Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory-b2c | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/overview.md | Use Azure AD B2C to facilitate identity verification and proofing by collecting :::image type="content" source="./media/overview/scenario-idproofing.png" alt-text="A diagram showing the user flow for third-party identity proofing."::: -You have learned some of the things you can do with Azure AD B2C as your business-to-customer identity platform. The following sections of this overview walk you through a demo application that uses Azure AD B2C. You're also welcome to move on directly to a more in-depth [technical overview of Azure AD B2C](technical-overview.md). --## Example: WoodGrove Groceries --[WoodGrove Groceries][woodgrove] is a live web application created by Microsoft to demonstrate several Azure AD B2C features. The next few sections review some of the authentication options provided by Azure AD B2C to the WoodGrove website. --### Business overview --WoodGrove is an online grocery store that sells groceries to both individual consumers and business customers. Their business customers buy groceries on behalf of their company, or businesses that they manage. --### Sign-in options --WoodGrove Groceries offers several sign-in options based on the relationship their customers have with the store: --* **Individual** customers can sign-up or sign in with individual accounts, such as with a social identity provider or an email address and password. -* **Business** customers can sign-up or sign in with their enterprise credentials. -* **Partners** and suppliers are individuals who supply the grocery store with products to sell. Partner identity is provided by [Azure Active Directory B2B](../active-directory/external-identities/what-is-b2b.md). -- --### Authenticate individual customers --When a customer selects **Sign in with your personal account**, they're redirected to a customized sign-in page hosted by Azure AD B2C. 
You can see in the following image that we've customized the user interface (UI) to look and feel just like the WoodGrove Groceries website. WoodGrove's customers should be unaware that the authentication experience is hosted and secured by Azure AD B2C. -- --WoodGrove allows their customers to sign-up and sign in by using their Google, Facebook, or Microsoft accounts as their identity provider. Or, they can sign-up by using their email address and a password to create what's called a *local account*. --When a customer selects **Sign-up with your personal account** and then **Sign-up now**, they're presented with a custom sign-up page. -- --After entering an email address and selecting **Send verification code**, Azure AD B2C sends them the code. Once they enter their code, select **Verify code**, and then enter the other information on the form, they must also agree to the terms of service. --Clicking the **Create** button causes Azure AD B2C to redirect the user back to the WoodGrove Groceries website. When it redirects, Azure AD B2C passes an OpenID Connect authentication token to the WoodGrove web application. The user is now signed-in and ready to go, their display name shown in the top-right corner to indicate they're signed in. -- --### Authenticate business customers --When a customer selects one of the options under **Business customers**, the WoodGrove Groceries website invokes a different Azure AD *B2C policy* than it does for individual customers. You learn what a *B2C policy* is in [technical overview of Azure AD B2C](technical-overview.md) --This policy presents the user with an option to use their corporate credentials for sign-up and sign-in. In the WoodGrove example, users are prompted to sign in with any work or school account. 
This policy uses a [multi-tenant Azure AD application](../active-directory/develop/howto-convert-app-to-be-multi-tenant.md) and the `/common` Azure AD endpoint to federate Azure AD B2C with any Microsoft 365 customer in the world. --### Authenticate partners --The **Sign in with your supplier account** link uses Azure Active Directory B2B's collaboration functionality. Azure AD B2B is a family of features in Azure Active Directory to manage partner identities. Those identities can be federated from Azure Active Directory for access into Azure AD B2C-protected applications. --Learn more about Azure AD B2B in [What is guest user access in Azure Active Directory B2B?](../active-directory/external-identities/what-is-b2b.md). --<!-- UNCOMMENT WHEN REPO IS UPDATED WITH LATEST DEMO CODE -### Sample code --If you'd like to jump right into the code to see how the WoodGrove Groceries application is built, you can find the repository on GitHub: --[Azure-Samples/active-directory-external-identities-woodgrove-demo][woodgrove-repo] (GitHub) >+You have learned some of the things you can do with Azure AD B2C as your business-to-customer identity platform. You may now move on directly to a more in-depth [technical overview of Azure AD B2C](technical-overview.md). ## Next steps Now that you have an idea of what Azure AD B2C is and some of the scenarios it c > [!div class="nextstepaction"] > [Azure AD B2C technical overview >](technical-overview.md) -<!-- LINKS - External --> -[woodgrove]: https://aka.ms/ciamdemo -[woodgrove-repo]: https://github.com/Azure-Samples/active-directory-external-identities-woodgrove-demo + |
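Review bot: the added closing sentence (`+You have learned some of the things you can do with Azure AD B2C ... You may now move on directly to a more in-depth [technical overview of Azure AD B2C](technical-overview.md).`) duplicates the `## Next steps` block that immediately follows it and links the same technical-overview.md; keep a single pointer, preferably the Next steps action. Two follow-ups on the removal: the reference-style definitions `[woodgrove]: https://aka.ms/ciamdemo` and `[woodgrove-repo]: ...` are deleted, so confirm no other `[woodgrove]` or `[woodgrove-repo]` use survives in the file, or it will render as literal bracketed text; and the deleted WoodGrove section was the only place this overview said the business-customer policy federates through a multi-tenant app and the `/common` endpoint, which is the setup where an app must check the issuer/tenant of the tokens it accepts, so make sure technical-overview.md still carries that point before dropping it here.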
active-directory-b2c | Publish App To Azure Ad App Gallery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/publish-app-to-azure-ad-app-gallery.md | To allow employees and consumers from any Azure AD tenant to sign in by using Az In your app, copy the URL of the sign-in endpoint. If you use the [web application sample](configure-authentication-sample-web-app.md), the sign-in URL is `https://localhost:5001/MicrosoftIdentity/Account/SignIn?`. This URL is where the Azure AD app gallery takes users to sign in to your app. -In production environments, the app registration redirect URI is ordinarily a publicly accessible endpoint where your app is running, such as `https://woodgrovedemo.com/Account/SignIn`. The reply URL must begin with `https`. +In production environments, the app registration redirect URI is ordinarily a publicly accessible endpoint where your app is running. The reply URL must begin with `https`. ## Step 4: Publish your Azure AD B2C app |
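Review bot: removing `https://woodgrovedemo.com/Account/SignIn` leaves the production redirect URI sentence with no illustration at all; if the problem was naming a real domain, substitute a reserved documentation domain (for example `https://www.example.com/Account/SignIn`) instead of deleting the example. Separately, the unchanged sample sign-in URL `https://localhost:5001/MicrosoftIdentity/Account/SignIn?` ends in a stray `?`; confirm that is intentional, because readers copy these values into fields that are matched exactly.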
active-directory-b2c | Technical Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/technical-overview.md | In Azure AD B2C, you can craft your users' identity experiences so that the page > [!NOTE] > Customizing the pages rendered by third parties when using social accounts is limited to the options provided by that identity provider, and are outside the control of Azure AD B2C. - For information on UI customization, see: * [Customize the user interface](customize-ui.md) For information on UI customization, see: ## Custom domain -You can customize your Azure AD B2C domain in the redirect URIs for your application. Custom domain allows you to create a seamless experience so that the pages that are shown blend seamlessly with the domain name of your application. ---From the user's perspective, they remain in your domain during the sign-in process rather than redirecting to the Azure AD B2C default domain .b2clogin.com. +You can customize your Azure AD B2C domain in the redirect URIs for your application. Custom domain allows you to create a seamless experience so that the pages that are shown blend seamlessly with the domain name of your application. From the user's perspective, they remain in your domain during the sign-in process rather than redirecting to the Azure AD B2C default domain .b2clogin.com. For more information, see [Enable custom domains](custom-domain.md). |
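Review bot: the merged paragraph still opens with `You can customize your Azure AD B2C domain in the redirect URIs for your application`, which reads as though the custom domain is put into the app's OAuth redirect URI; what the feature changes is the host of the Azure AD B2C endpoints the app sends users to (the `.b2clogin.com` host the next sentence names), so reword to say the authorization endpoint URL uses your domain. While touching the note just above: `Customizing the pages rendered by third parties ... is limited to the options provided by that identity provider, and are outside the control of Azure AD B2C` switches from `is` to `are` for the same subject.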
active-directory-b2c | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/whats-new-docs.md | +## June 2023 ++### New articles ++- [Microsoft Azure Active Directory B2C external identity video series](external-identities-videos.md) +- [Manage directory size quota of your Azure Active Directory B2C tenant](tenant-management-directory-quota.md) ++### Updated articles ++- [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md) - [Azure AD B2C] Azure AD B2C Go-Local opt-in feature +- [Tutorial: Configure security analytics for Azure Active Directory B2C data with Microsoft Sentinel](configure-security-analytics-sentinel.md) - Removing product name from filename and links. Exempt from Acrolinx by prior arrangement +- [Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall](partner-web-application-firewall.md) - Removing product name from filename and links. Exempt from Acrolinx by prior arrangement +- [Title not found in: #240919](azure-ad-external-identities-videos.md) - Delete azure-ad-external-identities-videos.md +- [Build a global identity solution with funnel-based approach](b2c-global-identity-funnel-based-design.md) - Removing product name from filename and links. Exempt from Acrolinx by prior arrangement +- [Azure Active Directory B2C global identity framework proof of concept for funnel-based configuration](b2c-global-identity-proof-of-concept-funnel.md) - Removing product name from filename and links. Exempt from Acrolinx by prior arrangement +- [Azure Active Directory B2C global identity framework proof of concept for region-based configuration](b2c-global-identity-proof-of-concept-regional.md) - Removing product name from filename and links. Exempt from Acrolinx by prior arrangement +- [Build a global identity solution with region-based approach](b2c-global-identity-region-based-design.md) - Removing product name from filename and links. 
Exempt from Acrolinx by prior arrangement +- [Azure Active Directory B2C global identity framework](b2c-global-identity-solutions.md) - Removing product name from filename and links. Exempt from Acrolinx by prior arrangement +- [Azure Active Directory B2C: What's new](whats-new-docs.md) - [Azure AD B2C] What is new May 2023 +- [Use the Azure portal to create and delete consumer users in Azure AD B2C](manage-users-portal.md) - [Azure AD B2C] Revoke user's session +- [Monitor Azure AD B2C with Azure Monitor](azure-monitor.md) - Added steps to disable Azure monitor + ## May 2023 ### New articles Welcome to what's new in Azure Active Directory B2C documentation. This article - [Configure Transmit Security with Azure Active Directory B2C for passwordless authentication](partner-bindid.md) - Update partner-bindid.md - [Tutorial: Enable secure hybrid access for applications with Azure Active Directory B2C and F5 BIG-IP](partner-f5.md) - Update partner-f5.md -## March 2023 --### Updated articles --- [Configure SAML identity provider options with Azure Active Directory B2C](identity-provider-generic-saml-options.md)-- [Tutorial: Configure BioCatch with Azure Active Directory B2C](partner-biocatch.md)-- [Tutorial: Configure Nok Nok Passport with Azure Active Directory B2C for passwordless FIDO2 authentication](partner-nok-nok.md)-- [Pass an identity provider access token to your application in Azure Active Directory B2C](idp-pass-through-user-flow.md)-- [Tutorial: Configure Haventec Authenticate with Azure Active Directory B2C for single-step, multi-factor passwordless authentication](partner-haventec.md)-- [Configure Trusona Authentication Cloud with Azure Active Directory B2C](partner-trusona.md)-- [Tutorial: Configure IDEMIA Mobile ID with Azure Active Directory B2C](partner-idemia.md)-- [Configure Azure Active Directory B2C with Bluink eID-Me for identity verification](partner-eid-me.md)-- [Tutorial: Configure Azure Active Directory B2C with BlokSec for passwordless 
authentication](partner-bloksec.md)-- [Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall](partner-web-application-firewall.md)-- [Tutorial to configure Saviynt with Azure Active Directory B2C](partner-saviynt.md)-- [Tutorial: Configure Keyless with Azure Active Directory B2C](partner-keyless.md)-- [Tutorial: Configure security analytics for Azure Active Directory B2C data with Microsoft Sentinel](configure-security-analytics-sentinel.md)-- [Configure authentication in a sample Python web app by using Azure AD B2C](configure-authentication-sample-python-web-app.md)-- [Billing model for Azure Active Directory B2C](billing.md)-- [Azure Active Directory B2C: Region availability & data residency](data-residency.md)-- ['Azure AD B2C: Frequently asked questions (FAQ)'](faq.yml)-- [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md)- -## February 2023 --### Updated articles --- [Azure Active Directory B2C code samples](integrate-with-app-code-samples.md)-- [JSON claims transformations](json-transformations.md)-- [Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C](identity-provider-azure-ad-single-tenant.md)-- [Page layout versions](page-layout.md) |
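Review bot: the June 2023 list contains `[Title not found in: #240919](azure-ad-external-identities-videos.md) - Delete azure-ad-external-identities-videos.md`, a generator placeholder that links to a file the same change deletes and will ship as a broken link; drop that entry, since the replacement article is already listed under New articles as external-identities-videos.md. The suffix `Removing product name from filename and links. Exempt from Acrolinx by prior arrangement`, repeated on seven entries, is internal commit-message text rather than a reader-facing description of what changed; trim those entries to the article title or a one-line summary of the edit.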
active-directory | How To Mfa Server Migration Utility | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-server-migration-utility.md | The **Settings** option allows you to change the settings for the migration proc :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/settings.png" alt-text="Screenshot of settings."::: -- Migrate ΓÇô This setting allows you to specify which method(s) should be migrated for the selection of users+- Migrate ΓÇô there are three options for migrating the user's default authentication method: + - Always migrate + - Only migrate if not already set in Azure AD + - Set to the most secure method available if not already set in Azure AD + + These options provide flexibility when you migrate the default method. In addition, the Authentication methods policy is checked during migration. If the default method being migrated isn't allowed by policy, it's set to the most secure method available instead. + - User Match ΓÇô Allows you to specify a different on-premises Active Directory attribute for matching Azure AD UPN instead of the default match to userPrincipalName: - The migration utility tries direct matching to UPN before using the on-premises Active Directory attribute. - If no match is found, it calls a Windows API to find the Azure AD UPN and get the SID, which it uses to search the MFA Server user list. |
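Review bot: the new Migrate options say the default is set to `the most secure method available` both for the third option and whenever `the default method being migrated isn't allowed by policy`, but nothing states which ordering decides "most secure", nor that `Only migrate if not already set in Azure AD` leaves an existing Azure AD default untouched; add a sentence (or a link to the Authentication methods policy ranking) so an admin can predict what each user ends up with after migration. Also, both the removed and the added line carry `ΓÇô` where an en dash is meant; check the file is saved as UTF-8 before merging.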
active-directory | Certificate Credentials | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/certificate-credentials.md | Client assertions can be used anywhere a client secret would be used. For exampl The [MSAL.NET library handles this scenario](msal-net-client-assertions.md) in a single line of code. -The [.NET Core daemon console application using Microsoft identity platform](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2) code sample on GitHub shows how an application uses its own credentials for authentication. It also shows how you can [create a self-signed certificate](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph#optional-use-the-automation-script) using the `New-SelfSignedCertificate` PowerShell cmdlet. You can also use the [app creation scripts](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/blob/master/1-Call-MSGraph/AppCreationScripts-withCert/AppCreationScripts.md) in the sample repo to create certificates, compute the thumbprint, and so on. +The [.NET Core daemon console application using Microsoft identity platform](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2) code sample on GitHub shows how an application uses its own credentials for authentication. It also shows how you can [create a self-signed certificate](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph#optional-use-the-automation-script) using the `New-SelfSignedCertificate` PowerShell cmdlet. You can also use the [app creation scripts](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/blob/master/1-Call-MSGraph/AppCreationScripts/AppCreationScripts.md) in the sample repo to create certificates, compute the thumbprint, and so on. |
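Review bot: the link target moves from `AppCreationScripts-withCert/AppCreationScripts.md` to `AppCreationScripts/AppCreationScripts.md`, yet the sentence still promises that the scripts `create certificates, compute the thumbprint, and so on`; verify the README in the non-`withCert` folder actually documents certificate creation, otherwise the claim goes stale with this change. The same paragraph presents `New-SelfSignedCertificate` without qualification; a short caveat that a self-signed certificate is for development and that production client credentials should be issued by a CA, with the private key kept out of source control, would fit here.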
active-directory | Sample V2 Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/sample-v2-code.md | These samples show how to write a single-page application secured with Microsoft > | - | -- | - | -- | > | Angular | • [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>• [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>• [Call .NET Core web API](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/3-Authorization-II/1-call-api)<br/>• [Call .NET Core web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/3-Authorization-II/2-call-api-b2c)<br/>• [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/blob/main/6-AdvancedScenarios/1-call-api-obo/README.md)<br/>• [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/5-AccessControl/1-call-api-roles/README.md)<br/> • [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/5-AccessControl/2-call-api-groups/README.md)<br/>• [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/4-Deployment/README.md)| [MSAL Angular](/javascript/api/@azure/msal-angular/) | • Authorization code with PKCE<br/>• On-behalf-of (OBO) <br/>• Continuous Access Evaluation (CAE) | > | Blazor WebAssembly | • [Sign in users](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/WebApp-OIDC/MyOrg/README.md)<br/>• [Sign in users 
(B2C)](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/WebApp-OIDC/B2C/README.md)<br/>• [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/WebApp-graph-user/Call-MSGraph/README.md)<br/>• [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/Deploy-to-Azure/README.md) | [MSAL.js](/javascript/api/overview/msal-overview) | Implicit Flow |-> | JavaScript | • [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>• [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>• [Call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/1-call-api/README.md)<br/>• [Call Node.js web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/2-call-api-b2c/README.md)<br/>• [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/1-call-api-graph/README.md)<br/>• [Call Node.js web API via OBO and CA](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/2-call-api-api-c)| [MSAL.js](/javascript/api/overview/msal-overview) | • Authorization code with PKCE<br/>• On-behalf-of (OBO) <br/>• Conditional Access | -> | React | • [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>• [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md)<br/>• [Sign-in users on both server and client side 
apps](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/6-AdvancedScenarios/4-sign-in-hybrid/README.md)<br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>• [Call Azure REST API and Azure Storage](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/2-call-arm)<br/>• [Call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/1-call-api)<br/>• [Call Node.js web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/2-call-api-b2c)<br/>• [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/6-AdvancedScenarios/1-call-api-obo/README.md)<br/>• [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/1-call-api-roles/README.md)<br/>• [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/2-call-api-groups/README.md)<br/>• [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/4-Deployment/1-deploy-storage/README.md)<br/>• [Deploy to Azure Static Web Apps](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/4-Deployment/2-deploy-static/README.md)<br/>• [Use step-up authentication to call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/6-AdvancedScenarios/3-call-api-acrs/README.md)| [MSAL React](/javascript/api/@azure/msal-react) | • Authorization code with PKCE<br/>• On-behalf-of (OBO) <br/>• Conditional Access (CA) <br/>• Conditional Access Auth Context (acrs) <br/>• Continuous Access Evaluation (CAE) | +> | 
JavaScript | • [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>• [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>• [Call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/1-call-api/README.md)<br/>• [Call Node.js web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/2-call-api-b2c/README.md) <br/>• [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-Deployment/README.md) | [MSAL.js](/javascript/api/overview/msal-overview) | • Authorization code with PKCE<br/>• | +> | React | • [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>• [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md)<br/>• [Sign-in users on both server and client side apps](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/6-AdvancedScenarios/4-sign-in-hybrid/README.md)<br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>• [Call Azure REST API and Azure Storage](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/2-call-arm)<br/>• [Call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/1-call-api)<br/>• [Call Node.js web API 
(B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/2-call-api-b2c)<br/>• [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/6-AdvancedScenarios/1-call-api-obo/README.md)<br/>• [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/1-call-api-roles/README.md)<br/>• [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/2-call-api-groups/README.md)<br/>• [Deploy to Azure Static Web Apps](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/4-Deployment/2-deploy-static/README.md)<br/>• [Use step-up authentication to call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/6-AdvancedScenarios/3-call-api-acrs/README.md)| [MSAL React](/javascript/api/@azure/msal-react) | • Authorization code with PKCE<br/>• On-behalf-of (OBO) <br/>• Conditional Access (CA) <br/>• Conditional Access Auth Context (acrs) <br/>• Continuous Access Evaluation (CAE) | ### Web applications The following samples illustrate web applications that sign in users. 
Some sampl > | ASP.NET | • [Microsoft Graph Training Sample](https://github.com/microsoftgraph/msgraph-training-aspnetmvcapp) <br/> • [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect) <br/> • [Sign in users and call Microsoft Graph with admin restricted scope](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2) <br/> • [Quickstart: Sign in users](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet) | [MSAL.NET](/entra/msal/dotnet) | • OpenID connect <br/> • Authorization code | > | Java </p> Spring |Azure AD Spring Boot Starter Series <br/> • [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/1-Authentication/sign-in) <br/> • [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/1-Authentication/sign-in-b2c) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/2-Authorization-I/call-graph) <br/> • [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/roles) <br/> • [Use Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/groups) <br/> • [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/4-Deployment/deploy-to-azure-app-service) <br/> • [Protect a web API](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/protect-web-api) | • [MSAL 
Java](/java/api/com.microsoft.aad.msal4j) <br/> • Azure AD Boot Starter | Authorization code | > | Java </p> Servlets | Spring-less Servlet Series <br/> • [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in) <br/> • [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in-b2c) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/2-Authorization-I/call-graph) <br/> • [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/3-Authorization-II/roles) <br/> • [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/3-Authorization-II/groups) <br/> • [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/4-Deployment/deploy-to-azure-app-service) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Authorization code |-> | Node.js </p> Express | Express web app series <br/> • [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/1-Authentication/1-sign-in/README.md)<br/> • [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/1-Authentication/2-sign-in-b2c/README.md)<br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/2-Authorization/1-call-graph/README.md) <br/> • [Call Microsoft Graph via BFF proxy](https://github.com/Azure-Samples/ms-identity-node) <br/> • [Deploy to Azure App 
Service](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/3-Deployment/README.md)<br/> • [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/4-AccessControl/1-app-roles/README.md)<br/> • [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/4-AccessControl/2-security-groups/README.md) | [MSAL Node](/javascript/api/@azure/msal-node) | • Authorization code <br/>• Backend-for-Frontend (BFF) proxy | +> | Node.js </p> Express | Express web app series <br/> • [Quickstart: sign in users](https://github.com/Azure-Samples/ms-identity-node/blob/main/README.md)<br/> • [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/1-Authentication/1-sign-in/README.md)<br/> • [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/1-Authentication/2-sign-in-b2c/README.md)<br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/2-Authorization/1-call-graph/README.md) <br/> • [Call Microsoft Graph via BFF proxy](https://github.com/Azure-Samples/ms-identity-node) <br/> • [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/3-Deployment/README.md)<br/> • [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/4-AccessControl/1-app-roles/README.md)<br/> • [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/4-AccessControl/2-security-groups/README.md) | [MSAL Node](/javascript/api/@azure/msal-node) | • Authorization code <br/>• Backend-for-Frontend (BFF) proxy | > | Python </p> Flask | Flask Series <br/> • [Sign in users](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/> • 
[Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/>• [A template to sign in AAD or B2C users, and optionally call a downstream API (Microsoft Graph)](https://github.com/Azure-Samples/ms-identity-python-webapp) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/> • [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) | [MSAL Python](/python/api/msal/overview-msal) | Authorization code | > | Python </p> Django | Django Series <br/> • [Sign in users](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/1-Authentication/sign-in) <br/> • [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/1-Authentication/sign-in-b2c) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/2-Authorization-I/call-graph) <br/> • [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/3-Deployment/deploy-to-azure-app-service)| [MSAL Python](/python/api/msal/overview-msal) | Authorization code | > | Ruby | Graph Training <br/> • [Sign in users and call Microsoft Graph](https://github.com/microsoftgraph/msgraph-training-rubyrailsapp) | OmniAuth OAuth2 | Authorization code | The following samples show how to protect an Azure Function using HttpTrigger an > | Language/<br/>Platform | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow | > | -- | -- |-- |-- | > | .NET | [.NET Azure function web API secured by Azure AD](https://github.com/Azure-Samples/ms-identity-dotnet-webapi-azurefunctions) | [MSAL.NET](/entra/msal/dotnet) | Authorization code |-> | Node.js | [Node.js Azure function web API secured by Azure AD](https://github.com/Azure-Samples/ms-identity-nodejs-webapi-azurefunctions) | [MSAL Node](/javascript/api/@azure/msal-node) | Authorization bearer | -> | Node.js 
| [Call Microsoft Graph API on behalf of a user](https://github.com/Azure-Samples/ms-identity-nodejs-webapi-onbehalfof-azurefunctions) | [MSAL Node](/javascript/api/@azure/msal-node) | On-Behalf-Of (OBO)| > | Python | [Python Azure function web API secured by Azure AD](https://github.com/Azure-Samples/ms-identity-python-webapi-azurefunctions) | [MSAL Python](/python/api/msal/overview-msal) | Authorization code | ### Browserless (Headless) The following samples show how to build applications for the JavaScript language > | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow | > | -- | -- |-- |-- |-> | Single-page application | • [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>• [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>• [Call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/1-call-api/README.md)<br/>• [Call Node.js web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/2-call-api-b2c/README.md)<br/>• [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/1-call-api-graph/README.md)<br/>• [Call Node.js web API via OBO and CA](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/2-call-api-api-c)| [MSAL.js](/javascript/api/overview/msal-overview) | • Authorization code with PKCE<br/>• On-behalf-of (OBO) <br/>• Conditional Access | +> | Single-page application | • [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>• 
[Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>• [Call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/1-call-api/README.md)<br/>• [Call Node.js web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/2-call-api-b2c/README.md) <br/>• [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-Deployment/README.md)| [MSAL.js](/javascript/api/overview/msal-overview) | • Authorization code with PKCE<br/>• On-behalf-of (OBO) <br/>• Conditional Access | #### Angular The following samples show how to build applications for the JavaScript language > | -- | -- |-- |-- | > | Web API | • [Protect a Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/1-call-api) <br/> • [Protect a Node.js Web API with Azure AD B2C](https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi) | [MSAL Node](/javascript/api/@azure/msal-node) | Authorization bearer | > | Desktop | [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-desktop) | [MSAL Node](/javascript/api/@azure/msal-node) | Authorization code with PKCE |-> | Azure Functions as web APIs | [Node.js Azure function web API secured by Azure AD](https://github.com/Azure-Samples/ms-identity-nodejs-webapi-azurefunctions) | [MSAL Node](/javascript/api/@azure/msal-node) | Authorization bearer | -> | Azure Functions as web APIs | [Call Microsoft Graph API on behalf of a user](https://github.com/Azure-Samples/ms-identity-nodejs-webapi-onbehalfof-azurefunctions) | [MSAL Node](/javascript/api/@azure/msal-node) | On-Behalf-Of (OBO) 
| > | Service, daemon | [Call Microsoft Graph with secret](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-console) | [MSAL Node](/javascript/api/@azure/msal-node) | Client credentials grant | > | Microsoft Teams applications | [Teams Tab app: single sign-on (SSO) and call Microsoft Graph](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-sso/nodejs) | [MSAL Node](/javascript/api/@azure/msal-node) | On-Behalf-Of (OBO) | The following samples show how to build applications for the JavaScript language > [!div class="mx-tdCol2BreakAll"] > | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow | > | -- | -- |-- |-- |-> | Single-page application | • [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>• [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md)<br/>• [Sign-in users on both server and client side apps](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/6-AdvancedScenarios/4-sign-in-hybrid/README.md)<br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>• [Call Azure REST API and Azure Storage](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/2-call-arm)<br/>• [Call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/1-call-api)<br/>• [Call Node.js web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/2-call-api-b2c)<br/>• [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/6-AdvancedScenarios/1-call-api-obo/README.md)<br/>• [Use App Roles for access 
control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/1-call-api-roles/README.md)<br/>• [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/2-call-api-groups/README.md)<br/>• [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/4-Deployment/1-deploy-storage/README.md)<br/>• [Deploy to Azure Static Web Apps](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/4-Deployment/2-deploy-static/README.md)<br/>• [Use step-up authentication to call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/6-AdvancedScenarios/3-call-api-acrs/README.md)| [MSAL React](/javascript/api/@azure/msal-react) | • Authorization code with PKCE<br/>• On-behalf-of (OBO) <br/>• Conditional Access (CA) <br/>• Conditional Access Auth Context (acrs) <br/>• Continuous Access Evaluation (CAE) | +> | Single-page application | • [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>• [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md)<br/>• [Sign-in users on both server and client side apps](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/6-AdvancedScenarios/4-sign-in-hybrid/README.md)<br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>• [Call Azure REST API and Azure Storage](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/2-call-arm)<br/>• [Call Node.js web 
API](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/1-call-api)<br/>• [Call Node.js web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/2-call-api-b2c)<br/>• [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/6-AdvancedScenarios/1-call-api-obo/README.md)<br/>• [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/1-call-api-roles/README.md)<br/>• [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/2-call-api-groups/README.md)<br/>• [Deploy to Azure Static Web Apps](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/4-Deployment/2-deploy-static/README.md)<br/>• [Use step-up authentication to call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/6-AdvancedScenarios/3-call-api-acrs/README.md)| [MSAL React](/javascript/api/@azure/msal-react) | • Authorization code with PKCE<br/>• On-behalf-of (OBO) <br/>• Conditional Access (CA) <br/>• Conditional Access Auth Context (acrs) <br/>• Continuous Access Evaluation (CAE) | ### Java The following samples show how to build applications with Kotlin. > | -- | -- |-- |-- | > | Mobile | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-android-kotlin) | [MSAL Android](https://github.com/AzureAD/microsoft-authentication-library-for-android) | Authorization code with PKCE | -### PowerShell --The following samples show how to build applications with PowerShell. 
--> [!div class="mx-tdCol2BreakAll"] -> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow | -> | -- | -- |-- |-- | -> | Desktop | [Call Microsoft Graph by signing in users using username/password](https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2) | [MSAL.NET](/entra/msal/dotnet) | Resource owner password credentials | - ### Ruby The following samples show how to build applications with Ruby. The following samples show how to build applications with Ruby. > | -- | -- |-- |-- | > | Web application | Graph Training <br/> • [Sign in users and call Microsoft Graph](https://github.com/microsoftgraph/msgraph-training-rubyrailsapp) | OmniAuth OAuth2 | Authorization code | -### XAML --The following samples show how to build applications with XAML. --> [!div class="mx-tdCol2BreakAll"] -> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow | -> | -- | -- |-- |-- | -> | Desktop | • [Sign in users and call ASP.NET Core web API](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/1.%20Desktop%20app%20calls%20Web%20API) <br/> • [Sign in users and call Microsoft Graph](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2) | [MSAL.NET](/entra/msal/dotnet) | Authorization code with PKCE | - ### Universal Windows Platform (UWP) The following samples show how to build applications with Universal Windows Platform (UWP). 
The following samples show how to build applications with Windows Presentation F > | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow | > | -- | -- |-- |-- | > | Desktop | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph) | [MSAL.NET](/entra/msal/dotnet) | Authorization code with PKCE |+> | Desktop | • [Sign in users and call ASP.NET Core web API](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/1.%20Desktop%20app%20calls%20Web%20API) <br/> • [Sign in users and call Microsoft Graph](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2) | [MSAL.NET](/entra/msal/dotnet) | Authorization code with PKCE | |
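Review bot: in the replacement "Single-page application" row of the JavaScript table, the Auth flow column still lists "On-behalf-of (OBO)" and "Conditional Access" even though the two samples that exercised those flows ("Call Microsoft Graph via OBO" and "Call Node.js web API via OBO and CA") are dropped from the new row and "Deploy to Azure Storage and App Service" is added in their place. Trim the flow list to "Authorization code with PKCE" so it matches the samples that remain, or keep the OBO/CA sample links if they are still meant to be listed.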
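Review bot: the Windows Presentation Foundation table ends up with two "Desktop" rows: the existing row that links "Sign in users and call Microsoft Graph" to `active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph` is kept, and the row moved here from the deleted XAML section adds a second "Sign in users and call Microsoft Graph" entry that points at `active-directory-dotnet-desktop-msgraph-v2`. The same label now appears twice with different targets in one table; either remove the old row or merge the links into a single Desktop row.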
active-directory | Scenario Spa App Registration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-spa-app-registration.md | You've now completed the registration of your single-page application (SPA) and Follow the [tutorial](tutorial-v2-javascript-auth-code.md) for further guidance. -## Redirect URI: [MSAL.js 1.0 with implicit flow](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core) +## Redirect URI: [MSAL.js 1.0 with implicit flow](/javascript/api/overview/msal-overview) Follow these steps to add a redirect URI for a single-page app that uses MSAL.js 1.3 or earlier and the implicit grant flow. Applications that use MSAL.js 1.3 or earlier do not support the auth code flow. |
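Review bot: the heading "Redirect URI: MSAL.js 1.0 with implicit flow" still names version 1.0 while the paragraph directly beneath it describes apps that use "MSAL.js 1.3 or earlier"; since this change only swaps the link target from the msal-core GitHub tree to `/javascript/api/overview/msal-overview`, it is a good moment to align the heading's version with the body text so readers are not left guessing which versions the section covers.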
active-directory | Scenario Spa Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-spa-sign-in.md | The choice between a pop-up or redirect experience depends on your application f - If you don't want users to move away from your main application page during authentication, we recommend the pop-up method. Because the authentication redirect happens in a pop-up window, the state of the main application is preserved. -- If users have browser constraints or policies where pop-up windows are disabled, you can use the redirect method. Use the redirect method with the Internet Explorer browser, because there are [known issues with pop-up windows on Internet Explorer](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/internet-explorer.md#popups).+- If users have browser constraints or policies where pop-up windows are disabled, you can use the redirect method. Use the redirect method with the Internet Explorer browser, because there are [known issues with pop-up windows on Internet Explorer](/azure/active-directory/develop/msal-js-use-ie-browser). ## Sign-in with a pop-up window |
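Review bot: the new link target `/azure/active-directory/develop/msal-js-use-ie-browser` drops the `#popups` fragment that the previous GitHub link carried, so readers following "known issues with pop-up windows on Internet Explorer" now land at the top of the article instead of at the pop-up discussion. If the migrated article has a section on pop-ups, keep a fragment on the link so the reference stays as specific as it was.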
active-directory | Clean Up Stale Guest Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/clean-up-stale-guest-accounts.md | Title: Clean up stale guest accounts -description: Clean up stale guest accounts using access reviews + Title: Monitor and clean up stale guest accounts +description: Monitor and clean up stale guest accounts using access reviews --- Previously updated : 08/29/2022+++ Last updated : 06/29/2023+ -# Clean up stale guest accounts using access reviews +# Monitor and clean up stale guest accounts using access reviews -As users collaborate with external partners, itΓÇÖs possible that many guest accounts get created in Azure Active Directory (Azure AD) tenants over time. When collaboration ends and the users no longer access your tenant, the guest accounts may become stale. Admins can use Access Reviews to automatically review inactive guest users and block them from signing in, and later, delete them from the directory. +As users collaborate with external partners, itΓÇÖs possible that many guest accounts get created in Azure Active Directory (Azure AD) tenants over time. When collaboration ends and the users no longer access your tenant, the guest accounts may become stale. Administrators can monitor guest accounts at scale using inactive guest insights. Administrators can also use Access Reviews to automatically review inactive guest users, block them from signing in, and, delete them from the directory. Learn more about [how to manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md). -There are a few recommended patterns that are effective at cleaning up stale guest accounts: +There are a few recommended patterns that are effective at monitoring and cleaning up stale guest accounts: -1. Create a multi-stage review whereby guests self-attest whether they still need access. 
A second-stage reviewer assesses results and makes a final decision. Guests with denied access are disabled and later deleted. +1. Monitor guest accounts at scale with intelligent insights into inactive guests in your organization using inactive guest report. Customize the inactivity threshold depending on your organizationΓÇÖs needs, narrow down the scope of guest users you want to monitor and identify the guest users that may be inactive. -2. Create a review to remove inactive external guests. Admins define inactive as period of days. They disable and later delete guests that donΓÇÖt sign in to the tenant within that time frame. By default, this doesn't affect recently created users. [Learn more about how to identify inactive accounts](../reports-monitoring/howto-manage-inactive-user-accounts.md#how-to-detect-inactive-user-accounts). +2. Create a multi-stage review whereby guests self-attest whether they still need access. A second-stage reviewer assesses results and makes a final decision. Guests with denied access are disabled and later deleted. ++3. Create a review to remove inactive external guests. Admins define inactive as period of days. They disable and later delete guests that donΓÇÖt sign in to the tenant within that time frame. By default, this doesn't affect recently created users. [Learn more about how to identify inactive accounts](../reports-monitoring/howto-manage-inactive-user-accounts.md#how-to-detect-inactive-user-accounts). ++Use the following instructions to learn how to enhance monitoring of inactive guest accounts at scale and create Access Reviews that follow these patterns. Consider the configuration recommendations and then make the needed changes that suit your environment. ++## Monitor guest accounts at scale with inactive guest insights (Preview) +1. Sign in to the Azure portal and open the [Identity Governance](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/) page. ++2. 
Access the inactive guest account report by navigating to "Guest access governance" card and click on "View inactive guests" ++3. You will see the inactive guest report which will provide insights about inactive guest users based on 90 days of inactivity. The threshold is set to 90 days by default but can be configured using "Edit inactivity threshold" based on your organization's needs. ++4. The following insights are provided as part of this report: + + - Guest account overview (total guests and inactive guests with further categorization of guests who have never signed in or signed in at least once) + - Guest inactivity distribution (Percentage distribution of guest users based on days since last sign in) + - Guest inactivity overview (Guest inactivity guidance to configure inactivity threshold) + - Guest accounts summary (A tabular view with details of all guest accounts with insights into their activity state. The Activity state could be active or inactive based on the configured inactivity threshold) ++5. The inactive days are calculated based on last sign in date if the user has signed in atleast once. For users who have never signed in, the inactive days are calculated based on creation date. ++ ### License requirements ++> [!NOTE] +> When you access the report for the first time, the insights in this report may not be available immediately and may take some time to generate. If you are getting an error, please follow the instructions ensuring you have Microsoft Entra ID Governance license or wait for some time to see the report generated. +> The inactive days calculation is based on the 2 parameters (last sign in date and creation date). If both of the dates are not available in the system, then we consider User state change date i.e. the date when the user state was last changed. This will give us the closest accurate inactivity duration for those special situations. 
-Use the following instructions to learn how to create Access Reviews that follow these patterns. Consider the configuration recommendations and then make the needed changes that suit your environment. ## Create a multi-stage review for guests to self-attest continued access |
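Review bot: step 5 of the new "Monitor guest accounts at scale" list has the typo "atleast" ("if the user has signed in atleast once"), and the added note spells out "based on the 2 parameters" where the surrounding prose uses words for small numbers; change these to "at least once" and "two parameters" before merging.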
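Review bot: the added "### License requirements" heading has no license content under it; the only text that follows is a note about the report taking time to generate and how inactive days are computed, with the licensing requirement mentioned only in passing ("ensuring you have Microsoft Entra ID Governance license"). Either state the required license plainly as the body of that section or move the heading so it sits above text that actually describes licensing.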
active-directory | Add Users Information Worker | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/add-users-information-worker.md | +# Customer intent: As a tenant administrator, I want to learn how can my users invite guest users to an app. # How users in your organization can invite guest users to an app -After a guest user has been added to the directory in Azure AD, an application owner can send the guest user a direct link to the app they want to share. Azure AD admins can also set up self-service management for gallery or SAML-based apps in their Azure AD tenant. This way, application owners can manage their own guest users, even if the guest users havenΓÇÖt been added to the directory yet. When an app is configured for self-service, the application owner uses their Access Panel to invite a guest user to an app or add a guest user to a group that has access to the app. Self-service app management for gallery and SAML-based apps requires some initial setup by an admin. Follow the summary of the setup steps (for more detailed instructions, see [Prerequisites](#prerequisites) later on this page): +After a guest user has been added to the directory in Azure AD, an application owner can send the guest user a direct link to the app they want to share. Azure AD admins can also set up self-service management for gallery or SAML-based apps in their Azure AD tenant. This way, application owners can manage their own guest users, even if the guest users havenΓÇÖt been added to the directory yet. When an app is configured for self-service, the application owner uses their Access Panel to invite a guest user to an app or add a guest user to a group that has access to the app. ++Self-service app management for gallery and SAML-based apps requires some initial setup by an admin. 
Follow the summary of the setup steps (for more detailed instructions, see [Prerequisites](#prerequisites) later on this page): - Enable self-service group management for your tenant - Create a group to assign to the app and make the user an owner After a guest user has been added to the directory in Azure AD, an application o > [!NOTE] > * This article describes how to set up self-service management for gallery and SAML-based apps that youΓÇÖve added to your Azure AD tenant. You can also [set up self-service Microsoft 365 groups](../enterprise-users/groups-self-service-management.md) so your users can manage access to their own Microsoft 365 groups. For more ways users can share Office files and apps with guest users, see [Guest access in Microsoft 365 groups](https://support.office.com/article/guest-access-in-office-365-groups-bfc7a840-868f-4fd6-a390-f347bf51aff6) and [Share SharePoint files or folders](https://support.office.com/article/share-sharepoint-files-or-folders-1fe37332-0f9a-4719-970e-d2578da4941c).-> * Users are only able to invite guests if they have the [**Guest inviter**](../roles/permissions-reference.md#guest-inviter -) role. +> * Users are only able to invite guests if they have the **Guest inviter** role. + ## Invite a guest user to an app from the Access Panel After an app is configured for self-service, application owners can use their own Access Panel to invite a guest user to the app they want to share. The guest user doesn't necessarily need to be added to Azure AD in advance. 1. Open your Access Panel by going to `https://myapps.microsoft.com`.-2. Point to the app, select the ellipses (**...**), and then select **Manage app**. +2. Point to the app, select the ellipses (**...**), and then select **Manage your application**. :::image type="content" source="media/add-users-iw/access-panel-manage-app.png" alt-text="Screenshot showing the Manage app sub-menu for the Salesforce app."::: |
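Review bot: the bullet "Users are only able to invite guests if they have the Guest inviter role" loses its link to the role reference (`../roles/permissions-reference.md#guest-inviter`). The removed line was malformed only because of the stray whitespace before the closing parenthesis (`#guest-inviter -)`), so the link could be fixed as `[**Guest inviter**](../roles/permissions-reference.md#guest-inviter)` rather than dropped, keeping the pointer readers need to find the role definition.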
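Review bot: the added customer-intent line reads "I want to learn how can my users invite guest users to an app"; the word order should be "how my users can invite guest users to an app".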
active-directory | Overview Solutions Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/overview-solutions-customers.md | Azure Active Directory (Azure AD) for customers offers solutions that let you qu ## Get started -To try out the demo environment, go to [Woodgrove Groceries](https://wggdemo.net/) and select from a list of use cases that illustrate different sign-in options and business cases. +To try out the demo environment, go to [Woodgrove Groceries](https://woodgrovedemo.com/) and select from a list of use cases that illustrate different sign-in options and business cases. :::image type="content" source="media/overview-solutions-customers/demo-woodgrove.png" alt-text="Screenshot of the Woodgrove Groceries demo home page."::: You can enable email one-time passcode in the admin center under **Authenticatio When users authenticate to your application with Azure Active Directory, a security token is returned to your application. The security token contains claims that are statements about the user, such as name, unique identifier, or application roles. Beyond the default set of claims that are contained in the security token you can define your own custom claims from external systems using a REST API you develop. -In this use case, you can sign in or sign up with your credentials. Then after you're successfully authenticated, from the Woodgrove top bar select your name and check your profile. It contains information that return by the Azure AD custom extension REST API. +In this use case, you can sign in or sign up with your credentials. Then after you're successfully authenticated, from the top bar select your name and check your profile. It contains information that return by the Azure AD custom extension REST API. If you want to understand how custom extensions work, you can refer to the [Custom extension overview](/azure/active-directory/develop/custom-extension-overview) article. 
For information on custom claims providers, you can check out the [Custom claims provider](/azure/active-directory/develop/custom-claims-provider-overview) article. If you would like to delete your account and personal information, visit the **D To delete your account on the **Woodgrove Groceries** page, select the icon with your name located in the top-right corner of the page. On the **Edit your profile** page select **Delete your account**. +## Next steps ++- Learn more about [planning for Azure AD for customers](concept-planning-your-solution.md). +- [Create a tenant](quickstart-tenant-setup.md). + |
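Review bot: the rewritten use-case sentence keeps the grammatical error from the line it replaces: "It contains information that return by the Azure AD custom extension REST API" should read "It contains information returned by the Azure AD custom extension REST API". Since the line is being edited anyway to drop "Woodgrove" from "from the top bar", fix the verb form in the same change.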
active-directory | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/whats-new-docs.md | +## June 2023 ++### Updated articles ++- [Set up tenant restrictions V2 (Preview)](tenant-restrictions-v2.md) Microsoft Teams updates. +- [Invite guest users to an app](add-users-information-worker.md) Link and structure updates. + ## May 2023 ### New article Welcome to what's new in Azure Active Directory External Identities documentatio - [Code and Azure PowerShell samples](code-samples.md) Minor text updates. - [Azure Active Directory](default-account.md) Minor text updates. -## March 2023 --### Updated articles --- [Invite internal users to B2B collaboration](invite-internal-users.md)-- [Federation with SAML/WS-Fed identity providers for guest users](direct-federation.md)-- [Add Azure Active Directory (Azure AD) as an identity provider for External Identities](default-account.md)-- [Quickstart: Add a guest user with PowerShell](b2b-quickstart-invite-powershell.md)-- [Billing model for Azure AD External Identities](external-identities-pricing.md)-- [Tutorial: Enforce multi-factor authentication for B2B guest users](b2b-tutorial-require-mfa.md)- |
active-directory | Whats New Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md | Azure AD access reviews reviewer recommendations now account for non-interactive The offline Azure AD Threat Intelligence risk detection can now have a risk reason that will help customers with the risk investigation. If a risk reason is available, it will show up as **Additional Info** in the risk details of that risk event. The information can be found in the Risk detections report. It will also be available through the additionalInfo property of the riskDetections API. [Learn more](../identity-protection/howto-identity-protection-investigate-risk.md). ---## December 2021 --### Tenant enablement of combined security information registration for Azure Active Directory --**Type:** Plan for change -**Service category:** MFA -**Product capability:** Identity Security & Protection - -We previously announced in April 2020, a new combined registration experience enabling users to register authentication methods for SSPR and multi-factor authentication at the same time was generally available for existing customer to opt in. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting in 2022 Microsoft will be enabling the multi-factor authentication and SSPR combined registration experience for existing customers. [Learn more](../authentication/concept-registration-mfa-sspr-combined.md). - ---### Public Preview - Number Matching now available to reduce accidental notification approvals --**Type:** New feature -**Service category:** Microsoft Authenticator App -**Product capability:** User Authentication - -To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving a multi-factor authentication notification in the Authenticator app. 
This feature adds an extra security measure to the Microsoft Authenticator app. [Learn more](../authentication/how-to-mfa-number-match.md). - ---### Pre-authentication error events removed from Azure AD Sign-in Logs --**Type:** Deprecated -**Service category:** Reporting -**Product capability:** Monitoring & Reporting - -We're no longer publishing sign-in logs with the following error codes because these events are pre-authentication events that occur before our service has authenticated a user. Because these events happen before authentication, our service isn't always able to correctly identify the user. If a user continues on to authenticate, the user sign-in will show up in your tenant Sign-in logs. These logs are no longer visible in the Azure portal UX, and querying these error codes in the Graph API will no longer return results. --|Error code | Failure reason| -| | | -|50058| Session information isn't sufficient for single-sign-on.| -|16000| Either multiple user identities are available for the current request or selected account isn't supported for the scenario.| -|500581| Rendering JavaScript. Fetching sessions for single-sign-on on V2 with prompt=none requires JavaScript to verify if any MSA accounts are signed in.| -|81012| The user trying to sign in to Azure AD is different from the user signed into the device.| ------## November 2021 --### Tenant enablement of combined security information registration for Azure Active Directory --**Type:** Plan for change -**Service category:** MFA -**Product capability:** Identity Security & Protection - -We previously announced in April 2020, a new combined registration experience enabling users to register authentication methods for SSPR and multi-factor authentication at the same time was generally available for existing customer to opt in. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting 2022, Microsoft will be enabling the MF). 
- ---### Windows users will see prompts more often when switching user accounts --**Type:** Fixed -**Service category:** Authentications (Logins) -**Product capability:** User Authentication - -A problematic interaction between Windows and a local Active Directory Federation Services (ADFS) instance can result in users attempting to sign into another account, but be silently signed into their existing account instead, with no warning. For federated IdPs such as ADFS, that support the [prompt=login](/windows-server/identity/ad-fs/operations/ad-fs-prompt-login) pattern, Azure AD will now trigger a fresh sign-in at ADFS when a user is directed to ADFS with a sign-in hint. This ensures that the user is signed into the account they requested, rather than being silently signed into the account they're already signed in with. --For more information, see the [change notice](../develop/reference-breaking-changes.md). - ---### Public preview - Conditional Access Overview Dashboard --**Type:** New feature -**Service category:** Conditional Access -**Product capability:** Monitoring & Reporting - -The new Conditional Access overview dashboard enables all tenants to see insights about the impact of their Conditional Access policies without requiring an Azure Monitor subscription. This built-in dashboard provides tutorials to deploy policies, a summary of the policies in your tenant, a snapshot of your policy coverage, and security recommendations. [Learn more](../conditional-access/overview.md). 
- ---### Public preview - SSPR writeback is now available for disconnected forests using Azure AD Connect cloud sync --**Type:** New feature -**Service category:** Azure AD Connect Cloud Sync -**Product capability:** Identity Lifecycle Management - -The Public Preview feature for Azure AD Connect Cloud Sync Password writeback provides customers the capability to write back a user's password changes in the cloud to the on-premises directory in real time using the lightweight Azure AD cloud provisioning agent.[Learn more](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md). ----### Public preview - Conditional Access for workload identities --**Type:** New feature -**Service category:** Conditional Access for workload identities -**Product capability:** Identity Security & Protection - -Previously, Conditional Access policies applied only to users when they access apps and services like SharePoint online or the Azure portal. This preview adds support for Conditional Access policies applied to service principals owned by the organization. You can block service principals from accessing resources from outside trusted-named locations or Azure Virtual Networks. [Learn more](../conditional-access/workload-identity.md). ----### Public preview - Extra attributes available as claims --**Type:** Changed feature -**Service category:** Enterprise Apps -**Product capability:** SSO - -Several user attributes have been added to the list of attributes available to map to claims to bring attributes available in claims more in line with what is available on the user object in Microsoft Graph. New attributes include mobilePhone and ProxyAddresses. [Learn more](../develop/reference-claims-mapping-policy-type.md). 
- ---### Public preview - "Session Lifetime Policies Applied" property in the sign-in logs --**Type:** New feature -**Service category:** Authentications (Logins) -**Product capability:** Identity Security & Protection - -We have recently added other property to the sign-in logs called "Session Lifetime Policies Applied". This property will list all the session lifetime policies that applied to the sign-in for example, Sign-in frequency, Remember multi-factor authentication and Configurable token lifetime. [Learn more](../reports-monitoring/concept-sign-ins.md#authentication-details). - ---### Public preview - Enriched reviews on access packages in entitlement management --**Type:** New feature -**Service category:** User Access Management -**Product capability:** Entitlement Management - -Entitlement Management's enriched review experience allows even more flexibility on access packages reviews. Admins can now choose what happens to access if the reviewers don't respond, provide helper information to reviewers, or decide whether a justification is necessary. [Learn more](../governance/entitlement-management-access-reviews-create.md). - ---### General availability - randomString and redact provisioning functions --**Type:** New feature -**Service category:** Provisioning -**Product capability:** Outbound to SaaS Applications - --The Azure AD Provisioning service now supports two new functions, randomString() and Redact(): -- randomString - generate a string based on the length and characters you would like to include or exclude in your string.-- redact - remove the value of the attribute from the audit and provisioning logs. 
[Learn more](../app-provisioning/functions-for-customizing-application-data.md#randomstring).----### General availability - Now access review creators can select users and groups to receive notification on completion of reviews --**Type:** New feature -**Service category:** Access Reviews -**Product capability:** Identity Governance - -Now access review creators can select users and groups to receive notification on completion of reviews. [Learn more](../governance/create-access-review.md). - -- -### General availability - Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator --**Type:** New feature -**Service category:** Microsoft Authenticator App -**Product capability:** Identity Security & Protection - -This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. Users can also report any suspicious or unfamiliar activity, change their Azure AD account passwords, and update the account's security information. --For more information on how to use this feature visit [View and search your recent sign-in activity from the My Sign-ins page](../user-help/my-account-portal-sign-ins-page.md). ----### General availability - New Microsoft Authenticator app icon --**Type:** New feature -**Service category:** Microsoft Authenticator App -**Product capability:** Identity Security & Protection - -New updates have been made to the Microsoft Authenticator app icon. To learn more about these updates, see the [Microsoft Authenticator app](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/microsoft-authenticator-app-easier-ways-to-add-or-manage/ba-p/2464408) blog post. 
----### General availability - Azure AD single sign-on and device-based Conditional Access support in Firefox on Windows 10/11 --**Type:** New feature -**Service category:** Authentications (Logins) -**Product capability:** SSO - -We now support native single sign-on (SSO) support and device-based Conditional Access to Firefox browser on Windows 10 and Windows Server 2019 starting in Firefox version 91. [Learn more](../conditional-access/require-managed-devices.md#prerequisites). - ---### New provisioning connectors in the Azure AD Application Gallery - November 2021 --**Type:** New feature -**Service category:** App Provisioning -**Product capability:** 3rd Party Integration - -You can now automate creating, updating, and deleting user accounts for these newly integrated apps: --- [Appaegis Isolation Access Cloud](../saas-apps/appaegis-isolation-access-cloud-provisioning-tutorial.md)-- [BenQ IAM](../saas-apps/benq-iam-provisioning-tutorial.md)-- [BIC Cloud Design](../saas-apps/bic-cloud-design-provisioning-tutorial.md)-- [Chaos](../saas-apps/chaos-provisioning-tutorial.md)-- [directprint.io](../saas-apps/directprint-io-provisioning-tutorial.md)-- [Documo](../saas-apps/documo-provisioning-tutorial.md)-- [Facebook Work Accounts](../saas-apps/facebook-work-accounts-provisioning-tutorial.md)-- [introDus Pre and Onboarding Platform](../saas-apps/introdus-pre-and-onboarding-platform-provisioning-tutorial.md)-- [Kisi Physical Security](../saas-apps/kisi-physical-security-provisioning-tutorial.md)-- [Klaxoon](../saas-apps/klaxoon-provisioning-tutorial.md)-- [Klaxoon SAML](../saas-apps/klaxoon-saml-provisioning-tutorial.md)-- [MX3 Diagnostics](../saas-apps/mx3-diagnostics-connector-provisioning-tutorial.md)-- [Netpresenter](../saas-apps/netpresenter-provisioning-tutorial.md)-- [Peripass](../saas-apps/peripass-provisioning-tutorial.md)-- [Real Links](../saas-apps/real-links-provisioning-tutorial.md)-- [Sentry](../saas-apps/sentry-provisioning-tutorial.md)-- 
[Teamgo](../saas-apps/teamgo-provisioning-tutorial.md)-- [Zero](../saas-apps/zero-provisioning-tutorial.md)--For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../manage-apps/user-provisioning.md). - ---### New Federated Apps available in Azure AD Application gallery - November 2021 --**Type:** New feature -**Service category:** Enterprise Apps -**Product capability:** 3rd Party Integration - -In November 2021, we have added following 32 new applications in our App gallery with Federation support: --[Tide - Connector](https://gallery.ctinsuretech-tide.com/), [Virtual Risk Manager - USA](../saas-apps/virtual-risk-manager-usa-tutorial.md), [Xorlia Policy Management](https://app.xoralia.com/), [WorkPatterns](https://app.workpatterns.com/oauth2/login?data_source_type=office_365_account_calendar_workspace_sync&utm_source=azure_sso), [GHAE](../saas-apps/ghae-tutorial.md), [Nodetrax Project](../saas-apps/nodetrax-project-tutorial.md), [Touchstone Benchmarking](https://app.touchstonebenchmarking.com/), [SURFsecureID - Azure AD Multi-Factor Authentication](../saas-apps/surfsecureid-azure-mfa-tutorial.md), [AiDEA](https://truebluecorp.com/en/prodotti/aidea-en/),[R and D Tax Credit --You can also find the documentation of all the applications [here](../saas-apps/tutorial-list.md). --For listing your application in the Azure AD app gallery, read the details [here](../manage-apps/v2-howto-app-gallery-listing.md). ----### Updated "switch organizations" user experience in My Account. --**Type:** Changed feature -**Service category:** My Profile/Account -**Product capability:** End User Experiences - -Updated "switch organizations" user interface in My Account. This visually improves the UI and provides the end-user with clear instructions. Added a manage organizations link to blade per customer feedback. 
[Learn more](https://support.microsoft.com/account-billing/switch-organizations-in-your-work-or-school-account-portals-c54c32c9-2f62-4fad-8c23-2825ed49d146). - ---## October 2021 - -### Limits on the number of configured API permissions for an application registration will be enforced starting in October 2021 --**Type:** Plan for change -**Service category:** Other -**Product capability:** Developer Experience - -Sometimes, application developers configure their apps to require more permissions than it's possible to grant. To prevent this from happening, a limit on the total number of required permissions that can be configured for an app registration will be enforced. --The total number of required permissions for any single application registration mustn't exceed 400 permissions, across all APIs. The change to enforce this limit will begin rolling out mid-October 2021. Applications exceeding the limit can't increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and may not exceed 50 APIs. --In the Azure portal, the required permissions are listed under API permissions for the application you wish to configure. Using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an [application](/graph/api/resources/application) entity. [Learn more](../enterprise-users/directory-service-limits-restrictions.md). - ---### Email one-time passcode on by default change beginning rollout in November 2021 --**Type:** Plan for change -**Service category:** B2B -**Product capability:** B2B/B2C - -Previously, we announced that starting October 31, 2021, Microsoft Azure Active Directory [email one-time passcode](../external-identities/one-time-passcode.md) authentication will become the default method for inviting accounts and tenants for B2B collaboration scenarios. 
However, because of deployment schedules, we'll begin rolling out on November 1, 2021. Most of the tenants will see the change rolled out in January 2022 to minimize disruptions during the holidays and deployment lock downs. After this change, Microsoft will no longer allow redemption of invitations using Azure Active Directory accounts that are unmanaged. [Learn more](../external-identities/one-time-passcode.md#frequently-asked-questions). - ---### Conditional Access Guest Access Blocking Screen --**Type:** Fixed -**Service category:** Conditional Access -**Product capability:** End User Experiences - -If there's no trust relation between a home and resource tenant, a guest user would have previously been asked to re-register their device, which would break the previous registration. However, the user would end up in a registration loop because only home tenant device registration is supported. In this specific scenario, instead of this loop, we've created a new conditional access blocking page. The page tells the end user that they can't get access to conditional access protected resources as a guest user. [Learn more](../external-identities/b2b-quickstart-add-guest-users-portal.md#prerequisites). - ---### 50105 Errors will now result in a UX error message instead of an error response to the application --**Type:** Fixed -**Service category:** Authentications (Logins) -**Product capability:** Developer Experience - -Azure AD has fixed a bug in an error response that occurs when a user isn't assigned to an app that requires a user assignment. Previously, Azure AD would return error 50105 with the OIDC error code "interaction_required" even during interactive authentication. This would cause well-coded applications to loop indefinitely, as they do interactive authentication and receive an error telling them to do interactive authentication, which they would then do. 
--The bug has been fixed, so that during non-interactive auth an "interaction_required" error will still be returned. Also, during interactive authentication an error page will be directly displayed to the user. --For greater details, see the change notices for [Azure AD protocols](../develop/reference-breaking-changes.md#error-50105-has-been-fixed-to-not-return-interaction_required-during-interactive-authentication). ----### Public preview - New claims transformation capabilities --**Type:** New feature -**Service category:** Enterprise Apps -**Product capability:** SSO - -The following new capabilities have been added to the claims transformations available for manipulating claims in tokens issued from Azure AD: - -- Join() on NameID. Used to be restricted to joining an email format address with a verified domain. Now Join() can be used on the NameID claim in the same way as any other claim, so NameID transforms can be used to create Windows account style NameIDs or any other string. For now if the result is an email address, the Azure AD will still validate that the domain is one that is verified in the tenant.-- Substring(). A new transformation in the claims configuration UI allows extraction of defined position substrings such as five characters starting at character three - substring(3,5)-- Claims transformations. These transformations can now be performed on Multi-valued attributes, and can emit multi-valued claims. Microsoft Graph can now be used to read/write multi-valued directory schema extension attributes. [Learn more](../develop/active-directory-saml-claims-customization.md).----### Public Preview – Flagged Sign-ins --**Type:** New feature -**Service category:** Reporting -**Product capability:** Monitoring & Reporting - -Flagged sign-ins are a feature that will increase the signal to noise ratio for user sign-ins where users need help. The functionality is intended to empower users to raise awareness about sign-in errors they want help with. 
Also to help admins and help desk workers find the right sign-in events quickly and efficiently. [Learn more](../reports-monitoring/overview-flagged-sign-ins.md). ----### Public preview - Device overview --**Type:** New feature -**Service category:** Device Registration and Management -**Product capability:** Device Lifecycle Management - -The new Device Overview feature provides actionable insights about devices in your tenant. [Learn more](../devices/device-management-azure-portal.md). - ---### Public preview - Azure Active Directory workload identity federation --**Type:** New feature -**Service category:** Enterprise Apps -**Product capability:** Developer Experience - -Azure AD workload identity federation is a new capability that's in public preview. It frees developers from handling application secrets or certificates. This includes secrets in scenarios such as using GitHub Actions and building applications on Kubernetes. Rather than creating an application secret and using that to get tokens for that application, developers can instead use tokens provided by the respective platforms such as GitHub and Kubernetes without having to manage any secrets manually.[Learn more](../develop/workload-identity-federation.md). ----### Public Preview - Updates to Sign-in Diagnostic --**Type:** Changed feature -**Service category:** Reporting -**Product capability:** Monitoring & Reporting - -With this update, the diagnostic covers more scenarios and is made more easily available to admins. 
--New scenarios covered when using the Sign-in Diagnostic: -- Pass Through Authentication sign-in failures-- Seamless Single-Sign On sign-in failures- -Other changes include: -- Flagged Sign-ins will automatically appear for investigation when using the Sign-in Diagnostic from Diagnose and Solve.-- Sign-in Diagnostic is now available from the Enterprise Apps Diagnose and Solve blade.-- The Sign-in Diagnostic is now available in the Basic Info tab of the Sign-in Log event view for all sign-in events. [Learn more](../reports-monitoring/concept-sign-in-diagnostics-scenarios.md#supported-scenarios).----### General Availability - Privileged Role Administrators can now create Azure AD access reviews on role-assignable groups --**Type:** Fixed -**Service category:** Access Reviews -**Product capability:** Identity Governance - -Privileged Role Administrators can now create Azure AD access reviews on Azure AD role-assignable groups, in addition to Azure AD roles. [Learn more](../governance/deploy-access-reviews.md#who-will-create-and-manage-access-reviews). - ---### General Availability - Azure AD single sign-on and device-based Conditional Access support in Firefox on Windows 10/11 --**Type:** New feature -**Service category:** Authentications (Logins) -**Product capability:** SSO - -We now support native single sign-on (SSO) support and device-based Conditional Access to Firefox browser on Windows 10 and Windows Server 2019 starting in Firefox version 91. [Learn more](../conditional-access/require-managed-devices.md#prerequisites). - ---### General Availability - New app indicator in My Apps --**Type:** New feature -**Service category:** My Apps -**Product capability:** End User Experiences - -Apps that have been recently assigned to the user show up with a "new" indicator. When the app is launched or the page is refreshed, this indicator disappears. [Learn more](/azure/active-directory/user-help/my-apps-portal-end-user-access). 
- ---### General availability - Custom domain support in Azure AD B2C --**Type:** New feature -**Service category:** B2C - Consumer Identity Management -**Product capability:** B2B/B2C - -Azure AD B2C customers can now enable custom domains so their end-users are redirected to a custom URL domain for authentication. This is done via integration with Azure Front Door's custom domains capability. [Learn more](../../active-directory-b2c/custom-domain.md?pivots=b2c-user-flow). - ---### General availability - Edge Administrator built-in role --**Type:** New feature -**Service category:** RBAC -**Product capability:** Access Control - --Users in this role can create and manage the enterprise site list required for Internet Explorer mode on Microsoft Edge. This role grants permissions to create, edit, and publish the site list and additionally allows access to manage support tickets. [Learn more](/deployedge/edge-ie-mode-cloud-site-list-mgmt) - ---### General availability - Windows 365 Administrator built-in role --**Type:** New feature -**Service category:** RBAC -**Product capability:** Access Control - -Users with this role have global permissions on Windows 365 resources, when the service is present. Additionally, this role contains the ability to manage users and devices to associate a policy, and create and manage groups. 
[Learn more](../roles/permissions-reference.md) - ---### New Federated Apps available in Azure AD Application gallery - October 2021 --**Type:** New feature -**Service category:** Enterprise Apps -**Product capability:** 3rd Party Integration - -In October 2021 we've added the following 10 new applications in our App gallery with Federation support: --[Adaptive Shield](../saas-apps/adaptive-shield-tutorial.md), [SocialChorus Search](https://socialchorus.com/), [Hiretual-SSO](../saas-apps/hiretual-tutorial.md), [TeamSticker by Communitio](../saas-apps/teamsticker-by-communitio-tutorial.md), [embed signage](../saas-apps/embed-signage-tutorial.md), [JoinedUp](../saas-apps/joinedup-tutorial.md), [VECOS Releezme Locker management system](../saas-apps/vecos-releezme-locker-management-system-tutorial.md), [Altoura](../saas-apps/altoura-tutorial.md), [Dagster Cloud](../saas-apps/dagster-cloud-tutorial.md), [Qualaroo](../saas-apps/qualaroo-tutorial.md) --You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial --For listing your application in the Azure AD app gallery, read the following article: https://aka.ms/AzureADAppRequest ----### Continuous Access Evaluation migration with Conditional Access --**Type:** Changed feature -**Service category:** Conditional Access -**Product capability:** User Authentication - -A new user experience is available for our CAE tenants. Tenants will now access CAE as part of Conditional Access. Any tenants that were previously using CAE for some (but not all) user accounts under the old UX or had previously disabled the old CAE UX will now be required to undergo a one time migration experience.[Learn more](../conditional-access/concept-continuous-access-evaluation.md#migration). 
- ---### Improved group list blade --**Type:** Changed feature -**Service category:** Group Management -**Product capability:** Directory - -The new group list blade offers more sort and filtering capabilities, infinite scrolling, and better performance. [Learn more](../enterprise-users/groups-members-owners-search.md). - ---### General availability - Google deprecation of Gmail sign-in support on embedded webviews on September 30, 2021 --**Type:** Changed feature -**Service category:** B2B -**Product capability:** B2B/B2C - -Google has deprecated Gmail sign-ins on Microsoft Teams mobile and custom apps that run Gmail authentications on embedded webviews on Sept. 30th, 2021. --If you would like to request an extension, impacted customers with affected OAuth client ID(s) should have received an email from Google Developers with the following information regarding a one-time policy enforcement extension, which must be completed by Jan 31, 2022. --To continue allowing your Gmail users to sign in and redeem, we strongly recommend that you refer to [Embedded vs System Web](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) UI in the MSAL.NET documentation and modify your apps to use the system browser for sign-in. All MSAL SDKs use the system web-view by default. --As a workaround, we're deploying the device sign-in flow by October 8. Between today and until then, it's likely that it may not be rolled out to all regions yet (in which case, end-users will be met with an error screen until it gets deployed to your region.) --For more details on the device sign-in flow and details on requesting extension to Google, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support). 
- ---### Identity Governance Administrator can create and manage Azure AD access reviews of groups and applications --**Type:** Changed feature -**Service category:** Access Reviews -**Product capability:** Identity Governance - -Identity Governance Administrator can create and manage Azure AD access reviews of groups and applications. [Learn more](../governance/deploy-access-reviews.md#who-will-create-and-manage-access-reviews). - ------## September 2021 --### Limits on the number of configured API permissions for an application registration will be enforced starting in October 2021 --**Type:** Plan for change -**Service category:** Other -**Product capability:** Developer Experience - -Occasionally, application developers configure their apps to require more permissions than it's possible to grant. To prevent this from happening, we're enforcing a limit on the total number of required permissions that can be configured for an app registration. --The total number of required permissions for any single application registration must not exceed 400 permissions, across all APIs. The change to enforce this limit will begin rolling out no sooner than mid-October 2021. Applications exceeding the limit can't increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and can't exceed 50 APIs. --In the Azure portal, the required permissions are listed under Azure Active Directory > Application registrations > (select an application) > API permissions. Using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an application entity. [Learn more](../enterprise-users/directory-service-limits-restrictions.md). ----### My Apps performance improvements --**Type:** Fixed -**Service category:** My Apps -**Product capability:** End User Experiences - -The load time of My Apps has been improved. 
Users going to myapps.microsoft.com load My Apps directly, rather than being redirected through another service. [Learn more](../user-help/my-apps-portal-end-user-access.md). ----### Single Page Apps using the `spa` redirect URI type must use a CORS enabled browser for auth --**Type:** Known issue -**Service category:** Authentications (Logins) -**Product capability:** Developer Experience - -The modern Edge browser is now included in the requirement to provide an `Origin` header when redeeming a [single page app authorization code](../develop/v2-oauth2-auth-code-flow.md#redirect-uris-for-single-page-apps-spas). A compatibility fix accidentally exempted the modern Edge browser from CORS controls, and that bug is being fixed during October. A subset of applications depended on CORS being disabled in the browser, which has the side effect of removing the `Origin` header from traffic. This is an unsupported configuration for using Azure AD, and these apps that depended on disabling CORS can no longer use modern Edge as a security workaround. All modern browsers must now include the `Origin` header per HTTP spec, to ensure CORS is enforced. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt). ----### General availability - On the My Apps portal, users can choose to view their apps in a list --**Type:** New feature -**Service category:** My Apps -**Product capability:** End User Experiences - -By default, My Apps displays apps in a grid view. Users can now toggle their My Apps view to display apps in a list. [Learn more](../user-help/my-apps-portal-end-user-access.md). - ---### General availability - New and enhanced device-related audit logs --**Type:** New feature -**Service category:** Audit -**Product capability:** Device Lifecycle Management - -Admins can now see various new and improved device-related audit logs. 
The new audit logs include the create and delete passwordless credentials (Phone sign-in, FIDO2 key, and Windows Hello for Business), register/unregister device and pre-create/delete pre-create device. Additionally, there have been minor improvements to existing device-related audit logs that include adding more device details. [Learn more](../reports-monitoring/concept-audit-logs.md). ----### General availability - Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator --**Type:** New feature -**Service category:** Microsoft Authenticator App -**Product capability:** Identity Security & Protection - -This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. They can report any suspicious or unfamiliar activity based on the sign-in history and activity if necessary. Users also can change their Azure AD account passwords and update the account's security information. [Learn more](../user-help/my-account-portal-sign-ins-page.md). - ---### General availability - New MS Graph APIs for role management --**Type:** New feature -**Service category:** RBAC -**Product capability:** Access Control - -New APIs for role management to MS Graph v1.0 endpoint are generally available. Instead of old [directory roles](/graph/api/resources/directoryrole?view=graph-rest-1.0&preserve-view=true), use [unifiedRoleDefinition](/graph/api/resources/unifiedroledefinition?view=graph-rest-1.0&preserve-view=true) and [unifiedRoleAssignment](/graph/api/resources/unifiedroleassignment?view=graph-rest-1.0&preserve-view=true). 
- ---### General availability - Access Packages can expire after number of hours --**Type:** New feature -**Service category:** User Access Management -**Product capability:** Entitlement Management --It's now possible in entitlement management to configure an access package that will expire in a matter of hours in addition to the previous support for days or specific dates. [Learn more](../governance/entitlement-management-access-package-create.md#lifecycle). - ---### New provisioning connectors in the Azure AD Application Gallery - September 2021 --**Type:** New feature -**Service category:** App Provisioning -**Product capability:** 3rd Party Integration - -You can now automate creating, updating, and deleting user accounts for these newly integrated apps: --- [BLDNG APP](../saas-apps/bldng-app-provisioning-tutorial.md)-- [Cato Networks](../saas-apps/cato-networks-provisioning-tutorial.md)-- [Rouse Sales](../saas-apps/rouse-sales-provisioning-tutorial.md)-- [SchoolStream ASA](../saas-apps/schoolstream-asa-provisioning-tutorial.md)-- [Taskize Connect](../saas-apps/taskize-connect-provisioning-tutorial.md)--For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../manage-apps/user-provisioning.md). 

---

### New Federated Apps available in Azure AD Application gallery - September 2021

**Type:** New feature
**Service category:** Enterprise Apps
**Product capability:** 3rd Party Integration

In September 2021, we added the following 44 new applications to our App gallery with Federation support:

[Studybugs](https://studybugs.com/signin), [Yello](https://yello.co/yello-for-microsoft-teams/), [LawVu](../saas-apps/lawvu-tutorial.md), [Formate eVo Mail](https://www.document-genetics.co.uk/formate-evo-erp-output-management), [Revenue Grid](https://app.revenuegrid.com/login), [Orbit for Office 365](https://azuremarketplace.microsoft.com/marketplace/apps/aad.orbitforoffice365?tab=overview), [Upmarket](https://app.upmarket.ai/), [Alinto Protect](https://protect.alinto.net/), [Cloud Concinnity](https://cloudconcinnity.com/), [Matlantis](https://matlantis.com/), [ModelGen for Visio (MG4V)](https://crecy.com.au/model-gen/), [NetRef: Classroom Management](https://oauth.net-ref.com/microsoft/sso), [VergeSense](../saas-apps/vergesense-tutorial.md), [SafetyCulture](../saas-apps/safety-culture-tutorial.md), [Secutraq](https://secutraq.net/login), [Active and Thriving](../saas-apps/active-and-thriving-tutorial.md), [Inova](https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=1bacdba3-7a3b-410b-8753-5cc0b8125f81&response_type=code&redirect_uri=https:%2f%2fbroker.partneringplace.com%2fpartner-companion%2f&code_challenge_method=S256&code_challenge=YZabcdefghijklmanopqrstuvwxyz0123456789._-~&scope=1bacdba3-7a3b-410b-8753-5cc0b8125f81/.default), [TerraTrue](../saas-apps/terratrue-tutorial.md), [Beyond Identity Admin Console](../saas-apps/beyond-identity-admin-console-tutorial.md), [Visult](https://visult.app), [ENGAGE TAG](https://app.engagetag.com/), [Appaegis Isolation Access Cloud](../saas-apps/appaegis-isolation-access-cloud-tutorial.md), [CrowdStrike Falcon Platform](../saas-apps/crowdstrike-falcon-platform-tutorial.md), [MY Emergency Control](https://my-emergency.co.uk/app/auth/login), [AlexisHR](../saas-apps/alexishr-tutorial.md), [Teachme Biz](../saas-apps/teachme-biz-tutorial.md), [Zero Networks](../saas-apps/zero-networks-tutorial.md), [Mavim iMprove](https://improve.mavimcloud.com/), [Azumuta](https://app.azumuta.com/login?microsoft=true), [Frankli](https://beta.frankli.io/login), [Amazon Managed Grafana](../saas-apps/amazon-managed-grafana-tutorial.md), [Productive](../saas-apps/productive-tutorial.md), [Create!Webフロー](../saas-apps/createweb-tutorial.md), [Evercate](https://evercate.com/), [Ezra Coaching](../saas-apps/ezra-coaching-tutorial.md), [Baldwin Safety and Compliance](../saas-apps/baldwin-safety-&-compliance-tutorial.md), [Nulab Pass (Backlog,Cacoo,Typetalk)](../saas-apps/nulab-pass-tutorial.md), [Metatask](../saas-apps/metatask-tutorial.md), [Contrast Security](../saas-apps/contrast-security-tutorial.md), [Animaker](../saas-apps/animaker-tutorial.md), [Traction Guest](../saas-apps/traction-guest-tutorial.md), [True Office Learning - LIO](../saas-apps/true-office-learning-lio-tutorial.md), [Qiita Team](../saas-apps/qiita-team-tutorial.md)

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest

---

### Gmail users signing in on Microsoft Teams mobile and desktop clients will sign in with device sign-in flow starting September 30, 2021

**Type:** Changed feature
**Service category:** B2B
**Product capability:** B2B/B2C

Starting on September 30, 2021, Azure AD B2B guests and Azure AD B2C customers signing in with their self-service signed-up or redeemed Gmail accounts will have an extra sign-in step. Users will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients.

If you haven't already done so, make sure to modify your apps to use the system browser for sign-in. See [Embedded vs System Web UI in the MSAL.NET](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) documentation for more information. All MSAL SDKs use the system web-view by default.

As the device sign-in flow will start on September 30, 2021, it may not be available in your region immediately. If it's not available yet, your end users will be met with the error screen shown in the documentation until it gets deployed to your region. For more details on the device sign-in flow and on requesting an extension from Google, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).

---

### Improved Conditional Access Messaging for Non-compliant Device

**Type:** Changed feature
**Service category:** Conditional Access
**Product capability:** End User Experiences

The text and design on the Conditional Access blocking screen shown to users when their device is marked as non-compliant has been updated. Users will be blocked until they take the necessary actions to meet their company's device compliance policies. Additionally, we have streamlined the flow for a user to open their device management portal. These improvements apply to all Conditional Access supported OS platforms. [Learn more](https://support.microsoft.com/account-billing/troubleshooting-the-you-can-t-get-there-from-here-error-message-479a9c42-d9d1-4e44-9e90-24bbad96c251)

---

## August 2021

### New major version of AADConnect available

**Type:** Fixed
**Service category:** AD Connect
**Product capability:** Identity Lifecycle Management

We've released a new major version of Azure Active Directory Connect. This version contains several updates of foundational components to the latest versions and is recommended for all customers using Azure AD Connect.
[Learn more](../hybrid/whatis-azure-ad-connect-v2.md).

---

### Public Preview - Azure AD single sign-on and device-based Conditional Access support in Firefox on Windows 10

**Type:** New feature
**Service category:** Authentications (Logins)
**Product capability:** SSO

We now support native single sign-on (SSO) and device-based Conditional Access in the Firefox browser on Windows 10 and Windows Server 2019. Support is available in Firefox version 91. [Learn more](../conditional-access/require-managed-devices.md#prerequisites).

---

### Public preview - beta MS Graph APIs for Azure AD access reviews return list of contacted reviewer names

**Type:** New feature
**Service category:** Access Reviews
**Product capability:** Identity Governance

We've released a beta MS Graph API for Azure AD access reviews. The API has methods to return a list of contacted reviewer names in addition to the reviewer type. [Learn more](/graph/api/resources/accessreviewinstance).

---

### General Availability - "Register or join devices" user action in Conditional Access

**Type:** New feature
**Service category:** Conditional Access
**Product capability:** Identity Security & Protection

The "Register or join devices" user action is generally available in Conditional Access. This user action allows you to control multi-factor authentication policies for Azure Active Directory (AD) device registration. Currently, this user action only allows you to enable multi-factor authentication as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions).

---

### General Availability - customers can scope reviews of privileged roles to eligible or permanent assignments

**Type:** New feature
**Service category:** Access Reviews
**Product capability:** Identity Governance

Administrators can now create access reviews of only permanent or eligible assignments to privileged Azure AD or Azure resource roles. [Learn more](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md).

---

### General availability - assign roles to Azure Active Directory (AD) groups

**Type:** New feature
**Service category:** RBAC
**Product capability:** Access Control

Assigning roles to Azure AD groups is now generally available. This feature can simplify the management of role assignments in Azure AD for Global Administrators and Privileged Role Administrators. [Learn more](../roles/groups-concept.md).

---

### New Federated Apps available in Azure AD Application gallery - Aug 2021

**Type:** New feature
**Service category:** Enterprise Apps
**Product capability:** 3rd Party Integration

In August 2021, we added the following 46 new applications to our App gallery with Federation support:

[Siriux Customer Dashboard](https://portal.siriux.tech/login), [STRUXI](https://struxi.app/), [Autodesk Construction Cloud - Meetings](https://acc.autodesk.com/), [Eccentex AppBase for Azure](../saas-apps/eccentex-appbase-for-azure-tutorial.md), [Bookado](https://adminportal.bookado.io/), [FilingRamp](https://app.filingramp.com/login), [BenQ IAM](../saas-apps/benq-iam-tutorial.md), [Rhombus Systems](../saas-apps/rhombus-systems-tutorial.md), [CorporateExperience](../saas-apps/corporateexperience-tutorial.md), [TutorOcean](../saas-apps/tutorocean-tutorial.md), [Bookado Device](https://adminportal.bookado.io/), [HiFives-AD-SSO](https://app.hifives.in/login/azure), [Darzin](https://au.darzin.com/), [Simply Stakeholders](https://au.simplystakeholders.com/), [KACTUS HCM - Smart People](https://kactusspc.digitalware.co/), [Five9 UC Adapter for Microsoft Teams V2](https://uc.five9.net/?vendor=msteams), [Automation Center](https://automationcenter.cognizantgoc.com/portal/boot/signon), [Cirrus Identity Bridge for Azure AD](../saas-apps/cirrus-identity-bridge-for-azure-ad-tutorial.md), [ShiftWizard SAML](../saas-apps/shiftwizard-saml-tutorial.md), [Safesend Returns](https://www.safesendwebsites.com/), [Brushup](../saas-apps/brushup-tutorial.md), [directprint.io Cloud Print Administration](../saas-apps/directprint-io-cloud-print-administration-tutorial.md), [plain-x](https://app.plain-x.com/#/login), [X-point Cloud](../saas-apps/x-point-cloud-tutorial.md), [SmartHub INFER](../saas-apps/smarthub-infer-tutorial.md), [Fresh Relevance](../saas-apps/fresh-relevance-tutorial.md), [FluentPro G.A. Suite](https://gas.fluentpro.com/Account/SSOLogin?provider=Microsoft), [Clockwork Recruiting](../saas-apps/clockwork-recruiting-tutorial.md), [WalkMe SAML2.0](../saas-apps/walkme-saml-tutorial.md), [Sideways 6](https://app.sideways6.com/account/login?ReturnUrl=/), [Kronos Workforce Dimensions](../saas-apps/kronos-workforce-dimensions-tutorial.md), [SysTrack Cloud Edition](https://cloud.lakesidesoftware.com/Cloud/Account/Login), [mailworx Dynamics CRM Connector](https://www.mailworx.info/), [Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service](../saas-apps/palo-alto-networks-cloud-identity-enginecloud-authentication-service-tutorial.md), [Peripass](https://accounts.peripass.app/v1/sso/challenge), [JobDiva](https://www.jobssos.com/index_azad.jsp?SSO=AZURE&ID=1), [Sanebox For Office365](https://sanebox.com/login), [Tulip](../saas-apps/tulip-tutorial.md), [HP Wolf Security](https://www.hpwolf.com/), [Genesys Engage cloud Email](https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&accessType=offline&state=07e035a7-6fb0-4411-afd9-efa46c9602f9&resource=https://graph.microsoft.com/&response_type=code&redirect_uri=https://iwd.api01-westus2.dev.genazure.com/iwd/v3/emails/oauth2/microsoft/callback&client_id=36cd21ab-862f-47c8-abb6-79facad09dda), [Meta Wiki](https://meta.dunkel.eu/), [Palo Alto Networks Cloud Identity Engine Directory Sync](https://directory-sync.us.paloaltonetworks.com/directory?instance=L2qoLVONpBHgdJp1M5K9S08Z7NBXlpi54pW1y3DDu2gQqdwKbyUGA11EgeaDfZ1dGwn397S8eP7EwQW3uyE4XL), [Valarea](https://www.valarea.com/en/download), [LanSchool Air](../saas-apps/lanschool-air-tutorial.md), [Catalyst](https://www.catalyst.org/sso-login/), [Webcargo](../saas-apps/webcargo-tutorial.md)

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest

---

### New provisioning connectors in the Azure AD Application Gallery - August 2021

**Type:** New feature
**Service category:** App Provisioning
**Product capability:** 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

- [Chatwork](../saas-apps/chatwork-provisioning-tutorial.md)
- [Freshservice](../saas-apps/freshservice-provisioning-tutorial.md)
- [InviteDesk](../saas-apps/invitedesk-provisioning-tutorial.md)
- [Maptician](../saas-apps/maptician-provisioning-tutorial.md)

For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD.

---

### Multifactor fraud report – new audit event

**Type:** Changed feature
**Service category:** MFA
**Product capability:** Identity Security & Protection

To help administrators understand that their users are blocked for multi-factor authentication as a result of a fraud report, we've added a new audit event. This audit event is tracked when the user reports fraud. The audit log is available in addition to the existing information in the sign-in logs about the fraud report. To learn how to get the audit report, see [multi-factor authentication Fraud alert](../authentication/howto-mfa-mfasettings.md#report-suspicious-activity).

---

### Improved Low-Risk Detections

**Type:** Changed feature
**Service category:** Identity Protection
**Product capability:** Identity Security & Protection

To improve the quality of low-risk alerts that Identity Protection issues, we've modified the algorithm to issue fewer low-risk risky sign-ins. Organizations may see a significant reduction in low-risk sign-ins in their environment. [Learn more](../identity-protection/concept-identity-protection-risks.md).

---

### Non-interactive risky sign-ins

**Type:** Changed feature
**Service category:** Identity Protection
**Product capability:** Identity Security & Protection

Identity Protection now emits risky sign-ins on non-interactive sign-ins. Admins can find these risky sign-ins using the **sign-in type** filter in the risky sign-ins report. [Learn more](../identity-protection/howto-identity-protection-investigate-risk.md).

---

### Change from User Administrator to Identity Governance Administrator in Entitlement Management

**Type:** Changed feature
**Service category:** Roles
**Product capability:** Identity Governance

The permission assignments to manage access packages and other resources in Entitlement Management are moving from the User Administrator role to the Identity Governance Administrator role.

Users that have been assigned the User Administrator role can no longer create catalogs or manage access packages in a catalog they don't own. If users in your organization have been assigned the User Administrator role to configure catalogs, access packages, or policies in entitlement management, they'll need a new assignment. You should instead assign these users the Identity Governance Administrator role. [Learn more](../governance/entitlement-management-delegate.md)

---

### Microsoft Azure Active Directory connector is deprecated

**Type:** Deprecated
**Service category:** Microsoft Identity Manager
**Product capability:** Identity Lifecycle Management

The Microsoft Azure Active Directory Connector for FIM is at feature freeze and deprecated. The solution of using FIM and the Azure AD Connector has been replaced. Existing deployments should migrate to [Azure AD Connect](../hybrid/whatis-hybrid-identity.md), Azure AD Connect Sync, or the [Microsoft Graph Connector](/microsoft-identity-manager/microsoft-identity-manager-2016-connector-graph), as the internal interfaces used by the Azure AD Connector for FIM are being removed from Azure AD. [Learn more](/microsoft-identity-manager/microsoft-identity-manager-2016-deprecated-features).

---

### Retirement of older Azure AD Connect versions

**Type:** Deprecated
**Service category:** AD Connect
**Product capability:** User Management

Starting August 31, 2022, all V1 versions of Azure AD Connect will be retired. If you haven't already done so, you need to update your server to Azure AD Connect V2.0. You need to make sure you're running a recent version of Azure AD Connect to receive an optimal support experience.

If you run a retired version of Azure AD Connect, it may unexpectedly stop working. You may also not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools, and service enhancements.
Also, if you require support, we can't provide you with the level of service your organization needs.

See [Azure Active Directory Connect V2.0](../hybrid/whatis-azure-ad-connect-v2.md) for what has changed in V2.0 and how this change impacts you.

---

### Retirement of support for installing MIM on Windows Server 2008 R2 or SQL Server 2008 R2

**Type:** Deprecated
**Service category:** Microsoft Identity Manager
**Product capability:** Identity Lifecycle Management

Deploying MIM Sync, Service, Portal, or CM on Windows Server 2008 R2, or using SQL Server 2008 R2 as the underlying database, is deprecated, as these platforms are no longer in mainstream support. Installing MIM Sync and other components on Windows Server 2016 or later, with SQL Server 2016 or later, is recommended.

Deploying MIM for Privileged Access Management with a Windows Server 2012 R2 domain controller in the PRIV forest is deprecated. Use Windows Server 2016 or later Active Directory, with Windows Server 2016 functional level, for your PRIV forest domain. The Windows Server 2012 R2 functional level is still permitted for a CORP forest's domain. [Learn more](/microsoft-identity-manager/microsoft-identity-manager-2016-supported-platforms).

---

## July 2021

### New Google sign-in integration for Azure AD B2C and B2B self-service sign-up and invited external users will stop working starting July 12, 2021

**Type:** Plan for change
**Service category:** B2B
**Product capability:** B2B/B2C

Previously we announced that [the exception for Embedded WebViews for Gmail authentication will expire in the second half of 2021](https://www.yammer.com/cepartners/threads/1188371962232832).

On July 7, 2021, we learned from Google that some of these restrictions will apply starting **July 12, 2021**.
Azure AD B2B and B2C customers who set up a new Google ID sign-in in their custom or line-of-business applications to invite external users or enable self-service sign-up will have the restrictions applied immediately. As a result, end users will be met with an error screen that blocks their Gmail sign-in if the authentication is not moved to a system webview. See the docs linked below for details.

Most apps use the system web-view by default and will not be impacted by this change. This only applies to customers using embedded webviews (the non-default setting). We advise customers to move their application's authentication to system browsers instead, prior to creating any new Google integrations. To learn how to move to system browsers for Gmail authentications, read the Embedded vs System Web UI section in the [Using web browsers (MSAL.NET)](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) documentation. All MSAL SDKs use the system web-view by default. [Learn more](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).

---

### Google sign-in on embedded web-views expiring September 30, 2021

**Type:** Plan for change
**Service category:** B2B
**Product capability:** B2B/B2C

About two months ago we announced that the exception for Embedded WebViews for Gmail authentication will expire in the second half of 2021.

Recently, Google has specified the date to be **September 30, 2021**.

Rolling out globally beginning September 30, 2021, Azure AD B2B guests signing in with their Gmail accounts will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients. This applies to invited guests and guests who signed up using Self-Service Sign-Up.

Azure AD B2C customers who have set up embedded webview Gmail authentications in their custom or line-of-business apps, or who have existing Google integrations, will no longer be able to let their users sign in with Gmail accounts. To mitigate this, make sure to modify your apps to use the system browser for sign-in. For more information, read the Embedded vs System Web UI section in the [Using web browsers (MSAL.NET)](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) documentation. All MSAL SDKs use the system web-view by default.

As the device sign-in flow will start rolling out on September 30, 2021, it may not be rolled out to your region yet, in which case your end users will be met with the error screen shown in the documentation until it gets deployed to your region.

For details on known impacted scenarios and what experience your users can expect, read [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).

---

### Bug fixes in My Apps

**Type:** Fixed
**Service category:** My Apps
**Product capability:** End User Experiences

- Previously, the presence of the banner recommending the use of collections caused content to scroll behind the header. This issue has been resolved.
- Previously, when adding apps to a collection, the order of apps in the All Apps collection would get randomly reordered. This issue has also been resolved.

For more information on My Apps, read [Sign in and start apps from the My Apps portal](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

---

### Public preview - Application authentication method policies

**Type:** New feature
**Service category:** MS Graph
**Product capability:** Developer Experience

Application authentication method policies in MS Graph allow IT admins to enforce a lifetime on application password secret credentials or block the use of secrets altogether. Policies can be enforced for an entire tenant as a default configuration, and they can be scoped to specific applications or service principals. [Learn more](/graph/api/resources/policy-overview).

---

### Public preview - Authentication Methods registration campaign to download Microsoft Authenticator

**Type:** New feature
**Service category:** Microsoft Authenticator App
**Product capability:** User Authentication

The Authenticator registration campaign helps admins move their organizations to a more secure posture by prompting users to adopt the Microsoft Authenticator app. Prior to this feature, there was no way for an admin to push their users to set up the Authenticator app.

The registration campaign comes with the ability for an admin to scope users and groups by including and excluding them from the registration campaign, to ensure a smooth adoption across the organization. [Learn more](../authentication/how-to-mfa-registration-campaign.md)

---

### Public preview - Separation of duties check

**Type:** New feature
**Service category:** User Access Management
**Product capability:** Entitlement Management

In Azure AD entitlement management, an administrator can define that an access package is incompatible with another access package or with a group. Users who have the incompatible memberships will then be unable to request more access. [Learn more](../governance/entitlement-management-access-package-request-policy.md#prevent-requests-from-users-with-incompatible-access).
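
As an added example for the application authentication method policies entry above (not Microsoft's code and not the Graph API itself), this Python audit evaluates app registrations' password credentials against a constructed tenant default policy, reporting secrets that outlive the configured maximum or that were added to apps where new secrets are blocked. The policy layout follows the Graph appManagementPolicy `passwordCredentials` restrictions as the author understands them; the app objects, ids, names and dates are constructed.

```python
"""
Evaluate app registrations against an application authentication method policy.
Added example, not Microsoft's code: the policy shape follows the Microsoft Graph
appManagementPolicy passwordCredentials restrictions as the author understands
them ("passwordAddition" blocks adding new secrets, "passwordLifetime" caps a
secret's validity, maxLifetime is an ISO 8601 duration such as "P90D").
Sample apps, ids and dates are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed tenant-wide default policy: no new secrets on apps created after
# 2021-07-01, and secrets on apps created after 2021-01-01 may live 90 days.
TENANT_POLICY = {
    "isEnabled": True,
    "applicationRestrictions": {
        "passwordCredentials": [
            {"restrictionType": "passwordAddition",
             "restrictForAppsCreatedAfterDateTime": "2021-07-01T00:00:00Z"},
            {"restrictionType": "passwordLifetime", "maxLifetime": "P90D",
             "restrictForAppsCreatedAfterDateTime": "2021-01-01T00:00:00Z"},
        ]
    },
}

# Constructed sample of /applications objects (ids and names are placeholders).
SAMPLE_APPS = [
    {"id": "app-0001", "displayName": "payroll-sync",
     "createdDateTime": "2020-05-04T00:00:00Z",
     "passwordCredentials": [{"keyId": "k1", "startDateTime": "2021-06-01T00:00:00Z",
                              "endDateTime": "2023-06-01T00:00:00Z"}]},
    {"id": "app-0002", "displayName": "hr-portal",
     "createdDateTime": "2021-02-15T00:00:00Z",
     "passwordCredentials": [{"keyId": "k2", "startDateTime": "2021-03-01T00:00:00Z",
                              "endDateTime": "2023-03-01T00:00:00Z"}]},
    {"id": "app-0003", "displayName": "contractor-bot",
     "createdDateTime": "2021-08-10T00:00:00Z",
     "passwordCredentials": [{"keyId": "k3", "startDateTime": "2021-08-11T00:00:00Z",
                              "endDateTime": "2021-10-01T00:00:00Z"}]},
    {"id": "app-0004", "displayName": "cert-only-api",
     "createdDateTime": "2021-08-20T00:00:00Z", "passwordCredentials": []},
]


def parse_ts(value: str) -> datetime:
    """Parse a Graph UTC timestamp; fromisoformat before Python 3.11 rejects a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_duration(value: str) -> timedelta:
    """Parse the day/hour subset of ISO 8601 durations (P90D, PT12H, P1DT6H).
    Month and year designators are rejected because their length is calendar-dependent."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?)?", value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value}")
    days, hours = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours)


def evaluate(apps: List[dict], policy: dict) -> List[Dict[str, str]]:
    """Return one finding per credential that violates an enabled restriction.
    A restriction applies only to apps created after its
    restrictForAppsCreatedAfterDateTime (to all apps when that field is absent)."""
    findings: List[Dict[str, str]] = []
    if not policy.get("isEnabled"):
        return findings
    rules = policy.get("applicationRestrictions", {}).get("passwordCredentials", [])
    for app in apps:
        created = parse_ts(app["createdDateTime"])
        for cred in app.get("passwordCredentials", []):
            start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
            for rule in rules:
                cutoff = rule.get("restrictForAppsCreatedAfterDateTime")
                if cutoff and created <= parse_ts(cutoff):
                    continue  # app predates the restriction; out of scope
                kind = rule["restrictionType"]
                if kind == "passwordAddition" and (not cutoff or start > parse_ts(cutoff)):
                    detail = "secret added to an app where new secrets are blocked"
                elif kind == "passwordLifetime" and end - start > parse_duration(rule["maxLifetime"]):
                    detail = f"lifetime {(end - start).days}d exceeds {rule['maxLifetime']}"
                else:
                    continue
                findings.append({"app": app["displayName"], "keyId": cred["keyId"],
                                 "rule": kind, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_APPS, TENANT_POLICY):
        print(f"{f['app']} / {f['keyId']}: {f['rule']} ({f['detail']})")
```

Note that payroll-sync carries a two-year secret but predates both cutoffs, so the scoped policy does not flag it; that is the gap a tenant-wide `restrictForAppsCreatedAfterDateTime` leaves open.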

---

### Public preview - Identity Protection logs in Log Analytics, Storage Accounts, and Event Hubs

**Type:** New feature
**Service category:** Identity Protection
**Product capability:** Identity Security & Protection

You can now send the risky users and risk detections logs to Azure Monitor, Storage Accounts, or Log Analytics using the Diagnostic Settings in the Azure AD blade. [Learn more](../identity-protection/howto-export-risk-data.md).

---

### Public preview - Application Proxy API addition for backend SSL certificate validation

**Type:** New feature
**Service category:** App Proxy
**Product capability:** Access Control

The onPremisesPublishing resource type now includes the property "isBackendCertificateValidationEnabled", which indicates whether backend SSL certificate validation is enabled for the application. For all new Application Proxy apps, the property will be set to true by default. For all existing apps, the property will be set to false. For more information, read the [onPremisesPublishing resource type](/graph/api/resources/onpremisespublishing?view=graph-rest-beta&preserve-view=true) API reference.

---

### General availability - Improved Authenticator setup experience for adding an Azure AD account in Microsoft Authenticator app by directly signing into the app

**Type:** New feature
**Service category:** Microsoft Authenticator App
**Product capability:** User Authentication

Users can now use their existing authentication methods to directly sign into the Microsoft Authenticator app to set up their credential. Users don't need to scan a QR code anymore and can use a Temporary Access Pass (TAP) or Password + SMS (or another authentication method) to configure their account in the Authenticator app.

This improves the user credential provisioning process for the Microsoft Authenticator app and gives the end user a self-service method to provision the app.
[Learn more](https://support.microsoft.com/account-billing/add-your-work-or-school-account-to-the-microsoft-authenticator-app-43a73ab5-b4e8-446d-9e54-2a4cb8e4e93c#sign-in-with-your-credentials).

---

### General availability - Set manager as reviewer in Azure AD entitlement management access packages

**Type:** New feature
**Service category:** User Access Management
**Product capability:** Entitlement Management

Access packages in Azure AD entitlement management now support setting the user's manager as the reviewer for regularly occurring access reviews. [Learn more](../governance/entitlement-management-access-reviews-create.md).

---

### General availability - Enable external users to self-service sign up in Azure Active Directory using MSA accounts

**Type:** New feature
**Service category:** B2B
**Product capability:** B2B/B2C

You can now enable external users to self-service sign up in Azure Active Directory using Microsoft accounts. [Learn more](../external-identities/microsoft-account.md).

---

### General availability - External Identities Self-Service Sign-Up with Email One-time Passcode

**Type:** New feature
**Service category:** B2B
**Product capability:** B2B/B2C

You can now enable external users to self-service sign up in Azure Active Directory using their email and a one-time passcode. [Learn more](../external-identities/one-time-passcode.md).

---

### General availability - Anomalous token

**Type:** New feature
**Service category:** Identity Protection
**Product capability:** Identity Security & Protection

Anomalous token detection is now available in Identity Protection. This feature can detect abnormal characteristics in the token, such as its active time and authentication from an unfamiliar IP address. [Learn more](../identity-protection/concept-identity-protection-risks.md#sign-in-risk).
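
As an added example for the Application Proxy backend SSL certificate validation entry above (not Microsoft's code), this Python audit reads `isBackendCertificateValidationEnabled` from application objects shaped like the Graph beta onPremisesPublishing resource, separates apps whose connector talks plain HTTP to the backend (where there is no certificate to validate), and builds the PATCH body that turns validation on. The sample apps, ids and URLs are constructed, and the PATCH endpoint form is the author's assumption.

```python
"""
Audit Application Proxy apps for backend certificate validation.
Added example, not Microsoft's code: it reads the onPremisesPublishing
isBackendCertificateValidationEnabled property from objects shaped like the
Graph beta application resource and builds the PATCH that enables it.
Sample apps, ids and URLs are constructed; the PATCH endpoint is assumed.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Constructed sample of application objects as a GET on
# /applications?$select=id,displayName,onPremisesPublishing might return them.
SAMPLE_APPS = [
    {"id": "00000000-0000-0000-0000-000000000001", "displayName": "legacy-timesheets",
     "onPremisesPublishing": {"externalUrl": "https://timesheets-contoso.msappproxy.net/",
                              "internalUrl": "https://timesheets.corp.contoso.local/",
                              "isBackendCertificateValidationEnabled": False}},
    {"id": "00000000-0000-0000-0000-000000000002", "displayName": "new-intranet",
     "onPremisesPublishing": {"externalUrl": "https://intranet-contoso.msappproxy.net/",
                              "internalUrl": "https://intranet.corp.contoso.local/",
                              "isBackendCertificateValidationEnabled": True}},
    {"id": "00000000-0000-0000-0000-000000000003", "displayName": "old-wiki",
     "onPremisesPublishing": {"externalUrl": "https://wiki-contoso.msappproxy.net/",
                              "internalUrl": "http://wiki.corp.contoso.local/",
                              "isBackendCertificateValidationEnabled": False}},
    {"id": "00000000-0000-0000-0000-000000000004", "displayName": "pre-flag-app",
     "onPremisesPublishing": {"externalUrl": "https://erp-contoso.msappproxy.net/",
                              "internalUrl": "https://erp.corp.contoso.local/"}},
    {"id": "00000000-0000-0000-0000-000000000005", "displayName": "saml-only-app"},
]


def classify(app: dict) -> Optional[str]:
    """Classify one application object.
    None: not published through Application Proxy.
    "plaintext-backend": the connector talks plain HTTP to the backend, so there is
    no certificate to validate and the flag is irrelevant.
    "validation-disabled": the flag is False or absent (an object returned without
    the property is treated conservatively as not validating).
    "ok": HTTPS backend with validation enabled."""
    pub = app.get("onPremisesPublishing")
    if not pub:
        return None
    if urlsplit(pub.get("internalUrl", "")).scheme.lower() != "https":
        return "plaintext-backend"
    if pub.get("isBackendCertificateValidationEnabled") is not True:
        return "validation-disabled"
    return "ok"


def audit(apps: List[dict]) -> Dict[str, List[str]]:
    """Group App Proxy app display names by classification; other apps are skipped."""
    report: Dict[str, List[str]] = {"ok": [], "validation-disabled": [], "plaintext-backend": []}
    for app in apps:
        status = classify(app)
        if status is not None:
            report[status].append(app["displayName"])
    return report


def remediation_patch(app_id: str) -> Tuple[str, str, dict]:
    """Build the request that turns validation on for one app (endpoint form assumed).
    Only the one property is included in the body."""
    return ("PATCH", f"{GRAPH_BETA}/applications/{app_id}",
            {"onPremisesPublishing": {"isBackendCertificateValidationEnabled": True}})


if __name__ == "__main__":
    for status, names in audit(SAMPLE_APPS).items():
        print(f"{status}: {', '.join(names) or '(none)'}")
    for app in SAMPLE_APPS:
        if classify(app) == "validation-disabled":
            method, url, body = remediation_patch(app["id"])
            print(method, url, body)
```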

---

### General availability - Register or join devices in Conditional Access

**Type:** New feature
**Service category:** Conditional Access
**Product capability:** Identity Security & Protection

The Register or join devices user action in Conditional Access is now generally available. This user action allows you to control multifactor authentication (MFA) policies for Azure AD device registration.

Currently, this user action only allows you to enable multifactor authentication as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions).

---

### New provisioning connectors in the Azure AD Application Gallery - July 2021

**Type:** New feature
**Service category:** App Provisioning
**Product capability:** 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

- [Clebex](../saas-apps/clebex-provisioning-tutorial.md)
- [Exium](../saas-apps/exium-provisioning-tutorial.md)
- [SoSafe](../saas-apps/sosafe-provisioning-tutorial.md)
- [Talentech](../saas-apps/talentech-provisioning-tutorial.md)
- [Thrive LXP](../saas-apps/thrive-lxp-provisioning-tutorial.md)
- [Vonage](../saas-apps/vonage-provisioning-tutorial.md)
- [Zip](../saas-apps/zip-provisioning-tutorial.md)
- [TimeClock 365](../saas-apps/timeclock-365-provisioning-tutorial.md)

For more information about how to better secure your organization by using automated user account provisioning, read [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

---

### Changes to security and Microsoft 365 group settings in Azure portal

**Type:** Changed feature
**Service category:** Group Management
**Product capability:** Directory

In the past, users could create security groups and Microsoft 365 groups in the Azure portal. Now users will have the ability to create groups across the Azure portal, PowerShell, and API. Customers are required to verify that the new settings have been configured for their organization and update them. [Learn More](../enterprise-users/groups-self-service-management.md#group-settings).

---

### "All Apps" collection has been renamed to "Apps"

**Type:** Changed feature
**Service category:** My Apps
**Product capability:** End User Experiences

In the My Apps portal, the collection that was called "All Apps" has been renamed "Apps". As the product evolves, "Apps" is a more fitting name for this default collection. [Learn more](../manage-apps/my-apps-deployment-plan.md#plan-the-user-experience).

---

## June 2021

### Context panes to display risk details in Identity Protection Reports

**Type:** Plan for change
**Service category:** Identity Protection
**Product capability:** Identity Security & Protection

For the Risky users, Risky sign-ins, and Risk detections reports in Identity Protection, the risk details of a selected entry will be shown in a context pane appearing from the right of the page starting July 2021. The change only impacts the user interface and won't affect any existing functionality. To learn more about the functionality of these features, refer to [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).

---

### Public preview - create Azure AD access reviews of Service Principals that are assigned to privileged roles

**Type:** New feature
**Service category:** Access Reviews
**Product capability:** Identity Governance

You can use Azure AD access reviews to review service principals' access to privileged Azure AD and Azure resource roles. [Learn more](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md#create-access-reviews).

---

### Public preview - group owners in Azure AD can create and manage Azure AD access reviews for their groups

**Type:** New feature
**Service category:** Access Reviews
**Product capability:** Identity Governance

Group owners in Azure AD can now create and manage Azure AD access reviews on their groups. This ability can be enabled by tenant administrators through Azure AD access review settings and is disabled by default. [Learn more](../governance/create-access-review.md#allow-group-owners-to-create-and-manage-access-reviews-of-their-groups).

---

### Public preview - customers can scope access reviews of privileged roles to just users with eligible or active access

**Type:** New feature
**Service category:** Access Reviews
**Product capability:** Identity Governance

When admins create access reviews of assignments to privileged roles, they can scope the reviews to only eligibly assigned users or only actively assigned users. [Learn more](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md).

---

### Public preview - Microsoft Graph APIs for Mobility (MDM/MAM) management policies

**Type:** New feature
**Service category:** Other
**Product capability:** Device Lifecycle Management

Microsoft Graph support for the Mobility (MDM/MAM) configuration in Azure AD is in public preview. Administrators can configure user scope and URLs for MDM applications like Intune using Microsoft Graph v1.0.
For more information, see [mobilityManagementPolicy resource type](/graph/api/resources/mobilitymanagementpolicy?view=graph-rest-beta&preserve-view=true).

---

### General availability - Custom questions in access package request flow in Azure Active Directory entitlement management

**Type:** New feature
**Service category:** User Access Management
**Product capability:** Entitlement Management

Azure AD entitlement management now supports the creation of custom questions in the access package request flow. This feature allows you to configure custom questions in the access package policy. These questions are shown to requestors, who can input their answers as part of the access request process. These answers will be displayed to approvers, giving them helpful information that empowers them to make better decisions on the access request. [Learn more](../governance/entitlement-management-access-package-create.md).

---

### General availability - Multi-geo SharePoint sites as resources in Entitlement Management Access Packages

**Type:** New feature
**Service category:** User Access Management
**Product capability:** Entitlement Management

Access packages in Entitlement Management now support multi-geo SharePoint sites for customers who use the multi-geo capabilities in SharePoint Online. [Learn more](../governance/entitlement-management-catalog-create.md#add-a-multi-geo-sharepoint-site).

---

### General availability - Knowledge Admin and Knowledge Manager built-in roles

**Type:** New feature
**Service category:** RBAC
**Product capability:** Access Control

Two new roles, Knowledge Administrator and Knowledge Manager, are now generally available.

- Users in the Knowledge Administrator role have full access to all Organizational knowledge settings in the Microsoft 365 admin center. They can create and manage content, like topics and acronyms. Additionally, these users can create content centers, monitor service health, and create service requests. [Learn more](../roles/permissions-reference.md#knowledge-administrator)
- Users in the Knowledge Manager role can create and manage content and are primarily responsible for the quality and structure of knowledge. They have full rights to topic management actions to confirm a topic, approve edits, or delete a topic. This role can also manage taxonomies as part of the term store management tool and create content centers. [Learn more](../roles/permissions-reference.md#knowledge-manager).

---

### General availability - Cloud App Security Administrator built-in role

**Type:** New feature
**Service category:** RBAC
**Product capability:** Access Control

Users with this role have full permissions in Cloud App Security. They can add administrators, add Microsoft Cloud App Security (MCAS) policies and settings, upload logs, and do governance actions. [Learn more](../roles/permissions-reference.md#cloud-app-security-administrator).

---

### General availability - Windows Update Deployment Administrator

**Type:** New feature
**Service category:** RBAC
**Product capability:** Access Control

Users in this role can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. The deployment service enables users to define settings for when and how updates are deployed. Also, users can specify which updates are offered to groups of devices in their tenant. It also allows users to monitor the update progress. [Learn more](../roles/permissions-reference.md#windows-update-deployment-administrator).

---

### General availability - multi-camera support for Windows Hello

**Type:** New feature
**Service category:** Authentications (Logins)
**Product capability:** User Authentication

Now with the Windows 10 21H1 update, Windows Hello supports multiple cameras. The update includes defaults to use the external camera when both built-in and external cameras are present.
[Learn more](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103).

---

### General availability - Access Reviews MS Graph APIs now in v1.0

**Type:** New feature  
**Service category:** Access Reviews  
**Product capability:** Identity Governance  

Azure Active Directory access reviews MS Graph APIs are now in v1.0 and support fully configurable access reviews features. [Learn more](/graph/api/resources/accessreviewsv2-overview?view=graph-rest-1.0&preserve-view=true).

---

### New provisioning connectors in the Azure AD Application Gallery - June 2021

**Type:** New feature  
**Service category:** App Provisioning  
**Product capability:** 3rd Party Integration  

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

- [askSpoke](../saas-apps/askspoke-provisioning-tutorial.md)
- [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-provisioning-tutorial.md)
- [CheckProof](../saas-apps/checkproof-provisioning-tutorial.md)
- [GoLinks](../saas-apps/golinks-provisioning-tutorial.md)
- [Holmes Cloud](../saas-apps/holmes-cloud-provisioning-tutorial.md)
- [H5mag](../saas-apps/h5mag-provisioning-tutorial.md)
- [LimbleCMMS](../saas-apps/limblecmms-provisioning-tutorial.md)
- [LogMeIn](../saas-apps/logmein-provisioning-tutorial.md)
- [SECURE DELIVER](../saas-apps/secure-deliver-provisioning-tutorial.md)
- [Sigma Computing](../saas-apps/sigma-computing-provisioning-tutorial.md)
- [Smallstep SSH](../saas-apps/smallstep-ssh-provisioning-tutorial.md)
- [Tribeloo](../saas-apps/tribeloo-provisioning-tutorial.md)
- [Twingate](../saas-apps/twingate-provisioning-tutorial.md)

For more information, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
---

### New Federated Apps available in Azure AD Application gallery - June 2021

**Type:** New feature  
**Service category:** Enterprise Apps  
**Product capability:** 3rd Party Integration  

In June 2021, we have added the following 42 new applications in our App gallery with Federation support:

[Tasksel](https://help.ubuntu.com/community/Tasksel), [IDrive360](../saas-apps/idrive360-tutorial.md), [VIDA](../saas-apps/vida-tutorial.md), [ProProfs Classroom](../saas-apps/proprofs-classroom-tutorial.md), [WAN-Sign](../saas-apps/wan-sign-tutorial.md), [Citrix Cloud SAML SSO](../saas-apps/citrix-cloud-saml-sso-tutorial.md), [Fabric](../saas-apps/fabric-tutorial.md), [DssAD](https://cloudlicensing.deepseedsolutions.com/), [RICOH Creative Collaboration RICC](https://www.ricoh-europe.com/products/software-apps/collaboration-board-software/ricc/), [Styleflow](../saas-apps/styleflow-tutorial.md), [Chaos](https://accounts.chaosgroup.com/corporate_login), [Traced Connector](https://control.traced.app/signup), [Squarespace](https://account.squarespace.com/org/azure), [MX3 Diagnostics Connector](https://www.mx3diagnostics.com/), [Ten Spot](https://tenspot.co/api/v1/sso/azure/login/), [Finvari](../saas-apps/finvari-tutorial.md), [Mobile4ERP](https://play.google.com/store/apps/details?id=com.negevsoft.mobile4erp), [WalkMe US OpenID Connect](https://www.walkme.com/), [Neustar UltraDNS](../saas-apps/neustar-ultradns-tutorial.md), [cloudtamer.io](../saas-apps/cloudtamer-io-tutorial.md), [A Cloud Guru](../saas-apps/a-cloud-guru-tutorial.md), [PetroVue](../saas-apps/petrovue-tutorial.md), [Postman](../saas-apps/postman-tutorial.md), [ReadCube Papers](../saas-apps/readcube-papers-tutorial.md), [Peklostroj](https://app.peklostroj.cz/), [SynCloud](https://www.syncloud.org/apps.html), [Polymerhq.io](https://www.polymerhq.io/), [Bonos](../saas-apps/bonos-tutorial.md), [Astra Schedule](../saas-apps/astra-schedule-tutorial.md), [Draup, Inc](../saas-apps/draup-inc-tutorial.md), [Applied Mental Health](../saas-apps/applied-mental-health-tutorial.md), [iHASCO Training](../saas-apps/ihasco-training-tutorial.md), [Nexsure](../saas-apps/nexsure-tutorial.md), [XEOX](https://login.xeox.com/), [Plandisc](https://create.plandisc.com/account/logon), [foundU](../saas-apps/foundu-tutorial.md), [Standard for Success Accreditation](../saas-apps/standard-for-success-accreditation-tutorial.md), [Penji Teams](https://web.penjiapp.com/), [CheckPoint Infinity Portal](../saas-apps/checkpoint-infinity-portal-tutorial.md), [Teamgo](../saas-apps/teamgo-tutorial.md), [Hopsworks.ai](../saas-apps/hopsworks-ai-tutorial.md), [HoloMeeting 2](https://backend2.holomeeting.io/)

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest

---

### Device code flow now includes an app verification prompt

**Type:** Changed feature  
**Service category:** Authentications (Logins)  
**Product capability:** User Authentication  

The [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include one extra user prompt. While signing in, the user will see a prompt asking them to confirm the app they're signing into. The prompt helps ensure that they aren't subject to a phishing attack. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).

---

### User last sign-in date and time is now available on Azure portal

**Type:** Changed feature  
**Service category:** User Management  
**Product capability:** User Management  

You can now view your users' last sign-in date and time stamp on the Azure portal. The information is available for each user on the user profile page. This information helps you identify inactive users and effectively manage risky events.
[Learn more](./active-directory-users-profile-azure-portal.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context).

---

### MIM BHOLD Suite impact of end of support for Microsoft Silverlight

**Type:** Changed feature  
**Service category:** Microsoft Identity Manager  
**Product capability:** Identity Governance  

Microsoft Silverlight will reach its end of support on October 12, 2021. This change only impacts customers using the Microsoft BHOLD Suite, and doesn't impact other Microsoft Identity Manager scenarios. For more information, see [Silverlight End of Support](https://support.microsoft.com/windows/silverlight-end-of-support-0a3be3c7-bead-e203-2dfd-74f0a64f1788).

Users who haven't installed Microsoft Silverlight in their browser can't use the BHOLD Suite modules that require Silverlight. These include the BHOLD Model Generator, BHOLD FIM Self-service integration, and BHOLD Analytics. Customers with an existing BHOLD deployment of one or more of those modules should plan to uninstall those modules from their BHOLD server computers by October 2021. They should also plan to uninstall Silverlight from any user computers that were previously interacting with that BHOLD deployment.

---

### My* experiences: End of support for Internet Explorer 11

**Type:** Deprecated  
**Service category:** My Apps  
**Product capability:** End User Experiences  

Microsoft 365 and other apps are ending support for Internet Explorer 11 on August 21, 2021, and this includes the My* experiences. The My* experiences accessed via Internet Explorer won't receive bug fixes or any updates, which may lead to issues. These dates are being driven by the Edge team and may be subject to change. [Learn more](https://blogs.windows.com/windowsexperience/2021/05/19/the-future-of-internet-explorer-on-windows-10-is-in-microsoft-edge/).
---

### Planned deprecation - Malware linked IP address detection in Identity Protection

**Type:** Deprecated  
**Service category:** Identity Protection  
**Product capability:** Identity Security & Protection  

Starting October 1, 2021, Azure AD Identity Protection will no longer generate the "Malware linked IP address" detection. No action is required, and customers will remain protected by the other detections provided by Identity Protection. To learn more about protection policies, refer to [Identity Protection policies](../identity-protection/concept-identity-protection-policies.md).

---

## May 2021

### Public preview - Azure AD verifiable credentials

**Type:** New feature  
**Service category:** Other  
**Product capability:** User Authentication  

Azure AD customers can now easily design and issue verifiable credentials. Verifiable credentials can be used to represent proof of employment, education, or any other claim while respecting privacy. Digitally validate any piece of information about anyone and any business. [Learn more](../verifiable-credentials/index.yml).

---

### Public preview - Device code flow now includes an app verification prompt

**Type:** New feature  
**Service category:** User Authentication  
**Product capability:** Authentications (Logins)  

As a security improvement, the [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include another prompt, which validates that the user is signing into the app they expect. The rollout is planned to start in June and is expected to be complete by June 30.

To help prevent phishing attacks where an attacker tricks the user into signing into a malicious application, the following prompt is being added: "Are you trying to sign in to [application display name]?". All users will see this prompt while signing in using the device code flow. As a security measure, it can't be removed or bypassed.
[Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).

---

### Public preview - build and test expressions for user provisioning

**Type:** New feature  
**Service category:** App Provisioning  
**Product capability:** Identity Lifecycle Management  

The expression builder allows you to create and test expressions without having to wait for the full sync cycle. [Learn more](../app-provisioning/functions-for-customizing-application-data.md).

---

### Public preview - enhanced audit logs for Conditional Access policy changes

**Type:** New feature  
**Service category:** Conditional Access  
**Product capability:** Identity Security & Protection  

An important aspect of managing Conditional Access is understanding changes to your policies over time. Policy changes may cause disruptions for your end users, so maintaining a log of changes and enabling admins to revert to previous policy versions is critical.

In addition to showing who made a policy change and when, the audit logs will now also contain a modified properties value. This change gives admins greater visibility into what assignments, conditions, or controls changed. If you want to revert to a previous version of a policy, you can copy the JSON representation of the old version and use the Conditional Access APIs to change the policy to its previous state. [Learn more](../conditional-access/concept-conditional-access-policies.md).

---

### Public preview - Sign-in logs include authentication methods used during sign-in

**Type:** New feature  
**Service category:** MFA  
**Product capability:** Monitoring & Reporting  

Admins can now see the sequential steps users took to sign in, including which authentication methods were used during sign-in.

To access these details, go to the Azure AD sign-in logs, select a sign-in, and then navigate to the Authentication Method Details tab. Here we have included information such as which method was used, details about the method (for example, phone number, phone name), the authentication requirement satisfied, and result details. [Learn more](../reports-monitoring/concept-sign-ins.md).

---

### Public preview - PIM adds support for ABAC conditions in Azure Storage roles

**Type:** New feature  
**Service category:** Privileged Identity Management  
**Product capability:** Privileged Identity Management  

Along with the public preview of attribute-based access control (ABAC) for specific Azure roles, you can also add ABAC conditions inside Privileged Identity Management for your eligible assignments. [Learn more](../../role-based-access-control/conditions-overview.md#conditions-and-azure-ad-pim).

---

### General availability - Conditional Access and Identity Protection Reports in B2C

**Type:** New feature  
**Service category:** B2C - Consumer Identity Management  
**Product capability:** B2B/B2C  

B2C now supports Conditional Access and Identity Protection for business-to-consumer (B2C) apps and users. This enables customers to protect their users with granular risk- and location-based access controls. With these features, customers can now look at the signals and create a policy to provide more security and access to their customers. [Learn more](../../active-directory-b2c/conditional-access-identity-protection-overview.md).

---

### General availability - KMSI and Password reset now in next generation of user flows

**Type:** New feature  
**Service category:** B2C - Consumer Identity Management  
**Product capability:** B2B/B2C  

The next generation of B2C user flows now supports [keep me signed in (KMSI)](../../active-directory-b2c/session-behavior.md?pivots=b2c-custom-policy#enable-keep-me-signed-in-kmsi) and password reset. The KMSI functionality allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie.
This feature keeps the session active even when the user closes and reopens the browser. The session is revoked when the user signs out. Password reset allows users to reset their password from the "Forgot your password?" link. This also allows the admin to force reset the user's expired password in the Azure AD B2C directory. [Learn more](../../active-directory-b2c/add-password-reset-policy.md?pivots=b2c-user-flow).

---

### General availability - New Log Analytics workbook Application role assignment activity

**Type:** New feature  
**Service category:** User Access Management  
**Product capability:** Entitlement Management  

A new workbook has been added for surfacing audit events for application role assignment changes. [Learn more](../governance/entitlement-management-logs-and-reporting.md).

---

### General availability - Next generation Azure AD B2C user flows

**Type:** New feature  
**Service category:** B2C - Consumer Identity Management  
**Product capability:** B2B/B2C  

The new simplified user flow experience offers feature parity with preview features and is the home for all new features. Users can enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. The new, user-friendly UX also simplifies the selection and creation of user flows. Refer to [Create user flows in Azure AD B2C](../../active-directory-b2c/tutorial-create-user-flows.md?pivots=b2c-user-flow) for guidance on using this feature. [Learn more](../../active-directory-b2c/user-flow-versions.md).

---

### General availability - Azure Active Directory threat intelligence for sign-in risk

**Type:** New feature  
**Service category:** Identity Protection  
**Product capability:** Identity Security & Protection  

This new detection serves as an ad-hoc method to allow our security teams to notify you and protect your users by raising their session risk to High when we observe an attack happening. The detection will also mark the associated sign-ins as risky. This detection follows the existing Azure Active Directory threat intelligence for user risk detection to provide complete coverage of the various attacks observed by Microsoft security teams. [Learn more](../identity-protection/concept-identity-protection-risks.md#user-linked-detections).

---

### General availability - Conditional Access named locations improvements

**Type:** New feature  
**Service category:** Conditional Access  
**Product capability:** Identity Security & Protection  

IPv6 support in named locations is now generally available. Updates include:

- Added the capability to define IPv6 address ranges
- Increased limit of named locations from 90 to 195
- Increased limit of IP ranges per named location from 1200 to 2000
- Added capabilities to search and sort named locations and filter by location type and trust type
- Added the named locations a sign-in belonged to in the sign-in logs

Additionally, to prevent admins from defining problematic named locations, extra checks have been added to reduce the chance of misconfiguration. [Learn more](../conditional-access/location-condition.md).

---

### General availability - Restricted guest access permissions in Azure AD

**Type:** New feature  
**Service category:** User Management  
**Product capability:** Directory  

Directory level permissions for guest users have been updated. These permissions allow administrators to require extra restrictions and controls on external guest user access.

Admins can now add more restrictions for external guests' access to user and group profile and membership information. Also, customers can manage external user access at scale by hiding group memberships, including restricting guest users from seeing memberships of the group(s) they are in. To learn more, see [Restrict guest access permissions in Azure Active Directory](../enterprise-users/users-restrict-guest-permissions.md).
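For the named locations improvements above (IPv4 and IPv6 ranges, sign-in logs showing which named location a sign-in belonged to, and extra misconfiguration checks), here is an added example that is not Microsoft's code. The input layout follows the Graph ipNamedLocation resource (displayName, isTrusted, ipRanges[].cidrAddress); the sample locations and the "too broad" prefix thresholds are constructed assumptions, not Microsoft's own validation rules.

```python
"""Added example, not Microsoft's code: offline helpers for IPv4/IPv6 named locations.
Input layout follows the Graph ipNamedLocation resource (displayName, isTrusted,
ipRanges[].cidrAddress); the locations and the prefix thresholds are constructed."""
import ipaddress

# Constructed sample in the layout of GET /identity/conditionalAccess/namedLocations
NAMED_LOCATIONS = [
    {
        "displayName": "HQ egress",
        "isTrusted": True,
        "ipRanges": [
            {"cidrAddress": "203.0.113.0/24"},    # IPv4 documentation range (RFC 5737)
            {"cidrAddress": "2001:db8:10::/48"},  # IPv6 documentation range (RFC 3849)
        ],
    },
    {
        "displayName": "Branch VPN",
        "isTrusted": False,
        "ipRanges": [{"cidrAddress": "198.51.100.128/25"}],
    },
]

# Assumed sanity thresholds: a range broader than this is almost certainly a typo.
MIN_PREFIX_LEN = {4: 8, 6: 32}


def validate_named_location(location: dict) -> list[str]:
    """Return human-readable findings for one named location (empty list = looks sane).

    strict=True rejects ranges whose host bits are set (for example 203.0.113.5/24),
    the kind of slip the extra portal checks are meant to catch before it goes live."""
    findings = []
    name = location["displayName"]
    for entry in location["ipRanges"]:
        cidr = entry["cidrAddress"]
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"{name}: invalid range {cidr!r} ({exc})")
            continue
        if net.prefixlen < MIN_PREFIX_LEN[net.version]:
            findings.append(
                f"{name}: {cidr} is broader than /{MIN_PREFIX_LEN[net.version]} for IPv{net.version}"
            )
    return findings


def locations_for_ip(ip: str, locations: list[dict] = NAMED_LOCATIONS) -> list[str]:
    """Names of the named locations containing `ip`: the same answer the new
    named-location column in the sign-in logs gives for a sign-in from that address."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for location in locations:
        for entry in location["ipRanges"]:
            net = ipaddress.ip_network(entry["cidrAddress"], strict=False)
            if net.version == addr.version and addr in net:
                hits.append(location["displayName"])
                break  # one hit per location is enough
    return hits


def is_trusted_ip(ip: str, locations: list[dict] = NAMED_LOCATIONS) -> bool:
    """True when the address falls inside any location marked isTrusted."""
    trusted = {loc["displayName"] for loc in locations if loc["isTrusted"]}
    return any(name in trusted for name in locations_for_ip(ip, locations))


if __name__ == "__main__":
    for loc in NAMED_LOCATIONS:
        print(loc["displayName"], "->", validate_named_location(loc) or "OK")
    for sample in ("203.0.113.9", "2001:db8:10:abcd::1", "198.51.100.200", "192.0.2.1"):
        print(sample, locations_for_ip(sample), "trusted" if is_trusted_ip(sample) else "untrusted")
```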
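The enhanced Conditional Access audit logs described in the May 2021 public preview above carry a modified properties value with the old and new policy; the following added example (not Microsoft's code) turns such a record into a change summary and extracts the previous JSON for a revert. The audit record is constructed; its layout follows the Graph directoryAudit resource (targetResources[].modifiedProperties[] with displayName/oldValue/newValue, old and new policy as JSON strings), which you should treat as an assumption and confirm against your own tenant's audit output.

```python
"""Added example, not Microsoft's code: summarise a Conditional Access policy change from an
audit record's modified properties and extract the previous policy for a revert.
Record layout (assumed): Graph directoryAudit with targetResources[].modifiedProperties[],
where oldValue/newValue are the policy as JSON strings."""
import json
from typing import Any

# Constructed sample: an admin switched a policy to report-only and excluded external users.
AUDIT_RECORD = {
    "activityDisplayName": "Update conditional access policy",
    "activityDateTime": "2021-05-10T14:03:22Z",
    "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
    "targetResources": [{
        "displayName": "Require MFA for all users",
        "modifiedProperties": [{
            "displayName": "ConditionalAccessPolicy",
            "oldValue": json.dumps({
                "id": "<policy-id>",  # placeholder, not a real policy id
                "displayName": "Require MFA for all users",
                "state": "enabled",
                "conditions": {
                    "users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                },
                "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
            }),
            "newValue": json.dumps({
                "id": "<policy-id>",
                "displayName": "Require MFA for all users",
                "state": "enabledForReportingButNotEnforced",
                "conditions": {
                    "users": {"includeUsers": ["All"], "excludeUsers": ["GuestsOrExternalUsers"]},
                    "applications": {"includeApplications": ["All"]},
                },
                "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
            }),
        }],
    }],
}

# Server-managed properties that must not be sent back when restoring a policy.
READ_ONLY = {"id", "createdDateTime", "modifiedDateTime"}


def diff_policy(old: Any, new: Any, path: str = "") -> list[tuple[str, Any, Any]]:
    """Recursive comparison: (dotted path, old value, new value) for every leaf that changed."""
    if isinstance(old, dict) and isinstance(new, dict):
        changes = []
        for key in sorted(set(old) | set(new)):
            child = f"{path}.{key}" if path else key
            changes.extend(diff_policy(old.get(key), new.get(key), child))
        return changes
    return [] if old == new else [(path, old, new)]


def policy_change_summary(record: dict) -> dict:
    """Who changed which assignments, conditions or controls, plus the previous policy."""
    props = {
        p["displayName"]: p
        for target in record["targetResources"]
        for p in target.get("modifiedProperties", [])
    }
    prop = props["ConditionalAccessPolicy"]
    old, new = json.loads(prop["oldValue"]), json.loads(prop["newValue"])
    return {
        "actor": record["initiatedBy"]["user"]["userPrincipalName"],
        "when": record["activityDateTime"],
        "policy": record["targetResources"][0]["displayName"],
        "changes": diff_policy(old, new),
        "previous_policy": old,
    }


def revert_body(summary: dict) -> dict:
    """Body for PATCH /identity/conditionalAccess/policies/{id} restoring the previous version."""
    return {k: v for k, v in summary["previous_policy"].items() if k not in READ_ONLY}


if __name__ == "__main__":
    s = policy_change_summary(AUDIT_RECORD)
    print(f"{s['actor']} changed '{s['policy']}' at {s['when']}:")
    for path, before, after in s["changes"]:
        print(f"  {path}: {before!r} -> {after!r}")
    print("revert with:", json.dumps(revert_body(s)))
```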
---

### New provisioning connectors in the Azure AD Application Gallery - May 2021

**Type:** New feature  
**Service category:** Enterprise Apps  
**Product capability:** 3rd Party Integration  

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

- [AuditBoard](../saas-apps/auditboard-provisioning-tutorial.md)
- [Cisco Umbrella User Management](../saas-apps/cisco-umbrella-user-management-provisioning-tutorial.md)
- [Insite LMS](../saas-apps/insite-lms-provisioning-tutorial.md)
- [kpifire](../saas-apps/kpifire-provisioning-tutorial.md)
- [UNIFI](../saas-apps/unifi-provisioning-tutorial.md)

For more information about how to better secure your organization using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

---

### New Federated Apps available in Azure AD Application gallery - May 2021

**Type:** New feature  
**Service category:** Enterprise Apps  
**Product capability:** 3rd Party Integration  

In May 2021, we have added the following 29 new applications in our App gallery with Federation support:

[InviteDesk](https://app.invitedesk.com/login), [Webrecruit ATS](https://id-test.webrecruit.co.uk/), [Workshop](../saas-apps/workshop-tutorial.md), [Gravity Sketch](https://landingpad.me/), [JustLogin](../saas-apps/justlogin-tutorial.md), [Custellence](https://custellence.com/sso/), [WEVO](https://hello.wevoconversion.com/login), [AppTec360 MDM](https://www.apptec360.com/ms/autopilot.html), [Filemail](https://www.filemail.com/login), [Ardoq](../saas-apps/ardoq-tutorial.md), [Leadfamly](../saas-apps/leadfamly-tutorial.md), [Documo](../saas-apps/documo-tutorial.md), [Autodesk SSO](../saas-apps/autodesk-sso-tutorial.md), [Check Point Harmony Connect](../saas-apps/check-point-harmony-connect-tutorial.md), [BrightHire](https://app.brighthire.ai/), [Rescana](../saas-apps/rescana-tutorial.md), [Bluewhale](https://cloud.bluewhale.dk/), [AlacrityLaw](../saas-apps/alacritylaw-tutorial.md), [Equisolve](../saas-apps/equisolve-tutorial.md), [Zip](../saas-apps/zip-tutorial.md), [Cognician](../saas-apps/cognician-tutorial.md), [Acra](https://www.acrasuite.com/), [VaultMe](https://app.vaultme.com/#/signIn), [TAP App Security](../saas-apps/tap-app-security-tutorial.md), [Cavelo Office365 Cloud Connector](https://dashboard.prod.cavelodata.com/), [Clebex](../saas-apps/clebex-tutorial.md), [Banyan Command Center](../saas-apps/banyan-command-center-tutorial.md), [Check Point Remote Access VPN](../saas-apps/check-point-remote-access-vpn-tutorial.md), [LogMeIn](../saas-apps/logmein-tutorial.md)

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest

---

### Improved Conditional Access Messaging for Android and iOS

**Type:** Changed feature  
**Service category:** Device Registration and Management  
**Product capability:** End User Experiences  

We've updated the wording on the Conditional Access screen shown to users when they're blocked from accessing corporate resources. They'll be blocked until they enroll their device in Mobile Device Management. These improvements apply to the Android and iOS/iPadOS platforms. The following have been changed:

- "Help us keep your device secure" has changed to "Set up your device to get access"
- "Your sign-in was successful but your admin requires your device to be managed by Microsoft to access this resource." to "[Organization's name] requires you to secure this device before you can access [organization's name] email, files, and data."
- "Enroll Now" to "Continue"

The information in [Enroll your Android enterprise device](https://support.microsoft.com/topic/enroll-your-android-enterprise-device-d661c82d-fa28-5dfd-b711-6dff41ae83bb) is out of date.
---

### Azure Information Protection service will begin asking for consent

**Type:** Changed feature  
**Service category:** Authentications (Logins)  
**Product capability:** User Authentication  

The Azure Information Protection service signs users into the tenant that encrypted the document as part of providing access to the document. Starting in June, Azure AD will begin prompting the user for consent when this access is given across organizations. This ensures that the user understands that the organization that owns the document will collect some information about the user as part of the document access. [Learn more](/azure/information-protection/known-issues#sharing-external-doc-types-across-tenants).

---

### Provisioning logs schema change impacting Graph API and Azure Monitor integration

**Type:** Changed feature  
**Service category:** App Provisioning  
**Product capability:** Monitoring & Reporting  

The attributes "Action" and "statusInfo" will be changed to "provisioningAction" and "provisioningStatusInfo". Update any scripts that you have created using the [provisioning logs Graph API](/graph/api/resources/provisioningobjectsummary) or [Azure Monitor integrations](../app-provisioning/application-provisioning-log-analytics.md).

---

### New ARM API to manage PIM for Azure Resources and Azure AD roles

**Type:** Changed feature  
**Service category:** Privileged Identity Management  
**Product capability:** Privileged Identity Management  

An updated version of the PIM API for Azure Resource roles and Azure AD roles has been released. The PIM API for Azure Resource roles is now released under the ARM API standard, which aligns with the role management API for regular Azure role assignment. The PIM API for Azure AD roles is released under the Graph API, aligned with the unifiedRoleManagement APIs.
Some of the benefits of this change include:

- Alignment of the PIM API with objects in ARM and Graph for role management
- Reducing the need to call PIM to onboard new Azure resources
- All Azure resources automatically work with the new PIM API
- Reducing the need to call PIM for role definitions or keeping a PIM resource ID
- Supporting app-only API permissions in PIM for both Azure AD and Azure Resource roles

A previous version of the PIM API under `/privilegedaccess` will continue to function, but we recommend that you move to this new API going forward. [Learn more](../privileged-identity-management/pim-apis.md).

---

### Revision of roles in Azure AD entitlement management

**Type:** Changed feature  
**Service category:** Roles  
**Product capability:** Entitlement Management  

A new role, Identity Governance Administrator, has recently been introduced. This role will be the replacement for the User Administrator role in managing catalogs and access packages in Azure AD entitlement management. If you have assigned administrators to the User Administrator role or have them activate this role to manage access packages in Azure AD entitlement management, switch to the Identity Governance Administrator role instead. The User Administrator role will no longer provide administrative rights to catalogs or access packages. [Learn more](../governance/identity-governance-overview.md#appendixleast-privileged-roles-for-managing-in-identity-governance-features).

---

## April 2021

### Bug fixed - Azure AD will no longer double-encode the state parameter in responses

**Type:** Fixed  
**Service category:** Authentications (Logins)  
**Product capability:** User Authentication  

Azure AD has identified, tested, and released a fix for a bug in the `/authorize` response to a client application. Azure AD was incorrectly URL encoding the `state` parameter twice when sending responses back to the client. This can cause a client application to reject the request, due to a mismatch in state parameters. [Learn more](../develop/reference-breaking-changes.md#bug-fix-azure-ad-will-no-longer-url-encode-the-state-parameter-twice).

---

### Users can only create security and Microsoft 365 groups in Azure portal being deprecated

**Type:** Plan for change  
**Service category:** Group Management  
**Product capability:** Directory  

Users will no longer be limited to creating security and Microsoft 365 groups only in the Azure portal. The new setting will allow users to create security groups in the Azure portal, PowerShell, and API. Users will be required to verify and update the new setting. [Learn more](../enterprise-users/groups-self-service-management.md).

---

### Public preview - External Identities Self-Service Sign-up in Azure AD using Email One-Time Passcode accounts

**Type:** New feature  
**Service category:** B2B  
**Product capability:** B2B/B2C  

External users can now use Email One-Time Passcode accounts to sign up or sign in to Azure AD 1st party and line-of-business applications. [Learn more](../external-identities/one-time-passcode.md).

---

### General availability - External Identities Self-Service Sign Up

**Type:** New feature  
**Service category:** B2B  
**Product capability:** B2B/B2C  

Self-service sign-up for external users is now in general availability. With this new feature, external users can now self-service sign up to an application.

You can create customized experiences for these external users, including collecting information about your users during the registration process and allowing external identity providers like Facebook and Google. You can also integrate with third-party cloud providers for various functionalities like identity verification or approval of users. [Learn more](../external-identities/self-service-sign-up-overview.md).
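For the `state` double-encoding bug fixed under April 2021 above, here is an added example (not Microsoft's code) of the client-side check that the bug tripped: the client stores a `state` value for the session, sends it on the authorization request, and compares the value echoed back on the redirect. The redirect is simulated locally with a constructed redirect URI and authorization code, so nothing contacts the real endpoint; only the URL shape of the authorization request is Azure AD's.

```python
"""Added example, not Microsoft's code: how an OAuth 2.0 client checks the `state`
parameter on the /authorize redirect, and why double percent-encoding made a correct
client reject the response. The redirect back to the client is simulated locally."""
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse


def new_state() -> str:
    """Unguessable per-request value; the client stores it in the user's session."""
    return secrets.token_urlsafe(24)


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Constructed authorization request; a real client also sends scope, nonce and PKCE."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def simulate_redirect(redirect_uri: str, code: str, state: str, double_encode: bool) -> str:
    """Simulated redirect to the client. double_encode=True reproduces the bug: the already
    percent-encoded state value is percent-encoded a second time before being sent."""
    encoded_state = quote(state, safe="")
    if double_encode:
        encoded_state = quote(encoded_state, safe="")
    return f"{redirect_uri}?code={quote(code, safe='')}&state={encoded_state}"


def validate_callback(callback_url: str, expected_state: str) -> bool:
    """The state echoed back must equal the value stored in the session.

    parse_qs decodes exactly once, which is what a correct client does; decoding repeatedly
    until the value 'looks right' would weaken the CSRF protection the check provides."""
    received = parse_qs(urlparse(callback_url).query).get("state", [None])[0]
    if received is None:
        return False
    return secrets.compare_digest(received.encode(), expected_state.encode())


if __name__ == "__main__":
    # States carrying reserved characters (JSON, base64 padding, return paths) are the
    # ones the double encoding broke; purely URL-safe tokens like new_state() were unaffected.
    state = "return_to=/dashboard?tab=1"
    print(build_authorize_url("common", "<client-id>", "https://app.example/callback", state))
    good = simulate_redirect("https://app.example/callback", "AQABAAIAAAD", state, double_encode=False)
    bad = simulate_redirect("https://app.example/callback", "AQABAAIAAAD", state, double_encode=True)
    print("fixed behaviour accepted:", validate_callback(good, state))  # True
    print("double-encoded accepted:", validate_callback(bad, state))    # False
```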
- ---### General availability - Azure AD B2C Phone Sign-up and Sign-in using Built-in Policy --**Type:** New feature -**Service category:** B2C - Consumer Identity Management -**Product capability:** B2B/B2C - -B2C Phone Sign-up and Sign-in using a built-in policy enable IT administrators and developers of organizations to allow their end-users to sign in and sign up using a phone number in user flows. With this feature, disclaimer links such as privacy policy and terms of use can be customized and shown on the page before the end-user proceeds to receive the one-time passcode via text message. [Learn more](../../active-directory-b2c/phone-authentication-user-flows.md). - ---### New Federated Apps available in Azure AD Application gallery - April 2021 --**Type:** New feature -**Service category:** Enterprise Apps -**Product capability:** 3rd Party Integration --In April 2021, we have added following 31 new applications in our App gallery with Federation support --[Zii Travel Azure AD Connect](https://azuremarketplace.microsoft.com/marketplace/apps/aad.ziitravelazureadconnect?tab=Overview), [Cerby](../saas-apps/cerby-tutorial.md), [Selflessly](https://app.selflessly.io/sign-in), [Apollo CX](https://apollo.cxlabs.de/sso/aad), [Pedagoo](https://account.pedagoo.com/), [Measureup](https://account.measureup.com/), [ProcessUnity](../saas-apps/processunity-tutorial.md), [Cisco Intersight](../saas-apps/cisco-intersight-tutorial.md), [Codility](../saas-apps/codility-tutorial.md), [H5mag](https://account.h5mag.com/auth/request-access/ms365), [Check Point Identity Awareness](../saas-apps/check-point-identity-awareness-tutorial.md), [Jarvis](https://jarvis.live/login), [desknet's NEO](../saas-apps/desknets-neo-tutorial.md), [SDS & Chemical Information Management](../saas-apps/sds-chemical-information-management-tutorial.md), [Wúru App](../saas-apps/wuru-app-tutorial.md), [Holmes](../saas-apps/holmes-tutorial.md), 
[Telenor](https://www.telenor.no/kundeservice/internett/wifi/administrere-ruter/), [Yooz US](https://us1.getyooz.com/?kc_idp_hint=microsoft), [Mooncamp](https://app.mooncamp.com/#/login), [inwise SSO](https://app.inwise.com/defaultsso.aspx), [Ecolab Digital Solutions](https://ecolabb2c.b2clogin.com/account.ecolab.com/oauth2/v2.0/authorize?p=B2C_1A_Connect_OIDC_SignIn&client_id=01281626-dbed-4405-a430-66457825d361&nonce=defaultNonce&redirect_uri=https://jwt.ms&scope=openid&response_type=id_token&prompt=login), [Taguchi Digital Marketing System](https://login.taguchi.com.au/), [XpressDox EU Cloud](https://test.xpressdox.com/Authentication/Login.aspx), [EZSSH Client](https://portal.ezssh.io/signup), [KPN Grip](https://www.grip-on-it.com/), [AddressLook](https://portal.bbsonlineservices.net/Manage/AddressLook), [Cornerstone Single Sign-On](../saas-apps/cornerstone-ondemand-tutorial.md) --You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial --For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest ----### New provisioning connectors in the Azure AD Application Gallery - April 2021 --**Type:** New feature -**Service category:** App Provisioning -**Product capability:** 3rd Party Integration - -You can now automate creating, updating, and deleting user accounts for these newly integrated apps: --- [Bentley - Automatic User Provisioning](../saas-apps/bentley-automatic-user-provisioning-tutorial.md)-- [Boxcryptor](../saas-apps/boxcryptor-provisioning-tutorial.md)-- [BrowserStack Single Sign-on](../saas-apps/browserstack-single-sign-on-provisioning-tutorial.md)-- [Eletive](../saas-apps/eletive-provisioning-tutorial.md)-- [Jostle](../saas-apps/jostle-provisioning-tutorial.md)-- [Olfeo SAAS](../saas-apps/olfeo-saas-provisioning-tutorial.md)-- [Proware](../saas-apps/proware-provisioning-tutorial.md)-- [Segment](../saas-apps/segment-provisioning-tutorial.md)--For more information 
about how to better secure your organization with automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

---

### Introducing new versions of page layouts for B2C

**Type:** Changed feature
**Service category:** B2C - Consumer Identity Management
**Product capability:** B2B/B2C

The [page layouts](../../active-directory-b2c/page-layout.md) for B2C scenarios in Azure AD B2C have been updated to reduce security risk by moving to new versions of jQuery and Handlebars.js.

---

### Updates to Sign-in Diagnostic

**Type:** Changed feature
**Service category:** Reporting
**Product capability:** Monitoring & Reporting

The scenario coverage of the Sign-in Diagnostic tool has increased.

With this update, the following event-related scenarios are now included in the sign-in diagnosis results:

- Enterprise Applications configuration problem events.
- Enterprise Applications service provider (application-side) events.
- Incorrect credentials events.

These results show contextual and relevant details about the event and the actions to take to resolve the problem. For scenarios where deep contextual diagnostics aren't available, Sign-in Diagnostic presents more descriptive content about the error event.

For more information, see [What is sign-in diagnostic in Azure AD?](../reports-monitoring/overview-sign-in-diagnostics.md)

---

### Azure AD Connect cloud sync general availability refresh

**Type:** Changed feature
**Service category:** Azure AD Connect Cloud Sync
**Product capability:** Directory

Azure AD Connect cloud sync now has an updated agent (version 1.1.359). For details on agent updates, including bug fixes, check out the [version history](../cloud-sync/reference-version-history.md). With the updated agent, cloud sync customers can use gMSA cmdlets to set and reset their gMSA permissions at a granular level.
In addition, the limit on the number of members synced with group scope filtering has been raised from 1,499 to 50,000.

Check out the newly available [expression builder](../cloud-sync/how-to-expression-builder.md#deploy-the-expression) for cloud sync, which helps you build both simple and complex expressions when you transform attribute values from AD to Azure AD using attribute mapping.

---

## March 2021

### Guidance on how to enable support for TLS 1.2 in your environment, in preparation for upcoming Azure AD TLS 1.0/1.1 deprecation

**Type:** Plan for change
**Service category:** N/A
**Product capability:** Standards

Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting June 30, 2021:

- TLS 1.0
- TLS 1.1
- 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)

Affected environments include:

- Azure Commercial Cloud
- Office 365 GCC and WW

For more information, see [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment).

---

### Public preview - Azure AD Entitlement management now supports multi-geo SharePoint Online

**Type:** New feature
**Service category:** Other
**Product capability:** Entitlement Management

For organizations using multi-geo SharePoint Online, you can now include sites from specific multi-geo environments in your Entitlement management access packages. [Learn more](../governance/entitlement-management-catalog-create.md#add-a-multi-geo-sharepoint-site).

---

### Public preview - Restore deleted apps from App registrations

**Type:** New feature
**Service category:** Other
**Product capability:** Developer Experience

Customers can now view, restore, and permanently remove deleted app registrations from the Azure portal. This applies only to applications associated with a directory, not applications from a personal Microsoft account.
[Learn more](../develop/howto-restore-app.md).

---

### Public preview - New "User action" in Conditional Access for registering or joining devices

**Type:** New feature
**Service category:** Conditional Access
**Product capability:** Identity Security & Protection

A new user action called "Register or join devices" is available in Conditional Access. This user action lets you control Azure AD Multi-Factor Authentication (MFA) policies for Azure AD device registration.

Currently, this user action only lets you require Azure AD MFA as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration are disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions).

---

### Public preview - Optimize connector groups to use the closest Application Proxy cloud service

**Type:** New feature
**Service category:** App Proxy
**Product capability:** Access Control

With this new capability, connector groups can be assigned to the regional Application Proxy service closest to where an application is hosted. This can improve app performance in scenarios where apps are hosted in regions other than the home tenant's region. [Learn more](../app-proxy/application-proxy-network-topology.md#optimize-connector-groups-to-use-closest-application-proxy-cloud-service).

---

### Public preview - External Identities Self-Service Sign up in Azure AD using Email One-Time Passcode accounts

**Type:** New feature
**Service category:** B2B
**Product capability:** B2B/B2C

External users can now use Email One-Time Passcode accounts to sign up for Azure AD first-party and line-of-business (LOB) apps. [Learn more](../external-identities/one-time-passcode.md).
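The TLS 1.0/1.1 and 3DES deprecation entry above (March 2021, "Plan for change") points at the linked guidance for preparing Windows hosts. The PowerShell below is an added example, not code from the Azure AD docs: it audits the Schannel and .NET Framework registry values that guidance relies on and can apply them. The registry paths and value names are the ones Microsoft documents for Schannel protocol/cipher control and for .NET strong crypto; the function names and the `$checks` table are this example's own.

```powershell
# Added example (not from the Azure AD release notes): audit, and optionally set,
# the registry values that stop .NET and Schannel clients on this host from
# negotiating TLS 1.0/1.1 or 3DES with Azure AD. Reading works as a normal user;
# applying requires an elevated (Administrator) session.

$checks = @(
    # .NET Framework 4.x: defer to the OS protocol list and use strong crypto
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SystemDefaultTlsVersions'; Want = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto';       Want = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SystemDefaultTlsVersions'; Want = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';       Want = 1 }
    # Schannel: make sure the TLS 1.2 client side is enabled and on by default
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'Enabled';           Want = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'DisabledByDefault'; Want = 0 }
    # Schannel: switch off the 3DES cipher that is being retired
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'; Name = 'Enabled'; Want = 0 }
)

function Test-Tls12Readiness {
    # One row per check; a missing key or value shows as $null in Actual.
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Path   = $c.Path
            Name   = $c.Name
            Actual = $actual
            Wanted = $c.Want
            Ok     = ($actual -eq $c.Want)
        }
    }
}

function Enable-Tls12Readiness {
    # Creates intermediate keys (e.g. 'TLS 1.2\Client') when they do not exist yet.
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
    }
}

# Report first; apply only after reviewing what will change, then reboot for Schannel.
Test-Tls12Readiness | Format-Table -AutoSize
# Enable-Tls12Readiness

# For scripts in the current session that call Azure AD or Microsoft Graph, pin TLS 1.2 explicitly:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```

Schannel reads the protocol and cipher keys at service start, so a reboot is needed for those rows to take effect; the .NET values apply to newly started processes. Applications that ship their own TLS stack (Java, OpenSSL-based tools) are not covered by these keys and need their own configuration.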

---

### Public preview - Availability of AD FS sign-ins in Azure AD

**Type:** New feature
**Service category:** Authentications (Logins)
**Product capability:** Monitoring & Reporting

AD FS sign-in activity can now be integrated with Azure AD activity reporting, providing a unified view of the hybrid identity infrastructure. Using the Azure AD sign-ins report, Log Analytics, and Azure Monitor Workbooks, you can do in-depth analysis of both Azure AD and AD FS sign-in scenarios such as AD FS account lockouts, bad password attempts, and spikes of unexpected sign-in attempts.

To learn more, visit [AD FS sign-ins in Azure AD with Connect Health](../hybrid/how-to-connect-health-ad-fs-sign-in.md).

---

### General availability - Staged rollout to cloud authentication

**Type:** New feature
**Service category:** AD Connect
**Product capability:** User Authentication

Staged rollout to cloud authentication is now generally available. The staged rollout feature lets you selectively test groups of users with cloud authentication methods, such as Pass-through Authentication (PTA) or Password Hash Sync (PHS), while all other users in the federated domains continue to authenticate through federation services such as AD FS. [Learn more](../hybrid/how-to-connect-staged-rollout.md).

---

### General availability - User Type attribute can now be updated in the Azure admin portal

**Type:** New feature
**Service category:** User Experience and Management
**Product capability:** User Management

Customers can now update the user type of Azure AD users when they update user profile information in the Azure admin portal. The user type can also be updated from Microsoft Graph. To learn more, see [Add or update user profile information](active-directory-users-profile-azure-portal.md).
---

### General availability - Replica Sets for Azure Active Directory Domain Services

**Type:** New feature
**Service category:** Azure AD Domain Services
**Product capability:** Azure AD Domain Services

Replica sets in Azure AD DS are now generally available. [Learn more](../../active-directory-domain-services/concepts-replica-sets.md).

---

### General availability - Collaborate with your partners using Email One-Time Passcode in the Azure Government cloud

**Type:** New feature
**Service category:** B2B
**Product capability:** B2B/B2C

Organizations in the Microsoft Azure Government cloud can now enable their guests to redeem invitations with Email One-Time Passcode. This ensures that guest users in the Azure Government cloud who have no Azure AD, Microsoft, or Gmail account can still collaborate with their partners by requesting and entering a temporary code to sign in to shared resources. [Learn more](../external-identities/one-time-passcode.md).

---

### New Federated Apps available in Azure AD Application gallery - March 2021

**Type:** New feature
**Service category:** Enterprise Apps
**Product capability:** 3rd Party Integration

In March 2021, we added the following 37 new applications to our App gallery with Federation support:

[Bambuser Live Video Shopping](https://lcx.bambuser.com/), [DeepDyve Inc](https://www.deepdyve.com/azure-sso), [Moqups](../saas-apps/moqups-tutorial.md), [RICOH Spaces Mobile](https://ricohspaces.app/welcome), [Flipgrid](https://auth.flipgrid.com/), [hCaptcha Enterprise](../saas-apps/hcaptcha-enterprise-tutorial.md), [SchoolStream ASA](https://www.ssk12.com/), [TransPerfect GlobalLink Dashboard](../saas-apps/transperfect-globallink-dashboard-tutorial.md), [SimplificaCI](https://app.simplificaci.com.br/), [Thrive LXP](../saas-apps/thrive-lxp-tutorial.md), [Lexonis TalentScape](../saas-apps/lexonis-talentscape-tutorial.md), [Exium](../saas-apps/exium-tutorial.md),
[Sapient](../saas-apps/sapient-tutorial.md), [TrueChoice](../saas-apps/truechoice-tutorial.md), [RICOH Spaces](https://ricohspaces.app/welcome), [Saba Cloud](../saas-apps/learning-at-work-tutorial.md), [Acunetix 360](../saas-apps/acunetix-360-tutorial.md), [Exceed.ai](../saas-apps/exceed-ai-tutorial.md), [GitHub Enterprise Managed User](../saas-apps/github-enterprise-managed-user-tutorial.md), [Enterprise Vault.cloud for Outlook](https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile%20User.Read&client_id=7176efe5-e954-4aed-b5c8-f5c85a980d3a&nonce=4b9e1981-1bcb-4938-a283-86f6931dc8cb), [Smartlook](../saas-apps/smartlook-tutorial.md), [Accenture Academy](../saas-apps/accenture-academy-tutorial.md), [Onshape](../saas-apps/onshape-tutorial.md), [Tradeshift](../saas-apps/tradeshift-tutorial.md), [JuriBlox](../saas-apps/juriblox-tutorial.md), [SecurityStudio](../saas-apps/securitystudio-tutorial.md), [ClicData](https://app.clicdata.com/), [Evergreen](../saas-apps/evergreen-tutorial.md), [Patchdeck](https://patchdeck.com/ad_auth/authenticate/), [FAX.PLUS](../saas-apps/fax-plus-tutorial.md), [ValidSign](../saas-apps/validsign-tutorial.md), [AWS Single Sign-on](../saas-apps/aws-single-sign-on-tutorial.md), [Nura Space](https://dashboard.nuraspace.com/login), [Broadcom DX SaaS](../saas-apps/broadcom-dx-saas-tutorial.md), [Interplay Learning](https://skilledtrades.interplaylearning.com/#login), [SendPro Enterprise](../saas-apps/sendpro-enterprise-tutorial.md), [FortiSASE SIA](../saas-apps/fortisase-sia-tutorial.md)

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest

---

### New provisioning connectors in the Azure AD Application Gallery - March 2021

**Type:** New feature
**Service category:** App Provisioning
**Product capability:** 3rd Party Integration

You
can now automate creating, updating, and deleting user accounts for these newly integrated apps:

- [AWS Single Sign-on](../saas-apps/aws-single-sign-on-provisioning-tutorial.md)
- [Bpanda](../saas-apps/bpanda-provisioning-tutorial.md)
- [Britive](../saas-apps/britive-provisioning-tutorial.md)
- [GitHub Enterprise Managed User](../saas-apps/github-enterprise-managed-user-provisioning-tutorial.md)
- [Grammarly](../saas-apps/grammarly-provisioning-tutorial.md)
- [LogicGate](../saas-apps/logicgate-provisioning-tutorial.md)
- [SecureLogin](../saas-apps/secure-login-provisioning-tutorial.md)
- [TravelPerk](../saas-apps/travelperk-provisioning-tutorial.md)

For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

---

### Introducing MS Graph API for Company Branding

**Type:** Changed feature
**Service category:** MS Graph
**Product capability:** B2B/B2C

The [MS Graph API for Company Branding](/graph/api/resources/organizationalbrandingproperties) is available for the Azure AD and Microsoft 365 sign-in experience, so that branding parameters can be managed programmatically.

---

### General availability - Header-based authentication SSO with Application Proxy

**Type:** Changed feature
**Service category:** App Proxy
**Product capability:** Access Control

Azure AD Application Proxy native support for header-based authentication is now generally available. With this feature, you can configure the user attributes the application requires as HTTP headers without deploying additional components. [Learn more](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md).

---

### Two-way SMS for MFA Server is no longer supported

**Type:** Deprecated
**Service category:** MFA
**Product capability:** Identity Security & Protection

Two-way SMS for MFA Server was originally deprecated in 2018 and isn't supported after February 24, 2021. Administrators should enable another method for users who still use two-way SMS.

Email notifications and Azure portal Service Health notifications were sent to affected admins on December 8, 2020 and January 28, 2021. The alerts went to the Owner, Co-Owner, Admin, and Service Admin RBAC roles tied to the subscriptions. [Learn more](../authentication/how-to-authentication-two-way-sms-unsupported.md).

---

## February 2021

### Email one-time passcode authentication on by default starting October 2021

**Type:** Plan for change
**Service category:** B2B
**Product capability:** B2B/B2C

Starting October 31, 2021, Microsoft Azure Active Directory [email one-time passcode authentication](../external-identities/one-time-passcode.md) will become the default method for inviting accounts and tenants for B2B collaboration scenarios. At that time, Microsoft will no longer allow the redemption of invitations using unmanaged Azure Active Directory accounts.

---

### Unrequested but consented permissions will no longer be added to tokens if they would trigger Conditional Access

**Type:** Plan for change
**Service category:** Authentications (Logins)
**Product capability:** Platform

Currently, applications using [dynamic permissions](../develop/v2-permissions-and-consent.md#requesting-individual-user-consent) are given all of the permissions they have been consented for, including permissions the app didn't request in the current sign-in, even when those permissions trigger Conditional Access. For example, an app that requests only `user.read` but also holds consent for `files.read` is forced to satisfy the Conditional Access policy assigned to `files.read`.

To reduce the number of unnecessary Conditional Access prompts, Azure AD is changing the way unrequested scopes are provided to applications. Apps will only trigger Conditional Access for the permissions they explicitly request. For more information, read [What's new in authentication](../develop/reference-breaking-changes.md#conditional-access-will-only-trigger-for-explicitly-requested-scopes).

---

### Public preview - Use a Temporary Access Pass to register Passwordless credentials

**Type:** New feature
**Service category:** MFA
**Product capability:** Identity Security & Protection

Temporary Access Pass is a time-limited passcode that serves as a strong credential. It allows onboarding of Passwordless credentials, and recovery when a user has lost or forgotten their strong authentication factor (for example, a FIDO2 security key or the Microsoft Authenticator app) and needs to sign in to register new strong authentication methods. [Learn more](../authentication/howto-authentication-temporary-access-pass.md).

---

### Public preview - Keep me signed in (KMSI) in next generation of user flows

**Type:** New feature
**Service category:** B2C - Consumer Identity Management
**Product capability:** B2B/B2C

The next generation of B2C user flows now supports the [keep me signed in (KMSI)](../../active-directory-b2c/session-behavior.md?pivots=b2c-custom-policy#enable-keep-me-signed-in-kmsi) functionality, which lets customers extend the session lifetime for users of their web and native applications by using a persistent cookie. The feature keeps the session active even when the user closes and reopens the browser, and the session is revoked when the user signs out.
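The "unrequested but consented permissions" entry above describes a token carrying scopes the app never asked for. A practical way to see which behavior a tenant is getting is to decode the access token and diff its `scp` claim against the scopes the app requested. The following PowerShell is an added example, not code from the Azure AD docs: the base64url and JWT helpers are the example's own, and the token at the bottom is a constructed, unsigned sample built inline so the script runs offline (a real token from MSAL or `jwt.ms` has the same three-part shape).

```powershell
# Added example (not from the Azure AD release notes): decode an access token's
# payload and compare the delegated scopes it carries (the 'scp' claim) with the
# scopes the app actually requested. The token built at the bottom is a
# CONSTRUCTED, unsigned sample; never paste real tokens into shared scripts.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments are base64url without padding; restore standard base64 first.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtScopes {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # Delegated permissions are a space-separated string in 'scp';
    # application (app-only) permissions are listed in 'roles' instead.
    if ($claims.scp) { return @($claims.scp -split ' ') }
    return @()
}

function Compare-RequestedScopes {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$Requested
    )
    $issued = Get-JwtScopes -Token $Token
    [pscustomobject]@{
        Issued      = $issued
        Unrequested = @($issued    | Where-Object { $_ -notin $Requested })   # consented, but not asked for
        Missing     = @($Requested | Where-Object { $_ -notin $issued })      # asked for, but not granted
    }
}

# Constructed sample: the app requested only User.Read, but the user had
# previously consented to Files.Read as well, so the old behavior put both
# scopes in the token (and the Conditional Access policy on Files.Read applied).
$header      = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$payload     = ConvertTo-Base64Url '{"aud":"https://graph.microsoft.com","scp":"User.Read Files.Read"}'
$sampleToken = ($header, $payload, '') -join '.'

Compare-RequestedScopes -Token $sampleToken -Requested 'User.Read' | Format-List
```

Decoding only reads the payload; it does not validate the signature, so use this for inspection, not for authorization decisions. After the change described above, `Unrequested` for a real token should be empty whenever the extra scopes are gated by Conditional Access; scopes without such a policy may still be included.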

---

### Public preview - Reset redemption status for a guest user

**Type:** New feature
**Service category:** B2B
**Product capability:** B2B/B2C

Customers can now reinvite existing external guest users to reset their redemption status, which lets the guest keep their account and access. [Learn more](../external-identities/reset-redemption-status.md).

---

### Public preview - /synchronization (provisioning) APIs now support application permissions

**Type:** New feature
**Service category:** App Provisioning
**Product capability:** Identity Lifecycle Management

Customers can now use `Application.ReadWrite.OwnedBy` as an application permission to call the synchronization APIs. Note that this is only supported for provisioning from Azure AD out to third-party applications (for example, AWS or Databricks). It's currently not supported for HR provisioning (Workday, SuccessFactors) or Cloud Sync (AD to Azure AD). [Learn more](/graph/api/resources/provisioningobjectsummary).

---

### General availability - Authentication Policy Administrator built-in role

**Type:** New feature
**Service category:** RBAC
**Product capability:** Access Control

Users with this role can configure the authentication methods policy, tenant-wide MFA settings, and the password protection policy. This role grants permission to manage Password Protection settings: smart lockout configuration and updating the custom banned passwords list. [Learn more](../roles/permissions-reference.md#authentication-policy-administrator).

---

### General availability - User collections on My Apps are available now!

**Type:** New feature
**Service category:** My Apps
**Product capability:** End User Experiences

Users can now create their own groupings of apps on the My Apps app launcher. They can also reorder and hide collections shared with them by their administrator. [Learn more](../user-help/my-apps-portal-user-collections.md).

---

### General availability - Autofill in Authenticator

**Type:** New feature
**Service category:** Microsoft Authenticator App
**Product capability:** Identity Security & Protection

Microsoft Authenticator provides multifactor authentication and account management capabilities, and now also autofills passwords on sites and apps users visit on their mobile devices (iOS and Android).

To use autofill in Authenticator, users need to add their personal Microsoft account to Authenticator and use it to sync their passwords. Work or school accounts can't be used to sync passwords at this time. [Learn more](../user-help/user-help-auth-app-faq.md#autofill-for-it-admins).

---

### General availability - Invite internal users to B2B collaboration

**Type:** New feature
**Service category:** B2B
**Product capability:** B2B/B2C

Customers can now invite existing internal users to use B2B collaboration, instead of creating a separate guest account for them. This allows customers to keep that user's object ID, UPN, group memberships, and app assignments. [Learn more](../external-identities/invite-internal-users.md).

---

### General availability - Domain Name Administrator built-in role

**Type:** New feature
**Service category:** RBAC
**Product capability:** Access Control

Users with this role can manage (read, add, verify, update, and delete) domain names. They can also read directory information about users, groups, and applications, as these objects have domain dependencies.

For on-premises environments, users with this role can configure domain names for federation so that associated users are always authenticated on-premises. These users can then sign in to Azure AD-based services with their on-premises passwords via single sign-on. Federation settings need to be synced via Azure AD Connect, so users with this role also have permissions to manage Azure AD Connect. [Learn more](../roles/permissions-reference.md#domain-name-administrator).
---

### New Federated Apps available in Azure AD Application gallery - February 2021

**Type:** New feature
**Service category:** Enterprise Apps
**Product capability:** 3rd Party Integration

In February 2021, we added the following 37 new applications to our App gallery with Federation support:

[Loop Messenger Extension](https://loopworks.com/loop-flow-messenger/), [Silverfort Azure AD Adapter](http://www.silverfort.com/), [Interplay Learning](https://skilledtrades.interplaylearning.com/#login), [Nura Space](https://dashboard.nuraspace.com/login), [Yooz EU](https://eu1.getyooz.com/?kc_idp_hint=microsoft), [UXPressia](https://uxpressia.com/users/sign-in), [introDus Pre- and Onboarding Platform](http://app.introdus.dk/login), [Happybot](https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=34353e1e-dfe5-4d2f-bb09-2a5e376270c8&response_type=code&redirect_uri=https://api.happyteams.io/microsoft/integrate&response_mode=query&scope=offline_access%20User.Read%20User.Read.All), [LeaksID](https://leaksid.com/), [ShiftWizard](http://www.shiftwizard.com/), [PingFlow SSO](https://app.pingview.io/), [Swiftlane](https://admin.swiftlane.com/login), [Quasydoc SSO](https://www.quasydoc.eu/login), [Fenwick Gold Account](https://businesscentral.dynamics.com/), [SeamlessDesk](https://www.seamlessdesk.com/login), [Learnsoft LMS & TMS](http://www.learnsoft.com/), [P-TH+](https://p-th.jp/), [myViewBoard](https://api.myviewboard.com/auth/microsoft/), [Tartabit IoT Bridge](https://bridge-us.tartabit.com/), [AKASHI](../saas-apps/akashi-tutorial.md), [Rewatch](../saas-apps/rewatch-tutorial.md), [Zuddl](../saas-apps/zuddl-tutorial.md), [Parkalot - Car park management](../saas-apps/parkalot-car-park-management-tutorial.md), [HSB ThoughtSpot](../saas-apps/hsb-thoughtspot-tutorial.md), [IBMid](../saas-apps/ibmid-tutorial.md), [SharingCloud](../saas-apps/sharingcloud-tutorial.md), [PoolParty Semantic Suite](../saas-apps/poolparty-semantic-suite-tutorial.md),
[GlobeSmart](../saas-apps/globesmart-tutorial.md), [Samsung Knox and Business Services](../saas-apps/samsung-knox-and-business-services-tutorial.md), [Penji](../saas-apps/penji-tutorial.md), [Kendis- Scaling Agile Platform](../saas-apps/kendis-scaling-agile-platform-tutorial.md), [Maptician](../saas-apps/maptician-tutorial.md), [Olfeo SAAS](../saas-apps/olfeo-saas-tutorial.md), [Sigma Computing](../saas-apps/sigma-computing-tutorial.md), [CloudKnox Permissions Management Platform](../saas-apps/cloudknox-permissions-management-platform-tutorial.md), [Klaxoon SAML](../saas-apps/klaxoon-saml-tutorial.md), [Enablon](../saas-apps/enablon-tutorial.md)

You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial

For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest

---

### New provisioning connectors in the Azure AD Application Gallery - February 2021

**Type:** New feature
**Service category:** App Provisioning
**Product capability:** 3rd Party Integration

You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

- [Atea](../saas-apps/atea-provisioning-tutorial.md)
- [Getabstract](../saas-apps/getabstract-provisioning-tutorial.md)
- [HelloID](../saas-apps/helloid-provisioning-tutorial.md)
- [Hoxhunt](../saas-apps/hoxhunt-provisioning-tutorial.md)
- [Iris Intranet](../saas-apps/iris-intranet-provisioning-tutorial.md)
- [Preciate](../saas-apps/preciate-provisioning-tutorial.md)

For more information, read [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

---

### General availability - 10 Azure Active Directory roles now renamed

**Type:** Changed feature
**Service category:** RBAC
**Product capability:** Access Control

10 Azure AD built-in roles have been renamed so that they're aligned across the [Microsoft 365 admin center](/microsoft-365/admin/microsoft-365-admin-center-preview), [Azure portal](https://portal.azure.com/), and [Microsoft Graph](https://developer.microsoft.com/graph/). To learn more about the new role names, refer to [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#all-roles).

---

### New Company Branding in multifactor authentication (MFA)/SSPR Combined Registration

**Type:** Changed feature
**Service category:** User Experience and Management
**Product capability:** End User Experiences

In the past, company logos weren't used on Azure Active Directory sign-in pages. Company branding is now shown at the top left of multifactor authentication (MFA)/SSPR Combined Registration. Company branding is also included on My sign-ins and the Security Info page. [Learn more](../fundamentals/customize-branding.md).

---

### General availability - Second level manager can be set as alternate approver

**Type:** Changed feature
**Service category:** User Access Management
**Product capability:** Entitlement Management

An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you have another option, "Second level manager as alternate approver", available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. [Learn more](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers).
---

### Authentication Methods Activity Dashboard

**Type:** Changed feature
**Service category:** Reporting
**Product capability:** Monitoring & Reporting

The refreshed Authentication Methods Activity dashboard gives admins an overview of authentication method registration and usage activity in their tenant. The report summarizes the number of users registered for each method, and also which methods are used during sign-in and password reset. [Learn more](../authentication/howto-authentication-methods-activity.md).

---

### Refresh and session token lifetimes configurability in Configurable Token Lifetime (CTL) are retired

**Type:** Deprecated
**Service category:** Other
**Product capability:** User Authentication

Refresh and session token lifetime configurability in CTL is retired. Azure Active Directory no longer honors the refresh and session token settings in existing policies. [Learn more](../develop/configurable-token-lifetimes.md#token-lifetime-policies-for-refresh-tokens-and-session-tokens).

---

## January 2021

### Secret token will be a mandatory field when configuring provisioning

**Type:** Plan for change
**Service category:** App Provisioning
**Product capability:** Identity Lifecycle Management

In the past, the secret token field could be left empty when setting up provisioning on a custom (BYOA) application. This was intended solely for testing. We'll update the UI to make the field required.

Customers can work around this requirement for testing purposes by using a feature flag in the browser URL. [Learn more](../app-provisioning/use-scim-to-provision-users-and-groups.md#authorization-to-provisioning-connectors-in-the-application-gallery).
---

### Public Preview - Customize and configure Android shared devices for frontline workers at scale

**Type:** New feature
**Service category:** Device Registration and Management
**Product capability:** Identity Security & Protection

The Azure AD and Microsoft Intune teams have combined to bring the capability to customize, scale, and secure your frontline worker devices.

The following preview capabilities allow you to:

- Provision Android shared devices at scale with Microsoft Intune
- Secure access for shift workers using device-based Conditional Access
- Customize sign-in experiences for shift workers with Managed Home Screen

To learn more, refer to [Customize and configure shared devices for frontline workers at scale](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/customize-and-configure-shared-devices-for-firstline-workers-at/ba-p/1751708).

---

### Public preview - Provisioning logs can now be downloaded as a CSV or JSON

**Type:** New feature
**Service category:** App Provisioning
**Product capability:** Identity Lifecycle Management

Customers can download the provisioning logs as a CSV or JSON file through the UI and via the Graph API. To learn more, refer to [Provisioning reports in the Azure portal](../reports-monitoring/concept-provisioning-logs.md).

---

### Public preview - Assign cloud groups to Azure AD custom roles and admin unit scoped roles

**Type:** New feature
**Service category:** RBAC
**Product capability:** Access Control

Customers can assign a cloud group to Azure AD custom roles or an admin unit scoped role. To learn how to use this feature, refer to [Use cloud groups to manage role assignments in Azure Active Directory](../roles/groups-concept.md).

---

### General Availability - Azure AD Connect cloud sync (previously known as cloud provisioning)

**Type:** New feature
**Service category:** Azure AD Connect cloud sync
**Product capability:** Identity Lifecycle Management

Azure AD Connect cloud sync is now generally available to all customers.

Azure AD Connect cloud sync moves the heavy lifting of transform logic to the cloud, reducing your on-premises footprint. Additionally, multiple lightweight agent deployments are available for higher sync availability. [Learn more](https://aka.ms/cloudsyncGA).

---

### General Availability - Attack Simulation Administrator and Attack Payload Author built-in roles

**Type:** New feature
**Service category:** RBAC
**Product capability:** Access Control

Two new roles in Role-Based Access Control are available to assign to users: Attack Simulation Administrator and Attack Payload Author.

Users in the [Attack Simulation Administrator](../roles/permissions-reference.md#attack-simulation-administrator) role have access to all simulations in the tenant and can:

- create and manage all aspects of attack simulation creation
- launch or schedule a simulation
- review simulation results

Users in the [Attack Payload Author](../roles/permissions-reference.md#attack-payload-author) role can create attack payloads but not launch or schedule them. Attack payloads are then available to all administrators in the tenant, who can use them to create a simulation.

---

### General Availability - Usage Summary Reports Reader built-in role

**Type:** New feature
**Service category:** RBAC
**Product capability:** Access Control

Users with the Usage Summary Reports Reader role can access tenant-level aggregated data and associated insights in the Microsoft 365 admin center for Usage and Productivity Score. However, they can't access any user-level details or insights.

In the Microsoft 365 admin center, for these two reports, tenant-level aggregated data is separated from user-level details. This role adds an extra layer of protection to individually identifiable user data. [Learn more](../roles/permissions-reference.md#usage-summary-reports-reader).

---

### General availability - Require App protection policy grant in Azure AD Conditional Access

**Type:** New Feature
**Service category:** Conditional Access
**Product capability:** Identity Security & Protection

The Azure AD Conditional Access grant "Require App Protection policy" is now GA.

The policy provides the following capabilities:

- Allows access only when using a mobile application that supports Intune App protection
- Allows access only when a user has an Intune app protection policy delivered to the mobile application

Learn more on how to set up a Conditional Access policy for app protection [here](../conditional-access/app-protection-based-conditional-access.md).

---

### General availability - Email One-Time Passcode

**Type:** New feature
**Service category:** B2B
**Product capability:** B2B/B2C

Email OTP enables organizations around the world to collaborate with anyone by sending a link or invitation via email. Invited users can verify their identity with the one-time passcode sent to their email to access their partner's resources. [Learn more](../external-identities/one-time-passcode.md).
- --- ### New provisioning connectors in the Azure AD Application Gallery - January 2021 --**Type:** New feature -**Service category:** App Provisioning -**Product capability:** 3rd Party Integration - -You can now automate creating, updating, and deleting user accounts for these newly integrated apps: -- [Fortes Change Cloud](../saas-apps/fortes-change-cloud-provisioning-tutorial.md)-- [Gtmhub](../saas-apps/gtmhub-provisioning-tutorial.md)-- [monday.com](../saas-apps/mondaycom-provisioning-tutorial.md)-- [Splashtop](../saas-apps/splashtop-provisioning-tutorial.md)-- [Templafy OpenID Connect](../saas-apps/templafy-openid-connect-provisioning-tutorial.md)-- [WEDO](../saas-apps/wedo-provisioning-tutorial.md)--For more information, see [What is automated SaaS app user provisioning in Azure AD?](../app-provisioning/user-provisioning.md) ----### New Federated Apps available in Azure AD Application gallery - January 2021 --**Type:** New feature -**Service category:** Enterprise Apps -**Product capability:** 3rd Party Integration --In January 2021 we have added following 29 new applications in our App gallery with Federation support: --[mySCView](https://www.myscview.com/), [Talentech](https://talentech.com/contact/), [Bipsync](https://www.bipsync.com/), [OroTimesheet](https://app.orotimesheet.com/login.php), [Mio](https://app.m.io/auth/install/microsoft?scopetype=hub), Sovelto Easy, [Supportbench](https://account.supportbench.net/agent/login/),[Bienvenue Formation](https://formation.bienvenue.pro/login), [AIDA Healthcare SSO](https://aidaforparents.com/login/organizations), [International SOS Assistance Products](../saas-apps/international-sos-assistance-products-tutorial.md), [NAVEX One](../saas-apps/navex-one-tutorial.md), [LabLog](../saas-apps/lablog-tutorial.md), [Oktopost SAML](../saas-apps/oktopost-saml-tutorial.md), [EPHOTO DAM](../saas-apps/ephoto-dam-tutorial.md), [Notion](../saas-apps/notion-tutorial.md), [Syndio](../saas-apps/syndio-tutorial.md), [Yello 
Enterprise](../saas-apps/yello-enterprise-tutorial.md), [Timeclock 365 SAML](../saas-apps/timeclock-365-saml-tutorial.md), [Nalco E-data](https://www.ecolab.com/), [Vacancy Filler](https://app.vacancy-filler.co.uk/VFMVC/Account/Login), [Synerise AI Growth Ecosystem](../saas-apps/synerise-ai-growth-ecosystem-tutorial.md), [Imperva Data Security](../saas-apps/imperva-data-security-tutorial.md), [Illusive Networks](../saas-apps/illusive-networks-tutorial.md), [Proware](../saas-apps/proware-tutorial.md), [Splan Visitor](../saas-apps/splan-visitor-tutorial.md), [Aruba User Experience Insight](../saas-apps/aruba-user-experience-insight-tutorial.md), [Contentsquare SSO](../saas-apps/contentsquare-sso-tutorial.md), [Perimeter 81](../saas-apps/perimeter-81-tutorial.md), [Burp Suite Enterprise Edition](../saas-apps/burp-suite-enterprise-edition-tutorial.md) --You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial --For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest ----### Public preview - Second level manager can be set as alternate approver --**Type:** Changed feature -**Service category:** User Access Management -**Product capability:** Entitlement Management - -An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you'll have another option, "Second level manager as alternate approver", available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. 
[Learn more](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers) - ---### General availability - Navigate to Teams directly from My Access portal --**Type:** Changed feature -**Service category:** User Access Management -**Product capability:** Entitlement Management - -You can now launch Teams directly from the My Access portal. --To do so, sign-in to My Access (https://myaccess.microsoft.com/), navigate to "Access packages", then go to the "Active" tab to see all of the access packages you already have access to. When you expand the selected access package and hover on Teams, you can launch it by clicking on the "Open" button. [Learn more](../governance/entitlement-management-request-access.md). - ---### Improved Logging & End-User Prompts for Risky Guest Users --**Type:** Changed feature -**Service category:** Identity Protection -**Product capability:** Identity Security & Protection - --The Logging and End-User Prompts for Risky Guest Users have been updated. Learn more in [Identity Protection and B2B users](../identity-protection/concept-identity-protection-b2b.md). - -- |
active-directory | Access Reviews Application Preparation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/access-reviews-application-preparation.md | Organizations with compliance requirements or risk management plans will have se To use Azure AD for an access review of access to an application, you must have one of the following licenses in your tenant: -* Azure AD Premium P2 +* Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance * Enterprise Mobility + Security (EMS) E5 license While using the access reviews feature does not require users to have those licenses assigned to them to use the feature, you'll need to have at least as many licenses in your tenant as the number of member (non-guest) users who will be configured as reviewers. |
active-directory | Access Reviews External Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/access-reviews-external-users.md | ->A valid Azure AD Premium P2, Enterprise Mobility + Security E5 paid, or trial license is required to use Azure AD access reviews. For more information, see [Azure Active Directory editions](../fundamentals/active-directory-whatis.md). +>A valid Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance, Enterprise Mobility + Security E5 paid, or trial license is required to use Azure AD access reviews. For more information, see [Azure Active Directory editions](../fundamentals/active-directory-whatis.md). ## Why review users from external organizations in your tenant? |
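Review bot: the added `+>` line turns the license list into an ambiguous series ("Premium P2 or Microsoft Entra ID Governance, Enterprise Mobility + Security E5 paid, or trial license"); consider "A valid Microsoft Azure AD Premium P2, Microsoft Entra ID Governance, or Enterprise Mobility + Security E5 paid or trial license is required" so that each accepted license is clearly one of three alternatives.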
active-directory | Access Reviews Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/access-reviews-overview.md | Depending on what you want to review, you'll either create your access review in ## License requirements ++>[!NOTE] +>Creating a review on [inactive user](review-recommendations-access-reviews.md#inactive-user-recommendations) and with [use-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations requires a Microsoft Entra ID Governance license. ## Next steps |
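Review bot: the link text in the added NOTE reads "use-to-group affiliation" while its anchor is `#user-to-group-affiliation`; this looks like a typo for "user-to-group affiliation" and should match the target heading. The NOTE is also the only content that follows the "## License requirements" heading in the visible hunk, so confirm the license statement that section is meant to carry is still present above it.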
active-directory | Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/apps.md | Microsoft Entra identity governance can be integrated with many other applicatio | SAML-based apps | | ● | | [SAP Analytics Cloud](../../active-directory/saas-apps/sap-analytics-cloud-provisioning-tutorial.md) | ● | ● | | [SAP Cloud Platform](../../active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial.md) | ● | ● |+| [SAP ECC 7.0](../../active-directory/app-provisioning/on-premises-sap-connector-configure.md) | ● | | | SAP R/3 | ● | | | [SAP HANA](../../active-directory/saas-apps/saphana-tutorial.md) | ● | ● | | [SAP SuccessFactors to Active Directory](../../active-directory/saas-apps/sap-successfactors-inbound-provisioning-tutorial.md) | ● | ● | |
active-directory | Complete Access Review | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/complete-access-review.md | As an administrator, you [create an access review of groups or applications](cre ## Prerequisites -- Azure AD Premium P2+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance - Global administrator, User administrator, or Identity Governance administrator to manage access of reviews on groups and applications. Global administrators and Privileged Role administrators can manage reviews of role-assignable groups See [Use Azure AD groups to manage role assignments](../roles/groups-concept.md) - Security readers have read access. |
active-directory | Conditional Access Exclusion | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/conditional-access-exclusion.md | -> A valid Azure AD Premium P2, Enterprise Mobility + Security E5 paid, or trial license is required to use Azure AD access reviews. For more information, see [Azure Active Directory editions](../fundamentals/active-directory-whatis.md). +> A valid Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance, Enterprise Mobility + Security E5 paid, or trial license is required to use Azure AD access reviews. For more information, see [Azure Active Directory editions](../fundamentals/active-directory-whatis.md). ## Why would you exclude users from policies? |
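Review bot: same series problem as the identical sentence in access-reviews-external-users.md: "Premium P2 or Microsoft Entra ID Governance, Enterprise Mobility + Security E5 paid, or trial license" does not read as three alternatives; suggest "A valid Microsoft Azure AD Premium P2, Microsoft Entra ID Governance, or Enterprise Mobility + Security E5 paid or trial license is required".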
active-directory | Create Access Review Pim For Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/create-access-review-pim-for-groups.md | This article describes how to create one or more access reviews for PIM for Grou ## Prerequisites -- Azure AD Premium P2.+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance. - Only Global administrators and Privileged Role administrators can create reviews on PIM for Groups. For more information, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md). For more information, see [License requirements](access-reviews-overview.md#license-requirements). |
active-directory | Create Access Review | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/create-access-review.md | This article describes how to create one or more access reviews for group member ## Prerequisites -- Azure AD Premium P2.+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance licenses. +- Creating a review on [inactive user](review-recommendations-access-reviews.md#inactive-user-recommendations) and with [use-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations requires a Microsoft Entra ID Governance license. - Global administrator, User administrator, or Identity Governance administrator to create reviews on groups or applications. - Global administrators and Privileged Role administrators can create reviews on role-assignable groups. For more information, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md). - Microsoft 365 and Security group owner. A multi-stage review allows the administrator to define two or three sets of rev  -1. The duration of each recurrence are set to the sum of the duration day(s) you specified in each stage. +1. The duration of each recurrence is set to the sum of the duration day(s) you specified in each stage. 1. Specify the **Review recurrence**, the **Start date**, and **End date** for the review. The recurrence type must be at least as long as the total duration of the recurrence (i.e., the max duration for a weekly review recurrence is 7 days). |
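Review bot: the second added prerequisite bullet repeats the "use-to-group affiliation" link text against an anchor of `#user-to-group-affiliation`; the text should read "user-to-group affiliation" to match the target heading (the same typo appears in the access-reviews-overview.md commit). The "are set" to "is set" correction in the multi-stage review step is right.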
active-directory | Create Lifecycle Workflow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/create-lifecycle-workflow.md | You can create and customize workflows for common scenarios by using templates, ## Prerequisites -The preview of lifecycle workflows requires Azure Active Directory (Azure AD) Premium P2. For more information, see [License requirements](what-are-lifecycle-workflows.md#license-requirements). + ## Create a lifecycle workflow by using a template in the Azure portal |
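Review bot: the removed sentence was the only content under "## Prerequisites", and the hunk replaces it with a blank `+` line, so the section is empty in the visible diff; unless that blank line stands in for content the extraction dropped, either state the current license requirement (the other commits in this batch use "Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance") or remove the heading.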
active-directory | Customize Workflow Email | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/customize-workflow-email.md | For more information on these customizable parameters, see [Common email task pa ## Prerequisites -- Azure Active Directory (Azure AD) Premium P2. For more information, see [License requirements](what-are-lifecycle-workflows.md#license-requirements). ## Customize email by using the Azure portal |
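Review bot: the hunk removes the only bullet under "## Prerequisites" and adds nothing in its place, leaving an empty section before "## Customize email by using the Azure portal"; restate the license requirement or drop the heading.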
active-directory | Delete Lifecycle Workflow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/delete-lifecycle-workflow.md | When a workflow is deleted, it enters a soft-delete state. During this period, y ## Prerequisites -The preview of lifecycle workflows requires Azure Active Directory (Azure AD) Premium P2. For more information, see [License requirements](what-are-lifecycle-workflows.md#license-requirements). + ## Delete a workflow by using the Azure portal |
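Review bot: as in create-lifecycle-workflow.md, the removed license sentence is replaced by a blank `+` line and "## Prerequisites" now has no content in the visible diff; either restore a license statement or remove the empty heading.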
active-directory | Entitlement Management Access Package Assignments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-assignments.md | In entitlement management, you can see who has been assigned to access packages, To use entitlement management and assign users to access packages, you must have one of the following licenses: -- Azure AD Premium P2+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance - Enterprise Mobility + Security (EMS) E5 license ## View who has an assignment |
active-directory | Entitlement Management Access Package Auto Assignment Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-auto-assignment-policy.md | This article describes how to create an access package automatic assignment poli You'll need to have attributes populated on the users who will be in scope for being assigned access. The attributes you can use in the rules criteria of an access package assignment policy are those attributes listed in [supported properties](../enterprise-users/groups-dynamic-membership.md#supported-properties), along with [extension attributes and custom extension properties](../enterprise-users/groups-dynamic-membership.md#extension-properties-and-custom-extension-properties). These attributes can be brought into Azure AD from [Graph](/graph/api/resources/user), an HR system such as [SuccessFactors](../app-provisioning/sap-successfactors-integration-reference.md), [Azure AD Connect cloud sync](../cloud-sync/how-to-attribute-mapping.md) or [Azure AD Connect sync](../hybrid/how-to-connect-sync-feature-directory-extensions.md). The rules can include up to 5000 users per policy. +## License requirements ++ ## Create an automatic assignment policy (Preview) To create a policy for an access package, you need to start from the access package's policy tab. Follow these steps to create a new policy for an access package. |
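Review bot: the added "## License requirements" heading is followed only by blank `+` lines before "## Create an automatic assignment policy (Preview)"; if the section is meant to be filled from a shared include, confirm it is present, otherwise add the license statement the other entitlement management commits in this batch use.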
active-directory | Entitlement Management Access Package First | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-first.md | This rest of this article uses the Azure portal to configure and demonstrate ent To use entitlement management, you must have one of the following licenses: -- Azure AD Premium P2+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance - Enterprise Mobility + Security (EMS) E5 license For more information, see [License requirements](entitlement-management-overview.md#license-requirements). An *access package* is a bundle of resources that a team or project needs and is 1. In the left menu, select **Identity Governance** -1. In the left menu, select **Access packages**. If you see **Access denied**, ensure that an Azure AD Premium P2 license is present in your directory. +1. In the left menu, select **Access packages**. If you see **Access denied**, ensure that a Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance license is present in your directory. 1. Select **New access package**. |
active-directory | Entitlement Management Access Package Incompatible | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-incompatible.md | If you’ve been using Microsoft Identity Manager or other on-premises identity To use entitlement management and assign users to access packages, you must have one of the following licenses: -- Azure AD Premium P2+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance - Enterprise Mobility + Security (EMS) E5 license ## Configure another access package or group membership as incompatible for requesting access to an access package |
active-directory | Entitlement Management Access Reviews Create | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-reviews-create.md | To reduce the risk of stale access, you should enable periodic reviews of users ## Prerequisites To enable reviews of access packages, you must meet the prerequisites for creating an access package:-- Azure AD Premium P2+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance - Global administrator, Identity Governance administrator, User administrator, Catalog owner, or Access package manager For more information, see [License requirements](entitlement-management-overview.md#license-requirements). |
active-directory | Entitlement Management Access Reviews Review Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-reviews-review-access.md | Entitlement management simplifies how enterprises manage access to groups, appli ## Prerequisites To review users' active access package assignments, the creator of a review must satisfy these prerequisites:-- Azure AD Premium P2+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance - Global administrator, Identity Governance administrator, or User administrator For more information, see [License requirements](entitlement-management-overview.md#license-requirements). |
active-directory | Entitlement Management Group Licenses | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-group-licenses.md | In this tutorial, you play the role of an IT administrator for Woodgrove Bank. Y To use entitlement management, you must have one of these licenses: -- Azure AD Premium P2+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance - Enterprise Mobility + Security (EMS) E5 For more information, see [License requirements](entitlement-management-overview.md#license-requirements). |
active-directory | Entitlement Management Logic Apps Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-logic-apps-integration.md | Entitlement management use cases that can be integrated with Logic Apps include These triggers to Logic Apps are controlled in a tab within access package policies called **Rules**. Additionally, a **Custom Extensions** tab on the Catalog page shows all added Logic Apps extensions for a given Catalog. This article describes how to create and add logic apps to catalogs and access packages in entitlement management. +## License requirements +++ ## Create and add a Logic App workflow to a catalog for use in entitlement management **Prerequisite roles:** Global administrator, Identity Governance administrator, Catalog owner or Resource Group Owner |
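Review bot: the added "## License requirements" heading has no body in the visible hunk (only blank `+` lines before "## Create and add a Logic App workflow to a catalog"); add the license statement or confirm an include fills it.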
active-directory | Entitlement Management Onboard External User | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-onboard-external-user.md | In this tutorial, you work for WoodGrove Bank as an IT administrator. YouΓÇÖve b Approval is needed by an internal sponsor for collaborating organizations. Also, you've been informed that the partner's access needs to expire after 60 days. To use entitlement management, you must have one of the following licenses: -- Azure AD Premium P2+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance - Enterprise Mobility + Security (EMS) E5 license For more information, see [License requirements](entitlement-management-overview.md#license-requirements). For more information, see [License requirements](entitlement-management-overview 2. In the left menu, select **Identity Governance**. -3. In the left menu, select **Access packages**. If you see Access denied, ensure that an Azure AD Premium P2 license is present in your directory. +3. In the left menu, select **Access packages**. If you see Access denied, ensure that a Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance license is present in your directory. 4. Select **New access package**. |
active-directory | Entitlement Management Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-overview.md | To better understand entitlement management and its documentation, you can refer ## License requirements ### How many licenses must you have? -Ensure that your directory has at least as many Azure AD Premium P2 licenses as you have: +Ensure that your directory has at least as many Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance licenses as you have: - Member users who *can* request an access package. - Member users who *request* an access package. Ensure that your directory has at least as many Azure AD Premium P2 licenses as - Member users who *review assignments* for an access package. - Member users who have a *direct assignment* or an *automatic assignment* to an access package. -For guest users, licensing needs will depend on the [licensing model](../external-identities/external-identities-pricing.md) you’re using. However, the below guest users’ activities are considered Azure AD Premium P2 usage: +For guest users, licensing needs will depend on the [licensing model](../external-identities/external-identities-pricing.md) you’re using. However, the below guest users’ activities are considered Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance usage: - Guest users who *request* an access package. - Guest users who *approve requests* for an access package. - Guest users who *review assignments* for an access package. - Guest users who have a *direct assignment* to an access package. 
-Azure AD Premium P2 licenses are **not** required for the following tasks: +Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance licenses are **not** required for the following tasks: - No licenses are required for users with the Global Administrator role who set up the initial catalogs, access packages, and policies, and delegate administrative tasks to other users. - No licenses are required for users who have been delegated administrative tasks, such as catalog creator, catalog owner, and access package manager. |
active-directory | Entitlement Management Reprocess Access Package Assignments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-reprocess-access-package-assignments.md | This article describes how to reprocess assignments in an existing access packag To use entitlement management and assign users to access packages, you must have one of the following licenses: -- Azure AD Premium P2+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance - Enterprise Mobility + Security (EMS) E5 license ## Open an existing access package and reprocess user assignments |
active-directory | Entitlement Management Reprocess Access Package Requests | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-reprocess-access-package-requests.md | This article describes how to reprocess requests for an existing access package. To use entitlement management and assign users to access packages, you must have one of the following licenses: -- Azure AD Premium P2+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance - Enterprise Mobility + Security (EMS) E5 license ## Open an existing access package and reprocess user requests |
active-directory | Entitlement Management Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-troubleshoot.md | This article describes some items you should check to help you troubleshoot enti ## Administration -* If you get an access denied message when configuring entitlement management, and you're a Global administrator, ensure that your directory has an [Azure AD Premium P2 (or EMS E5) license](entitlement-management-overview.md#license-requirements). If you've recently renewed an expired Azure AD Premium P2 subscription, then it may take 8 hours for this license renewal to be visible. +* If you get an access denied message when configuring entitlement management, and you're a Global administrator, ensure that your directory has an [Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance (or EMS E5) license](entitlement-management-overview.md#license-requirements). If you've recently renewed an expired Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance subscription, then it may take 8 hours for this license renewal to be visible. -* If your tenant's Azure AD Premium P2 license has expired, then you won't be able to process new access requests or perform access reviews. +* If your tenant's Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance license has expired, then you won't be able to process new access requests or perform access reviews. * If you get an access denied message when creating or viewing access packages, and you're a member of a Catalog creator group, you must [create a catalog](entitlement-management-catalog-create.md) prior to creating your first access package. |
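Review bot: the first added bullet reads "has an [Microsoft Azure AD Premium P2 ..."; the article should be "a" now that the link text starts with "Microsoft". The bracketed "(or EMS E5)" inside the link text also now sits awkwardly after two alternatives; "a [Microsoft Azure AD Premium P2, Microsoft Entra ID Governance, or EMS E5 license]" would be cleaner.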
active-directory | Entitlement Management Verified Id Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-verified-id-settings.md | This article describes how to configure the verified ID requirement settings for Before you begin, you must set up your tenant to use the [Microsoft Entra Verified ID service](../verifiable-credentials/decentralized-identifier-overview.md). You can find detailed instructions on how to do that here: [Configure your tenant for Microsoft Entra Verified ID](../verifiable-credentials/verifiable-credentials-configure-tenant.md). ++## License requirements ++ ## Create an access package with verified ID requirements + To add a verified ID requirement to an access package, you must start from the access package’s requests tab. Follow these steps to add a verified ID requirement to a new access package. |
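Review bot: the added "## License requirements" heading is immediately followed by "## Create an access package with verified ID requirements" with nothing but blank `+` lines between them; the section needs the license statement or the include that supplies it.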
active-directory | Governance Dashboard | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/governance-dashboard.md | + + Title: 'Identity Governance dashboard (Preview)' +description: This article shows how to use the new identity governance dashboard +++++++ Last updated : 06/20/2023+++++# Identity Governance dashboard (Preview) ++In this article, we provide guidance on how to use the Microsoft Identity Governance dashboard. ++## About the dashboard +Microsoft Identity Governance dashboard discovers usage information about various Identity Governance & Administration (IGA) features configured in your tenant. It then gives you at-a-glance view of your current state of Identity Governance, with actionable buttons and quickly accessible links to feature documentation. ++## Using the dashboard ++We understand that implementing Identity Governance is a journey, and you may be in different stages of this journey. +* If you are just getting started, use the dashboard to assess the complexity of your IT landscape. Identify the number of users and guests in your tenant. Discover business apps and privileged roles in your tenant and review capabilities provided by Microsoft Identity Governance to put together an implementation plan that addresses your security & compliance needs. +* If you have already deployed certain governance capabilities, use the dashboard to understand the coverage of your governance automations and find implementation gaps. For example, maybe you have automated birthright access using [entitlement management](https://go.microsoft.com/fwlink/?linkid=2210375), but you have not set up periodic [access reviews](https://go.microsoft.com/fwlink/?linkid=2211313). Use the call-to-action links in the dashboard to further improve your identity governance posture. 
++## Data displayed on the dashboard +You can access the dashboard by logging into the Microsoft Entra admin center and selecting the "Dashboard" blade under "Identity Governance". +The dashboard experience is made up of the following main components: +* **Glanceable cards**: These cards provide high level insights into what’s happening in your tenant from the perspective of employee, guest, privileged identities, and application access governance. The navigation links in the glanceable cards point to Identity Governance quick start guides and tutorials. +* **Identity Governance status**: This visual shows your identity landscape in terms of number of employees, guests, business apps, groups, and privileged roles. It then highlights the various Microsoft Identity Governance feature sets configured to better govern these entities. If a feature is not configured, you can use the "Configure Now" option to open the configuration landing blade for that feature. +* **Tutorials**: This section contains tutorials of popular Identity governance use cases for quick access. +* **Highlights**: Use the content in this section to stay informed about the latest Identity Governance features and learn how customers are using Identity Governance to improve their security and compliance posture. ++>[!NOTE] +>The Graph APIs on the dashboard will operate in the context of the logged in user using delegated permission model. To view the dashboard with full fidelity, we recommend using the Global administrator / Global reader role. ++## Troubleshooting dashboard errors ++You may see two types of errors on the dashboard: ++* **Service error**: This error indicates that the dashboard was unable to retrieve data due to a backend service error. The service error could be intermittent. Try refreshing the dashboard to see if the issue resolves automatically. If the issue persists, contact Microsoft support. 
+* **Permission error**: This error indicates that the dashboard was unable to retrieve data either due to insufficient permissions or data access issues or license issues. Check the role assigned to the logged in user and ensure your tenant has the right license. To view the dashboard with full fidelity, at a minimum we recommend assigning the Global reader role. +++## Next steps ++- [What are Lifecycle workflows?](what-are-lifecycle-workflows.md) +- [What are Azure AD access reviews](access-reviews-overview.md) +- [What is Microsoft Entra entitlement management?](entitlement-management-overview.md) +- [What is Microsoft Entra Privileged Identity Management?](../privileged-identity-management/pim-configure.md) |
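Review bot: the NOTE under "Data displayed on the dashboard" recommends the "Global administrator / Global reader role" for full fidelity, while the "Permission error" bullet says Global reader is the minimum; since the dashboard only reads data through delegated Graph calls, recommend Global reader alone in both places so the guidance is consistent and does not steer readers toward a highly privileged role. Wording in the same NOTE: "in the context of the logged in user using delegated permission model" reads better as "in the context of the signed-in user, using the delegated permission model", and "gives you at-a-glance view" in "About the dashboard" needs "an".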
active-directory | Identity Governance Applications Existing Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-existing-users.md | +## License requirements + ### Application migrated to Azure AD after using its own identity provider In the first scenario, the application already exists in the environment. Previously, the application used its own identity provider or data store to track which users had access. When you create an assignment for a user to an access package, Azure AD entitlem - You must have one of the following licenses in your tenant: - - Azure AD Premium P2 + - Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance - Enterprise Mobility + Security E5 license - You need to have an appropriate administrative role. If this is the first time you're performing these steps, you need the Global Administrator role to authorize the use of Microsoft Graph PowerShell in your tenant. |
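Review bot: the added "## License requirements" heading at the top of the hunk has no body before "### Application migrated to Azure AD after using its own identity provider", and the license list later in the same article already carries the updated "Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance" bullet; either fill the new section or point it at that existing list.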
active-directory | Identity Governance Applications Not Provisioned Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-not-provisioned-users.md | For more information on those first two scenarios, where the application support This article covers the third scenario. For some legacy applications it might not be feasible to remove other identity providers or local credential authentication from the application, or enable support for provisioning protocols for those applications. For those applications, if you want to use Azure AD to review who has access to that application, or remove someone's access from that application, you'll need to create assignments in Azure AD that represent application users. This article covers that scenario of an application that does not use Azure AD as its identity provider and does not support provisioning. +## License requirements + ## Terminology This article illustrates the process for managing application role assignments by using the [Microsoft Graph PowerShell cmdlets](https://www.powershellgallery.com/packages/Microsoft.Graph). It uses the following Microsoft Graph terminology. When you create an assignment for a user to an access package, Azure AD entitlem - You must have one of the following licenses in your tenant: - - Azure AD Premium P2 + - Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance - Enterprise Mobility + Security E5 license - You need to have an appropriate administrative role. If this is the first time you're performing these steps, you need the Global Administrator role to authorize the use of Microsoft Graph PowerShell in your tenant. |
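Review bot: same empty-heading problem as the existing-users article: "+## License requirements" is inserted with no content immediately before "## Terminology", while the license bullets remain in the later prerequisites list. Move the license text (or the shared include) under the heading, or remove the heading.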
active-directory | Identity Governance Applications Prepare | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-prepare.md | Organizations with compliance requirements or risk management plans have sensiti In addition to the application access governance scenario, you can also use identity governance and the other Microsoft Entra features for other scenarios, such as [reviewing and removing users from other organizations](../governance/access-reviews-external-users.md) or [managing users who are excluded from Conditional Access policies](../governance/conditional-access-exclusion.md). If your organization has multiple administrators in Azure AD or Azure, uses B2B or self-service group management, then you should [plan an access reviews deployment](deploy-access-reviews.md) for those scenarios. +## License requirements + ## Getting started with governing access to applications Microsoft Entra identity governance can be integrated with many applications, using [standards](../fundamentals/auth-sync-overview.md) such as OpenID Connect, SAML, SCIM, SQL and LDAP. Through these standards, you can use Azure AD with many popular SaaS applications, on-premises applications, and applications that your organization has developed. Once you've prepared your Azure AD environment, as described in the section below, the three step plan covers how to connect an application to Azure AD and enable identity governance features to be used for that application. Before you begin the process of governing application access from Azure AD, you * **Ensure your Azure AD and Microsoft Online Services environment is ready for the [compliance requirements](../standards/standards-overview.md) for the applications to be integrated and properly licensed**. Compliance is a shared responsibility among Microsoft, cloud service providers (CSPs), and organizations. 
To use Azure AD to govern access to applications, you must have one of the following licenses in your tenant: - * Azure AD Premium P2 + * Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance * Enterprise Mobility + Security (EMS) E5 license Your tenant needs to have at least as many licenses as the number of member (non-guest) users who have or can request access to the applications, approve, or review access to the applications. With an appropriate license for those users, you can then govern access to up to 1500 applications per user. |
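Review bot: "+## License requirements" is added empty, directly above "## Getting started with governing access to applications", while the license statement ("To use Azure AD to govern access to applications, you must have one of the following licenses in your tenant:") stays in a later section; move that paragraph and its bullets under the new heading or drop the heading. The new bullet "Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance" also mixes old and new product names; use the Microsoft Entra form consistently with the PIM articles in this batch.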
active-directory | Identity Governance Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-overview.md | Title: Identity Governance - Microsoft Entra -description: Microsoft Entra Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. + Title: Microsoft Entra ID Governance +description: Microsoft Entra ID Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. documentationcenter: '' -# What is Microsoft Entra Identity Governance? +# What is Microsoft Entra ID Governance? -Microsoft Entra Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right people have the right access to the right resources. These and related Azure AD and Enterprise Mobility + Security features allows you to mitigate access risk by protecting, monitoring, and auditing access to critical assets while ensuring employee and business partner productivity. +Microsoft Entra ID Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right people have the right access to the right resources. These and related Azure AD and Enterprise Mobility + Security features allows you to mitigate access risk by protecting, monitoring, and auditing access to critical assets while ensuring employee and business partner productivity. 
-Identity Governance gives organizations the ability to do the following tasks across employees, business partners and vendors, and across services and applications both on-premises and in clouds: +ID Governance gives organizations the ability to do the following tasks across employees, business partners and vendors, and across services and applications both on-premises and in clouds: - Govern the identity lifecycle - Govern access lifecycle In addition to the features listed above, additional Microsoft Entra features fr |Privileged access|Just-in-time and scheduled access, alerting, approval workflows for Azure AD roles (including custom roles) and Azure Resource roles.|[Azure AD PIM](../privileged-identity-management/pim-configure.md)| |Auditing|Admins can be alerted of creation of admin accounts.|[Microsoft Entra PIM alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md)| +## License requirements + ## Getting started Check out the [Getting started tab](https://portal.azure.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/GettingStarted) of **Identity Governance** in the Azure portal to start using entitlement management, access reviews, Privileged Identity Management, and Terms of use, and see some common use cases. |
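Review bot: the rename drops the qualifier at the start of a sentence: "+ID Governance gives organizations the ability to do the following tasks" reads as a bare "ID"; use the full name "Microsoft Entra ID Governance gives organizations..." on first mention in a paragraph. The added "+## License requirements" heading again has no content before "## Getting started". While here, the unchanged sentence "These and related Azure AD and Enterprise Mobility + Security features allows you to mitigate access risk" should read "allow".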
active-directory | Lifecycle Workflows Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/lifecycle-workflows-deployment.md | For more information on deployment plans, see [Azure AD deployment plans](../fun ## License requirements >[!Note] >Be aware that if your license expires, any workflows that you have created will stop working. |
active-directory | Manage Access Review | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/manage-access-review.md | With access reviews, you can easily ensure that users or guests have appropriate ## Prerequisites -- Azure AD Premium P2+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance For more information, see [License requirements](access-reviews-overview.md#license-requirements). |
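Review bot: the prerequisite bullet now reads "Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance", while the PIM articles in this batch use "Microsoft Entra Premium P2"; standardize the name, ideally via the shared include "active-directory-p2-governance-either-license.md" used in pim-getting-started.md so future renames happen in one place.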
active-directory | Manage Guest Access With Access Reviews | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/manage-guest-access-with-access-reviews.md | You also can easily ensure that guest users have appropriate access. You can ask ## Prerequisites -- Azure AD Premium P2+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance For more information, [License requirements](access-reviews-overview.md#license-requirements). |
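Review bot: the unchanged sentence "For more information, [License requirements](access-reviews-overview.md#license-requirements)." is missing its verb; make it "For more information, see [License requirements]...". The new bullet repeats the product names by hand; prefer the shared license include here as well.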
active-directory | Manage User Access With Access Reviews | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/manage-user-access-with-access-reviews.md | With Microsoft Entra, you can easily ensure that users have appropriate access. ## Prerequisites -- Azure AD Premium P2+- Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance For more information, see [License requirements](access-reviews-overview.md#license-requirements). |
active-directory | Review Recommendations Access Reviews | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/review-recommendations-access-reviews.md | Decision makers who review users' access and perform access reviews can use syst ## Prerequisites -- Azure AD Premium P2+Creating a review on [inactive user](#inactive-user-recommendations) and with [user-to-group affiliation](#user-to-group-affiliation) recommendations require a Microsoft Entra ID Governance license. For more information, see [License requirements](access-reviews-overview.md#license-requirements). ## Inactive user recommendations A user is considered 'inactive' if they haven't signed into the tenant within the last 30 days. This behavior is adjusted for reviews of application assignments, which checks each user's last activity in the app as opposed to the entire tenant. When inactive user recommendations are enabled for an access review, the last sign-in date for each user is evaluated once the review starts, and any user that has not signed-in within 30 days are given a recommended action of Deny. Additionally, when these decision helpers are enabled, reviewers are able to see the last sign-in date for all users being reviewed. This sign-in date, and the resulting recommendation, is determined when the review begins and won't get updated while the review is in-progress. -## User-to-Group Affiliation (preview) +## User-to-Group Affiliation Making the review experience easier and more accurate empowers IT admins and reviewers to make more informed decisions. This Machine Learning based recommendation opens the journey to automate access reviews, thereby enabling intelligent automation and reducing access rights attestation fatigue. User-to-Group Affiliation in an organizationΓÇÖs chart is defined as two or more users who share similar characteristics in an organization's reporting structure. 
If this decision helper is enabled by the creator of the access review, reviewer > [!NOTE] > This feature is only available for users in your directory. A user should have a manager attribute and should be a part of an organizational hierarchy for the User-to-group Affiliation to work.+> +>Groups with more than 600 users are not supported. The following image has an example of an organization's reporting structure in a cosmetics company: |
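Review bot: subject-verb agreement in the new prerequisite: "Creating a review on [inactive user] ... and with [user-to-group affiliation] recommendations require a Microsoft Entra ID Governance license" should be "requires". Removing the "- Azure AD Premium P2" bullet also leaves the page without the baseline license for access reviews themselves; keep a general license line (for example the shared include) and present the Governance license as the additional requirement for the two recommendation types. The new "Groups with more than 600 users are not supported." limit is useful; state whether a review on a larger group fails to create or silently runs without the recommendation.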
active-directory | Tutorial Offboard Custom Workflow Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/tutorial-offboard-custom-workflow-portal.md | For more information, see [Run a workflow on demand](on-demand-workflow.md). ## Prerequisites -The preview of lifecycle workflows requires Azure Active Directory (Azure AD) Premium P2. For more information, see [License requirements](what-are-lifecycle-workflows.md#license-requirements). + ## Before you begin |
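Review bot: deleting "The preview of lifecycle workflows requires Azure Active Directory (Azure AD) Premium P2..." without a replacement leaves "## Prerequisites" empty ahead of "## Before you begin". Replace it with the current license requirement (the Governance include used elsewhere in this batch) and keep the link to what-are-lifecycle-workflows.md#license-requirements, or remove the heading.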
active-directory | Tutorial Onboard Custom Workflow Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/tutorial-onboard-custom-workflow-portal.md | This prehire scenario generates a temporary access pass for our new employee and ## Prerequisites -The Lifecycle Workflows preview requires Azure AD Premium P2. For more information, see [License requirements](what-are-lifecycle-workflows.md#license-requirements). + ## Before you begin |
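Review bot: same as the offboarding tutorial: the removed sentence "The Lifecycle Workflows preview requires Azure AD Premium P2..." is not replaced, so the Prerequisites section is now just a blank line. State the current license and keep the link to the license requirements section, or drop the heading.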
active-directory | Tutorial Scheduled Leaver Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/tutorial-scheduled-leaver-portal.md | This post off-boarding scenario runs a scheduled workflow and accomplishes the f ## Prerequisites -The Lifecycle Workflows preview requires Azure AD Premium P2. For more information, see [License requirements](what-are-lifecycle-workflows.md#license-requirements). + ## Before you begin |
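Review bot: Prerequisites is emptied here too; the removed "The Lifecycle Workflows preview requires Azure AD Premium P2." line should be replaced with the post-preview license statement rather than deleted, so a reader of the scheduled-leaver tutorial still learns the required license before starting the steps.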
active-directory | Understanding Lifecycle Workflows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/understanding-lifecycle-workflows.md | The following document provides an overview of a workflow created using Lifecycl ## License requirements ## Permissions and Roles |
active-directory | What Are Lifecycle Workflows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/what-are-lifecycle-workflows.md | You can use lifecycle workflows to address any of the following conditions: ## License requirements -During this preview, you can: +With Lifecycle Workflows, you can: - Create, manage, and delete workflows up to the total limit of 50 workflows. - Trigger on-demand and scheduled workflow execution. |
active-directory | Concept Identity Protection Risks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-risks.md | Premium detections are visible only to Azure AD Premium P2 customers. Customers | Atypical travel | Offline | This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. The algorithm takes into account multiple factors including the time between the two sign-ins and the time it would have taken for the user to travel from the first location to the second. This risk may indicate that a different user is using the same credentials. <br><br> The algorithm ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user's sign-in behavior. | | Anomalous Token | Offline | This detection indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens. <br><br> **NOTE:** Anomalous token is tuned to incur more noise than other detections at the same risk level. This tradeoff is chosen to increase the likelihood of detecting replayed tokens that may otherwise go unnoticed. Because this is a high noise detection, there's a higher than normal chance that some of the sessions flagged by this detection are false positives. We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. 
If the location, application, IP address, User Agent, or other characteristics are unexpected for the user, the tenant admin should consider this risk as an indicator of potential token replay. | | Token Issuer Anomaly | Offline |This risk detection indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns. |-| Malware linked IP address | Offline | This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. This detection matches the IP addresses of the user's device against IP addresses that were in contact with a bot server while the bot server was active. <br><br> **[This detection has been deprecated](../fundamentals/whats-new-archive.md#planned-deprecationmalware-linked-ip-address-detection-in-identity-protection)**. Identity Protection will no longer generate new "Malware linked IP address" detections. Customers who currently have "Malware linked IP address" detections in their tenant will still be able to view, remediate, or dismiss them until the 90-day detection retention time is reached.| +| Malware linked IP address | Offline | This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. This detection matches the IP addresses of the user's device against IP addresses that were in contact with a bot server while the bot server was active. <br><br> **This detection has been deprecated**. Identity Protection will no longer generate new "Malware linked IP address" detections. 
Customers who currently have "Malware linked IP address" detections in their tenant will still be able to view, remediate, or dismiss them until the 90-day detection retention time is reached.| | Suspicious browser | Offline | Suspicious browser detection indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser. | | Unfamiliar sign-in properties | Real-time |This risk detection type considers past sign-in history to look for anomalous sign-ins. The system stores information about previous sign-ins, and triggers a risk detection when a sign-in occurs with properties that are unfamiliar to the user. These properties can include IP, ASN, location, device, browser, and tenant IP subnet. Newly created users will be in "learning mode" period where the unfamiliar sign-in properties risk detection will be turned off while our algorithms learn the user's behavior. The learning mode duration is dynamic and depends on how much time it takes the algorithm to gather enough information about the user's sign-in patterns. The minimum duration is five days. A user can go back into learning mode after a long period of inactivity. <br><br> We also run this detection for basic authentication (or legacy protocols). Because these protocols don't have modern properties such as client ID, there's limited telemetry to reduce false positives. We recommend our customers to move to modern authentication. <br><br> Unfamiliar sign-in properties can be detected on both interactive and non-interactive sign-ins. When this detection is detected on non-interactive sign-ins, it deserves increased scrutiny due to the risk of token replay attacks. | | Malicious IP address | Offline | This detection indicates sign-in from a malicious IP address. An IP address is considered malicious based on high failure rates because of invalid credentials received from the IP address or other IP reputation sources. | |
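Review bot: replacing the linked "**[This detection has been deprecated](../fundamentals/whats-new-archive.md#planned-deprecationmalware-linked-ip-address-detection-in-identity-protection)**" with plain bold text removes the only pointer to the deprecation announcement and its timeline; if the archive anchor was broken, link to the current what's-new entry instead of dropping the reference, since operators who still have "Malware linked IP address" detections need the date to reason about the 90-day retention window mentioned in the same cell.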
active-directory | App Management Powershell Samples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/app-management-powershell-samples.md | For more information about the cmdlets used in these samples, see [Applications] |**Application Management scripts**|| | [Export secrets and certs (app registrations)](scripts/powershell-export-all-app-registrations-secrets-and-certs.md) | Export secrets and certificates for app registrations in Azure Active Directory tenant. | | [Export secrets and certs (enterprise apps)](scripts/powershell-export-all-enterprise-apps-secrets-and-certs.md) | Export secrets and certificates for enterprise apps in Azure Active Directory tenant. |-| [Export expiring secrets and certs](scripts/powershell-export-apps-with-expriring-secrets.md) | Export App Registrations with expiring secrets and certificates and their Owners in Azure Active Directory tenant. | +| [Export expiring secrets and certs](scripts/powershell-export-apps-with-expiring-secrets.md) | Export App Registrations with expiring secrets and certificates and their Owners in Azure Active Directory tenant. | | [Export secrets and certs expiring beyond required date](scripts/powershell-export-apps-with-secrets-beyond-required.md) | Export App Registrations with secrets and certificates expiring beyond the required date in Azure Active Directory tenant. This uses the non interactive Client_Credentials Oauth flow. | |
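Review bot: the link target is corrected from "powershell-export-apps-with-expriring-secrets.md" to "powershell-export-apps-with-expiring-secrets.md"; this only fixes the table if the script article file was renamed in the same change (and any TOC entry updated), otherwise the link breaks. Confirm a redirect covers the old URL so existing bookmarks to the expiring-secrets script keep working.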
active-directory | Concept Pim For Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/concept-pim-for-groups.md | To learn more about Azure AD built-in roles and their permissions, see [Azure AD One Azure AD tenant can have up to 500 role-assignable groups. To learn more about Azure AD service limits and restrictions, see [Azure AD service limits and restrictions](../enterprise-users/directory-service-limits-restrictions.md). -Azure AD role-assignable group feature is not part of Azure AD Privileged Identity Management (Azure AD PIM). It requires Azure AD Premium P1 or P2 license. +Azure AD role-assignable group feature is not part of Azure AD Privileged Identity Management (Azure AD PIM). It requires a Microsft Entra Premium P1, P2, or Micrsoft Entra ID Governance license. ## Relationship between role-assignable groups and PIM for Groups |
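Review bot: typos in the new sentence: "Microsft Entra Premium P1" and "Micrsoft Entra ID Governance" should be "Microsoft". The list also reads ambiguously as "a Microsft Entra Premium P1, P2, or Micrsoft Entra ID Governance license"; write "a Microsoft Entra Premium P1, Microsoft Entra Premium P2, or Microsoft Entra ID Governance license", consistently with the rest of this batch.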
active-directory | Groups Assign Member Owner | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-assign-member-owner.md | When a membership or ownership is assigned, the assignment: - Can't be removed within five minutes of it being assigned >[!NOTE]->Every user who is eligible for membership in or ownership of a PIM for Groups must have an Azure AD Premium P2 license. For more information, see [License requirements to use Privileged Identity Management](subscription-requirements.md). +>Every user who is eligible for membership in or ownership of a PIM for Groups must have a Microsoft Entra Premuim P2 or Microsoft Entra ID Governance license. For more information, see [License requirements to use Privileged Identity Management](subscription-requirements.md). ## Assign an owner or member of a group |
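Review bot: "Microsoft Entra Premuim P2" is misspelled; "Premium". This note is licensing-critical (every eligible member or owner needs a license), so the product name must match subscription-requirements.md, which the note links to.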
active-directory | Pim Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-configure.md | Organizations want to minimize the number of people who have access to secure in However, users still need to carry out privileged operations in Azure AD, Azure, Microsoft 365, or SaaS apps. Organizations can give users just-in-time privileged access to Azure and Azure AD resources and can oversee what those users are doing with their privileged access. ## License requirements For information about licenses for users, see [License requirements to use Privileged Identity Management](subscription-requirements.md). |
active-directory | Pim Create Roles And Resource Roles Review | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review.md | The need for access to privileged Azure resource and Azure AD roles by employees ## Prerequisites ++For more information about licenses for PIM, refer to [License requirements to use Privileged Identity Management](subscription-requirements.md). To create access reviews for Azure resources, you must be assigned to the [Owner](../../role-based-access-control/built-in-roles.md#owner) or the [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) role for the Azure resources. To create access reviews for Azure AD roles, you must be assigned to the [Global Administrator](../roles/permissions-reference.md#global-administrator) or the [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator) role. -Access Reviews for **Service Principals** requires an Entra Workload Identities Premium plan in addition to Azure AD Premium P2 license. +Access Reviews for **Service Principals** requires an Entra Workload Identities Premium plan in addition to Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses. - Workload Identities Premium licensing: You can view and acquire licenses on the [Workload Identities blade](https://portal.azure.com/#view/Microsoft_Azure_ManagedServiceIdentity/WorkloadIdentitiesBlade) in the Azure portal. |
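Review bot: "Access Reviews for **Service Principals** requires an Entra Workload Identities Premium plan in addition to Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses" needs "require" for the plural subject and "a ... license" in the singular. The added "For more information about licenses for PIM, refer to [License requirements to use Privileged Identity Management]" line is preceded by two blank lines ("++"), so the Prerequisites section opens with extra whitespace; one blank line is enough.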
active-directory | Pim Getting Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-getting-started.md | Use Privileged Identity Management (PIM) to manage, control, and monitor access To use Privileged Identity Management, you must have one of the following licenses: -- Azure AD Premium P2-- Enterprise Mobility + Security (EMS) E5+- [!INCLUDE [active-directory-p2-governance-either-license.md](../../../includes/active-directory-p2-governance-either-license.md)] + For more information, see [License requirements to use Privileged Identity Management](subscription-requirements.md). |
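Review bot: the replacement "- [!INCLUDE [active-directory-p2-governance-either-license.md](../../../includes/active-directory-p2-governance-either-license.md)]" puts the include inside a list item; if the include file itself contains the two license bullets, this renders as a nested list under an empty parent bullet. subscription-requirements.md in this batch uses the same bulleted form, so verify the include's content is plain text, or drop the leading "- " in both places.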
active-directory | Pim How To Add Role To User | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-add-role-to-user.md | The following is an example of the response. The response object shown here migh ## Update or remove an existing role assignment -Follow these steps to update or remove an existing role assignment. **Azure AD P2 licensed customers only**: Don't assign a group as Active to a role through both Azure AD and Privileged Identity Management (PIM). For a detailed explanation, see [Known issues](../roles/groups-concept.md#known-issues). +Follow these steps to update or remove an existing role assignment. **Microsoft Entra Premium P2 or Microsoft Entra ID Governance licensed customers only**: Don't assign a group as Active to a role through both Azure AD and Privileged Identity Management (PIM). For a detailed explanation, see [Known issues](../roles/groups-concept.md#known-issues). 1. Open **Azure AD Privileged Identity Management**. |
active-directory | Pim How To Configure Security Alerts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts.md | Privileged Identity Management (PIM) generates alerts when there's suspicious or  +## License requirements + ## Security alerts This section lists all the security alerts for Azure AD roles, along with how to fix and how to prevent. Severity has the following meaning: Severity: **Low** | **Prevention** | [Require MFA](pim-how-to-change-default-settings.md) for every role. | | **In-portal mitigation action** | Makes multi-factor authentication required for activation of the privileged role. | -### The organization doesn't have Azure AD Premium P2 +### The organization doesn't have Microsoft Entra Premium P2 or Microsoft Entra ID Governance Severity: **Low** | | Description | | | |-| **Why do I get this alert?** | The current Azure AD organization doesn't have Azure AD Premium P2. | -| **How to fix?** | Review information about [Azure AD editions](../fundamentals/active-directory-whatis.md). Upgrade to Azure AD Premium P2. | +| **Why do I get this alert?** | The current Azure AD organization doesn't have Microsoft Entra Premium P2 or Microsoft Entra ID Governance. | +| **How to fix?** | Review information about [Azure AD editions](../fundamentals/active-directory-whatis.md). Upgrade to Microsoft Entra Premium P2 or Microsoft Entra ID Governance. | ### Potential stale accounts in a privileged role |
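Review bot: renaming the alert heading to "### The organization doesn't have Microsoft Entra Premium P2 or Microsoft Entra ID Governance" changes the section anchor that other pages and in-product alert help links may target, and the heading should match the alert title as the PIM portal actually shows it; keep the old anchor (or a redirect) if the in-product text still says "Azure AD Premium P2". The added "+## License requirements" heading has no content before "## Security alerts", and the fix row still says "Review information about [Azure AD editions]" while naming Microsoft Entra products.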
active-directory | Subscription Requirements | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/subscription-requirements.md | -To use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, a tenant must have a valid license. Licenses must also be assigned to the administrators and relevant users. This article describes the license requirements to use Privileged Identity Management. +To use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, a tenant must have a valid license. Licenses must also be assigned to the administrators and relevant users. This article describes the license requirements to use Privileged Identity Management. To use Privileged Identity Management, you must have one of the following licenses: -## Valid licenses --You will need an Azure AD license to use PIM and all of it's settings. Currently, you can scope an access review to service principals with access to Azure AD and Azure resource roles (Preview) with an Azure Active Directory Premium P2 edition active in your tenant. The licensing model for service principals will be finalized for general availability of this feature and additional licenses may be required. 
[!INCLUDE [Azure AD Premium P2 license](../../../includes/active-directory-p2-license.md)] --## Licenses you must have +- [!INCLUDE [active-directory-p2-governance-either-license.md](../../../includes/active-directory-p2-governance-either-license.md)] -Ensure that your directory has Azure AD Premium P2 licenses for the following categories of users: -- Users with eligible and/or time-bound assignments to Azure AD or Azure roles managed using PIM-- Users with eligible and/or time-bound assignments as members or owners of PIM for Groups-- Users able to approve or reject activation requests in PIM-- Users assigned to an access review-- Users who perform access reviews+## Valid licenses -Azure AD Premium P2 licenses are **not** required for the following tasks: +You will need either Microsoft Entra ID Governance licenses or Azure AD Premium P2 licenses to use PIM and all of its settings. Currently, you can scope an access review to service principals with access to Azure AD and Azure resource roles with an Microsoft Entra Premuim P2 or Microsoft Entra ID Governance edition active in your tenant. The licensing model for service principals will be finalized for general availability of this feature and additional licenses may be required. -- No licenses are required for users who set up PIM, configure policies, receive alerts, and set up access reviews.+## Licenses you must have +Ensure that your tenant has either Microsoft Entra ID Governance or Microsoft Azure AD Premium P2 licenses for all users whose identities or access is governed or who interact with an identity governance feature. -For more information about licenses, see [Assign or remove licenses using the Azure portal](../fundamentals/license-users-groups.md). 
## Example license scenarios Here are some example license scenarios to help you determine the number of lice ## When a license expires -If an Azure AD Premium P2, EMS E5, or trial license expires, Privileged Identity Management features will no longer be available in your directory: +If a Microsoft Azure AD Premuim P2, Microsoft Entra ID Governance, or trial license expires, Privileged Identity Management features will no longer be available in your directory: - Permanent role assignments to Azure AD roles will be unaffected. - The Privileged Identity Management service in the Azure portal, as well as the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles. |
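Review bot: typos and article: "with an Microsoft Entra Premuim P2" should be "with a Microsoft Entra Premium P2", and "If a Microsoft Azure AD Premuim P2, Microsoft Entra ID Governance, or trial license expires" should read "Premium". The restructuring also removes "No licenses are required for users who set up PIM, configure policies, receive alerts, and set up access reviews" and the "Licenses you must have" enumeration (eligible assignees, PIM for Groups members and owners, approvers, reviewers); the replacement "all users whose identities or access is governed or who interact with an identity governance feature" is vaguer and can be read as requiring licenses for administrators who only configure PIM, so keep the enumeration or restate the exemption explicitly. EMS E5 was dropped from the expiry sentence; if it still qualifies through the include, list it there too, and keep the removed "For more information about licenses, see [Assign or remove licenses using the Azure portal]" link.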
aks | Open Ai Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/open-ai-quickstart.md | + + Title: Deploy an application that uses OpenAI on Azure Kubernetes Service (AKS) +description: Learn how to deploy an application that uses OpenAI on Azure Kubernetes Service (AKS). #Required; article description that is displayed in search results. + Last updated : 6/29/2023++++# Deploy an application that uses OpenAI on Azure Kubernetes Service (AKS) ++In this article, you will learn how to deploy an application that uses Azure OpenAI or OpenAI on AKS. With OpenAI, you can easily adapt different AI models, such as content generation, summarization, semantic search, and natural language to code generation, for your specific tasks. ++This article also walks you through how to run a sample multi-container solution representative of real-world implementations. The multi-container solution is comprised of applications written in multiple languages and frameworks, including: +- Golang with Gin +- Rust with Actix-Web +- JavaScript with Vue.js and Fastify +- Python with FastAPI ++These applications provide front ends for customers and store admins, REST APIs for sending data to RabbitMQ message queue and MongoDB database, and console apps to simulate traffic. ++The codebase for [AKS Store Demo][aks-store-demo] can be found on GitHub. ++## Before you begin ++- You need an Azure account with an active subscription. If you don't have one, [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +- For this demo, you can either use Azure OpenAI service or OpenAI service. If you plan on using Azure OpenAI service, you need to enable it for your Azure subscription by filling out the [Request Access to Azure OpenAI Service][aoai-access] form. +- If you plan on using OpenAI, sign up on the [OpenAI website][open-ai-landing]. 
+++## Create a resource group +An [Azure resource group][azure-resource-group] is a logical group in which Azure resources are deployed and managed. When you create a resource group, you're prompted to specify a location. This location is the storage location of your resource group metadata and where your resources run in Azure if you don't specify another region during resource creation. ++The following example creates a resource group named *myResourceGroup* in the *eastus* location. ++* Create a resource group using the [`az group create`][az-group-create] command. ++ ```azurecli-interactive + az group create --name myResourceGroup --location eastus + ``` + + The following output example resembles the successful creation of the resource group: ++ ```json + { + "id": "/subscriptions/<guid>/resourceGroups/myResourceGroup", + "location": "eastus", + "managedBy": null, + "name": "myResourceGroup", + "properties": { + "provisioningState": "Succeeded" + }, + "tags": null, + "type": "Microsoft.Resources/resourceGroups" + } + ``` ++## Create an AKS cluster +The following example creates a cluster named *myAKSCluster* in the resource group *myResourceGroup* created earlier. ++* Create an AKS cluster using the [`az aks create`][az-aks-create] command. ++ ```azurecli-interactive + az aks create --resource-group myResourceGroup --name myAKSCluster --generate-ssh-keys + ``` ++ After a few minutes, the command completes and returns JSON-formatted information about the cluster. ++## Connect to the cluster ++To manage a Kubernetes cluster, use the Kubernetes command-line client, [kubectl][kubectl]. `kubectl` is already installed if you use Azure Cloud Shell. ++1. Install `kubectl` locally using the [`az aks install-cli`][az-aks-install-cli] command. ++ ```azurecli + az aks install-cli + ``` + Use `sudo az aks install-cli` if elevated permission is required on Linux-based system. ++2. 
Configure `kubectl` to connect to your Kubernetes cluster using the [`az aks get-credentials`][az-aks-get-credentials] command. ++ This command executes the following operations: ++ * Downloads credentials and configures the Kubernetes CLI to use them. + * Uses `~/.kube/config`, the default location for the [Kubernetes configuration file][kubeconfig-file]. Specify a different location for your Kubernetes configuration file using *--file* argument. ++ ```azurecli-interactive + az aks get-credentials --resource-group myResourceGroup --name myAKSCluster + ``` ++3. Verify the connection to your cluster using the [`kubectl get`][kubectl-get] command. This command returns a list of the cluster nodes. ++ ```bash + kubectl get nodes + ``` ++ The following output example shows the single node created in the previous steps. Make sure the node status is *Ready*. ++ ```output + NAME STATUS ROLES AGE VERSION + aks-nodepool1-31469198-vmss000000 Ready agent 3h29m v1.25.6 + aks-nodepool1-31469198-vmss000001 Ready agent 3h29m v1.25.6 + aks-nodepool1-31469198-vmss000002 Ready agent 3h29m v1.25.6 + ``` ++## Deploy the application +++For the [AKS Store application][aks-store-demo], this manifest includes the following Kubernetes deployments and +- Product Service: Shows product information +- Order Service: Places orders +- Makeline Service: Processes orders from the queue and completes the orders +- Store Front: Web application for customers to view products and place orders +- Store Admin: Web application for store employees to view orders in the queue and manage product information +- Virtual Customer: Simulates order creation on a scheduled basis +- Virtual Worker: Simulates order completion on a scheduled basis +- Mongo DB: NoSQL instance for persisted data +- Rabbit MQ: Message queue for an order queue ++1. Create a file named `aks-store.yaml` and copy the following manifest. 
+ ```yaml + apiVersion: apps/v1 + kind: Deployment + metadata: + name: mongodb + spec: + replicas: 1 + selector: + matchLabels: + app: mongodb + template: + metadata: + labels: + app: mongodb + spec: + nodeSelector: + "kubernetes.io/os": linux + containers: + - name: mongodb + image: mcr.microsoft.com/mirror/docker/library/mongo:4.2 + ports: + - containerPort: 27017 + name: mongodb + resources: {} + + apiVersion: v1 + kind: Service + metadata: + name: mongodb + spec: + ports: + - port: 27017 + selector: + app: mongodb + type: ClusterIP + + apiVersion: apps/v1 + kind: Deployment + metadata: + name: rabbitmq + spec: + replicas: 1 + selector: + matchLabels: + app: rabbitmq + template: + metadata: + labels: + app: rabbitmq + spec: + nodeSelector: + "kubernetes.io/os": linux + containers: + - name: rabbitmq + image: mcr.microsoft.com/mirror/docker/library/rabbitmq:3.10-management-alpine + ports: + - containerPort: 5672 + name: rabbitmq-amqp + - containerPort: 15672 + name: rabbitmq-http + env: + - name: RABBITMQ_DEFAULT_USER + value: "username" + - name: RABBITMQ_DEFAULT_PASS + value: "password" + resources: {} + + apiVersion: v1 + kind: Service + metadata: + name: rabbitmq + spec: + selector: + app: rabbitmq + ports: + - name: rabbitmq-amqp + port: 5672 + targetPort: 5672 + - name: rabbitmq-http + port: 15672 + targetPort: 15672 + type: ClusterIP + + apiVersion: apps/v1 + kind: Deployment + metadata: + name: order-service + spec: + replicas: 1 + selector: + matchLabels: + app: order-service + template: + metadata: + labels: + app: order-service + spec: + nodeSelector: + "kubernetes.io/os": linux + containers: + - name: order-service + image: ghcr.io/azure-samples/aks-store-demo/order-service:latest + ports: + - containerPort: 3000 + env: + - name: ORDER_QUEUE_PROTOCOL + value: "amqp" + - name: ORDER_QUEUE_HOSTNAME + value: "rabbitmq" + - name: ORDER_QUEUE_PORT + value: "5672" + - name: ORDER_QUEUE_USERNAME + value: "username" + - name: ORDER_QUEUE_PASSWORD + value: 
"password" + - name: FASTIFY_ADDRESS + value: "0.0.0.0" + resources: {} + initContainers: + - name: wait-for-rabbitmq + image: busybox + command: ['sh', '-c', 'until nc -zv rabbitmq 5672; do echo waiting for rabbitmq; sleep 2; done;'] + + apiVersion: v1 + kind: Service + metadata: + name: order-service + spec: + type: ClusterIP + ports: + - name: http + port: 3000 + targetPort: 3000 + selector: + app: order-service + + apiVersion: apps/v1 + kind: Deployment + metadata: + name: makeline-service + spec: + replicas: 1 + selector: + matchLabels: + app: makeline-service + template: + metadata: + labels: + app: makeline-service + spec: + nodeSelector: + "kubernetes.io/os": linux + containers: + - name: makeline-service + image: ghcr.io/azure-samples/aks-store-demo/makeline-service:latest + ports: + - containerPort: 3001 + env: + - name: ORDER_QUEUE_CONNECTION_STRING + value: "amqp://username:password@rabbitmq:5672/" + - name: ORDER_QUEUE_NAME + value: "orders" + - name: ORDER_DB_CONNECTION_STRING + value: "mongodb://mongodb:27017" + - name: ORDER_DB_NAME + value: "orderdb" + - name: ORDER_DB_COLLECTION_NAME + value: "orders" + resources: {} + + apiVersion: v1 + kind: Service + metadata: + name: makeline-service + spec: + type: ClusterIP + ports: + - name: http + port: 3001 + targetPort: 3001 + selector: + app: makeline-service + + apiVersion: apps/v1 + kind: Deployment + metadata: + name: product-service + spec: + replicas: 1 + selector: + matchLabels: + app: product-service + template: + metadata: + labels: + app: product-service + spec: + nodeSelector: + "kubernetes.io/os": linux + containers: + - name: product-service + image: ghcr.io/azure-samples/aks-store-demo/product-service:latest + ports: + - containerPort: 3002 + resources: {} + + apiVersion: v1 + kind: Service + metadata: + name: product-service + spec: + type: ClusterIP + ports: + - name: http + port: 3002 + targetPort: 3002 + selector: + app: product-service + + apiVersion: apps/v1 + kind: Deployment + 
metadata: + name: store-front + spec: + replicas: 1 + selector: + matchLabels: + app: store-front + template: + metadata: + labels: + app: store-front + spec: + nodeSelector: + "kubernetes.io/os": linux + containers: + - name: store-front + image: ghcr.io/azure-samples/aks-store-demo/store-front:latest + ports: + - containerPort: 8080 + name: store-front + env: + - name: VUE_APP_ORDER_SERVICE_URL + value: "http://order-service:3000/" + - name: VUE_APP_PRODUCT_SERVICE_URL + value: "http://product-service:3002/" + resources: {} + + apiVersion: v1 + kind: Service + metadata: + name: store-front + spec: + ports: + - port: 80 + targetPort: 8080 + selector: + app: store-front + type: LoadBalancer + + apiVersion: apps/v1 + kind: Deployment + metadata: + name: store-admin + spec: + replicas: 1 + selector: + matchLabels: + app: store-admin + template: + metadata: + labels: + app: store-admin + spec: + nodeSelector: + "kubernetes.io/os": linux + containers: + - name: store-admin + image: ghcr.io/azure-samples/aks-store-demo/store-admin:latest + ports: + - containerPort: 8081 + name: store-admin + env: + - name: VUE_APP_PRODUCT_SERVICE_URL + value: "http://product-service:3002/" + - name: VUE_APP_MAKELINE_SERVICE_URL + value: "http://makeline-service:3001/" + - name: VUE_APP_AI_SERVICE_URL + value: "http://ai-service:5001/" + resources: {} + + apiVersion: v1 + kind: Service + metadata: + name: store-admin + spec: + ports: + - port: 80 + targetPort: 8081 + selector: + app: store-admin + type: LoadBalancer + + apiVersion: apps/v1 + kind: Deployment + metadata: + name: virtual-customer + spec: + replicas: 1 + selector: + matchLabels: + app: virtual-customer + template: + metadata: + labels: + app: virtual-customer + spec: + nodeSelector: + "kubernetes.io/os": linux + containers: + - name: virtual-worker + image: ghcr.io/azure-samples/aks-store-demo/virtual-customer:latest + env: + - name: ORDER_SERVICE_URL + value: http://order-service:3000/ + - name: ORDERS_PER_HOUR + value: 
"100" + resources: {} + + apiVersion: apps/v1 + kind: Deployment + metadata: + name: virtual-worker + spec: + replicas: 1 + selector: + matchLabels: + app: virtual-worker + template: + metadata: + labels: + app: virtual-worker + spec: + nodeSelector: + "kubernetes.io/os": linux + containers: + - name: virtual-worker + image: ghcr.io/azure-samples/aks-store-demo/virtual-worker:latest + env: + - name: MAKELINE_SERVICE_URL + value: http://makeline-service:3001 + - name: ORDERS_PER_HOUR + value: "100" + resources: {} + ``` ++1. Deploy the application using the [`kubectl apply`][kubectl-apply] command and specify the name of your yaml manifest. + ```bash + kubectl apply -f aks-store.yaml + ``` ++ The following example resembles output showing successfully created deployments and services. ++ ```output + deployment.apps/mongodb created + service/mongodb created + deployment.apps/rabbitmq created + service/rabbitmq created + deployment.apps/order-service created + service/order-service created + deployment.apps/makeline-service created + service/makeline-service created + deployment.apps/product-service created + service/product-service created + deployment.apps/store-front created + service/store-front created + deployment.apps/store-admin created + service/store-admin created + deployment.apps/virtual-customer created + deployment.apps/virtual-worker created + ``` ++## Deploy OpenAI +You can either use Azure OpenAI or OpenAI and run your application on AKS. ++### [Azure OpenAI](#tab/aoai) +1. Enable Azure OpenAI on your Azure subscription by filling out the [Request Access to Azure OpenAI Service][aoai-access] form. +1. In the Azure portal, create an Azure OpenAI instance. +1. Select the Azure OpenAI instance you created. +1. Select **Keys and Endpoints** to generate a key. +1. Select **Model Deployments** > **Managed Deployments** to open the [Azure OpenAI studio][aoai-studio]. +1. Create a new deployment using the **text-davinci-003** model. 
++For more information on how to create a deployment in Azure OpenAI, check out [Get started generating text using Azure OpenAI Service][aoai-get-started]. ++### [OpenAI](#tab/openai) +1. [Generate an OpenAI key][open-ai-new-key] by selecting **Create new secret key** and save the key. You will need this key in the [next step](#deploy-the-ai-service). +1. [Start a paid plan][openai-paid] to use OpenAI API. + ++## Deploy the AI service ++Now that the application is deployed, you can deploy the Python-based microservice that uses OpenAI to automatically generate descriptions for new products being added to the store's catalog. +### [Azure OpenAI](#tab/aoai) +1. Create a file named `ai-service.yaml` and copy the following manifest into it. + ```yaml + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ai-service + spec: + replicas: 1 + selector: + matchLabels: + app: ai-service + template: + metadata: + labels: + app: ai-service + spec: + nodeSelector: + "kubernetes.io/os": linux + containers: + - name: order-service + image: ghcr.io/azure-samples/aks-store-demo/ai-service:latest + ports: + - containerPort: 5001 + env: + - name: USE_AZURE_OPENAI + value: "True" + - name: AZURE_OPENAI_DEPLOYMENT_NAME + value: "" + - name: AZURE_OPENAI_ENDPOINT + value: "" + - name: OPENAI_API_KEY + value: "" + resources: {} + + apiVersion: v1 + kind: Service + metadata: + name: ai-service + spec: + type: ClusterIP + ports: + - name: http + port: 5001 + targetPort: 5001 + selector: + app: ai-service + ``` +1. Set the environment variable `USE_AZURE_OPENAI` to `"True"` +1. Get your Azure OpenAI Deployment name from [Azure OpenAI studio][aoai-studio], and fill in the `AZURE_OPENAI_DEPLOYMENT_NAME` value. +1. Get your Azure OpenAI endpoint and Azure OpenAI API key from the Azure portal by clicking on **Keys and Endpoint** in the left blade of the resource. Fill in your `AZURE_OPENAI_ENDPOINT` and `OPENAI_API_KEY` in the yaml accordingly. +1. 
Deploy the application using the [`kubectl apply`][kubectl-apply] command and specify the name of your yaml manifest. + ```bash + kubectl apply -f ai-service.yaml + ``` + The following example resembles output showing successfully created deployments and services. + ```output + deployment.apps/ai-service created + service/ai-service created + ``` +### [OpenAI](#tab/openai) +1. Create a file named `ai-service.yaml` and copy the following manifest into it. + ```yaml + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ai-service + spec: + replicas: 1 + selector: + matchLabels: + app: ai-service + template: + metadata: + labels: + app: ai-service + spec: + nodeSelector: + "kubernetes.io/os": linux + containers: + - name: order-service + image: ghcr.io/azure-samples/aks-store-demo/ai-service:latest + ports: + - containerPort: 5001 + env: + - name: USE_AZURE_OPENAI + value: "False" + - name: OPENAI_API_KEY + value: "" + - name: OPENAI_ORG_ID + value: "" + resources: {} + + apiVersion: v1 + kind: Service + metadata: + name: ai-service + spec: + type: ClusterIP + ports: + - name: http + port: 5001 + targetPort: 5001 + selector: + app: ai-service + ``` +1. Set the environment variable `USE_AZURE_OPENAI` to `"False"` +1. Set the environment variable `OPENAI_API_KEY` by pasting in the OpenAI key you generated in the [last step](#deploy-openai). +1. [Find your OpenAI organization ID][open-ai-org-id], copy the value, and set the `OPENAI_ORG_ID` environment variable. +1. Deploy the application using the [`kubectl apply`][kubectl-apply] command and specify the name of your yaml manifest. + ```bash + kubectl apply -f ai-service.yaml + ``` + The following example resembles output showing successfully created deployments and services. 
+ ```output + deployment.apps/ai-service created + service/ai-service created + ``` +++> [!NOTE] +> Directly adding sensitive information, such as API keys, to your Kubernetes manifest files isn't secure and may accidentally get committed to code repositories. We added it here for simplicity. For production workloads, use [Managed Identity][managed-identity] to authenticate to Azure OpenAI service instead or store your secrets in [Azure Key Vault][key-vault]. ++## Test the application +1. See the status of the deployed pods using the [kubectl get pods][kubectl-get] command. ++ ```bash + kubectl get pods + ``` + Make sure all the pods are *Running* before continuing to the next step. + ```output + NAME READY STATUS RESTARTS AGE + makeline-service-7db94dc7d4-8g28l 1/1 Running 0 99s + mongodb-78f6d95f8-nptbz 1/1 Running 0 99s + order-service-55cbd784bb-6bmfb 1/1 Running 0 99s + product-service-6bf4d65f74-7cbvk 1/1 Running 0 99s + rabbitmq-9855984f9-94nlm 1/1 Running 0 99s + store-admin-7f7d768c48-9hn8l 1/1 Running 0 99s + store-front-6786c64d97-xq5s9 1/1 Running 0 99s + virtual-customer-79498f8667-xzsb7 1/1 Running 0 99s + virtual-worker-6d77fff4b5-7g7rj 1/1 Running 0 99s + ``` ++1. To get the IP of the store admin web application and store front web application, use the `kubectl get service` command. + + ```bash + kubectl get service store-admin + ``` + The application exposes the Store Admin site to the internet via a public load balancer provisioned by the Kubernetes service. This process can take a few minutes to complete. **EXTERNAL IP** initially shows *pending*, until the service comes up and shows the IP address. + ```output + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + store-admin LoadBalancer 10.0.142.228 40.64.86.161 80:32494/TCP 50m + ``` + Repeat the same step for the service named store-front. + +1. Open a web browser and browse to the external IP address of your service. In the example shown here, open 40.64.86.161 to see Store Admin in the browser. 
Repeat the same step for Store Front. +1. In store admin, click on the products tab, then select **Add Products**. +1. When the ai-service is running successfully, you should see the Ask OpenAI button next to the description field. Fill in the name, price, and keywords, then click Ask OpenAI to generate a product description. Then click save product. See the picture for an example of adding a new product. +1. You can now see the new product you created on Store Admin used by sellers. In the picture, you can see Jungle Monkey Chew Toy is added. +1. You can also see the new product you created on Store Front used by buyers. In the picture, you can see Jungle Monkey Chew Toy is added. Remember to get the IP address of store front by using [kubectl get service][kubectl-get]. ++## Next steps +Now that you've seen how to add OpenAI functionality to an AKS application, learn more about what you can do with generative AI for your use cases. Here are some resources to get started: +- [Azure OpenAI Service Documentation][aoai] +- [Microsoft Learn | Introduction to Azure OpenAI Services][learn-aoai] +- [OpenAI Platform][openai-platform] +- [Project Miyagi - Envisioning sample for Copilot stack][miyagi] ++<!-- Links external --> +[aks-store-demo]: https://github.com/Azure-Samples/aks-store-demo +[kubectl]: https://kubernetes.io/docs/reference/kubectl/ +[kubeconfig-file]: https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/ +[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get +[kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply +[aoai-studio]: https://oai.azure.com/portal/ +[open-ai-landing]: https://openai.com/ +[open-ai-new-key]: https://platform.openai.com/account/api-keys +[open-ai-org-id]: https://platform.openai.com/account/org-settings +[aoai-access]: https://aka.ms/oai/access +[openai-paid]: https://platform.openai.com/account/billing/overview 
+[openai-platform]: https://platform.openai.com/ +[miyagi]: https://github.com/Azure-Samples/miyagi ++<!-- Links internal --> +[azure-resource-group]: ../azure-resource-manager/management/overview.md +[az-group-create]: /cli/azure/group#az-group-create +[az-aks-create]: /cli/azure/aks#az-aks-create +[az-aks-install-cli]: /cli/azure/aks#az-aks-install-cli +[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials +[aoai-get-started]: ../cognitive-services/openai/quickstart.md +[managed-identity]: /azure/cognitive-services/openai/how-to/managed-identity#authorize-access-to-managed-identities +[key-vault]: csi-secrets-store-driver.md +[aoai]: ../cognitive-services/openai/index.yml +[learn-aoai]: /training/modules/explore-azure-openai |
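Review bot: the aks-store.yaml manifest hard-codes the broker credentials in three places: `RABBITMQ_DEFAULT_USER`/`RABBITMQ_DEFAULT_PASS` on the rabbitmq Deployment, `ORDER_QUEUE_USERNAME`/`ORDER_QUEUE_PASSWORD` on order-service, and inline in `ORDER_QUEUE_CONNECTION_STRING: "amqp://username:password@rabbitmq:5672/"` on makeline-service. The NOTE near the end of the article only warns about the OpenAI API key; either extend it to cover these values or move them into a Kubernetes Secret referenced with `valueFrom: secretKeyRef`, which also keeps the three copies in sync. The mongodb Deployment starts without any authentication and `ORDER_DB_CONNECTION_STRING: "mongodb://mongodb:27017"` carries no credentials, which deserves a sentence in the same note.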
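Review bot: copy/paste error in the virtual-customer Deployment: the container is named `virtual-worker` while its image is `ghcr.io/azure-samples/aks-store-demo/virtual-customer:latest`; rename the container to `virtual-customer` so that pod and container names match the component the list above describes.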
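Review bot: in both ai-service.yaml manifests (Azure OpenAI tab and OpenAI tab) the container under the `ai-service` Deployment is named `order-service`; rename it to `ai-service`. The follow-up step "Set the environment variable `USE_AZURE_OPENAI` to `"True"`" (and `"False"` on the other tab) is redundant, since the manifest the reader just copied already sets that value; only the empty `value: ""` placeholders actually need editing, so the steps should say so.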
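Review bot: every application image is pulled by the mutable `:latest` tag and the `wait-for-rabbitmq` init container uses an untagged `busybox` image, so what a reader deploys can change between runs of the quickstart and the sample output is not reproducible. Pinning to a released tag or an `@sha256:` digest would make the article stable and models the supply-chain practice the rest of the AKS docs recommend; if `:latest` is kept deliberately for a quickstart, say so in one sentence.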
api-management | Api Management Howto Aad B2c | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-aad-b2c.md | For an overview of options to secure the developer portal, see [Secure access to > * This article has been updated with steps to configure an Azure AD B2C app using the Microsoft Authentication Library ([MSAL](../active-directory/develop/msal-overview.md)). > * If you previously configured an Azure AD B2C app for user sign-in using the Azure AD Authentication Library (ADAL), we recommend that you [migrate to MSAL](#migrate-to-msal). + ## Prerequisites * An Azure Active Directory B2C tenant in which to create an application. For more information, see [Azure Active Directory B2C overview](../active-directory-b2c/overview.md). * An API Management instance. If you don't already have one, [create an Azure API Management instance](get-started-create-service-instance.md). - ## Configure sign up and sign in user flow In this section, you'll create a user flow in your Azure Active Directory B2C tenant containing both sign up and sign in policies. For detailed steps, see [Create user flows and custom policies in Azure Active Directory B2C](../active-directory-b2c/tutorial-create-user-flows.md?pivots=b2c-us). 1. In the [Azure portal](https://portal.azure.com), access your Azure Active Directory B2C tenant. 1. Under **Policies**, select **User flows** > **+ New user flow**.-1. On the **Create a user flow** page, select the **Sign up and sign in** user flow. -1. Provide the following information: +1. On the **Create a user flow** page, select the **Sign up and sign in** user flow. Select the **Recommended** version and then select **Create**. +1. On the **Create** page, provide the following information: 1. Enter a unique name for the user flow. 1. In **Identity providers**, select **Email signup**.- 1. 
In **User attributes and token claims**, select the attributes and claims needed for the API Management developer portal (not needed for the legacy developer portal). - * **Attributes**: Given Name, Surname - * **Claims**: Given Name, Surname, Email Addresses, UserΓÇÖs ObjectID + 1. In **User attributes and token claims**, select the following attributes and claims that are needed for the API Management developer portal (not needed for the legacy developer portal). + * **Collect attributes**: Given Name, Surname + * **Return claims**: Given Name, Surname, Email Addresses, UserΓÇÖs ObjectID -  +  1. Select **Create**. ## Configure identity provider for developer portal In this section, you'll create a user flow in your Azure Active Directory B2C te * To add other settings, see steps later in the article. 1. In the **Add identity provider** window, copy the **Redirect URL**. - :::image type="content" source="media/api-management-howto-aad-b2c/b2c-identity-provider-redirect-url.png" alt-text="Copy redirect URL"::: + :::image type="content" source="media/api-management-howto-aad-b2c/b2c-identity-provider-redirect-url.png" alt-text="Screenshot of the redirect URL in the portal."::: 1. Return to the browser tab for your Azure Active Directory B2C tenant in the Azure portal. Select **App registrations** > **+ New registration**. 1. In the **Register an application** page, enter your application's registration information. * In the **Name** section, enter an application name of your choosing.- * In the **Supported account types** section, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**. For more information, see [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application). + * In the **Supported account types** section, select **Accounts in any organizational directory (for authenticating users with user flows)**. 
For more information, see [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application). * In **Redirect URI**, select **Single-page application (SPA)** and paste the redirect URL you saved from a previous step. * In **Permissions**, select **Grant admin consent to openid and offline_access permissions.** * Select **Register** to create the application. - :::image type="content" source="media/api-management-howto-aad-b2c/b2c-app-registration.png" alt-text="Register a new application"::: + :::image type="content" source="media/api-management-howto-aad-b2c/b2c-app-registration.png" alt-text="Screenshot of registering a new application in the portal."::: 1. On the app **Overview** page, find the **Application (client) ID** and copy the value to the clipboard. - :::image type="content" source="media/api-management-howto-aad-b2c/b2c-app-id.png" alt-text="Application ID"::: + :::image type="content" source="media/api-management-howto-aad-b2c/b2c-app-id.png" alt-text="Screenshot of the Overview page in the portal."::: 1. Switch back to the API Management **Add identity provider** page and paste the ID into the **Client Id** text box. 1. Switch back to the B2C app registration. Select **Certificates & secrets** > **+ New client secret**. - :::image type="content" source="media/api-management-howto-aad-b2c/generate-app-key.png" alt-text="Create client secret"::: + :::image type="content" source="media/api-management-howto-aad-b2c/generate-app-key.png" alt-text="Screenshot of creating a client secret in the portal."::: * In the **Add a client secret** page, enter a **Description** and select **Add**.- * Record the key in a safe location. This secret value is never displayed again after you leave this page. + * Record the **Value** in a safe location. This secret value is never displayed again after you leave this page. 1. 
Switch back to the API Management **Add identity provider** page, and paste the key into the **Client secret** text box.-1. Switch back to the B2C app registration. In the left menu, under **Manage**, select **Authentication**. - * Under **Implicit grant and hybrid flows**, select both the **Access tokens** and **ID tokens** check boxes. - * Select **Save**. -1. Switch back in the API Management **Add identity provider** page. +1. Continuing on the **Add identity provider** page: * In **Signin tenant**, specify the domain name of the Azure Active Directory B2C tenant. * The **Authority** field lets you control the Azure Active Directory B2C login URL to use. Set the value to **<your_b2c_tenant_name>.b2clogin.com**.- * Specify the **Signup Policy** and **Signin Policy** from the B2C tenant policies. + * Specify the **Sign-up Policy** and **Sign-in Policy** using the name of the user flow you created in a previous step. * Optionally provide the **Profile Editing Policy** and **Password Reset Policy**. - :::image type="content" source="media/api-management-howto-aad-b2c/add-identity-provider.png" alt-text="Active Directory B2c identity provider configuration"::: + :::image type="content" source="media/api-management-howto-aad-b2c/add-identity-provider.png" alt-text="Screenshot of the Active Directory B2C identity provider configuration in the portal."::: 1. After you've specified the desired configuration, select **Add**. 1. Republish the developer portal for the Azure AD B2C configuration to take effect. In the left menu, under **Developer portal**, select **Portal overview** > **Publish**. If you previously configured an Azure AD B2C app for user sign-in using the ADAL ### Update Azure AD B2C app for MSAL compatibility -For steps, see [Switch redirect URIs to the single-page application type](../active-directory/develop/migrate-spa-implicit-to-auth-code.md#switch-redirect-uris-to-spa-platform). 
+For steps to update the Azure AD B2C app, see [Switch redirect URIs to the single-page application type](../active-directory/develop/migrate-spa-implicit-to-auth-code.md#switch-redirect-uris-to-spa-platform). ### Update identity provider configuration In the developer portal, sign-in with Azure Active Directory B2C is possible wit 1. On the **Sign in** page, select **Azure Active Directory B2C**. - :::image type="content" source="media/api-management-howto-aad-b2c/developer-portal-sign-in.png" alt-text="Sign in to developer portal"::: -1. You're redirected to the signup policy that you configured in the previous section. Choose to sign up by using your email address in the Active Directory B2C tenant + :::image type="content" source="media/api-management-howto-aad-b2c/developer-portal-sign-in.png" alt-text="Screenshot of signing in to developer portal."::: +1. You're redirected to the signup policy that you configured in the previous section. Choose to sign up by using your email address in the Active Directory B2C tenant. When the signup is complete, you're redirected back to the developer portal. You're now signed in to the developer portal for your API Management service instance. The **Sign-up form: OAuth** widget represents a form used for signing up with OA 1. Open a new browser window and go to the legacy developer portal. Click the **Sign up** button. - :::image type="content" source="media/api-management-howto-aad-b2c/b2c-dev-portal.png" alt-text="Sign up in legacy developer portal"::: + :::image type="content" source="media/api-management-howto-aad-b2c/b2c-dev-portal.png" alt-text="Screenshot of sign up in legacy developer portal."::: 1. Choose to sign up with **Azure Active Directory B2C**. 
- :::image type="content" source="media/api-management-howto-aad-b2c/b2c-dev-portal-b2c-button.png" alt-text="Sign up with Azure Active Directory B2C"::: + :::image type="content" source="media/api-management-howto-aad-b2c/b2c-dev-portal-b2c-button.png" alt-text="Screenshot of sign up with Azure Active Directory B2C in legacy developer portal."::: 1. You're redirected to the signup policy you configured in the previous section. Choose to sign up by using your email address or one of your existing social accounts. |
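Review bot: the apostrophe in "UserΓÇÖs ObjectID" is mis-encoded in both the removed and the added claims line ("User's ObjectID" is intended); since the added line is being rewritten anyway, use a plain ASCII apostrophe so the claim name renders correctly.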
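Review bot: the added line changes the supported-account-type option from "Accounts in any identity provider or organizational directory (for authenticating users with user flows)" to "Accounts in any organizational directory (for authenticating users with user flows)". Nothing in the change explains the shortening, and the removed wording is the more specific one; confirm the new text matches the label currently shown in the B2C app registration blade, because a mismatched label sends readers to the wrong option.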
api-management | Authorizations Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authorizations-overview.md | At runtime API Management can't fetch new tokens, and an error occurs. ### Is this feature supported using API Management running inside a VNet? -Yes, as long as outbound connectivity on port 443 is enabled to the **ServiceConnectors** service tag. For more information, see [Virtual network configuration reference](virtual-network-reference.md#required-ports). +Yes, as long as outbound connectivity on port 443 is enabled to the **AzureConnectors** service tag. For more information, see [Virtual network configuration reference](virtual-network-reference.md#required-ports). ### What happens when an authorization provider is deleted? All underlying authorizations and access policies are also deleted. ### Are the access tokens cached by API Management? -The access token is cached by the API management until 3 minutes before the token expiration time. -+In the dedicated service tiers, the access token is cached by the API management until 3 minutes before the token expiration time. Access tokens aren't cached in the Consumption tier. ## Next steps Learn how to: - Configure [identity providers](authorizations-configure-common-providers.md) for authorizations - Configure and use an authorization for the [Microsoft Graph API](authorizations-how-to-azure-ad.md) or the [GitHub API](authorizations-how-to-github.md) - Configure [multiple authorization connections](configure-authorization-connection.md) for a provider+ |
app-service | App Service Asp Net Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/app-service-asp-net-migration.md | description: A collection of .NET migration resources available to Azure App Ser Previously updated : 06/28/2022 Last updated : 06/29/2023 ms.devlang: csharp |
app-service | App Service Migration Assess Net | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/app-service-migration-assess-net.md | description: Assess .NET web apps before migrating to Azure App Service Previously updated : 06/28/2022 Last updated : 06/29/2023 ms.devlang: csharp |
app-service | Quickstart Custom Container | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-custom-container.md | Title: 'Quickstart: Run a custom container on App Service' description: Get started with containers on Azure App Service by deploying your first custom container. Previously updated : 03/11/2022 Last updated : 06/29/2023 zone_pivot_groups: app-service-containers-windows-linux-portal-ps-cli zone_pivot_groups: app-service-containers-windows-linux-portal-ps-cli :::zone pivot="container-windows-cli" [!INCLUDE [quickstart-custom-container-windows-cli-pivot.md](includes/quickstart-custom-container/quickstart-custom-container-windows-cli-pivot.md)] |
azure-arc | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/resource-bridge/overview.md | While Azure has a number of redundancy features at every level of failure, if a The following private cloud environments and their versions are officially supported for Arc resource bridge: -* VMware vSphere version 6.7, 7.0 +* VMware vSphere version 6.7, 7.0, 8.0 * Azure Stack HCI * SCVMM |
azure-arc | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/vmware-vsphere/overview.md | To deliver this experience, you need to deploy the [Azure Arc resource bridge](. ## Supported VMware vSphere versions -Azure Arc-enabled VMware vSphere (preview) works with vCenter Server versions 6.7 and 7. +Azure Arc-enabled VMware vSphere (preview) works with vCenter Server versions 6.7, 7 and 8. > [!NOTE] > Azure Arc-enabled VMware vSphere (preview) supports vCenters with a maximum of 9500 VMs. If your vCenter has more than 9500 VMs, it is not recommended to use Arc-enabled VMware vSphere with it at this point. |
azure-arc | Quick Start Connect Vcenter To Arc Using Script | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/vmware-vsphere/quick-start-connect-vcenter-to-arc-using-script.md | First, the script deploys a virtual appliance called [Azure Arc resource bridge ### vCenter Server -- vCenter Server version 6.7 or 7.+- vCenter Server version 6.7, 7 or 8. - A virtual network that can provide internet access, directly or through a proxy. It must also be possible for VMs on this network to communicate with the vCenter server on TCP port (usually 443). |
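Review bot: the unchanged context line `communicate with the vCenter server on TCP port (usually 443)` is missing a word after `port`; since the adjacent requirement line is already being edited in this change, reword it to `on a TCP port (usually 443)` in the same commit.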
azure-arc | Support Matrix For Arc Enabled Vmware Vsphere | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/vmware-vsphere/support-matrix-for-arc-enabled-vmware-vsphere.md | The following requirements must be met in order to use Azure Arc-enabled VMware ### Supported vCenter Server versions -Azure Arc-enabled VMware vSphere (preview) works with vCenter Server versions 6.7 and 7. +Azure Arc-enabled VMware vSphere (preview) works with vCenter Server versions 6.7, 7 and 8. > [!NOTE] > Azure Arc-enabled VMware vSphere (preview) currently supports vCenters with a maximum of 9500 VMs. If your vCenter has more than 9500 VMs, it is not recommended to use Arc-enabled VMware vSphere with it at this point. |
azure-functions | Functions Reference Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-reference-python.md | Azure Functions supports the following Python versions: | Functions version | Python\* versions | | -- | :--: |-| 4.x | 3.10<br/>3.9<br/> 3.8<br/>3.7 | +| 4.x | 3.11 (preview) <br/>3.10<br/>3.9<br/> 3.8<br/>3.7 | | 3.x | 3.9<br/> 3.8<br/>3.7 | | 2.x | 3.7 | The Python standard library contains a list of built-in Python modules that are To view the library for your Python version, go to: -* [Python 3.7 standard library](https://docs.python.org/3.7/library/) * [Python 3.8 standard library](https://docs.python.org/3.8/library/) * [Python 3.9 standard library](https://docs.python.org/3.9/library/) * [Python 3.10 standard library](https://docs.python.org/3.10/library/)+* [Python 3.11 standard library](https://docs.python.org/3.11/library/) ### Azure Functions Python worker dependencies |
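Review bot: the standard-library list drops `* [Python 3.7 standard library](https://docs.python.org/3.7/library/)` while the version table in the same change still lists 3.7 under 4.x, 3.x and 2.x; either keep the 3.7 link or remove 3.7 from the table so the two sections agree on which versions are supported.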
azure-linux | How To Install Certs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-linux/how-to-install-certs.md | + + Title: Installing certificates on the Azure Linux Container Host for AKS +description: How to install certificates on the Azure Linux Container Host for AKS. +++ms.editor: schaffererin ++ Last updated : 06/30/2023++++# Installing certificates on the Azure Linux Container host for AKS ++By default, the Azure Linux Container Host for AKS image has a minimal set of root certs to trust certain Microsoft resources, such as packages.microsoft.com. All Microsoft certificates aren't automatically included in our image, which is consistent with the least-privilege principle and gives you the flexibility to opt in to just the root certificates you need and to customize your image. ++The `ca-certificates-base` is preinstalled in the container host image and contains certificates from a small set of Microsoft-owned CAs. It consists of certificates from Microsoft's root and intermediate CAs. This package allows your container host to trust a minimal set of servers, all of which were verified and had their certificates issued by Microsoft. ++The `ca-certificates` cover the root CAs trust by Microsoft through the [Microsoft Trusted Root Program](/security/trusted-root/participants-list). ++The directory `/etc/pki/ca-trust/source/` contains the CA certificates and trust settings in the PEM file format. The trust settings found here are interpreted with a high priority, higher than the ones found in `/usr/share/pki/ca-trust-source/`. ++For more information on the Azure Linux Container Host for AKS image certifications, see the [GitHub documentation](https://github.com/microsoft/CBL-Mariner/blob/2.0/toolkit/docs/security/ca-certificates.md). ++## Add a certificate in the PEM or DER file format ++You can add individual or multiple certificates to your Azure Linux Container Host for AKS image. 
To add a certificate in the simple PEM or DER file format to the list of CAs trusted on the system, follow these steps: ++1. Save your certificate under `etc/pki/ca-trust/source/anchors/`. +1. Run `update-ca-trust` to consolidate CA certificates and associated trust. ++## Add a certificate in the extended BEGIN TRUSTED file format ++If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust trust flags or trust flags for usages other than TLS), then follow these steps: ++1. Save your certificate under `etc/pki/ca-trust/source/`. +2. Run `update-ca-trust` to consolidate CA certificates and associated trust. ++## Next steps ++- Learn more about [Azure Linux Container Host core concepts](./concepts-core.md). +- Follow our tutorial to [Deploy, manage, and update applications](./tutorial-azure-linux-create-cluster.md). +- Get started by [Creating an Azure Linux Container Host for AKS cluster using Azure CLI](./quickstart-azure-cli.md). |
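Review bot: the save paths in both procedures, `etc/pki/ca-trust/source/anchors/` and `etc/pki/ca-trust/source/`, lack the leading slash that the earlier paragraph uses (`/etc/pki/ca-trust/source/`); written as relative paths they resolve against the current directory and `update-ca-trust` will not pick the certificate up. Also, the second list numbers its steps `1.`, `2.` while the first uses `1.`, `1.`; pick one convention. Minor wording: `the root CAs trust by Microsoft` should read `trusted by Microsoft`.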
azure-monitor | Diagnostics Extension Windows Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/diagnostics-extension-windows-install.md | The public settings are defined in the [Public element](diagnostics-extension-sc ## PowerShell deployment -PowerShell can be used to deploy the Azure Diagnostics extension to an existing virtual machine by using [Set-AzVMDiagnosticsExtension](/powershell/module/servicemanagement/azure.service/set-azurevmdiagnosticsextension), as in the following example: +PowerShell can be used to deploy the Azure Diagnostics extension to an existing virtual machine by using [Set-AzVMDiagnosticsExtension](/powershell/module/servicemanagement/azure/set-azurevmdiagnosticsextension), as in the following example: ```powershell Set-AzVMDiagnosticsExtension -ResourceGroupName "myvmresourcegroup" ` |
azure-monitor | Alerts Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-types.md | The information in this table can help you decide when to use each type of alert |Metric alert|Metric data is stored in the system already pre-computed. Metric alerts are useful when you want to be alerted about data that requires little or no manipulation. Use metric alerts if the data you want to monitor is available in metric data.|Each metric alert rule is charged based on the number of time series that are monitored. | |Log alert|You can use log alerts to perform advanced logic operations on your data. If the data you want to monitor is available in logs, or requires advanced logic, you can use the robust features of Kusto Query Language (KQL) for data manipulation by using log alerts.|Each log alert rule is billed based on the interval at which the log query is evaluated. More frequent query evaluation results in a higher cost. For log alerts configured for [at-scale monitoring](#splitting-by-dimensions-in-log-alert-rules), the cost also depends on the number of time series created by the dimensions resulting from your query. | |Activity log alert|Activity logs provide auditing of all actions that occurred on resources. Use activity log alerts to be alerted when a specific event happens to a resource like a restart, a shutdown, or the creation or deletion of a resource. Service Health alerts and Resource Health alerts let you know when there's an issue with one of your services or resources.|For more information, see the [pricing page](https://azure.microsoft.com/pricing/details/monitor/).|-|Prometheus alerts|Prometheus alerts are primarily used for alerting on performance and health of Kubernetes clusters, including Azure Kubernetes Service. The alert rules are based on PromQL, which is an open-source query language. |Prometheus alert rules are only charged on the data queried by the rules. 
For more information, see the [pricing page](https://azure.microsoft.com/pricing/details/monitor/). | +|Prometheus alerts|Prometheus alerts are used for alerting on Prometheus metrics stored in [Azure Monitor managed services for Prometheus](../essentials/prometheus-metrics-overview.md). The alert rules are based on the PromQL open-source query language. |Prometheus alert rules are only charged on the data queried by the rules. For more information, see the [pricing page](https://azure.microsoft.com/pricing/details/monitor/). | ## Metric alerts Smart detection works for web apps hosted in the cloud or on your own servers th ## Prometheus alerts -Prometheus alerts are based on Prometheus metric values stored in [Azure Monitor managed services for Prometheus](../essentials/prometheus-metrics-overview.md). Prometheus alert rules are configured as part of [Prometheus rule groups](/azure/azure-monitor/essentials/prometheus-rule-groups). They fire when the result of a PromQL expression resolves to true. Fired Prometheus alerts are displayed and managed like other alert types. +Prometheus alerts are used to monitor metrics stored in [Azure Monitor managed services for Prometheus](../essentials/prometheus-metrics-overview.md). Prometheus alert rules are configured as part of [Prometheus rule groups](/azure/azure-monitor/essentials/prometheus-rule-groups). They fire when the result of a PromQL expression resolves to true. Fired Prometheus alerts are displayed and managed like other alert types. ## Next steps - Get an [overview of alerts](alerts-overview.md). Prometheus alerts are based on Prometheus metric values stored in [Azure Monitor + |
azure-monitor | Api Custom Events Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/api-custom-events-metrics.md | Yes, the [data access API](/rest/api/application-insights/). Other ways to extra ### Why are my calls to custom events and metrics APIs ignored? -The Application Insights SDK isn't compatible with auto-instrumentation. If auto-instrumentation is enabled, calls to <code class="notranslate">Track()</code> and other custom events and metrics APIs will be ignored. +The Application Insights SDK isn't compatible with autoinstrumentation. If autoinstrumentation is enabled, calls to <code class="notranslate">Track()</code> and other custom events and metrics APIs will be ignored. -Turn off auto-instrumentation in the Azure portal on the Application Insights tab of the App Service page or set <code class="notranslate">ApplicationInsightsAgent_EXTENSION_VERSION</code> to <code class="notranslate">disabled</code>. +Turn off autoinstrumentation in the Azure portal on the Application Insights tab of the App Service page or set <code class="notranslate">ApplicationInsightsAgent_EXTENSION_VERSION</code> to <code class="notranslate">disabled</code>. ## <a name="next"></a>Next steps |
azure-monitor | Application Insights Asp Net Agent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/application-insights-asp-net-agent.md | Application Insights Agent (formerly named Status Monitor V2) is a PowerShell mo It replaces Status Monitor. Telemetry is sent to the Azure portal, where you can [monitor](./app-insights-overview.md) your app. -For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). +For a complete list of supported autoinstrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). > [!NOTE] > The module currently supports codeless instrumentation of ASP.NET and ASP.NET Core web apps hosted with IIS. Use an SDK to instrument Java and Node.js applications. Updated the Application Insights .NET/.NET Core SDK to 2.18.1-redfield ### 2.0.0-beta1 -Added the ASP.NET Core auto-instrumentation feature +Added the ASP.NET Core autoinstrumentation feature |
azure-monitor | Azure Vm Vmss Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-vm-vmss-apps.md | This article walks you through enabling Application Insights monitoring by using ## Enable Application Insights -Auto-instrumentation is easy to enable. Advanced configuration isn't required. +Autoinstrumentation is easy to enable. Advanced configuration isn't required. -For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). +For a complete list of supported autoinstrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). > [!NOTE]-> Auto-instrumentation is available for ASP.NET, ASP.NET Core IIS-hosted applications, and Java. Use an SDK to instrument Node.js and Python applications hosted on Azure virtual machines and virtual machine scale sets. +> Autoinstrumentation is available for ASP.NET, ASP.NET Core IIS-hosted applications, and Java. Use an SDK to instrument Node.js and Python applications hosted on Azure virtual machines and virtual machine scale sets. ### [.NET Framework](#tab/net) Updated Application Insights .NET/.NET Core SDK to 2.18.1 - red field. ### 2.8.41 -Added the ASP.NET Core auto-instrumentation feature. +Added the ASP.NET Core autoinstrumentation feature. ## Next steps * Learn how to [deploy an application to an Azure virtual machine scale set](../../virtual-machine-scale-sets/virtual-machine-scale-sets-deploy-app.md). |
azure-monitor | Azure Web Apps Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-web-apps-java.md | The recommended way to enable application monitoring for Java applications runni Turning on application monitoring in Azure portal will automatically instrument your application with Application Insights, and doesn't require any code changes. You can apply extra configurations, and then based on your specific scenario you [add your own custom telemetry](./opentelemetry-add-modify.md?tabs=java#modify-telemetry) if needed. -### Auto-instrumentation through Azure portal +### Autoinstrumentation through Azure portal You can turn on monitoring for your Java apps running in Azure App Service just with one selection, no code change required. The integration adds [Application Insights Java 3.x](./opentelemetry-enable.md?tabs=java) and auto-collects telemetry. -For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). +For a complete list of supported autoinstrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). 1. **Select Application Insights** in the Azure control panel for your app service, then select **Enable**. |
azure-monitor | Azure Web Apps Net Core | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-web-apps-net-core.md | Enabling monitoring on your ASP.NET Core-based web applications running on [Azur [!INCLUDE [azure-monitor-log-analytics-rebrand](../../../includes/azure-monitor-instrumentation-key-deprecation.md)] -## Enable auto-instrumentation monitoring +## Enable autoinstrumentation monitoring -For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). +For a complete list of supported autoinstrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). # [Windows](#tab/Windows) > [!IMPORTANT]-> Only .NET Core [Long Term Support](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) is supported for auto-instrumentation on Windows. +> Only .NET Core [Long Term Support](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) is supported for autoinstrumentation on Windows. [Trim self-contained deployments](/dotnet/core/deploying/trimming/trim-self-contained) is *not supported*. Use [manual instrumentation](./asp-net-core.md) via code instead. > [!NOTE]-> Auto-instrumentation used to be known as "codeless attach" before October 2021. +> Autoinstrumentation used to be known as "codeless attach" before October 2021. See the following [Enable monitoring](#enable-monitoring) section to begin setting up Application Insights with your App Service resource. # [Linux](#tab/Linux) > [!IMPORTANT]-> Only ASP.NET Core 6.0 is supported for auto-instrumentation on Linux. +> Only ASP.NET Core 6.0 is supported for autoinstrumentation on Linux. [Trim self-contained deployments](/dotnet/core/deploying/trimming/trim-self-contained) is *not supported*. 
Use [manual instrumentation](./asp-net-core.md) via code instead. To check which version of the extension you're running, go to `https://yoursiten Starting with version 2.8.9, the preinstalled site extension is used. If you're using an earlier version, you can update via one of two ways: -* [Upgrade by enabling via the portal](#enable-auto-instrumentation-monitoring): Even if you have the Application Insights extension for App Service installed, the UI shows only the **Enable** button. Behind the scenes, the old private site extension will be removed. +* [Upgrade by enabling via the portal](#enable-autoinstrumentation-monitoring): Even if you have the Application Insights extension for App Service installed, the UI shows only the **Enable** button. Behind the scenes, the old private site extension will be removed. * [Upgrade through PowerShell](#enable-through-powershell): 1. Set the application settings to enable the preinstalled site extension `ApplicationInsightsAgent`. For more information, see [Enable through PowerShell](#enable-through-powershell). What follows is our step-by-step troubleshooting guide for extension/agent-based - Confirm that **Application Insights Extension Status** is `Pre-Installed Site Extension, version 2.8.x.xxxx, is running.` - If it isn't running, follow the instructions in the section [Enable Application Insights monitoring](#enable-auto-instrumentation-monitoring). + If it isn't running, follow the instructions in the section [Enable Application Insights monitoring](#enable-autoinstrumentation-monitoring). - Confirm that the status source exists and looks like `Status source D:\home\LogFiles\ApplicationInsights\status\status_RD0003FF0317B6_4248_1.json`. What follows is our step-by-step troubleshooting guide for extension/agent-based * The value `Auto-Instrumentation enabled successfully` is displayed. If a similar value isn't present, it means the application isn't running or isn't supported. 
To ensure that the application is running, try manually visiting the application URL/application endpoints, which will allow the runtime information to become available. * **IKeyExists** is `True`. If it's `False`, add `APPINSIGHTS_INSTRUMENTATIONKEY` and `APPLICATIONINSIGHTS_CONNECTION_STRING` with your ikey GUID to your application settings. - :::image type="content" source="media/azure-web-apps-net-core/auto-instrumentation-status.png" alt-text="Screenshot that shows the auto-instrumentation status webpage." lightbox="media/azure-web-apps-net-core/auto-instrumentation-status.png"::: + :::image type="content" source="media/azure-web-apps-net-core/auto-instrumentation-status.png" alt-text="Screenshot that shows the autoinstrumentation status webpage." lightbox="media/azure-web-apps-net-core/auto-instrumentation-status.png"::: ### Default website deployed with web apps doesn't support automatic client-side monitoring |
azure-monitor | Azure Web Apps Net | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-web-apps-net.md | -> Manually adding an Application Insights site extension via **Development Tools** > **Extensions** is deprecated. This method of extension installation was dependent on manual updates for each new version. The latest stable release of the extension is now [preinstalled](https://github.com/projectkudu/kudu/wiki/Azure-Site-Extensions) as part of the App Service image. The files are located in *d:\Program Files (x86)\SiteExtensions\ApplicationInsightsAgent* and are automatically updated with each stable release. If you follow the auto-instrumentation instructions to enable monitoring, it will automatically remove the deprecated extension for you. +> Manually adding an Application Insights site extension via **Development Tools** > **Extensions** is deprecated. This method of extension installation was dependent on manual updates for each new version. The latest stable release of the extension is now [preinstalled](https://github.com/projectkudu/kudu/wiki/Azure-Site-Extensions) as part of the App Service image. The files are located in *d:\Program Files (x86)\SiteExtensions\ApplicationInsightsAgent* and are automatically updated with each stable release. If you follow the autoinstrumentation instructions to enable monitoring, it will automatically remove the deprecated extension for you. -If both auto-instrumentation monitoring and manual SDK-based instrumentation are detected, only the manual instrumentation settings will be honored. This arrangement prevents duplicate data from being sent. To learn more, see the [Troubleshooting section](#troubleshooting). +If both autoinstrumentation monitoring and manual SDK-based instrumentation are detected, only the manual instrumentation settings will be honored. This arrangement prevents duplicate data from being sent. 
To learn more, see the [Troubleshooting section](#troubleshooting). [!INCLUDE [azure-monitor-log-analytics-rebrand](../../../includes/azure-monitor-instrumentation-key-deprecation.md)] -## Enable auto-instrumentation monitoring +## Enable autoinstrumentation monitoring -For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). +For a complete list of supported autoinstrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). > [!NOTE] > The combination of `APPINSIGHTS_JAVASCRIPT_ENABLED` and `urlCompression` isn't supported. For more information, see the explanation in the [Troubleshooting section](#appinsights_javascript_enabled-and-urlcompression-isnt-supported). To check which version of the extension you're running, go to `https://yoursiten Starting with version 2.8.9, the preinstalled site extension is used. If you're on an earlier version, you can update via one of two ways: -* [Upgrade by enabling via the portal](#enable-auto-instrumentation-monitoring): Even if you have the Application Insights extension for App Service installed. The UI shows only the **Enable** button. Behind the scenes, the old private site extension will be removed. +* [Upgrade by enabling via the portal](#enable-autoinstrumentation-monitoring): Even if you have the Application Insights extension for App Service installed. The UI shows only the **Enable** button. Behind the scenes, the old private site extension will be removed. * [Upgrade through PowerShell](#enable-through-powershell): 1. Set the application settings to enable the preinstalled site extension `ApplicationInsightsAgent`. For more information, see [Enable through PowerShell](#enable-through-powershell). 
Here's our step-by-step troubleshooting guide for extension/agent-based monitori - Confirm that `Application Insights Extension Status` is `Pre-Installed Site Extension, version 2.8.x.xxxx` and is running. - If it isn't running, follow the instructions to [enable Application Insights monitoring](#enable-auto-instrumentation-monitoring). + If it isn't running, follow the instructions to [enable Application Insights monitoring](#enable-autoinstrumentation-monitoring). - Confirm that the status source exists and looks like `Status source D:\home\LogFiles\ApplicationInsights\status\status_RD0003FF0317B6_4248_1.json`. The following table provides a more detailed explanation of what these values me ### System.IO.FileNotFoundException after 2.8.44 upgrade -The 2.8.44 version of auto-instrumentation upgrades Application Insights SDK to 2.20.0. The Application Insights SDK has an indirect reference to `System.Runtime.CompilerServices.Unsafe.dll` through `System.Diagnostics.DiagnosticSource.dll`. If the application has [binding redirect](/dotnet/framework/configure-apps/file-schema/runtime/bindingredirect-element) for `System.Runtime.CompilerServices.Unsafe.dll` and if this library isn't present in the application folder, it might throw `System.IO.FileNotFoundException`. +The 2.8.44 version of autoinstrumentation upgrades Application Insights SDK to 2.20.0. The Application Insights SDK has an indirect reference to `System.Runtime.CompilerServices.Unsafe.dll` through `System.Diagnostics.DiagnosticSource.dll`. If the application has [binding redirect](/dotnet/framework/configure-apps/file-schema/runtime/bindingredirect-element) for `System.Runtime.CompilerServices.Unsafe.dll` and if this library isn't present in the application folder, it might throw `System.IO.FileNotFoundException`. To resolve this issue, remove the binding redirect entry for `System.Runtime.CompilerServices.Unsafe.dll` from the web.config file. 
If the application wanted to use `System.Runtime.CompilerServices.Unsafe.dll`, set the binding redirect as shown here: |
azure-monitor | Azure Web Apps Nodejs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-web-apps-nodejs.md | The easiest way to enable application monitoring for Node.js applications runnin Turning on application monitoring in Azure portal will automatically instrument your application with Application Insights, and doesn't require any code changes. > [!NOTE]-> If both auto-instrumentation monitoring and manual SDK-based instrumentation are detected, only the manual instrumentation settings will be honored. This is to prevent duplicate data from being sent. To learn more about this, check out the [troubleshooting section](#troubleshooting) in this article. +> If both autoinstrumentation monitoring and manual SDK-based instrumentation are detected, only the manual instrumentation settings will be honored. This is to prevent duplicate data from being sent. To learn more about this, check out the [troubleshooting section](#troubleshooting) in this article. -### Auto-instrumentation through Azure portal +### Autoinstrumentation through Azure portal -For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). +For a complete list of supported autoinstrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). You can turn on monitoring for your Node.js apps running in Azure App Service just with one click, no code change required. Application Insights for Node.js is integrated with Azure App Service on Linux - both code-based and custom containers, and with App Service on Windows for code-based apps. |
azure-monitor | Azure Web Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-web-apps.md | It's now easier than ever to enable monitoring on your web applications based on There are two ways to enable monitoring for applications hosted on App Service: -- **Auto-instrumentation application monitoring** (ApplicationInsightsAgent).+- **Autoinstrumentation application monitoring** (ApplicationInsightsAgent). This method is the easiest to enable, and no code change or advanced configurations are required. It's often referred to as "runtime" monitoring. For App Service, we recommend that at a minimum you enable this level of monitoring. Based on your specific scenario, you can evaluate whether more advanced monitoring through manual instrumentation is needed. - For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). + For a complete list of supported autoinstrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). - The following platforms are supported for auto-instrumentation monitoring: + The following platforms are supported for autoinstrumentation monitoring: - [.NET Core](./azure-web-apps-net-core.md) - [.NET](./azure-web-apps-net.md) There are two ways to enable monitoring for applications hosted on App Service: This approach is much more customizable, but it requires the following approaches: SDK for [.NET Core](./asp-net-core.md), [.NET](./asp-net.md), [Node.js](./nodejs.md), [Python](./opencensus-python.md), and a standalone agent for [Java](./opentelemetry-enable.md?tabs=java). This method also means you must manage the updates to the latest version of the packages yourself. 
- If you need to make custom API calls to track events/dependencies not captured by default with auto-instrumentation monitoring, you need to use this method. To learn more, see [Application Insights API for custom events and metrics](./api-custom-events-metrics.md). + If you need to make custom API calls to track events/dependencies not captured by default with autoinstrumentation monitoring, you need to use this method. To learn more, see [Application Insights API for custom events and metrics](./api-custom-events-metrics.md). -If both auto-instrumentation monitoring and manual SDK-based instrumentation are detected, in .NET only the manual instrumentation settings are honored, while in Java only the auto-instrumentation are emitting the telemetry. This practice is to prevent duplicate data from being sent. +If both autoinstrumentation monitoring and manual SDK-based instrumentation are detected, in .NET only the manual instrumentation settings are honored, while in Java only the autoinstrumentation are emitting the telemetry. This practice is to prevent duplicate data from being sent. > [!NOTE] > Snapshot Debugger and Profiler are only available in .NET and .NET Core. To find which version of the extension you're currently using, go to `https://<y ## Next steps -Learn how to enable auto-instrumentation application monitoring for your [.NET Core](./azure-web-apps-net-core.md), [.NET](./azure-web-apps-net.md), [Java](./azure-web-apps-java.md), or [Nodejs](./azure-web-apps-nodejs.md) application running on App Service. +Learn how to enable autoinstrumentation application monitoring for your [.NET Core](./azure-web-apps-net-core.md), [.NET](./azure-web-apps-net.md), [Java](./azure-web-apps-java.md), or [Nodejs](./azure-web-apps-nodejs.md) application running on App Service. |
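Review bot: in the rewritten sentence `in Java only the autoinstrumentation are emitting the telemetry` the subject is singular, so it should read `only the autoinstrumentation is emitting the telemetry` (or simply `only autoinstrumentation emits telemetry`); the rename is otherwise applied consistently across the headings, note and links in this file.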
azure-monitor | Codeless Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/codeless-overview.md | Links are provided to more information for each supported scenario. - <a name="Agent">3</a>: An agent must be deployed and configured. > [!NOTE]-> Auto-instrumentation was known as "codeless attach" before October 2021. +> Autoinstrumentation was known as "codeless attach" before October 2021. ## JavaScript (Web) SDK Loader Script injection by configuration |
azure-monitor | Distributed Tracing Telemetry Correlation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/distributed-tracing-telemetry-correlation.md | Azure Monitor provides two experiences for consuming distributed trace data: the To enable distributed tracing for an application, add the right agent, SDK, or library to each service based on its programming language. -### Enable via Application Insights through auto-instrumentation or SDKs +### Enable via Application Insights through autoinstrumentation or SDKs The Application Insights agents and SDKs for .NET, .NET Core, Java, Node.js, and JavaScript all support distributed tracing natively. Instructions for installing and configuring each Application Insights SDK are available for: |
azure-monitor | Java Get Started Supplemental | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-get-started-supplemental.md | -In the following sections, you will find information on how to get Java auto-instrumentation for specific technical environments. +In the following sections, you will find information on how to get Java autoinstrumentation for specific technical environments. ## Azure App Service |
azure-monitor | Javascript Feature Extensions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-feature-extensions.md | See the dedicated [troubleshooting article](/troubleshoot/azure/azure-monitor/ap - See the [documentation on utilizing HEART workbook](usage-heart.md) for expanded product analytics. - See the [GitHub repository](https://github.com/microsoft/ApplicationInsights-JS/tree/master/extensions/applicationinsights-clickanalytics-js) and [npm Package](https://www.npmjs.com/package/@microsoft/applicationinsights-clickanalytics-js) for the Click Analytics Autocollection Plug-in. - Use [Events Analysis in the Usage experience](usage-segmentation.md) to analyze top clicks and slice by available dimensions.-- Use the [Telemetry Viewer extension](https://github.com/microsoft/ApplicationInsights-JS/tree/master/tools/chrome-debug-extension) to list out the individual events in the network payload and monitor the internal calls within Application Insights. - See [Log Analytics](../logs/log-analytics-tutorial.md#write-a-query) if you arenΓÇÖt familiar with the process of writing a query. - Build a [workbook](../visualize/workbooks-overview.md) or [export to Power BI](../logs/log-powerbi.md) to create custom visualizations of click data. |
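Review bot: the removed bullet for the Telemetry Viewer extension was the only pointer in this list to inspecting the individual events in the network payload; if the tool is deprecated, say so in the commit message or the article, otherwise keep the link. While in this list, the unchanged context line "if you arenΓÇÖt familiar" carries a mis-encoded apostrophe that should be "aren't".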
azure-monitor | Javascript Framework Extensions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-framework-extensions.md | var appInsights = new ApplicationInsights({ appInsights.loadAppInsights(); ``` -Wrap your component with the higher-order component function to enable Application Insights on it: --```javascript -import React from 'react'; -import { withAITracking } from '@microsoft/applicationinsights-react-js'; -import { reactPlugin, appInsights } from './AppInsights'; --// To instrument various React components usage tracking, apply the `withAITracking` higher-order -// component function. --class MyComponent extends React.Component { - ... -} --// withAITracking takes 4 parameters (reactPlugin, Component, ComponentName, className). -// The first two are required and the other two are optional. --export default withAITracking(reactPlugin, MyComponent); -``` --For `react-router v6` or other scenarios where router history isn't exposed, Application Insights configuration `enableAutoRouteTracking` can be used to auto-track router changes: --```javascript -var reactPlugin = new ReactPlugin(); -var appInsights = new ApplicationInsights({ - config: { - connectionString: 'YOUR_CONNECTION_STRING_GOES_HERE', - enableAutoRouteTracking: true, - extensions: [reactPlugin] - } -}); -appInsights.loadAppInsights(); -``` - > [!TIP] > If you're adding the Click Analytics plug-in, see [Use the Click Analytics plug-in](./javascript-feature-extensions.md#use-the-plug-in) to continue with the setup process. 
appInsights.loadAppInsights(); ``` -#### Disabling automatic device info collection --```typescript -import { ApplicationInsights } from '@microsoft/applicationinsights-web'; --var RNPlugin = new ReactNativePlugin(); -var appInsights = new ApplicationInsights({ - config: { - instrumentationKey: 'YOUR_INSTRUMENTATION_KEY_GOES_HERE', - disableDeviceCollection: true, - extensions: [RNPlugin] - } -}); -appInsights.loadAppInsights(); -``` --#### Using your own device info collection class --```typescript -import { ApplicationInsights } from '@microsoft/applicationinsights-web'; --// Simple inline constant implementation -const myDeviceInfoModule = { - getModel: () => "deviceModel", - getDeviceType: () => "deviceType", - // v5 returns a string while latest returns a promise - getUniqueId: () => "deviceId", // This "may" also return a Promise<string> -}; --var RNPlugin = new ReactNativePlugin(); -RNPlugin.setDeviceInfoModule(myDeviceInfoModule); --var appInsights = new ApplicationInsights({ - config: { - instrumentationKey: 'YOUR_INSTRUMENTATION_KEY_GOES_HERE', - extensions: [RNPlugin] - } -}); --appInsights.loadAppInsights(); -``` - > [!TIP] > If you're adding the Click Analytics plug-in, see [Use the Click Analytics plug-in](./javascript-feature-extensions.md#use-the-plug-in) to continue with the setup process. export class AppComponent { } ``` -To track uncaught exceptions, set up ApplicationinsightsAngularpluginErrorService in `app.module.ts`: --> [!IMPORTANT] -> When using the ErrorService, there is an implicit dependency on the `@microsoft/applicationinsights-analytics-js` extension. you MUST include either the `'@microsoft/applicationinsights-web'` or include the `@microsoft/applicationinsights-analytics-js` extension. Otherwise, unhandled errors caught by the error service will not be sent. 
+> [!TIP] +> If you're adding the Click Analytics plug-in, see [Use the Click Analytics plug-in](./javascript-feature-extensions.md#use-the-plug-in) to continue with the setup process. -```js -import { ApplicationinsightsAngularpluginErrorService } from '@microsoft/applicationinsights-angularplugin-js'; + -@NgModule({ - ... - providers: [ - { - provide: ErrorHandler, - useClass: ApplicationinsightsAngularpluginErrorService - } - ] - ... -}) -export class AppModule { } -``` +## Add configuration -To chain more custom error handlers, create custom error handlers that implement IErrorService: +### [React](#tab/react) -```javascript -import { IErrorService } from '@microsoft/applicationinsights-angularplugin-js'; +### React router configuration -export class CustomErrorHandler implements IErrorService { - handleError(error: any) { - ... - } -} -``` +| Name | Type | Required? | Default | Description | +||--|--||| +| history | object | Optional | null | Track router history. For more information, see the [React router package documentation](https://reactrouter.com/en/main).<br><br>To track router history, most users can use the `enableAutoRouteTracking` field in the [JavaScript SDK configuration](./javascript-sdk-configuration.md#sdk-configuration). This field collects the same data for page views as the `history` object.<br><br>Use the `history` object when you're using a router implementation that doesn't update the browser URL, which is what the configuration listens to. You shouldn't enable both the `enableAutoRouteTracking` field and `history` object, because you'll get multiple page view events. | -And pass errorServices array through extensionConfig: +The following code example shows how to enable the `enableAutoRouteTracking` field. 
```javascript-extensionConfig: { - [angularPlugin.identifier]: { - router: this.router, - error - } - } +var reactPlugin = new ReactPlugin(); +var appInsights = new ApplicationInsights({ + config: { + connectionString: 'YOUR_CONNECTION_STRING_GOES_HERE', + enableAutoRouteTracking: true, + extensions: [reactPlugin] + } +}); +appInsights.loadAppInsights(); ``` -> [!TIP] -> If you're adding the Click Analytics plug-in, see [Use the Click Analytics plug-in](./javascript-feature-extensions.md#use-the-plug-in) to continue with the setup process. +### React components usage tracking -+To instrument React components with usage tracking, apply the `withAITracking` higher-order component function. To enable Application Insights for a component, wrap `withAITracking` around the component: -## Add configuration +```javascript +import React from 'react'; +import { withAITracking } from '@microsoft/applicationinsights-react-js'; +import { reactPlugin, appInsights } from './AppInsights'; -### [React](#tab/react) +// To instrument various React components usage tracking, apply the `withAITracking` higher-order +// component function. -### React router configuration +class MyComponent extends React.Component { + ... +} -| Name | Type | Required? | Default | Description | -||--|--||| -| history | object | Optional | null | Track router history. For more information, see the [React router package documentation](https://reactrouter.com/en/main).<br><br>To track router history, most users can use the `enableAutoRouteTracking` field in the [JavaScript SDK configuration](./javascript-sdk-configuration.md#sdk-configuration). This field collects the same data for page views as the `history` object. Use the `history` object when you're using a router implementation that doesn't update the browser URL, which is what the configuration listens to. You shouldn't enable both the `enableAutoRouteTracking` field and `history` object, because you'll get multiple page view events. 
| +// withAITracking takes 4 parameters (reactPlugin, Component, ComponentName, className). +// The first two are required and the other two are optional. -### React components usage tracking +export default withAITracking(reactPlugin, MyComponent); +``` -To instrument various React components usage tracking, apply the `withAITracking` higher-order component function. +It measures time from the [`ComponentDidMount`](https://react.dev/reference/react/Component#componentdidmount) event through the [`ComponentWillUnmount`](https://react.dev/reference/react/Component#componentwillunmount) event. To make the result more accurate, it subtracts the time in which the user was idle by using `React Component Engaged Time = ComponentWillUnmount timestamp - ComponentDidMount timestamp - idle time`. -It measures time from the `ComponentDidMount` event through the `ComponentWillUnmount` event. To make the result more accurate, it subtracts the time in which the user was idle by using `React Component Engaged Time = ComponentWillUnmount timestamp - ComponentDidMount timestamp - idle time`. +#### Explore your data -To see this metric in the Azure portal, go to the Application Insights resource and select the **Metrics** tab. Configure the empty charts to display the custom metric name `React Component Engaged Time (seconds)`. Select the aggregation (for example, sum or avg) of your metric and split by `Component Name`. +To see the `React Component Engaged Time (seconds)` in [Metrics Explorer](../essentials/metrics-getting-started.md), go to the Application Insights resource and select the **Metrics** tab. Configure the empty charts to display the custom metric name `React Component Engaged Time (seconds)`. Select the aggregation of your metric and [split](../essentials/metrics-getting-started.md#apply-dimension-filters-and-splitting) by `Component Name`. 
:::image type="content" source="./media/javascript-react-plugin/chart.png" lightbox="./media/javascript-react-plugin/chart.png" alt-text="Screenshot that shows a chart that displays the custom metric React Component Engaged Time (seconds) split by Component Name"::: export default MyComponent; #### useTrackMetric -The `useTrackMetric` Hook replicates the functionality of the `withAITracking` higher-order component, without adding another component to the component structure. The Hook takes two arguments. First is the Application Insights instance, which can be obtained from the `useAppInsightsContext` Hook. The second is an identifier for the component for tracking, such as its name. +The `useTrackMetric` Hook replicates the functionality of the `withAITracking` higher-order component, without adding another component to the component structure. The Hook takes two arguments: ++- The Application Insights instance, which can be obtained from the `useAppInsightsContext` Hook. +- An identifier for the component for tracking, such as its name. ```javascript import React from "react"; const MyComponent = () => { export default MyComponent; ``` -It operates like the higher-order component, but it responds to Hooks lifecycle events rather than a component lifecycle. The Hook needs to be explicitly provided to user events if there's a need to run on particular interactions. +It operates like the higher-order component, but it responds to Hooks lifecycle events rather than a component lifecycle. If there's a need to run on particular interactions, the Hook needs to be explicitly provided to user events. #### useTrackEvent When the Hook is used, a data payload can be provided to it to add more data to ### React error boundaries -[Error boundaries](https://react.dev/reference/react/Component#catching-rendering-errors-with-an-error-boundary) provide a way to gracefully handle an exception when it occurs within a React application. 
When such an error occurs, it's likely that the exception needs to be logged. The React plug-in for Application Insights provides an error boundary component that automatically logs the error when it occurs. +[React error boundaries](https://react.dev/reference/react/Component#catching-rendering-errors-with-an-error-boundary) provide a way to gracefully handle an exception when it occurs within a React application. When such an error occurs, it's likely that the exception needs to be logged. The React plug-in for Application Insights provides an error boundary component that automatically logs the error when it occurs. ```javascript import React from "react"; export interface IDeviceInfoModule { If events are getting "blocked" because the `Promise` returned via `getUniqueId` is never resolved / rejected, you can call `setDeviceId()` on the plugin to "unblock" this waiting state. There is also an automatic timeout configured via `uniqueIdPromiseTimeout` (defaults to 5 seconds), which will internally call `setDeviceId()` with any previously configured value. +### Disable automatic device info collection ++If you donΓÇÖt want to collect the device information, you can set `disableDeviceCollection` to `true`. ++```typescript +import { ApplicationInsights } from '@microsoft/applicationinsights-web'; ++var RNPlugin = new ReactNativePlugin(); +var appInsights = new ApplicationInsights({ + config: { + connectionString: 'YOUR_CONNECTION_STRING_GOES_HERE', + disableDeviceCollection: true, + extensions: [RNPlugin] + } +}); +appInsights.loadAppInsights(); +``` ++### Use your own device info collection class ++If you want to override your own deviceΓÇÖs information, you can use `myDeviceInfoModule` to collect your own device information. 
++```typescript +import { ApplicationInsights } from '@microsoft/applicationinsights-web'; ++// Simple inline constant implementation +const myDeviceInfoModule = { + getModel: () => "deviceModel", + getDeviceType: () => "deviceType", + // v5 returns a string while latest returns a promise + getUniqueId: () => "deviceId", // This "may" also return a Promise<string> +}; ++var RNPlugin = new ReactNativePlugin(); +RNPlugin.setDeviceInfoModule(myDeviceInfoModule); ++var appInsights = new ApplicationInsights({ + config: { + connectionString: 'YOUR_CONNECTION_STRING_GOES_HERE', + extensions: [RNPlugin] + } +}); ++appInsights.loadAppInsights(); +``` + ### [Angular](#tab/angular) -None. +### Track uncaught exceptions ++To track uncaught exceptions, set up ApplicationinsightsAngularpluginErrorService in `app.module.ts`: ++> [!IMPORTANT] +> When using the ErrorService, there is an implicit dependency on the `@microsoft/applicationinsights-analytics-js` extension. you MUST include either the `'@microsoft/applicationinsights-web'` or include the `@microsoft/applicationinsights-analytics-js` extension. Otherwise, unhandled errors caught by the error service will not be sent. ++```js +import { ApplicationinsightsAngularpluginErrorService } from '@microsoft/applicationinsights-angularplugin-js'; ++@NgModule({ + ... + providers: [ + { + provide: ErrorHandler, + useClass: ApplicationinsightsAngularpluginErrorService + } + ] + ... +}) +export class AppModule { } +``` ++### Chain more custom error handlers ++To chain more custom error handlers: ++1. Create custom error handlers that implement IErrorService. ++ ```javascript + import { IErrorService } from '@microsoft/applicationinsights-angularplugin-js'; ++ export class CustomErrorHandler implements IErrorService { + handleError(error: any) { + ... + } + } + ``` ++1. Pass errorServices array through extensionConfig. ++ ```javascript + extensionConfig: { + [angularPlugin.identifier]: { + router: this.router, + error + } + } + ``` |
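Review bot: in the Angular "Chain more custom error handlers" step, the prose says "Pass errorServices array through extensionConfig" but the snippet sets a key named `error` and never shows where `error` is defined or that it is an array built from `CustomErrorHandler`; either use the key the prose names and show the array being constructed, or correct the prose to match the snippet. In the moved IMPORTANT block, "you MUST include either the `'@microsoft/applicationinsights-web'` or include the `@microsoft/applicationinsights-analytics-js` extension" starts a sentence in lowercase and doubles "include"; suggest "You must include either the `@microsoft/applicationinsights-web` package or the `@microsoft/applicationinsights-analytics-js` extension."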
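Review bot: the new lead sentence "you can use `myDeviceInfoModule` to collect your own device information" presents the sample's local constant as if it were the plugin's mechanism; the actual hook is the `RNPlugin.setDeviceInfoModule(...)` call shown in the snippet, so phrase it as "implement an object with `getModel`, `getDeviceType` and `getUniqueId` and pass it to `setDeviceInfoModule`". Both new sentences in this region ("If you donΓÇÖt want", "override your own deviceΓÇÖs information") also carry mis-encoded apostrophes, and "override your own device's information" should read "override the collected device information".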
azure-monitor | Javascript Sdk Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-sdk-configuration.md | The Azure Application Insights JavaScript SDK provides configuration for trackin > [!div class="checklist"] > - [SDK configuration](#sdk-configuration)-> - [Cookie configuration and management](#cookies) +> - [Cookie management and configuration](#cookie-management) > - [Source map un-minify support](#source-map) > - [Tree shaking optimized code](#tree-shaking) These configuration fields are optional and default to false unless otherwise st | Name | Type | Default | Description | ||||-| | accountId | string | null | An optional account ID, if your app groups users into accounts. No spaces, commas, semicolons, equals, or vertical bars |-| sessionRenewalMs | numeric | 1800000 | A session is logged if the user is inactive for this amount of time in milliseconds. Default is 30 minutes | -| sessionExpirationMs | numeric | 86400000 | A session is logged if it has continued for this amount of time in milliseconds. Default is 24 hours | -| maxBatchSizeInBytes | numeric | 10000 | Max size of telemetry batch. If a batch exceeds this limit, it's immediately sent and a new batch is started | -| maxBatchInterval | numeric | 15000 | How long to batch telemetry for before sending (milliseconds) | -| disableExceptionTracking | boolean | false | If true, exceptions aren't autocollected. Default is false. | -| disableTelemetry | boolean | false | If true, telemetry isn't collected or sent. Default is false. | -| enableDebug | boolean | false | If true, **internal** debugging data is thrown as an exception **instead** of being logged, regardless of SDK logging settings. Default is false. <br>***Note:*** Enabling this setting results in dropped telemetry whenever an internal error occurs. It can be useful for quickly identifying issues with your configuration or usage of the SDK. 
If you don't want to lose telemetry while debugging, consider using `loggingLevelConsole` or `loggingLevelTelemetry` instead of `enableDebug`. | -| loggingLevelConsole | numeric | 0 | Logs **internal** Application Insights errors to console. <br>0: off, <br>1: Critical errors only, <br>2: Everything (errors & warnings) | -| loggingLevelTelemetry | numeric | 1 | Sends **internal** Application Insights errors as telemetry. <br>0: off, <br>1: Critical errors only, <br>2: Everything (errors & warnings) | -| diagnosticLogInterval | numeric | 10000 | (internal) Polling interval (in ms) for internal logging queue | -| samplingPercentage | numeric | 100 | Percentage of events that is sent. Default is 100, meaning all events are sent. Set it if you wish to preserve your data cap for large-scale applications. | -| autoTrackPageVisitTime | boolean | false | If true, on a pageview, the _previous_ instrumented page's view time is tracked and sent as telemetry and a new timer is started for the current pageview. It's sent as a custom metric named `PageVisitTime` in `milliseconds` and is calculated via the Date [now()](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Date/now) function (if available) and falls back to (new Date()).[getTime()](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Date/getTime) if now() is unavailable (IE8 or less). Default is false. | -| disableAjaxTracking | boolean | false | If true, Ajax calls aren't autocollected. Default is false. | -| disableFetchTracking | boolean | false | The default setting for `disableFetchTracking` is `false`, meaning it's enabled. However, in versions prior to 2.8.10, it was disabled by default. When set to `true`, Fetch requests aren't automatically collected. The default setting changed from `true` to `false` in version 2.8.0. 
| -| excludeRequestFromAutoTrackingPatterns | string[] \| RegExp[] | undefined | Provide a way to exclude specific route from automatic tracking for XMLHttpRequest or Fetch request. If defined, for an Ajax / fetch request that the request url matches with the regex patterns, auto tracking is turned off. Default is undefined. | | addRequestContext | (requestContext: IRequestionContext) => {[key: string]: any} | undefined | Provide a way to enrich dependencies logs with context at the beginning of api call. Default is undefined. You need to check if `xhr` exists if you configure `xhr` related context. You need to check if `fetch request` and `fetch response` exist if you configure `fetch` related context. Otherwise you may not get the data you need. |-| overridePageViewDuration | boolean | false | If true, default behavior of trackPageView is changed to record end of page view duration interval when trackPageView is called. If false and no custom duration is provided to trackPageView, the page view performance is calculated using the navigation timing API. Default is false. | -| maxAjaxCallsPerView | numeric | 500 | Default 500 - controls how many Ajax calls are monitored per page view. Set to -1 to monitor all (unlimited) Ajax calls on the page. | -| disableDataLossAnalysis | boolean | true | If false, internal telemetry sender buffers are checked at startup for items not yet sent. | -| disableCorrelationHeaders | boolean | false | If false, the SDK adds two headers ('Request-Id' and 'Request-Context') to all dependency requests to correlate them with corresponding requests on the server side. Default is false. | +| ajaxPerfLookupDelay | numeric | 25 | Defaults to 25 ms. The amount of time to wait before reattempting to find the windows.performance timings for an Ajax request, time is in milliseconds and is passed directly to setTimeout(). 
+| appId | string | null | AppId is used for the correlation between AJAX dependencies happening on the client-side with the server-side requests. When Beacon API is enabled, it can't be used automatically, but can be set manually in the configuration. Default is null | +| autoTrackPageVisitTime | boolean | false | If true, on a pageview, the _previous_ instrumented page's view time is tracked and sent as telemetry and a new timer is started for the current pageview. It's sent as a custom metric named `PageVisitTime` in `milliseconds` and is calculated via the Date [now()](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Date/now) function (if available) and falls back to (new Date()).[getTime()](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Date/getTime) if now() is unavailable (IE8 or less). Default is false. | +| convertUndefined | `any` | undefined | Provide user an option to convert undefined field to user defined value. +| cookieCfg | [ICookieCfgConfig](#cookie-management)<br>[Optional]<br>(Since 2.6.0) | undefined | Defaults to cookie usage enabled see [ICookieCfgConfig](#cookie-management) settings for full defaults. | +| cookieDomain | alias for [`cookieCfg.domain`](#cookie-management)<br>[Optional] | null | Custom cookie domain. It's helpful if you want to share Application Insights cookies across subdomains.<br>(Since v2.6.0) If `cookieCfg.domain` is defined it takes precedence over this value. | +| cookiePath | alias for [`cookieCfg.path`](#cookie-management)<br>[Optional]<br>(Since 2.6.0) | null | Custom cookie path. It's helpful if you want to share Application Insights cookies behind an application gateway.<br>If `cookieCfg.path` is defined, it takes precedence. 
| +| correlationHeaderDomains | string[] | undefined | Enable correlation headers for specific domains | | correlationHeaderExcludedDomains | string[] | undefined | Disable correlation headers for specific domains | | correlationHeaderExcludePatterns | regex[] | undefined | Disable correlation headers using regular expressions |-| correlationHeaderDomains | string[] | undefined | Enable correlation headers for specific domains | +| createPerfMgr | (core: IAppInsightsCore, notification +| customHeaders | `[{header: string, value: string}]` | undefined | The ability for the user to provide extra headers when using a custom endpoint. customHeaders aren't added on browser shutdown moment when beacon sender is used. And adding custom headers isn't supported on IE9 or earlier. +| diagnosticLogInterval | numeric | 10000 | (internal) Polling interval (in ms) for internal logging queue | +| disableAjaxTracking | boolean | false | If true, Ajax calls aren't autocollected. Default is false. | +| disableCookiesUsage | alias for [`cookieCfg.enabled`](#cookie-management)<br>[Optional] | false | Default false. A boolean that indicates whether to disable the use of cookies by the SDK. If true, the SDK doesn't store or read any data from cookies.<br>(Since v2.6.0) If `cookieCfg.enabled` is defined it takes precedence. Cookie usage can be re-enabled after initialization via the core.getCookieMgr().setEnabled(true). | +| disableCorrelationHeaders | boolean | false | If false, the SDK adds two headers ('Request-Id' and 'Request-Context') to all dependency requests to correlate them with corresponding requests on the server side. Default is false. | +| disableDataLossAnalysis | boolean | true | If false, internal telemetry sender buffers are checked at startup for items not yet sent. | +| disableExceptionTracking | boolean | false | If true, exceptions aren't autocollected. Default is false. 
| +| disableFetchTracking | boolean | false | The default setting for `disableFetchTracking` is `false`, meaning it's enabled. However, in versions prior to 2.8.10, it was disabled by default. When set to `true`, Fetch requests aren't automatically collected. The default setting changed from `true` to `false` in version 2.8.0. | | disableFlushOnBeforeUnload | boolean | false | Default false. If true, flush method isn't called when onBeforeUnload event triggers |+| disableIkeyDeprecationMessage | boolean | true | Disable instrumentation Key deprecation error message. If true, error messages are NOT sent. +| disableInstrumentationKeyValidation | boolean | false | If true, instrumentation key validation check is bypassed. Default value is false. +| disableTelemetry | boolean | false | If true, telemetry isn't collected or sent. Default is false. | +| disableXhr | boolean | false | Don't use XMLHttpRequest or XDomainRequest (for IE < 9) by default instead attempt to use fetch() or sendBeacon. If no other transport is available, it uses XMLHttpRequest | +| distributedTracingMode | numeric or `DistributedTracingModes` | `DistributedTracingModes.AI_AND_W3C` | Sets the distributed tracing mode. If AI_AND_W3C mode or W3C mode is set, W3C trace context headers (traceparent/tracestate) are generated and included in all outgoing requests. AI_AND_W3C is provided for back-compatibility with any legacy Application Insights instrumented services. +| enableAjaxErrorStatusText | boolean | false | Default false. If true, include response error data text boolean in dependency event on failed AJAX requests. | +| enableAjaxPerfTracking | boolean | false | Default false. Flag to enable looking up and including extra browser window.performance timings in the reported Ajax (XHR and fetch) reported metrics. +| enableAutoRouteTracking | boolean | false | Automatically track route changes in Single Page Applications (SPA). 
If true, each route change sends a new Pageview to Application Insights. Hash route changes (`example.com/foo#bar`) are also recorded as new page views.<br>***Note***: If you enable this field, don't enable the `history` object for [React router configuration](./javascript-framework-extensions.md?tabs=react#react-router-configuration) because you'll get multiple page view events. +| enableCorsCorrelation | boolean | false | If true, the SDK adds two headers ('Request-Id' and 'Request-Context') to all CORS requests to correlate outgoing AJAX dependencies with corresponding requests on the server side. Default is false | +| enableDebug | boolean | false | If true, **internal** debugging data is thrown as an exception **instead** of being logged, regardless of SDK logging settings. Default is false. <br>***Note:*** Enabling this setting results in dropped telemetry whenever an internal error occurs. It can be useful for quickly identifying issues with your configuration or usage of the SDK. If you don't want to lose telemetry while debugging, consider using `loggingLevelConsole` or `loggingLevelTelemetry` instead of `enableDebug`. | +| enablePerfMgr | boolean | false | When enabled (true) it creates local perfEvents for code that has been instrumented to emit perfEvents (via the doPerf() helper). It can be used to identify performance issues within the SDK based on your usage or optionally within your own instrumented code. +| enableRequestHeaderTracking | boolean | false | If true, AJAX & Fetch request headers is tracked, default is false. If ignoreHeaders isn't configured, Authorization and X-API-Key headers aren't logged. +| enableResponseHeaderTracking | boolean | false | If true, AJAX & Fetch request's response headers is tracked, default is false. If ignoreHeaders isn't configured, WWW-Authenticate header isn't logged. | enableSessionStorageBuffer | boolean | true | Default true. If true, the buffer with all unsent telemetry is stored in session storage. 
The buffer is restored on page load |-| cookieCfg | [ICookieCfgConfig](#cookies)<br>[Optional]<br>(Since 2.6.0) | undefined | Defaults to cookie usage enabled see [ICookieCfgConfig](#cookies) settings for full defaults. | -| disableCookiesUsage | alias for [`cookieCfg.enabled`](#cookies)<br>[Optional] | false | Default false. A boolean that indicates whether to disable the use of cookies by the SDK. If true, the SDK doesn't store or read any data from cookies.<br>(Since v2.6.0) If `cookieCfg.enabled` is defined it takes precedence. Cookie usage can be re-enabled after initialization via the core.getCookieMgr().setEnabled(true). | -| cookieDomain | alias for [`cookieCfg.domain`](#cookies)<br>[Optional] | null | Custom cookie domain. It's helpful if you want to share Application Insights cookies across subdomains.<br>(Since v2.6.0) If `cookieCfg.domain` is defined it takes precedence over this value. | -| cookiePath | alias for [`cookieCfg.path`](#cookies)<br>[Optional]<br>(Since 2.6.0) | null | Custom cookie path. It's helpful if you want to share Application Insights cookies behind an application gateway.<br>If `cookieCfg.path` is defined, it takes precedence. | +| enableUnhandledPromiseRejectionTracking | boolean | false | If true, unhandled promise rejections are autocollected as a JavaScript error. When disableExceptionTracking is true (don't track exceptions), the config value is ignored and unhandled promise rejections aren't reported. +| eventsLimitInMem | number | 10000 | The number of events that can be kept in memory before the SDK starts to drop events when not using Session Storage (the default). +| excludeRequestFromAutoTrackingPatterns | string[] \| RegExp[] | undefined | Provide a way to exclude specific route from automatic tracking for XMLHttpRequest or Fetch request. If defined, for an Ajax / fetch request that the request url matches with the regex patterns, auto tracking is turned off. Default is undefined. 
| +| idLength | numeric | 22 | Identifies the default length used to generate new random session and user IDs. Defaults to 22, previous default value was 5 (v2.5.8 or less), if you need to keep the previous maximum length you should set the value to 5. +| ignoreHeaders | string[] | ["Authorization", "X-API-Key", "WWW-Authenticate"] | AJAX & Fetch request and response headers to be ignored in log data. To override or discard the default, add an array with all headers to be excluded or an empty array to the configuration. +| isBeaconApiDisabled | boolean | true | If false, the SDK sends all telemetry using the [Beacon API](https://www.w3.org/TR/beacon) | +| isBrowserLinkTrackingEnabled | boolean | false | Default is false. If true, the SDK tracks all [Browser Link](/aspnet/core/client-side/using-browserlink) requests. | | isRetryDisabled | boolean | false | Default false. If false, retry on 206 (partial success), 408 (timeout), 429 (too many requests), 500 (internal server error), 503 (service unavailable), and 0 (offline, only if detected) | | isStorageUseDisabled | boolean | false | If true, the SDK doesn't store or read any data from local and session storage. Default is false. |-| isBeaconApiDisabled | boolean | true | If false, the SDK sends all telemetry using the [Beacon API](https://www.w3.org/TR/beacon) | -| disableXhr | boolean | false | Don't use XMLHttpRequest or XDomainRequest (for IE < 9) by default instead attempt to use fetch() or sendBeacon. If no other transport is available, it uses XMLHttpRequest | +| loggingLevelConsole | numeric | 0 | Logs **internal** Application Insights errors to console. <br>0: off, <br>1: Critical errors only, <br>2: Everything (errors & warnings) | +| loggingLevelTelemetry | numeric | 1 | Sends **internal** Application Insights errors as telemetry. 
<br>0: off, <br>1: Critical errors only, <br>2: Everything (errors & warnings) | +| maxAjaxCallsPerView | numeric | 500 | Default 500 - controls how many Ajax calls are monitored per page view. Set to -1 to monitor all (unlimited) Ajax calls on the page. | +| maxAjaxPerfLookupAttempts | numeric | 3 | Defaults to 3. The maximum number of times to look for the window.performance timings (if available) is required. Not all browsers populate the window.performance before reporting the end of the XHR request. For fetch requests, it's added after it's complete. +| maxBatchInterval | numeric | 15000 | How long to batch telemetry for before sending (milliseconds) | +| maxBatchSizeInBytes | numeric | 10000 | Max size of telemetry batch. If a batch exceeds this limit, it's immediately sent and a new batch is started | +| namePrefix | string | undefined | An optional value that is used as name postfix for localStorage and session cookie name. | onunloadDisableBeacon | boolean | false | Default false. when tab is closed, the SDK sends all remaining telemetry using the [Beacon API](https://www.w3.org/TR/beacon) | | onunloadDisableFetch | boolean | false | If fetch keepalive is supported don't use it for sending events during unload, it may still fall back to fetch() without keepalive |+| overridePageViewDuration | boolean | false | If true, default behavior of trackPageView is changed to record end of page view duration interval when trackPageView is called. If false and no custom duration is provided to trackPageView, the page view performance is calculated using the navigation timing API. Default is false. 
| +| perfEvtsSendAll | boolean | false | When _enablePerfMgr_ is enabled and the [IPerfManager](https://github.com/microsoft/ApplicationInsights-JS/blob/master/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IPerfManager.ts) fires a [INotificationManager](https://github.com/microsoft/ApplicationInsights-JS/blob/master/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/INotificationManager.ts).perfEvent() this flag determines whether an event is fired (and sent to all listeners) for all events (true) or only for 'parent' events (false <default>).<br />A parent [IPerfEvent](https://github.com/microsoft/ApplicationInsights-JS/blob/master/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IPerfEvent.ts) is an event where no other IPerfEvent is still running at the point of the event being created and its _parent_ property isn't null or undefined. Since v2.5.7 +| samplingPercentage | numeric | 100 | Percentage of events that is sent. Default is 100, meaning all events are sent. Set it if you wish to preserve your data cap for large-scale applications. | | sdkExtension | string | null | Sets the sdk extension name. Only alphabetic characters are allowed. The extension name is added as a prefix to the 'ai.internal.sdkVersion' tag (for example, 'ext_javascript:2.0.0'). Default is null. |-| isBrowserLinkTrackingEnabled | boolean | false | Default is false. If true, the SDK tracks all [Browser Link](/aspnet/core/client-side/using-browserlink) requests. | -| appId | string | null | AppId is used for the correlation between AJAX dependencies happening on the client-side with the server-side requests. When Beacon API is enabled, it can't be used automatically, but can be set manually in the configuration. Default is null | -| enableCorsCorrelation | boolean | false | If true, the SDK adds two headers ('Request-Id' and 'Request-Context') to all CORS requests to correlate outgoing AJAX dependencies with corresponding requests on the server side. 
Default is false | -| namePrefix | string | undefined | An optional value that is used as name postfix for localStorage and session cookie name. | sessionCookiePostfix | string | undefined | An optional value that is used as name postfix for session cookie name. If undefined, namePrefix is used as name postfix for session cookie name.+| sessionExpirationMs | numeric | 86400000 | A session is logged if it has continued for this amount of time in milliseconds. Default is 24 hours | +| sessionRenewalMs | numeric | 1800000 | A session is logged if the user is inactive for this amount of time in milliseconds. Default is 30 minutes | | userCookiePostfix | string | undefined | An optional value that is used as name postfix for user cookie name. If undefined, no postfix is added on user cookie name.-| enableAutoRouteTracking | boolean | false | Automatically track route changes in Single Page Applications (SPA). If true, each route change sends a new Pageview to Application Insights. Hash route changes (`example.com/foo#bar`) are also recorded as new page views.<br>***Note***: If you enable this field, you shouldn't also enable the `history` object for [React router configuration](./javascript-framework-extensions.md?tabs=react#react-router-configuration) because you'll get multiple page view events. -| enableRequestHeaderTracking | boolean | false | If true, AJAX & Fetch request headers is tracked, default is false. If ignoreHeaders isn't configured, Authorization and X-API-Key headers aren't logged. -| enableResponseHeaderTracking | boolean | false | If true, AJAX & Fetch request's response headers is tracked, default is false. If ignoreHeaders isn't configured, WWW-Authenticate header isn't logged. -| ignoreHeaders | string[] | ["Authorization", "X-API-Key", "WWW-Authenticate"] | AJAX & Fetch request and response headers to be ignored in log data. To override or discard the default, add an array with all headers to be excluded or an empty array to the configuration. 
-| enableAjaxErrorStatusText | boolean | false | Default false. If true, include response error data text boolean in dependency event on failed AJAX requests. | -| enableAjaxPerfTracking | boolean | false | Default false. Flag to enable looking up and including extra browser window.performance timings in the reported Ajax (XHR and fetch) reported metrics. -| maxAjaxPerfLookupAttempts | numeric | 3 | Defaults to 3. The maximum number of times to look for the window.performance timings (if available) is required. Not all browsers populate the window.performance before reporting the end of the XHR request. For fetch requests, it's added after it's complete. -| ajaxPerfLookupDelay | numeric | 25 | Defaults to 25 ms. The amount of time to wait before reattempting to find the windows.performance timings for an Ajax request, time is in milliseconds and is passed directly to setTimeout(). -| distributedTracingMode | numeric or `DistributedTracingModes` | `DistributedTracingModes.AI_AND_W3C` | Sets the distributed tracing mode. If AI_AND_W3C mode or W3C mode is set, W3C trace context headers (traceparent/tracestate) are generated and included in all outgoing requests. AI_AND_W3C is provided for back-compatibility with any legacy Application Insights instrumented services. -| enableUnhandledPromiseRejectionTracking | boolean | false | If true, unhandled promise rejections are autocollected as a JavaScript error. When disableExceptionTracking is true (don't track exceptions), the config value is ignored and unhandled promise rejections aren't reported. -| disableInstrumentationKeyValidation | boolean | false | If true, instrumentation key validation check is bypassed. Default value is false. -| enablePerfMgr | boolean | false | [Optional] When enabled (true) it creates local perfEvents for code that has been instrumented to emit perfEvents (via the doPerf() helper). 
It can be used to identify performance issues within the SDK based on your usage or optionally within your own instrumented code. -| perfEvtsSendAll | boolean | false | [Optional] When _enablePerfMgr_ is enabled and the [IPerfManager](https://github.com/microsoft/ApplicationInsights-JS/blob/master/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IPerfManager.ts) fires a [INotificationManager](https://github.com/microsoft/ApplicationInsights-JS/blob/master/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/INotificationManager.ts).perfEvent() this flag determines whether an event is fired (and sent to all listeners) for all events (true) or only for 'parent' events (false <default>).<br />A parent [IPerfEvent](https://github.com/microsoft/ApplicationInsights-JS/blob/master/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IPerfEvent.ts) is an event where no other IPerfEvent is still running at the point of the event being created and its _parent_ property isn't null or undefined. Since v2.5.7 -| createPerfMgr | (core: IAppInsightsCore, notification -| idLength | numeric | 22 | [Optional] Identifies the default length used to generate new random session and user IDs. Defaults to 22, previous default value was 5 (v2.5.8 or less), if you need to keep the previous maximum length you should set the value to 5. -| customHeaders | `[{header: string, value: string}]` | undefined | [Optional] The ability for the user to provide extra headers when using a custom endpoint. customHeaders aren't added on browser shutdown moment when beacon sender is used. And adding custom headers isn't supported on IE9 or earlier. -| convertUndefined | `any` | undefined | [Optional] Provide user an option to convert undefined field to user defined value. -| eventsLimitInMem | number | 10000 | [Optional] The number of events that can be kept in memory before the SDK starts to drop events when not using Session Storage (the default). 
-| disableIkeyDeprecationMessage | boolean | true | [Optional] Disable instrumentation Key deprecation error message. If true, error messages are NOT sent. -## Cookies +## Cookie management -The Azure Application Insights JavaScript SDK provides instance-based cookie management that allows you to control the use of cookies. +Starting from version 2.6.0, the Azure Application Insights JavaScript SDK provides instance-based cookie management that can be disabled and re-enabled after initialization. -You can control cookies by enabling or disabling them, setting custom domains and paths, and customizing the functions for managing cookies. +If you disabled cookies during initialization using the `disableCookiesUsage` or `cookieCfg.enabled` configurations, you can re-enable them using the `setEnabled` function of the ICookieMgr object. ++The instance-based cookie management replaces the previous CoreUtils global functions of `disableCookies()`, `setCookie()`, `getCookie()`, and `deleteCookie()`. ++To take advantage of the tree-shaking enhancements introduced in version 2.6.0, it's recommended to no longer use the global functions. ### Cookie configuration The ICookieMgrConfig options are defined in the following table. | setCookie | `(name: string, value: string) => void` | null | Function to set the named cookie with the specified value, only called when adding or updating a cookie. | | delCookie | `(name: string, value: string) => void` | null | Function to delete the named cookie with the specified value, separated from setCookie to avoid the need to parse the value to determine whether the cookie is being added or removed. If not provided it uses the internal cookie parsing / caching. | -### Cookie management --Starting from version 2.6.0, the Azure Application Insights JavaScript SDK provides instance-based cookie management that can be disabled and re-enabled after initialization. 
--If you disabled cookies during initialization using the `disableCookiesUsage` or `cookieCfg.enabled` configurations, you can re-enable them using the `setEnabled` function of the ICookieMgr object. --The instance-based cookie management replaces the previous CoreUtils global functions of `disableCookies()`, `setCookie()`, `getCookie()`, and `deleteCookie()`. --To take advantage of the tree-shaking enhancements introduced in version 2.6.0, it's recommended to no longer use the global functions - ## Source map Source map support helps you debug minified JavaScript code with the ability to unminify the minified callstack of your exception telemetry. |
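Review bot: The relocated `+| ignoreHeaders` row still tells readers to add "an empty array" to discard the default without saying what that does: with `enableRequestHeaderTracking` or `enableResponseHeaderTracking` set to true, an empty `ignoreHeaders` means the `Authorization`, `X-API-Key` and `WWW-Authenticate` values are no longer filtered and end up logged in telemetry. Add one sentence to that row stating that credentials carried in those headers are then stored in Application Insights, and keep the two header-tracking rows pointing at `ignoreHeaders` as they do now. Separately, the moved `+| enableRequestHeaderTracking` and `+| enableResponseHeaderTracking` rows carry over "request headers is tracked" / "response headers is tracked" (should be "are tracked"), and those two rows plus `+| enablePerfMgr` lack the closing `|` that the neighbouring rows have.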
azure-monitor | Javascript Sdk Upgrade | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-sdk-upgrade.md | Upgrading to the new version of the Application Insights JavaScript SDK can prov To manually refresh the current pageview ID, for example, in single-page applications, use `appInsights.properties.context.telemetryTrace.traceID = Microsoft.ApplicationInsights.Telemetry.Util.generateW3CId()`. > [!NOTE]- > To keep the trace ID unique, where you previously used `Util.newId()`, now use `Util.generateW3CId()`. Both ultimately end up being the operation ID. + > To keep the trace ID unique, now use `Util.generateW3CId()` where you previously used `Util.newId()`. Both ultimately end up being the operation ID. If you're using the current application insights PRODUCTION SDK (1.0.20) and want to see if the new SDK works in runtime, update the URL depending on your current SDK loading scenario. |
azure-monitor | Javascript Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-sdk.md | If you want to use the extra features provided by plugins for specific framework :::image type="content" source="media/javascript-sdk/confirm-data-flowing.png" alt-text="Screenshot of the Application Insights Transaction search pane in the Azure portal with the Page View option selected. The page views are highlighted." lightbox="media/javascript-sdk/confirm-data-flowing.png"::: -If you can't run the application or you aren't getting data as expected, see the dedicated [troubleshooting article](/troubleshoot/azure/azure-monitor/app-insights/javascript-sdk-troubleshooting). - ## Support -- If you're having trouble with enabling Application Insights, see the dedicated [troubleshooting article](/troubleshoot/azure/azure-monitor/app-insights/javascript-sdk-troubleshooting).+- If you can't run the application or you aren't getting data as expected, see the dedicated [troubleshooting article](/troubleshoot/azure/azure-monitor/app-insights/javascript-sdk-troubleshooting). - For common question about the JavaScript SDK, see the [FAQ](/azure/azure-monitor/faq#can-i-filter-out-or-modify-some-telemetry-). - For Azure support issues, open an [Azure support ticket](https://azure.microsoft.com/support/create-ticket/). - For a list of open issues related to the Application Insights JavaScript SDK, see the [GitHub Issues Page](https://github.com/microsoft/ApplicationInsights-JS/issues).+- Use the [Telemetry Viewer extension](https://github.com/microsoft/ApplicationInsights-JS/tree/master/tools/chrome-debug-extension) to list out the individual events in the network payload and monitor the internal calls within Application Insights. ## Next steps |
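Review bot: The unchanged bullet "For common question about the JavaScript SDK" in this Support list should read "For common questions"; since the hunk already rewrites the surrounding bullets, fix it in the same change. The new Telemetry Viewer bullet should also say that it is a browser (Chrome) debug extension, as the linked path `tools/chrome-debug-extension` indicates, so readers don't look for it in the portal.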
azure-monitor | Kubernetes Codeless | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/kubernetes-codeless.md | -For a list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). +For a list of supported autoinstrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers). ## Java After the Java agent is enabled, it automatically collects a multitude of requests, dependencies, logs, and metrics from the most widely used libraries and frameworks. |
azure-monitor | Migrate From Instrumentation Keys To Connection Strings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/migrate-from-instrumentation-keys-to-connection-strings.md | This section provides answers to common questions. The connection string is also included in the Resource Manager resource properties for your Application Insights resource, under the field name `ConnectionString`. -### How does this affect auto-instrumentation? +### How does this affect autoinstrumentation? -Auto-instrumentation scenarios aren't affected. +Autoinstrumentation scenarios aren't affected. -### Can I use Azure AD authentication with auto-instrumentation? +### Can I use Azure AD authentication with autoinstrumentation? -You can't enable [Azure AD authentication](azure-ad-authentication.md) for [auto-instrumentation](codeless-overview.md) scenarios. We have plans to address this limitation in the future. +You can't enable [Azure AD authentication](azure-ad-authentication.md) for [autoinstrumentation](codeless-overview.md) scenarios. We have plans to address this limitation in the future. ### What's the difference between global and regional ingestion? |
azure-monitor | Opentelemetry Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-overview.md | At a basic level, "instrumenting" is simply enabling an application to capture t There are two methods to instrument your application: -- Automatic instrumentation (auto-instrumentation)+- Automatic instrumentation (autoinstrumentation) - Manual instrumentation -**Auto-instrumentation** enables telemetry collection through configuration without touching the application's code. Although it's more convenient, it tends to be less configurable. It's also not available in all languages. See [Auto-Instrumentation Supported Environments and Languages](codeless-overview.md). When auto-instrumentation is available, it's the easiest way to enable Azure Monitor Application Insights. +**Autoinstrumentation** enables telemetry collection through configuration without touching the application's code. Although it's more convenient, it tends to be less configurable. It's also not available in all languages. See [Autoinstrumentation supported environments and languages](codeless-overview.md). When autoinstrumentation is available, it's the easiest way to enable Azure Monitor Application Insights. **Manual instrumentation** is coding against the Application Insights or OpenTelemetry API. In the context of a user, it typically refers to installing a language-specific SDK in an application. There are two options for manual instrumentation: Application Insights | OpenTelemetry | Auto-collectors | Instrumentation libraries Channel | Exporter-Codeless / Agent-based | Auto-instrumentation +Codeless / Agent-based | Autoinstrumentation Traces | Logs Requests | Server Spans Dependencies | Other Span Types (Client, Internal, etc.) Dependencies | Other Span Types (Client, Internal, etc.) 
Select your enablement approach: -- [Auto-instrumentation](codeless-overview.md)+- [Autoinstrumentation](codeless-overview.md) - Application Insights SDKs - [ASP.NET](./asp-net.md) - [ASP.NET Core](./asp-net-core.md) |
azure-monitor | Pre Aggregated Metrics Log Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/pre-aggregated-metrics-log-metrics.md | This article explains the difference between "traditional" Application Insights ## Log-based metrics -In the past, the application monitoring telemetry data model in Application Insights was solely based on a few predefined types of events, such as requests, exceptions, dependency calls, and page views. Developers can use the SDK to emit these events manually by writing code that explicitly invokes the SDK. Or they can rely on the automatic collection of events from auto-instrumentation. In either case, the Application Insights back end stores all collected events as logs. The Application Insights panes in the Azure portal act as an analytical and diagnostic tool for visualizing event-based data from logs. +In the past, the application monitoring telemetry data model in Application Insights was solely based on a few predefined types of events, such as requests, exceptions, dependency calls, and page views. Developers can use the SDK to emit these events manually by writing code that explicitly invokes the SDK. Or they can rely on the automatic collection of events from autoinstrumentation. In either case, the Application Insights back end stores all collected events as logs. The Application Insights panes in the Azure portal act as an analytical and diagnostic tool for visualizing event-based data from logs. Using logs to retain a complete set of events can bring great analytical and diagnostic value. For example, you can get an exact count of requests to a particular URL with the number of distinct users who made these calls. Or you can get detailed diagnostic traces, including exceptions and dependency calls for any user session. Having this type of information can improve visibility into the application health and usage. 
It can also cut down the time necessary to diagnose issues with an app. |
azure-monitor | Sampling | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sampling.md | In Metrics Explorer, rates such as request and exception counts are multiplied b ### Configuring sampling overrides and fixed-rate sampling for Java applications -By default no sampling is enabled in the Java auto-instrumentation and SDK. Currently the Java auto-instrumentation, [sampling overrides](./java-standalone-sampling-overrides.md) and fixed rate sampling are supported. Adaptive sampling isn't supported in Java. +By default no sampling is enabled in the Java autoinstrumentation and SDK. Currently the Java autoinstrumentation, [sampling overrides](./java-standalone-sampling-overrides.md) and fixed rate sampling are supported. Adaptive sampling isn't supported in Java. -#### Configuring Java auto-instrumentation +#### Configuring Java autoinstrumentation * To configure sampling overrides that override the default sampling rate and apply different sampling rates to selected requests and dependencies, use the [sampling override guide](./java-standalone-sampling-overrides.md#getting-started). * To configure fixed-rate sampling that applies to all of your telemetry, use the [fixed rate sampling guide](./java-standalone-config.md#sampling). |
azure-monitor | Sdk Support Guidance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sdk-support-guidance.md | Support engineers are expected to provide SDK update guidance according to the f > * Preview refers to beta versions. > [!TIP]-> Switching to [auto-instrumentation](codeless-overview.md) eliminates the need for manual SDK updates. +> Switching to [autoinstrumentation](codeless-overview.md) eliminates the need for manual SDK updates. > [!WARNING] > Only commercially reasonable support is provided for Preview versions of the SDK. If a support incident requires escalation to development for further guidance, customers will be asked to use a fully supported SDK version to continue support. Commercially reasonable support does not include an option to engage Microsoft product development resources; technical workarounds may be limited or not possible. |
azure-monitor | Statsbeat | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/statsbeat.md | Title: Statsbeat in Application Insights | Microsoft Docs -description: Statistics about Application Insights SDKs and Auto-Instrumentation +description: Statistics about Application Insights SDKs and AutoInstrumentation Last updated 08/24/2022 |
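Review bot: The new `description:` line uses "AutoInstrumentation" (camel case) while the same rename in the other files of this batch (kubernetes-codeless, migrate-from-instrumentation-keys, opentelemetry-overview, sampling, sdk-support-guidance, tutorial-asp-net-core) uses lowercase "autoinstrumentation"; use the lowercase form here too so the metadata description matches the convention the body text now follows.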
azure-monitor | Tutorial Asp Net Core | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/tutorial-asp-net-core.md | -This article describes how to enable Application Insights for an [ASP.NET Core](/aspnet/core) application deployed as an Azure Web App. This implementation uses an SDK-based approach. An [auto-instrumentation approach](./codeless-overview.md) is also available. +This article describes how to enable Application Insights for an [ASP.NET Core](/aspnet/core) application deployed as an Azure Web App. This implementation uses an SDK-based approach. An [autoinstrumentation approach](./codeless-overview.md) is also available. Application Insights can collect the following telemetry from your ASP.NET Core application: For the latest updates and bug fixes, see the [release notes](./release-notes.md * [Dependency Injection in ASP.NET Core](/aspnet/core/fundamentals/dependency-injection) * [Logging in ASP.NET Core](/aspnet/core/fundamentals/logging) * [.NET trace logs in Application Insights](./asp-net-trace-logs.md)-* [Auto-instrumentation for Application Insights](./codeless-overview.md) +* [Autoinstrumentation for Application Insights](./codeless-overview.md) |
azure-monitor | Container Insights Cost Config | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-cost-config.md | az aks enable-addons -a monitoring --enable-msi-auth-for-monitoring -g <clusterR 1. In the Azure portal, select the AKS cluster that you wish to monitor 2. From the resource pane on the left, select the 'Insights' item under the 'Monitoring' section. 3. If you have not previously configured Container Insights, select the 'Configure Azure Monitor' button. For clusters already onboarded to Insights, select the "Monitoring Settings" button in the toolbar -4. If you are configuring Container Insights for the first time or have not migrated to using [managed identity authentication (preview)](../containers/container-insights-onboard.md#authentication), select the "Use managed identity (preview)" checkbox +4. If you are configuring Container Insights for the first time or have not migrated to using [managed identity authentication](../containers/container-insights-onboard.md#authentication), select the "Use managed identity" checkbox [](media/container-insights-cost-config/cost-settings-onboarding.png#lightbox) 5. 
Using the dropdown, choose one of the "Cost presets", for more configuration, you may select the "Edit collection settings" [](media/container-insights-cost-config/advanced-collection-settings.png#lightbox) az deployment group create --resource-group <ClusterResourceGroupName> --templat ## [Azure CLI](#tab/create-CLI) ```azcli-az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type provisionedclusters --cluster-resource-provider "microsoft.hybridcontainerservice" --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogs.useAADAuth=true dataCollectionSettings='{\"interval\": \"1m\",\"namespaceFilteringMode\": \"Include\", \"namespaces\": [ \"kube-system\"]}' +az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type provisionedclusters --cluster-resource-provider "microsoft.hybridcontainerservice" --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogs.useAADAuth=true dataCollectionSettings='{"interval":"1m","namespaceFilteringMode":"Include", "namespaces": ["kube-system"]}' ``` +>[!NOTE] +> When deploying on a Windows machine, the dataCollectionSettings field must be escaped. For example, dataCollectionSettings={\"interval\":\"1m\",\"namespaceFilteringMode\": \"Include\", \"namespaces\": [ \"kube-system\"]} instead of dataCollectionSettings='{"interval":"1m","namespaceFilteringMode": "Include", "namespaces": [ "kube-system"]}' + The collection settings can be modified through the input of the `dataCollectionSettings` field. * `interval`: The frequency of data collection, the input scheme must be a number between [1, 30] followed by m to denote minutes. 
az deployment group create --resource-group <ClusterResourceGroupName> --templat ## [Azure CLI](#tab/create-CLI) ```azcli-az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogsagent.useAADAuth=true dataCollectionSettings='{\"interval\": \"1m\",\"namespaceFilteringMode\": \"Include\", \"namespaces\": [ \"kube-system\"]}' +az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogs.useAADAuth=true dataCollectionSettings='{"interval":"1m","namespaceFilteringMode": "Include", "namespaces": [ "kube-system"]}' ``` +>[!NOTE] +> When deploying on a Windows machine, the dataCollectionSettings field must be escaped. For example, dataCollectionSettings={\"interval\":\"1m\",\"namespaceFilteringMode\": \"Include\", \"namespaces\": [ \"kube-system\"]} instead of dataCollectionSettings='{"interval":"1m","namespaceFilteringMode": "Include", "namespaces": [ "kube-system"]}' + The collection settings can be modified through the input of the `dataCollectionSettings` field. * `interval`: The frequency of data collection, the input scheme must be a number between [1, 30] followed by m to denote minutes. The collection settings can be modified through the input of the `dataCollection 1. In the Azure portal, select the Arc cluster that you wish to monitor 2. From the resource pane on the left, select the 'Insights' item under the 'Monitoring' section. 3. If you have not previously configured Container Insights, select the 'Configure Azure Monitor' button. For clusters already onboarded to Insights, select the "Monitoring Settings" button in the toolbar -4. 
If you are configuring Container Insights for the first time, select the "Use managed identity (preview)" checkbox +4. If you are configuring Container Insights for the first time, select the "Use managed identity" checkbox [](media/container-insights-cost-config/cost-settings-onboarding.png#lightbox) 5. Using the dropdown, choose one of the "Cost presets", for more configuration, you may select the "Edit advanced collection settings" [](media/container-insights-cost-config/advanced-collection-settings.png#lightbox) To update your data collection Settings, modify the values in parameter files an ## Troubleshooting -- Only clusters using [managed identity authentication (preview)](../containers/container-insights-onboard.md#authentication), are able to use this feature.+- Only clusters using [managed identity authentication](../containers/container-insights-onboard.md#authentication), are able to use this feature. - Missing data in your container insights charts is an expected behavior for namespace exclusion, if excluding all namespaces ## Limitations |
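Review bot: The connectedClusters `az k8s-extension create` hunk changes the configuration key from `amalogsagent.useAADAuth=true` to `amalogs.useAADAuth=true` in the same line that drops the JSON escaping, while the rest of this change is about removing "(preview)" and fixing quoting; call the key rename out explicitly (or split it into its own change) and confirm it against the extension's accepted settings, because the Troubleshooting bullet on this page states that only clusters using managed identity authentication can use the feature, so a wrong key would leave the cluster ineligible. In both added `[!NOTE]` blocks, say which Windows shell the escaped form `dataCollectionSettings={\"interval\":\"1m\",...}` is meant for (cmd.exe or PowerShell), since their quoting rules differ, and make the note's example whitespace match the command it accompanies (`"namespaceFilteringMode":"Include"` in the provisionedclusters command versus `"namespaceFilteringMode": "Include"` in its note).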
azure-monitor | Container Insights Log Query | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-log-query.md | KubePodInv These queries are generated from the [out of the box visualizations](./container-insights-analyze.md) from container insights. You can choose to use these if you have enabled custom [cost optimization settings](./container-insights-cost-config.md), in lieu of the default charts. -### Node CPU and memory utilization --The required tables for this chart include Perf and KubeNodeInventory. --```kusto - let trendBinSize = 5m; - let MaxListSize = 1000; - let clusterId = 'clusterResourceID'; //update with resource ID - let clusterIdToken = strcat(clusterId, "/"); - - let materializedPerfData = materialize(Perf -| where InstanceName startswith clusterIdToken -| where ObjectName == 'K8SNode' -| summarize arg_max(TimeGenerated, *) by CounterName, Computer, bin(TimeGenerated, trendBinSize) -| where CounterName == 'cpuCapacityNanoCores' or CounterName == 'memoryCapacityBytes' or CounterName == 'cpuUsageNanoCores' or CounterName == 'memoryRssBytes' -| project TimeGenerated, Computer, CounterName, CounterValue -| summarize StoredValue = max(CounterValue) by Computer, CounterName, bin(TimeGenerated, trendBinSize)); -- let rawData = KubeNodeInventory -| where ClusterId =~ clusterId -| summarize arg_max(TimeGenerated, *) by Computer, bin(TimeGenerated, trendBinSize) -| join( materializedPerfData -| where CounterName == 'cpuCapacityNanoCores' or CounterName == 'memoryCapacityBytes' -| project Computer, CounterName = iif(CounterName == 'cpuCapacityNanoCores', 'cpu', 'memory'), CapacityValue = StoredValue, TimeGenerated ) on Computer, TimeGenerated -| join kind=inner( materializedPerfData -| where CounterName == 'cpuUsageNanoCores' or CounterName == 'memoryRssBytes' -| project Computer, CounterName = iif(CounterName == 'cpuUsageNanoCores', 'cpu', 'memory'), UsageValue = StoredValue, TimeGenerated ) on 
Computer, CounterName, TimeGenerated -| project Computer, CounterName, TimeGenerated, UsagePercent = UsageValue * 100.0 / CapacityValue; -- rawData -| summarize Min = min(UsagePercent), Avg = avg(UsagePercent), Max = max(UsagePercent), percentiles(UsagePercent, 50, 90, 95) by bin(TimeGenerated, trendBinSize), CounterName -| sort by TimeGenerated asc -| project CounterName, TimeGenerated, Min, Avg, Max, P50 = percentile_UsagePercent_50, P90 = percentile_UsagePercent_90, P95 = percentile_UsagePercent_95 -| summarize makelist(TimeGenerated, MaxListSize), makelist(Min, MaxListSize), makelist(Avg, MaxListSize), makelist(Max, MaxListSize), makelist(P50, MaxListSize), makelist(P90, MaxListSize), makelist(P95, MaxListSize) by CounterName -| join ( rawData -| summarize Min = min(UsagePercent), Avg = avg(UsagePercent), Max = max(UsagePercent), percentiles(UsagePercent, 50, 90, 95) by CounterName ) on CounterName -| project ClusterId = clusterId, CounterName, Min, Avg, Max, P50 = percentile_UsagePercent_50, P90 = percentile_UsagePercent_90, P95 = percentile_UsagePercent_95, list_TimeGenerated, list_Min, list_Avg, list_Max, list_P50, list_P90, list_P95 -``` ### Node count by status The required tables for this chart include KubeNodeInventory. |
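Review bot: the hunk deletes the entire "Node CPU and memory utilization" section together with its Kusto query, while the introduction above it still says these queries are generated from the out-of-the-box visualizations; if the query moved to another page, add a link there, otherwise explain in the commit why that chart's query is no longer listed.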
azure-monitor | Data Platform Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/data-platform-metrics.md | Azure Monitor provides REST APIs that allow you to get data in and out of Azure - **Azure Monitor Metrics REST API** - Allows you to access Azure Monitor platform metrics definitions and values. For more information, see [Azure Monitor REST API](/rest/api/monitor/). For information on how to use the API, see the [Azure monitoring REST API walkthrough](./rest-api-walkthrough.md). - **Azure Monitor Metrics Data plane REST API** - [Azure Monitor Metrics data plane API](/rest/api/monitor/metrics-data-plane/) is a high-volume API designed for customers with large volume metrics queries. It's similar to the existing standard Azure Monitor Metrics REST API, but provides the capability to retrieve metric data for up to 50 resource IDs in the same subscription and region in a single batch API call. This improves query throughput and reduces the risk of throttling. +## Security ++All communication between connected systems and the Azure Monitor service is encrypted using the TLS 1.2 (HTTPS) protocol. The Microsoft SDL process is followed to ensure all Azure services are up-to-date with the most recent advances in cryptographic protocols. ++Secure connection is established between the agent and the Azure Monitor service using certificate-based authentication and TLS with port 443. Azure Monitor uses a secret store to generate and maintain keys. Private keys are rotated every 90 days and are stored in Azure and are managed by the Azure operations who follow strict regulatory and compliance practices. 
For more information on security, see [Encryption of data in transit](../../security/fundamentals/encryption-overview.md#encryption-of-data-in-transit), [Encryption of data at rest](../../security/fundamentals/encryption-atrest.md), and [Azure Monitor Logs data security](../logs/data-security.md) ## Metrics Explorer For more information, see [Getting started with Azure Monitor Metrics Explorer]( ## Data structure -Data that Azure Monitor Metrics collects is stored in a time-series database that's optimized for analyzing time-stamped data. Each set of metric values is a time series with the following properties: +Data that Azure Monitor Metrics collects, is stored in a time-series database that's optimized for analyzing time-stamped data. Each set of metric values is a time series with the following properties: * The time when the value was collected. * The resource that the value is associated with. |
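Review bot: in the Data structure hunk, the added comma in "Data that Azure Monitor Metrics collects, is stored in a time-series database" separates the subject from its verb; the removed wording "collects is stored" was correct and should be kept.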
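Review bot: in the new Security section, "Secure connection is established between the agent and the Azure Monitor service" needs an article ("A secure connection"), and "managed by the Azure operations who follow strict regulatory and compliance practices" should name a team ("the Azure operations team, which follows"); "are rotated every 90 days and are stored in Azure and are managed by" can drop the repeated "and are". Also consider saying whether TLS 1.2 is the minimum or the only version, since "encrypted using the TLS 1.2 (HTTPS) protocol" reads as exactly 1.2.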
azure-monitor | Change Pricing Tier | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/change-pricing-tier.md | Title: Change pricing tier for Log Analytics workspace description: Details on how to change pricing tier for Log Analytics workspace in Azure Monitor. +++ Last updated 03/25/2022 |
azure-monitor | Data Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/data-security.md | |
azure-monitor | Logs Export Logic App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/logs-export-logic-app.md | description: This article describes a method to use Azure Logic Apps to query da Previously updated : 05/01/2023 Last updated : 07/02/2023 |
azure-monitor | Monitor Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/monitor-workspace.md | Title: Monitor operational issues logged in your Azure Monitor Log Analytics wor description: The article describes how to monitor the health of your Log Analytics workspace by using data in the Operation table. Previously updated : 03/21/2022 Last updated : 07/02/2023 |
azure-monitor | Move Workspace Region | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/move-workspace-region.md | Title: Move a Log Analytics workspace to another Azure region by using the Azure description: Use an Azure Resource Manager template to move a Log Analytics workspace from one Azure region to another by using the Azure portal. Previously updated : 08/17/2021 Last updated : 07/02/2023 |
azure-monitor | Powershell Workspace Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/powershell-workspace-configuration.md | description: PowerShell samples show how to configure a Log Analytics workspace Previously updated : 03/28/2022 Last updated : 07/02/2023 |
azure-monitor | Private Link Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/private-link-configure.md | Title: Configure your private link description: This article shows the steps to configure a private link.-+ Last updated 1/5/2022 |
azure-monitor | Private Link Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/private-link-security.md | Title: Use Azure Private Link to connect networks to Azure Monitor description: Set up an Azure Monitor Private Link Scope to securely connect networks to Azure Monitor.-+ Last updated 1/5/2022 |
azure-monitor | Quick Create Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/quick-create-workspace.md | description: Learn how to create a Log Analytics workspace to enable management Previously updated : 03/28/2022 Last updated : 07/02/2023 # Customer intent: As a DevOps engineer or IT expert, I want to set up a workspace to collect logs from multiple data sources from Azure, on-premises, and third-party cloud deployments. |
azure-monitor | Grafana Plugin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/grafana-plugin.md | Title: Monitor Azure services and applications by using Grafana description: Route Azure Monitor and Application Insights data so that you can view it in Grafana. Previously updated : 04/22/2022 Last updated : 06/21/2023 # Monitor your Azure services in Grafana -You can monitor Azure services and applications by using [Grafana](https://grafana.com/) and the included [Azure Monitor data source plug-in](https://grafana.com/docs/grafana/latest/datasources/azuremonitor/). The plug-in retrieves data from three Azure +You can monitor Azure services and applications by using [Grafana](https://grafana.com/) and the included [Azure Monitor data source plug-in](https://grafana.com/docs/grafana/latest/datasources/azuremonitor/). The plug-in retrieves data from these Azure ++- [Azure Monitor Metrics](../essentials/data-platform-metrics.md) for numeric time series data from Azure resources. +- [Azure Monitor Logs](../logs/data-platform-logs.md) for log and performance data from Azure resources that enables you to query by using the powerful Kusto Query Language (KQL). You can use Application Insights log queries to retrieve Application Insights log based metrics + - [Application Insights log based metrics](../essentials/app-insights-metrics.md) to let you analyze the health of your monitored apps. You can use Application Insights log queries in Grafana to use the Application Insights log metrics data. +- [Azure Resource Graph](../../governance/resource-graph/overview.md) to quickly query and identify Azure resources across subscriptions. 
-- Azure Monitor Metrics for numeric time series data from Azure resources.-- Azure Monitor Logs for log and performance data from Azure resources that enables you to query by using the powerful Kusto Query Language (KQL).-- Azure Resource Graph to quickly query and identify Azure resources across subscriptions. You can then display this performance and availability data on your Grafana dashboard. To set up a local Grafana server, [download and install Grafana in your local en ## Sign in to Grafana > [!IMPORTANT]-> The Internet Explorer browser and older Microsoft Edge browsers aren't compatible with Grafana. You must use a chromium-based browser including Microsoft Edge. For more information, see [Supported web browsers for Grafana](https://grafana.com/docs/grafana/latest/installation/requirements/#supported-web-browsers). +> Internet Explorer and the older Microsoft Edge browsers aren't compatible with Grafana. You must use a chromium-based browser including Microsoft Edge. For more information, see [Supported web browsers for Grafana](https://grafana.com/docs/grafana/latest/installation/requirements/#supported-web-browsers). Sign in to Grafana by using the endpoint URL of your Azure Managed Grafana workspace or your server's IP address. If you're hosting Grafana on your own Azure Virtual Machines or Azure App Servic  +## Use out-of-the-box dashboards ++Azure Monitor contains out-of-the-box dashboards to use with Azure Managed Grafana and the Azure Monitor plugin. ++ +Azure Monitor also supports out-of-the-box dashboards for seamless integration with Azure Monitor managed service for Prometheus. These dashboards are automatically deployed to Azure Managed Grafana when linked to Azure Monitor managed service for Prometheus. + ## Build a Grafana dashboard 1. Go to the Grafana home page and select **New Dashboard**. 
In addition to building your panels in Grafana, you can also quickly pin Azure M [](media/grafana-plugin/grafana-pin-to-expanded.png#lightbox) -## Optional: Monitor your custom metrics in the same Grafana server --You can also install Telegraf and InfluxDB to collect and plot both custom and agent-based metrics for the same Grafana instance. There are many data source plug-ins that you can use to bring these metrics together in a dashboard. --You can also reuse this setup to include metrics from your Prometheus server. Use the Prometheus data source plug-in in Grafana's plug-in gallery. --Here are good reference articles on how to use Telegraf, InfluxDB, Prometheus, and Docker: --Here's an image of a full Grafana dashboard that has metrics from Azure Monitor and Application Insights. -- - ## Advanced Grafana features Grafana has advanced features. Usage One of the many useful features of Grafana is the dashboard playlist. You can create multiple dashboards and add them to a playlist configuring an interval for each dashboard to show. Select **Play** to see the dashboards cycle through. You might want to display them on a large wall monitor to provide a status board for your group. +## Optional: Monitor other datasources in the same Grafana dashboards ++There are many data source plug-ins that you can use to bring these metrics together in a dashboard. 
++Here are good reference articles on how to use Telegraf, InfluxDB, Azure Monitor managed service for Prometheus, and Docker: + - [How to configure data sources for Azure Managed Grafana](../../managed-grafan) + - [Use Azure Monitor managed service for Prometheus as data source for Grafana using managed system identity](../essentials/prometheus-grafana.md) + - [How to monitor system Metrics with the TICK Stack on Ubuntu 16.04](https://www.digitalocean.com/community/tutorials/how-to-monitor-system-metrics-with-the-tick-stack-on-ubuntu-16-04) + - [A monitoring solution for Docker hosts, containers, and containerized services](https://stefanprodan.com/2016/a-monitoring-solution-for-docker-hosts-containers-and-containerized-services/) +Here's an image of a full Grafana dashboard that has metrics from Azure Monitor and Application Insights. ++ ## Clean up resources If you've set up a Grafana environment on Azure, you're charged when resources are running whether you're using them or not. To avoid incurring additional charges, clean up the resource group created in this article. |
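Review bot: in the new data-source list, the "Application Insights log based metrics" item is indented by one space, so it renders nested under the Azure Monitor Logs item instead of as a sibling; align it with the other three bullets. The sentence appended to the Logs bullet ("You can use Application Insights log queries to retrieve Application Insights log based metrics") has no terminating period and repeats what the Application Insights bullet already says, so keep it in one place.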
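Review bot: in the new "Optional: Monitor other datasources in the same Grafana dashboards" section, "bring these metrics together in a dashboard" has no antecedent any more, because the Telegraf/InfluxDB sentence that introduced those metrics was removed from the old section; rewrite as "bring metrics from other sources together in a dashboard". The link target `../../managed-grafan` in "How to configure data sources for Azure Managed Grafana" looks truncated; verify the path before merging.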
azure-resource-manager | Parameter Files | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/parameter-files.md | From Bicep CLI, you can build a Bicep parameters file into a JSON parameters fil ## Deploy Bicep file with parameters file -From Azure CLI, pass a local parameters file using `@` and the parameters file name. For example, `storage.bicepparam` or `@storage.parameters.json`. +From Azure CLI, you can pass both a json based local parameters file using `@` and the parameters file name and a .bicepparam based local parameters file just using the file name. For example, `storage.bicepparam` or `@storage.parameters.json`. ```azurecli az deployment group create \ |
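Review bot: the rewritten sentence "you can pass both a json based local parameters file using `@` and the parameters file name and a .bicepparam based local parameters file just using the file name" is hard to parse on first read; suggest "From Azure CLI, pass a JSON parameters file by prefixing its name with `@` (for example, `@storage.parameters.json`), or a `.bicepparam` file by its file name alone (for example, `storage.bicepparam`)."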
azure-video-indexer | Face Redaction With Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/face-redaction-with-api.md | + + Title: Redact faces with Azure Video Indexer API +description: This article shows how to use Azure Video Indexer face redaction feature using API. + Last updated : 06/26/2023+++# Redact faces with Azure Video Indexer API ++Azure Video Indexer enables customers to detect and identify faces. Face redaction enables you to modify your video in order to blur faces of selected individuals. A few minutes of footage that contains multiple faces can take hours to redact manually, but with this preset the face redaction process requires just a few simple steps. ++This article shows how to do the face redaction with an API. The face redaction API includes a **Face Redaction** preset that offers scalable face detection and redaction (blurring) in the cloud. ++The following video shows how to redact a video with Azure Video Indexer API. ++> [!VIDEO https://www.microsoft.com/videoplayer/embed/RW16UBo] ++The article demonstrates each step of how to redact faces with the API in detail. ++## Compliance, privacy, and security ++As an important [reminder](limited-access-features.md), you must comply with all applicable laws in your use of analytics in Azure Video Indexer. ++Face service access is limited based on eligibility and usage criteria in order to support our Responsible AI principles. Face service is only available to Microsoft managed customers and partners. Use the [Face Recognition intake form](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xUQjA5SkYzNDM4TkcwQzNEOE1NVEdKUUlRRCQlQCN0PWcu) to apply for access. For more information, see the [Face limited access page](https://learn.microsoft.com/legal/cognitive-services/computer-vision/limited-access-identity?context=%2Fazure%2Fcognitive-services%2Fcomputer-vision%2Fcontext%2Fcontext). 
++## Redactor terminology and hierarchy ++The Face Redactor in Video Indexer relies on the output of the existing Video Indexer Face Detection results provided in our Video Standard and Advanced Analysis presets. In order to redact a video, you must first upload a video to Video Indexer and perform an analysis using the **standard** or **Advanced** video presets. This can be done using the [Azure Video Indexer website](https://www.videoindexer.ai/media/library) or [API](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video). You can then use the Redactor API to reference this video using the `videoId` and we create a new video with the redacted faces. ++## Blurring kinds ++The Face Redaction comes with several options, which can be provided in the request body. ++|Blurring Kind number |Blurring Kind name |Example| +|||| +|0| MediumBlur|:::image type="content" source="./media/face-redaction-with-api/medium-blur.png" alt-text="Picture of the Azure Video Indexer medium blur kind.":::| +|1| HighBlur|:::image type="content" source="./media/face-redaction-with-api/high-blur.png" alt-text="Picture of the Azure Video Indexer high blur kind.":::| +|2| LowBlur|:::image type="content" source="./media/face-redaction-with-api/low-blur.png" alt-text="Picture of the Azure Video Indexer low blur kind.":::| +|3| BoundingBox|:::image type="content" source="./media/face-redaction-with-api/bounding-boxes.png" alt-text="Picture of the Azure Video Indexer bounding boxes kind.":::| +|4| Black|:::image type="content" source="./media/face-redaction-with-api/black-boxes.png" alt-text="Picture of the Azure Video Indexer black boxes kind.":::| ++You can specify the blurring kind in the request body using the `blurringKind`. 
For example: ++```json +{ + "faces": { + "blurringKind": "HighBlur" + } +} +``` ++Or when using the BlurringKind number: ++```json +{ + "faces": { + "blurringKind": 1 + } +} +``` ++## Filters ++You can apply filters to instruct which face IDs should be blurred. You can specify the IDs of the faces in a comma separated array in the json body. Additionally using the scope you can instruct to exclude or include these faces for redaction. This way you have the option to achieve a behavior of “redact all faces except these IDs” or “redact only these IDs” by specifying the least number of IDs. See examples below. ++### Exclude scope ++Redact all faces except 1001 and 1016, use the `Exclude` scope. ++```json +{ + "faces": { + "blurringKind": "HighBlur", + "filter": { + "ids": [1001, 1016], + "scope": "Exclude" + } + } +} +``` ++### Include scope ++Redact only face IDs 1001 and 1016, use the `Include` scope. ++```json +{ + "faces": { + "blurringKind": "HighBlur", + "filter": { + "ids": [1001, 1016], + "scope": "Include" + } + } +} +``` ++### Redact all faces ++To redact all faces, remove the filter entirely. ++```json +{ + "faces": { + "blurringKind": "HighBlur", + } +} +``` ++To retrieve the Face ID, you can go to the indexed video and retrieve the [artifact file](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Get-Video-Artifact-Download-Url). This artifact contains a faces.json and a thumbnail zip file with all the faces. You can match the face to the ID and decide which face IDs need to be redacted. 
++## Create a redactor job ++To create a Redactor job, you can invoke the following API call: ++```json +POST https://api.videoindexer.ai/{location}/Accounts/{accountId}/Videos/{videoId}/redact[?name][&priority][&privacy][&externalId][&streamingPreset][&callbackUrl][&accessToken] +``` ++The following values are mandatory: ++|Name |Value |Description | +|||| +|**Accountid** |`{accountId}`| The ID of your Video Indexer account.| +|**Location** |`{location}`| The location of your Video Indexer account that is, Westus.| +|**AccessToken** |`{token}`|The token with Account Contributor rights generated through the [Azure Resource Manager](https://learn.microsoft.com/rest/api/videoindexer/stable/generate/access-token?tabs=HTTP) REST API.| +|**Videoid** |`{videoId}`|The video ID of the source video to redact. You can retrieve the video ID using the [List Video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=List-Videos) API.| +|**Name** |`{name}`|The name of the new redacted video.| ++A sample request would be: ++``` +https://api.videoindexer.ai/westeurope/Accounts/<id>/Videos/<id>/redact?priority=Low&name=testredaction&privacy=Private&streamingPreset=Default +``` ++We can specify the token as authorization header with a key value type of bearertoken:{token} or you can provide it as query param using `?token={token}` ++Additionally we need to add a request body in json format with the redaction job options that is: ++```json +{ + "faces": { + "blurringKind": "HighBlur" + } +} +``` ++When successful you receive an HTTP 202 ACCEPTED. ++## Monitor job status ++In the response of the job creation request you receive an HTTP header `Location` with a URL to the job. You can perform a GET request to this url with the same token to see the status of the redaction job. 
An example url would be: ++``` +https://api.videoindexer.ai/westeurope/Accounts/<id>/Jobs/<id> +``` ++Response ++```json +{ + "creationTime": "2023-05-11T11:22:57.6114155Z", + "lastUpdateTime": "2023-05-11T11:23:01.7993563Z", + "progress": 20, + "jobType": "Redaction", + "state": "Processing" +} +``` ++Calling the same url once the redaction job has completed you get a Storage SAS url to the redacted video again in the `Location` header. For instance: ++``` +https://api.videoindexer.ai/westeurope/Accounts/<id>/Videos/<id>/SourceFile/DownloadUrl +``` ++This will redirect to the mp4 stored on the Azure Storage Account. ++## FAQ ++|Question|Answer| +||| +|Can I upload a video and redact in one operation? |No, you need to first upload and analyze a video using the Index Video API and reference the indexed video in your redaction job.| +|Can I use the [Azure Video Indexer website](https://www.videoindexer.ai/) to redact a video? |No, Currently you can only use the API to create redaction jobs.| +|Can I play back the redacted video using the Video Indexer [website](https://www.videoindexer.ai/)?|Yes, the redacted video is visible in the Video Indexer like any other indexed video, however it doesn't contain any insights. | +|How do I delete a redacted video? |You can use the [Delete Video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Delete-Video) API and provide the `Videoid` of the redacted video. | +|Do I need to pass Facial Identification gating to use Redactor? |Unless you're a US Police Department, no, even when you’re gated we continue to offer Face Detection. We don't offer Face Identification when gated. You can however redact all faces in a video with just the Face Detection. | +|Not all faces are properly redacted. What can I do? |Redaction relies on the initial Face Detection and tracking output of the Analysis pipeline. While we detect all faces most of the time there can be circumstances where we haven't detected a face. 
This can have several reasons like face angle, number of frames the face was present and quality of the source video. See our [Face insights](face-detection.md) documentation for more information. | +|Can I redact other objects than faces? |No, currently we only have face redaction. If you have the need for other objects, provide feedback to our product in the [Azure User Voice](https://feedback.azure.com/d365community/forum/8952b9e3-e03b-ec11-8c62-00224825aadf) channel. | +|How Long is a SAS URL valid to download the redacted video? |<!--The SAS URL is valid for xxxx. -->To download the redacted video after the SAS url expired, you need to call the initial Job status URL. It's best to keep these `Jobstatus` URLs in a database in your backend for future reference. | ++## Error codes ++### Response: 404 Not Found ++Account not found or video not found. ++Response headers +Name +Required +Type +Description +x-ms-request-id +false +string ++A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. ++application/json +ErrorResponse ++Name +Required +Type +Description +ErrorType +false +ErrorType +Message +false +string +*default* ++```json +{ + "ErrorType": "GENERAL", + "Message": "string" +} +``` ++### Response: 400 Bad Request ++Invalid input or cannot redact the video since its original upload failed. Please upload the video again. ++Response headers +Name +Required +Type +Description +x-ms-request-id +false +string ++A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. 
The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. ++application/json +ErrorResponse ++Name +Required +Type +Description +ErrorType +false +ErrorType +Message +false +string +*default* ++```json +{ + "ErrorType": "GENERAL", + "Message": "string" +} +``` ++### Response: 409 Conflict ++Video is already being indexed. ++Response headers +Name +Required +Type +Description +x-ms-request-id +false +string ++A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. ++application/json +ErrorResponse ++Name +Required +Type +Description +ErrorType +false +ErrorType +Message +false +string +*default* ++```json +{ + "ErrorType": "GENERAL", + "Message": "string" +} +``` ++### Response: 401 Unauthorized ++Response headers ++Name +Required +Type +Description +x-ms-request-id +false +string ++A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. 
++application/json +ErrorResponse ++Name +Required +Type +Description +ErrorType +false +ErrorType +Message +false +string +*default* ++```json +{ + "ErrorType": "USER_NOT_ALLOWED", + "Message": "Access token is not authorized to access account 'SampleAccountId'." +} +``` ++### Response: 500 Internal Server Error ++Response headers +Name +Required +Type +Description +x-ms-request-id +false +string ++A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. ++application/json +ErrorResponse + +Name +Required +Type +Description +ErrorType +false +ErrorType +Message +false +string +*default* ++```json +{ + "ErrorType": "GENERAL", + "Message": "There was an error." +} +``` ++### Response: 429 Too many requests ++Too many requests were sent, use Retry-After response header to decide when to send the next request. ++Response headers ++Name +Required +Type +Description +Retry-After +false +integer +A non-negative decimal integer indicating the seconds to delay after the response is received +x-ms-request-id +false +string ++A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. ++### Response: 504 Gateway Timeout ++Server didn't respond to gateway within expected time. 
++Response headers +Name +Required +Type +Description +x-ms-request-id +false +string ++A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. ++application/json +*default* ++```json +{ + "ErrorType": "SERVER_TIMEOUT", + "Message": "Server did not respond to gateway within expected time" +} +``` ++## Next steps ++- [Azure Video Indexer](https://azure.microsoft.com/pricing/details/video-indexer/) +- Also, see [Azure pricing](https://azure.microsoft.com/pricing/) for encoding, streaming, and storage billed by the respective Azure service providers. |
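Review bot: the "Redact all faces" example under Filters is not valid JSON: `"blurringKind": "HighBlur",` is followed directly by the closing `}`, so the trailing comma must be removed (the Exclude and Include examples are fine). In "Create a redactor job", the request line `POST https://api.videoindexer.ai/{location}/Accounts/{accountId}/Videos/{videoId}/redact[...]` is fenced as ```json; tag that fence `http` or leave it untagged so the request line isn't presented as JSON.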
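Review bot: "Create a redactor job" tells readers they can send the access token either "as authorization header with a key value type of bearertoken:{token}" or as the query parameter `?token={token}`. State the header in its standard form (`Authorization: Bearer {token}`) and recommend it over the query string, since a token in a URL ends up in browser history, proxy logs and server access logs. The same caution applies to the Storage SAS URL returned in the `Location` header after the job completes: the FAQ advises keeping the job status URLs in a backend database, and the download URL should be handled as a credential that grants access to the redacted video to whoever holds it. Also, "The location of your Video Indexer account that is, Westus" should read "for example, westus".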
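Review bot: the FAQ answer to "How Long is a SAS URL valid to download the redacted video?" still carries the unresolved placeholder comment `<!--The SAS URL is valid for xxxx. -->`; fill in the validity period or drop the comment before publishing. The answer on Facial Identification gating ("Unless you're a US Police Department, no, even when you're gated we continue to offer Face Detection") is hard to follow; split it into what remains available when an account is gated (Face Detection, and therefore redaction of all faces) and what does not (Face Identification).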
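Review bot: in the Error codes section the response header and ErrorResponse descriptions are flattened to one token per line (Name, Required, Type, Description, x-ms-request-id, false, string), and the paragraph describing `x-ms-request-id` is repeated verbatim under every status code; format these as tables and describe the header once, with each response referring back to it. The 401 Unauthorized and 500 Internal Server Error subsections are also the only ones with no sentence under the heading explaining when the response is returned.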
azure-video-indexer | Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/release-notes.md | To stay up-to-date with the most recent Azure Video Indexer developments, this a * Bug fixes * Deprecated functionality +## July 2023 ++You can now redact faces with Azure Video Indexer API. For more information see [Redact faces with Azure Video Indexer API](face-redaction-with-api.md). ++## June 2023 ++### FAQ - following the Azure Media Services retirement announcement ++For more information, see [AMS deprecation FAQ](ams-deprecation-faq.yml). ++### Retirement of adaptive bitrate support for new indexing jobs ++Starting December 2023, Azure Video Indexer will no longer support adaptive bitrate for new video processing jobs. Moving forward, only single bitrate videos will be supported, with the option to choose no bitrate adaptation. ++Existing videos that were indexed already with adaptive bitrate work with no change. ++Any API call with Adaptive Bitrate after that date, will be converted to single bitrate avoiding failures. ++Guidelines to customers: Make the necessary adjustments to your video encoding and ingestion processes to accommodate this update. ++### New ARM experience without AMS ++The deprecation of the AMS dependency has led to a breaking change in the account creation form and the create API for new ARM-based accounts, starting December 2023. As part of the updated workflow, the option to associate an AMS account during account creation will be removed, and will be replaced by adding storage entity. ++Guidelines to customers: We're working on a new implementation without AMS and will provide more details in our documentation. Once available, review the updated documentation and modify your account creation process accordingly to avoid any disruptions. + ## May 2023 ### API breaking change We're introducing a change in behavior that may break your existing query logic. 
|API |Current|New|The breaking change| |||||-|List Videos|• List all videos/projects according to 'IsBase' boolean parameter. If 'IsBase' is not defined, list both.<br/>• Returns videos in all states (In progress/Proccessed/Failed). |• List Videos API will Return only videos (with paging) in all states.<br/>• List Projects API will return only projects (with paging).|• List videos API was divided into two new API’s **List Videos** and **List Projects**<br/>• The 'IsBase' parameter no longer has a meaning. | -|Search Videos|• Search all videos/projects according to 'IsBase' boolean parameter. If 'IsBase' is not defined, search both. <br/>• Search videos in all states (In progress/Proccessed/Failed). |Search only processed videos.|• Search Videos API will only search videos and not projects.<br/>• The 'IsBase' parameter no longer has a meaning.<br/>• Search Videos API will only search Processed videos (and not Failed/InProgress ones.)| +|List Videos|• List all videos/projects according to 'IsBase' boolean parameter. If 'IsBase' isn't defined, list both.<br/>• Returns videos in all states (In progress/Proccessed/Failed). |• List Videos API will Return only videos (with paging) in all states.<br/>• List Projects API returns only projects (with paging).|• List videos API was divided into two new API’s **List Videos** and **List Projects**<br/>• The 'IsBase' parameter no longer has a meaning. | +|Search Videos|• Search all videos/projects according to 'IsBase' boolean parameter. If 'IsBase' isn't defined, search both. <br/>• Search videos in all states (In progress/Proccessed/Failed). 
|Search only processed videos.|• Search Videos API will only search videos and not projects.<br/>• The 'IsBase' parameter no longer has a meaning.<br/>• Search Videos API will only search Processed videos (and not Failed/InProgress ones.)| ### Support for HTTP/2 Azure Video Indexer is now integrated with Azure Resource Health enabling you to ### The animation character recognition model has been retired -The **animation character recognition** model has been retired on March 1st, 2023. For any related issues, [open a support ticket via the Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). +The **animation character recognition** model has been retired on March 1, 2023. For any related issues, [open a support ticket via the Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). ### Excluding sensitive AI models For more information, see [Considerations and limitations when choosing a use ca ### Support for storage behind firewall -It is good practice to lock storage accounts and disable public access to enhance or comply with enterprise security policy. Video Indexer can now access non-public accessible storage accounts using the [Azure Trusted Service](https://learn.microsoft.com/azure/storage/common/storage-network-security?tabs=azure-portal#trusted-access-based-on-a-managed-identity) exception using Managed Identities. You can read more how to set it up in our [how-to](storage-behind-firewall.md). +It's good practice to lock storage accounts and disable public access to enhance or comply with enterprise security policy. Video Indexer can now access non-public accessible storage accounts using the [Azure Trusted Service](https://learn.microsoft.com/azure/storage/common/storage-network-security?tabs=azure-portal#trusted-access-based-on-a-managed-identity) exception using Managed Identities. You can read more how to set it up in our [how-to](storage-behind-firewall.md). 
### New custom speech and pronunciation training |
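Review bot: in the June 2023 hunk, "Any API call with Adaptive Bitrate after that date, will be converted to single bitrate avoiding failures" has a stray comma between subject and verb and an unclear tail; suggest "Any API call that requests adaptive bitrate after that date will be converted to single bitrate so that the call doesn't fail."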
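Review bot: the rewritten List Videos and Search Videos rows carry forward the typo "Proccessed" (in both rows) and the possessive "API’s" where the plural "APIs" is meant; since these table lines are being touched anyway, correct them to "Processed" and "APIs".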
azure-video-indexer | Video Indexer Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/video-indexer-overview.md | +> [!IMPORTANT] +> Following [Azure Media Services retirement announcement](https://aka.ms/ams-retirement), Azure Video Indexer makes the following announcements: [June release notes](release-notes.md#june-2023). +> +> Also checkout related [AMS deprecation FAQ](ams-deprecation-faq.yml). + [!INCLUDE [regulation](./includes/regulation.md)] [!INCLUDE [Gate notice](./includes/face-limited-access.md)] |
cognitive-services | Models | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/openai/concepts/models.md | Azure OpenAI now supports automatic updates for select model deployments. On mod :::image type="content" source="../media/models/auto-update.png" alt-text="Screenshot of the deploy model UI of Azure OpenAI Studio." lightbox="../media/models/auto-update.png"::: -### Auto update to latest +### Auto update to default -When **Auto-update to latest** is selected your model deployment will be automatically updated within two weeks of a new version being released. +When **Auto-update to default** is selected your model deployment will be automatically updated within two weeks of a new version being released. -If you are still in the early testing phases for completion and chat completion based models we recommend deploying models with **auto-update to latest** set whenever it is available. For embeddings models while we recommend using the latest model version, you should choose when you want to upgrade since embeddings generated with an earlier model version will not be interchangeable with the new version. +If you are still in the early testing phases for completion and chat completion based models we recommend deploying models with **auto-update to default** set whenever it is available. For embeddings models while we recommend using the latest model version, you should choose when you want to upgrade since embeddings generated with an earlier model version will not be interchangeable with the new version. ### Specific model version When you select a specific model version for a deployment this version will rema ### GPT-35-Turbo 0301 and GPT-4 0314 expiration -The original `gpt-35-turbo` (`0301`) and both `gpt-4` (`0314`) models will expire no earlier than September 30th, 2023. Upon expiration deployments will automatically be upgraded to the default version at the time of expiry. 
If you would like your deployment to stop accepting completion requests rather than upgrading, then you will be able to set the model upgrade option to expire through the API. We will publish guidelines on this by September 1. +The original `gpt-35-turbo` (`0301`) and both `gpt-4` (`0314`) models will expire no earlier than October 15th, 2023. Upon expiration, deployments will automatically be upgraded to the default version. If you would like your deployment to stop accepting completion requests rather than upgrading, then you will be able to set the model upgrade option to expire through the API. We will publish guidelines on this by September 1. ### Viewing deprecation dates These models can be used with Completion API requests. `gpt-35-turbo` is the onl | text-davinci-002 | East US, South Central US, West Europe | N/A | 4,097 | Jun 2021 | | text-davinci-003 | East US, West Europe | N/A | 4,097 | Jun 2021 | | text-davinci-fine-tune-002 | N/A | N/A | | |-| gpt-35-turbo<sup>1</sup> (ChatGPT) | East US, France Central, South Central US, UK South, West Europe | N/A | 4,096 | Sep 2021 | +| gpt-35-turbo<sup>1</sup> (0301) | East US, France Central, South Central US, UK South, West Europe | N/A | 4,096 | Sep 2021 | +| gpt-35-turbo (0613) | East US, France Central, UK South | N/A | 4,096 | Sep 2021 | +| gpt-35-turbo-16k (0613) | East US, France Central, UK South | N/A | 16,384 | Sep 2021 | -<br><sup>1</sup> Currently, only version `0301` of this model is available. +<sup>1</sup> Version `0301` of gpt-35-turbo will be deprecated no earlier than October 15th, 2023 in favor of version `0613`. ### GPT-4 Models These models can only be used with the Chat Completion API. 
| Model ID | Base model Regions | Fine-Tuning Regions | Max Request (tokens) | Training Data (up to) | | | | | | |-| `gpt-4` <sup>1,</sup><sup>2</sup> | East US, France Central | N/A | 8,192 | September 2021 | -| `gpt-4-32k` <sup>1,</sup><sup>2</sup> | East US, France Central | N/A | 32,768 | September 2021 | +| `gpt-4` <sup>1,</sup><sup>2</sup> (0314) | East US, France Central | N/A | 8,192 | September 2021 | +| `gpt-4-32k` <sup>1,</sup><sup>2</sup> (0314) | East US, France Central | N/A | 32,768 | September 2021 | +| `gpt-4` <sup>1</sup> (0613) | East US, France Central | N/A | 8,192 | September 2021 | +| `gpt-4-32k` <sup>1</sup> (0613) | East US, France Central | N/A | 32,768 | September 2021 | <sup>1</sup> The model is [only available by request](https://aka.ms/oai/get-gpt4).<br>-<sup>2</sup> Currently, only version `0314` of this model is available. +<sup>2</sup> Version `0314` of gpt-4 and gpt-4-32k will be deprecated no earlier than October 15th, 2023 in favor of version `0613`. ### Dall-E Models |
cognitive-services | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/openai/whats-new.md | keywords: - [Azure OpenAI on your data](./concepts/use-your-data.md) is now available in preview, enabling you to chat with OpenAI models such as ChatGPT and GPT-4 and receive responses based on your data. +### New versions of gpt-35-turbo and gpt-4 models ++- gpt-35-turbo (version 0613) +- gpt-35-turbo-16k (version 0613) +- gpt-4 (version 0613) +- gpt-4-32k (version 0613) + ### UK South - Azure OpenAI is now available in the UK South region. Check the [models page](concepts/models.md), for the latest information on model availability in each region. |
communication-services | Virtual Visits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/tutorials/virtual-visits.md | The app service generated by the Sample Builder is a stand-alone artifact, desig ### Identity & security The Sample BuilderΓÇÖs consumer experience doesn't authenticate the end user, but provides [Azure Communication Services user access tokens](../quickstarts/identity/access-tokens.md) to any random visitor. That isnΓÇÖt realistic for most scenarios, and you want to implement an authentication scheme.++### Customizations +Kindly be aware that the code sample presented here is intended as a foundation for your virtual appointments application. It is crucial to understand that adjustments tailored to your unique use case will be essential. We recommend reviewing the code, making the necessary modifications, and referring to the accompanying documentation for assistance. |
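Review bot: the new Customizations paragraph says the same thing twice ("intended as a foundation" and "adjustments ... will be essential") and opens with "Kindly be aware", which docs style avoids; a single direct sentence such as "The code sample is a starting point for your virtual appointments application, so you'll need to adapt it to your use case" carries the point. The unchanged context lines just above also show "BuilderΓÇÖs" and "isnΓÇÖt", mojibake for the apostrophe, which is worth fixing while this section is open.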
confidential-computing | Confidential Computing Deployment Models | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/confidential-computing-deployment-models.md | Azure confidential computing supports multiple deployment models. These differen ## Infrastructure as a Service (IaaS) -For Infrastructure as a Service (IaaS), you can use confidential virtual machines (VMs) in confidential computing. You can use VMs based on [Intel Software Guard Extensions (SGX) application enclaves](confidential-computing-enclaves.md) or AMD SEV-SNP technology. +Under Infrastructure as a Service (IaaS) deployment model, you can use confidential virtual machines (VMs) in confidential computing. You can use VMs based on [AMD Secure Encrypted Virtualization Secure Nested Paging (SEV-SNP)](confidential-vm-overview.md), [Intel Trust Domain Extensions (TDX)](tdx-confidential-vm-overview.md) or [Intel Software Guard Extensions (SGX) application enclaves](confidential-computing-enclaves.md). ++Infrastructure as a Service (IaaS) is a cloud computing deployment model that grants access to scalable computing resources, such as servers, storage, networking, and virtualization, on demand. By adopting IaaS deployment model, organizations can forego the process of procuring, configuring, and managing their own infrastructure, instead only paying for the resources they utilize. This makes it a cost-effective solution. ++In the domain of cloud computing, IaaS deployment model enables businesses to rent individual services from cloud service providers like Azure. Azure assumes responsibility for managing and maintaining the infrastructure, empowering organizations to concentrate on installing, configuring, and managing their software. Azure also offers supplementary services such as comprehensive billing management, logging, monitoring, storage resiliency, and security. 
++Scalability constitutes another significant advantage of IaaS deployment model in cloud computing. Enterprises can swiftly scale their resources up and down according to their requirements. This flexibility facilitates faster development life cycles, accelerating time to market for new products and ideas. Additionally, IaaS deployment model ensures reliability by eliminating single points of failure. Even in the event of a hardware component failure, the service remains accessible. ++In conclusion, IaaS deployment model in combination with Azure Confidential Computing offers benefits, including cost savings, increased efficiency, innovation opportunities, reliability, high scalability, and all secured by a robust and comprehensive security solution designed specifically to protect highly sensitive data. ## Platform as a Service (PaaS) You might opt for a confidential container-based approach when: - You're building a modern cloud-native solution. You also have full control of source code and the deployment process. - You need multi-cloud support. -Both options offer the highest security level for Azure services. There are some differences in the security postures of [confidential VMs](#confidential-vms-on-amd-sev-snp) and [confidential containers](#secure-enclaves-on-intel-sgx) as follows. +Both options offer the highest security level for Azure services. ++There are some differences in the security postures of [confidential VMs](#confidential-vms-on-amd-sev-snp) and [confidential containers](#secure-enclaves-on-intel-sgx) as follows. ### Confidential VMs on AMD SEV-SNP |
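Review bot: the added IaaS paragraphs repeatedly drop the article ("Under Infrastructure as a Service (IaaS) deployment model", "By adopting IaaS deployment model", "IaaS deployment model enables", "IaaS deployment model ensures"); write "the IaaS deployment model" throughout. The second paragraph also re-expands and defines IaaS after the first sentence has already introduced the acronym and the confidential VM options, so the general definition should come first or be dropped. The closing "In conclusion" paragraph ("all secured by a robust and comprehensive security solution") reads as marketing rather than a description of what SEV-SNP, TDX or SGX provide and could be cut.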
cost-management-billing | Mca Enterprise Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/mca-enterprise-operations.md | To view charges for subscriptions that belonged to an account, go to the [subscr You can view charges for a subscription either on the [subscriptions page](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) or the Azure cost analysis. For more information on Azure cost analysis, see [explore and analyze costs with Cost analysis](../costs/quick-acm-cost-analysis.md). +> [!NOTE] +> To understand what could change upon migration from Enterprise Agreement to Microsoft Customer Agreement, refer [this](https://learn.microsoft.com/azure/cost-management-billing/costs/migrate-cost-management-api) document. + ## Need help? Contact support If you need help, [contact support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to get your issue resolved quickly. |
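Review bot: in the added note, "refer [this](...) document" is missing "to" and uses "this" as the link text, which the accessibility guidance for these docs avoids; the target is also an absolute learn.microsoft.com URL while the cost analysis link in the same paragraph is relative. Suggest "see the migration guide" (or the target article's title) as the link text, pointing at ../costs/migrate-cost-management-api.md to match the existing link style.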
cost-management-billing | Mca Section Invoice | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/mca-section-invoice.md | tags: billing Previously updated : 04/05/2023 Last updated : 06/30/2023 Once you have customized your billing account based on your needs, you can link ### Link existing subscriptions and products -If you have existing Azure subscriptions or other products such as Azure Marketplace and App source resources, you can move them from their existing invoice section to another invoice section to reorganize your costs. +If you have existing Azure subscriptions or other products such as Azure Marketplace and App source resources, you can move them from their existing invoice section to another invoice section to reorganize your costs. However, you can't change the invoice section for a reservation or savings plan. 1. Sign in to the [Azure portal](https://portal.azure.com). |
cost-management-billing | How To View Csp Reservations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/how-to-view-csp-reservations.md | +Roles assigned with Azure Lighthouse aren't supported by reservations. To view reservations, you need to be a global admin or an admin agent in the customer's tenant. ++## View reservations + 1. Contact your global admin to get yourself added as an **admin agent** in your tenant. The option is available to global admins in the Partner Center. It's under **Settings** (the gear symbol on the top right of the page) > **User management**. 1. After you have admin agent privilege, go to the Azure portal using the **Admin on Behalf Of** link. |
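Review bot: the added lead-in says you need to be a global admin or admin agent "in the customer's tenant", while step 1 directly below says to be "added as an admin agent in your tenant"; align the two so it's clear which tenant the role must be granted in.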
defender-for-cloud | Attack Path Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/attack-path-reference.md | Last updated 04/13/2023 This article lists the attack paths, connections, and insights used in Defender Cloud Security Posture Management (CSPM). - You need to [enable Defender CSPM](enable-enhanced-security.md#enable-defender-plans-to-get-the-enhanced-security-features) to view attack paths.-- What you see in your environment depends on the resources you're protecting, and your customized configuration. +- What you see in your environment depends on the resources you're protecting, and your customized configuration. Learn more about [the cloud security graph, attack path analysis, and the cloud security explorer](concept-attack-path.md). Prerequisite: For a list of prerequisites, see the [Availability table](how-to-m |--|--| | Internet exposed VM has high severity vulnerabilities | A virtual machine is reachable from the internet and has high severity vulnerabilities. | | Internet exposed VM has high severity vulnerabilities and high permission to a subscription | A virtual machine is reachable from the internet, has high severity vulnerabilities, and identity and permission to a subscription. |-| Internet exposed VM has high severity vulnerabilities and read permission to a data store with sensitive data (Preview) | A virtual machine is reachable from the internet, has high severity vulnerabilities and read permission to a data store containing sensitive data. <br/> Prerequisite: [Enable data-aware security for storage accounts in Defender CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). 
| +| Internet exposed VM has high severity vulnerabilities and read permission to a data store with sensitive data | A virtual machine is reachable from the internet, has high severity vulnerabilities and read permission to a data store containing sensitive data. <br/> Prerequisite: [Enable data-aware security for storage accounts in Defender CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). | | Internet exposed VM has high severity vulnerabilities and read permission to a data store | A virtual machine is reachable from the internet and has high severity vulnerabilities and read permission to a data store. | | Internet exposed VM has high severity vulnerabilities and read permission to a Key Vault | A virtual machine is reachable from the internet and has high severity vulnerabilities and read permission to a key vault. | | VM has high severity vulnerabilities and high permission to a subscription | A virtual machine has high severity vulnerabilities and has high permission to a subscription. |-| VM has high severity vulnerabilities and read permission to a data store with sensitive data (Preview) | A virtual machine has high severity vulnerabilities and read permission to a data store containing sensitive data. <br/>Prerequisite: [Enable data-aware security for storage accounts in Defender CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). | +| VM has high severity vulnerabilities and read permission to a data store with sensitive data | A virtual machine has high severity vulnerabilities and read permission to a data store containing sensitive data. <br/>Prerequisite: [Enable data-aware security for storage accounts in Defender CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). 
| | VM has high severity vulnerabilities and read permission to a key vault | A virtual machine has high severity vulnerabilities and read permission to a key vault. | | VM has high severity vulnerabilities and read permission to a data store | A virtual machine has high severity vulnerabilities and read permission to a data store. | Prerequisite: [Enable agentless scanning](enable-vulnerability-assessment-agentl |--|--| | Internet exposed EC2 instance has high severity vulnerabilities and high permission to an account | An AWS EC2 instance is reachable from the internet, has high severity vulnerabilities and has permission to an account. | | Internet exposed EC2 instance has high severity vulnerabilities and read permission to a DB | An AWS EC2 instance is reachable from the internet, has high severity vulnerabilities and has permission to a database. |-| Internet exposed EC2 instance has high severity vulnerabilities and read permission to S3 bucket | An AWS EC2 instance is reachable from the internet, has high severity vulnerabilities and has an IAM role attached with permission to an S3 bucket via an IAM policy, or via a bucket policy, or via both an IAM policy and a bucket policy. -| Internet exposed EC2 instance has high severity vulnerabilities and read permission to a S3 bucket with sensitive data (Preview) | An AWS EC2 instance is reachable from the internet has high severity vulnerabilities and has an IAM role attached with permission to an S3 bucket containing sensitive data via an IAM policy, or via a bucket policy, or via both an IAM policy and bucket policy. <br/> Prerequisite: [Enable data-aware security for S3 buckets in Defender CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). 
| +| Internet exposed EC2 instance has high severity vulnerabilities and read permission to S3 bucket | An AWS EC2 instance is reachable from the internet, has high severity vulnerabilities and has an IAM role attached with permission to an S3 bucket via an IAM policy, or via a bucket policy, or via both an IAM policy and a bucket policy. | +| Internet exposed EC2 instance has high severity vulnerabilities and read permission to a S3 bucket with sensitive data | An AWS EC2 instance is reachable from the internet has high severity vulnerabilities and has an IAM role attached with permission to an S3 bucket containing sensitive data via an IAM policy, or via a bucket policy, or via both an IAM policy and bucket policy. <br/> Prerequisite: [Enable data-aware security for S3 buckets in Defender CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). | | Internet exposed EC2 instance has high severity vulnerabilities and read permission to a KMS | An AWS EC2 instance is reachable from the internet, has high severity vulnerabilities and has an IAM role attached with permission to an AWS Key Management Service (KMS) via an IAM policy, or via an AWS Key Management Service (KMS) policy, or via both an IAM policy and an AWS KMS policy.|-| Internet exposed EC2 instance has high severity vulnerabilities | An AWS EC2 instance is reachable from the internet and has high severity vulnerabilities. | -| EC2 instance with high severity vulnerabilities has high privileged permissions to an account | An AWS EC2 instance has high severity vulnerabilities and has permissions to an account. | -| EC2 instance with high severity vulnerabilities has read permissions to a data store |An AWS EC2 instance has high severity vulnerabilities and has an IAM role attached which is granted with permissions to an S3 bucket via an IAM policy or via a bucket policy, or via both an IAM policy and a bucket policy. 
| -| EC2 instance with high severity vulnerabilities has read permissions to a data store with sensitive data (Preview) | An AWS EC2 instance has high severity vulnerabilities and has an IAM role attached which is granted with permissions to an S3 bucket containing sensitive data via an IAM policy or via a bucket policy, or via both an IAM and bucket policy. <br/> Prerequisite: [Enable data-aware security for S3 buckets in Defender CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). | +| Internet exposed EC2 instance has high severity vulnerabilities | An AWS EC2 instance is reachable from the internet and has high severity vulnerabilities. | +| EC2 instance with high severity vulnerabilities has high privileged permissions to an account | An AWS EC2 instance has high severity vulnerabilities and has permissions to an account. | +| EC2 instance with high severity vulnerabilities has read permissions to a data store |An AWS EC2 instance has high severity vulnerabilities and has an IAM role attached which is granted with permissions to an S3 bucket via an IAM policy or via a bucket policy, or via both an IAM policy and a bucket policy. | +| EC2 instance with high severity vulnerabilities has read permissions to a data store with sensitive data | An AWS EC2 instance has high severity vulnerabilities and has an IAM role attached which is granted with permissions to an S3 bucket containing sensitive data via an IAM policy or via a bucket policy, or via both an IAM and bucket policy. <br/> Prerequisite: [Enable data-aware security for S3 buckets in Defender CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). 
| | EC2 instance with high severity vulnerabilities has read permissions to a KMS key | An AWS EC2 instance has high severity vulnerabilities and has an IAM role attached which is granted with permissions to an AWS Key Management Service (KMS) key via an IAM policy, or via an AWS Key Management Service (KMS) policy, or via both an IAM and AWS KMS policy. | ### Azure data Prerequisite: [Enable agentless scanning](enable-vulnerability-assessment-agentl | SQL on VM has a user account with commonly used username and allows code execution on the VM (Preview) | SQL on VM has a local user account with a commonly used username (which is prone to brute force attacks), and has vulnerabilities allowing code execution and lateral movement to the underlying VM. <br/> Prerequisite: [Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md)| | SQL on VM has a user account with commonly used username and known vulnerabilities (Preview) | SQL on VM has a local user account with a commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs). <br/> Prerequisite: [Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md)| | Managed database with excessive internet exposure allows basic (local user/password) authentication (Preview) | Database can be accessed through the internet from any public IP and allows authentication using username and password (basic authentication mechanism) which exposes the DB to brute force attacks. |-| Internet exposed VM has high severity vulnerabilities and a hosted database installed (Preview) | An attacker with network access to the DB machine can exploit the vulnerabilities and gain remote code execution. 
-| Private Azure blob storage container replicates data to internet exposed and publicly accessible Azure blob storage container (Preview) | An internal Azure storage container replicates its data to another Azure storage container which is reachable from the internet and allows public access, and poses this data at risk. | -| Internet exposed Azure Blob Storage container with sensitive data is publicly accessible (Preview) | A blob storage account container with sensitive data is reachable from the internet and allows public read access without authorization required. <br/> Prerequisite: [Enable data-aware security for storage accounts in Defender CSPM](data-security-posture-enable.md).| +| Internet exposed VM has high severity vulnerabilities and a hosted database installed (Preview) | An attacker with network access to the DB machine can exploit the vulnerabilities and gain remote code execution.| +| Private Azure blob storage container replicates data to internet exposed and publicly accessible Azure blob storage container | An internal Azure storage container replicates its data to another Azure storage container which is reachable from the internet and allows public access, and poses this data at risk. | +| Internet exposed Azure Blob Storage container with sensitive data is publicly accessible | A blob storage account container with sensitive data is reachable from the internet and allows public read access without authorization required. <br/> Prerequisite: [Enable data-aware security for storage accounts in Defender CSPM](data-security-posture-enable.md).| ### AWS data | Attack path display name | Attack path description | |--|--|-| Internet exposed AWS S3 Bucket with sensitive data is publicly accessible (Preview) | An S3 bucket with sensitive data is reachable from the internet and allows public read access without authorization required. 
<br/> Prerequisite: [Enable data-aware security for S3 buckets in Defender CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). | +| Internet exposed AWS S3 Bucket with sensitive data is publicly accessible | An S3 bucket with sensitive data is reachable from the internet and allows public read access without authorization required. <br/> Prerequisite: [Enable data-aware security for S3 buckets in Defender CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). | |Internet exposed SQL on EC2 instance has a user account with commonly used username and allows code execution on the underlying compute (Preview) | Internet exposed SQL on EC2 instance has a user account with commonly used username and allows code execution on the underlying compute. <br/> Prerequisite: [Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md). | |Internet exposed SQL on EC2 instance has a user account with commonly used username and known vulnerabilities (Preview) | SQL on EC2 instance is reachable from the internet, has a local user account with a commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs). <br/> Prerequisite: [Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md) | |SQL on EC2 instance has a user account with commonly used username and allows code execution on the underlying compute (Preview) | SQL on EC2 instance has a local user account with commonly used username (which is prone to brute force attacks), and has vulnerabilities allowing code execution and lateral movement to the underlying compute. 
<br/> Prerequisite: [Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md) | | SQL on EC2 instance has a user account with commonly used username and known vulnerabilities (Preview) |SQL on EC2 instance [EC2Name] has a local user account with commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs). <br/> Prerequisite: [Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md) | |Managed database with excessive internet exposure allows basic (local user/password) authentication (Preview) | Database can be accessed through the internet from any public IP and allows authentication using username and password (basic authentication mechanism) which exposes the DB to brute force attacks. |-|Internet exposed EC2 instance has high severity vulnerabilities and a hosted database installed (Preview) | An attacker with network access to the DB machine can exploit the vulnerabilities and gain remote code execution. -| Private AWS S3 bucket replicates data to internet exposed and publicly accessible AWS S3 bucket (Preview) | An internal AWS S3 bucket replicates its data to another S3 bucket which is reachable from the internet and allows public access, and poses this data at risk. | +|Internet exposed EC2 instance has high severity vulnerabilities and a hosted database installed (Preview) | An attacker with network access to the DB machine can exploit the vulnerabilities and gain remote code execution.| +| Private AWS S3 bucket replicates data to internet exposed and publicly accessible AWS S3 bucket | An internal AWS S3 bucket replicates its data to another S3 bucket which is reachable from the internet and allows public access, and poses this data at risk. | | RDS snapshot is publicly available to all AWS accounts (Preview) | A snapshot of an RDS instance or cluster is publicly accessible by all AWS accounts. 
| | Internet exposed managed database allows basic (local user/password) authentication (Preview) | A database can be accessed through the internet and allows user/password authentication only which exposes the DB to brute force attacks. | | Internet exposed SQL on EC2 instance has a user account with commonly used username and allows code execution on the underlying compute (Preview) | SQL on EC2 instance is reachable from the internet, has a local user account with commonly used username (which is prone to brute force attacks), and has vulnerabilities allowing code execution and lateral movement to the underlying compute | | Internet exposed SQL on EC2 instance has a user account with commonly used username and known vulnerabilities (Preview) | SQL on EC2 instance is reachable from the internet, has a local user account with commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs) | | SQL on EC2 instance has a user account with commonly used username and allows code execution on the underlying compute (Preview) | SQL on EC2 instance has a local user account with commonly used username (which is prone to brute force attacks), and has vulnerabilities allowing code execution and lateral movement to the underlying compute | | SQL on EC2 instance has a user account with commonly used username and known vulnerabilities (Preview) | SQL on EC2 instance has a local user account with commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs) |-| Private AWS S3 bucket replicates data to internet exposed and publicly accessible AWS S3 bucket (Preview) | Private AWS S3 bucket is replicating data to internet exposed and publicly accessible AWS S3 bucket | -| Private AWS S3 bucket with sensitive data replicates data to internet exposed and publicly accessible AWS S3 bucket (Preview) | Private AWS S3 bucket with sensitive data is replicating data to internet exposed and publicly accessible AWS 
S3 bucket| +| Private AWS S3 bucket replicates data to internet exposed and publicly accessible AWS S3 bucket | Private AWS S3 bucket is replicating data to internet exposed and publicly accessible AWS S3 bucket | +| Private AWS S3 bucket with sensitive data replicates data to internet exposed and publicly accessible AWS S3 bucket | Private AWS S3 bucket with sensitive data is replicating data to internet exposed and publicly accessible AWS S3 bucket| | RDS snapshot is publicly available to all AWS accounts (Preview) | RDS snapshot is publicly available to all AWS accounts | ### Azure containers This section lists all of the cloud security graph components (connections and i |--|--|--| | Exposed to the internet | Indicates that a resource is exposed to the internet. Supports port filtering. [Learn more](concept-data-security-posture-prepare.md#exposed-to-the-internetallows-public-access) | Azure virtual machine, AWS EC2, Azure storage account, Azure SQL server, Azure Cosmos DB, AWS S3, Kubernetes pod, Azure SQL Managed Instance, Azure MySQL Single Server, Azure MySQL Flexible Server, Azure PostgreSQL Single Server, Azure PostgreSQL Flexible Server, Azure MariaDB Single Server, Synapse Workspace, RDS Instance | | Allows basic authentication (Preview) | Indicates that a resource allows basic (local user/password or key-based) authentication | Azure SQL Server, RDS Instance |-| Contains sensitive data (Preview) <br/> <br/> Prerequisite: [Enable data-aware security for storage accounts in Defender CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). | Indicates that a resource contains sensitive data. 
| Azure Storage Account, Azure Storage Account Container, AWS S3 bucket, Azure SQL Server, Azure SQL Database, Azure Data Lake Storage Gen2, Azure Database for PostgreSQL, Azure Database for MySQL, Azure Synapse Analytics, Azure Cosmos DB accounts | +| Contains sensitive data <br/> <br/> Prerequisite: [Enable data-aware security for storage accounts in Defender CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). | Indicates that a resource contains sensitive data. | Azure Storage Account, Azure Storage Account Container, AWS S3 bucket, Azure SQL Server, Azure SQL Database, Azure Data Lake Storage Gen2, Azure Database for PostgreSQL, Azure Database for MySQL, Azure Synapse Analytics, Azure Cosmos DB accounts | | Moves data to (Preview) | Indicates that a resource transfers its data to another resource | Storage account container, AWS S3, AWS RDS instance, AWS RDS cluster | | Gets data from (Preview) | Indicates that a resource gets its data from another resource | Storage account container, AWS S3, AWS RDS instance, AWS RDS cluster | | Has tags | Lists the resource tags of the cloud resource | All Azure and AWS resources | This section lists all of the cloud security graph components (connections and i | Member of | Indicates that the source identity is a member of the target identities group | Azure AD group, Azure AD user | Azure AD group | | Maintains | Indicates that the source Kubernetes entity manages the life cycle of the target Kubernetes entity | Kubernetes workload controller, Kubernetes replica set, Kubernetes stateful set, Kubernetes daemon set, Kubernetes jobs, Kubernetes cron job | Kubernetes pod | - ## Next steps - [Identify and analyze risks across your environment](concept-attack-path.md) |
defender-for-cloud | Concept Data Security Posture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-data-security-posture.md | -# About data-aware security posture (preview) +# About data-aware security posture As digital transformation accelerates, organizations move data to the cloud at an exponential rate using multiple data stores such as object stores and managed/hosted databases. The dynamic and complex nature of the cloud has increased data threat surfaces and risks. This causes challenges for security teams around data visibility and protecting the cloud data estate. |
defender-for-cloud | Defender For Apis Deploy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-apis-deploy.md | Title: Protect your APIs with Defender for APIs in Defender for Cloud (Preview) description: Learn about deploying the Defender for APIs plan in Defender for Cloud--++ Last updated 06/29/2023 |
defender-for-cloud | Defender For Apis Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-apis-introduction.md | Title: Overview of the Microsoft Defender for APIs plan in Microsoft Defender for Cloud description: Learn about the benefits of the Microsoft Defender for APIs plan in Microsoft Defender for Cloud Last updated 04/05/2023--++ |
defender-for-cloud | Defender For Apis Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-apis-manage.md | Title: Manage the Defender for APIs plan in Microsoft Defender for Cloud description: Manage your Defender for APIs deployment in Microsoft Defender for Cloud--++ Last updated 03/23/2023 |
defender-for-cloud | Defender For Apis Posture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-apis-posture.md | Title: Investigate your API security findings and posture in Microsoft Defender for Cloud description: Learn how to analyze your API security alerts and posture in Microsoft Defender for Cloud--++ Last updated 05/08/2023 |
defender-for-cloud | Defender For Apis Prepare | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-apis-prepare.md | Title: Support and prerequisites for deploying the Defender for APIs plan in Microsoft Defender for Cloud description: Learn about the requirements for Defender for APIs deployment in Microsoft Defender for Cloud--++ Last updated 03/23/2023 |
defender-for-cloud | Defender For Containers Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-containers-introduction.md | You can learn more about [Kubernetes data plane hardening](kubernetes-workload-p ## Vulnerability assessment -Defender for Containers scans the containers in Azure Container Registry (ACR) and Amazon AWS Elastic Container Registry (ECR) to notify you if there are known vulnerabilities in your images. When the scan completes, Defender for Containers provides details for each vulnerability detected, a security classification for each vulnerability detected, and guidance on how to remediate issues and protect vulnerable attack surfaces. +Defender for Containers scans the container images in Azure Container Registry (ACR) and Amazon AWS Elastic Container Registry (ECR) to notify you if there are known vulnerabilities in your images. When the scan completes, Defender for Containers provides details for each vulnerability detected, a security classification for each vulnerability detected, and guidance on how to remediate issues and protect vulnerable attack surfaces. Learn more about: |
defender-for-cloud | Express Configuration Azure Commands | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/express-configuration-azure-commands.md | Title: Express configuration Azure Command Line Interface (CLI) commands reference description: In this article, you can review the Express configuration Azure Command Line Interface (CLI) commands reference and copy example scripts to use in your environments. --++ Last updated 06/04/2023 |
defender-for-cloud | Express Configuration Powershell Commands | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/express-configuration-powershell-commands.md | Title: Express configuration PowerShell commands reference description: In this article, you can review the Express configuration PowerShell commands reference and copy example scripts to use in your environments. --++ Last updated 06/04/2023 |
defender-for-cloud | Express Configuration Sql Commands | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/express-configuration-sql-commands.md | Title: Express configuration PowerShell wrapper module description: In this article, you can review the express configuration SQL vulnerability assessment PowerShell commands reference and copy example scripts to use in your environments. --++ Last updated 06/01/2023 |
defender-for-cloud | Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/release-notes.md | Title: Release notes for Microsoft Defender for Cloud description: This page is updated frequently with the latest updates in Defender for Cloud. Previously updated : 06/25/2023 Last updated : 06/28/2023 # What's new in Microsoft Defender for Cloud? To learn about *planned* changes that are coming soon to Defender for Cloud, see If you're looking for items older than six months, you can find them in the [Archive for What's new in Microsoft Defender for Cloud](release-notes-archive.md). +## July 2023 ++Updates in July include: ++|Date |Update | +||| +| July 1 | [Data Aware Security Posture is now Generally Available](#data-aware-security-posture-is-now-generally-available) | ++### Data Aware Security Posture is now Generally Available ++July 1, 2023 ++Data-aware security posture in Microsoft Defender for Cloud is now Generally Available. It helps customers to reduce data risk, and respond to data breaches. Using data-aware security posture you can: ++- Automatically discover sensitive data resources across Azure and AWS. +- Evaluate data sensitivity, data exposure, and how data flows across the organization. +- Proactively and continuously uncover risks that might lead to data breaches. +- Detect suspicious activities that might indicate ongoing threats to sensitive data resources ++For more information, see [Data-aware security posture in Microsoft Defender for Cloud](concept-data-security-posture.md). 
+ ## June 2023 Updates in June include: Updates in June include: |Date |Update | ||| | June 26 | [Streamlined multicloud account onboarding with enhanced settings](#streamlined-multicloud-account-onboarding-with-enhanced-settings) |- June 25 | [Private Endpoint support for Malware Scanning in Defender for Storage](#private-endpoint-support-for-malware-scanning-in-defender-for-storage) +| June 25 | [Private Endpoint support for Malware Scanning in Defender for Storage](#private-endpoint-support-for-malware-scanning-in-defender-for-storage) | June 15 | [Control updates were made to the NIST 800-53 standards in regulatory compliance](#control-updates-were-made-to-the-nist-800-53-standards-in-regulatory-compliance) | |June 11 | [Planning of cloud migration with an Azure Migrate business case now includes Defender for Cloud](#planning-of-cloud-migration-with-an-azure-migrate-business-case-now-includes-defender-for-cloud) | |June 7 | [Express configuration for vulnerability assessments in Defender for SQL is now Generally Available](#express-configuration-for-vulnerability-assessments-in-defender-for-sql-is-now-generally-available) | |
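Review bot: the new July 1 entry is dated July 1, 2023, but the page metadata in the same change only moves `Last updated` from 06/25/2023 to 06/28/2023, so the page will claim it was last updated before the event it announces; bump the date to match. The entry also mixes "Data Aware Security Posture" (heading and table row) with "Data-aware security posture" (body text and the linked concept article); the hyphenated form matches the article title. The last bullet, "Detect suspicious activities that might indicate ongoing threats to sensitive data resources", is missing the terminating period the other three bullets have.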
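Review bot: the corrected June 25 row in the June table still lacks the trailing pipe every other row has. `+| June 25 | [Private Endpoint support for Malware Scanning in Defender for Storage](#private-endpoint-support-for-malware-scanning-in-defender-for-storage)` should end with ` |`, as the June 26 and June 15 rows do, so the row renders consistently.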
devtest-labs | Devtest Lab Resize Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/devtest-lab-resize-vm.md | description: Learn how to change the size of a virtual machine (VM) in Azure Dev Previously updated : 02/15/2022+ Last updated : 06/30/2023 # Resize a lab VM in Azure DevTest Labs |
devtest-labs | Network Isolation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/network-isolation.md | description: Learn how to enable and configure network isolation for labs in Azu Previously updated : 03/21/2022+ Last updated : 06/30/2023 # Network isolation in Azure DevTest Labs To enable network isolation for the **Default** virtual network and subnet that 1. Next to **Isolate lab resources**, select **Yes**. 1. Finish creating the lab. - + :::image type="content" source="./media/network-isolation/isolate-lab-resources.png" alt-text="Screenshot that shows enabling network isolation for the default network."::: After you create the lab, no further action is needed. The lab handles isolating resources from now on. To use a different, existing virtual network for the lab, and enable network iso 1. During [lab creation](devtest-lab-create-lab.md), on the **Networking** tab of the **Create DevTest Lab** screen, select a network from the dropdown list. The list only shows networks in the same region and subscription as the lab. -  + :::image type="content" source="./media/network-isolation/create-lab.png" alt-text="Screenshot that shows selecting a virtual network."::: 1. Select a subnet. -  + :::image type="content" source="./media/network-isolation/create-lab-subnet.png" alt-text="Screenshot that shows selecting a subnet."::: 1. Next to **Isolate lab resources**, select **Yes**. -  + :::image type="content" source="./media/network-isolation/isolate-my-vnet.png" alt-text="Screenshot that shows enabling network isolation for a selected network."::: 1. Finish creating the lab. If you enabled network isolation for a virtual network other than the default, c  1. On the storage account page, select **Networking** from the left navigation. 
On the **Firewalls and virtual networks** tab, ensure that **Allow Azure services on the trusted services list to access this storage account.** is selected.+ + :::image type="content" source="./media/network-isolation/allow-trusted-services.png" alt-text="Screenshot that shows allowing trusted services access to a resource group."::: DevTest Labs is a [trusted Microsoft service](../storage/common/storage-network-security.md#trusted-microsoft-services), so selecting this option lets the lab operate normally in a network isolated mode. 1. Select **Add existing virtual network**. -  + :::image type="content" source="./media/network-isolation/add-existing-virtual-network.png" alt-text="Screenshot that shows the resource group networking pane with add existing virtual network highlighted."::: -1. On the **Add networks** pane, select the virtual network and subnet you chose when you created the lab, and then select **Enable**. --  +1. On the **Add networks** pane, select the virtual network and subnet you chose when you created the lab, and then select **Add**. -1. Once the service endpoint is successfully enabled, select **Add**. + :::image type="content" source="./media/network-isolation/add-network-pane.png" alt-text="Screenshot that shows the add network pane with virtual networks, subnets, and Add highlighted."::: 1. On the **Networking** page, select **Save**.--  + Azure Storage now allows inbound connections from the added virtual network, which enables the lab to operate successfully in a network isolated mode. You can automate these steps with PowerShell or Azure CLI to configure network i 1. On the resource group **Overview** page, select the lab's key vault. -  + :::image type="content" source="./media/network-isolation/key-vault.png" alt-text="Screenshot that shows selecting the lab's key vault."::: -1. On the key vault page, select **Networking** from the left navigation. 
On the **Firewalls and virtual networks** tab, ensure that **Allow trusted Microsoft services to bypass this firewall** is set to **Yes**. +1. On the key vault page, select **Networking** from the left navigation. On the **Firewalls and virtual networks** tab, ensure that **Allow trusted Microsoft services to bypass this firewall** is selected. -1. Select **Add existing virtual networks**. + :::image type="content" source="./media/network-isolation/key-vault-allow-access.png" alt-text="Screenshot that shows allowing trusted services access to a key vault."::: -  +1. Select **Add existing virtual networks**. + + :::image type="content" source="./media/network-isolation/networking-key-vault.png" alt-text="Screenshot that shows the key vault networking pane with add existing virtual network highlighted."::: 1. On the **Add networks** pane, select the virtual network and subnet you chose when you created the lab, and then select **Enable**.+ + :::image type="content" source="./media/network-isolation/key-vault-enable-network.png" alt-text="Screenshot that shows enabling a virtual network and subnet in a key vault."::: 1. Once the service endpoint is successfully enabled, select **Add**.-+ + :::image type="content" source="./media/network-isolation/key-vault-add-network.png" alt-text="Screenshot that shows adding a virtual network and subnet in a key vault."::: 1. On the **Networking** page, select **Save**. ## Considerations |
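Review bot: the storage account and key vault sections now describe different flows for the same **Add networks** pane. For the storage account, the edit collapses "select **Enable**" plus "Once the service endpoint is successfully enabled, select **Add**" into a single "select **Add**", while the key vault section keeps the two-step Enable-then-Add sequence and adds a screenshot for each step. If the portal behaves the same for both resource types, align the key vault steps with the storage account steps; if the key vault genuinely requires the explicit service endpoint enablement, one sentence saying so would stop readers from treating the difference as an error.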
digital-twins | Concepts Models | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/concepts-models.md | In DTDL v2, semantic types are natively supported. For more information on seman The following example shows a DTDL v2 Sensor model with a semantic type telemetry for Temperature, and a semantic type property for Humidity. > [!NOTE] > *"Property"* or *"Telemetry"* must be the first element of the `@type` array, followed by the semantic type. Otherwise, the field may not be visible in [Azure Digital Twins Explorer](concepts-azure-digital-twins-explorer.md). |
event-hubs | Event Hubs Dedicated Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-dedicated-overview.md | With self-serve scalable clusters, you can purchase up to 10 CUs for a cluster i If you need a cluster larger than 10 CU, you can [submit a support request](event-hubs-dedicated-cluster-create-portal.md#submit-a-support-request) to scale up your cluster after its creation. > [!IMPORTANT] -> Self-serve scalable Dedicated clusters currently don't support [availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones). If you need to use AZ with your Dedicated cluster, then you need to explicitly create a Legacy Dedicated cluster. +> Self-serve scalable Dedicated can be deployed with [availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones) enabled with 3 CUs but you won't be able to use the self-serve scaling capability to scale the cluster. You must instead [submit a support request](event-hubs-> Dedicated-cluster-create-portal.md#submit-a-support-request) to scale the AZ enabled cluster. ### Legacy clusters Event Hubs Dedicated clusters created prior to the availability of self-serve scalable clusters are referred to as legacy clusters. |
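Review bot: the link target in the rewritten IMPORTANT note is broken. `[submit a support request](event-hubs-> Dedicated-cluster-create-portal.md#submit-a-support-request)` has the blockquote marker `> ` inside the URL, so the rendered link will not resolve; the target should be the same one used a few lines above, `event-hubs-dedicated-cluster-create-portal.md#submit-a-support-request`, kept on a single line. The first sentence is also missing a noun: "Self-serve scalable Dedicated can be deployed" should read "Self-serve scalable Dedicated clusters can be deployed".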
expressroute | About Public Peering | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/about-public-peering.md | Title: Create and manage Azure ExpressRoute public peering description: Learn about and manage Azure public peering - Previously updated : 12/16/2019 Last updated : 06/30/2023 - # Create and manage ExpressRoute public peering This article helps you create and manage public peering routing configuration fo ## Connectivity -Connectivity is always initiated from your WAN to Microsoft Azure services. Microsoft Azure services will not be able to initiate connections into your network through this routing domain. If your ExpressRoute circuit is enabled for Azure public peering, you can access the [public IP ranges used in Azure](../virtual-network/ip-services/public-ip-addresses.md#public-ip-addresses) over the circuit. +Connectivity is always initiated from your WAN to Microsoft Azure services. Microsoft Azure services can't initiate connections into your network through this routing domain. If your ExpressRoute circuit is enabled for Azure public peering, you can access the [public IP ranges used in Azure](../virtual-network/ip-services/public-ip-addresses.md#public-ip-addresses) over the circuit. -Once public peering is enabled, you can connect to most Azure services. We do not allow you to selectively pick services for which we advertise routes to. +Once public peering is enabled, you can connect to most Azure services. We don't allow you to selectively pick services for which we advertise routes to. * Services such as Azure Storage, SQL Databases, and Websites are offered on public IP addresses. * Through the public peering routing domain, you can privately connect to services hosted on public IP addresses, including VIPs of your cloud services. Once public peering is enabled, you can connect to most Azure services. We do no ## <a name="services"></a>Services -This section shows the services available over public peering. 
Because public peering is deprecated, there is no plan to add new or additional services to public peering. If you use public peering and the service you want to use is supported only over Microsoft peering, you must switch to Microsoft peering. See [Microsoft peering](expressroute-faqs.md#microsoft-peering) for a list of supported services. +This section shows the services available over public peering. Because public peering is deprecated, there's no plan to add new or more services to public peering. If you use public peering and the service you want to use is support only over Microsoft peering, you must switch to Microsoft peering. See [Microsoft peering](expressroute-faqs.md#microsoft-peering) for a list of supported services. **Supported:** This section shows the services available over public peering. Because public pe * Multi-factor Authentication Server (legacy) * Traffic Manager -To validate availability for a specific service, you can check the documentation for that service to see if there is a reserved range published for that service. Then you may look up the IP ranges of the target service and compare with the ranges listed in the [Azure IP Ranges and Service Tags ΓÇô Public Cloud XML file](https://www.microsoft.com/download/details.aspx?id=56519). Alternatively, you can open a support ticket for the service in question for clarification. +To validate availability for a specific service, you can check the documentation for that service to see if there's a reserved range published for that service. Then you may look up the IP ranges of the target service and compare with the ranges listed in the [Azure IP Ranges and Service Tags ΓÇô Public Cloud XML file](https://www.microsoft.com/download/details.aspx?id=56519). Alternatively, you can open a support ticket for the service in question for clarification. 
## <a name="compare"></a>Peering comparison You can define custom route filters within your network to consume only the rout [!INCLUDE [CloudShell](../../includes/expressroute-cloudshell-powershell-about.md)] -Because public peering is deprecated, you cannot configure public peering on a new ExpressRoute circuit. +Because public peering is deprecated, you can't configure public peering on a new ExpressRoute circuit. 1. Verify that you have an ExpressRoute circuit that is provisioned and also enabled. Use the following example: Because public peering is deprecated, you cannot configure public peering on a n ``` 2. Configure Azure public peering for the circuit. Make sure that you have the following information before you proceed further. - * A /30 subnet for the primary link. This must be a valid public IPv4 prefix. - * A /30 subnet for the secondary link. This must be a valid public IPv4 prefix. + * A /30 subnet for the primary link. This IP must be a valid public IPv4 prefix. + * A /30 subnet for the secondary link. This IP must be a valid public IPv4 prefix. * A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID. * AS number for peering. You can use both 2-byte and 4-byte AS numbers. * Optional: Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt [!INCLUDE [CloudShell](../../includes/expressroute-cloudshell-powershell-about.md)] -1. Check the ExpressRoute circuit to ensure it is provisioned and also enabled. Use the following example: +1. Check the ExpressRoute circuit to ensure it's provisioned and also enabled. Use the following example: ```azurecli-interactive az network express-route list Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt 2. Configure Azure public peering for the circuit. Make sure that you have the following information before you proceed further. - * A /30 subnet for the primary link. This must be a valid public IPv4 prefix. - * A /30 subnet for the secondary link. 
This must be a valid public IPv4 prefix. + * A /30 subnet for the primary link. This IP must be a valid public IPv4 prefix. + * A /30 subnet for the secondary link. This IP must be a valid public IPv4 prefix. * A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID. * AS number for peering. You can use both 2-byte and 4-byte AS numbers. * **Optional -** An MD5 hash if you choose to use one. az network express-route peering delete -g ExpressRouteResourceGroup --circuit-n ## <a name="portal"></a>Azure portal steps -To configure peering, use the PowerShell or CLI steps contained in this article. To manage a peering, you can use the sections below. For reference, these steps look similar to managing a [Microsoft peering in the portal](expressroute-howto-routing-portal-resource-manager.md#msft). +To configure peering, use the PowerShell or CLI steps contained in this article. To manage a peering, you can use the following sections. For reference, these steps look similar to managing a [Microsoft peering in the portal](expressroute-howto-routing-portal-resource-manager.md#msft). ### <a name="get"></a>To view Azure public peering details |
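Review bot: the rewritten services paragraph introduces a typo and a weaker phrase: "is support only over Microsoft peering" should be "is supported only over Microsoft peering", and "no plan to add new or more services" reads oddly where the removed line's "new or additional services" was clear. The following paragraph also carries the mis-encoded en dash in the link text `Azure IP Ranges and Service Tags ΓÇô Public Cloud XML file` over unchanged; since the line is being touched anyway, replace `ΓÇô` with a plain hyphen or a proper en dash.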
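Review bot: in both the PowerShell and the CLI prerequisite lists, replacing "This must be a valid public IPv4 prefix" with "This IP must be a valid public IPv4 prefix" makes the sentence inaccurate. The item is a /30 subnet, a prefix covering four addresses, not a single IP address. "This subnet must be a valid public IPv4 prefix" keeps the original meaning while still naming the subject, which seems to be the intent of the change.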
expressroute | About Upgrade Circuit Bandwidth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/about-upgrade-circuit-bandwidth.md | -ExpressRoute is a dedicated and private connection to Microsoft's global network. Connectivity is facilitated by an ExpressRoute partner's network, or a direct connection to the Microsoft Enterprise Edge (MSEE) devices. Once physical connectivity has been configured and tested, you can enable layer-2 and layer-3 connectivity by creating an ExpressRoute circuit and configuring peering. +ExpressRoute is a dedicated and private connection to Microsoft's global network. Connectivity is facilitated through an ExpressRoute partner's network, or a direct connection to the Microsoft Enterprise Edge (MSEE) devices. Once physical connectivity has been configured and tested, you can enable layer-2 and layer-3 connectivity by creating an ExpressRoute circuit and configuring peering. ## <a name="considerations"></a>Capacity considerations ### Insufficient capacity for physical connection -An ExpressRoute circuit is created on a physical connection between Microsoft and a ExpressRoute Partner. The physical connection has a fixed capacity. If you're unable to increase your circuit size that means that the underlying physical connection for your existing circuit doesnΓÇÖt have capacity for the upgrade. You'll need to create a new circuit if you want to change the circuit size. +An ExpressRoute circuit is created on a physical connection between Microsoft and a ExpressRoute Partner. The physical connection has a fixed capacity. If you're unable to increase your circuit size that means that the underlying physical connection for your existing circuit doesnΓÇÖt have capacity for the upgrade. You need to create a new circuit if you want to change the circuit size. -After you've successfully created the new ExpressRoute circuit you should link your existing virtual networks to this circuit. 
You can then test and validate the connectivity of the new ExpressRoute circuit before you deprovision the old circuit. These are the recommended migration steps to minimize down time and disruption to your production work load. +After you've successfully created the new ExpressRoute circuit, you should link your existing virtual networks to this circuit. You can then test and validate the connectivity of the new ExpressRoute circuit before you deprovision the old circuit. These recommended migration steps minimize down time and disruption to your production work load. ### <a name="bandwidth"></a>Insufficient ExpressRoute partner bandwidth |
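Review bot: the rewritten capacity paragraph keeps two defects from the removed line: "a ExpressRoute Partner" should be "an ExpressRoute Partner", and the mis-encoded apostrophe in `doesnΓÇÖt` is carried over unchanged. "If you're unable to increase your circuit size that means that" also needs a comma after "size". In the migration paragraph, "down time" and "work load" are normally written "downtime" and "workload".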
expressroute | Bgp Communities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/bgp-communities.md | A Border Gateway Protocol (BGP) community is a group of IP prefixes that share a * Access a predefined regional BGP community value for all your virtual networks deployed in a region. -Once these values are configured on your virtual networks, ExpressRoute will preserve them on the corresponding private IP prefixes shared with your on-premises. When these prefixes are learned on-premises, they're learned along with the configured BGP community values. +Once these values are configured on your virtual networks, ExpressRoute preserves them on the corresponding private IP prefixes shared with your on-premises. When these prefixes are learned on-premises, they're learned along with the configured BGP community values. ## Using community values for multi-region networks A common scenario for when to use ExpressRoute is when you want to access workloads deployed in an Azure virtual network. ExpressRoute facilitates the exchange of Azure and on-premises private IP address ranges using a BGP session over a private connection. This feature enables a seamless extension of your existing networks into the cloud. -When you have multiple ExpressRoute connections to virtual networks in different Azure regions, traffic can take more than one path. A hybrid network architecture diagram below demonstrates the emergence of a suboptimal route when establishing a mesh network with multiple regions and ExpressRoute circuits: +When you have multiple ExpressRoute connections to virtual networks in different Azure regions, traffic can take more than one path. 
A hybrid network architecture diagram demonstrates the emergence of a suboptimal route when establishing a mesh network with multiple regions and ExpressRoute circuits: :::image type="content" source="./media/bgp-communities/bgp-community.png" alt-text="Diagram of optimal and suboptimal routing with ExpressRoute."::: To ensure traffic going to **Region A** takes the optimal path over **ER Circuit 1**, the customer could configure a route filter on-premises to ensure that **Region A** routes gets only learned at the customer edge from **ER Circuit 1**, and not learned at all by **ER Circuit 2**. This approach requires you to maintain a comprehensive list of IP prefixes in each region and regularly update this list whenever a new virtual network gets added or a private IP address space gets expanded in the cloud. As you continue to grow your presence in the Cloud, this burden can become excessive. -When virtual network IP prefixes gets learned on-premises with custom and regional BGP community values, you can configure your route filters based on these values instead of specific IP prefixes. When you decide to expand your address spaces or create more virtual networks in an existing region, you don't need to modify your route filter. The route filter will already have rules for the corresponding community values. With the use of BGP communities, your multi-region hybrid networking will be simplified. +When virtual network IP prefixes gets learned on-premises with custom and regional BGP community values, you can configure your route filters based on these values instead of specific IP prefixes. When you decide to expand your address spaces or create more virtual networks in an existing region, you don't need to modify your route filter. The route filter already has rules for the corresponding community values. With the use of BGP communities, your multi-region hybrid networking is simplified. 
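Review bot: the `+` line keeps the subject-verb error from the `-` line, "When virtual network IP prefixes gets learned on-premises" should be "get learned", and the unchanged paragraph above has the same problem in "Region A routes gets only learned" (should be "get learned only"). While the paragraph is being reworded it should also carry a practitioner check: a route filter keyed on community values only does its job if those values actually arrive at the customer edge, so the text should advise verifying that the received prefixes carry the expected community values before the prefix-based filter is removed. If they do not, the community-based filter matches nothing and, depending on how it is written, either accepts every route or drops every route, which defeats the "optimal path over ER Circuit 1" goal the first paragraph sets out.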
## Other uses of BGP communities -Another reason to configure a BGP community value on a virtual network connected to ExpressRoute is to understand where traffic is originating from within an Azure region. As you deploy more virtual networks and adopt more complex network topologies within an Azure region, troubleshooting connectivity and performance issues can become more difficult. With custom BGP community values configured on each virtual network within a region, you can quickly identify where the traffic was originating from in Azure. Being able to identify the source virtual network will help you narrow down your investigation. +Another reason to configure a BGP community value on a virtual network connected to ExpressRoute is to understand where traffic is originating from within an Azure region. As you deploy more virtual networks and adopt more complex network topologies within an Azure region, troubleshooting connectivity and performance issues can become more difficult. With custom BGP community values configured on each virtual network within a region, you can quickly identify where the traffic was originating from in Azure. Being able to identify the source virtual network helps you narrow down your investigation. ## Next steps |
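Review bot: the tense change is fine, but "quickly identify where the traffic was originating from in Azure" overstates what a BGP community gives you; the community is attached to a prefix advertisement, not to packets, so what you identify is the virtual network that advertised the prefix containing the source address. Suggest "identify which virtual network a source prefix was advertised from" so the troubleshooting claim matches the mechanism described in the preceding sections.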
expressroute | Cross Network Connectivity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/cross-network-connectivity.md | description: This page describes an application scenario for cross network conne Previously updated : 04/03/2019 Last updated : 06/30/2023 # Cross-network connectivity -Fabrikam Inc. has a large physical presence and Azure deployment in East US. Fabrikam has back-end connectivity between its on-premises and Azure deployments via ExpressRoute. Similarly, Contoso Ltd. has a presence and Azure deployment in West US. Contoso has back-end connectivity between its on-premises and Azure deployments via ExpressRoute. +Fabrikam Inc. has a large physical presence and Azure deployment in East US. Fabrikam has a back-end connectivity between its on-premises and Azure deployments through ExpressRoute. Similarly, Contoso Ltd. has a presence and Azure deployment in West US. Contoso has a back-end connectivity between its on-premises and Azure deployments through ExpressRoute. Fabrikam Inc. acquires Contoso Ltd. Following the merger, Fabrikam wants to interconnect the networks. The following figure illustrates the scenario:  -The dashed arrows in the middle of the above figure indicate the desired network interconnections. Specifically, there are three types cross connections desired: 1) Fabrikam and Contoso VNets cross connect, 2) Cross regional on-premises and VNets cross connects (that is, connecting Fabrikam on-premises network to Contoso VNet and connecting Contoso on-premises network to Fabrikam VNet), and 3) Fabrikam and Contoso on-premises network cross connect. +The dashed arrows in the middle of the above figure indicate the desired network interconnections. Specifically, there are three types cross connections desired: ++1. Fabrikam and Contoso virtual network cross connect +1. Cross regional on-premises and virtual network cross connects. 
That is, connecting Fabrikam on-premises network to Contoso virtual network and connecting Contoso on-premises network to Fabrikam virtual network. +1. Fabrikam and Contoso on-premises network cross connect The following table shows the route table of the private peering of the ExpressRoute of Contoso Ltd., before the merger. The following table shows the routes known to the Fabrikam subscription VM. Pay  -VNet peering directly links two virtual networks (see there are no next hop for *VNetGlobalPeering* entry in the above two tables) +VNet peering directly links two virtual networks (see there are no next hop for *VNetGlobalPeering* entry in the two tables) ## Cross connecting VNets to the on-premises networks |
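Review bot: the `+` lines introduce a grammatical regression: "has a back-end connectivity" is wrong because connectivity is uncountable, and the `-` lines' "has back-end connectivity" should be kept. "there are three types cross connections desired" is missing "of" in both versions. In the new numbered list, item 2 is split from its explanation, "That is, connecting Fabrikam on-premises network to Contoso virtual network and connecting Contoso on-premises network to Fabrikam virtual network", which will render as a separate paragraph rather than part of the bullet; fold it into the item. The parenthetical "(see there are no next hop for *VNetGlobalPeering* entry in the two tables)" should read "note that there is no next hop for the *VNetGlobalPeering* entry in the two tables".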
expressroute | Expressroute Asymmetric Routing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-asymmetric-routing.md | Title: 'Azure ExpressRoute: Asymmetric routing' description: This article walks you through the issues you might face with asymmetric routing in a network that has multiple links to a destination. - Previously updated : 12/14/2020 Last updated : 06/30/2023 - + # Asymmetric routing with multiple network paths+ This article explains how network traffic might take different paths when multiple routes are available between network source and destination. There are two concepts you need to know to understand asymmetric routing. The first is the effect of multiple network paths. The other is how devices, like a firewall keep state. These types of devices are called stateful devices. When these two factors are combined, they can create a scenario in which network traffic gets dropped by the stateful device. The traffic is dropped because it didn't detect that the traffic originated from itself. ## Multiple network paths+ When an enterprise network has only one link to the internet through an internet service provider, all traffic to and from the internet travels the same path. It's common that companies purchase multiple circuits to create redundant paths to improve network uptime. With this type of configuration it's possible that traffic goes out one link to the internet and returns through a different link. This scenario is commonly known as asymmetric routing. In asymmetric routing, the return network traffic takes a different path from the original out going flow.  Although asymmetric routing usually occurs when going to the internet. It also happens when a combination of multiple paths gets introduced. The first example is when you have an internet path and a private path that goes to the same destination. 
The second example is when you have multiple private paths that are also going to the same destination. -Each router along the path between the source and destination will compute the best path to take to reach the destination. The router determines of best possible path based on two main factors: +Each router along the path between the source and destination computes the best path to take to reach the destination. The router determines of best possible path based on two main factors: * Routing between external networks is based on a routing protocol, Border Gateway Protocol (BGP). BGP takes advertisements from neighbors and runs them through a series of steps to determine the best path to the intended destination. It stores the best path in its routing table.-* The length of a subnet mask associated with a route influences routing paths. If a router receives multiple advertisements for the same IP address, the router will select the path with the longer subnet mask because it's considered a more specific route. +* The length of a subnet mask associated with a route influences routing paths. If a router receives multiple advertisements for the same IP address, the router selects the path with the longer subnet mask because it's considered a more specific route. ## Stateful devices+ Routers look at the IP header of a packet for routing purposes. Some devices look even deeper inside the packet. Typically, these devices look at Layer 4 - Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), or even Layer 7 (Application Layer) headers. These kinds of devices are either security devices or bandwidth-optimization devices. A firewall is a common example of a stateful device. A firewall permits or rejects packets to pass through its interfaces based on various criteria. These criteria include but aren't limited to protocol, TCP/UDP port, and URL headers. This level of packet inspection can put a heavy processing load on the device. 
A firewall is a common example of a stateful device. A firewall permits or rejec To improve performance, the firewall inspects the first packet of a flow. If it allows the packet to pass through its interfaces, it keeps the flow information in its state table. Any ensuing packets related to this flow are then allowed based on the initial determination. A packet that is part of an existing flow may arrive at the firewall of which it didn't originate from. Since it has no prior state information about the initial flow, the firewall drops the packet. ## Asymmetric routing with ExpressRoute+ When you connect to Microsoft through Azure ExpressRoute, your network changes like this: * You have multiple links to Microsoft. One link is your existing Internet connection, and the other is through your ExpressRoute connection. Certain traffic destined for Microsoft might go through the internet connection but return over your ExpressRoute connection. The same can also happen when traffic goes over ExpressRoute but return over the internet path.-* You received more specific IP addresses from the ExpressRoute circuit. So when traffic from your network goes to Microsoft for services offered through ExpressRoute, your routers will always prefer the ExpressRoute connection. +* You received more specific IP addresses from the ExpressRoute circuit. So when traffic from your network goes to Microsoft for services offered through ExpressRoute, your routers always prefer the ExpressRoute connection. To understand the effect of how these two changes have on a network, letΓÇÖs consider some scenarios. As an example, you have a circuit to the internet and you consume all Microsoft services through the internet. The traffic from your network to and from Microsoft traverses the same internet link and passes through a firewall. The firewall records the flow when it sees the first packet. Every ensuing packets of that conversation are permitted because the flow exists in the state table. 
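Review bot: "The router determines of best possible path based on two main factors" is still wrong in the `+` line and should be "determines the best possible path". Two issues in the unchanged context this hunk sits in should be fixed in the same pass: "The traffic is dropped because it didn't detect that the traffic originated from itself" is hard to parse, and the Stateful devices section below gives the actual reason, the device never saw the first packet of the flow so it has no state entry, which is what the introduction should say; and "letΓÇÖs" is a mis-encoded apostrophe that should be "let's". The sentence "A packet that is part of an existing flow may arrive at the firewall of which it didn't originate from" should be "may arrive at a firewall that did not see the flow's first packet".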
To understand the effect of how these two changes have on a network, letΓÇÖs con You then bring up an ExpressRoute circuit to consume services offered by Microsoft over ExpressRoute. All other services from Microsoft are consumed over the internet. You deploy a separate firewall at your edge that is connected to ExpressRoute connection. Microsoft advertises more specific prefixes to your network over ExpressRoute for certain services. Your routing infrastructure chooses ExpressRoute as the preferred path for those prefixes. -If you don't advertise your public IP addresses to Microsoft over ExpressRoute. Microsoft will communicate with your public IP addresses through the internet. Traffic sent from your network to Microsoft uses the ExpressRoute connection but the return traffic from Microsoft will then use the internet path. When the firewall at your edge sees a response packet for a flow that it doesn't know about, it will drop those packets. +If you don't advertise your public IP addresses to Microsoft over ExpressRoute. Microsoft communicates with your public IP addresses through the internet. Traffic sent from your network to Microsoft uses the ExpressRoute connection but the return traffic from Microsoft uses the internet path. When the firewall at your edge sees a response packet for a flow that it doesn't know about, it drops those packets. -If you choose to advertise the same network address translation (NAT) pool for ExpressRoute and for the internet. You'll see similar issues with the clients in your network on private IP addresses. Requests for services like Windows Update will go through the internet because IP addresses for these services aren't advertised over ExpressRoute. However, the return traffic will come back through ExpressRoute. Since Microsoft received an IP address with the same subnet mask from the internet and ExpressRoute, the preferred path is always ExpressRoute. 
If a firewall or another stateful device on your network edge facing the ExpressRoute connection has no prior information about a flow, it will drop those packets. +If you choose to advertise the same network address translation (NAT) pool for ExpressRoute and for the internet. You see similar issues with the clients in your network on private IP addresses. Requests for services like Windows Update will go through the internet because IP addresses for these services aren't advertised over ExpressRoute. However, the return traffic comes back through ExpressRoute. Since Microsoft received an IP address with the same subnet mask from the internet and ExpressRoute, the preferred path is always ExpressRoute. If a firewall or another stateful device on your network edge facing the ExpressRoute connection has no prior information about a flow, it drops those packets. ## Asymmetric routing solutions You have two available options to solve the problem of asymmetric routing. The first is through routing, and the second is by using a source-based NAT (SNAT). You have two available options to solve the problem of asymmetric routing. The f ### Routing Make sure your public IP addresses are advertised to appropriate wide area network (WAN) links. For example, if you want to use the internet for authentication traffic and ExpressRoute for your mail traffic. Don't advertise your Active Directory Federation Services (AD FS) public IP addresses over ExpressRoute. Also be sure not to expose your on-premises AD FS server to IP addresses that the router receives over ExpressRoute. Routes received over ExpressRoute are more specific so they make ExpressRoute the preferred path for authentication traffic to Microsoft. If you don't pay attention to how routing is done in your network asymmetric routing problems can arise. -If you want to use ExpressRoute for authentication, make sure you're advertising AD FS public IP addresses over ExpressRoute without NAT. 
When configured this way, the traffic that originates from Microsoft goes to your on-premises AD FS server will go over ExpressRoute. The return traffic from your network that goes to Microsoft will use ExpressRoute because it's the preferred route over the internet. +If you want to use ExpressRoute for authentication, make sure you're advertising AD FS public IP addresses over ExpressRoute without NAT. When configured this way, the traffic that originates from Microsoft goes to your on-premises AD FS server will go over ExpressRoute. The return traffic from your network that goes to Microsoft uses ExpressRoute because it's the preferred route over the internet. ### Source-based NAT-Another way to solve the asymmetric routing problem is by using SNAT. For example, you choose not to advertise the public IP address of an on-premises Simple Mail Transfer Protocol (SMTP) server over ExpressRoute. Instead you intend to use the internet for this type of communication. A request originating from Microsoft that goes to your on-premises SMTP server traverses the internet. You SNAT the incoming request to an internal IP address. The return traffic from the SMTP server will go to the edge firewall (which you use for NAT) instead of through ExpressRoute. As the result, the return traffic will take the internet path. +Another way to solve the asymmetric routing problem is by using SNAT. For example, you choose not to advertise the public IP address of an on-premises Simple Mail Transfer Protocol (SMTP) server over ExpressRoute. Instead you intend to use the internet for this type of communication. A request originating from Microsoft that goes to your on-premises SMTP server traverses the internet. You SNAT the incoming request to an internal IP address. The return traffic from the SMTP server goes to the edge firewall (which you use for NAT) instead of through ExpressRoute. As the result, the return traffic takes the internet path.  |
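Review bot: two sentence fragments survive into the `+` lines: "If you don't advertise your public IP addresses to Microsoft over ExpressRoute." and "If you choose to advertise the same network address translation (NAT) pool for ExpressRoute and for the internet." end with a period where a comma is needed before "Microsoft communicates" and "You see similar issues". The tense cleanup is also incomplete: "Requests for services like Windows Update will go through the internet" and "your on-premises AD FS server will go over ExpressRoute" keep "will" while the neighbouring sentences were changed to present tense, and "the traffic that originates from Microsoft goes to your on-premises AD FS server will go over ExpressRoute" has two main verbs; suggest "traffic from Microsoft to your on-premises AD FS server goes over ExpressRoute". On substance, the Routing section's "be sure not to expose your on-premises AD FS server to IP addresses that the router receives over ExpressRoute" is the security-relevant line of this article and deserves its own explanation: because the Microsoft prefixes learned over ExpressRoute are more specific, a reply to a request that arrived from the internet leaves over ExpressRoute, which is exactly the asymmetric flow the edge firewall drops, and it also bypasses whatever inspection policy the internet-facing firewall applies to authentication traffic.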
expressroute | Expressroute Bfd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-bfd.md | Title: 'Azure ExpressRoute: Configure BFD' description: This article provides instructions on how to configure BFD (Bidirectional Forwarding Detection) over private-peering of an ExpressRoute circuit. - Previously updated : 12/14/2020 Last updated : 06/30/2023 - + # Configure BFD over ExpressRoute ExpressRoute supports Bidirectional Forwarding Detection (BFD) both over private and Microsoft peering. When you enable BFD over ExpressRoute, you can speed up the link failure detection between Microsoft Enterprise edge (MSEE) devices and the routers that your ExpressRoute circuit gets configured (CE/PE). You can configure ExpressRoute over your edge routing devices or your Partner Edge routing devices (if you went with managed Layer 3 connection service). This document walks you through the need for BFD, and how to enable BFD over ExpressRoute. You can enable ExpressRoute circuit either by Layer 2 connections or managed Lay On the MSEE devices, BGP keep-alive and hold-time are typically configured as 60 and 180 seconds respectively. For that reason when a link failure happens it can take up to three minutes to detect any link failure and switch traffic to alternate connection. -You can control the BGP timers by configuring a lower BGP keep-alive and hold-time on your edge peering device. If the BGP timers aren't the same between the two peering devices, the BGP session will establish using the lower time value. The BGP keep-alive can be set as low as three seconds, and the hold-time as low as 10 seconds. However, setting a very aggressive BGP timer is not recommended because the protocol is process intensive. +You can control the BGP timers by configuring a lower BGP keep-alive and hold-time on your edge peering device. 
If the BGP timers aren't the same between the two peering devices, the BGP session establishes using the lower time value. The BGP keep-alive can be set as low as three seconds, and the hold-time as low as 10 seconds. However, setting an aggressive BGP timer isn't recommended because the protocol is process intensive. In this scenario, BFD can help. BFD provides low-overhead link failure detection in a subsecond time interval. In this scenario, BFD can help. BFD provides low-overhead link failure detection BFD is configured by default under all the newly created ExpressRoute private and Microsoft peering interfaces on the MSEEs. As such, to enable BFD, you only need to configure BFD on both your primary and secondary devices. Configuring BFD is two-step process. You configure the BFD on the interface and then link it to the BGP session. -An example CE/PE (using Cisco IOS XE) configuration is shown below. +An example CE/PE (using Cisco IOS XE) configuration is shown as followed: ```console interface TenGigabitEthernet2/0/0.150 |
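Review bot: "is shown as followed:" in the `+` line is not idiomatic; the `-` form "is shown below" was correct, or use "An example CE/PE configuration (Cisco IOS XE) follows:". "Configuring BFD is two-step process" needs "a". The paragraph states that BFD "is configured by default" on the MSEE side and that the customer must configure it on both the primary and secondary devices; it should add that failure detection only speeds up once the customer side is configured on both links and that the operator should confirm the BFD session is up on each of them, otherwise one link of the redundant pair keeps the three-minute BGP hold-time behaviour described above while the other fails over in under a second. The unchanged "the routers that your ExpressRoute circuit gets configured (CE/PE)" should be "the routers on which your ExpressRoute circuit is configured (CE/PE)".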
expressroute | Expressroute Config Samples Routing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-config-samples-routing.md | Title: 'Azure ExpressRoute: Router configuration samples' description: Use these interface and routing configuration samples for Cisco IOS-XE and Juniper MX series routers as examples to work with Azure ExpressRoute. - Previously updated : 04/27/2021 Last updated : 06/30/2023 This page provides interface and routing configuration samples for Cisco IOS-XE > [!IMPORTANT] > Samples on this page are purely for guidance. You must work with your vendor's sales/technical team and your networking team to find appropriate configurations to meet your needs. Microsoft won't support issues related to configurations listed in this page. Contact your device vendor for support issues. > -> ## MTU and TCP MSS settings on router interfaces-The maximum transmission unit (MTU) for the ExpressRoute interface is 1500, which is the typical default MTU for an Ethernet interface on a router. Unless your router has a different MTU by default, there is no need to specify a value on the router interface. +The maximum transmission unit (MTU) for the ExpressRoute interface is 1500, which is the typical default MTU for an Ethernet interface on a router. Unless your router has a different MTU by default, there's no need to specify a value on the router interface. -Unlike an Azure VPN gateway, the TCP maximum segment size (MSS) for an ExpressRoute circuit does not need to be specified. +Unlike an Azure VPN gateway, the TCP maximum segment size (MSS) for an ExpressRoute circuit doesn't need to be specified. The router configuration samples in this article apply to all peerings. Review [ExpressRoute peerings](expressroute-circuit-peerings.md) and [ExpressRoute routing requirements](expressroute-routing.md) for more details on routing. 
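Review bot: the `+` lines are contraction-only, but "The maximum transmission unit (MTU) for the ExpressRoute interface is 1500" should say which MTU is meant, since the same article goes on to define QinQ subinterfaces with two VLAN tags and a reader may otherwise lower the value to make room for the extra tag; a one-line caveat that 1500 is the IP MTU and that VLAN tags are handled at layer 2 on the physical interface would prevent that. The `>` line left empty at the end of the IMPORTANT callout should be removed.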
- ## Cisco IOS-XE based routers The samples in this section apply to any router running the IOS-XE OS family. ### Configure interfaces and subinterfaces-You'll need one subinterface per peering in every router that you connect to Microsoft. A subinterface can be identified with a VLAN ID or a stacked pair of VLAN IDs and an IP address. +You need one subinterface per peering in every router that you connect to Microsoft. A subinterface can be identified with a VLAN ID or a stacked pair of VLAN IDs and an IP address. **Dot1Q interface definition** -This sample provides the subinterface definition for a subinterface with a single VLAN ID. The VLAN ID is unique per peering. The last octet of your IPv4 address will always be an odd number. +This sample provides the subinterface definition for a subinterface with a single VLAN ID. The VLAN ID is unique per peering. The last octet of your IPv4 address is always an odd number. ```console interface GigabitEthernet<Interface_Number>.<Number> interface GigabitEthernet<Interface_Number>.<Number> **QinQ interface definition** -This sample provides the subinterface definition for a subinterface with two VLAN IDs. The outer VLAN ID (s-tag), if used, remains the same across all peerings. The inner VLAN ID (c-tag) is unique per peering. The last octet of your IPv4 address will always be an odd number. +This sample provides the subinterface definition for a subinterface with two VLAN IDs. The outer VLAN ID (s-tag), if used, remains the same across all peerings. The inner VLAN ID (c-tag) is unique per peering. The last octet of your IPv4 address is always an odd number. ```console interface GigabitEthernet<Interface_Number>.<Number> interface GigabitEthernet<Interface_Number>.<Number> ``` ### Set up eBGP sessions-You must set up a BGP session with Microsoft for every peering. Set up a BGP session by using the following sample. 
If the IPv4 address that you used for your subinterface was a.b.c.d, then the IP address of the BGP neighbor (Microsoft) will be a.b.c.d+1. The last octet of the BGP neighbor's IPv4 address will always be an even number. +You must set up a BGP session with Microsoft for every peering. Set up a BGP session by using the following sample. If the IPv4 address that you used for your subinterface was a.b.c.d, then the IP address of the BGP neighbor (Microsoft) is a.b.c.d+1. The last octet of the BGP neighbor's IPv4 address is always an even number. ```console router bgp <Customer_ASN> route-map <MS_Prefixes_Inbound> permit 10 ### Configure BFD -You'll configure BFD in two places: one at the interface level and another at BGP level. The example here is for the QinQ interface. +You configure BFD in two places: one at the interface level and another at BGP level. The example here's for the QinQ interface. ```console interface GigabitEthernet<Interface_Number>.<Number> The samples in this section apply to any Juniper MX series router. **Dot1Q interface definition** -This sample provides the subinterface definition for a subinterface with a single VLAN ID. The VLAN ID is unique per peering. The last octet of your IPv4 address will always be an odd number. +This sample provides the subinterface definition for a subinterface with a single VLAN ID. The VLAN ID is unique per peering. The last octet of your IPv4 address is always an odd number. ```console interfaces { This sample provides the subinterface definition for a subinterface with a singl **QinQ interface definition** -This sample provides the subinterface definition for a subinterface with two VLAN IDs. The outer VLAN ID (s-tag), if used, remains the same across all peerings. The inner VLAN ID (c-tag) is unique per peering. The last octet of your IPv4 address will always be an odd number. +This sample provides the subinterface definition for a subinterface with two VLAN IDs. 
The outer VLAN ID (s-tag), if used, remains the same across all peerings. The inner VLAN ID (c-tag) is unique per peering. The last octet of your IPv4 address is always an odd number. ```console interfaces { This sample provides the subinterface definition for a subinterface with two VLA ``` ### Set up eBGP sessions-You must set up a BGP session with Microsoft for every peering. Set up a BGP session by using the following sample. If the IPv4 address that you used for your subinterface was a.b.c.d, then the IP address of the BGP neighbor (Microsoft) will be a.b.c.d+1. The last octet of the BGP neighbor's IPv4 address will always be an even number. +You must set up a BGP session with Microsoft for every peering. Set up a BGP session by using the following sample. If the IPv4 address that you used for your subinterface was a.b.c.d, then the IP address of the BGP neighbor (Microsoft) is a.b.c.d+1. The last octet of the BGP neighbor's IPv4 address is always an even number. ```console routing-options { For MACSec configuration, Connectivity Association Key (CAK) and Connectivity As ``` ## Next steps-See the [ExpressRoute FAQ](expressroute-faqs.md) for more details. ++For more information about ExpressRoute, see the [ExpressRoute FAQ](expressroute-faqs.md). |
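Review bot: "The example here's for the QinQ interface" in the `+` line is a wrong contraction; "here is" cannot be contracted in this position, so write "The example here is for the QinQ interface". The Set up eBGP sessions paragraph gives the neighbor address as a.b.c.d+1 with an even last octet and the subinterface paragraphs say the customer's last octet "is always an odd number"; both statements follow from the /30 point-to-point subnet each ExpressRoute peering link uses, and saying so explicitly would stop readers from assuming the parity rule holds for other prefix lengths. The context line "For MACSec configuration" should spell the protocol "MACsec", matching the CAK and CKN terms used next to it.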
expressroute | Expressroute Connect Azure To Public Cloud | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-connect-azure-to-public-cloud.md | Title: 'Connecting Azure to public clouds | Microsoft Docs' description: Describe various ways to connect Azure to other public clouds - Previously updated : 07/24/2019 Last updated : 06/30/2023 # Connecting Azure with public clouds -Many enterprises are pursuing a multi-cloud strategy because of business and technical goals. These include cost, flexibility, feature availability, redundancy, data sovereignty etc. This strategy helps them leverage best of both clouds. +Many enterprises are pursuing a multicloud strategy because of business and technical goals. These include cost, flexibility, feature availability, redundancy, data sovereignty etc. This strategy helps them use the best of both clouds. -This approach also poses challenges for the enterprise in terms of network and application architecture. Some of these challenges are latency and data throughput. To address these challenges customers are looking to connect to multiple clouds directly. Some service providers provide a solution to connect multiple cloud providers for the customers. In other cases, customer can deploy their own router to connect multiple public clouds. +This approach also poses challenges for the enterprise in terms of network and application architecture. Some of these challenges are latency and data throughput. To address these challenges you are looking to connect to multiple clouds directly. Some service providers provide a solution to connect multiple cloud providers for their customers. In other cases, customer can deploy their own router to connect multiple public clouds. ## Connectivity via ExpressRoute-ExpressRoute lets customers extend their on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. 
With ExpressRoute, customers can establish connections to Microsoft cloud services. +ExpressRoute lets you extend their on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services. There are three ways to connect via ExpressRoute. 1. Layer3 provider-2. Layer2 provider -3. Direct connection +1. Layer2 provider +1. Direct connection -### Layer3 Provider +### Layer 3 Provider -Layer3 providers are commonly known as IP VPN or MPLS VPN providers. Customers leverage these providers for multipoint connectivity between their data centers, branches and the cloud. Customers connect to the L3 provider via BGP or via static default route. Service provider advertises routes between the customer sites, datacenters and public cloud. +Layer 3 providers are commonly known as IP VPN or MPLS VPN providers. You use these providers for multipoint connectivity between their data centers, branches and the cloud. you connect to the L3 provider via BGP or via static default route. Service provider advertises routes between the customer sites, datacenters and public cloud. -When connecting through Layer3 provider, Microsoft will advertise customer VNET routes to the service provider over BGP. The provider can have two different implementations. +When you're connecting through Layer 3 provider, Microsoft will advertise customer VNET routes to the service provider over BGP. The provider can have two different implementations.  -Provider may be landing each cloud provider in a separate VRF, if traffic from all the cloud providers will reach at customer router. If customer is running BGP with service provider, then these routes will be re-advertised to other cloud providers by default. +Provider may be landing each cloud provider in a separate VRF, if traffic from all the cloud providers reach at customer router. 
If customer is running BGP with service provider, then these routes are readvertised to other cloud providers by default. -If service provider is landing all the cloud providers in the same VRF, then routes will be advertised to other cloud providers from the service provider directly. This is assuming standard BGP operation where eBGP routes are advertised to other eBGP neighbors by default. +If service provider is landing all the cloud providers in the same VRF, then routes are advertised to other cloud providers from the service provider directly. This set up is assuming standard BGP operation where eBGP routes are advertised to other eBGP neighbors by default. Each public cloud has different prefix limit so while distributing the routes service provider should take caution in distributing the routes. -### Layer2 Provider and Direct connection +### Layer 2 Provider and Direct connection ++Although physical connectivity in both models is different, but at layer3 BGP is established directly between MSEE and the customer router. For ExpressRoute Direct, you connect to the MSEE directly. While in Layer 2, service provider extends VLAN from your on-premises to the cloud you run BGP on top of layer2 network to connect their DCs to the cloud. -Although physical connectivity in both models is different, but at layer3 BGP is established directly between MSEE and the customer router. For ExpressRoute Direct customer connects to MSEE directly. While in case of Layer2, service provider extends VLAN from customer premises to the cloud. Customers run BGP on top of layer2 network to connect their DCs to the cloud. -In both cases, customer will have point-to-point connections to each of the public clouds. Customer will establish separate BGP connection to each public cloud. Routes received by one cloud provider will be advertised to other cloud provider by default. 
Each cloud provider has different prefix limit so while advertising the routes customer should take care of these limits. Customer can use usual BGP knobs with Microsoft while advertising routes from other public clouds. ++In both cases, customer has point-to-point connections to each of the public clouds. Customer establishes separate BGP connection to each public cloud. Routes received by one cloud provider get advertised to other cloud provider by default. Each cloud provider has different prefix limit so while advertising the routes customer should take care of these limits. Customer can use usual BGP knobs with Microsoft while advertising routes from other public clouds. ## Direct connection with ExpressRoute -Customers can choose to connect ExpressRoute directly to the cloud provider's direct connectivity offering. Two cloud providers will be connected back to back and BGP will be established directly between their routers. This type of connection is available with Oracle today. +You can choose to connect ExpressRoute directly to the cloud provider's direct connectivity offering. Two cloud providers are connected back to back and BGP gets established directly between their routers. This type of connection is available with Oracle today. ## Site-to-site VPN -Customers can leverage Internet to connect their instances in Azure with other public clouds. Almost all the cloud providers offer site-to-site VPN capabilities. However, there could be incompatibilities because of lack of certain variants. For example, some cloud providers only support IKEv1 so there is a VPN termination endpoint required in that cloud. For those cloud providers supporting IKEv2 a direct tunnel can be established between VPN gateways at both cloud providers. +You can use the Internet to connect their instances in Azure with other public clouds. Almost all the cloud providers offer site-to-site VPN capabilities. However, there could be incompatibilities because of lack of certain variants. 
For example, some cloud providers only support IKEv1 so there's a VPN termination endpoint required in that cloud. For those cloud providers supporting IKEv2, a direct tunnel can be established between VPN gateways at both cloud providers. -Site-to-site VPN is not considered a high throughput and low latency solution. However, it can be used as a backup to physical connectivity. +Site-to-site VPN isn't considered a high throughput and low latency solution. However, it can be used as a backup to physical connectivity. ## Next steps See [ExpressRoute FAQ][ER-FAQ] for any further questions on ExpressRoute and virtual network connectivity. |
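Review bot: the move to second person is incomplete across the intro, Layer 3 and VPN hunks, so the rewritten lines now mix "you" with "their": `+ExpressRoute lets you extend their on-premises networks`, `+You use these providers for multipoint connectivity between their data centers`, `+You can use the Internet to connect their instances in Azure`. Change each "their" to "your", and capitalize the sentence that now begins `you connect to the L3 provider via BGP`. Also `+When you're connecting through Layer 3 provider` needs the article ("a Layer 3 provider").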
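Review bot: the Layer 3 VRF hunk still has a subject-verb mismatch and a run-on: `+Provider may be landing each cloud provider in a separate VRF, if traffic from all the cloud providers reach at customer router.` Suggest "The provider may land each cloud provider in a separate VRF so that traffic from all cloud providers reaches the customer router. If the customer runs BGP with the service provider, these routes are readvertised to the other cloud providers by default." In the same-VRF paragraph, `This set up is assuming standard BGP operation` should be "This setup assumes standard BGP operation", and "Each public cloud has different prefix limit" needs "a different prefix limit". Since the security-relevant point of both paragraphs is that routes learned from one cloud leak to the others unless someone filters, it would help to say who is expected to filter (provider or customer) instead of only "should take caution".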
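Review bot: the relocated Layer 2/Direct paragraph keeps the "Although ... but" construction and the old casing: `++Although physical connectivity in both models is different, but at layer3 BGP is established directly between MSEE and the customer router.` Drop "but", and write "Layer 3" and "Layer 2" to match the headings this same commit renames to `### Layer 3 Provider` and `### Layer 2 Provider and Direct connection`; `to connect their DCs to the cloud` should be "your data centers". In the following paragraph, `Routes received by one cloud provider get advertised to other cloud provider by default` is the transitive route-leak case again, and "Customer can use usual BGP knobs with Microsoft" is vague: name the intended control (for example a prefix filter so that routes learned from another cloud are not advertised to Microsoft, or vice versa) and link to where the ExpressRoute prefix limit referred to here is documented.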
expressroute | Expressroute For Cloud Solution Providers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-for-cloud-solution-providers.md | -ExpressRoute is composed of a pair of circuits for high availability that are attached to a single customer's subscription(s) and cannot be shared by multiple customers. Each circuit should be terminated in a different router to maintain the high availability. +ExpressRoute is composed of a pair of circuits for high availability that are attached to a single customer's subscription(s) and can't be shared by multiple customers. Each circuit should be terminated in a different router to maintain the high availability. > [!NOTE] > There are limits to the bandwidth and number of connections possible on each ExpressRoute circuit. If a single customer's needs exceed these limits, they will require multiple ExpressRoute circuits for their hybrid network implementation. > -> Microsoft Azure provides a growing number of services that you can offer to your customers. ExpressRoute helps you and your customers take advantage of these services by providing high-speed low latency access to the Microsoft Azure environment. ## Microsoft Azure management+ Microsoft provides CSPs with APIs to manage the Azure customer subscriptions by allowing programmatic integration with your own Service Management systems. Supported management capabilities can be found [here](/previous-versions/windows/mt844538(v=win.10)). ## Microsoft Azure resource management-The contract you have with your customer will determine how the subscription will be managed. The CSP can directly manage the creation and maintenance of resources or the customer can maintain control of the Microsoft Azure subscription and create the Azure resources as they need. 
If your customer manages the creation of resources in their Microsoft Azure subscription, they will use one of two models: ΓÇ£*Connect-Through*ΓÇ¥ model, or ΓÇ£*Direct-To*ΓÇ¥ model. These models are described in detail in the following sections. ++The contract you have with your customer determines how the subscription will be managed. The CSP can directly manage the creation and maintenance of resources or the customer can maintain control of the Microsoft Azure subscription and create the Azure resources as they need. If your customer manages the creation of resources in their Microsoft Azure subscription, they use one of two models: ΓÇ£*Connect-Through*ΓÇ¥ model, or ΓÇ£*Direct-To*ΓÇ¥ model. These models are described in detail in the following sections. ### Connect-through model+  In the connect-through model, the CSP creates a direct connection between your datacenter and your customerΓÇÖs Azure subscription. The direct connection is made using ExpressRoute, connecting your network with Azure. Then your customer connects to your network. This scenario requires that the customer passes through the CSP network to access Azure services. -If your customer has other Azure subscriptions not managed by the you, they would use the public Internet or their own private connection to connect to those services provisioned under the non-CSP subscription. +If your customer has other Azure subscriptions not managed by you, they would use the public Internet or their own private connection to connect to those services provisioned under the non-CSP subscription. -For CSP managing Azure services, it is assumed that the CSP has a previously established customer identity store, which would then be replicated into Azure Active Directory for management of their CSP subscription through Administrate-On-Behalf-Of (AOBO). 
Key drivers for this scenario include where a given partner or service provider has an established relationship with the customer, the customer is consuming provider services currently or the partner has a desire to provide a combination of provider-hosted and Azure-hosted solutions to provide flexibility and address customer challenges that cannot be satisfied by CSP alone. This model is illustrated in the **figure** below. +For CSP managing Azure services, it's assumed that the CSP has a previously established customer identity store, which would then be replicated into Azure Active Directory for management of their CSP subscription through Administrate-On-Behalf-Of (AOBO). Key drivers for this scenario include where a given partner or service provider has an established relationship with the customer, the customer is consuming provider services currently or the partner has a desire to provide a combination of provider-hosted and Azure-hosted solutions to provide flexibility and address customer challenges that can't be satisfied by CSP alone. This model is illustrated in the following **figure**.  ### Connect-to model+  In the Connect-To model, the service provider creates a direct connection between their customerΓÇÖs datacenter and the CSP provisioned Azure subscription using ExpressRoute over the customerΓÇÖs (customer) network. In the Connect-To model, the service provider creates a direct connection betwee > [!NOTE] > For ExpressRoute the customer would need to create and maintain the ExpressRoute circuit. > -> -This connectivity scenario requires that the customer connects directly through a customer network to access CSP-managed Azure subscription, using a direct network connection that is created, owned, and managed either wholly or in part by the customer. 
For these customers, it is assumed that the provider does not currently have a customer identity store established, and the provider would assist the customer in replicating their current identify store into Azure Active Directory for management of their subscription through AOBO. Key drivers for this scenario include where a given partner or service provider has an established relationship with the customer, the customer is consuming provider services currently, or the partner has a desire to provide services that are based solely on Azure-hosted solutions without the need for an existing provider datacenter or infrastructure. +This connectivity scenario requires that the customer connects directly through a customer network to access CSP-managed Azure subscription, using a direct network connection that is created, owned, and managed either wholly or in part by the customer. For these customers, it's assumed that the provider doesn't currently have a customer identity store established, and the provider would assist the customer in replicating their current identify store into Azure Active Directory for management of their subscription through AOBO. Key drivers for this scenario include where a given partner or service provider has an established relationship with the customer, the customer is consuming provider services currently, or the partner has a desire to provide services that are based solely on Azure-hosted solutions without the need for an existing provider datacenter or infrastructure.  The choices between these two options are based on your customerΓÇÖs needs and your current need to provide Azure services. The details of these models and the associated role-based access control, networking, and identity design patterns are covered in details in the following links: * **Azure role-based access control (Azure RBAC)** ΓÇô Azure RBAC is based on Azure Active Directory. 
For more information on Azure RBAC, see [here](../role-based-access-control/role-assignments-portal.md).-* **Networking** ΓÇô Covers the various topics of networking in Microsoft Azure. +* **Networking** ΓÇô Covers the various articles of networking in Microsoft Azure. * **Azure Active Directory (Azure AD)** ΓÇô Azure AD provides the identity management for Microsoft Azure and third-party SaaS applications. For more information about Azure AD, see [here](../active-directory/index.yml). ## Network speeds ExpressRoute supports the connection of multiple VNets to a single ExpressRoute ExpressRoute can be configured to support three types of traffic ([routing domains](#expressroute-routing-domains)) over a single ExpressRoute circuit. This traffic is segregated into private peering, Microsoft peering, and public peering (deprecated). You can choose one or all types of traffic to be sent over a single ExpressRoute circuit or use multiple ExpressRoute circuits depending on the size of the ExpressRoute circuit and isolation required by your customer. The security posture of your customer may not allow public traffic and private traffic to traverse over the same circuit. ### Connect-through model-In a connect-through configuration, you will be responsible for all of the networking underpinnings to connect your customer's datacenter resources to the subscriptions hosted in Azure. Each of your customers that want to use Azure capabilities will need their own ExpressRoute connection, which will be managed by you. You will use the same methods the customer would use to procure the ExpressRoute circuit. You will follow the same steps outlined in the article [ExpressRoute workflows](expressroute-workflows.md) for circuit provisioning and circuit states. You will then configure the Border Gateway Protocol (BGP) routes to control the traffic flowing between the on-premises network and Azure VNet. 
+In a connect-through configuration, you're responsible for all of the networking underpinnings to connect your customer's datacenter resources to the subscriptions hosted in Azure. Each of your customers that want to use Azure capabilities need their own ExpressRoute connection, which will be managed by you. You use the same methods the customer would use to procure the ExpressRoute circuit. You follow the same steps outlined in the article [ExpressRoute workflows](expressroute-workflows.md) for circuit provisioning and circuit states. You'll then configure the Border Gateway Protocol (BGP) routes to control the traffic flowing between the on-premises network and Azure VNet. ### Connect-to model-In a connect-to configuration, your customer already has an existing connection to Azure or will initiate a connection to the internet service provider linking ExpressRoute from their own datacenter directly to Azure, instead of your datacenter. To begin the provisioning process, your customer will follow the steps as described in the Connect-Through model, above. Once the circuit has been established, your customer will need to configure the on-premises routers to be able to access both your network and Azure VNets. +In a connect-to configuration, your customer already has an existing connection to Azure or will initiate a connection to the internet service provider linking ExpressRoute from their own datacenter directly to Azure, instead of your datacenter. To begin the provisioning process, your customer follows the steps as described in the Connect-Through model, above. Once the circuit has been established, your customer needs to configure the on-premises routers to be able to access both your network and Azure VNets. You can assist with setting up the connection and configuring the routes to allow the resources in your datacenter(s) to communicate with the client resources in your datacenter, or with the resources hosted in Azure. 
## ExpressRoute routing domains-ExpressRoute offers two routing domains for new circuits: private peering and Microsoft peering. Each of the routing domains is configured with identical routers in active-active configuration for high availability. For more details on ExpressRoute routing domains look [here](expressroute-circuit-peerings.md). +ExpressRoute offers two routing domains for new circuits: private peering and Microsoft peering. Each of the routing domains is configured with identical routers in active-active configuration for high availability. For more details on ExpressRoute routing domains, look [here](expressroute-circuit-peerings.md). -You can define custom routes filters to allow only the route(s) you want to allow or need. For more information or to see how to make these changes see article: [Create and modify routing for an ExpressRoute circuit using PowerShell](expressroute-howto-routing-classic.md) for more details about routing filters. +You can define custom routes filters to allow only the route(s) you want to allow or need. For more information or to, see how to make these changes see article: [Create and modify routing for an ExpressRoute circuit using PowerShell](expressroute-howto-routing-classic.md) for more details about routing filters. > [!NOTE]-> For Microsoft Peering, connectivity must be though a public IP address owned by the customer or CSP and must adhere to all defined rules. For more information, see the [ExpressRoute Prerequisites](expressroute-prerequisites.md) page. +> For Microsoft Peering, connectivity must be through a public IP address owned by the customer or CSP and must adhere to all defined rules. For more information, see the [ExpressRoute Prerequisites](expressroute-prerequisites.md) page. 
> > User-defined routes allow the control of traffic outbound from the assigned subn ## Security Depending on which model is in use, Connect-To or Connect-Through, your customer defines the security policies in their VNet or provides the security policy requirements to the CSP to define to their VNets. The following security criteria can be defined: -1. **Customer Isolation** ΓÇö The Azure platform provides customer isolation by storing Customer ID and VNet info in a secure database, which is used to encapsulate each customerΓÇÖs traffic in a GRE tunnel. +1. **Customer Isolation**ΓÇöThe Azure platform provides customer isolation by storing Customer ID and VNet info in a secure database, which is used to encapsulate each customerΓÇÖs traffic in a GRE tunnel. 2. **Network Security Group (NSG)** rules are for defining allowed traffic into and out of the subnets within VNets in Azure. By default, the NSG contains Block rules to block traffic from the Internet to the VNet and Allow rules for traffic within a VNet. For more information about Network Security Groups, look [here](https://azure.microsoft.com/blog/network-security-groups/).-3. **Force tunneling** ΓÇöThis is an option to redirect internet bound traffic originating in Azure to be redirected over the - ExpressRoute connection to the on premises datacenter. For more information about Forced tunneling look [here](expressroute-routing.md#advertising-default-routes). -4. **Encryption** ΓÇö Even though the ExpressRoute circuits are dedicated to a specific customer, there is the possibility that the network provider could be breached, allowing an intruder to examine packet traffic. To address this potential, a customer or CSP can encrypt traffic over the connection by defining IPSec tunnel-mode policies for all traffic flowing between the on premises resources and Azure resources (refer to the optional Tunnel mode IPSec for Customer 1 in Figure 5: ExpressRoute Security, above). 
The second option would be to use a firewall appliance at each the end point of the ExpressRoute circuit. This will require additional third-party firewall VMs/Appliances to be installed on both ends to encrypt the traffic over the ExpressRoute circuit. +3. **Force tunneling**ΓÇöThis is an option to redirect internet bound traffic originating in Azure to be redirected over the + ExpressRoute connection to the on premises datacenter. For more information about Forced tunneling, look [here](expressroute-routing.md#advertising-default-routes). +4. **Encryption**ΓÇöEven though the ExpressRoute circuits are dedicated to a specific customer, there's the possibility that the network provider could be breached, allowing an intruder to examine packet traffic. To address this potential, a customer or CSP can encrypt traffic over the connection by defining IPSec tunnel-mode policies for all traffic flowing between the on premises resources and Azure resources (refer to the optional Tunnel mode IPSec for Customer 1 in Figure 5: ExpressRoute Security, above). The second option would be to use a firewall appliance at each the end point of the ExpressRoute circuit. This requires another third-party firewall VMs/Appliances to be installed on both ends to encrypt the traffic over the ExpressRoute circuit.  ## Next steps-The Cloud Solution Provider service provides you a way to increase your value to your customers without the need for expensive infrastructure and capability purchases, while maintaining your position as the primary outsourcing provider. Seamless integration with Microsoft Azure can be accomplished through the CSP API, allowing you to integrate management of Microsoft Azure within your existing management frameworks. +The Cloud Solution Provider service provides you with a way to increase your value to your customers without the need for expensive infrastructure and capability purchases, while maintaining your position as the primary outsourcing provider. 
Seamless integration with Microsoft Azure can be accomplished through the CSP API, allowing you to integrate management of Microsoft Azure within your existing management frameworks. Additional Information can be found at the following links: |
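Review bot: the model names in the resource management hunk do not match the section headings: `++... they use one of two models: ΓÇ£*Connect-Through*ΓÇ¥ model, or ΓÇ£*Direct-To*ΓÇ¥ model` is followed by `### Connect-through model` and `### Connect-to model`, and the Network speeds section also says "connect-to". Rename "Direct-To" to "Connect-To" and pick one capitalization so the reader can find the section. While this file is open, the management capabilities link targets a `/previous-versions/...` path, which is archived content; worth checking for a current target.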
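Review bot: typos and missing articles carried into the identity and Connect-to hunks: `would assist the customer in replicating their current identify store into Azure Active Directory` should be "identity store"; `+For CSP managing Azure services, it's assumed` should be "For a CSP managing"; `to access CSP-managed Azure subscription` needs "the". In the bullet list that follows, `+* **Networking** ΓÇô Covers the various articles of networking in Microsoft Azure.` reads worse than the original "topics", and unlike the RBAC and Azure AD bullets it has no link; either restore "topics" and add the link, or drop the bullet.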
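Review bot: the routing domains hunk broke the sentence it was tidying: `+You can define custom routes filters to allow only the route(s) you want to allow or need. For more information or to, see how to make these changes see article:`. Suggest "You can define custom route filters to allow only the routes you need. To see how to make these changes, see [Create and modify routing for an ExpressRoute circuit using PowerShell](...)". Note also that the target is the classic-deployment routing article (`expressroute-howto-routing-classic.md`) on a page otherwise written for current subscriptions; confirm that is the intended version. In the Connect-through paragraph of the Network speeds section, `Each of your customers that want to use Azure capabilities need their own ExpressRoute connection` should be "Each of your customers that wants ... needs its own", and `You'll then configure` should match the surrounding present tense ("You then configure").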
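Review bot: in the Security hunk, item 3 still says "redirect ... to be redirected" and keeps a hard wrap with a leading space that splits the sentence mid-phrase: `+3. **Force tunneling**ΓÇöThis is an option to redirect internet bound traffic originating in Azure to be redirected over the` / ` ExpressRoute connection to the on premises datacenter.` Join the lines and use one spelling ("Forced tunneling", as the link text does): "Forced tunneling: an option to send Internet-bound traffic originating in Azure over the ExpressRoute connection to the on-premises datacenter." In item 4, `This requires another third-party firewall VMs/Appliances` pairs "another" with a plural (the original "additional" was right), `at each the end point` should be "at each end point", and the parenthetical referring to "Figure 5: ExpressRoute Security, above" points at a numbered figure while the figures earlier on this page are introduced as "the following figure" without numbers; confirm Figure 5 exists or drop the reference. Item 1 describes an internal mechanism ("storing Customer ID and VNet info in a secure database ... GRE tunnel") rather than the property the CSP can rely on; stating the guarantee (one customer's traffic is not visible to another's) would be more useful to the reader than the implementation detail.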
expressroute | Expressroute Howto Add Ipv6 Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-howto-add-ipv6-portal.md | -> Some aspects of the portal experience are still being implemented. Therefore, please follow the exact order of instructions provided in this document to successfully add IPv6 support via the portal. Specifically, please make sure to create your virtual network and subnet, or add IPv6 address space to your existing virtual network and GatewaySubnet, *prior* to creating a new virtual network gateway in the portal. +> Some aspects of the portal experience are still being implemented. Therefore, follow the exact order of steps provided in this document to successfully add IPv6 support via the portal. Specifically, make sure to create your virtual network and subnet, or add IPv6 address space to your existing virtual network and GatewaySubnet, *prior* to creating a new virtual network gateway in the portal. ## Sign in to the Azure portal From a browser, go to the [Azure portal](https://portal.azure.com), and then sig :::image type="content" source="./media/expressroute-howto-add-ipv6-portal/navigate-to-peering.png" alt-text="Screenshot of ExpressRoute overview page."::: -1. Add an IPv6 Private Peering to your existing IPv4 Private Peering configuration by selecting "Both" for **Subnets**, or only enable IPv6 Private Peering on your new circuit by selecting "IPv6". Provide a pair of /126 IPv6 subnets that you own for your primary link and secondary links. From each of these subnets, you'll assign the first usable IP address to your router as Microsoft uses the second usable IP for its router. **Save** your peering configuration once you've specified all parameters. +1. Add an IPv6 Private Peering to your existing IPv4 Private Peering configuration by selecting "Both" for **Subnets**, or only enable IPv6 Private Peering on your new circuit by selecting "IPv6". 
Provide a pair of /126 IPv6 subnets that you own for your primary link and secondary links. From each of these subnets, you assign the first usable IP address to your router as Microsoft uses the second usable IP for its router. **Save** your peering configuration once you've specified all parameters. :::image type="content" source="./media/expressroute-howto-add-ipv6-portal/add-ipv6-peering.png" alt-text="Screenshot of adding Ipv6 on private peering page."::: From a browser, go to the [Azure portal](https://portal.azure.com), and then sig ## Update your connection to an existing virtual network -Follow the steps below if you have an existing environment of Azure resources that you would like to use your IPv6 Private Peering with. +Follow these steps if you have an existing environment of Azure resources that you would like to use your IPv6 Private Peering with. 1. Navigate to the virtual network that your ExpressRoute circuit is connected to. Follow the steps below if you have an existing environment of Azure resources th :::image type="content" source="./media/expressroute-howto-add-ipv6-portal/add-ipv6-gateway-space.png" alt-text="Screenshot of add Ipv6 address space to the subnet."::: -1. If you have an existing zone-redundant gateway, run the following in PowerShell to enable IPv6 connectivity (note that it may take up to 1 hour for changes to reflect). Otherwise, [create the virtual network gateway](./expressroute-howto-add-gateway-portal-resource-manager.md) using any SKU and a Standard, Static public IP address. If you plan to use FastPath, use UltraPerformance or ErGw3AZ (note that this option is only available for circuits using ExpressRoute Direct). +1. If you have an existing zone-redundant gateway, run the following command in PowerShell to enable IPv6 connectivity (note that it may take up to 1 hour for changes to reflect). 
Otherwise, [create the virtual network gateway](./expressroute-howto-add-gateway-portal-resource-manager.md) using any SKU and a Standard, Static public IP address. If you plan to use FastPath, use UltraPerformance or ErGw3AZ (note that this option is only available for circuits using ExpressRoute Direct). ```azurepowershell-interactive $gw = Get-AzVirtualNetworkGateway -Name "GatewayName" -ResourceGroupName "ExpressRouteResourceGroup" Follow the steps below if you have an existing environment of Azure resources th ## Create a connection to a new virtual network -Follow the steps below if you plan to connect to a new set of Azure resources using your IPv6 Private Peering. +Follow these steps if you plan to connect to a new set of Azure resources using your IPv6 Private Peering. 1. Create a dual-stack virtual network with both IPv4 and IPv6 address space. For more information, see [Create a virtual network](../virtual-network/quick-create-portal.md#create-a-virtual-network). 1. [Create the dual-stack gateway subnet](expressroute-howto-add-gateway-portal-resource-manager.md#create-the-gateway-subnet). -1. [Create the virtual network gateway](expressroute-howto-add-gateway-resource-manager.md) using any SKU and a Standard, Static public IP address. If you plan to use FastPath, use UltraPerformance or ErGw3AZ (note that this option is only available for circuits using ExpressRoute Direct). **NOTE:** Please use the PowerShell instructions for this step as the Azure portal experience is still under development. +1. [Create the virtual network gateway](expressroute-howto-add-gateway-resource-manager.md) using any SKU and a Standard, Static public IP address. If you plan to use FastPath, use UltraPerformance or ErGw3AZ (note that this option is only available for circuits using ExpressRoute Direct). **NOTE:** Use the PowerShell instructions for this step as the Azure portal experience is still under development. 1. 
[Link your virtual network to your ExpressRoute circuit](expressroute-howto-linkvnet-portal-resource-manager.md). ## Limitations-While IPv6 support is available for connections to deployments in Public Azure regions, it doesn't support the following use cases: -* Connections to *existing* ExpressRoute gateways that are not zone-redundant. Note that *newly* created ExpressRoute gateways of any SKU (both zone-redundant and not) using a Standard, Static IP address can be used for dual-stack ExpressRoute connections +While IPv6 support is available for connections to deployments in global Azure regions, it doesn't support the following use cases: ++* Connections to *existing* ExpressRoute gateways that aren't zone-redundant. *Newly* created ExpressRoute gateways of any SKU (both zone-redundant and not) using a Standard, Static IP address can be used for dual-stack ExpressRoute connections * Use of ExpressRoute with virtual WAN * FastPath with non-ExpressRoute Direct circuits * FastPath with circuits in the following peering locations: Dubai-* Coexistence with VPN Gateway for IPv6 traffic. You can still configure coexistence with VPN Gateway in a dual-stack vnet, but VPN Gateway will only support IPv4 traffic. +* Coexistence with VPN Gateway for IPv6 traffic. You can still configure coexistence with VPN Gateway in a dual-stack vnet, but VPN Gateway only supports IPv4 traffic. ## Next steps |
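Review bot: in the peering hunk, `Provide a pair of /126 IPv6 subnets that you own for your primary link and secondary links` should read "primary and secondary links", and the address-assignment rule would be clearer stated per subnet: "From each /126, assign the first usable address to your router; Microsoft uses the second usable address." In the new-VNet procedure, the inline `**NOTE:** Use the PowerShell instructions for this step as the Azure portal experience is still under development.` is inconsistent with the `> [!NOTE]` callout this same article uses at the top; use the callout.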
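Review bot: the gateway step says `run the following command in PowerShell to enable IPv6 connectivity`, but the block opens with `$gw = Get-AzVirtualNetworkGateway -Name "GatewayName" -ResourceGroupName "ExpressRouteResourceGroup"`, an assignment that by itself changes nothing. Say "commands" and make sure the block includes the step that writes the updated gateway back, otherwise a reader who stops after the first line will think IPv6 is enabled when it is not. The same SKU and FastPath parenthetical ("use UltraPerformance or ErGw3AZ (note that this option is only available for circuits using ExpressRoute Direct)") is repeated verbatim in both procedures; one sentence placed before the two procedures would do.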
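Review bot: in the Limitations hunk, the first bullet (`... using a Standard, Static IP address can be used for dual-stack ExpressRoute connections`) has no terminal period, and `* FastPath with circuits in the following peering locations: Dubai` is written as a list header with a single item on the same line; either make Dubai a sub-bullet or say "in the Dubai peering location".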
expressroute | Expressroute Howto Coexist Classic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-howto-coexist-classic.md | description: This article walks you through configuring ExpressRoute and a Site- documentationcenter: na - Previously updated : 12/06/2019 Last updated : 06/30/2023 -- + # Configure ExpressRoute and Site-to-Site coexisting connections (classic) > [!div class="op_single_selector"] > * [PowerShell - Resource Manager](expressroute-howto-coexist-resource-manager.md) > * [PowerShell - Classic](expressroute-howto-coexist-classic.md) > -> -This article helps you configure ExpressRoute and Site-to-Site VPN connections that coexist. Having the ability to configure Site-to-Site VPN and ExpressRoute has several advantages. You can configure Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that are not connected through ExpressRoute. We will cover the steps to configure both scenarios in this article. This article applies to the classic deployment model. This configuration is not available in the portal. +This article helps you configure ExpressRoute and Site-to-Site VPN connections that coexist. Having the ability to configure Site-to-Site VPN and ExpressRoute has several advantages. You can configure Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that aren't connected through ExpressRoute. We cover the steps to configure both scenarios in this article. This article applies to the classic deployment model. This configuration isn't available in the portal. 
[!INCLUDE [expressroute-classic-end-include](../../includes/expressroute-classic-end-include.md)] This article helps you configure ExpressRoute and Site-to-Site VPN connections t [!INCLUDE [vpn-gateway-classic-rm](../../includes/vpn-gateway-classic-rm-include.md)] > [!IMPORTANT]-> ExpressRoute circuits must be pre-configured before you follow the instructions below. Make sure that you have followed the guides to [create an ExpressRoute circuit](expressroute-howto-circuit-classic.md) and [configure routing](expressroute-howto-routing-classic.md) before you follow the steps below. -> +> An ExpressRoute circuit must be pre-configured before you follow the instructions in this article. Make sure that you have followed the guides to [create an ExpressRoute circuit](expressroute-howto-circuit-classic.md) and [configure routing](expressroute-howto-routing-classic.md) before you proceeding. > ## Limits and limitations-* **Transit routing is not supported.** You cannot route (via Azure) between your local network connected via Site-to-Site VPN and your local network connected via ExpressRoute. -* **Point-to-site is not supported.** You can't enable point-to-site VPN connections to the same VNet that is connected to ExpressRoute. Point-to-site VPN and ExpressRoute cannot coexist for the same VNet. +* **Transit routing is not supported.** You can't route (via Azure) between your local network connected via Site-to-Site VPN and your local network connected via ExpressRoute. +* **Point-to-site is not supported.** You can't enable point-to-site VPN connections to the same VNet that is connected to ExpressRoute. Point-to-site VPN and ExpressRoute can't coexist for the same VNet. * **Forced tunneling cannot be enabled on the Site-to-Site VPN gateway.** You can only "force" all Internet-bound traffic back to your on-premises network via ExpressRoute. 
* **Basic SKU gateway is not supported.** You must use a non-Basic SKU gateway for both the [ExpressRoute gateway](expressroute-about-virtual-network-gateways.md) and the [VPN gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md). * **Only route-based VPN gateway is supported.** You must use a route-based [VPN Gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md). * **Static route should be configured for your VPN gateway.** If your local network is connected to both ExpressRoute and a Site-to-Site VPN, you must have a static route configured in your local network to route the Site-to-Site VPN connection to the public Internet. ## Configuration designs+ ### Configure a Site-to-Site VPN as a failover path for ExpressRoute-You can configure a Site-to-Site VPN connection as a backup for ExpressRoute. This applies only to virtual networks linked to the Azure private peering path. There is no VPN-based failover solution for services accessible through Azure public and Microsoft peerings. The ExpressRoute circuit is always the primary link. Data will flow through the Site-to-Site VPN path only if the ExpressRoute circuit fails. ++You can configure a Site-to-Site VPN connection as a backup for ExpressRoute. This set up only applies to virtual networks linked to the Azure private peering path. There's no VPN-based failover solution for services accessible through Azure public and Microsoft peerings. The ExpressRoute circuit is always the primary link. Data flow through the Site-to-Site VPN path only if the ExpressRoute circuit fails. > [!NOTE] > While ExpressRoute circuit is preferred over Site-to-Site VPN when both routes are the same, Azure will use the longest prefix match to choose the route towards the packet's destination. You can configure your network where some sites connect directly to Azure over S > ## Selecting the steps to use-There are two different sets of procedures to choose from in order to configure connections that can coexist. 
The configuration procedure that you select will depend on whether you have an existing virtual network that you want to connect to, or you want to create a new virtual network. ++There are two different sets of procedures to choose from in order to configure connections that can coexist. The configuration procedure that you select depends on whether you have an existing virtual network that you want to connect to, or you want to create a new virtual network. * I don't have a VNet and need to create one. - If you donΓÇÖt already have a virtual network, this procedure will walk you through creating a new virtual network using the classic deployment model and creating new ExpressRoute and Site-to-Site VPN connections. To configure, follow the steps in the article section [To create a new virtual network and coexisting connections](#new). + If you donΓÇÖt already have a virtual network, this procedure walks you through creating a new virtual network using the classic deployment model and creating new ExpressRoute and Site-to-Site VPN connections. To configure, follow the steps in the article section [To create a new virtual network and coexisting connections](#new). * I already have a classic deployment model VNet. - You may already have a virtual network in place with an existing Site-to-Site VPN connection or ExpressRoute connection. The article section [To configure coexisting connections for an already existing VNet](#add) will walk you through deleting the gateway, and then creating new ExpressRoute and Site-to-Site VPN connections. Note that when creating the new connections, the steps must be completed in a very specific order. Don't use the instructions in other articles to create your gateways and connections. + You may already have a virtual network in place with an existing Site-to-Site VPN connection or ExpressRoute connection. 
The article section [To configure coexisting connections for an already existing VNet](#add) walk you through deleting the gateway, and then creating new ExpressRoute and Site-to-Site VPN connections. When you create new connections, the steps must be completed in a specific order. Don't use the instructions in other articles to create your gateways and connections. - In this procedure, creating connections that can coexist will require you to delete your gateway, and then configure new gateways. This means you will have downtime for your cross-premises connections while you delete and recreate your gateway and connections, but you will not need to migrate any of your VMs or services to a new virtual network. Your VMs and services will still be able to communicate out through the load balancer while you configure your gateway if they are configured to do so. + In this procedure, creating connections that can coexist requires you to delete your gateway, and then configure new gateways. You experience downtime for your cross-premises connections while you delete and recreate your gateway and connections, but you don't need to migrate any of your VMs or services to a new virtual network. Your VMs and services can still communicate out through the load balancer while you configure your gateway if they're configured to do so. ## Install PowerShell cmdlets [!INCLUDE [classic powershell install instructions](../../includes/expressroute-poweshell-classic-install-include.md)] ## <a name="new"></a>To create a new virtual network and coexisting connections-This procedure will walk you through creating a VNet and create Site-to-Site and ExpressRoute connections that will coexist. +This procedure walks you through creating a VNet and creates Site-to-Site and ExpressRoute connections that coexist. -1. You'll need to install the latest version of the Azure PowerShell cmdlets. 
See [How to install and configure Azure PowerShell](/powershell/azure/) for more information about installing the PowerShell cmdlets. Note that the cmdlets that you'll use for this configuration may be slightly different than what you might be familiar with. Be sure to use the cmdlets specified in these instructions. -2. Create a schema for your virtual network. For more information about the configuration schema, see [Azure Virtual Network configuration schema](/previous-versions/azure/reference/jj157100(v=azure.100)). +1. You need to install the latest version of the [Azure PowerShell cmdlets](/powershell/azure/). The cmdlets that you use for this configuration may be slightly different than what you might be familiar with. Be sure to use the cmdlets specified in these instructions. ++1. Create a schema for your virtual network. For more information about the configuration schema, see [Azure Virtual Network configuration schema](/previous-versions/azure/reference/jj157100(v=azure.100)). When you create your schema, make sure you use the following values: * The gateway subnet for the virtual network must be /27 or a shorter prefix (such as /26 or /25).- * The gateway connection type is "Dedicated". + * The gateway connection type is *Dedicated*. ```xml <VirtualNetworkSite name="MyAzureVNET" Location="Central US"> This procedure will walk you through creating a VNet and create Site-to-Site and </Gateway> </VirtualNetworkSite> ```-3. After creating and configuring your xml schema file, upload the file. This will create your virtual network. +1. After creating and configuring your xml schema file, upload the file to create your virtual network. Use the following cmdlet to upload your file, replacing the value with your own. ```azurepowershell Set-AzureVNetConfig -ConfigurationPath 'C:\NetworkConfig.xml' ```-4. <a name="gw"></a>Create an ExpressRoute gateway. 
Be sure to specify the GatewaySKU as *Standard*, *HighPerformance*, or *UltraPerformance* and the GatewayType as *DynamicRouting*. +1. <a name="gw"></a>Create an ExpressRoute gateway. Be sure to specify the GatewaySKU as *Standard*, *HighPerformance*, or *UltraPerformance* and the GatewayType as *DynamicRouting*. Use the following sample, substituting the values for your own. ```azurepowershell New-AzureVNetGateway -VNetName MyAzureVNET -GatewayType DynamicRouting -GatewaySKU HighPerformance ```-5. Link the ExpressRoute gateway to the ExpressRoute circuit. After this step has been completed, the connection between your on-premises network and Azure, through ExpressRoute, is established. +1. Link the ExpressRoute gateway to the ExpressRoute circuit. After this step has been completed, the connection between your on-premises network and Azure, through ExpressRoute, is established. ```azurepowershell New-AzureDedicatedCircuitLink -ServiceKey <service-key> -VNetName MyAzureVNET ```-6. <a name="vpngw"></a>Next, create your Site-to-Site VPN gateway. The GatewaySKU must be *Standard*, *HighPerformance*, or *UltraPerformance* and the GatewayType must be *DynamicRouting*. +1. <a name="vpngw"></a>Next, create your Site-to-Site VPN gateway. The GatewaySKU must be *Standard*, *HighPerformance*, or *UltraPerformance* and the GatewayType must be *DynamicRouting*. ```azurepowershell New-AzureVirtualNetworkGateway -VNetName MyAzureVNET -GatewayName S2SVPN -GatewayType DynamicRouting -GatewaySKU HighPerformance This procedure will walk you through creating a VNet and create Site-to-Site and OperationId : 42773656-85e1-a6b6-8705-35473f1e6f6a OperationStatus : Succeeded ```-7. Create a local site VPN gateway entity. This command doesnΓÇÖt configure your on-premises VPN gateway. Rather, it allows you to provide the local gateway settings, such as the public IP and the on-premises address space, so that the Azure VPN gateway can connect to it. +1. 
Create a local site VPN gateway entity. This command doesnΓÇÖt configure your on-premises VPN gateway. Rather, it allows you to provide the local gateway settings, such as the public IP and the on-premises address space, so that the Azure VPN gateway can connect to it. > [!IMPORTANT] > The local site for the Site-to-Site VPN is not defined in the netcfg. Instead, you must use this cmdlet to specify the local site parameters. You cannot define it using either portal, or the netcfg file.- > > Use the following sample, replacing the values with your own. This procedure will walk you through creating a VNet and create Site-to-Site and > [!NOTE] > If your local network has multiple routes, you can pass them all in as an array. $MyLocalNetworkAddress = @("10.1.2.0/24","10.1.3.0/24","10.2.1.0/24") - > - > + > To retrieve the virtual network gateway settings, including the gateway ID and the public IP, use the `Get-AzureVirtualNetworkGateway` cmdlet. See the following example. This procedure will walk you through creating a VNet and create Site-to-Site and OperationStatus : Succeeded ``` - 1. Configure your local VPN device to connect to the new gateway. Use the information that you retrieved in step 6 when configuring your VPN device. For more information about VPN device configuration, see [VPN Device Configuration](../vpn-gateway/vpn-gateway-about-vpn-devices.md).-2. Link the Site-to-Site VPN gateway on Azure to the local gateway. ++1. Link the Site-to-Site VPN gateway on Azure to the local gateway. In this example, connectedEntityId is the local gateway ID, which you can find by running `Get-AzureLocalNetworkGateway`. You can find virtualNetworkGatewayId by using the `Get-AzureVirtualNetworkGateway` cmdlet. After this step, the connection between your local network and Azure via the Site-to-Site VPN connection is established. 
This procedure will walk you through creating a VNet and create Site-to-Site and ``` ## <a name="add"></a>To configure coexisting connections for an already existing VNet-If you have an existing virtual network, check the gateway subnet size. If the gateway subnet is /28 or /29, you must first delete the virtual network gateway and increase the gateway subnet size. The steps in this section will show you how to do that. -If the gateway subnet is /27 or larger and the virtual network is connected via ExpressRoute, you can skip the steps below and proceed to ["Step 6 - Create a Site-to-Site VPN gateway"](#vpngw) in the previous section. +If you have an existing virtual network, check the gateway subnet size. If the gateway subnet is /28 or /29, you must first delete the virtual network gateway and increase the gateway subnet size. The steps in this section show you how to do that. ++If the gateway subnet is /27 or larger and the virtual network is connected via ExpressRoute, you can skip these steps and proceed to ["Step 6 - Create a Site-to-Site VPN gateway"](#vpngw) in the previous section. > [!NOTE] > When you delete the existing gateway, your local premises will lose the connection to your virtual network while you are working on this configuration. > > -1. You'll need to install the latest version of the Azure Resource Manager PowerShell cmdlets. See [How to install and configure Azure PowerShell](/powershell/azure/) for more information about installing the PowerShell cmdlets. Note that the cmdlets that you'll use for this configuration may be slightly different than what you might be familiar with. Be sure to use the cmdlets specified in these instructions. -2. Delete the existing ExpressRoute or Site-to-Site VPN gateway. Use the following cmdlet, replacing the values with your own. +1. You need to install the latest version of the [Azure Resource Manager PowerShell cmdlets](/powershell/azure/). 
The cmdlets that you use for this configuration may be slightly different than what you might be familiar with. Be sure to use the cmdlets specified in these instructions. ++1. Delete the existing ExpressRoute or Site-to-Site VPN gateway. Use the following cmdlet, replacing the values with your own. ```azurepowershell Remove-AzureVNetGateway ΓÇôVnetName MyAzureVNET ```-3. Export the virtual network schema. Use the following PowerShell cmdlet, replacing the values with your own. +1. Export the virtual network schema. Use the following PowerShell cmdlet, replacing the values with your own. ```azurepowershell Get-AzureVNetConfig ΓÇôExportToFile "C:\NetworkConfig.xml" ```-4. Edit the network configuration file schema so that the gateway subnet is /27 or a shorter prefix (such as /26 or /25). See the following example. +1. Edit the network configuration file schema so that the gateway subnet is /27 or a shorter prefix (such as /26 or /25). See the following example. > [!NOTE] > If you don't have enough IP addresses left in your virtual network to increase the gateway subnet size, you need to add more IP address space. For more information about the configuration schema, see [Azure Virtual Network configuration schema](/previous-versions/azure/reference/jj157100(v=azure.100)). If the gateway subnet is /27 or larger and the virtual network is connected via <AddressPrefix>10.17.159.224/27</AddressPrefix> </Subnet> ```-5. If your previous gateway was a Site-to-Site VPN, you must also change the connection type to **Dedicated**. +1. If your previous gateway was a Site-to-Site VPN, you must also change the connection type to **Dedicated**. ```xml <Gateway> If the gateway subnet is /27 or larger and the virtual network is connected via </ConnectionsToLocalNetwork> </Gateway> ```-6. At this point, you'll have a VNet with no gateways. 
To create new gateways and complete your connections, you can proceed with [Step 4 - Create an ExpressRoute gateway](#gw), found in the preceding set of steps. +1. At this point, you have a VNet with no gateways. To create new gateways and complete your connections, you can proceed with [Step 4 - Create an ExpressRoute gateway](#gw), found in the preceding set of steps. ## Next steps+ For more information about ExpressRoute, see the [ExpressRoute FAQ](expressroute-faqs.md) |
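Review bot: the step "Configure your local VPN device to connect to the new gateway ... see [VPN Device Configuration]" is deleted in the "To create a new virtual network and coexisting connections" hunk with no replacement in the visible lines, while the retained IMPORTANT note for the local site entity still says the cmdlet "doesn't configure your on-premises VPN gateway"; unless that step was moved elsewhere, restore it (renumbered to "1." like its neighbours) so readers still learn that the on-premises device must be configured before the Site-to-Site link comes up. The new IMPORTANT text also introduces a grammatical error, "before you proceeding" should be "before you proceed", and the rewording elsewhere in the hunk produced "This set up only applies" (should be "This setup only applies"), "Data flow through the Site-to-Site VPN path only if" (should be "Data flows"), and "The article section ... walk you through" (should be "walks").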
expressroute | Expressroute Howto Ipsec Transport Private Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-howto-ipsec-transport-private-windows.md | Title: 'Azure ExpressRoute private peering: Configure IPsec transport mode - Win description: How to enable IPsec transport mode between Azure Windows VMs and on-premises Windows hosts through ExpressRoute private peering using GPOs and OUs. - Previously updated : 01/07/2021 Last updated : 06/30/2023 -- + # Configure IPsec transport mode for ExpressRoute private peering -This article helps you create IPsec tunnels in transport mode over ExpressRoute private peering. The tunnel is created between Azure VMs running Windows and on-premises Windows hosts. The steps in this article for this configuration use group policy objects. While it's possible to create this configuration without using organizational units (OUs) and group policy objects (GPOs). The combination of OUs and GPOs will help simplify the control of your security policies and allows you to quickly scale up. The steps in this article assume you already have an Active Directory configuration and you're familiar with using OUs and GPOs. +This article helps you create IPsec tunnels in transport mode over ExpressRoute private peering. The tunnel is created between Azure VMs running Windows and on-premises Windows hosts. The steps in this article for this configuration use group policy objects. While it's possible to create this configuration without using organizational units (OUs) and group policy objects (GPOs). The combination of OUs and GPOs help simplify the control of your security policies and allows you to quickly scale up. The steps in this article assume you already have an Active Directory configuration and you're familiar with using OUs and GPOs. ## About this configuration -The configuration in the following steps uses a single Azure virtual network (VNet) with ExpressRoute private peering. 
However, this configuration can span over other Azure VNets and on-premises networks. This article will help you define an IPsec encryption policy that you can apply to a group of Azure VMs or on-premises hosts. These Azure VMs or on-premises hosts are part of the same OU. You configure encryption between the Azure VMs (vm1 and vm2), and the on-premises host1 only for HTTP traffic with destination port 8080. Different types of IPsec policy can be created based on your requirements. +The configuration in the following steps uses a single Azure virtual network (VNet) with ExpressRoute private peering. However, this configuration can span over other Azure VNets and on-premises networks. This article helps you define an IPsec encryption policy that you can apply to a group of Azure VMs or on-premises hosts. These Azure VMs or on-premises hosts are part of the same OU. You configure encryption between the Azure VMs (vm1 and vm2), and the on-premises host1 only for HTTP traffic with destination port 8080. Different types of IPsec policy can be created based on your requirements. ### Working with OUs The security policy associated with an OU is pushed to the computers via GPO. A few advantages to using OUs, rather than applying policies to a single host, are: * Associating a policy with an OU guarantees that computers that belong to the same OU get the same policies.-* Changing the security policy associated with OU will apply the changes to all hosts in the OU. +* Changing the security policy associated with OU applies the changes to all hosts in the OU. ### Diagrams Ensure that you meet the following prerequisites: * You must have an active ExpressRoute circuit. * For information about creating an ExpressRoute circuit, see [Create an ExpressRoute circuit](expressroute-howto-circuit-arm.md). - * Verify that the circuit is enabled by your connectivity provider. + * Verify that the circuit get enabled by your connectivity provider. 
* Verify that you have Azure private peering configured for your circuit. See the [configure routing](expressroute-howto-routing-arm.md) article for routing instructions. - * Verify that you have a VNet and a virtual network gateway created and fully provisioned. Follow the instructions to [create a virtual network gateway for ExpressRoute](expressroute-howto-add-gateway-resource-manager.md). A virtual network gateway for ExpressRoute uses the GatewayType 'ExpressRoute', not VPN. + * Verify that you have a VNet and a virtual network gateway created and fully provisioned. Follow the instructions to [create a virtual network gateway for ExpressRoute](expressroute-howto-add-gateway-resource-manager.md). A virtual network gateway for ExpressRoute uses the GatewayType *ExpressRoute*, not VPN. * The ExpressRoute virtual network gateway must be connected to the ExpressRoute circuit. For more information, see [Connect a VNet to an ExpressRoute circuit](expressroute-howto-linkvnet-arm.md). Ensure that you meet the following prerequisites: ## <a name="creategpo"></a>1. Create a GPO -1. Create a new GPO linked to an OU by opening the Group Policy Management snap-in. Then locate the OU to which the GPO will be linked. In the example, the OU is named **IPSecOU**. +1. Create a new GPO linked to an OU by opening the Group Policy Management snap-in. Then locate the OU to which the GPO gets linked. In the example, the OU is named **IPSecOU**. [![9]][9] 2. In the Group Policy Management snap-in, select the OU, and right-click. In the dropdown, select "**Create a GPO in this domain, and Link it here…**". Create a filter list that specifies encrypted HTTP traffic with destination port 7. On the **IP Protocol Type** page, select **TCP**. Then, select **Next**. [![30]][30]-8. On the **IP Protocol Port** page, select **From any port** and **To this port:**. Type **8080** in the text box. These settings specify only the HTTP traffic on destination port 8080 will be encrypted. 
Then, select **Next**. +8. On the **IP Protocol Port** page, select **From any port** and **To this port:**. Type **8080** in the text box. These settings specify only the HTTP traffic on destination port 8080 gets encrypted. Then, select **Next**. [![31]][31] 9. View the IP filter list. The configuration of the IP Filter List **azure-onpremises-HTTP8080** triggers encryption for all traffic that matches the following criteria: To encrypt the same type of traffic from the on-premises host to the Azure VM, y [![36]][36] -If encryption is required between an on-premises location and an Azure subnet to protect an application. Instead of modifying the existing IP filter list, you can add a new IP filter list. Associating two or more IP filters lists to the same IPsec policy will provide you with more flexibility. You can modify or remove an IP filter list without affecting the other IP filter lists. +If encryption is required between an on-premises location and an Azure subnet to protect an application. Instead of modifying the existing IP filter list, you can add a new IP filter list. Associating two or more IP filters lists to the same IPsec policy can provide you with more flexibility. You can modify or remove an IP filter list without affecting the other IP filter lists. ## <a name="ipsecpolicy"></a>6. Create an IPsec security policy Add to the IPsec policy the **IP Filter List** and **Filter Action** that you pr [![42]][42] 3. A rule provides the option to define the IPsec mode: tunnel mode or transport mode. - * In tunnel mode, the original packet is encapsulated by a set of IP headers. Tunnel mode protects the internal routing information by encrypting the IP header of the original packet. Tunnel mode is widely implemented between gateways in site-to-site VPN scenarios. Tunnel mode is in most of cases used for end-to-end encryption between hosts. + * In tunnel mode, the original packet gets encapsulated with a set of IP headers. 
Tunnel mode protects the internal routing information by encrypting the IP header of the original packet. Tunnel mode is widely implemented between gateways in site-to-site VPN scenarios. Tunnel mode is in most of cases used for end-to-end encryption between hosts. * Transport mode encrypts only the payload and ESP trailer; the IP header of the original packet isn't encrypted. In transport mode, the IP source and IP destination of the packets are unchanged. Add to the IPsec policy the **IP Filter List** and **Filter Action** that you pr 6. Select the existing Filter Action **myEncryption** that you created previously. [![46]][46]-7. Windows supports four distinct types of authentications: Kerberos, certificates, NTLMv2, and pre-shared key. Since we're working with domain-joined hosts, select **Active Directory default (Kerberos V5 protocol)**, and then select **Next**. +7. Windows supports four distinct types of authentications: Kerberos, certificates, NTLMv2, and preshared key. Since we're working with domain-joined hosts, select **Active Directory default (Kerberos V5 protocol)**, and then select **Next**. [![47]][47] 8. The new policy creates the security rule: **azure-onpremises-HTTP8080**. Select **OK**. The IPsec policy requires all HTTP connections on the destination port 8080 to u [![49]][49] 2. To assign the security group policy to the OU **IPSecOU**, right-click the security policy and chose **Assign**.- Every computer that belongs to the OU will have the security group policy assigned. + Every computer that belongs to the OU has the security group policy assigned. [![50]][50] |
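Review bot: in the IPsec mode bullets, "Tunnel mode is in most of cases used for end-to-end encryption between hosts" is carried over unchanged into the + line yet contradicts both the sentence before it ("Tunnel mode is widely implemented between gateways in site-to-site VPN scenarios") and the next bullet, which describes transport mode as the mode that leaves the original IP header and host addresses intact; since this article configures host-to-host transport mode, correct the sentence to "Transport mode is in most cases used for end-to-end encryption between hosts" while the bullet is being reworded. Several of the "will"-removals also produced awkward or wrong forms: "Verify that the circuit get enabled by your connectivity provider" should be "is enabled", "The combination of OUs and GPOs help simplify" needs "helps", and "the OU to which the GPO gets linked" reads better as "is linked". The retained fragment "If encryption is required between an on-premises location and an Azure subnet to protect an application." should be joined to the following sentence with a comma, and "two or more IP filters lists" should be "IP filter lists".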
expressroute | Expressroute Howto Linkvnet Classic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-howto-linkvnet-classic.md | Title: 'Azure ExpressRoute: Link a VNet to a circuit: classic' description: This document provides an overview of how to link virtual networks (VNets) to ExpressRoute circuits by using the classic deployment model and PowerShell. - Previously updated : 12/06/2019 Last updated : 06/30/2023 -This article will help you link virtual networks (VNets) to Azure ExpressRoute circuits using PowerShell. A single VNet can be linked to up to four ExpressRoute circuits. Use the steps in this article to create a new link to each ExpressRoute circuit you are connecting to. The ExpressRoute circuits can be in the same subscription, different subscriptions, or a mix of both. This article applies to virtual networks created using the classic deployment model. +This article helps you link virtual networks (VNets) to Azure ExpressRoute circuits using PowerShell. A single VNet can be linked to up to four ExpressRoute circuits. Use the steps in this article to create a new link to each ExpressRoute circuit you're connecting to. The ExpressRoute circuits can be in the same subscription, different subscriptions, or a mix of both. This article applies to virtual networks created using the classic deployment model. You can link up to 10 virtual networks to an ExpressRoute circuit. All virtual networks must be in the same geopolitical region. You can link a larger number of virtual networks to your ExpressRoute circuit, or link virtual networks that are in other geopolitical regions if you enable the ExpressRoute premium add-on. Check the [FAQ](expressroute-faqs.md) for more details about the premium add-on. You can link up to 10 virtual networks to an ExpressRoute circuit. 
All virtual n [!INCLUDE [classic powershell install instructions](../../includes/expressroute-poweshell-classic-install-include.md)] ## Connect a virtual network in the same subscription to a circuit+ You can link a virtual network to an ExpressRoute circuit by using the following cmdlet. Make sure that the virtual network gateway is created and is ready for linking before you run the cmdlet. ```powershell New-AzureDedicatedCircuitLink -ServiceKey "*****************************" -VNetN Provisioned ``` ## Remove a virtual network link to a circuit+ You can remove a virtual network link to an ExpressRoute circuit by using the following cmdlet. Make sure that the current subscription is selected for the given virtual network. ```powershell Remove-AzureDedicatedCircuitLink -ServiceKey "*****************************" -VN ``` ## Connect a virtual network in a different subscription to a circuit+ You can share an ExpressRoute circuit across multiple subscriptions. The following figure shows a simple schematic of how sharing works for ExpressRoute circuits across multiple subscriptions. Each of the smaller clouds within the large cloud is used to represent subscriptions that belong to different departments within an organization. Each of the departments within the organization can use their own subscription for deploying their services--but the departments can share a single ExpressRoute circuit to connect back to your on-premises network. A single department (in this example: IT) can own the ExpressRoute circuit. Other subscriptions within the organization can use the ExpressRoute circuit. Each of the smaller clouds within the large cloud is used to represent subscript  ### Administration-The *circuit owner* is the administrator/coadministrator of the subscription in which the ExpressRoute circuit is created. The circuit owner can authorize administrators/coadministrators of other subscriptions, referred to as *circuit users*, to use the dedicated circuit that they own. 
Circuit users who are authorized to use the organization's ExpressRoute circuit can link the virtual network in their subscription to the ExpressRoute circuit after they are authorized. -The circuit owner has the power to modify and revoke authorizations at any time. Revoking an authorization will result in all links being deleted from the subscription whose access was revoked. +The *circuit owner* is the administrator/coadministrator of the subscription in which the ExpressRoute circuit is created. The circuit owner can authorize administrators/coadministrators of other subscriptions, referred to as *circuit users*, to use the dedicated circuit that they own. Circuit users who are authorized to use the organization's ExpressRoute circuit can link the virtual network in their subscription to the ExpressRoute circuit after they're authorized. ++The circuit owner has the power to modify and revoke authorizations at any time. Revoking an authorization results in all links being deleted from the subscription whose access was revoked. > [!NOTE] > Circuit owner is not an built-in RBAC role or defined on the ExpressRoute resource. The circuit owner has the power to modify and revoke authorizations at any time. **Creating an authorization** -The circuit owner authorizes the administrators of other subscriptions to use the specified circuit. In the following example, the administrator of the circuit (Contoso IT) enables the administrator of another subscription (Dev-Test) to link up to two virtual networks to the circuit. The Contoso IT administrator enables this by specifying the Dev-Test Microsoft ID. The cmdlet doesn't send email to the specified Microsoft ID. The circuit owner needs to explicitly notify the other subscription owner that the authorization is complete. +The circuit owner authorizes the administrators of other subscriptions to use the specified circuit. 
In the following example, the administrator of the circuit (Contoso IT) enables the administrator of another subscription (Dev-Test) to link up to two virtual networks to the circuit. The Contoso IT administrator enables this authorization by specifying the Dev-Test Microsoft ID. The cmdlet doesn't send email to the specified Microsoft ID. The circuit owner needs to explicitly notify the other subscription owner that the authorization is complete. ```powershell New-AzureDedicatedCircuitLinkAuthorization -ServiceKey "**************************" -Description "Dev-Test Links" -Limit 2 -MicrosoftIds 'devtest@contoso.com' |
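Review bot: the retained NOTE line "Circuit owner is not an built-in RBAC role or defined on the ExpressRoute resource" has an article error; since the surrounding Administration paragraphs are being rewritten in this hunk, fix it to "isn't a built-in RBAC role" in the same pass.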
expressroute | Expressroute Howto Reset Peering Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-howto-reset-peering-portal.md | Title: 'Azure ExpressRoute: Reset circuit peerings by using the Azure portal' description: Learn how to disable and enable peerings of an Azure ExpressRoute circuit by using the Azure portal. - Previously updated : 11/30/2020 Last updated : 06/30/2023 -> [!Note] +> [!NOTE] > The first time you configure the peerings on your ExpressRoute circuit, the peerings are enabled by default. Resetting your ExpressRoute peerings might be helpful in the following scenarios: * You're testing your disaster recovery design and implementation. For example, assume that you have two ExpressRoute circuits. You can disable the peerings of one circuit and force your network traffic to use the other circuit. -* You want to enable Bidirectional Forwarding Detection (BFD) on Azure private peering or Microsoft peering. If your ExpressRoute circuit was created before August 1, 2018, on Azure private peering or before January 10, 2020, on Microsoft peering, BFD was not enabled by default. Reset the peering to enable BFD. +* You want to enable Bidirectional Forwarding Detection (BFD) on Azure private peering or Microsoft peering. If your ExpressRoute circuit was created before August 1, 2018, on Azure private peering or before January 10, 2020, on Microsoft peering, BFD wasn't enabled by default. Reset the peering to enable BFD. ## Sign in to the Azure portal |
expressroute | Expressroute Howto Routing Arm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-howto-routing-arm.md | This tutorial helps you create and manage routing configuration for an ExpressRo > * [PowerShell (classic)](expressroute-howto-routing-classic.md) > -These instructions only apply to circuits created with service providers offering Layer 2 connectivity services. If you're using a service provider that offers managed Layer 3 services (typically an IPVPN, like MPLS), your connectivity provider will configure and manage routing for you. +These instructions only apply to circuits created with service providers offering Layer 2 connectivity services. If you're using a service provider that offers managed Layer 3 services, typically an IPVPN, like MPLS, your connectivity provider configures and manages network routing for you. > [!IMPORTANT] > We currently do not advertise peerings configured by service providers through the service management portal. We are working on enabling this capability soon. Check with your service provider before configuring BGP peerings. This section helps you create, get, update, and delete the Azure private peering 1. Import the PowerShell module for ExpressRoute. - Install the latest PowerShell installer from [PowerShell Gallery](https://www.powershellgallery.com/). Then import the Azure Resource Manager modules into the PowerShell session in order to start using the ExpressRoute cmdlets. You'll need to run PowerShell as an Administrator. + Install the latest PowerShell installer from [PowerShell Gallery](https://www.powershellgallery.com/). Then import the Azure Resource Manager modules into the PowerShell session in order to start using the ExpressRoute cmdlets. You need to run PowerShell as an Administrator. ```azurepowershell-interactive Install-Module Az This section helps you create, get, update, and delete the Azure private peering ``` 4. 
Configure Azure private peering for the circuit. Make sure that you have the following items before you continue with the next steps: - * A pair of subnets that are not part of any address space reserved for virtual networks. One subnet will be used for the primary link, while the other will be used for the secondary link. From each of these subnets, you will assign the first usable IP address to your router as Microsoft uses the second usable IP for its router. You have three options for this pair of subnets: + * A pair of subnets that aren't part of any address space reserved for virtual networks. One subnet is used for the primary link, while the other is used for the secondary link. From each of these subnets, you assign the first usable IP address to your router as Microsoft uses the second usable IP for its router. You have three options for this pair of subnets: * IPv4: Two /30 subnets. * IPv6: Two /126 subnets. * Both: Two /30 subnets and two /126 subnets. |
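Review bot: the `+` line in step 1 keeps "You need to run PowerShell as an Administrator", but elevation is only required when `Install-Module Az` installs for all users; `Install-Module Az -Scope CurrentUser` installs into the user's profile with no administrative rights, which is the lower-privilege instruction a how-to should give. Suggested wording: "Install the Az module with `Install-Module Az -Scope CurrentUser`. Run PowerShell as an Administrator only if you want the module installed for all users." Separately, the `[!IMPORTANT]` note carried as context in this hunk still says "We are working on enabling this capability soon"; an undated "soon" ages badly, so confirm whether it still applies or drop the sentence.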
expressroute | Expressroute Howto Set Global Reach Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-howto-set-global-reach-portal.md | Enable connectivity between your on-premises networks. There are separate sets o :::image type="content" source="./media/expressroute-howto-set-global-reach-portal/add-global-reach-configuration.png" alt-text="Screenshot of adding Global Reach in Overview tab."::: -1. Select **Save** to complete the Global Reach configuration. When the operation completes, you'll have connectivity between your two on-premises networks through both ExpressRoute circuits. +1. Select **Save** to complete the Global Reach configuration. When the operation completes, you have connectivity between your two on-premises networks through both ExpressRoute circuits. :::image type="content" source="./media/expressroute-howto-set-global-reach-portal/save-configuration.png" alt-text="Screenshot of the save button for Global Reach configuration."::: Enable connectivity between your on-premises networks. There are separate sets o ### ExpressRoute circuits in different Azure subscriptions -If the two circuits aren't in the same Azure subscription, you'll need authorization. In the following configuration, authorization is generated from circuit 2's subscription. The authorization key is then passed to circuit 1. +If the two circuits aren't in the same Azure subscription, you need authorization. In the following configuration, authorization is generated from circuit 2's subscription. The authorization key is then passed to circuit 1. 1. Generate an authorization key. If the two circuits aren't in the same Azure subscription, you'll need authoriza :::image type="content" source="./media/expressroute-howto-set-global-reach-portal/add-global-reach-configuration-with-authorization.png" alt-text="Screenshot of Add Global Reach with authorization key."::: -1. Select **Save** to complete the Global Reach configuration. 
When the operation completes, you'll have connectivity between your two on-premises networks through both ExpressRoute circuits. +1. Select **Save** to complete the Global Reach configuration. When the operation completes, you have connectivity between your two on-premises networks through both ExpressRoute circuits. ## Verify the configuration |
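Review bot: in the cross-subscription hunk the `+` line says "authorization is generated from circuit 2's subscription. The authorization key is then passed to circuit 1" without saying how it should be passed. That key is the only thing the owner of circuit 1 needs to attach to circuit 2's private peering, so the article should treat it as a credential: add a sentence that the key is shared with the other subscription's owner over a secure channel rather than pasted into tickets, chat or email, and that it should not be stored alongside the screenshots of the portal steps.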
expressroute | Expressroute Howto Set Global Reach | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-howto-set-global-reach.md | Title: 'Azure ExpressRoute: Configure Global Reach' description: This article helps you link ExpressRoute circuits together to make a private network between your on-premises networks and enable Global Reach. - Previously updated : 02/25/2019 Last updated : 06/30/2023 - # Configure ExpressRoute Global Reach This article helps you configure ExpressRoute Global Reach using PowerShell. For ## Before you begin -Before you start configuration, confirm the following: +Before you start configuration, confirm the following information: * You understand ExpressRoute circuit provisioning [workflows](expressroute-workflows.md). * Your ExpressRoute circuits are in a provisioned state. Enable connectivity between your on-premises networks. There are separate sets o $ckt_1 = Get-AzExpressRouteCircuit -Name "Your_circuit_1_name" -ResourceGroupName "Your_resource_group" $ckt_2 = Get-AzExpressRouteCircuit -Name "Your_circuit_2_name" -ResourceGroupName "Your_resource_group" ```-2. Run the following command against circuit 1, and pass in the private peering ID of circuit 2. When running the command, note the following: +2. Run the following command against circuit 1, and pass in the private peering ID of circuit 2. * The private peering ID looks similar to the following example: ``` /subscriptions/{your_subscription_id}/resourceGroups/{your_resource_group}/providers/Microsoft.Network/expressRouteCircuits/{your_circuit_name}/peerings/AzurePrivatePeering ```- * *-AddressPrefix* must be a /29 IPv4 subnet, for example, "10.0.0.0/29". We use IP addresses in this subnet to establish connectivity between the two ExpressRoute circuits. You shouldnΓÇÖt use the addresses in this subnet in your Azure virtual networks, or in your on-premises network. + * *-AddressPrefix* must be a /29 IPv4 subnet, for example, `10.0.0.0/29`. 
We use IP addresses in this subnet to establish connectivity between the two ExpressRoute circuits. You shouldnΓÇÖt use the addresses in this subnet in your Azure virtual networks, or in your on-premises network. ```azurepowershell-interactive Add-AzExpressRouteCircuitConnectionConfig -Name 'Your_connection_name' -ExpressRouteCircuit $ckt_1 -PeerExpressRouteCircuitPeering $ckt_2.Peerings[0].Id -AddressPrefix '__.__.__.__/29' Enable connectivity between your on-premises networks. There are separate sets o Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt_1 ``` -When the previous operation completes, you will have connectivity between your on-premises networks on both sides through your two ExpressRoute circuits. +When the previous operation completes, you have connectivity between your on-premises networks on both sides through your two ExpressRoute circuits. ### ExpressRoute circuits in different Azure subscriptions -If the two circuits are not in the same Azure subscription, you need authorization. In the following configuration, authorization is generated in the circuit 2 subscription, and the authorization key is passed to circuit 1. +If the two circuits aren't in the same Azure subscription, you need authorization. In the following configuration, authorization is generated in the circuit 2 subscription, and the authorization key is passed to circuit 1. 1. Generate an authorization key. If the two circuits are not in the same Azure subscription, you need authorizati Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt_2 ``` - Make a note of the private peering ID of circuit 2, as well as the authorization key. + Make a note of the private peering ID of circuit 2, and the authorization key. 2. Run the following command against circuit 1. Pass in the private peering ID of circuit 2 and the authorization key. 
```azurepowershell-interactive If the two circuits are not in the same Azure subscription, you need authorizati Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt_1 ``` -When the previous operation completes, you will have connectivity between your on-premises networks on both sides through your two ExpressRoute circuits. +When the previous operation completes, you have connectivity between your on-premises networks on both sides through your two ExpressRoute circuits. ## Verify the configuration Use the following command to verify the configuration on the circuit where the c $ckt_1 = Get-AzExpressRouteCircuit -Name "Your_circuit_1_name" -ResourceGroupName "Your_resource_group" ``` -If you simply run *$ckt_1* in PowerShell, you see *CircuitConnectionStatus* in the output. It tells you whether the connectivity is established, "Connected", or "Disconnected". +If you simply run *$ckt_1* in PowerShell, you see *CircuitConnectionStatus* in the output. It tells you whether the connectivity is established, **Connected** or **Disconnected**. ## Disable connectivity After the previous operation is complete, you no longer have connectivity betwee ## Update connectivity configuration -To update the Global Reach connectivity configuration run the following command against one of the ExpressRoute circuits. +To update the Global Reach connectivity configuration, run the following command against one of the ExpressRoute circuits. ```azurepowershell-interactive $ckt_1 = Get-AzExpressRouteCircuit -Name "Your_circuit_1_name" -ResourceGroupName "Your_resource_group" |
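Review bot: the `Add-AzExpressRouteCircuitConnectionConfig` command in this hunk passes `$ckt_2.Peerings[0].Id` as the peer peering, which assumes the private peering is the first element of the peerings collection; that ordering is not guaranteed on a circuit that also has Microsoft or Azure public peering configured, and the command would then target the wrong peering. Select it by name instead, for example `$pvt = Get-AzExpressRouteCircuitPeeringConfig -Name AzurePrivatePeering -ExpressRouteCircuit $ckt_2` and pass `$pvt.Id`, which also matches the example ID path ending in `/peerings/AzurePrivatePeering` shown just above the command. Also, the rewritten `+` line for `-AddressPrefix` still carries the mis-encoded apostrophe in "shouldnΓÇÖt"; it should read "shouldn't".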
expressroute | Expressroute Move | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-move.md | You can use a single ExpressRoute circuit to connect virtual networks that are d  ## ExpressRoute circuits that are created in the classic deployment model+ ExpressRoute circuits created in the classic deployment model need to migrate to the Resource Manager deployment model first. Only then can enable connectivity to both the classic and the Resource Manager deployment models. Connectivity isn't lost or disrupted when a connection is being moved. All circuit-to-virtual network links in the classic deployment model within the same subscription and cross-subscription are preserved. After the move has successfully completed, the ExpressRoute circuit will behave exactly like an ExpressRoute circuit that was created in the Resource Manager deployment model. You can now create connections to virtual networks in the Resource Manager deployment model. -Once you've moved the ExpressRoute circuit to the Resources Manager deployment model, you can only manage it in Resource Manager deployment model. Operations for managing peerings, updating circuit properties, and deleting circuits will only be available through the Resource Manager deployment model. Refer to the following section for further details on how you can manage access to both deployment models. +Once you've moved the ExpressRoute circuit to the Resources Manager deployment model, you can only manage it in Resource Manager deployment model. Operations for managing peerings, updating circuit properties, and deleting circuits is only available through the Resource Manager deployment model. You don't have to involve your connectivity provider to move your circuit to the Resource Manager deployment model. 
## ExpressRoute circuits that are created in the Resource Manager deployment model+ You can enable ExpressRoute circuits that are created in the Resource Manager deployment model to be accessible from both deployment models. Any ExpressRoute circuit in your subscription can be configured to have access from both deployment models. * ExpressRoute circuits that were created in the Resource Manager deployment model don't have access to the classic deployment model by default. You can enable ExpressRoute circuits that are created in the Resource Manager de > [!IMPORTANT] > All quotas that are documented on the [service limits](../azure-resource-manager/management/azure-subscription-service-limits.md) page apply. As an example, a standard circuit can have at most 10 virtual network links/connections across both the classic and the Resource Manager deployment models. > -> ## Controlling access to the classic deployment model+ You can enable an ExpressRoute circuit to link to virtual networks in both deployment models. To do so, set the **allowClassicOperations** parameter on the ExpressRoute circuit. Setting **allowClassicOperations** to TRUE enables you to link virtual networks from both deployment models to the ExpressRoute circuit. Setting **allowClassicOperations** to TRUE enables you to link virtual networks Setting **allowClassicOperations** to FALSE blocks access to the circuit from the classic deployment model. However, all virtual networks linked in the classic deployment model are still preserved. The ExpressRoute circuit isn't visible in the classic deployment model. 
## Supported operations in the classic deployment model+ The following classic operations are supported on an ExpressRoute circuit when **allowClassicOperations** is set to TRUE: * Get ExpressRoute circuit information However, when **allowClassicOperations** is set to TRUE, you can't execute the f * Delete ExpressRoute circuits ## Communication between the classic and the Resource Manager deployment models+ The ExpressRoute circuit acts like a bridge between the classic and the Resource Manager deployment models. Traffic between virtual networks for both deployment models can pass through the ExpressRoute circuit if both virtual networks are linked to the same circuit. Aggregate throughput is limited by the throughput capacity of the virtual network gateway. Traffic doesn't enter the connectivity provider's networks or your networks in such cases. Traffic flow between the virtual networks is fully contained within the Microsoft network. ## Access to Azure public and Microsoft peering resources+ You can continue to access resources that are typically accessible through Azure public peering and Microsoft peering without any disruption. ## What's supported+ This section describes what's supported for ExpressRoute circuits: * You can use a single ExpressRoute circuit to access virtual networks that are deployed in the classic and the Resource Manager deployment models.-* You can move an ExpressRoute circuit from the classic to the Resource Manager deployment model. Once moved, the ExpressRoute circuit will continue to operate like any other ExpressRoute circuit that is created in the Resource Manager deployment model. -* You can move only the ExpressRoute circuit. Circuit links, virtual networks, and VPN gateways cannot be moved through this operation. -* After an ExpressRoute circuit has been moved to the Resource Manager deployment model, you can manage the life cycle of the ExpressRoute circuit only by using the Resource Manager deployment model. 
This means that you can run operations like adding/updating/deleting peerings, updating circuit properties (such as bandwidth, SKU, and billing type), and deleting circuits only in the Resource Manager deployment model. +* You can move an ExpressRoute circuit from the classic to the Resource Manager deployment model. Once moved, the ExpressRoute circuit continues to operate like any other ExpressRoute circuit that is created in the Resource Manager deployment model. +* You can move only the ExpressRoute circuit. Circuit links, virtual networks, and VPN gateways can't be moved through this operation. +* After an ExpressRoute circuit has been moved to the Resource Manager deployment model, you can manage the life cycle of the ExpressRoute circuit only by using the Resource Manager deployment model. You can run operations like adding/updating/deleting peerings, updating circuit properties (such as bandwidth, SKU, and billing type), and deleting circuits only in the Resource Manager deployment model. * The ExpressRoute circuit acts like a bridge between the classic and the Resource Manager deployment models. Traffic between virtual machines in classic virtual networks and virtual machines in Resource Manager virtual networks can communicate through ExpressRoute if both virtual networks are linked to the same ExpressRoute circuit. * Cross-subscription connectivity is supported in both the classic and the Resource Manager deployment models. * After you move an ExpressRoute circuit from the classic model to the Azure Resource Manager model, you can [migrate the virtual networks linked to the ExpressRoute circuit](expressroute-migration-classic-resource-manager.md). ## What's not supported+ This section describes what's not supported for ExpressRoute circuits: * Managing the life cycle of an ExpressRoute circuit from the classic deployment model. * Azure role-based access control (Azure RBAC) support for the classic deployment model. 
You can't run Azure RBAC controls to a circuit in the classic deployment model. Any administrator/coadministrator of the subscription can link or unlink virtual networks to the circuit. ## Configuration+ Follow the instructions that are described in [Move an ExpressRoute circuit from the classic to the Resource Manager deployment model](expressroute-howto-move-arm.md). ## Next steps+ * [Migrate the virtual networks linked to the ExpressRoute circuit from the classic model to the Azure Resource Manager model](expressroute-migration-classic-resource-manager.md) * For workflow information, see [ExpressRoute circuit provisioning workflows and circuit states](expressroute-workflows.md). * To configure your ExpressRoute connection: |
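Review bot: the "What's not supported" hunk states that Azure RBAC does not apply in the classic model and that any administrator or co-administrator of the subscription can link or unlink virtual networks to the circuit once **allowClassicOperations** is TRUE. That is a least-privilege regression the article should call out where the flag is introduced: recommend setting **allowClassicOperations** back to FALSE as soon as the classic virtual networks are migrated, since the same hunk notes that FALSE blocks classic access while preserving existing classic links. Two wording problems in the `+` lines as well: "Operations for managing peerings, updating circuit properties, and deleting circuits is only available" needs "are", and "Resources Manager deployment model" should be "Resource Manager". The unchanged sentence "Only then can enable connectivity" is missing "you".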
expressroute | Expressroute Nat | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-nat.md | Title: 'Azure ExpressRoute: NAT requirements for circuits' description: This page provides detailed requirements for configuring and managing NAT for ExpressRoute circuits. - Previously updated : 09/18/2019 Last updated : 06/30/2023 - + # ExpressRoute NAT requirements-To connect to Microsoft cloud services using ExpressRoute, youΓÇÖll need to set up and manage NATs. Some connectivity providers offer setting up and managing NAT as a managed service. Check with your connectivity provider to see if they offer such a service. If not, you must adhere to the requirements described below. ++To connect to Microsoft cloud services using ExpressRoute, you need to set up and manage NATs. Some connectivity providers offer setting up and managing NAT as a managed service. Check with your connectivity provider to see if they offer such a service. If not, you must adhere to the requirements described in this article. Review the [ExpressRoute circuits and routing domains](expressroute-circuit-peerings.md) page to get an overview of the various routing domains. To meet the public IP address requirements for Azure public and Microsoft peering, we recommend that you set up NAT between your network and Microsoft. This section provides a detailed description of the NAT infrastructure you need to set up. ## NAT requirements for Microsoft peering-The Microsoft peering path lets you connect to Microsoft cloud services that are not supported through the Azure public peering path. The list of services includes Microsoft 365 services, such as Exchange Online, SharePoint Online, and Skype for Business. Microsoft expects to support bi-directional connectivity on the Microsoft peering. Traffic destined to Microsoft cloud services must be SNATed to valid public IPv4 addresses before they enter the Microsoft network. 
Traffic destined to your network from Microsoft cloud services must be SNATed at your Internet edge to prevent [asymmetric routing](expressroute-asymmetric-routing.md). The figure below provides a high-level picture of how the NAT should be set up for Microsoft peering. ++The Microsoft peering path lets you connect to Microsoft cloud services that aren't supported through the Azure public peering path. The list of services includes Microsoft 365 services, such as Exchange Online, SharePoint Online, and Skype for Business. Microsoft expects to support bi-directional connectivity on the Microsoft peering. Traffic destined to Microsoft cloud services must be SNATed to valid public IPv4 addresses before they enter the Microsoft network. Traffic destined to your network from Microsoft cloud services must be SNATed at your Internet edge to prevent [asymmetric routing](expressroute-asymmetric-routing.md). The following figure provides a high-level picture of how the NAT should be set up for Microsoft peering.  ### Traffic originating from your network destined to Microsoft-* You must ensure that traffic is entering the Microsoft peering path with a valid public IPv4 address. Microsoft must be able to validate the owner of the IPv4 NAT address pool against the regional routing internet registry (RIR) or an internet routing registry (IRR). A check will be performed based on the AS number being peered with and the IP addresses used for the NAT. Refer to the [ExpressRoute routing requirements](expressroute-routing.md) page for information on routing registries. -* IP addresses used for the Azure public peering setup and other ExpressRoute circuits must not be advertised to Microsoft through the BGP session. There is no restriction on the length of the NAT IP prefix advertised through this peering. ++* You must ensure that traffic is entering the Microsoft peering path with a valid public IPv4 address. 
Microsoft must be able to validate the owner of the IPv4 NAT address pool against the regional routing internet registry (RIR) or an internet routing registry (IRR). A check is performed based on the AS number being peered with and the IP addresses used for the NAT. Refer to the [ExpressRoute routing requirements](expressroute-routing.md) page for information on routing registries. +* IP addresses used for the Azure public peering setup and other ExpressRoute circuits must not be advertised to Microsoft through the BGP session. There's no restriction on the length of the NAT IP prefix advertised through this peering. > [!IMPORTANT] > The NAT IP pool advertised to Microsoft must not be advertised to the Internet. This will break connectivity to other Microsoft services. > - > ### Traffic originating from Microsoft destined to your network+ * Certain scenarios require Microsoft to initiate connectivity to service endpoints hosted within your network. A typical example of the scenario would be connectivity to ADFS servers hosted in your network from Microsoft 365. In such cases, you must leak appropriate prefixes from your network into the Microsoft peering. -* You must SNAT Microsoft traffic at the Internet edge for service endpoints within your network to prevent [asymmetric routing](expressroute-asymmetric-routing.md). Requests **and replies** with a destination IP that match a route received via ExpressRoute will always be sent via ExpressRoute. Asymmetric routing exists if the request is received via the Internet with the reply sent via ExpressRoute. SNATing the incoming Microsoft traffic at the Internet edge forces reply traffic back to the Internet edge, resolving the problem. +* You must SNAT Microsoft traffic at the Internet edge for service endpoints within your network to prevent [asymmetric routing](expressroute-asymmetric-routing.md). 
Requests **and replies** with a destination IP that match a route received from ExpressRoute always go through ExpressRoute. Asymmetric routing exists if the request is received via the Internet with the reply sent via ExpressRoute. SNATing the incoming Microsoft traffic at the Internet edge forces reply traffic back to the Internet edge, resolving the problem.  The Azure public peering path enables you to connect to all services hosted in A > Connectivity to Microsoft Azure services on public peering is always initiated from your network into the Microsoft network. Therefore, sessions cannot be initiated from Microsoft Azure services to your network over ExpressRoute. If attempted, packets sent to these advertised IPs will use the internet instead of ExpressRoute. > -Traffic destined to Microsoft Azure on public peering must be SNATed to valid public IPv4 addresses before they enter the Microsoft network. The figure below provides a high-level picture of how the NAT could be set up to meet the above requirement. +Traffic destined to Microsoft Azure on public peering must be SNATed to valid public IPv4 addresses before they enter the Microsoft network. The following figure provides a high-level picture of how the NAT could be set up to meet the above requirement.  ### NAT IP pool and route advertisements-You must ensure that traffic is entering the Azure public peering path with valid public IPv4 address. Microsoft must be able to validate the ownership of the IPv4 NAT address pool against a regional routing Internet registry (RIR) or an Internet routing registry (IRR). A check will be performed based on the AS number being peered with and the IP addresses used for the NAT. Refer to the [ExpressRoute routing requirements](expressroute-routing.md) page for information on routing registries. +You must ensure that traffic is entering the Azure public peering path with valid public IPv4 address. 
Microsoft must be able to validate the ownership of the IPv4 NAT address pool against a regional routing Internet registry (RIR) or an Internet routing registry (IRR). A check is performed based on the AS number being peered with and the IP addresses used for the NAT. Refer to the [ExpressRoute routing requirements](expressroute-routing.md) page for information on routing registries. -There are no restrictions on the length of the NAT IP prefix advertised through this peering. You must monitor the NAT pool and ensure that you are not starved of NAT sessions. +There are no restrictions on the length of the NAT IP prefix advertised through this peering. You must monitor the NAT pool and ensure that you aren't starved of NAT sessions. > [!IMPORTANT] > The NAT IP pool advertised to Microsoft must not be advertised to the Internet. This will break connectivity to other Microsoft services. |
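Review bot: the rewritten Microsoft peering paragraph (`+` line) still says "Microsoft expects to support bi-directional connectivity on the Microsoft peering", but the "Traffic originating from Microsoft destined to your network" section in the same hunk describes Microsoft initiating connections to endpoints such as ADFS servers in your network as a current scenario; replace the future-tense "expects to support" with a plain statement that Microsoft peering is bi-directional. On the security side, the hunk already carries the two controls that keep a prefix you do not own off the peering: the RIR/IRR ownership check on the NAT pool and the IMPORTANT note that the pool must not be advertised to the Internet. It would help to state once, next to that note, that the NAT pool is dedicated to the ExpressRoute peering and is not reused for Internet egress, which is what the `+` line forbidding public-peering addresses on the Microsoft peering session already implies.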
expressroute | Expressroute Network Insights | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-network-insights.md | This article explains how Network Insights can help you view your ExpressRoute :::image type="content" source="./media/expressroute-network-insights/topology-hovered.png" alt-text="Screenshot of hovering over topology view resources." lightbox="./media/expressroute-network-insights/topology-hovered-expanded.png"::: -## View a detailed and pre-loaded metrics dashboard +## View a detailed and preloaded metrics dashboard Once you review the topology of your ExpressRoute setup using the functional dependency view, select **View detailed metrics** to navigated to the detailed metrics view to understand the performance of your circuit. This view offers an organized list of linked resources and a rich dashboard of important ExpressRoute metrics. |
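Review bot: the unchanged sentence directly under the renamed heading reads "select **View detailed metrics** to navigated to the detailed metrics view"; "navigated" should be "navigate". Since this hunk already touches the heading, fix the sentence in the same change.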
expressroute | Expressroute Qos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-qos.md | Title: 'Azure ExpressRoute: QoS requirements' description: This page provides detailed requirements for configuring and managing QoS. Skype for Business/voice services are discussed. - Previously updated : 04/22/2019 Last updated : 06/30/2023 - + # ExpressRoute QoS requirements-Skype for Business has various workloads that require differentiated QoS treatment. If you plan to consume voice services through ExpressRoute, you should adhere to the requirements described below. ++Skype for Business has various workloads that require differentiated QoS treatment. If you plan to consume voice services through ExpressRoute, you should adhere to the requirements described in this article.  > [!NOTE] > QoS requirements apply to the Microsoft peering only. The DSCP values in your network traffic received on Azure private peering will be kept as is, but they won't be used to prioritize the traffic on Microsoft's network. > -> -The following table provides a list of DSCP markings used by Microsoft Teams and Skype for Business. Refer to [Managing QoS for Skype for Business](/SkypeForBusiness/manage/network-management/qos/managing-quality-of-service-QoS) for more information. +The following table provides a list of DSCP markings used by Microsoft Teams and Skype for Business. For more information, see [Managing QoS for Skype for Business](/SkypeForBusiness/manage/network-management/qos/managing-quality-of-service-QoS) for more information. | **Traffic Class** | **Treatment (DSCP Marking)** | **Microsoft Teams and Skype for Business Workloads** | | | | | |
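Review bot: the `+` line now reads "For more information, see [Managing QoS for Skype for Business](...) for more information.", repeating the phrase at both ends; drop the trailing "for more information". The `[!NOTE]` in the same hunk (DSCP values on private peering are preserved but not used for prioritization, so QoS marking only matters on Microsoft peering) is the point readers need and is fine as written.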
expressroute | Expressroute Troubleshooting Arp Resource Manager | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-troubleshooting-arp-resource-manager.md | -> This document is intended to help you diagnose and fix simple issues. It is not intended to be a replacement for Microsoft support. You must open a support ticket with [Microsoft support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) if you are unable to solve the problem using the guidance described below. +> This document is intended to help you diagnose and fix simple issues. It is not intended to be a replacement for Microsoft support. You must open a support ticket with [Microsoft support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) if you are unable to solve the problem using the guidance described in this article. > [!INCLUDE [updated-for-az](../../includes/hybrid-az-ps.md)] Age InterfaceProperty IpAddress MacAddress 0 Microsoft 10.0.0.2 aaaa.bbbb.cccc ``` - The following section provides information on how you can view the ARP tables seen by the ExpressRoute edge routers. ## Prerequisites for learning ARP tables-Ensure that the information below is true before you progress further: -* A valid ExpressRoute circuit configured with at least one peering. The circuit must be fully configured by the connectivity provider. You or your connectivity provider must have configured at least Azure private, Azure public, or Microsoft peering on this circuit. +Ensure that the following information is true before you progress further: ++* A valid ExpressRoute circuit configured with at least one peering. The circuit must be fully configured with the connectivity provider. You or your connectivity provider must have configured at least Azure private, Azure public, or Microsoft peering on this circuit. * IP address ranges used to configure the peerings. 
Review the ip address assignment examples in the [ExpressRoute routing requirements page](expressroute-routing.md) to understand how ip addresses get mapped to interfaces. You can get information on the peering configuration by reviewing the [ExpressRoute peering configuration page](expressroute-howto-routing-arm.md). * Information from your networking team / connectivity provider on the MAC addresses of interfaces used with these IP addresses. * You must have the latest PowerShell module for Azure (version 1.50 or newer). > [!NOTE]-> If layer 3 is provided by the service provider and the ARP tables are blank in the portal/output below, refresh the Circuit configuration using the refresh button on the portal. This operation will apply the right routing configuration on your circuit. -> +> If layer 3 is provided by the service provider and the ARP tables are blank in the portal, refresh the circuit configuration using the refresh button in the portal. This operation will apply the right routing configuration on your circuit. 
> ## Getting the ARP tables for your ExpressRoute circuit Get-AzExpressRouteCircuitARPTable -ResourceGroupName $RG -ExpressRouteCircuitNam Get-AzExpressRouteCircuitARPTable -ResourceGroupName $RG -ExpressRouteCircuitName $Name -PeeringType AzurePrivatePeering -DevicePath Secondary ``` -Sample output is shown below for one of the paths +Sample output for one of the paths: ```output Age InterfaceProperty IpAddress MacAddress Get-AzExpressRouteCircuitARPTable -ResourceGroupName $RG -ExpressRouteCircuitNam Get-AzExpressRouteCircuitARPTable -ResourceGroupName $RG -ExpressRouteCircuitName $Name -PeeringType AzurePublicPeering -DevicePath Secondary ``` -Sample output is shown below for one of the paths +Sample output for one of the paths: ```output Age InterfaceProperty IpAddress MacAddress Get-AzExpressRouteCircuitARPTable -ResourceGroupName $RG -ExpressRouteCircuitNam ``` -Sample output is shown below for one of the paths +Sample output for one of the paths: ```output Age InterfaceProperty IpAddress MacAddress Age InterfaceProperty IpAddress MacAddress ## How to use this information-The ARP table of a peering can be used to determine validate layer 2 configuration and connectivity. This section provides an overview of how ARP tables will look under different scenarios. ++The ARP table of a peering can be used to determine and validate layer 2 configuration and connectivity. This section provides an overview of how ARP tables look under different scenarios. ### ARP table when a circuit is in operational state (expected state)-* The ARP table will have an entry for the on-premises side with a valid IP address and MAC address. The same can be seen for the Microsoft side. -* The last octet of the on-premises ip address will always be an odd number. -* The last octet of the Microsoft ip address will always be an even number. -* The same MAC address will appear on the Microsoft side for all three peerings (primary / secondary). 
+* The ARP table has an entry for the on-premises side with a valid IP address and MAC address. The same can be seen for the Microsoft side. +* The last octet of the on-premises ip address is an odd number. +* The last octet of the Microsoft ip address is an even number. +* The same MAC address appears on the Microsoft side for all three peerings (primary / secondary). ```output Age InterfaceProperty IpAddress MacAddress Age InterfaceProperty IpAddress MacAddress ``` ### ARP table when on-premises / connectivity provider side has problems-If a problem with the on-premises or connectivity provider occurs, the ARP table will show one of two things. You'll either see the on-premises MAC address show incomplete or only see the Microsoft entry in the ARP table. ++If a problem with the on-premises or connectivity provider occurs, the ARP table shows one of two things. You see the on-premises MAC address show incomplete or only see the Microsoft entry in the ARP table. ```output Age InterfaceProperty IpAddress MacAddress Age InterfaceProperty IpAddress MacAddress > ### ARP table when Microsoft side has problems-* You won't see an ARP table shown for a peering if there are issues on the Microsoft side. ++* You don't see an ARP table shown for a peering if there are issues on the Microsoft side. * Open a support ticket with [Microsoft support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade). Specify that you have an issue with layer 2 connectivity. ## Next Steps |
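Review bot: the rewritten "on-premises / connectivity provider side has problems" paragraph in this hunk ("You see the on-premises MAC address show incomplete or only see the Microsoft entry in the ARP table") dropped the "either" from the original and now reads as a run-on; suggest "You either see the on-premises MAC address shown as incomplete, or you see only the Microsoft entry in the ARP table." The untouched prerequisite line above it, "You must have the latest PowerShell module for Azure (version 1.50 or newer)", no longer matches the Get-AzExpressRouteCircuitARPTable cmdlets shown in the same section, which belong to the Az module; state the Az module version that is actually required. Also, "The same MAC address appears on the Microsoft side for all three peerings (primary / secondary)" mixes peerings with paths; say which is meant.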
expressroute | Expressroute Workflows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-workflows.md | Title: 'Azure ExpressRoute: Circuit configuration workflow' description: This page shows the workflow for configuring ExpressRoute circuits and peerings - Previously updated : 08/24/2020 Last updated : 06/30/2023 -- # ExpressRoute workflows for circuit provisioning and circuit states You can ensure that the circuit has been provisioned successfully by verifying t ### 5. Configure routing domains -Configure routing domains. If your connectivity provider manages Layer 3 configuration, they will configure routing for your circuit. If your connectivity provider only offers Layer 2 services or if you are using ExpressRoute Direct, you must configure routing per the guidelines described in the [Routing requirements](expressroute-routing.md) and [Routing configuration](expressroute-howto-routing-classic.md) articles. +Configure routing domains. If your connectivity provider manages Layer 3 configuration, they configure routing for your circuit. If your connectivity provider only offers Layer 2 services or if you're using ExpressRoute Direct, you must configure routing per the guidelines described in the [Routing requirements](expressroute-routing.md) and [Routing configuration](expressroute-howto-routing-classic.md) articles. #### For Azure private peering Enable private peering to connect to VMs and cloud services deployed within the #### For Microsoft peering -Enable this to access Microsoft online services, such as Microsoft 365. Additionally, all Azure PaaS services are accessible through Microsoft peering. You must ensure that you use a separate proxy/edge to connect to Microsoft than the one you use for the Internet. Using the same edge for both ExpressRoute and the Internet will cause asymmetric routing and cause connectivity outages for your network. 
+Enable this peering to access Microsoft online services, such as Microsoft 365. Additionally, all Azure PaaS services are accessible through Microsoft peering. You must ensure that you use a separate proxy/edge to connect to Microsoft than the one you use for the Internet. Using the same edge for both ExpressRoute and the Internet causes asymmetric routing and you experience connectivity issues for your network. * IPv4 subnets: * Peering subnet for path 1 (/30) - must be public IP This section outlines the possible states of an ExpressRoute circuit created und **At creation time** -The ExpressRoute circuit will report the following states at resource creation. +The ExpressRoute circuit reports the following states at resource creation. ```output ServiceProviderProvisioningState : NotProvisioned Status : Enabled **When the connectivity provider is in the process of provisioning the circuit** -The ExpressRoute circuit will report the following states while the connectivity provider is working to provision the circuit. +The ExpressRoute circuit reports the following states while the connectivity provider is working to provision the circuit. ```output ServiceProviderProvisioningState : Provisioning Status : Enabled **When the connectivity provider has completed the provisioning process** -The ExpressRoute circuit will report the following states once the connectivity provider has successfully provisioned the circuit. +The ExpressRoute circuit reports the following states once the connectivity provider has successfully provisioned the circuit. ```output ServiceProviderProvisioningState : Provisioned Status : Enabled **When the connectivity provider is deprovisioning the circuit** -If the ExpressRoute circuit needs to be deprovisioned, the circuit will report the following states once the service provider has completed the deprovisioning process. 
+If the ExpressRoute circuit needs to be deprovisioned, the circuit reports the following states once the service provider has completed the deprovisioning process. ```output ServiceProviderProvisioningState : NotProvisioned You can choose to re-enable it if needed, or run PowerShell cmdlets to delete th The BGP provisioning state reports if the BGP session has been enabled on the Microsoft Edge. The state must be enabled to use private or Microsoft peering. -It is important to check the BGP session state especially for Microsoft peering. In addition to the BGP provisioning state, there is another state called *advertised public prefixes state*. The advertised public prefixes state must be in the *configured* state, both for the BGP session to be up and for your routing to work end-to-end. +It's important to check the BGP session state especially for Microsoft peering. In addition to the BGP provisioning state, there's another state called *advertised public prefixes state*. The advertised public prefixes state must be in the *configured* state, both for the BGP session to be up and for your routing to work end-to-end. -If the advertised public prefix state is set to a *validation needed* state, the BGP session is not enabled, as the advertised prefixes did not match the AS number in any of the routing registries. +If the advertised public prefix state is set to a *validation needed* state, the BGP session isn't enabled, as the advertised prefixes didn't match the AS number in any of the routing registries. > [!IMPORTANT] > If the advertised public prefixes state is in *manual validation* state, you need to open a support ticket with [Microsoft support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) and provide evidence that you own the IP addresses advertised along with the associated Autonomous System number. > -> ## Next steps |
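Review bot: in the "For Microsoft peering" paragraph, the new sentence "Using the same edge for both ExpressRoute and the Internet causes asymmetric routing and you experience connectivity issues for your network" splices two clauses and quietly downgrades the original "connectivity outages" to "issues" with no reason given; suggest "Using the same edge for both ExpressRoute and the Internet causes asymmetric routing, which results in connectivity outages for your network." The rest of the hunk (the will-to-present-tense rewrites and the BGP provisioning / advertised public prefixes state wording) reads fine.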
expressroute | How To Configure Coexisting Gateway Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/how-to-configure-coexisting-gateway-portal.md | Title: 'Configure ExpressRoute and S2S VPN coexisting connections: Azure portal' description: Configure ExpressRoute and a Site-to-Site VPN connection that can coexist for the Resource Manager model using the Azure portal. - Previously updated : 02/15/2022 Last updated : 06/30/2023 -This article helps you configure ExpressRoute and Site-to-Site VPN connections that coexist. Having the ability to configure Site-to-Site VPN and ExpressRoute has several advantages. You can configure Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that aren't connected through ExpressRoute. We'll cover the steps to configure both scenarios in this article. This article applies to the Resource Manager deployment model. +This article helps you configure ExpressRoute and Site-to-Site VPN connections that coexist. Having the ability to configure Site-to-Site VPN and ExpressRoute has several advantages. You can configure Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that aren't connected through ExpressRoute. We cover the steps to configure both scenarios in this article. This article applies to the Resource Manager deployment model. Configuring Site-to-Site VPN and ExpressRoute coexisting connections has several advantages: * You can configure a Site-to-Site VPN as a secure failover path for ExpressRoute. * Alternatively, you can use Site-to-Site VPNs to connect to sites that aren't connected through ExpressRoute. -The steps to configure both scenarios are covered in this article. You can configure either gateway first. Typically, you'll incur no downtime when adding a new gateway or gateway connection. +The steps to configure both scenarios are covered in this article. 
You can configure either gateway first. Typically, you incur no downtime when adding a new gateway or gateway connection. >[!NOTE] >If you want to create a Site-to-Site VPN over an ExpressRoute connection, see [Site-to-site over Microsoft peering](site-to-site-vpn-over-microsoft-peering.md). The steps to configure both scenarios are covered in this article. You can confi * **Only route-based VPN gateway is supported.** You must use a route-based [VPN gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md). You also can use a route-based VPN gateway with a VPN connection configured for 'policy-based traffic selectors' as described in [Connect to multiple policy-based VPN devices](../vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps.md). * **ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU**. * **If you want to use transit routing between ExpressRoute and VPN, the ASN of Azure VPN Gateway must be set to 65515.** Azure VPN Gateway supports the BGP routing protocol. For ExpressRoute and Azure VPN to work together, you must keep the Autonomous System Number of your Azure VPN gateway at its default value, 65515. If you previously selected an ASN other than 65515 and you change the setting to 65515, you must reset the VPN gateway for the setting to take effect.-* **The gateway subnet must be /27 or a shorter prefix**, (such as /26, /25), or you'll receive an error message when you add the ExpressRoute virtual network gateway. -* **Coexistence in a dual-stack vnet is not supported.** If you're using ExpressRoute IPv6 support and a dual-stack ExpressRoute gateway, coexistence with VPN Gateway won't be possible. +* **The gateway subnet must be /27 or a shorter prefix**, such as /26, /25, or you receive an error message when you add the ExpressRoute virtual network gateway. 
+* **Coexistence in a dual-stack vnet is not supported.** If you're using ExpressRoute IPv6 support and a dual-stack ExpressRoute gateway, coexistence with VPN Gateway isn't possible. ## Configuration designs You can configure a Site-to-Site VPN connection as a backup for ExpressRoute. Th ### Configure a Site-to-Site VPN to connect to sites not connected through ExpressRoute You can configure your network where some sites connect directly to Azure over Site-to-Site VPN, and some sites connect through ExpressRoute. ## Selecting the steps to use There are two different sets of procedures to choose from. The configuration procedure that you select depends on whether you have an existing virtual network that you want to connect to, or you want to create a new virtual network. There are two different sets of procedures to choose from. The configuration pro You may already have a virtual network in place with an existing Site-to-Site VPN connection or ExpressRoute connection. In this scenario if the gateway subnet prefix is /28 or longer (/29, /30, etc.), you have to delete the existing gateway. The [To configure coexisting connections for an already existing VNet](#to-configure-coexisting-connections-for-an-already-existing-vnet) section walks you through deleting the gateway, and then creating new ExpressRoute and Site-to-Site VPN connections. - If you delete and recreate your gateway, you'll have downtime for your cross-premises connections. However, your VMs and services will still be able to communicate out through the load balancer while you configure your gateway if they're configured to do so. + If you delete and recreate your gateway, you have downtime for your cross-premises connections. However, your VMs and services can communicate out through the load balancer while you configure your gateway if they're configured to do so. 
## To create a new virtual network and coexisting connections -This procedure walks you through creating a VNet and Site-to-Site and ExpressRoute connections that will coexist. +This procedure walks you through creating a VNet and Site-to-Site and ExpressRoute connections that coexist. 1. Sign in to the [Azure portal](https://portal.azure.com). This procedure walks you through creating a VNet and Site-to-Site and ExpressRou ## To configure coexisting connections for an already existing VNet -If you have a virtual network that has only one virtual network gateway (let's say, Site-to-Site VPN gateway) and you want to add another gateway of a different type (let's say, ExpressRoute gateway), check the gateway subnet size. If the gateway subnet is /27 or larger, you can skip the steps below and follow the steps in the previous section to add either a Site-to-Site VPN gateway or an ExpressRoute gateway. If the gateway subnet is /28 or /29, you've to first delete the virtual network gateway and increase the gateway subnet size. The steps in this section show you how to do that. +If you have a virtual network that has only one virtual network gateway, for example, a Site-to-Site VPN gateway and you want to add another gateway of a different type, for example, ExpressRoute gateway, check the gateway subnet size. If the gateway subnet is /27 or larger, you can skip the following steps and follow the steps in the previous section to add either a Site-to-Site VPN gateway or an ExpressRoute gateway. If the gateway subnet is /28 or /29, you have to first delete the virtual network gateway and increase the gateway subnet size. The steps in this section show you how to do that. 1. Delete the existing ExpressRoute or Site-to-site VPN gateway. 
If you have a virtual network that has only one virtual network gateway (let's s ## To add point-to-site configuration to the VPN gateway -You can add a Point-to-Site configuration to your co-existing set by following the instruction in [Configuring Point-to-Site VPN connection using Azure certificate authentication](../vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal.md#addresspool) +You can add a Point-to-Site configuration to your coexisting set by following the instruction in [Configuring Point-to-Site VPN connection using Azure certificate authentication](../vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal.md#addresspool) ## To enable transit routing between ExpressRoute and Azure VPN-If you want to enable connectivity between one of your local networks that is connected to ExpressRoute and another of your local network that is connected to a site-to-site VPN connection, you'll need to set up [Azure Route Server](../route-server/expressroute-vpn-support.md). ++If you want to enable connectivity between one of your local networks that is connected to ExpressRoute and another of your local network that is connected to a site-to-site VPN connection, you need to set up [Azure Route Server](../route-server/expressroute-vpn-support.md). ## Next steps For more information about ExpressRoute, see the [ExpressRoute FAQ](expressroute-faqs.md). |
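Review bot: the rewritten "already existing VNet" paragraph says "If the gateway subnet is /28 or /29, you have to first delete the virtual network gateway", but the "Selecting the steps to use" paragraph earlier in the same hunk says the gateway must be deleted when the prefix is "/28 or longer (/29, /30, etc.)"; make both say "/28 or longer" so a /30 is not left ambiguous. Two smaller points in the same hunk: the prerequisite bullet "must be /27 or a shorter prefix, such as /26, /25, or you receive an error message" lost its parentheses, so "or you receive an error message" now reads as a third example (keep "(such as /26, /25)"), and "only one virtual network gateway, for example, a Site-to-Site VPN gateway and you want to add another gateway of a different type, for example, ExpressRoute gateway" needs the examples set off in parentheses or a comma after "gateway" to be parseable.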
expressroute | How To Configure Connection Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/how-to-configure-connection-monitor.md | Create a workspace in the subscription that has the VNets link to the ExpressRou | Subscription | Select the subscription with the ExpressRoute circuit. | | Resource Group | Create a new or select an existing resource group. | | Name | Enter a name to identify this workspace. |- | Region | Select a region where this workspace will be created in. | + | Region | Select a region where this workspace is created in. | :::image type="content" source="./media/how-to-configure-connection-monitor/create-workspace-basic.png" alt-text="Screenshot of basic tab for create Log Analytics workspace."::: Create a workspace in the subscription that has the VNets link to the ExpressRou ## <a name="npm"></a>Configure monitoring solution -Complete the Azure PowerShell script below by replacing the values for *$SubscriptionId*, *$location*, *$resourceGroup*, and *$workspaceName*. Then run the script to configure the monitoring solution. +Complete the Azure PowerShell script by replacing the values for *$SubscriptionId*, *$location*, *$resourceGroup*, and *$workspaceName*. Then run the script to configure the monitoring solution. ```azurepowershell-interactive $subscriptionId = "Subscription ID should come here" Once you've configured the monitoring solution. Continue to the next step of ins :::image type="content" source="./media/how-to-configure-connection-monitor/copy-id-key.png" alt-text="Screenshot of workspace ID and primary key."::: -1. For Windows machines, download and run this PowerShell script [*EnableRules.ps1*](https://aka.ms/npmpowershellscript) in a PowerShell window with Administrator privileges. The PowerShell script will open the relevant firewall port for the TCP transactions. +1. 
For Windows machines, download and run this PowerShell script [*EnableRules.ps1*](https://aka.ms/npmpowershellscript) in a PowerShell window with Administrator privileges. The PowerShell script opens the relevant firewall port for the TCP transactions. For Linux machines, the port number needs to be changed manually with the following steps: Once you've configured the monitoring solution. Continue to the next step of ins It's recommended that you install the Log Analytics agent on at least two servers on both sides of the ExpressRoute connection for redundancy. For example, your on-premises and Azure virtual network. Use the following steps to install agents: -1. Select the appropriate operating system below for the steps to install the Log Analytics agent on your servers. +1. Select the appropriate operating system for the steps to install the Log Analytics agent on your servers. * [Windows](../azure-monitor/agents/agent-windows.md#install-the-agent) * [Linux](../azure-monitor/agents/agent-linux.md) Rules for a firewall can block communication between the source and destination #### Windows -For Windows machines, you can run a PowerShell script to create the registry keys that are required by the Connection Monitor. This script also creates the Windows Firewall rules to allow monitoring agents to create TCP connections with each other. The registry keys created by the script specify whether to log the debug logs, and the path for the logs file. It also defines the agent TCP port used for communication. The values for these keys are automatically set by the script. You shouldn't manually change these keys. +For Windows machines, you can run a PowerShell script to create the registry keys required by the Connection Monitor. This script also creates the Windows Firewall rules to allow monitoring agents to create TCP connections with each other. The registry keys created by the script specify whether to log the debug logs, and the path for the logs file. 
It also defines the agent TCP port used for communication. The values for these keys get automatically set by the script. You shouldn't manually change these keys. Port 8084 is opened by default. You can use a custom port by providing the parameter 'portNumber' to the script. However, if you do so, you must specify the same port for all the servers on which you run the script. For a high-level overview of how to create a connection monitor, tests, and test :::image type="content" source="./media/how-to-configure-connection-monitor/connection-monitor-basic.png" alt-text="Screenshot of basic tab for creating Connection Monitor."::: -1. On the Add test group details page, you'll add the source and destination endpoints for your test group. You 'll also set up the test configurations between them. Enter a **Name** for this test group. +1. On the *Add test group details* page, you add the source and destination endpoints for your test group. You also set up the test configurations between them. Enter a **Name** for this test group. :::image type="content" source="./media/how-to-configure-connection-monitor/add-test-group-details.png" alt-text="Screenshot of add test group details page."::: For a high-level overview of how to create a connection monitor, tests, and test :::image type="content" source="./media/how-to-configure-connection-monitor/topology.png" alt-text="Screenshot of network topology in connection monitor." lightbox="./media/how-to-configure-connection-monitor/topology-expanded.png"::: - Selecting any hop in the topology view will display additional information about the hop. Any issues detected by the connection monitor about the hop will also be displayed here. + Selecting any hop in the topology view displays additional information about the hop. Any issues detected by the connection monitor about the hop get displayed here. 
:::image type="content" source="./media/how-to-configure-connection-monitor/hop-details.png" alt-text="Screenshot of more information for a network hop."::: |
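Review bot: the Windows firewall paragraph in this hunk ("This script also creates the Windows Firewall rules to allow monitoring agents to create TCP connections with each other ... Port 8084 is opened by default") does not say what remote-address scope the created rule has; since the script opens an inbound listener on every server it is run on, the text should state whether the rule is limited to the peer agents' addresses or accepts any source, and that a custom portNumber has to be the same on every server is already there but should be tied to that rule. Minor: "The values for these keys get automatically set by the script" reads better as "The values for these keys are set automatically by the script."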
expressroute | How To Npm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/how-to-npm.md | Title: 'Azure ExpressRoute: Configure NPM for circuits' description: Configure cloud-based network monitoring (NPM) for Azure ExpressRoute circuits. This covers monitoring over ExpressRoute private peering and Microsoft peering. - Previously updated : 07/28/2019 Last updated : 06/30/2023 -- + # Configure Network Performance Monitor for ExpressRoute (deprecated) This article helps you configure a Network Performance Monitor extension to monitor ExpressRoute. Network Performance Monitor (NPM) is a cloud-based network monitoring solution that monitors connectivity between Azure cloud deployments and on-premises locations (Branch offices, etc.). NPM is part of Azure Monitor logs. NPM offers an extension for ExpressRoute that lets you monitor network performance over ExpressRoute circuits that are configured to use private peering or Microsoft peering. When you configure NPM for ExpressRoute, you can detect network issues to identify and eliminate. This service is also available for Azure Government Cloud. You can: ## <a name="workflow"></a>Workflow -Monitoring agents are installed on multiple servers, both on-premises and in Azure. The agents communicate with each other, but do not send data, they send TCP handshake packets. The communication between the agents allows Azure to map the network topology and path the traffic could take. +Monitoring agents are installed on multiple servers, both on-premises and in Azure. The agents communicate with each other, but don't send data, they send TCP handshake packets. The communication between the agents allows Azure to map the network topology and path the traffic could take. -1. Create an NPM Workspace. This is the same as a Log Analytics workspace. -2. Install and configure software agents. 
(If you only want to monitor over Microsoft Peering, you do not need to install and configure software agents.): +1. Create an NPM Workspace. This workspace is the same as a Log Analytics workspace. +2. Install and configure software agents. (If you only want to monitor over Microsoft Peering, you don't need to install and configure software agents.): * Install monitoring agents on the on-premises servers and the Azure VMs (for private peering). * Configure settings on the monitoring agent servers to allow the monitoring agents to communicate. (Open firewall ports, etc.) 3. Configure network security group (NSG) rules to allow the monitoring agent installed on Azure VMs to communicate with on-premises monitoring agents. 4. Set up monitoring: Auto-Discover and manage which networks are visible in NPM. -If you are already using Network Performance Monitor to monitor other objects or services, and you already have Workspace in one of the supported regions, you can skip Step 1 and Step 2, and begin your configuration with Step 3. +If you're already using Network Performance Monitor to monitor other objects or services, and you already have Workspace in one of the supported regions, you can skip Step 1 and Step 2, and begin your configuration with Step 3. ## <a name="configure"></a>Step 1: Create a Workspace Create a workspace in the subscription that has the VNets link to the ExpressRoute circuit(s). -1. In the [Azure portal](https://portal.azure.com), select the Subscription that has the VNETs peered to your ExpressRoute circuit. Then, search the list of services in the **Marketplace** for 'Network Performance Monitor'. In the return, click to open the **Network Performance Monitor** page. +1. In the [Azure portal](https://portal.azure.com), select the Subscription that has the VNETs peered to your ExpressRoute circuit. Then, search the list of services in the **Marketplace** for 'Network Performance Monitor'. 
In the return, select to open the **Network Performance Monitor** page. >[!NOTE] >You can create a new workspace, or use an existing workspace. If you want to use an existing workspace, you must make sure that the workspace has been migrated to the new query language. [More information...](../azure-monitor/logs/log-query-overview.md) > <br><br>-2. At the bottom of the main **Network Performance Monitor** page, click **Create** to open **Network Performance Monitor - Create new solution** page. Click **Log Analytics Workspace - select a workspace** to open the Workspaces page. Click **+ Create New Workspace** to open the Workspace page. +2. At the bottom of the main **Network Performance Monitor** page, select **Create** to open **Network Performance Monitor - Create new solution** page. Select **Log Analytics Workspace - select a workspace** to open the Workspaces page. Select **+ Create New Workspace** to open the Workspace page. 3. On the **Log Analytics workspace** page, select **Create New**, then configure the following settings: * Log Analytics Workspace - Type a name for your Workspace. Create a workspace in the subscription that has the VNets link to the ExpressRou > <br><br>-4. Click **OK** to save and deploy the settings template. Once the template validates, click **Create** to deploy the Workspace. -5. After the Workspace has been deployed, navigate to the **NetworkMonitoring(name)** resource that you created. Validate the settings, then click **Solution requires additional configuration**. +4. Select **OK** to save and deploy the settings template. Once the template validates, select **Create** to deploy the Workspace. +5. After the Workspace has been deployed, navigate to the **NetworkMonitoring(name)** resource that you created. Validate the settings then select **Solution requires additional configuration**.  
Create a workspace in the subscription that has the VNets link to the ExpressRou ### <a name="download"></a>2.1: Download the agent setup file -1. Go to the **Common Settings** tab of the **Network Performance Monitor Configuration** page for your resource. Click the agent that corresponds to your server's processor from the **Install Log Analytics Agents** section, and download the setup file. +1. Go to the **Common Settings** tab of the **Network Performance Monitor Configuration** page for your resource. Select the agent that corresponds to your server's processor from the **Install Log Analytics Agents** section, and download the setup file. 2. Next, copy the **Workspace ID** and **Primary Key** to Notepad. 3. From the **Configure Log Analytics Agents for monitoring using TCP protocol** section, download the PowerShell Script. The PowerShell script helps you open the relevant firewall port for the TCP transactions. Create a workspace in the subscription that has the VNets link to the ExpressRou ### <a name="installagent"></a>2.2: Install a monitoring agent on each monitoring server (on each VNET that you want to monitor) -We recommend that you install at least two agents on each side of the ExpressRoute connection for redundancy (for example, on-premises, Azure VNETs). The agent must be installed on a Windows Server (2008 SP1 or later). Monitoring ExpressRoute circuits using Windows Desktop OS and Linux OS is not supported. Use the following steps to install agents: +We recommend that you install at least two agents on each side of the ExpressRoute connection for redundancy (for example, on-premises, Azure VNETs). The agent must be installed on a Windows Server (2008 SP1 or later). Monitoring ExpressRoute circuits using Windows Desktop OS and Linux OS isn't supported. 
Use the following steps to install agents: >[!NOTE] >Agents pushed by SCOM (includes [MMA](/previous-versions/system-center/system-center-2012-R2/dn465154(v=sc.12))) may not be able to consistently detect their location if they are hosted in Azure. We recommend that you do not use these agents in Azure VNETs to monitor ExpressRoute. > 1. Run **Setup** to install the agent on each server that you want to use for monitoring ExpressRoute. The server you use for monitoring can either be a VM, or on-premises, and must have Internet access. You need to install at least one agent on-premises, and one agent on each network segment that you want to monitor in Azure.-2. On the **Welcome** page, click **Next**. -3. On the **License Terms** page, read the license, and then click **I Agree**. -4. On the **Destination Folder** page, change or keep the default installation folder, and then click **Next**. -5. On the **Agent Setup Options** page, you can choose to connect the agent to Azure Monitor logs or Operations Manager. Or, you can leave the choices blank if you want to configure the agent later. After making your selection(s), click **Next**. +2. On the **Welcome** page, select **Next**. +3. On the **License Terms** page, read the license, and then select **I Agree**. +4. On the **Destination Folder** page, change or keep the default installation folder, and then select **Next**. +5. On the **Agent Setup Options** page, you can choose to connect the agent to Azure Monitor logs or Operations Manager. Or, you can leave the choices blank if you want to configure the agent later. After making your selection(s), select **Next**. - * If you chose to connect to **Azure Log Analytics**, paste the **Workspace ID** and **Workspace Key** (Primary Key) that you copied into Notepad in the previous section. Then, click **Next**. 
+ * If you chose to connect to **Azure Log Analytics**, paste the **Workspace ID** and **Workspace Key** (Primary Key) that you copied into Notepad in the previous section. Then, select **Next**. - * If you chose to connect to **Operations Manager**, on the **Management Group Configuration** page, type the **Management Group Name**, **Management Server**, and the **Management Server Port**. Then, click **Next**. + * If you chose to connect to **Operations Manager**, on the **Management Group Configuration** page, type the **Management Group Name**, **Management Server**, and the **Management Server Port**. Then, select **Next**. - * On the **Agent Action Account** page, choose either the **Local System** account, or **Domain or Local Computer Account**. Then, click **Next**. + * On the **Agent Action Account** page, choose either the **Local System** account, or **Domain or Local Computer Account**. Then, select **Next**. -6. On the **Ready to Install** page, review your choices, and then click **Install**. -7. On the **Configuration completed successfully** page, click **Finish**. +6. On the **Ready to Install** page, review your choices, and then select **Install**. +7. On the **Configuration completed successfully** page, select **Finish**. 8. When complete, the Microsoft Monitoring Agent appears in the Control Panel. You can review your configuration there, and verify that the agent is connected to Azure Monitor logs. When connected, the agent displays a message stating: **The Microsoft Monitoring Agent has successfully connected to the Microsoft Operations Management Suite service**. 9. Repeat this procedure for each VNET that you need to be monitored. ### <a name="proxy"></a>2.3: Configure proxy settings (optional) -If you are using a web proxy to access the Internet, use the following steps to configure proxy settings for the Microsoft Monitoring Agent. Perform these steps for each server. 
If you have many servers that you need to configure, you might find it easier to use a script to automate this process. If so, see [To configure proxy settings for the Microsoft Monitoring Agent using a script](../azure-monitor/agents/agent-windows.md). +If you're using a web proxy to access the Internet, use the following steps to configure proxy settings for the Microsoft Monitoring Agent. Perform these steps for each server. If you have many servers that you need to configure, you might find it easier to use a script to automate this process. If so, see [To configure proxy settings for the Microsoft Monitoring Agent using a script](../azure-monitor/agents/agent-windows.md). To configure proxy settings for the Microsoft Monitoring Agent using the Control Panel: 1. Open the **Control Panel**. 2. Open **Microsoft Monitoring Agent**.-3. Click the **Proxy Settings** tab. +3. Select the **Proxy Settings** tab. 4. Select **Use a proxy server** and type the URL and port number, if one is needed. If your proxy server requires authentication, type the username and password to access the proxy server.  You can easily verify whether your agents are communicating. 1. On a server with the monitoring agent, open the **Control Panel**. 2. Open the **Microsoft Monitoring Agent**.-3. Click the **Azure Log Analytics** tab. +3. Select the **Azure Log Analytics** tab. 4. In the **Status** column, you should see that the agent connected successfully to Azure Monitor logs.  You can easily verify whether your agents are communicating. To use the TCP protocol, you must open firewall ports to ensure that the monitoring agents can communicate. -You can run a PowerShell script to create the registry keys that are required by the Network Performance Monitor. This script also creates the Windows Firewall rules to allow monitoring agents to create TCP connections with each other. The registry keys created by the script specify whether to log the debug logs, and the path for the logs file. 
It also defines the agent TCP port used for communication. The values for these keys are automatically set by the script. You should not manually change these keys. +You can run a PowerShell script to create the registry keys that required by the Network Performance Monitor. This script also creates the Windows Firewall rules to allow monitoring agents to create TCP connections with each other. The registry keys created by the script specify whether to log the debug logs, and the path for the logs file. It also defines the agent TCP port used for communication. The values for these keys get set automatically by the script. You shouldn't manually change these keys. Port 8084 is opened by default. You can use a custom port by providing the parameter 'portNumber' to the script. However, if you do so, you must specify the same port for all the servers on which you run the script. On the agent servers, open a PowerShell window with administrative privileges. R ## <a name="opennsg"></a>Step 3: Configure network security group rules -To monitor agent servers that are in Azure, you must configure network security group (NSG) rules to allow TCP traffic on a port used by NPM for synthetic transactions. The default port is 8084. This allows a monitoring agent installed on an Azure VM to communicate with an on-premises monitoring agent. +To monitor agent servers that are in Azure, you must configure network security group (NSG) rules to allow TCP traffic on a port used by NPM for synthetic transactions. The default port is 8084, allowing a monitoring agent installed on an Azure VM to communicate with an on-premises monitoring agent. For more information about NSG, see [Network Security Groups](../virtual-network/tutorial-filter-network-traffic.md). For more information about NSG, see [Network Security Groups](../virtual-network ## <a name="setupmonitor"></a>Step 4: Discover peering connections -1. 
Navigate to the Network Performance Monitor overview tile by going to the **All Resources** page, then click on the allowlisted NPM Workspace. +1. Navigate to the Network Performance Monitor overview tile by going to the **All Resources** page, then select on the allowlisted NPM Workspace. -2. Click the **Network Performance Monitor** overview tile to bring up the dashboard. The dashboard contains an ExpressRoute page, which shows that ExpressRoute is in an 'unconfigured state'. Click **Feature Setup** to open the Network Performance Monitor configuration page. +2. Select the **Network Performance Monitor** overview tile to bring up the dashboard. The dashboard contains an ExpressRoute page, which shows that ExpressRoute is in an *unconfigured state*. Select **Feature Setup** to open the Network Performance Monitor configuration page. -3. On the configuration page, navigate to the 'ExpressRoute Peerings' tab, located on the left side panel. Next, click **Discover Now**. +3. On the configuration page, navigate to the 'ExpressRoute Peerings' tab, located on the left side panel. Next, select **Discover Now**. -4. When discovery completes, you will see a list containing the following items: +4. When discovery completes, you see a list containing the following items: * All of the Microsoft peering connections in the ExpressRoute circuit(s) that are associated with this subscription. * All of the private peering connections that connect to the VNets associated with this subscription. In this section, you configure the monitors. Follow the steps for the type of pe ### Private peering -For private peering, when discovery completes, you see will rules for unique **Circuit Name** and **VNet Name**. Initially, these rules are disabled. +For private peering, when discovery completes, you see rules for unique **Circuit Name** and **VNet Name**. Initially, these rules are disabled.  1. Check the **Monitor this peering** checkbox. 2. 
Select the checkbox **Enable Health Monitoring for this peering**. 3. Choose the monitoring conditions. You can set custom thresholds to generate health events by typing threshold values. Whenever the value of the condition goes above its selected threshold for the selected network/subnetwork pair, a health event is generated.-4. Click the ON-PREM AGENTS **Add Agents** button to add the on-premises servers from which you want to monitor the private peering connection. Make sure that you only choose agents that have connectivity to the Microsoft service endpoint that you specified in the section for Step 2. The on-premises agents must be able to reach the endpoint using the ExpressRoute connection. +4. Select the ON-PREM AGENTS **Add Agents** button to add the on-premises servers from which you want to monitor the private peering connection. Make sure that you only choose agents that have connectivity to the Microsoft service endpoint that you specified in the section for Step 2. The on-premises agents must be able to reach the endpoint using the ExpressRoute connection. 5. Save the settings.-6. After enabling the rules and selecting the values and agents you want to monitor, there is a wait of approximately 30-60 minutes for the values to begin populating and the **ExpressRoute Monitoring** tiles to become available. +6. After enabling the rules and selecting the values and agents you want to monitor, there's a wait of approximately 30-60 minutes for the values to begin populating and the **ExpressRoute Monitoring** tiles to become available. ### Microsoft peering -For Microsoft peering, click the Microsoft peering connection(s) that you want to monitor, and configure the settings. +For Microsoft peering, select the Microsoft peering connection(s) that you want to monitor, and configure the settings. 1. Check the **Monitor this peering** checkbox. 2. (Optional) You can change the target Microsoft service endpoint. 
By default, NPM chooses a Microsoft service endpoint as the target. NPM monitors connectivity from your on-premises servers to this target endpoint through ExpressRoute. - * To change this target endpoint, click the **(edit)** link under **Target:**, and select another Microsoft service target endpoint from the list of URLs. + * To change this target endpoint, select the **(edit)** link under **Target:**, and select another Microsoft service target endpoint from the list of URLs. <br> - * You can use a custom URL or IP Address. This option is particularly relevant if you are using Microsoft peering to establish a connection to Azure PaaS services, such as Azure Storage, SQL databases, and Websites that are offered on public IP addresses. To do this, click the link **(Use custom URL or IP Address instead)** at the bottom of the URL list, then enter the public endpoint of your Azure PaaS service that is connected through the ExpressRoute Microsoft peering. + * You can use a custom URL or IP Address. This option is relevant if you're using Microsoft peering to establish a connection to Azure PaaS services, such as Azure Storage, SQL databases, and Websites that are offered on public IP addresses. Select the link **(Use custom URL or IP Address instead)** at the bottom of the URL list, then enter the public endpoint of your Azure PaaS service that is connected through the ExpressRoute Microsoft peering. <br> - * If you are using these optional settings, make sure that only the Microsoft service endpoint is selected here. The endpoint must be connected to ExpressRoute and reachable by the on-premises agents. + * If you're using these optional settings, make sure that only the Microsoft service endpoint is selected here. The endpoint must be connected to ExpressRoute and reachable by the on-premises agents. 3. Select the checkbox **Enable Health Monitoring for this peering**. 4. Choose the monitoring conditions. 
You can set custom thresholds to generate health events by typing threshold values. Whenever the value of the condition goes above its selected threshold for the selected network/subnetwork pair, a health event is generated.-5. Click the ON-PREM AGENTS **Add Agents** button to add the on-premises servers from which you want to monitor the Microsoft peering connection. Make sure that you only choose agents that have connectivity to the Microsoft service endpoints that you specified in the section for Step 2. The on-premises agents must be able to reach the endpoint using the ExpressRoute connection. +5. Select the ON-PREM AGENTS **Add Agents** button to add the on-premises servers from which you want to monitor the Microsoft peering connection. Make sure that you only choose agents that have connectivity to the Microsoft service endpoints that you specified in the section for Step 2. The on-premises agents must be able to reach the endpoint using the ExpressRoute connection. 6. Save the settings.-7. After enabling the rules and selecting the values and agents you want to monitor, there is a wait of approximately 30-60 minutes for the values to begin populating and the **ExpressRoute Monitoring** tiles to become available. +7. After enabling the rules and selecting the values and agents you want to monitor, there's a wait of approximately 30-60 minutes for the values to begin populating and the **ExpressRoute Monitoring** tiles to become available. ## <a name="explore"></a>Step 6: View monitoring tiles -Once you see the monitoring tiles, your ExpressRoute circuits and connection resources are being monitored by NPM. You can click on Microsoft Peering tile to drill down on the health of Microsoft Peering connections. +Once you see the monitoring tiles, your ExpressRoute circuits and connection resources gets monitored by NPM. You can select on Microsoft Peering tile to drill down on the health of Microsoft Peering connections.  
The NPM page contains a page for ExpressRoute that shows an overview of the heal ### <a name="circuits"></a>List of circuits -To view a list of all monitored ExpressRoute circuits, click the **ExpressRoute circuits** tile. You can select a circuit and view its health state, trend charts for packet loss, bandwidth utilization, and latency. The charts are interactive. You can select a custom time window for plotting the charts. You can drag the mouse over an area on the chart to zoom in and see fine-grained data points. +To view a list of all monitored ExpressRoute circuits, select the **ExpressRoute circuits** tile. You can select a circuit and view its health state, trend charts for packet loss, bandwidth utilization, and latency. The charts are interactive. You can select a custom time window for plotting the charts. You can drag the mouse over an area on the chart to zoom in and see fine-grained data points.  The bandwidth, latency, and loss charts are interactive. You can zoom into any s ### <a name="peerings"></a>Peerings list -To view list of all connections to virtual networks over private peering, click the **Private Peerings** tile on the dashboard. Here, you can select a virtual network connection and view its health state, trend charts for packet loss, bandwidth utilization, and latency. +To view list of all connections to virtual networks over private peering, select the **Private Peerings** tile on the dashboard. Here, you can select a virtual network connection and view its health state, trend charts for packet loss, bandwidth utilization, and latency.  ### <a name="nodes"></a>Nodes view -To view list of all the links between the on-premises nodes and Azure VMs/Microsoft service endpoints for the chosen ExpressRoute peering connection, click **View node links**. You can view the health status of each link, as well as the trend of loss and latency associated with them. 
+To view list of all the links between the on-premises nodes and Azure VMs/Microsoft service endpoints for the chosen ExpressRoute peering connection, select **View node links**. You can view the health status of each link, and the trend of loss and latency associated with them.  ### <a name="topology"></a>Circuit topology -To view circuit topology, click the **Topology** tile. This takes you to the topology view of the selected circuit or peering. The topology diagram provides the latency for each segment on the network. Each layer 3 hop is represented by a node of the diagram. Clicking on a hop reveals more details about the hop. +To view circuit topology, select the **Topology** tile. The topology diagram provides the latency for each segment on the network. Each layer 3 hop gets represented by a node of the diagram. Clicking on a hop reveals more details about the hop. -You can increase the level of visibility to include on-premises hops by moving the slider bar below **Filters**. Moving the slider bar to the left or right, increases/decreases the number of hops in the topology graph. The latency across each segment is visible, which allows for faster isolation of high latency segments on your network. +You can increase the level of visibility to include on-premises hops by moving the slider bar below **Filters**. Moving the slider bar left or right increases or decreases the number of hops in the topology graph. The latency across each segment is visible, which allows for faster isolation of high latency segments on your network.  |
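Review bot: the rewritten paragraph about the PowerShell script drops a verb: "create the registry keys that required by the Network Performance Monitor" should read "the registry keys that are required by the Network Performance Monitor" (or simply "the registry keys required by"). The rest of that hunk ("get set automatically", "You shouldn't manually change") is fine.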
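Review bot: in the Step 3 NSG hunk, merging the two sentences into "The default port is 8084, allowing a monitoring agent installed on an Azure VM to communicate" attaches the participle to the port number, as if the default port itself grants the communication; it is the NSG rule that does. Keep two sentences, for example "The default port is 8084. This rule allows a monitoring agent installed on an Azure VM to communicate with an on-premises monitoring agent." Since the text only says to allow TCP on that port, it would also help readers to state that the rule's source should be limited to the monitoring agents' addresses rather than any source.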
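Review bot: the Step 4 hunk replaces "click on" with "select on" ("then select on the allowlisted NPM Workspace"); "select" takes a direct object, so drop "on": "then select the allowlisted NPM Workspace".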
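Review bot: the Step 6 hunk introduces two grammar errors. "your ExpressRoute circuits and connection resources gets monitored by NPM" pairs a plural subject with a singular verb; "are monitored by NPM" keeps the original meaning. "You can select on Microsoft Peering tile" should be "You can select the Microsoft Peering tile".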
expressroute | Howto Circuit Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/howto-circuit-cli.md | This quickstart describes how to create an Azure ExpressRoute circuit by using t ### Sign in to your Azure account and select your subscription -To begin your configuration, sign in to your Azure account. If you use the Cloud Shell "Try It", you're signed in automatically. Use the following examples to help you connect: +To begin your configuration, sign in to your Azure account. If you use the Cloud Shell Try It, you're signed in automatically. Use the following examples to help you connect: ```azurecli-interactive az login az account set --subscription "<subscription ID>" ### Get the list of supported providers, locations, and bandwidths -Before you create an ExpressRoute circuit, you need the list of supported connectivity providers, locations, and bandwidth options. The CLI command `az network express-route list-service-providers` returns this information, which youΓÇÖll use in later steps: +Before you create an ExpressRoute circuit, you need the list of supported connectivity providers, locations, and bandwidth options. The CLI command `az network express-route list-service-providers` returns this information, which you use in later steps: ```azurecli-interactive az network express-route list-service-providers The response is similar to the following example: }, ``` -Check the response to see if your connectivity provider is listed. Make a note of the following information, which you'll need when you create a circuit: +Check the response to see if your connectivity provider is listed. 
Make a note of the following information, which you need when you create a circuit: * Name * PeeringLocations To use the ExpressRoute circuit, it must be in the following state: ### Periodically check the status and the state of the circuit key -Checking the status and the state of the service key will let you know when your provider has provisioned your circuit. After the circuit has been configured, *ServiceProviderProvisioningState* appears as *Provisioned*, as shown in the following example: +Checking the status and the state of the service key lets you know when your provider has provisioned your circuit. After the circuit has been configured, *ServiceProviderProvisioningState* appears as *Provisioned*, as shown in the following example: ```azurecli-interactive az network express-route show --resource-group ExpressRouteResourceGroup --name MyCircuit For step-by-step instructions, see the [ExpressRoute circuit routing configurati > [!IMPORTANT] > These instructions only apply to circuits that are created with service providers that offer layer 2 connectivity services. If you're using a service provider that offers managed layer 3 services (typically an IP VPN, like MPLS), your connectivity provider configures and manages routing for you. >-> ### Link a virtual network to an ExpressRoute circuit The circuit now has the ExpressRoute premium add-on features enabled. We begin b Before disabling the ExpressRoute premium add-on, understand the following criteria: * Before you downgrade from premium to standard, you must ensure that the number of virtual networks that are linked to the circuit is less than 10. If you don't, your update request fails, and we bill you at premium rates.-* All virtual networks in other geopolitical regions must be first unlinked. If you don't remove the link, your update request will fail and we continue to bill you at premium rates. -* Your route table must be less than 4,000 routes for private peering. 
If your route table size is greater than 4,000 routes, the BGP session will drop. The BGP session won't be re-enabled until the number of advertised prefixes is under 4,000. +* All virtual networks in other geopolitical regions must be first unlinked. If you don't remove the link, your update request fails and we continue to bill you at premium rates. +* Your route table must be less than 4,000 routes for private peering. If your route table size is greater than 4,000 routes, the BGP session drops. The BGP session doesn't reestablish until the number of advertised prefixes is under 4,000. You can disable the ExpressRoute premium add-on for the existing circuit by using the following example: After you decide the size you need, use the following command to resize your cir az network express-route update -n MyCircuit -g ExpressRouteResourceGroup --bandwidth 1000 ``` -Your circuit will be upgraded on the Microsoft side. Next, you must contact your connectivity provider to update configurations on their side to match this change. After you make this notification, we begin billing you for the updated bandwidth option. +Your circuit is upgraded on the Microsoft side. Next, you must contact your connectivity provider to update configurations on their side to match this change. After you make this notification, we begin billing you for the updated bandwidth option. ### To move the SKU from metered to unlimited To deprovision and delete an ExpressRoute circuit, make sure you understand the * All virtual networks must be unlinked from the ExpressRoute circuit. If this operation fails, check to see if any virtual networks are linked to the circuit. * If the ExpressRoute circuit service provider provisioning state is **Provisioning** or **Provisioned** you must work with your service provider to deprovision the circuit on their side. 
We continue to reserve resources and bill you until the service provider completes deprovisioning the circuit and notifies us.-* If the service provider has deprovisioned the circuit meaning the service provider provisioning state gets set to **Not provisioned**, you can delete the circuit. The billing for the circuit will then stop. +* If the service provider has deprovisioned the circuit meaning the service provider provisioning state gets set to **Not provisioned**, you can delete the circuit. The billing for the circuit stop. ## Clean up resources |
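Review bot: the last bullet of the deprovisioning hunk loses its verb agreement: "The billing for the circuit stop." should be "The billing for the circuit then stops." (the original "will then stop" also carried "then", which the rewrite drops).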
expressroute | Maintenance Alerts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/maintenance-alerts.md | Title: 'How to view and configure alerts for Azure ExpressRoute circuit maintenance' description: Learn how to configure custom alerts for ExpressRoute circuit maintenance using the Service Health page in the Azure portal. -+ Previously updated : 05/10/2021- Last updated : 06/30/2023+ # How to view and configure alerts for Azure ExpressRoute circuit maintenance -> * During a maintenance activity or in case of unplanned events impacting one of the connection, Microsoft will prefer to use AS path prepending to drain traffic over to the healthy connection. You will need to ensure the traffic is able to route over the healthy path when path prepend is configured from Microsoft and required route advertisements are configured appropriately to avoid any service disruption. +> * During a maintenance activity or in case of unplanned events impacting one of the connection, Microsoft will prefer to use AS path prepending to drain traffic over to the healthy connection. You will need to ensure the traffic is able to route over the healthy path when path prepend is configure from Microsoft and required route advertisements are configured appropriately to avoid any service disruption. > * Terminating ExpressRoute BGP connections on stateful devices can cause issues with failover during planned or unplanned maintenances by Microsoft or your ExpressRoute Provider. You should test your set up to ensure your traffic will failover properly, and when possible, terminate BGP sessions on stateless devices.-> * During maintenance between the Microsoft edge and core network, BGP availability will appear down even if the BGP session between the customer edge and Microsoft edge remains up. 
For information about maintenance between the Microsoft edge and core network, make sure to have your maintenance alerts turned on and configured correctly using the guidance below. +> * During maintenance between the Microsoft edge and core network, BGP availability will appear down even if the BGP session between the customer edge and Microsoft edge remains up. For information about maintenance between the Microsoft edge and core network, make sure to have your maintenance alerts turned on and configured correctly using the guidance in this article. > ## View planned maintenance ExpressRoute uses Azure Service Health to notify you of planned and upcoming Exp ## Create alerts and notifications for maintenance events -1. Azure Service Health supports customized alerting for maintenance events. To configure an alert for ExpressRoute Circuit maintenance, navigate to **Health alerts** under the *Alerts* section on the left side of the page. Here you'll see a table of previously configured alerts. +1. Azure Service Health supports customized alerting for maintenance events. To configure an alert for ExpressRoute Circuit maintenance, navigate to **Health alerts** under the *Alerts* section on the left side of the page. Here you see a table of previously configured alerts. 1. To create a new alert, select **Add service health alert** at the top of the page. |
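Review bot: the first bullet of the note hunk changes "when path prepend is configured from Microsoft" to "is configure from Microsoft", which is a regression; restore "configured". The rest of that bullet is unchanged and otherwise reads correctly.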
expressroute | Quickstart Create Expressroute Vnet Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/quickstart-create-expressroute-vnet-bicep.md | description: This quickstart shows you how to create an ExpressRoute circuit usi Previously updated : 03/24/2022 Last updated : 06/30/2023 If you don't have an Azure subscription, create a [free account](https://azure.m The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/expressroute-private-peering-vnet). -In this quickstart, you'll create an ExpressRoute circuit with *Equinix* as the service provider. The circuit will be using a *Premium SKU*, with a bandwidth of *50 Mbps*, and the peering location of *Washington DC*. Private peering will be enabled with a primary and secondary subnet of *192.168.10.16/30* and *192.168.10.20/30* respectively. A virtual network will also be created along with a *HighPerformance ExpressRoute gateway*. +In this quickstart, you create an ExpressRoute circuit with *Equinix* as the service provider. The circuit is using a *Premium SKU*, with a bandwidth of *50 Mbps*, and the peering location of *Washington DC*. Private peering is enabled with a primary and secondary subnet of *192.168.10.16/30* and *192.168.10.20/30* respectively. A virtual network gets created along with a *HighPerformance ExpressRoute gateway*. :::code language="bicep" source="~/quickstart-templates/quickstarts/microsoft.network/expressroute-private-peering-vnet/main.bicep"::: |
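Review bot: "The circuit is using a *Premium SKU*" is an odd progressive for a static property; "The circuit uses a *Premium SKU*" matches the tense of the surrounding rewritten sentences ("you create", "Private peering is enabled"). The same phrasing appears in the parallel ARM template quickstart change.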
expressroute | Quickstart Create Expressroute Vnet Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/quickstart-create-expressroute-vnet-template.md | -If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template will open in the Azure portal. +If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template opens in the Azure portal. [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.network%2Fexpressroute-private-peering-vnet%2Fazuredeploy.json) If you don't have an Azure subscription, create a [free account](https://azure.m The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/expressroute-private-peering-vnet). -In this quickstart, you'll create an ExpressRoute circuit with *Equinix* as the service provider. The circuit will be using a *Premium SKU*, with a bandwidth of *50 Mbps*, and the peering location of *Washington DC*. Private peering will be enabled with a primary and secondary subnet of *192.168.10.16/30* and *192.168.10.20/30* respectively. A virtual network will also be created along with a *HighPerformance ExpressRoute gateway*. +In this quickstart, you create an ExpressRoute circuit with *Equinix* as the service provider. The circuit is using a *Premium SKU*, with a bandwidth of *50 Mbps*, and the peering location of *Washington DC*. Private peering is enabled with a primary and secondary subnet of *192.168.10.16/30* and *192.168.10.20/30* respectively. A virtual network gets created along with a *HighPerformance ExpressRoute gateway*. 
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.network/expressroute-private-peering-vnet/azuredeploy.json"::: Azure PowerShell is used to deploy the template. In addition to Azure PowerShell ## Clean up resources -When you no longer need the resources that you created with the ExpressRoute circuit, delete the resource group. This removes the ExpressRoute circuit and all the related resources. +When you no longer need the resources that you created with the ExpressRoute circuit, delete the resource group to remove the ExpressRoute circuit and all the related resources. To delete the resource group, call the `Remove-AzResourceGroup` cmdlet: |
expressroute | Reset Circuit | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/reset-circuit.md | Title: 'Reset a failed circuit - ExpressRoute: PowerShell: Azure | Microsoft Doc description: This article helps you reset an ExpressRoute circuit that is in a failed state. - Previously updated : 01/07/2021 Last updated : 06/30/2023 -- + # Reset a failed ExpressRoute circuit -When an operation on an ExpressRoute circuit doesn't complete successfully, the circuit may go into a 'failed' state. This article will help you reset a failed Azure ExpressRoute circuit. +When an operation on an ExpressRoute circuit doesn't complete successfully, the circuit may go into a 'failed' state. This article helps you reset a failed Azure ExpressRoute circuit. [!INCLUDE [updated-for-az](../../includes/hybrid-az-ps.md)] When an operation on an ExpressRoute circuit doesn't complete successfully, the 1. Install the latest version of the Azure Resource Manager PowerShell cmdlets. For more information, see [Install and configure Azure PowerShell](/powershell/azure/install-azure-powershell). -2. Open your PowerShell console with elevated privileges, and connect to your account. Use the following example to help you connect: +1. Open your PowerShell console with elevated privileges, and connect to your account. Use the following example to help you connect: ```azurepowershell-interactive Connect-AzAccount ```-3. If you have multiple Azure subscriptions, check the subscriptions for the account. +1. If you have multiple Azure subscriptions, check the subscriptions for the account. ```azurepowershell-interactive Get-AzSubscription ```-4. Specify the subscription that you want to use. +1. Specify the subscription that you want to use. ```azurepowershell-interactive Select-AzSubscription -SubscriptionName "Replace_with_your_subscription_name" ```-5. Run the following commands to reset a circuit that is in a failed state: +1. 
Run the following commands to reset a circuit that is in a failed state: ```azurepowershell-interactive $ckt = Get-AzExpressRouteCircuit -Name "ExpressRouteARMCircuit" -ResourceGroupName "ExpressRouteResourceGroup" |
expressroute | Using Expressroute For Microsoft365 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/using-expressroute-for-microsoft365.md | For more information about ExpressRoute, see the [Introduction to ExpressRoute][ Often time there's confusion about whether or not ExpressRoute can be used for routing Microsoft 365 SaaS traffic. ExpressRoute offers Microsoft peering, which allows you to access most public endpoints in the Microsoft network. With the use of a *Route Filter*, you can select Microsoft 365 service prefixes that you want to advertise over Microsoft peering to your on-premises network. These routes enable routing Microsoft 365 service traffic over the ExpressRoute circuit. -In this article, you'll learn about when it's necessary to use ExpressRoute to route Microsoft 365 traffic. +In this article, you learn about when it's necessary to use ExpressRoute to route Microsoft 365 traffic. ## Network requirements of Microsoft 365 traffic To address the stringent network latency requirements, Microsoft 365 shortens ro * Dynamically routing the end-user connection to the nearest Microsoft 365 entry point. * From the entry point, traffic is efficiently routed within the Microsoft's global network to the nearest Microsoft 365 data center. -Microsoft 365 entry points are serviced by Azure Front Door. Azure Front Door is a widely distributed service present at Microsoft global edge network that creates a fast, secure, and highly scalable SaaS applications. For more information about how Azure Front Door accelerates web application performance, see [What is Azure Front Door?][AFD]. When choosing the nearest Microsoft 365 data center, Microsoft takes into consideration data sovereignty regulations within the geo-political region. +Microsoft 365 entry points get serviced by Azure Front Door. 
Azure Front Door is a widely distributed service present at Microsoft global edge network that creates a fast, secure, and highly scalable SaaS applications. For more information about how Azure Front Door accelerates web application performance, see [What is Azure Front Door?][AFD]. When selecting the nearest Microsoft 365 data center, Microsoft takes into consideration data sovereignty regulations within the geo-political region. ## What is geo-pinning connections? -When you force a client-server to pass traffic through certain network device(s) located in a geographical location, that is referred to as geo-pinning the network connection. In a traditional network architecture, the underlying design principle is that the clients-servers are statically located which commonly geo-pins connections. +When you force a client-server to pass traffic through certain network device(s) located in a geographical location that is referred to as geo-pinning the network connection. In a traditional network architecture, the underlying design principle is that the clients-servers are statically located which commonly geo-pins connections. For example, when you force your enterprise Internet connections to traverse through your corporate network. The egress is from a central location, typically via a set of proxy-servers or firewalls, you're geo-pinning the Internet connections. Another example of geo-pinning is when you have a SaaS application architecture that you force traffic through an intermediate datacenter in a region or using one or more intermediate network devices. |
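Review bot: the rewritten geo-pinning definition drops the comma that separated the condition from the main clause, so in "located in a geographical location that is referred to as geo-pinning" the "that" now reads as modifying "location"; keep the comma ("located in a geographical location, that is referred to as geo-pinning the network connection"). "Microsoft 365 entry points get serviced by Azure Front Door" is an awkward substitute for the passive; "are served by" is plainer. The unchanged sentence "creates a fast, secure, and highly scalable SaaS applications" mixes a singular article with a plural noun and should be fixed while this paragraph is being edited.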
expressroute | Virtual Network Connectivity Guidance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/virtual-network-connectivity-guidance.md | Even though ExpressRoute supports virtual network to virtual network connectivit ### ExpressRoute virtual network gateway in the data path -Virtual networks that are connected to an ExpressRoute circuit are established by deploying a virtual network gateway. The gateway facilitates the management plane and data path connectivity to virtual machines (VMs) and private endpoints defined in a virtual network. These gateway resources have bandwidth, connections-per-second and packets-per-second limitations. For more information about these limitations, see [About ExpressRoute gateways](expressroute-about-virtual-network-gateways.md). When virtual network to virtual network connectivity goes through ExpressRoute, the virtual network gateway can be the source of bottleneck in terms of bandwidth and data path or control plane limitations. When you configure virtual network peering, the virtual network gateway isn't in the data path. Therefore, you won't experience those limitations seen with VNet to VNet connectivity going through ExpressRoute. +Virtual networks that are connected to an ExpressRoute circuit are established by deploying a virtual network gateway. The gateway facilitates the management plane and data path connectivity to virtual machines (VMs) and private endpoints defined in a virtual network. These gateway resources have bandwidth, connections-per-second and packets-per-second limitations. For more information about these limitations, see [About ExpressRoute gateways](expressroute-about-virtual-network-gateways.md). When virtual network to virtual network connectivity goes through ExpressRoute, the virtual network gateway can be the source of bottleneck in terms of bandwidth and data path or control plane limitations. 
When you configure virtual network peering, the virtual network gateway isn't in the data path. Therefore, you don't experience those limitations seen with VNet to VNet connectivity going through ExpressRoute. ### Higher latency -ExpressRoute connectivity is managed by a pair of Microsoft Enterprise Edge (MSEE) devices located at [ExpressRoute peering locations](expressroute-locations-providers.md#expressroute-locations). ExpressRoute peering locations are physically separate from Azure regions, when virtual network to virtual network connectivity is enabled using ExpressRoute. Traffic from the virtual network leaves the origin Azure region and passes through the MSEE devices at the peering location. Then that traffic will go through Microsoft's global network to reach the destination Azure region. With VNet peering, traffic flows from the origin Azure region directly to the destination Azure region using Microsoft's global network, without the extra hop of the MSEE devices. Since the extra hop is no longer in the data path, you'll see lower latency and an overall better experience with your applications and network traffic. +ExpressRoute connectivity gets managed by a pair of Microsoft Enterprise Edge (MSEE) devices located at [ExpressRoute peering locations](expressroute-locations-providers.md#expressroute-locations). ExpressRoute peering locations are physically separate from Azure regions, when virtual network to virtual network connectivity is enabled using ExpressRoute. Traffic from the virtual network leaves the origin Azure region and passes through the MSEE devices at the peering location. Then that traffic goes through Microsoft's global network to reach the destination Azure region. With VNet peering, traffic flows from the origin Azure region directly to the destination Azure region using Microsoft's global network, without the extra hop of the MSEE devices. 
Since the extra hop is no longer in the data path, you see lower latency and an overall better experience with your applications and network traffic. ## Next steps |
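Review bot: "ExpressRoute connectivity gets managed by a pair of Microsoft Enterprise Edge (MSEE) devices" trades one passive for a clumsier one; "is managed by" is the normal form. In the same hunk the unchanged sentence "ExpressRoute peering locations are physically separate from Azure regions, when virtual network to virtual network connectivity is enabled using ExpressRoute. Traffic from the virtual network leaves..." attaches the "when" clause to the wrong sentence; it belongs with the next one: "When virtual network to virtual network connectivity is enabled using ExpressRoute, traffic from the virtual network leaves the origin Azure region and passes through the MSEE devices at the peering location."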
firewall | Deploy Multi Public Ip Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall/deploy-multi-public-ip-powershell.md | +- **SNAT** - Additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. Azure Firewall randomly selects the source public IP address to use for a connection. If you have any downstream filtering on your network, you need to allow all public IP addresses associated with your firewall. Consider using a [public IP address prefix](../virtual-network/ip-services/public-ip-address-prefix.md) to simplify this configuration. Azure Firewall with multiple public IP addresses is available via the Azure portal, Azure PowerShell, Azure CLI, REST, and templates. You can deploy an Azure Firewall with up to 250 public IP addresses. |
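Review bot: the added SNAT bullet tells readers to allow all public IP addresses associated with the firewall but does not say why, and the reason is in the next sentence of the same paragraph: the source public IP is selected at random per connection, so an allow list that omits even one of the firewall's addresses produces intermittent failures rather than a consistent block. Stating that consequence in the bullet (or in the sentence about downstream filtering) makes the recommendation to use a public IP address prefix easier to justify.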
frontdoor | Create Front Door Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-cli.md | -In this quickstart, you'll learn how to create an Azure Front Door Standard/Premium profile using Azure CLI. You'll create this profile using two Web Apps as your origin, and add a WAF security policy. You can then verify connectivity to your Web Apps using the Azure Front Door endpoint hostname. +In this quickstart, you learn how to create an Azure Front Door Standard/Premium profile using Azure CLI. You create this profile using two Web Apps as your origin, and add a WAF security policy. You can then verify connectivity to your Web Apps using the Azure Front Door endpoint hostname. + [!INCLUDE [ddos-waf-recommendation](../../includes/ddos-waf-recommendation.md)] az group create --name myRGFD --location centralus ``` ## Create an Azure Front Door profile -In this step, you'll create the Azure Front Door profile that your two App services will use as your origin. +In this step, you create the Azure Front Door profile that your two App services use as your origin. Run [az afd profile create](/cli/azure/afd/profile#az-afd-profile-create) to create an Azure Front Door profile. az afd profile create \ ## Create two instances of a web app -In this step, you'll create two web app instances that run in different Azure regions for this tutorial. Both the web application instances run in Active/Active mode, so either one can service traffic. This configuration differs from an *Active/Stand-By* configuration, where one acts as a failover. +In this step, you create two web app instances that run in different Azure regions for this tutorial. Both the web application instances run in Active/Active mode, so either one can service traffic. This configuration differs from an *Active/Stand-By* configuration, where one acts as a failover. 
### Create app service plans -Before you can create the web apps you'll need two app service plans, one in *Central US* and the second in *East US*. +Before you can create the web apps you need two app service plans, one in *Central US* and the second in *East US*. Run [az appservice plan create](/cli/azure/appservice/plan#az-appservice-plan-create&preserve-view=true) to create your app service plans. az afd profile create \ ``` ### Add an endpoint -In this step, you'll create an endpoint in your Front Door profile. In Front Door Standard/Premium, an *endpoint* is a logical grouping of one or more routes that are associated with domain names. Each endpoint is assigned a domain name by Front Door, and you can associate endpoints with custom domains by using routes. Front Door profiles can also contain multiple endpoints. +In this step, you create an endpoint in your Front Door profile. In Front Door Standard/Premium, an *endpoint* is a logical grouping of one or more routes that are associated with domain names. Each endpoint is assigned a domain name by Front Door, and you can associate endpoints with custom domains by using routes. Front Door profiles can also contain multiple endpoints. Run [az afd endpoint create](/cli/azure/afd/endpoint#az-afd-endpoint-create) to create an endpoint in your profile. az afd endpoint create \ --enabled-state Enabled ``` -For more information about endpoints in Front Door, please read [Endpoints in Azure Front Door](./endpoint.md). +For more information about endpoints in Front Door, see [Endpoints in Azure Front Door](./endpoint.md). ### Create an origin group -You'll now create an origin group that will define the traffic and expected responses for your app instances. Origin groups also define how origins should be evaluated by health probes, which you'll also define in this step. +Create an origin group that defines the traffic and expected responses for your app instances. 
Origin groups also define how origins get evaluated by health probes, which you can define in this step. Run [az afd origin-group create](/cli/azure/afd/origin-group#az-afd-origin-group-create) to create an origin group that contains your two web apps. az afd origin-group create \ ### Add an origin to the group -You'll now add both of your app instances created earlier as origins to your new origin group. Origins in Front Door refers to applications that Front Door will retrieve contents from when caching isn't enabled or when a cache gets missed. +Add both of your app instances created earlier as origins to your new origin group. Origins in Front Door refer to applications that Front Door retrieves contents from when caching isn't enabled or when a cache gets missed. Run [az afd origin create](/cli/azure/afd/origin#az-afd-origin-create) to add your first app instance as an origin to your origin group. az afd origin create \ --https-port 443 ``` -For more information about origins, origin groups and health probes, please read [Origins and origin groups in Azure Front Door](./origin.md) +For more information about origins, origin groups and health probes, see [Origins and origin groups in Azure Front Door](./origin.md) ### Add a route -You'll now add a route to map the endpoint that you created earlier to the origin group. This route forwards requests from the endpoint to your origin group. +Add a route to map the endpoint that you created earlier to the origin group. This route forwards requests from the endpoint to your origin group. Run [az afd route create](/cli/azure/afd/route#az-afd-route-create) to map your endpoint to the origin group. az afd route create \ --link-to-default-domain Enabled ``` -To learn more about routes in Azure Front Door, please read [Traffic routing methods to origin](./routing-methods.md). +To learn more about routes in Azure Front Door, see [Traffic routing methods to origin](./routing-methods.md). 
## Create a new security policy Azure Web Application Firewall (WAF) on Front Door provides centralized protection for your web applications, defending them against common exploits and vulnerabilities. -In this tutorial, you'll create a WAF policy that adds two managed rules. You can also create WAF policies with custom rules +In this tutorial, you create a WAF policy that adds two managed rules. You can also create WAF policies with custom rules ### Create a WAF policy Run [az network front-door waf-policy create](/cli/azure/network/front-door/waf-policy#az-network-front-door-waf-policy-create) to create a new WAF policy for your Front Door. This example creates a policy that is enabled and in prevention mode. > [!NOTE]-> Managed rules will only work with Front Door Premium SKU. You can opt for Standard SKU below to use custom rules. +> Managed rules will only work with Front Door Premium tier. You can opt for Standard tier to use onlu custom rules. ```azurecli-interactive az network front-door waf-policy create \ az network front-door waf-policy create \ > [!NOTE] > If you select `Detection` mode, your WAF doesn't block any requests. -To learn more about WAF policy settings for Front Door, please read [Policy settings for Web Application Firewall on Azure Front Door](../web-application-firewall/afds/waf-front-door-policy-settings.md). +To learn more about WAF policy settings for Front Door, see [Policy settings for Web Application Firewall on Azure Front Door](../web-application-firewall/afds/waf-front-door-policy-settings.md). ### Assign managed rules to the WAF policy az network front-door waf-policy managed-rules add \ --version 1.0 ``` -To learn more about managed rules in Front Door, please read [Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md). 
+To learn more about managed rules in Front Door, see [Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md). ### Create the security policy -You'll now apply these two WAF polcies to your Front Door by creating a security policy. This will apply the Azure-managed rules to the endpoint that you defined earlier. +Now apply these two WAF policies to your Front Door by creating a security policy. This setting applies the Azure-managed rules to the endpoint that you defined earlier. Run [az afd security-policy create](/cli/azure/afd/security-policy#az-afd-security-policy-create) to apply your WAF policy to the endpoint's default domain. > [!NOTE]-> Substitute 'mysubscription' with your Azure Subscription ID in the domains and waf-policy parameters below. Run [az account subscription list](/cli/azure/account/subscription#az-account-subscription-list) to get Subscription ID details. +> Substitute 'mysubscription' with your Azure Subscription ID in the domains and waf-policy parameters. Run [az account subscription list](/cli/azure/account/subscription#az-account-subscription-list) to get Subscription ID details. ```azurecli-interactive Run [az afd endpoint show](/cli/azure/afd/endpoint#az-afd-endpoint-show) to get ```azurecli-interactive az afd endpoint show --resource-group myRGFD --profile-name contosoafd --endpoint-name contosofrontend ```-In a browser, go to the endpoint hostname: `contosofrontend-<hash>.z01.azurefd.net`. Your request will automatically get routed to the least latent Web App in the origin group. +In a browser, go to the endpoint hostname: `contosofrontend-<hash>.z01.azurefd.net`. Your request automatically gets routed to the least latent Web App in the origin group. 
:::image type="content" source="./media/create-front-door-portal/front-door-web-app-origin-success.png" alt-text="Screenshot of the message: Your web app is running and waiting for your content"::: -To test instant global failover, we'll use the following steps: +To test instant global failover, we use the following steps: -1. Open a browser, as described above, and go to the endpoint hostname: `contosofrontend-<hash>.z01.azurefd.net`. +1. Open a browser and go to the endpoint hostname: `contosofrontend-<hash>.z01.azurefd.net`. 2. Stop one of the Web Apps by running [az webapp stop](/cli/azure/webapp#az-webapp-stop&preserve-view=true) To test instant global failover, we'll use the following steps: :::image type="content" source="./media/create-front-door-portal/web-app-stopped-message.png" alt-text="Screenshot of the message: Both instances of the web app stopped"::: -6. Restart one of the Web Apps by running [az webapp start](/cli/azure/webapp#az-webapp-start&preserve-view=true). Refresh your browser and the page will go back to normal. +6. Restart one of the Web Apps by running [az webapp start](/cli/azure/webapp#az-webapp-start&preserve-view=true). Refresh your browser and the page go back to normal. ```azurecli-interactive az webapp start --name WebAppContoso-01 --resource-group myRGFD |
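Review bot: typo in the added NOTE: "to use onlu custom rules" should read "to use only custom rules"; the same note keeps "Managed rules will only work" while the rest of this change removes future tense ("Managed rules work only with the Front Door Premium tier"). In step 6, "Refresh your browser and the page go back to normal" needs "goes back". Under "Create the security policy", "This setting applies the Azure-managed rules to the endpoint" describes a security policy, not a setting; "This security policy applies..." matches the heading. The sentence "You can also create WAF policies with custom rules" is still missing its terminating period.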
frontdoor | Create Front Door Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-portal.md | In this quickstart, you'll learn how to create an Azure Front Door profile using With *Custom create*, you deploy two App services. Then, you create the Azure Front Door profile using the two App services as your origin. Lastly, you'll verify connectivity to your App services using the Azure Front Door frontend hostname. + [!INCLUDE [ddos-waf-recommendation](../../includes/ddos-waf-recommendation.md)] ## Prerequisites |
frontdoor | Create Front Door Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-powershell.md | |
governance | Query Language | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/resource-graph/concepts/query-language.md | Title: Understand the query language description: Describes Resource Graph tables and the available Kusto data types, operators, and functions usable with Azure Resource Graph. Previously updated : 06/15/2022 Last updated : 06/27/2023 + # Understanding the Azure Resource Graph query language -The query language for the Azure Resource Graph supports a number of operators and functions. Each +The query language for the Azure Resource Graph supports many operators and functions. Each work and operate based on [Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/index). To learn about the-query language used by Resource Graph, start with the -[tutorial for KQL](/azure/data-explorer/kusto/query/tutorial). +query language used by Resource Graph, start with the [tutorial for KQL](/azure/data-explorer/kusto/query/tutorial). This article covers the language components supported by Resource Graph: This article covers the language components supported by Resource Graph: Resource Graph provides several tables for the data it stores about Azure Resource Manager resource types and their properties. Some tables can be used with `join` or `union` operators to get-properties from related resource types. Here is the list of tables available in Resource Graph: +properties from related resource types. Here's the list of tables available in Resource Graph: |Resource Graph table |Can `join` other tables? |Description | |||| Resources ## Extended properties -As a _preview_ feature, some of the resource types in Resource Graph have additional type-related +As a _preview_ feature, some of the resource types in Resource Graph have more type-related properties available to query beyond the properties provided by Azure Resource Manager. 
This set of values, known as _extended properties_, exists on a supported resource type in `properties.extended`. To see which resource types have _extended properties_, use the following different behaviors. ### Supported tabular/top level operators -Here is the list of KQL tabular operators supported by Resource Graph with specific samples: +Here's the list of KQL tabular operators supported by Resource Graph with specific samples: |KQL |Resource Graph sample query |Notes | |||| Here is the list of KQL tabular operators supported by Resource Graph with speci |[union](/azure/data-explorer/kusto/query/unionoperator) |[Combine results from two queries into a single result](../samples/advanced.md#unionresults) |Single table allowed: _T_ `| union` \[`kind=` `inner`\|`outer`\] \[`withsource=`_ColumnName_\] _Table_. Limit of 3 `union` legs in a single query. Fuzzy resolution of `union` leg tables isn't allowed. May be used within a single table or between the _Resources_ and _ResourceContainers_ tables. | |[where](/azure/data-explorer/kusto/query/whereoperator) |[Show resources that contain storage](../samples/starter.md#show-storage) | | -There is a default limit of 3 `join` and 3 `mv-expand` operators in a single Resource Graph SDK query. You can request an increase in these limits for your tenant through **Help + support**. +There's a default limit of 3 `join` and 3 `mv-expand` operators in a single Resource Graph SDK query. You can request an increase in these limits for your tenant through **Help + support**. To support the "Open Query" portal experience, Azure Resource Graph Explorer has a higher global limit than Resource Graph SDK. which is different from the name of the management group. When `managementGroups resources from the first 5,000 subscriptions in or under the specified management group hierarchy are included. `managementGroups` can't be used at the same time as `subscriptions`. 
-Example: Query all resources within the hierarchy of the management group named 'My Management -Group' with ID 'myMG'. +Example: Query all resources within the hierarchy of the management group named `My Management +Group` with ID `myMG`. - REST API URI Group' with ID 'myMG'. } ``` -The `AuthorizationScopeFilter` parameter enables you to list Azure Policy assignments inherited from upper scopes. The `AuthorizationScopeFilter` parameter accepts the following values: +The `AuthorizationScopeFilter` parameter enables you to list Azure Policy assignments and Azure RBAC role assignments in the `AuthorizationResources` table that are inherited from upper scopes. The `AuthorizationScopeFilter` parameter accepts the following values for the `PolicyResources` and `AuthorizationResources` tables: -- **AtScopeAndBelow** (default if not specified): Returns policy assignments for the given scope and all child scopes-- **AtScopeAndAbove**: Returns policy assignments for the given scope and all parent scopes, but not child scopes-- **AtScopeAboveAndBelow**: Returns policy assignments for the given scope, all parent scopes and all child scopes-- **AtScopeExact**: Returns policy assignments only for the given scope; no parent or child scopes are included+- **AtScopeAndBelow** (default if not specified): Returns assignments for the given scope and all child scopes +- **AtScopeAndAbove**: Returns assignments for the given scope and all parent scopes, but not child scopes +- **AtScopeAboveAndBelow**: Returns assignments for the given scope, all parent scopes and all child scopes +- **AtScopeExact**: Returns assignments only for the given scope; no parent or child scopes are included > [!NOTE]-> To use the `AuthorizationScope` parameter, be sure to reference the **2021-06-01-preview** API version in your requests. +> To use the `AuthorizationScopeFilter` parameter, be sure to use the **2021-06-01-preview** or later API version in your requests. 
Example: Get all policy assignments at the **myMG** management group and Tenant Root (parent) scopes. query or the property name is interpreted incorrectly and doesn't provide the ex where type=~'Microsoft.Insights/alertRules' | project name, properties.condition.['odata.type'] ``` -- `$` - Escape the character in the property name. The escape character used depends on the shell- Resource Graph is run from. +- `$` - Escape the character in the property name. The escape character used depends on the shell that runs Resource Graph. - **bash** - `\` |
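Review bot: the new sentence "enables you to list Azure Policy assignments and Azure RBAC role assignments in the `AuthorizationResources` table" reads as though both kinds of assignments live in `AuthorizationResources`, while the sentence that follows correctly names both `PolicyResources` and `AuthorizationResources`; suggest "Azure Policy assignments (in the `PolicyResources` table) and Azure RBAC role assignments (in the `AuthorizationResources` table)". The NOTE correction from `AuthorizationScope` to `AuthorizationScopeFilter` matches the parameter name used throughout and is right; the example that follows ("Get all policy assignments at the **myMG** management group and Tenant Root (parent) scopes") could now also show role assignments, since the parameter covers both. In the unchanged intro, "Each work and operate based on" should read "Each works and operates based on".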
governance | Supported Tables Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/resource-graph/reference/supported-tables-resources.md | Title: Supported Azure Resource Manager resource types description: Provide a list of the Azure Resource Manager resource types supported by Azure Resource Graph and Change History. Previously updated : 10/26/2022 Last updated : 06/27/2023 + # Azure Resource Graph table and resource type reference -Azure Resource Graph supports the following **resource types** of -[Azure Resource Manager](../../../azure-resource-manager/management/overview.md). Each **resource type** is -part of a **table** in Resource Graph. +Azure Resource Graph supports the following **resource types** of [Azure Resource Manager](../../../azure-resource-manager/management/overview.md). Each **resource type** is part of a **table** in Resource Graph. ## advisorresources For sample queries for this table, see [Resource Graph sample queries for kubern - microsoft.maintenance/maintenanceconfigurations/applyupdates - microsoft.maintenance/updates +## managedservicesresources ++- microsoft.managedservices/registrationassignments +- microsoft.managedservices/registrationdefinitions + ## networkresources - microsoft.network/networkgroupmemberships |
governance | Samples By Category | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/resource-graph/samples/samples-by-category.md | Last updated 07/07/2022 + # Azure Resource Graph sample queries by category This page is a collection of Azure Resource Graph sample queries grouped by general and service Otherwise, use <kbd>Ctrl</kbd>-<kbd>F</kbd> to use your browser's search feature [!INCLUDE [azure-resource-graph-samples-cat-azure-policy-guest-configuration](../../../../includes/resource-graph/samples/bycat/azure-policy-guest-configuration.md)] +## Azure RBAC +++++ ## Azure Service Health [!INCLUDE [azure-resource-graph-samples-cat-azure-service-health](../../../../includes/resource-graph/samples/bycat/azure-service-health.md)] |
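Review bot: the added `## Azure RBAC` heading is followed in this hunk only by blank `+` lines, while every other category heading on this page is followed by an `[!INCLUDE ...]` directive (see the azure-policy-guest-configuration include directly above it); confirm the include that pulls in the Azure RBAC sample queries is part of the change, otherwise the new section renders as an empty heading.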
governance | Samples By Table | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/resource-graph/samples/samples-by-table.md | Last updated 02/14/2023 + # Azure Resource Graph sample queries by table This page is a collection of Azure Resource Graph sample queries grouped by table. To jump to a details, see [Resource Graph tables](../concepts/query-language.md#resource-grap [!INCLUDE [azure-resource-graph-samples-table-advisorresources](../../../../includes/resource-graph/samples/bytable/advisorresources.md)] +## AuthorizationResources +++++ ## ExtendedLocationResources [!INCLUDE [azure-resource-graph-samples-table-extendedlocationresources](../../../../includes/resource-graph/samples/bytable/extendedlocationresources.md)] |
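Review bot: the new `## AuthorizationResources` heading is followed only by blank `+` lines; the neighbouring `## ExtendedLocationResources` section is immediately followed by its `[!INCLUDE ...]` line, so the include for the AuthorizationResources samples appears to be missing from the hunk. The heading should also be cross-referenced from the `AuthorizationScopeFilter` section of query-language.md, which now describes this table.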
healthcare-apis | Export Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/export-data.md | The Azure API For FHIR supports $export at the following levels: With export, data is exported in multiple files each containing resources of only one type. The number of resources in an individual file will be limited. The maximum number of resources is based on system performance. It is currently set to 50,000, but can change. The result is that you may get multiple files for a resource type, which will be enumerated (for example, `Patient-1.ndjson`, `Patient-2.ndjson`). -> [!Note] +> [!NOTE] > `Patient/$export` and `Group/[ID]/$export` may export duplicate resources if the resource is in a compartment of more than one resource, or is in multiple groups. In addition, checking the export status through the URL returned by the location header during the queuing is supported along with canceling the actual export job. The Azure API for FHIR supports the following query parameters. All of these par | \_container | No | Specifies the container within the configured storage account where the data should be exported. If a container is specified, the data will be exported into a folder into that container. If the container isnΓÇÖt specified, the data will be exported to a new container. | | \_till | No | Allows you to only export resources that have been modified till the time provided. This parameter is applicable to only System-Level export. In this case, if historical versions have not been disabled or purged, export guarantees true snapshot view, or, in other words, enables time travel. | -> [!Note] +> [!NOTE] > Only storage accounts in the same subscription as that for Azure API for FHIR are allowed to be registered as the destination for $export operations. ## Secure Export to Azure Storage Azure API for FHIR is provisioned. 
| West US 2 | 40.64.135.77 | > [!NOTE]-> The above steps are similar to the configuration steps described in the document **Converting your data to FHIR**. For more information, see [Configure the ACR firewall](../../healthcare-apis/fhir/convert-data.md#step-6-optional-configure-the-azure-container-registry-firewall-for-secure-access). +> The above steps are similar to the configuration steps described in the document **Converting your data to FHIR**. For more information, see [Configure the ACR firewall](../../healthcare-apis/fhir/configure-settings-convert-data.md#step-6-configure-the-azure-container-registry-firewall-for-secure-access). ### Allowing specific IP addresses for the Azure storage account in the same region The configuration process is the same as above except a specific IP address range in CIDR format is used instead, 100.64.0.0/10. The reason why the IP address range, which includes 100.64.0.0 ΓÇô 100.127.255.255, must be specified is because the actual IP address used by the service varies, but will be within the range, for each $export request. -> [!Note] +> [!NOTE] > It is possible that a private IP address within the range of 10.0.2.0/24 may be used instead. In that case, the $export operation will not succeed. You can retry the $export request, but there is no guarantee that an IP address within the range of 100.64.0.0/10 will be used next time. That's the known networking behavior by design. The alternative is to configure the storage account in a different region. ## Next steps |
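Review bot: the `[!Note]` to `[!NOTE]` casing fixes and the updated link to configure-settings-convert-data.md are fine; two unchanged sentences in the same hunks merit attention while these notes are being touched. "The reason why the IP address range ... must be specified is because the actual IP address used by the service varies" doubles up "reason why ... because" (use "must be specified is that ..."), and "The above steps are similar to the configuration steps" uses the positional "above" that other changes in this batch remove ("These steps are similar to ...").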
healthcare-apis | Configure Export Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/configure-export-data.md | -Ensure you are granted with application role - 'FHIR Data exporter role' prior to configuring export. To understand more on application roles, see [Authentication and Authorization for FHIR service](https://learn.microsoft.com/azure/healthcare-apis/authentication-authorization). +Ensure you are granted with application role - 'FHIR Data exporter role' prior to configuring export. To understand more on application roles, see [Authentication and Authorization for FHIR service](../../healthcare-apis/authentication-authorization.md). Below are three steps in setting up the `$export` operation for the FHIR service- The final step is to specify the ADLS Gen2 account that the FHIR service will us After you've completed this final configuration step, you're ready to export data from the FHIR service. See [How to export FHIR data](./export-data.md) for details on performing `$export` operations with the FHIR service. -> [!Note] +> [!NOTE] > Only storage accounts in the same subscription as the FHIR service are allowed to be registered as the destination for `$export` operations. ## Securing the FHIR service `$export` operation Add-AzStorageAccountNetworkRule -ResourceGroupName $resourceGroupName -Name $sto After running this command, in the **Firewall** section under **Resource instances** you will see **2 selected** in the **Instance name** dropdown list. These are the names of the workspace instance and FHIR service instance that you just registered as Microsoft Trusted Resources. - :::image type="content" source="media/export-data/storage-networking-2.png" alt-text="Screenshot of Azure Storage Networking Settings with resource type and instance names." lightbox="media/export-data/storage-networking-2.png"::: You're now ready to securely export FHIR data to the storage account. 
Note that the storage account is on selected networks and isn't publicly accessible. To securely access the files, you can enable [private endpoints](../../storage/common/storage-private-endpoints.md) for the storage account. Select **Enabled from selected virtual networks and IP addresses**. Under the Fi | West US 2 | 40.64.135.77 | > [!NOTE]-> The above steps are similar to the configuration steps described in the document **Converting your data to FHIR**. For more information, see [Configure the ACR firewall](./convert-data.md#step-6-optional-configure-the-azure-container-registry-firewall-for-secure-access). +> The above steps are similar to the configuration steps described in the document **Converting your data to FHIR**. For more information, see [Configure the ACR firewall](configure-settings-convert-data.md#step-6-configure-the-azure-container-registry-firewall-for-secure-access). ### Allowing specific IP addresses to access the Azure storage account in the same region The configuration process for IP addresses in the same region is just like above except a specific IP address range in Classless Inter-Domain Routing (CIDR) format is used instead (i.e., 100.64.0.0/10). The reason why the IP address range (100.64.0.0 ΓÇô 100.127.255.255) must be specified is because an IP address for the FHIR service will be allocated each time an `$export` request is made. -> [!Note] +> [!NOTE] > It is possible that a private IP address within the range of 10.0.2.0/24 may be used, but there is no guarantee that the `$export` operation will succeed in such a case. You can retry if the `$export` request fails, but until an IP address within the range of 100.64.0.0/10 is used, the request will not succeed. This network behavior for IP address ranges is by design. The alternative is to configure the storage account in a different region. ## Next steps |
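Review bot: the `+Ensure you are granted with application role - 'FHIR Data exporter role' prior to configuring export.` line carries the grammar problem of the line it replaces; since the line is being edited for the link anyway, suggest `Ensure you have been granted the 'FHIR Data exporter' application role before configuring export.` Moving the link from the absolute learn.microsoft.com URL to `../../healthcare-apis/authentication-authorization.md` is consistent with the article's other links (`./export-data.md`, `../../storage/common/storage-private-endpoints.md`).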
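Review bot: the removed screenshot line (`- :::image type="content" source="media/export-data/storage-networking-2.png" ... lightbox="media/export-data/storage-networking-2.png":::`) was the only visual for the sentence just before it, which still tells the reader what they "will see" (**2 selected** in the **Instance name** dropdown under **Resource instances**). Keeping the prose alone is acceptable, but confirm the PNG is deleted from `media/export-data/` in the same change, otherwise it lingers as an orphaned asset, and check that no other article references it.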
healthcare-apis | Configure Settings Convert Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/configure-settings-convert-data.md | + + Title: Configure settings for $convert-data using the Azure portal - Azure Health Data Services +description: Learn how to configure settings for $convert-data using the Azure portal. ++++ Last updated : 06/30/2022++++# Configure settings for $convert-data using the Azure portal ++> [!NOTE] +> [Fast Healthcare Interoperability Resources (FHIR®)](https://www.hl7.org/fhir/) is an open healthcare specification. ++In this article, learn how to configure settings for `$convert-data` using the Azure portal to convert your existing health data into [FHIR R4](https://www.hl7.org/fhir/R4/https://docsupdatetracker.net/index.html). ++## Default templates ++Microsoft publishes a set of predefined sample Liquid templates from the FHIR Converter project to support FHIR data conversion. These templates are only provided to help get you started with your data conversion workflow. It's recommended that you customize and host your own templates that support your own data conversion requirements. For information on customized templates, see [Customize templates](#customize-templates). + +The default templates are hosted in a public container registry and require no further configurations or settings for your FHIR service. +To access and use the default templates for your conversion requests, ensure that when invoking the `$convert-data` operation, the `templateCollectionReference` request parameter has the appropriate value based on the type of data input. 
++* [HL7v2 templates](https://github.com/microsoft/FHIR-Converter/tree/main/data/Templates/Hl7v2) +* [C-CDA templates](https://github.com/microsoft/FHIR-Converter/tree/main/data/Templates/Ccda) +* [JSON templates](https://github.com/microsoft/FHIR-Converter/tree/main/data/Templates/Json) +* [FHIR STU3 templates](https://github.com/microsoft/FHIR-Converter/tree/main/data/Templates/Stu3ToR4) ++> [!WARNING] +> Default templates are released under the MIT License and are *not* supported by Microsoft Support. +> +> The default templates are provided only to help you get started with your data conversion workflow. These default templates are not intended for production and might change when Microsoft releases updates for the FHIR service. To have consistent data conversion behavior across different versions of the FHIR service, you must do the following: +> +> 1. Host your own copy of the templates in an Azure Container Registry instance. +> 2. Register the templates to the FHIR service. +> 3. Use your registered templates in your API calls. +> 4. Verify that the conversion behavior meets your requirements. +> +> For more information on hosting your own templates, see [Host your own templates](configure-settings-convert-data.md#host-your-own-templates) ++## Customize templates ++You can use the [FHIR Converter Visual Studio Code extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-health-fhir-converter) to customize templates according to your specific requirements. The extension provides an interactive editing experience and makes it easy to download Microsoft-published templates and sample data. ++> [!NOTE] +> The FHIR Converter extension for Visual Studio Code is available for HL7v2, C-CDA, and JSON Liquid templates. FHIR STU3 to FHIR R4 Liquid templates are currently not supported. ++The provided default templates can be used as a base starting point if needed, on top of which your customizations can be added. 
When making updates to the templates, consider following these guidelines to avoid unintended conversion results. The template should be authored in a way such that it yields a valid structure for a FHIR Bundle resource. ++For instance, the Liquid templates should have a format such as the following code: ++```json +<liquid assignment line 1 > +<liquid assignment line 2 > +. +. +<liquid assignment line n > +{ + "resourceType": "Bundle", + "type": "xxx", + <...liquid code...> + "identifier": + { + "value":"xxxxx", + }, + "id":"xxxx", + "entry": [ + <...liquid code...> + ] +} +``` ++The overall template follows the structure and expectations for a FHIR Bundle resource, with the FHIR Bundle JSON being at the root of the file. If you choose to add custom fields to the template that arenΓÇÖt part of the FHIR specification for a bundle resource, the conversion request could still succeed. However, the converted result could potentially have unexpected output and wouldn't yield a valid FHIR Bundle resource that can be persisted in the FHIR service as is. ++For example, consider the following code: ++```json +<liquid assignment line 1 > +<liquid assignment line 2 > +. +. +<liquid assignment line n > +{ + ΓÇ£customfield_messageΓÇ¥: ΓÇ£I will have a message hereΓÇ¥, + ΓÇ£customfield_dataΓÇ¥: { + "resourceType": "Bundle", + "type": "xxx", + <...liquid code...> + "identifier": + { + "value":"xxxxx", + }, + "id":"xxxx", + "entry": [ + <...liquid code...> + ] + } +} +``` ++In the example code, two example custom fields `customfield_message` and `customfield_data` that aren't FHIR properties per the specification and the FHIR Bundle resource seem to be nested under `customfield_data` (that is, the FHIR Bundle JSON isn't at the root of the file). This template doesnΓÇÖt align with the expected structure around a FHIR Bundle resource. As a result, the conversion request might succeed using the provided template. 
However, the returned converted result could potentially have unexpected output (due to certain post conversion processing steps being skipped). It wouldn't be considered a valid FHIR Bundle (since it's nested and has non FHIR specification properties) and attempting to persist the result in your FHIR service fails. + +## Host your own templates ++We recommend that you host your own copy of templates in an Azure Container Registry (ACR) instance. Hosting your own templates and using them for `$convert-data` operations involves the following six steps: ++1. [Create an Azure Container Registry instance](#step-1-create-an-azure-container-registry-instance) +2. [Push the templates to your Azure Container Registry instance](#step-2-push-the-templates-to-your-azure-container-registry-instance) +3. [Enable Azure Managed Identity in your FHIR service instance](#step-3-enable-azure-managed-identity-in-your-fhir-service-instance) +4. [Provide Azure Container Registry access to the FHIR service managed identity](#step-4-provide-azure-container-registry-access-to-the-fhir-service-managed-identity) +5. [Register the Azure Container Registry server in the FHIR service](#step-5-register-the-azure-container-registry-server-in-the-fhir-service) +6. [Configure the Azure Container Registry firewall for secure access](#step-6-configure-the-azure-container-registry-firewall-for-secure-access) ++### Step 1: Create an Azure Container Registry instance ++Read the [Introduction to container registries in Azure](../../container-registry/container-registry-intro.md) and follow the instructions for creating your own Azure Container Registry instance. We recommend that you place your Azure Container Registry instance in the same resource group as your FHIR service. 
++### Step 2: Push the templates to your Azure Container Registry instance ++After you create an Azure Container Registry instance, you can use the **FHIR Converter: Push Templates** command in the [FHIR Converter extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-health-fhir-converter) to push your custom templates to your Azure Container Registry instance. Alternatively, you can use the [Template Management CLI tool](https://github.com/microsoft/FHIR-Converter/blob/main/docs/TemplateManagementCLI.md) for this purpose. ++To maintain different versions of custom templates in your ACR, you may push the image containing your custom templates into your ACR instance with different image tags. +* For more information about ACR registries, repositories, and artifacts, see [About registries, repositories, and artifacts](../../container-registry/container-registry-concepts.md). +* For more information about image tag best practices, see [Recommendations for tagging and versioning container images](../../container-registry/container-registry-image-tag-version.md). ++To reference specific template versions in the API, be sure to use the exact image name and tag that contains the versioned template to be used. For the API parameter `templateCollectionReference`, use the appropriate **image name + tag** (for example: `<RegistryServer>/<imageName>:<imageTag>`). ++### Step 3: Enable Azure Managed Identity in your FHIR service instance ++1. Go to your instance of the FHIR service in the Azure portal, and then select the **Identity** option. ++2. Change the status to **On** to enable Managed Identity in the FHIR service. ++  ++### Step 4: Provide Azure Container Registry access to the FHIR service managed identity ++1. In your resource group, go to your **Container Registry** instance, and then select the **Access control (IAM)** tab. ++2. Select **Add** > **Add role assignment**. 
If the **Add role assignment** option is unavailable, ask your Azure administrator to grant you the permissions for performing this task. ++  ++ :::image type="content" source="../../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot of the 'Access control' pane and the 'Add role assignment' menu."::: ++3. On the **Role** pane, select the [AcrPull](../../role-based-access-control/built-in-roles.md#acrpull) role. ++ [](../../../includes/role-based-access-control/media/add-role-assignment-page.png#lightbox) ++4. On the **Members** tab, select **Managed identity**, and then select **Select members**. ++5. Select your Azure subscription. ++6. Select **System-assigned managed identity**, and then select the FHIR service you're working with. ++7. On the **Review + assign** tab, select **Review + assign** to assign the role. ++For more information about assigning roles in the Azure portal, see [Azure built-in roles](../../role-based-access-control/role-assignments-portal.md). ++### Step 5: Register the Azure Container Registry server in the FHIR service ++You can register the Azure Container Registry server by using the Azure portal. ++To use the Azure portal: ++1. In your FHIR service instance, under **Transfer and transform data**, select **Artifacts**. A list of currently registered Azure Container Registry servers is displayed. +3. Select **Add** and then, in the dropdown list, select your registry server. +4. Select **Save**. ++  ++You can register up to 20 Azure Container Registry servers in the FHIR service. ++> [!NOTE] +> It might take a few minutes for the registration to take effect. ++### Step 6: Configure the Azure Container Registry firewall for secure access ++1. In the Azure portal, on the left pane, select **Networking** for the Azure Container Registry instance. ++  ++2. On the **Public access** tab, select **Selected networks**. ++3. 
In the **Firewall** section, specify the IP address in the **Address range** box. ++Add IP ranges to allow access from the Internet or your on-premises networks. ++The following table lists the IP addresses for the Azure regions where the FHIR service is available: ++| Azure region | Public IP address | +|:|:| +| Australia East | 20.53.47.210 | +| Brazil South | 191.238.72.227 | +| Canada Central | 20.48.197.161 | +| Central India | 20.192.47.66 | +| East US | 20.62.134.242, 20.62.134.244, 20.62.134.245 | +| East US 2 | 20.62.60.115, 20.62.60.116, 20.62.60.117 | +| France Central | 51.138.211.19 | +| Germany North | 51.116.60.240 | +| Germany West Central | 20.52.88.224 | +| Japan East | 20.191.167.146 | +| Japan West | 20.189.228.225 | +| Korea Central | 20.194.75.193 | +| North Central US | 52.162.111.130, 20.51.0.209 | +| North Europe | 52.146.137.179 | +| Qatar Central | 20.21.36.225 | +| South Africa North | 102.133.220.199 | +| South Central US | 20.65.134.83 | +| Southeast Asia | 20.195.67.208 | +| Sweden Central | 51.12.28.100 | +| Switzerland North | 51.107.247.97 | +| UK South | 51.143.213.211 | +| UK West | 51.140.210.86 | +| West Central US | 13.71.199.119 | +| West Europe | 20.61.103.243, 20.61.103.244 | +| West US 2 | 20.51.13.80, 20.51.13.84, 20.51.13.85 | +| West US 3 | 20.150.245.165 | ++You can also completely disable public access to your Azure Container Registry instance while still allowing access from your FHIR service. To do so: ++1. In the Azure portal container registry, select **Networking**. +2. Select the **Public access** tab, select **Disabled**, and then select **Allow trusted Microsoft services to access this container registry**. 
++ ++### Verify the $convert-data operation ++Make a call to the `$convert-data` operation by specifying your template reference in the `templateCollectionReference` parameter: ++`<RegistryServer>/<imageName>@<imageDigest>` ++You should receive a `Bundle` response that contains the health data converted into the FHIR format. ++## Next steps ++In this article, you've learned how to configure settings for `$convert-data` for converting health data into FHIR by using the FHIR service in Azure Health Data Services. ++To learn about the frequently asked questions (FAQs) for `$convert-data`, see + +> [!div class="nextstepaction"] +> [Frequently asked questions about $convert-data](frequently-asked-questions-convert-data.md) ++For information about how to import FHIR data into the FHIR service, see: + +> [!div class="nextstepaction"] +> [Import operation](import-data.md) ++For information about how to export FHIR data from the FHIR service, see: + +> [!div class="nextstepaction"] +> [Export operation](export-data.md) ++FHIR® is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission. |
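Review bot: under "Default templates" the text says to make sure `templateCollectionReference` has "the appropriate value based on the type of data input", but this article never lists those values; the four bullets link to the GitHub template folders, not to the registry references a request needs. Add the default image references here (the `Convert Data` article in this same change set carries them in its parameter table, for example `microsofthealth/hl7v2templates:default` and the C-CDA, JSON and STU3 equivalents) or link to that table, otherwise a reader of this article alone cannot complete a request.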
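Review bot: both template skeletons under "Customize templates" are fenced as ```json but are not JSON (they contain `<liquid assignment line n >` and `<...liquid code...>` placeholders), and the first has a trailing comma in `"value":"xxxxx",` immediately before the closing brace that anyone copying the skeleton would have to remove. In the second skeleton the quotes around `customfield_message` and `customfield_data` are typographic rather than ASCII `"`, so it is not even well-formed once the placeholders are filled in. Suggest a `liquid` or plain fence, straight quotes, and no trailing comma.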
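Review bot: Step 2 tells readers to reference templates as `<RegistryServer>/<imageName>:<imageTag>`, while "Verify the $convert-data operation" shows `<RegistryServer>/<imageName>@<imageDigest>` with no explanation of the difference. From a supply-chain standpoint the two are not interchangeable: a tag can be re-pushed to point at different template content after registration, whereas a digest pins exactly the image that was reviewed. Suggest presenting both forms in one place and recommending the digest form for production calls, with tags for development iteration, so the choice is deliberate rather than an accident of which section the reader copied from.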
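Review bot: in Step 4 the closing link reads `[Azure built-in roles](../../role-based-access-control/role-assignments-portal.md)`, but the target is the portal how-to for assigning roles, not the built-in roles reference already linked for AcrPull in item 3; retitle it `Assign Azure roles using the Azure portal` or point it at `built-in-roles.md`, since the text "For more information about assigning roles in the Azure portal" describes the former.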
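Review bot: in Step 5 the ordered list under "To use the Azure portal:" runs `1.`, `3.`, `4.`; either a step was dropped between "select **Artifacts**" and "Select **Add**" or the items should be renumbered 1, 2, 3. Also, "You can register up to 20 Azure Container Registry servers" and "It might take a few minutes for the registration to take effect" are useful operational facts; consider adding that the registered server list is the only set of registries `templateCollectionReference` may name, so a request against an unregistered server fails rather than falling back to defaults, if that is the behaviour.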
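Review bot: Step 6 gives two ways to restrict the registry: the per-region public IP table, or **Public access** set to **Disabled** plus **Allow trusted Microsoft services to access this container registry**. The second is listed almost as an afterthought, yet it is the option that does not require maintaining a list of addresses that can drift (the export article earlier in this change set lists West US 2 as `40.64.135.77`, this table lists `20.51.13.80, 20.51.13.84, 20.51.13.85`; if those are different services, say so in each table's caption, since a reader who allowlists the wrong set gets a silent denial). Suggest leading with the trusted-services option for registries that serve only the FHIR service and presenting the IP table as the fallback when public access must stay on.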
healthcare-apis | Convert Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/convert-data.md | - Title: Convert your data to FHIR in Azure Health Data Services -description: This article describes how to use the $convert-data endpoint and custom converter templates to convert data to FHIR in Azure Health Data Services. ----- Previously updated : 03/09/2023------# Convert your data to FHIR --By using the `$convert-data` custom endpoint in the FHIR service, you can convert health data from various formats to FHIR. The `$convert-data` operation uses [Liquid](https://shopify.github.io/liquid/) templates from the [FHIR Converter](https://github.com/microsoft/FHIR-Converter) project for FHIR data conversion. You can customize these conversion templates as needed. Currently, the `$convert-data` operation supports three types of data conversion: -* HL7v2 to FHIR -* C-CDA to FHIR -* JSON to FHIR (intended for custom conversion mapping) -* FHIR STU3 to FHIR R4 --> [!NOTE] -> You can use the `$convert-data` endpoint as a component within an ETL (extract, transform, load) pipeline for the conversion of health data formats into the FHIR format. However, the `$convert-data` operation is not an ETL pipeline in itself. For a complete workflow as you convert your data to FHIR, we recommend that you use an ETL engine that's based on Azure Logic Apps or Azure Data Factory. The workflow might include: data reading and ingestion, data validation, making `$convert-data` API calls, data pre/post-processing, data enrichment, data deduplication, and loading the data for persistence in the FHIR service. --## Use the `$convert-data` endpoint --The `$convert-data` operation is integrated into the FHIR service as a RESTful API action. You can call the `$convert-data` endpoint as follows: --`POST {{fhirurl}}/$convert-data` --The health data for conversion is delivered to the FHIR service in the body of the `$convert-data` request. 
If the request is successful, the FHIR service will return a FHIR `Bundle` response with the data converted to FHIR. --### Parameters Resource --A `$convert-data` API call packages the health data for conversion inside a JSON-formatted [Parameters Resource](http://hl7.org/fhir/parameters.html) in the body of the request. The parameters are described in the following table: --| Parameter name | Description | Accepted values | -| -- | -- | -- | -| `inputData` | Data payload to be converted to FHIR. | For `Hl7v2`: string <br> For `Ccda`: XML <br> For `Json`: JSON <br> For `FHIR STU3`: JSON| -| `inputDataType` | Type of data input. | `Hl7v2`, `Ccda`, `Json`, `Fhir` | -| `templateCollectionReference` | Reference to an [OCI image](https://github.com/opencontainers/image-spec) template collection in [Azure Container Registry](https://azure.microsoft.com/services/container-registry/). The reference is to an image that contains Liquid templates to use for conversion. It can refer either to default templates or to a custom template image that's registered within the FHIR service. The following sections cover customizing the templates, hosting them on Azure Container Registry, and registering to the FHIR service. | For **default/sample** templates: <br> **HL7v2** templates: <br>`microsofthealth/fhirconverter:default` <br>``microsofthealth/hl7v2templates:default``<br> **C-CDA** templates: <br> ``microsofthealth/ccdatemplates:default`` <br> **JSON** templates: <br> ``microsofthealth/jsontemplates:default`` <br> **FHIR STU3** templates: <br> ``microsofthealth/stu3tor4templates:default`` <br><br> For **custom** templates: <br> `<RegistryServer>/<imageName>@<imageDigest>`, `<RegistryServer>/<imageName>:<imageTag>` | -| `rootTemplate` | The root template to use while transforming the data. | For **HL7v2**:<br> "AD |