Updates from: 07/15/2022 01:17:04
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory Howto Authentication Methods Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-methods-activity.md
The registration details report shows the following information for each user:
## Limitations - The data in the report is not updated in real-time and may reflect a latency of up to a few hours.-- Temporary Access Pass registrations are not reflected in the registration tab of the report because they are only valid for short period of time. - The **PhoneAppNotification** or **PhoneAppOTP** methods that a user might have configured are not displayed in the dashboard. ## Next steps
active-directory Howto Authentication Passwordless Phone https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-phone.md
Title: Passwordless sign-in with Microsoft Authenticator - Azure Active Directory description: Enable passwordless sign-in to Azure AD using Microsoft Authenticator + Previously updated : 06/23/2022 Last updated : 07/14/2022
Microsoft Authenticator can be used to sign in to any Azure AD account without using a password. Microsoft Authenticator uses key-based authentication to enable a user credential that is tied to a device, where the device uses a PIN or biometric. [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) uses a similar technology. + This authentication technology can be used on any device platform, including mobile. This technology can also be used with any app or website that integrates with Microsoft Authentication Libraries. People who enabled phone sign-in from Microsoft Authenticator see a message that asks them to tap a number in their app. No username or password is asked for. To complete the sign-in process in the app, a user must next take the following actions:
People who enabled phone sign-in from Microsoft Authenticator see a message that
1. Choose **Approve**. 1. Provide their PIN or biometric.
-## Prerequisites
+## Multiple accounts on iOS (preview)
-To use passwordless phone sign in with Microsoft Authenticator, the following prerequisites must be met:
+You can enable passwordless phone sign-in for multiple accounts in Microsoft Authenticator on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same iOS device.
-- Recommended: Azure AD Multi-Factor Authentication, with push notifications allowed as a verification method. Push notifications to your smartphone or tablet help Microsoft Authenticator to prevent unauthorized access to accounts and stop fraudulent transactions. Microsoft Authenticator can either perform traditional MFA push notifications to a device that a user must approve or deny, or it can perform passwordless authentication that requires a user to type a matching number. Microsoft Authenticator automatically generates codes when set up to do push notifications so a user has a backup sign-in method even if their device doesn't have connectivity. -- Latest version of Authenticator installed on devices running iOS 8.0 or greater, or Android 6.0 or greater.-- The device on which Microsoft Authenticator is installed must be registered within the Azure AD tenant to an individual user.
+Previously, admins might not require passwordless sign-in for users with multiple accounts because it requires them to carry more devices for sign-in. By removing the limitation of one user sign-in from a device, admins can more confidently encourage users to register passwordless phone sign-in and use it as their default sign-in method.
-> [!NOTE]
-> If you enabled Microsoft Authenticator for passwordless sign-in using Azure AD PowerShell, it was enabled for your entire directory. If you enable using this new method, it supercedes the PowerShell policy. We recommend you enable for all users in your tenant via the new *Authentication Methods* menu, otherwise users not in the new policy are no longer be able to sign in without a password.
+The Azure AD accounts can be in the same tenant or different tenants. Guest accounts aren't supported for multiple account sign-in from one device.
+
+>[!NOTE]
+>Multiple accounts on iOS is currently in public preview. Some features might not be supported or have limited capabilities. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+## Prerequisites
+
+To use passwordless phone sign-in with Microsoft Authenticator, the following prerequisites must be met:
-## Enable passwordless authentication methods
+- Recommended: Azure AD Multi-Factor Authentication, with push notifications allowed as a verification method. Push notifications to your smartphone or tablet help the Authenticator app to prevent unauthorized access to accounts and stop fraudulent transactions. The Authenticator app automatically generates codes when set up to do push notifications so a user has a backup sign-in method even if their device doesn't have connectivity.
+- Latest version of Microsoft Authenticator installed on devices running iOS 12.0 or greater, or Android 6.0 or greater.
+- For Android, the device that runs Microsoft Authenticator must be registered to an individual user. We're actively working to enable multiple accounts on Android.
+- For iOS, the device must be registered with each tenant where it's used to sign in. For example, the following device must be registered with Contoso and Wingtiptoys to allow all accounts to sign in:
+ - balas@contoso.com
+ - balas@wingtiptoys.com and bsandhu@wingtiptoys
+- For iOS, the option in Microsoft Authenticator to allow Microsoft to gather usage data must be enabled. It's not enabled by default. To enable it in Microsoft Authenticator, go to **Settings** > **Usage Data**.
+
+ :::image type="content" border="true" source="./media/howto-authentication-passwordless-phone/telemetry.png" alt-text="Screenshot os Usage Data in Microsoft Authenticator.":::
To use passwordless authentication in Azure AD, first enable the combined registration experience, then enable users for the passwordless method.
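Review bot: In the added iOS registration example, `bsandhu@wingtiptoys` is missing its domain suffix, unlike `balas@wingtiptoys.com` on the same line. The lead-in also says "the following device" but what follows is a list of accounts. Suggest writing the third account as a full sign-in name and rewording the lead-in to "a device with the following accounts". The image alt text has a typo as well: "Screenshot os Usage Data" should read "Screenshot of Usage Data".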
-### Enable passwordless phone sign-in authentication methods
+## Enable passwordless phone sign-in authentication methods
Azure AD lets you choose which authentication methods can be used during the sign-in process. Users then register for the methods they'd like to use. The **Microsoft Authenticator** authentication method policy manages both the traditional push MFA method, as well as the passwordless authentication method.
+> [!NOTE]
+> If you enabled Microsoft Authenticator passwordless sign-in using Azure AD PowerShell, it was enabled for your entire directory. If you enable using this new method, it supersedes the PowerShell policy. We recommend you enable for all users in your tenant via the new **Authentication Methods** menu, otherwise users who aren't in the new policy can't sign in without a password.
+ To enable the authentication method for passwordless phone sign-in, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) with an *authentication policy administrator* account.
+1. Sign in to the [Azure portal](https://portal.azure.com) with an *Authentication Policy Administrator* account.
1. Search for and select *Azure Active Directory*, then browse to **Security** > **Authentication methods** > **Policies**. 1. Under **Microsoft Authenticator**, choose the following options: 1. **Enable** - Yes or No
A user can start to utilize passwordless sign-in after all the following actions
- An admin has enabled the user's tenant. - The user has added Microsoft Authenticator as a sign-in method. + The first time a user starts the phone sign-in process, the user performs the following steps: 1. Enters their name at the sign-in page.
The user is then presented with a number. The app prompts the user to authentica
After the user has utilized passwordless phone sign-in, the app continues to guide the user through this method. However, the user will see the option to choose another method. ## Known Issues
An end user can be enabled for multifactor authentication (MFA) through an on-pr
If the user attempts to upgrade multiple installations (5+) of Microsoft Authenticator with the passwordless phone sign-in credential, this change might result in an error.
-### Device registration
-
-Before you can create this new strong credential, there are prerequisites. One prerequisite is that the device on which Microsoft Authenticator is installed must be registered within the Azure AD tenant to an individual user.
-
-Currently, a device can only be enabled for passwordless sign-in in a single tenant. This limit means that only one work or school account in Microsoft Authenticator can be enabled for phone sign-in.
-
-> [!NOTE]
-> Device registration is not the same as device management or mobile device management (MDM). Device registration only associates a device ID and a user ID together, in the Azure AD directory.
## Next steps
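Review bot: Removing the whole "Device registration" section also drops the note that device registration is not device management or MDM, while the new prerequisites still require the device to be "registered" for both Android and iOS. Suggest keeping that note, moved next to the prerequisites. The removed single-tenant limitation also still applies to Android according to the new prerequisite ("must be registered to an individual user"), so Known Issues should keep an Android-scoped version of it rather than losing it entirely.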
active-directory Usage Analytics Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-users.md
Filters can be applied in one, two, or all three categories depending on the typ
1. From the **Authorization System Type** dropdown, select the authorization system you want to use: **AWS**, **Azure**, or **GCP**. 1. From the **Authorization System** dropdown, select from a **List** of accounts and **Folders**.
-1. From the **Identity Subtype**, select the type of user: **All**, **ED**, **Local**, or **Cross Account**.
+1. From the **Identity Subtype**, select the type of user: **All**, **ED** (Enterprise Directory), **Local**, or **Cross Account**.
1. Select **Apply** to run your query and display the information you selected. Select **Reset filter** to discard your changes.
You can filter user details by type of user, user role, app, or service used, or
- To view assigned permissions and usage of the group and the group members, see [View analytic information about groups](usage-analytics-groups.md). - To view active resources, see [View analytic information about active resources](usage-analytics-active-resources.md). - To view the permission usage of access keys for a given user, see [View analytic information about access keys](usage-analytics-access-keys.md).-- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](usage-analytics-serverless-functions.md).
+- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](usage-analytics-serverless-functions.md).
active-directory Reference Expressions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/reference-expressions.md
Requires a minimum of two arguments, which are unique value generation rules def
> - This is a top-level function, it cannot be nested. > - This function cannot be applied to attributes that have a matching precedence. > - This function is only meant to be used for entry creations. When using it with an attribute, set the **Apply Mapping** property to **Only during object creation**.
-> - This function is currently only supported for "Workday to Active Directory User Provisioning". It cannot be used with other provisioning applications.
+> - This function is currently only supported for "Workday and SuccessFactors to Active Directory User Provisioning". It cannot be used with other provisioning applications.
**Parameters:**<br>
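Review bot: The quoted string on the added line now reads as one application name, "Workday and SuccessFactors to Active Directory User Provisioning". If these are two provisioning applications, quote each name separately so readers can match them against the app names they see when configuring provisioning.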
active-directory Reference Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/reference-powershell.md
Here are some details about what you need:
``` [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ```-
+- The AADCloudSyncTools module might not work correctly if the Azure AD Connect cloud provisioning agent is not running or the configuration wizard has not finished successfully.
## Install the AADCloudSyncTools PowerShell module
Here are some details about what you need:
Import-module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools" ``` - ## AADCloudSyncTools cmdlets
+> [!NOTE]
+> Before using AADCloudSyncTools module make sure the Azure AD Connect cloud provisioning agent is running and the configuration wizard has finished successfully. To troubleshoot wizard issues, you can find trace logs in the folder *C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace*, see [Cloud sync troubleshooting](how-to-troubleshoot.md) for more information.
+ ### Connect-AADCloudSyncTools This cmdlet uses the MSAL.PS module to request a token for the Azure AD administrator to access Microsoft Graph.
This cmdlet uses the MSAL.PS module to request a token for the Azure AD administ
This cmdlet exports and packages all the troubleshooting data in a compressed file, as follows:
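Review bot: The same prerequisite (agent running, configuration wizard finished) is now stated twice, once as the added bullet under "Here are some details about what you need" and again in the added NOTE before the cmdlet list. Suggest keeping one and linking to it from the other. In the NOTE, "...\Trace*, see [Cloud sync troubleshooting]" is a comma splice; start a new sentence at "See", and add the missing "the" in "Before using AADCloudSyncTools module".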
-1. Sets verbose tracing and starts collecting data from the provisioning agent (same as `Start-AADCloudSyncToolsVerboseLogs`). You can find these trace logs in the folder *C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace*.
-2. Stops data collection after three minutes and disables verbose tracing (same as `Stop-AADCloudSyncToolsVerboseLogs`). You can specify a different duration by using `-TracingDurationMins` or completely skip verbose tracing by using `-SkipVerboseTrace`.
+1. Sets verbose tracing and starts collecting data from the provisioning agent (same as `Start-AADCloudSyncToolsVerboseLogs`).
+2. Stops data collection after three minutes and disables verbose tracing (same as `Stop-AADCloudSyncToolsVerboseLogs`).
3. Collects Event Viewer logs for the last 24 hours.
-4. Compresses all the agent logs, verbose logs, and Event Viewer logs into a .zip file in the user's *Documents* folder. You can specify a different output folder by using `-OutputPath <folder path>`.
+4. Compresses all the agent logs, verbose logs, and Event Viewer logs into a .zip file in the user's *Documents* folder.
+
+You can use the following options to fine-tune your data collection:
+
+- `SkipVerboseTrace` to only export current logs without capturing verbose logs (default = false).
+- `TracingDurationMins` to specify a different capture duration (default = 3 minutes).
+- `OutputPath` to specify a different output path (default = userΓÇÖs Documents folder).
### Get-AADCloudSyncToolsInfo
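Review bot: The new options list drops the leading hyphen that the removed text had (`-TracingDurationMins`, `-SkipVerboseTrace`, `-OutputPath <folder path>`), so the names can no longer be copied into a command line as written, and `OutputPath` has lost its `<folder path>` argument hint. Suggest restoring the `-` prefix and the argument placeholder. The `OutputPath` bullet also contains a typographic apostrophe in "user's" that renders as garbage on this page; use a plain ASCII apostrophe.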
active-directory Howto Configure Publisher Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-configure-publisher-domain.md
# Configure an application's publisher domain
-An applicationΓÇÖs publisher domain informs the users where their information is being sent and acts as an input/prerequisite for [publisher verification](publisher-verification-overview.md). Depending on when the app was registered and it's verified publisher status, publisher domain may be displayed directly to the user on the [application's consent prompt](application-consent-experience.md). [Multi-tenant applications](/azure/architecture/guide/multitenant/overview) that are registered after May 21, 2019, that don't have a publisher domain show up asΓÇ»**unverified**. Multi-tenant applications are applications that support accounts outside of a single organizational directory; for example, support all Azure AD accounts, or support all Azure AD accounts and personal Microsoft accounts.
+An applicationΓÇÖs publisher domain informs the users where their information is being sent and acts as an input/prerequisite for [publisher verification](publisher-verification-overview.md). Depending on whether an app is a [multi-tenant app](/azure/architecture/guide/multitenant/overview), when it was registered and it's verified publisher status, either the publisher domain or the verified publisher status will be displayed to the user on the [application's consent prompt](application-consent-experience.md). Multi-tenant applications are applications that support accounts outside of a single organizational directory; for example, support all Azure AD accounts, or support all Azure AD accounts and personal Microsoft accounts.
## New applications
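Review bot: The rewritten sentence keeps the typo "it's verified publisher status"; it should be the possessive "its". The conditions in that sentence are also hard to parse as a comma list ("whether an app is a multi-tenant app, when it was registered and it's verified publisher status"); consider pointing to the rules listed under "New applications" instead of summarising them inline.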
The following table summarizes the default behavior of the publisher domain valu
| - *.onmicrosoft.com<br/>- domain1.com<br/>- domain2.com (primary) | domain2.com | 1. If your multi-tenant was registered between **May 21, 2019 and November 30, 2020**:
+ - If the application's publisher domain isn't set, or if it's set to a domain that ends in .onmicrosoft.com, the app's consent prompt will show **unverified** in place of the publisher domain.
+ - If the application has a verified app domain, the consent prompt will show the verified domain.
+ - If the application is publisher verified, it will show a [blue "verified" badge](publisher-verification-overview.md) indicating the same
2. If your multi-tenant was registered after **November 30, 2020**:
+ - If the application is not publisher verified, the app will show as "**unverified**" in the consent prompt (i.e, no publisher domain related info is shown)
+ - If the application is publisher verified, it will show a [blue "verified" badge](publisher-verification-overview.md) indicating the same
## Grandfathered applications
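Review bot: The added bullet "If the application has a verified app domain" introduces a term that the rest of the article does not use; everywhere else it is "publisher domain" or "publisher verified". State which setting is meant so readers can tell the second bullet apart from the first and third. The bullets do not say which rule wins when more than one applies (for example a verified domain and publisher verification), so list them in precedence order or say they are mutually exclusive. Minor: "i.e," needs a period after the "e", "indicating the same" is vague, and the bullets end inconsistently with and without periods.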
-If your app was registered before May 21, 2019, your application's consent prompt will not show **unverified** even if you have not set a publisher domain. We recommend that you set the publisher domain value so that users can see this information on your app's consent prompt.
+If your app was registered **before May 21, 2019**, your application's consent prompt will not show **unverified** even if you have not set a publisher domain. We recommend that you set the publisher domain value so that users can see this information on your app's consent prompt.
## Configure publisher domain using the Azure portal
active-directory Howto Convert App To Be Multi Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-convert-app-to-be-multi-tenant.md
App-only permissions always require a tenant administratorΓÇÖs consent. If your
Certain delegated permissions also require a tenant administratorΓÇÖs consent. For example, the ability to write back to Azure AD as the signed in user requires a tenant administratorΓÇÖs consent. Like app-only permissions, if an ordinary user tries to sign in to an application that requests a delegated permission that requires administrator consent, your application receives an error. Whether a permission requires admin consent is determined by the developer that published the resource, and can be found in the documentation for the resource. The permissions documentation for the [Microsoft Graph API][MSFT-Graph-permission-scopes] indicate which permissions require admin consent.
-If your application uses permissions that require admin consent, have a gesture such as a button or link where the admin can initiate the action. The request your application sends for this action is the usual OAuth2/OpenID Connect authorization request that also includes the `prompt=admin_consent` query string parameter. Once the admin has consented and the service principal is created in the customerΓÇÖs tenant, subsequent sign-in requests do not need the `prompt=admin_consent` parameter. Since the administrator has decided the requested permissions are acceptable, no other users in the tenant are prompted for consent from that point forward.
+If your application uses permissions that require admin consent, have a gesture such as a button or link where the admin can initiate the action. The request your application sends for this action is the usual OAuth2/OpenID Connect authorization request that also includes the `prompt=consent` query string parameter. Once the admin has consented and the service principal is created in the customerΓÇÖs tenant, subsequent sign-in requests do not need the `prompt=consent` parameter. Since the administrator has decided the requested permissions are acceptable, no other users in the tenant are prompted for consent from that point forward.
A tenant administrator can disable the ability for regular users to consent to applications. If this capability is disabled, admin consent is always required for the application to be used in the tenant. If you want to test your application with end-user consent disabled, you can find the configuration switch in the [Azure portal][AZURE-portal] in the **[User settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/)** section under **Enterprise applications**.
-The `prompt=admin_consent` parameter can also be used by applications that request permissions that do not require admin consent. An example of when this would be used is if the application requires an experience where the tenant admin ΓÇ£signs upΓÇ¥ one time, and no other users are prompted for consent from that point on.
+The `prompt=consent` parameter can also be used by applications that request permissions that do not require admin consent. An example of when this would be used is if the application requires an experience where the tenant admin ΓÇ£signs upΓÇ¥ one time, and no other users are prompted for consent from that point on.
-If an application requires admin consent and an admin signs in without the `prompt=admin_consent` parameter being sent, when the admin successfully consents to the application it will apply **only for their user account**. Regular users will still not be able to sign in or consent to the application. This feature is useful if you want to give the tenant administrator the ability to explore your application before allowing other users access.
+If an application requires admin consent and an admin signs in without the `prompt=consent` parameter being sent, when the admin successfully consents to the application it will apply **only for their user account**. Regular users will still not be able to sign in or consent to the application. This feature is useful if you want to give the tenant administrator the ability to explore your application before allowing other users access.
### Consent and multi-tier applications
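Review bot: The four replaced paragraphs swap `prompt=admin_consent` for `prompt=consent` but leave the surrounding claims untouched: that sending the parameter creates the service principal for the whole tenant, that "no other users in the tenant are prompted for consent from that point forward", and that omitting it makes consent apply "only for their user account". Those statements were written for the old value. Please confirm each one still holds for `prompt=consent` and reword the ones that do not, because readers rely on this section to decide whether a single admin sign-in grants permissions tenant-wide.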
To learn more about making API calls to Azure AD and Microsoft 365 services like
[OAuth2-Client-Types]: https://tools.ietf.org/html/rfc6749#section-2.1 [OAuth2-Role-Def]: https://tools.ietf.org/html/rfc6749#page-6 [OpenIDConnect]: https://openid.net/specs/openid-connect-core-1_0.html
-[OpenIDConnect-ID-Token]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
+[OpenIDConnect-ID-Token]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
active-directory Msal Node Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-node-migration.md
## Prerequisites -- Node version 10, 12 or 14. See the [note on version support](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node#node-version-support)
+- Node version 10, 12, 14, 16 or 18. See the [note on version support](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node#node-version-support)
## Update app registration settings
const cca = new msal.ConfidentialClientApplication(config);
const refreshTokenRequest = { refreshToken: "", // your previous refresh token here
- scopes: ["user.read"],
+ scopes: ["https://graph.microsoft.com/.default"],
+ forceCache: true,
}; cca.acquireTokenByRefreshToken(refreshTokenRequest).then((response) => {
- console.log(JSON.stringify(response));
+ console.log(response);
}).catch((error) => {
- console.log(JSON.stringify(error));
+ console.log(error);
}); ```
+For more information, please refer to the [ADAL Node to MSAL Node migration sample](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/refresh-token).
+ > [!NOTE] > We recommend you to destroy the older ADAL Node token cache once you utilize the still valid refresh tokens to get a new set of tokens using the MSAL Node's `acquireTokenByRefreshToken` method as shown above.
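Review bot: `forceCache: true` is added to `refreshTokenRequest` with no comment or prose saying what it does or why the migration needs it; add a one-line comment next to it, since the NOTE that follows tells readers to destroy the old ADAL cache and they need to know the new tokens are being persisted by MSAL. The sample also now passes the whole `response` and `error` objects to `console.log`, and the response of `acquireTokenByRefreshToken` carries tokens. Suggest logging only non-secret fields in documentation samples.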
var adal = require('adal-node');
// Authentication parameters var clientId = 'Enter_the_Application_Id_Here'; var clientSecret = 'Enter_the_Client_Secret_Here';
-var tenant = 'common';
+var tenant = 'Enter_the_Tenant_Info_Here';
var authorityUrl = 'https://login.microsoftonline.com/' + tenant; var redirectUri = 'http://localhost:3000/redirect'; var resource = 'https://graph.microsoft.com';
const msal = require('@azure/msal-node');
const config = { auth: { clientId: "Enter_the_Application_Id_Here",
- authority: "https://login.microsoftonline.com/common",
+ authority: "https://login.microsoftonline.com/Enter_the_Tenant_Info_Here",
clientSecret: "Enter_the_Client_Secret_Here" }, system: {
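Review bot: Replacing `common` with `Enter_the_Tenant_Info_Here` in both the ADAL and MSAL snippets changes what the sample authority accepts, but nothing in the visible lines tells the reader what to put there. Add a short comment next to `tenant` and `authority` listing the accepted values (tenant ID, tenant domain, or a multi-tenant value such as `common`), and note that a tenant-specific authority restricts sign-in to that tenant.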
active-directory Workload Identity Federation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/workload-identity-federation.md
Previously updated : 01/10/2022 Last updated : 07/13/2022
You use workload identity federation to configure an Azure AD app registration t
## Supported scenarios > [!NOTE]
-> Azure AD-issued tokens might not be used for federated identity flows.
+> Azure AD issued tokens may not be used for federated identity flows. The federated identity credentials flow does not support tokens issued by Azure AD.
The following scenarios are supported for accessing Azure AD protected resources using workload identity federation:
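Review bot: In the reworded NOTE, "may not be used" can be read as either a prohibition or a possibility, and the sentence added after it says the same thing a second time. Suggest a single unambiguous sentence such as "The federated identity credentials flow doesn't support tokens issued by Azure AD." The hyphen in "Azure AD-issued" was also dropped; keep it if the first sentence stays.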
active-directory Groups Assign Sensitivity Labels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-assign-sensitivity-labels.md
To apply published labels to groups, you must first enable the feature. These st
```powershell Install-Module AzureADPreview Import-Module AzureADPreview
- Connect-AzureAD
+ AzureADPreview\Connect-AzureAD
``` In the **Sign in to your account** page, enter your admin account and password to connect you to your service, and select **Sign in**.
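Review bot: The module-qualified call `AzureADPreview\Connect-AzureAD` is introduced without saying why the qualifier is needed. Add a sentence or an inline comment explaining that it forces the cmdlet from the AzureADPreview module when another module exporting `Connect-AzureAD` is also installed, so readers do not strip the prefix when copying the snippet.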
active-directory Active Directory Access Create New Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-access-create-new-tenant.md
Title: Quickstart - Access & create new tenant - Azure AD description: Instructions about how to find Azure Active Directory and how to create a new tenant for your organization. --++ Last updated 12/22/2021-+
active-directory Active Directory Accessmanagement Managing Group Owners https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-accessmanagement-managing-group-owners.md
Title: Add or remove group owners - Azure Active Directory | Microsoft Docs description: Instructions about how to add or remove group owners using Azure Active Directory. --++ Last updated 09/11/2018-+
active-directory Active Directory Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-architecture.md
Title: Architecture overview - Azure Active Directory | Microsoft Docs description: Learn what an Azure Active Directory tenant is and how to manage Azure using Azure Active Directory. --++ Last updated 07/08/2022-+
active-directory Active Directory Compare Azure Ad To Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad.md
Title: Compare Active Directory to Azure Active Directory
description: This document compares Active Directory Domain Services (ADDS) to Azure Active Directory (AD). It outlines key concepts in both identity solutions and explains how it's different or similar. -+ tags: azuread
active-directory Active Directory Data Storage Australia Newzealand https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-data-storage-australia-newzealand.md
Title: Customer data storage for Australian and New Zealand customers - Azure AD description: Learn about where Azure Active Directory stores customer-related data for its Australian and New Zealand customers. ---+++
active-directory Active Directory Data Storage Australia https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-data-storage-australia.md
Title: Identity data storage for Australian and New Zealand customers - Azure AD description: Learn about where Azure Active Directory stores identity-related data for its Australian and New Zealand customers. ---+++
active-directory Active Directory Data Storage Eu https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-data-storage-eu.md
Title: Identity data storage for European customers - Azure AD description: Learn about where Azure Active Directory stores identity-related data for its European customers. ---+++
active-directory Active Directory Data Storage Japan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-data-storage-japan.md
Title: Customer data storage for Japan customers - Azure AD
description: Learn about where Azure Active Directory stores customer-related data for its Japan customers. -+
active-directory Active Directory Deployment Checklist P2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-deployment-checklist-p2.md
Last updated 12/07/2021
-+
active-directory Active Directory Get Started Premium https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-get-started-premium.md
Title: Sign up for premium editions - Azure Active Directory| Microsoft Docs description: Instructions about how to sign up for Azure Active Directory Premium editions. --++ Last updated 09/07/2017-+
active-directory Active Directory Groups Create Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-create-azure-portal.md
Title: Create a basic group and add members - Azure Active Directory | Microsoft Docs description: Instructions about how to create a basic group using Azure Active Directory. --++ Last updated 06/05/2020-+
active-directory Active Directory Groups Delete Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-delete-group.md
Title: Delete a group - Azure Active Directory | Microsoft Docs description: Instructions about how to delete a group using Azure Active Directory. --++ Last updated 08/29/2018-+
active-directory Active Directory Groups Members Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-members-azure-portal.md
Title: Add or remove group members - Azure Active Directory | Microsoft Docs description: Instructions about how to add or remove members from a group using Azure Active Directory. --++ Last updated 08/23/2018-+
active-directory Active Directory Groups Membership Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-membership-azure-portal.md
Title: Add or remove a group from another group - Azure AD description: Instructions about how to add or remove a group from another group using Azure Active Directory. --++ Last updated 10/19/2018-+
active-directory Active Directory Groups Settings Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-settings-azure-portal.md
Title: Edit your group information - Azure Active Directory | Microsoft Docs description: Instructions about how to edit your group's information using Azure Active Directory. --++ Last updated 08/27/2018-+
active-directory Active Directory Groups View Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-view-azure-portal.md
Title: Quickstart - View groups & members - Azure AD description: Instructions about how to search for and view your organization's groups and their assigned members. --++ Last updated 09/24/2018-+
active-directory Active Directory How Subscriptions Associated Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
Title: Add an existing Azure subscription to your tenant - Azure AD description: Instructions about how to add an existing Azure subscription to your Azure Active Directory (Azure AD) tenant. --++ Last updated 03/05/2021-+
active-directory Active Directory How To Find Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-how-to-find-tenant.md
Title: How to find your tenant ID - Azure Active Directory description: Instructions about how to find and Azure Active Directory tenant ID to an existing Azure subscription. --++ Last updated 10/30/2020-+
active-directory Active Directory Licensing Whatis Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal.md
Title: What is group-based licensing - Azure Active Directory | Microsoft Docs
description: Learn about Azure Active Directory group-based licensing, including how it works and best practices. keywords: Azure AD licensing--++ Last updated 10/29/2018-+
active-directory Active Directory Manage Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-manage-groups.md
Title: Manage app & resource access using groups - Azure AD description: Learn about how to manage access to your organization's cloud-based apps, on-premises apps, and resources using Azure Active Directory groups. --++ Last updated 01/08/2020-+
active-directory Active Directory Ops Guide Auth https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-ops-guide-auth.md
Title: Azure Active Directory Authentication management operations reference gui
description: This operations reference guide describes the checks and actions you should take to secure authentication management -+ tags: azuread
active-directory Active Directory Ops Guide Govern https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-ops-guide-govern.md
Title: Azure Active Directory governance operations reference guide
description: This operations reference guide describes the checks and actions you should take to secure governance management -+ tags: azuread
active-directory Active Directory Ops Guide Iam https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-ops-guide-iam.md
Title: Azure Active Directory Identity and access management operations referenc
description: This operations reference guide describes the checks and actions you should take to secure identity and access management operations -+ tags: azuread
active-directory Active Directory Ops Guide Intro https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-ops-guide-intro.md
Title: Azure Active Directory operations reference guide
description: This operations reference guide describes the checks and actions you should take to secure and maintain identity and access management, authentication, governance, and operations -+ tags: azuread
active-directory Active Directory Ops Guide Ops https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-ops-guide-ops.md
Title: Azure Active Directory general operations guide reference
description: This operations reference guide describes the checks and actions you should take to secure general operations -+ tags: azuread
active-directory Active Directory Properties Area https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-properties-area.md
Title: Add your organization's privacy info - Azure Active Directory | Microsoft Docs description: Instructions about how to add your organization's privacy info to the Azure Active Directory Properties area. --++ Last updated 04/17/2018-+
active-directory Active Directory Troubleshooting Support Howto https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-troubleshooting-support-howto.md
Title: Find help and open a support ticket - Azure Active Directory | Microsoft Docs description: Instructions about how to get help and open a support ticket for Azure Active Directory. --++ Last updated 08/28/2017-+
active-directory Active Directory Users Assign Role Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md
Title: Assign Azure AD roles to users - Azure Active Directory | Microsoft Docs description: Instructions about how to assign administrator and non-administrator roles to users with Azure Active Directory. --++ Last updated 08/31/2020-+
active-directory Active Directory Users Profile Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-users-profile-azure-portal.md
Title: Add or update user profile information - Azure AD description: Instructions about how to add information to a user's profile in Azure Active Directory, including a picture and job details. --++ Last updated 06/10/2021-+
active-directory Active Directory Users Reset Password Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-users-reset-password-azure-portal.md
Title: Reset a user's password - Azure Active Directory | Microsoft Docs description: Instructions about how to reset a user's password using Azure Active Directory. --++ ms.assetid: fad5624b-2f13-4abc-b3d4-b347903a8f16
Last updated 06/07/2022-+
active-directory Active Directory Users Restore https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-users-restore.md
Title: Restore or permanently remove recently deleted user - Azure AD description: How to view restorable users, restore a deleted user, or permanently delete a user with Azure Active Directory. --++ Last updated 10/23/2020-+
active-directory Active Directory Whatis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-whatis.md
Title: What is Azure Active Directory? description: Learn about Azure Active Directory, including terminology, available licenses, and a list of associated features. --++ Last updated 01/27/2022-+ # Customer intent: As a new administrator, I want to understand what Azure Active Directory is, which license is right for me, and what features are available.
active-directory Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-custom-domain.md
Title: Add your custom domain - Azure Active Directory | Microsoft Docs description: Instructions about how to add a custom domain using Azure Active Directory. --++ Last updated 10/25/2019-+
active-directory Add Users Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-users-azure-active-directory.md
Title: Add or delete users - Azure Active Directory | Microsoft Docs description: Instructions about how to add new users or delete existing users using Azure Active Directory. --++ Last updated 02/16/2022-+
active-directory Concept Fundamentals Block Legacy Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication.md
Last updated 01/26/2021
-+
active-directory Concept Fundamentals Mfa Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-fundamentals-mfa-get-started.md
Last updated 03/18/2020 ---+++
active-directory Concept Fundamentals Security Defaults https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-fundamentals-security-defaults.md
Last updated 04/07/2022
-+
active-directory Concept Secure Remote Workers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-secure-remote-workers.md
Last updated 04/27/2020
-+
active-directory Customize Branding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/customize-branding.md
Title: Add branding to your organization's sign-in page - Azure AD description: Instructions about how to add your organization's branding to the Azure Active Directory sign-in page. --++ Last updated 07/03/2021-+
active-directory Identity Secure Score https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/identity-secure-score.md
Last updated 06/09/2022
-+ #Customer intent: As an IT admin, I want understand the identity secure score, so that I can maximize the security posture of my tenant.
active-directory Keep Me Signed In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/keep-me-signed-in.md
Title: Configure the 'Stay signed in?' prompt for Azure Active Directory account
description: Learn about keep me signed in (KMSI), which displays the Stay signed in? prompt, how to configure it in the Azure Active Directory portal, and how to troubleshoot sign-in issues. -+
active-directory License Users Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/license-users-groups.md
Title: Assign or remove licenses - Azure Active Directory | Microsoft Docs description: Instructions about how to assign or remove Azure Active Directory licenses from your users or groups. --++ ms.assetid: f8b932bc-8b4f-42b5-a2d3-f2c076234a78
Last updated 12/14/2020-+
active-directory Resilience B2b Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/resilience-b2b-authentication.md
Title: Build resilience in external user authentication with Azure Active Direct
description: A guide for IT admins and architects to building resilient authentication for external users -+
active-directory Sign Up Organization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/sign-up-organization.md
Title: Sign up your organization - Azure Active Directory | Microsoft Docs description: Instructions about how to sign up your organization to use Azure and Azure Active Directory. --++ Last updated 09/14/2018-+
active-directory Users Default Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-default-permissions.md
Title: Default user permissions - Azure Active Directory | Microsoft Docs description: Learn about the user permissions available in Azure Active Directory. --++ Last updated 08/04/2021-+
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md
Title: Archive for What's new in Azure Active Directory? | Microsoft Docs description: The What's new release notes in the Overview section of this content set contains 6 months of activity. After 6 months, the items are removed from the main article and put into this archive article. --++ Last updated 1/31/2022-+
active-directory Whats New Microsoft 365 Government https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-microsoft-365-government.md
Title: WhatΓÇÖs new for Azure AD in Microsoft 365 Government? | Microsoft Docs
description: Learn about some changes to Azure Active Directory (Azure AD) in the Microsoft 365 Government cloud instance, which might impact you. -+
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new.md
Title: What's new? Release notes - Azure Active Directory | Microsoft Docs description: Learn what is new with Azure Active Directory; such as the latest release notes, known issues, bug fixes, deprecated functionality, and upcoming changes.--++ featureFlags: - clicktale ms.assetid: 06a149f7-4aa1-4fb9-a8ec-ac2633b031fb
Last updated 1/31/2022-+
active-directory How To Connect Fix Default Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-fix-default-rules.md
Keep **Scoping filter** and **Join rules** empty. Fill in the transformation as
You now know how to make a new attribute for a user object flow from Active Directory to Azure Active Directory. You can use these steps to map any attribute from any object to source and target. For more information, see [Creating custom sync rules](how-to-connect-create-custom-sync-rule.md) and [Prepare to provision users](/office365/enterprise/prepare-for-directory-synchronization). ### Override the value of an existing attribute
-You might want to override the value of an attribute that has already been mapped. For example, if you always want to set a null value to an attribute in Azure AD, simply create an inbound rule only. Make the constant value, `AuthoritativeNull`, flow to the target attribute.
+You might want to override the value of an attribute that has already been mapped. For example, if you always want to set a null value to an attribute in Azure AD, simply create an inbound rule only. Make the expression value, `AuthoritativeNull`, flow to the target attribute.
>[!NOTE] > Use `AuthoritativeNull` instead of `Null` in this case. This is because the non-null value replaces the null value, even if it has lower precedence (a higher number value in the rule). `AuthoritativeNull`, on the other hand, isn't replaced with a non-null value by other rules.
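Review bot: In the changed sentence, "expression value" is not tied to anything the reader sets in the rule, and "simply create an inbound rule only" is redundant. Suggest wording such as "create an inbound rule whose transformation uses an expression that returns `AuthoritativeNull`", so the sentence names the setting that the swap from "constant" to "expression" refers to.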
active-directory How To Connect Import Export Config https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-import-export-config.md
Each time the configuration is changed from the Azure AD Connect wizard, a new t
> [!IMPORTANT] > Only changes made by Azure AD Connect are automatically exported. Any changes made by using PowerShell, the Synchronization Service Manager, or the Synchronization Rules Editor must be exported on demand as needed to maintain an up-to-date copy. Export on demand can also be used to place a copy of the settings in a secure location for disaster recovery purposes.
+>[!NOTE]
+> This feature cannot be combined with using an existing ADSync database. The use of import/export configuration and using existing database are mutually exclusive.
+ ## Export Azure AD Connect settings To view a summary of your configuration settings, open the Azure AD Connect tool, and select the additional task named **View or Export Current Configuration**. A quick summary of your settings is shown along with the ability to export the full configuration of your server.
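Review bot: The added callout opens with `>[!NOTE]` (no space), while a later hunk in this same file changes `>[!NOTE]` to `> [!NOTE]`; use the spaced form here so the commit is self-consistent. The note body also names the same thing two ways ("an existing ADSync database" and "existing database"); pick one term and use it in both sentences.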
To import previously exported settings:
> [!NOTE] > Override settings on this page like the use of SQL Server instead of LocalDB or the use of an existing service account instead of a default VSA. These settings aren't imported from the configuration settings file. They are there for information and comparison purposes.
->[!NOTE]
->It is not supported to modify the exported JSON file to change the configuration
+> [!NOTE]
+> It is not supported to modify the exported JSON file to change the configuration
### Import installation experience
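Review bot: The re-spaced note still ends without a period, and "It is not supported to modify" reads awkwardly. Since the line is being touched anyway, suggest "Modifying the exported JSON file to change the configuration is not supported." Because this note tells readers not to edit an exported configuration file, it is worth making it read as a clear prohibition.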
active-directory How To Connect Install Custom https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-install-custom.md
On the **Express Settings** page, select **Customize** to start a customized-set
- [Sync](#sync-pages) ### Install required components
-When you install the synchronization services, you can leave the optional configuration section unselected. Azure AD Connect sets up everything automatically. It sets up a SQL Server 2019 Express LocalDB instance, creates the appropriate groups, and assign permissions. If you want to change the defaults, clear the appropriate boxes. The following table summarizes these options and provides links to additional information.
+When you install the synchronization services, you can leave the optional configuration section unselected. Azure AD Connect sets up everything automatically. It sets up a SQL Server 2019 Express LocalDB instance, creates the appropriate groups, and assign permissions. If you want to change the defaults, select the appropriate boxes. The following table summarizes these options and provides links to additional information.
![Screenshot showing optional selections for the required installation components in Azure AD Connect.](./media/how-to-connect-install-custom/requiredcomponents2.png)
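Review bot: The edited paragraph still has a subject-verb mismatch in "creates the appropriate groups, and assign permissions"; it should read "assigns permissions". The switch from "clear" to "select" does agree with the first sentence ("leave the optional configuration section unselected"), so that part looks right.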
Now that you have installed Azure AD Connect, you can [verify the installation a
For more information about the features that you enabled during the installation, see [Prevent accidental deletes](how-to-connect-sync-feature-prevent-accidental-deletes.md) and [Azure AD Connect Health](how-to-connect-health-sync.md).
-For more information about other common topics, see [Azure AD Connect sync: Scheduler](how-to-connect-sync-feature-scheduler.md) and [Integrate your on-premises identities with Azure AD](whatis-hybrid-identity.md).
+For more information about other common topics, see [Azure AD Connect sync: Scheduler](how-to-connect-sync-feature-scheduler.md) and [Integrate your on-premises identities with Azure AD](whatis-hybrid-identity.md).
active-directory How To Connect Install Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-install-prerequisites.md
We recommend that you harden your Azure AD Connect server to decrease the securi
### Connectivity * The Azure AD Connect server needs DNS resolution for both intranet and internet. The DNS server must be able to resolve names both to your on-premises Active Directory and the Azure AD endpoints. * Azure AD Connect requires network connectivity to all configured domains
+* Azure AD Connect requires network connectivity to the root domain of all configured forest
* If you have firewalls on your intranet and you need to open ports between the Azure AD Connect servers and your domain controllers, see [Azure AD Connect ports](reference-connect-ports.md) for more information. * If your proxy or firewall limit which URLs can be accessed, the URLs documented in [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) must be opened. Also see [Safelist the Azure portal URLs on your firewall or proxy server](../../azure-portal/azure-portal-safelist-urls.md?tabs=public-cloud). * If you're using the Microsoft cloud in Germany or the Microsoft Azure Government cloud, see [Azure AD Connect sync service instances considerations](reference-connect-instances.md) for URLs.
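Review bot: The added bullet ends in "all configured forest", which should be plural ("forests"). It also sits directly after "requires network connectivity to all configured domains" without saying how the two requirements relate. Suggest merging them into one bullet, or stating that root-domain connectivity is needed in addition to connectivity to the configured domains, so firewall owners know both paths must be open.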
active-directory How To Connect Selective Password Hash Synchronization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-selective-password-hash-synchronization.md
the attribute **adminDescription** populated in Active Directory with the value
Once you completed the steps to configure the necessary synchronization rules, re-enable the synchronization scheduler with the following steps: 1. In Windows PowerShell run:
- `set-adsyncscheduler-synccycleenabled$true`
+ `set-adsyncscheduler -synccycleenabled:$true`
2. Then confirm it has been successfully enabled by running:
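Review bot: The corrected command is still written in all lowercase (`set-adsyncscheduler -synccycleenabled:$true`). It now parses, but the docs convention is the cmdlet's own casing, `Set-ADSyncScheduler -SyncCycleEnabled $true`, which is easier to read and to search for. Since step 2 asks the reader to confirm the scheduler is enabled, consider naming the property they should see set to true in that step.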
active-directory How To Connect Sync Service Manager Ui Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-sync-service-manager-ui-connectors.md
The delete action is used for two different things.
The option **Delete connector space only** removes all data, but keep the configuration.
-The option **Delete Connector and connector space** removes the data and the configuration. This option is used when you do not want to connect to a forest anymore.
+The option **Delete Connector and connector space** removes the data, the configuration and all the sync rules associated with the connector. This option is used when you do not want to connect to a forest anymore.
Both options sync all objects and update the metaverse objects. This action is a long running operation.
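Review bot: The new wording for **Delete Connector and connector space** says the sync rules associated with the connector are removed too, which is a destructive and hard-to-reverse effect that deserves more than a clause in running text. Suggest a caution callout on that option, plus a pointer to exporting the configuration before deleting. Two small fixes while here: add the serial comma ("the data, the configuration, and all the sync rules"), and the unchanged line above should read "but keeps the configuration".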
active-directory Tshoot Connect Pass Through Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/tshoot-connect-pass-through-authentication.md
If the user is unable to sign into using Pass-through Authentication, they may s
|Error|Description|Resolution | | | |AADSTS80001|Unable to connect to Active Directory|Ensure that agent servers are members of the same AD forest as the users whose passwords need to be validated and they are able to connect to Active Directory.
-|AADSTS8002|A timeout occurred connecting to Active Directory|Check to ensure that Active Directory is available and is responding to requests from the agents.
+|AADSTS80002|A timeout occurred connecting to Active Directory|Check to ensure that Active Directory is available and is responding to requests from the agents.
|AADSTS80004|The username passed to the agent was not valid|Ensure the user is attempting to sign in with the right username. |AADSTS80005|Validation encountered unpredictable WebException|A transient error. Retry the request. If it continues to fail, contact Microsoft support. |AADSTS80007|An error occurred communicating with Active Directory|Check the agent logs for more information and verify that Active Directory is operating as expected.
active-directory Manage Application Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-application-permissions.md
# Review permissions granted to applications
-In this article you'll learn how to review permissions granted to applications in your Azure Active Directory (Azure AD) tenant. You may need to review permissions when you have detected a malicious application or the application has been granted more permissions than is necessary.
+In this article, you'll learn how to review permissions granted to applications in your Azure Active Directory (Azure AD) tenant. You may need to review permissions when you've detected a malicious application or the application has been granted more permissions than is necessary.
The steps in this article apply to all applications that were added to your Azure Active Directory (Azure AD) tenant via user or admin consent. For more information on consenting to applications, see [Azure Active Directory consent framework](../develop/consent-framework.md).
The steps in this article apply to all applications that were added to your Azur
To review permissions granted to applications, you need: - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
+- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator.
+- A Service principal owner who isn't an administrator is able to invalidate refresh tokens.
+ You can access the Azure AD portal to get contextual PowerShell scripts to perform the actions.
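Review bot: The new bullet "A Service principal owner who isn't an administrator is able to invalidate refresh tokens." is a statement placed inside a list introduced by "you need:", so it no longer reads as a prerequisite. With "owner of the service principal" dropped from the roles bullet, it is also unclear which of the article's steps an owner can still perform. Suggest moving it out of the list as a note that says explicitly what a non-admin owner can and cannot do, and lowercasing "Service". The first added roles bullet also needs "or" before "Application Administrator".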
To review application permissions:
1. Select the application that you want to restrict access to. 1. Select **Permissions**. In the command bar, select **Review permissions**. ![Screenshot of the review permissions window.](./media/manage-application-permissions/review-permissions.png)
-1. Give a reason for why you want to review permissions for the application by selecting any of the options listed after the question , **Why do you want to review permissions for this application?**
+1. Give a reason for why you want to review permissions for the application by selecting any of the options listed after the question, **Why do you want to review permissions for this application?**
Each option generates PowerShell scripts that enable you to control user access to the application and to review permissions granted to the application. For information about how to control user access to an application, see [How to remove a user's access to an application](methods-for-removing-user-access.md)
active-directory Manage Consent Requests https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-consent-requests.md
Previously updated : 11/25/2021 Last updated : 07/14/2022
Microsoft recommends that you [restrict user consent](../../active-directory/manage-apps/configure-user-consent.md) to allow users to consent only for apps from verified publishers, and only for permissions that you select. For apps that don't meet these criteria, the decision-making process will be centralized with your organization's security and identity administrator team.
-After you've disabled or restricted user consent, you have several important steps to take to help keep your organization secure as you continue to allow business-critical applications to be used. These steps are crucial to minimize impact on your organization's support team and IT administrators, and to help prevent the use of unmanaged accounts in third-party applications.
+After you've disabled or restricted user consent, you have several important steps to take to help keep your organization secure as you continue to allow business-critical applications to be used. These steps are crucial to minimize impact on your organization's support team and IT administrators, and to help prevent the use of un-managed accounts in third-party applications.
## Process changes and education
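Review bot: The change from "unmanaged" to "un-managed" in the last sentence is a regression; "unmanaged" is the standard spelling and the form used elsewhere in the docs set. Suggest reverting that word and leaving the rest of the paragraph as it was.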
To minimize impact on trusted, business-critical applications that are already i
Granting tenant-wide admin consent is a sensitive operation. Permissions will be granted on behalf of the entire organization, and they can include permissions to attempt highly privileged operations. Examples of such operations are role management, full access to all mailboxes or all sites, and full user impersonation.
-Before you grant tenant-wide admin consent, it's important to ensure that you trust the application and the application publisher for the level of access you're granting. If you aren't confident that you understand who controls the application and why the application is requesting the permissions, do *not* grant consent.
+Before you grant tenant-wide admin consent, it's important to ensure that you trust the application, and the application publisher for the level of access you're granting. If you aren't confident that you understand who controls the application and why the application is requesting the permissions, do *not* grant consent.
When you're evaluating a request to grant admin consent, here are some recommendations to consider:
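Review bot: The added comma in "trust the application, and the application publisher for the level of access" splits a compound object and changes how the sentence parses: "for the level of access you're granting" now appears to attach only to the publisher. Suggest dropping the comma so the trust requirement clearly covers both the application and its publisher.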
When you're evaluating a request to grant admin consent, here are some recommend
* Understand the permissions that are being requested.
- The permissions requested by the application are listed in the [consent prompt](../develop/application-consent-experience.md). Expanding the permission title displays the permissionΓÇÖs description. The description for application permissions generally end in "without a signed-in user." The description for delegated permissions generally end with "on behalf of the signed-in user." Permissions for the Microsoft Graph API are described in [Microsoft Graph Permissions Reference](/graph/permissions-reference). Refer to the documentation for other APIs to understand the permissions they expose.
+ The permissions requested by the application are listed in the [consent prompt](../develop/application-consent-experience.md). Expanding the permission title displays the permissionΓÇÖs description. The description for application permissions generally ends in "without a signed-in user." The description for delegated permissions generally end with "on behalf of the signed-in user." Permissions for the Microsoft Graph API are described in [Microsoft Graph Permissions Reference](/graph/permissions-reference). Refer to the documentation for other APIs to understand the permissions they expose.
If you don't understand a permission that's being requested, do *not* grant consent.
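Review bot: Only the first of two parallel sentences was corrected: "The description for application permissions generally ends in" now agrees with its subject, but the next sentence still reads "The description for delegated permissions generally end with". Fix the second verb as well, and use the same preposition ("ends in" or "ends with") in both. The apostrophe in "permission's" shows up as mis-encoded characters in this view, so check the source file's encoding.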
When you're evaluating a request to grant admin consent, here are some recommend
For step-by-step instructions for granting tenant-wide admin consent from the Azure portal, see [Grant tenant-wide admin consent to an application](grant-admin-consent.md).
+## Revoke tenant wide admin consent
+
+To revoke tenant-wide admin consent, you can review and revoke the permissions previously granted to the application. For more information, see [review permissions granted to applications](manage-application-permissions.md). You can also remove userΓÇÖs access to the application by [disabling user sign-in to application](disable-user-sign-in-portal.md) or by [hiding the application](hide-application-from-user-portal.md) so that it doesnΓÇÖt appear in the My apps portal.
+ ### Grant consent on behalf of a specific user Instead of granting consent for the entire organization, an administrator can also use the [Microsoft Graph API](/graph/use-the-api) to grant consent to delegated permissions on behalf of a single user. For a detailed example that uses Microsoft Graph PowerShell, see [Grant consent on behalf of a single user by using PowerShell](grant-consent-single-user.md). ## Limit user access to applications
-User access to applications can still be limited even when tenant-wide admin consent has been granted. For more information about how to require user assignment to an application, see [Methods for assigning users and groups](./assign-user-or-group-access-portal.md). Administrators can also limit user access to applications by disabling all future user consent operations to any application.
+User access to applications can still be limited even when tenant-wide admin consent has been granted. To limit user access, require user assignment to an application. For more information, see [Methods for assigning users and groups](./assign-user-or-group-access-portal.md). Administrators can also limit user access to applications by disabling all future user consent operations to any application.
For a broader overview, including how to handle more complex scenarios, see [Use Azure Active Directory (Azure AD) for application access management](what-is-access-management.md).
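Review bot: The new `## Revoke tenant wide admin consent` heading is inserted immediately before `### Grant consent on behalf of a specific user`, so that H3 now nests under the revoke section instead of the grant section it belongs to. Suggest moving the revoke section after the single-user subsection, or making it an H3 alongside it. The heading should also be hyphenated as "tenant-wide" to match the body text, and "remove user's access" needs an article ("a user's access").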
active-directory Birst Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/birst-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Birst Agile Business Analytics | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Birst Agile Business Analytics'
description: Learn how to configure single sign-on between Azure Active Directory and Birst Agile Business Analytics.
Previously updated : 02/07/2019 Last updated : 07/08/2022
-# Tutorial: Azure Active Directory integration with Birst Agile Business Analytics
+# Tutorial: Azure AD SSO integration with Birst Agile Business Analytics
-In this tutorial, you learn how to integrate Birst Agile Business Analytics with Azure Active Directory (Azure AD).
-Integrating Birst Agile Business Analytics with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Birst Agile Business Analytics with Azure Active Directory (Azure AD). When you integrate Birst Agile Business Analytics with Azure AD, you can:
-* You can control in Azure AD who has access to Birst Agile Business Analytics.
-* You can enable your users to be automatically signed-in to Birst Agile Business Analytics (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Birst Agile Business Analytics.
+* Enable your users to be automatically signed-in to Birst Agile Business Analytics with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Birst Agile Business Analytics, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Birst Agile Business Analytics single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Birst Agile Business Analytics single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
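Review bot: the new Prerequisites bullet "Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD." sits under "you need the following items" but is written as a statement, not as something the reader needs. Suggest phrasing it as a requirement, for example that the account used must hold one of the two named roles. The link text "Azure built-in roles" should also name Azure AD roles, since the bullet is about Azure AD and the target is under `../roles/`. The same bullet is added to the Blue Access for Members (BAM) and Folloze prerequisites further down, so the fix applies there too.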
-* Birst Agile Business Analytics supports **SP** initiated SSO
-
-## Adding Birst Agile Business Analytics from the gallery
-
-To configure the integration of Birst Agile Business Analytics into Azure AD, you need to add Birst Agile Business Analytics from the gallery to your list of managed SaaS apps.
-
-**To add Birst Agile Business Analytics from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Birst Agile Business Analytics**, select **Birst Agile Business Analytics** from result panel then click **Add** button to add the application.
+* Birst Agile Business Analytics supports **SP** initiated SSO.
- ![Birst Agile Business Analytics in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Birst Agile Business Analytics based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Birst Agile Business Analytics needs to be established.
-
-To configure and test Azure AD single sign-on with Birst Agile Business Analytics, you need to complete the following building blocks:
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Birst Agile Business Analytics Single Sign-On](#configure-birst-agile-business-analytics-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Birst Agile Business Analytics test user](#create-birst-agile-business-analytics-test-user)** - to have a counterpart of Britta Simon in Birst Agile Business Analytics that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Add Birst Agile Business Analytics from the gallery
-### Configure Azure AD single sign-on
+To configure the integration of Birst Agile Business Analytics into Azure AD, you need to add Birst Agile Business Analytics from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Birst Agile Business Analytics** in the search box.
+1. Select **Birst Agile Business Analytics** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with Birst Agile Business Analytics, perform the following steps:
+## Configure and test Azure AD SSO for Birst Agile Business Analytics
-1. In the [Azure portal](https://portal.azure.com/), on the **Birst Agile Business Analytics** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with Birst Agile Business Analytics using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Birst Agile Business Analytics.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with Birst Agile Business Analytics, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Birst Agile Business Analytics SSO](#configure-birst-agile-business-analytics-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Birst Agile Business Analytics test user](#create-birst-agile-business-analytics-test-user)** - to have a counterpart of B.Simon in Birst Agile Business Analytics that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+## Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+1. In the Azure portal, on the **Birst Agile Business Analytics** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
- ![Birst Agile Business Analytics Domain and URLs single sign-on information](common/sp-intiated.png)
+1. On the **Basic SAML Configuration** section, perform the following steps:
- In the **Sign-on URL** textbox, type a URL using the following pattern: `https://login.bws.birst.com/SAMLSSO/Services.aspx?birst.idpid=TENANTIDPID`
+ In the **Sign-on URL** textbox, type a URL using the following pattern: `https://login.bws.birst.com/SAMLSSO/Services.aspx?birst.idpid=<TENANTIDPID>`
The URL depends on the datacenter that your Birst account is located:
- * For US datacenter use following the pattern: `https://login.bws.birst.com/SAMLSSO/Services.aspx?birst.idpid=TENANTIDPID`
+ * For US datacenter use following the pattern: `https://login.bws.birst.com/SAMLSSO/Services.aspx?birst.idpid=<TENANTIDPID>`
- * For Europe datacenter use the following pattern: `https://login.eu1.birst.com/SAMLSSO/Services.aspx?birst.idpid=TENANTIDPID`
+ * For Europe datacenter use the following pattern: `https://login.eu1.birst.com/SAMLSSO/Services.aspx?birst.idpid=<TENANTIDPID>`
> [!NOTE] > This value is not real. Update the value with the actual Sign-On URL. Contact [Birst Agile Business Analytics Client support team](mailto:info@birst.com) to get the value.
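Review bot: the US datacenter bullet still reads "use following the pattern" after this edit; the typo was carried over from the removed line while only the placeholder changed to `<TENANTIDPID>`. It should match the Europe bullet, "use the following pattern". The Sign-on URL step and the US bullet also give the same pattern twice, so the first one could be dropped in favour of the per-datacenter list.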
-5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/certificatebase64.png)
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
-6. On the **Set up Birst Agile Business Analytics** section, copy the appropriate URL(s) as per your requirement.
+ ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate")
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+1. On the **Set up Birst Agile Business Analytics** section, copy the appropriate URL(s) as per your requirement.
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Birst Agile Business Analytics Single Sign-On
-
-To configure single sign-on on **Birst Agile Business Analytics** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Birst Agile Business Analytics support team](mailto:info@birst.com). They set this setting to have the SAML SSO connection set properly on both sides.
-
-> [!NOTE]
-> Mention to Birst team that this integration needs SHA256 Algorithm (SHA1 will not be supported) so that they can set the SSO on the appropriate server like **app2101** etc.
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Metadata")
### Create an Azure AD test user
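Review bot: with the "a. Login URL / b. Azure Ad Identifier / c. Logout URL" sub-items removed, the step "copy the appropriate URL(s) as per your requirement" no longer says which values to copy and relies on the screenshot alone. The later section asks the reader to send the "appropriate copied URLs" to the Birst support team, so the three values should stay named in text. The certificate step in this hunk also keeps the old "Set up Single Sign-On with SAML" casing, while the earlier added step uses "Set up single sign-on with SAML".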
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
+In this section, you'll create a test user in the Azure portal called B.Simon.
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Birst Agile Business Analytics.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Birst Agile Business Analytics**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Birst Agile Business Analytics**.
-
- ![The Birst Agile Business Analytics link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Birst Agile Business Analytics.
- ![The "Users and groups" link](common/users-groups-blade.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Birst Agile Business Analytics**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
+## Configure Birst Agile Business Analytics SSO
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+To configure single sign-on on **Birst Agile Business Analytics** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Birst Agile Business Analytics support team](mailto:info@birst.com). They set this setting to have the SAML SSO connection set properly on both sides.
-7. In the **Add Assignment** dialog click the **Assign** button.
+> [!NOTE]
+> Mention to Birst team that this integration needs SHA256 Algorithm (SHA1 will not be supported) so that they can set the SSO on the appropriate server like **app2101** etc.
### Create Birst Agile Business Analytics test user In this section, you create a user called Britta Simon in Birst Agile Business Analytics. Work with [Birst Agile Business Analytics support team](mailto:info@birst.com) to add the users in the Birst Agile Business Analytics platform. Users must be created and activated before you use single sign-on.
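Review bot: the unchanged "Create Birst Agile Business Analytics test user" paragraph directly below the moved section still says "you create a user called Britta Simon", while every other reference in this change was renamed to B.Simon. Please update it in the same commit so the Azure AD test user and its Birst counterpart carry the same name. In the moved paragraph, "They set this setting to have the SAML SSO connection set properly on both sides" could be tightened while it is being touched.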
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Birst Agile Business Analytics tile in the Access Panel, you should be automatically signed in to the Birst Agile Business Analytics for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Click on **Test this application** in Azure portal. This will redirect to Birst Agile Business Analytics Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Birst Agile Business Analytics Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Birst Agile Business Analytics tile in the My Apps, this will redirect to Birst Agile Business Analytics Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Birst Agile Business Analytics you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
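Review bot: in the new Next steps paragraph, "session control, which protects exfiltration and infiltration of your organization's sensitive data" reads as if the exfiltration itself were being protected; it should say "protects against". The apostrophe in "organization's" is a non-ASCII character that comes through garbled here. In the Test SSO intro above it, "with following options" is missing "the". This hunk also drops the Conditional Access overview link from the old resources list even though the new paragraph says session control extends from Conditional Access; consider linking that term.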
active-directory Blue Access For Members Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/blue-access-for-members-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Blue Access for Members (BAM) | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Blue Access for Members (BAM)'
description: Learn how to configure single sign-on between Azure Active Directory and Blue Access for Members (BAM).
Previously updated : 11/06/2019 Last updated : 07/09/2022
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Blue Access for Members (BAM)
+# Tutorial: Azure AD SSO integration with Blue Access for Members (BAM)
In this tutorial, you'll learn how to integrate Blue Access for Members (BAM) with Azure Active Directory (Azure AD). When you integrate Blue Access for Members (BAM) with Azure AD, you can:
In this tutorial, you'll learn how to integrate Blue Access for Members (BAM) wi
* Enable your users to be automatically signed-in to Blue Access for Members (BAM) with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * Blue Access for Members (BAM) single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
+* Blue Access for Members (BAM) supports **IDP** initiated SSO.
-* Blue Access for Members (BAM) supports **IDP** initiated SSO
----
-## Adding Blue Access for Members (BAM) from the gallery
+## Add Blue Access for Members (BAM) from the gallery
To configure the integration of Blue Access for Members (BAM) into Azure AD, you need to add Blue Access for Members (BAM) from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Blue Access for Members (BAM)** in the search box. 1. Select **Blue Access for Members (BAM)** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Blue Access for Members (BAM)
+## Configure and test Azure AD SSO for Blue Access for Members (BAM)
Configure and test Azure AD SSO with Blue Access for Members (BAM) using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Blue Access for Members (BAM).
-To configure and test Azure AD SSO with Blue Access for Members (BAM), complete the following building blocks:
+To configure and test Azure AD SSO with Blue Access for Members (BAM), perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Blue Access for Members (BAM) SSO](#configure-blue-access-for-members-bam-sso)** - to configure the single sign-on settings on application side.
- * **[Create Blue Access for Members (BAM) test user](#create-blue-access-for-members-bam-test-user)** - to have a counterpart of B.Simon in Blue Access for Members (BAM) that is linked to the Azure AD representation of user.
+ 1. **[Create Blue Access for Members (BAM) test user](#create-blue-access-for-members-bam-test-user)** - to have a counterpart of B.Simon in Blue Access for Members (BAM) that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Blue Access for Members (BAM)** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Blue Access for Members (BAM)** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type a value using the following pattern:
`<Custom Domain Value>` b. In the **Reply URL** text box, type a URL using the following pattern:
Follow these steps to enable Azure AD SSO in the Azure portal.
1. Blue Access for Members (BAM) application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![Screenshot shows the image of attribute mappings.](common/default-attributes.png "Attributes")
1. In addition to above, Blue Access for Members (BAM) application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
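Review bot: the new alt text on the default-attributes image, "Screenshot shows the image of attribute mappings.", does not match the step above it, which says the screenshot shows the list of default attributes, and "shows the image of" is redundant. Suggest "Screenshot shows the list of default attributes." The other alt texts added in this file, "Screenshot shows to edit Basic S A M L Configuration." and "Screenshot shows to copy configuration appropriate U R L.", are ungrammatical and should read "shows how to edit" and "shows how to copy the appropriate configuration URL".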
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
1. On the **Set up Blue Access for Members (BAM)** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Metadata")
### Create an Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Blue Access for Members (BAM)**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, you create a user called B.Simon in Blue Access for Members (BA
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Blue Access for Members (BAM) tile in the Access Panel, you should be automatically signed in to the Blue Access for Members (BAM) for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Blue Access for Members (BAM) for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Blue Access for Members (BAM) tile in the My Apps, you should be automatically signed in to the Blue Access for Members (BAM) for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Blue Access for Members (BAM) with Azure AD](https://aad.portal.azure.com/)
+Once you configure Blue Access for Members (BAM) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
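Review bot: in the new Test SSO list, "Click on Test this application in Azure portal" leaves the control name unformatted, whereas the Birst tutorial updated in the same batch uses **Test this application** in bold; the UI label should be bold here as well. The intro line "with following options" is missing "the", and the Next steps paragraph repeats the "protects exfiltration and infiltration" wording and the garbled apostrophe seen in the Birst tutorial.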
active-directory Folloze Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/folloze-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Folloze | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Folloze'
description: Learn how to configure single sign-on between Azure Active Directory and Folloze.
Previously updated : 10/23/2019 Last updated : 07/09/2022
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Folloze
+# Tutorial: Azure AD SSO integration with Folloze
In this tutorial, you'll learn how to integrate Folloze with Azure Active Directory (Azure AD). When you integrate Folloze with Azure AD, you can:
In this tutorial, you'll learn how to integrate Folloze with Azure Active Direct
* Enable your users to be automatically signed-in to Folloze with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * Folloze single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
+* Folloze supports **IDP** initiated SSO.
-* Folloze supports **IDP** initiated SSO
-
-* Folloze supports **Just In Time** user provisioning
+* Folloze supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Folloze from the gallery
+## Add Folloze from the gallery
To configure the integration of Folloze into Azure AD, you need to add Folloze from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Folloze** in the search box. 1. Select **Folloze** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Folloze
+## Configure and test Azure AD SSO for Folloze
Configure and test Azure AD SSO with Folloze using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Folloze.
-To configure and test Azure AD SSO with Folloze, complete the following building blocks:
+To configure and test Azure AD SSO with Folloze, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Folloze SSO](#configure-folloze-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Folloze test user](#create-folloze-test-user)** - to have a counterpart of B.Simon in Folloze that is linked to the Azure AD representation of user.
+ 1. **[Create Folloze test user](#create-folloze-test-user)** - to have a counterpart of B.Simon in Folloze that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Folloze** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Folloze** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
-1. On the **Basic SAML Configuration** section the application is pre-configured in **IDP** initiated mode and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button.
+1. On the **Basic SAML Configuration** section, the application is pre-configured in **IDP** initiated mode and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button.
1. Folloze application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/edit-attribute.png)
+ ![Screenshot shows the image of attributes configuration.](common/edit-attribute.png "Attributes")
1. In addition to above, Folloze application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/certificatebase64.png)
+ ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate")
1. On the **Set up Folloze** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Metadata")
### Create an Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Folloze**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, a user called Britta Simon is created in Folloze. Folloze suppo
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Folloze tile in the Access Panel, you should be automatically signed in to the Folloze for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Folloze for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Folloze tile in the My Apps, you should be automatically signed in to the Folloze for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Folloze with Azure AD](https://aad.portal.azure.com/)
+Once you configure Folloze you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
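Review bot: In the Test SSO bullets, "Test this application" is a portal button name and should be bold (`**Test this application**`), like the other UI labels this file marks up, and "with following options" needs "the". In the Next steps sentence, "protects exfiltration and infiltration" reads as though session control protects the data movement itself; "protects against exfiltration and infiltration" is the intended meaning. The apostrophe in "organization's" is a typographic quote that shows up garbled here; a plain ASCII apostrophe avoids that.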
active-directory Freshgrade Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/freshgrade-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with FreshGrade | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with FreshGrade'
description: Learn how to configure single sign-on between Azure Active Directory and FreshGrade.
Previously updated : 02/15/2019 Last updated : 07/09/2022
-# Tutorial: Azure Active Directory integration with FreshGrade
+# Tutorial: Azure AD SSO integration with FreshGrade
-In this tutorial, you learn how to integrate FreshGrade with Azure Active Directory (Azure AD).
-Integrating FreshGrade with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate FreshGrade with Azure Active Directory (Azure AD). When you integrate FreshGrade with Azure AD, you can:
-* You can control in Azure AD who has access to FreshGrade.
-* You can enable your users to be automatically signed-in to FreshGrade (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to FreshGrade.
+* Enable your users to be automatically signed-in to FreshGrade with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with FreshGrade, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* FreshGrade single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* FreshGrade single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* FreshGrade supports **SP** initiated SSO
+* FreshGrade supports **SP** initiated SSO.
-## Adding FreshGrade from the gallery
+## Add FreshGrade from the gallery
To configure the integration of FreshGrade into Azure AD, you need to add FreshGrade from the gallery to your list of managed SaaS apps.
-**To add FreshGrade from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **FreshGrade**, select **FreshGrade** from result panel then click **Add** button to add the application.
-
- ![FreshGrade in the results list](common/search-new-app.png)
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **FreshGrade** in the search box.
+1. Select **FreshGrade** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for FreshGrade
-In this section, you configure and test Azure AD single sign-on with FreshGrade based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in FreshGrade needs to be established.
+Configure and test Azure AD SSO with FreshGrade using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in FreshGrade.
-To configure and test Azure AD single sign-on with FreshGrade, you need to complete the following building blocks:
+To configure and test Azure AD SSO with FreshGrade, perform the following steps:
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure FreshGrade Single Sign-On](#configure-freshgrade-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create FreshGrade test user](#create-freshgrade-test-user)** - to have a counterpart of Britta Simon in FreshGrade that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure FreshGrade SSO](#configure-freshgrade-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create FreshGrade test user](#create-freshgrade-test-user)** - to have a counterpart of B.Simon in FreshGrade that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD single sign-on
+## Configure Azure AD SSO
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Follow these steps to enable Azure AD SSO in the Azure portal.
-To configure Azure AD single sign-on with FreshGrade, perform the following steps:
+1. In the Azure portal, on the **FreshGrade** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-1. In the [Azure portal](https://portal.azure.com/), on the **FreshGrade** application integration page, select **Single sign-on**.
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
- ![Configure single sign-on link](common/select-sso.png)
+1. On the **Basic SAML Configuration** section, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+ a. In the **Identifier (Entity ID)** textbox, type a URL using one of the following patterns:
- ![Single sign-on select mode](common/select-saml-option.png)
+ | **Identifier** |
+ |-|
+ |`https://login.onboarding.freshgrade.com:443/saml/metadata/alias/<instancename>`|
+ |`https://login.freshgrade.com:443/saml/metadata/alias/<instancename>`|
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-
-4. On the **Set up Single Sign-On with SAML** page, perform the following steps:
-
- ![FreshGrade Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign-on URL** textbox, type a URL using the following patterns:
-
- ```http
- https://<subdomain>.freshgrade.com/login
- https://<subdomain>.onboarding.freshgrade.com/login
- ```
-
- b. In the **Identifier (Entity ID)** textbox, type a URL using the following patterns:
-
- ```http
- https://login.onboarding.freshgrade.com:443/saml/metadata/alias/<instancename>
- https://login.freshgrade.com:443/saml/metadata/alias/<instancename>
- ```
+ b. In the **Sign-on URL** textbox, type a URL using one of the following patterns:
+
+ | **Sign-on URL** |
+ ||
+ |`https://<subdomain>.freshgrade.com/login`|
+ |`https://<subdomain>.onboarding.freshgrade.com/login`|
> [!NOTE]
- > These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact [FreshGrade Client support team](mailto:support@freshgrade.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-
-5. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [FreshGrade Client support team](mailto:support@freshgrade.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
- ![The Certificate download link](common/copy-metadataurl.png)
+1. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
-### Configure FreshGrade Single Sign-On
-
-To configure single sign-on on **FreshGrade** side, you need to send the **App Federation Metadata Url** to [FreshGrade support team](mailto:support@freshgrade.com). They set this setting to have the SAML SSO connection set properly on both sides.
+ ![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate")
### Create an Azure AD test user
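Review bot: The last step of the SSO configuration has the reader copy the **App Federation Metadata Url**, but the image added under it carries the alt text "Screenshot shows the Certificate download link." and the title "Certificate"; describe the metadata URL copy instead. The same step writes the page name as "Set up Single Sign-On with SAML" and capitalizes "In" mid-sentence, while step 3 uses "Set up single sign-on with SAML". The Sign-on URL table's separator row is `||` where the Identifier table has `|-|`; use the same separator so both render as tables.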
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
+In this section, you'll create a test user in the Azure portal called B.Simon.
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to FreshGrade.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **FreshGrade**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to FreshGrade.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **FreshGrade**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **FreshGrade**.
+## Configure FreshGrade SSO
- ![The FreshGrade link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **FreshGrade** side, you need to send the **App Federation Metadata Url** to [FreshGrade support team](mailto:support@freshgrade.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create FreshGrade test user In this section, you create a user called Britta Simon in FreshGrade. Work with [FreshGrade support team](mailto:support@freshgrade.com) to add the users in the FreshGrade platform. Users must be created and activated before you use single sign-on.
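Review bot: The unchanged "Create FreshGrade test user" paragraph still says "you create a user called Britta Simon", while every other step in this patch renames the test user to B.Simon, including the overview bullet that points to this section. Update the paragraph in the same change so the Azure AD user and its FreshGrade counterpart carry one name.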
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the FreshGrade tile in the Access Panel, you should be automatically signed in to the FreshGrade for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Click on **Test this application** in Azure portal. This will redirect to FreshGrade Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to FreshGrade Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the FreshGrade tile in the My Apps, this will redirect to FreshGrade Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure FreshGrade you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
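Review bot: The removed Additional Resources list carried this file's link to `../conditional-access/overview.md`, and the new Next steps text says "Session control extends from Conditional Access" without linking it. Keep a Conditional Access link in Next steps so readers can reach the policy documentation the sentence relies on. In the Test SSO intro, "with following options" needs "the".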
active-directory Headspace Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/headspace-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with Headspace'
+description: Learn how to configure single sign-on between Azure Active Directory and Headspace.
++++++++ Last updated : 07/14/2022++++
+# Tutorial: Azure AD SSO integration with Headspace
+
+In this tutorial, you'll learn how to integrate Headspace with Azure Active Directory (Azure AD). When you integrate Headspace with Azure AD, you can:
+
+* Control in Azure AD who has access to Headspace.
+* Enable your users to be automatically signed-in to Headspace with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Headspace single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Headspace supports **SP** initiated SSO.
+* Headspace supports **Just In Time** user provisioning.
+
+## Add Headspace from the gallery
+
+To configure the integration of Headspace into Azure AD, you need to add Headspace from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Headspace** in the search box.
+1. Select **Headspace** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Headspace
+
+Configure and test Azure AD SSO with Headspace using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Headspace.
+
+To configure and test Azure AD SSO with Headspace, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Headspace SSO](#configure-headspace-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Headspace test user](#create-headspace-test-user)** - to have a counterpart of B.Simon in Headspace that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Headspace** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier** textbox, type a value using the following pattern:
+ `urn:auth0:<Auth0TenantName>:<CustomerConnectionName>`
+
+ b. In the **Reply URL** textbox, type a value using the following pattern:
+ `https://auth.<Enviornment>.headspace.com/login/callback?connection=<CustomerConnectionName>`
+
+ c. In the **Sign on URL** textbox, type a value using the following pattern:
+ `https://<Environment>.headspace.com/sso-login`
+
+ > [!Note]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Headspace Client support team](mailto:ecosystem-integration-squad@headspace.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. Headspace application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+ ![Screenshot shows the image of Headspace application.](common/default-attributes.png "Attributes")
+
+1. In addition to above, Headspace application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+
+ | Name | Source Attribute|
+ | | |
+ | email | user.mail |
+ | family_name | user.surname |
+ | userName | user.userprincipalname |
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (PEM)** and select **Download** to download the certificate and save it on your computer.
+
+ ![Screenshot shows the Certificate download link.](common/certificate-base64-download.png "Certificate")
+
+1. On the **Set up Headspace** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Metadata")
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Headspace.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Headspace**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Headspace SSO
+
+To configure single sign-on on **Headspace** side, you need to send the downloaded **Certificate (PEM)** and appropriate copied URLs from Azure portal to [Headspace support team](mailto:ecosystem-integration-squad@headspace.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Headspace test user
+
+In this section, a user called B.Simon is created in Headspace. Headspace supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Headspace, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to Headspace Sign-on URL where you can initiate the login flow.
+
+* Go to Headspace Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Headspace tile in the My Apps, this will redirect to Headspace Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Headspace you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
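Review bot: The Reply URL pattern in step b spells the placeholder `<Enviornment>` while the Sign on URL in step c uses `<Environment>`; fix the spelling so both patterns name the same placeholder. The certificate step asks for **Certificate (PEM)** but references `common/certificate-base64-download.png`, so confirm the screenshot matches the PEM option. The callout is written `> [!Note]` where the other tutorials in this update use `> [!NOTE]`, and the attribute table's separator row `| | |` has no dashes.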
active-directory Infogix Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/infogix-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Infogix Data3Sixty Govern | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Infogix Data3Sixty Govern'
description: Learn how to configure single sign-on between Azure Active Directory and Infogix Data3Sixty Govern.
Previously updated : 03/14/2019 Last updated : 07/09/2022
-# Tutorial: Azure Active Directory integration with Infogix Data3Sixty Govern
+# Tutorial: Azure AD SSO integration with Infogix Data3Sixty Govern
-In this tutorial, you learn how to integrate Infogix Data3Sixty Govern with Azure Active Directory (Azure AD).
-Integrating Infogix Data3Sixty Govern with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Infogix Data3Sixty Govern with Azure Active Directory (Azure AD). When you integrate Infogix Data3Sixty Govern with Azure AD, you can:
-* You can control in Azure AD who has access to Infogix Data3Sixty Govern.
-* You can enable your users to be automatically signed-in to Infogix Data3Sixty Govern (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Infogix Data3Sixty Govern.
+* Enable your users to be automatically signed-in to Infogix Data3Sixty Govern with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Infogix Data3Sixty Govern, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Infogix Data3Sixty Govern single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Infogix Data3Sixty Govern single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Infogix Data3Sixty Govern supports **SP and IDP** initiated SSO
-* Infogix Data3Sixty Govern supports **Just In Time** user provisioning
-
-## Adding Infogix Data3Sixty Govern from the gallery
-
-To configure the integration of Infogix Data3Sixty Govern into Azure AD, you need to add Infogix Data3Sixty Govern from the gallery to your list of managed SaaS apps.
-
-**To add Infogix Data3Sixty Govern from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
+* Infogix Data3Sixty Govern supports **SP and IDP** initiated SSO.
+* Infogix Data3Sixty Govern supports **Just In Time** user provisioning.
-4. In the search box, type **Infogix Data3Sixty Govern**, select **Infogix Data3Sixty Govern** from result panel then click **Add** button to add the application.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
- ![Infogix Data3Sixty Govern in the results list](common/search-new-app.png)
+## Add Infogix Data3Sixty Govern from the gallery
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Infogix Data3Sixty Govern based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Infogix Data3Sixty Govern needs to be established.
-
-To configure and test Azure AD single sign-on with Infogix Data3Sixty Govern, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Infogix Data3Sixty Govern Single Sign-On](#configure-infogix-data3sixty-govern-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Infogix Data3Sixty Govern test user](#create-infogix-data3sixty-govern-test-user)** - to have a counterpart of Britta Simon in Infogix Data3Sixty Govern that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+To configure the integration of Infogix Data3Sixty Govern into Azure AD, you need to add Infogix Data3Sixty Govern from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Infogix Data3Sixty Govern** in the search box.
+1. Select **Infogix Data3Sixty Govern** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with Infogix Data3Sixty Govern, perform the following steps:
+## Configure and test Azure AD SSO for Infogix Data3Sixty Govern
-1. In the [Azure portal](https://portal.azure.com/), on the **Infogix Data3Sixty Govern** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with Infogix Data3Sixty Govern using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Infogix Data3Sixty Govern.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with Infogix Data3Sixty Govern, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Infogix Data3Sixty Govern SSO](#configure-infogix-data3sixty-govern-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Infogix Data3Sixty Govern test user](#create-infogix-data3sixty-govern-test-user)** - to have a counterpart of B.Simon in Infogix Data3Sixty Govern that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+## Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+1. In the Azure portal, on the **Infogix Data3Sixty Govern** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
+1. On the **Basic SAML Configuration** section, perform the following steps:
- a. In the **Identifier** text box, type a URL:
+ a. In the **Identifier** text box, type the URL:
`https://data3sixty.com/ui` b. In the **Reply URL** text box, type a URL using the following pattern: `https://<subdomain>.data3sixty.com/sso/acs`
-5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
-
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
In the **Sign-on URL** text box, type a URL using the following pattern: `https://<subdomain>.data3sixty.com`
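Review bot: Under Prerequisites, the added bullet "Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD." is not an item the reader needs to have, unlike the two bullets before it, and the "For more information" line that follows is not indented, so it drops out of the list. Reword it as a requirement, for example "An account with the Cloud Application Administrator or Application Administrator role", and indent the follow-on sentence under that bullet. Separately, the new note that the Identifier is a fixed string sits in Scenario description, but the value itself (`https://data3sixty.com/ui`) only appears in the Basic SAML Configuration step; repeating the one-instance-per-tenant limit next to that step would help.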
To configure Azure AD single sign-on with Infogix Data3Sixty Govern, perform the
> [!NOTE] > These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact [Infogix Data3Sixty Govern Client support team](mailto:data3sixtysupport@infogix.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-6. Infogix Data3Sixty Govern application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on application integration page. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **User Attributes** dialog.
+1. Infogix Data3Sixty Govern application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on application integration page. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **User Attributes** dialog.
- ![Screenshot shows User Attributes with the Edit icon selected.](common/edit-attribute.png)
+ ![Screenshot shows User Attributes with the Edit icon selected.](common/edit-attribute.png "Attributes")
-7. In the **User Claims** section on the **User Attributes** dialog, edit the claims by using **Edit icon** or add the claims by using **Add new claim** to configure SAML token attribute as shown in the image above and perform the following steps:
+1. In the **User Claims** section on the **User Attributes** dialog, edit the claims by using **Edit icon** or add the claims by using **Add new claim** to configure SAML token attribute as shown in the image above and perform the following steps:
| Name | Source Attribute| | --| -- |
To configure Azure AD single sign-on with Infogix Data3Sixty Govern, perform the
a. Click **Add new claim** to open the **Manage user claims** dialog.
- ![Screenshot shows User claims with the option to Add new claim.](common/new-save-attribute.png)
+ ![Screenshot shows User claims with the option to Add new claim.](common/new-save-attribute.png "Claims")
- ![Screenshot shows the Manage user claims dialog box where you can enter the values described.](common/new-attribute-details.png)
+ ![Screenshot shows the Manage user claims dialog box where you can enter the values described.](common/new-attribute-details.png "Values")
b. In the **Name** textbox, type the attribute name shown for that row.
To configure Azure AD single sign-on with Infogix Data3Sixty Govern, perform the
g. Click **Save**.
-8. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/certificateraw.png)
-
-9. On the **Set up Infogix Data3Sixty Govern** section, copy the appropriate URL(s) as per your requirement.
-
- ![Copy configuration URLs](common/copy-configuration-urls.png)
-
- a. Login URL
-
- b. Azure AD Identifier
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer.
- c. Logout URL
+ ![Screenshot shows the Certificate download link.](common/certificateraw.png "Certificate")
-### Configure Infogix Data3Sixty Govern Single Sign-On
+1. On the **Set up Infogix Data3Sixty Govern** section, copy the appropriate URL(s) as per your requirement.
-To configure single sign-on on **Infogix Data3Sixty Govern** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Infogix Data3Sixty Govern support team](mailto:data3sixtysupport@infogix.com). They set this setting to have the SAML SSO connection set properly on both sides.
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Metadata")
### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Infogix Data3Sixty Govern.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Infogix Data3Sixty Govern**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Infogix Data3Sixty Govern.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Infogix Data3Sixty Govern**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **Infogix Data3Sixty Govern**.
+## Configure Infogix Data3Sixty Govern SSO
- ![The Infogix Data3Sixty Govern link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Infogix Data3Sixty Govern** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Infogix Data3Sixty Govern support team](mailto:data3sixtysupport@infogix.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Infogix Data3Sixty Govern test user
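Review bot: The step "On the **Set up Infogix Data3Sixty Govern** section, copy the appropriate URL(s) as per your requirement" no longer says which URLs exist, because the a/b/c list (Login URL, Azure AD Identifier, Logout URL) was removed together with the old screenshot line. "Configure Infogix Data3Sixty Govern SSO" then asks the admin to send the "appropriate copied URLs" to the support team, so name the values the vendor needs in one of the two places. The new alt text "Screenshot shows to copy configuration appropriate U R L." is also ungrammatical; "Screenshot shows how to copy the appropriate configuration U R L." reads better.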
In this section, a user called Britta Simon is created in Infogix Data3Sixty Gov
> [!Note] > If you need to create a user manually, contact [Infogix Data3Sixty Govern support team](mailto:data3sixtysupport@infogix.com).
-### Test single sign-on
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Infogix Data3Sixty Govern Sign-on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Infogix Data3Sixty Govern Sign-on URL directly and initiate the login flow from there.
-When you click the Infogix Data3Sixty Govern tile in the Access Panel, you should be automatically signed in to the Infogix Data3Sixty Govern for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Infogix Data3Sixty Govern for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Infogix Data3Sixty Govern tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Infogix Data3Sixty Govern for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Infogix Data3Sixty Govern you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
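Review bot: The unchanged text at the top of this hunk still says "a user called Britta Simon is created", but the rest of this change renames the test user to B.Simon; update that sentence as well. The new `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO` and skip a heading level, and the "Next steps" link text says "Microsoft Cloud App Security" where the Sage Intacct article in this batch says "Microsoft Defender for Cloud Apps".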
active-directory Intacct Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/intacct-tutorial.md
Previously updated : 03/16/2022 Last updated : 07/14/2022
To configure and test Azure AD SSO with Sage Intacct, perform the following step
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
-2. **[Configure Sage Intacct SSO](#configure-sage-intacct-sso)** - to configure the Single Sign-On settings on application side.
+2. **[Configure Sage Intacct SSO](#configure-sage-intacct-sso)** - to configure the single sign-on settings on application side.
1. **[Set up individual users in Intacct](#set-up-individual-users-in-intacct)** - to have a counterpart of B.Simon in Sage Intacct that is linked to the Azure AD representation of user. 6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
Follow these steps to enable Azure AD SSO in the Azure portal.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, perform the following step:
+1. On the **Basic SAML Configuration** section, perform the following steps:
- In the **Reply URL** text box, type one of the following URLs:
+ a. In the **Identifier (Entity ID)** text box, type a unique identifier for your Sage Intacct company, such as `https://saml.intacct.com`.
- | Reply URL |
- | - |
- | `https://www.intacct.com/ia/acct/sso_response.phtml` (Select as the default.) |
- | `https://www-p02.intacct.com/ia/acct/sso_response.phtml` |
- | `https://www-p03.intacct.com/ia/acct/sso_response.phtml` |
- | `https://www-p04.intacct.com/ia/acct/sso_response.phtml` |
- | `https://www-p05.intacct.com/ia/acct/sso_response.phtml` |
- |
+ b. In the **Reply URL** text box, add the following URLs:
-1. The Sage Intacct application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open User Attributes dialog..
+ | Reply URL |
+ | - |
+ | `https://www.intacct.com/ia/acct/sso_response.phtml` (Select as the default.) |
+ | `https://www-p02.intacct.com/ia/acct/sso_response.phtml` |
+ | `https://www-p03.intacct.com/ia/acct/sso_response.phtml` |
+ | `https://www-p04.intacct.com/ia/acct/sso_response.phtml` |
+ | `https://www-p05.intacct.com/ia/acct/sso_response.phtml` |
+
+
+1. The Sage Intacct application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open User Attributes dialog.
![image](common/edit-attribute.png)
-1. In addition to above, Sage Intacct application expects few more attributes to be passed back in SAML response. In the **User Attributes & Claims** dialog, perform the following steps to add SAML token attribute as shown in the below table:
+1. In the **Attributes & Claims** dialog, perform the following steps:
+ a. Edit **Unique User Identifier (Name ID)** and set source attribute to user.mail and verify Name identifier format is set to Email address and click **Save**
+
+ b. Remove all default Additional claims attributes by clicking ***...*** and Delete.
+
| Attribute Name | Source Attribute| | | | | Company Name | **Sage Intacct Company ID** | | name | `<User ID>`| > [!NOTE]
- > Enter the `<User ID>` value should be same as the Sage Intacct **User ID**, which you enter in the **[Set up individual users in Intacct](#set-up-individual-users-in-intacct)**, which is explained later in the tutorial
+ > Enter the `<User ID>` value should be same as the Sage Intacct **User ID**, which you enter in the **[Set up individual users in Intacct](#set-up-individual-users-in-intacct)**, which is explained later in the tutorial. Usually, this is the prefix of the email address. In this case, you can set the source as a transformation and use ExtractMailPrefix() on user.mail parameter.
- a. Click **Add new claim** to open the **Manage user claims** dialog.
+ c. Click **Add new claim** to open the **Manage user claims** dialog.
- b. In the **Name** textbox, type the attribute name shown for that row.
+ d. In the **Name** textbox, type the attribute name shown for that row.
- c. Leave the **Namespace** blank.
+ e. Leave the **Namespace** blank.
- d. Select Source as **Attribute**.
+ f. Select Source as **Attribute**.
- e. From the **Source attribute** list, type or select the attribute value shown for that row.
+ g. From the **Source attribute** list, type or select the attribute value shown for that row.
- f. Click **Ok**
+ h. Click **Ok**
- g. Click **Save**.
+ i. Click **Save**.
+
+ > Repeat steps c-i to add both custom attibutes.
+
-1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Edit** to open the dialog. Click **...** next to the Active certificate and select **PEM certificate download** to download the certificate and save it to your local drive.
- ![The Certificate download link](common/certificatebase64.png)
+ ![The Certificate download link](common/certificate-base64-download.png)
-1. On the **Set up Sage Intacct** section, copy the appropriate URL(s) based on your requirement.
+1. On the **Set up Sage Intacct** section, copy the Login URL as you will use it within Sage Intacct configuration.
![Copy configuration URLs](common/copy-configuration-urls.png)
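Review bot: In the "Attributes & Claims" step, the sentence that introduced the attribute table was removed, so the table (Company Name, name) now appears between sub-steps b and c with nothing saying these are the claims to add; restore a lead-in such as "Add the following claims" before it. The closing instruction "Repeat steps c-i to add both custom attibutes." has a typo ("attributes") and is a bare blockquote rather than a `> [!NOTE]` like the other notes. The note beginning "Enter the `<User ID>` value should be same as" is ungrammatical; "The `<User ID>` value must be the same as" fits.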
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
b. As **Identity provider type**, select **SAML 2.0**.
- c. In **Issuer URL** textbox, paste the value of **Azure AD Identifier**, which you have copied from Azure portal.
+ c. In **Issuer URL** textbox, paste the value of **Identifier (Entity ID)**, which you created in the Basic SAML Configuration dialog.
d. In **Login URL** textbox, paste the value of **Login URL**, which you have copied from Azure portal.
- e. Open your **base-64** encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **Certificate** box.
+ e. Open your **PEM** encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **Certificate** box.
f. Set **Requested authentication content type** to **Exact**.
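Review bot: Sub-step c now takes the **Issuer URL** from the **Identifier (Entity ID)** the admin typed in Basic SAML Configuration rather than the **Azure AD Identifier** copied from the portal, but neither step says the two entries must be the same string. State that the value pasted here must match the Identifier entered earlier exactly (the example given there is `https://saml.intacct.com`), so the reader does not paste the portal's Azure AD Identifier out of habit from the previous version of this step.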
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
### Set up individual users in Intacct
-When SSO is enabled for your company, you can individually require users to use SSO when logging in to your company. After you set up a user for SSO, the user will no longer be able to use a password to log in to your company directly. Instead, that user will need to use single sign-on and will be authenticated by your SSO identity provider as being an authorized user. Any users who aren't set up for SSO can continue to log in to your company using the basic signin page.
+When SSO is enabled for your company, you can individually require users to use SSO when logging in to your company. After you set up a user for SSO, the user will no longer be able to use a password to log in to your company directly. Instead, that user will need to use single sign-on and be authenticated by your SSO identity provider as an authorized user. Any users who are not set up for SSO can continue to log in to your company using the basic sign-in page.
**To enable SSO for a user, perform the following steps:**
-1. Sign in to your **Sage Intacct** tenant.
+1. Sign in to your **Sage Intacct** company.
1. Go to **Company**, click the **Admin** tab, then click **Users**.
When SSO is enabled for your company, you can individually require users to use
1. Locate the desired user and click **Edit** next to it.
- ![Edit the user](./media/intacct-tutorial/user-edit.png "edit")
+ ![Screenshot to Edit the user](./media/intacct-tutorial/user-edit.png "edit")
+
+1. Click the **Single sign-on** tab and type the **Federated SSO user ID**.
-1. Click **Single sign-on** tab and make sure that the **Federated SSO user ID** in below screenshot and the **Source Attribute** value which is mapped with the `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier` in the **User Attributes** section in the Azure portal should be same.
+> [!NOTE]
+> This value is mapped with the Unique User Identifier found in Azure's Attributes & Claims dialog.
- ![Screenshot shows the User Information section where you can enter the Federated S S O user i d.](./media/intacct-tutorial/user-information.png "User Information")
+![Screenshot shows the User Information section where you can enter the Federated S S O user i d.](./media/intacct-tutorial/user-information.png "User Information")
> [!NOTE] > To provision Azure AD user accounts, you can use other Sage Intacct user account creation tools or APIs that are provided by Sage Intacct.
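Review bot: The new `> [!NOTE]` and the screenshot line after "Click the **Single sign-on** tab and type the **Federated SSO user ID**." lost the indentation the removed lines had, so they no longer belong to that list item and the numbered list is interrupted; indent both under the step. The removed text named the claim (`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`) whose source attribute must equal this ID, while the replacement only says the value "is mapped with the Unique User Identifier"; say plainly that the ID typed here must equal the Name ID value Azure AD sends, which the earlier Attributes & Claims step sets to user.mail.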
In this section, you test your Azure AD single sign-on configuration with follow
## Next steps
-Once you configure Sage Intacct you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Sage Intacct you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).
active-directory Lift Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/lift-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with LIFT | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with LIFT'
description: Learn how to configure single sign-on between Azure Active Directory and LIFT.
Previously updated : 03/11/2020 Last updated : 07/08/2022
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with LIFT
+# Tutorial: Azure AD SSO integration with LIFT
In this tutorial, you'll learn how to integrate LIFT with Azure Active Directory (Azure AD). When you integrate LIFT with Azure AD, you can:
In this tutorial, you'll learn how to integrate LIFT with Azure Active Directory
* Enable your users to be automatically signed-in to LIFT with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * LIFT single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* LIFT supports **SP** initiated SSO
-* Once you configure LIFT you can enforce Session Control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session Control extend from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
+* LIFT supports **SP** initiated SSO.
-## Adding LIFT from the gallery
+## Add LIFT from the gallery
To configure the integration of LIFT into Azure AD, you need to add LIFT from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **LIFT** in the search box. 1. Select **LIFT** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for LIFT
+## Configure and test Azure AD SSO for LIFT
Configure and test Azure AD SSO with LIFT using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in LIFT.
-To configure and test Azure AD SSO with LIFT, complete the following building blocks:
+To configure and test Azure AD SSO with LIFT, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
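Review bot: The new prerequisite "Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD." never states that one of these roles is required for the steps that follow, and it reads as an aside. State the requirement directly, for example "You need the Cloud Application Administrator or Application Administrator role to add and manage the application", so readers assign one of those two roles rather than a broader one. The link text "Azure built-in roles" points at ../roles/permissions-reference.md under active-directory, so "Azure AD built-in roles" would be the accurate label.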
To configure and test Azure AD SSO with LIFT, complete the following building bl
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **LIFT** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **LIFT** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
-
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<companyname>.portal.liftsoftware.nl/lift/secure`
+1. On the **Basic SAML Configuration** section, perform the following steps:
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
`https://<companyname>.portal.liftsoftware.nl/saml-metadata/<identifier>`
+
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<companyname>.portal.liftsoftware.nl/lift/secure`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [LIFT Client support team](mailto:support@liftsoftware.nl) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [LIFT Client support team](mailto:support@liftsoftware.nl) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
- ![The Certificate download link](common/copy-metadataurl.png)
+ ![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate")
### Create an Azure AD test user
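Review bot: The new alt text "Screenshot shows to edit Basic S A M L Configuration." is not a sentence. "Screenshot shows how to edit Basic S A M L Configuration." reads correctly and keeps the spaced-out acronym. The unchanged step just below still has "page, In the **SAML Signing Certificate** section, click copy button", which could be tidied in the same pass (lowercase "in", "click the copy button").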
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **LIFT**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button. - ## Configure LIFT SSO To configure single sign-on on **LIFT** side, you need to send the **App Federation Metadata Url** to [LIFT support team](mailto:support@liftsoftware.nl). They set this setting to have the SAML SSO connection set properly on both sides.
In this section, you create a user called B.Simon in LIFT. Work with [LIFT suppo
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the LIFT tile in the Access Panel, you should be automatically signed in to the LIFT for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal. This will redirect to LIFT Sign-on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Go to LIFT Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the LIFT tile in the My Apps, this will redirect to LIFT Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try LIFT with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad)
+Once you configure LIFT you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
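Review bot: The added Next steps link is labelled "Microsoft Cloud App Security", while the bullet this change removes from Scenario description used "Microsoft Defender for Cloud Apps" for the same /cloud-app-security/proxy-deployment-aad target. Keep "Microsoft Defender for Cloud Apps" in the new paragraph so that moving the text does not bring back the older product name. In the Test SSO intro, "with following options" needs an article: "with the following options".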
active-directory Maxxpoint Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/maxxpoint-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with MaxxPoint | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with MaxxPoint'
description: Learn how to configure single sign-on between Azure Active Directory and MaxxPoint.
Previously updated : 02/21/2019 Last updated : 07/09/2022
-# Tutorial: Azure Active Directory integration with MaxxPoint
+# Tutorial: Azure AD SSO integration with MaxxPoint
-In this tutorial, you learn how to integrate MaxxPoint with Azure Active Directory (Azure AD).
-Integrating MaxxPoint with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate MaxxPoint with Azure Active Directory (Azure AD). When you integrate MaxxPoint with Azure AD, you can:
-* You can control in Azure AD who has access to MaxxPoint.
-* You can enable your users to be automatically signed-in to MaxxPoint (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to MaxxPoint.
+* Enable your users to be automatically signed-in to MaxxPoint with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with MaxxPoint, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* MaxxPoint single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* MaxxPoint single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* MaxxPoint supports **SP** and **IDP** initiated SSO
+* MaxxPoint supports **SP** and **IDP** initiated SSO.
-## Adding MaxxPoint from the gallery
+## Add MaxxPoint from the gallery
To configure the integration of MaxxPoint into Azure AD, you need to add MaxxPoint from the gallery to your list of managed SaaS apps.
-**To add MaxxPoint from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **MaxxPoint**, select **MaxxPoint** from result panel then click **Add** button to add the application.
-
- ![MaxxPoint in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **MaxxPoint** in the search box.
+1. Select **MaxxPoint** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with MaxxPoint based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in MaxxPoint needs to be established.
+## Configure and test Azure AD SSO for MaxxPoint
-To configure and test Azure AD single sign-on with MaxxPoint, you need to complete the following building blocks:
+Configure and test Azure AD SSO with MaxxPoint using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in MaxxPoint.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure MaxxPoint Single Sign-On](#configure-maxxpoint-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create MaxxPoint test user](#create-maxxpoint-test-user)** - to have a counterpart of Britta Simon in MaxxPoint that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with MaxxPoint, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure MaxxPoint SSO](#configure-maxxpoint-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create MaxxPoint test user](#create-maxxpoint-test-user)** - to have a counterpart of B.Simon in MaxxPoint that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with MaxxPoint, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **MaxxPoint** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **MaxxPoint** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, the user does not have to perform any step as the app is already pre-integrated with Azure.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-
-4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, the user does not have to perform any step as the app is already pre-integrated with Azure.
-
- ![Screenshot shows Basic SAML Configuration.](common/preintegrated.png)
-
-5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
-
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
In the **Sign on URL** text box, type a URL using the following pattern: `https://maxxpoint.westipc.com/default/sso/login/entity/<customer-id>-azure`
To configure Azure AD single sign-on with MaxxPoint, perform the following steps
>[!NOTE] >This is not the real value. Update the value with the actual Sign on URL. Call MaxxPoint team on 888-728-0950 to get this value.
-6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/metadataxml.png)
-
-7. On the **Set up MaxxPoint** section, copy the appropriate URL(s) as per your requirement.
-
- ![Copy configuration URLs](common/copy-configuration-urls.png)
-
- a. Login URL
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
- b. Azure AD Identifier
+ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
- c. Logout URL
+1. On the **Set up MaxxPoint** section, copy the appropriate URL(s) as per your requirement.
-### Configure MaxxPoint Single Sign-On
-
-To get SSO configured for your application, call MaxxPoint support team on **888-728-0950** and they'll assist you further on how to provide them the downloaded **Federation Metadata XML** file.
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Metadata")
### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to MaxxPoint.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to MaxxPoint.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **MaxxPoint**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **MaxxPoint**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure MaxxPoint SSO
-2. In the applications list, select **MaxxPoint**.
-
- ![The MaxxPoint link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
+To get SSO configured for your application, call MaxxPoint support team on **888-728-0950** and they'll assist you further on how to provide them the downloaded **Federation Metadata XML** file.
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create MaxxPoint test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon in MaxxPoint. Please call MaxxPoint support team on **888-728-0950** to add the users in the MaxxPoint application.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create MaxxPoint test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you create a user called Britta Simon in MaxxPoint. Please call MaxxPoint support team on **888-728-0950** to add the users in the MaxxPoint application.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to MaxxPoint Sign-on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to MaxxPoint Sign-on URL directly and initiate the login flow from there.
-When you click the MaxxPoint tile in the Access Panel, you should be automatically signed in to the MaxxPoint for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the MaxxPoint for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the MaxxPoint tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the MaxxPoint for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure MaxxPoint you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
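Review bot: The re-added "Create MaxxPoint test user" section still says "you create a user called Britta Simon in MaxxPoint", but every other section in this change renames the test user to B.Simon, including the step list entry "to have a counterpart of B.Simon in MaxxPoint". Change it to B.Simon so the app-side account matches the Azure AD user that gets assigned. The "Set up MaxxPoint" step also loses its Login URL, Azure AD Identifier and Logout URL sub-items, so "copy the appropriate URL(s)" no longer names which values to copy. Either keep the three labels or say where the values are used.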
active-directory Mindflash Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/mindflash-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Mindflash | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Mindflash'
description: Learn how to configure single sign-on between Azure Active Directory and Mindflash.
Previously updated : 02/25/2019 Last updated : 07/09/2022
-# Tutorial: Azure Active Directory integration with Mindflash
+# Tutorial: Azure AD SSO integration with Mindflash
-In this tutorial, you learn how to integrate Mindflash with Azure Active Directory (Azure AD).
-Integrating Mindflash with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Mindflash with Azure Active Directory (Azure AD). When you integrate Mindflash with Azure AD, you can:
-* You can control in Azure AD who has access to Mindflash.
-* You can enable your users to be automatically signed-in to Mindflash (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Mindflash.
+* Enable your users to be automatically signed-in to Mindflash with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Mindflash, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Mindflash single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Mindflash single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Mindflash supports **SP** initiated SSO
+* Mindflash supports **SP** initiated SSO.
-## Adding Mindflash from the gallery
+## Add Mindflash from the gallery
To configure the integration of Mindflash into Azure AD, you need to add Mindflash from the gallery to your list of managed SaaS apps.
-**To add Mindflash from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Mindflash**, select **Mindflash** from result panel then click **Add** button to add the application.
-
- ![Mindflash in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Mindflash** in the search box.
+1. Select **Mindflash** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with Mindflash based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Mindflash needs to be established.
+## Configure and test Azure AD SSO for Mindflash
-To configure and test Azure AD single sign-on with Mindflash, you need to complete the following building blocks:
+Configure and test Azure AD SSO with Mindflash using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Mindflash.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Mindflash Single Sign-On](#configure-mindflash-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Mindflash test user](#create-mindflash-test-user)** - to have a counterpart of Britta Simon in Mindflash that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with Mindflash, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Mindflash SSO](#configure-mindflash-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Mindflash test user](#create-mindflash-test-user)** - to have a counterpart of B.Simon in Mindflash that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with Mindflash, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Mindflash** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **Mindflash** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. On the **Basic SAML Configuration** section, perform the following steps:
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-
-4. On the **Basic SAML Configuration** section, perform the following steps:
-
- ![Mindflash Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
`https://<companyname>.mindflash.com`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
`https://<companyname>.mindflash.com` > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Mindflash Client support team](https://www.mindflash.com/contact/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-
-5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/metadataxml.png)
-
-6. On the **Set up Mindflash** section, copy the appropriate URL(s) as per your requirement.
-
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [Mindflash Client support team](https://www.mindflash.com/contact/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
- a. Login URL
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
- b. Azure Ad Identifier
+ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
- c. Logout URL
+1. On the **Set up Mindflash** section, copy the appropriate URL(s) as per your requirement.
-### Configure Mindflash Single Sign-On
-
-To configure single sign-on on **Mindflash** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Mindflash support team](https://www.mindflash.com/contact/). They set this setting to have the SAML SSO connection set properly on both sides.
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Metadata")
### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Mindflash.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Mindflash.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Mindflash**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Mindflash**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Mindflash SSO
-2. In the applications list, select **Mindflash**.
-
- ![The Mindflash link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Mindflash** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Mindflash support team](https://www.mindflash.com/contact/). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Mindflash test user
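Review bot: the step "On the **Set up Mindflash** section, copy the appropriate URL(s) as per your requirement" no longer says which URLs are meant, because the removed sub-items `a. Login URL`, `b. Azure Ad Identifier` and `c. Logout URL` were not carried over. The "Configure Mindflash SSO" paragraph still asks the admin to send the "appropriate copied URLs" to Mindflash support, so the three values should be listed again under that step. A smaller point: the page name is written "Set up single sign-on with SAML" in the Basic SAML Configuration step and "Set up Single Sign-On with SAML" in the certificate step; use one casing.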
In order to enable Azure AD users to log into Mindflash, they must be provisione
1. Go to **Manage Users**.
- ![Manage Users](./media/mindflash-tutorial/ic787140.png "Manage Users")
+ ![Screenshot shows the Manage Users of account.](./media/mindflash-tutorial/account.png "Manage Users")
1. Click the **Add Users**, and then click **New**. 1. In the **Add New Users** section, perform the following steps of a valid Azure AD account you want to provision:
- ![Add New Users](./media/mindflash-tutorial/ic787141.png "Add New Users")
+ ![Screenshot shows to Add New Users of the account.](./media/mindflash-tutorial/user.png "Add New Users")
a. In the **First name** textbox, type **First name** of the user as **Britta**.
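Review bot: the unchanged step "a. In the **First name** textbox, type **First name** of the user as **Britta**" still uses the old test user, while the overview list added earlier in this change describes this section as creating "a counterpart of B.Simon in Mindflash". Since this hunk already touches the section for the screenshots, rename the user here too, so that the Mindflash account matches the Azure AD test user it is meant to be linked to. The new alt text "Screenshot shows to Add New Users of the account." is also not grammatical; "Screenshot shows the Add New Users section." would read better.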
In order to enable Azure AD users to log into Mindflash, they must be provisione
>You can use any other Mindflash user account creation tools or APIs provided by Mindflash to provision Azure AD user accounts. >
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Mindflash tile in the Access Panel, you should be automatically signed in to the Mindflash for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Click on **Test this application** in Azure portal. This will redirect to Mindflash Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Mindflash Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Mindflash tile in the My Apps, this will redirect to Mindflash Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Mindflash you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
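Review bot: in the added "Next steps" paragraph, "protects exfiltration and infiltration" says the reverse of what is meant, and "organizationΓÇÖs" carries a mis-encoded apostrophe; suggest "protects against exfiltration and infiltration of your organization's sensitive data". In "Test SSO", "with following options" needs an article ("with the following options"), and "the Mindflash tile in the My Apps" should be "in My Apps".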
active-directory Moxiengage Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/moxiengage-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Moxi Engage | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Moxi Engage'
description: Learn how to configure single sign-on between Azure Active Directory and Moxi Engage.
Previously updated : 02/25/2019 Last updated : 07/09/2022
-# Tutorial: Azure Active Directory integration with Moxi Engage
+# Tutorial: Azure AD SSO integration with Moxi Engage
-In this tutorial, you learn how to integrate Moxi Engage with Azure Active Directory (Azure AD).
-Integrating Moxi Engage with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Moxi Engage with Azure Active Directory (Azure AD). When you integrate Moxi Engage with Azure AD, you can:
-* You can control in Azure AD who has access to Moxi Engage.
-* You can enable your users to be automatically signed-in to Moxi Engage (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Moxi Engage.
+* Enable your users to be automatically signed-in to Moxi Engage with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Moxi Engage, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Moxi Engage single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Moxi Engage single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Moxi Engage supports **SP** initiated SSO
-
-## Adding Moxi Engage from the gallery
-
-To configure the integration of Moxi Engage into Azure AD, you need to add Moxi Engage from the gallery to your list of managed SaaS apps.
-
-**To add Moxi Engage from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
+* Moxi Engage supports **SP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-4. In the search box, type **Moxi Engage**, select **Moxi Engage** from result panel then click **Add** button to add the application.
+## Add Moxi Engage from the gallery
- ![Moxi Engage in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Moxi Engage based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Moxi Engage needs to be established.
-
-To configure and test Azure AD single sign-on with Moxi Engage, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Moxi Engage Single Sign-On](#configure-moxi-engage-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Moxi Engage test user](#create-moxi-engage-test-user)** - to have a counterpart of Britta Simon in Moxi Engage that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+To configure the integration of Moxi Engage into Azure AD, you need to add Moxi Engage from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Moxi Engage** in the search box.
+1. Select **Moxi Engage** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with Moxi Engage, perform the following steps:
+## Configure and test Azure AD SSO for Moxi Engage
-1. In the [Azure portal](https://portal.azure.com/), on the **Moxi Engage** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with Moxi Engage using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Moxi Engage.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with Moxi Engage, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Moxi Engage SSO](#configure-moxi-engage-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Moxi Engage test user](#create-moxi-engage-test-user)** - to have a counterpart of B.Simon in Moxi Engage that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+## Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+1. In the Azure portal, on the **Moxi Engage** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
- ![Moxi Engage Domain and URLs single sign-on information](common/sp-signonurl.png)
+1. On the **Basic SAML Configuration** section, perform the following step:
In the **Sign-on URL** text box, type a URL using the following pattern: `https://svc.<moxiworks-integration-domain>/service/v1/auth/inbound/saml/aad`
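Review bot: in Prerequisites, the added bullet "Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD." sits in a list introduced by "you need the following items" but does not say what the reader needs. State the requirement directly, for example "An account with the Cloud Application Administrator or Application Administrator role", so that the roles sufficient for this task are clear and nobody reaches for a broader one. The follow-up line is labelled "Azure built-in roles" while the two roles it refers to are Azure AD roles, so the link text should say so.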
To configure Azure AD single sign-on with Moxi Engage, perform the following ste
> [!NOTE] > The value is not real. Update the value with the actual Sign-On URL. Contact [Moxi Engage Client support team](mailto:support@moxiworks.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/metadataxml.png)
-
-6. On the **Set up Moxi Engage** section, copy the appropriate URL(s) as per your requirement.
-
- ![Copy configuration URLs](common/copy-configuration-urls.png)
-
- a. Login URL
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
- b. Azure AD Identifier
+ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
- c. Logout URL
+1. On the **Set up Moxi Engage** section, copy the appropriate URL(s) as per your requirement.
-### Configure Moxi Engage Single Sign-On
-
-To configure single sign-on on **Moxi Engage** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Moxi Engage support team](mailto:support@moxiworks.com). They set this setting to have the SAML SSO connection set properly on both sides.
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Metadata")
### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Moxi Engage.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Moxi Engage.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Moxi Engage**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Moxi Engage**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Moxi Engage SSO
-2. In the applications list, select **Moxi Engage**.
-
- ![The Moxi Engage link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog, select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog, click the **Assign** button.
+To configure single sign-on on **Moxi Engage** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Moxi Engage support team](mailto:support@moxiworks.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Moxi Engage test user In this section, you create a user called Britta Simon in Moxi Engage. Work with [Moxi Engage support team](mailto:support@moxiworks.com) to add the users in the Moxi Engage platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Moxi Engage tile in the Access Panel, you should be automatically signed in to the Moxi Engage for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Click on **Test this application** in Azure portal. This will redirect to Moxi Engage Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Moxi Engage Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Moxi Engage tile in the My Apps, this will redirect to Moxi Engage Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Moxi Engage you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
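Review bot: in "Assign the Azure AD test user", the role step now reads "If you are expecting a role to be assigned to the users", where the removed text said "If you are expecting any role value in the SAML assertion". The new wording no longer tells the admin that the role selected here is what the application receives in the assertion; keep that connection, for example "If Moxi Engage expects a role value in the SAML assertion, select it from the **Select a role** dropdown". The context line "In this section, you create a user called Britta Simon in Moxi Engage" was also left on the old test user name while the rest of the article moved to B.Simon.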
active-directory Oracle Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/oracle-cloud-tutorial.md
Previously updated : 01/28/2022 Last updated : 07/14/2022
Follow these steps to enable Azure AD SSO in the Azure portal.
> If the **Identifier** and **Reply URL** values do not get auto populated, then fill in the values manually according to your requirement. In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://console.<REGIONNAME>.oraclecloud.com/`
+ `https://cloud.oracle.com/?region=<REGIONNAME>`
> [!NOTE] > The value is not real. Update the value with the actual Sign-On URL. Contact [Oracle Cloud Infrastructure Console Client support team](https://www.oracle.com/support/advanced-customer-services/cloud/) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
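Review bot: the Sign-on URL pattern changes host as well as shape, from `https://console.<REGIONNAME>.oraclecloud.com/` to `https://cloud.oracle.com/?region=<REGIONNAME>`, but the article gives no guidance for tenants already configured with the old pattern. Add a sentence saying whether existing configurations must be updated, and confirm that the **Identifier** and **Reply URL** values mentioned in the note above this step still correspond to the new sign-on host.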
active-directory Patentsquare Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/patentsquare-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with PatentSQUARE | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with PatentSQUARE'
description: Learn how to configure single sign-on between Azure Active Directory and PatentSQUARE.
Previously updated : 03/14/2019 Last updated : 07/09/2022
-# Tutorial: Azure Active Directory integration with PatentSQUARE
+# Tutorial: Azure AD SSO integration with PatentSQUARE
-In this tutorial, you learn how to integrate PatentSQUARE with Azure Active Directory (Azure AD).
-Integrating PatentSQUARE with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate PatentSQUARE with Azure Active Directory (Azure AD). When you integrate PatentSQUARE with Azure AD, you can:
-* You can control in Azure AD who has access to PatentSQUARE.
-* You can enable your users to be automatically signed-in to PatentSQUARE (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to PatentSQUARE.
+* Enable your users to be automatically signed-in to PatentSQUARE with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with PatentSQUARE, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* PatentSQUARE single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* PatentSQUARE single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* PatentSQUARE supports **SP** initiated SSO
+* PatentSQUARE supports **SP** initiated SSO.
-## Adding PatentSQUARE from the gallery
+## Add PatentSQUARE from the gallery
To configure the integration of PatentSQUARE into Azure AD, you need to add PatentSQUARE from the gallery to your list of managed SaaS apps.
-**To add PatentSQUARE from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **PatentSQUARE**, select **PatentSQUARE** from result panel then click **Add** button to add the application.
-
- ![PatentSQUARE in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with PatentSQUARE based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in PatentSQUARE needs to be established.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **PatentSQUARE** in the search box.
+1. Select **PatentSQUARE** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure and test Azure AD single sign-on with PatentSQUARE, you need to complete the following building blocks:
+## Configure and test Azure AD SSO for PatentSQUARE
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure PatentSQUARE Single Sign-On](#configure-patentsquare-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create PatentSQUARE test user](#create-patentsquare-test-user)** - to have a counterpart of Britta Simon in PatentSQUARE that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+Configure and test Azure AD SSO with PatentSQUARE using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in PatentSQUARE.
-### Configure Azure AD single sign-on
+To configure and test Azure AD SSO with PatentSQUARE, perform the following steps:
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure PatentSQUARE SSO](#configure-patentsquare-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create PatentSQUARE test user](#create-patentsquare-test-user)** - to have a counterpart of B.Simon in PatentSQUARE that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-To configure Azure AD single sign-on with PatentSQUARE, perform the following steps:
+## Configure Azure AD SSO
-1. In the [Azure portal](https://portal.azure.com/), on the **PatentSQUARE** application integration page, select **Single sign-on**.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Configure single sign-on link](common/select-sso.png)
+1. In the Azure portal, on the **PatentSQUARE** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
- ![Single sign-on select mode](common/select-saml-option.png)
+1. On the **Basic SAML Configuration** section, perform the following steps:
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-
-4. On the **Basic SAML Configuration** section, perform the following steps:
-
- ![PatentSQUARE Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<companysubdomain>.pat-dss.com:443/patlics/secure/aad`
-
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
`https://<companysubdomain>.pat-dss.com:443/patlics`
+
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<companysubdomain>.pat-dss.com:443/patlics/secure/aad`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [PatentSQUARE Client support team](https://www.panasonic.com/jp/business/its/patentsquare.html) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-
-4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/metadataxml.png)
-
-5. On the **Set up PatentSQUARE** section, copy the appropriate URL(s) as per your requirement.
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [PatentSQUARE Client support team](https://www.panasonic.com/jp/business/its/patentsquare.html) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
- a. Login URL
+ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
- b. Azure AD Identifier
+1. On the **Set up PatentSQUARE** section, copy the appropriate URL(s) as per your requirement.
- c. Logout URL
-
-### Configure PatentSQUARE Single Sign-On
-
-To configure single sign-on on **PatentSQUARE** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [PatentSQUARE support team](https://www.panasonic.com/jp/business/its/patentsquare.html). They set this setting to have the SAML SSO connection set properly on both sides.
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Metadata")
### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
+In this section, you'll create a test user in the Azure portal called B.Simon.
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to PatentSQUARE.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **PatentSQUARE**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **PatentSQUARE**.
-
- ![The PatentSQUARE link in the Applications list](common/all-applications.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to PatentSQUARE.
-3. In the menu on the left, select **Users and groups**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **PatentSQUARE**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The "Users and groups" link](common/users-groups-blade.png)
+## Configure PatentSQUARE SSO
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **PatentSQUARE** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [PatentSQUARE support team](https://www.panasonic.com/jp/business/its/patentsquare.html). They set this setting to have the SAML SSO connection set properly on both sides.
### Create PatentSQUARE test user In this section, you create a user called Britta Simon in PatentSQUARE. Work with [PatentSQUARE support team](https://www.panasonic.com/jp/business/its/patentsquare.html) to add the users in the PatentSQUARE platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the PatentSQUARE tile in the Access Panel, you should be automatically signed in to the PatentSQUARE for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Click on **Test this application** in Azure portal. This will redirect to PatentSQUARE Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to PatentSQUARE Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the PatentSQUARE tile in the My Apps, this will redirect to PatentSQUARE Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure PatentSQUARE you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
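Review bot: The unchanged context line under `### Create PatentSQUARE test user` still says "you create a user called Britta Simon in PatentSQUARE", while every added line in this rewrite uses B.Simon, including the step-list entry that describes that section as creating "a counterpart of B.Simon". Rename the user in that paragraph as well, so the Azure AD test user and its PatentSQUARE counterpart carry the same name. In the added Next steps sentence, "protects exfiltration and infiltration" is missing a preposition and reads as if session control protects the exfiltration; "protects against" would fix it.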
active-directory Planview Id Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/planview-id-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with Planview ID'
+description: Learn how to configure single sign-on between Azure Active Directory and Planview ID.
++++++++ Last updated : 07/11/2022++++
+# Tutorial: Azure AD SSO integration with Planview ID
+
+In this tutorial, you'll learn how to integrate Planview ID with Azure Active Directory (Azure AD). When you integrate Planview ID with Azure AD, you can:
+
+* Control in Azure AD who has access to Planview ID.
+* Enable your users to be automatically signed-in to Planview ID with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Planview ID single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Planview ID supports **SP** and **IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add Planview ID from the gallery
+
+To configure the integration of Planview ID into Azure AD, you need to add Planview ID from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Planview ID** in the search box.
+1. Select **Planview ID** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Planview ID
+
+Configure and test Azure AD SSO with Planview ID using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Planview ID.
+
+To configure and test Azure AD SSO with Planview ID, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Planview ID SSO](#configure-planview-id-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Planview ID test user](#create-planview-id-test-user)** - to have a counterpart of B.Simon in Planview ID that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Planview ID** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, perform the following step:
+
+ In the **Reply URL** textbox, type a URL using the following pattern:
+ `https://<Region>.id.planview.com/api/loginsso/callback`
+
+1. Click **Set additional URLs** and perform the following step, if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<Region>.id.planview.com`
+
+ > [!Note]
+ > These values are not real. Update these values with the actual Reply URL and Sign on URL. Contact [Planview ID support team](mailto:jordan.nguyen@planview.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+ ![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate")
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Planview ID.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Planview ID**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Planview ID SSO
+
+To configure single sign-on on **Planview ID** side, you need to send the **App Federation Metadata Url** to [Planview ID support team](mailto:jordan.nguyen@planview.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Planview ID test user
+
+In this section, you create a user called Britta Simon in Planview ID. Work with [Planview ID support team](mailto:jordan.nguyen@planview.com) to add the users in the Planview ID platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Planview ID Sign-on URL where you can initiate the login flow.
+
+* Go to Planview ID Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Planview ID for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Planview ID tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Planview ID for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Planview ID you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
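Review bot: The three links labelled "Planview ID support team" (in the Basic SAML Configuration note, in Configure Planview ID SSO, and in Create Planview ID test user) all point at `mailto:jordan.nguyen@planview.com`, a named individual's mailbox, and the Configure Planview ID SSO step tells customers to send their App Federation Metadata Url there. A personal address goes stale when that person changes role, and it routes tenant federation details to one person's inbox rather than a monitored queue; use a shared support alias or a support portal URL supplied by Planview instead. Separately, Create Planview ID test user says "Britta Simon" where the rest of the new file uses B.Simon.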
active-directory Risecom Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/risecom-tutorial.md
Previously updated : 06/24/2022 Last updated : 07/14/2022
Follow these steps to enable Azure AD SSO in the Azure portal.
![Screenshot shows the image of attributes.](common/default-attributes.png "Attributes")
-1. In addition to above, Rise.com application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+1. The Rise.com application expects the default attributes to be replaced with the specific attributes as shown below. These attributes are also pre populated but you can review them as per your requirements.
| Name | Source Attribute| | | |
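Review bot: The added step says the default attributes are "to be replaced with the specific attributes as shown below", but the sentence after it was carried over unchanged: "These attributes are also pre populated but you can review them as per your requirements." The word "also" referred to the removed "In addition to above", and a reader can no longer tell whether the replacement has already been made by the gallery app or has to be done by hand. State which it is, drop "also", and hyphenate "pre-populated".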
active-directory Sap Hana Cloud Platform Identity Authentication Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with SAP Cloud Platform Identity Authentication | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and SAP Cloud Platform Identity Authentication.
+ Title: 'Tutorial: Azure Active Directory integration with SAP Cloud Identity Services | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and SAP Cloud Identity Services.
Previously updated : 09/01/2021 Last updated : 07/14/2022
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with SAP Cloud Platform Identity Authentication
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with SAP Cloud Identity Services
-In this tutorial, you'll learn how to integrate SAP Cloud Platform Identity Authentication with Azure Active Directory (Azure AD). When you integrate SAP Cloud Platform Identity Authentication with Azure AD, you can:
+In this tutorial, you'll learn how to integrate SAP Cloud Identity Services with Azure Active Directory (Azure AD). When you integrate SAP Cloud Identity Services with Azure AD, you can:
-* Control in Azure AD who has access to SAP Cloud Platform Identity Authentication.
-* Enable your users to be automatically signed-in to SAP Cloud Platform Identity Authentication with their Azure AD accounts.
+* Control in Azure AD who has access to SAP Cloud Identity Services.
+* Enable your users to be automatically signed-in to SAP Cloud Identity Services with their Azure AD accounts.
* Manage your accounts in one central location - the Azure portal. ## Prerequisites
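Review bot: Every occurrence of "SAP Cloud Platform Identity Authentication" in the title, description, H1 and introduction is replaced, and nothing in these lines tells the reader that SAP Cloud Identity Services is the product previously documented here under the old name. The article path in the commit link above still ends in `sap-hana-cloud-platform-identity-authentication-tutorial.md`, so people arriving from existing links or searching for the old name will not find it on the page. Add one sentence in the introduction giving the previous name.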
In this tutorial, you'll learn how to integrate SAP Cloud Platform Identity Auth
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* SAP Cloud Platform Identity Authentication single sign-on (SSO) enabled subscription.
+* SAP Cloud Identity Services single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* SAP Cloud Platform Identity Authentication supports **SP** and **IDP** initiated SSO.
-* SAP Cloud Platform Identity Authentication supports [Automated user provisioning](sap-cloud-platform-identity-authentication-provisioning-tutorial.md).
+* SAP Cloud Identity Services supports **SP** and **IDP** initiated SSO.
+* SAP Cloud Identity Services supports [Automated user provisioning](sap-cloud-platform-identity-authentication-provisioning-tutorial.md).
-Before you dive into the technical details, it's vital to understand the concepts you're going to look at. The SAP Cloud Platform Identity Authentication and Active Directory Federation Services enable you to implement SSO across applications or services that are protected by Azure AD (as an IdP) with SAP applications and services that are protected by SAP Cloud Platform Identity Authentication.
+Before you dive into the technical details, it's vital to understand the concepts you're going to look at. The SAP Cloud Identity Services and Active Directory Federation Services enable you to implement SSO across applications or services that are protected by Azure AD (as an IdP) with SAP applications and services that are protected by SAP Cloud Identity Services.
-Currently, SAP Cloud Platform Identity Authentication acts as a Proxy Identity Provider to SAP applications. Azure Active Directory in turn acts as the leading Identity Provider in this setup.
+Currently, SAP Cloud Identity Services acts as a Proxy Identity Provider to SAP applications. Azure Active Directory in turn acts as the leading Identity Provider in this setup.
The following diagram illustrates this relationship: ![Creating an Azure AD test user](./media/sap-hana-cloud-platform-identity-authentication-tutorial/architecture-01.png)
-With this setup, your SAP Cloud Platform Identity Authentication tenant is configured as a trusted application in Azure Active Directory.
+With this setup, your SAP Cloud Identity Services tenant is configured as a trusted application in Azure Active Directory.
-All SAP applications and services that you want to protect this way are subsequently configured in the SAP Cloud Platform Identity Authentication management console.
+All SAP applications and services that you want to protect this way are subsequently configured in the SAP Cloud Identity Services management console.
-Therefore, the authorization for granting access to SAP applications and services needs to take place in SAP Cloud Platform Identity Authentication (as opposed to Azure Active Directory).
+Therefore, the authorization for granting access to SAP applications and services needs to take place in SAP Cloud Identity Services (as opposed to Azure Active Directory).
-By configuring SAP Cloud Platform Identity Authentication as an application through the Azure Active Directory Marketplace, you don't need to configure individual claims or SAML assertions.
+By configuring SAP Cloud Identity Services as an application through the Azure Active Directory Marketplace, you don't need to configure individual claims or SAML assertions.
> [!NOTE] > Currently only Web SSO has been tested by both parties. The flows that are necessary for App-to-API or API-to-API communication should work but have not been tested yet. They will be tested during subsequent activities.
-## Adding SAP Cloud Platform Identity Authentication from the gallery
+## Adding SAP Cloud Identity Services from the gallery
-To configure the integration of SAP Cloud Platform Identity Authentication into Azure AD, you need to add SAP Cloud Platform Identity Authentication from the gallery to your list of managed SaaS apps.
+To configure the integration of SAP Cloud Identity Services into Azure AD, you need to add SAP Cloud Identity Services from the gallery to your list of managed SaaS apps.
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **SAP Cloud Platform Identity Authentication** in the search box.
-1. Select **SAP Cloud Platform Identity Authentication** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. In the **Add from the gallery** section, type **SAP Cloud Identity Services** in the search box.
+1. Select **SAP Cloud Identity Services** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO for SAP Cloud Platform Identity Authentication
+## Configure and test Azure AD SSO for SAP Cloud Identity Services
-Configure and test Azure AD SSO with SAP Cloud Platform Identity Authentication using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SAP Cloud Platform Identity Authentication.
+Configure and test Azure AD SSO with SAP Cloud Identity Services using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SAP Cloud Identity Services.
-To configure and test Azure AD SSO with SAP Cloud Platform Identity Authentication, perform the following steps:
+To configure and test Azure AD SSO with SAP Cloud Identity Services, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure SAP Cloud Platform Identity Authentication SSO](#configure-sap-cloud-platform-identity-authentication-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create SAP Cloud Platform Identity Authentication test user](#create-sap-cloud-platform-identity-authentication-test-user)** - to have a counterpart of B.Simon in SAP Cloud Platform Identity Authentication that is linked to the Azure AD representation of user.
+1. **[Configure SAP Cloud Identity Services SSO](#configure-sap-cloud-identity-services-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SAP Cloud Identity Services test user](#create-sap-cloud-identity-services-test-user)** - to have a counterpart of B.Simon in SAP Cloud Identity Services that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **SAP Cloud Platform Identity Authentication** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **SAP Cloud Identity Services** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
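Review bot: The step list now links to `#configure-sap-cloud-identity-services-sso` and `#create-sap-cloud-identity-services-test-user`, but the two headings those anchors resolve to are not among the lines shown in this hunk. Confirm that both headings are renamed in the same commit, otherwise these in-page links break. The renamed heading "## Adding SAP Cloud Identity Services from the gallery" also changes its own anchor, so check for inbound links that still use the old one.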
Follow these steps to enable Azure AD SSO in the Azure portal.
`https://<IAS-tenant-id>.accounts.ondemand.com/saml2/idp/acs/<IAS-tenant-id>.accounts.ondemand.com` > [!NOTE]
- > These values are not real. Update these values with the actual Identifier and Reply URL. Contact the [SAP Cloud Platform Identity Authentication Client support team](https://cloudplatform.sap.com/capabilities/security/trustcenter.html) to get these values. If you don't understand Identifier value, read the SAP Cloud Platform Identity Authentication documentation about [Tenant SAML 2.0 configuration](https://help.hana.ondemand.com/cloud_identity/frameset.htm?e81a19b0067f4646982d7200a8dab3ca.html).
+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact the [SAP Cloud Identity Services Client support team](https://cloudplatform.sap.com/capabilities/security/trustcenter.html) to get these values. If you don't understand Identifier value, read the SAP Cloud Identity Services documentation about [Tenant SAML 2.0 configuration](https://help.hana.ondemand.com/cloud_identity/frameset.htm?e81a19b0067f4646982d7200a8dab3ca.html).
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP**-initiated mode:
- ![SAP Cloud Platform Identity Authentication Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png)
+ ![SAP Cloud Identity Services Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png)
In the **Sign-on URL** text box, type a value using the following pattern: `{YOUR BUSINESS APPLICATION URL}` > [!NOTE]
- > This value is not real. Update this value with the actual sign-on URL. Please use your specific business application Sign-on URL. Contact the [SAP Cloud Platform Identity Authentication Client support team](https://cloudplatform.sap.com/capabilities/security/trustcenter.html) if you have any doubt.
+ > This value is not real. Update this value with the actual sign-on URL. Please use your specific business application Sign-on URL. Contact the [SAP Cloud Identity Services Client support team](https://cloudplatform.sap.com/capabilities/security/trustcenter.html) if you have any doubt.
-1. SAP Cloud Platform Identity Authentication application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+1. SAP Cloud Identity Services application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
![image](common/default-attributes.png)
-1. In addition to above, SAP Cloud Platform Identity Authentication application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+1. In addition to above, SAP Cloud Identity Services application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.
| Name | Source Attribute| | | |
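Review bot: The two notes that tell the admin where to obtain the real Identifier, Reply URL and Sign-on URL change only the link text to "SAP Cloud Identity Services Client support team"; the targets (the cloudplatform.sap.com trust center page and the help.hana.ondemand.com "Tenant SAML 2.0 configuration" page) are carried over unchanged. Please confirm that both still resolve to the renamed product's pages, since these values decide where SAML responses are delivered. While these lines are open, "expects few more attributes" could read "expects a few more attributes" and "pre populated" could become "prepopulated".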
Follow these steps to enable Azure AD SSO in the Azure portal.
![The Certificate download link](common/metadataxml.png)
-9. On the **Set up SAP Cloud Platform Identity Authentication** section, copy the appropriate URL(s) as per your requirement.
+9. On the **Set up SAP Cloud Identity Services** section, copy the appropriate URL(s) as per your requirement.
![Copy configuration URLs](common/copy-configuration-urls.png)
In this section, you'll create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SAP Cloud Platform Identity Authentication.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SAP Cloud Identity Services.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **SAP Cloud Platform Identity Authentication**.
+1. In the applications list, select **SAP Cloud Identity Services**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure SAP Cloud Platform Identity Authentication SSO
+## Configure SAP Cloud Identity Services SSO
-1. To automate the configuration within SAP Cloud Platform Identity Authentication, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
+1. To automate the configuration within SAP Cloud Identity Services, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
![My apps extension](common/install-myappssecure-extension.png)
-2. After adding extension to the browser, click on **Set up SAP Cloud Platform Identity Authentication** will direct you to the SAP Cloud Platform Identity Authentication application. From there, provide the admin credentials to sign into SAP Cloud Platform Identity Authentication. The browser extension will automatically configure the application for you and automate steps 3-7.
+2. After adding extension to the browser, click on **Set up SAP Cloud Identity Services** will direct you to the SAP Cloud Identity Services application. From there, provide the admin credentials to sign into SAP Cloud Identity Services. The browser extension will automatically configure the application for you and automate steps 3-7.
![Setup configuration](common/setup-sso.png)
-3. If you want to setup SAP Cloud Platform Identity Authentication manually, in a different web browser window, go to the SAP Cloud Platform Identity Authentication administration console. The URL has the following pattern: `https://<tenant-id>.accounts.ondemand.com/admin`. Then read the documentation about SAP Cloud Platform Identity Authentication at [Integration with Microsoft Azure AD](https://developers.sap.com/tutorials/cp-ias-azure-ad.html).
+3. If you want to set up SAP Cloud Identity Services manually, in a different web browser window, go to the SAP Cloud Identity Services administration console. The URL has the following pattern: `https://<tenant-id>.accounts.ondemand.com/admin`. Then read the documentation about SAP Cloud Identity Services at [Integration with Microsoft Azure AD](https://developers.sap.com/tutorials/cp-ias-azure-ad.html).
2. In the Azure portal, select the **Save** button.
-3. Continue with the following only if you want to add and enable SSO for another SAP application. Repeat the steps under the section **Adding SAP Cloud Platform Identity Authentication from the gallery**.
+3. Continue with the following only if you want to add and enable SSO for another SAP application. Repeat the steps under the section **Adding SAP Cloud Identity Services from the gallery**.
-4. In the Azure portal, on the **SAP Cloud Platform Identity Authentication** application integration page, select **Linked Sign-on**.
+4. In the Azure portal, on the **SAP Cloud Identity Services** application integration page, select **Linked Sign-on**.
![Configure Linked Sign-On](./media/sap-hana-cloud-platform-identity-authentication-tutorial/linked-sign-on.png) 5. Save the configuration. > [!NOTE]
-> The new application leverages the single sign-on configuration of the previous SAP application. Make sure you use the same Corporate Identity Providers in the SAP Cloud Platform Identity Authentication administration console.
+> The new application leverages the single sign-on configuration of the previous SAP application. Make sure you use the same Corporate Identity Providers in the SAP Cloud Identity Services administration console.
-### Create SAP Cloud Platform Identity Authentication test user
+### Create SAP Cloud Identity Services test user
-You don't need to create a user in SAP Cloud Platform Identity Authentication. Users who are in the Azure AD user store can use the SSO functionality.
+You don't need to create a user in SAP Cloud Identity Services. Users who are in the Azure AD user store can use the SSO functionality.
-SAP Cloud Platform Identity Authentication supports the Identity Federation option. This option allows the application to check whether users who are authenticated by the corporate identity provider exist in the user store of SAP Cloud Platform Identity Authentication.
+SAP Cloud Identity Services supports the Identity Federation option. This option allows the application to check whether users who are authenticated by the corporate identity provider exist in the user store of SAP Cloud Identity Services.
-The Identity Federation option is disabled by default. If Identity Federation is enabled, only the users that are imported in SAP Cloud Platform Identity Authentication can access the application.
+The Identity Federation option is disabled by default. If Identity Federation is enabled, only the users that are imported in SAP Cloud Identity Services can access the application.
-For more information about how to enable or disable Identity Federation with SAP Cloud Platform Identity Authentication, see "Enable Identity Federation with SAP Cloud Platform Identity Authentication" in [Configure Identity Federation with the User Store of SAP Cloud Platform Identity Authentication](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/c029bbbaefbf4350af15115396ba14e2.html).
+For more information about how to enable or disable Identity Federation with SAP Cloud Identity Services, see "Enable Identity Federation with SAP Cloud Identity Services" in [Configure Identity Federation with the User Store of SAP Cloud Identity Services](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/c029bbbaefbf4350af15115396ba14e2.html).
> [!NOTE]
-> SAP Cloud Platform Identity Authentication also supports automatic user provisioning, you can find more details [here](./sap-cloud-platform-identity-authentication-provisioning-tutorial.md) on how to configure automatic user provisioning.
+> SAP Cloud Identity Services also supports automatic user provisioning, you can find more details [here](./sap-cloud-platform-identity-authentication-provisioning-tutorial.md) on how to configure automatic user provisioning.
## Test SSO
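Review bot: The Identity Federation paragraphs say the option is disabled by default and that, once enabled, only imported users can access the application, but they never state what the default means for access. Directly after "You don't need to create a user", the text should say explicitly that with the option disabled no check against the SAP user store is made, so who gets in is decided by the Azure AD assignment alone. In the provisioning note, the comma splice and the "[here]" link text are also carried over unchanged; a descriptive link title would read better, and the target still uses the old sap-cloud-platform-identity-authentication file name, which is fine only if that file is not being renamed.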
In this section, you test your Azure AD single sign-on configuration with follow
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to SAP Cloud Platform Identity Authentication Sign on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to SAP Cloud Identity Services Sign on URL where you can initiate the login flow.
-* Go to SAP Cloud Platform Identity Authentication Sign-on URL directly and initiate the login flow from there.
+* Go to SAP Cloud Identity Services Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the SAP Cloud Platform Identity Authentication for which you set up the SSO
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the SAP Cloud Identity Services for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the SAP Cloud Platform Identity Authentication tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SAP Cloud Platform Identity Authentication for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+You can also use Microsoft My Apps to test the application in any mode. When you click the SAP Cloud Identity Services tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SAP Cloud Identity Services for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
## Next steps
-Once you configure the SAP Cloud Platform Identity Authentication you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
+Once you configure the SAP Cloud Identity Services you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
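Review bot: In the "Next steps" line, the fix from "protects" to "protect" still leaves "protect exfiltration and infiltration of your organization's sensitive data", which reads as protecting the exfiltration itself; suggest "protect against exfiltration and infiltration". The apostrophe in "organization's" is a non-ASCII character that shows up as "ΓÇÖ" in this rendering, so a plain ASCII apostrophe would be safer. The IDP initiated bullet in the same hunk also still ends without a period after "set up the SSO".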
active-directory Seekout Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/seekout-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with SeekOut'
+description: Learn how to configure single sign-on between Azure Active Directory and SeekOut.
++++++++ Last updated : 07/11/2022++++
+# Tutorial: Azure AD SSO integration with SeekOut
+
+In this tutorial, you'll learn how to integrate SeekOut with Azure Active Directory (Azure AD). When you integrate SeekOut with Azure AD, you can:
+
+* Control in Azure AD who has access to SeekOut.
+* Enable your users to be automatically signed-in to SeekOut with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* SeekOut single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* SeekOut supports **SP** and **IDP** initiated SSO.
+* SeekOut supports **Just In Time** user provisioning.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add SeekOut from the gallery
+
+To configure the integration of SeekOut into Azure AD, you need to add SeekOut from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **SeekOut** in the search box.
+1. Select **SeekOut** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for SeekOut
+
+Configure and test Azure AD SSO with SeekOut using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SeekOut.
+
+To configure and test Azure AD SSO with SeekOut, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure SeekOut SSO](#configure-seekout-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SeekOut test user](#create-seekout-test-user)** - to have a counterpart of B.Simon in SeekOut that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **SeekOut** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, perform the following step:
+
+ In the **Reply URL** textbox, type a URL using the following pattern:
+ `https://app.seekout.io/api/auth/sso/<ID>`
+
+1. Click **Set additional URLs** and perform the following step, if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type the URL:
+ `https://app.seekout.io`
+
+ > [!Note]
+ > This value is not real. Update this value with the actual Reply URL. Contact [SeekOut support team](mailto:support@seekout.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
+
+1. On the **Set up SeekOut** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Attributes")
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SeekOut.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **SeekOut**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure SeekOut SSO
+
+To configure single sign-on on **SeekOut** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [SeekOut support team](mailto:support@seekout.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create SeekOut test user
+
+In this section, a user called B.Simon is created in SeekOut. SeekOut supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in SeekOut, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to SeekOut Sign-on URL where you can initiate the login flow.
+
+* Go to SeekOut Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the SeekOut for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the SeekOut tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SeekOut for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure SeekOut you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
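Review bot: In "Configure Azure AD SSO", the `[!Note]` that says "This value is not real. Update this value with the actual Reply URL" is placed under the Sign-on URL step, whose value `https://app.seekout.io` is given as a literal URL; it belongs directly under the Reply URL step, which is the one carrying the `<ID>` placeholder. The scenario note says the Identifier is a fixed string value, yet the Basic SAML Configuration steps never mention an Identifier field, so either state the value or say it is prefilled. The download step calls the Federation Metadata XML "the certificate", and "Next steps" names "Microsoft Cloud App Security" where the SAP Cloud Identity Services tutorial in this same update uses "Microsoft Defender for Cloud Apps". The step list also promises that "Create SeekOut test user" produces a counterpart of B.Simon, while that section says there is no action item because just-in-time provisioning is enabled by default; the list entry should say so.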
active-directory Sharevault Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sharevault-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with ShareVault | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with ShareVault'
description: Learn how to configure single sign-on between Azure Active Directory and ShareVault.
Previously updated : 08/20/2020 Last updated : 07/08/2022
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with ShareVault
+# Tutorial: Azure AD SSO integration with ShareVault
In this tutorial, you'll learn how to integrate ShareVault with Azure Active Directory (Azure AD). When you integrate ShareVault with Azure AD, you can:
In this tutorial, you'll learn how to integrate ShareVault with Azure Active Dir
* Enable your users to be automatically signed-in to ShareVault with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * ShareVault single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* ShareVault supports **SP and IDP** initiated SSO
-* ShareVault supports **Just In Time** user provisioning
-* Once you configure ShareVault you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).
+* ShareVault supports **SP and IDP** initiated SSO.
+* ShareVault supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding ShareVault from the gallery
+## Add ShareVault from the gallery
To configure the integration of ShareVault into Azure AD, you need to add ShareVault from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
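Review bot: The added prerequisite bullet "Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD" is a statement, not a requirement, under a heading that lists what the reader needs. Suggest naming the role the reader must hold, for example "One of the following roles: Cloud Application Administrator or Application Administrator", so that nobody reaches for a broader role than necessary. The "For more information" line starts at column 0 and so falls out of the bullet it continues; indent it to keep it in the list item.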
To configure the integration of ShareVault into Azure AD, you need to add ShareV
Configure and test Azure AD SSO with ShareVault using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ShareVault.
-To configure and test Azure AD SSO with ShareVault, complete the following building blocks:
+To configure and test Azure AD SSO with ShareVault, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with ShareVault, complete the following build
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **ShareVault** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **ShareVault** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. ShareVault application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![Screenshot shows the image of ShareVault application.](common/default-attributes.png "Attributes")
1. In addition to above, ShareVault application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
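Review bot: The new alt text "Screenshot shows the image of ShareVault application." does not describe common/default-attributes.png, which the preceding step introduces as the list of default attributes. Something like "Screenshot shows the list of default attributes." would match the "Attributes" title and actually help screen-reader users.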
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
- ![The Certificate download link](common/copy-metadataurl.png)
+ ![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate")
### Create an Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **ShareVault**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, a user called Britta Simon is created in ShareVault. ShareVault
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the ShareVault tile in the Access Panel, you should be automatically signed in to the ShareVault for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to ShareVault Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to ShareVault Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the ShareVault for which you set up the SSO.
-- [Try ShareVault with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the ShareVault tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ShareVault for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect ShareVault with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure ShareVault you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
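Review bot: The added "Next steps" paragraph names "Microsoft Cloud App Security", whereas the bullet removed from "Scenario description" earlier in this file already said "Microsoft Defender for Cloud Apps"; keep the current product name when moving the sentence. The link target also changes from /cloud-app-security/proxy-deployment-any-app to /cloud-app-security/proxy-deployment-aad, and the "What is conditional access" link is dropped with the "Additional resources" list even though the new paragraph still refers to Conditional Access; please confirm both are intended. The context line above "## Test SSO" still says "Britta Simon" while the rest of the tutorial uses B.Simon.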
active-directory Smartlpa Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/smartlpa-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with SmartLPA | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with SmartLPA'
description: Learn how to configure single sign-on between Azure Active Directory and SmartLPA.
Previously updated : 03/07/2019 Last updated : 07/09/2022
-# Tutorial: Azure Active Directory integration with SmartLPA
+# Tutorial: Azure AD SSO integration with SmartLPA
-In this tutorial, you learn how to integrate SmartLPA with Azure Active Directory (Azure AD).
-Integrating SmartLPA with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate SmartLPA with Azure Active Directory (Azure AD). When you integrate SmartLPA with Azure AD, you can:
-* You can control in Azure AD who has access to SmartLPA.
-* You can enable your users to be automatically signed-in to SmartLPA (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to SmartLPA.
+* Enable your users to be automatically signed-in to SmartLPA with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with SmartLPA, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* SmartLPA single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* SmartLPA single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* SmartLPA supports **SP** initiated SSO
+* SmartLPA supports **SP** initiated SSO.
-## Adding SmartLPA from the gallery
+## Add SmartLPA from the gallery
To configure the integration of SmartLPA into Azure AD, you need to add SmartLPA from the gallery to your list of managed SaaS apps.
-**To add SmartLPA from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **SmartLPA**, select **SmartLPA** from result panel then click **Add** button to add the application.
-
- ![SmartLPA in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with SmartLPA based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in SmartLPA needs to be established.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **SmartLPA** in the search box.
+1. Select **SmartLPA** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure and test Azure AD single sign-on with SmartLPA, you need to complete the following building blocks:
+## Configure and test Azure AD SSO for SmartLPA
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure SmartLPA Single Sign-On](#configure-smartlpa-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create SmartLPA test user](#create-smartlpa-test-user)** - to have a counterpart of Britta Simon in SmartLPA that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+Configure and test Azure AD SSO with SmartLPA using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SmartLPA.
-### Configure Azure AD single sign-on
+To configure and test Azure AD SSO with SmartLPA, perform the following steps:
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure SmartLPA SSO](#configure-smartlpa-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SmartLPA test user](#create-smartlpa-test-user)** - to have a counterpart of B.Simon in SmartLPA that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-To configure Azure AD single sign-on with SmartLPA, perform the following steps:
+## Configure Azure AD SSO
-1. In the [Azure portal](https://portal.azure.com/), on the **SmartLPA** application integration page, select **Single sign-on**.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Configure single sign-on link](common/select-sso.png)
+1. In the Azure portal, on the **SmartLPA** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
- ![Single sign-on select mode](common/select-saml-option.png)
+1. On the **Basic SAML Configuration** section, perform the following steps:
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-
-4. On the **Basic SAML Configuration** section, perform the following steps:
-
- ![SmartLPA Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<TENANTNAME>.smartlpa.com/`
-
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
`https://<TENANTNAME>.smartlpa.com/<UNIQUE ID>`
+
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<TENANTNAME>.smartlpa.com/`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [SmartLPA Client support team](mailto:support@smartlpa.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-
-5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/certificatebase64.png)
-
-6. On the **Set up SmartLPA** section, copy the appropriate URL(s) as per your requirement.
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [SmartLPA Client support team](mailto:support@smartlpa.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
- a. Login URL
+ ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate")
- b. Azure AD Identifier
+1. On the **Set up SmartLPA** section, copy the appropriate URL(s) as per your requirement.
- c. Logout URL
-
-### Configure SmartLPA Single Sign-On
-
-To configure single sign-on on **SmartLPA** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [SmartLPA support team](mailto:support@smartlpa.com). They set this setting to have the SAML SSO connection set properly on both sides.
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Metadata")
### Create an Azure AD test user
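Review bot: The rewritten step "On the **Set up SmartLPA** section, copy the appropriate URL(s) as per your requirement" no longer names the values to copy, because the removed sub-items (`Login URL`, `Azure AD Identifier`, `Logout URL`) were the only place they were listed. The later SmartLPA step asks the admin to send the "appropriate copied URLs" to the support team, so keep the three names in this step or state which of them SmartLPA needs. Separately, the certificate step here titles the page "Set up Single Sign-On with SAML" while the step added earlier in this change uses "Set up single sign-on with SAML"; pick one casing.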
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
+In this section, you'll create a test user in the Azure portal called B.Simon.
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to SmartLPA.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SmartLPA**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **SmartLPA**.
-
- ![The SmartLPA link in the Applications list](common/all-applications.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SmartLPA.
-3. In the menu on the left, select **Users and groups**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **SmartLPA**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The "Users and groups" link](common/users-groups-blade.png)
+## Configure SmartLPA SSO
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **SmartLPA** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [SmartLPA support team](mailto:support@smartlpa.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create SmartLPA test user In this section, you create a user called Britta Simon in SmartLPA. Work with [SmartLPA support team](mailto:support@smartlpa.com) to add the users in the SmartLPA platform. Users must be created and activated before you use single sign-on.
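Review bot: The unchanged "Create SmartLPA test user" text still reads "you create a user called Britta Simon in SmartLPA", while this change renames the test user to B.Simon everywhere else, including the step-list entry "to have a counterpart of B.Simon in SmartLPA". Update that sentence to B.Simon so the Azure AD side and the SmartLPA side of the tutorial refer to the same account.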
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the SmartLPA tile in the Access Panel, you should be automatically signed in to the SmartLPA for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Click on **Test this application** in Azure portal. This will redirect to SmartLPA Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to SmartLPA Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the SmartLPA tile in the My Apps, this will redirect to SmartLPA Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure SmartLPA you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
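Review bot: The link text in the added "Next steps" paragraph names the product "Microsoft Cloud App Security", but the Snowflake tutorial in this same batch labels the same target (`/cloud-app-security/proxy-deployment-aad`) "Microsoft Defender for Cloud Apps"; use one name across the tutorials. Two wording points in the added text: "with following options" under "Test SSO" is missing "the", and "protects exfiltration and infiltration" reads as if the feature protects the activity rather than protecting against it.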
active-directory Snowflake Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/snowflake-tutorial.md
Previously updated : 06/03/2022 Last updated : 07/14/2022 # Tutorial: Azure AD SSO integration with Snowflake
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Open the **downloaded Base 64 certificate** in notepad. Copy the value between ΓÇ£--BEGIN CERTIFICATE--ΓÇ¥ and ΓÇ£--END CERTIFICATE--" and paste this content into the **SAML2_X509_CERT**.
-1. In the **SAML2_ISSUER**, paste **Identifier** value which you have copied from the Azure portal.
+1. In the **SAML2_ISSUER**, paste **Identifier** value, which you have copied from the Azure portal.
-1. In the **SAML2_SSO_URL**, paste **Login URL** value which you have copied from the Azure portal.
+1. In the **SAML2_SSO_URL**, paste **Login URL** value, which you have copied from the Azure portal.
-1. In the **SAML2_PROVIDER**, give the value like `AzureAD`.
+1. In the **SAML2_PROVIDER**, give the value like `CUSTOM`.
1. Select the **All Queries** and click **Run**.
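Review bot: In the `SAML2_PROVIDER` step, "give the value like `CUSTOM`" keeps the "like" wording from the removed line, so the reader cannot tell whether `CUSTOM` is a required literal or only an example. If it is a fixed value, write "enter `CUSTOM`"; if other values are accepted, list them. The comma added before "which you have copied" in the `SAML2_ISSUER` and `SAML2_SSO_URL` steps is fine, but both sentences still lack an article ("paste the **Identifier** value").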
In this section, you test your Azure AD single sign-on configuration with follow
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to Snowflake Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Snowflake Sign on URL where you can initiate the login flow.
* Go to Snowflake Sign on URL directly and initiate the login flow from there.
You can also use Microsoft My Apps to test the application in any mode. When you
## Next steps
-Once you configure Snowflake you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
+Once you configure Snowflake you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
active-directory Stackby Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/stackby-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with Stackby'
+description: Learn how to configure single sign-on between Azure Active Directory and Stackby.
++++++++ Last updated : 07/11/2022++++
+# Tutorial: Azure AD SSO integration with Stackby
+
+In this tutorial, you'll learn how to integrate Stackby with Azure Active Directory (Azure AD). When you integrate Stackby with Azure AD, you can:
+
+* Control in Azure AD who has access to Stackby.
+* Enable your users to be automatically signed-in to Stackby with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Stackby single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Stackby supports **IDP** initiated SSO.
+* Stackby supports **Just In Time** user provisioning.
+
+## Add Stackby from the gallery
+
+To configure the integration of Stackby into Azure AD, you need to add Stackby from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Stackby** in the search box.
+1. Select **Stackby** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Stackby
+
+Configure and test Azure AD SSO with Stackby using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user at Stackby.
+
+To configure and test Azure AD SSO with Stackby, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Stackby SSO](#configure-stackby-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Stackby test user](#create-stackby-test-user)** - to have a counterpart of B.Simon in Stackby that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Stackby** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Screenshot shows to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, the application is pre-configured and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate")
+
+1. On the **Set up Stackby** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Screenshot shows to copy configuration appropriate URL.](common/copy-configuration-urls.png "Metadata")
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Stackby.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Stackby**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Stackby SSO
+
+To configure single sign-on on **Stackby** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Stackby support team](mailto:support@stackby.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Stackby test user
+
+In this section, a user called B.Simon is created in Stackby. Stackby supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Stackby, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on Test this application in Azure portal and you should be automatically signed in to the Stackby for which you set up the SSO.
+
+* You can use Microsoft My Apps. When you click the Stackby tile in the My Apps, you should be automatically signed in to the Stackby for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Stackby you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
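Review bot: The "Create Stackby test user" section says just-in-time provisioning is enabled by default and that "a new one is created after authentication", but it does not tie this back to the "Control in Azure AD who has access to Stackby" goal at the top of the page. With no manual account step on the Stackby side, anyone Azure AD lets through to the app gets a Stackby account, so the section should point back to "Assign the Azure AD test user" as the place where that access is granted. Smaller points: "Test this application" is not bolded in the first "Test SSO" bullet, "with following options" is missing "the", "the related user at Stackby" should read "in Stackby" to match the other tutorials, and the "Next steps" link text says "Microsoft Cloud App Security" where the Snowflake tutorial in this batch says "Microsoft Defender for Cloud Apps".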
active-directory Tivitz Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/tivitz-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with TiViTz | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with TiViTz'
description: Learn how to configure single sign-on between Azure Active Directory and TiViTz.
Previously updated : 03/27/2019 Last updated : 07/09/2022
-# Tutorial: Azure Active Directory integration with TiViTz
+# Tutorial: Azure AD SSO integration with TiViTz
-In this tutorial, you learn how to integrate TiViTz with Azure Active Directory (Azure AD).
-Integrating TiViTz with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate TiViTz with Azure Active Directory (Azure AD). When you integrate TiViTz with Azure AD, you can:
-* You can control in Azure AD who has access to TiViTz.
-* You can enable your users to be automatically signed-in to TiViTz (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to TiViTz.
+* Enable your users to be automatically signed-in to TiViTz with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with TiViTz, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* TiViTz single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* TiViTz single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* TiViTz supports **SP** initiated SSO
+* TiViTz supports **SP** initiated SSO.
-* TiViTz supports **Just In Time** user provisioning
+* TiViTz supports **Just In Time** user provisioning.
-## Adding TiViTz from the gallery
+## Add TiViTz from the gallery
To configure the integration of TiViTz into Azure AD, you need to add TiViTz from the gallery to your list of managed SaaS apps.
-**To add TiViTz from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **TiViTz**, select **TiViTz** from result panel then click **Add** button to add the application.
-
- ![TiViTz in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **TiViTz** in the search box.
+1. Select **TiViTz** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with TiViTz based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in TiViTz needs to be established.
+## Configure and test Azure AD SSO for TiViTz
-To configure and test Azure AD single sign-on with TiViTz, you need to complete the following building blocks:
+Configure and test Azure AD SSO with TiViTz using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TiViTz.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure TiViTz Single Sign-On](#configure-tivitz-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create TiViTz test user](#create-tivitz-test-user)** - to have a counterpart of Britta Simon in TiViTz that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with TiViTz, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure TiViTz SSO](#configure-tivitz-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create TiViTz test user](#create-tivitz-test-user)** - to have a counterpart of B.Simon in TiViTz that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with TiViTz, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **TiViTz** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **TiViTz** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. On the **Basic SAML Configuration** section, perform the following steps:
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-
-4. On the **Basic SAML Configuration** section, perform the following steps:
-
- ![TiViTz Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
`https://<companyname>.o365.tivitz.com/`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
`https://<companyname>.o365.tivitz.com/` > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [TiViTz Client support team](mailto:info@tivitz.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-
-5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/metadataxml.png)
-
-6. On the **Set up TiViTz** section, copy the appropriate URL(s) as per your requirement.
-
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [TiViTz Client support team](mailto:info@tivitz.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
- a. Login URL
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
- b. Azure AD Identifier
+ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
- c. Logout URL
+1. On the **Set up TiViTz** section, copy the appropriate URL(s) as per your requirement.
-### Configure TiViTz Single Sign-On
-
-To configure single sign-on on **TiViTz** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [TiViTz support team](mailto:info@tivitz.com). They set this setting to have the SAML SSO connection set properly on both sides.
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Metadata")
### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
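Review bot: In the new "Create an Azure AD test user" steps, "write down the value that's displayed in the **Password** box" leaves a working credential for B.Simon recorded outside the directory, with no follow-up step. Suggest adding a sentence that this account is for testing only and should be deleted, or have its password reset, once SSO is verified. Minor: "enter the username@companydomain.extension" reads better without "the".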
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to TiViTz.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to TiViTz.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **TiViTz**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **TiViTz**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure TiViTz SSO
-2. In the applications list, select **TiViTz**.
-
- ![The TiViTz link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **TiViTz** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [TiViTz support team](mailto:info@tivitz.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create TiViTz test user
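Review bot: The test user is renamed to B.Simon in the Azure AD steps ("select **B.Simon** from the Users list"), but the unchanged text of the "Create TiViTz test user" section still says "a user called Britta Simon is created in TiViTz". Update that sentence in the same change so the Azure AD user and its TiViTz counterpart carry the same name. The role step added here ("you can select it from the **Select a role** dropdown") is also worded differently from the same step in the UserEcho tutorial in this batch; pick one wording.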
In this section, a user called Britta Simon is created in TiViTz. TiViTz support
>[!NOTE] >If you need to create a user manually, you need to contact [TiViTz support team](mailto:info@tivitz.com).
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the TiViTz tile in the Access Panel, you should be automatically signed in to the TiViTz for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Click on **Test this application** in Azure portal. This will redirect to TiViTz Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to TiViTz Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the TiViTz tile in the My Apps, this will redirect to TiViTz Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure TiViTz you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
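Review bot: In the new "Next steps" paragraph, "organization's" was committed with a typographic apostrophe, which shows up as mojibake in this view; use a plain ASCII apostrophe. "protects exfiltration and infiltration of your organization's sensitive data" should read "protects against exfiltration and infiltration". Also confirm that the new relative link `../user-help/my-apps-portal-end-user-access.md` resolves, since it replaces an absolute support.microsoft.com URL. Small grammar fix: "with following options" needs "the".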
active-directory Userecho Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/userecho-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with UserEcho | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with UserEcho'
description: Learn how to configure single sign-on between Azure Active Directory and UserEcho.
Previously updated : 03/29/2019 Last updated : 07/09/2022
-# Tutorial: Azure Active Directory integration with UserEcho
+# Tutorial: Azure AD SSO integration with UserEcho
-In this tutorial, you learn how to integrate UserEcho with Azure Active Directory (Azure AD).
-Integrating UserEcho with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate UserEcho with Azure Active Directory (Azure AD). When you integrate UserEcho with Azure AD, you can:
-* You can control in Azure AD who has access to UserEcho.
-* You can enable your users to be automatically signed-in to UserEcho (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to UserEcho.
+* Enable your users to be automatically signed-in to UserEcho with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with UserEcho, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* UserEcho single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* UserEcho single sign-on enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
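Review bot: The added prerequisite "Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD" is phrased as a side remark, so a reader cannot tell which role the tutorial actually requires. State it as a requirement, for example "One of the following roles: Cloud Application Administrator or Application Administrator", so admins can pick a scoped role for this task. The "For more information" line appears unindented in this view; if that matches the source, indent it under the bullet so it does not start a new paragraph outside the list.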
-* UserEcho supports **SP** initiated SSO
+* UserEcho supports **SP** initiated SSO.
-## Adding UserEcho from the gallery
+## Add UserEcho from the gallery
To configure the integration of UserEcho into Azure AD, you need to add UserEcho from the gallery to your list of managed SaaS apps.
-**To add UserEcho from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **UserEcho**, select **UserEcho** from result panel then click **Add** button to add the application.
-
- ![UserEcho in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with UserEcho based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in UserEcho needs to be established.
-
-To configure and test Azure AD single sign-on with UserEcho, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **UserEcho** in the search box.
+1. Select **UserEcho** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure UserEcho Single Sign-On](#configure-userecho-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create UserEcho test user](#create-userecho-test-user)** - to have a counterpart of Britta Simon in UserEcho that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for UserEcho
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with UserEcho using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in UserEcho.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with UserEcho, perform the following steps:
-To configure Azure AD single sign-on with UserEcho, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure UserEcho SSO](#configure-userecho-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create UserEcho test user](#create-userecho-test-user)** - to have a counterpart of B.Simon in UserEcho that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **UserEcho** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **UserEcho** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. On the **Basic SAML Configuration** section, perform the following steps:
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://<companyname>.userecho.com/saml/metadata/`
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<companyname>.userecho.com/`
- ![UserEcho Domain and URLs single sign-on information](common/sp-identifier.png)
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [UserEcho Client support team](https://feedback.userecho.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<companyname>.userecho.com/`
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<companyname>.userecho.com/saml/metadata/`
+ ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate")
- > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [UserEcho Client support team](https://feedback.userecho.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+1. On the **Set up UserEcho** section, copy the appropriate URL(s) as per your requirement.
-4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Metadata")
- ![The Certificate download link](common/certificatebase64.png)
+### Create an Azure AD test user
-6. On the **Set up UserEcho** section, copy the appropriate URL(s) as per your requirement.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- a. Login URL
+### Assign the Azure AD test user
- b. Azure AD Identifier
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to UserEcho.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **UserEcho**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure UserEcho Single Sign-On
+## Configure UserEcho SSO
1. In another browser window, sign on to your UserEcho company site as an administrator. 2. In the toolbar on the top, click your user name to expand the menu, and then click **Setup**.
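Review bot: The same portal page is named two ways in the new "Configure Azure AD SSO" steps: "**Set up single sign-on with SAML**" in the pencil-icon step and "**Set up Single Sign-On with SAML**" in the certificate step. Use one casing, matching the portal label. In the certificate step, "from the given options as per your requirement" can go, since the step already names **Certificate (Base64)** as the file to download.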
- ![Screenshot shows Setup selected from the UserEcho site.](./media/userecho-tutorial/tutorial_userecho_06.png)
+ ![Screenshot shows Setup selected from the UserEcho site.](./media/userecho-tutorial/profile.png "Site")
3. Click **Integrations**.
- ![Screenshot shows Integrations selected from the Settings menu.](./media/userecho-tutorial/tutorial_userecho_07.png)
+ ![Screenshot shows Integrations selected from the Settings menu.](./media/userecho-tutorial/menu.png "Integrations")
4. Click **Website**, and then click **Single sign-on (SAML2)**.
- ![Screenshot shows Single sign-on SAML2 selected from the Integrations menu.](./media/userecho-tutorial/tutorial_userecho_08.png)
+ ![Screenshot shows Single sign-on SAML2 selected from the Integrations menu.](./media/userecho-tutorial/website.png "Folder")
5. On the **Single sign-on (SAML)** page, perform the following steps:
- ![Screenshot shows the Single Sign-on SAML page where you can enter the values described.](./media/userecho-tutorial/tutorial_userecho_09.png)
+ ![Screenshot shows the Single Sign-on SAML page where you can enter the values described.](./media/userecho-tutorial/values.png "Details")
a. As **SAML-enabled**, select **Yes**.
To configure Azure AD single sign-on with UserEcho, perform the following steps:
e. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type brittasimon@yourcompanydomain.extension. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to UserEcho.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **UserEcho**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **UserEcho**.
-
- ![The UserEcho link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create UserEcho test user The objective of this section is to create a user called Britta Simon in UserEcho.
The objective of this section is to create a user called Britta Simon in UserEch
2. In the toolbar on the top, click your user name to expand the menu, and then click **Setup**.
- ![Screenshot shows Setup selected from the UserEcho site.](./media/userecho-tutorial/tutorial_userecho_06.png)
+ ![Screenshot shows Setup selected from the UserEcho site.](./media/userecho-tutorial/profile.png "Site")
3. Click **Users**, to expand the **Users** section.
- ![Screenshot shows Users selected from the Settings menu.](./media/userecho-tutorial/tutorial_userecho_10.png)
+ ![Screenshot shows Users selected from the Settings menu.](./media/userecho-tutorial/user.png "Settings")
4. Click **Users**.
- ![Screenshot shows Users selected.](./media/userecho-tutorial/tutorial_userecho_11.png)
+ ![Screenshot shows Users selected button.](./media/userecho-tutorial/new-user.png "Users")
5. Click **Invite a new user**.
- ![Screenshot shows the Invite a new user control.](./media/userecho-tutorial/tutorial_userecho_12.png)
+ ![Screenshot shows the Invite a new user control.](./media/userecho-tutorial/control.png "Information")
6. On the **Invite a new user** dialog, perform the following steps:
- ![Screenshot shows the Invite a new user dialog box where you can enter user information.](./media/userecho-tutorial/tutorial_userecho_13.png)
+ ![Screenshot shows the Invite a new user dialog box where you can enter user information.](./media/userecho-tutorial/name.png "Steps")
a. In the **Name** textbox, type name of the user like Britta Simon.
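Review bot: The renamed image `new-user.png` is attached to step 4, "Click **Users**", while step 5, "Click **Invite a new user**", gets `control.png`; check that the files were not swapped during the rename. The alt text "Screenshot shows Users selected button." also lost its meaning compared with the old "Screenshot shows Users selected." The unchanged step "type name of the user like Britta Simon" should follow the rename to B.Simon used in the rest of this tutorial.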
The objective of this section is to create a user called Britta Simon in UserEch
c. Click **Invite**.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the UserEcho tile in the Access Panel, you should be automatically signed in to the UserEcho for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* Click on **Test this application** in Azure portal. This will redirect to UserEcho Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to UserEcho Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the UserEcho tile in the My Apps, this will redirect to UserEcho Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure UserEcho you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
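Review bot: The new "Next steps" text says session control "extends from Conditional Access", yet this hunk deletes the only link to the Conditional Access overview (`../conditional-access/overview.md`). Keep that link inline so the reader can follow the reference. In the third bullet, "the My Apps" reads better as "My Apps".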
active-directory Visitorg Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/visitorg-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Visit.org | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Visit.org'
description: Learn how to configure single sign-on between Azure Active Directory and Visit.org.
Previously updated : 10/16/2019 Last updated : 07/09/2022
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Visit.org
+# Tutorial: Azure AD SSO integration with Visit.org
In this tutorial, you'll learn how to integrate Visit.org with Azure Active Directory (Azure AD). When you integrate Visit.org with Azure AD, you can:
In this tutorial, you'll learn how to integrate Visit.org with Azure Active Dire
* Enable your users to be automatically signed-in to Visit.org with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * Visit.org single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Visit.org supports **IDP** initiated SSO
+* Visit.org supports **IDP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Visit.org from the gallery
+## Add Visit.org from the gallery
To configure the integration of Visit.org into Azure AD, you need to add Visit.org from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Visit.org** in the search box. 1. Select **Visit.org** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Visit.org
+## Configure and test Azure AD SSO for Visit.org
Configure and test Azure AD SSO with Visit.org using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Visit.org.
-To configure and test Azure AD SSO with Visit.org, complete the following building blocks:
+To configure and test Azure AD SSO with Visit.org, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Visit.org SSO](#configure-visitorg-sso)** - to configure the single sign-on settings on application side.
- * **[Create Visit.org test user](#create-visitorg-test-user)** - to have a counterpart of B.Simon in Visit.org that is linked to the Azure AD representation of user.
+ 1. **[Create Visit.org test user](#create-visitorg-test-user)** - to have a counterpart of B.Simon in Visit.org that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Visit.org** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Visit.org** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
1. On the **Basic SAML Configuration** section, the application is pre-configured and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button. 1. Visit.org application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
- ![image](common/default-attributes.png)
+ ![Screenshot shows the image of attributes configuration.](common/default-attributes.png "Attributes")
1. In addition to above, Visit.org application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
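Review bot: The new alt text "Screenshot shows the image of attributes configuration." describes the file rather than its content; say what the screenshot contains, for example "Screenshot shows the list of default attributes.", which is how the preceding step already describes it. The same applies to "Screenshot shows to edit Basic S A M L Configuration." a few lines up, which is missing "how".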
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Raw)** and select **Download** to download the certificate and save it on your computer.
- ![The Certificate download link](common/certificateraw.png)
+ ![Screenshot shows the Certificate download link.](common/certificateraw.png "Certificate")
1. On the **Set up Visit.org** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Metadata")
### Create an Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Visit.org**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, you create a user called B.Simon in Visit.org. Work with [Visi
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Visit.org tile in the Access Panel, you should be automatically signed in to the Visit.org for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Visit.org for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Visit.org tile in the My Apps, you should be automatically signed in to the Visit.org for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Visit.org with Azure AD](https://aad.portal.azure.com/)
+Once you configure Visit.org you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
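Review bot: In the added **Next steps** paragraph, "session control, which protects exfiltration and infiltration of your organization's sensitive data" reads as if session control protects the exfiltration itself; "protects against exfiltration and infiltration" is what is meant. The apostrophe in "organization's" is mis-encoded in that line and should be checked in the source file. The rewrite also drops the Conditional Access overview link from the removed **Additional resources** list while the new text says session control "extends from Conditional Access"; linking it there would keep the reference. Minor wording: "with following options" needs "the", and the new alt text "Screenshot shows to edit Basic S A M L Configuration." would read better as "Screenshot shows how to edit ...".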
active-directory Workable Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/workable-tutorial.md
Title: 'Tutorial: Azure Active Directory integration with Workable | Microsoft Docs'
+ Title: 'Tutorial: Azure AD SSO integration with Workable'
description: Learn how to configure single sign-on between Azure Active Directory and Workable.
Previously updated : 08/09/2021 Last updated : 07/14/2022
-# Tutorial: Azure Active Directory integration with Workable
+# Tutorial: Azure AD SSO integration with Workable
In this tutorial, you'll learn how to integrate Workable with Azure Active Directory (Azure AD). When you integrate Workable with Azure AD, you can:
Follow these steps to enable Azure AD SSO in the Azure portal.
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following step: In the **Reply URL** text box, type a URL using the following pattern:
- `https://www.workable.com/auth/saml/<SUBDOMAIN>/callback`
+ `https://id.workable.com/auth/saml/ats_server/<SUBDOMAIN>/callback`
5. Click **set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type the URL:
- `https://www.workable.com/sso/signin`
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.workable.com/signin`
> [!NOTE]
- > The Reply URL value is not real. Update Reply URL value with the actual Reply URL. Contact [Workable Client support team](mailto:support@workable.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Reply URL and Sign on URL. Contact [Workable Client support team](mailto:support@workable.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
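Review bot: The Reply URL pattern in step 4 moves to a different host and path (`https://id.workable.com/auth/saml/ats_server/<SUBDOMAIN>/callback`), but nothing tells tenants already configured with the old `https://www.workable.com/auth/saml/<SUBDOMAIN>/callback` value whether they must update it. Because the Reply URL is where Azure AD delivers the SAML response, a one-line statement about existing configurations belongs next to the new pattern. The updated note also writes "Sign on URL" while step 5 uses "Sign-on URL"; keep one spelling.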
active-directory Verifiable Credentials Configure Issuer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-configure-issuer.md
In this step, you create the verified credential expert card by using Azure AD V
"required": false } ]
+ },
+ "validityInterval": 2592000,
+ "vc": {
+ "type": [
+ "VerifiedCredentialExpert"
+ ]
} } ```
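Review bot: The added `"validityInterval": 2592000` carries no unit anywhere in the visible text. If the value is in seconds (2592000 s is 30 days), say so beside the sample, so that readers choosing a credential lifetime do not have to guess and do not copy a 30-day validity without noticing it.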
aks Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/integrations.md
Azure Kubernetes Service (AKS) provides additional, supported functionality for
## Add-ons
-Add-ons provide extra capabilities for your AKS cluster and their installation and configuration is managed by Azure. Use `az aks addon` to manage all add-ons for your cluster.
+Add-ons are a fully-supported way to provide extra capabilities for your AKS cluster. Add-ons' installation, configuration, and lifecycle is managed by AKS. Use `az aks addon` to install an add-on or manage the add-ons for your cluster.
+
+The following rules are used by AKS for applying updates to installed add-ons:
+
+- Only an add-on's patch version can be upgraded within a Kubernetes minor version. The add-on's major/minor version will not be upgraded within the same Kubernetes minor version.
+- The major/minor version of the add-on will only be upgraded when moving to a later Kubernetes minor version.
+- Any breaking or behavior changes to the add-on will be announced well before, usually 60 days, a later minor version of Kubernetes is released on AKS.
+- Add-ons can be patched weekly with every new release of AKS which will be announced in the release notes. AKS releases can be controlled using [maintenance windows][maintenance-windows] and followed using [release tracker][release-tracker].
The below table shows the available add-ons.
The below table shows a few examples of open-source and third-party integrations
[gitops-overview]: ../azure-arc/kubernetes/conceptual-gitops-flux2.md [managed-grafana]: ../managed-grafan [keda]: keda-about.md
-[web-app-routing]: web-app-routing.md
+[web-app-routing]: web-app-routing.md
+[maintenance-windows]: planned-maintenance.md
+[release-tracker]: release-tracker.md
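Review bot: The third bullet of the new update rules, "will be announced well before, usually 60 days, a later minor version of Kubernetes is released on AKS", is hard to parse; suggest "will be announced, usually 60 days in advance, before a later Kubernetes minor version is released on AKS". In the rewritten intro, "installation, configuration, and lifecycle is managed" should be "are managed". The last bullet says add-ons can be patched weekly, which changes what runs in the cluster without a Kubernetes upgrade; state plainly whether a configured maintenance window also gates these add-on patches, since "AKS releases can be controlled using maintenance windows" only implies it.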
aks Support Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/support-policies.md
Microsoft manages and monitors the following components through the control pane
* Etcd or a compatible key-value store, providing Quality of Service (QoS), scalability, and runtime * DNS services (for example, kube-dns or CoreDNS) * Kubernetes proxy or networking (except when [BYOCNI](use-byo-cni.md) is used)
-* Any additional addon or system component running in the kube-system namespace
+* Any additional [add-ons][add-ons] or system component running in the kube-system namespace
AKS isn't a Platform-as-a-Service (PaaS) solution. Some components, such as agent nodes, have *shared responsibility*, where users must help maintain the AKS cluster. User input is required, for example, to apply an agent node operating system (OS) security patch.
When a technical support issue is root-caused by one or more upstream bugs, AKS
* The issue, including links to upstream bugs. * The workaround and details about an upgrade or another persistence of the solution. * Rough timelines for the issue's inclusion, based on the upstream release cadence.++
+[add-ons]: integrations.md#add-ons
application-gateway Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/features.md
The application gateway Standard_v2 SKU supports static VIP type exclusively. Th
## Web Application Firewall
-Web Application Firewall (WAF) is a service that provides centralized protection of your web applications from common exploits and vulnerabilities. WAF is based on rules from the [OWASP (Open Web Application Security Project) core rule sets](https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project) 3.1 (WAF_v2 only), 3.0, and 2.2.9.
+Web Application Firewall (WAF) is a service that provides centralized protection of your web applications from common exploits and vulnerabilities. WAF is based on rules from the [OWASP (Open Web Application Security Project) core rule sets](https://owasp.org/www-project-modsecurity-core-rule-set/) 3.1 (WAF_v2 only), 3.0, and 2.2.9.
Web applications are increasingly targets of malicious attacks that exploit common known vulnerabilities. Common among these exploits are SQL injection attacks, cross site scripting attacks to name a few. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching and monitoring at many layers of the application topology. A centralized web application firewall helps make security management much simpler and gives better assurance to application administrators against threats or intrusions. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location versus securing each of individual web applications. Existing application gateways can be converted to a Web Application Firewall enabled application gateway easily.
For an Application Gateway v1-v2 feature comparison, see [What is Azure Applicat
## Next steps -- Learn how Application Gateway works - [How an application gateway works](how-application-gateway-works.md)
+- Learn [how an application gateway works](how-application-gateway-works.md)
application-gateway Redirect Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/redirect-overview.md
A common redirection scenario for many web applications is to support automatic
A redirect type sets the response status code for the clients to understand the purpose of the redirect. The following types of redirection are supported: - 301 (Moved permanently): Indicates that the target resource has been assigned a new permanent URI. Any future references to this resource will use one of the enclosed URIs. Use 301 status code for HTTP to HTTPS redirection.-- 303 (Permanent redirect): Indicates that the target resource has been assigned a new permanent URI. Any future references to this resource should use one of the enclosed URIs. - 302 (Found): Indicates that the target resource is temporarily under a different URI. Since the redirection can change on occasion, the client should continue to use the effective request URI for future requests.
+- 303 (See Other): Indicates that the target resource is redirecting the user agent to a different resource, as indicated by a URI in the Location header field.
- 307 (Temporary redirect): Indicates that the target resource is temporarily under a different URI. The user agent MUST NOT change the request method if it does an automatic redirection to that URI. Since the redirection can change over time, the client ought to continue using the original effective request URI for future requests. ## Redirection capabilities
applied-ai-services Compose Custom Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/compose-custom-models.md
Use the programming language code of your choice to create a composed model that
* [**C#/.NET**](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/Sample_ModelCompose.md).
-* [**Java**](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/src/samples/java/com/azure/ai/formrecognizer/administration/CreateComposedModel.java).
+* [**Java**](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/src/samples/java/com/azure/ai/formrecognizer/administration/ComposeModel.java).
* [**JavaScript**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/formrecognizer/ai-form-recognizer/samples/v3/javascript/createComposedModel.js).
-* [**Python**](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2-beta/sample_create_composed_model.py)
+* [**Python**](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2-beta/sample_compose_model.py)
Learn more about the Form Recognizer client library by exploring our API referen
> [!div class="nextstepaction"] > [Form Recognizer API reference](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)
->
+>
applied-ai-services Concept Custom Neural https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-custom-neural.md
Tabular fields are also useful when extracting repeating information within a do
## Supported regions
-Starting on August 1st 2022, Form Recognizer custom neural model training will only be available in the following Azure regions until further notice:
+Starting August 01, 2022, Form Recognizer custom neural model training will only be available in the following Azure regions until further notice:
* Brazil South * Canada Central
applied-ai-services Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/service-limits.md
Last updated 06/06/2022
-# Form Recognizer service Quotas and Limits
+# Form Recognizer service quotas and limits
This article contains a quick reference and the **detailed description** of Azure Form Recognizer service Quotas and Limits for all [pricing tiers](https://azure.microsoft.com/pricing/details/form-recognizer/). It also contains some best practices to avoid request throttling.
automation Add User Assigned Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/add-user-assigned-identity.md
If you don't have an Azure subscription, create a [free account](https://azure.m
- An Azure resource that you want to access from your Automation runbook. This resource needs to have a role defined for the user-assigned managed identity, which helps the Automation runbook authenticate access to the resource. To add roles, you need to be an owner for the resource in the corresponding Azure AD tenant. -- To add the user assigned managed identity you must have the ```Microsoft.ManagedIdentity/userAssignedIdentities/*/read``` and ```Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action``` permissions over the user assigned managed identity, which are granted to [Managed Identity Operator](/azure/role-based-access-control/built-in-roles.md#managed-identity-operator) and [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles.md#managed-identity-contributor)--- To assign an Azure role to the managed identity, you must have ```Microsoft.Authorization/roleAssignments/write``` permission, which is granted either to [User Access Administrator](/azure/role-based-access-control/built-in-roles.md#user-access-administrator) or [Owner](/azure/role-based-access-control/built-in-roles.md#owner)
+- To assign an Azure role, you must have ```Microsoft.Authorization/roleAssignments/write``` permissions, such as [User Access Administrator](/azure/role-based-access-control/built-in-roles.md#user-access-administrator) or [Owner](/azure/role-based-access-control/built-in-roles.md.md#owner).
## Add user-assigned managed identity for Azure Automation account
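Review bot: The added Owner link points to `/azure/role-based-access-control/built-in-roles.md.md#owner`; the doubled `.md` will break it. The hunk also removes the prerequisite that listed `Microsoft.ManagedIdentity/userAssignedIdentities/*/read` and `Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action` (Managed Identity Operator, Managed Identity Contributor). If those permissions are still required to attach the identity, keep that bullet, because the remaining one covers only role assignment. In the new bullet, "permissions, such as User Access Administrator or Owner" presents roles as permissions; "which is granted by roles such as ..." is clearer.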
automation Manage Run As Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/manage-run-as-account.md
+
+ Title: Manage an Azure Automation Run As account
+description: This article tells how to manage your Azure Automation Run As account with PowerShell or from the Azure portal.
++ Last updated : 08/02/2021++++
+# Manage an Azure Automation Run As account
+
+Run As accounts in Azure Automation provide authentication for managing resources on the Azure Resource Manager or Azure Classic deployment model using Automation runbooks and other Automation features.
+
+In this article we cover how to manage a Run as or Classic Run As account, including:
+
+ * How to renew a self-signed certificate
+ * How to renew a certificate from an enterprise or third-party certificate authority (CA)
+ * Manage permissions for the Run As account
+
+To learn more about Azure Automation account authentication, permissions required to manage the Run as account, and guidance related to process automation scenarios, see [Automation Account authentication overview](automation-security-overview.md).
+
+## <a name="cert-renewal"></a>Renew a self-signed certificate
+
+The self-signed certificate that you have created for the Run As account expires one year from the date of creation. At some point before your Run As account expires, you must renew the certificate. You can renew it any time before it expires.
+
+When you renew the self-signed certificate, the current valid certificate is retained to ensure that any runbooks that are queued up or actively running, and that authenticate with the Run As account, aren't negatively affected. The certificate remains valid until its expiration date.
+
+>[!NOTE]
+>If you think that the Run As account has been compromised, you can delete and re-create the self-signed certificate.
+
+>[!NOTE]
+>If you have configured your Run As account to use a certificate issued by your enterprise or third-party CA and you use the option to renew a self-signed certificate option, the enterprise certificate is replaced by a self-signed certificate. To renew your certificate in this case, see [Renew an enterprise or third-party certificate](#renew-an-enterprise-or-third-party-certificate).
+
+Use the following steps to renew the self-signed certificate.
+
+1. Sign-in to the [Azure portal](https://portal.azure.com).
+
+1. Go to your Automation account and select **Run As Accounts** in the account settings section.
+
+ :::image type="content" source="media/manage-run-as-account/automation-account-properties-pane.png" alt-text="Automation account properties pane.":::
+
+1. On the **Run As Accounts** properties page, select either **Run As Account** or **Classic Run As Account** depending on which account you need to renew the certificate for.
+
+1. On the **Properties** page for the selected account, select **Renew certificate**.
+
+ :::image type="content" source="media/manage-run-as-account/automation-account-renew-run-as-certificate.png" alt-text="Renew certificate for Run As account.":::
+
+1. While the certificate is being renewed, you can track the progress under **Notifications** from the menu.
+
+## Renew an enterprise or third-party certificate
+
+Every certificate has a built-in expiration date. If the certificate you assigned to the Run As account was issued by a certification authority (CA), you need to perform a different set of steps to configure the Run As account with the new certificate before it expires. You can renew it any time before it expires.
+
+1. Import the renewed certificate following the steps for [Create a new certificate](./shared-resources/certificates.md#create-a-new-certificate). Automation requires the certificate to have the following configuration:
+
+ * Specify the provider **Microsoft Enhanced RSA and AES Cryptographic Provider**
+ * Marked as exportable
+ * Configured to use the SHA256 algorithm
+ * Saved in the `*.pfx` or `*.cer` format.
+
+ After you import the certificate, note or copy the certificate **Thumbprint** value. This value is used to update the Run As connection properties with the new certificate.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. Search for and select **Automation Accounts**.
+
+1. On the Automation Accounts page, select your Automation account from the list.
+
+1. In the left pane, select **Connections**.
+
+1. On the **Connections** page, select **AzureRunAsConnection** and update the **Certificate Thumbprint** with the new certificate thumbprint.
+
+1. Select **Save** to commit your changes.
+
+## Grant Run As account permissions in other subscriptions
+
+Azure Automation supports using a single Automation account from one subscription, and executing runbooks against Azure Resource Manager resources across multiple subscriptions. This configuration does not support the Azure Classic deployment model.
+
+You assign the Run As account service principal the [Contributor](../role-based-access-control/built-in-roles.md#contributor) role in the other subscription, or more restrictive permissions. For more information, see [Role-based access control](automation-role-based-access-control.md) in Azure Automation. To assign the Run As account to the role in the other subscription, the user account performing this task needs to be a member of the **Owner** role in that subscription.
+
+> [!NOTE]
+> This configuration only supports multiple subscriptions of an organization using a common Azure AD tenant.
+
+Before granting the Run As account permissions, you need to first note the display name of the service principal to assign.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. From your Automation account, select **Run As Accounts** under **Account Settings**.
+1. Select **Azure Run As Account**.
+1. Copy or note the value for **Display Name** on the **Azure Run As Account** page.
+
+For detailed steps for how to add role assignments, check out the following articles depending on the method you want to use.
+
+* [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md)
+* [Assign Azure roles using Azure PowerShell](../role-based-access-control/role-assignments-powershell.md)
+* [Assign Azure roles using the Azure CLI](../role-based-access-control/role-assignments-cli.md)
+* [Assign Azure roles using the REST API](..//role-based-access-control/role-assignments-rest.md)
+
+After assigning the Run As account to the role, in your runbook specify `Set-AzContext -SubscriptionId "xxxx-xxxx-xxxx-xxxx"` to set the subscription context to use. For more information, see [Set-AzContext](/powershell/module/az.accounts/set-azcontext).
+
+## Check role assignment for Azure Automation Run As account
+
+To check the role assigned to the Automation Run As account Azure AD, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. Go to your Automation account and in **Account Settings**, select **Run as accounts**.
+1. Select **Azure Run as Account** to view the **Application ID**.
+
+ :::image type="content" source="media/manage-run-as-account/automation-run-as-app-id.png" alt-text="Screenshot that describes on how to copy application ID.":::
+
+1. Go to Azure portal and search for **Azure Active Directory**.
+1. On the **Active Directory Overview** page, **Overview** tab, in the search box, enter the Application ID.
+
+ :::image type="content" source="media/manage-run-as-account/active-directory-app-id-inline.png" alt-text="Screenshot that describes application ID copied in the Overview tab." lightbox="media/manage-run-as-account/active-directory-app-id-expanded.png":::
+
+ In the **Enterprise applications** section, you will see the display name of your Run As Account.
+
+1. Select the application ID and in the properties page of that ID, go to **Overview** blade, **Properties**, and copy the name of the Enterprise application.
+1. Go to Azure portal and search for your **Subscription** and select your subscription.
+1. Go to **Access Control (IAM)**, **Role Assignment** and paste the name of the Enterprise application in the search box to view the App along with the role and scope assigned to it.
+For example: in the screenshot below, the Run As Account Azure AD App has the Contributor access at the subscription level.
+
+ :::image type="content" source="media/manage-run-as-account/check-role-assignments-inline.png" alt-text="Screenshot that describes how to view the role and scope assigned to the enterprise application." lightbox="media/manage-run-as-account/check-role-assignments-expanded.png":::
++
+## Limit Run As account permissions
+
+To control the targeting of Automation against resources in Azure, you can run the [Update-AutomationRunAsAccountRoleAssignments.ps1](https://aka.ms/AA5hug8) script. This script changes your existing Run As account service principal to create and use a custom role definition. The role has permissions for all resources except [Key Vault](../key-vault/index.yml).
+
+>[!IMPORTANT]
+>After you run the **Update-AutomationRunAsAccountRoleAssignments.ps1** script, runbooks that access Key Vault through the use of Run As accounts no longer work. Before running the script, you should review runbooks in your account for calls to Azure Key Vault. To enable access to Key Vault from Azure Automation runbooks, you must [add the Run As account to Key Vault's permissions](#add-permissions-to-key-vault).
+
+If you need to further restrict what the Run As service principal can do, you can add other resource types to the `NotActions` element of the custom role definition. The following example restricts access to `Microsoft.Compute/*`. If you add this resource type to `NotActions` for the role definition, the role will not be able to access any Compute resource. To learn more about role definitions, see [Understand role definitions for Azure resources](../role-based-access-control/role-definitions.md).
+
+```powershell
+$roleDefinition = Get-AzRoleDefinition -Name 'Automation RunAs Contributor'
+$roleDefinition.NotActions.Add("Microsoft.Compute/*")
+$roleDefinition | Set-AzRoleDefinition
+```
+
+You can determine if the service principal used by your Run As account assigned the **Contributor** role or a custom one.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Go to your Automation account and select **Run As Accounts** in the account settings section.
+1. Select **Azure Run As Account**.
+1. Select **Role** to locate the role definition that is being used.
++
+You can also determine the role definition used by the Run As accounts for multiple subscriptions or Automation accounts. Do this by using the [Check-AutomationRunAsAccountRoleAssignments.ps1](https://aka.ms/AA5hug5) script in the PowerShell Gallery.
+
+### Add permissions to Key Vault
+
+You can allow Azure Automation to verify if Key Vault and your Run As account service principal are using a custom role definition. You must:
+
+* Grant permissions to Key Vault.
+* Set the access policy.
+
+You can use the [Extend-AutomationRunAsAccountRoleAssignmentToKeyVault.ps1](https://aka.ms/AA5hugb) script in the PowerShell Gallery to grant your Run As account permissions to Key Vault. See [Assign a Key Vault access policy](../key-vault/general/assign-access-policy-powershell.md) for more details on setting permissions on Key Vault.
+
+## Resolve misconfiguration issues for Run As accounts
+
+Some configuration items necessary for a Run As or Classic Run As account might have been deleted or created improperly during initial setup. Possible instances of misconfiguration include:
+
+* Certificate asset
+* Connection asset
+* Run As account removed from the Contributor role
+* Service principal or application in Azure AD
+
+For such misconfiguration instances, the Automation account detects the changes and displays a status of *Incomplete* on the Run As Accounts properties pane for the account.
++
+When you select the Run As account, the account properties pane displays the following error message:
+
+```text
+The Run As account is incomplete. Either one of these was deleted or not created - Azure Active Directory Application, Service Principal, Role, Automation Certificate asset, Automation Connect asset - or the Thumbprint is not identical between Certificate and Connection. Please delete and then re-create the Run As Account.
+```
+
+You can quickly resolve these Run As account issues by [deleting](delete-run-as-account.md) and [re-creating](create-run-as-account.md) the Run As account.
+
+## Next steps
+
+* [Application Objects and Service Principal Objects](../active-directory/develop/app-objects-and-service-principals.md).
+* [Certificates overview for Azure Cloud Services](../cloud-services/cloud-services-certs-create.md).
+* To create or re-create a Run As account, see [Create a Run As account](create-run-as-account.md).
+* If you no longer need to use a Run As account, see [Delete a Run As account](delete-run-as-account.md).
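Review bot: In "Renew a self-signed certificate", the text says the current certificate is retained on renewal and "remains valid until its expiration date", while the compromise note that follows only says you "can delete and re-create" the certificate. State explicitly in that note that Renew does not invalidate the old certificate, so renewal alone is not a response to a suspected compromise. Smaller items in the same file: the second note has a duplicated word ("use the option to renew a self-signed certificate option"); step 1 of the renewal procedure says "Sign-in to" where the other procedures say "Sign in to"; the REST API link has a double slash (`..//role-based-access-control/role-assignments-rest.md`); and "You can determine if the service principal used by your Run As account assigned the **Contributor** role" is missing "is".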
azure-app-configuration Concept Config File https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/concept-config-file.md
az appconfig kv import --profile appconfig/kvset --name <your store name> --sour
``` > [!NOTE]
-> The KVSet file content profile is currently supported in Azure CLI only and requires CLI version 2.30.0 or later.
+> The KVSet file content profile is currently supported in
+> - Azure CLI version 2.30.0 or later
+> - [Azure App Configuration Push Task](./push-kv-devops-pipeline.md) version 3.3.0 or later
The following table shows all the imported data in your App Configuration store.
azure-arc Concepts Distributed Postgres Hyperscale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/concepts-distributed-postgres-hyperscale.md
The key concepts around Azure Arc-enabled PostgreSQL Hyperscale are summarized b
[!INCLUDE [azure-arc-data-preview](../../../includes/azure-arc-data-preview.md)] ## Nodes and tables
-It is important to know about the following concepts to benefit the most from Azure Arc-enabled Postgres Hyperscale:
+It is important to know about the following concepts to benefit the most from Azure Arc-enabled PostgreSQL Hyperscale:
- Specialized Postgres nodes in Azure Arc-enabled PostgreSQL Hyperscale: coordinator and workers - Types of tables: distributed tables, reference tables and local tables - Shards
See more information at [Nodes and tables in Azure Database for PostgreSQL ΓÇô H
## Determine the application type Clearly identifying the type of application you are building is important. Why? Because running efficient queries on a Azure Arc-enabled PostgreSQL Hyperscale server group requires that tables be properly distributed across servers.
-The recommended distribution varies by the type of application and its query patterns. There are broadly two kinds of applications that work well on Azure Arc-enabled Postgres Hyperscale:
+The recommended distribution varies by the type of application and its query patterns. There are broadly two kinds of applications that work well on Azure Arc-enabled PostgreSQL Hyperscale:
- Multi-Tenant Applications - Real-Time Applications
azure-arc Create Postgresql Hyperscale Server Group Azure Data Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/create-postgresql-hyperscale-server-group-azure-data-studio.md
In a few minutes, your creation should successfully complete.
### Important parameters you should consider: -- **the number of worker nodes** you want to deploy to scale out and potentially reach better performances. Before proceeding here, read the [concepts about Postgres Hyperscale](concepts-distributed-postgres-hyperscale.md). The table below indicates the range of supported values and what form of Postgres deployment you get with them. For example, if you want to deploy a server group with 2 worker nodes, indicate 2. This will create three pods, one for the coordinator node/instance and two for the worker nodes/instances (one for each of the workers).
+- **the number of worker nodes** you want to deploy to scale out and potentially reach better performances. Before proceeding here, read the [concepts about PostgreSQL Hyperscale](concepts-distributed-postgres-hyperscale.md). The table below indicates the range of supported values and what form of Postgres deployment you get with them. For example, if you want to deploy a server group with 2 worker nodes, indicate 2. This will create three pods, one for the coordinator node/instance and two for the worker nodes/instances (one for each of the workers).
|You need |Shape of the server group you will deploy |Number of worker nodes to indicate |Note | ||||| |A scaled out form of Postgres to satisfy the scalability needs of your applications. |3 or more Postgres instances, 1 is coordinator, n are workers with n >=2. |n, with n>=2. |The Citus extension that provides the Hyperscale capability is loaded. |
- |A basic form of Postgres Hyperscale for you to do functional validation of your application at minimum cost. Not valid for performance and scalability validation. For that you need to use the type of deployments described above. |1 Postgres instance that is both coordinator and worker. |0 and add Citus to the list of extensions to load. |The Citus extension that provides the Hyperscale capability is loaded. |
+ |A basic form of PostgreSQL Hyperscale for you to do functional validation of your application at minimum cost. Not valid for performance and scalability validation. For that you need to use the type of deployments described above. |1 Postgres instance that is both coordinator and worker. |0 and add Citus to the list of extensions to load. |The Citus extension that provides the Hyperscale capability is loaded. |
|A simple instance of Postgres that is ready to scale out when you need it. |1 Postgres instance. It is not yet aware of the semantic for coordinator and worker. To scale it out after deployment, edit the configuration, increase the number of worker nodes and distribute the data. |0 |The Citus extension that provides the Hyperscale capability is present on your deployment but is not yet loaded. | | | | | | This table is demonstrated in the following figure:
- :::image type="content" source="media/postgres-hyperscale/deployment-parameters.png" alt-text="Diagram that depicts Postgres Hyperscale worker node parameters and associated architecture." border="false":::
+ :::image type="content" source="media/postgres-hyperscale/deployment-parameters.png" alt-text="Diagram that depicts PostgreSQL Hyperscale worker node parameters and associated architecture." border="false":::
While indicating 1 worker works, we do not recommend you use it. This deployment will not provide you much value. With it, you will get 2 instances of Postgres: 1 coordinator and 1 worker. With this setup you actually do not scale out the data since you deploy a single worker. As such you will not see an increased level of performance and scalability. We will remove the support of this deployment in a future release.
In a few minutes, your creation should successfully complete.
## Next steps - [Manage your server group using Azure Data Studio](manage-postgresql-hyperscale-server-group-with-azure-data-studio.md) - [Monitor your server group](monitor-grafana-kibana.md)-- Read the concepts and How-to guides of Azure Database for PostgreSQL Hyperscale to distribute your data across multiple PostgreSQL Hyperscale nodes and to benefit from all the power of Azure Database for Postgres Hyperscale. :
+- Read the concepts and How-to guides of Azure Database for PostgreSQL Hyperscale to distribute your data across multiple PostgreSQL Hyperscale nodes and to benefit from all the power of Azure Database for PostgreSQL Hyperscale. :
* [Nodes and tables](../../postgresql/hyperscale/concepts-nodes.md) * [Determine application type](../../postgresql/hyperscale/howto-app-type.md) * [Choose a distribution column](../../postgresql/hyperscale/howto-choose-distribution-column.md)
azure-arc Create Postgresql Hyperscale Server Group Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/create-postgresql-hyperscale-server-group-azure-portal.md
Be aware of the following considerations when you're deploying:
This table is demonstrated in the following figure:
- :::image type="content" source="media/postgres-hyperscale/deployment-parameters.png" alt-text="Diagram that depicts Postgres Hyperscale worker node parameters and associated architecture." border="false":::
+ :::image type="content" source="media/postgres-hyperscale/deployment-parameters.png" alt-text="Diagram that depicts PostgreSQL Hyperscale worker node parameters and associated architecture." border="false":::
Although you can indicate *1* worker, it's not a good idea to do so. This deployment doesn't provide you with much value. With it, you get two instances of Azure Arc-enabled PostgreSQL Hyperscale: one coordinator and one worker. You don't scale out the data because you deploy a single worker. As such, you don't see an increased level of performance and scalability.
azure-arc Create Postgresql Hyperscale Server Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/create-postgresql-hyperscale-server-group.md
The main parameters should consider are:
- **the version of the PostgreSQL engine** you want to deploy: by default it is version 12. To deploy version 12, you can either omit this parameter or pass one of the following parameters: `--engine-version 12` or `-ev 12`. To deploy version 11, indicate `--engine-version 11` or `-ev 11`. -- **the number of worker nodes** you want to deploy to scale out and potentially reach better performances. Before proceeding here, read the [concepts about Postgres Hyperscale](concepts-distributed-postgres-hyperscale.md). To indicate the number of worker nodes to deploy, use the parameter `--workers` or `-w` followed by an integer. The table below indicates the range of supported values and what form of Postgres deployment you get with them. For example, if you want to deploy a server group with two worker nodes, indicate `--workers 2` or `-w 2`. This will create three pods, one for the coordinator node/instance and two for the worker nodes/instances (one for each of the workers).
+- **the number of worker nodes** you want to deploy to scale out and potentially reach better performances. Before proceeding here, read the [concepts about PostgreSQL Hyperscale](concepts-distributed-postgres-hyperscale.md). To indicate the number of worker nodes to deploy, use the parameter `--workers` or `-w` followed by an integer. The table below indicates the range of supported values and what form of Postgres deployment you get with them. For example, if you want to deploy a server group with two worker nodes, indicate `--workers 2` or `-w 2`. This will create three pods, one for the coordinator node/instance and two for the worker nodes/instances (one for each of the workers).
|You need |Shape of the server group you will deploy |`-w` parameter to use |Note | ||||| |A scaled out form of Postgres to satisfy the scalability needs of your applications. |Three or more Postgres instances, one is coordinator, n are workers with n >=2. |Use `-w n`, with n>=2. |The Citus extension that provides the Hyperscale capability is loaded. |
- |A basic form of Postgres Hyperscale for you to do functional validation of your application at minimum cost. Not valid for performance and scalability validation. For that you need to use the type of deployments described above. |One Postgres instance that is both coordinator and worker. |Use `-w 0` and load the Citus extension. Use the following parameters if deploying from command line: `-w 0` --extensions Citus. |The Citus extension that provides the Hyperscale capability is loaded. |
+ |A basic form of PostgreSQL Hyperscale for you to do functional validation of your application at minimum cost. Not valid for performance and scalability validation. For that you need to use the type of deployments described above. |One Postgres instance that is both coordinator and worker. |Use `-w 0` and load the Citus extension. Use the following parameters if deploying from command line: `-w 0` --extensions Citus. |The Citus extension that provides the Hyperscale capability is loaded. |
|A simple instance of Postgres that is ready to scale out when you need it. |One Postgres instance. It is not yet aware of the semantic for coordinator and worker. To scale it out after deployment, edit the configuration, increase the number of worker nodes and distribute the data. |Use `-w 0` or do not specify `-w`. |The Citus extension that provides the Hyperscale capability is present on your deployment but is not yet loaded. | | | | | | This table is demonstrated in the following figure:
- :::image type="content" source="media/postgres-hyperscale/deployment-parameters.png" alt-text="Diagram that depicts Postgres Hyperscale worker node parameters and associated architecture." border="false":::
+ :::image type="content" source="media/postgres-hyperscale/deployment-parameters.png" alt-text="Diagram that depicts PostgreSQL Hyperscale worker node parameters and associated architecture." border="false":::
While using `-w 1` works, we do not recommend you use it. This deployment will not provide you much value. With it, you will get two instances of Postgres: One coordinator and one worker. With this setup, you actually do not scale out the data since you deploy a single worker. As such you will not see an increased level of performance and scalability. We will remove the support of this deployment in a future release.
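Review bot: The rename is applied to "Postgres Hyperscale" only, so the changed lines in this file now mix "PostgreSQL Hyperscale" with "Postgres deployment" and "Postgres instance"; confirm the short form is intended where it remains. In the `-w 0` table row, `--extensions Citus` sits outside the code formatting ("`-w 0` --extensions Citus"), which makes the full parameter string hard to copy correctly.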
azure-arc Migrate Postgresql Data Into Postgresql Hyperscale Server Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/migrate-postgresql-data-into-postgresql-hyperscale-server-group.md
Within your Arc setup you can use `psql` to connect to your Postgres instance, s
* [Design a multi-tenant database](../../postgresql/hyperscale/tutorial-design-database-multi-tenant.md)* * [Design a real-time analytics dashboard](../../postgresql/hyperscale/tutorial-design-database-realtime.md)*
-> *In these documents, skip the sections **Sign in to the Azure portal**, and **Create an Azure Database for Postgres - Hyperscale (Citus)**. Implement the remaining steps in your Azure Arc deployment. Those sections are specific to the Azure Database for PostgreSQL Hyperscale (Citus) offered as a PaaS service in the Azure cloud but the other parts of the documents are directly applicable to your Azure Arc-enabled PostgreSQL Hyperscale.
+> *In these documents, skip the sections **Sign in to the Azure portal**, and **Create an Azure Database for PostgreSQL - Hyperscale (Citus)**. Implement the remaining steps in your Azure Arc deployment. Those sections are specific to the Azure Database for PostgreSQL Hyperscale (Citus) offered as a PaaS service in the Azure cloud but the other parts of the documents are directly applicable to your Azure Arc-enabled PostgreSQL Hyperscale.
- [Scale out your Azure Database for PostgreSQL Hyperscale server group](scale-out-in-postgresql-hyperscale-server-group.md)
azure-arc Preview Testing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/preview-testing.md
If you use the Azure CLI extension:
If you use the Azure Data Studio extension to install: - Uninstall the Azure Data Studio extension. Select the Extensions panel and select on the **Azure Arc** extension, select **Uninstall**.-- Download the latest pre-release Azure Data Studio extension .vsix file from [https://aka.ms/ads-arcdata-ext](https://aka.ms/ads-arcdata-ext).-- Install the extension by choosing File -> Install Extension from VSIX package and then browsing to the download location of the .vsix file.
+- Download the latest pre-release Azure Data Studio extension .vsix files from [https://aka.ms/ads-arcdata-ext](https://aka.ms/ads-arcdata-ext) and [https://aka.ms/ads-azcli-ext](https://aka.ms/ads-azcli-ext).
+- Install the extensions by choosing File -> Install Extension from VSIX package and then browsing to the download location of the .vsix files. Install the `azcli` extension first and then `arc`.
### Install using Azure CLI
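Review bot: The uninstall bullet above the added lines still names only the **Azure Arc** extension, while the install step now covers two packages (`azcli` and `arc`); say whether an existing `azcli` extension must be removed as well before installing the pre-release builds. The ordering requirement ("Install the `azcli` extension first and then `arc`") is easy to miss at the end of the bullet, so consider turning the two installs into a numbered sequence.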
azure-arc Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/release-notes.md
For complete release version information, see [Version log](version-log.md#july-
- Permissions required to deploy the Arc data controller have been reduced to a least-privilege level. - When deployed via the Azure CLI, the Arc data controller is now installed via a K8s job that uses a helm chart to do the installation. There's no change to the user experience.
+- Resource Sync rule is created automatically when Data Controller is deployed in Direct connected mode. This enables customers to deploy an Azure Arc enabled SQL Managed Instance by directly talking to the kubernetes APIs.
## June 14, 2022
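Review bot: The added release-note bullet introduces the resource sync rule but does not link to the new `resource-sync.md` article added in the same change; add the link so readers can find the limitations and the steps for restoring a deleted rule. The bullet also writes "Azure Arc enabled" without the hyphen and "kubernetes" in lowercase, where the new article's description line uses "Azure Arc-enabled".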
For instructions see [What are Azure Arc-enabled data services?](overview.md)
- [Plan an Azure Arc-enabled data services deployment](plan-azure-arc-data-services.md) (requires installing the client tools first) - [Create an Azure SQL Managed Instance on Azure Arc](create-sql-managed-instance.md) (requires creation of an Azure Arc data controller first) - [Create an Azure Database for PostgreSQL Hyperscale server group on Azure Arc](create-postgresql-hyperscale-server-group.md) (requires creation of an Azure Arc data controller first)-- [Resource providers for Azure services](../../azure-resource-manager/management/azure-services-resource-providers.md)
+- [Resource providers for Azure services](../../azure-resource-manager/management/azure-services-resource-providers.md)
azure-arc Resource Sync https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/resource-sync.md
+
+ Title: Resource sync
+description: Synchronize resources for Azure Arc-enabled data services in directly connected mode
++++++ Last updated : 07/14/2022+++
+# Resource sync
+
+Resource sync lets you create, update, or delete resources directly on the Kubernetes cluster using Kubernetes APIs in the direct connected mode, and automatically synchronizes those changes to Azure. This article explains resource sync.
++
+When you deploy Azure Arc-enabled data services in direct connected mode, the deployment creates a *resource sync* rule. This resource sync rule ensures that the Arc resources such as SQL managed instance created or updated by directly calling the Kubernetes APIs get updated appropriately in the mapped resources in Azure and the resource metadata is continually synced back to Azure. This rule is created within the same resource group as the data controller.
+
+ > [!NOTE]
+ > The resource sync rule is created by default, during the Azure Arc Data Controller deployment and is only applicable in direct connected mode.
+
+Without the resource sync rule, the SQL managed instance is created using the following command:
+
+```azurecli
+az sql mi-arc create --name <name> --resource-group <group> --location <Azure location> -ΓÇôsubscription <subscription> --custom-location <custom-location> --storage-class-backups <RWX capable storageclass>
+```
+
+In this scenario, first the Azure ARM APIs are called and the mapped Azure resource is created. Once this mapped resource is created successfully, then the Kubernetes API is called to create the SQL managed instance on the Kubernetes cluster.
++
+With the resource sync rule, you can use the Kubernetes API to create the Arc-enabled SQL managed instance, as follows:
+
+```azurecli
+az sql mi-arc create --name <name> -k <namespace> --use-k8 --storage-class-backups <RWX capable storageclass>
+```
+
+In this scenario, the SQL managed instance is directly created in the Kubernetes cluster. The resource sync rule ensures that the equivalent resource in Azure is created as well.
+
+If the resource sync rule is deleted accidentally, you can add it back to restore the sync functionality by using the below REST API. Refer to Azure REST API reference for guidance on executing REST APIs. Please make sure to use data controller Azure resource subscription and resource group.
++
+```rest
+https://management.azure.com/subscriptions/{{subscription}}/resourcegroups/{{resource_group}}/providers/microsoft.extendedlocation/customlocations/{{custom_location_name}}/resourcesyncrules/defaultresourcesyncrule?api-version=2021-08-31-preview
+```
+++
+```azurecli
+ "location": "{{Azure region}}",
+ "properties": {
+ "targetResourceGroup": "/subscriptions/{{subscription}}/resourcegroups/{{resource_group_of_ data_controller}}",
+ "priority": 100,
+ "selector": {
+ "matchLabels": {
+ "management.azure.com/resourceProvider": "Microsoft.AzureArcData" //Mandatory
+ }
+ }
+ }
+}
+```
+
+### Limitations:
+
+- Resource sync rule does not hydrate Azure Arc Data controller. The Azure Arc Data controller must be deployed via ARM API.
+- Resource sync only applies to the data services such as Arc enabled SQL managed instance, post deployment of Data controller.
+- Resource sync rule does not hydrate Azure Arc enabled PostgreSQL
+- Resource sync rule does not hydrate Azure Arc Active Directory connector
+- Resource sync rule does not hydrate Azure Arc Instance Failover Groups
+
+## Next steps
+
+[Create Azure Arc-enabled data controller using Kubernetes tools](create-data-controller-using-kubernetes-native-tools.md)
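Review bot: The recovery procedure for a deleted resource sync rule cannot be followed as written: the `rest` block gives only a URL with no HTTP method, and the request body that follows is fenced as `azurecli`, ends with a closing `}` that has no opening `{`, and carries a `//Mandatory` comment that makes it invalid JSON. State the method, fence the body as JSON, add the opening brace, move the "mandatory" remark into the prose, and remove the space inside `{{resource_group_of_ data_controller}}`. Separately, in the first `az sql mi-arc create` command the `subscription` flag is preceded by one hyphen and a non-ASCII character instead of `--`, so it will not parse as that flag when pasted. The "### Limitations:" heading also skips a level under the H1 and ends in a colon.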
azure-arc Restore Adventureworks Sample Db Into Postgresql Hyperscale Server Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/restore-adventureworks-sample-db-into-postgresql-hyperscale-server-group.md
Run a command like this to download the files replace the value of the pod name
> Your container will need to have Internet connectivity over 443 to download the file from GitHub. > [!NOTE]
-> Use the pod name of the Coordinator node of the Postgres Hyperscale server group. Its name is \<server group name\>c-0 (for example postgres01c-0, where c stands for Coordinator node). If you are not sure of the pod name run the command `kubectl get pod`
+> Use the pod name of the Coordinator node of the PostgreSQL Hyperscale server group. Its name is \<server group name\>c-0 (for example postgres01c-0, where c stands for Coordinator node). If you are not sure of the pod name run the command `kubectl get pod`
```console kubectl exec <PostgreSQL pod name> -n <namespace name> -c postgres -- /bin/bash -c "cd /tmp && curl -k -O https://raw.githubusercontent.com/microsoft/azure_arc/main/azure_arc_data_jumpstart/cluster_api/capi_azure/arm_template/artifacts/AdventureWorks2019.sql"
azure-arc Scale Out In Postgresql Hyperscale Server Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/scale-out-in-postgresql-hyperscale-server-group.md
# Scale out and in your Azure Arc-enabled PostgreSQL Hyperscale server group by adding more worker nodes This document explains how to scale out and scale in an Azure Arc-enabled PostgreSQL Hyperscale server group. It does so by taking you through a scenario. **If you do not want to run through the scenario and want to just read about how to scale out, jump to the paragraph [Scale out](#scale-out)** or [Scale in]().
-You scale out when you add Postgres instances (Postgres Hyperscale worker nodes) to your Azure Arc-enabled PosrgreSQL Hyperscale server group.
+You scale out when you add Postgres instances (PostgreSQL Hyperscale worker nodes) to your Azure Arc-enabled PosrgreSQL Hyperscale server group.
-You scale in when you remove Postgres instances (Postgres Hyperscale worker nodes) from your Azure Arc-enabled PosrgreSQL Hyperscale server group.
+You scale in when you remove Postgres instances (PostgreSQL Hyperscale worker nodes) from your Azure Arc-enabled PosrgreSQL Hyperscale server group.
[!INCLUDE [azure-arc-data-preview](../../../includes/azure-arc-data-preview.md)]
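Review bot: Both replacement lines still read "Azure Arc-enabled PosrgreSQL Hyperscale server group"; since the rename already touches these two sentences, correct `PosrgreSQL` to `PostgreSQL` in the same change.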
The scale-in operation is an online operation. Your applications continue to acc
- Read about how to [scale up and down (memory, vCores) your Azure Arc-enabled PostgreSQL Hyperscale server group](scale-up-down-postgresql-hyperscale-server-group-using-cli.md) - Read about how to set server parameters in your Azure Arc-enabled PostgreSQL Hyperscale server group-- Read the concepts and How-to guides of Azure Database for PostgreSQL Hyperscale to distribute your data across multiple PostgreSQL Hyperscale nodes and to benefit from all the power of Azure Database for Postgres Hyperscale. :
+- Read the concepts and How-to guides of Azure Database for PostgreSQL Hyperscale to distribute your data across multiple PostgreSQL Hyperscale nodes and to benefit from all the power of Azure Database for PostgreSQL Hyperscale. :
* [Nodes and tables](../../postgresql/hyperscale/concepts-nodes.md) * [Determine application type](../../postgresql/hyperscale/howto-app-type.md) * [Choose a distribution column](../../postgresql/hyperscale/howto-choose-distribution-column.md)
azure-arc Conceptual Extensions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/conceptual-extensions.md
Title: "Cluster extensions - Azure Arc-enabled Kubernetes" Previously updated : 11/24/2021 Last updated : 07/12/2022 description: "This article provides a conceptual overview of cluster extensions capability of Azure Arc-enabled Kubernetes" # Cluster extensions
-[Helm charts](https://helm.sh/) help you manage Kubernetes applications by providing the building blocks needed to define, install, and upgrade even the most complex Kubernetes applications. Cluster extension feature builds on top of the packaging components of Helm by providing an Azure Resource Manager driven experience for installation and lifecycle management of different Azure capabilities on top of your Kubernetes cluster. A cluster operator or admin can use the cluster extensions feature to:
+[Helm charts](https://helm.sh/) help you manage Kubernetes applications by providing the building blocks needed to define, install, and upgrade even the most complex Kubernetes applications. The cluster extension feature builds on top of the packaging components of Helm by providing an Azure Resource Manager-driven experience for installation and lifecycle management of different Azure capabilities on top of your Kubernetes cluster.
+
+A cluster operator or admin can use the cluster extensions feature to:
- Install and manage key management, data, and application offerings on your Kubernetes cluster. List of available extensions can be found [here](extensions.md#currently-available-extensions) - Use Azure Policy to automate at-scale deployment of cluster extensions across all clusters in your environment.
description: "This article provides a conceptual overview of cluster extensions
- Set up auto-upgrade for extensions or pin to a specific version and manually upgrade versions. - Update extension properties or delete extension instances.
-An extension can be cluster-scoped or scoped to a namespace. Each extension type (like Azure Monitor for containers, Microsoft Defender for Cloud, Azure App services) defines the scope at which they operate on the cluster.
+An extension can be [cluster-scoped or scoped to a namespace](extensions.md#extension-scope). Each extension type (such as Azure Monitor for containers, Microsoft Defender for Cloud, Azure App services) defines the scope at which they operate on the cluster.
## Architecture
The `config-agent` running in your cluster tracks new and updated extension reso
Both the `config-agent` and `extensions-manager` components running in the cluster handle extension instance updates, version updates and extension instance deletion. These agents use the system-assigned managed identity of the cluster to securely communicate with Azure services. > [!NOTE]
-> * `config-agent` checks for new or updated extension instances on top of Azure Arc-enabled Kubernetes cluster. The agents require connectivity for the desired state of the extension to be pulled down to the cluster. If agents are unable to connect to Azure, propagation of the desired state to the cluster is delayed.
-> * Protected configuration settings for an extension instance are stored for up to 48 hours in the Azure Arc-enabled Kubernetes services. As a result, if the cluster remains disconnected during the 48 hours after the extension resource was created on Azure, the extension transitions from a `Pending` state to `Failed` state. As a result, we advise bringing the clusters online regularly.
+> `config-agent` checks for new or updated extension instances on top of Azure Arc-enabled Kubernetes cluster. The agents require connectivity for the desired state of the extension to be pulled down to the cluster. If agents are unable to connect to Azure, propagation of the desired state to the cluster is delayed.
+>
+> Protected configuration settings for an extension instance are stored for up to 48 hours in the Azure Arc-enabled Kubernetes services. As a result, if the cluster remains disconnected during the 48 hours after the extension resource was created on Azure, the extension changes from a `Pending` state to `Failed` state. To prevent this, we recommend bringing clusters online regularly.
## Next steps
-* Use our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).
-* [Deploy cluster extensions](./extensions.md) on your Azure Arc-enabled Kubernetes cluster.
+- Use our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).
+- [Deploy cluster extensions](./extensions.md) on your Azure Arc-enabled Kubernetes cluster.
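Review bot: The rewritten note says the extension changes from `Pending` to `Failed` when the cluster stays disconnected for 48 hours, but it stops short of telling the reader how to recover; the matching note in `extensions.md` says to run `k8s-extension create` again, so link to it or repeat that step here. In the first paragraph the subject switches from `config-agent` to "the agents", and "on top of Azure Arc-enabled Kubernetes cluster" is missing an article.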
azure-arc Extensions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/extensions.md
Title: "Azure Arc-enabled Kubernetes cluster extensions"
Previously updated : 05/24/2022 Last updated : 07/12/2022 description: "Deploy and manage lifecycle of extensions on Azure Arc-enabled Kubernetes"
In this article, you learn:
A conceptual overview of this feature is available in [Cluster extensions - Azure Arc-enabled Kubernetes](conceptual-extensions.md). - ## Prerequisites * [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to version >= 2.16.0.
A conceptual overview of this feature is available in [Cluster extensions - Azur
## Currently available extensions
+The following extensions are currently available.
+ | Extension | Description | | | -- | | [Azure Monitor for containers](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md?toc=/azure/azure-arc/kubernetes/toc.json&bc=/azure/azure-arc/kubernetes/breadcrumb/toc.json) | Provides visibility into the performance of workloads deployed on the Kubernetes cluster. Collects memory and CPU utilization metrics from controllers, nodes, and containers. |
A conceptual overview of this feature is available in [Cluster extensions - Azur
| [Azure Key Vault Secrets Provider](tutorial-akv-secrets-provider.md) | The Azure Key Vault Provider for Secrets Store CSI Driver allows for the integration of Azure Key Vault as a secrets store with a Kubernetes cluster via a CSI volume. | | [Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-kubernetes-azure-arc.md?toc=/azure/azure-arc/kubernetes/toc.json&bc=/azure/azure-arc/kubernetes/breadcrumb/toc.json) | Gathers information related to security like audit log data from the Kubernetes cluster. Provides recommendations and threat alerts based on gathered data. | | [Azure Arc-enabled Open Service Mesh](tutorial-arc-enabled-open-service-mesh.md) | Deploys Open Service Mesh on the cluster and enables capabilities like mTLS security, fine grained access control, traffic shifting, monitoring with Azure Monitor or with open source add-ons of Prometheus and Grafana, tracing with Jaeger, integration with external certification management solution. |
-| [Azure Arc-enabled Data Services](../../azure-arc/kubernetes/custom-locations.md#create-custom-location) | Makes it possible for you to run Azure data services on-prem, at the edge, and in public clouds using Kubernetes and the infrastructure of your choice. |
+| [Azure Arc-enabled Data Services](../../azure-arc/kubernetes/custom-locations.md#create-custom-location) | Makes it possible for you to run Azure data services on-premises, at the edge, and in public clouds using Kubernetes and the infrastructure of your choice. |
| [Azure App Service on Azure Arc](../../app-service/overview-arc-integration.md) | Allows you to provision an App Service Kubernetes environment on top of Azure Arc-enabled Kubernetes clusters. |
-| [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md) | Create and manage event grid resources such as topics and event subscriptions on top of Azure Arc-enabled Kubernetes clusters. |
+| [Azure Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md) | Create and manage event grid resources such as topics and event subscriptions on top of Azure Arc-enabled Kubernetes clusters. |
| [Azure API Management on Azure Arc](../../api-management/how-to-deploy-self-hosted-gateway-azure-arc.md) | Deploy and manage API Management gateway on Azure Arc-enabled Kubernetes clusters. | | [Azure Arc-enabled Machine Learning](../../machine-learning/how-to-attach-kubernetes-anywhere.md) | Deploy and run Azure Machine Learning on Azure Arc-enabled Kubernetes clusters. | | [Flux (GitOps)](./conceptual-gitops-flux2.md) | Use GitOps with Flux to manage cluster configuration and application deployment. | | [Dapr extension for Azure Kubernetes Service (AKS) and Arc-enabled Kubernetes](../../aks/dapr.md)| Eliminates the overhead of downloading Dapr tooling and manually installing and managing the runtime on your clusters. |
+### Extension scope
+
+Extension installations on the Arc-enabled Kubernetes cluster are either *cluster-scoped* or *namespace-scoped*.
+
+A cluster-scoped extension will be installed in the `release-namespace` specified during extension creation. Typically, only one instance of the cluster-scoped extension and its components, such as pods, operators, and Custom Resource Definitions (CRDs), are installed in the release namespace on the cluster.
+
+A namespace-scoped extension can be installed in a given namespace provided using the `ΓÇônamespace` property. Since the extension can be deployed at a namespace scope, multiple instances of the namespace-scoped extension and its components can run on the cluster. Each extension instance has permissions on the namespace where it is deployed to. All the above extensions are cluster-scoped except Event Grid on Kubernetes.
+
+All of the extensions listed above are cluster-scoped, except for [Azure API Management on Azure Arc](../../api-management/how-to-deploy-self-hosted-gateway-azure-arc.md) .
+ ## Usage of cluster extensions ### Create extensions instance
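Review bot: The added "Extension scope" section names two different exceptions: the third paragraph ends with "All the above extensions are cluster-scoped except Event Grid on Kubernetes", and the paragraph after it says all are cluster-scoped "except for Azure API Management on Azure Arc". Keep one statement and confirm which extension it should name, because the scope determines which namespace an extension instance holds permissions on. The `namespace` property in the same section is written with a non-ASCII dash rather than `--`, "where it is deployed to" has a redundant "to", and there is a stray space before the final period.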
az k8s-extension create --name azuremonitor-containers --extension-type Microso
``` > [!NOTE]
-> * The service is unable to retain sensitive information for more than 48 hours. If Azure Arc-enabled Kubernetes agents don't have network connectivity for more than 48 hours and cannot determine whether to create an extension on the cluster, then the extension transitions to `Failed` state. Once in `Failed` state, you will need to run `k8s-extension create` again to create a fresh extension Azure resource.
-> * Azure Monitor for containers is a singleton extension (only one required per cluster). You'll need to clean up any previous Helm chart installations of Azure Monitor for containers (without extensions) before installing the same via extensions. Follow the instructions for [deleting the Helm chart before running `az k8s-extension create`](../../azure-monitor/containers/container-insights-optout-hybrid.md).
+> The service is unable to retain sensitive information for more than 48 hours. If Azure Arc-enabled Kubernetes agents don't have network connectivity for more than 48 hours and cannot determine whether to create an extension on the cluster, then the extension transitions to `Failed` state. Once in `Failed` state, you will need to run `k8s-extension create` again to create a fresh extension Azure resource.
+>
+> Azure Monitor for containers is a singleton extension (only one required per cluster). You'll need to clean up any previous Helm chart installations of Azure Monitor for containers (without extensions) before installing the same via extensions. Follow the instructions for [deleting the Helm chart before running `az k8s-extension create`](../../azure-monitor/containers/container-insights-optout-hybrid.md).
**Required parameters**
azure-arc Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/resource-bridge/overview.md
Title: Azure Arc resource bridge (preview) overview description: Learn how to use Azure Arc resource bridge (preview) to support VM self-servicing on Azure Stack HCI, VMware, and System Center Virtual Machine Manager. Previously updated : 11/08/2021 Last updated : 07/14/2022 # What is Azure Arc resource bridge (preview)?
-Azure Arc resource bridge (preview) is part of the core Azure Arc platform, and is designed to host other Azure Arc services. In this release, the resource bridge supports VM self-servicing and management from Azure, for virtualized Windows and Linux virtual machines hosted in an on-premises environment on [Azure Stack HCI](/azure-stack/hci/overview) and VMware. The resource bridge is a packaged virtual machine, which hosts a *management* Kubernetes cluster that requires no user management. This virtual appliance delivers the following benefits:
+Azure Arc resource bridge (preview) is part of the core Azure Arc platform, and is designed to host other Azure Arc services. In this release, the resource bridge supports VM self-servicing and management from Azure, for virtualized Windows and Linux virtual machines hosted in an on-premises environment on [Azure Stack HCI](/azure-stack/hci/overview) and VMware.
-* Enables VM self-servicing from Azure without having to create and manage a Kubernetes cluster
-* It is fully supported by Microsoft, including update of core components.
+The resource bridge is a packaged virtual machine, which hosts a *management* Kubernetes cluster that requires no user management. This virtual appliance delivers the following benefits:
+
+* Enables VM self-servicing from Azure without having to create and manage a Kubernetes cluster.
+* Fully supported by Microsoft, including updates to core components.
* Designed to recover from software failures. * Supports deployment to any private cloud hosted on Hyper-V or VMware from the Azure portal or using the Azure Command-Line Interface (CLI).
-All management operations are performed from Azure, no local configuration is required on the appliance.
+All management operations are performed from Azure, so no local configuration is required on the appliance.
## Overview
-Azure resource bridge (preview) hosts other components such as Custom Locations, cluster extensions, and other Azure Arc agents in order to deliver the level of functionality with the private cloud infrastructures it supports. This complex system is composed of three layers:
+Azure Arc resource bridge (preview) hosts other components such as [custom locations](..\platform\conceptual-custom-locations.md), cluster extensions, and other Azure Arc agents in order to deliver the level of functionality with the private cloud infrastructures it supports. This complex system is composed of three layers:
-* The base layer that represents the resource bridge and the Arc agents
-* The platform layer that includes the Custom Location and Cluster extension
+* The base layer that represents the resource bridge and the Arc agents.
+* The platform layer that includes the custom location and cluster extension.
* The solution layer for each service supported by Arc resource bridge (that is, the different type of VMs). :::image type="content" source="media/overview/architecture-overview.png" alt-text="Azure Arc resource bridge architecture diagram." border="false"::: Azure Arc resource bridge (preview) can host other Azure services or solutions running on-premises. For this preview, there are two objects hosted on the Arc resource bridge (preview):
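Review bot: The new custom locations link uses backslashes (`..\platform\conceptual-custom-locations.md`) while every other relative link in this article uses forward slashes, and a backslash path may not resolve when the page is built. Change it to `../platform/conceptual-custom-locations.md`. The intro sentence also still reads "deliver the level of functionality with the private cloud infrastructures it supports", which was hard to parse before this change and is worth rewording while the line is being touched.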
-* Cluster extension: Is the Azure service deployed to run on-premises. For the preview release, it supports two
+* Cluster extension: The Azure service deployed to run on-premises. For the preview release, it supports two
- - Azure Arc-enabled VMware
+ * Azure Arc-enabled VMware
- - Azure Arc-enabled Azure Stack HCI
+ * Azure Arc-enabled Azure Stack HCI
-* Custom Locations: Is a deployment target, where you can create Azure resources. It maps to different resource for different Azure services. For example, for Arc-enabled VMware, the Custom Locations resource maps to an instance of vCenter, and for Arc-enabled Azure Stack HCI, it maps to an HCI cluster instance.
+* Custom locations: A deployment target where you can create Azure resources. It maps to different resource for different Azure services. For example, for Arc-enabled VMware, the custom locations resource maps to an instance of vCenter, and for Arc-enabled Azure Stack HCI, it maps to an HCI cluster instance.
-Custom Locations and cluster extension are both Azure resources, they are linked to the Azure Arc resource bridge (preview) resource in Azure Resource Manager. When you create an on-premises VM from Azure, you can select the custom location, and that routes that *create action* to the mapped vCenter or Azure Stack HCI cluster.
+Custom locations and cluster extension are both Azure resources, which are linked to the Azure Arc resource bridge (preview) resource in Azure Resource Manager. When you create an on-premises VM from Azure, you can select the custom location, and that routes that *create action* to the mapped vCenter or Azure Stack HCI cluster.
-There is a set of resources unique to the infrastructure. For example, vCenter has a resource pool, network, and template resources. During VM creation, these resources need to be specified. With Azure Stack HCI, you just need to select the custom location, network and template to create a VM.
+Some resources are unique to the infrastructure. For example, vCenter has a resource pool, network, and template resources. During VM creation, these resources need to be specified. With Azure Stack HCI, you just need to select the custom location, network and template to create a VM.
-To summarize, the Azure resources are projections of the resources running in your on-premises private cloud. If the on-premises resource is not healthy, it can impact the health of the related resources. For example, if the Arc resource bridge (preview) has been deleted by accident, all the resources hosted in the Arc resource bridge (preview) are impacted. That is, the Custom Locations and cluster extensions are deleted as a result. The actual VMs are not impacted, as they are running on vCenter, but the management path to those VMs is interrupted. You won't be able to start/stop the VM from Azure. It is not recommended to manage or modify the Arc resource bridge (preview) using any on-premises applications directly.
+To summarize, the Azure resources are projections of the resources running in your on-premises private cloud. If the on-premises resource is not healthy, it can impact the health of the related resources. For example, if the Arc resource bridge (preview) has been deleted by accident, all the resources hosted in the Arc resource bridge (preview) are impacted. That is, the custom locations and cluster extensions are deleted as a result. The actual VMs are not impacted, as they are running on vCenter, but the management path to those VMs is interrupted, and you won't be able to start or stop the VM from Azure. It is not recommended to manage or modify the Arc resource bridge (preview) using any on-premises applications directly.
## Benefits of Azure Arc resource bridge (preview)
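Review bot: The rewritten "Cluster extension" bullet still ends mid-sentence at "For the preview release, it supports two", leaving the nested bullets to supply the noun. Finish the sentence (for example "it supports two services:") so it reads correctly on its own. In the "Custom locations" bullet, "It maps to different resource for different Azure services" needs "a different resource", and "Custom locations and cluster extension are both Azure resources" mixes a plural and a singular for the same pair of objects.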
-Through the Azure Arc resource bridge (preview), you can accomplish the following for each private cloud infrastructure from Azure:
+Through Azure Arc resource bridge (preview), you can accomplish the following for each private cloud infrastructure from Azure:
+
+### VMware vSphere
-* VMware vSphere - By registering resource pools, networks, and VM templates in Azure you can represent a subset of your vCenter resources in Azure to enable self-service. Integration with Azure allows you to not only manage access to your vCenter resources in Azure to maintain a secure environment, but also to perform various operations on the VMware virtual machines that are enabled by Arc-enabled VMware vSphere:
+By registering resource pools, networks, and VM templates, you can represent a subset of your vCenter resources in Azure to enable self-service. Integration with Azure allows you to manage access to your vCenter resources in Azure to maintain a secure environment. You can also perform various operations on the VMware virtual machines that are enabled by Arc-enabled VMware vSphere:
-- Start, stop, and restart a virtual machine-- Control access and add Azure tags-- Add, remove, and update network interfaces-- Add, remove, and update disks and update VM size (CPU cores and memory)-- Enable guest management-- Install extensions
+* Start, stop, and restart a virtual machine
+* Control access and add Azure tags
+* Add, remove, and update network interfaces
+* Add, remove, and update disks and update VM size (CPU cores and memory)
+* Enable guest management
+* Install extensions
-* Azure Stack HCI - You can provision and manage on-premises Windows and Linux virtual machines (VMs) running on Azure Stack HCI clusters.
+### Azure Stack HCI
+
+You can provision and manage on-premises Windows and Linux virtual machines (VMs) running on Azure Stack HCI clusters.
## Prerequisites
If you are deploying on Azure Stack HCI, the x32 Azure CLI installer can be used
Azure Arc resource bridge currently supports the following Azure regions: -- East US--- West Europe
+* East US
+* West Europe
### Regional resiliency
The following private cloud environments and their versions are officially suppo
### Required Azure permissions
-* To onboard the Arc resource bridge, you are a member of the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role in the resource group.
-
-* To read, modify, and delete the resource bridge, you are a member of the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role in the resource group.
+* To onboard the Arc resource bridge, you must have the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role for the resource group.
+* To read, modify, and delete the Arc resource bridge, you must have the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role for the resource group.
### Networking The Arc resource bridge communicates outbound securely to Azure Arc over TCP port 443. If the appliance needs to connect through a firewall or proxy server to communicate over the internet, it communicates outbound using the HTTPS protocol.
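Review bot: After this edit the two permission bullets differ only in the action list; both require Contributor on the resource group. Merge them into one bullet covering onboard, read, modify, and delete. Since the second bullet puts read access under the same role as modify and delete, it would also help to say whether a read-only role is enough to view the resource bridge, so readers do not hand out Contributor just for visibility.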
-If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs listed below are not blocked.
-
-URLS:
-
-| Agent resource | Description |
-|||
-|`https://mcr.microsoft.com`|Microsoft container registry|
-|`https://*.his.arc.azure.com`|Azure Arc Identity service|
-|`https://*.dp.kubernetesconfiguration.azure.com`|Azure Arc configuration service|
-|`https://*.servicebus.windows.net`|Cluster connect|
-|`https://guestnotificationservice.azure.com` |Guest notification service|
-|`https://*.dp.prod.appliances.azure.com`|Resource bridge data plane service|
-|`https://ecpacr.azurecr.io` |Resource bridge container image download |
-|`.blob.core.windows.net`<br> `*.dl.delivery.mp.microsoft.com`<br> `*.do.dsp.mp.microsoft.com` |Resource bridge image download |
+You may need to allow specific URLs to [ensure outbound connectivity is not blocked](troubleshoot-resource-bridge.md#restricted-outbound-connectivity) by your firewall or proxy server.
## Next steps
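Review bot: Replacing the endpoint table with a link to troubleshoot-resource-bridge.md means the Networking prerequisites no longer say which destinations must be reachable; the list now appears only under a troubleshooting heading. Someone preparing firewall or proxy rules before deployment will read this section first, so keep at least a sentence here stating that a specific set of URLs over port 443 is required, and word the link as a requirement rather than "You may need to allow specific URLs".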
-To learn more about how Azure Arc-enabled VMware vSphere extends Azure's governance and management capabilities to VMware vSphere infrastructure, see the following [Overview](../vmware-vsphere/overview.md) article.
+* Learn more about [how Azure Arc-enabled VMware vSphere extends Azure's governance and management capabilities to VMware vSphere infrastructure](../vmware-vsphere/overview.md).
+* Learn more about [provisioning and managing on-premises Windows and Linux VMs running on Azure Stack HCI clusters](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines).
azure-arc Security Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/resource-bridge/security-overview.md
Title: Azure Arc resource bridge (preview) security overview description: Security information about Azure resource bridge (preview). Previously updated : 11/08/2021 Last updated : 07/14/2022 # Azure Arc resource bridge (preview) security overview
This article describes the security configuration and considerations you should
## Using a managed identity
-By default, an Azure Active Directory system-assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) is created and assigned to the Azure Arc resource bridge (preview). Azure Arc resource bridge (preview) currently supports only a system-assigned identity. The `clusteridentityoperator` identity initiates the first outbound communication and fetches the Managed Service Identity (MSI) certificate used by other agents for communication with Azure.
+By default, an Azure Active Directory system-assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) is created and assigned to the Azure Arc resource bridge (preview). Azure Arc resource bridge currently supports only a system-assigned identity. The `clusteridentityoperator` identity initiates the first outbound communication and fetches the Managed Service Identity (MSI) certificate used by other agents for communication with Azure.
## Identity and access control Azure Arc resource bridge (preview) is represented as a resource in a resource group inside an Azure subscription. Access to this resource is controlled by standard [Azure role-based access control](../../role-based-access-control/overview.md). From the [**Access Control (IAM)**](../../role-based-access-control/role-assignments-portal.md) page in the Azure portal, you can verify who has access to your Azure Arc resource bridge (preview).
-Users and applications granted [contributor](../../role-based-access-control/built-in-roles.md#contributor) or administrator role access to the resource can make changes to the resource, including deploying or deleting cluster extensions.
+Users and applications who are granted the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) or Administrator role to the resource group can make changes to the resource bridge, including deploying or deleting cluster extensions.
## Data encryption at rest
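Review bot: "Contributor or Administrator role" capitalizes "Administrator" as if it were a built-in role name, but only Contributor is linked and it is unclear which role is meant. Name the exact role or roles and link them the same way. The scope also changed from "the resource" to "the resource group"; because Azure role assignments are inherited from parent scopes, a principal with the role at subscription level or directly on the resource has the same ability, so "at or above the resource group scope" would describe who can deploy or delete cluster extensions more accurately. "granted the ... role to the resource group" should read "on the resource group".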
-The Azure Arc resource bridge stores the resource information in the Cosmos DB, and as described in the [Encryption at rest in Azure Cosmos DB](../../cosmos-db/database-encryption-at-rest.md) article, all the data is encrypted at rest.
+The Azure Arc resource bridge stores resource information in Azure Cosmos DB. As described in [Encryption at rest in Azure Cosmos DB](../../cosmos-db/database-encryption-at-rest.md), all the data is encrypted at rest.
## Security audit logs
-The Activity log is a platform log in Azure that provides insight into subscription-level events. This includes such information as when the Azure Arc resource bridge is modified, deleted, or added. You can view the Activity log in the Azure portal or retrieve entries with PowerShell and CLI. See [View the Activity log](../../azure-monitor/essentials/activity-log.md#view-the-activity-log) for details. See [retention of the Activity log](../../azure-monitor/essentials/activity-log.md#retention-period) for details.
+The [activity log](../../azure-monitor/essentials/activity-log.md) is a platform log in Azure that provides insight into subscription-level events. This includes tracking when the Azure Arc resource bridge is modified, deleted, or added. You can [view the activity log](../../azure-monitor/essentials/activity-log.md#view-the-activity-log) in the Azure portal or retrieve entries with PowerShell and Azure CLI. By default, activity log events are [retained for 90 days](../../azure-monitor/essentials/activity-log.md#retention-period) and then deleted.
## Next steps
-Before evaluating or enabling Azure Arc-enabled vSphere or Azure Stack HCI, review the Azure Arc resource bridge (preview) [overview](overview.md) to understand requirements and technical details.
+- Review the [Azure Arc resource bridge (preview) overview](overview.md) to understand more about requirements and technical details.
+- Learn more about [Azure Arc](../overview.md).
azure-arc Troubleshoot Resource Bridge https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/resource-bridge/troubleshoot-resource-bridge.md
Title: Troubleshoot Azure Arc resource bridge (preview) issues description: This article tells how to troubleshoot and resolve issues with the Azure Arc resource bridge (preview) when trying to deploy or connect to the service. Previously updated : 06/27/2022 Last updated : 07/14/2022
When the appliance is deployed to a host resource pool, there is no high availab
## Networking issues
+### Restricted outbound connectivity
+
+If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs listed below are not blocked.
+
+URLS:
+
+| Agent resource | Description |
+|||
+|`https://mcr.microsoft.com`|Microsoft container registry|
+|`https://*.his.arc.azure.com`|Azure Arc Identity service|
+|`https://*.dp.kubernetesconfiguration.azure.com`|Azure Arc configuration service|
+|`https://*.servicebus.windows.net`|Cluster connect|
+|`https://guestnotificationservice.azure.com` |Guest notification service|
+|`https://*.dp.prod.appliances.azure.com`|Resource bridge data plane service|
+|`https://ecpacr.azurecr.io` |Resource bridge container image download |
+|`.blob.core.windows.net`<br> `*.dl.delivery.mp.microsoft.com`<br> `*.do.dsp.mp.microsoft.com` |Resource bridge image download |
+ ### Azure Arc resource bridge is unreachable Azure Arc resource bridge (preview) runs a Kubernetes cluster, and its control plane requires a static IP address. The IP address is specified in the `infra.yaml` file. If the IP address is assigned from a DHCP server, the address can change if not reserved. Rebooting the Azure Arc resource bridge (preview) or VM can trigger an IP address change, resulting in failing services.
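Review bot: The table was moved over verbatim, including its defects. In the last row, `.blob.core.windows.net` has no leading `*` while the two entries next to it (`*.dl.delivery.mp.microsoft.com`, `*.do.dsp.mp.microsoft.com`) do, and it has no scheme, so it is ambiguous what should go into an allowlist. The separator row is `|||` rather than a dashed separator, which may not render as a table. "URLS:" directly under a sentence that already says "the URLs listed below" is redundant and can be dropped.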
azure-cache-for-redis Cache How To Geo Replication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-geo-replication.md
Some features aren't supported with geo-replication:
- Clustering is supported if both caches have clustering enabled and have the same number of shards. - Caches in the same Virtual Network (VNet) are supported. - Caches in different VNets are supported with caveats. See [Can I use geo-replication with my caches in a VNet?](#can-i-use-geo-replication-with-my-caches-in-a-vnet) for more information.-- Caches with more than one replica cannot be geo-replicated.
+- Caches with more than one replica can't be geo-replicated.
After geo-replication is configured, the following restrictions apply to your linked cache pair:
After geo-replication is configured, the following restrictions apply to your li
- You can't delete either linked cache, or the resource group that contains them, until you unlink the caches. For more information, see [Why did the operation fail when I tried to delete my linked cache?](#why-did-the-operation-fail-when-i-tried-to-delete-my-linked-cache) - If the caches are in different regions, network egress costs apply to the data moved across regions. For more information, see [How much does it cost to replicate my data across Azure regions?](#how-much-does-it-cost-to-replicate-my-data-across-azure-regions) - Automatic failover doesn't occur between the primary and secondary linked cache. For more information and information on how to failover a client application, see [How does failing over to the secondary linked cache work?](#how-does-failing-over-to-the-secondary-linked-cache-work)
+- Private links can't be added to caches that are already geo-replicated. To add a private link to a geo-replicated cache: 1. Unlink the geo-replication. 2. Add a Private Link. 3. Last, relink the geo-replication.
## Add a geo-replication link
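Review bot: The added bullet packs a three-step procedure into one line ("1. Unlink the geo-replication. 2. Add a Private Link. 3. Last, relink the geo-replication."), which will render as running text rather than a list. Break the steps out as a nested numbered list under the bullet. The term is also written three ways in one sentence ("Private links", "a private link", "a Private Link"); pick one casing.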
azure-cache-for-redis Cache How To Monitor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-monitor.md
The other options under **Monitoring**, provide other ways to view and use the m
## View metrics charts with Azure Monitor for Azure Cache for Redis
-Use [Azure Monitor for Azure Cache for Redis](../azure-monitor/insights/redis-cache-insights-overview.md) for a view of the overall performance, failures, capacity, and operational health of all your Azure Cache for Redis resources. View metrics in a customizable, unified, and interactive experience that lets you drill down into details for individual resources. Azure Monitor for Azure Cache for Redis is based on the [workbooks feature of Azure Monitor](../azure-monitor/visualize/workbooks-overview.md) that provides rich visualizations for metrics and other data. To learn more, see the [Explore Azure Monitor for Azure Cache for Redis](../azure-monitor/insights/redis-cache-insights-overview.md) article.
+Use [Azure Monitor for Azure Cache for Redis](redis-cache-insights-overview.md) for a view of the overall performance, failures, capacity, and operational health of all your Azure Cache for Redis resources. View metrics in a customizable, unified, and interactive experience that lets you drill down into details for individual resources. Azure Monitor for Azure Cache for Redis is based on the [workbooks feature of Azure Monitor](../azure-monitor/visualize/workbooks-overview.md) that provides rich visualizations for metrics and other data. To learn more, see the [Explore Azure Monitor for Azure Cache for Redis](redis-cache-insights-overview.md) article.
While you can access Azure Monitor features from the Monitor menu in the Azure portal, Azure Monitor features can be accessed directly from the Resource menu for an Azure Cache for Redis resource. For more information on working with metrics using Azure Monitor, see [Overview of metrics in Microsoft Azure](../azure-monitor/data-platform.md).
For information on creating a metric, see [Create your own metrics](#create-your
## Next steps -- [Azure Monitor for Azure Cache for Redis](../azure-monitor/insights/redis-cache-insights-overview.md)
+- [Azure Monitor for Azure Cache for Redis](redis-cache-insights-overview.md)
- [Azure Monitor Metrics REST API](../azure-monitor/essentials/stream-monitoring-data-event-hubs.md) - [`INFO`](https://redis.io/commands/info)
azure-cache-for-redis Cache Private Link https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-private-link.md
Title: Azure Cache for Redis with Azure Private Link
-description: Azure Private Endpoint is a network interface that connects you privately and securely to Azure Cache for Redis powered by Azure Private Link. In this article, you'll learn how to create an Azure Cache, an Azure Virtual Network, and a Private Endpoint using the Azure portal.
+description: Learn how to create an Azure Cache, an Azure Virtual Network, and a Private Endpoint using the Azure portal.
+
You can restrict public access to the private endpoint of your cache by disablin
> [!IMPORTANT] > Currently, portal console support, and persistence to firewall storage accounts are not supported. >
->
## Create a private endpoint with a new Azure Cache for Redis instance
For more information, see [Azure services DNS zone configuration](../private-lin
### What features aren't supported with private endpoints?
-Trying to connect from the Azure portal console is an unsupported scenario where you'll see a connection failure.
+- Trying to connect from the Azure portal console is an unsupported scenario where you'll see a connection failure.
+- Private links can't be added to caches that are already geo-replicated. To add a private link to a geo-replicated cache: 1. Unlink the geo-replication. 2. Add a Private Link. 3. Last, relink the geo-replication.
### How do I verify if my private endpoint is configured correctly?
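Review bot: The second bullet under "What features aren't supported with private endpoints?" is the same sentence that this change set adds to cache-how-to-geo-replication.md, inline numbered steps included. Two hand-maintained copies of a procedure tend to drift; keep the steps in one article and link to them from the other. The first bullet, "Trying to connect from the Azure portal console is an unsupported scenario where you'll see a connection failure", would read more directly as "Connecting from the Azure portal console isn't supported and fails."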
azure-cache-for-redis Cache Reserved Pricing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-reserved-pricing.md
The size of reservation should be based on the total amount of memory size that
For example, let's suppose that you're running two caches - one at 13 GB and the other at 26 GB. You'll need both for at least one year. Further, let's suppose that you plan to scale the existing 13-GB caches to 26 GB for a month to meet your seasonal demand, and then scale back. In this case, you can purchase either one P2-cache and one P3-cache or three P2-caches on a one-year reservation to maximize savings. You'll receive discount on the total amount of cache memory you reserve, independent of how that amount is allocated across your caches.
+Reserved capacity is sold in increments of nodes. Each shard contains 2 nodes by default. To buy reserved capacity for a shard, you buy 2 reserved capacity. For the number of nodes calculation, see "View Cost Calculation" on [Pricing calculator](https://azure.microsoft.com/pricing/calculator/). For an explanation of the architecture of a cache, see [A quick summary of cache architecture](cache-failover.md#a-quick-summary-of-cache-architecture).
+ ## Buy Azure Cache for Redis reserved capacity You can buy a reserved VM instance in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Reservations/CreateBlade/). Pay for the reservation [up front or with monthly payments](../cost-management-billing/reservations/prepare-buy-reservation.md).
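Review bot: "To buy reserved capacity for a shard, you buy 2 reserved capacity" has no unit after the number, so the reader cannot tell what is being counted. The preceding sentences say capacity is sold per node and a shard has 2 nodes by default, so state it that way, for example "you buy reserved capacity for 2 nodes". "For the number of nodes calculation" is also awkward; "To calculate the number of nodes" is clearer.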
azure-cache-for-redis Redis Cache Insights Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/redis-cache-insights-overview.md
+
+ Title: Azure Monitor for Azure Cache for Redis | Microsoft Docs
+description: This article describes the Azure Monitor for Azure Redis Cache feature, which provides cache owners with a quick understanding of performance and utilization problems.
++++ Last updated : 09/10/2020+++++
+# Explore Azure Monitor for Azure Cache for Redis
+
+For all of your Azure Cache for Redis resources, Azure Monitor for Azure Cache for Redis provides a unified, interactive view of:
+
+- Overall performance
+- Failures
+- Capacity
+- Operational health
+
+This article helps you understand the benefits of this new monitoring experience. It also shows how to modify and adapt the experience to fit the unique needs of your organization.
+
+## Introduction
+
+Before starting the experience, you should understand how Azure Monitor for Azure Cache for Redis visually presents information.
+
+It delivers:
+
+- **At scale perspective** of your Azure Cache for Redis resources in a single location across all of your subscriptions. You can selectively scope to only the subscriptions and resources you want to evaluate.
+
+- **Drill-down analysis** of a particular Azure Cache for Redis resource. You can diagnose problems and see detailed analysis of utilization, failures, capacity, and operations. Select any of these categories to see an in-depth view of relevant information.
+
+- **Customization** of this experience, which is built atop Azure Monitor workbook templates. The experience lets you change what metrics are displayed and modify or set thresholds that align with your limits. You can save the changes in a custom workbook and then pin workbook charts to Azure dashboards.
+
+This feature doesn't require you to enable or configure anything. Azure Cache for Redis information is collected by default.
+
+>[!NOTE]
+>There is no charge to access this feature. You're charged only for the Azure Monitor essential features you configure or enable, as described on the [Azure Monitor pricing details](https://azure.microsoft.com/pricing/details/monitor/) page.
+
+## View utilization and performance metrics for Azure Cache for Redis
+
+To view the utilization and performance of your storage accounts across all of your subscriptions, do the following steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. Search for **Monitor**, and select **Monitor**.
+
+ ![Search box with the word "Monitor" and the Services search result that shows "Monitor" with a speedometer symbol](../azure-monitor/insights/media/cosmosdb-insights-overview/search-monitor.png)
+
+1. Select **Azure Cache for Redis**. If this option isn't present, select **More** > **Azure Cache for Redis**.
+
+### Overview
+
+On **Overview**, the table displays interactive Azure Cache for Redis metrics. You can filter the results based on the options you select from the following drop-down lists:
+
+- **Subscriptions**: Only subscriptions that have an Azure Cache for Redis resource are listed.
+
+- **Azure Cache for Redis**: You can select all, a subset, or a single Azure Cache for Redis resource.
+
+- **Time Range**: By default, the table displays the last four hours of information based on the corresponding selections.
+
+There's a counter tile under the drop-down lists. The tile shows the total number of Azure Cache for Redis resources in the selected subscriptions. Conditional color codes or heat maps for workbook columns report transaction metrics. The deepest color represents the highest value. Lighter colors represent lower values.
+
+Selecting a drop-down list arrow next to one of the Azure Cache for Redis resources reveals a breakdown of the performance metrics at the individual resource level.
+
+![Screenshot of the overview experience](./media/redis-cache-insights-overview/overview.png)
+
+When you select the Azure Cache for Redis resource name highlighted in blue, you see the default **Overview** table for the associated account. It shows these columns:
+
+- **Used Memory**
+- **Used Memory Percentage**
+- **Server Load**
+- **Server Load Timeline**
+- **CPU**
+- **Connected Clients**
+- **Cache Misses**
+- **Errors (Max)**
+
+### Operations
+
+When you select **Operations** at the top of the page, the **Operations** table of the workbook template opens. It shows these columns:
+
+- **Total Operations**
+- **Total Operations Timeline**
+- **Operations Per Second**
+- **Gets**
+- **Sets**
+
+![Screenshot of the operations experience](./media/redis-cache-insights-overview/operations.png)
+
+### Usage
+
+When you select **Usage** at the top of the page, the **Usage** table of the workbook template opens. It shows these columns:
+
+- **Cache Read**
+- **Cache Read Timeline**
+- **Cache Write**
+- **Cache Hits**
+- **Cache Misses**
+
+![Screenshot of the usage experience](./media/redis-cache-insights-overview/usage.png)
+
+### Failures
+
+When you select **Failures** at the top of the page, the **Failures** table of the workbook template opens. It shows these columns:
+
+- **Total Errors**
+- **Failover/Errors**
+- **UnresponsiveClient/Errors**
+- **RDB/Errors**
+- **AOF/Errors**
+- **Export/Errors**
+- **Dataloss/Errors**
+- **Import/Errors**
+
+![Screenshot of failures with a breakdown by HTTP request type](./media/redis-cache-insights-overview/failures.png)
+
+### Metric definitions
+
+For a full list of the metric definitions that form these workbooks, check out the [article on available metrics and reporting intervals](./cache-how-to-monitor.md#create-your-own-metrics).
+
+## View from an Azure Cache for Redis resource
+
+To access Azure Monitor for Azure Cache for Redis directly from an individual resource:
+
+1. In the Azure portal, select Azure Cache for Redis.
+
+2. From the list, choose an individual Azure Cache for Redis resource. In the monitoring section, choose Insights.
+
+ ![Screenshot of Menu options with the words "Insights" highlighted in a red box](./media/redis-cache-insights-overview/insights.png)
+
+These views are also accessible by selecting the resource name of an Azure Cache for Redis resource from the Azure Monitor level workbook.
+
+### Resource-level overview
+
+On the **Overview** workbook for the Azure Redis Cache, it shows several performance metrics that give you access to:
+
+- Interactive performance charts showing the most essential details related to Azure Cache for Redis performance.
+
+- Metrics and status tiles highlighting shard performance, total number of connected clients, and overall latency.
+
+![Screenshot of overview dashboard displaying information on CPU performance, used memory, connected clients, errors, expired keys, and evicted keys](./media/redis-cache-insights-overview/resource-overview.png)
+
+Selecting any of the other tabs for **Performance** or **Operations** opens the respective workbooks.
+
+### Resource-level performance
+
+![Screenshot of resource performance graphs](./media/redis-cache-insights-overview/resource-performance.png)
+
+### Resource-level operations
+
+![Screenshot of resource operations graphs](./media/redis-cache-insights-overview/resource-operations.png)
+
+## Pin, export, and expand
+
+To pin any metric section to an [Azure dashboard](../azure-portal/azure-portal-dashboards.md), select the pushpin symbol in the section's upper right.
+
+![A metric section with the pushpin symbol highlighted](../azure-monitor/insights/media/cosmosdb-insights-overview/pin.png)
+
+To export your data into an Excel format, select the down arrow symbol to the left of the pushpin symbol.
+
+![A highlighted export-workbook symbol](../azure-monitor/insights/media/cosmosdb-insights-overview/export.png)
+
+To expand or collapse all views in a workbook, select the expand symbol to the left of the export symbol.
+
+![A highlighted expand-workbook symbol](../azure-monitor/insights/media/cosmosdb-insights-overview/expand.png)
+
+## Customize Azure Monitor for Azure Cache for Redis
+
+Because this experience is built atop Azure Monitor workbook templates, you can select **Customize** > **Edit** > **Save** to save a copy of your modified version into a custom workbook.
+
+![A command bar with Customize highlighted](../azure-monitor/insights/media/cosmosdb-insights-overview/customize.png)
+
+Workbooks are saved within a resource group in either the **My Reports** section or the **Shared Reports** section. **My Reports** is available only to you. **Shared Reports** is available to everyone with access to the resource group.
+
+After you save a custom workbook, go to the workbook gallery to open it.
+
+![A command bar with Gallery highlighted](../azure-monitor/insights/media/cosmosdb-insights-overview/gallery.png)
+
+## Troubleshooting
+
+For troubleshooting guidance, refer to the dedicated workbook-based insights [troubleshooting article](../azure-monitor/insights/troubleshoot-workbooks.md).
+
+## Next steps
+
+* Configure [metric alerts](../azure-monitor/alerts/alerts-metric.md) and [service health notifications](../service-health/alerts-activity-log-service-notifications-portal.md) to set up automated alerts that aid in detecting problems.
+
+* Learn the scenarios that workbooks support, how to author or customize reports, and more by reviewing [Create interactive reports with Azure Monitor workbooks](../azure-monitor/visualize/workbooks-overview.md).
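Review bot: In the Failures section the screenshot alt text reads "Screenshot of failures with a breakdown by HTTP request type", but the table it illustrates lists Redis error categories (Failover, RDB, AOF, Dataloss and so on), so the alt text looks carried over from another insights article and should describe the error breakdown instead. The pin, export, expand, customize and gallery images all point at `../azure-monitor/insights/media/cosmosdb-insights-overview/`; copying them into this article's own media folder would keep the page intact if the Cosmos DB article changes. Under "Resource-level overview", "the Azure Redis Cache" should read "Azure Cache for Redis" to match the rest of the article, and the sentence would be clearer as "The **Overview** workbook shows several performance metrics that give you access to:". The metric-definitions link uses the anchor `#create-your-own-metrics`, which does not match its link text about available metrics and reporting intervals.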
azure-functions Functions Develop Local https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-develop-local.md
The following application settings can be included in the **`Values`** array whe
|--|--|--| |**`AzureWebJobsStorage`**| Storage account connection string, or<br/>`UseDevelopmentStorage=true`| Contains the connection string for an Azure storage account. Required when using triggers other than HTTP. For more information, see the [`AzureWebJobsStorage`] reference.<br/>When you have the [Azurite Emulator](../storage/common/storage-use-azurite.md) installed locally and you set [`AzureWebJobsStorage`] to `UseDevelopmentStorage=true`, Core Tools uses the emulator. The emulator is useful during development, but you should test with an actual storage connection before deployment.| |**`AzureWebJobs.<FUNCTION_NAME>.Disabled`**| `true`\|`false` | To disable a function when running locally, add `"AzureWebJobs.<FUNCTION_NAME>.Disabled": "true"` to the collection, where `<FUNCTION_NAME>` is the name of the function. To learn more, see [How to disable functions in Azure Functions](disable-function.md#localsettingsjson). |
-|**`FUNCTIONS_WORKER_RUNTIME`** | `dotnet`<br/>`node`<br/>`java`<br/>`powershell`<br/>`python`| Indicates the targeted language of the Functions runtime. Required for version 2.x and higher of the Functions runtime. This setting is generated for your project by Core Tools. To learn more, see the [`FUNCTIONS_WORKER_RUNTIME`](functions-app-settings.md#functions_worker_runtime) reference.|
+|**`FUNCTIONS_WORKER_RUNTIME`** | `dotnet`<br/>`dotnet-isolated`<br/>`node`<br/>`java`<br/>`powershell`<br/>`python`| Indicates the targeted language of the Functions runtime. Required for version 2.x and higher of the Functions runtime. This setting is generated for your project by Core Tools. To learn more, see the [`FUNCTIONS_WORKER_RUNTIME`](functions-app-settings.md#functions_worker_runtime) reference.|
| **`FUNCTIONS_WORKER_RUNTIME_VERSION`** | `~7` |Indicates to use PowerShell 7 when running locally. If not set, then PowerShell Core 6 is used. This setting is only used when running locally. The PowerShell runtime version is determined by the `powerShellVersion` site configuration setting, when it runs in Azure, which can be [set in the portal](functions-reference-powershell.md#changing-the-powershell-version). | ## Next steps
azure-government Azure Secure Isolation Guidance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/azure-secure-isolation-guidance.md
recommendations: false Previously updated : 06/02/2022 Last updated : 07/14/2022 # Azure guidance for secure isolation
The Azure Management Console and Management Plane follow strict security archite
- **Management Console (MC)** ΓÇô The MC in Azure Cloud is composed of the Azure portal GUI and the Azure Resource Manager API layers. They both use user credentials to authenticate and authorize all operations. - **Management Plane (MP)** ΓÇô This layer performs the actual management actions and is composed of the Compute Resource Provider (CRP), Fabric Controller (FC), Fabric Agent (FA), and the underlying Hypervisor, which has its own Hypervisor Agent to service communication. These layers all use system contexts that are granted the least permissions needed to perform their operations.
-The Azure FC allocates infrastructure resources to tenants and manages unidirectional communications from the Host OS to Guest VMs. The VM placement algorithm of the Azure FC is highly sophisticated and nearly impossible to predict. The FA resides in the Host OS and it manages tenant VMs. The collection of the Azure Hypervisor, Host OS and FA, and customer VMs constitute a compute node, as shown in Figure 4. FCs manage FAs although FCs exist outside of compute nodes ΓÇô separate FCs exist to manage compute and storage clusters. If you update your applicationΓÇÖs configuration file while running in the MC, the MC communicates through CRP with the FC and the FC communicates with the FA.
+The Azure FC allocates infrastructure resources to tenants and manages unidirectional communications from the Host OS to Guest VMs. The VM placement algorithm of the Azure FC is highly sophisticated and nearly impossible to predict. The FA resides in the Host OS and it manages tenant VMs. The collection of the Azure Hypervisor, Host OS and FA, and customer VMs constitute a compute node, as shown in Figure 4. FCs manage FAs although FCs exist outside of compute nodes ΓÇô separate FCs exist to manage compute and storage clusters. If you update your applicationΓÇÖs configuration file while running in the MC, the MC communicates through CRP with the FC, and the FC communicates with the FA.
CRP is the front-end service for Azure Compute, exposing consistent compute APIs through Azure Resource Manager, thereby enabling you to create and manage virtual machine resources and extensions via simple templates.
The Target of Evaluation (TOE) was composed of Microsoft Windows Server, Microso
- **Security Management** ΓÇô Windows includes several functions to manage security policies. Access to administrative functions is enforced through administrative roles. Windows also has the ability to support the separation of management and operational networks and to prohibit data sharing between Guest VMs. - **Protection of the TOE Security Functions (TSF)** ΓÇô Windows implements various self-protection mechanisms to ensure that it can't be used as a platform to gain unauthorized access to data stored on a Guest VM, that the integrity of both the TSF and its Guest VMs is maintained, and that Guest VMs are accessed solely through well-documented interfaces. - **TOE Access** ΓÇô In the context of this evaluation, Windows allows an authorized administrator to configure the system to display a logon banner before the logon dialog.-- **Trusted Path/Channels** ΓÇô Windows implements IPsec, TLS, and HTTPS trusted channels and paths for the purpose of remote administration, transfer of audit data to the operational environment, and separation of management and operational networks.
+- **Trusted Path/Channels** ΓÇô Windows implements IPsec, TLS, and HTTPS trusted channels and paths for remote administration, transfer of audit data to the operational environment, and separation of management and operational networks.
More information is available from the [third-party certification report](https://www.niap-ccevs.org/MMO/Product/st_vid11087-vr.pdf).
For [Windows VMs](../virtual-machines/windows/disk-encryption-faq.yml), Azure Di
Customer-managed keys (CMK) enable you to have [full control](../virtual-machines/disk-encryption.md#full-control-of-your-keys) over your encryption keys. You can grant access to managed disks in your Azure Key Vault so that your keys can be used for encrypting and decrypting the DEK. You can also disable your keys or revoke access to managed disks at any time. Finally, you have full audit control over key usage with Azure Key Vault monitoring to ensure that only managed disks or other authorized resources are accessing your encryption keys. ##### *Encryption at host*
-Encryption at host ensures that data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Disks with encryption at host enabled aren't encrypted with Azure Storage encryption; instead, the server hosting your VM provides the encryption for your data, and that encrypted data flows into Azure Storage. For more information, see [Encryption at host - End-to-end encryption for your VM data](../virtual-machines/disk-encryption.md#encryption-at-hostend-to-end-encryption-for-your-vm-data). As mentioned previously, [Azure Disk encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) for VM and VMSS isn't supported by Managed HSM. However, encryption at host with CMK is supported by Managed HSM.
+Encryption at host ensures that data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Disks with encryption at host enabled aren't encrypted with Azure Storage encryption; instead, the server hosting your VM provides the encryption for your data, and that encrypted data flows into Azure Storage. For more information, see [Encryption at host - End-to-end encryption for your VM data](../virtual-machines/disk-encryption.md#encryption-at-hostend-to-end-encryption-for-your-vm-data). As mentioned previously, [Azure Disk encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) for virtual machines and virtual machine scale sets isn't supported by Managed HSM. However, encryption at host with CMK is supported by Managed HSM.
You're [always in control of your customer data](https://www.microsoft.com/trust-center/privacy/data-management) in Azure. You can access, extract, and delete your customer data stored in Azure at will. When you terminate your Azure subscription, Microsoft takes the necessary steps to ensure that you continue to own your customer data. A common concern upon data deletion or subscription termination is whether another customer or Azure administrator can access your deleted data. The following sections explain how data deletion, retention, and destruction work in Azure.
azure-government Compare Azure Government Global Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/compare-azure-government-global-azure.md
recommendations: false Previously updated : 06/02/2022 Last updated : 07/14/2022 # Compare Azure Government and global Azure
Table below lists API endpoints in Azure vs. Azure Government for accessing and
|||docs.loganalytics.io|docs.loganalytics.us|| |||adx.monitor.azure.com|adx.monitor.azure.us|[Data Explorer queries](/azure/data-explorer/query-monitor-data)| ||Azure Resource Manager|management.azure.com|management.usgovcloudapi.net||
+||Cost Management|consumption.azure.com|consumption.azure.us||
||Gallery URL|gallery.azure.com|gallery.azure.us|| ||Microsoft Azure portal|portal.azure.com|portal.azure.us|| ||Microsoft Intune|enterpriseregistration.windows.net|enterpriseregistration.microsoftonline.us|Enterprise registration|
azure-government Documentation Government Impact Level 5 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-impact-level-5.md
recommendations: false Previously updated : 03/07/2022 Last updated : 07/14/2022 # Isolation guidelines for Impact Level 5 workloads
You need to address two key areas for Azure services in IL5 scope: compute isola
### Compute isolation
-IL5 separation requirements are stated in Section 5.2.2.3 (Page 51) of the [Cloud Computing SRG](https://public.cyber.mil/dccs/dccs-documents/). The SRG focuses on compute separation during "processing" of IL5 data. This separation ensures that a virtual machine that could potentially compromise the physical host can't affect a DoD workload. To remove the risk of runtime attacks and ensure long running workloads aren't compromised from other workloads on the same host, **all IL5 virtual machines and virtual machine scale sets** should be isolated via [Azure Dedicated Host](https://azure.microsoft.com/services/virtual-machines/dedicated-host/) or [isolated virtual machines](../virtual-machines/isolation.md). Doing so provides a dedicated physical server to host your Azure Virtual Machines (VMs) for Windows and Linux.
+IL5 separation requirements are stated in Section 5.2.2.3 (Page 51) of the [Cloud Computing SRG](https://public.cyber.mil/dccs/dccs-documents/). The SRG focuses on compute separation during "processing" of IL5 data. This separation ensures that a virtual machine that could potentially compromise the physical host can't affect a DoD workload. To remove the risk of runtime attacks and ensure long running workloads aren't compromised from other workloads on the same host, **all IL5 virtual machines and virtual machine scale sets** should be isolated by DoD mission owners via [Azure Dedicated Host](https://azure.microsoft.com/services/virtual-machines/dedicated-host/) or [isolated virtual machines](../virtual-machines/isolation.md). Doing so provides a dedicated physical server to host your Azure Virtual Machines (VMs) for Windows and Linux.
For services where the compute processes are obfuscated from access by the owner and stateless in their processing of data, you should accomplish isolation by focusing on the data being processed and how it's stored and retained. This approach ensures the data is stored in protected mediums. It also ensures the data isn't present on these services for extended periods unless it's encrypted as needed. ### Storage isolation
-The DoD requirements for encrypting data at rest are provided in Section 5.11 (Page 122) of the [Cloud Computing SRG](https://public.cyber.mil/dccs/dccs-documents/). DoD emphasizes encrypting all data at rest stored in virtual machine virtual hard drives, mass storage facilities at the block or file level, and database records where the mission owner does not have sole control over the database service. For cloud applications where encrypting data at rest with DoD key control is not possible, mission owners must perform a risk analysis with relevant data owners before transmitting data into a cloud service offering.
+The DoD requirements for encrypting data at rest are provided in Section 5.11 (Page 122) of the [Cloud Computing SRG](https://public.cyber.mil/dccs/dccs-documents/). DoD emphasizes encrypting all data at rest stored in virtual machine virtual hard drives, mass storage facilities at the block or file level, and database records where the mission owner doesn't have sole control over the database service. For cloud applications where encrypting data at rest with DoD key control isn't possible, mission owners must perform a risk analysis with relevant data owners before transmitting data into a cloud service offering.
In a recent PA for Azure Government, DISA approved logical separation of IL5 from other data via cryptographic means. In Azure, this approach involves data encryption via keys that are maintained in Azure Key Vault and stored in [FIPS 140 validated](/azure/compliance/offerings/offering-fips-140-2) Hardware Security Modules (HSMs). The keys are owned and managed by the IL5 system owner (also known as customer-managed keys).
For Containers services availability in Azure Government, see [Products availabl
### [Container Registry](../container-registry/index.yml) -- When you store images and other artifacts in a Container Registry, Azure automatically encrypts the registry content at rest by using service-managed keys. You can supplement the default encryption with an additional encryption layer by [using a key that you create and manage in Azure Key Vault](../container-registry/container-registry-customer-managed-keys.md).
+- When you store images and other artifacts in a Container Registry, Azure automatically encrypts the registry content at rest by using service-managed keys. You can supplement the default encryption with an extra encryption layer by [using a key that you create and manage in Azure Key Vault](../container-registry/container-registry-customer-managed-keys.md).
## Databases
For Management and governance services availability in Azure Government, see [Pr
Log Analytics, which is a feature of Azure Monitor, is intended to be used for monitoring the health and status of services and infrastructure. The monitoring data and logs primarily store [logs and metrics](../azure-monitor/logs/data-security.md#data-retention) that are service generated. When used in this primary capacity, Log Analytics supports Impact Level 5 workloads in Azure Government with no extra configuration required.
-Log Analytics may also be used to ingest additional customer-provided logs. These logs may include data ingested as part of operating Microsoft Defender for Cloud or Microsoft Sentinel. If the ingested logs or the queries written against these logs are categorized as IL5 data, then you should configure customer-managed keys (CMK) for your Log Analytics workspaces and Application Insights components. Once configured, any data sent to your workspaces or components is encrypted with your Azure Key Vault key. For more information, see [Azure Monitor customer-managed keys](../azure-monitor/logs/customer-managed-keys.md).
+Log Analytics may also be used to ingest extra customer-provided logs. These logs may include data ingested as part of operating Microsoft Defender for Cloud or Microsoft Sentinel. If the ingested logs or the queries written against these logs are categorized as IL5 data, then you should configure customer-managed keys (CMK) for your Log Analytics workspaces and Application Insights components. Once configured, any data sent to your workspaces or components is encrypted with your Azure Key Vault key. For more information, see [Azure Monitor customer-managed keys](../azure-monitor/logs/customer-managed-keys.md).
### [Azure Site Recovery](../site-recovery/index.yml)
Log Analytics may also be used to ingest additional customer-provided logs. Thes
### [Microsoft Intune](/mem/intune/fundamentals/) -- Intune supports Impact Level 5 workloads in Azure Government with no extra configuration required. Line-of-business apps should be evaluated for IL5 restrictions prior to [uploading to Intune storage](/mem/intune/apps/apps-add). While Intune does encrypt applications that are uploaded to the service for distribution, it does not support customer-managed keys.
+- Intune supports Impact Level 5 workloads in Azure Government with no extra configuration required. Line-of-business apps should be evaluated for IL5 restrictions prior to [uploading to Intune storage](/mem/intune/apps/apps-add). While Intune does encrypt applications that are uploaded to the service for distribution, it doesn't support customer-managed keys.
## Migration
To implement Impact Level 5 compliant controls on an Azure Storage account that
For more information about how to enable this Azure Storage encryption feature, see [Configure encryption with customer-managed keys stored in Azure Key Vault](../storage/common/customer-managed-keys-configure-key-vault.md). > [!NOTE]
-> When you use this encryption method, you need to enable it before you add content to the storage account. Any content that's added earlier won't be encrypted with the selected key. It will be encrypted only via the standard encryption at rest provided by Azure Storage that uses Microsoft-managed keys.
+> When you use this encryption method, you need to enable it before you add content to the storage account. Any content that's added before the customer-managed key is configured will be protected with Microsoft-managed keys.
### [StorSimple](../storsimple/index.yml)
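Review bot: The rewritten note no longer says that content added earlier is not encrypted with the selected key; it only says that such content "will be protected with Microsoft-managed keys". For an Impact Level 5 reader, the missing statement is the one that matters. Suggest keeping an explicit sentence that data written before the customer-managed key is configured is not under the customer's key, so the requirement to enable the feature first still has its reason attached.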
azure-monitor Agents Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/agents-overview.md
The following tables list the operating systems that are supported by the Azure
| Oracle Linux 7 | X | X | | X | | Oracle Linux 6 | | X | | | | Oracle Linux 6.4+ | | X | | X |
-| Red Hat Enterprise Linux Server 8.5, 8.6 | X | | | |
+| Red Hat Enterprise Linux Server 8.5, 8.6 | X | X | | |
| Red Hat Enterprise Linux Server 8, 8.1, 8.2, 8.3, 8.4 | X <sup>3</sup> | X | X | | | Red Hat Enterprise Linux Server 7 | X | X | X | X | | Red Hat Enterprise Linux Server 6 | | X | X | |
azure-monitor Javascript https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript.md
Reporting of SDK load failures isn't supported on Internet Explorer 8 or earlier
#### Snippet configuration options
-All configuration options have been move towards the end of the script. This placement avoids accidentally introducing JavaScript errors that wouldn't just cause the SDK to fail to load, but also it would disable the reporting of the failure.
+All configuration options have been moved towards the end of the script. This placement avoids accidentally introducing JavaScript errors that wouldn't just cause the SDK to fail to load, but also it would disable the reporting of the failure.
Each configuration option is shown above on a new line, if you don't wish to override the default value of an item listed as [optional] you can remove that line to minimize the resulting size of your returned page.
azure-monitor Sdk Support Guidance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sdk-support-guidance.md
# Application Insights SDK support guidance
-Microsoft announces feature deprecations or breaking changes at least three years in advance and strives to provide a seamless process for migration to the replacement experience.
+Microsoft announces feature deprecations or breaking changes at least one year in advance and strives to provide a seamless process for migration to the replacement experience.
-The [Microsoft Azure SDK lifecycle policy](/lifecycle/faq/azure) is followed when features are enhanced in a new SDK or before an SDK is designated as legacy. Microsoft strives to retain legacy SDK functionality, but newer features may not be available with older versions.
+For more information, review the [Azure SDK Lifecycle and Support Policy](https://azure.github.io/azure-sdk/policies_support.html).
> [!NOTE] > Diagnostic tools often provide better insight into the root cause of a problem when the latest stable SDK version is used.
Support engineers are expected to provide SDK update guidance according to the f
|Current SDK version in use |Alternative version available |Update policy for support | ||||
-|Stable and less than one year old | Newer supported stable version | **UPDATE RECOMMENDED** |
-|Stable and more than one year old | Newer supported stable version | **UPDATE REQUIRED** |
-|Unsupported ([support policy](/lifecycle/faq/azure)) | Any supported version | **UPDATE REQUIRED** |
+|Latest stable minor version of a GA SDK | Newer supported stable version | **UPDATE REQUIRED** |
+|Unsupported ([support policy](/lifecycle/faq/azure)) | Any supported version | **UPDATE REQUIRED** |
|Preview | Stable version | **UPDATE REQUIRED** | |Preview | Older stable version | **UPDATE RECOMMENDED** | |Preview | Newer preview version, no older stable version | **UPDATE RECOMMENDED** |
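Review bot: The new first row pairs "Latest stable minor version of a GA SDK" with "Newer supported stable version" and **UPDATE REQUIRED**, which is hard to read: if the version in use is already the latest stable minor version, it is unclear what newer stable version is meant, and the earlier **UPDATE RECOMMENDED** tier for recent stable versions is gone without a replacement row. Please clarify whether the row is meant to cover versions older than the latest stable minor. The table also still links `/lifecycle/faq/azure` as the support policy while the introduction now points to the Azure SDK Lifecycle and Support Policy on azure.github.io, so the two references should be aligned.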
azure-monitor Data Collector Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/data-collector-api.md
description: You can use the Azure Monitor HTTP Data Collector API to add POST J
Previously updated : 10/20/2021 Last updated : 07/14/2022
The data posted to the Azure Monitor Data collection API is subject to certain c
* Maximum of 32 KB for field values. If the field value is greater than 32 KB, the data will be truncated. * Recommended maximum of 50 fields for a given type. This is a practical limit from a usability and search experience perspective. * Tables in Log Analytics workspaces support only up to 500 columns (referred to as fields in this article).
-* Maximum of 50 characters for column names.
+* Maximum of 45 characters for column names.
## Return codes The HTTP status code 200 means that the request has been received for processing. This indicates that the operation finished successfully.
azure-monitor Monitor Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/monitor-reference.md
The table below lists the available curated visualizations and more detailed inf
|:--|:--|:--|:--| | [Azure Monitor Workbooks for Azure Active Directory](../active-directory/reports-monitoring/howto-use-azure-monitor-workbooks.md) | GA (General availability) | [Yes](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Workbooks) | Azure Active Directory provides workbooks to understand the effect of your Conditional Access policies, to troubleshoot sign-in failures, and to identify legacy authentications. | | [Azure Backup](../backup/backup-azure-monitoring-use-azuremonitor.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_DataProtection/BackupCenterMenuBlade/backupReportsConfigure/menuId/backupReportsConfigure) | Provides built-in monitoring and alerting capabilities in a Recovery Services vault. |
-| [Azure Monitor for Azure Cache for Redis (preview)](./insights/redis-cache-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/redisCacheInsights) | Provides a unified, interactive view of overall performance, failures, capacity, and operational health |
+| [Azure Monitor for Azure Cache for Redis (preview)](../azure-cache-for-redis/redis-cache-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/redisCacheInsights) | Provides a unified, interactive view of overall performance, failures, capacity, and operational health |
| [Azure Cosmos DB Insights](./insights/cosmosdb-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/cosmosDBInsights) | Provides a view of the overall performance, failures, capacity, and operational health of all your Azure Cosmos DB resources in a unified interactive experience. | | [Azure Container Insights](/azure/azure-monitor/insights/container-insights-overview) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/containerInsights) | Monitors the performance of container workloads that are deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS). It gives you performance visibility by collecting metrics from controllers, nodes, and containers that are available in Kubernetes through the Metrics API. Container logs are also collected. After you enable monitoring from Kubernetes clusters, these metrics and logs are automatically collected for you through a containerized version of the Log Analytics agent for Linux. | | [Azure Data Explorer insights](/azure/data-explorer/data-explorer-insights) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/adxClusterInsights) | Azure Data Explorer Insights provides comprehensive monitoring of your clusters by delivering a unified view of your cluster performance, operations, usage, and failures. |
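Review bot: The updated row fixes the link target but keeps the link text "Azure Monitor for Azure Cache for Redis (preview)" next to a status column value of GA. One of the two is stale; please drop "(preview)" from the link text or correct the status. The two Azure Cache for Redis rows in the services table further down carry the same "(preview)" label.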
The following table lists Azure services and the data they collect into Azure Mo
| [Azure Blockchain Service](../blockchain/workbench/index.yml) | Microsoft.Blockchain/blockchainMembers | [**Yes**](./essentials/metrics-supported.md#microsoftblockchainblockchainmembers) | [**Yes**](./essentials/resource-logs-categories.md#microsoftblockchainblockchainmembers) | | | | [Azure Blockchain Service](../blockchain/workbench/index.yml) | Microsoft.Blockchain/cordaMembers | No | [**Yes**](./essentials/resource-logs-categories.md#microsoftblockchaincordamembers) | | | | [Azure Bot Service](/azure/bot-service/) | Microsoft.BotService/botServices | [**Yes**](./essentials/metrics-supported.md#microsoftbotservicebotservices) | [**Yes**](./essentials/resource-logs-categories.md#microsoftbotservicebotservices) | | |
- | [Azure Cache for Redis](../azure-cache-for-redis/index.yml) | Microsoft.Cache/Redis | [**Yes**](./essentials/metrics-supported.md#microsoftcacheredis) | [**Yes**](./essentials/resource-logs-categories.md#microsoftcacheredis) | [Azure Monitor for Azure Cache for Redis (preview)](./insights/redis-cache-insights-overview.md) | |
- | [Azure Cache for Redis](../azure-cache-for-redis/index.yml) | Microsoft.Cache/redisEnterprise | [**Yes**](./essentials/metrics-supported.md#microsoftcacheredisenterprise) | No | [Azure Monitor for Azure Cache for Redis (preview)](./insights/redis-cache-insights-overview.md) | |
+ | [Azure Cache for Redis](../azure-cache-for-redis/index.yml) | Microsoft.Cache/Redis | [**Yes**](./essentials/metrics-supported.md#microsoftcacheredis) | [**Yes**](./essentials/resource-logs-categories.md#microsoftcacheredis) | [Azure Monitor for Azure Cache for Redis (preview)](../azure-cache-for-redis/redis-cache-insights-overview.md) | |
+ | [Azure Cache for Redis](../azure-cache-for-redis/index.yml) | Microsoft.Cache/redisEnterprise | [**Yes**](./essentials/metrics-supported.md#microsoftcacheredisenterprise) | No | [Azure Monitor for Azure Cache for Redis (preview)](../azure-cache-for-redis/redis-cache-insights-overview.md) | |
| [Content Delivery Network](../cdn/index.yml) | Microsoft.Cdn/CdnWebApplicationFirewallPolicies | [**Yes**](./essentials/metrics-supported.md#microsoftcdncdnwebapplicationfirewallpolicies) | [**Yes**](./essentials/resource-logs-categories.md#microsoftcdncdnwebapplicationfirewallpolicies) | | | | [Content Delivery Network](../cdn/index.yml) | Microsoft.Cdn/profiles | [**Yes**](./essentials/metrics-supported.md#microsoftcdnprofiles) | [**Yes**](./essentials/resource-logs-categories.md#microsoftcdnprofiles) | | | | [Content Delivery Network](../cdn/index.yml) | Microsoft.Cdn/profiles/endpoints | No | [**Yes**](./essentials/resource-logs-categories.md#microsoftcdnprofilesendpoints) | | |
azure-monitor Workbook Templates Move Region https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/workbook-templates-move-region.md
Title: Azure Monitor Workbook Templates - Move Regions
+ Title: Move and Azure Workbook template to another region
description: How to move a workbook template to a different region
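Review bot: The new title has a typo: "Move and Azure Workbook template to another region" should read "Move an Azure Workbook template to another region". Suggested line: `Title: Move an Azure Workbook template to another region`, which also matches the wording of the description line below it.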
azure-monitor Workbooks Create Workbook https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/workbooks-create-workbook.md
Last updated 05/30/2022
-# Creating an Azure Workbook
+# Create an Azure Workbook
This article describes how to create a new workbook and how to add elements to your Azure Workbook. This video walks you through creating workbooks.
azure-monitor Workbooks Getting Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/workbooks-getting-started.md
Last updated 05/30/2022
-# Getting started with Azure Workbooks
+# Get started with Azure Workbooks
This article describes how to access Azure Workbooks and the common tasks used to work with Workbooks.
azure-monitor Workbooks Jsonpath https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/workbooks-jsonpath.md
Last updated 07/05/2022
-# How to use JSONPath to transform JSON data in workbooks
+# Use JSONPath to transform JSON data in workbooks
Workbooks is able to query data from many sources. Some endpoints, such as [Azure Resource Manager](../../azure-resource-manager/management/overview.md) or custom endpoint, can return results in JSON. If the JSON data returned by the queried endpoint is not configured in a format that you desire, JSONPath can be used to transform the results.
azure-monitor Workbooks Text https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/workbooks-text.md
Textbox parameters provide a simple way to collect text input from workbook user
A common use of textboxes is as internal variables used by other workbook controls. This is done by using a query for default values, and making the input control invisible in read-mode. For example, a user may want a threshold to come from a formula (not a user) and then use the threshold in subsequent queries.
-## Creating a text parameter
+## Create a text parameter
1. Start with an empty workbook in edit mode. 2. Choose _Add parameters_ from the links within the workbook. 3. Select on the blue _Add Parameter_ button.
Text parameter supports following field style:
:::image type="content" source="./media/workbooks-text/kql-text.png" alt-text="Screenshot showing multiline text field.":::
-## Referencing a text parameter
+## Reference a text parameter
1. Add a query control to the workbook by selecting the blue `Add query` link and select an Application Insights resource. 2. In the KQL box, add this snippet: ```kusto
Text parameter supports following field style:
> [!NOTE] > In the example above, `{SlowRequestThreshold}` represents an integer value. If you were querying for a string like `{ComputerName}` you would need to modify your Kusto query to add quotes `"{ComputerName}"` in order for the parameter field to an accept input without quotes.
-## Setting default values using queries
+## Set the default values using queries
1. Start with an empty workbook in edit mode. 2. Choose _Add parameters_ from the links within the workbook. 3. Select on the blue _Add Parameter_ button.
Text parameter supports following field style:
> [!NOTE] > While this example queries Application Insights data, the approach can be used for any log based data source - Log Analytics, Azure Resource Graph, etc.
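Review bot: The renamed heading `## Set the default values using queries` introduces a "the" that the old heading did not have and that the other renamed headings in this file (`## Create a text parameter`, `## Reference a text parameter`, `## Add validations`) do not use. Suggest `## Set default values using queries` so the rename is limited to the gerund-to-imperative change applied everywhere else.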
-## Adding validations
+## Add validations
For standard and password text parameters, user can add validation rules that are applied to the text field. Add a valid regex with error message. If message is set, it's shown as error when field is invalid.
azure-resource-manager Msbuild Bicep File https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/msbuild-bicep-file.md
+
+ Title: Use MSBuild to convert Bicep to JSON
+description: Use MSBuild to convert a Bicep file to Azure Resource Manager template (ARM template) JSON.
Last updated : 07/14/2022++++
+# Customer intent: As a developer I want to convert Bicep files to Azure Resource Manager template (ARM template) JSON in an MSBuild pipeline.
++
+# Quickstart: Use MSBuild to convert Bicep to JSON
+
+This article describes how to use MSBuild to convert a Bicep file to Azure Resource Manager template (ARM template) JSON. The examples use MSBuild from the command line with C# project files that convert Bicep to JSON. The project files are examples that can be used in an MSBuild continuous integration (CI) pipeline.
+
+## Prerequisites
+
+You'll need the latest versions of the following software:
+
+- [Visual Studio](/visualstudio/install/install-visual-studio). The free community version will install .NET 6.0, .NET Core 3.1, .NET SDK, MSBuild, .NET Framework 4.8, NuGet package manager, and C# compiler. From the installer, select **Workloads** > **.NET desktop development**.
+- [Visual Studio Code](https://code.visualstudio.com/) with the extensions for [Bicep](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep) and [Azure Resource Manager (ARM) Tools](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools).
+- [PowerShell](/powershell/scripting/install/installing-powershell) or a command-line shell for your operating system.
+
+## MSBuild tasks and CLI packages
+
+If your existing continuous integration (CI) pipeline relies on [MSBuild](/visualstudio/msbuild/msbuild), you can use MSBuild tasks and CLI packages to convert Bicep files into ARM template JSON.
+
+The functionality relies on the following NuGet packages. The latest NuGet package versions match the latest Bicep version.
+
+| Package Name | Description |
+| - |- |
+| [Azure.Bicep.MSBuild](https://www.nuget.org/packages/Azure.Bicep.MSBuild) | Cross-platform MSBuild task that invokes the Bicep CLI and compiles Bicep files into ARM template JSON. |
+| [Azure.Bicep.CommandLine.win-x64](https://www.nuget.org/packages/Azure.Bicep.CommandLine.win-x64) | Bicep CLI for Windows. |
+| [Azure.Bicep.CommandLine.linux-x64](https://www.nuget.org/packages/Azure.Bicep.CommandLine.linux-x64) | Bicep CLI for Linux. |
+| [Azure.Bicep.CommandLine.osx-x64](https://www.nuget.org/packages/Azure.Bicep.CommandLine.osx-x64) | Bicep CLI for macOS. |
+
+### Azure.Bicep.MSBuild package
+
+When referenced in a project file's `PackageReference` the `Azure.Bicep.MSBuild` package imports the `Bicep` task that's used to invoke the Bicep CLI. The package converts its output into MSBuild errors and the `BicepCompile` target that's used to simplify the `Bicep` task's usage. By default the `BicepCompile` runs after the `Build` target and compiles all `@(Bicep)` items and places the output in `$(OutputPath)` with the same file name and the _.json_ extension.
+
+The following example compiles _one.bicep_ and _two.bicep_ files in the same directory as the project file and places the compiled _one.json_ and _two.json_ in the `$(OutputPath)` directory.
+
+```xml
+<ItemGroup>
+ <Bicep Include="one.bicep" />
+ <Bicep Include="two.bicep" />
+</ItemGroup>
+```
+
+You can override the output path per file using the `OutputFile` metadata on `Bicep` items. The following example will recursively find all _main.bicep_ files and place the compiled _.json_ files in `$(OutputPath)` under a subdirectory with the same name in `$(OutputPath)`:
+
+```xml
+<ItemGroup>
+ <Bicep Include="**\main.bicep" OutputFile="$(OutputPath)\%(RecursiveDir)\%(FileName).json" />
+</ItemGroup>
+```
+
+More customizations can be performed by setting one of the following properties in your project:
+
+| Property Name | Default Value | Description |
+| - |- | - |
+| `BicepCompileAfterTargets` | `Build` | Used as `AfterTargets` value for the `BicepCompile` target. Change the value to override the scheduling of the `BicepCompile` target in your project. |
+| `BicepCompileDependsOn` | None | Used as `DependsOnTargets` value for the `BicepCompile` target. This property can be set to targets that you want `BicepCompile` target to depend on. |
+| `BicepCompileBeforeTargets` | None | Used as `BeforeTargets` value for the `BicepCompile` target. |
+| `BicepOutputPath` | `$(OutputPath)` | Set this property to override the default output path for the compiled ARM template. `OutputFile` metadata on `Bicep` items takes precedence over this value. |
+
+The `Azure.Bicep.MSBuild` requires the `BicepPath` property to be set either in order to function. You may set it by referencing the appropriate `Azure.Bicep.CommandLine.*` package for your operating system or manually by installing the Bicep CLI and setting the `BicepPath` environment variable or MSBuild property.
+
+### Azure.Bicep.CommandLine packages
+
+The `Azure.Bicep.CommandLine.*` packages are available for Windows, Linux, and macOS. When referenced in a project file via a `PackageReference`, the `Azure.Bicep.CommandLine.*` packages set the `BicepPath` property to the full path of the Bicep executable for the platform. The reference to this package may be omitted if Bicep CLI is installed through other means and the `BicepPath` environment variable or MSBuild property are set accordingly.
+
+### SDK-based examples
+
+The following examples contain a default Console App SDK-based C# project file that was modified to convert Bicep files into ARM templates. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.
+
+The .NET Core 3.1 and .NET 6 examples are similar. But .NET 6 uses a different format for the _Program.cs_ file. For more information, see [.NET 6 C# console app template generates top-level statements](/dotnet/core/tutorials/top-level-templates).
+
+### .NET 6
+
+In this example, the `RootNamespace` property contains a placeholder value. When you create a project file, the value matches your project's name.
+
+```xml
+<Project Sdk="Microsoft.NET.Sdk">
+ <PropertyGroup>
+ <OutputType>Exe</OutputType>
+ <TargetFramework>net6.0</TargetFramework>
+ <RootNamespace>net6-sdk-project-name</RootNamespace>
+ <ImplicitUsings>enable</ImplicitUsings>
+ <Nullable>enable</Nullable>
+ </PropertyGroup>
+
+ <ItemGroup>
+ <PackageReference Include="Azure.Bicep.CommandLine.win-x64" Version="__LATEST_VERSION__" />
+ <PackageReference Include="Azure.Bicep.MSBuild" Version="__LATEST_VERSION__" />
+ </ItemGroup>
+
+ <ItemGroup>
+ <Bicep Include="**\main.bicep" OutputFile="$(OutputPath)\%(RecursiveDir)\%(FileName).json" />
+ </ItemGroup>
+</Project>
+```
+
+### .NET Core 3.1
+
+```xml
+<Project Sdk="Microsoft.NET.Sdk">
+ <PropertyGroup>
+ <OutputType>Exe</OutputType>
+ <TargetFramework>netcoreapp3.1</TargetFramework>
+ </PropertyGroup>
+
+ <ItemGroup>
+ <PackageReference Include="Azure.Bicep.CommandLine.win-x64" Version="__LATEST_VERSION__" />
+ <PackageReference Include="Azure.Bicep.MSBuild" Version="__LATEST_VERSION__" />
+ </ItemGroup>
+
+ <ItemGroup>
+ <Bicep Include="**\main.bicep" OutputFile="$(OutputPath)\%(RecursiveDir)\%(FileName).json" />
+ </ItemGroup>
+</Project>
+```
+
+### NoTargets SDK
+
+The following example contains a project that converts Bicep files into ARM templates using [Microsoft.Build.NoTargets](https://www.nuget.org/packages/Microsoft.Build.NoTargets). This SDK allows creation of standalone projects that compile only Bicep files. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.
+
+For [Microsoft.Build.NoTargets](/dotnet/core/project-sdk/overview#project-files), specify a version like `Microsoft.Build.NoTargets/3.5.6`.
+
+```xml
+<Project Sdk="Microsoft.Build.NoTargets/__LATEST_VERSION__">
+ <PropertyGroup>
+ <TargetFramework>net48</TargetFramework>
+ </PropertyGroup>
+
+ <ItemGroup>
+ <PackageReference Include="Azure.Bicep.CommandLine.win-x64" Version="__LATEST_VERSION__" />
+ <PackageReference Include="Azure.Bicep.MSBuild" Version="__LATEST_VERSION__" />
+ </ItemGroup>
+
+ <ItemGroup>
+ <Bicep Include="main.bicep"/>
+ </ItemGroup>
+</Project>
+```
+
+### Classic framework
+
+The following example converts Bicep to JSON inside a classic project file that's not SDK-based. Only use the classic example if the previous examples don't work for you. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.
+
+In this example, the `ProjectGuid`, `RootNamespace` and `AssemblyName` properties contain placeholder values. When you create a project file, a unique GUID is created and the name values match your project's name.
+
+```xml
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+ <PropertyGroup>
+ <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+ <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+ <ProjectGuid>{11111111-1111-1111-1111-111111111111}</ProjectGuid>
+ <OutputType>Exe</OutputType>
+ <RootNamespace>ClassicFramework</RootNamespace>
+ <AssemblyName>ClassicFramework</AssemblyName>
+ <TargetFrameworkVersion>v4.8</TargetFrameworkVersion>
+ <FileAlignment>512</FileAlignment>
+ <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
+ <Deterministic>true</Deterministic>
+ </PropertyGroup>
+ <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+ <PlatformTarget>AnyCPU</PlatformTarget>
+ <DebugSymbols>true</DebugSymbols>
+ <DebugType>full</DebugType>
+ <Optimize>false</Optimize>
+ <OutputPath>bin\Debug\</OutputPath>
+ <DefineConstants>DEBUG;TRACE</DefineConstants>
+ <ErrorReport>prompt</ErrorReport>
+ <WarningLevel>4</WarningLevel>
+ </PropertyGroup>
+ <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+ <PlatformTarget>AnyCPU</PlatformTarget>
+ <DebugType>pdbonly</DebugType>
+ <Optimize>true</Optimize>
+ <OutputPath>bin\Release\</OutputPath>
+ <DefineConstants>TRACE</DefineConstants>
+ <ErrorReport>prompt</ErrorReport>
+ <WarningLevel>4</WarningLevel>
+ </PropertyGroup>
+ <ItemGroup>
+ <Reference Include="System" />
+ <Reference Include="System.Core" />
+ <Reference Include="System.Xml.Linq" />
+ <Reference Include="System.Data.DataSetExtensions" />
+ <Reference Include="Microsoft.CSharp" />
+ <Reference Include="System.Data" />
+ <Reference Include="System.Net.Http" />
+ <Reference Include="System.Xml" />
+ </ItemGroup>
+ <ItemGroup>
+ <Compile Include="Program.cs" />
+ <Compile Include="Properties\AssemblyInfo.cs" />
+ </ItemGroup>
+ <ItemGroup>
+ <None Include="App.config" />
+ <Bicep Include="main.bicep" />
+ </ItemGroup>
+ <ItemGroup>
+ <PackageReference Include="Azure.Bicep.CommandLine.win-x64">
+ <Version>__LATEST_VERSION__</Version>
+ </PackageReference>
+ <PackageReference Include="Azure.Bicep.MSBuild">
+ <Version>__LATEST_VERSION__</Version>
+ </PackageReference>
+ </ItemGroup>
+ <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>
+```
+
+## Convert Bicep to JSON
+
+The following examples show how MSBuild converts a Bicep file to JSON. Follow the instructions to create one of the project files for .NET, .NET Core 3.1, or Classic framework. Then continue to create the Bicep file and run MSBuild.
+
+# [.NET](#tab/dotnet)
+
+Build a project in .NET with the dotnet CLI.
+
+1. Open Visual Studio code and select **Terminal** > **New Terminal** to start a PowerShell session.
+1. Create a directory named _bicep-msbuild-demo_ and go to the directory. This example uses _C:\bicep-msbuild-demo_.
+
+ ```powershell
+ New-Item -Name .\bicep-msbuild-demo -ItemType Directory
+ Set-Location -Path .\bicep-msbuild-demo
+ ```
+1. Run the `dotnet` command to create a new console with the .NET 6 framework.
+
+ ```powershell
+ dotnet new console --framework net6.0
+ ```
+
+ The project file uses the same name as your directory, _bicep-msbuild-demo.csproj_. For more information about how to create a console application from Visual Studio Code, see the [tutorial](/dotnet/core/tutorials/with-visual-studio-code).
+
+1. Replace the contents of _bicep-msbuild-demo.csproj_ with the [.NET 6](#net-6) or [NoTargets SDK](#notargets-sdk) examples.
+1. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.
+1. Save the file.
+
+# [.NET Core 3.1](#tab/netcore31)
+
+Build a project in .NET Core 3.1 using the dotnet CLI.
+
+1. Open Visual Studio code and select **Terminal** > **New Terminal** to start a PowerShell session.
+1. Create a directory named _bicep-msbuild-demo_ and go to the directory. This example uses _C:\bicep-msbuild-demo_.
+
+ ```powershell
+ New-Item -Name .\bicep-msbuild-demo -ItemType Directory
+ Set-Location -Path .\bicep-msbuild-demo
+ ```
+1. Run the `dotnet` command to create a new console with the .NET 6 framework.
+
+ ```powershell
+ dotnet new console --framework netcoreapp3.1
+ ```
+
+ The project file is named the same as your directory, _bicep-msbuild-demo.csproj_. For more information about how to create a console application from Visual Studio Code, see the [tutorial](/dotnet/core/tutorials/with-visual-studio-code).
+
+1. Replace the contents of _bicep-msbuild-demo.csproj_ with the [.NET Core 3.1](#net-core-31) or [NoTargets SDK](#notargets-sdk) examples.
+1. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.
+1. Save the file.
+
+# [Classic framework](#tab/classicframework)
+
+Build a project using the classic framework.
+
+To create the project file and dependencies, use Visual Studio.
+
+1. Open Visual Studio.
+1. Select **Create a new project**.
+1. For the C# language, select **Console App (.NET Framework)** and select **Next**.
+1. Enter a project name. For this example, use _bicep-msbuild-demo_ for the project.
+1. Select **Place solution and project in same directory**.
+1. Select **.NET Framework 4.8**.
+1. Select **Create**.
+
+If you know how to unload a project and reload a project, you can edit _bicep-msbuild-demo.csproj_ in Visual Studio.
+
+Otherwise, edit the project file in Visual Studio Code.
+
+1. Open Visual Studio Code and go to the _bicep-msbuild-demo_ directory.
+1. Replace _bicep-msbuild-demo.csproj_ with the [Classic framework](#classic-framework) code sample.
+1. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.
+1. Save the file.
+++
+### Create Bicep file
+
+You'll need a Bicep file that will be converted to JSON.
+
+1. Use Visual Studio Code and create a new file.
+1. Copy the following sample and save it as _main.bicep_ in the _C:\bicep-msbuild-demo_ directory.
+
+```bicep
+@allowed([
+ 'Premium_LRS'
+ 'Premium_ZRS'
+ 'Standard_GRS'
+ 'Standard_GZRS'
+ 'Standard_LRS'
+ 'Standard_RAGRS'
+ 'Standard_RAGZRS'
+ 'Standard_ZRS'
+])
+@description('Storage account type.')
+param storageAccountType string = 'Standard_LRS'
+
+@description('Location for all resources.')
+param location string = resourceGroup().location
+
+var storageAccountName = 'storage${uniqueString(resourceGroup().id)}'
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
+ name: storageAccountName
+ location: location
+ sku: {
+ name: storageAccountType
+ }
+ kind: 'StorageV2'
+}
+
+output storageAccountNameOutput string = storageAccount.name
+```
+
+### Run MSBuild
+
+Run MSBuild to convert the Bicep file to JSON.
+
+1. Open a Visual Studio Code terminal session.
+1. In the PowerShell session, go to the _C:\bicep-msbuild-demo_ directory.
+1. Run MSBuild.
+
+ ```powershell
+ MSBuild.exe -restore .\bicep-msbuild-demo.csproj
+ ```
+
+ The `restore` parameter creates dependencies needed to compile the Bicep file during the initial build. The parameter is optional after the initial build.
+
+1. Go to the output directory and open the _main.json_ file that should look like the sample.
+
+ MSBuild creates an output directory based on the SDK or framework version:
+
+ - .NET 6: _\bin\Debug\net6.0_
+ - .NET Core 3.1: _\bin\Debug\netcoreapp3.1_
+ - NoTargets SDK: _\bin\Debug\net48_
+ - Classic framework: _\bin\Debug_
+
+ ```json
+ {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.8.9.13224",
+ "templateHash": "12345678901234567890"
+ }
+ },
+ "parameters": {
+ "storageAccountType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "Storage account type."
+ },
+ "allowedValues": [
+ "Premium_LRS",
+ "Premium_ZRS",
+ "Standard_GRS",
+ "Standard_GZRS",
+ "Standard_LRS",
+ "Standard_RAGRS",
+ "Standard_RAGZRS",
+ "Standard_ZRS"
+ ]
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "storageAccountName": "[format('storage{0}', uniqueString(resourceGroup().id))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2021-09-01",
+ "name": "[variables('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('storageAccountType')]"
+ },
+ "kind": "StorageV2"
+ }
+ ],
+ "outputs": {
+ "storageAccountNameOutput": {
+ "type": "string",
+ "value": "[variables('storageAccountName')]"
+ }
+ }
+ }
+ ```
+
+If you make changes or want to rerun the build, delete the output directory so new files can be created.
+
+## Clean up resources
+
+When you're finished with the files, delete the directory. For this example, delete _C:\bicep-msbuild-demo_.
+
+```powershell
+Remove-Item -Path "C:\bicep-msbuild-demo" -Recurse
+```
+
+## Next steps
+
+- For more information about MSBuild, see [MSBuild reference](/visualstudio/msbuild/msbuild-reference) and [.NET project files](/dotnet/core/project-sdk/overview#project-files).
+- To learn more about MSBuild properties, items, targets, and tasks, see [MSBuild concepts](/visualstudio/msbuild/msbuild-concepts).
+- For more information about the .NET CLI, see [.NET CLI overview](/dotnet/core/tools/).
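Review bot: The NoTargets SDK example reuses one placeholder for two unrelated versions: `Sdk="Microsoft.Build.NoTargets/__LATEST_VERSION__"` and the two Bicep `PackageReference` entries all use `__LATEST_VERSION__`, while the surrounding text and the later steps only say "Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages". A reader doing a global replace would put the Bicep version on the NoTargets SDK. Use a distinct placeholder for the SDK version (the next paragraph already shows the form `Microsoft.Build.NoTargets/3.5.6`) and mention it in the replace step. Smaller points in the same file: in the .NET Core 3.1 tab, the step before `dotnet new console --framework netcoreapp3.1` still says "create a new console with the .NET 6 framework"; the `BicepPath` sentence has a stray "either" ("to be set either in order to function"); and every project example references `Azure.Bicep.CommandLine.win-x64` although the package table lists Linux and macOS packages too, so a line telling readers to reference the package that matches their build agent's platform would help.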
azure-resource-manager Cli Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/cli-samples.md
Title: Azure CLI samples description: Provides Azure CLI sample scripts to use when working with Azure Managed Applications.-+ Last updated 10/25/2017-+ # Azure CLI Samples for Azure Managed Applications
azure-resource-manager Create Ui Definition Collection Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/create-ui-definition-collection-functions.md
Title: Create UI definition collection functions description: Describes the functions to use when working with collections, like arrays and objects.-+ Last updated 07/13/2020-+ # CreateUiDefinition collection functions
azure-resource-manager Create Ui Definition Conversion Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/create-ui-definition-conversion-functions.md
Title: Create UI definition conversion functions description: Describes the functions to use when converting values between data types and encodings.-+ Last updated 07/13/2020-+ # CreateUiDefinition conversion functions
azure-resource-manager Create Ui Definition Date Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/create-ui-definition-date-functions.md
Title: Create UI definition date functions description: Describes the functions to use when working with date values.-+ Last updated 07/13/2020-+ # CreateUiDefinition date functions
azure-resource-manager Create Ui Definition Logical Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/create-ui-definition-logical-functions.md
Title: Create UI definition logical functions description: Describes the functions to perform logical operations.-+ Last updated 07/13/2020-+ # CreateUiDefinition logical functions
azure-resource-manager Create Ui Definition Math Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/create-ui-definition-math-functions.md
Title: Create UI definition math functions description: Describes the functions to use when performing math operations.-+ Last updated 07/13/2020-+ # CreateUiDefinition math functions
azure-resource-manager Create Ui Definition Referencing Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/create-ui-definition-referencing-functions.md
Title: Create UI definition referencing functions description: Describes the functions to use when constructing UI definitions for Azure portal that reference other objects.-+ Last updated 07/13/2020-+ # CreateUiDefinition referencing functions
azure-resource-manager Create Ui Definition String Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/create-ui-definition-string-functions.md
Title: Create UI definition string functions description: Describes the string functions to use when constructing UI definitions for Azure Managed Applications-+ Last updated 07/13/2020-+ # CreateUiDefinition string functions
azure-resource-manager Create Uidefinition Elements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/create-uidefinition-elements.md
Title: Create UI definition elements description: Describes the elements to use when constructing UI definitions for Azure portal.-+ Last updated 10/27/2020-+ # CreateUiDefinition elements
azure-resource-manager Create Uidefinition Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/create-uidefinition-functions.md
Title: Create UI definition functions description: Describes the functions to use when constructing UI definitions for Azure Managed Applications-+ Last updated 07/13/2020-+ # CreateUiDefinition functions
azure-resource-manager Create Uidefinition Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/create-uidefinition-overview.md
Title: CreateUiDefinition.json file for portal pane description: Describes how to create user interface definitions for the Azure portal. Used when defining Azure Managed Applications.-+ Last updated 03/26/2021-+ # CreateUiDefinition.json for Azure managed application's create experience
azure-resource-manager Deploy Service Catalog Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/deploy-service-catalog-quickstart.md
Title: Use Azure portal to deploy service catalog app description: Shows consumers of Managed Applications how to deploy a service catalog app through the Azure portal. -+ Last updated 10/04/2018-+ # Quickstart: Deploy service catalog app through Azure portal
azure-resource-manager Existing Vnet Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/existing-vnet-integration.md
Title: Deploy to existing virtual network description: Describes how to enable users of your managed application to select an existing virtual network. The virtual network can be outside of the managed application.-+ Last updated 05/11/2020-+
azure-resource-manager Microsoft Common Checkbox https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-common-checkbox.md
Title: CheckBox UI element description: Describes the Microsoft.Common.CheckBox UI element for Azure portal. Enables users to select to check or uncheck an option.-+ Last updated 07/09/2020-+ # Microsoft.Common.CheckBox UI element
azure-resource-manager Microsoft Common Dropdown https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-common-dropdown.md
Title: DropDown UI element description: Describes the Microsoft.Common.DropDown UI element for Azure portal. Use to select from available options when deploying a managed application.-+ Last updated 07/14/2020-+
azure-resource-manager Microsoft Common Editablegrid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-common-editablegrid.md
Title: EditableGrid UI element description: Describes the Microsoft.Common.EditableGrid UI element for Azure portal. Enables users to gather tabular input.-+ Last updated 08/24/2020-+ # Microsoft.Common.EditableGrid UI element
azure-resource-manager Microsoft Common Fileupload https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-common-fileupload.md
Title: FileUpload UI element description: Describes the Microsoft.Common.FileUpload UI element for Azure portal. Enables users need to upload files when deploying a managed application.-+ Last updated 09/05/2018-+ # Microsoft.Common.FileUpload UI element
azure-resource-manager Microsoft Common Infobox https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-common-infobox.md
Title: InfoBox UI element description: Describes the Microsoft.Common.InfoBox UI element for Azure portal. Use to add text or warnings when deploying managed application.-+ Last updated 06/15/2018-+
azure-resource-manager Microsoft Common Optionsgroup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-common-optionsgroup.md
Title: OptionsGroup UI element description: Describes the Microsoft.Common.OptionsGroup UI element for Azure portal. Enables users to select from available options when deploying a managed application.-+ Last updated 07/09/2020-+ # Microsoft.Common.OptionsGroup UI element
azure-resource-manager Microsoft Common Passwordbox https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-common-passwordbox.md
Title: PasswordBox UI element description: Describes the Microsoft.Common.PasswordBox UI element for Azure portal. Enables users to provide a secret value when deploying managed applications.-+ Last updated 06/27/2018-+ # Microsoft.Common.PasswordBox UI element
azure-resource-manager Microsoft Common Section https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-common-section.md
Title: Section UI element description: Describes the Microsoft.Common.Section UI element for Azure portal. Use to group elements in the portal for deploying managed applications.-+ Last updated 06/27/2018-+ # Microsoft.Common.Section UI element
azure-resource-manager Microsoft Common Serviceprincipalselector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-common-serviceprincipalselector.md
Title: ServicePrincipalSelector UI element description: Describes the Microsoft.Common.ServicePrincipalSelector UI element for Azure portal. Provides a control to choose an application and a textbox to input a password or certificate thumbprint.-+ Last updated 11/17/2020-+ # Microsoft.Common.ServicePrincipalSelector UI element
azure-resource-manager Microsoft Common Slider https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-common-slider.md
Title: Slider UI element description: Describes the Microsoft.Common.Slider UI element for Azure portal. Enables users to set a value from a range of options.-+ Last updated 07/10/2020-+ # Microsoft.Common.Slider UI element
azure-resource-manager Microsoft Common Tagsbyresource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-common-tagsbyresource.md
Title: TagsByResource UI element description: Describes the Microsoft.Common.TagsByResource UI element for Azure portal. Use to apply tags to a resource during deployment.-+ Last updated 11/11/2019-+
azure-resource-manager Microsoft Common Textblock https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-common-textblock.md
Title: TextBlock UI element description: Describes the Microsoft.Common.TextBlock UI element for Azure portal. Use to add text to the interface.-+ Last updated 06/27/2018-+
azure-resource-manager Microsoft Common Textbox https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-common-textbox.md
Title: TextBox UI element description: Describes the Microsoft.Common.TextBox UI element for Azure portal. Use for adding unformatted text.-+ Last updated 03/03/2021-+
azure-resource-manager Microsoft Compute Credentialscombo https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-compute-credentialscombo.md
Title: CredentialsCombo UI element description: Describes the Microsoft.Compute.CredentialsCombo UI element for Azure portal.-+ Last updated 09/29/2018-+ # Microsoft.Compute.CredentialsCombo UI element
azure-resource-manager Microsoft Compute Sizeselector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-compute-sizeselector.md
Title: SizeSelector UI element description: Describes the Microsoft.Compute.SizeSelector UI element for Azure portal. Use for selecting the size of a virtual machine.-+ Last updated 06/27/2018-+ # Microsoft.Compute.SizeSelector UI element
azure-resource-manager Microsoft Compute Usernametextbox https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-compute-usernametextbox.md
Title: UserNameTextBox UI element description: Describes the Microsoft.Compute.UserNameTextBox UI element for Azure portal. Enables users to provide Windows or Linux user names.-+ Last updated 06/27/2018-+ # Microsoft.Compute.UserNameTextBox UI element
azure-resource-manager Microsoft Keyvault Keyvaultcertificateselector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-keyvault-keyvaultcertificateselector.md
Title: KeyVaultCertificateSelector UI element description: Describes the Microsoft.KeyVault.KeyVaultCertificateSelector UI element for Azure portal.-+ Last updated 10/27/2020-+ # Microsoft.KeyVault.KeyVaultCertificateSelector UI element
azure-resource-manager Microsoft Managedidentity Identityselector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-managedidentity-identityselector.md
Title: IdentitySelector UI element description: Describes the Microsoft.ManagedIdentity.IdentitySelector UI element for Azure portal. Use to assign managed identities to a resource.-+ Last updated 02/06/2020-+
azure-resource-manager Microsoft Network Publicipaddresscombo https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-network-publicipaddresscombo.md
Title: PublicIpAddressCombo UI element description: Describes the Microsoft.Network.PublicIpAddressCombo UI element for Azure portal.-+ Last updated 06/28/2018-+ # Microsoft.Network.PublicIpAddressCombo UI element
azure-resource-manager Microsoft Network Virtualnetworkcombo https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-network-virtualnetworkcombo.md
Title: VirtualNetworkCombo UI element description: Describes the Microsoft.Network.VirtualNetworkCombo UI element for Azure portal.-+ Last updated 06/28/2018-+ # Microsoft.Network.VirtualNetworkCombo UI element
azure-resource-manager Microsoft Solutions Armapicontrol https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-solutions-armapicontrol.md
Title: ArmApiControl UI element description: Describes the Microsoft.Solutions.ArmApiControl UI element for Azure portal. Used for calling API operations.-+ Last updated 07/14/2020-+
azure-resource-manager Microsoft Solutions Resourceselector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-solutions-resourceselector.md
Title: ResourceSelector UI element description: Describes the Microsoft.Solutions.ResourceSelector UI element for Azure portal. Used for getting a list of existing resources.-+ Last updated 07/13/2020-+
azure-resource-manager Microsoft Storage Multistorageaccountcombo https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-storage-multistorageaccountcombo.md
Title: MultiStorageAccountCombo UI element description: Describes the Microsoft.Storage.MultiStorageAccountCombo UI element for Azure portal.-+ Last updated 06/28/2018-+ # Microsoft.Storage.MultiStorageAccountCombo UI element
azure-resource-manager Microsoft Storage Storageaccountselector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-storage-storageaccountselector.md
Title: StorageAccountSelector UI element description: Describes the Microsoft.Storage.StorageAccountSelector UI element for Azure portal.-+ Last updated 06/28/2018-+ # Microsoft.Storage.StorageAccountSelector UI element
azure-resource-manager Microsoft Storage Storageblobselector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/microsoft-storage-storageblobselector.md
Title: StorageBlobSelector UI element description: Describes the Microsoft.Storage.StorageBlobSelector UI element for Azure portal.-+ Last updated 10/27/2020-+ # Microsoft.Storage.StorageBlobSelector UI element
azure-resource-manager Monitor Managed Application Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/monitor-managed-application-portal.md
Title: Use Azure portal to monitor a managed app description: Shows how to use the Azure portal to monitor availability and alerts for a managed application.-+ Last updated 10/04/2018-+ # Monitor a deployed instance of a managed application
azure-resource-manager Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/overview.md
Title: Overview of managed applications description: Describes the concepts for Azure Managed Applications, which provides cloud solutions that are easy for consumers to deploy and operate.-+ Last updated 07/12/2019-+ # Azure managed applications overview
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/policy-reference.md
Title: Built-in policy definitions for Azure Managed Applications
description: Lists Azure Policy built-in policy definitions for Azure Managed Applications. These built-in policy definitions provide common approaches to managing your Azure resources. Last updated 07/06/2022 --++ # Azure Policy built-in definitions for Azure Managed Applications
azure-resource-manager Powershell Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/powershell-samples.md
Title: Azure PowerShell samples description: Provides Azure PowerShell sample scripts to use when working with Azure Managed Applications.-+ Last updated 10/27/2017-+ # Azure PowerShell samples
azure-resource-manager Publish Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/publish-portal.md
Title: Publish managed apps through portal description: Shows how to use the Azure portal to create an Azure managed application that is intended for members of your organization.-+ Last updated 11/02/2017-+ # Publish a service catalog application through Azure portal
azure-resource-manager Sample Projects https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/sample-projects.md
Title: Sample projects description: Provides a summary of sample projects that are available for Azure Managed Applications.-+ Last updated 09/04/2019-+ # Sample projects for Azure managed applications
azure-resource-manager Managed Application Define Create Cli Sample https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/scripts/managed-application-define-create-cli-sample.md
Title: Create managed application definition - Azure CLI description: Provides an Azure CLI script sample that publishes a managed application definition to a service catalog and then deploys a managed application definition from the service catalog.-+ ms.devlang: azurecli Last updated 03/07/2022-+
azure-resource-manager Managed Application Powershell Sample Create Definition https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/scripts/managed-application-powershell-sample-create-definition.md
Title: Create managed application definition - Azure PowerShell description: Provides an Azure PowerShell script sample that creates a managed application definition in the Azure subscription.-+ ms.devlang: powershell Last updated 10/27/2017-+ # Create a managed application definition with PowerShell
azure-resource-manager Managed Application Powershell Sample Get Managed Group Resize Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/scripts/managed-application-powershell-sample-get-managed-group-resize-vm.md
Title: Get managed resource group & resize VMs - Azure PowerShell description: Provides Azure PowerShell sample script that gets a managed resource group for an Azure Managed Application. The script resizes VMs.-+ ms.devlang: powershell Last updated 10/27/2017-+ # Get resources in a managed resource group and resize VMs with PowerShell
azure-resource-manager Managed Application Poweshell Sample Create Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/scripts/managed-application-poweshell-sample-create-application.md
Title: Azure PowerShell script sample - Deploy a managed application description: Provides Azure PowerShell sample script sample that deploys a managed application definition to the subscription.-+ ms.devlang: powershell Last updated 10/27/2017-+ # Deploy a managed application for a service catalog with PowerShell
azure-resource-manager Test Createuidefinition https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/test-createuidefinition.md
Title: Test the UI definition file description: Describes how to test the user experience for creating your Azure Managed Application through the portal.-+ Last updated 06/04/2021-+ # Test your portal interface for Azure Managed Applications
azure-resource-manager Update Managed Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/update-managed-resources.md
Title: Update managed resources description: Describes how to work on resources in the managed resource group for an Azure managed application.-+ Last updated 10/26/2017-+ # Work with resources in the managed resource group for Azure managed application
azure-vmware Enable Public Ip Nsx Edge https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/enable-public-ip-nsx-edge.md
The Distributed Firewall could be used to filter traffic to VMs. This feature is
[Enable Managed SNAT for Azure VMware Solution Workloads (Preview)](enable-managed-snat-for-workloads.md) [Disable Internet access or enable a default route](disable-internet-access.md)+
+[Enable HCX access over the internet](enable-hcx-access-over-internet.md)
azure-vmware Enable Sql Azure Hybrid Benefit https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/enable-sql-azure-hybrid-benefit.md
+
+ Title: Enable SQL Azure hybrid benefit for Azure VMware Solution (Preview)
+description: This article shows you how to apply SQL Azure hybrid benefits to your Azure VMware Solution private cloud by configuring a placement policy.
++ Last updated : 06/14/2022++
+# Enable SQL Azure hybrid benefit for Azure VMware Solution (Preview)
+
+In this article, youΓÇÖll learn how to apply SQL Azure hybrid benefits to an Azure VMware Solution private cloud by configuring a placement policy. The placement policy defines the number of hosts that are running SQL.
+>[!IMPORTANT]
+> It is important to note that SQL benefits are applied at the host level.
+
+For example, if each host in Azure VMware Solution has 36 cores and you signal that two hosts run SQL, then SQL Azure hybrid benefit will apply to 72 cores.
+
+## Configure host-VM placement policy
+1. From your Azure VMware Solution private cloud, select Azure hybrid benefit, then Create host-VM placement policy.
+ :::image type="content" source="media/sql-azure-hybrid-benefit/azure-hybrid-benefit.png" alt-text="Diagram that shows how to create a host new virtual machine placement policy.":::
+
+1. Fill in the required fields for creating the placement policy.
+ 1. **Name** ΓÇô Select the name that identifies this policy.
+ 2. **Type** ΓÇô Select the type of policy. This type must be VM-Host affinity only.
+ 3. **Azure hybrid benefit** ΓÇô Select the checkbox to apply the SQL Azure hybrid benefit.
+ 4. **Cluster** ΓÇô Select the necessary cluster. The policy is applicable per cluster only.
+ 1. **Enabled** ΓÇô Select enabled to apply the policy immediately once created.
+
+ :::image type="content" source="media/sql-azure-hybrid-benefit/create-placement-policy.png" alt-text="Diagram that shows how to create a host virtual machine placement policy using the host VM affinity.":::
+3. Select the hosts and VMs that will be applied to the VM-Host affinity policy.
+ 1. **Add Hosts** ΓÇô Select the hosts that will be running SQL.
+ 2. **Add VMs** ΓÇô Select the VMs that should run on the selected hosts.
+ 3. **Review and Create** the policy.
+ :::image type="content" source="media/sql-azure-hybrid-benefit/select-policy-host.png" alt-text="Diagram that shows how to create a host virtual machine affinity.":::
+
+## Manage placement policies
+
+After creating the placement policy, you can review, manage, or edit the policy by way of the Placement policies menu in the Azure VMware Solution private cloud.
+
+By checking the Azure hybrid benefit checkbox in the configuration setting, you can enable existing host-VM affinity policies with the SQL Azure hybrid benefit.
++
+## Next steps
+[Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-benefit/)
+
+[Attach Azure NetApp Files datastores to Azure VMware Solution hosts (Preview)](attach-azure-netapp-files-to-azure-vmware-solution-hosts.md)
+
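Review bot: the ordered lists under "Configure host-VM placement policy" are numbered inconsistently: the top-level steps run `1.`, `1.`, `3.`, and the sub-list in the second step runs 1 to 4 and then restarts at `1. **Enabled**`. Use `1.` for every item or number them sequentially so the rendered order does not depend on the renderer. The `[!IMPORTANT]` block follows the intro paragraph with no blank line before it, the first image's alt text ("create a host new virtual machine placement policy") has its words out of order, and "**Name** – Select the name" should read "Enter a name", since the policy does not exist yet.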
bastion Bastion Connect Vm Ssh Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/bastion-connect-vm-ssh-windows.md
# Create an SSH connection to a Windows VM using Azure Bastion
-This article shows you how to securely and seamlessly create an RDP connection to your Windows VMs located in an Azure virtual network directly through the Azure portal. When you use Azure Bastion, your VMs don't require a client, agent, or additional software. You can also connect to a Windows VM using RDP. For information, see [Create an RDP connection to a Windows VM](bastion-connect-vm-rdp-windows.md).
+This article shows you how to securely and seamlessly create an SSH connection to your Windows VMs located in an Azure virtual network directly through the Azure portal. When you use Azure Bastion, your VMs don't require a client, agent, or additional software. You can also connect to a Windows VM using RDP. For information, see [Create an RDP connection to a Windows VM](bastion-connect-vm-rdp-windows.md).
Azure Bastion provides secure connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. For more information, see the [What is Azure Bastion?](bastion-overview.md).
bastion Bastion Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/bastion-faq.md
Azure Bastion needs to be able to communicate with certain internal endpoints to
* vault.azure.com * azure.com
-You may use a private DNS zone ending with one of the names listed above (ex: dummy.blob.core.windows.net).
+You may use a private DNS zone ending with one of the names listed above (ex: privatelink.blob.core.windows.net).
Azure Bastion isn't supported with Azure Private DNS Zones in national clouds.
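Review bot: in the changed sentence, "ending with one of the names listed above" does not say whether a private DNS zone named exactly as a listed entry is acceptable or only a subdomain of it, such as the new `privatelink.blob.core.windows.net` example. State the rule explicitly (subdomain allowed, exact name allowed or not), and spell out "ex:" as "for example".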
bastion Vm Upload Download Native https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/vm-upload-download-native.md
The steps in this section apply when connecting to a target VM from a Windows lo
1. Sign in to your target VM via RDP using the following command. You can use either a local username and password, or your Azure AD credentials. To learn more about how to use Azure AD to sign in to your Azure Windows VMs, see [Azure Windows VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md). ```azurecli
- az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>"
+ az network bastion rdp --name "<BastionName>" --resource-group "<BastionResourceGroupName>" --target-resource-id "<VMResourceId>"
``` 1. Once you sign in to your target VM, the native client on your computer will open up with your VM session. You can now transfer files between your VM and local machine using right-click, then **Copy** and **Paste**.
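Review bot: the renamed placeholder `<BastionResourceGroupName>` makes clear that `--resource-group` refers to the Bastion host's resource group, but the step text above the command still does not say so. Add a sentence noting that `--name` and `--resource-group` identify the Bastion resource while `--target-resource-id` identifies the VM, since the two can be in different resource groups.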
cognitive-services Batch Anomaly Detection Powerbi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Anomaly-Detector/tutorials/batch-anomaly-detection-powerbi.md
In this tutorial, you'll learn how to:
## Prerequisites * An [Azure subscription](https://azure.microsoft.com/free/cognitive-services) * [Microsoft Power BI Desktop](https://powerbi.microsoft.com/get-started/), available for free.
-* An excel file (.xlsx) containing time series data points. The example data for this quickstart can be found on [GitHub](https://github.com/Azure-Samples/AnomalyDetector/blob/master/sampledata/example-data.xlsx)
+* An excel file (.xlsx) containing time series data points.
* Once you have your Azure subscription, <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesAnomalyDetector" title="Create an Anomaly Detector resource" target="_blank">create an Anomaly Detector resource </a> in the Azure portal to get your key and endpoint. * You will need the key and endpoint from the resource you create to connect your application to the Anomaly Detector API. You'll do this later in the quickstart.
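Review bot: with the sample-data link removed, the prerequisite `An excel file (.xlsx) containing time series data points.` gives readers no source for a file and no description of the expected columns. Either link a replacement sample or describe the required layout, and capitalize "Excel" while touching the line.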
cognitive-services Utterances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/LUIS/concepts/utterances.md
Each intent needs to have example utterances - at least 15. If you have an inten
## Add small groups of utterances
-Each time you [iterate on your model](https://microsoft-my.sharepoint.com/personal/v-babdullah_microsoft_com/Documents/Documents/work/LUIS%20Documentation/Application%20Design%20concepts.docx) to improve it, don't add large quantities of utterances. Consider adding utterances in quantities of 15. Then [Train](/azure/cognitive-services/luis/luis-how-to-train), [publish](/azure/cognitive-services/luis/luis-how-to-publish-app), and [test](/azure/cognitive-services/luis/luis-interactive-test) again.
+Each time you iterate on your model to improve it, don't add large quantities of utterances. Consider adding utterances in quantities of 15. Then [Train](/azure/cognitive-services/luis/luis-how-to-train), [publish](/azure/cognitive-services/luis/luis-how-to-publish-app), and [test](/azure/cognitive-services/luis/luis-interactive-test) again.
LUIS builds effective models with utterances that are carefully selected by the LUIS model author. Adding too many utterances isn't valuable because it introduces confusion.
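Review bot: the removed link pointed at a personal SharePoint document (`microsoft-my.sharepoint.com/personal/...`), which public readers cannot open and which exposes an internal alias and file path. Removing it is right, but "iterate on your model" now has no target. Link it to a public article on iterating the app if one exists, and make the remaining `/azure/cognitive-services/luis/...` links relative, like the `intents.md` link in the Next steps list.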
After the app is published, only add utterances from active learning in the deve
## Next steps * [Intents](intents.md)
-* [Patterns and features concepts](patterns-features.md)
+* [Patterns and features concepts](patterns-features.md)
cognitive-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Speech-Service/language-support.md
To improve accuracy, customization is available for some languages and base mode
| Sinhala (Sri Lanka) | `si-LK` | | Slovak (Slovakia) | `sk-SK` | | Slovenian (Slovenia) | `sl-SI` |
+| Somali (Somalia) | `so-SO` |
| Spanish (Argentina) | `es-AR` | | Spanish (Bolivia) | `es-BO` | | Spanish (Chile) | `es-CL` |
To improve accuracy, customization is available for some languages and base mode
| Ukrainian (Ukraine) | `uk-UA` | | Uzbek (Uzbekistan) | `uz-UZ` | | Vietnamese (Vietnam) | `vi-VN` |
+| Welsh (United Kingdom) | `cy-GB` |
| Zulu (South Africa) | `zu-ZA` | ### [Plain text](#tab/plaintext)
The following neural voices are in public preview.
| Chinese (Mandarin, Simplified) | `zh-CN` | Male | `zh-CN-YunfengNeural` <sup>New</sup> | General, multiple styles available [using SSML](speech-synthesis-markup.md#adjust-speaking-styles) | | Chinese (Mandarin, Simplified) | `zh-CN` | Male | `zh-CN-YunhaoNeural` <sup>New</sup> | Optimized for promoting a product or service, 1 new multiple style available [using SSML](speech-synthesis-markup.md#adjust-speaking-styles) | | Chinese (Mandarin, Simplified) | `zh-CN` | Male | `zh-CN-YunjianNeural` <sup>New</sup> | Optimized for broadcasting sports event, 2 new multiple styles available [using SSML](speech-synthesis-markup.md#adjust-speaking-styles) |
-| Chinese (Mandarin, Simplified) | `zh-CN-LN` | Female | `zh-CN-LN-XiaobeiNeural` <sup>New</sup> | General, Liaoning accent |
-| Chinese (Mandarin, Simplified) | `zh-CN-SC` | Male | `zh-CN-SC-YunxiSichuanNeural` <sup>New</sup> | General, Sichuan accent |
+| Chinese (Mandarin, Simplified) | `zh-CN-liaoning` | Female | `zh-CN-liaoning-XiaobeiNeural` <sup>New</sup> | General, Liaoning accent |
+| Chinese (Mandarin, Simplified) | `zh-CN-sichuan` | Male | `zh-CN-sichuan-YunxiSichuanNeural` <sup>New</sup> | General, Sichuan accent |
| English (United States) | `en-US` | Female | `en-US-JaneNeural` <sup>New</sup> | General, multiple voice styles available [using SSML](speech-synthesis-markup.md#adjust-speaking-styles) | | English (United States) | `en-US` | Female | `en-US-NancyNeural` <sup>New</sup> | General, multiple voice styles available [using SSML](speech-synthesis-markup.md#adjust-speaking-styles) | | English (United States) | `en-US` | Male | `en-US-DavisNeural` <sup>New</sup> | General, multiple voice styles available [using SSML](speech-synthesis-markup.md#adjust-speaking-styles) |
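Review bot: the two changed rows rename both the locale (`zh-CN-LN` to `zh-CN-liaoning`, `zh-CN-SC` to `zh-CN-sichuan`) and the voice names, which callers pass verbatim in SSML, yet the table gives no indication of whether the old identifiers are still accepted. Add a note stating the status of the old names. The Language column also still reads "Chinese (Mandarin, Simplified)" for both rows, so the accent is only discoverable from the last column.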
cognitive-services Rest Speech To Text V3 1 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Speech-Service/rest-speech-to-text-v3-1.md
Use the REST API v3.1 to:
```json "features": { …
- "supportsAdaptationsWith": [
- ΓÇ£AcousticΓÇ¥,
- "Language",
- ΓÇ£LanguageMarkdownΓÇ¥,
+ "supportsAdaptationsWith": [
+ "Acoustic",
+ "Language",
+ "LanguageMarkdown",
"Pronunciation" ] }
cognitive-services Speech Synthesis Markup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Speech-Service/speech-synthesis-markup.md
The `say-as` element is optional. It indicates the content type, such as number
| `format` | Provides additional information about the precise formatting of the element's text for content types that might have ambiguous formats. SSML defines formats for content types that use them. See the following table. | Optional | | `detail` | Indicates the level of detail to be spoken. For example, this attribute might request that the speech synthesis engine pronounce punctuation marks. There are no standard values defined for `detail`. | Optional |
-The following content types are supported for the `interpret-as` and `format` attributes. Include the `format` attribute only if `interpret-as` is set to date and time.
+The following content types are supported for the `interpret-as` and `format` attributes. Include the `format` attribute only if `format` column is not empty in the table below.
| interpret-as | format | Interpretation | |--|--|-|
The following content types are supported for the `interpret-as` and `format` at
| `ordinal` | | The text is spoken as an ordinal number. The speech synthesis engine pronounces:<br /><br />`Select the <say-as interpret-as="ordinal">3rd</say-as> option`<br /><br />As "Select the third option." | | `telephone` | | The text is spoken as a telephone number. The `format` attribute can contain digits that represent a country code. Examples are "1" for the United States or "39" for Italy. The speech synthesis engine can use this information to guide its pronunciation of a phone number. The phone number might also include the country code, and if so, takes precedence over the country code in the `format` attribute. The speech synthesis engine pronounces:<br /><br />`The number is <say-as interpret-as="telephone" format="1">(888) 555-1212</say-as>`<br /><br />As "My number is area code eight eight eight five five five one two one two." | | `time` | hms12, hms24 | The text is spoken as a time. The `format` attribute specifies whether the time is specified by using a 12-hour clock (hms12) or a 24-hour clock (hms24). Use a colon to separate numbers representing hours, minutes, and seconds. Here are some valid time examples: 12:35, 1:14:32, 08:15, and 02:50:45. The speech synthesis engine pronounces:<br /><br />`The train departs at <say-as interpret-as="time" format="hms12">4:00am</say-as>`<br /><br />As "The train departs at four A M." |
+| `duration` | hms, hm, ms | The text is spoken as a duration. The `format` attribute specifies the duration's format (*h=hour, m=minute, and s=second*). The speech synthesis engine pronounces:<br /><br />`<say-as interpret-as="duration">01:18:30</say-as>`<br /><br /> As "one hour eighteen minutes and thirty seconds".<br />Pronounces:<br /><br />`<say-as interpret-as="duration" format="ms">01:18</say-as>`<br /><br /> As "one minute and eighteen seconds".<br />This tag is only supported on English and Spanish.|
| `name` | | The text is spoken as a person's name. The speech synthesis engine pronounces:<br /><br />`<say-as interpret-as="name">ED</say-as>`<br /><br />As [æd]. <br />In Chinese names, some characters pronounce differently when they appear in a family name. For example, the speech synthesis engine says 仇 in <br /><br />`<say-as interpret-as="name">仇先生</say-as>`<br /><br /> As [qiú] instead of [chóu]. | **Usage**
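Review bot: the new sentence "Include the `format` attribute only if `format` column is not empty in the table below." contradicts the `telephone` row, whose format column is empty but whose description says the `format` attribute can carry a country code and whose example uses `format="1"`. Either fill in the format cell for `telephone` or reword the rule. The sentence is also missing "the" before "`format` column", and the added `duration` row should say which format applies when the attribute is omitted, since its first example has none.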
cognitive-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/document-translation/overview.md
Previously updated : 05/24/2022 Last updated : 07/13/2022 recommendations: false
The following document file types are supported by Document Translation:
|Adobe PDF|pdf|Portable document file format.| |Comma-Separated Values |csv| A comma-delimited raw-data file used by spreadsheet programs.| |HTML|html, htm|Hyper Text Markup Language.|
-|Localization Interchange File Format|xlf. , xliff| A parallel document format, export of Translation Memory systems. The languages used are defined inside the file.|
+|Localization Interchange File Format|xlf| A parallel document format, export of Translation Memory systems. The languages used are defined inside the file.|
|Markdown| markdown, mdown, mkdn, md, mkd, mdwn, mdtxt, mdtext, rmd| A lightweight markup language for creating formatted text.| |MHTML|mthml, mht| A web page archive format used to combine HTML code and its companion resources.| |Microsoft Excel|xls, xlsx|A spreadsheet file for data analysis and documentation.|
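Review bot: the changed row drops `xliff` along with the stray `xlf.` punctuation. If `.xliff` files are still accepted, keep the extension in the list as `xlf, xliff`; if not, say so in the change description, because it narrows the supported types. The neighbouring MHTML row lists `mthml`, which looks like a typo for `mhtml`.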
cognitive-services Migrate Language Service Latest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/concepts/migrate-language-service-latest.md
Previously updated : 01/10/2022 Last updated : 07/13/2022
# Migrate to the latest version of Azure Cognitive Service for Language > [!TIP]
-> Just getting started with Azure Cognitive Service for Language? See the [overview article](../overview.md) for details on the service, available features, and links to quickstarts for sending your first API requests.
+> Just getting started with Azure Cognitive Service for Language? See the [overview article](../overview.md) for details on the service, available features, and links to quickstarts for information on the current version of the API.
-If your applications are using an older version of the Text Analytics API (before v3.1), or client library (before stable v5.1.0), this article will help you upgrade your applications to use the latest version of the [Azure Cognitive Service for language](../overview.md) features.
+If your applications are still using the Text Analytics API, or client library (before stable v5.1.0), this article will help you upgrade your applications to use the latest version of the [Azure Cognitive Service for language](../overview.md) features.
-## Features
+## Unified Language endpoint (REST API)
-Select one of the features below to see information you can use to update your application.
+This section applies to applications that use the older `/text/analytics/...` endpoint format for REST API calls. For example:
-## [Sentiment analysis](#tab/sentiment-analysis)
+```http
+https://<your-custom-subdomain>.cognitiveservices.azure.com/text/analytics/<version>/<feature>
+```
-> [!NOTE]
-> * Want to use the latest version of the API in your application? See the [sentiment analysis](../sentiment-opinion-mining/how-to/call-api.md) how-to article and [quickstart](../sentiment-opinion-mining/quickstart.md) for information on the current version of the API.
-> * The version `3.1-preview.x` REST API endpoints and `5.1.0-beta.x` client library has been deprecated.
+If your application uses the above endpoint format, the REST API endpoint for the following Language service features has changed:
-## Feature changes from version 2.1
+* [Entity linking](../entity-linking/quickstart.md?pivots=rest-api)
+* [Key phrase extraction](../key-phrase-extraction/quickstart.md?pivots=rest-api)
+* [Language detection](../language-detection/quickstart.md?pivots=rest-api)
+* [Named entity recognition (NER)](../named-entity-recognition/quickstart.md?pivots=rest-api)
+* [Personally Identifying Information (PII) detection](../personally-identifiable-information/quickstart.md?pivots=rest-api)
+* [Sentiment analysis and opinion mining](../sentiment-opinion-mining/quickstart.md?pivots=rest-api)
+* [Text analytics for health](../text-analytics-for-health/quickstart.md?pivots=rest-api)
-Sentiment Analysis in version 2.1 returns sentiment scores between 0 and 1 for each document sent to the API, with scores closer to 1 indicating more positive sentiment. The current version of this feature returns sentiment labels (such as "positive" or "negative") for both the sentences and the document as a whole, and their associated confidence scores.
+The Language service now provides a unified endpoint for sending REST API requests to these features. If your application uses the REST API, update its request endpoint to use the current endpoint:
-## Migrate to the current version
+```http
+https://<your-language-resource-endpoint>/language/:analyze-text?api-version=2022-05-01
+```
-### REST API
+Additionally, the format of the JSON request body has changed. You'll need to update the request structure that your application sends to the API, for example the following entity recognition JSON body:
-If your application uses the REST API, update its request endpoint to use the [current endpoint](../sentiment-opinion-mining/quickstart.md?pivots=rest-api) for sentiment analysis. For example:`https://<your-custom-subdomain>.cognitiveservices.azure.com/text/analytics/v3.1/sentiment`. You will also need to update the application to use the sentiment labels returned in the [API's response](../sentiment-opinion-mining/how-to/call-api.md).
+```json
+{
+ "kind": "EntityRecognition",
+ "parameters": {
+ "modelVersion": "latest"
+ },
+ "analysisInput":{
+ "documents":[
+ {
+ "id":"1",
+ "language": "en",
+ "text": "I had a wonderful trip to Seattle last week."
+ }
+ ]
+ }
+}
+```
-See the reference documentation for examples of the JSON response.
-* [Version 2.1](https://westcentralus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v2-1/operations/56f30ceeeda5650db055a3c9)
-* [Version 3.0](https://westus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v3-0/operations/Sentiment)
-* [Version 3.1](https://westcentralus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v3-1/operations/Sentiment)
+Use the quickstarts linked above to see current example REST API calls for the feature(s) you're using, and the associated API output.
-### Client libraries
+## Client libraries
-To use the latest version of the sentiment analysis client library, you will need to download the latest software package in the `Azure.AI.TextAnalytics` namespace. The [quickstart article](../sentiment-opinion-mining/quickstart.md) lists the commands you can use for your preferred language, with example code.
+To use the latest version of the client library, you will need to download the latest software package in the `Azure.AI.TextAnalytics` namespace. See the quickstart articles linked above for example code and instructions for using the client library in your preferred language.
+<!--[!INCLUDE [SDK target versions](../includes/sdk-target-versions.md)]-->
-## [NER, PII, and entity linking](#tab/named-entity-recognition)
-> [!NOTE]
-> Want to use the latest version of the API in your application? See the following articles for information on the current version of the APIs:
->
-> * [NER quickstart](../named-entity-recognition/quickstart.md)
-> * [Entity linking quickstart](../entity-linking/quickstart.md)
-> * [Personally Identifying Information (PII) detection quickstart](../personally-identifiable-information/quickstart.md)
->
-> The version `3.1-preview.x` REST API endpoints and `5.1.0-beta.x` client libraries has been deprecated.
+## Version 2.1 functionality changes
-## Feature changes from version 2.1
+If you're migrating an application from v2.1 of the API, there are several changes to feature functionality you should be aware of.
-In version 2.1, the Text Analytics API uses one endpoint for Named Entity Recognition (NER) and entity linking. The current version of this feature provides expanded named entity detection, and uses separate endpoints for NER and entity linking requests. Additionally, you can use another feature offered in the Language service that lets you detect [detect personal (pii) and health (phi) information](../personally-identifiable-information/overview.md).
+### Sentiment analysis v2.1
-## Migrate to the current version
+[Sentiment Analysis](../sentiment-opinion-mining/quickstart.md) in version 2.1 returns sentiment scores between 0 and 1 for each document sent to the API, with scores closer to 1 indicating more positive sentiment. The current version of this feature returns sentiment labels (such as "positive" or "negative") for both the sentences and the document as a whole, and their associated confidence scores.
-### REST API
+### NER, PII, and entity linking v2.1
-If your application uses the REST API, update its request endpoint to the [current endpoints](../named-entity-recognition/quickstart.md?pivots=rest-api) for NER and/or entity linking. For example:
-
-Entity Linking
-* `https://<your-custom-subdomain>.cognitiveservices.azure.com/text/analytics/v3.1/entities/linking`
-
-NER
-* `https://<your-custom-subdomain>.cognitiveservices.azure.com/text/analytics/v3.1/entities/recognition/general`
+In version 2.1, the Text Analytics API used one endpoint for Named Entity Recognition (NER) and entity linking. The current version of this feature provides expanded named entity detection, and has separate endpoints for [NER](../named-entity-recognition/quickstart.md?pivots=rest-api) and [entity linking](../entity-linking/quickstart.md?pivots=rest-api) requests. Additionally, you can use another feature offered in the Language service that lets you detect [detect personal (PII) and health (PHI) information](../personally-identifiable-information/overview.md).
You will also need to update your application to use the [entity categories](../named-entity-recognition/concepts/named-entity-categories.md) returned in the [API's response](../named-entity-recognition/how-to-call.md).
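Review bot: the added paragraph under "NER, PII, and entity linking v2.1" says the current version "has separate endpoints for NER and entity linking requests", which conflicts with the "Unified Language endpoint (REST API)" section added earlier in this same change, where both features are listed as moving to the single `/language/:analyze-text` endpoint. Reword it so the two sections agree, for example by saying the features are now separate requests distinguished by the `kind` field shown in the sample body. The same sentence carries over a doubled word, "lets you detect [detect personal (PII) and health (PHI) information]", which should be fixed while the line is being touched.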
-See the reference documentation for examples of the JSON response.
-* [Version 2.1](https://westcentralus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v2-1/operations/5ac4251d5b4ccd1554da7634)
-* [Version 3.0](https://westus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v3-0/operations/EntitiesRecognitionGeneral)
-* [Version 3.1](https://westcentralus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v3-1/operations/EntitiesRecognitionGeneral)
-
-### Client libraries
-
-To use the latest version of the NER and entity linking client libraries, you will need to download the latest software package in the `Azure.AI.TextAnalytics` namespace. The quickstart article for [Named Entity Recognition](../named-entity-recognition/quickstart.md) and [entity linking](../entity-linking/quickstart.md) lists the commands you can use for your preferred language, with example code.
--
-#### Version 2.1 entity categories
+### Version 2.1 entity categories
The following table lists the entity categories returned for NER v2.1.
The following table lists the entity categories returned for NER v2.1.
| Dimension | Dimensions and measurements. | | Temperature | Temperatures. |
-## [Language detection](#tab/language-detection)
-
-> [!NOTE]
-> * Want to use the latest version of the API in your application? See the [language detection](../language-detection/how-to/call-api.md) how-to article and [quickstart](../language-detection/quickstart.md) for information on the current version of the API.
-> * The version `3.1-preview.x` REST API endpoints and `5.1.0-beta.x` client libraries has been deprecated.
-
-## Feature changes from version 2.1
-
-The language detection feature output has changed in the current version. The JSON response will contain `ConfidenceScore` instead of `score`. The current version also only returns one language in a `detectedLanguage` attribute for each document.
-
-## Migrate to the current version
-
-### REST API
-
-If your application uses the REST API, update its request endpoint to the [current endpoint](../language-detection/quickstart.md?pivots=rest-api) for language detection. For example:`https://<your-custom-subdomain>.cognitiveservices.azure.com/text/analytics/v3.1/languages`. You will also need to update the application to use `ConfidenceScore` instead of `score` in the [API's response](../language-detection/how-to/call-api.md).
-
-See the reference documentation for examples of the JSON response.
-* [Version 2.1](https://westcentralus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v2-1/operations/56f30ceeeda5650db055a3c7)
-* [Version 3.0](https://westus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v3-0/operations/Languages)
-* [Version 3.1](https://westcentralus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v3-1/operations/Languages)
+### Language detection v2.1
-#### Client libraries
+The [language detection](../language-detection/quickstart.md) feature output has changed in the current version. The JSON response will contain `ConfidenceScore` instead of `score`. The current version also only returns one language for each document.
-To use the latest version of the sentiment analysis client library, you will need to download the latest software package in the `Azure.AI.TextAnalytics` namespace. The [quickstart article](../language-detection/quickstart.md) lists the commands you can use for your preferred language, with example code.
+### Key phrase extraction v2.1
-
-## [Key phrase extraction](#tab/key-phrase-extraction)
-
-> [!NOTE]
-> * Want to use the latest version of the API in your application? See the [key phrase extraction](../key-phrase-extraction/how-to/call-api.md) how-to article and [quickstart](../key-phrase-extraction/quickstart.md) for information on the current version of the API.
-> * The version `3.1-preview.x` REST API endpoints and `5.1.0-beta.x` client library has been deprecated.
-
-## Feature changes from version 2.1
-
-The key phrase extraction feature currently has not changed outside of the endpoint version.
-
-## Migrate to the current version
-
-### REST API
-
-If your application uses the REST API, update its request endpoint to the [current endpoint](../key-phrase-extraction/quickstart.md?pivots=rest-api) for key phrase extraction. For example: `https://<your-custom-subdomain>.api.cognitiveservices.azure.com/text/analytics/v3.1/keyPhrases`
-
-See the reference documentation for examples of the JSON response.
-* [Version 2.1](https://westcentralus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v2-1/operations/56f30ceeeda5650db055a3c6)
-* [Version 3.0](https://westus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v3-0/operations/KeyPhrases)
-* [Version 3.1](https://westcentralus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v3-1/operations/KeyPhrases)
-
-### Client libraries
-
-To use the latest version of the sentiment analysis client library, you will need to download the latest software package in the `Azure.AI.TextAnalytics` namespace. The [quickstart article](../key-phrase-extraction/quickstart.md) lists the commands you can use for your preferred language, with example code.
---
+The key phrase extraction feature functionality currently has not changed outside of the endpoint and request format.
## See also
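Review bot: the notes removed here for language detection and key phrase extraction (and earlier for sentiment and NER) each stated that the `3.1-preview.x` REST API endpoints and `5.1.0-beta.x` client libraries are deprecated, and none of the added lines restates it. Readers still on a preview endpoint or beta library lose the signal that they have to move, so carry the deprecation forward in one sentence in the introduction or the "Client libraries" section. In the added "Language detection v2.1" text, also keep the name of the `detectedLanguage` attribute that the removed paragraph gave, since that is the field callers need to read.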
-* [What is Azure Cognitive Service for language?](../overview.md)
+* [What is Azure Cognitive Service for Language?](../overview.md)
+* [Language service developer guide](developer-guide.md)
+* See the following reference documentation for information on previous API versions.
+ * [Version 2.1](https://westcentralus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v2-1/operations/56f30ceeeda5650db055a3c9)
+ * [Version 3.0](https://westus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v3-0/operations/Sentiment)
+ * [Version 3.1](https://westcentralus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v3-1/operations/Sentiment)
+* Use the following quickstart guides to see examples for the current version of these features.
+ * [Entity linking](../entity-linking/quickstart.md)
+ * [Key phrase extraction](../key-phrase-extraction/quickstart.md)
+ * [Named entity recognition (NER)](../named-entity-recognition/quickstart.md)
+ * [Language detection](../language-detection/quickstart.md)
+ * [Personally Identifying Information (PII) detection](../personally-identifiable-information/quickstart.md)
+ * [Sentiment analysis and opinion mining](../sentiment-opinion-mining/quickstart.md)
+ * [Text analytics for health](../text-analytics-for-health/quickstart.md)
+
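Review bot: the three "previous API versions" links added under "See also" all point at sentiment operations (`.../TextAnalytics-v3-0/operations/Sentiment`, `.../TextAnalytics-v3-1/operations/Sentiment`, and the v2.1 id that the removed sentiment section used), but the bullet presents them as reference for every feature. The removed per-feature sections linked to the `EntitiesRecognitionGeneral`, `Languages` and `KeyPhrases` operations; either link each version's API reference root or label these three as the sentiment reference.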
communication-services Pricing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/pricing.md
Alice makes an outbound call from an Azure Communication Services app to a telep
**Total cost for the call**: $0.04 + $0.04 = $0.08
+### Pricing example: Outbound Call from a Dynamics 365 Omnichannel (D365 OC) agent application via Azure Communication Services direct routing
+
+Alice is a D365 contact center agent, who makes an outbound call from D365 OC to a telephone number (Bob) via Azure Communication Services direct routing.
+- Alice uses D365 OC client application
+- D365 OC bot starts new outgoing call via direct routing
+- Call goes to a Session Border Controller (SBC) connected via Communication Services direct routing
+- D365 OC bot adds Alice to a call by escalating the direct routing call to a group call
+- The call lasts a total of 10 minutes.
+
+**Cost calculations**
+
+- One participant on the VoIP leg (Alice) from D365 OC client application x 10 minutes x $0.004 per participant leg per minute = $0.04
+- One participant on the Communication Services direct routing outbound leg (Bob) from Communication Services servers to an SBC x 10 minutes x $0.004 per participant leg per minute = $0.04.
+- D365 OC bot does not introduce additional ACS charges.
+
+**Total cost for the call**: $0.04 + $0.04 = $0.08
+ ### Pricing example: Group audio call using JS SDK and one PSTN leg Alice and Bob are on a VOIP Call. Bob escalated the call to Charlie on Charlie's PSTN number, a US phone number beginning with `+1-425`.
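Review bot: the last cost bullet, "D365 OC bot does not introduce additional ACS charges", uses "ACS" where the rest of the example spells out "Azure Communication Services" or "Communication Services"; spell it out for consistency. The scenario and cost bullets also mix terminated and unterminated items ("... per minute = $0.04" next to "... per minute = $0.04."), so pick one style.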
communication-services Pstn Pricing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/pstn-pricing.md
All prices shown below are in USD.
Note: Pricing for all countries is subject to change as pricing is market-based and depends on third-party suppliers of telephony services. Additionally, pricing may include requisite taxes and fees. ***
+## Direct routing pricing
+For Azure Communication Services direct routing there is a flat rate regardless of the geography:
+
+|Number type |To make calls |To receive calls|
+|--|--||
+|Direct routing|USD 0.0040/min|USD 0.0040/min |
+ ## Next steps In this quickstart, you learned how Telephony (PSTN) Offers are priced for Azure Communication Services.
communication-services Troubleshooting Info https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/troubleshooting-info.md
To verify your Teams License eligibility via Teams web client, follow the steps
1. If the authentication is successful and you remain in the https://teams.microsoft.com/ domain, then your Teams License is eligible. If authentication fails or you're redirected to the https://www.teams.live.com domain, then your Teams License isn't eligible to use Azure Communication Services support for Teams users. #### Checking your current Teams license via Microsoft Graph API
-You can find your current Teams license using [licenseDetails](https://docs.microsoft.com/graph/api/resources/licensedetails) Microsoft Graph API that returns licenses assigned to a user. Follow the steps below to use the Graph Explorer tool to view licenses assigned to a user:
+You can find your current Teams license using [licenseDetails](/graph/api/resources/licensedetails) Microsoft Graph API that returns licenses assigned to a user. Follow the steps below to use the Graph Explorer tool to view licenses assigned to a user:
1. Open your browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) 1. Sign in to Graph Explorer using the credentials.
The Azure Communication Services SMS SDK uses the following error codes to help
## Related information - [Logs and diagnostics](logging-and-diagnostics.md) - [Metrics](metrics.md)-- [Service limits](service-limits.md)
+- [Service limits](service-limits.md)
communication-services Eligible Teams Licenses https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/eligible-teams-licenses.md
For more information, see [Azure AD Product names and service plan identifiers](
### How to find current Teams license
-You can find your current Teams license using [licenseDetails](https://docs.microsoft.com/graph/api/resources/licensedetails) Microsoft Graph API that returns licenses assigned to a user.
+You can find your current Teams license using [licenseDetails](/graph/api/resources/licensedetails) Microsoft Graph API that returns licenses assigned to a user.
For more information on verification for eligibility, see [Verification of Teams license eligibility](../concepts/troubleshooting-info.md#verification-of-teams-license-eligibility-to-use-azure-communication-services-support-for-teams-users).
communication-services Pstn Call https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/telephony/pstn-call.md
Title: Quickstart - Call To Phone
+ Title: Quickstart - Call to a telephone number
description: In this quickstart, you'll learn how to add PSTN calling capabilities to your app using Azure Communication Services.
zone_pivot_groups: acs-plat-web-ios-android
-# Quickstart: Call To Phone
+# Quickstart: Outbound call to a telephone number
Get started with Azure Communication Services by using the Communication Services Calling SDK to add PSTN calling to your app.
communication-services File Sharing Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/tutorials/file-sharing-tutorial.md
You can follow the tutorial [Upload file to Azure Blob Storage with an Azure Fun
Once implemented, you can call this Azure Function inside the `uploadHandler` function to upload files to Azure Blob Storage. For the remaining of the tutorial, we will assume you have generated the function using the tutorial for Azure Blob Storage linked above.
+### Securing your Azure Blob Storage Container
+
+Note that the tutorial above assumes that your Azure blob storage container allows public access to the files you upload. Making your Azure storage containers public isn't recommended for real world production applications.
+
+For downloading the files you upload to Azure blob storage, you can use shared access signatures (SAS). A shared access signature (SAS) provides secure delegated access to resources in your storage account. With a SAS, you have granular control over how a client can access your data.
+
+The downloadable [GitHub sample](https://github.com/Azure-Samples/communication-services-javascript-quickstarts/tree/main/ui-library-filesharing-chat-composite) showcases the use of SAS for creating SAS URLs to Azure Storage contents. Additionally, you can [read more about SAS](/azure/storage/common/storage-sas-overview).
+ UI Library requires a React environment to be setup. Next we will do that. If you already have a React App, you can skip this section. ### Set Up React App
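Review bot: the "Securing your Azure Blob Storage Container" section points readers to shared access signatures for downloads but says nothing about how to scope them, so a reader can swap a public container for a long-lived, broadly permissioned SAS URL and gain little. Add a sentence recommending that the SAS be generated server-side, limited to read permission on the specific blob, and given a short expiry, and state explicitly that public access on the container should be turned off once SAS is in place. The first sentence would also read better without "Note that", and "real world" should be hyphenated.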
You may also want to:
- [Add chat to your app](../quickstarts/chat/get-started.md) - [Creating user access tokens](../quickstarts/access-tokens.md) - [Learn about client and server architecture](../concepts/client-and-server-architecture.md)-- [Learn about authentication](../concepts/authentication.md)
+- [Learn about authentication](../concepts/authentication.md)
container-apps Compare Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/compare-options.md
Azure Container Apps doesn't provide direct access to the underlying Kubernetes
You can get started building your first container app [using the quickstarts](get-started.md). ### Azure App Service
-[Azure App Service](/azure/app-service) provides fully managed hosting for web applications including websites and web APIs. These web applications may be deployed using code or containers. Azure App Service is optimized for web applications. Azure App Service is integrated with other Azure services including Azure Container Apps or Azure Functions. When building web apps, Azure App Service is an ideal option.
+[Azure App Service](../app-service/index.yml) provides fully managed hosting for web applications including websites and web APIs. These web applications may be deployed using code or containers. Azure App Service is optimized for web applications. Azure App Service is integrated with other Azure services including Azure Container Apps or Azure Functions. When building web apps, Azure App Service is an ideal option.
### Azure Container Instances
-[Azure Container Instances (ACI)](/azure/container-instances) provides a single pod of Hyper-V isolated containers on demand. It can be thought of as a lower-level "building block" option compared to Container Apps. Concepts like scale, load balancing, and certificates are not provided with ACI containers. For example, to scale to five container instances, you create five distinct container instances. Azure Container Apps provide many application-specific concepts on top of containers, including certificates, revisions, scale, and environments. Users often interact with Azure Container Instances through other services. For example, Azure Kubernetes Service can layer orchestration and scale on top of ACI through [virtual nodes](../aks/virtual-nodes.md). If you need a less "opinionated" building block that doesn't align with the scenarios Azure Container Apps is optimizing for, Azure Container Instances is an ideal option.
+[Azure Container Instances (ACI)](../container-instances/index.yml) provides a single pod of Hyper-V isolated containers on demand. It can be thought of as a lower-level "building block" option compared to Container Apps. Concepts like scale, load balancing, and certificates are not provided with ACI containers. For example, to scale to five container instances, you create five distinct container instances. Azure Container Apps provide many application-specific concepts on top of containers, including certificates, revisions, scale, and environments. Users often interact with Azure Container Instances through other services. For example, Azure Kubernetes Service can layer orchestration and scale on top of ACI through [virtual nodes](../aks/virtual-nodes.md). If you need a less "opinionated" building block that doesn't align with the scenarios Azure Container Apps is optimizing for, Azure Container Instances is an ideal option.
### Azure Kubernetes Service [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) provides a fully managed Kubernetes option in Azure. It supports direct access to the Kubernetes API and runs any Kubernetes workload. The full cluster resides in your subscription, with the cluster configurations and operations within your control and responsibility. Teams looking for a fully managed version of Kubernetes in Azure, Azure Kubernetes Service is an ideal option.
You can get started building your first container app [using the quickstarts](ge
## Next steps > [!div class="nextstepaction"]
-> [Deploy your first container app](get-started.md)
+> [Deploy your first container app](get-started.md)
container-apps Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/networking.md
There's no forced tunneling in Container Apps routes.
## Managed resources
-When you deploy an internal or an external environment into your own network, a new resource group prefixed with `MC_` is created in the Azure subscription where your environment is hosted. This resource group contains infrastructure components managed by the Azure Container Apps platform, and shouldn't be modified. The resource group contains Public IP addresses used specifically for outbound connectivity from your environment and a load balancer. In addition to the [Azure Container Apps billing](https://docs.microsoft.com/azure/container-apps/billing), you will be billed for the following:
+When you deploy an internal or an external environment into your own network, a new resource group prefixed with `MC_` is created in the Azure subscription where your environment is hosted. This resource group contains infrastructure components managed by the Azure Container Apps platform, and shouldn't be modified. The resource group contains Public IP addresses used specifically for outbound connectivity from your environment and a load balancer. In addition to the [Azure Container Apps billing](./billing.md), you will be billed for the following:
- Three standard static [public IPs](https://azure.microsoft.com/pricing/details/ip-addresses/) if using an internal environment, or four standard static [public IPs](https://azure.microsoft.com/pricing/details/ip-addresses/) if using an external environment. - Two standard [Load Balancers](https://azure.microsoft.com/pricing/details/load-balancer/) if using an internal environment, or one standard [Load Balancer](https://azure.microsoft.com/pricing/details/load-balancer/) if using an external environment. Each load balancer has less than six rules. The cost of data processed (GB) includes both ingress and egress for management operations.
When you deploy an internal or an external environment into your own network, a
## Next steps - [Deploy with an external environment](vnet-custom.md)-- [Deploy with an internal environment](vnet-custom-internal.md)
+- [Deploy with an internal environment](vnet-custom-internal.md)
container-apps Vnet Custom Internal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/vnet-custom-internal.md
zone_pivot_groups: azure-cli-or-portal
The following example shows you how to create a Container Apps environment in an existing virtual network.
-> [!IMPORTANT]
-> Container Apps environments are deployed on a virtual network. This network can be managed or custom (pre-configured by the user beforehand). In either case, the environment has dependencies on services outside of that virtual network. For a list of these dependencies see [Outbound FQDN dependencies](firewall-integration.md#outbound-fqdn-dependencies).
- ::: zone pivot="azure-portal" <!-- Create -->
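Review bot: removing the `[!IMPORTANT]` note drops the pointer to `firewall-integration.md#outbound-fqdn-dependencies` from the top of this article, and the same note is removed from `vnet-custom.md` in this change. Anyone deploying the environment into a locked-down virtual network needs that dependency list before creating it; confirm it is still linked from the steps that follow or from `networking.md`, or keep a one-line link here.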
container-apps Vnet Custom https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/vnet-custom.md
zone_pivot_groups: azure-cli-or-portal
The following example shows you how to create a Container Apps environment in an existing virtual network.
-> [!IMPORTANT]
-> Container Apps environments are deployed on a virtual network. This network can be managed or custom (pre-configured by the user beforehand). In either case, the environment has dependencies on services outside of that virtual network. For a list of these dependencies see [Outbound FQDN dependencies](firewall-integration.md#outbound-fqdn-dependencies).
- ::: zone pivot="azure-portal" <!-- Create -->
container-instances Container Instances Custom Dns https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-custom-dns.md
See the Azure quickstart template [Create an Azure container group with VNet](ht
[az-container-delete]: /cli/azure/container#az-container-delete [az-network-vnet-delete]: /cli/azure/network/vnet#az-network-vnet-delete [az-group-delete]: /cli/azure/group#az-group-create
-[cloud-shell-bash]: /azure/cloud-shell/overview
+[cloud-shell-bash]: ../cloud-shell/overview.md
container-instances Container Instances Gpu https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-gpu.md
This article shows how to add GPU resources when you deploy a container group by
> [!IMPORTANT] > This feature is currently in preview, and some [limitations apply](#preview-limitations). Previews are made available to you on the condition that you agree to the [supplemental terms of use][terms-of-use]. Some aspects of this feature may change prior to general availability (GA).
+## Prerequisites
+> [!NOTE}
+> Due to some current limitations, not all limit increase requests are guaranteed to be approved.
+
+* If you would like to use this sku for your production container deployments, create an [Azure Support request](https://azure.microsoft.com/support) to increase the limit.
+ ## Preview limitations In preview, the following limitations apply when using GPU resources in container groups.
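Review bot: the alert marker on the first line of the new "Prerequisites" section is written `> [!NOTE}` with a closing brace, so it will not render as a note block; change it to `> [!NOTE]`. The bullet also refers to "this sku" and "the limit" without naming either; say which GPU SKU and which quota the support request is for, and put the bullet before the note so the caveat follows the instruction it qualifies.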
container-instances Container Instances Virtual Network Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-virtual-network-concepts.md
Container groups deployed into an Azure virtual network enable scenarios like:
* Outbound connection to port 25 is not supported at this time. * If you are connecting your container group to an Azure Storage Account, you must add a [service endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) to that resource. * [IPv6 addresses](../virtual-network/ip-services/ipv6-overview.md) are not supported at this time.
-* Depending on your subscription type, [certain ports may be blocked](/azure/virtual-network/network-security-groups-overview#azure-platform-considerations).
+* Depending on your subscription type, [certain ports may be blocked](../virtual-network/network-security-groups-overview.md#azure-platform-considerations).
## Required network resources
In the following diagram, several container groups have been deployed to a subne
<!-- LINKS - Internal --> [az-container-create]: /cli/azure/container#az_container_create
-[az-network-profile-list]: /cli/azure/network/profile#az_network_profile_list
+[az-network-profile-list]: /cli/azure/network/profile#az_network_profile_list
container-instances Monitor Azure Container Instances Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/monitor-azure-container-instances-reference.md
Azure Container Instances has the following dimension associated with its metric
## Activity log
-The following table lists the operations that Azure Container Instances may record in the Activity log. This is a subset of the possible entries you might find in the activity log. You can also find this information in the [Azure role-based access control (RBAC) Resource provider operations documentation](/azure/role-based-access-control/resource-provider-operations#microsoftcontainerinstance).
+The following table lists the operations that Azure Container Instances may record in the Activity log. This is a subset of the possible entries you might find in the activity log. You can also find this information in the [Azure role-based access control (RBAC) Resource provider operations documentation](../role-based-access-control/resource-provider-operations.md#microsoftcontainerinstance).
| Operation | Description | |:|:|
The following table lists the operations that Azure Container Instances may reco
| Microsoft.ContainerInstance/operations/read | List the operations for Azure Container Instance service. | | Microsoft.ContainerInstance/serviceassociationlinks/delete | Delete the service association link created by Azure Container Instance resource provider on a subnet. |
-See [all the possible resource provider operations in the activity log](/azure/role-based-access-control/resource-provider-operations).
+See [all the possible resource provider operations in the activity log](../role-based-access-control/resource-provider-operations.md).
-For more information on the schema of Activity Log entries, see [Activity Log schema](/azure/azure-monitor/essentials/activity-log-schema).
+For more information on the schema of Activity Log entries, see [Activity Log schema](../azure-monitor/essentials/activity-log-schema.md).
## Schemas
The following schemas are in use by Azure Container Instances.
## See also - See [Monitoring Azure Container Instances](monitor-azure-container-instances.md) for a description of monitoring Azure Container Instances.-- See [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.
+- See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.
container-instances Monitor Azure Container Instances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/monitor-azure-container-instances.md
Last updated 06/06/2022
When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation.
-This article describes the monitoring data generated by Azure Container Instances. Azure Container Instances includes built-in support for [Azure Monitor](/azure/azure-monitor/overview). If you're unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource).
+This article describes the monitoring data generated by Azure Container Instances. Azure Container Instances includes built-in support for [Azure Monitor](../azure-monitor/overview.md). If you're unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md).
## Monitoring overview page in Azure portal
The **Overview** page in the Azure portal for each container instance includes a
## Monitoring data
-Azure Container Instances collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](/azure/azure-monitor/essentials/monitor-azure-resource#monitoring-data-from-Azure-resources).
+Azure Container Instances collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](../azure-monitor/essentials/monitor-azure-resource.md#monitoring-data-from-azure-resources).
See [Monitoring *Azure Container Instances* data reference](monitor-azure-container-instances-reference.md) for detailed information on the metrics and logs metrics created by Azure Container Instances.
The metrics and logs you can collect are discussed in the following sections.
## Analyzing metrics
-You can analyze metrics for *Azure Container Instances* with metrics from other Azure services using metrics explorer by opening **Metrics** from the **Azure Monitor** menu. See [Getting started with Azure Metrics Explorer](/azure/azure-monitor/essentials/metrics-getting-started) for details on using this tool.
+You can analyze metrics for *Azure Container Instances* with metrics from other Azure services using metrics explorer by opening **Metrics** from the **Azure Monitor** menu. See [Getting started with Azure Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md) for details on using this tool.
For a list of the platform metrics collected for Azure Container Instances, see [Monitoring Azure Container Instances data reference metrics](monitor-azure-container-instances-reference.md#metrics). All metrics for Azure Container Instances are in the namespace **Container group standard metrics**. In a container group with multiple containers, you can additionally filter on the [dimension](monitor-azure-container-instances-reference.md#metric-dimensions) **containerName** to acquire metrics from a specific container within the group.
-For reference, you can see a list of [all resource metrics supported in Azure Monitor](/azure/azure-monitor/essentials/metrics-supported).
+For reference, you can see a list of [all resource metrics supported in Azure Monitor](../azure-monitor/essentials/metrics-supported.md).
### View operation level metrics for Azure Container Instances
In a scenario where you have a container group with multiple containers, you may
Data in Azure Monitor Logs is stored in tables where each table has its own set of unique properties.
-All resource logs in Azure Monitor have the same fields followed by service-specific fields. The common schema is outlined in [Azure Monitor resource log schema](/azure/azure-monitor/essentials/resource-logs-schema) The schema for Azure Container Instances resource logs is found in the [Azure Container Instances Data Reference](monitor-azure-container-instances-reference.md#schemas).
+All resource logs in Azure Monitor have the same fields followed by service-specific fields. The common schema is outlined in [Azure Monitor resource log schema](../azure-monitor/essentials/resource-logs-schema.md) The schema for Azure Container Instances resource logs is found in the [Azure Container Instances Data Reference](monitor-azure-container-instances-reference.md#schemas).
-The [Activity log](/azure/azure-monitor/essentials/activity-log) is a type of Azure platform log that provides insight into subscription-level events. You can view it independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics. You can see a list of the kinds of operations that will be logged in the [Azure Container Instances Data Reference](monitor-azure-container-instances-reference.md#activity-log)
+The [Activity log](../azure-monitor/essentials/activity-log.md) is a type of Azure platform log that provides insight into subscription-level events. You can view it independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics. You can see a list of the kinds of operations that will be logged in the [Azure Container Instances Data Reference](monitor-azure-container-instances-reference.md#activity-log)
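Review bot: Two sentences in the rewritten lines still lack terminal punctuation: there is no period between `(../azure-monitor/essentials/resource-logs-schema.md)` and "The schema for Azure Container Instances", and the Activity log paragraph ends at `#activity-log)` with no period. Since both lines are already being touched for the link change, add the periods in the same commit.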
### Sample Kusto queries
ContainerInstanceLog_CL
``` > [!IMPORTANT]
-> When you select **Logs** from the Azure Container Instances menu, Log Analytics is opened with the query scope set to the current Azure Container Instances. This means that log queries will only include data from that resource. If you want to run a query that includes data from other resources or data from other Azure services, select **Logs** from the **Azure Monitor** menu. See [Log query scope and time range in Azure Monitor Log Analytics](/azure/azure-monitor/logs/scope) for details.
+> When you select **Logs** from the Azure Container Instances menu, Log Analytics is opened with the query scope set to the current Azure Container Instances. This means that log queries will only include data from that resource. If you want to run a query that includes data from other resources or data from other Azure services, select **Logs** from the **Azure Monitor** menu. See [Log query scope and time range in Azure Monitor Log Analytics](../azure-monitor/logs/scope.md) for details.
-For a list of common queries for Azure Container Instances, see the [Log Analytics queries interface](/azure/azure-monitor/logs/queries).
+For a list of common queries for Azure Container Instances, see the [Log Analytics queries interface](../azure-monitor/logs/queries.md).
## Alerts
For Azure Container Instances, there are three categories for alerting:
## Next steps * See the [Monitoring Azure Container Instances data reference](monitor-azure-container-instances-reference.md) for a reference of the metrics, logs, and other important values created by Azure Container Instances.
-* See [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.
+* See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.
container-registry Container Registry Authentication Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-authentication-managed-identity.md
For this article, you learn more about managed identities and how to:
> * Grant the identity access to an Azure container registry > * Use the managed identity to access the registry and pull a container image
-To create the Azure resources, this article requires that you run the Azure CLI version 2.0.55 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli].
+### [Azure CLI](#tab/azure-cli)
+
+To create the Azure resources, this article requires that you run the Azure CLI version 2.0.55 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
+
+### [Azure PowerShell](#tab/azure-powershell)
+
+To create the Azure resources, this article requires that you run the Azure PowerShell module version 7.5.0 or later. Run `Get-Module Az -ListAvailable` to find the version. If you need to install or upgrade, see [Install Azure PowerShell module][azure-powershell-install].
++ To set up a container registry and push a container image to it, you must also have Docker installed locally. Docker provides packages that easily configure Docker on any [macOS][docker-mac], [Windows][docker-windows], or [Linux][docker-linux] system.
Then, use the identity to authenticate to any [service that supports Azure AD au
## Create a container registry
+### [Azure CLI](#tab/azure-cli)
+ If you don't already have an Azure container registry, create a registry and push a sample container image to it. For steps, see [Quickstart: Create a private container registry using the Azure CLI](container-registry-get-started-azure-cli.md). This article assumes you have the `aci-helloworld:v1` container image stored in your registry. The examples use a registry name of *myContainerRegistry*. Replace with your own registry and image names in later steps.
+### [Azure PowerShell](#tab/azure-powershell)
+
+If you don't already have an Azure container registry, create a registry and push a sample container image to it. For steps, see [Quickstart: Create a private container registry using Azure PowerShell](container-registry-get-started-powershell.md).
+
+This article assumes you have the `aci-helloworld:v1` container image stored in your registry. The examples use a registry name of *myContainerRegistry*. Replace with your own registry and image names in later steps.
+++ ## Create a Docker-enabled VM
-Create a Docker-enabled Ubuntu virtual machine. You also need to install the [Azure CLI](/cli/azure/install-azure-cli) on the virtual machine. If you already have an Azure virtual machine, skip this step to create the virtual machine.
+### [Azure CLI](#tab/azure-cli)
+
+Create a Docker-enabled Ubuntu virtual machine. You also need to install the [Azure CLI][azure-cli-install] on the virtual machine. If you already have an Azure virtual machine, skip this step to create the virtual machine.
Deploy a default Ubuntu Azure virtual machine with [az vm create][az-vm-create]. The following example creates a VM named *myDockerVM* in an existing resource group named *myResourceGroup*:
-```azurecli
+```azurecli-interactive
az vm create \ --resource-group myResourceGroup \ --name myDockerVM \
az vm create \
It takes a few minutes for the VM to be created. When the command completes, take note of the `publicIpAddress` displayed by the Azure CLI. Use this address to make SSH connections to the VM.
+### [Azure PowerShell](#tab/azure-powershell)
+
+Create a Docker-enabled Ubuntu virtual machine. You also need to install the [Azure PowerShell][azure-powershell-install] on the virtual machine. If you already have an Azure virtual machine, skip this step to create the virtual machine.
+
+Deploy a default Ubuntu Azure virtual machine with [New-AzVM][new-azvm]. The following example creates a VM named *myDockerVM* in an existing resource group named *myResourceGroup*. You will be prompted for a user name that will be used when you connect to the VM. Specify *azureuser* as the user name. You will also be asked for a password, which you can leave blank. Password login for the VM is disabled when using an SSH key.
+
+```azurepowershell-interactive
+$vmParams = @{
+ ResourceGroupName = 'MyResourceGroup'
+ Name = 'myDockerVM'
+ Image = 'UbuntuLTS'
+ PublicIpAddressName = 'myPublicIP'
+ GenerateSshKey = $true
+ SshKeyName = 'mySSHKey'
+}
+New-AzVM @vmParams
+```
+
+It takes a few minutes for the VM to be created. When the command completes, run the following command to get the public IP address. Use this address to make SSH connections to the VM.
+
+```azurepowershell-interactive
+Get-AzPublicIpAddress -Name myPublicIP -ResourceGroupName myResourceGroup | Select-Object -ExpandProperty IpAddress
+```
+++ ### Install Docker on the VM After the VM is running, make an SSH connection to the VM. Replace *publicIpAddress* with the public IP address of your VM.
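Review bot: In the `$vmParams` splat, `ResourceGroupName = 'MyResourceGroup'` is capitalized differently from the *myResourceGroup* named in the paragraph above it and used in the `Get-AzPublicIpAddress` call that follows. Use `myResourceGroup` in the splat so that readers who copy both commands see a single name. The opening sentence of the tab also reads "install the Azure PowerShell"; "install Azure PowerShell" matches the product name used in the link text.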
After installation, run the following command to verify that Docker is running p
sudo docker run -it mcr.microsoft.com/hello-world ```
-Output:
-
-```
+```output
Hello from Docker! This message shows that your installation appears to be working correctly. [...] ```
+### [Azure CLI](#tab/azure-cli)
### Install the Azure CLI Follow the steps in [Install Azure CLI with apt](/cli/azure/install-azure-cli-apt) to install the Azure CLI on your Ubuntu virtual machine. For this article, ensure that you install version 2.0.55 or later.
+### [Azure PowerShell](#tab/azure-powershell)
+
+### Install the Azure PowerShell
+
+Follow the steps in [Installing PowerShell on Ubuntu][powershell-install] and [Install the Azure Az PowerShell module][azure-powershell-install] to install PowerShell and Azure PowerShell on your Ubuntu virtual machine. For this article, ensure that you install Azure PowerShell version 7.5.0 or later.
+++ Exit the SSH session. ## Example 1: Access with a user-assigned identity ### Create an identity
-Create an identity in your subscription using the [az identity create](/cli/azure/identity#az-identity-create) command. You can use the same resource group you used previously to create the container registry or virtual machine, or a different one.
+### [Azure CLI](#tab/azure-cli)
+
+Create an identity in your subscription using the [az identity create][az-identity-create] command. You can use the same resource group you used previously to create the container registry or virtual machine, or a different one.
```azurecli-interactive az identity create --resource-group myResourceGroup --name myACRId ```
-To configure the identity in the following steps, use the [az identity show][az_identity_show] command to store the identity's resource ID and service principal ID in variables.
+To configure the identity in the following steps, use the [az identity show][az-identity-show] command to store the identity's resource ID and service principal ID in variables.
-```azurecli
+```azurecli-interactive
# Get resource ID of the user-assigned identity userID=$(az identity show --resource-group myResourceGroup --name myACRId --query id --output tsv)
echo $userID
The ID is of the form:
+```output
+/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACRId
+```
+
+### [Azure PowerShell](#tab/azure-powershell)
+
+Create an identity in your subscription using the [New-AzUserAssignedIdentity][new-azuserassignedidentity] cmdlet. You can use the same resource group you used previously to create the container registry or virtual machine, or a different one.
+
+```azurepowershell-interactive
+New-AzUserAssignedIdentity -ResourceGroupName myResourceGroup -Location eastus -Name myACRId
```+
+To configure the identity in the following steps, use the [Get-AzUserAssignedIdentity][get-azuserassignedidentity] cmdlet to store the identity's resource ID and service principal ID in variables.
+
+```azurepowershell-interactive
+# Get resource ID of the user-assigned identity
+$userID = (Get-AzUserAssignedIdentity -ResourceGroupName myResourceGroup -Name myACRId).Id
+
+# Get service principal ID of the user-assigned identity
+$spID = (Get-AzUserAssignedIdentity -ResourceGroupName myResourceGroup -Name myACRId).PrincipalId
+```
+
+Because you need the identity's ID in a later step when you sign in to the Azure PowerShell from your virtual machine, show the value:
+
+```azurepowershell-interactive
+$userID
+```
+
+The ID is of the form:
+
+```output
/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACRId ``` ++ ### Configure the VM with the identity
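Review bot: The sentence introducing `$userID` says the value is needed when signing in from the virtual machine, but the PowerShell sign-in step added later in this change passes a client ID to `Connect-AzAccount -Identity -AccountId`, not the resource ID displayed here. Either show `.ClientId` at this point or reword the sentence so it no longer promises that the resource ID is the sign-in value. The two `Get-AzUserAssignedIdentity` calls could also be a single call stored in a variable, with `.Id` and `.PrincipalId` read from it.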
+### [Azure CLI](#tab/azure-cli)
+ The following [az vm identity assign][az-vm-identity-assign] command configures your Docker VM with the user-assigned identity:
-```azurecli
+```azurecli-interactive
az vm identity assign --resource-group myResourceGroup --name myDockerVM --identities $userID ```
+### [Azure PowerShell](#tab/azure-powershell)
+
+The following [Update-AzVM][update-azvm] command configures your Docker VM with the user-assigned identity:
+
+```azurepowershell-interactive
+$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myDockerVM
+Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType UserAssigned -IdentityID $userID
+```
+++ ### Grant identity access to the container registry
+### [Azure CLI](#tab/azure-cli)
+ Now configure the identity to access your container registry. First use the [az acr show][az-acr-show] command to get the resource ID of the registry:
-```azurecli
+```azurecli-interactive
resourceID=$(az acr show --resource-group myResourceGroup --name myContainerRegistry --query id --output tsv) ```
-Use the [az role assignment create][az-role-assignment-create] command to assign the AcrPull role to the registry. This role provides [pull permissions](container-registry-roles.md) to the registry. To provide both pull and push permissions, assign the ACRPush role.
+Use the [az role assignment create][az-role-assignment-create] command to assign the AcrPull role to the identity. This role provides [pull permissions](container-registry-roles.md) to the registry. To provide both pull and push permissions, assign the AcrPush role.
-```azurecli
+```azurecli-interactive
az role assignment create --assignee $spID --scope $resourceID --role acrpull ```
+### [Azure PowerShell](#tab/azure-powershell)
+
+Now configure the identity to access your container registry. First use the [Get-AzContainerRegistry][get-azcontainerregistry] command to get the resource ID of the registry:
+
+```azurepowershell-interactive
+$resourceID = (Get-AzContainerRegistry -ResourceGroupName myResourceGroup -Name myContainerRegistry).Id
+```
+
+Use the [New-AzRoleAssignment][new-azroleassignment] cmdlet to assign the AcrPull role to the identity. This role provides [pull permissions](container-registry-roles.md) to the registry. To provide both pull and push permissions, assign the AcrPush role.
+
+```azurepowershell-interactive
+New-AzRoleAssignment -ObjectId $spID -Scope $resourceID -RoleDefinitionName AcrPull
+```
+++ ### Use the identity to access the registry
+### [Azure CLI](#tab/azure-cli)
+ SSH into the Docker virtual machine that's configured with the identity. Run the following Azure CLI commands, using the Azure CLI installed on the VM. First, authenticate to the Azure CLI with [az login][az-login], using the identity you configured on the VM. For `<userID>`, substitute the ID of the identity you retrieved in a previous step.
You should see a `Login succeeded` message. You can then run `docker` commands w
docker pull mycontainerregistry.azurecr.io/aci-helloworld:v1 ```
+### [Azure PowerShell](#tab/azure-powershell)
+
+SSH into the Docker virtual machine that's configured with the identity. Run the following Azure PowerShell commands, using the Azure PowerShell installed on the VM.
+
+First, authenticate to the Azure PowerShell with [Connect-AzAccount][connect-azaccount], using the identity you configured on the VM. For `-AccountId` specify a client ID of the identity.
+
+```azurepowershell
+$clientId = (Get-AzUserAssignedIdentity -ResourceGroupName myResourceGroup -Name myACRId).ClientId
+Connect-AzAccount -Identity -AccountId $clientId
+```
+
+Then, authenticate to the registry with [Connect-AzContainerRegistry][connect-azcontainerregistry]. When you use this command, the Azure PowerShell uses the Active Directory token created when you ran `Connect-AzAccount` to seamlessly authenticate your session with the container registry. (Depending on your VM's setup, you might need to run this command and docker commands with `sudo`.)
+
+```azurepowershell
+sudo pwsh -command Connect-AzContainerRegistry -Name myContainerRegistry
+```
+
+You should see a `Login succeeded` message. You can then run `docker` commands without providing credentials. For example, run [docker pull][docker-pull] to pull the `aci-helloworld:v1` image, specifying the login server name of your registry. The login server name consists of your container registry name (all lowercase) followed by `.azurecr.io` - for example, `mycontainerregistry.azurecr.io`.
+
+```
+docker pull mycontainerregistry.azurecr.io/aci-helloworld:v1
+```
+++ ## Example 2: Access with a system-assigned identity ### Configure the VM with a system-managed identity
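Review bot: `$clientId = (Get-AzUserAssignedIdentity -ResourceGroupName myResourceGroup -Name myACRId).ClientId` is run on the VM before `Connect-AzAccount`, so the session has no Azure context when the lookup is made and the commands cannot succeed in the order shown. Capture the client ID on the workstation in the "Create an identity" step and have the reader substitute it here, the same way the CLI tab asks the reader to substitute `<userID>`.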
+### [Azure CLI](#tab/azure-cli)
+ The following [az vm identity assign][az-vm-identity-assign] command configures your Docker VM with a system-assigned identity:
-```azurecli
+```azurecli-interactive
az vm identity assign --resource-group myResourceGroup --name myDockerVM ```
Use the [az vm show][az-vm-show] command to set a variable to the value of `prin
spID=$(az vm show --resource-group myResourceGroup --name myDockerVM --query identity.principalId --out tsv) ```
+### [Azure PowerShell](#tab/azure-powershell)
+
+The following [Update-AzVM][update-azvm] command configures your Docker VM with a system-assigned identity:
+
+```azurepowershell-interactive
+$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myDockerVM
+Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType SystemAssigned
+```
+
+Use the [Get-AzVM][get-azvm] command to set a variable to the value of `principalId` (the service principal ID) of the VM's identity, to use in later steps.
+
+```azurepowershell-interactive
+$spID = (Get-AzVM -ResourceGroupName myResourceGroup -Name myDockerVM).Identity.PrincipalId
+```
+++ ### Grant identity access to the container registry
+### [Azure CLI](#tab/azure-cli)
+ Now configure the identity to access your container registry. First use the [az acr show][az-acr-show] command to get the resource ID of the registry:
-```azurecli
+```azurecli-interactive
resourceID=$(az acr show --resource-group myResourceGroup --name myContainerRegistry --query id --output tsv) ```
-Use the [az role assignment create][az-role-assignment-create] command to assign the AcrPull role to the identity. This role provides [pull permissions](container-registry-roles.md) to the registry. To provide both pull and push permissions, assign the ACRPush role.
+Use the [az role assignment create][az-role-assignment-create] command to assign the AcrPull role to the identity. This role provides [pull permissions](container-registry-roles.md) to the registry. To provide both pull and push permissions, assign the AcrPush role.
-```azurecli
+```azurecli-interactive
az role assignment create --assignee $spID --scope $resourceID --role acrpull ```
+### [Azure PowerShell](#tab/azure-powershell)
+
+Now configure the identity to access your container registry. First use the [[Get-AzContainerRegistry][get-azcontainerregistry] command to get the resource ID of the registry:
+
+```azurepowershell-interactive
+$resourceID = (Get-AzContainerRegistry -ResourceGroupName myResourceGroup -Name myContainerRegistry).Id
+```
+
+Use the [New-AzRoleAssignment][new-azroleassignment] cmdlet to assign the AcrPull role to the identity. This role provides [pull permissions](container-registry-roles.md) to the registry. To provide both pull and push permissions, assign the AcrPush role.
+
+```azurepowershell-interactive
+New-AzRoleAssignment -ObjectId $spID -Scope $resourceID -RoleDefinitionName AcrPull
+```
+++ ### Use the identity to access the registry
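Review bot: The first sentence of the PowerShell tab opens the link with a doubled bracket, `[[Get-AzContainerRegistry][get-azcontainerregistry]`, which will render a stray `[` in front of the link. Drop one bracket so the line matches the same sentence in Example 1: `[Get-AzContainerRegistry][get-azcontainerregistry]`.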
+### [Azure CLI](#tab/azure-cli)
+ SSH into the Docker virtual machine that's configured with the identity. Run the following Azure CLI commands, using the Azure CLI installed on the VM. First, authenticate the Azure CLI with [az login][az-login], using the system-assigned identity on the VM.
You should see a `Login succeeded` message. You can then run `docker` commands w
``` docker pull mycontainerregistry.azurecr.io/aci-helloworld:v1 ```
+### [Azure PowerShell](#tab/azure-powershell)
+
+SSH into the Docker virtual machine that's configured with the identity. Run the following Azure PowerShell commands, using the Azure PowerShell installed on the VM.
+
+First, authenticate the Azure PowerShell with [Connect-AzAccount][connect-azaccount], using the system-assigned identity on the VM.
+
+```azurepowershell
+Connect-AzAccount -Identity
+```
+
+Then, authenticate to the registry with [Connect-AzContainerRegistry][connect-azcontainerregistry]. When you use this command, the PowerShell uses the Active Directory token created when you ran `Connect-AzAccount` to seamlessly authenticate your session with the container registry. (Depending on your VM's setup, you might need to run this command and docker commands with `sudo`.)
+
+```azurepowershell
+sudo pwsh -command Connect-AzContainerRegistry -Name myContainerRegistry
+```
+
+You should see a `Login succeeded` message. You can then run `docker` commands without providing credentials. For example, run [docker pull][docker-pull] to pull the `aci-helloworld:v1` image, specifying the login server name of your registry. The login server name consists of your container registry name (all lowercase) followed by `.azurecr.io` - for example, `mycontainerregistry.azurecr.io`.
+
+```
+docker pull mycontainerregistry.azurecr.io/aci-helloworld:v1
+```
++ ## Next steps
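Review bot: `sudo pwsh -command Connect-AzContainerRegistry -Name myContainerRegistry` starts a separate PowerShell process as root, while `Connect-AzAccount -Identity` was run in the signed-in user's own session. The text says the registry login reuses the token from `Connect-AzAccount`, which holds only if the saved Azure context is visible to the root process. State that requirement, or show both cmdlets running in the same elevated `pwsh` invocation so the sign-in and the registry login share one context. The same applies to the identical command in Example 1.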
In this article, you learned about using managed identities with Azure Container
<!-- LINKS - Internal --> [az-login]: /cli/azure/reference-index#az_login
+[connect-azaccount]: /powershell/module/az.accounts/connect-azaccount
[az-acr-login]: /cli/azure/acr#az_acr_login
+[connect-azcontainerregistry]: /powershell/module/az.containerregistry/connect-azcontainerregistry
[az-acr-show]: /cli/azure/acr#az_acr_show
+[get-azcontainerregistry]: /powershell/module/az.containerregistry/get-azcontainerregistry
[az-vm-create]: /cli/azure/vm#az_vm_create
+[new-azvm]: /powershell/module/az.compute/new-azvm
[az-vm-show]: /cli/azure/vm#az_vm_show
+[get-azvm]: /powershell/module/az.compute/get-azvm
+[az-identity-create]: /cli/azure/identity#az_identity_create
+[new-azuserassignedidentity]: /powershell/module/az.managedserviceidentity/new-azuserassignedidentity
[az-vm-identity-assign]: /cli/azure/vm/identity#az_vm_identity_assign
+[update-azvm]: /powershell/module/az.compute/update-azvm
[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create
-[az-acr-login]: /cli/azure/acr#az_acr_login
+[new-azroleassignment]: /powershell/module/az.resources/new-azroleassignment
[az-identity-show]: /cli/azure/identity#az_identity_show
-[azure-cli]: /cli/azure/install-azure-cli
+[get-azuserassignedidentity]: /powershell/module/az.managedserviceidentity/get-azuserassignedidentity
+[azure-cli-install]: /cli/azure/install-azure-cli
+[azure-powershell-install]: /powershell/azure/install-az-ps
+[powershell-install]: /powershell/scripting/install/install-ubuntu
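Review bot: The new definition `[az-identity-create]: /cli/azure/identity#az_identity_create` uses an underscore anchor, while the inline link it replaces earlier in this change used `#az-identity-create`, and another Azure CLI link in this batch uses the hyphenated form (`#az-acr-show-usage`). Confirm which anchor form resolves on the reference pages and use it consistently, so the move from inline links to reference-style links does not change where the links land.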
container-registry Container Registry Skus https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-skus.md
Throttling could occur temporarily when you generate a burst of image pull or pu
## Show registry usage
-Use the [az acr show-usage](/cli/azure/acr#az-acr-show-usage) command, or the [List Usages](/rest/api/containerregistry/registries/list-usages) REST API, to get a snapshot of your registry's current consumption of storage and other resources, compared with the limits for that registry's service tier. Storage usage also appears on the registry's **Overview** page in the portal.
+Use the [az acr show-usage](/cli/azure/acr#az-acr-show-usage) command in the Azure CLI, [Get-AzContainerRegistryUsage](/powershell/module/az.containerregistry/get-azcontainerregistryusage) in Azure PowerShell, or the [List Usages](/rest/api/containerregistry/registries/list-usages) REST API, to get a snapshot of your registry's current consumption of storage and other resources, compared with the limits for that registry's service tier. Storage usage also appears on the registry's **Overview** page in the portal.
Usage information helps you make decisions about [changing the service tier](#changing-tiers) when your registry nears a limit. This information also helps you [manage consumption](container-registry-best-practices.md#manage-registry-size).
There is no registry downtime or impact on registry operations when you move bet
To move between service tiers in the Azure CLI, use the [az acr update][az-acr-update] command. For example, to switch to Premium: ```azurecli
-az acr update --name myregistry --sku Premium
+az acr update --name myContainerRegistry --sku Premium
+```
+
+### Azure PowerShell
+
+To move between service tiers in Azure PowerShell, use the [Update-AzContainerRegistry][update-azcontainerregistry] cmdlet. For example, to switch to Premium:
+
+```azurepowershell
+Update-AzContainerRegistry -ResourceGroupName myResourceGroup -Name myContainerRegistry -Sku Premium
``` ### Azure portal
Submit and vote on new feature suggestions in [ACR UserVoice][container-registry
<!-- LINKS - Internal --> [az-acr-update]: /cli/azure/acr#az_acr_update
+[update-azcontainerregistry]: /powershell/module/az.containerregistry/update-azcontainerregistry
[container-registry-geo-replication]: container-registry-geo-replication.md [container-registry-storage]: container-registry-storage.md [container-registry-delete]: container-registry-delete.md
container-registry Container Registry Troubleshoot Login https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-troubleshoot-login.md
Run the [az acr check-health](/cli/azure/acr#az-acr-check-health) command to get
See [Check the health of an Azure container registry](container-registry-check-health.md) for command examples. If errors are reported, review the [error reference](container-registry-health-error-reference.md) and the following sections for recommended solutions.
-Follow the instructions from the [AKS support doc](https://docs.microsoft.com/troubleshoot/azure/azure-kubernetes/cannot-pull-image-from-acr-to-aks-cluster) if you fail to pull images from ACR to the AKS cluster.
+Follow the instructions from the [AKS support doc](/troubleshoot/azure/azure-kubernetes/cannot-pull-image-from-acr-to-aks-cluster) if you fail to pull images from ACR to the AKS cluster.
> [!NOTE] > Some authentication or authorization errors can also occur if there are firewall or network configurations that prevent registry access. See [Troubleshoot network issues with registry](container-registry-troubleshoot-access.md).
If you don't resolve your problem here, see the following options.
* [Troubleshoot registry performance](container-registry-troubleshoot-performance.md) * [Community support](https://azure.microsoft.com/support/community/) options * [Microsoft Q&A](/answers/products/)
-* [Open a support ticket](https://azure.microsoft.com/support/create-ticket/) - based on information you provide, a quick diagnostic might be run for authentication failures in your registry
+* [Open a support ticket](https://azure.microsoft.com/support/create-ticket/) - based on information you provide, a quick diagnostic might be run for authentication failures in your registry
container-registry Container Registry Tutorial Sign Build Push https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-tutorial-sign-build-push.md
In this tutorial:
## Prerequisites
-> * Install, create and sign in to [ORAS artifact enabled registry](/azure/container-registry/container-registry-oras-artifacts#create-oras-artifact-enabled-registry)
-> * Create or use an [Azure Key Vault](/azure/key-vault/general/quick-create-cli)
+> * Install, create and sign in to [ORAS artifact enabled registry](./container-registry-oras-artifacts.md#create-oras-artifact-enabled-registry)
+> * Create or use an [Azure Key Vault](../key-vault/general/quick-create-cli.md)
>* This tutorial can be run in the [Azure Cloud Shell](https://portal.azure.com/#cloudshell/) ## Install the notation CLI and AKV plugin
cosmos-db Connect Spark Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/connect-spark-configuration.md
This article is one among a series of articles on Azure Cosmos DB Cassandra API
## Dependencies for connectivity * **Spark connector for Cassandra:**
- Spark connector is used to connect to Azure Cosmos DB Cassandra API. Identify and use the version of the connector located in [Maven central]( https://mvnrepository.com/artifact/com.datastax.spark/spark-cassandra-connector) that is compatible with the Spark and Scala versions of your Spark environment. We recommend an environment which supports Spark 3.0 or higher, and the spark connector available at maven coordinates `com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0`. If using Spark 2.x, we recommend an environment with Spark version 2.4.5, using spark connector at maven coordinates `com.datastax.spark:spark-cassandra-connector_2.11:2.4.3`.
+ Spark connector is used to connect to Azure Cosmos DB Cassandra API. Identify and use the version of the connector located in [Maven central](https://mvnrepository.com/artifact/com.datastax.spark/spark-cassandra-connector-assembly) that is compatible with the Spark and Scala versions of your Spark environment. We recommend an environment that supports Spark 3.2.1 or higher, and the spark connector available at maven coordinates `com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0`. If using Spark 2.x, we recommend an environment with Spark version 2.4.5, using spark connector at maven coordinates `com.datastax.spark:spark-cassandra-connector_2.11:2.4.3`.
* **Azure Cosmos DB helper library for Cassandra API:**
- If you are using a version Spark 2.x then in addition to the Spark connector, you need another library called [azure-cosmos-cassandra-spark-helper]( https://search.maven.org/artifact/com.microsoft.azure.cosmosdb/azure-cosmos-cassandra-spark-helper/1.2.0/jar) with maven coordinates `com.microsoft.azure.cosmosdb:azure-cosmos-cassandra-spark-helper:1.2.0` from Azure Cosmos DB in order to handle [rate limiting](./scale-account-throughput.md#handling-rate-limiting-429-errors). This library contains custom connection factory and retry policy classes.
+ If you're using a version Spark 2.x, then in addition to the Spark connector, you need another library called [azure-cosmos-cassandra-spark-helper]( https://search.maven.org/artifact/com.microsoft.azure.cosmosdb/azure-cosmos-cassandra-spark-helper/1.2.0/jar) with maven coordinates `com.microsoft.azure.cosmosdb:azure-cosmos-cassandra-spark-helper:1.2.0` from Azure Cosmos DB in order to handle [rate limiting](./scale-account-throughput.md#handling-rate-limiting-429-errors). This library contains custom connection factory and retry policy classes.
- The retry policy in Azure Cosmos DB is configured to handle HTTP status code 429("Request Rate Large") exceptions. The Azure Cosmos DB Cassandra API translates these exceptions into overloaded errors on the Cassandra native protocol, and you can retry with back-offs. Because Azure Cosmos DB uses provisioned throughput model, request rate limiting exceptions occur when the ingress/egress rates increase. The retry policy protects your spark jobs against data spikes that momentarily exceed the throughput allocated for your container. If using the Spark 3.x connector, implementing this library is not required.
+ The retry policy in Azure Cosmos DB is configured to handle HTTP status code 429("Request Rate Large") exceptions. The Azure Cosmos DB Cassandra API translates these exceptions into overloaded errors on the Cassandra native protocol, and you can retry with back-offs. Because Azure Cosmos DB uses provisioned throughput model, request rate limiting exceptions occur when the ingress/egress rates increase. The retry policy protects your spark jobs against data spikes that momentarily exceed the throughput allocated for your container. If using the Spark 3.x connector, implementing this library isn't required.
> [!NOTE] > The retry policy can protect your spark jobs against momentary spikes only. If you have not configured enough RUs required to run your workload, then the retry policy is not applicable and the retry policy class rethrows the exception.
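Review bot: The link labelled "Maven central" in the added Spark connector paragraph still points at mvnrepository.com, which is a third-party index rather than Maven Central itself. Since this line already edits the URL, point it at the Central listing for `com.datastax.spark:spark-cassandra-connector-assembly_2.12` so readers resolve the artifact from the repository the text names. In the helper-library paragraph, "If you're using a version Spark 2.x" is missing a word ("a Spark 2.x version"), and the link target keeps a stray space after the opening parenthesis in `]( https://search.maven.org/`.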
This article is one among a series of articles on Azure Cosmos DB Cassandra API
Listed in the next section are all the relevant parameters for controlling throughput using the Spark Connector for Cassandra. In order to optimize parameters to maximize throughput for spark jobs, the `spark.cassandra.output.concurrent.writes`, `spark.cassandra.concurrent.reads`, and `spark.cassandra.input.reads_per_sec` configs needs to be correctly configured, in order to avoid too much throttling and back-off (which in turn can lead to lower throughput).
-The optimal value of these configurations depends on 4 factors:
+The optimal value of these configurations depends on four factors:
- The amount of throughput (Request Units) configured for the table that data is being ingested into. - The number of workers in your Spark cluster. - The number of executors configured for your spark job (which can be controlled using `spark.cassandra.connection.connections_per_executor_max` or `spark.cassandra.connection.remoteConnectionsPerExecutor` depending on Spark version)-- The average latency of each request to cosmos DB, if you are collocated in the same Data Center. Assume this value to be 10 ms for writes and 3 ms for reads.
+- The average latency of each request to Cosmos DB, if you're collocated in the same Data Center. Assume this value to be 10 ms for writes and 3 ms for reads.
-As an example, if we have 5 workers and a value of `spark.cassandra.output.concurrent.writes`= 1, and a value of `spark.cassandra.connection.remoteConnectionsPerExecutor` = 1, then we have 5 workers that are concurrently writing into the table, each with 1 thread. If it takes 10 ms to perform a single write, then we can send 100 requests (1000 milliseconds divided by 10) per second, per thread. With 5 workers, this would be 500 writes per second. At an average cost of 5 request units (RUs) per write, the target table would need a minimum 2500 request units provisioned (5 RUs x 500 writes per second).
+As an example, if we have five workers and a value of `spark.cassandra.output.concurrent.writes`= 1, and a value of `spark.cassandra.connection.remoteConnectionsPerExecutor` = 1, then we have five workers that are concurrently writing into the table, each with one thread. If it takes 10 ms to perform a single write, then we can send 100 requests (1000 milliseconds divided by 10) per second, per thread. With five workers, this would be 500 writes per second. At an average cost of five request units (RUs) per write, the target table would need a minimum 2500 request units provisioned (5 RUs x 500 writes per second).
Increasing the number of executors can increase the number of threads in a given job, which can in turn increase throughput. However, the exact impact of this can be variable depending on the job, while controlling throughput with number of workers is more deterministic. You can also determine the exact cost of a given request by profiling it to get the Request Unit (RU) charge. This will help you to be more accurate when provisioning throughput for your table or keyspace. Have a look at our article [here](./find-request-unit-charge-cassandra.md) to understand how to get request unit charges at a per request level. ### Scaling throughput in the database
-The Cassandra Spark connector will saturate throughput in Azure Cosmos DB very efficiently. As a result, even with effective retries, you will need to ensure you have sufficient throughput (RUs) provisioned at the table or keyspace level to prevent rate limiting related errors. The minimum setting of 400 RUs in a given table or keyspace will not be sufficient. Even at minimum throughput configuration settings, the Spark connector can write at a rate corresponding to around **6000 request units** or more.
+The Cassandra Spark connector will saturate throughput in Azure Cosmos DB efficiently. As a result, even with effective retries, you'll need to ensure you have sufficient throughput (RUs) provisioned at the table or keyspace level to prevent rate limiting related errors. The minimum setting of 400 RUs in a given table or keyspace won't be sufficient. Even at minimum throughput configuration settings, the Spark connector can write at a rate corresponding to around **6000 request units** or more.
If the RU setting required for data movement using Spark is higher than what is required for your steady state workload, you can easily scale throughput up and down systematically in Azure Cosmos DB to meet the needs of your workload for a given time period. Read our article on [elastic scale in Cassandra API](scale-account-throughput.md) to understand the different options for scaling programmatically and dynamically.
The following table lists Azure Cosmos DB Cassandra API-specific throughput conf
| **Property Name** | **Default value** | **Description** | |||| | spark.cassandra.output.batch.size.rows | 1 |Number of rows per single batch. Set this parameter to 1. This parameter is used to achieve higher throughput for heavy workloads. |
-| spark.cassandra.connection.connections_per_executor_max (Spark 2.x) spark.cassandra.connection.remoteConnectionsPerExecutor (Spark 3.x) | None | Maximum number of connections per node per executor. 10*n is equivalent to 10 connections per node in an n-node Cassandra cluster. So, if you require 5 connections per node per executor for a 5 node Cassandra cluster, then you should set this configuration to 25. Modify this value based on the degree of parallelism or the number of executors that your spark jobs are configured for. |
+| spark.cassandra.connection.connections_per_executor_max (Spark 2.x) spark.cassandra.connection.remoteConnectionsPerExecutor (Spark 3.x) | None | Maximum number of connections per node per executor. 10*n is equivalent to 10 connections per node in an n-node Cassandra cluster. So, if you require five connections per node per executor for a five node Cassandra cluster, then you should set this configuration to 25. Modify this value based on the degree of parallelism or the number of executors that your spark jobs are configured for. |
| spark.cassandra.output.concurrent.writes | 100 | Defines the number of parallel writes that can occur per executor. Because you set "batch.size.rows" to 1, make sure to scale up this value accordingly. Modify this value based on the degree of parallelism or the throughput that you want to achieve for your workload. | | spark.cassandra.concurrent.reads | 512 | Defines the number of parallel reads that can occur per executor. Modify this value based on the degree of parallelism or the throughput that you want to achieve for your workload | | spark.cassandra.output.throughput_mb_per_sec | None | Defines the total write throughput per executor. This parameter can be used as an upper limit for your spark job throughput, and base it on the provisioned throughput of your Cosmos container. |
The following table lists Azure Cosmos DB Cassandra API-specific throughput conf
| spark.cassandra.output.batch.grouping.buffer.size | 1000 | Defines the number of batches per single spark task that can be stored in memory before sending to Cassandra API | | spark.cassandra.connection.keep_alive_ms | 60000 | Defines the period of time until which unused connections are available. |
-Adjust the throughput and degree of parallelism of these parameters based on the workload you expect for your spark jobs, and the throughput you have provisioned for your Cosmos DB account.
+Adjust the throughput and degree of parallelism of these parameters based on the workload you expect for your spark jobs, and the throughput you've provisioned for your Cosmos DB account.
## Connecting to Azure Cosmos DB Cassandra API from Spark ### cqlsh
-The following commands detail how to connect to Azure CosmosDB Cassandra API from cqlsh. This is useful for validation as you run through the samples in Spark.<br>
+The following commands detail how to connect to Azure Cosmos DB Cassandra API from cqlsh. This is useful for validation as you run through the samples in Spark.<br>
**From Linux/Unix/Mac:** ```bash
import com.microsoft.azure.cosmosdb.cassandra
#### Spark session configuration: ```scala
-//Connection-related
-spark.conf.set("spark.cassandra.connection.host","YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com")
-spark.conf.set("spark.cassandra.connection.port","10350")
-spark.conf.set("spark.cassandra.connection.ssl.enabled","true")
-spark.conf.set("spark.cassandra.auth.username","YOUR_ACCOUNT_NAME")
-spark.conf.set("spark.cassandra.auth.password","YOUR_ACCOUNT_KEY")
-spark.conf.set("spark.cassandra.connection.factory", "com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory")
-
-//Throughput-related. You can adjust the values as needed
-spark.conf.set("spark.cassandra.output.batch.size.rows", "1")
-//spark.conf.set("spark.cassandra.connection.connections_per_executor_max", "10") // Spark 2.x
-spark.conf.set("spark.cassandra.connection.remoteConnectionsPerExecutor", "10") // Spark 3.x
-spark.conf.set("spark.cassandra.output.concurrent.writes", "1000")
-spark.conf.set("spark.cassandra.concurrent.reads", "512")
-spark.conf.set("spark.cassandra.output.batch.grouping.buffer.size", "1000")
-spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com
+ spark.cassandra.connection.port 10350
+ spark.cassandra.connection.ssl.enabled true
+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME
+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY
+// if using Spark 2.x
+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory
+
+//Throughput-related...adjust as needed
+ spark.cassandra.output.batch.size.rows 1
+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x
+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x
+ spark.cassandra.output.concurrent.writes 1000
+ spark.cassandra.concurrent.reads 512
+ spark.cassandra.output.batch.grouping.buffer.size 1000
+ spark.cassandra.connection.keep_alive_ms 600000000
``` ## Next steps
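Review bot: The replacement block is no longer Scala, yet it stays inside the `scala` fence and under the heading "Spark session configuration:". The added lines are space-separated key/value properties, so `//` is not comment syntax there and the trailing `// Spark 3.x` after `spark.cassandra.connection.remoteConnectionsPerExecutor 10` risks being read as part of the value when a reader pastes the block. Suggest changing the fence language, moving the Spark 2.x/3.x remarks into prose above the block, and adding a sentence that says where these properties are entered, since the removed `spark.conf.set(...)` calls were what made that obvious. Separately, `spark.cassandra.connection.keep_alive_ms 600000000` is carried over unchanged although the table earlier in this article lists 60000 as the default; worth confirming the value is intended.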
cosmos-db Manage Data Cqlsh https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/manage-data-cqlsh.md
In this quickstart, you create an Azure Cosmos DB Cassandra API account, and use
## Prerequisites-- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](/azure/cosmos-db/try-free) without an Azure subscription.
+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](../try-free.md) without an Azure subscription.
## Create a database account
In the Azure portal, open **Data Explorer** to query, modify, and work with this
In this quickstart, you learned how to create an Azure Cosmos DB account with Cassandra API using CQLSH that creates a Cassandra database and container. You can now import additional data into your Azure Cosmos DB account. > [!div class="nextstepaction"]
-> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
cosmos-db Manage Data Dotnet Core https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/manage-data-dotnet-core.md
Azure Cosmos DB is Microsoft's globally distributed multi-model database service
## Prerequisites In addition, you need: * Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]
Now go back to the Azure portal to get your connection string information and co
In this quickstart, you've learned how to create an Azure Cosmos DB account, create a container using the Data Explorer, and run a web app. You can now import other data to your Cosmos DB account. > [!div class="nextstepaction"]
-> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
cosmos-db Manage Data Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/manage-data-dotnet.md
Azure Cosmos DB is Microsoft's globally distributed multi-model database service
## Prerequisites In addition, you need: * Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]
Now go back to the Azure portal to get your connection string information and co
In this quickstart, you've learned how to create an Azure Cosmos DB account, create a container using the Data Explorer, and run a web app. You can now import other data to your Cosmos DB account. > [!div class="nextstepaction"]
-> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
cosmos-db Manage Data Java V4 Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/manage-data-java-v4-sdk.md
In this quickstart, you create an Azure Cosmos DB Cassandra API account, and use
## Prerequisites -- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](/azure/cosmos-db/try-free) without an Azure subscription.
+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](../try-free.md) without an Azure subscription.
- [Java Development Kit (JDK) 8](https://www.azul.com/downloads/azure-only/zulu/?&version=java-8-lts&architecture=x86-64-bit&package=jdk). Point your `JAVA_HOME` environment variable to the folder where the JDK is installed. - A [Maven binary archive](https://maven.apache.org/download.cgi). On Ubuntu, run `apt-get install maven` to install Maven. - [Git](https://www.git-scm.com/downloads). On Ubuntu, run `sudo apt-get install git` to install Git.
Now go back to the Azure portal to get your connection string information and co
In this quickstart, you learned how to create an Azure Cosmos DB account with Cassandra API, and run a Cassandra Java app that creates a Cassandra database and container. You can now import additional data into your Azure Cosmos DB account. > [!div class="nextstepaction"]
-> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
cosmos-db Manage Data Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/manage-data-java.md
In this quickstart, you create an Azure Cosmos DB Cassandra API account, and use
## Prerequisites -- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](/azure/cosmos-db/try-free) without an Azure subscription.
+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](../try-free.md) without an Azure subscription.
- [Java Development Kit (JDK) 8](https://www.azul.com/downloads/azure-only/zulu/?&version=java-8-lts&architecture=x86-64-bit&package=jdk). Point your `JAVA_HOME` environment variable to the folder where the JDK is installed. - A [Maven binary archive](https://maven.apache.org/download.cgi). On Ubuntu, run `apt-get install maven` to install Maven. - [Git](https://www.git-scm.com/downloads). On Ubuntu, run `sudo apt-get install git` to install Git.
Now go back to the Azure portal to get your connection string information and co
In this quickstart, you learned how to create an Azure Cosmos DB account with Cassandra API, and run a Cassandra Java app that creates a Cassandra database and container. You can now import additional data into your Azure Cosmos DB account. > [!div class="nextstepaction"]
-> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
cosmos-db Manage Data Nodejs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/manage-data-nodejs.md
In this quickstart, you create an Azure Cosmos DB Cassandra API account, and use
## Prerequisites In addition, you need:
Go to the Azure portal to get your connection string information and copy it int
In this quickstart, you learned how to create an Azure Cosmos DB account with Cassandra API, and run a Cassandra Node.js app that creates a Cassandra database and container. You can now import more data into your Azure Cosmos DB account. > [!div class="nextstepaction"]
-> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
cosmos-db Manage Data Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/manage-data-python.md
In this quickstart, you create an Azure Cosmos DB Cassandra API account, and use
## Prerequisites -- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](/azure/cosmos-db/try-free) without an Azure subscription.
+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](../try-free.md) without an Azure subscription.
- [Python 2.7 or 3.6+](https://www.python.org/downloads/). - [Git](https://git-scm.com/downloads). - [Python Driver for Apache Cassandra](https://github.com/datastax/python-driver).
Now go back to the Azure portal to get your connection string information and co
In this quickstart, you learned how to create an Azure Cosmos DB account with Cassandra API, and run a Cassandra Python app that creates a Cassandra database and container. You can now import additional data into your Azure Cosmos DB account. > [!div class="nextstepaction"]
-> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)
cosmos-db Materialized Views Cassandra https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/materialized-views-cassandra.md
New Cassandra API accounts with Materialized Views enabled can be provisioned on
### Log in to the Azure command line interface
-Install Azure CLI as mentioned at [How to install the Azure CLI | Microsoft Docs](https://docs.microsoft.com/cli/azure/install-azure-cli) and log on using the below:
+Install Azure CLI as mentioned at [How to install the Azure CLI | Microsoft Docs](/cli/azure/install-azure-cli) and log on using the below:
```azurecli-interactive az login ```
This step is optional – you can skip this step if you don't want to use Custom
To use Customer Managed Keys feature and Materialized views together on Cosmos DB account, you must first configure managed identities with Azure Active Directory for your account and then enable support for materialized views.
-You can use the documentation [here](https://docs.microsoft.com/azure/cosmos-db/how-to-setup-cmk) to configure your Cosmos DB Cassandra account with customer managed keys and setup managed identity access to the key Vault. Make sure you follow all the steps in [Using a managed identity in Azure key vault access policy](https://docs.microsoft.com/azure/cosmos-db/how-to-setup-managed-identity). The next step to enable materializedViews on the account.
+You can use the documentation [here](../how-to-setup-cmk.md) to configure your Cosmos DB Cassandra account with customer managed keys and setup managed identity access to the key Vault. Make sure you follow all the steps in [Using a managed identity in Azure key vault access policy](../how-to-setup-managed-identity.md). The next step to enable materializedViews on the account.
Once your account is set up with CMK and managed identity, you can enable materialized views on the account by enabling “enableMaterializedViews” property in the request body.
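Review bot: The rewritten paragraph still ends with the fragment "The next step to enable materializedViews on the account.", which has no verb; since the line is already being touched for the links, make it "The next step is to enable materialized views on the account." In the same line, "setup managed identity access to the key Vault" should read "set up managed identity access to the key vault", and the "[here]" link text would be clearer as the title of the target article.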
cosmos-db Spark Aggregation Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-aggregation-operations.md
This article describes basic aggregation operations against Azure Cosmos DB Cass
> Server-side filtering, and server-side aggregation is currently not supported in Azure Cosmos DB Cassandra API. ## Cassandra API configuration-
+Set below spark configuration in your notebook cluster. It's one time activity.
```scala
-import org.apache.spark.sql.cassandra._
-//Spark connector
-import com.datastax.spark.connector._
-import com.datastax.spark.connector.cql.CassandraConnector
-import org.apache.spark.sql.functions._
-
-//if using Spark 2.x, CosmosDB library for multiple retry
-//import com.microsoft.azure.cosmosdb.cassandra
- //Connection-related
-spark.conf.set("spark.cassandra.connection.host","YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com")
-spark.conf.set("spark.cassandra.connection.port","10350")
-spark.conf.set("spark.cassandra.connection.ssl.enabled","true")
-spark.conf.set("spark.cassandra.auth.username","YOUR_ACCOUNT_NAME")
-spark.conf.set("spark.cassandra.auth.password","YOUR_ACCOUNT_KEY")
+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com
+ spark.cassandra.connection.port 10350
+ spark.cassandra.connection.ssl.enabled true
+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME
+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY
// if using Spark 2.x
-// spark.conf.set("spark.cassandra.connection.factory", "com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory")
+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory
//Throughput-related...adjust as needed
-spark.conf.set("spark.cassandra.output.batch.size.rows", "1")
-//spark.conf.set("spark.cassandra.connection.connections_per_executor_max", "10") // Spark 2.x
-spark.conf.set("spark.cassandra.connection.remoteConnectionsPerExecutor", "10") // Spark 3.x
-spark.conf.set("spark.cassandra.output.concurrent.writes", "1000")
-spark.conf.set("spark.cassandra.concurrent.reads", "512")
-spark.conf.set("spark.cassandra.output.batch.grouping.buffer.size", "1000")
-spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
+ spark.cassandra.output.batch.size.rows 1
+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x
+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x
+ spark.cassandra.output.concurrent.writes 1000
+ spark.cassandra.concurrent.reads 512
+ spark.cassandra.output.batch.grouping.buffer.size 1000
+ spark.cassandra.connection.keep_alive_ms 600000000
``` > [!NOTE]
-> If you are using Spark 3.0 or higher, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector(see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization). However, when using operations that require spark context (e.g. `CassandraConnector(sc)` for some of the operations shown below), connection properties need to be defined at the cluster level.
+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).
+
+> [!WARNING]
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
## Sample data generator ```scala
+import org.apache.spark.sql.cassandra._
+//Spark connector
+import com.datastax.spark.connector._
+import com.datastax.spark.connector.cql.CassandraConnector
+import org.apache.spark.sql.functions._
+
+//if using Spark 2.x, CosmosDB library for multiple retry
+//import com.microsoft.azure.cosmosdb.cassandra
+ // Generate a simple dataset containing five values val booksDF = Seq( ("b00001", "Arthur Conan Doyle", "A study in scarlet", 1887,11.33),
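Review bot: Moving `spark.cassandra.auth.password YOUR_ACCOUNT_KEY` from a notebook `spark.conf.set` call to cluster configuration means the account key is stored with the cluster definition and shared by every notebook attached to it. The new lead-in ("Set below spark configuration in your notebook cluster. It's one time activity.") should say so and recommend supplying the key through the platform's secret mechanism rather than as a literal. The lead-in also needs rewording, for example "Set the following Spark configuration on your notebook cluster. This is a one-time activity." The shortened NOTE drops the explanation that operations needing the Spark context, such as `CassandraConnector(sc)`, require cluster-level properties; that was the reason for this move and is worth keeping in one sentence.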
Count against dataframes is currently not supported. The sample below shows how
Choose a [storage option]( https://spark.apache.org/docs/2.2.0/rdd-programming-guide.html#which-storage-level-to-choose) from the following available options, to avoid running into "out of memory" issues:
-* MEMORY_ONLY: This is the default storage option. Stores RDD as deserialized Java objects in the JVM. If the RDD does not fit in memory, some partitions will not be cached and they are recomputed on the fly each time they're needed.
+* MEMORY_ONLY: It's the default storage option. Stores RDD as deserialized Java objects in the JVM. If the RDD doesn't fit in memory, some partitions won't be cached, and they're recomputed on the fly each time they're needed.
-* MEMORY_AND_DISK: Stores RDD as deserialized Java objects in the JVM. If the RDD does not fit in memory, store the partitions that don't fit on disk, and whenever required, read them from the location they are stored.
+* MEMORY_AND_DISK: Stores RDD as deserialized Java objects in the JVM. If the RDD doesn't fit in memory, store the partitions that don't fit on disk, and whenever required, read them from the location they're stored.
-* MEMORY_ONLY_SER (Java/Scala): Stores RDD as serialized Java objects- one-byte array per partition. This option is space-efficient when compared to deserialized objects, especially when using a fast serializer, but more CPU-intensive to read.
+* MEMORY_ONLY_SER (Java/Scala): Stores RDD as serialized Java objects- 1-byte array per partition. This option is space-efficient when compared to deserialized objects, especially when using a fast serializer, but more CPU-intensive to read.
* MEMORY_AND_DISK_SER (Java/Scala): This storage option is like MEMORY_ONLY_SER, the only difference is that it spills partitions that don't fit in the disk memory instead of recomputing them when they're needed.
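Review bot: in the MEMORY_ONLY_SER bullet, rewriting "one-byte array per partition" as "1-byte array per partition" changes the meaning. The original describes a single byte array for each partition; the new wording reads as an array that is one byte long. Suggest "one byte array per partition". In the MEMORY_ONLY bullet, "It's the default storage option" has no antecedent at the start of a list item; "This is the default storage option" was clearer.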
cosmos-db Spark Create Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-create-operations.md
Last updated 09/24/2018
This article describes how to insert sample data into a table in Azure Cosmos DB Cassandra API from Spark. ## Cassandra API configuration
+Set below spark configuration in your notebook cluster. It's one time activity.
```scala
-import org.apache.spark.sql.cassandra._
-//Spark connector
-import com.datastax.spark.connector._
-import com.datastax.spark.connector.cql.CassandraConnector
-
-//if using Spark 2.x, CosmosDB library for multiple retry
-//import com.microsoft.azure.cosmosdb.cassandra
- //Connection-related
-spark.conf.set("spark.cassandra.connection.host","YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com")
-spark.conf.set("spark.cassandra.connection.port","10350")
-spark.conf.set("spark.cassandra.connection.ssl.enabled","true")
-spark.conf.set("spark.cassandra.auth.username","YOUR_ACCOUNT_NAME")
-spark.conf.set("spark.cassandra.auth.password","YOUR_ACCOUNT_KEY")
+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com
+ spark.cassandra.connection.port 10350
+ spark.cassandra.connection.ssl.enabled true
+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME
+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY
// if using Spark 2.x
-// spark.conf.set("spark.cassandra.connection.factory", "com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory")
+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory
//Throughput-related...adjust as needed
-spark.conf.set("spark.cassandra.output.batch.size.rows", "1")
-//spark.conf.set("spark.cassandra.connection.connections_per_executor_max", "10") // Spark 2.x
-spark.conf.set("spark.cassandra.connection.remoteConnectionsPerExecutor", "10") // Spark 3.x
-spark.conf.set("spark.cassandra.output.concurrent.writes", "1000")
-spark.conf.set("spark.cassandra.concurrent.reads", "512")
-spark.conf.set("spark.cassandra.output.batch.grouping.buffer.size", "1000")
-spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
+ spark.cassandra.output.batch.size.rows 1
+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x
+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x
+ spark.cassandra.output.concurrent.writes 1000
+ spark.cassandra.concurrent.reads 512
+ spark.cassandra.output.batch.grouping.buffer.size 1000
+ spark.cassandra.connection.keep_alive_ms 600000000
``` > [!NOTE]
-> If you are using Spark 3.0, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization).
+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).
> [!WARNING]
-> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
## Dataframe API ### Create a Dataframe with sample data ```scala
+import org.apache.spark.sql.cassandra._
+//Spark connector
+import com.datastax.spark.connector._
+import com.datastax.spark.connector.cql.CassandraConnector
+
+//if using Spark 2.x, CosmosDB library for multiple retry
+//import com.microsoft.azure.cosmosdb.cassandra
+ // Generate a dataframe containing five records val booksDF = Seq( ("b00001", "Arthur Conan Doyle", "A study in scarlet", 1887),
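Review bot: the added line `spark.cassandra.auth.password YOUR_ACCOUNT_KEY` moves the account key out of notebook code and into the cluster Spark configuration as a literal value, where it is stored with the cluster definition and visible to anyone who can view the cluster settings. Suggest adding a sentence next to the block telling readers to supply the key through the platform's secret store reference rather than pasting it, and keeping `spark.cassandra.connection.ssl.enabled true` called out as required. The fence is also still tagged `scala` although the block no longer contains Scala.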
select * from books;
## Resilient Distributed Database (RDD) API
-### Create a RDD with sample data
+### Create an RDD with sample data
```scala //Drop and re-create table to delete records created in the previous section val cdbConnector = CassandraConnector(sc)
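Review bot: the parent heading just above the edited line still expands RDD as "Resilient Distributed Database". RDD stands for Resilient Distributed Dataset, so the heading should be corrected in the same change that fixes "a RDD" to "an RDD".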
When saving data to Cassandra API, you can also set time-to-live and consistency
```scala import com.datastax.spark.connector.writer._
+import com.datastax.oss.driver.api.core.ConsistencyLevel
//Persist booksRDD.saveToCassandra("books_ks", "books", SomeColumns("book_id", "book_author", "book_name", "book_pub_year"),writeConf = WriteConf(ttl = TTLOption.constant(900000),consistencyLevel = ConsistencyLevel.ALL))
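Review bot: the added `import com.datastax.oss.driver.api.core.ConsistencyLevel` is unconditional, but that package belongs to the driver used by the Spark 3 connector. The article still carries "if using Spark 2.x" guidance elsewhere, and the 2.x connector takes `ConsistencyLevel` from `com.datastax.driver.core`. Suggest a commented alternative import for Spark 2.x, in the same style as the other 2.x comments, so the sample compiles on both.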
cosmos-db Spark Databricks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-databricks.md
This article details how to work with Azure Cosmos DB Cassandra API from Spark o
* **Cassandra API instance configuration for Cassandra connector:**
- The connector for Cassandra API requires the Cassandra connection details to be initialized as part of the spark context. When you launch a Databricks notebook, the spark context is already initialized and it is not advisable to stop and reinitialize it. One solution is to add the Cassandra API instance configuration at a cluster level, in the cluster spark configuration. This is a one-time activity per cluster. Add the following code to the Spark configuration as a space separated key value pair:
+ The connector for Cassandra API requires the Cassandra connection details to be initialized as part of the spark context. When you launch a Databricks notebook, the spark context is already initialized, and it isn't advisable to stop and reinitialize it. One solution is to add the Cassandra API instance configuration at a cluster level, in the cluster spark configuration. It's one-time activity per cluster. Add the following code to the Spark configuration as a space separated key value pair:
```scala spark.cassandra.connection.host YOUR_COSMOSDB_ACCOUNT_NAME.cassandra.cosmosdb.azure.com
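Review bot: "It's one-time activity per cluster" in the rewritten paragraph drops the article and leaves "It" without a clear referent. The previous wording, "This is a one-time activity per cluster", should be kept. The block that follows is introduced as space separated key value pairs but is fenced as `scala`; a plain or `text` fence would match the content.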
This article details how to work with Azure Cosmos DB Cassandra API from Spark o
* **Cassandra Spark connector:** - To integrate Azure Cosmos DB Cassandra API with Spark, the Cassandra connector should be attached to the Azure Databricks cluster. To attach the cluster:
- * Review the Databricks runtime version, the Spark version. Then find the [maven coordinates](https://mvnrepository.com/artifact/com.datastax.spark/spark-cassandra-connector) that are compatible with the Cassandra Spark connector, and attach it to the cluster. See ["Upload a Maven package or Spark package"](https://docs.databricks.com/user-guide/libraries.html) article to attach the connector library to the cluster. We recommend selecting Databricks runtime version 7.5, which supports Spark 3.0. To add the Apache Spark Cassandra Connector, your cluster, select **Libraries** > **Install New** > **Maven**, and then add `com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0` in Maven coordinates. If using Spark 2.x, we recommend an environment with Spark version 2.4.5, using spark connector at maven coordinates `com.datastax.spark:spark-cassandra-connector_2.11:2.4.3`.
+ * Review the Databricks runtime version, the Spark version. Then find the [maven coordinates](https://mvnrepository.com/artifact/com.datastax.spark/spark-cassandra-connector-assembly) that are compatible with the Cassandra Spark connector, and attach it to the cluster. See ["Upload a Maven package or Spark package"](https://docs.databricks.com/user-guide/libraries.html) article to attach the connector library to the cluster. We recommend selecting Databricks runtime version 10.4 LTS, which supports Spark 3.2.1. To add the Apache Spark Cassandra Connector, your cluster, select **Libraries** > **Install New** > **Maven**, and then add `com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0` in Maven coordinates. If using Spark 2.x, we recommend an environment with Spark version 2.4.5, using spark connector at maven coordinates `com.datastax.spark:spark-cassandra-connector_2.11:2.4.3`.
-* **Azure Cosmos DB Cassandra API-specific library:** - If you are using Spark 2.x, a custom connection factory is required to configure the retry policy from the Cassandra Spark connector to Azure Cosmos DB Cassandra API. Add the `com.microsoft.azure.cosmosdb:azure-cosmos-cassandra-spark-helper:1.2.0`[maven coordinates](https://search.maven.org/artifact/com.microsoft.azure.cosmosdb/azure-cosmos-cassandra-spark-helper/1.2.0/jar) to attach the library to the cluster.
+* **Azure Cosmos DB Cassandra API-specific library:** - If you're using Spark 2.x, a custom connection factory is required to configure the retry policy from the Cassandra Spark connector to Azure Cosmos DB Cassandra API. Add the `com.microsoft.azure.cosmosdb:azure-cosmos-cassandra-spark-helper:1.2.0`[maven coordinates](https://search.maven.org/artifact/com.microsoft.azure.cosmosdb/azure-cosmos-cassandra-spark-helper/1.2.0/jar) to attach the library to the cluster.
> [!NOTE]
-> If you are using Spark 3.0, you do not need to install the Cosmos DB Cassandra API-specific library mentioned above.
+> If you are using Spark 3.x, you do not need to install the Cosmos DB Cassandra API-specific library mentioned above.
> [!WARNING]
-> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
## Sample notebooks
-A list of Azure Databricks [sample notebooks](https://github.com/Azure-Samples/azure-cosmos-db-cassandra-api-spark-notebooks-databricks/tree/main/notebooks/scala) are available in GitHub repo for you to download. These samples include how to connect to Azure Cosmos DB Cassandra API from Spark and perform different CRUD operations on the data. You can also [import all the notebooks](https://github.com/Azure-Samples/azure-cosmos-db-cassandra-api-spark-notebooks-databricks/tree/main/dbc) into your Databricks cluster workspace and run it.
+A list of Azure Databricks [sample notebooks](https://github.com/Azure-Samples/azure-cosmos-db-cassandra-api-spark-notebooks-databricks/tree/main/notebooks/scala) is available in GitHub repo for you to download. These samples include how to connect to Azure Cosmos DB Cassandra API from Spark and perform different CRUD operations on the data. You can also [import all the notebooks](https://github.com/Azure-Samples/azure-cosmos-db-cassandra-api-spark-notebooks-databricks/tree/main/dbc) into your Databricks cluster workspace and run it.
## Accessing Azure Cosmos DB Cassandra API from Spark Scala programs
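Review bot: in the Cassandra Spark connector bullet, the rewritten line keeps the broken sentence "To add the Apache Spark Cassandra Connector, your cluster, select **Libraries** > **Install New** > **Maven**". Since the line is being touched to update the runtime and coordinates, fix it in the same change, for example "To add the Apache Spark Cassandra Connector to your cluster, select ...". In the sample notebooks paragraph, "import all the notebooks ... and run it" should end with "run them".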
cosmos-db Spark Ddl Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-ddl-operations.md
This article details keyspace and table DDL operations against Azure Cosmos DB C
## Spark context
- The connector for Cassandra API requires the Cassandra connection details to be initialized as part of the spark context. When you launch a notebook, the spark context is already initialized and it is not advisable to stop and reinitialize it. One solution is to add the Cassandra API instance configuration at a cluster level, in the cluster spark configuration. This is a one-time activity per cluster. Add the following code to the Spark configuration as a space separated key value pair:
+ The connector for Cassandra API requires the Cassandra connection details to be initialized as part of the spark context. When you launch a notebook, the spark context is already initialized, and it isn't advisable to stop and reinitialize it. One solution is to add the Cassandra API instance configuration at a cluster level, in the cluster spark configuration. It's one-time activity per cluster. Add the following code to the Spark configuration as a space separated key value pair:
```scala spark.cassandra.connection.host YOUR_COSMOSDB_ACCOUNT_NAME.cassandra.cosmosdb.azure.com
This article details keyspace and table DDL operations against Azure Cosmos DB C
spark.cassandra.connection.ssl.enabled true spark.cassandra.auth.username YOUR_COSMOSDB_ACCOUNT_NAME spark.cassandra.auth.password YOUR_COSMOSDB_KEY+
+ //Throughput-related...adjust as needed
+ spark.cassandra.output.batch.size.rows 1
+ // spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x
+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x
+ spark.cassandra.output.concurrent.writes 1000
+ spark.cassandra.concurrent.reads 512
+ spark.cassandra.output.batch.grouping.buffer.size 1000
+ spark.cassandra.connection.keep_alive_ms 600000000
``` ## Cassandra API-related configuration
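Review bot: the throughput settings added to this block keep their Scala comment syntax, for example `spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x` and the line `//Throughput-related...adjust as needed`. The paragraph above tells the reader to paste the block into the cluster Spark configuration as space separated key value pairs, so these comment lines and trailing comments are not valid entries in that format and get pasted along with the settings. Suggest moving the Spark 2.x and 3.x guidance into the prose or the note below the block and leaving only key value lines inside it.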
import com.datastax.spark.connector.cql.CassandraConnector
//if using Spark 2.x, CosmosDB library for multiple retry //import com.microsoft.azure.cosmosdb.cassandra //spark.conf.set("spark.cassandra.connection.factory", "com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory")-
-//Throughput-related...adjust as needed
-spark.conf.set("spark.cassandra.output.batch.size.rows", "1")
-//spark.conf.set("spark.cassandra.connection.connections_per_executor_max", "10") // Spark 2.x
-spark.conf.set("spark.cassandra.connection.remoteConnectionsPerExecutor", "10") // Spark 3.x
-spark.conf.set("spark.cassandra.output.concurrent.writes", "1000")
-spark.conf.set("spark.cassandra.concurrent.reads", "512")
-spark.conf.set("spark.cassandra.output.batch.grouping.buffer.size", "1000")
-spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
``` > [!NOTE]
-> If you are using Spark 3.0, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).
+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).
> [!WARNING]
-> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.1**. Later versions of Spark and/or the Cassandra connector may not function as expected.
## Keyspace DDL operations
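Review bot: the updated warning in this file names the connector as `com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.1`, while the same warning in the other articles changed in this commit, and the Maven coordinates in the Databricks article, use `3.2.0`. Please confirm which version was tested and make the warnings consistent.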
USE books_ks;
DESCRIBE books; ```
-Provisioned throughput and default TTL values are not shown in the output of the previous command, you can get these values from the portal.
+Provisioned throughput and default TTL values aren't shown in the output of the previous command, you can get these values from the portal.
### Alter table
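Review bot: the edited sentence is still a comma splice: "aren't shown in the output of the previous command, you can get these values from the portal." Suggest splitting it into two sentences or joining the clauses with a semicolon.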
After creating the keyspace and the table, proceed to the following articles for
* [Upsert operations](spark-upsert-operations.md) * [Delete operations](spark-delete-operation.md) * [Aggregation operations](spark-aggregation-operations.md)
-* [Table copy operations](spark-table-copy-operations.md)
+* [Table copy operations](spark-table-copy-operations.md)
cosmos-db Spark Delete Operation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-delete-operation.md
ms.devlang: scala
This article describes how to delete data in Azure Cosmos DB Cassandra API tables from Spark. ## Cassandra API configuration-
+Set below spark configuration in your notebook cluster. It's one time activity.
```scala
-import org.apache.spark.sql.cassandra._
-//Spark connector
-import com.datastax.spark.connector._
-import com.datastax.spark.connector.cql.CassandraConnector
-
-//if using Spark 2.x, CosmosDB library for multiple retry
-//import com.microsoft.azure.cosmosdb.cassandra
- //Connection-related
-spark.conf.set("spark.cassandra.connection.host","YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com")
-spark.conf.set("spark.cassandra.connection.port","10350")
-spark.conf.set("spark.cassandra.connection.ssl.enabled","true")
-spark.conf.set("spark.cassandra.auth.username","YOUR_ACCOUNT_NAME")
-spark.conf.set("spark.cassandra.auth.password","YOUR_ACCOUNT_KEY")
+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com
+ spark.cassandra.connection.port 10350
+ spark.cassandra.connection.ssl.enabled true
+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME
+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY
// if using Spark 2.x
-// spark.conf.set("spark.cassandra.connection.factory", "com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory")
+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory
//Throughput-related...adjust as needed
-spark.conf.set("spark.cassandra.output.batch.size.rows", "1")
-//spark.conf.set("spark.cassandra.connection.connections_per_executor_max", "10") // Spark 2.x
-spark.conf.set("spark.cassandra.connection.remoteConnectionsPerExecutor", "10") // Spark 3.x
-spark.conf.set("spark.cassandra.output.concurrent.writes", "1000")
-spark.conf.set("spark.cassandra.concurrent.reads", "512")
-spark.conf.set("spark.cassandra.output.batch.grouping.buffer.size", "1000")
-spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
+ spark.cassandra.output.batch.size.rows 1
+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x
+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x
+ spark.cassandra.output.concurrent.writes 1000
+ spark.cassandra.concurrent.reads 512
+ spark.cassandra.output.batch.grouping.buffer.size 1000
+ spark.cassandra.connection.keep_alive_ms 600000000
``` > [!NOTE]
-> If you are using Spark 3.0, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization). However, when using operations that require spark context (for example, `CassandraConnector(sc)` for `delete` as shown below), connection properties need to be defined at the cluster level.
+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).
> [!WARNING]
-> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
## Sample data generator
-We will use this code fragment to generate sample data:
+We'll use this code fragment to generate sample data:
```scala
+import org.apache.spark.sql.cassandra._
+//Spark connector
+import com.datastax.spark.connector._
+import com.datastax.spark.connector.cql.CassandraConnector
+
+//if using Spark 2.x, CosmosDB library for multiple retry
+//import com.microsoft.azure.cosmosdb.cassandra
+ //Create dataframe val booksDF = Seq( ("b00001", "Arthur Conan Doyle", "A study in scarlet", 1887,11.33),
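Review bot: the shortened note removes the only explanation of why the properties must be set on the cluster, namely that operations requiring the spark context, such as `CassandraConnector(sc)` for `delete`, need the connection properties at cluster level. The new lead-in, "Set below spark configuration in your notebook cluster. It's one time activity.", gives the instruction without the reason. Suggest keeping one sentence with that rationale.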
cosmos-db Spark Read Operation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-read-operation.md
This article describes how to read data stored in Azure Cosmos DB Cassandra API from Spark. ## Cassandra API configuration
+Set below spark configuration in your notebook cluster. It's one time activity.
```scala
-import org.apache.spark.sql.cassandra._
-//Spark connector
-import com.datastax.spark.connector._
-import com.datastax.spark.connector.cql.CassandraConnector
-
-//if using Spark 2.x, CosmosDB library for multiple retry
-//import com.microsoft.azure.cosmosdb.cassandra
- //Connection-related
-spark.conf.set("spark.cassandra.connection.host","YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com")
-spark.conf.set("spark.cassandra.connection.port","10350")
-spark.conf.set("spark.cassandra.connection.ssl.enabled","true")
-spark.conf.set("spark.cassandra.auth.username","YOUR_ACCOUNT_NAME")
-spark.conf.set("spark.cassandra.auth.password","YOUR_ACCOUNT_KEY")
+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com
+ spark.cassandra.connection.port 10350
+ spark.cassandra.connection.ssl.enabled true
+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME
+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY
// if using Spark 2.x
-// spark.conf.set("spark.cassandra.connection.factory", "com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory")
+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory
//Throughput-related...adjust as needed
-spark.conf.set("spark.cassandra.output.batch.size.rows", "1")
-//spark.conf.set("spark.cassandra.connection.connections_per_executor_max", "10") // Spark 2.x
-spark.conf.set("spark.cassandra.connection.remoteConnectionsPerExecutor", "10") // Spark 3.x
-spark.conf.set("spark.cassandra.output.concurrent.writes", "1000")
-spark.conf.set("spark.cassandra.concurrent.reads", "512")
-spark.conf.set("spark.cassandra.output.batch.grouping.buffer.size", "1000")
-spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
+ spark.cassandra.output.batch.size.rows 1
+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x
+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x
+ spark.cassandra.output.concurrent.writes 1000
+ spark.cassandra.concurrent.reads 512
+ spark.cassandra.output.batch.grouping.buffer.size 1000
+ spark.cassandra.connection.keep_alive_ms 600000000
``` > [!NOTE]
-> If you are using Spark 3.0, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector(see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization).
+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).
> [!WARNING]
-> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
## Dataframe API ### Read table using session.read.format command ```scala
+import org.apache.spark.sql.cassandra._
+//Spark connector
+import com.datastax.spark.connector._
+import com.datastax.spark.connector.cql.CassandraConnector
+
+//if using Spark 2.x, CosmosDB library for multiple retry
+//import com.microsoft.azure.cosmosdb.cassandra
+ val readBooksDF = sqlContext .read .format("org.apache.spark.sql.cassandra")
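Review bot: the added lead-in "Set below spark configuration in your notebook cluster. It's one time activity." is ungrammatical and does not say where the setting lives. Suggest "Set the following Spark configuration on your notebook cluster. This is a one-time activity." The imports that moved into the read sample now carry the "if using Spark 2.x" comment, but the connection factory they relate to is configured in a different block; a short cross-reference would help Spark 2.x readers.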
cosmos-db Spark Table Copy Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-table-copy-operations.md
ms.devlang: scala
This article describes how to copy data between tables in Azure Cosmos DB Cassandra API from Spark. The commands described in this article can also be used to copy data from Apache Cassandra tables to Azure Cosmos DB Cassandra API tables. ## Cassandra API configuration-
+Set below spark configuration in your notebook cluster. It's one time activity.
```scala
-import org.apache.spark.sql.cassandra._
-//Spark connector
-import com.datastax.spark.connector._
-import com.datastax.spark.connector.cql.CassandraConnector
-
-//if using Spark 2.x, CosmosDB library for multiple retry
-//import com.microsoft.azure.cosmosdb.cassandra
- //Connection-related
-spark.conf.set("spark.cassandra.connection.host","YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com")
-spark.conf.set("spark.cassandra.connection.port","10350")
-spark.conf.set("spark.cassandra.connection.ssl.enabled","true")
-spark.conf.set("spark.cassandra.auth.username","YOUR_ACCOUNT_NAME")
-spark.conf.set("spark.cassandra.auth.password","YOUR_ACCOUNT_KEY")
+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com
+ spark.cassandra.connection.port 10350
+ spark.cassandra.connection.ssl.enabled true
+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME
+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY
// if using Spark 2.x
-// spark.conf.set("spark.cassandra.connection.factory", "com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory")
+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory
//Throughput-related...adjust as needed
-spark.conf.set("spark.cassandra.output.batch.size.rows", "1")
-//spark.conf.set("spark.cassandra.connection.connections_per_executor_max", "10") // Spark 2.x
-spark.conf.set("spark.cassandra.connection.remoteConnectionsPerExecutor", "10") // Spark 3.x
-spark.conf.set("spark.cassandra.output.concurrent.writes", "1000")
-spark.conf.set("spark.cassandra.concurrent.reads", "512")
-spark.conf.set("spark.cassandra.output.batch.grouping.buffer.size", "1000")
-spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
+ spark.cassandra.output.batch.size.rows 1
+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x
+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x
+ spark.cassandra.output.concurrent.writes 1000
+ spark.cassandra.concurrent.reads 512
+ spark.cassandra.output.batch.grouping.buffer.size 1000
+ spark.cassandra.connection.keep_alive_ms 600000000
``` > [!NOTE]
-> If you are using Spark 3.0 or higher, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization).
+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).
> [!WARNING]
-> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
## Insert sample data ```scala
+import org.apache.spark.sql.cassandra._
+//Spark connector
+import com.datastax.spark.connector._
+import com.datastax.spark.connector.cql.CassandraConnector
+
+//if using Spark 2.x, CosmosDB library for multiple retry
+//import com.microsoft.azure.cosmosdb.cassandra
+ val booksDF = Seq( ("b00001", "Arthur Conan Doyle", "A study in scarlet", 1887,11.33), ("b00023", "Arthur Conan Doyle", "A sign of four", 1890,22.45),
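Review bot: the introduction says these commands can also copy data from Apache Cassandra tables into Cosmos DB, but after this change the only connection settings shown are a single cluster-level `spark.cassandra.connection.host`, and the note no longer mentions that connection properties can be defined outside the cluster configuration. A reader following the article has no indication of how to point the source read at a different host. Suggest either keeping a sentence on setting connection properties per session or read, or narrowing the introduction's claim.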
sqlContext
.show ```
-### Copy data between tables (destination table does not exist)
+### Copy data between tables (destination table doesn't exist)
```scala import com.datastax.spark.connector._
cosmos-db Spark Upsert Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/spark-upsert-operations.md
ms.devlang: scala
This article describes how to upsert data into Azure Cosmos DB Cassandra API from Spark. ## Cassandra API configuration-
+Set below spark configuration in your notebook cluster. It's one time activity.
```scala
-import org.apache.spark.sql.cassandra._
-//Spark connector
-import com.datastax.spark.connector._
-import com.datastax.spark.connector.cql.CassandraConnector
-
-//if using Spark 2.x, CosmosDB library for multiple retry
-//import com.microsoft.azure.cosmosdb.cassandra
- //Connection-related
-spark.conf.set("spark.cassandra.connection.host","YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com")
-spark.conf.set("spark.cassandra.connection.port","10350")
-spark.conf.set("spark.cassandra.connection.ssl.enabled","true")
-spark.conf.set("spark.cassandra.auth.username","YOUR_ACCOUNT_NAME")
-spark.conf.set("spark.cassandra.auth.password","YOUR_ACCOUNT_KEY")
+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com
+ spark.cassandra.connection.port 10350
+ spark.cassandra.connection.ssl.enabled true
+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME
+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY
// if using Spark 2.x
-// spark.conf.set("spark.cassandra.connection.factory", "com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory")
+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory
//Throughput-related...adjust as needed
-spark.conf.set("spark.cassandra.output.batch.size.rows", "1")
-//spark.conf.set("spark.cassandra.connection.connections_per_executor_max", "10") // Spark 2.x
-spark.conf.set("spark.cassandra.connection.remoteConnectionsPerExecutor", "10") // Spark 3.x
-spark.conf.set("spark.cassandra.output.concurrent.writes", "1000")
-spark.conf.set("spark.cassandra.concurrent.reads", "512")
-spark.conf.set("spark.cassandra.output.batch.grouping.buffer.size", "1000")
-spark.conf.set("spark.cassandra.connection.keep_alive_ms", "600000000")
+ spark.cassandra.output.batch.size.rows 1
+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x
+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x
+ spark.cassandra.output.concurrent.writes 1000
+ spark.cassandra.concurrent.reads 512
+ spark.cassandra.output.batch.grouping.buffer.size 1000
+ spark.cassandra.connection.keep_alive_ms 600000000
``` > [!NOTE]
-> If you are using Spark 3.0, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above). You will see that connection related properties are defined within the notebook above. Using the syntax below, connection properties can be defined in this manner without needing to be defined at the cluster level (Spark context initialization). However, when using operations that require spark context (for example, `CassandraConnector(sc)` for `update` as shown below), connection properties need to be defined at the cluster level.
+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).
> [!WARNING]
-> The Spark 3 samples shown in this article have been tested with Spark **version 3.0.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.0.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.
## Dataframe API ### Create a dataframe ```scala
+import org.apache.spark.sql.cassandra._
+//Spark connector
+import com.datastax.spark.connector._
+import com.datastax.spark.connector.cql.CassandraConnector
+
+//if using Spark 2.x, CosmosDB library for multiple retry
+//import com.microsoft.azure.cosmosdb.cassandra
+ // (1) Update: Changing author name to include prefix of "Sir" // (2) Insert: adding a new book
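Review bot: in the Cassandra API configuration block, `spark.cassandra.auth.password YOUR_ACCOUNT_KEY` moves the account key out of notebook code and into cluster-level Spark configuration, so the text should say who can read that configuration and recommend a secret reference instead of the literal key where the platform offers one. The block is also still fenced as `scala` and keeps `//` comments although its contents are now space-separated properties; the trailing `// Spark 3.x` after `spark.cassandra.connection.remoteConnectionsPerExecutor 10` is likely to be pasted as part of the value, so move the Spark 2.x/3.x remarks into the prose and drop the language tag. Minor: "It's one time activity" should read "This is a one-time activity."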
cosmos-db Quickstart Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/quickstart-dotnet.md
This quickstart will create a single Azure Cosmos DB account using the MongoDB A
### Create a new .NET app
-Create a new .NET application in an empty folder using your preferred terminal. Use the [``dotnet new console``](/dotnet/core/tools/dotnet-newt) to create a new console app.
+Create a new .NET application in an empty folder using your preferred terminal. Use the [``dotnet new console``](/dotnet/core/tools/dotnet-new) to create a new console app.
```console dotnet new console -o <app-name>
cosmos-db Quickstart Javascript https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/quickstart-javascript.md
Remove-AzResourceGroup @parameters
In this quickstart, you learned how to create an Azure Cosmos DB MongoDB API account, create a database, and create a collection using the MongoDB driver. You can now dive deeper into the Cosmos DB MongoDB API to import more data, perform complex queries, and manage your Azure Cosmos DB MongoDB resources. > [!div class="nextstepaction"]
-> [Migrate MongoDB to Azure Cosmos DB API for MongoDB offline](/azure/dms/tutorial-mongodb-cosmos-db?toc=%2Fazure%2Fcosmos-db%2Ftoc.json%3Ftoc%3D%2Fazure%2Fcosmos-db%2Ftoc.json)
+> [Migrate MongoDB to Azure Cosmos DB API for MongoDB offline](../../dms/tutorial-mongodb-cosmos-db.md?toc=%2fazure%2fcosmos-db%2ftoc.json%3ftoc%3d%2fazure%2fcosmos-db%2ftoc.json)
cosmos-db Lock https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/scripts/cli/table/lock.md
az group delete --name $resourceGroup
## Next steps - [Prevent Azure Cosmos DB resources from being deleted or changed](../../../resource-locks.md)-- [Lock resources to prevent unexpected changes](/azure/azure-resource-manager/management/lock-resources)
+- [Lock resources to prevent unexpected changes](../../../../azure-resource-manager/management/lock-resources.md)
- [How to audit Azure Cosmos DB control plane operations](../../../audit-control-plane-logs.md) - [Azure Cosmos DB CLI documentation](/cli/azure/cosmosdb)-- [Azure Cosmos DB CLI GitHub repository](https://github.com/Azure-Samples/azure-cli-samples/tree/master/cosmosdb)
+- [Azure Cosmos DB CLI GitHub repository](https://github.com/Azure-Samples/azure-cli-samples/tree/master/cosmosdb)
cosmos-db Bulk Executor Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/sql/bulk-executor-java.md
Currently, the bulk executor library is supported only by Azure Cosmos DB SQL AP
* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) before you begin.
-* You can [try Azure Cosmos DB for free](/azure/cosmos-db/try-free) without an Azure subscription, free of charge and commitments. Or, you can use the [Azure Cosmos DB Emulator](../local-emulator.md) with the `https://localhost:8081` endpoint. The Primary Key is provided in [Authenticating requests](../local-emulator.md#authenticate-requests).
+* You can [try Azure Cosmos DB for free](../try-free.md) without an Azure subscription, free of charge and commitments. Or, you can use the [Azure Cosmos DB Emulator](../local-emulator.md) with the `https://localhost:8081` endpoint. The Primary Key is provided in [Authenticating requests](../local-emulator.md#authenticate-requests).
* [Java Development Kit (JDK) 1.8+](/java/azure/jdk/) - On Ubuntu, run `apt-get install default-jdk` to install the JDK.
cosmos-db Create Table Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/table/create-table-dotnet.md
This quickstart shows how to get started with the Azure Cosmos DB Table API from
> [!NOTE] > The [example code snippets](https://github.com/Azure-Samples/cosmos-db-table-api-dotnet-samples) are available on GitHub as a .NET project.
-[Table API reference documentation](/azure/storage/tables) | [Azure.Data.Tables Package (NuGet)](https://www.nuget.org/packages/Azure.Data.Tables/)
+[Table API reference documentation](../../storage/tables/index.yml) | [Azure.Data.Tables Package (NuGet)](https://www.nuget.org/packages/Azure.Data.Tables/)
## Prerequisites
You can retrieve a specific item from a table using the [``TableEntity.GetEntity
After you insert an item, you can also run a query to get all items that match a specific filter by using the `TableClient.Query<T>` method. This example filters products by category using [Linq](/dotnet/standard/linq) syntax, which is a benefit of using strongly typed `ITableEntity` models like the `Product` class. > [!NOTE]
-> You can also query items using [OData](/rest/api/storageservices/querying-tables-and-entities) syntax. You can see an example of this approach in the [Query Data](/azure/cosmos-db/table/tutorial-query-table) tutorial.
+> You can also query items using [OData](/rest/api/storageservices/querying-tables-and-entities) syntax. You can see an example of this approach in the [Query Data](./tutorial-query-table.md) tutorial.
:::code language="csharp" source="~/azure-cosmos-tableapi-dotnet/001-quickstart/Program.cs" id="query_items" :::
Remove-AzResourceGroup @parameters
In this quickstart, you learned how to create an Azure Cosmos DB Table API account, create a table, and manage entries using the .NET SDK. You can now dive deeper into the SDK to learn how to perform more advanced data queries and management tasks in your Azure Cosmos DB Table API resources. > [!div class="nextstepaction"]
-> [Get started with Azure Cosmos DB Table API and .NET](/azure/cosmos-db/table/how-to-dotnet-get-started)
+> [Get started with Azure Cosmos DB Table API and .NET](./how-to-dotnet-get-started.md)
cost-management-billing Group Filter https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/costs/group-filter.md
The following table lists some of the most common grouping and filtering options
| **Frequency** | Break down usage-based, one-time, and recurring costs. | | | **Invoice ID** | Break down costs by billed invoice. | Unbilled charges don't have an invoice ID yet and EA costs don't include invoice details and will show as **No invoice ID**. | | **Location** | Break down costs by resource location or region. | Purchases and Marketplace usage may be shown as **unassigned**, or **No resource location**. |
-| **Meter** | Break down costs by usage meter. | Purchases and Marketplace usage will show as **No meter**. Refer to **Charge type** to identify purchases and **Publisher type** to identify Marketplace charges. |
+| **Meter** | Break down costs by usage meter. | Purchases and Marketplace usage will show as **unassigned** or **No meter**. Refer to **Charge type** to identify purchases and **Publisher type** to identify Marketplace charges. |
| **Operation** | Break down AWS costs by operation. | Applicable only to AWS scopes and management groups. Azure data doesn't include operation and will show as **No operation** - use **Meter** instead. | | **Pricing model** | Break down costs by on-demand, reservation, or spot usage. | Purchases show as **OnDemand**. If you see **Not applicable**, group by **Reservation** to determine whether the usage is reservation or on-demand usage and **Charge type** to identify purchases. | **Provider** | Break down costs by the provider type: Azure, Microsoft 365, Dynamics 365, AWS, and so on. | Identifier for product and line of business. |
cost-management-billing Review Individual Bill https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/understand/review-individual-bill.md
Your usage charges are displayed at the meter level. The following terms mean th
|Resource |MeterName | |Region |MeterRegion | |Consumed | Quantity |
-|Included |Included Quantity |
|Billable |Overage Quantity | |Rate | EffectivePrice| | Value | Cost |
data-factory Data Flow Cast https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/data-flow-cast.md
+
+ Title: Cast transformation in mapping data flow
+description: Learn how to use a mapping data flow cast transformation to easily change column data types in Azure Data Factory or Synapse Analytics pipelines.
++++++++ Last updated : 07/13/2022++
+# Cast transformation in mapping data flow
+++
+Use the cast transformation to easily modify the data types of individual columns in a data flow. The cast transformation also enables an easy way to check for casting errors.
+
+## Configuration
++
+To modify the data type for columns in your data flow, add columns to "Cast settings" using the plus (+) sign.
+
+**Column name:** Pick the column you wish to cast from your list of metadata columns.
+
+**Type:** Choose the data type to cast your column to. If you pick "complex", you can then select "Define complex type" and define structures, arrays, and maps inside the expression builder.
+
+**Format:** Some data types, like decimal and dates, will allow for additional formatting options.
+
+**Assert type check:** The cast transformation allows for type checking. If the casting fails, the row will be marked as an assertion error that you can trap later in the stream.
+
+## Data flow script
+
+### Syntax
+
+```
+<incomingStream>
+ cast(output(
+ AddressID as integer,
+ AddressLine1 as string,
+ AddressLine2 as string,
+ City as string
+ ),
+ errors: true) ~> <castTransformationName<>
+```
+## Next steps
+
+Modify existing columns and new columns using the [derived column transformation](data-flow-derived-column.md).
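Review bot: the closing placeholder in the Syntax block, `errors: true) ~> <castTransformationName<>`, has a stray `<` and should read `<castTransformationName>`, otherwise readers will copy a malformed script. The article also never says what `errors: true` controls; if it is the script form of the **Assert type check** setting described under Configuration, state that next to the example so the two can be matched up.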
data-factory Data Flow Transformation Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/data-flow-transformation-overview.md
Previously updated : 12/20/2021 Last updated : 07/14/2022 # Mapping data flow transformation overview
Below is a list of the transformations currently supported in mapping data flow.
| [Aggregate](data-flow-aggregate.md) | Schema modifier | Define different types of aggregations such as SUM, MIN, MAX, and COUNT grouped by existing or computed columns. | | [Alter row](data-flow-alter-row.md) | Row modifier | Set insert, delete, update, and upsert policies on rows. | | [Assert](data-flow-assert.md) | Row modifier | Set assert rules for each row. |
+| [Cast](data-flow-cast.md) | Schema modifier | Change column data types with type checking. |
| [Conditional split](data-flow-conditional-split.md) | Multiple inputs/outputs | Route rows of data to different streams based on matching conditions. | | [Derived column](data-flow-derived-column.md) | Schema modifier | Generate new columns or modify existing fields using the data flow expression language. | | [External call](data-flow-external-call.md) | Schema modifier | Call external endpoints inline row-by-row. | | [Exists](data-flow-exists.md) | Multiple inputs/outputs | Check whether your data exists in another source or stream. | | [Filter](data-flow-filter.md) | Row modifier | Filter a row based upon a condition. | | [Flatten](data-flow-flatten.md) | Formatters | Take array values inside hierarchical structures such as JSON and unroll them into individual rows. |
+| [Flowlet](concepts-data-flow-flowlet.md) | Flowlets | Build and include custom re-usable transformation logic. |
| [Join](data-flow-join.md) | Multiple inputs/outputs | Combine data from two sources or streams. | | [Lookup](data-flow-lookup.md) | Multiple inputs/outputs | Reference data from another source. | | [New branch](data-flow-new-branch.md) | Multiple inputs/outputs | Apply multiple sets of operations and transformations against the same data stream. |
databox Data Box Deploy Export Picked Up https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/data-box-deploy-export-picked-up.md
Previously updated : 04/21/2022 Last updated : 06/16/2022
+zone_pivot_groups: data-box-shipping
# Customer intent: As an IT admin, I need to be able to return Data Box to upload on-premises data from my server onto Azure.
Before you begin, make sure:
The next steps are determined by where you are returning the device.
-## Ship Data Box back
+## Ship Data Box back
-Ensure that the data copy from the device is complete and **Prepare to ship** run is successful.
+Based on the region where you're shipping the device, the procedure is different. In many countries/regions, you can use Microsoft managed shipping or [self-managed shipping](#self-managed-shipping).
-Based on the region where you're shipping the device, the procedure is different. In many countries/regions, you can use Microsoft managed shipping or self-managed shipping.
-### Microsoft managed shipping
+If using Microsoft managed shipping, follow these steps.
-Follow the guidelines for the region you're shipping from if you're using Microsoft managed shipping.
+## Shipping in Americas
-## [US & Canada](#tab/in-us-canada)
+### US & Canada
[!INCLUDE [data-box-shipping-in-us-canada](../../includes/data-box-shipping-in-us-canada.md)]
-## [EU](#tab/in-eu)
++
+If using Microsoft managed shipping, follow these steps.
+
+## Shipping in Europe
+
+### [EU](#tab/in-europe)
[!INCLUDE [data-box-shipping-in-eu](../../includes/data-box-shipping-in-eu.md)] **If you're shipping back to Azure datacenters in Germany or Switzerland,** you can also [use self-managed shipping](#self-managed-shipping).
-## [UK](#tab/in-uk)
+### [UK](#tab/in-uk)
[!INCLUDE [data-box-shipping-in-uk](../../includes/data-box-shipping-in-uk.md)]
-## [Australia](#tab/in-australia)
+### [Norway](#tab/in-norway)
++
+If using Microsoft managed shipping, follow these steps.
+
+## Shipping in Asia
-## [Japan](#tab/in-japan)
+### [Japan](#tab/in-japan)
[!INCLUDE [data-box-shipping-in-japan](../../includes/data-box-shipping-in-japan.md)]
-## [Singapore](#tab/in-singapore)
+### [Singapore](#tab/in-singapore)
[!INCLUDE [data-box-shipping-in-singapore](../../includes/data-box-shipping-in-singapore.md)]
-## [Hong Kong](#tab/in-hk)
+### [Hong Kong](#tab/in-hk)
[!INCLUDE [data-box-shipping-in-hk](../../includes/data-box-shipping-in-hk.md)]
-## [Korea](#tab/in-korea)
+### [Korea](#tab/in-korea)
[!INCLUDE [data-box-shipping-in-korea](../../includes/data-box-shipping-in-korea.md)]
-## [S Africa](#tab/in-sa)
+### [UAE](#tab/in-uae)
-## [UAE](#tab/in-uae)
-## [Norway](#tab/in-norway)
-
+If using Microsoft managed shipping, follow these steps.
+
+## Shipping in Australia
-### Self-managed shipping
+### Australia
++++
+If using Microsoft managed shipping, follow these steps.
+
+## Shipping in Africa
+
+### S Africa
+++
+## Self-managed shipping
+ [!INCLUDE [data-box-shipping-self-managed](../../includes/data-box-shipping-self-managed.md)] +
+### Shipping in Brazil
+
+To schedule a device return in Brazil, send an email to [adbops@microsoft.com](mailto:adbops@microsoft.com) with the following information:
+
+```
+Subject: Request Azure Data Box Disk drop-off for order: <ordername>
+
+- Order name
+- Contact name of the person who will drop off the Data Box Disk (A government-issued photo ID will be required to validate the contactΓÇÖs identity upon arrival.)
+- Inbound Nota Fiscal (A copy of the inbound Nota Fiscal will be required at drop-off.)
+```
++ ## Erasure of data from Data Box Once the device reaches Azure datacenter, the Data Box erases the data on its disks as per the [NIST SP 800-88 Revision 1 guidelines](https://csrc.nist.gov/News/2014/Released-SP-800-88-Revision-1,-Guidelines-for-Medi).
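Review bot: the Brazil template added under Self-managed shipping says `Request Azure Data Box Disk drop-off for order: <ordername>` and "drop off the Data Box Disk", but this article covers returning a Data Box, so the subject line and bullet should name the device this page is about or the text should explain why the Disk wording applies. The apostrophe in `contactΓÇÖs` also shows up mis-encoded here; confirm the source uses a plain `'`. The region headings now mix plain titles (`### US & Canada`) with tab syntax (`### [EU](#tab/in-europe)`), which is worth making consistent under the new zone pivots.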
databox Data Box Deploy Picked Up https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/data-box-deploy-picked-up.md
Title: Tutorial to ship Azure Data Box back| Microsoft Docs
-description: In this tutorial, learn how to return Azure Data Box, including preparing to ship, shipping Data Box, verifying data upload, and erasing data from Data Box.
+ Title: Tutorial to return Azure Data Box
+description: In this tutorial, learn how to return Azure Data Box, including shipping the device, verifying data upload to Azure, and erasing data from Data Box.
Previously updated : 03/31/2022 Last updated : 06/16/2022
+zone_pivot_groups: data-box-shipping
# Customer intent: As an IT admin, I need to be able to return a Data Box to upload on-premises data from my server onto Azure. ::: zone target="docs"
-# Tutorial: Return Azure Data Box and verify data upload to Azure
+# Tutorial: Return Azure Data Box and verify data has been uploaded to Azure
::: zone-end
In this tutorial, you will learn about topics such as:
> [!div class="checklist"] > > * Prerequisites
-> * Prepare to ship
> * Ship Data Box to Microsoft > * Verify data upload to Azure > * Erasure of data from Data Box
In this tutorial, you will learn about topics such as:
Before you begin, make sure:
-* You've have completed the [Tutorial: Copy data to Azure Data Box and verify](data-box-deploy-copy-data.md).
-* Copy jobs are complete and there are no errors on the **Connect and copy** page. **Prepare to ship** can't run if copy jobs are in progress or there are errors in the **Connect and copy** page.
-
-## Prepare to ship
-
+* You've completed the [Tutorial: Prepare to ship Azure Data Box](data-box-deploy-prepare-to-ship.md).
+* The data copy to the device completed and the **Prepare to ship** run was successful.
::: zone-end -
-After the data copy is complete, you prepare and ship the device. When the device reaches Azure datacenter, data is automatically uploaded to Azure.
-
-## Prepare to ship
+## Ship Data Box back
-Before you prepare to ship, make sure that copy jobs are complete.
+Based on the region where you're shipping the device, the procedure is different. In many countries/regions, you can use Microsoft managed shipping or [self-managed shipping](#self-managed-shipping).
-1. Go to **Prepare to ship** page in the local web UI and start the ship preparation.
-2. Turn off the device from the local web UI. Remove the cables from the device.
-The next steps are determined by where you're returning the device.
+If using Microsoft managed shipping, follow these steps.
+## Shipping in Americas
+### US & Canada
-## Ship Data Box back
-
-Make sure the data copy to the device completed and the **Prepare to ship** run was successful.
-
-Based on the region where you're shipping the device, the procedure is different. In many countries/regions, you can use [Microsoft managed shipping](#microsoft-managed-shipping) or [self-managed shipping](#self-managed-shipping).
-### Microsoft managed shipping
-Follow the guidelines for the region you're shipping from if you're using Microsoft managed shipping.
-## [US & Canada](#tab/in-us-canada)
+If using Microsoft managed shipping, follow these steps.
+## Shipping in Europe
-## [EU](#tab/in-europe)
+### [EU](#tab/in-europe)
[!INCLUDE [data-box-shipping-in-eu](../../includes/data-box-shipping-in-eu.md)] **If you're shipping back to Azure datacenters in Germany or Switzerland,** you can also [use self-managed shipping](#self-managed-shipping).
-## [UK](#tab/in-uk)
+### [UK](#tab/in-uk)
[!INCLUDE [data-box-shipping-in-uk](../../includes/data-box-shipping-in-uk.md)]
-## [Australia](#tab/in-australia)
+### [Norway](#tab/in-norway)
++
+If using Microsoft managed shipping, follow these steps.
+
+## Shipping in Asia
-## [Japan](#tab/in-japan)
+### [Japan](#tab/in-japan)
[!INCLUDE [data-box-shipping-in-japan](../../includes/data-box-shipping-in-japan.md)]
-## [Singapore](#tab/in-singapore)
+### [Singapore](#tab/in-singapore)
[!INCLUDE [data-box-shipping-in-singapore](../../includes/data-box-shipping-in-singapore.md)]
-## [Hong Kong](#tab/in-hk)
+### [Hong Kong](#tab/in-hk)
[!INCLUDE [data-box-shipping-in-hk](../../includes/data-box-shipping-in-hk.md)]
-## [Korea](#tab/in-korea)
+### [Korea](#tab/in-korea)
[!INCLUDE [data-box-shipping-in-korea](../../includes/data-box-shipping-in-korea.md)]
-## [S Africa](#tab/in-sa)
+### [UAE](#tab/in-uae)
-## [UAE](#tab/in-uae)
-## [Norway](#tab/in-norway)
+If using Microsoft managed shipping, follow these steps.
-
+## Shipping in Australia
+
+### Australia
++++
+If using Microsoft managed shipping, follow these steps.
+
+## Shipping in Africa
+
+### S Africa
++
-### Self-managed shipping
+## Self-managed shipping
+
+Self-managed shipping is available as an option when you [Order Azure Data Box](data-box-disk-deploy-ordered.md). For detailed steps, see [Use self-managed shipping](data-box-portal-customer-managed-shipping.md).
[!INCLUDE [data-box-shipping-regions](../../includes/data-box-shipping-regions.md)] [!INCLUDE [data-box-shipping-self-managed](../../includes/data-box-shipping-self-managed.md)] +
+### Shipping in Brazil
+
+To schedule a device return in Brazil, send an email to [adbops@microsoft.com](mailto:adbops@microsoft.com) with the following information:
+
+```
+Subject: Request Azure Data Box Disk drop-off for order: <ordername>
+
+- Order name
+- Contact name of the person who will drop off the Data Box Disk (A government-issued photo ID will be required to validate the contactΓÇÖs identity upon arrival.)
+- Inbound Nota Fiscal (A copy of the inbound Nota Fiscal will be required at drop-off.)
+```
++ ::: zone target="chromeless"
-## Verify data upload to Azure
+## Verify data has been uploaded to Azure
[!INCLUDE [data-box-verify-upload](../../includes/data-box-verify-upload.md)]
-## Erasure of data from Data Box
+## Data erasure from Data Box
Once the upload to Azure is complete, the Data Box erases the data on its disks as per the [NIST SP 800-88 Revision 1 guidelines](https://csrc.nist.gov/News/2014/Released-SP-800-88-Revision-1,-Guidelines-for-Medi).
Once the upload to Azure is complete, the Data Box erases the data on its disks
::: zone target="docs"
-## Verify data upload to Azure
+## Verify data has uploaded to Azure
[!INCLUDE [data-box-verify-upload-return](../../includes/data-box-verify-upload-return.md)]
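Review bot: the new Self-managed shipping paragraph links "Order Azure Data Box" to `data-box-disk-deploy-ordered.md`, which is the Data Box Disk ordering article, and the Brazil template below it again says "Data Box Disk"; both should point at and name the Data Box equivalents. The two zones also end up with different headings for the same step, `## Verify data has been uploaded to Azure` and `## Verify data has uploaded to Azure`, and the checklist still lists "Erasure of data from Data Box" while the heading was renamed to `## Data erasure from Data Box`; pick one wording for each.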
databox Data Box Deploy Prepare To Ship https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/data-box-deploy-prepare-to-ship.md
+
+ Title: Tutorial to ship Azure Data Box
+description: In this tutorial, learn how to prepare to ship Data Box for return.
+++++++ Last updated : 05/05/2022++
+# Customer intent: As an IT admin, I need to be able to return a Data Box to upload on-premises data from my server onto Azure.
+++
+# Tutorial: Prepare to ship Azure Data Box
+++
+This tutorial describes how to prepare your Azure Data Box to ship.
+
+In this tutorial, you will learn about topics such as:
+
+> [!div class="checklist"]
+>
+> * Prerequisites
+> * Prepare to ship
+
+## Prerequisites
+
+Before you begin, make sure:
+
+* You've have completed the [Tutorial: Copy data to Azure Data Box and verify](data-box-deploy-copy-data.md).
+* Copy jobs are complete and there are no errors on the **Connect and copy** page. **Prepare to ship** can't run if copy jobs are in progress or there are errors in the **Connect and copy** page.
+
+## Prepare to ship
++++
+After the data copy is complete, you prepare and ship the device. When the device reaches Azure datacenter, data is automatically uploaded to Azure.
+
+## Prepare to ship
+
+Before you prepare to ship, make sure that copy jobs are complete.
+
+1. Go to **Prepare to ship** page in the local web UI and start the ship preparation.
+2. Turn off the device from the local web UI. Remove the cables from the device.
+
+The next steps are determined by where you're returning the device.
+++
+## Next steps
+In this tutorial, you learned about Azure Data Box topics such as:
+
+> [!div class="checklist"]
+> * Prerequisites
+> * Prepare to ship
+
+Advance to the following article to learn how to ship your Azure Data Box and verify the data uploaded to Azure.
+
+> [!div class="nextstepaction"]
+> [Tutorial: Return Azure Data Box and verify data upload to Azure](data-box-deploy-picked-up.md)
+
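Review bot: the first prerequisite carries over the typo "You've have completed" from the text it was moved from; it should read "You've completed". The next-step link text, "Tutorial: Return Azure Data Box and verify data upload to Azure", no longer matches the H1 that the same change set gives that article ("verify data has been uploaded to Azure"), and the page title "Tutorial to ship Azure Data Box" does not match the H1 "Prepare to ship Azure Data Box". `## Prepare to ship` appears twice; if the two copies are not scoped to separate zones, one should go.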
databox Data Box Disk Deploy Picked Up https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/data-box-disk-deploy-picked-up.md
Previously updated : 01/25/2022 Last updated : 06/16/2022 +
+zone_pivot_groups: data-box-shipping
# Customer intent: As an IT admin, I need to be able to order Data Box Disk to upload on-premises data from my server onto Azure.
Before you begin, make sure you've completed the [Tutorial: Copy data to Azure D
- We recommend that you pack disks using a well-secured bubbled wrap. - Make sure the fit is snug to reduce any movements within the box.
-The next steps are determined by where you are returning the device. In many countries/regions, you can use [Microsoft managed shipping](#microsoft-managed-shipping) or [self-managed shipping](#self-managed-shipping).
+The next steps are determined by where you are returning the device. In many countries/regions, you can use Microsoft managed shipping or [self-managed shipping](#self-managed-shipping).
-### Microsoft managed shipping
-Follow the guidelines for the region you're shipping from if you're using Microsoft managed shipping.
+If using Microsoft managed shipping, follow these steps.
-### [US & Canada](#tab/in-us-canada)
+## Shipping in Americas
+
+### US & Canada
Take the following steps if returning the device in US or Canada.
Take the following steps if returning the device in US or Canada.
- If the tracking number isn't quoted, UPS will require you to pay an additional charge during pickup. - Instead of scheduling the pickup, you can also drop off the Data Box Disk at the nearest drop-off location.
-### [EU & UK](#tab/in-europe-uk)
++
+If using Microsoft managed shipping, follow these steps.
+
+## Shipping in Europe
+
+### EU & UK
Take the following steps if returning the device in Europe or the UK.
Take the following steps if returning the device in Europe or the UK.
3. Go to the country/region DHL Express website and select **Schedule a Pickup**. Under **Do you need a shipping label**, select **No** > **I have a DHL Waybill Number**. 4. Specify the waybill number, and click **Schedule Pickup** to arrange for pickup.
-### [Australia](#tab/in-australia)
++
+If using Microsoft managed shipping, follow these steps.
+
+## Shipping in Australia
+
+### Australia
Azure datacenters in Australia have an additional security notification. All the inbound shipments must have an advanced notification. Take the following steps for pickup in Australia.
Azure datacenters in Australia have an additional security notification. All the
2. Affix the label on the box. 3. Book a pickup online at the link https://mydhl.express.dhl/au/en/schedule-pickup.html#/schedule-pickup#label-reference. ++
+If using Microsoft managed shipping, follow these steps.
+
+## Shipping in Asia
+ ### [Japan](#tab/in-japan) 1. Write your company name and address information on the consignment note as your sender information.
Take the following steps if returning the device in China.
|Phone: | 400.889.6066 ext. 3603 | |E-mail: | [739951@fedex.com](mailto:739951@fedex.com) | ++
+If using Microsoft managed shipping, follow these steps.
+
+## Shipping in Africa
### [S Africa](#tab/in-sa)
Take the following steps if returning the device in South Africa.
5. If you come across any issues, email [Priority.Support@dhl.com](mailto:Priority.Support@dhl.com) with details of the issue(s), and put the waybill number in the Subject: line. You can also call +27(0)119213902. -
-### Self-managed shipping
+## Self-managed shipping
-If you are using Data Box Disk in US Government, Japan, Singapore, Korea, United Kingdom, West Europe, Australia, South Africa, India, or Brazil, and have selected the self-managed shipping option during order creation, follow these instructions. For detailed steps, see [Use self-managed shipping](data-box-disk-portal-customer-managed-shipping.md).
+ Self-managed shipping is available as an option when you [Order Azure Data Box](data-box-disk-deploy-ordered.md). For detailed steps, see [Use self-managed shipping](data-box-disk-portal-customer-managed-shipping.md).
+
+Self-managed shipping is available in the following regions:
+
+| Region | Region | Region | Region | Region |
+||-|-|--|--|
+| US Government | United Kingdom | West Europe | Japan | Singapore |
+| Korea | India | South Africa | Australia | Brazil |
+
+If you are using Data Box Disk and have selected the self-managed shipping option during order creation, follow these instructions.
1. Go to the **Overview** blade for your order in the Azure portal. Go through the instructions displayed when you select **Schedule pickup**. You should see an Authorization code that is used at the time of dropping off the order.
-2. Send an email to the Azure Data Box Operations team using the following template when you're ready to return the device.
+2. Send an email to the Azure Data Box Operations team using the following template when you're ready to return the device.
``` To: adbops@microsoft.com
If you are using Data Box Disk in US Government, Japan, Singapore, Korea, United
2. Contact name of the person dropping off. You will need to display a government-approved ID during the drop-off. ```
- > [!NOTE]
- > - Required information for return may vary by region.
- > - If you're returning a Data Box Disk in Brazil, see [Use self-managed shipping for Azure Data Box Disk](data-box-disk-portal-customer-managed-shipping.md) for detailed instructions.
-
- 3. Azure Data Box Operations team will work with you to arrange the drop-off to the Azure datacenter. -+
+### Shipping in Brazil
+
+To schedule a device return in Brazil, send an email to [adbops@microsoft.com](mailto:adbops@microsoft.com) with the following information:
+
+```
+Subject: Request Azure Data Box Disk drop-off for order: <ordername>
+
+- Order name
+- Contact name of the person who will drop off the Data Box Disk (A government-issued photo ID will be required to validate the contactΓÇÖs identity upon arrival.)
+- Inbound Nota Fiscal (A copy of the inbound Nota Fiscal will be required at drop-off.)
+```
+
::: zone target="docs"
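Review bot: The removed lines drop step 3 (the Operations team arranging the drop-off) and the note that required return information may vary by region, and the added "Shipping in Brazil" section replaces neither, so the numbered procedure now ends at sending the email. Consider keeping step 3 after the email template. Because the new section asks for a further email to adbops@microsoft.com shortly after step 1 introduces the authorization code, it would also help to repeat the caution from the customer-managed shipping article: "Do not share the authorization code over email."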
databox Data Box Disk Portal Customer Managed Shipping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/data-box-disk-portal-customer-managed-shipping.md
Previously updated : 06/22/2021 Last updated : 06/07/2022
When you place a Data Box Disk order, you can choose self-managed shipping optio
5. Follow the instructions in the **Schedule pickup for Azure**. Before you can get your authorization code, you must email [adbops@microsoft.com](mailto:adbops@microsoft.com) to schedule the device pickup from your region's datacenter. ![Schedule pickup](media\data-box-disk-portal-customer-managed-shipping\data-box-disk-user-pickup-02c.png)-
+
**Instructions for Brazil:** If you're scheduling a device pickup in Brazil, include the following information in your email. The datacenter will schedule the pickup after they receive an inbound `Nota Fiscal`, which can take up to 4 business days. ```
When you place a Data Box Disk order, you can choose self-managed shipping optio
> [!NOTE] > Do not share the authorization code over email. This is only to be verified at the datacenter during drop-off.
- **Instructions for Brazil:** To schedule a device return in Brazil, send an email to [adbops@microsoft.com](mailto:adbops@microsoft.com) with the following information:
-
- ```
- Subject: Request Azure Data Box Disk drop-off for order: <ordername>
+ If you're returning a Data Box Disk in Brazil, see [Return Azure Data Box Disk](data-box-deploy-picked-up.md) for detailed instructions.
- - Order name
- - Contact name of the person who will drop off the Data Box Disk (A government-issued photo ID will be required to validate the contactΓÇÖs identity upon arrival.)
- - Inbound Nota Fiscal (A copy of the inbound Nota Fiscal will be required at drop-off.)
- ```
10. After you receive an appointment for drop-off, the order should be in the **Ready to receive at Azure datacenter** state in the Azure portal.
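Review bot: The added Brazil return line uses the link text "Return Azure Data Box Disk" but targets data-box-deploy-picked-up.md, the same file the Data Box article links to for "Return Azure Data Box", while the other Disk links in this change use the data-box-disk- prefix. Confirm the target is the Disk article. Since this hunk removes the full email template, consider linking to the Brazil section itself rather than the top of the article.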
databox Data Box Portal Customer Managed Shipping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/data-box-portal-customer-managed-shipping.md
Previously updated : 03/31/2022 Last updated : 06/06/2022
When you place a Data Box order, you can choose the self-managed shipping option
![Schedule pickup for Azure instructions](media\data-box-portal-customer-managed-shipping\data-box-portal-schedule-pickup-email-01.png)
- **Instructions for Brazil:** If you're scheduling a device pickup in Brazil, include the following information in your email. The datacenter will schedule the pickup after they receive an inbound `Nota Fiscal`, which can take up to 4 business days.
+ If you're returning a Data Box in Brazil, see [Return Azure Data Box](data-box-deploy-picked-up.md) for detailed instructions.
``` Subject: Request Azure Data Box Disk pickup for order: <ordername>
When you place a Data Box order, you can choose the self-managed shipping option
![An order in Picked up state](media\data-box-portal-customer-managed-shipping\data-box-portal-picked-up-boxed-01.png)
-9. After the device is picked up, copy data to the Data Box at your site. After the data copy is complete, you can prepare to ship the Data Box. For more information, see [Prepare to ship](data-box-deploy-picked-up.md#prepare-to-ship).
+9. After the device is picked up, copy data to the Data Box at your site. After the data copy is complete, you can prepare to ship the Data Box. For more information, see [Prepare to ship](data-box-deploy-prepare-to-ship.md#prepare-to-ship).
The **Prepare to ship** step needs to complete without any critical errors. Otherwise, you'll need to run this step again after making the necessary fixes. After the **Prepare to ship** step completes successfully, you can view the authorization code for the drop-off on the device local user interface. > [!NOTE] > Do not share the authorization code over email. This is only to be verified at the datacenter during drop off.
- **Instructions for Brazil:** To schedule a device return in Brazil, send an email to [adbops@microsoft.com](mailto:adbops@microsoft.com) with the following information:
-
- ```
- Subject: Request Azure Data Box Disk drop-off for order: <ordername>
-
- - Order name
- - Contact name of the person who will drop off the Data Box Disk (A government-issued photo ID will be required to validate the contactΓÇÖs identity upon arrival.)
- - Inbound Nota Fiscal (A copy of the inbound Nota Fiscal will be required at drop-off.)
- ```
10. If you've received an appointment for drop-off, the order should have **Ready to receive at Azure datacenter** status in the Azure portal. Follow the instructions under **Schedule drop-off** to return the device.
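Review bot: The Brazil return template is removed from step 9 with no pointer left in its place. The replacement sentence about returning a Data Box in Brazil was added in the earlier hunk instead, where it displaces the pickup lead-in and now sits directly above the "Request Azure Data Box Disk pickup" template. Move the return pointer to this step, next to the authorization-code note, and restore the pickup lead-in above the pickup template, including the detail that the inbound Nota Fiscal can take up to 4 business days.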
databox Data Box Troubleshoot Data Upload https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/data-box-troubleshoot-data-upload.md
Previously updated : 03/22/2022 Last updated : 06/06/2022
Other REST API errors might occur during data uploads. For more information, see
## Next steps - [Review common REST API errors](/rest/api/storageservices/common-rest-api-error-codes).-- [Verify data upload to Azure](data-box-deploy-picked-up.md#verify-data-upload-to-azure)
+- [Verify data upload to Azure](data-box-deploy-picked-up.md#verify-data-has-uploaded-to-azure)
defender-for-cloud Adaptive Network Hardening https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/adaptive-network-hardening.md
Title: Adaptive network hardening in Microsoft Defender for Cloud | Microsoft Docs
+ Title: Adaptive network hardening in Microsoft Defender for Cloud
description: Learn how to use actual traffic patterns to harden your network security groups (NSG) rules and further improve your security posture.
defender-for-cloud Alert Validation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alert-validation.md
Title: Alert validation in Microsoft Defender for Cloud | Microsoft Docs
+ Title: Alert validation in Microsoft Defender for Cloud
description: Learn how to validate that your security alerts are correctly configured in Microsoft Defender for Cloud Last updated 07/04/2022
You can simulate alerts for both of the control plane, and workload alerts with
**Prerequisites** - Ensure the Defender for Containers plan is enabled.-- **ARC only** - Ensure the defender extension is installed.
+- **ARC only** - Ensure the Defender extension is installed.
- **EKS or GKE only** - Ensure the default audit log collection auto-provisioning options are enabled. **To simulate a Kubernetes control plane security alert**:
defender-for-cloud Cross Tenant Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/cross-tenant-management.md
Title: Cross-tenant management in Microsoft Defender for Cloud | Microsoft Docs
+ Title: Cross-tenant management in Microsoft Defender for Cloud
description: Learn how to set up cross-tenant management to manage the security posture of multiple tenants in Defender for Cloud using Azure Lighthouse. documentationcenter: na ms.assetid: 7d51291a-4b00-4e68-b872-0808b60e6d9c
defender-for-cloud Custom Security Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/custom-security-policies.md
Title: Create custom security policies in Microsoft Defender for Cloud | Microsoft Docs
+ Title: Create custom security policies in Microsoft Defender for Cloud
description: Azure custom policy definitions monitored by Microsoft Defender for Cloud.
defender-for-cloud Data Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/data-security.md
Title: Microsoft Defender for Cloud data security | Microsoft Docs
+ Title: Microsoft Defender for Cloud data security
description: Learn how data is managed and safeguarded in Microsoft Defender for Cloud.
defender-for-cloud Defender For Containers Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-containers-enable.md
Title: How to enable Microsoft Defender for Containers in Microsoft Defender for
description: Enable the container protections of Microsoft Defender for Containers zone_pivot_groups: k8s-host Previously updated : 06/28/2022 Last updated : 07/14/2022 # Enable Microsoft Defender for Containers
defender-for-cloud Defender For Servers Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-servers-introduction.md
Title: Microsoft Defender for Servers - the benefits and features description: Learn about the benefits and features of Microsoft Defender for Servers. Previously updated : 07/13/2022 Last updated : 07/14/2022 # Overview of Microsoft Defender for Servers
Defender for Servers offers you a choice between two paid plans:
| [Just-in time VM access](#just-in-time-jit-virtual-machine-vm-access) | | :::image type="icon" source="./media/icons/yes-icon.png"::: | | [Adaptive network hardening](#adaptive-network-hardening-anh) | | :::image type="icon" source="./media/icons/yes-icon.png"::: |
+You can learn more about the different [benefits for each server plan](#benefits-of-the-defender-for-servers-plans) .
+ ### Plan 1 Plan 1 includes the following benefits:
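Review bot: There is a stray space before the closing period of the added sentence, right after the (#benefits-of-the-defender-for-servers-plans) link; remove it so the sentence ends "plan](...)." with no gap.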
Plan 1 includes the following benefits:
- Flexibility to use Microsoft Defender for Cloud or Microsoft 365 Defender portal - A Microsoft Defender for Endpoint subscription that includes access to alerts, software inventory, Vulnerability Assessment and an automatic integration with Microsoft Defender for Cloud.
-The subscription to Microsoft Defender for Endpoint allows you to deploy Defender for Endpoint to your servers. Defender for Endpoint includes the following capabilities:
+The subscription to [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) allows you to deploy Defender for Endpoint to your servers. Defender for Endpoint includes the following capabilities:
- Licenses are charged per hour instead of per seat, lowering your costs to protect virtual machines only when they are in use. - Microsoft Defender for Endpoint deploys automatically to all cloud workloads so that you know that they're protected when they spin up.
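Review bot: The added Microsoft Defender for Endpoint link carries the query string ?view=o365-worldwide, which pins readers to one documentation view. Unless that view is required, drop the query string and link to /microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.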
The subscription to Microsoft Defender for Endpoint allows you to deploy Defende
### Plan 2 (formerly Defender for Servers)
-Plan 2 includes all of the benefits