts.<br>Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated. |
++
+The following are listed in order of importance based on the impact and severity of the entries.
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| - |- |- |- |- |
+| Multi-factor authentication (MFA) fraud alerts.| High| Azure AD Sign-ins log| Status = failed<br>-and-<br>Details = MFA Denied<br>| Monitor and alert on any entry. |
+| Failed authentications from countries you do not operate out of.| Medium| Azure AD Sign-ins log| Location = <unapproved location>| Monitor and alert on any entries. |
+| Failed authentications for legacy protocols or protocols that are not used .| Medium| Azure AD Sign-ins log| Status = failure<br>-and-<br>Client app = Other Clients, POP, IMAP, MAPI, SMTP, ActiveSync| Monitor and alert on any entries. |
+| Failures blocked by CA.| Medium| Azure AD Sign-ins log| Error code = 53003 <br>-and-<br>Failure reason = blocked by CA| Monitor and alert on any entries. |
+| Increased failed authentications of any type.| Medium| Azure AD Sign-ins log| Capture increases in failures across the board. I.e., total failures for today is >10 % on the same day the previous week.| If you donΓÇÖt have a set threshold, monitor and alert if failures increase by 10% or greater. |
+| Authentication occurring at times and days of the week when countries do not conduct normal business operations.| Low| Azure AD Sign-ins log| Capture interactive authentication occurring outside of normal operating days\time. <br>Status = success<br>-and-<br>Location = <location><br>-and-<br>Day\Time = <not normal working hours>| Monitor and alert on any entries. |
+| Account disabled/blocked for sign-ins| Low| Azure AD Sign-ins log| Status = Failure<br>-and-<br>error code = 50057, The user account is disabled.| This could indicate someone is trying to gain access to an account once they have left an organization. Although the account is blocked it is still important to log and alert on this activity. |
++
+### Monitoring for successful unusual sign ins
+
+ | What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| - |- |- |- |- |
+| Authentications of privileged accounts outside of expected controls.| High| Azure AD Sign-ins log| Status = success<br>-and-<br>UserPricipalName = <Admin account><br>-and-<br>Location = <unapproved location><br>-and-<br>IP Address = <unapproved IP><br>Device Info= <unapproved Browser, Operating System><br>| Monitor and alert on successful authentication for privileged accounts outside of expected controls. Three common controls are listed. |
+| When only single-factor authentication is required.| Low| Azure AD Sign-ins log| Status = success<br>Authentication requirement = Single-factor authentication| Monitor this periodically and ensure this is the expected behavior. |
+| Discover privileged accounts not registered for MFA.| High| Azure Graph API| Query for IsMFARegistered eq false for administrator accounts. <br>[List credentialUserRegistrationDetails - Microsoft Graph beta | Microsoft Docs](/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&tabs=http)| Audit and investigate to determine if intentional or an oversight. |
+| Successful authentications from countries your organization does not operate out of.| Medium| Azure AD Sign-ins log| Status = success<br>Location = <unapproved country>| Monitor and alert on any entries not equal to the city names you provide. |
+| Successful authentication, session blocked by CA.| Medium| Azure AD Sign-ins log| Status = success<br>-and-<br>error code = 53003 ΓÇô Failure reason, blocked by CA| Monitor and investigate when authentication is successful, but session is blocked by CA. |
+| Successful authentication after you have disabled legacy authentication.| Medium| Azure AD Sign-ins log| status = success <br>-and-<br>Client app = Other Clients, POP, IMAP, MAPI, SMTP, ActiveSync| If your organization has disabled legacy authentication, monitor and alert when successful legacy authentication has taken place. |
++
+On periodic basis, we recommend you review authentications to medium business impact (MBI) and high business impact (HBI) applications where only single-factor authentication is required. For each, you want to determine if single-factor authentication was expected or not. Additionally, review for successful authentication increases or at unexpected times based on the location.
+
+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
+| - | - |- |- |- |
+| Authentications to MBI and HBI application using single-factor authentication.| Low| Azure AD Sign-ins log| status = success<br>-and-<br>Application ID = <HBI app> <br>-and-<br>Authentication requirement = single-factor authentication.| Review and validate this configuration is intentional. |
+| Authentications at days and times of the week or year that countries do not conduct normal business operations.| Low| Azure AD Sign-ins log| Capture interactive authentication occurring outside of normal operating days\time. <br>Status = success<br>Location = <location><br>Date\Time = <not normal working hours>| Monitor and alert on authentications days and times of the week or year that countries do not conduct normal business operations. |
+| Measurable increase of successful sign ins.| Low| Azure AD Sign-ins log| Capture increases in successful authentication across the board. I.e., total successes for today is >10 % on the same day the previous week.| If you donΓÇÖt have a set threshold, monitor and alert if successful authentications increase by 10% or greater. |
+
+## Next steps
+See these security operations guide articles:
+
+[Azure AD security operations overview](security-operations-introduction.md)
+
+[Security operations for user accounts](security-operations-user-accounts.md)
+
+[Security operations for privileged accounts](security-operations-privileged-accounts.md)
+
+[Security operations for Privileged Identity Management](security-operations-privileged-identity-management.md)
+
+[Security operations for applications](security-operations-applications.md)
+
+[Security operations for devices](security-operations-devices.md)
+
+[Security operations for infrastructure](security-operations-infrastructure.md)
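Review bot: In the "Accounts assigned to a privileged role" row, the filter chains `Activity: Add user` -and- `Activity: Delete user` -and- `Activity: Add member to role`, so as written it only matches accounts that were also deleted; the `Delete user` condition looks copied from the short-lived-account row and should be dropped so the rule fires on creation followed by a role assignment. Smaller points in the same hunk: the last Identity Protection row links to `riskdetection?view=graph-rest-beta.md` while every other row uses `?view=graph-rest-beta`, so the trailing `.md` should go; the privileged sign-in row spells the field `UserPricipalName`; the three failed sign-in rows say "adjust to suite" where "suit" is meant; the "Successful authentications from countries" row filters on `<unapproved country>` but its note talks about city names, so one of the two needs to change; and "see Security operations – privileged accounts" is plain text although the Next steps list links the same article.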
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new-archive.md
Previously updated : 5/31/2021 Last updated : 7/13/2021
The What's new in Azure Active Directory? release notes provide information abou
- Deprecated functionality - Plans for changes +
+
+## December 2020
+
+### Public preview - Azure AD B2C Phone Sign-up and Sign-in using Built-in Policy
+
+**Type:** New feature
+**Service category:** B2C - Consumer Identity Management
+**Product capability:** B2B/B2C
+
+B2C Phone Sign-up and Sign-in using Built-in Policy enable IT administrators and developers of organizations to allow their end-users to sign in and sign up using a phone number in user flows. Read [Set up phone sign-up and sign-in for user flows (preview)](../../active-directory-b2c/phone-authentication-user-flows.md) to learn more.
+++
+### General Availability - Security Defaults now enabled for all new tenants by default
+
+**Type:** New feature
+**Service category:** Other
+**Product capability:** Identity Security & Protection
+
+To protect user accounts, all new tenants created on or after November 12, 2020, will come with Security Defaults enabled. Security Defaults enforces multiple policies including:
+- Requires all users and admins to register for MFA using the Microsoft Authenticator App
+- Requires critical admin roles to use MFA every single time they sign-in. All other users will be prompted for MFA whenever necessary.
+- Legacy authentication will be blocked tenant wide.
+
+For more information, read [What are security defaults?](../fundamentals/concept-fundamentals-security-defaults.md)
+++
+### General availability - Support for groups with up to 250K members in AADConnect
+
+**Type:** Changed feature
+**Service category:** AD Connect
+**Product capability:** Identity Lifecycle Management
+
+Microsoft has deployed a new endpoint (API) for Azure AD Connect that improves the performance of the synchronization service operations to Azure Active Directory. When you use the new [V2 endpoint](../hybrid/how-to-connect-sync-endpoint-api-v2.md), you'll experience noticeable performance gains on export and import to Azure AD. This new endpoint supports the following scenarios:
+
+- Syncing groups with up to 250k members
+- Performance gains on export and import to Azure AD
+++
+### General availability - Entitlement Management available for tenants in Azure China cloud
+
+**Type:** New feature
+**Service category:** User Access Management
+**Product capability:** Entitlement Management
+
+
+The capabilities of Entitlement Management are now available for all tenants in the Azure China cloud. For information, visit our [Identity governance documentation](https://docs.azure.cn/zh-cn/active-directory/governance/) site.
+++
+### New provisioning connectors in the Azure AD Application Gallery - December 2020
+
+**Type:** New feature
+**Service category:** App Provisioning
+**Product capability:** 3rd Party Integration
+
+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
+
+- [Bizagi Studio for Digital Process Automation](../saas-apps/bizagi-studio-for-digital-process-automation-provisioning-tutorial.md)
+- [CybSafe](../saas-apps/cybsafe-provisioning-tutorial.md)
+- [GroupTalk](../saas-apps/grouptalk-provisioning-tutorial.md)
+- [PaperCut Cloud Print Management](../saas-apps/papercut-cloud-print-management-provisioning-tutorial.md)
+- [Parsable](../saas-apps/parsable-provisioning-tutorial.md)
+- [Shopify Plus](../saas-apps/shopify-plus-provisioning-tutorial.md)
+
+For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
+
++
+### New Federated Apps available in Azure AD Application gallery - December 2020
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** 3rd Party Integration
+
+In December 2020 we have added following 18 new applications in our App gallery with Federation support:
+
+[AwareGo](../saas-apps/awarego-tutorial.md), [HowNow SSO](https://gethownow.com/), [ZyLAB ONE Legal Hold](https://www.zylab.com/en/product/legal-hold), [Guider](http://www.guider-ai.com/), [Softcrisis](https://www.softcrisis.se/sv/), [Pims 365](http://www.omega365.com/pims), [InformaCast](../saas-apps/informacast-tutorial.md), [RetrieverMediaDatabase](../saas-apps/retrievermediadatabase-tutorial.md), [vonage](../saas-apps/vonage-tutorial.md), [Count Me In - Operations Dashboard](../saas-apps/count-me-in-operations-dashboard-tutorial.md), [ProProfs Knowledge Base](../saas-apps/proprofs-knowledge-base-tutorial.md), [RightCrowd Workforce Management](../saas-apps/rightcrowd-workforce-management-tutorial.md), [JLL TRIRIGA](../saas-apps/jll-tririga-tutorial.md), [Shutterstock](../saas-apps/shutterstock-tutorial.md), [FortiWeb Web Application Firewall](../saas-apps/linkedin-talent-solutions-tutorial.md), [LinkedIn Talent Solutions](../saas-apps/linkedin-talent-solutions-tutorial.md), [Equinix Federation App](../saas-apps/equinix-federation-app-tutorial.md), [KFAdvance](../saas-apps/kfadvance-tutorial.md)
+
+You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
+
+For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest
+++
+### Navigate to Teams directly from My Access portal
+
+**Type:** Changed feature
+**Service category:** User Access Management
+**Product capability:** Entitlement Management
+
+You can now launch Teams directly from My Access portal. To do so, sign-in to [My Access](https://myaccess.microsoft.com/), navigate to **Access packages**, then go to the **Active** Tab to see all access packages you already have access to. When you expand the access package and hover on Teams, you can launch it by clicking on the **Open** button.
+
+To learn more about using the My Access portal, go to [Request access to an access package in Azure AD entitlement management](../governance/entitlement-management-request-access.md#sign-in-to-the-my-access-portal).
+++
+### Public preview - Second level manager can be set as alternate approver
+
+**Type:** Changed feature
+**Service category:** User Access Management
+**Product capability:** Entitlement Management
+
+An extra option is now available in the approval process in Entitlement Management. If you select Manager as approver for the First Approver, you'll have another option, Second level manager as alternate approver, available to choose in the alternate approver field. When you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager.
+
+For more information, go to [Change approval settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers).
+ ## November 2020
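Review bot: In the added federated-apps list, the "FortiWeb Web Application Firewall" entry links to ../saas-apps/linkedin-talent-solutions-tutorial.md, the same target as the "LinkedIn Talent Solutions" entry that follows it. Point the FortiWeb entry at its own tutorial so that readers configuring SSO for the WAF are not sent to another vendor's setup steps.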
Affected environments are:
- Azure Commercial Cloud - Office 365 GCC and WW
-For guidance to remove deprecating protocols dependencies, please refer to [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment).
+For guidance to remove deprecating protocols dependencies, please refer to [EEnable support for TLS 1.2 in your environment, in preparation for upcoming Azure AD TLS 1.0/1.1 deprecation](https://docs.microsoft.com/troubleshoot/azure/active-directory/enable-support-tls-environment).
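Review bot: The replacement link text begins "[EEnable support", a doubled "E" that the removed line did not have; it should read "Enable support". The target also changes from the site-relative /troubleshoot/azure/active-directory/enable-support-tls-environment path to an absolute https://docs.microsoft.com/ URL. If nothing requires the absolute form, keep the relative path from the removed line.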
This change will result in disruption of service if you don't take action immedi
- [Cloud Provisioning Preview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect) agents that do AD to Azure AD sync. If you have an environment with firewall rules set to allow outbound calls to only specific Certificate Revocation List (CRL) download, you'll need to allow CRL and OCSP URLs. For full details on the change and the CRL and OCSP URLs to enable access to, see [Azure TLS certificate changes](../../security/fundamentals/tls-certificate-changes.md).
-
+++
+[1305958](https://identitydivision.visualstudio.com/IAM/IXR/_queries?id=1305958&triage=true&fullScreen=false&_a=edit)
+
+### Azure Active Directory TLS 1.0 & 1.1, and 3DES Cipher Suite Deprecation
+
+**Type:** Plan for change
+**Service category:** N/A
+**Product capability:** Standards
+
+Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting on January 31, 2022 (This date has been postponed from 30th June 2021 to 31st Jan 2022, to give Administrators more time to remove the dependency on legacy TLS protocols and ciphers (TLS 1.0,1.1 and 3DES)):
+
+- TLS 1.0
+- TLS 1.1
+- 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
+
+Affected environments are:
+
+- Azure Commercial Cloud
+- Office 365 GCC and WW
+
+Users, services, and applications that interact with Azure Active Directory and Microsoft Graph, should use TLS 1.2 and modern cipher suites to maintain a secure connection to Azure Active Directory for Azure, Office 365, and Microsoft 365 services. For additional guidance, refer to [Enable support for TLS 1.2 in your environment, in preparation for upcoming deprecation of Azure AD TLS 1.0/1.1](https://docs.microsoft.com/troubleshoot/azure/active-directory/enable-support-tls-environment).
+ ### Azure Active Directory TLS 1.0, TLS 1.1, and 3DES Deprecation in US Gov Cloud
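Review bot: The line added just above the new "Azure Active Directory TLS 1.0 & 1.1, and 3DES Cipher Suite Deprecation" heading is a bare link, "[1305958](https://identitydivision.visualstudio.com/IAM/IXR/_queries?id=1305958...)", to a work-item query on a visualstudio.com project. It reads as an internal tracking reference rather than reader-facing content, so it should be dropped before this is published. In the same entry, the postponement parenthetical gives the date in two formats ("January 31, 2022" and "31st Jan 2022") and nests a second parenthesis; moving the postponement into its own sentence with one date format would be clearer.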
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new.md
Previously updated : 5/31/2021 Last updated : 7/13/2021
Azure AD receives improvements on an ongoing basis. To stay up to date with the
This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [Archive for What's new in Azure Active Directory](whats-new-archive.md).
+## June 2021
+### Context panes to display risk details in Identity Protection Reports
+
+**Type:** Plan for change
+**Service category:** Identity Protection
+**Product capability:** Identity Security & Protection
+
+For the Risky users, Risky sign-ins, and Risk detections reports in Identity Protection, the risk details of a selected entry will be shown in a context pane appearing from the right of the page July 2021. The change only impacts the user interface and won't affect any existing functionalities. To learn more about the functionality of these features, refer to [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).
+
++
+### Public preview - create Azure AD access reviews of Service Principals that are assigned to privileged roles
+
+**Type:** New feature
+**Service category:** Access Reviews
+**Product capability:** Identity Governance
+
+ You can use Azure AD access reviews to review service principal's access to privileged Azure AD and Azure resource roles. [Learn more](../privileged-identity-management/pim-how-to-start-security-review.md#open-access-reviews).
+
++
+### Public preview - group owners in Azure AD can create and manage Azure AD access reviews for their groups
+
+**Type:** New feature
+**Service category:** Access Reviews
+**Product capability:** Identity Governance
+
+Now group owners in Azure AD can create and manage Azure AD access reviews on their groups. This ability can be enabled by tenant administrators through Azure AD access review settings and is disabled by default. [Learn more](../governance/create-access-review.md#allow--group-owners-to-create-and-manage-access-reviews-preview).
+
++
+### Public preview - customers can scope access reviews of privileged roles to just users with eligible or active access
+
+**Type:** New feature
+**Service category:** Access Reviews
+**Product capability:** Identity Governance
+
+When admins create access reviews of assignments to privileged roles, they can scope the reviews to only eligibly assigned users or only actively assigned users. [Learn more](../privileged-identity-management/pim-how-to-start-security-review.md).
+
++
+### Public preview - Microsoft Graph APIs for Mobility (MDM/MAM) management policies
+
+**Type:** New feature
+**Service category:** Other
+**Product capability:** Device Lifecycle Management
+
+Microsoft Graph support for the Mobility (MDM/MAM) configuration in Azure AD is in public preview. Administrators can configure user scope and URLs for MDM applications like Intune using Microsoft Graph v1.0. For more information, see [mobilityManagementPolicy resource type](/graph/api/resources/mobilitymanagementpolicy?view=graph-rest-beta)
+++
+### General availability - Custom questions in access package request flow in Azure Active Directory entitlement management
+
+**Type:** New feature
+**Service category:** User Access Management
+**Product capability:** Entitlement Management
+
+Azure AD entitlement management now supports the creation of custom questions in the access package request flow. This feature allows you to configure custom questions in the access package policy. These questions are shown to requestors who can input their answers as part of the access request process. These answers will be displayed to approvers, giving them helpful information that empowers them to make better decisions on the access request. [Learn more](../governance/entitlement-management-access-package-create.md#add-requestor-information-to-an-access-package).
+++
+### General availability - Multi-geo SharePoint sites as resources in Entitlement Management Access Packages
+
+**Type:** New feature
+**Service category:** User Access Management
+**Product capability:** Entitlement Management
+
+Access packages in Entitlement Management now support multi-geo SharePoint sites for customers who use the multi-geo capabilities in SharePoint Online. [Learn more](../governance/entitlement-management-catalog-create.md#add-a-multi-geo-sharepoint-site).
+
++
+### [General Availability] Knowledge Admin and Knowledge Manager built-in roles
+
+**Type:** New feature
+**Service category:** RBAC
+**Product capability:** Access Control
+
+Two new roles, Knowledge Administrator and Knowledge Manager are now in general availability.
+
+- Users in the Knowledge Administrator role have full access to all Organizational knowledge settings in the Microsoft 365 admin center. They can create and manage content, like topics and acronyms. Additionally, these users can create content centers, monitor service health, and create service requests. [Learn more](../roles/permissions-reference.md#knowledge-administrator)
+- Users in the Knowledge Manager role can create and manage content and are primarily responsible for the quality and structure of knowledge. They have full rights to topic management actions to confirm a topic, approve edits, or delete a topic. This role can also manage taxonomies as part of the term store management tool and create content centers. [Learn more](../roles/permissions-reference.md#knowledge-manager).
+++
+### General availability - Cloud App Security Administrator built-in role
+
+**Type:** New feature
+**Service category:** RBAC
+**Product capability:** Access Control
+
+ Users with this role have full permissions in Cloud App Security. They can add administrators, add Microsoft Cloud App Security (MCAS) policies and settings, upload logs, and do governance actions. [Learn more](../roles/permissions-reference.md#cloud-app-security-administrator).
+
++
+### General availability - Windows Update Deployment Administrator
+
+**Type:** New feature
+**Service category:** RBAC
+**Product capability:** Access Control
+
+
+ Users in this role can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. The deployment service enables users to define settings for when and how updates are deployed. Also, users can specify which updates are offered to groups of devices in their tenant. It also allows users to monitor the update progress. [Learn more](../roles/permissions-reference.md#windows-update-deployment-administrator).
+
++
+### General availability - multi-camera support for Windows Hello
+
+**Type:** New feature
+**Service category:** Authentications (Logins)
+**Product capability:** User Authentication
+
+Now with the Windows 10 21H1 update, Windows Hello supports multiple cameras. The update includes defaults to use the external camera when both built-in and outside cameras are present. [Learn more](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103).
++
+
+### General availability - Access Reviews MS Graph APIs now in v1.0
+
+**Type:** New feature
+**Service category:** Access Reviews
+**Product capability:** Identity Governance
+
+Azure Active Directory access reviews MS Graph APIs are now in v1.0 support fully configurable access reviews features. [Learn more](/graph/api/resources/accessreviewsv2-root?view=graph-rest-1.0).
+
++
+### New provisioning connectors in the Azure AD Application Gallery - June 2021
+
+**Type:** New feature
+**Service category:** App Provisioning
+**Product capability:** 3rd Party Integration
+
+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
+
+- [askSpoke](../saas-apps/askspoke-provisioning-tutorial.md)
+- [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-provisioning-tutorial.md)
+- [CheckProof](../saas-apps/checkproof-provisioning-tutorial.md)
+- [GoLinks](../saas-apps/golinks-provisioning-tutorial.md)
+- [Holmes Cloud](../saas-apps/holmes-cloud-provisioning-tutorial.md)
+- [H5mag](../saas-apps/h5mag-provisioning-tutorial.md)
+- [LimbleCMMS](../saas-apps/limblecmms-provisioning-tutorial.md)
+- [LogMeIn](../saas-apps/logmein-provisioning-tutorial.md)
+- [SECURE DELIVER](../saas-apps/secure-deliver-provisioning-tutorial.md)
+- [Sigma Computing](../saas-apps/sigma-computing-provisioning-tutorial.md)
+- [Smallstep SSH](../saas-apps/smallstep-ssh-provisioning-tutorial.md)
+- [Tribeloo](../saas-apps/tribeloo-provisioning-tutorial.md)
+- [Twingate](../saas-apps/twingate-provisioning-tutorial.md)
+
+For more information, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
+
++
+### New Federated Apps available in Azure AD Application gallery - June 2021
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** 3rd Party Integration
+
+In June 2021, we have added following 42 new applications in our App gallery with Federation support
+
+[Taksel](https://app.taksel.it/admin/integrations), [IDrive360](../saas-apps/idrive360-tutorial.md), [VIDA](../saas-apps/vida-tutorial.md), [ProProfs Classroom](../saas-apps/proprofs-classroom-tutorial.md), [WAN-Sign](../saas-apps/wan-sign-tutorial.md), [Citrix Cloud SAML SSO](../saas-apps/citrix-cloud-saml-sso-tutorial.md), [Fabric](../saas-apps/fabric-tutorial.md), [DssAD](https://cloudlicensing.deepseedsolutions.com/), [RICOH Creative Collaboration RICC](https://www.ricoh-europe.com/products/software-apps/collaboration-board-software/ricc/), [Styleflow](../saas-apps/styleflow-tutorial.md), [Chaos](https://accounts.chaosgroup.com/corporate_login), [Traced Connector](https://control.traced.app/signup), [Squarespace](https://account.squarespace.com/org/azure), [MX3 Diagnostics Connector](https://mx3www.playground.dynuddns.com/signin-oidc), [Ten Spot](https://tenspot.co/api/v1/sso/azure/login/), [Finvari](../saas-apps/finvari-tutorial.md), [Mobile4ERP](https://play.google.com/store/apps/details?id=com.negevsoft.mobile4erp), [WalkMe US OpenID Connect](https://www.walkme.com/), [Neustar UltraDNS](../saas-apps/neustar-ultradns-tutorial.md), [cloudtamer.io](../saas-apps/cloudtamer-io-tutorial.md), [A Cloud Guru](../saas-apps/a-cloud-guru-tutorial.md), [PetroVue](../saas-apps/petrovue-tutorial.md), [Postman](../saas-apps/postman-tutorial.md), [ReadCube Papers](../saas-apps/readcube-papers-tutorial.md), [Peklostroj](https://app.peklostroj.cz/), [SynCloud](https://onboard.syncloud.io/), [Polymerhq.io](https://www.polymerhq.io/), [Bonos](../saas-apps/bonos-tutorial.md), [Astra Schedule](../saas-apps/astra-schedule-tutorial.md), [Draup](../saas-apps/draup-inc-tutorial.md), [Inc](../saas-apps/draup-inc-tutorial.md), [Applied Mental Health](../saas-apps/applied-mental-health-tutorial.md), [iHASCO Training](../saas-apps/ihasco-training-tutorial.md), [Nexsure](../saas-apps/nexsure-tutorial.md), [XEOX](https://login.xeox.com/), 
[Plandisc](https://create.plandisc.com/account/logon), [foundU](../saas-apps/foundu-tutorial.md), [Standard for Success Accreditation](../saas-apps/standard-for-success-accreditation-tutorial.md), [Penji Teams](https://web.penjiapp.com/), [CheckPoint Infinity Portal](../saas-apps/checkpoint-infinity-portal-tutorial.md), [Teamgo](../saas-apps/teamgo-tutorial.md), [Hopsworks.ai](../saas-apps/hopsworks-ai-tutorial.md), [HoloMeeting 2](https://backend2.holomeeting.io/)
+
+You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
+
+For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest
+
++
+### Device code flow now includes an app verification prompt
+
+**Type:** Changed feature
+**Service category:** Authentications (Logins)
+**Product capability:** User Authentication
+
+The [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include one extra user prompt. While signing in, the user will see a prompt asking them to validate the app they're signing into. The prompt ensures that they aren't subject to a phishing attack. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).
+
++
+### User last sign-in date and time is now available on Azure portal
+
+**Type:** Changed feature
+**Service category:** User Management
+**Product capability:** User Management
+
+You can now view your users' last sign-in date and time stamp on the Azure portal. The information is available for each user on the user profile page. This information helps you identify inactive users and effectively manage risky events. [Learn more](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal?context=/azure/active-directory/enterprise-users/context/ugr-context).
+
++
+### MIM BHOLD Suite impact of end of support for Microsoft Silverlight
+
+**Type:** Changed feature
+**Service category:** Microsoft Identity Manager
+**Product capability:** Identity Governance
+
+Microsoft Silverlight will reach its end of support on October 12, 2021. This change only impacts customers using the Microsoft BHOLD Suite, and doesn't impact other Microsoft Identity Manager scenarios. For more information, see [Silverlight End of Support](https://support.microsoft.com/windows/silverlight-end-of-support-0a3be3c7-bead-e203-2dfd-74f0a64f1788).
+
+Users who haven't installed Microsoft Silverlight in their browser can't use the BHOLD Suite modules which require Silverlight. This includes the BHOLD Model Generator, BHOLD FIM Self-service integration, and BHOLD Analytics. Customers with an existing BHOLD deployment of one or more of those modules should plan to uninstall those modules from their BHOLD server computers by October 2021. Also, they should plan to uninstall Silverlight from any user computers that were previously interacting with that BHOLD deployment.
+
++
+### My* experiences: End of support for Internet Explorer 11
+
+**Type:** Deprecated
+**Service category:** My Apps
+**Product capability:** End User Experiences
+
+
+Microsoft 365 and other apps are ending support for Internet Explorer 11 on August 21, 2021, and this includes the My* experiences. The My*s accessed via Internet Explorer won't receive bug fixes or any updates, which may lead to issues. These dates are being driven by the Edge team and may be subject to change. [Learn more](https://blogs.windows.com/windowsexperience/2021/05/19/the-future-of-internet-explorer-on-windows-10-is-in-microsoft-edge/).
+
++
+### Planned deprecation - Malware linked IP address detection in Identity Protection
+
+**Type:** Deprecated
+**Service category:** Identity Protection
+**Product capability:** Identity Security & Protection
+
+Starting October 1, 2021, Azure AD Identity Protection will no longer generate the "Malware linked IP address" detection. No action is required and customers will remain protected by the other detections provided by Identity Protection. To learn more about protection policies, refer to [Identity Protection policies](../identity-protection/concept-identity-protection-policies.md).
+
+
+
## May 2021 ### Public preview - Azure AD verifiable credentials
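Review bot: The "Public preview - Microsoft Graph APIs for Mobility (MDM/MAM) management policies" entry says administrators can configure this "using Microsoft Graph v1.0", while its heading says public preview and its link uses view=graph-rest-beta. State one API version and make the link's view parameter match it. In the June federated-apps list, "[Draup]" and "[Inc]" are separate entries that both point to draup-inc-tutorial.md, which looks like one app name split at its comma and leaves 43 links under a sentence announcing 42. In the Access Reviews entry, "are now in v1.0 support fully configurable access reviews features" is missing a conjunction, for example "are now in v1.0 and support".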
This page is updated monthly, so revisit it regularly. If you're looking for ite
**Service category:** Other **Product capability:** User Authentication
-Azure AD customers can now easily design and issue verifiable credentials to represent proof of employment, education, or any other claim while respecting privacy. Digitally validate any piece of information about anyone and any business. [Learn more](../verifiable-credentials/index.yml).
+Azure AD customers can now easily design and issue verifiable credentials. Verifiable credentials can be used to represent proof of employment, education, or any other claim while respecting privacy. Digitally validate any piece of information about anyone and any business. [Learn more](../verifiable-credentials/index.yml).
Azure AD customers can now easily design and issue verifiable credentials to rep
**Service category:** User Authentication **Product capability:** Authentications (Logins)
-As a security improvement, the [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include an additional prompt, which validates that the user is signing into the app they expect. The roll roll out is planned to start in June and expected to be complete by June 30.
+As a security improvement, the [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include an another prompt, which validates that the user is signing into the app they expect. The rollout is planned to start in June and expected to be complete by June 30.
To help prevent phishing attacks where an attacker tricks the user into signing into a malicious application, the following prompt is being added: ΓÇ£Are you trying to sign in to [application display name]?". All users will see this prompt while signing in using the device code flow. As a security measure, it cannot be removed or bypassed. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).
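Review bot: The rewritten sentence now reads "to include an another prompt"; the "an" left over from "an additional prompt" should be removed so it reads "to include another prompt". The "roll roll out" to "rollout" fix on the same line is correct.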
The expression builder allows you to create and test expressions, without having
An important aspect of managing Conditional Access is understanding changes to your policies over time. Policy changes may cause disruptions for your end users, so maintaining a log of changes and enabling admins to revert to previous policy versions is critical.
-In addition to showing who made a policy change and when, the audit logs will now also contain a modified properties value so that admins have greater visibility into what assignments, conditions, or controls changed. If you want to revert to a previous version of a policy, you can copy the JSON representation of the old version and use the Conditional Access APIs to quickly change the policy back to its previous state. [Learn more](../conditional-access/concept-conditional-access-policies.md).
+As well as showing who made a policy change and when, the audit logs will now also contain a modified properties value. This change gives admins greater visibility into what assignments, conditions, or controls changed. If you want to revert to a previous version of a policy, you can copy the JSON representation of the old version and use the Conditional Access APIs to change the policy to its previous state. [Learn more](../conditional-access/concept-conditional-access-policies.md).
In addition to showing who made a policy change and when, the audit logs will no
Admins can now see the sequential steps users took to sign-in, including which authentication methods were used during sign-in.
-To access these details, go to the Azure AD sign-in logs, select a sign-in, and then navigate to the Authentication Method Details tab. Here we have included information such as which method was used, details about the method (e.g. phone number, phone name), authentication requirement satisfied, and result details. [Learn more](../reports-monitoring/concept-sign-ins.md).
+To access these details, go to the Azure AD sign-in logs, select a sign-in, and then navigate to the Authentication Method Details tab. Here we have included information such as which method was used, details about the method (for example, phone number, phone name), authentication requirement satisfied, and result details. [Learn more](../reports-monitoring/concept-sign-ins.md).
B2C now supports Conditional Access and Identity Protection for business-to-cons
**Service category:** B2C - Consumer Identity Management **Product capability:** B2B/B2C
-The next generation of B2C user flows now supports [keep me signed in (KMSI)](../../active-directory-b2c/session-behavior.md?pivots=b2c-custom-policy#enable-keep-me-signed-in-kmsi) and password reset. The KMSI functionality allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie. This feature keeps the session active even when the user closes and reopens the browser, and is revoked when the user signs out. Password reset allows users to reset their password from the "Forgot your password
+The next generation of B2C user flows now supports [keep me signed in (KMSI)](../../active-directory-b2c/session-behavior.md?pivots=b2c-custom-policy#enable-keep-me-signed-in-kmsi) and password reset. The KMSI functionality allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie. This feature keeps the session active even when the user closes and reopens the browser. The session is revoked when the user signs out. Password reset allows users to reset their password from the "Forgot your password
' link. This also allows the admin to force reset the user's expired password in the Azure AD B2C directory. [Learn more](../../active-directory-b2c/add-password-reset-policy.md?pivots=b2c-user-flow).
A new workbook has been added for surfacing audit events for application role as
**Service category:** B2C - Consumer Identity Management **Product capability:** B2B/B2C
-The new simplified user flow experience offers feature parity with preview features and is the home for all new features. Users will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. The new, user-friendly UX also simplifies the selection and creation of user flows. Refer to [Create user flows in Azure AD B2C](../../active-directory-b2c/tutorial-create-user-flows.md?pivots=b2c-user-flow) for guidance on using this feature. [Learn more](../../active-directory-b2c/user-flow-versions.md).
+The new simplified user flow experience offers feature parity with preview features and is the home for all new features. Users can enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. The new, user-friendly UX also simplifies the selection and creation of user flows. Refer to [Create user flows in Azure AD B2C](../../active-directory-b2c/tutorial-create-user-flows.md?pivots=b2c-user-flow) for guidance on using this feature. [Learn more](../../active-directory-b2c/user-flow-versions.md).
The new simplified user flow experience offers feature parity with preview featu
**Service category:** Identity Protection **Product capability:** Identity Security & Protection
-This new detection serves as an ad-hoc method to allow our security teams to notify you and protect your users by raising their session risk to a High risk when we observe an attack happening, as well as marking the associated sign-ins as risky. This detection follows the existing Azure Active Directory threat intelligence for user risk detection to provide complete coverage of the various attacks observed by Microsoft security teams. [Learn more](../identity-protection/concept-identity-protection-risks.md#user-risk).
+This new detection serves as an ad-hoc method to allow our security teams to notify you and protect your users by raising their session risk to a High risk when we observe an attack happening. The detection will also mark the associated sign-ins as risky. This detection follows the existing Azure Active Directory threat intelligence for user risk detection to provide complete coverage of the various attacks observed by Microsoft security teams. [Learn more](../identity-protection/concept-identity-protection-risks.md#user-risk).
IPv6 support in named locations is now generally available. Updates include:
- Added capabilities to search and sort named locations and filter by location type and trust type - Added named locations a sign-in belonged to in the sign-in logs
-Additionally, to prevent admins from defining problematic named locations, additional checks have been added to reduce the chance of misconfiguration. [Learn more](../conditional-access/location-condition.md).
+Additionally, to prevent admins from defining problematically named locations, extra checks have been added to reduce the chance of misconfiguration. [Learn more](../conditional-access/location-condition.md).
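Review bot: Changing "problematic named locations" to "problematically named locations" shifts the meaning. "Named locations" is the feature this entry is about (the context line above says "IPv6 support in named locations"), and the checks are described as reducing misconfiguration, not as policing how a location is named. Keep "problematic named locations"; the "additional checks" to "extra checks" change can stay.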
Additionally, to prevent admins from defining problematic named locations, addit
**Service category:** User Management **Product capability:** Directory
-Directory level permissions for guest users have been updated. These permissions allow administrators to require additional restrictions and controls on external guest user access.
+Directory level permissions for guest users have been updated. These permissions allow administrators to require extra restrictions and controls on external guest user access.
-Admins can now add additional restrictions for external guests' access to user and groups' profile and membership information. Also, customers can manage external user access at scale by hiding group memberships, including restricting guest users from seeing memberships of the group(s) they are in. To learn more, see [Restrict guest access permissions in Azure Active Directory](../enterprise-users/users-restrict-guest-permissions.md).
+Admins can now add more restrictions for external guests' access to user and groups' profile and membership information. Also, customers can manage external user access at scale by hiding group memberships, including restricting guest users from seeing memberships of the group(s) they are in. To learn more, see [Restrict guest access permissions in Azure Active Directory](../enterprise-users/users-restrict-guest-permissions.md).
For more information about how to better secure your organization using automate
**Service category:** Enterprise Apps **Product capability:** 3rd Party Integration
-In May 2021 we have added following 29 new applications in our App gallery with Federation support
+In May 2021, we have added following 29 new applications in our App gallery with Federation support
[InviteDesk](https://app.invitedesk.com/login), [Webrecruit ATS](https://id-test.webrecruit.co.uk/), [Workshop](../saas-apps/workshop-tutorial.md), [Gravity Sketch](https://landingpad.me/), [JustLogin](../saas-apps/justlogin-tutorial.md), [Custellence](https://custellence.com/sso/), [WEVO](https://hello.wevoconversion.com/login), [AppTec360 MDM](https://www.apptec360.com/ms/autopilot.html), [Filemail](https://www.filemail.com/login),[Ardoq](../saas-apps/ardoq-tutorial.md), [Leadfamly](../saas-apps/leadfamly-tutorial.md), [Documo](../saas-apps/documo-tutorial.md), [Autodesk SSO](../saas-apps/autodesk-sso-tutorial.md), [Check Point Harmony Connect](../saas-apps/check-point-harmony-connect-tutorial.md), [BrightHire](https://app.brighthire.ai/), [Rescana](../saas-apps/rescana-tutorial.md), [Bluewhale](https://cloud.bluewhale.dk/), [AlacrityLaw](../saas-apps/alacritylaw-tutorial.md), [Equisolve](../saas-apps/equisolve-tutorial.md), [Zip](../saas-apps/zip-tutorial.md), [Cognician](../saas-apps/cognician-tutorial.md), [Acra](https://www.acrasuite.com/), [VaultMe](https://app.vaultme.com/#/signIn), [TAP App Security](../saas-apps/tap-app-security-tutorial.md), [Cavelo Office365 Cloud Connector](https://dashboard.prod.cavelodata.com/), [Clebex](../saas-apps/clebex-tutorial.md), [Banyan Command Center](../saas-apps/banyan-command-center-tutorial.md), [Check Point Remote Access VPN](../saas-apps/check-point-remote-access-vpn-tutorial.md), [LogMeIn](../saas-apps/logmein-tutorial.md)
For listing your application in the Azure AD app gallery, read the details here
**Product capability:** End User Experiences
-We have updated the wording on the Conditional Access screen shown to users when they are blocked from accessing corporate resources until they enroll their device in Mobile Device Management. These improvements apply to the Android and iOS/iPadOS platforms. The following have been changed:
+We've updated the wording on the Conditional Access screen shown to users when they're blocked from accessing corporate resources. They'll be blocked until they enroll their device in Mobile Device Management. These improvements apply to the Android and iOS/iPadOS platforms. The following have been changed:
- ΓÇ£Help us keep your device secureΓÇ¥ has changed to ΓÇ£Set up your device to get accessΓÇ¥ - ΓÇ£Your sign-in was successful but your admin requires your device to be managed by Microsoft to access this resource.ΓÇ¥ to ΓÇ£[OrganizationΓÇÖs name] requires you to secure this device before you can access [organizationΓÇÖs name] email, files, and data.ΓÇ¥ - ΓÇ£Enroll NowΓÇ¥ to ΓÇ£ContinueΓÇ¥
-Note that the information in [Enroll your Android enterprise device](https://support.microsoft.com/topic/enroll-your-android-enterprise-device-d661c82d-fa28-5dfd-b711-6dff41ae83bb) is out of date.
+The information in [Enroll your Android enterprise device](https://support.microsoft.com/topic/enroll-your-android-enterprise-device-d661c82d-fa28-5dfd-b711-6dff41ae83bb) is out of date.
Note that the information in [Enroll your Android enterprise device](https://sup
**Service category:** Authentications (Logins) **Product capability:** User Authentication
-The Azure Information Protection service signs users into the tenant that encrypted the document as part of providing access to the document. Starting June, Azure AD will begin prompting the user for consent when this access is performed across organizations. This ensures that the user understands that the organization which owns the document will collect some information about the user as part of the document access. [Learn more](/azure/information-protection/known-issues#sharing-external-doc-types-across-tenants).
+The Azure Information Protection service signs users into the tenant that encrypted the document as part of providing access to the document. Starting June, Azure AD will begin prompting the user for consent when this access is given across organizations. This ensures that the user understands that the organization that owns the document will collect some information about the user as part of the document access. [Learn more](/azure/information-protection/known-issues#sharing-external-doc-types-across-tenants).
The Azure Information Protection service signs users into the tenant that encryp
**Product capability:** Monitoring & Reporting
-The attributes "Action" and "statusInfo" will be changed to "provisioningAction" and "provisoiningStatusInfo." Please update any scripts that you have created using the [provisioning logs Graph API](/graph/api/resources/provisioningobjectsummary?view=graph-rest-beta&preserve-view=true) or [Azure Monitor integrations](../app-provisioning/application-provisioning-log-analytics.md).
+The attributes "Action" and "statusInfo" will be changed to "provisioningAction" and "provisoiningStatusInfo." Update any scripts that you have created using the [provisioning logs Graph API](/graph/api/resources/provisioningobjectsummary?view=graph-rest-beta&preserve-view=true) or [Azure Monitor integrations](../app-provisioning/application-provisioning-log-analytics.md).
The attributes "Action" and "statusInfo" will be changed to "provisioningAction"
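Review bot: the added line still spells the second new attribute as "provisoiningStatusInfo", with letters transposed relative to "provisioningAction" in the same sentence. Readers will copy this string into the scripts and Azure Monitor queries the sentence asks them to update, so correct it to "provisioningStatusInfo" and set both attribute names in code formatting so they can be matched exactly.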
**Service category:** Privileged Identity Management **Product capability:** Privileged Identity Management
-An updated version of PIM's API for Azure Resource role and Azure AD role has been released. The PIM API for Azure Resource role is now released under the ARM API standard which aligns with the role management API for regular Azure role assignment. On the other hand, the PIM API for Azure AD roles is also released under graph API aligned with the unifiedRoleManagement APIs. Some of the benefit of this change include:
+An updated version of PIM's API for Azure Resource role and Azure AD role has been released. The PIM API for Azure Resource role is now released under the ARM API standard, which aligns with the role management API for regular Azure role assignment. On the other hand, the PIM API for Azure AD roles is also released under graph API aligned with the unifiedRoleManagement APIs. Some of the benefits of this change include:
- Alignment of the PIM API with objects in ARM and Graph for role managementReducing the need to call PIM to onboard new Azure resources. - All Azure resources automatically work with new PIM API.
Previous version of PIM's API under /privilegedaccess will continue to function
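Review bot: in the added paragraph, "released under graph API" uses a lowercase "graph" while the bullet that follows writes "ARM and Graph"; capitalize it for consistency. "On the other hand ... is also released" reads as a contrast and an addition at once; drop "On the other hand" since the two sentences describe parallel changes. The unchanged bullet below also runs two items together ("role managementReducing") and is worth fixing in the same commit.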
**Service category:** Roles **Product capability:** Entitlement Management
-A new role Identity Governance Administrator has recently been introduced.This role will be the replacement for the User Administrator role in managing catalogs and access packages in Azure AD entitlement management. If you have assigned administrators to the User Administrator role or have them activate this role to manage access packages in Azure AD entitlement management, please switch to the Identity Governance Administrator role instead. The User Administrator role will no longer be providing administrative rights to catalogs or access packages. [Learn more](../governance/identity-governance-overview.md#appendixleast-privileged-roles-for-managing-in-identity-governance-features).
+A new role, Identity Governance Administrator, has recently been introduced. This role will be the replacement for the User Administrator role in managing catalogs and access packages in Azure AD entitlement management. If you have assigned administrators to the User Administrator role or have them activate this role to manage access packages in Azure AD entitlement management, switch to the Identity Governance Administrator role instead. The User Administrator role will no longer be providing administrative rights to catalogs or access packages. [Learn more](../governance/identity-governance-overview.md#appendixleast-privileged-roles-for-managing-in-identity-governance-features).
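Review bot: the added paragraph says the User Administrator role "will no longer be providing administrative rights to catalogs or access packages" but gives no date or version for when that takes effect. Admins planning the move to Identity Governance Administrator need to know when the existing role assignment stops working, so state the cutoff or say that it is not yet scheduled.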
The next generation of B2C user flows now supports the [keep me signed in (KMSI)
-### Public preview - External Identities Self-Service Sign-up in AAD using MSA accounts
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-External users will can now use Microsoft Accounts to sign in to Azure AD first party and LOB apps. [Learn more](../external-identities/self-service-sign-up-overview.md).
--- ### Public Preview - Reset redemption status for a guest user **Type:** New feature
To do so, sign-in to My Access (https://myaccess.microsoft.com/), navigate to "A
The Logging and End-User Prompts for Risky Guest Users have been updated. Learn more in [Identity Protection and B2B users](../identity-protection/concept-identity-protection-b2b.md).
-
-## December 2020
-
-### Public preview - Azure AD B2C Phone Sign-up and Sign-in using Built-in Policy
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-B2C Phone Sign-up and Sign-in using Built-in Policy enable IT administrators and developers of organizations to allow their end-users to sign in and sign up using a phone number in user flows. Read [Set up phone sign-up and sign-in for user flows (preview)](../../active-directory-b2c/phone-authentication-user-flows.md) to learn more.
---
-### General Availability - Security Defaults now enabled for all new tenants by default
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** Identity Security & Protection
-
-To protect user accounts, all new tenants created on or after November 12, 2020, will come with Security Defaults enabled. Security Defaults enforces multiple policies including:
-- Requires all users and admins to register for MFA using the Microsoft Authenticator App-- Requires critical admin roles to use MFA every single time they sign-in. All other users will be prompted for MFA whenever necessary. -- Legacy authentication will be blocked tenant wide. -
-For more information, read [What are security defaults?](../fundamentals/concept-fundamentals-security-defaults.md)
---
-### General availability - Support for groups with up to 250K members in AADConnect
-
-**Type:** Changed feature
-**Service category:** AD Connect
-**Product capability:** Identity Lifecycle Management
-
-Microsoft has deployed a new endpoint (API) for Azure AD Connect that improves the performance of the synchronization service operations to Azure Active Directory. When you use the new [V2 endpoint](../hybrid/how-to-connect-sync-endpoint-api-v2.md), you'll experience noticeable performance gains on export and import to Azure AD. This new endpoint supports the following scenarios:
--- Syncing groups with up to 250k members-- Performance gains on export and import to Azure AD---
-### General availability - Entitlement Management available for tenants in Azure China cloud
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-
-The capabilities of Entitlement Management are now available for all tenants in the Azure China cloud. For information, visit our [Identity governance documentation](https://docs.azure.cn/zh-cn/active-directory/governance/) site.
---
-### New provisioning connectors in the Azure AD Application Gallery - December 2020
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Bizagi Studio for Digital Process Automation](../saas-apps/bizagi-studio-for-digital-process-automation-provisioning-tutorial.md)-- [CybSafe](../saas-apps/cybsafe-provisioning-tutorial.md)-- [GroupTalk](../saas-apps/grouptalk-provisioning-tutorial.md)-- [PaperCut Cloud Print Management](../saas-apps/papercut-cloud-print-management-provisioning-tutorial.md)-- [Parsable](../saas-apps/parsable-provisioning-tutorial.md)-- [Shopify Plus](../saas-apps/shopify-plus-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
-
--
-### New Federated Apps available in Azure AD Application gallery - December 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In December 2020 we have added following 18 new applications in our App gallery with Federation support:
-
-[AwareGo](../saas-apps/awarego-tutorial.md), [HowNow SSO](https://gethownow.com/), [ZyLAB ONE Legal Hold](https://www.zylab.com/en/product/legal-hold), [Guider](http://www.guider-ai.com/), [Softcrisis](https://www.softcrisis.se/sv/), [Pims 365](https://omega.pims365.no/), [InformaCast](../saas-apps/informacast-tutorial.md), [RetrieverMediaDatabase](../saas-apps/retrievermediadatabase-tutorial.md), [vonage](../saas-apps/vonage-tutorial.md), [Count Me In - Operations Dashboard](../saas-apps/count-me-in-operations-dashboard-tutorial.md), [ProProfs Knowledge Base](../saas-apps/proprofs-knowledge-base-tutorial.md), [RightCrowd Workforce Management](../saas-apps/rightcrowd-workforce-management-tutorial.md), [JLL TRIRIGA](../saas-apps/jll-tririga-tutorial.md), [Shutterstock](../saas-apps/shutterstock-tutorial.md), [FortiWeb Web Application Firewall](../saas-apps/linkedin-talent-solutions-tutorial.md), [LinkedIn Talent Solutions](../saas-apps/linkedin-talent-solutions-tutorial.md), [Equinix Federation App](../saas-apps/equinix-federation-app-tutorial.md), [KFAdvance](../saas-apps/kfadvance-tutorial.md)
-
-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest
---
-### Navigate to Teams directly from My Access portal
-
-**Type:** Changed feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-You can now launch Teams directly from My Access portal. To do so, sign-in to [My Access](https://myaccess.microsoft.com/), navigate to **Access packages**, then go to the **Active** Tab to see all access packages you already have access to. When you expand the access package and hover on Teams, you can launch it by clicking on the **Open** button.
-
-To learn more about using the My Access portal, go to [Request access to an access package in Azure AD entitlement management](../governance/entitlement-management-request-access.md#sign-in-to-the-my-access-portal).
---
-### Public preview - Second level manager can be set as alternate approver
-
-**Type:** Changed feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-An extra option is now available in the approval process in Entitlement Management. If you select Manager as approver for the First Approver, you'll have another option, Second level manager as alternate approver, available to choose in the alternate approver field. When you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager.
-
-For more information, go to [Change approval settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers).
--
active-directory How To Connect Import Export Config https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-import-export-config.md
To import previously exported settings:
> [!NOTE] > Override settings on this page like the use of SQL Server instead of LocalDB or the use of an existing service account instead of a default VSA. These settings aren't imported from the configuration settings file. They are there for information and comparison purposes.
+>[!NOTE]
+>It is not supported to modify the exported JSON file to change the configuration
+ ### Import installation experience The import installation experience is intentionally kept simple with minimal inputs from the user to easily provide reproducibility of an existing server.
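Review bot: the added note "It is not supported to modify the exported JSON file to change the configuration" has no closing period and does not tell the reader what to do instead. Suggest something like "Modifying the exported JSON file to change the configuration is not supported." followed by a pointer to the supported way of changing settings, since an edited file would presumably otherwise be imported as-is on the new server.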
active-directory Configure Admin Consent Workflow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-admin-consent-workflow.md
Previously updated : 10/29/2019 Last updated : 07/08/2021
To enable the admin consent workflow and choose reviewers:
7. Configure the following settings:
- * **Select users to review admin consent requests**. Select reviewers for this workflow from a set of users that have the global administrator, cloud application administrator, and application administrator roles.
+ * **Select users to review admin consent requests**. Select reviewers for this workflow from a set of users that have the global administrator, cloud application administrator, and application administrator roles. **Note that you must designate at least one reviewer before the workflow can be turned on.**
* **Selected users will receive email notifications for requests**. Enable or disable email notifications to the reviewers when a request is made. * **Selected users will receive request expiration reminders**. Enable or disable reminder email notifications to the reviewers when a request is about to expire. * **Consent request expires after (days)**. Specify how long requests stay valid.
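Review bot: the sentence appended to the first bullet, "**Note that you must designate at least one reviewer before the workflow can be turned on.**", sets a whole sentence in bold inside a list item whose bold is otherwise reserved for the setting name. Since this is a precondition for enabling the workflow, move it out of the bullet into a `> [!NOTE]` block or into the step that turns the workflow on, and drop the "Note that" lead-in.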
No, for now requestors are only able to get updates via email notifications.
If you're concerned about granting admin consent and allowing all users in the tenant to use the application, we recommend that you deny the request. Then manually grant admin consent by restricting access to the application by requiring user assignment, and assigning users or groups to the application. For more information, see [Methods for assigning users and groups](./assign-user-or-group-access-portal.md).
+**I have an app that requires user assignment. A user that I assigned to an application is being asked to request admin consent instead of being able to consent themself. Why is that?**
+
+When access to an application is restricted via the "user assignment required", an Azure AD administrator needs to consent all the permissions requested by the application.
+ ## Next steps For more information on consenting to applications, see [Azure Active Directory consent framework](../develop/consent-framework.md).
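Review bot: the added FAQ answer has three wording problems. 'via the "user assignment required"' is missing its noun (setting or option), "needs to consent all the permissions" should be "consent to all the permissions", and "consent themself" in the question should be "consent themselves". The answer also states the behavior without saying why user consent is unavailable for such apps; a one-sentence reason or a link to the consent framework article would make it usable as an FAQ entry.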
active-directory Services Support Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md
Refer to the following list to configure managed identity for Azure Container In
Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet | | | :-: | :-: | :-: | :-: |
-| System assigned | ![Available][check] | Not available | Not available | Not available |
-| User assigned | Preview | Not available | Not available | Not available |
+| System assigned | ![Available][check] | Preview | Not available | Preview |
+| User assigned | Preview | Preview | Not available | Preview |
Refer to the following list to configure managed identity for Azure Container Registry Tasks (in regions where available):
active-directory 15Five Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/15five-provisioning-tutorial.md
Title: 'Tutorial: Configure 15Five for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to 15Five. -
-writer: zchia
+
+writer: twimmers
Last updated 07/26/2019-+ # Tutorial: Configure 15Five for automatic user provisioning
active-directory 4Me Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/4me-provisioning-tutorial.md
Title: 'Tutorial: Configure 4me for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to 4me. -
-writer: zchia
+
+writer: twimmers
active-directory 8X8 Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/8x8-provisioning-tutorial.md
Title: 'Tutorial: Configure 8x8 for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to 8x8. -
-writer: zchia
+
+writer: twimmers
Last updated 05/15/2020-+ # Tutorial: Configure 8x8 for automatic user provisioning
active-directory Adobe Identity Management Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/adobe-identity-management-provisioning-tutorial.md
Title: 'Tutorial: Configure Adobe Identity Management for automatic user provisi
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Adobe Identity Management. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 6ae05dc7-1265-44b4-a20c-512b5218b9d1
na
ms.devlang: na Last updated 04/30/2021-+ # Tutorial: Configure Adobe Identity Management for automatic user provisioning
active-directory Airstack Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/airstack-provisioning-tutorial.md
Title: 'Tutorial: Configure Airstack for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Airstack. -
-writer: zchia
+
+writer: twimmers
Last updated 09/18/2019-+ # Tutorial: Configure Airstack for automatic user provisioning
active-directory Alertmedia Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/alertmedia-provisioning-tutorial.md
Title: 'Tutorial: Configure AlertMedia for automatic user provisioning with Azur
description: Learn how to automatically provision and de-provision user accounts from Azure AD to AlertMedia. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: a5df0dd7-05a3-4744-9d51-ec33e89a934f
na
ms.devlang: na Last updated 10/15/2020-+ # Tutorial: Configure AlertMedia for automatic user provisioning
active-directory Apple Business Manager Provision Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/apple-business-manager-provision-tutorial.md
Title: 'Tutorial: Configure Apple Business Manager for automatic user provisioni
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Apple Business Manager. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 4ad30031-9904-4ac3-a4d2-e8c28d44f319
na
ms.devlang: na Last updated 09/08/2020-+
active-directory Apple School Manager Provision Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/apple-school-manager-provision-tutorial.md
Title: 'Tutorial: Configure Apple School Manager for automatic user provisioning
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Apple School Manager. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: f006c177-7b35-4af1-84f2-db4a4e2bf96a
na
ms.devlang: na Last updated 09/08/2020-+
active-directory Askspoke Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/askspoke-provisioning-tutorial.md
Title: "Tutorial: Configure askSpoke for automatic user provisioning with Azure
description: Learn how to automatically provision and de-provision user accounts from Azure AD to askSpoke. documentationcenter: ""-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: f9458aac-f576-49ce-aba4-fc8302ed6360
na
ms.devlang: na Last updated 06/02/2021-+ # Tutorial: Configure askSpoke for automatic user provisioning
active-directory Atea Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/atea-provisioning-tutorial.md
Title: 'Tutorial: Configure Atea for automatic user provisioning with Azure Acti
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Atea. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: b788328b-10fd-4eaa-a4bc-909d738d8b8b
na
ms.devlang: na Last updated 01/25/2021-+ # Tutorial: Configure Atea for automatic user provisioning
active-directory Auditboard Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/auditboard-provisioning-tutorial.md
Title: 'Tutorial: Configure AuditBoard for automatic user provisioning with Azur
description: Learn how to automatically provision and de-provision user accounts from Azure AD to AuditBoard. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: e6ab736b-2bb7-4a5a-9f01-67c33f0ff97d
na
ms.devlang: na Last updated 04/21/2021-+ # Tutorial: Configure AuditBoard for automatic user provisioning
active-directory Aws Single Sign On Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/aws-single-sign-on-provisioning-tutorial.md
Title: 'Tutorial: Configure AWS Single Sign-On for automatic user provisioning w
description: Learn how to automatically provision and de-provision user accounts from Azure AD to AWS Single Sign-On. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 54a9f704-7877-4ade-81af-b8d3f7fb9255
na
ms.devlang: na Last updated 02/23/2021-+ # Tutorial: Configure AWS Single Sign-On for automatic user provisioning
active-directory Bentley Automatic User Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bentley-automatic-user-provisioning-tutorial.md
Title: 'Tutorial: Configure Bentley - Automatic User Provisioning for automatic
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Bentley - Automatic User Provisioning. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 08778fff-f252-45c2-95d4-cc640c288af3
na
ms.devlang: na Last updated 04/13/2021-+ # Tutorial: Configure Bentley - Automatic User Provisioning for automatic user provisioning
active-directory Bitabiz Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bitabiz-provisioning-tutorial.md
Title: 'Tutorial: Configure BitaBIZ for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to BitaBIZ. -
-writer: zchia
+
+writer: twimmers
Last updated 07/26/2019-+ # Tutorial: Configure BitaBIZ for automatic user provisioning
active-directory Bizagi Studio For Digital Process Automation Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bizagi-studio-for-digital-process-automation-provisioning-tutorial.md
Title: 'Tutorial: Configure Bizagi Studio for Digital Process Automation for aut
description: Learn how to automatically provision and deprovision user accounts from Azure AD to Bizagi Studio for Digital Process Automation. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 2fbff65a-5345-4c08-a6c7-60b80d867a3e
na
ms.devlang: na Last updated 10/20/2020-+ # Tutorial: Configure Bizagi Studio for Digital Process Automation for automatic user provisioning
active-directory Blink Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/blink-provisioning-tutorial.md
Title: 'Tutorial: Configure Blink for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Blink. -
-writer: zchia
+
+writer: twimmers
Last updated 09/19/2019-+ # Tutorial: Configure Blink for automatic user provisioning
active-directory Blogin Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/blogin-provisioning-tutorial.md
Title: 'Tutorial: Configure BlogIn for automatic user provisioning with Azure Ac
description: Learn how to automatically provision and de-provision user accounts from Azure AD to BlogIn. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 4b2ef46c-97a1-450d-bbc8-b2fa76280219
na
ms.devlang: na Last updated 10/08/2020-+ # Tutorial: Configure BlogIn for automatic user provisioning
active-directory Bonusly Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bonusly-provisioning-tutorial.md
Title: 'Tutorial: Configure Bonusly for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Bonusly. -
-writer: zchia
+
+writer: twimmers
active-directory Boxcryptor Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/boxcryptor-provisioning-tutorial.md
Title: 'Tutorial: Configure Boxcryptor for automatic user provisioning with Azur
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Boxcryptor. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 656de6d6-399e-4346-a07e-0e5fefb0b4ee
na
ms.devlang: na Last updated 04/02/2021-+ # Tutorial: Configure Boxcryptor for automatic user provisioning
active-directory Bpanda Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bpanda-provisioning-tutorial.md
Title: 'Tutorial: Configure Bpanda for automatic user provisioning with Azure Ac
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Bpanda. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 57e424f8-6fbc-4701-a312-899b562589ea
na
ms.devlang: na Last updated 03/05/2021-+ # Tutorial: Configure Bpanda for automatic user provisioning
active-directory Britive Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/britive-provisioning-tutorial.md
Title: 'Tutorial: Configure Britive for automatic user provisioning with Azure A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Britive. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 622688b3-9d20-482e-aab9-ce2a1f01e747
na
ms.devlang: na Last updated 03/05/2021-+ # Tutorial: Configure Britive for automatic user provisioning
active-directory Brivo Onair Identity Connector Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/brivo-onair-identity-connector-provisioning-tutorial.md
Title: 'Tutorial: Configure Brivo Onair Identity Connector for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Brivo Onair Identity Connector. -
-writer: zchia
+
+writer: twimmers
Last updated 10/01/2019-+ # Tutorial: Configure Brivo Onair Identity Connector for automatic user provisioning
active-directory Browserstack Single Sign On Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/browserstack-single-sign-on-provisioning-tutorial.md
Title: 'Tutorial: Configure BrowserStack Single Sign-on for automatic user provi
description: Learn how to automatically provision and de-provision user accounts from Azure AD to BrowserStack Single Sign-on. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 39999abc-e4a2-4058-81e0-bf88182f8864
na
ms.devlang: na Last updated 04/22/2021-+ # Tutorial: Configure BrowserStack Single Sign-on for automatic user provisioning
active-directory Checkproof Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/checkproof-provisioning-tutorial.md
Title: 'Tutorial: Configure CheckProof for automatic user provisioning with Azur
description: Learn how to automatically provision and de-provision user accounts from Azure AD to CheckProof. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: b036510b-bf7a-4284-ac17-41a5b10e2b55
na
ms.devlang: na Last updated 06/21/2021-+ # Tutorial: Configure CheckProof for automatic user provisioning
active-directory Cinode Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cinode-provisioning-tutorial.md
Title: 'Tutorial: Configure Cinode for automatic user provisioning with Azure Ac
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Cinode. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 4d6f06dd-a798-4c22-b84f-8a11f1b8592a
na
ms.devlang: na Last updated 09/28/2020-+ # Tutorial: Configure Cinode for automatic user provisioning
active-directory Cisco Umbrella User Management Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cisco-umbrella-user-management-provisioning-tutorial.md
Title: 'Tutorial: Configure Cisco Umbrella User Management for automatic user pr
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Cisco Umbrella User Management. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 1aa20f40-19ec-4213-9a3b-5eb2bcdd9bbd
na
ms.devlang: na Last updated 04/20/2021-+ # Tutorial: Configure Cisco Umbrella User Management for automatic user provisioning
active-directory Cisco Webex Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cisco-webex-provisioning-tutorial.md
Title: 'Tutorial: Configure Cisco Webex for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Cisco Webex. -
-writer: zchia
+
+writer: twimmers
Last updated 07/12/2019-+ # Tutorial: Configure Cisco Webex for automatic user provisioning
active-directory Clarizen One Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/clarizen-one-provisioning-tutorial.md
Title: 'Tutorial: Configure Clarizen One for automatic user provisioning with Az
description: Learn how to automatically provision and deprovision user accounts from Azure AD to Clarizen One. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: d8021105-eb5b-4a20-8739-f02e0e22c147
na
ms.devlang: na Last updated 10/01/2020-+ # Tutorial: Configure Clarizen One for automatic user provisioning
active-directory Cloud Academy Sso Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cloud-academy-sso-provisioning-tutorial.md
Title: 'Tutorial: Configure Cloud Academy - SSO for automatic user provisioning
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Cloud Academy - SSO. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 224777cb-fc03-4e4a-8c8d-5befe1174233
na
ms.devlang: na Last updated 06/02/2021-+ # Tutorial: Configure Cloud Academy - SSO for automatic user provisioning
active-directory Coda Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/coda-provisioning-tutorial.md
Title: 'Tutorial: Configure Coda for automatic user provisioning with Azure Acti
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Coda. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 4d6f06dd-a798-4c22-b84f-8a11f1b8592a
na
ms.devlang: na Last updated 08/31/2020-+ # Tutorial: Configure Coda for automatic user provisioning
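Review bot: the unchanged `ms.assetid` context line in this Coda hunk, 4d6f06dd-a798-4c22-b84f-8a11f1b8592a, is identical to the one shown for the Cinode tutorial earlier in this list. If asset IDs are expected to be unique per article, one of the two looks copied from the other and should be regenerated in the same pass that updates the `writer` metadata.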
active-directory Code42 Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/code42-provisioning-tutorial.md
Title: 'Tutorial: Configure Code42 for automatic user provisioning with Azure Ac
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Code42. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: ddcb950b-3f9a-4ebb-bf78-4ec42d16d52d
na
ms.devlang: na Last updated 09/23/2020-+ # Tutorial: Configure Code42 for automatic user provisioning
active-directory Cofense Provision Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cofense-provision-tutorial.md
Title: 'Tutorial: Configure Cofense Recipient Sync for automatic user provisioni
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Cofense Recipient Sync. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 84fe20ef-0de0-4f7c-9b42-6385f3d834db
na
ms.devlang: na Last updated 09/11/2020-+ # Tutorial: Configure Cofense Recipient Sync for automatic user provisioning
active-directory Comeet Recruiting Software Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/comeet-recruiting-software-provisioning-tutorial.md
Title: 'Tutorial: Configure Comeet Recruiting Software for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Comeet Recruiting Software. -
-writer: zchia
+
+writer: twimmers
active-directory Contentful Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/contentful-provisioning-tutorial.md
Title: 'Tutorial: Configure Contentful for automatic user provisioning with Azur
description: Learn how to automatically provision and deprovision user accounts from Azure Active Directory (Azure AD) to Contentful. documentationcenter: ''-+ ms.assetid: 3b761984-a9a0-4519-b23e-563438978de5
na
ms.devlang: na Last updated 11/11/2020-+ # Tutorial: Configure Contentful for automatic user provisioning
active-directory Cybsafe Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cybsafe-provisioning-tutorial.md
Title: 'Tutorial: Configure CybSafe for automatic user provisioning with Azure A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to CybSafe. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 7255fe44-1662-4ae4-9ff3-9492911b7ce0
na
ms.devlang: na Last updated 11/12/2020-+ # Tutorial: Configure CybSafe for automatic user provisioning
active-directory Dialpad Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/dialpad-provisioning-tutorial.md
Title: 'Tutorial: Configure Dialpad for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Dialpad. -
-writer: zchia
+
+writer: twimmers
Last updated 06/28/2019-+ # Tutorial: Configure Dialpad for automatic user provisioning
active-directory Dropboxforbusiness Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/dropboxforbusiness-provisioning-tutorial.md
Title: 'Tutorial: Configure Dropbox for Business for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Dropbox for Business. -
-writer: zchia
+
+writer: twimmers
active-directory Druva Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/druva-provisioning-tutorial.md
Title: 'Tutorial: Configure Druva for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Druva. -
-writer: zchia
+
+writer: twimmers
Last updated 07/26/2019-+ # Tutorial: Configure Druva for automatic user provisioning
active-directory Dynamic Signal Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/dynamic-signal-provisioning-tutorial.md
Title: 'Tutorial: Configure Dynamic Signal for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Dynamic Signal. -
-writer: zchia
+
+writer: twimmers
active-directory Eletive Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/eletive-provisioning-tutorial.md
Title: 'Tutorial: Configure Eletive for automatic user provisioning with Azure A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Eletive. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 8a775422-e6d7-4cd5-b8d1-cc8a2db24c4f
na
ms.devlang: na Last updated 04/16/2021-+ # Tutorial: Configure Eletive for automatic user provisioning
active-directory Elium Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/elium-provisioning-tutorial.md
Title: 'Tutorial: Configure Elium for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Elium. -
-writer: zchia
+
+writer: twimmers
Last updated 08/19/2019-+ # Tutorial: Configure Elium for automatic user provisioning
active-directory Envoy Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/envoy-provisioning-tutorial.md
Title: 'Tutorial: Configure Envoy for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to Envoy. -
-writer: zchia
+
+writer: twimmers
Last updated 06/28/2021-+ # Tutorial: Configure Envoy for automatic user provisioning
active-directory Federated Directory Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/federated-directory-provisioning-tutorial.md
Title: 'Tutorial: Configure Federated Directory for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Federated Directory. -
-writer: zchia
+
+writer: twimmers
Last updated 07/12/2019-+ # Tutorial: Configure Federated Directory for automatic user provisioning
active-directory Figma Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/figma-provisioning-tutorial.md
Title: 'Tutorial: Configure Figma automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Figma. -
-writer: zchia
+
+writer: twimmers
Last updated 07/12/2019-+ # Tutorial: Configure Figma for automatic user provisioning
active-directory Flock Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/flock-provisioning-tutorial.md
Title: 'Tutorial: Configure Flock for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Flock. -
-writer: zchia
+
+writer: twimmers
Last updated 08/30/2019-+ # Tutorial: Configure Flock for automatic user provisioning
active-directory Foodee Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/foodee-provisioning-tutorial.md
Title: 'Tutorial: Configure Foodee for automatic user provisioning by using Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and deprovision user accounts to Foodee. -
-writer: zchia
+
+writer: twimmers
Last updated 08/30/2019-+ # Tutorial: Configure Foodee for automatic user provisioning
active-directory Fortes Change Cloud Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fortes-change-cloud-provisioning-tutorial.md
Title: 'Tutorial: Configure Fortes Change Cloud for automatic user provisioning
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Fortes Change Cloud. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: ef9a8f5e-0bf0-46d6-8e17-3bcf1a5b0a6b
na
ms.devlang: na Last updated 01/15/2021-+ # Tutorial: Configure Fortes Change Cloud for automatic user provisioning
active-directory Fuze Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fuze-provisioning-tutorial.md
Title: 'Tutorial: Configure Fuze for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Fuze. -
-writer: zchia
+
+writer: twimmers
Last updated 04/05/2021-+ # Tutorial: Configure Fuze for automatic user provisioning
active-directory G Suite Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/g-suite-provisioning-tutorial.md
Title: 'Tutorial: Configure G Suite for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to G Suite. -
-writer: zchia
+
+writer: twimmers
Last updated 03/18/2021-+ # Tutorial: Configure G Suite for automatic user provisioning
active-directory Getabstract Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/getabstract-provisioning-tutorial.md
Title: 'Tutorial: Configure getAbstract for automatic user provisioning with Azu
description: Learn how to automatically provision and deprovision user accounts from Azure Active Directory to getAbstract. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: bd8898f9-7a01-4e85-9dd4-61ae4b01ab5b
na
ms.devlang: na Last updated 01/25/2021-+ # Tutorial: Configure getAbstract for automatic user provisioning
active-directory Github Ae Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/github-ae-provisioning-tutorial.md
Title: 'Tutorial: Configure GitHub AE for automatic user provisioning with Azure
description: Learn how to automatically provision and de-provision user accounts from Azure AD to GitHub AE. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: d9818c05-e279-45b4-8aad-0fa156abd74e
na
ms.devlang: na Last updated 09/29/2020-+ # Tutorial: Configure GitHub AE for automatic user provisioning
active-directory Github Enterprise Managed User Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/github-enterprise-managed-user-provisioning-tutorial.md
Title: 'Tutorial: Configure GitHub Enterprise Managed User for automatic user pr
description: Learn how to automatically provision and de-provision user accounts from Azure AD to GitHub Enterprise Managed User. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 6aee39c7-08a1-4110-b936-4c85d129743b
na
ms.devlang: na Last updated 03/05/2021-+ # Tutorial: Configure GitHub Enterprise Managed User for automatic user provisioning
active-directory Global Relay Identity Sync Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/global-relay-identity-sync-provisioning-tutorial.md
Title: 'Tutorial: Configure Global Relay Identity Sync for automatic user provis
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Global Relay Identity Sync. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 0c4a3bf0-d0a6-4eab-909b-6cf9f9234e4c
na
ms.devlang: na Last updated 10/22/2020-+ # Tutorial: Configure Global Relay Identity Sync for automatic user provisioning
active-directory Golinks Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/golinks-provisioning-tutorial.md
Title: 'Tutorial: Configure GoLinks for automatic user provisioning with Azure A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to GoLinks. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: b8a62f41-861f-417a-8925-70b892d9a4de
na
ms.devlang: na Last updated 06/21/2021-+ # Tutorial: Configure GoLinks for automatic user provisioning
active-directory Grammarly Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/grammarly-provisioning-tutorial.md
Title: 'Tutorial: Configure Grammarly for automatic user provisioning with Azure
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Grammarly. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: cd2dd9d7-4901-40c8-8888-98850557b072
na
ms.devlang: na Last updated 03/16/2021-+ # Tutorial: Configure Grammarly for automatic user provisioning
active-directory Grouptalk Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/grouptalk-provisioning-tutorial.md
Title: 'Tutorial: Configure GroupTalk for automatic user provisioning with Azure
description: Learn how to automatically provision and de-provision user accounts from Azure AD to GroupTalk. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: e537d393-2724-450f-9f5b-4611cdc9237c
na
ms.devlang: na Last updated 11/18/2020-+ # Tutorial: Configure GroupTalk for automatic user provisioning
active-directory Gtmhub Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/gtmhub-provisioning-tutorial.md
Title: 'Tutorial: Configure Gtmhub for automatic user provisioning with Azure Ac
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Gtmhub. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 10b68d00-a544-480b-9bd6-f6ac291a90d0
na
ms.devlang: na Last updated 12/03/2020-+ # Tutorial: Configure Gtmhub for automatic user provisioning
active-directory H5mag Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/h5mag-provisioning-tutorial.md
Title: 'Tutorial: Configure H5mag for automatic user provisioning with Azure Act
description: Learn how to automatically provision and de-provision user accounts from Azure AD to H5mag. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 87b4715b-c4b4-4e4b-aa25-21dfc5135a0a
na
ms.devlang: na Last updated 06/21/2021-+ # Tutorial: Configure H5mag for automatic user provisioning
active-directory Harness Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/harness-provisioning-tutorial.md
Title: 'Tutorial: Configure Harness for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and deprovision user accounts to Harness. -
-writer: zchia
+
+writer: twimmers
Last updated 10/29/2019-+ # Tutorial: Configure Harness for automatic user provisioning
active-directory Helloid Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/helloid-provisioning-tutorial.md
Title: 'Tutorial: Configure HelloID for automatic user provisioning with Azure A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to HelloID. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: ffd450a5-03ec-4364-8921-5c468e119c4d
na
ms.devlang: na Last updated 01/15/2021-+ # Tutorial: Configure HelloID for automatic user provisioning
active-directory Holmes Cloud Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/holmes-cloud-provisioning-tutorial.md
Title: 'Tutorial: Configure Holmes Cloud for automatic user provisioning with Az
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Holmes Cloud. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: b1088904-2ea2-4440-b39e-c4b7712b8229
na
ms.devlang: na Last updated 06/07/2021-+ # Tutorial: Configure Holmes Cloud for automatic user provisioning
active-directory Hootsuite Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hootsuite-provisioning-tutorial.md
Title: 'Tutorial: Configure Hootsuite for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to Hootsuite. -
-writer: zchia
+
+writer: twimmers
Last updated 04/15/2020-+ # Tutorial: Configure Hootsuite for automatic user provisioning
active-directory Hoxhunt Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hoxhunt-provisioning-tutorial.md
Title: 'Tutorial: Configure Hoxhunt for automatic user provisioning with Azure A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Hoxhunt. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 24fbe0a4-ab2d-4e10-93a6-c87d634ffbcf
na
ms.devlang: na Last updated 01/28/2021-+ # Tutorial: Configure Hoxhunt for automatic user provisioning
active-directory Ideo Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ideo-provisioning-tutorial.md
Title: 'Tutorial: Configure IDEO for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to IDEO. -
-writer: zchia
+
+writer: twimmers
Last updated 10/24/2019-+ # Tutorial: Configure IDEO for automatic user provisioning
active-directory Infor Cloudsuite Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/infor-cloudsuite-provisioning-tutorial.md
Title: 'Tutorial: Configure Infor CloudSuite for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Infor CloudSuite. -
-writer: zchia
+
+writer: twimmers
Last updated 10/14/2019-+ # Tutorial: Configure Infor CloudSuite for automatic user provisioning
active-directory Insight4grc Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/insight4grc-provisioning-tutorial.md
Title: 'Tutorial: Configure Insight4GRC for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to Insight4GRC. -
-writer: Zhchia
+
+writer: twimmers
Last updated 02/04/2020-+ # Tutorial: Configure Insight4GRC for automatic user provisioning
active-directory Insite Lms Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/insite-lms-provisioning-tutorial.md
Title: 'Tutorial: Configure Insite LMS for automatic user provisioning with Azur
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Insite LMS. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: c4dbe83d-b5b4-4089-be89-b357e8d6f359
na
ms.devlang: na Last updated 04/30/2021-+ # Tutorial: Configure Insite LMS for automatic user provisioning
active-directory Invision Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/invision-provisioning-tutorial.md
Title: 'Tutorial: Configure InVision for automatic user provisioning with Azure
description: Learn how to automatically provision and de-provision user accounts from Azure AD to InVision. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 72518dda-d485-45c8-849e-6b27ee09d9a8
na
ms.devlang: na Last updated 06/25/2020-+ # Tutorial: Configure InVision for automatic user provisioning
active-directory Ipass Smartconnect Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ipass-smartconnect-provisioning-tutorial.md
Title: 'Tutorial: Configure iPass SmartConnect for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to iPass SmartConnect. -
-writer: zchia
+
+writer: twimmers
Last updated 07/26/2019-+ # Tutorial: Configure iPass SmartConnect for automatic user provisioning
active-directory Iris Intranet Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/iris-intranet-provisioning-tutorial.md
Title: 'Tutorial: Configure Iris Intranet for automatic user provisioning with A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Iris Intranet. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 38db8479-6d33-43de-9f71-1f1bd184fe69
na
ms.devlang: na Last updated 01/15/2021-+ # Tutorial: Configure Iris Intranet for automatic user provisioning
active-directory Jostle Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/jostle-provisioning-tutorial.md
Title: 'Tutorial: Configure Jostle for automatic user provisioning with Azure Ac
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Jostle. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 6dbb744f-8b8e-4988-b293-ebe079c8c5c5
na
ms.devlang: na Last updated 04/05/2021-+ # Tutorial: Configure Jostle for automatic user provisioning
active-directory Juno Journey Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/juno-journey-provisioning-tutorial.md
Title: 'Tutorial: Configure Juno Journey for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to Juno Journey. -
-writer: zchia
+
+writer: twimmers
Last updated 04/16/2020-+ # Tutorial: Configure Juno Journey for automatic user provisioning
active-directory Keeper Password Manager Digitalvault Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/keeper-password-manager-digitalvault-provisioning-tutorial.md
Title: 'Tutorial: Configure Keeper Password Manager & Digital Vault for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Keeper Password Manager & Digital Vault. -
-writer: zchia
+
+writer: twimmers
active-directory Kpifire Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/kpifire-provisioning-tutorial.md
Title: 'Tutorial: Configure kpifire for automatic user provisioning with Azure A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to kpifire. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 8c5dd093-20da-4ff6-a9b2-8071f44accd6
na
ms.devlang: na Last updated 04/23/2021-+ # Tutorial: Configure kpifire for automatic user provisioning
active-directory Leapsome Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/leapsome-provisioning-tutorial.md
Title: 'Tutorial: Configure Leapsome for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Leapsome. -
-writer: zchia
+
+writer: twimmers
active-directory Limblecmms Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/limblecmms-provisioning-tutorial.md
Title: 'Tutorial: Configure LimbleCMMS for automatic user provisioning with Azur
description: Learn how to automatically provision and de-provision user accounts from Azure AD to LimbleCMMS. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 5e0d5369-7230-4a16-bc3f-9eac2bc80a8c
na
ms.devlang: na Last updated 06/07/2021-+ # Tutorial: Configure LimbleCMMS for automatic user provisioning
active-directory Logicgate Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/logicgate-provisioning-tutorial.md
Title: 'Tutorial: Configure LogicGate for automatic user provisioning with Azure
description: Learn how to automatically provision and de-provision user accounts from Azure AD to LogicGate. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: eea988ef-b0f1-4d22-b867-310f167540c3
na
ms.devlang: na Last updated 03/17/2021-+ # Tutorial: Configure LogicGate for automatic user provisioning
active-directory Logmein Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/logmein-provisioning-tutorial.md
Title: 'Tutorial: Configure LogMeIn for automatic user provisioning with Azure A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to LogMeIn. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: cf38e6ad-6391-4e5d-98f7-fbdaf3de54f5
na
ms.devlang: na Last updated 06/02/2021-+ # Tutorial: Configure LogMeIn for automatic user provisioning
active-directory Looop Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/looop-provisioning-tutorial.md
Title: 'Tutorial: Configure Looop for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Looop. -
-writer: zchia
+
+writer: twimmers
Last updated 09/19/2019-+ # Tutorial: Configure Looop for automatic user provisioning
active-directory Lucidchart Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/lucidchart-provisioning-tutorial.md
Title: 'Tutorial: Configure Lucidchart for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to Lucidchart. -
-writer: zchia
+
+writer: twimmers
Last updated 01/13/2020-+ # Tutorial: Configure Lucidchart for automatic user provisioning
active-directory Mediusflow Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mediusflow-provisioning-tutorial.md
Title: 'Tutorial: Configure MediusFlow for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to MediusFlow. -
-writer: zchia
+
+writer: twimmers
Last updated 04/30/2020-+ # Tutorial: Configure MediusFlow for automatic user provisioning
active-directory Merchlogix Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/merchlogix-provisioning-tutorial.md
Last updated 03/27/2019-+ # Tutorial: Configure MerchLogix for automatic user provisioning
active-directory Meta Networks Connector Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/meta-networks-connector-provisioning-tutorial.md
Title: 'Tutorial: Configure Meta Networks Connector for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Meta Networks Connector. -
-writer: zchia
+
+writer: twimmers
Last updated 10/01/2019-+ # Tutorial: Configure Meta Networks Connector for automatic user provisioning
active-directory Mindtickle Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mindtickle-provisioning-tutorial.md
Title: 'Tutorial: Configure MindTickle for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to MindTickle. -
-writer: zchia
+
+writer: twimmers
Last updated 07/23/2019-+ # Tutorial: Configure MindTickle for automatic user provisioning
active-directory Miro Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/miro-provisioning-tutorial.md
Title: 'Tutorial: Configure Miro for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Miro. -
-writer: zchia
+
+writer: twimmers
Last updated 10/21/2019-+ # Tutorial: Configure Miro for automatic user provisioning
active-directory Mixpanel Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mixpanel-provisioning-tutorial.md
Title: 'Tutorial: Configure Mixpanel for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to Mixpanel. -
-writer: Zhchia
+
+writer: twimmers
Last updated 01/24/2020-+ # Tutorial: Configure Mixpanel for automatic user provisioning
active-directory Mondaycom Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mondaycom-provisioning-tutorial.md
Title: 'Tutorial: Configure monday.com for automatic user provisioning with Azur
description: Learn how to automatically provision and de-provision user accounts from Azure AD to monday.com. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 7dba523e-c75a-4895-bad4-82239a263afe
na
ms.devlang: na Last updated 11/24/2020-+ # Tutorial: Configure monday.com for automatic user provisioning
active-directory Myday Provision Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/myday-provision-tutorial.md
Title: 'Tutorial: Configure myday for automatic user provisioning with Azure Act
description: Learn how to automatically provision and de-provision user accounts from Azure AD to myday. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 59b4150a-9530-479b-9f62-a16c3d005dbe
na
ms.devlang: na Last updated 06/17/2020-+ # Tutorial: Configure myday for automatic user provisioning
active-directory Mypolicies Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mypolicies-provisioning-tutorial.md
Title: 'Tutorial: Configure myPolicies for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to myPolicies. -
-writer: zchia
+
+writer: twimmers
Last updated 07/26/2019-+ # Tutorial: Configure myPolicies for automatic user provisioning
active-directory Netskope Administrator Console Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/netskope-administrator-console-provisioning-tutorial.md
Title: 'Tutorial: Configure Netskope User Authentication for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Netskope User Authentication. -
-writer: zchia
+
+writer: twimmers
Last updated 11/07/2019-+ # Tutorial: Configure Netskope User Authentication for automatic user provisioning
active-directory New Relic By Organization Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/new-relic-by-organization-provisioning-tutorial.md
Title: 'Tutorial: Configure New Relic by Organization for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to New Relic by Organization. -
-writer: zchia
+
+writer: twimmers
Last updated 04/14/2020-+ # Tutorial: Configure New Relic by Organization for automatic user provisioning
active-directory Officespace Software Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/officespace-software-provisioning-tutorial.md
Title: 'Tutorial: Configure OfficeSpace Software for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to OfficeSpace Software. -
-writer: zchia
+
+writer: twimmers
Last updated 10/02/2019-+ # Tutorial: Configure OfficeSpace Software for automatic user provisioning
active-directory Olfeo Saas Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/olfeo-saas-provisioning-tutorial.md
Title: 'Tutorial: Configure Olfeo SAAS for automatic user provisioning with Azur
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Olfeo SAAS. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 5f6b0320-dfe7-451c-8cd8-6ba7f2e40434
na
ms.devlang: na Last updated 02/26/2021-+ # Tutorial: Configure Olfeo SAAS for automatic user provisioning
active-directory Open Text Directory Services Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/open-text-directory-services-provisioning-tutorial.md
Title: 'Tutorial: Configure OpenText Directory Services for automatic user provi
description: Learn how to automatically provision and de-provision user accounts from Azure AD to OpenText Directory Services. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: ad55ba5f-c56c-4ed0-bdfd-163d2883ed80
na
ms.devlang: na Last updated 10/01/2020-+ # Tutorial: Configure OpenText Directory Services for automatic user provisioning
active-directory Oracle Cloud Infrastructure Console Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/oracle-cloud-infrastructure-console-provisioning-tutorial.md
Title: 'Tutorial: Configure Oracle Cloud Infrastructure Console for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to Oracle Cloud Infrastructure Console. -
-writer: zchia
+
+writer: twimmers
Last updated 05/16/2021-+ # Tutorial: Configure Oracle Cloud Infrastructure Console for automatic user provisioning
active-directory Oracle Fusion Erp Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/oracle-fusion-erp-provisioning-tutorial.md
Title: 'Tutorial: Configure Oracle Fusion ERP for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Oracle Fusion ERP. -
-writer: zchia
+
+writer: twimmers
Last updated 07/26/2019-+ # Tutorial: Configure Oracle Fusion ERP for automatic user provisioning
active-directory Papercut Cloud Print Management Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/papercut-cloud-print-management-provisioning-tutorial.md
Title: 'Tutorial: Configure PaperCut Cloud Print Management for automatic user p
description: Learn how to automatically provision and de-provision user accounts from Azure AD to PaperCut Cloud Print Management. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 7e65d727-2951-4aec-a7a3-7bde49ed09e2
na
ms.devlang: na Last updated 11/18/2020-+ # Tutorial: Configure PaperCut Cloud Print Management for automatic user provisioning
active-directory Parsable Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/parsable-provisioning-tutorial.md
Title: 'Tutorial: Configure Parsable for automatic user provisioning with Azure
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Parsable. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 1ec33ea6-bff4-4665-bf2b-f4037ff28c09
na
ms.devlang: na Last updated 11/18/2020-+ # Tutorial: Configure Parsable for automatic user provisioning
active-directory Peakon Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/peakon-provisioning-tutorial.md
Title: 'Tutorial: Configure Peakon automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Peakon . -
-writer: zchia
+
+writer: twimmers
Last updated 06/28/2019-+ # Tutorial: Configure Peakon for automatic user provisioning
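Review bot: The unchanged front matter around the writer change has two wording slips worth fixing while this file is being touched. The title reads 'Configure Peakon automatic user provisioning' without the "for" that the H1 has, and the description ends 'accounts to Peakon .' with a stray space before the period. Suggest aligning the title with the H1 ("Configure Peakon for automatic user provisioning") and removing the space.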
active-directory Playvox Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/playvox-provisioning-tutorial.md
Title: 'Tutorial: Configure Playvox for automatic user provisioning by using Azu
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Playvox. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: c31c20ab-f6cd-40e1-90ad-fa253ecbc0f8
na
ms.devlang: na Last updated 11/18/2020-+ # Tutorial: Configure Playvox for automatic user provisioning
active-directory Preciate Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/preciate-provisioning-tutorial.md
Title: 'Tutorial: Configure Preciate for automatic user provisioning with Azure
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Preciate. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: fa640971-87e7-49f2-933b-bc7c95fe51e2
na
ms.devlang: na Last updated 12/09/2020-+ # Tutorial: Configure Preciate for automatic user provisioning
active-directory Printer Logic Saas Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/printer-logic-saas-provisioning-tutorial.md
Title: 'Tutorial: Configure PrinterLogic SaaS for automatic user provisioning wi
description: Learn how to automatically provision and de-provision user accounts from Azure AD to PrinterLogic SaaS. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 001cfccf-b8a4-46e6-b355-94e8b694b122
na
ms.devlang: na Last updated 11/02/2020-+ # Tutorial: Configure PrinterLogic SaaS for automatic user provisioning
active-directory Priority Matrix Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/priority-matrix-provisioning-tutorial.md
Title: 'Tutorial: Configure Priority Matrix for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Priority Matrix. -
-writer: zchia
+
+writer: twimmers
Last updated 10/08/2019-+ # Tutorial: Configure Priority Matrix for automatic user provisioning
active-directory Promapp Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/promapp-provisioning-tutorial.md
Title: 'Tutorial: Configure Promapp for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Promapp. -
-writer: zchia
+
+writer: twimmers
Last updated 11/11/2019-+ # Tutorial: Configure Promapp for automatic user provisioning
active-directory Proware Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/proware-provisioning-tutorial.md
Title: 'Tutorial: Configure Proware for automatic user provisioning with Azure A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Proware. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 8887932e-e27e-419b-aa85-a0cda428d525
na
ms.devlang: na Last updated 03/30/2021-+ # Tutorial: Configure Proware for automatic user provisioning
active-directory Proxyclick Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/proxyclick-provisioning-tutorial.md
Title: 'Tutorial: Configure Proxyclick for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Proxyclick. -
-writer: zchia
+
+writer: twimmers
active-directory Purecloud By Genesys Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/purecloud-by-genesys-provisioning-tutorial.md
Title: 'Tutorial: Configure PureCloud by Genesys for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to PureCloud by Genesys. -
-writer: Zhchia
+
+writer: twimmers
Last updated 02/05/2020-+ # Tutorial: Configure PureCloud by Genesys for automatic user provisioning
active-directory Reward Gateway Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/reward-gateway-provisioning-tutorial.md
Title: 'Tutorial: Configure Reward Gateway for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Reward Gateway. -
-writer: zchia
+
+writer: twimmers
Last updated 07/26/2019-+ # Tutorial: Configure Reward Gateway for automatic user provisioning
active-directory Rfpio Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/rfpio-provisioning-tutorial.md
Title: 'Tutorial: Configure RFPIO for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to RFPIO. -
-writer: zchia
+
+writer: twimmers
Last updated 07/26/2019-+ # Tutorial: Configure RFPIO for automatic user provisioning
active-directory Ringcentral Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ringcentral-provisioning-tutorial.md
Title: 'Tutorial: Configure RingCentral for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to RingCentral. -
-writer: zchia
+
+writer: twimmers
Last updated 10/30/2019-+ # Tutorial: Configure RingCentral for automatic user provisioning
active-directory Robin Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/robin-provisioning-tutorial.md
Title: 'Tutorial: Configure Robin for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Robin Powered. -
-writer: zchia
+
+writer: twimmers
Last updated 09/12/2019-+ # Tutorial: Configure Robin for automatic user provisioning
active-directory Rollbar Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/rollbar-provisioning-tutorial.md
Title: 'Tutorial: Configure Rollbar for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Rollbar. -
-writer: zchia
+
+writer: twimmers
Last updated 07/26/2019-+ # Tutorial: Configure Rollbar for automatic user provisioning
active-directory Samanage Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/samanage-provisioning-tutorial.md
Title: 'Tutorial: Configure SolarWinds Service Desk (previously Samanage) for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to SolarWinds Service Desk (previously Samanage). -
-writer: zchia
+
+writer: twimmers
Last updated 01/13/2020-+ # Tutorial: Configure SolarWinds Service Desk (previously Samanage) for automatic user provisioning
active-directory Sap Analytics Cloud Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sap-analytics-cloud-provisioning-tutorial.md
Title: 'Tutorial: Configure SAP Analytics Cloud for automatic user provisioning
description: Learn how to automatically provision and de-provision user accounts from Azure AD to SAP Analytics Cloud. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 27d12989-efa8-4254-a4ad-8cb6bf09d839
na
ms.devlang: na Last updated 08/13/2020-+ # Tutorial: Configure SAP Analytics Cloud for automatic user provisioning
active-directory Sap Cloud Platform Identity Authentication Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial.md
Title: 'Tutorial: Configure SAP Cloud Platform Identity Authentication for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to SAP Cloud Platform Identity Authentication. -
-writer: zchia
+
+writer: twimmers
Last updated 09/19/2019-+ # Tutorial: Configure SAP Cloud Platform Identity Authentication for automatic user provisioning
active-directory Secure Deliver Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/secure-deliver-provisioning-tutorial.md
Title: 'Tutorial: Configure SECURE DELIVER for automatic user provisioning with
description: Learn how to automatically provision and de-provision user accounts from Azure AD to SECURE DELIVER. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 20bc4dc5-49b3-4f23-bd41-1a36815f9f49
na
ms.devlang: na Last updated 06/02/2021-+ # Tutorial: Configure SECURE DELIVER for automatic user provisioning
active-directory Secure Login Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/secure-login-provisioning-tutorial.md
Title: 'Tutorial: Configure SecureLogin for automatic user provisioning with Azu
description: Learn how to automatically provision and de-provision user accounts from Azure AD to SecureLogin. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: f37882fb-80fa-446c-8f56-d13fd905fe54
na
ms.devlang: na Last updated 02/22/2021-+ # Tutorial: Configure SecureLogin for automatic user provisioning
active-directory Segment Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/segment-provisioning-tutorial.md
Title: 'Tutorial: Configure Segment for automatic user provisioning with Azure A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Segment. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 20939a92-5f48-4ef7-ab95-042e70ec1e0e
na
ms.devlang: na Last updated 03/24/2021-+ # Tutorial: Configure Segment for automatic user provisioning
active-directory Shopify Plus Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/shopify-plus-provisioning-tutorial.md
Title: 'Tutorial: Configure Shopify Plus for automatic user provisioning with Az
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Shopify Plus. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: e2fa3ac8-a30f-4dcd-8073-ed7c65909feb
na
ms.devlang: na Last updated 12/07/2020-+ # Tutorial: Configure Shopify Plus for automatic user provisioning
active-directory Sigma Computing Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sigma-computing-provisioning-tutorial.md
Title: 'Tutorial: Configure Sigma Computing for automatic user provisioning with
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Sigma Computing. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 6108a4de-4420-4baa-bc2f-1c39a1ebe81d
na
ms.devlang: na Last updated 06/02/2021-+ # Tutorial: Configure Sigma Computing for automatic user provisioning
active-directory Signagelive Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/signagelive-provisioning-tutorial.md
Title: 'Tutorial: Configure Signagelive for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Signagelive. -
-writer: zchia
+
+writer: twimmers
Last updated 07/23/2019-+ # Tutorial: Configure Signagelive for automatic user provisioning
active-directory Smallstep Ssh Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/smallstep-ssh-provisioning-tutorial.md
Title: 'Tutorial: Configure Smallstep SSH for automatic user provisioning with A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Smallstep SSH. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 1f37bd8a-4706-4385-b42e-5507912066f1
na
ms.devlang: na Last updated 06/21/2021-+ # Tutorial: Configure Smallstep SSH for automatic user provisioning
active-directory Smartfile Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/smartfile-provisioning-tutorial.md
Title: 'Tutorial: Configure SmartFile for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to SmartFile. -
-writer: zchia
+
+writer: twimmers
Last updated 07/26/2019-+ # Tutorial: Configure SmartFile for automatic user provisioning
active-directory Smartsheet Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/smartsheet-provisioning-tutorial.md
Title: 'Tutorial: Configure Smartsheet for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Smartsheet. -
-writer: zchia
+
+writer: twimmers
active-directory Snowflake Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/snowflake-provisioning-tutorial.md
Title: 'Tutorial: Configure Snowflake for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and deprovision user accounts to Snowflake. -
-writer: zchia
+
+writer: twimmers
Last updated 07/26/2019-+ # Tutorial: Configure Snowflake for automatic user provisioning
active-directory Soloinsight Cloudgate Sso Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/soloinsight-cloudgate-sso-provisioning-tutorial.md
Title: 'Tutorial: Configure Soloinsight-CloudGate SSO for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Soloinsight-CloudGate SSO. -
-writer: zchia
+
+writer: twimmers
Last updated 10/14/2019-+ # Tutorial: Configure Soloinsight-CloudGate SSO for automatic user provisioning
active-directory Sosafe Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sosafe-provisioning-tutorial.md
Title: 'Tutorial: Configure SoSafe for automatic user provisioning with Azure Ac
description: Learn how to automatically provision and de-provision user accounts from Azure AD to SoSafe. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 30de9f90-482e-43ef-9fcb-f3d4f5eac533
na
ms.devlang: na Last updated 06/07/2021-+ # Tutorial: Configure SoSafe for automatic user provisioning
active-directory Spaceiq Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/spaceiq-provisioning-tutorial.md
Title: 'Tutorial: Configure SpaceIQ for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to SpaceIQ. -
-writer: zchia
+
+writer: twimmers
Last updated 10/07/2019-+ # Tutorial: Configure SpaceIQ for automatic user provisioning
active-directory Splashtop Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/splashtop-provisioning-tutorial.md
Title: 'Tutorial: Configure Splashtop for automatic user provisioning with Azure
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Splashtop. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 8d8c3745-aaa9-4dbd-9fbf-92da4ada2a9e
na
ms.devlang: na Last updated 01/19/2021-+ # Tutorial: Configure Splashtop for automatic user provisioning
active-directory Starleaf Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/starleaf-provisioning-tutorial.md
Title: 'Tutorial: Configure StarLeaf for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to StarLeaf. -
-writer: zchia
+
+writer: twimmers
Last updated 07/19/2019-+ # Tutorial: Configure StarLeaf for automatic user provisioning
active-directory Storegate Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/storegate-provisioning-tutorial.md
Title: 'Tutorial: Configure Storegate for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Storegate. -
-writer: zchia
+
+writer: twimmers
Last updated 10/15/2019-+ # Tutorial: Configure Storegate for automatic user provisioning
active-directory Symantec Web Security Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/symantec-web-security-service.md
Title: 'Tutorial: Configure Symantec Web Security Service (WSS) for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Symantec Web Security Service (WSS). -
-writer: zchia
+
+writer: twimmers
Last updated 07/23/2019-+ # Tutorial: Configure Symantec Web Security Service (WSS) for automatic user provisioning
active-directory Tableau Online Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/tableau-online-provisioning-tutorial.md
Title: 'Tutorial: Configure Tableau Online for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and deprovision user accounts to Tableau Online. -
-writer: zchia
+
+writer: twimmers
active-directory Teamviewer Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/teamviewer-provisioning-tutorial.md
Title: 'Tutorial: Configure TeamViewer for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to TeamViewer. -
-writer: Zhchia
+
+writer: twimmers
Last updated 01/27/2020-+ # Tutorial: Configure TeamViewer for automatic user provisioning
active-directory Templafy Openid Connect Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/templafy-openid-connect-provisioning-tutorial.md
Title: 'Tutorial: Configure Templafy OpenID Connect for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Templafy OpenID Connect. -
-writer: zchia
+
+writer: twimmers
ms.assetid: 8cbb387a-e3fb-4588-bb87-bf4f88144361
Last updated 01/19/2021-+ # Tutorial: Configure Templafy OpenID Connect for automatic user provisioning
active-directory Templafy Saml 2 Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/templafy-saml-2-provisioning-tutorial.md
Title: 'Tutorial: Configure Templafy SAML2 for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Templafy SAML2. -
-writer: zchia
+
+writer: twimmers
ms.assetid: 8a966ef5-e364-435b-9e29-3caf27ffb498
Last updated 01/19/2021-+ # Tutorial: Configure Templafy SAML2 for automatic user provisioning
active-directory Theorgwiki Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/theorgwiki-provisioning-tutorial.md
Title: 'Tutorial: Configure TheOrgWiki for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to TheOrgWiki. -
-writer: zchia
+
+writer: twimmers
Last updated 07/26/2019-+ # Tutorial: Configure TheOrgWiki for automatic user provisioning
active-directory Tic Tac Mobile Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/tic-tac-mobile-provisioning-tutorial.md
Title: 'Tutorial: Configure Tic-Tac Mobile for automatic user provisioning with
description: Learn how to automatically provision and deprovision user accounts from Azure AD to Tic-Tac Mobile. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: d0f24e81-fecf-4e71-bd8a-ab911366fdf5
na
ms.devlang: na Last updated 10/08/2020-+ # Tutorial: Configure Tic-Tac Mobile for automatic user provisioning
active-directory Travelperk Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/travelperk-provisioning-tutorial.md
Title: 'Tutorial: Configure TravelPerk for automatic user provisioning with Azur
description: Learn how to automatically provision and deprovision user accounts from Azure AD to TravelPerk. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 3e40f87d-8624-4b14-b098-80ff916103c3
na
ms.devlang: na Last updated 02/22/2021-+ # Tutorial: Configure TravelPerk for automatic user provisioning
active-directory Tribeloo Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/tribeloo-provisioning-tutorial.md
Title: 'Tutorial: Configure Tribeloo for automatic user provisioning with Azure
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Tribeloo. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: d1063ef2-5d39-4480-a1e2-f58ebe7f98c3
na
ms.devlang: na Last updated 06/07/2021-+ # Tutorial: Configure Tribeloo for automatic user provisioning
active-directory Twingate Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/twingate-provisioning-tutorial.md
Title: 'Tutorial: Configure Twingate for automatic user provisioning with Azure
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Twingate. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 39476198-1ade-4c22-b880-111f4c30d823
na
ms.devlang: na Last updated 06/02/2021-+ # Tutorial: Configure Twingate for automatic user provisioning
active-directory Unifi Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/unifi-provisioning-tutorial.md
Title: 'Tutorial: Configure UNIFI for automatic user provisioning with Azure Act
description: Learn how to automatically provision and de-provision user accounts from Azure AD to UNIFI. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 924c603f-574e-4e0a-9345-0cb0c7593dbb
na
ms.devlang: na Last updated 04/20/2021-+ # Tutorial: Configure UNIFI for automatic user provisioning
active-directory Velpic Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/velpic-provisioning-tutorial.md
Last updated 03/27/2019-+ # Tutorial: Configuring Velpic for Automatic User Provisioning
active-directory Visibly Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/visibly-provisioning-tutorial.md
Title: 'Tutorial: Configure Visibly for automatic user provisioning with Azure A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Visibly. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 9c658962-8a11-47ca-86ee-34872a39813a
na
ms.devlang: na Last updated 09/30/2020-+ # Tutorial: Configure Visibly for automatic user provisioning
active-directory Visitly Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/visitly-provisioning-tutorial.md
Title: 'Tutorial: Configure Visitly for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and deprovision user accounts to Visitly. -
-writer: zchia
+
+writer: twimmers
Last updated 08/30/2019-+ # Tutorial: Configure Visitly for automatic user provisioning
active-directory Vonage Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/vonage-provisioning-tutorial.md
Title: 'Tutorial: Configure Vonage for automatic user provisioning with Azure Ac
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Vonage. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: dfb7e9bb-c29e-4476-adad-4ab254658e83
na
ms.devlang: na Last updated 06/07/2021-+ # Tutorial: Configure Vonage for automatic user provisioning
active-directory Webroot Security Awareness Training Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/webroot-security-awareness-training-provisioning-tutorial.md
Title: 'Tutorial: Configure Webroot Security Awareness Training for automatic us
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Webroot Security Awareness Training. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 455f4396-930e-4db5-a167-d3ea6a860a17
na
ms.devlang: na Last updated 07/06/2020-+ # Tutorial: Configure Webroot Security Awareness Training for automatic user provisioning
active-directory Wedo Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/wedo-provisioning-tutorial.md
Title: 'Tutorial: Configure WEDO for automatic user provisioning with Azure Acti
description: Learn how to automatically provision and de-provision user accounts from Azure AD to WEDO. documentationcenter: ''-
-writer: Zhchia
+
+writer: twimmers
ms.assetid: 3088D3EB-CED5-45A5-BD7E-E20B1D7C40F6
na
ms.devlang: na Last updated 11/24/2020-+ # Tutorial: Configure WEDO for automatic user provisioning
active-directory Workgrid Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/workgrid-provisioning-tutorial.md
Title: 'Tutorial: Configure Workgrid for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Workgrid. -
-writer: zchia
+
+writer: twimmers
Last updated 08/17/2019-+ # Tutorial: Configure Workgrid for automatic user provisioning
active-directory Workteam Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/workteam-provisioning-tutorial.md
Title: 'Tutorial: Configure Workteam for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Workteam. -
-writer: zchia
+
+writer: twimmers
Last updated 08/17/2019-+ # Tutorial: Configure Workteam for automatic user provisioning
active-directory Wrike Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/wrike-provisioning-tutorial.md
Title: 'Tutorial: Configure Wrike for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and deprovision user accounts to Wrike. -
-writer: zchia
+
+writer: twimmers
Last updated 08/26/2019-+ # Tutorial: Configure Wrike for automatic user provisioning
active-directory Zapier Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zapier-provisioning-tutorial.md
Title: 'Tutorial: Configure Zapier for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to Zapier. -
-writer: Zhchia
+
+writer: twimmers
Last updated 01/24/2020-+ # Tutorial: Configure Zapier for automatic user provisioning
active-directory Zoom Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zoom-provisioning-tutorial.md
Title: 'Tutorial: Configure Zoom for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to automatically provision and de-provision user accounts from Azure AD to Zoom. -
-writer: zchia
+
+writer: twimmers
Last updated 06/3/2019-+ # Tutorial: Configure Zoom for automatic user provisioning
active-directory Zscaler Beta Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-beta-provisioning-tutorial.md
Title: 'Tutorial: Configure Zscaler Beta for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Zscaler Beta. -
-writer: zchia
+
+writer: twimmers
active-directory Zscaler One Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-one-provisioning-tutorial.md
Title: 'Tutorial: Configure Zscaler One for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and deprovision user accounts to Zscaler One. -
-writer: zchia
+
+writer: twimmers
active-directory Zscaler Private Access Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-private-access-provisioning-tutorial.md
Title: 'Tutorial: Configure Zscaler Private Access (ZPA) for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Zscaler Private Access (ZPA). -
-writer: zchia
+
+writer: twimmers
Last updated 10/07/2019-+ # Tutorial: Configure Zscaler Private Access (ZPA) for automatic user provisioning
active-directory Zscaler Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-provisioning-tutorial.md
Title: 'Tutorial: Configure Zscaler for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Zscaler. -
-writer: zchia
+
+writer: twimmers
active-directory Zscaler Three Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-three-provisioning-tutorial.md
Title: 'Tutorial: Configure Zscaler Three for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: In this tutorial, you'll learn how to configure Azure Active Directory to automatically provision and deprovision user accounts to Zscaler Three. -
-writer: zchia
+
+writer: twimmers
active-directory Zscaler Two Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-two-provisioning-tutorial.md
Title: 'Tutorial: Configure Zscaler Two for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: In this tutorial, you'll learn how to configure Azure Active Directory to automatically provision and deprovision user accounts to Zscaler Two. -
-writer: zchia
+
+writer: twimmers
active-directory Zscaler Zscloud Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-zscloud-provisioning-tutorial.md
Title: 'Tutorial: Configure Zscaler ZSCloud for automatic user provisioning with Azure Active Directory | Microsoft Docs' description: In this tutorial, you'll learn how to configure Azure Active Directory to automatically provision and deprovision user accounts to Zscaler ZSCloud. -
-writer: zchia
+
+writer: twimmers
aks Kubernetes Walkthrough Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-walkthrough-portal.md
description: Learn how to quickly create a Kubernetes cluster, deploy an application, and monitor performance in Azure Kubernetes Service (AKS) using the Azure portal. Previously updated : 03/15/2021 Last updated : 07/01/2021
Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.c
* Select an Azure **Subscription**. * Select or create an Azure **Resource group**, such as *myResourceGroup*. - **Cluster details**:
+ * Ensure the the **Preset configuration** is *Standard ($$)*. For more details on preset configurations, see [Cluster configuration presets in the Azure portal][preset-config].
* Enter a **Kubernetes cluster name**, such as *myAKSCluster*. * Select a **Region** and **Kubernetes version** for the AKS cluster. - **Primary node pool**:
- * Select a VM **Node size** for the AKS nodes. The VM size *cannot* be changed once an AKS cluster has been deployed.
- * Select the number of nodes to deploy into the cluster. For this quickstart, set **Node count** to *1*. Node count *can* be adjusted after the cluster has been deployed.
+ * Leave the default values selected.
![Create AKS cluster - provide basic information](media/kubernetes-walkthrough-portal/create-cluster-basics.png)
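Review bot: the added **Preset configuration** bullet reads "Ensure the the", a doubled word that should be "Ensure the". Separately, replacing the two **Primary node pool** bullets with "Leave the default values selected" removes the statement that the VM size cannot be changed once the cluster is deployed; if that constraint still holds, keep a one-line reminder of it next to the defaults, since a reader who accepts them without looking cannot undo the choice later.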
To manage a Kubernetes cluster, use the Kubernetes command-line client, [kubectl
Output shows the single node created in the previous steps. Make sure the node status is *Ready*: ```output
- NAME STATUS ROLES AGE VERSION
- aks-agentpool-14693408-0 Ready agent 15m v1.11.5
+ NAME STATUS ROLES AGE VERSION
+ aks-agentpool-12345678-vmss000000 Ready agent 23m v1.19.11
+ aks-agentpool-12345678-vmss000001 Ready agent 24m v1.19.11
``` ## Run the application
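Review bot: the unchanged sentence above the output block still says "Output shows the single node created in the previous steps", but the new sample lists two nodes (`vmss000000` and `vmss000001`). Either reword the sentence to match the default node count that the portal now creates, or trim the sample to one node, so the text and the output agree.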
The `azure-vote-back` and `azure-vote-front` containers will display, as shown i
![View the health of running containers in AKS](media/kubernetes-walkthrough-portal/monitor-containers.png)
-To view logs for the `azure-vote-front` pod, select **View container logs** from the containers list drop-down. These logs include the *stdout* and *stderr* streams from the container.
+To view logs for the `azure-vote-front` pod, select **View in Log Analytics** from the top of the *azure-vote-front | Overview* area on the right side. These logs include the *stdout* and *stderr* streams from the container.
![View the containers logs in AKS](media/kubernetes-walkthrough-portal/monitor-container-logs.png)
To learn more about AKS by walking through a complete example, including buildin
[aks-network]: ./concepts-network.md [aks-tutorial]: ./tutorial-kubernetes-prepare-app.md [http-routing]: ./http-application-routing.md
+[preset-config]: ./quotas-skus-regions.md#cluster-configuration-presets-in-the-azure-portal
[sp-delete]: kubernetes-service-principal.md#additional-considerations
aks Quotas Skus Regions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/quotas-skus-regions.md
For more information on VM types and their compute resources, see [Sizes for vir
For the latest list of where you can deploy and run clusters, see [AKS region availability][region-availability].
+## Cluster configuration presets in the Azure portal
+
+When you create a cluster using the Azure portal, you can choose a preset configuration to quickly customize based on your scenario. You can modify any of the preset values at any time.
+
+| Preset | Description |
+|||
+| Standard | Best if you're not sure what to choose. Works well with most applications. |
+| Dev/Test | Best for experimenting with AKS or deploying a test application. |
+| Cost-optimized | Best for reducing costs on production workloads that can tolerate interruptions. |
+| Batch processing | Best for machine learning, compute-intensive, and graphics-intensive workloads. Suited for applications requiring fast scale-up and scale-out of the cluster. |
+| Hardened access | Best for large enterprises that need full control of security and stability. |
+ ## Next steps You can increase certain default limits and quotas. If your resource supports an increase, request the increase through an [Azure support request][azure-support] (for **Issue type**, select **Quota**).
aks Start Stop Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/start-stop-cluster.md
You can verify when your cluster has started by using the [az aks show][az-aks-s
If the `provisioningState` shows `Starting` that means your cluster hasn't fully started yet. > [!NOTE]
-> If you are using cluster autoscaler, when you start your cluster back up your current node count may not be between the min and max range values you set. This behavior is expected. The cluster starts with the number of nodes it needs to run its workloads, which isn't impacted by your autoscaler settings. When your cluster performs scaling operations, the min and max values will impact your current node count and your cluster will eventually enter and remain in that desired range until you stop your cluster.
+> When you start your cluster back up, the following is expected behavior:
+>
+> * The IP address of your API server may change.
+> * If you are using cluster autoscaler, when you start your cluster back up your current node count may not be between the min and max range values you set. The cluster starts with the number of nodes it needs to run its workloads, which isn't impacted by your autoscaler settings. When your cluster performs scaling operations, the min and max values will impact your current node count and your cluster will eventually enter and remain in that desired range until you stop your cluster.
## Next steps
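Review bot: the new bullet "The IP address of your API server may change" states the behavior but gives the reader nothing to act on. Consider adding a short clause saying what should be rechecked after a start, for example anything that pins the API server address rather than its name. In the second bullet, "when you start your cluster back up" now repeats the lead-in sentence of the note and can be dropped.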
app-service Quickstart Nodejs Uiex https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-nodejs-uiex.md
- Title: 'Quickstart: Create a Node.js web app'
-description: Deploy your first Node.js Hello World to Azure App Service in minutes.
- Previously updated : 08/01/2020-
-zone_pivot_groups: app-service-platform-windows-linux
--
-# Create a Node.js web app in Azure
-
-Get started with <abbr title="An HTTP-based service for hosting web applications, REST APIs, and mobile back-end applications.">Azure App Service</abbr> by creating a Node.js/Express app locally using Visual Studio Code and then deploying the app to the Azure cloud. Because you use a <abbr title="In Azure App Service, a base tier in which your app runs on the same VMs as other apps, including the apps of other customers. This tier is intended for development and testing.">free tier</abbr>, you incur no costs to complete this quickstart.
-
-## 1. Prepare your environment
--- An Azure account with an active <abbr title="An Azure subscription is a logical container used to provision resources in Azure. It holds the details of all your resources like virtual machines (VMs), databases, and more.">subscription</abbr>. [Create an account for free](https://azure.microsoft.com/free/?utm_source=campaign&utm_campaign=vscode-tutorial-app-service-extension&mktingSource=vscode-tutorial-app-service-extension).-- <a href="https://git-scm.com/" target="_blank">Install Git</a>-- [Node.js and npm](https://nodejs.org). Run the command `node --version` to verify that Node.js is installed.-- [Visual Studio Code](https://code.visualstudio.com/).-- The [Azure App Service extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureappservice) for Visual Studio Code.-
-[Report a problem](https://www.research.net/r/PWZWZ52?tutorial=node-deployment-azure-app-service&prepare-your-environment)
----
-<br>
-<hr/>
-
-## 2. Clone and run a local Node.js application
-
-1. On your local computer, open a terminal and clone the sample repository:
-
- ```bash
- git clone https://github.com/Azure-Samples/nodejs-docs-hello-world
- ```
-
-1. Navigate into the new app folder:
-
- ```bash
- cd nodejs-docs-hello-world
- ```
-
-1. Install the dependencies:
-
- ```bash
- npm install
- ```
-
-1. Start the app to test it locally:
-
- ```bash
- npm start
- ```
-
-1. Open your browser and navigate to `http://localhost:1337`. The browser should display "Hello World!".
-
-1. Press <kbd>Ctrl</kbd> + <kbd>C</kbd> in the terminal to stop the server.
-
-[Report a problem](https://www.research.net/r/PWZWZ52?tutorial=node-deployment-azure-app-service&prepare-your-environment)
--
-<br>
-<hr/>
----
-<!-- VS Code extension works differently for Windows/Linus - Step 3 -->
---------
-## 4. Viewing Logs from Visual Studio Code
-
-View the <abbr title="Any calls to `console.log` in the app are displayed in the output window in Visual Studio Code.">log</abbr> of the running App Service app.
-
-1. Find the app in the **AZURE APP SERVICE** explorer, right-click the app name, and choose **Start Streaming Logs**.
-
-1. The Visual Studio Code output window opens.
-
- ![View Streaming Logs](./media/quickstart-nodejs/view-logs.png)
-
- :::image type="content" source="./media/quickstart-nodejs/enable-restart.png" alt-text="Screenshot of the VS Code prompt to enable file logging and restart the web app, with the yes button selected.":::
-
-1. After a few seconds, you'll see a message indicating that you're connected to the log-streaming service.
-1. Refresh the page a few times to see more activity.
-
- <pre class="is-monospace is-size-small has-padding-medium has-background-tertiary has-text-tertiary-invert">
- 2020-09-20 20:37:39.574 INFO - Initiating warmup request to container msdocs-vscode-node_2_00ac292a for site msdocs-vscode-node
- 2020-09-20 20:37:55.011 INFO - Waiting for response to warmup request for container msdocs-vscode-node_2_00ac292a. Elapsed time = 15.4373071 sec
- 2020-09-20 20:38:08.233 INFO - Container msdocs-vscode-node_2_00ac292a for site msdocs-vscode-node initialized successfully and is ready to serve requests.
- 2020-09-20T20:38:21 Startup Request, url: /Default.cshtml, method: GET, type: request, pid: 61,1,7, SCM_SKIP_SSL_VALIDATION: 0, SCM_BIN_PATH: /opt/Kudu/bin, ScmType: None
- </pre>
-
-<br>
-
-[Report a problem](https://www.research.net/r/PWZWZ52?tutorial=node-deployment-azure-app-service&prepare-your-environment)
-
-<br>
-<hr/>
-
-## 5. Clean up resources
-
-Find the app in the **AZURE APP SERVICE** explorer, right-click the app name, and choose **Delete**.
--
-## Next steps
-
-Congratulations, you've successfully completed this quickstart! You can deploy changes to this app by using the same process and choosing the existing app rather than creating a new one.
-
-Next, check out the other Azure extensions.
-
-* [Cosmos DB](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-cosmosdb)
-* [Azure Functions](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions)
-* [Docker Tools](https://marketplace.visualstudio.com/items?itemName=PeterJausovec.vscode-docker)
-* [Azure CLI Tools](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azurecli)
-* [Azure Resource Manager Tools](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools)
-
-Or get them all by installing the
-[Node Pack for Azure](https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack) extension pack.
app-service Tutorial Nodejs Mongodb App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-nodejs-mongodb-app.md
git clone https://github.com/Azure-Samples/mean-todoapp.git
``` > [!NOTE]
-> For information on how the sample app is create, see [https://github.com/Azure-Samples/mean-todoapp](https://github.com/Azure-Samples/mean-todoapp).
+> For information on how the sample app is created, see [https://github.com/Azure-Samples/mean-todoapp](https://github.com/Azure-Samples/mean-todoapp).
### Run the application
app-service Webjobs Create Ieux Conceptual https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/webjobs-create-ieux-conceptual.md
-
Title: WebJob, background tasks, on Azure
-description: Learn about WebJobs.
--- Previously updated : 10/16/2018-----
-# WebJobs run background tasks in Azure App Service
-
-This article shows how to deploy WebJobs by using the [Azure portal](https://portal.azure.com) to upload an executable or script. For information about how to develop and deploy WebJobs by using Visual Studio, see [Deploy WebJobs using Visual Studio](webjobs-dotnet-deploy-vs.md).
-
-## Overview
-WebJobs is a feature of [Azure App Service](index.yml) that enables you to run a program or script in the same instance as a web app, API app, or mobile app. There is no additional cost to use WebJobs.
-
-> [!IMPORTANT]
-> WebJobs is not yet supported for App Service on Linux.
-
-The Azure WebJobs SDK can be used with WebJobs to simplify many programming tasks. For more information, see [What is the WebJobs SDK](https://github.com/Azure/azure-webjobs-sdk/wiki).
-
-Azure Functions provides another way to run programs and scripts. For a comparison between WebJobs and Functions, see [Choose between Flow, Logic Apps, Functions, and WebJobs](../azure-functions/functions-compare-logic-apps-ms-flow-webjobs.md).
-
-## WebJob types
-
-The following table describes the differences between *continuous* and *triggered* WebJobs.
--
-|Continuous |Triggered |
-|||
-| Starts immediately when the WebJob is created. To keep the job from ending, the program or script typically does its work inside an endless loop. If the job does end, you can restart it. | Starts only when triggered manually or on a schedule. |
-| Runs on all instances that the web app runs on. You can optionally restrict the WebJob to a single instance. |Runs on a single instance that Azure selects for load balancing.|
-| Supports remote debugging. | Doesn't support remote debugging.|
--
-## Add WebJob to source control
-
-If you have source control configured with your application, the Webjobs should be deployed as part of the source control integration. Once source control is configured with your application a WebJob cannot be add from the Azure Portal.
-
-## <a name="acceptablefiles"></a>Supported file types for scripts or programs
-
-The following file types are supported:
-
-* .cmd, .bat, .exe (using Windows cmd)
-* .ps1 (using PowerShell)
-* .sh (using Bash)
-* .php (using PHP)
-* .py (using Python)
-* .js (using Node.js)
-* .jar (using Java)
-
-## Next steps
-
-* Learn how to [create a WebJob](./webjobs-create-ieux.md)
-* View log history of [WebJobs](./webjobs-create-ieux-view-log.md)
app-service Webjobs Create Ieux View Log https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/webjobs-create-ieux-view-log.md
-
Title: View log history of WebJobs
-description: View log history for failed and succeeded jobs.
-- Previously updated : 10/16/2018----
-# View WebJob history in the Azure portal
-
-View log history for failed and succeeded jobs.
-
-1. Select the WebJob you want to see history for, and then select the **Logs** button.
-
- ![Logs button](./media/web-sites-create-web-jobs/wjbladelogslink.png)
-
-1. In the **WebJob Details** page, select a time to see details for one run.
-
- ![WebJob Details](./media/web-sites-create-web-jobs/webjobdetails.png)
-
-1. In the **WebJob Run Details** page, select **Toggle Output** to see the text of the log contents.
-
- ![Web job run details](./media/web-sites-create-web-jobs/webjobrundetails.png)
-
- To see the output text in a separate browser window, select **download**. To download the text itself, right-click **download** and use your browser options to save the file contents.
-
-1. Select the **WebJobs** breadcrumb link at the top of the page to go to a list of WebJobs.
-
- ![WebJob breadcrumb](./media/web-sites-create-web-jobs/breadcrumb.png)
-
- ![List of WebJobs in history dashboard](./media/web-sites-create-web-jobs/webjobslist.png)
-
-## Next steps
-
-* Use the [WebJobs SDK](https://github.com/Azure/azure-webjobs-sdk/wiki) to simplify many programming tasks
-
-* Learn to [develop and deploy WebJobs with Visual Studio](webjobs-dotnet-deploy-vs.md)
app-service Webjobs Create Ieux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/webjobs-create-ieux.md
-
Title: Run background tasks with WebJobs
-description: Learn how to use WebJobs to run background tasks in Azure App Service. Choose from a variety of script formats and run them with CRON expressions.
--- Previously updated : 10/16/2018---
-#Customer intent: As a web developer, I want to leverage background tasks to keep my application running smoothly.
-zone_pivot_groups: app-service-webjob
---
-# Run background tasks with WebJobs in Azure App Service
-
-The concept of running [background tasks](./webjobs-create-ieux-conceptual.md) on Azure is provided with Azure App service web jobs. Learn how to deploy <abbr title="A program or script in the same instance as a web app, API app, or mobile app.">WebJobs</abbr> by using the [Azure portal](https://portal.azure.com) to upload an executable or script.
-
-Three supported WebJobs include:
-
-* **Continuous**: Starts immediately, typically running in an endless loop.
-* **Scheduled**: Starts from scheduled trigger
-* **Manual**: Starts from manual trigger
---------
-
-## <a name="NextSteps"></a> Next steps
-
-* [Learn more about background tasks as webjobs](./webjobs-create-ieux-conceptual.md)
-* [View log history of WebJobs](./webjobs-create-ieux-view-log.md)
-
-* Use the [WebJobs SDK](https://github.com/Azure/azure-webjobs-sdk/wiki) to simplify many programming tasks
-
-* Learn to [develop and deploy WebJobs with Visual Studio](webjobs-dotnet-deploy-vs.md)
application-gateway Ssl Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/ssl-overview.md
The following tables outline the differences in SNI between the v1 and v2 SKU in
Scenario | v1 | v2 | | | | |
-| If the client specifies SNI header and all the multi-site listeners are enabled with "Require SNI" flag | Return the appropriate certificate and if the site doesn't exist (according to the server_name), then the connection is reset. | Returns appropriate certificate if available, otherwise, returns the certificate of the first HTTPS listener configured (in the order)|
-| If the client doesn't specify a SNI header and if all the multi-site headers are enabled with "Require SNI" | Resets the connection | Returns the certificate of the first HTTPS listener configured (in the order)
-| If the client doesn't specify SNI header and if there's a basic listener configured with a certificate | Returns the certificate configured in the basic listener to the client (default or fallback certificate) | Returns the certificate of the first HTTPS listener configured (in the order) |
+| If the client specifies SNI header and all the multi-site listeners are enabled with "Require SNI" flag | Returns the appropriate certificate and if the site doesn't exist (according to the server_name), then the connection is reset. | Returns appropriate certificate if available, otherwise, returns the certificate of the first HTTPS listener according to the order specified by the request routing rules associated with the HTTPS listeners|
+| If the client doesn't specify a SNI header and if all the multi-site headers are enabled with "Require SNI" | Resets the connection | Returns the certificate of the first HTTPS listener according to the order specified by the request routing rules associated with the HTTPS listeners
+| If the client doesn't specify SNI header and if there's a basic listener configured with a certificate | Returns the certificate configured in the basic listener to the client (default or fallback certificate) | Returns the certificate configured in the basic listener |
### Backend TLS connection (application gateway to the backend server)
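Review bot: in the second row the condition still reads "all the multi-site headers are enabled with "Require SNI"", while the first row says "multi-site listeners"; the flag belongs to listeners, so this should read "listeners". That row also lacks its closing `|` in both the old and the new version. The new v2 wording, "according to the order specified by the request routing rules associated with the HTTPS listeners", does not say how that order is determined; a sentence or link explaining it would let readers predict which certificate a client with an unmatched or missing server_name receives.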
automation Automation Linux Hrw Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-linux-hrw-install.md
Title: Deploy a Linux Hybrid Runbook Worker in Azure Automation
description: This article tells how to install an Azure Automation Hybrid Runbook Worker to run runbooks on Linux-based machines in your local datacenter or cloud environment. Previously updated : 06/29/2021 Last updated : 07/14/2021
The Hybrid Runbook Worker feature supports the following distributions. All oper
* Amazon Linux 2012.09 to 2015.09 * CentOS Linux 5, 6, 7, and 8
-* Oracle Linux 5, 6, and 7
+* Oracle Linux 6, 7, and 8
* Red Hat Enterprise Linux Server 5, 6, 7, and 8 * Debian GNU/Linux 6, 7, and 8 * Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS, 18.04, and 20.04 LTS
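Review bot: The Oracle Linux entry drops version 5 and adds 8, while the CentOS and Red Hat Enterprise Linux Server entries on the adjacent lines still list 5; confirm whether 5 is still supported for those two or should be removed in the same change.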
automation Mecmintegration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/mecmintegration.md
Title: Integrate Azure Automation Update Management with Microsoft Endpoint Conf
description: This article tells how to configure Microsoft Endpoint Configuration Manager with Update Management to deploy software updates to manager clients. Previously updated : 07/28/2020 Last updated : 07/14/2021
How you manage clients hosted in Azure IaaS with your existing Microsoft Endpoin
Perform the following steps if you are going to continue managing update deployments from Microsoft Endpoint Configuration Manager. Azure Automation connects to Microsoft Endpoint Configuration Manager to apply updates to the client computers connected to your Log Analytics workspace. Update content is available from the client computer cache as if the deployment were managed by Microsoft Endpoint Configuration Manager.
-1. Create a software update deployment from the top-level site in your Microsoft Endpoint Configuration Manager hierarchy using the process described in [Deploy software updates](/configmgr/sum/deploy-use/deploy-software-updates). The only setting that must be configured differently from a standard deployment is the option **Do not install software updates** to control the download behavior of the deployment package. This behavior is managed in Update Management by creating a scheduled update deployment in the next step.
+1. Create a software update deployment from the top-level site in your Microsoft Endpoint Configuration Manager hierarchy using the process described in [Deploy software updates](/configmgr/sum/deploy-use/deploy-software-updates). The only setting that must be configured differently from a standard deployment is the **Installation deadline** option in Endpoint Configuration Manager. It needs to be set to a future date to ensure only Automation Update Management initiates the update deployment. This setting is described under [Step 4, Deploy the software update group](/configmgr/sum/deploy-use/manually-deploy-software-updates#BKMK_4DeployUpdateGroup).
-2. In Azure Automation, select **Update Management**. Create a new deployment following the steps described in [Creating an Update Deployment](deploy-updates.md#schedule-an-update-deployment) and select **Imported groups** on the **Type** dropdown to select the appropriate Microsoft Endpoint Configuration Manager collection. Keep in mind the following important points:
+2. In Endpoint Configuration Manager, configure the **User notifications** option to prevent displaying notifications on the target machines. We recommend setting the **Hide in Software Center and all notifications** option to avoid a logged on user from being notified of a scheduled update deployment and manually deploying those updates. This setting is described under [Step 4, Deploy the software update group](/configmgr/sum/deploy-use/manually-deploy-software-updates#BKMK_4DeployUpdateGroup).
+
+3. In Azure Automation, select **Update Management**. Create a new deployment following the steps described in [Creating an Update Deployment](deploy-updates.md#schedule-an-update-deployment) and select **Imported groups** on the **Type** dropdown to select the appropriate Microsoft Endpoint Configuration Manager collection. Keep in mind the following important points:
a. If a maintenance window is defined on the selected Microsoft Endpoint Configuration Manager device collection, members of the collection honor it instead of the **Duration** setting defined in the scheduled deployment.
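Review bot: In the new step 2, "to avoid a logged on user from being notified" is ungrammatical; "to prevent a signed-in user from being notified of a scheduled update deployment and manually deploying those updates" reads correctly. Step 1 says the **Installation deadline** must be set "to a future date" without saying how far ahead; if the intent is that it falls after the Update Management schedule, say so, because the sentence only works when Configuration Manager never reaches its own deadline first. Steps 1 and 2 also point at the same "Step 4, Deploy the software update group" link, which could be cited once.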
automation Operating System Requirements https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/operating-system-requirements.md
Title: Azure Automation Update Management Supported Clients
description: This article describes the supported Windows and Linux operating systems with Azure Automation Update Management. Previously updated : 07/08/2021 Last updated : 07/14/2021
This article details the Windows and Linux operating systems supported and syste
The following table lists the supported operating systems for update assessments and patching. Patching requires a system Hybrid Runbook Worker, which is automatically installed when you enable the virtual machine or server for management by Update Management. For information on Hybrid Runbook Worker system requirements, see [Deploy a Windows Hybrid Runbook Worker](../automation-windows-hrw-install.md#prerequisites) and [Deploy a Linux Hybrid Runbook Worker](../automation-linux-hrw-install.md#prerequisites).
+All operating systems are assumed to be x64. x86 is not supported for any operating system.
+ > [!NOTE] > Update assessment of Linux machines is only supported in certain regions as listed in the Automation account and Log Analytics workspace [mappings table](../how-to/region-mappings.md#supported-mappings).
The following table lists the supported operating systems for update assessments
||| |Windows Server 2019 (Datacenter/Standard including Server Core)<br><br>Windows Server 2016 (Datacenter/Standard excluding Server Core)<br><br>Windows Server 2012 R2(Datacenter/Standard)<br><br>Windows Server 2012 | | |Windows Server 2008 R2 (RTM and SP1 Standard)| Update Management supports assessments and patching for this operating system. The [Hybrid Runbook Worker](../automation-windows-hrw-install.md) is supported for Windows Server 2008 R2. |
-|CentOS 6, 7, and 8 (x64) | Linux agents require access to an update repository. Classification-based patching requires `yum` to return security data that CentOS doesn't have in its RTM releases. For more information on classification-based patching on CentOS, see [Update classifications on Linux](view-update-assessments.md#linux). |
-|Oracle Linux 6.x and 7.x (x64) | Linux agents require access to an update repository. |
-|Red Hat Enterprise 6, 7, and 8 (x64) | Linux agents require access to an update repository. |
-|SUSE Linux Enterprise Server 12, 15, 15.1, and 15.2 (x64) | Linux agents require access to an update repository. |
-|Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, and 20.04 LTS (x64) |Linux agents require access to an update repository. |
+|CentOS 6, 7, and 8 | Linux agents require access to an update repository. Classification-based patching requires `yum` to return security data that CentOS doesn't have in its RTM releases. For more information on classification-based patching on CentOS, see [Update classifications on Linux](view-update-assessments.md#linux). |
+|Oracle Linux 6.x, 7.x, 8x | Linux agents require access to an update repository. |
+|Red Hat Enterprise 6, 7, and 8 | Linux agents require access to an update repository. |
+|SUSE Linux Enterprise Server 12, 15, 15.1, and 15.2 | Linux agents require access to an update repository. |
+|Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, and 20.04 LTS |Linux agents require access to an update repository. |
> [!NOTE] > Update Management does not support safely automating update management across all instances in an Azure virtual machine scale set. [Automatic OS image upgrades](../../virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade.md) is the recommended method for managing OS image upgrades on your scale set.
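Review bot: The added Oracle Linux row reads "6.x, 7.x, 8x"; the last entry is missing its dot and should be "8.x", and the list has lost the "and" the removed row had. The new sentence "All operating systems are assumed to be x64" replaces the per-row "(x64)" labels with a softer statement; "Only x64 is supported" would match the next sentence, "x86 is not supported for any operating system", and the sentence belongs directly above the table it qualifies rather than above the Linux region note.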
azure-arc Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/overview.md
The following table describes the scenarios that are currently supported for Arc
> **Just want to try things out?** > Get started quickly with [Azure Arc Jumpstart](https://azurearcjumpstart.io/azure_arc_jumpstart/azure_arc_data/) on Azure Kubernetes Service (AKS), AWS Elastic Kubernetes Service (EKS), Google Cloud Kubernetes Engine (GKE) or in an Azure VM.
+>
+>In addition, deploy [Jumpstart ArcBox](https://azurearcjumpstart.io/azure_jumpstart_arcbox/), an easy to deploy sandbox for all things Azure Arc. ArcBox is designed to be completely self-contained within a single Azure subscription and resource group, which will make it easy for you to get hands-on with all available Azure Arc-enabled technology with nothing more than an available Azure subscription.
[Install the client tools](install-client-tools.md)
azure-arc Agent Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/agent-overview.md
The Azure Arc enabled servers Connected Machine agent enables you to manage your
>Starting with the general release of Azure Arc enabled servers in September 2020, all pre-release versions of the Azure Connected Machine agent (agents with versions less than 1.0) are being **deprecated** by **February 2, 2021**. This time frame allows you to upgrade to version 1.0 or higher before the pre-released agents are no longer able to communicate with the Azure Arc enabled servers service. >[!NOTE]
-> The [Azure Monitor agent](../../azure-monitor/agents/azure-monitor-agent-overview.md) (AMA), which is currently in preview, does not replace the Connected Machine agent. The Azure Monitor agent will replace the Log Analytics agent, Diagnostics extension, and Telegraf agent for both Windows and Linux machines. Review the Azure Monitor documentation about the new agent for more details.
+> The [Azure Monitor agent](../../azure-monitor/agents/azure-monitor-agent-overview.md) (AMA) does not replace the Connected Machine agent. The Azure Monitor agent will replace the Log Analytics agent, Diagnostics extension, and Telegraf agent for both Windows and Linux machines. Review the Azure Monitor documentation about the new agent for more details.
## Agent component details
azure-arc Onboard Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/onboard-portal.md
msiexec.exe /i AzureConnectedMachineAgent.msi /?
``` >[!NOTE]
- >The agent does not support setting proxy authentication in this preview.
+ >The agent does not support setting proxy authentication.
> 3. After installing the agent, you need to configure it to communicate with the Azure Arc service by running the following command:
After you install the agent and configure it to connect to Azure Arc enabled ser
- Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/policy/concepts/guest-configuration.md), verify the machine is reporting to the expected Log Analytics workspace, enable monitoring with [Azure Monitor with VMs](../../azure-monitor/vm/vminsights-enable-policy.md), and much more. -- Learn more about the [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to collect operating system and workload monitoring data with Azure Monitor for VMs, manage it using Automation runbooks or features like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
+- Learn more about the [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md). The Log Analytics agent for Windows and Linux is required when you want to collect operating system and workload monitoring data with Azure Monitor for VMs, manage it using Automation runbooks or features like Update Management, or use other Azure services like [Azure Security Center](../../security-center/security-center-introduction.md).
azure-functions Configure Networking How To https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/configure-networking-how-to.md
This article shows you how to perform tasks related to configuring your function
When you create a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. You can replace this storage account with one that is secured with service endpoints or private endpoints. When configuring your storage account with private endpoints, public access to your function app will be automatically disabled, and your function app will only be accessible through the virtual network. > [!NOTE]
-> This feature currently works for all Windows virtual network-supported SKUs in the Dedicated (App Service) plan and for Windows Elastic Premium plans. Consumption and Linux Elastic Premium plans aren't supported.
+> This feature currently works for all Windows virtual network-supported SKUs in the Dedicated (App Service) plan and for Windows Elastic Premium plans. It is also supported with private DNS for Linux virtual network-supported SKUs. Consumption and custom DNS for Linux plans aren't supported.
To set up a function with a storage account restricted to a private network:
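Review bot: The last sentence of the added note, "Consumption and custom DNS for Linux plans aren't supported", can be read either as one exclusion or as two; split it into "The Consumption plan isn't supported" and a separate sentence for Linux plans that use custom DNS. The removed line excluded "Linux Elastic Premium plans" by name, and the new text only says "Linux virtual network-supported SKUs" with private DNS, so state explicitly whether Linux Elastic Premium is now covered.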
azure-functions Create First Function Vs Code Node_Uiex https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-vs-code-node_uiex.md
- Title: Create a JavaScript function using Visual Studio Code - Azure Functions
-description: Learn how to create a JavaScript function, then publish the local Node.js project to serverless hosting in Azure Functions using the Azure Functions extension in Visual Studio Code.
- Previously updated : 11/03/2020----
-# Quickstart: Create a JavaScript function in Azure using Visual Studio Code
-
-> [!div class="op_single_selector" title1="Select your function language: "]
-> - [JavaScript](create-first-function-vs-code-node.md)
-> - [C#](create-first-function-vs-code-csharp.md)
-> - [Java](create-first-function-vs-code-java.md)
-> - [PowerShell](create-first-function-vs-code-powershell.md)
-> - [Python](create-first-function-vs-code-python.md)
-> - [TypeScript](create-first-function-vs-code-typescript.md)
-> - [Other (Go/Rust)](create-first-function-vs-code-other.md)
-
-Use Visual Studio Code to create a JavaScript function that responds to HTTP requests. Test the code locally, then deploy it to the serverless environment of Azure Functions.
-
-Completing this quickstart incurs a small cost of a few USD cents or less in your <abbr title="The Azure account is a global unique entity that gets you access to Azure services and your Azure subscriptions.">Azure account</abbr>.
-
-## 1. Prepare your environment
-
-Before you get started, make sure you have the following requirements in place:
-
-+ An Azure account with an <abbr title="An Azure subscription is a logical container used to provision resources in Azure. It holds the details of all your resources like virtual machines (VMs), databases, and more.">active subscription</abbr>. [Create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).
-
-+ [Node.js 10.14.1+](https://nodejs.org/)
-
-+ [Visual Studio Code](https://code.visualstudio.com/)
-
-+ [Azure Functions extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions) for Visual Studio Code.
-
-+ [Azure Functions Core tools](functions-run-local.md?tabs=linux%2Ccsharp%2Cbash#install-the-azure-functions-core-tools)
-
-<hr/>
-<br/>
-
-## 2. <a name="create-an-azure-functions-project"></a>Create your local Functions project
-
-1. Choose the Azure icon in the <abbr title="">Activity bar</abbr>, then in the **Azure: Functions** area, select the **Create new project...** icon.
-
- ![Choose Create a new project](./media/functions-create-first-function-vs-code/create-new-project.png)
-
-1. **Choose a directory location** for your project workspace then choose **Select**.
-
-1. Provide the following information at the prompts:
-
- + **Select a language for your function project**: Choose `JavaScript`.
-
- + **Select a template for your project's first function**: Choose `HTTP trigger`.
-
- + **Provide a function name**: Type `HttpExample`.
-
- + **Authorization level**: Choose `Anonymous`, which enables anyone to call your function endpoint.
-
- + **Select how you would like to open your project**: Choose `Add to workspace`.
----
-<br/>
-<details>
-<summary><strong>Can't create a function project?</strong></summary>
-
-The most common issues to resolve when creating a local Functions project are:
-* You do not have the Azure Functions extension installed.
-</details>
-
-<hr/>
-<br/>
-
-## 3. Run the function locally
--
-1. Press <kbd>F5</kbd> to start the function app project.
-
-1. In the **Terminal**, see the URL endpoint of your function running locally.
-
- ![Local function VS Code output](../../includes/media/functions-run-function-test-local-vs-code/functions-vscode-f5.png)
-
-1. Copy the following URL and paste in a web browser then press Enter.
-
- `http://localhost:7071/api/HttpExample?name=Functions`
-
-1. View returned response.
--
- ![Browser - localhost example output](./media/create-first-function-vs-code-other/functions-test-local-browser.png)
-
-1. View information in **Terminal** panel about the request.
-
- ![Task host start - VS Code terminal output](../../includes/media/functions-run-function-test-local-vs-code/function-execution-terminal.png)
-
-1. Press <kbd>Ctrl + C</kbd> to stop Core Tools and disconnect the debugger.
-
-<br/>
-<details>
-<summary><strong>Can't run the function locally?</strong></summary>
-
-The most common issues to resolve when running a local Functions project are:
-* You do not have the Core Tools installed.
-* If you have trouble running on Windows, make sure that the default terminal shell for Visual Studio Code isn't set to WSL Bash.
-</details>
-
-<hr/>
-<br/>
-
-## 4. Sign in to Azure
-
-To publish your app, sign in to Azure. If you're already signed in, go to the next section.
-
-1. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure...**.
-
- ![Sign in to Azure within VS Code](../../includes/media/functions-sign-in-vs-code/functions-sign-into-azure.png)
-
-1. When prompted in the browser, **choose your Azure account** and **sign in** using your Azure account credentials.
-
-1. After you've successfully signed in, close the new browser window and go back to Visual Studio Code.
-
-<hr/>
-<br/>
-
-## 5. Publish the project to Azure
-
-Your first deployment of your code includes creating a Function resource in your Azure subscription.
-
-1. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app...** button.
-
- ![Publish your project to Azure](../../includes/media/functions-publish-project-vscode/function-app-publish-project.png)
-
-1. Provide the following information at the prompts:
-
- + **Select folder**: Choose the folder that contains your function app.
-
- + **Select subscription**: Choose the subscription to use. You won't see this if you only have one subscription.
-
- + **Select Function App in Azure**: Choose `+ Create new Function App`.
-
- + **Enter a globally unique name for the function app**: Type a name that is unique across Azure in a URL path. The name you type is validated to ensure global uniqueness.
-
- + **Select a runtime**: Choose the version of Node.js you've been running on locally. You can use the `node --version` command to check your version.
-
- + **Select a location for new resources**: For better performance, choose a [region](https://azure.microsoft.com/regions/) near you.
-
-1. A notification is displayed after your function app is created and the deployment package is applied. Select **View Output** to see the creation and deployment results.
-
- ![Create complete notification](./media/functions-create-first-function-vs-code/function-create-notifications.png)
-
-<br/>
-<details>
-<summary><strong>Can't publish the function?</strong></summary>
-
-This section created the Azure resources and deployed your local code to the Function app. If that didn't succeed:
-
-* Review the Output for error information. The bell icon in the lower right corner is another way to view the output.
-* Did you publish to an existing function app? That action overwrites the content of that app in Azure.
-</details>
--
-<br/>
-<details>
-<summary><strong>What resources were created?</strong></summary>
-
-When completed, the following Azure resources are created in your subscription, using names based on your function app name:
-* **Resource group**: A resource group is a logical container for related resources in the same region.
-* **Azure Storage account**: A Storage resource maintains state and other information about your project.
-* **Consumption plan**: A consumption plan defines the underlying host for your serverless function app.
-* **Function app**: A function app provides the environment for executing your function code and group functions as a logical unit.
-* **Application Insights**: Application Insights tracks usage of your serverless function.
-
-</details>
-----
-<hr/>
-<br/>
-
-## 6. Run the function in Azure
-1. In the **Azure: Functions** side bar, expand the new function app.
-1. Expand **Functions**, then right-click on **HttpExample**, and then choose **Execute Function Now...**.
-
- ![Copy the function URL for the new HTTP trigger](../../includes/media/functions-vs-code-run-remote/execute-function-now.png)
-
-1. **Press Enter** to send default request message to your function.
-
-1. A notification is raised in Visual Studio Code when you function execution completes.
-
-<br/>
-<details>
-<summary><strong>Couldn't run the cloud-based Function app?</strong></summary>
-
-* Did you remember to add the querystring to the end of the URL?
-
-</details>
-
-<hr/>
-<br/>
-
-## 7. Clean up resources
-
-Delete the function app and its resources to avoid incurring any further costs.
-
-1. In Visual Studio Code, select the Azure icon in the Activity bar, then select the Functions area in the side bar.
-1. Select the function app, then right-click and select **Delete Function app...**.
-
-<hr/>
-<br/>
-
-## Next steps
-
-Expand the function by adding an <abbr title="Binding to a function is a way of declaratively connecting another resource to the function.">output binding</abbr>. This binding writes the string from the HTTP request to a message in an Azure Queue Storage queue.
-
-> [!div class="nextstepaction"]
-> [Connect to an Azure Storage queue](functions-add-output-binding-storage-queue-vs-code.md?pivots=programming-language-javascript)
-
-[Azure Functions Core Tools]: functions-run-local.md
-[Azure Functions extension for Visual Studio Code]: https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions
azure-functions Functions Create Vnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-create-vnet.md
Create the virtual network to which the function app integrates:
Azure private endpoints are used to connect to specific Azure resources by using a private IP address. This connection ensures that network traffic remains within the chosen virtual network and access is available only for specific resources.
-Create the private endpoints for Azure Files storage and Azure Blob Storage by using your storage account:
+Create the private endpoints for Azure Files Storage, Azure Blob Storage and Azure Table Storage by using your storage account:
1. In your new storage account, in the menu on the left, select **Networking**.
Create the private endpoints for Azure Files storage and Azure Blob Storage by u
| **Name** | blob-endpoint | The name of the private endpoint for blobs from your storage account. | | **Resource** | mysecurestorage | The storage account you created. | | **Target sub-resource** | blob | The private endpoint that will be used for blobs from the storage account. |
+1. Create another private endpoint for tables. On the **Resources** tab, use the settings shown in the following table. For all other settings, use the same values you used to create the private endpoint for files.
+
+ | Setting | Suggested value | Description |
+ | | - | - |
+ | **Subscription** | Your subscription | The subscription under which your resources are created. |
+ | **Resource type** | Microsoft.Storage/storageAccounts | The resource type for storage accounts. |
+ | **Name** | table-endpoint | The name of the private endpoint for blobs from your storage account. |
+ | **Resource** | mysecurestorage | The storage account you created. |
+ | **Target sub-resource** | table | The private endpoint that will be used for tables from the storage account. |
1. After the private endpoints are created, return to the **Firewalls and virtual networks** section of your storage account. 1. Ensure **Selected networks** is selected. It's not necessary to add an existing virtual network.
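Review bot: In the added settings table for the table endpoint, the **Name** row still describes `table-endpoint` as "The name of the private endpoint for blobs from your storage account"; this was copied from the blob step and should say "tables". The intro line now reads "Azure Files Storage, Azure Blob Storage and Azure Table Storage", which changes the capitalisation of "Azure Files storage" from the removed line; keep one form throughout the article.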
azure-functions Functions Networking Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-networking-options.md
To learn more, see [Virtual network service endpoints](../virtual-network/virtua
When you create a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. You can replace this storage account with one that is secured with service endpoints or private endpoint.
-This feature currently works for all Windows virtual network-supported SKUs in the Dedicated (App Service) plan and for the Premium plan. The Consumption plan isn't supported. To learn how to set up a function with a storage account restricted to a private network, see [Restrict your storage account to a virtual network](configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network).
+This feature is supported for all Windows virtual network-supported SKUs in the Dedicated (App Service) plan and for the Premium plans. It is also supported with private DNS for Linux virtual network-supported SKUs. The Consumption plan and custom DNS on Linux plans aren't supported. To learn how to set up a function with a storage account restricted to a private network, see [Restrict your storage account to a virtual network](configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network).
## Use Key Vault references
azure-monitor Agents Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/agents-overview.md
The following tables list the operating systems that are supported by the Azure
| Windows Server 2012 R2 | X | X | X | X | | Windows Server 2012 | X | X | X | X | | Windows Server 2008 R2 SP1 | X | X | X | X |
-| Windows Server 2008 R2 | | X | X | X |
+| Windows Server 2008 R2 | | | X | X |
+| Windows Server 2008 SP2 | | X | | |
| Windows 10 Enterprise<br>(including multi-session) and Pro<br>(Server scenarios only) | X | X | X | X | | Windows 8 Enterprise and Pro<br>(Server scenarios only) | | X | X | | | Windows 7 SP1<br>(Server scenarios only) | | X | X | |
azure-monitor Availability Multistep https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/availability-multistep.md
Title: Monitor with multi-step web tests - Azure Application Insights description: Set up multi-step web tests to monitor your web applications with Azure Application Insights Previously updated : 02/14/2021 Last updated : 02/13/2021 # Multi-step web tests
You can monitor a recorded sequence of URLs and interactions with a website via
> </br> > Multi-step web tests **are not supported** in the [Azure Government](../../azure-government/index.yml) cloud.
+> [!NOTE]
+> Multi-step web tests are categorized as classic tests and can be found under **Add Classic Test** in the Availability pane.
## Pre-requisites
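Review bot: The metadata for this revision reads "Previously updated : 02/14/2021 Last updated : 02/13/2021", so the last-updated date is earlier than the previous one; set it to the date of this change. The added note calls these "classic tests" found under **Add Classic Test**; use the same "(classic)" label the availability overview uses for this test type so the two articles match.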
azure-monitor Availability Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/availability-overview.md
Title: Application Insights availability overview description: Set up recurring web tests to monitor availability and responsiveness of your app or website. Previously updated : 07/10/2021 Last updated : 07/13/2021
You can set up availability tests for any HTTP or HTTPS endpoint that is accessi
## Types of availability tests
-There are three types of availability tests:
+There are four types of availability tests:
-* [URL ping test](monitor-web-app-availability.md): A simple tests you can create through the portal to validate whether an endpoint is responding and measure performance associated with that response. You may also set custom success criteria coupled with more advanced features like parsing dependent requests, and allowing for retries.
-* [Multi-step web test](availability-multistep.md): A recording of a sequence of web requests, which can be played back to test more complex scenarios. Multi-step web tests are created in Visual Studio Enterprise and uploaded to the portal for execution.
+* [URL ping tests (classic)](monitor-web-app-availability.md): A simple test you can create through the portal to validate whether an endpoint is responding and measure performance associated with that response. You may also set custom success criteria coupled with more advanced features like parsing dependent requests, and allowing for retries.
+* [Standard tests (Preview)](availability-standard-tests.md): A single request test that is similar to the URL ping test but includes SSL certificate validity, proactive lifetime check, HTTP request verb (for example `GET`,`HEAD`,`POST`, etc.), custom headers, and custom data associated with your HTTP request.
+* [Multi-step web test (classic)](availability-multistep.md): A recording of a sequence of web requests, which can be played back to test more complex scenarios. Multi-step web tests are created in Visual Studio Enterprise and uploaded to the portal for execution.
* [Custom Track Availability Tests](availability-azure-functions.md): If you decide to create a custom application to run availability tests, the [TrackAvailability()](/dotnet/api/microsoft.applicationinsights.telemetryclient.trackavailability) method can be used to send the results to Application Insights. > [!IMPORTANT]
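Review bot: The three rewritten bullets name the test types inconsistently: "URL ping tests (classic)" and "Standard tests (Preview)" are plural, "Multi-step web test (classic)" is singular, and "(Preview)" is capitalised while "(classic)" is not; pick one form. In the Standard tests bullet, "for example `GET`,`HEAD`,`POST`, etc." pairs "for example" with "etc." and has no spaces after the commas, and "includes SSL certificate validity, proactive lifetime check" would read more clearly as "adds SSL certificate validation and a proactive certificate lifetime check".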
azure-monitor Availability Standard Tests https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/availability-standard-tests.md
+
+ Title: Availability Standard test - Azure Monitor Application Insights
+description: Set up Standard tests in Application Insights to check for availability of a website with a single request test.
+ Last updated : 07/13/2021++
+# Standard test
+
+Standard tests are a single request test that is similar to the [URL ping test](monitor-web-app-availability.md) but more advanced. In addition to validating whether an endpoint is responding and measuring the performance, Standard tests also includes SSL certificate validity, proactive lifetime check, HTTP request verb (for example `GET`,`HEAD`,`POST`, etc.), custom headers, and custom data associated with your HTTP request.
+
+> [!NOTE]
+> Standard tests are currently in public preview. These preview versions are provided without a service level agreement. Certain features might not be supported or might have constrained capabilities.
+
+> [!NOTE]
+> There are currently no additional charges for the preview feature Standard tests. Pricing for features that are in preview will be announced in the future and a notice provided prior to start of billing. Should you choose to continue using Standard tests after the notice period, you will be billed at the applicable rate.
+
+To create an availability test, you need use an existing Application Insights resource or [create an Application Insights resource](create-new-resource.md).
+
+> [!TIP]
+> If you are currently using other availability tests, like URL ping tests, you may add Standard tests along side the others. If you would like to use Standard tests instead of one of your other tests, add a Standard test and delete your old test.
+
+## Create a Standard test
+
+To create a standard test:
+
+1. Go to your Application Insights resource and select the **Availability** pane.
+1. Select **Add Standard (preview) test**.
+
+ :::image type="content" source="./media/availability-standard-test/standard-test.png" alt-text="Screenshot of Availability pane with add standard test tab open." lightbox="./media/availability-standard-test/standard-test.png":::
+
+1. Input your test name, URL and additional settings (explanation below), then select **Create**.
++
+|Setting | Explanation |
+|--|-|
+|**URL** | The URL can be any web page you want to test, but it must be visible from the public internet. The URL can include a query string. So, for example, you can exercise your database a little. If the URL resolves to a redirect, we follow it up to 10 redirects.|
+|**Parse dependent requests**| Test requests images, scripts, style files, and other files that are part of the web page under test. The recorded response time includes the time taken to get these files. The test fails if any of these resources cannot be successfully downloaded within the timeout for the whole test. If the option isn't checked, the test only requests the file at the URL you specified. Enabling this option results in a stricter check. The test could fail for cases, which may not be noticeable when manually browsing the site. |
+|**Enable retries**| When the test fails, it's retried after a short interval. A failure is reported only if three successive attempts fail. Subsequent tests are then performed at the usual test frequency. Retry is temporarily suspended until the next success. This rule is applied independently at each test location. **We recommend this option**. On average, about 80% of failures disappear on retry.|
+| **SSL certificate validation test** | You can verify the SSL certificate on your website to make sure it's correctly installed, valid, trusted, and doesn't give any errors to any of your users. |
+| **Proactive lifetime check** | This enables you to define a set time period before your SSL certificate expires. Once it expires, your test will fail. |
+|**Test frequency**| Sets how often the test is run from each test location. With a default frequency of five minutes and five test locations, your site is tested on average every minute.|
+|**Test locations**| The places from where our servers send web requests to your URL. **Our minimum number of recommended test locations is five** to ensure that you can distinguish problems in your website from network issues. You can select up to 16 locations.|
+| **Custom headers** | Key value pairs that define the operating parameters. |
+| **HTTP request verb** | Indicate what action you would like to take with your request. |
+| **Request body** | Custom data associated with your HTTP request. You can upload your own files, type in your content, or disable this feature. |
+
+## Success criteria
+
+|Setting| Explanation|
+|-||
+| **Test timeout** |Decrease this value to be alerted about slow responses. The test is counted as a failure if the responses from your site have not been received within this period. If you selected **Parse dependent requests**, then all the images, style files, scripts, and other dependent resources must have been received within this period.|
+| **HTTP response** | The returned status code that is counted as a success. 200 is the code that indicates that a normal web page has been returned.|
+| **Content match** | A string, like "Welcome!" We test that an exact case-sensitive match occurs in every response. It must be a plain string, without wildcards. Don't forget that if your page content changes you might have to update it. **Only English characters are supported with content match** |
+
+## Alerts
+
+|Setting| Explanation|
+|-||
+|**Near-realtime (Preview)** | We recommend using Near-realtime alerts. Configuring this type of alert is done after your availability test is created. |
+|**Alert location threshold**|We recommend a minimum of 3/5 locations. The optimal relationship between alert location threshold and the number of test locations is **alert location threshold** = **number of test locations - 2, with a minimum of five test locations.**|
+
+## Location population tags
+
+The following population tags can be used for the geo-location attribute when deploying an availability URL ping test using Azure Resource Manager.
+
+### Azure gov
+
+| Display Name | Population Name |
+|-||
+| USGov Virginia | usgov-va-azr |
+| USGov Arizona | usgov-phx-azr |
+| USGov Texas | usgov-tx-azr |
+| USDoD East | usgov-ddeast-azr |
+| USDoD Central | usgov-ddcentral-azr |
+
+### Azure China
+
+| Display Name | Population Name |
+|-||
+| China East | mc-cne-azr |
+| China East 2 | mc-cne2-azr |
+| China North | mc-cnn-azr |
+| China North 2 | mc-cnn2-azr |
+
+#### Azure
+
+| Display Name | Population Name |
+|-|-|
+| Australia East | emea-au-syd-edge |
+| Brazil South | latam-br-gru-edge |
+| Central US | us-fl-mia-edge |
+| East Asia | apac-hk-hkn-azr |
+| East US | us-va-ash-azr |
+| France South (Formerly France Central) | emea-ch-zrh-edge |
+| France Central | emea-fr-pra-edge |
+| Japan East | apac-jp-kaw-edge |
+| North Europe | emea-gb-db3-azr |
+| North Central US | us-il-ch1-azr |
+| South Central US | us-tx-sn1-azr |
+| Southeast Asia | apac-sg-sin-azr |
+| UK West | emea-se-sto-edge |
+| West Europe | emea-nl-ams-azr |
+| West US | us-ca-sjc-azr |
+| UK South | emea-ru-msa-edge |
+
+## See your availability test results
+
+Availability test results can be visualized with both line and scatter plot views.
+
+After a few minutes, select **Refresh** to see your test results.
++
+The scatterplot view shows samples of the test results that have diagnostic test-step detail in them. The test engine stores diagnostic detail for tests that have failures. For successful tests, diagnostic details are stored for a subset of the executions. Hover over any of the green/red dots to see the test, test name, and location.
++
+Select a particular test, location, or reduce the time period to see more results around the time period of interest. Use Search Explorer to see results from all executions, or use Analytics queries to run custom reports on this data.
+
+## Inspect and edit tests
+
+To edit, temporarily disable, or delete a test, select the ellipses next to a test name. It may take up to 20 minutes for configuration changes to propagate to all test agents after a change is made.
++
+You might want to disable availability tests or the alert rules associated with them while you are performing maintenance on your service.
+
+## If you see failures
+
+Select a red dot.
++
+From an availability test result, you can see the transaction details across all components. Here you can:
+
+* Review the troubleshooting report to determine what may have caused your test to fail but your application is still available.
+* Inspect the response received from your server.
+* Diagnose failure with correlated server-side telemetry collected while processing the failed availability test.
+* Log an issue or work item in Git or Azure Boards to track the problem. The bug will contain a link to this event.
+* Open the web test result in Visual Studio.
+
+To learn more about the end to end transaction diagnostics experience, visit the [transaction diagnostics documentation](./transaction-diagnostics.md).
+
+Select on the exception row to see the details of the server-side exception that caused the synthetic availability test to fail. You can also get the [debug snapshot](./snapshot-debugger.md) for richer code level diagnostics.
++
+In addition to the raw results, you can also view two key Availability metrics in [Metrics Explorer](../essentials/metrics-getting-started.md):
+
+* Availability: Percentage of the tests that were successful, across all test executions.
+* Test Duration: Average test duration across all test executions.
+
+## Next steps
+
+* [Availability Alerts](availability-alerts.md)
+* [Multi-step web tests](availability-multistep.md)
+* [Troubleshooting](troubleshoot-availability.md)
+* [Web Tests Azure Resource Manager template](/azure/templates/microsoft.insights/webtests?tabs=json)
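Review bot: The **Proactive lifetime check** row in the settings table does not say when the test starts failing: "define a set time period before your SSL certificate expires" followed by "Once it expires, your test will fail" leaves it unclear whether "it" is the configured period or the certificate. If the check is meant as an early warning, say that the test fails once the certificate is within the configured period of its expiry date. Smaller points in the same file: the "Location population tags" intro still says "availability URL ping test" in an article about Standard tests; the `#### Azure` heading sits one level below its siblings `### Azure gov` and `### Azure China`; and the **Custom headers** and **Request body** rows do not say whether values entered there (an authorization header, for example) are stored or shown in clear text with the test definition.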
azure-monitor Code Sample Export Sql Stream Analytics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/code-sample-export-sql-stream-analytics.md
We'll start with the assumption that you already have the app you want to monito
In this example, we will be using the page view data, but the same pattern can easily be extended to other data types such as custom events and exceptions.
+> [!IMPORTANT]
+> Continuous export has been deprecated and is only supported for classic Application Insights resources. [Migrate to a workspace-based Application Insights resource](convert-classic-resource.md) to use [diagnostic settings](export-telemetry.md#diagnostic-settings-based-export) for exporting telemetry.
+ ## Add Application Insights to your application To get started:
azure-monitor Monitor Web App Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/monitor-web-app-availability.md
Title: Monitor availability with URL ping tests- Azure Monitor description: Set up ping tests in Application Insights. Get alerts if a website becomes unavailable or responds slowly. Previously updated : 07/10/2021 Last updated : 07/13/2021
The name "URL ping test" is a bit of a misnomer. To be clear, these tests are no
In order to create an availability test, you need use an existing Application Insights resource or [create an Application Insights resource](create-new-resource.md).
+> [!NOTE]
+> URL ping tests are categorized as classic tests and can be found under **Add Classic Test** in the Availability pane. For more advanced features, see [Standard tests (preview)](availability-standard-tests.md)
+
## Create a test To create your first availability request:
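Review bot: The second sentence of the added note has no closing period after the `availability-standard-tests.md` link. The unchanged context line just above it also reads "you need use an existing Application Insights resource", which is missing "to" and could be fixed in the same change.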
From an availability test result, you can see the transaction details across all
* Log an issue or work item in Git or Azure Boards to track the problem. The bug will contain a link to this event. * Open the web test result in Visual Studio.
-To learn more about the end to end transaction diagnostics experience visit the [transaction diagnostics documentation](./transaction-diagnostics.md).
+To learn more about the end to end transaction diagnostics experience, visit the [transaction diagnostics documentation](./transaction-diagnostics.md).
Select on the exception row to see the details of the server-side exception that caused the synthetic availability test to fail. You can also get the [debug snapshot](./snapshot-debugger.md) for richer code level diagnostics.
azure-netapp-files Performance Linux Filesystem Cache https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/performance-linux-filesystem-cache.md
The kernel flusher thread is responsible for asynchronously flushing dirty buffe
Considering the default virtual memory tunables and the amount of RAM in modern systems, write-back potentially slows down other storage-bound operations from the perspective of the specific client driving this mixed workload. The following symptoms may be expected from an untuned, write-heavy, cache-laden Linux machine.
-* Directory lists `ls` take long enough as to appear hung.
+* Directory lists `ls` take long enough as to appear unresponsive.
* Read throughput against the filesystem decreases significantly in comparison to write throughput. * `nfsiostat` reports write latencies **in seconds or higher**.
azure-percept How To Get Hardware Support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/how-to-get-hardware-support.md
+
+ Title: How to get hardware support for Azure Percept DK hardware from ASUS
+description: This guide shows you how to contact ASUS for technical support for the Azure Percept DK hardware.
++++ Last updated : 07/13/2021+++
+# Get support for your Azure Percept DK hardware from ASUS
+
+As the OEM for the Azure Percept DK, ASUS provides technical support to all customer who purchased a device and business support for customers interested in purchasing devices. This article shows you how to contact ASUS to get support.
++
+## Prerequisites
+
+- For the best support experience, be ready to provide the device serial number found on the back of the developer board.
+
+## Get technical support for hardware issues
+If you experience issues with the hardware, which can include missing and broken components, you must contact ASUS directly to get support.
+1. Go to the official ASUS [technical support website](https://www.asus.com/us/support/contact/troubleshooting).
+1. Enter your device serial number or if you've already registered your device you can select **Choose your registered product**.
+1. If you don't have the serial number, you can search for the product.
+ 1. Under **Select a Product**, select **Show All Products**.
+ 1. Select **AIOT & Industrial Solutions**.
+ 1. For **Product Series**, select **Intelligent Edge Computer**.
+ 1. For **Product Model**, select **Azure Percept DK** or **Azure Percept Audio**.
+ 1. Select **Continue**.
+1. You'll be presented with a list of articles for common support issues. Select the article that best represents the issue you're experiencing.
+1. If none of the articles cover your issue, select the **See support** button for options on receiving direct support.
+
+## Get support for business and sales questions
+If you would like to contact ASUS about purchasing dev kits, you can submit an inquiry and they'll connect you with the right people.
+1. Go to the [inquiry form](https://iot.asus.com/inquiry/).
+1. Fill out the needed fields and **Submit**.
+1. An ASUS representative will follow up.
+
+## Next steps
+If you think you need more support, you can also try these options from Microsoft.
+- [Microsoft Q&A](https://docs.microsoft.com/answers/products/)
+- [Azure Support](https://azure.microsoft.com/support/plans/)
+
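Review bot: In the opening paragraph, "technical support to all customer who purchased a device" should read "all customers who purchased a device". In the technical support steps, step 2 asks for the serial number and step 3 then covers the case of not having one, so consider wording step 3 explicitly as the alternative to step 2, and have the Prerequisites bullet say whether the serial number is required or only recommended.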
azure-resource-manager Resources Without Resource Group Limit https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/resources-without-resource-group-limit.md
Title: Resources without 800 count limit description: Lists the Azure resource types that can have more than 800 instances in a resource group. Previously updated : 04/12/2021 Last updated : 07/13/2021 # Resources not limited to 800 instances per resource group
For some resource types, you need to contact support to have the 800 instance li
## Microsoft.AzureStack
-* edgeSubscriptions
* linkedSubscriptions * registrations * registrations/customerSubscriptions
For some resource types, you need to contact support to have the 800 instance li
## microsoft.insights * metricalerts
-* scheduledQueryRules
+* scheduledqueryrules
## Microsoft.Logic
For some resource types, you need to contact support to have the 800 instance li
* netAppAccounts/capacityPools/volumes * netAppAccounts/capacityPools/volumes/mountTargets * netAppAccounts/capacityPools/volumes/snapshots
+* netAppAccounts/snapshotPolicies
* netAppAccounts/volumeGroups ## Microsoft.Network
For some resource types, you need to contact support to have the 800 instance li
* privateDnsZones/virtualNetworkLinks * privateEndpoints * privateLinkServices
-* publicIPAddresses - By default, limited to 800 instances. That limit can be increased by contacting support.
+* publicIPAddresses
* serviceEndpointPolicies * trafficmanagerprofiles * virtualNetworkTaps
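Review bot: The `publicIPAddresses` entry loses its qualifier ("By default, limited to 800 instances. That limit can be increased by contacting support.") with nothing in its place. Please confirm that a support request is no longer needed for this type; if it still is, keep the qualifier in the same form the added `streamingjobs` entry uses.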
For some resource types, you need to contact support to have the 800 instance li
* accounts/accountQuotaPolicies * accounts/groupPolicies * accounts/jobs
+* accounts/models
* accounts/storageContainers
-## Microsoft.Storage
-
-* storageAccounts
- ## Microsoft.Sql * servers/databases
-## Microsoft.Web
+## Microsoft.Storage
+
+* storageAccounts
+
+## Microsoft.StreamAnalytics
-* apiManagementAccounts/apis
-* sites
+* streamingjobs - By default, limited to 800 instances. That limit can be increased by contacting support.
## Next steps
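Review bot: The `## Microsoft.Web` section, with `apiManagementAccounts/apis` and `sites`, is removed outright rather than moved, and `edgeSubscriptions` is dropped from `Microsoft.AzureStack` earlier in the same file. Readers who sized resource groups against the earlier list need to know whether these types are now subject to the 800-instance limit; a sentence in the article or the commit description would cover it.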
azure-sql Firewall Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/firewall-configure.md
Previously updated : 06/17/2020 Last updated : 07/14/2021 # Azure SQL Database and Azure Synapse IP firewall rules [!INCLUDE[appliesto-sqldb-asa](../includes/appliesto-sqldb-asa.md)]
When a computer tries to connect to your server from the internet, the firewall
To allow applications hosted inside Azure to connect to your SQL server, Azure connections must be enabled. To enable Azure connections, there must be a firewall rule with starting and ending IP addresses set to 0.0.0.0.
-When an application from Azure tries to connect to the server, the firewall checks that Azure connections are allowed by verifying this firewall rule exists. This can be turned on directly from the Azure portal blade by switching the **Allow Azure Services and resources to access this server** to **ON** in the **Firewalls and virtual networks** settings. Setting to ON creates an inbound firewall rule for IP 0.0.0.0 - 0.0.0.0 named **AllowAllWindowsIP**. Use PowerShell or the Azure CLI to create a firewall rule with start and end IP addresses set to 0.0.0.0 if youΓÇÖre not using the portal.
+When an application from Azure tries to connect to the server, the firewall checks that Azure connections are allowed by verifying this firewall rule exists. This can be turned on directly from the Azure portal blade by switching the **Allow Azure Services and resources to access this server** to **ON** in the **Firewalls and virtual networks** settings. Switching the setting to ON creates an inbound firewall rule for IP 0.0.0.0 - 0.0.0.0 named **AllowAllWindowsAzureIps**. The rule can be viewed in your master database [sys.firewall_rules](/sql/relational-databases/system-catalog-views/sys-firewall-rules-azure-sql-database) view. Use PowerShell or the Azure CLI to create a firewall rule with start and end IP addresses set to 0.0.0.0 if youΓÇÖre not using the portal.
> [!IMPORTANT] > This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. If you select this option, make sure that your login and user permissions limit access to authorized users only.
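Review bot: The added sentence names the portal-created rule **AllowAllWindowsAzureIps**, but the surrounding text defines the Azure-connections rule by its range (start and end IP both 0.0.0.0), and a rule created through PowerShell or the Azure CLI can carry any name. Suggest saying that when reviewing `sys.firewall_rules` the rule is identified by the 0.0.0.0 - 0.0.0.0 range rather than by its name, since the note that follows states it admits connections from other customers' subscriptions. The apostrophe in the last sentence also appears as "youΓÇÖre" in both the removed and the added line, so the file encoding is worth checking.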
azure-sql Sql Server To Managed Instance Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide.md
source SQL Server version you are running:
|Step|SQL Engine and version|Backup/restore method| |||| |Put backup to Azure Storage|Prior to 2012 SP1 CU2|Upload .bak file directly to Azure Storage|
-| |2012 SP1 CU2 - 2016|Direct backup using deprecated [WITH CREDENTIAL](/sql/t-sql/statements/restore-statements-transact-sql.md) syntax|
-| |2016 and above|Direct backup using [WITH SAS CREDENTIAL](/sql/relational-databases/backup-restore/sql-server-backup-to-url.md)|
+| |2012 SP1 CU2 - 2016|Direct backup using deprecated [WITH CREDENTIAL](/sql/t-sql/statements/restore-statements-transact-sql) syntax|
+| |2016 and above|Direct backup using [WITH SAS CREDENTIAL](/sql/relational-databases/backup-restore/sql-server-backup-to-url)|
|Restore from Azure Storage to a managed instance| |[RESTORE FROM URL with SAS CREDENTIAL](../../managed-instance/restore-sample-database-quickstart.md)| > [!IMPORTANT]
azure-sql Sql Server Availability Group To Sql On Azure Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/virtual-machines/sql-server-availability-group-to-sql-on-azure-vm.md
Your Always On availability group is ready.
- Deploy [Azure Disk Encryption](../../../security/fundamentals/azure-disk-encryption-vms-vmss.md) to help secure disks, and keep data safe from theft and unauthorized access. - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/), and visit the [Azure Security Center](https://azure.microsoft.com/services/security-center/). - For monitoring and management:
- - Consider deploying [Azure Cost Management](../../../cost-management-billing/cloudyn/overview.md) to monitor resource usage and spending.
+ - Consider deploying [Azure Cost Management](../../../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending.
## Next steps
azure-sql Sql Server Failover Cluster Instance To Sql On Azure Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/virtual-machines/sql-server-failover-cluster-instance-to-sql-on-azure-vm.md
Your SQL Server failover cluster instance is ready.
- Deploy [Azure Disk Encryption](../../../security/fundamentals/azure-disk-encryption-vms-vmss.md) to help secure disks, and keep data safe from theft and unauthorized access. - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/), and visit the [Azure Security Center](https://azure.microsoft.com/services/security-center/). - For monitoring and management:
- - Consider deploying [Azure Cost Management](../../../cost-management-billing/cloudyn/overview.md) to monitor resource usage and spending.
+ - Consider deploying [Azure Cost Management](../../../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending.
## Next steps
azure-video-analyzer Grpc Extension Protocol https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/grpc-extension-protocol.md
In a single session: The client sends a media stream descriptor followed by vide
It is strongly recommended that responses are returned using valid JSON documents following the pre-established schema defined as per the [inference metadata schema object model](inference-metadata-schema.md). This will better ensure interoperability with other components and scenarios like recording and playback of video with inference metadata. > [!div class="mx-imgBorder"]
-> :::image type="content" source="./media/grpc-extension-protocol/ava-module.png" alt-text="Azure Video Analyzer module" lightbox="./media/grpc-extension-protocol/ava-module.png":::
+> :::image type="content" source="./media/grpc-extension-protocol/grpc-external-srv.svg" alt-text="Azure Video Analyzer module" lightbox="./media/grpc-extension-protocol/grpc-external-srv.svg":::
## Implementing gRPC protocol
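Review bot: `alt-text` still reads "Azure Video Analyzer module" although the image source and lightbox now point to `grpc-external-srv.svg` instead of `ava-module.png`. If the new diagram shows something different, as the file name suggests, update the alt text to describe it.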
azure-vmware Attach Disk Pools To Azure Vmware Solution Hosts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/attach-disk-pools-to-azure-vmware-solution-hosts.md
You can only connect the disk pool to an Azure VMware Solution private cloud in
- If you select ultra disks, use Ultra Performance for the Azure VMware Solution private cloud and then [enable ExpressRoute FastPath](/azure/expressroute/expressroute-howto-linkvnet-arm#configure-expressroute-fastpath).
- - If you select premium SSDs, use Standard (1 Gbps) for the Azure VMware Solution private cloud.
+ - If you select premium SSDs, use Standard (1 Gbps) for the Azure VMware Solution private cloud. You must use Standard\_DS##\_v3 to host iSCSI. If you encounter quota issues, request an increase in [vCPU quota limits](../azure-portal/supportability/per-vm-quota-requests.md) per Azure VM series for Dsv3 series.
- Disk pool as the backing storage deployed and exposed as an iSCSI target with each disk as an individual LUN. For details, see [Deploy an Azure disk pool](../virtual-machines/disks-pools-deploy.md).
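Review bot: "You must use Standard\_DS##\_v3 to host iSCSI" is appended to the premium SSD bullet, so it is unclear whether the requirement applies only when premium SSDs are selected or to the ultra disk case as well. Consider making it a separate bullet and explaining what the `##` placeholder stands for.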
Now that you've attached a disk pool to your Azure VMware Solution hosts, you ma
- [Disabling iSCSI support on a disk](/azure/virtual-machines/disks-pools-deprovision#disable-iscsi-support). If you disable iSCSI support on a disk pool, you effectively can no longer use a disk pool. - [Moving disk pools to a different subscription](../virtual-machines/disks-pools-move-resource.md). Move an Azure disk pool to a different subscription, which involves moving the disk pool itself, contained disks, managed resource group, and all the resources. +
+- [Troubleshooting disk pools](../virtual-machines/disks-pools-troubleshoot.md). Review the common failure codes related to Azure disk pools (preview). It also provides possible resolutions and some clarity on disk pool statuses.
azure-vmware Configure Dhcp Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/configure-dhcp-azure-vmware-solution.md
In this how-to article, you'll use NSX-T Manager to configure DHCP for Azure VMw
- [Third-party external DHCP server](#use-a-third-party-external-dhcp-server) >[!TIP]
->If you want to configure DHCP using a simplified view of NSX-T operations, see [Create a DHCP server or DHCP relay using the Azure portal](configure-nsx-network-components-azure-portal.md#create-a-dhcp-server-or-dhcp-relay-using-the-azure-portal). The simplified view is targeted at users unfamiliar with NSX-T Manager.
+>If you want to configure DHCP using a simplified view of NSX-T operations, see [Create a DHCP server or DHCP relay using the Azure portal](configure-nsx-network-components-azure-portal.md#create-a-dhcp-server-or-dhcp-relay-using-the-azure-portal).
+>[!IMPORTANT]
+>For clouds created on or after July 1, 2021, the simplified view of NSX-T operations must be used to configure DHCP on the default Tier-1 Gateway in your environment.
+ >[!IMPORTANT] >DHCP does not work for virtual machines (VMs) on the VMware HCX L2 stretch network when the DHCP server is in the on-premises datacenter. NSX, by default, blocks all DHCP requests from traversing the L2 stretch. For the solution, see the [Configure DHCP on L2 stretched VMware HCX networks](configure-l2-stretched-vmware-hcx-networks.md) procedure.
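Review bot: The added callout says the simplified view "must be used" for clouds created on or after July 1, 2021, yet the article's opening line still says "you'll use NSX-T Manager to configure DHCP", so a reader with a newer cloud cannot tell whether the NSX-T Manager steps that follow apply to them. State near the top which procedure applies to which clouds. The same callout is added again before "Create DHCP relay service"; one statement near the top would be enough.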
When you create a relay to a DHCP server, you'll also specify the DHCP IP addres
If you want to use a third-party external DHCP server, you'll create a DHCP relay service in NSX-T Manager. You'll also specify the DHCP IP address range.
+>[!IMPORTANT]
+>For clouds created on or after July 1, 2021, the simplified view of NSX-T operations must be used to configure DHCP on the default Tier-1 Gateway in your environment.
++ ### Create DHCP relay service Use a DHCP relay for any non-NSX-based DHCP service. For example, a VM running DHCP in Azure VMware Solution, Azure IaaS, or on-premises.
azure-vmware Configure Nsx Network Components Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/configure-nsx-network-components-azure-portal.md
You'll have four options to configure NSX-T components in the Azure VMware Solut
>[!IMPORTANT] >You can still use NSX-T Manager for the advanced settings mentioned and other NSX-T features.
+>[!IMPORTANT]
+>For clouds created on or after July 1, 2021, the simplified view of NSX-T operations must be used to configure components on the default Tier-1 Gateway in your environment.
+ ## Prerequisites Virtual machines (VMs) created or migrated to the Azure VMware Solution private cloud should be attached to a network segment.
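Review bot: The new callout sits directly after one that says "You can still use NSX-T Manager for the advanced settings mentioned and other NSX-T features", and the two read as contradictory for clouds created on or after July 1, 2021. Merge them into one callout that says what must go through the simplified view (components on the default Tier-1 Gateway) and what can still be done in NSX-T Manager.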
backup Backup Azure Arm Userestapi Restoreazurevms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-arm-userestapi-restoreazurevms.md
As explained [above](#restore-operations), the following request body defines pr
"originalStorageAccountOption": false, "encryptionDetails": { "encryptionEnabled": false
+ }
} } ```
backup Backup Azure Restore Files From Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-restore-files-from-vm.md
Also, ensure that you have the [right machine to execute the ILR script](#step-2
## Step 5: Running the script and identifying volumes
+> [!NOTE]
+>
+> The script is generated in English language only and is not localized. Hence it might require that the system locale is in English for the script to execute properly
+>
++ ### For Windows After you meet all the requirements listed in [Step 2](#step-2-ensure-the-machine-meets-the-requirements-before-executing-the-script), [Step 3](#step-3-os-requirements-to-successfully-run-the-script) and [Step 4](#step-4-access-requirements-to-successfully-run-the-script), copy the script from the downloaded location (usually the Downloads folder), see [Step 1 to learn how to generate and download script](#step-1-generate-and-download-script-to-browse-and-recover-files). Right-click the executable file and run it with Administrator credentials. When prompted, type the password or paste the password from memory, and press Enter. Once the valid password is entered, the script connects to the recovery point.
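Review bot: The added note is vague about the requirement ("it might require that the system locale is in English") and is missing its closing period. If an English locale is a precondition, state it as one and consider listing it with the OS requirements in Step 3 rather than at the point where the script is run.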
baremetal-infrastructure Concepts Baremetal Infrastructure Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/baremetal-infrastructure/concepts-baremetal-infrastructure-overview.md
Title: What is BareMetal Infrastructure on Azure?
description: Provides an overview of the BareMetal Infrastructure on Azure. Previously updated : 05/27/2021 Last updated : 07/13/2021 # What is BareMetal Infrastructure on Azure?
-Microsoft Azure offers a cloud infrastructure with a wide range of integrated cloud services to meet your business needs. In some cases, though, you may need to run services on bare metal servers without a virtualization layer. You may need root access, and control over the operating system (OS). To meet such a need, Azure offers BareMetal Infrastructure for several high-value and mission-critical applications.
+Microsoft Azure offers a cloud infrastructure with a wide range of integrated cloud services to meet your business needs. In some cases, though, you may need to run services on bare metal servers without a virtualization layer. You may need root access and control over the operating system (OS). To meet this need, Azure offers BareMetal Infrastructure for several high-value, mission-critical applications.
-BareMetal Infrastructure is made up of dedicated BareMetal instances (compute instances). It features high-performance and application-appropriate storage (NFS, ISCSI, and Fiber Channel) and a set of function-specific virtual LANs (VLANs) in an isolated environment. Storage can be shared across BareMetal instances to enable features like scale-out clusters or high availability pairs with STONITH.
+BareMetal Infrastructure is made up of dedicated BareMetal instances (compute instances). It features:
+- High-performance storage appropriate to the application (NFS, ISCSI, and Fiber Channel). Storage can also be shared across BareMetal instances to enable features like scale-out clusters or high availability pairs with STONITH.
+- A set of function-specific virtual LANs (VLANs) in an isolated environment.
This environment also has special VLANs you can access if you're running virtual machines (VMs) on one or more Azure Virtual Networks (VNets) in your Azure subscription. The entire environment is represented as a resource group in your Azure subscription.
-BareMetal Infrastructure is offered in over 30 SKUs from 2-socket to 24-socket servers and memory ranging from 1.5 TB up to 24 TBs. A large set of SKUs is also available with Octane memory. Azure offers the largest range of bare metal instances in a hyperscale cloud.
+BareMetal Infrastructure is offered in over 30 SKUs from 2-socket to 24-socket servers and memory ranging from 1.5 TBs up to 24 TBs. A large set of SKUs is also available with Octane memory. Azure offers the largest range of bare metal instances in a hyperscale cloud.
## Why BareMetal Infrastructure?
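Review bot: The added line changes "1.5 TB" to "1.5 TBs", which pluralizes a unit symbol; "1.5 TB up to 24 TB" is the conventional form. The next sentence, carried over unchanged, says "Octane memory", which looks like a misspelling of Optane and could be fixed in the same edit.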
-Some central workloads in the enterprise are made up of technologies that just aren't designed to run in a typical virtualized cloud setting. They require special architecture, certified hardware, or extraordinarily large sizes. Although those technologies have the most sophisticated data protection and business continuity features, those features aren't built for the virtualized cloud. They're more sensitive to latencies, noisy neighbors, and require a lot more control over change management and maintenance activity.
+Some workloads in the enterprise are made up of technologies that just aren't designed to run in a typical virtualized cloud setting. They require special architecture, certified hardware, or extraordinarily large sizes. Although those technologies have the most sophisticated data protection and business continuity features, those features aren't built for the virtualized cloud. They're more sensitive to latencies and noisy neighbors and require more control over change management and maintenance activity.
BareMetal Infrastructure is built, certified, and tested for a select set of such applications. Azure was the first to offer such solutions, and has since lead with the largest portfolio and most sophisticated systems. ### BareMetal benefits
-BareMetal Infrastructure is intended for mission critical workloads that require certification to run your enterprise applications. The BareMetal instances are dedicated only to you, and you'll have full access (root access) to the operating system (OS). You manage OS and application installation according to your needs. For security, the instances are provisioned within your Azure Virtual Network (VNet) with no internet connectivity. Only services running on your virtual machines (VMs), and other Azure services in same Tier 2 network, can communicate with your BareMetal instances.
+BareMetal Infrastructure is intended for critical workloads that require certification to run your enterprise applications. The BareMetal instances are dedicated only to you, and you'll have full access (root access) to the operating system (OS). You manage OS and application installation according to your needs. For security, the instances are provisioned within your Azure Virtual Network (VNet) with no internet connectivity. Only services running on your virtual machines (VMs), and other Azure services in same Tier 2 network, can communicate with your BareMetal instances.
BareMetal Infrastructure offers these benefits:
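Review bot: The rewritten SKU sentence changes "1.5 TB" to "1.5 TBs", so the unit abbreviation is now pluralized twice in "1.5 TBs up to 24 TBs". Unit abbreviations normally stay singular, so suggest "from 1.5 TB up to 24 TB". In the new storage bullet, "ISCSI" is carried over from the old text and would read better as "iSCSI".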
BareMetal Infrastructure offers these benefits:
BareMetal Infrastructure offers multiple SKUs certified for specialized workloads. Use the workload-specific SKUs to meet your needs. - Large instances ΓÇô Ranging from two-socket to four-socket systems. -- Very Large instances ΓÇô Ranging from four-socket to twenty-socket systems.
+- Very Large instances ΓÇô Ranging from 4-socket to 20-socket systems.
BareMetal Infrastructure for specialized workloads is available in the following Azure regions: - West Europe
BareMetal Infrastructure for specialized workloads is available in the following
## Managing BareMetal instances in Azure
-Depending on your needs, the application topologies of BareMetal Infrastructure can be complex. You may deploy multiple instances, in one or more locations, with shared or dedicated storage and specialized LAN and WAN connections. So for BareMetal Infrastructure, Azure offers a consultative capture of that information by a CSA/GBB in the field in a provisioning portal.
+Depending on your needs, the application topologies of BareMetal Infrastructure can be complex. You may deploy multiple instances in one or more locations. The instances can have shared or dedicated storage, and specialized LAN and WAN connections. So for BareMetal Infrastructure, Azure offers a consultation by a CSA/GBB in the field to work with you.
By the time your BareMetal Infrastructure is provisioned, the OS, networks, storage volumes, placements in zones and regions, and WAN connections between locations are already pre-configured. You're set to register your OS licenses (BYOL), configure the OS, and install the application layer.
-You'll be able to see all the BareMetal resources, and their state and attributes, in the Azure portal. You can also operate the instances and open service requests and support tickets from there.
+You'll see all the BareMetal resources,and their state and attributes, in the Azure portal. You can also operate the instances and open service requests and support tickets from there.
## Operational model
The architecture shown is divided into three sections:
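Review bot: The added line "You'll see all the BareMetal resources,and their state and attributes" is missing the space after the comma. Suggest "You'll see all the BareMetal resources, and their state and attributes, in the Azure portal."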
## Next steps
-The next step is to learn how to identify and interact with BareMetal instances through the Azure portal.
+Learn how to identify and interact with BareMetal instances through the Azure portal.
> [!div class="nextstepaction"] > [Manage BareMetal instances through the Azure portal](connect-baremetal-infrastructure.md)
baremetal-infrastructure Connect Baremetal Infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/baremetal-infrastructure/connect-baremetal-infrastructure.md
Title: Connect BareMetal Infrastructure instances in Azure description: Learn how to identify and interact with BareMetal instances in the Azure portal or Azure CLI. Previously updated : 07/01/2021 Last updated : 07/13/2021 # Connect BareMetal Infrastructure instances in Azure
-This article shows how the [Azure portal](https://portal.azure.com/) displays [BareMetal instances](concepts-baremetal-infrastructure-overview.md). This article also shows you what you can do in the Azure portal with your deployed BareMetal Infrastructure instances.
+In this article, we'll show what you can do in the [Azure portal](https://portal.azure.com/) with your deployed BareMetal Infrastructure instances.
## Register the resource provider
-An Azure resource provider for BareMetal instances provides visibility of the instances in the Azure portal. By default, the Azure subscription you use for BareMetal instance deployments registers the *BareMetalInfrastructure* resource provider. If you don't see your deployed BareMetal instances, you must register the resource provider with your subscription.
+An Azure resource provider for BareMetal instances lets you see the instances in the Azure portal. By default, the Azure subscription you use for BareMetal instance deployments registers the *BareMetalInfrastructure* resource provider. If you don't see your deployed BareMetal instances, register the resource provider with your subscription.
-You can register the BareMetal instance resource provider by using the Azure portal or Azure CLI.
+You can register the BareMetal instance resource provider by using the Azure portal or Azure command-line interface (CLI).
### [Portal](#tab/azure-portal)
-You'll need to list your subscription in the Azure portal and then double-click on the subscription used to deploy your BareMetal instances.
+You'll need to list your subscription in the Azure portal and then double-click the subscription used to deploy your BareMetal instances.
1. Sign in to the [Azure portal](https://portal.azure.com).
You'll need to list your subscription in the Azure portal and then double-click
1. Select the subscription from the subscription list.
-1. Select **Resource providers** and enter **BareMetalInfrastructure** into the search. The resource provider should be **Registered**, as the image shows.
+1. Select **Resource providers** and enter **BareMetalInfrastructure** into search. The resource provider should be **Registered**, as the image shows.
>[!NOTE]
->If the resource provider is not registered, select **Register**.
+>If the resource provider isn't registered, select **Register**.
:::image type="content" source="media/connect-baremetal-infrastructure/register-resource-provider-azure-portal.png" alt-text="Screenshot showing the BareMetal instances registered.":::
For more information about resource providers, see [Azure resource providers and
## BareMetal instances in the Azure portal
-When you submit a BareMetal instance deployment request, you'll specify the Azure subscription that you're connecting to the BareMetal instances. Use the same subscription you use to deploy the application layer that works against the BareMetal instances.
+When you submit a BareMetal instance deployment request, specify the Azure subscription you're connecting to the BareMetal instances. Use the same subscription you use to deploy the application layer that works against the BareMetal instances.
-During the deployment of your BareMetal instances, a new [Azure resource group](../azure-resource-manager/management/manage-resources-portal.md) gets created in the Azure subscription you used in the deployment request. This new resource group lists all of the BareMetal instances you've deployed in that subscription.
+During the deployment of your BareMetal instances, a new [Azure resource group](../azure-resource-manager/management/manage-resources-portal.md) is created in the Azure subscription you used in the deployment request. This new resource group lists all BareMetal instances you've deployed in that subscription.
### [Portal](#tab/azure-portal)
-1. In the BareMetal subscription, in the Azure portal, select **Resource groups**.
+1. In the Azure portal, in the BareMetal subscription, select **Resource groups**.
:::image type="content" source="media/connect-baremetal-infrastructure/view-baremetal-instances-azure-portal.png" alt-text="Screenshot showing the list of Resource groups.":::
In the list of BareMetal instances, select the single instance you want to view.
:::image type="content" source="media/connect-baremetal-infrastructure/view-attributes-single-baremetal-instance.png" alt-text="Screenshot showing the BareMetal instance attributes of a single instance." lightbox="media/connect-baremetal-infrastructure/view-attributes-single-baremetal-instance.png":::
-The attributes in the image don't look much different than the Azure virtual machine (VM) attributes. On the left, you'll see the Resource group, Azure region, and subscription name and ID. If you assigned tags, then you'll see them here as well. By default, the BareMetal instances don't have tags assigned.
+The attributes in the image don't look much different than the Azure virtual machine (VM) attributes. On the left, you'll see the Resource group, Azure region, and subscription name and ID. If you assigned tags, you'll see them here as well. By default, the BareMetal instances don't have tags assigned.
On the right, you'll see the name of the BareMetal instance, operating system (OS), IP address, and SKU that shows the number of CPU threads and memory. You'll also see the power state and hardware version (revision of the BareMetal instance stamp). The power state indicates whether the hardware unit is powered on or off. The operating system details, however, don't indicate whether it's up and running.
The possible hardware revisions are:
>Rev 4.2 is the latest rebranded BareMetal Infrastructure using the existing Rev 4 architecture. Rev 4 provides closer proximity to the Azure virtual machine (VM) hosts. It has significant improvements in network latency between Azure VMs and SAP HANA instances. You can access and manage your BareMetal instances through the Azure portal. For more information, see [BareMetal Infrastructure on Azure](concepts-baremetal-infrastructure-overview.md).
-Also, on the right side, you'll find the [Azure proximity placement group's](../virtual-machines/co-location.md) name, which is created automatically for each deployed BareMetal instance. Reference the proximity placement group when you deploy the Azure VMs that host the application layer. When you use the proximity placement group associated with the BareMetal instance, you ensure that the Azure VMs get deployed close to the BareMetal instance.
+Also on the right side, you'll find the [Azure proximity placement group's](../virtual-machines/co-location.md) name. The placement group's name is created automatically for each deployed BareMetal instance. Reference the proximity placement group when you deploy the Azure VMs that host the application layer. Use the proximity placement group associated with the BareMetal instance to ensure the Azure VMs are deployed close to the BareMetal instance.
>[!TIP] >To locate the application layer in the same Azure datacenter as Revision 4.x, see [Azure proximity placement groups for optimal network latency](../virtual-machines/workloads/sap/sap-proximity-placement-scenarios.md).
You can check the activities of a single BareMetal instance. One of the main act
:::image type="content" source="media/connect-baremetal-infrastructure/check-activities-single-baremetal-instance.png" alt-text="Screenshot showing the BareMetal instance activities." lightbox="media/connect-baremetal-infrastructure/check-activities-single-baremetal-instance.png":::
-Changes to the instance's metadata in Azure also get recorded in the Activity log. Besides the restart initiated, you can see the activity of **Write BareMetallnstances**. This activity makes no changes on the BareMetal instance itself but documents the changes to the unit's metadata in Azure.
+Changes to the instance's metadata in Azure also get recorded in the Activity log. Besides the restart, you can see the activity of **Write BareMetalInstances**. This activity makes no changes on the BareMetal instance itself but documents the changes to the unit's metadata in Azure.
Another activity that gets recorded is when you add or delete a [tag](../azure-resource-manager/management/tag-resources.md) to an instance.
Another activity that gets recorded is when you add or delete a [tag](../azure-r
You can add Azure tags to a BareMetal instance or delete them. Tags get assigned just as they do when assigning tags to VMs. As with VMs, the tags exist in the Azure metadata. Tags have the same restrictions for BareMetal instances as for VMs.
-Deleting tags also works the same way as for VMs. Applying and deleting a tag is listed in the BareMetal instance's Activity log.
+Deleting tags also works the same way as for VMs. Both applying and deleting a tag is listed in the BareMetal instance's Activity log.
### [Azure CLI](#tab/azure-cli)
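Review bot: In the added tag sentence, "Both applying and deleting a tag is listed" pairs a compound subject with a singular verb. Suggest "Both applying and deleting a tag are listed in the BareMetal instance's Activity log", or keep the earlier wording without "Both".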
az baremetalinstance update --resource-group DSM05a-T550 --instance-name orcllab
## Check properties of an instance
-When you acquire the instances, you can go to the Properties section to view the data collected about the instances. Data collected includes the Azure connectivity, storage backend, ExpressRoute circuit ID, unique resource ID, and the subscription ID. You'll use this information in support requests or when setting up storage snapshot configuration.
+When you acquire the instances, you can go to the Properties section to view the data collected about the instances. Data collected includes:
+- Azure connectivity
+- Storage backend
+- ExpressRoute circuit ID
+- Unique resource ID
+- Subscription ID.
+
+You'll use this information in support requests or when setting up storage snapshot configuration.
Another critical piece of information you'll see is the storage NFS IP address. It isolates your storage to your **tenant** in the BareMetal instance stack. You'll use this IP address when you edit the [Configure Azure Application Consistent Snapshot tool](../azure-netapp-files/azacsnap-cmd-ref-configure.md).
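Review bot: The new bullet list ends with "- Subscription ID." while the four items above it carry no trailing period. Drop the period so the list is punctuated consistently.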
It takes up to five business days for a support representative to confirm your r
## Next steps
-Learn more about workloads:
+Learn more about workloads for BareMetal Infrastructure.
-- [What is SAP HANA on Azure (Large Instances)?](../virtual-machines/workloads/sap/hana-overview-architecture.md)
+> [!div class="nextstepaction"]
+> [What is SAP HANA on Azure (Large Instances)?](../virtual-machines/workloads/sap/hana-overview-architecture.md)
baremetal-infrastructure Know Baremetal Terms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/baremetal-infrastructure/know-baremetal-terms.md
Title: Know the terms of Azure BareMetal Infrastructure description: Know the terms of Azure BareMetal Infrastructure. Previously updated : 04/06/2021 Last updated : 07/13/2021 # Know the terms for BareMetal Infrastructure In this article, we'll cover some important terms related to the BareMetal Infrastructure. -- **Revision**: There are two different stamp revisions for BareMetal Infrastructure (HANA Large Instance) stamps. These differ in architecture and proximity to Azure virtual machine hosts:
+- **Revision**: There are two different stamp revisions for BareMetal Infrastructure (HANA Large Instance) stamps. These revisions differ in architecture and proximity to Azure virtual machine hosts:
- "Revision 3" (Rev 3): The original design deployed mid-2016. - "Revision 4.2" (Rev 4.2): A new design that provides closer proximity to Azure virtual machine hosts, with ultra-low network latency between Azure VMs and HANA Large Instances. Resources in the Azure portal are referred to as "BareMetal Infrastructure," and customers can access their resources as BareMetal instances from the Azure portal.
In this article, we'll cover some important terms related to the BareMetal Infra
## Next steps
-Now that you've been introduced to important terminology of the BareMetal Infrastructure, you may want to learn about:
-- More details of the [BareMetal Infrastructure](concepts-baremetal-infrastructure-overview.md).-- How to [Connect BareMetal Infrastructure instances in Azure](connect-baremetal-infrastructure.md).
+Learn more about BareMetal Infrastructure.
+> [!div class="nextstepaction"]
+> [BareMetal Infrastructure](concepts-baremetal-infrastructure-overview.md)
cognitive-services Speech Encryption Of Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/speech-encryption-of-data-at-rest.md
Previously updated : 08/28/2020 Last updated : 07/14/2021 #Customer intent: As a user of the Translator service, I want to learn how encryption at rest works.
In the meantime, when you use Custom Command, you can manage your subscription w
## Bring your own storage (BYOS) for customization and logging
-To request access to bring your own storage, fill out and submit theΓÇ»[Speech service - bring your own storage (BYOS) request form](https://aka.ms/cogsvc-cmk). Once approved, you'll need to create your own storage account to store the data required for customization and logging. When adding a storage account, the Speech service resource will enable a system assigned managed identity. After the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory (AAD). After being registered, the managed identity will be given access to the storage account. You can learn more about Managed Identities here. For more information about Managed Identity, see [What are managed identities](../../active-directory/managed-identities-azure-resources/overview.md).
+To request access to bring your own storage, fill out and submit theΓÇ»[Speech service - bring your own storage (BYOS) request form](https://aka.ms/cogsvc-cmk). Once approved, you'll need to create your own storage account to store the data required for customization and logging. When adding a storage account, the Speech service resource will enable a system assigned managed identity.
+
+> [!IMPORTANT]
+> The user account you use to create a Speech resource with BYOS functionality enabled should be assigned the [Owner role at the Azure subscription scope](../../cost-management-billing/manage/add-change-subscription-administrator.md#to-assign-a-user-as-an-administrator). Otherwise you will get an authorization error during the resource provisioning.
+
+After the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory (AAD). After being registered, the managed identity will be given access to the storage account. For more about managed identities, see [What are managed identities](../../active-directory/managed-identities-azure-resources/overview.md).
> [!IMPORTANT] > If you disable system assigned managed identities, access to the storage account will be removed. This will cause the parts of the Speech service that require access to the storage account to stop working.
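Review bot: The added IMPORTANT note asks for the Owner role at the Azure subscription scope but does not say which provisioning step needs it, which makes it hard for readers to apply least privilege. The paragraph added right after it says the managed identity "will be given access to the storage account"; if that access grant is the operation that fails with the authorization error, say so in the note, and state whether Owner on a narrower scope is enough or why it is not.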
communication-services Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/best-practices.md
Azure Communication Services will raise the `microphoneMuteUnexpectedly` call di
It's recommended to hang up the call ( `call.hangUp` ) when this situation occurs. ### Device management
-Developers should use SDK for device and media operations.
-- Application should use `DeviceManager.askDevicePermission` to get user consent to use devices-- Application should not use browser APIs like `getUserMedia` or `getDisplayMedia` to acquire streams outside of SDK. If it does so, please make sure it disposes stream before using DeviceManager or accessing any other device via ACS SDK.
+You can use the Azure Communication Services SDK to manage your devices and media operations.
+- Your application shouldn't use native browser APIs like `getUserMedia` or `getDisplayMedia` to acquire streams outside of the SDK. If you do, you'll have to manually dispose your media stream(s) before using `DeviceManager` or other device management APIs via the Communication Services SDK.
+
+### Request device permissions
+You can request device permissions using the SDK:
+- Your application should use `DeviceManager.askDevicePermission` to request access to audio and/or video devices.
+- If the user denies access, `DeviceManager.askDevicePermission` will return 'false' for a given device type (audio or video) on subsequent calls, even after the page is refreshed. In this scenario, your application must detect that the user previously denied access and instruct the user to manually reset or explicitly grant access to a given device type.
## Next steps For more information, see the following articles:
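Review bot: The second bullet under "Request device permissions" says the application "must detect that the user previously denied access" but gives no way to do that. Name the call or return value the application should check. The same bullet writes the return value as 'false' in quotation marks, which reads as a string; use `false` in code formatting if a boolean is meant.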
communication-services Sdk Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/chat/sdk-features.md
The following list presents the set of features which are currently available in
| | Get notified when participants are actively typing a message in a chat thread | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ | | | Get all messages in a chat thread | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | | | Send Unicode emojis as part of message content | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
+| | Add metadata to chat messages | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
+| | Add display name to typing indicator notification | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
|Real-time notifications (enabled by proprietary signaling package**)| Chat clients can subscribe to get real-time updates for incoming messages and other operations occurring in a chat thread. To see a list of supported updates for real-time notifications, see [Chat concepts](concepts.md#real-time-notifications) | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ | | Integration with Azure Event Grid | Use the chat events available in Azure Event Grid to plug custom notification services or post that event to a webhook to execute business logic like updating CRM records after a chat is finished | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | | Reporting </br>(This info is available under Monitoring tab for your Communication Services resource on Azure portal) | Understand API traffic from your chat app by monitoring the published metrics in Azure Metrics Explorer and set alerts to detect abnormalities | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
communication-services Pricing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/pricing.md
Azure Communication Services allow for adding voice/video calling and screen sha
### Pricing
-Calling and screen-sharing services are charged on a per minute per participant basis at $0.004 per participant per minute for group calls. To understand the various call flows that are possible, refer to [this page](./call-flows.md).
+Calling and screen-sharing services are charged on a per minute per participant basis at $0.004 per participant per minute for group calls. Azure Communication Services does not charge for data egress. To understand the various call flows that are possible, refer to [this page](./call-flows.md).
Each participant of the call will count in billing for each minute they're connected to the call. This holds true regardless of whether the user is video calling, voice calling, or screen-sharing.
Alice makes a PSTN Call from an app to Bob on his US phone number beginning with
- 1 participant on the VoIP leg (Alice) from App to Communication Services servers x 10 minutes x $0.004 per participant leg per minute = $0.04 - 1 participant on the PSTN outbound leg (Bob) from Communication Services servers to a US telephone number x 10 minutes x $0.013 per participant leg per minute = $0.13.
-Note: USA mixed rates to `+1-425` is $0.013. Refer to the following link for details: https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)
+> [!Note]
+> USA mixed rates to `+1-425` is $0.013. Refer to the following link for details: https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)
+ **Total cost for the call**: $0.04 + $0.13 = $0.17
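Review bot: The converted note keeps the stray closing parenthesis at the end of the rates URL ("communication-services-pstn-rates.csv)"), which has no opening parenthesis and can end up inside the link target when the URL is auto-linked. Remove it or turn the URL into a proper Markdown link. "USA mixed rates to `+1-425` is $0.013" should also agree in number, for example "The USA mixed rate to `+1-425` is $0.013."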
Alice makes an outbound call from an Azure Communication Services app to a telep
- 1 participant on the Communication Services direct routing outbound leg (Bob) from Communication Services servers to an SBC x 10 minutes x $0.004 per participant leg per minute = $0.04. **Total cost for the call**: $0.04 + $0.04 = $0.08
->[!Note]
->Azure Communication Services direct routing leg is not charged until 08/01/2021.
+
+> [!Note]
+> Azure Communication Services direct routing leg is not charged until 08/01/2021.
### Pricing example: Group audio call using JS SDK and one PSTN leg
communication-services Privacy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/privacy.md
Azure Communication Services is committed to helping our customers meet their pr
When creating an Communication Services resource, you specify a **geography** (not an Azure data center). All chat messages, and resource data stored by Communication Services at rest will be retained in that geography, in a data center selected internally by Communication Services. Data may transit or be processed in other geographies. These global endpoints are necessary to provide a high-performance, low-latency experience to end-users no matter their location.
+## Data collection
+
+Azure Communication Services only collects diagnostic data required to deliver the service.
+ ## Data residency and events Any Event Grid system topic configured with Azure Communication Services will be created in a global location. To support reliable delivery, a global Event Grid system topic may store the event data in any Microsoft data center. When you configure Event Grid with Azure Communication Services, you're delivering your event data to Event Grid, which is an Azure resource under your control. While Azure Communication Services may be configured to utilize Azure Event Grid, you're responsible for managing your Event Grid resource and the data stored within it.
communication-services Sdk Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/sdk-options.md
For more information, see the following SDK overviews:
To get started with Azure Communication -- [Create Azure Communication Resources](../quickstarts/create-communication-resource.md)
+- [Create an Azure Communication Services resource](../quickstarts/create-communication-resource.md)
- Generate [User Access Tokens](../quickstarts/access-tokens.md)
communication-services Teams Interop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/teams-interop.md
> [!IMPORTANT] > BYOI interoperability is in public preview and broadly available on request. To enable/disable [Teams tenant interoperability](../concepts/teams-interop.md), complete [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR21ouQM6BHtHiripswZoZsdURDQ5SUNQTElKR0VZU0VUU1hMOTBBMVhESS4u). >
-> Microsoft 365 authenticated interoperability is in private preview, and restricted using service controls to Azure Communication Services early adopters. To enable/disable the custom Teams endpoint experience, complete [this form](https://forms.office.com/r/B8p5KqCH19).
+> Microsoft 365 authenticated interoperability is in private preview, and restricted using service controls to Azure Communication Services early adopters. To join early access program, complete [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR8MfnD7fOYZEompFbYDoD4JUMkdYT0xKUUJLR001ODdQRk1ITTdOMlRZNSQlQCN0PWcu).
> > Preview APIs and SDKs are provided without a service-level agreement, and are not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
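Review bot: In the changed private preview sentence, "To join early access program" is missing an article. Suggest "To join the early access program, complete this form". The BYOI sentence above it still says "To enable/disable", so the two calls to action in this note now describe their forms differently; confirm that is intended.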
Your custom application should consider user authentication and other security m
Additional information on required dataflows for joining Teams meetings is available at the [client and server architecture page](client-and-server-architecture.md). The [Group Calling Hero Sample](../samples/calling-hero-sample.md) provides example code for joining a Teams meeting from a Web application. ## Microsoft 365 Teams identity
-Authenticating the end user's Microsoft 365 account and authorizing your application through Azure Active Directory allows for a deeper level of interoperability with Microsoft Teams. These applications can make calls and join meetings seamlessly on behalf of Microsoft 365 users. When interacting in a meeting or call, users of the native Teams app will observe your application's end users having the appropriate display name, profile picture, call history, and other Microsoft 365 attributes.
+Authenticating the end user's Microsoft 365 account and authorizing your application through Azure Active Directory allows for a deeper level of interoperability with Microsoft Teams. These applications can make calls and join meetings seamlessly on behalf of Microsoft 365 users. When interacting in a meeting or call, users of the native Teams app will observe your application's end users having the appropriate display name, profile picture, call history, and other Microsoft 365 attributes. Chat functionality is currently available via Graph API.
This identity model is ideal for augmenting a Teams deployment with a fully custom user experience. For example, an application can be used to answer phone calls on behalf of the end user's Teams provisioned PSTN number and have a user interface optimized for a receptionist or call center business process.
-Building an Azure Communication Services app that Microsoft 365 resources requires:
-1. Authentication of the end user's Microsoft 365 credentials
-2. Authorization from the end user
-3. Application authorization from the end user's Azure Active Directory tenant
+Building an Azure Communication Services app using Microsoft 365 identities requires:
+1. Azure Communication Services resource in Azure
+2. Azure Active Directory application
+3. Application authorization from the end-user or an admin in Azure Active Directory
+4. Authentication of the end user's Microsoft 365 identity
-Authentication and authorization of the end user is through [Microsoft Authentication Library flows (MSAL)](https://docs.microsoft.com/azure/active-directory/develop/msal-overview). The following diagram summarizes integrating your calling experiences with authenticated Teams interoperability:
+Authentication and authorization of the end-users are performed through [Microsoft Authentication Library flows (MSAL)](https://docs.microsoft.com/azure/active-directory/develop/msal-overview). The following diagram summarizes integrating your calling experiences with authenticated Teams interoperability:
![Process to enable calling feature for custom Teams endpoint experience](./media/teams-identities/teams-identity-calling-overview.png)
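Review bot: New requirement 3, "Application authorization from the end-user or an admin in Azure Active Directory", does not say when user consent is sufficient and when an admin has to consent, which is the detail a developer needs to plan the deployment. Add a sentence or a link that covers it. The hunk also mixes "end-user", "end-users" and "end user's"; pick one form.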
communication-services Direct Routing Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/telephony-sms/direct-routing-provisioning.md
If everything set up correctly, you should see exchange of OPTIONS messages betw
## Voice routing considerations
-Azure Communication services direct routing has a routing mechanism that allows a call to be sent to a specific Session Border Controller (SBC) based on the called number pattern.
+Azure Communication Services direct routing has a routing mechanism that allows a call to be sent to a specific Session Border Controller (SBC) based on the called number pattern.
When you add a direct routing configuration to a resource, all calls made from this resourceΓÇÖs instances (identities) will try a direct routing trunk first. The routing is based on a dialed number and a match in voice routes configured for the resource. If there is a match, the call goes through the direct routing trunk. If there is no match, the next step is to process the alternateCallerId parameter of callAgent.startCall method. If the resource is enabled for Voice Calling (PSTN) and has at least one number purchased from Microsoft, and if alternateCallerId matches one of a purchased number for the resource, the call is routed through the Voice Calling (PSTN) using Microsoft infrastructure. If alternateCallerId parameter does not match any of the purchased numbers, the call will fail. The diagram below demonstrates the Azure Communication Services voice routing logic. :::image type="content" source="../media/direct-routing-provisioning/voice-routing-diagram.png" alt-text="Communication Services outgoing voice routing.":::
communication-services Telephony Concept https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/telephony-sms/telephony-concept.md
For cloud calling, outbound calls are billed at per-minute rates depending on th
[!INCLUDE [Public Preview](../../includes/public-preview-include-document.md)]
-With this option, you can connect legacy on-premises telephony and your carrier of choice to Azure Communication services. It provides PSTN calling capabilities to your Communication Services application even if Voice Calling (PSTN) is not available in your country/region.
+With this option, you can connect legacy on-premises telephony and your carrier of choice to Azure Communication Services. It provides PSTN calling capabilities to your Communication Services application even if Voice Calling (PSTN) is not available in your country/region.
![Azure direct routing diagram.](../media/telephony-concept/sip-interface-diagram.png)
communication-services Calling Sdk Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/voice-video-calling/calling-sdk-features.md
The following table represents the set of supported browsers which are currently
| Platform | Chrome | Safari | Edge (Chromium) | Notes | | | | | | -- | | Android | ✔️ | ❌ | ❌ | Outgoing Screen Sharing is not supported. |
-| iOS | ❌ | ✔️ | ❌ | An iOS app on Safari can't enumerate/select mic and speaker devices (for example, Bluetooth); this is a limitation of the OS, and there's always only one device. Outgoing screen sharing is not supported. |
+| iOS | ❌ | ✔️ | ❌ | [An iOS app on Safari can't enumerate/select mic and speaker devices](https://docs.microsoft.com/azure/communication-services/concepts/known-issues#enumerating-devices-isnt-possible-in-safari-when-the-application-runs-on-ios-or-ipados) (for example, Bluetooth); this is a limitation of the OS, and there's always only one device, OS controls default device selection. Outgoing screen sharing is not supported. |
| macOS | ✔️ | ✔️ | ❌ | Safari 14+/macOS 11+ needed for outgoing video support. | | Windows | ✔️ | ❌ | ✔️ | | | Ubuntu/Linux | ✔️ | ❌ | ❌ | |
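Review bot: The clause added to the iOS row, "there's always only one device, OS controls default device selection", is a comma splice; suggest "there's always only one device, and the OS controls default device selection".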
communication-services Create Communication Resource https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/create-communication-resource.md
zone_pivot_groups: acs-plat-azp-azcli-net-ps
# Quickstart: Create and manage Communication Services resources
-Get started with Azure Communication Services by provisioning your first Communication Services resource. Communication services resources can be provisioned through the [Azure portal](https://portal.azure.com) or with the .NET management SDK. The management SDK and the Azure portal allow you to create, configure, update and delete your resources and interface with [Azure Resource Manager](../../azure-resource-manager/management/overview.md), Azure's deployment and management service. All functionality available in the SDKs is available in the Azure portal.
+Get started with Azure Communication Services by provisioning your first Communication Services resource. Communication Services resources can be provisioned through the [Azure portal](https://portal.azure.com) or with the .NET management SDK. The management SDK and the Azure portal allow you to create, configure, update and delete your resources and interface with [Azure Resource Manager](../../azure-resource-manager/management/overview.md), Azure's deployment and management service. All functionality available in the SDKs is available in the Azure portal.
> [!WARNING]
communication-services Handle Sms Events https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/telephony-sms/handle-sms-events.md
Get started with Azure Communication Services by using Azure Event Grid to handl
## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- An Azure Communication Service resource. Further details can be found in the [Create an Azure Communication Resource](../create-communication-resource.md) quickstart.
+- An Azure Communication Service resource. Further details can be found in the [Create an Azure Communication Services resource](../create-communication-resource.md) quickstart.
- An SMS enabled telephone number. [Get a phone number](./get-phone-number.md). ## Setting up
communication-services Chat Hero Sample https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/samples/chat-hero-sample.md
Below you'll find more information on prerequisites and steps to set up the samp
- [Node.js (8.11.2 and above)](https://nodejs.org/en/download/) - [Visual Studio (2017 and above)](https://visualstudio.microsoft.com/vs/) - [.NET Core 3.1](https://dotnet.microsoft.com/download/dotnet-core/3.1) (Make sure to install version that corresponds with your visual studio instance, 32 vs 64 bit)-- Create an Azure Communication Services resource. For details, see [Create an Azure Communication Resource](../quickstarts/create-communication-resource.md). You'll need to record your resource **connection string** for this quickstart.
+- Create an Azure Communication Services resource. For details, see [Create an Azure Communication Services resource](../quickstarts/create-communication-resource.md). You'll need to record your resource **connection string** for this quickstart.
## Locally deploying the service & client app
You can test the sample locally by opening multiple browser sessions with the UR
1. Open an instance of PowerShell, Windows Terminal, Command Prompt or equivalent and navigate to the directory that you'd like to clone the sample to. 2. `git clone https://github.com/Azure-Samples/communication-services-web-chat-hero.git`
-3. Get the `Connection String` from the Azure portal. For more information on connection strings, see [Create an Azure Communication Resources](../quickstarts/create-communication-resource.md)
+3. Get the `Connection String` from the Azure portal. For more information on connection strings, see [Create an Azure Communication Services resources](../quickstarts/create-communication-resource.md)
4. Once you get the `Connection String`, Add the connection string to the **Chat/appsettings.json** file found under the Chat folder. Input your connection string in the variable: `ResourceConnectionString`. ### Local run
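Review bot: The new link text in step 3 reads "Create an Azure Communication Services resources", which pairs a singular article with a plural noun; the prerequisite bullet changed earlier in this file uses "Create an Azure Communication Services resource", and step 3 should match it. Step 4 then has readers paste the connection string into **Chat/appsettings.json**, so a short reminder not to commit that file would fit here.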
communication-services Postman Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/tutorials/postman-tutorial.md
# Tutorial: Sign and make requests with Postman
-In this tutorial, we'll be setting up and using Postman to make a request against Azure Communication Services(ACS) services using HTTP. By the end of this tutorial, you'll have successfully sent an SMS message using ACS and Postman and be able to use Postman to explore other APIs within ACS.
+In this tutorial, we'll be setting up and using Postman to make a request against Azure Communication Services using HTTP. By the end of this tutorial, you'll have successfully sent an SMS message using Communication Services and Postman. You'll then be able to use Postman to explore other APIs within Azure Communication Services.
In this tutorial we'll be: > [!div class="checklist"] > * Downloading Postman > * Setting up Postman to sign HTTP Requests
-> * Making a request against ACS' SMS API to send a message.
+> * Making a request against the Communication Services SMS API to send a message.
## Prerequisites
Postman, can organize requests in many ways. For the purposes of this tutorial.
Once selected, click "Create new Collection", to start the collection creation process. A new tab will open in the center area of Postman. Name the collection whatever you'd like. Here the collection is named "ACS": Once your collection is created and named, you are ready to configure it. ### Adding collection variables
-To handle authentication and to make requests easier, we'll be specifying two collection variables within the newly created ACS collection. These variables are available to all requests within your ACS collection. To get started in creating variables, visit the Collection's Variable's Tab.
+To handle authentication and to make requests easier, we'll be specifying two collection variables within the newly created Communication Services collection. These variables are available to all requests within your Communication Services collection. To get started in creating variables, visit the Collection's Variable's Tab.
Once on the collection tab, create two variables: - key - This variable should be one of your keys from your Azure Communication Services' key page within the Azure portal. For example, `oW...A==`.
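Review bot: The `key` variable described here holds an access key, and the text just below tells readers to enter it in the "Initial Value" column; in Postman the initial value is what is synced with the workspace and travels with the collection when it is shared or exported, so the tutorial should direct the key to "Current Value" only. Separately, the changed line keeps "the Collection's Variable's Tab", which should read "the collection's Variables tab".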
Once on the collection tab, create two variables:
Enter these values into the "Initial Value" column of the variables screen. Once entered, press the "Persist All" button just above the table on the right. When configured correctly your Postman screen should look something like this: You can learn more about variables by reading [Postman's documentation on them](https://learning.postman.com/docs/sending-requests/variables). ### Creating a pre-request script
-The next step is to create a pre-request Script within Postman. A pre-request script, is a script that runs before each request in Postman and can modify or alter request parameters on your behalf. We'll be using this to sign our HTTP requests so that they can be authorized by ACS' Services. For more information about the Signing requirements, you can [read our guide on authentication](/rest/api/communication/authentication).
+The next step is to create a pre-request Script within Postman. A pre-request script, is a script that runs before each request in Postman and can modify or alter request parameters on your behalf. We'll be using this to sign our HTTP requests so that they can be authorized by Azure Communication Services. For more information about the Signing requirements, you can [read our guide on authentication](/rest/api/communication/authentication).
We'll be creating this script within the Collection such that it runs on any request within the collection. To do this, within the collection tab click the "Pre-request Script" Sub-Tab. On this Sub-Tab, you can create a pre-request script by entering it into the text area below. It may be easier to write this, within a full code editor such as [Visual Studio Code](https://code.visualstudio.com/) before pasting it in when complete. We'll be going through each part of the script in this tutorial. Feel free to skip to the end if you'd like to just copy it into Postman and get started. Let's start writing the script.
const url = pm.request.url.toString().replace('{{endpoint}}','');
const stringToSign = pm.request.method + '\n' + url + '\n' + dateStr + ';' + hostStr + ';' + hashedBodyStr; ```
-Lastly, we need to sign this string using our ACS key and then add that to our request in the `Authorization` header:
+Lastly, we need to sign this string using our Communication Services key and then add that to our request in the `Authorization` header:
```JavaScript // Decode our access key from previously created variables, into bytes from base64.
Once entered, press CTRL + S or press the save button this will save the script
## Creating a request in Postman
-Now that everything is set up, we're ready to create an ACS request within Postman. To get started click the plus(+) icon next to the ACS Collection:
+Now that everything is set up, we're ready to create a Communication Services request within Postman. To get started click the plus(+) icon next to the Communication Services Collection:
:::image type="content" source="media/postman/create-request.png" alt-text="Postman's plus button."::: This will create a new tab for our request within Postman. With it created we need to configure it. We'll be making a request against the SMS Send API so be sure to refer to the [documentation for this API for assistance](/rest/api/communication/sms/send). Let's configure Postman's request.
-Start by setting, the request type to `POST` and entering `{{endpoint}}/sms?api-version=2021-03-07` into the request URL field. This URL uses our previously created `endpoint` variable to automatically send it to your ACS Resource.
+Start by setting, the request type to `POST` and entering `{{endpoint}}/sms?api-version=2021-03-07` into the request URL field. This URL uses our previously created `endpoint` variable to automatically send it to your Communication Services resource.
:::image type="content" source="media/postman/post-request-and-url.png" alt-text="A Postman request, with the type set to POST and the URL set correctly.":::
In the text area below you'll need to enter a request body, it should be in the
} ```
-For the "from" value, you'll need to [get a telephone number](../quickstarts/telephony-sms/get-phone-number.md) in the ACS Portal as previously mentioned. Enter it without any spaces and prefixed by your country code. For example: `+15555551234`. Your "message" can be whatever you'd like to send but `Hello from ACS` is a good example. The "to" value should be a phone you have access to that can receive SMS messages. Using your own mobile is a good idea.
+For the "from" value, you'll need to [get a telephone number](../quickstarts/telephony-sms/get-phone-number.md) in the Azure Communication Services Portal as previously mentioned. Enter it without any spaces and prefixed by your country code. For example: `+15555551234`. Your "message" can be whatever you'd like to send but `Hello from ACS` is a good example. The "to" value should be a phone you have access to that can receive SMS messages. Using your own mobile is a good idea.
-Once entered, we need to save this request into the ACS Collection that we previously created. This will ensure that it picks up the variables and pre-request script that we previously created. To do, this click the "save" button in the top right of the request area.
+Once entered, we need to save this request into the Communication Services Collection that we previously created. This will ensure that it picks up the variables and pre-request script that we previously created. To do, this click the "save" button in the top right of the request area.
:::image type="content" source="media/postman/postman-save.png" alt-text="The save button for a Postman request.":::
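Review bot: The rename in the "from" paragraph turned "ACS Portal" into "Azure Communication Services Portal", but elsewhere the tutorial sends readers to "the Azure portal" for the resource's keys; use that name here too. The same line still suggests `Hello from ACS` as the sample message, and the next changed line keeps "To do, this click", which should be "To do this, click".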
-This will make a dialog window appear that asks you, what you'd like to call the request and where you'd like to save it. You can name it anything you'd like but ensure you select your ACS collection in the lower half of the dialog:
+This will make a dialog window appear that asks you, what you'd like to call the request and where you'd like to save it. You can name it anything you'd like but ensure you select your Communication Services collection in the lower half of the dialog:
## Sending a request
Now that everything is set up, you should be able to send the request and get an
:::image type="content" source="media/postman/postman-send.png" alt-text="A Postman request, with the Send button highlighted.":::
-If everything went well, you should now see the response from ACS, which should be 202 Status code:
+If everything went well, you should now see the response from Communication Services, which should be 202 Status code:
:::image type="content" source="media/postman/postman-202.png" alt-text="A Postman request, sent successfully with a 202 status code.":::
-The Mobile phone, which owns the number you provided in the "to" value, should also have received an SMS message. You've now got a working Postman set up, which can talk to ACS' Services and send SMS messages.
+The Mobile phone, which owns the number you provided in the "to" value, should also have received an SMS message. You now have a functional Postman configuration that can talk to Azure Communication Services and send SMS messages.
## Next steps > [!div class="nextstepaction"]
-> [Explore ACS APIs](/rest/api/communication/)
+> [Explore Azure Communication Services APIs](/rest/api/communication/)
> [Read more about Authentication](/rest/api/communication/authentication) > [Learn more about Postman](https://learning.postman.com/)
communication-services Trusted Service Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/tutorials/trusted-service-tutorial.md
Title: Build a trusted user access service using Azure Functions in Azure Communication Services
-description: Learn how to create a trusted user access service for Communication services with Azure Functions
+description: Learn how to create a trusted user access service for Communication Services with Azure Functions
cosmos-db Import Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/import-data.md
While the import tool includes a graphical user interface (dtui.exe), it can als
## <a id="Install"></a>Installation
-The migration tool source code is available on GitHub in [this repository](https://github.com/azure/azure-documentdb-datamigrationtool). You can download and compile the solution locally, or [download a pre-compiled binary](https://aka.ms/csdmtool), then run either:
+The migration tool source code is available on GitHub in [this repository](https://github.com/azure/azure-documentdb-datamigrationtool). You can download and compile the solution locally then run either:
* **Dtui.exe**: Graphical interface version of the tool * **Dt.exe**: Command-line version of the tool
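Review bot: With the pre-compiled binary link removed, the Installation paragraph now tells readers only to "download and compile the solution locally", with no build prerequisites and no pointer to build steps; add those, or say where an official build can be obtained, so readers are not left looking for executables elsewhere. The sentence also needs a comma: "compile the solution locally, then run either".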
cosmos-db Session State And Caching Provider https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/session-state-and-caching-provider.md
+
+ Title: Use Azure Cosmos DB as an ASP.NET session state and caching provider
+description: Learn how to use Azure Cosmos DB as an ASP.NET session state and caching provider
++++ Last updated : 07/14/2021++
+# Use Azure Cosmos DB as an ASP.NET session state and caching provider
+
+The Azure Cosmos DB session and cache provider allows you to use Azure Cosmos DB and leverage its low latency and global scale capabilities for storing session state data and as a distributed cache within your application.
+
+## What is session state?
+
+[Session state](/aspnet/core/fundamentals/app-state?view=aspnetcore-5.0#configure-session-state&preserve-view=true) is user data that tracks a user browsing through a web application during a period of time, within the same browser. The session state expires, and it's limited to the interactions a particular browser is having which does not extend across browsers. It is considered ephemeral data, if it is not present it will not break the application. However, when it exists, it makes the experience faster for the user because the web application does not need to fetch it on every browser request for the same user.
+
+It is often backed by some storage mechanism, that can in some cases, be external to the current web server and enable load-balancing requests of the same browser across multiple web servers to achieve higher scalability.
+
+The simplest session state provider is the in-memory provider that only stores data on the local web server memory and requires the application to use [Application Request Routing](/iis/extensions/planning-for-arr/using-the-application-request-routing-module). This makes the browser session sticky to a particular web server (all requests for that browser need to always land on the same web server). The provider works well on simple scenarios but the stickiness requirement can bring load-balancing problems when web applications scale.
+
+There are many external storage providers available, that can store the session data in a way that can be read and accessed by multiple web servers without requiring session stickiness and enable a higher scale.
+
+## Session state scenarios
+
+Cosmos DB can be used as a session state provider through the extension package [Microsoft.Extensions.Caching.Cosmos](https://www.nuget.org/packages/Microsoft.Extensions.Caching.Cosmos) uses the [Azure Cosmos DB .NET SDK](sql-api-sdk-dotnet-standard.md), using a Container as an effective session storage based on a key/value approach where the key is the session identifier.
+
+Once the package is added, you can use `AddCosmosCache` as part of your Startup process (services.AddSession and app.UseSession are [common initialization](/aspnet/core/fundamentals/app-state?view=aspnetcore-5.0#configure-session-stat&preserve-view=true) steps required for any session state provider):
+
+```csharp
+public void ConfigureServices(IServiceCollection services)
+{
+ /* Other service configurations */
+ services.AddCosmosCache((CosmosCacheOptions cacheOptions) =>
+ {
+ CosmosClientBuilder clientBuilder = new CosmosClientBuilder("myConnectionString")
+ .WithApplicationRegion("West US");
+ cacheOptions.ContainerName = "myContainer";
+ cacheOptions.DatabaseName = "myDatabase";
+ cacheOptions.ClientBuilder = clientBuilder;
+ /* Creates the container if it does not exist */
+ cacheOptions.CreateIfNotExists = true;
+ });
+
+ services.AddSession(options =>
+ {
+ options.IdleTimeout = TimeSpan.FromSeconds(3600);
+ options.Cookie.IsEssential = true;
+ });
+ /* Other service configurations */
+}
+
+public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+{
+ /* Other configurations */
+
+ app.UseSession();
+
+ /* app.UseEndpoints and other configurations */
+}
+```
+
+Where you specify the database and container you want the session state to be stored and optionally, create them if they don't exist.
+
+You can customize your SDK client configuration by using the `CosmosClientBuilder` or if your application is already using a `CosmosClient` for other operations with Cosmos DB, you can also inject it into the provider:
+
+```csharp
+services.AddCosmosCache((CosmosCacheOptions cacheOptions) =>
+{
+ cacheOptions.ContainerName = "myContainer";
+ cacheOptions.DatabaseName = "myDatabase";
+ cacheOptions.CosmosClient = preExistingClient;
+ /* Creates the container if it does not exist */
+ cacheOptions.CreateIfNotExists = true;
+});
+```
+
+After this, you can use ASP.NET Core sessions like with any other provider and use the HttpContext.Session object. Keep in mind to always try to load your session information asynchronously as per the [ASP.NET recommendations](/aspnet/core/fundamentals/app-state?view=aspnetcore-5.0#load-session-state-asynchronously&preserve-view=true).
+
+## Distributed cache scenarios
+
+Given that the Cosmos DB provider implements the [IDistributedCache interface to act as a distributed cache provider](/aspnet/core/performance/caching/distributed?view=aspnetcore-5.0&preserve-view=true), it can also be used for any application that requires distributed cache, not just for web application that require a performant and distributed session state provider.
+
+Distributed caches require data consistency to provide independent instances to be able to share that cached data. When using the Cosmos DB provider, you can:
+
+- Use your Cosmos DB account in **Session consistency** if you can enable [Application Request Routing](/iis/extensions/planning-for-arr/using-the-application-request-routing-module) and make requests sticky to a particular instance.
+- Use your Cosmos DB account in **Bounded Staleness or Strong consistency** without requiring request stickiness. This provides the greatest scale in terms of load distribution across your instances.
+
+To use the Cosmos DB provider as a distributed cache, it needs to be registered in `ConfiguredService`s with the `services.AddCosmosCache` call. Once that is done, any constructor in the application can ask for the cache by referencing `IDistributedCache` and it will receive the instance injected by [dependency injection](/dotnet/core/extensions/dependency-injection) to be used:
+
+```csharp
+public class MyBusinessClass
+{
+ private readonly IDistributedCache this.cache;
+
+ public MyBusinessClass(IDistributedCache cache)
+ {
+ this.cache = cache;
+ }
+
+ public async Task SomeOperationAsync()
+ {
+ string someCachedValue = await this.cache.GetAsync("someKey");
+ /* Use the cache */
+ }
+}
+```
+
+## Troubleshooting and diagnosing
+
+Since the Cosmos DB provider uses the .NET SDK underneath, all the existing [performance guidelines](performance-tips-dotnet-sdk-v3-sql.md) and [troubleshooting guides](troubleshoot-dot-net-sdk.md) apply to understanding any potential issue. Note, there is a distinct way to get access to the Diagnostics from the underlying Cosmos DB operations because they cannot be exposed through the IDistributedCache APIs.
+
+Registering the optional diagnostics delegate will allow you to capture and conditionally log any diagnostics to troubleshoot any cases like high latency:
+
+```csharp
+void captureDiagnostics(CosmosDiagnostics diagnostics)
+{
+ if (diagnostics.GetClientElapsedTime() > SomePredefinedThresholdTime)
+ {
+ Console.WriteLine(diagnostics.ToString());
+ }
+}
+
+services.AddCosmosCache((CosmosCacheOptions cacheOptions) =>
+{
+ cacheOptions.DiagnosticsHandler = captureDiagnostics;
+ /* other options */
+});
+```
+
+## Next steps
+- To find more details on the Azure Cosmos DB session and cache provider see the [source code on GitHub](https://github.com/Azure/Microsoft.Extensions.Caching.Cosmos/).
+- [Try out](https://github.com/Azure/Microsoft.Extensions.Caching.Cosmos/tree/master/sample) the Azure Cosmos DB session and cache provider by exploring a sample Explore an ASP.NET Core web application.
+- Read more about [distributed caches](/aspnet/core/performance/caching/distributed?view=aspnetcore-5.0&preserve-view=true) in .NET.
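Review bot: The `MyBusinessClass` sample under "Distributed cache scenarios" does not compile: `private readonly IDistributedCache this.cache;` is not a valid field declaration (drop `this.`), and `IDistributedCache.GetAsync` returns `byte[]`, so assigning the result to a `string` needs `GetStringAsync` instead. In the same section `ConfiguredService`s should be `ConfigureServices`. Under "Session state scenarios" the first sentence is broken ("through the extension package ... uses the ..."), the second app-state link uses the anchor `#configure-session-stat` where the earlier one uses `#configure-session-state`, and the startup sample passes a literal `"myConnectionString"` to `CosmosClientBuilder`, where reading the value from configuration or a secret store would set a better pattern for readers who copy it. The second "Next steps" bullet also repeats itself ("by exploring a sample Explore an ASP.NET Core web application").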
cosmos-db Sql Api Query Metrics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-api-query-metrics.md
See [Azure Cosmos DB global distribution](tutorial-global-distribution-sql-api.m
The section on query execution metrics explains how to retrieve the server execution time of queries ( `totalExecutionTimeInMs`), so that you can differentiate between time spent in query execution and time spent in network transit. ### Indexing policy
-See [Configuring indexing policy](index-policy.md) for indexing paths, kinds, and modes, and how they impact query execution. By default, the indexing policy uses Hash indexing for strings, which is effective for equality queries, but not for range queries/order by queries. If you need range queries for strings, we recommend specifying the Range index type for all strings.
+See [Configuring indexing policy](index-policy.md) for indexing paths, kinds, and modes, and how they impact query execution. By default, the indexing policy uses range indexing for strings, which is effective for equality queries. If you need range queries for strings, we recommend specifying the Range index type for all strings.
By default, Azure Cosmos DB will apply automatic indexing to all data. For high performance insert scenarios, consider excluding paths as this will reduce the RU cost for each insert operation. ## Query execution metrics
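Review bot: The rewritten "Indexing policy" sentence now conflicts with the one that follows it: it says the default policy already uses range indexing for strings, yet the next sentence still recommends "specifying the Range index type for all strings" when range queries are needed. Either drop that recommendation or state that the default range index also serves range and ORDER BY queries; as written, "effective for equality queries" reads as if range queries were not covered.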
-You can obtain detailed metrics on query execution by passing in the optional `x-ms-documentdb-populatequerymetrics` header (`FeedOptions.PopulateQueryMetrics` in the .NET SDK). The value returned in `x-ms-documentdb-query-metrics` has the following key-value pairs meant for advanced troubleshooting of query execution.
+You can obtain detailed metrics on query execution by passing in the optional `x-ms-documentdb-populatequerymetrics` header (`FeedOptions.PopulateQueryMetrics` in the .NET SDK). The value returned in `x-ms-documentdb-query-metrics` has the following key-value pairs meant for advanced troubleshooting of query execution.
```cs IDocumentQuery<dynamic> query = client.CreateDocumentQuery(
cost-management-billing Cost Management Billing Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/cost-management-billing-overview.md
description: You use Azure Cost Management + Billing features to conduct billing
keywords: Previously updated : 03/03/2021 Last updated : 07/13/2021
Recommendations show how you can optimize and improve efficiency by identifying
If you use external systems to access or review cost management data, you can easily export the data from Azure. And you can set a daily scheduled export in CSV format and store the data files in Azure storage. Then, you can access the data from your external system.
-### Cloudyn deprecation
-
-Cloudyn is an Azure service related to Cost Management that is being deprecated by the end of 2020. Existing Cloudyn features are being integrated directly into the Azure portal wherever possible. No new customers are being onboarded at this time, but support will remain for the product until it is fully deprecated.
-
### Additional Azure tools Azure has other tools that aren't a part of the Azure Cost Management + Billing feature set. However, they play an important role in the cost management process. To learn more about these tools, see the following links.
cost-management-billing Migrate Cost Management Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/costs/migrate-cost-management-api.md
Title: Migrate EA to Microsoft Customer Agreement APIs - Azure
description: This article helps you understand the consequences of migrating a Microsoft Enterprise Agreement (EA) to a Microsoft Customer Agreement. Previously updated : 07/24/2020 Last updated : 07/13/2021
The following items help you transition to MCA APIs.
- Update any programming code to [use Azure AD authentication](/rest/api/azure/#create-the-request). - Update any programming code to replace EA API calls with MCA API calls. - Update error handling to use new error codes.-- Review additional integration offerings, like Cloudyn and Power BI, for other needed action.
+- Review additional integration offerings like Power BI for other needed action.
## EA APIs replaced with MCA APIs
If you use any existing EA APIs, you need to update them to support MCA billing
| Purpose | Old offering | New offering | | | | |
-| Cloudyn | Cloudyn | [Azure Cost Management](https://azure.microsoft.com/services/cost-management/) |
| Power BI | [Microsoft Consumption Insights](/power-bi/desktop-connect-azure-consumption-insights) content pack and connector | [Azure Consumption Insights connector](/power-bi/desktop-connect-azure-consumption-insights) | ## APIs to get balance and credits
To get reservation summaries with the Reservation Summaries API:
| GET | `https://management.azure.com/providers/Microsoft.Consumption/reservationSummaries?api-version=2019-01-01` | -
-## Move from Cloudyn to Cost Management
-
-Organizations using Cloudyn should start using [Azure Cost Management](https://azure.microsoft.com/services/cost-management/) for any cost management needs. Cost Management is available in the Azure portal with no onboarding and an eight-hour latency. For more information, see the [Cost Management documentation](../index.yml).
-
-With Azure Cost Management, you can:
--- View costs over time against a predefined budget. Analyze daily cost patterns to identify and stop spending anomalies. Break down costs by tags, resource group, service, and location.-- Create budgets to set limits on usage and costs and get notified when important thresholds are approached. Set up automation with action groups to trigger custom events and enforce hard limits on your terms.-- Optimize cost and usage with recommendations from Azure Advisor. Discover purchase optimizations with reservations, downsize underused virtual machines, and delete unused resources to stay within budgets.-- Schedule a cost and usage data export to publish a CSV file to your storage account daily. Automate integration with external systems to keep billing data in sync and up to date.- ## Power BI integration You can also use Power BI for cost reporting. The [Azure Cost Management connector](/power-bi/desktop-connect-azure-cost-management) for Power BI Desktop can be used to create powerful, customized reports that help you better understand your Azure spend. The Azure Cost Management connector currently supports customers with either a Microsoft Customer Agreement or an Enterprise Agreement (EA).
cost-management-billing Open Support Request https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/costs/open-support-request.md
- Title: Create a support request for Cloudyn in Azure
-description: This article walks you through the steps needed to create a support request for Cloudyn.
-- Previously updated : 02/12/2020------
-# Create a support request for Cloudyn
-
-You can open a support request if you can't find the information you're looking for. Or, if you suspect a problem is a service disruption or bug. When you open a support ticket, make sure that open it for a single problem. Do so helps to quickly route the reported issue.
-
-## Open a support ticket
-
-1. Sign in to the Azure portal (https://portal.azure.com).
-2. On the top navigation bar, click **Help**.
-3. In the **Help** menu, click **Help + support**.
-4. In the Help + support menu under Support, click **New support request**.
-5. In the Basics area under Issue type, select **Billing**.
-6. Under Subscription, choose any listed subscription. The subscription that you choose isn't used for issue routing.
-7. Under Support plan, select your Azure Support Plan and then click **Next**.
-8. In the Problem area, select a **Severity** level to help determine response time.
-9. In **Problem type** select **Cloudyn Legacy**, and then select a **Category**.
-10. In the **Title** box, enter a title that describes your request.
-11. In the **Details** box, type additional information.
-12. For **When did the problem start?**, select an approximate date and time for and then click **Next**.
-14. In the **Contact information** area, select your preferred contact method and provide your contact information, then click **Create**.
-
-When the support ticket is created, it is added to the support queue. Response time varies, based on the Support Plan and Severity (business impact) of the issue. For more information, see [Support scope and responsiveness](https://azure.microsoft.com/support/plans/response/).
-
-If you want to create a billing support ticket for Cost Management, under **Problem type**, select **Azure Cost Management**.
-
-To check the status of an incident that you've filed, see [All support requests](../../azure-portal/supportability/how-to-manage-azure-support-request.md#view-support-requests).
-
-If you're a legacy Cloudyn user without an Azure account, you can open a support request at https://support.microsoft.com/oas/default.aspx?prid=16451.
--
-## Next steps
--- To learn more about Cloudyn, continue to the [Review usage and costs](../cloudyn/tutorial-review-usage.md) tutorial for Cloudyn.
cost-management-billing Understand Ea Roles https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/understand-ea-roles.md
Previously updated : 04/05/2021 Last updated : 07/06/2021
The following table shows the relationship between the Enterprise Agreement admi
|Enterprise Agreement admin role|View charges policy for role|Azure role|Pricing view| ||||| |Account Owner OR Department Admin|Γ£ö Enabled|Owner|Organization's EA pricing|
-|Account Owner OR Department Admin|Γ£ÿ Disabled|Owner|Retail pricing|
+|Account Owner OR Department Admin|Γ£ÿ Disabled|Owner|No pricing|
|Account Owner OR Department Admin|Γ£ö Enabled |none|No pricing| |Account Owner OR Department Admin|Γ£ÿ Disabled |none|No pricing|
-|None|Not applicable |Owner|Retail pricing|
+|None|Not applicable |Owner|No pricing|
You set the Enterprise admin role and view charges policies in the Enterprise portal. The Azure role can be updated in the Azure portal. For more information, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
data-factory Managed Virtual Network Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/managed-virtual-network-private-endpoint.md
To access on premises data sources from managed Virtual Network using Private En
- Canada East - Central India - Central US
+- China East2
+- China North2
- East Asia - East US - East US2
To access on premises data sources from managed Virtual Network using Private En
- South East Asia - Switzerland North - UAE North
+- US Gov Arizona
+- US Gov Texas
+- US Gov Virginia
- UK South - UK West - West Central US
digital-twins How To Create Azure Function https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-create-azure-function.md
description: See how to create a function in Azure that can access and be triggered by digital twins. Previously updated : 8/27/2020 Last updated : 7/14/2021
This article shows you how to create a function in Azure for use with Azure Digi
## Create a function app in Visual Studio
-In Visual Studio 2019, select **File** > **New** > **Project**. Search for the **Azure Functions** template. Select **Next**.
--
-Specify a name for the function app and then select __Create__.
--
-Select the function app type **Event Grid trigger** and then select __Create__.
--
-After your function app is created, Visual Studio generates a code sample in a *Function1.cs* file in your project folder. This short function is used to log events.
-
+For instructions on how to create a function app using Visual Studio, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#publish-to-azure).
## Write a function that has an Event Grid trigger
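Review bot: The link added under `## Create a function app in Visual Studio` targets `functions-develop-vs.md#publish-to-azure`, the same anchor used by the line added under `## Publish the function app to Azure`, so the create step sends readers to the publishing instructions. The equivalent step added in how-to-ingest-iot-hub-data.md links to `#create-an-azure-functions-project`; use that anchor here as well. The removed text also told readers to select the **Event Grid trigger** template, and the replacement sentence no longer says which trigger type to choose.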
Now that your application is written, you can publish it to Azure.
## Publish the function app to Azure
+For instructions on how to publish a function app, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#publish-to-azure).
### Verify the publication of your function
To access Azure Digital Twins, your function app needs a system-managed identity
## Set up security access for the function app
-You can set up security access for the function app by using either the Azure CLI or the Azure portal. Follow the steps for your preferred option.
-
-# [CLI](#tab/cli)
-
-Run these commands in [Azure Cloud Shell](https://shell.azure.com) or a [local Azure CLI installation](/cli/azure/install-azure-cli).
-You can use the function app's system-managed identity to give it the **Azure Digital Twins Data Owner** role for your Azure Digital Twins instance. The role gives the function app permission in the instance to perform data plane activities. Then make the URL of the instance accessible to your function by setting an environment variable.
-
-### Assign an access role
--
-The function skeleton in earlier examples requires a bearer token to be passed to it. If the bearer token isn't passed, the function app can't authenticate with Azure Digital Twins.
-
-To make sure the bearer token is passed, set up [managed identities](../active-directory/managed-identities-azure-resources/overview.md) permissions so the function app can access Azure Digital Twins. You set up these permissions only once for each function app.
--
-1. Use the following command to see the details of the system-managed identity for the function. Take note of the `principalId` field in the output.
-
- ```azurecli-interactive
- az functionapp identity show --resource-group <your-resource-group> --name <your-App-Service-function-app-name>
- ```
-
- >[!NOTE]
- > If the result is empty instead of showing identity details, create a new system-managed identity for the function by using this command:
- >
- >```azurecli-interactive
- >az functionapp identity assign --resource-group <your-resource-group> --name <your-App-Service-function-app-name>
- >```
- >
- > The output displays details of the identity, including the `principalId` value required for the next step.
-
-1. Use the `principalId` value in the following command to assign the function app's identity to the _Azure Digital Twins Data Owner_ role for your Azure Digital Twins instance.
-
- ```azurecli-interactive
- az dt role-assignment create --dt-name <your-Azure-Digital-Twins-instance> --assignee "<principal-ID>" --role "Azure Digital Twins Data Owner"
- ```
-
-### Configure application settings
-
-Make the URL of your instance accessible to your function by setting an environment variable for it. For more information about environment variables, see [Manage your function app](../azure-functions/functions-how-to-use-azure-function-app-settings.md?tabs=portal).
-
-> [!TIP]
-> The Azure Digital Twins instance's URL is made by adding *https://* to the beginning of your instance's host name. To see the host name, along with all the properties of your instance, run `az dt show --dt-name <your-Azure-Digital-Twins-instance>`.
-
-```azurecli-interactive
-az functionapp config appsettings set --resource-group <your-resource-group> --name <your-App-Service-function-app-name> --settings "ADT_SERVICE_URL=https://<your-Azure-Digital-Twins-instance-host-name>"
-```
-
-# [Azure portal](#tab/portal)
-
-Complete the following steps in the [Azure portal](https://portal.azure.com/).
-
-### Assign an access role
--
-A system-assigned managed identity enables Azure resources to authenticate to cloud services (for example, Azure Key Vault) without storing credentials in code. After you enable system-assigned managed identity, all necessary permissions can be granted through Azure role-based access control.
-
-The lifecycle of this type of managed identity is tied to the lifecycle of this resource. Additionally, each resource can have only one system-assigned managed identity.
-
-1. In the [Azure portal](https://portal.azure.com/), search for your function app by typing its name in the search box. Select your app from the results.
-
- :::image type="content" source="media/how-to-create-azure-function/portal-search-for-function-app.png" alt-text="Screenshot of the Azure portal. The function app's name is in the portal search bar, and the search result is highlighted.":::
-
-1. On the function app page, in the menu on the left, select __Identity__ to work with a managed identity for the function. On the __System assigned__ page, verify that the __Status__ is set to **On**. If it's not, set it now and then **Save** the change.
-
- :::image type="content" source="media/how-to-create-azure-function/verify-system-managed-identity.png" alt-text="Screenshot of the Azure portal. On the Identity page for the function app, the Status option is set to On." lightbox="media/how-to-create-azure-function/verify-system-managed-identity.png":::
-
-1. Select __Azure role assignments__.
-
- :::image type="content" source="media/how-to-create-azure-function/add-role-assignment-1.png" alt-text="Screenshot of the Azure portal. On the Azure Function's Identity page, under Permissions, the button Azure role assignments is highlighted." lightbox="media/how-to-create-azure-function/add-role-assignment-1.png":::
-
- Select __+ Add role assignment (Preview)__.
-
- :::image type="content" source="media/how-to-create-azure-function/add-role-assignment-2.png" alt-text="Screenshot of the Azure portal. On the Azure role assignments page, the button Add role assignment (Preview) is highlighted." lightbox="media/how-to-create-azure-function/add-role-assignment-2.png":::
-
-1. On the __Add role assignment (Preview)__ page, select the following values:
-
- * **Scope**: _Resource group_
- * **Subscription**: Select your Azure subscription.
- * **Resource group**: Select your resource group.
- * **Role**: _Azure Digital Twins Data Owner_
-
- Save the details by selecting __Save__.
-
- :::image type="content" source="media/how-to-create-azure-function/add-role-assignment-3.png" alt-text="Screenshot of the Azure portal, showing how to add a new role assignment. The dialog shows fields for Scope, Subscription, Resource group, and Role.":::
-
-### Configure application settings
-
-To make the URL of your Azure Digital Twins instance accessible to your function, you can set an environment variable. Application settings are exposed as environment variables to allow access to the Azure Digital Twins instance. For more information about environment variables, see [Manage your function app](../azure-functions/functions-how-to-use-azure-function-app-settings.md?tabs=portal).
-
-To set an environment variable with the URL of your instance, first find your instance's host name:
-
-1. Search for your instance in the [Azure portal](https://portal.azure.com).
-1. In the menu on the left, select __Overview__.
-1. Copy the __Host name__ value.
-
- :::image type="content" source="media/how-to-create-azure-function/instance-host-name.png" alt-text="Screenshot of the Azure portal. On the instance's Overview page, the host name value is highlighted.":::
-
-You can now create an application setting:
-
-1. In the portal search bar, search for your function app and then select it from the results.
-
- :::image type="content" source="media/how-to-create-azure-function/portal-search-for-function-app.png" alt-text="Screenshot of the Azure portal. The function app's name is being searched in the portal search bar. The search result is highlighted.":::
-
-1. On the left, select __Configuration__. Then on the __Application settings__ tab, select __+ New application setting__.
-
- :::image type="content" source="media/how-to-create-azure-function/application-setting.png" alt-text="Screenshot of the Azure portal. On the Configuration tab for the function app, the button to create a New application setting is highlighted.":::
-
-1. In the window that opens, use the host name value you copied to create an application setting.
- * **Name**: ADT_SERVICE_URL
- * **Value**: https://<your-Azure-Digital-Twins-host-name>
-
- Select __OK__ to create an application setting.
-
- :::image type="content" source="media/how-to-create-azure-function/add-application-setting.png" alt-text="Screenshot of the Azure portal. On the Add/Edit application setting page, the Name and Value fields are filled out. The O K button is highlighted.":::
-
-1. After you create the setting, it should appear on the __Application settings__ tab. Verify that **ADT_SERVICE_URL** appears on the list. Then save the new application setting by selecting __Save__.
-
- :::image type="content" source="media/how-to-create-azure-function/application-setting-save-details.png" alt-text="Screenshot of the Azure portal. On the application settings tab, the new A D T SERVICE URL setting and the Save button are both highlighted.":::
-
-1. Any changes to the application settings require an application restart, so select __Continue__ to restart your application when prompted.
-
- :::image type="content" source="media/how-to-create-azure-function/save-application-setting.png" alt-text="Screenshot of the Azure portal. A note states that any changes to application settings will restart your application.":::
-- ## Next steps
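Review bot: Removing both the CLI and portal tabs leaves `## Set up security access for the function app` with no body in the lines shown, followed directly by `## Next steps`, and no added line says where the role assignment and the `ADT_SERVICE_URL` setting are now documented. The context line above the heading still states that the function app needs a system-managed identity to access Azure Digital Twins, so keep at least a pointer to the steps that grant the **Azure Digital Twins Data Owner** role and set the instance URL. If the steps are restored, note that the removed portal tab assigned the role at **Resource group** scope while the CLI tab assigned it on the instance with `az dt role-assignment create --dt-name`; the two tabs should grant the same scope.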
digital-twins How To Ingest Iot Hub Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-ingest-iot-hub-data.md
When the twin is created successfully, the CLI output from the command should lo
In this section, you'll create an Azure function to access Azure Digital Twins and update twins based on IoT telemetry events that it receives. Follow the steps below to create and publish the function.
-#### Step 1: Create a function app project
+1. First, create a new function app project in Visual Studio. For instructions on how to do this, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#create-an-azure-functions-project).
-First, create a new function app project in Visual Studio. For instructions on how to do this, see the [Create a function app in Visual Studio](how-to-create-azure-function.md#create-a-function-app-in-visual-studio) section of the *How-to: Set up a function for processing data* article.
+2. Add the following packages to your project:
+ * [Azure.DigitalTwins.Core](https://www.nuget.org/packages/Azure.DigitalTwins.Core/)
+ * [Azure.Identity](https://www.nuget.org/packages/Azure.Identity/)
+ * [Microsoft.Azure.WebJobs.Extensions.EventGrid](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.EventGrid/)
-#### Step 2: Fill in function code
+3. Rename the *Function1.cs* sample function that Visual Studio has generated to *IoTHubtoTwins.cs*. Replace the code in the file with the following code:
-Add the following packages to your project:
-* [Azure.DigitalTwins.Core](https://www.nuget.org/packages/Azure.DigitalTwins.Core/)
-* [Azure.Identity](https://www.nuget.org/packages/Azure.Identity/)
-* [Microsoft.Azure.WebJobs.Extensions.EventGrid](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.EventGrid/)
+ :::code language="csharp" source="~/digital-twins-docs-samples/sdks/csharp/IoTHubToTwins.cs":::
-Rename the *Function1.cs* sample function that Visual Studio has generated to *IoTHubtoTwins.cs*. Replace the code in the file with the following code:
+ Save your function code.
+4. Publish the project with the *IoTHubtoTwins.cs* function to a function app in Azure. For instructions on how to do this, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#publish-to-azure).
-Save your function code.
+### Configure the function app
-#### Step 3: Publish the function app to Azure
+Next, **assign an access role** for the function and **configure the application settings** so that it can access your Azure Digital Twins instance.
-Publish the project with *IoTHubtoTwins.cs* function to a function app in Azure.
-
-For instructions on how to do this, see the section [Publish the function app to Azure](how-to-create-azure-function.md#publish-the-function-app-to-azure) of the *How-to: Set up a function for processing data* article.
-
-#### Step 4: Configure the function app
-
-Next, **assign an access role** for the function and **configure the application settings** so that it can access your Azure Digital Twins instance. For instructions on how to do this, see the section [Set up security access for the function app](how-to-create-azure-function.md#set-up-security-access-for-the-function-app) of the *How-to: Set up a function for processing data* article.
## Connect your function to IoT Hub
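Review bot: The added `### Configure the function app` paragraph tells the reader to assign an access role and configure the application settings, but the link to `how-to-create-azure-function.md#set-up-security-access-for-the-function-app` that carried those instructions is dropped and nothing replaces it in the lines shown. Keep a link, or name the role and the setting inline, so the step can be completed from this article. Separately, the four `#### Step N` headings became a numbered list of four items while this step became a `###` heading, so it reads as a detached section; consider making it item 5 or stating that it is required before `## Connect your function to IoT Hub`.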
digital-twins How To Ingest Opcua Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-ingest-opcua-data.md
Next, create a [shared access signature for the container](../storage/common/sto
In this section, you'll publish an Azure function that you downloaded in [Prerequisites](#prerequisites) that will process the OPC UA data and update Azure Digital Twins.
-#### Step 1: Open the function in Visual Studio
+1. Navigate to the downloaded [OPC UA to Azure Digital Twins](https://github.com/Azure-Samples/opcua-to-azure-digital-twins) project on your local machine, and into the *Azure Functions/OPCUAFunctions* folder. Open the **OPCUAFunctions.sln** solution in Visual Studio.
+2. Publish the project to a function app in Azure. For instructions on how to do this, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#publish-to-azure).
-Navigate to the downloaded [OPC UA to Azure Digital Twins](https://github.com/Azure-Samples/opcua-to-azure-digital-twins) project on your local machine, and into the *Azure Functions/OPCUAFunctions* folder. Open the **OPCUAFunctions.sln** solution in Visual Studio.
+#### Configure the function app
-#### Step 2: Publish the function
+Next, **assign an access role** for the function and **configure the application settings** so that it can access your Azure Digital Twins instance.
-Publish the function project to a function app in Azure.
-For instructions on how to do this, see the section [Publish the function app to Azure](how-to-create-azure-function.md#publish-the-function-app-to-azure) of the *How-to: Set up a function for processing data* article.
+#### Add application settings
-#### Step 3: Configure the function app
-
-**Assign an access role** for the function and **configure the application settings** so that it can access your Azure Digital Twins instance. For instructions on how to do this, see the section [Set up security access for the function app](how-to-create-azure-function.md#set-up-security-access-for-the-function-app) of the *How-to: Set up a function for processing data* article.
-
-#### Step 4: Add application settings
-
-You'll also need to add some application settings to fully set up your environment. Go to the [Azure portal](https://portal.azure.com) and navigate to your newly created Azure function by searching for its name in the portal search bar.
+You'll also need to add some application settings to fully set up your environment and the Azure function. Go to the [Azure portal](https://portal.azure.com) and navigate to your newly created Azure function by searching for its name in the portal search bar.
Select Configuration from the function's left navigation menu. Use the **+ New application setting** button to start creating new settings.
There are three application settings you need to create:
### Create event subscription
-Lastly, create an event subscription to connect your function app and ProcessOPCPublisherEventsToADT function to your IoT Hub. The event subscription is needed so that data can flow from the gateway device into IoT Hub through the function, which then updates Azure Digital Twins.
+Lastly, create an event subscription to connect your function app and *ProcessOPCPublisherEventsToADT* function to your IoT Hub. The event subscription is needed so that data can flow from the gateway device into IoT Hub through the function, which then updates Azure Digital Twins.
For instructions, follow the same steps used in [Connect the IoT hub to the Azure function](tutorial-end-to-end.md#connect-the-iot-hub-to-the-azure-function) from the Azure Digital Twins *Tutorial: Connect an end-to-end solution*.
The event subscription will have an Endpoint type of **Azure function**, and an
After this step, all required components should be installed and running. Data should be flowing from your OPC UA Simulation Server, through Azure IoT Hub, and into your Azure Digital Twins instance.
+### Verify completion
+
+In this section, you set up an Azure function to connect the OPC UA data to Azure Digital Twins. Verify that you've completed the following checklist:
+> [!div class="checklist"]
+> * Created and imported *opcua-mapping.json* file into a blob storage container.
+> * Published the sample function *ProcessOPCPublisherEventsToADT* to a function app in Azure.
+> * Added three new application settings to the Azure Functions app.
+> * Created an event subscription to send IoT Hub events to the function app.
+ The next section provides some Azure CLI commands that you can run to monitor the events and verify everything is working successfully.
-### Verify and monitor
+## Verify and monitor
The commands in this section can be run in the [Azure Cloud Shell](https://shell.azure.com), or in a [local Azure CLI window](/cli/azure/install-azure-cli).
Finally, you can use Azure Digital Twins Explorer to manually monitor twin prope
:::image type="content" source="media/how-to-ingest-opcua-data/adt-explorer-2.png" alt-text="Screenshot of using azure digital twins explorer to monitor twin property updates":::
-### Verify completion
-
-In this section, you set up an Azure function to connect the OPC UA data to Azure Digital Twins. Verify that you've completed the following checklist:
-> [!div class="checklist"]
-> * Created and imported *opcua-mapping.json* file into a blob storage container.
-> * Published the sample function ProcessOPCPublisherEventsToADT to a function app in Azure.
-> * Added three new application settings to the Azure Functions app.
-> * Created an event subscription to send IoT Hub events to the function app.
-> * Used Azure CLI commands to verify the final data flow
- ## Next steps In this article, you set up a full data flow for getting simulated OPC UA Server data into Azure Digital Twins, where it updates a property on a digital twin.
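Review bot: The relocated `### Verify completion` checklist has no item for the access role, although the added `#### Configure the function app` paragraph makes assigning one a required step for the function to reach the Azure Digital Twins instance. Add a checklist item for the role assignment, since the four listed items can all be complete while the function still cannot access the instance. Also check that `#### Configure the function app` and `#### Add application settings` still nest under the intended parent now that the surrounding `#### Step N` headings have become a numbered list.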
digital-twins How To Integrate Azure Signalr https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-integrate-azure-signalr.md
In this section, you will set up two Azure functions:
Start Visual Studio (or another code editor of your choice), and open the code solution in the *digital-twins-samples-master > ADTSampleApp* folder. Then do the following steps to create the functions:
-1. In the *SampleFunctionsApp* project, create a new C# class called **SignalRFunctions.cs**.
+1. In the *SampleFunctionsApp* project, create a new C# class called **SignalRFunctions.cs**. For instructions on how to do this, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#add-a-function-to-your-project).
1. Replace the contents of the class file with the following code:
Start Visual Studio (or another code editor of your choice), and open the code s
This should resolve any dependency issues in the class.
-1. Publish your function to Azure, using the steps described in the [Publish the app section](tutorial-end-to-end.md#publish-the-app) of the *Connect an end-to-end solution* tutorial. You can publish it to the same app service/function app that you used in the end-to-end tutorial [prerequisite](#prerequisites), or create a new oneΓÇöbut you may want to use the same one to minimize duplication.
+1. Publish your function to Azure. You can publish it to the same app service/function app that you used in the end-to-end tutorial [prerequisite](#prerequisites), or create a new oneΓÇöbut you may want to use the same one to minimize duplication. For instructions on how to publish a function using Visual Studio, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#publish-to-azure).
-Next, configure the functions to communicate with your Azure SignalR instance. You'll start by gathering the SignalR instance's **connection string**, and then add it to the functions app's settings.
+### Configure the function
+
+Next, configure the function to communicate with your Azure SignalR instance. You'll start by gathering the SignalR instance's **connection string**, and then add it to the functions app's settings.
1. Go to the [Azure portal](https://portal.azure.com/) and search for the name of your SignalR instance in the search bar at the top of the portal. Select the instance to open it. 1. Select **Keys** from the instance menu to view the connection strings for the SignalR service instance.
Next, configure the functions to communicate with your Azure SignalR instance. Y
:::image type="content" source="media/how-to-integrate-azure-signalr/output-app-setting.png" alt-text="Screenshot of the output in a command window, showing a list item called 'AzureSignalRConnectionString'.":::
-#### Connect the function to Event Grid
+## Connect the function to Event Grid
Next, subscribe the *broadcast* Azure function to the **event grid topic** you created during the [tutorial prerequisite](how-to-integrate-azure-signalr.md#prerequisites). This will allow telemetry data to flow from the thermostat67 twin through the event grid topic and to the function. From here, the function can broadcast the data to all the clients.
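Review bot: The sentence added under `### Configure the function` switches to the singular "configure the function", but the section sets up two Azure functions and the same sentence still ends with "the functions app's settings". Pick one form and apply it to the heading and the sentence. Also confirm that promoting `Connect the function to Event Grid` from `####` to `##` is intended, since it now sits outside the section that creates and configures the functions.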
digital-twins How To Manage Model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-model.md
Models aren't necessarily returned in exactly the document form they were upload
## Update models
+This section describes considerations and strategies for updating your models.
+
+### Before updating: Think in the context of your entire solution
+
+Before making updates to your models, it's recommended to think holistically about your entire solution and the impact of the model changes you're about to make. Models in an Azure Digital Twins solution are often interconnected, so it's important to be aware of cascading changes where updating one model requires updating several others. Updating models will impact the twins that use the models, and can also affect ingress and processing code, client applications, and automated reports.
+
+Here are some recommendations to help you manage your model transitions smoothly:
+* Instead of thinking in terms of individual models, consider evolving your entire model set when appropriate to keep models and their relationships up-to-date together.
+* Treat models like source code and manage them in source control. Apply the same rigor and attention to models and model changes that you apply to other code in your solution.
+
+When you're ready to proceed with updating your models, the rest of this section describes the strategies you can use to implement the updates.
+
+### Strategies for updating models
+ Once a model is uploaded to your Azure Digital Twins instance, the model interface is immutable, which means there's no traditional "editing" of models. Azure Digital Twins also doesn't allow reupload of the same exact model while a matching model is already present in the instance.
-Instead, if you want to make changes to a modelΓÇösuch as updating `displayName` or `description`, or adding and removing propertiesΓÇöyou'll need to replace the original model.
+Instead, if you want to make changes to a modelΓÇösuch as updating `displayName` or `description`, or adding and removing propertiesΓÇöyou'll need to replace the original model.
There are two strategies to choose from when replacing a model:
-* [Option 1: Upload new model version](#option-1-upload-new-model-version): Upload the model, with a new version number, and update your twins to use that new model. Both the new and old versions of the model will exist in your instance until you delete one.
+* [Strategy 1: Upload new model version](#strategy-1-upload-new-model-version): Upload the model, with a new version number, and update your twins to use that new model. Both the new and old versions of the model will exist in your instance until you delete one.
- **Use this strategy when** you want to update only some of your twins that use the model, or when you want to make sure twins stay conformant with their models and writable through the model transition.
-* [Option 2: Delete old model and reupload](#option-2-delete-old-model-and-reupload): Delete the original model and upload the new model with the same name and ID (DTMI value) in its place. Completely replaces the old model with the new one.
+* [Strategy 2: Delete old model and reupload](#strategy-2-delete-old-model-and-reupload): Delete the original model and upload the new model with the same name and ID (DTMI value) in its place. Completely replaces the old model with the new one.
- **Use this strategy when** you want to update all twins that use this model at once, as well as all code reacting to the models. If your model update contains a breaking change with the model update, twins will be nonconformant with their models for a short time while you're transitioning them from the old model to the new one, meaning that they won't be able to take any updates until the new model is uploaded and the twins conform to it. >[!NOTE] > Making breaking changes to your models is discouraged outside of development.
-### Option 1: Upload new model version
+Continue to the next sections to read more about each strategy option in detail.
+
+### Strategy 1: Upload new model version
This option involves creating a new version of the model and uploading it to your instance.
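Review bot: the rename from "Option" to "Strategy" is incomplete in this hunk. The unchanged sentence under the new "### Strategy 1" heading still opens with "This option involves creating a new version", and the added transition sentence says "each strategy option". Use "strategy" in both places so the terminology matches the new headings and link text.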
You can also [delete](#deletion) the old model completely if you don't want it i
The sections linked above contain example code and considerations for decommissioning and deleting models.
-### Option 2: Delete old model and reupload
+### Strategy 2: Delete old model and reupload
Instead of incrementing the version of a model, you can delete a model completely and reupload an edited model to the instance.
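Review bot: renaming the headings from "Option 1/2" to "Strategy 1/2" changes their anchors to #strategy-1-upload-new-model-version and #strategy-2-delete-old-model-and-reupload. The two in-page links are updated in this change, but any link from another article to the old #option-... anchors would now break, so search the docset for them before merging.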
digital-twins How To Provision Using Device Provisioning Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-provision-using-device-provisioning-service.md
Inside your function app project that you created in the [Prerequisites section]
Start by opening the function app project in Visual Studio on your machine and follow the steps below.
-#### Step 1: Add a new function
+1. First, create a new function of type *HTTP-trigger* in the function app project in Visual Studio. For instructions on how to do this, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#add-a-function-to-your-project).
-Add a new function of type *HTTP-trigger* to the function app project in Visual Studio.
+2. Add a new NuGet package to the project: [Microsoft.Azure.Devices.Provisioning.Service](https://www.nuget.org/packages/Microsoft.Azure.Devices.Provisioning.Service/). You might need to add more packages to your project as well, if the packages used in the code aren't part of the project already.
+3. In the newly created function code file, paste in the following code, rename the function to *DpsAdtAllocationFunc.cs*, and save the file.
-#### Step 2: Fill in function code
+ :::code language="csharp" source="~/digital-twins-docs-samples-dps/functions/DpsAdtAllocationFunc.cs":::
-Add a new NuGet package to the project: [Microsoft.Azure.Devices.Provisioning.Service](https://www.nuget.org/packages/Microsoft.Azure.Devices.Provisioning.Service/). You might need to add more packages to your project as well, if the packages used in the code aren't part of the project already.
+4. Publish the project with the *DpsAdtAllocationFunc.cs* function to a function app in Azure. For instructions on how to do this, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#publish-to-azure).
-In the newly created function code file, paste in the following code, rename the function to *DpsAdtAllocationFunc.cs*, and save the file.
--
-#### Step 3: Publish the function app to Azure
-
-Publish the project with *DpsAdtAllocationFunc.cs* function to the function app in Azure.
-
+> [!IMPORTANT]
+> When creating the function app for the first time in the [Prerequisites section](#prerequisites), you may have already assigned an access role for the function and configured the application settings for it to access your Azure Digital Twins instance. These need to be done once for the entire function app, so verify they've been completed in your app before continuing. You can find instructions in the [Set up security access for the function app](how-to-create-azure-function.md#set-up-security-access-for-the-function-app) section of the *How-to: Set up a function in Azure to process data* article.
### Create Device Provisioning enrollment
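Review bot: step 3 says to "rename the function to *DpsAdtAllocationFunc.cs*", but that is a file name; say "rename the file" or drop the extension. The added [!IMPORTANT] note also rests on "you may have already assigned an access role", which leaves the reader guessing what to check. State which role assignment and which application settings to verify, or say explicitly that the linked section lists them, so the function is not published without the access configuration it needs.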
For more about lifecycle events, see [IoT Hub Non-telemetry events](../iot-hub/i
Start by opening the function app project in Visual Studio on your machine and follow the steps below.
-#### Step 1: Add a new function
-
-Add a new function of type *Event Hub Trigger* to the function app project in Visual Studio.
-
+1. First, create a new function of type *Event Hub Trigger* in the function app project in Visual Studio. For instructions on how to do this, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#add-a-function-to-your-project).
-#### Step 2: Fill in function code
+2. Add a new NuGet package to the project: [Microsoft.Azure.Devices.Provisioning.Service](https://www.nuget.org/packages/Microsoft.Azure.Devices.Provisioning.Service/). You might need to add more packages to your project as well, if the packages used in the code aren't part of the project already.
-In the newly created function code file, paste in the following code, rename the function to `DeleteDeviceInTwinFunc.cs`, and save the file.
+3. In the newly created function code file, paste in the following code, rename the function to *DeleteDeviceInTwinFunc.cs*, and save the file.
+ :::code language="csharp" source="~/digital-twins-docs-samples-dps/functions/DeleteDeviceInTwinFunc.cs":::
-#### Step 3: Publish the function app to Azure
+4. Publish the project with the *DeleteDeviceInTwinFunc.cs* function to a function app in Azure. For instructions on how to do this, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#publish-to-azure).
-Publish the project with *DeleteDeviceInTwinFunc.cs* function to the function app in Azure.
-
+> [!IMPORTANT]
+> When creating the function app for the first time in the [Prerequisites section](#prerequisites), you may have already assigned an access role for the function and configured the application settings for it to access your Azure Digital Twins instance. These need to be done once for the entire function app, so verify they've been completed in your app before continuing. You can find instructions in the [Set up security access for the function app](how-to-create-azure-function.md#set-up-security-access-for-the-function-app) section of the *How-to: Set up a function in Azure to process data* article.
### Create an IoT Hub route for lifecycle events
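Review bot: new step 2 adds the Microsoft.Azure.Devices.Provisioning.Service package for the Event Hub trigger function, but the removed version of this procedure had no package step at all. Confirm that DeleteDeviceInTwinFunc.cs actually needs this package and that the step was not copied over from the DpsAdtAllocationFunc procedure. The [!IMPORTANT] note is also a verbatim copy of the one added earlier in this article; a shared include would keep the two from drifting apart.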
event-grid Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/overview.md
Currently, the following Azure services support sending events to Event Grid. Fo
- [Azure SignalR](event-schema-azure-signalr.md) - [Azure subscriptions](event-schema-subscriptions.md) - [Azure Cache for Redis](event-schema-azure-cache.md)
+- [Azure Kubernetes Service (preview)](event-schema-aks.md)
## Event handlers
frontdoor Front Door Custom Domain Https https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/frontdoor/front-door-custom-domain-https.md
na ms.devlang: na Previously updated : 06/10/2021 Last updated : 07/14/2021 #Customer intent: As a website owner, I want to enable HTTPS on the custom domain in my Front Door so that my users can use my custom domain to access their content securely.
webmaster@&lt;your-domain-name.com&gt;
hostmaster@&lt;your-domain-name.com&gt; postmaster@&lt;your-domain-name.com&gt;
-You should receive an email in a few minutes, similar to the following example, asking you to approve the request. If you are using a spam filter, add admin@digicert.com to its allowlist. If you don't receive an email within 24 hours, contact Microsoft support.
+You should receive an email in a few minutes, similar to the following example, asking you to approve the request. If you are using a spam filter, add no-reply@digitalcertvalidation.com to its allowlist. If you don't receive an email within 24 hours, contact Microsoft support.
When you select the approval link, you're directed to an online approval form. Follow the instructions on the form; you have two verification options:
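Review bot: the added line silently swaps the sender to allowlist from admin@digicert.com to no-reply@digitalcertvalidation.com, and the next line tells the reader to select an approval link in that email. Readers who followed the earlier text have only the old address allowlisted, and an approval mail from an unfamiliar domain is easy to mistake for phishing or lose to a filter. State explicitly that the validation email now comes from the new address.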
frontdoor Front Door Routing Methods https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/frontdoor/front-door-routing-methods.md
ms.devlang: na
na Previously updated : 09/28/2020 Last updated : 07/14/2021
There are four traffic routing methods available in Front Door:
* **[Latency](#latency):** The latency-based routing ensures that requests are sent to the lowest latency backends acceptable within a sensitivity range. Basically, your user requests are sent to the "closest" set of backends in respect to network latency. * **[Priority](#priority):** You can assign priorities to your backends when you want to configure a primary backend to service all traffic. The secondary backend can be a backup in case the primary backend becomes unavailable.
-* **[Weighted](#weighted):** You can assign weights to your backends when you want to distribute traffic across a set of backends. Whether you want to evenly distribute or according to the weight coefficients.
+* **[Weighted](#weighted):** You can assign weights to your backends when you want to distribute traffic across a set of backends evenly or according to the weight coefficients. Traffic is distributed as per weights if the latencies of the backends are within the acceptable latency sensitivity range in the backend pool.
* **[Session Affinity](#affinity):** You can configure session affinity for your frontend hosts or domains to ensure requests from the same end user gets sent to the same backend. All Front Door configurations include monitoring of backend health and automated instant global failover. For more information, see [Front Door Backend Monitoring](front-door-health-probes.md). Your Front Door can work based off of a single routing method. But depending on your application needs, you can also combine multiple routing methods to build an optimal routing topology.
Below is the overall decision flow:
| First, select all backends that are enabled and returned healthy (200 OK) for the health probe. If there are six backends A, B, C, D, E, and F, and among them C is unhealthy and E is disabled. The list of available backends is A, B, D, and F. | Next, the top priority backends among the available ones are selected. If backend A, B, and D have priority 1 and backend F has a priority of 2. Then, the selected backends will be A, B, and D.| Select the backends with latency range (least latency & latency sensitivity in ms specified). If backend A is 15 ms, B is 30 ms and D is 60 ms away from the Front Door environment where the request landed, and latency sensitivity is 30 ms, then the lowest latency pool consist of backend A and B, because D is beyond 30 ms away from the closest backend that is A. | Lastly, Front Door will round robin the traffic among the final selected pool of backends in the ratio of weights specified. Say, if backend A has a weight of 5 and backend B has a weight of 8, then the traffic will be distributed in the ratio of 5:8 among backends A and B. | >[!NOTE]
-> By default, the latency sensitivity property is set to 0 ms, that is, always forward the request to the fastest available backend.
+> By default, the latency sensitivity property is set to 0 ms, that is, request is always forwarded to the fastest available backend and weights on the backends will not take effect unless two backends have the same network latency.
## <a name = "priority"></a>Priority-based traffic-routing
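Review bot: in the added [!NOTE] text, "that is, request is always forwarded" is missing an article ("the request is always forwarded"). The consequence it states, that weights have no effect at the default 0 ms latency sensitivity unless two backends have the same network latency, is easy to miss in a note under the decision flow. Repeat it in or link it from the Weighted bullet, which now only says weights apply "if the latencies of the backends are within the acceptable latency sensitivity range".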
healthcare-apis Use Smart On Fhir Proxy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/healthcare-apis/fhir/use-smart-on-fhir-proxy.md
After you complete these steps, you should have:
- A FHIR server with rge audience set to `https://MYFHIRAPI.azurehealthcareapis.com`, where `MYFHIRAPI` is the name of your Azure API for FHIR instance. - A public client application registration. Make a note of the application ID for this client application.
+### Set admin consent for your app
+
+To use SMART on FHIR, you must first authenticate and authorize the app. The first time you use SMART on FHIR, you also must get administrative consent to let the app access your FHIR resources.
+
+If you don't have an ownership role in the app, contact the app owner and ask them to grant admin consent for you in the app.
+
+If you do have administrative privileges, complete the following steps to grant admin consent to yourself directly. (You also can grant admin consent to yourself later when you are prompted in the app.) You can complete the same steps to add other users as owners, so they can view and edit this app registration.
+
+To add yourself or another user as owner of an app:
+
+1. In the Azure portal, go to Azure Active Directory.
+1. In the left menu, select **App Registration**.
+1. Search for the app registration you created, and then select it.
+1. In the left menu, under **Manage**, select **Owners**.
+1. Select **Add owners**, and then add yourself or the user you want to have admin consent.
+1. Select **Save**.
+ ## Enable the SMART on FHIR proxy Enable the SMART on FHIR proxy in the **Authentication** settings for your Azure API for FHIR instance by selecting the **SMART on FHIR proxy** check box:
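Review bot: the new section is titled "Set admin consent for your app", but its numbered steps add an owner to the app registration and never show where consent is granted. The two are mixed together in "add yourself or the user you want to have admin consent". As the text itself says, owners can "view and edit this app registration", which is broader than consenting to access FHIR resources, so making users owners just to get consent over-grants. Separate the two tasks, say who should be an owner, and add the actual consent step. The menu item in step 2 is also labelled "App registrations" in the portal.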
iot-accelerators Iot Accelerators Connected Factory Customize https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-accelerators/iot-accelerators-connected-factory-customize.md
> [!IMPORTANT] > While we update this article, see [Azure Industrial IoT](https://azure.github.io/Industrial-IoT/) for the most up to date content.
-The Connected Factory solution aggregates and displays data from the OPC UA servers connected to the solution. You can browse and send commands to the OPC UA servers in your solution. For more information about OPC UA, see the [Connected Factory FAQ](iot-accelerators-faq-cf.md).
+The Connected Factory solution aggregates and displays data from the OPC UA servers connected to the solution. You can browse and send commands to the OPC UA servers in your solution. For more information about OPC UA, see the [Connected Factory FAQ](iot-accelerators-faq-cf.yml).
Examples of aggregated data in the solution include the Overall Equipment Efficiency (OEE) and Key Performance Indicators (KPIs) that you can view in the dashboard at the factory, line, and station levels. The following screenshot shows the OEE and KPI values for the **Assembly** station, on **Production line 1**, in the **Munich** factory:
The **azure-iot-connected-factory** repository includes a **build.ps1** PowerShe
Learn more about the Connected Factory solution accelerator by reading the following articles: * [Permissions on the azureiotsolutions.com site][lnk-permissions]
-* [Connected Factory FAQ](iot-accelerators-faq-cf.md)
+* [Connected Factory FAQ](iot-accelerators-faq-cf.yml)
* [FAQ][lnk-faq]
Learn more about the Connected Factory solution accelerator by reading the follo
[lnk-permissions]: iot-accelerators-permissions.md
-[lnk-faq]: iot-accelerators-faq.md
+[lnk-faq]: iot-accelerators-faq.yml
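Review bot: all three link targets here change from .md to .yml (two inline links to iot-accelerators-faq-cf.yml and the [lnk-faq] reference), but the .yml files are not part of the visible change while the .md files are deleted further down. Confirm the .yml files land in the same commit, and check whether other articles still link to the .md paths.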
iot-accelerators Iot Accelerators Faq Cf https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-accelerators/iot-accelerators-faq-cf.md
- Title: Connected Factory solution FAQ - Azure | Microsoft Docs
-description: This article answers the frequently asked questions for the Connected Factory solution accelerator. It includes links to the GitHub repository.
----- Previously updated : 12/12/2017---
-# Frequently asked questions for Connected Factory solution accelerator
-
-See also, the general [FAQ](iot-accelerators-faq.md) for IoT solution accelerators.
-
-### Where can I find the source code for the solution accelerator?
-
-The source code is stored in the following GitHub repository:
-
-* [Connected Factory solution accelerator](https://github.com/Azure/azure-iot-connected-factory)
-
-### What is OPC UA?
-
-OPC Unified Architecture (UA), released in 2008, is a platform-independent, service-oriented interoperability standard. OPC UA is used by various industrial systems and devices such as industry PCs, PLCs, and sensors. OPC UA integrates the functionality of the OPC Classic specifications into one extensible framework with built-in security. It is a standard that is driven by the OPC Foundation. The [OPC Foundation](https://opcfoundation.org/) is a not-for-profit organization with more than 440 members. The goal of the organization is to use OPC specifications to facilitate multi-vendor, multi-platform, secure and reliable interoperability through:
-
-* Infrastructure
-* Specifications
-* Technology
-* Processes
-
-### Why did Microsoft choose OPC UA for the Connected Factory solution accelerator?
-
-Microsoft chose OPC UA because it is an open, non-proprietary, platform independent, industry-recognized, and proven standard. It is a requirement for Industrie 4.0 (RAMI4.0) reference architecture solutions ensuring interoperability between a broad set of manufacturing processes and equipment. Microsoft sees demand from its customers to build Industrie 4.0 solutions. Support for OPC UA helps lower the barrier for customers to achieve their goals and provides immediate business value to them.
-
-### How do I add a public IP address to the simulation VM?
-
-You have two options to add the IP address:
-
-* Use the PowerShell script `Simulation/Factory/Add-SimulationPublicIp.ps1` in the [repository](https://github.com/Azure/azure-iot-connected-factory). Pass in your deployment name as a parameter. For a local deployment, use `<your username>ConnFactoryLocal`. The script prints out the IP address of the VM.
-
-* In the Azure portal, locate the resource group of your deployment. Except for a local deployment, the resource group has the name you specified as solution or deployment name. For a local deployment using the build script, the name of the resource group is `<your username>ConnFactoryLocal`. Now add a new **Public IP address** resource to the resource group.
-
-> [!NOTE]
-> In either case, ensure you install the latest patches by following the instructions on the [Ubuntu website](https://wiki.ubuntu.com/Security/Upgrades). Keep the installation up to date for as long as your VM is accessible through a public IP address.
-
-### How do I remove the public IP address to the simulation VM?
-
-You have two options to remove the IP address:
-
-* Use the PowerShell script Simulation/Factory/Remove-SimulationPublicIp.ps1 of the [repository](https://github.com/Azure/azure-iot-connected-factory). Pass in your deployment name as a parameter. For a local deployment, use `<your username>ConnFactoryLocal`. The script prints out the IP address of the VM.
-
-* In the Azure portal, locate the resource group of your deployment. Except for a local deployment, the resource group has the name you specified as solution or deployment name. For a local deployment using the build script, the name of the resource group is `<your username>ConnFactoryLocal`. Now remove the **Public IP address** resource from the resource group.
-
-### How do I sign in to the simulation VM?
-
-Signing in to the simulation VM is only supported if you have deployed your solution using the PowerShell script `build.ps1` in the [repository](https://github.com/Azure/azure-iot-connected-factory).
-
-If you deployed the solution from www.azureiotsolutions.com, you cannot sign in to the VM. You cannot sign in, because the password is generated randomly and you cannot reset it.
-
-1. Add a public IP address to the VM. See [How do I add a public IP address to the simulation VM?](#how-do-i-remove-the-public-ip-address-to-the-simulation-vm)
-1. Create an SSH session to your VM using the IP address of the VM.
-1. The username to use is: `docker`.
-1. The password to use depends on the version you used to deploy:
- * For solutions deployed using the build.ps1 script before 1 June 2017, the password is: `Passw0rd`.
- * For solutions deployed using the build.ps1 script after 1 June 2017, you can find the password in the `<name of your deployment>.config.user` file. The password is stored in the **VmAdminPassword** setting. The password is generated randomly at deployment time unless you specify it using the `build.ps1` script parameter `-VmAdminPassword`
-
-### How do I stop and start all docker processes in the simulation VM?
-
-1. Sign in to the simulation VM. See [How do I sign in to the simulation VM?](#how-do-i-sign-in-to-the-simulation-vm)
-1. To check which containers are active, run: `docker ps`.
-1. To stop all simulation containers, run: `./stopsimulation`.
-1. To start all simulation containers:
- * Export a shell variable with the name **IOTHUB_CONNECTIONSTRING**. Use the value of the **IotHubOwnerConnectionString** setting in the `<name of your deployment>.config.user` file. For example:
-
- ```sh
- export IOTHUB_CONNECTIONSTRING="HostName={yourdeployment}.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey={your key}"
- ```
-
- * Run `./startsimulation`.
-
-### How do I update the simulation in the VM?
-
-If you have made any changes to the simulation, you can use the PowerShell script `build.ps1` in the [repository](https://github.com/Azure/azure-iot-connected-factory) using the `updatedimulation` command. This script builds all the simulation components, stops the simulation in the VM, uploads, installs, and starts them.
-
-### How do I find out the connection string of the IoT hub used by my solution?
-
-If you deployed your solution with the `build.ps1` script in the [repository](https://github.com/Azure/azure-iot-connected-factory), the connection string is the value of **IotHubOwnerConnectionString** in the `<name of your deployment>.config.user` file.
-
-You can also find the connection string using the Azure portal. In the IoT Hub resource in the resource group of your deployment, locate the connection string settings.
-
-### Which IoT Hub devices does the Connected Factory simulation use?
-
-The simulation self registers the following devices:
-
-* proxy.beijing.corp.contoso
-* proxy.capetown.corp.contoso
-* proxy.mumbai.corp.contoso
-* proxy.munich0.corp.contoso
-* proxy.rio.corp.contoso
-* proxy.seattle.corp.contoso
-* publisher.beijing.corp.contoso
-* publisher.capetown.corp.contoso
-* publisher.mumbai.corp.contoso
-* publisher.munich0.corp.contoso
-* publisher.rio.corp.contoso
-* publisher.seattle.corp.contoso
-
-Using the [DeviceExplorer](https://github.com/Azure/azure-iot-sdk-csharp/tree/master/tools/) or [the IoT extension for Azure CLI](https://github.com/Azure/azure-iot-cli-extension) tool, you can check which devices are registered with the IoT hub your solution is using. To use device explorer, you need the connection string for the IoT hub in your deployment. To use the IoT extension for Azure CLI, you need your IoT Hub name.
-
-### How can I get log data from the simulation components?
-
-All components in the simulation log information in to log files. These files can be found in the VM in the folder `home/docker/Logs`. To retrieve the logs, you can use the PowerShell script `Simulation/Factory/Get-SimulationLogs.ps1` in the [repository](https://github.com/Azure/azure-iot-connected-factory).
-
-This script needs to sign in to the VM. You may need to provide credentials for the sign-in. See [How do I sign in to the simulation VM?](#how-do-i-sign-in-to-the-simulation-vm) to find the credentials.
-
-The script adds/removes a public IP address to the VM, if it does not yet have one and removes it. The script puts all log files in an archive and downloads the archive to your development workstation.
-
-Alternatively log in to the VM via SSH and inspect the log files at runtime.
-
-### How can I check if the simulation is sending data to the cloud?
-
-With the [Azure IoT Explorer](https://github.com/Azure/azure-iot-explorer) or the [Azure IoT CLI Extension monitor-events](/cli/azure/iot/hub#az_iot_hub_monitor_events) command, you can inspect the data sent to IoT Hub from certain devices. To use these tools, you need to know the connection string for the IoT hub in your deployment. See [How do I find out the connection string of the IoT hub used by my solution?](#how-do-i-find-out-the-connection-string-of-the-iot-hub-used-by-my-solution)
-
-Inspect the data sent by one of the publisher devices:
-
-* publisher.beijing.corp.contoso
-* publisher.capetown.corp.contoso
-* publisher.mumbai.corp.contoso
-* publisher.munich0.corp.contoso
-* publisher.rio.corp.contoso
-* publisher.seattle.corp.contoso
-
-If you see no data sent to IoT Hub, then there is an issue with the simulation. As a first analysis step you should analyze the log files of the simulation components. See [How can I get log data from the simulation components?](#how-can-i-get-log-data-from-the-simulation-components) Next, try to stop and start the simulation and if there's still no data sent, update the simulation completely. See [How do I update the simulation in the VM?](#how-do-i-update-the-simulation-in-the-vm)
-
-### How do I enable an interactive map in my Connected Factory solution?
-
-To enable an interactive map in your Connected Factory solution, you must have an Azure Maps account.
-
-When deploying from [www.azureiotsolutions.com](https://www.azureiotsolutions.com), the deployment process adds an Azure Maps account to the resource group that contains the solution accelerator services.
-
-When you deploy using the `build.ps1` script in the Connected Factory GitHub repository set the environment variable `$env:MapApiQueryKey` in the build window to the [key of your Azure Maps account](../azure-maps/how-to-manage-account-keys.md). The interactive map is then enabled automatically.
-
-You can also add an Azure Maps account key to your solution accelerator after deployment. Navigate to the Azure portal and access the App Service resource in your Connected Factory deployment. Navigate to **Application settings**, where you find a section **Application settings**. Set the **MapApiQueryKey** to the [key of your Azure Maps account](../azure-maps/how-to-manage-account-keys.md). Save the settings and then navigate to **Overview** and restart the App Service.
-
-### How do I create an Azure Maps account?
-
-See, [How to manage your Azure Maps account and keys](../azure-maps/how-to-manage-account-keys.md).
-
-### How to obtain your Azure Maps account key
-
-See, [How to manage your Azure Maps account and keys](../azure-maps/how-to-manage-account-keys.md).
-
-### How do enable the interactive map while debugging locally?
-
-To enable the interactive map while you are debugging locally, set the value of the setting `MapApiQueryKey` in the files `local.user.config` and `<yourdeploymentname>.user.config` in the root of your deployment to the value of the **QueryKey** you copied previously.
-
-### How do I use a different image at the home page of my dashboard?
-
-To change the static image shown io the home page of the dashboard, replace the image `WebApp\Content\img\world.jpg`. Then rebuild and redeploy the WebApp.
-
-### How do I use non OPC UA devices with Connected Factory?
-
-To send telemetry data from non OPC UA devices to Connected Factory:
-
-1. [Configure a new station in the Connected Factory topology](iot-accelerators-connected-factory-configure.md) in the `ContosoTopologyDescription.json` file.
-
-1. Ingest the telemetry data in Connected Factory compatible JSON format:
-
- ```json
- [
- {
- "ApplicationUri": "<the_value_of_OpcUri_of_your_station",
- "DisplayName": "<name_of_the_datapoint>",
- "NodeId": "value_of_NodeId_of_your_datapoint_in_the_station",
- "Value": {
- "Value": <datapoint_value>,
- "SourceTimestamp": "<timestamp>"
- }
- }
- ]
- ```
-
-1. The format of `<timestamp>` is: `2017-12-08T19:24:51.886753Z`
-
-1. Restart the Connected Factory App Service.
-
-### Next steps
-
-You can also explore some of the other features and capabilities of the IoT solution accelerators:
-
-* [Deploy Connected Factory solution accelerator](quickstart-connected-factory-deploy.md)
-* [IoT security from the ground up](../iot-fundamentals/iot-security-ground-up.md)
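Review bot: this deletes the whole FAQ while the customize article now links to iot-accelerators-faq-cf.yml, so the content presumably moves there. If so, fix the defects visible in the removed text instead of carrying them over. In "How do I sign in to the simulation VM?", step 1 links "How do I add a public IP address to the simulation VM?" to the #how-do-i-remove-... anchor. The update answer names the build.ps1 command as `updatedimulation`, which looks like a typo and should be checked against the script. Keep the note about patching the VM for as long as it has a public IP. Since the sign-in answer gives one fixed password for every build.ps1 deployment made before 1 June 2017, also add advice to change that password before such a VM is given a public IP.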
iot-accelerators Iot Accelerators Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-accelerators/iot-accelerators-faq.md
- Title: IoT solution accelerators FAQ - Azure | Microsoft Docs
-description: This article answers the frequently asked questions for IoT solution accelerators. It includes links to the GitHub repositories.
----- Previously updated : 02/15/2018---
-# Frequently asked questions for IoT solution accelerators
-
-See also, the [Connected Factory-specific FAQ](iot-accelerators-faq-cf.md).
-
-### Where can I find the source code for the solution accelerators?
-
-The source code is stored in the following GitHub repositories:
-
-* [Connected Factory solution accelerator](https://github.com/Azure/azure-iot-connected-factory)
-
-### Where can I find the remote monitoring and predictive maintenance solution accelerators?
-
-As of December 10th 2020, the remote monitoring and predictive maintenance accelerators have been removed from the [Azure IoT solution accelerators](https://www.azureiotsolutions.com/Accelerators) site and are no longer available for new deployments. The GitHub repositories for both the accelerators have been archived. The code is still available for anyone to access but the repositories aren't taking any new contributions.
-
-### Where can I find the device simulation solution accelerator?
-
-The GitHub repository for the accelerator has been archived. The code is still available for anyone to access but the repositories aren't taking any new contributions.
-
-### What happens to my existing remote monitoring and predictive maintenance deployments?
-
-Existing deployments aren't impacted by the removal of the remote monitoring and predictive maintenance solution accelerators and will continue to work. Forked repositories also aren't impacted. The master repositories on GitHub have been archived.
-
-### Where can I find information about the removed solution accelerators?
-
-See the following pages on the previous versions site:
-
-* [Remote monitoring](/previous-versions/azure/iot-accelerators/about-iot-accelerators)
-* [Predictive maintenance](/previous-versions/azure/iot-accelerators/about-iot-accelerators)
-* [Device simulation](/previous-versions/azure/iot-accelerators/about-iot-accelerators)
-
-### What SDKs can I use to develop device clients for the solution accelerators?
-
-You can find links to the different language (C, .NET, Java, Node.js, Python) IoT device SDKs in the [Microsoft Azure IoT SDKs](https://github.com/Azure/azure-iot-sdks) GitHub repositories.
-
-If you're using the DevKit device, you can find resources and samples in the [IoT DevKit SDK](https://github.com/Microsoft/devkit-sdk) GitHub repository.
-
-### I'm a service administrator and I'd like to change the directory mapping between my subscription and a specific Azure AD tenant. How do I complete this task?
-
-See [To add an existing subscription to your Azure AD directory](../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md#to-associate-an-existing-subscription-to-your-azure-ad-directory)
-
-### I want to change a Service Administrator or Co-Administrator when logged in with an organizational account
-
-See the support article [Changing Service Administrator and Co-Administrator when logged in with an organizational account](https://azure.microsoft.com/support/changing-service-admin-and-co-admin).
-
-### Why am I seeing this error? "Your account does not have the proper permissions to create a solution. Please check with your account administrator or try with a different account."
-
-Look at the following diagram for guidance:
-
-![Permissions flowchart](media/iot-accelerators-faq/flowchart.png)
-
-> [!NOTE]
-> If you continue to see the error after validating you are a global administrator of the Azure AD tenant and a co-administrator of the subscription, have your account administrator remove the user and reassign necessary permissions in this order. First, add the user as a global administrator and then add user as a co-administrator of the Azure subscription. If issues persist, contact [Help & Support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade).
-
-### Why am I seeing this error when I have an Azure subscription? "An Azure subscription is required to create pre-configured solutions. You can create a free trial account in just a couple of minutes."
-
-If you're certain you have an Azure subscription, validate the tenant mapping for your subscription and check that the correct tenant is selected in the dropdown. If youΓÇÖve validated the tenant is correct, follow the preceding diagram and validate the mapping of your subscription and this Azure AD tenant.
-
-### What's the difference between deleting a resource group in the Azure portal and clicking delete on a solution accelerator in azureiotsolutions.com?
-
-* If you delete the solution accelerator in [azureiotsolutions.com](https://www.azureiotsolutions.com/), you delete all the resources that were deployed when you created the solution accelerator. If you added additional resources to the resource group, these resources are also deleted.
-* If you delete the resource group in the [Azure portal](https://portal.azure.com), you only delete the resources in that resource group. You also need to delete the Azure Active Directory application associated with the solution accelerator.
-
-### Can I continue to leverage my existing investments in Azure IoT solution accelerators?
-
-Yes. Any solution that exists today continues to work in your Azure subscription and the source code stays available in GitHub.
-
-### How many IoT Hub instances can I provision in a subscription?
-
-By default you can provision [10 IoT hubs per subscription](../azure-resource-manager/management/azure-subscription-service-limits.md#iot-hub-limits). You can create an [Azure support ticket](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to raise this limit. As a result, since every solution accelerator provisions a new IoT Hub, you can only provision up to 10 solution accelerators in a given subscription.
-
-### How many Azure Cosmos DB instances can I provision in a subscription?
-
-Fifty. You can create an [Azure support ticket](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to raise this limit, but by default, you can only provision 50 Cosmos DB instances per subscription.
-
-### Can I create a solution accelerator if I have Microsoft Azure for DreamSpark?
-
-> [!NOTE]
-> Microsoft Azure for DreamSpark is now known as Microsoft Imagine for students.
-
-Currently, you cannot create a solution accelerator with a [Microsoft Azure for DreamSpark](https://azure.microsoft.com/pricing/member-offers/imagine/) account. However, you can create a [free trial account for Azure](https://azure.microsoft.com/free/) in just a couple of minutes that enables you create a solution accelerator.
-
-### How do I delete an Azure AD tenant?
-
-See Eric Golpe's blog post [Walkthrough of Deleting an Azure AD Tenant](/archive/blogs/ericgolpe/walkthrough-of-deleting-an-azure-ad-tenant).
-
-### Next steps
-
-You can also explore some of the other features and capabilities of the IoT solution accelerators:
-
-* [Deploy Connected Factory solution accelerator](quickstart-connected-factory-deploy.md)
-* [IoT security from the ground up](../iot-fundamentals/iot-security-ground-up.md)
iot-accelerators Quickstart Connected Factory Deploy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-accelerators/quickstart-connected-factory-deploy.md
You can click on a chart to do further analysis of the data.
### Factory Locations
-A **Factory locations** panel that shows the status, location, and current production configuration in the solution. When you first run the solution accelerator, the dashboard shows a simulated set of factories. Each production line simulation is made up of three real OPC UA servers that run simulated tasks and share data. For more information about OPC UA, see the [Connected Factory FAQ](iot-accelerators-faq-cf.md):
+A **Factory locations** panel that shows the status, location, and current production configuration in the solution. When you first run the solution accelerator, the dashboard shows a simulated set of factories. Each production line simulation is made up of three real OPC UA servers that run simulated tasks and share data. For more information about OPC UA, see the [Connected Factory FAQ](iot-accelerators-faq-cf.yml):
[![Factory locations](./media/quickstart-connected-factory-deploy/factorylocations-inline.png)](./media/quickstart-connected-factory-deploy/factorylocations-expanded.png#lightbox)
You can navigate through the solution hierarchy and view OEE values and KPIs at
### Map
-If your subscription has access to the [Bing Maps API](iot-accelerators-faq-cf.md), the *Factories* map shows you the geographical location and status of all the factories in the solution. To drill into the location details, click the locations displayed on the map.
+If your subscription has access to the [Bing Maps API](iot-accelerators-faq-cf.yml), the *Factories* map shows you the geographical location and status of all the factories in the solution. To drill into the location details, click the locations displayed on the map.
[![Map](./media/quickstart-connected-factory-deploy/map-inline.png)](./media/quickstart-connected-factory-deploy/map-expanded.png#lightbox)
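Review bot: In the Map paragraph, the link labelled "Bing Maps API" resolves to `iot-accelerators-faq-cf.yml`, the same page the Factory Locations paragraph links to for OPC UA, and neither link carries a section anchor. Since both lines are being touched for the `.md` to `.yml` rename, consider pointing each at the specific FAQ question it refers to, or rewording the link text so it is clear the reader lands on the Connected Factory FAQ and not on the Bing Maps API documentation.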
iot-central Howto Build Iotc Device Bridge https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/howto-build-iotc-device-bridge.md
Each key in the `measurements` object must match the name of a telemetry type in
You can include a `timestamp` field in the body to specify the UTC date and time of the message. This field must be in ISO 8601 format. For example, `2020-06-08T20:16:54.602Z`. If you don't include a timestamp, the current date and time is used.
-You can include a `modelId` field in the body. Use this field to associate the device with a device template during provisioning. This functionality is only supported by [V3 applications](howto-faq.md#how-do-i-get-information-about-my-application).
+You can include a `modelId` field in the body. Use this field to associate the device with a device template during provisioning. This functionality is only supported by [V3 applications](howto-faq.yml#how-do-i-get-information-about-my-application-).
The `deviceId` must be alphanumeric, lowercase, and may contain hyphens. If you don't include the `modelId` field, or if IoT Central doesn't recognize the model ID, then a message with an unrecognized `deviceId` creates a new _unassociated device_ in IoT Central. An operator can manually migrate the device to the correct device template. To learn more, see [Manage devices in your Azure IoT Central application > Migrating devices to a template](howto-manage-devices-individually.md).
-In [V2 applications](howto-faq.md#how-do-i-get-information-about-my-application), the new device appears on the **Device Explorer > Unassociated devices** page. Select **Associate** and choose a device template to start receiving incoming telemetry from the device.
+In [V2 applications](howto-faq.yml#how-do-i-get-information-about-my-application-), the new device appears on the **Device Explorer > Unassociated devices** page. Select **Associate** and choose a device template to start receiving incoming telemetry from the device.
> [!NOTE] > Until the device is associated to a template, all HTTP calls to the function return a 403 error status.
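Review bot: Both updated links in this file change the fragment as well as the extension, from `#how-do-i-get-information-about-my-application` to `#how-do-i-get-information-about-my-application-` with a trailing hyphen. Please confirm that this is the id the YAML FAQ actually renders for that question. If it is not, the V2 and V3 references here will drop readers at the top of the FAQ with no indication of which entry tells them their application version.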
iot-central Howto Export Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/howto-export-data.md
For example, you can:
## Prerequisites
-To use data export features, you must have a [V3 application](howto-faq.md#how-do-i-get-information-about-my-application), and you must have the [Data export](howto-manage-users-roles.md) permission.
+To use data export features, you must have a [V3 application](howto-faq.yml#how-do-i-get-information-about-my-application-), and you must have the [Data export](howto-manage-users-roles.md) permission.
If you have a V2 application, see [Migrate your V2 IoT Central application to V3](howto-migrate.md).
iot-central Howto Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/howto-faq.md
- Title: Azure IoT Central frequently asked questions | Microsoft Docs
-description: Azure IoT Central frequently asked questions (FAQ) and answers
-- Previously updated : 12/20/2020-----
-# Frequently asked questions for IoT Central
-
-## How do I get information about my application?
-
-You may need:
--- This information if you contact support.-- The Azure subscription your application uses to locate billing information in the Azure portal.-- The application's ID when you're working with the REST API.-- The application's version to complete tasks such as adding a connector.-
-To get information about your IoT Central application:
-
-1. Select the **Help** link on the top menu.
-
-1. Select **About your app**.
-
-1. The **About your app** page shows information about your application:
-
- :::image type="content" source="media/howto-faq/about-your-app2.png" alt-text="About your app screenshot":::
-
- Use the **Copy info** button to copy the information to the clipboard.
-
-## How many IoT Central applications can I deploy in my subscription?
-
-Each Azure subscription has default quotas that could impact the scope of your IoT solution. Currently, IoT Central limits the number of applications you can deploy in a subscription to 10. If you need to increase this limit, contact [Microsoft support](https://azure.microsoft.com/support/options/).
-
-## How do I transfer a device from IoT Hub to IoT Central?
-
-A device can connect to an IoT hub directly using a connection string or using the [Device Provisioning Service (DPS)](../../iot-dps/about-iot-dps.md). IoT Central always uses DPS.
-
-To connect a device that was connected to IoT Hub to IoT Central, update the device with:
--- The Scope ID of the IoT Central application.-- A key derived from the application's group SAS key or X.509 certificate.-
-To learn more, see [Get connected to Azure IoT Central](concepts-get-connected.md)
-
-To interact with IoT Central, there must be a device template that models the device capabilities. To learn more, see [What are device templates?](concepts-device-templates.md).
-
-## How do I check for credential issues if a device isn't connecting to my IoT Central application?
-
-The [Troubleshoot why data from your devices isn't showing up in Azure IoT Central](troubleshoot-connection.md) includes steps to diagnose connectivity issues for devices.
-
-## How do I file a ticket with customer support?
-
-If you need help, you can file an [Azure support ticket](https://portal.azure.com/#create/Microsoft.Support).
-
-For more information, including other support options, see [Azure IoT support and help options](../../iot-fundamentals/iot-support-help.md).
-
-## How do I unblock a device?
-
-When a device is blocked, it can't send data to your IoT Central application. Blocked devices have a status of **Blocked** on the **Devices** page in your application. An operator must unblock the device before it can resume sending data:
--
-When an operator unblocks a device the status returns to its previous value, **Registered** or **Provisioned**.
-
-## How do I move from a free to a standard pricing plan?
--- Applications that use the free pricing plan are free for seven days before they expire. To avoid losing data, you can move them to a standard pricing plan at any time before they expire.-- Applications that use a standard pricing plan are charged per device, with the first two devices free, per application.-
-Learn more about pricing on the [Azure IoT Central pricing page](https://azure.microsoft.com/pricing/details/iot-central/).
-
-In the pricing section, you can move your application from the free to a standard pricing plan.
-
-To complete this self-service process, follow these steps:
-
-1. Go to the **Pricing** page in the **Administration** section.
-
-1. Select the **Plan**
-
- :::image type="content" source="media/howto-faq/free-trial-billing.png" alt-text="Trial state":::
-
-1. Select the appropriate Azure Active Directory, and then the Azure subscription to use for your application that uses a paid plan.
-
-1. After you select **Save**, your application now uses a paid plan and you start getting billed.
-
-> [!Note]
-> By default, you are converted to a *Standard 2* pricing plan.
-
-## How do I change my application pricing plan
-
-Applications that use a standard pricing plan are charged per device, with the first two devices free, per application.
-
-In the pricing section, you can upgrade or downgrade your Azure IoT pricing plan at any time.
-
-1. Go to the **Pricing** page in the **Administration** section.
-
- :::image type="content" source="media/howto-faq/pricing.png" alt-text="Upgrade pricing plan":::
-
-1. Select the **Plan** and then select **Save** to upgrade or downgrade.
-
-## How do I approve a device?
-
-If the device status is **Waiting for Approval** on the **Devices** page, it means the **Auto approve** option is disabled:
--
-An operator must explicitly approve a device before it starts sending data. Devices not registered manually on the **Devices** page, but connected with valid credentials will have the device status **Waiting for Approval**. Operators can approve these devices from the **Devices** page using the **Approve** button:
--
-## How do I associate a device with a device template?
-
-If the device status is **Unassociated**, it means the device connecting to IoT Central doesn't have an associated device template. This situation typically happens in the following scenarios:
--- A set of devices is added using **Import** on the **Devices** page without specifying the device template.-- A device was registered manually on the **Devices** page without specifying the device template. The device then connected with valid credentials. -
-The operator can associate a device to a device template from the **Devices** page using the **Migrate** button. To learn more, see [Manage devices in your Azure IoT Central application > Migrating devices to a template](howto-manage-devices-individually.md).
-
-## Where can I learn more about IoT Hub?
-
-Azure IoT Central uses Azure IoT Hub as a cloud gateway that enables device connectivity. IoT Hub enables:
--- Data ingestion at scale in the cloud.-- Device management.-- Secure device connectivity.-
-To learn more about IoT Hub, see [Azure IoT Hub](../../iot-hub/index.yml).
-
-## Where can I learn more about the Device Provisioning Service (DPS)?
-
-Azure IoT Central uses DPS to enable devices to connect to your application. To learn more about the role DPS plays in connecting devices to IoT Central, see [Get connected to Azure IoT Central](concepts-get-connected.md). To learn more about DPS, see [Provisioning devices with Azure IoT Hub Device Provisioning Service](../../iot-dps/about-iot-dps.md).
iot-central Howto Manage Iot Central From Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/howto-manage-iot-central-from-portal.md
To move the application to a different subscription, select **change** beside t
## Monitor application health > [!NOTE]
-> Metrics are only available for version 3 IoT Central applications. To learn how to check your application version, see [How do I get information about my application?](howto-faq.md#how-do-i-get-information-about-my-application).
+> Metrics are only available for version 3 IoT Central applications. To learn how to check your application version, see [How do I get information about my application?](howto-faq.yml#how-do-i-get-information-about-my-application-).
You can use the set of metrics provided by IoT Central to assess the health of devices connected to your IoT Central application and the health of your running data exports. Metrics are enabled by default for your IoT Central application and you access them from the [Azure portal](https://portal.azure.com/). The [Azure Monitor data platform exposes these metrics](../../azure-monitor/essentials/data-platform-metrics.md) and provides several ways for you to interact with them. For example, you can use charts in the Azure portal, a REST API, or queries in PowerShell or the Azure CLI. > [!TIP]
-> Applications that use the free trial plan don't have an associated Azure subscription and so don't support Azure Monitor metrics. You can [convert an application to a standard pricing plan](./howto-faq.md#how-do-i-move-from-a-free-to-a-standard-pricing-plan) and get access to these metrics.
+> Applications that use the free trial plan don't have an associated Azure subscription and so don't support Azure Monitor metrics. You can [convert an application to a standard pricing plan](./howto-faq.yml#how-do-i-move-from-a-free-to-a-standard-pricing-plan-) and get access to these metrics.
### View metrics in the Azure portal
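Review bot: The two FAQ links under "Monitor application health" use different relative-path styles: the NOTE uses `howto-faq.yml#...` and the TIP uses `./howto-faq.yml#...`. Both resolve to the same file, but as both lines are being edited in this change it would be cleaner to settle on one form, matching the `howto-faq.yml` style used in the other IoT Central articles updated alongside it.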
iot-central Howto Migrate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/howto-migrate.md
Currently, when you create a new IoT Central application, it's a V3 application. If you previously created an application, then depending on when you created it, it may be V2. This article describes how to migrate a V2 to a V3 application to be sure you're using the latest IoT Central features.
-To learn how to identify the version of an IoT Central application, see [How do I get information about my application?](howto-faq.md#how-do-i-get-information-about-my-application).
+To learn how to identify the version of an IoT Central application, see [How do I get information about my application?](howto-faq.yml#how-do-i-get-information-about-my-application-).
The steps to migrate an application from V2 to V3 are:
iot-central Overview Iot Central Admin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/overview-iot-central-admin.md
The administrator can configure the behavior and appearance of an IoT Central ap
- [Change application name and URL](howto-administer.md#change-application-name-and-url) - [Customize the UI](howto-customize-ui.md)-- [Move an application to a different pricing plans](howto-faq.md#how-do-i-move-from-a-free-to-a-standard-pricing-plan)
+- [Move an application to a different pricing plans](howto-faq.yml#how-do-i-move-from-a-free-to-a-standard-pricing-plan-)
- [Configure file uploads](howto-configure-file-uploads.md) ## Export an application
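Review bot: The link text on the changed line reads "Move an application to a different pricing plans", which mixes singular and plural. Since the line is already being modified for the new target, fix the text to "Move an application to a different pricing plan" in the same change.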
iot-central Overview Iot Central Tour https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/overview-iot-central-tour.md
The top menu appears on every page:
* To search for devices, enter a **Search** value. * To change the UI language or theme, choose the **Settings** icon. Learn more about [managing your application preferences](howto-manage-preferences.md)
-* To get help and support, choose the **Help** drop-down for a list of resources. You can [get information about your application](howto-faq.md#how-do-i-get-information-about-my-application) from the **About your app** link. In an application on the free pricing plan, the support resources include access to [live chat](howto-show-hide-chat.md).
+* To get help and support, choose the **Help** drop-down for a list of resources. You can [get information about your application](howto-faq.yml#how-do-i-get-information-about-my-application-) from the **About your app** link. In an application on the free pricing plan, the support resources include access to [live chat](howto-show-hide-chat.md).
* To sign out of the application, choose the **Account** icon. You can choose between a light theme or a dark theme for the UI:
iot-hub-device-update Import Concepts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub-device-update/import-concepts.md
For each Device Update for IoT Hub instance, the following limits are enforced:
There is also a limit of 100 update versions cumulatively (across all providers and names).
+The maximum allowed file size is 800MB for any individual file in an update submission. The _combined_ total of all files in one update submission must also not exceed 800MB.
+ ## Import manifest An import manifest is a JSON file that defines important information about the update that you are importing. You will submit both your import manifest and associated update file or files (such as a firmware update package) as part of the import process. The metadata that is defined in the import manifest is used to ingest the update. Some of the metadata is also used at deployment time - for example, to validate if an update was installed correctly.
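Review bot: The added size-limit paragraph gives the same 800MB figure for an individual file and for the combined total of a submission, so the per-file limit only ever applies to a single-file submission and the two sentences read as if they were separate constraints. Suggest stating it once, for example that all files in one update submission, individually and combined, must not exceed 800 MB, and writing the unit with a space. It would also help to say here what the import does when a submission exceeds the limit, so that a rejected import can be diagnosed from this section.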
iot-hub Iot Concepts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/iot-concepts.md
+
+ Title: Basic concepts for new Azure IoT Hub users | Microsoft Docs
+description: This article shows the basic concepts for new users of Azure IoT Hub
+++++ Last updated : 07/07/2021
+#Customer intent: As a developer new to IoT Hub, learn the basic concepts and how to set up and use an IoT Hub.
++
+# IoT concepts
+
+IoT Hub is a managed service hosted in the cloud that acts as a central message hub for communications in both directions between an IoT application and its attached devices. You can connect millions of devices and their backend solutions reliably and securely. Almost any device can be connected to an IoT Hub.
+
+Several messaging patterns are supported, including device-to-cloud telemetry, uploading files from devices, and request-reply methods to control your devices from the cloud. IoT Hub also supports monitoring to help you track creating devices, connecting devices, and device failures.
+
+With IoT Hub's capabilities, you can build scalable, full-featured IoT solutions such as managing industrial equipment used in manufacturing, tracking valuable assets in healthcare, and monitoring office building usage.
+
+IoT devices have different characteristics when compared to other clients such as browsers and mobile apps. The [device SDKs](iot-hub-devguide-sdks.md) help you address the challenges of connecting devices securely and reliably to your back-end service.
+
+Specifically, IoT devices:
+
+- Are often embedded systems with no human operator (unlike a phone).
+- Can be deployed in remote locations where physical access is expensive.
+- May only be reachable through the solution back end.
+- May have limited power and processing resources.
+- May have intermittent, slow, or expensive network connectivity.
+- May need to use proprietary, custom, or industry-specific application protocols.
+
+## Securely connect and communicate
+
+Per-device authentication enables each device to connect securely to IoT Hub and for each device to be managed securely. You have complete control over device access and can control connections at the per-device level.
+
+### Devices have a secure identity
+
+Every IoT hub has an identity registry that stores information about the devices and modules permitted to connect to the IoT hub. Before a device or module can connect to an IoT hub, there must be an entry for that device or module in the IoT hub's identity registry. A device or module must also authenticate with the IoT hub based on credentials stored in the identity registry.
+
+We support two methods of authentication between the device and the IoT Hub. In one case, you can use an SAS token-based authentication. The other method supported uses X.509 certificate authentication.
+
+The SAS-based token method provides authentication for each call made by the device to IoT Hub by associating the symmetric key to each call. X.509-based authentication allows authentication of an IoT device at the physical layer as part of the Transport Layer Security (TLS) standard connection establishment. The security-token-based method can be used without the X.509 authentication, which is a less secure pattern. The choice between the two methods is primarily dictated by how secure the device authentication needs to be, and availability of secure storage on the device (to store the private key securely).
+
+Azure IoT SDKs automatically generate tokens without requiring any special configuration. If you don't use the SDK, you'll have to generate the security tokens.
+
+You can set up and provision many devices at a time using the [IoT Hub Device Provisioning Service](/azure/iot-dps).
+
+### Devices can securely communicate with an IoT Hub
+
+After selecting your Authentication method, the internet connection between the IoT device and IoT Hub is secured using the Transport Layer Security (TLS) standard. Azure IoT supports TLS 1.2, TLS 1.1, and TLS 1.0, in that order. Support for TLS 1.0 is provided for backward compatibility only. Check TLS support in IoT Hub to see how to configure your hub to use TLS 1.2, which provides the most security.
+
+## Communication patterns with a device
+
+Typically, IoT devices send telemetry from the sensors to back-end services in the cloud. However, other types of communication are possible, such as a back-end service sending commands to your devices. Some examples of different types of communication include the following examples:
+
+* A refrigeration truck sending temperature every 5 minutes to an IoT Hub
+* A back-end service sending a command to a device to change the frequency at which it sends telemetry to help diagnose a problem
+* A device monitoring a batch reactor in a chemical plant, sending an alert when the temperature exceeds a certain value
+
+### Telemetry is data emitted by a device
+
+Examples of telemetry received from a device can include sensor data such as speed or temperature, an error message such as missed event, or an information message to indicate the device is in good health. IoT Devices send events (notifications, acknowledgments, telemetry) to an application to gain insights. Applications may require specific subsets of events for processing or storage at different endpoints.
+
+### Properties are state values or data that applications can access.
+
+For example, the current firmware version of the device, or writable properties that can be updated, such a temperature, are properties. Properties can be read or set from the IoT Hub, and can be used to send notifications when an action has completed. An example of a specific property on a device is temperature. This can be a writable property that can be updated on the device or read from a temperature sensor attached to the device.
+
+You can enable properties in IoT Hub using [Device Twins](iot-hub-devguide-device-twins.md) or [Plug and Play](../iot-pnp/overview-iot-plug-and-play.md).
+
+
+To learn more about the differences between device twins and Plug and Play, see [Plug and Play](../iot-pnp/concepts-digital-twin.md#device-twins-and-digital-twins).
+
+### Commands can be used to execute methods directly on connected devices.
+
+An example of a command is rebooting the device. IoT Hub implements commands by allowing you to invoke direct methods on devices from the cloud. [Direct methods](iot-hub-devguide-direct-methods.md) represent a request-reply interaction with a device similar to an HTTP call in that they succeed or fail immediately (after a user-specified timeout). This approach is useful for scenarios where the course of immediate action is different depending on whether the device was able to respond.
+
+## View and act on data collected from your devices
+
+IoT Hub gives you the ability to unlock the value of your device data with other Azure services so you can shift to predictive problem-solving, rather than reactive management. Connect your IoT Hub with other Azure services to do machine learning, analytics and AI to act on real-time data, optimize processing, and gain deeper insights.
+
+### Built-in endpoint collects data from your devices by default
+
+A built-in endpoint collects data from your device by default. The data is collected using a request-response pattern over dedicated IoT device endpoints, is available for a max of seven days, and can be used to take actions on a device. Here is the data accepted by the device endpoint:
+
+* Send device-to-cloud messages. A device uses this endpoint to send device-to-cloud messages.
+
+* Receive cloud-to-device messages. A device uses this endpoint to receive targeted cloud-to-device messages.
+
+* Initiate file uploads. A device uses this endpoint to receive an Azure Storage SAS URI from IoT Hub to upload a file.
+
+* Retrieve and update device twin properties. A device uses this endpoint to access its device twin's properties.
+
+* Receive direct method requests. A device uses this endpoint to listen for direct method's requests.
+
+For more information about IoT Hub endpoints, see [IoT Hub Dev Guide Endpoints](
+iot-hub-devguide-endpoints.md#list-of-built-in-iot-hub-endpoints)
+
+### Use Message Routing to send data to other endpoints for processing
+
+Data can also be routed to different services for further processing. As the IoT solution scales out, the number of devices, volume of events, variety of events, and different services also varies. A flexible, scalable, consistent, and reliable method to route events is necessary to serve this pattern. Data can also be filtered to send to different services. Once a message route has been created, data stops flowing to the built-in-endpoint unless a fallback route has been configured. For a tutorial showing multiple uses of message routing, see the [Routing Tutorial](tutorial-routing.md).
+
+IoT Hub also integrates with Event Grid which enables you to fan out data to multiple subscribers. Event Grid is a fully managed event service that enables you to easily manage events across many different Azure services and applications. Made for performance and scale, it simplifies building event-driven applications and serverless architectures. Learn more about Event Grid. The differences between message routing and using Event Grid are explained in the [Message Routing and Event Grid Comparison](iot-hub-event-grid-routing-comparison.md)
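Review bot: In "Devices have a secure identity", the sentence stating that X.509-based authentication happens "at the physical layer as part of the Transport Layer Security (TLS) standard connection establishment" contradicts itself, because TLS connection establishment is not a physical-layer mechanism; suggest "during the TLS handshake". In the same paragraph, "which is a less secure pattern" has no clear referent: say explicitly whether it is SAS-token-only authentication that is being called less secure than X.509. Two references in the new file also have no link target: "Check TLS support in IoT Hub" in the TLS paragraph, which is the sentence that tells readers how to restrict a hub to TLS 1.2, and "Learn more about Event Grid." in the last paragraph. Smaller points: the link to `iot-hub-devguide-endpoints.md` is split across two lines after `](`, "such a temperature" should be "such as temperature", and the three H3 headings under "Communication patterns with a device" are inconsistent about the trailing period.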
iot-hub Iot Hub Automatic Device Management Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/iot-hub-automatic-device-management-cli.md
Previously updated : 12/13/2019 Last updated : 07/08/2021
[!INCLUDE [iot-edge-how-to-deploy-monitor-selector](../../includes/iot-hub-auto-device-config-selector.md)]
-Automatic device management in Azure IoT Hub automates many of the repetitive and complex tasks of managing large device fleets. With automatic device management, you can target a set of devices based on their properties, define a desired configuration, and then let IoT Hub update the devices when they come into scope. This update is done using an _automatic device configuration_ or _automatic module configuration_, which lets you summarize completion and compliance, handle merging and conflicts, and roll out configurations in a phased approach.
+Automatic device management in Azure IoT Hub automates many of the repetitive and complex tasks of managing large device fleets. With automatic device management, you can target a set of devices based on their properties, define a desired configuration, and then let IoT Hub update the devices when they come into scope. This update is done using an *automatic device configuration* or *automatic module configuration*, which lets you summarize completion and compliance, handle merging and conflicts, and roll out configurations in a phased approach.
[!INCLUDE [iot-hub-basic](../../includes/iot-hub-basic-whole.md)]
-Automatic device management works by updating a set of device twins or module twins with desired properties and reporting a summary that's based on twin reported properties. It introduces a new class and JSON document called a *Configuration* that has three parts:
+Automatic device management works by updating a set of device twins or module twins with desired properties and reporting a summary that's based on twin reported properties. It introduces a new class and JSON document called a *configuration* that has three parts:
* The **target condition** defines the scope of device twins or module twins to be updated. The target condition is specified as a query on device twin tags and/or reported properties. * The **target content** defines the desired properties to be added or updated in the targeted device twins or module twins. The content includes a path to the section of desired properties to be changed.
-* The **metrics** define the summary counts of various configuration states such as **Success**, **In Progress**, and **Error**. Custom metrics are specified as queries on twin reported properties. System metrics are the default metrics that measure twin update status, such as the number of twins that are targeted and the number of twins that have been successfully updated.
+* The **metrics** define the summary counts of various configuration states such as **Success**, **In Progress**, and **Error**. Custom metrics are specified as queries on twin reported properties. System metrics are the default metrics that measure twin update status, such as the number of twins that are targeted and the number of twins that have been successfully updated.
Automatic configurations run for the first time shortly after the configuration is created and then at five minute intervals. Metrics queries run each time the automatic configuration runs.
lighthouse Enterprise https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/concepts/enterprise.md
In most enterprise scenarios, youΓÇÖll want to delegate a full subscription to A
Either way, be sure to [follow the principle of least privilege when defining which users will have access to delegated resources](recommended-security-practices.md#assign-permissions-to-groups-using-the-principle-of-least-privilege). Doing so helps to ensure that users only have the permissions needed to perform the required tasks and reduces the chance of inadvertent errors.
-Azure Lighthouse only provides logical links between a managing tenant and managed tenants, rather than physically moving data or resources. Furthermore, the access always goes in only one direction, from the managing tenant to the managed tenants. Users and groups in the managing tenant should continue to use multi-factor authentication when performing management operations on managed tenant resources.
+Azure Lighthouse only provides logical links between a managing tenant and managed tenants, rather than physically moving data or resources. Furthermore, the access always goes in only one direction, from the managing tenant to the managed tenants. Users and groups in the managing tenant should continue to use multifactor authentication when performing management operations on managed tenant resources.
Enterprises with internal or external governance and compliance guardrails can use [Azure Activity logs](../../azure-monitor/essentials/platform-logs-overview.md) to meet their transparency requirements. When enterprise tenants have established managing and managed tenant relationships, users in each tenant can view logged activity to see actions taken by users in the managing tenant.
lighthouse Recommended Security Practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/concepts/recommended-security-practices.md
When using [Azure Lighthouse](../overview.md), it's important to consider securi
## Require Azure AD Multi-Factor Authentication
-[Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) (also known as two-step verification) helps prevent attackers from gaining access to an account by requiring multiple authentication steps. You should require Multi-Factor Authentication for all users in your managing tenant, including users who will have access to delegated customer resources.
+[Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) (also known as two-step verification) helps prevent attackers from gaining access to an account by requiring multiple authentication steps. You should require Azure AD Multi-Factor Authentication for all users in your managing tenant, including users who will have access to delegated customer resources.
We recommend that you ask your customers to implement Azure AD Multi-Factor Authentication in their tenants as well.
lighthouse Create Eligible Authorizations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/how-to/create-eligible-authorizations.md
Title: Create eligible authorizations description: When onboarding customers to Azure Lighthouse, you can let users in your managing tenant elevate their role on a just-in-time basis. Previously updated : 06/15/2021 Last updated : 07/13/2021
Once a user successfully activates an eligible role, they will have that elevate
Administrators in the managing tenant can review all Privileged Identity Management activities by viewing the audit log in the managing tenant. Customers can view these actions in the Azure activity log for the delegated subscription.
-When creating an eligible authorization, you define three elements: the user, the role, and the access policy.
+## Eligible authorization elements
-- The **user** can be either an individual user or an Azure AD group in the managing tenant. If a group is defined, any member of that group will be able to elevate their own individual access to the role per the access policy. You can't use eligible authorizations with service principals.-- The **role** can be any Azure built-in role that is supported for Azure delegated resource management except for User Access Administrator.-- The **access policy** defines the multi-factor authorization (MFA) requirements and the length of time a user will be activated in the role before it expires. The maximum amount you can specify for any role is 8 hours.
+You can create an eligible authorization when onboarding customers with Azure Resource Manager templates or by publishing a Managed Services offer to Azure Marketplace. Each eligible authorization must include three elements: the user, the role, and the access policy.
-More about these elements, and how to define them, is explained below.
+### User
-## Create eligible authorizations using Azure Resource Manager templates
+For each eligible authorization, you provide the Principal ID for either an individual user or an Azure AD group in the managing tenant. Along with the Principal ID, you must provide a display name of your choice for each authorization.
-To onboard your customer to Azure Lighthouse, you use an [Azure Resource Manager template along with a corresponding parameters file](onboard-customer.md#create-an-azure-resource-manager-template) that you modify. The template you choose will depend on whether you're onboarding an entire subscription, a resource group, or multiple resource groups within a subscription.
+If a group is provided in an eligible authorization, any member of that group will be able to elevate their own individual access to that role, per the access policy.
+
+You can't use eligible authorizations with service principals, since there's currently no way for a service principal account to elevate its access and use an eligible role. You also canΓÇÖt use eligible authorizations with `delegatedRoleDefinitionIds` that a User Access Administrator can [assign to managed identities](deploy-policy-remediation.md).
> [!NOTE]
-> While you can also onboard customers using Managed Service offers in Azure Marketplace, you can't currently include eligible authorizations in those offers.
+> For each eligible authorization, be sure to also create a permanent (active) authorization for the same Principal ID with a different role, such as Reader (or another Azure built-in role that includes Reader access). If you don't include a permanent authorization with Reader access, the user won't be able to elevate their role in the Azure portal.
+
+### Role
+
+Each eligible authorization needs to include an [Azure built-in role](../../role-based-access-control/built-in-roles.md) that the user will be eligible to use on a just-in-time basis.
+
+The role can be any Azure built-in role that is supported for Azure delegated resource management except for User Access Administrator.
+
+> [!IMPORTANT]
+> If you include multiple eligible authorizations that use the same role, each of the eligible authorizations must have the same access policy settings.
+
+### Access policy
+
+The access policy defines the multifactor authentication requirements, the length of time a user will be activated in the role before it expires, and whether approvers are required.
+
+#### Multifactor authentication
+
+Specify whether or not to require [Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) in order for an eligible role to be activated.
+
+#### Maximum duration
+
+Define the total length of time for which the user will have the eligible role. The minimum value is 30 minutes and the maximum is 8 hours.
+
+#### Approvers
+
+The approvers element is optional. If you include it, you can specify up to ten users or user groups in the managing tenant who can approve or deny requests from a user to activate the eligible role.
-To include eligible authorizations when you onboard a customer, use one of the templates from the [delegated-resource-management-eligible-authorizations section of our samples repo](https://github.com/Azure/Azure-Lighthouse-samples/tree/master/templates/delegated-resource-management-eligible-authorizations).
+You can't use a service principal account as an approver. Also, approvers can't approve their own access; if an approver is also included as the user in an eligible authorization, a different approver will have to grant access in order for them to elevate their role.
+
+If you donΓÇÖt include any approvers, the user will be able to activate the eligible role whenever they choose.
+
+## Create eligible authorizations using Managed Services offers
+
+To onboard your customer to Azure Lighthouse, you can publish Managed Services offers to Azure Marketplace. When [creating your offers in Partner Center](publish-managed-services-offers.md), you can now specify whether the **Access type** for each [Authorization](../../marketplace/create-managed-service-offer-plans.md#authorizations) should be **Active** or **Eligible**.
+
+When you select **Eligible**, the user in your authorization will be able to activate the role according to the access policy you configure. You must set a maximum duration between 30 minutes and 8 hours, and specify whether youΓÇÖll require Azure multifactor authentication. You can also add up to 10 approvers if you choose to use them, providing a display name and a principal ID for each one.
+
+Be sure to review the details in the [Eligible authorization elements](#eligible-authorization-elements) section when configuring your eligible authorizations in Partner Center.
+
+## Create eligible authorizations using Azure Resource Manager templates
+
+To onboard your customer to Azure Lighthouse, you use an [Azure Resource Manager template along with a corresponding parameters file](onboard-customer.md#create-an-azure-resource-manager-template) that you modify. The template you choose will depend on whether you're onboarding an entire subscription, a resource group, or multiple resource groups within a subscription.
+
+To include eligible authorizations when you onboard a customer, use one of the templates from the [delegated-resource-management-eligible-authorizations section of our samples repo](https://github.com/Azure/Azure-Lighthouse-samples/tree/master/templates/delegated-resource-management-eligible-authorizations). We provide templates with and without approvers included, so that you can use the one that works best for your scenario.
|To onboard this (with eligible authorizations) |Use this Azure Resource Manager template |And modify this parameter file | ||||
-|Subscription |[subscription.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription.json) |[subscription.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription.Parameters.json) |
+|Subscription |[subscription.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription.json) |[subscription.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription.parameters.json) |
+|Subscription (with approvers) |[subscription-managing-tenant-approvers.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription-managing-tenant-approvers.json) |[subscription-managing-tenant-approvers.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription-managing-tenant-approvers.parameters.json) |
|Resource group |[rg.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/rg.json) |[rg.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/rg.parameters.json) |
+|Resource group (with approvers) |[rg-managing-tenant-approvers.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/rg-managing-tenant-approvers.json) |[rg-managing-tenant-approvers.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/rg-managing-tenant-approvers.parameters.json) |
|Multiple resource groups within a subscription |[multiple-rg.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/multiple-rg.json) |[multiple-rg.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/multiple-rg.parameters.json) |
+|Multiple resource groups within a subscription (with approvers) |[multiple-rg-managing-tenant-approvers.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/multiple-rg-managing-tenant-approvers.json) |[multiple-rg-managing-tenant-approvers.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/multiple-rg-managing-tenant-approvers.parameters.json) |
-The **subscription.json** template, which can be used to onboard a subscription with eligible authorizations, is shown below.
+The **subscription-managing-tenant-approvers.json** template, which can be used to onboard a subscription with eligible authorizations (including approvers), is shown below.
```json {
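Review bot: The new link for `subscription.parameters.json` in the Subscription row drops the `subscription/` folder from the path, while the template link in the same row and both links in the "Subscription (with approvers)" row keep it, so the new URL probably does not resolve; restore the folder segment. Separately, several added paragraphs use typographic apostrophes (in "can't", "don't", "you'll", which show up garbled in this rendering) where the rest of the article uses straight ones, and the approver limit is written as "ten" in the Approvers section but "10" in the Managed Services section.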
The **subscription.json** template, which can be used to onboard a subscription
{ "justInTimeAccessPolicy": { "multiFactorAuthProvider": "Azure",
- "maximumActivationDuration": "PT8H"
+ "maximumActivationDuration": "PT8H",
+ "managedByTenantApprovers": [
+ {
+ "principalId": "00000000-0000-0000-0000-000000000000",
+ "principalIdDisplayName": "PIM-Approvers"
+ }
+ ]
}, "principalId": "00000000-0000-0000-0000-000000000000", "principalIdDisplayName": "PIM_Group",
- "roleDefinitionId": "36243c78-bf99-498c-9df9-86d9f8d28608"
+ "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
} ]
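Review bot: In the sample, the approver entry under `managedByTenantApprovers` and the eligible authorization itself carry the same all-zero `principalId` placeholder. The article states that approvers can't approve their own access, so a reader who fills in one ID for both could end up with activation requests that the listed approver is not allowed to approve; use visibly different placeholder values for the approver and the eligible principal. The `roleDefinitionId` also changes in this hunk with no mention in the surrounding text; say which built-in role the sample now grants.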
The **subscription.json** template, which can be used to onboard a subscription
### Define eligible authorizations in your parameters file
-The [subscription.Parameters.json sample template](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription.Parameters.json) can be used to define authorizations, including eligible authorizations, when onboarding a subscription.
+The [subscription-managing-tenant-approvers.Parameters.json sample template](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription-managing-tenant-approvers.Parameters.json) can be used to define authorizations, including eligible authorizations, when onboarding a subscription.
Each of your eligible authorizations must be defined in the `eligibleAuthorizations` parameter. This example includes one eligible authorization.
+This template also includes the `managedbyTenantApprovers` element, which adds a `principalId` who will be required to approve all attempts to activate the eligible roles that are defined in the `eligibleAuthorizations` element.
+ ```json { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#",
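Review bot: The added sentence names the element `managedbyTenantApprovers` with a lowercase "b", but the JSON in both samples spells it `managedByTenantApprovers`; match the casing so the prose and the template agree. The link text and URL in the paragraph above it use `.Parameters.json` with a capital "P", whereas the table links to `subscription-managing-tenant-approvers.parameters.json`; confirm which file name exists in the samples repo and use it in both places. "adds a `principalId` who will be required to approve" would read better as "adds a principal who will be required to approve".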
Each of your eligible authorizations must be defined in the `eligibleAuthorizati
{ "justInTimeAccessPolicy": { "multiFactorAuthProvider": "Azure",
- "maximumActivationDuration": "PT8H"
+ "maximumActivationDuration": "PT8H",
+ "managedByTenantApprovers": [
+ {
+ "principalId": "00000000-0000-0000-0000-000000000000",
+ "principalIdDisplayName": "PIM-Approvers"
+ }
+ ]
}, "principalId": "00000000-0000-0000-0000-000000000000", "principalIdDisplayName": "Tier 2 Support",
Each of your eligible authorizations must be defined in the `eligibleAuthorizati
} ```
-Each entry within the `eligibleAuthorizations` parameter contains three elements that define an eligible authorization: `principalId`, `roleDefinitionId`, and `justInTimeAccessPolicy`.
+Each entry within the `eligibleAuthorizations` parameter contains [three elements](#eligible-authorization-elements) that define an eligible authorization: `principalId`, `roleDefinitionId`, and `justInTimeAccessPolicy`.
-`principalId` specifies the ID for the Azure AD user or group to which this eligible authorization will apply. Don't use an ID of a service principal account, since there's currently no way for a service principal account to elevate its access and use an eligible role.
-
-> [!IMPORTANT]
-> Be sure to include the same `principalId` in the `authorizations` section of your template with a different role from the eligible authorization, such as Reader (or another Azure built-in role that includes Reader access). If you don't, the user won't be able to elevate their role in the Azure portal.
+`principalId` specifies the ID for the Azure AD user or group to which this eligible authorization will apply.
`roleDefinitionId` contains the role definition ID for an [Azure built-in role](../../role-based-access-control/built-in-roles.md) that the user will be eligible to use on a just-in-time basis. If you include multiple eligible authorizations that use the same `roleDefinitionId`, each of these must have identical settings for `justInTimeAccessPolicy`.
-`justInTimeAccessPolicy` specifies two elements:
+`justInTimeAccessPolicy` specifies three elements:
-- `multiFactorAuthProvider` can either be set to **Azure**, which will require authentication using Azure multi-factor authorization (MFA), or to **None** if no multi-factor authentication will be required.
+- `multiFactorAuthProvider` can either be set to **Azure**, which will require authentication using Azure AD Multi-Factor Authentication, or to **None** if no multifactor authentication will be required.
- `maximumActivationDuration` sets the total length of time for which the user will have the eligible role. This value must use the ISO 8601 duration format. The minimum value is PT30M (30 minutes) and the maximum value is PT8H (8 hours).
+- `managedByTenantApprovers` is optional. If you include it, it must contain one or more combinations of a principalId and a principalIdDisplayName who will be required to approve any activation of the eligible role.
-> [!NOTE]
-> Note: Just-in-time access does not apply to `delegatedRoleDefinitionIds` that a User Access Administrator can [assign to managed identities](deploy-policy-remediation.md). These role assignments can't be created as eligible authorizations. Similarly, you canΓÇÖt create an eligible authorization for the User Access Administrator role itself.
+For more details about these elements, see the [Eligible authorization elements](#eligible-authorization-elements) section above.
## Elevation process for users
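Review bot: The new `managedByTenantApprovers` bullet says "one or more" approvers but leaves out the limit of ten given in the Eligible authorization elements section; state the cap here too, since this is where the JSON element is documented. `principalId` and `principalIdDisplayName` in that bullet should be in code formatting like the other property names in the list.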
Each user can elevate their access at any time by visiting the **My customers**
:::image type="content" source="../media/manage-eligible-roles.png" alt-text="Screenshot showing the Manage eligible roles button in the Azure portal.":::
+If approvers have been specified, the user won't have access to the role until approval is granted by a designated approver. All of the approvers will be notified when approval is requested, and the user wonΓÇÖt be able to use the eligible role until approval is granted. Approvers will also be notified when that happens. For more details about the approval process, see [Approve or deny requests for Azure resource roles in Privileged Identity Management](../../active-directory/privileged-identity-management/pim-resource-roles-approval-workflow.md).
+ Once the eligible role has been activated, the user will have that role for the full duration specified in the eligible authorization. After that time period, they will no longer be able to use that role, unless they repeat the elevation process and elevate their access again. ## Next steps - Learn how to [onboard customers to Azure Lighthouse using ARM templates](onboard-customer.md).
+- Learn how to [onboard customers using Managed Services offers](publish-managed-services-offers.md).
- Learn more about [Azure AD Privileged Identity Management](../../active-directory/privileged-identity-management/pim-configure.md).-- Learn more about [tenants, users, and roles in Azure Lighthouse](../concepts/tenants-users-roles.md).
+- Learn more about [tenants, users, and roles in Azure Lighthouse](../concepts/tenants-users-roles.md).
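Review bot: The added approvers paragraph states twice that the user can't use the role until approval is granted (first and second sentences); keep one. "Approvers will also be notified when that happens" has an unclear antecedent: say whether the notification is sent on approval, on denial, or on both.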
logic-apps Logic Apps Gateway Connection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/logic-apps/logic-apps-gateway-connection.md
ms.suite: integration Previously updated : 07/13/2021 Last updated : 07/14/2021 # Connect to on-premises data sources from Azure Logic Apps
For information about how to use the gateway with other services, see these arti
In Azure Logic Apps, the on-premises data gateway supports the [on-premises connectors](../connectors/managed.md#on-premises-connectors) for these data sources: * [Apache Impala](/connectors/impala)
-* [BizTalk Server 2016](/connectors/biztalk)
+* [BizTalk Server](/connectors/biztalk)
* [File System](/connectors/filesystem) * [HTTP with Azure AD](/connectors/webcontents) * [IBM DB2](/connectors/db2)
logic-apps Logic Apps Pricing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/logic-apps/logic-apps-pricing.md
Title: Pricing and billing models
-description: Overview about how pricing and billing models work in Azure Logic Apps
+ Title: Usage metering, billing, and pricing
+description: Learn how usage metering, billing, and pricing models work in Azure Logic Apps.
ms.suite: integration
Last updated 07/10/2021
-# Pricing and billing models for Azure Logic Apps
+# Usage metering, billing, and pricing models for Azure Logic Apps
-[Azure Logic Apps](../logic-apps/logic-apps-overview.md) helps you create and run automated integration workflows that can scale in the cloud. This article describes how billing and pricing models work for Azure Logic Apps and related resources. For information such as specific pricing rates, cost planning, or different hosting environments, review the following content:
+[Azure Logic Apps](../logic-apps/logic-apps-overview.md) helps you create and run automated integration workflows that can scale in the cloud. This article describes how metering, billing, and pricing models work for Azure Logic Apps and related resources. For information such as specific pricing rates, cost planning, or different hosting environments, review the following content:
* [Pricing rates for Azure Logic Apps](https://azure.microsoft.com/pricing/details/logic-apps) * [Plan and manage costs for Azure Logic Apps](plan-manage-costs.md)
logic-apps Single Tenant Overview Compare https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/logic-apps/single-tenant-overview-compare.md
ms.suite: integration Previously updated : 05/25/2021 Last updated : 07/13/2021 # Single-tenant versus multi-tenant and integration service environment for Azure Logic Apps
With the **Logic App (Standard)** resource type, you can create these workflow t
* *Stateful*
- Create stateful workflows when you need to keep, review, or reference data from previous events. These workflows save the inputs and outputs for each action and their states in external storage, which makes reviewing the run details and history possible after each run finishes. Stateful workflows provide high resiliency if outages happen. After services and systems are restored, you can reconstruct interrupted runs from the saved state and rerun the workflows to completion. Stateful workflows can continue running for much longer than stateless workflows.
+ Create a stateful workflow when you need to keep, review, or reference data from previous events. These workflows save and transfer all the inputs and outputs for each action and their states to external storage, which makes reviewing the run details and history possible after each run finishes. Stateful workflows provide high resiliency if outages happen. After services and systems are restored, you can reconstruct interrupted runs from the saved state and rerun the workflows to completion. Stateful workflows can continue running for much longer than stateless workflows.
* *Stateless*
- Create stateless workflows when you don't need to save, review, or reference data from previous events in external storage for later review. These workflows save the inputs and outputs for each action and their states *only in memory*, rather than transferring this data to external storage. As a result, stateless workflows have shorter runs that are typically no longer than 5 minutes, faster performance with quicker response times, higher throughput, and reduced running costs because the run details and history aren't kept in external storage. However, if outages happen, interrupted runs aren't automatically restored, so the caller needs to manually resubmit interrupted runs. These workflows can only run synchronously.
+ Create a stateless workflow when you don't need to keep, review, or reference data from previous events in external storage after each run finishes for later review. These workflows save all the inputs and outputs for each action and their states *in memory only*, not in external storage. As a result, stateless workflows have shorter runs that are typically less than 5 minutes, faster performance with quicker response times, higher throughput, and reduced running costs because the run details and history aren't saved in external storage. However, if outages happen, interrupted runs aren't automatically restored, so the caller needs to manually resubmit interrupted runs. These workflows can only run synchronously.
+
+ > [!IMPORTANT]
+ > A stateless workflow provides the best performance when handling data or content, such as a file, that doesn't exceed 64 KB in *total* size.
+ > Larger content sizes, such as multiple large attachments, might significantly slow your workflow's performance or even cause your workflow to
+ > crash due to out-of-memory exceptions. If your workflow might have to handle larger content sizes, use a stateful workflow instead.
For easier debugging, you can enable run history for a stateless workflow, which has some impact on performance, and then disable the run history when you're done. For more information, see [Create single-tenant based workflows in Visual Studio Code](create-single-tenant-workflows-visual-studio-code.md#enable-run-history-stateless) or [Create single-tenant based workflows in the Azure portal](create-single-tenant-workflows-visual-studio-code.md#enable-run-history-stateless).
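Review bot: In the rewritten Stateless bullet, "in external storage after each run finishes for later review" stacks three qualifiers on one clause and no longer parses cleanly; the previous wording was easier to read. The change from "no longer than 5 minutes" to "less than 5 minutes" also shifts the stated limit slightly, so confirm it is intended. In the closing paragraph, the "Azure portal" link points to the same Visual Studio Code article as the link before it.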
logic-apps Workflow Definition Language Functions Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/logic-apps/workflow-definition-language-functions-reference.md
ms.suite: integration Previously updated : 03/30/2021 Last updated : 07/13/2021 # Reference guide to using functions in expressions for Azure Logic Apps and Power Automate
concat('Hello', 'World')
``` And returns this result: `"HelloWorld"`
+
+> [!NOTE]
+> The length of the result must not exceed 104,857,600 characters.
<a name="contains"></a>
join(createArray('a', 'b', 'c'), '.')
``` And returns this result: `"a.b.c"`
+
+> [!NOTE]
+> The length of the result must not exceed 104,857,600 characters.
<a name="last"></a>
range(1, 4)
``` And returns this result: `[1, 2, 3, 4]`
+
+> [!NOTE]
+> The `count` parameter value must be a positive integer that doesn't exceed 100,000. The sum of the `startIndex` and `count` values must not exceed 2,147,483,647.
<a name="replace"></a>
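Review bot: The limit on `startIndex` plus `count` in the added note is ambiguous next to the example: `range(1, 4)` returns `[1, 2, 3, 4]`, so the last value is `startIndex + count - 1`, not the sum. Say whether 2,147,483,647 bounds the sum or the largest returned value, and state what happens when `count` exceeds 100,000.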
Here is the result: `Paris`
## Next steps
-Learn about the [Workflow Definition Language](../logic-apps/logic-apps-workflow-definition-language.md)
+Learn about the [Workflow Definition Language](../logic-apps/logic-apps-workflow-definition-language.md)
machine-learning How To Access Azureml Behind Firewall https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-access-azureml-behind-firewall.md
Previously updated : 07/01/2021 Last updated : 07/13/2021
These rule collections are described in more detail in [What are some Azure Fire
### Inbound configuration
-When using Azure Machine Learning __compute instance__ or __compute cluster__, allow inbound traffic from the IP addresses for Azure Batch management and Azure Machine Learning services.
+When using Azure Machine Learning __compute instance__ or __compute cluster__, allow inbound traffic from Azure Batch management and Azure Machine Learning services. When creating the user-defined routes for this traffic, you can use either **IP Addresses** or **service tags** to route the traffic.
+
+> [!IMPORTANT]
+> Using service tags with user-defined routes is currently in preview and may not be fully supported. For more information, see [Virtual Network routing](../virtual-network/virtual-networks-udr-overview.md#service-tags-for-user-defined-routes-preview).
+
+# [IP Address routes](#tab/ipaddress)
For the Azure Machine Learning service, you must add the IP address of both the __primary__ and __secondary__ regions. To find the secondary region, see the [Ensure business continuity & disaster recovery using Azure Paired Regions](../best-practices-availability-paired-regions.md#azure-regional-pairs). For example, if your Azure Machine Learning service is in East US 2, the secondary region is Central US.
To get a list of IP addresses of the Batch service and Azure Machine Learning se
> * [Azure IP ranges and service tags for Azure Government](https://www.microsoft.com/download/details.aspx?id=57063) > * [Azure IP ranges and service tags for Azure China](https://www.microsoft.com//download/details.aspx?id=57062) - > [!IMPORTANT] > The IP addresses may change over time.
-When adding a UDR for the IP addresses, set the __Next hop type__ to __Internet__. The following image shows an example UDR in the Azure portal:
+When creating the UDR, set the __Next hop type__ to __Internet__. The following image shows an example UDR in the Azure portal:
:::image type="content" source="./media/how-to-enable-virtual-network/user-defined-route.png" alt-text="Image of a user-defined route configuration":::
+# [Service tag routes](#tab/servicetag)
+
+Create user-defined routes for the following service tags:
+
+* `AzureMachineLearning`
+* `BatchNodeManagement.<region>`, where `<region>` is your Azure region.
+++ For information on configuring UDR, see [Route network traffic with a routing table](../virtual-network/tutorial-create-route-table-portal.md). ### Outbound configuration
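Review bot: The new **Service tag routes** tab lists `AzureMachineLearning` and `BatchNodeManagement.<region>` but never says which next hop type to use, while the **IP Address routes** tab says to set __Next hop type__ to __Internet__. Suggest repeating that instruction in the service tag tab, or moving it below the tab group so it covers both. It is also worth stating whether the primary and secondary region requirement given for IP addresses applies to `BatchNodeManagement.<region>`.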
machine-learning How To Train With Ui https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-train-with-ui.md
+
+ Title: Create a Training Job from UI
+
+description: Learn how to use the job creation UI in Azure Machine Learning Studio to create a training job.
+++++++ Last updated : 06/22/2021+++
+# Create a training job with the job creation UI (preview)
+
+There are many ways to create a training job with Azure Machine Learning. You can use the CLI (see [Train models (create jobs) with the 2.0 CLI (preview)](how-to-train-cli.md)), the REST API (see [Train models with REST (preview)](how-to-train-with-rest.md)), or you can use the UI to directly create a training job. In this article, you'll learn how to use your own data and code to train a machine learning model with the job creation UI in Azure Machine Learning Studio.
+
+## Prerequisites
+
+* An Azure subscription. If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://aka.ms/AMLFree) today.
+
+* An Azure Machine Learning workspace. See [Create an Azure Machine Learning workspace](how-to-manage-workspace.md).
+
+* Understanding of what a job is in Azure Machine Learning. See [Introducing jobs](how-to-train-cli.md#introducing-jobs).
+
+## Get started
+
+1. Sign in to [Azure Machine Learning studio](https://ml.azure.com).
+
+1. Select your subscription and workspace.
+
+* You may enter the job creation UI from the homepage. Click **Create new** and select **Job**.
+[![Azure Machine Learning studio homepage](media/how-to-train-with-ui/home-entry.png)](media/how-to-train-with-ui/home-entry.png)
+
+* Or, you may enter the job creation from the left pane. Click **+New** and select **Job**.
+[![Azure Machine Learning studio left navigation](media/how-to-train-with-ui/left-nav-entry.png)](media/how-to-train-with-ui/left-nav-entry.png)
+
+* Or, if you're in the Experiment page, you may go to the **All runs** tab and click **Create job**.
+[![Experiment page entry for job creation UI](media/how-to-train-with-ui/experiment-entry.png)](media/how-to-train-with-ui/experiment-entry.png)
+
+These options will all take you to the job creation panel, which has a wizard for configuring and creating a training job.
+
+## Select compute resources
+
+The first step in the job creation UI is to select the compute target on which you'd like your job to run. The job creation UI supports several compute types:
+
+| Compute Type | Introduction |
+| | |
+| Compute instance | [What is an Azure Machine Learning compute instance?](concept-compute-instance.md) |
+| Compute cluster | [What is a compute cluster?](how-to-create-attach-compute-cluster.md#what-is-a-compute-cluster) |
+| Attached Kubernetes cluster | [Configure Azure Arc enabled machine learning (preview)](how-to-attach-arc-kubernetes.md). |
+
+1. Select a compute type
+1. Select an existing compute resource. The dropdown shows the node information and SKU type to help your choice.
+1. For a compute cluster or a Kubernetes cluster, you may also specify how many nodes you want for the job in **Instance count**. The default number of instances is 1.
+1. When you're satisfied with your choices, choose **Next**.
+ [![Select a compute cluster](media/how-to-train-with-ui/compute-cluster.png)](media/how-to-train-with-ui/compute-cluster.png)
+
+If you're using Azure Machine Learning for the first time, you'll see an empty list and a link to create a new compute.
+
+ [![Create a new compute instance](media/how-to-train-with-ui/create-new-compute.png)](media/how-to-train-with-ui/create-new-compute.png)
+
+For more information on creating the various types, see:
+
+| Compute Type | How to |
+| | |
+| Compute instance | [Create and manage an Azure Machine Learning compute instance](how-to-create-manage-compute-instance.md) |
+| Compute cluster | [Create an Azure Machine Learning compute cluster](how-to-create-attach-compute-cluster.md) |
+| Attached Kubernetes cluster | [Attach an Azure Arc enabled Kubernetes cluster](how-to-attach-arc-kubernetes.md) |
+
+## Specify the necessary environment
+
+After selecting a compute target, you need to specify the runtime environment for your job. The job creation UI supports three types of environment:
+
+* Curated environments
+* Custom environments
+* Container registry image
+
+### Curated environments
+
+Curated environments are Azure-defined collections of Python packages used in common ML workloads. Curated environments are available in your workspace by default. These environments are backed by cached Docker images, which reduce the run preparation overhead. The cards displayed in the "Curated environments" page show details of each environment.
+
+ [![Curated environments](media/how-to-train-with-ui/curated-env.png)](media/how-to-train-with-ui/curated-env.png)
+
+### Custom environments
+
+Custom environments are environments you've specified yourself. You can specify an environment or reuse an environment that you've already created. To learn more, see [Manage software environments in Azure Machine Learning studio (preview)](how-to-manage-environments-in-studio.md#create-an-environment).
+
+### Container registry image
+
+If you don't want to use the Azure Machine Learning curated environments or specify your own custom environment, you can use a docker image from a public container registry such as [Docker Hub](https://hub.docker.com/). If the image is in a private container, toggle **This is a private container registry**. For private registries, you will need to enter a valid username and password so Azure can get the image.
+[![Container registry image](media/how-to-train-with-ui/container-registry-image.png)](media/how-to-train-with-ui/container-registry-image.png)
+
+## Configure your job
+
+After specifying the environment, you can configure your job with more settings.
+
+|Field| Description|
+|| |
+|Job name| The job name field is used to uniquely identify your job. It's also used as the display name for your job. Setting this field is optional; Azure will generate a GUID name for the job if you don't enter anything. Note: the job name must be unique.|
+|Experiment name| This helps organize the job in Azure Machine Learning studio. Each job's run record will be organized under the corresponding experiment in the studio's "Experiment" tab. By default, Azure will put the job in the **Default** experiment.|
+|Code| You can upload a code file or a folder from your machine, or upload a code file from the workspace's default blob storage. Azure will show the files to be uploaded after you make the selection. |
+|Command| The command to execute. Command-line arguments can be explicitly written into the command or inferred from other sections, specifically **inputs** using curly braces notation, as discussed in the next section.|
+|Inputs| Specify the input binding. We support three types of inputs: 1) Azure Machine Learning registered dataset; 2) workspace default blob storage; 3) upload local file. You can add multiple inputs. |
+|Environment variables| Setting environment variables allows you to provide dynamic configuration of the job. You can add the variable and value here.|
+|Tags| Add tags to your job to help with organization.|
+
+### Specify code and inputs in the command box
+
+#### Code
+
+The command is run from the root directory of the uploaded code folder. After you select your code file or folder, you can see the files to be uploaded. Copy the relative path to the code containing your entry point and paste it into the box labeled **Enter the command to start the job**.
+
+If the code is in the root directory, you can directly refer to it in the command. For instance, `python main.py`.
+
+If the code isn't in the root directory, you should use the relative path. For example, the structure of the [word language model](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/train/pytorch/word-language-model) is:
+
+```tree
+.
+Γö£ΓöÇΓöÇ job.yml
+Γö£ΓöÇΓöÇ data
+ΓööΓöÇΓöÇ src
+ ΓööΓöÇΓöÇ main.py
+```
+Here, the source code is in the `src` subdirectory. The command would be `python ./src/main.py` (plus other command-line arguments).
+
+[![Refer code in the command](media/how-to-train-with-ui/code-command.png)](media/how-to-train-with-ui/code-command.png)
+
+#### Inputs
+
+There are two ways to do input binding:
+
+* Input name: When you use an input in the command, you need to specify the input name. To indicate an input variable, use the form `{inputs.input_name}`. For instance, `{inputs.wiki}`. You can then refer to it in the command, for instance, `--data {inputs.wiki}`.
+[![Refer input name in the command](media/how-to-train-with-ui/input-command-name.png)](media/how-to-train-with-ui/input-command-name.png)
+
+* Path: You can use `--data .path` to specify a cloud location. The path is what you enter in the **Path on compute** field.
+[![Refer input path in the command](media/how-to-train-with-ui/input-command-path.png)](media/how-to-train-with-ui/input-command-path.png)
+
+>[!NOTE]
+>In the **command to start the job**, you must add a period to the **Path on compute** value. For instance, `/data/wikitext-2` becomes `./data/wikitext-2`.
+
+## Review and Create
+
+Once you've configured your job, choose **Next** to go to the **Review** page. To modify a setting, choose the pencil icon and make the change.
+
+You may choose **view the YAML spec** to review and download the yaml file generated by this job configuration. This job yaml file can be used to submit the job from the 2.0 CLI. (See [Train models (create jobs) with the 2.0 CLI (preview)](how-to-train-cli.md).)
+[![view yaml spec](media/how-to-train-with-ui/view-yaml.png)](media/how-to-train-with-ui/view-yaml.png)
+[![Yaml spec](media/how-to-train-with-ui/yaml-spec.png)](media/how-to-train-with-ui/yaml-spec.png)
+
+To launch the job, choose **Create**. Once the job is created, Azure will show you the run details page, where you can monitor and manage your training job.
+
+## Next steps
+
+* [Deploy and score a machine learning model with a managed online endpoint (preview)](how-to-deploy-managed-online-endpoints.md).
+
+* [Train models (create jobs) with the 2.0 CLI (preview)](how-to-train-cli.md)
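Review bot: The **Container registry image** section tells the reader to enter a username and password for a private registry but does not say how that credential is stored or who in the workspace can read it afterwards, and the **Environment variables** row invites arbitrary values without saying whether they appear in the YAML spec that **Review and Create** lets the user download. Suggest a sentence on each, so readers know whether secrets are safe to enter in these fields. Separately, in **Inputs** the text `--data .path` is hard to parse until the note that follows it; using the note's own example, `--data ./data/wikitext-2`, in the bullet would make it self-explanatory.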
machine-learning Quickstart Create Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/quickstart-create-resources.md
If you don't yet have a workspace, create one now:
[!INCLUDE [aml-create-portal](../../includes/aml-create-in-portal.md)]
-> [!div class="nextstepaction"]
-> [I created a workspace](?success=create-workspace#instance) [I ran into an issue](https://www.research.net/r/7C8Z3DN?issue=create-workspace)
-- ## <a name="instance"></a> Create compute instance You could install Azure Machine Learning on your own computer. But in this quickstart, you'll create an online compute resource that has a development environment already installed and ready to go. You'll use this online machine, a *compute instance*, for your development environment to write and run code in Python scripts and Jupyter notebooks.
Create a *compute instance* to use this development environment for the rest of
In about two minutes, you'll see the **State** of the compute instance change from *Creating* to *Running*. It's now ready to go.
-> [!div class="nextstepaction"]
-> [I created a compute instance](?success=create-instance#cluster) [I ran into an issue](https://www.research.net/r/7C8Z3DN?issue=create-instance)
- ## <a name="cluster"></a> Create compute clusters Next you'll create a compute cluster. Clusters allow you to distribute a training or batch inference process across a cluster of CPU or GPU compute nodes in the cloud.
In less than a minute, the **State** of the cluster will change from *Creating*
> [!NOTE] > When the cluster is created, it will have 0 nodes provisioned. The cluster *does not* incur costs until you submit a job. This cluster will scale down when it has been idle for 2,400 seconds (40 minutes). This will give you time to use it in a few tutorials if you wish without waiting for it to scale back up.
-> [!div class="nextstepaction"]
-> [I created a compute cluster](?success=create-compute-cluster#clean-up) [I ran into an issue](https://www.research.net/r/7C8Z3DN?issue=create-compute-cluster)
- ## <a name="studio"></a> Quick tour of the studio The studio is your web portal for Azure Machine Learning. This portal combines no-code and code-first experiences for an inclusive data science platform.
machine-learning Tutorial 1St Experiment Bring Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/tutorial-1st-experiment-bring-data.md
optimizer = optim.SGD(
) ```
-> [!div class="nextstepaction"]
-> [I adjusted the training script](?success=adjust-training-script#upload) [I ran into an issue](https://www.research.net/r/7C6W7BQ?issue=adjust-training-script)
- ## <a name="upload"></a> Upload the data to Azure
To run this script in Azure Machine Learning, you need to make your training dat
Uploaded 9 files ```
-> [!div class="nextstepaction"]
-> [I uploaded the data](?success=upload-data#control-script) [I ran into an issue](https://www.research.net/r/7C6W7BQ?issue=upload-data)
- ## <a name="control-script"></a> Create a control script As you've done previously, create a new Python control script called *run-pytorch-data.py* in the **get-started** folder:
The control script is similar to the one from [part 3 of this series](tutorial-1
:::column-end::: :::row-end:::
-> [!div class="nextstepaction"]
-> [I created the control script](?success=control-script#submit-to-cloud) [I ran into an issue](https://www.research.net/r/7C6W7BQ?issue=control-script)
- ## <a name="submit-to-cloud"></a> Submit the run to Azure Machine Learning Select **Save and run script in terminal** to run the *run-pytorch-data.py* script. This run will train the model on the compute cluster using the data you uploaded. This code will print a URL to the experiment in the Azure Machine Learning studio. If you go to that link, you'll be able to see your code running.
-> [!div class="nextstepaction"]
-> [I resubmitted the run](?success=submit-to-cloud#inspect-log) [I ran into an issue](https://www.research.net/r/7C6W7BQ?issue=submit-to-cloud)
### <a name="inspect-log"></a> Inspect the log file
Notice:
- Azure Machine Learning has mounted Blob Storage to the compute cluster automatically for you. - The ``dataset.as_named_input('input').as_mount()`` used in the control script resolves to the mount point.
-> [!div class="nextstepaction"]
-> [I inspected the log file](?success=inspect-log#clean-up-resources) [I ran into an issue](https://www.research.net/r/7C6W7BQ?issue=inspect-log)
## Clean up resources
You saw how to modify your training script to accept a data path via the command
Now that you have a model, learn:
-* How to [deploy models with Azure Machine Learning](how-to-deploy-and-where.md).
+> [!div class="nextstepaction"]
+> [How to deploy models with Azure Machine Learning](how-to-deploy-and-where.md).
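Review bot: The converted link in the `nextstepaction` block keeps the trailing period from the old bullet, and the lead-in "Now that you have a model, learn:" still reads as the introduction to a list. Suggest dropping the period and rewording the lead-in so it works above a single link.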
machine-learning Tutorial 1St Experiment Hello World https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/tutorial-1st-experiment-hello-world.md
Select **Save and run script in terminal** to run the script.
You'll see the output of the script in the terminal window that opens. Close the tab and select **Terminate** to close the session.
-> [!div class="nextstepaction"]
-> [I ran the script locally](?success=run-local#control-script) [I ran into an issue](https://www.research.net/r/7C2NTH7?issue=run-local)
- ## <a name="control-script"></a> Create a control script A *control script* allows you to run your `hello.py` script on different compute resources. You use the control script to control how and where your machine learning code is run.
Here's a description of how the control script works:
:::column-end::: :::row-end:::
-> [!div class="nextstepaction"]
-> [I created the control script](?success=create-control-script#submit) [I ran into an issue](https://www.research.net/r/7C2NTH7?issue=create-control-script)
## <a name="submit"></a> Submit and run your code in the cloud
In the terminal, you may be asked to sign in to authenticate. Copy the code and
> [!TIP] > If you just finished creating the compute cluster, you may see the error "UserError: Required Docker image not found..." Wait about 5 minutes or so, and try again. The compute cluster may need more time before it is ready to spin up nodes.
-> [!div class="nextstepaction"]
-> [I submitted code in the cloud](?success=submit-to-cloud#monitor) [I ran into an issue](https://www.research.net/r/7C2NTH7?issue=submit-to-cloud)
## <a name="monitor"></a>Monitor your code in the cloud in the studio
On line 8, you see the "Hello world!" output.
The `70_driver_log.txt` file contains the standard output from a run. This file can be useful when you're debugging remote runs in the cloud.
-> [!div class="nextstepaction"]
-> [I saw the log in studio](?success=monitor-in-studio#next-steps) [I ran into an issue](https://www.research.net/r/7C2NTH7?issue=monitor-in-studio)
## Next steps
machine-learning Tutorial 1St Experiment Sdk Train https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/tutorial-1st-experiment-sdk-train.md
The training code is taken from [this introductory example](https://pytorch.org/
1. You now have the following folder structure: :::image type="content" source="media/tutorial-1st-experiment-sdk-train/directory-structure.png" alt-text="Directory structure shows train.py in src subdirectory":::
-
-
-> [!div class="nextstepaction"]
-> [I created the training scripts](?success=create-scripts#test-local) [I ran into an issue](https://www.research.net/r/7CTJQQN?issue=create-scripts)
## <a name="test-local"></a> Test locally
After the script completes, select **Refresh** above the file folders. You'll se
:::image type="content" source="media/tutorial-1st-experiment-hello-world/directory-with-data.png" alt-text="Screenshot of folders shows new data folder created by running the file locally.":::
-> [!div class="nextstepaction"]
-> [I ran the code locally](?success=test-local#create-local) [I ran into an issue](https://www.research.net/r/7CTJQQN?issue=test-local)
- ## <a name="create-local"></a> Create the control script
if __name__ == "__main__":
:::column-end::: :::row-end:::
-> [!div class="nextstepaction"]
-> [I created the control script](?success=control-script#submit) [I ran into an issue](https://www.research.net/r/7CTJQQN?issue=control-script)
-- ## <a name="submit"></a> Submit the run to Azure Machine Learning Select **Save and run script in terminal** to run the *run-pytorch.py* script.
Finished Training
> > Select the **...** at the end of the folder, then select **Move** to move **data** to the **get-started** folder. --
-> [!div class="nextstepaction"]
-> [I submitted the run](?success=test-w-environment#log) [I ran into an issue](https://www.research.net/r/7CTJQQN?issue=test-w-environment)
- ## <a name="log"></a> Log training metrics Now that you have a model training in Azure Machine Learning, start tracking some performance metrics.
compare metrics.
- Equipped with a UI so you can visualize training performance in the studio. - Designed to scale, so you keep these benefits even as you run hundreds of experiments.
-> [!div class="nextstepaction"]
-> [I modified train.py ](?success=modify-train#log) [I ran into an issue](https://www.research.net/r/7CTJQQN?issue=modify-train)
-- ### <a name="submit-again"></a> Submit the run to Azure Machine Learning Select the tab for the *run-pytorch.py* script, then select **Save and run script in terminal** to re-run the *run-pytorch.py* script.
This time when you visit the studio, go to the **Metrics** tab where you can now
:::image type="content" source="media/tutorial-1st-experiment-sdk-train/logging-metrics.png" alt-text="Training loss graph on the Metrics tab.":::
-> [!div class="nextstepaction"]
-> [I resubmitted the run](?success=resubmit-with-logging#next-steps) [I ran into an issue](https://www.research.net/r/7CTJQQN?issue=resubmit-with-logging)
- ## Next steps In this session, you upgraded from a basic "Hello world!" script to a more realistic training script that required a specific Python environment to run. You saw how to use curated Azure Machine Learning environments. Finally, you saw how in a few lines of code you can log metrics to Azure Machine Learning.
marketplace Create Managed Service Offer Listing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/create-managed-service-offer-listing.md
On the **Offer listing** page in Partner Center, provide the information describ
4. In the **Description** field, describe your Managed Service offer. You can enter up to 2,000 characters of text in this box, including HTML tags and spaces. For information about HTML formatting, see [HTML tags supported in the offer descriptions](./supported-html-tags.md). 5. In the **Privacy policy link** box, enter a link (starting with https) to your organization's privacy policy. You're responsible to ensure your offer complies with privacy laws and regulations, and for providing a valid privacy policy.
-## Useful links
+## Product information links
You have the option to provide supplemental online documents about your solution:
You have the option to provide supplemental online documents about your solution
Enter the name, email address, and phone number of two people in your company (you can be one of them): a support contact and an engineering contact. We'll use this information to communicate with you about your offer. This information isnΓÇÖt shown to customers but may be provided to Cloud Solution Provider (CSP) partners.
-## Support URLs
+## Support link
If you have support websites for Azure Global Customers and/or Azure Government customers, enter their URL, starting with https.
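Review bot: The heading is renamed to the singular **Support link**, but the sentence under it still covers support websites for Azure Global customers and/or Azure Government customers, which can mean two URLs. Suggest either keeping the plural or rewording the sentence to match. Renaming both headings in this file also changes their anchors, so check inbound links to the old **Useful links** and **Support URLs** sections.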
marketplace Create Managed Service Offer Plans https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/create-managed-service-offer-plans.md
You can create up to 20 authorizations for each plan.
Provide the following information for each **Authorization**. Select **+ Add authorization** as needed to add more users and role definitions. - **Display Name**: A friendly name to help the customer understand the purpose of this authorization. The customer will see this name when delegating resources.-- **Principal ID**: The Azure AD identifier of a user, user group, or application that will be granted certain permissions (as defined by the Role Definition) to your customers' resources.-- **Access type**: **Active** authorizations have the privileges assigned to the role at all times. Each plan must have at least one Active authorization. **Eligible** authorizations are time-limited and require activation by the customer. Eligible authorizations can be set with a maximum duration and an option to require multifactor authorization to activate for security purposes.
+- **Principal ID**: The Azure AD identifier of a user, user group, or service principal that will be granted certain permissions (as defined by the **Role** you specify) to your customers' resources.
+- **Access type**:
+ - **Active** authorizations have the privileges assigned to the role at all times. Each plan must have at least one Active authorization.
+ - **Eligible** authorizations are time-limited and require activation by the user. If you select **Eligible**, you must select a maximum duration that defines the total length of time for which the user will have the eligible role after it's activated. The minimum value is 30 minutes and the maximum is 8 hours. You can also select whether to require multifactor authentication in order to activate the role. Note that eligible authorizations are currently in public preview and have specific licensing requirements. For more information, see [Create eligible authorizations](../lighthouse/how-to/create-eligible-authorizations.md).
- **Role**: Select one of the available Azure AD built-in roles from the list. This role will determine the permissions that the user in the **Principal ID** field will have on your customers' resources. For descriptions of these roles, see [Built-in roles](../role-based-access-control/built-in-roles.md) and [Role support for Azure Lighthouse](../lighthouse/concepts/tenants-users-roles.md#role-support-for-azure-lighthouse). > [!NOTE] > As applicable new built-in roles are added to Azure, they will become available here, although there may be some delay before they appear. - **Assignable Roles**: This option will appear only if you have selected User Access Administrator in the **Role Definition** for this authorization. If so, you must add one or more assignable roles here. The user in the **Azure AD Object ID** field will be able to assign these roles to [managed identities](../active-directory/managed-identities-azure-resources/overview.md), which is required in order to [deploy policies that can be remediated](../lighthouse/how-to/deploy-policy-remediation.md). No other permissions normally associated with the User Access Administrator role will apply to this user.
+- **Approvers**: This option will appear only if the **Access type** is set to **Eligible**. If so, you can optionally specify a list of up to ten users or user groups who can [approve or deny requests from a user to activate the eligible role](../lighthouse/how-to/create-eligible-authorizations.md#approvers). Approvers will be notified when the approval is requested and has been granted. If none are provided, the authorization will activate automatically.
> [!TIP] > To ensure you can [remove access to a delegation](../lighthouse/how-to/remove-delegation.md) if needed, include an **Authorization** with the **Role Definition** set to [Managed Services Registration Assignment Delete Role](../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role). If this role is not assigned, delegated resources can only be removed by a user in the customer's tenant.
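Review bot: The rewritten **Principal ID** bullet now refers to the **Role** you specify, but the unchanged **Assignable Roles** bullet and the TIP still say **Role Definition**, and **Assignable Roles** calls the same field **Azure AD Object ID**. Suggest aligning all three with the new names. In the new **Approvers** bullet, "If none are provided, the authorization will activate automatically" is the security-relevant default and deserves a mention in the **Eligible** bullet as well, next to the multifactor authentication option. The phrase "notified when the approval is requested and has been granted" should also say plainly whether approvers are notified at both points.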
Once you've completed all of the sections for your plan, you can select **+ Crea
## Updating an offer
-You can [publish an updated version of your offer](update-existing-offer.md) at any time. For example, you may want to add a new role definition to a previously published offer. When you do so, customers who have already added the offer will see an icon in the [**Service providers**](../lighthouse/how-to/view-manage-service-providers.md) page in the Azure portal that lets them know an update is available. Each customer will be able to review the changes and decide whether they want to update to the new version.
+After your offer is published, you can [publish an updated version of your offer](update-existing-offer.md) at any time. For example, you may want to add a new role definition to a previously published offer. When you do so, customers who have already added the offer will see an icon in the [**Service providers**](../lighthouse/how-to/view-manage-service-providers.md) page in the Azure portal that lets them know an update is available. Each customer will be able to review the changes and decide whether they want to update to the new version.
## Next steps
marketplace Create Managed Service Offer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/create-managed-service-offer.md
After you submit your offer for publication in Partner Center, we'll validate th
> [!TIP] > Make sure the connection to the lead destination stays updated so you don't lose any leads.
-## Configure offer properties
-
-On the Properties page of your offer in Partner Center, youΓÇÖll define the categories applicable to your offer, and legal contracts. This information ensures your Managed Service is displayed correctly on the online store and offered to the right set of customers.
-
-### Select a category
-
-Under **Categories**, select at least one and up to five categories for grouping your offer into the appropriate commercial marketplace search areas.
-
-### Provide terms and conditions
-
-Under **Legal**, provide your terms and conditions for this offer. Customers will be required to accept them before using the offer. You can also provide the URL where your terms and conditions can be found.
- Select **Save draft** before continuing to the next tab, **Properties**. ## Next step
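Review bot: With the **Configure offer properties** section removed, the remaining sentence "Select **Save draft** before continuing to the next tab, **Properties**" sends the reader to a tab this article no longer describes. Suggest linking to wherever the category and terms and conditions steps now live, or confirming that the tab named in the sentence is still the next one.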
marketplace Marketplace Commercial Transaction Capabilities And Considerations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/marketplace-commercial-transaction-capabilities-and-considerations.md
description: This article describes pricing, billing, invoicing, and payout cons
Previously updated : 07/05/2021 Last updated : 07/12/2021
The transact publishing option is currently supported for the following offer ty
| Offer type | Billing cadence | Metered billing | Pricing model | | | - | - | - |
-| Azure Application<br>(Managed application) | Monthly | Yes | Usage-based |
+| Azure Application <br>(Managed application) | Monthly | Yes | Usage-based |
| Azure Virtual Machine | Monthly * | No | Usage-based, BYOL | | Software as a service (SaaS) | Monthly and annual | Yes | Flat rate, per user, usage-based. | |||||
In this scenario, Microsoft bills $1.14 per hour for use of your published VM im
| **Microsoft bills** | **$1.14 per hour** | |||
-| Microsoft pays you 80% of your license cost | $0.80 per hour |
-| Microsoft keeps 20% of your license cost | $0.20 per hour |
+| Microsoft pays you 97% of your license cost | $0.97 per hour |
+| Microsoft keeps 3% of your license cost | $0.03 per hour |
| Microsoft keeps 100% of the Azure usage cost | $0.14 per hour | ||
SaaS subscriptions can be priced at a flat rate or per user on a monthly or annu
| _Customer is billed by Microsoft_ | _$100.00 per month (publisher must account for any incurred or pass-through infrastructure costs in the license fee)_ | ||
-In this scenario, Microsoft bills $100.00 for your software license and pays out $80.00 or $90.00 to you depending on whether the offer qualifies for a reduced store service fee.
+In this scenario, Microsoft bills $100.00 for your software license and pays out $97.00.
| **Microsoft bills** | **$100.00 per month** | |||
-| Microsoft pays you 80% of your license cost <br> \* Microsoft pays you 90% of your license cost for any qualified SaaS apps | $80.00 per month <br> \* $90.00 per month |
-| Microsoft keeps 20% of your license cost <br> \* Microsoft keeps 10% of your license cost for any qualified SaaS apps. | $20.00 per month <br> \* $10.00 |
+| Microsoft pays you 97% of your license cost | $97.00 per month |
+| Microsoft keeps 3% of your license cost | $3.00 per month |
### Commercial marketplace service fees
-We charge a 20% standard store service fee when customers purchase your transact offer from the commercial marketplace. For details of this fee, see section 5c of the [Microsoft Publisher Agreement](/legal/marketplace/msft-publisher-agreement).
-
-For certain transact offers that you publish to the commercial marketplace, you may qualify for a reduced store service fee of 10%. For an offer to qualify, it must have been designated by Microsoft as _Azure IP Co-sell incentivized_. Eligibility must be met at least five business days before the end of each calendar month to receive the Reduced Marketplace Service Fee. Once eligibility is met, the reduced service fee is awarded to all transactions effective the first day of the following month until _Azure IP Co-sell incentivized_ status is lost. For details about IP co-sell eligibility, see [Requirements for co-sell status](/legal/marketplace/certification-policies#3000-requirements-for-co-sell-status).
-
-The Reduced Marketplace Service Fee applies to Azure IP Co-sell incentivized SaaS, VMs, Managed apps, and any other qualified transactable IaaS solutions made available through the commercial marketplace. Paid SaaS offers associated with one Microsoft Teams app or at least two Microsoft 365 add-ins (Excel, PowerPoint, Word, Outlook, and SharePoint) and published to Microsoft AppSource can also qualify for this discount.
+We charge a 3% standard store service fee when customers purchase your transact offer from the commercial marketplace.
### Customer invoicing, payment, billing, and collections
When subscription or Pay-as-You-Go (also called usage-based) pricing models are
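Review bot: The new sentence under "Commercial marketplace service fees" states the 3% store service fee but drops the pointer to the [Microsoft Publisher Agreement](/legal/marketplace/msft-publisher-agreement) that the removed paragraph carried, so the figure no longer has a contractual reference on the page. If the agreement still governs the fee, keep a link to it in the replacement sentence. The removed text about _Azure IP Co-sell incentivized_ offers also leaves readers who were on the reduced 10% fee without a statement of what now applies to them.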
### Publisher payout and reporting
-Any software licensing fees collected by Microsoft as an agent are subject to a 20% transaction fee unless otherwise specified and are deducted at the time of publisher payout.
+Any software licensing fees collected by Microsoft as an agent are subject to a 3% store service fee unless otherwise specified and are deducted at the time of publisher payout.
Customers typically purchase using the Enterprise Agreement or a credit-card enabled pay-as-you-go agreement. The agreement type determines billing, invoicing, collection, and payout timing.
migrate Prepare For Agentless Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/prepare-for-agentless-migration.md
You can also use this article to manually prepare the VMs for migration to Azure
## Hydration process
-You have to make some changes to the VMs configuration before the migration to ensure that the migrated VMs function properly on Azure. Azure Migrate handles these configuration changes via the *hydration* process. The hydration process is only performed for the versions of Azure supported operating systems given above. You need to perform the required changes manually before you migrate. If the VM is migrated without the required changes, the VM may not boot, or you may not have connectivity to the migrated VM. The following diagram shows you that Azure Migrate performs the hydration process.
+You have to make some changes to the VMs configuration before the migration to ensure that the migrated VMs function properly on Azure. Azure Migrate handles these configuration changes via the *hydration* process. The hydration process is only performed for the versions of Azure supported operating systems given above. Before you migrate, you may need to perform the required changes manually for other operating system versions that are not listed above. If the VM is migrated without the required changes, the VM may not boot, or you may not have connectivity to the migrated VM. The following diagram shows you that Azure Migrate performs the hydration process.
[![Hydration steps](./media/concepts-prepare-vmware-agentless-migration/hydration-process-inline.png)](./media/concepts-prepare-vmware-agentless-migration/hydration-process-expanded.png#lightbox) When a user triggers *Test Migrate* or *Migrate*, Azure Migrate performs the hydration process to prepare the on-premises VM for migration to Azure. To set up the hydration process, Azure Migrate creates a temporary Azure VM and attaches the disks of the source VM to perform changes to make the source VM ready for Azure. The temporary Azure VM is an intermediate VM created during the migration process before the final migrated VM is created. The temporary VM will be created with a similar OS type (Windows/Linux) using one of the marketplace OS images. If the on-premises VM is running Windows, the operating system disk of the on-premises VM will be attached as a data disk to the temporary VM for performing changes. If it is a Linux server, all the disks attached to the on-premises VM will be attached as data disks to the temporary Azure VM.
-Azure Migrate will create the network interface, a new virtual network, subnet, and a network security group (NSG) to host the temporary VM. If there are conflicting policies that prevent the creation of the network artifacts, Azure Migrate will attempt to create the temporary Azure VM in the virtual network and subnet provided as part of the replication target settings options.
+Azure Migrate will create the network interface, a new virtual network, subnet, and a network security group (NSG) to host the temporary VM. These resources are created in the customer's subscription. If there are conflicting policies that prevent the creation of the network artifacts, Azure Migrate will attempt to create the temporary Azure VM in the virtual network and subnet provided as part of the replication target settings options.
After the virtual machine is created, Azure Migrate will invoke the [Custom Script Extension](/azure/virtual-machines/extensions/custom-script-windows) on the temporary VM using the Azure Virtual Machine REST API. The Custom Script Extension utility will execute a preparation script containing the required configuration for Azure readiness on the on-premises VM disks attached to the temporary Azure VM. The preparation script is downloaded from an Azure Migrate owned storage account. The network security group rules of the virtual network will be configured to permit the temporary Azure VM to access the Azure Migrate storage account for invoking the script.
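Review bot: The added sentence "These resources are created in the customer's subscription." does not say what happens to the temporary VM, network interface, virtual network, subnet and NSG once hydration finishes. Because these resources sit in the customer's subscription and the NSG is configured to allow access to the Azure Migrate storage account, state whether Azure Migrate removes them after the migration and which permissions the migration needs to create them, so readers can account for them in policy, cost and network reviews.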
migrate Tutorial Assess Sql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-assess-sql.md
In this tutorial, you learn how to:
> [!NOTE] > Tutorials show the quickest path for trying out a scenario, and use default options where possible.
+> [!NOTE]
+> If SQL Servers are running on non-VMware
+platforms. [Assess the readiness of a SQL
+Server data estate migrating to Azure SQL
+Database using the Data Migration Assistant](/sql/dma/dma-assess-sql-data-estate-to-sqldb).
## Prerequisites
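Review bot: The added note is a sentence fragment: "If SQL Servers are running on non-VMware platforms." ends with a period before the action it introduces. Only its first line carries the `>` quote prefix, and the text is hard-wrapped in the middle of the link. Suggest a single quoted line, for example `> If SQL Servers are running on non-VMware platforms, [assess the readiness of a SQL Server data estate migrating to Azure SQL Database using the Data Migration Assistant](/sql/dma/dma-assess-sql-data-estate-to-sqldb).`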
migrate Tutorial Migrate Aws Virtual Machines https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-migrate-aws-virtual-machines.md
After you've verified that the test migration works as expected, you can migrate
- Deploy [Azure Disk Encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) to help secure disks, and keep data safe from theft and unauthorized access. - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/), and visit the [Azure Security Center](https://azure.microsoft.com/services/security-center/). - For monitoring and management:
- - Consider deploying [Azure Cost Management](../cost-management-billing/cloudyn/overview.md) to monitor resource usage and spending.
+ - Consider deploying [Azure Cost Management](../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending.
migrate Tutorial Migrate Gcp Virtual Machines https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-migrate-gcp-virtual-machines.md
After you've verified that the test migration works as expected, you can migrate
- Deploy [Azure Disk Encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) to help secure disks, and keep data safe from theft and unauthorized access. - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/), and visit the [Azure Security Center](https://azure.microsoft.com/services/security-center/). - For monitoring and management:
- - Consider deploying [Azure Cost Management](../cost-management-billing/cloudyn/overview.md) to monitor resource usage and spending.
+ - Consider deploying [Azure Cost Management](../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending.
migrate Tutorial Migrate Hyper V https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-migrate-hyper-v.md
If you don't have an Azure subscription, create a [free account](https://azure.m
Before you begin this tutorial, you should: 1. [Review](hyper-v-migration-architecture.md) the Hyper-V migration architecture.
-2. [Review](migrate-support-matrix-hyper-v-migration.md#hyper-v-host-requirements) Hyper-V host requirements for migration, and the Azure URLs to which Hyper-V hosts and clusters need access for VM migration.
-3. [Review](migrate-support-matrix-hyper-v-migration.md#hyper-v-vms) the requirements for Hyper-V VMs that you want to migrate to Azure.
-4. We recommend that you [assess Hyper-V VMs](tutorial-assess-hyper-v.md) before migrating them to Azure, but you don't have to.
-5. Go to the already created project or [create a new project](./create-manage-projects.md)
-6. Verify permissions for your Azure account - Your Azure account needs permissions to create a VM, and write to an Azure managed disk.
+1. [Review](migrate-support-matrix-hyper-v-migration.md#hyper-v-host-requirements) Hyper-V host requirements for migration, and the Azure URLs to which Hyper-V hosts and clusters need access for VM migration.
+1. [Review](migrate-support-matrix-hyper-v-migration.md#hyper-v-vms) the requirements for Hyper-V VMs that you want to migrate to Azure.
+1. We recommend that you [assess Hyper-V VMs](tutorial-assess-hyper-v.md) before migrating them to Azure, but you don't have to.
+1. Go to the already created project or [create a new project.](./create-manage-projects.md)
+1. Verify permissions for your Azure account - Your Azure account needs permissions to create a VM, and write to an Azure managed disk.
-## Download and install the provider
+## Download the provider
For migrating Hyper-V VMs, Azure Migrate:Server Migration installs software providers (Microsoft Azure Site Recovery provider and Microsoft Azure Recovery Service agent) on Hyper-V Hosts or cluster nodes. Note that the [Azure Migrate appliance](migrate-appliance.md) isn't used for Hyper-V migration. 1. In the Azure Migrate project > **Servers**, in **Azure Migrate: Server Migration**, click **Discover**.
-2. In **Discover machines** > **Are your machines virtualized?**, select **Yes, with Hyper-V**.
-3. In **Target region**, select the Azure region to which you want to migrate the machines.
-6. Select **Confirm that the target region for migration is region-name**.
-7. Click **Create resources**. This creates an Azure Site Recovery vault in the background.
+1. In **Discover machines** > **Are your machines virtualized?**, select **Yes, with Hyper-V**.
+1. In **Target region**, select the Azure region to which you want to migrate the machines.
+1. Select **Confirm that the target region for migration is region-name**.
+1. Click **Create resources**. This creates an Azure Site Recovery vault in the background.
- If you've already set up migration with Azure Migrate Server Migration, this option won't appear since resources were set up previously. - You can't change the target region for this project after clicking this button. - All subsequent migrations are to this region.
-8. In **Prepare Hyper-V host servers**, download the Hyper-V Replication provider, and the registration key file.
+1. In **Prepare Hyper-V host servers**, download the Hyper-V Replication provider, and the registration key file.
- The registration key is needed to register the Hyper-V host with Azure Migrate Server Migration. - The key is valid for five days after you generate it. ![Download provider and key](./media/tutorial-migrate-hyper-v/download-provider-hyper-v.png)
-4. Copy the provider setup file and registration key file to each Hyper-V host (or cluster node) running VMs you want to replicate.
-5. Run the provider setup file on each host, as described below:
- - Copy the provider setup file and registration key file to each Hyper-V host (or cluster node) running VMs you want to replicate.
- - Click the file icon in the taskbar to open the folder where the installer file and registration key are downloaded.
- - Select **AzureSiteRecoveryProvider**.
+1. Copy the provider setup file and registration key file to each Hyper-V host (or cluster node) running VMs you want to replicate.
+
+## Install and register the provider
+
+Copy the provider setup file and registration key file to each Hyper-V host (or cluster node) running VMs you want to replicate. To install and register the provider, follow the steps below using either the UI or commands:
+
+# [Using UI](#tab/UI)
+
+Run the provider setup file on each host, as described below:
+
+1. Click the file icon in the taskbar to open the folder where the installer file and registration key are downloaded.
+1. Select **AzureSiteRecoveryProvider.exe** file.
- In the provider installation wizard, ensure **On (recommended)** is checked, and then click **Next**. - Select **Install** to accept the default installation folder. - Select **Register** to register this server in Azure Site Recovery vault.
For migrating Hyper-V VMs, Azure Migrate:Server Migration installs software prov
- Click **Next**. - Ensure **Connect directly to Azure Site Recovery without a proxy server** is selected, and then click **Next**. - Click **Finish**.
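Review bot: The instruction "Copy the provider setup file and registration key file to each Hyper-V host (or cluster node) running VMs you want to replicate." now appears twice in a row, as the last step under "Download the provider" and again as the opening sentence of "Install and register the provider". Keep it in one of the two places. In the UI tab, "Select **AzureSiteRecoveryProvider.exe** file." also needs an article ("Select the **AzureSiteRecoveryProvider.exe** file.").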
-6. After installing the provider on hosts, in **Discover machines**, click **Finalize registration**.
- ![Finalize registration](./media/tutorial-migrate-hyper-v/finalize-registration.png)
-It can take up to 15 minutes after finalizing registration until discovered VMs appear in Azure Migrate Server Migration. As VMs are discovered, the **Discovered servers** count rises.
+# [Using commands](#tab/commands)
+
+Run the following commands on each host, as described below:
+
+1. Extract the contents of installer file (AzureSiteRecoveryProvider.exe) to a local folder (for example .\Temp) on the machine, as follows:
+
+ ```
+ AzureSiteRecoveryProvider.exe /q /x:.\Temp\Extracted
+ ```
+
+1. Go to the folder with the extracted files.
+
+ ```
+ cd .\Temp\Extracted
+ ```
+1. Install the Hyper-V replication provider. The results are logged to %Programdata%\ASRLogs\DRASetupWizard.log.
-![Discovered servers](./media/tutorial-migrate-hyper-v/discovered-servers.png)
+ ```
+ .\setupdr.exe /i
+ ```
+1. Register the Hyper-V host to Azure Migrate.
+
+ ```
+ "C:\Program Files\Microsoft Azure Site Recovery Provider\DRConfigurator.exe" /r /Credentials <key file path>
+ ```
+
+ **Configure proxy rules:** If you need to connect to the internet via a proxy, use the optional parameters /proxyaddress and /proxyport parameters to specify the proxy address (in the form http://ProxyIPAddress) and proxy listening port. For authenticated proxy, you can use the optional parameters /proxyusername and /proxypassword.
+
+ ```
+ "C:\Program Files\Microsoft Azure Site Recovery Provider\DRConfigurator.exe" /r [/proxyaddress http://ProxyIPAddress] [/proxyport portnumber] [/proxyusername username] [/proxypassword password]
+ ```
+
+ **Configure proxy bypass rules:** To configure proxy bypass rules, use the optional parameter /AddBypassUrls and provide bypass URL(s) for proxy separated by ';' and run the following commands:
+
+ ```
+ "C:\Program Files\Microsoft Azure Site Recovery Provider\DRConfigurator.exe" /r [/proxyaddress http://ProxyIPAddress]ΓÇ»[/proxyport portnumber] [/proxyusername username] [/proxypassword password] [/AddBypassUrls URLs]
+ ```
+ and
+ ```
+ "C:\Program Files\Microsoft Azure Site Recovery Provider\DRConfigurator.exe" /configure /AddBypassUrls URLs
+ ```
++
+After installing the provider on hosts, go to the Azure portal and in **Discover machines**, click **Finalize registration**.
+
+ ![Finalize registration](./media/tutorial-migrate-hyper-v/finalize-registration.png)
+
+It can take up to 15 minutes after finalizing registration until discovered VMs appear in Azure Migrate Server Migration. As VMs are discovered, the **Discovered servers** count rises.
+
+ ![Discovered servers](./media/tutorial-migrate-hyper-v/discovered-servers.png)
## Replicate Hyper-V VMs
With discovery completed, you can begin replication of Hyper-V VMs to Azure.
> You can replicate up to 10 machines together. If you need to replicate more, then replicate them simultaneously in batches of 10. 1. In the Azure Migrate project > **Servers**, **Azure Migrate: Server Migration**, click **Replicate**.
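Review bot: In the "Using commands" tab, the proxy examples pass the proxy credential as a plain argument (`/proxypassword password`), which leaves it in command history and in any process command-line logging on the host. Add a sentence telling readers to treat that command line as sensitive. The same examples also omit `/Credentials <key file path>`, which the basic registration command includes, so it is unclear whether the key file is still required when a proxy is configured. Smaller points: step 1 says "for example .\Temp" while the command extracts to `.\Temp\Extracted`, the first bypass example has a stray mis-encoded character between `]` and `[/proxyport`, and a bare `++` line follows the last code fence.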
-2. In **Replicate**, > **Source settings** > **Are your machines virtualized?**, select **Yes, with Hyper-V**. Then click **Next: Virtual machines**.
-3. In **Virtual machines**, select the machines you want to replicate.
+1. In **Replicate**, > **Source settings** > **Are your machines virtualized?**, select **Yes, with Hyper-V**. Then click **Next: Virtual machines**.
+1. In **Virtual machines**, select the machines you want to replicate.
- If you've run an assessment for the VMs, you can apply VM sizing and disk type (premium/standard) recommendations from the assessment results. To do this, in **Import migration settings from an Azure Migrate assessment?**, select the **Yes** option. - If you didn't run an assessment, or you don't want to use the assessment settings, select the **No** options. - If you selected to use the assessment, select the VM group, and assessment name. ![Select assessment](./media/tutorial-migrate-hyper-v/select-assessment.png)
-4. In **Virtual machines**, search for VMs as needed, and check each VM you want to migrate. Then, click **Next: Target settings**.
+1. In **Virtual machines**, search for VMs as needed, and check each VM you want to migrate. Then, click **Next: Target settings**.
![Select VMs](./media/tutorial-migrate-hyper-v/select-vms.png)
-5. In **Target settings**, select the target region to which you'll migrate, the subscription, and the resource group in which the Azure VMs will reside after migration.
-7. In **Replication Storage Account**, select the Azure Storage account in which replicated data will be stored in Azure.
-8. **Virtual Network**, select the Azure VNet/subnet to which the Azure VMs will be joined after migration.
-9. In **Availability options**, select:
+1. In **Target settings**, select the target region to which you'll migrate, the subscription, and the resource group in which the Azure VMs will reside after migration.
+1. In **Replication Storage Account**, select the Azure Storage account in which replicated data will be stored in Azure.
+1. **Virtual Network**, select the Azure VNet/subnet to which the Azure VMs will be joined after migration.
+1. In **Availability options**, select:
- Availability Zone to pin the migrated machine to a specific Availability Zone in the region. Use this option to distribute servers that form a multi-node application tier across Availability Zones. If you select this option, you'll need to specify the Availability Zone to use for each of the selected machine in the Compute tab. This option is only available if the target region selected for the migration supports Availability Zones - Availability Set to place the migrated machine in an Availability Set. The target Resource Group that was selected must have one or more availability sets in order to use this option. - No infrastructure redundancy required option if you don't need either of these availability configurations for the migrated machines.
-10. In **Azure Hybrid Benefit**:
+1. In **Azure Hybrid Benefit**:
- Select **No** if you don't want to apply Azure Hybrid Benefit. Then, click **Next**. - Select **Yes** if you have Windows Server machines that are covered with active Software Assurance or Windows Server subscriptions, and you want to apply the benefit to the machines you're migrating. Then click **Next**. ![Target settings](./media/tutorial-migrate-hyper-v/target-settings.png)
-11. In **Compute**, review the VM name, size, OS disk type, and availability configuration (if selected in the previous step). VMs must conform with [Azure requirements](migrate-support-matrix-hyper-v-migration.md#azure-vm-requirements).
+1. In **Compute**, review the VM name, size, OS disk type, and availability configuration (if selected in the previous step). VMs must conform with [Azure requirements](migrate-support-matrix-hyper-v-migration.md#azure-vm-requirements).
- **VM size**: If you're using assessment recommendations, the VM size dropdown will contain the recommended size. Otherwise Azure Migrate picks a size based on the closest match in the Azure subscription. Alternatively, pick a manual size in **Azure VM size**. - **OS disk**: Specify the OS (boot) disk for the VM. The OS disk is the disk that has the operating system bootloader and installer.
With discovery completed, you can begin replication of Hyper-V VMs to Azure.
![VM compute settings](./media/tutorial-migrate-hyper-v/compute-settings.png)
-12. In **Disks**, specify the VM disks that needs to be replicated to Azure. Then click **Next**.
+1. In **Disks**, specify the VM disks that needs to be replicated to Azure. Then click **Next**.
- You can exclude disks from replication. - If you exclude disks, won't be present on the Azure VM after migration. ![Screenshot shows the Disks tab of the Replicate dialog box.](./media/tutorial-migrate-hyper-v/disks.png)
-13. In **Review and start replication**, review the settings, and click **Replicate** to start the initial replication for the servers.
+1. In **Review and start replication**, review the settings, and click **Replicate** to start the initial replication for the servers.
> [!NOTE] > You can update replication settings any time before replication starts, in **Manage** > **Replicating machines**. Settings can't be changed after replication starts.
Do a test migration as follows:
![Test migrated servers](./media/tutorial-migrate-hyper-v/test-migrated-servers.png)
-2. Right-click the VM to test, and click **Test migrate**.
+1. Right-click the VM to test, and click **Test migrate**.
![Test migration](./media/tutorial-migrate-hyper-v/test-migrate.png)
-3. In **Test Migration**, select the Azure virtual network in which the Azure VM will be located after the migration. We recommend you use a non-production virtual network.
-4. The **Test migration** job starts. Monitor the job in the portal notifications.
-5. After the migration finishes, view the migrated Azure VM in **Virtual Machines** in the Azure portal. The machine name has a suffix **-Test**.
-6. After the test is done, right-click the Azure VM in **Replicating machines**, and click **Clean up test migration**.
+1. In **Test Migration**, select the Azure virtual network in which the Azure VM will be located after the migration. We recommend you use a non-production virtual network.
+1. The **Test migration** job starts. Monitor the job in the portal notifications.
+1. After the migration finishes, view the migrated Azure VM in **Virtual Machines** in the Azure portal. The machine name has a suffix **-Test**.
+1. After the test is done, right-click the Azure VM in **Replicating machines**, and click **Clean up test migration**.
![Clean up migration](./media/tutorial-migrate-hyper-v/clean-up.png) > [!NOTE]
After you've verified that the test migration works as expected, you can migrate
![Replicating servers](./media/tutorial-migrate-hyper-v/replicate-servers.png)
-2. In **Replicating machines**, right-click the VM > **Migrate**.
-3. In **Migrate** > **Shut down virtual machines and perform a planned migration with no data loss**, select **Yes** > **OK**.
+1. In **Replicating machines**, right-click the VM > **Migrate**.
+1. In **Migrate** > **Shut down virtual machines and perform a planned migration with no data loss**, select **Yes** > **OK**.
- By default Azure Migrate shuts down the on-premises VM, and runs an on-demand replication to synchronize any VM changes that occurred since the last replication occurred. This ensures no data loss. - If you don't want to shut down the VM, select **No**
-4. A migration job starts for the VM. Track the job in Azure notifications.
-5. After the job finishes, you can view and manage the VM from the **Virtual Machines** page.
+1. A migration job starts for the VM. Track the job in Azure notifications.
+1. After the job finishes, you can view and manage the VM from the **Virtual Machines** page.
## Complete the migration
After you've verified that the test migration works as expected, you can migrate
- Stops replication for the on-premises machine. - Removes the machine from the **Replicating servers** count in Azure Migrate: Server Migration. - Cleans up replication state information for the VM.
-2. Install the Azure VM [Windows](../virtual-machines/extensions/agent-windows.md) or [Linux](../virtual-machines/extensions/agent-linux.md) agent on the migrated machines.
-3. Perform any post-migration app tweaks, such as updating database connection strings, and web server configurations.
-4. Perform final application and migration acceptance testing on the migrated application now running in Azure.
-5. Cut over traffic to the migrated Azure VM instance.
-6. Remove the on-premises VMs from your local VM inventory.
-7. Remove the on-premises VMs from local backups.
-8. Update any internal documentation to show the new location and IP address of the Azure VMs.
+1. Install the Azure VM [Windows](../virtual-machines/extensions/agent-windows.md) or [Linux](../virtual-machines/extensions/agent-linux.md) agent on the migrated machines.
+1. Perform any post-migration app tweaks, such as updating database connection strings, and web server configurations.
+1. Perform final application and migration acceptance testing on the migrated application now running in Azure.
+1. Cut over traffic to the migrated Azure VM instance.
+1. Remove the on-premises VMs from your local VM inventory.
+1. Remove the on-premises VMs from local backups.
+1. Update any internal documentation to show the new location and IP address of the Azure VMs.
## Post-migration best practices
After you've verified that the test migration works as expected, you can migrate
- Deploy [Azure Disk Encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) to help secure disks, and keep data safe from theft and unauthorized access. - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/), and visit the [Azure Security Center](https://azure.microsoft.com/services/security-center/). - For monitoring and management:-- Consider deploying [Azure Cost Management](../cost-management-billing/cloudyn/overview.md) to monitor resource usage and spending.-
+- Consider deploying [Azure Cost Management](../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending.
## Next steps
migrate Tutorial Migrate Physical Virtual Machines https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-migrate-physical-virtual-machines.md
After you've verified that the test migration works as expected, you can migrate
- Deploy [Azure Disk Encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) to help secure disks, and keep data safe from theft and unauthorized access. - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/), and visit the [Azure Security Center](https://azure.microsoft.com/services/security-center/). - For monitoring and management:
- - Consider deploying [Azure Cost Management](../cost-management-billing/cloudyn/overview.md) to monitor resource usage and spending.
+ - Consider deploying [Azure Cost Management](../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending.
## Next steps
migrate Tutorial Migrate Vmware Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-migrate-vmware-agent.md
After you've verified that the test migration works as expected, you can migrate
- Deploy [Azure Disk Encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) to help secure disks, and keep data safe from theft and unauthorized access. - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/), and visit the [Azure Security Center](https://azure.microsoft.com/services/security-center/). - For monitoring and management:
- - Consider deploying [Azure Cost Management](../cost-management-billing/cloudyn/overview.md) to monitor resource usage and spending.
+ - Consider deploying [Azure Cost Management](../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending.
migrate Tutorial Migrate Vmware Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-migrate-vmware-powershell.md
Write-Output $MigrateJob.State
- Deploy [Azure Disk Encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) to help secure disks, and keep data safe from theft and unauthorized access. - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/), and visit the [Azure Security Center](https://azure.microsoft.com/services/security-center/). - For monitoring and management:-- Consider deploying [Azure Cost Management](../cost-management-billing/cloudyn/overview.md) to monitor resource usage and spending.
+- Consider deploying [Azure Cost Management](../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending.
migrate Tutorial Migrate Vmware https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-migrate-vmware.md
After you've verified that the test migration works as expected, you can migrate
- Deploy [Azure Disk Encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) to help secure disks, and keep data safe from theft and unauthorized access. - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/), and visit the [Azure Security Center](https://azure.microsoft.com/services/security-center/). - For monitoring and management:-- Consider deploying [Azure Cost Management](../cost-management-billing/cloudyn/overview.md) to monitor resource usage and spending.
+- Consider deploying [Azure Cost Management](../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending.
## Next steps
mysql Concepts Read Replicas https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/flexible-server/concepts-read-replicas.md
If GTID is enabled on a source server (`gtid_mode` = ON), newly created replicas
| Stopped replicas | If you stop replication between a source server and a read replica, the stopped replica becomes a standalone server that accepts both reads and writes. The standalone server can't be made into a replica again. | | Deleted source and standalone servers | When a source server is deleted, replication is stopped to all read replicas. These replicas automatically become standalone servers and can accept both reads and writes. The source server itself is deleted. | | User accounts | Users on the source server are replicated to the read replicas. You can only connect to a read replica using the user accounts available on the source server. |
-| Server parameters | To prevent data from becoming out of sync and to avoid potential data loss or corruption, some server parameters are locked from being updated when using read replicas. <br> The following server parameters are locked on both the source and replica servers:<br> - [`innodb_file_per_table`](https://dev.mysql.com/doc/refman/8.0/en/innodb-file-per-table-tablespaces.html) <br> - [`log_bin_trust_function_creators`](https://dev.mysql.com/doc/refman/5.7/en/replication-options-binary-log.html#sysvar_log_bin_trust_function_creators) <br> The [`event_scheduler`](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_event_scheduler) parameter is locked on the replica servers. <br> To update one of the above parameters on the source server, delete replica servers, update the parameter value on the source, and recreate replicas. |
+| Server parameters | To prevent data from becoming out of sync and to avoid potential data loss or corruption, some server parameters are locked from being updated when using read replicas. <br> The following server parameters are locked on both the source and replica servers:<br> - [`innodb_file_per_table`](https://dev.mysql.com/doc/refman/8.0/en/innodb-file-per-table-tablespaces.html) <br> - [`log_bin_trust_function_creators`](https://dev.mysql.com/doc/refman/5.7/en/replication-options-binary-log.html#sysvar_log_bin_trust_function_creators) <br> The [`event_scheduler`](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_event_scheduler) parameter is locked on the replica servers. <br> To update one of the above parameters on the source server, delete replica servers, update the parameter value on the source, and recreate replicas.
+<br> When configuring session level parameters such as ΓÇÿforeign_keys_checksΓÇÖ on the read replica, ensure the parameter values being set on the read replica are consistent with that of the source server.|
| Other | - Creating a replica of a replica is not supported. <br> - In-memory tables may cause replicas to become out of sync. This is a limitation of the MySQL replication technology. Read more in the [MySQL reference documentation](https://dev.mysql.com/doc/refman/5.7/en/replication-features-memory.html) for more information. <br>- Ensure the source server tables have primary keys. Lack of primary keys may result in replication latency between the source and replicas.<br>- Review the full list of MySQL replication limitations in the [MySQL documentation](https://dev.mysql.com/doc/refman/5.7/en/replication-features.html) | ## Next steps
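Review bot: the sentence added to the Server parameters row names the session variable as "foreign_keys_checks", but the MySQL system variable is `foreign_key_checks` (singular "key"), so a reader who copies the name will get an unknown-variable error. Correct the spelling and format it in backticks like `innodb_file_per_table` and `event_scheduler` in the same cell, ideally with a reference-manual link as those entries have.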
mysql How To Configure High Availability Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/flexible-server/how-to-configure-high-availability-cli.md
# Manage zone redundant high availability in Azure Database for MySQL Flexible Server with Azure CLI
-[[!INCLUDE[applies-to-mysql-flexible-server](../includes/applies-to-mysql-flexible-server.md)]
> [!NOTE]
-> Azure Database for MySQL Flexible Server is in public preview.
+> Azure Database for MySQL Flexible Server is in public preview.
The article describes how you can enable or disable zone redundant high availability configuration at the time of server creation in your flexible server. You can disable zone redundant high availability after server creation too. Enabling zone redundant high availability after server creation is not supported.
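Review bot: the first removed line deletes the `applies-to-mysql-flexible-server` include outright instead of repairing its stray leading `[`, so the article no longer carries the applies-to include at all. If it is still wanted, restore it as `[!INCLUDE[applies-to-mysql-flexible-server](../includes/applies-to-mysql-flexible-server.md)]`; if the removal is deliberate, say so in the commit description.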
mysql Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/flexible-server/whats-new.md
Last updated 06/18/2021
# What's new in Azure Database for MySQL - Flexible Server (Preview)?
-[[!INCLUDE[applies-to-mysql-flexible-server](../includes/applies-to-mysql-flexible-server.md)]
- [Azure Database for MySQL - Flexible Server](./overview.md#azure-database-for-mysqlflexible-server-preview) is a deployment mode that's designed to provide more granular control and flexibility over database management functions and configuration settings than does the Single Server deployment mode. The service currently supports community version of MySQL 5.7 and 8.0.
This article summarizes new releases and features in Azure Database for MySQL -
This release of Azure Database for MySQL - Flexible Server includes the following updates. -- **Improved performance on smaller storage servers**
+- **Improved performance on smaller storage servers**
Beginning June 21, 2021, the minimum allowed provisioned storage size for all newly created server increases from 5 GB to 20 GB. In addition, the available free IOPS increases from 100 to 300. These changes are summarized in the following table:
This release of Azure Database for MySQL - Flexible Server includes the followin
Storage auto-grow prevents a server from running out of storage and becoming read-only. If storage auto grow is enabled, the storage automatically grows without impacting the workload. Beginning June 21, 2021, all newly created servers will have storage auto-grow enabled by default. [Learn more](concepts-compute-storage.md#storage-auto-grow). -- **Data-in Replication**
+- **Data-in Replication**
Flexible Server now supports [Data-in Replication](concepts-data-in-replication.md). Use this feature to synchronize and migrate data from a MySQL server running on-premises, in virtual machines, on Azure Database for MySQL Single Server, or on database services outside Azure to Azure Database for MySQL ΓÇô Flexible Server. Learn more about [How to configure Data-in Replication](how-to-data-in-replication.md). - **GitHub actions support with Azure CLI**
- Flexible Server CLI now allows you to automate your workflow to deploy updates with GitHub actions. Use this feature to help you set up and deploy your database updates with MySQL github action workflow. These CLI commands help you with setting up the repository to enable the continuous deployment for ease of development. [Learn more](/cli/azure/mysql/flexible-server/deploy?view=azure-cli-latest&preserve-view=true).
+ Flexible Server CLI now allows customers to automate workflows to deploy updates with GitHub actions. This feature helps set up and deploy database updates with MySQL GitHub action workflow. These CLI commands assist with setting up a repository to enable continuous deployment for ease of development. [Learn more](/cli/azure/mysql/flexible-server/deploy?view=azure-cli-latest&preserve-view=true).
- **Zone redundant HA forced failover fixes**
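Review bot: the rewritten paragraph still spells the product name as "GitHub actions" and "MySQL GitHub action workflow", and the bullet heading above it has the same lowercase form; the feature is named GitHub Actions. Capitalize it consistently in the heading and in both sentences while this text is being edited.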
This release of Azure Database for MySQL - Flexible Server includes the followin
- **Known issue**
- - If a client application trying to connect to an instance of Flexible Server is in a peered virtual network (VNet), the application may not be able to connect using the Flexible Server *servername* because it cannot resolve the DNS name for the Flexible Server instance from a peered VNet. [Learn more](concepts-networking.md#connecting-from-peered-vnets-in-same-azure-region).
- - If you have an existing server with storage provisioned less than 20 GB in size and you try to perform a compute scale up or down operation, the compute scaling operation fails. You can resolve the issue by scaling up the provisioned storage to 20 GB and retrying the compute scaling operation.
+ - If a client application trying to connect to an instance of Flexible Server is in a peered virtual network (VNet), the application may not be able to connect using the Flexible Server *servername* because the application can't resolve the DNS name for the Flexible Server instance from a peered VNet. [Learn more](concepts-networking.md#connecting-from-peered-vnets-in-same-azure-region).
+ - Trying to perform a compute scale up or scale down operation on an existing server with less than 20 GB of storage provisioned won't complete successfully. Resolve the issue by scaling up the provisioned storage to 20 GB and retrying the compute scaling operation.
## May 2021 This release of Azure Database for MySQL - Flexible Server includes the following updates. -- **Extended regional availability (France Central, Brazil South, and Switzerland North)**
+- **Extended regional availability (France Central, Brazil South, and Switzerland North)**
The public preview of Azure Database for MySQL - Flexible Server is now available in the France Central, Brazil South, and Switzerland North regions. [Learn more](overview.md#azure-regions).
This release of Azure Database for MySQL - Flexible Server includes the followin
- **Known issues**
- - Additional IOPs changes donΓÇÖt take effect in zone redundant HA enabled servers. Customers can work around the issue by disabling HA, scaling IOPs, and the re-enabling zone redundant HA.
+ - Additional IOPs changes donΓÇÖt take effect in zone redundant HA enabled servers. Customers can work around the issue by disabling HA, scaling IOPs, and the re-enabling zone redundant HA.
- After force failover, the standby availability zone is inaccurately reflected in the portal. (No workaround) - Server parameter changes don't take effect in zone redundant HA enabled server after forced failover. (No workaround)
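Review bot: the re-added known-issue line keeps the typo "and the re-enabling zone redundant HA", which should read "and then re-enabling zone redundant HA". The same line writes "IOPs" where the June section of this article writes "IOPS"; pick one spelling for the whole page.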
mysql Howto Migrate Single Flexible Minimum Downtime https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/howto-migrate-single-flexible-minimum-downtime.md
In this tutorial, you learn how to:
To complete this tutorial, you need:
-* An instance of Azure Database for MySQL Single Server running version 5.7 or 8.0.
+* An instance of Azure Database for MySQL Single Server running version 5.7 or 8.0.
> [!Note] > If you're running Azure Database for MySQL Single Server version 5.6, upgrade your instance to 5.7 and then configure data in replication. To learn more, see [Major version upgrade in Azure Database for MySQL - Single Server](how-to-major-version-upgrade.md). * An instance of Azure Database for MySQL Flexible Server. For more information, see the article [Create an instance in Azure Database for MySQL Flexible Server](./flexible-server/quickstart-create-server-portal.md).
To complete this tutorial, you need:
* To ensure that you have an Azure VM running Linux in same region (or on the same VNet, with private access) that hosts your source and target databases. * To install mysql client or MySQL Workbench (the client tools) on your Azure VM. Ensure that you can connect to both the primary and replica server. For the purposes of this article, mysql client is installed. * To install mydumper/myloader on your Azure VM. For more information, see the article [mydumper/myloader](concepts-migrate-mydumper-myloader.md).
-* To download and run the sample database script for the [classicmodels](https://www.mysqltutorial.org/wp-content/uploads/2018/03/mysqlsampledatabase.zip) database on the source server
+* To download and run the sample database script for the [classicmodels](https://www.mysqltutorial.org/wp-content/uploads/2018/03/mysqlsampledatabase.zip) database on the source server.
## Configure networking requirements
To configure Data in replication, perform the following steps:
> With Azure Database for MySQL Single Server, which supports up to 4TB, this is not enabled by default. However, if you promote a [read replica](howto-read-replicas-portal.md) for the source server and then delete read replica, the parameter will be set to ON. 4. Based on the SSL enforcement for the source server, create a user in the source server with the replication permission by running the appropriate command.+ If youΓÇÖre using SSL, run the following command: ```sql
To configure Data in replication, perform the following steps:
> * The ΓÇ£mainΓÇ¥ thread only needs to hold the global lock until the ΓÇ£dumpΓÇ¥ threads can start a transaction. > * Offers the shortest duration of global locking
-The ΓÇ£mainΓÇ¥ thread only needs to hold the global lock until the ΓÇ£dumpΓÇ¥ threads can start a transaction.
+ The ΓÇ£mainΓÇ¥ thread only needs to hold the global lock until the ΓÇ£dumpΓÇ¥ threads can start a transaction.
-The variables in this command are explained below:
+ The variables in this command are explained below:
-* **--host:** Name of the primary server
-* **--user:** Name of a user (in the format username@servername since the primary server is running Azure Database for MySQL - Single Server). You can use server admin or a user having SELECT and RELOAD permissions.
-* **--Password:** Password of the user above
+ * **--host:** Name of the primary server
+ * **--user:** Name of a user (in the format username@servername since the primary server is running Azure Database for MySQL - Single Server). You can use server admin or a user having SELECT and RELOAD permissions.
+ * **--Password:** Password of the user above
-For more information about using mydumper, see [mydumper/myloader](concepts-migrate-mydumper-myloader.md)
+ For more information about using mydumper, see [mydumper/myloader](concepts-migrate-mydumper-myloader.md)
6. Read the metadata file to determine the binary log file name and offset by running the following command:
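Review bot: the re-indented option list still labels the last option `--Password` with a capital P, while the myloader command later in this article passes `--password=`; the option is case-sensitive, so the label should be lowercase to match what readers type. The closing sentence "For more information about using mydumper, see ..." is also missing its final period.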
For more information about using mydumper, see [mydumper/myloader](concepts-migr
$ cat ./backup/metadata ```
-In this command, **./backup** refers to the output directory used in the command in the previous step.
+ In this command, **./backup** refers to the output directory used in the command in the previous step.
-The results should appear as shown in the following image:
+ The results should appear as shown in the following image:
+ :::image type="content" source="./media/howto-migrate-single-flexible-minimum-downtime/metadata.png" alt-text="Continuous sync with the Azure Database Migration Service":::
-Make sure to note the binary file name for use in later steps.
+ Make sure to note the binary file name for use in later steps.
7. Restore the database using myloader by running the following command:
-```bash
-$ myloader --host=<servername>.mysql.database.azure.com --user=<username> --password=<Password> --directory=./backup --queries-per-transaction=100 --threads=16 --compress-protocol --ssl --verbose=3 -e 2>myloader-logs.txt
-```
+ ```bash
+ $ myloader --host=<servername>.mysql.database.azure.com --user=<username> --password=<Password> --directory=./backup --queries-per-transaction=100 --threads=16 --compress-protocol --ssl --verbose=3 -e 2>myloader-logs.txt
+ ```
-The variables in this command are explained below:
+ The variables in this command are explained below:
-* **--host:** Name of the replica server
-* **--user:** Name of a user. You can use server admin or a user with read\write permission capable of restoring the schemas and data to the database
-* **--Password:** Password for the user above
+ * **--host:** Name of the replica server
+ * **--user:** Name of a user. You can use server admin or a user with read\write permission capable of restoring the schemas and data to the database
+ * **--Password:** Password for the user above
8. Depending on the SSL enforcement on the primary server, connect to the replica server using the mysql client tool and perform the following the steps.
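Review bot: the myloader command puts the account password on the command line as `--password=<Password>`, where it is recorded in shell history and visible in the process list on the migration VM, and the tutorial gives no caution about that. Add a sentence next to the command telling readers to clear or avoid that exposure on shared hosts, and fix the `--Password` label in the option list below it to the lowercase form the command uses.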
The variables in this command are explained below:
> [!Note] > If you're using MySQL Workbench the \G modifier is not required.
-If the state of *Slave_IO_Running* and *Slave_SQL_Running* are Yes and the value of *Seconds_Behind_Master* is 0, then replication is working well. Seconds_Behind_Master indicates how late the replica is. If the value is something other than 0, then the replica is processing updates.
+ If the state of *Slave_IO_Running* and *Slave_SQL_Running* are Yes and the value of *Seconds_Behind_Master* is 0, then replication is working well. Seconds_Behind_Master indicates how late the replica is. If the value is something other than 0, then the replica is processing updates.
## Testing the replication (optional)
To confirm that Data-in replication is working properly, you can verify that the
1. Identify a table to use for testing, for example the Customers table, and then confirm that the number of entries it contains is the same on the primary and replica servers by running the following command on each:
-```
-select count(*) from customers;
-```
+ ```
+ select count(*) from customers;
+ ```
2. Make a note of the entry count for later comparison.
-To test replication, try adding some data to the customer tables on the primary server and see then verify that the new data is replicated. In this case, youΓÇÖll add two rows to a table on the primary server and then confirm that they are replicated on the replica server.
+ To test replication, try adding some data to the customer tables on the primary server and see then verify that the new data is replicated. In this case, youΓÇÖll add two rows to a table on the primary server and then confirm that they are replicated on the replica server.
3. In the Customers table on the primary server, insert rows by running the following command:
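Review bot: the re-indented fence around `select count(*) from customers;` still has no language tag, while other fences in this article are tagged `bash` or `sql`; tag it `sql` so it is highlighted consistently. The paragraph after step 2 also keeps the slip "and see then verify", which should be "and then verify".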
To ensure a successful cutover, perform the following tasks:
1. Configure the appropriate server-level firewall and virtual network rules to connect to target Server. You can compare the firewall rules for the [source](howto-manage-firewall-using-portal.md) and [target](./flexible-server/how-to-manage-firewall-portal.md#create-a-firewall-rule-after-server-is-created) from the portal. 2. Configure appropriate logins and database level permissions in the target server. You can run *SELECT * FROM mysql.user;* on the source and target servers to compare.
-3. Make sure that all the incoming connections to Azure Database for MySQL Single Server are stopped.
+3. Make sure that all the incoming connections to Azure Database for MySQL Single Server are stopped.
> [!Tip] > You can set the Azure Database for MySQL Single Server to read only. 4. Ensure that the replica has caught up with the primary by running *show slave status \G* and confirming that the value for the *Seconds_Behind_Master* parameter is 0.
At this point, your applications are connected to the new Azure Database for MyS
## Next steps
-* Learn more about Data-in replication [Replicate data into Azure Database for MySQL Flexible Server](flexible-server/concepts-data-in-replication.md) and [Configure Azure Database for MySQL Flexible Server Data-in replication](./flexible-server/how-to-data-in-replication.md)
+* Learn more about Data-in replication [Replicate data into Azure Database for MySQL Flexible Server](flexible-server/concepts-data-in-replication.md) and [Configure Azure Database for MySQL Flexible Server Data-in replication](./flexible-server/how-to-data-in-replication.md)
* Learn more about [troubleshooting common errors in Azure Database for MySQL](howto-troubleshoot-common-errors.md). * Learn more about [migrating MySQL to Azure Database for MySQL offline using Azure Database Migration Service](../dms/tutorial-mysql-azure-mysql-offline-portal.md).
object-anchors Sdk Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/object-anchors/concepts/sdk-overview.md
An [ObjectModel](/dotnet/api/microsoft.azure.objectanchors.objectmodel) represen
An [ObjectSearchArea](/dotnet/api/microsoft.azure.objectanchors.objectsearcharea) specifies the space to look for one or multiple objects. It's defined by a spatial graph node ID and spatial bounds in the coordinate system represented by the spatial graph node ID. The Object Anchors Runtime SDK supports four types of bounds, namely, **field of view**, **bounding box**, **sphere**, and a **location**.
+### AccountInformation
+
+An [AccountInformation](/dotnet/api/microsoft.azure.objectanchors.accountinformation) stores the ID, Key and Domain for your Azure Object Anchors account.
+
+### ObjectAnchorsSession
+
+An [ObjectAnchorsSession](/dotnet/api/microsoft.azure.objectanchors.objectanchorssession) represents an Azure Object Anchors session that is used to create ObjectObserver instances used to detect objects in the physical world.
+
+### ObjectObserver
+
+An [ObjectObserver](/dotnet/api/microsoft.azure.objectanchors.objectobserver) loads object models, detects their instances, and reports 6-DoF poses of each instance in HoloLens coordinate system.
+
+Although any object model or instance is created from an **observer**, their lifetimes are independent. An application can dispose an observer and continue to use the object model or instance.
+ ### ObjectQuery An [ObjectQuery](/dotnet/api/microsoft.azure.objectanchors.objectquery) tells an **object observer** how to find objects of a given model. It provides the following tunable parameters, whose default values can be retrieved from an object model.
An [ObjectInstance](/dotnet/api/microsoft.azure.objectanchors.objectinstance) re
An instance is created by calling `ObjectObserver.DetectAsync` method, then updated automatically in the background when alive. An application can listen to the state changed event on a particular instance or change the tracking mode to pause/resume the update. An instance will automatically be removed from the **observer** when tracking is lost.
-### ObjectObserver
-
-An [ObjectObserver](/dotnet/api/microsoft.azure.objectanchors.objectobserver) loads object models, detects their instances, and reports 6-DoF poses of each instance in HoloLens coordinate system.
-
-Although any object model or instance is created from an **observer**, their lifetimes are independent. An application can dispose an observer and continue to use the object model or instance.
- ### ObjectDiagnosticsSession The [ObjectDiagnosticSession](/dotnet/api/microsoft.azure.objectanchors.diagnostics.objectdiagnosticssession) records diagnostics and writes data to an archive.
if(status != ObjectObserverStatus.Allowed)
Next, the application creates an object observer and loads necessary models generated by the [Object Anchors model conversion service](../quickstarts/get-started-model-conversion.md). ```cs
-var observer = new ObjectObserver();
+// Note that you need to provide the Id, Key and Domain for your Azure Object Anchors account
+var accountInformation = new AccountInformation([yourAccountId], [yourAccountKey], [yourAccountDomain]);
+var session = new ObjectAnchorsSession(accountInformation);
+var observer = session.CreateObjectObserver();
byte[] modelAsBytes; // Load a model into a byte array. Model could be a file, an embedded resource, or a network stream. var model = await observer.LoadObjectModelAsync(modelAsBytes);
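Review bot: the new sample passes the account key directly into the `AccountInformation` constructor, which invites readers to paste a secret into source code. Add a comment or a sentence telling readers to load the ID, key and domain from configuration that is kept out of source control. The `[yourAccountId]`-style bracket placeholders are also not valid C#, so the snippet would read better with named variables declared above the constructor call.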
object-anchors Model Conversion Error Codes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/object-anchors/model-conversion-error-codes.md
For common modes of model conversion failure, the `Azure.MixedReality.ObjectAnch
| SERVICE_ERROR | An unknown service error occurred. | Contact a member of the Object Anchors service team if the issue persists: https://github.com/Azure/azure-object-anchors/issues | | ASSET_CANNOT_BE_CONVERTED | The provided asset was corrupted, malformed, or otherwise unable to be converted in its provided format. | Ensure the asset is a validly constructed file of the specified type, and refer to the asset size guidelines before submitting an asset for conversion to ensure conformity: aka.ms/aoa/faq |
-Any errors that occur outside the actual asset conversion jobs will be thrown as exceptions. Most notably, the `Azure.RequestFailedException` can be thrown for service calls that receive an unsuccessful (4xx or 5xx) or unexpected HTTP response code. For further details on these exceptions, examine the `Status`, `ErrorCode`, or `Message` fields on the exception.
+Any errors that occur outside the actual asset conversion jobs will be thrown as exceptions. Most notably, the `Azure.RequestFailedException` can be thrown for service calls that receive an unsuccessful (4xx or 5xx) or unexpected HTTP response code. For further details on these exceptions, examine the `Status`, `ErrorCode`, or `Message` fields on the exception.
+
+| Exception | Cause |
+| | |
+| ArgumentException | <ul><li>Occurs when using an invalidly constructed or all zero account ID to construct a request with the ObjectAnchorsConversionClient.</li><li>Occurs when attempting to initialize the ObjectAnchorsConversionClient using an invalid whitespace account domain.</li><li>Occurs when an unsupported service version is provided to the ObjectAnchorsConversionClient through ObjectAnchorsConversionClientOptions.</li></ul> |
+| ArgumentNullException | <ul><li>Occurs when attempting to initialize the ObjectAnchorsConversionClient using an invalid null account domain.</li><li>Occurs when attempting to initialize the ObjectAnchorsConversionClient using an invalid null credential.</li></ul> |
+| RequestFailedException | <ul><li>Occurs for all other issues resulting from a bad HTTP status code (unrelated to the status of a job that will/is/has run), such as an account not being found, an invalid upload uri being detected by the fronted, frontend service error, etc.</li></ul> |
+| UnsupportedAssetFileTypeException | <ul><li>Occurs when attempting to submit a job with an asset with an extension or specified filetype that is unsupported by the Azure Object Anchors Conversion service.</li></ul> |
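Review bot: in the RequestFailedException row, "detected by the fronted" should be "frontend", and "upload uri" should be "upload URI". The header separator row is `| | |` with no dashes, so check that the new table actually renders as a table.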
object-anchors Get Started Hololens Directx https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/object-anchors/quickstarts/get-started-hololens-directx.md
To complete this quickstart, make sure you have:
* A HoloLens 2 device that is up to date and has [developer mode](/windows/mixed-reality/using-visual-studio#enabling-developer-mode) enabled. * To update to the latest release on HoloLens, open the **Settings** app, go to **Update & Security**, and then select **Check for updates**. + ## Open the sample project [!INCLUDE [Clone Sample Repo](../../../includes/object-anchors-clone-sample-repository.md)] Open `quickstarts/apps/directx/DirectXAoaSampleApp.sln` in Visual Studio.
-Change the **Solution Configuration** to **Release**, change **Solution Platform** to **ARM64**, select **Device** from the deployment target options. Then build the **AoaSampleApp** project by right-clicking the project and selecting **Build**.
+Change the **Solution Configuration** to **Release**, change **Solution Platform** to **ARM64**, select **Device** from the deployment target options.
+
+## Configure the account information
+
+The next step is to configure the app to use your account information. You took note of the **Account Key**, **Account ID**, and **Account Domain** values, in the ["Create an Object Anchors account"](#create-an-object-anchors-account) section.
+
+Open `Assets\ObjectAnchorsConfig.json`.
+
+Locate the `AccountId` field and replace `Set me` with your Account ID.
+
+Locate the `AccountKey` field and replace `Set me` with your Account Key.
+
+Locate the `AccountDomain` field and replace `Set me` with your Account Domain.
+
+Now, build the **AoaSampleApp** project by right-clicking the project and selecting **Build**.
:::image type="content" source="./media/vs-deploy-to-device.png" alt-text="Configure Visual Studio project to deploy":::
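Review bot: the new "Configure the account information" steps have readers write the Account Key into `Assets\ObjectAnchorsConfig.json` inside the project tree, with no caution about source control. Add a note that the edited file now holds a secret and should not be committed or shared along with the sample. Also confirm that the `#create-an-object-anchors-account` anchor resolves on this page, since the section it names is not in the visible lines.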
object-anchors Get Started Model Conversion https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/object-anchors/quickstarts/get-started-model-conversion.md
To complete this quickstart, make sure you have:
[!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)]
-## Create an Object Anchors account
-
-First, you need to create an account with the Object Anchors service.
-
-1. Go to the [Azure portal](https://portal.azure.com/) and select **Create a resource**.
-
- :::image type="content" source="./media/create-aoa-resource-1.png" alt-text="Create a new resource":::
-
-2. Search for the **Object Anchors** resource.
-
- Search for "Object Anchors".
-
- :::image type="content" source="./media/create-aoa-resource-2.png" alt-text="Select the Object Anchors Resource":::
-
- On the **Object Anchors** resource in the search results, select **Create -> Object Anchors**.
-
- :::image type="content" source="./media/create-aoa-resource-3.png" alt-text="Create an Object Anchors Resource":::
-
-3. In the **Object Anchors Account** dialog box:
- * Enter a unique resource name.
- * Select the subscription you want to attach the resource to.
- * Create or use an existing resource group.
- * Select the region you'd like your resource to exist in.
-
- :::image type="content" source="./media/create-aoa-resource-4.png" alt-text="Enter Object Anchors resource account details":::
-
- Select **Create** to begin creating the resource.
-
-4. Once the resource has been created, select **Go to resource**.
-
- :::image type="content" source="./media/create-aoa-resource-5.png" alt-text="Go to resource":::
-
-5. On the overview page:
-
- Take note of the **Account Domain**. You'll need it later.
-
- :::image type="content" source="./media/create-aoa-resource-6.1.png" alt-text="Copy the account domain for your Object Anchors resource":::
-
- Take note of the **Account ID**. You'll need it later.
-
- :::image type="content" source="./media/create-aoa-resource-6.2.png" alt-text="Copy the account ID for your Object Anchors resource":::
-
- Go to the **Access Keys** page and take note of the **Primary key**. You'll need it later.
-
- :::image type="content" source="./media/create-aoa-resource-7.png" alt-text="Copy the account key for your Object Anchors resource":::
## Get the sample project
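Review bot: the whole "Create an Object Anchors account" section is deleted and nothing in this hunk replaces it, yet it is the section that tells readers to record the Account Domain, Account ID and Primary key for later use. Confirm that an include or link added elsewhere still gives readers those steps before they reach "Get the sample project".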
object-anchors Get Started Unity Hololens Mrtk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/object-anchors/quickstarts/get-started-unity-hololens-mrtk.md
You'll learn how to:
[!INCLUDE [Unity quickstart prerequisites](../../../includes/object-anchors-quickstart-unity-prerequisites.md)] + [!INCLUDE [Unity device setup](../../../includes/object-anchors-quickstart-unity-device-setup.md)] ## Open the sample project
In Unity, open the `quickstarts/apps/unity/mrtk` project.
[!INCLUDE [Import Unity Package](../../../includes/object-anchors-quickstart-unity-import-package.md)] + [!INCLUDE [Unity build sample scene 1](../../../includes/object-anchors-quickstart-unity-build-sample-scene-1.md)] When a "TMP Importer" dialog prompts you to import TextMesh Pro resources, select "Import TMP Essentials" to do so.
Example `subscription.json`:
## Next steps
+> [!div class="nextstepaction"]
+> [Quickstart: In-depth MRTK walkthrough](in-depth-mrtk-walkthrough.md)
+ > [!div class="nextstepaction"] > [Concepts: SDK overview](../concepts/sdk-overview.md)
object-anchors Get Started Unity Hololens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/object-anchors/quickstarts/get-started-unity-hololens.md
You'll learn how to:
[!INCLUDE [Unity quickstart prerequisites](../../../includes/object-anchors-quickstart-unity-prerequisites.md)] + [!INCLUDE [Unity device setup](../../../includes/object-anchors-quickstart-unity-device-setup.md)] ## Open the sample project
In Unity, open the `quickstarts/apps/unity/basic` project.
[!INCLUDE [Import Unity Package](../../../includes/object-anchors-quickstart-unity-import-package.md)] + [!INCLUDE [Unity build sample scene 1](../../../includes/object-anchors-quickstart-unity-build-sample-scene-1.md)] [!INCLUDE [Unity build sample scene 2](../../../includes/object-anchors-quickstart-unity-build-sample-scene-2.md)]
object-anchors In Depth Mrtk Walkthrough https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/object-anchors/quickstarts/in-depth-mrtk-walkthrough.md
+
+ Title: 'Quickstart: In-depth MRTK walkthrough'
+description: In this quickstart, you'll get an in-depth coverage of the Azure Object Anchors MRTK Unity sample application
++++ Last updated : 07/12/2021+++
+# Quickstart: In-depth MRTK walkthrough
+
+This guide provides an in-depth coverage of the [Azure Object Anchors MRTK Unity sample application](get-started-unity-hololens-mrtk.md). It's intended to provide insight into the design of the sample. By reading this guide, developers can accelerate their understanding of key Azure Object Anchors concepts in the sample.
+
+## Project Layout
+
+Assets created for the Azure Object Anchors MRTK Unity sample are stored in `Assets\MixedReality.AzureObjectAnchors`. Subfolders are as follows:
+
+- **Icons**
+ - Contains some custom icons used in the user facing menu.
+- **Materials**
+ - Contains shaders and materials for surface reconstruction visualization and a *depth only* shader, which writes to the depth buffer to help with hologram stabilization around text.
+- **Prefabs**
+ - Contains reusable Unity `GameObjects`. In particular, `TrackableObjectPrefab` represents the object created when Azure Object Anchors detects an object.
+- **Profiles**