Updates from: 07/20/2023 01:29:11
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory Inbound Provisioning Api Faqs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-faqs.md
You can retrieve the unique API endpoint for each job from the Provisioning blad
To process terminations, identify an attribute in your source that will be used to set the ```accountEnabled``` flag in Azure AD. If you are provisioning to on-premises Active Directory, then map that source attribute to the `accountDisabled` attribute.
-By default, the value associated with the SCIM User Core schema attribute ```active``` determines the status of the user's account in the target directory.
+By default, the value associated with the SCIM Core User schema attribute ```active``` determines the status of the user's account in the target directory.
If the attribute is set to **true**, the default mapping rule enables the account. If the attribute is set to **false**, then the default mapping rule disables the account.
active-directory Powershell Assign Group To App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-assign-group-to-app.md
+ Last updated 08/29/2022
active-directory Powershell Assign User To App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-assign-user-to-app.md
+ Last updated 08/29/2022
active-directory Powershell Display Users Group Of App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-display-users-group-of-app.md
+ Last updated 08/29/2022
active-directory Powershell Get All App Proxy Apps Basic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-basic.md
+ Last updated 08/29/2022
active-directory Powershell Get All App Proxy Apps By Connector Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-by-connector-group.md
+ Last updated 08/29/2022
active-directory Powershell Get All App Proxy Apps Extended https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-extended.md
+ Last updated 08/29/2022
active-directory Powershell Get All App Proxy Apps With Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-with-policy.md
+ Last updated 08/29/2022
active-directory Powershell Get All Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-connectors.md
+ Last updated 08/29/2022
active-directory Powershell Get All Custom Domain No Cert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-custom-domain-no-cert.md
+ Last updated 08/29/2022
active-directory Powershell Get All Custom Domains And Certs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-custom-domains-and-certs.md
+ Last updated 08/29/2022
active-directory Powershell Get All Default Domain Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-default-domain-apps.md
+ Last updated 08/29/2022
active-directory Powershell Get All Wildcard Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-wildcard-apps.md
+ Last updated 08/29/2022
active-directory Powershell Get Custom Domain Identical Cert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-custom-domain-identical-cert.md
+ Last updated 08/29/2022
active-directory Powershell Get Custom Domain Replace Cert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-custom-domain-replace-cert.md
+ Last updated 08/29/2022
active-directory Powershell Move All Apps To Connector Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-move-all-apps-to-connector-group.md
+ Last updated 08/29/2022
active-directory Howto Authentication Sms Signin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-sms-signin.md
If you receive an error when you try to set a phone number for a user account in
[rest-disable]: /graph/api/phoneauthenticationmethod-disablesmssignin <!-- EXTERNAL LINKS -->
-[azure-portal]: https://portal.azure.com
[office]: https://www.office.com [m365-firstline-workers-licensing]: https://www.microsoft.com/licensing/news/m365-firstline-workers [azuread-licensing]: https://azure.microsoft.com/pricing/details/active-directory/
active-directory Howto Authentication Use Email Signin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-use-email-signin.md
During preview, you currently need *Global Administrator* permissions to enable
### Azure portal
-1. Sign in to the [Azure portal][azure-portal] as a *Global Administrator*.
+1. Sign in to the [Azure portal](https://portal.azure.com) as a *Global Administrator*.
1. Search for and select **Azure Active Directory**. 1. From the navigation menu on the left-hand side of the Azure Active Directory window, select **Azure AD Connect > Email as alternate login ID**.
For more information on hybrid identity operations, see [how password hash sync]
[sign-in-logs]: ../reports-monitoring/concept-sign-ins.md <!-- EXTERNAL LINKS -->
-[azure-portal]: https://portal.azure.com
[Install-Module]: /powershell/module/powershellget/install-module [Connect-AzureAD]: /powershell/module/azuread/connect-azuread [Get-AzureADPolicy]: /powershell/module/azuread/get-azureadpolicy
active-directory Active Directory Devhowto Adal Error Handling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/active-directory-devhowto-adal-error-handling.md
Use the comments section that follows, to provide feedback and help us refine an
[AAD-Auth-Libraries]: ./active-directory-authentication-libraries.md [AAD-Auth-Scenarios]:v1-authentication-scenarios.md [AAD-Integrating-Apps]:../develop/quickstart-register-app.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json
-[AZURE-portal]: https://portal.azure.com
<!--Image references--> [AAD-Sign-In]:./media/active-directory-devhowto-multi-tenant-overview/sign-in-with-microsoft-light.png
active-directory How To Create Alert Trigger https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/how-to-create-alert-trigger.md
This article describes how you can create and view activity alerts and alert tri
The **Alerts** table displays information about your alert.
+ Select the alert name to view the individual activities and further details about the **resources**, **tasks**, and **identities** involved.
+ ## View activity alert triggers
active-directory Ui Triggers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/ui-triggers.md
This article describes how to use the **Alerts** dashboard in Permissions Manage
- **Alerts** - **Alert Triggers**
+
+- Select the **Authorization system**(s) and/or **folder**(s) to display alerts and alert triggers in scope of the selected view.
+- Alert triggers are based on data collected. All alerts, if triggered, are shown every hour under the Alerts subtab.
## View information about alerts
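Review bot: The relocated sentence "All alerts, if triggered, are shown every hour under the Alerts subtab" is ambiguous in its new position as a bullet. It can be read as alerts being evaluated hourly or as the list refreshing hourly, and the change would be clearer if it stated which one applies. The first added bullet's "**Authorization system**(s) and/or **folder**(s)" would also read better as "one or more authorization systems or folders".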
The **Rule-Based Anomaly** tab and the **Statistical Anomaly** tab both have one
- **Columns**: Select the columns you want to display: **Task**, **Resource**, and **Identity**. - To return to the system default settings, select **Reset to default**.
-Alert triggers are based on data collected. All alerts, if triggered, are shown every hour under the Alerts subtab.
## View information about alert triggers
active-directory How To App Protection Policy Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/how-to-app-protection-policy-windows.md
App protection policies apply mobile application management (MAM) to specific ap
## Prerequisites
-The following requirements must be met before you can apply an [app protection policy] to Windows client devices:
--- Ensure your Windows client version is Windows 11, build 10.0.22621 (22H2) or newer.-- Ensure your device isn't managed, including:
- - Not Azure AD joined or enrolled in Mobile Device Management (MDM) for the same tenant
-as your MAM user.
- - Not Azure AD registered (workplace joined) with more than two users besides the MAM user. There's a limit of no more than [three Azure AD registered users to a device](../devices/faq.yml#i-can-t-add-more-than-3-azure-ad-user-accounts-under-the-same-user-session-on-a-windows-10-11-device--why).
-- Clients must be running Microsoft Edge build v115.0.1901.155 or newer.
- - You can check the version by going to `edge://settings/help` in the address bar.
-- Clients must have the **Enable MAM on Edge desktop platforms** flag enabled.
- - You can enable this going to `edge://flags/#edge-desktop-mam` in the address bar.
- - Enable **Enable MAM on Edge desktop platforms**
- - Click the **Restart** button at the bottom of the window.
+Customers interested in the public preview will need to opt-in using the [MAM for Windows Public Preview Sign Up Form](https://aka.ms/MAMforWindowsPublic).
## User exclusions [!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)]
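Review bot: The Prerequisites section now contains only the preview sign-up sentence. The removed bullets were the only place stating the minimum Windows build (10.0.22621), the unmanaged-device conditions, the minimum Microsoft Edge build and the `edge://flags/#edge-desktop-mam` flag. If those requirements still apply after opt-in, keep them below the sign-up line. If they no longer apply, say so, because an administrator writing a Conditional Access policy from this page can no longer tell which clients are in scope.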
active-directory App Objects And Service Principals https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/app-objects-and-service-principals.md
The application object describes three aspects of an application:
- The resources that the application might need to access - The actions that the application can take
-You can use the **App registrations** page in the [Azure portal][azure-portal] to list and manage the application objects in your home tenant.
+You can use the **App registrations** page in the [Azure portal] to list and manage the application objects in your home tenant.
![App registrations blade](./media/app-objects-and-service-principals/app-registrations-blade.png)
Learn how to create a service principal:
[ms-graph-app-entity]: /graph/api/resources/application [ms-graph-sp-entity]: /graph/api/resources/serviceprincipal
-[azure-portal]: https://portal.azure.com
+[Azure portal]: https://portal.azure.com
active-directory Developer Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/developer-glossary.md
The application ID, or _[client ID](https://datatracker.ietf.org/doc/html/rfc674
## Application manifest
-A feature provided by the [Azure portal][AZURE-portal], which produces a JSON representation of the application's identity configuration, used as a mechanism for updating its associated [Application][Graph-App-Resource] and [ServicePrincipal][Graph-Sp-Resource] entities. See [Understanding the Azure Active Directory application manifest][AAD-App-Manifest] for more details.
+A feature provided by the [Azure portal], which produces a JSON representation of the application's identity configuration, used as a mechanism for updating its associated [Application][Graph-App-Resource] and [ServicePrincipal][Graph-Sp-Resource] entities. See [Understanding the Azure Active Directory application manifest][AAD-App-Manifest] for more details.
## Application object
-When you register/update an application in the [Azure portal][AZURE-portal], the portal creates/updates both an application object and a corresponding [service principal object](#service-principal-object) for that tenant. The application object _defines_ the application's identity configuration globally (across all tenants where it has access), providing a template from which its corresponding service principal object(s) are _derived_ for use locally at run-time (in a specific tenant).
+When you register/update an application in the [Azure portal], the portal creates/updates both an application object and a corresponding [service principal object](#service-principal-object) for that tenant. The application object _defines_ the application's identity configuration globally (across all tenants where it has access), providing a template from which its corresponding service principal object(s) are _derived_ for use locally at run-time (in a specific tenant).
For more information, see [Application and Service Principal Objects][AAD-App-SP-Objects].
A [client application](#client-application) gains access to a [resource server](
They also surface during the [consent](#consent) process, giving the administrator or resource owner the opportunity to grant/deny the client access to resources in their tenant.
-Permission requests are configured on the **API permissions** page for an application in the [Azure portal][AZURE-portal], by selecting the desired "Delegated Permissions" and "Application Permissions" (the latter requires membership in the Global Administrator role). Because a [public client](#client-application) can't securely maintain credentials, it can only request delegated permissions, while a [confidential client](#client-application) has the ability to request both delegated and application permissions. The client's [application object](#application-object) stores the declared permissions in its [requiredResourceAccess property][Graph-App-Resource].
+Permission requests are configured on the **API permissions** page for an application in the [Azure portal], by selecting the desired "Delegated Permissions" and "Application Permissions" (the latter requires membership in the Global Administrator role). Because a [public client](#client-application) can't securely maintain credentials, it can only request delegated permissions, while a [confidential client](#client-application) has the ability to request both delegated and application permissions. The client's [application object](#application-object) stores the declared permissions in its [requiredResourceAccess property][Graph-App-Resource].
## Refresh token
Like [scopes](#scopes), app roles provide a way for a [resource server](#resourc
App roles can support two assignment types: "user" assignment implements role-based access control for users/groups that require access to the resource, while "application" assignment implements the same for [client applications](#client-application) that require access. An app role can be defined as user-assignable, app-assignabnle, or both.
-Roles are resource-defined strings (for example "Expense approver", "Read-only", "Directory.ReadWrite.All"), managed in the [Azure portal][AZURE-portal] via the resource's [application manifest](#application-manifest), and stored in the resource's [appRoles property][Graph-Sp-Resource]. The Azure portal is also used to assign users to "user" assignable roles, and configure client [application permissions](#permissions) to request "application" assignable roles.
+Roles are resource-defined strings (for example "Expense approver", "Read-only", "Directory.ReadWrite.All"), managed in the [Azure portal] via the resource's [application manifest](#application-manifest), and stored in the resource's [appRoles property][Graph-Sp-Resource]. The Azure portal is also used to assign users to "user" assignable roles, and configure client [application permissions](#permissions) to request "application" assignable roles.
For a detailed discussion of the application roles exposed by the Microsoft Graph API, see [Graph API Permission Scopes][Graph-Perm-Scopes]. For a step-by-step implementation example, see [Add or remove Azure role assignments using the Azure portal][AAD-RBAC].
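Review bot: The context line directly above the edited "Roles are resource-defined strings" paragraph still reads "app-assignabnle". Since this paragraph is being touched anyway, correct it to "app-assignable" in the same change.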
For a detailed discussion of the application roles exposed by the Microsoft Grap
Like [roles](#roles), scopes provide a way for a [resource server](#resource-server) to govern access to its protected resources. Scopes are used to implement [scope-based][OAuth2-Access-Token-Scopes] access control, for a [client application](#client-application) that has been given delegated access to the resource by its owner.
-Scopes are resource-defined strings (for example "Mail.Read", "Directory.ReadWrite.All"), managed in the [Azure portal][AZURE-portal] via the resource's [application manifest](#application-manifest), and stored in the resource's [oauth2Permissions property][Graph-Sp-Resource]. The Azure portal is also used to configure client application [delegated permissions](#permissions) to access a scope.
+Scopes are resource-defined strings (for example "Mail.Read", "Directory.ReadWrite.All"), managed in the [Azure portal] via the resource's [application manifest](#application-manifest), and stored in the resource's [oauth2Permissions property][Graph-Sp-Resource]. The Azure portal is also used to configure client application [delegated permissions](#permissions) to access a scope.
A best practice naming convention, is to use a "resource.operation.constraint" format. For a detailed discussion of the scopes exposed by Microsoft Graph API, see [Graph API Permission Scopes][Graph-Perm-Scopes]. For scopes exposed by Microsoft 365 services, see [Microsoft 365 API permissions reference][O365-Perm-Ref].
A signed document containing claims, such as an OAuth 2.0 token or SAML 2.0 asse
## Service principal object
-When you register/update an application in the [Azure portal][AZURE-portal], the portal creates/updates both an [application object](#application-object) and a corresponding service principal object for that tenant. The application object _defines_ the application's identity configuration globally (across all tenants where the associated application has been granted access), and is the template from which its corresponding service principal object(s) are _derived_ for use locally at run-time (in a specific tenant).
+When you register/update an application in the [Azure portal], the portal creates/updates both an [application object](#application-object) and a corresponding service principal object for that tenant. The application object _defines_ the application's identity configuration globally (across all tenants where the associated application has been granted access), and is the template from which its corresponding service principal object(s) are _derived_ for use locally at run-time (in a specific tenant).
For more information, see [Application and Service Principal Objects][AAD-App-SP-Objects].
Many of the terms in this glossary are related to the OAuth 2.0 and OpenID Conne
[AAD-Multi-Tenant-Overview]:howto-convert-app-to-be-multi-tenant.md [AAD-Security-Token-Claims]: ./active-directory-authentication-scenarios/#claims-in-azure-ad-security-tokens [AAD-Tokens-Claims]:access-tokens.md
-[AZURE-portal]: https://portal.azure.com
+[Azure portal]: https://portal.azure.com
[AAD-RBAC]: ../../role-based-access-control/role-assignments-portal.md [JWT]: https://tools.ietf.org/html/rfc7519 [Microsoft-Graph]: https://developer.microsoft.com/graph
active-directory Howto Convert App To Be Multi Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-convert-app-to-be-multi-tenant.md
You can also refer to the sample; [Build a multi-tenant SaaS web application tha
## Update registration to be multi-tenant
-By default, web app/API registrations in Azure AD are single-tenant upon creation. To make the registration multi-tenant, look for the **Supported account types** section on the **Authentication** pane of the application registration in the [Azure portal][AZURE-portal]. Change the setting to **Accounts in any organizational directory**.
+By default, web app/API registrations in Azure AD are single-tenant upon creation. To make the registration multi-tenant, look for the **Supported account types** section on the **Authentication** pane of the application registration in the [Azure portal]. Change the setting to **Accounts in any organizational directory**.
When a single-tenant application is created via the Azure portal, one of the items listed on the **Overview** page is the **Application ID URI**. This is one of the ways an application is identified in protocol messages, and can be added at any time. The App ID URI for single tenant apps can be globally unique within that tenant. In contrast, for multi-tenant apps it must be globally unique across all tenants, which ensures that Azure AD can find the app across all tenants.
When a single-tenant application validates a token, it checks the signature of t
## Understand user and admin consent and make appropriate code changes
-For a user to sign in to an application in Azure AD, the application must be represented in the userΓÇÖs tenant. This allows the organization to do things like apply unique policies when users from their tenant sign in to the application. For a single-tenant application, one can use the registration via the [Azure portal][AZURE-portal].
+For a user to sign in to an application in Azure AD, the application must be represented in the userΓÇÖs tenant. This allows the organization to do things like apply unique policies when users from their tenant sign in to the application. For a single-tenant application, one can use the registration via the [Azure portal].
For a multi-tenant application, the initial registration for the application resides in the Azure AD tenant used by the developer. When a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application. If they consent, then a representation of the application called a *service principal* is created in the userΓÇÖs tenant, and sign-in can continue. A delegation is also created in the directory that records the userΓÇÖs consent to the application. For details on the application's Application and ServicePrincipal objects, and how they relate to each other, see [Application objects and service principal objects][AAD-App-SP-Objects].
Certain delegated permissions also require a tenant administratorΓÇÖs consent. F
If your application uses permissions that require admin consent, consider adding a button or link where the admin can initiate the action. The request your application sends for this action is the usual OAuth2/OpenID Connect authorization request that also includes the `prompt=consent` query string parameter. Once the admin has consented and the service principal is created in the customerΓÇÖs tenant, subsequent sign-in requests don't need the `prompt=consent` parameter. Since the administrator has decided the requested permissions are acceptable, no other users in the tenant are prompted for consent from that point forward.
-A tenant administrator can disable the ability for regular users to consent to applications. If this capability is disabled, admin consent is always required for the application to be used in the tenant. If you want to test your application with end-user consent disabled, you can find the configuration switch in the [Azure portal][AZURE-portal] in the **[User settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/)** section under **Enterprise applications**.
+A tenant administrator can disable the ability for regular users to consent to applications. If this capability is disabled, admin consent is always required for the application to be used in the tenant. If you want to test your application with end-user consent disabled, you can find the configuration switch in the [Azure portal] in the **[User settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/)** section under **Enterprise applications**.
The `prompt=consent` parameter can also be used by applications that request permissions that don't require admin consent. An example of when this would be used is if the application requires an experience where the tenant admin ΓÇ£signs upΓÇ¥ one time, and no other users are prompted for consent from that point on.
The following diagram provides an overview of consent for a multi-tier app regis
Users and administrators can revoke consent to your application at any time: * Users revoke access to individual applications by removing them from their [Access Panel Applications][AAD-Access-Panel] list.
-* Administrators revoke access to applications by removing them using the [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps) section of the [Azure portal][AZURE-portal].
+* Administrators revoke access to applications by removing them using the [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps) section of the [Azure portal].
If an administrator consents to an application for all users in a tenant, users can't revoke access individually. Only the administrator can revoke access, and only for the whole application.
To learn more about making API calls to Azure AD and Microsoft 365 services like
[AAD-Integrating-Apps]:quickstart-v1-integrate-apps-with-azure-ad.md [AAD-Samples-MT]: /samples/browse/?products=azure-active-directory [AAD-Why-To-Integrate]: ./active-directory-how-to-integrate.md
-[AZURE-portal]: https://portal.azure.com
[MSFT-Graph-overview]: /graph/ [MSFT-Graph-permission-scopes]: /graph/permissions-reference
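Review bot: The `[AZURE-portal]` definition is removed here with no `+` line replacing it in this hunk, while the body of this article now uses the shortcut form `[Azure portal]`. That form resolves only if a matching `[Azure portal]: https://portal.azure.com` definition exists in the same file. The hyphenated `[AZURE-portal]` label would not have matched it either. Confirm the definition is added in this article; otherwise the links render as literal bracketed text.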
To learn more about making API calls to Azure AD and Microsoft 365 services like
[AAD-Security-Token-Claims]: ./active-directory-authentication-scenarios/#claims-in-azure-ad-security-tokens [AAD-Tokens-Claims]:access-tokens.md [AAD-V2-Dev-Guide]: v2-overview.md
-[AZURE-portal]: https://portal.azure.com
+[Azure portal]: https://portal.azure.com
[Duyshant-Role-Blog]: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/ [JWT]: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32 [O365-Perm-Ref]: /graph/permissions-reference
active-directory Msal Net Migration Confidential Client https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-migration-confidential-client.md
public partial class AuthWrapper
public async Task<AuthenticationResult> GetAuthenticationResult() {
- if (app == null)
- {
- app = ConfidentialClientApplicationBuilder.Create(ClientId)
+
+ var app = ConfidentialClientApplicationBuilder.Create(ClientId)
.WithCertificate(certificate) .WithAuthority(authority) .Build();+
+ // Setup token caching https://learn.microsoft.com/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=aspnet
+ // For example, for an in-memory cache with 1GB limit, use
+ app.AddInMemoryTokenCache(services =>
+ {
+ // Configure the memory cache options
+ services.Configure<MemoryCacheOptions>(options =>
+ {
+ options.SizeLimit = 1024 * 1024 * 1024; // in bytes (1 GB of memory)
+ });
} var authResult = await app.AcquireTokenForClient(
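Review bot: The added `app.AddInMemoryTokenCache(services =>` call is never closed. The inner `});` ends `services.Configure`, and the only remaining brace is the context `}` left over from the removed `if (app == null)` block, so the lambda ends with `}` where `});` is needed and the sample will not compile as shown. The `if` opener was removed but its closing brace was not updated. Change that line to `});`.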
public partial class AuthWrapper
#### Benefit from token caching
-To benefit from the in-memory cache, the instance of `IConfidentialClientApplication` must be kept in a member variable. If you re-create the confidential client app each time you request a token, you won't benefit from the token cache.
+If you don't setup token caching, the token issuer will throttle you, resulting in errors. It also takes a lot less to get a token from the cache (10-20ms) than it is from ESTS (500-30000ms).
-You'll need to serialize `AppTokenCache` if you don't use the default in-memory app token cache. Similarly, If you want to implement a distributed token cache, serialize `AppTokenCache`. For details, see [Token cache for a web app or web API (confidential client application)](msal-net-token-cache-serialization.md?tabs=aspnet) and the sample [active-directory-dotnet-v1-to-v2/ConfidentialClientTokenCache](https://github.com/Azure-Samples/active-directory-dotnet-v1-to-v2/tree/master/ConfidentialClientTokenCache).
+If you want to implement a distributed token cache, see [Token cache for a web app or web API (confidential client application)](msal-net-token-cache-serialization.md?tabs=aspnet) and the sample [active-directory-dotnet-v1-to-v2/ConfidentialClientTokenCache](https://github.com/Azure-Samples/active-directory-dotnet-v1-to-v2/tree/master/ConfidentialClientTokenCache).
[Learn more about the daemon scenario](scenario-daemon-overview.md) and how it's implemented with MSAL.NET or Microsoft.Identity.Web in new applications.
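Review bot: The removed paragraph told readers to keep the `IConfidentialClientApplication` instance in a member variable, and the code samples in this article now build `var app` on every call. The new text should say why that is acceptable once `AddInMemoryTokenCache` is configured, otherwise readers of the old guidance will see the two as contradictory. Wording on the first added line also needs attention: "setup" should be "set up", "takes a lot less ... than it is from ESTS" should be "takes much less time ... than from ESTS", and "ESTS" is not defined anywhere in the visible text.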
public partial class AuthWrapper
string resourceId, string tokenUsedToCallTheWebApi) {
- if (app == null)
- {
- app = ConfidentialClientApplicationBuilder.Create(ClientId)
+
+ var app = ConfidentialClientApplicationBuilder.Create(ClientId)
.WithCertificate(certificate) .WithAuthority(authority) .Build();
- }
+ // Setup token caching https://learn.microsoft.com/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=aspnet
+ // For example, for an in-memory cache with 1GB limit. For OBO, it is recommended to use a distributed cache like Redis.
+ app.AddInMemoryTokenCache(services =>
+ {
+ // Configure the memory cache options
+ services.Configure<MemoryCacheOptions>(options =>
+ {
+ options.SizeLimit = 1024 * 1024 * 1024; // in bytes (1 GB of memory)
+ });
+ }
var userAssertion = new UserAssertion(tokenUsedToCallTheWebApi);
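Review bot: The added comment says a distributed cache like Redis is recommended for OBO, but the code directly beneath it configures `AddInMemoryTokenCache`. A reader copying the sample gets the configuration the comment advises against. Either show the distributed variant here or state that the in-memory call is for illustration and link to the distributed setup. As in the client-credentials sample, the block also closes with `+ }` where `});` is required to end the `AddInMemoryTokenCache` call.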
active-directory Msal Net Token Cache Serialization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-token-cache-serialization.md
public static async Task<AuthenticationResult> GetTokenAsync(string clientId, X5
Instead of `app.AddInMemoryTokenCache();`, you can use different caching serialization technologies. For example, you can use no-serialization, in-memory, and distributed token cache storage provided by .NET. <a id="no-token-cache-serialization"></a>
-#### Token cache without serialization
+#### Token cache without serialization
-You can specify that you don't want to have any token cache serialization and instead rely on the MSAL.NET internal cache. Use `.WithCacheOptions(CacheOptions.EnableSharedCacheOptions)` when building the application and don't add any serializer.
-r.
+Use `.WithCacheOptions(CacheOptions.EnableSharedCacheOptions)` when building the application and don't add any serializer.
+
+> [!IMPORTANT]
+> There is no way to control the size of the cache with this option. If you are building a website, a web API, or a multi-tenant S2S app, then use the `In-memory token cache` option.
```CSharp // Create the confidential client application
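Review bot: The replacement line under "Token cache without serialization" drops the clause explaining that this option relies on the MSAL.NET internal cache, so the section now gives an instruction without saying what the option does. Keep one sentence of that explanation ahead of the new `[!IMPORTANT]` note. In the note, `In-memory token cache` is formatted as code although it names a section of the article, not an identifier, so it should be a link or plain text.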
active-directory Reference App Manifest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-app-manifest.md
Use the following comments section to provide feedback that helps refine and sha
[AAD-DEVELOPER-GLOSSARY]:developer-glossary.md [AAD-GROUPS-FOR-AUTHORIZATION]: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/ [ADD-UPD-RMV-APP]:quickstart-v1-integrate-apps-with-azure-ad.md
-[AZURE-PORTAL]: https://portal.azure.com
[DEV-GUIDE-TO-AUTH-WITH-ARM]: http://www.dushyantgill.com/blog/2015/05/23/developers-guide-to-auth-with-azure-resource-manager-api/ [GRAPH-API]: /graph/migrate-azure-ad-graph-planning-checklist [IMPLICIT-GRANT]:v1-oauth2-implicit-grant-flow.md
active-directory Scenario Spa App Registration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-spa-app-registration.md
Last updated 05/10/2022 -+ # Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
active-directory How To Web App Dotnet Sign In Prepare Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-web-app-dotnet-sign-in-prepare-tenant.md
+ Last updated 05/23/2023- #Customer intent: As a dev, devops, I want to learn about how to enable authentication in my own ASP.NET web app with Azure Active Directory (Azure AD) for customers tenant
In this tutorial, you'll;
## Next steps > [!div class="nextstepaction"]
-> [Prepare ASP.NET web app](how-to-web-app-dotnet-sign-in-prepare-app.md)
+> [Prepare ASP.NET web app](how-to-web-app-dotnet-sign-in-prepare-app.md)
active-directory How To Web App Role Based Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-web-app-role-based-access-control.md
Last updated 06/16/2023-+ # Use role-based access control in your Node.js web application
In this article, you have learned that you can use *App Roles* or *Groups* to im
## Next steps -- Learn more about [Configuring group claims and app roles in tokens](/security/zero-trust/develop/configure-tokens-group-claims-app-roles).
+- Learn more about [Configuring group claims and app roles in tokens](/security/zero-trust/develop/configure-tokens-group-claims-app-roles).
active-directory Sample Browserless App Dotnet Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/sample-browserless-app-dotnet-sign-in.md
Last updated 06/23/2023--+ #Customer intent: As a dev, devops, I want to learn about how to configure a sample ASP.NET browserless app to sign in users with my Azure Active Directory (Azure AD) for customers tenant
active-directory Sample Browserless App Node Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/sample-browserless-app-node-sign-in.md
Last updated 06/23/2023--+ #Customer intent: As a dev, devops, I want to learn about how to configure a sample Node.js browserless application to authenticate users with my Azure Active Directory (Azure AD) for customers tenant
active-directory Sample Daemon Node Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/sample-daemon-node-call-api.md
Last updated 06/23/2023--+ #Customer intent: As a dev, devops, I want to configure a sample Node.js daemon application that calls an API protected by Azure Active Directory (Azure AD) for customers tenant
active-directory Sample Single Page App Vanillajs Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/sample-single-page-app-vanillajs-sign-in.md
+ Last updated 06/23/2023-- #Customer intent: As a dev, devops, I want to learn about how to configure a sample vanilla JS SPA to sign in and sign out users with my Azure Active Directory (Azure AD) for customers tenant
active-directory Sample Web App Dotnet Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/sample-web-app-dotnet-sign-in.md
Last updated 06/23/2023--+ #Customer intent: As a dev, devops, I want to learn about how to configure a sample ASP.NET web app to sign in and sign out users with my Azure Active Directory (Azure AD) for customers tenant
active-directory Sample Web App Node Sign In Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/sample-web-app-node-sign-in-call-api.md
Last updated 06/23/2023--+ #Customer intent: As a dev, devops, I want to learn about how to configure a sample web app to sign in and sign out users with my CIAM tenant
active-directory Sample Web App Node Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/sample-web-app-node-sign-in.md
Last updated 06/23/2023--+ #Customer intent: As a dev, devops, I want to learn about how to configure a sample Node.js web app to sign in and sign out users with my Azure Active Directory (Azure AD) for customers tenant
active-directory Samples Ciam All https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/samples-ciam-all.md
Previously updated : 05/10/2023 Last updated : 07/17/2023
These samples and how-to guides demonstrate how to write a desktop application t
> | Language/<br/>Platform | Code sample guide | Build and integrate guide | > | - | -- | - | > | JavaScript, Electron | &#8226; [Sign in users](how-to-desktop-app-electron-sample-sign-in.md) | |
-> | ASP.NET (MAUI) | &#8226; [Sign in users](how-to-desktop-app-maui-sample-sign-in.md) | |
+> | ASP.NET (MAUI) | &#8226; [Sign in users](how-to-desktop-app-maui-sample-sign-in.md) |&#8226; [Sign in users](tutorial-desktop-app-maui-sign-in-prepare-tenant.md)|
### Mobile
These samples and how-to guides demonstrate how to write a public client mobile
> [!div class="mx-tdCol2BreakAll"] > | Language/<br/>Platform | Code sample guide | Build and integrate guide | > | -- | -- |-- |
-> | ASP.NET Core MAUI | &#8226; [Sign in users](how-to-mobile-app-maui-sample-sign-in.md) | |
+> | ASP.NET Core MAUI | &#8226; [Sign in users](how-to-mobile-app-maui-sample-sign-in.md) | &#8226; [Sign in users](tutorial-mobile-app-maui-sign-in-prepare-tenant.md)|
### Daemon
These samples and how-to guides demonstrate how to write a daemon application th
> | Language/<br/>Platform | Code sample guide | Build and integrate guide | > | -- | -- |-- | > | Node.js | &#8226; [Call an API](how-to-daemon-node-sample-call-api.md) | &#8226; [Call an API](how-to-daemon-node-call-api-overview.md) |
+> | .NET | &#8226; [Call an API](sample-daemon-dotnet-call-api.md) | &#8226; [Call an API](tutorial-daemon-dotnet-call-api-prepare-tenant.md) |
+ # [**By language/platform**](#tab/language)
These samples and how-to guides demonstrate how to write a daemon application th
> | App type | Code sample guide | Build and integrate guide | > | - | -- | - | > | Browserless | &#8226; [Sign in users](how-to-browserless-app-dotnet-sample-sign-in.md) | &#8226; [Sign in users](how-to-browserless-app-dotnet-sign-in-overview.md) |
+> | Daemon | &#8226; [Call an API](sample-daemon-dotnet-call-api.md) | &#8226; [Call an API](tutorial-daemon-dotnet-call-api-prepare-tenant.md) |
### ASP.NET Core
These samples and how-to guides demonstrate how to write a daemon application th
> [!div class="mx-tdCol2BreakAll"] > | App type | Code sample guide | Build and integrate guide | > | - | -- | - |
-> | Desktop | &#8226; [Sign in users](how-to-desktop-app-maui-sample-sign-in.md) | |
-> | Mobile | &#8226; [Sign in users](how-to-mobile-app-maui-sample-sign-in.md) | |
+> | Desktop | &#8226; [Sign in users](how-to-desktop-app-maui-sample-sign-in.md) | &#8226; [Sign in users](tutorial-desktop-app-maui-sign-in-prepare-tenant.md) |
+> | Mobile | &#8226; [Sign in users](how-to-mobile-app-maui-sample-sign-in.md) | &#8226; [Sign in users](tutorial-mobile-app-maui-sign-in-prepare-tenant.md) |
### JavaScript, Vanilla
active-directory Tutorial Desktop App Maui Sign In Prepare App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-desktop-app-maui-sign-in-prepare-app.md
+ Last updated 06/05/2023
active-directory Tutorial Desktop App Maui Sign In Prepare Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-desktop-app-maui-sign-in-prepare-tenant.md
+ Last updated 06/05/2023
active-directory Tutorial Desktop App Maui Sign In Sign Out https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-desktop-app-maui-sign-in-sign-out.md
+ Last updated 06/05/2023
active-directory Tutorial Mobile App Maui Sign In Prepare App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-mobile-app-maui-sign-in-prepare-app.md
+ Last updated 06/05/2023
Download the following image:
## Next steps > [!div class="nextstepaction"]
-> [Tutorial: Sign in users in .NET MAUI shell app](tutorial-mobile-app-maui-sign-in-sign-out.md)
+> [Tutorial: Sign in users in .NET MAUI shell app](tutorial-mobile-app-maui-sign-in-sign-out.md)
active-directory Tutorial Mobile App Maui Sign In Prepare Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-mobile-app-maui-sign-in-prepare-tenant.md
+ Last updated 06/05/2023
In this tutorial, you learn how to:
## Next steps > [!div class="nextstepaction"]
-> [Tutorial: Create a .NET MAUI shell app](tutorial-mobile-app-maui-sign-in-prepare-app.md)
+> [Tutorial: Create a .NET MAUI shell app](tutorial-mobile-app-maui-sign-in-prepare-app.md)
active-directory Tutorial Mobile App Maui Sign In Sign Out https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-mobile-app-maui-sign-in-sign-out.md
+ Last updated 06/05/2023
Run the app by pressing _F5_ or select the _play button_ at the top of Visual St
## Next Steps - [Customize the default branding](how-to-customize-branding-customers.md).-- [Configure sign-in with Google](how-to-google-federation-customers.md).
+- [Configure sign-in with Google](how-to-google-federation-customers.md).
active-directory Custom Security Attributes Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/custom-security-attributes-overview.md
Currently, you can add custom security attributes for the following Azure AD obj
- Azure AD enterprise applications (service principals) - Managed identities for Azure resources
-## How do custom security attributes compare with directory extensions?
+## How do custom security attributes compare with extensions?
-Here are some ways that custom security attributes compare with [directory extensions](../develop/active-directory-schema-extensions.md):
+While both extensions and custom security attributes can be used to extend objects in Azure AD and Microsoft 365, they are suitable for fundamentally different custom data scenarios. Here are some ways that custom security attributes compare with [extensions](/graph/extensibility-overview):
-- Directory extensions cannot be used for authorization scenarios and attributes because the access control for the extension attributes is tied to the Azure AD object. Custom security attributes can be used for authorization and attributes needing access control because the custom security attributes can be managed and protected through separate permissions.-- Directory extensions are tied to an application and share the lifecycle of an application. Custom security attributes are tenant wide and not tied to an application.-- Directory extensions support assigning a single value to an attribute. Custom security attributes support assigning multiple values to an attribute.
+| Capability | Extensions | Custom security attributes |
+|--|--|--|
+| Extend Azure AD and Microsoft 365 objects | Yes | Yes |
+| Supported objects | Depends on the extension type | Users and service principals |
+| Restricted access | No. Anyone with permissions to read the object can read the extension data. | Yes. Read and write access is restricted through a separate set of permissions and RBAC. |
+| When to use | Store data to be used by an application <br/> Store non-sensitive data | Store sensitive data <br/> Use for authorization scenarios |
+| License requirements | Available in all editions of Azure AD | Requires an Azure AD Premium P1 or P2 license |
+
+For more information about working with extensions, see [Add custom data to resources using extensions](/graph/extensibility-overview).
## Steps to use custom security attributes
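Review bot: The new comparison table drops two distinctions that the removed bullets stated: that directory extensions are tied to an application and share its lifecycle while custom security attributes are tenant wide, and that directory extensions take a single value per attribute while custom security attributes take multiple values. If those statements still hold, add a row for each; if they were dropped because they are not true of every extension type, say so in the sentence that introduces the table. The "Supported objects" row also lists only "Users and service principals", while the list just above this section separately names managed identities for Azure resources, so the two should be made to agree.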
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md
Previously updated : 1/31/2022 Last updated : 7/18/2023
# Archive for What's new in Azure Active Directory?
-The primary [What's new in Azure Active Directory? release notes](whats-new.md) article contains updates for the last six months, while this article contains all the older information.
+The primary [What's new in Azure Active Directory? release notes](whats-new.md) article contains updates for the last six months, while this article contains Information up to 18 months.
The What's new in Azure Active Directory? release notes provide information about:
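Review bot: In the added intro sentence, "contains Information up to 18 months" capitalizes "Information" mid-sentence and does not say what the 18 months measure. Suggest "while this article contains information that is up to 18 months old", and confirm the statement matches the page now that the January 2022 entries are deleted further down in the same change.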
For listing your application in the Azure AD app gallery, read the details here
-### ADAL End of Support Announcement
+### Microsoft Authentication Library End of Support Announcement
**Type:** N/A **Service category:** Other **Product capability:** Developer Experience
-As part of our ongoing initiative to improve the developer experience, service reliability, and security of customer applications, we'll end support for the Azure Active Directory Authentication Library (ADAL). The final deadline to migrate your applications to Azure Active Directory Authentication Library (MSAL) has been extended to **June 30, 2023**.
+As part of our ongoing initiative to improve the developer experience, service reliability, and security of customer applications, we end support for the Microsoft Authentication Library (Microsoft Authentication Library). The final deadline to migrate your applications to Microsoft Authentication Library (MSAL) has been extended to **June 30, 2023**.
### Why are we doing this?
-As we consolidate and evolve the Microsoft Identity platform, we're also investing in making significant improvements to the developer experience and service features that make it possible to build secure, robust and resilient applications. To make these features available to our customers, we needed to update the architecture of our software development kits. As a result of this change, weΓÇÖve decided that the path forward requires us to sunset Azure Active Directory Authentication Library. This allows us to focus on developer experience investments with Azure Active Directory Authentication Library.
+As we consolidate and evolve the Microsoft Identity platform, we're also investing in making significant improvements to the developer experience and service features that make it possible to build secure, robust and resilient applications. To make these features available to our customers, we needed to update the architecture of our software development kits. As a result of this change, weΓÇÖve decided that the path forward requires us to sunset Microsoft Authentication Library. This allows us to focus on developer experience investments with Microsoft Authentication Library.
### What happens? We recognize that changing libraries isn't an easy task, and can't be accomplished quickly. We're committed to helping customers plan their migrations to Microsoft Authentication Library and execute them with minimal disruption. -- In June 2020, we [announced the 2-year end of support timeline for ADAL](https://devblogs.microsoft.com/microsoft365dev/end-of-support-timelines-for-azure-ad-authentication-library-adal-and-azure-ad-graph/). -- In December 2022, weΓÇÖve decided to extend the Azure Active Directory Authentication Library end of support to June 2023.
+- In June 2020, we [announced the 2-year end of support timeline for Microsoft Authentication Library](https://devblogs.microsoft.com/microsoft365dev/end-of-support-timelines-for-azure-ad-authentication-library-adal-and-azure-ad-graph/).
+- In December 2022, weΓÇÖve decided to extend the Microsoft Authentication Library end of support to June 2023.
- Through the next six months (January 2023 ΓÇô June 2023) we continue informing customers about the upcoming end of support along with providing guidance on migration. -- On June 2023 we'll officially sunset Azure Active Directory Authentication Library, removing library documentation and archiving all GitHub repositories related to the project.
+- On June 2023 we'll officially sunset Microsoft Authentication Library, removing library documentation and archiving all GitHub repositories related to the project.
-### How to find out which applications in my tenant are using Azure Active Directory Authentication Library?
+### How to find out which applications in my tenant are using Microsoft Authentication Library?
-Refer to our post on [Microsoft Q&A](/answers/questions/360928/information-how-to-find-apps-using-adal-in-your-te.html) for details on identifying Azure Active Directory Authentication Library apps with the help of [Azure Workbooks](../../azure-monitor/visualize/workbooks-overview.md).
-### If IΓÇÖm using Azure Active Directory Authentication Library, what can I expect after the deadline?
+Refer to our post on [Microsoft Q&A](/answers/questions/360928/information-how-to-find-apps-using-adal-in-your-te.html) for details on identifying Microsoft Authentication Library apps with the help of [Azure Workbooks](../../azure-monitor/visualize/workbooks-overview.md).
+### If IΓÇÖm using Microsoft Authentication Library, what can I expect after the deadline?
- There will be no new releases (security or otherwise) to the library after June 2023. -- We won't accept any incident reports or support requests for Azure Active Directory Authentication Library. Azure Active Directory Authentication Library to Microsoft Authentication Library migration support would continue. -- The underpinning services continue working and applications that depend on Azure Active Directory Authentication Library should continue working. Applications, and the resources they access, are at increased security and reliability risk due to not having the latest updates, service configuration, and enhancements made available through the Microsoft Identity platform.
+- We won't accept any incident reports or support requests for Microsoft Authentication Library. Microsoft Authentication Library to Microsoft Authentication Library migration support would continue.
+- The underpinning services continue working and applications that depend on Microsoft Authentication Library should continue working. Applications, and the resources they access, are at increased security and reliability risk due to not having the latest updates, service configuration, and enhancements made available through the Microsoft Identity platform.
### What features can I only access with Microsoft Authentication Library?
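Review bot: Replacing "Azure Active Directory Authentication Library" and "ADAL" with "Microsoft Authentication Library" throughout this section inverts the announcement, so the heading and body now declare end of support for the library customers are told to migrate to. Examples from the added lines: "we end support for the Microsoft Authentication Library (Microsoft Authentication Library)", "requires us to sunset Microsoft Authentication Library", and "Microsoft Authentication Library to Microsoft Authentication Library migration support would continue". The linked devblogs URL and the Microsoft Q&A slug still name ADAL, which shows the intended subject. Restore ADAL as the name of the retired library in the heading, the paragraphs, the timeline bullets and the FAQ headings. The only naming fix the removed text needed was in "migrate your applications to Azure Active Directory Authentication Library (MSAL)", where the migration target should read Microsoft Authentication Library (MSAL). Readers use this section to decide which library in their tenant no longer receives security releases, so the name has to be unambiguous.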
And more. For an up-to-date list, refer to our [migration guide](../develop/msal
To make the migration process easier, we published a [comprehensive guide](../develop/msal-migration.md#how-to-migrate-to-msal) that documents the migration paths across different platforms and programming languages.
-In addition to the Azure Active Directory Authentication Library to Microsoft Authentication Library update, we recommend migrating from Azure AD Graph API to Microsoft Graph. This change enables you to take advantage of the latest additions and enhancements, such as CAE, across the Microsoft service offering through a single, unified endpoint. You can read more in our [Migrate your apps from Azure AD Graph to Microsoft Graph](/graph/migrate-azure-ad-graph-overview) guide. You can post any questions to [Microsoft Q&A](/answers/topics/azure-active-directory.html) or [Stack Overflow](https://stackoverflow.com/questions/tagged/msal).
+In addition to the Microsoft Authentication Library to Microsoft Authentication Library update, we recommend migrating from Azure AD Graph API to Microsoft Graph. This change enables you to take advantage of the latest additions and enhancements, such as CAE, across the Microsoft service offering through a single, unified endpoint. You can read more in our [Migrate your apps from Azure AD Graph to Microsoft Graph](/graph/migrate-azure-ad-graph-overview) guide. You can post any questions to [Microsoft Q&A](/answers/topics/azure-active-directory.html) or [Stack Overflow](https://stackoverflow.com/questions/tagged/msal).
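Review bot: The added paragraph opens with "In addition to the Microsoft Authentication Library to Microsoft Authentication Library update", which names the same library as both the source and the target of the migration. The removed line had this right ("Azure Active Directory Authentication Library to Microsoft Authentication Library"); keep the original name for the source library here.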
Admins can now pause, and resume, the processing of individual dynamic groups in
**Service category:** Authentications (Logins) **Product capability:** User Authentication
-Update the Azure AD and Microsoft 365 sign-in experience with new company branding capabilities. You can apply your companyΓÇÖs brand guidance to authentication experiences with pre-defined templates. For more information, see: [Configure your company branding](../fundamentals/customize-branding.md).
+Update the Azure AD and Microsoft 365 sign-in experience with new company branding capabilities. You can apply your companyΓÇÖs brand guidance to authentication experiences with predefined templates. For more information, see: [Configure your company branding](../fundamentals/customize-branding.md).
This functionality greatly enhances recoverability and resilience when using Adm
**Product capability:** Platform With the growing adoption and support of IPv6 across enterprise networks, service providers, and devices, many customers are wondering if their users can continue to access their services and applications from IPv6 clients and networks. Today, weΓÇÖre excited to announce our plan to bring IPv6 support to Microsoft Azure Active Directory (Azure AD). This allows customers to reach the Azure AD services over both IPv4 and IPv6 network protocols (dual stack).
-For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to de-prioritize IPv4 in any Azure Active Directory features or services.
+For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to deprioritize IPv4 in any Azure Active Directory features or services.
We'll begin introducing IPv6 support into Azure AD services in a phased approach, beginning March 31, 2023. We have guidance that is specifically for Azure AD customers who use IPv6 addresses and also use Named Locations in their Conditional Access policies.
Azure Service Health supports service outage notifications to Tenant Admins for
End users can now enable passwordless phone sign-in for multiple accounts in the Authenticator App on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same iOS device. The Azure AD accounts can be in either the same, or different, tenants. Guest accounts aren't supported for multiple account sign-ins from one device.
-Note that end users are encouraged to enable the optional telemetry setting in the Authenticator App, if not done so already. For more information, see: [Enable passwordless sign-in with Microsoft Authenticator](../authentication/howto-authentication-passwordless-phone.md)
+End users are encouraged to enable the optional telemetry setting in the Authenticator App, if not done so already. For more information, see: [Enable passwordless sign-in with Microsoft Authenticator](../authentication/howto-authentication-passwordless-phone.md)
A new Azure AD Connect release fixes several bugs and includes new functionality
-Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. Now youΓÇÖll have granular inbound and outbound access control settings that work on a per org, user, group, and application basis. These settings also make it possible for you to trust security claims from external Azure AD organizations like multi-factor authentication (MFA), device compliance, and hybrid Azure AD joined devices. For more information, see: [Cross-tenant access with Azure AD External Identities](../external-identities/cross-tenant-access-overview.md).
+Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. Now you have granular inbound and outbound access control settings that work on a per org, user, group, and application basis. These settings also make it possible for you to trust security claims from external Azure AD organizations like multi-factor authentication (MFA), device compliance, and hybrid Azure AD joined devices. For more information, see: [Cross-tenant access with Azure AD External Identities](../external-identities/cross-tenant-access-overview.md).
Cross-tenant access settings enable you to control how users in your organizatio
**Product capability:** Outbound to SaaS Applications
-Accidental deletion of users in your apps or in your on-premises directory could be disastrous. WeΓÇÖre excited to announce the general availability of the accidental deletions prevention capability. When a provisioning job would cause a spike in deletions, it will first pause and provide you visibility into the potential deletions. You can then accept or reject the deletions and have time to update the jobΓÇÖs scope if necessary. For more information, see [Understand how expression builder in Application Provisioning works](../app-provisioning/expression-builder.md).
+Accidental deletion of users in your apps or in your on-premises directory could be disastrous. WeΓÇÖre excited to announce the general availability of the accidental deletions prevention capability. When a provisioning job would cause a spike in deletions, it will first pause and provide you with visibility into the potential deletions. You can then accept or reject the deletions and have time to update the jobΓÇÖs scope if necessary. For more information, see [Understand how expression builder in Application Provisioning works](../app-provisioning/expression-builder.md).
For more information on how to use this feature, see: [Dynamic membership rule f
**Product capability:** Platform
-Azure Service Health will soon support service outage notifications to Tenant Admins for Azure Active Directory issues soon. These outages will also appear on the Azure portal overview page with appropriate links to Azure Service Health. Outage events will be able to be seen by built-in Tenant Administrator Roles. We'll continue to send outage notifications to subscriptions within a tenant for transition. More information will be available when this capability is released. The expected release is for June 2022.
+Azure Service Health will soon support service outage notifications to Tenant Admins for Azure Active Directory issues soon. These outages will also appear on the Azure portal overview page with appropriate links to Azure Service Health. Outage events are able to be seen by built-in Tenant Administrator Roles. We continue to send outage notifications to subscriptions within a tenant for transition. More information is available when this capability is released. The expected release is for June 2022.
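Review bot: The tense rewrite in the added paragraph leaves it inconsistent: the first sentence still reads "will soon support ... issues soon" (with "soon" twice), while the later sentences now say "Outage events are able to be seen" and "More information is available when this capability is released". For an archived announcement of an upcoming release, keep the future tense throughout, or rewrite the whole paragraph as already shipped and drop "The expected release is for June 2022". Either way, remove the duplicated "soon".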
Identity Protection now integrates a signal from Microsoft Defender for Endpoint
-This update extends the Azure AD entitlement management access package policy to allow a third approval stage. This will be able to be configured via the Azure portal or Microsoft Graph. For more information, see: [Change approval and requestor information settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-approval-policy.md).
+This update extends the Azure AD entitlement management access package policy to allow a third approval stage. This is able to be configured via the Azure portal or Microsoft Graph. For more information, see: [Change approval and requestor information settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-approval-policy.md).
For more information about how to better secure your organization by using autom
-We announced in April 2020 General Availability of our new combined registration experience, enabling users to register security information for multi-factor authentication and self-service password reset at the same time, which was available for existing customers to opt in. We're happy to announce the combined security information registration experience will be enabled to all non-enabled customers after September 30, 2022. This change doesn't impact tenants created after August 15, 2020, or tenants located in the China region. For more information, see: [Combined security information registration for Azure Active Directory overview](../authentication/concept-registration-mfa-sspr-combined.md).
+We announced in April 2020 General Availability of our new combined registration experience, enabling users to register security information for multi-factor authentication and self-service password reset at the same time, which was available for existing customers to opt in. We're happy to announce the combined security information registration experience will be enabled to all nonenabled customers after September 30, 2022. This change doesn't impact tenants created after August 15, 2020, or tenants located in the China region. For more information, see: [Combined security information registration for Azure Active Directory overview](../authentication/concept-registration-mfa-sspr-combined.md).
Azure AD Recommendations is now in public preview. This feature provides persona
**Product capability:** Access Control
-Administrative units now support dynamic membership rules for user and device members. Instead of manually assigning users and devices to administrative units, tenant admins can set up a query for the administrative unit. The membership will be automatically maintained by Azure AD. For more information, see:[Administrative units in Azure Active Directory](../roles/administrative-units.md).
+Administrative units now support dynamic membership rules for user and device members. Instead of manually assigning users and devices to administrative units, tenant admins can set up a query for the administrative unit. The membership is automatically maintained by Azure AD. For more information, see:[Administrative units in Azure Active Directory](../roles/administrative-units.md).
Azure AD Identity Protection is extending its core capabilities of detecting, in
-Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. Now youΓÇÖll have granular inbound and outbound access control settings that work on a per org, user, group, and application basis. These settings also make it possible for you to trust security claims from external Azure AD organizations like multi-factor authentication (MFA), device compliance, and hybrid Azure AD joined devices. [Learn more](../external-identities/cross-tenant-access-overview.md)
+Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. Now you have granular inbound and outbound access control settings that work on a per org, user, group, and application basis. These settings also make it possible for you to trust security claims from external Azure AD organizations like multi-factor authentication (MFA), device compliance, and hybrid Azure AD joined devices. [Learn more](../external-identities/cross-tenant-access-overview.md)
For more information about how to better secure your organization by using autom
**Product capability:** Privileged Identity Management
-We've improved the Privileged Identity management (PIM) time to role activation for SharePoint Online. Now, when activating a role in PIM for SharePoint Online, you should be able to use your permissions right away in SharePoint Online. This change will roll out in stages, so you might not yet see these improvements in your organization. [Learn more](../privileged-identity-management/pim-how-to-activate-role.md)
+We've improved the Privileged Identity management (PIM) time to role activation for SharePoint Online. Now, when activating a role in PIM for SharePoint Online, you should be able to use your permissions right away in SharePoint Online. This change rolls out in stages, so you might not yet see these improvements in your organization. [Learn more](../privileged-identity-management/pim-how-to-activate-role.md)
--
-## January 2022
-
-### Public preview - Custom security attributes
-
-**Type:** New feature
-**Service category:** Directory Management
-**Product capability:** Directory
-
-Enables you to define business-specific attributes that you can assign to Azure AD objects. These attributes can be used to store information, categorize objects, or enforce fine-grained access control. Custom security attributes can be used with Azure attribute-based access control. [Learn more](custom-security-attributes-overview.md).
-
--
-### Public preview - Filter groups in tokens using a substring match
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-In the past, Azure AD only permitted groups to be filtered based on whether they were assigned to an application. Now, you can also use Azure AD to filter the groups included in the token. You can filter with the substring match on the display name or onPremisesSAMAccountName attributes of the group object on the token. Only groups that the user is a member of will be included in the token. This token will be recognized whether it's on the ObjectID or the on premises SAMAccountName or security identifier (SID). This feature can be used together with the setting to include only groups assigned to the application if desired to further filter the list.[Learn more](../hybrid/how-to-connect-fed-group-claims.md)
---
-### General availability - Continuous Access Evaluation
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** Access Control
-
-With Continuous access evaluation (CAE), critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change. [Learn more](../conditional-access/concept-continuous-access-evaluation.md).
-
--
-### General Availability - User management enhancements are now available
-
-**Type:** New feature
-**Service category:** User Management
-**Product capability:** User Management
-
-The Azure portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:
--- More visible user properties including object ID, directory sync status, creation type, and identity issuer.-- **Search now** allows substring search and combined search of names, emails, and object IDs.-- Enhanced filtering by user type (member, guest, and none), directory sync status, creation type, company name, and domain name.-- New sorting capabilities on properties like name, user principal name, creation time, and deletion date.-- A new total users count that updates with any searches or filters.-
-For more information, go to [User management enhancements (preview) in Azure Active Directory](../enterprise-users/users-search-enhanced.md).
---
-### General Availability - My Apps customization of default Apps view
-
-**Type:** New feature
-**Service category:** My Apps
-**Product capability:** End User Experiences
-
-Customization of the default My Apps view in now in general availability. For more information on My Apps, you can go to [Sign in and start apps from the My Apps portal](https://support.microsoft.com/en-us/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
-
--
-### General Availability - Audited BitLocker Recovery
-
-**Type:** New feature
-**Service category:** Device Access Management
-**Product capability:** Device Lifecycle Management
-
-BitLocker keys are sensitive security items. Audited BitLocker recovery ensures that when BitLocker keys are read, an audit log is generated so that you can trace who accesses this information for given devices. [Learn more](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys).
---
-### General Availability - Download a list of devices
-
-**Type:** New feature
-**Service category:** Device Registration and Management
-**Product capability:** Device Lifecycle Management
-
-Download a list of your organization's devices to a .csv file for easier reporting and management. [Learn more](../devices/device-management-azure-portal.md#download-devices).
-
--
-### New provisioning connectors in the Azure AD Application Gallery - January 2022
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Autodesk SSO](../saas-apps/autodesk-sso-provisioning-tutorial.md)-- [frankli.io](../saas-apps/frankli-io-provisioning-tutorial.md)-- [Plandisc](../saas-apps/plandisc-provisioning-tutorial.md)-- [Swit](../saas-apps/swit-provisioning-tutorial.md)-- [TerraTrue](../saas-apps/terratrue-provisioning-tutorial.md)-- [TimeClock 365 SAML](../saas-apps/timeclock-365-saml-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, go to [Automate user provisioning to SaaS applications with Azure AD](../manage-apps/user-provisioning.md).
---
-### New Federated Apps available in Azure AD Application gallery - January 2022
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In January 2022, we've added the following 47 new applications in our App gallery with Federation support:
-
-[Jooto](../saas-apps/jooto-tutorial.md), [Proprli](https://app.proprli.com/), [Pace Scheduler](https://www.pacescheduler.com/accounts/login/), [DRTrack](../saas-apps/drtrack-tutorial.md), [Dining Sidekick](../saas-apps/dining-sidekick-tutorial.md), [Cryotos](https://app.cryotos.com/oauth2/authorization/azure-client), [Emergency Management Systems](https://secure.emsystems.com.au/), [Manifestly Checklists](../saas-apps/manifestly-checklists-tutorial.md), [eLearnPOSH](../saas-apps/elearnposh-tutorial.md), [Scuba Analytics](../saas-apps/scuba-analytics-tutorial.md), [Athena Systems sign-in Platform](../saas-apps/athena-systems-login-platform-tutorial.md), [TimeTrack](../saas-apps/timetrack-tutorial.md), [MiHCM](../saas-apps/mihcm-tutorial.md), [Health Note](https://www.healthnote.com/), [Active Directory SSO for DoubleYou](../saas-apps/active-directory-sso-for-doubleyou-tutorial.md), [Emplifi platform](../saas-apps/emplifi-platform-tutorial.md), [Flexera One](../saas-apps/flexera-one-tutorial.md), [Hypothesis](https://web.hypothes.is/help/authorizing-hypothesis-from-the-azure-ad-app-gallery/), [Recurly](../saas-apps/recurly-tutorial.md), [XpressDox AU Cloud](https://au.xpressdox.com/Authentication/Login.aspx), [Zoom for Intune](https://zoom.us/), [UPWARD AGENT](https://app.upward.jp/login/), [Linux Foundation ID](https://openprofile.dev/), [Asset Planner](../saas-apps/asset-planner-tutorial.md), [Kiho](https://v3.kiho.fi/index/sso), [chezie](https://app.chezie.co/), [Excelity HCM](../saas-apps/excelity-hcm-tutorial.md), [yuccaHR](https://app.yuccahr.com/), [Blue Ocean Brain](../saas-apps/blue-ocean-brain-tutorial.md), [EchoSpan](../saas-apps/echospan-tutorial.md), [Archie](../saas-apps/archie-tutorial.md), [Equifax Workforce Solutions](../saas-apps/equifax-workforce-solutions-tutorial.md), [Palantir Foundry](../saas-apps/palantir-foundry-tutorial.md), [ATP SpotLight and ChronicX](../saas-apps/atp-spotlight-and-chronicx-tutorial.md), 
[DigiSign](https://app.digisign.org/selfcare/sso), [mConnect](https://mconnect.skooler.com/), [BrightHR](https://login.brighthr.com/), [Mural Identity](../saas-apps/mural-identity-tutorial.md), [CloudClarity](https://portal.cloudclarity.app/dashboard), [Twic](../saas-apps/twic-tutorial.md), [Eduhouse Online](https://app.eduhouse.fi/palvelu/kirjaudu/microsoft), [Bealink](../saas-apps/bealink-tutorial.md), [Time Intelligence Bot](https://teams.microsoft.com/), [SentinelOne](https://sentinelone.com/)
-
-You can also find the documentation of all the applications from: https://aka.ms/AppsTutorial,
-
-For listing your application in the Azure AD app gallery, read the details in: https://aka.ms/AzureADAppRequest
---
-### Azure Ad access reviews reviewer recommendations now account for non-interactive sign-in information
-
-**Type:** Changed feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-Azure AD access reviews reviewer recommendations now account for non-interactive sign-in information, improving upon original recommendations based on interactive last sign-ins only. Reviewers can now make more accurate decisions based on the last sign-in activity of the users they're reviewing. To learn more about how to create access reviews, go to [Create an access review of groups and applications in Azure AD](../governance/create-access-review.md).
-
--
-### Risk reason for offline Azure AD Threat Intelligence risk detection
-
-**Type:** Changed feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-The offline Azure AD Threat Intelligence risk detection can now have a risk reason that will help customers with the risk investigation. If a risk reason is available, it will show up as **Additional Info** in the risk details of that risk event. The information can be found in the Risk detections report. It will also be available through the additionalInfo property of the riskDetections API. [Learn more](../identity-protection/howto-identity-protection-investigate-risk.md).
-
---
-## December 2021
-
-### Tenant enablement of combined security information registration for Azure Active Directory
-
-**Type:** Plan for change
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-We previously announced in April 2020, a new combined registration experience enabling users to register authentication methods for SSPR and multi-factor authentication at the same time was generally available for existing customer to opt in. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting in 2022 Microsoft will be enabling the multi-factor authentication and SSPR combined registration experience for existing customers. [Learn more](../authentication/concept-registration-mfa-sspr-combined.md).
-
--
-### Public Preview - Number Matching now available to reduce accidental notification approvals
-
-**Type:** New feature
-**Service category:** Microsoft Authenticator App
-**Product capability:** User Authentication
-
-To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving a multi-factor authentication notification in the Authenticator app. This feature adds an extra security measure to the Microsoft Authenticator app. [Learn more](../authentication/how-to-mfa-number-match.md).
-
--
-### Pre-authentication error events removed from Azure AD Sign-in Logs
-
-**Type:** Deprecated
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-We're no longer publishing sign-in logs with the following error codes because these events are pre-authentication events that occur before our service has authenticated a user. Because these events happen before authentication, our service isn't always able to correctly identify the user. If a user continues on to authenticate, the user sign-in will show up in your tenant Sign-in logs. These logs are no longer visible in the Azure portal UX, and querying these error codes in the Graph API will no longer return results.
-
-|Error code | Failure reason|
-| | |
-|50058| Session information isn't sufficient for single-sign-on.|
-|16000| Either multiple user identities are available for the current request or selected account isn't supported for the scenario.|
-|500581| Rendering JavaScript. Fetching sessions for single-sign-on on V2 with prompt=none requires JavaScript to verify if any MSA accounts are signed in.|
-|81012| The user trying to sign in to Azure AD is different from the user signed into the device.|
-----
-## November 2021
-
-### Tenant enablement of combined security information registration for Azure Active Directory
-
-**Type:** Plan for change
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-We previously announced in April 2020, a new combined registration experience enabling users to register authentication methods for SSPR and multi-factor authentication at the same time was generally available for existing customer to opt in. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting 2022, Microsoft will be enabling the MF).
-
--
-### Windows users will see prompts more often when switching user accounts
-
-**Type:** Fixed
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-A problematic interaction between Windows and a local Active Directory Federation Services (ADFS) instance can result in users attempting to sign into another account, but be silently signed into their existing account instead, with no warning. For federated IdPs such as ADFS, that support the [prompt=login](/windows-server/identity/ad-fs/operations/ad-fs-prompt-login) pattern, Azure AD will now trigger a fresh sign-in at ADFS when a user is directed to ADFS with a sign-in hint. This ensures that the user is signed into the account they requested, rather than being silently signed into the account they're already signed in with.
-
-For more information, see the [change notice](../develop/reference-breaking-changes.md).
-
--
-### Public preview - Conditional Access Overview Dashboard
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Monitoring & Reporting
-
-The new Conditional Access overview dashboard enables all tenants to see insights about the impact of their Conditional Access policies without requiring an Azure Monitor subscription. This built-in dashboard provides tutorials to deploy policies, a summary of the policies in your tenant, a snapshot of your policy coverage, and security recommendations. [Learn more](../conditional-access/overview.md).
-
--
-### Public preview - SSPR writeback is now available for disconnected forests using Azure AD Connect cloud sync
-
-**Type:** New feature
-**Service category:** Azure AD Connect Cloud Sync
-**Product capability:** Identity Lifecycle Management
-
-The Public Preview feature for Azure AD Connect Cloud Sync Password writeback provides customers the capability to write back a user's password changes in the cloud to the on-premises directory in real time using the lightweight Azure AD cloud provisioning agent.[Learn more](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
---
-### Public preview - Conditional Access for workload identities
-
-**Type:** New feature
-**Service category:** Conditional Access for workload identities
-**Product capability:** Identity Security & Protection
-
-Previously, Conditional Access policies applied only to users when they access apps and services like SharePoint online or the Azure portal. This preview adds support for Conditional Access policies applied to service principals owned by the organization. You can block service principals from accessing resources from outside trusted-named locations or Azure Virtual Networks. [Learn more](../conditional-access/workload-identity.md).
---
-### Public preview - Extra attributes available as claims
-
-**Type:** Changed feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-Several user attributes have been added to the list of attributes available to map to claims to bring attributes available in claims more in line with what is available on the user object in Microsoft Graph. New attributes include mobilePhone and ProxyAddresses. [Learn more](../develop/reference-claims-mapping-policy-type.md).
-
--
-### Public preview - "Session Lifetime Policies Applied" property in the sign-in logs
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** Identity Security & Protection
-
-We have recently added other property to the sign-in logs called "Session Lifetime Policies Applied". This property will list all the session lifetime policies that applied to the sign-in for example, Sign-in frequency, Remember multi-factor authentication and Configurable token lifetime. [Learn more](../reports-monitoring/concept-sign-ins.md#authentication-details).
-
--
-### Public preview - Enriched reviews on access packages in entitlement management
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-Entitlement Management's enriched review experience allows even more flexibility on access packages reviews. Admins can now choose what happens to access if the reviewers don't respond, provide helper information to reviewers, or decide whether a justification is necessary. [Learn more](../governance/entitlement-management-access-reviews-create.md).
-
--
-### General availability - randomString and redact provisioning functions
-
-**Type:** New feature
-**Service category:** Provisioning
-**Product capability:** Outbound to SaaS Applications
-
-
-The Azure AD Provisioning service now supports two new functions, randomString() and Redact():
-- randomString - generate a string based on the length and characters you would like to include or exclude in your string.-- redact - remove the value of the attribute from the audit and provisioning logs. [Learn more](../app-provisioning/functions-for-customizing-application-data.md#randomstring).---
-### General availability - Now access review creators can select users and groups to receive notification on completion of reviews
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-Now access review creators can select users and groups to receive notification on completion of reviews. [Learn more](../governance/create-access-review.md).
-
-
-
-### General availability - Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator
-
-**Type:** New feature
-**Service category:** Microsoft Authenticator App
-**Product capability:** Identity Security & Protection
-
-This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. Users can also report any suspicious or unfamiliar activity, change their Azure AD account passwords, and update the account's security information.
-
-For more information on how to use this feature visit [View and search your recent sign-in activity from the My Sign-ins page](../user-help/my-account-portal-sign-ins-page.md).
---
-### General availability - New Microsoft Authenticator app icon
-
-**Type:** New feature
-**Service category:** Microsoft Authenticator App
-**Product capability:** Identity Security & Protection
-
-New updates have been made to the Microsoft Authenticator app icon. To learn more about these updates, see the [Microsoft Authenticator app](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/microsoft-authenticator-app-easier-ways-to-add-or-manage/ba-p/2464408) blog post.
---
-### General availability - Azure AD single sign-on and device-based Conditional Access support in Firefox on Windows 10/11
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** SSO
-
-We now support native single sign-on (SSO) support and device-based Conditional Access to Firefox browser on Windows 10 and Windows Server 2019 starting in Firefox version 91. [Learn more](../conditional-access/require-managed-devices.md#prerequisites).
-
--
-### New provisioning connectors in the Azure AD Application Gallery - November 2021
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Appaegis Isolation Access Cloud](../saas-apps/appaegis-isolation-access-cloud-provisioning-tutorial.md)-- [BenQ IAM](../saas-apps/benq-iam-provisioning-tutorial.md)-- [BIC Cloud Design](../saas-apps/bic-cloud-design-provisioning-tutorial.md)-- [Chaos](../saas-apps/chaos-provisioning-tutorial.md)-- [directprint.io](../saas-apps/directprint-io-provisioning-tutorial.md)-- [Documo](../saas-apps/documo-provisioning-tutorial.md)-- [Facebook Work Accounts](../saas-apps/facebook-work-accounts-provisioning-tutorial.md)-- [introDus Pre and Onboarding Platform](../saas-apps/introdus-pre-and-onboarding-platform-provisioning-tutorial.md)-- [Kisi Physical Security](../saas-apps/kisi-physical-security-provisioning-tutorial.md)-- [Klaxoon](../saas-apps/klaxoon-provisioning-tutorial.md)-- [Klaxoon SAML](../saas-apps/klaxoon-saml-provisioning-tutorial.md)-- [MX3 Diagnostics](../saas-apps/mx3-diagnostics-connector-provisioning-tutorial.md)-- [Netpresenter](../saas-apps/netpresenter-provisioning-tutorial.md)-- [Peripass](../saas-apps/peripass-provisioning-tutorial.md)-- [Real Links](../saas-apps/real-links-provisioning-tutorial.md)-- [Sentry](../saas-apps/sentry-provisioning-tutorial.md)-- [Teamgo](../saas-apps/teamgo-provisioning-tutorial.md)-- [Zero](../saas-apps/zero-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../manage-apps/user-provisioning.md).
-
--
-### New Federated Apps available in Azure AD Application gallery - November 2021
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In November 2021, we have added following 32 new applications in our App gallery with Federation support:
-
-[Tide - Connector](https://gallery.ctinsuretech-tide.com/), [Virtual Risk Manager - USA](../saas-apps/virtual-risk-manager-usa-tutorial.md), [Xorlia Policy Management](https://app.xoralia.com/), [WorkPatterns](https://app.workpatterns.com/oauth2/login?data_source_type=office_365_account_calendar_workspace_sync&utm_source=azure_sso), [GHAE](../saas-apps/ghae-tutorial.md), [Nodetrax Project](../saas-apps/nodetrax-project-tutorial.md), [Touchstone Benchmarking](https://app.touchstonebenchmarking.com/), [SURFsecureID - Azure AD Multi-Factor Authentication](../saas-apps/surfsecureid-azure-mfa-tutorial.md), [AiDEA](https://truebluecorp.com/en/prodotti/aidea-en/),[R and D Tax Credit
-
-You can also find the documentation of all the applications [here](../saas-apps/tutorial-list.md).
-
-For listing your application in the Azure AD app gallery, read the details [here](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### Updated "switch organizations" user experience in My Account.
-
-**Type:** Changed feature
-**Service category:** My Profile/Account
-**Product capability:** End User Experiences
-
-Updated "switch organizations" user interface in My Account. This visually improves the UI and provides the end-user with clear instructions. Added a manage organizations link to blade per customer feedback. [Learn more](https://support.microsoft.com/account-billing/switch-organizations-in-your-work-or-school-account-portals-c54c32c9-2f62-4fad-8c23-2825ed49d146).
-
--
-## October 2021
-
-### Limits on the number of configured API permissions for an application registration will be enforced starting in October 2021
-
-**Type:** Plan for change
-**Service category:** Other
-**Product capability:** Developer Experience
-
-Sometimes, application developers configure their apps to require more permissions than it's possible to grant. To prevent this from happening, a limit on the total number of required permissions that can be configured for an app registration will be enforced.
-
-The total number of required permissions for any single application registration mustn't exceed 400 permissions, across all APIs. The change to enforce this limit will begin rolling out mid-October 2021. Applications exceeding the limit can't increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and may not exceed 50 APIs.
-
-In the Azure portal, the required permissions are listed under API permissions for the application you wish to configure. Using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an [application](/graph/api/resources/application) entity. [Learn more](../enterprise-users/directory-service-limits-restrictions.md).
-
--
-### Email one-time passcode on by default change beginning rollout in November 2021
-
-**Type:** Plan for change
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-Previously, we announced that starting October 31, 2021, Microsoft Azure Active Directory [email one-time passcode](../external-identities/one-time-passcode.md) authentication will become the default method for inviting accounts and tenants for B2B collaboration scenarios. However, because of deployment schedules, we'll begin rolling out on November 1, 2021. Most of the tenants will see the change rolled out in January 2022 to minimize disruptions during the holidays and deployment lock downs. After this change, Microsoft will no longer allow redemption of invitations using Azure Active Directory accounts that are unmanaged. [Learn more](../external-identities/one-time-passcode.md#frequently-asked-questions).
-
--
-### Conditional Access Guest Access Blocking Screen
-
-**Type:** Fixed
-**Service category:** Conditional Access
-**Product capability:** End User Experiences
-
-If there's no trust relation between a home and resource tenant, a guest user would have previously been asked to re-register their device, which would break the previous registration. However, the user would end up in a registration loop because only home tenant device registration is supported. In this specific scenario, instead of this loop, we've created a new conditional access blocking page. The page tells the end user that they can't get access to conditional access protected resources as a guest user. [Learn more](../external-identities/b2b-quickstart-add-guest-users-portal.md#prerequisites).
-
--
-### 50105 Errors will now result in a UX error message instead of an error response to the application
-
-**Type:** Fixed
-**Service category:** Authentications (Logins)
-**Product capability:** Developer Experience
-
-Azure AD has fixed a bug in an error response that occurs when a user isn't assigned to an app that requires a user assignment. Previously, Azure AD would return error 50105 with the OIDC error code "interaction_required" even during interactive authentication. This would cause well-coded applications to loop indefinitely, as they do interactive authentication and receive an error telling them to do interactive authentication, which they would then do.
-
-The bug has been fixed, so that during non-interactive auth an "interaction_required" error will still be returned. Also, during interactive authentication an error page will be directly displayed to the user.
-
-For greater details, see the change notices for [Azure AD protocols](../develop/reference-breaking-changes.md#error-50105-has-been-fixed-to-not-return-interaction_required-during-interactive-authentication).
---
-### Public preview - New claims transformation capabilities
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-The following new capabilities have been added to the claims transformations available for manipulating claims in tokens issued from Azure AD:
-
-- Join() on NameID. Used to be restricted to joining an email format address with a verified domain. Now Join() can be used on the NameID claim in the same way as any other claim, so NameID transforms can be used to create Windows account style NameIDs or any other string. For now if the result is an email address, the Azure AD will still validate that the domain is one that is verified in the tenant.-- Substring(). A new transformation in the claims configuration UI allows extraction of defined position substrings such as five characters starting at character three - substring(3,5)-- Claims transformations. These transformations can now be performed on Multi-valued attributes, and can emit multi-valued claims. Microsoft Graph can now be used to read/write multi-valued directory schema extension attributes. [Learn more](../develop/active-directory-saml-claims-customization.md).---
-### Public Preview ΓÇô Flagged Sign-ins
-
-**Type:** New feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-Flagged sign-ins are a feature that will increase the signal to noise ratio for user sign-ins where users need help. The functionality is intended to empower users to raise awareness about sign-in errors they want help with. Also to help admins and help desk workers find the right sign-in events quickly and efficiently. [Learn more](../reports-monitoring/overview-flagged-sign-ins.md).
---
-### Public preview - Device overview
-
-**Type:** New feature
-**Service category:** Device Registration and Management
-**Product capability:** Device Lifecycle Management
-
-The new Device Overview feature provides actionable insights about devices in your tenant. [Learn more](../devices/device-management-azure-portal.md).
-
--
-### Public preview - Azure Active Directory workload identity federation
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** Developer Experience
-
-Azure AD workload identity federation is a new capability that's in public preview. It frees developers from handling application secrets or certificates. This includes secrets in scenarios such as using GitHub Actions and building applications on Kubernetes. Rather than creating an application secret and using that to get tokens for that application, developers can instead use tokens provided by the respective platforms such as GitHub and Kubernetes without having to manage any secrets manually.[Learn more](../develop/workload-identity-federation.md).
---
-### Public Preview - Updates to Sign-in Diagnostic
-
-**Type:** Changed feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-With this update, the diagnostic covers more scenarios and is made more easily available to admins.
-
-New scenarios covered when using the Sign-in Diagnostic:
-- Pass Through Authentication sign-in failures-- Seamless Single-Sign On sign-in failures
-
-Other changes include:
-- Flagged Sign-ins will automatically appear for investigation when using the Sign-in Diagnostic from Diagnose and Solve.-- Sign-in Diagnostic is now available from the Enterprise Apps Diagnose and Solve blade.-- The Sign-in Diagnostic is now available in the Basic Info tab of the Sign-in Log event view for all sign-in events. [Learn more](../reports-monitoring/concept-sign-in-diagnostics-scenarios.md#supported-scenarios).---
-### General Availability - Privileged Role Administrators can now create Azure AD access reviews on role-assignable groups
-
-**Type:** Fixed
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-Privileged Role Administrators can now create Azure AD access reviews on Azure AD role-assignable groups, in addition to Azure AD roles. [Learn more](../governance/deploy-access-reviews.md#who-will-create-and-manage-access-reviews).
-
--
-### General Availability - Azure AD single sign-on and device-based Conditional Access support in Firefox on Windows 10/11
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** SSO
-
-We now support native single sign-on (SSO) support and device-based Conditional Access to Firefox browser on Windows 10 and Windows Server 2019 starting in Firefox version 91. [Learn more](../conditional-access/require-managed-devices.md#prerequisites).
-
--
-### General Availability - New app indicator in My Apps
-
-**Type:** New feature
-**Service category:** My Apps
-**Product capability:** End User Experiences
-
-Apps that have been recently assigned to the user show up with a "new" indicator. When the app is launched or the page is refreshed, this indicator disappears. [Learn more](/azure/active-directory/user-help/my-apps-portal-end-user-access).
-
--
-### General availability - Custom domain support in Azure AD B2C
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-Azure AD B2C customers can now enable custom domains so their end-users are redirected to a custom URL domain for authentication. This is done via integration with Azure Front Door's custom domains capability. [Learn more](../../active-directory-b2c/custom-domain.md?pivots=b2c-user-flow).
-
--
-### General availability - Edge Administrator built-in role
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-
-Users in this role can create and manage the enterprise site list required for Internet Explorer mode on Microsoft Edge. This role grants permissions to create, edit, and publish the site list and additionally allows access to manage support tickets. [Learn more](/deployedge/edge-ie-mode-cloud-site-list-mgmt)
-
--
-### General availability - Windows 365 Administrator built-in role
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-Users with this role have global permissions on Windows 365 resources, when the service is present. Additionally, this role contains the ability to manage users and devices to associate a policy, and create and manage groups. [Learn more](../roles/permissions-reference.md)
-
--
-### New Federated Apps available in Azure AD Application gallery - October 2021
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In October 2021 we've added the following 10 new applications in our App gallery with Federation support:
-
-[Adaptive Shield](../saas-apps/adaptive-shield-tutorial.md), [SocialChorus Search](https://socialchorus.com/), [Hiretual-SSO](../saas-apps/hiretual-tutorial.md), [TeamSticker by Communitio](../saas-apps/teamsticker-by-communitio-tutorial.md), [embed signage](../saas-apps/embed-signage-tutorial.md), [JoinedUp](../saas-apps/joinedup-tutorial.md), [VECOS Releezme Locker management system](../saas-apps/vecos-releezme-locker-management-system-tutorial.md), [Altoura](../saas-apps/altoura-tutorial.md), [Dagster Cloud](../saas-apps/dagster-cloud-tutorial.md), [Qualaroo](../saas-apps/qualaroo-tutorial.md)
-
-You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the following article: https://aka.ms/AzureADAppRequest
---
-### Continuous Access Evaluation migration with Conditional Access
-
-**Type:** Changed feature
-**Service category:** Conditional Access
-**Product capability:** User Authentication
-
-A new user experience is available for our CAE tenants. Tenants will now access CAE as part of Conditional Access. Any tenants that were previously using CAE for some (but not all) user accounts under the old UX or had previously disabled the old CAE UX will now be required to undergo a one time migration experience.[Learn more](../conditional-access/concept-continuous-access-evaluation.md#migration).
-
--
-### Improved group list blade
-
-**Type:** Changed feature
-**Service category:** Group Management
-**Product capability:** Directory
-
-The new group list blade offers more sort and filtering capabilities, infinite scrolling, and better performance. [Learn more](../enterprise-users/groups-members-owners-search.md).
-
--
-### General availability - Google deprecation of Gmail sign-in support on embedded webviews on September 30, 2021
-
-**Type:** Changed feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-Google has deprecated Gmail sign-ins on Microsoft Teams mobile and custom apps that run Gmail authentications on embedded webviews on Sept. 30th, 2021.
-
-If you would like to request an extension, impacted customers with affected OAuth client ID(s) should have received an email from Google Developers with the following information regarding a one-time policy enforcement extension, which must be completed by Jan 31, 2022.
-
-To continue allowing your Gmail users to sign in and redeem, we strongly recommend that you refer to [Embedded vs System Web](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) UI in the MSAL.NET documentation and modify your apps to use the system browser for sign-in. All MSAL SDKs use the system web-view by default.
-
-As a workaround, we're deploying the device sign-in flow by October 8. Between today and until then, it's likely that it may not be rolled out to all regions yet (in which case, end-users will be met with an error screen until it gets deployed to your region.)
-
-For more details on the device sign-in flow and details on requesting extension to Google, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).
-
--
-### Identity Governance Administrator can create and manage Azure AD access reviews of groups and applications
-
-**Type:** Changed feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-Identity Governance Administrator can create and manage Azure AD access reviews of groups and applications. [Learn more](../governance/deploy-access-reviews.md#who-will-create-and-manage-access-reviews).
-
-----
-## September 2021
-
-### Limits on the number of configured API permissions for an application registration will be enforced starting in October 2021
-
-**Type:** Plan for change
-**Service category:** Other
-**Product capability:** Developer Experience
-
-Occasionally, application developers configure their apps to require more permissions than it's possible to grant. To prevent this from happening, we're enforcing a limit on the total number of required permissions that can be configured for an app registration.
-
-The total number of required permissions for any single application registration must not exceed 400 permissions, across all APIs. The change to enforce this limit will begin rolling out no sooner than mid-October 2021. Applications exceeding the limit can't increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and can't exceed 50 APIs.
-
-In the Azure portal, the required permissions are listed under Azure Active Directory > Application registrations > (select an application) > API permissions. Using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an application entity. [Learn more](../enterprise-users/directory-service-limits-restrictions.md).
---
-### My Apps performance improvements
-
-**Type:** Fixed
-**Service category:** My Apps
-**Product capability:** End User Experiences
-
-The load time of My Apps has been improved. Users going to myapps.microsoft.com load My Apps directly, rather than being redirected through another service. [Learn more](../user-help/my-apps-portal-end-user-access.md).
---
-### Single Page Apps using the `spa` redirect URI type must use a CORS enabled browser for auth
-
-**Type:** Known issue
-**Service category:** Authentications (Logins)
-**Product capability:** Developer Experience
-
-The modern Edge browser is now included in the requirement to provide an `Origin` header when redeeming a [single page app authorization code](../develop/v2-oauth2-auth-code-flow.md#redirect-uris-for-single-page-apps-spas). A compatibility fix accidentally exempted the modern Edge browser from CORS controls, and that bug is being fixed during October. A subset of applications depended on CORS being disabled in the browser, which has the side effect of removing the `Origin` header from traffic. This is an unsupported configuration for using Azure AD, and these apps that depended on disabling CORS can no longer use modern Edge as a security workaround. All modern browsers must now include the `Origin` header per HTTP spec, to ensure CORS is enforced. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).
---
-### General availability - On the My Apps portal, users can choose to view their apps in a list
-
-**Type:** New feature
-**Service category:** My Apps
-**Product capability:** End User Experiences
-
-By default, My Apps displays apps in a grid view. Users can now toggle their My Apps view to display apps in a list. [Learn more](../user-help/my-apps-portal-end-user-access.md).
-
--
-### General availability - New and enhanced device-related audit logs
-
-**Type:** New feature
-**Service category:** Audit
-**Product capability:** Device Lifecycle Management
-
-Admins can now see various new and improved device-related audit logs. The new audit logs include the create and delete passwordless credentials (Phone sign-in, FIDO2 key, and Windows Hello for Business), register/unregister device and pre-create/delete pre-create device. Additionally, there have been minor improvements to existing device-related audit logs that include adding more device details. [Learn more](../reports-monitoring/concept-audit-logs.md).
---
-### General availability - Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator
-
-**Type:** New feature
-**Service category:** Microsoft Authenticator App
-**Product capability:** Identity Security & Protection
-
-This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. They can report any suspicious or unfamiliar activity based on the sign-in history and activity if necessary. Users also can change their Azure AD account passwords and update the account's security information. [Learn more](../user-help/my-account-portal-sign-ins-page.md).
-
--
-### General availability - New MS Graph APIs for role management
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-New APIs for role management to MS Graph v1.0 endpoint are generally available. Instead of old [directory roles](/graph/api/resources/directoryrole?view=graph-rest-1.0&preserve-view=true), use [unifiedRoleDefinition](/graph/api/resources/unifiedroledefinition?view=graph-rest-1.0&preserve-view=true) and [unifiedRoleAssignment](/graph/api/resources/unifiedroleassignment?view=graph-rest-1.0&preserve-view=true).
-
--
-### General availability - Access Packages can expire after number of hours
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-It's now possible in entitlement management to configure an access package that will expire in a matter of hours in addition to the previous support for days or specific dates. [Learn more](../governance/entitlement-management-access-package-create.md#lifecycle).
-
--
-### New provisioning connectors in the Azure AD Application Gallery - September 2021
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [BLDNG APP](../saas-apps/bldng-app-provisioning-tutorial.md)-- [Cato Networks](../saas-apps/cato-networks-provisioning-tutorial.md)-- [Rouse Sales](../saas-apps/rouse-sales-provisioning-tutorial.md)-- [SchoolStream ASA](../saas-apps/schoolstream-asa-provisioning-tutorial.md)-- [Taskize Connect](../saas-apps/taskize-connect-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../manage-apps/user-provisioning.md).
-
--
-### New Federated Apps available in Azure AD Application gallery - September 2021
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In September 2021, we have added following 44 new applications in our App gallery with Federation support
-
-[Studybugs](https://studybugs.com/signin), [Yello](https://yello.co/yello-for-microsoft-teams/), [LawVu](../saas-apps/lawvu-tutorial.md), [Formate eVo Mail](https://www.document-genetics.co.uk/formate-evo-erp-output-management), [Revenue Grid](https://app.revenuegrid.com/login), [Orbit for Office 365](https://azuremarketplace.microsoft.com/marketplace/apps/aad.orbitforoffice365?tab=overview), [Upmarket](https://app.upmarket.ai/), [Alinto Protect](https://protect.alinto.net/), [Cloud Concinnity](https://cloudconcinnity.com/), [Matlantis](https://matlantis.com/), [ModelGen for Visio (MG4V)](https://crecy.com.au/model-gen/), [NetRef: Classroom Management](https://oauth.net-ref.com/microsoft/sso), [VergeSense](../saas-apps/vergesense-tutorial.md), [SafetyCulture](../saas-apps/safety-culture-tutorial.md), [Secutraq](https://secutraq.net/login), [Active and Thriving](../saas-apps/active-and-thriving-tutorial.md), [Inova](https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=1bacdba3-7a3b-410b-8753-5cc0b8125f81&response_type=code&redirect_uri=https:%2f%2fbroker.partneringplace.com%2fpartner-companion%2f&code_challenge_method=S256&code_challenge=YZabcdefghijklmanopqrstuvwxyz0123456789._-~&scope=1bacdba3-7a3b-410b-8753-5cc0b8125f81/.default), [TerraTrue](../saas-apps/terratrue-tutorial.md), [Beyond Identity Admin Console](../saas-apps/beyond-identity-admin-console-tutorial.md), [Visult](https://visult.app), [ENGAGE TAG](https://app.engagetag.com/), [Appaegis Isolation Access Cloud](../saas-apps/appaegis-isolation-access-cloud-tutorial.md), [CrowdStrike Falcon Platform](../saas-apps/crowdstrike-falcon-platform-tutorial.md), [MY Emergency Control](https://my-emergency.co.uk/app/auth/login), [AlexisHR](../saas-apps/alexishr-tutorial.md), [Teachme Biz](../saas-apps/teachme-biz-tutorial.md), [Zero Networks](../saas-apps/zero-networks-tutorial.md), [Mavim iMprove](https://improve.mavimcloud.com/), [Azumuta](https://app.azumuta.com/login?microsoft=true), 
[Frankli](https://beta.frankli.io/login), [Amazon Managed Grafana](../saas-apps/amazon-managed-grafana-tutorial.md), [Productive](../saas-apps/productive-tutorial.md), [Create!Webフロー](../saas-apps/createweb-tutorial.md), [Evercate](https://evercate.com/), [Ezra Coaching](../saas-apps/ezra-coaching-tutorial.md), [Baldwin Safety and Compliance](../saas-apps/baldwin-safety-&-compliance-tutorial.md), [Nulab Pass (Backlog,Cacoo,Typetalk)](../saas-apps/nulab-pass-tutorial.md), [Metatask](../saas-apps/metatask-tutorial.md), [Contrast Security](../saas-apps/contrast-security-tutorial.md), [Animaker](../saas-apps/animaker-tutorial.md), [Traction Guest](../saas-apps/traction-guest-tutorial.md), [True Office Learning - LIO](../saas-apps/true-office-learning-lio-tutorial.md), [Qiita Team](../saas-apps/qiita-team-tutorial.md)
-
-You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest
---
-### Gmail users signing in on Microsoft Teams mobile and desktop clients will sign in with device sign-in flow starting September 30, 2021
-
-**Type:** Changed feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-Starting on September 30 2021, Azure AD B2B guests and Azure AD B2C customers signing in with their self-service signed up or redeemed Gmail accounts will have an extra sign-in step. Users will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients. If you haven't already done so, make sure to modify your apps to use the system browser for sign-in. See [Embedded vs System Web UI in the MSAL.NET](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) documentation for more information. All MSAL SDKs use the system web-view by default.
-
-As the device sign-in flow will start September 30, 2021, it may not be available in your region immediately. If it's not available yet, your end-users will be met with the error screen shown in the doc until it gets deployed to your region.) For more details on the device sign-in flow and details on requesting extension to Google, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).
-
--
-### Improved Conditional Access Messaging for Non-compliant Device
-
-**Type:** Changed feature
-**Service category:** Conditional Access
-**Product capability:** End User Experiences
-
-The text and design on the Conditional Access blocking screen shown to users when their device is marked as non-compliant has been updated. Users will be blocked until they take the necessary actions to meet their company's device compliance policies. Additionally, we have streamlined the flow for a user to open their device management portal. These improvements apply to all conditional access supported OS platforms. [Learn more](https://support.microsoft.com/account-billing/troubleshooting-the-you-can-t-get-there-from-here-error-message-479a9c42-d9d1-4e44-9e90-24bbad96c251)
----
-## August 2021
-
-### New major version of AADConnect available
-
-**Type:** Fixed
-**Service category:** AD Connect
-**Product capability:** Identity Lifecycle Management
-
-We've released a new major version of Azure Active Directory Connect. This version contains several updates of foundational components to the latest versions and is recommended for all customers using Azure AD Connect. [Learn more](../hybrid/whatis-azure-ad-connect-v2.md).
-
--
-### Public Preview - Azure AD single sign-on and device-based Conditional Access support in Firefox on Windows 10
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** SSO
-
-
-We now support native single sign-on (SSO) support and device-based Conditional Access to the Firefox browser on Windows 10 and Windows Server 2019. Support is available in Firefox version 91. [Learn more](../conditional-access/require-managed-devices.md#prerequisites).
-
--
-### Public preview - beta MS Graph APIs for Azure AD access reviews returns list of contacted reviewer names
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-
-We've released beta MS Graph API for Azure AD access reviews. The API has methods to return a list of contacted reviewer names in addition to the reviewer type. [Learn more](/graph/api/resources/accessreviewinstance).
-
--
-### General Availability - "Register or join devices" user action in Conditional Access
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-
-The "Register or join devices" user action is generally available in Conditional access. This user action allows you to control multi-factor authentication policies for Azure Active Directory (AD) device registration. Currently, this user action only allows you to enable multi-factor authentication as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions).
---
-### General Availability - customers can scope reviews of privileged roles to eligible or permanent assignments
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-Administrators can now create access reviews of only permanent or eligible assignments to privileged Azure AD or Azure resource roles. [Learn more](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md).
-
-
-
-### General availability - assign roles to Azure Active Directory (AD) groups
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-
-Assigning roles to Azure AD groups is now generally available. This feature can simplify the management of role assignments in Azure AD for Global Administrators and Privileged Role Administrators. [Learn more](../roles/groups-concept.md).
-
--
-### New Federated Apps available in Azure AD Application gallery - Aug 2021
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In August 2021, we have added following 46 new applications in our App gallery with Federation support:
-
-[Siriux Customer Dashboard](https://portal.siriux.tech/login), [STRUXI](https://struxi.app/), [Autodesk Construction Cloud - Meetings](https://acc.autodesk.com/), [Eccentex AppBase for Azure](../saas-apps/eccentex-appbase-for-azure-tutorial.md), [Bookado](https://adminportal.bookado.io/), [FilingRamp](https://app.filingramp.com/login), [BenQ IAM](../saas-apps/benq-iam-tutorial.md), [Rhombus Systems](../saas-apps/rhombus-systems-tutorial.md), [CorporateExperience](../saas-apps/corporateexperience-tutorial.md), [TutorOcean](../saas-apps/tutorocean-tutorial.md), [Bookado Device](https://adminportal.bookado.io/), [HiFives-AD-SSO](https://app.hifives.in/login/azure), [Darzin](https://au.darzin.com/), [Simply Stakeholders](https://au.simplystakeholders.com/), [KACTUS HCM - Smart People](https://kactusspc.digitalware.co/), [Five9 UC Adapter for Microsoft Teams V2](https://uc.five9.net/?vendor=msteams), [Automation Center](https://automationcenter.cognizantgoc.com/portal/boot/signon), [Cirrus Identity Bridge for Azure AD](../saas-apps/cirrus-identity-bridge-for-azure-ad-tutorial.md), [ShiftWizard SAML](../saas-apps/shiftwizard-saml-tutorial.md), [Safesend Returns](https://www.safesendwebsites.com/), [Brushup](../saas-apps/brushup-tutorial.md), [directprint.io Cloud Print Administration](../saas-apps/directprint-io-cloud-print-administration-tutorial.md), [plain-x](https://app.plain-x.com/#/login),[X-point Cloud](../saas-apps/x-point-cloud-tutorial.md), [SmartHub INFER](../saas-apps/smarthub-infer-tutorial.md), [Fresh Relevance](../saas-apps/fresh-relevance-tutorial.md), [FluentPro G.A. 
Suite](https://gas.fluentpro.com/Account/SSOLogin?provider=Microsoft), [Clockwork Recruiting](../saas-apps/clockwork-recruiting-tutorial.md), [WalkMe SAML2.0](../saas-apps/walkme-saml-tutorial.md), [Sideways 6](https://app.sideways6.com/account/login?ReturnUrl=/), [Kronos Workforce Dimensions](../saas-apps/kronos-workforce-dimensions-tutorial.md), [SysTrack Cloud Edition](https://cloud.lakesidesoftware.com/Cloud/Account/Login), [mailworx Dynamics CRM Connector](https://www.mailworx.info/), [Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service](../saas-apps/palo-alto-networks-cloud-identity-enginecloud-authentication-service-tutorial.md), [Peripass](https://accounts.peripass.app/v1/sso/challenge), [JobDiva](https://www.jobssos.com/index_azad.jsp?SSO=AZURE&ID=1), [Sanebox For Office365](https://sanebox.com/login), [Tulip](../saas-apps/tulip-tutorial.md), [HP Wolf Security](https://www.hpwolf.com/), [Genesys Engage cloud Email](https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&accessType=offline&state=07e035a7-6fb0-4411-afd9-efa46c9602f9&resource=https://graph.microsoft.com/&response_type=code&redirect_uri=https://iwd.api01-westus2.dev.genazure.com/iwd/v3/emails/oauth2/microsoft/callback&client_id=36cd21ab-862f-47c8-abb6-79facad09dda), [Meta Wiki](https://meta.dunkel.eu/), [Palo Alto Networks Cloud Identity Engine Directory Sync](https://directory-sync.us.paloaltonetworks.com/directory?instance=L2qoLVONpBHgdJp1M5K9S08Z7NBXlpi54pW1y3DDu2gQqdwKbyUGA11EgeaDfZ1dGwn397S8eP7EwQW3uyE4XL), [Valarea](https://www.valarea.com/en/download), [LanSchool Air](../saas-apps/lanschool-air-tutorial.md), [Catalyst](https://www.catalyst.org/sso-login/), [Webcargo](../saas-apps/webcargo-tutorial.md)
-
-You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest
---
-### New provisioning connectors in the Azure AD Application Gallery - August 2021
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Chatwork](../saas-apps/chatwork-provisioning-tutorial.md)-- [Freshservice](../saas-apps/freshservice-provisioning-tutorial.md)-- [InviteDesk](../saas-apps/invitedesk-provisioning-tutorial.md)-- [Maptician](../saas-apps/maptician-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.
-
--
-### Multifactor fraud report ΓÇô new audit event
-
-**Type:** Changed feature
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-
-To help administrators understand that their users are blocked for multi-factor authentication as a result of fraud report, we've added a new audit event. This audit event is tracked when the user reports fraud. The audit log is available in addition to the existing information in the sign-in logs about fraud report. To learn how to get the audit report, see [multi-factor authentication Fraud alert](../authentication/howto-mfa-mfasettings.md#report-suspicious-activity).
---
-### Improved Low-Risk Detections
-
-**Type:** Changed feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-To improve the quality of low risk alerts that Identity Protection issues, we've modified the algorithm to issue fewer low risk Risky sign-ins. Organizations may see a significant reduction in low risk sign-in in their environment. [Learn more](../identity-protection/concept-identity-protection-risks.md).
-
--
-### Non-interactive risky sign-ins
-
-**Type:** Changed feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-Identity Protection now emits risky sign-ins on non-interactive sign-ins. Admins can find these risky sign-ins using the **sign-in type** filter in the risky sign-ins report. [Learn more](../identity-protection/howto-identity-protection-investigate-risk.md).
-
--
-### Change from User Administrator to Identity Governance Administrator in Entitlement Management
-
-**Type:** Changed feature
-**Service category:** Roles
-**Product capability:** Identity Governance
-
-The permissions assignments to manage access packages and other resources in Entitlement Management are moving from the User Administrator role to the Identity Governance administrator role.
-
-Users that have been assigned the User administrator role can longer create catalogs or manage access packages in a catalog they don't own. If users in your organization have been assigned the User administrator role to configure catalogs, access packages, or policies in entitlement management, they'll need a new assignment. You should instead assign these users the Identity Governance administrator role. [Learn more](../governance/entitlement-management-delegate.md)
---
-### Microsoft Azure Active Directory connector is deprecated
-
-**Type:** Deprecated
-**Service category:** Microsoft Identity Manager
-**Product capability:** Identity Lifecycle Management
-
-The Microsoft Azure Active Directory Connector for FIM is at feature freeze and deprecated. The solution of using FIM and the Azure AD Connector has been replaced. Existing deployments should migrate to [Azure AD Connect](../hybrid/whatis-hybrid-identity.md), Azure AD Connect Sync, or the [Microsoft Graph Connector](/microsoft-identity-manager/microsoft-identity-manager-2016-connector-graph), as the internal interfaces used by the Azure AD Connector for FIM are being removed from Azure AD. [Learn more](/microsoft-identity-manager/microsoft-identity-manager-2016-deprecated-features).
---
-### Retirement of older Azure AD Connect versions
-
-**Type:** Deprecated
-**Service category:** AD Connect
-**Product capability:** User Management
-
-Starting August 31 2022, all V1 versions of Azure AD Connect will be retired. If you haven't already done so, you need to update your server to Azure AD Connect V2.0. You need to make sure you're running a recent version of Azure AD Connect to receive an optimal support experience.
-
-If you run a retired version of Azure AD Connect, it may unexpectedly stop working. You may also not have the latest security fixes, performance improvements, troubleshooting, and diagnostic tools and service enhancements. Also, if you require support we can't provide you with the level of service your organization needs.
-
-See [Azure Active Directory Connect V2.0](../hybrid/whatis-azure-ad-connect-v2.md), what has changed in V2.0 and how this change impacts you.
---
-### Retirement of support for installing MIM on Windows Server 2008 R2 or SQL Server 2008 R2
-
-**Type:** Deprecated
-**Service category:** Microsoft Identity Manager
-**Product capability:** Identity Lifecycle Management
-
-Deploying MIM Sync, Service, Portal or CM on Windows Server 2008 R2, or using SQL Server 2008 R2 as the underlying database, is deprecated as these platforms are no longer in mainstream support. Installing MIM Sync and other components on Windows Server 2016 or later, and with SQL Server 2016 or later, is recommended.
-
-Deploying MIM for Privileged Access Management with a Windows Server 2012 R2 domain controller in the PRIV forest is deprecated. Use Windows Server 2016 or later Active Directory, with Windows Server 2016 functional level, for your PRIV forest domain. The Windows Server 2012 R2 functional level is still permitted for a CORP forest's domain. [Learn more](/microsoft-identity-manager/microsoft-identity-manager-2016-supported-platforms).
---
-## July 2021
-
-### New Google sign-in integration for Azure AD B2C and B2B self-service sign-up and invited external users will stop working starting July 12, 2021
-
-**Type:** Plan for change
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-Previously we announced that [the exception for Embedded WebViews for Gmail authentication will expire in the second half of 2021](https://www.yammer.com/cepartners/threads/1188371962232832).
-
-On July 7, 2021, we learned from Google that some of these restrictions will apply starting **July 12, 2021**. Azure AD B2B and B2C customers who set up a new Google ID sign-in in their custom or line of business applications to invite external users or enable self-service sign-up will have the restrictions applied immediately. As a result, end-users will be met with an error screen that blocks their Gmail sign-in if the authentication is not moved to a system webview. See the docs linked below for details.
-
-Most apps use system web-view by default, and will not be impacted by this change. This only applies to customers using embedded webviews (the non-default setting.) We advise customers to move their application's authentication to system browsers instead, prior to creating any new Google integrations. To learn how to move to system browsers for Gmail authentications, read the Embedded vs System Web UI section in the [Using web browsers (MSAL.NET)](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) documentation. All MSAL SDKs use the system web-view by default. [Learn more](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).
---
-### Google sign-in on embedded web-views expiring September 30, 2021
-
-**Type:** Plan for change
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-
-About two months ago we announced that the exception for Embedded WebViews for Gmail authentication will expire in the second half of 2021.
-
-Recently, Google has specified the date to be **September 30, 2021**.
-
-Rolling out globally beginning September 30, 2021, Azure AD B2B guests signing in with their Gmail accounts will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients. This applies to invited guests and guests who signed up using Self-Service Sign-Up.
-
-Azure AD B2C customers who have set up embedded webview Gmail authentications in their custom/line of business apps or have existing Google integrations, will no longer can let their users sign in with Gmail accounts. To mitigate this, make sure to modify your apps to use the system browser for sign-in. For more information, read the Embedded vs System Web UI section in the [Using web browsers (MSAL.NET)](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) documentation. All MSAL SDKs use the system web-view by default.
-
-As the device sign-in flow will start rolling out on September 30, 2021, it's likely that it may not be rolled out to your region yet (in which case, your end-users will be met with the error screen shown in the documentation until it gets deployed to your region.)
-
-For details on known impacted scenarios and what experience your users can expect, read [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).
---
-### Bug fixes in My Apps
-
-**Type:** Fixed
-**Service category:** My Apps
-**Product capability:** End User Experiences
-
-- Previously, the presence of the banner recommending the use of collections caused content to scroll behind the header. This issue has been resolved. -- Previously, there was another issue when adding apps to a collection, the order of apps in All Apps collection would get randomly reordered. This issue has also been resolved. -
-For more information on My Apps, read [Sign in and start apps from the My Apps portal](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
---
-### Public preview - Application authentication method policies
-
-**Type:** New feature
-**Service category:** MS Graph
-**Product capability:** Developer Experience
-
-Application authentication method policies in MS Graph which allow IT admins to enforce lifetime on application password secret credential or block the use of secrets altogether. Policies can be enforced for an entire tenant as a default configuration and it can be scoped to specific applications or service principals. [Learn more](/graph/api/resources/policy-overview).
-
--
-### Public preview - Authentication Methods registration campaign to download Microsoft Authenticator
-
-**Type:** New feature
-**Service category:** Microsoft Authenticator App
-**Product capability:** User Authentication
-
-The Authenticator registration campaign helps admins to move their organizations to a more secure posture by prompting users to adopt the Microsoft Authenticator app. Prior to this feature, there was no way for an admin to push their users to set up the Authenticator app.
-
-The registration campaign comes with the ability for an admin to scope users and groups by including and excluding them from the registration campaign to ensure a smooth adoption across the organization. [Learn more](../authentication/how-to-mfa-registration-campaign.md)
-
--
-### Public preview - Separation of duties check
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-In Azure AD entitlement management, an administrator can define that an access package is incompatible with another access package or with a group. Users who have the incompatible memberships will be then unable to request more access. [Learn more](../governance/entitlement-management-access-package-request-policy.md#prevent-requests-from-users-with-incompatible-access).
-
--
-### Public preview - Identity Protection logs in Log Analytics, Storage Accounts, and Event Hubs
-
-**Type:** New feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-You can now send the risky users and risk detections logs to Azure Monitor, Storage Accounts, or Log Analytics using the Diagnostic Settings in the Azure AD blade. [Learn more](../identity-protection/howto-export-risk-data.md).
-
--
-### Public preview - Application Proxy API addition for backend SSL certificate validation
-
-**Type:** New feature
-**Service category:** App Proxy
-**Product capability:** Access Control
-
-The onPremisesPublishing resource type now includes the property, "isBackendCertificateValidationEnabled" which indicates whether backend SSL certificate validation is enabled for the application. For all new Application Proxy apps, the property will be set to true by default. For all existing apps, the property will be set to false. For more information, read the [onPremisesPublishing resource type](/graph/api/resources/onpremisespublishing?view=graph-rest-beta&preserve-view=true) api.
-
--
-### General availability - Improved Authenticator setup experience for add Azure AD account in Microsoft Authenticator app by directly signing into the app.
-
-**Type:** New feature
-**Service category:** Microsoft Authenticator App
-**Product capability:** User Authentication
-
-Users can now use their existing authentication methods to directly sign into the Microsoft Authenticator app to set up their credential. Users don't need to scan a QR Code anymore and can use a Temporary Access Pass (TAP) or Password + SMS (or other authentication method) to configure their account in the Authenticator app.
-
-This improves the user credential provisioning process for the Microsoft Authenticator app and gives the end user a self-service method to provision the app. [Learn more](https://support.microsoft.com/account-billing/add-your-work-or-school-account-to-the-microsoft-authenticator-app-43a73ab5-b4e8-446d-9e54-2a4cb8e4e93c#sign-in-with-your-credentials).
-
--
-### General availability - Set manager as reviewer in Azure AD entitlement management access packages
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-Access packages in Azure AD entitlement management now support setting the user's manager as the reviewer for regularly occurring access reviews. [Learn more](../governance/entitlement-management-access-reviews-create.md).
---
-### General availability - Enable external users to self-service sign up in Azure Active Directory using MSA accounts
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-Users can now enable external users to self-service sign up in Azure Active Directory using Microsoft accounts. [Learn more](../external-identities/microsoft-account.md).
-
-
-
-### General availability - External Identities Self-Service Sign-Up with Email One-time Passcode
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-
-Now users can enable external users to self-service sign up in Azure Active Directory using their email and one-time passcode. [Learn more](../external-identities/one-time-passcode.md).
-
--
-### General availability - Anomalous token
-
-**Type:** New feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-Anomalous token detection is now available in Identity Protection. This feature can detect that there are abnormal characteristics in the token such as time active and authentication from unfamiliar IP address. [Learn more](../identity-protection/concept-identity-protection-risks.md).
-
--
-### General availability - Register or join devices in Conditional Access
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-The Register or join devices user action in Conditional access is now in general availability. This user action allows you to control multifactor authentication (MFA) policies for Azure AD device registration.
-
-Currently, this user action only allows you to enable multifactor authentication as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions).
---
-### New provisioning connectors in the Azure AD Application Gallery - July 2021
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Clebex](../saas-apps/clebex-provisioning-tutorial.md)-- [Exium](../saas-apps/exium-provisioning-tutorial.md)-- [SoSafe](../saas-apps/sosafe-provisioning-tutorial.md)-- [Talentech](../saas-apps/talentech-provisioning-tutorial.md)-- [Thrive LXP](../saas-apps/thrive-lxp-provisioning-tutorial.md)-- [Vonage](../saas-apps/vonage-provisioning-tutorial.md)-- [Zip](../saas-apps/zip-provisioning-tutorial.md)-- [TimeClock 365](../saas-apps/timeclock-365-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, read [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
---
-### Changes to security and Microsoft 365 group settings in Azure portal
-
-**Type:** Changed feature
-**Service category:** Group Management
-**Product capability:** Directory
-
-
-In the past, users could create security groups and Microsoft 365 groups in the Azure portal. Now users will have the ability to create groups across Azure portals, PowerShell, and API. Customers are required to verify and update the new settings have been configured for their organization. [Learn More](../enterprise-users/groups-self-service-management.md#group-settings).
-
--
-### "All Apps" collection has been renamed to "Apps"
-
-**Type:** Changed feature
-**Service category:** My Apps
-**Product capability:** End User Experiences
-
-In the My Apps portal, the collection that was called "All Apps" has been renamed to be called "Apps". As the product evolves, "Apps" is a more fitting name for this default collection. [Learn more](../manage-apps/my-apps-deployment-plan.md#plan-the-user-experience).
-
--
-## June 2021
-
-### Context panes to display risk details in Identity Protection Reports
-
-**Type:** Plan for change
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-For the Risky users, Risky sign-ins, and Risk detections reports in Identity Protection, the risk details of a selected entry will be shown in a context pane appearing from the right of the page July 2021. The change only impacts the user interface and won't affect any existing functionalities. To learn more about the functionality of these features, refer to [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).
-
--
-### Public preview - create Azure AD access reviews of Service Principals that are assigned to privileged roles
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
- You can use Azure AD access reviews to review service principal's access to privileged Azure AD and Azure resource roles. [Learn more](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md#create-access-reviews).
-
--
-### Public preview - group owners in Azure AD can create and manage Azure AD access reviews for their groups
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-Now group owners in Azure AD can create and manage Azure AD access reviews on their groups. This ability can be enabled by tenant administrators through Azure AD access review settings and is disabled by default. [Learn more](../governance/create-access-review.md#allow-group-owners-to-create-and-manage-access-reviews-of-their-groups).
-
--
-### Public preview - customers can scope access reviews of privileged roles to just users with eligible or active access
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-When admins create access reviews of assignments to privileged roles, they can scope the reviews to only eligibly assigned users or only actively assigned users. [Learn more](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md).
-
--
-### Public preview - Microsoft Graph APIs for Mobility (MDM/MAM) management policies
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** Device Lifecycle Management
-
-Microsoft Graph support for the Mobility (MDM/MAM) configuration in Azure AD is in public preview. Administrators can configure user scope and URLs for MDM applications like Intune using Microsoft Graph v1.0. For more information, see [mobilityManagementPolicy resource type](/graph/api/resources/mobilitymanagementpolicy?view=graph-rest-beta&preserve-view=true)
---
-### General availability - Custom questions in access package request flow in Azure Active Directory entitlement management
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-Azure AD entitlement management now supports the creation of custom questions in the access package request flow. This feature allows you to configure custom questions in the access package policy. These questions are shown to requestors who can input their answers as part of the access request process. These answers will be displayed to approvers, giving them helpful information that empowers them to make better decisions on the access request. [Learn more](../governance/entitlement-management-access-package-create.md).
---
-### General availability - Multi-geo SharePoint sites as resources in Entitlement Management Access Packages
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-Access packages in Entitlement Management now support multi-geo SharePoint sites for customers who use the multi-geo capabilities in SharePoint Online. [Learn more](../governance/entitlement-management-catalog-create.md#add-a-multi-geo-sharepoint-site).
-
--
-### General availability - Knowledge Admin and Knowledge Manager built-in roles
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-Two new roles, Knowledge Administrator and Knowledge Manager are now in general availability.
--- Users in the Knowledge Administrator role have full access to all Organizational knowledge settings in the Microsoft 365 admin center. They can create and manage content, like topics and acronyms. Additionally, these users can create content centers, monitor service health, and create service requests. [Learn more](../roles/permissions-reference.md#knowledge-administrator)-- Users in the Knowledge Manager role can create and manage content and are primarily responsible for the quality and structure of knowledge. They have full rights to topic management actions to confirm a topic, approve edits, or delete a topic. This role can also manage taxonomies as part of the term store management tool and create content centers. [Learn more](../roles/permissions-reference.md#knowledge-manager).---
-### General availability - Cloud App Security Administrator built-in role
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
- Users with this role have full permissions in Cloud App Security. They can add administrators, add Microsoft Cloud App Security (MCAS) policies and settings, upload logs, and do governance actions. [Learn more](../roles/permissions-reference.md#cloud-app-security-administrator).
-
--
-### General availability - Windows Update Deployment Administrator
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-
- Users in this role can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. The deployment service enables users to define settings for when and how updates are deployed. Also, users can specify which updates are offered to groups of devices in their tenant. It also allows users to monitor the update progress. [Learn more](../roles/permissions-reference.md#windows-update-deployment-administrator).
-
--
-### General availability - multi-camera support for Windows Hello
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-Now with the Windows 10 21H1 update, Windows Hello supports multiple cameras. The update includes defaults to use the external camera when both built-in and outside cameras are present. [Learn more](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103).
--
-
-### General availability - Access Reviews MS Graph APIs now in v1.0
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-Azure Active Directory access reviews MS Graph APIs are now in v1.0 support fully configurable access reviews features. [Learn more](/graph/api/resources/accessreviewsv2-overview?view=graph-rest-1.0&preserve-view=true).
-
--
-### New provisioning connectors in the Azure AD Application Gallery - June 2021
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [askSpoke](../saas-apps/askspoke-provisioning-tutorial.md)-- [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-provisioning-tutorial.md)-- [CheckProof](../saas-apps/checkproof-provisioning-tutorial.md)-- [GoLinks](../saas-apps/golinks-provisioning-tutorial.md)-- [Holmes Cloud](../saas-apps/holmes-cloud-provisioning-tutorial.md)-- [H5mag](../saas-apps/h5mag-provisioning-tutorial.md)-- [LimbleCMMS](../saas-apps/limblecmms-provisioning-tutorial.md)-- [LogMeIn](../saas-apps/logmein-provisioning-tutorial.md)-- [SECURE DELIVER](../saas-apps/secure-deliver-provisioning-tutorial.md)-- [Sigma Computing](../saas-apps/sigma-computing-provisioning-tutorial.md)-- [Smallstep SSH](../saas-apps/smallstep-ssh-provisioning-tutorial.md)-- [Tribeloo](../saas-apps/tribeloo-provisioning-tutorial.md)-- [Twingate](../saas-apps/twingate-provisioning-tutorial.md)-
-For more information, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
-
--
-### New Federated Apps available in Azure AD Application gallery - June 2021
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In June 2021, we have added following 42 new applications in our App gallery with Federation support
-
-[Taksel](https://help.ubuntu.com/community/Tasksel), [IDrive360](../saas-apps/idrive360-tutorial.md), [VIDA](../saas-apps/vida-tutorial.md), [ProProfs Classroom](../saas-apps/proprofs-classroom-tutorial.md), [WAN-Sign](../saas-apps/wan-sign-tutorial.md), [Citrix Cloud SAML SSO](../saas-apps/citrix-cloud-saml-sso-tutorial.md), [Fabric](../saas-apps/fabric-tutorial.md), [DssAD](https://cloudlicensing.deepseedsolutions.com/), [RICOH Creative Collaboration RICC](https://www.ricoh-europe.com/products/software-apps/collaboration-board-software/ricc/), [Styleflow](../saas-apps/styleflow-tutorial.md), [Chaos](https://accounts.chaosgroup.com/corporate_login), [Traced Connector](https://control.traced.app/signup), [Squarespace](https://account.squarespace.com/org/azure), [MX3 Diagnostics Connector](https://www.mx3diagnostics.com/), [Ten Spot](https://tenspot.co/api/v1/sso/azure/login/), [Finvari](../saas-apps/finvari-tutorial.md), [Mobile4ERP](https://play.google.com/store/apps/details?id=com.negevsoft.mobile4erp), [WalkMe US OpenID Connect](https://www.walkme.com/), [Neustar UltraDNS](../saas-apps/neustar-ultradns-tutorial.md), [cloudtamer.io](../saas-apps/cloudtamer-io-tutorial.md), [A Cloud Guru](../saas-apps/a-cloud-guru-tutorial.md), [PetroVue](../saas-apps/petrovue-tutorial.md), [Postman](../saas-apps/postman-tutorial.md), [ReadCube Papers](../saas-apps/readcube-papers-tutorial.md), [Peklostroj](https://app.peklostroj.cz/), [SynCloud](https://www.syncloud.org/apps.html), [Polymerhq.io](https://www.polymerhq.io/), [Bonos](../saas-apps/bonos-tutorial.md), [Astra Schedule](../saas-apps/astra-schedule-tutorial.md), [Draup](../saas-apps/draup-inc-tutorial.md), [Inc](../saas-apps/draup-inc-tutorial.md), [Applied Mental Health](../saas-apps/applied-mental-health-tutorial.md), [iHASCO Training](../saas-apps/ihasco-training-tutorial.md), [Nexsure](../saas-apps/nexsure-tutorial.md), [XEOX](https://login.xeox.com/), [Plandisc](https://create.plandisc.com/account/logon), 
[foundU](../saas-apps/foundu-tutorial.md), [Standard for Success Accreditation](../saas-apps/standard-for-success-accreditation-tutorial.md), [Penji Teams](https://web.penjiapp.com/), [CheckPoint Infinity Portal](../saas-apps/checkpoint-infinity-portal-tutorial.md), [Teamgo](../saas-apps/teamgo-tutorial.md), [Hopsworks.ai](../saas-apps/hopsworks-ai-tutorial.md), [HoloMeeting 2](https://backend2.holomeeting.io/)
-
-You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest
-
--
-### Device code flow now includes an app verification prompt
-
-**Type:** Changed feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-The [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include one extra user prompt. While signing in, the user will see a prompt asking them to validate the app they're signing into. The prompt ensures that they aren't subject to a phishing attack. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).
-
--
-### User last sign-in date and time is now available on Azure portal
-
-**Type:** Changed feature
-**Service category:** User Management
-**Product capability:** User Management
-
-You can now view your users' last sign-in date and time stamp on the Azure portal. The information is available for each user on the user profile page. This information helps you identify inactive users and effectively manage risky events. [Learn more](./active-directory-users-profile-azure-portal.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context).
-
--
-### MIM BHOLD Suite impact of end of support for Microsoft Silverlight
-
-**Type:** Changed feature
-**Service category:** Microsoft Identity Manager
-**Product capability:** Identity Governance
-
-Microsoft Silverlight will reach its end of support on October 12, 2021. This change only impacts customers using the Microsoft BHOLD Suite, and doesn't impact other Microsoft Identity Manager scenarios. For more information, see [Silverlight End of Support](https://support.microsoft.com/windows/silverlight-end-of-support-0a3be3c7-bead-e203-2dfd-74f0a64f1788).
-
-Users who haven't installed Microsoft Silverlight in their browser can't use the BHOLD Suite modules, which require Silverlight. This includes the BHOLD Model Generator, BHOLD FIM Self-service integration, and BHOLD Analytics. Customers with an existing BHOLD deployment of one or more of those modules should plan to uninstall those modules from their BHOLD server computers by October 2021. Also, they should plan to uninstall Silverlight from any user computers that were previously interacting with that BHOLD deployment.
-
--
-### My* experiences: End of support for Internet Explorer 11
-
-**Type:** Deprecated
-**Service category:** My Apps
-**Product capability:** End User Experiences
-
-
-Microsoft 365 and other apps are ending support for Internet Explorer 11 on August 21, 2021, and this includes the My* experiences. The My*s accessed via Internet Explorer won't receive bug fixes or any updates, which may lead to issues. These dates are being driven by the Edge team and may be subject to change. [Learn more](https://blogs.windows.com/windowsexperience/2021/05/19/the-future-of-internet-explorer-on-windows-10-is-in-microsoft-edge/).
-
--
-### Planned deprecation - Malware linked IP address detection in Identity Protection
-
-**Type:** Deprecated
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-Starting October 1, 2021, Azure AD Identity Protection will no longer generate the "Malware linked IP address" detection. No action is required and customers will remain protected by the other detections provided by Identity Protection. To learn more about protection policies, refer to [Identity Protection policies](../identity-protection/concept-identity-protection-policies.md).
-
--
-## May 2021
-
-### Public preview - Azure AD verifiable credentials
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** User Authentication
-
-Azure AD customers can now easily design and issue verifiable credentials. Verifiable credentials can be used to represent proof of employment, education, or any other claim while respecting privacy. Digitally validate any piece of information about anyone and any business. [Learn more](../verifiable-credentials/index.yml).
---
-### Public preview - Device code flow now includes an app verification prompt
-
-**Type:** New feature
-**Service category:** User Authentication
-**Product capability:** Authentications (Logins)
-
-As a security improvement, the [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include another prompt, which validates that the user is signing into the app they expect. The rollout is planned to start in June and expected to be complete by June 30.
-
-To help prevent phishing attacks where an attacker tricks the user into signing into a malicious application, the following prompt is being added: "Are you trying to sign in to [application display name]?". All users will see this prompt while signing in using the device code flow. As a security measure, it can't be removed or bypassed. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).
---
-### Public preview - build and test expressions for user provisioning
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-The expression builder allows you to create and test expressions, without having to wait for the full sync cycle. [Learn more](../app-provisioning/functions-for-customizing-application-data.md).
---
-### Public preview - enhanced audit logs for Conditional Access policy changes
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-An important aspect of managing Conditional Access is understanding changes to your policies over time. Policy changes may cause disruptions for your end users, so maintaining a log of changes and enabling admins to revert to previous policy versions is critical.
-
-and showing who made a policy change and when, the audit logs will now also contain a modified properties value. This change gives admins greater visibility into what assignments, conditions, or controls changed. If you want to revert to a previous version of a policy, you can copy the JSON representation of the old version and use the Conditional Access APIs to change the policy to its previous state. [Learn more](../conditional-access/concept-conditional-access-policies.md).
---
-### Public preview - Sign-in logs include authentication methods used during sign-in
-
-**Type:** New feature
-**Service category:** MFA
-**Product capability:** Monitoring & Reporting
-
-
-Admins can now see the sequential steps users took to sign-in, including which authentication methods were used during sign-in.
-
-To access these details, go to the Azure AD sign-in logs, select a sign-in, and then navigate to the Authentication Method Details tab. Here we have included information such as which method was used, details about the method (for example, phone number, phone name), authentication requirement satisfied, and result details. [Learn more](../reports-monitoring/concept-sign-ins.md).
---
-### Public preview - PIM adds support for ABAC conditions in Azure Storage roles
-
-**Type:** New feature
-**Service category:** Privileged Identity Management
-**Product capability:** Privileged Identity Management
-
-Along with the public preview of attributed-based access control (ABAC) for specific Azure roles, you can also add ABAC conditions inside Privileged Identity Management for your eligible assignments. [Learn more](../../role-based-access-control/conditions-overview.md#conditions-and-azure-ad-pim).
---
-### General availability - Conditional Access and Identity Protection Reports in B2C
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-B2C now supports Conditional Access and Identity Protection for business-to-consumer (B2C) apps and users. This enables customers to protect their users with granular risk- and location-based access controls. With these features, customers can now look at the signals and create a policy to provide more security and access to your customers. [Learn more](../../active-directory-b2c/conditional-access-identity-protection-overview.md).
---
-### General availability - KMSI and Password reset now in next generation of user flows
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-The next generation of B2C user flows now supports [keep me signed in (KMSI)](../../active-directory-b2c/session-behavior.md?pivots=b2c-custom-policy#enable-keep-me-signed-in-kmsi) and password reset. The KMSI functionality allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie. This feature keeps the session active even when the user closes and reopens the browser. The session is revoked when the user signs out. Password reset allows users to reset their password from the "Forgot your password
-' link. This also allows the admin to force reset the user's expired password in the Azure AD B2C directory. [Learn more](../../active-directory-b2c/add-password-reset-policy.md?pivots=b2c-user-flow).
-
--
-### General availability - New Log Analytics workbook Application role assignment activity
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-A new workbook has been added for surfacing audit events for application role assignment changes. [Learn more](../governance/entitlement-management-logs-and-reporting.md).
---
-### General availability - Next generation Azure AD B2C user flows
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-The new simplified user flow experience offers feature parity with preview features and is the home for all new features. Users can enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. The new, user-friendly UX also simplifies the selection and creation of user flows. Refer to [Create user flows in Azure AD B2C](../../active-directory-b2c/tutorial-create-user-flows.md?pivots=b2c-user-flow) for guidance on using this feature. [Learn more](../../active-directory-b2c/user-flow-versions.md).
---
-### General availability - Azure Active Directory threat intelligence for sign-in risk
-
-**Type:** New feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-This new detection serves as an ad-hoc method to allow our security teams to notify you and protect your users by raising their session risk to a High risk when we observe an attack happening. The detection will also mark the associated sign-ins as risky. This detection follows the existing Azure Active Directory threat intelligence for user risk detection to provide complete coverage of the various attacks observed by Microsoft security teams. [Learn more](../identity-protection/concept-identity-protection-risks.md).
-
--
-### General availability - Conditional Access named locations improvements
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-IPv6 support in named locations is now generally available. Updates include:
--- Added the capability to define IPv6 address ranges-- Increased limit of named locations from 90 to 195-- Increased limit of IP ranges per named location from 1200 to 2000-- Added capabilities to search and sort named locations and filter by location type and trust type-- Added named locations a sign-in belonged to in the sign-in logs
-
-Additionally, to prevent admins from defining problematically named locations, extra checks have been added to reduce the chance of misconfiguration. [Learn more](../conditional-access/location-condition.md).
---
-### General availability - Restricted guest access permissions in Azure AD
-
-**Type:** New feature
-**Service category:** User Management
-**Product capability:** Directory
-
-Directory level permissions for guest users have been updated. These permissions allow administrators to require extra restrictions and controls on external guest user access.
-
-Admins can now add more restrictions for external guests' access to user and groups' profile and membership information. Also, customers can manage external user access at scale by hiding group memberships, including restricting guest users from seeing memberships of the group(s) they are in. To learn more, see [Restrict guest access permissions in Azure Active Directory](../enterprise-users/users-restrict-guest-permissions.md).
-
--
-### New Federated Apps available in Azure AD Application gallery - May 2021
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [AuditBoard](../saas-apps/auditboard-provisioning-tutorial.md)-- [Cisco Umbrella User Management](../saas-apps/cisco-umbrella-user-management-provisioning-tutorial.md)-- [Insite LMS](../saas-apps/insite-lms-provisioning-tutorial.md)-- [kpifire](../saas-apps/kpifire-provisioning-tutorial.md)-- [UNIFI](../saas-apps/unifi-provisioning-tutorial.md)-
-For more information about how to better secure your organization using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
---
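Review bot: The first of the two May 2021 entries titled "New Federated Apps available in Azure AD Application gallery - May 2021" has a heading that does not match its body. The body lists provisioning connectors (AuditBoard, Cisco Umbrella User Management, Insite LMS, kpifire, UNIFI), and the heading is identical to that of the entry that follows it. If this text is being relocated rather than dropped, rename the first heading to the "New provisioning connectors in the Azure AD Application Gallery - <month>" form that the April and March entries use, and set its service category to App Provisioning as those entries do, so the two headings stay distinguishable.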
-### New Federated Apps available in Azure AD Application gallery - May 2021
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In May 2021, we have added following 29 new applications in our App gallery with Federation support
-
-[InviteDesk](https://app.invitedesk.com/login), [Webrecruit ATS](https://id-test.webrecruit.co.uk/), [Workshop](../saas-apps/workshop-tutorial.md), [Gravity Sketch](https://landingpad.me/), [JustLogin](../saas-apps/justlogin-tutorial.md), [Custellence](https://custellence.com/sso/), [WEVO](https://hello.wevoconversion.com/login), [AppTec360 MDM](https://www.apptec360.com/ms/autopilot.html), [Filemail](https://www.filemail.com/login),[Ardoq](../saas-apps/ardoq-tutorial.md), [Leadfamly](../saas-apps/leadfamly-tutorial.md), [Documo](../saas-apps/documo-tutorial.md), [Autodesk SSO](../saas-apps/autodesk-sso-tutorial.md), [Check Point Harmony Connect](../saas-apps/check-point-harmony-connect-tutorial.md), [BrightHire](https://app.brighthire.ai/), [Rescana](../saas-apps/rescana-tutorial.md), [Bluewhale](https://cloud.bluewhale.dk/), [AlacrityLaw](../saas-apps/alacritylaw-tutorial.md), [Equisolve](../saas-apps/equisolve-tutorial.md), [Zip](../saas-apps/zip-tutorial.md), [Cognician](../saas-apps/cognician-tutorial.md), [Acra](https://www.acrasuite.com/), [VaultMe](https://app.vaultme.com/#/signIn), [TAP App Security](../saas-apps/tap-app-security-tutorial.md), [Cavelo Office365 Cloud Connector](https://dashboard.prod.cavelodata.com/), [Clebex](../saas-apps/clebex-tutorial.md), [Banyan Command Center](../saas-apps/banyan-command-center-tutorial.md), [Check Point Remote Access VPN](../saas-apps/check-point-remote-access-vpn-tutorial.md), [LogMeIn](../saas-apps/logmein-tutorial.md)
-
-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest
---
-### Improved Conditional Access Messaging for Android and iOS
-
-**Type:** Changed feature
-**Service category:** Device Registration and Management
-**Product capability:** End User Experiences
-
-We've updated the wording on the Conditional Access screen shown to users when they're blocked from accessing corporate resources. They'll be blocked until they enroll their device in Mobile Device Management. These improvements apply to the Android and iOS/iPadOS platforms. The following have been changed:
--- "Help us keep your device secure" has changed to "Set up your device to get access"-- "Your sign-in was successful but your admin requires your device to be managed by Microsoft to access this resource." to "[Organization's name] requires you to secure this device before you can access [organization's name] email, files, and data." -- "Enroll Now" to "Continue"-
-The information in [Enroll your Android enterprise device](https://support.microsoft.com/topic/enroll-your-android-enterprise-device-d661c82d-fa28-5dfd-b711-6dff41ae83bb) is out of date.
---
-### Azure Information Protection service will begin asking for consent
-
-**Type:** Changed feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-The Azure Information Protection service signs users into the tenant that encrypted the document as part of providing access to the document. Starting June, Azure AD will begin prompting the user for consent when this access is given across organizations. This ensures that the user understands that the organization that owns the document will collect some information about the user as part of the document access. [Learn more](/azure/information-protection/known-issues#sharing-external-doc-types-across-tenants).
-
--
-### Provisioning logs schema change impacting Graph API and Azure Monitor integration
-
-**Type:** Changed feature
-**Service category:** App Provisioning
-**Product capability:** Monitoring & Reporting
-
-The attributes "Action" and "statusInfo" will be changed to "provisioningAction" and "provisoiningStatusInfo." Update any scripts that you have created using the [provisioning logs Graph API](/graph/api/resources/provisioningobjectsummary) or [Azure Monitor integrations](../app-provisioning/application-provisioning-log-analytics.md).
-
--
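Review bot: In the "Provisioning logs schema change" entry, the replacement attribute name is spelled "provisoiningStatusInfo", with two letters transposed. Readers are told to update Graph API and Azure Monitor scripts from this sentence, so a copied name would silently match nothing. If the entry is kept anywhere (an archive page, for instance), check the spelling against the linked provisioningObjectSummary reference and correct it there.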
-### New ARM API to manage PIM for Azure Resources and Azure AD roles
-
-**Type:** Changed feature
-**Service category:** Privileged Identity Management
-**Product capability:** Privileged Identity Management
-
-An updated version of the PIM API for Azure Resource role and Azure AD role has been released. The PIM API for Azure Resource role is now released under the ARM API standard, which aligns with the role management API for regular Azure role assignment. On the other hand, the PIM API for Azure AD roles is also released under graph API aligned with the unifiedRoleManagement APIs. Some of the benefits of this change include:
--- Alignment of the PIM API with objects in ARM and Graph for role managementReducing the need to call PIM to onboard new Azure resources. -- All Azure resources automatically work with new PIM API.-- Reducing the need to call PIM for role definition or keeping a PIM resource ID-- Supporting app-only API permissions in PIM for both Azure AD and Azure Resource roles-
-A previous version of the PIM API under `/privilegedaccess` will continue to function but we recommend you to move to this new API going forward. [Learn more](../privileged-identity-management/pim-apis.md).
-
--
-### Revision of roles in Azure AD entitlement management
-
-**Type:** Changed feature
-**Service category:** Roles
-**Product capability:** Entitlement Management
-
-A new role, Identity Governance Administrator, has recently been introduced. This role will be the replacement for the User Administrator role in managing catalogs and access packages in Azure AD entitlement management. If you have assigned administrators to the User Administrator role or have them activate this role to manage access packages in Azure AD entitlement management, switch to the Identity Governance Administrator role instead. The User Administrator role will no longer be providing administrative rights to catalogs or access packages. [Learn more](../governance/identity-governance-overview.md#appendixleast-privileged-roles-for-managing-in-identity-governance-features).
--
-## April 2021
-
-### Bug fixed - Azure AD will no longer double-encode the state parameter in responses
-
-**Type:** Fixed
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-Azure AD has identified, tested, and released a fix for a bug in the `/authorize` response to a client application. Azure AD was incorrectly URL encoding the `state` parameter twice when sending responses back to the client. This can cause a client application to reject the request, due to a mismatch in state parameters. [Learn more](../develop/reference-breaking-changes.md#bug-fix-azure-ad-will-no-longer-url-encode-the-state-parameter-twice).
---
-### Users can only create security and Microsoft 365 groups in Azure portal being deprecated
-
-**Type:** Plan for change
-**Service category:** Group Management
-**Product capability:** Directory
-
-Users will no longer be limited to create security and Microsoft 365 groups only in the Azure portal. The new setting will allow users to create security groups in the Azure portal, PowerShell, and API. Users will be required to verify and update the new setting. [Learn more](../enterprise-users/groups-self-service-management.md).
---
-### Public preview - External Identities Self-Service Sign-up in Azure AD using Email One-Time Passcode accounts
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-External users can now use Email One-Time Passcode accounts to sign up or sign in to Azure AD 1st party and line-of-business applications. [Learn more](../external-identities/one-time-passcode.md).
---
-### General availability - External Identities Self-Service Sign Up
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-Self-service sign-up for external users is now in general availability. With this new feature, external users can now self-service sign up to an application.
-
-You can create customized experiences for these external users, including collecting information about your users during the registration process and allowing external identity providers like Facebook and Google. You can also integrate with third-party cloud providers for various functionalities like identity verification or approval of users. [Learn more](../external-identities/self-service-sign-up-overview.md).
-
--
-### General availability - Azure AD B2C Phone Sign-up and Sign-in using Built-in Policy
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-B2C Phone Sign-up and Sign-in using a built-in policy enable IT administrators and developers of organizations to allow their end-users to sign in and sign up using a phone number in user flows. With this feature, disclaimer links such as privacy policy and terms of use can be customized and shown on the page before the end-user proceeds to receive the one-time passcode via text message. [Learn more](../../active-directory-b2c/phone-authentication-user-flows.md).
-
--
-### New Federated Apps available in Azure AD Application gallery - April 2021
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In April 2021, we have added following 31 new applications in our App gallery with Federation support
-
-[Zii Travel Azure AD Connect](https://azuremarketplace.microsoft.com/marketplace/apps/aad.ziitravelazureadconnect?tab=Overview), [Cerby](../saas-apps/cerby-tutorial.md), [Selflessly](https://app.selflessly.io/sign-in), [Apollo CX](https://apollo.cxlabs.de/sso/aad), [Pedagoo](https://account.pedagoo.com/), [Measureup](https://account.measureup.com/), [ProcessUnity](../saas-apps/processunity-tutorial.md), [Cisco Intersight](../saas-apps/cisco-intersight-tutorial.md), [Codility](../saas-apps/codility-tutorial.md), [H5mag](https://account.h5mag.com/auth/request-access/ms365), [Check Point Identity Awareness](../saas-apps/check-point-identity-awareness-tutorial.md), [Jarvis](https://jarvis.live/login), [desknet's NEO](../saas-apps/desknets-neo-tutorial.md), [SDS & Chemical Information Management](../saas-apps/sds-chemical-information-management-tutorial.md), [W├║ru App](../saas-apps/wuru-app-tutorial.md), [Holmes](../saas-apps/holmes-tutorial.md), [Telenor](https://www.telenor.no/kundeservice/internett/wifi/administrere-ruter/), [Yooz US](https://us1.getyooz.com/?kc_idp_hint=microsoft), [Mooncamp](https://app.mooncamp.com/#/login), [inwise SSO](https://app.inwise.com/defaultsso.aspx), [Ecolab Digital Solutions](https://ecolabb2c.b2clogin.com/account.ecolab.com/oauth2/v2.0/authorize?p=B2C_1A_Connect_OIDC_SignIn&client_id=01281626-dbed-4405-a430-66457825d361&nonce=defaultNonce&redirect_uri=https://jwt.ms&scope=openid&response_type=id_token&prompt=login), [Taguchi Digital Marketing System](https://login.taguchi.com.au/), [XpressDox EU Cloud](https://test.xpressdox.com/Authentication/Login.aspx), [EZSSH Client](https://portal.ezssh.io/signup), [KPN Grip](https://www.grip-on-it.com/), [AddressLook](https://portal.bbsonlineservices.net/Manage/AddressLook), [Cornerstone Single Sign-On](../saas-apps/cornerstone-ondemand-tutorial.md)
-
-You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest
---
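Review bot: The April 2021 federated apps list has two defects worth fixing if this text is moved rather than deleted. The app name rendered as "W├║ru App" is mis-encoded (its link target is wuru-app-tutorial.md), and the intro sentence says 31 applications were added while the list that follows contains 27 links. The May and March lists match their stated counts of 29 and 37, so the April figure or the list needs reconciling.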
-### New provisioning connectors in the Azure AD Application Gallery - April 2021
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Bentley - Automatic User Provisioning](../saas-apps/bentley-automatic-user-provisioning-tutorial.md)-- [Boxcryptor](../saas-apps/boxcryptor-provisioning-tutorial.md)-- [BrowserStack Single Sign-on](../saas-apps/browserstack-single-sign-on-provisioning-tutorial.md)-- [Eletive](../saas-apps/eletive-provisioning-tutorial.md)-- [Jostle](../saas-apps/jostle-provisioning-tutorial.md)-- [Olfeo SAAS](../saas-apps/olfeo-saas-provisioning-tutorial.md)-- [Proware](../saas-apps/proware-provisioning-tutorial.md)-- [Segment](../saas-apps/segment-provisioning-tutorial.md)-
-For more information about how to better secure your organization with automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
-
--
-### Introducing new versions of page layouts for B2C
-
-**Type:** Changed feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-The [page layouts](../../active-directory-b2c/page-layout.md) for B2C scenarios on the Azure AD B2C has been updated to reduce security risks by introducing the new versions of jQuery and Handlebars JS.
-
--
-### Updates to Sign-in Diagnostic
-
-**Type:** Changed feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-The scenario coverage of the Sign-in Diagnostic tool has increased.
-
-With this update, the following event-related scenarios will now be included in the sign-in diagnosis results:
-- Enterprise Applications configuration problem events.-- Enterprise Applications service provider (application-side) events.-- Incorrect credentials events. -
-These results will show contextual and relevant details about the event and actions to take to resolve these problems. Also, for scenarios where we don't have deep contextual diagnostics, Sign-in Diagnostic will present more descriptive content about the error event.
-
-For more information, see [What is sign-in diagnostic in Azure AD?](../reports-monitoring/overview-sign-in-diagnostics.md)
--
-### Azure AD Connect cloud sync general availability refresh
-**Type:** Changed feature
-**Service category:** Azure AD Connect Cloud Sync
-**Product capability:** Directory
-
-Azure AD connect cloud sync now has an updated agent (version# - 1.1.359). For more details on agent updates, including bug fixes, check out the [version history](../cloud-sync/reference-version-history.md). With the updated agent, cloud sync customers can use GMSA cmdlets to set and reset their gMSA permission at a granular level. In addition that, we've changed the limit of syncing members using group scope filtering from 1499 to 50,000 (50K) members.
-
-Check out the newly available [expression builder](../cloud-sync/how-to-expression-builder.md#deploy-the-expression) for cloud sync, which, helps you build complex expressions and simple expressions when you do transformations of attribute values from AD to Azure AD using attribute mapping.
---
-## March 2021
-
-### Guidance on how to enable support for TLS 1.2 in your environment, in preparation for upcoming Azure AD TLS 1.0/1.1 deprecation
-
-**Type:** Plan for change
-**Service category:** N/A
-**Product capability:** Standards
-
-Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting June 30, 2021:
---- TLS 1.0-- TLS 1.1-- 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)-
-Affected environments include:
--- Azure Commercial Cloud-- Office 365 GCC and WW-
-For more information, see [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment).
---
-### Public preview - Azure AD Entitlement management now supports multi-geo SharePoint Online
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** Entitlement Management
-
-For organizations using multi-geo SharePoint Online, you can now include sites from specific multi-geo environments to your Entitlement management access packages. [Learn more](../governance/entitlement-management-catalog-create.md#add-a-multi-geo-sharepoint-site).
---
-### Public preview - Restore deleted apps from App registrations
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** Developer Experience
-
-Customers can now view, restore, and permanently remove deleted app registrations from the Azure portal. This applies only to applications associated to a directory, not applications from a personal Microsoft account. [Learn more](../develop/howto-restore-app.md).
-
--
-### Public preview - New "User action" in Conditional Access for registering or joining devices
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
- A new user action called "Register or join devices" in Conditional access is available. This user action allows you to control Azure Active Directory Multi-Factor Authentication (MFA) policies for Azure AD device registration.
-
-Currently, this user action only allows you to enable Azure AD MFA as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration are disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions).
-
--
-### Public preview - Optimize connector groups to use the closest Application Proxy cloud service
-
-**Type:** New feature
-**Service category:** App Proxy
-**Product capability:** Access Control
-
-With this new capability, connector groups can be assigned to the closest regional Application Proxy service an application is hosted in. This can improve app performance in scenarios where apps are hosted in regions other than the home tenant's region. [Learn more](../app-proxy/application-proxy-network-topology.md#optimize-connector-groups-to-use-closest-application-proxy-cloud-service).
-
--
-### Public preview - External Identities Self-Service Sign up in Azure AD using Email One-Time Passcode accounts
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-External users will now be able to use Email One-Time Passcode accounts to sign up in to Azure AD 1st party and LOB apps. [Learn more](../external-identities/one-time-passcode.md).
---
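Review bot: This March 2021 entry, "Public preview - External Identities Self-Service Sign up in Azure AD using Email One-Time Passcode accounts", duplicates the April 2021 entry with the same title and the same one-time-passcode.md link, and its body reads "sign up in to" where the April wording is "sign up or sign in to". If the content is being carried over to another page, keep one of the two and use the April wording; otherwise readers cannot tell in which month the preview started.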
-### Public preview - Availability of AD FS sign-ins in Azure AD
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** Monitoring & Reporting
-
-AD FS sign-in activity can now be integrated with Azure AD activity reporting, providing a unified view of hybrid identity infrastructure. Using the Azure AD sign-ins report, Log Analytics, and Azure Monitor Workbooks, it's possible to do in-depth analysis for both Azure AD and AD FS sign-in scenarios such as AD FS account lockouts, bad password attempts, and spikes of unexpected sign-in attempts.
-
-To learn more, visit [AD FS sign-ins in Azure AD with Connect Health](../hybrid/how-to-connect-health-ad-fs-sign-in.md).
---
-### General availability - Staged rollout to cloud authentication
-
-**Type:** New feature
-**Service category:** AD Connect
-**Product capability:** User Authentication
-
-Staged rollout to cloud authentication is now generally available. The staged rollout feature allows you to selectively test groups of users with cloud authentication methods, such as Passthrough Authentication (PTA) or Password Hash Sync (PHS). Meanwhile, all other users in the federated domains continue to use federation services, such as AD FS or any other federation services to authenticate users. [Learn more](../hybrid/how-to-connect-staged-rollout.md).
---
-### General availability - User Type attribute can now be updated in the Azure admin portal
-
-**Type:** New feature
-**Service category:** User Experience and Management
-**Product capability:** User Management
-
-Customers can now update the user type of Azure AD users when they update their user profile information from the Azure admin portal. The user type can be updated from Microsoft Graph also. To learn more, see [Add or update user profile information](active-directory-users-profile-azure-portal.md).
-
--
-### General availability - Replica Sets for Azure Active Directory Domain Services
-
-**Type:** New feature
-**Service category:** Azure AD Domain Services
-**Product capability:** Azure AD Domain Services
-
-The capability of replica sets in Azure AD DS is now generally available. [Learn more](../../active-directory-domain-services/concepts-replica-sets.md).
-
--
-### General availability - Collaborate with your partners using Email One-Time Passcode in the Azure Government cloud
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-Organizations in the Microsoft Azure Government cloud can now enable their guests to redeem invitations with Email One-Time Passcode. This ensures that any guest users with no Azure AD, Microsoft, or Gmail accounts in the Azure Government cloud can still collaborate with their partners by requesting and entering a temporary code to sign in to shared resources. [Learn more](../external-identities/one-time-passcode.md).
---
-### New Federated Apps available in Azure AD Application gallery - March 2021
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In March 2021 we have added following 37 new applications in our App gallery with Federation support:
-
-[Bambuser Live Video Shopping](https://lcx.bambuser.com/), [DeepDyve Inc](https://www.deepdyve.com/azure-sso), [Moqups](../saas-apps/moqups-tutorial.md), [RICOH Spaces Mobile](https://ricohspaces.app/welcome), [Flipgrid](https://auth.flipgrid.com/), [hCaptcha Enterprise](../saas-apps/hcaptcha-enterprise-tutorial.md), [SchoolStream ASA](https://www.ssk12.com/), [TransPerfect GlobalLink Dashboard](../saas-apps/transperfect-globallink-dashboard-tutorial.md), [SimplificaCI](https://app.simplificaci.com.br/), [Thrive LXP](../saas-apps/thrive-lxp-tutorial.md), [Lexonis TalentScape](../saas-apps/lexonis-talentscape-tutorial.md), [Exium](../saas-apps/exium-tutorial.md), [Sapient](../saas-apps/sapient-tutorial.md), [TrueChoice](../saas-apps/truechoice-tutorial.md), [RICOH Spaces](https://ricohspaces.app/welcome), [Saba Cloud](../saas-apps/learning-at-work-tutorial.md), [Acunetix 360](../saas-apps/acunetix-360-tutorial.md), [Exceed.ai](../saas-apps/exceed-ai-tutorial.md), [GitHub Enterprise Managed User](../saas-apps/github-enterprise-managed-user-tutorial.md), [Enterprise Vault.cloud for Outlook](https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile%20User.Read&client_id=7176efe5-e954-4aed-b5c8-f5c85a980d3a&nonce=4b9e1981-1bcb-4938-a283-86f6931dc8cb), [Smartlook](../saas-apps/smartlook-tutorial.md), [Accenture Academy](../saas-apps/accenture-academy-tutorial.md), [Onshape](../saas-apps/onshape-tutorial.md), [Tradeshift](../saas-apps/tradeshift-tutorial.md), [JuriBlox](../saas-apps/juriblox-tutorial.md), [SecurityStudio](../saas-apps/securitystudio-tutorial.md), [ClicData](https://app.clicdata.com/), [Evergreen](../saas-apps/evergreen-tutorial.md), [Patchdeck](https://patchdeck.com/ad_auth/authenticate/), [FAX.PLUS](../saas-apps/fax-plus-tutorial.md), [ValidSign](../saas-apps/validsign-tutorial.md), [AWS Single Sign-on](../saas-apps/aws-single-sign-on-tutorial.md), [Nura Space](https://dashboard.nuraspace.com/login), 
[Broadcom DX SaaS](../saas-apps/broadcom-dx-saas-tutorial.md), [Interplay Learning](https://skilledtrades.interplaylearning.com/#login), [SendPro Enterprise](../saas-apps/sendpro-enterprise-tutorial.md), [FortiSASE SIA](../saas-apps/fortisase-sia-tutorial.md)
-
-You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest
---
-### New provisioning connectors in the Azure AD Application Gallery - March 2021
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [AWS Single Sign-on](../saas-apps/aws-single-sign-on-provisioning-tutorial.md)-- [Bpanda](../saas-apps/bpanda-provisioning-tutorial.md)-- [Britive](../saas-apps/britive-provisioning-tutorial.md)-- [GitHub Enterprise Managed User](../saas-apps/github-enterprise-managed-user-provisioning-tutorial.md)-- [Grammarly](../saas-apps/grammarly-provisioning-tutorial.md)-- [LogicGate](../saas-apps/logicgate-provisioning-tutorial.md)-- [SecureLogin](../saas-apps/secure-login-provisioning-tutorial.md)-- [TravelPerk](../saas-apps/travelperk-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
-
--
-### Introducing MS Graph API for Company Branding
-
-**Type:** Changed feature
-**Service category:** MS Graph
-**Product capability:** B2B/B2C
-
-[MS Graph API for the Company Branding](/graph/api/resources/organizationalbrandingproperties) is available for the Azure AD or Microsoft 365 sign-in experience to allow the management of the branding parameters programmatically.
---
-### General availability - Header-based authentication SSO with Application Proxy
-
-**Type:** Changed feature
-**Service category:** App Proxy
-**Product capability:** Access Control
-
-Azure AD Application Proxy native support for header-based authentication is now in general availability. With this feature, you can configure the user attributes required as HTTP headers for the application without additional components needed to deploy. [Learn more](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md).
---
-### Two-way SMS for MFA Server is no longer supported
-
-**Type:** Deprecated
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-
-Two-way SMS for MFA Server was originally deprecated in 2018, and won't be supported after February 24, 2021. Administrators should enable another method for users who still use two-way SMS.
-
-Email notifications and Azure portal Service Health notifications were sent to affected admins on December 8, 2020 and January 28, 2021. The alerts went to the Owner, Co-Owner, Admin, and Service Admin RBAC roles tied to the subscriptions. [Learn more](../authentication/how-to-authentication-two-way-sms-unsupported.md).
-
-
-
-## February 2021
-
-### Email one-time passcode authentication on by default starting October 2021
-
-**Type:** Plan for change
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-Starting October 31, 2021, Microsoft Azure Active Directory [email one-time passcode authentication](../external-identities/one-time-passcode.md) will become the default method for inviting accounts and tenants for B2B collaboration scenarios. At this time, Microsoft will no longer allow the redemption of invitations using unmanaged Azure Active Directory accounts.
---
-### Unrequested but consented permissions will no longer be added to tokens if they would trigger Conditional Access
-
-**Type:** Plan for change
-**Service category:** Authentications (Logins)
-**Product capability:** Platform
-
-Currently, applications using [dynamic permissions](../develop/v2-permissions-and-consent.md#requesting-individual-user-consent) are given all of the permissions they're consented to access. This includes applications that are unrequested and even if they trigger conditional access. For example, this can cause an app requesting only `user.read` that also has consent for `files.read`, to be forced to pass the Conditional Access assigned for the `files.read` permission.
-
-To reduce the number of unnecessary Conditional Access prompts, Azure AD is changing the way that unrequested scopes are provided to applications. Apps will only trigger conditional access for permission they explicitly request. For more information, read [What's new in authentication](../develop/reference-breaking-changes.md#conditional-access-will-only-trigger-for-explicitly-requested-scopes).
-
-
-
-### Public preview - Use a Temporary Access Pass to register Passwordless credentials
-
-**Type:** New feature
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-Temporary Access Pass is a time-limited passcode that serves as strong credentials and allows onboarding of Passwordless credentials and recovery when a user has lost or forgotten their strong authentication factor (for example, FIDO2 security key or Microsoft Authenticator) app and needs to sign in to register new strong authentication methods. [Learn more](../authentication/howto-authentication-temporary-access-pass.md).
---
-### Public preview - Keep me signed in (KMSI) in next generation of user flows
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-The next generation of B2C user flows now supports the [keep me signed in (KMSI)](../../active-directory-b2c/session-behavior.md?pivots=b2c-custom-policy#enable-keep-me-signed-in-kmsi) functionality that allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie. feature keeps the session active even when the user closes and reopens the browser, and is revoked when the user signs out.
---
-### Public preview - Reset redemption status for a guest user
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-Customers can now reinvite existing external guest users to reset their redemption status, which allows the guest user account to remain without them losing any access. [Learn more](../external-identities/reset-redemption-status.md).
-
--
-### Public preview - /synchronization (provisioning) APIs now support application permissions
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-Customers can now use application.readwrite.ownedby as an application permission to call the synchronization APIs. Note this is only supported for provisioning from Azure AD out into third-party applications (for example, AWS, Data Bricks, etc.). It's currently not supported for HR-provisioning (Workday / Successfactors) or Cloud Sync (AD to Azure AD). [Learn more](/graph/api/resources/provisioningobjectsummary).
-
--
-### General availability - Authentication Policy Administrator built-in role
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-Users with this role can configure the authentication methods policy, tenant-wide MFA settings, and password protection policy. This role grants permission to manage Password Protection settings: smart lockout configurations and updating the custom banned passwords list. [Learn more](../roles/permissions-reference.md#authentication-policy-administrator).
---
-### General availability - User collections on My Apps are available now!
-
-**Type:** New feature
-**Service category:** My Apps
-**Product capability:** End User Experiences
-
-Users can now create their own groupings of apps on the My Apps app launcher. They can also reorder and hide collections shared with them by their administrator. [Learn more](../user-help/my-apps-portal-user-collections.md).
---
-### General availability - Autofill in Authenticator
-
-**Type:** New feature
-**Service category:** Microsoft Authenticator App
-**Product capability:** Identity Security & Protection
-
-Microsoft Authenticator provides multifactor authentication and account management capabilities, and now also will autofill passwords on sites and apps users visit on their mobile (iOS and Android).
-
-To use autofill on Authenticator, users need to add their personal Microsoft account to Authenticator and use it to sync their passwords. Work or school accounts can't be used to sync passwords at this time. [Learn more](../user-help/user-help-auth-app-faq.md#autofill-for-it-admins).
---
-### General availability - Invite internal users to B2B collaboration
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-Customers can now invite internal guests to use B2B collaboration instead of sending an invitation to an existing internal account. This allows customers to keep that user's object ID, UPN, group memberships, and app assignments. [Learn more](../external-identities/invite-internal-users.md).
---
-### General availability - Domain Name Administrator built-in role
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-Users with this role can manage (read, add, verify, update, and delete) domain names. They can also read directory information about users, groups, and applications, as these objects have domain dependencies.
-
-For on-premises environments, users with this role can configure domain names for federation so that associated users are always authenticated on-premises. These users can then sign into Azure AD-based services with their on-premises passwords via single sign-on. Federation settings need to be synced via Azure AD Connect, so users also have permissions to manage Azure AD Connect. [Learn more](../roles/permissions-reference.md#domain-name-administrator).
-
--
-### New Federated Apps available in Azure AD Application gallery - February 2021
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In February 2021 we have added following 37 new applications in our App gallery with Federation support:
-
-[Loop Messenger Extension](https://loopworks.com/loop-flow-messenger/), [Silverfort Azure AD Adapter](http://www.silverfort.com/), [Interplay Learning](https://skilledtrades.interplaylearning.com/#login), [Nura Space](https://dashboard.nuraspace.com/login), [Yooz EU](https://eu1.getyooz.com/?kc_idp_hint=microsoft), [UXPressia](https://uxpressia.com/users/sign-in), [introDus Pre- and Onboarding Platform](http://app.introdus.dk/login), [Happybot](https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=34353e1e-dfe5-4d2f-bb09-2a5e376270c8&response_type=code&redirect_uri=https://api.happyteams.io/microsoft/integrate&response_mode=query&scope=offline_access%20User.Read%20User.Read.All), [LeaksID](https://leaksid.com/), [ShiftWizard](http://www.shiftwizard.com/), [PingFlow SSO](https://app.pingview.io/), [Swiftlane](https://admin.swiftlane.com/login), [Quasydoc SSO](https://www.quasydoc.eu/login), [Fenwick Gold Account](https://businesscentral.dynamics.com/), [SeamlessDesk](https://www.seamlessdesk.com/login), [Learnsoft LMS & TMS](http://www.learnsoft.com/), [P-TH+](https://p-th.jp/), [myViewBoard](https://api.myviewboard.com/auth/microsoft/), [Tartabit IoT Bridge](https://bridge-us.tartabit.com/), [AKASHI](../saas-apps/akashi-tutorial.md), [Rewatch](../saas-apps/rewatch-tutorial.md), [Zuddl](../saas-apps/zuddl-tutorial.md), [Parkalot - Car park management](../saas-apps/parkalot-car-park-management-tutorial.md), [HSB ThoughtSpot](../saas-apps/hsb-thoughtspot-tutorial.md), [IBMid](../saas-apps/ibmid-tutorial.md), [SharingCloud](../saas-apps/sharingcloud-tutorial.md), [PoolParty Semantic Suite](../saas-apps/poolparty-semantic-suite-tutorial.md), [GlobeSmart](../saas-apps/globesmart-tutorial.md), [Samsung Knox and Business Services](../saas-apps/samsung-knox-and-business-services-tutorial.md), [Penji](../saas-apps/penji-tutorial.md), [Kendis- Scaling Agile Platform](../saas-apps/kendis-scaling-agile-platform-tutorial.md), 
[Maptician](../saas-apps/maptician-tutorial.md), [Olfeo SAAS](../saas-apps/olfeo-saas-tutorial.md), [Sigma Computing](../saas-apps/sigma-computing-tutorial.md), [CloudKnox Permissions Management Platform](../saas-apps/cloudknox-permissions-management-platform-tutorial.md), [Klaxoon SAML](../saas-apps/klaxoon-saml-tutorial.md), [Enablon](../saas-apps/enablon-tutorial.md)
-
-You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest
-
-
-
-### New provisioning connectors in the Azure AD Application Gallery - February 2021
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Atea](../saas-apps/atea-provisioning-tutorial.md)-- [Getabstract](../saas-apps/getabstract-provisioning-tutorial.md)-- [HelloID](../saas-apps/helloid-provisioning-tutorial.md)-- [Hoxhunt](../saas-apps/hoxhunt-provisioning-tutorial.md)-- [Iris Intranet](../saas-apps/iris-intranet-provisioning-tutorial.md)-- [Preciate](../saas-apps/preciate-provisioning-tutorial.md)-
-For more information, read [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
---
-### General availability - 10 Azure Active Directory roles now renamed
-
-**Type:** Changed feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-10 Azure AD built-in roles have been renamed so that they're aligned across the [Microsoft 365 admin center](/microsoft-365/admin/microsoft-365-admin-center-preview), [Azure portal](https://portal.azure.com/), and [Microsoft Graph](https://developer.microsoft.com/graph/). To learn more about the new roles, refer to [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#all-roles).
-
-![Table showing role names in MS Graph API and the Azure portal, and the proposed final name across API, Azure portal, and Mac.](media/whats-new/roles-table-rbac.png)
---
-### New Company Branding in multifactor authentication (MFA)/SSPR Combined Registration
-
-**Type:** Changed feature
-**Service category:** User Experience and Management
-**Product capability:** End User Experiences
-
-In the past, company logos weren't used on Azure Active Directory sign-in pages. Company branding is now located to the top left of multifactor authentication (MFA)/SSPR Combined Registration. Company branding is also included on My sign-ins and the Security Info page. [Learn more](../fundamentals/customize-branding.md).
---
-### General availability - Second level manager can be set as alternate approver
-
-**Type:** Changed feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you'll have another option, "Second level manager as alternate approver", available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. [Learn more](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers).
-
--
-### Authentication Methods Activity Dashboard
-
-**Type:** Changed feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-
-The refreshed Authentication Methods Activity dashboard gives admins an overview of authentication method registration and usage activity in their tenant. The report summarizes the number of users registered for each method, and also which methods are used during sign-in and password reset. [Learn more](../authentication/howto-authentication-methods-activity.md).
-
--
-### Refresh and session token lifetimes configurability in Configurable Token Lifetime (CTL) are retired
-
-**Type:** Deprecated
-**Service category:** Other
-**Product capability:** User Authentication
-
-Refresh and session token lifetimes configurability in CTL are retired. Azure Active Directory no longer honors refresh and session token configuration in existing policies. [Learn more](../develop/configurable-token-lifetimes.md#token-lifetime-policies-for-refresh-tokens-and-session-tokens).
-
--
-## January 2021
-
-### Secret token will be a mandatory field when configuring provisioning
-
-**Type:** Plan for change
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-In the past, the secret token field could be kept empty when setting up provisioning on the custom / BYOA application. This function was intended to solely be used for testing. We'll update the UI to make the field required.
-
-Customers can work around this requirement for testing purposes by using a feature flag in the browser URL. [Learn more](../app-provisioning/use-scim-to-provision-users-and-groups.md#authorization-to-provisioning-connectors-in-the-application-gallery).
-
--
-### Public Preview - Customize and configure Android shared devices for frontline workers at scale
-
-**Type:** New feature
-**Service category:** Device Registration and Management
-**Product capability:** Identity Security & Protection
-
-Azure AD and Microsoft Intune teams have combined to bring the capability to customize, scale, and secure your frontline worker devices.
-
-The following preview capabilities will allow you to:
-- Provision Android shared devices at scale with Microsoft Intune-- Secure your access for shift workers using device-based conditional access-- Customize sign-in experiences for the shift workers with Managed Home Screen-
-To learn more, refer to [Customize and configure shared devices for frontline workers at scale](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/customize-and-configure-shared-devices-for-firstline-workers-at/ba-p/1751708).
---
-### Public preview - Provisioning logs can now be downloaded as a CSV or JSON
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-Customers can download the provisioning logs as a CSV or JSON file through the UI and via graph API. To learn more, refer to [Provisioning reports in the Azure portal](../reports-monitoring/concept-provisioning-logs.md).
---
-### Public preview - Assign cloud groups to Azure AD custom roles and admin unit scoped roles
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-Customers can assign a cloud group to Azure AD custom roles or an admin unit scoped role. To learn how to use this feature, refer to [Use cloud groups to manage role assignments in Azure Active Directory](../roles/groups-concept.md).
---
-### General Availability - Azure AD Connect cloud sync (previously known as cloud provisioning)
-
-**Type:** New feature
-**Service category:** Azure AD Connect cloud sync
-**Product capability:** Identity Lifecycle Management
-
-Azure AD Connect cloud sync is now generally available to all customers.
-
-Azure AD Connect cloud moves the heavy lifting of transform logic to the cloud, reducing your on-premises footprint. Additionally, multiple light-weight agent deployments are available for higher sync availability. [Learn more](https://aka.ms/cloudsyncGA).
-
-
-### General Availability - Attack Simulation Administrator and Attack Payload Author built-in roles
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-Two new roles in Role-Based Access Control are available to assign to users, Attack simulation Administrator and Attack Payload author.
-
-Users in the [Attack Simulation Administrator](../roles/permissions-reference.md#attack-simulation-administrator) role have access for all simulations in the tenant and can:
-- create and manage all aspects of attack simulation creation-- launch/scheduling of a simulation-- review simulation results. -
-Users in the [Attack Payload Author](../roles/permissions-reference.md#attack-payload-author) role can create attack payloads but not actually launch or schedule them. Attack payloads are then available to all administrators in the tenant who can use them to create a simulation.
---
-### General Availability - Usage Summary Reports Reader built-in role
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-Users with the Usage Summary Reports Reader role can access tenant level aggregated data and associated insights in Microsoft 365 Admin Center for Usage and Productivity Score. However, they can't access any user level details or insights.
-
-In the Microsoft 365 Admin Center for the two reports, we differentiate between tenant level aggregated data and user level details. This role adds an extra layer of protection to individual user identifiable data. [Learn more](../roles/permissions-reference.md#usage-summary-reports-reader).
---
-### General availability - Require App protection policy grant in Azure AD Conditional Access
-
-**Type:** New Feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-Azure AD Conditional Access grant for "Require App Protection policy" is now GA.
-
-The policy provides the following capabilities:
-- Allows access only when using a mobile application that supports Intune App protection-- Allows access only when a user has an Intune app protection policy delivered to the mobile application-
-Learn more on how to set up a conditional access policy for app protection [here](../conditional-access/app-protection-based-conditional-access.md).
-
--
-### General availability - Email One-Time Passcode
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-Email OTP enables organizations around the world to collaborate with anyone by sending a link or invitation via email. Invited users can verify their identity with the one-time passcode sent to their email to access their partner's resources. [Learn more](../external-identities/one-time-passcode.md).
-
--
- ### New provisioning connectors in the Azure AD Application Gallery - January 2021
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
-- [Fortes Change Cloud](../saas-apps/fortes-change-cloud-provisioning-tutorial.md)-- [Gtmhub](../saas-apps/gtmhub-provisioning-tutorial.md)-- [monday.com](../saas-apps/mondaycom-provisioning-tutorial.md)-- [Splashtop](../saas-apps/splashtop-provisioning-tutorial.md)-- [Templafy OpenID Connect](../saas-apps/templafy-openid-connect-provisioning-tutorial.md)-- [WEDO](../saas-apps/wedo-provisioning-tutorial.md)-
-For more information, see [What is automated SaaS app user provisioning in Azure AD?](../app-provisioning/user-provisioning.md)
---
-### New Federated Apps available in Azure AD Application gallery - January 2021
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In January 2021 we have added following 29 new applications in our App gallery with Federation support:
-
-[mySCView](https://www.myscview.com/), [Talentech](https://talentech.com/contact/), [Bipsync](https://www.bipsync.com/), [OroTimesheet](https://app.orotimesheet.com/login.php), [Mio](https://app.m.io/auth/install/microsoft?scopetype=hub), Sovelto Easy, [Supportbench](https://account.supportbench.net/agent/login/),[Bienvenue Formation](https://formation.bienvenue.pro/login), [AIDA Healthcare SSO](https://aidaforparents.com/login/organizations), [International SOS Assistance Products](../saas-apps/international-sos-assistance-products-tutorial.md), [NAVEX One](../saas-apps/navex-one-tutorial.md), [LabLog](../saas-apps/lablog-tutorial.md), [Oktopost SAML](../saas-apps/oktopost-saml-tutorial.md), [EPHOTO DAM](../saas-apps/ephoto-dam-tutorial.md), [Notion](../saas-apps/notion-tutorial.md), [Syndio](../saas-apps/syndio-tutorial.md), [Yello Enterprise](../saas-apps/yello-enterprise-tutorial.md), [Timeclock 365 SAML](../saas-apps/timeclock-365-saml-tutorial.md), [Nalco E-data](https://www.ecolab.com/), [Vacancy Filler](https://app.vacancy-filler.co.uk/VFMVC/Account/Login), [Synerise AI Growth Ecosystem](../saas-apps/synerise-ai-growth-ecosystem-tutorial.md), [Imperva Data Security](../saas-apps/imperva-data-security-tutorial.md), [Illusive Networks](../saas-apps/illusive-networks-tutorial.md), [Proware](../saas-apps/proware-tutorial.md), [Splan Visitor](../saas-apps/splan-visitor-tutorial.md), [Aruba User Experience Insight](../saas-apps/aruba-user-experience-insight-tutorial.md), [Contentsquare SSO](../saas-apps/contentsquare-sso-tutorial.md), [Perimeter 81](../saas-apps/perimeter-81-tutorial.md), [Burp Suite Enterprise Edition](../saas-apps/burp-suite-enterprise-edition-tutorial.md)
-
-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest
---
-### Public preview - Second level manager can be set as alternate approver
-
-**Type:** Changed feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you'll have another option, "Second level manager as alternate approver", available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. [Learn more](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers)
-
--
-### General availability - Navigate to Teams directly from My Access portal
-
-**Type:** Changed feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-You can now launch Teams directly from the My Access portal.
-
-To do so, sign-in to My Access (https://myaccess.microsoft.com/), navigate to "Access packages", then go to the "Active" tab to see all of the access packages you already have access to. When you expand the selected access package and hover on Teams, you can launch it by clicking on the "Open" button. [Learn more](../governance/entitlement-management-request-access.md).
-
--
-### Improved Logging & End-User Prompts for Risky Guest Users
-
-**Type:** Changed feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-
-The Logging and End-User Prompts for Risky Guest Users have been updated. Learn more in [Identity Protection and B2B users](../identity-protection/concept-identity-protection-b2b.md).
-
--
-## December 2020
-
-### Public preview - Azure AD B2C Phone Sign-up and Sign-in using Built-in Policy
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-B2C Phone Sign-up and Sign-in using Built-in Policy enable IT administrators and developers of organizations to allow their end-users to sign in and sign up using a phone number in user flows. Read [Set up phone sign-up and sign-in for user flows (preview)](../../active-directory-b2c/phone-authentication-user-flows.md) to learn more.
---
-### General Availability - Security Defaults now enabled for all new tenants by default
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** Identity Security & Protection
-
-To protect user accounts, all new tenants created on or after November 12, 2020, will come with Security Defaults enabled. Security Defaults enforces multiple policies including:
-- Requires all users and admins to register for multifactor authentication (MFA) using the Microsoft Authenticator App-- Requires critical admin roles to use multifactor authentication (MFA) every single time they sign-in. All other users will be prompted for multifactor authentication (MFA) whenever necessary. -- Legacy authentication will be blocked tenant wide. -
-For more information, read [What are security defaults?](../fundamentals/concept-fundamentals-security-defaults.md)
---
-### General availability - Support for groups with up to 250K members in AADConnect
-
-**Type:** Changed feature
-**Service category:** AD Connect
-**Product capability:** Identity Lifecycle Management
-
-Microsoft has deployed a new endpoint (API) for Azure AD Connect that improves the performance of the synchronization service operations to Azure Active Directory. When you use the new [V2 endpoint](../hybrid/how-to-connect-sync-endpoint-api-v2.md), you'll experience noticeable performance gains on export and import to Azure AD. This new endpoint supports the following scenarios:
--- Syncing groups with up to 250k members-- Performance gains on export and import to Azure AD---
-### General availability - Entitlement Management available for tenants in Azure China cloud
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-
-The capabilities of Entitlement Management are now available for all tenants in the Azure China cloud. For information, visit our [Identity governance documentation](https://docs.azure.cn/zh-cn/active-directory/governance/) site.
---
-### New provisioning connectors in the Azure AD Application Gallery - December 2020
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Bizagi Studio for Digital Process Automation](../saas-apps/bizagi-studio-for-digital-process-automation-provisioning-tutorial.md)-- [CybSafe](../saas-apps/cybsafe-provisioning-tutorial.md)-- [GroupTalk](../saas-apps/grouptalk-provisioning-tutorial.md)-- [PaperCut Cloud Print Management](../saas-apps/papercut-cloud-print-management-provisioning-tutorial.md)-- [Parsable](../saas-apps/parsable-provisioning-tutorial.md)-- [Shopify Plus](../saas-apps/shopify-plus-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
-
--
-### New Federated Apps available in Azure AD Application gallery - December 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In December 2020 we have added following 18 new applications in our App gallery with Federation support:
-
-[AwareGo](../saas-apps/awarego-tutorial.md), [HowNow SSO](https://gethownow.com/), [ZyLAB ONE Legal Hold](https://www.zylab.com/en/product/legal-hold), [Guider](http://www.guider-ai.com/), [Softcrisis](https://www.softcrisis.se/sv/), [Pims 365](https://www.omega365.com/products/omega-pims), [InformaCast](../saas-apps/informacast-tutorial.md), [RetrieverMediaDatabase](../saas-apps/retrievermediadatabase-tutorial.md), [vonage](../saas-apps/vonage-tutorial.md), [Count Me In - Operations Dashboard](../saas-apps/count-me-in-operations-dashboard-tutorial.md), [ProProfs Knowledge Base](../saas-apps/proprofs-knowledge-base-tutorial.md), [RightCrowd Workforce Management](../saas-apps/rightcrowd-workforce-management-tutorial.md), [JLL TRIRIGA](../saas-apps/jll-tririga-tutorial.md), [Shutterstock](../saas-apps/shutterstock-tutorial.md), [FortiWeb Web Application Firewall](../saas-apps/linkedin-talent-solutions-tutorial.md), [LinkedIn Talent Solutions](../saas-apps/linkedin-talent-solutions-tutorial.md), [Equinix Federation App](../saas-apps/equinix-federation-app-tutorial.md), [KFAdvance](../saas-apps/kfadvance-tutorial.md)
-
-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest
---
-### Navigate to Teams directly from My Access portal
-
-**Type:** Changed feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-You can now launch Teams directly from My Access portal. To do so, sign-in to [My Access](https://myaccess.microsoft.com/), navigate to **Access packages**, then go to the **Active** Tab to see all access packages you already have access to. When you expand the access package and hover on Teams, you can launch it by clicking on the **Open** button.
-
-To learn more about using the My Access portal, go to [Request access to an access package in Azure AD entitlement management](../governance/entitlement-management-request-access.md#sign-in-to-the-my-access-portal).
---
-### Public preview - Second level manager can be set as alternate approver
-
-**Type:** Changed feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-An extra option is now available in the approval process in Entitlement Management. If you select Manager as approver for the First Approver, you'll have another option, Second level manager as alternate approver, available to choose in the alternate approver field. When you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager.
-
-For more information, go to [Change approval settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers).
---
-## November 2020
-
-### Azure Active Directory TLS 1.0, TLS 1.1, and 3DES deprecation
-
-**Type:** Plan for change
-**Service category:** All Azure AD applications
-**Product capability:** Standards
-
-Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting June 30, 2021:
--- TLS 1.0-- TLS 1.1-- 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)-
-Affected environments are:
-- Azure Commercial Cloud-- Office 365 GCC and WW-
-For guidance to remove deprecating protocols dependencies, please refer to [EEnable support for TLS 1.2 in your environment, in preparation for upcoming Azure AD TLS 1.0/1.1 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment).
---
-### New Federated Apps available in Azure AD Application gallery - November 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In November 2020 we have added following 52 new applications in our App gallery with Federation support:
-
-[Travel & Expense Management](https://app.expenseonce.com/Account/Login), [Tribeloo](../saas-apps/tribeloo-tutorial.md), [Itslearning File Picker](https://pmteam.itslearning.com/), [Crises Control](../saas-apps/crises-control-tutorial.md), [CourtAlert](https://www.courtalert.com/), [StealthMail](https://stealthmail.com/), [Edmentum - Study Island](https://app.studyisland.com/cfw/login/), [Virtual Risk Manager](../saas-apps/virtual-risk-manager-tutorial.md), [TIMU](../saas-apps/timu-tutorial.md), [Looker Analytics Platform](../saas-apps/looker-analytics-platform-tutorial.md), [Talview - Recruit](https://recruit.talview.com/login), Real Time Translator, [Klaxoon](https://access.klaxoon.com/login), [Podbean](../saas-apps/podbean-tutorial.md), [zcal](https://zcal.co/signup), [expensemanager](https://api.expense-manager.com/), [En-trak Tenant Experience Platform](https://portal.en-trak.app/), [Appian](../saas-apps/appian-tutorial.md), [Panorays](../saas-apps/panorays-tutorial.md), [Builterra](https://portal.builterra.com/), [EVA Check-in](https://my.evacheckin.com/organization), [HowNow WebApp SSO](../saas-apps/hownow-webapp-sso-tutorial.md), [Coupa Risk Assess](../saas-apps/coupa-risk-assess-tutorial.md), [Lucid (All Products)](../saas-apps/lucid-tutorial.md), [GoBright](https://portal.brightbooking.eu/), [SailPoint IdentityNow](../saas-apps/sailpoint-identitynow-tutorial.md),[Resource Central](../saas-apps/resource-central-tutorial.md), [UiPathStudioO365App](https://www.uipath.com/product/platform), [Jedox](../saas-apps/jedox-tutorial.md), [Cequence Application Security](../saas-apps/cequence-application-security-tutorial.md), [PerimeterX](../saas-apps/perimeterx-tutorial.md), [TrendMiner](../saas-apps/trendminer-tutorial.md), [Lexion](../saas-apps/lexion-tutorial.md), [WorkWare](../saas-apps/workware-tutorial.md), [ProdPad](../saas-apps/prodpad-tutorial.md), [AWS ClientVPN](../saas-apps/aws-clientvpn-tutorial.md), [AppSec Flow 
SSO](../saas-apps/appsec-flow-sso-tutorial.md), [Luum](../saas-apps/luum-tutorial.md), [Freight Measure](https://www.gpcsl.com/freight.html), [Terraform Cloud](../saas-apps/terraform-cloud-tutorial.md), [Nature Research](../saas-apps/nature-research-tutorial.md), [Play Digital Signage](https://login.playsignage.com/login), [RemotePC](../saas-apps/remotepc-tutorial.md), [Prolorus](../saas-apps/prolorus-tutorial.md), [Hirebridge ATS](../saas-apps/hirebridge-ats-tutorial.md), [Teamgage](https://teamgage.com), [Roadmunk](../saas-apps/roadmunk-tutorial.md), [Sunrise Software Relations CRM](https://cloud.relations-crm.com/), [Procaire](../saas-apps/procaire-tutorial.md), [Mentor&reg; by eDriving: Business](https://www.edriving.com/), [Gradle Enterprise](https://gradle.com/)
-
-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest
---
-### Public preview - Custom roles for enterprise apps
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
- [Custom RBAC roles for delegated enterprise application management](../roles/custom-available-permissions.md) is now in public preview. These new permissions build on the custom roles for app registration management, which allows fine-grained control over what access your admins have. Over time, additional permissions to delegate management of Azure AD will be released.
-
-Some common delegation scenarios:
-- assignment of user and groups that can access SAML based single sign-on applications-- the creation of Azure AD Gallery applications-- update and read of basic SAML Configurations for SAML based single sign-on applications-- management of signing certificates for SAML based single sign-on applications-- update of expiring sign-in certificates notification email addresses for SAML based single sign-on applications-- update of the SAML token signature and sign-in algorithm for SAML based single sign-on applications-- create, delete, and update of user attributes and claims for SAML-based single sign-on applications-- ability to turn on, off, and restart provisioning jobs-- updates to attribute mapping-- ability to read provisioning settings associated with the object-- ability to read provisioning settings associated with your service principal-- ability to authorize application access for provisioning---
-### Public preview - Azure AD Application Proxy natively supports single sign-on access to applications that use headers for authentication
-
-**Type:** New feature
-**Service category:** App Proxy
-**Product capability:** Access Control
-
-Azure Active Directory (Azure AD) Application Proxy natively supports single sign-on access to applications that use headers for authentication. You can configure header values required by your application in Azure AD. The header values will be sent down to the application via Application Proxy. To learn more, see [Header-based single sign-on for on-premises apps with Azure AD App Proxy](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md)
-
--
-### General Availability - Azure AD B2C Phone Sign-up and Sign-in using Custom Policy
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-With phone number sign-up and sign-in, developers and enterprises can allow their customers to sign up and sign in using a one-time password sent to the user's phone number via SMS. This feature also lets the customer change their phone number if they lose access to their phone. With the power of custom policies, allow developers and enterprises to communicate their brand through page customization. Find out how to [set up phone sign-up and sign-in with custom policies in Azure AD B2C](../../active-directory-b2c/phone-authentication-user-flows.md).
-
--
-### New provisioning connectors in the Azure AD Application Gallery - November 2020
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Adobe Identity Management](../saas-apps/adobe-identity-management-provisioning-tutorial.md)-- [Blogin](../saas-apps/blogin-provisioning-tutorial.md)-- [Clarizen One](../saas-apps/clarizen-one-provisioning-tutorial.md)-- [Contentful](../saas-apps/contentful-provisioning-tutorial.md)-- [GitHub AE](../saas-apps/github-ae-provisioning-tutorial.md)-- [Playvox](../saas-apps/playvox-provisioning-tutorial.md)-- [PrinterLogic SaaS](../saas-apps/printer-logic-saas-provisioning-tutorial.md)-- [Tic - Tac Mobile](../saas-apps/tic-tac-mobile-provisioning-tutorial.md)-- [Visibly](../saas-apps/visibly-provisioning-tutorial.md)-
-For more information, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
-
--
-### Public Preview - Email Sign in with ProxyAddresses now deployable via Staged Rollout
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-Tenant administrators can now use Staged Rollout to deploy Email Sign-In with ProxyAddresses to specific Azure AD groups. This can help while trying out the feature before deploying it to the entire tenant via the Home Realm Discovery policy. Instructions for deploying Email Sign-In with ProxyAddresses via Staged Rollout are in the [documentation](../authentication/howto-authentication-use-email-signin.md).
-
--
-### Limited Preview - Sign-in Diagnostic
-
-**Type:** New feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-With the initial preview release of the Sign-in Diagnostic, admins can now review user sign-ins. Admins can receive contextual, specific, and relevant details and guidance on what happened during a sign-in and how to fix problems. The diagnostic is available in both the Azure AD level, and Conditional Access Diagnose and Solve blades. The diagnostic scenarios covered in this release are Conditional Access, Azure Active Directory Multi-Factor Authentication, and successful sign-in.
-
-For more information, see [What is sign-in diagnostic in Azure AD?](../reports-monitoring/overview-sign-in-diagnostics.md).
-
--
-### Improved Unfamiliar Sign-in Properties
-
-**Type:** Changed feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
- Unfamiliar sign-in properties detections has been updated. Customers may notice more high-risk unfamiliar sign-in properties detections. For more information, see [What is risk?](../identity-protection/concept-identity-protection-risks.md)
-
--
-### Public Preview refresh of Cloud Provisioning agent now available (Version: 1.1.281.0)
-
-**Type:** Changed feature
-**Service category:** Azure AD Cloud Provisioning
-**Product capability:** Identity Lifecycle Management
-
-Cloud provisioning agent has been released in public preview and is now available through the portal. This release contains several improvements including, support for GMSA for your domains, which provides better security, improved initial sync cycles, and support for large groups. Check out the release version [history](../app-provisioning/provisioning-agent-release-version-history.md) for more details.
-
--
-### BitLocker recovery key API endpoint now under /informationProtection
-
-**Type:** Changed feature
-**Service category:** Device Access Management
-**Product capability:** Device Lifecycle Management
-
-Previously, you could recover BitLocker keys via the /bitlocker endpoint. We'll eventually be deprecating this endpoint, and customers should begin consuming the API that now falls under /informationProtection.
-
-See [BitLocker recovery API](/graph/api/resources/bitlockerrecoverykey) for updates to the documentation to reflect these changes.
---
-### General Availability of Application Proxy support for Remote Desktop Services HTML5 Web Client
-
-**Type:** Changed feature
-**Service category:** App Proxy
-**Product capability:** Access Control
-
-Azure AD Application Proxy support for Remote Desktop Services (RDS) Web Client is now in General Availability. The RDS web client allows users to access Remote Desktop infrastructure through any HTLM5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, and so on. Users can interact with remote apps or desktops like they would with a local device from anywhere.
-
-By using Azure AD Application Proxy, you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. To learn more, see [Publish Remote Desktop with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-remote-desktop-services.md)
-
--
-### New enhanced Dynamic Group service is in Public Preview
-
-**Type:** Changed feature
-**Service category:** Group Management
-**Product capability:** Collaboration
-
-Enhanced dynamic group service is now in Public Preview. New customers that create dynamic groups in their tenants will be using the new service. The time required to create a dynamic group will be proportional to the size of the group that is being created instead of the size of the tenant. This update will improve performance for large tenants significantly when customers create smaller groups.
-
-The new service also aims to complete member addition and removal because of attribute changes within a few minutes. Also, single processing failures won't block tenant processing. To learn more about creating dynamic groups, see our [documentation](../enterprise-users/groups-create-rule.md).
-
--
-## October 2020
-
-### Azure AD on-premises Hybrid Agents Impacted by Azure TLS Certificate Changes
-
-**Type:** Plan for change
-**Service category:** N/A
-**Product capability:** Platform
-
-Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This update is due to the current CA certificates not complying with one of the CA/Browser Forum Baseline requirements. This change will impact Azure AD hybrid agents installed on-premises that have hardened environments with a fixed list of root certificates and will need to be updated to trust the new certificate issuers.
-
-This change will result in disruption of service if you don't take action immediately. These agents include [Application Proxy connectors](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AppProxy) for remote access to on-premises, [Passthrough Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect) agents that allow your users to sign in to applications using the same passwords, and [Cloud Provisioning Preview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect) agents that perform AD to Azure AD sync.
-
-If you have an environment with firewall rules set to allow outbound calls to only specific Certificate Revocation List (CRL) download, you'll need to allow the following CRL and OCSP URLs. For full details on the change and the CRL and OCSP URLs to enable access to, see [Azure TLS certificate changes](../../security/fundamentals/tls-certificate-changes.md).
---
-### Provisioning events will be removed from audit logs and published solely to provisioning logs
-
-**Type:** Plan for change
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-Activity by the SCIM [provisioning service](../app-provisioning/user-provisioning.md) is logged in both the audit logs and provisioning logs. This includes activity such as the creation of a user in ServiceNow, group in GSuite, or import of a role from AWS. In the future, these events will only be published in the provisioning logs. This change is being implemented to avoid duplicate events across logs, and additional costs incurred by customers consuming the logs in log analytics.
-
-We'll provide an update when a date is completed. This deprecation isn't planned for the calendar year 2020.
-
-> [!NOTE]
-> This does not impact any events in the audit logs outside of the synchronization events emitted by the provisioning service. Events such as the creation of an application, conditional access policy, a user in the directory, etc. will continue to be emitted in the audit logs. [Learn more](../reports-monitoring/concept-provisioning-logs.md?context=azure%2factive-directory%2fapp-provisioning%2fcontext%2fapp-provisioning-context).
-
---
-### Azure AD On-Premises Hybrid Agents Impacted by Azure Transport Layer Security (TLS) Certificate Changes
-
-**Type:** Plan for change
-**Service category:** N/A
-**Product capability:** Platform
-
-Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). There will be an update because of the current CA certificates not following one of the CA/Browser Forum Baseline requirements. This change will impact Azure AD hybrid agents installed on-premises that have hardened environments with a fixed list of root certificates. These agents will need to be updated to trust the new certificate issuers.
-
-This change will result in disruption of service if you don't take action immediately. These agents include:
-- [Application Proxy connectors](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AppProxy) for remote access to on-premises -- [Passthrough Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect) agents that allow your users to sign in to applications using the same passwords-- [Cloud Provisioning Preview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect) agents that do AD to Azure AD sync. -
-If you have an environment with firewall rules set to allow outbound calls to only specific Certificate Revocation List (CRL) download, you'll need to allow CRL and OCSP URLs. For full details on the change and the CRL and OCSP URLs to enable access to, see [Azure TLS certificate changes](../../security/fundamentals/tls-certificate-changes.md).
---
-[1305958](https://identitydivision.visualstudio.com/IAM/IXR/_queries?id=1305958&triage=true&fullScreen=false&_a=edit)
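Review bot: the removed line `[1305958](https://identitydivision.visualstudio.com/IAM/IXR/_queries?id=1305958&triage=true&fullScreen=false&_a=edit)` directly above is a visualstudio.com work-item query link with no surrounding text, which reads as tracking residue rather than reader-facing content. If these October 2020 entries are being relocated rather than dropped, leave that line out of the new location. The same stretch also carries the hybrid-agents TLS certificate notice twice, once under "Azure AD on-premises Hybrid Agents Impacted by Azure TLS Certificate Changes" and again under "Azure AD On-Premises Hybrid Agents Impacted by Azure Transport Layer Security (TLS) Certificate Changes", with near-identical bodies; keep a single copy.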
-
-### Azure Active Directory TLS 1.0 & 1.1, and 3DES Cipher Suite Deprecation
-
-**Type:** Plan for change
-**Service category:** N/A
-**Product capability:** Standards
-
-Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting on January 31, 2022 (This date has been postponed from 30th June 2021 to 31st Jan 2022, to give Administrators more time to remove the dependency on legacy TLS protocols and ciphers (TLS 1.0,1.1 and 3DES)):
--- TLS 1.0-- TLS 1.1-- 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)-
-Affected environments are:
--- Azure Commercial Cloud-- Office 365 GCC and WW-
-Users, services, and applications that interact with Azure Active Directory and Microsoft Graph, should use TLS 1.2 and modern cipher suites to maintain a secure connection to Azure Active Directory for Azure, Office 365, and Microsoft 365 services. For additional guidance, refer to [Enable support for TLS 1.2 in your environment, in preparation for upcoming deprecation of Azure AD TLS 1.0/1.1](/troubleshoot/azure/active-directory/enable-support-tls-environment).
---
-### Azure Active Directory TLS 1.0, TLS 1.1, and 3DES Deprecation in US Gov Cloud
-
-**Type:** Plan for change
-**Service category:** All Azure AD applications
-**Product capability:** Standards
-
-Azure Active Directory will deprecate the following protocols starting March 31, 2021:
-- TLS 1.0-- TLS 1.1-- 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)-
-All client-server and browser-server combinations should use TLS 1.2 and modern cipher suites to maintain a secure connection to Azure Active Directory for Azure, Office 365, and Microsoft 365 services.
-
-Affected environments are:
-- Azure US Gov-- [Office 365 GCC High & DoD](/microsoft-365/compliance/tls-1-2-in-office-365-gcc)-
-For guidance to remove deprecating protocols dependencies, please refer to [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment).
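Review bot: the two TLS deprecation entries removed above carry the cut-over dates (January 31, 2022 for the worldwide regions, postponed from June 30, 2021, and March 31, 2021 for US Gov) and name the retired suite `TLS_RSA_WITH_3DES_EDE_CBC_SHA`. Please confirm this removal is a move to an archive page and that the link to `/troubleshoot/azure/active-directory/enable-support-tls-environment` goes with it, since administrators auditing legacy TLS dependencies will look for those dates and that guidance.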
-
--
-### Assign applications to roles on administrative unit and object scope
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-This feature enables the ability to assign an application (SPN) to an administrator role on the administrative unit scope. To learn more, refer to [Assign scoped roles to an administrative unit](../roles/admin-units-assign-roles.md).
---
-### Now you can disable and delete guest users when they're denied access to a resource
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-Disable and delete is an advanced control in Azure AD Access Reviews to help organizations better manage external guests in Groups and Apps. If guests are denied in an access review, **disable and delete** will automatically block them from signing in for 30 days. After 30 days, then they'll be removed from the tenant altogether.
-
-For more information about this feature, see [Disable and delete external identities with Azure AD Access Reviews](../governance/access-reviews-external-users.md#disable-and-delete-external-identities-with-azure-ad-access-reviews).
-
--
-### Access Review creators can add custom messages in emails to reviewers
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-In Azure AD access reviews, administrators creating reviews can now write a custom message to the reviewers. Reviewers will see the message in the email they receive that prompts them to complete the review. To learn more about using this feature, see step 14 of the [Create a single-stage review](../governance/create-access-review.md#create-a-single-stage-access-review) section.
---
-### New provisioning connectors in the Azure AD Application Gallery - October 2020
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Apple Business Manager](../saas-apps/apple-business-manager-provision-tutorial.md)-- [Apple School Manager](../saas-apps/apple-school-manager-provision-tutorial.md)-- [Code42](../saas-apps/code42-provisioning-tutorial.md)-- [AlertMedia](../saas-apps/alertmedia-provisioning-tutorial.md)-- [OpenText Directory Services](../saas-apps/open-text-directory-services-provisioning-tutorial.md)-- [Cinode](../saas-apps/cinode-provisioning-tutorial.md)-- [Global Relay Identity Sync](../saas-apps/global-relay-identity-sync-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
-
--
-### Integration assistant for Azure AD B2C
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-The Integration Assistant (preview) experience is now available for Azure AD B2C App registrations. This experience helps guide you in configuring your application for common scenarios.. Learn more about [Microsoft identity platform best practices and recommendations](../develop/identity-platform-integration-checklist.md).
-
--
-### View role template ID in Azure portal UI
-
-**Type:** New feature
-**Service category:** Azure roles
-**Product capability:** Access Control
-
-
-You can now view the template ID of each Azure AD role in the Azure portal. In Azure AD, select **description** of the selected role.
-
-It's recommended that customers use role template IDs in their PowerShell script and code, instead of the display name. Role template ID is supported for use to [directoryRoles](/graph/api/resources/directoryrole) and [roleDefinition](/graph/api/resources/unifiedroledefinition) objects. For more information on role template IDs, see [Azure AD built-in roles](../roles/permissions-reference.md).
---
-### API connectors for Azure AD B2C sign-up user flows is now in public preview
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-
-API connectors are now available for use with Azure Active Directory B2C. API connectors enable you to use web APIs to customize your sign-up user flows and integrate with external cloud systems. You can you can use API connectors to:
--- Integrate with custom approval workflows-- Validate user input data-- Overwrite user attributes -- Run custom business logic -
- Visit the [Use API connectors to customize and extend sign-up](../../active-directory-b2c/api-connectors-overview.md) documentation to learn more.
---
-### State property for connected organizations in entitlement management
-
-**Type:** New feature
-**Service category:** Directory Management
-**Product capability:** Entitlement Management
-
-
- All connected organizations will now have an additional property called "State". The state will control how the connected organization will be used in policies that refer to "all configured connected organizations". The value will be either "configured" (meaning the organization is in the scope of policies that use the "all" clause) or "proposed" (meaning that the organization isn't in scope).
-
-Manually created connected organizations will have a default setting of "configured". Meanwhile, automatically created ones (created via policies that allow any user from the internet to request access) will default to "proposed." Any connected organizations created before September 9 2020 will be set to "configured." Admins can update this property as needed. [Learn more](../governance/entitlement-management-organization.md#managing-a-connected-organization-programmatically).
-
---
-### Azure Active Directory External Identities now has premium advanced security settings for B2C
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-Risk-based Conditional Access and risk detection features of Identity Protection are now available in [Azure AD B2C](../..//active-directory-b2c/conditional-access-identity-protection-overview.md). With these advanced security features, customers can now:
-- Leverage intelligent insights to assess risk with B2C apps and end user accounts. Detections include atypical travel, anonymous IP addresses, malware-linked IP addresses, and Azure AD threat intelligence. Portal and API-based reports are also available.-- Automatically address risks by configuring adaptive authentication policies for B2C users. App developers and administrators can mitigate real-time risk by requiring Azure Active Directory Multi-Factor Authentication (MFA) or blocking access depending on the user risk level detected, with additional controls available based on location, group, and app.-- Integrate with Azure AD B2C user flows and custom policies. Conditions can be triggered from built-in user flows in Azure AD B2C or can be incorporated into B2C custom policies. As with other aspects of the B2C user flow, end user experience messaging can be customized. Customization is according to the organization's voice, brand, and mitigation alternatives.
-
--
-### New Federated Apps available in Azure AD Application gallery - October 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In October 2020 we have added following 27 new applications in our App gallery with Federation support:
-
-[Sentry](../saas-apps/sentry-tutorial.md), [Bumblebee - Productivity Superapp](https://app.yellowmessenger.com/user/login), [ABBYY FlexiCapture Cloud](../saas-apps/abbyy-flexicapture-cloud-tutorial.md), [EAComposer](../saas-apps/eacomposer-tutorial.md), [Genesys Cloud Integration for Azure](https://apps.mypurecloud.com/msteams-integration/), [Zone Technologies Portal](https://portail.zonetechnologie.com/signin), [Beautiful.ai](../saas-apps/beautiful.ai-tutorial.md), [Datawiza Access Broker](https://console.datawiza.com/), [ZOKRI](https://app.zokri.com/), [CheckProof](../saas-apps/checkproof-tutorial.md), [Ecochallenge.org](https://events.ecochallenge.org/users/login), [atSpoke](https://www.atspoke.com/), [Appointment Reminder](https://app.appointmentreminder.co.nz/account/login), [Cloud.Market](https://cloud.market/), [TravelPerk](../saas-apps/travelperk-tutorial.md), [Greetly](https://app.greetly.com/), [OrgVitality SSO](../saas-apps/orgvitality-sso-tutorial.md), [Web Cargo Air](../saas-apps/web-cargo-air-tutorial.md), [Loop Flow CRM](../saas-apps/loop-flow-crm-tutorial.md), [Starmind](../saas-apps/starmind-tutorial.md), [Workstem](https://hrm.workstem.com/login), [Retail Zipline](../saas-apps/retail-zipline-tutorial.md), [Hoxhunt](../saas-apps/hoxhunt-tutorial.md), [MEVISIO](../saas-apps/mevisio-tutorial.md), [Samsara](../saas-apps/samsara-tutorial.md), [Nimbus](../saas-apps/nimbus-tutorial.md), [Pulse Secure virtual Traffic Manager](../saas-apps/pulse-secure-virtual-traffic-manager-tutorial.md)
-
-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest
---
-### Provisioning logs can now be streamed to log analytics
-
-**Type:** New feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-
-Publish your provisioning logs to log analytics in order to:
-- Store provisioning logs for more than 30 days-- Define custom alerts and notifications-- Build dashboards to visualize the logs-- Execute complex queries to analyze the logs -
-To learn how to use the feature, see [Understand how provisioning integrates with Azure Monitor logs](../app-provisioning/application-provisioning-log-analytics.md).
-
--
-### Provisioning logs can now be viewed by application owners
-
-**Type:** Changed feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-You can now allow application owners to monitor activity by the provisioning service and troubleshoot issues without providing them a privileged role or making IT a bottleneck. [Learn more](../reports-monitoring/concept-provisioning-logs.md).
-
--
-### Renaming 10 Azure Active Directory roles
-
-**Type:** Changed feature
-**Service category:** Azure roles
-**Product capability:** Access Control
-
-Some Azure Active Directory (AD) built-in roles have names that differ from those that appear in Microsoft 365 admin center, the Azure portal, and Microsoft Graph. This inconsistency can cause problems in automated processes. With this update, we're renaming 10 role names to make them consistent. The following table has the new role names:
-
-![Table showing role names in MS Graph API and the Azure portal, and the proposed new role name in M365 Admin Center, Azure portal, and API.](media/whats-new/azure-role.png)
---
-### Azure AD B2C support for auth code flow for SPAs using MSAL JS 2.x
-
-**Type:** Changed feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-MSAL.js version 2.x now includes support for the authorization code flow for single-page web apps (SPAs). Azure AD B2C will now support the use of the SPA app type on the Azure portal and the use of MSAL.js authorization code flow with PKCE for single-page apps. This will allow SPAs using Azure AD B2C to maintain SSO with newer browsers and abide by newer authentication protocol recommendations. Get started with the [Register a single-page application (SPA) in Azure Active Directory B2C](../../active-directory-b2c/tutorial-register-spa.md) tutorial.
---
-### Updates to Remember Azure Active Directory Multi-Factor Authentication (MFA) on a trusted device setting
-
-**Type:** Changed feature
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-
-We've recently updated the [remember Azure Active Directory Multi-Factor Authentication (MFA)](../authentication/howto-mfa-mfasettings.md#remember-multi-factor-authentication) on a trusted device feature to extend authentication for up to 365 days. Azure Active Directory (Azure AD) Premium licenses, can also use the [Conditional Access ΓÇô Sign-in Frequency policy](../conditional-access/howto-conditional-access-session-lifetime.md#user-sign-in-frequency) that provides more flexibility for reauthentication settings.
-
-For the optimal user experience, we recommend using Conditional Access sign-in frequency to extend session lifetimes on trusted devices, locations, or low-risk sessions as an alternative to remember multifactor authentication (MFA) on a trusted device setting. To get started, review our [latest guidance on optimizing the reauthentication experience](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).
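Review bot: in the removed MFA entry, the link text `Conditional Access ΓÇô Sign-in Frequency policy` contains a mis-encoded dash, and the sentence beginning "Azure Active Directory (Azure AD) Premium licenses, can also use the" has a stray comma and no clear subject. If this text is carried into an archive article, fix both there instead of copying the lines as they stand.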
---
-## September 2020
-
-### New provisioning connectors in the Azure AD Application Gallery - September 2020
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Coda](../saas-apps/coda-provisioning-tutorial.md)-- [Cofense Recipient Sync](../saas-apps/cofense-provision-tutorial.md)-- [InVision](../saas-apps/invision-provisioning-tutorial.md)-- [myday](../saas-apps/myday-provision-tutorial.md)-- [SAP Analytics Cloud](../saas-apps/sap-analytics-cloud-provisioning-tutorial.md)-- [Webroot Security Awareness](../saas-apps/webroot-security-awareness-training-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
-
-
-### Cloud Provisioning Public Preview Refresh
-
-**Type:** New feature
-**Service category:** Azure AD Cloud Provisioning
-**Product capability:** Identity Lifecycle Management
-
-Azure AD Connect Cloud Provisioning public preview refresh features two major enhancements developed from customer feedback:
--- Attribute Mapping Experience through Azure portal-
- With this feature, IT Admins can map user, group, or contact attributes from AD to Azure AD using various mapping types present today. Attribute mapping is a feature used for standardizing the values of the attributes that flow from Active Directory to Azure Active Directory. One can determine whether to directly map the attribute value as it is from AD to Azure AD or use expressions to transform the attribute values when provisioning users. [Learn more](../cloud-sync/how-to-attribute-mapping.md)
--- On-demand Provisioning or Test User experience-
- Once you have set up your configuration, you might want to test to see if the user transformation is working as expected before applying it to all your users in scope. With on-demand provisioning, IT Admins can enter the Distinguished Name (DN) of an AD user and see if they're getting synced as expected. On-demand provisioning provides a great way to ensure that the attribute mappings you did previously work as expected. [Learn More](../cloud-sync/how-to-on-demand-provision.md)
-
--
-### Audited BitLocker Recovery in Azure AD - Public Preview
-
-**Type:** New feature
-**Service category:** Device Access Management
-**Product capability:** Device Lifecycle Management
-
-When IT admins or end users read BitLocker recovery key(s) they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with.
-
-End users can [access their recovery keys via My Account](https://support.microsoft.com/account-billing/manage-your-work-or-school-account-connected-devices-from-the-devices-page-6b5a735d-0a7f-4e94-8cfd-f5da6bc13d4e#view-a-bitlocker-key). IT admins can access recovery keys via the [BitLocker recovery key API](/graph/api/resources/bitlockerrecoverykey) or via the Azure portal. To learn more, see [View or copy BitLocker keys in the Azure portal](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys).
---
-### Teams Devices Administrator built-in role
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-Users with the [Teams Devices Administrator](../roles/permissions-reference.md#teams-devices-administrator) role can manage [Teams-certified devices](https://www.microsoft.com/microsoft-365/microsoft-teams/across-devices/devices) from the Teams Admin Center.
-
-This role allows the user to view all devices at single glance, with the ability to search and filter devices. The user can also check the details of each device including logged-in account and the make and model of the device. The user can change the settings on the device and update the software versions. This role doesn't grant permissions to check Teams activity and call quality of the device.
-
--
-### Advanced query capabilities for Directory Objects
-
-**Type:** New feature
-**Service category:** MS Graph
-**Product capability:** Developer Experience
-
-All the new query capabilities introduced for Directory Objects in Azure AD APIs are now available in the v1.0 endpoint and production-ready. Developers can Count, Search, Filter, and Sort Directory Objects and related links using the standard OData operators.
-
-To learn more, see the documentation [here](https://aka.ms/BlogPostMezzoGA), and you can also send feedback with this [brief survey](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR_yN8EPoGo5OpR1hgmCp1XxUMENJRkNQTk5RQkpWTE44NEk2U0RIV0VZRy4u).
-
--
-### Public preview: continuous access evaluation for tenants who configured Conditional Access policies
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** Identity Security & Protection
-
-Continuous access evaluation (CAE) is now available in public preview for Azure AD tenants with Conditional Access policies. With CAE, critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change. To learn more, see [Continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md).
---
-### Public preview: ask users requesting an access package additional questions to improve approval decisions
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-Administrators can now require that users requesting an access package answer additional questions beyond just business justification in Azure AD Entitlement management's My Access portal. The users' answers will then be shown to the approvers to help them make a more accurate access approval decision. To learn more, see [Collect additional requestor information for approval](../governance/entitlement-management-access-package-approval-policy.md#collect-additional-requestor-information-for-approval).
-
--
-### Public preview: Enhanced user management
-
-**Type:** New feature
-**Service category:** User Management
-**Product capability:** User Management
-
-
-The Azure portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:
-- More visible user properties including object ID, directory sync status, creation type, and identity issuer.-- Search now allows combined search of names, emails, and object IDs.-- Enhanced filtering by user type (member, guest, and none), directory sync status, creation type, company name, and domain name.-- New sorting capabilities on properties like name, user principal name and deletion date.-- A new total users count that updates with any searches or filters.-
-For more information, please see [User management enhancements (preview) in Azure Active Directory](../enterprise-users/users-search-enhanced.md).
---
-### New notes field for Enterprise applications
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-You can add free text notes to Enterprise applications. You can add any relevant information that will help manager applications under Enterprise applications. For more information, see [Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant](../manage-apps/add-application-portal-configure.md).
---
-### New Federated Apps available in Azure AD Application gallery - September 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In September 2020 we have added following 34 new applications in our App gallery with Federation support:
-
-[VMware Horizon - Unified Access Gateway](), [Pulse Secure PCS](../saas-apps/vmware-horizon-unified-access-gateway-tutorial.md), [Inventory360](../saas-apps/pulse-secure-pcs-tutorial.md), [Frontitude](https://services.enteksystems.de/sso/microsoft/signup), [BookWidgets](https://www.bookwidgets.com/sso/office365), [ZVD_Server](https://zaas.zenmutech.com/user/signin), [HashData for Business](https://hashdata.app/login.xhtml), [SecureLogin](https://securelogin.securelogin.nu/sso/azure/login), [CyberSolutions MAILBASEΣ/CMSS](../saas-apps/cybersolutions-mailbase-tutorial.md), [CyberSolutions CYBERMAILΣ](../saas-apps/cybersolutions-cybermail-tutorial.md), [LimbleCMMS](https://auth.limblecmms.com/), [Glint Inc](../saas-apps/glint-inc-tutorial.md), [zeroheight](../saas-apps/zeroheight-tutorial.md), [Gender Fitness](https://app.genderfitness.com/), [Coeo Portal](https://my.coeo.com/), [Grammarly](../saas-apps/grammarly-tutorial.md), [Fivetran](../saas-apps/fivetran-tutorial.md), [Kumolus](../saas-apps/kumolus-tutorial.md), [RSA Archer Suite](../saas-apps/rsa-archer-suite-tutorial.md), [TeamzSkill](../saas-apps/teamzskill-tutorial.md), [raumfürraum](../saas-apps/raumfurraum-tutorial.md), [Saviynt](../saas-apps/saviynt-tutorial.md), [BizMerlinHR](https://marketplace.bizmerlin.net/bmone/signup), [Mobile Locker](../saas-apps/mobile-locker-tutorial.md), [Zengine](../saas-apps/zengine-tutorial.md), [CloudCADI](https://cloudcadi.com/), [Simfoni Analytics](https://simfonianalytics.com/accounts/microsoft/login/), [Priva Identity & Access Management](https://my.priva.com/), [Nitro Pro](https://www.gonitro.com/nps/product-details/downloads), [Eventfinity](../saas-apps/eventfinity-tutorial.md), [Fexa](../saas-apps/fexa-tutorial.md), [Secured Signing Enterprise Portal](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Secured Signing Enterprise Portal AAD Setup](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Wistec 
Online](https://wisteconline.com/auth/oidc), [Oracle PeopleSoft - Protected by F5 BIG-IP APM](../saas-apps/oracle-peoplesoft-protected-by-f5-big-ip-apm-tutorial.md)
-
-You can also find the documentation of all the applications from here: https://aka.ms/AppsTutorial.
-
-For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest.
---
-### New delegation role in Azure AD entitlement management: Access package assignment manager
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-A new Access Package Assignment Manager role has been added in Azure AD entitlement management to provide granular permissions to manage assignments. You can now delegate tasks to a user in this role, who can delegate assignments management of an access package to a business owner. However, an Access Package Assignment Manager can't alter the access package policies or other properties that are set by the administrators.
-
-With this new role, you benefit from the least privileges needed to delegate management of assignments and maintain administrative control on all other access package configurations. To learn more, see [Entitlement management roles](../governance/entitlement-management-delegate.md#entitlement-management-roles).
-
--
-### Changes to Privileged Identity Management's onboarding flow
-
-**Type:** Changed feature
-**Service category:** Privileged Identity Management
-**Product capability:** Privileged Identity Management
-
-Previously, onboarding to Privileged Identity Management (PIM) required user consent and an onboarding flow in PIM's blade that included enrollment in Azure Active Directory Multi-Factor Authentication (MFA). With the recent integration of PIM experience into the Azure AD roles and administrators blade, we are removing this experience. Any tenant with valid P2 license will be auto-onboarded to PIM.
-
-Onboarding to PIM does not have any direct adverse effect on your tenant. You can expect the following changes:
-- Additional assignment options such as active vs. eligible with start and end time when you make an assignment in either PIM or Azure AD roles and administrators blade. -- Additional scoping mechanisms, like Administrative Units and custom roles, introduced directly into the assignment experience. -- If you're a global administrator or privileged role administrator, you may start getting a few additional emails like the PIM weekly digest. -- You might also see ms-pim service principal in the audit log related to role assignment. This expected change shouldn't affect your regular workflow.-
- For more information, see [Start using Privileged Identity Management](../privileged-identity-management/pim-getting-started.md).
---
-### Azure AD Entitlement Management: The Select pane of access package resources now shows by default the resources currently in the selected catalog
-
-**Type:** Changed feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-
-In the access package creation flow, under the Resource roles tab, the Select pane behavior is changing. Currently, the default behavior is to show all resources that are owned by the user and resources added to the selected catalog.
-
-This experience will be changed to display only the resources currently added in the catalog by default, so that users can easily pick resources from the catalog. The update will help with discoverability of the resources to add to access packages, and reduce risk of inadvertently adding resources owned by the user that aren't part of the catalog. To learn more, see [Create a new access package in Azure AD entitlement management](../governance/entitlement-management-access-package-create.md#resource-roles).
-
--
-## August 2020
-
-### Updates to Azure Active Directory Multi-Factor Authentication Server firewall requirements
-
-**Type:** Plan for change
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-Starting 1 October 2020, Azure AD Multi-Factor Authentication (MFA) Server firewall requirements will require additional IP ranges.
-
-If you have outbound firewall rules in your organization, update the rules so that your multifactor authentication (MFA) servers can communicate with all the necessary IP ranges. The IP ranges are documented in [Azure Active Directory Multi-Factor Authentication Server firewall requirements](../authentication/howto-mfaserver-deploy.md#azure-multi-factor-authentication-server-firewall-requirements).
---
-### Upcoming changes to user experience in Identity Secure Score
-
-**Type:** Plan for change
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-We're updating the Identity Secure Score portal to align with the changes introduced in Microsoft Secure Score's [new release](/microsoft-365/security/mtp/microsoft-secure-score-whats-new).
-
-The preview version with the changes will be available at the beginning of September. The changes in the preview version include:
-- "Identity Secure Score" renamed to "Secure Score for Identity" for brand alignment with Microsoft Secure Score-- Points normalized to standard scale and reported in percentages instead of points-
-In this preview, customers can toggle between the existing experience and the new experience. This preview will last until the end of November 2020. After the preview, the customers will automatically be directed to the new UX experience.
---
-### New Restricted Guest Access Permissions in Azure AD - Public Preview
-
-**Type:** New feature
-**Service category:** Access Control
-**Product capability:** User Management
-
-We've updated directory level permissions for guest users. These permissions allow administrators to require additional restrictions and controls on external guest user access. Admins can now add additional restrictions for external guests' access to user and groups' profile and membership information. With this public preview feature, customers can manage external user access at scale by obfuscating group memberships, including restricting guest users from seeing memberships of the group(s) they are in.
-
-To learn more, see [Restricted Guest Access Permissions](../enterprise-users/users-restrict-guest-permissions.md) and [Users Default Permissions](./users-default-permissions.md).
-
--
-### General availability of delta queries for service principals
-
-**Type:** New feature
-**Service category:** MS Graph
-**Product capability:** Developer Experience
-
-Microsoft Graph Delta Query now supports the resource type in v1.0:
-- Service Principal-
-Now clients can track changes to those resources efficiently and provides the best solution to synchronize changes to those resources with a local data store. To learn how to configure these resources in a query, see [Use delta query to track changes in Microsoft Graph data](/graph/delta-query-overview).
-
--
-### General availability of delta queries for oAuth2PermissionGrant
-
-**Type:** New feature
-**Service category:** MS Graph
-**Product capability:** Developer Experience
-
-Microsoft Graph Delta Query now supports the resource type in v1.0:
-- OAuth2PermissionGrant-
-Clients can now track changes to those resources efficiently and provides the best solution to synchronize changes to those resources with a local data store. To learn how to configure these resources in a query, see [Use delta query to track changes in Microsoft Graph data](/graph/delta-query-overview).
---
-### New Federated Apps available in Azure AD Application gallery - August 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In August 2020 we have added following 25 new applications in our App gallery with Federation support:
-
-[Backup365](https://portal.backup365.io/login), [Soapbox](https://app.soapboxhq.com/create?step=auth&provider=azure-ad2-oauth2), [Enlyft Dynamics 365 Connector](http://enlyft.com/), [Serraview Space Utilization Software Solutions](../saas-apps/serraview-space-utilization-software-solutions-tutorial.md), [Uniq](https://web.uniq.app/), [Visibly](../saas-apps/visibly-tutorial.md), [Zylo](../saas-apps/zylo-tutorial.md), [Edmentum - Courseware Assessments Exact Path](https://auth.edmentum.com/elf/login), [CyberLAB](https://cyberlab.evolvesecurity.com/#/welcome), [Altamira HRM](../saas-apps/altamira-hrm-tutorial.md), [WireWheel](../saas-apps/wirewheel-tutorial.md), [Zix Compliance and Capture](https://sminstall.zixcorp.com/teams/teams.php?install_request=true&tenant_id=common), [Greenlight Enterprise Business Controls Platform](../saas-apps/greenlight-enterprise-business-controls-platform-tutorial.md), [Genetec Clearance](https://www.clearance.network/), [iSAMS](../saas-apps/isams-tutorial.md), [VeraSMART](../saas-apps/verasmart-tutorial.md), [Amiko](https://amiko.io/), [Twingate](https://auth.twingate.com/signup), [Funnel Leasing](https://nestiolistings.com/sso/oidc/azure/authorize/), [Scalefusion](https://scalefusion.com/users/sign_in/), [Bpanda](https://goto.bpanda.com/login), [Vivun Calendar Connect](https://app.vivun.com/dashboard/calendar/connect), [FortiGate SSL VPN](../saas-apps/fortigate-ssl-vpn-tutorial.md), [Wandera End User](https://www.wandera.com/)
-
-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest
---
-### Resource Forests now available for Azure AD DS
-
-**Type:** New feature
-**Service category:** Azure AD Domain Services
-**Product capability:** Azure AD Domain Services
-
-The capability of resource forests in Azure AD Domain Services is now generally available. You can now enable authorization without password hash synchronization to use Azure AD Domain Services, including smart-card authorization. To learn more, see [Replica sets concepts and features for Azure Active Directory Domain Services (preview)](../../active-directory-domain-services/concepts-replica-sets.md).
-
--
-### Regional replica support for Azure AD DS managed domains now available
-
-**Type:** New feature
-**Service category:** Azure AD Domain Services
-**Product capability:** Azure AD Domain Services
-
-You can expand a managed domain to have more than one replica set per Azure AD tenant. Replica sets can be added to any peered virtual network in any Azure region that supports Azure AD Domain Services. Additional replica sets in different Azure regions provide geographical disaster recovery for legacy applications if an Azure region goes offline. To learn more, see [Replica sets concepts and features for Azure Active Directory Domain Services (preview)](../../active-directory-domain-services/concepts-replica-sets.md).
---
-### General Availability of Azure AD My sign-ins
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** End User Experiences
-
-Azure AD My sign-ins is a new feature that allows enterprise users to review their sign-in history to check for any unusual activity. Additionally, this feature allows end users to report "This wasn't me" or "This was me" on suspicious activities. To learn more about using this feature, see [View and search your recent sign-in activity from the My sign-ins page](https://support.microsoft.com/account-billing/view-and-search-your-work-or-school-account-sign-in-activity-from-my-sign-ins-9e7d108c-8e3f-42aa-ac3a-bca892898972#confirm-unusual-activity).
-
--
-### SAP SuccessFactors HR driven user provisioning to Azure AD is now generally available
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-You can now integrate SAP SuccessFactors as the authoritative identity source with Azure AD and automate the end-to-end identity lifecycle using HR events like new hires and terminations to drive provisioning and de-provisioning of accounts in Azure AD.
-
-To learn more about how to configure SAP SuccessFactors inbound provisioning to Azure AD, refer to the tutorial [Configure SAP SuccessFactors to Active Directory user provisioning](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md).
-
--
-### Custom Open ID Connect MS Graph API support for Azure AD B2C
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-Previously, Custom Open ID Connect providers could only be added or managed through the Azure portal. Now the Azure AD B2C customers can add and manage them through Microsoft Graph APIs beta version as well. To learn how to configure this resource with APIs, see [identityProvider resource type](/graph/api/resources/identityprovider).
-
--
-### Assign Azure AD built-in roles to cloud groups
-
-**Type:** New feature
-**Service category:** Azure AD roles
-**Product capability:** Access Control
-
-You can now assign Azure AD built-in roles to cloud groups with this new feature. For example, you can assign the SharePoint Administrator role to Contoso_SharePoint_Admins group. You can also use PIM to make the group an eligible member of the role, instead of granting standing access. To learn how to configure this feature, see [Use cloud groups to manage role assignments in Azure Active Directory (preview)](../roles/groups-concept.md).
-
--
-### Insights Business Leader built-in role now available
-
-**Type:** New feature
-**Service category:** Azure AD roles
-**Product capability:** Access Control
-
-Users in the Insights Business Leader role can access a set of dashboards and insights via the [Microsoft 365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). This includes full access to all dashboards and presented insights and data exploration functionality. However, users in this role don't have access to product configuration settings, which is the responsibility of the Insights Administrator role. To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-business-leader)
-
--
-### Insights Administrator built-in role now available
-
-**Type:** New feature
-**Service category:** Azure AD roles
-**Product capability:** Access Control
-
-Users in the Insights Administrator role can access the full set of administrative capabilities in the [Microsoft 365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). A user in this role can read directory information, monitor service health, file support tickets, and access the Insights administrator settings aspects. To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-administrator)
-
-
-
-### Application Admin and Cloud Application Admin can manage extension properties of applications
-
-**Type:** Changed feature
-**Service category:** Azure AD roles
-**Product capability:** Access Control
-
-Previously, only the Global Administrator could manage the [extension property](/graph/api/application-post-extensionproperty). We're now enabling this capability for the Application Administrator and Cloud Application Administrator as well.
-
--
-### MIM 2016 SP2 hotfix 4.6.263.0 and connectors 1.1.1301.0
-
-**Type:** Changed feature
-**Service category:** Microsoft Identity Manager
-**Product capability:** Identity Lifecycle Management
-
-A [hotfix rollup package (build 4.6.263.0)](https://support.microsoft.com/help/4576473/hotfix-rollup-package-build-4-6-263-0-is-available-for-microsoft-ident) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2). This rollup package contains updates for the MIM CM, MIM Synchronization Manager, and PAM components. In addition, the MIM generic connectors build 1.1.1301.0 includes updates for the Graph connector.
---
-## July 2020
-
-### As an IT Admin, I want to target client apps using Conditional Access
-
-**Type:** Plan for change
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-With the GA release of the client apps condition in Conditional Access, new policies will now apply by default to all client applications. This includes legacy authentication clients. Existing policies will remain unchanged, but the *Configure Yes/No* toggle will be removed from existing policies to easily see which client apps are applied to by the policy.
-
-When creating a new policy, make sure to exclude users and service accounts that are still using legacy authentication; if you don't, they'll be blocked. [Learn more](../conditional-access/concept-conditional-access-conditions.md).
-
--
-### Upcoming SCIM compliance fixes
-
-**Type:** Plan for change
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-The Azure AD provisioning service uses the SCIM standard for integrating with applications. Our implementation of the SCIM standard is evolving, and we expect to make changes to our behavior around how we perform PATCH operations and set the property "active" on a resource. [Learn more](../app-provisioning/application-provisioning-config-problem-scim-compatibility.md).
-
--
-### Group owner setting on Azure Admin portal will be changed
-
-**Type:** Plan for change
-**Service category:** Group Management
-**Product capability:** Collaboration
-
-Owner settings on Groups general setting page can be configured to restrict owner assignment privileges to a limited group of users in the Azure Admin portal and Access Panel. We'll soon have the ability to assign group owner privilege not only on these two UX portals but also enforce the policy on the backend to provide consistent behavior across endpoints, such as PowerShell and Microsoft Graph.
-
-We'll start to disable the current setting for the customers who aren't using it and will offer an option to scope users for group owner privilege in the next few months. For guidance on updating group settings, see Edit your group information using [Azure Active Directory](./active-directory-groups-settings-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context).
---
-### Azure Active Directory Registration Service is ending support for TLS 1.0 and 1.1
-
-**Type:** Plan for change
-**Service category:** Device Registration and Management
-**Product capability:** Platform
-
-Transport layer security (TLS) 1.2 and update servers and clients will soon communicate with Azure Active Directory Device Registration Service. Support for TLS 1.0 and 1.1 for communication with Azure AD Device Registration service will retire:
-- On August 31, 2020, in all sovereign clouds (GCC High, DoD, etc.)-- On October 30, 2020, in all commercial clouds-
-[Learn more](../devices/reference-device-registration-tls-1-2.md) about TLS 1.2 for the Azure AD Registration Service.
---
-### Windows Hello for Business Sign Ins visible in Azure AD Sign In Logs
-
-**Type:** Fixed
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-Windows Hello for Business allows end users to sign into Windows machines with a gesture (such as a PIN or biometric). Azure AD admins may want to differentiate Windows Hello for Business sign-ins from other Windows sign-ins as part of an organization's journey to passwordless authentication.
-
-Admins can now see whether a Windows authentication used Windows Hello for Business by checking the Authentication Details tab for a Windows sign-in event in the Azure AD sign-ins blade in the Azure portal. Windows Hello for Business authentications will include "WindowsHelloForBusiness" in the Authentication Method field. For more information on interpreting Sign-In Logs, please see the [Sign-In Logs documentation](../reports-monitoring/concept-sign-ins.md).
-
--
-### Fixes to group deletion behavior and performance improvements
-
-**Type:** Fixed
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-Previously, when a group changed from "in-scope" to "out-of-scope" and an admin clicked restart before the change was completed, the group object wasn't being deleted. Now the group object will be deleted from the target application when it goes out of scope (disabled, deleted, unassigned, or didn't pass scoping filter). [Learn more](../app-provisioning/how-provisioning-works.md#incremental-cycles).
-
--
-### Public Preview: Admins can now add custom content in the email to reviewers when creating an access review
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-When a new access review is created, the reviewer receives an email requesting them to complete the access review. Many of our customers asked for the ability to add custom content to the email, such as contact information, or other additional supporting content to guide the reviewer.
-
-Now available in public preview, administrators can specify custom content in the email sent to reviewers by adding content in the "advanced" section of Azure AD Access Reviews. For guidance on creating access reviews, see [Create an access review of groups and applications in Azure AD access reviews](../governance/create-access-review.md).
-
--
-### Authorization Code Flow for Single-page apps available
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** Developer Experience
-
-Because of modern browser 3rd party cookie restrictions such as Safari ITP, SPAs will have to use the authorization code flow rather than the implicit flow to maintain SSO, and MSAL.js v 2.x will now support the authorization code flow.
-
-There are corresponding updates to the Azure portal so you can update your SPA to be type "spa" and use the auth code flow. See [Sign in users and get an access token in a JavaScript SPA using the auth code flow](../develop/quickstart-v2-javascript-auth-code.md) for further guidance.
-
--
-### Azure AD Application Proxy now supports the Remote Desktop Services Web Client
-
-**Type:** New feature
-**Service category:** App Proxy
-**Product capability:** Access Control
-
-Azure AD Application Proxy now supports the Remote Desktop Services (RDS) Web Client. The RDS web client allows users to access Remote Desktop infrastructure through any HTLM5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, etc. Users can interact with remote apps or desktops like they would with a local device from anywhere. By using Azure AD Application Proxy you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. For guidance, see [Publish Remote Desktop with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-remote-desktop-services.md).
-
--
-### Next generation Azure AD B2C user flows in public preview
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-Simplified user flow experience offers feature parity with preview features and is the home for all new features. Users will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. Lastly, the new, user-friendly UX simplifies the selection and creation of user flows. Try it now by [creating a user flow](../../active-directory-b2c/tutorial-create-user-flows.md).
-
-For more information about users flows, see [User flow versions in Azure Active Directory B2C](../../active-directory-b2c/user-flow-versions.md).
---
-### New Federated Apps available in Azure AD Application gallery - July 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In July 2020 we have added following 55 new applications in our App gallery with Federation support:
-
-[Appreiz](https://microsoftteams.appreiz.com/), [Inextor Vault](https://inexto.com/inexto-suite/inextor), [Beekast](https://my.beekast.com/), [Templafy OpenID Connect](https://app.templafy.com/), [PeterConnects receptionist](https://msteams.peterconnects.com/), [AlohaCloud](https://www.alohacloud.com/), Control Tower, [Cocoom](https://start.cocoom.com/), [COINS Construction Cloud](https://sso.coinsconstructioncloud.com/#login/), [Medxnote MT](https://task.teamsmain.medx.im/authorization), [Reflekt](https://reflekt.konsolute.com/login), [Rever](https://app.reverscore.net/access), [MyCompanyArchive](https://login.mycompanyarchive.com/), [GReminders](https://app.greminders.com/o365-oauth), [Titanfile](../saas-apps/titanfile-tutorial.md), [Wootric](../saas-apps/wootric-tutorial.md), [SolarWinds Orion](https://support.solarwinds.com/SuccessCenter/s/orion-platform?language=en_US), [OpenText Directory Services](../saas-apps/opentext-directory-services-tutorial.md), [Datasite](../saas-apps/datasite-tutorial.md), [BlogIn](../saas-apps/blogin-tutorial.md), [IntSights](../saas-apps/intsights-tutorial.md), [kpifire](../saas-apps/kpifire-tutorial.md), [Textline](../saas-apps/textline-tutorial.md), [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-tutorial.md), [Community Spark](../saas-apps/community-spark-tutorial.md), [Chatwork](../saas-apps/chatwork-tutorial.md), [CloudSign](../saas-apps/cloudsign-tutorial.md), [C3M Cloud Control](../saas-apps/c3m-cloud-control-tutorial.md), [SmartHR](https://smarthr.jp/), [NumlyEngage&trade;](../saas-apps/numlyengage-tutorial.md), [Michigan Data Hub Single Sign-On](../saas-apps/michigan-data-hub-single-sign-on-tutorial.md), [Egress](../saas-apps/egress-tutorial.md), [SendSafely](../saas-apps/sendsafely-tutorial.md), [Eletive](https://app.eletive.com/), [Right-Hand Cybersecurity ADI](https://right-hand.ai/), [Fyde Enterprise Authentication](https://enterprise.fyde.com/), [Verme](../saas-apps/verme-tutorial.md), 
[Lenses.io](../saas-apps/lensesio-tutorial.md), [Momenta](../saas-apps/momenta-tutorial.md), [Uprise](https://app.uprise.co/sign-in), [Q](https://www.moduleq.com/), [CloudCords](../saas-apps/cloudcords-tutorial.md), [TellMe Bot](https://tellme365liteweb.azurewebsites.net/), [Inspire](https://app.inspiresoftware.com/), [Maverics Identity Orchestrator SAML Connector](https://www.strata.io/identity-fabric/), [Smartschool (School Management System)](https://smartschoolz.com/login), [Zepto - Intelligent timekeeping](https://user.zepto-ai.com/signin), [Studi.ly](https://studi.ly/), [Trackplan](http://www.trackplanfm.com/), [Skedda](../saas-apps/skedda-tutorial.md), [WhosOnLocation](../saas-apps/whos-on-location-tutorial.md), [Coggle](../saas-apps/coggle-tutorial.md), [Kemp LoadMaster](https://kemptechnologies.com/cloud-load-balancer/), [BrowserStack Single Sign-on](../saas-apps/browserstack-single-sign-on-tutorial.md)
-
-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest
---
-### View role assignments across all scopes and ability to download them to a csv file
-
-**Type:** Changed feature
-**Service category:** Azure AD roles
-**Product capability:** Access Control
-
-You can now view role assignments across all scopes for a role in the "Roles and administrators" tab in the Azure portal. You can also download those role assignments for each role into a CSV file. For guidance on viewing and adding role assignments, see [View and assign administrator roles in Azure Active Directory](../roles/manage-roles-portal.md).
-
--
-### Azure Active Directory Multi-Factor Authentication Software Development (Azure MFA SDK) Deprecation
-
-**Type:** Deprecated
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-The Azure Active Directory Multi-Factor Authentication Software Development (Azure MFA SDK) reached the end of life on November 14th, 2018, as first announced in November 2017. Microsoft will be shutting down the SDK service effective on September 30th, 2020. Any calls made to the SDK will fail.
-
-If your organization is using the Azure MFA SDK, you need to migrate by September 30th, 2020:
-- Azure MFA SDK for MIM: If you use the SDK with MIM, you should migrate to Azure AD Multi-Factor Authentication (MFA) Server and activate Privileged Access Management (PAM) following these [instructions](/microsoft-identity-manager/working-with-mfaserver-for-mim). -- Azure MFA SDK for customized apps: Consider integrating your app into Azure AD and use Conditional Access to enforce MFA. To get started, review this [page](../manage-apps/plan-an-application-integration.md). ---
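Review bot: the Azure MFA SDK deprecation entry removed here is the only place in these lines that states the September 30th, 2020 shutdown date and the two migration paths (MFA Server with PAM for MIM, Conditional Access for customized apps). Before merging, confirm the entry is carried over to an archive page rather than dropped. If it is moved, split the last removed line back into two list items: "Azure MFA SDK for MIM" and "Azure MFA SDK for customized apps" are fused onto one line together with the trailing separator, so the second migration option is easy to miss.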
-## June 2020
-
-### User risk condition in Conditional Access policy
-
-**Type:** Plan for change
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-
-User risk support in Azure AD Conditional Access policy allows you to create multiple user risk-based policies. Different minimum user risk levels can be required for different users and apps. Based on user risk, you can create policies to block access, require multifactor authentication, secure password change, or redirect to Microsoft Cloud App Security to enforce session policy, such as additional auditing.
-
-The user risk condition requires Azure AD Premium P2 because it uses Azure Identity Protection, which is a P2 offering. for more information about conditional access, refer to [Azure AD Conditional Access documentation](../conditional-access/index.yml).
---
-### SAML SSO now supports apps that require SPNameQualifier to be set when requested
-
-**Type:** Fixed
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-Some SAML applications require SPNameQualifier to be returned in the assertion subject when requested. Now Azure AD responds correctly when a SPNameQualifier is requested in the request NameID policy. This also works for SP initiated sign-in, and IdP initiated sign-in will follow.
---
-### Azure AD B2B Collaboration supports inviting MSA and Google users in Azure Government tenants
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-
-Azure Government tenants using the B2B collaboration features can now invite users that have a Microsoft or Google account. To find out if your tenant can use these capabilities, follow the instructions at [How can I tell if B2B collaboration is available in my Azure US Government tenant?](../external-identities/b2b-government-national-clouds.md#how-can-i-tell-if-b2b-collaboration-is-available-in-my-azure-us-government-tenant).
-
-
-
-
-### User object in MS Graph v1 now includes externalUserState and externalUserStateChangedDateTime properties
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-
-The externalUserState and externalUserStateChangedDateTime properties can be used to find invited B2B guests who have not accepted their invitations yet as well as build automation such as deleting users who haven't accepted their invitations after some number of days. These properties are now available in MS Graph v1. For guidance on using these properties, refer to [User resource type](/graph/api/resources/user).
-
--
-### Manage authentication sessions in Azure AD Conditional Access is now generally available
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-Authentication session management capabilities allow you to configure how often your users need to provide sign-in credentials and whether they need to provide credentials after closing and reopening browsers to offer more security and flexibility in your environment.
-
-Additionally, authentication session management used to only apply to the First Factor Authentication on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices. Now authentication session management will apply to multifactor authentication (MFA) as well. For more information, see [Configure authentication session management with Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md).
---
-### New Federated Apps available in Azure AD Application gallery - June 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In June 2020 we've added the following 29 new applications in our App gallery with Federation support:
-
-[Shopify Plus](../saas-apps/shopify-plus-tutorial.md), [Ekarda](../saas-apps/ekarda-tutorial.md), [MailGates](../saas-apps/mailgates-tutorial.md), [BullseyeTDP](../saas-apps/bullseyetdp-tutorial.md), [Raketa](../saas-apps/raketa-tutorial.md), [Segment](../saas-apps/segment-tutorial.md), [Ai Auditor](https://www.mindbridge.ai/products/ai-auditor/), [Pobuca Connect](https://app.pobu.c), [Smallstep SSH](https://smallstep.com/sso-ssh/)
-
-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.
-For listing your application in the Azure AD app gallery, please read the details here: https://aka.ms/AzureADAppRequest.
---
-### API connectors for External Identities self-service sign-up are now in public preview
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-External Identities API connectors enable you to leverage web APIs to integrate self-service sign-up with external cloud systems. This means you can now invoke web APIs as specific steps in a sign-up flow to trigger cloud-based custom workflows. For example, you can use API connectors to:
--- Integrate with a custom approval workflows.-- Perform identity proofing-- Validate user input data-- Overwrite user attributes-- Run custom business logic-
-For more information about all of the experiences possible with API connectors, see [Use API connectors to customize and extend self-service sign-up](../external-identities/api-connectors-overview.md), or [Customize External Identities self-service sign-up with web API integrations](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/customize-external-identities-self-service-sign-up-with-web-api/ba-p/1257364#.XvNz2fImuQg.linkedin).
-
--
-### Provision on-demand and get users into your apps in seconds
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-The Azure AD provisioning service currently operates on a cyclic basis. The service runs every 40 mins. The [on-demand provisioning capability](https://aka.ms/provisionondemand) allows you to pick a user and provision them in seconds. This capability allows you to quickly troubleshoot provisioning issues, without having to do a restart to force the provisioning cycle to start again.
-
--
-### New permission for using Azure AD entitlement management in Graph
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** Entitlement Management
-
-A new delegated permission EntitlementManagement.Read.All is now available for use with the Entitlement Management API in Microsoft Graph beta. To find out more about the available APIs, see [Working with the Azure AD entitlement management API](/graph/api/resources/entitlementmanagement-overview).
---
-### Identity Protection APIs available in v1.0
-
-**Type:** New feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-The riskyUsers and riskDetections Microsoft Graph APIs are now generally available. Now that they're available at the v1.0 endpoint, we invite you to use them in production. For more information, please check out the [Microsoft Graph docs](/graph/api/resources/identityprotectionroot).
-
--
-### Sensitivity labels to apply policies to Microsoft 365 groups is now generally available
-
-**Type:** New feature
-**Service category:** Group Management
-**Product capability:** Collaboration
-
-
-You can now create sensitivity labels and use the label settings to apply policies to Microsoft 365 groups, including privacy (Public or Private) and external user access policy. You can create a label with the privacy policy to be Private, and external user access policy to not allow to add guest users. When a user applies this label to a group, the group will be private, and no guest users are allowed to be added to the group.
-
-Sensitivity labels are important to protect your business-critical data and enable you to manage groups at scale, in a compliant and secure fashion. For guidance on using sensitivity labels, refer to [Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory (preview)](../enterprise-users/groups-assign-sensitivity-labels.md).
-
--
-### Updates to support for Microsoft Identity Manager for Azure AD Premium customers
-
-**Type:** Changed feature
-**Service category:** Microsoft Identity Manager
-**Product capability:** Identity Lifecycle Management
-
-Azure Support is now available for Azure AD integration components of Microsoft Identity Manager 2016, through the end of Extended Support for Microsoft Identity Manager 2016. Read more at [Support update for Azure AD Premium customers using Microsoft Identity Manager](/microsoft-identity-manager/support-update-for-azure-active-directory-premium-customers).
---
-### The use of group membership conditions in SSO claims configuration is increased
-
-**Type:** Changed feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-Previously, the number of groups you could use when you conditionally change claims based on group membership within any single application configuration was limited to 10. The use of group membership conditions in SSO claims configuration has now increased to a maximum of 50 groups. For more information on how to configure claims, refer to [Enterprise Applications SSO claims configuration](../develop/active-directory-saml-claims-customization.md).
---
-### Enabling basic formatting on the Sign In Page Text component in Company Branding.
-
-**Type:** Changed feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-The Company Branding functionality on the Azure AD/Microsoft 365 login experience has been updated to allow the customer to add hyperlinks and simple formatting, including bold font, underline, and italics. For guidance on using this functionality, see [Add branding to your organization's Azure Active Directory sign-in page](./customize-branding.md).
---
-### Provisioning performance improvements
-
-**Type:** Changed feature
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-The provisioning service has been updated to reduce the time for an [incremental cycle](../app-provisioning/how-provisioning-works.md#incremental-cycles) to complete. This means that users and groups will be provisioned into their applications faster than they were previously. All new provisioning jobs created after 6/10/2020 will automatically benefit from the performance improvements. Any applications configured for provisioning before 6/10/2020 will need to restart once after 6/10/2020 to take advantage of the performance improvements.
---
-### Announcing the deprecation of ADAL and MS Graph Parity
-
-**Type:** Deprecated
-**Service category:** N/A
-**Product capability:** Device Lifecycle Management
-
-Now that Microsoft Authentication Libraries (MSAL) is available, we'll no longer add new features to the Azure Active Directory Authentication Libraries (ADAL) and will end security patches on June 30th, 2022. For more information on how to migrate to MSAL, refer to [Migrate applications to Microsoft Authentication Library (MSAL)](../develop/msal-migration.md).
-
-Additionally, we've finished the work to make all Azure AD Graph functionality available through MS Graph. So, Azure AD Graph APIs will receive only bugfix and security fixes through June 30th, 2022. For more information, see [Update your applications to use Microsoft Authentication Library and Microsoft Graph API](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363)
-
-
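Review bot: in the June 2020 gallery entry the count and the list disagree. The text says "the following 29 new applications" but nine are listed, and the Pobuca Connect link reads https://app.pobu.c, which looks cut off. If this section is being relocated rather than deleted, correct both in the destination. Also split the API connectors list there, since its items are run together on one line ("Integrate with a custom approval workflows.-- Perform identity proofing-- Validate user input data"). The ADAL and Azure AD Graph entry at the end of the section gives June 30th, 2022 as the end of security patches, so that date should remain reachable from wherever the entry lands.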
-## May 2020
-
-### Retirement of properties in signIns, riskyUsers, and riskDetections APIs
-
-**Type:** Plan for change
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-Currently, enumerated types are used to represent the riskType property in both the riskDetections API and riskyUserHistoryItem (in preview). Enumerated types are also used for the riskEventTypes property in the signIns API. Going forward we'll represent these properties as strings.
-
-Customers should transition to the riskEventType property in the beta riskDetections and riskyUserHistoryItem API, and to riskEventTypes_v2 property in the beta signIns API by September 9th, 2020. At that date, we'll be retiring the current riskType and riskEventTypes properties. For more information, refer to [Changes to risk event properties and Identity Protection APIs on Microsoft Graph](https://developer.microsoft.com/graph/blogs/changes-to-risk-event-properties-and-identity-protection-apis-on-microsoft-graph/).
-
-
-
-### Deprecation of riskEventTypes property in signIns v1.0 API on Microsoft Graph
-
-**Type:** Plan for change
-**Service category:** Reporting
-**Product capability:** Identity Security & Protection
-
-Enumerated types will switch to string types when representing risk event properties in Microsoft Graph September 2020. In addition to impacting the preview APIs, this change will also impact the in-production signIns API.
-
-We have introduced a new riskEventsTypes_v2 (string) property to the signIns v1.0 API. We'll retire the current riskEventTypes (enum) property on June 11, 2022 in accordance with our Microsoft Graph deprecation policy. Customers should transition to the riskEventTypes_v2 property in the v1.0 signIns API by June 11, 2022. For more information, see [Deprecation of riskEventTypes property in signIns v1.0 API on Microsoft Graph](https://developer.microsoft.com/graph/blogs/deprecation-of-riskeventtypes-property-in-signins-v1-0-api-on-microsoft-graph//).
-
-
-
-### Upcoming changes to multifactor authentication (MFA) email notifications
-
-**Type:** Plan for change
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-
-We're making the following changes to the email notifications for cloud multifactor authentication (MFA):
-
-E-mail notifications will be sent from the following address: azure-noreply@microsoft.com and msonlineservicesteam@microsoftonline.com. We're updating the content of fraud alert emails to better indicate the required steps to unblock uses.
---
-### New self-service sign up for users in federated domains who can't access Microsoft Teams because they aren't synced to Azure Active Directory.
-
-**Type:** Plan for change
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-
-Currently, users who are in domains federated in Azure AD, but who aren't synced into the tenant, can't access Teams. Starting at the end of June, this new capability will enable them to do so by extending the existing email verified sign-up feature. This will allow users who can sign in to a federated IdP, but who don't yet have a user object in Azure ID, to have a user object created automatically and be authenticated for Teams. Their user object will be marked as "self-service sign-up." This is an extension of the existing capability to do email verified self-sign up that users in managed domains can do and can be controlled using the same flag. This change will complete rolling out during the following two months. Watch for documentation updates [here](../enterprise-users/directory-self-service-signup.md).
-
--
-### Upcoming fix: The OIDC discovery document for the Azure Government cloud is being updated to reference the correct Graph endpoints.
-
-**Type:** Plan for change
-**Service category:** Sovereign Clouds
-**Product capability:** User Authentication
-
-Starting in June, the OIDC discovery document [Microsoft identity platform and OpenID Connect protocol](../develop/v2-protocols-oidc.md) on the [Azure Government cloud](../develop/authentication-national-cloud.md) endpoint (login.microsoftonline.us), will begin to return the correct [National cloud graph](/graph/deployments) endpoint (https://graph.microsoft.us or https://dod-graph.microsoft.us), based on the tenant provided. It currently provides the incorrect Graph endpoint (graph.microsoft.com) "msgraph_host" field.
-
-This bug fix will be rolled out gradually over approximately 2 months.
---
-### Azure Government users will no longer be able to sign in on login.microsoftonline.com
-
-**Type:** Plan for Change
-**Service category:** Sovereign Clouds
-**Product capability:** User Authentication
-
-On 1 June 2018, the official Azure Active Directory (Azure AD) Authority for Azure Government changed from https://login-us.microsoftonline.com to https://login.microsoftonline.us. If you own an application within an Azure Government tenant, you must update your application to sign users in on the.us endpoint.
-
-Starting May 5th, Azure AD will begin enforcing the endpoint change, blocking Azure Government users from signing into apps hosted in Azure Government tenants using the public endpoint (microsoftonline.com). Impacted apps will begin seeing an error AADSTS900439 - USGClientNotSupportedOnPublicEndpoint.
-
-There will be a gradual rollout of this change with enforcement expected to be complete across all apps June 2020. For more details, please see the [Azure Government blog post](https://devblogs.microsoft.com/azuregov/azure-government-aad-authority-endpoint-update/).
---
-### SAML Single Logout request now sends NameID in the correct format
-
-**Type:** Fixed
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-When a user clicks on sign-out (for example, in the MyApps portal), Azure AD sends a SAML Single Logout message to each app that is active in the user session and has a Logout URL configured. These messages contain a NameID in a persistent format.
-
-If the original SAML sign-in token used a different format for NameID (for example, email/UPN), then the SAML app cannot correlate the NameID in the logout message to an existing session (as the NameIDs used in both messages are different), which caused the logout message to be discarded by the SAML app and the user to stay logged in. This fix makes the sign-out message consistent with the NameID configured for the application.
---
-### Hybrid Identity Administrator role is now available with Cloud Provisioning
-
-**Type:** New feature
-**Service category:** Azure AD Cloud Provisioning
-**Product capability:** Identity Lifecycle Management
-
-IT Admins can start using the new "Hybrid Admin" role as the least privileged role for setting up Azure AD Connect Cloud Provisioning. With this new role, you no longer have to use the Global Administrator role to set up and configure Cloud Provisioning. [Learn more](../roles/delegate-by-task.md#connect).
-
--
-### New Federated Apps available in Azure AD Application gallery - May 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In May 2020, we've added the following 36 new applications in our App gallery with Federation support:
-
- [Surveypal](https://www.surveypal.com/app), [Kbot365](https://www.konverso.ai/), [Powell Teams](https://powell-software.com/en/powell-teams-en/), [Talentsoft Assistant](https://msteams.talent-soft.com/), [ASC Recording Insights](https://teams.asc-recording.app/product), [GO1](https://www.go1.com/), [B-Engaged](https://b-engaged.se/), [Competella Contact Center Workgroup](http://www.competella.com/), [Asite](http://www.asite.com/), [ImageSoft Identity](https://identity.imagesoftinc.com/), [My IBISWorld](https://identity.imagesoftinc.com/), [insuite](../saas-apps/insuite-tutorial.md), [Change Process Management](../saas-apps/change-process-management-tutorial.md), [Cyara CX Assurance Platform](../saas-apps/cyara-cx-assurance-platform-tutorial.md), [Smart Global Governance](../saas-apps/smart-global-governance-tutorial.md), [Prezi](../saas-apps/prezi-tutorial.md), [Mapbox](../saas-apps/mapbox-tutorial.md), [Datava Enterprise Service Platform](../saas-apps/datava-enterprise-service-platform-tutorial.md), [Whimsical](../saas-apps/whimsical-tutorial.md), [Trelica](../saas-apps/trelica-tutorial.md), [EasySSO for Confluence](../saas-apps/easysso-for-confluence-tutorial.md), [EasySSO for BitBucket](../saas-apps/easysso-for-bitbucket-tutorial.md), [EasySSO for Bamboo](../saas-apps/easysso-for-bamboo-tutorial.md), [Torii](../saas-apps/torii-tutorial.md), [Axiad Cloud](../saas-apps/axiad-cloud-tutorial.md), [Humanage](../saas-apps/humanage-tutorial.md), [ColorTokens ZTNA](../saas-apps/colortokens-ztna-tutorial.md), [CCH Tagetik](../saas-apps/cch-tagetik-tutorial.md), [ShareVault](../saas-apps/sharevault-tutorial.md), [Vyond](../saas-apps/vyond-tutorial.md), [TextExpander](../saas-apps/textexpander-tutorial.md), [Anyone Home CRM](../saas-apps/anyone-home-crm-tutorial.md), [askSpoke](../saas-apps/askspoke-tutorial.md), [ice Contact Center](../saas-apps/ice-contact-center-tutorial.md)
-
-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.
-
-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest.
---
-### Report-only mode for Conditional Access is now generally available
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. Over the past few months, we've seen strong adoption of report-only modeΓÇöover 26M users are already in scope of a report-only policy. With the announcement today, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the impact of your policies from the moment they're created. And for those of you who use the MS Graph APIs, you can [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy) as well.
---
-### Self-service sign up for guest users
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-With External Identities in Azure AD, you can allow people outside your organization to access your apps and resources while letting them sign in using whatever identity they prefer. When sharing an application with external users, you might not always know in advance who will need access to the application. With [self-service sign-up](../external-identities/self-service-sign-up-overview.md), you can enable guest users to sign up and gain a guest account for your line of business (LOB) apps. The sign-up flow can be created and customized to support Azure AD and social identities. You can also collect additional information about the user during sign-up.
---
- ### Conditional Access Insights and Reporting workbook is generally available
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-The [insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) gives admins a summary view of Azure AD Conditional Access in their tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real time. The workbook streams data stored in Azure Monitor, which you can set up in a few minutes [following these instructions](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). To make the dashboard more discoverable, we've moved it to the new insights and reporting tab within the Azure AD Conditional Access menu.
---
-### Policy details blade for Conditional Access is in public preview
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-The new [policy details blade](../conditional-access/troubleshoot-conditional-access.md) displays the assignments, conditions, and controls satisfied during conditional access policy evaluation. You can access the blade by selecting a row in the Conditional Access or Report-only tabs of the Sign-in details.
---
-### New query capabilities for Directory Objects in Microsoft Graph are in Public Preview
-
-**Type:** New feature
-**Service category:** MS Graph
-**Product capability:** Developer Experience
-
-New capabilities are being introduced for Microsoft Graph Directory Objects APIs, enabling Count, Search, Filter, and Sort operations. This will give developers the ability to quickly query our Directory Objects without workarounds such as in-memory filtering and sorting. Find out more in this [blog post](https://aka.ms/CountFilterMSGraphAAD).
-
-We're currently in Public Preview, looking for feedback. Please send your comments with this [brief survey](https://aka.ms/MsGraphAADSurveyDocs).
---
-### Configure SAML-based single sign-on using Microsoft Graph API (Beta)
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-Support for creating and configuring an application from the Azure AD Gallery using MS Graph APIs in Beta is now available.
-If you need to set up SAML-based single sign-on for multiple instances of an application, save time by using the Microsoft Graph APIs to [automate the configuration of SAML-based single sign-on](/graph/application-saml-sso-configure-api).
-
--
-### New provisioning connectors in the Azure AD Application Gallery - May 2020
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
-
-* [8x8](../saas-apps/8x8-provisioning-tutorial.md)
-* [Juno Journey](../saas-apps/juno-journey-provisioning-tutorial.md)
-* [MediusFlow](../saas-apps/mediusflow-provisioning-tutorial.md)
-* [New Relic by Organization](../saas-apps/new-relic-by-organization-provisioning-tutorial.md)
-* [Oracle Cloud Infrastructure Console](../saas-apps/oracle-cloud-infrastructure-console-provisioning-tutorial.md)
-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
---
-### SAML Token Encryption is Generally Available
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-[SAML token encryption](../manage-apps/howto-saml-token-encryption.md) allows applications to be configured to receive encrypted SAML assertions. The feature is now generally available in all clouds.
-
--
-### Group name claims in application tokens is Generally Available
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-The group claims issued in a token can now be limited to just those groups assigned to the application. This is especially important when users are members of large numbers of groups and there was a risk of exceeding token size limits. With this new capability in place, the ability to [add group names to tokens](../hybrid/how-to-connect-fed-group-claims.md) is generally available.
-
--
-### Workday Writeback now supports setting work phone number attributes
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-We have enhanced the Workday Writeback provisioning app to now support writeback of work phone number and mobile number attributes. In addition to email and username, you can now configure the Workday Writeback provisioning app to flow phone number values from Azure AD to Workday. For more details on how to configure phone number writeback, refer to the [Workday Writeback](../saas-apps/workday-writeback-tutorial.md) app tutorial.
---
-### Publisher Verification (preview)
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** Developer Experience
-
-Publisher verification (preview) helps admins and end users understand the authenticity of application developers integrating with the Microsoft identity platform. For details, refer to [Publisher verification (preview)](../develop/publisher-verification-overview.md).
-
--
-### Authorization Code Flow for Single-page apps
-
-**Type:** Changed feature
-**Service category:** Authentication
-**Product capability:** Developer Experience
-
-Because of modern browser [3rd party cookie restrictions such as Safari ITP](../develop/reference-third-party-cookies-spas.md), SPAs will have to use the authorization code flow rather than the implicit flow to maintain SSO; MSAL.js v 2.x will now support the authorization code flow. There as corresponding updates to the Azure portal so you can update your SPA to be type "spa" and use the auth code flow. For guidance, refer to [Quickstart: Sign in users and get an access token in a JavaScript SPA using the auth code flow](../develop/quickstart-v2-javascript-auth-code.md).
---
-### Improved Filtering for Devices is in Public Preview
-
-**Type:** Changed Feature
-**Service category:** Device Management
-**Product capability:** Device Lifecycle Management
-
-Previously, the only filters you could use were "Enabled" and "Activity date." Now, you can [filter your list of devices on more properties](../devices/device-management-azure-portal.md#view-and-filter-your-devices-preview), including OS type, join type, compliance, and more. These additions should simplify locating a particular device.
---
-### The new App registrations experience for Azure AD B2C is now generally available
-
-**Type:** Changed Feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** Identity Lifecycle Management
-
-The new App registrations experience for Azure AD B2C is now generally available.
-
-Previously, you had to manage your B2C consumer-facing applications separately from the rest of your apps using the legacy 'Applications' experience. That meant different app creation experiences across different places in Azure.
-
-The new experience shows all B2C app registrations and Azure AD app registrations in one place and provides a consistent way to manage them. Whether you need to manage a customer-facing app or an app that has access to Microsoft Graph to programmatically manage Azure AD B2C resources, you only need to learn one way to do things.
-
-You can reach the new experience by navigating the Azure AD B2C service and selecting the App registrations blade. The experience is also accessible from the Azure Active Directory service.
-
-The Azure AD B2C App registrations experience is based on the general [App Registration experience](https://developer.microsoft.com/identity/blogs/new-app-registrations-experience-is-now-generally-available/) for Azure AD tenants but is tailored for Azure AD B2C. The legacy "Applications" experience will be deprecated in the future.
-
-For more information, visit [The New app registration experience for Azure AD B2C](../../active-directory-b2c/app-registrations-training-guide.md).
--
-## April 2020
-
-### Combined security info registration experience is now generally available
-
-**Type:** New feature
-
-**Service category:** Authentications (Logins)
-
-**Product capability:** Identity Security & Protection
-
-The combined registration experience for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) is now generally available. This new registration experience enables users to register for multifactor authentication (MFA) and SSPR in a single, step-by-step process. When you deploy the new experience for your organization, users can register in less time and with fewer hassles. Check out the blog post [here](https://bit.ly/3etiRyQ).
---
-### Continuous Access Evaluation
-
-**Type:** New feature
-
-**Service category:** Authentications (Logins)
-
-**Product capability:** Identity Security & Protection
-
-Continuous Access Evaluation is a new security feature that enables near real-time enforcement of policies on relying parties consuming Azure AD Access Tokens when events happen in Azure AD (such as user account deletion). We're rolling this feature out first for Teams and Outlook clients. For more details, please read our [blog](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/moving-towards-real-time-policy-and-security-enforcement/ba-p/1276933) and [documentation](../conditional-access/concept-continuous-access-evaluation.md).
---
-### SMS Sign-in: Firstline Workers can sign in to Azure AD-backed applications with their phone number and no password
-
-**Type:** New feature
-
-**Service category:** Authentications (Logins)
-
-**Product capability:** User Authentication
-
-Office is launching a series of mobile-first business apps that cater to non-traditional organizations, and to employees in large organizations that don't use email as their primary communication method. These apps target frontline employees, deskless workers, field agents, or retail employees that may not get an email address from their employer, have access to a computer, or to IT. This project will let these employees sign in to business applications by entering a phone number and roundtripping a code. For more details, please see our [admin documentation](../authentication/howto-authentication-sms-signin.md) and [end user documentation](https://support.microsoft.com/account-billing/set-up-sms-sign-in-as-a-phone-verification-method-0aa5b3b3-a716-4ff2-b0d6-31d2bcfbac42).
---
-### Invite internal users to use B2B collaboration
-
-**Type:** New feature
-
-**Service category:** B2B
-
-**Product capability:**
-
-We're expanding B2B invitation capability to allow existing internal accounts to be invited to use B2B collaboration credentials going forward. This is done by passing the user object to the Invite API in addition to typical parameters like the invited email address. The user's object ID, UPN, group membership, app assignment, etc. remain intact, but going forward they'll use B2B to authenticate with their home tenant credentials rather than the internal credentials they used before the invitation. For details, see the [documentation](../external-identities/invite-internal-users.md).
---
-### Report-only mode for Conditional Access is now generally available
-
-**Type:** New feature
-
-**Service category:** Conditional Access
-
-**Product capability:** Identity Security & Protection
-
-[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. Over the past few months, we've seen strong adoption of report-only mode, with over 26M users already in scope of a report-only policy. With this announcement, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the impact of your policies from the moment they're created. And for those of you who use the MS Graph APIs, you can also [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy).
---
-### Conditional Access insights and reporting workbook is generally available
-
-**Type:** New feature
-
-**Service category:** Conditional Access
-
-**Product capability:** Identity Security & Protection
-
-The Conditional Access [insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) gives admins a summary view of Azure AD Conditional Access in their tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real time. The workbook streams data stored in Azure Monitor, which you can set up in a few minutes [following these instructions](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). To make the dashboard more discoverable, we've moved it to the new insights and reporting tab within the Azure AD Conditional Access menu.
---
-### Policy details blade for Conditional Access is in public preview
-
-**Type:** New feature
-
-**Service category:** Conditional Access
-
-**Product capability:** Identity Security & Protection
-
-The new [policy details blade](../conditional-access/troubleshoot-conditional-access.md) displays which assignments, conditions, and controls were satisfied during conditional access policy evaluation. You can access the blade by selecting a row in the **Conditional Access** or **Report-only** tabs of the Sign-in details.
---
-### New Federated Apps available in Azure AD App gallery - April 2020
-
-**Type:** New feature
-
-**Service category:** Enterprise Apps
-
-**Product capability:** 3rd Party Integration
-
-In April 2020, we've added these 31 new apps with Federation support to the app gallery:
-
-[SincroPool Apps](https://www.sincropool.com/), [SmartDB](https://hibiki.dreamarts.co.jp/smartdb/trial/), [Float](../saas-apps/float-tutorial.md), [LMS365](https://lms.365.systems/), [IWT Procurement Suite](../saas-apps/iwt-procurement-suite-tutorial.md), [Lunni](https://lunni.fi/), [EasySSO for Jira](../saas-apps/easysso-for-jira-tutorial.md), [Virtual Training Academy](https://vta.c3p.c)
-
-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### Microsoft Graph delta query support for oAuth2PermissionGrant available for Public Preview
-
-**Type:** New feature
-
-**Service category:** MS Graph
-
-**Product capability:** Developer Experience
-
-Delta query for oAuth2PermissionGrant is available for public preview! You can now track changes without having to continuously poll Microsoft Graph. [Learn more.](/graph/api/oAuth2PermissionGrant-delta?tabs=http&view=graph-rest-beta&preserve-view=true)
---
-### Microsoft Graph delta query support for organizational contact generally available
-
-**Type:** New feature
-
-**Service category:** MS Graph
-
-**Product capability:** Developer Experience
-
-Delta query for organizational contacts is generally available! You can now track changes in production apps without having to continuously poll Microsoft Graph. Replace any existing code that continuously polls orgContact data by delta query to significantly improve performance. [Learn more.](/graph/api/orgcontact-delta?tabs=http)
---
-### Microsoft Graph delta query support for application generally available
-
-**Type:** New feature
-
-**Service category:** MS Graph
-
-**Product capability:** Developer Experience
-
-Delta query for applications is generally available! You can now track changes in production apps without having to continuously poll Microsoft Graph. Replace any existing code that continuously polls application data by delta query to significantly improve performance. [Learn more.](/graph/api/application-delta)
---
-### Microsoft Graph delta query support for administrative units available for Public Preview
-
-**Type:** New feature
-
-**Service category:** MS Graph
-
-**Product capability:** Developer Experience
-Delta query for administrative units is available for public preview! You can now track changes without having to continuously poll Microsoft Graph. [Learn more.](/graph/api/administrativeunit-delta?tabs=http&view=graph-rest-beta&preserve-view=true)
---
-### Manage authentication phone numbers and more in new Microsoft Graph beta APIs
-
-**Type:** New feature
-
-**Service category:** MS Graph
-
-**Product capability:** Developer Experience
-
-These APIs are a key tool for managing your users' authentication methods. Now you can programmatically pre-register and manage the authenticators used for multifactor authentication (MFA) and self-service password reset (SSPR). This has been one of the most-requested features in the Azure AD Multi-Factor Authentication (MFA), SSPR, and Microsoft Graph spaces. The new APIs we've released in this wave give you the ability to:
--- Read, add, update, and remove a user's authentication phones-- Reset a user's password-- Turn on and off SMS-sign-in-
-For more information, see [Azure AD authentication methods API overview](/graph/api/resources/authenticationmethods-overview).
---
-### Administrative Units Public Preview
-
-**Type:** New feature
-
-**Service category:** Azure AD roles
-
-**Product capability:** Access Control
-
-Administrative units allow you to grant admin permissions that are restricted to a department, region, or other segment of your organization that you define. You can use administrative units to delegate permissions to regional administrators or to set policy at a granular level. For example, a User account admin could update profile information, reset passwords, and assign licenses for users only in their administrative unit.
-
-Using administrative units, a central administrator could:
--- Create an administrative unit for decentralized management of resources-- Assign a role with administrative permissions over only Azure AD users in an administrative unit-- Populate the administrative units with users and groups as needed-
-For more information, see [Administrative units management in Azure Active Directory (preview)](../roles/administrative-units.md).
---
-### Printer Administrator and Printer Technician built-in roles
-
-**Type:** New feature
-
-**Service category:** Azure AD roles
-
-**Product capability:** Access Control
-
-**Printer Administrator**: Users with this role can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer Administrators also have access to print reports.
-
-**Printer Technician**: Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. Key tasks a Printer Technician can't do are set user permissions on printers and sharing printers. [Learn more.](../roles/permissions-reference.md#printer-administrator)
---
-### Hybrid Identity Admin built-in role
-
-**Type:** New feature
-
-**Service category:** Azure AD roles
-
-**Product capability:** Access Control
-
-Users in this role can enable, configure and manage services and settings related to enabling hybrid identity in Azure AD. This role grants the ability to configure Azure AD to one of the three supported authentication methods&#8212;Password hash synchronization (PHS), Pass-through authentication (PTA) or Federation (AD FS or 3rd party federation provider)&#8212;and to deploy related on-premises infrastructure to enable them. On-premises infrastructure includes Provisioning and PTA agents. This role grants the ability to enable seamless single sign-on (S-SSO) to enable seamless authentication on non-Windows 10 devices or non-Windows Server 2016 computers. In addition, this role grants the ability to see sign-in logs and to access health and analytics for monitoring and troubleshooting purposes. [Learn more.](../roles/permissions-reference.md#hybrid-identity-administrator)
---
-### Network Administrator built-in role
-
-**Type:** New feature
-
-**Service category:** Azure AD roles
-
-**Product capability:** Access Control
-
-Users with this role can review network perimeter architecture recommendations from Microsoft that are based on network telemetry from their user locations. Network performance for Microsoft 365 relies on careful enterprise customer network perimeter architecture, which is generally user location-specific. This role allows for editing of discovered user locations and configuration of network parameters for those locations to facilitate improved telemetry measurements and design recommendations. [Learn more.](../roles/permissions-reference.md#network-administrator)
---
-### Bulk activity and downloads in the Azure portal experience
-
-**Type:** New feature
-
-**Service category:** User Management
-
-**Product capability:** Directory
-
-Now you can perform bulk activities on users and groups in Azure AD by uploading a CSV file in the Azure portal experience. You can create users, delete users, and invite guest users. And you can add and remove members from a group.
-
-You can also download lists of Azure AD resources from the Azure portal experience. You can download the list of users in the directory, the list of groups in the directory, and the members of a particular group.
-
-For more information, check out the following:
--- [Create users](../enterprise-users/users-bulk-add.md) or [invite guest users](../external-identities/tutorial-bulk-invite.md)-- [Delete users](../enterprise-users/users-bulk-delete.md) or [restore deleted users](../enterprise-users/users-bulk-restore.md)-- [Download list of users](../enterprise-users/users-bulk-download.md) or [Download list of groups](../enterprise-users/groups-bulk-download.md)-- [Add (import) members](../enterprise-users/groups-bulk-import-members.md) or [remove members](../enterprise-users/groups-bulk-remove-members.md) or [Download list of members](../enterprise-users/groups-bulk-download-members.md) for a group---
-### My Staff delegated user management
-
-**Type:** New feature
-
-**Service category:** User Management
-
-**Product capability:**
-
-My Staff enables Firstline Managers, such as a store manager, to ensure that their staff members are able to access their Azure AD accounts. Instead of relying on a central helpdesk, organizations can delegate common tasks, such as resetting passwords or changing phone numbers, to a Firstline Manager. With My Staff, a user who can't access their account can re-gain access in just a couple of selections, with no helpdesk or IT staff required. For more information, see the [Manage your users with My Staff (preview)](../roles/my-staff-configure.md) and [Delegate user management with My Staff (preview)](https://support.microsoft.com/account-billing/manage-front-line-users-with-my-staff-c65b9673-7e1c-4ad6-812b-1a31ce4460bd).
---
-### An upgraded end user experience in access reviews
-
-**Type:** Changed feature
-
-**Service category:** Access Reviews
-
-**Product capability:** Identity Governance
-
-We have updated the reviewer experience for Azure AD access reviews in the My Apps portal. At the end of April, your reviewers who are logged in to the Azure AD access reviews reviewer experience will see a banner that will allow them to try the updated experience in My Access. Note that the updated Access reviews experience offers the same functionality as the current experience, but with an improved user interface on top of new capabilities to enable your users to be productive. [You can learn more about the updated experience here](../governance/perform-access-review.md). This public preview will last until the end of July 2020. At the end of July, reviewers who haven't opted into the preview experience will be automatically directed to My Access to perform access reviews. If you wish to have your reviewers permanently switched over to the preview experience in My Access now, [please make a request here](https://forms.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5dv-S62099HtxdeKIcgO-NUOFJaRDFDWUpHRk8zQ1BWVU1MMTcyQ1FFUi4u).
---
-### Workday inbound user provisioning and writeback apps now support the latest versions of Workday Web Services API
-
-**Type:** Changed feature
-
-**Service category:** App Provisioning
-
-**Product capability:**
-
-Based on customer feedback, we've now updated the Workday inbound user provisioning and writeback apps in the enterprise app gallery to support the latest versions of the Workday Web Services (WWS) API. With this change, customers can specify the WWS API version that they would like to use in the connection string. This gives customers the ability to retrieve more HR attributes available in the releases of Workday. The Workday Writeback app now uses the recommended Change_Work_Contact_Info Workday web service to overcome the limitations of Maintain_Contact_Info.
-
-If no version is specified in the connection string, by default, the Workday inbound provisioning apps will continue to use WWS v21.1 To switch to the latest Workday APIs for inbound user provisioning, customers need to update the connection string as documented [in the tutorial](../saas-apps/workday-inbound-tutorial.md#which-workday-apis-does-the-solution-use-to-query-and-update-workday-worker-profiles) and also update the XPATHs used for Workday attributes as documented in the [Workday attribute reference guide](../app-provisioning/workday-attribute-reference.md#xpath-values-for-workday-web-services-wws-api-v30).
-
-To use the new API for writeback, there are no changes required in the Workday Writeback provisioning app. On the Workday side, ensure that the Workday Integration System User (ISU) account has permissions to invoke the Change_Work_Contact business process as documented in the tutorial section, [Configure business process security policy permissions](../saas-apps/workday-inbound-tutorial.md#configuring-business-process-security-policy-permissions).
-
-We have updated our [tutorial guide](../saas-apps/workday-inbound-tutorial.md) to reflect the new API version support.
---
-### Users with default access role are now in scope for provisioning
-
-**Type:** Changed feature
-
-**Service category:** App Provisioning
-
-**Product capability:** Identity Lifecycle Management
-
-Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. As of April 16, 2020, all new provisioning configurations allow users with the default access role to be provisioned. Gradually we'll change the behavior for existing provisioning configurations to support provisioning users with this role. [Learn more.](../app-provisioning/application-provisioning-config-problem-no-users-provisioned.md)
---
-### Updated provisioning UI
-
-**Type:** Changed feature
-
-**Service category:** App Provisioning
-
-**Product capability:** Identity Lifecycle Management
-
-We've refreshed our provisioning experience to create a more focused management view. When you navigate to the provisioning blade for an enterprise application that has already been configured, you'll be able to easily monitor the progress of provisioning and manage actions such as starting, stopping, and restarting provisioning. [Learn more.](../app-provisioning/configure-automatic-user-provisioning-portal.md)
---
-### Dynamic Group rule validation is now available for Public Preview
-
-**Type:** Changed feature
-
-**Service category:** Group Management
-
-**Product capability:** Collaboration
-
-Azure Active Directory (Azure AD) now provides the means to validate dynamic group rules. On the **Validate rules** tab, you can validate your dynamic rule against sample group members to confirm the rule is working as expected. When creating or updating dynamic group rules, administrators want to know whether a user or a device will be a member of the group. This helps evaluate whether a user or device meets the rule criteria and aids in troubleshooting when membership is not expected.
-
-For more information, see [Validate a dynamic group membership rule (preview)](../enterprise-users/groups-dynamic-rule-validation.md).
---
-### Identity Secure Score - Security Defaults and multifactor authentication (MFA) improvement action updates
-
-**Type:** Changed feature
-
-**Service category:** N/A
-
-**Product capability:** Identity Security & Protection
-
-**Supporting security defaults for Azure AD improvement actions:** Microsoft Secure Score will be updating improvement actions to support [security defaults in Azure AD](./concept-fundamentals-security-defaults.md), which make it easier to help protect your organization with pre-configured security settings for common attacks. This will affect the following improvement actions:
--- Ensure all users can complete multifactor authentication for secure access-- Require multi-factor authentication (MFA) for administrative roles-- Enable policy to block legacy authentication
-
-**Multifactor authentication (MFA) improvement action updates:** To reflect the need for businesses to ensure the upmost security while applying policies that work with their business, Microsoft Secure Score has removed three improvement actions centered around multifactor authentication and added two.
-
-Removed improvement actions:
--- Register all users for multifactor authentication-- Require multifactor authentication (MFA) for all users-- Require multifactor authentication (MFA) for Azure AD privileged roles-
-Added improvement actions:
--- Ensure all users can complete multifactor authentication for secure access-- Require multifactor authentication (MFA) for administrative roles-
-These new improvement actions require registering your users or admins for multifactor authentication (MFA) across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. That can take the form of having multiple policies that apply scoped decisions, or setting security defaults (as of March 16th) that let Microsoft decide when to challenge users for multifactor authentication (MFA). [Read more about what's new in Microsoft Secure Score](/microsoft-365/security/mtp/microsoft-secure-score#whats-new).
---
-## March 2020
-
-### Unmanaged Azure Active Directory accounts in B2B update for March 2021
-
-**Type:** Plan for change
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-**Beginning on March 31, 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure Active Directory (Azure AD) accounts and tenants for B2B collaboration scenarios. In preparation for this, we encourage you to opt in to [email one-time passcode authentication](../external-identities/one-time-passcode.md).
---
-### Users with the default access role will be in scope for provisioning
-
-**Type:** Plan for change
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. We're working on deploying a change so that all new provisioning configurations will allow users with the default access role to be provisioned. Gradually, we'll change the behavior for existing provisioning configurations to support provisioning users with this role. No customer action is required. We'll post an update to our [documentation](../app-provisioning/application-provisioning-config-problem-no-users-provisioned.md) once this change is in place.
---
-### Azure AD B2B collaboration will be available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet) tenants
-
-**Type:** Plan for change
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-The Azure AD B2B collaboration capabilities will be made available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet) tenants, enabling users in an Azure China 21Vianet tenant to collaborate seamlessly with users in other Azure China 21Vianet tenants. [Learn more about Azure AD B2B collaboration](/azure/active-directory/b2b/).
--
-
-### Azure AD B2B Collaboration invitation email redesign
-
-**Type:** Plan for change
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-The [emails](../external-identities/invitation-email-elements.md) that are sent by the Azure AD B2B collaboration invitation service to invite users to the directory will be redesigned to make the invitation information and the user's next steps clearer.
---
-### HomeRealmDiscovery policy changes will appear in the audit logs
-
-**Type:** Fixed
-**Service category:** Audit
-**Product capability:** Monitoring & Reporting
-
-We fixed a bug where changes to the [HomeRealmDiscovery policy](../manage-apps/configure-authentication-for-federated-users-portal.md) weren't included in the audit logs. You'll now be able to see when and how the policy was changed, and by whom.
---
-### New Federated Apps available in Azure AD App gallery - March 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In March 2020, we've added these 51 new apps with Federation support to the app gallery:
-
-[Cisco AnyConnect](../saas-apps/cisco-anyconnect.md), [Zoho One China](../saas-apps/zoho-one-china-tutorial.md), [PlusPlus](https://test.plusplus.app/auth/login/azuread-outlook/), [Profit.co SAML App](../saas-apps/profitco-saml-app-tutorial.md), [iPoint Service Provider](../saas-apps/ipoint-service-provider-tutorial.md), [contexxt.ai SPHERE](https://contexxt-sphere.com/login), [Wisdom By Invictus](../saas-apps/wisdom-by-invictus-tutorial.md), [Flare Digital Signage](https://pixelnebula.com/), [Logz.io - Cloud Observability for Engineers](../saas-apps/logzio-cloud-observability-for-engineers-tutorial.md), [SpectrumU](../saas-apps/spectrumu-tutorial.md), [BizzContact](https://www.bizzcontact.app/), [Elqano SSO](../saas-apps/elqano-sso-tutorial.md), [MarketSignShare](http://www.signshare.com/), [CrossKnowledge Learning Suite](../saas-apps/crossknowledge-learning-suite-tutorial.md), [Netvision Compas](../saas-apps/netvision-compas-tutorial.md), [FCM HUB](../saas-apps/fcm-hub-tutorial.md), [RIB )
-
-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### Azure AD B2B Collaboration available in Azure Government tenants
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-The Azure AD B2B collaboration features are now available between some Azure Government tenants. To find out if your tenant is able to use these capabilities, follow the instructions at [How can I tell if B2B collaboration is available in my Azure US Government tenant?](../external-identities/b2b-government-national-clouds.md#how-can-i-tell-if-b2b-collaboration-is-available-in-my-azure-us-government-tenant).
---
-### Azure Monitor integration for Azure Logs is now available in Azure Government
-
-**Type:** New feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-Azure Monitor integration with Azure AD logs is now available in Azure Government. You can route Azure AD Logs (Audit and Sign-in Logs) to a storage account, event hub and Log Analytics. Please check out the [detailed documentation](../reports-monitoring/concept-activity-logs-azure-monitor.md) as well as [deployment plans for reporting and monitoring](../reports-monitoring/plan-monitoring-and-reporting.md) for Azure AD scenarios.
---
-### Identity Protection Refresh in Azure Government
-
-**Type:** New feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-We're excited to share that we've now rolled out the refreshed [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) experience in the [Microsoft Azure Government portal](https://portal.azure.us/). For more information, see our [announcement blog post](https://techcommunity.microsoft.com/t5/public-sector-blog/identity-protection-refresh-in-microsoft-azure-government/ba-p/1223667).
---
-### Disaster recovery: Download and store your provisioning configuration
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-The Azure AD provisioning service provides a rich set of configuration capabilities. Customers need to be able to save their configuration so that they can refer to it later or roll back to a known good version. We've added the ability to download your provisioning configuration as a JSON file and upload it when you need it. [Learn more](../app-provisioning/export-import-provisioning-configuration.md).
--
-
-### SSPR (self-service password reset) now requires two gates for admins in Microsoft Azure operated by 21Vianet (Azure China 21Vianet)
-
-**Type:** Changed feature
-**Service category:** Self-Service Password Reset
-**Product capability:** Identity Security & Protection
-
-Previously in Microsoft Azure operated by 21Vianet (Azure China 21Vianet), admins using self-service password reset (SSPR) to reset their own passwords needed only one "gate" (challenge) to prove their identity. In public and other national clouds, admins generally must use two gates to prove their identity when using SSPR. But because we didn't support SMS or phone calls in Azure China 21Vianet, we allowed one-gate password reset by admins.
-
-We're creating SSPR feature parity between Azure China 21Vianet and the public cloud. Going forward, admins must use two gates when using SSPR. SMS, phone calls, and Authenticator app notifications and codes will be supported. [Learn more](../authentication/concept-sspr-policy.md#administrator-reset-policy-differences).
---
-### Password length is limited to 256 characters
-
-**Type:** Changed feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-To ensure the reliability of the Azure AD service, user passwords are now limited in length to 256 characters. Users with passwords longer than this will be asked to change their password on subsequent login, either by contacting their admin or by using the self-service password reset feature.
-
-This change was enabled on March 13th, 2020, at 10AM PST (18:00 UTC), and the error is AADSTS 50052, InvalidPasswordExceedsMaxLength. See the [breaking change notice](../develop/reference-breaking-changes.md#user-passwords-will-be-restricted-to-256-characters) for more details.
---
-### Azure AD sign-in logs are now available for all free tenants through the Azure portal
-
-**Type:** Changed feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-Starting now, customers who have free tenants can access the [Azure AD sign-in logs from the Azure portal](../reports-monitoring/concept-sign-ins.md) for up to 7 days. Previously, sign-in logs were available only for customers with Azure Active Directory Premium licenses. With this change, all tenants can access these logs through the portal.
-
-> [!NOTE]
-> Customers still need a premium license (Azure Active Directory Premium P1 or P2) to access the sign-in logs through Microsoft Graph API and Azure Monitor.
---
-### Deprecation of Directory-wide groups option from Groups General Settings on Azure portal
-
-**Type:** Deprecated
-**Service category:** Group Management
-**Product capability:** Collaboration
-
-To provide a more flexible way for customers to create directory-wide groups that best meet their needs, we've replaced the **Directory-wide Groups** option from the **Groups** > **General** settings in the Azure portal with a link to [dynamic group documentation](../enterprise-users/groups-dynamic-membership.md). We've improved our documentation to include more instructions so administrators can create all-user groups that include or exclude guest users.
---
-## February 2020
-
-### Upcoming changes to custom controls
-
-**Type:** Plan for change
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-We're planning to replace the current custom controls preview with an approach that allows partner-provided authentication capabilities to work seamlessly with the Azure Active Directory administrator and end user experiences. Today, partner multifactor authentication (MFA) solutions face the following limitations: they work only after a password has been entered; they don't serve as multifactor authentication (MFA) for step-up authentication in other key scenarios; and they don't integrate with end user or administrative credential management functions. The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios, including registration, usage, multifactor authentication (MFA) claims, step up authentication, reporting, and logging.
-
-Custom controls will continue to be supported in preview alongside the new design until it reaches general availability. At that point, we'll give customers time to migrate to the new design. Because of the limitations of the current approach, we won't onboard new providers until the new design is available. We're working closely with customers and providers and will communicate the timeline as we get closer. [Learn more](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/upcoming-changes-to-custom-controls/ba-p/1144696#).
---
-### Identity Secure Score - multifactor authentication (MFA) improvement action updates
-
-**Type:** Plan for change
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-To reflect the need for businesses to ensure the upmost security while applying policies that work with their business, Microsoft Secure Score is removing three improvement actions centered around multifactor authentication (MFA), and adding two.
-
-The following improvement actions will be removed:
--- Register all users for multifactor authentication (MFA)-- Require multifactor authentication (MFA) for all users-- Require multifactor authentication (MFA) for Azure AD privileged roles-
-The following improvement actions will be added:
--- Ensure all users can complete multifactor authentication (MFA) for secure access-- Require multifactor authentication (MFA) for administrative roles-
-These new improvement actions will require registering your users or admins for multifactor authentication (MFA) across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. This can take the form of setting security defaults that let Microsoft decide when to challenge users for multifactor authentication (MFA), or having multiple policies that apply scoped decisions. As part of these improvement action updates, Baseline protection policies will no longer be included in scoring calculations. [Read more about what's coming in Microsoft Secure Score](/microsoft-365/security/mtp/microsoft-secure-score-whats-coming).
---
-### Azure AD Domain Services SKU selection
-
-**Type:** New feature
-**Service category:** Azure AD Domain Services
-**Product capability:** Azure AD Domain Services
-
-We've heard feedback that Azure AD Domain Services customers want more flexibility in selecting performance levels for their instances. Starting on February 1, 2020, we switched from a dynamic model (where Azure AD determines the performance and pricing tier based on object count) to a self-selection model. Now customers can choose a performance tier that matches their environment. This change also allows us to enable new scenarios like Resource Forests, and Premium features like daily backups. The object count is now unlimited for all SKUs, but we'll continue to offer object count suggestions for each tier.
-
-**No immediate customer action is required.** For existing customers, the dynamic tier that was in use on February 1, 2020, determines the new default tier. There is no pricing or performance impact as the result of this change. Going forward, Azure AD DS customers will need to evaluate performance requirements as their directory size and workload characteristics change. Switching between service tiers will continue to be a no-downtime operation, and we'll no longer automatically move customers to new tiers based on the growth of their directory. Furthermore, there will be no price increases, and new pricing will align with our current billing model. For more information, see the [Azure AD DS SKUs documentation](../../active-directory-domain-services/administration-concepts.md#azure-ad-ds-skus) and the [Azure AD Domain Services pricing page](https://azure.microsoft.com/pricing/details/active-directory-ds/).
--
-
-### New Federated Apps available in Azure AD App gallery - February 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In February 2020, we've added these 31 new apps with Federation support to the app gallery:
-
-[IamIP Patent Platform](../saas-apps/iamip-patent-platform-tutorial.md),
- [Experience Cloud](../saas-apps/experience-cloud-tutorial.md),
- [NS1 SSO For Azure](../saas-apps/ns1-sso-azure-tutorial.md),
- [Barracuda Email Security Service](https://ess.barracudanetworks.com/sso/azure),
- [ABa Reporting](https://myaba.co.uk/client-access/signin/auth/msad),
- [In Case of Crisis - Online Portal](../saas-apps/in-case-of-crisis-online-portal-tutorial.md),
- [BIC Cloud Design](../saas-apps/bic-cloud-design-tutorial.md),
- [Beekeeper Azure AD Data Connector](../saas-apps/beekeeper-azure-ad-data-connector-tutorial.md),
- [Korn Ferry Assessments](https://www.kornferry.com/solutions/kf-digital/kf-assess),
- [Verkada Command](../saas-apps/verkada-command-tutorial.md),
- [Splashtop](../saas-apps/splashtop-tutorial.md),
- [Syxsense](../saas-apps/syxsense-tutorial.md),
- [EAB Navigate](../saas-apps/eab-navigate-tutorial.md),
- [New Relic (Limited Release)](../saas-apps/new-relic-limited-release-tutorial.md),
- [Thulium](https://admin.thulium.com/login/instance),
- [Ticket Manager](../saas-apps/ticketmanager-tutorial.md),
- [Template Chooser for Teams](https://links.officeatwork.com/templatechooser-download-teams),
- [Beesy](https://www.beesy.me/index.php/site/login),
- [Health Support System](../saas-apps/health-support-system-tutorial.md),
- [MURAL](https://app.mural.co/signup),
- [Hive](../saas-apps/hive-tutorial.md),
- [LavaDo](https://appsource.microsoft.com/product/web-apps/lavaloon.lavado_standard?tab=Overview),
- [Wakelet](https://wakelet.com/login),
- [Firmex VDR](../saas-apps/firmex-vdr-tutorial.md),
- [ThingLink for Teachers and Schools](https://www.thinglink.com/),
- [Coda](../saas-apps/coda-tutorial.md),
- [NearpodApp](https://nearpod.com/signup/?oc=Microsoft&utm_campaign=Microsoft&utm_medium=site&utm_source=product),
- [WEDO](../saas-apps/wedo-tutorial.md),
- [InvitePeople](https://invitepeople.com/login),
- [Reprints Desk - Article Galaxy](../saas-apps/reprints-desk-article-galaxy-tutorial.md),
- [TeamViewer](../saas-apps/teamviewer-tutorial.md)
-
-
-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
--
-
-### New provisioning connectors in the Azure AD Application Gallery - February 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Mixpanel](../saas-apps/mixpanel-provisioning-tutorial.md)-- [TeamViewer](../saas-apps/teamviewer-provisioning-tutorial.md)-- [Azure Databricks](/azure/databricks/administration-guide/users-groups/scim/aad)-- [PureCloud by Genesys](../saas-apps/purecloud-by-genesys-provisioning-tutorial.md)-- [Zapier](../saas-apps/zapier-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
--
-
-### Azure AD support for FIDO2 security keys in hybrid environments
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-We're announcing the public preview of Azure AD support for FIDO2 security keys in Hybrid environments. Users can now use FIDO2 security keys to sign in to their Hybrid Azure AD joined Windows 10 devices and get seamless sign-on to their on-premises and cloud resources. Support for Hybrid environments has been the top most-requested feature from our passwordless customers since we initially launched the public preview for FIDO2 support in Azure AD joined devices. Passwordless authentication using advanced technologies like biometrics and public/private key cryptography provide convenience and ease-of-use while being secure. With this public preview, you can now use modern authentication like FIDO2 security keys to access traditional Active Directory resources. For more information, go to [SSO to on-premises resources](../authentication/howto-authentication-passwordless-security-key-on-premises.md).
-
-To get started, visit [enable FIDO2 security keys for your tenant](../authentication/howto-authentication-passwordless-security-key.md) for step-by-step instructions.
--
-
-### The new My Account experience is now generally available
-
-**Type:** Changed feature
-**Service category:** My Profile/Account
-**Product capability:** End User Experiences
-
-My Account, the one stop shop for all end-user account management needs, is now generally available! End users can access this new site via URL, or in the header of the new My Apps experience. Learn more about all the self-service capabilities the new experience offers at [My Account Portal Overview](https://support.microsoft.com/account-billing/my-account-portal-for-work-or-school-accounts-eab41bfe-3b9e-441e-82be-1f6e568d65fd).
--
-
-### My Account site URL updating to myaccount.microsoft.com
-
-**Type:** Changed feature
-**Service category:** My Profile/Account
-**Product capability:** End User Experiences
-
-The new My Account end user experience will be updating its URL to `https://myaccount.microsoft.com` in the next month. Find more information about the experience and all the account self-service capabilities it offers to end users at [My Account portal help](https://support.microsoft.com/account-billing/my-account-portal-for-work-or-school-accounts-eab41bfe-3b9e-441e-82be-1f6e568d65fd).
---
-## January 2020
-
-### The new My Apps portal is now generally available
-
-**Type:** Plan for change
-**Service category:** My Apps
-**Product capability:** End User Experiences
-
-Upgrade your organization to the new My Apps portal that is now generally available! Find more information on the new portal and collections at [Create collections on the My Apps portal](../manage-apps/access-panel-collections.md).
--
-
-### Workspaces in Azure AD have been renamed to collections
-
-**Type:** Changed feature
-**Service category:** My Apps
-**Product capability:** End User Experiences
-
-Workspaces, the filters admins can configure to organize their users' apps, will now be referred to as collections. Find more info on how to configure them at [Create collections on the My Apps portal](../manage-apps/access-panel-collections.md).
--
-
-### Azure AD B2C Phone sign-up and sign-in using custom policy (Public Preview)
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-With phone number sign-up and sign-in, developers and enterprises can allow their customers to sign up and sign in using a one-time password sent to the user's phone number via SMS. This feature also lets the customer change their phone number if they lose access to their phone. With the power of custom policies and phone sign-up and sign-in, allows developers and enterprises to communicate their brand through page customization. Find out how to [set up phone sign-up and sign-in with custom policies in Azure AD B2C](../../active-directory-b2c/phone-authentication-user-flows.md).
-
-
-
-### New provisioning connectors in the Azure AD Application Gallery - January 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Promapp](../saas-apps/promapp-provisioning-tutorial.md)-- [Zscaler Private Access](../saas-apps/zscaler-private-access-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
--
-
-### New Federated Apps available in Azure AD App gallery - January 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In January 2020, we've added these 33 new apps with Federation support to the app gallery:
-
-[JOSA](../saas-apps/josa-tutorial.md), [Fastly Edge Cloud](../saas-apps/fastly-edge-cloud-tutorial.md), [Terraform Enterprise](../saas-apps/terraform-enterprise-tutorial.md), [Spintr SSO](../saas-apps/spintr-sso-tutorial.md), [Abibot Netlogistik](https://azuremarketplace.microsoft.com/marketplace/apps/aad.abibotnetlogistik), [SkyKick](https://login.skykick.com/login?state=g6Fo2SBTd3M5Q0xBT0JMd3luS2JUTGlYN3pYTE1remJQZnR1c6N0aWTZIDhCSkwzYVQxX2ZMZjNUaWxNUHhCSXg2OHJzbllTcmYto2NpZNkgM0h6czk3ZlF6aFNJV1VNVWQzMmpHeFFDbDRIMkx5VEc&client=3Hzs97fQzhSIWUMUd32jGxQCl4H2LyTG&protocol=oauth2&audience=https://papi.skykick.com&response_type=code&redirect_uri=https://portal.skykick.com/callback&scope=openid%20profile%20offline_access), [Upshotly](../saas-apps/upshotly-tutorial.md), [LeaveBot](https://appsource.microsoft.com/en-us/product/office/WA200001175), [DataCamp](../saas-apps/datacamp-tutorial.md), [TripActions](../saas-apps/tripactions-tutorial.md), [SmartWork](https://www.intumit.com/teams-smartwork/), [Dotcom-Monitor](../saas-apps/dotcom-monitor-tutorial.md), [SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE](../saas-apps/ssogen-tutorial.md), [Hosted MyCirqa SSO](../saas-apps/hosted-mycirqa-sso-tutorial.md), [Yuhu Property Management Platform](../saas-apps/yuhu-property-management-platform-tutorial.md), [LumApps](https://sites.lumapps.com/login), [Upwork Enterprise](../saas-apps/upwork-enterprise-tutorial.md), [Talentsoft](../saas-apps/talentsoft-tutorial.md), [SmartDB for Microsoft Teams](http://teams.smartdb.jp/login/), [PressPage](../saas-apps/presspage-tutorial.md), [ContractSafe Saml2 SSO](../saas-apps/contractsafe-saml2-sso-tutorial.md), [Maxient Conduct Manager Software](../saas-apps/maxient-conduct-manager-software-tutorial.md), [Helpshift](../saas-apps/helpshift-tutorial.md), [PortalTalk 365](https://www.portaltalk.com/), [CoreView](https://portal.coreview.com/), Squelch Cloud Office365 Connector, [PingFlow 
Authentication](https://app-staging.pingview.io/), [PrinterLogic SaaS](../saas-apps/printerlogic-saas-tutorial.md), [Taskize Connect](../saas-apps/taskize-connect-tutorial.md), [Sandwai](https://app.sandwai.com/), [EZRentOut](../saas-apps/ezrentout-tutorial.md), [AssetSonar](../saas-apps/assetsonar-tutorial.md), [Akari Virtual Assistant](https://akari.io/akari-virtual-assistant/)
-
-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### Two new Identity Protection detections
-
-**Type:** New feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-We've added two new sign-in linked detection types to Identity Protection: Suspicious inbox manipulation rules and Impossible travel. These offline detections are discovered by Microsoft Cloud App Security (MCAS) and influence the user and sign-in risk in Identity Protection. For more information on these detections, see our [sign-in risk types](../identity-protection/concept-identity-protection-risks.md).
-
-
-
-### Breaking Change: URI Fragments will not be carried through the login redirect
-
-**Type:** Changed feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-Starting on February 8, 2020, when a request is sent to login.microsoftonline.com to sign in a user, the service will append an empty fragment to the request. This prevents a class of redirect attacks by ensuring that the browser wipes out any existing fragment in the request. No application should have a dependency on this behavior. For more information, see [Breaking changes](../develop/reference-breaking-changes.md#february-2020) in the Microsoft identity platform documentation.
---
-## December 2019
-
-### Integrate SAP SuccessFactors provisioning into Azure AD and on-premises AD (Public Preview)
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-You can now integrate SAP SuccessFactors as an authoritative identity source in Azure AD. This integration helps you automate the end-to-end identity lifecycle, including using HR-based events, like new hires or terminations, to control provisioning of Azure AD accounts.
-
-For more information about how to set up SAP SuccessFactors inbound provisioning to Azure AD, see the [Configure SAP SuccessFactors automatic provisioning](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md) tutorial.
---
-### Support for customized emails in Azure AD B2C (Public Preview)
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-You can now use Azure AD B2C to create customized emails when your users sign up to use your apps. By using DisplayControls (currently in preview) and a third-party email provider (such as, [SendGrid](https://sendgrid.com/), [SparkPost](https://sparkpost.com/), or a custom REST API), you can use your own email template, **From** address, and subject text, as well as support localization and custom one-time password (OTP) settings.
-
-For more information, see [Custom email verification in Azure Active Directory B2C](../../active-directory-b2c/custom-email-sendgrid.md).
---
-### Replacement of baseline policies with security defaults
-
-**Type:** Changed feature
-**Service category:** Other
-**Product capability:** Identity Security and Protection
-
-As part of a secure-by-default model for authentication, we're removing the existing baseline protection policies from all tenants. This removal is targeted for completion at the end of February. The replacement for these baseline protection policies is security defaults. If you've been using baseline protection policies, you must plan to move to the new security defaults policy or to Conditional Access. If you haven't used these policies, there is no action for you to take.
-
-For more information about the new security defaults, see [What are security defaults?](./concept-fundamentals-security-defaults.md) For more information about Conditional Access policies, see [Common Conditional Access policies](../conditional-access/concept-conditional-access-policy-common.md).
---
-## November 2019
-
-### Support for the SameSite attribute and Chrome 80
-
-**Type:** Plan for change
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-As part of a secure-by-default model for cookies, the Chrome 80 browser is changing how it treats cookies without the `SameSite` attribute. Any cookie that doesn't specify the `SameSite` attribute will be treated as though it was set to `SameSite=Lax`, which will result in Chrome blocking certain cross-domain cookie sharing scenarios that your app may depend on. To maintain the older Chrome behavior, you can use the `SameSite=None` attribute and add an additional `Secure` attribute, so cross-site cookies can only be accessed over HTTPS connections. Chrome is scheduled to complete this change by February 4, 2020.
-
-We recommend all our developers test their apps using this guidance:
--- Set the default value for the **Use Secure Cookie** setting to **Yes**.--- Set the default value for the **SameSite** attribute to **None**.--- Add an additional `SameSite` attribute of **Secure**.-
-For more information, see [Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core](https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/) and [Potential disruption to customer websites and Microsoft products and services in Chrome version 79 and later](https://support.microsoft.com/help/4522904/potential-disruption-to-microsoft-services-in-chrome-beta-version-79).
---
-### New hotfix for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2)
-
-**Type:** Fixed
-**Service category:** Microsoft Identity Manager
-**Product capability:** Identity Lifecycle Management
-
-A hotfix rollup package (build 4.6.34.0) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2). This rollup package resolves issues and adds improvements that are described in the "Issues fixed and improvements added in this update" section.
-
-For more information and to download the hotfix package, see [Microsoft Identity Manager 2016 Service Pack 2 (build 4.6.34.0) Update Rollup is available](https://support.microsoft.com/help/4512924/microsoft-identity-manager-2016-service-pack-2-build-4-6-34-0-update-r).
---
-### New AD FS app activity report to help migrate apps to Azure AD (Public Preview)
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-Use the new Active Directory Federation Services (AD FS) app activity report, in the Azure portal, to identify which of your apps are capable of being migrated to Azure AD. The report assesses all AD FS apps for compatibility with Azure AD, checks for any issues, and gives guidance about preparing individual apps for migration.
-
-For more information, see [Use the AD FS application activity report to migrate applications to Azure AD](../manage-apps/migrate-adfs-application-activity.md).
---
-### New workflow for users to request administrator consent (Public Preview)
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** Access Control
-
-The new admin consent workflow gives admins a way to grant access to apps that require admin approval. If a user tries to access an app, but is unable to provide consent, they can now send a request for admin approval. The request is sent by email, and placed in a queue that's accessible from the Azure portal, to all the admins who have been designated as reviewers. After a reviewer takes action on a pending request, the requesting users are notified of the action.
-
-For more information, see [Configure the admin consent workflow (preview)](../manage-apps/configure-admin-consent-workflow.md).
---
-### New Azure AD App Registrations Token configuration experience for managing optional claims (Public Preview)
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** Developer Experience
-
-The new **Azure AD App Registrations Token configuration** blade on the Azure portal now shows app developers a dynamic list of optional claims for their apps. This new experience helps to streamline Azure AD app migrations and to minimize optional claims misconfigurations.
-
-For more information, see [Provide optional claims to your Azure AD app](../develop/active-directory-optional-claims.md).
---
-### New two-stage approval workflow in Azure AD entitlement management (Public Preview)
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** Entitlement Management
-
-We've introduced a new two-stage approval workflow that allows you to require two approvers to approve a user's request to an access package. For example, you can set it so the requesting user's manager must first approve, and then you can also require a resource owner to approve. If one of the approvers doesn't approve, access isn't granted.
-
-For more information, see [Change request and approval settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-request-policy.md).
---
-### Updates to the My Apps page along with new workspaces (Public Preview)
-
-**Type:** New feature
-**Service category:** My Apps
-**Product capability:** 3rd Party Integration
-
-You can now customize the way your organization's users view and access the refreshed My Apps experience. This new experience also includes the new workspaces feature, which makes it easier for your users to find and organize apps.
-
-For more information about the new My Apps experience and creating workspaces, see [Create workspaces on the My Apps portal](../manage-apps/access-panel-collections.md).
---
-### Google social ID support for Azure AD B2B collaboration (General Availability)
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** User Authentication
-
-New support for using Google social IDs (Gmail accounts) in Azure AD helps to make collaboration simpler for your users and partners. There's no longer a need for your partners to create and manage a new Microsoft-specific account. Microsoft Teams now fully supports Google users on all clients and across the common and tenant-related authentication endpoints.
-
-For more information, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md).
---
-### Microsoft Edge Mobile Support for Conditional Access and Single Sign-on (General Availability)
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-Azure AD for Microsoft Edge on iOS and Android now supports Azure AD single sign-on and Conditional Access:
--- **Microsoft Edge single sign-on (SSO):** Single sign-on is now available across native clients (such as Microsoft Outlook and Microsoft Edge) for all Azure AD -connected apps.--- **Microsoft Edge conditional access:** Through application-based conditional access policies, your users must use Microsoft Intune-protected browsers, such as Microsoft Edge.-
-For more information about conditional access and SSO with Microsoft Edge, see the [Microsoft Edge Mobile Support for Conditional Access and single sign-on Now Generally Available](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Microsoft-Edge-Mobile-Support-for-Conditional-Access-and-Single/ba-p/988179) blog post. For more information about how to set up your client apps using [app-based conditional access](../conditional-access/app-based-conditional-access.md) or [device-based conditional access](../conditional-access/require-managed-devices.md), see [Manage web access using a Microsoft Intune policy-protected browser](/intune/apps/app-configuration-managed-browser).
---
-### Azure AD entitlement management (General Availability)
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** Entitlement Management
-
-Azure AD entitlement management is a new identity governance feature, which helps organizations manage identity and access lifecycle at scale. This new feature helps by automating access request workflows, access assignments, reviews, and expiration across groups, apps, and SharePoint Online sites.
-
-With Azure AD entitlement management, you can more efficiently manage access both for employees and also for users outside your organization who need access to those resources.
-
-For more information, see [What is Azure AD entitlement management?](../governance/entitlement-management-overview.md#license-requirements)
---
-### Automate user account provisioning for these newly supported SaaS apps
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
-
-[SAP Cloud Platform Identity Authentication Service](../saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md), [RingCentral](../saas-apps/ringcentral-provisioning-tutorial.md), [SpaceIQ](../saas-apps/spaceiq-provisioning-tutorial.md), [Miro](../saas-apps/miro-provisioning-tutorial.md), [Cloudgate](../saas-apps/soloinsight-cloudgate-sso-provisioning-tutorial.md), [Infor CloudSuite](../saas-apps/infor-cloudsuite-provisioning-tutorial.md), [OfficeSpace Software](../saas-apps/officespace-software-provisioning-tutorial.md), [Priority Matrix](../saas-apps/priority-matrix-provisioning-tutorial.md)
-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
---
-### New Federated Apps available in Azure AD App gallery - November 2019
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In November 2019, we've added these 21 new apps with Federation support to the app gallery:
-
-[Airtable](../saas-apps/airtable-tutorial.md), [Hootsuite](../saas-apps/hootsuite-tutorial.md), [Blue Access for Members (BAM)](../saas-apps/blue-access-for-members-tutorial.md), [Bitly](../saas-apps/bitly-tutorial.md), [Riva](../saas-apps/riva-tutorial.md), [ResLife Portal](https://app.reslifecloud.com/hub5_signin/microsoft_azuread/?g=44BBB1F90915236A97502FF4BE2952CB&c=5&uid=0&ht=2&ref=), [NegometrixPortal Single Sign On (SSO)](../saas-apps/negometrixportal-tutorial.md), [TeamsChamp](https://login.microsoftonline.com/551f45da-b68e-4498-a7f5-a6e1efaeb41c/adminconsent?client_id=ca9bbfa4-1316-4c0f-a9ee-1248ac27f8ab&redirect_uri=https://admin.teamschamp.com/api/adminconsent&state=6883c143-cb59-42ee-a53a-bdb5faabf279), [Motus](../saas-apps/motus-tutorial.md), [MyAryaka](../saas-apps/myaryaka-tutorial.md), [BlueMail](https://loginself1.bluemail.me/), [Beedle](https://teams-web.beedle.co/#/), [Visma](../saas-apps/visma-tutorial.md), [OneDesk](../saas-apps/onedesk-tutorial.md), [Foko Retail](../saas-apps/foko-retail-tutorial.md), [Qmarkets Idea & Innovation Management](../saas-apps/qmarkets-idea-innovation-management-tutorial.md), [Netskope User Authentication](../saas-apps/netskope-user-authentication-tutorial.md), [uniFLOW Online](../saas-apps/uniflow-online-tutorial.md), [Claromentis](../saas-apps/claromentis-tutorial.md), [Jisc Student Voter Registration](../saas-apps/jisc-student-voter-registration-tutorial.md), [e4enable](https://portal.e4enable.com/)
-
-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### New and improved Azure AD application gallery
-
-**Type:** Changed feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-We've updated the Azure AD application gallery to make it easier for you to find pre-integrated apps that support provisioning, OpenID Connect, and SAML on your Azure Active Directory tenant.
-
-For more information, see [Add an application to your Azure Active Directory tenant](../manage-apps/add-application-portal.md).
---
-### Increased app role definition length limit from 120 to 240 characters
-
-**Type:** Changed feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-We've heard from customers that the length limit for the app role definition value in some apps and services is too short at 120 characters. In response, we've increased the maximum length of the role value definition to 240 characters.
-
-For more information about using application-specific role definitions, see [Add app roles in your application and receive them in the token](../develop/howto-add-app-roles-in-azure-ad-apps.md).
---
-## October 2019
-
-### Deprecation of the identityRiskEvent API for Azure AD Identity Protection risk detections
-
-**Type:** Plan for change
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-In response to developer feedback, Azure AD Premium P2 subscribers can now perform complex queries on Azure AD Identity Protection's risk detection data by using the new riskDetection API for Microsoft Graph. The existing [identityRiskEvent](/graph/api/resources/identityprotection-root) API beta version will stop returning data around **January 10, 2020**. If your organization is using the identityRiskEvent API, you should transition to the new riskDetection API.
-
-For more information about the new riskDetection API, see the [Risk detection API reference documentation](/graph/api/resources/riskdetection).
---
-### Application Proxy support for the SameSite Attribute and Chrome 80
-
-**Type:** Plan for change
-**Service category:** App Proxy
-**Product capability:** Access Control
-
-A couple of weeks prior to the Chrome 80 browser release, we plan to update how Application Proxy cookies treat the **SameSite** attribute. With the release of Chrome 80, any cookie that doesn't specify the **SameSite** attribute will be treated as though it was set to `SameSite=Lax`.
-
-To help avoid potentially negative impacts due to this change, we're updating Application Proxy access and session cookies by:
--- Setting the default value for the **Use Secure Cookie** setting to **Yes**.--- Setting the default value for the **SameSite** attribute to **None**.-
- >[!NOTE]
- > Application Proxy access cookies have always been transmitted exclusively over secure channels. These changes only apply to session cookies.
-
-For more information about the Application Proxy cookie settings, see [Cookie settings for accessing on-premises applications in Azure Active Directory](../app-proxy/application-proxy-configure-cookie-settings.md).
---
-### App registrations (legacy) and app management in the Application Registration Portal (apps.dev.microsoft.com) is no longer available
-
-**Type:** Plan for change
-**Service category:** N/A
-**Product capability:** Developer Experience
-
-Users with Azure AD accounts can no longer register or manage applications using the Application Registration Portal (apps.dev.microsoft.com), or register and manage applications in the App registrations (legacy) experience in the Azure portal.
-
-To learn more about the new App registrations experience, see the [App registrations in the Azure portal training guide](../develop/quickstart-register-app.md).
---
-### Users are no longer required to re-register during migration from per-user multifactor authentication (MFA) to Conditional Access-based multifactor authentication (MFA)
-
-**Type:** Fixed
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-We've fixed a known issue whereby when users were required to re-register if they were disabled for per-user MultiFactor Authentication (MFA) and then enabled for multifactor authentication (MFA) through a Conditional Access policy.
-
-To require users to re-register, you can select the **Required re-register multifactor authentication (MFA)** option from the user's authentication methods in the Azure portal.
---
-### New capabilities to transform and send claims in your SAML token
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-We've added additional capabilities to help you to customize and send claims in your SAML token. These new capabilities include:
--- Additional claims transformation functions, helping you to modify the value you send in the claim.--- Ability to apply multiple transformations to a single claim.--- Ability to specify the claim source, based on the user type and the group to which the user belongs.-
-For detailed information about these new capabilities, including how to use them, see [Customize claims issued in the SAML token for enterprise applications](../develop/active-directory-saml-claims-customization.md).
---
-### New My Sign-ins page for end users in Azure AD
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** Monitoring & Reporting
-
-We've added a new **My Sign-ins** page (https://mysignins.microsoft.com) to let your organization's users view their recent sign-in history to check for any unusual activity. This new page allows your users to see:
--- If anyone is attempting to guess their password.--- If an attacker successfully signed in to their account and from what location.--- What apps the attacker tried to access.-
-For more information, see the [Users can now check their sign-in history for unusual activity](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Users-can-now-check-their-sign-in-history-for-unusual-activity/ba-p/916066) blog.
---
-### Migration of Azure AD Domain Services (Azure AD DS) from classic to Azure Resource Manager virtual networks
-
-**Type:** New feature
-**Service category:** Azure AD Domain Services
-**Product capability:** Azure AD Domain Services
-
-To our customers who have been stuck on classic virtual networks -- we have great news for you! You can now perform a one-time migration from a classic virtual network to an existing Resource Manager virtual network. After moving to the Resource Manager virtual network, you'll be able to take advantage of the additional and upgraded features such as, fine-grained password policies, email notifications, and audit logs.
---
-### Updates to the Azure AD B2C page contract layout
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-We've introduced some new changes to version 1.2.0 of the page contract for Azure AD B2C. In this updated version, you can now control the load order for your elements, which can also help to stop the flicker that happens when the style sheet (CSS) is loaded.
-
-For a full list of the changes made to the page contract, see the [Version change log](../../active-directory-b2c/page-layout.md#other-pages-providerselection-claimsconsent-unifiedssd).
---
-### Update to the My Apps page along with new workspaces (Public preview)
-
-**Type:** New feature
-**Service category:** My Apps
-**Product capability:** Access Control
-
-You can now customize the way your organization's users view and access the brand-new My Apps experience, including using the new workspaces feature to make it easier for them to find apps. The new workspaces functionality acts as a filter for the apps your organization's users already have access to.
-
-For more information on rolling out the new My Apps experience and creating workspaces, see [Create workspaces on the My Apps (preview) portal](../manage-apps/access-panel-collections.md).
---
-### Support for the monthly active user-based billing model (General availability)
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-Azure AD B2C now supports monthly active users (MAU) billing. MAU billing is based on the number of unique users with authentication activity during a calendar month. Existing customers can switch to this new billing method at any time.
-
-Starting on November 1, 2019, all new customers will automatically be billed using this method. This billing method benefits customers through cost benefits and the ability to plan ahead.
-
-For more information, see [Upgrade to monthly active users billing model](../../active-directory-b2c/billing.md#switch-to-mau-billing-pre-november-2019-azure-ad-b2c-tenants).
---
-### New Federated Apps available in Azure AD App gallery - October 2019
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In October 2019, we've added these 35 new apps with Federation support to the app gallery:
-
-[In Case of Crisis ΓÇô Mobile](../saas-apps/in-case-of-crisis-mobile-tutorial.md), [Juno Journey](../saas-apps/juno-journey-tutorial.md), [ExponentHR](../saas-apps/exponenthr-tutorial.md), [Tact](https://www.tact.ai/products/tact-assistant), [OpusCapita Cash Management](https://appsource.microsoft.com/product/web-apps/opuscapitagroupoy-1036255.opuscapita-cm), [Salestim](https://www.salestim.com/), [Learnster](../saas-apps/learnster-tutorial.md), [Dynatrace](../saas-apps/dynatrace-tutorial.md), [HunchBuzz](https://login.hunchbuzz.com/integrations/azure/process), [Freshworks](../saas-apps/freshworks-tutorial.md), [eCornell](../saas-apps/ecornell-tutorial.md), [ShipHazmat](../saas-apps/shiphazmat-tutorial.md), [Netskope Cloud Security](../saas-apps/netskope-cloud-security-tutorial.md), [Contentful](../saas-apps/contentful-tutorial.md), [Bindtuning](https://bindtuning.com/login), [HireVue Coordinate ΓÇô Europe](https://www.hirevue.com/), [HireVue Coordinate - USOnly](https://www.hirevue.com/), [HireVue Coordinate - US](https://www.hirevue.com/), [WittyParrot Knowledge Box](https://wittyapi.wittyparrot.com/wittyparrot/api/provision/trail/signup), [Cloudmore](../saas-apps/cloudmore-tutorial.md), [Visit.org](../saas-apps/visitorg-tutorial.md), [Cambium Xirrus EasyPass Portal](https://login.xirrus.com/azure-signup), [Paylocity](../saas-apps/paylocity-tutorial.md), [Mail Luck!](../saas-apps/mail-luck-tutorial.md), [Teamie](https://theteamie.com/), [Velocity for Teams](https://velocity.peakup.org/teams/login), [SIGNL4](https://account.signl4.com/manage), [EAB Navigate IMPL](../saas-apps/eab-navigate-impl-tutorial.md), [ScreenMeet](https://console.screenmeet.com/), [Omega Point](https://pi.ompnt.com/), [Speaking Email for Intune (iPhone)](https://speaking.email/FAQ/98/email-access-via-microsoft-intune), [Speaking Email for Office 365 Direct (iPhone/Android)](https://speaking.email/FAQ/126/email-access-via-microsoft-office-365-direct), [ExactCare 
SSO](../saas-apps/exactcare-sso-tutorial.md), [iHealthHome Care Navigation System](https://ihealthnav.com/account/signin), [Qubie](https://www.qubie.app/)
-
-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### Consolidated Security menu item in the Azure portal
-
-**Type:** Changed feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-You can now access all of the available Azure AD security features from the new **Security** menu item, and from the **Search** bar, in the Azure portal. Additionally, the new **Security** landing page, called **Security - Getting started**, will provide links to our public documentation, security guidance, and deployment guides.
-
-The new **Security** menu includes:
--- Conditional Access-- Identity Protection-- Security Center-- Identity Secure Score-- Authentication methods-- Multifactor authentication (MFA)-- Risk reports - Risky users, Risky sign-ins, Risk detections-- And more...-
-For more information, see [Security - Getting started](https://portal.azure.com/#blade/Microsoft_AAD_IAM/SecurityMenuBlade/GettingStarted).
---
-### Office 365 groups expiration policy enhanced with autorenewal
-
-**Type:** Changed feature
-**Service category:** Group Management
-**Product capability:** Identity Lifecycle Management
-
-The Office 365 groups expiration policy has been enhanced to automatically renew groups that are actively in use by its members. Groups will be autorenewed based on user activity across all the Office 365 apps, including Outlook, SharePoint, and Teams.
-
-This enhancement helps to reduce your group expiration notifications and helps to make sure that active groups continue to be available. If you already have an active expiration policy for your Office 365 groups, you don't need to do anything to turn on this new functionality.
-
-For more information, see [Configure the expiration policy for Office 365 groups](../enterprise-users/groups-lifecycle.md).
---
-### Updated Azure AD Domain Services (Azure AD DS) creation experience
-
-**Type:** Changed feature
-**Service category:** Azure AD Domain Services
-**Product capability:** Azure AD Domain Services
-
-We've updated Azure AD Domain Services (Azure AD DS) to include a new and improved creation experience, helping you to create a managed domain in just three clicks! In addition, you can now upload and deploy Azure AD DS from a template.
-
-For more information, see [Tutorial: Create and configure an Azure Active Directory Domain Services instance](../../active-directory-domain-services/tutorial-create-instance.md).
---
-## September 2019
-
-### Plan for change: Deprecation of the Power BI content packs
-
-**Type:** Plan for change
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-Starting on October 1, 2019, Power BI will begin to deprecate all content packs, including the Azure AD Power BI content pack. As an alternative to this content pack, you can use Azure AD Workbooks to gain insights into your Azure AD-related services. Additional workbooks are coming, including workbooks about Conditional Access policies in report-only mode, app consent-based insights, and more.
-
-For more information about the workbooks, see [How to use Azure Monitor workbooks for Azure Active Directory reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md). For more information about the deprecation of the content packs, see the [Announcing Power BI template apps general availability](https://powerbi.microsoft.com/blog/announcing-power-bi-template-apps-general-availability/) blog post.
---
-### My Profile is renaming and integrating with the Microsoft Office account page
-
-**Type:** Plan for change
-**Service category:** My Profile/Account
-**Product capability:** Collaboration
-
-Starting in October, the My Profile experience will become My Account. As part of that change, everywhere that currently says, **My Profile** will change to **My Account**. On top of the naming change and some design improvements, the updated experience will offer additional integration with the Microsoft Office account page. Specifically, you'll be able to access Office installations and subscriptions from the **Overview Account** page, along with Office-related contact preferences from the **Privacy** page.
-
-For more information about the My Profile (preview) experience, see [My Profile (preview) portal overview](https://support.microsoft.com/account-billing/my-account-portal-for-work-or-school-accounts-eab41bfe-3b9e-441e-82be-1f6e568d65fd).
---
-### Bulk manage groups and members using CSV files in the Azure portal (Public Preview)
-
-**Type:** New feature
-**Service category:** Group Management
-**Product capability:** Collaboration
-
-We're pleased to announce public preview availability of the bulk group management experiences in the Azure portal. You can now use a CSV file and the Azure portal to manage groups and member lists, including:
--- Adding or removing members from a group.--- Downloading the list of groups from the directory.--- Downloading the list of group members for a specific group.-
-For more information, see [Bulk add members](../enterprise-users/groups-bulk-import-members.md), [Bulk remove members](../enterprise-users/groups-bulk-remove-members.md), [Bulk download members list](../enterprise-users/groups-bulk-download-members.md), and [Bulk download groups list](../enterprise-users/groups-bulk-download.md).
---
-### Dynamic consent is now supported through a new admin consent endpoint
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-We've created a new admin consent endpoint to support dynamic consent, which is helpful for apps that want to use the dynamic consent model on the Microsoft Identity platform.
-
-For more information about how to use this new endpoint, see [Using the admin consent endpoint](../develop/v2-admin-consent.md).
---
-### New Federated Apps available in Azure AD App gallery - September 2019
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In September 2019, we've added these 29 new apps with Federation support to the app gallery:
-
-[ScheduleLook](https://schedulelook.bbsonlineservices.net/), [MS Azure SSO Access for Ethidex Compliance Office&trade; - Single sign-on](../saas-apps/ms-azure-sso-access-for-ethidex-compliance-office-tutorial.md), [iServer Portal](../saas-apps/iserver-portal-tutorial.md), [SKYSITE](../saas-apps/skysite-tutorial.md), [Concur Travel and Expense](../saas-apps/concur-travel-and-expense-tutorial.md), [WorkBoard](../saas-apps/workboard-tutorial.md), `https://apps.yeeflow.com/`, [ARC Facilities](../saas-apps/arc-facilities-tutorial.md), [Luware Stratus Team](https://stratus.emea.luware.cloud/login), [Wide Ideas](https://wideideas.online/wideideas/), [Prisma Cloud](../saas-apps/prisma-cloud-tutorial.md), [RENRAKU](../saas-apps/renraku-tutorial.md), [SealPath Secure Browser](https://protection.sealpath.com/SealPathInterceptorWopiSaas/Open/InstallSealPathEditorOneDrive), [Prisma Cloud](../saas-apps/prisma-cloud-tutorial.md), `https://app.penneo.com/`, `https://app.testhtm.com/settings/email-integration`, [Cintoo Cloud](https://aec.cintoo.com/login), [Whitesource](../saas-apps/whitesource-tutorial.md), [Hosted Heritage Online SSO](../saas-apps/hosted-heritage-online-sso-tutorial.md), [IDC](../saas-apps/idc-tutorial.md), [CakeHR](../saas-apps/cakehr-tutorial.md), [BIS](../saas-apps/bis-tutorial.md), [Coo Kai Team Build](https://ms-contacts.coo-kai.jp/), [Sonarqube](../saas-apps/sonarqube-tutorial.md), [Adobe Identity Management](../saas-apps/tutorial-list.md), [Discovery Benefits SSO](../saas-apps/discovery-benefits-sso-tutorial.md), [Amelio](https://app.amelio.co/), `https://itask.yipinapp.com/`
-
-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### New Azure AD Global Reader role
-
-**Type:** New feature
-**Service category:** Azure AD roles
-**Product capability:** Access Control
-
-Starting on September 24, 2019, we're going to start rolling out a new Azure Active Directory (AD) role called Global Reader. This rollout will start with production and Global cloud customers (GCC), finishing up worldwide in October.
-
-The Global Reader role is the read-only counterpart to Global Administrator. Users in this role can read settings and administrative information across Microsoft 365 services, but can't take management actions. We've created the Global Reader role to help reduce the number of Global Administrators in your organization. Because Global Administrator accounts are powerful and vulnerable to attack, we recommend that you have fewer than five Global Administrators. We recommend using the Global Reader role for planning, audits, or investigations. We also recommend using the Global Reader role in combination with other limited administrator roles, like Exchange Administrator, to help get work done without requiring the Global Administrator role.
-
-The Global Reader role works with the new Microsoft 365 Admin Center, Exchange Admin Center, Teams Admin Center, Security Center, Microsoft Purview compliance portal, Azure portal, and the Device Management Admin Center.
-
->[!NOTE]
-> At the start of public preview, the Global Reader role won't work with: SharePoint, Privileged Access Management, Customer Lockbox, sensitivity labels, Teams Lifecycle, Teams Reporting & Call Analytics, Teams IP Phone Device Management, and Teams App Catalog.
-
-For more information, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md).
---
-### Access an on-premises Report Server from your Power BI Mobile app using Azure Active Directory Application Proxy
-
-**Type:** New feature
-**Service category:** App Proxy
-**Product capability:** Access Control
-
-New integration between the Power BI mobile app and Azure AD Application Proxy allows you to securely sign in to the Power BI mobile app and view any of your organization's reports hosted on the on-premises Power BI Report Server.
-
-For information about the Power BI Mobile app, including where to download the app, see the [Power BI site](https://powerbi.microsoft.com/mobile/). For more information about how to set up the Power BI mobile app with Azure AD Application Proxy, see [Enable remote access to Power BI Mobile with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-power-bi.md).
---
-### New version of the AzureADPreview PowerShell module is available
-
-**Type:** Changed feature
-**Service category:** Other
-**Product capability:** Directory
-
-New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure AD, including:
--- `Add-AzureADMSFeatureRolloutPolicyDirectoryObject`-- `Get-AzureADMSFeatureRolloutPolicy`-- `New-AzureADMSFeatureRolloutPolicy`-- `Remove-AzureADMSFeatureRolloutPolicy`-- `Remove-AzureADMSFeatureRolloutPolicyDirectoryObject`-- `Set-AzureADMSFeatureRolloutPolicy`---
-### New version of Azure AD Connect
-
-**Type:** Changed feature
-**Service category:** Other
-**Product capability:** Directory
-
-We've released an updated version of Azure AD Connect for auto-upgrade customers. This new version includes several new features, improvements, and bug fixes.
---
-### Azure Active Directory Multi-Factor Authentication (MFA) Server, version 8.0.2 is now available
-
-**Type:** Fixed
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-If you're an existing customer, who activated Azure AD Multi-Factor Authentication (MFA) Server prior to July 1, 2019, you can now download the latest version of Azure AD Multi-Factor Authentication (MFA) Server (version 8.0.2). In this new version, we:
--- Fixed an issue so when Azure AD sync changes a user from Disabled to Enabled, an email is sent to the user.--- Fixed an issue so customers can successfully upgrade, while continuing to use the Tags functionality.--- Added the Kosovo (+383) country code.--- Added one-time bypass audit logging to the MultiFactorAuthSvc.log.--- Improved performance for the Web Service SDK.--- Fixed other minor bugs.-
-Starting July 1, 2019, Microsoft stopped offering multifactor authentication (MFA) Server for new deployments. New customers who require multifactor authentication should use cloud-based Azure AD Multi-Factor Authentication. For more information, see [Planning a cloud-based Azure AD Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).
---
-## August 2019
-
-### Enhanced search, filtering, and sorting for groups is available in the Azure portal (Public Preview)
-
-**Type:** New feature
-**Service category:** Group Management
-**Product capability:** Collaboration
-
-We're pleased to announce public preview availability of the enhanced groups-related experiences in the Azure portal. These enhancements help you better manage groups and member lists, by providing:
--- Advanced search capabilities, such as substring search on groups lists.-- Advanced filtering and sorting options on member and owner lists.-- New search capabilities for member and owner lists.-- More accurate group counts for large groups.-
-For more information, see [Manage groups in the Azure portal](./active-directory-groups-members-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context).
---
-### New custom roles are available for app registration management (Public Preview)
-
-**Type:** New feature
-**Service category:** Azure AD roles
-**Product capability:** Access Control
-
-Custom roles (available with an Azure AD P1 or P2 subscription) can now help provide you with fine-grained access, by letting you create role definitions with specific permissions and then to assign those roles to specific resources. Currently, you create custom roles by using permissions for managing app registrations and then assigning the role to a specific app. For more information about custom roles, see [Custom administrator roles in Azure Active Directory (preview)](../roles/custom-overview.md).
-
-If you need other permissions or resources supported, which you don't currently see, you can send feedback to our [Azure feedback site](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) and we'll add your request to our update road map.
---
-### New provisioning logs can help you monitor and troubleshoot your app provisioning deployment (Public Preview)
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-New provisioning logs are available to help you monitor and troubleshoot the user and group provisioning deployment. These new log files include information about:
--- What groups were successfully created in [ServiceNow](../saas-apps/servicenow-provisioning-tutorial.md)-- What roles were imported from [AWS Single-Account Access](../saas-apps/amazon-web-service-tutorial.md#configure-and-test-azure-ad-sso-for-aws-single-account-access)-- What employees weren't imported from [Workday](../saas-apps/workday-inbound-tutorial.md)-
-For more information, see [Provisioning reports in the Azure portal (preview)](../reports-monitoring/concept-provisioning-logs.md).
---
-### New security reports for all Azure AD administrators (General Availability)
-
-**Type:** New feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-By default, all Azure AD administrators will soon be able to access modern security reports within Azure AD. Until the end of September, you'll be able to use the banner at the top of the modern security reports to return to the old reports.
-
-The modern security reports will provide more capabilities from the older versions, including:
--- Advanced filtering and sorting-- Bulk actions, such as dismissing user risk-- Confirmation of compromised or safe entities-- Risk state, covering: At risk, Dismissed, Remediated, and Confirmed compromised-- New risk-related detections (available to Azure AD Premium subscribers)-
-For more information, see [Risky users](../identity-protection/howto-identity-protection-investigate-risk.md#risky-users), [Risky sign-ins](../identity-protection/howto-identity-protection-investigate-risk.md#risky-sign-ins), and [Risk detections](../identity-protection/howto-identity-protection-investigate-risk.md#risk-detections).
---
-### User-assigned managed identity is available for Virtual Machines and Virtual Machine Scale Sets (General Availability)
-
-**Type:** New feature
-**Service category:** Managed identities for Azure resources
-**Product capability:** Developer Experience
-
-User-assigned managed identities are now generally available for Virtual Machines and Virtual Machine Scale Sets. As part of this, Azure can create an identity in the Azure AD tenant that's trusted by the subscription in use, and can be assigned to one or more Azure service instances. For more information about user-assigned managed identities, see [What is managed identities for Azure resources?](../managed-identities-azure-resources/overview.md).
---
-### Users can reset their passwords using a mobile app or hardware token (General Availability)
-
-**Type:** Changed feature
-**Service category:** Self Service Password Reset
-**Product capability:** User Authentication
-
-Users who have registered a mobile app with your organization can now reset their own password by approving a notification from the Microsoft Authenticator app or by entering a code from their mobile app or hardware token.
-
-For more information, see [How it works: Azure AD self-service password reset](../authentication/concept-sspr-howitworks.md). For more information about the user experience, see [Reset your own work or school password overview](https://support.microsoft.com/account-billing/register-the-password-reset-verification-method-for-a-work-or-school-account-47a55d4a-05b0-4f67-9a63-f39a43dbe20a).
---
-### ADAL.NET ignores the MSAL.NET shared cache for on-behalf-of scenarios
-
-**Type:** Fixed
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-Starting with Azure AD authentication library (ADAL.NET) version 5.0.0-preview, app developers must [serialize one cache per account for web apps and web APIs](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Token-cache-serialization#custom-token-cache-serialization-in-web-applications--web-api). Otherwise, some scenarios using the [on-behalf-of flow](../develop/scenario-web-api-call-api-app-configuration.md?tabs=java) for Java, along with some specific use cases of `UserAssertion`, may result in an elevation of privilege. To avoid this vulnerability, ADAL.NET now ignores the Microsoft Authentication Library for dotnet (MSAL.NET) shared cache for on-behalf-of scenarios.
-
-For more information about this issue, see [Azure Active Directory Authentication Library Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-1258).
---
-### New Federated Apps available in Azure AD App gallery - August 2019
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In August 2019, we've added these 26 new apps with Federation support to the app gallery:
-
-[Civic Platform](../saas-apps/civic-platform-tutorial.md), [Amazon Business](../saas-apps/amazon-business-tutorial.md), [ProNovos Ops Manager](../saas-apps/pronovos-ops-manager-tutorial.md), [Cognidox](../saas-apps/cognidox-tutorial.md), [Viareport's Inativ Portal (Europe)](../saas-apps/viareports-inativ-portal-europe-tutorial.md), [Azure Databricks](https://azure.microsoft.com/services/databricks), [Robin](../saas-apps/robin-tutorial.md), [Academy Attendance](../saas-apps/academy-attendance-tutorial.md), [Cousto MySpace](https://cousto.platformers.be/account/login), [Uploadcare](https://uploadcare.com/accounts/signup/), [Carbonite Endpoint Backup](../saas-apps/carbonite-endpoint-backup-tutorial.md), [CPQSync by Cincom](../saas-apps/cpqsync-by-cincom-tutorial.md), [Chargebee](../saas-apps/chargebee-tutorial.md), [deliver.media&trade; Portal](https://portal.deliver.media), [Frontline Education](../saas-apps/frontline-education-tutorial.md), [F5](https://www.f5.com/products/security/access-policy-manager), [stashcat AD connect](https://www.stashcat.com), [Blink](../saas-apps/blink-tutorial.md), [Vocoli](../saas-apps/vocoli-tutorial.md), [ProNovos Analytics](../saas-apps/pronovos-analytics-tutorial.md), [Sigstr](../saas-apps/sigstr-tutorial.md), [Darwinbox](../saas-apps/darwinbox-tutorial.md), [Watch by Colors](../saas-apps/watch-by-colors-tutorial.md), [Harness](../saas-apps/harness-tutorial.md), [EAB Navigate Strategic Care](../saas-apps/eab-navigate-strategic-care-tutorial.md)
-
-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### New versions of the AzureAD PowerShell and AzureADPreview PowerShell modules are available
-
-**Type:** Changed feature
-**Service category:** Other
-**Product capability:** Directory
-
-New updates to the AzureAD and AzureAD Preview PowerShell modules are available:
--- A new `-Filter` parameter was added to the `Get-AzureADDirectoryRole` parameter in the AzureAD module. This parameter helps you filter on the directory roles returned by the cmdlet.-- New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure AD, including:-
- - `Get-AzureADMSRoleAssignment`
- - `Get-AzureADMSRoleDefinition`
- - `New-AzureADMSRoleAssignment`
- - `New-AzureADMSRoleDefinition`
- - `Remove-AzureADMSRoleAssignment`
- - `Remove-AzureADMSRoleDefinition`
- - `Set-AzureADMSRoleDefinition`
---
-### Improvements to the UI of the dynamic group rule builder in the Azure portal
-
-**Type:** Changed feature
-**Service category:** Group Management
-**Product capability:** Collaboration
-
-We've made some UI improvements to the dynamic group rule builder, available in the Azure portal, to help you more easily set up a new rule, or change existing rules. This design improvement allows you to create rules with up to five expressions, instead of just one. We've also updated the device property list to remove deprecated device properties.
-
-For more information, see [Manage dynamic membership rules](../enterprise-users/groups-dynamic-membership.md).
---
-### New Microsoft Graph app permission available for use with access reviews
-
-**Type:** Changed feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-We've introduced a new Microsoft Graph app permission, `AccessReview.ReadWrite.Membership`, which allows apps to automatically create and retrieve access reviews for group memberships and app assignments. This permission can be used by your scheduled jobs or as part of your automation, without requiring a logged-in user context.
-
-For more information, see the [Example how to create Azure AD access reviews using Microsoft Graph app permissions with PowerShell blog](https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Example-how-to-create-Azure-AD-access-reviews-using-Microsoft/m-p/807241).
---
-### Azure AD activity logs are now available for government cloud instances in Azure Monitor
-
-**Type:** Changed feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-We're excited to announce that Azure AD activity logs are now available for government cloud instances in Azure Monitor. You can now send Azure AD logs to your storage account or to an event hub to integrate with your SIEM tools, like [Sumologic](../reports-monitoring/howto-integrate-activity-logs-with-sumologic.md), [Splunk](../reports-monitoring/howto-integrate-activity-logs-with-splunk.md), and [ArcSight](../reports-monitoring/howto-integrate-activity-logs-with-arcsight.md).
-
-For more information about setting up Azure Monitor, see [Azure AD activity logs in Azure Monitor](../reports-monitoring/concept-activity-logs-azure-monitor.md#cost-considerations).
---
-### Update your users to the new, enhanced security info experience
-
-**Type:** Changed feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-On September 25, 2019, we'll be turning off the old, non-enhanced security info experience for registering and managing user security info and only turning on the new, [enhanced version](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Cool-enhancements-to-the-Azure-AD-combined-MFA-and-password/ba-p/354271). This means that your users will no longer be able to use the old experience.
-
-For more information about the enhanced security info experience, see our [admin documentation](../authentication/concept-registration-mfa-sspr-combined.md) and our [user documentation](https://support.microsoft.com/account-billing/set-up-your-security-info-from-a-sign-in-prompt-28180870-c256-4ebf-8bd7-5335571bf9a8).
-
-#### To turn on this new experience, you must:
-
-1. Sign in to the Azure portal as a Global Administrator or User Administrator.
-
-2. Go to **Azure Active Directory > User settings > Manage settings for access panel preview features**.
-
-3. In the **Users can use preview features for registering and managing security info - enhanced** area, select **Selected**, and then either choose a group of users or choose **All** to turn on this feature for all users in the tenant.
-
-4. In the **Users can use preview features for registering and managing security **info**** area, select **None**.
-
-5. Save your settings.
-
- After you save your settings, you'll no longer have access to the old security info experience.
-
->[!Important]
->If you don't complete these steps before September 25, 2019, your Azure Active Directory tenant will be automatically enabled for the enhanced experience. If you have questions, please contact us at registrationpreview@microsoft.com.
---
-### Authentication requests using POST logins will be more strictly validated
-
-**Type:** Changed feature
-**Service category:** Authentications (Logins)
-**Product capability:** Standards
-
-Starting on September 2, 2019, authentication requests using the POST method will be more strictly validated against the HTTP standards. Specifically, spaces and double-quotes (") will no longer be removed from request form values. These changes aren't expected to break any existing clients, and will help to make sure that requests sent to Azure AD are reliably handled every time.
-
-For more information, see the [Azure AD breaking changes notices](../develop/reference-breaking-changes.md#post-form-semantics-will-be-enforced-more-strictlyspaces-and-quotes-will-be-ignored).
---
-## July 2019
-
-### Plan for change: Application Proxy service update to support only TLS 1.2
-
-**Type:** Plan for change
-**Service category:** App Proxy
-**Product capability:** Access Control
-
-To help provide you with our strongest encryption, we're going to begin limiting Application Proxy service access to only TLS 1.2 protocols. This limitation will initially be rolled out to customers who are already using TLS 1.2 protocols, so you won't see the impact. Complete deprecation of the TLS 1.0 and TLS 1.1 protocols will be complete on August 31, 2019. Customers still using TLS 1.0 and TLS 1.1 will receive advanced notice to prepare for this change.
-
-To maintain the connection to the Application Proxy service throughout this change, we recommend that you make sure your client-server and browser-server combinations are updated to use TLS 1.2. We also recommend that you make sure to include any client systems used by your employees to access apps published through the Application Proxy service.
-
-For more information, see [Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md).
---
-### Plan for change: Design updates are coming for the Application Gallery
-
-**Type:** Plan for change
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-New user interface changes are coming to the design of the **Add from the gallery** area of the **Add an application** blade. These changes will help you more easily find your apps that support automatic provisioning, OpenID Connect, Security Assertion Markup Language (SAML), and Password single sign-on (SSO).
---
-### Plan for change: Removal of the multifactor authentication (MFA) server IP address from the Office 365 IP address
-
-**Type:** Plan for change
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-We're removing the multifactor authentication (MFA) server IP address from the [Office 365 IP Address and URL Web service](/office365/enterprise/office-365-ip-web-service). If you currently rely on these pages to update your firewall settings, you must make sure you're also including the list of IP addresses documented in the **Azure Active Directory Multi-Factor Authentication Server firewall requirements** section of the [Getting started with the Azure Active Directory Multi-Factor Authentication Server](../authentication/howto-mfaserver-deploy.md#azure-multi-factor-authentication-server-firewall-requirements) article.
---
-### App-only tokens now require the client app to exist in the resource tenant
-
-**Type:** Fixed
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-On July 26, 2019, we changed how we provide app-only tokens through the [client credentials grant](../develop/v2-oauth2-client-creds-grant-flow.md). Previously, apps could get tokens to call other apps, regardless of whether the client app was in the tenant. We've updated this behavior so single-tenant resources, sometimes called Web APIs, can only be called by client apps that exist in the resource tenant.
-
-If your app isn't located in the resource tenant, you'll get an error message that says, `The service principal named <app_name> was not found in the tenant named <tenant_name>. This can happen if the application has not been installed by the administrator of the tenant.` To fix this problem, you must create the client app service principal in the tenant, using either the [admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint) or [through PowerShell](../develop/howto-authenticate-service-principal-powershell.md), which ensures your tenant has given the app permission to operate within the tenant.
-
-For more information, see [What's new for authentication?](../develop/reference-breaking-changes.md#app-only-tokens-for-single-tenant-applications-are-only-issued-if-the-client-app-exists-in-the-resource-tenant).
-
-> [!NOTE]
-> Existing consent between the client and the API continues to not be required. Apps should still be doing their own authorization checks.
---
-### New passwordless sign-in to Azure AD using FIDO2 security keys
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-Azure AD customers can now set policies to manage FIDO2 security keys for their organization's users and groups. End users can also self-register their security keys, use the keys to sign in to their Microsoft accounts on web sites while on FIDO-capable devices, and sign-in to their Azure AD-joined Windows 10 devices.
-
-For more information, see [Enable passwordless sign in for Azure AD (preview)](../authentication/concept-authentication-passwordless.md) for administrator-related information, and [Set up security info to use a security key (Preview)](https://support.microsoft.com/account-billing/set-up-a-security-key-as-your-verification-method-2911cacd-efa5-4593-ae22-e09ae14c6698) for end-user-related information.
---
-### New Federated Apps available in Azure AD App gallery - July 2019
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In July 2019, we've added these 18 new apps with Federation support to the app gallery:
-
-[Ungerboeck Software](../saas-apps/ungerboeck-software-tutorial.md), [Bright Pattern Omnichannel Contact Center](../saas-apps/bright-pattern-omnichannel-contact-center-tutorial.md), [Clever Nelly](../saas-apps/clever-nelly-tutorial.md), [AcquireIO](../saas-apps/acquireio-tutorial.md), [Looop](https://www.looop.co/schedule-a-demo/), [productboard](../saas-apps/productboard-tutorial.md), [MS Azure SSO Access for Ethidex Compliance Office&trade;](../saas-apps/ms-azure-sso-access-for-ethidex-compliance-office-tutorial.md), [Hype](../saas-apps/hype-tutorial.md), [Abstract](../saas-apps/abstract-tutorial.md), [Ascentis](../saas-apps/ascentis-tutorial.md), [Flipsnack](https://www.flipsnack.com/accounts/sign-in-sso.html), [Wandera](../saas-apps/wandera-tutorial.md), [TwineSocial](https://twinesocial.com/), [Kallidus](../saas-apps/kallidus-tutorial.md), [HyperAnna](../saas-apps/hyperanna-tutorial.md), [PharmID WasteWitness](https://pharmid.com/), [i2B Connect](https://www.i2b-online.com/sign-up-to-use-i2b-connect-here-sso-access/), [JFrog Artifactory](../saas-apps/jfrog-artifactory-tutorial.md)
-
-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### Automate user account provisioning for these newly supported SaaS apps
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** Monitoring & Reporting
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Dialpad](../saas-apps/dialpad-provisioning-tutorial.md)--- [Federated Directory](../saas-apps/federated-directory-provisioning-tutorial.md)--- [Figma](../saas-apps/figma-provisioning-tutorial.md)--- [Leapsome](../saas-apps/leapsome-provisioning-tutorial.md)--- [Peakon](../saas-apps/peakon-provisioning-tutorial.md)--- [Smartsheet](../saas-apps/smartsheet-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md)
---
-### New Azure AD Domain Services service tag for Network Security Group
-
-**Type:** New feature
-**Service category:** Azure AD Domain Services
-**Product capability:** Azure AD Domain Services
-
-If you're tired of managing long lists of IP addresses and ranges, you can use the new **AzureActiveDirectoryDomainServices** network service tag in your Azure network security group to help secure inbound traffic to your Azure AD Domain Services virtual network subnet.
-
-For more information about this new service tag, see [Network Security Groups for Azure AD Domain Services](../../active-directory-domain-services/network-considerations.md#network-security-groups-and-required-ports).
---
-### New Security Audits for Azure AD Domain Services (Public Preview)
-
-**Type:** New feature
-**Service category:** Azure AD Domain Services
-**Product capability:** Azure AD Domain Services
-
-We're pleased to announce the release of Azure AD Domain Service Security Auditing to public preview. Security auditing helps provide you with critical insight into your authentication services by streaming security audit events to targeted resources, including Azure Storage, Azure Log Analytics workspaces, and Azure Event Hubs, using the Azure AD Domain Service portal.
-
-For more information, see [Enable Security Audits for Azure AD Domain Services (Preview)](../../active-directory-domain-services/security-audit-events.md).
---
-### New Authentication methods usage & insights (Public Preview)
-
-**Type:** New feature
-**Service category:** Self Service Password Reset
-**Product capability:** Monitoring & Reporting
-
-The new Authentication methods usage & insights reports can help you to understand how features like Azure AD Multi-Factor Authentication and self-service password reset are being registered and used in your organization, including the number of registered users for each feature, how often self-service password reset is used to reset passwords, and by which method the reset happens.
-
-For more information, see [Authentication methods usage & insights (preview)](../authentication/howto-authentication-methods-activity.md).
---
-### New security reports are available for all Azure AD administrators (Public Preview)
-
-**Type:** New feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-All Azure AD administrators can now select the banner at the top of existing security reports, such as the **Users flagged for risk** report, to start using the new security experience as shown in the **Risky users** and the **Risky sign-ins** reports. Over time, all of the security reports will move from the older versions to the new versions, with the new reports providing you the following additional capabilities:
--- Advanced filtering and sorting--- Bulk actions, such as dismissing user risk--- Confirmation of compromised or safe entities--- Risk state, covering: At risk, Dismissed, Remediated, and Confirmed compromised-
-For more information, see [Risky users report](../identity-protection/howto-identity-protection-investigate-risk.md#risky-users) and [Risky sign-ins report](../identity-protection/howto-identity-protection-investigate-risk.md#risky-sign-ins).
---
-### New Security Audits for Azure AD Domain Services (Public Preview)
-
-**Type:** New feature
-**Service category:** Azure AD Domain Services
-**Product capability:** Azure AD Domain Services
-
-We're pleased to announce the release of Azure AD Domain Service Security Auditing to public preview. Security auditing helps provide you with critical insight into your authentication services by streaming security audit events to targeted resources, including Azure Storage, Azure Log Analytics workspaces, and Azure Event Hubs, using the Azure AD Domain Service portal.
-
-For more information, see [Enable Security Audits for Azure AD Domain Services (Preview)](../../active-directory-domain-services/security-audit-events.md).
---
-### New B2B direct federation using SAML/WS-Fed (Public Preview)
-
-**Type:** New feature
-**Service category:** B2B
-**Product capability:** B2B/B2C
-
-Direct federation helps to make it easier for you to work with partners whose IT-managed identity solution is not Azure AD, by working with identity systems that support the SAML or WS-Fed standards. After you set up a direct federation relationship with a partner, any new guest user you invite from that domain can collaborate with you using their existing organizational account, making the user experience for your guests more seamless.
-
-For more information, see [Direct federation with AD FS and third-party providers for guest users (preview)](../external-identities/direct-federation.md).
---
-### Automate user account provisioning for these newly supported SaaS apps
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** Monitoring & Reporting
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Dialpad](../saas-apps/dialpad-provisioning-tutorial.md)--- [Federated Directory](../saas-apps/federated-directory-provisioning-tutorial.md)--- [Figma](../saas-apps/figma-provisioning-tutorial.md)--- [Leapsome](../saas-apps/leapsome-provisioning-tutorial.md)--- [Peakon](../saas-apps/peakon-provisioning-tutorial.md)--- [Smartsheet](../saas-apps/smartsheet-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
---
-### New check for duplicate group names in the Azure portal
-
-**Type:** New feature
-**Service category:** Group Management
-**Product capability:** Collaboration
-
-Now, when you create or update a group name from the Azure portal, we'll perform a check to see if you are duplicating an existing group name in your resource. If we determine that the name is already in use by another group, you'll be asked to modify your name.
-
-For more information, see [Manage groups in the Azure portal](./active-directory-groups-create-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context).
---
-### Azure AD now supports static query parameters in reply (redirect) URIs
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-Azure AD apps can now register and use reply (redirect) URIs with static query parameters (for example, `https://contoso.com/oauth2?idp=microsoft`) for OAuth 2.0 requests. The static query parameter is subject to string matching for reply URIs, just like any other part of the reply URI. If there's no registered string that matches the URL-decoded redirect-uri, the request is rejected. If the reply URI is found, the entire string is used to redirect the user, including the static query parameter.
-
-Dynamic reply URIs are still forbidden because they represent a security risk and can't be used to retain state information across an authentication request. For this purpose, use the `state` parameter.
-
-Currently, the app registration screens of the Azure portal still block query parameters. However, you can manually edit the app manifest to add and test query parameters in your app. For more information, see [What's new for authentication?](../develop/reference-breaking-changes.md#redirect-uris-can-now-contain-query-string-parameters).
---
-### Activity logs (MS Graph APIs) for Azure AD are now available through PowerShell Cmdlets
-
-**Type:** New feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-We're excited to announce that Azure AD activity logs (Audit and Sign-ins reports) are now available through the Azure AD PowerShell module. Previously, you could create your own scripts using MS Graph API endpoints, and now we've extended that capability to PowerShell cmdlets.
-
-For more information about how to use these cmdlets, see [Azure AD PowerShell cmdlets for reporting](../reports-monitoring/reference-powershell-reporting.md).
---
-### Updated filter controls for Audit and Sign-in logs in Azure AD
-
-**Type:** Changed feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-We've updated the Audit and Sign-in log reports so you can now apply various filters without having to add them as columns on the report screens. Additionally, you can now decide how many filters you want to show on the screen. These updates all work together to make your reports easier to read and more scoped to your needs.
-
-For more information about these updates, see [Filter audit logs](../reports-monitoring/concept-audit-logs.md#filtering-audit-logs) and [Filter sign-in activities](../reports-monitoring/concept-sign-ins.md#filter-sign-in-activities).
---
-## June 2019
-
-### New riskDetections API for Microsoft Graph (Public preview)
-
-**Type:** New feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-We're pleased to announce the new riskDetections API for Microsoft Graph is now in public preview. You can use this new API to view a list of your organization's Identity Protection-related user and sign-in risk detections. You can also use this API to more efficiently query your risk detections, including details about the detection type, status, level, and more.
-
-For more information, see the [Risk detection API reference documentation](/graph/api/resources/riskdetection).
---
-### New Federated Apps available in Azure AD app gallery - June 2019
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In June 2019, we've added these 22 new apps with Federation support to the app gallery:
-
-[Azure AD SAML Toolkit](../saas-apps/saml-toolkit-tutorial.md), [Otsuka Shokai (大塚商会)](../saas-apps/otsuka-shokai-tutorial.md), [ANAQUA](../saas-apps/anaqua-tutorial.md), [Azure VPN Client](https://portal.azure.com/), [ExpenseIn](../saas-apps/expensein-tutorial.md), [Helper Helper](../saas-apps/helper-helper-tutorial.md), [Costpoint](../saas-apps/costpoint-tutorial.md), [GlobalOne](../saas-apps/globalone-tutorial.md), [Mercedes-Benz In-Car Office](https://me.secure.mercedes-benz.com/), [Skore](https://app.justskore.it/), [Oracle Cloud Infrastructure Console](../saas-apps/oracle-cloud-tutorial.md), [CyberArk SAML Authentication](../saas-apps/cyberark-saml-authentication-tutorial.md), [Scrible Edu](https://www.scrible.com/sign-in/#/create-account), [PandaDoc](../saas-apps/pandadoc-tutorial.md), [Vtiger CRM (SAML)](../saas-apps/vtiger-crm-saml-tutorial.md), Oracle Access Manager for Oracle Retail Merchandising, Oracle Access Manager for Oracle E-Business Suite, Oracle IDCS for E-Business Suite, Oracle IDCS for PeopleSoft, Oracle IDCS for JD Edwards
-
-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### Automate user account provisioning for these newly supported SaaS apps
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** Monitoring & Reporting
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Zoom](../saas-apps/zoom-provisioning-tutorial.md)--- [Envoy](../saas-apps/envoy-provisioning-tutorial.md)--- [Proxyclick](../saas-apps/proxyclick-provisioning-tutorial.md)--- [4me](../saas-apps/4me-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md)
---
-### View the real-time progress of the Azure AD provisioning service
-
-**Type:** Changed feature
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-We've updated the Azure AD provisioning experience to include a new progress bar that shows you how far you are in the user provisioning process. This updated experience also provides information about the number of users provisioned during the current cycle, as well as how many users have been provisioned to date.
-
-For more information, see [Check the status of user provisioning](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md).
---
-### Company branding now appears on sign out and error screens
-
-**Type:** Changed feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-We've updated Azure AD so that your company branding now appears on the sign out and error screens, as well as the sign-in page. You don't have to do anything to turn on this feature, Azure AD simply uses the assets you've already set up in the **Company branding** area of the Azure portal.
-
-For more information about setting up your company branding, see [Add branding to your organization's Azure Active Directory pages](./customize-branding.md).
---
-### Azure Active Directory Multi-Factor Authentication (MFA) Server is no longer available for new deployments
-
-**Type:** Deprecated
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-As of July 1, 2019, Microsoft will no longer offer multifactor authentication (MFA) Server for new deployments. New customers who want to require multifactor authentication in their organization must now use cloud-based Azure AD Multi-Factor Authentication. Customers who activated multifactor authentication (MFA) Server prior to July 1 won't see a change. You'll still be able to download the latest version, get future updates, and generate activation credentials.
-
-For more information, see [Getting started with the Azure Active Directory Multi-Factor Authentication Server](../authentication/howto-mfaserver-deploy.md). For more information about cloud-based Azure AD Multi-Factor Authentication, see [Planning a cloud-based Azure AD Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).
---
-## May 2019
-
-### Service change: Future support for only TLS 1.2 protocols on the Application Proxy service
-
-**Type:** Plan for change
-**Service category:** App Proxy
-**Product capability:** Access Control
-
-To help provide best-in-class encryption for our customers, we're limiting access to only TLS 1.2 protocols on the Application Proxy service. This change is gradually being rolled out to customers who are already only using TLS 1.2 protocols, so you shouldn't see any changes.
-
-Deprecation of TLS 1.0 and TLS 1.1 happens on August 31, 2019, but we'll provide additional advanced notice, so you'll have time to prepare for this change. To prepare for this change make sure your client-server and browser-server combinations, including any clients your users use to access apps published through Application Proxy, are updated to use the TLS 1.2 protocol to maintain the connection to the Application Proxy service. For more information, see [Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md#prerequisites).
---
-### Use the usage and insights report to view your app-related sign-in data
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** Monitoring & Reporting
-
-You can now use the usage and insights report, located in the **Enterprise applications** area of the Azure portal, to get an application-centric view of your sign-in data, including info about:
--- Top used apps for your organization--- Apps with the most failed sign-ins--- Top sign-in errors for each app-
-For more information about this feature, see [Usage and insights report in the Azure portal](../reports-monitoring/concept-usage-insights-report.md)
---
-### Automate your user provisioning to cloud apps using Azure AD
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** Monitoring & Reporting
-
-Follow these new tutorials to use the Azure AD Provisioning Service to automate the creation, deletion, and updating of user accounts for the following cloud-based apps:
--- [Comeet](../saas-apps/comeet-recruiting-software-provisioning-tutorial.md)--- [DynamicSignal](../saas-apps/dynamic-signal-provisioning-tutorial.md)--- [KeeperSecurity](../saas-apps/keeper-password-manager-digitalvault-provisioning-tutorial.md)-
-You can also follow this new [Dropbox tutorial](../saas-apps/dropboxforbusiness-provisioning-tutorial.md), which provides info about how to provision group objects.
-
-For more information about how to better secure your organization through automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
---
-### Identity secure score is now available in Azure AD (General availability)
-
-**Type:** New feature
-**Service category:** N/A
-**Product capability:** Identity Security & Protection
-
-You can now monitor and improve your identity security posture by using the identity secure score feature in Azure AD. The identity secure score feature uses a single dashboard to help you:
--- Objectively measure your identity security posture, based on a score between 1 and 223.--- Plan for your identity security improvements--- Review the success of your security improvements-
-For more information about the identity security score feature, see [What is the identity secure score in Azure Active Directory?](./identity-secure-score.md).
---
-### New App registrations experience is now available (General availability)
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** Developer Experience
-
-The new [App registrations](https://aka.ms/appregistrations) experience is now in general availability. This new experience includes all the key features you're familiar with from the Azure portal and the Application Registration portal and improves upon them through:
--- **Better app management.** Instead of seeing your apps across different portals, you can now see all your apps in one location.--- **Simplified app registration.** From the improved navigation experience to the revamped permission selection experience, it's now easier to register and manage your apps.--- **More detailed information.** You can find more details about your app, including quickstart guides and more.-
-For more information, see [Microsoft identity platform](../develop/index.yml) and the [App registrations experience is now generally available!](https://developer.microsoft.com/identity/blogs/new-app-registrations-experience-is-now-generally-available/) blog announcement.
---
-### New capabilities available in the Risky Users API for Identity Protection
-
-**Type:** New feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-We're pleased to announce that you can now use the Risky Users API to retrieve users' risk history, dismiss risky users, and to confirm users as compromised. This change helps you to more efficiently update the risk status of your users and understand their risk history.
-
-For more information, see the [Risky Users API reference documentation](/graph/api/resources/riskyuser).
---
-### New Federated Apps available in Azure AD app gallery - May 2019
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In May 2019, we've added these 21 new apps with Federation support to the app gallery:
-
-[Freedcamp](../saas-apps/freedcamp-tutorial.md), [Real Links](../saas-apps/real-links-tutorial.md), [Kianda](https://app.kianda.com/sso/OpenID/AzureAD/), [Simple Sign](../saas-apps/simple-sign-tutorial.md), [Braze](../saas-apps/braze-tutorial.md), [Displayr](../saas-apps/displayr-tutorial.md), [Templafy](../saas-apps/templafy-tutorial.md), [Marketo Sales Engage](https://toutapp.com/login), [ACLP](../saas-apps/aclp-tutorial.md), [OutSystems](../saas-apps/outsystems-tutorial.md), [Meta4 Global HR](../saas-apps/meta4-global-hr-tutorial.md), [Quantum Workplace](../saas-apps/quantum-workplace-tutorial.md), [Cobalt](../saas-apps/cobalt-tutorial.md), [webMethods API Cloud](../saas-apps/webmethods-integration-cloud-tutorial.md), [RedFlag](https://pocketstop.com/redflag/), [Whatfix](../saas-apps/whatfix-tutorial.md), [Control](../saas-apps/control-tutorial.md), [JOBHUB](../saas-apps/jobhub-tutorial.md), [NEOGOV](../saas-apps/neogov-tutorial.md), [Foodee](../saas-apps/foodee-tutorial.md), [MyVR](../saas-apps/myvr-tutorial.md)
-
-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### Improved groups creation and management experiences in the Azure portal
-
-**Type:** New feature
-**Service category:** Group Management
-**Product capability:** Collaboration
-
-We've made improvements to the groups-related experiences in the Azure portal. These improvements allow administrators to better manage groups lists, members lists, and to provide additional creation options.
-
-Improvements include:
--- Basic filtering by membership type and group type.--- Addition of new columns, such as Source and Email address.--- Ability to multi-select groups, members, and owner lists for easy deletion.--- Ability to choose an email address and add owners during group creation.-
-For more information, see [Create a basic group and add members using Azure Active Directory](./active-directory-groups-create-azure-portal.md).
---
-### Configure a naming policy for Office 365 groups in Azure portal (General availability)
-
-**Type:** Changed feature
-**Service category:** Group Management
-**Product capability:** Collaboration
-
-Administrators can now configure a naming policy for Office 365 groups, using the Azure portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.
-
-You can configure naming policy for Office 365 groups in two different ways:
--- Define prefixes or suffixes, which are automatically added to a group name.--- Upload a customized set of blocked words for your organization, which aren't allowed in group names (for example, "CEO, Payroll, HR").-
-For more information, see [Enforce a Naming Policy for Office 365 groups](../enterprise-users/groups-naming-policy.md).
---
-### Microsoft Graph API endpoints are now available for Azure AD activity logs (General availability)
-
-**Type:** Changed feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-We're happy to announce general availability of Microsoft Graph API endpoints support for Azure AD activity logs. With this release, you can now use Version 1.0 of both the Azure AD audit logs, as well as the sign-in logs APIs.
-
-For more information, see [Azure AD audit log API overview](/graph/api/resources/azure-ad-auditlog-overview).
---
-### Administrators can now use Conditional Access for the combined registration process (Public preview)
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-Administrators can now create Conditional Access policies for use by the combined registration page. This includes applying policies to allow registration if:
--- Users are on a trusted network.--- Users are a low sign-in risk.--- Users are on a managed device.--- Users agree to the organization's terms of use (TOU).-
-For more information about Conditional Access and password reset, you can see the [Conditional Access for the Azure AD combined MFA and password reset registration experience blog post](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Conditional-access-for-the-Azure-AD-combined-MFA-and-password/ba-p/566348). For more information about Conditional Access policies for the combined registration process, see [Conditional Access policies for combined registration](../authentication/howto-registration-mfa-sspr-combined.md#conditional-access-policies-for-combined-registration). For more information about the Azure AD terms of use feature, see [Azure Active Directory terms of use feature](../conditional-access/terms-of-use.md).
---
-## April 2019
-
-### New Azure AD threat intelligence detection is now available as part of Azure AD Identity Protection
-
-**Type:** New feature
-**Service category:** Azure AD Identity Protection
-**Product capability:** Identity Security & Protection
-
-Azure AD threat intelligence detection is now available as part of the updated Azure AD Identity Protection feature. This new functionality helps to indicate unusual user activity for a specific user or activity that's consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources.
-
-For more information about the refreshed version of Azure AD Identity Protection, see the [Four major Azure AD Identity Protection enhancements are now in public preview](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Four-major-Azure-AD-Identity-Protection-enhancements-are-now-in/ba-p/326935) blog and the [What is Azure Active Directory Identity Protection (refreshed)?](../identity-protection/overview-identity-protection.md) article. For more information about Azure AD threat intelligence detection, see the [Azure Active Directory Identity Protection risk detections](../identity-protection/concept-identity-protection-risks.md) article.
---
-### Azure AD entitlement management is now available (Public preview)
-
-**Type:** New feature
-**Service category:** Identity Governance
-**Product capability:** Identity Governance
-
-Azure AD entitlement management, now in public preview, helps customers to delegate management of access packages, which defines how employees and business partners can request access, who must approve, and how long they have access. Access packages can manage membership in Azure AD and Office 365 groups, role assignments in enterprise applications, and role assignments for SharePoint Online sites. Read more about entitlement management at the [overview of Azure AD entitlement management](../governance/entitlement-management-overview.md). To learn more about the breadth of Azure AD Identity Governance features, including Privileged Identity Management, access reviews and terms of use, see [What is Azure AD Identity Governance?](../governance/identity-governance-overview.md).
---
-### Configure a naming policy for Office 365 groups in Azure portal (Public preview)
-
-**Type:** New feature
-**Service category:** Group Management
-**Product capability:** Collaboration
-
-Administrators can now configure a naming policy for Office 365 groups, using the Azure portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.
-
-You can configure naming policy for Office 365 groups in two different ways:
--- Define prefixes or suffixes, which are automatically added to a group name.--- Upload a customized set of blocked words for your organization, which are not allowed in group names (for example, "CEO, Payroll, HR").-
-For more information, see [Enforce a Naming Policy for Office 365 groups](../enterprise-users/groups-naming-policy.md).
---
-### Azure AD Activity logs are now available in Azure Monitor (General availability)
-
-**Type:** New feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-To help address your feedback about visualizations with the Azure AD Activity logs, we're introducing a new Insights feature in Log Analytics. This feature helps you gain insights about your Azure AD resources by using our interactive templates, called Workbooks. These pre-built Workbooks can provide details for apps or users, and include:
--- **Sign-ins.** Provides details for apps and users, including sign-in location, the in-use operating system or browser client and version, and the number of successful or failed sign-ins.--- **Legacy authentication and Conditional Access.** Provides details for apps and users using legacy authentication, including multifactor authentication usage triggered by Conditional Access policies, apps using Conditional Access policies, and so on.--- **Sign-in failure analysis.** Helps you to determine if your sign-in errors are occurring due to a user action, policy issues, or your infrastructure.--- **Custom reports.** You can create new, or edit existing Workbooks to help customize the Insights feature for your organization.-
-For more information, see [How to use Azure Monitor workbooks for Azure Active Directory reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md).
---
-### New Federated Apps available in Azure AD app gallery - April 2019
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In April 2019, we've added these 21 new apps with Federation support to the app gallery:
-
-[SAP Fiori](../saas-apps/sap-fiori-tutorial.md), [HRworks Single Sign-On](../saas-apps/hrworks-single-sign-on-tutorial.md), [Percolate](../saas-apps/percolate-tutorial.md), [MobiControl](../saas-apps/mobicontrol-tutorial.md), [Citrix NetScaler](../saas-apps/citrix-netscaler-tutorial.md), [Shibumi](../saas-apps/shibumi-tutorial.md), [Benchling](../saas-apps/benchling-tutorial.md), [MileIQ](https://mileiq.onelink.me/991934284/7e980085), [PageDNA](../saas-apps/pagedna-tutorial.md), [EduBrite LMS](../saas-apps/edubrite-lms-tutorial.md), [RStudio Connect](../saas-apps/rstudio-connect-tutorial.md), [AMMS](../saas-apps/amms-tutorial.md), [Mitel Connect](../saas-apps/mitel-connect-tutorial.md), [Alibaba Cloud (Role-based SSO)](../saas-apps/alibaba-cloud-service-role-based-sso-tutorial.md), [Certent Equity Management](../saas-apps/certent-equity-management-tutorial.md), [Sectigo Certificate Manager](../saas-apps/sectigo-certificate-manager-tutorial.md), [GreenOrbit](../saas-apps/greenorbit-tutorial.md), [Workgrid](../saas-apps/workgrid-tutorial.md), [monday.com](../saas-apps/mondaycom-tutorial.md), [SurveyMonkey Enterprise](../saas-apps/surveymonkey-enterprise-tutorial.md), [Indiggo](https://indiggolead.com/)
-
-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### New access reviews frequency option and multiple role selection
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-New updates in Azure AD access reviews allow you to:
--- Change the frequency of your access reviews to **semi-annually**, in addition to the previously existing options of weekly, monthly, quarterly, and annually.--- Select multiple Azure AD and Azure resource roles when creating a single access review. In this situation, all roles are set up with the same settings and all reviewers are notified at the same time.-
-For more information about how to create an access review, see [Create an access review of groups or applications in Azure AD access reviews](../governance/create-access-review.md).
---
-### Azure AD Connect email alert system(s) are transitioning, sending new email sender information for some customers
-
-**Type:** Changed feature
-**Service category:** AD Sync
-**Product capability:** Platform
-
-Azure AD Connect is in the process of transitioning our email alert system(s), potentially showing some customers a new email sender. To address this, you must add `azure-noreply@microsoft.com` to your organization's allowlist or you won't be able to continue receiving important alerts from your Office 365, Azure, or your Sync services.
---
-### UPN suffix changes are now successful between Federated domains in Azure AD Connect
-
-**Type:** Fixed
-**Service category:** AD Sync
-**Product capability:** Platform
-
-You can now successfully change a user's UPN suffix from one Federated domain to another Federated domain in Azure AD Connect. This fix means you should no longer experience the FederatedDomainChangeError error message during the synchronization cycle or receive a notification email stating, "Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services".
----
-### Increased security using the app protection-based Conditional Access policy in Azure AD (Public preview)
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-App protection-based Conditional Access is now available by using the **Require app protection** policy. This new policy helps to increase your organization's security by helping to prevent:
--- Users gaining access to apps without a Microsoft Intune license.--- Users being unable to get a Microsoft Intune app protection policy.--- Users gaining access to apps without a configured Microsoft Intune app protection policy.-
-For more information, see [How to Require app protection policy for cloud app access with Conditional Access](../conditional-access/app-protection-based-conditional-access.md).
---
-### New support for Azure AD single sign-on and Conditional Access in Microsoft Edge (Public preview)
-
-**Type:** New feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-We've enhanced our Azure AD support for Microsoft Edge, including providing new support for Azure AD single sign-on and Conditional Access. If you've previously used Microsoft Intune Managed Browser, you can now use Microsoft Edge instead.
-
-For more information about setting up and managing your devices and apps using Conditional Access, see [Require managed devices for cloud app access with Conditional Access](../conditional-access/require-managed-devices.md) and [Require approved client apps for cloud app access with Conditional Access](../conditional-access/app-based-conditional-access.md). For more information about how to manage access using Microsoft Edge with Microsoft Intune policies, see [Manage Internet access using a Microsoft Intune policy-protected browser](/intune/app-configuration-managed-browser).
---
-## March 2019
-
-### Identity Experience Framework and custom policy support in Azure Active Directory B2C is now available (GA)
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-You can now create custom policies in Azure AD B2C, including the following tasks, which are supported at-scale and under our Azure SLA:
--- Create and upload custom authentication user journeys by using custom policies.--- Describe user journeys step-by-step as exchanges between claims providers.--- Define conditional branching in user journeys.--- Transform and map claims for use in real-time decisions and communications.--- Use REST API-enabled services in your custom authentication user journeys. For example, with email providers, CRMs, and proprietary authorization systems.--- Federate with identity providers who are compliant with the OpenIDConnect protocol. For example, with multi-tenant Azure AD, social account providers, or two-factor verification providers.-
-For more information about creating custom policies, see [Developer notes for custom policies in Azure Active Directory B2C](../../active-directory-b2c/custom-policy-developer-notes.md) and read [Alex Simon's blog post, including case studies](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-B2C-custom-policies-to-build-your-own-identity-journeys/ba-p/382791).
---
-### New Federated Apps available in Azure AD app gallery - March 2019
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In March 2019, we've added these 14 new apps with Federation support to the app gallery:
-
-[ISEC7 Mobile Exchange Delegate](https://www.isec7.com/english/), [MediusFlow](https://office365.cloudapp.mediusflow.com/), [ePlatform](../saas-apps/eplatform-tutorial.md), [Fulcrum](../saas-apps/fulcrum-tutorial.md), [ExcelityGlobal](../saas-apps/excelityglobal-tutorial.md), [Explanation-Based Auditing System](../saas-apps/explanation-based-auditing-system-tutorial.md), [Lean](../saas-apps/lean-tutorial.md), [Powerschool Performance Matters](../saas-apps/powerschool-performance-matters-tutorial.md), [Cinode](https://cinode.com/), [Iris Intranet](../saas-apps/iris-intranet-tutorial.md), [Empactis](../saas-apps/empactis-tutorial.md), [SmartDraw](../saas-apps/smartdraw-tutorial.md), [Confirmit Horizons](../saas-apps/confirmit-horizons-tutorial.md), [TAS](../saas-apps/tas-tutorial.md)
-
-For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
---
-### New Zscaler and Atlassian provisioning connectors in the Azure AD gallery - March 2019
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-Automate creating, updating, and deleting user accounts for the following apps:
-
-[Zscaler](../saas-apps/zscaler-provisioning-tutorial.md), [Zscaler Beta](../saas-apps/zscaler-beta-provisioning-tutorial.md), [Zscaler One](../saas-apps/zscaler-one-provisioning-tutorial.md), [Zscaler Two](../saas-apps/zscaler-two-provisioning-tutorial.md), [Zscaler Three](../saas-apps/zscaler-three-provisioning-tutorial.md), [Zscaler ZSCloud](../saas-apps/zscaler-zscloud-provisioning-tutorial.md), [Atlassian Cloud](../saas-apps/atlassian-cloud-provisioning-tutorial.md)
-
-For more information about how to better secure your organization through automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
---
-### Restore and manage your deleted Office 365 groups in the Azure portal
-
-**Type:** New feature
-**Service category:** Group Management
-**Product capability:** Collaboration
-
-You can now view and manage your deleted Office 365 groups from the Azure portal. This change helps you to see which groups are available to restore, along with letting you permanently delete any groups that aren't needed by your organization.
-
-For more information, see [Restore expired or deleted groups](../enterprise-users/groups-restore-deleted.md#view-and-manage-the-deleted-microsoft-365-groups-that-are-available-to-restore).
---
-### Single sign-on is now available for Azure AD SAML-secured on-premises apps through Application Proxy (public preview)
-
-**Type:** New feature
-**Service category:** App Proxy
-**Product capability:** Access Control
-
-You can now provide a single sign-on (SSO) experience for on-premises, SAML-authenticated apps, along with remote access to these apps through Application Proxy. For more information about how to set up SAML SSO with your on-premises apps, see [SAML single sign-on for on-premises applications with Application Proxy (Preview)](../app-proxy/application-proxy-configure-single-sign-on-on-premises-apps.md).
---
-### Client apps in request loops will be interrupted to improve reliability and user experience
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-Client apps can incorrectly issue hundreds of the same login requests over a short period of time. These requests, whether they're successful or not, all contribute to a poor user experience and heightened workloads for the IDP, increasing latency for all users and reducing the availability of the IDP.
-
-This update sends an `invalid_grant` error: `AADSTS50196: The server terminated an operation because it encountered a loop while processing a request` to client apps that issue duplicate requests multiple times over a short period of time, beyond the scope of normal operation. Client apps that encounter this issue should show an interactive prompt, requiring the user to sign in again. For more information about this change and about how to fix your app if it encounters this error, see [What's new for authentication?](../develop/reference-breaking-changes.md#looping-clients-will-be-interrupted).
---
-### New Audit Logs user experience now available
-
-**Type:** Changed feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-We've created a new Azure AD **Audit logs** page to help improve both readability and how you search for your information. To see the new **Audit logs** page, select **Audit logs** in the **Activity** section of Azure AD.
-
-![New Audit logs page, with sample info](media/whats-new/audit-logs-page.png)
-
-For more information about the new **Audit logs** page, see [Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md).
---
-### New warnings and guidance to help prevent accidental administrator lockout from misconfigured Conditional Access policies
-
-**Type:** Changed feature
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-To help prevent administrators from accidentally locking themselves out of their own tenants through misconfigured Conditional Access policies, we've created new warnings and updated guidance in the Azure portal. For more information about the new guidance, see [What are service dependencies in Azure Active Directory Conditional Access](../conditional-access/service-dependencies.md).
---
-### Improved end-user terms of use experiences on mobile devices
-
-**Type:** Changed feature
-**Service category:** Terms of use
-**Product capability:** Governance
-
-We've updated our existing terms of use experiences to help improve how you review and consent to terms of use on a mobile device. You can now zoom in and out, go back, download the information, and select hyperlinks. For more information about the updated terms of use, see [Azure Active Directory terms of use feature](../conditional-access/terms-of-use.md#what-terms-of-use-looks-like-for-users).
---
-### New Azure AD Activity logs download experience available
-
-**Type:** Changed feature
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-You can now download large amounts of activity logs directly from the Azure portal. This update lets you:
--- Download up to 250,000 rows.--- Get notified after the download completes.--- Customize your file name.--- Determine your output format, either JSON or CSV.-
-For more information about this feature, see [Quickstart: Download an audit report using the Azure portal](../reports-monitoring/howto-download-logs.md)
---
-### Breaking change: Updates to condition evaluation by Exchange ActiveSync (EAS)
-
-**Type:** Plan for change
-**Service category:** Conditional Access
-**Product capability:** Access Control
-
-We're in the process of updating how Exchange ActiveSync (EAS) evaluates the following conditions:
--- User location, based on country/region or IP address--- Sign-in risk--- Device platform-
-If you've previously used these conditions in your Conditional Access policies, be aware that the condition behavior might change. For example, if you previously used the user location condition in a policy, you might find the policy now being skipped based on the location of your user.
-
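Review bot: check for inbound deep links to the headings removed here before merging. The ones most likely to be linked are the March 2019 `AADSTS50196` looping-client entry, the May 2019 TLS 1.2-only notice for Application Proxy, and the Exchange ActiveSync condition-evaluation breaking change at the end of the block, since those are what an error message or a policy change sends people looking for. The Identity Protection risks article in this same update drops its link to a whats-new-archive anchor, so a repo-wide search for anchors into these sections would avoid further dead links. If the content moved, add a redirect or a pointer to the new location.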
active-directory How To Connect Syncservice Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-syncservice-features.md
Connect-MgGraph -Scopes OnPremDirectorySynchronization.Read.All, OnPremDirectory
Get-MgDirectoryOnPremisSynchronization | Select-Object -ExpandProperty Features | Format-List ```
-The output looks similar to `Get-MsolDireSyncFeatures`:
+The output looks similar to `Get-MsolDirSyncFeatures`:
```powershell BlockCloudObjectTakeoverThroughHardMatchEnabled : False BlockSoftMatchEnabled : False
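Review bot: the cmdlet in the context line just above the corrected sentence, `Get-MgDirectoryOnPremisSynchronization`, also looks misspelled. The Microsoft Graph PowerShell cmdlet is `Get-MgDirectoryOnPremiseSynchronization`, so a reader who copies the sample as shown gets a command-not-found error. Worth fixing in the same pass as the `Get-MsolDirSyncFeatures` typo, and re-running the sample against the current module to confirm the output block still matches.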
active-directory Concept Identity Protection Risks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-risks.md
Real-time detections may not show up in reporting for 5 to 10 minutes. Offline d
| [Atypical travel](#atypical-travel) | Offline | Premium | | [Anomalous Token](#anomalous-token) | Offline | Premium | | [Token Issuer Anomaly](#token-issuer-anomaly) | Offline | Premium |
-| [Malware linked IP address](#malware-linked-ip-address-deprecated) | Offline | Premium **[This detection has been deprecated](../fundamentals/whats-new-archive.md#planned-deprecationmalware-linked-ip-address-detection-in-identity-protection)**. |
+| [Malware linked IP address](#malware-linked-ip-address-deprecated) | Offline | Premium **This detection has been deprecated.** |
| [Suspicious browser](#suspicious-browser) | Offline | Premium | | [Unfamiliar sign-in properties](#unfamiliar-sign-in-properties) | Real-time | Premium | | [Malicious IP address](#malicious-ip-address) | Offline | Premium |
The algorithm ignores obvious "false positives" contributing to the impossible t
#### Malware linked IP address (deprecated)
-**Calculated offline**. This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. This detection matches the IP addresses of the user's device against IP addresses that were in contact with a bot server while the bot server was active. **[This detection has been deprecated](../fundamentals/whats-new-archive.md#planned-deprecationmalware-linked-ip-address-detection-in-identity-protection)**. Identity Protection no longer generates new "Malware linked IP address" detections. Customers who currently have "Malware linked IP address" detections in their tenant will still be able to view, remediate, or dismiss them until the 90-day detection retention time is reached.
+**Calculated offline**. This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. This detection matches the IP addresses of the user's device against IP addresses that were in contact with a bot server while the bot server was active. **This detection has been deprecated**. Identity Protection no longer generates new "Malware linked IP address" detections. Customers who currently have "Malware linked IP address" detections in their tenant will still be able to view, remediate, or dismiss them until the 90-day detection retention time is reached.
#### Suspicious browser
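Review bot: The deprecation statement in the "Malware linked IP address (deprecated)" paragraph and in the table row no longer links anywhere, so a reader who still has these detections in the tenant has no pointer to the deprecation announcement or its date. If the archive link had to go because the target moved, consider pointing to wherever the announcement now lives rather than dropping the reference. Minor: the table cell puts the period inside the bold (`**This detection has been deprecated.**`) while the paragraph puts it outside (`**This detection has been deprecated**.`); pick one.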
active-directory Delete Application Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/delete-application-portal.md
Last updated 06/21/2023
zone_pivot_groups: enterprise-apps-all--+ #Customer intent: As an administrator of an Azure AD tenant, I want to delete an enterprise application.
active-directory Restore Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/restore-application.md
Last updated 06/21/2023 -+ zone_pivot_groups: enterprise-apps-minus-portal #Customer intent: As an administrator of an Azure AD tenant, I want to restore a soft deleted enterprise application.
active-directory Powershell Export All App Registrations Secrets And Certs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/scripts/powershell-export-all-app-registrations-secrets-and-certs.md
+ Last updated 07/11/2023
active-directory Powershell Export All Enterprise Apps Secrets And Certs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/scripts/powershell-export-all-enterprise-apps-secrets-and-certs.md
+ Last updated 07/11/2023
active-directory Powershell Export Apps With Expiring Secrets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/scripts/powershell-export-apps-with-expiring-secrets.md
+ Last updated 07/11/2023
You can modify the "$Path" variable directly in PowerShell, with a CSV file path
For more information on the Microsoft Graph PowerShell module, see [Microsoft Graph PowerShell module overview](/powershell/microsoftgraph/installation).
-For other PowerShell examples for Application Management, see [Azure Microsoft Graph PowerShell examples for Application Management](../app-management-powershell-samples.md).
+For other PowerShell examples for Application Management, see [Azure Microsoft Graph PowerShell examples for Application Management](../app-management-powershell-samples.md).
active-directory Powershell Export Apps With Secrets Beyond Required https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/scripts/powershell-export-apps-with-secrets-beyond-required.md
+ Last updated 07/12/2023
active-directory Groups Role Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-role-settings.md
On the **Notifications** tab on the **Role settings** page, Privileged Identity
- **Send emails to both default recipients and more recipients**: You can send emails to both the default recipient and another recipient. Select the default recipient checkbox and add email addresses for other recipients. - **Critical emails only**: For each type of email, you can select the checkbox to receive critical emails only. Privileged Identity Management continues to send emails to the specified recipients only when the email requires immediate action. For example, emails that ask users to extend their role assignment aren't triggered. Emails that require admins to approve an extension request are triggered.
+>[!NOTE]
+>One event in Privileged Identity Management can generate email notifications to multiple recipients ΓÇô assignees, approvers, or administrators. The maximum number of notifications sent per one event is 1000. If the number of recipients exceeds 1000 ΓÇô only the first 1000 recipients will receive an email notification. This does not prevent other assignees, administrators, or approvers from using their permissions in Microsoft Entra and Privileged Identity Management.
+ ## Manage role settings by using Microsoft Graph To manage role settings for groups by using PIM APIs in Microsoft Graph, use the [unifiedRoleManagementPolicy resource type and its related methods](/graph/api/resources/unifiedrolemanagementpolicy).
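Review bot: "only the first 1000 recipients will receive an email notification" does not say how "first" is determined, so an administrator cannot tell which assignees, approvers or administrators are skipped once an event has more than 1000 recipients. State the ordering, or say that it is not guaranteed, since the surrounding text says these emails include approval requests that require action. The two dashes in the note also come through as `ΓÇô` in this text; a comma or a plain hyphen would avoid the encoding problem. The same note is added verbatim to the other PIM articles in this update, so a shared include would keep the copies in sync.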
active-directory Pim Email Notifications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-email-notifications.md
Privileged Identity Management (PIM) lets you know when important events occur in your Azure Active Directory (Azure AD) organization, such as when a role is assigned or activated. Privileged Identity Management keeps you informed by sending you and other participants email notifications. These emails might also include links to relevant tasks, such activating or renewing a role. This article describes what these emails look like, when they are sent, and who receives them.
+>[!NOTE]
+>One event in Privileged Identity Management can generate email notifications to multiple recipients ΓÇô assignees, approvers, or administrators. The maximum number of notifications sent per one event is 1000. If the number of recipients exceeds 1000 ΓÇô only the first 1000 recipients will receive an email notification. This does not prevent other assignees, administrators, or approvers from using their permissions in Microsoft Entra and Privileged Identity Management.
+ ## Sender email address and subject line Emails sent from Privileged Identity Management for both Azure AD and Azure resource roles have the following sender email address:
active-directory Pim How To Change Default Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md
On the **Notifications** tab on the **Role settings** page, Privileged Identity
- **Send emails to both default recipients and more recipients**: You can send emails to both the default recipient and another recipient. Select the default recipient checkbox and add email addresses for other recipients. - **Critical emails only**: For each type of email, you can select the checkbox to receive critical emails only. With this option, Privileged Identity Management continues to send emails to the specified recipients only when the email requires immediate action. For example, emails that ask users to extend their role assignment aren't triggered. Emails that require admins to approve an extension request are triggered.
+>[!NOTE]
+>One event in Privileged Identity Management can generate email notifications to multiple recipients ΓÇô assignees, approvers, or administrators. The maximum number of notifications sent per one event is 1000. If the number of recipients exceeds 1000 ΓÇô only the first 1000 recipients will receive an email notification. This does not prevent other assignees, administrators, or approvers from using their permissions in Microsoft Entra and Privileged Identity Management.
## Manage role settings by using Microsoft Graph To manage settings for Azure AD roles by using PIM APIs in Microsoft Graph, use the [unifiedRoleManagementPolicy resource type and related methods](/graph/api/resources/unifiedrolemanagementpolicy).
active-directory Pim How To Configure Security Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts.md
Privileged Identity Management (PIM) generates alerts when there's suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Privileged Identity Management dashboard. Select the alert to see a report that lists the users or roles that triggered the alert.
+>[!NOTE]
+>One event in Privileged Identity Management can generate email notifications to multiple recipients ΓÇô assignees, approvers, or administrators. The maximum number of notifications sent per one event is 1000. If the number of recipients exceeds 1000 ΓÇô only the first 1000 recipients will receive an email notification. This does not prevent other assignees, administrators, or approvers from using their permissions in Microsoft Entra and Privileged Identity Management.
+ ![Screenshot that shows the alerts page with a list of alerts and their severity.](./media/pim-how-to-configure-security-alerts/view-alerts.png) ## License requirements
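Review bot: This note is about the cap on email notifications, but it is placed in the introduction of an article about security alerts, between the sentence on selecting an alert in the dashboard and the alerts screenshot, and nothing in the visible text says alerts are delivered by email. Either tie the note to alert emails explicitly or keep it in the notification-settings articles where it already appears. The same applies to pim-resource-roles-configure-alerts.md.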
active-directory Pim Resource Roles Configure Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-alerts.md
Privileged Identity Management (PIM) generates alerts when there's suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Alerts page.
+>[!NOTE]
+>One event in Privileged Identity Management can generate email notifications to multiple recipients ΓÇô assignees, approvers, or administrators. The maximum number of notifications sent per one event is 1000. If the number of recipients exceeds 1000 ΓÇô only the first 1000 recipients will receive an email notification. This does not prevent other assignees, administrators, or approvers from using their permissions in Microsoft Entra and Privileged Identity Management.
+ ![Screenshot of the alerts page listing alert, risk level, and count.](media/pim-resource-roles-configure-alerts/rbac-alerts-page.png) ## Review alerts
active-directory Pim Resource Roles Configure Role Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings.md
On the **Notifications** tab on the **Role settings** page, Privileged Identity
- **Send emails to both default recipients and more recipients**: You can send emails to both the default recipient and another recipient. Select the default recipient checkbox and add email addresses for other recipients. - **Critical emails only**: For each type of email, you can select the checkbox to receive critical emails only. Privileged Identity Management continues to send emails to the specified recipients only when the email requires immediate action. For example, emails that ask users to extend their role assignment aren't triggered. Emails that require admins to approve an extension request are triggered.
+>[!NOTE]
+>One event in Privileged Identity Management can generate email notifications to multiple recipients ΓÇô assignees, approvers, or administrators. The maximum number of notifications sent per one event is 1000. If the number of recipients exceeds 1000 ΓÇô only the first 1000 recipients will receive an email notification. This does not prevent other assignees, administrators, or approvers from using their permissions in Microsoft Entra and Privileged Identity Management.
+ ## Next steps - [Assign Azure resource roles in Privileged Identity Management](pim-resource-roles-assign-roles.md)
active-directory Get Started Request Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/get-started-request-api.md
In the preceding code, provide the following parameters:
| Parameter | Condition | Description | | | | |
-| Authority | Required | The directory tenant the application plans to operate against. For example: `https://login.microsoftonline.com/{your-tenant}`. (Replace `your-tenant` with your [tenant ID or name](../fundamentals/active-directory-how-to-find-tenant.md).) |
+| Authority | Required | The directory tenant the application plans to operate against. For example: `https://login.microsoftonline.com/{your-tenant}`. (Replace `your-tenant` with your [tenant ID or name](/azure/active-directory-b2c/tenant-management-read-tenant-name).) |
| Client ID | Required | The application ID that's assigned to your app. You can find this information in the Azure portal, where you registered your app. | | Client secret | Required | The client secret that you generated for your app.| | Scopes | Required | Must be set to `3db474b9-6a0c-4840-96ac-1fceb342124f/.default`. This will produce an access token with a **roles** claim of `VerifiableCredential.Create.All`. |
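Review bot: The new target for "tenant ID or name" in the Authority row is an Azure AD B2C article (`/azure/active-directory-b2c/tenant-management-read-tenant-name`), while this table describes token acquisition against `https://login.microsoftonline.com/{your-tenant}` for the Verifiable Credentials Request API. A reader following the link may conclude a B2C tenant is required or look up the wrong tenant. Link to a tenant-lookup article for regular Azure AD tenants, or state in the row that the steps in the B2C article apply here too.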
ai-services Luis Traffic Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/LUIS/luis-traffic-manager.md
This article explains how to manage the traffic across keys with Azure [Traffic
[!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)] ## Connect to PowerShell in the Azure portal
-In the [Azure][azure-portal] portal, open the PowerShell window. The icon for the PowerShell window is the **>_** in the top navigation bar. By using PowerShell from the portal, you get the latest PowerShell version and you are authenticated. PowerShell in the portal requires an [Azure Storage](https://azure.microsoft.com/services/storage/) account.
+In the [Azure portal](https://portal.azure.com), open the PowerShell window. The icon for the PowerShell window is the **>_** in the top navigation bar. By using PowerShell from the portal, you get the latest PowerShell version and you are authenticated. PowerShell in the portal requires an [Azure Storage](https://azure.microsoft.com/services/storage/) account.
![Screenshot of Azure portal with PowerShell window open](./media/traffic-manager/azure-portal-powershell.png)
Review [middleware](/azure/bot-service/bot-builder-create-middleware?tabs=csaddm
[traffic-manager-marketing]: https://azure.microsoft.com/services/traffic-manager/ [traffic-manager-docs]: ../../traffic-manager/index.yml [LUIS]: ./luis-reference-regions.md#luis-website
-[azure-portal]: https://portal.azure.com/
[azure-storage]: https://azure.microsoft.com/services/storage/ [routing-methods]: ../../traffic-manager/traffic-manager-routing-methods.md [traffic-manager-endpoints]: ../../traffic-manager/traffic-manager-endpoint-types.md
ai-services Data Formats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/concepts/data-formats.md
+
+ Title: Custom sentiment analysis data formats
+
+description: Learn about the data formats accepted by custom sentiment analysis.
++++++ Last updated : 07/19/2023++++
+# Accepted custom sentiment analysis data formats
+
+If you are trying to [import your data](../how-to/create-project.md#import-a-custom-sentiment-analysis-project) into custom sentiment analysis, it has to follow a specific format. If you don't have data to import, you can [create your project](../how-to/create-project.md) and use Language Studio to [label your documents](../how-to/label-data.md).
+
+## Labels file format
+
+Your Labels file should be in the `json` format below to be used in [importing](../how-to/create-project.md#import-a-custom-sentiment-analysis-project) your labels into a project.
+
+```json
+{
+ "projectFileVersion": "2023-04-15-preview",
+ "stringIndexType": "Utf16CodeUnit",
+ "metadata": {
+ "projectKind": "CustomTextSentiment",
+ "storageInputContainerName": "custom-sentiment-2",
+ "projectName": "sa-test",
+ "multilingual": false,
+ "description": "",
+ "language": "en-us"
+ },
+ "assets": {
+ "projectKind": "CustomTextSentiment",
+ "documents": [
+ {
+ "location": "document_1.txt",
+ "language": "en-us",
+ "sentimentSpans": [
+ {
+ "category": "positive",
+ "offset": 0,
+ "length": 60
+ },
+ {
+ "category": "neutral",
+ "offset": 61,
+ "length": 31
+ }
+ ],
+ "dataset": "Train"
+ },
+ {
+ "location": "document_2.txt",
+ "language": "en-us",
+ "sentimentSpans": [
+ {
+ "category": "positive",
+ "offset": 0,
+ "length": 50
+ },
+ {
+ "category": "positive",
+ "offset": 51,
+ "length": 49
+ },
+ {
+ "category": "positive",
+ "offset": 101,
+ "length": 26
+ }
+ ],
+ "dataset": "Train"
+ }
+ ]
+ }
+}
+
+```
+
+|Key |Placeholder |Value | Example |
+|||-|--|
+| `multilingual` | `true`| A boolean value that enables you to have documents in multiple languages in your dataset and when your model is deployed you can query the model in any supported language (not necessarily included in your training documents). See [language support](../../language-support.md#multi-lingual-option-custom-sentiment-analysis-only) to learn more about multilingual support. | `true`|
+|`projectName`|`{PROJECT-NAME}`|Project name|`myproject`|
+| storageInputContainerName|`{CONTAINER-NAME}`|Container name|`mycontainer`|
+| `sentimentSpans` | | Array containing all the sentiments and their locations in the document. | |
+| `documents` | | Array containing all the documents in your project and list of the entities labeled within each document. | [] |
+| `location` | `{DOCUMENT-NAME}` | The location of the documents in the storage container. Since all the documents are in the root of the container this should be the document name.|`doc1.txt`|
+| `dataset` | `{DATASET}` | The test set to which this file will go to when split before training. Learn more about data splitting [here](../how-to/train-model.md#data-splitting) . Possible values for this field are `Train` and `Test`. |`Train`|
+| `offset` | | The inclusive character position of the start of a sentiment in the text. |`0`|
+| `length` | | The length of the bounding box in terms of UTF16 characters. Training only considers the data in this region. |`500`|
+| `category` | | The sentiment associated with the span of text specified. | `positive`|
+| `offset` | | The start position for the entity text. | `25`|
+| `length` | | The length of the entity in terms of UTF16 characters. | `20`|
+| `language` | `{LANGUAGE-CODE}` | A string specifying the language code for the document used in your project. If your project is a multilingual project, choose the language code of the majority of the documents. See [Language support](../../language-support.md) for more information about supported language codes. |`en-us`|
+++
+## Next steps
+* You can import your labeled data into your project directly. Learn how to [import project](../how-to/create-project.md#import-a-custom-sentiment-analysis-project)
+* See the [how-to article](../how-to/label-data.md) more information about labeling your data. When you're done labeling your data, you can [train your model](../how-to/train-model.md).
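Review bot: The key table lists `offset` and `length` twice with different meanings, and the second pair ("The start position for the entity text", "The length of the entity") together with the `documents` description ("list of the entities labeled within each document") describe entities, which this format does not contain; they read as carried over from the entity recognition article. Keep one `offset` row and one `length` row that describe a sentiment span, and reword `documents` to refer to `sentimentSpans`. The first `length` row's "bounding box" wording and its example `500` also do not match the sample, where span lengths run from 26 to 60. Since the sample sets `stringIndexType` to `Utf16CodeUnit`, say whether `offset` is counted in UTF-16 code units like `length`; the rows currently say "character position" for one and "UTF16 characters" for the other. Smaller points: the separator row `|||-|--|` has cells with no dashes and may not render as a table, `storageInputContainerName` is the only key without backticks, `projectFileVersion`, `stringIndexType` and `projectKind` appear in the sample but are not documented, and the last Next steps bullet is missing "for" ("See the how-to article for more information").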
ai-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/call-api.md
+
+ Title: Send a Custom sentiment analysis request to your custom model
+description: Learn how to send requests for Custom sentiment analysis.
+++++++ Last updated : 07/19/2023+
+ms.devlang: csharp, python
+++
+# Send a Custom sentiment analysis request to your custom model
+
+After the deployment is added successfully, you can query the deployment to extract entities from your text based on the model you assigned to the deployment.
+You can query the deployment programmatically using the [Prediction API](https://aka.ms/ct-runtime-api) or through the client libraries (Azure SDK).
+
+## Test a deployed Custom sentiment analysis model
+
+You can use Language Studio to submit the custom entity recognition task and visualize the results.
++
+<!--:::image type="content" source="../media/test-model-results.png" alt-text="View the test results" lightbox="../media/test-model-results.png":::>
++
+## Send a sentiment analysis request to your model
+
+# [Language Studio](#tab/language-studio)
++
+# [REST API](#tab/rest-api)
+
+First you need to get your resource key and endpoint:
+++++
+### Submit a Custom sentiment analysis task
++
+### Get task results
++
+## Next steps
+
+* [Sentiment Analysis overview](../../overview.md)
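Review bot: The image comment under "Test a deployed Custom sentiment analysis model" opens with `<!--` but ends with `:::>` instead of `-->`, so the comment is never closed and the sections after it may be swallowed when the page renders. Close it with `-->`. The intro and the test section also still describe entity recognition ("extract entities from your text", "submit the custom entity recognition task"); reword both for sentiment analysis. The "Language Studio" tab, "Submit a Custom sentiment analysis task" and "Get task results" headings have no body in the visible lines, only bare `+` lines, so confirm the content they are meant to carry is actually present in the file.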
ai-services Create Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/create-project.md
+
+ Title: How to create Custom sentiment analysis projects
+
+description: Learn about the steps for using Azure resources with Custom sentiment analysis.
++++++ Last updated : 07/19/2023++++
+# How to create Custom sentiment analysis project
+
+Use this article to learn how to set up the requirements for starting with Custom sentiment analysis and create a project.
+
+## Prerequisites
+
+Before you start using Custom sentiment analysis, you'll need:
+
+* An Azure subscription - [Create one for free](https://azure.microsoft.com/free/cognitive-services).
+
+## Create a Language resource
+
+Before you start using Custom sentiment analysis, you'll need an Azure Language resource. It's recommended to create your Language resource and connect a storage account to it in the Azure portal. Creating a resource in the Azure portal lets you create an Azure storage account at the same time, with all of the required permissions preconfigured. You can also read further in the article to learn how to use a pre-existing resource, and configure it to work with Custom sentiment analysis.
+
+You also need an Azure storage account where you'll upload your `.txt` documents that will be used to train a model to classify text.
+
+> [!NOTE]
+> * You need to have an **owner** role assigned on the resource group to create a Language resource.
+> * If you will connect a pre-existing storage account, you should have an **owner** role assigned to it.
+
+## Create Language resource and connect storage account
++
+> [!Note]
+> You shouldn't move the storage account to a different resource group or subscription once it's linked with the Language resource.
+++++++
+> [!NOTE]
+> * The process of connecting a storage account to your Language resource is irreversible, it cannot be disconnected later.
+> * You can only connect your language resource to one storage account.
+
+## Using a pre-existing Language resource
+++
+## Create a Custom sentiment analysis project
+
+Once your resource and storage container are configured, create a new Custom sentiment analysis project. A project is a work area for building your custom AI models based on your data. Your project can only be accessed by you and others who have access to the Azure resource being used. If you have labeled data, you can [import it](#import-a-custom-sentiment-analysis-project) to get started.
+
+### [Language Studio](#tab/studio)
+++
+### [REST APIs](#tab/apis)
++++
+## Import a Custom sentiment analysis project
+
+<!--If you have already labeled data, you can use it to get started with the service. Make sure that your labeled data follows the [accepted data formats](../concepts/data-formats.md).-->
+
+### [Language Studio](#tab/studio)
++
+### [REST APIs](#tab/apis)
++++
+## Get project details
+
+### [Language Studio](#tab/studio)
++
+### [REST APIs](#tab/apis)
++++
+## Delete project
+
+### [Language Studio](#tab/studio)
++
+### [REST APIs](#tab/apis)
++++
+## Next steps
+
+* [Sentiment analysis overview](../../overview.md)
+<!--* You should have an idea of the [project schema](design-schema.md) you will use to label your data.
+
+* After your project is created, you can start [labeling your data](tag-data.md), which will inform your text classification model how to interpret text, and is used for training and evaluation.-->
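Review bot: The "Import a Custom sentiment analysis project" section has its only explanatory sentence commented out, yet data-formats.md links to that anchor for import instructions; uncomment it or add a one-line introduction. Under "Create a Language resource", the storage account is described as holding documents "used to train a model to classify text", and the commented-out next steps mention `tag-data.md` and "your text classification model"; both read as leftovers from the text classification article. The second note under "Create Language resource and connect storage account" has a comma splice ("is irreversible, it cannot be disconnected later"), and the H1 needs an article: "How to create a Custom sentiment analysis project". The first note asks for the **owner** role on both the resource group and a pre-existing storage account; if a narrower role is sufficient, name it, because readers will grant whatever this page says.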
ai-services Deploy Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/deploy-model.md
+
+ Title: Deploy a Custom sentiment analysis model
+
+description: Learn about deploying a model for Custom sentiment analysis.
++++++ Last updated : 07/19/2023++++
+# Deploy a Custom sentiment analysis model
+
+Once you're satisfied with how your model performs, it's ready to be deployed and used to recognize entities in text. Deploying a model makes it available for use through the [prediction API](https://aka.ms/ct-runtime-swagger).
+
+## Prerequisites
+
+* A successfully [created project](create-project.md) with a configured Azure storage account.
+* Text data that has [been uploaded](design-schema.md#data-preparation) to your storage account.
+<!--* [Labeled data](label-data.md) and a successfully [trained model](train-model.md).
+* Reviewed the [model evaluation details](view-model-evaluation.md) to determine how your model is performing.
+
+For more information, see [project development lifecycle](../overview.md#project-development-lifecycle).-->
+
+## Deploy model
+
+After you've reviewed your model's performance and decided it can be used in your environment, you need to assign it to a deployment. Assigning the model to a deployment makes it available for use through the [prediction API](https://aka.ms/ct-runtime-swagger). It is recommended to create a deployment named *production* to which you assign the best model you have built so far and use it in your system. You can create another deployment called *staging* to which you can assign the model you're currently working on to be able to test it. You can have a maximum of 10 deployments in your project.
+
+<!--# [Language Studio](#tab/language-studio)
+
+
+# [REST APIs](#tab/rest-api)
+-->
+### Submit deployment job
++
+### Get deployment job status
++
+## Swap deployments
+
+After you are done testing a model assigned to one deployment and you want to assign this model to another deployment you can swap these two deployments. Swapping deployments involves taking the model assigned to the first deployment, and assigning it to the second deployment. Then taking the model assigned to second deployment, and assigning it to the first deployment. You can use this process to swap your *production* and *staging* deployments when you want to take the model assigned to *staging* and assign it to *production*.
+
+# [Language Studio](#tab/language-studio)
++
+# [REST APIs](#tab/rest-api)
+++++
+## Delete deployment
+
+# [Language Studio](#tab/language-studio)
++
+# [REST APIs](#tab/rest-api)
++++
+## Assign deployment resources
+
+You can [deploy your project to multiple regions](../../../concepts/custom-features/multi-region-deployment.md) by assigning different Language resources that exist in different regions.
+
+# [Language Studio](#tab/language-studio)
++
+# [REST APIs](#tab/rest-api)
++++
+## Unassign deployment resources
+
+When unassigning or removing a deployment resource from a project, you will also delete all the deployments that have been deployed to that resource's region.
+
+# [Language Studio](#tab/language-studio)
++
+# [REST APIs](#tab/rest-api)
++++
+## Next steps
+
+* [Sentiment analysis overview](../../overview.md)
+<!--After you have a deployment, you can use it to [extract entities](call-api.md) from text.-->
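Review bot: In the prerequisites, the comment opened at `<!--* [Labeled data]` hides the labeled-data and trained-model requirements, so the visible list says only a project and uploaded text are needed before deploying a model; restore at least the trained-model prerequisite. Under "Deploy model" the tab markers are commented out, but "Submit deployment job" and "Get deployment job status" remain as bare headings, while the later sections (swap, delete, assign, unassign) still use live tabs; make the page consistent. The opening sentence says the model is "used to recognize entities in text", which is entity recognition wording. This page links the prediction API as `https://aka.ms/ct-runtime-swagger` while call-api.md uses `https://aka.ms/ct-runtime-api`; use one target in both.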
ai-services Design Schema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/design-schema.md
+
+ Title: How to prepare data and define a custom sentiment analysis schema
+
+description: Learn about data selection and preparation for custom sentient analysis projects.
++++++ Last updated : 07/19/2023++++
+# How to prepare data for custom sentiment analysis
+
+In order to create a Custom sentiment analysis model, you will need quality data to train it. This article covers how you should select and prepare your data, along with defining a schema. Defining the schema is the first step in the project development lifecycle, and it defines the classes that you need your model to classify your text into at runtime.
+
+## Data selection
+
+The quality of data you train your model with affects model performance greatly.
+
+* Use real-life data that reflects your domain's problem space to effectively train your model. You can use synthetic data to accelerate the initial model training process, but it will likely differ from your real-life data and make your model less effective when used.
+
+* Balance your data distribution as much as possible without deviating far from the distribution in real-life.
+
+* Use diverse data whenever possible to avoid overfitting your model. Less diversity in training data may lead to your model learning spurious correlations that may not exist in real-life data.
+
+* Avoid duplicate documents in your data. Duplicate data has a negative effect on the training process, model metrics, and model performance.
+
+* Consider where your data comes from. If you are collecting data from one person, department, or part of your scenario, you are likely missing diversity that may be important for your model to learn about.
+
+> [!NOTE]
+> If your documents are in multiple languages, select the **multiple languages** option during project creation and set the **language** option to the language of the majority of your documents.
+
+## Data preparation
+
+As a prerequisite for creating a Custom sentiment analysis project, your training data needs to be uploaded to a blob container in your storage account. You can create and upload training documents from Azure directly, or through using the Azure Storage Explorer tool. Using the Azure Storage Explorer tool allows you to upload more data quickly.
+
+* [Create and upload documents from Azure](../../../../../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container)
+* [Create and upload documents using Azure Storage Explorer](../../../../../vs-azure-tools-storage-explorer-blobs.md)
+
+You can only use `.txt`. documents for custom text. If your data is in other format, you can use [CLUtils parse command](https://github.com/microsoft/CognitiveServicesLanguageUtilities/blob/main/CustomTextAnalytics.CLUtils/Solution/CogSLanguageUtilities.ViewLayer.CliCommands/Commands/ParseCommand/README.md) to change your file format.
+
+## Test set
+
+When defining the testing set, make sure to include example documents that are not present in the training set. Defining the testing set is an important step to calculate the model performance<!--[model performance](view-model-evaluation.md#model-details)-->. Also, make sure that the testing set include documents that represent all classes used in your project.
+
+## Next steps
+
+If you haven't already, create a Custom sentiment analysis project. If it's your first time using Custom sentiment analysis, consider following the [quickstart](../quickstart.md) to create an example project. You can also see the [project requirements](../how-to/create-project.md) for more details on what you need to create a project.
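Review bot: The front-matter description has a typo, "custom sentient analysis projects", which will surface in search snippets; it should read "sentiment". In "Data preparation", `.txt`. has a stray period after the code span and "in other format" should be "in another format"; in "Test set", "the testing set include documents" should be "includes". The intro says the schema "defines the classes that you need your model to classify your text into", and "Data preparation" says only `.txt` documents can be used "for custom text"; both read as text classification wording, and the article never states what the schema is for sentiment analysis.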
ai-services Label Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/label-data.md
+
+ Title: How to label your data for Custom sentiment analysis - Azure AI services
+
+description: Learn about how to label your data for use with the custom Sentiment analysis.
++++++ Last updated : 07/19/2023++++
+# Label text data for training your model for Custom sentiment analysis
+
+Before training your model you need to label your documents with the sentiments you want to categorize them into. This data will be used in the next step when training your model so that your model can learn from the labeled data. If you already have labeled data, you can directly [import](create-project.md) it into your project. Be sure that your data follows the [accepted data format](../concepts/data-formats.md).
+
+Before creating a Custom sentiment analysis model, you need to have labeled data first. If your data isn't labeled already, you can label it in the [Language Studio](https://aka.ms/languageStudio). Labeled data informs the model how to interpret text, and is used for training and evaluation.
+
+## Prerequisites
+
+Before you can label data, you need:
+
+* [A successfully created project](create-project.md) with a configured Azure blob storage account.
+* Documents containing text data that have [been uploaded](design-schema.md#data-preparation) to your storage account.
+
+See the [project development lifecycle](../../overview.md#project-development-lifecycle) for more information.
+
+## Data labeling guidelines
+
+After [preparing your data](design-schema.md) and [creating your project](create-project.md), you will need to label your data. Labeling your data is important so your model knows which documents will be associated with the sentiments you need. When you label your data in [Language Studio](https://aka.ms/languageStudio) (or import labeled data), these labels will be stored in the JSON file in your storage container that you've connected to this project.
+
+As you label your data, keep in mind:
+
+* In general, more labeled data leads to better results, provided the data is labeled accurately.
+
+* There is no fixed number of labels that can guarantee your model will perform the best. Model performance on possible ambiguity in your [data](design-schema.md), and the quality of your labeled data.
+
+## Label your data
+
+Use the following steps to label your data:
+
+1. Go to your project page in [Language Studio](https://aka.ms/languageStudio).
+
+2. From the left side menu, select **Data labeling**. You can find a list of all documents in your storage container.
+
+ >[!TIP]
+ > You can use the filters in top menu to view the unlabeled files so that you can start labeling them.
+ > You can also use the filters to view the documents that are labeled with a specific sentiment.
+
+3. Change to a single file view from the left side in the top menu or select a specific file to start labeling. You can find a list of all `.txt` files available in your projects to the left. You can use the **Back** and **Next** button from the bottom of the page to navigate through your documents.
+
+ > [!NOTE]
+ > If you enabled multiple languages for your project, you will find a **Language** dropdown in the top menu, which lets you select the language of each document.
++
+4. In the right side pane, you can add sentiments to your project to start labeling your data with them. <!--You can also use the [auto labeling feature](use-autolabeling.md) to ensure complete labeling.-->
+
+6. In the right side pane under the **Labels** pivot you can find all the sentiments in your project and the count of labeled instances for each.
+
+7. In the bottom section of the right side pane you can add the current file you are viewing to the training set or the testing set. By default all the documents are added to your training set. Learn more about [training and testing sets](train-model.md#data-splitting) and how they are used for model training and evaluation.
+
+ > [!TIP]
+ > If you are planning on using **Automatic** data splitting use the default option of assigning all the documents into your training set.
+
+8. Under the **Distribution** pivot you can view the distribution across training and testing sets. You have two options for viewing:
+ * *Total instances* where you can view count of all labeled instances of a specific sentiment.
+ * *Documents with at least one label* where each document is counted if it contains at least one labeled instance of this sentiment.
+
+9. While you're labeling, your changes will be synced periodically, if they have not been saved yet you will find a warning at the top of your page. If you want to save manually, click on **Save labels** button at the bottom of the page.
+
+## Next steps
+
+After you've labeled your data, you can begin [training a model](train-model.md) that will learn based on your data.
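Review bot: The second bullet under "Data labeling guidelines" has no verb ("Model performance on possible ambiguity in your data, and the quality of your labeled data"); it needs something like "Model performance depends on ...". In "Label your data" the numbered steps jump from 4 to 6, so either renumber or restore the missing step 5. The two opening paragraphs both say that labeled data is required before training and could be merged into one.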
ai-services Train Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/train-model.md
+
+ Title: How to train your Custom sentiment analysis model - Azure AI services
+
+description: Learn about how to train your model for Custom sentiment analysis.
++++++ Last updated : 07/19/2023++++
+# How to train a Custom sentiment analysis model
+
+<!--Training is the process where the model learns from your [labeled data](label-data.md). After training is completed, you'll be able to [view the model's performance](view-model-evaluation.md) to determine if you need to improve your model.-->
+
+To train a model, start a training job. Only successfully completed jobs create a usable model. Training jobs expire after seven days. After this period, you won't be able to retrieve the job details. If your training job completed successfully and a model was created, it won't be affected by the job expiration. You can only have one training job running at a time, and you can't start other jobs in the same project.
+
+The training times can be anywhere from a few minutes when dealing with few documents, up to several hours depending on the dataset size and the complexity of your schema.
+++
+## Prerequisites
+
+Before you train your model, you need:
+
+* [A successfully created project](create-project.md) with a configured Azure blob storage account.
+<!--* Text data that has [been uploaded](design-schema.md#data-preparation) to your storage account.
+* [Labeled data](label-data.md).
+
+See the [project development lifecycle](../../overview.md#project-development-lifecycle) for more information.-->
+
+## Data splitting
+
+Before you start the training process, labeled documents in your project are divided into a training set and a testing set. Each one of them serves a different function.
+The **training set** is used in training the model, this is the set from which the model learns the class/classes assigned to each document.
+The **testing set** is a blind set that is not introduced to the model during training but only during evaluation.
+After the model is trained successfully, it is used to make predictions from the documents in the testing set. Based on these predictions, the model's evaluation metrics will be calculated.
+It is recommended to make sure that all your classes are adequately represented in both the training and testing set.
+
+Custom sentiment analysis supports two methods for data splitting:
+
+* **Automatically splitting the testing set from training data**: The system will split your labeled data between the training and testing sets, according to the percentages you choose. The system attempts to have a representation of all classes in your training set. The recommended percentage split is 80% for training and 20% for testing.
+
+ > [!NOTE]
+ > If you choose the **Automatically splitting the testing set from training data** option, only the data assigned to training set will be split according to the percentages provided.
+
+* **Use a manual split of training and testing data**: This method enables users to define which labeled documents should belong to which set. <!--This step is only enabled if you have added documents to your testing set during [data labeling](tag-data.md).-->
+
+## Train model
+
+# [Language studio](#tab/Language-studio)
++
+# [REST APIs](#tab/REST-APIs)
+
+### Start training job
++
+### Get training job status
+
+Training could take sometime depending on the size of your training data and complexity of your schema. You can use the following request to keep polling the status of the training job until it is successfully completed.
+
+ [!INCLUDE [get training model status](../../includes/custom/rest-api/get-training-status.md)]
+++
+### Cancel training job
+
+# [Language Studio](#tab/language-studio)
++
+# [REST APIs](#tab/rest-api)
++++
+## Next steps
+
+After training is completed, you will be able to view the model's performance to optionally improve your model if needed. Once you're satisfied with your model, you can deploy it, making it available to use for use.
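Review bot: The tab IDs are inconsistent within this article: "Train model" uses `#tab/Language-studio` and `#tab/REST-APIs`, while "Cancel training job" uses `#tab/language-studio` and `#tab/rest-api`. Use one ID per tab throughout. Wording fixes: "could take sometime" should be "some time", and the last sentence ends "making it available to use for use". The commented-out text in the manual split bullet links to `tag-data.md`, while the labeling article added in this change set is `label-data.md`; fix the target before that comment is ever re-enabled.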
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/quickstart.md
+
+ Title: Quickstart - Custom sentiment analysis
+
+description: Quickly start building an AI model to identify the sentiment of text.
++++++ Last updated : 07/19/2023++
+zone_pivot_groups: usage-custom-language-features
++
+# Quickstart: Custom sentiment analysis
+
+Use this article to get started with creating a Custom sentiment analysis project where you can train custom models for detecting the sentiment of text. A model is artificial intelligence software that's trained to do a certain task. For this system, the models classify text, and are trained by learning from tagged data.
+++++++
+## Next steps
+
+After you've created a Custom sentiment analysis model, you can:
+* [Use the runtime API to classify text](how-to/call-api.md)
+
+When you start to create your own Custom sentiment analysis projects, use the how-to articles to learn more about developing your model in greater detail:
+
+* [Data selection](how-to/design-schema.md)
+* [Tag data](how-to/label-data.md)
+* [Train a model](how-to/train-model.md)
+<!--* [View the model's evaluation](how-to/view-model-evaluation.md)-->
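Review bot: In "Next steps" the link text "Tag data" points at `how-to/label-data.md`, and the intro says models learn from "tagged data", while the how-to articles use "label" and "labeled" throughout. Use one term so readers can match the quickstart to the how-to titles.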
ai-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/how-to/call-api.md
Previously updated : 07/27/2022 Last updated : 07/19/2023
The labels are *positive*, *negative*, and *neutral*. At the document level, the
| At least one `negative` sentence and at least one `positive` sentence are in the document. | `mixed` | | All sentences in the document are `neutral`. | `neutral` |
-Confidence scores range from 1 to 0. Scores closer to 1 indicate a higher confidence in the label's classification, while lower scores indicate lower confidence. For each document or each sentence, the predicted scores associated with the labels (positive, negative, and neutral) add up to 1. For more information, see the [Responsible AI transparency note](/legal/cognitive-services/text-analytics/transparency-note?context=/azure/ai-services/text-analytics/context/context).
+Confidence scores range from 1 to 0. Scores closer to 1 indicate a higher confidence in the label's classification, while lower scores indicate lower confidence. For each document or each sentence, the predicted scores associated with the labels (positive, negative, and neutral) add up to 1. For more information, see the [Responsible AI transparency note](/legal/cognitive-services/text-analytics/transparency-note?context=/azure/cognitive-services/text-analytics/context/context).
## Opinion Mining
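Review bot: The only change in the confidence-score paragraph is the `context=` value on the transparency-note link, which moves from `/azure/ai-services/...` to `/azure/cognitive-services/...` while the article itself lives under `ai-services`. Confirm this is intended and not an accidental revert of the path rename. Separately, "range from 1 to 0" would read more naturally as "0 to 1".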
ai-services Use Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/how-to/use-containers.md
Previously updated : 04/11/2023 Last updated : 07/19/2023 keywords: on-premises, Docker, container, sentiment analysis, natural language processing
In this article, you learned concepts and workflow for downloading, installing,
* You must specify billing information when instantiating a container. > [!IMPORTANT]
-> Azure AI containers are not licensed to run without being connected to Azure for metering. Customers need to enable the containers to communicate billing information with the metering service at all times. Azure AI containers do not send customer data (e.g. text that is being analyzed) to Microsoft.
+> Azure AI services containers are not licensed to run without being connected to Azure for metering. Customers need to enable the containers to communicate billing information with the metering service at all times. Azure AI services containers do not send customer data (e.g. text that is being analyzed) to Microsoft.
## Next steps
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/language-support.md
Title: Sentiment Analysis and Opinion Mining language support
-description: This article explains which languages are supported by the Sentiment Analysis and Opinion Mining features of Azure AI Language.
+description: This article explains which languages are supported by the Sentiment Analysis and Opinion Mining features of the Language service.
Previously updated : 10/31/2022 Last updated : 07/19/2023
Total supported language codes: 94
| Xhosa (new) | `xh` | 2022-11-01 | | | Yiddish (new) | `yi` | 2022-11-01 | |
+## Multi-lingual option (Custom sentiment analysis only)
+
+With [Custom sentiment analysis](./overview.md?tabs=custom), you can train a model in one language and use to classify documents in another language. This feature is useful because it helps save time and effort. Instead of building separate projects for every language, you can handle multi-lingual dataset in one project. Your dataset doesn't have to be entirely in the same language but you should enable the multi-lingual option for your project while creating or later in project settings. If you notice your model performing poorly in certain languages during the evaluation process, consider adding more data in these languages to your training set.
+
+You can train your project entirely with English documents, and query it in: French, German, Mandarin, Japanese, Korean, and others. Custom sentiment analysis
+makes it easy for you to scale your projects to multiple languages by using multilingual technology to train your models.
+
+Whenever you identify that a particular language is not performing as well as other languages, you can add more documents for that language in your project. <!--In the [data labeling](./custom/how-to/label-data.md) page in Language Studio, you can select the language of the document you're adding. When you introduce more documents for that language to the model, it is introduced to more of the syntax of that language, and learns to predict it better.-->
+
+You aren't expected to add the same number of documents for every language. You should build the majority of your project in one language, and only add a few documents in languages you observe aren't performing well. If you create a project that is primarily in English, and start testing it in French, German, and Spanish, you might observe that German doesn't perform as well as the other two languages. In that case, consider adding 5% of your original English documents in German, train a new model and test in German again. You should see better results for German queries. The more labeled documents you add, the more likely the results are going to get better.
+
+When you add data in another language, you shouldn't expect it to negatively affect other languages.
## Next steps
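Review bot: In the new multi-lingual section, "train a model in one language and use to classify documents" is missing "it", and "handle multi-lingual dataset" needs an article or a plural. The advice to add more documents for an underperforming language appears in the first, third and fourth paragraphs; keep the worked 5% German example and drop the repeats. The closing claim that adding data in another language should not negatively affect other languages would be easier to trust if it told readers to re-run evaluation for the existing languages after adding data.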
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/overview.md
Title: What is sentiment analysis and opinion mining in Azure AI Language?
+ Title: What is sentiment analysis and opinion mining in the Language service?
description: An overview of the sentiment analysis feature in Azure AI services, which helps you find out what people think of a topic by mining text for clues.
Previously updated : 01/12/2023 Last updated : 07/19/2023
-# What is sentiment analysis and opinion mining in Azure AI Language?
+# What is sentiment analysis and opinion mining?
-Sentiment analysis and opinion mining are features offered by [Azure AI Language](../overview.md), a collection of machine learning and AI algorithms in the cloud for developing intelligent applications that involve written language. These features help you find out what people think of your brand or topic by mining text for clues about positive or negative sentiment, and can associate them with specific aspects of the text.
+Sentiment analysis and opinion mining are features offered by [the Language service](../overview.md), a collection of machine learning and AI algorithms in the cloud for developing intelligent applications that involve written language. These features help you find out what people think of your brand or topic by mining text for clues about positive or negative sentiment, and can associate them with specific aspects of the text.
Both sentiment analysis and opinion mining work with a variety of [written languages](./language-support.md).
The sentiment analysis feature provides sentiment labels (such as "negative", "n
Opinion mining is a feature of sentiment analysis. Also known as aspect-based sentiment analysis in Natural Language Processing (NLP), this feature provides more granular information about the opinions related to words (such as the attributes of products or services) in text.
+#### [Prebuilt model](#tab/prebuilt)
+ [!INCLUDE [Typical workflow for pre-configured language features](../includes/overview-typical-workflow.md)] ## Get started with sentiment analysis [!INCLUDE [development options](./includes/development-options.md)]
-## Responsible AI
+#### [Custom model](#tab/custom)
-An AI system includes not only the technology, but also the people who use it, the people who will be affected by it, and the environment in which it's deployed. Read the [transparency note for sentiment analysis](/legal/cognitive-services/language-service/transparency-note-sentiment-analysis?context=/azure/ai-services/language-service/context/context) to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information:
+Custom sentiment analysis enables users to build custom AI models to classify text into sentiments pre-defined by the user. By creating a Custom sentiment analysis project, developers can iteratively label data, train, evaluate, and improve model performance before making it available for consumption. The quality of the labeled data greatly impacts model performance. To simplify building and customizing your model, the service offers a custom web portal that can be accessed through the [Language studio](https://aka.ms/languageStudio). You can easily get started with the service by following the steps in this [quickstart](quickstart.md).
+
+## Project development lifecycle
+
+Creating a Custom sentiment analysis project typically involves several different steps.
++
+Follow these steps to get the most out of your model:
+
+1. **Define your schema**: Know your data and identify the sentiments you want, to avoid ambiguity.
+
+2. **Label your data**: The quality of data labeling is a key factor in determining model performance. Avoid ambiguity, make sure that your sentiments are clearly separable from each other.
+
+3. **Train the model**: Your model starts learning from your labeled data.
+
+4. **View the model's performance**: View the evaluation details for your model to determine how well it performs when introduced to new data.
+
+5. **Deploy the model**: Deploying a model makes it available for use via the [Analyze API](https://aka.ms/ct-runtime-swagger).
+
+6. **Classify text**: Use your custom model for sentiment analysis tasks.
+
+## Reference documentation
+
+As you use Custom sentiment analysis, see the following reference documentation and samples for the Language service:
+
+|Development option / language |Reference documentation |Samples |
+||||
+|REST APIs (Authoring) | [REST API documentation](https://aka.ms/ct-authoring-swagger) | |
+|REST APIs (Runtime) | [REST API documentation](https://aka.ms/ct-runtime-swagger) | |
+
+
++
+## Responsible AI
+
+An AI system includes not only the technology, but also the people who use it, the people who will be affected by it, and the environment in which it's deployed. Read the [transparency note for sentiment analysis](/legal/cognitive-services/language-service/transparency-note-sentiment-analysis?context=/azure/cognitive-services/language-service/context/context) to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information:
## Next steps
-There are two ways to get started using the entity linking feature:
-* [Language Studio](../language-studio.md), which is a web-based platform that enables you to try several Language service features without needing to write code.
-* The [quickstart article](quickstart.md) for instructions on making requests to the service using the REST API and client library SDK.
+* The quickstart articles with instructions on using the service for the first time.
+ * [Use the prebuilt model](./quickstart.md)
+ * [Create a custom model](./custom/quickstart.md)
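Review bot: Under "Responsible AI" the re-added paragraph ends with "You can also see the following articles for more information:" and is followed directly by "## Next steps", so the list it announces is missing; either restore the list or drop that sentence. The transparency-note link's `context=` value also changes to `/azure/cognitive-services/...` in an article under `ai-services`, which should be confirmed. In the "Reference documentation" table the Samples column is empty for both rows and could be removed until samples exist.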
ai-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/quickstart.md
Previously updated : 02/17/2023 Last updated : 07/19/2023 ms.devlang: csharp, java, javascript, python
ai-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/whats-new.md
Azure AI Language is updated on an ongoing basis. To stay up-to-date with recent developments, this article provides you with information about new releases and features.
+## July 2023
+
+* [Custom sentiment analysis](./sentiment-opinion-mining/overview.md) is now available in preview.
+ ## May 2023 * [Custom Named Entity Recognition (NER) Docker containers](./custom-named-entity-recognition/how-to/use-containers.md) are now available for on-premises deployment.
ai-services Quota https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/quota.md
Previously updated : 06/07/2023 Last updated : 07/18/2023
To minimize issues related to rate limits, it's a good idea to use the following
- Avoid sharp changes in the workload. Increase the workload gradually. - Test different load increase patterns.
+## Resource deletion
+
+When an attempt to delete an Azure OpenAI resource is made from the Azure portal if any deployments are still present deletion is blocked until the associated deployments are deleted. Deleting the deployments first allows quota allocations to be properly freed up so they can be used on new deployments.
+
+However, if you delete a resource using the REST API or some other programmatic method, this bypasses the need to delete deployments first. When this occurs, the associated quota allocation will remain unavailable to assign to a new deployment for 48 hours until the resource is purged. To trigger an immediate purge for a deleted resource to free up quota, follow the [purge a deleted resource instructions](/azure/ai-services/manage-resources?tabs=azure-portal#purge-a-deleted-resource).
+ ## Next steps - To review quota defaults for Azure OpenAI, consult the [quotas & limits article](../quotas-limits.md)
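Review bot: The first sentence of "Resource deletion" is hard to parse without punctuation; suggest "When you try to delete an Azure OpenAI resource from the Azure portal while deployments are still present, deletion is blocked until those deployments are deleted." In the second paragraph, "for 48 hours until the resource is purged" leaves it unclear whether the purge happens automatically after 48 hours or must be triggered; say which. Because the REST and programmatic path skips the deployment check the portal enforces, it would help to state directly that automation should delete deployments before deleting the resource.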
aks Configure Azure Cni https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-azure-cni.md
Learn more about networking in AKS in the following articles:
<!-- LINKS - External --> [services]: https://kubernetes.io/docs/concepts/services-networking/service/
-[portal]: https://portal.azure.com
[cni-networking]: https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md [kubenet]: concepts-network.md#kubenet-basic-networking [github]: https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/kubernetes/container-azm-ms-agentconfig.yaml
aks Egress Outboundtype https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/egress-outboundtype.md
The following tables show the supported migration paths between outbound types f
### Supported Migration Paths for Managed VNet
-| | loadBalancer | managedNATGateway | userAssignedNATGateway | userDefinedRouting |
-||--|-||--|
-| loadBalancer | N/A | Supported | Not Supported | Not Supported |
-| managedNATGateway | Supported | N/A | Not Supported | Supported |
-| userAssignedNATGateway | Supported | Not Supported | N/A | Not Supported |
-| userDefinedRouting | Supported | Supported | Supported | N/A |
+| Managed VNet |loadBalancer | managedNATGateway | userAssignedNATGateway | userDefinedRouting |
+|||-||--|
+| loadBalancer | N/A | Supported | Not Supported | Supported |
+| managedNATGateway | Supported | N/A | Not Supported | Supported |
+| userAssignedNATGateway | Not Supported | Not Supported | N/A | Not Supported |
+| userDefinedRouting | Supported | Supported | Not Supported | N/A |
### Supported Migration Paths for BYO VNet
-| | loadBalancer | managedNATGateway | userAssignedNATGateway | userDefinedRouting |
+| BYO VNet | loadBalancer | managedNATGateway | userAssignedNATGateway | userDefinedRouting |
|||-||--|
-| loadBalancer | N/A | Supported | Supported | Supported |
-| managedNATGateway | Supported | N/A | Not Supported | Not Supported |
+| loadBalancer | N/A | Not Supported | Supported | Supported |
+| managedNATGateway | Not Supported | N/A | Not Supported | Not Supported |
| userAssignedNATGateway | Supported | Not Supported | N/A | Supported |
-| userDefinedRouting | Not Supported | Not Supported | Not Supported | N/A |
+| userDefinedRouting | Supported | Not Supported | Supported | N/A |
+
+Migration is only supported between `loadBalancer`, `managedNATGateway` (if using a managed virtual network), `userAssignedNATGateway` and `userDefinedRouting` (if using a custom virtual network).
-Migration is only supported between `loadBalancer`, `managedNATGateway` (if using a managed virtual network), and `userDefinedNATGateway` (if using a custom virtual network).
+> [!WARNING]
+> Migrating the outbound type to user managed types (`userAssignedNATGateway` and `userDefinedRouting`) will change the outbound public IP addresses of the cluster.
+> if [Authorized IP ranges](./api-server-authorized-ip-ranges.md) is enabled, please make sure new outbound ip range is appended to authorized ip range.
> [!WARNING] > Changing the outbound type on a cluster is disruptive to network connectivity and will result in a change of the cluster's egress IP address. If any firewall rules have been configured to restrict traffic from the cluster, you need to update them to match the new egress IP address.
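Review bot: The new summary sentence ties `userDefinedRouting` to "if using a custom virtual network", but the Managed VNet table in this same change marks the `loadBalancer`/`userDefinedRouting` and `managedNATGateway`/`userDefinedRouting` cells as Supported; align the sentence with the tables. In the added warning, the second line starts with lowercase "if" and writes "ip"; suggest "If [Authorized IP ranges] is enabled, make sure the new outbound IP range is added to the authorized IP ranges", and say whether this must be done before the migration. The new warning also overlaps the existing one directly below it, which already states that any outbound type change alters the egress IP address, so the two could be merged.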
aks Quick Kubernetes Deploy Bicep Extensibility Kubernetes Provider https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-bicep-extensibility-kubernetes-provider.md
To learn more about AKS, and walk through a complete code to deployment example,
[install-azure-powershell]: /powershell/azure/install-az-ps [connect-azaccount]: /powershell/module/az.accounts/Connect-AzAccount [sp-delete]: ../kubernetes-service-principal.md#additional-considerations
-[azure-portal]: https://portal.azure.com
[kubernetes-deployment]: ../concepts-clusters-workloads.md#deployments-and-yaml-manifests [kubernetes-service]: ../concepts-network.md#services [ssh-keys]: ../../virtual-machines/linux/create-ssh-keys-detailed.md
aks Quick Kubernetes Deploy Rm Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-rm-template.md
To learn more about AKS, and walk through a complete code to deployment example,
[install-azure-powershell]: /powershell/azure/install-az-ps [connect-azaccount]: /powershell/module/az.accounts/Connect-AzAccount [sp-delete]: ../kubernetes-service-principal.md#additional-considerations
-[azure-portal]: https://portal.azure.com
[kubernetes-deployment]: ../concepts-clusters-workloads.md#deployments-and-yaml-manifests [kubernetes-service]: ../concepts-network.md#services [ssh-keys]: ../../virtual-machines/linux/create-ssh-keys-detailed.md
aks Quick Windows Container Deploy Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-windows-container-deploy-cli.md
To learn more about AKS, and walk through a complete code to deployment example,
[az-provider-register]: /cli/azure/provider#az_provider_register [azure-cli-install]: /cli/azure/install-azure-cli [sp-delete]: ../kubernetes-service-principal.md#additional-considerations
-[azure-portal]: https://portal.azure.com
[kubernetes-deployment]: ../concepts-clusters-workloads.md#deployments-and-yaml-manifests [kubernetes-service]: ../concepts-network.md#services [restricted-vm-sizes]: ../quotas-skus-regions.md#restricted-vm-sizes
aks Network Observability Byo Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/network-observability-byo-cli.md
Last updated 06/20/2023-+ # Setup of Network Observability for Azure Kubernetes Service (AKS) - BYO Prometheus and Grafana
In this how-to article, you learned how to install and enable AKS Network Observ
- For more information about AKS Network Observability, see [What is Azure Kubernetes Service (AKS) Network Observability?](network-observability-overview.md). - To create an AKS cluster with Network Observability and managed Prometheus and Grafana, see [Setup Network Observability for Azure Kubernetes Service (AKS) Azure managed Prometheus and Grafana](network-observability-managed-cli.md).-
aks Network Observability Managed Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/network-observability-managed-cli.md
Last updated 06/20/2023-+ # Setup of Network Observability for Azure Kubernetes Service (AKS) - Azure managed Prometheus and Grafana
aks Open Ai Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/open-ai-quickstart.md
Title: Deploy an application that uses OpenAI on Azure Kubernetes Service (AKS)
description: Learn how to deploy an application that uses OpenAI on Azure Kubernetes Service (AKS). #Required; article description that is displayed in search results. Last updated 6/29/2023-+ # Deploy an application that uses OpenAI on Azure Kubernetes Service (AKS)
Now that you've seen how to add OpenAI functionality to an AKS application, lear
[aoai]: ../cognitive-services/openai/index.yml [learn-aoai]: /training/modules/explore-azure-openai-
aks Operator Best Practices Run At Scale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/operator-best-practices-run-at-scale.md
If your AKS clusters satisfy any of the following criteria, we recommend using t
* Clusters running more than 10 nodes on average * Clusters that need to scale beyond 1000 nodes
-To scale AKS clusters beyond 1000 nodes, you need to request a node limit quota increase by raising a support ticket in the [Azure portal][Azure portal] up to a maximum of 5000 nodes per cluster. Increasing the node limit doesn't increase other AKS service quota limits, like the number of pods per node. For more information, see [Limits, quotas, and restrictions for AKS resources][quotas-skus-regions].
+To scale AKS clusters beyond 1000 nodes, you need to request a node limit quota increase by [raising a support ticket in the Azure portal][support-ticket] up to a maximum of 5000 nodes per cluster. Increasing the node limit doesn't increase other AKS service quota limits, like the number of pods per node. For more information, see [Limits, quotas, and restrictions for AKS resources][quotas-skus-regions].
To increase the node limit beyond 1000, you must have the following pre-requisites:
To increase the node limit beyond 1000, you must have the following pre-requisit
[Managed NAT Gateway - Azure Kubernetes Service]: nat-gateway.md [Configure Azure CNI networking for dynamic allocation of IPs and enhanced subnet support in Azure Kubernetes Service (AKS)]: configure-azure-cni-dynamic-ip-allocation.md [max surge]: upgrade-cluster.md?tabs=azure-cli#customize-node-surge-upgrade
-[Azure portal]: https://portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22subId%22%3A+%22%22%2C%0D%0A%09%22pesId%22%3A+%225a3a423f-8667-9095-1770-0a554a934512%22%2C%0D%0A%09%22supportTopicId%22%3A+%2280ea0df7-5108-8e37-2b0e-9737517f0b96%22%2C%0D%0A%09%22contextInfo%22%3A+%22AksLabelDeprecationMarch22%22%2C%0D%0A%09%22caller%22%3A+%22Microsoft_Azure_ContainerService+%2B+AksLabelDeprecationMarch22%22%2C%0D%0A%09%22severity%22%3A+%223%22%0D%0A%7D
+[support-ticket]: https://portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22subId%22%3A+%22%22%2C%0D%0A%09%22pesId%22%3A+%225a3a423f-8667-9095-1770-0a554a934512%22%2C%0D%0A%09%22supportTopicId%22%3A+%2280ea0df7-5108-8e37-2b0e-9737517f0b96%22%2C%0D%0A%09%22contextInfo%22%3A+%22AksLabelDeprecationMarch22%22%2C%0D%0A%09%22caller%22%3A+%22Microsoft_Azure_ContainerService+%2B+AksLabelDeprecationMarch22%22%2C%0D%0A%09%22severity%22%3A+%223%22%0D%0A%7D
[standard-tier]: free-standard-pricing-tiers.md [throttling-policies]: https://azure.microsoft.com/blog/api-management-advanced-caching-and-throttling-policies/
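Review bot: The renamed `[support-ticket]` reference keeps the old URL unchanged, and its encoded parameters carry `contextInfo` and `caller` values of `AksLabelDeprecationMarch22`, which do not describe a node limit quota increase. Check that the prefilled support topic behind this link is the right one for the request the sentence describes, or link to the generic support request flow instead.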
api-management Cosmosdb Data Source Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cosmosdb-data-source-policy.md
+ Last updated 06/07/2023
type Query {
* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies)
app-service App Service Hybrid Connections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/app-service-hybrid-connections.md
Things you cannot do with Hybrid Connections include:
## Add and Create Hybrid Connections in your app ##
-To create a Hybrid Connection, go to the [Azure portal][portal] and select your app. Select **Networking** > **Configure your Hybrid Connection endpoints**. Here you can see the Hybrid Connections that are configured for your app.
+To create a Hybrid Connection, go to the [Azure portal] and select your app. Select **Networking** > **Configure your Hybrid Connection endpoints**. Here you can see the Hybrid Connections that are configured for your app.
:::image type="content" source="media/app-service-hybrid-connections/hybridconn-portal.png" alt-text="Screenshot of Hybrid Connection list":::
In addition to there being an App Service plan SKU requirement, there's an addit
## Hybrid Connection Manager ##
-The Hybrid Connections feature requires a relay agent in the network that hosts your Hybrid Connection endpoint. That relay agent is called the Hybrid Connection Manager (HCM). To download HCM, from your app in the [Azure portal][portal], select **Networking** > **Configure your Hybrid Connection endpoints**.
+The Hybrid Connections feature requires a relay agent in the network that hosts your Hybrid Connection endpoint. That relay agent is called the Hybrid Connection Manager (HCM). To download HCM, from your app in the [Azure portal], select **Networking** > **Configure your Hybrid Connection endpoints**.
This tool runs on Windows Server 2012 and later. The HCM runs as a service and connects outbound to Azure Relay on port 443.
Each HCM can support multiple Hybrid Connections. Also, any given Hybrid Connect
### Manually add a Hybrid Connection ###
-To enable someone outside your subscription to host an HCM instance for a given Hybrid Connection, share the gateway connection string for the Hybrid Connection with them. You can see the gateway connection string in the Hybrid Connection properties in the [Azure portal][portal]. To use that string, select **Enter Manually** in the HCM, and paste in the gateway connection string.
+To enable someone outside your subscription to host an HCM instance for a given Hybrid Connection, share the gateway connection string for the Hybrid Connection with them. You can see the gateway connection string in the Hybrid Connection properties in the [Azure portal]. To use that string, select **Enter Manually** in the HCM, and paste in the gateway connection string.
:::image type="content" source="media/app-service-hybrid-connections/hybridconn-manual.png" alt-text="Manually add a Hybrid Connection":::
If you have a command-line client for your endpoint, you can test connectivity f
<!--Links--> [HCService]: /azure/service-bus-relay/relay-hybrid-connections-protocol/
-[portal]: https://portal.azure.com/
+[Azure portal]: https://portal.azure.com/
[oldhc]: /azure/biztalk-services/integration-hybrid-connection-overview/ [sbpricing]: https://azure.microsoft.com/pricing/details/service-bus/ [armclient]: https://github.com/projectkudu/ARMClient/
app-service Configure Authentication Provider Openid Connect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-authentication-provider-openid-connect.md
If you are unable to use a configuration metadata document, you will need to gat
## <a name="related-content"> </a>Next steps [!INCLUDE [app-service-mobile-related-content-get-started-users](../../includes/app-service-mobile-related-content-get-started-users.md)]+
+[Azure portal]: https://portal.azure.com
app-service Configure Common https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-common.md
To add a custom handler:
<!-- URL List --> [ASP.NET SignalR]: https://www.asp.net/signalr
-[Azure Portal]: https://portal.azure.com/
+[Azure portal]: https://portal.azure.com/
[Configure a custom domain name in Azure App Service]: ./app-service-web-tutorial-custom-domain.md [Set up staging environments in Azure App Service]: ./deploy-staging-slots.md [How to: Monitor web endpoint status]: ./web-sites-monitor.md
app-service Configure Ssl Bindings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-ssl-bindings.md
tags: buy-ssl-certificates
Last updated 04/20/2023 -+ # Secure a custom DNS name with a TLS/SSL binding in Azure App Service
app-service Configure Ssl Certificate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-ssl-certificate.md
tags: buy-ssl-certificates
Last updated 07/28/2023 -+ # Add and manage TLS/SSL certificates in Azure App Service
If your certificate authority gives you multiple certificates in the certificate
Now, export your merged TLS/SSL certificate with the private key that was used to generate your certificate request. If you generated your certificate request using OpenSSL, then you created a private key file. > [!NOTE]
-> OpenSSL v3 creates certificate serials with 20 octets (40 chars) as the X.509 specification allows. Currently only 10 octets (20 chars) is supported when uploading certificate PFX files.
-> OpenSSL v3 also changed default cipher from 3DES to AES256, but this can be overridden on the command line.
-> OpenSSL v1 uses 3DES as default and only uses 8 octets (16 chars) in the serial, so the PFX files generated are supported without any special modifications.
+> OpenSSL v3 changed default cipher from 3DES to AES256, but this can be overridden on the command line -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -machalg SHA1.
+> OpenSSL v1 uses 3DES as default, so the PFX files generated are supported without any special modifications.
1. To export your certificate to a PFX file, run the following command, but replace the placeholders _&lt;private-key-file>_ and _&lt;merged-certificate-file>_ with the paths to your private key and your merged certificate file.
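Review bot: The added OpenSSL v3 line runs the override flags straight into the sentence ("on the command line -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -machalg SHA1."), so the closing period reads as part of the last argument and the flags are easy to miscopy; set them in inline code. The hunk also deletes both statements about certificate serial length (20 octets from v3, 10 octets supported on upload) without saying whether that upload limit still applies. Because the override moves the PFX back to 3DES and SHA1, the note should say that this is an upload-compatibility workaround and not a general export setting.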
app-service Deploy Zip https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-zip.md
Publish-AzWebApp -ResourceGroupName Default-Web-WestUS -Name MyApp -ArchivePath
# [Kudu API](#tab/api)
-The following example uses the cURL tool to deploy a ZIP package. Replace the placeholders `<username>`, `<zip-package-path>`, and `<app-name>`. When prompted by cURL, type in the [deployment password](deploy-configure-credentials.md).
+The following example uses the cURL tool to deploy a ZIP package. Replace the placeholders `<username>`, `<password>`, `<zip-package-path>`, and `<app-name>`. Use the [deployment credentials](deploy-configure-credentials.md) for authentication.
```bash
-curl -X POST -u <username:password> -T "@<zip-package-path>" https://<app-name>.scm.azurewebsites.net/api/publish?type=zip
+curl -X POST \
+ -H "Content-Type: application/octet-stream" \
+ -u '<username>:<password>' \
+ -T "<zip-package-path>" \
+ "https://<app-name>.scm.azurewebsites.net/api/zipdeploy"
``` [!INCLUDE [deploying to network secured sites](../../includes/app-service-deploy-network-secured-sites.md)]
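Review bot: The rewritten command passes the password inline with `-u '<username>:<password>'`, and the prose above it drops the instruction to type the password when cURL prompts, so the deployment credential now ends up in shell history and is visible in the process list while the upload runs. Consider keeping `-u '<username>'` together with the prompt wording. The same hunk changes the endpoint from `/api/publish?type=zip` to `/api/zipdeploy` and removes the `@` from the `-T` argument, with no note for readers who scripted the old form.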
curl -X POST -u <username:password> -T "@<zip-package-path>" https://<app-name>.
The following example uses the `packageUri` parameter to specify the URL of an Azure Storage account that the web app should pull the ZIP from. ```bash
-curl -X POST -u <username:password> https://<app-name>.scm.azurewebsites.net/api/publish -d '{"packageUri": "https://storagesample.blob.core.windows.net/sample-container/myapp.zip?sv=2021-10-01&sb&sig=slk22f3UrS823n4kSh8Skjpa7Naj4CG3"}'
+curl -X PUT \
+ -H "Content-Type: application/json" \
+ -u '<username>:<password>' \
+ -d '{"packageUri": "https://storagesample.blob.core.windows.net/sample-container/myapp.zip?sv=2021-10-01&sb&sig=slk22f3UrS823n4kSh8Skjpa7Naj4CG3"}' \
+ "https://<app-name>.scm.azurewebsites.net/api/zipdeploy"
``` # [Kudu UI](#tab/kudu-ui)
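Review bot: This example switches to `-X PUT`, while the upload example earlier in the same tab uses `-X POST` against the same `/api/zipdeploy` URL, and nothing in the text says which method the endpoint expects for a `packageUri` body; state it or make the two consistent. The sample `packageUri` still shows a complete `sig=` query value where a `<sas-token>` style placeholder would be clearer, and the password is again given inline in `-u '<username>:<password>'` rather than prompted for.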
app-service App Service App Service Environment Control Inbound Traffic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/app-service-app-service-environment-control-inbound-traffic.md
The following list contains the ports used by an App Service Environment. All po
## Outbound Connectivity and DNS Requirements For an App Service Environment to function properly, it also requires outbound access to various endpoints. A full list of the external endpoints used by an ASE is in the "Required Network Connectivity" section of the [Network Configuration for ExpressRoute](app-service-app-service-environment-network-configuration-expressroute.md#required-network-connectivity) article.
-App Service Environments require a valid DNS infrastructure configured for the virtual network. If the DNS configuration is changed after the creation of an App Service Environment, developers can force an App Service Environment to pick up the new DNS configuration. If you trigger a rolling environment reboot using the **Restart** icon, the environment picks up the new DNS configuration. (The **Restart** icon is located at the top of the App Service Environment management blade, in the [Azure portal][NewPortal].)
+App Service Environments require a valid DNS infrastructure configured for the virtual network. If the DNS configuration is changed after the creation of an App Service Environment, developers can force an App Service Environment to pick up the new DNS configuration. If you trigger a rolling environment reboot using the **Restart** icon, the environment picks up the new DNS configuration. (The **Restart** icon is located at the top of the App Service Environment management blade, in the [Azure portal](https://portal.azure.com).)
It's also recommended that any custom DNS servers on the vnet be set up ahead of time before creating an App Service Environment. If a virtual network's DNS configuration is changed during the creation of an App Service Environment, the App Service Environment creation process will fail. Similarly, if there's a custom DNS server that's unreachable or unavailable on the other end of a VPN gateway, the App Service Environment creation process will also fail.
For more information, see [Securely connecting to Backend resources from an App
[NetworkSecurityGroups]: ../../virtual-network/virtual-network-vnet-plan-design-arm.md [IntroToAppServiceEnvironment]: app-service-app-service-environment-intro.md [SecurelyConnecttoBackend]: app-service-app-service-environment-securely-connecting-to-backend-resources.md
-[NewPortal]: https://portal.azure.com
<!-- IMAGES -->
app-service App Service App Service Environment Network Configuration Expressroute https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/app-service-app-service-environment-network-configuration-expressroute.md
App Service Environment requires the following network connectivity settings to
* Inbound network access to required ports for App Service Environment must be allowed. For details, see [How to control inbound traffic to App Service Environment][requiredports].
-To fulfill the DNS requirements, make sure a valid DNS infrastructure is configured and maintained for the virtual network. If the DNS configuration is changed after App Service Environment is created, developers can force App Service Environment to pick up the new DNS configuration. You can trigger a rolling environment reboot by using the **Restart** icon under App Service Environment management in the [Azure portal][NewPortal]. The reboot causes the environment to pick up the new DNS configuration.
+To fulfill the DNS requirements, make sure a valid DNS infrastructure is configured and maintained for the virtual network. If the DNS configuration is changed after App Service Environment is created, developers can force App Service Environment to pick up the new DNS configuration. You can trigger a rolling environment reboot by using the **Restart** icon under App Service Environment management in the [Azure portal](https://portal.azure.com). The reboot causes the environment to pick up the new DNS configuration.
To fulfill the inbound network access requirements, configure a [network security group (NSG)][NetworkSecurityGroups] on the App Service Environment subnet. The NSG allows the required access [to control inbound traffic to App Service Environment][requiredports].
To get started with App Service Environment for Power Apps, see [Introduction to
[DownloadCenterAddressRanges]: https://www.microsoft.com/download/details.aspx?id=41653 [NetworkSecurityGroups]: ../../virtual-network/virtual-network-vnet-plan-design-arm.md [IntroToAppServiceEnvironment]: app-service-app-service-environment-intro.md
-[NewPortal]: https://portal.azure.com
- <!-- IMAGES -->
app-service Manage Scale Up https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/manage-scale-up.md
For information about the pricing and features of individual App Service plans,
> [!NOTE] > To scale up to Premium V3 tier, see [Configure Premium V3 tier for App Service](app-service-configure-premium-tier.md).
->
-1. In your browser, open the [Azure portal][portal].
+1. In your browser, open the [Azure portal](https://portal.azure.com).
1. In the left navigation of your App Service app page, select **Scale up (App Service plan)**.
For a table of service limits, quotas, and constraints, and supported features i
[vmsizes]:https://azure.microsoft.com/pricing/details/app-service/ [SQLaccountsbilling]:https://go.microsoft.com/fwlink/?LinkId=234930 [azuresubscriptions]:https://account.windowsazure.com/subscriptions
-[portal]: https://portal.azure.com/
<!-- IMAGES --> [ChooseWHP]: ./media/web-sites-scale/scale1ChooseWHP.png
app-service Overview Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-managed-identity.md
First, you'll need to create a user-assigned identity resource.
1. Run the `az webapp identity assign` command to assign the identity to the app. ```azurepowershell-interactive
- az webapp identity assign --resource-group <group-name> --name <app-name> --identities <identity-name>
+ az webapp identity assign --resource-group <group-name> --name <app-name> --identities <identity-id>
``` # [Azure PowerShell](#tab/ps)
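Review bot: The placeholder changes from `<identity-name>` to `<identity-id>`, but the step text still only says to "assign the identity to the app" and never says what the ID is or where to read it from the identity created in the previous step; add that sentence. Separately, the fence around this `az webapp identity assign` command is tagged `azurepowershell-interactive`, while the `az webapp identity remove` example further down is tagged `azurecli-interactive`.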
az webapp identity remove --name <app-name> --resource-group <group-name>
To remove one or more user-assigned identities: ```azurecli-interactive
-az webapp identity remove --name <app-name> --resource-group <group-name> --identities <identity-name1>,<identity-name2>,...
+az webapp identity remove --name <app-name> --resource-group <group-name> --identities <identity-id1> <identity-id2> ...
``` You can also remove the system assigned identity by specifying `[system]` in `--identities`.
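Review bot: The `--identities` list changes from comma-separated (`<identity-name1>,<identity-name2>,...`) to space-separated (`<identity-id1> <identity-id2> ...`), but the sentence introducing the command does not mention the separator, so readers who have the comma form in scripts get no signal that it changed. Say explicitly that the values are space-separated and that they are IDs rather than names.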
application-gateway Migrate V1 V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/migrate-v1-v2.md
description: This article shows you how to migrate Azure Application Gateway and
+ Last updated 07/05/2023
application-gateway Retirement Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/retirement-faq.md
On April 28,2023 we announced retirement of Application gateway V1 on 28 April 2
### What is the official date Application Gateway V1 is cut off from creation?
-New Customers aren't allowed to create v1 from 1 July 2023. However, any existing V1 customers can continue to create resources until August 2024 and manage V1 resources until the retirement date of 28 April 2026.
+New Customers will not be allowed to create V1 from 1 July 2023 onwards. However, any existing V1 customers can continue to create resources in existing subscriptions until August 2024 and manage V1 resources until the retirement date of 28 April 2026.
### What happens to existing Application Gateway V1 after 28 April 2026?
Once the deadline arrives V1 gateways aren't supported. Any V1 SKU resources tha
### What is the definition of a new customer on Application Gateway V1 SKU?
-Customers who didn't have Application Gateway V1 SKU in their subscriptions in the month of June 2023 are considered as new customers. These customers wonΓÇÖt be able to create new V1 gateways from 1 July 2023.
+Customers who didn't have Application Gateway V1 SKU in their subscriptions as of 4 July 2023 are considered as new customers. These customers wonΓÇÖt be able to create new V1 gateways going forward.
### What is the definition of an existing customer on Application Gateway V1 SKU?
-Customers who had active or stopped but allocated Application Gateway V1 SKU in their subscriptions in the month of June 2023, are considered existing customers. These customers get until August 28, 2024 to create new V1 application gateways and until April 28,2026 to migrate their V1 gateways to V2.
+Customers who had active or stopped but allocated Application Gateway V1 SKU in their subscriptions as of 4 July 2023, are considered existing customers. These customers get until August 28, 2024 to create new V1 application gateways in their existing subscriptions and until April 28,2026 to migrate their V1 gateways to V2.
### Does this migration plan affect any of my existing workloads that run on Application Gateway V1 SKU?
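Review bot: The new-customer and existing-customer definitions now key on subscriptions "as of 4 July 2023", while the cut-off answer updated just above in this file says new customers cannot create V1 "from 1 July 2023 onwards", which leaves it unclear which date actually governs. Align the two dates or add a sentence explaining why they differ. The added lines also keep the unspaced "April 28,2026" and a mis-encoded apostrophe in the word "won't".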
application-gateway V1 Retirement https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/v1-retirement.md
We announced the deprecation of Application Gateway V1 on **April 28 ,2023**. St
- Deprecation announcement: April 28 ,2023 -- No new subscriptions for V1 deployments: July 1,2023 - Application Gateway V1 is no longer available for deployment on new subscriptions from July 1 2023.
+- No new subscriptions for V1 deployments: July 1,2023 onwards - Application Gateway V1 is no longer available for deployment on [new subscriptions](./retirement-faq.md#what-is-the-definition-of-a-new-customer-on-application-gateway-v1-sku) from July 1 2023 onwards.
- No new V1 deployments: August 28, 2024 - V1 creation is stopped completely for all customers 28 August 2024 onwards.
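Review bot: The added bullet links "new subscriptions" to the FAQ's definition of a new customer, but that definition is written in terms of customers whose subscriptions had no V1 SKU as of 4 July 2023, not subscriptions created from July 1 onwards, so the bullet and its link target describe different things. Reword the bullet to match the FAQ definition, and use one date format (the line mixes "July 1,2023" and "July 1 2023").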
azure-app-configuration Monitor App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/monitor-app-configuration.md
When you have critical applications and business processes relying on Azure reso
This article describes the monitoring data generated by App Configuration. App Configuration uses [Azure Monitor](../azure-monitor/overview.md). If you are unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md).
-## Monitoring overview page in Azure portal
+## Monitoring overview page in the Azure portal
The **Overview** page in the Azure portal includes a brief view of the resource usage, such as the total number of requests, number of throttled requests, and request duration per configuration store. This information is useful, but only displays a small amount of the monitoring data available. Some of this monitoring data is collected automatically and is available for analysis as soon as you create the resource. You can enable additional types of data collection with some configuration. > [!div class="mx-imgBorder"]
azure-arc Configure Transparent Data Encryption Sql Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/configure-transparent-data-encryption-sql-managed-instance.md
Last updated 06/06/2023-+ # Enable transparent data encryption on Azure Arc-enabled SQL Managed Instance (preview)
azure-cache-for-redis Cache Remove Tls 10 11 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-remove-tls-10-11.md
description: Learn how to remove TLS 1.0 and 1.1 from your application when comm
Previously updated : 03/07/2023 Last updated : 07/13/2023 ms.devlang: csharp, golang, java, javascript, php, python
azure-cache-for-redis Cache Tutorial Functions Getting Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-tutorial-functions-getting-started.md
Previously updated : 06/19/2023 Last updated : 07/18/2023
The following tutorial shows how to implement basic triggers with Azure Cache fo
Create a new **Azure Cache for Redis** instance using the Azure portal or your preferred CLI tool. We use a _Standard C1_ instance, which is a good starting point. Use the [quickstart guide](quickstart-create-redis.md) to get started.
-<!-- ![Image](Media/CreateCache.png) -->
The default settings should suffice. We use a public endpoint for this demo, but we recommend you use a private endpoint for anything in production.
-Creating the cache can take a few minutes, so feel move to the next section while creating the cache completes.
+Creating the cache can take a few minutes. You can move to the next section while creating the cache completes.
### Set up Visual Studio Code
-If you havenΓÇÖt installed the functions extension for VS Code, search for _Azure Functions_ in the extensions menu, and select **Install**. If you donΓÇÖt have the C# extension installed, install it, too.
+1. If you havenΓÇÖt installed the functions extension for VS Code, search for _Azure Functions_ in the extensions menu, and select **Install**. If you donΓÇÖt have the C# extension installed, install it, too.
-<!-- ![Image](Media/InstallExtensions.png) -->
+ :::image type="content" source="media/cache-tutorial-functions-getting-started/cache-code-editor.png" alt-text="Screenshot of the required extensions installed in VS Code.":::
-Next, go to the **Azure** tab, and sign-in to your existing Azure account, or create a new one:
+1. Next, go to the **Azure** tab, and sign-in to your existing Azure account, or create a new one:
-Create a new local folder on your computer to hold the project that you're building. In our example, we use ΓÇ£AzureRedisFunctionDemoΓÇ¥.
+1. Create a new local folder on your computer to hold the project that you're building. In our example, we use _RedisAzureFunctionDemo_.
-In the Azure tab, create a new functions app by clicking on the lightning bolt icon in the top right of the **Workspace** box in the lower left of the screen.
+1. In the Azure tab, create a new functions app by clicking on the lightning bolt icon in the top right of the **Workspace** tab.
-<!-- ![Image](Media/CreateFunctionProject.png) -->
+ :::image type="content" source="media/cache-tutorial-functions-getting-started/cache-add-resource.png" alt-text="Screenshot showing how to add a new function from VS Code.":::
-Select the new folder that youΓÇÖve created to start the creation of a new Azure Functions project. You get several on-screen prompts. Select:
+1. Select the new folder that youΓÇÖve created to start the creation of a new Azure Functions project. You get several on-screen prompts. Select:
-- **C#** as the language-- **.NET 6.0 LTS** as the .NET runtime-- **Skip for now** as the project template
+ - **C#** as the language
+ - **.NET 6.0 LTS** as the .NET runtime
+ - **Skip for now** as the project template
-> [!NOTE]
-> If you donΓÇÖt have the .NET Core SDK installed, youΓÇÖll be prompted to do so.
+ > [!NOTE]
+ > If you donΓÇÖt have the .NET Core SDK installed, youΓÇÖll be prompted to do so.
-The new project is created:
+1. The new project is created:
-<!-- ![Image](Media/VSCodeWorkspace.png) -->
+ :::image type="content" source="media/cache-tutorial-functions-getting-started/cache-vscode-workspace.png" alt-text="Screenshot of a workspace in VS Code.":::
### Install the necessary NuGet package
-You'll need to install `Microsoft.Azure.WebJobs.Extensions.Redis`, the NuGet package for the Redis extension that allows Redis keyspace notifications to be used as triggers in Azure Functions.
+You need to install `Microsoft.Azure.WebJobs.Extensions.Redis`, the NuGet package for the Redis extension that allows Redis keyspace notifications to be used as triggers in Azure Functions.
Install this package by going to the **Terminal** tab in VS Code and entering the following command:
dotnet add package Microsoft.Azure.WebJobs.Extensions.Redis --prerelease
### Configure cache
-Go to your newly created Azure Cache for Redis instance. Two steps are needed here.
+1. Go to your newly created Azure Cache for Redis instance.
-First, enable **keyspace notifications** on the cache to trigger on keys and commands. Go to your cache in the Azure portal and select the **Advanced settings** from the Resource menu. Scroll down to the field labeled _notify-keyspace-events_ and enter ΓÇ£KEAΓÇ¥. Then select Save at the top of the window. ΓÇ£KEAΓÇ¥ is a configuration string that enables keyspace notifications for all keys and events. More information on keyspace configuration strings can be found [here](https://redis.io/docs/manual/keyspace-notifications/).
+1. Go to your cache in the Azure portal and select the **Advanced settings** from the Resource menu. Scroll down to the field labeled _notify-keyspace-events_ and enter `KEA`. You have enabled **keyspace notifications** on the cache to trigger on keys and commands.
-<!-- ![Image](Media/KeyspaceNotifications.png) -->
+1. Then select **Save** at the top of the window. ΓÇ£KEAΓÇ¥ is a configuration string that enables keyspace notifications for all keys and events. More information on keyspace configuration strings can be found [here](https://redis.io/docs/manual/keyspace-notifications/).
-Second, select **Access keys** from the Resource menu and write down/copy the Primary connection string field. We use the access key to connect to the cache.
+ :::image type="content" source="media/cache-tutorial-functions-getting-started/cache-keyspace-notifications.png" alt-text="Screenshot of Advanced settings selected in the Resource menu and notify-keyspace-events highlighted with a red box.":::
-<!-- ![Image](Media/AccessKeys.png) -->
+1. Select **Access keys** from the Resource menu and write down/copy the Primary connection string field. This string is used to connect to the cache.
-### Set up the example code
-
-Go back to VS Code, add a file to the project called `RedisFunctions.cs` Copy and paste the code sample:
+ :::image type="content" source="media/cache-tutorial-functions-getting-started/cache-access-keys.png" alt-text="Screenshot showing the primary access key highlighted with a red box.":::
-```csharp
-using Microsoft.Extensions.Logging;
-using StackExchange.Redis;
-
-namespace Microsoft.Azure.WebJobs.Extensions.Redis.Samples
-{
- public static class RedisSamples
- {
- public const string connectionString = "redisConnectionString";
-
- [FunctionName(nameof(PubSubTrigger))]
- public static void PubSubTrigger(
- [RedisPubSubTrigger(connectionString, "pubsubTest")] string message,
- ILogger logger)
- {
- logger.LogInformation(message);
- }
+### Set up the example code
- [FunctionName(nameof(KeyspaceTrigger))]
- public static void KeyspaceTrigger(
- [RedisPubSubTrigger(connectionString, "__keyspace@0__:keyspaceTest")] string message,
- ILogger logger)
- {
- logger.LogInformation(message);
- }
+1. Go back to VS Code, add a file to the project called `RedisFunctions.cs`.
- [FunctionName(nameof(KeyeventTrigger))]
- public static void KeyeventTrigger(
- [RedisPubSubTrigger(connectionString, "__keyevent@0__:del")] string message,
- ILogger logger)
- {
- logger.LogInformation(message);
- }
+1. Copy and paste the code sample into the new file.
- [FunctionName(nameof(ListTrigger))]
- public static void ListTrigger(
- [RedisListTrigger(connectionString, "listTest")] string entry,
- ILogger logger)
- {
- logger.LogInformation(entry);
- }
+ ```csharp
+ using Microsoft.Extensions.Logging;
+ using StackExchange.Redis;
- [FunctionName(nameof(StreamTrigger))]
- public static void StreamTrigger(
- [RedisStreamTrigger(connectionString, "streamTest")] string entry,
- ILogger logger)
+ namespace Microsoft.Azure.WebJobs.Extensions.Redis.Samples
+ {
+ public static class RedisSamples
{
- logger.LogInformation(entry);
+ public const string connectionString = "redisConnectionString";
+
+ [FunctionName(nameof(PubSubTrigger))]
+ public static void PubSubTrigger(
+ [RedisPubSubTrigger(connectionString, "pubsubTest")] string message,
+ ILogger logger)
+ {
+ logger.LogInformation(message);
+ }
+
+ [FunctionName(nameof(KeyspaceTrigger))]
+ public static void KeyspaceTrigger(
+ [RedisPubSubTrigger(connectionString, "__keyspace@0__:keyspaceTest")] string message,
+ ILogger logger)
+ {
+ logger.LogInformation(message);
+ }
+
+ [FunctionName(nameof(KeyeventTrigger))]
+ public static void KeyeventTrigger(
+ [RedisPubSubTrigger(connectionString, "__keyevent@0__:del")] string message,
+ ILogger logger)
+ {
+ logger.LogInformation(message);
+ }
+
+ [FunctionName(nameof(ListTrigger))]
+ public static void ListTrigger(
+ [RedisListTrigger(connectionString, "listTest")] string entry,
+ ILogger logger)
+ {
+ logger.LogInformation(entry);
+ }
+
+ [FunctionName(nameof(StreamTrigger))]
+ public static void StreamTrigger(
+ [RedisStreamTrigger(connectionString, "streamTest")] string entry,
+ ILogger logger)
+ {
+ logger.LogInformation(entry);
+ }
} }
-}
-```
-
-This tutorial shows multiple different ways to trigger on Redis activity:
+ ```
-1. _PubSubTrigger_, which is triggered when activity is published to the pub/sub channel named `pubsubTest`
+1. This tutorial shows multiple different ways to trigger on Redis activity:
-1. _KeyspaceTrigger_, which is built on the Pub/Sub trigger. Use it to look for changes to the key `keyspaceTest`
+ - _PubSubTrigger_, which is triggered when activity is published to the pub/sub channel named `pubsubTest`
+ - _KeyspaceTrigger_, which is built on the Pub/Sub trigger. Use it to look for changes to the key `keyspaceTest`
+ - _KeyeventTrigger_, which is also built on the Pub/Sub trigger. Use it to look for any use of the`DEL` command.
+ - _ListTrigger_, which looks for changes to the list `listTest`
+ - _StreamTrigger_, which looks for changes to the stream `streamTest`
-1. _KeyeventTrigger_, which is also built on the Pub/Sub trigger. Use it to look for any use of the`DEL` command.
+### Connect to your cache
-1. _ListTrigger_, which looks for changes to the list `listTest`
+1. In order to trigger on Redis activity, you need to pass in the connection string of your cache instance. This information is stored in the `local.settings.json` file that was automatically created in your folder. Using the [local settings file](../azure-functions/functions-run-local.md#local-settings) is recommended as a security best practice.
-1. _StreamTrigger_, which looks for changes to the stream `streamTest`
+1. To connect to your cache, add a `ConnectionStrings` section in the `local.settings.json` file and add your connection string using the parameter `redisConnectionString`. It should look like this:
-### Connect to your cache
-In order to trigger on Redis activity, you need to pass in the connection string of your cache instance. This information will be stored in the `local.settings.json` file that was automatically created in your folder. Using the [local settings file](../azure-functions/functions-run-local.md#local-settings) is recommended as a security best practice.
-
-To connect to your cache, add a `ConnectionStrings` section in the `local.settings.json` file and add your connection string using the parameter `redisConnectionString`. It should look like this:
-
-```json
-{
- "IsEncrypted": false,
- "Values": {
- "AzureWebJobsStorage": "",
- "FUNCTIONS_WORKER_RUNTIME": "dotnet",
- "redisConnectionString": "<your-connection-string>"
- }
-}
-```
+ ```json
+ {
+ "IsEncrypted": false,
+ "Values": {
+ "AzureWebJobsStorage": "",
+ "FUNCTIONS_WORKER_RUNTIME": "dotnet",
+ "redisConnectionString": "<your-connection-string>"
+ }
+ }
+ ```
-<!-- ![Image](Media/ConnectionString.png) -->
> [!IMPORTANT] > This example is simplified for the tutorial. For production use, we recommend that you use [Azure Key Vault](../service-connector/tutorial-portal-key-vault.md) to store connection string information.
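Review bot: In the "Connect to your cache" steps, the text tells the reader to add a `ConnectionStrings` section to `local.settings.json`, but the JSON sample places `redisConnectionString` under `Values` and has no `ConnectionStrings` section; make the instruction and the sample agree. In "Configure cache", the new step 2 says "You have enabled **keyspace notifications**" before step 3 tells the reader to select **Save**, and steps 1 and 2 both open with "Go to your cache"; move the confirmation after the save and merge the duplicate. Since the string copied from **Access keys** goes into this file and the sample shows `"IsEncrypted": false`, a line reminding readers to keep `local.settings.json` out of source control would fit beside the Key Vault note.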
To connect to your cache, add a `ConnectionStrings` section in the `local.settin
### Build and run the code locally
-Switch to the **Run and debug** tab in VS Code and select the green arrow to debug the code locally. If you donΓÇÖt have Azure Functions core tools installed, you're prompted to do so. In that case, youΓÇÖll need to restart VS Code after installing.
+1. Switch to the **Run and debug** tab in VS Code and select the green arrow to debug the code locally. If you donΓÇÖt have Azure Functions core tools installed, you're prompted to do so. In that case, youΓÇÖll need to restart VS Code after installing.
-The code should build successfully, which you can track in the Terminal output.
+ The code should build successfully, which you can track in the Terminal output.
-To test the trigger functionality, try creating and deleting the _keyspaceTest_ key. You can use any way you prefer to connect to the cache. An easy way is to use the built-in Console tool in the Azure Cache for Redis portal. Bring up the cache instance in the Azure portal, and select **Console** to open it.
+1. To test the trigger functionality, try creating and deleting the _keyspaceTest_ key. You can use any way you prefer to connect to the cache. An easy way is to use the built-in Console tool in the Azure Cache for Redis portal. Bring up the cache instance in the Azure portal, and select **Console** to open it.
-<!-- ![Image](Media/Console.png) -->
+ :::image type="content" source="media/cache-tutorial-functions-getting-started/cache-console.png" alt-text="Screenshot of C# code and a connection string.":::
-After it's open, try the following commands:
+1. After it's open, try the following commands:
-- `SET keyspaceTest 1`-- `SET keyspaceTest 2`-- `DEL keyspaceTest`-- `PUBLISH pubsubTest testMessage`-- `LPUSH listTest test`-- `XADD streamTest * name Clippy`
+ - `SET keyspaceTest 1`
+ - `SET keyspaceTest 2`
+ - `DEL keyspaceTest`
+ - `PUBLISH pubsubTest testMessage`
+ - `LPUSH listTest test`
+ - `XADD streamTest * name Clippy`
-<!-- ![Image](Media/Console2.png) -->
+ :::image type="content" source="media/cache-tutorial-functions-getting-started/cache-console-output.png" alt-text="Screenshot of a console and some Redis commands and results.":::
-You should see the triggers activating in the terminal:
+1. You should see the triggers activating in the terminal:
-<!-- ![Image](Media/TriggersWorking.png) -->
+ :::image type="content" source="media/cache-tutorial-functions-getting-started/cache-triggers-working-lightbox.png" alt-text="Screenshot of the VS Code editor with code running." lightbox="media/cache-tutorial-functions-getting-started/cache-triggers-working.png":::
### Deploy code to an Azure function
-Create a new Azure function by going back to the Azure tab, expanding your subscription, and right clicking on **Function App**. Select **Create a Function App in Azure…(Advanced)**.
+1. Create a new Azure function by going back to the Azure tab, expanding your subscription, and right clicking on **Function App**. Select **Create a Function App in Azure…(Advanced)**.
-<!-- ![Image](Media/CreateFunctionApp.png) -->
+ :::image type="content" source="media/cache-tutorial-functions-getting-started/cache-create-function-app.png" alt-text="Screenshot of creating a function app in VS Code.":::
-You see several prompts on information to configure the new functions app:
+1. You see several prompts on information to configure the new functions app:
-- Enter a unique name-- Choose **.NET 6** as the runtime stack-- Choose either **Linux** or **Windows** (either works)-- Select an existing or new resource group to hold the Function App-- Choose the same region as your cache instance-- Select **Premium** as the hosting plan-- Create a new App Service plan-- Choose the **EP1** pricing tier.-- Choose an existing storage account or create a new one-- Create a new Application Insights resource. We use the resource to confirm the trigger is working.
+ - Enter a unique name
+ - Choose **.NET 6** as the runtime stack
+ - Choose either **Linux** or **Windows** (either works)
+ - Select an existing or new resource group to hold the Function App
+ - Choose the same region as your cache instance
+ - Select **Premium** as the hosting plan
+ - Create a new App Service plan
+ - Choose the **EP1** pricing tier.
+ - Choose an existing storage account or create a new one
+ - Create a new Application Insights resource. We use the resource to confirm the trigger is working.
-> [!IMPORTANT]
-> Redis triggers are not currently supported on consumption functions.
->
+ > [!IMPORTANT]
+ > Redis triggers are not currently supported on consumption functions.
+ >
-Wait a few minutes for the new Function App to be created. It appears in the drop down under **Function App** in your subscription. Right click on the new function app and select **Deploy to Function App…**
+1. Wait a few minutes for the new Function App to be created. It appears in the drop-down under **Function App** in your subscription. Right-click on the new function app and select **Deploy to Function App…**
-<!-- ![Image](Media/DeployToFunction.png) -->
+ :::image type="content" source="media/cache-tutorial-functions-getting-started/cache-deploy-to-function.png" alt-text="Screenshot of deploying to a function app in VS Code.":::
-The app builds and starts deploying. You can track progress in the **Output Window**.
+1. The app builds and starts deploying. You can track progress in the **Output Window**.
### Add connection string information
-Navigate to your new Function App in the Azure portal and select the **Configuration** blade from the Resource menu. Select **New application setting** and enter `redisConnectionString` as the Name, with your connection string as the Value. Set Type to _Custom_, and select **Ok** to close the menu and then **Save** on the Configuration page to confirm. The functions app will restart with the new connection string information.
+1. Navigate to your new Function App in the Azure portal and select the **Configuration** from the Resource menu.
+
+1. Select **New application setting** and enter `redisConnectionString` as the Name, with your connection string as the Value. Set Type to _Custom_, and select **Ok** to close the menu and then **Save** on the Configuration page to confirm. The functions app restarts with the new connection string information.
### Test your triggers
-Once deployment is complete and the connection string information added, open your Function App in the Azure portal and select **Log Stream** from the Resource menu. Wait for log analytics to connect, and then use the Redis console to activate any of the triggers. You should see the triggers being logged here.
+1. Once deployment is complete and the connection string information added, open your Function App in the Azure portal and select **Log Stream** from the Resource menu.
+
+1. Wait for log analytics to connect, and then use the Redis console to activate any of the triggers. You should see the triggers being logged here.
-<!-- ![Image](Media/LogStream.png) -->
+ :::image type="content" source="media/cache-tutorial-functions-getting-started/cache-log-stream.png" alt-text="Screenshot of log stream for a function app resource in the Resource menu." lightbox="media/cache-tutorial-functions-getting-started/cache-log-stream.png":::
## Next steps
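Review bot: Step 2 under "Add connection string information" has the reader paste the raw connection string into an application setting, while the IMPORTANT note earlier in this file recommends Azure Key Vault for production; repeat or link that guidance at this step so the deployed app is not left on the clear-text tutorial setup. Smaller points in the same hunk: the alt text for `cache-console.png` reads "Screenshot of C# code and a connection string." although the step describes the portal Console tool, and on the triggers-working image `source` is the `-lightbox.png` file while `lightbox` is the plain file, which looks swapped. After dropping "blade", step 1 now reads "select the **Configuration** from the Resource menu"; remove "the".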
azure-functions Configure Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/configure-monitoring.md
Azure Functions integrates with Application Insights to better enable you to mon
You can use Application Insights without any custom configuration. The default configuration can result in high volumes of data. If you're using a Visual Studio Azure subscription, you might hit your data cap for Application Insights. For information about Application Insights costs, see [Application Insights billing](../azure-monitor/logs/cost-logs.md#application-insights-billing). For more information, see [Solutions with high-volume of telemetry](#solutions-with-high-volume-of-telemetry).
-Later in this article, you learn how to configure and customize the data that your functions send to Application Insights. For a function app, logging is configured in the *[host.json]* file.
+Later in this article, you learn how to configure and customize the data that your functions send to Application Insights. Common logging configuration can be set in the *[host.json]* file. By default, these settings also govern custom logs emitted by your code, though in some cases this behavior can be disabled in favor of options that give you more control over logging. See [Custom logs](#custom-logs) for more information.
> [!NOTE] > You can use specially configured application settings to represent specific settings in a *host.json* file for a specific environment. This lets you effectively change *host.json* settings without having to republish the *host.json* file in your project. For more information, see [Override host.json values](functions-host-json.md#override-hostjson-values).
+## Custom logs
+
+By default, custom logs you write are sent to the Functions host, which then sends them to Application Insights through the ["Worker" category](#configure-categories). Some language stacks allow you to instead send the logs directly to Application Insights, giving you full control over how logs you write are emitted. The following table summarizes the options available to each stack:
+
+| Language stack | Configuration of custom logs |
+|-|-|
+| .NET (in-process model) | `host.json` |
+| .NET (isolated model) | By default: `host.json`<br/>Option to send logs directly: [Configure Application Insights in the HostBuilder](./dotnet-isolated-process-guide.md#application-insights) |
+| Node.JS | `host.json` |
+| Python | `host.json` |
+| Java | By default: `host.json`<br/>Option to send logs directly: [Configure the Application Insights Java agent](../azure-monitor/app/monitor-functions.md#distributed-tracing-for-java-applications) |
+| PowerShell | `host.json` |
+
+When custom logs are sent directly, the host no longer be emits them, and `host.json` no longer controls their behavior. Similarly, the options exposed by each stack only apply to custom logs, and they do not change the behavior of the other runtime logs described in this article. To control the behavior of all logs, you may need to make changes for both configurations.
+ ## Configure categories The Azure Functions logger includes a *category* for every log. The category indicates which part of the runtime code or your function code wrote the log. Categories differ between version 1.x and later versions. The following chart describes the main categories of logs that the runtime creates:
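Review bot: The last added paragraph of "Custom logs" says "the host no longer be emits them"; it should read "the host no longer emits them". The same paragraph ends with "you may need to make changes for both configurations" without naming them; say `host.json` and the stack-specific option from the table, so readers know the two places where log behavior has to be set.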
azure-functions Dotnet Isolated Process Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/dotnet-isolated-process-guide.md
The following code shows an example of a [HostBuilder] pipeline:
This code requires `using Microsoft.Extensions.DependencyInjection;`.
-A [HostBuilder] is used to build and return a fully initialized [IHost] instance, which you run asynchronously to start your function app.
+A [HostBuilder] is used to build and return a fully initialized [`IHost`][IHost] instance, which you run asynchronously to start your function app.
:::code language="csharp" source="~/azure-functions-dotnet-worker/samples/FunctionApp/Program.cs" id="docsnippet_host_run":::
Dependency injection is simplified, compared to .NET class libraries. Rather tha
The following example injects a singleton service dependency:
+```csharp
+.ConfigureServices(services =>
+{
+ services.AddSingleton<IHttpResponderService, DefaultHttpResponderService>();
+})
+```
This code requires `using Microsoft.Extensions.DependencyInjection;`. To learn more, see [Dependency injection in ASP.NET Core](/aspnet/core/fundamentals/dependency-injection?view=aspnetcore-5.0&preserve-view=true).
To compile your project as ReadyToRun, update your project file by adding the `<
## Execution context
-.NET isolated passes a [FunctionContext] object to your function methods. This object lets you get an [ILogger] instance to write to the logs by calling the [GetLogger] method and supplying a `categoryName` string. To learn more, see [Logging](#logging).
+.NET isolated passes a [FunctionContext] object to your function methods. This object lets you get an [`ILogger`][ILogger] instance to write to the logs by calling the [GetLogger] method and supplying a `categoryName` string. To learn more, see [Logging](#logging).
## Bindings
The following service-specific bindings are currently included in the preview:
| Service | Trigger | Input binding | Output binding | |-|-|-|-|
-| [Azure Blobs][blob-sdk-types] | **Preview support** | **Preview support** | _SDK types not recommended<sup>1</sup>_ |
-| [Azure Queues][queue-sdk-types] | **Preview support** | _Input binding does not exist_ | _SDK types not recommended<sup>1</sup>_ |
-| [Azure Service Bus][servicebus-sdk-types] | **Preview support<sup>2</sup>** | _Input binding does not exist_ | _SDK types not recommended<sup>1</sup>_ |
-| [Azure Event Hubs][eventhub-sdk-types] | **Preview support** | _Input binding does not exist_ | _SDK types not recommended<sup>1</sup>_ |
-| [Azure Cosmos DB][cosmos-sdk-types] | _SDK types not used<sup>3</sup>_ | **Preview support** | _SDK types not recommended<sup>1</sup>_ |
-| [Azure Tables][tables-sdk-types] | _Trigger does not exist_ | **Preview support** | _SDK types not recommended<sup>1</sup>_ |
-| [Azure Event Grid][eventgrid-sdk-types] | **Preview support** | _Input binding does not exist_ | _SDK types not recommended<sup>1</sup>_ |
+| [Azure Blobs][blob-sdk-types] | **Preview support** | **Preview support** | _SDK types not recommended.<sup>1</sup>_ |
+| [Azure Queues][queue-sdk-types] | **Preview support** | _Input binding does not exist_ | _SDK types not recommended.<sup>1</sup>_ |
+| [Azure Service Bus][servicebus-sdk-types] | **Preview support<sup>2</sup>** | _Input binding does not exist_ | _SDK types not recommended.<sup>1</sup>_ |
+| [Azure Event Hubs][eventhub-sdk-types] | **Preview support** | _Input binding does not exist_ | _SDK types not recommended.<sup>1</sup>_ |
+| [Azure Cosmos DB][cosmos-sdk-types] | _SDK types not used<sup>3</sup>_ | **Preview support** | _SDK types not recommended<.sup>1</sup>_ |
+| [Azure Tables][tables-sdk-types] | _Trigger does not exist_ | **Preview support** | _SDK types not recommended.<sup>1</sup>_ |
+| [Azure Event Grid][eventgrid-sdk-types] | **Preview support** | _Input binding does not exist_ | _SDK types not recommended.<sup>1</sup>_ |
[blob-sdk-types]: ./functions-bindings-storage-blob.md?tabs=isolated-process%2Cextensionv5&pivots=programming-language-csharp#binding-types [cosmos-sdk-types]: ./functions-bindings-cosmosdb-v2.md?tabs=isolated-process%2Cextensionv4&pivots=programming-language-csharp#binding-types
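Review bot: In the Azure Cosmos DB row, the output-binding cell was changed to `_SDK types not recommended<.sup>1</sup>_`, with the period inside the opening tag, so the footnote marker will not render as superscript. Move the period to match the other rows: `_SDK types not recommended.<sup>1</sup>_`.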
This section shows how to work with the underlying HTTP request and response obj
## Logging
-In .NET isolated, you can write to logs by using an [ILogger] instance obtained from a [FunctionContext] object passed to your function. Call the [GetLogger] method, passing a string value that is the name for the category in which the logs are written. The category is usually the name of the specific function from which the logs are written. To learn more about categories, see the [monitoring article](functions-monitoring.md#log-levels-and-categories).
+In .NET isolated, you can write to logs by using an [`ILogger`][ILogger] instance obtained from a [FunctionContext] object passed to your function. Call the [GetLogger] method, passing a string value that is the name for the category in which the logs are written. The category is usually the name of the specific function from which the logs are written. To learn more about categories, see the [monitoring article](functions-monitoring.md#log-levels-and-categories).
-The following example shows how to get an [ILogger] and write logs inside a function:
+The following example shows how to get an [`ILogger`][ILogger] and write logs inside a function:
:::code language="csharp" source="~/azure-functions-dotnet-worker/samples/Extensions/Http/HttpFunction.cs" id="docsnippet_logging" :::
-Use various methods of [ILogger] to write various log levels, such as `LogWarning` or `LogError`. To learn more about log levels, see the [monitoring article](functions-monitoring.md#log-levels-and-categories).
+Use various methods of [`ILogger`][ILogger] to write various log levels, such as `LogWarning` or `LogError`. To learn more about log levels, see the [monitoring article](functions-monitoring.md#log-levels-and-categories).
+
+An [`ILogger`][ILogger] is also provided when using [dependency injection](#dependency-injection).
+
+As part of configuring your app in `Program.cs`, you can also define the behavior for how errors are surfaced to your logs. By default, exceptions thrown by your code may end up wrapped in an `RpcException`. To remove this extra layer, set the `EnableUserCodeExceptions` property to "true" as part of configuring the builder:
+
+```csharp
+ var host = new HostBuilder()
+ .ConfigureFunctionsWorkerDefaults(builder => {}, options =>
+ {
+ options.EnableUserCodeExceptions = true;
+ })
+ .Build();
+```
+
+### Application Insights
+
+You can configure your isolated process application to emit logs directly [Application Insights](../azure-monitor/app/app-insights-overview.md?tabs=net), giving you control over how those logs are emitted. To do this, you will need to add a reference to [Microsoft.Azure.Functions.Worker.ApplicationInsights, version 1.0.0-preview5 or later](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.ApplicationInsights/). You will also need to reference [Microsoft.ApplicationInsights.WorkerService](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WorkerService). Add these packages to your isolated process project:
+
+```dotnetcli
+dotnet add package Microsoft.ApplicationInsights.WorkerService
+dotnet add package Microsoft.Azure.Functions.Worker.ApplicationInsights --prerelease
+```
+
+You then need to call to `AddApplicationInsightsTelemetryWorkerService()` and `ConfigureFunctionsApplicationInsights()` during service configuration in your `Program.cs` file:
-An [ILogger] is also provided when using [dependency injection](#dependency-injection).
+```csharp
+ var host = new HostBuilder()
+ .ConfigureFunctionsWorkerDefaults()
+ .ConfigureServices(services => {
+ services.AddApplicationInsightsTelemetryWorkerService();
+ services.ConfigureFunctionsApplicationInsights();
+ })
+ .Build();
+
+ host.Run();
+```
+
+The call to `ConfigureFunctionsApplicationInsights()` adds an `ITelemetryModule` listening to a Functions-defined `ActivitySource`. This creates dependency telemetry needed to support distributed tracing in Application Insights. To learn more about `AddApplicationInsightsTelemetryWorkerService()` and how to use it, see [Application Insights for Worker Service applications](../azure-monitor/app/worker-service.md).
+
+> [!IMPORTANT]
+> The Functions host and the isolated process worker have separate configuration for log levels, etc. Any [Application Insights configuration in host.json](./functions-host-json.md#applicationinsights) will not affect the logging from the worker, and similarly, configuration made in your worker code will not impact logging from the host. You may need to apply changes in both places if your scenario requires customization at both layers.
+
+The rest of your application continues to work with `ILogger`. However, by default, the Application Insights SDK adds a logging filter that instructs `ILogger` to capture only warnings and more severe logs. If you want to disable this behavior, remove the filter rule as part of service configuration:
+
+```csharp
+ var host = new HostBuilder()
+ .ConfigureFunctionsWorkerDefaults()
+ .ConfigureServices(services => {
+ services.AddApplicationInsightsTelemetryWorkerService();
+ services.ConfigureFunctionsApplicationInsights();
+ services.Configure<LoggerFilterOptions>(options =>
+ {
+ LoggerFilterRule defaultRule = options.Rules.FirstOrDefault(rule => rule.ProviderName
+ == "Microsoft.Extensions.Logging.ApplicationInsights.ApplicationInsightsLoggerProvider");
+ if (defaultRule is not null)
+ {
+ options.Rules.Remove(defaultRule);
+ }
+ });
+ })
+ .Build();
+
+ host.Run();
+```
## Debugging when targeting .NET Framework
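Review bot: The last snippet under "Application Insights" uses `LoggerFilterOptions`, `LoggerFilterRule` and `FirstOrDefault` but, unlike the dependency-injection example ("This code requires `using Microsoft.Extensions.DependencyInjection;`"), does not say which `using` directives it needs; add that line. The paragraph before it only describes the filtered behavior (warnings and more severe), so also state which level applies once the default rule is removed, because lower-severity logs sent straight to Application Insights raise data volume and widen what ends up in telemetry. Wording: "emit logs directly [Application Insights]" is missing "to", "need to call to" should be "need to call", and the text sets `EnableUserCodeExceptions` to "true" in quotes while the code assigns the boolean `true`.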
azure-functions Functions Create Container Registry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-create-container-registry.md
Title: Create Azure Functions in a local Linux container
description: Get started with Azure Functions by creating a containerized function app on your local computer and publishing the image to a container registry. Last updated 06/23/2023 + zone_pivot_groups: programming-languages-set-functions
azure-functions Functions Run Local https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-run-local.md
description: Learn how to code and test Azure Functions from the command prompt
ms.assetid: 242736be-ec66-4114-924b-31795fd18884 Last updated 06/26/2023-+ zone_pivot_groups: programming-languages-set-functions
azure-government Documentation Government Csp List https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-csp-list.md
Below you can find a list of all the authorized Cloud Solution Providers (CSPs),
|[Quest Media & Supplies Inc.](https://www.questsys.com/)| |[Quisitive](https://quisitive.com)| |[Quite Professionals](https://www.quietprofessionalsllc.com)|
-|[R3 LLC](https://www.r3.com)|
+|[R3 LLC](https://www.r3-it.com)|
|[Ravnur Inc.](https://www.ravnur.com)| |[Razor Technology, LLC](https://www.razor-tech.com)| |[Re:discovery Software, Inc.](https://rediscoverysoftware.com)|
azure-large-instances Configure Azure Service Health Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-large-instances/configure-azure-service-health-alerts.md
+
+ Title: Configure Azure service health alerts
+
+description: Explains how to configure Azure service health alerts.
+ms. Title: Configure Azure service health alerts
++++ Last updated : 06/01/2023+
+# Configure Azure Service Health alerts
+This article explains how to configure Azure Service Health alerts.
+
+You can get automatic notifications when there are planned maintenance events or unplanned
+downtime that affects your infrastructure.
+
+Follow these steps to configure Service Health alerts:
+
+1. Go to the [Microsoft Azure portal](https://portal.Azure.Com).
+2. Search for ΓÇ£service healthΓÇ¥ in the search bar and select **Service Health** from the results.
+
+ :::image type="content" source="media/health-alerts-step-2.png" alt-text="Screenshot of the health alert dashboard.":::
+
+1. In the Service Health Dashboard, select **Health Alerts**.
+ :::image type="content" source="media/health-alerts-step-3.png" alt-text="Screenshot of the health alert service issues.":::
+
+1. Select **Create service health alert**.
+
+ :::image type="content" source="media/health-alerts-step-4.png" alt-text="Screenshot of create health service alert.":::
+
+1. Deselect **Select all** under **Services**.
+ :::image type="content" source="media/health-alerts-step-5.png" alt-text="Screenshot of create health service alert rule.":::
+
+1. Select **Azure Large Instances**.
+
+1. Select the regions in which your Azure Large Instances for the Epic workload instances are deployed.
+1. Under **Action Groups**, select **Create New**.
+1. Fill in the details and select the type of notification for the Action (Examples: Email, SMS, Voice).
+
+1. Click **OK** to add the Action.
+1. Click **OK** to add the Action Group.
+1. Verify you see your newly created Action Group.
+You will now receive alerts when there are health issues or maintenance actions on your systems.
+
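Review bot: The closing sentence "You will now receive alerts when there are health issues or maintenance actions on your systems." follows the step "Verify you see your newly created Action Group." with no blank line, so it will render as part of that list item; add a blank line before it. The list is numbered `1.`, `2.` and then restarts at `1.`; use `1.` for every step. The portal link is written `https://portal.Azure.Com`; use the lowercase host. The step "Select the regions in which your Azure Large Instances for the Epic workload instances are deployed" repeats "instances".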
azure-large-instances Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-large-instances/faq.md
+
+ Title: Azure Large Instances FAQ
+
+description: Provides resolutions for common issues that arise in working with Azure Large Instances for the Epic workload.
+++++ Last updated : 06/01/2023++
+# Frequently asked questions about the Epic workload on Azure Large Instances
+
+This article provides answers to frequently asked questions about Azure Large Instances.
+
+## In which regions is this service available?
+
+Azure Large Instances is available in the following regions:
+
+* East US
+* US West2
+* US South Central
+
+## Do I need to give permissions to allow the deployment of a managed resource group in my subscription?
+
+No, explicit permissions aren't required but you should register the resource provider with your subscription.
+
+## Why am I not able to see the Azure Large Instances resources in Azure portal?
+
+Check Azure Policy set up if Azure Large Instances managed RGs aren't reflected in the portal.
+Azure subscription you use for Azure Large Instances deployments is registered with the Azure Large Instances infrastructure resource provider by the Microsoft Operations team during the provisioning process.
+If you don't see your deployed Azure Large Instances under your subscription, register the resource provider with your subscription.
+Ensure that your VNET address space provided in the request is the same as what you configure [Working with Azure large Instances in the Azure portal](work-with-azure-large-instances-in-azure-portal.md)
+
+## Is it possible to have Azure ARC installed on Azure Large Instances?
+
+ItΓÇÖs not mandatory, but it's possible.
+If you need guidance, [create a support ticket](work-with-azure-large-instances-in-azure-portal.md#open-a-support-request-for-azure-large-instances) with the Azure Customer Support team to help with your setup.
+
+## How do I monitor Azure Large Instances?
+
+Azure Large Instances is an IaaS offering and Azure teams are actively monitoring Azure Large Instances infrastructure (network devices, storage appliances, server hardware, etc.).
+Customer alerts related to infrastructure are provided only via Azure portalΓÇÖs Service Health.
+Customers are highly recommended to set up Service Health alerts to get notified via their preferred communication channels when service issues, planned maintenance, or other changes happen around Azure Large Instances.
+
+ For more information, see [Configure Azure Service Health Alerts](configure-azure-service-health-alerts.md)
+
+> [!NOTE]
+> Microsoft is not responsible for integration with any other tooling or 3P agents.
+Customers are responsible for any additional third-party agents that they would like to install for logging and monitoring on Azure Large Instances infrastructure.
+
+ItΓÇÖs also recommended to rerun Azure Large Instances GenIO test post third-party agents are installed to check for any performance variations.
+
+## How does Microsoft communicate unplanned issues?
+
+Microsoft sends service health notification only through the Azure portal.
+We always recommend customers to configure alerts for service health notifications.
+
+This monitoring and alerting mechanism is different than traditional mechanisms. It's recommended for customers to set up Service Health alerts to their preferred communication channels for service issues, planned maintenance, or other changes that occur around Azure Large Instances.
+Not setting this up could cause issues with your Azure Large Instances that might go undetected for a long time and cause downtime if not addressed at the right time.
+
+[Receive activity log alerts on Azure service notifications using Azure portal](./../service-health/alerts-activity-log-service-notifications-portal.md)
+## Based on my business priority, can I request a change in the ΓÇ£PlannedΓÇ¥ maintenance schedule for Azure Large Instances - if I must?
+
+Microsoft sends a health notification service for both planned and unplanned events.
+Ensure you configure health alerts for service health notifications.
+If due to any business dependency, you need to request a change in the planned maintenance schedule, the preferred way would be to create a service request.
+Planned maintenance doesn't include emergency fixes/patches required which can't be rescheduled.
+
+## Where do we create an Azure Large Instances-related Service or Support Request?
+
+You can get Help and support in the Azure portal.
+It's available from the Azure portal menu, the global header, or the resource menu for a service and create a Service Request.
+In the dropdown menu you can look for the Epic key word and then "Azure Large Instances" and select appropriate service type.
+
+## What resources are available to learn more?
+
+See [What is Azure Large Instances?](what-is-azure-large-instances.md).
+
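Review bot: The region list mixes naming styles, with "East US" next to "US West2" and "US South Central"; use one consistent form for the region names. Under "Why am I not able to see the Azure Large Instances resources in Azure portal?", the sentence beginning "Ensure that your VNET address space provided in the request is the same as what you configure" runs straight into the link with no connecting words or closing period; finish the sentence and introduce the link with "see". Under "How do I monitor Azure Large Instances?", only the first line of the NOTE carries the `>` prefix; prefix the "Customers are responsible for any additional third-party agents" line too, or separate it with a blank line, so it is clear whether it belongs to the note.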
azure-large-instances Find Your Subscription Id https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-large-instances/find-your-subscription-id.md
+
+ Title: Find your Azure Large Instances subscription ID
+
+description: Explains how to find your Azure Large Instances subscription ID.
+ms. Title: Find your subscription ID
++++ Last updated : 06/01/2023++
+# Find your subscription ID
+This article explains how to find your Azure Large Instances subscription ID.
+
+A *Subscription ID* is a unique identifier for your service in Azure.
+You need it when interacting with the Microsoft Support team. To find your subscription ID, follow these steps:
+
+1. Go to [Azure support portal](https://portal.Azure.Com)
+2. From the left pane, select **Subscriptions**.
+3. A new blade called ΓÇ£SubscriptionsΓÇ¥ will open to display your subscriptions.
+
+1. Choose the subscription you have used for Azure Large Instances.
++++
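Review bot: Step 1 labels the link "Azure support portal", but the target is `https://portal.Azure.Com`, the same address the Service Health article in this change calls the Microsoft Azure portal, and it is written with mixed case; name it consistently and use the lowercase host. The list is numbered `1.`, `2.`, `3.` and then restarts at `1.` for the last step; number every step `1.`.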
azure-large-instances Onboarding Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-large-instances/onboarding-requirements.md
+
+ Title: Onboarding requirements for Azure Large Instances
+
+description: Provides an overview of onboarding requirements for Azure Large Instances.
+ms. Title: Onboarding requirements
++++ Last updated : 06/01/2023++
+# Azure Large Instances onboarding requirements
+
+This article explains the actions to take after you receive an environment from the Microsoft Azure Large Instances team.
+
+## Azure portal
+
+Use the Azure portal to:
+ * Create Azure Virtual Network (or networks) and ExpressRoute Gateway or Gateways with High or Ultra Performance Reference.
+ * Link them with Azure Large Instances stamps using the Circuit/peer ID and Authorization Keys provided by Microsoft team.ΓÇ»
+
+## VNET address space
+
+Ensure that the VNET address space provided in your request is the same as what you configure.
+
+## Time sync
+
+Setup time synchronization with NTP server.ΓÇ»
+
+## Jump box
+
+* Set up a jump box in a VM to connect to Azure Large Instances stamps.
+* Change the root password at first login and store password in a secure location.ΓÇ»
+
+## Satellite server
+
+Install a red hat satellite server in a VM for RHEL 8.4 and patch download.
+
+## Azure Large Instances stamps
+
+* Validate Azure Large Instances stamps and configure and patch OS based on your requirements.ΓÇ»
+* Verify that the servers are visible on Azure portal.
+
+ > [!Note]
+ > Do *not* place large files like Azure Large Instances installation bits on the boot volume. The Boot volume is small and can fill quickly, which could cause the server to hang (50 GB per OS is the boot limit).
+
+## Secure Server IP pool address range
+
+This IP address range is used to assign the individual IP address to Azure Large Instances servers.
+The recommended subnet size is a /24 CIDR block. If needed, it can be smaller, with as few as 64 IP addresses.
+
+From this range, the first 30 IP addresses are reserved for use by Microsoft.
+Make sure that you account for this when you choose the size of the range.
+This range must NOT overlap with your on-premises or other Azure IP addresses.
+
+Your corporate network team or service provider should provide an IP address range that's not currently being used inside your network.
+This range is an IP address range, which must be submitted to Microsoft when asking for an initial deployment.
+
+## Optional IP address ranges to submit to Microsoft
+ΓÇ»
+If you choose to use ExpressRoute Global Reach to enable direct routing from on-premises to Azure Large Instances tenant, you must reserve another /29 IP address range.
+This range may not overlap with any of the other IP addresses ranges you defined before.ΓÇ»
+
+If you choose to use ExpressRoute Global Reach to enable direct routing from an Azure Large Instances tenant in one Azure region to another Azure Large Instances tenant in another Azure region, you must reserve another /29 IP address range.
+This range may not overlap with the IP address ranges you defined before.ΓÇ»
+
+## Using ExpressRoute Fast Path
+
+You can use ExpressRoute Fast Path to access your Azure Large Instances servers from anywhere, Azure VMs (hub and spoke) and on-premises.
+
+For setup instructions, see [Enable ExpressRoute Fast Path](#enable-expressroute-fast-path).
+
+To see the learned routes from Azure Large Instances, one of the options is looking at the Effective Routes table of one of your VMs, as follows:
+
+1. In Azure portal, select any of your VMs (any connected to the Hub, or to a Spoke connected to the Hub that is connected to Azure Large Instances), select **Networking**, select the network interface name, then select **Effective Routes**.
+
+2. Make sure to enable accelerated networking with all VMs connecting to Azure Large Instances.
+
+3. Set up Azure Large Instances solution based on your system requirements and take a system backup.ΓÇ»
+4. Take an OS backup.ΓÇ»
+5. Set up volume groups. For more information, see [Create a volume group](./workloads/epic/create-a-volume-group.md).ΓÇ»
+6. Set up a storage snapshot, backup, and data offload.
+
+> [!Note]
+> A storage snapshot should only be set up after all data-intensive work (for example, Endian conversions) are complete in order to avoid creating unnecessary snapshots while build work is in progress
+
+The Azure subscription you use for Azure Large Instances deployments is already registered with the Azure Large Instances resource provider by the Microsoft Operations team during the provisioning process.
+If you don't see your deployed Azure Large Instances under your subscription, register the resource provider with your subscription. For more information, see Register the resource provider in [What is Azure Large Instances?](what-is-azure-large-instances.md)
+
+### Enable ExpressRoute Fast Path
+
+Before you begin, install the latest version of the Azure Resource Manager PowerShell cmdlets, at least 4.0 or later.
+
+For more information, see these resources:
+
+* [Azure ExpressRoute overview](https://azure.microsoft.com/products/expressroute/)
+
+* [How to create a connection between your VPN Gateway and ExpressRoute circuit](https://learn.microsoft.com/shows/azure/expressroute-how-to-create-connection-between-your-vpn-gateway-expressroute-circuit)
++
+* [How to set up Microsoft peering for your ExpressRoute circuit](https://learn.microsoft.com/shows/azure/expressroute-how-to-set-up-microsoft-peering-your-expressroute-circuit)
+
+### AuthorizingΓÇ»
+
+Ensure you have an authorization key for the express route (ER) circuit used for virtual gateway connection to ER circuit.
+Also obtain ER circuit resource ID.
+
+If you donΓÇÖt have this information, obtain the details from the circuit owner. Reach out to Azure Large Instances support by [creating a support ticket](work-with-azure-large-instances-in-azure-portal.md#open-a-support-request-for-azure-large-instances) with the Azure Customer Support team.
+### Declare variables
+
+This example declares the variables using the values for this exercise.
+Replace the values with your subscription values.
+
+```azurecli
+$Sub = "Replace_With_Your_Subscription_ID"
+$RG = "Your_Resource_Group_Name"
+$CircuitName="ExpressRoute Circuit Name"
+$Location="Location_Name" #Example: "East US"
+$GWName="VNET_Gateway_Name"
+$ConnectionName=ΓÇ¥ER Gateway Connection NameΓÇ¥
+$Authkey="ExpressRoute Circuit Authorization Key"
+```
+### Login into your account
+```azurecli
+Login-AzAccount
+```
+### Check the subscription for the account.
+```azurecli
+Get-AzSubscriptionΓÇ»
+```
+### Specify the subscription that you want to use
+
+```azurecli
+Select-AzSubscription -SubscriptionId $Sub1ΓÇ»
+```
+ΓÇ»
+### Enable ER FastPath on the gateway connection.ΓÇ»
+```$Circuit = Get-AzExpressRouteCircuit -Name $CircuitName -ResourceGroupName $RG
+$GW = Get-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG```
+dotnetcli
+
+```
+#### Declare a variable for the gateway object
+
+```azurecli
+$gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
+
+Enable MSEEv2 using "ExpressRouteGatewayBypass" flag
+$connection = New-AzVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $RG -ExpressRouteGatewayBypass -VirtualNetworkGateway1 $GW -PeerId $Circuit.Id -ConnectionType ExpressRoute -Location $Location -AuthorizationKey $AuthkeyΓÇ»
+```
+
+#### Declare a variable for the Express route circuit ID
+
+```azurecli
+$id = "/subscriptions/ΓÇ¥express route subscrioption IDΓÇ¥/resourceGroups/ΓÇ¥ER resource groupΓÇ¥/providers/Microsoft.Network/expressRouteCircuits/ΓÇ¥circuitΓÇ¥ΓÇ»
+```
+
+#### Enable MSEEv2 using the **ExpressRouteGatewayBypass** flag
+
+```azurecli
+New-AzureRmVirtualNetworkGatewayConnection -Name "Virtual Gateway connection name" -ResourceGroupName $RG1ΓÇ»-Location $Location1 -VirtualNetworkGateway1 $gw -PeerId $id -AuthorizationKey $Authkey -ConnectionType ExpressRouteΓÇ»-ExpressRouteGatewayBypass ΓÇ»
+```
+ΓÇ»
+### Enable Accelerated Networking on VMs
+
+To take advantage of low latency access on VMs network stack, enable accelerated networking (AN), also known as SR-IOV, on supported VMs.
+For more information, see [Accelerated networking for Windows or Linux virtual machines](./../virtual-network/create-vm-accelerated-networking-cli.md).
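Review bot: The PowerShell from "Declare variables" through the second "Enable MSEEv2" block cannot run as written, because later commands use names that are never declared: `$Sub1`, `$GWName1`, `$RG1` and `$Location1` appear where the variables block defines `$Sub`, `$GWName`, `$RG` and `$Location`. Use one set of names throughout. In the same region, the fence under "Enable ER FastPath on the gateway connection" opens and closes on the code lines themselves and leaves a stray `dotnetcli` line and an empty fence. The sentence `Enable MSEEv2 using "ExpressRouteGatewayBypass" flag` sits inside a code block without a `#`. `$ConnectionName` and `$id` are delimited with typographic quotes instead of `"`. The connection is created twice, once with `New-AzVirtualNetworkGatewayConnection` and once with the older `New-AzureRmVirtualNetworkGatewayConnection`; keep the Az cmdlet and drop the duplicate. These blocks are PowerShell, so the `azurecli` fence tag is wrong. `$Authkey` holds the circuit authorization key as a literal string. Because that key is what authorizes the gateway connection to the circuit, the text should tell readers not to save it in the script and to read it from a secret store or prompt for it at run time. The "Jump box" bullets should also say what "a secure location" for the root password means. Finally, steps 2 to 6 under "To see the learned routes" are setup tasks unrelated to viewing Effective Routes and belong in their own list.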
azure-large-instances Quality Checks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-large-instances/quality-checks.md
+
+ Title: Quality checks for Azure Large Instances
+
+description: Provides an overview of Azure Large Instances for Epic quality checks.
+
+ms. Title: Quality checks
+++ Last updated : 06/01/2023++
+# Quality checks for Azure Large Instances
+This article provides an overview of Azure Large Instances for Epic<sup>®</sup> quality checks.
+
+The Microsoft operations team performs a series of extensive quality checks to ensure that customers' requests to run Azure Large Instances for Epic<sup>®</sup> are fulfilled accurately, and that infrastructure is healthy before handover.
+However, customers are advised to perform their own checks to ensure services have been provided as requested, including the following:
+
+* Basic connectivity
+* Latency check
+* Server health check from operating system
+* OS level sanity checks / configuration checks
+
+The following sections identify quality checks often performed by Microsoft teams before the infrastructure handover to the customer.
+
+## Network
+
+* IP blade information
+* Access control list on firewall
+
+## Compute
+
+* Number of processors and cores for servers
+* Accuracy of memory size for the assigned server
+* Latest firmware version on the blades
+
+## Storage
+
+* Size of boot LUN and FC LUNs are consistent with the Azure Large Instances on Epic standard configuration
+* SAN configuration
+* Required VLANs creation
+
+## Operating System
+
+* Accuracy of LUNs
+
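Review bot: "Access control list on firewall" under "Network" names a security control without saying what is verified, so a customer cannot tell what was checked or repeat the check; state what the ACL is compared against and whether the result is shared at handover. The same applies to the four customer-side checks in the introduction, which are listed with no pointer to how to perform them. Smaller points: the description scopes the article to Epic while the title and H1 do not, "Size of boot LUN and FC LUNs are consistent" needs a subject-verb fix, and "Accuracy of LUNs" under "Operating System" does not say accurate against what.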
azure-large-instances What Is Azure Large Instances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-large-instances/what-is-azure-large-instances.md
+
+ Title: What is Azure Large Instances?
+
+description: Provides an overview of Azure Large Instances.
+
+ms. Title: What is Azure Large Instances?
++++ Last updated : 06/01/2023++
+# What is Azure Large Instances?
+
+While Microsoft Azure offers a cloud infrastructure with a wide range of integrated cloud services to meet your business needs,
+in some cases, you may need to run services on Azure large servers without a virtualization layer. You may also require root access and control over the operating system (OS). To meet these needs, Azure offers Azure Large Instances for several high-value, mission-critical applications.
+
+Azure Large Instances is comprised of dedicated large compute instances with the following key features:
+
+- High-performance storage appropriate to the application (Fiber Channel).
+ Storage can also be shared across Azure Large Instances to enable features like scale-out clusters or high availability pairs with failed-node-fencing capability.
+
+- A set of function-specific virtual LANs (VLANs) in an isolated environment.
+ This environment also has special VLANs you can access if you're running virtual machines (VMs) on one or more Azure Virtual Networks (VNets) in your Azure subscription.
+ The entire environment is represented as a resource group in that subscription.
+
+- A large set of Azure Large Instances SKUs is available with Optane memory.
+ Azure offers the largest range of Azure Large Instances in a hyperscale cloud.
+
+## Why Azure Large Instances?
+
+Some workloads in the enterprise consist of technologies that just aren't designed to run in a typical virtualized cloud setting.
+They require special architecture, certified hardware, or extraordinarily large servers. Although those technologies have the most sophisticated data protection and business continuity features, they aren't built for the virtualized cloud.
+They're more sensitive to latencies and noisy neighbors and require more control over change management and maintenance activity.
+
+Azure Large Instances is built, certified, and tested for a select set of such applications. Azure was the first to offer such solutions and has since led with the largest portfolio and most sophisticated systems.
+
+## Azure Large Instances benefits
+
+Azure Large Instances is intended for critical workloads that require certification to run your enterprise applications.
+Azure Large Instances implementations are dedicated only to you, and you'll have full access (root access) to the operating system (OS).
+You manage OS and application installation according to your needs.
+For security, the instances are provisioned within your Azure Virtual Network (VNet) with no internet connectivity. If you need access to the internet, you need to set up an internet proxy service.
+
+Only services running on your virtual machines (VMs), and other Azure services in same Tier 2 network, can communicate with your implementation of Azure Large Instances.
+
+Azure Large Instances offers the following benefits:
+
+* Non-hypervised Azure Large Instances, single tenant ownership
+* Low latency between Azure hosted application VMs to Azure Large Instances implementations (0.35 ms)
+* All Flash SSD and NVMe
+ * Up to 1 PB/tenant
+ * IOPS up to 1.2 million/tenant
+ * 40/100-GB network bandwidth
+ * Accessible via FC
+* Redundant power, power supplies, NICs, TORs, ports, WANs, storage, and management
+* Hot spares for replacement on a failure (without the need for reconfiguring)
+* Customer-coordinated maintenance windows
+* Application-aware snapshots, archive, mirroring, and cloning
+
+## SKU availability in Azure regions
+
+Azure Large Instances for specialized workloads is available in the following Azure regions:
+
+* West Europe
+* North Europe
+* Germany West Central zones support
+* East US zones support
+* East US 2 zones support
+* West US zones support
+* West US 2 zones support
+* South Central US
+* South Central US
+
+> [!Note]
+>Zones support refers to availability zones in which a region where Azure Large Instances can be deployed across zones for high resiliency and availability. This capability enables support for multi-site active-active scaling.
+
+## Managing Azure Large Instances in Azure
+
+Depending on your needs, the application topologies of Azure Large Instances can be complex. You may deploy multiple instances in one or more locations. The instances can have shared or dedicated storage, and specialized LAN and WAN connections
+Therefore, for Azure Large Instances, Azure offers a consultation with a CSA/GBB in the field who can work with you.
+
+By the time your Azure Large Instances implementation has been provisioned, the OS, networks, storage volumes, placements in zones and regions, and WAN connections between locations have already been configured.
+You're set to register your OS licenses (BYOL), configure the OS, and install the application layer.
+
+You'll see all the Azure Large Instances resources, and their state and attributes, in the Azure portal. You can also operate the instances, open service requests, and support tickets from there.
+
+Azure Large Instances is ISO 27001, ISO 27017, ISO 27018, SOC 1, and SOC 2 compliant. It also uses a bring-your-own-license (BYOL) model: OS, specialized workload, and third-party applications.
+
+As soon as you receive root access and full control, you assume responsibility for the following tasks:
+
+- Designing and implementing backup and recovery solutions, high availability, and disaster recovery.
+
+- Licensing, security, and support for the OS and third-party software.
+
+Microsoft is responsible for:
+- Providing the hardware for specialized workloads.
+- Provisioning the OS.
+
+ :::image type="content" source="media/what-is-azure-large-instances/azure-large-instances-support-model.png" alt-text="Screenshot of Azure Large Instances support model." lightbox="media/what-is-azure-large-instances/azure-large-instances-support-model.png" border="false":::
++
+## Azure Large Instances stamp
+
+The Azure Large instance stamp itself combines the following components:
+
+* **Computing**
+Servers based on the generation of Intel Xeon processors that provide the necessary computing capability and are certified for the specialized workload.
+
+* **Network**
+A unified high-speed network fabric interconnects computing, storage, and LAN components.
+
+* **Storage**
+An infrastructure accessed through a unified network fabric.
+
+Within the multi-tenant infrastructure of the Azure Large instance stamp, customers are deployed in isolated tenants.
+When deploying a tenant, you name an Azure subscription within your Azure enrollment.
+This Azure subscription is the one billed for your implementation of Azure Large Instances.
+
+> [!Note]
+> A customer implementing Azure Large Instances is isolated into a tenant.
+A tenant is isolated in the networking, storage, and compute layer from other tenants.
+Storage and compute units assigned to different tenants cannot see each other or communicate with each other on their implementations of Azure Large Instances.
+
+## Operating system
+
+The Linux OS version for Azure Large Instances is Red Hat Enterprise Linux (RHEL) 8.4.
+
+>[!Note]
+> Remember,Check properties of an instance Azure Large Instances is a BYOL model.
+
+Microsoft loads base image with RHEL 8.4, but customers can choose to upgrade to newer versions in collaboration with Microsoft team.
+
+## Storage
+
+Azure Large Instances provide highly redundant Fiber Channel storage.
+The infrastructure offers deep integration for enterprise workloads like SAP, SQL, and others.
+It also provides application-consistent data protection and data-management capabilities.
+The self-service management tools offer space-efficient snapshot, cloning, and granular replication capabilities along with single pane of glass monitoring.
+The infrastructure enables zero Recovery Point Objective (RPO) and Recovery Time Objective (RTO) capabilities for data availability and business continuity needs.
+
+The storage infrastructure offers:
+
+* Up to 4 x 100-GB uplinks.
+* Up to 32-GB Fiber channel uplinks.
+* All flash SSD and NVMe drive.
+* Ultra-low latency and high throughput.
+* Scales up to 4 PB of raw storage.
+* Up to 11 million IOPS.
+
+Fiber Channel Protocol (FCP) is supported.
+
+## Networking
+
+The architecture of Azure network services is a key component for a successful deployment of specialized workloads in Azure Large Instances.
+It's likely that not all IT systems are located in Azure already. Azure offers you network technology to make Azure look like a virtual data center to your on-premises software deployments.
+The Azure network functionality required for Azure Large Instances includes:
+
+* Azure virtual networks connected to the Azure ExpressRoute circuit that connects to your on-premises network assets.
+* The ExpressRoute circuit that connects on-premises to Azure should have a minimum bandwidth of 1 Gbps or higher.
+* Extended Active Directory and DNS in Azure, or completely running in Azure.
+* ExpressRoute lets you extend your on-premises network into the Microsoft cloud over a private connection with a connectivity provider's help.
+You can use ExpressRoute Local for cost-effective data transfer between your on-premises location and the Azure region you want.
+To extend connectivity across geopolitical boundaries, you can enable ExpressRoute Premium.
+
+Azure Large Instances is provisioned within your Azure VNet server IP address range.
++
+The architecture shown is divided into three sections:
+
+### On-premises (left)
+Shows the customer on-premises infrastructure that runs different applications, connecting through the partner or local edge router like Equinix.
+For more information, see [Connectivity providers and locations: Azure ExpressRoute](../expressroute/expressroute-locations-providers.md).
+
+### ExpressRoute (center)
+Shows ExpressRoute provisioned using your Azure subscription offering connectivity to Azure edge network.
+
+### Azure IaaS with VMs (right)
+Shows Azure IaaS, and in this case, use of VMs to host your applications, which are provisioned within your Azure virtual network.
+
+### ExpressRoute Gateway (lower)
+Shows using your ExpressRoute Gateway enabled with ExpressRoute FastPath for Azure Large Instances connectivity offering low latency.
+
+> [!Note]
+>To support this configuration, your ExpressRoute Gateway should be UltraPerformance. For more information, [About ExpressRoute virtual network gateways](../expressroute/expressroute-about-virtual-network-gateways.md).
+++
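Review bot: The isolation model is described inconsistently: "Azure Large Instances benefits" says implementations are "dedicated only to you" with "single tenant ownership", while "Azure Large Instances stamp" says customers are deployed "Within the multi-tenant infrastructure" of the stamp. State once which layers are dedicated and which are shared. The note that follows loses its last two lines because they lack the `>` prefix, so the sentences on network, storage and compute isolation render outside the callout. Other fixes: the note under "Operating system" reads "Remember,Check properties of an instance Azure Large Instances is a BYOL model", which looks like a pasted heading. "South Central US" is listed twice in the regions list. "The architecture shown is divided into three sections" is followed by four subsections, and no image line survives above it. The benefits list gives "Up to 1 PB/tenant" and "IOPS up to 1.2 million/tenant" while "Storage" gives 4 PB and 11 million IOPS without saying that the scope differs. "40/100-GB", "100-GB uplinks" and "32-GB Fiber channel" should be checked against Gb, since they describe link speeds. The closing note requires an UltraPerformance gateway, while the onboarding article in this same update allows "High or Ultra Performance".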
azure-large-instances Work With Azure Large Instances In Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-large-instances/work-with-azure-large-instances-in-azure-portal.md
+
+ Title: Work with Azure Large Instances in the Azure portal
+
+description: Shows how to what you can do in the Azure portal with Azure Large Instances.
++
+ms. Title: Work with Azure Large Instances in the Azure portal
+++ Last updated : 06/01/2023++
+# Work with Azure Large Instances in the Azure portal
+
+In this article, you learn what to do in the Azure portal with your implementation of Azure Large Instances.
+
+> [!Note]
+> For now, BareMetal Infrastructure or BareMetal Instances are being used as synonyms with Azure Large Instances.
+
+## Register the resource provider
+
+An Azure resource provider for Azure Large Instances enables you to see the instances in the Azure portal. By default, the Azure subscription you use for Azure Large Instances deployments registers the Azure Large Instances resource provider. If you don't see your deployed Azure Large Instances, register the resource provider with your subscription.
+
+You can register the Azure Large Instance resource provider using the Azure portal or the Azure CLI.
+
+### [Portal](#tab/azure-portal)
++
+You need to list your subscription in the Azure portal and then double-click the subscription used to deploy your Azure Large Instances tenant.
+
+1. Sign in to the Azure portal.
+2. On the Azure portal menu, select **All services**.
+3. In the **All services** box, enter **subscription**, and then select **Subscriptions**.
+4. Select the subscription from the subscription list.
+5. Select **Resource providers** and type **BareMetalInfrastructure** in the search box. The resource provider should be Registered, as the image shows.
++
+> [!Note]
+> If the resource provider isn't registered, select **Register**.
+
+### [Azure CLI](#tab/azure-cli)
+
+To begin using Azure CLI:
++
+[comment]: <The following section duplicates the content provided by the INCLUDE above>
+
+Use the Bash environment in [Azure Cloud Shell](../cloud-shell/overview.md).
+For more information, see [Quickstart for Bash in Azure Cloud Shell](../cloud-shell/quickstart.md).
+
+If you prefer to run CLI reference commands locally, [install](https://learn.microsoft.com/cli/azure/install-azure-cli) the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see [How to run the Azure CLI in a Docker container](https://learn.microsoft.com/cli/azure/run-azure-cli-docker).
+
+If you're using a local installation, sign in to the Azure CLI by using the [az login command](https://learn.microsoft.com/cli/azure/reference-index?view=azure-cli-latest#az-login). To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see [Sign in with the Azure CLI](https://learn.microsoft.com/cli/azure/authenticate-azure-cli).
+
+When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see [Use extensions with the Azure CLI](https://learn.microsoft.com/cli/azure/azure-cli-extensions-overview).
+
+Run [az version](https://learn.microsoft.com/cli/azure/reference-index?view=azure-cli-latest#az-version) to find the version and dependent libraries that are installed. To upgrade to the latest version, run [az upgrade](https://learn.microsoft.com/cli/azure/reference-index?view=azure-cli-latest#az-upgrade).
+
+For more information about resource providers, see [Azure resource providers and types](./../azure-resource-manager/management/resource-providers-and-types.md).
+
+[comment]: <End of Include content>
+
+Sign in to the Azure subscription you use for the Azure Large Instances deployment through the Azure CLI.
+Register the BareMetalInfrastructure Azure Large Instance resource provider with the az provider register command:
+
+```azurecli
+az provider register --namespace Microsoft.BareMetalInfrastructure
+```
+
+You can use the az provider list command to see all available providers.
+++
+For more information about resource providers, see [Azure resource providers and types](../azure-resource-manager/management/resource-providers-and-types.md).
+
+## Azure Large Instances in the Azure portal
+
+When you submit an Azure Large Instances deployment request, specify the Azure subscription you're connecting to the Azure Large Instances. Use the same subscription you use to deploy the application layer that works against the Azure Large Instances.
+
+ During the deployment of your Azure Large Instances, a new [Azure resource group](../azure-resource-manager/management/manage-resources-portal.md) is created in the Azure subscription you used in the deployment request.
+This new resource group lists the Azure Large Instances you've deployed in that subscription.
+
+### [Portal](#tab/azure-portal)
+
+1. In the Azure portal, in the Azure Large Instances subscription, select **Resource groups**.
+
+ :::image type="content" source="../baremetal-infrastructure/media/connect-baremetal-infrastructure/view-baremetal-instances-azure-portal.png" alt-text="Screenshot showing the list of Resource groups." lightbox="../baremetal-infrastructure/media/connect-baremetal-infrastructure/view-baremetal-instances-azure-portal.png" border="false":::
+
+1. In the list, locate the new resource group.
+
+ :::image type="content" source="../baremetal-infrastructure/media/connect-baremetal-infrastructure/filter-resource-groups.png" alt-text="Screenshot showing the BareMetal instance in a filtered Resource groups list." lightbox="../baremetal-infrastructure/media/connect-baremetal-infrastructure/filter-resource-groups.png" border="false":::
+
+1. Select the new resource group to view its details. The image shows one Azure Large Instances tenant deployed.
+
+### [Azure CLI](#tab/azure-cli)
+
+To see all your Azure Large Instances, run the [az baremetalinstance list](/cli/azure/baremetalinstance#az-baremetalinstance-list) command for your resource group:
+
+```azurecli
+az baremetalinstance list --resource-group MyResourceGroup ΓÇôoutput table
+```
+
+> [!TIP]
+> The `--output` parameter is a global parameter, available for all commands. The **table** value presents output in a friendly format. For more information, see [Output formats for Azure CLI commands](/cli/azure/format-output-azure-cli).
+
+> [!Note]
+> If you deployed several Azure Large Instances tenants under the same Azure subscription, you will see multiple Azure resource groups.
+++
+## View the attributes of a single instance
+
+You can view the details of a single instance.
+
+### [Portal](#tab/azure-portal)
+
+In the list of Azure Large Instances, select the single instance you want to view.
++
+The attributes in the image don't look much different than the Azure virtual machine (VM) attributes.
+On the left, you see the Resource group, Azure region, and subscription name and ID.
+If you assigned tags, you see them here as well.
+By default, the Azure Large Instances don't have tags assigned.
+
+On the right, you see the name of the Azure Large Instances, operating system (OS), IP address, and SKU that shows the number of CPU threads and memory.
+You also see the power state and hardware version (revision of the Azure Large Instances stamp).
+The power state indicates whether the hardware unit is powered on or off. The operating system details, however, don't indicate whether it's up and running.
+
+Also on the right is the [Azure proximity placement group's name](../virtual-machines/co-location.md).
+The placement group's name is created automatically for each deployed Azure Large Instances tenant.
+Reference the proximity placement group when you deploy the Azure VMs that host the application layer.
+Use the proximity placement group associated with the Azure Large Instances to ensure the Azure VMs are deployed close to the Azure Large Instances.
+
+### [Azure CLI](#tab/azure-cli)
+
+To see details of an Azure Large Instances instance, run the [az baremetalinstance show](/cli/azure/baremetalinstance#az-baremetalinstance-show) command:
+
+```azurecli
+az baremetalinstance show --resource-group MyResourceGroup --instance-name MyInstanceName
+```
+
+If you're uncertain of the instance name, run the **az baremetalinstance list** command as previously described.
+++
+## Check activities of a single instance
+
+You can check the activities of a single Azure Large Instances tenant.
+One of the main activities recorded are restarts of the instance.
+The data listed includes:
+
+* Activity status
+* Time the activity triggered
+* Subscription ID
+* Azure user who triggered the activity
+
+ :::image type="content" source="../baremetal-infrastructure/media/connect-baremetal-infrastructure/check-activities-single-baremetal-instance.png" alt-text="Screenshot of the BareMetal instance activities." lightbox="../baremetal-infrastructure/media/connect-baremetal-infrastructure/check-activities-single-baremetal-instance.png":::
+
+Changes to an instance's metadata in Azure also get recorded in the Activity log.
+Besides the restart, you can see the activity of **WriteBareMetalInstances**.
+This activity makes no changes on the Azure Large Instances tenant itself, but documents the changes to the unit's metadata in Azure.
+
+Another activity that gets recorded is adding a tag to or deleting a tag from an instance.
+
+## Add an Azure tag to or delete an Azure tag from an instance
+
+You can add Azure tags to an Azure Large Instances tenant or delete them using either the Portal or Azure CLI.
+
+### [Portal](#tab/azure-portal)
+
+Tags get assigned just as they do when assigning tags to VMs.
+As with VMs, the tags exist in the Azure metadata.
+Tags have the same restrictions for Azure Large Instances as for VMs.
+
+Deleting tags also works the same way as for VMs.
+Both applying and deleting a tag is listed in the Azure Large Instances instance's Activity log.
+
+### [Azure CLI](#tab/azure-cli)
+
+Assigning tags to Azure Large Instances works the same as assigning tags for VMs.
+As with VMs, the tags exist in the Azure metadata.
+Tags have the same restrictions for Azure Large Instances as for VMs.
+
+To add tags to an Azure Large Instances implementation, run the [az baremetalinstance update](/cli/azure/baremetalinstance#az-baremetalinstance-update) command:
+
+```azurecli
+az baremetalinstance update --resource-group MyResourceGroup --instance-name MyALIinstanceName --set tags.Dept=Finance tags.Status=Normal
+```
+
+Use the same command to remove a tag:
+
+```azurecli
+az baremetalinstance update --resource-group MyResourceGroup --instance-name MyALIinstanceName --remove tags.Dept
+```
+++
+### Check properties of an instance
+
+When you acquire the instances, you can go to the Properties section to view the data collected about the instances.
+Data collected includes:
+
+* Azure connectivity
+* Storage backend
+* ExpressRoute circuit ID
+* Unique resource ID
+* Subscription ID
+
+This information is important in support requests and when setting up a storage snapshot configuration.
++
+### Restart an Azure Large Instances tenant through the Azure portal
+
+There are various situations in which the operating system won't complete a restart, which requires a power restart of the Azure Large Instances.
+
+You can do a power restart of the instance directly from the Azure portal or through Azure CLI.
+
+### [Portal](#tab/azure-portal)
+
+Select Restart and then Yes to confirm the restart.
+
+When you restart an AKI instance, you'll experience a delay.
+During this delay, the power state moves from **Starting** to **Started**, which means the OS has started up completely.
+As a result, after a restart, you can only log into the unit once the state switches to **Started**.
+
+### [Azure CLI](#tab/azure-cli)
+
+To restart an Azure Large Instances tenant, use the [az baremetalinstance restart](/cli/azure/baremetalinstance#az-baremetalinstance-restart) command:
+
+```azurecli
+az baremetalinstance restart --resource-group MyResourceGroup --instance-name MyALIinstanceName
+```
+++
+> [!Important]
+> Depending on the amount of memory in your Azure Large Instances, a restart and a reboot of the hardware and operating system can take up to one hour.
+
+### Open a support request for Azure Large Instances
+
+You can submit support requests specifically for Azure Large Instances.
+1. In Azure portal, under **Help + Support**, create a **[New support request](https://rc.portal.azure.com/#create/Microsoft.Support)** and provide the following information for the ticket:
+
+ * **Issue type:** Select an issue type.
+ * **Subscription:** Select your subscription.
+ * **Service:** Select Epic on Azure
+ * **Problem type:** Azure Large Instances
+ * **Problem subtype:** Select a subtype for the problem.
+
+1. Select the **Solutions** tab to find a solution to your problem. If you can't find a solution, go to the next step.
+
+1. Select the **Details** tab and select whether the issue is with VMs or BareMetal instances. This information helps direct the support request to the correct specialists.
+
+1. Indicate when the problem began and select the instance region.
+
+1. Provide more details about the request and upload a file if needed.
+
+1. Select **Review + Create** to submit the request.
+
+Support response depends on the support plan chosen by the customer.
+For more information, see [Support scope and responsiveness](https://azure.microsoft.com/support/plans/response/).
+
+
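Review bot: the support link in step 1 of "Open a support request for Azure Large Instances" points at `https://rc.portal.azure.com/#create/Microsoft.Support` while the sentence says "In Azure portal"; unless the `rc` host is the one customers are meant to sign in to, link to the standard portal host so the step and the link agree. In the Portal tab, "When you restart an AKI instance" looks like a typo for ALI. The line that the power state "moves from **Starting** to **Started**" would also be clearer if it said what the reader sees while the unit is unreachable, given the Important note that a restart can take up to one hour.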
azure-large-instances Available Skus https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-large-instances/workloads/epic/available-skus.md
+
+ Title: Available Azure Large Instances SKUs
+description: Provides a list of Azure Large Instances for Epic SKUs.
+
+ms. Title: Available Azure Large Instances SKUs
+++++ Last updated : 06/01/2023++
+# Azure Large Instances for Epic workload SKUs
+
+This article provides a list of available Azure Large Instances for Epic<sup>®</sup> workload SKUs.
+## Azure Large Instances availability by region
+
+* West Europe
+* North Europe
+* Germany West Central with Zones support
+* East US with Zones support
+* East US 2
+* South Central US
+* West US 2 with Zones support
+
+Azure Large Instances for Epic<sup>®</sup> workload has limited availability and is currently available in the following regions:
+
+* East US with Zones support
+* South Central US
+* West US 2 with Zones support
+
+> [!Note]
+> Zones support refers to availability zones within a region where Azure Large Instances can be deployed across zones for high resiliency and availability. This capability enables support for multi-site active-active scaling.
+
+## Azure Large Instances for Epic availability
+
+| Name | Type | Availability |
+|- |-||
+|4S Compute v1 | S224SE - 4 x Intel® Xeon® Platinum 8380HL processor 112 CPU cores |Available |
+|8S Compute v1 | S448SE - 8 x Intel® Xeon® Platinum 8276L processor 224 CPU cores |Available |
+|100TB v1 | N100 | Available|
+|10TB v1|N10 |Available|
+
+## Tenant considerations
+
+A complete Azure Large Instances for Epic stamp isn't exclusively allocated for a single customer's use.
+This applies to the racks of compute and storage resources connected through a network fabric deployed in Azure as well.
+Azure Large Instances, like Azure, deploys different customer "tenants" that are isolated from one another in the following three levels.
+
+### Network
+
+Isolation through virtual networks within the Azure Large Instances stamp for Epic.
+
+### Storage
+
+Isolation through storage virtual machines that have storage volumes assigned and isolate storage volumes between tenants.
+
+### Compute
+
+Dedicated assignment of server units to a single tenant.
+No hard or soft partitioning of server units.
+No sharing of a single server or host unit between tenants.
+
+The deployments of Azure Large Instances units for Epic between different tenants aren't visible to each other.
+Azure Large Instances units for Epic deployed in different tenants can't communicate directly with each other on the Azure Large Instances for Epic stamp level. Only Azure Large Instances units for Epic within one tenant can communicate with each other on the Azure Large Instances for Epic stamp level.
+
+A deployed tenant in the Azure Large Instances stamp is assigned to one Azure subscription for billing purposes. For a network, it can be accessed from virtual networks of other Azure subscriptions within the same Azure enrollment.
+If you deploy with another Azure subscription in the same Azure region, you also request for a separated Azure Large Instances tenant.
++++
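Review bot: under "Azure Large Instances availability by region" the first bullet list (seven regions, West Europe through West US 2) has no introductory sentence and is followed by a second list, introduced as "currently available in the following regions", with only three entries, so a reader cannot tell which list applies to the Epic workload; add a lead-in that says what the first list covers, or drop it. In "Tenant considerations", the sentence "For a network, it can be accessed from virtual networks of other Azure subscriptions within the same Azure enrollment" follows directly after the three isolation levels and reads as an exception to them; say what governs that cross-subscription access so the isolation statement and the exception are not left in tension. "you also request for a separated Azure Large Instances tenant" is ungrammatical and does not make clear whether this is a requirement or an option, and the table separator row `|- |-||` is malformed.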
azure-large-instances Create A Volume Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-large-instances/workloads/epic/create-a-volume-group.md
+
+ Title: Create a volume group
+description: Explains how to create an ALI for Epic volume group.
+
+ms. Title: Create a volume group
++++ Last updated : 06/01/2023++
+# Create a volume group
+This article explains how to create an Azure Large Instances for Epic<sup>®</sup> volume group.
+1. Discover storage using the following command.
+
+ `[root@rhel101 ~]# lsblk -do KNAME,TYPE,SIZE,MODEL`
+
+1. Create physical disk for database and journal using the WWIDs provided in the reference mapping above.
+
+ `[root@rhel101 ~]# pvcreate /dev/mapper/<WWID`
+
+1. Create and extend the volume groups.
+
+```azurecli
+[root @themetal05 ~] # vgcreate prodvg -s 8M /dev/mapper/<WWID>
+Expected output: Volume group ΓÇ£prodvgΓÇ¥ successfully created
+[root @themetal05 ~] # vgextend prodvg /dev/mapper/<WWID>
+Expected output: Volume group ΓÇ£prodvgΓÇ¥ successfully extended
+```
+
+> [!Note]
+> The ΓÇ£-s 8MΓÇ¥ physical extent size has been used for the environment and was tested to yield the best performance.
+
+4. Create logical volume.
+
+```azurecli
+[root @themetal05 ~] # lvcreate -L 2T -n jrnlv -i 8 -I 8M jrnvg
+Expected output: Logical volume ΓÇ£jrnlvΓÇ¥ created.
+[root @themetal05 ~] # lvcreate -L 45T -n prodlv -i 32 -I 8M prodvg
+Expected output: Logical volume ΓÇ£prodlvΓÇ¥ created.
+[root @themetal05 ~]# lvs
+Expected output: lists all the logical volumes created.
+```
+
+> [!Note]
+ > - `-L 45T` specifies the logical volume size.
+ > - `-i 32` specifies the number of stripes, this is equal to the number of physical LUNs to scatter the logical volume.
+ > - `-I 8M` specifies the stripe size.
+
+5. Make the file system
+
+ `[root @themetal05 ~] # mkfs.xfs /dev/mapper/prodvg-prodlv`
+
+6. Create the folders to mount.
+
+```azurecli
+[root @themetal05 ~] mkdir /prod0;
+[root @themetal05 ~] mkdir /jrn
+[root @themetal05 ~] mkdir /prod
+```
+
+7. Set required permissions.
+
+```azurecli
+[root @themetal05 ~] chmod 755 /prod01
+[root @themetal05 ~] chmod 755 /jrn
+[root @themetal05 ~] chmod 755 /prod
+[root @themetal05 ~] chown root:root /prod01
+[root @themetal05 ~] chown root:root /jrn
+[root @themetal05 ~] chown root:root /prod
+```
+
+8. Add mount to /etc/fstab
+
+```azurecli
+[root @themetal05 ~] /dev/mapper/prodvg-prod01 /prod01 xfs defaults 0 0
+[root @themetal05 ~] /dev/mapper/jrnvg-jrn /jrn xfs defaults 0 0
+[root @themetal05 ~] /dev/mapper/instvg-prd /prd xfs defaults 0 0
+```
+
+9. Mount storage
+
+ `mount -a`
+++++++
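Review bot: the volume group, logical volume and directory names do not line up across steps 3 to 8, so the procedure cannot be followed as written. Step 3 creates only `prodvg`, but step 4 runs `lvcreate ... jrnvg`; step 4 names the volumes `prodlv` and `jrnlv` and step 5 formats `/dev/mapper/prodvg-prodlv`, yet the step 8 entries reference `/dev/mapper/prodvg-prod01`, `/dev/mapper/jrnvg-jrn` and `/dev/mapper/instvg-prd`; step 6 creates `/prod0` while steps 7 and 8 use `/prod01`, and the `/prd` mount point is never created. Since step 9 runs `mount -a` against those entries, pick one set of names and use it throughout, add the `vgcreate` and `mkfs.xfs` for the journal volume, and show the step 8 lines as `/etc/fstab` content without the shell prompt. Also in this hunk: step 2 has an unclosed `<WWID` and refers to a "reference mapping above" that the article does not contain, the Linux shell blocks are fenced as `azurecli`, several prompts are missing the `#`, and the quotation marks in the expected output and in the `-s 8M` note are mis-encoded.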
azure-linux Quickstart Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-linux/quickstart-terraform.md
description: Learn how to quickly create an Azure Linux Container Host for AKS c
+ ms.editor: schaffererin Last updated 06/27/2023
azure-maps How To Use Indoor Module https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-use-indoor-module.md
To use the globally hosted Azure Content Delivery Network version of the *Azure
}; ```
+ To learn more, see [How to use the Azure Maps map control npm package].
+ ## Set the domain and instantiate the Map object Set the map domain with a prefix matching the location of your Creator resource, `US` or `EU`, for example:
Learn more about how to add more data to your map:
[Use Creator to create indoor maps]: tutorial-creator-indoor-maps.md [visual style editor]: https://azure.github.io/Azure-Maps-Style-Editor [Webpack]: https://webpack.js.org
+[How to use the Azure Maps map control npm package]: how-to-use-npm-package.md
azure-maps How To Use Spatial Io Module https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-use-spatial-io-module.md
You can load the Azure Maps spatial IO module using one of the two options:
import * as spatial from "azure-maps-spatial-io"; ```
+ To learn more, see [How to use the Azure Maps map control npm package].
+ ## Using the Spatial IO module 1. Create a new HTML file.
Refer to the Azure Maps Spatial IO documentation:
[Spatial IO module]: https://www.npmjs.com/package/azure-maps-spatial-io [subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account [Supported data format details]: spatial-io-supported-data-format-details.md-
+[How to use the Azure Maps map control npm package]: how-to-use-npm-package.md
azure-maps How To Use Ts Rest Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-use-ts-rest-sdk.md
+
+ Title: Use Azure Maps TypeScript REST SDK
+
+description: Learn about the Azure Maps TypeScript REST SDK. See how to load and use this client library to access Azure Maps REST services in web or Node.js applications.
++ Last updated : 07/01/2023++++++
+# Use Azure Maps TypeScript REST SDK
+
+Azure Maps provides a collection of npm modules for the [Azure TypeScript REST SDK]. These modules consist of client libraries that make it easy to use the Azure Maps REST services in web or Node.js applications by using JavaScript or TypeScript. For a complete list of the available modules, see [JavaScript/TypeScript REST SDK Developers Guide].
+
+## Use the REST SDK in a web application
+
+1. Using `@azure-rest/maps-search` as an example, install the package with `npm install @azure-rest/maps-search`.
+
+1. Create and authenticate a [MapsSearch] client. To create a client to access the Azure Maps Search APIs, you need a credential object. The client supports an [Azure Active Directory credential] or an [Azure Key credential] for authentication. You may need to install either [@azure/identity] or [@azure/core-auth] for different authentication methods.
+
+ If you use a subscription key for authentication, install the package with `npm install @azure/core-auth`:
+
+ ```javascript
+ import MapsSearch from "@azure-rest/maps-search";
+ import { AzureKeyCredential } from "@azure/core-auth";
+
+ // Get an Azure Maps key at https://azure.com/maps.
+ const subscriptionKey = "<Your Azure Maps Key>";
+
+ // Use AzureKeyCredential with a subscription key.
+ const credential = new AzureKeyCredential(subscriptionKey);
+
+ // Use the credential to create a client
+ const client = MapsSearch(credential);
+ ```
+
+ If you use Azure AD for authentication, install the package with `npm install @azure/identity`:
+
+ ```javascript
+ import MapsSearch from "@azure-rest/maps-search";
+ import { InteractiveBrowserCredential } from "@azure/identity";
+
+ // Enter your Azure AD client and tenant ID.
+ const clientId = "<Your Azure Active Directory Client Id>";
+ const tenantId = "<Your Azure Active Directory Tenant Id>";
+
+ // Enter your Azure Maps client ID.
+ const mapsClientId = "<Your Azure Maps Client Id>";
+
+ // Use InteractiveBrowserCredential with Azure AD client and tenant ID.
+ const credential = new InteractiveBrowserCredential({
+ clientId,
+ tenantId
+ });
+
+ // Use the credential to create a client
+ const client = MapsSearch(credential, mapsClientId);
+ ```
+
+ For more information, see [Authentication with Azure Maps](azure-maps-authentication.md).
+
+1. The following code uses the newly created Azure Maps Search client to geocode an address: "1 Microsoft Way, Redmond, WA". The code makes a GET request and displays the results as a table in the body of the page.
+
+ ```javascript
+ // Search for "1 microsoft way, redmond, wa".
+ const html = [];
+ const response = await client
+ .path("/search/address/{format}", "json")
+ .get({ queryParameters: { query: "1 microsoft way, redmond, wa" } });
+
+ // Display the total results.
+ html.push("Total results: ", response.body.summary.numResults, "<br/><br/>");
+
+ // Create a table of the results.
+ html.push("<table><tr><td>Result</td><td>Latitude</td><td>Longitude</td></tr>");
+ response.body.results.forEach((result) => {
+ html.push(
+ "<tr><td>",
+ result.address.freeformAddress,
+ "</td><td>",
+ result.position.lat,
+ "</td><td>",
+ result.position.lon,
+ "</td></tr>"
+ );
+ });
+
+ html.push("</table>");
+
+ // Add the resulting HTML to the body of the page.
+ document.body.innerHTML = html.join("");
+ ```
+
+The following image is a screenshot showing the results of this sample code, a table with the address searched for, along with the resulting coordinates.
++
+## Azure Government cloud support
+
+The Azure Maps Web SDK supports the Azure Government cloud. All JavaScript and CSS URLs used to access the Azure Maps Web SDK remain the same, however the following tasks need to be done to connect to the Azure Government cloud version of the Azure Maps platform.
+
+When using the interactive map control, add the following line of code before creating an instance of the `Map` class.
+
+```javascript
+atlas.setDomain('atlas.azure.us');
+```
+
+Be sure to use an Azure Maps authentication details from the Azure Government cloud platform when authenticating the map and services.
+
+When using the TypeScript REST SDK, the domain for the services needs to be set when creating an instance of the client. For example, the following code creates an instance of the [MapsSearch] class and points the domain to the Azure Government cloud.
+
+```javascript
+const client = MapsSearch(credential, { baseUrl: 'https://atlas.azure.us'});
+```
+
+If directly accessing the Azure Maps REST services, change the URL domain to `atlas.azure.us`. For example, if using the search API service, change the URL domain from `https://atlas.microsoft.com/search/` to `https://atlas.azure.us/search/`.
+
+## Next steps
+
+Learn more about the classes and methods used in this article:
+
+> [!div class="nextstepaction"]
+> [MapsSearch](/javascript/api/@azure-rest/maps-search)
+
+> [!div class="nextstepaction"]
+> [AzureKeyCredential](/javascript/api/@azure/core-auth/azurekeycredential)
+
+> [!div class="nextstepaction"]
+> [InteractiveBrowserCredential](/javascript/api/@azure/identity/interactivebrowsercredential)
+
+For more code samples that use the TypeScript REST SDK with Web SDK integration, see these articles:
+
+> [!div class="nextstepaction"]
+> [Show search results on the map](./map-search-location.md)
+
+> [!div class="nextstepaction"]
+> [Get information from a coordinate](./map-get-information-from-coordinate.md)
+
+> [!div class="nextstepaction"]
+> [Show directions from A to B](./map-route.md)
+
+[Azure TypeScript REST SDK]: ./rest-sdk-developer-guide.md#javascripttypescript
+[JavaScript/TypeScript REST SDK Developers Guide]: ./how-to-dev-guide-js-sdk.md
+[MapsSearch]: /javascript/api/@azure-rest/maps-search
+[Azure Active Directory credential]: ./how-to-dev-guide-js-sdk.md#using-an-azure-ad-credential
+[Azure Key credential]: ./how-to-dev-guide-js-sdk.md#using-a-subscription-key-credential
+[@azure/identity]: https://www.npmjs.com/package/@azure/identity
+[@azure/core-auth]: https://www.npmjs.com/package/@azure/core-auth
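Review bot: in step 3 of "Use the REST SDK in a web application" the sample concatenates `result.address.freeformAddress` and the coordinates from the service response into a string and assigns it with `document.body.innerHTML = html.join("")`; build the table with `createElement` and `textContent` so the sample does not teach inserting response data as markup, and note that assigning `document.body.innerHTML` replaces everything else on the page. The first snippet in step 2 puts the subscription key in a string constant in code that, per the section title, runs in the browser; a sentence next to it saying the key is readable by anyone who loads the page, with a pointer to the Azure AD option and the linked authentication article, would help. In "Azure Government cloud support", `MapsSearch(credential, { baseUrl: 'https://atlas.azure.us'})` passes options as the second argument while the Azure AD snippet passes `mapsClientId` in that position; show how the two combine. That section also opens with "The Azure Maps Web SDK supports" in an article about the REST SDK, and "an Azure Maps authentication details" needs fixing.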
azure-maps Map Add Custom Html https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/map-add-custom-html.md
Last updated 05/17/2023 -+ # Add HTML markers to the map
azure-maps Map Get Information From Coordinate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/map-get-information-from-coordinate.md
Title: Show information about a coordinate on a map | Microsoft Azure Maps
+ Title: Show information about a coordinate on a map
+ description: Learn how to display information about an address on the map when a user selects a coordinate.-- Previously updated : 07/29/2019-++ Last updated : 07/01/2023+ - # Get information from a coordinate
-This article shows how to make a reverse address search that shows the address of a clicked popup location.
-
-There are two ways to make a reverse address search. One way is to query the [Reverse Address Search API] through a service module. The other way is to use the [Fetch API] to make a request to the [Reverse Address Search API] to find an address. Both ways are surveyed below.
-
-## Make a reverse search request via service module
-
+This article shows how to make a reverse address search that shows the address of a selected popup location.
+
+There are two ways to make a reverse address search. One way is to query the [Reverse Address Search API] through the TypeScript REST SDK [@azure-rest/maps-search]. The other way is to use the [Fetch API] to make a request to the [Reverse Address Search API] to find an address. Both approaches are described in this article.
+
+## Make a reverse search request via REST SDK
+
+```javascript
+import * as atlas from "azure-maps-control";
+import MapsSearch from "@azure-rest/maps-search";
+import "azure-maps-control/dist/atlas.min.css";
+
+const onload = () => {
+ // Initialize a map instance.
+ const map = new atlas.Map("map", {
+ view: "Auto",
+ // Add authentication details for connecting to Azure Maps.
+ authOptions: {
+ // Use Azure Active Directory authentication.
+ authType: "aad",
+ clientId: "<Your Azure Maps Client Id>",
+ aadAppId: "<Your Azure Active Directory Client Id>",
+ aadTenant: "<Your Azure Active Directory Tenant Id>"
+ }
+ });
+
+ map.events.add("load", async () => {
+ // Use the access token from the map and create an object that implements the TokenCredential interface.
+ const credential = {
+ getToken: () => {
+ return {
+ token: map.authentication.getToken()
+ };
+ }
+ };
+
+ // Create a Search client.
+ const client = MapsSearch(credential, "<Your Azure Maps Client Id>");
+
+ // Update the style of mouse cursor to a pointer
+ map.getCanvasContainer().style.cursor = "pointer";
+
+ // Create a popup
+ const popup = new atlas.Popup();
+
+ // Upon a mouse click, open a popup at the selected location and render in the popup the address of the selected location
+ map.events.add("click", async (e) => {
+ const position = [e.position[1], e.position[0]];
+
+ // Execute the reverse address search query and open a popup once a response is received
+ const response = await client.path("/search/address/reverse/{format}", "json").get({
+ queryParameters: { query: position }
+ });
+
+ // Get address data from response
+ const data = response.body.addresses;
+
+ // Construct the popup
+ var popupContent = document.createElement("div");
+ popupContent.classList.add("popup-content");
+ popupContent.innerHTML = data.length !== 0 ? data[0].address.freeformAddress : "No address for that location!";
+ popup.setOptions({
+ position: e.position,
+ content: popupContent
+ });
+
+ // Render the popup on the map
+ popup.open(map);
+ });
+ });
+};
+
+document.body.onload = onload;
+```
+
+<!--
<iframe height='500' scrolling='no' title='Get information from a coordinate (Service Module)' src='//codepen.io/azuremaps/embed/ejEYMZ/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/ejEYMZ/'>Get information from a coordinate (Service Module)</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. </iframe>
+>
-In the code above, the first block constructs a map object and sets the authentication mechanism to use the access token. For more information, see [create a map].
+In the previous code example, the first block constructs a map object and sets the authentication mechanism to use Azure Active Directory. For more information, see [Create a map].
-The second code block creates a `TokenCredential` to authenticate HTTP requests to Azure Maps with the access token. It then passes the `TokenCredential` to `atlas.service.MapsURL.newPipeline()` and creates a [Pipeline] instance. The `searchURL` represents a URL to the [Search service].
+The second block of code creates an object that implements the [TokenCredential] interface to authenticate HTTP requests to Azure Maps with the access token. It then passes the credential object to [MapsSearch] and creates an instance of the client.
-The third code block updates the style of mouse cursor to a pointer and creates a [popup] object. For more information, see [add a popup on the map].
+The third code block updates the style of mouse cursor to a pointer and creates a [popup] object. For more information, see [Add a popup on the map].
-The fourth block of code adds a mouse click [event listener]. When triggered, it creates a search query with the coordinates of the clicked point. It then uses the [getSearchAddressReverse] method to query the [Get Search Address Reverse API] for the address of the coordinates. A GeoJSON feature collection is then extracted using the `geojson.getFeatures()` method from the response.
+The fourth block of code adds a mouse click [event listener]. When triggered, it creates a search query with the coordinates of the selected point. It then makes a GET request to query the [Get Search Address Reverse API] for the address of the coordinates.
-The fifth block of code sets up the HTML popup content to display the response address for the clicked coordinate position.
+The fifth block of code sets up the HTML popup content to display the response address for the selected coordinate position.
-The change of cursor, the popup object, and the click event are all created in the map's [load event listener]. This code structure ensures map fully loads before retrieving the coordinates information.
+The change of cursor, the popup object, and the `click` event are all created in the map's [load event listener]. This code structure ensures map fully loads before retrieving the coordinates information.
## Make a reverse search request via Fetch API
-Click on the map to make a reverse geocode request for that location using fetch.
-
+Select a location on the map to make a reverse geocode request for that location using fetch.
+
+```javascript
+import * as atlas from "azure-maps-control";
+import "azure-maps-control/dist/atlas.min.css";
+
+const onload = () => {
+ // Initialize a map instance.
+ const map = new atlas.Map("map", {
+ view: "Auto",
+ // Add authentication details for connecting to Azure Maps.
+ authOptions: {
+ // Use Azure Active Directory authentication.
+ authType: "aad",
+ clientId: "<Your Azure Maps Client Id>",
+ aadAppId: "<Your Azure Active Directory Client Id>",
+ aadTenant: "<Your Azure Active Directory Tenant Id>"
+ }
+ });
+
+ map.events.add("load", async () => {
+ // Update the style of mouse cursor to a pointer
+ map.getCanvasContainer().style.cursor = "pointer";
+
+ // Create a popup
+ const popup = new atlas.Popup();
+
+ // Upon a mouse click, open a popup at the selected location and render in the popup the address of the selected location
+ map.events.add("click", async (e) => {
+ //Send a request to Azure Maps reverse address search API
+ let url = "https://atlas.microsoft.com/search/address/reverse/json?";
+ url += "&api-version=1.0";
+ url += "&query=" + e.position[1] + "," + e.position[0];
+
+ // Process request
+ fetch(url, {
+ headers: {
+ Authorization: "Bearer " + map.authentication.getToken(),
+ "x-ms-client-id": "<Your Azure Maps Client Id>"
+ }
+ })
+ .then((response) => response.json())
+ .then((response) => {
+ const popupContent = document.createElement("div");
+ popupContent.classList.add("popup-content");
+ const address = response["addresses"];
+ popupContent.innerHTML =
+ address.length !== 0 ? address[0]["address"]["freeformAddress"] : "No address for that location!";
+ popup.setOptions({
+ position: e.position,
+ content: popupContent
+ });
+ // render the popup on the map
+ popup.open(map);
+ });
+ });
+ });
+};
+
+document.body.onload = onload;
+```
+
+<!--
<iframe height='500' scrolling='no' title='Get information from a coordinate' src='//codepen.io/azuremaps/embed/ddXzoB/?height=516&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/ddXzoB/'>Get information from a coordinate</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. </iframe>
+>
+
+In the previous code example, the first block of code constructs a map object and sets the authentication mechanism to use Azure Active Directory. You can see [Create a map] for instructions.
+
+The second block of code updates the style of the mouse cursor to a pointer. It instantiates a [popup](/javascript/api/azure-maps-control/atlas.popup#open) object. For more information, see [Add a popup on the map].
-In the code above, the first block of code constructs a map object and sets the authentication mechanism to use the access token. You can see [create a map] for instructions.
+The third block of code adds an event listener for mouse clicks. Upon a mouse click, it uses the [Fetch API] to query the Azure Maps [Reverse Address Search API] for the selected coordinates address. For a successful response, it collects the address for the selected location. It defines the popup content and position using the [setOptions] function of the popup class.
-The second block of code updates the style of the mouse cursor to a pointer. It instantiates a [popup](/javascript/api/azure-maps-control/atlas.popup#open) object. You can see [add a popup on the map] for instructions.
+The change of cursor, the popup object, and the `click` event are all created in the map's [load event listener]. This code structure ensures the map fully loads before retrieving the coordinates information.
-The third block of code adds an event listener for mouse clicks. Upon a mouse click, it uses the [Fetch API] to query the Azure Maps [Reverse Address Search API] for the clicked coordinates address. For a successful response, it collects the address for the clicked location. It defines the popup content and position using the [setOptions] function of the popup class.
+The following image is a screenshot showing the results of the two code samples.
-The change of cursor, the popup object, and the click event are all created in the map's [load event listener]. This code structure ensures the map fully loads before retrieving the coordinates information.
## Next steps
See the following articles for full code examples:
[Reverse Address Search API]: /rest/api/maps/search/getsearchaddressreverse [Fetch API]: https://fetch.spec.whatwg.org/
-[create a map]: map-create.md
-[Search service]: /rest/api/maps/search
-[Pipeline]: /javascript/api/azure-maps-rest/atlas.service.pipeline
+[Create a map]: map-create.md
[popup]: /javascript/api/azure-maps-control/atlas.popup#open
-[add a popup on the map]: map-add-popup.md
+[Add a popup on the map]: map-add-popup.md
[event listener]: /javascript/api/azure-maps-control/atlas.map#events
-[getSearchAddressReverse]: /javascript/api/azure-maps-rest/atlas.service.searchurl#searchaddressreverse-aborter--geojson-position--searchaddressreverseoptions-
[Get Search Address Reverse API]: /rest/api/maps/search/getsearchaddressreverse [load event listener]: /javascript/api/azure-maps-control/atlas.map#events [setOptions]: /javascript/api/azure-maps-control/atlas.popup#setoptions-popupoptions-
+[@azure-rest/maps-search]: https://www.npmjs.com/package/@azure-rest/maps-search
+[MapsSearch]: /javascript/api/@azure-rest/maps-search
+[TokenCredential]: /javascript/api/@azure/identity/tokencredential
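Review bot: both samples write the address string from the service response into the popup through `popupContent.innerHTML = ... freeformAddress ...` (once in the REST SDK sample, once in the Fetch sample); use `textContent`, since the value is plain text and the element is already built with `createElement`. In the REST SDK sample the credential object's `getToken` synchronously returns only `{ token: map.authentication.getToken() }`, while the code comment and the explanatory paragraph say it "implements the [TokenCredential] interface"; either match the interface or soften the wording. In the Fetch sample the URL is built as `.../reverse/json?` followed by `"&api-version=1.0"`, which yields `?&api-version`, and the promise chain has no `response.ok` check or `catch`, so an error response surfaces as an exception on `address.length`. The two embedded-sample comments open with `<!--` but the closing line is a bare `>`, and `var popupContent` is the only `var` in code that otherwise uses `const` and `let`.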
azure-maps Map Route https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/map-route.md
Title: Show route directions on a map | Microsoft Azure Maps
-description: In this article, you'll learn how to display directions between two locations on a map using the Microsoft Azure Maps Web SDK.
-- Previously updated : 07/29/2019-
+ Title: Show route directions on a map
+
+description: This article demonstrates how to display directions between two locations on a map using the Microsoft Azure Maps Web SDK.
++ Last updated : 07/01/2023+ - # Show directions from A to B This article shows you how to make a route request and show the route on the map.
-There are two ways to do so. The first way is to query the [Get Route Directions] request in the Azure Maps Route service. The second way is to use the [Fetch API] to make a search request to the [Get Route Directions] request. Both ways are discussed below.
-
-## Query the route via service module
-
+There are two ways to do so. The first way is to query the [Get Route Directions] API using the TypeScript REST SDK [@azure-rest/maps-route]. The second way is to use the [Fetch API] to make a search request to the [Get Route Directions] API. Both approaches are described in this article.
+
+## Query the route via REST SDK
+
+```javascript
+import * as atlas from "azure-maps-control";
+import MapsRoute, { toColonDelimitedLatLonString } from "@azure-rest/maps-route";
+import "azure-maps-control/dist/atlas.min.css";
+
+const onload = () => {
+ // Initialize a map instance.
+ const map = new atlas.Map("map", {
+ view: "Auto",
+ // Add authentication details for connecting to Azure Maps.
+ authOptions: {
+ // Use Azure Active Directory authentication.
+ authType: "aad",
+ clientId: "<Your Azure Maps Client Id>",
+ aadAppId: "<Your Azure Active Directory Client Id>",
+ aadTenant: "<Your Azure Active Directory Tenant Id>"
+ }
+ });
+
+ map.events.add("load", async () => {
+ // Use the access token from the map and create an object that implements the TokenCredential interface.
+ const credential = {
+ getToken: () => {
+ return {
+ token: map.authentication.getToken()
+ };
+ }
+ };
+
+ // Create a Route client.
+ const client = MapsRoute(credential, "<Your Azure Maps Client Id>");
+
+ // Create a data source and add it to the map.
+ const dataSource = new atlas.source.DataSource();
+ map.sources.add(dataSource);
+
+ // Create the GeoJSON objects which represent the start and end points of the route.
+ const startPoint = new atlas.data.Feature(new atlas.data.Point([-122.130137, 47.644702]), {
+ Title: "Redmond",
+ icon: "pin-blue"
+ });
+
+ const endPoint = new atlas.data.Feature(new atlas.data.Point([-122.3352, 47.61397]), {
+ Title: "Seattle",
+ icon: "pin-round-blue"
+ });
+
+ // Add the data to the data source.
+ dataSource.add([startPoint, endPoint]);
+
+ // Create a layer for rendering the route line under the road labels.
+ map.layers.add(
+ new atlas.layer.LineLayer(dataSource, null, {
+ strokeColor: "#2272B9",
+ strokeWidth: 5,
+ lineJoin: "round",
+ lineCap: "round"
+ }),
+ "labels"
+ );
+
+ // Create a layer for rendering the start and end points of the route as symbols.
+ map.layers.add(
+ new atlas.layer.SymbolLayer(dataSource, null, {
+ iconOptions: {
+ image: ["get", "icon"],
+ allowOverlap: true,
+ ignorePlacement: true
+ },
+ textOptions: {
+ textField: ["get", "title"],
+ offset: [0, 1.2]
+ },
+ filter: ["any", ["==", ["geometry-type"], "Point"], ["==", ["geometry-type"], "MultiPoint"]] //Only render Point or MultiPoints in this layer.
+ })
+ );
+
+ // Get the coordinates of the start and end points.
+ const coordinates = [
+ [startPoint.geometry.coordinates[1], startPoint.geometry.coordinates[0]],
+ [endPoint.geometry.coordinates[1], endPoint.geometry.coordinates[0]]
+ ];
+
+ // Get the route directions between the start and end points.
+ const response = await client.path("/route/directions/{format}", "json").get({
+ queryParameters: {
+ query: toColonDelimitedLatLonString(coordinates)
+ }
+ });
+
+ // Get the GeoJSON feature collection of the route.
+ const data = getFeatures(response.body.routes);
+
+ // Add the route data to the data source.
+ dataSource.add(data);
+
+ // Update the map view to center over the route.
+ map.setCamera({
+ bounds: data.bbox,
+ padding: 40
+ });
+ });
+};
+
+/**
+ * Helper function to convert a route response into a GeoJSON FeatureCollection.
+ */
+const getFeatures = (routes) => {
+ const bounds = [];
+ const features = routes.map((route, index) => {
+ const multiLineCoords = route.legs.map((leg) => {
+ return leg.points.map((coord) => {
+ const position = [coord.longitude, coord.latitude];
+ bounds.push(position);
+ return position;
+ });
+ });
+
+ // Include all properties on the route object except legs.
+ // Legs is used to create the MultiLineString, so we only need the summaries.
+ // The legSummaries property replaces the legs property with just summary data.
+ const props = {
+ ...route,
+ legSummaries: route.legs.map((leg) => leg.summary),
+ resultIndex: index
+ };
+ delete props.legs;
+
+ return {
+ type: "Feature",
+ geometry: {
+ type: "MultiLineString",
+ coordinates: multiLineCoords
+ },
+ properties: props
+ };
+ });
+
+ return {
+ type: "FeatureCollection",
+ features: features,
+ bbox: new atlas.data.BoundingBox.fromLatLngs(bounds)
+ };
+};
+
+document.body.onload = onload;
+```
+
+<!--
<iframe height='500' scrolling='no' title='Show directions from A to B on a map (Service Module)' src='//codepen.io/azuremaps/embed/RBZbep/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/RBZbep/'>Show directions from A to B on a map (Service Module)</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. </iframe>
+>
-In the above code, the first block constructs a map object and sets the authentication mechanism to use the access token. You can see [create a map] for instructions.
+In the previous code example, the first block constructs a map object and sets the authentication mechanism to use Azure Active Directory. You can see [Create a map] for instructions.
-The second block of code creates a `TokenCredential` to authenticate HTTP requests to Azure Maps with the access token. It then passes the `TokenCredential` to `atlas.service.MapsURL.newPipeline()` and creates a [Pipeline] instance. The `routeURL` represents a URL to Azure Maps [Route service].
+The second block of code creates an object that implements the [TokenCredential] interface to authenticate HTTP requests to Azure Maps with the access token. It then passes the credential object to [MapsRoute] and creates an instance of the client.
The third block of code creates and adds a [DataSource] object to the map.
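Review bot: In `getFeatures`, `bbox: new atlas.data.BoundingBox.fromLatLngs(bounds)` calls a static factory with `new`, and `bounds` is filled with `[coord.longitude, coord.latitude]` pairs while the method name indicates latitude-first input, so the camera bounds can end up transposed. Suggest `bbox: atlas.data.BoundingBox.fromPositions(bounds)`, which takes positions in longitude, latitude order. Separately, `response.body.routes` is read without checking the response status, so an expired token or a rejected query surfaces as a TypeError inside `getFeatures` rather than a handled error; check the status before mapping the body.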
A line is a [Feature] for LineString. A [LineLayer] renders line objects wrapped
A [symbol layer] uses texts or icons to render point-based data wrapped in the [DataSource]. The texts or the icons render as symbols on the map. The fifth block of code creates and adds a symbol layer to the map.
-The sixth block of code queries the Azure Maps routing service, which is part of the [service module]. The [calculateRouteDirections] method of the `RouteURL` is used to get a route between the start and end points. A GeoJSON feature collection from the response is then extracted using the `geojson.getFeatures()` method and is added to the datasource. It then renders the response as a route on the map. For more information about adding a line to the map, see [add a line on the map].
+The sixth block of code queries the Azure Maps routing service, which is part of the [MapsRoute] client. A GET request is used to get a route between the start and end points. A GeoJSON feature collection from the response is then extracted using a `getFeatures()` helper function and is added to the datasource. It then renders the response as a route on the map. For more information about adding a line to the map, see [Add a line on the map].
The last block of code sets the bounds of the map using the Map's [setCamera] property.
The route query, data source, symbol, line layers, and camera bounds are created
## Query the route via Fetch API
+```javascript
+import * as atlas from "azure-maps-control";
+import "azure-maps-control/dist/atlas.min.css";
+
+const onload = () => {
+ // Initialize a map instance.
+ const map = new atlas.Map("map", {
+ view: "Auto",
+ // Add authentication details for connecting to Azure Maps.
+ authOptions: {
+ // Use Azure Active Directory authentication.
+ authType: "aad",
+ clientId: "<Your Azure Maps Client Id>",
+ aadAppId: "<Your Azure Active Directory Client Id>",
+ aadTenant: "<Your Azure Active Directory Tenant Id>"
+ }
+ });
+
+ map.events.add("load", async () => {
+ // Create a data source and add it to the map.
+ const dataSource = new atlas.source.DataSource();
+ map.sources.add(dataSource);
+
+ // Create the GeoJSON objects which represent the start and end points of the route.
+ const startPoint = new atlas.data.Feature(new atlas.data.Point([-122.130137, 47.644702]), {
+ Title: "Redmond",
+ icon: "pin-blue"
+ });
+
+ const endPoint = new atlas.data.Feature(new atlas.data.Point([-122.3352, 47.61397]), {
+ Title: "Seattle",
+ icon: "pin-round-blue"
+ });
+
+ // Add the data to the data source.
+ dataSource.add([startPoint, endPoint]);
+
+ // Create a layer for rendering the route line under the road labels.
+ map.layers.add(
+ new atlas.layer.LineLayer(dataSource, null, {
+ strokeColor: "#2272B9",
+ strokeWidth: 5,
+ lineJoin: "round",
+ lineCap: "round"
+ }),
+ "labels"
+ );
+
+ // Create a layer for rendering the start and end points of the route as symbols.
+ map.layers.add(
+ new atlas.layer.SymbolLayer(dataSource, null, {
+ iconOptions: {
+ image: ["get", "icon"],
+ allowOverlap: true,
+ ignorePlacement: true
+ },
+ textOptions: {
+ textField: ["get", "title"],
+ offset: [0, 1.2]
+ },
+ filter: ["any", ["==", ["geometry-type"], "Point"], ["==", ["geometry-type"], "MultiPoint"]] //Only render Point or MultiPoints in this layer.
+ })
+ );
+
+ // Send a request to the route API
+ let url = "https://atlas.microsoft.com/route/directions/json?";
+ url += "&api-version=1.0";
+ url +=
+ "&query=" +
+ startPoint.geometry.coordinates[1] +
+ "," +
+ startPoint.geometry.coordinates[0] +
+ ":" +
+ endPoint.geometry.coordinates[1] +
+ "," +
+ endPoint.geometry.coordinates[0];
+
+ // Process request
+ fetch(url, {
+ headers: {
+ Authorization: "Bearer " + map.authentication.getToken(),
+ "x-ms-client-id": "<Your Azure Maps Client Id>"
+ }
+ })
+ .then((response) => response.json())
+ .then((response) => {
+ const bounds = [];
+ const route = response.routes[0];
+
+ // Create an array to store the coordinates of each turn
+ let routeCoordinates = [];
+ route.legs.forEach((leg) => {
+ const legCoordinates = leg.points.map((point) => {
+ const position = [point.longitude, point.latitude];
+ bounds.push(position);
+ return position;
+ });
+ // Add each turn coordinate to the array
+ routeCoordinates = routeCoordinates.concat(legCoordinates);
+ });
+
+ // Add route line to the dataSource
+ dataSource.add(new atlas.data.Feature(new atlas.data.LineString(routeCoordinates)));
+
+ // Update the map view to center over the route.
+ map.setCamera({
+ bounds: new atlas.data.BoundingBox.fromLatLngs(bounds),
+ padding: 40
+ });
+ });
+ });
+};
+
+document.body.onload = onload;
+```
+
+<!--
<iframe height='500' scrolling='no' title='Show directions from A to B on a map' src='//codepen.io/azuremaps/embed/zRyNmP/?height=469&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/zRyNmP/'>Show directions from A to B on a map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. </iframe>
+>
-In the code above, the first block of code constructs a map object and sets the authentication mechanism to use the access token. You can see [create a map] for instructions.
+In the previous code example, the first block of code constructs a map object and sets the authentication mechanism to use Azure Active Directory. You can see [Create a map] for instructions.
The second block of code creates and adds a [DataSource] object to the map.
-The third code block creates the start and destination points for the route. Then, it adds them to the data source. For more information, see [add a pin on the map].
+The third code block creates the start and destination points for the route. Then, it adds them to the data source. For more information, see [Add a pin on the map].
A [LineLayer] renders line objects wrapped in the [DataSource] as lines on the map. The fourth block of code creates and adds a line layer to the map. See properties of a line layer at [LineLayerOptions]. A [symbol layer] uses text or icons to render point-based data wrapped in the [DataSource] as symbols on the map. The fifth block of code creates and adds a symbol layer to the map. See properties of a symbol layer at [SymbolLayerOptions].
-The next code block creates `SouthWest` and `NorthEast` points from the start and destination points and sets the bounds of the map using the Map's [setCamera] property.
+The next block of code uses the [Fetch API] to make a search request to [Get Route Directions]. The response is then parsed. If the response was successful, the latitude and longitude information is used to create an array a line by connecting those points. The line data is then added to data source to render the route on the map. For more information, see [Add a line on the map].
-The last block of code uses the [Fetch API] to make a search request to [Get Route Directions]. The response is then parsed. If the response was successful, the latitude and longitude information is used to create an array a line by connecting those points. The line data is then added to data source to render the route on the map. For more information, see [add a line on the map].
+The last block of code sets the bounds of the map using the Map's [setCamera] property.
The route query, data source, symbol, line layers, and camera bounds are created inside the [event listener]. Again, we want to ensure that results are displayed after the map loads fully.
+The following image is a screenshot showing the results of the two code samples.
++ ## Next steps > [!div class="nextstepaction"]
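Review bot: The point features in the Fetch sample are created with `Title: "Redmond"` and `Title: "Seattle"`, but the symbol layer reads `textField: ["get", "title"]`; the property lookup is case-sensitive, so the labels will not render. Rename the property to `title` on both features. The `fetch` chain also calls `response.json()` and indexes `response.routes[0]` with no `response.ok` check or `.catch`, although the added description says "If the response was successful"; an error body, such as a 401 for an expired bearer token, will throw at `routes[0]`. In that same paragraph, "make a search request to [Get Route Directions]" should say route request, and "used to create an array a line by connecting those points" is missing words.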
See the following articles for full code examples:
> [Interacting with the map - mouse events](./map-events.md) [Get Route Directions]: /rest/api/maps/route/getroutedirections
-[Route service]: /rest/api/maps/route
[Fetch API]: https://fetch.spec.whatwg.org/
-[create a map]: map-create.md
+[Create a map]: map-create.md
[DataSource]: /javascript/api/azure-maps-control/atlas.source.datasource
-[add a line on the map]: map-add-line-layer.md
+[Add a line on the map]: map-add-line-layer.md
[setCamera]: /javascript/api/azure-maps-control/atlas.map#setcamera-cameraoptionscameraboundsoptionsanimationoptions- [SymbolLayerOptions]: /javascript/api/azure-maps-control/atlas.symbollayeroptions [LineLayerOptions]: /javascript/api/azure-maps-control/atlas.linelayeroptions
-[add a pin on the map]: map-add-pin.md
+[Add a pin on the map]: map-add-pin.md
[LineLayer]: /javascript/api/azure-maps-control/atlas.layer.linelayer [symbol layer]: /javascript/api/azure-maps-control/atlas.layer.symbollayer
-[Pipeline]: /javascript/api/azure-maps-rest/atlas.service.pipeline
[event listener]: /javascript/api/azure-maps-control/atlas.map#events-
-[service module]: how-to-use-services-module.md
-[calculateRouteDirections]: /javascript/api/azure-maps-rest/atlas.service.routeurl#methods
[LinestringLayerOptions]: /javascript/api/azure-maps-control/atlas.linelayeroptions [Feature]: /javascript/api/azure-maps-control/atlas.data.feature [points]: /javascript/api/azure-maps-control/atlas.data.point
+[@azure-rest/maps-route]: https://www.npmjs.com/package/@azure-rest/maps-route
+[MapsRoute]: /javascript/api/@azure-rest/maps-route
+[TokenCredential]: /javascript/api/@azure/identity/tokencredential
azure-maps Map Search Location https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/map-search-location.md
Title: Show search results on a map | Microsoft Azure Maps
-description: In this article, you'll learn how to perform a search request using Microsoft Azure Maps Web SDK and display the results on the map.
-- Previously updated : 07/29/2019-
+ Title: Show search results on a map
+
+description: This article demonstrates how to perform a search request using Microsoft Azure Maps Web SDK and display the results on the map.
++ Last updated : 07/01/2023+ - # Show search results on the map This article shows you how to search for location of interest and show the search results on the map.
-There are two ways to search for a location of interest. One way is to use a service module to make a search request. The other way is to make a search request to Azure Maps [Fuzzy search API] through the [Fetch API]. Both ways are discussed below.
-
-## Make a search request via service module
-
+There are two ways to search for a location of interest. One way is to use the TypeScript REST SDK, [@azure-rest/maps-search] to make a search request. The other way is to make a search request to Azure Maps [Fuzzy search API] through the [Fetch API]. Both approaches are described in this article.
+
+## Make a search request via REST SDK
+
+```javascript
+import * as atlas from "azure-maps-control";
+import MapsSearch from "@azure-rest/maps-search";
+import "azure-maps-control/dist/atlas.min.css";
+
+const onload = () => {
+ // Initialize a map instance.
+ const map = new atlas.Map("map", {
+ view: "Auto",
+ // Add authentication details for connecting to Azure Maps.
+ authOptions: {
+ // Use Azure Active Directory authentication.
+ authType: "aad",
+ clientId: "<Your Azure Maps Client Id>",
+ aadAppId: "<Your Azure Active Directory Client Id>",
+ aadTenant: "<Your Azure Active Directory Tenant Id>"
+ }
+ });
+
+ map.events.add("load", async () => {
+ // Use the access token from the map and create an object that implements the TokenCredential interface.
+ const credential = {
+ getToken: () => {
+ return {
+ token: map.authentication.getToken()
+ };
+ }
+ };
+
+ // Create a Search client.
+ const client = MapsSearch(credential, "<Your Azure Maps Client Id>");
+
+ // Create a data source and add it to the map.
+ const datasource = new atlas.source.DataSource();
+ map.sources.add(datasource);
+
+ // Add a layer for rendering point data.
+ const resultLayer = new atlas.layer.SymbolLayer(datasource);
+ map.layers.add(resultLayer);
+
+ // Search for gas stations near Seattle.
+ const response = await client.path("/search/fuzzy/{format}", "json").get({
+ queryParameters: {
+ query: "gasoline station",
+ lat: 47.6101,
+ lon: -122.34255
+ }
+ });
+
+ // Arrays to store bounds for results.
+ const bounds = [];
+
+ // Convert the response into Feature and add it to the data source.
+ const searchPins = response.body.results.map((result) => {
+ const position = [result.position.lon, result.position.lat];
+ bounds.push(position);
+ return new atlas.data.Feature(new atlas.data.Point(position), {
+ position: result.position.lat + ", " + result.position.lon
+ });
+ });
+
+ // Add the pins to the data source.
+ datasource.add(searchPins);
+
+ // Set the camera to the bounds of the pins
+ map.setCamera({
+ bounds: new atlas.data.BoundingBox.fromLatLngs(bounds),
+ padding: 40
+ });
+ });
+};
+
+document.body.onload = onload;
+```
+
+<!--
<iframe height='500' scrolling='no' title='Show search results on a map (Service Module)' src='//codepen.io/azuremaps/embed/zLdYEB/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/zLdYEB/'>Show search results on a map (Service Module)</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. </iframe>
+>
-In the code above, the first block constructs a map object and sets the authentication mechanism to use the access token. You can see [create a map] for instructions.
+In the previous code example, the first block constructs a map object and sets the authentication mechanism to use Azure Active Directory. For more information, see [Create a map].
-The second block of code creates a `TokenCredential` to authenticate HTTP requests to Azure Maps with the access token. It then passes the `TokenCredential` to `atlas.service.MapsURL.newPipeline()` and creates a [Pipeline] instance. The `searchURL` represents a URL to Azure Maps [Search service].
+The second block of code creates an object that implements the [TokenCredential] interface to authenticate HTTP requests to Azure Maps with the access token. It then passes the credential object to [MapsSearch] and creates an instance of the client.
The third block of code creates a data source object using the [DataSource] class and add search results to it. A [symbol layer] uses text or icons to render point-based data wrapped in the [DataSource] as symbols on the map. A symbol layer is then created. The data source is added to the symbol layer, which is then added to the map.
-The fourth code block uses the [SearchFuzzy] method in the [service module]. It allows you to perform a free form text search via the [Get Search Fuzzy rest API] to search for point of interest. Get requests to the Search Fuzzy API can handle any combination of fuzzy inputs. A GeoJSON feature collection from the response is then extracted using the `geojson.getFeatures()` method and added to the data source, which automatically results in the data being rendered on the map via the symbol layer.
+The fourth code block makes a GET request in the [MapsSearch] client. It allows you to perform a free form text search via the [Get Search Fuzzy rest API] to search for point of interest. Get requests to the Search Fuzzy API can handle any combination of fuzzy inputs. The response is then converted to [Feature] objects and added to the data source, which automatically results in the data being rendered on the map via the symbol layer.
The last block of code adjusts the camera bounds for the map using the Map's [setCamera] property.
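Review bot: The `credential` object in the `load` handler returns `{ token: map.authentication.getToken() }` synchronously and carries no `expiresOnTimestamp`, while the new description says it "implements the [TokenCredential] interface", whose `getToken` resolves to an access token together with its expiry. Either have `getToken` return a promise and include the expiry, or reword the description to say the object wraps the map control's token, and state that token acquisition and refresh stay with the map control so readers do not copy the pattern with a cached, long-lived token.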
The search request, data source, symbol layer, and camera bounds are inside the
## Make a search request via Fetch API
+```javascript
+import * as atlas from "azure-maps-control";
+import "azure-maps-control/dist/atlas.min.css";
+
+const onload = () => {
+ // Initialize a map instance.
+ const map = new atlas.Map("map", {
+ view: "Auto",
+ // Add authentication details for connecting to Azure Maps.
+ authOptions: {
+ // Use Azure Active Directory authentication.
+ authType: "aad",
+ clientId: "<Your Azure Maps Client Id>",
+ aadAppId: "<Your Azure Active Directory Client Id>",
+ aadTenant: "<Your Azure Active Directory Tenant Id>"
+ }
+ });
+
+ map.events.add("load", () => {
+ // Create a data source and add it to the map.
+ const datasource = new atlas.source.DataSource();
+ map.sources.add(datasource);
+
+ // Add a layer for rendering point data.
+ const resultLayer = new atlas.layer.SymbolLayer(datasource);
+ map.layers.add(resultLayer);
+
+ // Send a request to Azure Maps search API
+ let url = "https://atlas.microsoft.com/search/fuzzy/json?";
+ url += "&api-version=1";
+ url += "&query=gasoline%20station";
+ url += "&lat=47.6101";
+ url += "&lon=-122.34255";
+ url += "&radius=100000";
+
+ // Parse the API response and create a pin on the map for each result
+ fetch(url, {
+ headers: {
+ Authorization: "Bearer " + map.authentication.getToken(),
+ "x-ms-client-id": "<Your Azure Maps Client Id>"
+ }
+ })
+ .then((response) => response.json())
+ .then((response) => {
+ // Arrays to store bounds for results.
+ const bounds = [];
+
+ // Convert the response into Feature and add it to the data source.
+ const searchPins = response.results.map((result) => {
+ const position = [result.position.lon, result.position.lat];
+ bounds.push(position);
+ return new atlas.data.Feature(new atlas.data.Point(position), {
+ position: result.position.lat + ", " + result.position.lon
+ });
+ });
+
+ // Add the pins to the data source.
+ datasource.add(searchPins);
+
+ // Set the camera to the bounds of the pins
+ map.setCamera({
+ bounds: new atlas.data.BoundingBox.fromLatLngs(bounds),
+ padding: 40
+ });
+ });
+ });
+};
+
+document.body.onload = onload;
+```
+
+<!--
<iframe height='500' scrolling='no' title='Show search results on a map' src='//codepen.io/azuremaps/embed/KQbaeM/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/KQbaeM/'>Show search results on a map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. </iframe>
+>
-In the code above, the first block of code constructs a map object. It sets the authentication mechanism to use the access token. You can see [create a map] for instructions.
+In the previous code example, the first block of code constructs a map object. It sets the authentication mechanism to use Azure Active Directory. For more information, see [Create a map].
-The second block of code creates a URL to make a search request to. It also creates two arrays to store bounds and pins for search results.
+The second block of code creates a data source object using the [DataSource] class and add search results to it. A [symbol layer] uses text or icons to render point-based data wrapped in the [DataSource] as symbols on the map. A symbol layer is then created. The data source is added to the symbol layer, which is then added to the map.
-The third block of code uses the [Fetch API]. The [Fetch API] is used to make a request to Azure Maps [Fuzzy search API] to search for the points of interest. The Fuzzy search API can handle any combination of fuzzy inputs. It then handles and parses the search response and adds the result pins to the searchPins array.
+The third block of code creates a URL to make a search request to.
-The fourth block of code creates a data source object using the [DataSource] class. In the code, we add search results to the source object. A [symbol layer] uses text or icons to render point-based data wrapped in the [DataSource] as symbols on the map. A symbol layer is then created. The data source is added to the symbol layer, which is then added to the map.
+The fourth block of code uses the [Fetch API]. The [Fetch API] is used to make a request to Azure Maps [Fuzzy search API] to search for the points of interest. The Fuzzy search API can handle any combination of fuzzy inputs. It then handles and parses the search response and adds the result pins to the searchPins array.
The last block of code creates a [BoundingBox] object. It uses the array of results, and then it adjusts the camera bounds for the map using the Map's [setCamera]. It then renders the result pins. The search request, the data source, symbol layer, and the camera bounds are set within the map's [event listener] to ensure that the results are displayed after the map loads fully.
+The following image is a screenshot showing the results of the two code samples.
++ ## Next steps > [!div class="nextstepaction"]
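Review bot: The `fetch` call to `/search/fuzzy/json` has no `response.ok` check and no `.catch`, so an error body (for example when the bearer token from `map.authentication.getToken()` is rejected) reaches `response.results.map(...)` and throws. Add the status check before `response.json()` and a rejection handler. The URL also sends `&radius=100000`, which the REST SDK sample on this page does not, yet the new sentence says one screenshot shows "the results of the two code samples"; align the parameters or soften the claim. In the description, "creates a data source object using the [DataSource] class and add search results to it" should read "adds", and no results are added in that block.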
See the following articles for full code examples:
[Fuzzy search API]: /rest/api/maps/search/getsearchfuzzy [Fetch API]: https://fetch.spec.whatwg.org/ [DataSource]: /javascript/api/azure-maps-control/atlas.source.datasource
-[Search service]: /rest/api/maps/search
-[Pipeline]: /javascript/api/azure-maps-rest/atlas.service.pipeline
[symbol layer]: /javascript/api/azure-maps-control/atlas.layer.symbollayer
-[create a map]: map-create.md
-[SearchFuzzy]: /javascript/api/azure-maps-rest/atlas.service.models.searchgetsearchfuzzyoptionalparams
-[service module]: how-to-use-services-module.md
+[Create a map]: map-create.md
[Get Search Fuzzy rest API]: /rest/api/maps/search/getsearchfuzzy [setCamera]: /javascript/api/azure-maps-control/atlas.map#setcamera-cameraoptionscameraboundsoptionsanimationoptions- [event listener]: /javascript/api/azure-maps-control/atlas.map#events [BoundingBox]: /javascript/api/azure-maps-control/atlas.data.boundingbox
+[@azure-rest/maps-search]: https://www.npmjs.com/package/@azure-rest/maps-search
+[MapsSearch]: /javascript/api/@azure-rest/maps-search
+[TokenCredential]: /javascript/api/@azure/identity/tokencredential
+[Feature]: /javascript/api/azure-maps-control/atlas.data.feature
azure-maps Power Bi Visual Add Reference Layer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/power-bi-visual-add-reference-layer.md
Title: Add a reference layer to Azure Maps Power BI visual-
-description: In this article, you will learn how to use the reference layer in Azure Maps Power BI visual.
+
+description: This article describes how to use the reference layer in Azure Maps Power BI visual.
Previously updated : 11/29/2021 Last updated : 07/17/2023
# Add a reference layer
-The reference layer feature lets a secondary spatial dataset be uploaded to the visual and overlaid on the map to provide addition context. This dataset is hosted by Power BI and must be a [GeoJSON file](https://wikipedia.org/wiki/GeoJSON) with a `.json` or `.geojson` file extension.
+The reference layer feature lets a secondary spatial dataset be uploaded to the visual and overlaid on the map to provide addition context. Power BI hosts this dataset as a [GeoJSON file] with a `.json` or `.geojson` file extension.
To add a **GeoJSON** file as a reference layer, go to the **Format** pane, expand the **Reference layer** section, and press the **+ Add local file** button. After a GeoJSON file is added to the reference layer, the name of the file will appear in place of the **+ Add local file** button with an **X** beside it. Press the **X** button to remove the data from the visual and delete the GeoJSON file from Power BI.
-The following map is displays [2016 census tracts for Colorado](https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/Static/data/geojson), colored by population.
-
-> [!div class="mx-imgBorder"]
-> ![A map displaying 2016 census tracts for Colorado, colored by population as a reference layer](media/power-bi-visual/reference-layer-CO-census-tract.png)
+The following map displays [2016 census tracts for Colorado], colored by population.
:::image type="content" source="./media/power-bi-visual/reference-layer-CO-census-tract.png" alt-text="A map displaying 2016 census tracts for Colorado, colored by population as a reference layer.":::
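Review bot: The rewritten sentence "Power BI hosts this dataset as a [GeoJSON file] with a `.json` or `.geojson` file extension" drops the "must be" from the removed line, so the input requirement now reads as a description of hosting. Keep the constraint explicit, for example "The file must be a [GeoJSON file] with a `.json` or `.geojson` extension; Power BI hosts the uploaded dataset." The typo "addition context" in the same line also survives the edit and should be "additional context".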
The following are all settings in the **Format** pane that are available in the
| Setting | Description | |-||
-| Reference layer data | The data GeoJSON file to upload to the visual as an additional layer within the map. The **+ Add local file** button opens a file dialog the user can use to select a GeoJSON file that has a `.json` or `.geojson` file extension. |
+| Reference layer data | The data GeoJSON file to upload to the visual as another layer within the map. The **+ Add local file** button opens a file dialog the user can use to select a GeoJSON file that has a `.json` or `.geojson` file extension. |
> [!NOTE] > In this preview of the Azure Maps Power BI visual, the reference layer will only load the first 5,000 shape features to the map. This limit will be increased in a future update. ## Styling data in a reference layer
-Properties can be added to each feature within the GeoJSON file to customize how it is styled on the map. This feature uses the simple data layer feature in the Azure Maps Web SDK. For more information, see this document on [supported style properties](spatial-io-add-simple-data-layer.md#default-supported-style-properties). Custom icon images are not supported within the Azure Maps Power BI visual as a security precaution.
+Properties can be added to each feature within the GeoJSON file to customize how it's styled on the map. This feature uses the simple data layer feature in the Azure Maps Web SDK. For more information, see this document on [supported style properties]. Custom icon images aren't supported within the Azure Maps Power BI visual as a security precaution.
-The following is an example of a GeoJSON point feature that sets its displayed color to red.
+The following json is an example of a GeoJSON point feature that sets its displayed color to red.
```json {
The following is an example of a GeoJSON point feature that sets its displayed c
Add more context to the map: > [!div class="nextstepaction"]
-> [Add a tile layer](power-bi-visual-add-tile-layer.md)
+> [Add a tile layer]
> [!div class="nextstepaction"]
-> [Show real-time traffic](power-bi-visual-show-real-time-traffic.md)
+> [Show real-time traffic]
+
+[GeoJSON file]: https://wikipedia.org/wiki/GeoJSON
+[2016 census tracts for Colorado]: https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/Static/data/geojson
+[supported style properties]: spatial-io-add-simple-data-layer.md#default-supported-style-properties
+[Add a tile layer]: power-bi-visual-add-tile-layer.md
+[Show real-time traffic]: power-bi-visual-show-real-time-traffic.md
azure-maps Power Bi Visual Filled Map https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/power-bi-visual-filled-map.md
Title: Filled map in Azure Maps Power BI Visual
-description: In this article, you'll learn about the Filled map feature in Azure Maps Power BI Visual.
+description: This article demonstrates using the Filled map feature in Azure Maps Power BI Visual.
Previously updated : 04/11/2022 Last updated : 07/19/2023
Filled maps use varying degrees of shading, tinting or different patterns to provide a visual display that quickly shows differences in values across a geography or region. Showing these relative differences with shading that ranges from light (less-frequent/lower) to dark (more-frequent/more) is a useful way to quickly convey pertinent information to viewers.
-<!--
-![A screenshot showing a map of America with states colored in teal with varying degrees of shading depending on the amount of sales attained in each state.](media/power-bi-visual/filled-map-us-teal.png)
>- :::image type="content" source="media/power-bi-visual/filled-map-us-teal.png" lightbox="media/power-bi-visual/filled-map-us-teal.png" alt-text="A screenshot showing a map of America with states colored in varying degrees depending on the amount of sales attained in each.":::
-The image above shows an example of a filled map. The map of America shows each state with a different shade that represents the sales by state. A viewer can immediately see that California has the most sales followed by Texas, then Florida.
+This image shows an example of a filled map. The map of America shows each state with a different shade that represents the sales by state. A viewer can immediately see that California has the most sales followed by Texas, then Florida.
## When to use a filled map
Some common uses for filled maps include:
## Prerequisites
-This article uses [Sales and Marketing Sample PBIX](https://download.microsoft.com/download/9/7/6/9767913A-29DB-40CF-8944-9AC2BC940C53/Sales%20and%20Marketing%20Sample%20PBIX.pbix) as the data source for demonstration purposes. You can create a new report using this data before continuing if you wish to follow along.
+This article uses [Sales and Marketing Sample PBIX] as the data source for demonstration purposes. You can create a new report using this data before continuing if you wish to follow along.
## Filled map settings
There are two places where you can adjust filled maps settings: Build and format
| Options | Specify the position of the layer relative to other map layers | Drop down menu:<BR>Above labels<BR>Below labels<BR>Below roads | > [!TIP]
-> You can use **Conditional formatting** in the **Colors** setting to set the field that your map is based on, as demonstrated in the [Create a filled map](#create-a-filled-map) section below.
+> You can use **Conditional formatting** in the **Colors** setting to set the field that your map is based on, as demonstrated in the [Create a filled map](#create-a-filled-map) section.
### Format visuals
-| Bucket | Description |
-|-|-|
-| Location | Geospatial area with a boundary, such as country/region, state, city, county or postal code. Street and address aren't supported in filled map. |
-| Legend | Categorical data that will be used to shade the map. |
-| Tool Tips (optional) | Determined the data/columns that would be shown in tool tips |
+| Bucket | Description |
+|-||
+| Location | Geospatial area with a boundary, such as country/region, state, city, county or postal code. Street and address aren't supported in filled map. |
+| Legend | Categorical data that is used to shade the map. |
+| Tool Tips (optional) | Determined the data/columns that would be shown in tool tips. |
## Create a filled map 1. From the **Fields** pane, select the **Geo > State** field. Notice that it populates the **Location** field in the **Visualizations** pane.
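Review bot: In the rewritten **Format visuals** table, the Tool Tips row still reads "Determined the data/columns that would be shown in tool tips."; the edit only added the period, so the tense mismatch with the other rows remains. Suggest "Determines the data/columns that are shown in tool tips." Also check the new separator row `|-||`: the second column has no dashes, whereas the removed row was `|-|-|`.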
- <!--
- ![A screenshot showing the selection of the state field from the geo table.](media/power-bi-visual/filled-map-geo-state.png)
- -->
:::image type="content" source="media/power-bi-visual/filled-map-geo-state.png" alt-text="A screenshot showing the selection of the state field from the geo table.":::
There are two places where you can adjust filled maps settings: Build and format
1. In the **Visualizations** pane, select **Format your visual** 1. Set **Filled map** to **On**
- <!--
- ![A screenshot showing the filled maps option in the visualizations pane in the Format your visual view.](media/power-bi-visual/filled-map-visualization-setting.png)
- -->
:::image type="content" source="media/power-bi-visual/filled-map-visualization-setting.png" alt-text="A screenshot showing the filled maps option in the visualizations pane in the Format your visual view."::: 1. Select **Filled maps** to expand that section then select **Colors**. 1. Select **Conditional formatting**.
- <!--
- ![A screenshot showing the Conditional formatting button in the colors section.](media/power-bi-visual/filled-map-conditional-formatting.png)
- -->
:::image type="content" source="media/power-bi-visual/filled-map-conditional-formatting.png" alt-text="A screenshot showing the Conditional formatting button in the colors section."::: 1. The **Default color - Filled map** dialog should appear, select the **What field should we base this on?** Drop down, then select **Sales $** from the **SalesFact** table.
- <!--
- ![A screenshot showing Default color - Filled map dialog box with sales selected from the What field should we base this on? Drop down.](media/power-bi-visual/filled-map-sales.png)
- -->
- :::image type="content" source="media/power-bi-visual/filled-map-sales.png" lightbox="media/power-bi-visual/filled-map-sales.png" alt-text="A screenshot showing Default color - Filled map dialog box with sales selected from the What field should we base this on? Drop down.":::
+ :::image type="content" source="media/power-bi-visual/filled-map-sales.png" lightbox="media/power-bi-visual/filled-map-sales.png" alt-text="A screenshot showing Default color - Filled map dialog box with sales selected from the 'What field should we base this on?' drop down list.":::
1. Set the **Minimum** color to white then select the **OK** button.
There are two places where you can adjust filled maps settings: Build and format
:::image type="content" source="media/power-bi-visual/filled-map-us-minus-alaska.png" lightbox="media/power-bi-visual/filled-map-us-minus-alaska.png" alt-text="A screenshot showing a map of America with states colored in teal with varying degrees of shading depending on the amount of sales attained in each state.":::
- <!--
- ![A screenshot showing a map of America with states colored in teal with varying degrees of shading depending on the amount of sales attained in each state.](media/power-bi-visual/filled-map-us-minus-alaska.png)
- -->
- ## Next steps Change how your data is displayed on the map:
Customize the visual:
> [!div class="nextstepaction"] > [Customize visualization titles, backgrounds, and legends](/power-bi/visuals/power-bi-visualization-customize-title-background-and-legend)+
+[Sales and Marketing Sample PBIX]: https://download.microsoft.com/download/9/7/6/9767913A-29DB-40CF-8944-9AC2BC940C53/Sales%20and%20Marketing%20Sample%20PBIX.pbix
azure-maps Power Bi Visual Geocode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/power-bi-visual-geocode.md
Title: Geocoding in Azure Maps Power BI visual
-description: In this article, you'll learn about geocoding in Azure Maps Power BI visual.
+description: This article describes geocoding in Azure Maps Power BI visual.
Last updated 03/16/2022
When entering multiple values into the **Location** field, you create a geo-hier
|:-:|-| | 1 | The drill button on the far right, called Drill Mode, allows you to select a map Location and drill down into that specific location one level at a time. For example, if you turn on the drill-down option and select North America, you move down in the hierarchy to the next level--states in North America. For geocoding, Power BI sends Azure Maps country and state data for North America only. The button on the left goes back up one level. | | 2 | The double arrow drills to the next level of the hierarchy for all locations at once. For example, if you're currently looking at countries/regions and then use this option to move to the next level, states, Power BI displays state data for all countries/regions. For geocoding, Power BI sends Azure Maps state data (no country/region data) for all locations. This option is useful if each level of your hierarchy is unrelated to the level above it. |
-| 3 | Similar to the drill-down option, except that you don't need to click on the map. It expands down to the next level of the hierarchy remembering the current level's context. For example, if you're currently looking at countries/regions and select this icon, you move down in the hierarchy to the next level--states. For geocoding, Power BI sends data for each state and its corresponding country/region to help Azure Maps geocode more accurately. In most maps, you'll either use this option or the drill-down option on the far right. This will send Azure as much information as possible and result in more accurate location information. |
+| 3 | Similar to the drill-down option, except that you don't need to select the map. It expands down to the next level of the hierarchy remembering the current level's context. For example, if you're currently looking at countries/regions and select this icon, you move down in the hierarchy to the next level--states. For geocoding, Power BI sends data for each state and its corresponding country/region to help Azure Maps geocode more accurately. In most maps, you'll either use this option or the drill-down option on the far right. This sends Azure as much information as possible and result in more accurate location information. |
## Categorize geographic fields in Power BI
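Review bot: The last sentence of row 3 now has a subject-verb mismatch: "This sends Azure as much information as possible and result in more accurate location information." Dropping "will" left "result" uninflected, so it should read "and results in". The same row still carries "you'll either use", which is the future-tense style the rest of this change removes.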
-To ensure fields are correctly geocoded, you can set the Data Category on the data fields in Power BI. In Data view, select the desired column. From the ribbon, select the Modeling tab and then set the Data Category to one of the following: Address, City, Continent, Country, Region, County, Postal Code, State, or Province. These data categories help Azure correctly encode the data. To learn more, see [Data categorization in Power BI Desktop](/power-bi/transform-model/desktop-data-categorization). If you're live connecting to SQL Server Analysis Services, you'll need to set the data categorization outside of Power BI using [SQL Server Data Tools (SSDT)](/sql/ssdt/download-sql-server-data-tools-ssdt).
+To ensure fields are correctly geocoded, you can set the Data Category on the data fields in Power BI. In Data view, select the desired column. From the ribbon, select the Modeling tab and then set the Data Category to one of the following properties: Address, City, Continent, Country, Region, County, Postal Code, State, or Province. These data categories help Azure correctly encode the data. To learn more, see [Data categorization in Power BI Desktop]. If you're live connecting to SQL Server Analysis Services, set the data categorization outside of Power BI using [SQL Server Data Tools (SSDT)].
:::image type="content" source="media/power-bi-visual/data-category.png" alt-text="A screenshot showing the data category drop-down list in Power BI desktop.":::
Learn about the Azure Maps Power BI visual Pie Chart layer that uses geocoding:
> [!div class="nextstepaction"] > [Add a pie chart layer](power-bi-visual-add-pie-chart-layer.md)+
+[Data categorization in Power BI Desktop]: /power-bi/transform-model/desktop-data-categorization
+[SQL Server Data Tools (SSDT)]: /sql/ssdt/download-sql-server-data-tools-ssdt
azure-maps Power Bi Visual Manage Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/power-bi-visual-manage-access.md
Title: Manage Azure Maps Power BI visual within your organization
-description: In this article, you will learn how to manage Azure Maps Power BI visual within your organization.
+description: This article demonstrates how to manage Azure Maps Power BI visual within your organization.
Last updated 11/29/2021
# Manage Azure Maps Power BI visual within your organization
-Power BI provides the ability for designers and tenant administrators to manage the use of the Azure Maps visual. Below you will find steps each role can take.
+Power BI provides the ability for designers and tenant administrators to manage the use of the Azure Maps visual.
## Tenant admin options
-In PowerBI.com, tenant administrators can turn off the Azure Maps visual for all users. Select **Settings** &gt; **Admin** **Portal** &gt; **Tenant settings**. When disabled, Power BI will no longer display the Azure Maps visual in the visualizations pane.
+In PowerBI.com, tenant administrators can turn off the Azure Maps visual for all users. Select **Settings** &gt; **Admin** **Portal** &gt; **Tenant settings**. When disabled, Power BI doesn't display the Azure Maps visual in the visualizations pane.
:::image type="content" source="media/power-bi-visual/tenant-admin-settings.png" alt-text="Power BI admin portal showing tenant settings for the Azure Maps visual.":::
azure-maps Power Bi Visual Show Real Time Traffic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/power-bi-visual-show-real-time-traffic.md
Title: Show real-time traffic on an Azure Maps Power BI visual
-description: In this article, you will learn how to show real-time traffic on an Azure Maps Power BI visual.
+description: This article demonstrates how to show real-time traffic on an Azure Maps Power BI visual.
Previously updated : 11/29/2021 Last updated : 07/18/2023
# Show real-time traffic
-The traffic layer feature overlays real-time traffic data on top of the map. To enable this feature, move the **Traffic layer** slider in the **Format** pane to the **On** position. This will overlay traffic flow data as color coded roads.
+The traffic layer feature overlays real-time traffic data on top of the map. To enable this feature, move the **Traffic layer** slider in the **Format** pane to the **On** position. This overlays traffic flow data as color coded roads.
:::image type="content" source="media/power-bi-visual/traffic-layer.png" alt-text="A map displaying real-time traffic data.":::
azure-maps Power Bi Visual Understanding Layers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/power-bi-visual-understanding-layers.md
Title: Layers in an Azure Maps Power BI visual-
-description: In this article, you will learn about the different layers available in an Azure Maps Power BI visual.
+
+description: This article describes the different layers available in an Azure Maps Power BI visual.
Previously updated : 11/29/2021 Last updated : 07/19/2023
The second type of layer connects addition external sources of data to map to pr
:::column-end::: :::row-end:::
-All the data rendering layers, as well as the **Tile layer**, have options for min and max zoom levels that are used to specify a zoom level range these layers should be displayed at. This allows one type of rendering layer to be used at one zoom level and a transition to another rendering layer at another zoom level.
+All the data rendering layers and the **Tile layer**, have options for min and max zoom levels that are used to specify a zoom level range these layers should be displayed at. These options allow one type of rendering layer to be used at one zoom level and a transition to another rendering layer at another zoom level.
-These layers also have an option to be positioned relative to other layers in the map. When multiple data rendering layers are used, the order in which they are added to the map determines their relative layering order when they have the same **Layer position** value.
+These layers can also be positioned relative to other layers in the map. When multiple data rendering layers are used, the order in which they're added to the map determines their relative layering order when they have the same **Layer position** value.
## General layer settings The general layer section of the **Format** pane are common settings that apply to the layers that are connected to the Power BI dataset in the **Fields** pane (Bubble layer, 3D column layer).
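Review bot: In the first added paragraph, replacing "as well as" with "and" left a stray comma between subject and verb: "All the data rendering layers and the **Tile layer**, have options ...". Remove the comma. The tail of the same sentence, "a zoom level range these layers should be displayed at", would also read better as "the zoom level range at which these layers are displayed".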
-| Setting | Description |
-|-||
-| Unselected transparency | The transparency of shapes that are not selected, when one or more shapes are selected. |
-| Show zeros | Specifies if points that have a size value of zero should be shown on the map using the minimum radius. |
-| Show negatives | Specifies if absolute value of negative size values should be plotted. |
-| Min data value | The minimum value of the input data to scale against. Good for clipping outliers. |
-| Max data value | The maximum value of the input data to scale against. Good for clipping outliers. |
+| Setting | Description |
+|-|-|
+| Unselected transparency | The transparency of shapes that aren't selected, when one or more shapes are selected. |
+| Show zeros | Specifies if points that have a size value of zero should be shown on the map using the minimum radius. |
+| Show negatives | Specifies if absolute value of negative size values should be plotted. |
+| Min data value | The minimum value of the input data to scale against. Good for clipping outliers. |
+| Max data value | The maximum value of the input data to scale against. Good for clipping outliers. |
## Next steps
azure-maps Quick Android Map https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/quick-android-map.md
This article shows you how to add the Azure Maps to an Android app. It walks you
## Prerequisites
-1. A subscription to [Microsoft Azure](https://azure.microsoft.com). If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+1. A subscription to [Microsoft Azure]. If you don't have an Azure subscription, [create a free account] before you begin.
-1. [Android Studio](https://developer.android.com/studio/). If you don't have Android Studio, you can get it for free from Google.
+1. [Android Studio]. If you don't have Android Studio, you can get it for free from Google.
> [!NOTE] > Many of the instructions in this quickstart were created using Android Studio Arctic Fox (2020.3.1). If you use a different version of Android Studio, the steps specific to Android Studio may vary.
This article shows you how to add the Azure Maps to an Android app. It walks you
Create a new Azure Maps account using the following steps:
-1. In the upper left-hand corner of the [Azure portal](https://portal.azure.com), select **Create a resource**.
+1. In the upper left-hand corner of the [Azure portal], select **Create a resource**.
2. In the *Search the Marketplace* box, type **Azure Maps**, then select **Azure Maps** from the search results. 3. Select the **Create** button. 4. On the **Create Maps Account** page, enter the following values:
Once your Azure Maps account is successfully created, retrieve the subscription
3. Copy the **Primary Key** and save it locally to use later in this tutorial. >[!NOTE]
-> For security purposes, it is recommended that you rotate between your primary and secondary keys. To rotate keys, update your app to use the secondary key, deploy, then press the cycle/refresh button beside the primary key to generate a new primary key. The old primary key will be disabled. For more information on key rotation, see [Set up Azure Key Vault with key rotation and auditing](../key-vault/secrets/tutorial-rotation-dual.md)
+> For security purposes, it is recommended that you rotate between your primary and secondary keys. To rotate keys, update your app to use the secondary key, deploy, then press the cycle/refresh button beside the primary key to generate a new primary key. The old primary key will be disabled. For more information on key rotation, see [Set up Azure Key Vault with key rotation and auditing].
:::image type="content" source="./media/quick-android-map/get-key.png" alt-text="A screenshot showing the Azure Maps Primary key in the Azure portal.":::
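Review bot: The key rotation note was touched only to convert the link to reference style, so it still says "it is recommended that you rotate" and "The old primary key will be disabled", which is inconsistent with the present-tense, contraction-based wording applied elsewhere in this update. Since this is the only security guidance in the section, suggest tightening it in the same pass, for example "rotate between your primary and secondary keys" and "The old primary key is disabled".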
Complete the following steps to create a new project with an empty activity in A
:::image type="content" source="./media/quick-android-map/3-empty-activity.png" alt-text="A screenshot that shows the Create an Empty Activity screen in Android Studio.":::
-1. In the **Empty Activity** screen you'll need to enter values for the following fields:
+1. In the **Empty Activity** screen, enter values for the following fields:
* **Name**. Enter **AzureMapsApp**. * **Package name**. Use the default **com.example.azuremapsapp**. * **Save location**. Use the default or select a new location to save your project files. Avoid using spaces in the path or filename due to potential problems with the NDK tools.
Complete the following steps to create a new project with an empty activity in A
* **Minimum SDK**. Select `API 21: Android 5.0.0 (Lollipop)` as the minimum SDK. It's the earliest version supported by the Azure Maps Android SDK. 1. Select **Finish** to create your new project.
-See the [Android Studio documentation](https://developer.android.com/studio/intro/) for more help with installing Android Studio and creating a new project.
+See the [Android Studio documentation] for more help with installing Android Studio and creating a new project.
## Set up a virtual device
To set up an Android Virtual Device (AVD):
1. The **Android Virtual Device Manager** appears. Select **Create Virtual Device**. 1. In the **Phones** category, select **Nexus 5X**, and then select **Next**.
-You can learn more about setting up an AVD in the [Android Studio documentation](https://developer.android.com/studio/run/managing-avds).
+For more information about setting up an AVD, see [Create and manage virtual devices] in the Android Studio documentation.
:::image type="content" source="./media/quick-android-map/4-avd-select-hardware.png" alt-text="A screenshot that shows the Select Hardware screen in Android Virtual Device Manager when creating a new Virtual Device.":::
The next step in building your application is to install the Azure Maps Android
:::image type="content" source="./media/quick-android-map/project-settings-file.png" alt-text="A screenshot of the project settings file in Android Studio."::: 3. Open the project's **gradle.properties** file, verify that `android.useAndroidX` and `android.enableJetifier` are both set to `true`.
-
+ If the **gradle.properties** file doesn't include `android.useAndroidX` and `android.enableJetifier`, add the next two lines to the end of the file:
-
+ ```gradle android.useAndroidX=true android.enableJetifier=true ```
-
4. Open the application **build.gradle** file and do the following:
The next step in building your application is to install the Azure Maps Android
::: zone pivot="programming-language-java-android"
-6. In the **MainActivity.java** file you'll need to:
+6. In the **MainActivity.java** file:
* Add imports for the Azure Maps SDK. * Set your Azure Maps authentication information.
The next step in building your application is to install the Azure Maps Android
::: zone pivot="programming-language-kotlin"
-7. In the **MainActivity.kt** file you'll need to:
+7. In the **MainActivity.kt** file:
* add imports for the Azure Maps SDK * set your Azure Maps authentication information
Android Studio takes a few seconds to build the application. After the build is
## Clean up resources >[!WARNING]
-> The tutorials listed in the [Next Steps](#next-steps) section detail how to use and configure Azure Maps with your account. Don't clean up the resources created in this quickstart if you plan to continue to the tutorials.
+> The tutorials listed in the [Next Steps] section detail how to use and configure Azure Maps with your account. Don't clean up the resources created in this quickstart if you plan to continue to the tutorials.
If you don't plan to continue to the tutorials, take these steps to clean up the resources:
If you don't plan on continuing to develop with the Azure Maps Android SDK:
For more code examples, see these guides:
-* [Manage authentication in Azure Maps](how-to-manage-authentication.md)
-* [Change map styles in Android maps](set-android-map-styles.md)
-* [Add a symbol layer](how-to-add-symbol-to-android-map.md)
-* [Add a line layer](android-map-add-line-layer.md)
-* [Add a polygon layer](how-to-add-shapes-to-android-map.md)
+* [Manage authentication in Azure Maps]
+* [Change map styles in Android maps]
+* [Add a symbol layer]
+* [Add a line layer]
+* [Add a polygon layer]
## Next steps In this quickstart, you created your Azure Maps account and created a demo application. Take a look at the following tutorial to learn more about Azure Maps: > [!div class="nextstepaction"]
-> [Load GeoJSON data into Azure Maps](tutorial-load-geojson-file-android.md)
+> [Tutorial: Load GeoJSON data into Azure Maps Android SDK]
+
+[Add a line layer]: android-map-add-line-layer.md
+[Add a polygon layer]: how-to-add-shapes-to-android-map.md
+[Add a symbol layer]: how-to-add-symbol-to-android-map.md
+[Android Studio documentation]: https://developer.android.com/studio/intro
+[Android Studio]: https://developer.android.com/studio
+[Azure portal]: https://portal.azure.com
+[Change map styles in Android maps]: set-android-map-styles.md
+[create a free account]: https://azure.microsoft.com/free
+[Create and manage virtual devices]: https://developer.android.com/studio/run/managing-avds
+[Manage authentication in Azure Maps]: how-to-manage-authentication.md
+[Microsoft Azure]: https://azure.microsoft.com
+[Next Steps]: #next-steps
+[Set up Azure Key Vault with key rotation and auditing]: ../key-vault/secrets/tutorial-rotation-dual.md
+[Tutorial: Load GeoJSON data into Azure Maps Android SDK]: tutorial-load-geojson-file-android.md
azure-maps Quick Demo Map App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/quick-demo-map-app.md
Title: 'Quickstart: Interactive map search with Azure Maps' titeSuffix: Microsoft Azure Maps
-description: 'Quickstart: Learn how to create interactive, searchable maps. See how to create an Azure Maps account, get the subscription key, and use the Web SDK to set up map applications'
+description: A quickstart that demonstrates how to create interactive, searchable maps.
Last updated 12/23/2021
# Quickstart: Create an interactive search map with Azure Maps
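Review bot: The front matter line next to the edited description still spells the metadata key as `titeSuffix`, which looks like a typo for `titleSuffix`; if so, the suffix is not being applied and this is a good commit to fix it in. The new description also drops the mention of creating an account, getting the subscription key, and using the Web SDK, so confirm the shorter text still covers what the quickstart does.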
-In this quickstart, you will learn how to use Azure Maps to create a map that gives users an interactive search experience. It walks you through these basic steps:
+This quickstart demonstrates how to use Azure Maps to create a map that gives users an interactive search experience. It walks you through these basic steps:
* Create your own Azure Maps account. * Get your Azure Maps subscription key to use in the demo web application. * Download and open the demo map application.
-This quickstart uses the Azure Maps Web SDK, however the Azure Maps service can be used with any map control, such as these popular [open-source map controls](open-source-projects.md#third-party-map-control-plugins) that the Azure Maps team has created plugin's for.
+This quickstart uses the Azure Maps Web SDK, however the Azure Maps service can be used with any map control, such as these popular [open-source map controls] that the Azure Maps team has created plugin's for.
## Prerequisites
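Review bot: The edited sentence still ends with "that the Azure Maps team has created plugin's for", where the apostrophe is wrong; it should be "plugins". While the line is open, the comma splice at "Web SDK, however the Azure Maps service" could be fixed with a semicolon before "however" and a comma after it.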
-* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+* If you don't have an Azure subscription, create a [free account] before you begin.
-* Sign in to the [Azure portal](https://portal.azure.com).
+* Sign in to the [Azure portal].
<a id="createaccount"></a>
This quickstart uses the Azure Maps Web SDK, however the Azure Maps service can
Create a new Azure Maps account with the following steps:
-1. Select **Create a resource** in the upper left-hand corner of the [Azure portal](https://portal.azure.com).
+1. Select **Create a resource** in the upper left-hand corner of the [Azure portal].
2. Type **Azure Maps** in the *Search services and Marketplace* box. 3. Select **Azure Maps** in the drop-down list that appears, then select the **Create** button. 4. On the **Create an Azure Maps Account resource** page, enter the following values then select the **Create** button:
Once your Azure Maps account is successfully created, retrieve the subscription
:::image type="content" source="./media/quick-demo-map-app/get-key.png" alt-text="Screenshot showing your Azure Maps subscription key in the Azure portal" lightbox="./media/quick-demo-map-app/get-key.png"::: >[!NOTE]
-> This quickstart uses the [Shared Key](azure-maps-authentication.md#shared-key-authentication) authentication approach for demonstration purposes, but the preferred approach for any production environment is to use [Azure Active Directory](azure-maps-authentication.md#azure-ad-authentication) authentication.
+> This quickstart uses the [Shared Key] authentication approach for demonstration purposes, but the preferred approach for any production environment is to use [Azure Active Directory] authentication.
## Download and update the Azure Maps demo
-1. Go to [interactiveSearch.html](https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/master/Samples/Tutorials/Interactive%20Search/Interactive%20Search%20Quickstart.html). Copy the contents of the file.
+1. Copy the contents of the file: [Interactive Search Quickstart.html].
2. Save the contents of this file locally as **AzureMapDemo.html**. Open it in a text editor. 3. Add the **Primary Key** value you got in the preceding section 1. Comment out all of the code in the `authOptions` function, this code is used for Azure Active Directory authentication.
Once your Azure Maps account is successfully created, retrieve the subscription
## Clean up resources
->[!WARNING]
->The tutorials listed in the [Next Steps](#next-steps) section detail how to use and configure Azure Maps with your account. Don't clean up the resources created in this quickstart if you plan to continue to the tutorials.
+>[!IMPORTANT]
+>The tutorials listed in the [Next Steps] section detail how to use and configure Azure Maps with your account. Don't clean up the resources created in this quickstart if you plan to continue to the tutorials.
If you don't plan to continue to the tutorials, take these steps to clean up the resources:
If you don't plan to continue to the tutorials, take these steps to clean up the
For more code examples and an interactive coding experience, see these articles:
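Review bot: The alert type on the clean-up note changes from `[!WARNING]` to `[!IMPORTANT]` here, but the identical note in the Android quickstart in this same update keeps `[!WARNING]`. Pick one alert type for this text and apply it to both quickstarts so the same guidance renders the same way.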
-* [Find an address with Azure Maps search service](how-to-search-for-address.md)
-* [Use the Azure Maps Map Control](how-to-use-map-control.md)
+* [Find an address with Azure Maps search service]
+* [Use the Azure Maps Map Control]
## Next steps In this quickstart, you created an Azure Maps account and a demo application. Take a look at the following tutorials to learn more about Azure Maps: > [!div class="nextstepaction"]
-> [Search nearby points of interest with Azure Maps](tutorial-search-location.md)
+> [Search nearby points of interest with Azure Maps]
+
+[Azure Active Directory]: azure-maps-authentication.md#azure-ad-authentication
+[Azure portal]: https://portal.azure.com
+[Find an address with Azure Maps search service]: how-to-search-for-address.md
+[free account]: https://azure.microsoft.com/free/?WT.mc_id=A261C142F
+[Interactive Search Quickstart.html]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/master/Samples/Tutorials/Interactive%20Search/Interactive%20Search%20Quickstart.html
+[Next Steps]: #next-steps
+[open-source map controls]: open-source-projects.md#third-party-map-control-plugins
+[Search nearby points of interest with Azure Maps]: tutorial-search-location.md
+[Shared Key]: azure-maps-authentication.md#shared-key-authentication
+[Use the Azure Maps Map Control]: how-to-use-map-control.md
azure-maps Quick Ios App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/quick-ios-app.md
If you don't have an Azure subscription, create a [free account] before you begi
Create a new Azure Maps account with the following steps:
-1. In the upper left-hand corner of the [Azure portal](https://portal.azure.com/) , select **Create a resource**.
+1. In the upper left-hand corner of the [Azure portal], select **Create a resource**.
2. In the _Search the Marketplace_ box, type **Azure Maps**.
Once your Maps account is successfully created, retrieve the primary key that en
3. Copy the **Primary Key** to your clipboard. Save it locally to use later in this tutorial. >[!NOTE]
-> This quickstart uses the [Shared Key](azure-maps-authentication.md#shared-key-authentication) authentication approach for demonstration purposes, but the preferred approach for any production environment is to use [Azure Active Directory](azure-maps-authentication.md#azure-ad-authentication) authentication.
+> This quickstart uses [Shared Key authentication] for demonstration purposes, but the preferred approach for any production environment is to use [Azure Active Directory authentication].
<!-- > If you use the Azure subscription key instead of the Azure Maps primary key, your map won't render properly. Also, for security purposes, it is recommended that you rotate between your primary and secondary keys. To rotate keys, update your app to use the secondary key, deploy, then press the cycle/refresh button beside the primary key to generate a new primary key. The old primary key will be disabled. For more information on key rotation, see [Set up Azure Key Vault with key rotation and auditing](../key-vault/secrets/tutorial-rotation-dual.md) -->
First, create a new iOS App project. Complete these steps to create an Xcode pro
3. Enter app name, bundle ID then select **Next**.
-See the [Creating a Xcode Project for an App](https://developer.apple.com/documentation/xcode/creating-an-xcode-project-for-an-app) for more help with creating a new project.
+See the [Creating an Xcode Project for an App] for more help with creating a new project.
![Create the first iOS application.](./media/ios-sdk/quick-ios-app/create-app.png)
The next step in building your application is to install the Azure Maps iOS SDK.
![Add package dependency.](./media/ios-sdk/quick-ios-app/xcode-add-package-dependency.png)
-2. Enter the following in the resulting dialog:
+2. Enter the following values in the resulting dialog:
* Enter `https://github.com/Azure/azure-maps-ios-sdk-distribution.git` in the search bar that appears in the top right corner. * Select `Up to Next Major Version` in the **Dependency Rule** field. * Enter `1.0.0-pre.3` into the **Dependency Rule** version field.
The next step in building your application is to install the Azure Maps iOS SDK.
* add import for the Azure Maps SDK * set your Azure Maps authentication information
-By setting the authentication information on the AzureMaps class globally using the `AzureMaps.configure(subscriptionKey:)` or `AzureMaps.configure(aadClient:aadAppId:aadTenant:)` you won't need to add your authentication information on every view.
+By setting the authentication information on the AzureMaps class globally using the `AzureMaps.configure(subscriptionKey:)` or `AzureMaps.configure(aadClient:aadAppId:aadTenant:)`, you don't need to add your authentication information on every view.
1. Select the run button, as shown in the following graphic (or press `CMD` + `R`), to build your application.
Xcode takes a few seconds to build the application. After the build is complete,
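Review bot: The reworded sentence about `AzureMaps.configure(subscriptionKey:)` and `AzureMaps.configure(aadClient:aadAppId:aadTenant:)` still presents the two options as interchangeable and is missing a noun after "using the ... or ...". Suggest "using the `AzureMaps.configure(subscriptionKey:)` or `AzureMaps.configure(aadClient:aadAppId:aadTenant:)` method" and one sentence noting that a subscription key set this way ships inside the app binary, with a pointer to the "Manage authentication in Azure Maps" article already linked further down for the Azure AD option and key handling.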
## Access map functionality
-You can start customing map functionality by getting hold to `AzureMap` instance in a `mapView.onReady` handler. For a MapControl view added above, your sample `ViewController` may look the following way:
+You can start customizing map functionality by getting hold to `AzureMap` instance in a `mapView.onReady` handler. Once the `MapControl` view is added, your sample `ViewController` should look similar to the following code:
```swift class ViewController: UIViewController {
class ViewController: UIViewController {
} ```
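Review bot: The added sentence keeps "getting hold to `AzureMap` instance", which is ungrammatical and drops the article. Suggest "You can start customizing map functionality by getting a reference to the `AzureMap` instance in a `mapView.onReady` handler." The unchanged sample below it also shows `class ViewController: UIViewController {` twice, so check that the fenced Swift block in the source article has a single class declaration.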
-Proceed to [Add a polygon layer to the map in the iOS SDK](add-polygon-layer-map-ios.md) for one such example.
+Proceed to [Add a polygon layer to the map in the iOS SDK] for one such example.
## Clean up resources
-<!--
-> [!WARNING]
-> The tutorials listed in the [Next Steps](#next-steps) section detail how to use and configure Azure Maps with your account. Don't clean up the resources created in this quickstart if you plan to continue to the tutorials.
>- Take these steps to clean up the resources created in this quickstart: 1. Close Xcode and delete the project you created.
If you don't plan on continuing to develop with the Azure Maps iOS SDK:
See the following articles for more code examples:
-* [Manage authentication in Azure Maps](how-to-manage-authentication.md)
-* [Change map styles in iOS maps](set-map-style-ios-sdk.md)
-* [Add a symbol layer](add-symbol-layer-ios.md)
-* [Add a line layer](add-line-layer-map-ios.md)
-* [Add a polygon layer](add-polygon-layer-map-ios.md)
+* [Manage authentication in Azure Maps]
+* [Change map styles in iOS maps]
+* [Add a symbol layer]
+* [Add a line layer]
+* [Add a polygon layer]
-<!--
-## Next steps
+<!--## Next steps
In this quickstart, you created your Azure Maps account and created a demo application. Take a look at the following tutorials to learn more about Azure Maps: > [!div class="nextstepaction"]
-> [Load GeoJSON data into Azure Maps](tutorial-load-geojson-file-ios.md)
>
+> [Load GeoJSON data into Azure Maps](tutorial-load-geojson-file-ios.md)-->
+
+[Add a line layer]: add-line-layer-map-ios.md
+[Add a polygon layer to the map in the