Updates from: 07/24/2021 03:05:50
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Threat Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/threat-management.md
Previously updated : 05/15/2021 Last updated : 07/22/2021
active-directory Concept Registration Mfa Sspr Combined https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md
Previously updated : 06/28/2021 Last updated : 07/23/2021
This article outlines what combined security registration is. To get started wit
Before enabling the new experience, review this administrator-focused documentation and the user-focused documentation to ensure you understand the functionality and effect of this feature. Base your training on the [user documentation](../user-help/security-info-setup-signin.md) to prepare your users for the new experience and help to ensure a successful rollout.
-Azure AD combined security information registration is not currently available to national clouds like Azure Germany or Azure China 21Vianet. It is available for Azure US Government.
+Azure AD combined security information registration is available for Azure US Government but not Azure Germany or Azure China 21Vianet.
> [!IMPORTANT] > Users that are enabled for both the original preview and the enhanced combined registration experience see the new behavior. Users that are enabled for both experiences see only the My Account experience. The *My Account* aligns with the look and feel of combined registration and provides a seamless experience for users. Users can see My Account by going to [https://myaccount.microsoft.com](https://myaccount.microsoft.com).
There are two modes of combined registration: interrupt and manage.
For both modes, users who have previously registered a method that can be used for Multi-Factor Authentication need to perform Multi-Factor Authentication before they can access their security info. Users must confirm their information before continuing to use their previously registered methods. ++ ### Interrupt mode
-Combined registration respects both Multi-Factor Authentication and SSPR policies, if both are enabled for your tenant. These policies control whether a user is interrupted for registration during sign-in and which methods are available for registration.
+Combined registration adheres to both Multi-Factor Authentication and SSPR policies, if both are enabled for your tenant. These policies control whether a user is interrupted for registration during sign-in and which methods are available for registration. If only an SSPR policy is enabled, then users will be able to skip the registration interruption and complete it at a later time.
The following are sample scenarios where users might be prompted to register or refresh their security info:
When registration is enforced, users are shown the minimum number of methods nee
Consider the following example scenario: -- A user is enabled for SSPR. The SSPR policy required two methods to reset and has enabled mobile app code, email, and phone.-- This user is required to register two methods.
- - The user is shown authenticator app and phone by default.
- - The user can choose to register email instead of authenticator app or phone.
+- A user is enabled for SSPR. The SSPR policy requires two methods to reset and has enabled Authenticator app, email, and phone.
+- When the user chooses to register, two methods are required:
+ - The user is shown Authenticator app and phone by default.
+ - The user can choose to register email instead of Authenticator app or phone.
The following flowchart describes which methods are shown to a user when interrupted to register during sign-in:
active-directory Howto Mfa Getstarted https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-mfa-getstarted.md
Risk policies include:
If your users were enabled using per-user enabled and enforced Azure AD Multi-Factor Authentication the following PowerShell can assist you in making the conversion to Conditional Access based Azure AD Multi-Factor Authentication.
-Run this PowerShell in an ISE window or save as a `.PS1` file to run locally.
+Run this PowerShell in an ISE window or save as a `.PS1` file to run locally. The operation can only be done by using the [MSOnline module](/powershell/module/msonline/?view=azureadps-1.0#msonline).
```PowerShell # Sets the MFA requirement state
active-directory Howto Mfa Userstates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-mfa-userstates.md
After you enable users, notify them via email. Tell the users that a prompt is d
If your users were enabled using per-user enabled and enforced Azure AD Multi-Factor Authentication the following PowerShell can assist you in making the conversion to Conditional Access based Azure AD Multi-Factor Authentication.
-Run this PowerShell in an ISE window or save as a `.PS1` file to run locally.
+Run this PowerShell in an ISE window or save as a `.PS1` file to run locally. The operation can only be done by using the [MSOnline module](/powershell/module/msonline/?view=azureadps-1.0#msonline).
```PowerShell # Sets the MFA requirement state
active-directory Concept Conditional Access Grant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-conditional-access-grant.md
Selecting this checkbox will require users to perform Azure AD Multi-Factor Auth
Organizations who have deployed Microsoft Intune can use the information returned from their devices to identify devices that meet specific compliance requirements. This policy compliance information is forwarded from Intune to Azure AD where Conditional Access can make decisions to grant or block access to resources. For more information about compliance policies, see the article [Set rules on devices to allow access to resources in your organization using Intune](/intune/protect/device-compliance-get-started).
-A device can be marked as compliant by Intune (for any device OS) or by third-party MDM system for Windows 10 devices. Jamf pro is the only supported third-party MDM system. More information about integration can be found in the article, [Integrate Jamf Pro with Intune for compliance](/intune/protect/conditional-access-integrate-jamf).
+A device can be marked as compliant by Intune (for any device OS) or by third-party MDM system for Windows 10 devices. A list of supported third-party MDM systems can be found in the article [Support third-party device compliance partners in Intune](/mem/intune/protect/device-compliance-partners).
Devices must be registered in Azure AD before they can be marked as compliant. More information about device registration can be found in the article, [What is a device identity](../devices/overview.md).
active-directory Quickstart V2 Aspnet Core Webapp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-aspnet-core-webapp.md
In this quickstart, you download and run a code sample that demonstrates how an
> 1. Open the solution in Visual Studio 2019. > 1. Open the *appsettings.json* file and modify the following code: >
+> ```json
+> "Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",
+> "ClientId": "Enter_the_Application_Id_here",
+> "TenantId": "common",
+> ```
>-
- :::code language="json" source="~/sample-active-directory-aspnetcore-webapp-openidconnect-v2/appsettings.json" range="4,5,6":::
- > - Replace `Enter_the_Application_Id_here` with the application (client) ID of the application that you registered in the Azure portal. You can find the **Application (client) ID** value on the app's **Overview** page. > - Replace `common` with one of the following: > - If your application supports **Accounts in this organizational directory only**, replace this value with the directory (tenant) ID (a GUID) or the tenant name (for example, `contoso.onmicrosoft.com`). You can find the **Directory (tenant) ID** value on the app's **Overview** page.
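Review bot: the removed bullets on the last line of this hunk are the only text telling the reader what to substitute for `Enter_the_Application_Id_here` and `common`, and no replacement for them is visible here; confirm that guidance was moved rather than dropped, and add a matching instruction for the new `"Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]"` placeholder, which the inlined snippet introduces and nothing in the hunk explains.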
This section gives an overview of the code required to sign in users. This overv
The *Microsoft.AspNetCore.Authentication* middleware uses a `Startup` class that's run when the hosting process starts: -
- :::code language="csharp" source="~/sample-active-directory-aspnetcore-webapp-openidconnect-v2/Startup.cs" id="Configure_service_ref_for_docs_ms" highlight="3,4":::
-
+```csharp
+public void ConfigureServices(IServiceCollection services)
+{
+ services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
+ .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
+
+ services.AddControllersWithViews(options =>
+ {
+ var policy = new AuthorizationPolicyBuilder()
+ .RequireAuthenticatedUser()
+ .Build();
+ options.Filters.Add(new AuthorizeFilter(policy));
+ });
+ services.AddRazorPages()
+ .AddMicrosoftIdentityUI();
+}
+```
The `AddAuthentication()` method configures the service to add cookie-based authentication. This authentication is used in browser scenarios and to set the challenge to OpenID Connect.
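Review bot: the inlined `ConfigureServices` snippet makes the global `AuthorizeFilter` built from `RequireAuthenticatedUser()` visible, but the explanatory text that follows still covers only `AddAuthentication()` and `.AddMicrosoftIdentityWebApp`; add a sentence stating that this filter makes every controller action and Razor page require a signed-in user unless it is explicitly marked `[AllowAnonymous]`, since that deny-by-default behaviour is the security-relevant part of the block and readers copying it need to know why their public pages start demanding sign-in. Also note that replacing the `:::code ... highlight="3,4":::` include with static code means this block will no longer track changes to the sample repository.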
The line that contains `.AddMicrosoftIdentityWebApp` adds Microsoft identity pla
The `Configure()` method contains two important methods, `app.UseAuthentication()` and `app.UseAuthorization()`, that enable their named functionality. Also in the `Configure()` method, you must register Microsoft Identity Web routes with at least one call to `endpoints.MapControllerRoute()` or a call to `endpoints.MapControllers()`:
- :::code language="csharp" source="~/sample-active-directory-aspnetcore-webapp-openidconnect-v2/Startup.cs" id="endpoint_map_ref_for_docs_ms":::
-
+```csharp
+app.UseAuthentication();
+app.UseAuthorization();
+
+app.UseEndpoints(endpoints =>
+{
+ endpoints.MapControllerRoute(
+ name: "default",
+ pattern: "{controller=Home}/{action=Index}/{id?}");
+ endpoints.MapRazorPages();
+});
+```
### Attribute for protecting a controller or methods
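Review bot: the inlined `Configure()` snippet shows `app.UseAuthentication();` and `app.UseAuthorization();` immediately followed by `app.UseEndpoints(...)` but omits `app.UseRouting();`, so the required middleware order (routing, then authentication, then authorization, then endpoints) is not visible; either include the `UseRouting()` line in the snippet or state the ordering in the prose above it, otherwise readers who paste this fragment into their own pipeline can end up with authorization middleware that never runs against the matched endpoint.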
active-directory Security Best Practices For App Registration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/security-best-practices-for-app-registration.md
While it's convenient to use password secrets as a credential, we strongly recom
| Use [certificate credentials](./active-directory-certificate-credentials.md) | Use Password credentials | | Use Key Vault with [Managed identities](../managed-identities-azure-resources/overview.md) | Share credentials across apps | | Rollover frequently | Have many credentials on one app |
-| -- | Let stale credentials hang around |
+| -- | Leave stale credentials available |
| -- | Commit credentials in code | ## AppId URI configuration
active-directory Licensing Service Plan Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/licensing-service-plan-reference.md
description: Identifier map to manage Azure Active Directory licensing in the Az
keywords: Azure Active Directory licensing service plans documentationcenter: ''-+ editor: ''
Last updated 5/13/2021-+
active-directory Google Federation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/google-federation.md
You can also give Google guest users a direct link to an application or resource
Starting September 30, 2021, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Azure AD B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. The following are known scenarios that will impact Gmail users:
+- Microsoft apps (e.g. Teams and PowerApps) on Windows
- Windows apps that use the [WebView](/windows/communitytoolkit/controls/wpf-winforms/webview) control, [WebView2](/microsoft-edge/webview2/), or the older WebBrowser control, for authentication. These apps should migrate to using the Web Account Manager (WAM) flow. - Android applications using the WebView UI element - iOS applications using UIWebView/WKWebview - [Apps using ADAL](../develop/howto-get-list-of-all-active-directory-auth-library-apps.md) This change does not affect:--- Microsoft apps on Windows - Web apps - Mobile apps using system web-views for authentication ([SFSafariViewController](https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller) on iOS, [Custom Tabs](https://developer.chrome.com/docs/android/custom-tabs/overview/) on Android). - Google Workspace identities, for example when youΓÇÖre using [SAML-based federation](direct-federation.md) with Google Workspace
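Review bot: the newly added affected item `Microsoft apps (e.g. Teams and PowerApps) on Windows` conflicts with `Microsoft apps on Windows`, which the flattened text `This change does not affect:--- Microsoft apps on Windows` still appears to list under the unaffected scenarios; the extra dashes suggest that line was removed, but the hunk is ambiguous, so confirm the does-not-affect list no longer names Microsoft apps on Windows, or the two lists contradict each other.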
Modify your apps to use the system browser for sign-in. For details, see [Embedd
Before Google puts these changes into place on September 30, 2021, Microsoft will deploy a workaround for apps still using embedded web-views to ensure that authentication isn't blocked. Users who sign in with a Gmail account in an embedded web-view will be prompted to enter a code in a separate browser to finish signing in.
+Alternatively, you can have your existing and new Gmail users sign in with email one-time passcode. To have your Gmail users use email one-time passcode:
+1. [Enable email one-time passcode](one-time-passcode.md#enable-email-one-time-passcode)
+2. [Remove Google Federation](google-federation.md#how-do-i-remove-google-federation)
+3. [Reset redemption status](reset-redemption-status.md) of your Gmail users so they can use email one-time passcode going forward.
+ Applications that are migrated to an allowed web-view for authentication won't be affected, and users will be allowed to authenticate via Google as usual. If applications are not migrated to an allowed web-view for authentication, then affected Gmail users will see the following screen.
active-directory Redemption Experience https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/redemption-experience.md
To unblock users who can't redeem an invitation due to a conflicting [Contact ob
1. Delete the conflicting Contact object. 2. Delete the guest user in the Azure portal (the user's "Invitation accepted" property should be in a pending state). 3. Re-invite the guest user.
-4. Wait for the user to redeem invitation
-5. Add the user's Contact email back into Exchange and any DLs they should be a part of
+4. Wait for the user to redeem invitation.
+5. Add the user's Contact email back into Exchange and any DLs they should be a part of.
## Invitation redemption flow
When a guest signs in to access resources in a partner organization for the firs
![Screenshot showing the Apps access panel](media/redemption-experience/myapps.png)
+> [!NOTE]
+> The consent experience appears only after the user signs in, and not before. There are some scenarios where the consent experience will not be displayed to the user, for example:
+> - The user already accepted the consent experience
+> - The admin [grants tenant-wide admin consent to an application](/azure/active-directory/manage-apps/grant-admin-consent)
+ In your directory, the guest's **Invitation accepted** value changes to **Yes**. If an MSA was created, the guestΓÇÖs **Source** shows **Microsoft Account**. For more information about guest user account properties, see [Properties of an Azure AD B2B collaboration user](user-properties.md).
+If you see an error that requires admin consent while accessing an application, see [how to grant admin consent to apps](../develop/v2-admin-consent.md).
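Review bot: the new note links admin consent as `(/azure/active-directory/manage-apps/grant-admin-consent)`, a site-absolute path, while the lines added in the same hunk use repo-relative links such as `../develop/v2-admin-consent.md` and `user-properties.md`; use the relative form (`../manage-apps/grant-admin-consent.md`) for consistency and so the link is validated by the docs build. The line `In your directory, the guest's **Invitation accepted** value changes to **Yes**.` also appears a second time directly under `## Next steps`; check that the duplicate is removed.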
## Next steps
In your directory, the guest's **Invitation accepted** value changes to **Yes**.
- [Add Azure Active Directory B2B collaboration users in the Azure portal](add-users-administrator.md) - [How do information workers add B2B collaboration users to Azure Active Directory?](add-users-information-worker.md) - [Add Azure Active Directory B2B collaboration users by using PowerShell](customize-invitation-api.md#powershell)-- [Leave an organization as a guest user](leave-the-organization.md)
+- [Leave an organization as a guest user](leave-the-organization.md)
active-directory How To Upgrade Previous Version https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-upgrade-previous-version.md
During in-place upgrade, there may be changes introduced that require specific s
If you are using Azure AD Connect with non-standard connector (for example, Generic LDAP Connector and Generic SQL Connector), you must refresh the corresponding connector configuration in the [Synchronization Service Manager](./how-to-connect-sync-service-manager-ui-connectors.md) after in-place upgrade. For details on how to refresh the connector configuration, refer to article section [Connector Version Release History - Troubleshooting](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history#troubleshooting). If you do not refresh the configuration, import and export run steps will not work correctly for the connector. You will receive the following error in the application event log with message *"Assembly version in AAD Connector configuration ("X.X.XXX.X") is earlier than the actual version ("X.X.XXX.X") of "C:\Program Files\Microsoft Azure AD Sync\Extensions\Microsoft.IAM.Connector.GenericLdap.dll".* ## Swing migration
-If you have a complex deployment or many objects, it might be impractical to do an in-place upgrade on the live system. For some customers, this process might take multiple days--and during this time, no delta changes are processed. You can also use this method when you plan to make substantial changes to your configuration and you want to try them out before they're pushed to the cloud.
+If you have a complex deployment or many objects, or if you need to upgrade the Windows Server operating system, it might be impractical to do an in-place upgrade on the live system. For some customers, this process might take multiple days--and during this time, no delta changes are processed. You can also use this method when you plan to make substantial changes to your configuration and you want to try them out before they're pushed to the cloud.
The recommended method for these scenarios is to use a swing migration. You need (at least) two servers--one active server and one staging server. The active server (shown with solid blue lines in the following picture) is responsible for the active production load. The staging server (shown with dashed purple lines) is prepared with the new release or configuration. When it's fully ready, this server is made active. The previous active server, which now has the old version or configuration installed, is made into the staging server and is upgraded.
There may be situations where you do not want these overrides to take place imme
To add the overrides for both full import and full synchronization on an arbitrary connector, run the following cmdlet: `Set-ADSyncSchedulerConnectorOverride -ConnectorIdentifier <Guid> -FullImportRequired $true -FullSyncRequired $true`
+## Upgrading the server Operating System
+
+If you need to upgrade the operating system of your Azure AD Connect server, do not use an in place upgrade of the OS. Instead, prepare a new server with the desired operating system and perform [a swing migration](#swing-migration).
+ ## Troubleshooting The following section contains troubleshooting and information that you can use if you encounter an issue upgrading Azure AD Connect.
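Review bot: the new heading `## Upgrading the server Operating System` breaks the sentence-case convention of the neighbouring headings (`## Swing migration`, `## Troubleshooting`, `## Next steps`) and the body text writes `in place upgrade` where the rest of the article, including the `-`/`+` lines above, consistently uses `in-place upgrade`; suggest `## Upgrading the server operating system` and `do not use an in-place upgrade of the OS`.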
If you want to install a newer version of Azure AD Connect: close the Azure AD C
## Next steps
-Learn more about [integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
+Learn more about [integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
active-directory Reference Connect Version History https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-version-history.md
Please follow this link to read more about [auto upgrade](how-to-connect-install
7/20/2021: Released for download only, not available for auto upgrade ### Functional changes - We have upgraded the LocalDB components of SQL Server to SQL 2019.
+ - This release requires Windows Server 2016 or newer, due to the requirements of SQL Server 2019. Note that an in-place upgrade of Windows Server on an Azure AD Connect server is not supported, so you may need to use a [swing migration](how-to-upgrade-previous-version.md#swing-migration).
- In this release we enforce the use of TLS 1.2. If you have enabled your Windows Server for TLS 1.2, AADConnect will use this protocol. If TLS 1.2 is not enabled on the server you will see an error message when attempting to install AADConnect and the installation will not continue until you have enabled TLS 1.2. Note that you can use the new ΓÇ£Set-ADSyncToolsTls12ΓÇ¥ cmdlets to enable TLS 1.2 on your server. - With this release, you can use a user with the user role ΓÇ£Hybrid Identity AdministratorΓÇ¥ to authenticate when you install Azure AD Connect. You no longer need the Global Administrator role for this. - We have upgraded the Visual C++ runtime library to version 14 as a prerequisite for SQL Server 2019 - This release uses the MSAL library for authentication, and we have removed the older ADAL library, which will be retired in 2022. - We no longer apply permissions on the AdminSDHolders, following Windows security guidance. We changed the parameter "SkipAdminSdHolders" to "IncludeAdminSdHolders" in the ADSyncConfig.psm1 module.
- - Passwords will now be reevaluated when the password last set value is changed, regardless of whether the password itself is changed. If for a user the password is set to ΓÇ£Must change passwordΓÇ¥ then this status is synced to Azure AD, and when the user attempts to sign in in Azure AD they will be prompted to reset their password.
+ - Passwords will now be reevaluated when an expired password is "unexpired", regardless of whether the password itself is changed. If for a user the password is set to ΓÇ£Must change password at next logonΓÇ¥, and this flag is cleared (thus "unexpiring" the password) then the "unexpired" status and the password hash are synced to Azure AD, and when the user attempts to sign in in Azure AD they can use the unexpired password.
+To sync an expired password from Active Directory to Azure Active Directory please use the [Synchronizing temporary passwords](how-to-connect-password-hash-synchronization.md#synchronizing-temporary-passwords-and-force-password-change-on-next-logon) feature in Azure AD Connect. Note that you will need to enable password writeback to use this feature, so the password the use updates is written back to Active Directory too.
- We have added two new cmdlets to the ADSyncTools module to enable or retrieve TLS 1.2 settings from the Windows Server. - Get-ADSyncToolsTls12 - Set-ADSyncToolsTls12
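Review bot: the added line `Note that you will need to enable password writeback to use this feature, so the password the use updates is written back to Active Directory too.` has a typo, `the use updates` should read `the user updates`; the sentence also reads more clearly as `so that the password the user updates is written back to Active Directory too`.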
active-directory Add Application Portal Assign Users https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-assign-users.md
Title: 'Quickstart: Assign users to an app that uses Azure Active Directory as an identity provider'
+ Title: 'Quickstart: Assign users to an application'
+ description: This quickstart walks through the process of allowing users to use an app that you have setup to use Azure AD as an identity provider.
Previously updated : 07/12/2021 Last updated : 07/23/2021 +
-# Quickstart: Assign users to an app that is using Azure AD as an identity provider
+# Quickstart: Assign users to an application
In the previous quickstart, you configured the properties for an app. When you set the properties you configured the experience for both assigned and unassigned users. This quickstart walks through the process of assigning users to the app.
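Review bot: the new `description` metadata reads `an app that you have setup to use Azure AD as an identity provider`; `setup` is the noun, the verb phrase is `set up`, so this should be `that you have set up to use Azure AD`.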
active-directory Add Application Portal Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-configure.md
Title: 'Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant'
+ Title: 'Quickstart: Configure properties for an application'
+ description: This quickstart uses the Azure portal to configure an application that has been registered with your Azure Active Directory (Azure AD) tenant.
Previously updated : 07/12/2021 Last updated : 07/23/2021 +
-# Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant
+# Quickstart: Configure properties for an application
In the previous quickstart, you added an application to your Azure Active Directory (Azure AD) tenant. When you add an application, you're letting your Azure AD tenant know it's the identity provider for the app. Now you'll configure some of the properties for the app.
active-directory Add Application Portal Setup Oidc Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-setup-oidc-sso.md
Title: 'Quickstart: Set up OIDC-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant'
+ Title: 'Quickstart: Set up OIDC-based single sign-on for an application'
+ description: This quickstart walks through the process of setting up OIDC-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant.
Previously updated : 07/01/2020 Last updated : 07/23/2020 +
-# Quickstart: Set up OIDC-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant
+# Quickstart: Set up OIDC-based single sign-on for an application
Get started with simplified user logins by setting up single sign-on (SSO) for an application that you added to your Azure Active Directory (Azure AD) tenant. After you set up SSO, your users can sign in to an application by using their Azure AD credentials. SSO is included in the free edition of Azure AD.
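Review bot: the metadata line reads `Previously updated : 07/01/2020 Last updated : 07/23/2020`, but this change landed in July 2021 and the sibling quickstarts in the same batch carry `Last updated : 07/23/2021`; the year in `ms.date` looks like a typo and should be checked, since stale dates affect how the article is surfaced and reviewed.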
active-directory Add Application Portal Setup Sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal-setup-sso.md
Title: 'Quickstart: Set up SAML-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant'
+ Title: 'Quickstart: Set up SAML-based single sign-on for an application'
+ description: This quickstart walks through the process of setting up SAML-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant.
Previously updated : 07/01/2020 Last updated : 07/23/2020 +
-# Quickstart: Set up SAML-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant
+# Quickstart: Set up SAML-based single sign-on for an application
Get started with simplified user logins by setting up single sign-on (SSO) for an application that you added to your Azure Active Directory (Azure AD) tenant. After you set up SSO, your users can sign in to an application by using their Azure AD credentials. SSO is included in the free edition of Azure AD.
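Review bot: same issue as the OIDC quickstart in this batch, the metadata line reads `Previously updated : 07/01/2020 Last updated : 07/23/2020` for a change made in July 2021, while the other quickstarts updated in the same commit series show `Last updated : 07/23/2021`; the `ms.date` year is likely wrong.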
active-directory Add Application Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/add-application-portal.md
Title: 'Quickstart: Add an application to your Azure Active Directory (Azure AD) tenant'
+ Title: 'Quickstart: Add an application to your tenant'
+ description: This quickstart uses the Azure portal to add a gallery application to your Azure Active Directory (Azure AD) tenant.
Previously updated : 06/23/2021 Last updated : 07/23/2021 +
-# Quickstart: Add an application to your Azure Active Directory (Azure AD) tenant
+# Quickstart: Add an application to your tenant
Azure Active Directory (Azure AD) has a gallery that contains thousands of pre-integrated applications. Many of the applications your organization uses are probably already in the gallery.
active-directory Delete Application Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/delete-application-portal.md
Title: 'Quickstart: Delete an application from your Azure Active Directory (Azure AD) tenant'
+ Title: 'Quickstart: Delete an application from your tenant'
+ description: This quickstart uses the Azure portal to delete an application from your Azure Active Directory (Azure AD) tenant.
Previously updated : 07/16/2021 Last updated : 07/23/2021 +
-# Quickstart: Delete an application from your Azure Active Directory (Azure AD) tenant
+# Quickstart: Delete an application from your tenant
This quickstart uses the Azure portal to delete an application that was added to your Azure Active Directory (Azure AD) tenant.
active-directory Migrate Application Authentication To Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory.md
Azure AD provides a centralized access location to manage your migrated apps. Go
You can also use the [Azure portal](https://portal.azure.com/) to audit all your apps from a centralized location, -- **Audit your app** using **Enterprise Applications, Audit, or access the same information from the [Azure AD Reporting API](../reports-monitoring/concept-reporting-api.md) to integrate into your favorite tools.
+- **Audit your app** using **Enterprise Applications, Audit**, or access the same information from the [Azure AD Reporting API](../reports-monitoring/concept-reporting-api.md) to integrate into your favorite tools.
- **View the permissions for an app** using **Enterprise Applications, Permissions** for apps using OAuth / OpenID Connect.
active-directory View Applications Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/view-applications-portal.md
Title: 'Quickstart: View the list of applications that are using your Azure Active Directory (Azure AD) tenant for identity management'
-description: In this Quickstart, use the Azure portal to view the list of applications that are registered to use your Azure Active Directory (Azure AD) tenant for identity management.
+ Title: 'Quickstart: View the list of applications in your tenant'
+
+description: In this quickstart, use the Azure portal to view the list of applications that are registered to use your Azure Active Directory (Azure AD) tenant for identity management.
Previously updated : 07/09/2021 Last updated : 07/22/2021 -+
-# Quickstart: View the list of applications that are using your Azure Active Directory (Azure AD) tenant for identity management
+# Quickstart: View the list of applications in your tenant
Get started using Azure AD as your Identity and Access Management (IAM) system for the applications your organization uses. In this quickstart you will view the applications, also known as apps, that are already set up to use your Azure AD tenant as their Identity Provider (IdP).
active-directory Permissions Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/permissions-reference.md
Previously updated : 06/18/2021 Last updated : 07/23/2021
Users with this role can manage Azure AD identity governance configuration, incl
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | microsoft.directory/accessReviews/allProperties/allTasks | Create and delete access reviews, and read and update all properties of access reviews in Azure AD |
+> | microsoft.directory/accessReviews/allProperties/allTasks | Create and delete access reviews, read and update all properties of access reviews, and manage access reviews of groups in Azure AD |
+> | microsoft.directory/accessReviews/definitions.applications/allTasks | Manage access reviews of application role assignments in Azure AD |
> | microsoft.directory/entitlementManagement/allProperties/allTasks | Create and delete resources, and read and update all properties in Azure AD entitlement management | > | microsoft.directory/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
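Review bot: the rewritten description of `microsoft.directory/accessReviews/allProperties/allTasks` now says it also covers access reviews of groups, while the new row `microsoft.directory/accessReviews/definitions.applications/allTasks` covers access reviews of application role assignments; state whether the `allProperties/allTasks` row is a superset of the new `definitions.applications` row or whether a custom role needs both, because readers build least-privilege custom roles from this table and the two descriptions overlap as written.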
active-directory View Assignments https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/view-assignments.md
This article describes how to list roles you have assigned in Azure Active Direc
For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md).
-## List role assignments in the Azure portal
+## Azure portal
This procedure describes how to list role assignments with organization-wide scope.
This procedure describes how to list role assignments with organization-wide sco
![List role assignments and permissions when you open a role from the list](./media/view-assignments/role-assignments.png)
-## List my role assignments
+### List my role assignments
It's easy to list your own permissions as well. Select **Your Role** on the **Roles and administrators** page to see the roles that are currently assigned to you.
-## Download role assignments
+### Download role assignments
To download all assignments for a specific role, on the **Roles and administrators** page, select a role, and then select **Download role assignments**. A CSV file that lists assignments at all scopes for that role is downloaded. ![download all assignments for a role](./media/view-assignments/download-role-assignments.png)
-## List role assignments using PowerShell
+### List role assignments with single-application scope
+
+This section describes how to list role assignments with single-application scope. This feature is currently in public preview.
+
+1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com).
+1. Select **App registrations**, and then select the app registration to view its properties. You might have to select **All applications** to see the complete list of app registrations in your Azure AD organization.
+
+ ![Create or edit app registrations from the App registrations page](./media/view-assignments/app-reg-all-apps.png)
+
+1. In the app registration, select **Roles and administrators**, and then select a role to view its properties.
+
+ ![List app registration role assignments from the App registrations page](./media/view-assignments/app-reg-assignments.png)
+
+1. Select **Assignments** to list the role assignments. Opening the assignments page from within the app registration shows you the role assignments that are scoped to this Azure AD resource.
+
+ ![List app registration role assignments from the properties of an app registration](./media/view-assignments/app-reg-assignments-2.png)
++
+## PowerShell
This section describes viewing assignments of a role with organization-wide scope. This article uses the [Azure Active Directory PowerShell Version 2](/powershell/module/azuread/#directory_roles) module. To view single-application scope assignments using PowerShell, you can use the cmdlets in [Assign custom roles with PowerShell](custom-assign-powershell.md).
$role = Get-AzureADDirectoryRole -ObjectId "5b3fe201-fa8b-4144-b6f1-875829ff7543
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser ```
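Review bot: the `++` line immediately before `+## PowerShell` introduces a doubled blank line (or a stray literal `+`) between the last screenshot of the moved single-application section and the new heading; one blank line is enough, so remove the extra one. The rest of the move is consistent: the three former `##` sections become `###` under the new `## Azure portal` parent, and the PowerShell intro still points readers to the custom-roles article for single-application scope.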
-## List role assignments using the Microsoft Graph API
+## Microsoft Graph API
This section describes how to list role assignments with organization-wide scope. To list single-application scope role assignments using Graph API, you can use the operations in [Assign custom roles with Graph API](custom-assign-graph.md).
Response
``` HTTP HTTP/1.1 200 OK {
- "id":"CtRxNqwabEKgwaOCHr2CGJIiSDKQoTVJrLE9etXyrY0-1"
+ "id":"CtRxNqwabEKgwaOCHr2CGJIiSDKQoTVJrLE9etXyrY0-1",
"principalId":"ab2e1023-bddc-4038-9ac1-ad4843e7e539", "roleDefinitionId":"3671d40a-1aac-426c-a0c1-a3821ebd8218", "resourceScopes":["/"] } ```
-## List role assignments with single-application scope
-
-This section describes how to list role assignments with single-application scope. This feature is currently in public preview.
-
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com).
-1. Select **App registrations**, and then select the app registration to view its properties. You might have to select **All applications** to see the complete list of app registrations in your Azure AD organization.
-
- ![Create or edit app registrations from the App registrations page](./media/view-assignments/app-reg-all-apps.png)
-
-1. In the app registration, select **Roles and administrators**, and then select a role to view its properties.
-
- ![List app registration role assignments from the App registrations page](./media/view-assignments/app-reg-assignments.png)
-
-1. Select **Assignments** to list the role assignments. Opening the assignments page from within the app registration shows you the role assignments that are scoped to this Azure AD resource.
-
- ![List app registration role assignments from the properties of an app registration](./media/view-assignments/app-reg-assignments-2.png)
- ## Next steps * Feel free to share with us on the [Azure AD administrative roles forum](https://feedback.azure.com/forums/169401-azure-active-directory?category_id=166032).
active-directory 10000Ftplans Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/10000ftplans-tutorial.md
Previously updated : 05/03/2021 Last updated : 07/23/2021 # Tutorial: Azure Active Directory integration with 10,000ft Plans
Follow these steps to enable Azure AD SSO in the Azure portal.
In this section, you'll create a test user in the Azure portal called B.Simon.
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1.In the Azure portal, in the **Azure services** pane, select **Users**, and then select **All users**.
1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps: 1. In the **Name** field, enter `B.Simon`.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **10,000ft Plans**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog.
1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
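Review bot: `+1.In the Azure portal, in the **Azure services** pane, ...` is missing the space after the list marker; Markdown does not recognise `1.In` as an ordered-list item, so the step renders as a plain paragraph and breaks the numbering of the steps after it. Change it to `1. In the Azure portal, in the **Azure services** pane, select **Users**, and then select **All users**.`, which is how the same edit reads in the 360 Online tutorial in this batch.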
active-directory 360Online Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/360online-tutorial.md
Previously updated : 05/13/2021 Last updated : 07/22/2021 # Tutorial: Azure Active Directory integration with 360 Online
Follow these steps to enable Azure AD SSO in the Azure portal.
In this section, you'll create a test user in the Azure portal called B.Simon.
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. In the Azure portal, in the **Azure services** pane, select **Users**, and then select **All users**.
1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps: 1. In the **Name** field, enter `B.Simon`.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **360 Online**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog.
1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
active-directory Appraisd Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/appraisd-tutorial.md
Previously updated : 05/27/2019 Last updated : 07/21/2021
In this tutorial, you'll learn how to integrate Appraisd with Azure Active Direc
* Enable your users to be automatically signed-in to Appraisd with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment. Appraisd supports **SP and IDP** initiated SSO.
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Appraisd supports **SP and IDP** initiated SSO.
-## Adding Appraisd from the gallery
+## Add Appraisd from the gallery
To configure the integration of Appraisd into Azure AD, you need to add Appraisd from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Appraisd** in the search box. 1. Select **Appraisd** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Appraisd
Configure and test Azure AD SSO with Appraisd using a test user called **B. Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Appraisd.
-To configure and test Azure AD SSO with Appraisd, complete the following building blocks:
+To configure and test Azure AD SSO with Appraisd, perform the following steps:
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.
-2. **[Configure Appraisd](#configure-appraisd)** to configure the SSO settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B. Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B. Simon to use Azure AD single sign-on.
-5. **[Create Appraisd test user](#create-appraisd-test-user)** to have a counterpart of B. Simon in Appraisd that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Appraisd SSO](#configure-appraisd-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Appraisd test user](#create-appraisd-test-user)** - to have a counterpart of B.Simon in Appraisd that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Appraisd** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Appraisd** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
a. Click **Set additional URLs**.
- b. In the **Relay State** text box, type a URL: `<TENANTCODE>`
+ b. In the **Relay State** text box, type the value: `<TENANTCODE>`
c. If you wish to configure the application in **SP** initiated mode, in the **Sign-on URL** text box, type a URL using the following pattern: `https://app.appraisd.com/saml/<TENANTCODE>`
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
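Review bot: the test user is named inconsistently within this hunk: the unchanged intro sentence says `a test user called **B. Simon**` while the new step list uses `B.Simon`; pick one spelling for the whole article (the other tutorials in this batch use `B.Simon`). The anchors `#configure-appraisd-sso` and `#test-sso` in the new list match the renamed `## Configure Appraisd SSO` and `## Test SSO` headings further down, so the links resolve.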
-### Configure Appraisd
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B. Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B. Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B. Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B. Simon to use Azure single sign-on by granting access to Appraisd.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Appraisd**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B. Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Appraisd SSO
1. To automate the configuration within Appraisd, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
Follow these steps to enable Azure AD SSO in the Azure portal.
4. On the top right of the page, click on **Settings** icon, then navigate to **Configuration**.
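Review bot: `B. Simon@contoso.com` in the new **User name** step contains a space, which is not valid in a user principal name; use `B.Simon@contoso.com` as the other tutorials in this batch do. In the moved **Assign the Azure AD test user** section, `Select **Add user**` should read `Select **Add user/group**`, the label the 10,000ft Plans and 360 Online tutorials were changed to in this same batch. The move also drops the two screenshots the old section carried (`common/users-groups-blade.png` and `common/add-assign-user.png`); confirm that omission is intentional.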
- ![Screenshot shows the Configuration link called out.](./media/appraisd-tutorial/tutorial_appraisd_sett.png)
+ ![Screenshot shows the Configuration link called out.](./media/appraisd-tutorial/settings.png)
5. From the Left side of menu, click on **SAML single sign-on**.
- ![Screenshot shows the Configuration options with the SAML single sign-on option highlighted.](./media/appraisd-tutorial/tutorial_appraisd_single.png)
+ ![Screenshot shows the Configuration options with the SAML single sign-on option highlighted.](./media/appraisd-tutorial/configuration.png)
6. On the **SAML 2.0 Single Sign-On configuration** page, perform the following steps:
- ![Screenshot shows the SAML 2.0 Single Sign-On configuration page where you can edit the Default Relay State and Service-initiated login U R L.](./media/appraisd-tutorial/tutorial_appraisd_saml.png)
+ ![Screenshot shows the SAML 2.0 Single Sign-On configuration page where you can edit the Default Relay State and Service-initiated login U R L.](./media/appraisd-tutorial/service-page.png)
a. Copy the **Default Relay State** value and paste it in **Relay State** textbox in **Basic SAML Configuration** on Azure portal.
Follow these steps to enable Azure AD SSO in the Azure portal.
7. Scroll down the same page under **Identifying users**, perform the following steps:
- ![Screenshot shows Identifying users where you can enter values from this step.](./media/appraisd-tutorial/tutorial_appraisd_identifying.png)
+ ![Screenshot shows Identifying users where you can enter values from this step.](./media/appraisd-tutorial/identifying-users.png)
a. In the **Identity Provider Single Sign-On URL** textbox, paste the value of **Login URL**, which you have copied from the Azure portal and click **Save**.
Follow these steps to enable Azure AD SSO in the Azure portal.
c. In Notepad, open the base-64 encoded certificate that you downloaded from the Azure portal, copy its content, and then paste it into the **X.509 Certificate** box and click **Save**.
-### Create an Azure AD test user
-
-In this section, you'll create a test user in the Azure portal called B. Simon.
-
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B. Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B. Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you'll enable B. Simon to use Azure single sign-on by granting access to Appraisd.
-
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Appraisd**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add User link](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog, select **B. Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
- ### Create Appraisd test user To enable Azure AD users sign in to Appraisd, they must be provisioned into Appraisd. In Appraisd, provisioning is a manual task.
To enable Azure AD users sign in to Appraisd, they must be provisioned into Appr
1. Sign in to Appraisd as a Security Administrator.
-2. On the top right of the page, click on **Settings** icon, then navigate to **Administration centre**.
+2. On the top right of the page, click on **Settings** icon, then navigate to **Administration center**.
- ![Screenshot shows the Settings options where you can select Administration centre.](./media/appraisd-tutorial/tutorial_appraisd_admin.png)
+ ![Screenshot shows the Settings options where you can select Administration center.](./media/appraisd-tutorial/admin.png)
3. In the toolbar at the top of the page, click **People**, then navigate to **Add a new user**.
- ![Screenshot shows the Appraisd page with People and Add a new user called out.](./media/appraisd-tutorial/tutorial_appraisd_user.png)
+ ![Screenshot shows the Appraisd page with People and Add a new user called out.](./media/appraisd-tutorial/user.png)
4. On the **Add a new user** page, perform the following steps:
- ![Screenshot shows the Add a new user page.](./media/appraisd-tutorial/tutorial_appraisd_newuser.png)
+ ![Screenshot shows the Add a new user page.](./media/appraisd-tutorial/new-user.png)
a. In **First name** text box, enter the first name of user like **Britta**.
To enable Azure AD users sign in to Appraisd, they must be provisioned into Appr
d. Click **Add user**.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Appraisd Sign on URL where you can initiate the login flow.
+
+* Go to Appraisd Sign-on URL directly and initiate the login flow from there.
-When you select the Appraisd tile in the Access Panel, you should be automatically signed in to the Appraisd for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Appraisd for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Appraisd tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Appraisd for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Appraisd you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
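Review bot: `organizationΓÇÖs` in the new **Next steps** paragraph is a mis-encoded apostrophe (a UTF-8 right single quote read as code page 437); replace it with a plain `'` so the page renders `organization's`. The `#### SP initiated:` and `#### IDP initiated:` subheadings sit directly under the `## Test SSO` H2 and skip the H3 level; use `###` to keep the heading hierarchy valid, and drop the trailing colons. `Appraisd Sign on URL` and `Appraisd Sign-on URL` appear in consecutive bullets; use `Sign-on URL` in both.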
active-directory Carlsonwagonlit Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/carlsonwagonlit-tutorial.md
Previously updated : 02/12/2019 Last updated : 07/21/2021 # Tutorial: Azure Active Directory integration with Carlson Wagonlit Travel
-In this tutorial, you learn how to integrate Carlson Wagonlit Travel with Azure Active Directory (Azure AD).
-Integrating Carlson Wagonlit Travel with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Carlson Wagonlit Travel with Azure Active Directory (Azure AD). When you integrate Carlson Wagonlit Travel with Azure AD, you can:
-* You can control in Azure AD who has access to Carlson Wagonlit Travel.
-* You can enable your users to be automatically signed-in to Carlson Wagonlit Travel (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Carlson Wagonlit Travel.
+* Enable your users to be automatically signed-in to Carlson Wagonlit Travel with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Carlson Wagonlit Travel, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Carlson Wagonlit Travel single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Carlson Wagonlit Travel single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Carlson Wagonlit Travel supports **IDP** initiated SSO
-
-## Adding Carlson Wagonlit Travel from the gallery
-
-To configure the integration of Carlson Wagonlit Travel into Azure AD, you need to add Carlson Wagonlit Travel from the gallery to your list of managed SaaS apps.
-
-**To add Carlson Wagonlit Travel from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
+* Carlson Wagonlit Travel supports **IDP** initiated SSO.
-4. In the search box, type **Carlson Wagonlit Travel**, select **Carlson Wagonlit Travel** from result panel then click **Add** button to add the application.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
- ![Carlson Wagonlit Travel in the results list](common/search-new-app.png)
+## Add Carlson Wagonlit Travel from the gallery
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Carlson Wagonlit Travel based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Carlson Wagonlit Travel needs to be established.
-
-To configure and test Azure AD single sign-on with Carlson Wagonlit Travel, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Carlson Wagonlit Travel Single Sign-On](#configure-carlson-wagonlit-travel-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Carlson Wagonlit Travel test user](#create-carlson-wagonlit-travel-test-user)** - to have a counterpart of Britta Simon in Carlson Wagonlit Travel that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+To configure the integration of Carlson Wagonlit Travel into Azure AD, you need to add Carlson Wagonlit Travel from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Carlson Wagonlit Travel** in the search box.
+1. Select **Carlson Wagonlit Travel** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with Carlson Wagonlit Travel, perform the following steps:
+## Configure and test Azure AD SSO for Carlson Wagonlit Travel
-1. In the [Azure portal](https://portal.azure.com/), on the **Carlson Wagonlit Travel** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with Carlson Wagonlit Travel using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Carlson Wagonlit Travel.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with Carlson Wagonlit Travel, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Carlson Wagonlit Travel SSO](#configure-carlson-wagonlit-travel-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Carlson Wagonlit Travel test user](#create-carlson-wagonlit-travel-test-user)** - to have a counterpart of B.Simon in Carlson Wagonlit Travel that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+## Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+1. In the Azure portal, on the **Carlson Wagonlit Travel** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- ![Carlson Wagonlit Travel Domain and URLs single sign-on information](common/idp-identifier.png)
+4. On the **Basic SAML Configuration** section, perform the following step:
In the **Identifier** text box, type the value: `cwt-stage`
To configure Azure AD single sign-on with Carlson Wagonlit Travel, perform the f
![Copy configuration URLs](common/copy-configuration-urls.png)
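Review bot: the new step list links to `#configure-carlson-wagonlit-travel-sso` and `#test-sso`, but the only application-side section visible in this diff is the removed `### Configure Carlson Wagonlit Travel Single Sign-On`, which also carried the instruction to send the downloaded Federation Metadata XML and copied URLs to the Carlson Wagonlit Travel support team; make sure a replacement section with that instruction exists under the new heading, and a `## Test SSO` heading for the second anchor, or the links will be dead. Within the SSO steps the UI labels are lowercased (`select **single sign-on**`, `**Select a single sign-on method**`, `**Set up single sign-on with SAML**`) while the Appraisd tutorial in this same batch writes them `Single sign-on`, `Select a Single sign-on method` and `Set up Single Sign-On with SAML`; match the portal's capitalisation. The list also switches from `1.` markers to a literal `4.` for the Basic SAML Configuration step; use `1.` throughout.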
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Carlson Wagonlit Travel Single Sign-On
-
-To configure single sign-on on **Carlson Wagonlit Travel** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Carlson Wagonlit Travel support team](https://www.mycwt.com/traveler-help/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user**, at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Carlson Wagonlit Travel.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Carlson Wagonlit Travel.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Carlson Wagonlit Travel**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Carlson Wagonlit Travel**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Carlson Wagonlit Travel SSO
-2. In the applications list, select **Carlson Wagonlit Travel**.
-
- ![The Carlson Wagonlit Travel link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog, select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog, click the **Assign** button.
+To configure single sign-on on **Carlson Wagonlit Travel** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Carlson Wagonlit Travel support team](https://www.mycwt.com/traveler-help/). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Carlson Wagonlit Travel test user In this section, you create a user called Britta Simon in Carlson Wagonlit Travel. Work with [Carlson Wagonlit Travel support team](https://www.mycwt.com/traveler-help/) to add the users in the Carlson Wagonlit Travel platform. Users must be created and activated before you use single sign-on.
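Review bot: the app-side test user is still called "Britta Simon" in "Create Carlson Wagonlit Travel test user", while the Azure AD sections in this change rename the test user to `B.Simon` (`B.Simon@contoso.com`); SSO here depends on the link between the Azure AD user and its counterpart in Carlson Wagonlit Travel, so both sections should name the same user. The moved sentence "They set this setting to have the SAML SSO connection set properly on both sides" also reads awkwardly; suggest "The support team configures this setting so that the SAML SSO connection is set up correctly on both sides."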
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Carlson Wagonlit Travel tile in the Access Panel, you should be automatically signed in to the Carlson Wagonlit Travel for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Carlson Wagonlit Travel for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Carlson Wagonlit Travel tile in the My Apps, you should be automatically signed in to the Carlson Wagonlit Travel for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Carlson Wagonlit Travel you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
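Review bot: in the Next steps paragraph, "which protects exfiltration and infiltration of your organization's sensitive data" should read "which protects against exfiltration and infiltration", and the apostrophe in "organization's" arrives as mojibake (`ΓÇÖ`) in this diff, so confirm the file is saved as UTF-8 or use a plain ASCII apostrophe. In Test SSO, "with following options" should be "with the following options", and "Test this application" should be bold as it is in the dmarcian tutorial in this same update.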
active-directory Cloudtamer Io Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cloudtamer-io-tutorial.md
Previously updated : 06/09/2021 Last updated : 07/21/2021
To configure and test Azure AD SSO with cloudtamer.io, perform the following ste
1. **[Create cloudtamer.io test user](#create-cloudtamerio-test-user)** - to have a counterpart of B.Simon in cloudtamer.io that is linked to the Azure AD representation of user. 1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+### Begin cloudtamer.io SSO Configuration
+
+1. Log in to cloudtamer.io website as an administrator.
+
+1. Click on **+** plus icon at the top right corner and select **IDMS**.
+
+ ![Screenshot for IDMS create.](./media/cloudtamer-io-tutorial/idms-creation.png)
+
+1. Leave this screen open and copy values from this screen into the Azure AD configuration.
+ ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
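Review bot: the new "Begin cloudtamer.io SSO Configuration" section is not reflected in the step overview just above it (the list ending in "Create cloudtamer.io test user" and "Test SSO"), and as a `###` heading placed before `## Configure Azure AD SSO` it falls under the previous section. Since the Azure AD steps now depend on values copied from its IDMS screen, add an overview entry that links to it and check that its heading level matches the surrounding subsections.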
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<CUSTOMERDOMAIN>.<EXTENSION>/api/v1/saml/auth/<id>`
+ a. In the **Identifier** text box, paste the **IDENTITY PROVIDER ISSUER (ENTITY ID)** from cloudtamer.io into this box.
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<CUSTOMERDOMAIN>.<EXTENSION>/api/v1/saml/callback`
+ b. In the **Reply URL** text box, paste the **SERVICE PROVIDER ACS URL** from cloudtamer.io into this box.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
Follow these steps to enable Azure AD SSO in the Azure portal.
`https://<CUSTOMERDOMAIN>.<EXTENSION>/login` > [!NOTE]
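Review bot: please confirm the field mapping in the Basic SAML Configuration steps. Azure AD's **Identifier** is the service provider's entity ID, the audience the assertion is issued for, yet step a tells the reader to paste the value labelled **IDENTITY PROVIDER ISSUER (ENTITY ID)** from cloudtamer.io. If that label on the IDMS screen denotes cloudtamer.io's own SP entity ID the instruction is fine; if it denotes the identity provider's issuer, which is the value Azure AD hands to the application, an audience mismatch will make cloudtamer.io reject every assertion. One clause saying which value the label refers to would remove the ambiguity. The removed pattern `https://<CUSTOMERDOMAIN>.<EXTENSION>/api/v1/saml/auth/<id>` also let readers sanity-check the pasted Identifier; consider keeping it as an example.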
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [cloudtamer.io Client support team](mailto:support@cloudtamer.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > The value is not real. Update the value with the actual Sign-on URL. You can refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up cloudtamer.io** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Configure cloudtamer.io SSO
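Review bot: with the support-contact sentence dropped from the note ("Contact cloudtamer.io Client support team to get these values"), the Sign-on URL step still shows only the placeholder pattern `https://<CUSTOMERDOMAIN>.<EXTENSION>/login` and no longer says where the real value comes from; the new "Begin cloudtamer.io SSO Configuration" steps mention copying values from the IDMS screen but not a sign-on URL. Either state that it is the customer's own cloudtamer.io login URL or keep a pointer to support.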
-1. Log in to cloudtamer.io website as an administrator.
-
-1. Click on **+** plus icon at the top right corner and select **IDMS**.
-
- ![Screenshot for IDMS create.](./media/cloudtamer-io-tutorial/idms-creation.png)
- 1. Perform the following steps in the **Add IDMS** page: ![Screenshot for IDMS adding.](./media/cloudtamer-io-tutorial/configuration.png)
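Review bot: "Configure cloudtamer.io SSO" now opens directly with "Perform the following steps in the **Add IDMS** page" because the sign-in and IDMS-creation steps moved to the new "Begin cloudtamer.io SSO Configuration" section; a reader arriving here from the overview list has no navigation step. Add a lead-in such as "Return to the **Add IDMS** page you left open earlier" so the dependency on that open screen is explicit.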
active-directory Dmarcian Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/dmarcian-tutorial.md
Previously updated : 08/01/2019 Last updated : 07/21/2021
In this tutorial, you'll learn how to integrate dmarcian with Azure Active Direc
* Enable your users to be automatically signed-in to dmarcian with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* dmarcian supports **SP and IDP** initiated SSO
+* dmarcian supports **SP and IDP** initiated SSO.
-## Adding dmarcian from the gallery
+## Add dmarcian from the gallery
To configure the integration of dmarcian into Azure AD, you need to add dmarcian from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **dmarcian** in the search box. 1. Select **dmarcian** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for dmarcian
Configure and test Azure AD SSO with dmarcian using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in dmarcian.
-To configure and test Azure AD SSO with dmarcian, complete the following building blocks:
+To configure and test Azure AD SSO with dmarcian, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-2. **[Configure dmarcian SSO](#configure-dmarcian-sso)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-5. **[Create dmarcian test user](#create-dmarcian-test-user)** - to have a counterpart of B.Simon in dmarcian that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure dmarcian SSO](#configure-dmarcian-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create dmarcian test user](#create-dmarcian-test-user)** - to have a counterpart of B.Simon in dmarcian that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **dmarcian** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **dmarcian** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
a. In the **Identifier** text box, type a URL using the following pattern:
- ```http
- https://us.dmarcian.com/sso/saml/<ACCOUNT_ID>/sp.xml
- https://dmarcian-eu.com/sso/saml/<ACCOUNT_ID>/sp.xml
- https://dmarcian-ap.com/sso/saml/<ACCOUNT_ID>/sp.xml
- ```
+ | **Identifier** |
+ |--|
+ | `https://us.dmarcian.com/sso/saml/<ACCOUNT_ID>/sp.xml` |
+ | `https://dmarcian-eu.com/sso/saml/<ACCOUNT_ID>/sp.xml` |
+ | `https://dmarcian-ap.com/sso/saml/<ACCOUNT_ID>/sp.xml` |
+
b. In the **Reply URL** text box, type a URL using the following pattern:
- ```http
- https://us.dmarcian.com/login/<ACCOUNT_ID>/handle/
- https://dmarcian-eu.com/login/<ACCOUNT_ID>/handle/
- https://dmarcian-ap.com/login/<ACCOUNT_ID>/handle/
- ```
+ | **Reply URL** |
+ |-|
+ | `https://us.dmarcian.com/login/<ACCOUNT_ID>/handle/` |
+ | `https://dmarcian-eu.com/login/<ACCOUNT_ID>/handle/` |
+ | `https://dmarcian-ap.com/login/<ACCOUNT_ID>/handle/` |
+
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: In the **Sign-on URL** text box, type a URL using the following pattern:
- ```http
- https://us.dmarcian.com/login/<ACCOUNT_ID>
- https://dmarcian-eu.com/login/<ACCOUNT_ID>
- https://dmarciam-ap.com/login/<ACCOUNT_ID>
- ```
+ | **Sign-on URL** |
+ |--|
+ | `https://us.dmarcian.com/login/<ACCOUNT_ID>` |
+ | `https://dmarcian-eu.com/login/<ACCOUNT_ID>` |
+ | `https://dmarciam-ap.com/login/<ACCOUNT_ID>` |
> [!NOTE] > These values are not real. You will update these values with the actual Identifier, Reply URL and Sign-On URL which is explained later in the tutorial.
Follow these steps to enable Azure AD SSO in the Azure portal.
![The Certificate download link](common/copy-metadataurl.png)
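Review bot: the Sign-on URL table carries a domain typo: the third row is `https://dmarciam-ap.com/login/<ACCOUNT_ID>` while the Identifier and Reply URL tables use `dmarcian-ap.com`. The typo existed in the removed code block as well, but converting the block to a table is the moment to fix it, since a misspelled sign-on domain points readers at a host other than dmarcian's.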
-### Configure dmarcian SSO
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to dmarcian.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **dmarcian**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure dmarcian SSO
1. To automate the configuration within dmarcian, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
Follow these steps to enable Azure AD SSO in the Azure portal.
4. Click on **Profile** on the top-right corner and navigate to **Preferences**.
- ![The Preferences](./media/dmarcian-tutorial/tutorial_dmarcian_pref.png)
+ ![The Preferences](./media/dmarcian-tutorial/profile.png)
5. Scroll down and click on **Single Sign-On** section, then click on **Configure**.
- ![The single](./media/dmarcian-tutorial/tutorial_dmarcian_sso.png)
+ ![The single](./media/dmarcian-tutorial/configure.png)
6. On the **SAML Single Sign-On** page set the **Status** as **Enabled** and perform the following steps:
- ![The authentication](./media/dmarcian-tutorial/tutorial_dmarcian_auth.png)
+ ![The authentication](./media/dmarcian-tutorial/status.png)
- * Under **Add dmarcian to your Identity Provider** section, click **COPY** to copy the **Assertion Consumer Service URL** for your instance and paste it in **Reply URL** textbox in **Basic SAML Configuration section** on Azure portal.
+ a. Under **Add dmarcian to your Identity Provider** section, click **COPY** to copy the **Assertion Consumer Service URL** for your instance and paste it in **Reply URL** textbox in **Basic SAML Configuration section** on Azure portal.
- * Under **Add dmarcian to your Identity Provider** section, click **COPY** to copy the **Entity ID** for your instance and paste it in **Identifier** textbox in **Basic SAML Configuration section** on Azure portal.
+ b. Under **Add dmarcian to your Identity Provider** section, click **COPY** to copy the **Entity ID** for your instance and paste it in **Identifier** textbox in **Basic SAML Configuration section** on Azure portal.
- * Under **Set up Authentication** section, in the **Identity Provider Metadata** textbox paste the **App Federation Metadata Url**, which you have copied from Azure portal.
+ c. Under **Set up Authentication** section, in the **Identity Provider Metadata** textbox paste the **App Federation Metadata Url**, which you have copied from Azure portal.
- * Under **Set up Authentication** section, in the **Attribute Statements** textbox paste the url `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
+ d. Under **Set up Authentication** section, in the **Attribute Statements** textbox paste the url `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- * Under **Set up Login URL** section, copy the **Login URL** for your instance and paste it in **Sign-on URL** textbox in **Basic SAML Configuration section** on Azure portal.
+ e. Under **Set up Login URL** section, copy the **Login URL** for your instance and paste it in **Sign-on URL** textbox in **Basic SAML Configuration section** on Azure portal.
- > [!Note]
- > You can modify the **Login URL** according to your organization.
+ > [!Note]
+ > You can modify the **Login URL** according to your organization.
- * Click **Save**.
-
-### Create an Azure AD test user
-
-In this section, you'll create a test user in the Azure portal called B.Simon.
-
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to dmarcian.
-
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **dmarcian**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add User link](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
+ f. Click **Save**.
### Create dmarcian test user
To enable Azure AD users to sign in to dmarcian, they must be provisioned into d
2. Click on **Profile** on the top right-corner and navigate to **Manage Users**.
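Review bot: the alert in step e is written `> [!Note]` whereas the rest of the article uses `> [!NOTE]` (for example the note under the Sign-on URL table); use the upper-case form for consistency. In step d, "paste the url `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`" should read "paste the claim URI" (the value is a claim type identifier, not a link) and needs a terminal period.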
- ![The user](./media/dmarcian-tutorial/tutorial_dmarcian_user.png)
+ ![The user](./media/dmarcian-tutorial/user.png)
3. On the right side of **SSO Users** section, click on **Add New User**.
- ![The add user](./media/dmarcian-tutorial/tutorial_dmarcian_addnewuser.png)
+ ![The add user](./media/dmarcian-tutorial/new-user.png)
4. On the **Add New User** popup, perform the following steps:
- ![The new user](./media/dmarcian-tutorial/tutorial_dmarcian_save.png)
+ ![The new user](./media/dmarcian-tutorial/save-user.png)
a. In the **New User Email** textbox, enter the email of user like **brittasimon\@contoso.com**.
To enable Azure AD users to sign in to dmarcian, they must be provisioned into d
c. Click **Add User**.
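Review bot: the dmarcian test-user example email, **brittasimon\@contoso.com**, no longer matches the Azure AD test user this change creates (`B.Simon@contoso.com`). Step d of the dmarcian SSO configuration sets the Attribute Statements to the `emailaddress` claim, so dmarcian identifies the signed-in user by that email; a test sign-in as B.Simon will not resolve to an account created as brittasimon. Use `B.Simon@contoso.com` in this step.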
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to dmarcian Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to dmarcian Sign-on URL directly and initiate the login flow from there.
-When you click the dmarcian tile in the Access Panel, you should be automatically signed in to the dmarcian for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the dmarcian for which you set up the SSO.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the dmarcian tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the dmarcian for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure dmarcian you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
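Review bot: in Test SSO the sub-headings `#### SP initiated:` and `#### IDP initiated:` skip a level beneath `## Test SSO` and end with colons; use `###` and drop the colons. "with following options" should read "with the following options". In Next steps, "which protects exfiltration and infiltration" should read "which protects against exfiltration and infiltration", and the apostrophe in "organization's" shows as mojibake (`ΓÇÖ`) in this diff, as in the Carlson Wagonlit Travel article; confirm the file is saved as UTF-8.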
active-directory Fuze Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fuze-tutorial.md
Previously updated : 02/18/2019 Last updated : 07/21/2021 # Tutorial: Azure Active Directory integration with Fuze
-In this tutorial, you learn how to integrate Fuze with Azure Active Directory (Azure AD).
-Integrating Fuze with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Fuze with Azure Active Directory (Azure AD). When you integrate Fuze with Azure AD, you can:
-* You can control in Azure AD who has access to Fuze.
-* You can enable your users to be automatically signed-in to Fuze (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Fuze.
+* Enable your users to be automatically signed-in to Fuze with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Fuze, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Fuze single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Fuze single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Fuze supports **SP** initiated SSO
-
-* Fuze supports **Just In Time** user provisioning
-
-## Adding Fuze from the gallery
-
-To configure the integration of Fuze into Azure AD, you need to add Fuze from the gallery to your list of managed SaaS apps.
-
-**To add Fuze from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
+* Fuze supports **SP** initiated SSO.
-3. To add new application, click **New application** button on the top of dialog.
+* Fuze supports **Just In Time** user provisioning.
- ![The New application button](common/add-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-4. In the search box, type **Fuze**, select **Fuze** from result panel then click **Add** button to add the application.
+## Add Fuze from the gallery
- ![Fuze in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Fuze based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Fuze needs to be established.
-
-To configure and test Azure AD single sign-on with Fuze, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Fuze Single Sign-On](#configure-fuze-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Fuze test user](#create-fuze-test-user)** - to have a counterpart of Britta Simon in Fuze that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+To configure the integration of Fuze into Azure AD, you need to add Fuze from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Fuze** in the search box.
+1. Select **Fuze** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with Fuze, perform the following steps:
+## Configure and test Azure AD SSO for Fuze
-1. In the [Azure portal](https://portal.azure.com/), on the **Fuze** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with Fuze using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Fuze.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with Fuze, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Fuze SSO](#configure-fuze-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Fuze test user](#create-fuze-test-user)** - to have a counterpart of B.Simon in Fuze that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+## Configure Azure AD SSO
-3. On the **Set-up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+1. In the Azure portal, on the **Fuze** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- ![Fuze Domain and URLs single sign-on information](common/sp-signonurl.png)
+4. On the **Basic SAML Configuration** section, perform the following step:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://www.thinkingphones.com/jetspeed/portal/` 5. On the **Set-up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
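Review bot: the step numbering in the rewritten "Configure Azure AD SSO" list is mixed: the first three steps use the auto-numbered `1.` form, the Basic SAML Configuration step is an explicit `4.`, and the certificate step that follows it in the unchanged context is `5.`. Use `1.` for every step, as the Image Relay and IWT Procurement Suite rewrites in this same update do, so the list keeps rendering correctly if a step is inserted later. Changing "type a URL" to "type the URL" is right, since `https://www.thinkingphones.com/jetspeed/portal/` is a fixed value rather than a per-tenant pattern; it would be worth confirming with the Fuze side that this literal is still current before the page ships.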
To configure Azure AD single sign-on with Fuze, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Fuze Single Sign-On
-
-To configure single sign-on on **Fuze** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Fuze support team](https://www.fuze.com/support). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Fuze.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Fuze.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Fuze**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Fuze**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Fuze SSO
-2. In the applications list, select **Fuze**.
-
- ![The Fuze link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog, select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog, select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog, click the **Assign** button.
+To configure single sign-on on **Fuze** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Fuze support team](https://www.fuze.com/support). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Fuze test user
-Fuze application supports just in time user provision, so users will get created automatically when they sign in. For any other clarification, contact Fuze [support](https://www.fuze.com/support).
+In this section, a user called B.Simon is created in Fuze. Fuze supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Fuze, a new one is created after authentication.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Fuze tile in the Access Panel, you should be automatically signed in to the Fuze for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Fuze Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Fuze Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Fuze tile in the My Apps, this will redirect to Fuze Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Fuze you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
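Review bot: the "Configure Fuze SSO" paragraph (`+To configure single sign-on on **Fuze** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal`) still tells the admin to send "appropriate copied URLs", but this hunk deletes the list that named them (`- a. Login URL`, `- b. Azure Ad Identifier`, `- c. Logout URL`), leaving only the "Copy configuration URLs" screenshot to guess from. Either keep a short list of the three values under that image or name them in the Fuze paragraph. Two smaller points: the rewritten "Create Fuze test user" text now asserts that just-in-time provisioning is "enabled by default", a claim the previous wording did not make and that Fuze should confirm; and since the same paragraph says a Fuze account is created for any user who authenticates, the Azure AD assignment step above is the only gate on who gets an account, which is worth stating explicitly. Also, `organizationΓÇÖs` in the "Next steps" paragraph is a mis-encoded apostrophe and should be `organization's`.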
active-directory Greenhouse Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/greenhouse-tutorial.md
Previously updated : 03/26/2021 Last updated : 07/21/2021 # Tutorial: Azure Active Directory integration with Greenhouse
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<COMPANYNAME>.greenhouse.io`
+ a. In the **Identifier** text box, type the value:
+ `greenhouse.io`
- b. In the **Reply URL** text box, type a URL using one of the following patterns:
-
- | Reply URL|
- | -- |
- | `https://<COMPANYNAME>.greenhouse.io/users/saml/consume` |
- | `https://app.greenhouse.io/<ENTITY ID>/users/saml/consume` |
- |
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<COMPANYNAME>.greenhouse.io/<ENTITY ID>/users/saml/consume`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<COMPANYNAME>.greenhouse.io`
+ In the **Sign-on URL** text box, type the URL:
+ `https://app.greenhouse.io`
> [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Greenhouse Client support team](https://www.greenhouse.io/contact) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > The value is not real. Update the value with the actual Reply URL. Contact [Greenhouse Client support team](https://www.greenhouse.io/contact) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
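Review bot: the new Reply URL pattern `https://<COMPANYNAME>.greenhouse.io/<ENTITY ID>/users/saml/consume` merges the two old patterns (`<COMPANYNAME>.greenhouse.io/users/saml/consume` and `app.greenhouse.io/<ENTITY ID>/users/saml/consume`) into a form that neither of them had, while the Sign-on URL becomes the fixed `https://app.greenhouse.io`; please confirm with Greenhouse that a tenant subdomain and the entity-ID path really appear together in one URL, because the Reply URL is the assertion consumer endpoint and a wrong value breaks sign-in for every user of the app. The Identifier also changes from a per-tenant URL to the constant `greenhouse.io`, so narrowing the note to "The value is not real. Update the value with the actual Reply URL" is consistent, but the note should still say that the Identifier is the same for every tenant and only the Reply URL is tenant-specific, so readers do not "fix" the constant.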
active-directory Imagerelay Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/imagerelay-tutorial.md
Previously updated : 02/20/2019 Last updated : 07/21/2021 # Tutorial: Azure Active Directory integration with Image Relay
-In this tutorial, you learn how to integrate Image Relay with Azure Active Directory (Azure AD).
-Integrating Image Relay with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Image Relay with Azure Active Directory (Azure AD). When you integrate Image Relay with Azure AD, you can:
-* You can control in Azure AD who has access to Image Relay.
-* You can enable your users to be automatically signed-in to Image Relay (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Image Relay.
+* Enable your users to be automatically signed-in to Image Relay with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Image Relay, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Image Relay single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Image Relay single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Image Relay supports **SP** initiated SSO
+* Image Relay supports **SP** initiated SSO.
-## Adding Image Relay from the gallery
+## Add Image Relay from the gallery
To configure the integration of Image Relay into Azure AD, you need to add Image Relay from the gallery to your list of managed SaaS apps.
-**To add Image Relay from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Image Relay**, select **Image Relay** from result panel then click **Add** button to add the application.
-
- ![Image Relay in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Image Relay based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Image Relay needs to be established.
-
-To configure and test Azure AD single sign-on with Image Relay, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Image Relay** in the search box.
+1. Select **Image Relay** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Image Relay Single Sign-On](#configure-image-relay-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Image Relay test user](#create-image-relay-test-user)** - to have a counterpart of Britta Simon in Image Relay that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Image Relay
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Image Relay using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Image Relay.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Image Relay, perform the following steps:
-To configure Azure AD single sign-on with Image Relay, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Image Relay SSO](#configure-image-relay-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Image Relay test user](#create-image-relay-test-user)** - to have a counterpart of B.Simon in Image Relay that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Image Relay** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Image Relay** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Image Relay Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<companyname>.imagerelay.com/`
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://<COMPANYNAME>.imagerelay.com/sso/metadata`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<companyname>.imagerelay.com/sso/metadata`
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<COMPANYNAME>.imagerelay.com/`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Image Relay Client support team](http://support.imagerelay.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [Image Relay Client support team](http://support.imagerelay.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
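Review bot: two consecutive steps in this hunk are both numbered `4.` (`4. On the **Basic SAML Configuration** section, perform the following steps:` and `4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section`) after three steps written as `1.`; switch all of them to `1.` as the rewritten intro list in this same hunk does. Swapping the sub-steps so the Identifier (Entity ID) comes before the Sign on URL, upper-casing `<COMPANYNAME>`, and updating the note to the same order all match the portal's field order and the other tutorials, so no change needed there.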
To configure Azure AD single sign-on with Image Relay, perform the following ste
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure Ad Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure Image Relay Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Image Relay.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Image Relay**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Image Relay SSO
1. In another browser window, sign in to your Image Relay company site as an administrator. 2. In the toolbar on the top, click the **Users & Permissions** workload.
- ![Screenshot shows Users & Permissions selected from the toolbar.](./media/imagerelay-tutorial/tutorial_imagerelay_06.png)
+ ![Screenshot shows Users & Permissions selected from the toolbar.](./media/imagerelay-tutorial/users.png)
3. Click **Create New Permission**.
- ![Screenshot shows a text box to enter Permission title and an option to choose Permission Type.](./media/imagerelay-tutorial/tutorial_imagerelay_08.png)
+ ![Screenshot shows a text box to enter Permission title and an option to choose Permission Type.](./media/imagerelay-tutorial/create-permission.png)
4. In the **Single Sign On Settings** workload, select the **This Group can only sign-in via Single Sign On** check box, and then click **Save**.
- ![Screenshot shows the Single Sign On Settings where you can select the option.](./media/imagerelay-tutorial/tutorial_imagerelay_09.png)
+ ![Screenshot shows the Single Sign On Settings where you can select the option.](./media/imagerelay-tutorial/save-settings.png)
5. Go to **Account Settings**.
- ![Screenshot shows the Account Settings toolbar option.](./media/imagerelay-tutorial/tutorial_imagerelay_10.png)
+ ![Screenshot shows the Account Settings toolbar option.](./media/imagerelay-tutorial/account.png)
6. Go to the **Single Sign On Settings** workload.
- ![Screenshot shows the Single Sign On Settings menu option.](./media/imagerelay-tutorial/tutorial_imagerelay_11.png)
+ ![Screenshot shows the Single Sign On Settings menu option.](./media/imagerelay-tutorial/settings.png)
7. On the **SAML Settings** dialog, perform the following steps:
- ![Screenshot shows the SAML Settings dialog box where you can enter the information.](./media/imagerelay-tutorial/tutorial_imagerelay_12.png)
+ ![Screenshot shows the SAML Settings dialog box where you can enter the information.](./media/imagerelay-tutorial/information.png)
a. In **Login URL** textbox, paste the value of **Login URL** which you have copied from Azure portal.
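Review bot: step a of the SAML Settings dialog (`a. In **Login URL** textbox, paste the value of **Login URL** which you have copied from Azure portal.`) still refers back to values copied from the portal, but this hunk removes the list that told the reader which ones to copy (`- a. Login URL`, `- b. Azure Ad Identifier`, `- c. Logout URL`) and leaves only the "Copy configuration URLs" screenshot. Keep a short list of the values under that image, or name each one where the Image Relay dialog consumes it. Moving the "Create an Azure AD test user" and "Assign the Azure AD test user" sections ahead of "Configure Image Relay SSO" matches the new step order in the intro list, so the in-page anchors still resolve.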
To configure Azure AD single sign-on with Image Relay, perform the following ste
e. Under **x.509 Certificate**, click **Update Certificate**.
- ![Screenshot shows the option to Update Certificate.](./media/imagerelay-tutorial/tutorial_imagerelay_17.png)
+ ![Screenshot shows the option to Update Certificate.](./media/imagerelay-tutorial/certificate.png)
f. Open the downloaded certificate in notepad, copy the content, and then paste it into the **x.509 Certificate** textbox.
- ![Screenshot shows the x dot 509 Certificate.](./media/imagerelay-tutorial/tutorial_imagerelay_18.png)
+ ![Screenshot shows the x dot 509 Certificate.](./media/imagerelay-tutorial/update-certificate.png)
g. In **Just-In-Time User Provisioning** section, select the **Enable Just-In-Time User Provisioning**.
- ![Screenshot shows the Just-In-Time User Provisioning section with the enable control selected.](./media/imagerelay-tutorial/tutorial_imagerelay_19.png)
+ ![Screenshot shows the Just-In-Time User Provisioning section with the enable control selected.](./media/imagerelay-tutorial/provisioning.png)
h. Select the permission group (for example, **SSO Basic**) which is allowed to sign in only through single sign-on.
- ![Screenshot shows the Just-In-Time User Provisioning section with S S O Basic selected.](./media/imagerelay-tutorial/tutorial_imagerelay_20.png)
+ ![Screenshot shows the Just-In-Time User Provisioning section with S S O Basic selected.](./media/imagerelay-tutorial/user-provisioning.png)
i. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Image Relay.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Image Relay**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Image Relay**.
-
- ![The Image Relay link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Image Relay test user The objective of this section is to create a user called Britta Simon in Image Relay.
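Review bot: the "Create Image Relay test user" section still says "create a user called Britta Simon in Image Relay" (the run-together context at the end of this hunk and the header line of the next one), while every other section in this change was renamed to B.Simon; update it so the Image Relay account the admin creates matches the Azure AD test user. On step f (`Open the downloaded certificate in notepad, copy the content, and then paste it into the **x.509 Certificate** textbox.`): because the Azure AD signing certificate is pasted by hand rather than read from metadata, the page should tell admins that the pasted certificate has to be replaced whenever the certificate in the SAML Signing Certificate section is rotated, otherwise Image Relay will reject the assertions on signature validation.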
The objective of this section is to create a user called Britta Simon in Image R
1. Sign-on to your Image Relay company site as an administrator.
-2. Go to **Users & Permissions** and select **Create SSO User**.
+2. Go to **Users & Permissions** and select **Create SSO User**.
- ![Screenshot shows Create S S O User selected from the menu.](./media/imagerelay-tutorial/tutorial_imagerelay_21.png)
+ ![Screenshot shows Create S S O User selected from the menu.](./media/imagerelay-tutorial/create-user.png)
3. Enter the **Email**, **First Name**, **Last Name**, and **Company** of the user you want to provision and select the permission group (for example, SSO Basic) which is the group that can sign in only through single sign-on.
- ![Screenshot shows Create a S S O User page where you can enter the required information.](./media/imagerelay-tutorial/tutorial_imagerelay_22.png)
+ ![Screenshot shows Create a S S O User page where you can enter the required information.](./media/imagerelay-tutorial/user-details.png)
4. Click **Create**.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Image Relay tile in the Access Panel, you should be automatically signed in to the Image Relay for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Image Relay Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Image Relay Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Image Relay tile in the My Apps, this will redirect to Image Relay Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Image Relay you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
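Review bot: `organizationΓÇÖs` in the "Next steps" paragraph is a mis-encoded apostrophe; use `organization's`. The pair `-2. Go to **Users & Permissions** and select **Create SSO User**.` / `+2. Go to **Users & Permissions** and select **Create SSO User**.` shows no visible difference, so it is presumably a whitespace-only edit; worth confirming it was intended rather than an editor artifact. The new "Test SSO" options and the screenshot renames (`create-user.png`, `user-details.png`) read fine, provided the renamed media files are committed with this change.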
active-directory Iwt Procurement Suite Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/iwt-procurement-suite-tutorial.md
Previously updated : 04/23/2020 Last updated : 07/22/2021
In this tutorial, you'll learn how to integrate IWT Procurement Suite with Azure
* Enable your users to be automatically signed-in to IWT Procurement Suite with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* IWT Procurement Suite supports **IDP** initiated SSO
-* Once you configure IWT Procurement Suite you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* IWT Procurement Suite supports **IDP** initiated SSO.
-## Adding IWT Procurement Suite from the gallery
+## Add IWT Procurement Suite from the gallery
To configure the integration of IWT Procurement Suite into Azure AD, you need to add IWT Procurement Suite from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **IWT Procurement Suite** in the search box. 1. Select **IWT Procurement Suite** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for IWT Procurement Suite
+## Configure and test Azure AD SSO for IWT Procurement Suite
Configure and test Azure AD SSO with IWT Procurement Suite using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in IWT Procurement Suite.
-To configure and test Azure AD SSO with IWT Procurement Suite, complete the following building blocks:
+To configure and test Azure AD SSO with IWT Procurement Suite, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
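Review bot: this hunk deletes the session-control bullet from "Scenario description" (`-* Once you configure IWT Procurement Suite you can enforce session control ... (/cloud-app-security/proxy-deployment-any-app)`) but nothing in the visible diff adds it back; please confirm the page already has a "Next steps" section carrying that paragraph, as the Fuze and Image Relay tutorials in this update do, otherwise the pointer to Cloud App Security session control is lost. Note that the deleted bullet linked `proxy-deployment-any-app` while the other two tutorials link `proxy-deployment-aad`; whichever survives should be used consistently. Dropping the literal `[Azure portal](https://portal.azure.com)` link from the sign-in step matches the other pages.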
To configure and test Azure AD SSO with IWT Procurement Suite, complete the foll
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **IWT Procurement Suite** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **IWT Procurement Suite** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
+1. On the **Set up single sign-on with SAML** page, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://[customersubdomain].ionwave.net/sso/[customerid]`
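Review bot: the Identifier pattern on this line still uses square-bracket placeholders, `https://[customersubdomain].ionwave.net/sso/[customerid]`, while the mindWireless tutorial in the same change set is normalized to upper-case angle-bracket placeholders (`https://<SUBDOMAIN>.mwsmart.com/`). Use one convention across the SaaS tutorials, e.g. `https://<CUSTOMERSUBDOMAIN>.ionwave.net/sso/<CUSTOMERID>`, so a reader does not paste literal brackets into the Identifier field; the Identifier is the SAML entity ID and audience, and a value that is not byte-for-byte what IWT Procurement Suite sends and validates fails at assertion validation rather than degrading gracefully.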
Follow these steps to enable Azure AD SSO in the Azure portal.
![image](common/default-attributes.png) -- 1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ![The Certificate download link](common/copy-metadataurl.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **IWT Procurement Suite**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, you create a user called Britta Simon in IWT Procurement Suite.
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the IWT Procurement Suite tile in the Access Panel, you should be automatically signed in to the IWT Procurement Suite for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)--- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the IWT Procurement Suite for which you set up the SSO.
-- [Try IWT Procurement Suite with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the IWT Procurement Suite tile in the My Apps, you should be automatically signed in to the IWT Procurement Suite for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect IWT Procurement Suite with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure IWT Procurement Suite you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
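Review bot: the added Next steps paragraph renders as `organizationΓÇÖs`, which is the UTF-8 byte sequence of a right single quotation mark (U+2019) decoded as code page 437. Confirm the file on disk is UTF-8 with the intended character, or use a plain ASCII apostrophe (`organization's`), otherwise the published page shows the same garbage. Also, `Click on Test this application in Azure portal` should bold the UI label and take the article, as the Nuclino tutorial in this change set does: `Click on **Test this application** in the Azure portal`.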
active-directory Mercell Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mercell-tutorial.md
Previously updated : 02/20/2019 Last updated : 07/21/2021 # Tutorial: Azure Active Directory integration with Mercell
-In this tutorial, you learn how to integrate Mercell with Azure Active Directory (Azure AD).
-Integrating Mercell with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Mercell with Azure Active Directory (Azure AD). When you integrate Mercell with Azure AD, you can:
-* You can control in Azure AD who has access to Mercell.
-* You can enable your users to be automatically signed-in to Mercell (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Mercell.
+* Enable your users to be automatically signed-in to Mercell with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Mercell, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Mercell single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Mercell single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Mercell supports **IDP** initiated SSO
-
-* Mercell supports **Just In Time** user provisioning
-
-## Adding Mercell from the gallery
-
-To configure the integration of Mercell into Azure AD, you need to add Mercell from the gallery to your list of managed SaaS apps.
-
-**To add Mercell from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
+* Mercell supports **IDP** initiated SSO.
-3. To add new application, click **New application** button on the top of dialog.
+* Mercell supports **Just In Time** user provisioning.
- ![The New application button](common/add-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-4. In the search box, type **Mercell**, select **Mercell** from result panel then click **Add** button to add the application.
+## Add Mercell from the gallery
- ![Mercell in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Mercell based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Mercell needs to be established.
-
-To configure and test Azure AD single sign-on with Mercell, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Mercell Single Sign-On](#configure-mercell-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Mercell test user](#create-mercell-test-user)** - to have a counterpart of Britta Simon in Mercell that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+To configure the integration of Mercell into Azure AD, you need to add Mercell from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Mercell** in the search box.
+1. Select **Mercell** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with Mercell, perform the following steps:
+## Configure and test Azure AD SSO for Mercell
-1. In the [Azure portal](https://portal.azure.com/), on the **Mercell** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with Mercell using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Mercell.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with Mercell, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Mercell SSO](#configure-mercell-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Mercell test user](#create-mercell-test-user)** - to have a counterpart of B.Simon in Mercell that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+## Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+1. In the Azure portal, on the **Mercell** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- ![Mercell Domain and URLs single sign-on information](common/idp-identifier.png)
+4. On the **Basic SAML Configuration** section, perform the following step:
- In the **Identifier** text box, type a URL:
+ In the **Identifier** text box, type the URL:
`https://my.mercell.com/` 5. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ![The Certificate download link](common/copy-metadataurl.png)
-### Configure Mercell Single Sign-On
-
-To configure single sign-on on **Mercell** side, you need to send the **App Federation Metadata Url** to [Mercell support team](mailto:webmaster@mercell.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
+In this section, you'll create a test user in the Azure portal called B.Simon.
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Mercell.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Mercell**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Mercell.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Mercell**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **Mercell**.
+## Configure Mercell SSO
- ![The Mercell link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Mercell** side, you need to send the **App Federation Metadata Url** to [Mercell support team](mailto:webmaster@mercell.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Mercell test user
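Review bot: the rewritten Basic SAML Configuration step (`+4. On the **Basic SAML Configuration** section, perform the following step:`) sets only the Identifier `https://my.mercell.com/` and says nothing about the Reply URL, yet the scenario is IDP-initiated SSO, where Azure AD posts an unsolicited SAML response to the Reply URL (Assertion Consumer Service). Either state that the Reply URL is prepopulated by the gallery entry and must be left as is, or add a step for it; as written a reader has no ACS URL to verify against what Mercell support configures from the metadata. Two smaller points in the same hunk: the list numbering is mixed (the preceding steps use lazy `1.`, this step keeps `+4.` and the context line keeps `5.`), and the new role-assignment wording (`... select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.`) differs from the `**Select Role** dialog` wording the IWT and mindWireless tutorials keep; the portal has one UI, so describe it the same way everywhere.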
In this section, a user called Britta Simon is created in Mercell. Mercell suppo
>[!Note] >If you need to create a user manually, contact [Mercell support team](mailto:webmaster@mercell.com).
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Mercell tile in the Access Panel, you should be automatically signed in to the Mercell for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Mercell for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Mercell tile in the My Apps, you should be automatically signed in to the Mercell for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Mercell you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
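Review bot: `organizationΓÇÖs` here is the same mis-decoded U+2019 apostrophe as in the IWT Procurement Suite Next steps paragraph; save the file as UTF-8 or write `organization's`. The Test SSO bullet `Click on Test this application in Azure portal` should bold the UI label (`**Test this application**`) to match the Nuclino tutorial in this change.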
active-directory Mindwireless Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mindwireless-tutorial.md
Previously updated : 10/15/2019 Last updated : 07/21/2021
In this tutorial, you'll learn how to integrate mindWireless with Azure Active D
* Enable your users to be automatically signed-in to mindWireless with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* mindWireless supports **IDP** initiated SSO
+* mindWireless supports **IDP** initiated SSO.
-## Adding mindWireless from the gallery
+## Add mindWireless from the gallery
To configure the integration of mindWireless into Azure AD, you need to add mindWireless from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **mindWireless** in the search box. 1. Select **mindWireless** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for mindWireless
+## Configure and test Azure AD SSO for mindWireless
Configure and test Azure AD SSO with mindWireless using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in mindWireless.
-To configure and test Azure AD SSO with mindWireless, complete the following building blocks:
+To configure and test Azure AD SSO with mindWireless, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure mindWireless SSO](#configure-mindwireless-sso)** - to configure the single sign-on settings on application side.
- * **[Create mindWireless test user](#create-mindwireless-test-user)** - to have a counterpart of B.Simon in mindWireless that is linked to the Azure AD representation of user.
+ 1. **[Create mindWireless test user](#create-mindwireless-test-user)** - to have a counterpart of B.Simon in mindWireless that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **mindWireless** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **mindWireless** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
+1. On the **Set up single sign-on with SAML** page, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<subdomain>.mwsmart.com/`
+ `https://<SUBDOMAIN>.mwsmart.com/`
b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<subdomain>.mwsmart.com/SAML/AssertionConsumerService.aspx`
+ `https://<SUBDOMAIN>.mwsmart.com/SAML/AssertionConsumerService.aspx`
> [!NOTE] > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [mindWireless Client support team](mailto:sdulloor@mindwireless.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
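Review bot: the note retained in this hunk directs readers to a personal mailbox, `mailto:sdulloor@mindwireless.com`, for the real Identifier and Reply URL. A named individual's address goes stale when that person leaves and is a phishing-friendly detail to publish; prefer a role mailbox or support portal if mindWireless has one, since the only verification a reader has for `https://<SUBDOMAIN>.mwsmart.com/` and `/SAML/AssertionConsumerService.aspx` is what that contact returns.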
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **mindWireless**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, you create a user called B.Simon in mindWireless. Work with [m
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the mindWireless tile in the Access Panel, you should be automatically signed in to the mindWireless for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the mindWireless for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the mindWireless tile in the My Apps, you should be automatically signed in to the mindWireless for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try mindWireless with Azure AD](https://aad.portal.azure.com/)
+Once you configure mindWireless you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
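Review bot: `organizationΓÇÖs` in the Next steps paragraph is the same mis-decoded apostrophe flagged on the IWT and Mercell hunks; fix it together with the unbolded `Click on Test this application in Azure portal` so all four tutorials in this change read the same.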
active-directory Nuclino Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/nuclino-tutorial.md
Previously updated : 10/17/2019 Last updated : 07/21/2021
In this tutorial, you'll learn how to integrate Nuclino with Azure Active Direct
* Enable your users to be automatically signed-in to Nuclino with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Nuclino supports **SP and IDP** initiated SSO
-* Nuclino supports **Just In Time** user provisioning
+* Nuclino supports **SP and IDP** initiated SSO.
+* Nuclino supports **Just In Time** user provisioning.
-## Adding Nuclino from the gallery
+## Add Nuclino from the gallery
To configure the integration of Nuclino into Azure AD, you need to add Nuclino from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Nuclino** in the search box. 1. Select **Nuclino** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Nuclino
+## Configure and test Azure AD SSO for Nuclino
Configure and test Azure AD SSO with Nuclino using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Nuclino.
-To configure and test Azure AD SSO with Nuclino, complete the following building blocks:
+To configure and test Azure AD SSO with Nuclino, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Nuclino, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Nuclino** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Nuclino** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://api.nuclino.com/api/sso/<UNIQUE-ID>/metadata`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Nuclino**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
4. Click on the **ICON**.
- ![Screenshot that shows the "Menu" icon selected next to "Azure A D S S O".](./media/nuclino-tutorial/configure1.png)
+ ![Screenshot that shows the "Menu" icon selected next to "Azure A D S S O".](./media/nuclino-tutorial/menu.png)
5. Click on the **Azure AD SSO** and select **Team settings** from the dropdown.
- ![Screenshot that shows the "Azure A D S S O" drop-down with "Team settings" selected.](./media/nuclino-tutorial/configure2.png)
+ ![Screenshot that shows the "Azure A D S S O" drop-down with "Team settings" selected.](./media/nuclino-tutorial/team-settings.png)
6. Select **Authentication** from left navigation pane.
- ![Screenshot that shows "Authentication" selected.](./media/nuclino-tutorial/configure3.png)
+ ![Screenshot that shows "Authentication" selected.](./media/nuclino-tutorial/authentication.png)
7. In the **Authentication** section, perform the following steps:
- ![Nuclino Configuration](./media/nuclino-tutorial/configure4.png)
+ ![Nuclino Configuration](./media/nuclino-tutorial/configuration.png)
a. Select **SAML-based single sign-on (SSO)**.
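Review bot: the four screenshot references are renamed from `configure1.png` through `configure4.png` to `menu.png`, `team-settings.png`, `authentication.png` and `configuration.png` under `./media/nuclino-tutorial/`; make sure the renamed image files are part of the same commit, otherwise every image in the Configure Nuclino SSO section breaks on publish. The alt text `"Azure A D S S O"` is the deliberate screen-reader spelling and can stay.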
In this section, a user called B.Simon is created in Nuclino. Nuclino supports j
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Nuclino Sign on URL where you can initiate the login flow.
-When you click the Nuclino tile in the Access Panel, you should be automatically signed in to the Nuclino for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Nuclino Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Nuclino for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Nuclino tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Nuclino for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Nuclino with Azure AD](https://aad.portal.azure.com/)
+Once you configure Nuclino you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
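Review bot: the Next steps sentence `which protects exfiltration and infiltration of your organization's sensitive data` states the opposite of what session control does; it should read `which protects against exfiltration and infiltration of ...`. The same sentence appears in the Next steps of the OrgVitality SSO and Skills Base tutorials in this change and needs the same fix. In the Test SSO block, `#### SP initiated:` and `#### IDP initiated:` sit directly under the `## Test SSO` h2, skipping the h3 level, and carry trailing colons; `### SP initiated` and `### IdP initiated` match the heading style of the rest of the article and the usual IdP spelling. Smaller wording points on the added lines: `with following options` needs `the`, the first bullet says `Nuclino Sign on URL` while the second says `Sign-on URL`, and `in the My Apps` (here and in the matching Test SSO bullets of the other two tutorials) should be `in My Apps`.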
active-directory Orgvitality Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/orgvitality-sso-tutorial.md
Previously updated : 09/29/2020 Last updated : 07/22/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* OrgVitality SSO supports **IDP** initiated SSO
+* OrgVitality SSO supports **IDP** initiated SSO.
-## Adding OrgVitality SSO from the gallery
+## Add OrgVitality SSO from the gallery
To configure the integration of OrgVitality SSO into Azure AD, you need to add OrgVitality SSO from the gallery to your list of managed SaaS apps.
To configure the integration of OrgVitality SSO into Azure AD, you need to add O
1. In the **Add from the gallery** section, type **OrgVitality SSO** in the search box. 1. Select **OrgVitality SSO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for OrgVitality SSO Configure and test Azure AD SSO with OrgVitality SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in OrgVitality SSO.
To configure and test Azure AD SSO with OrgVitality SSO, perform the following s
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure OrgVitality SSO SSO](#configure-orgvitality-sso-sso)** - to configure the single sign-on settings on application side.
+1. **[Configure OrgVitality SSO](#configure-orgvitality-sso)** - to configure the single sign-on settings on application side.
1. **[Create OrgVitality SSO test user](#create-orgvitality-sso-test-user)** - to have a counterpart of B.Simon in OrgVitality SSO that is linked to the Azure AD representation of user. 1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **OrgVitality SSO** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://rpt.orgvitality.com/<COMPANY_NAME>/`
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up OrgVitality SSO** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure OrgVitality SSO SSO
+## Configure OrgVitality SSO
To configure single sign-on on **OrgVitality SSO** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [OrgVitality SSO support team](https://orgvitality.com/contact-us/). They set this setting to have the SAML SSO connection set properly on both sides.
In this section, you create a user called Britta Simon in OrgVitality SSO. Work
In this section, you test your Azure AD single sign-on configuration with following options.
-1. Click on Test this application in Azure portal and you should be automatically signed in to the OrgVitality SSO for which you set up the SSO
+* Click on Test this application in Azure portal and you should be automatically signed in to the OrgVitality SSO for which you set up the SSO.
-1. You can use Microsoft Access Panel. When you click the OrgVitality SSO tile in the Access Panel, you should be automatically signed in to the OrgVitality SSO for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* You can use Microsoft My Apps. When you click the OrgVitality SSO tile in the My Apps, you should be automatically signed in to the OrgVitality SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure OrgVitality SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure OrgVitality SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
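Review bot: the rename of the test user to B.Simon is incomplete in this tutorial: the unchanged line shown in the hunk header, `In this section, you create a user called Britta Simon in OrgVitality SSO`, still uses the old name, while the step list above now says `a counterpart of B.Simon in OrgVitality SSO`. Update it to B.Simon so one name is used throughout. In the rewritten Test SSO bullet, `Click on Test this application in Azure portal` leaves the button name unformatted, whereas the Nuclino tutorial in this same change writes `**Test this application**`; bold it here as well so the two tutorials read the same way.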
active-directory Skillsbase Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/skillsbase-tutorial.md
Previously updated : 03/07/2019 Last updated : 07/22/2021 # Tutorial: Azure Active Directory integration with Skills Base
-In this tutorial, you learn how to integrate Skills Base with Azure Active Directory (Azure AD).
-Integrating Skills Base with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Skills Base with Azure Active Directory (Azure AD). When you integrate Skills Base with Azure AD, you can:
-* You can control in Azure AD who has access to Skills Base.
-* You can enable your users to be automatically signed-in to Skills Base (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Skills Base.
+* Enable your users to be automatically signed-in to Skills Base with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Skills Base, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Skills Base single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Skills Base single sign-on (SSO) enabled subscription.
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
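Review bot: `Enable your users to be automatically signed-in to Skills Base with their Azure AD accounts.` hyphenates a verb phrase; it should be `signed in`. The TargetProcess tutorial below adds the same sentence and needs the same change.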
To configure Azure AD integration with Skills Base, you need the following items
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Skills Base supports **SP** initiated SSO
-* Skills Base supports **Just In Time** user provisioning
-
-## Adding Skills Base from the gallery
-
-To configure the integration of Skills Base into Azure AD, you need to add Skills Base from the gallery to your list of managed SaaS apps.
-
-**To add Skills Base from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Skills Base**, select **Skills Base** from result panel then click **Add** button to add the application.
+* Skills Base supports **SP** initiated SSO.
+* Skills Base supports **Just In Time** user provisioning.
- ![Skills Base in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Skills Base based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Skills Base needs to be established.
-
-To configure and test Azure AD single sign-on with Skills Base, you need to complete the following building blocks:
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Skills Base Single Sign-On](#configure-skills-base-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Skills Base test user](#create-skills-base-test-user)** - to have a counterpart of Britta Simon in Skills Base that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Add Skills Base from the gallery
-### Configure Azure AD single sign-on
+To configure the integration of Skills Base into Azure AD, you need to add Skills Base from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Skills Base** in the search box.
+1. Select **Skills Base** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with Skills Base, perform the following steps:
+## Configure and test Azure AD SSO for Skills Base
-1. In the [Azure portal](https://portal.azure.com/), on the **Skills Base** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with Skills Base using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Skills Base.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with Skills Base, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Skills Base SSO](#configure-skills-base-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Skills Base test user](#create-skills-base-test-user)** - to have a counterpart of B.Simon in Skills Base that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+## Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+1. In the Azure portal, on the **Skills Base** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-4. On the **Basic SAML Configuration** section, perform the following steps:
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
- ![Skills Base Domain and URLs single sign-on information](common/sp-signonurl.png)
+4. On the **Basic SAML Configuration** section, perform the following step:
In the **Sign-on URL** text box, type a URL using the following pattern: `https://app.skills-base.com/o/<customer-unique-key>`
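Review bot: the step `+4. On the **Basic SAML Configuration** section, perform the following step:` keeps a hard-coded `4.` while the three steps added just above it (`select **single sign-on**`, `select **SAML**`, `click the pencil icon`) use `1.`; the auto-numbered `1.` style is what the rest of the rewritten article uses, so change this item to `1.` as well. The new note `Identifier of this application is a fixed string value so only one instance can be configured in one tenant` is worth having, and it is consistent with this section asking only for the **Sign-on URL**; a sentence saying that the Identifier is therefore not a value the reader supplies would make the consequence concrete, because the OrgVitality and TargetProcess tutorials in this change do ask for one and a reader working through several tutorials may look for the field. The nested sub-steps link to `#configure-skills-base-sso`, `#create-skills-base-test-user` and `#test-sso`; those anchors match the new headings `## Configure Skills Base SSO`, `### Create Skills Base test user` and `## Test SSO`, so they resolve.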
To configure Azure AD single sign-on with Skills Base, perform the following ste
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
- b. Azure AD Identifier
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Skills Base.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Skills Base**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Skills Base Single Sign-On
+## Configure Skills Base SSO
1. In a different web browser window, login to Skills Base as a Security Administrator. 2. From the left side of menu, under **ADMIN** click **Authentication**.
- ![The admin](./media/skillsbase-tutorial/tutorial_skillsbase_auth.png)
+ ![The admin](./media/skillsbase-tutorial/admin.png)
3. On the **Authentication** Page, select Single Sign-On as **SAML 2**.
- ![Screenshot shows the Authentication page with SAML 2 selected for Sing Sign-on.](./media/skillsbase-tutorial/tutorial_skillsbase_single.png)
+ ![Screenshot shows the Authentication page with SAML 2 selected for Sing Sign-on.](./media/skillsbase-tutorial/configuration.png)
4. On the **Authentication** Page, Perform the following steps:
- ![Screenshot shows the Authentication page where you can enter the values described.](./media/skillsbase-tutorial/tutorial_skillsbase_save.png)
+ ![Screenshot shows the Authentication page where you can enter the values described.](./media/skillsbase-tutorial/save-configuration.png)
a. Click on **Update IdP metadata** button next to **Status** option and paste the contents of Metadata XML that you downloaded from the Azure portal in the specified textbox.
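Review bot: the alt text on the renamed screenshot, `Screenshot shows the Authentication page with SAML 2 selected for Sing Sign-on.`, carries the typo `Sing Sign-on` over from the removed line; since the line is being rewritten anyway, correct it to `Single Sign-on`. Two more points on this hunk: `In this section, you'll enable B.Simon to use Azure single sign-on` should say `Azure AD single sign-on`, as the rest of the article does; and with the `a. Login URL` / `b. Azure AD Identifier` / `c. Logout URL` list deleted below the `![Copy configuration URLs]` screenshot, check that the Azure AD SSO section still contains the step that downloads the Federation Metadata XML, because step 4a of the Skills Base configuration (`paste the contents of Metadata XML that you downloaded from the Azure portal`) depends on it and none of the rewritten Azure-side steps visible here mention that download.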
To configure Azure AD single sign-on with Skills Base, perform the following ste
b. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Skills Base.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Skills Base**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Skills Base**.
-
- ![The Skills Base link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Skills Base test user In this section, a user called Britta Simon is created in Skills Base. Skills Base supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Skills Base, a new one is created after authentication.
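Review bot: the `### Create Skills Base test user` section that follows the deleted blocks still says `a user called Britta Simon is created in Skills Base`, while every rewritten section above now uses B.Simon; change it to B.Simon so the tutorial uses a single test-user name. The removed assignment step `If you are expecting any role value in the SAML assertion then in the **Select Role** dialog ...` is covered by the new `Select a role` step in the relocated Assign section, so nothing is lost by deleting the old Create and Assign sections here.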
In this section, a user called Britta Simon is created in Skills Base. Skills Ba
> [!Note] > If you need to create a user manually, follow the instructions [here](http://wiki.skills-base.net/index.php?title=Adding_people_and_enabling_them_to_log_in).
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Skills Base tile in the Access Panel, you should be automatically signed in to the Skills Base for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Skills Base Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Skills Base Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Skills Base tile in the My Apps, this will redirect to Skills Base Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Skills Base you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
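Review bot: `In this section, you test your Azure AD single sign-on configuration with following options.` is missing `the` before `following`. The note kept just above this hunk links to `http://wiki.skills-base.net/index.php?title=Adding_people_and_enabling_them_to_log_in` over plain HTTP; check whether the wiki serves HTTPS and, if it does, update the scheme while this file is open, so readers are not sent to a provisioning how-to over an unencrypted link. The Test SSO options correctly list only SP-initiated paths, which matches `Skills Base supports **SP** initiated SSO` in the scenario description.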
active-directory Target Process Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/target-process-tutorial.md
Previously updated : 03/07/2019 Last updated : 07/22/2021 # Tutorial: Azure Active Directory integration with TargetProcess
-In this tutorial, you learn how to integrate TargetProcess with Azure Active Directory (Azure AD).
-Integrating TargetProcess with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate TargetProcess with Azure Active Directory (Azure AD). When you integrate TargetProcess with Azure AD, you can:
-* You can control in Azure AD who has access to TargetProcess.
-* You can enable your users to be automatically signed-in to TargetProcess (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to TargetProcess.
+* Enable your users to be automatically signed-in to TargetProcess with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with TargetProcess, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* TargetProcess single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* TargetProcess single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* TargetProcess supports **SP** initiated SSO
-* TargetProcess supports **Just In Time** user provisioning
+* TargetProcess supports **SP** initiated SSO.
+* TargetProcess supports **Just In Time** user provisioning.
-## Adding TargetProcess from the gallery
+## Add TargetProcess from the gallery
To configure the integration of TargetProcess into Azure AD, you need to add TargetProcess from the gallery to your list of managed SaaS apps.
-**To add TargetProcess from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **TargetProcess**, select **TargetProcess** from result panel then click **Add** button to add the application.
-
- ![TargetProcess in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD SSO
-
-In this section, you configure and test Azure AD single sign-on with TargetProcess based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in TargetProcess needs to be established.
-
-To configure and test Azure AD single sign-on with TargetProcess, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **TargetProcess** in the search box.
+1. Select **TargetProcess** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure TargetProcess Single Sign-On](#configure-targetprocess-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create TargetProcess test user](#create-targetprocess-test-user)** - to have a counterpart of Britta Simon in TargetProcess that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for TargetProcess
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with TargetProcess using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TargetProcess.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with TargetProcess, perform the following steps:
-To configure Azure AD single sign-on with TargetProcess, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure TargetProcess SSO](#configure-targetprocess-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create TargetProcess test user](#create-targetprocess-test-user)** - to have a counterpart of B.Simon in TargetProcess that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **TargetProcess** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **TargetProcess** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![TargetProcess Domain and URLs single sign-on information](common/sp-identifier.png)
-
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<subdomain>.tpondemand.com/`
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.tpondemand.com/`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<subdomain>.tpondemand.com/`
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.tpondemand.com/`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [TargetProcess Client support team](mailto:support@targetprocess.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [TargetProcess Client support team](mailto:support@targetprocess.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
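Review bot: the unchanged steps `4. On the **Basic SAML Configuration** section, perform the following steps:` and `5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section ...` keep hard-coded numbers while the three steps rewritten directly above them now use `1.`; switch them to `1.` too, matching the list style the rest of the rewritten article uses. In the Basic SAML Configuration sub-steps, the Identifier and the Sign on URL now share the pattern `https://<SUBDOMAIN>.tpondemand.com/` with the placeholder in upper case, which is consistent with `<COMPANY_NAME>` in the OrgVitality tutorial in this change; the Skills Base step `https://app.skills-base.com/o/<customer-unique-key>` is the one left in lower case and could be aligned in the same pass.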
To configure Azure AD single sign-on with TargetProcess, perform the following s
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure TargetProcess Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to TargetProcess.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **TargetProcess**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure TargetProcess SSO
1. To automate the configuration within **TargetProcess**, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
- ![image](./media/target-process-tutorial/install_extension.png)
+ ![image](./media/target-process-tutorial/install-extension.png)
1. After adding extension to the browser, click on **setup TargetProcess** will direct you to the TargetProcess application. From there, provide the admin credentials to sign into TargetProcess. The browser extension will automatically configure the application for you and automate steps 3-7.
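Review bot: the removed `- a. Login URL`, `- b. Azure AD Identifier` and `- c. Logout URL` items have no replacement in this hunk, so the `![Copy configuration URLs]` screenshot at the top is now followed directly by the new `### Create an Azure AD test user` heading; check that the sentence above the screenshot (outside this hunk) still names the values to copy, otherwise the reader is left with an image and nothing to act on. Second, the unchanged trailing line still promises that the extension will `automate steps 3-7`; with the Create/Assign sections moved in front of `## Configure TargetProcess SSO` and every list item now written as `1.`, confirm the rendered numbering still makes 3-7 the TargetProcess-side steps.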
To configure Azure AD single sign-on with TargetProcess, perform the following s
1. In the menu on the top, click **Setup**.
- ![Setup](./media/target-process-tutorial/tutorial_target_process_05.png)
+ ![Setup](./media/target-process-tutorial/menu.png)
1. Click **Settings** tab.
- ![Settings](./media/target-process-tutorial/tutorial_target_process_06.png)
+ ![Settings](./media/target-process-tutorial/profile.png)
1. Click **Single Sign-on** tab.
- ![click Single Sign-On](./media/target-process-tutorial/tutorial_target_process_07.png)
+ ![click Single Sign-On](./media/target-process-tutorial/personal-settings.png)
1. On the Single Sign-on settings dialog, perform the following steps:
- ![Configure Single Sign-On](./media/target-process-tutorial/tutorial_target_process_08.png)
+ ![Configure Single Sign-On](./media/target-process-tutorial/certificate.png)
a. Click **Enable Single Sign-on**.
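Review bot: the renamed screenshots look offset from the steps they illustrate: `Click **Settings** tab` now shows `profile.png`, `Click **Single Sign-on** tab` shows `personal-settings.png`, and the Single Sign-on settings dialog shows `certificate.png`. If the files were renamed by their content rather than by step, either the order of the references or the names is wrong; names that match the step (`settings.png`, `single-sign-on.png`, `single-sign-on-settings.png`) would make such a mismatch visible in review.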
To configure Azure AD single sign-on with TargetProcess, perform the following s
e. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to TargetProcess.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **TargetProcess**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **TargetProcess**.
-
- ![The TargetProcess link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create TargetProcess test user In this section, a user called Britta Simon is created in TargetProcess. TargetProcess supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in TargetProcess, a new one is created after authentication.
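Review bot: this block is the old copy of the Create/Assign test-user sections that the earlier hunk moved above `## Configure TargetProcess SSO`, so dropping it is right, but the last removed line is the blank that separated `e. Click **Save**.` from the `### Create TargetProcess test user` heading; make sure a blank line still precedes that heading after the merge. Also, the heading's paragraph (kept as context) still says `a user called Britta Simon is created in TargetProcess` while the rest of the page now uses `B.Simon`; rename it here too.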
In this section, a user called Britta Simon is created in TargetProcess. TargetP
> [!Note] > If you need to create a user manually, contact [TargetProcess support team](mailto:support@targetprocess.com).
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the TargetProcess tile in the Access Panel, you should be automatically signed in to the TargetProcess for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to TargetProcess Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to TargetProcess Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the TargetProcess tile in the My Apps, this will redirect to TargetProcess Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure TargetProcess you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
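Review bot: the added Next steps line contains `organizationΓÇÖs`, a UTF-8 right single quote decoded in a legacy code page; replace it with `organization's`. In the same sentence, `protects exfiltration and infiltration of your organization's sensitive data` says the opposite of what is meant and should read `protects against exfiltration and infiltration of`.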
active-directory Teamwork Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/teamwork-tutorial.md
Previously updated : 04/08/2019 Last updated : 07/22/2021 # Tutorial: Azure Active Directory integration with Teamwork.com
-In this tutorial, you learn how to integrate Teamwork.com with Azure Active Directory (Azure AD).
-Integrating Teamwork.com with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Teamwork.com with Azure Active Directory (Azure AD). When you integrate Teamwork.com with Azure AD, you can:
-* You can control in Azure AD who has access to Teamwork.com.
-* You can enable your users to be automatically signed-in to Teamwork.com (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Teamwork.com.
+* Enable your users to be automatically signed-in to Teamwork.com with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Teamwork.com, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Teamwork.com single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Teamwork.com single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Teamwork.com supports **SP** initiated SSO
-
-## Adding Teamwork.com from the gallery
-
-To configure the integration of Teamwork.com into Azure AD, you need to add Teamwork.com from the gallery to your list of managed SaaS apps.
-
-**To add Teamwork.com from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add a new application, click the **New application** button at the top of the dialog.
+* Teamwork.com supports **SP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-4. In the search box, type **Teamwork.com**, select **Teamwork.com** from the result panel then click the **Add** button to add the application.
+## Add Teamwork.com from the gallery
- ![Teamwork.com in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Teamwork.com based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Teamwork.com needs to be established.
-
-To configure and test Azure AD single sign-on with Teamwork.com, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Teamwork.com Single Sign-On](#configure-teamworkcom-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Teamwork.com test user](#create-teamworkcom-test-user)** - to have a counterpart of Britta Simon in Teamwork.com that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Teamwork.com into Azure AD, you need to add Teamwork.com from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Teamwork.com** in the search box.
+1. Select **Teamwork.com** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Teamwork.com
-To configure Azure AD single sign-on with Teamwork.com, perform the following steps:
+Configure and test Azure AD SSO with Teamwork.com using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Teamwork.com.
-1. In the [Azure portal](https://portal.azure.com/), on the **Teamwork.com** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Teamwork.com, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Teamwork.com SSO](#configure-teamworkcom-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Teamwork.com test user](#create-teamworkcom-test-user)** - to have a counterpart of B.Simon in Teamwork.com that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Teamwork.com** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Teamwork.com Domain and URLs single sign-on information](common/sp-identifier.png)
+ a. In the **Identifier (Entity ID)** text box, type one of the following URLs:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<company name>.teamwork.com`
+ | **Identifier** |
+ ||
+ | `https://teamwork.com/saml` |
+ | `https://eu.teamwork.com/saml` |
- b. In the **Identifier (Entity ID)** text box, type the URL:
-
- - `https://teamwork.com/saml`
- - `https://eu.teamwork.com/saml`
+ b. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<COMPANYNAME>.teamwork.com`
> [!NOTE] > This Sign-on URL value is not real. Update this value with the actual Sign-On URL. Contact [Teamwork.com support team](mailto:support@teamwork.com) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
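Review bot: the new `> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.` note sits in the same hunk as a table that offers two identifier values, `https://teamwork.com/saml` and `https://eu.teamwork.com/saml`. Azure AD rejects a duplicate Identifier within a tenant but not a different one, so a tenant could still hold one instance per value; the note should either say that, or tell the reader which value applies (US or EU hosting) so they do not guess. The trailing `> [!NOTE] > This Sign-on URL value is not real.` is correct as written, since the identifiers are real, but it would help to add that the Sign on URL is the company's own `<COMPANYNAME>.teamwork.com` subdomain.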
To configure Azure AD single sign-on with Teamwork.com, perform the following st
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure Teamwork.com Single Sign-On
-
-To configure single sign-on on **Teamwork.com** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Teamwork.com support team](mailto:support@teamwork.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Teamwork.com.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Teamwork.com.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Teamwork.com**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Teamwork.com**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Teamwork.com SSO
-2. In the applications list, select **Teamwork.com**.
-
- ![The Teamwork.com link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Teamwork.com** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Teamwork.com support team](mailto:support@teamwork.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Teamwork.com test user In this section, you create a user called Britta Simon in Teamwork.com. Work with [Teamwork.com support team](mailto:support@teamwork.com) to add the users in the Teamwork.com platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Teamwork.com tile in the Access Panel, you should be automatically signed in to the Teamwork.com for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Teamwork.com Sign-on URL where you can initiate the login flow.
-## Additional resources
+* Go to Teamwork.com Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Teamwork.com tile in the My Apps, this will redirect to Teamwork.com Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Teamwork.com you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
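Review bot: `organizationΓÇÖs` in the added Next steps line is a mis-decoded apostrophe, and `protects exfiltration and infiltration` should be `protects against exfiltration and infiltration`. Two more things in this hunk: the unchanged `### Create Teamwork.com test user` paragraph still refers to `Britta Simon` while everything around it was renamed to `B.Simon`; and the `## Configure Teamwork.com SSO` section keeps the instruction to send the Federation Metadata XML and the copied URLs to Teamwork support, which is now the only place the reader learns that the Login URL, Azure AD Identifier and Logout URL are needed, since the `- a. Login URL` / `- b. Azure AD Identifier` / `- c. Logout URL` list is removed; name them in that sentence.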
active-directory Textexpander Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/textexpander-tutorial.md
Previously updated : 05/22/2020 Last updated : 07/21/2021
In this tutorial, you'll learn how to integrate TextExpander with Azure Active D
* Enable your users to be automatically signed-in to TextExpander with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* TextExpander supports **IDP** initiated SSO
-* TextExpander supports **Just In Time** user provisioning
-* Once you configure TextExpander you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* TextExpander supports **IDP** initiated SSO.
+* TextExpander supports **Just In Time** user provisioning.
-## Adding TextExpander from the gallery
+## Add TextExpander from the gallery
To configure the integration of TextExpander into Azure AD, you need to add TextExpander from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **TextExpander** in the search box. 1. Select **TextExpander** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for TextExpander
+## Configure and test Azure AD SSO for TextExpander
Configure and test Azure AD SSO with TextExpander using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TextExpander.
-To configure and test Azure AD SSO with TextExpander, complete the following building blocks:
+To configure and test Azure AD SSO with TextExpander, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with TextExpander, complete the following bui
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **TextExpander** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **TextExpander** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://app.textexpander.com/acs/<ORGID>`
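Review bot: `if you wish to configure the application in **IDP** initiated mode, perform the following steps` reads as if there were an alternative, but the scenario bullet in the previous hunk (`+* TextExpander supports **IDP** initiated SSO.`) makes IdP-initiated the only mode this app supports; drop the conditional and state that the Identifier `https://app.textexpander.com/acs/<ORGID>` and the values that follow it are required for sign-in to work.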
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **TextExpander**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, a user called Britta Simon is created in TextExpander. TextExpa
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the TextExpander tile in the Access Panel, you should be automatically signed in to the TextExpander for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)--- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the TextExpander for which you set up the SSO.
-- [Try TextExpander with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the TextExpander tile in the My Apps, you should be automatically signed in to the TextExpander for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect TextExpander with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure TextExpander you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
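Review bot: the added Next steps line has the `organizationΓÇÖs` mojibake and `protects exfiltration and infiltration`, which should be `protects against exfiltration and infiltration`. Also: the scenario bullet removed earlier in this file linked `/cloud-app-security/proxy-deployment-any-app` while the re-added paragraph links `/cloud-app-security/proxy-deployment-aad`; confirm the gallery-app target is the intended one. `Click on Test this application in Azure portal` lacks the bold the sibling pages use (`**Test this application**`), and the unchanged `Britta Simon` in the `Create TextExpander test user` paragraph above should become `B.Simon`.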
active-directory Timeclock 365 Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/timeclock-365-provisioning-tutorial.md
+
+ Title: 'Tutorial: Configure TimeClock 365 for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to TimeClock 365.
+
+documentationcenter: ''
+
+writer: Zhchia
++
+ms.assetid: dc5e95c8-d878-43dd-918e-69e1686b4db6
+++
+ na
+ms.devlang: na
+ Last updated : 07/16/2021+++
+# Tutorial: Configure TimeClock 365 for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both TimeClock 365 and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [TimeClock 365](https://timeclock365.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
++
+## Capabilities Supported
+> [!div class="checklist"]
+> * Create users in TimeClock 365
+> * Remove users in TimeClock 365 when they do not require access anymore
+> * Keep user attributes synchronized between Azure AD and TimeClock 365
+> * [Single sign-on](../manage-apps/add-application-portal-setup-oidc-sso.md) to TimeClock 365 (recommended).
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A [TimeClock 365](https://timeclock365.com/) tenant.
+* A user account in TimeClock 365 with Admin permissions.
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+1. Determine what data to [map between Azure AD and TimeClock 365](../app-provisioning/customize-application-attributes.md).
+
+## Step 2. Configure TimeClock 365 to support provisioning with Azure AD
+
+1. Login to [Timeclock365 admin console](https://live.timeclock365.com).
+
+1. Navigate to **Settings > Company profile > General**.
+
+ ![Generate Token Page](media/timeclock-365-provisioning-tutorial/generate-token-page.png)
+
+1. Scroll down to **Azure user synchronization**.Copy and save the **Azure AD token**. This value will be entered in the **Secret Token** * field in the Provisioning tab of your TimeClock 365 application in the Azure portal.
+
+ ![Generate Token](media/timeclock-365-provisioning-tutorial/generate-token.png)
+
+1. `https://live.timeclock365.com/scim` will be entered in the **Tenant URL** field in the Provisioning tab of your TimeClock 365 application in the Azure portal.
+
+## Step 3. Add TimeClock 365 from the Azure AD application gallery
+
+Add TimeClock 365 from the Azure AD application gallery to start managing provisioning to TimeClock 365. If you have previously setup TimeClock 365 for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* When assigning users and groups to TimeClock 365, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
++
+## Step 5. Configure automatic user provisioning to TimeClock 365
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TimeClock 365 based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for TimeClock 365 in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+1. In the applications list, select **TimeClock 365**.
+
+ ![The TimeClock 365 link in the Applications list](common/all-applications.png)
+
+1. Select the **Provisioning** tab.
+
+ ![Provisioning tab](common/provisioning.png)
+
+1. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Provisioning tab automatic](common/provisioning-automatic.png)
+
+1. In the **Admin Credentials** section, input your TimeClock 365 **Tenant URL** and **Secret Token**. Click **Test Connection** to ensure Azure AD can connect to TimeClock 365. If the connection fails , ensure your TimeClock 365 account has Admin permissions and try again.
+
+ ![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+1. Select **Save**.
+
+1. In the **Mappings** section, select **Synchronize Azure Active Directory Users to TimeClock 365**.
+
+1. Review the user attributes that are synchronized from Azure AD to TimeClock 365 in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in TimeClock 365 for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the TimeClock 365 API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for filtering|
+ ||||
+ |userName|String|&check;
+ |active|Boolean|
+ |displayName|String|
+ |emails[type eq "work"].value|String|
+ |externalId|String|
+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber|String|
+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|String|
+
+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+1. To enable the Azure AD provisioning service for TimeClock 365, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+1. Define the users and/or groups that you would like to provision to TimeClock 365 by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+1. When you are ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## More resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
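Review bot: Step 2 and step 5 disagree about what the connection is authenticated with. Step 2 has the admin copy the **Azure AD token** into the **Secret Token** field, yet the troubleshooting sentence in step 5 says to fix a failed **Test Connection** by checking that "your TimeClock 365 account has Admin permissions"; since the provisioning service authenticates to `https://live.timeclock365.com/scim` with the token and not with the admin's account, the remediation should point at the token value and the Tenant URL. Step 2 should also say that this token is a bearer secret that lets the holder create, update and disable every in-scope user, and how to regenerate it if it leaks (the screenshot alt text reads "Generate Token" while the text only says "Copy and save"). Smaller points: the introduction and step 5 promise to provision "users and groups", but the Capabilities list and the only mapping offered (**Synchronize Azure Active Directory Users to TimeClock 365**) cover users only; `**Secret Token** *` has a stray asterisk; "synchronization**.Copy" is missing a space; "fails , ensure" has a stray space; "Login to" should be "Log in to"; and the front matter above the title has collapsed into bare `+`, `++` and `na` lines, so the title line that `description:` normally follows is missing.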
active-directory Workboard Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/workboard-tutorial.md
Previously updated : 09/05/2019 Last updated : 07/21/2021
In this tutorial, you'll learn how to integrate WorkBoard with Azure Active Dire
* Enable your users to be automatically signed-in to WorkBoard with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* WorkBoard supports **SP and IDP** initiated SSO
+* WorkBoard supports **SP and IDP** initiated SSO.
-## Adding WorkBoard from the gallery
+## Add WorkBoard from the gallery
To configure the integration of WorkBoard into Azure AD, you need to add WorkBoard from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **WorkBoard** in the search box. 1. Select **WorkBoard** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for WorkBoard
+## Configure and test Azure AD SSO for WorkBoard
Configure and test Azure AD SSO with WorkBoard using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in WorkBoard.
-To configure and test Azure AD SSO with WorkBoard, complete the following building blocks:
+To configure and test Azure AD SSO with WorkBoard, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with WorkBoard, complete the following buildi
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **WorkBoard** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **WorkBoard** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://www.myworkboard.com/lib/php/simplesaml/www/module.php/saml/sp/metadata.php/<ENVIRONMENTNAME>`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **WorkBoard**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, you create a user called B.Simon in WorkBoard. Work with [Work
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to WorkBoard Sign on URL where you can initiate the login flow.
-When you click the WorkBoard tile in the Access Panel, you should be automatically signed in to the WorkBoard for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to WorkBoard Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the WorkBoard for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the WorkBoard tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the WorkBoard for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try WorkBoard with Azure AD](https://aad.portal.azure.com/)
+Once you configure WorkBoard you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
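Review bot: the apostrophe in "organizationΓÇÖs" on the last added line is a mojibake of a right single quote (UTF-8 bytes decoded as CP437) and should be a plain `'` before merge. In the same block, "WorkBoard Sign on URL" and "WorkBoard Sign-on URL" are both used; pick one spelling. "in the My Apps" and "about the My Apps" should drop the article ("in My Apps", "about My Apps").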
active-directory Zeroheight Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zeroheight-tutorial.md
Previously updated : 09/09/2020 Last updated : 07/21/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* zeroheight supports **SP** initiated SSO
+* zeroheight supports **SP** initiated SSO.
-## Adding zeroheight from the gallery
+## Add zeroheight from the gallery
To configure the integration of zeroheight into Azure AD, you need to add zeroheight from the gallery to your list of managed SaaS apps.
To configure the integration of zeroheight into Azure AD, you need to add zerohe
1. In the **Add from the gallery** section, type **zeroheight** in the search box. 1. Select **zeroheight** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for zeroheight Configure and test Azure AD SSO with zeroheight using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in zeroheight.
-To configure and test Azure AD SSO with zeroheight, complete the following building blocks:
+To configure and test Azure AD SSO with zeroheight, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **zeroheight** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
-
- a. In the **Sign on URL** text box, type the URL:
- `https://zeroheight.com/sso`
+1. On the **Basic SAML Configuration** section, perform the following steps:
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** text box, type a value using the following pattern:
`zeroheight:<CUSTOM_ID>`
- c. In the **Reply URL** text box, type a URL using the following pattern:
+ b. In the **Reply URL** text box, type a URL using the following pattern:
`https://zeroheight.com/sso/acs/<CUSTOM_ID>`
+ c. In the **Sign on URL** text box, type the URL:
+ `https://zeroheight.com/sso`
+ > [!NOTE] > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [zeroheight Client support team](mailto:support@zeroheight.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
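Review bot: changing "type a URL" to "type a value" for the Identifier is right, since `zeroheight:<CUSTOM_ID>` is an entity ID rather than a URL. The note that follows still says "Update these values with the actual Identifier and Reply URL" without mentioning that the Sign on URL `https://zeroheight.com/sso` is now presented as a fixed literal; tighten it to say that only the Identifier and Reply URL carry the tenant-specific `<CUSTOM_ID>` and that the Sign on URL is used as shown.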
In this section, you create a user called Britta Simon in zeroheight. Work with
In this section, you test your Azure AD single sign-on configuration with following options.
-1. Click on **Test this application** in Azure portal. This will redirect to zeroheight Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to zeroheight Sign-on URL where you can initiate the login flow.
-2. Go to zeroheight Sign-on URL directly and initiate the login flow from there.
+* Go to zeroheight Sign-on URL directly and initiate the login flow from there.
-3. You can use Microsoft Access Panel. When you click the zeroheight tile in the Access Panel, this will redirect to zeroheight Sign-on URL. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* You can use Microsoft My Apps. When you click the zeroheight tile in the My Apps, this will redirect to zeroheight Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next Steps
advisor Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/resource-graph-samples.md
+
+ Title: Azure Resource Graph sample queries for Azure Advisor
+description: Sample Azure Resource Graph queries for Azure Advisor showing use of resource types and tables to access Azure Advisor related resources and properties.
Last updated : 07/21/2021+++
+# Azure Resource Graph sample queries for Azure Advisor
+
+This page is a collection of [Azure Resource Graph](../governance/resource-graph/overview.md)
+sample queries for Azure Advisor. For a complete list of Azure Resource Graph samples, see
+[Resource Graph samples by Category](../governance/resource-graph/samples/samples-by-category.md)
+and [Resource Graph samples by Table](../governance/resource-graph/samples/samples-by-table.md).
+
+## Sample queries
++
+## Next steps
+
+- Learn more about the [query language](../governance/resource-graph/concepts/query-language.md).
+- Learn more about how to [explore resources](../governance/resource-graph/concepts/explore-resources.md).
+- See samples of [Starter language queries](../governance/resource-graph/samples/starter.md).
+- See samples of [Advanced language queries](../governance/resource-graph/samples/advanced.md).
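Review bot: the **Sample queries** section is empty as it appears here; the bare `++` under the heading looks like an include directive the diff view dropped. If the include is the only content of that section, confirm it resolves at build time, otherwise the page ships with an H2 that has no body and the "Resource Graph samples by Category" and "by Table" links are the only useful content.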
aks Internal Lb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/internal-lb.md
internal-app LoadBalancer 10.0.248.59 10.240.0.7 80:30555/TCP 2m
## Specify an IP address
-If you would like to use a specific IP address with the internal load balancer, add the *loadBalancerIP* property to the load balancer YAML manifest. In this scenario, the specified IP address must reside in the same subnet as the AKS cluster and must not already be assigned to a resource. For example, you shouldn't use an IP address in the range designated for the Kubernetes subnet.
+If you would like to use a specific IP address with the internal load balancer, add the *loadBalancerIP* property to the load balancer YAML manifest. In this scenario, the specified IP address must reside in the same subnet as the AKS cluster but can't already be assigned to a resource. For example, an IP address in the range designated for the Kubernetes subnet within the AKS cluster shouldn't be used.
```yaml apiVersion: v1
aks Support Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/support-policies.md
Although you can sign in to and change agent nodes, doing this operation is disc
## Network ports, access, and NSGs
-You may only customize the NSGs on custom subnets. You may not customize NSGs on managed subnets or at the NIC level of the agent nodes. AKS has egress requirements to specific endpoints, to control egress and ensure the necessary connectivity, see [limit egress traffic](limit-egress-traffic.md).
+You may only customize the NSGs on custom subnets. You may not customize NSGs on managed subnets or at the NIC level of the agent nodes. AKS has egress requirements to specific endpoints, to control egress and ensure the necessary connectivity, see [limit egress traffic](limit-egress-traffic.md). For ingress, the requirements are based on the applications you have deployed to cluster.
## Stopped or de-allocated clusters
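Review bot: the added sentence drops an article ("deployed to the cluster") and, as the only statement about ingress in this section, does not tell the reader what to do with it; spell out that AKS itself does not require any inbound rule on a custom subnet, so inbound NSG rules should be limited to what the deployed workloads (ingress controllers, `LoadBalancer` services) need. The preceding sentence also has a comma splice ("specific endpoints, to control egress") that should be a period or semicolon.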
aks Virtual Nodes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/virtual-nodes.md
This article gives you an overview of the region availability and networking req
## Regional availability
-All regions, where ACI supports VNET SKUs, are supported for virtual nodes deployments.
+All regions, where ACI supports VNET SKUs, are supported for virtual nodes deployments. For more details, see [Resource availability for Azure Container Instances in Azure regions](../container-instances/container-instances-region-availability.md).
For available CPU and Memory SKUs in each region, please check the [Azure Container Instances Resource availability for Azure Container Instances in Azure regions - Linux container groups](../container-instances/container-instances-region-availability.md#linux-container-groups)
api-management Api Management Howto Add Products https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-add-products.md
az apim product api delete --resource-group apim-hello-word-resource-group \
> [!TIP]
-> You can create or update a user's subscription to a product with custom subscription keys through a [REST API](/rest/api/apimanagement/2019-12-01/subscription/createorupdate) or PowerShell command.
+> You can create or update a user's subscription to a product with custom subscription keys through a [REST API](/rest/api/apimanagement/2020-12-01/subscription/create-or-update) or PowerShell command.
## Next steps
api-management Api Management Howto App Insights https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-app-insights.md
Before you can use Application Insights, you first need to create an instance of
:::image type="content" source="media/api-management-howto-app-insights/apim-app-insights-logger-2.png" alt-text="Screenshot that shows where to view the newly created Application Insights logger with instrumentation key"::: > [!NOTE]
-> Behind the scene, a [Logger](/rest/api/apimanagement/2019-12-01/logger/createorupdate) entity is created in your API Management instance, containing the Instrumentation Key of the Application Insights instance.
+> Behind the scene, a [Logger](/rest/api/apimanagement/2020-12-01/logger/create-or-update) entity is created in your API Management instance, containing the Instrumentation Key of the Application Insights instance.
## Enable Application Insights logging for your API
Before you can use Application Insights, you first need to create an instance of
> Overriding the default value **0** in the **Number of payload bytes to log** setting may significantly decrease the performance of your APIs. > [!NOTE]
-> Behind the scene, a [Diagnostic](/rest/api/apimanagement/2019-12-01/diagnostic/createorupdate) entity named 'applicationinsights' is created at the API level.
+> Behind the scene, a [Diagnostic](/rest/api/apimanagement/2020-12-01/diagnostic/create-or-update) entity named 'applicationinsights' is created at the API level.
| Setting name | Value type | Description | |-|--|--|
api-management Api Management Howto Disaster Recovery Backup Restore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-disaster-recovery-backup-restore.md
Replace `{tenant id}`, `{application id}`, and `{redirect uri}` using the follow
## Calling the backup and restore operations
-The REST APIs are [Api Management Service - Backup](/rest/api/apimanagement/2019-12-01/apimanagementservice/backup) and [Api Management Service - Restore](/rest/api/apimanagement/2019-12-01/apimanagementservice/restore).
+The REST APIs are [Api Management Service - Backup](/rest/api/apimanagement/2020-12-01/api-management-service/backup) and [Api Management Service - Restore](/rest/api/apimanagement/2020-12-01/api-management-service/restore).
Before calling the "backup and restore" operations described in the following sections, set the authorization request header for your REST call.
api-management Api Management Using With Vnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-using-with-vnet.md
Previously updated : 06/08/2021 Last updated : 07/23/2021
The IP Addresses are divided by **Azure Environment**. When allowing inbound req
|--|-|| | Azure Public| South Central US (Global)| 104.214.19.224| | Azure Public| North Central US (Global)| 52.162.110.80|
-| Azure Public| West Central US| 52.253.135.58|
-| Azure Public| Korea Central| 40.82.157.167|
-| Azure Public| UK West| 51.137.136.0|
-| Azure Public| Japan West| 40.81.185.8|
-| Azure Public| North Central US| 40.81.47.216|
-| Azure Public| UK South| 51.145.56.125|
-| Azure Public| West India| 40.81.89.24|
-| Azure Public| East US| 52.224.186.99|
-| Azure Public| West Europe| 51.145.179.78|
-| Azure Public| Japan East| 52.140.238.179|
-| Azure Public| France Central| 40.66.60.111|
-| Azure Public| Canada East| 52.139.80.117|
-| Azure Public| UAE North| 20.46.144.85|
+| Azure Public| Australia Central| 20.37.52.67|
+| Azure Public| Australia Central 2| 20.39.99.81|
+| Azure Public| Australia East| 20.40.125.155|
+| Azure Public| Australia Southeast| 20.40.160.107|
| Azure Public| Brazil South| 191.233.24.179| | Azure Public| Brazil Southeast| 191.232.18.181|
-| Azure Public| Southeast Asia| 40.90.185.46|
-| Azure Public| South Africa North| 102.133.130.197|
| Azure Public| Canada Central| 52.139.20.34|
-| Azure Public| Korea South| 40.80.232.185|
+| Azure Public| Canada East| 52.139.80.117|
| Azure Public| Central India| 13.71.49.1|
-| Azure Public| West US| 13.64.39.16|
-| Azure Public| Australia Southeast| 20.40.160.107|
-| Azure Public| Australia Central| 20.37.52.67|
-| Azure Public| South India| 20.44.33.246|
| Azure Public| Central US| 13.86.102.66|
-| Azure Public| Australia East| 20.40.125.155|
-| Azure Public| West US 2| 51.143.127.203|
-| Azure Public| West US 3| 20.150.167.160|
-| Azure Public| East US 2 EUAP| 52.253.229.253|
| Azure Public| Central US EUAP| 52.253.159.160|
-| Azure Public| South Central US| 20.188.77.119|
-| Azure Public| East US 2| 20.44.72.3|
-| Azure Public| North Europe| 52.142.95.35|
| Azure Public| East Asia| 52.139.152.27|
+| Azure Public| East US| 52.224.186.99|
+| Azure Public| East US 2| 20.44.72.3|
+| Azure Public| East US 2 EUAP| 52.253.229.253|
+| Azure Public| France Central| 40.66.60.111|
| Azure Public| France South| 20.39.80.2|
-| Azure Public| Switzerland West| 51.107.96.8|
-| Azure Public| Australia Central 2| 20.39.99.81|
-| Azure Public| UAE Central| 20.37.81.41|
-| Azure Public| Switzerland North| 51.107.0.91|
-| Azure Public| South Africa West| 102.133.0.79|
-| Azure Public| Germany West Central| 51.116.96.0|
| Azure Public| Germany North| 51.116.0.0|
+| Azure Public| Germany West Central| 51.116.96.0|
+| Azure Public| Japan East| 52.140.238.179|
+| Azure Public| Japan West| 40.81.185.8|
+| Azure Public| Jio India Central| 20.192.234.160|
+| Azure Public| Jio India West| 20.193.202.160|
+| Azure Public| Korea Central| 40.82.157.167|
+| Azure Public| Korea South| 40.80.232.185|
+| Azure Public| North Central US| 40.81.47.216|
+| Azure Public| North Europe| 52.142.95.35|
| Azure Public| Norway East| 51.120.2.185| | Azure Public| Norway West| 51.120.130.134|
+| Azure Public| South Africa North| 102.133.130.197|
+| Azure Public| South Africa West| 102.133.0.79|
+| Azure Public| South Central US| 20.188.77.119|
+| Azure Public| South India| 20.44.33.246|
+| Azure Public| Southeast Asia| 40.90.185.46|
+| Azure Public| Switzerland North| 51.107.0.91|
+| Azure Public| Switzerland West| 51.107.96.8|
+| Azure Public| UAE Central| 20.37.81.41|
+| Azure Public| UAE North| 20.46.144.85|
+| Azure Public| UK South| 51.145.56.125|
+| Azure Public| UK West| 51.137.136.0|
+| Azure Public| West Central US| 52.253.135.58|
+| Azure Public| West Europe| 51.145.179.78|
+| Azure Public| West India| 40.81.89.24|
+| Azure Public| West US| 13.64.39.16|
+| Azure Public| West US 2| 51.143.127.203|
+| Azure Public| West US 3| 20.150.167.160|
| Azure China 21Vianet| China North (Global)| 139.217.51.16| | Azure China 21Vianet| China East (Global)| 139.217.171.176| | Azure China 21Vianet| China North| 40.125.137.220|
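Review bot: this hunk is an alphabetical reorder plus two additions, and the reorder hides the additions. Cross-checking each removed `Region | IP` pair against the added rows, all 33 removed rows reappear unchanged elsewhere in the table, and the only new rows are Jio India Central 20.192.234.160 and Jio India West 20.193.202.160. Because readers copy these addresses into inbound NSG allow rules for the management endpoint, an addition that is buried in a reorder is easy to miss until an instance in one of those regions loses management connectivity; consider landing the reorder and the two new regions as separate commits, or adding a short line above the table that names the regions added on this date.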
api-management Developer Portal Deprecated Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/developer-portal-deprecated-migration.md
When you migrate from the deprecated portal, keep in mind the following changes:
- If you changed the default e-mail notification templates to include an explicitly defined deprecated portal URL, change them to either use the portal URL parameter or point to the new portal URL. If the templates use the built-in portal URL parameter instead, no changes are required. - *Issues* and *Applications* aren't supported in the new developer portal. - Direct integration with Facebook, Microsoft, Twitter, and Google as identity providers isn't supported in the new developer portal. You can integrate with those providers via Azure AD B2C.-- If you use delegation, change the return URL in your applications and use the [*Get Shared Access Token* API endpoint](/rest/api/apimanagement/2019-12-01/user/getsharedaccesstoken) instead of the *Generate SSO URL* endpoint.
+- If you use delegation, change the return URL in your applications and use the [*Get Shared Access Token* API endpoint](/rest/api/apimanagement/2020-12-01/user/get-shared-access-token) instead of the *Generate SSO URL* endpoint.
- If you use Azure AD as an identity provider: - Change the return URL in your application to point to the new developer portal domain.
When you migrate from the deprecated portal, keep in mind the following changes:
Learn more about the developer portal: - [Azure API Management developer portal overview](api-management-howto-developer-portal.md)-- [Access and customize the developer portal](api-management-howto-developer-portal-customize.md)
+- [Access and customize the developer portal](api-management-howto-developer-portal-customize.md)
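Review bot: the *Get Shared Access Token* link now points at the 2020-12-01 API version with the hyphenated slug `get-shared-access-token`, matching the same update to developer-portal-faq in this change set; the delegation bullet it sits in tells readers to switch from *Generate SSO URL* to this endpoint but not that the returned token is a user-specific credential (the FAQ hunk shows it being placed straight into `/signin-sso?token=...`), so a one-line pointer from this bullet to the FAQ's token section would close that gap.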
api-management Developer Portal Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/developer-portal-faq.md
Among other authentication methods, the developer portal supports single sign-on
https://contoso.com/signin-sso?token=[user-specific token] ``` ### Generate user tokens
-You can generate *user-specific tokens* (including admin tokens) using the [Get Shared Access Token](/rest/api/apimanagement/2019-12-01/user/getsharedaccesstoken) operation of the [API Management REST API](/rest/api/apimanagement/apimanagementrest/api-management-rest).
+You can generate *user-specific tokens* (including admin tokens) using the [Get Shared Access Token](/rest/api/apimanagement/2020-12-01/user/get-shared-access-token) operation of the [API Management REST API](/rest/api/apimanagement/apimanagementrest/api-management-rest).
> [!NOTE] > The token must be URL-encoded.
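Review bot: the version bump and new slug are consistent with the migration doc, but the NOTE under this paragraph says only that the token must be URL-encoded; since the paragraph states that admin tokens can be generated this way, the NOTE is the natural place to add that a token minted for the admin user is an admin credential for its validity period and should be issued with a short expiry and kept out of logs. If that is covered elsewhere on the page, a link is enough.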
api-management Import Function App As Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/import-function-app-as-api.md
Import of an Azure Function App automatically generates:
* Host key inside the Function App with the name apim-{*your Azure API Management service instance name*}, * Named value inside the Azure API Management instance with the name {*your Azure Function App instance name*}-key, which contains the created host key.
-For APIs created after April 4th 2019, the host key is passed in HTTP requests from API Management to the Function App in a header. Older APIs pass the host key as [a query parameter](../azure-functions/functions-bindings-http-webhook-trigger.md#api-key-authorization). You can change this behavior through the `PATCH Backend` [REST API call](/rest/api/apimanagement/2019-12-01/backend/update#backendcredentialscontract) on the *Backend* entity associated with the Function App.
+For APIs created after April 4th 2019, the host key is passed in HTTP requests from API Management to the Function App in a header. Older APIs pass the host key as [a query parameter](../azure-functions/functions-bindings-http-webhook-trigger.md#api-key-authorization). You can change this behavior through the `PATCH Backend` [REST API call](/rest/api/apimanagement/2020-12-01/backend/update#backendcredentialscontract) on the *Backend* entity associated with the Function App.
> [!WARNING] > Removing or changing either the Azure Function App host key value or the Azure API Management named value will break the communication between the services. The values do not sync automatically.
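Review bot: the REST API version in the `PATCH Backend` link (2019-12-01 to 2020-12-01) is the only change and is fine, but the paragraph it sits in still leaves readers with two behaviors (header for APIs created after April 4th 2019, query parameter for older ones) and no recommendation; consider adding a sentence that older APIs should be moved to the header via that PATCH call, since the text already gives the mechanism. The WARNING below it about the host key and named value not syncing is still accurate and should stay adjacent.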
app-service Overview Hosting Plans https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-hosting-plans.md
In App Service (Web Apps, API Apps, or Mobile Apps), an app always runs in an _A
When you create an App Service plan in a certain region (for example, West Europe), a set of compute resources is created for that plan in that region. Whatever apps you put into this App Service plan run on these compute resources as defined by your App Service plan. Each App Service plan defines:
+- Operating System (Windows, Linux)
- Region (West US, East US, etc.) - Number of VM instances - Size of VM instances (Small, Medium, Large) - Pricing tier (Free, Shared, Basic, Standard, Premium, PremiumV2, PremiumV3, Isolated)
-The _pricing tier_ of an App Service plan determines what App Service features you get and how much you pay for the plan. There are a few categories of pricing tiers:
+The _pricing tier_ of an App Service plan determines what App Service features you get and how much you pay for the plan. The pricing tiers available to your App Service plan depend on the operating system selected at creation time. There are a few categories of pricing tiers:
- **Shared compute**: **Free** and **Shared**, the two base tiers, runs an app on the same Azure VM as other App Service apps, including apps of other customers. These tiers allocate CPU quotas to each app that runs on the shared resources, and the resources cannot scale out. - **Dedicated compute**: The **Basic**, **Standard**, **Premium**, **PremiumV2**, and **PremiumV3** tiers run apps on dedicated Azure VMs. Only apps in the same App Service plan share the same compute resources. The higher the tier, the more VM instances are available to you for scale-out.
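Review bot: the new sentence "The pricing tiers available to your App Service plan depend on the operating system selected at creation time" states a dependency without saying what it is; since the bullets that follow list Free, Shared, Basic, Standard, Premium, PremiumV2, PremiumV3 and Isolated without any OS qualifier, either name here which tiers are OS-specific or link to the page that does. Minor: the new "Operating System (Windows, Linux)" item and the existing "Region (West US, East US, etc.)" item use different parenthetical styles; keep them in one form.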
automation Add User Assigned Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/add-user-assigned-identity.md
If you don't have an Azure subscription, create a [free account](https://azure.m
- A system-assigned managed identity. For instructions, see [Using a system-assigned managed identity for an Azure Automation account (preview)](enable-managed-identity-for-automation.md). -- A user-assigned managed identity. For instructions, see [Create a user-assigned managed identity](/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal#create-a-user-assigned-managed-identity).
+- A user-assigned managed identity. For instructions, see [Create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md#create-a-user-assigned-managed-identity).
- The user-assigned managed identity and the target Azure resources that your runbook manages using that identity must be in the same Azure subscription.
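Review bot: the relative `../active-directory/...how-to-manage-ua-identity-portal.md#...` form is the right fix, matching the other links in this file, and the root-relative `/active-directory/...` form without `.md` it replaces is the same defect this change set corrects in automation-security-overview; a repo-wide search for `](/active-directory/` would catch any remaining copies rather than fixing them one PR at a time.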
automation Automation Hybrid Runbook Worker https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-hybrid-runbook-worker.md
Title: Azure Automation Hybrid Runbook Worker overview
description: This article provides an overview of the Hybrid Runbook Worker, which you can use to run runbooks on machines in your local datacenter or cloud provider. Previously updated : 01/22/2021 Last updated : 07/22/2021 + # Hybrid Runbook Worker overview Runbooks in Azure Automation might not have access to resources in other clouds or in your on-premises environment because they run on the Azure cloud platform. You can use the Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on the machine that's hosting the role and against resources in the environment to manage those local resources. Runbooks are stored and managed in Azure Automation and then delivered to one or more assigned machines.
A Hybrid Runbook Worker can run on either the Windows or the Linux operating sys
When Azure Automation [Update Management](./update-management/overview.md) is enabled, any machine connected to your Log Analytics workspace is automatically configured as a system Hybrid Runbook Worker. To configure it as a user Windows Hybrid Runbook Worker, see [Deploy a Windows Hybrid Runbook Worker](automation-windows-hrw-install.md) and for Linux, see [Deploy a Linux Hybrid Runbook Worker](automation-linux-hrw-install.md).
+## Runbook Worker limits
+
+The following table shows the maximum number of system and user hybrid runbook workers in an Automation account. If you have more than 4,000 machines to manage, we recommend creating another Automation account.
+
+|Worker type| Maximum number supported per Automation Account.|
+|||
+|System|4000|
+|User |4000|
+ ## How does it work? ![Hybrid Runbook Worker overview](media/automation-hybrid-runbook-worker/automation.png)
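Review bot: the separator row in the new "Runbook Worker limits" table is `|||`, which is not a valid markdown header separator (it needs dashes, as in `|---|---|`), so the table is likely to render as plain text; while fixing it, drop the trailing period in the header cell "Maximum number supported per Automation Account." and the stray space in the "User " cell.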
In addition to the standard addresses and ports required for the Hybrid Runbook
You can run [Azure Automation State Configuration](automation-dsc-overview.md) on a Hybrid Runbook Worker. To manage the configuration of servers that support the Hybrid Runbook Worker, you must add the servers as DSC nodes. See [Enable machines for management by Azure Automation State Configuration](automation-dsc-onboarding.md).
-## Runbook Worker limits
-
-The maximum number of Hybrid Worker groups per Automation Account is 4000, and is applicable for both system & user hybrid workers. If you have more than 4,000 machines to manage, we recommend creating another Automation account.
- ## Runbooks on a Hybrid Runbook Worker You might have runbooks that manage resources on the local machine or run against resources in the local environment where a user Hybrid Runbook Worker is deployed. In this case, you can choose to run your runbooks on the hybrid worker instead of in an Automation account. Runbooks run on a Hybrid Runbook Worker are identical in structure to those that you run in the Automation account. See [Run runbooks on a Hybrid Runbook Worker](automation-hrw-run-runbooks.md).
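Review bot: the removed paragraph stated the 4000 limit as "Hybrid Worker groups per Automation Account", while the replacement table earlier in this file states it as a maximum number of system and user hybrid runbook workers; a worker and a worker group are different objects, so confirm which one the limit applies to (and say so if it is both), because readers sizing an account will hit a different ceiling depending on the reading. Moving the section above "How does it work?" is fine.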
automation Automation Security Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-security-overview.md
An Automation account can be granted two types of identities:
- A user-assigned identity is a standalone Azure resource that can be assigned to your app. An app can have multiple user-assigned identities. > [!NOTE]
-> User assigned identities are supported for cloud jobs only. To learn more about the different managed identities, see [Manage identity types](/active-directory/managed-identities-azure-resources/overview.md#managed-identity-types).
+> User assigned identities are supported for cloud jobs only. To learn more about the different managed identities, see [Manage identity types](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types).
For details on using managed identities, see [Enable managed identity for Azure Automation (preview)](enable-managed-identity-for-automation.md).
For runbooks that use Hybrid Runbook Workers on Azure VMs, you can use [runbook
* To create an Automation account from the Azure portal, see [Create a standalone Azure Automation account](automation-create-standalone-account.md). * If you prefer to create your account using a template, see [Create an Automation account using an Azure Resource Manager template](quickstart-create-automation-account-template.md). * For authentication using Amazon Web Services, see [Authenticate runbooks with Amazon Web Services](automation-config-aws-account.md).
-* For a list of Azure services that support the managed identities for Azure resources feature, see [Services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md).
+* For a list of Azure services that support the managed identities for Azure resources feature, see [Services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md).
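Review bot: the final `-`/`+` pair for the "Services that support managed identities" bullet shows no visible difference, so it is most likely a whitespace-only edit; fine to keep, but worth confirming nothing was dropped. The NOTE link fix to `../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types` mirrors the one in add-user-assigned-identity and is correct; the NOTE's statement that user-assigned identities are supported for cloud jobs only is unchanged and remains the key caveat for anyone planning to use one from a Hybrid Runbook Worker.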
automation Quickstart Create Automation Account Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/quickstart-create-automation-account-template.md
description: This quickstart shows how to create an Automation account by using the Azure Resource Manager template. Previously updated : 01/07/2021 Last updated : 07/20/2021
If you're new to Azure Automation and Azure Monitor, it's important that you und
2. Enter the values.
+ When you attempt to run the ARM template from PowerShell, CLI, or the Templates feature in the portal, if the `_artifactsLocation` parameter is not properly set, you will receive an error message similar to the following:
+
+ `"message": "Deployment template validation failed: 'The template resource '_artifactsLocation' at line '96' and column '31' is not valid: The language expression property 'templateLink' doesn't exist, available properties are 'template, templateHash, parameters, mode, debugSetting, provisioningState'.. Please see https://aka.ms/arm-template-expressions for usage details.'."`
+
+ To prevent this, when running from the Templates feature in the portal, specify the following for the `_artifactsLocation` parameter - `https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/azuredeploy.json`.
+
+ When you run from PowerShell, include the parameter and its value `-TemplateUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/azuredeploy.json`.
+
+ When you run from Azure CLI, include the parameter and its value - `--template-uri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/azuredeploy.json`.
+
+ For reference about PowerShell/CLI, see the following - [Create Azure Automation account (microsoft.com)](https://azure.microsoft.com/resources/templates/101-automation/) under the **Use the template** section.
+ 3. The deployment can take a few minutes to finish. When completed, the output is similar to the following: ![Example result when deployment is complete](media/quickstart-create-automation-account-template/template-output.png)
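Review bot: the new guidance gives two different remedies for the same `_artifactsLocation` error without saying they are alternatives: for the portal it sets `_artifactsLocation` to the azuredeploy.json URL, while for PowerShell and CLI it changes the template source itself to `-TemplateUri` / `--template-uri`, which makes `deployment().properties.templateLink` exist (the quoted error says that property is missing) and lets the parameter keep its default. Say that explicitly, or show the parameter form for PowerShell and CLI as well, because enable-from-template in this same change set uses `-TemplateFile` plus `-_artifactsLocation` and readers comparing the two pages will wonder which is correct (both are). Also check the quoted error text, which ends with `.. Please see`; keep it verbatim only if that is what the service returns.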
automation Enable From Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/enable-from-template.md
If you're new to Azure Automation and Azure Monitor, it's important that you und
```json {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "workspaceName": {
- "type": "string",
- "metadata": {
- "description": "Workspace name"
- }
- },
- "sku": {
- "type": "string",
- "allowedValues": [
- "pergb2018",
- "Free",
- "Standalone",
- "PerNode",
- "Standard",
- "Premium"
- ],
- "defaultValue": "pergb2018",
- "metadata": {
- "description": "Pricing tier: perGB2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium), which are not available to all customers."
- }
- },
- "dataRetention": {
- "type": "int",
- "defaultValue": 30,
- "minValue": 7,
- "maxValue": 730,
- "metadata": {
- "description": "Number of days to retain data."
- }
- },
- "location": {
- "type": "string",
- "defaultValue": "[resourceGroup().location]",
- "metadata": {
- "description": "Specifies the location in which to create the workspace."
- }
- },
- "automationAccountName": {
- "type": "string",
- "metadata": {
- "description": "Automation account name"
- }
- },
- "automationAccountLocation": {
- "type": "string",
- "metadata": {
- "description": "Specifies the location in which to create the Automation account."
- }
- },
- "sampleGraphicalRunbookName": {
- "type": "String",
- "defaultValue": "AzureAutomationTutorial"
- },
- "sampleGraphicalRunbookDescription": {
- "type": "String",
- "defaultValue": " An example runbook that gets all the Resource Manager resources by using the Run As account (service principal)."
- },
- "samplePowerShellRunbookName": {
- "type": "String",
- "defaultValue": "AzureAutomationTutorialScript"
- },
- "samplePowerShellRunbookDescription": {
- "type": "String",
- "defaultValue": " An example runbook that gets all the Resource Manager resources by using the Run As account (service principal)."
- },
- "samplePython2RunbookName": {
- "type": "String",
- "defaultValue": "AzureAutomationTutorialPython2"
- },
- "samplePython2RunbookDescription": {
- "type": "String",
- "defaultValue": " An example runbook that gets all the Resource Manager resources by using the Run As account (service principal)."
- },
- "_artifactsLocation": {
- "type": "string",
- "defaultValue": "[deployment().properties.templateLink.uri]",
- "metadata": {
- "description": "URI to artifacts location"
- }
- },
- "_artifactsLocationSasToken": {
- "type": "securestring",
- "defaultValue": "",
- "metadata": {
- "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated"
- }
- }
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name"
+ }
+ },
+ "sku": {
+ "type": "string",
+ "defaultValue": "pergb2018",
+ "allowedValues": [
+ "pergb2018",
+ "Free",
+ "Standalone",
+ "PerNode",
+ "Standard",
+ "Premium"
+ ],
+ "metadata": {
+ "description": "Pricing tier: perGB2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium), which are not available to all customers."
+ }
},
- "variables": {
+ "dataRetention": {
+ "type": "int",
+ "defaultValue": 30,
+ "minValue": 7,
+ "maxValue": 730,
+ "metadata": {
+ "description": "Number of days to retain data."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Specifies the location in which to create the workspace."
+ }
+ },
+ "automationAccountName": {
+ "type": "string",
+ "metadata": {
+ "description": "Automation account name"
+ }
+ },
+ "sampleGraphicalRunbookName": {
+ "type": "String",
+ "defaultValue": "AzureAutomationTutorial"
+ },
+ "sampleGraphicalRunbookDescription": {
+ "type": "String",
+ "defaultValue": "An example runbook that gets all the Resource Manager resources by using the Run As account (service principal)."
+ },
+ "samplePowerShellRunbookName": {
+ "type": "String",
+ "defaultValue": "AzureAutomationTutorialScript"
+ },
+ "samplePowerShellRunbookDescription": {
+ "type": "String",
+ "defaultValue": "An example runbook that gets all the Resource Manager resources by using the Run As account (service principal)."
+ },
+ "samplePython2RunbookName": {
+ "type": "String",
+ "defaultValue": "AzureAutomationTutorialPython2"
+ },
+ "samplePython2RunbookDescription": {
+ "type": "String",
+ "defaultValue": "An example runbook that gets all the Resource Manager resources by using the Run As account (service principal)."
+ },
+ "_artifactsLocation": {
+ "type": "string",
+ "defaultValue": "[deployment().properties.templateLink.uri]",
+ "metadata": {
+ "description": "URI to artifacts location"
+ }
+ },
+ "_artifactsLocationSasToken": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated"
+ }
+ }
+ },
+ "variables": {
"Updates": { "name": "[concat('Updates', '(', parameters('workspaceName'), ')')]", "galleryName": "Updates" }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2020-08-01",
+ "name": "[parameters('workspaceName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "sku": {
+ "name": "[parameters('sku')]"
+ },
+ "retentionInDays": "[parameters('dataRetention')]",
+ "features": {
+ "searchVersion": 1,
+ "legacy": 0
+ }
+ }
},
- "resources": [
+ {
+ "apiVersion": "2015-11-01-preview",
+ "location": "[parameters('location')]",
+ "name": "[variables('Updates').name]",
+ "type": "Microsoft.OperationsManagement/solutions",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.OperationsManagement/solutions/', variables('Updates').name)]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+ ],
+ "properties": {
+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+ },
+ "plan": {
+ "name": "[variables('Updates').name]",
+ "publisher": "Microsoft",
+ "promotionCode": "",
+ "product": "[concat('OMSGallery/', variables('Updates').galleryName)]"
+ }
+ },
+ {
+ "type": "Microsoft.Automation/automationAccounts",
+ "apiVersion": "2020-01-13-preview",
+ "name": "[parameters('automationAccountName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[parameters('workspaceName')]"
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "sku": {
+ "name": "Basic"
+ }
+ },
+ "resources": [
{
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2020-03-01-preview",
- "name": "[parameters('workspaceName')]",
- "location": "[parameters('location')]",
- "properties": {
- "sku": {
- "name": "[parameters('sku')]"
- },
- "retentionInDays": "[parameters('dataRetention')]",
- "features": {
- "searchVersion": 1,
- "legacy": 0
- }
+ "type": "runbooks",
+ "apiVersion": "2020-01-13-preview",
+ "name": "[parameters('sampleGraphicalRunbookName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[parameters('automationAccountName')]"
+ ],
+ "properties": {
+ "runbookType": "GraphPowerShell",
+ "logProgress": "false",
+ "logVerbose": "false",
+ "description": "[parameters('sampleGraphicalRunbookDescription')]",
+ "publishContentLink": {
+ "uri": "[uri(parameters('_artifactsLocation'), concat('scripts/AzureAutomationTutorial.graphrunbook', parameters('_artifactsLocationSasToken')))]",
+ "version": "1.0.0.0"
}
+ }
}, {
- "apiVersion": "2015-11-01-preview",
- "location": "[parameters('location')]",
- "name": "[variables('Updates').name]",
- "type": "Microsoft.OperationsManagement/solutions",
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.OperationsManagement/solutions/', variables('Updates').name)]",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
- ],
- "properties": {
- "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
- },
- "plan": {
- "name": "[variables('Updates').name]",
- "publisher": "Microsoft",
- "promotionCode": "",
- "product": "[concat('OMSGallery/', variables('Updates').galleryName)]"
+ "type": "runbooks",
+ "apiVersion": "2020-01-13-preview",
+ "name": "[parameters('samplePowerShellRunbookName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[parameters('automationAccountName')]"
+ ],
+ "properties": {
+ "runbookType": "PowerShell",
+ "logProgress": "false",
+ "logVerbose": "false",
+ "description": "[parameters('samplePowerShellRunbookDescription')]",
+ "publishContentLink": {
+ "uri": "[uri(parameters('_artifactsLocation'), concat('scripts/AzureAutomationTutorial.ps1', parameters('_artifactsLocationSasToken')))]",
+ "version": "1.0.0.0"
}
+ }
}, {
- "type": "Microsoft.Automation/automationAccounts",
- "apiVersion": "2020-01-13-preview",
- "name": "[parameters('automationAccountName')]",
- "location": "[parameters('automationAccountLocation')]",
- "dependsOn": [
- "[parameters('workspaceName')]"
- ],
- "properties": {
- "sku": {
- "name": "Basic"
- }
- },
- "resources": [
- {
- "type": "runbooks",
- "apiVersion": "2018-06-30",
- "name": "[parameters('sampleGraphicalRunbookName')]",
- "location": "[parameters('automationAccountLocation')]",
- "dependsOn": [
- "[parameters('automationAccountName')]"
- ],
- "properties": {
- "runbookType": "GraphPowerShell",
- "logProgress": "false",
- "logVerbose": "false",
- "description": "[parameters('sampleGraphicalRunbookDescription')]",
- "publishContentLink": {
- "uri": "[uri(parameters('_artifactsLocation'), concat('scripts/AzureAutomationTutorial.graphrunbook', parameters('_artifactsLocationSasToken')))]",
- "version": "1.0.0.0"
- }
- }
- },
- {
- "type": "runbooks",
- "apiVersion": "2018-06-30",
- "name": "[parameters('samplePowerShellRunbookName')]",
- "location": "[parameters('automationAccountLocation')]",
- "dependsOn": [
- "[parameters('automationAccountName')]"
- ],
- "properties": {
- "runbookType": "PowerShell",
- "logProgress": "false",
- "logVerbose": "false",
- "description": "[parameters('samplePowerShellRunbookDescription')]",
- "publishContentLink": {
- "uri": "[uri(parameters('_artifactsLocation'), concat('scripts/AzureAutomationTutorial.ps1', parameters('_artifactsLocationSasToken')))]",
- "version": "1.0.0.0"
- }
- }
- },
- {
- "type": "runbooks",
- "apiVersion": "2018-06-30",
- "name": "[parameters('samplePython2RunbookName')]",
- "location": "[parameters('automationAccountLocation')]",
- "dependsOn": [
- "[parameters('automationAccountName')]"
- ],
- "properties": {
- "runbookType": "Python2",
- "logProgress": "false",
- "logVerbose": "false",
- "description": "[parameters('samplePython2RunbookDescription')]",
- "publishContentLink": {
- "uri": "[uri(parameters('_artifactsLocation'), concat('scripts/AzureAutomationTutorialPython2.py', parameters('_artifactsLocationSasToken')))]",
- "version": "1.0.0.0"
- }
- }
- }
- ]
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/linkedServices",
- "apiVersion": "2020-03-01-preview",
- "name": "[concat(parameters('workspaceName'), '/' , 'Automation')]",
- "location": "[parameters('location')]",
- "dependsOn": [
- "[parameters('workspaceName')]",
- "[parameters('automationAccountName')]"
- ],
- "properties": {
- "resourceId": "[resourceId('Microsoft.Automation/automationAccounts', parameters('automationAccountName'))]"
+ "type": "runbooks",
+ "apiVersion": "2020-01-13-preview",
+ "name": "[parameters('samplePython2RunbookName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[parameters('automationAccountName')]"
+ ],
+ "properties": {
+ "runbookType": "Python2",
+ "logProgress": "false",
+ "logVerbose": "false",
+ "description": "[parameters('samplePython2RunbookDescription')]",
+ "publishContentLink": {
+ "uri": "[uri(parameters('_artifactsLocation'), concat('scripts/AzureAutomationTutorialPython2.py', parameters('_artifactsLocationSasToken')))]",
+ "version": "1.0.0.0"
}
+ }
}
- ]
+ ]
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/linkedServices",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('workspaceName'), '/' , 'Automation')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[parameters('workspaceName')]",
+ "[parameters('automationAccountName')]"
+ ],
+ "properties": {
+ "resourceId": "[resourceId('Microsoft.Automation/automationAccounts', parameters('automationAccountName'))]"
+ }
+ }
+ ]
} ```
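Review bot: the Automation account resource now carries `"identity": { "type": "SystemAssigned" }`, which creates a managed identity on every deployment of this template, but nothing in the hunk assigns it a role or mentions it, so the surrounding text should state that the identity is created, that it has no permissions until a role is assigned, and what it is for. Two other changes also deserve a sentence in the doc: the `automationAccountLocation` parameter is gone, so the Automation account now deploys into `parameters('location')` with the workspace and parameter files that still pass `automationAccountLocation` will fail validation; and the runbook and linkedServices apiVersions moved to 2020-01-13-preview and 2020-08-01. Pre-existing but worth a look while here: `logProgress` and `logVerbose` are the strings "false" rather than booleans, and `_artifactsLocationSasToken` is a `securestring` that is concatenated into `publishContentLink.uri`, so the token ends up in the deployed runbook's content link.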
If you're new to Azure Automation and Azure Monitor, it's important that you und
**PowerShell** ```powershell
- New-AzResourceGroupDeployment -Name <deployment-name> -ResourceGroupName <resource-group-name> -TemplateFile deployUMSolutiontemplate.json
+ New-AzResourceGroupDeployment `
+ -Name <deployment-name> `
+ -ResourceGroupName <resource-group-name> `
+ -TemplateFile deployUMSolutiontemplate.json `
+ -_artifactsLocation "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/azuredeploy.json"
``` **Azure CLI** ```azurecli
- az deployment group create --resource-group <my-resource-group> --name <my-deployment-name> --template-file deployUMSolutiontemplate.json
+ az deployment group create --resource-group <my-resource-group> --name <my-deployment-name> --template-file deployUMSolutiontemplate.json --parameters _artifactsLocation="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/azuredeploy.json"
``` The deployment can take a few minutes to complete. When it finishes, you see a message similar to the following that includes the result:
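Review bot: passing `_artifactsLocation` explicitly alongside `-TemplateFile` avoids the `templateLink` error, whereas the quickstart in this same change set tells readers to switch to `-TemplateUri` / `--template-uri` instead; either works, but the two pages should agree or say both do. In the PowerShell snippet `-_artifactsLocation` is a dynamic parameter that exists only because the template declares it, so a short comment saying so would help readers who cannot tab-complete it. The CLI form `--parameters _artifactsLocation="..."` is correct.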
azure-app-configuration Pull Key Value Devops Pipeline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/pull-key-value-devops-pipeline.md
Title: Pull settingsfromo App Configuration with Azure Pipelines
+ Title: Pull settings to App Configuration with Azure Pipelines
description: Learn to use Azure Pipelines to pull key-values to an App Configuration Store
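Review bot: the title fix removes the garbled "settingsfromo", but "Pull settings to App Configuration" reads oddly, since pulling is from a source; if the task copies key-values out of the store into pipeline variables the title should say "from", and if it writes into the store the verb should be "Push". The description on the next line ("pull key-values to an App Configuration Store") has the same ambiguity, so fix both together.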
azure-arc Create Data Controller Direct Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-data-controller-direct-azure-portal.md
This article describes how to deploy the Azure Arc data controller in direct con
Before you begin, verify that you have completed the prerequisites in [Deploy data controller - direct connect mode - prerequisites](create-data-controller-direct-prerequisites.md).
+>[!NOTE]
+>You first need to deploy an Arc enabled Kubernetes data services extension usign the Azure CLI.
+>
+>```azurecli
+>az k8s-extension create -c "{connected_cluster_name}" -g "{resource_group_name}" --name "arcdataservices" --cluster-type "connectedClusters" --extension-type "microsoft.arcdataservices" --scope "cluster" --release-namespace {namespace} --config "Microsoft.CustomLocation.ServiceAccount=sa-bootstrapper"
+>```
++ ## Deploy Azure Arc data controller Azure Arc data controller create flow can be launched from the Azure portal in one of the following ways:
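Review bot: "usign" in the new NOTE should be "using". The `az k8s-extension create` command quotes its placeholders inconsistently (`"{connected_cluster_name}"` and `"{resource_group_name}"` are quoted, `--release-namespace {namespace}` is not); quote them the same way, and add a sentence on what `Microsoft.CustomLocation.ServiceAccount=sa-bootstrapper` configures, since readers are asked to run the command before the deployment steps that depend on it.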
azure-arc Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/resource-graph-samples.md
+
+ Title: Azure Resource Graph sample queries for Azure Arc-enabled Kubernetes
+description: Sample Azure Resource Graph queries for Azure Arc-enabled Kubernetes showing use of resource types and tables to access Azure Arc-enabled Kubernetes related resources and properties.
Last updated : 07/21/2021++++++
+# Azure Resource Graph sample queries for Azure Arc-enabled Kubernetes
+
+This page is a collection of [Azure Resource Graph](../../governance/resource-graph/overview.md)
+sample queries for Azure Arc-enabled Kubernetes. For a complete list of Azure Resource Graph
+samples, see
+[Resource Graph samples by Category](../../governance/resource-graph/samples/samples-by-category.md)
+and [Resource Graph samples by Table](../../governance/resource-graph/samples/samples-by-table.md).
+
+## Sample queries
++
+## Next steps
+
+- Learn more about the [query language](../../governance/resource-graph/concepts/query-language.md).
+- Learn more about how to [explore resources](../../governance/resource-graph/concepts/explore-resources.md).
+- See samples of [Starter language queries](../../governance/resource-graph/samples/starter.md).
+- See samples of [Advanced language queries](../../governance/resource-graph/samples/advanced.md).
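Review bot: the `## Sample queries` section is empty in this hunk (only a `++` line follows it), so either the include that supplies the queries was dropped from the diff or the page ships with an empty section; confirm before merge. The front matter also shows `Last updated : 07/21/2021++++++`, which looks like several metadata lines collapsed together; check they survived intact.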
azure-arc Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/resource-graph-samples.md
+
+ Title: Azure Resource Graph sample queries for Azure Arc
+description: Sample Azure Resource Graph queries for Azure Arc showing use of resource types and tables to access Azure Arc related resources and properties.
Last updated : 07/21/2021+++
+# Azure Resource Graph sample queries for Azure Arc
+
+This page is a collection of [Azure Resource Graph](../governance/resource-graph/overview.md) sample
+queries for Azure Arc. For a complete list of Azure Resource Graph samples, see
+[Resource Graph samples by Category](../governance/resource-graph/samples/samples-by-category.md)
+and [Resource Graph samples by Table](../governance/resource-graph/samples/samples-by-table.md).
+
+## Sample queries
++
+## Next steps
+
+- Learn more about the [query language](../governance/resource-graph/concepts/query-language.md).
+- Learn more about how to [explore resources](../governance/resource-graph/concepts/explore-resources.md).
+- See samples of [Starter language queries](../governance/resource-graph/samples/starter.md).
+- See samples of [Advanced language queries](../governance/resource-graph/samples/advanced.md).
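Review bot: same issue as the Kubernetes variant of this page in this change set: `## Sample queries` has no content between the heading and `## Next steps`, so verify the include resolves, and check the `Last updated : 07/21/2021+++` front matter, which appears to have lost its line breaks.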
azure-arc Agent Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/agent-overview.md
Arc-enabled servers Connected Machine agent is designed to manage agent and syst
- The Extension Service agent is limited to use up to 5% of the CPU. - This only applies to install/uninstall/upgrade operations. Once installed, extensions are responsible for their own resource utilization and the 5% CPU limit does not apply.
- - The Log Analytics agent and Azure Monitor Agent is allowed to use up to 60% of the CPU during their install/upgrade/uninstall operations on Red Hat Linux, CentOS, and other enterprise Linux variants. The limit is higher for this combination of extensions and operating systems to accommodate the performance impact of [SELinux](https://www.redhat.com/topics/linux/what-is-selinux) on these systems.
+ - The Log Analytics agent and Azure Monitor Agent is allowed to use up to 60% of the CPU during their install/upgrade/uninstall operations on Red Hat Linux, CentOS, and other enterprise Linux variants. The limit is higher for this combination of extensions and operating systems to accommodate the performance impact of [SELinux](https://www.redhat.com/en/topics/linux/what-is-selinux) on these systems.
## Next steps
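Review bot: subject-verb agreement is wrong in the changed line: "The Log Analytics agent and Azure Monitor Agent is allowed to use up to 60% of the CPU" has a compound subject, so it should read "are allowed". The hunk only swaps the SELinux link for the `/en/` path, but since the line is already touched, correct the verb in the same change.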
azure-functions Durable Functions Error Handling https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/durable/durable-functions-error-handling.md
Invoke-DurableActivity -FunctionName 'FlakyFunction' -RetryOptions $retryOptions
The activity function call in the previous example takes a parameter for configuring an automatic retry policy. There are several options for customizing the automatic retry policy:
-* **Max number of attempts**: The maximum number of retry attempts.
+* **Max number of attempts**: The maximum number of attempts. If set to 1, there will be no retry.
* **First retry interval**: The amount of time to wait before the first retry attempt. * **Backoff coefficient**: The coefficient used to determine rate of increase of backoff. Defaults to 1. * **Max retry interval**: The maximum amount of time to wait in between retry attempts.
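Review bot: the new wording for **Max number of attempts** leaves it ambiguous whether the count includes the initial call; the added sentence "If set to 1, there will be no retry" implies that it does, so say so directly, for example "The maximum number of attempts, including the first call. Setting it to 1 disables retries." That also makes the option consistent with **First retry interval** and **Max retry interval** in the surrounding list, which count retries rather than attempts.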
azure-functions Streaming Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/streaming-logs.md
Title: Stream execution logs in Azure Functions
-description: 115-145 characters including spaces. This abstract displays in the search result.
+description: Learn how you can stream logs for functions in near real time.
Last updated 9/1/2020
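Review bot: the placeholder being replaced itself specified a description length of 115-145 characters for the search-result abstract, but the new description "Learn how you can stream logs for functions in near real time." is 62 characters. Either expand it to the stated range (naming what the article covers, such as the portal and Core Tools options) or confirm that the length guideline no longer applies before merging.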
azure-government Azure Secure Isolation Guidance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/azure-secure-isolation-guidance.md
Previously updated : 03/04/2021 Last updated : 07/22/2021 # Azure guidance for secure isolation
A brief summary of isolation approaches is provided below.
- **User access controls with authentication and identity separation** ΓÇô All data in Azure irrespective of the type or storage location is associated with a subscription. A cloud tenant can be viewed as a dedicated instance of Azure Active Directory (Azure AD) that customer organization receives and owns when they sign up for a Microsoft cloud service. The identity and access stack helps enforce isolation among subscriptions, including limiting access to resources within a subscription only to authorized users. - **Compute isolation** ΓÇô Azure provides customers with both logical and physical compute isolation for processing. Logical isolation is implemented via:
- - *Hypervisor isolation* for services that provide cryptographically certain isolation by using separate virtual machines and leveraging Azure Hypervisor isolation.
- - *Drawbridge isolation* inside a virtual machine (VM) for services that provide cryptographically certain isolation for workloads running on the same virtual machine by leveraging isolation provided by [Drawbridge](https://www.microsoft.com/research/project/drawbridge/). These services provide small units of processing using customer code.
- - *User context-based isolation* for services that are comprised solely of Microsoft-controlled code and customer code is not allowed to run. </br>
+ - *Hypervisor isolation* for services that provide cryptographically certain isolation by using separate virtual machines and using Azure Hypervisor isolation.
+ - *Drawbridge isolation* inside a virtual machine (VM) for services that provide cryptographically certain isolation for workloads running on the same virtual machine by using isolation provided by [Drawbridge](https://www.microsoft.com/research/project/drawbridge/). These services provide small units of processing using customer code.
+ - *User context-based isolation* for services that are composed solely of Microsoft-controlled code and customer code is not allowed to run. </br>
In addition to robust logical compute isolation available by design to all Azure tenants, customers who desire physical compute isolation can utilize Azure Dedicated Host or Isolated Virtual Machines, which are deployed on server hardware dedicated to a single customer. - **Networking isolation** ΓÇô Azure Virtual Network (VNet) helps ensure that each customerΓÇÖs private network traffic is logically isolated from traffic belonging to other customers. Services can communicate using public IPs or private (VNet) IPs. Communication between customer VMs remains private within a VNet. Customers can connect their VNets via [VNet peering](../virtual-network/virtual-network-peering-overview.md) or [VPN gateways](../vpn-gateway/vpn-gateway-about-vpngateways.md), depending on their connectivity options, including bandwidth, latency, and encryption requirements. Customers can use [network security groups](../virtual-network/network-security-groups-overview.md) (NSGs) to achieve network isolation and protect their Azure resources from the Internet while accessing Azure services that have public endpoints. Customers can use Virtual Network [service tags](../virtual-network/service-tags-overview.md) to define network access controls on [network security groups](../virtual-network/network-security-groups-overview.md#security-rules) or [Azure Firewall](../firewall/service-tags.md). A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, thereby reducing the complexity of frequent updates to network security rules. 
Moreover, customers can use [Azure Private Link](../private-link/private-link-overview.md) to access Azure PaaS services over a private endpoint in their VNet, ensuring that traffic between their VNet and the service travels across the Microsoft global backbone network, which eliminates the need to expose the service to the public Internet. Finally, Azure provides customers with options to encrypt data in transit, including [Transport Layer Security (TLS) end-to-end encryption](../application-gateway/ssl-overview.md) of network traffic with [TLS termination using Azure Key Vault certificates](../application-gateway/key-vault-certs.md), [VPN encryption](../vpn-gateway/vpn-gateway-about-compliance-crypto.md) using IPsec, and ExpressRoute encryption using [MACsec with customer-managed keys (CMK) support](../expressroute/expressroute-about-encryption.md#point-to-point-encryption-by-macsec-faq).-- **Storage isolation** ΓÇô To ensure cryptographic certainty of logical data isolation, Azure Storage relies on data encryption at rest using advanced algorithms with multiple ciphers. This process relies on multiple encryption keys, as well as services such as Azure Key Vault and Azure AD to ensure secure key access and centralized key management. Azure Storage service encryption ensures that data is automatically encrypted before persisting it to Azure Storage and decrypted before retrieval. All data written to Azure Storage is [encrypted through FIPS 140-2 validated 256-bit AES encryption](../storage/common/storage-service-encryption.md#about-azure-storage-encryption) and customers have the option to use Azure Key Vault for customer-managed keys (CMK). Azure Storage service encryption encrypts the page blobs that store Azure Virtual Machine disks. Additionally, Azure Disk encryption may optionally be used to encrypt Azure Windows and Linux IaaS Virtual Machine disks to increase storage isolation and assure cryptographic certainty of customer data stored in Azure. 
This encryption includes managed disks.
+- **Storage isolation** ΓÇô To ensure cryptographic certainty of logical data isolation, Azure Storage relies on data encryption at rest using advanced algorithms with multiple ciphers. This process relies on multiple encryption keys and services such as Azure Key Vault and Azure AD to ensure secure key access and centralized key management. Azure Storage service encryption ensures that data is automatically encrypted before persisting it to Azure Storage and decrypted before retrieval. All data written to Azure Storage is [encrypted through FIPS 140 validated 256-bit AES encryption](../storage/common/storage-service-encryption.md#about-azure-storage-encryption) and customers have the option to use Azure Key Vault for customer-managed keys (CMK). Azure Storage service encryption encrypts the page blobs that store Azure Virtual Machine disks. Additionally, Azure Disk encryption may optionally be used to encrypt Azure Windows and Linux IaaS Virtual Machine disks to increase storage isolation and assure cryptographic certainty of customer data stored in Azure. This encryption includes managed disks.
- **Security assurance processes and practices** ΓÇô Azure isolation assurance is further enforced by MicrosoftΓÇÖs internal use of the [Security Development Lifecycle](https://www.microsoft.com/securityengineering/sdl/) (SDL) and other strong security assurance processes to protect attack surfaces and mitigate threats. Microsoft has established industry-leading processes and tooling that provides high confidence in the Azure isolation guarantee.
-In line with the [shared responsibility](../security/fundamentals/shared-responsibility.md) model in cloud computing, as customer workloads get migrated from an on-premises datacenter to the cloud, the delineation of responsibility between the customer and cloud service provider varies depending on the cloud service model. For example, with the Infrastructure as a Service (IaaS) model, MicrosoftΓÇÖs responsibility ends at the Hypervisor layer, and customers are responsible for all layers above the virtualization layer, including maintaining the base operating system in guest VMs. Customers can leverage Azure isolation technologies to achieve the desired level of isolation for their applications and data deployed in the cloud.
+In line with the [shared responsibility](../security/fundamentals/shared-responsibility.md) model in cloud computing, as customer workloads get migrated from an on-premises datacenter to the cloud, the delineation of responsibility between the customer and cloud service provider varies depending on the cloud service model. For example, with the Infrastructure as a Service (IaaS) model, MicrosoftΓÇÖs responsibility ends at the Hypervisor layer, and customers are responsible for all layers above the virtualization layer, including maintaining the base operating system in guest VMs. Customers can deploy Azure isolation technologies to achieve the desired level of isolation for their applications and data deployed in the cloud.
Throughout this article, call-out boxes outline important considerations or actions considered to be part of customerΓÇÖs responsibility. For example, customers can use Azure Key Vault to store their secrets, including encryption keys that remain under customer control.
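Review bot: two of the reworded lines in this hunk read worse than the text they replace. In the *Hypervisor isolation* sub-bullet, "by using separate virtual machines and using Azure Hypervisor isolation" doubles "using"; "by running workloads in separate virtual machines isolated by the Azure Hypervisor" says it once. In the *User context-based isolation* sub-bullet, "services that are composed solely of Microsoft-controlled code and customer code is not allowed to run" splices two clauses; prefer "services composed solely of Microsoft-controlled code, where customer code is not allowed to run", and replace the trailing `</br>` (not a valid tag) with `<br/>` while the line is touched. Further down, "Customers can deploy Azure isolation technologies" uses the wrong verb for platform features that customers configure rather than deploy; "use" keeps the meaning of the replaced "leverage".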
All data in Azure irrespective of the type or storage location is associated wit
> - For definitions and general deployment models, see **[NIST SP 800-207](https://csrc.nist.gov/publications/detail/sp/800-207/final)** *Zero Trust Architecture*. ### Azure Active Directory
-The separation of the accounts used to administer cloud applications is critical to achieving logical isolation. Account isolation in Azure is achieved using [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) and its capabilities to support granular [Azure role-based access control](../role-based-access-control/overview.md) (Azure RBAC). Each Azure account is associated with one Azure AD tenant. Users, groups, and applications from that directory can manage resources in Azure. Customers can assign appropriate access rights using the Azure portal, Azure command-line tools, and Azure Management APIs. Each Azure AD tenant is distinct and separate from other Azure ADs. An Azure AD instance is logically isolated using security boundaries to prevent customer data and identity information from co-mingling, thereby ensuring that users and administrators of one Azure AD cannot access or compromise data in another Azure AD instance, either maliciously or accidentally. Azure AD runs physically isolated on dedicated servers that are logically isolated to a dedicated network segment and where host-level packet filtering and Windows Firewall services provide additional protections from untrusted traffic.
+The separation of the accounts used to administer cloud applications is critical to achieving logical isolation. Account isolation in Azure is achieved using [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) and its capabilities to support granular [Azure role-based access control](../role-based-access-control/overview.md) (Azure RBAC). Each Azure account is associated with one Azure AD tenant. Users, groups, and applications from that directory can manage resources in Azure. Customers can assign appropriate access rights using the Azure portal, Azure command-line tools, and Azure Management APIs. Each Azure AD tenant is distinct and separate from other Azure ADs. An Azure AD instance is logically isolated using security boundaries to prevent customer data and identity information from co-mingling, thereby ensuring that users and administrators of one Azure AD cannot access or compromise data in another Azure AD instance, either maliciously or accidentally. Azure AD runs physically isolated on dedicated servers that are logically isolated to a dedicated network segment and where host-level packet filtering and Windows Firewall services provide extra protections from untrusted traffic.
Azure AD implements extensive **data protection features**, including tenant isolation and access control, data encryption in transit, secrets encryption and management, disk level encryption, advanced cryptographic algorithms used by various Azure AD components, data operational considerations for insider access, and more. Detailed information is available from a whitepaper [Active Directory Data Security Considerations](https://aka.ms/AADDataWhitePaper).
Proper protection and management of cryptographic keys is essential for data sec
- **Vault** supports software-protected and hardware security module (HSM)-protected secrets, keys, and certificates. - **Managed HSM** supports only HSM-protected cryptographic keys.
-**Customers who require additional security for their most sensitive customer data stored in Azure services can encrypt it using their own encryption keys they control in Azure Key Vault.**
+**Customers who require extra security for their most sensitive customer data stored in Azure services can encrypt it using their own encryption keys they control in Azure Key Vault.**
The Azure Key Vault service provides an abstraction over the underlying HSMs. It provides a REST API to enable service use from cloud applications and authentication through [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) to allow an organization to centralize and customize authentication, disaster recovery, high availability, and elasticity. Azure Key Vault supports [cryptographic keys](../key-vault/keys/about-keys.md) of various types, sizes, and curves, including RSA and Elliptic Curve keys. With managed HSMs, support is also available for AES symmetric keys.
Customers can also use the [Azure Key Vault solution in Azure Monitor](../azure-
#### Vault
-**[Vaults](../key-vault/general/overview.md)** provide a multi-tenant, low-cost, easy to deploy, zone-resilient (where available), and highly available key management solution suitable for most common cloud application scenarios. Vaults can store and safeguard [secrets, keys, and certificates](../key-vault/general/about-keys-secrets-certificates.md). They can be either software-protected (standard tier) or HSM-protected (premium tier). To see a comparison between the standard and premium tiers, see the [Azure Key Vault pricing page](https://azure.microsoft.com/pricing/details/key-vault/). Software-protected secrets, keys, and certificates are safeguarded by Azure, using industry-standard algorithms and key lengths. Customers who require additional assurances can choose to safeguard their secrets, keys, and certificates in vaults protected by multi-tenant HSMs. The corresponding HSMs are validated according to the [FIPS 140-2 standard](/azure/compliance/offerings/offering-fips-140-2), and have an overall Security Level 2 rating (certificate [#2643](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Certificate/2643)), which includes requirements for physical tamper evidence and role-based authentication. These HSMs meet Security Level 3 rating for several areas, including physical security, electromagnetic interference / electromagnetic compatibility (EMI/EMC), design assurance, and roles, services, and authentication.
+**[Vaults](../key-vault/general/overview.md)** provide a multi-tenant, low-cost, easy to deploy, zone-resilient (where available), and highly available key management solution suitable for most common cloud application scenarios. Vaults can store and safeguard [secrets, keys, and certificates](../key-vault/general/about-keys-secrets-certificates.md). They can be either software-protected (standard tier) or HSM-protected (premium tier). To see a comparison between the standard and premium tiers, see the [Azure Key Vault pricing page](https://azure.microsoft.com/pricing/details/key-vault/). Software-protected secrets, keys, and certificates are safeguarded by Azure, using industry-standard algorithms and key lengths. Customers who require extra assurances can choose to safeguard their secrets, keys, and certificates in vaults protected by multi-tenant HSMs. The corresponding HSMs are validated according to the [FIPS 140 standard](/azure/compliance/offerings/offering-fips-140-2), and have an overall Security Level 2 rating, which includes requirements for physical tamper evidence and role-based authentication. These HSMs meet Security Level 3 rating for several areas, including physical security, electromagnetic interference / electromagnetic compatibility (EMI/EMC), design assurance, and roles, services, and authentication.
Vaults enable support for [customer-managed keys](../security/fundamentals/encryption-models.md) (CMK) where customers can control their own keys in HSMs and use them to encrypt data at rest for a wide range of Azure services. As mentioned previously, customers can [import or generate encryption keys](../key-vault/keys/hsm-protected-keys.md) in HSMs ensuring that keys never leave the HSM boundary to support bring your own key (BYOK) scenarios.
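Review bot: dropping the CMVP certificate link (#2643) from the Vault paragraph removes the only concrete, checkable evidence behind the "overall Security Level 2" and "Security Level 3 rating for several areas" claims, which the `+` line keeps word for word. If the number was removed because it changes across HSM generations, make sure the FIPS 140 offering page now linked actually lists the current certificates; otherwise keep a reference so readers can verify the levels asserted.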
When customers create a key vault in a resource group, they can [manage access](
#### Managed HSM
-**[Managed HSM](../key-vault/managed-hsm/overview.md)** provides a single-tenant, fully managed, highly available, zone-resilient (where available) HSM as a service to store and manage your cryptographic keys. It is most suitable for applications and usage scenarios that handle high value keys. It also helps customers meet the most stringent security, compliance, and regulatory requirements. Managed HSM uses FIPS 140-2 Level 3 validated HSMs (certificate [#3718](https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3718)) to protect your cryptographic keys. Each managed HSM pool is an isolated single-tenant instance with its own [security domain](../key-vault/managed-hsm/security-domain.md) controlled by the customer and isolated cryptographically from instances belonging to other customers. Cryptographic isolation relies on [Intel Software Guard Extensions](https://software.intel.com/sgx) (SGX) technology that provides encrypted code and data to help ensure customer control.
+**[Managed HSM](../key-vault/managed-hsm/overview.md)** provides a single-tenant, fully managed, highly available, zone-resilient (where available) HSM as a service to store and manage your cryptographic keys. It is most suitable for applications and usage scenarios that handle high value keys. It also helps customers meet the most stringent security, compliance, and regulatory requirements. Managed HSM uses [FIPS 140 Level 3 validated HSMs](/azure/compliance/offerings/offering-fips-140-2) to protect your cryptographic keys. Each managed HSM pool is an isolated single-tenant instance with its own [security domain](../key-vault/managed-hsm/security-domain.md) controlled by the customer and isolated cryptographically from instances belonging to other customers. Cryptographic isolation relies on [Intel Software Guard Extensions](https://software.intel.com/sgx) (SGX) technology that provides encrypted code and data to help ensure customer control.
-When a managed HSM is created, the requestor also provides a list of data plane administrators. Only these administrators are able to [access the managed HSM data plane](../key-vault/managed-hsm/access-control.md) to perform key operations and manage data plane role assignments (managed HSM local RBAC). The permission model for both the management and data planes uses the same syntax, but permissions are enforced at different levels, and role assignments use different scopes. Management plane Azure RBAC is enforced by Azure Resource Manager while data plane managed HSM local RBAC is enforced by the managed HSM itself.
+When a managed HSM is created, the requestor also provides a list of data plane administrators. Only these administrators are able to [access the managed HSM data plane](../key-vault/managed-hsm/access-control.md) to perform key operations and manage data plane role assignments (managed HSM local RBAC). The permission model for both the management and data planes uses the same syntax, but permissions are enforced at different levels, and role assignments use different scopes. Management plane Azure RBAC is enforced by Azure Resource Manager while data plane-managed HSM local RBAC is enforced by the managed HSM itself.
> [!IMPORTANT] > Unlike with key vaults, granting users management plane access to managed HSMs does not grant them any data plane access to keys or data plane role assignments managed HSM local RBAC. This isolation is by design to prevent inadvertent expansion of privileges affecting access to keys stored in managed HSMs.
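Review bot: the hyphen added in the last `+` line changes the meaning. "data plane managed HSM local RBAC" parallels "Management plane Azure RBAC" earlier in the same sentence, that is, the data plane's own "managed HSM local RBAC", the term the paragraph introduces in parentheses two sentences earlier. "data plane-managed HSM local RBAC" instead reads as an HSM that is managed by the data plane. Revert the hyphen, or rephrase as "while managed HSM local RBAC on the data plane is enforced by the managed HSM itself".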
Microsoft Azure compute platform is based on [machine virtualization](../securit
Physical servers hosting VMs are grouped into clusters and they are independently managed by a scaled-out and redundant platform software component called the **[Fabric Controller](../security/fundamentals/isolation-choices.md#the-azure-fabric-controller)** (FC). Each FC manages the lifecycle of VMs running in its cluster, including provisioning and monitoring the health of the hardware under its control. For example, the FC is responsible for recreating VM instances on healthy servers when it determines that a server has failed. It also allocates infrastructure resources to tenant workloads and it manages unidirectional communication from the Host to virtual machines. Dividing the compute infrastructure into clusters isolates faults at the FC level and prevents certain classes of errors from affecting servers beyond the cluster in which they occur.
-The FC is the brain of the Azure compute platform and the Host Agent is its proxy, integrating servers into the platform so that the FC can deploy, monitor, and manage the virtual machines for customers and Azure cloud services. The Hypervisor/Host OS pairing leverages decades of MicrosoftΓÇÖs experience in operating system security, including security focused investments in [Microsoft Hyper-V](/windows-server/virtualization/hyper-v/hyper-v-technology-overview) to provide strong isolation of Guest VMs. Hypervisor isolation is discussed later in this section, including assurances for strongly defined security boundaries enforced by the Hypervisor, defense-in-depth exploit mitigation, and strong security assurance processes.
+The FC is the brain of the Azure compute platform and the Host Agent is its proxy, integrating servers into the platform so that the FC can deploy, monitor, and manage the virtual machines for customers and Azure cloud services. The Hypervisor/Host OS pairing applies decades of MicrosoftΓÇÖs experience in operating system security, including security focused investments in [Microsoft Hyper-V](/windows-server/virtualization/hyper-v/hyper-v-technology-overview) to provide strong isolation of Guest VMs. Hypervisor isolation is discussed later in this section, including assurances for strongly defined security boundaries enforced by the Hypervisor, defense-in-depth exploit mitigation, and strong security assurance processes.
### Management network isolation There are three Virtual Local Area Networks (VLANs) in each compute hardware cluster, as shown in Figure 5:
The Hypervisor and the Host OS provide network packet filters so untrusted VMs c
### Management console and management plane The Azure Management Console and Management Plane follow strict security architecture principles of least privilege to secure and isolate tenant processing: -- **Management Console (MC)** ΓÇô The MC in Azure Cloud is comprised of the Azure portal GUI and the Azure Resource Manager API layers. They both utilize user credentials to authenticate and authorized all operations. -- **Management Plane (MP)** ΓÇô This layer performs the actual management actions and is comprised of the Compute Resource Provider (CRP), Fabric Controller (FC), Fabric Agent (FA), and the underlying Hypervisor (which has its own Hypervisor Agent to service communication). These layers all utilize system contexts that are granted the least permissions needed to perform their operations.
+- **Management Console (MC)** ΓÇô The MC in Azure Cloud is composed of the Azure portal GUI and the Azure Resource Manager API layers. They both utilize user credentials to authenticate and authorized all operations.
+- **Management Plane (MP)** ΓÇô This layer performs the actual management actions and is composed of the Compute Resource Provider (CRP), Fabric Controller (FC), Fabric Agent (FA), and the underlying Hypervisor (which has its own Hypervisor Agent to service communication). These layers all utilize system contexts that are granted the least permissions needed to perform their operations.
-The Azure FC allocates infrastructure resources to tenants and manages unidirectional communications from the Host OS to Guest VMs. The VM placement algorithm of the Azure FC is highly sophisticated and nearly impossible to predict. The FA resides in the Host OS and it manages tenant VMs. The collection of the Azure Hypervisor, Host OS and FA, and customer VMs comprise a compute node, as shown in Figure 4. FCs manage FAs although FCs exist outside of compute nodes (separate FCs manage compute and storage clusters). If a customer updates their applicationΓÇÖs configuration file while running in the MC, the MC communicates through CRP with the FC and the FC communicates with the FA.
+The Azure FC allocates infrastructure resources to tenants and manages unidirectional communications from the Host OS to Guest VMs. The VM placement algorithm of the Azure FC is highly sophisticated and nearly impossible to predict. The FA resides in the Host OS and it manages tenant VMs. The collection of the Azure Hypervisor, Host OS and FA, and customer VMs comprise a compute node, as shown in Figure 4. FCs manage FAs although FCs exist outside of compute nodes (separate FCs exist to manage compute and storage clusters). If a customer updates their applicationΓÇÖs configuration file while running in the MC, the MC communicates through CRP with the FC and the FC communicates with the FA.
CRP is the front-end service for Azure Compute, exposing consistent compute APIs through Azure Resource Manager, thereby enabling customers to create and manage virtual machine resources and extensions via simple templates.
-Communications among various components (e.g., Azure Resource Manager to and from CRP, CRP to and from FC, FC to and from Hypervisor Agent) all operate on different communication channels with different identities and different permissions sets. This design follows common least-privilege models to ensure that a compromise of any single layer will prevent additional actions. Separate communications channels ensure that communications cannot bypass any layer in the chain. Figure 6 illustrates how the MC and MP securely communicate within the Azure cloud for Hypervisor interaction initiated by a userΓÇÖs [OAuth 2.0 authentication to Azure Active Directory](../active-directory/azuread-dev/v1-protocols-oauth-code.md).
+Communications among various components (for example, Azure Resource Manager to and from CRP, CRP to and from FC, FC to and from Hypervisor Agent) all operate on different communication channels with different identities and different permissions sets. This design follows common least-privilege models to ensure that a compromise of any single layer will prevent more actions. Separate communications channels ensure that communications cannot bypass any layer in the chain. Figure 6 illustrates how the MC and MP securely communicate within the Azure cloud for Hypervisor interaction initiated by a userΓÇÖs [OAuth 2.0 authentication to Azure Active Directory](../active-directory/azuread-dev/v1-protocols-oauth-code.md).
:::image type="content" source="./media/secure-isolation-fig6.png" alt-text="Management Console and Management Plane interaction for secure management flow" border="false"::: **Figure 6.** Management Console and Management Plane interaction for secure management flow
-All management commands are authenticated via RSA signed certificate or JSON Web Token (JWT). Authentication and command channels are encrypted via Transport Layer Security (TLS) 1.2 as described in *[Data encryption in transit](#data-encryption-in-transit)* section. Server certificates are used to provide TLS connectivity to the authentication providers where a separate authorization mechanism is used, e.g., Azure Active Directory or datacenter Security Token Service (dSTS). dSTS is a token provider like Azure Active Directory that is isolated to the Microsoft datacenter and utilized for service level communications.
+All management commands are authenticated via RSA signed certificate or JSON Web Token (JWT). Authentication and command channels are encrypted via Transport Layer Security (TLS) 1.2 as described in *[Data encryption in transit](#data-encryption-in-transit)* section. Server certificates are used to provide TLS connectivity to the authentication providers where a separate authorization mechanism is used, for example, Azure Active Directory or datacenter Security Token Service (dSTS). dSTS is a token provider like Azure Active Directory that is isolated to the Microsoft datacenter and utilized for service level communications.
Figure 6 illustrates the management flow corresponding to a user command to stop a virtual machine. The steps enumerated in Table 1 apply to other management commands in the same way and utilize the same encryption and authentication flow.
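Review bot: "They both utilize user credentials to authenticate and authorized all operations" in the **Management Console (MC)** `+` line carries a tense error over from the removed line; "authenticate and authorize all operations" is intended, and since the line is already touched for "composed of", fix it here. Later in the hunk, "a compromise of any single layer will prevent more actions" muddles the least-privilege argument: the point is that a compromised layer cannot take further actions in the other layers, so "so that a compromise of any single layer does not permit further actions beyond that layer" (or simply keeping "additional actions") states it more clearly than "more actions".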
Figure 6 illustrates the management flow corresponding to a user command to stop
|**5.**|Azure Resource Manager sends request to CRP. Call is authenticated via OAuth using a JSON Web Token representing the Azure Resource Manager system identity from dSTS, thus transition from user to system context.|JSON Web Token (dSTS)|TLS 1.2| |**6.**|CRP validates the request and determines which fabric controller can complete the request. CRP requests a certificate from dSTS based on its client certificate so that it can connect to the specific Fabric Controller (FC) that is the target of the command. Token will grant permissions only to that specific FC if CRP is allowed to communicate to that FC.|Client Certificate|TLS 1.2| |**7.**|CRP then sends the request to the correct FC with the JSON Web Token that was created by dSTS.|JSON Web Token (dSTS)|TLS 1.2|
-|**8.**|FC then validates the command is allowed and comes from a trusted source. Then it establishes a secure TLS connection to the correct Fabric Agent (FA) in the cluster that can execute the command by using a certificate that is unique to the target FA and the FC. Once the secure connection is established the command is transmitted.|Mutual Certificate|TLS 1.2|
+|**8.**|FC then validates the command is allowed and comes from a trusted source. Then it establishes a secure TLS connection to the correct Fabric Agent (FA) in the cluster that can execute the command by using a certificate that is unique to the target FA and the FC. Once the secure connection is established, the command is transmitted.|Mutual Certificate|TLS 1.2|
|**9.**|The FA again validates the command is allowed and comes from a trusted source. Once validated, the FA will establish a secure connection using mutual certificate authentication and issue the command to the Hypervisor Agent that is only accessible by the FA.|Mutual Certificate|TLS 1.2| |**10.**|Hypervisor Agent on the host executes an internal call to stop the VM.|System Context|N.A.|
-Commands generated through all steps of the process identified in this section and sent to the FC and FA on each node, are written to a local audit log and distributed to multiple analytics systems for stream processing in order to monitor system health and track security events and patterns. Tracking includes events that were processed successfully, as well as events that were invalid. Invalid requests are processed by the intrusion detection systems to detect anomalies.
+Commands generated through all steps of the process identified in this section and sent to the FC and FA on each node, are written to a local audit log and distributed to multiple analytics systems for stream processing in order to monitor system health and track security events and patterns. Tracking includes events that were processed successfully and events that were invalid. Invalid requests are processed by the intrusion detection systems to detect anomalies.
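Review bot: step 6 of the table says CRP "requests a certificate from dSTS based on its client certificate", but the rest of the same cell and step 7 describe the result as a token ("Token will grant permissions only to that specific FC", "the JSON Web Token that was created by dSTS"); describe it as a token request authenticated by the client certificate, for example "CRP presents its client certificate to dSTS to obtain a JSON Web Token scoped to the target FC". In the added "+Commands generated ..." line a stray comma separates the subject from its verb ("... on each node, are written"); remove it, and "in order to monitor" can simply be "to monitor".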
### Logical isolation implementation options Azure provides isolation of compute processing through a multi-layered approach, including:-- **Hypervisor isolation** for services that provide cryptographically certain isolation by using separate virtual machines and leveraging Azure Hypervisor isolation. Examples: *App Service, Azure Container Instances, Azure Databricks, Azure Functions, Azure Kubernetes Service, Azure Machine Learning, Cloud Services, Data Factory, Service Fabric, Virtual Machines, Virtual Machine Scale Sets.*-- **Drawbridge isolation** inside a VM for services that provide cryptographically certain isolation to workloads running on the same virtual machine by leveraging isolation provided by [Drawbridge](https://www.microsoft.com/research/project/drawbridge/). These services provide small units of processing using customer code. To provide security isolation, Drawbridge runs a user process together with a light-weight version of the Windows kernel (library OS) inside a *pico-process*. A pico-process is a secured process with no direct access to services or resources of the Host system. Examples: *Automation, Azure Database for MySQL, Azure Database for PostgreSQL, Azure SQL Database, Azure Stream Analytics.*-- **User context-based isolation** for services that are comprised solely of Microsoft-controlled code and customer code is not allowed to run. Examples: *API Management, Application Gateway, Azure Active Directory, Azure Backup, Azure Cache for Redis, Azure DNS, Azure Information Protection, Azure IoT Hub, Azure Key Vault, Azure portal, Azure Monitor (including Log Analytics), Azure Security Center, Azure Site Recovery, Container Registry, Content Delivery Network, Event Grid, Event Hubs, Load Balancer, Service Bus, Storage, Virtual Network, VPN Gateway, Traffic Manager.*
+- **Hypervisor isolation** for services that provide cryptographically certain isolation by using separate virtual machines and using Azure Hypervisor isolation. Examples: *App Service, Azure Container Instances, Azure Databricks, Azure Functions, Azure Kubernetes Service, Azure Machine Learning, Cloud Services, Data Factory, Service Fabric, Virtual Machines, Virtual Machine Scale Sets.*
+- **Drawbridge isolation** inside a VM for services that provide cryptographically certain isolation to workloads running on the same virtual machine by using isolation provided by [Drawbridge](https://www.microsoft.com/research/project/drawbridge/). These services provide small units of processing using customer code. To provide security isolation, Drawbridge runs a user process together with a light-weight version of the Windows kernel (library OS) inside a *pico-process*. A pico-process is a secured process with no direct access to services or resources of the Host system. Examples: *Automation, Azure Database for MySQL, Azure Database for PostgreSQL, Azure SQL Database, Azure Stream Analytics.*
+- **User context-based isolation** for services that are composed solely of Microsoft-controlled code and customer code is not allowed to run. Examples: *API Management, Application Gateway, Azure Active Directory, Azure Backup, Azure Cache for Redis, Azure DNS, Azure Information Protection, Azure IoT Hub, Azure Key Vault, Azure portal, Azure Monitor (including Log Analytics), Azure Security Center, Azure Site Recovery, Container Registry, Content Delivery Network, Event Grid, Event Hubs, Load Balancer, Service Bus, Storage, Virtual Network, VPN Gateway, Traffic Manager.*
These logical isolation options are discussed in the rest of this section.
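Review bot: the "User context-based isolation" bullet still reads "services that are composed solely of Microsoft-controlled code and customer code is not allowed to run", which joins two clauses with no connective; suggest "services that are composed solely of Microsoft-controlled code, where customer code is not allowed to run". In the "Hypervisor isolation" bullet the leveraging-to-using substitution produced "by using separate virtual machines and using Azure Hypervisor isolation"; "by using separate virtual machines isolated by the Azure Hypervisor" avoids the doubled "using" and says the same thing.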
Hypervisor isolation in Azure is based on [Microsoft Hyper-V](/windows-server/vi
The Target of Evaluation (TOE) was composed of Windows 10 and Windows Server Standard and Datacenter Editions (version 1903, May 2019 update), including Windows Server 2016 and 2019 Hyper-V evaluation platforms (&#8220;Windows&#8221;). TOE enforces the following security policies as described in the report: - **Security Audit** ΓÇô Windows has the ability to collect audit data, review audit logs, protect audit logs from overflow, and restrict access to audit logs. Audit information generated by the system includes the date and time of the event, the user identity that caused the event to be generated, and other event-specific data. Authorized administrators can review, search, and sort audit records. Authorized administrators can also configure the audit system to include or exclude potentially auditable events to be audited based on a wide range of characteristics. In the context of this evaluation, the protection profile requirements cover generating audit events, selecting which events should be audited, and providing secure storage for audit event entries.-- **Cryptographic Support** ΓÇô Windows provides FIPS 140-2 Cryptographic Algorithm Validation Program (CAVP) validated cryptographic functions that support encryption/decryption, cryptographic signatures, cryptographic hashing, cryptographic key agreement (which is not studied in this evaluation), and random number generation. The TOE additionally provides support for public keys, credential management, and certificate validation functions and provides support for the National Security AgencyΓÇÖs Suite B cryptographic algorithms. Windows also provides extensive auditing support of cryptographic operations, the ability to replace cryptographic functions and random number generators with alternative implementations, and a key isolation service designed to limit the potential exposure of secret and private keys. 
In addition to using cryptography for its own security functions, Windows offers access to the cryptographic support functions for user-mode and kernel-mode programs. Public key certificates generated and used by Windows authenticate users and machines as well as protect both user and system data in transit.
+- **Cryptographic Support** ΓÇô Windows provides FIPS 140 Cryptographic Algorithm Validation Program (CAVP) validated cryptographic functions that support encryption/decryption, cryptographic signatures, cryptographic hashing, cryptographic key agreement (which is not studied in this evaluation), and random number generation. The TOE additionally provides support for public keys, credential management, and certificate validation functions and provides support for the National Security AgencyΓÇÖs Suite B cryptographic algorithms. Windows also provides extensive auditing support of cryptographic operations, the ability to replace cryptographic functions and random number generators with alternative implementations, and a key isolation service designed to limit the potential exposure of secret and private keys. In addition to using cryptography for its own security functions, Windows offers access to the cryptographic support functions for user-mode and kernel-mode programs. Public key certificates generated and used by Windows authenticate users and machines, and protect both user and system data in transit.
- **User Data Protection** ΓÇô In the context of this evaluation Windows protects user data and provides virtual private networking capabilities. - **Identification and Authentication** ΓÇô Each Windows user must be identified and authenticated based on administrator-defined policy prior to performing any TSF-mediated functions. Windows maintains databases of accounts including their identities, authentication information, group associations, and privilege and logon rights associations. Windows account policy functions include the ability to define the minimum password length, the number of failed logon attempts, the duration of lockout, and password age. - **Protection of the TOE Security Functions (TSF)** ΓÇô Windows provides several features to ensure the protection of TOE security functions. Specifically, Windows:
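Review bot: changing "FIPS 140-2" to "FIPS 140" in the Cryptographic Support bullet widens a claim about a specific, dated evaluation (the TOE is the version 1903, May 2019 release, per the paragraph above); the original wording named the standard version that evaluation was done against, so keep "140-2" in this bullet even if the article elsewhere moves to the version-neutral "FIPS 140". Note also that CAVP certificates are issued per algorithm implementation while module-level validation is a separate CMVP process, so "FIPS 140-2 Cryptographic Algorithm Validation Program (CAVP) validated" is shorthand at best; "CAVP-validated cryptographic algorithm implementations used in FIPS 140-2 validated modules" would be exact. Merging the "In addition to using cryptography ..." paragraph into the bullet is fine.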
More information is available from the [third-party certification report](https:
The critical Hypervisor isolation is provided through: - Strongly defined security boundaries enforced by the Hypervisor-- Defense-in-depth exploit mitigations
+- Defense-in-depth exploits mitigations
- Strong security assurance processes These technologies are described in the rest of this section. **They enable Azure Hypervisor to offer strong security assurances for tenant separation in a multi-tenant cloud.**
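Review bot: "Defense-in-depth exploits mitigations" is a regression; "exploit mitigations" uses the noun attributively (as in "exploit mitigation techniques") and is the established term, while "exploits mitigations" is ungrammatical. Revert this bullet to "Defense-in-depth exploit mitigations"; the same substitution appears in the `##### *Defense-in-depth exploits mitigations*` heading and in the closing NOTE block later in this section and should be reverted there too.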
Customer code executes in a Hypervisor VM and benefits from Hypervisor enforced
:::image type="content" source="./media/secure-isolation-fig7.png" alt-text="Compute isolation with Azure Hypervisor"::: **Figure 7.** Compute isolation with Azure Hypervisor (see online [glossary of terms](/virtualization/hyper-v-on-windows/reference/hyper-v-architecture#glossary))
-The Azure Hypervisor acts like a micro-kernel, passing all hardware access requests from Guest VMs using a Virtualization Service Client (VSC) to the Host OS for processing by using a shared-memory interface called VMBus. The Host OS proxies the hardware requests using a Virtualization Service Provider (VSP) that prevents users from obtaining raw read/write/execute access to the system and mitigates the risk of sharing system resources. The privileged Root partition (also known as Host OS) has direct access to the physical devices/peripherals on the system (e.g., storage controllers, GPUs, networking adapters, etc.). The Host OS allows Guest partitions to share the use of these physical devices by exposing virtual devices to each Guest partition. Consequently, an operating system executing in a Guest partition has access to virtualized peripheral devices that are provided by VSPs executing in the Root partition. These virtual device representations can take one of three forms:
+The Azure Hypervisor acts like a micro-kernel, passing all hardware access requests from Guest VMs using a Virtualization Service Client (VSC) to the Host OS for processing by using a shared-memory interface called VMBus. The Host OS proxies the hardware requests using a Virtualization Service Provider (VSP) that prevents users from obtaining raw read/write/execute access to the system and mitigates the risk of sharing system resources. The privileged Root partition (also known as Host OS) has direct access to the physical devices/peripherals on the system (for example, storage controllers, GPUs, networking adapters, etc.). The Host OS allows Guest partitions to share the use of these physical devices by exposing virtual devices to each Guest partition. So, an operating system executing in a Guest partition has access to virtualized peripheral devices that are provided by VSPs executing in the Root partition. These virtual device representations can take one of three forms:
- **Emulated devices** ΓÇô The Host OS may expose a virtual device with an interface identical to what would be provided by a corresponding physical device. In this case, an operating system in a Guest partition would use the same device drivers as it does when running on a physical system. The Host OS would emulate the behavior of a physical device to the Guest partition. - **Para-virtualized devices** ΓÇô The Host OS may expose virtual devices with a virtualization-specific interface using the VMBus shared memory interface between the Host OS and the Guest. In this model, the Guest partition uses device drivers specifically designed to implement a virtualized interface. These para-virtualized devices are sometimes referred to as &#8220;synthetic&#8221; devices.
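Review bot: in the added line, "(for example, storage controllers, GPUs, networking adapters, etc.)" now opens with "for example" and closes with "etc.", which say the same thing; keep one, for instance "(such as storage controllers, GPUs, and networking adapters)". Replacing "Consequently" with "So," weakens the causal link in a technical description; "As a result," keeps the meaning without the informal tone.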
The Azure Hypervisor acts like a micro-kernel, passing all hardware access reque
Virtualization extensions in the Host CPU enable the Azure Hypervisor to enforce isolation between partitions. The following fundamental CPU capabilities provide the hardware building blocks for Hypervisor isolation: -- **Second-level address translation** ΓÇô the Hypervisor controls what memory resources a partition is allowed to access through the use of second-level page tables provided by the CPUΓÇÖs memory management unit (MMU). The CPUΓÇÖs MMU uses second-level address translation under Hypervisor control to enforce protection on memory accesses performed by:
+- **Second-level address translation** ΓÇô the Hypervisor controls what memory resources a partition is allowed to access by using second-level page tables provided by the CPUΓÇÖs memory management unit (MMU). The CPUΓÇÖs MMU uses second-level address translation under Hypervisor control to enforce protection on memory accesses performed by:
- CPU when running under the context of a partition. - I/O devices that are being accessed directly by Guest partitions.-- **CPU context** ΓÇô the Hypervisor leverages virtualization extensions in the CPU to restrict privileges and CPU context that can be accessed while a Guest partition is running. The Hypervisor also uses these facilities to save and restore state when sharing CPUs between multiple partitions to ensure isolation of CPU state between the partitions.
+- **CPU context** ΓÇô the Hypervisor uses virtualization extensions in the CPU to restrict privileges and CPU context that can be accessed while a Guest partition is running. The Hypervisor also uses these facilities to save and restore state when sharing CPUs between multiple partitions to ensure isolation of CPU state between the partitions.
-The Azure Hypervisor makes extensive use of these processor facilities to provide isolation between partitions. The emergence of speculative side channel attacks has identified potential weaknesses in some of these processor isolation capabilities. In a multi-tenant architecture, any cross-VM attack across different tenants involves two steps: placing an adversary-controlled VM on the same Host as one of the victim VMs, and then breaching the logical isolation boundary to perform a side-channel attack. Azure provides protection from both threat vectors by using an advanced VM placement algorithm enforcing memory and process separation for logical isolation, as well as secure network traffic routing with cryptographic certainty at the Hypervisor. As discussed in section titled *[Exploitation of vulnerabilities in virtualization technologies](#exploitation-of-vulnerabilities-in-virtualization-technologies)* later in the article, the Azure Hypervisor has been architected to provide robust isolation within the hypervisor itself that helps mitigate a wide range of sophisticated side channel attacks.
+The Azure Hypervisor makes extensive use of these processor facilities to provide isolation between partitions. The emergence of speculative side channel attacks has identified potential weaknesses in some of these processor isolation capabilities. In a multi-tenant architecture, any cross-VM attack across different tenants involves two steps: placing an adversary-controlled VM on the same Host as one of the victim VMs, and then breaching the logical isolation boundary to perform a side-channel attack. Azure provides protection from both threat vectors by using an advanced VM placement algorithm enforcing memory and process separation for logical isolation, and secure network traffic routing with cryptographic certainty at the Hypervisor. As discussed in section titled *[Exploitation of vulnerabilities in virtualization technologies](#exploitation-of-vulnerabilities-in-virtualization-technologies)* later in the article, the Azure Hypervisor has been architected to provide robust isolation within the hypervisor itself that helps mitigate a wide range of sophisticated side channel attacks.
The Azure Hypervisor defined security boundaries provide the base level isolation primitives for strong segmentation of code, data, and resource between potentially hostile multi-tenants on shared hardware. These isolation primitives are used to create multi-tenant resource isolation scenarios including: - **Isolation of network traffic between potentially hostile guests** ΓÇô Virtual Network (VNet) provides isolation of network traffic between tenants as part of its fundamental design, as described later in *[Separation of tenant network traffic](#separation-of-tenant-network-traffic)* section. VNet forms an isolation boundary where the VMs within a VNet can only communicate with each other. Any traffic destined to a VM from within the VNet or external senders without the proper policy configured will be dropped by the Host and not delivered to the VM.-- **Isolation for encryption keys and cryptographic material** ΓÇô Customers can further augment the isolation capabilities with the use of [hardware security managers or specialized key storage](../security/fundamentals/encryption-overview.md), e.g., storing encryption keys in FIPS 140-2 validated hardware security modules via [Azure Key Vault](../key-vault/general/overview.md).
+- **Isolation for encryption keys and cryptographic material** ΓÇô Customers can further augment the isolation capabilities with the use of [hardware security managers or specialized key storage](../security/fundamentals/encryption-overview.md), for example, storing encryption keys in FIPS 140 validated hardware security modules via [Azure Key Vault](../key-vault/general/overview.md).
- **Scheduling of system resources** ΓÇô Azure design includes guaranteed availability and segmentation of compute, memory, storage, and both direct and para-virtualized device access. The Azure Hypervisor meets the security objectives shown in Table 2.
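Review bot: the "Isolation for encryption keys and cryptographic material" bullet links to "hardware security managers or specialized key storage"; the devices Azure Key Vault uses are hardware security modules (HSMs), so this should read "hardware security modules", and since the line is already being edited the fix belongs in this hunk. Dropping "-2" from "FIPS 140-2 validated hardware security modules" also removes the version customers check a key store against; keep the version stated in the linked Key Vault documentation rather than the unversioned "FIPS 140". Unrelated to the wording changes, the "CPU context" bullet is also run into the preceding sub-bullet ("... directly by Guest partitions.-- **CPU context**"), so confirm the list renders as three separate items.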
The Azure Hypervisor meets the security objectives shown in Table 2.
|**Management access**|Management functions are exercised only by authorized administrators, connected over secure connections with a principle of least privilege enforced by fine grained role access control mechanism.| |**Audit**|Azure provides audit capability to capture and protect system data so that it can later be inspected.|
-##### *Defense-in-depth exploit mitigations*
+##### *Defense-in-depth exploits mitigations*
To further mitigate the risk of a security compromise, Microsoft has invested in numerous defense-in-depth mitigations in Azure systems software, hardware, and firmware to provide strong real-world isolation guarantees to Azure customers. As mentioned previously, Azure Hypervisor isolation is based on [Microsoft Hyper-V](/virtualization/hyper-v-on-windows/reference/hyper-v-architecture) technology, which enables Azure Hypervisor to benefit from decades of Microsoft experience in operating system security and investments in Hyper-V technology for virtual machine isolation. Listed below are some key design principles adopted by Microsoft to secure Hyper-V:
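Review bot: same issue as the earlier "Defense-in-depth exploits mitigations" bullet: "exploit mitigations" is the correct form, so this heading should stay `##### *Defense-in-depth exploit mitigations*`.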
Listed below are some key design principles adopted by Microsoft to secure Hyper
- Many components use [smart pointers](/cpp/cpp/smart-pointers-modern-cpp) to eliminate the risk of [use-after-free](https://owasp.org/www-community/vulnerabilities/Using_freed_memory) bugs. - Most Hyper-V kernel-mode code uses a heap allocator that zeros on allocation to eliminate uninitialized memory bugs. - Eliminate common vulnerability classes with compiler mitigations
- - All Hyper-V code is compiled with InitAll which [eliminates uninitialized stack variables](https://msrc-blog.microsoft.com/2020/05/13/solving-uninitialized-stack-memory-on-windows/). This approach was implemented because many historical vulnerabilities in Hyper-V were caused by uninitialized stack variables.
+ - All Hyper-V code is compiled with InitAll, which [eliminates uninitialized stack variables](https://msrc-blog.microsoft.com/2020/05/13/solving-uninitialized-stack-memory-on-windows/). This approach was implemented because many historical vulnerabilities in Hyper-V were caused by uninitialized stack variables.
- All Hyper-V code is compiled with [stack canaries](https://en.wikipedia.org/wiki/Stack_buffer_overflow#Stack_canaries) to dramatically reduce the risk of stack overflow vulnerabilities. - Find issues that make their way into the product - All Windows code has a set of static analysis rules run across it.
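Review bot: the stack-canary bullet next to the changed InitAll line overstates the effect: "[stack canaries] to dramatically reduce the risk of stack overflow vulnerabilities" should be "to make stack buffer overflows much harder to exploit", since a canary detects corruption of the return address at function exit rather than removing the bug; the InitAll bullet is right to say "eliminates" because that mitigation removes the bug class. "Most Hyper-V kernel-mode code uses a heap allocator that zeros on allocation to eliminate uninitialized memory bugs" is more precise as "uninitialized heap memory bugs", which distinguishes it from the stack case covered by InitAll.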
Listed below are some key design principles adopted by Microsoft to secure Hyper
- [Control Flow Guard (CFG)](/windows/win32/secbp/control-flow-guard) ΓÇô Provides course grained control flow protection to indirect calls and jumps. - NoChildProcess ΓÇô The worker process cannot create child processes (useful for bypassing CFG). - NoLowImages / NoRemoteImages ΓÇô The worker process cannot load DLLΓÇÖs over the network or DLLΓÇÖs that were written to disk by a sandboxed process.
- - NoWin32k ΓÇô The worker process cannot communicate with Win32k which makes sandbox escapes more difficult.
+ - NoWin32k ΓÇô The worker process cannot communicate with Win32k, which makes sandbox escapes more difficult.
- Heap randomization ΓÇô Windows ships with one of the most secure heap implementations of any operating system. - [Address Space Layout Randomization (ASLR)](https://en.wikipedia.org/wiki/Address_space_layout_randomization) ΓÇô Randomizes the layout of heaps, stacks, binaries, and other data structures in the address space to make exploitation less reliable. - [Data Execution Prevention (DEP/NX)](/windows/win32/win7appqual/dep-nx-protection) ΓÇô Only pages of memory intended to contain code are executable.
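Review bot: "course grained control flow protection" in the CFG bullet above the changed line should be "coarse-grained", and "NoChildProcess ... (useful for bypassing CFG)" reads as if the mitigation itself is useful for bypassing CFG; make the subject explicit, for example "(spawning child processes is a common way to bypass CFG)". In the NoLowImages / NoRemoteImages bullet, "DLLΓÇÖs" is the plural "DLLs" with a garbled apostrophe and needs no apostrophe at all.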
Microsoft investments in Hyper-V security benefit Azure Hypervisor directly. The
|Mitigation|Security Impact|Mitigation Details| |-|||
-|**Control flow Integrity**|Increases cost to perform control flow integrity attacks (e.g., return-orientedΓÇöprogramming exploits)|[Control Flow Guard](https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf) (CFG) ensures indirect control flow transfers are instrumented at compile time and enforced by the kernel (user-mode) or secure kernel (kernel-mode), mitigating stack return vulnerabilities.|
-|**User-mode code integrity**|Protects against malicious and unwanted binary execution in user mode|Address Space Layout Randomization (ASLR) forced on all binaries in host partition, all code compiled with SDL security checks (e.g., `strict_gs`), [arbitrary code generation restrictions](https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/) in place on host processes prevent injection of runtime-generated code.|
-|**Hypervisor enforced user and kernel mode code integrity**|No code loaded into code pages marked for execution until authenticity of code is verified|[Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) (VBS) leverages memory isolation to create a secure world to enforce policy and store sensitive code and secrets. With Hypervisor enforced Code Integrity (HVCI), the secure world is used to prevent unsigned code from being injected into the normal world kernel.|
+|**Control flow Integrity**|Increases cost to perform control flow integrity attacks (for example, return-orientedΓÇöprogramming exploits)|[Control Flow Guard](https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf) (CFG) ensures indirect control flow transfers are instrumented at compile time and enforced by the kernel (user-mode) or secure kernel (kernel-mode), mitigating stack return vulnerabilities.|
+|**User-mode code integrity**|Protects against malicious and unwanted binary execution in user mode|Address Space Layout Randomization (ASLR) forced on all binaries in host partition, all code compiled with SDL security checks (for example, `strict_gs`), [arbitrary code generation restrictions](https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/) in place on host processes prevent injection of runtime-generated code.|
+|**Hypervisor enforced user and kernel mode code integrity**|No code loaded into code pages marked for execution until authenticity of code is verified|[Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) (VBS) uses memory isolation to create a secure world to enforce policy and store sensitive code and secrets. With Hypervisor enforced Code Integrity (HVCI), the secure world is used to prevent unsigned code from being injected into the normal world kernel.|
|**Hardware root-of-trust with platform secure boot**|Ensures host only boots exact firmware and OS image required|Windows [secure boot](/windows-hardware/design/device-experiences/oem-secure-boot) validates that Azure Hypervisor infrastructure is only bootable in a known good configuration, aligned to Azure firmware, hardware, and kernel production versions.| |**Reduced attack surface VMM**|Protects against escalation of privileges in VMM user functions|The Azure Hypervisor Virtual Machine Manager (VMM) contains both user and kernel mode components. User mode components are isolated to prevent break-out into kernel mode functions in addition to numerous layered mitigations.| Moreover, Azure has adopted an assume-breach security strategy implemented via [Red Teaming](https://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf). This approach relies on a dedicated team of security researchers and engineers who conduct continuous ongoing testing of Azure systems and operations using the same tactics, techniques, and procedures as real adversaries against live production infrastructure, without the foreknowledge of the Azure infrastructure and platform engineering or operations teams. This approach tests security detection and response capabilities and helps identify production vulnerabilities in Azure Hypervisor and other systems, including configuration errors, invalid assumptions, or other security issues in a controlled manner. Microsoft invests heavily in these innovative security measures for continuous Azure threat mitigation. ##### *Strong security assurance processes*
-The attack surface in Hyper-V is [well understood](https://msrc-blog.microsoft.com/2018/12/10/first-steps-in-hyper-v-research/). It has been the subject of [ongoing research](https://msrc-blog.microsoft.com/2019/09/11/attacking-the-vm-worker-process/) and thorough security reviews. Microsoft has been transparent about the Hyper-V attack surface and underlying security architecture as demonstrated during a public [presentation at a Black Hat conference](https://github.com/Microsoft/MSRC-Security-Research/blob/master/presentations/2018_08_BlackHatUSA/A%20Dive%20in%20to%20Hyper-V%20Architecture%20and%20Vulnerabilities.pdf) in 2018. Microsoft stands behind the robustness and quality of Hyper-V isolation with a [$250,000 bug bounty program](https://www.microsoft.com/msrc/bounty-hyper-v) for critical Remote Code Execution (RCE), information disclosure, and Denial of Service (DOS) vulnerabilities reported in Hyper-V. By leveraging the same Hyper-V technology in Windows Server and Azure cloud platform, the publicly available documentation and bug bounty program ensure that security improvements will accrue to all users of Microsoft products and services. Table 4 summarizes the key attack surface points from the Black Hat presentation.
+The attack surface in Hyper-V is [well understood](https://msrc-blog.microsoft.com/2018/12/10/first-steps-in-hyper-v-research/). It has been the subject of [ongoing research](https://msrc-blog.microsoft.com/2019/09/11/attacking-the-vm-worker-process/) and thorough security reviews. Microsoft has been transparent about the Hyper-V attack surface and underlying security architecture as demonstrated during a public [presentation at a Black Hat conference](https://github.com/Microsoft/MSRC-Security-Research/blob/master/presentations/2018_08_BlackHatUSA/A%20Dive%20in%20to%20Hyper-V%20Architecture%20and%20Vulnerabilities.pdf) in 2018. Microsoft stands behind the robustness and quality of Hyper-V isolation with a [$250,000 bug bounty program](https://www.microsoft.com/msrc/bounty-hyper-v) for critical Remote Code Execution (RCE), information disclosure, and Denial of Service (DOS) vulnerabilities reported in Hyper-V. By using the same Hyper-V technology in Windows Server and Azure cloud platform, the publicly available documentation and bug bounty program ensure that security improvements will accrue to all users of Microsoft products and services. Table 4 summarizes the key attack surface points from the Black Hat presentation.
**Table 4.** Hyper-V attack surface details
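Review bot: the "Control flow Integrity" row claims CFG is "mitigating stack return vulnerabilities", but CFG instruments indirect calls and jumps only (the earlier bullet in this section says exactly that: "control flow protection to indirect calls and jumps") and does not check return addresses; change the tail to "mitigating hijacking of indirect calls and jumps" and leave return-address corruption to the stack-canary row of the list above. Smaller items in the same rows: capitalise the label consistently ("Control Flow Integrity"), "return-orientedΓÇöprogramming" is a garbled dash and should be "return-oriented programming", and "Denial of Service (DOS)" is conventionally "DoS".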
The attack surface in Hyper-V is [well understood](https://msrc-blog.microsoft.c
To protect these attack surfaces, Microsoft has established industry-leading processes and tooling that provides high confidence in the Azure isolation guarantee. As described in *[Security assurance processes and practices](#security-assurance-processes-and-practices)* section later in this article, the approach includes purpose-built fuzzing, penetration testing, security development lifecycle, mandatory security training, security reviews, security intrusion detection based on Guest ΓÇô Host threat indicators, and automated build alerting of changes to the attack surface area. This mature multi-dimensional assurance process helps augment the isolation guarantees provided by the Azure Hypervisor by mitigating the risk of security vulnerabilities. > [!NOTE]
-> Azure has adopted an industry leading approach to ensure Hypervisor-based tenant separation that has been strengthened and improved over two decades of Microsoft investments in Hyper-V technology for virtual machine isolation. The outcome of this approach is a robust Hypervisor that helps ensure tenant separation via 1) strongly defined security boundaries, 2) defense-in-depth exploit mitigations, and 3) strong security assurances processes.
+> Azure has adopted an industry leading approach to ensure Hypervisor-based tenant separation that has been strengthened and improved over two decades of Microsoft investments in Hyper-V technology for virtual machine isolation. The outcome of this approach is a robust Hypervisor that helps ensure tenant separation via 1) strongly defined security boundaries, 2) defense-in-depth exploits mitigations, and 3) strong security assurances processes.
#### Drawbridge isolation For services that provide small units of processing using customer code, requests from multiple tenants are executed within a single VM and isolated using Microsoft [Drawbridge](https://www.microsoft.com/research/project/drawbridge/) technology. To provide security isolation, Drawbridge runs a user process together with a light-weight version of the Windows kernel (Library OS) inside a *pico-process*. A pico-process is a lightweight, secure isolation container with minimal kernel API surface and no direct access to services or resources of the Host system. The only external calls the pico-process can make are to the Drawbridge Security Monitor through the Drawbridge Application Binary Interface (ABI), as shown in Figure 8.
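Review bot: in the updated NOTE on Hypervisor-based tenant separation, item 2 regresses from "defense-in-depth exploit mitigations" to "defense-in-depth exploits mitigations"; "exploit" is an attributive noun here and stays singular. Keep the original wording for that item, as the rest of the sentence is unchanged.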
A normal Windows process can call more than 1200 functions that result in access
Like a virtual machine, the pico-process is much easier to secure than a traditional OS interface because it is significantly smaller, stateless, and has fixed and easily described semantics. Another added benefit of the small ABI / driver syscall interface is the ability to audit / fuzz the driver code with little effort. For example, syscall fuzzers can fuzz the ABI with high coverage numbers in a relatively short amount of time. #### User context-based isolation
-In cases where an Azure service is comprised of Microsoft-controlled code and customer code is not allowed to run, the isolation is provided by a user context. These services accept only user configuration inputs and data for processing ΓÇô arbitrary code is not allowed. For these services, a user context is provided to establish the data that can be accessed and what Azure role-based access control (Azure RBAC) operations are allowed. This context is established by Azure Active Directory (Azure AD) as described earlier in *[Identity-based isolation](#identity-based-isolation)* section. Once the user has been identified and authorized, the Azure service creates an application user context that is attached to the request as it moves through execution, providing assurance that user operations are separated and properly isolated.
+In cases where an Azure service is composed of Microsoft-controlled code and customer code is not allowed to run, the isolation is provided by a user context. These services accept only user configuration inputs and data for processing ΓÇô arbitrary code is not allowed. For these services, a user context is provided to establish the data that can be accessed and what Azure role-based access control (Azure RBAC) operations are allowed. This context is established by Azure Active Directory (Azure AD) as described earlier in *[Identity-based isolation](#identity-based-isolation)* section. Once the user has been identified and authorized, the Azure service creates an application user context that is attached to the request as it moves through execution, providing assurance that user operations are separated and properly isolated.
### Physical isolation In addition to robust logical compute isolation available by design to all Azure tenants, customers who desire physical compute isolation can utilize Azure Dedicated Host or Isolated Virtual Machines, which are both dedicated to a single customer.
In addition to robust logical compute isolation available by design to all Azure
> [!NOTE] > Customers can deploy a dedicated host using the **[Azure portal](../virtual-machines/dedicated-hosts-portal.md)**, Azure **[PowerShell](../virtual-machines/windows/dedicated-hosts-powershell.md)**, and Azure **[Command-Line Interface](../virtual-machines/linux/dedicated-hosts-cli.md)** (CLI).
-Customers can deploy both Windows and Linux virtual machines into dedicated hosts by selecting the server and CPU type, number of cores, and additional features. Dedicated Host enables control over platform maintenance events by allowing customers to opt in to a maintenance window to reduce potential impact to their provisioned services. Most maintenance events have little to no impact on customer VMs; however, customers in highly regulated industries or with sensitive workloads may want to have control over any potential maintenance impact.
+Customers can deploy both Windows and Linux virtual machines into dedicated hosts by selecting the server and CPU type, number of cores, and extra features. Dedicated Host enables control over platform maintenance events by allowing customers to opt in to a maintenance window to reduce potential impact to their provisioned services. Most maintenance events have little to no impact on customer VMs; however, customers in highly regulated industries or with sensitive workloads may want to have control over any potential maintenance impact.
> [!NOTE] > Microsoft provides detailed customer guidance on **[Windows](../virtual-machines/windows/quick-create-portal.md)** and **[Linux](../virtual-machines/linux/quick-create-portal.md)** Azure Virtual Machine provisioning using the Azure portal, Azure PowerShell, and Azure CLI.
Azure provides network isolation for each deployment and enforces the following
- When customers put VMs on a VNet, those VMs get their own address spaces that are invisible, and hence, not reachable from VMs outside of a deployment or virtual network (unless configured to be visible via public IP addresses). Customer environments are open only through the ports that customers specify for public access; if the VM is defined to have a public IP address, then all ports are open for public access. #### Packet flow and network path protection
-AzureΓÇÖs hyperscale network is designed to provide uniform high capacity between servers, performance isolation between services (including customers), and Ethernet Layer-2 semantics. Azure uses a number of networking implementations to achieve these goals: flat addressing to allow service instances to be placed anywhere in the network; load balancing to spread traffic uniformly across network paths; and end-system based address resolution to scale to large server pools, without introducing complexity to the network control plane.
+AzureΓÇÖs hyperscale network is designed to provide uniform high capacity between servers, performance isolation between services (including customers), and Ethernet Layer-2 semantics. Azure uses several networking implementations to achieve these goals: flat addressing to allow service instances to be placed anywhere in the network; load balancing to spread traffic uniformly across network paths; and end-system based address resolution to scale to large server pools, without introducing complexity to the network control plane.
These implementations give each service the illusion that all the servers assigned to it, and only those servers, are connected by a single non-interfering Ethernet switch ΓÇô a Virtual Layer 2 (VL2) ΓÇô and maintain this illusion even as the size of each service varies from one server to hundreds of thousands. This VL2 implementation achieves traffic performance isolation, ensuring that it is not possible that the traffic of one service could be affected by the traffic of any other service, as if each service were connected by a separate physical switch.
This section explains how packets flow through the Azure network, and how the to
The Azure network uses [two different IP-address families](/windows-server/networking/sdn/technologies/hyper-v-network-virtualization/hyperv-network-virtualization-technical-details-windows-server#packet-encapsulation): -- **Customer address (CA)** is the customer defined/chosen VNet IP address, also referred to as Virtual IP (VIP). The network infrastructure operates using CAs, which are externally routable. All switches and interfaces are assigned CAs, and switches run an IP-based (Layer-3) link-state routing protocol that disseminates only these CAs. This design allows switches to obtain the complete switch-level topology, as well as forward packets encapsulated with CAs along shortest paths.
+- **Customer address (CA)** is the customer defined/chosen VNet IP address, also referred to as Virtual IP (VIP). The network infrastructure operates using CAs, which are externally routable. All switches and interfaces are assigned CAs, and switches run an IP-based (Layer-3) link-state routing protocol that disseminates only these CAs. This design allows switches to obtain the complete switch-level topology, and forward packets encapsulated with CAs along shortest paths.
- **Provider address (PA)** is the Azure assigned internal fabric address that is not visible to users and is also referred to as Dynamic IP (DIP). No traffic goes directly from the Internet to a server; all traffic from the Internet must go through a Software Load Balancer (SLB) and be encapsulated to protect the internal Azure address space by only routing packets to valid Azure internal IP addresses and ports. Network Address Translation (NAT) separates internal network traffic from external traffic. Internal traffic uses [RFC 1918](https://datatracker.ietf.org/doc/rfc1918/) address space or private address space ΓÇô the provider addresses (PAs) ΓÇô that is not externally routable. The translation is performed at the SLBs. Customer addresses (CAs) that are externally routable are translated into internal provider addresses (PAs) that are only routable within Azure. These addresses remain unaltered no matter how their serversΓÇÖ locations change due to virtual-machine migration or reprovisioning. Each PA is associated with a CA, which is the identifier of the Top of Rack (ToR) switch to which the server is connected. VL2 uses a scalable, reliable directory system to store and maintain the mapping of PAs to CAs, and this mapping is created when servers are provisioned to a service and assigned PA addresses. An agent running in the network stack on every server, called the VL2 agent, invokes the directory systemΓÇÖs resolution service to learn the actual location of the destination and then tunnels the original packet there.
-Azure assigns servers IP addresses that act as names alone, with no topological significance. AzureΓÇÖs VL2 addressing scheme separates these server names (PAs) from their locations (CAs). The crux of offering Layer-2 semantics is having servers believe they share a single large IP subnet ΓÇô i.e., the entire PA space ΓÇô with other servers in the same service, while eliminating the Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP) scaling bottlenecks that plague large Ethernet deployments.
+Azure assigns servers IP addresses that act as names alone, with no topological significance. AzureΓÇÖs VL2 addressing scheme separates these server names (PAs) from their locations (CAs). The crux of offering Layer-2 semantics is having servers believe they share a single large IP subnet ΓÇô that is, the entire PA space ΓÇô with other servers in the same service, while eliminating the Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP) scaling bottlenecks that plague large Ethernet deployments.
-Figure 9 depicts a sample packet flow where sender S sends packets to destination D via a randomly chosen intermediate switch using IP-in-IP encapsulation. PAs are from 20/8, and CAs are from 10/8. H(ft) denotes a hash of the [5-tuple](https://www.techopedia.com/definition/28190/5-tuple), which is comprised of source IP, source port, destination IP, destination port, and protocol type. The ToR translates the PA to the CA, sends to the Intermediate switch, which sends to the destination CA ToR switch, which translates to the destination PA.
+Figure 9 depicts a sample packet flow where sender S sends packets to destination D via a randomly chosen intermediate switch using IP-in-IP encapsulation. PAs are from 20/8, and CAs are from 10/8. H(ft) denotes a hash of the [5-tuple](https://www.techopedia.com/definition/28190/5-tuple), which is composed of source IP, source port, destination IP, destination port, and protocol type. The ToR translates the PA to the CA, sends to the Intermediate switch, which sends to the destination CA ToR switch, which translates to the destination PA.
:::image type="content" source="./media/secure-isolation-fig9.png" alt-text="Sample packet flow"::: **Figure 9.** Sample packet flow
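Review bot: the Customer address (CA) bullet is internally inconsistent, and the hunk, which only replaces "as well as forward" with "and forward", leaves it so: the first sentence defines CA as the customer defined/chosen VNet IP address (the VIP), the third sentence assigns CAs to every switch and interface as the externally routable locator that the link-state protocol disseminates, and the Provider address bullet then puts the non-routable RFC 1918 server address in the PA role. A customer-chosen VNet address cannot also be the fabric locator. While touching this bullet, state plainly which address family is the topology-free name and which is the routable locator, and make the VIP/DIP aliases agree with that choice so the Figure 9 walkthrough ("The ToR translates the PA to the CA") reads consistently.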
Figure 9 depicts a sample packet flow where sender S sends packets to destinatio
A server cannot send packets to a PA if the directory service refuses to provide it with a CA through which it can route its packets, which means that the directory service enforces access control policies. Further, since the directory system knows which server is making the request when handling a lookup, it can **enforce fine-grained isolation policies**. For example, it could enforce a policy that only servers belonging to the same service can communicate with each other. #### Traffic flow patterns
-To route traffic between servers, which use PA addresses, on an underlying network that knows routes for CA addresses, the VL2 agent on each server captures packets from the host, and encapsulates them with the CA address of the ToR switch of the destination. Once the packet arrives at the CA (i.e., the destination ToR switch), the destination ToR switch decapsulates the packet and delivers it to the destination PA carried in the inner header. The packet is first delivered to one of the Intermediate switches, decapsulated by the switch, delivered to the ToRΓÇÖs CA, decapsulated again, and finally sent to the destination. This approach is depicted in Figure 10 using two possible traffic patterns: 1) external traffic (orange line) traversing over ExpressRoute or the Internet to a VNet, and 2) internal traffic (blue line) between two VNets. Both traffic flows follow a similar pattern to isolate and protect network traffic.
+To route traffic between servers, which use PA addresses, on an underlying network that knows routes for CA addresses, the VL2 agent on each server captures packets from the host, and encapsulates them with the CA address of the ToR switch of the destination. Once the packet arrives at the CA (that is, the destination ToR switch), the destination ToR switch decapsulates the packet and delivers it to the destination PA carried in the inner header. The packet is first delivered to one of the Intermediate switches, decapsulated by the switch, delivered to the ToRΓÇÖs CA, decapsulated again, and finally sent to the destination. This approach is depicted in Figure 10 using two possible traffic patterns: 1) external traffic (orange line) traversing over ExpressRoute or the Internet to a VNet, and 2) internal traffic (blue line) between two VNets. Both traffic flows follow a similar pattern to isolate and protect network traffic.
:::image type="content" source="./media/secure-isolation-fig10.png" alt-text="Separation of tenant network traffic using VNets"::: **Figure 10.** Separation of tenant network traffic using VNets
-**External traffic (orange line)** ΓÇô For external traffic, Azure provides multiple layers of assurance to enforce isolation depending on traffic patterns. When a customer places a public IP on their VNet gateway, traffic from the public Internet or customer on-premises network that is destined for that IP address will be routed to an Internet Edge Router. Alternatively, when a customer establishes private peering over an ExpressRoute connection, it is connected with an Azure VNet via VNet Gateway. This set-up aligns connectivity from the physical circuit and makes the private IP address space from the on-premises location addressable. Azure then uses Border Gateway Protocol (BGP) to share routing details with the on-premises network to establish end-to-end connectivity. When communication begins with a resource within the VNet, the network traffic traverses as normal until it reaches a Microsoft ExpressRoute Edge (MSEE) Router. In both cases, VNets provide the means for Azure VMs to act as part of customerΓÇÖs on-premises network. A cryptographically protected [IPsec/IKE tunnel](../vpn-gateway/vpn-gateway-about-vpn-devices.md#ipsec) is established between Azure and customerΓÇÖs internal network (e.g., via [Azure VPN Gateway](../vpn-gateway/tutorial-site-to-site-portal.md) or [Azure ExpressRoute Private Peering](../virtual-wan/vpn-over-expressroute.md)), enabling the VM to connect securely to customerΓÇÖs on-premises resources as though it was directly on that network.
+**External traffic (orange line)** ΓÇô For external traffic, Azure provides multiple layers of assurance to enforce isolation depending on traffic patterns. When a customer places a public IP on their VNet gateway, traffic from the public Internet or customer on-premises network that is destined for that IP address will be routed to an Internet Edge Router. Alternatively, when a customer establishes private peering over an ExpressRoute connection, it is connected with an Azure VNet via VNet Gateway. This set-up aligns connectivity from the physical circuit and makes the private IP address space from the on-premises location addressable. Azure then uses Border Gateway Protocol (BGP) to share routing details with the on-premises network to establish end-to-end connectivity. When communication begins with a resource within the VNet, the network traffic traverses as normal until it reaches a Microsoft ExpressRoute Edge (MSEE) Router. In both cases, VNets provide the means for Azure VMs to act as part of customerΓÇÖs on-premises network. A cryptographically protected [IPsec/IKE tunnel](../vpn-gateway/vpn-gateway-about-vpn-devices.md#ipsec) is established between Azure and customerΓÇÖs internal network (for example, via [Azure VPN Gateway](../vpn-gateway/tutorial-site-to-site-portal.md) or [Azure ExpressRoute Private Peering](../virtual-wan/vpn-over-expressroute.md)), enabling the VM to connect securely to customerΓÇÖs on-premises resources as though it was directly on that network.
At the Internet Edge Router or the MSEE Router, the packet is encapsulated using Generic Routing Encapsulation (GRE). This encapsulation uses a unique identifier specific to the VNet destination and the destination address, which is used to appropriately route the traffic to the identified VNet. Upon reaching the VNet Gateway, which is a special VNet used only to accept traffic from outside of an Azure VNet, the encapsulation is verified by the Azure network fabric to ensure: a) the endpoint receiving the packet is a match to the unique VNet ID used to route the data, and b) the destination address requested exists in this VNet. Once verified, the packet is routed as internal traffic from the VNet Gateway to the final requested destination address within the VNet. This approach ensures that traffic from external networks travels only to Azure VNet for which it is destined, enforcing isolation.
-**Internal traffic (blue line)** ΓÇô Internal traffic also uses GRE encapsulation/tunneling. When two resources in an Azure VNet attempt to establish communications between each other, the Azure network fabric reaches out to the Azure VNet routing directory service that is part of the Azure network fabric. The directory services use the customer address (CA) and the requested destination address to determine the provider address (PA). This information, including the VNet identifier, CA, and PA, is then used to encapsulate the traffic with GRE. The Azure network uses this information to properly route the encapsulated data to the appropriate Azure host using the PA. The encapsulation is reviewed by the Azure network fabric to confirm: (1) the PA is a match, (2) the CA is located at this PA, and (3) the VNet identifier is a match. Once all three are verified, the encapsulation is removed and routed to the CA as normal traffic (e.g., to a VM endpoint). This approach provides VNet isolation assurance based on correct traffic routing between cloud services.
+**Internal traffic (blue line)** ΓÇô Internal traffic also uses GRE encapsulation/tunneling. When two resources in an Azure VNet attempt to establish communications between each other, the Azure network fabric reaches out to the Azure VNet routing directory service that is part of the Azure network fabric. The directory services use the customer address (CA) and the requested destination address to determine the provider address (PA). This information, including the VNet identifier, CA, and PA, is then used to encapsulate the traffic with GRE. The Azure network uses this information to properly route the encapsulated data to the appropriate Azure host using the PA. The encapsulation is reviewed by the Azure network fabric to confirm: (1) the PA is a match, (2) the CA is located at this PA, and (3) the VNet identifier is a match. Once all three are verified, the encapsulation is removed and routed to the CA as normal traffic (for example, to a VM endpoint). This approach provides VNet isolation assurance based on correct traffic routing between cloud services.
Azure VNets implement several mechanisms to ensure secure traffic between tenants. These mechanisms align to existing industry standards and security practices, and prevent well-known attack vectors including: -- **Prevent IP address spoofing** ΓÇô Whenever encapsulated traffic is transmitted by a VNet, the service reverifies the information on the receiving end of the transmission. The traffic is looked up and encapsulated independently at the start of the transmission, as well as reverified at the receiving endpoint to ensure the transmission was performed appropriately. This verification is done with an internal VNet feature called SpoofGuard, which verifies that the source and destination are valid and allowed to communicate, thereby preventing mismatches in expected encapsulation patterns that might otherwise permit spoofing. The GRE encapsulation processes prevent spoofing as any GRE encapsulation and encryption not done by the Azure network fabric is treated as dropped traffic.
+- **Prevent IP address spoofing** ΓÇô Whenever encapsulated traffic is transmitted by a VNet, the service reverifies the information on the receiving end of the transmission. The traffic is looked up and encapsulated independently at the start of the transmission, and reverified at the receiving endpoint to ensure the transmission was performed appropriately. This verification is done with an internal VNet feature called SpoofGuard, which verifies that the source and destination are valid and allowed to communicate, thereby preventing mismatches in expected encapsulation patterns that might otherwise permit spoofing. The GRE encapsulation processes prevent spoofing as any GRE encapsulation and encryption not done by the Azure network fabric is treated as dropped traffic.
- **Provide network segmentation across customers with overlapping network spaces** ΓÇô Azure VNetΓÇÖs implementation relies on established tunneling standards such as the GRE, which in turn allows the use of customer-specific unique identifiers (VNet IDs) throughout the cloud. The VNet identifiers are used as scoping identifiers. This approach ensures that a customer is always operating within their unique address space, overlapping address spaces between tenants, and the Azure network fabric. Anything that has not been encapsulated with a valid VNet ID is blocked within the Azure network fabric. In the example described above, any encapsulated traffic not performed by the Azure network fabric is discarded.-- **Prevent traffic from crossing between VNets** ΓÇô Preventing traffic from crossing between VNets is done through the same mechanisms that handle address overlap and prevent spoofing. Traffic crossing between VNets is rendered infeasible by using unique VNet IDs established per tenant in combination with verification of all traffic at the source and destination. Users do not have access to the underlying transmission mechanisms that rely on these IDs to perform the encapsulation. Consequently, any attempt to encapsulate and simulate these mechanisms would lead to dropped traffic.
+- **Prevent traffic from crossing between VNets** ΓÇô Preventing traffic from crossing between VNets is done through the same mechanisms that handle address overlap and prevent spoofing. Traffic crossing between VNets is rendered infeasible by using unique VNet IDs established per tenant in combination with verification of all traffic at the source and destination. Users do not have access to the underlying transmission mechanisms that rely on these IDs to perform the encapsulation. Therefore, any attempt to encapsulate and simulate these mechanisms would lead to dropped traffic.
In addition to these key protections, all unexpected traffic originating from the Internet is dropped by default. Any packet entering the Azure network will first encounter an Edge router. Edge routers intentionally allow all inbound traffic into the Azure network except spoofed traffic. This basic traffic filtering protects the Azure network from known bad malicious traffic. Azure also implements DDoS protection at the network layer, collecting logs to throttle or block traffic based on real time and historical data analysis, and mitigates attacks on demand.
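Review bot: in the External traffic paragraph the hunk only replaces "e.g." with "for example", but the sentence it sits in states that a cryptographically protected IPsec/IKE tunnel is established between Azure and the customer network "via Azure VPN Gateway or Azure ExpressRoute Private Peering"; the link behind the second option is the VPN-over-ExpressRoute article, and private peering on its own is not an IPsec tunnel, so the text reads as if every ExpressRoute connection is encrypted. Suggest "via Azure VPN Gateway, or an IPsec VPN run over ExpressRoute private peering". In the same region, the spoofing bullet says "any GRE encapsulation and encryption not done by the Azure network fabric" is dropped; GRE provides encapsulation only, so either drop "and encryption" or name the mechanism that encrypts.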
Customers are also able to utilize Azure services to further isolate and protect
At the infrastructure layer, Azure implements a Hypervisor firewall to protect all tenants running on top of the Hypervisor within virtual machines from unauthorized access. This Hypervisor firewall is distributed as part of the NSG rules deployed to the Host, implemented in the Hypervisor, and configured by the Fabric Controller agent, as shown in Figure 4. The Host OS instances utilize the built-in Windows Firewall to implement fine-grained ACLs at a greater granularity than router ACLs and are maintained by the same software that provisions tenants, so they are never out of date. They are applied using the Machine Configuration File (MCF) to Windows Firewall.
-At the top of the operating system stack is the Guest OS, which customers utilize as their operating system. By default, this layer does not allow any inbound communication to cloud service or virtual network, essentially making it part of a private network. For PaaS Web and Worker roles, remote access is not permitted by default. It is possible for customers to enable Remote Desktop Protocol (RDP) access as an explicit option. For IaaS VMs created using the Azure portal, RDP and remote PowerShell ports are opened by default; however, port numbers are assigned randomly. For IaaS VMs created via PowerShell, RDP and remote PowerShell ports must be opened explicitly. If the administrator chooses to keep the RDP and remote PowerShell ports open to the Internet, the account allowed to create RDP and PowerShell connections should be secured with a strong password. Even if ports are open, customers can define ACLs on the public IPs for additional protection if desired.
+At the top of the operating system stack is the Guest OS, which customers utilize as their operating system. By default, this layer does not allow any inbound communication to cloud service or virtual network, essentially making it part of a private network. For PaaS Web and Worker roles, remote access is not permitted by default. It is possible for customers to enable Remote Desktop Protocol (RDP) access as an explicit option. For IaaS VMs created using the Azure portal, RDP and remote PowerShell ports are opened by default; however, port numbers are assigned randomly. For IaaS VMs created via PowerShell, RDP and remote PowerShell ports must be opened explicitly. If the administrator chooses to keep the RDP and remote PowerShell ports open to the Internet, the account allowed to create RDP and PowerShell connections should be secured with a strong password. Even if ports are open, customers can define ACLs on the public IPs for extra protection if desired.
### Service tags Customers can use Virtual Network [service tags](../virtual-network/service-tags-overview.md) to achieve network isolation and protect their Azure resources from the Internet while accessing Azure services that have public endpoints. With service tags, customers can define network access controls on [network security groups](../virtual-network/network-security-groups-overview.md#security-rules) or [Azure Firewall](../firewall/service-tags.md). A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, thereby reducing the complexity of frequent updates to network security rules.
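Review bot: the change here is only "additional" to "extra", but the guidance in the same paragraph for RDP and remote PowerShell ports left open to the Internet stops at securing the account with a strong password; since the preceding paragraph already describes NSG rules enforced at the Hypervisor and the paragraph itself mentions ACLs on the public IP, recommend restricting the source address range (or closing the port) as the primary control and the strong password as a secondary one.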
Azure provides many options for [encrypting data in transit](../security/fundame
> [!IMPORTANT] > Customers can increase security by enabling encryption in transit. For example, customers can use **[Azure Application Gateway](../application-gateway/ssl-overview.md)** to configure **[end-to-end encryption](../application-gateway/application-gateway-end-to-end-ssl-powershell.md)** of network traffic and rely on **[Azure Key Vault integration](../application-gateway/key-vault-certs.md)** for TLS termination.
-Across Azure services, traffic to and from the service is [protected by TLS 1.2](https://azure.microsoft.com/updates/azuretls12/) leveraging RSA-2048 for key exchange and AES-256 for data encryption. The corresponding crypto modules are FIPS 140-2 validated as part of the Microsoft [Windows FIPS validation program](/windows/security/threat-protection/fips-140-validation#modules-used-by-windows-server).
+Across Azure services, traffic to and from the service is [protected by TLS 1.2](https://azure.microsoft.com/updates/azuretls12/) using RSA-2048 for key exchange and AES-256 for data encryption. The corresponding crypto modules are FIPS 140 validated as part of the Microsoft [Windows FIPS validation program](/windows/security/threat-protection/fips-140-validation#modules-used-by-windows-server).
TLS provides strong authentication, message privacy, and integrity. [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS) protects connections between customerΓÇÖs client systems and Microsoft cloud services by generating a unique session key for every session a customer initiate. PFS protects past sessions against potential future key compromises. This combination makes it more difficult to intercept and access data in transit.
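Review bot: the + line keeps "RSA-2048 for key exchange" while the next paragraph attributes Perfect Forward Secrecy to these same connections; in TLS 1.2, RSA key transport has no forward secrecy, and PFS requires an ephemeral (EC)DHE key exchange with the RSA key used only to authenticate the server. Suggest "RSA-2048 certificates for server authentication with ECDHE key exchange and AES-256 for data encryption", or drop the key-exchange detail and keep only the PFS statement. Removing "-2" from "FIPS 140-2" is consistent with the unversioned link target.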
TLS provides strong authentication, message privacy, and integrity. [Perfect For
**Azure Storage transactions:** When interacting with Azure Storage through the Azure portal, all transactions take place over HTTPS. Moreover, customers can configure their storage accounts to accept requests only from secure connections by setting the &#8220;[secure transfer required](../storage/common/storage-require-secure-transfer.md)&#8221; property for the storage account. The &#8220;secure transfer required&#8221; option is enabled by default when creating a Storage account in the Azure portal.
-[Azure Files](../storage/files/storage-files-introduction.md) offers fully managed file shares in the cloud that are accessible via the industry-standard [Server Message Block](/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview) (SMB) protocol. By default, all Azure storage accounts [have encryption in transit enabled](../storage/files/storage-files-planning.md#encryption-in-transit). Consequently, when mounting a share over SMB or accessing it through the Azure portal (or PowerShell, CLI, and Azure SDKs), Azure Files will only allow the connection if it is made with SMB 3.0+ with encryption or over HTTPS.
+[Azure Files](../storage/files/storage-files-introduction.md) offers fully managed file shares in the cloud that are accessible via the industry-standard [Server Message Block](/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview) (SMB) protocol. By default, all Azure storage accounts [have encryption in transit enabled](../storage/files/storage-files-planning.md#encryption-in-transit). Therefore, when mounting a share over SMB or accessing it through the Azure portal (or PowerShell, CLI, and Azure SDKs), Azure Files will only allow the connection if it is made with SMB 3.0+ with encryption or over HTTPS.
#### CustomerΓÇÖs datacenter connection to Azure region **VPN encryption:** [Virtual Network](../virtual-network/virtual-networks-overview.md) (VNet) provides a means for Azure Virtual Machines (VMs) to act as part of a customerΓÇÖs internal (on-premises) network. With VNet, customers choose the address ranges of non-globally-routable IP addresses to be assigned to the VMs so that they will not collide with addresses the customer is using elsewhere. Customers have options to securely connect to a VNet from their on-premises infrastructure or remote locations. -- **Site-to-Site** (IPsec/IKE VPN tunnel) ΓÇô A cryptographically protected &#8220;tunnel&#8221; is established between Azure and the customerΓÇÖs internal network, allowing an Azure VM to connect to the customerΓÇÖs back-end resources as though it was directly on that network. This type of connection requires a [VPN device](../vpn-gateway/vpn-gateway-vpn-faq.md#s2s) located on-premises that has an externally facing public IP address assigned to it. Customers can use [Azure VPN Gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md) to send encrypted traffic between their VNet and their on-premises infrastructure across the public Internet, e.g., a [site-to-site VPN](../vpn-gateway/tutorial-site-to-site-portal.md) relies on IPsec for transport encryption. Azure VPN Gateway supports a wide range of encryption algorithms that are FIPS 140-2 validated. Moreover, customers can configure Azure VPN Gateway to use [custom IPsec/IKE policy](../vpn-gateway/vpn-gateway-about-compliance-crypto.md) with specific cryptographic algorithms and key strengths instead of relying on the default Azure policies. IPsec encrypts data at the IP level (Network Layer 3).
+- **Site-to-Site** (IPsec/IKE VPN tunnel) ΓÇô A cryptographically protected &#8220;tunnel&#8221; is established between Azure and the customerΓÇÖs internal network, allowing an Azure VM to connect to the customerΓÇÖs back-end resources as though it was directly on that network. This type of connection requires a [VPN device](../vpn-gateway/vpn-gateway-vpn-faq.md#s2s) located on-premises that has an externally facing public IP address assigned to it. Customers can use [Azure VPN Gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md) to send encrypted traffic between their VNet and their on-premises infrastructure across the public Internet, for example, a [site-to-site VPN](../vpn-gateway/tutorial-site-to-site-portal.md) relies on IPsec for transport encryption. Azure VPN Gateway supports a wide range of encryption algorithms that are FIPS 140 validated. Moreover, customers can configure Azure VPN Gateway to use [custom IPsec/IKE policy](../vpn-gateway/vpn-gateway-about-compliance-crypto.md) with specific cryptographic algorithms and key strengths instead of relying on the default Azure policies. IPsec encrypts data at the IP level (Network Layer 3).
- **Point-to-Site** (VPN over SSTP, OpenVPN, and IPsec) – A secure connection is established from an individual client computer to customer’s VNet using Secure Socket Tunneling Protocol (SSTP), OpenVPN, or IPsec. As part of the [Point-to-Site VPN](../vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal.md) configuration, customers need to install a certificate and a VPN client configuration package, which allow the client computer to connect to any VM within the VNet. [Point-to-Site VPN](../vpn-gateway/point-to-site-about.md) connections do not require a VPN device or a public facing IP address.
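Review bot: replacing "FIPS 140-2 validated" with "FIPS 140 validated" in the Site-to-Site bullet drops the revision that a validation certificate is issued against, so a reader can no longer match the claim to a certificate. If the intent is to cover modules validated under either revision, say so ("FIPS 140-2 or FIPS 140-3 validated"); otherwise keep the revision the linked compliance page documents. The same change appears in the DEK/KEK and Storage service encryption bullets below.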
-In addition to controlling the type of algorithm that is supported for VPN connections, Azure provides customers with the ability to enforce that all traffic leaving a VNet may only be routed through a VNet Gateway (e.g., Azure VPN Gateway). This enforcement allows customers to ensure that traffic may not leave a VNet without being encrypted. A VPN Gateway can be used for [VNet-to-VNet](../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md) connections while also providing a secure tunnel with IPsec/IKE. Azure VPN uses [Pre-Shared Key (PSK) authentication](../vpn-gateway/vpn-gateway-vpn-faq.md#how-does-my-vpn-tunnel-get-authenticated) whereby Microsoft generates a PSK when the VPN tunnel is created. Customers can change the autogenerated PSK to their own.
+In addition to controlling the type of algorithm that is supported for VPN connections, Azure provides customers with the ability to enforce that all traffic leaving a VNet may only be routed through a VNet Gateway (for example, Azure VPN Gateway). This enforcement allows customers to ensure that traffic may not leave a VNet without being encrypted. A VPN Gateway can be used for [VNet-to-VNet](../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md) connections while also providing a secure tunnel with IPsec/IKE. Azure VPN uses [Pre-Shared Key (PSK) authentication](../vpn-gateway/vpn-gateway-vpn-faq.md#how-does-my-vpn-tunnel-get-authenticated) whereby Microsoft generates a PSK when the VPN tunnel is created. Customers can change the autogenerated PSK to their own.
-**ExpressRoute encryption:** [ExpressRoute](../expressroute/expressroute-introduction.md) allows customers to create private connections between Microsoft datacenters and their on-premises infrastructure or colocation facility. ExpressRoute connections do not go over the public Internet and offer lower latency and higher reliability than IPsec protected VPN connections. [ExpressRoute locations](../expressroute/expressroute-locations-providers.md) are the entry points to MicrosoftΓÇÖs global network backbone and they may or may not match the location of Azure regions. Once the network traffic enters the Microsoft backbone, it is guaranteed to traverse that private networking infrastructure instead of the public Internet. Customers can use ExpressRoute with several data [encryption options](../expressroute/expressroute-about-encryption.md), including [MACsec](https://1.ieee802.org/security/802-1ae/) that enables customers to store [MACsec encryption keys in Azure Key Vault](../expressroute/expressroute-about-encryption.md#point-to-point-encryption-by-macsec-faq). MACsec encrypts data at the Media Access Control (MAC) level, i.e., data link layer (Network Layer 2). Both AES-128 and AES-256 block ciphers are [supported for encryption](../expressroute/expressroute-about-encryption.md#which-cipher-suites-are-supported-for-encryption). Customers can use MACsec to encrypt the physical links between their network devices and Microsoft network devices when they connect to Microsoft via [ExpressRoute Direct](../expressroute/expressroute-erdirect-about.md). ExpressRoute Direct allows for direct fiber connections from customer's edge to the Microsoft Enterprise edge routers at the peering locations.
+**ExpressRoute encryption:** [ExpressRoute](../expressroute/expressroute-introduction.md) allows customers to create private connections between Microsoft datacenters and their on-premises infrastructure or colocation facility. ExpressRoute connections do not go over the public Internet and offer lower latency and higher reliability than IPsec protected VPN connections. [ExpressRoute locations](../expressroute/expressroute-locations-providers.md) are the entry points to MicrosoftΓÇÖs global network backbone and they may or may not match the location of Azure regions. Once the network traffic enters the Microsoft backbone, it is guaranteed to traverse that private networking infrastructure instead of the public Internet. Customers can use ExpressRoute with several data [encryption options](../expressroute/expressroute-about-encryption.md), including [MACsec](https://1.ieee802.org/security/802-1ae/) that enables customers to store [MACsec encryption keys in Azure Key Vault](../expressroute/expressroute-about-encryption.md#point-to-point-encryption-by-macsec-faq). MACsec encrypts data at the Media Access Control (MAC) level, that is, data link layer (Network Layer 2). Both AES-128 and AES-256 block ciphers are [supported for encryption](../expressroute/expressroute-about-encryption.md#which-cipher-suites-are-supported-for-encryption). Customers can use MACsec to encrypt the physical links between their network devices and Microsoft network devices when they connect to Microsoft via [ExpressRoute Direct](../expressroute/expressroute-erdirect-about.md). ExpressRoute Direct allows for direct fiber connections from customer's edge to the Microsoft Enterprise edge routers at the peering locations.
Customers can enable IPsec in addition to MACsec on their ExpressRoute Direct ports, as shown in Figure 11. Using Azure VPN Gateway, customers can set up an [IPsec tunnel over Microsoft Peering](../expressroute/site-to-site-vpn-over-microsoft-peering.md) of customer’s ExpressRoute circuit between customer’s on-premises network and customer’s Azure VNet. MACsec secures the physical connection between customer’s on-premises network and Microsoft. IPsec secures the end-to-end connection between customer’s on-premises network and their VNets in Azure. MACsec and IPsec can be enabled independently.
Moreover, all Azure traffic traveling within a region or between regions is [enc
> Customers should review Azure **[best practices](../security/fundamentals/data-encryption-best-practices.md#protect-data-in-transit)** for the protection of data in transit to help ensure that all data in transit is encrypted. For key Azure PaaS storage services (for example, Azure SQL Database, SQL Managed Instance, and Azure Synapse Analytics), data encryption in transit is **[enforced by default](../azure-sql/database/security-overview.md#information-protection-and-encryption)**.

### Third-party network virtual appliances
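Review bot: the rewritten MACsec sentence now reads "at the Media Access Control (MAC) level, that is, data link layer (Network Layer 2)" and is missing an article; make it "that is, the data link layer (Network Layer 2)".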
-Azure provides customers with many features to help them achieve their security and isolation goals, including [Azure Security Center](../security-center/security-center-introduction.md), [Azure Monitor](../azure-monitor/overview.md), [Azure Firewall](../firewall/overview.md), [Azure VPN Gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md), [Network Security Groups](../virtual-network/network-security-groups-overview.md), [Azure Application Gateway](../application-gateway/overview.md), [Azure DDoS Protection](../ddos-protection/ddos-protection-overview.md), [Network Watcher](../network-watcher/network-watcher-monitoring-overview.md), [Azure Sentinel](../sentinel/overview.md), and [Azure Policy](../governance/policy/overview.md). In addition to the built-in capabilities that Azure provides, customers can use third-party [network virtual appliances](https://azure.microsoft.com/solutions/network-appliances/) to accommodate their specific network isolation requirements while at the same time leveraging existing in-house skills. Azure supports a wide range of appliances, including offerings from F5, Palo Alto Networks, Cisco, Check Point, Barracuda, Citrix, Fortinet, and many others. Network appliances support network functionality and services in the form of VMs in customer virtual networks and deployments.
+Azure provides customers with many features to help them achieve their security and isolation goals, including [Azure Security Center](../security-center/security-center-introduction.md), [Azure Monitor](../azure-monitor/overview.md), [Azure Firewall](../firewall/overview.md), [Azure VPN Gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md), [Network Security Groups](../virtual-network/network-security-groups-overview.md), [Azure Application Gateway](../application-gateway/overview.md), [Azure DDoS Protection](../ddos-protection/ddos-protection-overview.md), [Network Watcher](../network-watcher/network-watcher-monitoring-overview.md), [Azure Sentinel](../sentinel/overview.md), and [Azure Policy](../governance/policy/overview.md). In addition to the built-in capabilities that Azure provides, customers can use third-party [network virtual appliances](https://azure.microsoft.com/solutions/network-appliances/) to accommodate their specific network isolation requirements while at the same time applying existing in-house skills. Azure supports a wide range of appliances, including offerings from F5, Palo Alto Networks, Cisco, Check Point, Barracuda, Citrix, Fortinet, and many others. Network appliances support network functionality and services in the form of VMs in customer virtual networks and deployments.
The cumulative effect of network isolation restrictions is that each cloud service acts as though it were on an isolated network where VMs within the cloud service can communicate with one another, identifying one another by their source IP addresses with confidence that no other parties can impersonate their peer VMs. They can also be configured to accept incoming connections from the Internet over specific ports and protocols and to ensure that all network traffic leaving customer Virtual Networks is always encrypted.
> - **[Azure network security white paper](https://azure.microsoft.com/resources/azure-network-security/)**

## Storage isolation
-Microsoft Azure separates customer VM-based computation resources from storage as part of its [fundamental design](../security/fundamentals/isolation-choices.md#storage-isolation). The separation allows computation and storage to scale independently, making it easier to provide multi-tenancy and isolation. Consequently, Azure Storage runs on separate hardware with no network connectivity to Azure Compute except logically.
+Microsoft Azure separates customer VM-based computation resources from storage as part of its [fundamental design](../security/fundamentals/isolation-choices.md#storage-isolation). The separation allows computation and storage to scale independently, making it easier to provide multi-tenancy and isolation. So, Azure Storage runs on separate hardware with no network connectivity to Azure Compute except logically.
Each Azure [subscription](/azure/cloud-adoption-framework/decision-guides/subscriptions/) can have one or more storage accounts. Azure storage supports various [authentication options](/rest/api/storageservices/authorize-requests-to-azure-storage), including:
Customer data in an Azure Storage account is [always replicated](../storage/comm
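Review bot: "So, Azure Storage runs on separate hardware with no network connectivity to Azure Compute except logically." opens with a conversational connective that sits oddly in this register and weakens the causal link "Consequently" carried; "As a result," keeps the meaning in plain wording.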
- **Locally redundant storage (LRS)** replicates three copies (or the erasure coded equivalent, as described later) of customer data within a single data center. A write request to an LRS storage account returns successfully only after the data is written to all three replicas. Each replica resides in separate fault and upgrade domains within a scale unit (set of storage racks within a data center). - **Zone-redundant storage (ZRS)** replicates customer data synchronously across three storage clusters in a single [region](../availability-zones/az-overview.md#regions). Each storage cluster is physically separated from the others and is in its own [Availability Zone](../availability-zones/az-overview.md#availability-zones) (AZ). A write request to a ZRS storage account returns successfully only after the data is written to all replicas across the three clusters.-- **Geo-redundant storage (GRS)** replicates customer data to a [secondary (paired) region](../best-practices-availability-paired-regions.md) region that is hundreds of kilometers away from the primary region. GRS storage accounts are durable even in the case of a complete regional outage or a disaster in which the primary region isn't recoverable. For a storage account with GRS or RA-GRS enabled, all data is first replicated with LRS. An update is first committed to the primary location and replicated using LRS. The update is then replicated asynchronously to the secondary region using GRS. When data is written to the secondary location, it's also replicated within that location using LRS.
+- **Geo-redundant storage (GRS)** replicates customer data to a [secondary (paired) region](../best-practices-availability-paired-regions.md) region that is hundreds of kilometers away from the primary region. GRS storage accounts are durable even during a complete regional outage or a disaster in which the primary region isn't recoverable. For a storage account with GRS or RA-GRS enabled, all data is first replicated with LRS. An update is first committed to the primary location and replicated using LRS. The update is then replicated asynchronously to the secondary region using GRS. When data is written to the secondary location, it's also replicated within that location using LRS.
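Review bot: the duplicated word in "secondary (paired) region region" survives in the rewritten GRS bullet; drop one "region" while this line is being touched. The change from "even in the case of" to "even during" reads fine.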
- **Read-access geo-redundant storage (RA-GRS)** is based on GRS. It provides read-only access to the data in the secondary location, in addition to geo-replication across two regions. With RA-GRS, customers can read from the secondary region regardless of whether Microsoft initiates a failover from the primary to secondary region. - **Geo-zone-redundant storage (GZRS)** combines the high availability of ZRS with protection from regional outages as provided by GRS. Data in a GZRS storage account is replicated across three AZs in the primary region and also replicated to a secondary geographic region for protection from regional disasters. Each Azure region is paired with another region within the same geography, together making a [regional pair](../best-practices-availability-paired-regions.md).-- **Read-access geo-zone-redundant storage (RA-GZRS)** is based on GZRS. Customers can optionally enable read access to data in the secondary region with RA-GZRS if their applications need to be able to read data in the event of a disaster in the primary region.
+- **Read-access geo-zone-redundant storage (RA-GZRS)** is based on GZRS. Customers can optionally enable read access to data in the secondary region with RA-GZRS if their applications need to be able to read data following a disaster in the primary region.
### High-level Azure Storage architecture
-Azure Storage production systems consist of storage stamps and the location service (LS), as shown in Figure 12. A storage stamp is a cluster of racks of storage nodes, where each rack is built as a separate fault domain with redundant networking and power. The LS manages all the storage stamps, as well as the account namespace across all stamps. It allocates accounts to storage stamps and manages them across the storage stamps for load balancing and disaster recovery. The LS itself is distributed across two geographic locations for its own disaster recovery ([Calder, et al., 2011](https://sigops.org/s/conferences/sosp/2011/current/2011-Cascais/printable/11-calder.pdf)).
+Azure Storage production systems consist of storage stamps and the location service (LS), as shown in Figure 12. A storage stamp is a cluster of racks of storage nodes, where each rack is built as a separate fault domain with redundant networking and power. The LS manages all the storage stamps and the account namespace across all stamps. It allocates accounts to storage stamps and manages them across the storage stamps for load balancing and disaster recovery. The LS itself is distributed across two geographic locations for its own disaster recovery ([Calder, et al., 2011](https://sigops.org/s/conferences/sosp/2011/current/2011-Cascais/printable/11-calder.pdf)).
:::image type="content" source="./media/secure-isolation-fig12.png" alt-text="High-level Azure Storage architecture":::

**Figure 12.** High-level Azure Storage architecture (Source: [Calder, et al., 2011](https://sigops.org/s/conferences/sosp/2011/current/2011-Cascais/printable/11-calder.pdf))
-There are three layers within a storage stamp: front-end, partition, and stream, which are described in the rest of this section.
+There are three layers within a storage stamp: front-end, partition, and stream. These layers are described in the rest of this section.
#### Front-end layer

The front-end (FE) layer consists of a set of stateless servers that take the incoming requests, authenticate and authorize the requests, and then route them to a partition server in the Partition Layer. The FE layer knows what partition server to forward each request to, since each front-end server caches a partition map. The partition map keeps track of the partitions for the service being accessed and what partition server is controlling (serving) access to each partition in the system. The FE servers also stream large objects directly from the stream layer.
All data blocks stored in stream extent nodes have a 64-bit cyclic redundancy ch
Customer data in Azure Storage relies on data encryption at rest to provide cryptographic certainty for logical data isolation. Customers can choose between platform-managed encryption keys or customer-managed encryption keys. The handling of data encryption and decryption is transparent to customers, as discussed in the next section.

### Data encryption at rest
-Azure provides extensive options for [data encryption at rest](../security/fundamentals/encryption-atrest.md) to help customers safeguard their data and meet their compliance needs using both Microsoft-managed encryption keys, as well as customer-managed encryption keys. For more information, see [data encryption models](../security/fundamentals/encryption-models.md). This process relies on multiple encryption keys, as well as services such as Azure Key Vault and Azure Active Directory to ensure secure key access and centralized key management.
+Azure provides extensive options for [data encryption at rest](../security/fundamentals/encryption-atrest.md) to help customers safeguard their data and meet their compliance needs using both Microsoft-managed encryption keys and customer-managed encryption keys. For more information, see [data encryption models](../security/fundamentals/encryption-models.md). This process relies on multiple encryption keys and services such as Azure Key Vault and Azure Active Directory to ensure secure key access and centralized key management.
> [!NOTE]
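Review bot: "This process relies on multiple encryption keys and services such as Azure Key Vault and Azure Active Directory" now reads as though Key Vault were an example of an encryption key. Keep the two lists apart: "relies on multiple encryption keys, and on services such as Azure Key Vault and Azure Active Directory, to ensure secure key access and centralized key management".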
-> Customers who require additional security and isolation assurances for their most sensitive customer data stored in Azure services can encrypt it using their own encryption keys they control in Azure Key Vault.
+> Customers who require extra security and isolation assurances for their most sensitive customer data stored in Azure services can encrypt it using their own encryption keys they control in Azure Key Vault.
-In general, controlling key access and ensuring efficient bulk encryption and decryption of data is accomplished via the following types of encryption keys (as shown in Figure 16), although additional encryption keys can be used as described in *[Storage service encryption](#storage-service-encryption)* section.
+In general, controlling key access and ensuring efficient bulk encryption and decryption of data is accomplished via the following types of encryption keys (as shown in Figure 16), although other encryption keys can be used as described in *[Storage service encryption](#storage-service-encryption)* section.
-- **Data Encryption Key (DEK)** is a symmetric AES-256 key that is utilized for bulk encryption and decryption of a partition or a block of data. The cryptographic modules are FIPS 140-2 validated as part of the [Windows FIPS validation program](/windows/security/threat-protection/fips-140-validation#modules-used-by-windows-server). Access to DEKs is needed by the resource provider or application instance that is responsible for encrypting and decrypting a specific block of data. A single resource may have many partitions and many DEKs. When a DEK is replaced with a new key, only the data in its associated block must be re-encrypted with the new key. DEK is encrypted by the Key Encryption Key (KEK) and is never stored unencrypted.-- **Key Encryption Key (KEK)** is an asymmetric RSA key that is optionally provided by the customer. This key is utilized to encrypt the Data Encryption Key (DEK) using Azure Key Vault and exists only in Azure Key Vault. As mentioned previously in *[Data encryption key management](#data-encryption-key-management)* section, Azure Key Vault can use FIPS 140-2 validated hardware security modules (HSMs) to safeguard encryption keys. These keys are not exportable and there can be no clear-text version of the KEK outside the HSMs ΓÇô the binding is enforced by the underlying HSM. KEK is never exposed directly to the resource provider or other services. Access to KEK is controlled by permissions in Azure Key Vault and access to Azure Key Vault must be authenticated through Azure Active Directory. These permissions can be revoked to block access to this key and, by extension, the data that is encrypted using this key as the root of the key chain.
+- **Data Encryption Key (DEK)** is a symmetric AES-256 key that is utilized for bulk encryption and decryption of a partition or a block of data. The cryptographic modules are FIPS 140 validated as part of the [Windows FIPS validation program](/windows/security/threat-protection/fips-140-validation#modules-used-by-windows-server). Access to DEKs is needed by the resource provider or application instance that is responsible for encrypting and decrypting a specific block of data. A single resource may have many partitions and many DEKs. When a DEK is replaced with a new key, only the data in its associated block must be re-encrypted with the new key. DEK is encrypted by the Key Encryption Key (KEK) and is never stored unencrypted.
+- **Key Encryption Key (KEK)** is an asymmetric RSA key that is optionally provided by the customer. This key is utilized to encrypt the Data Encryption Key (DEK) using Azure Key Vault and exists only in Azure Key Vault. As mentioned previously in *[Data encryption key management](#data-encryption-key-management)* section, Azure Key Vault can use FIPS 140 validated hardware security modules (HSMs) to safeguard encryption keys. These keys are not exportable and there can be no clear-text version of the KEK outside the HSMs ΓÇô the binding is enforced by the underlying HSM. KEK is never exposed directly to the resource provider or other services. Access to KEK is controlled by permissions in Azure Key Vault and access to Azure Key Vault must be authenticated through Azure Active Directory. These permissions can be revoked to block access to this key and, by extension, the data that is encrypted using this key as the root of the key chain.
:::image type="content" source="./media/secure-isolation-fig16.png" alt-text="Data Encryption Keys are encrypted using customer’s key stored in Azure Key Vault":::

**Figure 16.** Data Encryption Keys are encrypted using customer’s key stored in Azure Key Vault

Therefore, key hierarchy involves both DEK and KEK. DEK is encrypted with KEK and stored separately for efficient access by resource providers in bulk encryption and decryption operations. However, only an entity with access to the KEK can decrypt the DEK. The entity that has access to the KEK may be different than the entity that requires the DEK. Since the KEK is required to decrypt the DEK, the KEK is effectively a single point by which DEK can be deleted via deletion of the KEK.
-Detailed information about various [data encryption models](../security/fundamentals/encryption-models.md) and specifics on key management for a wide range of Azure platform services is available in online documentation. Moreover, some Azure services provide additional [encryption models](../security/fundamentals/encryption-overview.md#azure-encryption-models), including client-side encryption, to further encrypt their data using more granular controls. The rest of this section covers encryption implementation for key Azure storage scenarios such as Storage service encryption and Azure Disk encryption for IaaS Virtual Machines, including server-side encryption for managed disks.
+Detailed information about various [data encryption models](../security/fundamentals/encryption-models.md) and specifics on key management for a wide range of Azure platform services is available in online documentation. Moreover, some Azure services provide other [encryption models](../security/fundamentals/encryption-overview.md#azure-encryption-models), including client-side encryption, to further encrypt their data using more granular controls. The rest of this section covers encryption implementation for key Azure storage scenarios such as Storage service encryption and Azure Disk encryption for IaaS Virtual Machines, including server-side encryption for managed disks.
> [!TIP]
> Customers should review published Azure data encryption documentation for guidance on how to protect their data.
> - **[Data encryption best practices](../security/fundamentals/data-encryption-best-practices.md)**

#### Storage service encryption
-Azure [Storage service encryption](../storage/common/storage-service-encryption.md) for data at rest ensures that data is automatically encrypted before persisting it to Azure Storage and decrypted before retrieval. All data written to Azure Storage is encrypted through FIPS 140-2 validated 256-bit AES encryption, and the handling of encryption, decryption, and key management in Storage service encryption is transparent to customers. By default, Microsoft controls the encryption keys and is responsible for key rotation, usage, and access. Keys are stored securely and protected inside a Microsoft key store. This option provides the most convenience for customers given that all Azure Storage services are supported.
+Azure [Storage service encryption](../storage/common/storage-service-encryption.md) for data at rest ensures that data is automatically encrypted before persisting it to Azure Storage and decrypted before retrieval. All data written to Azure Storage is encrypted through FIPS 140 validated 256-bit AES encryption, and the handling of encryption, decryption, and key management in Storage service encryption is transparent to customers. By default, Microsoft controls the encryption keys and is responsible for key rotation, usage, and access. Keys are stored securely and protected inside a Microsoft key store. This option provides the most convenience for customers given that all Azure Storage services are supported.
However, customers can also choose to manage encryption with their own keys by specifying: -- [Customer-managed key](../storage/common/customer-managed-keys-overview.md) for managing Azure Storage encryption whereby the key is stored in Azure Key Vault. This option provides a lot of flexibility for customers to create, rotate, disable, and revoke access to customer-managed keys. Customers must use Azure Key Vault to store customer-managed keys. Both key vaults and managed HSMs are supported, as described previously in *[Azure Key Vault](#azure-key-vault)* section.
+- [Customer-managed key](../storage/common/customer-managed-keys-overview.md) for managing Azure Storage encryption whereby the key is stored in Azure Key Vault. This option provides much flexibility for customers to create, rotate, disable, and revoke access to customer-managed keys. Customers must use Azure Key Vault to store customer-managed keys. Both key vaults and managed HSMs are supported, as described previously in *[Azure Key Vault](#azure-key-vault)* section.
- [Customer-provided key](../storage/blobs/encryption-customer-provided-keys.md) for encrypting and decrypting Blob storage only whereby the key can be stored in Azure Key Vault or in another key store on customer premises to meet regulatory compliance requirements. Customer-provided keys enable customers to pass an encryption key to Storage service using Blob APIs as part of read or write operations.

> [!NOTE]
> Customers can configure customer-managed keys (CMK) with Azure Key Vault using the **[Azure portal](../storage/common/customer-managed-keys-configure-key-vault.md)**, **[PowerShell](../storage/common/customer-managed-keys-configure-key-vault.md)**, or **[Azure CLI](../storage/common/customer-managed-keys-configure-key-vault.md)** command-line tool. Customers can **[use .NET to specify a customer-provided key](../storage/blobs/storage-blob-customer-provided-key.md)** on a request to Blob storage.
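Review bot: "This option provides much flexibility for customers to create, rotate, disable, and revoke access to customer-managed keys" is awkward after the swap from "a lot of"; "This option gives customers the flexibility to create, rotate, disable, and revoke access to customer-managed keys" reads naturally.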
-Storage service encryption is enabled by default for all new and existing storage accounts and it [cannot be disabled](../storage/common/storage-service-encryption.md#about-azure-storage-encryption). As shown in Figure 17, the encryption process leverages the following keys to help ensure cryptographic certainty of data isolation at rest:
+Storage service encryption is enabled by default for all new and existing storage accounts and it [cannot be disabled](../storage/common/storage-service-encryption.md#about-azure-storage-encryption). As shown in Figure 17, the encryption process uses the following keys to help ensure cryptographic certainty of data isolation at rest:
- *Data Encryption Key (DEK)* is a symmetric AES-256 key that is used for bulk encryption and it is unique per storage account in Azure Storage. It is generated by the Azure Storage service as part of the storage account creation. This key is encrypted by the Key Encryption Key (KEK) and is never stored unencrypted. - *Key Encryption Key (KEK)* is an asymmetric RSA-2048 key that is used to encrypt the Data Encryption Key (DEK) using Azure Key Vault and exists only in Azure Key Vault. It is never exposed directly to the Azure Storage service or other services. Customers must use Azure Key Vault to store their customer-managed keys for Storage service encryption. -- *Stamp Key (SK)* is a symmetric AES-256 key that provides a third layer of encryption key security and is unique to each Azure Storage stamp, i.e., cluster of storage hardware. This key is used to perform a final wrap of the DEK that results in the following key chain hierarchy: SK(KEK(DEK)).
+- *Stamp Key (SK)* is a symmetric AES-256 key that provides a third layer of encryption key security and is unique to each Azure Storage stamp, that is, cluster of storage hardware. This key is used to perform a final wrap of the DEK that results in the following key chain hierarchy: SK(KEK(DEK)).
These three keys are combined to protect any data that is written to Azure Storage and provide cryptographic certainty for logical data isolation in Azure Storage. As mentioned previously, Azure Storage service encryption is enabled by default and it cannot be disabled.
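Review bot: In the customer-managed key bullet of this hunk, "as described previously in *Azure Key Vault* section" is missing its article in both the removed and the added line; since the line is being touched, make it "as described previously in the *Azure Key Vault* section". The "a lot of flexibility" to "much flexibility" substitution also reads stiff; "considerable flexibility" or simply "flexibility" is more natural than "much" in this position.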
Azure Disk encryption relies on two encryption keys for implementation, as descr
- *Data Encryption Key (DEK)* is a symmetric AES-256 key used to encrypt OS and Data volumes through BitLocker or DM-Crypt. DEK itself is encrypted and stored in an internal location close to the data. - *Key Encryption Key (KEK)* is an asymmetric RSA-2048 key used to encrypt the Data Encryption Keys. KEK is kept in Azure Key Vault under customer control including granting access permissions through Azure Active Directory.
-The DEK, encrypted with the KEK, is stored separately and only an entity with access to the KEK can decrypt the DEK. Access to the KEK is guarded by Azure Key Vault where customers can choose to store their keys in [FIPS 140-2 validated hardware security modules](../key-vault/keys/hsm-protected-keys-byok.md).
+The DEK, encrypted with the KEK, is stored separately and only an entity with access to the KEK can decrypt the DEK. Access to the KEK is guarded by Azure Key Vault where customers can choose to store their keys in [FIPS 140 validated hardware security modules](../key-vault/keys/hsm-protected-keys-byok.md).
-For [Windows VMs](../virtual-machines/windows/disk-encryption-faq.yml), Azure Disk encryption selects the encryption method in BitLocker based on the version of Windows, e.g., XTS-AES 256 bit for Windows Server 2012 or greater. These crypto modules are FIPS 140-2 validated as part of the Microsoft [Windows FIPS validation program](/windows/security/threat-protection/fips-140-validation#modules-used-by-windows-server). For [Linux VMs](../virtual-machines/linux/disk-encryption-faq.yml), Azure Disk encryption uses the decrypt default of aes-xts-plain64 with a 256-bit volume master key that is FIPS 140-2 validated as part of DM-Crypt validation obtained by suppliers of Linux IaaS VM images in Microsoft Azure Marketplace.
+For [Windows VMs](../virtual-machines/windows/disk-encryption-faq.yml), Azure Disk encryption selects the encryption method in BitLocker based on the version of Windows, for example, XTS-AES 256 bit for Windows Server 2012 or greater. These crypto modules are FIPS 140 validated as part of the Microsoft [Windows FIPS validation program](/windows/security/threat-protection/fips-140-validation#modules-used-by-windows-server). For [Linux VMs](../virtual-machines/linux/disk-encryption-faq.yml), Azure Disk encryption uses the decrypt default of aes-xts-plain64 with a 256-bit volume master key that is FIPS 140 validated as part of DM-Crypt validation obtained by suppliers of Linux IaaS VM images in Microsoft Azure Marketplace.
##### *Server-side encryption for managed disks*
-[Azure managed disks](../virtual-machines/managed-disks-overview.md) are block-level storage volumes that are managed by Azure and used with Azure Windows and Linux virtual machines. They simplify disk management for Azure IaaS VMs by handling storage account management transparently for customers. Azure managed disks automatically encrypt customer data by default using [256-bit AES encryption](../virtual-machines/disk-encryption.md) that is FIPS 140-2 validated. For encryption key management, customers have the following choices:
+[Azure managed disks](../virtual-machines/managed-disks-overview.md) are block-level storage volumes that are managed by Azure and used with Azure Windows and Linux virtual machines. They simplify disk management for Azure IaaS VMs by handling storage account management transparently for customers. Azure managed disks automatically encrypt customer data by default using [256-bit AES encryption](../virtual-machines/disk-encryption.md) that is FIPS 140 validated. For encryption key management, customers have the following choices:
- [Platform-managed keys](../virtual-machines/disk-encryption.md#platform-managed-keys) is the default choice that provides transparent data encryption at rest for managed disks whereby keys are managed by Microsoft. - [Customer-managed keys](../virtual-machines/disk-encryption.md#customer-managed-keys) enables customers to have control over their own keys that can be imported into Azure Key Vault or generated inside Azure Key Vault. This approach relies on two sets of keys as described previously: DEK and KEK. DEK encrypts the data using an AES-256 based encryption and is in turn encrypted by an RSA-2048 KEK that is stored in Azure Key Vault. Only key vaults can be used to safeguard customer-managed keys; managed HSMs do not support Azure Disk encryption.
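Review bot: The three "FIPS 140-2 validated" to "FIPS 140 validated" edits in this hunk (the KEK-in-Key-Vault line, the BitLocker/DM-Crypt line, and the managed disks line) drop the revision of the standard; that matches the storage-encryption paragraph above, which already says "FIPS 140 validated", but a compliance reader will want to know whether the modules are validated against 140-2, 140-3, or both, so state the reason for un-pinning the revision in the commit message rather than silently generalizing. Separately, "Azure Disk encryption uses the decrypt default of aes-xts-plain64" reads like a typo; if this means DM-Crypt's default cipher mode, write "the DM-Crypt default of aes-xts-plain64" while the line is open.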
The sectors on the physical disk associated with the deleted data become immedia
Customers are not provided with direct access to the underlying physical storage. Since customer software only addresses virtual disks, there is no way to express a request to read from or write to a physical address that is allocated to a different customer or a physical address that is free. For more information, see the blog post on [data cleansing and leakage](/archive/blogs/walterm/microsoft-azure-data-security-data-cleansing-and-leakage).
-Conceptually, this rationale applies regardless of the software that keeps track of reads and writes. In the case of [Azure SQL Database](../security/fundamentals/isolation-choices.md#sql-database-isolation), it is the SQL Database software that does this enforcement. For Azure Storage, it is the Azure Storage software. In the case of non-durable drives of a VM, it is the VHD handling code of the Host OS. The mapping from virtual to physical address takes place outside of the customer VM.
+Conceptually, this rationale applies regardless of the software that keeps track of reads and writes. For [Azure SQL Database](../security/fundamentals/isolation-choices.md#sql-database-isolation), it is the SQL Database software that does this enforcement. For Azure Storage, it is the Azure Storage software. For non-durable drives of a VM, it is the VHD handling code of the Host OS. The mapping from virtual to physical address takes place outside of the customer VM.
-Finally, as described in *[Data encryption at rest](#data-encryption-at-rest)* section and depicted in Figure 16, the encryption key hierarchy relies on the Key Encryption Key (KEK) which can be kept in Azure Key Vault under customer control (i.e., customer-managed key ΓÇô CMK) and used to encrypt the Data Encryption Key (DEK), which in turns encrypts data at rest using AES-256 symmetric encryption. Data in Azure Storage is encrypted at rest by default and customers can choose to have encryption keys under their own control. In this manner, customers can also prevent access to their data stored in Azure. Moreover, since the KEK is required to decrypt the DEKs, the KEK is effectively a single point by which DEK can be deleted via deletion of the KEK.
+Finally, as described in *[Data encryption at rest](#data-encryption-at-rest)* section and depicted in Figure 16, the encryption key hierarchy relies on the Key Encryption Key (KEK) which can be kept in Azure Key Vault under customer control (that is, customer-managed key ΓÇô CMK) and used to encrypt the Data Encryption Key (DEK), which in turns encrypts data at rest using AES-256 symmetric encryption. Data in Azure Storage is encrypted at rest by default and customers can choose to have encryption keys under their own control. In this manner, customers can also prevent access to their data stored in Azure. Moreover, since the KEK is required to decrypt the DEKs, the KEK is effectively a single point by which DEK can be deleted via deletion of the KEK.
### Data retention
-At all times during the term of customerΓÇÖs Azure subscription, customer has the ability to access, extract, and delete customer data stored in Azure.
+Always during the term of customerΓÇÖs Azure subscription, customer has the ability to access, extract, and delete customer data stored in Azure.
-If a subscription expires or is terminated, Microsoft will preserve customer data for a 90-day retention period to permit customers to extract data or renew their subscriptions. After this retention period, Microsoft will delete all customer data within an additional 90 days, i.e., customer data will be permanently deleted 180 days after expiration or termination. Given the data retention procedure, customers can control how long their data is stored by timing when they end the service with Microsoft. It is recommended that customers do not terminate their service until they have extracted all data so that the initial 90-day retention period can act as a safety buffer should customers later realize they missed something.
+If a subscription expires or is terminated, Microsoft will preserve customer data for a 90-day retention period to permit customers to extract data or renew their subscriptions. After this retention period, Microsoft will delete all customer data within an another 90 days, that is, customer data will be permanently deleted 180 days after expiration or termination. Given the data retention procedure, customers can control how long their data is stored by timing when they end the service with Microsoft. It is recommended that customers do not terminate their service until they have extracted all data so that the initial 90-day retention period can act as a safety buffer should customers later realize they missed something.
-If the customer deleted an entire storage account by mistake, they should contact [Azure Support](https://azure.microsoft.com/support/options/) promptly for assistance with recovery. Customers can [create and manage support requests](../azure-portal/supportability/how-to-create-azure-support-request.md) in the Azure portal. A storage account deleted within a subscription is retained for two weeks to allow for recovery from accidental deletion, after which it is permanently deleted. However, when a storage object (e.g., blob, file, queue, table) is itself deleted, the delete operation is immediate and irreversible. Unless the customer made a backup, deleted storage objects cannot be recovered. For Blob storage, customers can implement additional protection against accidental or erroneous modifications or deletions by enabling [soft delete](../storage/blobs/soft-delete-blob-overview.md). When [soft delete is enabled](../storage/blobs/soft-delete-blob-enable.md) for a storage account, blobs, blob versions, and snapshots in that storage account may be recovered after they are deleted, within a retention period specified by the customer. To avoid retention of data after storage account or subscription deletion, customers can delete storage objects individually before deleting the storage account or subscription.
+If the customer deleted an entire storage account by mistake, they should contact [Azure Support](https://azure.microsoft.com/support/options/) promptly for assistance with recovery. Customers can [create and manage support requests](../azure-portal/supportability/how-to-create-azure-support-request.md) in the Azure portal. A storage account deleted within a subscription is retained for two weeks to allow for recovery from accidental deletion, after which it is permanently deleted. However, when a storage object (for example, blob, file, queue, table) is itself deleted, the delete operation is immediate and irreversible. Unless the customer made a backup, deleted storage objects cannot be recovered. For Blob storage, customers can implement extra protection against accidental or erroneous modifications or deletions by enabling [soft delete](../storage/blobs/soft-delete-blob-overview.md). When [soft delete is enabled](../storage/blobs/soft-delete-blob-enable.md) for a storage account, blobs, blob versions, and snapshots in that storage account may be recovered after they are deleted, within a retention period specified by the customer. To avoid retention of data after storage account or subscription deletion, customers can delete storage objects individually before deleting the storage account or subscription.
-For accidental deletion involving Azure SQL Database, customers should check backups that the service makes automatically (e.g., full database backup is done weekly, and differential database backups are done hourly) and use point-in-time restore. Also, individual services (e.g., Azure DevOps) can have their own policies for [accidental data deletion](/azure/devops/organizations/security/data-protection#mistakes-happen).
+For accidental deletion involving Azure SQL Database, customers should check backups that the service makes automatically (for example, full database backup is done weekly, and differential database backups are done hourly) and use point-in-time restore. Also, individual services (such as Azure DevOps) can have their own policies for [accidental data deletion](/azure/devops/organizations/security/data-protection#mistakes-happen).
### Data destruction If a disk drive used for storage suffers a hardware failure, it is securely [erased or destroyed](https://www.microsoft.com/trustcenter/privacy/data-management) before decommissioning. The data on the drive is erased to ensure that the data cannot be recovered by any means. When such devices are decommissioned, Microsoft follows the [NIST SP 800-88 R1](https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final) disposal process with data classification aligned to FIPS 199 Moderate. Magnetic, electronic, or optical media are purged or destroyed in accordance with the requirements established in NIST SP 800-88 R1 where the terms are defined as follows: -- **Purge:** &#8220;a media sanitization process that protects the confidentiality of information against a laboratory attack&#8221;, which involves &#8220;resources and knowledge to use nonstandard systems to conduct data recovery attempts on media outside their normal operating environment&#8221; using &#8220;signal processing equipment and specially trained personnel.&#8221; Note: For hard disk drives (including ATA, SCSI, SATA, SAS, etc.) a firmware-level secure-erase command (single-pass) is acceptable, or a software-level three pass overwrite and verification (ones, zeros, random) of the entire physical media including recovery areas, if any. For solid state disks (SSD), a firmware-level secure-erase command is necessary.
+- **Purge:** &#8220;a media sanitization process that protects the confidentiality of information against a laboratory attack&#8221;, which involves &#8220;resources and knowledge to use nonstandard systems to conduct data recovery attempts on media outside their normal operating environment&#8221; using &#8220;signal processing equipment and specially trained personnel.&#8221; Note: For hard disk drives (including ATA, SCSI, SATA, SAS, etc.) a firmware-level secure-erase command (single-pass) is acceptable, or a software-level three-pass overwrite and verification (ones, zeros, random) of the entire physical media including recovery areas, if any. For solid state disks (SSD), a firmware-level secure-erase command is necessary.
- **Destroy:** &#8220;a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting&#8221; after which the media &#8220;cannot be reused as originally intended.&#8221; Purge and Destroy operations must be performed using tools and processes approved by the Microsoft Cloud + AI Security Group. Records must be kept of the erasure and destruction of assets. Devices that fail to complete the Purge successfully must be degaussed (for magnetic media only) or Destroyed.
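Review bot: The data retention paragraph's added line introduces a new typo: "within an another 90 days" should be "within another 90 days" (the removed line's "an additional 90 days" was fine, and "another" alone is the right replacement). Two more wording points in the same hunk: "Always during the term of customer's Azure subscription" is awkward where the original "At all times during the term" was not, so prefer "Throughout the term of the customer's Azure subscription"; and in the KEK paragraph, "which in turns encrypts data at rest" carries over a pre-existing error that should become "which in turn encrypts" now that the line is being rewritten.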
Azure isolation assurance is further enforced by MicrosoftΓÇÖs internal use of t
- **Security Development Lifecycle (SDL)** ΓÇô The Microsoft SDL introduces security and privacy considerations throughout all phases of the development process, helping developers build highly secure software, address security compliance requirements, and reduce development costs. The guidance, best practices, [tools](https://www.microsoft.com/securityengineering/sdl/resources), and processes in the Microsoft SDL are [practices](https://www.microsoft.com/securityengineering/sdl/practices) used internally to build all Azure services and create more secure products and services. This process is also publicly documented to share MicrosoftΓÇÖs learnings with the broader industry and incorporate industry feedback to create a stronger security development process. - **Tooling and processes** ΓÇô All Azure code is subject to an extensive set of both static and dynamic analysis tools that identify potential vulnerabilities, ineffective security patterns, memory corruption, user privilege issues, and other critical security problems.
- - *Purpose built fuzzing* ΓÇô A testing technique used to find security vulnerabilities in software products and services. It consists of repeatedly feeding modified, or fuzzed, data to software inputs to trigger hangs, exceptions, and crashes, i.e., fault conditions that could be leveraged by an attacker to disrupt or take control of applications and services. The Microsoft SDL recommends [fuzzing](https://www.microsoft.com/research/blog/a-brief-introduction-to-fuzzing-and-why-its-an-important-tool-for-developers/) all attack surfaces of a software product, especially those surfaces that expose a data parser to untrusted data.
- - *Live-site penetration testing* ΓÇô Microsoft conducts [ongoing live-site penetration testing](https://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf) to improve cloud security controls and processes, as part of the Red Teaming program described later in this section. Penetration testing is a security analysis of a software system performed by skilled security professionals simulating the actions of a hacker. The objective of a penetration test is to uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses. The tests are conducted against Azure infrastructure and platforms as well as MicrosoftΓÇÖs own tenants, applications, and data. Customer tenants, applications, and data hosted in Azure are never targeted; however, customers can conduct [their own penetration testing](../security/fundamentals/pen-testing.md) of their applications deployed in Azure.
+ - *Purpose built fuzzing* ΓÇô A testing technique used to find security vulnerabilities in software products and services. It consists of repeatedly feeding modified, or fuzzed, data to software inputs to trigger hangs, exceptions, and crashes, which are fault conditions that could be used by an attacker to disrupt or take control of applications and services. The Microsoft SDL recommends [fuzzing](https://www.microsoft.com/research/blog/a-brief-introduction-to-fuzzing-and-why-its-an-important-tool-for-developers/) all attack surfaces of a software product, especially those surfaces that expose a data parser to untrusted data.
+ - *Live-site penetration testing* ΓÇô Microsoft conducts [ongoing live-site penetration testing](https://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf) to improve cloud security controls and processes, as part of the Red Teaming program described later in this section. Penetration testing is a security analysis of a software system performed by skilled security professionals simulating the actions of a hacker. The objective of a penetration test is to uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses. The tests are conducted against Azure infrastructure and platforms and MicrosoftΓÇÖs own tenants, applications, and data. Customer tenants, applications, and data hosted in Azure are never targeted; however, customers can conduct [their own penetration testing](../security/fundamentals/pen-testing.md) of their applications deployed in Azure.
- *Threat modeling* ΓÇô A core element of the Microsoft SDL. ItΓÇÖs an engineering technique used to help identify threats, attacks, vulnerabilities, and countermeasures that could affect applications and services. [Threat modeling](../security/develop/threat-modeling-tool-getting-started.md) is part of the Azure routine development lifecycle. - *Automated build alerting of changes to attack surface area* ΓÇô [Attack Surface Analyzer](https://github.com/microsoft/attacksurfaceanalyzer) is a Microsoft-developed open-source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration. The core feature of Attack Surface Analyzer is the ability to &#8220;diff&#8221; an operating system's security configuration, before and after a software component is installed. This feature is important because most installation processes require elevated privileges, and once granted, can lead to unintended system configuration changes.-- **Mandatory security training** ΓÇô The Microsoft Azure security training and awareness program requires all personnel responsible for Azure development and operations to take essential training as well as any additional training based on individual job requirements. These procedures provide a standard approach, tools, and techniques used to implement and sustain the awareness program. Microsoft has implemented a security awareness program called STRIKE that provides monthly e-mail communication to all Azure engineering personnel about security awareness and allows employees to register for in-person or online security awareness training. 
STRIKE offers a series of security training events throughout the year, as well as STRIKE Central, which is a centralized online resource for security awareness, training, documentation, and community engagement.-- **Bug Bounty Program** ΓÇô Microsoft strongly believes that close partnership with academic and industry researchers drives a higher level of security assurance for customers and their data. Security researchers play an integral role in the Azure ecosystem by discovering vulnerabilities missed in the software development process. The [Microsoft Bug Bounty Program](https://www.microsoft.com/msrc/bounty) is designed to supplement and encourage research in relevant technologies (e.g., encryption, spoofing, hypervisor isolation, elevation of privileges, etc.) to better protect AzureΓÇÖs infrastructure and customer data. As an example, for each critical vulnerability identified in the Azure Hypervisor, Microsoft compensates security researchers up to $250,000 ΓÇô a significant amount to incentivize participation and vulnerability disclosure. The bounty range for [vulnerability reports on Azure services](https://www.microsoft.com/msrc/bounty-microsoft-azure) is up to $300,000.
+- **Mandatory security training** ΓÇô The Microsoft Azure security training and awareness program requires all personnel responsible for Azure development and operations to take essential training and any extra training based on individual job requirements. These procedures provide a standard approach, tools, and techniques used to implement and sustain the awareness program. Microsoft has implemented a security awareness program called STRIKE that provides monthly e-mail communication to all Azure engineering personnel about security awareness and allows employees to register for in-person or online security awareness training. STRIKE offers a series of security training events throughout the year plus STRIKE Central, which is a centralized online resource for security awareness, training, documentation, and community engagement.
+- **Bug Bounty Program** ΓÇô Microsoft strongly believes that close partnership with academic and industry researchers drives a higher level of security assurance for customers and their data. Security researchers play an integral role in the Azure ecosystem by discovering vulnerabilities missed in the software development process. The [Microsoft Bug Bounty Program](https://www.microsoft.com/msrc/bounty) is designed to supplement and encourage research in relevant technologies (for example, encryption, spoofing, hypervisor isolation, elevation of privileges, etc.) to better protect AzureΓÇÖs infrastructure and customer data. As an example, for each critical vulnerability identified in the Azure Hypervisor, Microsoft compensates security researchers up to $250,000 ΓÇô a significant amount to incentivize participation and vulnerability disclosure. The bounty range for [vulnerability reports on Azure services](https://www.microsoft.com/msrc/bounty-microsoft-azure) is up to $300,000.
- **Red Team activities** ΓÇô Microsoft utilizes [Red Teaming](https://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf), a form of live site penetration testing against Microsoft-managed infrastructure, services, and applications. Microsoft simulates real-world breaches, continuously monitors security, and practices security incident response to test and improve the security of Azure. Red Teaming is predicated on the Assume Breach security strategy and executed by two core groups: Red Team (attackers) and Blue Team (defenders). The approach is designed to test Azure systems and operations using the same tactics, techniques, and procedures as real adversaries against live production infrastructure, without the foreknowledge of the infrastructure and platform Engineering or Operations teams. This approach tests security detection and response capabilities, and helps identify production vulnerabilities, configuration errors, invalid assumptions, or other security issues in a controlled manner. Every Red Team breach is followed by full disclosure between the Red Team and Blue Team to identify gaps, address findings, and significantly improve breach response. When migrating to the cloud, customers accustomed to traditional on-premises data center deployment will usually conduct a risk assessment to gauge their threat exposure and formulate mitigating measures. In many of these instances, security considerations for traditional on-premises deployment tend to be well understood whereas the corresponding cloud options tend to be new. The next section is intended to help customers with this comparison.
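Review bot: In the live-site penetration testing line, replacing "as well as" with "and" produces "against Azure infrastructure and platforms and Microsoft's own tenants, applications, and data", a double "and" that obscures the two distinct targets; punctuate it as "against Azure infrastructure and platforms, and against Microsoft's own tenants, applications, and data". In the neighbouring fuzzing bullet, "Purpose built fuzzing" should be hyphenated as "Purpose-built fuzzing" since it is a compound modifier, and the "i.e." to "which are" rewrite there is good.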
When migrating to the cloud, customers accustomed to traditional on-premises dat
A multi-tenant cloud platform implies that multiple customer applications and data are stored on the same physical hardware. Azure uses [logical isolation](../security/fundamentals/isolation-choices.md) to segregate each customer's applications and data. This approach provides the scale and economic benefits of multi-tenant cloud services while rigorously helping enforce controls designed to keep customers from accessing one another's data or applications. This section addresses concerns common to customers who are migrating from traditional on-premises physically isolated infrastructure to the cloud. ### Physical versus logical security considerations
-Table 6 provides a summary of key security considerations for physically isolated on-premises deployments (e.g., bare metal) versus logically isolated cloud-based deployments (e.g., Azure). ItΓÇÖs useful to review these considerations prior to examining risks identified to be specific to shared cloud environments.
+Table 6 provides a summary of key security considerations for physically isolated on-premises deployments (bare metal) versus logically isolated cloud-based deployments (Azure). ItΓÇÖs useful to review these considerations prior to examining risks identified to be specific to shared cloud environments.
**Table 6.** Key security considerations for physical versus logical isolation
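Review bot: The Table 6 introduction changes "(e.g., bare metal)" to "(bare metal)" and "(e.g., Azure)" to "(Azure)", which turns examples into definitions: bare metal is one form of physically isolated deployment and Azure is one logically isolated cloud, not the only ones. Elsewhere in this change "e.g." became "for example", so apply the same substitution here: "(for example, bare metal)" and "(for example, Azure)".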
Table 6 provides a summary of key security considerations for physically isolate
|**Security analytics**|- Security analytics dependent on host-based security solutions, which assume host/security software has not been compromised|- Outside VM (hypervisor based) forensics/snapshot capability allows assessment of potentially compromised workloads| |**Security policy**|- Security policy verification (patch scanning, vulnerability scanning, etc.) subject to tampering by compromised host </br>- Inconsistent security policy applied across customer entities|- Outside VM verification of security policies </br>- Possible to enforce uniform security policies across customer entities| |**Logging and monitoring**|- Varied logging and security analytics solutions|- Common Azure platform logging and security analytics solutions </br>- Most existing on-premises / varied logging and security analytics solutions also work|
-|**Malicious insider**|- Persistent threat caused by system admins having elevated access rights typically for the duration of employment|- Greatly reduced threat because admins have no default access rights|
+|**Malicious insider**|- Persistent threat caused by system admins having elevated access rights typically for during employment|- Greatly reduced threat because admins have no default access rights|
Listed below are key risks that are unique to shared cloud environments that may need to be addressed when accommodating sensitive data and workloads.
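Review bot: The malicious insider row's added line is ungrammatical: "elevated access rights typically for during employment". The removed line's "for the duration of employment" was correct; either keep it or use "typically throughout their employment". The right-hand cell is unchanged and fine.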
A multi-tenant cloud platform implies that multiple customer applications and da
Azure addresses the perceived risk of resource sharing by providing a trustworthy foundation for assuring multi-tenant, cryptographically certain, logically isolated cloud services using a common set of principles: -- User access controls with authentication and identity separation that leverages Azure Active Directory and Azure role-based access control (Azure RBAC).
+- User access controls with authentication and identity separation that uses Azure Active Directory and Azure role-based access control (Azure RBAC).
- Compute isolation for processing, including both logical and physical compute isolation. - Networking isolation including separation of network traffic and data encryption in transit.-- Storage isolation with data encryption at rest using advanced algorithms with multiple ciphers and encryption keys, as well as provisions for customer-managed keys (CMK) under customer control in Azure Key Vault.
+- Storage isolation with data encryption at rest using advanced algorithms with multiple ciphers and encryption keys and provisions for customer-managed keys (CMK) under customer control in Azure Key Vault.
- Security assurance processes embedded in service design to correctly develop logically isolated services, including Security Development Lifecycle (SDL) and other strong security assurance processes to protect attack surfaces and mitigate risks. In line with the shared responsibility model in cloud computing, this article provides customer guidance for activities that are part of the customer responsibility. It also explores design principles and technologies available in Azure to help customers achieve their secure isolation objectives.
azure-government Documentation Government Csp List https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-csp-list.md
Below you can find a list of all the authorized Cloud Solution Providers, AOS-G
|[Airnet Group](https://www.airnetgroup.com/)| |[AIS Network](https://www.aisn.net/)| |[Alcala Consulting Inc.](https://www.alcalaconsulting.com/)|
-|[Alexan Consulting Enterprise Services, LLC (ACES)](http://www.acesred.com)|
+|Alexan Consulting Enterprise Services, LLC (ACES)|
|[Alliance Enterprises, Inc.](https://www.allianceenterprises.com)| |[Alvarez Technology Group](https://www.alvareztg.com/)| |[Amalgama Technologies Inc](http://amalgamatetech.com/)|
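Review bot: unlinking Alexan Consulting Enterprise Services, LLC (ACES) leaves it as the only entry in this part of the list without a URL, so a reader can no longer verify the provider. If the reason is that www.acesred.com stopped resolving or changed hands, that is a sound reason to remove it (a lapsed domain in an authorized-provider list can be re-registered and pointed at a phishing site), but the commit should say so. The same check belongs on the neighbouring plain-http entries such as http://amalgamatetech.com/, which should be upgraded to https where the site supports it.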
azure-government Documentation Government Overview Wwps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-overview-wwps.md
Previously updated : 06/29/2021 Last updated : 07/22/2021 # Azure for secure worldwide public sector cloud adoption
Azure and Azure Stack Hub can help you unlock new hybrid use cases for externall
Azure Stack Hub brings the following [value proposition for key scenarios](/azure-stack/operator/azure-stack-overview) shown in Figure 5: -- **Edge and disconnected solutions:** Address latency and connectivity requirements by processing data locally in Azure Stack Hub and then aggregating in Azure for further analytics, with common application logic across both, connected or disconnected. Aircraft, ship, or truck-delivered, Azure Stack Hub meets the tough demands of exploration, construction, agriculture, oil and gas, manufacturing, disaster response, government, and military efforts in the most extreme conditions and remote locations. For example, with Azure Stack Hub architecture for [edge and disconnected solutions](/azure/architecture/solution-ideas/articles/ai-at-the-edge-disconnected), you can bring the next generation of AI-enabled hybrid applications to the edge where the data lives and integrate it with existing applications for low-latency intelligence.
+- **Edge and disconnected solutions:** Address latency and connectivity requirements by processing data locally in Azure Stack Hub and then aggregating in Azure for further analytics, with common application logic across both (connected or disconnected). Aircraft, ship, or truck-delivered, Azure Stack Hub meets the tough demands of exploration, construction, agriculture, oil and gas, manufacturing, disaster response, government, and military efforts in the most extreme conditions and remote locations. For example, with Azure Stack Hub architecture for [edge and disconnected solutions](/azure/architecture/solution-ideas/articles/ai-at-the-edge-disconnected), you can bring the next generation of AI-enabled hybrid applications to the edge where the data lives and integrate it with existing applications for low-latency intelligence.
- **Cloud applications to meet data sovereignty:** Deploy a single application differently depending on the country or region. You can develop and deploy applications in Azure, with full flexibility to deploy on-premises with Azure Stack Hub based on the need to meet data sovereignty or custom compliance requirements. For example, with Azure Stack Hub architecture for [data sovereignty](/azure/architecture/solution-ideas/articles/data-sovereignty-and-gravity), you can transmit data from an Azure VNet to Azure Stack Hub VNet over private connection and ultimately store data in a SQL Server database running in a VM on Azure Stack Hub. You can use Azure Stack Hub to accommodate even more restrictive requirements such as the need to deploy solutions in a disconnected environment managed by security-cleared, in-country personnel. These disconnected environments may not be permitted to connect to the Internet for any purpose because of the security classification they operate at. - **Cloud application model on-premises:** Use Azure Stack Hub to update and extend legacy applications and make them cloud ready. With App Service on Azure Stack Hub, you can create a web front end to consume modern APIs with modern clients while taking advantage of consistent programming models and skills. For example, with Azure Stack Hub architecture for [legacy system modernization](/azure/architecture/solution-ideas/articles/unlock-legacy-data), you can apply a consistent DevOps process, Azure Web Apps, containers, serverless computing, and microservices architectures to modernize legacy applications while integrating and preserving legacy data in mainframe and core line-of-business systems.
Azure Stack Hub protects your data at the storage subsystem level using [encrypt
Azure Stack Edge brings the following [value proposition for key use cases](../databox-online/azure-stack-edge-gpu-overview.md#use-cases) shown in Figure 6: -- **Inference with Azure Machine Learning:** Inference is a part of deep learning that takes place after model training, such as the prediction stage resulting from applying learned capability to new data. For example, itΓÇÖs the part that recognizes a vehicle in a target image after the model has been trained by processing many tagged vehicle images, often augmented by computer synthesized images (also known as synthetics). With Azure Stack Edge, you can run Machine Learning (ML) models to get results quickly and act on them before the data is sent to the cloud. The necessary subset of data (in case of bandwidth constraints) or the full data set is transferred to the cloud to continue to retrain and improve customerΓÇÖs ML models.
+- **Inference with Azure Machine Learning:** Inference is a part of deep learning that takes place after model training, such as the prediction stage resulting from applying learned capability to new data. For example, itΓÇÖs the part that recognizes a vehicle in a target image after the model has been trained by processing many tagged vehicle images, often augmented by computer synthesized images (also known as synthetics). With Azure Stack Edge, you can run Machine Learning (ML) models to get results quickly and act on them before the data is sent to the cloud. The necessary subset of data (if there are bandwidth constraints) or the full data set is transferred to the cloud to continue to retrain and improve customerΓÇÖs ML models.
- **Preprocess data:** Analyze data from on-premises or IoT devices to quickly obtain results while staying close to where data is generated. Azure Stack Edge transfers the full data set (or just the necessary subset of data when bandwidth is an issue) to the cloud to perform more advanced processing or deeper analytics. Preprocessing can be used to aggregate data, modify data (for example, remove personally identifiable information or other sensitive data), transfer data needed for deeper analytics in the cloud, and analyze and react to IoT events. - **Transfer data over network to Azure:** Use Azure Stack Edge to transfer data to Azure to enable further compute and analytics or for archival purposes.
This section provides an overview of select use cases that showcase Azure capabi
### Processing highly sensitive or regulated data on Azure Stack Hub
-Microsoft provides Azure Stack Hub as an on-premises, cloud-consistent experience for customers who do not have the ability to connect directly to the Internet, or where certain workload types are required to be hosted in-country due to law, compliance, or sentiment. Azure Stack Hub offers IaaS and PaaS services and shares the same APIs as the public Azure cloud. Azure Stack Hub is available in scale units of 4, 8, and 16 servers in a single-server rack, and 4 servers in a military-specification, ruggedized set of transit cases, or multiple racks in a modular data center configuration.
+Microsoft provides Azure Stack Hub as an on-premises, cloud-consistent experience for customers who do not have the ability to connect directly to the Internet, or where certain workload types are required to be hosted in-country due to law, compliance, or sentiment. Azure Stack Hub offers IaaS and PaaS services and shares the same APIs as the global Azure cloud. Azure Stack Hub is available in scale units of 4, 8, and 16 servers in a single-server rack, and 4 servers in a military-specification, ruggedized set of transit cases, or multiple racks in a modular data center configuration.
Azure Stack Hub is a solution if you operate in scenarios where:
This section addresses common customer questions related to Azure public, privat
- **Customer separation:** How does Microsoft logically or physically separate customers within its cloud environment? Is there an option for my organization to ensure complete physical separation? **Answer:** Azure uses [logical isolation](./azure-secure-isolation-guidance.md) to separate your applications and data from other customers. This approach provides the scale and economic benefits of multi-tenant cloud services while rigorously enforcing controls designed to keep your data and applications off limits to other customers. There is also an option to enforce physical compute isolation via [Azure Dedicated Host](https://azure.microsoft.com/services/virtual-machines/dedicated-host/), which provides physical servers that can host one or more Azure VMs and are dedicated to one Azure subscription. You can provision dedicated hosts within a region, availability zone, and fault domain. You can then place VMs directly into provisioned hosts using whatever configuration best meets your needs. Dedicated Host provides hardware isolation at the physical server level, enabling you to place your Azure VMs on an isolated and dedicated physical server that runs only your organizationΓÇÖs workloads to meet corporate compliance requirements. - **Data encryption at rest and in transit:** Does Microsoft enforce data encryption by default? Does Microsoft support customer-managed encryption keys? **Answer:** Yes, many Azure services, including Azure Storage and Azure SQL Database, encrypt data by default and support customer-managed keys. Azure [Storage encryption for data at rest](../storage/common/storage-service-encryption.md) ensures that data is automatically encrypted before persisting it to Azure Storage and decrypted before retrieval. You can use [your own encryption keys](../storage/common/customer-managed-keys-configure-key-vault.md) for Azure Storage encryption at rest and manage your keys in Azure Key Vault. 
Storage encryption is enabled by default for all new and existing storage accounts and it cannot be disabled. When provisioning storage accounts, you can enforce ΓÇ£[secure transfer required](../storage/common/storage-require-secure-transfer.md)ΓÇ¥ option, which allows access only from secure connections. This option is enabled by default when creating a storage account in the Azure portal. Azure SQL Database enforces [data encryption in transit](../azure-sql/database/security-overview.md#information-protection-and-encryption) by default and provides [transparent data encryption](../azure-sql/database/transparent-data-encryption-tde-overview.md) (TDE) at rest [by default](https://azure.microsoft.com/updates/newly-created-azure-sql-databases-encrypted-by-default/) allowing you to use Azure Key Vault and *[bring your own key](../azure-sql/database/transparent-data-encryption-byok-overview.md)* (BYOK) functionality to control key management tasks including key permissions, rotation, deletion, and so on. - **Data encryption during processing:** Can Microsoft protect my data while it is being processed in memory? **Answer:** Yes, [Azure confidential computing](https://azure.microsoft.com/solutions/confidential-compute/) supports two different technologies for data encryption while in use. First, you can use VMs based on Intel Xeon processors with [Intel Software Guard Extensions](https://software.intel.com/sgx) (SGX) technology. With this approach, data is protected inside a hardware-based trusted execution environment (TEE, also known as enclave), which is created by securing a portion of the processor and memory. Only authorized code is permitted to run and to access data, so application code and data are protected against viewing and modification from outside of TEE. Second, you can use VMs based on AMD EPYC 3rd Generation CPUs for lift and shift scenarios without requiring any application code changes. 
These AMD EPYC CPUs make it possible to encrypt your entire virtual machine at runtime. The encryption keys used for VM encryption are generated and safeguarded by a dedicated secure processor on the EPYC CPU and cannot be extracted by any external means.-- **FIPS 140 validation:** Does Microsoft offer FIPS 140 Level 3 validated hardware security modules (HSMs) in Azure? If so, can I store AES-256 symmetric encryption keys in these HSMs? **Answer:** Azure Key Vault [Managed HSM](../key-vault/managed-hsm/overview.md) provides a fully managed, highly available, single-tenant HSM as a service that uses FIPS 140 Level 3 validated HSMs (certificate [#3718](https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3718)). Each Managed HSM instance is bound to a separate security domain controlled by you and isolated cryptographically from instances belonging to other customers. With Managed HSMs, support is available for AES 128-bit and 256-bit symmetric keys.
+- **FIPS 140 validation:** Does Microsoft offer FIPS 140 Level 3 validated hardware security modules (HSMs) in Azure? If so, can I store AES-256 symmetric encryption keys in these HSMs? **Answer:** Azure Key Vault [Managed HSM](../key-vault/managed-hsm/overview.md) provides a fully managed, highly available, single-tenant HSM as a service that uses [FIPS 140 Level 3 validated HSMs](/azure/compliance/offerings/offering-fips-140-2). Each Managed HSM instance is bound to a separate security domain controlled by you and isolated cryptographically from instances belonging to other customers. With Managed HSMs, support is available for AES 128-bit and 256-bit symmetric keys.
- **Customer provided cryptography:** Can I use my own cryptography or encryption hardware? **Answer:** Yes, you can use your own HSMs deployed on-premises with your own crypto algorithms. However, if you expect to use customer-managed keys for services integrated with [Azure Key Vault](https://azure.microsoft.com/services/key-vault/) (for example, Azure Storage, SQL Database, Disk encryption, and others), then you must use hardware security modules (HSMs) and [cryptography supported by Azure Key Vault](../key-vault/keys/about-keys.md). - **Access to customer data by Microsoft personnel:** How does Microsoft restrict access to my data by Microsoft engineers? **Answer:** Microsoft engineers [do not have default access](https://www.microsoft.com/trust-center/privacy/data-access) to your data in the cloud. Instead, they can be granted access, under management oversight, only when necessary using a [restricted access workflow](https://www.youtube.com/watch?v=lwjPGtGGe84&feature=youtu.be&t=25m). Most customer support requests can be resolved without accessing your data as Microsoft engineers rely heavily on logs for troubleshooting and support. If a Microsoft engineer requires elevated access to your data as part of the support workflow, you can use [Customer Lockbox](../security/fundamentals/customer-lockbox-overview.md) for Azure to control how a Microsoft engineer accesses your data. Customer Lockbox for Azure puts you in charge of that decision by enabling you to approve/deny such elevated access requests. For more information on how Microsoft restricts insider access to your data, see [Restrictions on insider access](./documentation-government-plan-security.md#restrictions-on-insider-access). ### Operations -- **Code review:** What can Microsoft do to prevent malicious code from being inserted into services that my organization uses? Can I review Microsoft code deployments? 
**Answer:** Microsoft has invested heavily in security assurance processes and practices to correctly develop logically isolated services and systems. For more information, see [Security assurance processes and practices](./azure-secure-isolation-guidance.md#security-assurance-processes-and-practices). For more information about Azure Hypervisor isolation, see [Defense-in-depth exploit mitigations](./azure-secure-isolation-guidance.md#defense-in-depth-exploit-mitigations). Microsoft has full control over all source code that comprises Azure services. For example, the procedure for patching guest VMs differs greatly from traditional on-premises patching where patch verification is necessary following installation. In Azure, patches are not applied to guest VMs; instead, the VM is simply restarted and when the VM boots, it is guaranteed to boot from a known good image that Microsoft controls. There is no way to insert malicious code into the image or interfere with the boot process. PaaS VMs offer more advanced protection against persistent malware infections than traditional physical server solutions, which if compromised by an attacker can be difficult to clean, even after the vulnerability is corrected. With PaaS VMs, reimaging is a routine part of operations, and it can help clean out intrusions that have not even been detected. This approach makes it more difficult for a compromise to persist. You cannot review Azure source code; however, online access to view source code is available for key products through the Microsoft [Government Security Program](https://www.microsoft.com/securityengineering/gsp) (GSP).
+- **Code review:** What can Microsoft do to prevent malicious code from being inserted into services that my organization uses? Can I review Microsoft code deployments? **Answer:** Microsoft has invested heavily in security assurance processes and practices to correctly develop logically isolated services and systems. For more information, see [Security assurance processes and practices](./azure-secure-isolation-guidance.md#security-assurance-processes-and-practices). For more information about Azure Hypervisor isolation, see [Defense-in-depth exploit mitigations](./azure-secure-isolation-guidance.md#defense-in-depth-exploits-mitigations). Microsoft has full control over all source code that comprises Azure services. For example, the procedure for patching guest VMs differs greatly from traditional on-premises patching where patch verification is necessary following installation. In Azure, patches are not applied to guest VMs; instead, the VM is simply restarted and when the VM boots, it is guaranteed to boot from a known good image that Microsoft controls. There is no way to insert malicious code into the image or interfere with the boot process. PaaS VMs offer more advanced protection against persistent malware infections than traditional physical server solutions, which if compromised by an attacker can be difficult to clean, even after the vulnerability is corrected. With PaaS VMs, reimaging is a routine part of operations, and it can help clean out intrusions that have not even been detected. This approach makes it more difficult for a compromise to persist. You cannot review Azure source code; however, online access to view source code is available for key products through the Microsoft [Government Security Program](https://www.microsoft.com/securityengineering/gsp) (GSP).
- **DevOps personnel (cleared nationals):** What controls or clearance levels does Microsoft have for the personnel that have DevOps access to cloud environments or physical access to data centers? **Answer:** Microsoft conducts [background screening](./documentation-government-plan-security.md#screening) on operations personnel with access to production systems and physical data center infrastructure. Microsoft cloud background check includes verification of education and employment history upon hire, and extra checks conducted every two years thereafter (where permissible by law), including criminal history check, OFAC list, BIS denied persons list, and DDTC debarred parties list. - **Data center site options:** Is Microsoft willing to deploy a data center to a specific physical location to meet more advanced security requirements? **Answer:** You should inquire with your Microsoft account team regarding options for data center locations. - **Service availability guarantee:** How can my organization ensure that Microsoft (or particular government or other entity) canΓÇÖt turn off our cloud services? **Answer:** You should review the Microsoft [Online Services Terms](https://www.microsoft.com/licensing/terms/productoffering) (OST) and the OST [Data Protection Addendum](https://aka.ms/DPA) (DPA) for contractual commitments Microsoft makes regarding service availability and use of online services.-- **Non-traditional cloud service needs:** What options does Microsoft provide for periodically internet free/disconnected environments? 
**Answer:** In addition to [Azure Stack Hub](https://azure.microsoft.com/products/azure-stack/hub/) which is intended for on-premises deployment and disconnected scenarios, a ruggedized and field-deployable version called [Tactical Azure Stack Hub](https://www.delltechnologies.com/en-us/collaterals/unauth/data-sheets/products/converged-infrastructure/dell-emc-integrated-system-for-azure-stack-hub-tactical-spec-sheet.pdf) is also available to address tactical edge deployments for limited or no connectivity, fully mobile requirements, and harsh conditions requiring military specification solutions.
+- **Non-traditional cloud service needs:** What options does Microsoft provide for periodically internet free/disconnected environments? **Answer:** In addition to [Azure Stack Hub](https://azure.microsoft.com/products/azure-stack/hub/), which is intended for on-premises deployment and disconnected scenarios, a ruggedized and field-deployable version called [Tactical Azure Stack Hub](https://www.delltechnologies.com/en-us/collaterals/unauth/data-sheets/products/converged-infrastructure/dell-emc-integrated-system-for-azure-stack-hub-tactical-spec-sheet.pdf) is also available to address tactical edge deployments for limited or no connectivity, fully mobile requirements, and harsh conditions requiring military specification solutions.
### Transparency and audit
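Review bot: the FIPS 140 validation answer loses its most useful evidence. Replacing the link to CMVP certificate #3718 with the generic FIPS 140-2 offering page makes the "Level 3 validated" claim harder to verify: an auditor wants the certificate number, the validated module and firmware version, and the validation date. Keep the offering page for maintainability if you like, but retain the certificate reference beside it, or state why it was removed (for example a newer certificate superseding #3718). The answer also says "FIPS 140 Level 3" while the target page is specifically FIPS 140-2; say which revision is meant.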
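Review bot: in the Code review answer the Azure Hypervisor fragment link changes from #defense-in-depth-exploit-mitigations to #defense-in-depth-exploits-mitigations. Verify that the heading in azure-secure-isolation-guidance.md actually generates the new anchor: "exploit mitigations" is the grammatical form, and the added "s" reads like a typo that would turn a working in-page link into one that silently lands at the top of the article.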
azure-maps About Azure Maps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/about-azure-maps.md
To learn more about the service, see the [Mobility services documentation](/rest
### Render service
-The [Render service V2 (Preview)](/rest/api/maps/renderv2) introduces a new version of the [Get Map Tile V2 API](/rest/api/maps/renderv2/getmaptilepreview). The Get Map Tile V2 API now allows customers to request Azure Maps road tiles, weather tiles, or the map tiles created using Azure Maps Creator. It's recommended that you use the new Get Map Tile V2 API.
+The [Render service V2 (Preview)](/rest/api/maps/renderv2) introduces a new version of the [Get Map Tile V2 API](/rest/api/maps/render-v2/get-map-tile). The Get Map Tile V2 API now allows customers to request Azure Maps road tiles, weather tiles, or the map tiles created using Azure Maps Creator. It's recommended that you use the new Get Map Tile V2 API.
:::image type="content" source="./media/about-azure-maps/intro_map.png" border="false" alt-text="Example of a map from the Render service V2":::
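Review bot: the new Get Map Tile V2 link drops "preview" from the path (render-v2/get-map-tile) while the sentence still labels the service "Render service V2 (Preview)". If the API has reached general availability, update the text and the recommendation to match; if it is still in preview, confirm that the unsuffixed route is the intended stable reference so the link does not break when the preview route is retired. The same path change is repeated in several other articles in this update and should be checked once against the live reference.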
Weather services offer APIs that developers can use to retrieve weather informat
Developers can use the [Get Weather along route API](/rest/api/maps/weather/getweatheralongroute) to retrieve weather information along a particular route. Also, the service supports the generation of weather notifications for waypoints that are affected by weather hazards, such as flooding or heavy rain.
-The [Get Map Tile V2 API](/rest/api/maps/renderv2/getmaptilepreview) allows you to request past, current, and future radar and satellite tiles.
+The [Get Map Tile V2 API](/rest/api/maps/render-v2/get-map-tile) allows you to request past, current, and future radar and satellite tiles.
![Example of map with real-time weather radar tiles](media/about-azure-maps/intro_weather.png)
Try a sample app that showcases Azure Maps:
Stay up to date on Azure Maps:
-[Azure Maps blog](https://azure.microsoft.com/blog/topics/azure-maps/)
+[Azure Maps blog](https://azure.microsoft.com/blog/topics/azure-maps/)
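Review bot: the Azure Maps blog link is removed and re-added with no visible difference, almost certainly a trailing-whitespace or end-of-file newline fix. Harmless, but note it in the commit message so reviewers do not search for a content change that is not there.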
azure-maps Create Data Source Android Sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/create-data-source-android-sdk.md
A vector tile source describes how to access a vector tile layer. Use the `Vecto
Azure Maps adheres to the [Mapbox Vector Tile Specification](https://github.com/mapbox/vector-tile-spec), an open standard. Azure Maps provides the following vector tiles services as part of the platform: -- Road tiles [documentation](/rest/api/maps/renderv2/getmaptilepreview) | [data format details](https://developer.tomtom.com/maps-api/maps-api-documentation-vector/tile)
+- Road tiles [documentation](/rest/api/maps/render-v2/get-map-tile) | [data format details](https://developer.tomtom.com/maps-api/maps-api-documentation-vector/tile)
- Traffic incidents [documentation](/rest/api/maps/traffic/gettrafficincidenttile) | [data format details](https://developer.tomtom.com/traffic-api/traffic-api-documentation-traffic-incidents/vector-incident-tiles) - Traffic flow [documentation](/rest/api/maps/traffic/gettrafficflowtile) | [data format details](https://developer.tomtom.com/traffic-api/traffic-api-documentation-traffic-flow/vector-flow-tiles)-- Azure Maps Creator also allows custom vector tiles to be created and accessed through the [Render V2-Get Map Tile API](/rest/api/maps/renderv2/getmaptilepreview)
+- Azure Maps Creator also allows custom vector tiles to be created and accessed through the [Render V2-Get Map Tile API](/rest/api/maps/render-v2/get-map-tile)
> [!TIP] > When using vector or raster image tiles from the Azure Maps render service with the web SDK, you can replace `atlas.microsoft.com` with the placeholder `azmapsdomain.invalid`. This placeholder will be replaced with the same domain used by the map and will automatically append the same authentication details as well. This greatly simplifies authentication with the render service when using Azure Active Directory authentication.
azure-maps Create Data Source Web Sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/create-data-source-web-sdk.md
A vector tile source describes how to access a vector tile layer. Use the [Vecto
Azure Maps adheres to the [Mapbox Vector Tile Specification](https://github.com/mapbox/vector-tile-spec), an open standard. Azure Maps provides the following vector tiles services as part of the platform: -- Road tiles [documentation](/rest/api/maps/renderv2/getmaptilepreview) | [data format details](https://developer.tomtom.com/maps-api/maps-api-documentation-vector/tile)
+- Road tiles [documentation](/rest/api/maps/render-v2/get-map-tile) | [data format details](https://developer.tomtom.com/maps-api/maps-api-documentation-vector/tile)
- Traffic incidents [documentation](/rest/api/maps/traffic/gettrafficincidenttile) | [data format details](https://developer.tomtom.com/traffic-api/traffic-api-documentation-traffic-incidents/vector-incident-tiles) - Traffic flow [documentation](/rest/api/maps/traffic/gettrafficflowtile) | [data format details](https://developer.tomtom.com/traffic-api/traffic-api-documentation-traffic-flow/vector-flow-tiles)-- Azure Maps Creator also allows custom vector tiles to be created and accessed through the [Render V2-Get Map Tile API](/rest/api/maps/renderv2/getmaptilepreview)
+- Azure Maps Creator also allows custom vector tiles to be created and accessed through the [Render V2-Get Map Tile API](/rest/api/maps/render-v2/get-map-tile)
> [!TIP] > When using vector or raster image tiles from the Azure Maps render service with the web SDK, you can replace `atlas.microsoft.com` with the placeholder `{azMapsDomain}`. This placeholder will be replaced with the same domain used by the map and will automatically append the same authentication details as well. This greatly simplifies authentication with the render service when using Azure Active Directory authentication.
azure-maps Creator Indoor Maps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/creator-indoor-maps.md
An application can use a feature stateset to dynamically render features in a fa
### Render V2-Get Map Tile API
-The Azure Maps [Render V2-Get Map Tile API](/rest/api/maps/renderv2/getmaptilepreview) has been extended to support Creator tilesets.
+The Azure Maps [Render V2-Get Map Tile API](/rest/api/maps/render-v2/get-map-tile) has been extended to support Creator tilesets.
Applications can use the Render V2-Get Map Tile API to request tilesets. The tilesets can then be integrated into a map control or SDK. For an example of a map control that uses the Render V2 service, see [Indoor Maps Module](#indoor-maps-module).
As you begin to develop solutions for indoor maps, you can discover ways to inte
You can use the Azure Maps Creator List, Update, and Delete API to list, update, and delete your datasets, tilesets, and feature statesets. >[!NOTE]
->When you review a list of items to determine whether to delete them, consider the impact of that deletion on all dependent API or applications. For example, if you delete a tileset that's being used by an application by means of the [Render V2-Get Map Tile API](/rest/api/maps/renderv2/getmaptilepreview), the application fails to render that tileset.
+>When you review a list of items to determine whether to delete them, consider the impact of that deletion on all dependent API or applications. For example, if you delete a tileset that's being used by an application by means of the [Render V2-Get Map Tile API](/rest/api/maps/render-v2/get-map-tile), the application fails to render that tileset.
### Example: Updating a dataset
azure-maps Drawing Tools Events https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/drawing-tools-events.md
When using drawing tools on a map, it's useful to react to certain events as the
| `drawingchanged` | Fired when any coordinate in a shape has been added or changed. | | `drawingchanging` | Fired when any preview coordinate for a shape is being displayed. For example, this event will fire multiple times as a coordinate is dragged. | | `drawingcomplete` | Fired when a shape has finished being drawn or taken out of edit mode. |
+| `drawingerased` | Fired when a shape is erased from the drawing manager when in `erase-geometry` mode. |
| `drawingmodechanged` | Fired when the drawing mode has changed. The new drawing mode is passed into the event handler. | | `drawingstarted` | Fired when the user starts drawing a shape or puts a shape into edit mode. |
azure-maps Drawing Tools Interactions Keyboard Shortcuts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/drawing-tools-interactions-keyboard-shortcuts.md
The drawing tools support keyboard shortcuts. These keyboard shortcuts are funct
| `C` | Completes any drawing that is in progress and sets the drawing mode to idle. Focus will move to top-level map element. | | `Escape` | Cancels any drawing that is in progress and sets the drawing mode to idle. Focus will move to top-level map element. | | `F` | Adds a coordinate to a point, line, or polygon if the mouse is over the map. Equivalent action of clicking the map when in click or hybrid mode. This shortcut allows for more precise and faster drawings. You can use one hand to position the mouse and other to press the button without moving the mouse from the press gesture. |
+| `Delete` or `Backspace` | If shapes is selected while the edit mode, delete them. |
## Next steps
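Review bot: the new `Delete` or `Backspace` row is ungrammatical and breaks the third-person form used by the other rows (`Completes`, `Cancels`, `Adds`); "If shapes is selected while the edit mode, delete them." should read "Deletes the selected shape when a shape is in edit mode." If the key has no effect when nothing is selected, say so in the same cell.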
azure-maps Map Add Controls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/map-add-controls.md
Below is the complete running code sample of the above functionality.
<br/>
-<iframe height='500' scrolling='no' title='Adding a pitch control' src='//codepen.io/azuremaps/embed/xJrwaP/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true' style='width: 100%;'>See the Pen <a href='https://codepen.io/azuremaps/pen/xJrwaP/'>Adding a pitch control</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.
+<iframe height='500' scrolling='no' title='Adding a pitch control' src='//codepen.io/azuremaps/embed/xJrwaP/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true' style='width: 100%;'>See the Pen <a href='https://codepen.io/azuremaps/pen/xJrwaP/'>Adding a pitch control</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.
</iframe> ## Add compass control
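Review bot: the `height=265` to `height=500` fix in the embed URL is fine, but the `src` values in this file remain protocol-relative (`//codepen.io/...`) while the `href` links on the same line already use `https://`. Consider making the embed `src` an explicit `https://` URL here and in the rotate-control and all-controls embeds below, so the third-party frame is never fetched over plain HTTP when the page is rendered from a non-HTTPS context such as a local preview.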
Below is the complete running code sample of the above functionality.
<br/>
-<iframe height='500' scrolling='no' title='Adding a rotate control' src='//codepen.io/azuremaps/embed/GBEoRb/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true' style='width: 100%;'>See the Pen <a href='https://codepen.io/azuremaps/pen/GBEoRb/'>Adding a rotate control</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.
+<iframe height='500' scrolling='no' title='Adding a rotate control' src='//codepen.io/azuremaps/embed/GBEoRb/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true' style='width: 100%;'>See the Pen <a href='https://codepen.io/azuremaps/pen/GBEoRb/'>Adding a rotate control</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.
</iframe> ## A Map with all controls
Multiple controls can be put into an array and added to the map all at once and
```javascript map.controls.add([
- new atlas.control.ZoomControl(),
- new atlas.control.CompassControl(),
- new atlas.control.PitchControl(),
- new atlas.control.StyleControl()
+ new atlas.control.ZoomControl(),
+ new atlas.control.CompassControl(),
+ new atlas.control.PitchControl(),
+ new atlas.control.StyleControl()
], {
- position: "top-right"
+ position: "top-right"
}); ```
The following code sample adds the zoom, compass, pitch, and style picker contro
<br/>
-<iframe height='500' scrolling='no' title='A map with all the controls' src='//codepen.io/azuremaps/embed/qyjbOM/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true' style='width: 100%;'>See the Pen <a href='https://codepen.io/azuremaps/pen/qyjbOM/'>A map with all the controls</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.
+<iframe height='500' scrolling='no' title='A map with all the controls' src='//codepen.io/azuremaps/embed/qyjbOM/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true' style='width: 100%;'>See the Pen <a href='https://codepen.io/azuremaps/pen/qyjbOM/'>A map with all the controls</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.
</iframe> The style picker control is defined by the [StyleControl](/javascript/api/azure-maps-control/atlas.control.stylecontrol) class. For more information on using the style picker control, see [choose a map style](choose-map-style.md).
Here is a tool to test out the various options for customizing the controls.
(<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. </iframe>
-If you want to create customized navigation controls, create a class that extends from the `atlas.Control` class or create an HTML element and position it above the map div. Have this UI control call the maps `setCamera` function to move the map.
+If you want to create customized navigation controls, create a class that extends from the `atlas.Control` class or create an HTML element and position it above the map div. Have this UI control call the maps `setCamera` function to move the map.
## Next steps
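Review bot: the `-`/`+` pair for the customized-navigation paragraph is identical apart from whitespace, so this hunk changes nothing a reader can see. If the line is being touched anyway, correct "the maps `setCamera` function" to "the map's `setCamera` function".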
azure-maps Map Add Drawing Toolbar https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/map-add-drawing-toolbar.md
Below is the complete running code sample of the functionality above:
## Change drawing rendering style
-The style of the shapes that are drawn can be customized by retrieving the underlying layers of the drawing manager by using the `drawingManager.getLayers()` function and then setting options on the individual layers. The drag handles that appear for coordinates when editing a shape are HTML markers. The style of the drag handles can be customized by passing HTML marker options into the `dragHandleStyle` and `secondaryDragHandleStyle` options of the drawing manager.
+The style of the shapes that are drawn can be customized by retrieving the underlying layers of the drawing manager by using the `drawingManager.getLayers()` and `drawingManager.getPreviewLayers()` functions and then setting options on the individual layers. The drag handles that appear for coordinates when editing a shape are HTML markers. The style of the drag handles can be customized by passing HTML marker options into the `dragHandleStyle` and `secondaryDragHandleStyle` options of the drawing manager.
The following code gets the rendering layers from the drawing manager and modifies their options to change rendering style for drawing. In this case, points will be rendered with a blue marker icon. Lines will be red and four pixels wide. Polygons will have a green fill color and an orange outline. It then changes the styles of the drag handles to be square icons.
layers.polygonOutlineLayer.setOptions({
strokeColor: 'orange' }); +
+//Get preview rendering layers from the drawing manager and modify line styles to be dashed.
+var previewLayers = drawingManager.getPreviewLayers();
+previewLayers.lineLayer.setOptions({ strokeColor: 'red', strokeWidth: 4, strokeDashArray: [3,3] });
+previewLayers.polygonOutlineLayer.setOptions({ strokeColor: 'orange', strokeDashArray: [3, 3] });
+ //Update the style of the drag handles that appear when editting. drawingManager.setOptions({ //Primary drag handle that represents coordinates in the shape.
Below is the complete running code sample of the functionality above:
(<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. </iframe>
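Review bot: in the added preview-layer code the comment "drag handles that appear when editting" has a typo (editing), and `strokeDashArray` is written `[3,3]` for the line layer but `[3, 3]` for the polygon outline layer; use one spacing. The paragraph above the sample still describes only the solid styles (blue marker, red four-pixel lines, green fill with orange outline) and should also say that the preview layers are rendered dashed, since that is what the new `getPreviewLayers()` lines do.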
+> [!NOTE]
+> When in edit mode, shapes can be rotated. Rotation is supported from MultiPoint, LineString, MultiLineString, Polygon, MultiPolygon, and Rectangle geometries. Point and Circle geometries can not be rotated.
## Next steps
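Review bot: in the new note, "Rotation is supported from MultiPoint, ..." should be "supported for", and "can not be rotated" should be "cannot be rotated".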
azure-maps Map Add Heat Map Layer Android https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/map-add-heat-map-layer-android.md
The following video shows a map running the above code, which scales the radius
![Animation showing a map zooming with a heat map layer showing a consistent geospatial size](media/map-add-heat-map-layer-android/android-consistent-zoomable-heat-map-layer.gif)
+The `zoom` expression can only be used in `step` and `interpolate` expressions. The following expression can be used to approximate a radius in meters. This expression uses a placeholder `radiusMeters` which you should replace with your desired radius. This expression calculates the approximate pixel radius for a zoom level at the equator for zoom levels 0 and 24, and uses an `exponential interpolation` expression to scale between these values the same way the tiling system in the map works.
+ ::: zone pivot="programming-language-java-android"
+```java
+interpolate(
+ exponential(2),
+ zoom(),
+ stop(1, product(radiusMeters, 0.000012776039596366526)),
+ stop(24, product(radiusMeters, 214.34637593279402))
+)
+```
+ > [!TIP] > When you enable clustering on the data source, points that are close to one another are grouped together as a clustered point. You can use the point count of each cluster as the weight expression for the heat map. This can significantly reduce the number of points to be rendered. The point count of a cluster is stored in a `point_count` property of the point feature: >
The following video shows a map running the above code, which scales the radius
::: zone pivot="programming-language-kotlin"
+```kotlin
+interpolate(
+ exponential(2),
+ zoom(),
+ stop(1, product(radiusMeters, 0.000012776039596366526)),
+ stop(24, product(radiusMeters, 214.34637593279402))
+)
+```
+ > [!TIP] > When you enable clustering on the data source, points that are close to one another are grouped together as a clustered point. You can use the point count of each cluster as the weight expression for the heat map. This can significantly reduce the number of points to be rendered. The point count of a cluster is stored in a `point_count` property of the point feature: >
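Review bot: the Java and Kotlin expressions anchor the first stop at `stop(1, ...)`, but the paragraph above says the expression covers "zoom levels 0 and 24", and the two constants differ by a factor of 2^24 (0.000012776039596366526 × 16777216 ≈ 214.3464), which is the correct ratio only if the first stop is zoom 0 and the interpolation doubles per zoom level. The Web SDK version of the same expression in map-add-heat-map-layer.md uses `0`; change `stop(1, ...)` to `stop(0, ...)` in both pivots. Also, "an `exponential interpolation` expression" should not be code-formatted as a single token; write "an exponential `interpolate` expression".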
azure-maps Map Add Heat Map Layer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/map-add-heat-map-layer.md
Scaling the radius so that it doubles with each zoom level creates a heat map th
(<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. </iframe>
+The `zoom` expression can only be used in `step` and `interpolate` expressions. The following expression can be used to approximate a radius in meters. This expression uses a placeholder `radiusMeters` which you should replace with your desired radius. This expression calculates the approximate pixel radius for a zoom level at the equator for zoom levels 0 and 24, and uses an `exponential interpolation` expression to scale between these values the same way the tiling system in the map works.
+
+```json
+[
+ `'interpolate',
+ ['exponential', 2],
+ ['zoom'],
+ 0, ['*', radiusMeters, 0.000012776039596366526],
+ 24, [`'*', radiusMeters, 214.34637593279402]
+]
+```
+ > [!TIP] > When you enable clustering on the data source, points that are close to one another are grouped together as a clustered point. You can use the point count of each cluster as the weight expression for the heat map. This can significantly reduce the number of points to be rendered. The point count of a cluster is stored in a `point_count` property of the point feature: > ```JavaScript
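Review bot: the added expression block is not valid JSON and should not be fenced as `json`: it uses the JavaScript identifier `radiusMeters` and single-quoted strings, and two stray backticks have crept into the array (`` `'interpolate', `` on the second line and `` [`'*', radiusMeters, ... `` on the `24` stop) that would break the literal if pasted. Fence it as `javascript` and write the entries as `'interpolate'` and `['*', radiusMeters, 214.34637593279402]`. The stops of 0 and 24 here match the prose and the 2^24 ratio between the two constants, unlike the Android version, which starts at 1.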
azure-maps Map Add Snap Grid https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/map-add-snap-grid.md
+
+ Title: Add snap grid to the map | Microsoft Azure Maps
+description: How to add a snap grid to a map using Azure Maps Web SDK
++ Last updated : 07/20/2021++++++
+# Add a snap grid to the map
+
+A snap grid makes it easier to draw shapes with shared edges and nodes, and straighter lines. Snapping shapes to a grid is useful when drawing building outlines or network paths on the map.
+
+The resolution of the snapping grid is in pixels. The grid is square and relative to the nearest integer zoom level. The grid scales by a factor of two relative to physical real-world area with each zoom level.
+
+## Use a snap grid
+
+Create a snap grid using the `atlas.drawing.SnapGridManager` class and pass in a reference to the map you want to connect the manager to. Set the `showGrid` option to `true` if you want to make the grid visible. To snap a shape to the grid, pass it into the snap grid managers `snapShape` function. If you want to snap an array of positions, pass it into the `snapPositions` function.
+
+The following example snaps an HTML marker to a grid when it is dragged. Drawing tools are used to snap drawn shapes to the grid when the `drawingcomplete` event fires.
+
+<br/>
+
+<iframe height="500" style="width: 100%;" scrolling="no" title="Use a snapping grid" src="https://codepen.io/azuremaps/embed/rNmzvXO?default-tab=js%2Cresult" frameborder="no" loading="lazy" allowtransparency="true" allowfullscreen="true">
+ See the Pen <a href="https://codepen.io/azuremaps/pen/rNmzvXO">
+ Use a snapping grid</a> by Azure Maps (<a href="https://codepen.io/azuremaps">@azuremaps</a>)
+ on <a href="https://codepen.io">CodePen</a>.
+</iframe>
++
+## Snap grid options
+
+The following example shows the different customization options available for the snap grid manager. The grid line styles can be customized by retrieving the underlying line layer using the snap grid managers `getGridLayer` function.
+
+<br/>
+
+<iframe height="700" style="width: 100%;" scrolling="no" title="Snap grid options" src="https://codepen.io/azuremaps/embed/RwVZJry?default-tab=result" frameborder="no" loading="lazy" allowtransparency="true" allowfullscreen="true">
+ See the Pen <a href="https://codepen.io/azuremaps/pen/RwVZJry">
+ Snap grid options</a> by Azure Maps (<a href="https://codepen.io/azuremaps">@azuremaps</a>)
+ on <a href="https://codepen.io">CodePen</a>.
+</iframe>
++
+## Next steps
+
+Learn how to use other features of the drawing tools module:
+
+> [!div class="nextstepaction"]
+> [Get shape data](map-get-shape-data.md)
+
+> [!div class="nextstepaction"]
+> [React to drawing events](drawing-tools-events.md)
+
+> [!div class="nextstepaction"]
+> [Interaction types and keyboard shortcuts](drawing-tools-interactions-keyboard-shortcuts.md)
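Review bot: in the new article, "snap grid managers `snapShape` function" (Use a snap grid) and "snap grid managers `getGridLayer` function" (Snap grid options) need the possessive "manager's". The sentence "The grid scales by a factor of two relative to physical real-world area with each zoom level" leaves it unclear whether the pixel spacing or the ground distance changes; since the resolution is stated to be in pixels, say explicitly that the pixel spacing is fixed and the ground distance each cell covers halves with each zoom level, if that is the intended meaning.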
azure-maps Map Add Tile Layer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/map-add-tile-layer.md
The following screenshot shows the above code overlaying a web-mapping service o
<br/>
-<iframe height="265" style="width: 100%;" scrolling="no" title="WMS Tile Layer" src="https://codepen.io/azuremaps/embed/BapjZqr?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true" frameborder="no" loading="lazy" allowtransparency="true" allowfullscreen="true">
+<iframe height="500" style="width: 100%;" scrolling="no" title="WMS Tile Layer" src="https://codepen.io/azuremaps/embed/BapjZqr?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true" frameborder="no" loading="lazy" allowtransparency="true" allowfullscreen="true">
See the Pen <a href='https://codepen.io/azuremaps/pen/BapjZqr'>WMS Tile Layer</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. </iframe>
azure-maps Open Source Projects https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/open-source-projects.md
The following is a list of open-source projects that extend the capabilities of
|-|-| | [Azure Maps Code Samples](https://github.com/Azure-Samples/AzureMapsCodeSamples) | A collection of code samples for using Azure Maps in web-based apps. | | [Azure Maps Gov Cloud Code Samples](https://github.com/Azure-Samples/AzureMapsCodeSamples) | A collection of code samples for using Azure Maps through Azure Government Cloud. |
-| [Azure Maps & Azure Active Directory Samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples) | A collection of samples that show how to use Azure Active Directory with Azure Maps. |
+| [Azure Maps & Azure Active Directory Samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples) | A collection of samples that show how to use Azure Active Directory with Azure Maps. |
| [LiveMaps](https://github.com/Azure-Samples/LiveMaps) | Sample application to provide live indoor maps visualization of IoT data on top of Azure Maps using Azure Maps Creator | | [Azure Maps Jupyter Notebook samples](https://github.com/Azure-Samples/Azure-Maps-Jupyter-Notebook) | A collection of python samples using the Azure Maps REST services. | | [Azure Maps .NET UWP IoT Remote Control](https://github.com/Azure-Samples/azure-maps-dotnet-webgl-uwp-iot-remote-control) | This is a sample application that shows how to build a remotely controlled map using Azure Maps and IoT hub services. |
The following is a list of open-source projects that extend the capabilities of
| Project Name | Description | |-|-|
-| [Azure Maps Cesium plugin](https://github.com/azure-samples/azure-maps-cesium) | A [Cesium JS](https://cesium.com/cesiumjs/) plugin that makes it easy to integrate Azure Maps services such as [tile layers](/rest/api/maps/renderv2/getmaptilepreview) and [geocoding services](/rest/api/maps/search). |
-| [Azure Maps Leaflet plugin](https://github.com/azure-samples/azure-maps-leaflet) | A [leaflet](https://leafletjs.com/) JavaScript plugin that makes it easy to overlay tile layers from the [Azure Maps tile services](/rest/api/maps/renderv2/getmaptilepreview). |
- | [Azure Maps OpenLayers plugin](https://github.com/azure-samples/azure-maps-openlayers) | A [OpenLayers](https://www.openlayers.org/) JavaScript plugin that makes it easy to overlay tile layers from the [Azure Maps tile services](/rest/api/maps/renderv2/getmaptilepreview). |
+| [Azure Maps Cesium plugin](https://github.com/azure-samples/azure-maps-cesium) | A [Cesium JS](https://cesium.com/cesiumjs/) plugin that makes it easy to integrate Azure Maps services such as [tile layers](/rest/api/maps/render-v2/get-map-tile) and [geocoding services](/rest/api/maps/search). |
+| [Azure Maps Leaflet plugin](https://github.com/azure-samples/azure-maps-leaflet) | A [leaflet](https://leafletjs.com/) JavaScript plugin that makes it easy to overlay tile layers from the [Azure Maps tile services](/rest/api/maps/render-v2/get-map-tile). |
+ | [Azure Maps OpenLayers plugin](https://github.com/azure-samples/azure-maps-openlayers) | A [OpenLayers](https://www.openlayers.org/) JavaScript plugin that makes it easy to overlay tile layers from the [Azure Maps tile services](/rest/api/maps/render-v2/get-map-tile). |
**Tools and resources**
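Review bot: the OpenLayers row (`+ | [Azure Maps OpenLayers plugin] ...`) keeps a leading space before its first `|` that the Cesium and Leaflet rows do not have; align it for consistency, and change "A [OpenLayers]" to "An [OpenLayers]". Separately, the unchanged context shows the "Azure Maps Gov Cloud Code Samples" row linking to the same repository as "Azure Maps Code Samples" (`Azure-Samples/AzureMapsCodeSamples`); verify that is the intended URL.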
azure-maps Power Bi Visual Add Tile Layer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/power-bi-visual-add-tile-layer.md
parameters:
- `{quadkey}` - Tile `quadkey` identifier based on the Bing Maps tile system naming convention. - `{bbox-epsg-3857}` - A bounding box string with the format `{west},{south},{east},{north}` in the EPSG 3857 spatial reference system.
-As an example, the following is a formatted tile URL for the [weather radar tile service](/rest/api/maps/renderv2/getmaptilepreview) in Azure Maps. Note that `[subscription-key]` is a placeholder for your Azure Maps subscription key.
+As an example, the following is a formatted tile URL for the [weather radar tile service](/rest/api/maps/render-v2/get-map-tile) in Azure Maps. Note that `[subscription-key]` is a placeholder for your Azure Maps subscription key.
> `https://atlas.microsoft.com/map/tile?zoom={z}&x={x}&y={y}&tilesetId=microsoft.weather.radar.main&api-version=2.0&subscription-key=[subscription-key]`
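Review bot: the link path update is correct. Because the example URL carries `subscription-key=[subscription-key]` in the query string and that URL becomes part of the Power BI visual's tile-layer configuration, consider adding a sentence that the key is visible to anyone who can view the visual's settings and should be handled as a secret, with a pointer to rotating the key if the report is shared more widely than intended.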
azure-maps Set Drawing Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/set-drawing-options.md
The previous examples demonstrated how to customize drawing options while instan
</iframe>
+### Put a shape into edit mode
+
+Programmatically put an existing shape into edit mode by passing it into the drawing managers `edit` function. If the shape is a GeoJSON feature, wrap it with the `atls.Shape` class before passing it in.
+
+To programmatically take a shape out of edit mode, set the drawing managers mode to `idle`.
+
+```javascript
+//If you are starting with a GeoJSON feature, wrap it with the atlas.Shape class.
+var feature = {
+ "type": "Feature",
+ "geometry": {
+ "type": "Point",
+ "coordinates": [0,0]
+ },
+ "properties": {}
+};
+
+var shape = new atlas.Shape(feature);
+
+//Pass the shape into the edit function of the drawing manager.
+drawingManager.edit(shape);
+
+//Later, to programmatically take shape out of edit mode, set mode to idle.
+drawingManager.setOptions({ mode: 'idle' });
+```
+
+> [!NOTE]
+> When a shape is passed into the `edit` function of the drawing manager, it is added to the data source maintained by the drawing manager. If the shape was previously in another data source, it will be removed from that data source.
+
+To add shapes to the drawing manager so the end user can view and edit, but don't want to programmatically put them into edit mode, retrieve the data source from the drawing manager and add your shapes to it.
+
+```javascript
+//The shape(s) you want to add to the drawing manager so
+var shape = new atlas.Shape(feature);
+
+//Retrieve the data source from the drawing manager.
+var source = drawingManager.getSource();
+
+//Add your shape.
+source.add(shape);
+```
+ ## Next steps Learn how to use additional features of the drawing tools module:
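Review bot: "wrap it with the `atls.Shape` class" in the new section is a typo for `atlas.Shape` (the code below uses the correct name), and "drawing managers `edit` function" / "drawing managers mode" need the possessive "manager's". The comment "//The shape(s) you want to add to the drawing manager so" in the second snippet is cut off mid-sentence. The introductory sentence "To add shapes to the drawing manager so the end user can view and edit, but don't want to programmatically put them into edit mode, ..." switches subject halfway; suggest "If you want to add shapes that the user can view and edit without putting them into edit mode programmatically, retrieve the data source from the drawing manager and add your shapes to it."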
azure-maps Weather Services Concepts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/weather-services-concepts.md
Some of the Weather service (Preview) APIs return the `iconCode` in the response
## Radar and satellite imagery color scale
-Via [Get Map Tile v2 API](/rest/api/maps/renderv2/getmaptilepreview) users can request latest radar and infrared satellite images. See below guide to help interpret colors used for radar and satellite tiles.
+Via [Get Map Tile v2 API](/rest/api/maps/render-v2/get-map-tile) users can request latest radar and infrared satellite images. See below guide to help interpret colors used for radar and satellite tiles.
### Radar Images
Below is the list of available Index groups (indexGroupId):
Neutral | 2 | 3.99 At Risk | 4 | 5.99 At High Risk | 6 | 7.99
- At Extreme Risk | 8 | 10
+ At Extreme Risk | 8 | 10
azure-monitor Agents Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/agents-overview.md
Previously updated : 01/12/2021 Last updated : 07/22/2021 # Overview of Azure Monitor agents
The following tables provide a quick comparison of the Azure Monitor agents for
| **Environments supported** | Azure<br>Other cloud (Azure Arc)<br>On-premises (Azure Arc) | Azure | Azure<br>Other cloud<br>On-premises | Azure<br>Other cloud<br>On-premises | Azure<br>Other cloud<br>On-premises | | **Agent requirements** | None | None | None | None | Requires Log Analytics agent | | **Data collected** | Syslog<br>Performance | Syslog<br>Performance | Performance | Syslog<br>Performance| Process dependencies<br>Network connection metrics |
-| **Data sent to** | Azure Monitor Logs<br>Azure Monitor Metrics | Azure Storage<br>Event Hub | Azure Monitor Metrics | Azure Monitor Logs | Azure Monitor Logs<br>(through Log Analytics agent) |
+| **Data sent to** | Azure Monitor Logs<br>Azure Monitor Metrics<sup>1</sup> | Azure Storage<br>Event Hub | Azure Monitor Metrics | Azure Monitor Logs | Azure Monitor Logs<br>(through Log Analytics agent) |
| **Services and**<br>**features**<br>**supported** | Log Analytics<br>Metrics explorer | | Metrics explorer | VM insights<br>Log Analytics<br>Azure Automation<br>Azure Security Center<br>Azure Sentinel | VM insights<br>Service Map |
+<sup>1</sup> There's a limitation today on Azure Monitor Agent for Linux wherein using Azure Monitor Metrics as the *only* destination is not supported. Using it alongwith Azure Monitor Logs works. This limitation will be addressed in the next extension update.
## Azure Monitor agent
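Review bot: the new footnote has "alongwith" (along with), and "will be addressed in the next extension update" will go stale; either name the extension version that removes the limitation once it is known or phrase the sentence without a timeline. The same footnote text is added to azure-monitor-agent-overview.md below; keep the two copies identical after fixing.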
azure-monitor Azure Monitor Agent Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/azure-monitor-agent-overview.md
description: Overview of the Azure Monitor agent (AMA), which collects monitorin
Previously updated : 06/25/2021 Last updated : 07/22/2021
The Azure Monitor agent sends data to Azure Monitor Metrics or a Log Analytics w
| Data Source | Destinations | Description | |:|:|:|
-| Performance | Azure Monitor Metrics<br>Log Analytics workspace | Numerical values measuring performance of different aspects of operating system and workloads. |
+| Performance | Azure Monitor Metrics<sup>1</sup><br>Log Analytics workspace | Numerical values measuring performance of different aspects of operating system and workloads. |
| Windows Event logs | Log Analytics workspace | Information sent to the Windows event logging system. | | Syslog | Log Analytics workspace | Information sent to the Linux event logging system. |
+<sup>1</sup> There's a limitation today on Azure Monitor Agent for Linux wherein using Azure Monitor Metrics as the *only* destination is not supported. Using it alongwith Azure Monitor Logs works. This limitation will be addressed in the next extension update.
## Supported operating systems See [Supported operating systems](agents-overview.md#supported-operating-systems) for a list of the Windows and Linux operating system versions that are currently supported by the Azure Monitor agent.
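Review bot: this footnote duplicates the one added to agents-overview.md, including the "alongwith" typo and the open-ended "next extension update" promise; apply the same correction here.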
azure-monitor Ip Collection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/ip-collection.md
This behavior is by design to help avoid unnecessary collection of personal data
## Overriding default behavior
-While the default is to not collect IP addresses. We still offer the flexibility to override this behavior. However, we recommend verifying that collection doesn't break any compliance requirements or local regulations.
+While the default is to not collect IP addresses, we still offer the flexibility to override this behavior. However, we recommend verifying that collection doesn't break any compliance requirements or local regulations.
To learn more about personal data handling in Application Insights, consult the [guidance for personal data](../logs/personal-data-mgmt.md).
azure-monitor Worker Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/worker-service.md
using Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel;
## Sample applications
-[.NET Core Console Application](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/WorkerServiceSDK/ConsoleAppWithApplicationInsights)
+[.NET Core Console Application](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/ConsoleApp)
Use this sample if you are using a Console Application written in either .NET Core (2.0 or higher) or .NET Framework (4.7.2 or higher)
-[ASP.NET Core background tasks with HostedServices](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/WorkerServiceSDK/BackgroundTasksWithHostedService)
+[ASP.NET Core background tasks with HostedServices](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/BackgroundTasksWithHostedService)
Use this sample if you are in ASP.NET Core 2.1/2.2, and creating background tasks as per official guidance [here](/aspnet/core/fundamentals/host/hosted-services)
-[.NET Core 3.0 Worker Service](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/WorkerServiceSDK/WorkerServiceSampleWithApplicationInsights)
+[.NET Core 3.0 Worker Service](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/WorkerService)
Use this sample if you have a .NET Core 3.0 Worker Service application as per official guidance [here](/aspnet/core/fundamentals/host/hosted-services?tabs=visual-studio#worker-service-template) ## Open-source SDK
azure-monitor Vminsights Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/vm/vminsights-troubleshoot.md
If the agents appear to be installed correctly but you don't see any data in the
### Has your Log Analytics workspace reached its data limit? Check the [capacity reservations and the pricing for data ingestion](https://azure.microsoft.com/pricing/details/monitor/).
-### Is your virtual machine sending log and performance data to Azure Monitor Logs?
+### Is your virtual machine agent connected to Azure Monitor Logs?
Open Log Analytics from **Logs** in the Azure Monitor menu in the Azure portal. Run the following query for your computer: ```kuso
-Usage
-| where Computer == "my-computer"
-| summarize sum(Quantity), any(QuantityUnit) by DataType
+Heartbeat
+| where Computer == "my-computer"
+| sort by TimeGenerated desc
```
-If you don't see any data, then you may have problems with your agent. See the section above for agent troubleshooting information.
+If you don't see any data or if the computer hasn't sent a heartbeat recently, then you may have problems with your agent. See the section above for agent troubleshooting information.
## Virtual machine doesn't appear in map view
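Review bot: the fence that opens the query (unchanged context line) is tagged ```kuso, which should be ```kusto so the `Heartbeat` query gets highlighting. The switch from the `Usage` aggregation to a `Heartbeat` query matches the renamed heading; consider ending the query with `| top 1 by TimeGenerated desc` and stating the expected heartbeat interval so readers know what "hasn't sent a heartbeat recently" means in practice.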
azure-percept How To Set Up Advanced Network Settings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/how-to-set-up-advanced-network-settings.md
+
+ Title: Set up advanced network settings on the Azure Percept DK
+description: This article walks user through the Advanced Network Settings during the Azure Percept DK setup experience
++++ Last updated : 7/19/2021+++
+# Set up Advanced Network Settings on the Azure Percept DK
+
+The Azure Percept DK allows you to control various networking components on the dev kit. This is done via the Advanced Networking Settings in the setup experience. To access these settings, you must [start the setup experience](./quickstart-percept-dk-set-up.md) and select **Access advanced network settings** on the **Network connection** page.
++
+## Select the security setting
+IPv4 and IPv6 are both supported on the Azure Percept DK for local connectivity.
+
+> [!NOTE]
+> Azure IoTHub [does not supports IPv6](https://docs.microsoft.com/azure/iot-hub/iot-hub-understand-ip-address#support-for-ipv6). IPv4 must be used to communicate with IoTHub.
+1. Select the IPv4 radio button and then select an item under Network Settings to change its IPv4 settings
+1. Select the IPv6 radio button and then select an item under Network Settings to change its IPv6 settings
+1. The **Network setting** options may change depending on your selection
++
+## Define a Static IP Address
+
+1. From the **Advanced network settings** page, select **Define a static IP address** from the list
+1. Select your **Network interface** from the drop-down menu
+1. Uncheck **Dynamic IP address**
+1. Enter your static IP address
+1. Enter your subnet IP address (also known as your subnet mask)
+1. Enter your gateway IP address (also known as your default gateway)
+1. If applicable, enter your DNS address
+1. Select **Save**
+1. Select **Back** to return to the main **Advanced networking settings** page
+
+## Define DNS server for Docker
+These settings allow you to modify or add new Docker DNS IP addresses.
+
+> [!NOTE]
+> The Docker service is configured to only accept IPv4 DNS entries. Entries added from the IPv6 screens will be ignored.
+
+1. From the **Advanced network settings** page, select **Define DNS server for Docker** from the list
+1. Enter your Docker IPv4 DNS address
+1. Select **Save**
+1. Select **Back** to return to the main **Advanced networking settings** page
+
+## Define Bridge Internet Protocol for Docker
+The Bridge Internet Protocol screens allow you to change the IPv4 address space for Docker containers.
+
+If your deviceΓÇÖs IP address shares the same route as the Azure Percept DevkitΓÇÖs Docker service (172.17.x.x), then you'll need to change DockerΓÇÖs Bridge to something else to allow communications between Docker containers and Azure IoTHub.
+
+1. From the **Advanced network settings** page, select **Define Bridge Internet Protocol for Docker** from the list
+1. Type in the Docker Bridge Internet Protocol IPv4 address (BIP)
+1. Select **Save**
+1. Select **Back** to return to the main **Advanced networking settings** page
+
+## Define an internet proxy server
+This option allows you to define a proxy server.
+
+1. From the **Advanced network settings** page, select **Define an internet proxy server** from the list
+1. Check the **Use a proxy server** box to enable this option.
+1. Enter the **HTTP address** of your proxy server (if applicable)
+1. Enter the **HTTPS address** of your proxy server (if applicable)
+1. Enter the **FTP address** of your proxy server (if applicable)
+1. In the **No proxy addresses** box, enter any IP addresses that the proxy server shouldn't be used for
+1. Select **Save**
+1. Select **Back** to return to the main **Advanced networking settings** page
+
+## Setup Zero Touch Provisioning
+
+> [!IMPORTANT]
+> The **Setup Zero Touch Provisioning** setting are not currently functional
+
+This option allows you to turn your Azure Percept DK into a [Wi-Fi Easy Connect<sup>TM</sup> Bulk Configurator](https://techcommunity.microsoft.com/t5/internet-of-things/simplify-wi-fi-iot-device-onboarding-with-zero-touch/ba-p/2161129#:~:text=A%20Wi-Fi%20Easy%20Connect%E2%84%A2%20Configurator%2C%20paired%20with%20the,device%20to%20any%20WPA2-Personal%20or%20WPA3-Personal%20wireless%20LAN.) for onboarding multiple devices at once to your Wi-Fi infrastructure.
+
+## Define access point passphrase
+This option allows you to update the Azure Percept DK Wi-Fi access point passphrase.
+
+> [!CAUTION]
+> You will be immediately disconnected from the Wi-Fi access point after saving your new passphrase. Please reconnect using the new passphrase to regain access.
+
+Passphrase requirements:
+- Must be between 12 and 123 characters long
+- Must contain at least one lower case, one upper case, one number, and one special character.
+
+1. From the **Advanced network settings** page, select **Define access point passphrase** from the list
+1. Enter a new passphrase
+1. Select **Save**
+1. Select **Back** to return to the main **Advanced networking settings** page
+
+## Next steps
+After you have finished making changes in **Advanced network settings**, select the **Back** button to [continue through the Azure Percept DK setup experience](./quickstart-percept-dk-set-up.md).
+
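Review bot: the heading "Select the security setting" does not match its content, which is about choosing IPv4 or IPv6 for local connectivity; a name such as "Select the IP version" would avoid suggesting this is a security control. Same hunk: "Azure IoTHub does not supports IPv6" should read "does not support IPv6", and "The **Setup Zero Touch Provisioning** setting are not currently functional" should read "is not currently functional". Under "Define an internet proxy server", the **No proxy addresses** step doesn't say what form the entries take (single addresses, hostnames, ranges) or how multiple entries are separated; a one-line format hint would save users from guessing a value that silently bypasses the proxy for the wrong hosts.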
azure-percept How To Update Via Usb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/how-to-update-via-usb.md
This guide will show you how to successfully update your dev kit's operating sys
## Prerequisites - An Azure Percept DK-- A Windows, Linux, or OS X based host computer with Wi-Fi capability and an available USB-C or USB-A port
+- A Windows or Linux-based host computer with Wi-Fi capability and an available USB-C or USB-A port
- A USB-C to USB-A cable (optional, sold separately) - An SSH login account, created during the [Azure Percept DK setup experience](./quickstart-percept-dk-set-up.md) - A hex wrench, shipped with the dev kit, to remove the screws on the back of the dev kit (if using the DIP switch method)
+> [!NOTE]
+> **Mac users** - Updating the Azure Percept DK over a USB connection will not work using a Mac as the host computer.
+ ## Download software tools and update files 1. [NXP UUU tool](https://github.com/NXPmicro/mfgtools/releases). Download the **Latest Release** uuu.exe file (for Windows) or the uuu file (for Linux) under the **Assets** tab. UUU is a tool created by NXP used to update NXP dev boards.
azure-percept Quickstart Percept Dk Set Up https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/quickstart-percept-dk-set-up.md
To verify if your Azure account is an ΓÇ£ownerΓÇ¥ or ΓÇ£contributorΓÇ¥ within th
1. Select your Wi-Fi network from the list of available networks and click **connect**. Enter your network password when prompted.
+ > [!NOTE]
+ > **Mac users** - When going through the setup experience on a Mac, it initially opens in a window rather than a web browser. The window isn't persisted once the connection switches from the device's access point to Wi-Fi. Open a web browser and go to https://10.1.1.1, which will allow you to complete the setup experience.
+ 1. Once your dev kit has successfully connected to your network of choice, the page will show the IPv4 address assigned to your dev kit. **Write down the IPv4 address displayed on the page.** You will need the IP address when connecting to your dev kit over SSH for troubleshooting and device updates. :::image type="content" source="./media/quickstart-percept-dk-setup/main-04-success-wi-fi.png" alt-text="Copy IP address.":::
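Review bot: the Mac note sends users to https://10.1.1.1 while their browser is still on the device's access point, but doesn't say whether a certificate warning is expected for that address or how to proceed if one appears; since the surrounding steps have the user enter their network password on that page, one sentence on what to expect would help them tell the genuine setup page from something unexpected.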
azure-percept Speech Module Interface Workflow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/speech-module-interface-workflow.md
+
+ Title: Azure Percept speech module interface workflow
+description: Describes the workflow and available methods for the Azure Percept speech module
++++ Last updated : 7/19/2021+++
+# Azure Percept speech module interface workflow
+
+This article describes how the Azure Percept speech module interacts with IoT Hub. It does so via Module Twin and Module methods. Furthermore, it lists the direct method calls used to invoke the speech module.
+
+## Speech module interaction with IoT hub via Module Twin and Module method
+- IoT Hub uses Module Twin to deploy speech module settings and the settings are saved in the properties. The speech module can update device information and telemetry to IoT hub by Module Twin reported properties.
+- IoT Hub can send control requests to speech module via the Module method.
+- IoT Hub can get speech module status via the Module method.
+
+For more details, please refer to [Understand and use module twins in IoT Hub](https://docs.microsoft.com/azure/iot-hub/iot-hub-devguide-module-twins).
++
+## Speech module states
+- **IoTInitialized**: Indicates IoT module is initialized and the network between speech module and edge Hub module is connected.
+- **Authenticating**: Azure Audio device authentication is processing.
+- **Authenticated**: Azure Audio device authentication is finished. If failed, IoT hub will get an error message.
+- **MicDiscovering**: Start to enumerate microphone array via ALSA interface.
+- **MicDiscovered**: Enum microphone array is finished. If failed, IoT hub will get an error message.
+- **SpeechConfigured**: CC configuring is finished. If failed, IoT hub will get an error message.
+- **SpeechStarted**: Indicates bot is configured and is running.
+- **SpeechStopped**: Indicates bot is stopped.
+- **DeviceRemoved**: Indicates Azure Audio device is removed.
++
+## Speech bot states
+Querying speech bot states is only supported under the **SpeechStarted** speech module state.
+- **Ready**: KWS is ready and waiting for voice activation.
+- **Listening**: bot is listening to the voice input.
+- **Thinking**: bot is waiting for response.
+- **Speaking**: bot gets response and speaking the response.
+
+## Interaction between IoT Hub and the speech module
+This section describes how IoT Hub interacts with the speech module. As the diagram shows, there are three types of messages.
+- Deployment with needed properties and update with reported properties
+- Module method invoke
+- Update telemetry
++
+IoT Hub invokes the module method with two parameters:
+- The module method name (case sensitive)
+- The method payload
+
+The speech module responds with:
+- A status code
+ - **0** = idle
+ - **102** = processing
+ - **200** = success
+ - **202** = pending
+ - **500** = failure
+ - **501** = not present
+- A status payload
+
+Here's an example using the module method GetModuleState:
+1. Invoke the method with these parameters:
+ - String: "GetModuleState"
+ - Unspecified
+1. Response:
+ - Status code: 200
+ - Payload: "DeviceRemoved"
+
+## Next steps
+Try to apply these concepts when [configuring a voice assistant application using Azure IoT Hub](./how-to-configure-voice-assistant.md).
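Review bot: several abbreviations in the state lists are never expanded: "CC configuring is finished" under **SpeechConfigured**, "KWS is ready" under **Ready**, and "via ALSA interface" under **MicDiscovering**; spell each one out on first use. "Enum microphone array is finished" should read "Enumeration of the microphone array is finished". The status-code list defines **500** = failure and **501** = not present, but the failure branches in the module state list only say "IoT hub will get an error message"; stating which status code and what payload the module returns on those failures would make the GetModuleState example actionable for someone writing the IoT Hub side.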
azure-relay Authenticate Application https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/authenticate-application.md
+
+ Title: Authenticate from an application - Azure Relay (Preview)
+description: This article provides information about authenticating an application with Azure Active Directory to access Azure Relay resources.
+ Last updated : 07/02/2021++
+# Authenticate and authorize an application with Azure Active Directory to access Azure Relay entities (Preview)
+Azure Relay supports using Azure Active Directory (Azure AD) to authorize requests to Azure Relay entities (Hybrid Connections, WCF Relays). With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. To learn more about roles and role assignments, see [Understanding the different roles](../role-based-access-control/overview.md).
+++
+## Authenticate from an app
+A key advantage of using Azure AD with Azure Relay is that your credentials no longer need to be stored in your code. Instead, you can request an OAuth 2.0 access token from Microsoft identity platform. Azure AD authenticates the security principal (a user, a group, or service principal) running the application. If authentication succeeds, Azure AD returns the access token to the application, and the application can then use the access token to authorize requests to Azure Relay.
+
+Following sections shows you how to configure your console application for authentication with Microsoft Identity Platform 2.0. For more information, see [Microsoft Identity Platform (v2.0) overview](../active-directory/develop/v2-overview.md).
+
+For an overview of the OAuth 2.0 code grant flow, see [Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow](../active-directory/develop/v2-oauth2-auth-code-flow.md).
+
+### Register your application with an Azure AD tenant
+The first step in using Azure AD to authorize Azure Relay entities is registering your client application with an Azure AD tenant from the Azure portal. When you register your client application, you supply information about the application to AD. Azure AD then provides a client ID (also called an application ID) that you can use to associate your application with Azure AD runtime.
+
+For step-by-step instructions to register your application with Azure AD, see [Quickstart: Register an application with Azure AD](../active-directory/develop/quickstart-register-app.md#register-an-application).
+
+> [!IMPORTANT]
+> Make note of the **Directory (tenant) ID** and the **Application (client) ID**. You will need these values to run the sample application.
+
+### Create a client secret
+The application needs a client secret to prove its identity when requesting a token. In the same article linked above, see the [Add a client secret](../active-directory/develop/quickstart-register-app.md#add-a-client-secret) section to create a client secret.
+
+> [!IMPORTANT]
+> Make note of the **Client Secret**. You will need it to run the sample application.
+
+## Assign Azure roles using the Azure portal
+Assign one of the Azure Relay roles to the application's service principal at the desired scope (Relay entity, namespace, resource group, subscription). For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
+
+## Run the sample
+
+1. Download the console application sample from [GitHub](https://github.com/Azure/azure-relay/tree/master/samples/hybrid-connections/dotnet/rolebasedaccesscontrol).
+1. Run the application locally on your computer per the instructions from the [README article](https://github.com/Azure/azure-relay/tree/master/samples/hybrid-connections/dotnet/rolebasedaccesscontrol#rolebasedaccesscontrol-hybrid-connection-sample).
+
+ > [!NOTE]
+ > Follow the same steps above to run the [sample console application for WCF Relay](https://github.com/Azure/azure-relay/tree/master/samples/wcf-relay/RoleBasedAccessControl).
+
+#### Highlighted code from the sample
+Here's the code from the sample that shows how to use Azure AD authentication to connect to the Azure Relay service.
+
+1. Create a [TokenProvider](/dotnet/api/microsoft.azure.relay.tokenprovider) object by using the `TokenProvider.CreateAzureActiveDirectoryTokenProvider` method.
+
+ If you haven't already created an app registration, see the [Register your application with Azure AD](#register-your-application-with-an-azure-ad-tenant) section to create it and then create a client secret as mentioned in the [Create a client secret](#create-a-client-secret) section.
+
+ If you want to use an existing app registration, follow these instructions to get **Application (client) ID** and **Directory (tenant) ID**.
+
+ 1. Sign in to the [Azure portal](https://portal.azure.com).
+ 1. Search for and select **Azure Active Directory** using the search bar at the top.
+ 1. On the **Azure Active Directory** page, select **App registrations** in the **Manage** section on the left menu.
+ 1. Select your app registration.
+ 1. On the page for your app registration, you will see the values for **Application (client) ID** and **Directory (tenant) ID**.
+
+ To get the **client secret**, follow these steps:
+ 1. On the page your app registration, select **Certificates & secrets** on the left menu.
+ 1. Use the copy button in the **Value** column for the secret in the **Client secrets** section.
+
+
+ ```csharp
+ static TokenProvider GetAadTokenProvider(string clientId, string tenantId, string clientSecret)
+ {
+ return TokenProvider.CreateAzureActiveDirectoryTokenProvider(
+ async (audience, authority, state) =>
+ {
+ IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
+ .WithAuthority(authority)
+ .WithClientSecret(clientSecret)
+ .Build();
+
+ var authResult = await app.AcquireTokenForClient(new [] { $"{audience}/.default" }).ExecuteAsync();
+ return authResult.AccessToken;
+ },
+ $"https://login.microsoftonline.com/{tenantId}");
+ }
+ ```
+1. Create a [HybridConnectionListener](/dotnet/api/microsoft.azure.relay.hybridconnectionlistener.-ctor#Microsoft_Azure_Relay_HybridConnectionListener__ctor_System_Uri_Microsoft_Azure_Relay_TokenProvider_) or [HybridConnectionClient](/dotnet/api/microsoft.azure.relay.hybridconnectionclient.-ctor#microsoft-azure-relay-hybridconnectionclient-ctor(system-uri-microsoft-azure-relay-tokenprovider)) object by passing the hybrid connection URI and the token provider you created in the previous step.
+
+ **Listener:**
+ ```csharp
+ var listener = new HybridConnectionListener(hybridConnectionUri, tokenProvider);
+ ```
+
+ **Sender:**
+ ```csharp
+ var sender = new HybridConnectionClient(hybridConnectionUri, tokenProvider);
+ ```
+
+## Next steps
+- To learn more about Azure RBAC, see [What is Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md)?
+- To learn how to assign and manage Azure role assignments with Azure PowerShell, Azure CLI, or the REST API, see these articles:
+ - [Add or remove Azure role assignments using Azure PowerShell](../role-based-access-control/role-assignments-powershell.md)
+ - [Add or remove Azure role assignments using Azure CLI](../role-based-access-control/role-assignments-cli.md)
+ - [Add or remove Azure role assignments using the REST API](../role-based-access-control/role-assignments-rest.md)
+ - [Add or remove Azure role assignments using Azure Resource Manager Templates](../role-based-access-control/role-assignments-template.md)
+
+To learn more about Azure Relay, see the following topics.
+- [What is Relay?](relay-what-is-it.md)
+- [Get started with Azure Relay Hybrid connections WebSockets](relay-hybrid-connections-dotnet-get-started.md)
+- [Get stated with Azure Relay Hybrid connections HTTP requests](relay-hybrid-connections-http-requests-dotnet-get-started.md)
++++++++
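Review bot: the "Authenticate from an app" section claims "your credentials no longer need to be stored in your code", but the sample then requires a **Client Secret** (created under "Create a client secret" and passed as `clientSecret` into `GetAadTokenProvider`), which is a long-lived credential the application must store and protect just like a Relay access key. Narrow the claim to "the Relay namespace keys no longer need to be stored", say where the secret is expected to come from (configuration outside source control), and point readers running on Azure to the managed-identity article added in this same change, where no secret is needed at all. Minor: "Following sections shows you" should be "The following sections show you"; the "#### Highlighted code from the sample" heading jumps from H2 to H4; and "Get stated with Azure Relay Hybrid connections HTTP requests" should read "Get started".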
azure-relay Authenticate Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/authenticate-managed-identity.md
+
+ Title: Authenticate with managed identities for Azure Relay resources (preview)
+description: This article describes how to use managed identities to access with Azure Relay resources.
+ Last updated : 07/19/2021++
+# Authenticate a managed identity with Azure Active Directory to access Azure Relay resources (preview)
+[Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) is a cross-Azure feature that enables you to create a secure identity associated with the deployment under which your application code runs. You can then associate that identity with access-control roles that grant custom permissions for accessing specific Azure resources that your application needs.
+
+With managed identities, the Azure platform manages this runtime identity. You don't need to store and protect access keys in your application code or configuration, either for the identity itself, or for the resources you need to access. A Relay client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support doesn't need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Relay namespace. When the app connects, Relay binds the managed entity's context to the client in an operation that is shown in an example later in this article. Once it's associated with a managed identity, your Relay client can do all authorized operations. Authorization is granted by associating a managed entity with Relay roles.
++
+## Enable managed identity
+First, enable managed identity for the Azure resource that needs to access Azure Relay entities (hybrid connections or WCF relays). For an example, if your Relay client application is running on an Azure VM, enable managed identity for the VM by following instructions from the [Configure managed identity for an Azure VM](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) article. Once you've enabled this setting, a new managed service identity is created in your Azure Active Directory (Azure AD).
+
+For a list of services that support managed identities, see [Services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md).
+
+## Assign an Azure Relay role to the managed identity
+After you enable the managed identity, assign one of the Azure Relay roles (Azure Relay Owner, Azure Relay Listener, or Azure Relay Sender) to the identity at the appropriate scope. When the Azure role is assigned to a managed identity, the managed identity is granted access to Relay entities at the appropriate scope.
+
+The following section uses a simple application that runs under a managed identity on an Azure VM instance and accesses Relay resources.
+
+## Sample app on VM accessing Relay entities
+
+1. Download the [Hybrid Connections sample console application](https://github.com/Azure/azure-relay/tree/master/samples/hybrid-connections/dotnet/rolebasedaccesscontrol) to your computer from GitHub.
+1. [Create an Azure VM](../virtual-machines/windows/quick-create-portal.md). For this sample, use a Windows 10 image.
+1. Enable system-assigned identity or a user-assigned identity for the Azure VM. For instructions, see [Enable identity for a VM](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md).
+1. Assign one of the Relay roles to the managed service identity at the desired scope (Relay entity, Relay namespace, resource group, subscription). For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
+1. Build the console app locally on your local computer as per instructions from the [README document](https://github.com/Azure/azure-relay/tree/master/samples/hybrid-connections/dotnet/rolebasedaccesscontrol#rolebasedaccesscontrol-hybrid-connection-sample).
+1. Copy the executable under \<your local path\>\RoleBasedAccessControl\bin\Debug folder to the VM. You can use RDP to connect to your Azure VM. For more information, see [How to connect and sign on to an Azure virtual machine running Windows](../virtual-machines/windows/connect-logon.md).
+1. Run RoleBasedAccessControl.exe on the Azure VM as per instructions from the [README document](https://github.com/Azure/azure-relay/tree/master/samples/hybrid-connections/dotnet/rolebasedaccesscontrol#rolebasedaccesscontrol-hybrid-connection-sample).
+
+ > [!NOTE]
+ > Follow the same steps above to run the [console application for WCF Relays](https://github.com/Azure/azure-relay/tree/master/samples/wcf-relay/RoleBasedAccessControl).
+
+#### Highlighted code from the sample
+Here's the code from the sample that shows how to use Azure AD authentication to connect to the Azure Relay service.
+
+1. Create a [TokenProvider](/dotnet/api/microsoft.azure.relay.tokenprovider) object by using the `TokenProvider.CreateManagedIdentityTokenProvider` method.
+
+ - If you are using a **system-assigned managed identity:**
+ ```csharp
+ TokenProvider.CreateManagedIdentityTokenProvider();
+ ```
+ - If you are using a **user-assigned managed identity**, get the **Client ID** for the user-assigned identity from the **Managed Identity** page in the Azure portal. For instructions, see [List user-assigned managed identities](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp#list-user-assigned-managed-identities).
+ ```csharp
+ var managedCredential = new ManagedIdentityCredential(clientId);
+ tokenProvider = TokenProvider.CreateManagedIdentityTokenProvider(managedCredential);
+ ```
+1. Create a [HybridConnectionListener](/dotnet/api/microsoft.azure.relay.hybridconnectionlistener.-ctor#Microsoft_Azure_Relay_HybridConnectionListener__ctor_System_Uri_Microsoft_Azure_Relay_TokenProvider_) or [HybridConnectionClient](/dotnet/api/microsoft.azure.relay.hybridconnectionclient.-ctor#microsoft-azure-relay-hybridconnectionclient-ctor(system-uri-microsoft-azure-relay-tokenprovider)) object by passing the hybrid connection URI and the token provider you created in the previous step.
+
+ **Listener:**
+ ```csharp
+ var listener = new HybridConnectionListener(hybridConnectionUri, tokenProvider);
+ ```
+
+ **Sender:**
+ ```csharp
+ var sender = new HybridConnectionClient(hybridConnectionUri, tokenProvider);
+ ```
+
+## Next steps
+To learn more about Azure Relay, see the following topics.
+- [What is Relay?](relay-what-is-it.md)
+- [Get started with Azure Relay Hybrid connections WebSockets](relay-hybrid-connections-dotnet-get-started.md)
+- [Get stated with Azure Relay Hybrid connections HTTP requests](relay-hybrid-connections-http-requests-dotnet-get-started.md)
+++
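Review bot: the overview paragraph alternates between "managed identity" and "managed entity" ("with enabled managed entities for Azure resources support", "Relay binds the managed entity's context", "associating a managed entity with Relay roles"); the feature is called managed identity everywhere else in the hunk, so use that term consistently. In the user-assigned snippet, `new ManagedIdentityCredential(clientId)` is used without saying which package it comes from (it is the `Azure.Identity` type) and `tokenProvider` is assigned without being declared, while the system-assigned snippet discards the return value of `CreateManagedIdentityTokenProvider()`; writing both as `var tokenProvider = ...` with the required using directive would make them copy-pasteable. Also "Get stated" in Next steps should be "Get started".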
azure-relay Diagnostic Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/diagnostic-logs.md
Title: Diagnostics logs for Hybrid Connections description: This article provides an overview of all the activity and diagnostics logs that are available for Azure Relay. Previously updated : 06/23/2020 Last updated : 06/23/2021 # Enable diagnostics logs for Azure Relay Hybrid Connections When you start using your Azure Relay Hybrid Connections, you might want to monitor how and when your listeners and senders are opened and closed, and how your Hybrid Connections are created and messages are sent. This article provides an overview of activity and diagnostics logs provided by the Azure Relay service.
azure-relay Ip Firewall Virtual Networks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/ip-firewall-virtual-networks.md
Title: Configure IP firewall for Azure Relay namespace description: This article describes how to Use firewall rules to allow connections from specific IP addresses to Azure Relay namespaces. Previously updated : 06/23/2020 Last updated : 06/23/2021 # Configure IP firewall for an Azure Relay namespace
azure-relay Move Across Regions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/move-across-regions.md
Title: Move an Azure Relay namespace to another region description: This article shows you how to move an Azure Relay namespace from the current region to another region. Previously updated : 09/03/2020 Last updated : 06/03/2021
azure-relay Network Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/network-security.md
Title: Network security for Azure Relay description: This article describes how to use IP firewall rules and private endpoints with Azure Relay. Previously updated : 06/23/2020 Last updated : 06/23/2021 # Network security for Azure Relay
azure-relay Private Link Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/private-link-service.md
Title: Integrate Azure Relay with Azure Private Link Service description: Learn how to integrate Azure Relay with Azure Private Link Service Previously updated : 09/24/2020 Last updated : 06/24/2021
azure-relay Relay Api Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-api-overview.md
Title: Azure Relay API overview | Microsoft Docs
description: This article provides an overview of available Azure Relay APIs (.NET Standard, .NET Framework, Node.js, etc.) Previously updated : 06/23/2020 Last updated : 06/23/2021 # Available Relay APIs
azure-relay Relay Authentication And Authorization https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-authentication-and-authorization.md
Title: Azure Relay authentication and authorization | Microsoft Docs description: This article provides an overview of Shared Access Signature (SAS) authentication with the Azure Relay service. Previously updated : 06/23/2020 Last updated : 07/19/2021 # Azure Relay authentication and authorization
+There are two ways to authenticate and authorize access to Azure Relay resources: Azure Activity Directory (Azure AD) and Shared Access Signatures (SAS). This article gives you details on using these two types of security mechanisms.
-Applications can authenticate to Azure Relay using Shared Access Signature (SAS) authentication. SAS authentication enables applications to authenticate to the Azure Relay service using an access key configured on the Relay namespace. You can then use this key to generate a Shared Access Signature token that clients can use to authenticate to the relay service.
+## Azure Active Directory (Preview)
+Azure AD integration for Azure Relay resources provides Azure role-based access control (Azure RBAC) for fine-grained control over a clientΓÇÖs access to resources. You can use Azure RBAC to grant permissions to a security principal, which may be a user, a group, or an application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can be used to authorize a request to access an Azure Relay resource.
+
+For more information about authenticating with Azure AD, see the following articles:
+- [Authenticate with managed identities](authenticate-managed-identity.md)
+- [Authenticate from an Azure Active Directory application](authenticate-application.md)
+
+> [!IMPORTANT]
+> Authorizing users or applications using OAuth 2.0 token returned by Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there is no need to store tokens in your code and risk potential security vulnerabilities. We recommend that you use Azure AD with your Azure Relay applications when possible.
+
+### Built-in roles
+For Azure Relay, the management of namespaces and all related resources through the Azure portal and the Azure resource management API is already protected using the Azure RBAC model. Azure provides the below Azure built-in roles for authorizing access to a Relay namespace:
-## Shared Access Signature authentication
+| Role | Description |
+| - | -- |
+| Azure Relay Owner | Use this role to grant **full** access to Azure Relay resources. |
+| Azure Relay Listener | Use this role to grant **listen and entity read** access to Azure Relay resources. |
+| Azure Relay Sender | Use this role to grant **send and entity read** access to Azure Relay resources. |
++
+## Shared Access Signature
+Applications can authenticate to Azure Relay using Shared Access Signature (SAS) authentication. SAS authentication enables applications to authenticate to the Azure Relay service using an access key configured on the Relay namespace. You can then use this key to generate a Shared Access Signature token that clients can use to authenticate to the relay service.
[SAS authentication](../service-bus-messaging/service-bus-sas.md) enables you to grant a user access to Azure Relay resources with specific rights. SAS authentication involves the configuration of a cryptographic key with associated rights on a resource. Clients can then gain access to that resource by presenting a SAS token, which consists of the resource URI being accessed and an expiry signed with the configured key.
You can configure keys for SAS on a Relay namespace. Unlike Service Bus messagin
![A dialog box titled "Create Hybrid Connection" has a "Name" text box and a check box labeled "Requires Client Authentication", which is checked.][0]
-To use SAS, you can configure a [SharedAccessAuthorizationRule](/dotnet/api/microsoft.servicebus.messaging.sharedaccessauthorizationrule) object on a Relay namespace that consists of the following:
+To use SAS, you can configure a [SharedAccessAuthorizationRule](/dotnet/api/microsoft.servicebus.messaging.sharedaccessauthorizationrule) object on a Relay namespace that consists of the following properties:
* *KeyName* that identifies the rule. * *PrimaryKey* is a cryptographic key used to sign/validate SAS tokens. * *SecondaryKey* is a cryptographic key used to sign/validate SAS tokens. * *Rights* representing the collection of Listen, Send, or Manage rights granted.
-Authorization rules configured at the namespace level can grant access to all relay connections in a namespace for clients with tokens signed using the corresponding key. Up to 12 such authorization rules can be configured on a Relay namespace. By default, a [SharedAccessAuthorizationRule](/dotnet/api/microsoft.servicebus.messaging.sharedaccessauthorizationrule) with all rights is configured for every namespace when it is first provisioned.
+Authorization rules configured at the namespace level can grant access to all relay connections in a namespace for clients with tokens signed using the corresponding key. Up to 12 such authorization rules can be configured on a Relay namespace. By default, a [SharedAccessAuthorizationRule](/dotnet/api/microsoft.servicebus.messaging.sharedaccessauthorizationrule) with all rights is configured for every namespace when it's first provisioned.
To access an entity, the client requires a SAS token generated using a specific [SharedAccessAuthorizationRule](/dotnet/api/microsoft.servicebus.messaging.sharedaccessauthorizationrule). The SAS token is generated using the HMAC-SHA256 of a resource string that consists of the resource URI to which access is claimed, and an expiry with a cryptographic key associated with the authorization rule.
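Review bot: "Azure Activity Directory (Azure AD)" in the new opening paragraph should be "Azure Active Directory". In the IMPORTANT note, "there is no need to store tokens in your code" misstates the SAS risk described just below it: with SAS it is the namespace access key used to sign tokens that ends up in code or configuration, whereas an Azure AD access token is obtained at runtime, so "tokens" should read "keys". The built-in roles table is a useful addition; it would help to state the scopes at which these roles can be assigned (the authenticate-application article in this same change lists Relay entity, namespace, resource group and subscription), since least-privilege assignment at entity scope is the main advantage over the namespace-level SAS rules described in the next section.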
azure-relay Relay Create Namespace Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-create-namespace-portal.md
Title: Create a Relay namespace using the Azure portal | Microsoft Docs description: This article provides a walkthrough that shows you how to create a Relay namespace using the Azure portal. Previously updated : 06/23/2020 Last updated : 06/23/2021 # Create a Relay namespace using the Azure portal
azure-relay Relay Exceptions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-exceptions.md
Title: Azure Relay exceptions and how to resolve them | Microsoft Docs description: List of Azure Relay exceptions and suggested actions you can take to help resolve them. Previously updated : 06/23/2020 Last updated : 06/23/2021 # Azure Relay exceptions
azure-relay Relay Hybrid Connections Dotnet Api Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-hybrid-connections-dotnet-api-overview.md
Title: Overview of Azure Relay .NET Standard APIs | Microsoft Docs
description: This article provides an overview of the key Azure Relay Hybrid Connections .NET Standard APIs. Previously updated : 06/23/2020 Last updated : 06/23/2021 # Azure Relay Hybrid Connections .NET Standard API overview
azure-relay Relay Hybrid Connections Dotnet Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-hybrid-connections-dotnet-get-started.md
Title: Azure Relay Hybrid Connections - WebSockets in .NET
description: Write a C# console application for Azure Relay Hybrid Connections WebSockets. Previously updated : 06/23/2020 Last updated : 06/23/2021 # Get started with Relay Hybrid Connections WebSockets in .NET
azure-relay Relay Hybrid Connections Http Requests Dotnet Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-hybrid-connections-http-requests-dotnet-get-started.md
Title: Azure Relay Hybrid Connections - HTTP requests in .NET
description: Write a C# console application for Azure Relay Hybrid Connections HTTP requests in .NET. Previously updated : 06/23/2020 Last updated : 06/23/2021 # Get started with Relay Hybrid Connections HTTP requests in .NET
azure-relay Relay Hybrid Connections Http Requests Node Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-hybrid-connections-http-requests-node-get-started.md
Title: Azure Relay Hybrid Connections - HTTP requests in Node description: Write a Node.js console application for Azure Relay Hybrid Connections HTTP requests in Node. Previously updated : 06/23/2020 Last updated : 06/23/2021
azure-relay Relay Hybrid Connections Node Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-hybrid-connections-node-get-started.md
Title: Azure Relay Hybrid Connections - WebSockets in Node description: Write a Node.js console application for Azure Relay Hybrid Connections WebSockets Previously updated : 06/23/2020 Last updated : 06/23/2021
azure-relay Relay Hybrid Connections Node Ws Api Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-hybrid-connections-node-ws-api-overview.md
Title: Overview of the Azure Relay Node APIs | Microsoft Docs description: This article provides an overview of the Node.js API for the Azure Relay service. It also shows how to use the hyco-ws Node package. Previously updated : 06/23/2020 Last updated : 06/23/2021
azure-relay Relay Hybrid Connections Protocol https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-hybrid-connections-protocol.md
Title: Azure Relay Hybrid Connections protocol guide | Microsoft Docs description: This article describes the client-side interactions with the Hybrid Connections relay for connecting clients in listener and sender roles. Previously updated : 06/23/2020 Last updated : 06/23/2021 # Azure Relay Hybrid Connections protocol
azure-relay Relay Metrics Azure Monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-metrics-azure-monitor.md
Title: Azure Relay metrics in Azure Monitor | Microsoft Docs
description: This article provides information on how you can use Azure Monitor to monitor the state of Azure Relay. Previously updated : 06/23/2020 Last updated : 06/23/2021 # Azure Relay metrics in Azure Monitor
azure-relay Relay Migrate Acs Sas https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-migrate-acs-sas.md
Title: Azure Relay - Migrate to Shared Access Signature authorization description: Describes how to migrate Azure Relay applications from using Azure Active Directory Access Control Service to Shared Access Signature authorization. Previously updated : 06/23/2020 Last updated : 06/23/2021 # Azure Relay - Migrate from Azure Active Directory Access Control Service to Shared Access Signature authorization
azure-relay Relay Port Settings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-port-settings.md
Title: Azure Relay port settings | Microsoft Docs description: This article includes a table that describes the required configuration for port values for Azure Relay. Previously updated : 06/23/2020 Last updated : 06/23/2021 # Azure Relay port settings
azure-relay Relay What Is It https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-what-is-it.md
Title: What is Azure Relay? | Microsoft Docs description: This article provides an overview of the Azure Relay service, which allows you to develop cloud applications that consume on-premises services running in your corporate network without opening a firewall connection or making intrusive changes to your network infrastructure. Previously updated : 06/23/2020 Last updated : 06/23/2021 # What is Azure Relay?
azure-relay Service Bus Dotnet Hybrid App Using Service Bus Relay https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/service-bus-dotnet-hybrid-app-using-service-bus-relay.md
Title: Azure Windows Communication Foundation (WCF) Relay hybrid on-premises/clo
description: Learn how to expose an on-premises WCF service to a web application in the cloud by using Azure Relay Previously updated : 06/23/2020 Last updated : 06/23/2021 # Expose an on-premises WCF service to a web application in the cloud by using Azure Relay
azure-relay Service Bus Relay Rest Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/service-bus-relay-rest-tutorial.md
Title: 'Tutorial: REST tutorial using Azure Relay'
description: 'Tutorial: Build an Azure Relay host application that exposes a REST-based interface.' Previously updated : 06/23/2020 Last updated : 06/23/2021 # Tutorial: Azure WCF Relay REST tutorial
azure-relay Service Bus Relay Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/service-bus-relay-tutorial.md
Title: Expose an on-prem WCF REST service to clients using Azure Relay
description: This tutorial describes how to expose an on-premises WCF REST service to an external client by using Azure WCF Relay. Previously updated : 06/23/2020 Last updated : 06/23/2021 # Tutorial: Expose an on-premises WCF REST service to an external client by using Azure WCF Relay
azure-sql Auditing Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/auditing-overview.md
Previously updated : 06/24/2021 Last updated : 07/22/2021 # Auditing for Azure SQL Database and Azure Synapse Analytics
The following section describes the configuration of auditing using the Azure po
Auditing of Microsoft Support operations for Azure SQL Server allows you to audit Microsoft support engineers' operations when they need to access your server during a support request. The use of this capability, along with your auditing, enables more transparency into your workforce and allows for anomaly detection, trend visualization, and data loss prevention.
-To enable Auditing of Microsoft Support operations navigate to **Auditing** under the Security heading in your **Azure SQL server** pane, and switch **Auditing of Microsoft support operations** to **ON**.
+To enable auditing of Microsoft Support operations navigate to **Auditing** under the Security heading in your Azure **SQL server** pane, and switch **Enable Auditing of Microsoft support operations** to **ON**.
![Screenshot of Microsoft Support Operations](./media/auditing-overview/support-operations.png)
AzureDiagnostics
| where Category == "DevOpsOperationsAudit" ```
+You have the option of choosing a different storage destination for this auditing log, or use the same auditing configuration for your server.
++ ### <a id="audit-storage-destination"></a>Audit to storage destination To configure writing audit logs to a storage account, select **Storage** when you get to the **Auditing** section. Select the Azure storage account where logs will be saved, and then select the retention period by opening **Advanced properties**. Then click **Save**. Logs older than the retention period are deleted.
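Review bot: The added line "To enable auditing of Microsoft Support operations navigate to **Auditing** ..." still lacks the comma after the introductory clause, and the bolding now splits the product name as "Azure **SQL server**", which reads as if "SQL server" were the pane title on its own. Suggest "To enable auditing of Microsoft Support operations, navigate to **Auditing** under the Security heading in your **Azure SQL server** pane, ..." so the full pane name is bolded consistently with the rest of the section. The added sentence "You have the option of choosing a different storage destination for this auditing log, or use the same auditing configuration for your server." also mixes forms; "or of using the same auditing configuration as your server" keeps the two options parallel.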
azure-sql Ledger Append Only Ledger Tables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-append-only-ledger-tables.md
Title: "Azure SQL Database append-only ledger tables" description: This article provides information on append-only ledger table schema and views in Azure SQL Database.- Previously updated : "05/25/2021"+ Last updated : "07/23/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in public preview and available in West Central US.
+> Azure SQL Database ledger is currently in public preview and available in West Europe, Brazil South, and West Central US.
Append-only ledger tables allow only `INSERT` operations on your tables, which ensures that privileged users such as database administrators can't alter data through traditional [Data Manipulation Language](/sql/t-sql/queries/queries) operations. Append-only ledger tables are ideal for systems that don't update or delete records, such as security information event and management systems or blockchain systems where data needs to be replicated from the blockchain to a database. Because there are no `UPDATE` or `DELETE` operations on an append-only table, there's no need for a corresponding history table as there is with [updatable ledger tables](ledger-updatable-ledger-tables.md).
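Review bot: The region-availability note is changed by hand in the same way across every ledger article in this set (this file and the ten that follow), which is how the West Central US text drifted in the first place. Since each article already pulls in `[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]` right above the note, consider moving the "> Azure SQL Database ledger is currently in public preview and available in ..." block into a shared include so the region list is maintained once.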
azure-sql Ledger Audit https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-audit.md
Title: "Azure SQL Database audit events with ledger-enabled tables" description: Overview of Azure SQL Database ledger auditing capabilities- Previously updated : "05/25/2021"+ Last updated : "07/23/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in public preview and available in West Central US.
+> Azure SQL Database ledger is currently in public preview and available in West Europe, Brazil South, and West Central US.
When you perform forensics activities with ledger-enabled tables, data is captured in the ledger view and database ledger. Other action IDs are added to the SQL audit logs, too. The following tables outline these new audit logging events. The conditions that trigger the events follow each table.
azure-sql Ledger Create A Single Database With Ledger Enabled https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-create-a-single-database-with-ledger-enabled.md
Previously updated : 05/25/2021 Last updated : "07/23/2021"+ # Quickstart: Create a database in Azure SQL Database with ledger enabled
Last updated 05/25/2021
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in public preview and available in West Central US.
+> Azure SQL Database ledger is currently in public preview and available in West Europe, Brazil South, and West Central US.
In this quickstart, you create a [ledger database](ledger-overview.md#ledger-database) in Azure SQL Database and configure [automatic digest storage with Azure Blob Storage](ledger-digest-management-and-database-verification.md#automatic-generation-and-storage-of-database-digests) by using the Azure portal. For more information about ledger, see [Azure SQL Database ledger](ledger-overview.md).
azure-sql Ledger Database Ledger https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-database-ledger.md
Title: "Database ledger" description: This article provides information on ledger database tables and associated views in Azure SQL Database.- Previously updated : "05/25/2021"+ Last updated : "07/23/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in public preview and available in West Central US.
+> Azure SQL Database ledger is currently in public preview and available in West Europe, Brazil South, and West Central US.
The database ledger is part of the ledger feature of Azure SQL Database. The database ledger incrementally captures the state of a database as the database evolves over time, while updates occur on ledger tables. It logically uses a blockchain and [Merkle tree data structures](/archive/msdn-magazine/2018/march/blockchain-blockchain-fundamentals).
azure-sql Ledger Digest Management And Database Verification https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-digest-management-and-database-verification.md
Title: "Digest management and database verification" description: This article provides information on digest management and database verification for a ledger database in Azure SQL Database.- Previously updated : "05/25/2021" + Last updated : "07/23/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in public preview and available in West Central US.
+> Azure SQL Database ledger is currently in public preview and available in West Europe, Brazil South, and West Central US.
Azure SQL Database ledger provides a form of data integrity called *forward integrity*, which provides evidence of data tampering on data in your ledger tables. For example, if a banking transaction occurs on a ledger table where a balance has been updated to value `x`, and an attacker later modifies the data by changing the balance from `x` to `y`, database verification will detect this tampering activity.
azure-sql Ledger How To Access Acl Digest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-how-to-access-acl-digest.md
Title: "Access the digests stored in Azure Confidential Ledger" description: Access the digests stored in Azure Confidential Ledger with an Azure SQL Database ledger.- Previously updated : "05/25/2021"+ Last updated : "07/23/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in public preview and available in West Central US.
+> Azure SQL Database ledger is currently in public preview and available in West Europe, Brazil South, and West Central US.
This article shows you how to access an [Azure SQL Database ledger](ledger-overview.md) digest stored in [Azure Confidential Ledger](../../confidential-ledger/index.yml) to get end-to-end security and integrity guarantees. Throughout this article, we'll explain how to access and verify integrity of the stored information.
azure-sql Ledger How To Append Only Ledger Tables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-how-to-append-only-ledger-tables.md
Title: "Create and use append-only ledger tables" description: Learn how to create and use append-only ledger tables in Azure SQL Database.- Previously updated : "05/25/2021"+ Last updated : "07/23/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in public preview and available in West Central US.
+> Azure SQL Database ledger is currently in public preview and available in West Europe, Brazil South, and West Central US.
This article shows you how to create an [append-only ledger table](ledger-append-only-ledger-tables.md) in Azure SQL Database. Next, you'll insert values in your append-only ledger table and then attempt to make updates to the data. Finally, you'll view the results by using the ledger view. We'll use an example of a card key access system for a facility, which is an append-only system pattern. Our example will give you a practical look at the relationship between the append-only ledger table and its corresponding ledger view.
azure-sql Ledger How To Updatable Ledger Tables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-how-to-updatable-ledger-tables.md
Title: "Create and use updatable ledger tables" description: Learn how to create and use updatable ledger tables in Azure SQL Database.- Previously updated : "05/25/2021"+ Last updated : "07/23/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in public preview and available in West Central US.
+> Azure SQL Database ledger is currently in public preview and available in West Europe, Brazil South, and West Central US.
This article shows you how to create an [updatable ledger table](ledger-updatable-ledger-tables.md) in Azure SQL Database. Next, you'll insert values in your updatable ledger table and then make updates to the data. Finally, you'll view the results by using the ledger view. We'll use an example of a banking application that tracks banking customers' balances in their accounts. Our example will give you a practical look at the relationship between the updatable ledger table and its corresponding history table and ledger view.
azure-sql Ledger Limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-limits.md
Title: "Limitations for Azure SQL Database ledger" description: Limitations of the ledger feature in Azure SQL Database- Previously updated : "05/25/2021"+ Last updated : "07/23/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in public preview and available in West Central US.
+> Azure SQL Database ledger is currently in public preview and available in West Europe, Brazil South, and West Central US.
This article provides an overview of the limitations of ledger tables used with Azure SQL Database.
azure-sql Ledger Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-overview.md
Title: "Azure SQL Database ledger overview" description: Learn the basics of the Azure SQL Database ledger feature.- Previously updated : "05/25/2021"+ Last updated : "07/23/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in public preview and available in West Central US.
+> Azure SQL Database ledger is currently in public preview and available in West Europe, Brazil South, and West Central US.
Establishing trust around the integrity of data stored in database systems has been a longstanding problem for all organizations that manage financial, medical, or other sensitive data. The ledger feature of [Azure SQL Database](sql-database-paas-overview.md) provides tamper-evidence capabilities in your database. You can cryptographically attest to other parties, such as auditors or other business parties, that your data hasn't been tampered with.
azure-sql Ledger Updatable Ledger Tables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-updatable-ledger-tables.md
Title: "Azure SQL Database updatable ledger tables" description: This article provides information on updatable ledger tables, ledger schema, and ledger views in Azure SQL Database.- Previously updated : "05/25/2021"+ Last updated : "07/23/2021"
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in public preview and available in West Central US.
+> Azure SQL Database ledger is currently in public preview and available in West Europe, Brazil South, and West Central US.
Updatable ledger tables are system-versioned tables on which users can perform updates and deletes while also providing tamper-evidence capabilities. When updates or deletes occur, all earlier versions of a row are preserved in a secondary table, known as the history table. The history table mirrors the schema of the updatable ledger table. When a row is updated, the latest version of the row remains in the ledger table, while its earlier version is inserted into the history table by the system, transparently to the application.
azure-sql Ledger Verify Database https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-verify-database.md
Previously updated : 05/25/2021 Last updated : "07/23/2021"+ # Verify a ledger table to detect tampering
Last updated 05/25/2021
[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] > [!NOTE]
-> Azure SQL Database ledger is currently in public preview and available in West Central US.
+> Azure SQL Database ledger is currently in public preview and available in West Europe, Brazil South, and West Central US.
In this article, you'll verify the integrity of the data in your Azure SQL Database ledger tables. If you selected **Enable automatic digest storage** when you [created your database in SQL Database](ledger-create-a-single-database-with-ledger-enabled.md), follow the Azure portal instructions to automatically generate the Transact-SQL (T-SQL) script needed to verify the database ledger in the [query editor](connect-query-portal.md). Otherwise, follow the T-SQL instructions by using [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).
azure-sql Long Term Retention Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/long-term-retention-overview.md
If you modify the above policy and set W=0 (no weekly backups), the cadence of b
## Geo-replication and long-term backup retention
-If you're using active geo-replication or failover groups as your business continuity solution, you should prepare for eventual failovers and configure the same LTR policy on the secondary database or instance. Your LTR storage cost won't increase as backups aren't generated from the secondaries. The backups are only created when the secondary becomes primary the backups will be created. It ensures non-interrupted generation of the LTR backups when the failover is triggered and the primary moves to the secondary region.
+If you're using active geo-replication or failover groups as your business continuity solution, you should prepare for eventual failovers and configure the same LTR policy on the secondary database or instance. Your LTR storage cost won't increase as backups aren't generated from the secondaries. The backups are only created when the secondary becomes primary. It ensures non-interrupted generation of the LTR backups when the failover is triggered and the primary moves to the secondary region.
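Review bot: The added paragraph removes the duplicated clause correctly, but "It ensures non-interrupted generation of the LTR backups" still has no clear antecedent after the preceding sentence was shortened; "This ensures uninterrupted generation of LTR backups when a failover is triggered and the primary moves to the secondary region." reads unambiguously. The following note could also state explicitly that the recovered former primary inherits the LTR policy only once it is promoted back, which is what the last sentence implies.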
> [!NOTE] > When the original primary database recovers from an outage that caused the failover, it will become a new secondary. Therefore, the backup creation will not resume and the existing LTR policy will not take effect until it becomes the primary again.
azure-sql Maintenance Window https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/maintenance-window.md
Previously updated : 05/02/2021 Last updated : 07/22/2021 # Maintenance window (Preview)
Choosing a maintenance window other than the default is currently available in t
- Australia SouthEast - Brazil South - Canada Central
+- Canada East
+- Central India
- Central US - East US - East US2 - East Asia
+- France South
- Germany West Central - Japan East
+- Korea Central*
- NorthCentral US - North Europe - SouthCentral US - SouthEast Asia - UK South - UK West
+- West Central US
- West Europe - West US - West US2
+*Available only for Azure SQL Managed Instance
+ ## Gateway maintenance for Azure SQL Database To get the maximum benefit from maintenance windows, make sure your client applications are using the redirect connection policy. Redirect is the recommended connection policy, where clients establish connections directly to the node hosting the database, leading to reduced latency and improved throughput.
azure-sql Move Resources Across Regions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/move-resources-across-regions.md
This article provides a general workflow for moving resources to a different reg
> [!NOTE] > This article applies to migrations within the Azure public cloud or within the same sovereign cloud.
+> [!NOTE]
+> To move Azure SQL databases and elastic pools to a different Azure region, you can also use Azure Resource Mover (in preview). Refer [this tutorial](https://docs.microsoft.com/azure/resource-mover/tutorial-move-region-sql) for detailed steps to do the same.
+ [!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)] ## Move a database
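Review bot: The added note reads "Refer [this tutorial]", which should be "Refer to [this tutorial]" (or "See [this tutorial]"), and "for detailed steps to do the same" can simply be "for detailed steps." The link also uses an absolute `https://docs.microsoft.com/azure/resource-mover/tutorial-move-region-sql` URL, whereas the other cross-references in this set use site-relative paths such as `/dotnet/api/...`; a site-relative `/azure/resource-mover/tutorial-move-region-sql` keeps it working across locales and the review environments. Stacking a second `> [!NOTE]` directly under the existing one is fine, but consider folding the preview caveat into the note text ("Azure Resource Mover (preview)") so readers do not miss it.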
azure-sql Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/resource-graph-samples.md
+
+ Title: Azure Resource Graph sample queries for Azure SQL Database
+description: Sample Azure Resource Graph queries for Azure SQL Database showing use of resource types and tables to access Azure SQL Database related resources and properties.
Last updated : 07/21/2021+++++++
+# Azure Resource Graph sample queries for Azure SQL Database
+
+This page is a collection of [Azure Resource Graph](../../governance/resource-graph/overview.md)
+sample queries for Azure SQL Database. For a complete list of Azure Resource Graph samples, see
+[Resource Graph samples by Category](../../governance/resource-graph/samples/samples-by-category.md)
+and [Resource Graph samples by Table](../../governance/resource-graph/samples/samples-by-table.md).
+
+## Sample queries
++
+## Next steps
+
+- Learn more about the [query language](../../governance/resource-graph/concepts/query-language.md).
+- Learn more about how to [explore resources](../../governance/resource-graph/concepts/explore-resources.md).
+- See samples of [Starter language queries](../../governance/resource-graph/samples/starter.md).
+- See samples of [Advanced language queries](../../governance/resource-graph/samples/advanced.md).
azure-video-analyzer Access Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/access-policies.md
Title: Azure Video Analyzer access policies description: This article explains how Azure Video Analyzer uses JWT tokens in access policies to secure videos. Previously updated : 05/10/2021 Last updated : 06/01/2021
azure-video-analyzer Analyze Live Video Custom Vision https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/analyze-live-video-custom-vision.md
Title: Get started with Azure Video Analyzer description: This tutorial walks you through the steps to analyze live video with Azure Video Analyzer on IoT Edge and Azure Custom Vision. Previously updated : 04/21/2021 Last updated : 06/01/2021 zone_pivot_groups: video-analyzer-programming-languages
azure-video-analyzer Analyze Live Video Use Your Model Grpc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/analyze-live-video-use-your-model-grpc.md
Title: Analyze live video with your own gRPC model
description: This quickstart describes how to analyze live video with your own gRPC model with Video Analyzer. Previously updated : 04/21/2021 Last updated : 06/01/2021 zone_pivot_groups: video-analyzer-programming-languages
azure-video-analyzer Analyze Live Video Use Your Model Http https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/analyze-live-video-use-your-model-http.md
Title: Analyze live video with your own model - HTTP
description: This quickstart describes how to analyze live video with your own model (HTTP) with Video Analyzer. Previously updated : 04/01/2021 Last updated : 06/01/2021 zone_pivot_groups: video-analyzer-programming-languages
azure-video-analyzer Analyze Live Video Without Recording https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/analyze-live-video-without-recording.md
Title: Analyzing live video without recording - Azure description: A pipeline topology can be used to just extract analytics from a live video stream, without having to record it on the edge or in the cloud. This article discusses this concept. Previously updated : 03/27/2021 Last updated : 06/01/2021 # Analyzing live videos without recording
azure-video-analyzer Computer Vision For Spatial Analysis https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/computer-vision-for-spatial-analysis.md
Previously updated : 04/01/2021 Last updated : 06/01/2021 # Tutorial: Live Video with Computer Vision for Spatial Analysis (preview)
azure-video-analyzer Configure Signal Gate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/configure-signal-gate.md
Title: Configuring a signal gate for event-based video recording - Azure description: This article provides guidance about how to configure a signal gate in a pipeline. Previously updated : 4/12/2021 Last updated : 06/01/2021
Some system defined variables that you can use are:
## Next steps
-Try out the [Event-based video recording tutorial](record-event-based-live-video.md). Start by editing the [topology.json](https://raw.githubusercontent.com/Azure/video-analyzer/main/pipelines/live/topologies/evr-hubMessage-video-sink/topology.json). Modify the parameters for the signalgateProcessor node, and then follow the rest of the tutorial. Review the video recordings to analyze the effect of the parameters.
+Try out the [Event-based video recording tutorial](record-event-based-live-video.md). Start by editing the [topology.json](https://raw.githubusercontent.com/Azure/video-analyzer/main/pipelines/live/topologies/evr-hubMessage-video-sink/topology.json). Modify the parameters for the signalgateProcessor node, and then follow the rest of the tutorial. Review the video recordings to analyze the effect of the parameters.
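Review bot: The removed and added lines are identical in the visible text, so this hunk appears to be a whitespace-only or line-ending change; if that is intended, fine, but if a wording change to the signalgateProcessor guidance was meant here it did not make it into the commit. Note that `signalgateProcessor` is rendered as plain prose in the sentence while the surrounding text treats node names as code, so backticks around it would match the rest of the article.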
azure-video-analyzer Continuous Video Recording https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/continuous-video-recording.md
Title: Continuous video recording from the edge - Azure Video Analyzer
description: Continuous video recording (CVR) refers to the process of continuously recording from a live video source. This topic discusses what CVR is and how to use it with Azure Video Analyzer. Previously updated : 05/10/2021 Last updated : 06/01/2021
azure-video-analyzer Create Pipeline Vs Code Extension https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/create-pipeline-vs-code-extension.md
Title: Azure Video Analyzer Visual Studio Code extension
description: This quickstart walks you through the steps to get started with Azure Video Analyzer Visual Studio Code extension. Previously updated : 04/30/2021 Last updated : 06/01/2021
azure-video-analyzer Create Video Analyzer Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/create-video-analyzer-account.md
Title: Create an Azure Video Analyzer account
description: This topic explains how to create an account for Azure Video Analyzer. Previously updated : 05/01/2021 Last updated : 06/01/2021 # Create a Video Analyzer account
Learn how to [deploy Video Analyzer on an IoT Edge device][docs-deploy-on-edge].
[docs-arm-template]: ../../azure-resource-manager/templates/overview.md
[docs-deploy-on-edge]: deploy-iot-edge-device.md
[click-to-deploy]: https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fgist.githubusercontent.com%2Fbennage%2F58523b2e6a4d3bf213f16893d894dcaf%2Fraw%2Fazuredeploy.json
-<!-- TODO update the link above! -->
+<!-- TODO update the link above! -->
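Review bot: the TODO comment is carried over unchanged instead of being resolved, and the [click-to-deploy] reference it points at still loads the ARM template from a raw gist under a personal GitHub account (bennage). A one-click deployment should fetch its template from a Microsoft-owned, version-pinned location so that readers are not deploying infrastructure from a mutable personal gist that the docs team does not control; either update the link in this change or replace the TODO with a reference to where the fix is tracked.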
azure-video-analyzer Customer Managed Keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/customer-managed-keys.md
description: You can use a customer managed key (that is, bring your own key) wi
Previously updated : 05/04/2021 Last updated : 06/01/2021 # Customer managed keys with Azure Video Analyzer
azure-video-analyzer Deploy Iot Edge Device https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/deploy-iot-edge-device.md
Title: Deploy Azure Video Analyzer to an IoT Edge device - Azure description: This article lists the steps that will help you deploy Azure Video Analyzer to your IoT Edge device. You would do this, for example, if you have access to a local Linux machine. Previously updated : 04/07/2021 Last updated : 06/01/2021 # Deploy Azure Video Analyzer to an IoT Edge device
azure-video-analyzer Deploy Iot Edge Linux On Windows https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/deploy-iot-edge-linux-on-windows.md
Title: Deploy to an IoT Edge for Linux on Windows - Azure description: This article provides guidance on how to deploy to an IoT Edge for Linux on Windows device. Previously updated : 05/25/2021 Last updated : 06/01/2021
azure-video-analyzer Deploy On Stack Edge https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/deploy-on-stack-edge.md
Title: Deploy Azure Video Analyzer on Azure Stack Edge description: This article lists the steps that will help you deploy Azure Video Analyzer on your Azure Stack Edge. Previously updated : 01/06/2021 Last updated : 06/01/2021 # Deploy Azure Video Analyzer on Azure Stack Edge
Follow these instructions to connect to your IoT hub by using the Azure IoT Tool
## Next steps
-[Detect motion and emit events](detect-motion-emit-events-quickstart.md)
+[Detect motion and emit events](detect-motion-emit-events-quickstart.md)
azure-video-analyzer Detect Motion Emit Events Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/detect-motion-emit-events-quickstart.md
Title: Detect motion and emit events from the edge - Azure description: This quickstart shows you how to use Azure Video Analyzer to detect motion and emit events, by programmatically calling direct methods. Previously updated : 03/17/2021 Last updated : 06/01/2021 zone_pivot_groups: ams-lva-edge-programming-languages
If you intend to try the other quickstarts, then you should keep the resources y
- Review additional challenges for advanced users:
  - Use an [IP camera](https://en.wikipedia.org/wiki/IP_camera) that supports RTSP instead of using the RTSP simulator. You can find IP cameras that support RTSP on the [ONVIF conformant products](https://www.onvif.org/conformant-products/) page. Look for devices that conform with profiles G, S, or T.
- - Use an AMD64 or x64 Linux device rather than using a Linux VM in Azure. This device must be in the same network as the IP camera. Follow the instructions in [Install Azure IoT Edge runtime on Linux](../../iot-edge/how-to-install-iot-edge.md?preserve-view=true&view=iotedge-2020-11). Then follow the instructions in [Deploy your first IoT Edge module to a virtual Linux device](../../iot-edge/quickstart-linux.md?preserve-view=true&view=iotedge-2020-11) register the device with Azure IoT Hub.
+ - Use an AMD64 or x64 Linux device rather than using a Linux VM in Azure. This device must be in the same network as the IP camera. Follow the instructions in [Install Azure IoT Edge runtime on Linux](../../iot-edge/how-to-install-iot-edge.md?preserve-view=true&view=iotedge-2020-11). Then follow the instructions in [Deploy your first IoT Edge module to a virtual Linux device](../../iot-edge/quickstart-linux.md?preserve-view=true&view=iotedge-2020-11) register the device with Azure IoT Hub.
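Review bot: the removed and added lines are identical, so the grammatical gap survives the change: "Then follow the instructions in [Deploy your first IoT Edge module to a virtual Linux device](...) register the device with Azure IoT Hub" is missing "to" before "register". Suggest "... virtual Linux device](...) to register the device with Azure IoT Hub."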
azure-video-analyzer Detect Motion Record Video Clips Cloud https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/detect-motion-record-video-clips-cloud.md
Title: Detect motion, record video with Azure Video Analyzer description: This quickstart shows how to use the Azure Video Analyzer edge module to detect motion in a live video stream and record video to the Video Analyzer account. Previously updated : 04/03/2021 Last updated : 06/01/2021 # Quickstart: Detect motion, record video to Video Analyzer
azure-video-analyzer Detect Motion Record Video Edge Devices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/detect-motion-record-video-edge-devices.md
Title: Detect motion and record video on edge devices - Azure description: Use Azure Video Analyzer to analyze the live video feed from a (simulated) IP camera. It shows how to detect if any motion is present, and if so, record an MP4 video clip to the local file system on the edge device. The quickstart uses an Azure VM as an IoT Edge device and also uses a simulated live video stream. Previously updated : 04/01/2021 Last updated : 06/01/2021 zone_pivot_groups: video-analyzer-programming-languages
azure-video-analyzer Develop Deploy Grpc Inference Srv https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/develop-deploy-grpc-inference-srv.md
Title: Develop and deploy a gRPC inference server - Azure Video Analyzer
description: This article provides guidance on how to develop and deploy a gRPC inference server to be used with Azure Video Analyzer. Previously updated : 04/01/2021 Last updated : 06/01/2021
azure-video-analyzer Direct Methods https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/direct-methods.md
Title: Use direct methods in Azure Video Analyzer - Azure description: Azure Video Analyzer exposes several direct methods. The direct methods are based on the conventions described in this topic. Previously updated : 05/06/2021 Last updated : 06/01/2021 # Azure Video Analyzer Direct methods
azure-video-analyzer Event Based Video Recording Concept https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/event-based-video-recording-concept.md
Title: Azure Video Analyzer event-based video recording - Azure description: Azure Video Analyzer event-based video recording (EVR) refers to the process of recording video when triggered by an event. The event in question could originate due to processing of the video signal itself (for example, when motion is detected) or could be from an independent source (for example, a door sensor signals that the door has been opened). A few use cases related to EVR are described in this article. Previously updated : 05/13/2021 Last updated : 06/01/2021 # Event-based video recording
azure-video-analyzer Get Started Detect Motion Emit Events Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/get-started-detect-motion-emit-events-portal.md
Title: Get started with Azure Video Analyzer using the Azure portal - Azure
description: This quickstart walks you through the steps to get started with Azure Video Analyzer by using the Azure portal. Previously updated : 05/25/2021 Last updated : 06/01/2021 # Quickstart: Get started with Azure Video Analyzer in the Azure portal
azure-video-analyzer Get Started Detect Motion Emit Events https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/get-started-detect-motion-emit-events.md
Title: Get started with Azure Video Analyzer - Azure
description: This quickstart walks you through the steps to get started with Azure Video Analyzer. It uses an Azure VM as an IoT Edge device and a simulated live video stream. Previously updated : 04/21/2021 Last updated : 06/01/2021
azure-video-analyzer Grpc Extension Protocol https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/grpc-extension-protocol.md
Title: gRPC extension protocol - Azure description: Azure Video Analyzer allows you to enhance its processing capabilities through a pipeline extension node. The gRPC extension processor enables extensibility scenarios using the highly performant, structured, gRPC-based protocol. Previously updated : 05/15/2021 Last updated : 06/01/2021
azure-video-analyzer Http Extension Protocol https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/http-extension-protocol.md
Title: HTTP extension protocol - Azure description: Azure Video Analyzer allows you to enhance its processing capabilities through a pipeline extension node. HTTP extension processor enables extensibility scenarios using the HTTP protocol, where performance and/or optimal resource utilization is not the primary concern. Previously updated : 03/30/2021 Last updated : 06/01/2021
azure-video-analyzer Inference Metadata Schema https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/inference-metadata-schema.md
Title: Inference metadata schema - Azure description: In Azure Video Analyzer, each inference object regardless of using HTTP-based contract or gRPC based contract follows the object model described in this topic. Previously updated : 04/11/2021 Last updated : 06/01/2021
The example below contains a single event with some supported inference types:
## Next steps
- [gRPC data contract](./grpc-extension-protocol.md)
-- [HTTP data contract](./http-extension-protocol.md)
+- [HTTP data contract](./http-extension-protocol.md)
azure-video-analyzer Manage Recording Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/manage-recording-policy.md
Title: Manage recording policy with Azure Video Analyzer
description: This topic explains how to manage recording policy with Azure Video Analyzer. Previously updated : 04/04/2021 Last updated : 06/01/2021 # Manage recording policy with Video Analyzer
azure-video-analyzer Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/managed-identity.md
Title: Managed identities with Azure Video Analyzer
description: This topic explains how to use managed identities with Azure Video Analyzer. Previously updated : 05/04/2021 Last updated : 06/01/2021
azure-video-analyzer Module Twin Configuration Schema https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/module-twin-configuration-schema.md
Title: Azure Video Analyzer module twin JSON schema description: This article provides an overview of an Azure Video Analyzer module twin JSON schema. Previously updated : 04/30/2021 Last updated : 06/01/2021 # Module twin configuration schema
azure-video-analyzer Monitor Log Edge https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/monitor-log-edge.md
Title: Monitoring and logging - Azure description: This article provides an overview of monitoring and logging in Azure Video Analyzer. Previously updated : 04/27/2020 Last updated : 06/01/2021 # Monitor and log on IoT Edge
azure-video-analyzer Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/overview.md
Title: What is Azure Video Analyzer
description: This topic provides an overview of Azure Video Analyzer. Previously updated : 03/11/2021 Last updated : 06/01/2021 # What is Azure Video Analyzer? (preview)
azure-video-analyzer Pipeline Extension https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/pipeline-extension.md
Title: Pipeline extension - Azure Video Analyzer
description: Azure Video Analyzer allows you to extend the pipeline processing capabilities through a pipeline extension node. This article describes the pipeline extension node. Previously updated : 03/30/2021 Last updated : 06/01/2021
azure-video-analyzer Pipeline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/pipeline.md
Title: Azure Video Analyzer pipeline description: An Azure Video Analyzer pipeline lets you define where input data should be captured from, how it should be processed, and where the results should be delivered. A pipeline consists of nodes that are connected to achieve the desired flow of data. Previously updated : 05/13/2021 Last updated : 06/01/2021 # Pipeline
azure-video-analyzer Playback Recordings How To https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/playback-recordings-how-to.md
Title: Playback of video recordings - Azure Video Analyzer
description: You can use Azure Video Analyzer for continuous video recording, whereby you can record video into the cloud for weeks or months. You can also limit your recording to clips that are of interest, via event-based recording. This article talks about how to playback such recordings. Previously updated : 05/13/2021 Last updated : 06/01/2021 # Playback of video recordings
azure-video-analyzer Player Widget https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/player-widget.md
Title: Using the Azure Video Analyzer player widget
description: This reference article explains how to add a Video Analyzer player widget to your application. Previously updated : 05/11/2021 Last updated : 06/01/2021
azure-video-analyzer Production Readiness https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/production-readiness.md
Title: Production readiness and best practices description: This article provides guidance on how to configure and deploy the Azure Video Analyzer module in production environments. Previously updated : 04/26/2021 Last updated : 06/01/2021 # Production readiness and best practices
azure-video-analyzer Quotas Limitations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/quotas-limitations.md
Title: Azure Video Analyzer quotas and limitations - Azure
description: This article describes Azure Video Analyzer quotas and limitations. Previously updated : 05/26/2021 Last updated : 06/01/2021 # Video Analyzer quotas and limitations
azure-video-analyzer Record Event Based Live Video https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/record-event-based-live-video.md
Title: Event-based video recording to the cloud and playback from the cloud tutorial - Azure description: In this tutorial, you'll learn how to use Azure Video Analyzer to record an event-based video recording to the cloud and play it back from the cloud. Previously updated : 04/13/2021 Last updated : 06/01/2021 # Tutorial: Event-based video recording and playback
azure-video-analyzer Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/release-notes.md
Title: Azure Video Analyzer release notes - Azure description: This topic provides release notes of Azure Video Analyzer releases, improvements, bug fixes, and known issues. Previously updated : 05/25/2021 Last updated : 06/01/2021 # Azure Video Analyzer release notes
azure-video-analyzer Sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/sdk.md
description: Learn about the Azure Video Analyzer SDKs
Previously updated : 05/14/2021 Last updated : 06/01/2021
The following platforms are supported:
[docs-direct-methods]: direct-methods.md
[docs-iot-hub-sdks]: ../../iot-hub/iot-hub-devguide-sdks.md
-[REST API]: https://aka.ms/ava/api/rest
+[REST API]: https://aka.ms/ava/api/rest
azure-video-analyzer Terminology https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/terminology.md
Title: Azure Video Analyzer terminology
description: This article provides an overview of Azure Video Analyzer terminology. Previously updated : 05/10/2021 Last updated : 06/01/2021 # Azure Video Analyzer terminology
azure-video-analyzer Track Objects Live Video https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/track-objects-live-video.md
Title: Track objects in a live video with Azure Video Analyzer description: This quickstart shows you how to use the Azure Video Analyzer edge module to track objects in a live video feed from a (simulated) IP camera. You will see how to apply a computer vision model to detect objects in a subset of the frames in the live video feed. You can then use an object tracker node to track those objects in the other frames. Previously updated : 05/01/2021 Last updated : 06/01/2021 # Quickstart: Track objects in a live video
azure-video-analyzer Use Azure Portal To Invoke Direct Methods https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/use-azure-portal-to-invoke-direct-methods.md
Title: How to use Azure portal to invoke direct methods for Azure Video Analyzer description: This article is an overview of using the Azure portal to invoke direct methods for Azure Video Analyzer. Previously updated : 03/31/2021 Last updated : 06/01/2021 # Use Azure portal to invoke direct methods for Azure Video Analyzer
azure-video-analyzer Use Continuous Video Recording https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/use-continuous-video-recording.md
Title: Continuous video recording and playback tutorial - Azure Video Analyzer description: In this tutorial, you'll learn how to use Azure Video Analyzer to continuously record video to the cloud and play back that recording. Previously updated : 04/01/2021 Last updated : 06/01/2021 # Tutorial: Continuous video recording and playback
azure-video-analyzer Use Intel Grpc Video Analytics Serving Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/use-intel-grpc-video-analytics-serving-tutorial.md
Title: Analyze live videos by using Intel OpenVINO™ DL Streamer – Edge AI E
description: This tutorial shows you how to use the Intel OpenVINO™ DL Streamer – Edge AI Extension from Intel to analyze live video feeds from a (simulated) IP camera. Previously updated : 05/18/2021 Last updated : 06/01/2021 # Tutorial: Analyze live video with Intel OpenVINO™ DL Streamer – Edge AI Extension
azure-video-analyzer Use Intel Openvino Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/use-intel-openvino-tutorial.md
Title: Analyze live video using OpenVINO™ Model Server – AI Extension from
description: In this tutorial, you will use an AI model server with pre-trained models provided by Intel to analyze the live video feed from a (simulated) IP camera. Previously updated : 05/18/2021 Last updated : 06/01/2021
azure-video-analyzer Use Line Crossing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/use-line-crossing.md
Title: Detect when objects cross a virtual line in a live video with Azure Video Analyzer description: This quickstart shows you how to use Azure Video Analyzer to detect when objects cross a line in a live video feed from a (simulated) IP camera. Previously updated : 05/18/2021 Last updated : 06/01/2021 # Tutorial: Detect when objects cross a virtual line in a live video
azure-video-analyzer Video Recording https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/video-recording.md
Title: Record video for playback with Azure Video Analyzer
description: This article discusses recording of video for playback with Azure Video Analyzer. Previously updated : 03/30/2021 Last updated : 06/01/2021
azure-video-analyzer Visual Studio Code Extension https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/visual-studio-code-extension.md
Title: Use Azure Video Analyzer Visual Studio Code extension
description: This reference article explains how to use the various pieces of functionality in the Azure Video Analyzer Visual Studio Code extension. Previously updated : 05/01/2021 Last updated : 06/01/2021
azure-vmware Configure Alerts For Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/configure-alerts-for-azure-vmware-solution.md
Title: Configure alerts and work with metrics in Azure VMware Solution description: Learn how to use alerts to receive notifications. Also learn how to work with metrics to gain deeper insights into your Azure VMware Solution private cloud. Previously updated : 04/02/2021 Last updated : 07/23/2021
# Configure Azure Alerts in Azure VMware Solution
In this article, you'll learn how to configure [Azure Action Groups](../azure-monitor/alerts/action-groups.md) in [Microsoft Azure Alerts](../azure-monitor/alerts/alerts-overview.md) to receive notifications of triggered events that you define. You'll also learn about using [Azure Monitor Metrics](../azure-monitor/essentials/data-platform-metrics.md) to gain deeper insights into your Azure VMware Solution private cloud.
+>[!NOTE]
+>Incidents affecting the availability of an Azure VMware Solution host and its corresponding restoration are sent automatically to the Account Administrator, Service Administrator (Classic Permission), Co-Admins (Classic Permission), and Owners (RBAC Role) of the subscription(s) containing Azure VMware Solution private clouds.
## Supported metrics and activities
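Review bot: the added note says host-availability incidents go automatically to the Account Administrator, Service Administrator and Co-Admins (classic permissions) and to RBAC Owners, but it does not say whether this built-in notification is separate from the Action Groups this article tells the reader to configure, nor what happens for subscriptions with no classic administrators. One sentence clarifying that relationship would stop readers from assuming their action group already covers host incidents, or that it can replace the Owner notification.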
azure-vmware Deploy Traffic Manager Balance Workloads https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/deploy-traffic-manager-balance-workloads.md
The following steps verify the configuration of your application gateways.
A window opens showing various information on the application gateway.
- :::image type="content" source="media/traffic-manager/backend-pool-config.png" alt-text="Screenshot of Application gateway page showing details of the selected application gateway." lightbox="media/traffic-manager/backend-pool-config.png":::
+ :::image type="content" source="media/traffic-manager/backend-pool-configuration.png" alt-text="Screenshot of Application gateway page showing details of the selected application gateway." lightbox="media/traffic-manager/backend-pool-configuration.png":::
1. Select **Backend pools** to verify the configuration of one of the backend pools. You see one VM backend pool member configured as a web server with an IP address of 172.29.1.10.
The following steps verify the configuration of the NSX-T segment in the Azure V
1. Select **Segments** to view your configured segments. You see Contoso-segment1 connected to Contoso-T01 gateway, a Tier-1 flexible router.
- :::image type="content" source="media/traffic-manager/nsx-t-segment-avs.png" alt-text="Screenshot showing segment profiles in NSX-T Manager." lightbox="media/traffic-manager/nsx-t-segment-avs.png":::
+ :::image type="content" source="media/traffic-manager/nsx-t-segment-azure-vmware-solution.png" alt-text="Screenshot showing segment profiles in NSX-T Manager." lightbox="media/traffic-manager/nsx-t-segment-azure-vmware-solution.png":::
1. Select **Tier-1 Gateways** to see a list of Tier-1 gateways with the number of linked segments.
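Review bot: both screenshot references are renamed (backend-pool-config.png to backend-pool-configuration.png, and nsx-t-segment-avs.png to nsx-t-segment-azure-vmware-solution.png) while the alt text and the surrounding steps are unchanged; confirm the image files under media/traffic-manager are renamed in the same commit and the old files deleted, otherwise the build fails on the new source path or keeps orphaned images in the repository.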
azure-vmware Disaster Recovery Using Vmware Site Recovery Manager https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/disaster-recovery-using-vmware-site-recovery-manager.md
Title: Deploy disaster recovery with VMware Site Recovery Manager description: Deploy disaster recovery with VMware Site Recovery Manager (SRM) in your Azure VMware Solution private cloud. Previously updated : 07/15/2021 Last updated : 07/22/2021 # Deploy disaster recovery with VMware Site Recovery Manager
The workflow diagram shows the Primary Azure VMware Solution to secondary workfl
1. In your on-premises datacenter, install VMware SRM and vSphere.
   >[!NOTE]
- >Use the [Two-site Topology with one vCenter Server instance per PSC](https://docs.vmware.com/en/Site-Recovery-Manager/8.3/com.VMware.srm.install_config.doc/GUID-F474543A-88C5-4030-BB86-F7CC51DADE22.html) deployment model. Also, make sure that the [required vSphere Replication Network ports](https://kb.VMware.com/s/article/2087769) are opened.
+ >Use the [Two-site Topology with one vCenter Server instance per PSC](https://docs.vmware.com/en/Site-Recovery-Manager/8.4/com.vmware.srm.install_config.doc/GUID-F474543A-88C5-4030-BB86-F7CC51DADE22.html) deployment model. Also, make sure that the [required vSphere Replication Network ports](https://kb.VMware.com/s/article/2087769) are opened.
1. In your Azure VMware Solution private cloud, under **Manage**, select **Add-ons** > **Disaster recovery**.
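Review bot: the deployment-model link moves from the SRM 8.3 install guide to the 8.4 guide (and fixes the path casing to com.vmware), but the "Pre-requisites and Best Practices for SRM installation" and "Network ports for SRM" links in the reference list later in this entry still point at the 8.3 guide; pick one SRM version for the whole article so the reader is not sent to two different documentation sets for one procedure.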
VMware and Microsoft support teams will engage each other as needed to troublesh
- [Pre-requisites and Best Practices for SRM installation](https://docs.vmware.com/en/Site-Recovery-Manager/8.3/com.vmware.srm.install_config.doc/GUID-BB0C03E4-72BE-4C74-96C3-97AC6911B6B8.html)
- [Network ports for SRM](https://docs.vmware.com/en/Site-Recovery-Manager/8.3/com.vmware.srm.install_config.doc/GUID-499D3C83-B8FD-4D4C-AE3D-19F518A13C98.html)
- [Network ports for vSphere Replication](https://kb.vmware.com/s/article/2087769)
-
azure-vmware Production Ready Deployment Steps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/production-ready-deployment-steps.md
An Azure VMware Solution private cloud requires an Azure Virtual Network and an
Define whether you want to use an *existing* OR *new* ExpressRoute virtual network gateway. If you decide to use a *new* virtual network gateway, you'll create it after you create your private cloud. It's acceptable to use an existing ExpressRoute virtual network gateway, and for planning purposes, make note of which ExpressRoute virtual network gateway you'll use.
azure-vmware Tutorial Access Private Cloud https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/tutorial-access-private-cloud.md
In this tutorial, you learn how to:
1. In the resource group, select **+ Add** then search and select **Microsoft Windows 10**, and then select **Create**.
- :::image type="content" source="media/tutorial-access-private-cloud/ss8-azure-w10vm-create.png" alt-text="Screenshot of how to add a new Windows 10 VM for a jump box." border="true":::
+ :::image type="content" source="media/tutorial-access-private-cloud/ss8-azure-w10vm-create.png" alt-text="Screenshot of how to add a new Windows 10 VM for a jump box.":::
1. Enter the required information in the fields, and then select **Review + create**.
In this tutorial, you learn how to:
The URLs and user credentials for private cloud vCenter and NSX-T Manager display.
- :::image type="content" source="media/tutorial-access-private-cloud/ss4-display-identity.png" alt-text="Screenshot showing the private cloud vCenter and NSX Manager URLs and credentials." border="true" lightbox="media/tutorial-access-private-cloud/ss4-display-identity.png":::
+ :::image type="content" source="media/tutorial-access-private-cloud/ss4-display-identity.png" alt-text="Screenshot showing the private cloud vCenter and NSX Manager URLs and credentials." lightbox="media/tutorial-access-private-cloud/ss4-display-identity.png":::
1. Navigate to the VM you created in the preceding step and connect to the virtual machine.
cloud-services Cloud Services Guestos Msrc Releases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services/cloud-services-guestos-msrc-releases.md
The following tables show the Microsoft Security Response Center (MSRC) updates
| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |
| --- | --- | --- | --- | --- |
| Rel 21-06 | [5003646] | Latest Cumulative Update(LCU) | [6.32] | June 8, 2021 |
-| Rel 21-06 | [4580325] | Flash update | [3.98], [4.91], [5.56], [6.32] | Oct 13, 2020 |
+| Rel 21-06 | 4580325 | Flash update | [3.98], [4.91], [5.56], [6.32] | Oct 13, 2020 |
| Rel 21-06 | [5003636] | IE Cumulative Updates | [2.111], [3.98], [4.91] | June 8, 2021 |
| Rel 21-06 | [5003638] | Latest Cumulative Update(LCU) | [5.56] | June 8, 2021 |
| Rel 21-06 | [4578952] | .NET Framework 3.5 Security and Quality Rollup | [2.111] | Oct 13, 2020 |
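Review bot: unlinking 4580325 leaves the Flash update as the only row whose KB number is plain text while every other row in the table stays linked, and the matching "[4580325]:" definition is removed below. If the support page for this Flash update is no longer published, a short note in the row saying so would explain the inconsistency; otherwise keep the link. The same edit repeats for Rel 21-05, 21-04, 21-03 and 21-02 further down, and the replacement definition line that follows each removal begins with a leading space, which should be checked against the source file.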
The following tables show the Microsoft Security Response Center (MSRC) updates
| Rel 21-06 | [4052623] | Update for Microsoft Defender antimalware platform | [6.32], [5.56] | May 13, 2021 |
[5003646]: https://support.microsoft.com/kb/5003646
-[4580325]: https://support.microsoft.com/kb/4580325
+ [5003636]: https://support.microsoft.com/kb/5003636 [5003638]: https://support.microsoft.com/kb/5003638 [4578952]: https://support.microsoft.com/kb/4578952
The following tables show the Microsoft Security Response Center (MSRC) updates
| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |
| --- | --- | --- | --- | --- |
| Rel 21-05 | [5003171] | Latest Cumulative Update(LCU) | [6.31] | May 11, 2021 |
-| Rel 21-05 | [4580325] | Flash update | [3.97], [4.90], [5.55], [6.31] | Oct 13, 2020 |
+| Rel 21-05 | 4580325 | Flash update | [3.97], [4.90], [5.55], [6.31] | Oct 13, 2020 |
| Rel 21-05 | [5003165] | IE Cumulative Updates | [2.110], [3.97], [4.90] | May 11, 2021 |
| Rel 21-05 | [5003197] | Latest Cumulative Update(LCU) | [5.55] | May 11, 2021 |
| Rel 21-05 | [4578952] | .NET Framework 3.5 Security and Quality Rollup | [2.110] | Oct 13, 2020 |
The following tables show the Microsoft Security Response Center (MSRC) updates
| Rel 21-05 | [4494174] | Microcode | [6.31] | Sep 1, 2020 |
[5003171]: https://support.microsoft.com/kb/5003171
-[4580325]: https://support.microsoft.com/kb/4580325
+ [5003165]: https://support.microsoft.com/kb/5003165 [5003197]: https://support.microsoft.com/kb/5003197 [4578952]: https://support.microsoft.com/kb/4578952
The following tables show the Microsoft Security Response Center (MSRC) updates
| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |
| --- | --- | --- | --- | --- |
| Rel 21-04 | [5001342] | Latest Cumulative Update(LCU) | [6.30] | Apr 13, 2021 |
-| Rel 21-04 | [4580325] | Flash update | [3.96], [4.89], [5.54], [6.30] | Oct 13, 2020 |
+| Rel 21-04 | 4580325 | Flash update | [3.96], [4.89], [5.54], [6.30] | Oct 13, 2020 |
| Rel 21-04 | [5000800] | IE Cumulative Updates | [2.109], [3.96], [4.89] | Mar 9, 2021 |
| Rel 21-04 | [5001347] | Latest Cumulative Update(LCU) | [5.54] | Apr 13, 2021 |
| Rel 21-04 | [4578952] | .NET Framework 3.5 Security and Quality Rollup | [2.109] | Oct 13, 2020 |
The following tables show the Microsoft Security Response Center (MSRC) updates
| Rel 21-04 | [4494174] | Microcode  | [6.30] | Sep 1, 2020 | [5001342]: https://support.microsoft.com/kb/5001342
-[4580325]: https://support.microsoft.com/kb/4580325
+ [5000800]: https://support.microsoft.com/kb/5000800 [5001347]: https://support.microsoft.com/kb/5001347 [4578952]: https://support.microsoft.com/kb/4578952
The following tables show the Microsoft Security Response Center (MSRC) updates
| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced | | | | | | | | Rel 21-03 | [5000822] | Latest Cumulative Update(LCU) | [6.29] | Mar 9, 2021 |
-| Rel 21-03 | [4580325] | Flash update | [3.95], [4.88], [5.53], [6.29] | Oct 13, 2020 |
+| Rel 21-03 | 4580325 | Flash update | [3.95], [4.88], [5.53], [6.29] | Oct 13, 2020 |
| Rel 21-03 | [5000800] | IE Cumulative Updates | [2.108], [3.95], [4.88] | Mar 9, 2021 | | Rel 21-03 | [5000803] | Latest Cumulative Update(LCU) | [5.53] | Mar 9, 2021 | | Rel 21-03 | [4578952] | .NET Framework 3.5 Security and Quality Rollup  | [2.108] | Oct 13, 2020 |
The following tables show the Microsoft Security Response Center (MSRC) updates
| Rel 21-03 | [4494174] | Microcode  | [6.29] | Sep 1, 2020 | [5000822]: https://support.microsoft.com/kb/5000822
-[4580325]: https://support.microsoft.com/kb/4580325
+ [5000800]: https://support.microsoft.com/kb/5000800 [5000803]: https://support.microsoft.com/kb/5000803 [4578952]: https://support.microsoft.com/kb/4578952
The following tables show the Microsoft Security Response Center (MSRC) updates
| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced | | | | | | | | Rel 21-02 | [4601345] | Latest Cumulative Update(LCU) | [6.28] | Feb 9, 2021 |
-| Rel 21-02 | [4580325] | Flash update | [3.94], [4.87], [5.52], [6.28] | Oct 13, 2020 |
+| Rel 21-02 | 4580325 | Flash update | [3.94], [4.87], [5.52], [6.28] | Oct 13, 2020 |
| Rel 21-02 | [4586768] | IE Cumulative Updates | [2.107], [3.94], [4.87] | Nov 10, 2020 | | Rel 21-02 | [4601318] | Latest Cumulative Update(LCU) | [5.52] | Feb 9, 2021 | | Rel 21-02 | [4578952] | .NET Framework 3.5 Security and Quality Rollup | [2.107] | Jan 12, 2021 |
The following tables show the Microsoft Security Response Center (MSRC) updates
| Rel 21-02 | [4494174] | Microcode | [6.28] | Sep 1, 2020 | [4601345]: https://support.microsoft.com/kb/4601345
-[4580325]: https://support.microsoft.com/kb/4580325
+ [4586768]: https://support.microsoft.com/kb/4586768 [4601318]: https://support.microsoft.com/kb/4601318 [4578952]: https://support.microsoft.com/kb/4578952
The following tables show the Microsoft Security Response Center (MSRC) updates
| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced | | | | | | | | Rel 21-01 | [4598230] | Latest Cumulative Update (LCU) | [6.27] | Jan 12, 2021 |
-| Rel 21-01 | [4580325] | Flash update | [3.93], [4.86], [5.51], [6.27] | Oct 13, 2020 |
+| Rel 21-01 | 4580325 | Flash update | [3.93], [4.86], [5.51], [6.27] | Oct 13, 2020 |
| Rel 21-01 | [4586768] | IE Cumulative Updates | [2.106], [3.93], [4.86] | Nov 10, 2020 | | Rel 21-01 | [4598243] | Latest Cumulative Update (LCU) | [5.51] | Jan 12, 2021 | | Rel 21-01 | [4578952] | .NET Framework 3.5 Security and Quality Rollup | [2.106] | Jan 12, 2021 |
The following tables show the Microsoft Security Response Center (MSRC) updates
| Rel 21-01 | [4494174] | Microcode | [6.27] | Sep 3, 2020 | [4598230]: https://support.microsoft.com/kb/4598230
-[4580325]: https://support.microsoft.com/kb/4580325
+ [4586768]: https://support.microsoft.com/kb/4586768 [4598243]: https://support.microsoft.com/kb/4598243 [4578952]: https://support.microsoft.com/kb/4578952
The following tables show the Microsoft Security Response Center (MSRC) updates
| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced | | | | | | | | Rel 20-12 | [4592440] | Latest Cumulative Update | [6.26] | Dec 8, 2020 |
-| Rel 20-12 | [4580325] | Flash update | [3.92], [4.85], [5.50], [6.26] | Oct 13, 2020 |
+| Rel 20-12 | 4580325 | Flash update | [3.92], [4.85], [5.50], [6.26] | Oct 13, 2020 |
| Rel 20-12 | [4586768] | IE Cumulative Updates | [2.105], [3.92], [4.85] | Nov 10, 2020 | | Rel 20-12 | [4593226] | Latest Cumulative Update | [5.50] | Dec 8, 2020 | | Rel 20-12 | [4052623] | Defender | [5.50], [6.26] | Dec 13, 2020 |
The following tables show the Microsoft Security Response Center (MSRC) updates
| Rel 20-12 | [4494174] | Microcode | [6.26] | Sep 3, 2020 | [4592440]: https://support.microsoft.com/kb/4592440
-[4580325]: https://support.microsoft.com/kb/4580325
+ [4586768]: https://support.microsoft.com/kb/4586768 [4593226]: https://support.microsoft.com/kb/4593226 [4052623]: https://support.microsoft.com/kb/4052623
The following tables show the Microsoft Security Response Center (MSRC) updates
| | | | | | | Rel 20-11 OOB | [4594442] | Latest Cumulative Update | [6.25] | Nov 17, 2020 | | Rel 20-11 OOB | [4594441] | Latest Cumulative Update | [5.49] | Nov 19, 2020 |
-| Rel 20-11 | [4580325] | Flash Update | [3.91], [4.84], [5.49], [6.25] | Oct 13, 2020 |
+| Rel 20-11 | 4580325 | Flash Update | [3.91], [4.84], [5.49], [6.25] | Oct 13, 2020 |
| Rel 20-11 | [4586768] | IE Cumulative Update | [2.104], [3.91], [4.84] | Nov 10, 2020 | | Rel 20-11 | [4578952] | .NET Framework 3.5 Security and Quality Rollup | [2.104] | Nov 10, 2020 | | Rel 20-11 | [4578955] | .NET Framework 4.5.2 Security and Quality Rollup | [2.104] | Nov 10, 2020 |
The following tables show the Microsoft Security Response Center (MSRC) updates
[4594442]: https://support.microsoft.com/kb/4594442 [4594441]: https://support.microsoft.com/kb/4594441
-[4580325]: https://support.microsoft.com/kb/4580325
+ [4586768]: https://support.microsoft.com/kb/4586768 [4578952]: https://support.microsoft.com/kb/4578952 [4578955]: https://support.microsoft.com/kb/4578955
The following tables show the Microsoft Security Response Center (MSRC) updates
| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced | | | | | | | | Rel 20-10 | [4577010] | IE Cumulative Update | [2.103], [3.90], [4.83] | Sep 8, 2020 |
-| Rel 20-10 | [4580325] | Flash Update | [3.90], [4.83], [5.48], [6.24] | Oct 13, 2020 |
+| Rel 20-10 | 4580325 | Flash Update | [3.90], [4.83], [5.48], [6.24] | Oct 13, 2020 |
| Rel 20-10 | [4577668] | Latest Cumulative Update | [6.24] | Oct 13, 2020 | | Rel 20-10 | [4580346] | Latest Cumulative Update | [5.48] | Oct 13, 2020 | | Rel 20-10 | [4580970] | Servicing Stack update | [2.103] | Oct 13, 2020 |
The following tables show the Microsoft Security Response Center (MSRC) updates
[4577010]: https://support.microsoft.com/kb/4577010
-[4580325]: https://support.microsoft.com/kb/4580325
+ [4577668]: https://support.microsoft.com/kb/4577668 [4580346]: https://support.microsoft.com/kb/4580346 [4580970]: https://support.microsoft.com/kb/4580970
cognitive-services Use Persondirectory https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Face/Face-API-How-to-Topics/use-persondirectory.md
First, you should define a data model like the following to handle the status re
public class AsyncStatus { [DataMember(Name = "status")]
- public string AsyncStatus { get; set; }
+ public string Status { get; set; }
[DataMember(Name = "createdTime")] public DateTime CreatedTime { get; set; }
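Review bot: the rename from `AsyncStatus` to `Status` is a compile fix, not a cosmetic one, and the change description should say so: C# rejects a member whose name matches its enclosing type (compiler error CS0542), so `public string AsyncStatus { get; set; }` inside `class AsyncStatus` never built. The `[DataMember(Name = "status")]` attribute still maps the JSON field, so no further change is needed in the snippet.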
The response will contain a Boolean value indicating whether the service conside
In this guide, you learned how to use the **PersonDirectory** structure to store face and person data for your Face app. Next, learn the best practices for adding your users' face data.
-* [Best practices for adding users](../enrollment-overview.md)
+* [Best practices for adding users](../enrollment-overview.md)
cognitive-services Luis Container Howto https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-container-howto.md
Previously updated : 03/02/2021 Last updated : 07/22/2021 keywords: on-premises, Docker, container
If you don't have an Azure subscription, create a [free account](https://azure.m
To run the LUIS container, note the following prerequisites:
-|Required|Purpose|
-|--|--|
-|Docker Engine| You need the Docker Engine installed on a [host computer](#the-host-computer). Docker provides packages that configure the Docker environment on [macOS](https://docs.docker.com/docker-for-mac/), [Windows](https://docs.docker.com/docker-for-windows/), and [Linux](https://docs.docker.com/engine/installation/#supported-platforms). For a primer on Docker and container basics, see the [Docker overview](https://docs.docker.com/engine/docker-overview/).<br><br> Docker must be configured to allow the containers to connect with and send billing data to Azure. <br><br> **On Windows**, Docker must also be configured to support Linux containers.<br><br>|
-|Familiarity with Docker | You should have a basic understanding of Docker concepts, like registries, repositories, containers, and container images, as well as knowledge of basic `docker` commands.|
-|Azure `Cognitive Services` resource and LUIS [packaged app](luis-how-to-start-new-app.md) file |In order to use the container, you must have:<br><br>* A _Cognitive Services_ Azure resource and the associated billing key the billing endpoint URI. Both values are available on the Overview and Keys pages for the resource and are required to start the container. <br>* A trained or published app packaged as a mounted input to the container with its associated App ID. You can get the packaged file from the LUIS portal or the Authoring APIs. If you are getting LUIS packaged app from the [authoring APIs](#authoring-apis-for-package-file), you will also need your _Authoring Key_.<br><br>These requirements are used to pass command-line arguments to the following variables:<br><br>**{AUTHORING_KEY}**: This key is used to get the packaged app from the LUIS service in the cloud and upload the query logs back to the cloud. The format is `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`.<br><br>**{APP_ID}**: This ID is used to select the App. The format is `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`.<br><br>**{API_KEY}**: This key is used to start the container. You can find the endpoint key in two places. The first is the Azure portal within the _Cognitive Services_ resource's keys list. The endpoint key is also available in the LUIS portal on the Keys and Endpoint settings page. Do not use the starter key.<br><br>**{ENDPOINT_URI}**: The endpoint as provided on the Overview page.<br><br>The [authoring key and endpoint key](luis-limits.md#key-limits) have different purposes. Do not use them interchangeably. |
+* [Docker](https://docs.docker.com/) installed on a host computer. Docker must be configured to allow the containers to connect with and send billing data to Azure.
+ * On Windows, Docker must also be configured to support Linux containers.
+ * You should have a basic understanding of [Docker concepts](https://docs.docker.com/get-started/overview/).
+* A <a href="https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesLUISAllInOne" title="Create a LUIS resource" target="_blank">LUIS resource </a> with the free (F0) or standard (S) [pricing tier](https://azure.microsoft.com/pricing/details/cognitive-services/language-understanding-intelligent-services/).
+* A trained or published app packaged as a mounted input to the container with its associated App ID. You can get the packaged file from the LUIS portal or the Authoring APIs. If you are getting LUIS packaged app from the [authoring APIs](#authoring-apis-for-package-file), you will also need your _Authoring Key_.
[!INCLUDE [Gathering required container parameters](../containers/includes/container-gathering-required-parameters.md)]
+### App ID `{APP_ID}`
+
+This ID is used to select the app. You can find the app ID in the [LUIS portal](https://www.luis.ai/) by clicking **Manage** at the top of the screen for your app, and then **Settings**.
++
+### Authoring key `{AUTHORING_KEY}`
+
+This key is used to get the packaged app from the LUIS service in the cloud and upload the query logs back to the cloud. You will need your authoring key if you [export your app using the REST API](#export-published-apps-package-from-api), described later in the article.
+
+You can get your authoring key from the [LUIS portal](https://www.luis.ai/) by clicking **Manage** at the top of the screen for your app, and then **Azure Resources**.
+++ ### Authoring APIs for package file Authoring APIs for packaged apps:
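Review bot: the deleted prerequisites table carried guidance that the new bullet list and the App ID / Authoring key subsections do not repeat: the descriptions of `{API_KEY}` and `{ENDPOINT_URI}`, the instruction "Do not use the starter key", and the warning that the authoring key and endpoint key have different purposes and must not be used interchangeably. Confirm that the `container-gathering-required-parameters.md` include covers all three, or carry the two warnings into the new subsections, since using the wrong key is the most common reason the container fails to start. Separately, the `<a ... target="_blank">LUIS resource </a>` anchor has a stray space before `</a>` that renders as an underlined trailing space; move it outside the tag.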
cognitive-services Releasenotes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/releasenotes.md
# Speech Service release notes
+## Speech SDK 1.18.0: 2021-July release
+
+**Note**: Get started with the Speech SDK [here](speech-sdk.md#get-the-speech-sdk).
+
+**Highlights summary**
+- Ubuntu 16.04 reached end of life in April of 2021. In conjunction with Azure DevOps and Github we will drop support for 16.04 in September 2021. Please migrate ubuntu-16.04 workflows to ubuntu-18.04 or newer before then.
+
+#### New features
+
+- **C++**: Simple Language Pattern matching with the Intent Recognizer now makes it easier to implement simple intent recognition scenarios. See documentation [here](https://docs.microsoft.com/azure/cognitive-services/speech-service/get-started-intent-recognition?pivots=programming-language-cpp).
+- **C++/C#/Java**: We added a new API, `GetActivationPhrasesAsync()` to the `VoiceProfileClient` class for receiving a list of valid activation phrases in speaker recognition enrollment phase for independent recognition scenarios.
+ - **Important**: The Speaker Recognition feature is in Preview. All voice profiles created in Preview will be discontinued 90 days after the Speaker Recognition feature is moved out of Preview into General Availability. At that point the Preview voice profiles will stop functioning.
+-**Python**: Added support for continuous Language Identification (LID) on the existing `SpeechRecognizer` and `TranslationRecognizer` objects. See documentation [here](https://docs.microsoft.com/azure/cognitive-services/speech-service/how-to-automatic-language-detection?pivots=programming-language-python).
+- **Python**: Added a new Python object named `SourceLanguageRecognizer` to do one-time or continuous LID (without recognition or translation). See documentation [here](https://docs.microsoft.com/python/api/azure-cognitiveservices-speech/azure.cognitiveservices.speech.sourcelanguagerecognizer?view=azure-python).
+-Support AAD authentication and User assigned Managed Identity
+- **JavaScript** `getActivationPhrasesAsync` API added to `VoiceProfileClient` class for receiving a list of valid activation phrases in speaker recognition enrollment phase for independent recognition scenarios.
+- **JavaScript** `VoiceProfileClient`'s `enrollProfileAsync` API is now async awaitable. See this independent identification code for example usage.
+
+#### Bug fixes
+
+- **Java**: Fixed synthesis error when the synthesis text contains surrogate characters. Details [here](https://github.com/Azure-Samples/cognitive-services-speech-sdk/issues/1118).
+- **JavaScript**: Browser microphone audio processing now uses `AudioWorkletNode` instead of deprecated `ScriptProcessorNode`. Details [here](https://github.com/microsoft/cognitive-services-speech-sdk-js/issues/391).
+- **JavaScript**: Correctly keep conversations alive during long running conversation translation scenarios. Details [here](https://github.com/microsoft/cognitive-services-speech-sdk-js/issues/389).
+- **JavaScript**: Fixed issue with recognizer reconnecting to a mediastream in continuous recognition. Details [here]- (https://github.com/microsoft/cognitive-services-speech-sdk-js/issues/385).
+- **JavaScript**: Fixed issue with recognizer reconnecting to a pushStream in continuous recognition. Details [here](https://github.com/microsoft/cognitive-services-speech-sdk-js/pull/399).
+- **JavaScript**: Corrected word level offset calculation in detailed recognition results. Details [here](https://github.com/microsoft/cognitive-services-speech-sdk-js/issues/394).
+
+#### Samples
+-Java quickstart samples updated [here](https://github.com/Azure-Samples/cognitive-services-speech-sdk/tree/master/samples/java).
+-JavaScript speaker recognition samples updated to show new usage of `enrollProfileAsync()`. See samples [here](https://github.com/Azure-Samples/cognitive-services-speech-sdk/tree/master/samples/js/node).
+ ## Text-to-speech 2021-June release **Speech Studio updates**
- **C++/C#/Java/Python/Objective-C/Go**: We now expose the latency and underrun time in `SpeechSynthesisResult` to help you monitor and diagnose speech synthesis latency issues. See details for [C++](/cpp/cognitive-services/speech/speechsynthesisresult), [C#](/dotnet/api/microsoft.cognitiveservices.speech.speechsynthesisresult), [Java](/java/api/com.microsoft.cognitiveservices.speech.speechsynthesisresult), [Python](/python/api/azure-cognitiveservices-speech/azure.cognitiveservices.speech.speechsynthesisresult), [Objective-C](/objectivec/cognitive-services/speech/spxspeechsynthesisresult) and [Go](https://pkg.go.dev/github.com/Microsoft/cognitive-services-speech-sdk-go#readme-reference). - **C++/C#/Jav#neural-voices) to change the default. - **C++/C#/Java/Python/Objective-C/Go**: We added a Gender property to the synthesis voice info to make it easier to select voices based on gender. This addresses [GitHub issue #1055](https://github.com/Azure-Samples/cognitive-services-speech-sdk/issues/1055).-- **C++, C#, Java, JavaScript**: We now support `retrieveEnrollmentResultAsync`, `getAuthorizationPhrasesAsync` and `getAllProfilesAsync()` in Speaker Recognition to ease user management of all voice profiles for a given account. See documentation for [C++](/cpp/cognitive-services/speech/voiceprofileclient), [C#](/dotnet/api/microsoft.cognitiveservices.speech.voiceprofileclient), [Java](/java/api/com.microsoft.cognitiveservices.speech.voiceprofileclient), [JavaScript](/javascript/api/microsoft-cognitiveservices-speech-sdk/voiceprofileclient). This addresses [GitHub issue #338](https://github.com/microsoft/cognitive-services-speech-sdk-js/issues/338).
+- **C++, C#, Java, JavaScript**: We now support `retrieveEnrollmentResultAsync`, `getAuthorizationPhrasesAsync` and `getAllProfilesAsync()` in Speaker Recognition to ease user management of all voice profiles for a given account. See documentation for [C++](/cpp/cognitive-services/speech/speaker-voiceprofileclient), [C#](/dotnet/api/microsoft.cognitiveservices.speech.speaker.voiceprofileclient), [Java](/java/api/com.microsoft.cognitiveservices.speech.voiceprofileclient), [JavaScript](/javascript/api/microsoft-cognitiveservices-speech-sdk/voiceprofileclient). This addresses [GitHub issue #338](https://github.com/microsoft/cognitive-services-speech-sdk-js/issues/338).
- **JavaScript**: We added retry for connection failures that will make your JavaScript based speech applications more robust. #### Improvements
The [bookmark element](speech-synthesis-markup.md#bookmark-element) allows you t
- **C++/C#/Jav#bookmark-element). - **Java**: Added support for speaker recognition APIs. Details [here](/java/api/com.microsoft.cognitiveservices.speech.speakerrecognizer). - **C++/C#/Java/JavaScript/Objective-C/Python**: Added two new output audio formats with WebM container for TTS (Webm16Khz16BitMonoOpus and Webm24Khz16BitMonoOpus). These are better formats for streaming audio with the Opus codec. Details for [C++](/cpp/cognitive-services/speech/microsoft-cognitiveservices-speech-namespace#speechsynthesisoutputformat), [C#](/dotnet/api/microsoft.cognitiveservices.speech.speechsynthesisoutputformat), [Java](/java/api/com.microsoft.cognitiveservices.speech.speechsynthesisoutputformat), [JavaScript](/javascript/api/microsoft-cognitiveservices-speech-sdk/speechsynthesisoutputformat), [Objective-C](/objectivec/cognitive-services/speech/spxspeechsynthesisoutputformat), [Python](/python/api/azure-cognitiveservices-speech/azure.cognitiveservices.speech.speechsynthesisoutputformat).-- **C++/C#/Java**: Added support for retrieving voice profile for speaker recognition scenario. Details for [C++](/cpp/cognitive-services/speech/speakerrecognizer), [C#](/dotnet/api/microsoft.cognitiveservices.speech.speakerrecognizer), and [Java](/java/api/com.microsoft.cognitiveservices.speech.speakerrecognizer).
+- **C++/C#/Java**: Added support for retrieving voice profile for speaker recognition scenario. Details for [C++](/cpp/cognitive-services/speech/speaker-speakerrecognizer), [C#](/en-us/dotnet/api/microsoft.cognitiveservices.speech.speaker.speakerrecognizer), and [Java](/java/api/com.microsoft.cognitiveservices.speech.speakerrecognizer).
- **C++/C#/Java/Objective-C/Python**: Added support for separate shared library for audio microphone and speaker control. This allows to use the SDK in environments that do not have required audio library dependencies. - **Objective-C/Swift**: Added support for module framework with umbrella header. This allows to import Speech SDK as a module in iOS/Mac Objective-C/Swift apps. This addresses [GitHub issue #452](https://github.com/Azure-Samples/cognitive-services-speech-sdk/issues/452). - **Python**: Added support for [Python 3.9](./quickstarts/setup-platform.md?pivots=programming-language-python) and dropped support for Python 3.5 per Python's [end-of-life for 3.5](https://devguide.python.org/devcycle/#end-of-life-branches).
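Review bot: several list items in the 1.18.0 section are missing the space after the list marker ("-**Python**: Added support for continuous Language Identification", "-Support AAD authentication and User assigned Managed Identity", "-Java quickstart samples updated", "-JavaScript speaker recognition samples updated"), so Markdown renders them as run-on paragraph text rather than bullets. The mediastream bug-fix entry has a broken link, "Details [here]- (https://github.com/microsoft/cognitive-services-speech-sdk-js/issues/385)": remove the "- " between the bracket and the URL. The AAD / managed identity bullet names no language or API, unlike every other entry, and "See this independent identification code for example usage" has no link. In the June section, the C# link for the speaker recognizer uses a locale-prefixed path "/en-us/dotnet/api/..." while the neighbouring links are locale-neutral; drop the "/en-us".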
cognitive-services Speech Container Howto https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/speech-container-howto.md
Containers enable you to run some of the Speech service APIs in your own environ
Speech containers enable customers to build a speech application architecture that is optimized for both robust cloud capabilities and edge locality. There are several containers available, which use the same [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) as the cloud-based Azure Speech Services. -
-> [!IMPORTANT]
-> To use the speech containers you must submit an online request, and have it approved. See the **Request approval to the run the container** section below for more information.
- | Container | Features | Latest | Release status | |--|--|--|--| | Speech-to-text | Analyzes sentiment and transcribes continuous real-time speech or batch audio recordings with intermediate results. | 2.12.0 | Generally Available |
If you don't have an Azure subscription, create a [free account](https://azure.m
## Prerequisites
+> [!IMPORTANT]
+> To use the speech containers you must submit an online request, and have it approved. See the **Request approval to the run the container** section below for more information.
+ You must meet the following prerequisites before using Speech service containers. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/cognitive-services/) before you begin. * [Docker](https://docs.docker.com/) installed on a host computer. Docker must be configured to allow the containers to connect with and send billing data to Azure.
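Review bot: the IMPORTANT block moved under Prerequisites still contains the typo "Request approval to the run the container" (should be "to run the container"); since the text is being relocated anyway, fix it here and confirm that the bold reference matches the actual title of the approval section it points to.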
cognitive-services Deploy Label Tool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/deploy-label-tool.md
Follow these steps to create a new resource using the Azure portal:
6. Now let's configure your Docker container. All fields are required unless otherwise noted: <!-- markdownlint-disable MD025 -->
-# [v2.1](#tab/v2-1)
* Options - Select **Single Container** * Image Source - Select **Private Registry**
After you have created your web app, you can enable the continuous deployment op
:::image type="content" source="media/label-tool/continuous-deployment.png" alt-text="Screenshot: enlargement of container settings for continuous deployment." lightbox="media/label-tool/continuous-deployment-bigger.png":::
-# [v2.0](#tab/v2-0)
-
-* Options - Select **Single Container**
-* Image Source - Select **Private Registry**
-* Server URL - Set to `https://mcr.microsoft.com`
-* Username (Optional) - Create a username.
-* Password (Optional) - Create a secure password that you'll remember.
-* Image and tag - Set to `mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest`
-* Startup command - Set to `./run.sh eula=accept`
-
-
- > [!NOTE] > When creating your web app, you can also configure authorization/authentication. This is not necessary to get started.
There's a few things you need know about this command:
From the Azure CLI, run this command to create a web app resource for the sample labeling tool: <!-- markdownlint-disable MD024 -->
-# [v2.1](#tab/v2-1)
```azurecli DNS_NAME_LABEL=aci-demo-$RANDOM
az container create \
```
-# [v2.0](#tab/v2-0)
-
-```azurecli
-DNS_NAME_LABEL=aci-demo-$RANDOM
-
-az container create \
- --resource-group <resource_group_name> \
- --name <name> \
- --image mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest \
- --ports 3000 \
- --dns-name-label $DNS_NAME_LABEL \
- --location <region name> \
- --cpu 2 \
- --memory 8 \
- --command-line "./run.sh eula=accept"
-```
---- ### Connect to Azure AD for authorization It's recommended that you connect your web app to Azure Active Directory (Azure AD). This connection ensures that only users with valid credentials can sign in and use your web app. Follow the instructions in [Configure your App Service app](../../app-service/configure-authentication-provider-aad.md) to connect to Azure Active Directory.
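Review bot: with the `# [v2.1](#tab/v2-1)` and `# [v2.0](#tab/v2-0)` tab headers and the closing `---` tab terminator removed, the `<!-- markdownlint-disable MD025 -->` and `<!-- markdownlint-disable MD024 -->` comments that existed only to silence the duplicate-heading warnings for the tab pairs are now dead code; remove them in the same change so they do not mask future heading problems.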
communication-services Teams Interop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/teams-interop.md
> > Preview APIs and SDKs are provided without a service-level agreement, and are not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-Azure Communication Services can be used to build custom applications that interact with Microsoft Teams. End users of your Communication Services application can interact with Teams participants over voice, video, chat, and screen sharing.
+Azure Communication Services can be used to build custom applications that interact with Microsoft Teams. End users of your Communication Services application can interact with Teams participants over voice, video, chat, and screen sharing. The following video demonstrates this capability:
++
+<br>
+<br>
++
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWGTqQ]
+ Azure Communication Services supports two types of Teams interoperability depending on the identity of the end user:
container-registry Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/resource-graph-samples.md
+
+ Title: Azure Resource Graph sample queries for Azure Container Registry
+description: Sample Azure Resource Graph queries for Azure Container Registry showing use of resource types and tables to access Azure Container Registry related resources and properties.
Last updated : 07/21/2021++++++
+# Azure Resource Graph sample queries for Azure Container Registry
+
+This page is a collection of [Azure Resource Graph](../governance/resource-graph/overview.md) sample
+queries for Azure Container Registry. For a complete list of Azure Resource Graph samples, see
+[Resource Graph samples by Category](../governance/resource-graph/samples/samples-by-category.md)
+and [Resource Graph samples by Table](../governance/resource-graph/samples/samples-by-table.md).
+
+## Sample queries
++
+## Next steps
+
+- Learn more about the [query language](../governance/resource-graph/concepts/query-language.md).
+- Learn more about how to [explore resources](../governance/resource-graph/concepts/explore-resources.md).
+- See samples of [Starter language queries](../governance/resource-graph/samples/starter.md).
+- See samples of [Advanced language queries](../governance/resource-graph/samples/advanced.md).
cosmos-db Best Practice Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/best-practice-dotnet.md
Watch the video below to learn more about using the .NET SDK from a Cosmos DB en
| <input type="checkbox" unchecked /> | SDK Version | Always using the [latest version](sql-api-sdk-dotnet-standard.md) of the Cosmos DB SDK available for optimal performance. | | <input type="checkbox" unchecked /> | Singleton Client | Use a [single instance](/dotnet/api/microsoft.azure.cosmos.cosmosclient?view=azure-dotnet&preserve-view=true) of `CosmosClient` for the lifetime of your application for [better performance](performance-tips-dotnet-sdk-v3-sql.md#sdk-usage). | | <input type="checkbox" unchecked /> | Regions | Make sure to run your application in the same [Azure region](distribute-data-globally.md) as your Azure Cosmos DB account, whenever possible to reduce latency. Enable 2-4 regions and replicate your accounts in multiple regions for [best availability](distribute-data-globally.md). For production workloads, enable [automatic failover](how-to-manage-database-account.md#configure-multiple-write-regions). In the absence of this configuration, the account will experience loss of write availability for all the duration of the write region outage, as manual failover will not succeed due to lack of region connectivity. To learn how to add multiple regions using the .NET SDK visit [here](tutorial-global-distribution-sql-api.md) |
-| <input type="checkbox" unchecked /> | Availability and Failovers | Set the [ApplicationPreferredRegions](/dotnet/api/microsoft.azure.cosmos.cosmosclientoptions.applicationpreferredregions?view=azure-dotnet&preserve-view=true) or [ApplicationRegion](/dotnet/api/microsoft.azure.cosmos.cosmosclientoptions.applicationregion?view=azure-dotnet) in the v3 SDK, and the [PreferredLocations](/dotnet/api/microsoft.azure.documents.client.connectionpolicy.preferredlocations?view=azure-dotnet&preserve-view=true) in the v2 SDK using the [preferred regions list](./tutorial-global-distribution-sql-api.md?tabs=dotnetv3%2capi-async#preferred-locations). During failovers, write operations are sent to the current write region and all reads are sent to the first region within your preferred regions list. For more information about regional failover mechanics see the [availability troubleshooting guide](troubleshoot-sdk-availability.md). |
+| <input type="checkbox" unchecked /> | Availability and Failovers | Set the [ApplicationPreferredRegions](/dotnet/api/microsoft.azure.cosmos.cosmosclientoptions.applicationpreferredregions?view=azure-dotnet&preserve-view=true) or [ApplicationRegion](/dotnet/api/microsoft.azure.cosmos.cosmosclientoptions.applicationregion?view=azure-dotnet&preserve-view=true) in the v3 SDK, and the [PreferredLocations](/dotnet/api/microsoft.azure.documents.client.connectionpolicy.preferredlocations?view=azure-dotnet&preserve-view=true) in the v2 SDK using the [preferred regions list](./tutorial-global-distribution-sql-api.md?tabs=dotnetv3%2capi-async#preferred-locations). During failovers, write operations are sent to the current write region and all reads are sent to the first region within your preferred regions list. For more information about regional failover mechanics see the [availability troubleshooting guide](troubleshoot-sdk-availability.md). |
| <input type="checkbox" unchecked /> | CPU | You may run into connectivity/availability issues due to lack of resources on your client machine. Monitor your CPU utilization on nodes running the Azure Cosmos DB client, and scale up/out if usage is very high. | | <input type="checkbox" unchecked /> | Hosting | Use [Windows 64-bit host](performance-tips.md#hosting) processing for best performance, whenever possible. | | <input type="checkbox" unchecked /> | Connectivity Modes | Use [Direct mode](sql-sdk-connection-modes.md) for the best performance. For instructions on how to do this, see the [V3 SDK documentation](performance-tips-dotnet-sdk-v3-sql.md#networking) or the [V2 SDK documentation](performance-tips.md#networking).|
cosmos-db Cassandra Secondary Index https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/cassandra-secondary-index.md
The Cassandra API in Azure Cosmos DB leverages the underlying indexing infrastru
In general, it's not advised to execute filter queries on the columns that aren't partitioned. You must use ALLOW FILTERING syntax explicitly, which results in an operation that may not perform well. In Azure Cosmos DB you can run such queries on low cardinality attributes because they fan out across partitions to retrieve the results.
-It's not advised to create an index on a frequently updated column. It is prudent to create an index when you define the table. This ensures that data and indexes are in a consistent state. In case you create a new index on the existing data, currently, you can't track the index progress change for the table. If you need to track the progress for this operation, you have to request the progress change via a [support ticket]( https://docs.microsoft.com/azure/azure-portal/supportability/how-to-create-azure-support-request).
+It's not advised to create an index on a frequently updated column. It is prudent to create an index when you define the table. This ensures that data and indexes are in a consistent state. In case you create a new index on the existing data, currently, you can't track the index progress change for the table. If you need to track the progress for this operation, you have to request the progress change via a [support ticket](../azure-portal/supportability/how-to-create-azure-support-request.md).
> [!NOTE]
cosmos-db Cosmosdb Monitor Resource Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/cosmosdb-monitor-resource-logs.md
Platform metrics and the Activity logs are collected automatically, whereas you
|CassandraRequests | Cassandra | Logs user-initiated requests from the front end to serve requests to Azure Cosmos DB's API for Cassandra. When you enable this category, make sure to disable DataPlaneRequests. | `operationName`, `requestCharge`, `piiCommandText` | |GremlinRequests | Gremlin | Logs user-initiated requests from the front end to serve requests to Azure Cosmos DB's API for Gremlin. When you enable this category, make sure to disable DataPlaneRequests. | `operationName`, `requestCharge`, `piiCommandText`, `retriedDueToRateLimiting` | |QueryRuntimeStatistics | SQL | This table details query operations executed against a SQL API account. By default, the query text and its parameters are obfuscated to avoid logging personal data with full text query logging available by request. | `databasename`, `partitionkeyrangeid`, `querytext` |
- |PartitionKeyStatistics | All APIs | Logs the statistics of logical partition keys by representing the storage size (KB) of the partition keys. This table is useful when troubleshooting storage skews. This PartitionKeyStatistics log is only emitted if the following condition are true: <br/><ul><li> At least 1% of the documents have same logical partition key. </li><li> There are at least 100 such keys partition keys. </li><li> Out of all the keys, the top 3 keys with largest storage size are captured by the PartitionKeyStatistics log. </li></ul> If the previous conditions are not met, the partition key statistics data is not available. It's okay if the above conditions are not met for your account. | `subscriptionId`, `regionName`, `partitionKey`, `sizeKB` |
+ |PartitionKeyStatistics | All APIs | Logs the statistics of logical partition keys by representing the storage size (KB) of the partition keys. This table is useful when troubleshooting storage skews. This PartitionKeyStatistics log is only emitted if the following conditions are true: <br/><ul><li> At least 1% of the documents have same logical partition key. </li><li> Out of all the keys, the top 3 keys with largest storage size are captured by the PartitionKeyStatistics log. </li></ul> If the previous conditions are not met, the partition key statistics data is not available. It's okay if the above conditions are not met for your account, which typically indicates you have no logical partition storage skew. | `subscriptionId`, `regionName`, `partitionKey`, `sizeKB` |
|PartitionKeyRUConsumption | SQL API | Logs the aggregated per-second RU/s consumption of partition keys. This table is useful for troubleshooting hot partitions. Currently, Azure Cosmos DB reports partition keys for SQL API accounts only and for point read/write and stored procedure operations. | `subscriptionId`, `regionName`, `partitionKey`, `requestCharge`, `partitionKeyRangeId` | |ControlPlaneRequests | All APIs | Logs details on control plane operations i.e. creating an account, adding or removing a region, updating account replication settings etc. | `operationName`, `httpstatusCode`, `httpMethod`, `region` | |TableApiRequests | Table API | Logs user-initiated requests from the front end to serve requests to Azure Cosmos DB's API for Table. When you enable this category, make sure to disable DataPlaneRequests. | `operationName`, `requestCharge`, `piiCommandText` |
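Review bot: the second bullet in the rewritten PartitionKeyStatistics row ("Out of all the keys, the top 3 keys with largest storage size are captured") describes what the log contains, not a condition under which it is emitted, so after dropping the "at least 100 such partition keys" bullet the sentence "only emitted if the following conditions are true" now has a single real condition. Suggest moving the top-3 sentence out of the list (for example "When emitted, the log captures the three keys with the largest storage size") and confirming that removing the 100-key threshold reflects current service behavior rather than an editorial simplification, since operators use this row to decide whether the absence of the log means "no skew" or "below threshold".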
cosmos-db How To Configure Integrated Cache https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/how-to-configure-integrated-cache.md
This article describes how to provision a dedicated gateway, configure the integ
> [!NOTE] > If you are using the latest .NET or Java SDK version, the default connection mode is direct mode. In order to use the integrated cache, you must override this default.
-If you're using the Java SDK, you must also manually set [contentResponseOnWriteEnabled](/java/api/com.azure.cosmos.cosmosclientbuilder.contentresponseonwriteenabled?view=azure-java-stable) to `true` within the `CosmosClientBuilder`. If you're using any other SDK, this value already defaults to `true`, so you don't need to make any changes.
+If you're using the Java SDK, you must also manually set [contentResponseOnWriteEnabled](/java/api/com.azure.cosmos.cosmosclientbuilder.contentresponseonwriteenabled?view=azure-java-stable&preserve-view=true) to `true` within the `CosmosClientBuilder`. If you're using any other SDK, this value already defaults to `true`, so you don't need to make any changes.
## Adjust request consistency
cosmos-db Performance Tips Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/performance-tips-java.md
So if you're asking "How can I improve my database performance?" consider the fo
<a id="max-connection"></a> 3. **Increase MaxPoolSize per host when using Gateway mode**
- Azure Cosmos DB requests are made over HTTPS/REST when using Gateway mode, and are subjected to the default connection limit per hostname or IP address. You may need to set the MaxPoolSize to a higher value (200-1000) so that the client library can utilize multiple simultaneous connections to Azure Cosmos DB. In the Azure Cosmos DB Sync Java SDK v2, the default value for [ConnectionPolicy.getMaxPoolSize](/java/api/com.microsoft.azure.documentdb.connectionpolicy.getmaxpoolsize) is 100. Use [setMaxPoolSize]( https://docs.microsoft.com/java/api/com.microsoft.azure.documentdb.connectionpolicy.setmaxpoolsize) to change the value.
+ Azure Cosmos DB requests are made over HTTPS/REST when using Gateway mode, and are subjected to the default connection limit per hostname or IP address. You may need to set the MaxPoolSize to a higher value (200-1000) so that the client library can utilize multiple simultaneous connections to Azure Cosmos DB. In the Azure Cosmos DB Sync Java SDK v2, the default value for [ConnectionPolicy.getMaxPoolSize](/java/api/com.microsoft.azure.documentdb.connectionpolicy.getmaxpoolsize) is 100. Use [setMaxPoolSize](/java/api/com.microsoft.azure.documentdb.connectionpolicy.setmaxpoolsize) to change the value.
4. **Tuning parallel queries for partitioned collections**
cosmos-db Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/resource-graph-samples.md
+
+ Title: Azure Resource Graph sample queries for Azure Cosmos DB
+description: Sample Azure Resource Graph queries for Azure Cosmos DB showing use of resource types and tables to access Azure Cosmos DB related resources and properties.
Last updated : 07/21/2021++++++
+# Azure Resource Graph sample queries for Azure Cosmos DB
+
+This page is a collection of [Azure Resource Graph](../governance/resource-graph/overview.md) sample
+queries for Azure Cosmos DB. For a complete list of Azure Resource Graph samples, see
+[Resource Graph samples by Category](../governance/resource-graph/samples/samples-by-category.md)
+and [Resource Graph samples by Table](../governance/resource-graph/samples/samples-by-table.md).
+
+## Sample queries
++
+## Next steps
+
+- Learn more about the [query language](../governance/resource-graph/concepts/query-language.md).
+- Learn more about how to [explore resources](../governance/resource-graph/concepts/explore-resources.md).
+- See samples of [Starter language queries](../governance/resource-graph/samples/starter.md).
+- See samples of [Advanced language queries](../governance/resource-graph/samples/advanced.md).
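Review bot: the "## Sample queries" section in this new page has no content between the heading and "## Next steps" in the visible lines; if the queries are pulled in by an include, make sure the include resolves in the build, otherwise the page ships with an empty section that its own title promises to fill. The visible frontmatter also carries only a "Last updated" field, so check that the title and description lines above it render as frontmatter rather than body text.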
data-factory Connector Troubleshoot Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-troubleshoot-guide.md
Azure Cosmos DB calculates RUs, see [Request units in Azure Cosmos DB](../cosmos
- **Message**: `User does not have permission to perform this action.` -- **Recommendation**: Make sure the user configured in the Azure Synapse Analytics connector must have 'CONTROL' permission on the target database while using PolyBase to load data. For more detailed information, refer to this [document](https://docs.microsoft.com/azure/data-factory/connector-azure-sql-data-warehouse#required-database-permission).
+- **Recommendation**: Make sure the user configured in the Azure Synapse Analytics connector must have 'CONTROL' permission on the target database while using PolyBase to load data. For more detailed information, refer to this [document](./connector-azure-sql-data-warehouse.md#required-database-permission).
## Azure Table Storage
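Review bot: the relinked recommendation line still has the grammar problem from the original ("Make sure the user configured ... must have 'CONTROL' permission"); suggest "Make sure the user configured in the Azure Synapse Analytics connector has CONTROL permission on the target database when using PolyBase to load data." Since the line scopes the requirement to the PolyBase path, it is worth saying explicitly that this permission is not needed for the other load methods, so readers do not grant CONTROL to identities that never use PolyBase.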
For more troubleshooting help, try these resources:
* [Azure videos](https://azure.microsoft.com/resources/videos/index/?sort=newest&services=data-factory) * [Microsoft Q&A page](/answers/topics/azure-data-factory.html) * [Stack Overflow forum for Data Factory](https://stackoverflow.com/questions/tagged/azure-data-factory)
-* [Twitter information about Data Factory](https://twitter.com/hashtag/DataFactory)
+* [Twitter information about Data Factory](https://twitter.com/hashtag/DataFactory)
data-factory How To Clean Up Ssisdb Logs With Elastic Jobs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/how-to-clean-up-ssisdb-logs-with-elastic-jobs.md
Once you provision an Azure-SQL Server Integration Services (SSIS) integration r
In the Project Deployment Model, your Azure-SSIS IR will deploy SSIS projects into SSISDB, fetch SSIS packages to run from SSISDB, and write package execution logs back into SSISDB. To manage the accumulated logs, we've provided relevant SSISDB properties and stored procedure that can be invoked automatically via ADF, Azure SQL Managed Instance Agent, or Elastic Database Jobs. ## SSISDB log clean-up properties and stored procedure
-To configure SSISDB log clean-up properties, you can connect to SSISDB hosted by your Azure SQL Database server/Managed Instance using SQL Server Management Studio (SSMS), see [Connecting to SSISDB](https://docs.microsoft.com/sql/integration-services/lift-shift/ssis-azure-deploy-run-monitor-tutorial?view=sql-server-ver15#connect-to-the-ssisdb-database). Once connected, on the **Object Explorer** window of SSMS, you can expand the **Integration Services Catalogs** node, right-click on the **SSISDB** subnode, and select the **Properties** menu item to open **Catalog Properties** dialog box. On the **Catalog Properties** dialog box, you can find the following SSISDB log clean-up properties:
+To configure SSISDB log clean-up properties, you can connect to SSISDB hosted by your Azure SQL Database server/Managed Instance using SQL Server Management Studio (SSMS), see [Connecting to SSISDB](/sql/integration-services/lift-shift/ssis-azure-deploy-run-monitor-tutorial?view=sql-server-ver15&preserve-view=true#connect-to-the-ssisdb-database). Once connected, on the **Object Explorer** window of SSMS, you can expand the **Integration Services Catalogs** node, right-click on the **SSISDB** subnode, and select the **Properties** menu item to open **Catalog Properties** dialog box. On the **Catalog Properties** dialog box, you can find the following SSISDB log clean-up properties:
- **Clean Logs Periodically**: Enables automatic clean-up of package execution logs, by default set to *True*. - **Retention Period (days)**: Specifies the maximum age of retained logs (in days), by default set to *365* and older logs are deleted by automatic clean-up.
data-factory Self Hosted Integration Runtime Auto Update https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/self-hosted-integration-runtime-auto-update.md
You can check the last update datetime in your self-hosted integration runtime c
:::image type="content" source="media/create-self-hosted-integration-runtime/shir-auto-update-2.png" alt-text="Screenshot of checking the update time":::
-You can use this [PowerShell command](https://docs.microsoft.com/powershell/module/az.datafactory/get-azdatafactoryv2integrationruntime?view=azps-6.1.0#example-5--get-self-hosted-integration-runtime-with-detail-status) to get the auto-update version.
+You can use this [PowerShell command](/powershell/module/az.datafactory/get-azdatafactoryv2integrationruntime?view=azps-6.1.0&preserve-view=true#example-5--get-self-hosted-integration-runtime-with-detail-status) to get the auto-update version.
> [!NOTE] > If you have multiple self-hosted integration runtime nodes, there is no downtime during auto-update. The auto-update happens in one node first while others are working on tasks. When the first node finishes the update, it will take over the remain tasks when other nodes are updating. If you only have one self-hosted integration runtime, then it has some downtime during the auto-update.
databox Data Box Deploy Ordered https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-deploy-ordered.md
Previously updated : 06/10/2021 Last updated : 07/22/2021 #Customer intent: As an IT admin, I need to be able to order Data Box to upload on-premises data from my server onto Azure.
This tutorial describes how you can order an Azure Data Box. In this tutorial, y
> * Track the order > * Cancel the order
+> [!NOTE]
+> To get answers to frequently asked questions about Data Box orders and shipments, see [Data Box FAQ](data-box-faq.yml).
+ ## Prerequisites # [Portal](#tab/portal)
databox Data Box Portal Customer Managed Shipping https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-portal-customer-managed-shipping.md
Previously updated : 06/22/2021 Last updated : 07/22/2021
This article describes self-managed shipping tasks to order, pick up, and drop-off of an Azure Data Box device. You can manage the Data Box device using the Azure portal.
+> [!NOTE]
+> To get answers to frequently asked questions about Data Box orders and shipments, see [Data Box FAQ](data-box-faq.yml).
+ ## Prerequisites Self-managed shipping is available as an option when you [Order Azure Data Box](data-box-deploy-ordered.md). Self-managed shipping is only available in the following regions:
event-hubs Event Hubs Get Connection String https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/event-hubs-get-connection-string.md
Title: Get connection string - Azure Event Hubs | Microsoft Docs description: This article provides instructions for getting a connection string that clients can use to connect to Azure Event Hubs. Previously updated : 06/23/2020 - Last updated : 07/23/2021 # Get an Event Hubs connection string
This article walks you through various ways of obtaining the connection string.
3. Select **Event Hubs** in the **Analytics** section. 4. In the list of event hubs, select your event hub. 6. On the **Event Hubs Namespace** page, select **Shared Access Policies** on the left menu.-
- ![Shared Access Policies menu item](./media/event-hubs-get-connection-string/event-hubs-get-connection-string1.png)
7. Select a **shared access policy** in the list of policies. The default one is named: **RootManageSharedAccessPolicy**. You can add a policy with appropriate permissions (read, write), and use that policy.
- ![Event Hubs shared access policies](./media/event-hubs-get-connection-string/event-hubs-get-connection-string2.png)
+ :::image type="content" source="./media/event-hubs-get-connection-string/event-hubs-get-connection-string2.png" alt-text="Event Hubs shared access policies":::
8. Select the **copy** button next to the **Connection string-primary key** field.
- ![Event Hubs - get connection string](./media/event-hubs-get-connection-string/event-hubs-get-connection-string3.png)
+ :::image type="content" source="./media/event-hubs-get-connection-string/event-hubs-get-connection-string3.png" alt-text="Event Hubs - get connection string":::
## Getting the connection string with Azure PowerShell
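Review bot: the first screenshot (event-hubs-get-connection-string1.png, illustrating step 6 "select Shared Access Policies") is removed and not replaced, while the screenshots for steps 7 and 8 are converted to :::image::: syntax with alt text. If the removal is intentional, fine; otherwise convert it the same way as the other two. The context line for the numbered steps also jumps from 4 to 6, which suggests a step was dropped or misnumbered in the surrounding text.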
This article walks you through various ways of obtaining the connection string.
You can use the [Get-AzEventHubKey](/powershell/module/az.eventhub/get-azeventhubkey) to get the connection string for the specific policy/rule name as shown below: ```azurepowershell-interactive
-Get-AzEventHubKey -ResourceGroupName dummyresourcegroup -NamespaceName dummynamespace -AuthorizationRuleName RootManageSharedAccessKey
+Get-AzEventHubKey -ResourceGroupName MYRESOURCEGROUP -NamespaceName MYEHUBNAMESPACE -AuthorizationRuleName RootManageSharedAccessKey
``` ## Getting the connection string with Azure CLI You can use the following to get the connection string for the namespace: ```azurecli-interactive
-az eventhubs namespace authorization-rule keys list --resource-group dummyresourcegroup --namespace-name dummynamespace --name RootManageSharedAccessKey
+az eventhubs namespace authorization-rule keys list --resource-group MYRESOURCEGROUP --namespace-name MYEHUBNAMESPACE --name RootManageSharedAccessKey
``` Or you can use the following to get the connection string for an EventHub entity: ```azurecli-interactive
-az eventhubs eventhub authorization-rule keys list --resource-group dummyresourcegroup --namespace-name dummynamespace --eventhub-name dummyeventhub --name RootManageSharedAccessKey
+az eventhubs eventhub authorization-rule keys list --resource-group MYRESOURCEGROUP --namespace-name MYEHUBNAMESPACE --eventhub-name MYEHUB --name RootManageSharedAccessKey
``` For more information about Azure CLI commands for Event Hubs, see [Azure CLI for Event Hubs](/cli/azure/eventhubs).
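Review bot: all three samples (PowerShell and both CLI commands) retrieve keys for RootManageSharedAccessKey, the namespace-level policy that carries Manage rights, even though step 7 in the portal section says you can add a policy with only the permissions you need (read, write) and use that instead. Since the point of this hunk is to replace dummy names with placeholders, suggest parameterizing the policy name the same way (for example a placeholder such as MYPOLICYNAME) and adding a sentence that the root policy's connection string should stay with administrators, with clients given a policy scoped to the entity and rights they actually use.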
firewall Forced Tunneling https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall/forced-tunneling.md
have a default route not going directly to the Internet are disabled.
## Forced tunneling configuration
-To support forced tunneling, Service Management traffic is separated from customer traffic. An additional dedicated subnet named *AzureFirewallManagementSubnet* (minimum subnet size /26) is required with its own associated public IP address. The only route allowed on this subnet is a default route to the Internet, and BGP route propagation must be disabled.
+To support forced tunneling, Service Management traffic is separated from customer traffic. An additional dedicated subnet named *AzureFirewallManagementSubnet* (minimum subnet size /26) is required with its own associated public IP address. The only route allowed on this subnet is a default route to the Internet, and **Propagate gateway routes** must be disabled.
-If you have a default route advertised via BGP to force traffic to on-premises, you must create the *AzureFirewallSubnet* and *AzureFirewallManagementSubnet* before deploying your firewall and have a UDR with a default route to the Internet, and **Propagate gateway routes** disabled.
+If you have a default route advertised via BGP to force traffic to on-premises, you must create the *AzureFirewallSubnet* and *AzureFirewallManagementSubnet* before deploying your firewall. *AzureFirewallManagementSubnet* must have a UDR with a default route to the Internet, and **Propagate gateway routes** disabled.
Within this configuration, the *AzureFirewallSubnet* can now include routes to any on-premises firewall or NVA to process traffic before it's passed to the Internet. You can also publish these routes via BGP to *AzureFirewallSubnet* if **Propagate gateway routes** is enabled on this subnet.
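Review bot: the split into two sentences correctly scopes the UDR requirement to *AzureFirewallManagementSubnet* and the switch from "BGP route propagation" to the portal label **Propagate gateway routes** matches the wording used in the following paragraph. One remaining ambiguity: "a default route to the Internet" should spell out the route as 0.0.0.0/0 with next hop type **Internet**, since a default route whose next hop is a virtual appliance would also read as "a default route" but would break management traffic for this subnet.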
firewall Protect Windows Virtual Desktop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall/protect-windows-virtual-desktop.md
Title: Use Azure Firewall to protect Windows Virtual Desktop
+ Title: Use Azure Firewall to protect Azure Virtual Desktop
description: Learn how to use Azure Firewall to protect Windows Virtual Desktop deployments
Last updated 05/06/2020
-# Use Azure Firewall to protect Window Virtual Desktop deployments
+# Use Azure Firewall to protect Azure Virtual Desktop deployments
Windows Virtual Desktop is a desktop and app virtualization service that runs on Azure. When an end user connects to a Windows Virtual Desktop environment, their session is run by a host pool. A host pool is a collection of Azure virtual machines that register to Windows Virtual Desktop as session hosts. These virtual machines run in your virtual network and are subject to the virtual network security controls. They need outbound Internet access to the Windows Virtual Desktop service to operate properly and might also need outbound Internet access for end users. Azure Firewall can help you lock down your environment and filter outbound traffic. [ ![Windows Virtual Desktop architecture](media/protect-windows-virtual-desktop/windows-virtual-desktop-architecture-diagram.png) ](media/protect-windows-virtual-desktop/windows-virtual-desktop-architecture-diagram.png#lightbox)
-Follow the guidelines in this article to provide additional protection for your Windows Virtual Desktop host pool using Azure Firewall.
+Follow the guidelines in this article to provide additional protection for your Azure Virtual Desktop host pool using Azure Firewall.
## Prerequisites
+ - A deployed Azure Virtual Desktop environment and host pool.
For more information, see [Tutorial: Create a host pool by using the Azure Marketplace](../virtual-desktop/create-host-pools-azure-marketplace.md) and [Create a host pool with an Azure Resource Manager template](../virtual-desktop/virtual-desktop-fall-2019/create-host-pools-arm-template.md). To learn more about Windows Virtual Desktop environments see [Windows Virtual Desktop environment](../virtual-desktop/environment-setup.md).
-## Host pool outbound access to Windows Virtual Desktop
+## Host pool outbound access to Azure Virtual Desktop
-The Azure virtual machines you create for Windows Virtual Desktop must have access to several Fully Qualified Domain Names (FQDNs) to function properly. Azure Firewall provides a Windows Virtual Desktop FQDN Tag to simplify this configuration. Use the following steps to allow outbound Windows Virtual Desktop platform traffic:
+The Azure virtual machines you create for Azure Virtual Desktop must have access to several Fully Qualified Domain Names (FQDNs) to function properly. Azure Firewall provides a Azure Virtual Desktop FQDN Tag to simplify this configuration. Use the following steps to allow outbound Azure Virtual Desktop platform traffic:
-- Deploy Azure Firewall and configure your Windows Virtual Desktop host pool subnet User Defined Route (UDR) to route default traffic (0.0.0.0/0) via the Azure Firewall. Your default route now points to the firewall.
+- Deploy Azure Firewall and configure your Azure Virtual Desktop host pool subnet User Defined Route (UDR) to route default traffic (0.0.0.0/0) via the Azure Firewall. Your default route now points to the firewall.
- Create an application rule collection and add a rule to enable the *WindowsVirtualDesktop* FQDN tag. The source IP address range is the host pool virtual network, the protocol is **https**, and the destination is **WindowsVirtualDesktop**. -- The set of required storage and service bus accounts for your Windows Virtual Desktop host pool is deployment specific, so it isn't yet captured in the WindowsVirtualDesktop FQDN tag. You can address this in one of the following ways:
+- The set of required storage and service bus accounts for your Azure Virtual Desktop host pool is deployment specific, so it isn't yet captured in the WindowsVirtualDesktop FQDN tag. You can address this in one of the following ways:
- Allow https access from your host pool subnet to *xt.blob.core.windows.net, *eh.servicebus.windows.net. These wildcard FQDNs enable the required access, but are less restrictive. - Use the following log analytics query to list the exact required FQDNs after deployment of WVD hostpool, and then allow them explicitly in your firewall application rules:
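Review bot: "Azure Firewall provides a Azure Virtual Desktop FQDN Tag" should read "an Azure Virtual Desktop FQDN Tag". The rename is also incomplete within this hunk: the description frontmatter line and the opening paragraph (which uses "Windows Virtual Desktop" four times) are left unchanged while the title and H1 now say Azure Virtual Desktop, and the wildcard-FQDN bullet still says "WVD hostpool". The *WindowsVirtualDesktop* FQDN tag name itself is correct to leave as is, since it is the tag identifier rather than the product name.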
The Azure virtual machines you create for Windows Virtual Desktop must have acce
- Create a network rule collection add the following rules: - Allow DNS ΓÇô allow traffic from your ADDS private IP address to * for TCP and UDP ports 53.
- - Allow KMS ΓÇô allow traffic from your Windows Virtual Desktop virtual machines to Windows Activation Service TCP port 1688. For more information about the destination IP addresses, see [Windows activation fails in forced tunneling scenario](/troubleshoot/azure/virtual-machines/custom-routes-enable-kms-activation#solution).
+ - Allow KMS ΓÇô allow traffic from your Azure Virtual Desktop virtual machines to Windows Activation Service TCP port 1688. For more information about the destination IP addresses, see [Windows activation fails in forced tunneling scenario](/troubleshoot/azure/virtual-machines/custom-routes-enable-kms-activation#solution).
> [!NOTE] > Some deployments may not need DNS rules, for example Azure Active Directory Domain controllers forward DNS queries to Azure DNS at 168.63.129.16.
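Review bot: the rewritten "Allow KMS" bullet carries the mojibake "ΓÇô" forward from the original (the same sequence appears in the "Allow DNS" bullet above it); replace it with a plain hyphen while touching the line. Since the DNS rule allows traffic to destination "*" on TCP and UDP 53, it is worth noting in the same list that the destination can be narrowed to the resolvers the session hosts actually use, consistent with the note below that some deployments forward to Azure DNS at 168.63.129.16.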
The Azure virtual machines you create for Windows Virtual Desktop must have acce
Depending on your organization needs, you may want to enable secure outbound Internet access for your end users. In cases where the list of allowed destinations is well-defined (for example, [Microsoft 365 access](/microsoft-365/enterprise/microsoft-365-ip-web-service)) you can use Azure Firewall application and network rules to configure the required access. This routes end-user traffic directly to the Internet for best performance.
-If you want to filter outbound user Internet traffic using an existing on-premises secure web gateway, you can configure web browsers or other applications running on the Windows Virtual Desktop host pool with an explicit proxy configuration. For example, see [How to use Microsoft Edge command-line options to configure proxy settings](/deployedge/edge-learnmore-cmdline-options-proxy-settings). These proxy settings only influence your end-user Internet access, allowing the Windows Virtual Desktop platform outbound traffic directly via Azure Firewall.
+If you want to filter outbound user Internet traffic using an existing on-premises secure web gateway, you can configure web browsers or other applications running on the Azure Virtual Desktop host pool with an explicit proxy configuration. For example, see [How to use Microsoft Edge command-line options to configure proxy settings](/deployedge/edge-learnmore-cmdline-options-proxy-settings). These proxy settings only influence your end-user Internet access, allowing the Azure Virtual Desktop platform outbound traffic directly via Azure Firewall.
## Additional considerations
You may need to configure additional firewall rules, depending on your requireme
## Next steps -- Learn more about Windows Virtual Desktop: [What is Windows Virtual Desktop?](../virtual-desktop/overview.md)
+- Learn more about Azure Virtual Desktop: [What is Azure Virtual Desktop?](../virtual-desktop/overview.md)
healthcare-apis Convert Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/healthcare-apis/fhir/convert-data.md
> or might have constrained capabilities. For more information, see > [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-The $convert-data custom endpoint in the Azure API for FHIR is meant for data conversion from different formats to FHIR. It uses the Liquid template engine and the templates from the [FHIR Converter](https://github.com/microsoft/FHIR-Converter) project as the default templates. You can customize these conversion templates as needed. Currently it supports HL7v2 to FHIR conversion.
+The $convert-data custom endpoint in the FHIR service is meant for data conversion from different data types to FHIR. It uses the Liquid template engine and the templates from the [FHIR Converter](https://github.com/microsoft/FHIR-Converter) project as the default templates. You can customize these conversion templates as needed. Currently it supports two types of conversion, **C-CDA to FHIR** and **HL7v2 to FHIR** conversion.
## Use the $convert-data endpoint
+The `$convert-data` operation is integrated into the FHIR service to run as part of the service. You can make API calls to the server to convert your data into FHIR:
+ `https://<<FHIR service base URL>>/$convert-data`
-$convert-data takes a [Parameter](http://hl7.org/fhir/parameters.html) resource in the request body as described below:
+### Parameter Resource
-**Parameter Resource:**
+$convert-data takes a [Parameter](http://hl7.org/fhir/parameters.html) resource in the request body as described in the table below. In the API call request body, you would include the following parameters:
| Parameter Name | Description | Accepted values | | -- | -- | -- |
-| inputData | Data to be converted. | A valid value of JSON String datatype|
-| inputDataType | Data type of input. | ```HL7v2``` |
-| templateCollectionReference | Reference to a template collection. It can be a reference either to the **Default templates**, or a custom template image that's registered with Azure API for FHIR. See below to learn about customizing the templates, hosting those on ACR, and registering to the Azure API for FHIR. | ```microsofthealth/fhirconverter:default```, \<RegistryServer\>/\<imageName\>@\<imageDigest\> |
-| rootTemplate | The root template to use while transforming the data. | ```ADT_A01```, ```OML_O21```, ```ORU_R01```, ```VXU_V04``` |
+| inputData | Data to be converted. | A valid JSON String|
+| inputDataType | Data type of input. | ```HL7v2```, ``Ccda`` |
+| templateCollectionReference | Reference to an [OCI image ](https://github.com/opencontainers/image-spec) template collection on [Azure Container Registry (ACR)](https://azure.microsoft.com/en-us/services/container-registry/). It is the image containing Liquid templates to use for conversion. It can be a reference either to the default templates or a custom template image that is registered within the FHIR service. See below to learn about customizing the templates, hosting those on ACR, and registering to the FHIR service. | For **HL7v2** default templates: <br>```microsofthealth/fhirconverter:default``` <br>``microsofthealth/hl7v2templates:default``<br><br>For **C-CDA** default templates: ``microsofthealth/ccdatemplates:default`` <br>\<RegistryServer\>/\<imageName\>@\<imageDigest\>, \<RegistryServer\>/\<imageName\>:\<imageTag\> |
+| rootTemplate | The root template to use while transforming the data. | For **HL7v2**:<br>```ADT_A01```, ```OML_O21```, ```ORU_R01```, ```VXU_V04```<br><br> For **C-CDA**:<br>```CCD```, `ConsultationNote`, `DischargeSummary`, `HistoryandPhysical`, `OperativeNote`, `ProcedureNote`, `ProgressNote`, `ReferralNote`, `TransferSummary` |
> [!WARNING]
-> Default templates help you get started quickly. However, these may get updated when we upgrade the Azure API for FHIR. In order to have consistent data conversion behavior across different versions of Azure API for FHIR, you must host your own copy of templates on an Azure Container Registry, register those to the Azure API for FHIR, and use in your API calls as described later.
+> Default templates are released under MIT License and are **not** supported by Microsoft Support.
+>
+> Default templates are provided only to help you get started quickly. They may get updated when we update versions of the Azure API for FHIR. Therefore, you must verify the conversion behavior and **host your own copy of templates** on an Azure Container Registry, register those to the Azure API for FHIR, and use in your API calls in order to have consistent data conversion behavior across the different versions of Azure API for FHIR.
+ **Sample request:**
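Review bot: the new `<RegistryServer>/<imageName>:<imageTag>` form added to the templateCollectionReference row is a mutable reference, which works against the warning's own goal of consistent conversion behavior across Azure API for FHIR versions; a tag can be re-pointed at different template content at any time, while the `<RegistryServer>/<imageName>@<imageDigest>` form pins the exact image. Suggest saying so in that row or in the warning and recommending the digest form for production calls. Two smaller points in the same rows: the code spans mix triple, double and single backticks (```HL7v2```, ``Ccda``, `ConsultationNote`) and should use one style, and `[OCI image ](https://github.com/opencontainers/image-spec)` has a trailing space inside the link text. In the warning, "use in your API calls" is missing its object; "use them in your API calls" reads cleanly.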
In the table below, you'll find the IP address for the Azure region where the Az
Make a call to the $convert-data API specifying your template reference in the templateCollectionReference parameter.
-`<RegistryServer>/<imageName>@<imageDigest>`
+`<RegistryServer>/<imageName>@<imageDigest>`
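Review bot: the removed and added `<RegistryServer>/<imageName>@<imageDigest>` lines are identical as rendered here, so this looks like a whitespace-only change; if that is all it is, no action is needed, but since the parameter table in this same change now also accepts `<RegistryServer>/<imageName>:<imageTag>`, a sentence next to this sample saying that the request deliberately uses the digest form would tie the sample back to the warning about consistent conversion behavior.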
iot-central Overview Iot Central Tour https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/overview-iot-central-tour.md
This article introduces you to Azure IoT Central UI. You can use the UI to creat
## IoT Central homepage
-The [IoT Central homepage](https://aka.ms/iotcentral-get-started) page is the place to learn more about the latest news and features available on IoT Central, create new applications, and see and launch your existing applications.
+The [IoT Central homepage](https://apps.azureiotcentral.com/) page is the place to learn more about the latest news and features available on IoT Central, create new applications, and see and launch your existing applications.
:::image type="content" source="media/overview-iot-central-tour/iot-central-homepage.png" alt-text="IoT Central homepage":::
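Review bot: "The [IoT Central homepage](https://apps.azureiotcentral.com/) page is the place" doubles up "homepage page" in the added line; suggest "The [IoT Central homepage](https://apps.azureiotcentral.com/) is the place to learn more about…". Replacing the aka.ms short link with the direct URL is fine, but the same swap should be made wherever else the article uses the short link so the two do not drift.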
To learn more, see the [Create an Azure IoT Central application](quick-deploy-io
### Launch your application
-You launch your IoT Central application by navigating to the URL you chose during app creation. You can also see a list of all the applications you have access to in the [IoT Central app manager](https://aka.ms/iotcentral-apps).
+You launch your IoT Central application by navigating to the URL you chose during app creation. You can also see a list of all the applications you have access to in the [IoT Central app manager](https://apps.azureiotcentral.com/myapps).
:::image type="content" source="media/overview-iot-central-tour/app-manager.png" alt-text="IoT Central app manager":::
iot-central Overview Iot Central https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/overview-iot-central.md
Last updated 04/19/2021
-+ # What is Azure IoT Central?
This article outlines, for IoT Central:
- The typical user roles associated with a project. - How to create your application.-- How to connect your devices to your application-- How to manage your application.-- Azure IoT Edge capabilities in IoT Central.-- How to connect your Azure IoT Edge runtime powered devices to your application.
+- How to connect your devices to your application.
+- How to integrate your application with other services.
+- How to administer your application.
+- Pricing options.
## User roles
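Review bot: the rewritten outline drops the two Azure IoT Edge bullets that the old list carried ("Azure IoT Edge capabilities in IoT Central" and "How to connect your Azure IoT Edge runtime powered devices to your application"); if the article still has IoT Edge content, the outline should keep a bullet for it, and if that content moved to another article, a link to its new home in this outline or in "Next steps" would help readers who arrive looking for it. The new bullets also end with a period while the context line shows the surviving first bullet without one; make the punctuation consistent across the list.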
iot-edge How To Continuous Integration Continuous Deployment Classic https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-edge/how-to-continuous-integration-continuous-deployment-classic.md
Unless otherwise specified, the procedures in this article do not explore all th
For this article, all you need is the solution folder created by the IoT Edge templates in either Visual Studio Code or Visual Studio. You don't need to build, push, deploy, or debug this code before proceeding. You'll set up those processes in Azure Pipelines.
- If you're creating a new solution, clone your repository locally first. Then, when you create the solution you can choose to create it directly in the repository folder. You can easily commit and push the new files from there.
+ Know the path to the **deployment.template.json** file in your solution, which is used in several steps. If you're unfamiliar with the role of the deployment template, see [Learn how to deploy modules and establish routes](module-composition.md).
+
+ >[!TIP]
+ >If you're creating a new solution, clone your repository locally first. Then, when you create the solution you can choose to create it directly in the repository folder. You can easily commit and push the new files from there.
* A container registry where you can push module images. You can use [Azure Container Registry](../container-registry/index.yml) or a third-party registry. * An active Azure [IoT hub](../iot-hub/iot-hub-create-through-portal.md) with at least two IoT Edge devices for testing the separate test and production deployment stages. You can follow the quickstart articles to create an IoT Edge device on [Linux](quickstart-linux.md) or [Windows](quickstart.md)
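Review bot: `>[!TIP]` is missing the space after `>`; the other callouts in this set of changes are written `> [!NOTE]` and `> [!TIP]`, so use the same form here. The new deployment.template.json prerequisite is a useful addition, but it is inserted as a bare paragraph between list items ("An IoT Edge solution…" above, "A container registry…" below); indent it under the solution bullet or make it its own `*` item so it renders inside the prerequisite list rather than breaking it.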
iot-edge How To Continuous Integration Continuous Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-edge/how-to-continuous-integration-continuous-deployment.md
In this article, you learn how to use the built-in [Azure IoT Edge tasks](/azure
Unless otherwise specified, the procedures in this article do not explore all the functionality available through task parameters. For more information, see the following resources: * [Task version](/azure/devops/pipelines/process/tasks?tabs=yaml#task-versions)
-* **Advanced** - If applicable, specify modules that you do not want built.
* [Control Options](/azure/devops/pipelines/process/tasks?tabs=yaml#task-control-options) * [Environment Variables](/azure/devops/pipelines/process/variables?tabs=yaml#environment-variables) * [Output variables](/azure/devops/pipelines/process/variables?tabs=yaml#use-output-variables-from-tasks)
Unless otherwise specified, the procedures in this article do not explore all th
* An Azure Repos repository. If you don't have one, you can [Create a new Git repo in your project](/azure/devops/repos/git/create-new-repo). For this article, we created a repository called **IoTEdgeRepo**. * An IoT Edge solution committed and pushed to your repository. If you want to create a new sample solution for testing this article, follow the steps in [Develop and debug modules in Visual Studio Code](how-to-vs-code-develop-module.md) or [Develop and debug C# modules in Visual Studio](./how-to-visual-studio-develop-module.md). For this article, we created a solution in our repository called **IoTEdgeSolution**, which has the code for a module named **filtermodule**.
- For this article, all you need is the solution folder created by the IoT Edge templates in either Visual Studio Code or Visual Studio. You don't need to build, push, deploy, or debug this code before proceeding. You'll set up those processes in Azure Pipelines.
+ For this article, all you need is the solution folder created by the IoT Edge templates in either Visual Studio Code or Visual Studio. You don't need to build, push, deploy, or debug this code before proceeding. You'll set up those processes in Azure Pipelines.
- If you're creating a new solution, clone your repository locally first. Then, when you create the solution you can choose to create it directly in the repository folder. You can easily commit and push the new files from there.
+ Know the path to the **deployment.template.json** file in your solution, which is used in several steps. If you're unfamiliar with the role of the deployment template, see [Learn how to deploy modules and establish routes](module-composition.md).
+
+ >[!TIP]
+ >If you're creating a new solution, clone your repository locally first. Then, when you create the solution you can choose to create it directly in the repository folder. You can easily commit and push the new files from there.
* A container registry where you can push module images. You can use [Azure Container Registry](../container-registry/index.yml) or a third-party registry. * An active Azure [IoT hub](../iot-hub/iot-hub-create-through-portal.md) with at least two IoT Edge devices for testing the separate test and production deployment stages. You can follow the quickstart articles to create an IoT Edge device on [Linux](quickstart-linux.md) or [Windows](quickstart.md)
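Review bot: the prerequisite block added here (the deployment.template.json sentence and the TIP) is a verbatim copy of the one added to the classic article in this same change, and two hand-maintained copies will drift; since these articles already use [!INCLUDE] files, consider moving the shared block into an include so both pages pick up future edits. Also, the removed and added "For this article, all you need is the solution folder…" lines read identically here, so that pair is presumably whitespace-only, and `>[!TIP]` should be `> [!TIP]` to match the other callouts.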
key-vault Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/resource-graph-samples.md
+
+ Title: Azure Resource Graph sample queries for Azure Key Vault
+description: Sample Azure Resource Graph queries for Azure Key Vault showing use of resource types and tables to access Azure Key Vault related resources and properties.
Last updated : 07/21/2021++++++
+# Azure Resource Graph sample queries for Azure Key Vault
+
+This page is a collection of [Azure Resource Graph](../governance/resource-graph/overview.md) sample
+queries for Azure Key Vault. For a complete list of Azure Resource Graph samples, see
+[Resource Graph samples by Category](../governance/resource-graph/samples/samples-by-category.md)
+and [Resource Graph samples by Table](../governance/resource-graph/samples/samples-by-table.md).
+
+## Sample queries
++
+## Next steps
+
+- Learn more about the [query language](../governance/resource-graph/concepts/query-language.md).
+- Learn more about how to [explore resources](../governance/resource-graph/concepts/explore-resources.md).
+- See samples of [Starter language queries](../governance/resource-graph/samples/starter.md).
+- See samples of [Advanced language queries](../governance/resource-graph/samples/advanced.md).
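Review bot: the "## Sample queries" section has nothing between its heading and "## Next steps" in this diff other than the `++` line, which is either an empty added line or an include directive that the rendering dropped; if the queries are meant to come from an [!INCLUDE] file, confirm the directive is actually in the file, otherwise this new page ships with an empty section under the heading that is its whole reason to exist. In the description, "Azure Key Vault related resources" should be hyphenated as "Azure Key Vault-related resources".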
lighthouse Create Eligible Authorizations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/lighthouse/how-to/create-eligible-authorizations.md
To include eligible authorizations when you onboard a customer, use one of the t
|To onboard this (with eligible authorizations) |Use this Azure Resource Manager template |And modify this parameter file | ||||
-|Subscription |[subscription.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription.json) |[subscription.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription.parameters.json) |
+|Subscription |[subscription.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription.json) |[subscription.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription.Parameters.json) |
|Subscription (with approvers) |[subscription-managing-tenant-approvers.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription-managing-tenant-approvers.json) |[subscription-managing-tenant-approvers.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription-managing-tenant-approvers.parameters.json) | |Resource group |[rg.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/rg.json) |[rg.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/rg.parameters.json) | |Resource group (with approvers) |[rg-managing-tenant-approvers.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/rg-managing-tenant-approvers.json) |[rg-managing-tenant-approvers.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/rg-managing-tenant-approvers.parameters.json) |
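Review bot: the corrected parameter-file URL uses `subscription.Parameters.json` with a capital P, while every other parameter file in the same table (`rg.parameters.json`, `rg-managing-tenant-approvers.parameters.json`) and the approvers file renamed later in this same change use lowercase `.parameters.json`; GitHub repository paths are case-sensitive, so verify the actual filename in Azure-Lighthouse-samples and match its case exactly, otherwise the link still 404s even though the added `subscription/` directory segment is the right fix.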
The **subscription-managing-tenant-approvers.json** template, which can be used
### Define eligible authorizations in your parameters file
-The [subscription-managing-tenant-approvers.Parameters.json sample template](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription-managing-tenant-approvers.Parameters.json) can be used to define authorizations, including eligible authorizations, when onboarding a subscription.
+The [subscription-managing-tenant-approvers.Parameters.json sample template](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/subscription/subscription-managing-tenant-approvers.parameters.json) can be used to define authorizations, including eligible authorizations, when onboarding a subscription.
Each of your eligible authorizations must be defined in the `eligibleAuthorizations` parameter. This example includes one eligible authorization.
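Review bot: the URL is changed to `subscription-managing-tenant-approvers.parameters.json` (lowercase p) but the link text still reads `subscription-managing-tenant-approvers.Parameters.json`; make the visible name match the URL, and cross-check against the table above, which in this same change links `subscription.Parameters.json` with a capital P, so that one casing is used throughout and both links resolve.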
logic-apps Secure Single Tenant Workflow Virtual Network Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint.md
ms.suite: integration Previously updated : 05/25/2021 Last updated : 07/25/2021 # As a developer, I want to connect to my single-tenant workflows from virtual networks using private endpoints.
In your logic app settings, set `AzureWebJobsStorage` to the connection string f
### Considerations for private endpoints on storage accounts -- Create different private endpoints for each of the Table, Queue, and Blob storage services.
+- Create different private endpoints for each of the Table, Queue, Blob, and File storage services.
- Route all outbound traffic through your virtual network by using this setting:
machine-learning Concept Workspace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/concept-workspace.md
There are multiple ways to create a workspace:
> [!NOTE] > The workspace name is case-insensitive.
+## <a name="sub-resources"></a> Sub resources
+
+These sub resources are the main resources that are made in the AML workspace.
+
+* VMs: provide computing power for your AML workspace and are an integral part in deploying and training models.
+* Load Balancer: a network load balancer is created for each compute instance and compute cluster to manage traffic even while the compute instance/cluster is stopped.
+* Virtual Network: these help Azure resources communicate with one another, the internet, and other on-premises networks.
+* Bandwidth: encapsulates all outbound data transfers across regions.
+ ## <a name="resources"></a> Associated resources When you create a new workspace, it automatically creates several Azure resources that are used by the workspace:
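Review bot: the new "Sub resources" section uses the abbreviation "AML" twice without introducing it, while the rest of this page says "Azure Machine Learning"; spell it out or drop the abbreviation. Suggest "sub-resources" (hyphenated) in the heading and intro, and a consistent capitalization for the bullet labels, which currently mix "VMs", "Load Balancer", "Virtual Network" and "Bandwidth". The Load Balancer bullet would also be clearer if it said why a load balancer that exists while the compute is stopped matters to the reader (it is billed regardless), since that is the only reason to call it out in a resources overview; if that is not the intent, rephrase so the "even while stopped" clause does not read as a stray detail.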
machine-learning How To Access Azureml Behind Firewall https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-access-azureml-behind-firewall.md
In this article, learn how to configure Azure Firewall to control access to your
> [!NOTE] > The information in this article applies to Azure Machine Learning workspace whether it uses a private endpoint or a service endpoint.
+> [!TIP]
+> This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
+>
+> * [Virtual network overview](how-to-network-security-overview.md)
+> * [Secure the workspace resources](how-to-secure-workspace-vnet.md)
+> * [Secure the training environment](how-to-secure-training-vnet.md)
+> * [Secure the inference environment](how-to-secure-inferencing-vnet.md)
+> * [Enable studio functionality](how-to-enable-studio-virtual-network.md)
+> * [Use custom DNS](how-to-custom-dns.md)
+ ## Required public internet access [!INCLUDE [machine-learning-required-public-internet-access](../../includes/machine-learning-public-internet-access.md)]
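Review bot: this TIP block, and the matching list under "Next steps" below, are repeated verbatim across six articles in this change with only the self-link omitted from each; since the page already pulls in shared content with [!INCLUDE] (see "Required public internet access" right after the TIP), consider moving the series list into a single include so that adding an article to the series later is one edit rather than twelve. One wording point: the list says "Secure the inference environment" while the target article (how-to-secure-inferencing-vnet.md) calls itself the inferencing environment; pick one term and use it in every copy.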
The hosts in this section are used to install Visual Studio Code packages to est
## Next steps
-* [Tutorial: Deploy and configure Azure Firewall using the Azure portal](../firewall/tutorial-firewall-deploy-portal.md)
-* [Secure Azure ML experimentation and inference jobs within an Azure Virtual Network](how-to-network-security-overview.md)
+This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
+
+* [Virtual network overview](how-to-network-security-overview.md)
+* [Secure the workspace resources](how-to-secure-workspace-vnet.md)
+* [Secure the training environment](how-to-secure-training-vnet.md)
+* [Secure the inference environment](how-to-secure-inferencing-vnet.md)
+* [Enable studio functionality](how-to-enable-studio-virtual-network.md)
+* [Use custom DNS](how-to-custom-dns.md)
+
+For more information on configuring Azure Firewall, see [Tutorial: Deploy and configure Azure Firewall using the Azure portal](../firewall/tutorial-firewall-deploy-portal.md).
machine-learning How To Custom Dns https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-custom-dns.md
When using an Azure Machine Learning workspace with a private endpoint, there ar
> [!IMPORTANT] > This article covers how to find the fully qualified domain names (FQDN) and IP addresses for these entries if you would like to manually register DNS records in your DNS solution. Additionally this article provides architecture recommendations for how to configure your custom DNS solution to automatically resolve FQDNs to the correct IP addresses. This article does NOT provide information on configuring the DNS records for these items. Consult the documentation for your DNS software for information on how to add records.
+> [!TIP]
+> This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
+>
+> * [Virtual network overview](how-to-network-security-overview.md)
+> * [Secure the workspace resources](how-to-secure-workspace-vnet.md)
+> * [Secure the training environment](how-to-secure-training-vnet.md)
+> * [Secure the inference environment](how-to-secure-inferencing-vnet.md)
+> * [Enable studio functionality](how-to-enable-studio-virtual-network.md)
+> * [Use a firewall](how-to-access-azureml-behind-firewall.md)
## Prerequisites - An Azure Virtual Network that uses [your own DNS server](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server).
If after running through the above steps you are unable to access the workspace
## Next steps
-For information on using Azure Machine Learning with a virtual network, see the [virtual network overview](how-to-network-security-overview.md).
+This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
+
+* [Virtual network overview](how-to-network-security-overview.md)
+* [Secure the workspace resources](how-to-secure-workspace-vnet.md)
+* [Secure the training environment](how-to-secure-training-vnet.md)
+* [Secure the inference environment](how-to-secure-inferencing-vnet.md)
+* [Enable studio functionality](how-to-enable-studio-virtual-network.md)
+* [Use a firewall](how-to-access-azureml-behind-firewall.md)
For information on integrating Private Endpoints into your DNS configuration, see [Azure Private Endpoint DNS configuration](../private-link/private-endpoint-dns.md).
machine-learning How To Deploy Continuously Deploy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-deploy-continuously-deploy.md
- Title: Continuously deploy Azure Machine Learning models-
-description: 'Learn how to continuously deploy models with the Azure Machine Learning DevOps extension. Automatically check for, and deploy, new model versions.'
----- Previously updated : 08/03/2020-----
-# Continuously deploy models
-
-This article shows how to use continuous deployment in Azure DevOps to automatically check for new versions of registered models and push those new models into production.
-
-## Prerequisites
-
-This article assumes you have already registered a model in your Azure Machine Learning workspace. See [this tutorial](how-to-train-scikit-learn.md) for an example of training and registering a scikit-learn model.
-
-## Continuously deploy models
-
-You can continuously deploy models by using the Machine Learning extension for [Azure DevOps](https://azure.microsoft.com/services/devops/). You can use the Machine Learning extension for Azure DevOps to trigger a deployment pipeline when a new machine learning model is registered in an Azure Machine Learning workspace.
-
-1. Sign up for [Azure Pipelines](/azure/devops/pipelines/get-started/pipelines-sign-up), which makes continuous integration and delivery of your application to any platform or cloud possible. (Note that Azure Pipelines isn't the same as [Machine Learning pipelines](concept-ml-pipelines.md#compare).)
-
-1. [Create an Azure DevOps project.](/azure/devops/organizations/projects/create-project)
-
-1. Install the [Machine Learning extension for Azure Pipelines](https://marketplace.visualstudio.com/items?itemName=ms-air-aiagility.vss-services-azureml&targetId=6756afbe-7032-4a36-9cb6-2771710cadc2&utm_source=vstsproduct&utm_medium=ExtHubManageList).
-
-1. Use service connections to set up a service principal connection to your Azure Machine Learning workspace so you can access your artifacts. Go to project settings, select **Service connections**, and then select **Azure Resource Manager**:
-
- [![Select Azure Resource Manager](media/how-to-deploy-and-where/view-service-connection.png)](media/how-to-deploy-and-where/view-service-connection-expanded.png)
-
-1. In the **Scope level** list, select **AzureMLWorkspace**, and then enter the rest of the values:
-
- ![Select AzureMLWorkspace](media/how-to-deploy-and-where/resource-manager-connection.png)
-
-1. To continuously deploy your machine learning model by using Azure Pipelines, under pipelines, select **release**. Add a new artifact, and then select the **AzureML Model** artifact and the service connection that you created earlier. Select the model and version to trigger a deployment:
-
- [![Select AzureML Model](media/how-to-deploy-and-where/enable-modeltrigger-artifact.png)](media/how-to-deploy-and-where/enable-modeltrigger-artifact-expanded.png)
-
-1. Enable the model trigger on your model artifact. When you turn on the trigger, every time the specified version (that is, the newest version) of that model is registered in your workspace, an Azure DevOps release pipeline is triggered.
-
- [![Enable the model trigger](media/how-to-deploy-and-where/set-modeltrigger.png)](media/how-to-deploy-and-where/set-modeltrigger-expanded.png)
-
-## Next steps
-
-Check out the below projects on GitHub for more examples of continuous deployment for ML models.
-
-* [Microsoft/MLOps](https://github.com/Microsoft/MLOps)
-* [Microsoft/MLOpsPython](https://github.com/microsoft/MLOpsPython)
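Review bot: deleting how-to-deploy-continuously-deploy.md outright turns every existing bookmark and inbound link into a 404 unless a redirect is added, and the change shown here contains no redirection entry; confirm one exists (pointing to whichever article now covers the Machine Learning extension for Azure Pipelines and the model trigger, or to the MLOps samples listed in the removed "Next steps") and that no other article in this set still links to this file.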
machine-learning How To Enable Studio Virtual Network https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-enable-studio-virtual-network.md
In this article, you learn how to:
> - Access the studio from a resource inside of a virtual network. > - Understand how the studio impacts storage security.
-This article is part five of a five-part series that walks you through securing an Azure Machine Learning workflow. We highly recommend that you read through the previous parts to set up a virtual network environment.
-
-See the other articles in this series:
-
-[1. VNet overview](how-to-network-security-overview.md) > [2. Secure the workspace](how-to-secure-workspace-vnet.md) > [3. Secure the training environment](how-to-secure-training-vnet.md) > [4. Secure the inferencing environment](how-to-secure-inferencing-vnet.md) > **5. Enable studio functionality**
+> [!TIP]
+> This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
+>
+> * [Virtual network overview](how-to-network-security-overview.md)
+> * [Secure the workspace resources](how-to-secure-workspace-vnet.md)
+> * [Secure the training environment](how-to-secure-training-vnet.md)
+> * [Secure the inference environment](how-to-secure-inferencing-vnet.md)
+> * [Use custom DNS](how-to-custom-dns.md)
+> * [Use a firewall](how-to-access-azureml-behind-firewall.md)
## Prerequisites
Some storage services, such as Azure Storage Account, have firewall settings tha
> Azure Machine Learning studio is supported when using the Azure Firewall service. For more information, see [Use your workspace behind a firewall](how-to-access-azureml-behind-firewall.md). ## Next steps
-This article is part five of a five-part virtual network series. See the rest of the articles to learn how to secure a virtual network:
-
-* [Part 1: Virtual network overview](how-to-network-security-overview.md)
-* [Part 2: Secure the workspace resources](how-to-secure-workspace-vnet.md)
-* [Part 3: Secure the training environment](how-to-secure-training-vnet.md)
-* [Part 4: Secure the inferencing environment](how-to-secure-inferencing-vnet.md)
+This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
-Also see the article on using [custom DNS](how-to-custom-dns.md) for name resolution.
+* [Virtual network overview](how-to-network-security-overview.md)
+* [Secure the workspace resources](how-to-secure-workspace-vnet.md)
+* [Secure the training environment](how-to-secure-training-vnet.md)
+* [Secure the inference environment](how-to-secure-inferencing-vnet.md)
+* [Use custom DNS](how-to-custom-dns.md)
+* [Use a firewall](how-to-access-azureml-behind-firewall.md)
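Review bot: in the new "Next steps" text, the intro sentence "This article is part of a series…" is immediately followed by the first `*` bullet with no blank line between them (the removed "Also see the article on using custom DNS…" line sat where the blank line would be), whereas the same block in the firewall article's "Next steps" in this change has the blank line; add it here so the six copies render identically.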
machine-learning How To Network Security Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-network-security-overview.md
Secure Azure Machine Learning workspace resources and compute environments using virtual networks (VNets). This article uses an example scenario to show you how to configure a complete virtual network.
-This article is part one of a five-part series that walks you through securing an Azure Machine Learning workflow. We highly recommend that you read through this overview article to understand the concepts first.
-
-Here are the other articles in this series:
-
-**1. VNet overview** > [2. Secure the workspace](how-to-secure-workspace-vnet.md) > [3. Secure the training environment](how-to-secure-training-vnet.md) > [4. Secure the inferencing environment](how-to-secure-inferencing-vnet.md) > [5. Enable studio functionality](how-to-enable-studio-virtual-network.md)
+> [!TIP]
+> This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
+>
+> * [Secure the workspace resources](how-to-secure-workspace-vnet.md)
+> * [Secure the training environment](how-to-secure-training-vnet.md)
+> * [Secure the inference environment](how-to-secure-inferencing-vnet.md)
+> * [Enable studio functionality](how-to-enable-studio-virtual-network.md)
+> * [Use custom DNS](how-to-custom-dns.md)
+> * [Use a firewall](how-to-access-azureml-behind-firewall.md)
## Prerequisites
The following table compares how services access different parts of an Azure Mac
* **Inferencing compute access** - Access Azure Kubernetes Services (AKS) compute clusters with private IP addresses.
-The next five sections show you how to secure the network scenario described above. To secure your network, you must:
+The next sections show you how to secure the network scenario described above. To secure your network, you must:
1. Secure the [**workspace and associated resources**](#secure-the-workspace-and-associated-resources). 1. Secure the [**training environment**](#secure-the-training-environment).
For more information on the required domain names and IP addresses, see [how to
## Next steps
-This article is part one of a five-part virtual network series. See the rest of the articles to learn how to secure a virtual network:
-
-* [Part 2: Virtual network overview](how-to-secure-workspace-vnet.md)
-* [Part 3: Secure the training environment](how-to-secure-training-vnet.md)
-* [Part 4: Secure the inferencing environment](how-to-secure-inferencing-vnet.md)
-* [Part 5: Enable studio functionality](how-to-enable-studio-virtual-network.md)
+This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
-Also see the article on using [custom DNS](how-to-custom-dns.md) for name resolution.
+* [Secure the workspace resources](how-to-secure-workspace-vnet.md)
+* [Secure the training environment](how-to-secure-training-vnet.md)
+* [Secure the inference environment](how-to-secure-inferencing-vnet.md)
+* [Enable studio functionality](how-to-enable-studio-virtual-network.md)
+* [Use custom DNS](how-to-custom-dns.md)
+* [Use a firewall](how-to-access-azureml-behind-firewall.md)
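Review bot: the overview is the series entry point, yet the link to Tutorial: Create a secure workspace (tutorial-create-secure-workspace.md) that this change adds only to the training article's TIP is absent here; suggest adding it to the overview's TIP and "Next steps" as well. The removed list also fixes a real error (the old "Part 2: Virtual network overview" pointed at the workspace article), which is worth a line in the commit message. As in the studio article, the intro sentence and the first bullet need a blank line between them.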
machine-learning How To Secure Inferencing Vnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-secure-inferencing-vnet.md
In this article, you learn how to secure inferencing environments with a virtual network in Azure Machine Learning.
-This article is part four of a five-part series that walks you through securing an Azure Machine Learning workflow. We highly recommend that you read through [Part one: VNet overview](how-to-network-security-overview.md) to understand the overall architecture first.
-
-See the other articles in this series:
-
-[1. VNet overview](how-to-network-security-overview.md) > [Secure the workspace](how-to-secure-workspace-vnet.md) > [3. Secure the training environment](how-to-secure-training-vnet.md) > **4. Secure the inferencing environment** > [5. Enable studio functionality](how-to-enable-studio-virtual-network.md)
+> [!TIP]
+> This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
+>
+> * [Virtual network overview](how-to-network-security-overview.md)
+> * [Secure the workspace resources](how-to-secure-workspace-vnet.md)
+> * [Secure the training environment](how-to-secure-training-vnet.md)
+> * [Enable studio functionality](how-to-enable-studio-virtual-network.md)
+> * [Use custom DNS](how-to-custom-dns.md)
+> * [Use a firewall](how-to-access-azureml-behind-firewall.md)
In this article you learn how to secure the following inferencing resources in a virtual network: > [!div class="checklist"]
If you don't want to use the default outbound rules and you do want to limit the
## Next steps
-This article is part four of a five-part virtual network series. See the rest of the articles to learn how to secure a virtual network:
-
-* [Part 1: Virtual network overview](how-to-network-security-overview.md)
-* [Part 2: Secure the workspace resources](how-to-secure-workspace-vnet.md)
-* [Part 3: Secure the training environment](how-to-secure-training-vnet.md)
-* [Part 5: Enable studio functionality](how-to-enable-studio-virtual-network.md)
+This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
-Also see the article on using [custom DNS](how-to-custom-dns.md) for name resolution.
+* [Virtual network overview](how-to-network-security-overview.md)
+* [Secure the workspace resources](how-to-secure-workspace-vnet.md)
+* [Secure the training environment](how-to-secure-training-vnet.md)
+* [Enable studio functionality](how-to-enable-studio-virtual-network.md)
+* [Use custom DNS](how-to-custom-dns.md)
+* [Use a firewall](how-to-access-azureml-behind-firewall.md)
machine-learning How To Secure Training Vnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-secure-training-vnet.md
In this article, you learn how to secure training environments with a virtual network in Azure Machine Learning.
-This article is part three of a five-part series that walks you through securing an Azure Machine Learning workflow. We highly recommend that you read through [Part one: VNet overview](how-to-network-security-overview.md) to understand the overall architecture first.
-
-See the other articles in this series:
-
-[1. VNet overview](how-to-network-security-overview.md) > [2. Secure the workspace](how-to-secure-workspace-vnet.md) > **3. Secure the training environment** > [4. Secure the inferencing environment](how-to-secure-inferencing-vnet.md) > [5. Enable studio functionality](how-to-enable-studio-virtual-network.md)
+> [!TIP]
+> This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
+>
+> * [Virtual network overview](how-to-network-security-overview.md)
+> * [Secure the workspace resources](how-to-secure-workspace-vnet.md)
+> * [Secure the inference environment](how-to-secure-inferencing-vnet.md)
+> * [Enable studio functionality](how-to-enable-studio-virtual-network.md)
+> * [Use custom DNS](how-to-custom-dns.md)
+> * [Use a firewall](how-to-access-azureml-behind-firewall.md)
+>
+> For a tutorial on creating a secure workspace, compute cluster, and compute instance, see [Tutorial: Create a secure workspace](tutorial-create-secure-workspace.md).
In this article you learn how to secure the following training compute resources in a virtual network: > [!div class="checklist"]
In this article you learn how to secure the following training compute resources
* If you plan to secure the virtual network by restricting traffic, see the [Required public internet access](#required-public-internet-access) section. * The subnet used to deploy compute cluster/instance shouldn't be delegated to any other service. For example, it shouldn't be delegated to ACI. - ### Azure Databricks * The virtual network must be in the same subscription and region as the Azure Machine Learning workspace.
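Review bot: Removing the `### Azure Databricks` heading changes the scope of the bullet that followed it. "The virtual network must be in the same subscription and region as the Azure Machine Learning workspace." now reads as a requirement of the preceding compute cluster/instance section rather than as a Databricks-specific one. If the requirement is meant to apply to compute clusters and instances as well, say so explicitly; otherwise keep the heading (or fold the Databricks requirement into whichever section now covers that compute type) so the constraint stays attached to the right resource.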
Attach the VM or HDInsight cluster to your Azure Machine Learning workspace. For
## Next steps
-This article is part three of a five-part virtual network series. See the rest of the articles to learn how to secure a virtual network:
-
-* [Part 1: Virtual network overview](how-to-network-security-overview.md)
-* [Part 2: Secure the workspace resources](how-to-secure-workspace-vnet.md)
-* [Part 4: Secure the inferencing environment](how-to-secure-inferencing-vnet.md)
-* [Part 5: Enable studio functionality](how-to-enable-studio-virtual-network.md)
+This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
-Also see the article on using [custom DNS](how-to-custom-dns.md) for name resolution.
+* [Virtual network overview](how-to-network-security-overview.md)
+* [Secure the workspace resources](how-to-secure-workspace-vnet.md)
+* [Secure the inference environment](how-to-secure-inferencing-vnet.md)
+* [Enable studio functionality](how-to-enable-studio-virtual-network.md)
+* [Use custom DNS](how-to-custom-dns.md)
+* [Use a firewall](how-to-access-azureml-behind-firewall.md)
machine-learning How To Secure Workspace Vnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-secure-workspace-vnet.md
In this article, you learn how to secure an Azure Machine Learning workspace and its associated resources in a virtual network.
-This article is part two of a five-part series that walks you through securing an Azure Machine Learning workflow. We highly recommend that you read through [Part one: VNet overview](how-to-network-security-overview.md) to understand the overall architecture first.
-
-See the other articles in this series:
-
-[1. VNet overview](how-to-network-security-overview.md) > **2. Secure the workspace** > [3. Secure the training environment](how-to-secure-training-vnet.md) > [4. Secure the inferencing environment](how-to-secure-inferencing-vnet.md) > [5. Enable studio functionality](how-to-enable-studio-virtual-network.md)
+> [!TIP]
+> This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
+>
+> * [Virtual network overview](how-to-network-security-overview.md)
+> * [Secure the training environment](how-to-secure-training-vnet.md)
+> * [Secure the inference environment](how-to-secure-inferencing-vnet.md)
+> * [Enable studio functionality](how-to-enable-studio-virtual-network.md)
+> * [Use custom DNS](how-to-custom-dns.md)
+> * [Use a firewall](how-to-access-azureml-behind-firewall.md)
+>
+> For a tutorial on creating a secure workspace, see [Tutorial: Create a secure workspace](tutorial-create-secure-workspace.md).
In this article you learn how to enable the following workspaces resources in a virtual network: > [!div class="checklist"]
In this article you learn how to enable the following workspaces resources in a
> - Azure Key Vault > - Azure Container Registry
-> [!TIP]
-> For a tutorial on creating a secure workspace, see [Tutorial: Create a secure workspace](tutorial-create-secure-workspace.md).
- ## Prerequisites + Read the [Network security overview](how-to-network-security-overview.md) article to understand common virtual network scenarios and overall virtual network architecture.
The following methods can be used to connect to the secure workspace:
## Next steps
-This article is part two of a five-part virtual network series. See the rest of the articles to learn how to secure a virtual network:
-
-* [Part 1: Virtual network overview](how-to-network-security-overview.md)
-* [Part 3: Secure the training environment](how-to-secure-training-vnet.md)
-* [Part 4: Secure the inferencing environment](how-to-secure-inferencing-vnet.md)
-* [Part 5: Enable studio functionality](how-to-enable-studio-virtual-network.md)
+This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
-Also see the article on using [custom DNS](how-to-custom-dns.md) for name resolution.
+* [Virtual network overview](how-to-network-security-overview.md)
+* [Secure the training environment](how-to-secure-training-vnet.md)
+* [Secure the inference environment](how-to-secure-inferencing-vnet.md)
+* [Enable studio functionality](how-to-enable-studio-virtual-network.md)
+* [Use custom DNS](how-to-custom-dns.md)
+* [Use a firewall](how-to-access-azureml-behind-firewall.md)
machine-learning How To Train With Custom Image https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-train-with-custom-image.md
except ComputeTargetException:
print(compute_target.get_status().serialize()) ``` +
+>[!IMPORTANT]
+>Use CPU SKUs for any image build on compute.
++ ## Configure your training job For this tutorial, use the training script *train.py* on [GitHub](https://github.com/Azure/azureml-examples/blob/main/python-sdk/workflows/train/fastai/pets/src/train.py). In practice, you can take any custom training script and run it, as is, with Azure Machine Learning.
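Review bot: The added `[!IMPORTANT]` callout states a rule ("Use CPU SKUs for any image build on compute.") without the reason or a pointer, so a reader cannot tell whether a GPU SKU fails the image build, merely wastes the more expensive compute, or is unsupported for some other reason. One sentence of rationale or a link to the compute/image-build documentation would make the note actionable. Also, the callout is written as `>[!IMPORTANT]` with no space after `>`, while the rest of this article's callouts (and the Docs convention) use `> [!IMPORTANT]`.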
run.wait_for_completion(show_output=True)
## Next steps In this article, you trained a model by using a custom Docker image. See these other articles to learn more about Azure Machine Learning: * [Track run metrics](how-to-log-view-metrics.md) during training.
-* [Deploy a model](./how-to-deploy-custom-container.md) by using a custom Docker image.
+* [Deploy a model](./how-to-deploy-custom-container.md) by using a custom Docker image.
machine-learning How To Use Environments https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-use-environments.md
run = exp.submit(src)
> [!NOTE] > To disable the run history or run snapshots, use the setting under `src.run_config.history`.
+>[!IMPORTANT]
+> Use CPU SKUs for any image build on compute.
+ If you don't specify the environment in your run configuration, then the service creates a default environment when you submit your run. ## Use environments for web service deployment
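Review bot: The two new lines are formatted inconsistently with each other: `>[!IMPORTANT]` has no space after `>` while the following `> Use CPU SKUs for any image build on compute.` does, and the adjacent `> [!NOTE]` callout in the same hunk uses the spaced form. Use `> [!IMPORTANT]` for the first line. The same callout is added verbatim to how-to-train-with-custom-image.md in this commit; if the guidance is going to live in two places, a shared include would keep them from drifting apart.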
machine-learning Overview What Is Azure Ml https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/overview-what-is-azure-ml.md
Azure Machine Learning provides all the tools developers and data scientists nee
You can even use [MLflow to track metrics and deploy models](how-to-use-mlflow.md) or Kubeflow to [build end-to-end workflow pipelines](https://www.kubeflow.org/docs/azure/).
-## Build ML models in with the Python SDK
+## Build ML models with the Python SDK
Start training on your local machine using the Azure Machine Learning <a href="/python/api/overview/azure/ml/intro" target="_blank">Python SDK</a>. Then, you can scale out to the cloud.
marketplace Azure Vm Create Listing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/azure-vm-create-listing.md
description: Configure virtual machine offer listing details on Azure Marketplac
-- Previously updated : 10/19/2020++ Last updated : 10/20/2020 # Configure virtual machine offer listing details
marketplace Azure Vm Create Plans https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/azure-vm-create-plans.md
description: Create plans for a virtual machine offer on Azure Marketplace.
--++ Last updated 07/05/2021
marketplace Azure Vm Create Preview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/azure-vm-create-preview.md
description: Add a preview audience for a virtual machine offer on Azure Marketp
--++ Last updated 10/19/2020
marketplace Azure Vm Create Properties https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/azure-vm-create-properties.md
description: Configure virtual machine offer properties on Azure Marketplace.
--++ Last updated 10/19/2020
marketplace Azure Vm Create Resell Csp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/azure-vm-create-resell-csp.md
description: Resell your offer through Cloud Solution Providers (CSP) on Azure M
-- Previously updated : 11/05/2020++ Last updated : 11/06/2020 # Resell your offer through CSP
marketplace Azure Vm Create Using Own Image https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/azure-vm-create-using-own-image.md
Previously updated : 06/23/2021 Last updated : 07/22/2021 # Create a virtual machine using your own image
Ask the owner to run either one of these commands (in either case, use the Susbs
az login az provider register --namespace Microsoft.PartnerCenterIngestion --subscription {subscriptionId} ```
-
+ ```powershell Connect-AzAccount Select-AzSubscription -SubscriptionId {subscriptionId}
Register-AzResourceProvider -ProviderNamespace Microsoft.PartnerCenterIngestion
``` > [!NOTE]
-> You donΓÇÖt need to generate SAS URIs as you can now publish a SIG Image on Partner Center. However, if you still need to refer to the SAS URI generation steps, see [How to generate a SAS URI for a VM image](azure-vm-get-sas-uri.md).
+> You donΓÇÖt need to generate SAS URIs as you can now publish a Shared image gallery (SIG) Image on Partner Center, without using APIs. <br/> <br/>If you *are* publishing using APIs, you would need to generate SAS URIs instead of using a SIG, see [How to generate a SAS URI for a VM image](azure-vm-get-sas-uri.md).
## Next steps
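Review bot: The rewritten NOTE carries a mis-encoded apostrophe (`donΓÇÖt`) that was already present in the removed line and should be replaced with a plain `'` rather than preserved; it also uses `<br/> <br/>` to split the note into two paragraphs, where a blank `>` line is the usual Markdown form inside a callout. "Shared image gallery (SIG) Image" should be "Shared Image Gallery (SIG) image" for consistent capitalization. Unrelated to the hunk's own change but visible in its context, the lead-in "use the Susbs..." has a transposition in "Subscription" that could be fixed in the same commit.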
marketplace Azure Vm Create https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/azure-vm-create.md
description: Create a virtual machine offer on Azure Marketplace.
--++ Last updated 04/08/2021
Select **Save draft** before continuing to the next tab in the left-nav menu, **
## Next steps - [Configure virtual machine offer properties](azure-vm-create-properties.md)-- [Offer listing best practices](gtm-offer-listing-best-practices.md)
+- [Offer listing best practices](gtm-offer-listing-best-practices.md)
marketplace Marketplace Virtual Machines https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/marketplace-virtual-machines.md
Before you start, [Create a commercial marketplace account in Partner Center](cr
### Technical fundamentals
-The process of designing, building, and testing offers takes time and requires expertise in both the Azure platform and the technologies used to build your offer. Your engineering team should have a working knowledge of [Azure Virtual Machines](https://azure.microsoft.com/services/virtual-machines/), [Azure Storage](https://azure.microsoft.com/services/?filter=storage#storage), and [Azure Networking](https://azure.microsoft.com/services/?filter=networking#networking), as well as proficiency with the [design and architecture of Azure applications](https://azure.microsoft.com/solutions/architecture/). See these additional technical resources:
+The process of designing, building, and testing offers takes time and requires expertise in both the Azure platform and the technologies used to build your offer. Your engineering team should have a working knowledge of [Azure Virtual Machines](https://azure.microsoft.com/services/virtual-machines/), [Azure Storage](https://azure.microsoft.com/services/?filter=storage#storage), and [Azure Networking](https://azure.microsoft.com/services/?filter=networking#networking), as well as proficiency with the [design and architecture of Azure applications](https://azure.microsoft.com/solutions/architecture/). See these additional technical resources:
- Tutorials - [Linux VMs](../virtual-machines/linux/tutorial-manage-vm.md)
marketplace Summary Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/summary-dashboard.md
You can find a month range selection at the top-right corner of each page. Custo
### Orders widget
-The Orders widget on the Summary** dashboard displays the current orders for all your transact-based offers. The Orders widget displays a count and trend of all purchased orders (excluding canceled orders) for the selected computation period. The percentage value **Orders** represents the amount of growth during the selected computation period.
+The Orders widget on the **Summary** dashboard displays the current orders for all your transact-based offers. The Orders widget displays a count and trend of all purchased orders (excluding canceled orders) for the selected computation period. The percentage value **Orders** represents the amount of growth during the selected computation period.
[![Illustrates the Orders widget on the summary dashboard.](./media/summary-dashboard/orders-widget.png)](./media/summary-dashboard/orders-widget.png#lightbox)
Note the following:
- For detailed information about your customers, including growth trends, see [Customer Dashboard in commercial marketplace analytics](customer-dashboard.md). - For a list of your download requests over the last 30 days, see [Downloads Dashboard in commercial marketplace analytics](downloads-dashboard.md). - To see a consolidated view of customer feedback for offers on Azure Marketplace and AppSource, see [Ratings & Reviews analytics dashboard in Partner Center](ratings-reviews.md).-- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.yml).
+- For frequently asked questions about commercial marketplace analytics and for a comprehensive dictionary of data terms, see [Commercial marketplace analytics terminology and common questions](./analytics-faq.yml).
media-services Filters Dynamic Manifest Rest Howto https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/filters-dynamic-manifest-rest-howto.md
When delivering your content to customers (streaming Live events or Video on Demand) your client might need more flexibility than what's described in the default asset's manifest file. Azure Media Services enables you to define account filters and asset filters for your content. + For detailed description of this feature and scenarios where it is used, see [Dynamic Manifests](filters-dynamic-manifest-concept.md) and [Filters](filters-concept.md). This topic shows how to define a filter for a Video on Demand asset and use REST APIs to create [Account Filters](/rest/api/media/accountfilters) and [Asset Filters](/rest/api/media/assetfilters).
media-services Media Services Apis Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/media-services-apis-overview.md
[!INCLUDE [media services api v3 logo](./includes/v3-hr.md)]
-As a developer, you can use Media Services [REST API](/rest/api/media/) or client libraries that allow you to interact with the REST API to easily create, manage, and maintain custom media workflows. The [Media Services v3](https://aka.ms/ams-v3-rest-sdk) API is based on the OpenAPI specification (formerly known as a Swagger).
+As a developer, you can use client libraries for (.NET, Python, Node.js, Java, Go, and Ruby) that allow you to interact with the REST API to easily create, manage, and maintain custom media workflows. The [Media Services v3](https://aka.ms/ams-v3-rest-sdk) API is based on the OpenAPI specification (formerly known as a Swagger).
This article discusses rules that apply to entities and APIs when you develop with Media Services v3. + ## Accessing the Azure Media Services API To be authorized to access Media Services resources and the Media Services API, you must first be authenticated. Media Services supports [Azure Active Directory (Azure AD)-based](../../active-directory/fundamentals/active-directory-whatis.md) authentication. Two common authentication options are:
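Review bot: In the rewritten first sentence the parenthesis is misplaced: "client libraries for (.NET, Python, Node.js, Java, Go, and Ruby)" should read "client libraries (for .NET, Python, Node.js, Java, Go, and Ruby)" or simply "client libraries for .NET, Python, ...". The sentence also still says the libraries "interact with the REST API" but the change removes the only link to the REST API reference (`/rest/api/media/`), so readers who do want the raw API are left without a pointer; keep the link on that mention.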
see [Access Azure Media Services API](./access-api-howto.md).
### Samples See the following samples that show how to connect with Azure AD service principal:-
-* [Connect with REST](setup-postman-rest-how-to.md)
-* [Connect with Java](configure-connect-java-howto.md)
* [Connect with .NET](configure-connect-dotnet-howto.md) * [Connect with Node.js](configure-connect-nodejs-howto.md) * [Connect with Python](configure-connect-python-howto.md)
+* [Connect with Java](configure-connect-java-howto.md)
+* [Connect with REST](setup-postman-rest-how-to.md)
## Naming conventions
To get all the needed values, see [Access Azure Media Services API](./access-api
* [Connect to Media Services with Java](configure-connect-java-howto.md) * [Connect to Media Services with .NET](configure-connect-dotnet-howto.md) * [Connect to Media Services with Node.js](configure-connect-nodejs-howto.md)
-* [Connect to Media Services with Python](configure-connect-python-howto.md)
+* [Connect to Media Services with Python](configure-connect-python-howto.md)
media-services Questions Collection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/questions-collection.md
This article gives answers to frequently asked questions about Azure Media Servi
### What are the Azure portal limitations for Media Services v3?
-You can use the [Azure portal](https://portal.azure.com/) to manage v3 live events, view v3 assets and jobs, get info about accessing APIs, encrypt content. <br/>For all other management tasks (for example, managing transforms and jobs or analyzing v3 content), use the [REST API](/rest/api/medi#sdks).
+You can use the [Azure portal](https://portal.azure.com/) to manage v3 live events, view v3 assets and jobs, get info about accessing APIs, encrypt content. <br/>For all other management tasks (for example, managing transforms and jobs or analyzing v3 content), use the [CLI](/cli/azure/ams), or one of the supported client [SDKs](media-services-apis-overview.md#sdks).
If your video was previously uploaded into the Media Services account using Media Services v3 API or the content was generated based on a live output, you will not see the **Encode**, **Analyze**, or **Encrypt** buttons in the Azure portal. Use the Media Services v3 APIs to perform these tasks.
media-services Samples Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/samples-overview.md
This article contains a list of all the samples available for Media Services organized by method and SDK. Samples include .NET, Node.JS (Typescript), Python and Java as well as REST with Postman.
-## REST Postman collection
-
-The [REST Postman](https://github.com/Azure-Samples/media-services-v3-rest-postman) samples includes a Postman environment and collection for you to import into the Postman client. The Postman collection samples are recommended for getting familiar with the API structure and how it works with Azure Resource Management (ARM), as well as the structure of calls from the client SDKs.
-
-For production workloads you should be using the client SDKs that wrap this REST API as they support retry policies defined by the Azure Resource Management gateway. If you choose to implement REST API calls directly you should be aware that there are cases where retries are required to achieve higher SLAs.
- ## Samples by SDK You'll find description and links to the samples you may be looking for in each of the tabs.
You'll find description and links to the samples you may be looking for in each
|[Hello World - list assets](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AMSv3Samples/HelloWorld-ListAssets/list-assets.ts)|Basic example on how to connect and list assets | |[Live streaming](https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/main/AMSv3Samples/Live/index.ts)| Basic live streaming example. **WARNING**, make sure to check that all resources are cleaned up and no longer billing in portal when using live| |[Upload and stream HLS and DASH](https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/main/AMSv3Samples/StreamFilesSample/index.ts)| Basic example for uploading a local file or encoding from a source URL. Sample shows how to use storage SDK to download content, and shows how to stream to a player |
-|[Upload and stream HLS and DASH with Playready and Widevine DRM](https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/main/AMSv3Samples/StreamFilesWithDRMSample/index.ts)| Demonstrates how to encode and stream using Widevine and PlayReady DRM |
+|[Upload and stream HLS and DASH with PlayReady and Widevine DRM](https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/main/AMSv3Samples/StreamFilesWithDRMSample/index.ts)| Demonstrates how to encode and stream using Widevine and PlayReady DRM |
|[Upload and use AI to index videos and audio](https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/main/AMSv3Samples/VideoIndexerSample/index.ts)| Example of using the Video and Audio Analyzer presets to generate metadata and insights from a video or audio file | ## [Python](#tab/python)
You'll find description and links to the samples you may be looking for in each
|[EncodingWithMESPredefinedPreset](https://github.com/Azure-Samples/media-services-v3-java/tree/master/VideoEncoding/EncodingWithMESPredefinedPreset)|How to submit a job using a built-in preset and an HTTP URL input, publish output asset for streaming, and download results for verification.| +
+## REST Postman collection
+
+The [REST Postman](https://github.com/Azure-Samples/media-services-v3-rest-postman) samples includes a Postman environment and collection for you to import into the Postman client. The Postman collection samples are recommended for getting familiar with the API structure and how it works with Azure Resource Management (ARM), as well as the structure of calls from the client SDKs.
+
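Review bot: Moving the "REST Postman collection" section to the end of the article silently drops its second paragraph, the one saying that production workloads should use the client SDKs because they carry the Azure Resource Management retry policies and that direct REST callers must implement retries themselves. That warning now exists only in setup-postman-rest-how-to.md (added in this same commit). Since this is the samples index where readers choose a starting point, keep at least a one-line version of the guidance here, or link to the setup article's note.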
media-services Setup Postman Rest How To https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/setup-postman-rest-how-to.md
[!INCLUDE [media services api v3 logo](./includes/v3-hr.md)]
-This article shows you how to configure **Postman** so it can be used to call Azure Media Services (AMS) REST APIs. The article shows how to import environment and collection files into **Postman**. The collection contains grouped definitions of HTTP requests that call Azure Media Services (AMS) REST APIs. The environment file contains variables that are used by the collection.
+This article shows you how to configure **Postman** so it can be used to call Azure Media Services (AMS) REST APIs. This is provided as a learning tool, and not recommended for production applications. Production applications should use the supported client SDKs, which contain Azure Resource Management retry policies built-in.
++
+The article shows how to import environment and collection files into **Postman**. The collection contains grouped definitions of HTTP requests that call Azure Media Services (AMS) REST APIs. The environment file contains variables that are used by the collection.
Before you start developing, review [Developing with Media Services v3 APIs](media-services-apis-overview.md).
media-services Stream Files Tutorial With Rest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/stream-files-tutorial-with-rest.md
Azure Media Services enables you to encode your media files into formats that can be played on a wide variety of browsers and devices. For example, you might want to stream your content in Apple's HLS or MPEG DASH formats. Before streaming, you should encode your high-quality digital media file. For encoding guidance, see [Encoding concept](encode-concept.md).
-This tutorial shows you how to encode a file based on a URL and stream the video with Azure Media Services using REST.
+This tutorial shows you how to encode a file based on a URL and stream the video with Azure Media Services using REST.
++ ![Play the video](./media/stream-files-tutorial-with-api/final-video.png)
media-services Transform Custom Preset Rest How To https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/transform-custom-preset-rest-how-to.md
When encoding with Azure Media Services, you can get started quickly with one of the recommended built-in presets, based on industry best practices, as demonstrated in the [Streaming files](stream-files-tutorial-with-rest.md#create-a-transform) tutorial. You can also build a custom preset to target your specific scenario or device requirements. ++ ## Considerations When creating custom presets, the following considerations apply:
media-services Transform Generate Thumbnails Rest How To https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/transform-generate-thumbnails-rest-how-to.md
You can use Media Encoder Standard to generate one or more thumbnails from your input video in [JPEG](https://en.wikipedia.org/wiki/JPEG), [PNG](https://en.wikipedia.org/wiki/Portable_Network_Graphics), or [BMP](https://en.wikipedia.org/wiki/BMP_file_format) image file formats. ++ ## Recommended reading and practice It is recommended that you become familiar with custom transforms by reading [How to encode with a custom transform - REST](transform-custom-preset-rest-how-to.md).
media-services Transform Subclip Video Rest How To https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/transform-subclip-video-rest-how-to.md
You can trim or subclip a video when encoding it using a [Job](/rest/api/media/j
The REST example in this topic creates a job that trims a video as it submits an encoding job. ++ ## Prerequisites To complete the steps described in this topic, you have to:
migrate Common Questions Discovery Assessment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/common-questions-discovery-assessment.md
For agent-based dependency visualization:
- Use a [script to install the Dependency agent](../azure-monitor/vm/vminsights-enable-hybrid.md#dependency-agent). - For MMA, [use the command line or automation](../azure-monitor/agents/log-analytics-agent.md#installation-options), or use a [script](https://gallery.technet.microsoft.com/scriptcenter/Install-OMS-Agent-with-2c9c99ab).-- In addition to scripts, you can use deployment tools like Microsoft Endpoint Configuration Manager and [Intigua](https://www.intigua.com/intigua-for-azure-migration) to deploy the agents.
+- In addition to scripts, you can use deployment tools like Microsoft Endpoint Configuration Manager and Intigua to deploy the agents.
## What operating systems does MMA support?
You can [visualize dependencies](./how-to-create-a-group.md#refine-a-group-with-
## Next steps
-Read the [Azure Migrate overview](migrate-services-overview.md).
+Read the [Azure Migrate overview](migrate-services-overview.md).
migrate How To Create Group Machine Dependencies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/how-to-create-group-machine-dependencies.md
To install the agent on a Windows server:
4. In **Agent Setup Options**, select **Azure Log Analytics** > **Next**. 5. Click **Add** to add a new Log Analytics workspace. Paste in the workspace ID and key that you copied from the portal. Click **Next**.
-You can install the agent from the command line or using an automated method such as Configuration Manager or [Intigua](https://www.intigua.com/intigua-for-azure-migration).
+You can install the agent from the command line or using an automated method such as Configuration Manager or Intigua.
- [Learn more](../azure-monitor/agents/log-analytics-agent.md#installation-options) about using these methods to install the MMA agent. - The MMA agent can also be installed using this [script](https://github.com/brianbar-MSFT/Install-MMA). - [Learn more](../azure-monitor/agents/agents-overview.md#supported-operating-systems) about the Windows operating systems supported by MMA.
VMConnection
## Next steps
-[Create an assessment](how-to-create-assessment.md) for a group.
+[Create an assessment](how-to-create-assessment.md) for a group.
mysql Concepts Backup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/concepts-backup.md
The Basic storage is the backend storage supporting [Basic tier servers](concept
Transaction log backups occur every five minutes.
-#### General purpose storage servers with up to 4-TB storage
+#### General purpose storage v1 servers (supports up to 4-TB storage)
The General purpose storage is the backend storage supporting [General Purpose](concepts-pricing-tiers.md) and [Memory Optimized tier](concepts-pricing-tiers.md) server. For servers with general purpose storage up to 4 TB, full backups occur once every week. Differential backups occur twice a day. Transaction log backups occur every five minutes. The backups on general purpose storage up to 4-TB storage are not snapshot-based and consumes IO bandwidth at the time of backup. For large databases (> 1 TB) on 4-TB storage, we recommend you consider - Provisioning more IOPs to account for backup IOs OR - Alternatively, migrate to general purpose storage that supports up to 16-TB storage if the underlying storage infrastructure is available in your preferred [Azure regions](./concepts-pricing-tiers.md#storage). There is no additional cost for general purpose storage that supports up to 16-TB storage. For assistance with migration to 16-TB storage, please open a support ticket from Azure portal.
-#### General purpose storage servers with up to 16-TB storage
+#### General purpose storage v2 servers (supports up to 16-TB storage)
In a subset of [Azure regions](./concepts-pricing-tiers.md#storage), all newly provisioned servers can support general purpose storage up to 16-TB storage. In other words, storage up to 16-TB storage is the default general purpose storage for all the [regions](concepts-pricing-tiers.md#storage) where it is supported. Backups on these 16-TB storage servers are snapshot-based. The first full snapshot backup is scheduled immediately after a server is created. That first full snapshot backup is retained as the server's base backup. Subsequent snapshot backups are differential backups only.
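Review bot: The headings are renamed to "General purpose storage v1 servers" and "General purpose storage v2 servers", but the body text under them is unchanged and still refers only to "general purpose storage up to 4 TB" and "general purpose storage that supports up to 16-TB storage", never to v1 or v2. Introduce the v1/v2 names in the first sentence of each subsection (for example "General purpose storage v1 (up to 4 TB) ...") so the headings and the text use one vocabulary, and readers coming from the pricing-tiers table, which also adopts v1/v2 in this commit, can map the two.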
Differential snapshot backups occur at least once a day. Differential snapshot b
Transaction log backups occur every five minutes.
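Review bot: same terminology drift as the v1 section: the heading now says "v2" but the paragraph never uses that term and keeps referring to "these 16-TB storage servers"; one sentence such as "General purpose storage v2 is available in a subset of Azure regions" would tie the heading to the text. Also "storage up to 16-TB storage is the default" repeats "storage"; and because this paragraph sends readers to concepts-pricing-tiers.md#storage for the region list, confirm that the region list still exists at that anchor after the companion change to that file in this same update.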
+For more information of Basic and General purpose storage, refer [storage documentation](./concepts-pricing-tiers.md#storage).
+ ### Backup retention Backups are retained based on the backup retention period setting on the server. You can select a retention period of 7 to 35 days. The default retention period is 7 days. You can set the retention period during server creation or later by updating the backup configuration using [Azure portal](./howto-restore-server-portal.md#set-backup-configuration) or [Azure CLI](./howto-restore-server-cli.md#set-backup-configuration).
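Review bot: the added cross-reference has grammar issues: "For more information of Basic and General purpose storage, refer [storage documentation]" should read "For more information on Basic and General purpose storage, see the [storage documentation]". The new "### Backup retention" heading also sits on the same line as the paragraph that follows it; the heading must be on its own line with a blank line before and after it, otherwise Markdown renders it as literal text.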
mysql Concepts Pricing Tiers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/mysql/concepts-pricing-tiers.md
Compute resources are provided as vCores, which represent the logical CPU of the
The storage you provision is the amount of storage capacity available to your Azure Database for MySQL server. The storage is used for the database files, temporary files, transaction logs, and the MySQL server logs. The total amount of storage you provision also defines the I/O capacity available to your server.
-| Storage attribute | Basic | General purpose | Memory optimized |
+Azure Database for MySQL ΓÇô Single Server supports the following the backend storage for the servers.
+
+| Storage type | Basic | General purpose v1 | General purpose v2 |
|:|:-|:--|:|
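Review bot: the new intro sentence contains a mis-encoded dash ("ΓÇô" is a UTF-8 en dash decoded as CP437) and a doubled article ("the following the backend storage"); it should read "Azure Database for MySQL - Single Server supports the following backend storage for the servers." Changing the third column header from "Memory optimized" to "General purpose v2" also drops the tier-to-storage mapping from the table itself; since Memory Optimized tier servers use general purpose storage too, a short sentence above the table saying so would keep readers who stop at the table from concluding that tier is unsupported.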
-| Storage type | Basic Storage | General Purpose Storage | General Purpose Storage |
-| Storage size | 5 GB to 1 TB | 5 GB to 16 TB | 5 GB to 16 TB |
+| Storage size | 5 GB to 1 TB | 5 GB to 4 TB | 5 GB to 16 TB |
| Storage increment size | 1 GB | 1 GB | 1 GB |
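Review bot: the delimiter row "|:|:-|:--|:|" has two cells that contain only a colon; GFM requires at least one hyphen in every delimiter cell, so as written the table may not render; use "|:---|:---|:---|:---|". The "Storage size" change to "5 GB to 4 TB" for v1 is consistent with the v1 section added below.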
-| IOPS | Variable |3 IOPS/GB<br/>Min 100 IOPS<br/>Max 20,000 IOPS | 3 IOPS/GB<br/>Min 100 IOPS<br/>Max 20,000 IOPS |
-
-> [!NOTE]
-> Storage up to 16TB and 20,000 IOPS is supported in the following regions: East US, East US 2, Central US, Brazil South, West US, North Central US, South Central US, North Europe, West Europe, UK South, UK West, Southeast Asia, East Asia, Japan East, Japan West, Korea Central, Korea South, Australia East, Australia South East, West US 2, West Central US, Canada East, and Canada Central.
->
-> All other regions support up to 4TB of storage and up to 6000 IOPS.
->
+| IOPS | Variable |3 IOPS/GB<br/>Min 100 IOPS<br/>Max 6000 IOPS | 3 IOPS/GB<br/>Min 100 IOPS<br/>Max 20,000 IOPS |
+>[!NOTE]
+> Basic storage does not provide an IOPS guarantee. In General Purpose storage, the IOPS scale with the provisioned storage size in a 3:1 ratio.
+
+### Basic storage
+Basic storage is the backend storage supporting Basic pricing tier servers. Basic storage leverages Azure standard storage in the backend where iops provisioned are not guaranteed and latency is variable. Basic tier is best suited for workloads that require light compute, low cost and I/O performance for development or small-scale infrequently used applications.
+
+### General purpose storage
+General purpose storage is the backend storage supporting General Purpose and Memory Optimized tier server. In General Purpose storage, the IOPS scale with the provisioned storage size in a 3:1 ratio. There are two generations of general purpose storage as described below:
+
+#### General purpose storage v1 (Supports up to 4-TB)
+General purpose storage v1 is based on the legacy storage technology which can support up to 4-TB storage and 6000 IOPs per server. General purpose storage v1 is optimized to leverage memory from the compute nodes running MySQL engine for local caching and backups. The backup process on general purpose storage v1 reads from the data and log files in the memory of the compute nodes and copies it to the target backup storage for retention up to 35 days. As a result, the memory and io consumption of storage during backups is relatively higher.
+
+All Azure regions supports General purpose storage v1
+
+For General Purpose or Memory Optimized server on general purpose storage v1, we recommend you consider
+
+* Plan for compute sku tier accounting for 10-30% excess memory for storage caching and backup buffers
+* Provision 10% higher IOPs than required by
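Review bot: the removed NOTE was the only place that listed which regions support 16 TB and 20,000 IOPS, and the visible added text only states "All Azure regions supports General purpose storage v1" with nothing about where v2 is available; concepts-backup.md in this same update still links to concepts-pricing-tiers.md#storage for "a subset of Azure regions", so either restate the v2 region list under the v2 heading or fix that cross-reference. Smaller points in the added lines: ">[!NOTE]" needs a space after ">" and a blank line between the table's last row and the note, as the removed version had; "Max 6000 IOPS" and "Max 20,000 IOPS" should use the same thousands formatting; "iops" and "IOPs" should be "IOPS" throughout; "All Azure regions supports General purpose storage v1" should be "All Azure regions support general purpose storage v1." with a period; "Memory Optimized tier server" should be plural; "copies it to the target backup storage" should be "copies them"; "memory and io consumption" should be "I/O"; "compute sku tier" should be "SKU"; "we recommend you consider" needs a colon before the list; and "light compute, low cost and I/O performance" is ambiguous about whether low I/O performance is meant. The note's statement that IOPS scale 3:1 with storage is repeated verbatim in the "General purpose storage" section; keep it in one place.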