Updates from: 07/30/2022 01:16:27
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Authorization Code Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/authorization-code-flow.md
Previously updated : 04/12/2022 Last updated : 07/29/2022
client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6
|{tenant}| Required | Name of your Azure AD B2C tenant| | {policy} | Required | The user flow to be run. Specify the name of a user flow you've created in your Azure AD B2C tenant. For example: `b2c_1_sign_in`, `b2c_1_sign_up`, or `b2c_1_edit_profile`. | | client_id |Required |The application ID assigned to your app in the [Azure portal](https://portal.azure.com). |
-| response_type |Required |The response type, which must include `code` for the authorization code flow. |
+| response_type |Required |The response type, which must include `code` for the authorization code flow. You can receive an ID token if you include it in the response type, such as `code+id_token`, and in this case, the scope needs to include `openid`.|
| redirect_uri |Required |The redirect URI of your app, where authentication responses are sent and received by your app. It must exactly match one of the redirect URIs that you registered in the portal, except that it must be URL-encoded. | | scope |Required |A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web applications. It indicates that your application will need a *refresh token* for extended access to resources.The client-id indicates the token issued are intended for use by Azure AD B2C registered client. The `https://{tenant-name}/{app-id-uri}/{scope}` indicates a permission to protected resources, such as a web API. For more information, see [Request an access token](access-tokens.md#scopes). | | response_mode |Recommended |The method that you use to send the resulting authorization code back to your app. It can be `query`, `form_post`, or `fragment`. |
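Review bot: the `+` row's `code+id_token` example is incomplete in two ways that matter for a correct request. First, `response_type` is a space-separated value (`code id_token`); the `+` is only its URL-encoded form, and saying so avoids readers literally sending a plus sign. Second, asking for an ID token in the authorization response changes two other parameters that the row does not mention: a `nonce` becomes required, and `response_mode=query` is not permitted for a response that carries an ID token, so `form_post` or `fragment` must be used. The unchanged `response_mode` row below still says any of `query`, `form_post`, or `fragment` may be used, which contradicts the new text for the `code id_token` case. Suggested wording: "…such as `code id_token` (URL-encoded as `code+id_token`). In this case `scope` must include `openid`, the request must carry a `nonce`, and `response_mode` must be `form_post` or `fragment`."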
active-directory-b2c Azure Ad External Identities Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/azure-ad-external-identities-videos.md
Get a deeper view into the features and technical aspects of the Azure AD B2C se
|[Azure AD B2C sign-up sign-in](https://www.youtube.com/watch?v=c8rN1ZaR7wk&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=6&t=2s) 10:25 | [:::image type="icon" source="./media/external-identities-videos/customer-sign-up-sign-in.png" border="false":::](https://www.youtube.com/watch?v=c8rN1ZaR7wk&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=6) | [Azure AD B2C single sign on and self service password reset](https://www.youtube.com/watch?v=kRV-7PSLK38&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=7) 8:40 | [:::image type="icon" source="./media/external-identities-videos/single-sign-on.png" border="false":::](https://www.youtube.com/watch?v=kRV-7PSLK38&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=7) | | [Application and identity migration to Azure AD B2C](https://www.youtube.com/watch?v=Xw_YwSJmhIQ&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=9) 10:34 | [:::image type="icon" source="./media/external-identities-videos/identity-migration-aad-b2c.png" border="false":::](https://www.youtube.com/watch?v=Xw_YwSJmhIQ&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=9) | [Build resilient and scalable flows using Azure AD B2C](https://www.youtube.com/watch?v=8f_Ozpw9yTs&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=12) 16:47 | [:::image type="icon" source="./media/external-identities-videos/b2c-scalable-flows.png" border="false":::](https://www.youtube.com/watch?v=8f_Ozpw9yTs&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=12) | | [Building a custom CIAM solution with Azure AD B2C and ISV alliances](https://www.youtube.com/watch?v=UZjiGDD0wa8&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=8) 10:01 | [:::image type="icon" source="./media/external-identities-videos/build-custom-b2c-solution.png" border="false":::](https://www.youtube.com/watch?v=UZjiGDD0wa8&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=8) | [Protecting Web APIs with Azure AD B2C](https://www.youtube.com/watch?v=wuUu71RcsIo&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=10) 19:03 | [:::image type="icon" 
source="./media/external-identities-videos/protecting-web-apis.png" border="false":::](https://www.youtube.com/watch?v=wuUu71RcsIo&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=10) |
-| [Integration of SAML with Azure AD B2C](https://www.youtube.com/watch?v=r2TIVBCm7v4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=11) 9:09 | [:::image type="icon" source="./media/external-identities-videos/saml-integration.png" border="false":::](https://www.youtube.com/watch?v=r2TIVBCm7v4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=11) |
+| [Integration of SAML with Azure AD B2C](https://www.youtube.com/watch?v=r2TIVBCm7v4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=11) 9:09 | [:::image type="icon" source="./media/external-identities-videos/saml-integration.png" border="false":::](https://www.youtube.com/watch?v=r2TIVBCm7v4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=11) | [Azure AD B2C Identity Protection and Conditional Access](https://www.youtube.com/watch?v=frn5jVqbmUo&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=15) 14:44 | [:::image type="icon" source="./media/external-identities-videos/identity-protection-and-conditional-access.png" border="false":::](https://www.youtube.com/watch?v=frn5jVqbmUo&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=15)
## Azure Active Directory B2C how to series
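Review bot: the row added in the `+` line is missing the closing ` |` that every other row of this table ends with, so its last cell (the Identity Protection and Conditional Access thumbnail) is unterminated; append ` |` after the final link to match the table's convention.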
active-directory-b2c Technicalprofiles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/technicalprofiles.md
The **InputClaim** element contains the following attributes:
| | -- | -- | | ClaimTypeReferenceId | Yes | The identifier of a claim type. The claim is already defined in the claims schema section in the policy file or parent policy file. | | DefaultValue | No | A default value to use to create a claim if the claim indicated by ClaimTypeReferenceId doesn't exist so that the resulting claim can be used as an InputClaim element by the technical profile. |
+|AlwaysUseDefaultValue |No |Forces the use of the default value. |
| PartnerClaimType | No | The identifier of the claim type of the external partner that the specified policy claim type maps to. If the PartnerClaimType attribute isn't specified, the specified policy claim type is mapped to the partner claim type of the same name. Use this property when your claim type name is different from the other party. An example is if the first claim name is *givenName*, while the partner uses a claim named *first_name*. | ## Display claims
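Review bot: the description of the new `AlwaysUseDefaultValue` attribute ("Forces the use of the default value") does not say what it forces relative to the `DefaultValue` row above, which states that the default is used only when the claim doesn't exist; state explicitly whether `true` makes the technical profile use `DefaultValue` even when the claim already has a value, and what happens when `DefaultValue` is not set. The new row also drops the spaces around the cell separators (`|AlwaysUseDefaultValue |No |`) that the neighbouring rows use.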
active-directory Howto Remove App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-remove-app.md
Previously updated : 11/15/2020 Last updated : 07/28/2022
To delete an application, be listed as an owner of the application or have admin
## Remove an application authored by another organization
-If you are viewing **App registrations** in the context of a tenant, a subset of the applications that appear under the **All apps** tab are from another tenant and were registered into your tenant during the consent process. More specifically, they are represented by only a service principal object in your tenant, with no corresponding application object. For more information on the differences between application and service principal objects, see [Application and service principal objects in Azure AD](./app-objects-and-service-principals.md).
+If you're viewing **App registrations** in the context of a tenant, a subset of the applications that appear under the **All apps** tab are from another tenant and were registered into your tenant during the consent process. More specifically, they're represented by only a service principal object in your tenant, with no corresponding application object. For more information on the differences between application and service principal objects, see [Application and service principal objects in Azure AD](./app-objects-and-service-principals.md).
-In order to remove an applicationΓÇÖs access to your directory (after having granted consent), the company administrator must remove its service principal. The administrator must have Global Administrator access, and can remove the application through the Azure portal or use the [Azure AD PowerShell Cmdlets](/previous-versions/azure/jj151815(v=azure.100)) to remove access.
+In order to remove an applicationΓÇÖs access to your directory (after having granted consent), the company administrator must remove its service principal. The administrator must have Global Administrator access. To learn how to delete a service principal, see [Delete an enterprise application](../manage-apps/delete-application-portal.md).
## Next steps
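Review bot: the `+` line keeps the old sentence's requirement that the administrator "must have Global Administrator access" while now deferring the actual procedure to the Delete an enterprise application page; if that page lists a narrower role that can delete a service principal, this sentence should name that role instead, so the two pages agree and readers are not steered to a Global Administrator account for a routine removal.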
active-directory Howto Restore App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-restore-app.md
Previously updated : 3/22/2021 Last updated : 07/28/2022 #Customer intent: As an application developer, I want to know how to restore or permanently delete my recently deleted application from the Microsoft identity platform. # Restore or remove a recently deleted application with the Microsoft identity platform
-After you delete an app registration, the app remains in a suspended state for 30 days. During that 30-day window, the app registration can be restored, along with all its properties. After that 30-day window passes, app registrations cannot be restored and the permanent deletion process may be automatically started. This functionality only applies to applications associated to a directory. It is not available for applications from a personal Microsoft account, which cannot be restored.
-You can view your deleted applications, restore a deleted application, or permanently delete an application using the App registrations experience under Azure Active Directory (Azure AD) in the Azure portal.
+After you delete an app registration, the app remains in a suspended state for 30 days. During that 30-day window, the app registration can be restored, along with all its properties. After that 30-day window passes, app registrations can't be restored, and the permanent deletion process may be automatically started. This functionality only applies to applications associated to a directory. It isn't available for applications from a personal Microsoft account, which can't be restored.
-Note that neither you nor Microsoft customer support can restore a permanently deleted application or an application deleted more than 30 days ago.
+You can view your deleted applications, restore a deleted application, or permanently delete an application using the **App registrations** experience under Azure Active Directory (Azure AD) in the Azure portal.
-> [!IMPORTANT]
-> The deleted applications portal UI feature [!INCLUDE [PREVIEW BOILERPLATE](../../../includes/active-directory-develop-preview.md)]
+Neither you nor Microsoft customer support can restore a permanently deleted application or an application deleted more than 30 days ago.
## Required permissions You must have one of the following roles to permanently delete applications.
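Review bot: the `-` lines remove the `[!IMPORTANT]` preview boilerplate for the deleted-applications portal UI without any text saying the feature has reached general availability; if it has, fine, but confirm, because dropping the banner silently changes what the page promises about support and stability. Separately, "applications associated to a directory" in the `+` line should read "associated with a directory".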
Review the list of applications. Only applications that have been deleted in the
## Restore a recently deleted application
-When an app registration is deleted from the organization, the app is in a suspended state and its configurations are preserved. When you restore an app registration, its configurations are also restored. However, if there were any organization-specific settings in **Enterprise applications** for the application's home tenant, those will not be restored.
+When an app registration is deleted from the organization, the app is in a suspended state, and its configurations are preserved. When you restore an app registration, its configurations are also restored. However, if there were any organization-specific settings in **Enterprise applications** for the application's home tenant, those won't be restored.
-This is because organization-specific settings are stored on a separate object, called the service principal. Settings held on the service principal include permission consents and user and group assignments for a certain organization; these configurations will not be restored when the app is restored. For more information, see [Application and service principal objects](app-objects-and-service-principals.md).
+This is because organization-specific settings are stored on a separate object, called the service principal. Settings held on the service principal include permission consents and user and group assignments for a certain organization; these configurations won't be restored when the app is restored. To learn how to restore the service principal with its previous configurations, see [Restore a recently deleted enterprise application](../manage-apps/restore-application.md).
### To restore an application
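Review bot: the sentence added at the end of the `+` line ("To learn how to restore the service principal with its previous configurations…") immediately follows a sentence saying those configurations won't be restored, which reads as a contradiction on first pass; make it explicit that these are two separate operations, e.g. "Restoring the app registration does not restore the service principal. Restore the service principal separately to bring back its consents and assignments; see Restore a recently deleted enterprise application." If one of the two must be restored first, say so here.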
active-directory Groups Settings Cmdlets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-settings-cmdlets.md
To update the value for UsageGuideLinesUrl in the setting template, read the cur
Output: ```powershell
- Name Value
- - --
- EnableMIPLabels True
+ Name Value
+ - --
+ EnableMIPLabels True
CustomBlockedWordsList
- EnableMSStandardBlockedWords False
+ EnableMSStandardBlockedWords False
ClassificationDescriptions DefaultClassification PrefixSuffixNamingRequirement
- AllowGuestsToBeGroupOwner False
- AllowGuestsToAccessGroups True
+ AllowGuestsToBeGroupOwner False
+ AllowGuestsToAccessGroups True
GuestUsageGuidelinesUrl GroupCreationAllowedGroupId
- AllowToAddGuests True
- UsageGuidelinesUrl https://guideline.example.com
+ AllowToAddGuests True
+ UsageGuidelinesUrl https://guideline.example.com
ClassificationList
- EnableGroupCreation True
+ EnableGroupCreation True
+ NewUnifiedGroupWritebackDefault True
``` 3. To remove the value of UsageGuideLinesUrl, edit the URL to be an empty string:
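Review bot: apart from the new `NewUnifiedGroupWritebackDefault True` line, the `-`/`+` pairs in this output block differ only in whitespace; if the intent was to realign the columns, check that the `Name Value` header and its `- --` underline are widened to the new longest name, `NewUnifiedGroupWritebackDefault`, otherwise the Value column will no longer line up with the header.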
Here are the settings defined in the Group.Unified SettingsTemplate. Unless othe
| <ul><li>AllowToAddGuests<li>Type: Boolean<li>Default: True | A boolean indicating whether or not is allowed to add guests to this directory. <br>This setting may be overridden and become read-only if *EnableMIPLabels* is set to *True* and a guest policy is associated with the sensitivity label assigned to the group.<br>If the AllowToAddGuests setting is set to False at the organization level, any AllowToAddGuests setting at the group level is ignored. If you want to enable guest access for only a few groups, you must set AllowToAddGuests to be true at the organization level, and then selectively disable it for specific groups. | | <ul><li>ClassificationList<li>Type: String<li>Default: "" | A comma-delimited list of valid classification values that can be applied to Microsoft 365 groups. <br>This setting does not apply when EnableMIPLabels == True.| | <ul><li>EnableMIPLabels<li>Type: Boolean<li>Default: "False" |The flag indicating whether sensitivity labels published in Microsoft Purview compliance portal can be applied to Microsoft 365 groups. For more information, see [Assign Sensitivity Labels for Microsoft 365 groups](groups-assign-sensitivity-labels.md). |
+| <ul><li>NewUnifiedGroupWritebackDefault<li>Type: Boolean<li>Default: "True" |The flag that allows an admin to create new Microsoft 365 groups without setting the groupWritebackConfiguration resource type in the request payload. This setting is applicable when group writeback is configured in Azure AD Connect. "NewUnifiedGroupWritebackDefault" is a global Microfot 365 group setting. Default value is true. Updating the setting value to false will change the default writeback behavior for newly created Microsoft 365 groups, and will not change isEnabled property value for existing Microsoft 365 groups. Group admin will need to explicitly update the group isEnabled property value to change the writeback state for existing Microsoft 365 groups. For more information, see [groupWritebackConfiguration resource type](groupwritebackconfiguration?view=graph-rest-beta.md). |
## Example: Configure Guest policy for groups at the directory level 1. Get all the setting templates:
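Review bot: the `+` table row contains a typo ("Microfot 365") and a link that will not resolve: `groupwritebackconfiguration?view=graph-rest-beta.md` is a relative path into this docs folder with `.md` appended after the query string; it should point at the Graph reference for the `groupWritebackConfiguration` resource, with `?view=graph-rest-beta` as the query string rather than part of the file name. Two smaller points in the same row: the Default cell quotes the value (`"True"`) while `AllowToAddGuests` above uses an unquoted `True`, and "will not change isEnabled property value" should be "will not change the `isEnabled` property value".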
active-directory Groups Write Back Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-write-back-portal.md
# Group writeback in the Azure Active Directory admin center (preview)
-Group writeback is a valuable tool for administrators of Azure Active Directory (Azure AD) tenants being synced with on-premises Active Directory groups. Microsoft is now previewing new capabilities for group writeback. In this preview, you can specify in the Azure AD admin center which groups you want to write back and what youΓÇÖd like each group to write back as. You can write Microsoft 365 groups back to on-premises Active Directory as Distribution, Mail-enabled Security, or Security groups, and write Security groups back as Security groups. Groups are written back with a scope of universalΓÇï.
+Group writeback is a valuable tool for administrators of Azure Active Directory (Azure AD) tenants being synced with on-premises Active Directory groups. Microsoft is now previewing new capabilities for group writeback for tenants with an Azure AD Premium license and Azure AD Connect version 2021 December release or later. In this preview, once you have [enabled Azure AD Connect group writeback](..//hybrid/how-to-connect-group-writeback-v2.md), you can specify in the Azure AD admin center which groups you want to write back and what youΓÇÖd like each group to write back as. You can write Microsoft 365 groups back to on-premises Active Directory as Distribution, Mail-enabled Security, or Security groups, and write Security groups back as Security groups. Groups are written back with a scope of universalΓÇï.
>[!NOTE] > If you were previously writing Microsoft 365 groups back to on-premises Active Directory as universal distribution groups, they will appear in the Azure portal as not enabled for writeback in both the **Groups** page and in the properties page for a group. These pages display a new property introduced for the preview, ΓÇ£writeback enabledΓÇ¥. This property is not set by the current version of group writeback to ensure backward compatibility with the legacy version of group writeback and to avoid breaking existing customer setups.
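Review bot: the link in the `+` line, `..//hybrid/how-to-connect-group-writeback-v2.md`, has a doubled slash and should be `../hybrid/how-to-connect-group-writeback-v2.md`. The new prerequisite "Azure AD Connect version 2021 December release or later" would also be more useful as the actual version number, since readers compare an installed version string, not a release month.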
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md
Title: Archive for What's new in Azure Active Directory? | Microsoft Docs
-description: The What's new release notes in the Overview section of this content set contains 6 months of activity. After 6 months, the items are removed from the main article and put into this archive article.
+description: The What's new release notes in the Overview section of this content set contain six months of activity. After six months, the items are removed from the main article and put into this archive article.
The What's new in Azure Active Directory? release notes provide information abou
+## January 2022
+
+### Public preview - Custom security attributes
+
+**Type:** New feature
+**Service category:** Directory Management
+**Product capability:** Directory
+
+Enables you to define business-specific attributes that you can assign to Azure AD objects. These attributes can be used to store information, categorize objects, or enforce fine-grained access control. Custom security attributes can be used with Azure attribute-based access control. [Learn more](custom-security-attributes-overview.md).
+
++
+### Public preview - Filter groups in tokens using a substring match
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** SSO
+
+In the past, Azure AD only permitted groups to be filtered based on whether they were assigned to an application. Now, you can also use Azure AD to filter the groups included in the token. You can filter with the substring match on the display name or onPremisesSAMAccountName attributes of the group object on the token. Only groups that the user is a member of will be included in the token. This token will be recognized whether it's on the ObjectID or the on premises SAMAccountName or security identifier (SID). This feature can be used together with the setting to include only groups assigned to the application if desired to further filter the list.[Learn more](../hybrid/how-to-connect-fed-group-claims.md)
+++
+### General availability - Continuous Access Evaluation
+
+**Type:** New feature
+**Service category:** Other
+**Product capability:** Access Control
+
+With Continuous access evaluation (CAE), critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change. [Learn more](../conditional-access/concept-continuous-access-evaluation.md).
+
++
+### General Availability - User management enhancements are now available
+
+**Type:** New feature
+**Service category:** User Management
+**Product capability:** User Management
+
+The Azure AD portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:
+
+- More visible user properties including object ID, directory sync status, creation type, and identity issuer.
+- **Search now** allows substring search and combined search of names, emails, and object IDs.
+- Enhanced filtering by user type (member, guest, and none), directory sync status, creation type, company name, and domain name.
+- New sorting capabilities on properties like name, user principal name, creation time, and deletion date.
+- A new total users count that updates with any searches or filters.
+
+For more information, go to [User management enhancements (preview) in Azure Active Directory](../enterprise-users/users-search-enhanced.md).
+++
+### General Availability - My Apps customization of default Apps view
+
+**Type:** New feature
+**Service category:** My Apps
+**Product capability:** End User Experiences
+
+Customization of the default My Apps view in now in general availability. For more information on My Apps, you can go to [Sign in and start apps from the My Apps portal](https://support.microsoft.com/en-us/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+
++
+### General Availability - Audited BitLocker Recovery
+
+**Type:** New feature
+**Service category:** Device Access Management
+**Product capability:** Device Lifecycle Management
+
+BitLocker keys are sensitive security items. Audited BitLocker recovery ensures that when BitLocker keys are read, an audit log is generated so that you can trace who accesses this information for given devices. [Learn more](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys).
+++
+### General Availability - Download a list of devices
+
+**Type:** New feature
+**Service category:** Device Registration and Management
+**Product capability:** Device Lifecycle Management
+
+Download a list of your organization's devices to a .csv file for easier reporting and management. [Learn more](../devices/device-management-azure-portal.md#download-devices).
+
++
+### New provisioning connectors in the Azure AD Application Gallery - January 2022
+
+**Type:** New feature
+**Service category:** App Provisioning
+**Product capability:** 3rd Party Integration
+
+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
+
+- [Autodesk SSO](../saas-apps/autodesk-sso-provisioning-tutorial.md)
+- [Evercate](../saas-apps/evercate-provisioning-tutorial.md)
+- [frankli.io](../saas-apps/frankli-io-provisioning-tutorial.md)
+- [Plandisc](../saas-apps/plandisc-provisioning-tutorial.md)
+- [Swit](../saas-apps/swit-provisioning-tutorial.md)
+- [TerraTrue](../saas-apps/terratrue-provisioning-tutorial.md)
+- [TimeClock 365 SAML](../saas-apps/timeclock-365-saml-provisioning-tutorial.md)
+
+For more information about how to better secure your organization by using automated user account provisioning, go to [Automate user provisioning to SaaS applications with Azure AD](../manage-apps/user-provisioning.md).
+++
+### New Federated Apps available in Azure AD Application gallery - January 2022
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** 3rd Party Integration
+
+In January 2022, weΓÇÖve added the following 47 new applications in our App gallery with Federation support:
+
+[Jooto](../saas-apps/jooto-tutorial.md), [Proprli](https://app.proprli.com/), [Pace Scheduler](https://www.pacescheduler.com/accounts/login/), [DRTrack](../saas-apps/drtrack-tutorial.md), [Dining Sidekick](../saas-apps/dining-sidekick-tutorial.md), [Cryotos](https://app.cryotos.com/oauth2/authorization/azure-client), [Emergency Management Systems](https://secure.emsystems.com.au/), [Manifestly Checklists](../saas-apps/manifestly-checklists-tutorial.md), [eLearnPOSH](../saas-apps/elearnposh-tutorial.md), [Scuba Analytics](../saas-apps/scuba-analytics-tutorial.md), [Athena Systems sign-in Platform](../saas-apps/athena-systems-login-platform-tutorial.md), [TimeTrack](../saas-apps/timetrack-tutorial.md), [MiHCM](../saas-apps/mihcm-tutorial.md), [Health Note](https://www.healthnote.com/), [Active Directory SSO for DoubleYou](../saas-apps/active-directory-sso-for-doubleyou-tutorial.md), [Emplifi platform](../saas-apps/emplifi-platform-tutorial.md), [Flexera One](../saas-apps/flexera-one-tutorial.md), [Hypothesis](https://web.hypothes.is/help/authorizing-hypothesis-from-the-azure-ad-app-gallery/), [Recurly](../saas-apps/recurly-tutorial.md), [XpressDox AU Cloud](https://au.xpressdox.com/Authentication/Login.aspx), [Zoom for Intune](https://zoom.us/), [UPWARD AGENT](https://app.upward.jp/login/), [Linux Foundation ID](https://openprofile.dev/), [Asset Planner](../saas-apps/asset-planner-tutorial.md), [Kiho](https://v3.kiho.fi/index/sso), [chezie](https://app.chezie.co/), [Excelity HCM](../saas-apps/excelity-hcm-tutorial.md), [yuccaHR](https://app.yuccahr.com/), [Blue Ocean Brain](../saas-apps/blue-ocean-brain-tutorial.md), [EchoSpan](../saas-apps/echospan-tutorial.md), [Archie](../saas-apps/archie-tutorial.md), [Equifax Workforce Solutions](../saas-apps/equifax-workforce-solutions-tutorial.md), [Palantir Foundry](../saas-apps/palantir-foundry-tutorial.md), [ATP SpotLight and ChronicX](../saas-apps/atp-spotlight-and-chronicx-tutorial.md), 
[DigiSign](https://app.digisign.org/selfcare/sso), [mConnect](https://mconnect.skooler.com/), [BrightHR](https://login.brighthr.com/), [Mural Identity](../saas-apps/mural-identity-tutorial.md), [NordPass SSO](https://app.nordpass.com/login%20use%20%22Log%20in%20to%20business%22%20option), [CloudClarity](https://portal.cloudclarity.app/dashboard), [Twic](../saas-apps/twic-tutorial.md), [Eduhouse Online](https://app.eduhouse.fi/palvelu/kirjaudu/microsoft), [Bealink](../saas-apps/bealink-tutorial.md), [Time Intelligence Bot](https://teams.microsoft.com/), [SentinelOne](https://sentinelone.com/)
+
+You can also find the documentation of all the applications from: https://aka.ms/AppsTutorial,
+
+For listing your application in the Azure AD app gallery, read the details in: https://aka.ms/AzureADAppRequest
+++
+### Azure Ad access reviews reviewer recommendations now account for non-interactive sign-in information
+
+**Type:** Changed feature
+**Service category:** Access Reviews
+**Product capability:** Identity Governance
+
+Azure AD access reviews reviewer recommendations now account for non-interactive sign-in information, improving upon original recommendations based on interactive last sign-ins only. Reviewers can now make more accurate decisions based on the last sign-in activity of the users theyΓÇÖre reviewing. To learn more about how to create access reviews, go to [Create an access review of groups and applications in Azure AD](../governance/create-access-review.md).
+
++
+### Risk reason for offline Azure AD Threat Intelligence risk detection
+
+**Type:** Changed feature
+**Service category:** Identity Protection
+**Product capability:** Identity Security & Protection
+
+The offline Azure AD Threat Intelligence risk detection can now have a risk reason that will help customers with the risk investigation. If a risk reason is available, it will show up as **Additional Info** in the risk details of that risk event. The information can be found in the Risk detections report. It will also be available through the additionalInfo property of the riskDetections API. [Learn more](../identity-protection/howto-identity-protection-investigate-risk.md).
+
+++ ## December 2021 ### Tenant enablement of combined security information registration for Azure Active Directory
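Review bot: the "General Availability - User management enhancements" entry is internally inconsistent: the heading says GA, but the body says "Changes in the preview include" and the link text is "User management enhancements (preview)"; pick one status and make the body and link match. Two further points in the same region. The "New Federated Apps" entry promises 47 applications, but the list as shown has 45 entries, so recount or fix the number. The group-filter entry is hard to parse: "This token will be recognized whether it's on the ObjectID or the on premises SAMAccountName or security identifier (SID)" appears to mean that the filter matches on the group's display name or `onPremisesSAMAccountName`, independent of whether the emitted group claim uses the object ID, sAMAccountName, or SID; say that directly, and add the missing space before `[Learn more]`. Minor: "in now in general availability" should be "is now in general availability", the "Azure Ad access reviews" heading should use "Azure AD", and the trailing comma after `https://aka.ms/AppsTutorial` should be a full stop.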
We previously announced in April 2020, a new combined registration experience en
**Service category:** Authentications (Logins) **Product capability:** User Authentication
-A problematic interaction between Windows and a local Active Directory Federation Services (ADFS) instance can result in users attempting to sign into another account, but be silently signed into their existing account instead, with no warning. For federated IdPs such as ADFS, that support the [prompt=login](/windows-server/identity/ad-fs/operations/ad-fs-prompt-login) pattern, Azure AD will now trigger a fresh login at ADFS when a user is directed to ADFS with a login hint. This ensures that the user is signed into the account they requested, rather than being silently signed into the account they're already signed in with.
+A problematic interaction between Windows and a local Active Directory Federation Services (ADFS) instance can result in users attempting to sign into another account, but be silently signed into their existing account instead, with no warning. For federated IdPs such as ADFS, that support the [prompt=login](/windows-server/identity/ad-fs/operations/ad-fs-prompt-login) pattern, Azure AD will now trigger a fresh sign-in at ADFS when a user is directed to ADFS with a sign in hint. This ensures that the user is signed into the account they requested, rather than being silently signed into the account they're already signed in with.
For more information, see the [change notice](../develop/reference-breaking-changes.md).
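Review bot: the `+` line changes "login hint" to "sign in hint" but leaves it unhyphenated while "sign-in" earlier in the same sentence is hyphenated; use "sign-in hint", and since the request parameter is literally `login_hint`, keep that name in code font next to it so the terminology change does not hide which parameter triggers the fresh sign-in at ADFS.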
The new Conditional Access overview dashboard enables all tenants to see insight
**Service category:** Azure AD Connect Cloud Sync **Product capability:** Identity Lifecycle Management
-The Public Preview feature for Azure AD Connect Cloud Sync Password writeback provides customers the capability to writeback a userΓÇÖs password changes in the cloud to the on-premises directory in real time using the lightweight Azure AD cloud provisioning agent.[Learn more](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
+The Public Preview feature for Azure AD Connect Cloud Sync Password writeback provides customers the capability to write back a userΓÇÖs password changes in the cloud to the on-premises directory in real time using the lightweight Azure AD cloud provisioning agent.[Learn more](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
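Review bot: both the `-` and `+` lines run the sentence into the link ("agent.[Learn more]"); while this line is being edited for the "write back" fix, add the missing space before `[Learn more]`.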
Now access review creators can select users and groups to receive notification o
This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. Users can also report any suspicious or unfamiliar activity, change their Azure AD account passwords, and update the account's security information.
-For more information on how to use this feature visit [View and search your recent sign-in activity from the My sign-ins page](../user-help/my-account-portal-sign-ins-page.md).
+For more information on how to use this feature visit [View and search your recent sign-in activity from the My Sign-ins page](../user-help/my-account-portal-sign-ins-page.md).
For more information about how to better secure your organization by using autom
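Review bot: the `+` line needs a comma after the introductory clause: "For more information on how to use this feature, visit [View and search your recent sign-in activity from the My Sign-ins page]". The capitalization change to "My Sign-ins" is only right if it matches the title of the linked page; check my-account-portal-sign-ins-page.md before merging.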
In November 2021, we have added following 32 new applications in our App gallery with Federation support:
-[Tide - Connector](https://gallery.ctinsuretech-tide.com/), [Virtual Risk Manager - USA](../saas-apps/virtual-risk-manager-usa-tutorial.md), [Xorlia Policy Management](https://app.xoralia.com/), [WorkPatterns](https://app.workpatterns.com/oauth2/login?data_source_type=office_365_account_calendar_workspace_sync&utm_source=azure_sso), [GHAE](../saas-apps/ghae-tutorial.md), [Nodetrax Project](../saas-apps/nodetrax-project-tutorial.md), [Touchstone Benchmarking](https://app.touchstonebenchmarking.com/), [SURFsecureID - Azure AD Multi-Factor Authentication](../saas-apps/surfsecureid-azure-mfa-tutorial.md), [AIDEA](https://truebluecorp.com/en/prodotti/aidea-en/),[R and D Tax Credit
+[Tide - Connector](https://gallery.ctinsuretech-tide.com/), [Virtual Risk Manager - USA](../saas-apps/virtual-risk-manager-usa-tutorial.md), [Xorlia Policy Management](https://app.xoralia.com/), [WorkPatterns](https://app.workpatterns.com/oauth2/login?data_source_type=office_365_account_calendar_workspace_sync&utm_source=azure_sso), [GHAE](../saas-apps/ghae-tutorial.md), [Nodetrax Project](../saas-apps/nodetrax-project-tutorial.md), [Touchstone Benchmarking](https://app.touchstonebenchmarking.com/), [SURFsecureID - Azure AD Multi-Factor Authentication](../saas-apps/surfsecureid-azure-mfa-tutorial.md), [AiDEA](https://truebluecorp.com/en/prodotti/aidea-en/),[R and D Tax Credit
You can also find the documentation of all the applications [here](../saas-apps/tutorial-list.md).
The following new capabilities have been added to the claims transformations ava
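Review bot: the `+` line is missing a space after the comma in "[AiDEA](https://truebluecorp.com/en/prodotti/aidea-en/),[R and D Tax Credit"; every other entry in the list is separated by ", ". The leading sentence "we have added following 32 new applications" also wants "the following".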
-### Public Preview ΓÇô Flagged sign-ins
+### Public Preview ΓÇô Flagged Sign-ins
**Type:** New feature **Service category:** Reporting **Product capability:** Monitoring & Reporting
-Flagged sign-ins is a feature that will increase the signal to noise ratio for user sign-ins where users need help. The functionality is intended to empower users to raise awareness about sign-in errors they want help with. Also to help admins and help desk workers find the right sign-in events quickly and efficiently. [Learn more](../reports-monitoring/overview-flagged-sign-ins.md).
+Flagged sign-ins are a feature that will increase the signal to noise ratio for user sign-ins where users need help. The functionality is intended to empower users to raise awareness about sign-in errors they want help with. Also to help admins and help desk workers find the right sign-in events quickly and efficiently. [Learn more](../reports-monitoring/overview-flagged-sign-ins.md).
New scenarios covered when using the Sign-in Diagnostic:
- Seamless Single-Sign On sign-in failures Other changes include:-- Flagged sign-ins will automatically appear for investigation when using the Sign-in Diagnostic from Diagnose and Solve.
+- Flagged Sign-ins will automatically appear for investigation when using the Sign-in Diagnostic from Diagnose and Solve.
- Sign-in Diagnostic is now available from the Enterprise Apps Diagnose and Solve blade. - The Sign-in Diagnostic is now available in the Basic Info tab of the Sign-in Log event view for all sign-in events. [Learn more](../reports-monitoring/concept-sign-in-diagnostics-scenarios.md#supported-scenarios).
Privileged Role Administrators can now create Azure AD access reviews on Azure A
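Review bot: capitalization is inconsistent within this hunk: the heading and the bullet now say "Flagged Sign-ins" while the body paragraph still says "Flagged sign-ins are a feature"; pick one form (lowercase matches the linked page name overview-flagged-sign-ins.md). In the body, "signal to noise ratio" should be "signal-to-noise ratio", and "Also to help admins and help desk workers find the right sign-in events quickly and efficiently." is a fragment; join it to the preceding sentence: "...sign-in errors they want help with, and to help admins and help desk workers find the right sign-in events quickly and efficiently."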
-### General Availability - Azure AD single Sign on and device-based Conditional Access support in Firefox on Windows 10/11
+### General Availability - Azure AD single Sign-on and device-based Conditional Access support in Firefox on Windows 10/11
**Type:** New feature **Service category:** Authentications (Logins)
The new group list blade offers more sort and filtering capabilities, infinite s
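Review bot: "Azure AD single Sign-on" in the new heading mixes cases; use either the generic term "single sign-on" (as the body text does) or the product-style "Single Sign-On". The same heading text appears again for the Windows 10 public preview entry further down in this file; both should use the identical form.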
Google has deprecated Gmail sign-ins on Microsoft Teams mobile and custom apps that run Gmail authentications on embedded webviews on Sept. 30th, 2021.
-If you would like to request an extension, impacted customers with affected OAuth client ID(s) should have received an email from Google Developers with the following information regarding a one-time policy enforcement extension, which must be completed by January 31, 2022.
+If you would like to request an extension, impacted customers with affected OAuth client ID(s) should have received an email from Google Developers with the following information regarding a one-time policy enforcement extension, which must be completed by Jan 31, 2022.
To continue allowing your Gmail users to sign in and redeem, we strongly recommend that you refer to [Embedded vs System Web](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) UI in the MSAL.NET documentation and modify your apps to use the system browser for sign-in. All MSAL SDKs use the system web-view by default.
-As a workaround, we are deploying the device login flow by October 8. Between today and until then, it is likely that it may not be rolled out to all regions yet (in which case, end-users will be met with an error screen until it gets deployed to your region.)
+As a workaround, we're deploying the device sign-in flow by October 8. Between today and until then, it's likely that it may not be rolled out to all regions yet (in which case, end-users will be met with an error screen until it gets deployed to your region.)
-For more details on the device login flow and details on requesting extension to Google, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).
+For more details on the device sign-in flow and details on requesting extension to Google, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).
The load time of My Apps has been improved. Users going to myapps.microsoft.com
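Review bot: abbreviating the deadline to "Jan 31, 2022" makes it the only abbreviated month in this section ("September 30, 2021" and "October 8" are spelled out); keep "January 31, 2022". In the workaround paragraph, "Between today and until then, it's likely that it may not be rolled out to all regions yet" stacks hedges; suggest "Until then, it may not yet be rolled out to all regions, in which case end users see an error screen until it reaches your region."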
**Service category:** Authentications (Logins) **Product capability:** Developer Experience
-The modern Edge browser is now included in the requirement to provide an `Origin` header when redeeming a [single page app authorization code](../develop/v2-oauth2-auth-code-flow.md#redirect-uri-setup-required-for-single-page-apps). A compatibility fix accidentally exempted the modern Edge browser from CORS controls, and that bug is being fixed during October. A subset of applications depended on CORS being disabled in the browser, which has the side effect of removing the `Origin` header from traffic. This is an unsupported configuration for using Azure AD, and these apps that depended on disabling CORS can no longer use modern Edge as a security workaround. All modern browsers must now include the `Origin` header per HTTP spec, to ensure CORS is enforced. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).
+The modern Edge browser is now included in the requirement to provide an `Origin` header when redeeming a [single page app authorization code](../develop/v2-oauth2-auth-code-flow.md#redirect-uri-setup-required-for-single-page-apps). A compatibility fixes accidentally exempted the modern Edge browser from CORS controls, and that bug is being fixed during October. A subset of applications depended on CORS being disabled in the browser, which has the side effect of removing the `Origin` header from traffic. This is an unsupported configuration for using Azure AD, and these apps that depended on disabling CORS can no longer use modern Edge as a security workaround. All modern browsers must now include the `Origin` header per HTTP spec, to ensure CORS is enforced. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).
For listing your application in the Azure AD app gallery, read the details here:
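Review bot: the `+` line introduces a grammar error: "A compatibility fixes accidentally exempted" should stay "A compatibility fix accidentally exempted". Separately, the [Learn more] link in both versions points at the anchor "#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt", which is the device-code-flow prompt change, not the Origin-header/CORS requirement this paragraph describes; link to the breaking-changes entry for the `Origin` header instead.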
-### Gmail users signing in on Microsoft Teams mobile and desktop clients will sign in with device login flow starting September 30, 2021
+### Gmail users signing in on Microsoft Teams mobile and desktop clients will sign in with device sign-in flow starting September 30, 2021
**Type:** Changed feature **Service category:** B2B **Product capability:** B2B/B2C
-Starting on September 30 2021, Azure AD B2B guests and Azure AD B2C customers signing in with their self-service signed up or redeemed Gmail accounts will have an extra login step. Users will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients. If you haven't already done so, make sure to modify your apps to use the system browser for sign-in. See [Embedded vs System Web UI in the MSAL.NET](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) documentation for more information. All MSAL SDKs use the system web-view by default.
+Starting on September 30 2021, Azure AD B2B guests and Azure AD B2C customers signing in with their self-service signed up or redeemed Gmail accounts will have an extra sign-in step. Users will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients. If you haven't already done so, make sure to modify your apps to use the system browser for sign-in. See [Embedded vs System Web UI in the MSAL.NET](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) documentation for more information. All MSAL SDKs use the system web-view by default.
-As the device login flow will start September 30, 2021, it may not be available in your region immediately. If it's not available yet, your end-users will be met with the error screen shown in the doc until it gets deployed to your region.) For more details on the device login flow and details on requesting extension to Google, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).
+As the device sign-in flow will start September 30, 2021, it may not be available in your region immediately. If it's not available yet, your end-users will be met with the error screen shown in the doc until it gets deployed to your region.) For more details on the device sign-in flow and details on requesting extension to Google, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).
We've released a new major version of Azure Active Directory Connect. This versi
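Review bot: the second `+` paragraph closes a parenthesis that was never opened: "until it gets deployed to your region.)"; drop the ")" or restore the opening "(" before "in which case". In the first `+` paragraph, "Starting on September 30 2021" needs a comma before the year, and "self-service signed up or redeemed Gmail accounts" reads more clearly as "Gmail accounts that were self-service signed up or redeemed".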
-### Public Preview - Azure AD single Sign on and device-based Conditional Access support in Firefox on Windows 10
+### Public Preview - Azure AD single Sign-on and device-based Conditional Access support in Firefox on Windows 10
**Type:** New feature **Service category:** Authentications (Logins)
Identity Protection now emits risky sign-ins on non-interactive sign-ins. Admins
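Review bot: same mixed-case "Azure AD single Sign-on" as in the General Availability heading for Windows 10/11 above; use "single sign-on" (or "Single Sign-On") consistently in both headings.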
The permissions assignments to manage access packages and other resources in Entitlement Management are moving from the User Administrator role to the Identity Governance administrator role.
-Users that have been assigned the User administrator role can longer create catalogs or manage access packages in a catalog they don't own. If users in your organization have been assigned the User administrator role to configure catalogs, access packages, or policies in entitlement management, they will need a new assignment. You should instead assign these users the Identity Governance administrator role. [Learn more](../governance/entitlement-management-delegate.md)
+Users that have been assigned the User administrator role can longer create catalogs or manage access packages in a catalog they don't own. If users in your organization have been assigned the User administrator role to configure catalogs, access packages, or policies in entitlement management, they'll need a new assignment. You should instead assign these users the Identity Governance administrator role. [Learn more](../governance/entitlement-management-delegate.md)
Users that have been assigned the User administrator role can longer create cata
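Review bot: the `+` line keeps the missing word in "can longer create catalogs"; it should read "can no longer create catalogs or manage access packages in a catalog they don't own". Since the line is already being edited for "they'll", fix this in the same change.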
**Service category:** Microsoft Identity Manager **Product capability:** Identity Lifecycle Management
-The Microsoft Azure AD Connector for FIM is at feature freeze and deprecated. The solution of using FIM and the Azure AD Connector has been replaced. Existing deployments should migrate to [Azure AD Connect](../hybrid/whatis-hybrid-identity.md), Azure AD Connect Sync, or the [Microsoft Graph Connector](/microsoft-identity-manager/microsoft-identity-manager-2016-connector-graph), as the internal interfaces used by the Azure AD Connector for FIM are being removed from Azure AD. [Learn more](/microsoft-identity-manager/microsoft-identity-manager-2016-deprecated-features).
+The Microsoft Azure Active Directory Connector for FIM is at feature freeze and deprecated. The solution of using FIM and the Azure AD Connector has been replaced. Existing deployments should migrate to [Azure AD Connect](../hybrid/whatis-hybrid-identity.md), Azure AD Connect Sync, or the [Microsoft Graph Connector](/microsoft-identity-manager/microsoft-identity-manager-2016-connector-graph), as the internal interfaces used by the Azure AD Connector for FIM are being removed from Azure AD. [Learn more](/microsoft-identity-manager/microsoft-identity-manager-2016-deprecated-features).
The Microsoft Azure AD Connector for FIM is at feature freeze and deprecated. Th
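Review bot: the `+` line expands the product name only in the first sentence ("Microsoft Azure Active Directory Connector for FIM") while the same paragraph still says "the Azure AD Connector" twice afterwards; either expand all three mentions or keep the established short form "Azure AD Connector for FIM" after the first one.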
Starting August 31 2022, all V1 versions of Azure AD Connect will be retired. If you haven't already done so, you need to update your server to Azure AD Connect V2.0. You need to make sure you're running a recent version of Azure AD Connect to receive an optimal support experience.
-If you run a retired version of Azure AD Connect it may unexpectedly stop working. You may also not have the latest security fixes, performance improvements, troubleshooting, and diagnostic tools and service enhancements. Also, if you require support we can't provide you with the level of service your organization needs.
+If you run a retired version of Azure AD Connect, it may unexpectedly stop working. You may also not have the latest security fixes, performance improvements, troubleshooting, and diagnostic tools and service enhancements. Also, if you require support we can't provide you with the level of service your organization needs.
See [Azure Active Directory Connect V2.0](../hybrid/whatis-azure-ad-connect-v2.md), what has changed in V2.0 and how this change impacts you.
Rolling out globally beginning September 30, 2021, Azure AD B2B guests signing i
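Review bot: the list in the `+` line, "security fixes, performance improvements, troubleshooting, and diagnostic tools and service enhancements", groups its items badly; suggest "security fixes, performance improvements, troubleshooting and diagnostic tools, and service enhancements". The leading context sentence "Starting August 31 2022" also wants a comma before the year.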
Azure AD B2C customers who have set up embedded webview Gmail authentications in their custom/line of business apps or have existing Google integrations, will no longer can let their users sign in with Gmail accounts. To mitigate this, make sure to modify your apps to use the system browser for sign-in. For more information, read the Embedded vs System Web UI section in the [Using web browsers (MSAL.NET)](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) documentation. All MSAL SDKs use the system web-view by default.
-As the device login flow will start rolling out on September 30, 2021, it is likely that it may not be rolled out to your region yet (in which case, your end-users will be met with the error screen shown in the documentation until it gets deployed to your region.)
+As the device sign-in flow will start rolling out on September 30, 2021, it's likely that it may not be rolled out to your region yet (in which case, your end-users will be met with the error screen shown in the documentation until it gets deployed to your region.)
For details on known impacted scenarios and what experience your users can expect, read [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).
Access packages in Azure AD entitlement management now support setting the user'
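Review bot: "it's likely that it may not be rolled out to your region yet" in the `+` line doubles the hedge; "it may not have rolled out to your region yet" says the same thing. The preceding context sentence "will no longer can let their users sign in with Gmail accounts" is also broken ("will no longer be able to let their users sign in") and is worth fixing in the same commit.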
-### General availability - Enable external users to self-service sign-up in Azure AD using MSA accounts
+### General availability - Enable external users to self-service sign up in Azure Active Directory using MSA accounts
**Type:** New feature **Service category:** B2B **Product capability:** B2B/B2C
-Users can now enable external users to self-service sign-up in Azure Active Directory using Microsoft accounts. [Learn more](../external-identities/microsoft-account.md).
+Users can now enable external users to self-service sign up in Azure Active Directory using Microsoft accounts. [Learn more](../external-identities/microsoft-account.md).
Users can now enable external users to self-service sign-up in Azure Active Dire
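Review bot: the new heading expands "Azure AD" to "Azure Active Directory" while the parallel heading for the one-time-passcode entry further down ("...Self-Service Sign up in Azure AD using Email One-Time Passcode accounts") keeps "Azure AD"; the two headings should use the same product-name form. Dropping the hyphen in "to self-service sign up" is correct here because it is a verb, so that part is fine.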
**Product capability:** B2B/B2C
-Now users can enable external users to self-service sign-up in Azure Active Directory using their email and one-time passcode. [Learn more](../external-identities/one-time-passcode.md).
+Now users can enable external users to self-service sign up in Azure Active Directory using their email and one-time passcode. [Learn more](../external-identities/one-time-passcode.md).
For the Risky users, Risky sign-ins, and Risk detections reports in Identity Pro
-### General availability - group owners in Azure AD can create and manage Azure AD access reviews for their groups
+### Public preview - group owners in Azure AD can create and manage Azure AD access reviews for their groups
**Type:** New feature **Service category:** Access Reviews
Azure AD customers can now easily design and issue verifiable credentials. Verif
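Review bot: changing "General availability" to "Public preview" in this heading changes the feature's stated release status, not its wording; the commit should say why, and the entry body (the "**Type:** New feature" line and the paragraph below, which is not fully visible in this hunk) should be checked so the rest of the entry does not still describe the feature as generally available.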
**Service category:** User Authentication **Product capability:** Authentications (Logins)
-As a security improvement, the [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include another prompt, which validates that the user is signing into the app they expect. The rollout is planned to start in June and expected to be complete by June 30.
+As a security improvement, the [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include an another prompt, which validates that the user is signing into the app they expect. The rollout is planned to start in June and expected to be complete by June 30.
-To help prevent phishing attacks where an attacker tricks the user into signing into a malicious application, the following prompt is being added: "Are you trying to sign in to [application display name]?". All users will see this prompt while signing in using the device code flow. As a security measure, it cannot be removed or bypassed. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).
+To help prevent phishing attacks where an attacker tricks the user into signing into a malicious application, the following prompt is being added: "Are you trying to sign in to [application display name]?". All users will see this prompt while signing in using the device code flow. As a security measure, it can't be removed or bypassed. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).
B2C Phone Sign-up and Sign-in using a built-in policy enable IT administrators a
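Review bot: the first `+` line introduces "include an another prompt"; "another" takes no article, so it should stay "include another prompt" (or "include an additional prompt"). The "cannot" to "can't" change in the second `+` line is fine.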
In April 2021, we have added following 31 new applications in our App gallery with Federation support
-[Zii Travel Azure AD Connect](https://azuremarketplace.microsoft.com/marketplace/apps/aad.ziitravelazureadconnect?tab=Overview), [Cerby](../saas-apps/cerby-tutorial.md), [Selflessly](https://app.selflessly.io/sign-in), [Apollo CX](https://apollo.cxlabs.de/sso/aad), [Pedagoo](https://account.pedagoo.com/), [Measureup](https://account.measureup.com/), [ProcessUnity](../saas-apps/processunity-tutorial.md), [Cisco Intersight](../saas-apps/cisco-intersight-tutorial.md), [Codility](../saas-apps/codility-tutorial.md), [H5mag](https://account.h5mag.com/auth/request-access/ms365), [Check Point Identity Awareness](../saas-apps/check-point-identity-awareness-tutorial.md), [Jarvis](https://jarvis.live/login), [desknet's NEO](../saas-apps/desknets-neo-tutorial.md), [SDS & Chemical Information Management](../saas-apps/sds-chemical-information-management-tutorial.md), [W├║ru App](../saas-apps/wuru-app-tutorial.md), [Holmes](../saas-apps/holmes-tutorial.md), [Tide Multi Tenant](https://gallery.tideapp.co.uk/), [Telenor](https://www.telenor.no/kundeservice/internett/wifi/administrere-ruter/), [Yooz US](https://us1.getyooz.com/?kc_idp_hint=microsoft), [Mooncamp](https://app.mooncamp.com/#/login), [inwise SSO](https://app.inwise.com/defaultsso.aspx), [Ecolab Digital Solutions](https://ecolabb2c.b2clogin.com/account.ecolab.com/oauth2/v2.0/authorize?p=B2C_1A_Connect_OIDC_SignIn&client_id=01281626-dbed-4405-a430-66457825d361&nonce=defaultNonce&redirect_uri=https://jwt.ms&scope=openid&response_type=id_token&prompt=login), [Taguchi Digital Marketing System](https://login.taguchi.com.au/), [XpressDox EU Cloud](https://test.xpressdox.com/Authentication/Login.aspx), [EZSSH](https://docs.keytos.io/getting-started/registering-a-new-tenant/registering_app_in_tenant/), [EZSSH Client](https://portal.ezssh.io/signup), [Verto 365](https://www.vertocloud.com/Login/), [KPN Grip](https://www.grip-on-it.com/), [AddressLook](https://portal.bbsonlineservices.net/Manage/AddressLook), [Cornerstone single 
sign-on](../saas-apps/cornerstone-ondemand-tutorial.md)
+[Zii Travel Azure AD Connect](https://azuremarketplace.microsoft.com/marketplace/apps/aad.ziitravelazureadconnect?tab=Overview), [Cerby](../saas-apps/cerby-tutorial.md), [Selflessly](https://app.selflessly.io/sign-in), [Apollo CX](https://apollo.cxlabs.de/sso/aad), [Pedagoo](https://account.pedagoo.com/), [Measureup](https://account.measureup.com/), [ProcessUnity](../saas-apps/processunity-tutorial.md), [Cisco Intersight](../saas-apps/cisco-intersight-tutorial.md), [Codility](../saas-apps/codility-tutorial.md), [H5mag](https://account.h5mag.com/auth/request-access/ms365), [Check Point Identity Awareness](../saas-apps/check-point-identity-awareness-tutorial.md), [Jarvis](https://jarvis.live/login), [desknet's NEO](../saas-apps/desknets-neo-tutorial.md), [SDS & Chemical Information Management](../saas-apps/sds-chemical-information-management-tutorial.md), [W├║ru App](../saas-apps/wuru-app-tutorial.md), [Holmes](../saas-apps/holmes-tutorial.md), [Tide Multi Tenant](https://gallery.tideapp.co.uk/), [Telenor](https://www.telenor.no/kundeservice/internett/wifi/administrere-ruter/), [Yooz US](https://us1.getyooz.com/?kc_idp_hint=microsoft), [Mooncamp](https://app.mooncamp.com/#/login), [inwise SSO](https://app.inwise.com/defaultsso.aspx), [Ecolab Digital Solutions](https://ecolabb2c.b2clogin.com/account.ecolab.com/oauth2/v2.0/authorize?p=B2C_1A_Connect_OIDC_SignIn&client_id=01281626-dbed-4405-a430-66457825d361&nonce=defaultNonce&redirect_uri=https://jwt.ms&scope=openid&response_type=id_token&prompt=login), [Taguchi Digital Marketing System](https://login.taguchi.com.au/), [XpressDox EU Cloud](https://test.xpressdox.com/Authentication/Login.aspx), [EZSSH](https://docs.keytos.io/getting-started/registering-a-new-tenant/registering_app_in_tenant/), [EZSSH Client](https://portal.ezssh.io/signup), [Verto 365](https://www.vertocloud.com/Login/), [KPN Grip](https://www.grip-on-it.com/), [AddressLook](https://portal.bbsonlineservices.net/Manage/AddressLook), [Cornerstone Single 
Sign-On](../saas-apps/cornerstone-ondemand-tutorial.md)
You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
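Review bot: the `+` line still carries the mis-encoded app name "W├║ru App" (should be "Wúru App"), and the "Ecolab Digital Solutions" entry links straight to an OAuth authorize endpoint with fixed parameters (`client_id`, `redirect_uri=https://jwt.ms`, `response_type=id_token`, `nonce=defaultNonce`). A static nonce in a published link defeats the replay protection the nonce exists for, and the jwt.ms redirect delivers a real ID token to a debugging site; link to the vendor's landing page or a tutorial instead, as the other entries do.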
You can now automate creating, updating, and deleting user accounts for these ne
- [Bentley - Automatic User Provisioning](../saas-apps/bentley-automatic-user-provisioning-tutorial.md) - [Boxcryptor](../saas-apps/boxcryptor-provisioning-tutorial.md)-- [BrowserStack single sign-on](../saas-apps/browserstack-single-sign-on-provisioning-tutorial.md)
+- [BrowserStack Single Sign-on](../saas-apps/browserstack-single-sign-on-provisioning-tutorial.md)
- [Eletive](../saas-apps/eletive-provisioning-tutorial.md) - [Jostle](../saas-apps/jostle-provisioning-tutorial.md) - [Olfeo SAAS](../saas-apps/olfeo-saas-provisioning-tutorial.md)
For more information, see [What is sign-in diagnostic in Azure AD?](../reports-m
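Review bot: "BrowserStack Single Sign-on" in the `+` line does not match the "Single Sign-On" capitalization used for the Cornerstone entry just above in this file; settle on one form for all gallery entries.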
**Service category:** Azure AD Connect Cloud Sync **Product capability:** Directory
-Azure AD connect cloud sync now has an updated agent (version# - 1.1.359). For more details on agent updates, including bug fixes, check out the [version history](../cloud-sync/reference-version-history.md). With the updated agent, cloud sync customers can use GMSA cmdlets to set and reset their gMSA permission at a granular level. In addition that, we have changed the limit of syncing members using group scope filtering from 1499 to 50,000 (50K) members.
+Azure AD connect cloud sync now has an updated agent (version# - 1.1.359). For more details on agent updates, including bug fixes, check out the [version history](../cloud-sync/reference-version-history.md). With the updated agent, cloud sync customers can use GMSA cmdlets to set and reset their gMSA permission at a granular level. In addition that, we've changed the limit of syncing members using group scope filtering from 1499 to 50,000 (50K) members.
Check out the newly available [expression builder](../cloud-sync/how-to-expression-builder.md#deploy-the-expression) for cloud sync, which, helps you build complex expressions as well as simple expressions when you do transformations of attribute values from AD to Azure AD using attribute mapping.
With this new capability, connector groups can be assigned to the closest region
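Review bot: the `+` line keeps "In addition that, we've changed the limit", which is missing "to" ("In addition to that", or simply "We've also changed"). "version# - 1.1.359" is better written "version 1.1.359", and "GMSA cmdlets ... gMSA permission" should use one casing (gMSA). The trailing context line "which, helps you build complex expressions" has a stray comma after "which".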
-### Public preview - External Identities Self-Service Sign-up in Azure AD using Email One-Time Passcode accounts
+### Public preview - External Identities Self-Service Sign up in Azure AD using Email One-Time Passcode accounts
**Type:** New feature **Service category:** B2B
Organizations in the Microsoft Azure Government cloud can now enable their guest
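Review bot: "Sign-up" is a noun in this heading ("External Identities Self-Service Sign-up in Azure AD"), so the hyphenated form was correct and "Sign up" (the verb) is a regression; revert this one, or reword the heading so the verb form fits, as in the "Enable external users to self-service sign up" headings elsewhere in the file.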
In March 2021 we have added following 37 new applications in our App gallery with Federation support:
-[Bambuser Live Video Shopping](https://lcx.bambuser.com/), [DeepDyve Inc](https://www.deepdyve.com/azure-sso), [Moqups](../saas-apps/moqups-tutorial.md), [RICOH Spaces Mobile](https://ricohspaces.app/welcome), [Flipgrid](https://auth.flipgrid.com/), [hCaptcha Enterprise](../saas-apps/hcaptcha-enterprise-tutorial.md), [SchoolStream ASA](https://www.ssk12.com/), [TransPerfect GlobalLink Dashboard](../saas-apps/transperfect-globallink-dashboard-tutorial.md), [SimplificaCI](https://app.simplificaci.com.br/), [Thrive LXP](../saas-apps/thrive-lxp-tutorial.md), [Lexonis TalentScape](../saas-apps/lexonis-talentscape-tutorial.md), [Exium](../saas-apps/exium-tutorial.md), [Sapient](../saas-apps/sapient-tutorial.md), [TrueChoice](../saas-apps/truechoice-tutorial.md), [RICOH Spaces](https://ricohspaces.app/welcome), [Saba Cloud](../saas-apps/learning-at-work-tutorial.md), [Acunetix 360](../saas-apps/acunetix-360-tutorial.md), [Exceed.ai](../saas-apps/exceed-ai-tutorial.md), [GitHub Enterprise Managed User](../saas-apps/github-enterprise-managed-user-tutorial.md), [Enterprise Vault.cloud for Outlook](https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile%20User.Read&client_id=7176efe5-e954-4aed-b5c8-f5c85a980d3a&nonce=4b9e1981-1bcb-4938-a283-86f6931dc8cb), [Smartlook](../saas-apps/smartlook-tutorial.md), [Accenture Academy](../saas-apps/accenture-academy-tutorial.md), [Onshape](../saas-apps/onshape-tutorial.md), [Tradeshift](../saas-apps/tradeshift-tutorial.md), [JuriBlox](../saas-apps/juriblox-tutorial.md), [SecurityStudio](../saas-apps/securitystudio-tutorial.md), [ClicData](https://app.clicdata.com/), [Evergreen](../saas-apps/evergreen-tutorial.md), [Patchdeck](https://patchdeck.com/ad_auth/authenticate/), [FAX.PLUS](../saas-apps/fax-plus-tutorial.md), [ValidSign](../saas-apps/validsign-tutorial.md), [AWS single sign-on](../saas-apps/aws-single-sign-on-tutorial.md), [Nura Space](https://dashboard.nuraspace.com/login), 
[Broadcom DX SaaS](../saas-apps/broadcom-dx-saas-tutorial.md), [Interplay Learning](https://skilledtrades.interplaylearning.com/#login), [SendPro Enterprise](../saas-apps/sendpro-enterprise-tutorial.md), [FortiSASE SIA](../saas-apps/fortisase-sia-tutorial.md)
+[Bambuser Live Video Shopping](https://lcx.bambuser.com/), [DeepDyve Inc](https://www.deepdyve.com/azure-sso), [Moqups](../saas-apps/moqups-tutorial.md), [RICOH Spaces Mobile](https://ricohspaces.app/welcome), [Flipgrid](https://auth.flipgrid.com/), [hCaptcha Enterprise](../saas-apps/hcaptcha-enterprise-tutorial.md), [SchoolStream ASA](https://www.ssk12.com/), [TransPerfect GlobalLink Dashboard](../saas-apps/transperfect-globallink-dashboard-tutorial.md), [SimplificaCI](https://app.simplificaci.com.br/), [Thrive LXP](../saas-apps/thrive-lxp-tutorial.md), [Lexonis TalentScape](../saas-apps/lexonis-talentscape-tutorial.md), [Exium](../saas-apps/exium-tutorial.md), [Sapient](../saas-apps/sapient-tutorial.md), [TrueChoice](../saas-apps/truechoice-tutorial.md), [RICOH Spaces](https://ricohspaces.app/welcome), [Saba Cloud](../saas-apps/learning-at-work-tutorial.md), [Acunetix 360](../saas-apps/acunetix-360-tutorial.md), [Exceed.ai](../saas-apps/exceed-ai-tutorial.md), [GitHub Enterprise Managed User](../saas-apps/github-enterprise-managed-user-tutorial.md), [Enterprise Vault.cloud for Outlook](https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile%20User.Read&client_id=7176efe5-e954-4aed-b5c8-f5c85a980d3a&nonce=4b9e1981-1bcb-4938-a283-86f6931dc8cb), [Smartlook](../saas-apps/smartlook-tutorial.md), [Accenture Academy](../saas-apps/accenture-academy-tutorial.md), [Onshape](../saas-apps/onshape-tutorial.md), [Tradeshift](../saas-apps/tradeshift-tutorial.md), [JuriBlox](../saas-apps/juriblox-tutorial.md), [SecurityStudio](../saas-apps/securitystudio-tutorial.md), [ClicData](https://app.clicdata.com/), [Evergreen](../saas-apps/evergreen-tutorial.md), [Patchdeck](https://patchdeck.com/ad_auth/authenticate/), [FAX.PLUS](../saas-apps/fax-plus-tutorial.md), [ValidSign](../saas-apps/validsign-tutorial.md), [AWS Single Sign-on](../saas-apps/aws-single-sign-on-tutorial.md), [Nura Space](https://dashboard.nuraspace.com/login), 
[Broadcom DX SaaS](../saas-apps/broadcom-dx-saas-tutorial.md), [Interplay Learning](https://skilledtrades.interplaylearning.com/#login), [SendPro Enterprise](../saas-apps/sendpro-enterprise-tutorial.md), [FortiSASE SIA](../saas-apps/fortisase-sia-tutorial.md)
You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
For listing your application in the Azure AD app gallery, read the details here:
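Review bot: the `+` line writes "AWS Single Sign-on" with a lowercase "on", while the Cornerstone entry earlier in this file uses "Single Sign-On" and the AWS product name itself is "AWS Single Sign-On"; use the product's own capitalization. The "Enterprise Vault.cloud for Outlook" entry also links to a raw login.microsoftonline.com authorize URL with a hardcoded `client_id` and `nonce`, the same problem as the Ecolab entry in the April list: a fixed nonce in a published link undermines replay protection, so point to a tutorial or vendor page instead.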
You can now automate creating, updating, and deleting user accounts for these newly integrated apps: -- [AWS single sign-on](../saas-apps/aws-single-sign-on-provisioning-tutorial.md)
+- [AWS Single Sign-on](../saas-apps/aws-single-sign-on-provisioning-tutorial.md)
- [Bpanda](../saas-apps/bpanda-provisioning-tutorial.md) - [Britive](../saas-apps/britive-provisioning-tutorial.md) - [GitHub Enterprise Managed User](../saas-apps/github-enterprise-managed-user-provisioning-tutorial.md)
Customers can now reinvite existing external guest users to reset their redempti
**Service category:** App Provisioning **Product capability:** Identity Lifecycle Management
-Customers can now use application.readwrite.ownedby as an application permission to call the synchronization APIs. Note this is only supported for provisioning from Azure AD out into third-party applications (for example, AWS, Data Bricks, etc.). It is currently not supported for HR-provisioning (Workday / Successfactors) or Cloud Sync (AD to Azure AD). [Learn more](/graph/api/resources/provisioningobjectsummary).
+Customers can now use application.readwrite.ownedby as an application permission to call the synchronization APIs. Note this is only supported for provisioning from Azure AD out into third-party applications (for example, AWS, Data Bricks, etc.). It's currently not supported for HR-provisioning (Workday / Successfactors) or Cloud Sync (AD to Azure AD). [Learn more](/graph/api/resources/provisioningobjectsummary).
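Review bot: `application.readwrite.ownedby` should be written in its canonical casing, `Application.ReadWrite.OwnedBy`, and in code font, since readers will paste it into a permission grant; the hunk only changes "It is" to "It's" and leaves the identifier lowercased in both versions. While touching the line, also fix the product names: "Data Bricks" is "Databricks" and "Successfactors" is "SuccessFactors". Worth keeping explicit, as the text already does, that this permission only reaches the synchronization APIs for outbound provisioning, so admins don't grant the broader `Application.ReadWrite.All` expecting HR or Cloud Sync coverage.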
In the past, company logos weren't used on Azure Active Directory sign-in pages.
**Service category:** User Access Management **Product capability:** Entitlement Management
-An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you will have another option, "Second level manager as alternate approver", available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. [Learn more](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers).
+An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you'll have another option, "Second level manager as alternate approver", available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. [Learn more](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers).
For listing your application in the Azure AD app gallery, read the details here
**Service category:** User Access Management **Product capability:** Entitlement Management
-An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you will have another option, "Second level manager as alternate approver", available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. [Learn more](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers)
+An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you'll have another option, "Second level manager as alternate approver", available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. [Learn more](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers)
For more information, see [Automate user provisioning to SaaS applications with
-### Public Preview - Email sign-in with ProxyAddresses now deployable via Staged Rollout
+### Public Preview - Email Sign-In with ProxyAddresses now deployable via Staged Rollout
**Type:** New feature **Service category:** Authentications (Logins) **Product capability:** User Authentication
-Tenant administrators can now use Staged Rollout to deploy Email sign-in with ProxyAddresses to specific Azure AD groups. This can help while trying out the feature before deploying it to the entire tenant via the Home Realm Discovery policy. Instructions for deploying Email sign-in with ProxyAddresses via Staged Rollout are in the [documentation](../authentication/howto-authentication-use-email-signin.md).
+Tenant administrators can now use Staged Rollout to deploy Email Sign-In with ProxyAddresses to specific Azure AD groups. This can help while trying out the feature before deploying it to the entire tenant via the Home Realm Discovery policy. Instructions for deploying Email Sign-In with ProxyAddresses via Staged Rollout are in the [documentation](../authentication/howto-authentication-use-email-signin.md).
The new service also aims to complete member addition and removal because of att
## October 2020
-### Azure AD on-premises Hybrid Agents Impacted by Azure TLS Certificate Changes
+### Azure AD On-Premises Hybrid Agents Impacted by Azure TLS Certificate Changes
**Type:** Plan for change **Service category:** N/A
Microsoft is updating Azure services to use TLS certificates from a different se
This change will result in disruption of service if you don't take action immediately. These agents include [Application Proxy connectors](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AppProxy) for remote access to on-premises, [Passthrough Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect) agents that allow your users to sign in to applications using the same passwords, and [Cloud Provisioning Preview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect) agents that perform AD to Azure AD sync.
-If you have an environment with firewall rules set to allow outbound calls to only specific Certificate Revocation List (CRL) download, you will need to allow the following CRL and OCSP URLs. For full details on the change and the CRL and OCSP URLs to enable access to, see [Azure TLS certificate changes](../../security/fundamentals/tls-certificate-changes.md).
+If you have an environment with firewall rules set to allow outbound calls to only specific Certificate Revocation List (CRL) download, you'll need to allow the following CRL and OCSP URLs. For full details on the change and the CRL and OCSP URLs to enable access to, see [Azure TLS certificate changes](../../security/fundamentals/tls-certificate-changes.md).
We'll provide an update when a date is completed. This deprecation isn't planned
-### Azure AD on-premises Hybrid Agents Impacted by Azure Transport Layer Security (TLS) Certificate Changes
+### Azure AD On-Premises Hybrid Agents Impacted by Azure Transport Layer Security (TLS) Certificate Changes
**Type:** Plan for change **Service category:** N/A
If you have an environment with firewall rules set to allow outbound calls to on
**Service category:** N/A **Product capability:** Standards
-Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting on January 31, 2022 (This date has been postponed from 30th June 2021 to 31st January 2022, to give Administrators more time to remove the dependency on legacy TLS protocols and ciphers (TLS 1.0,1.1 and 3DES)):
+Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting on January 31, 2022 (This date has been postponed from 30th June 2021 to 31st Jan 2022, to give Administrators more time to remove the dependency on legacy TLS protocols and ciphers (TLS 1.0,1.1 and 3DES)):
- TLS 1.0 - TLS 1.1
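Review bot: the edited sentence now mixes three date formats in one line ("January 31, 2022", "30th June 2021", "31st Jan 2022"); the change abbreviates only one of them, which is the opposite of consistent. Use one format throughout, and add the missing space in "TLS 1.0,1.1 and 3DES". Note too that 3DES is a cipher, not a protocol, so the lead-in "deprecate the following protocols" should read "protocols and ciphers" if 3DES belongs to the list that follows.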
Azure AD Connect Cloud Provisioning public preview refresh features two major en
- On-demand Provisioning or Test User experience
- Once you have setup your configuration, you might want to test to see if the user transformation is working as expected before applying it to all your users in scope. With on-demand provisioning, IT Admins can enter the Distinguished Name (DN) of an AD user and see if they're getting synced as expected. On-demand provisioning provides a great way to ensure that the attribute mappings you did previously work as expected. [Learn More](../cloud-sync/how-to-on-demand-provision.md)
+ Once you have set up your configuration, you might want to test to see if the user transformation is working as expected before applying it to all your users in scope. With on-demand provisioning, IT Admins can enter the Distinguished Name (DN) of an AD user and see if they're getting synced as expected. On-demand provisioning provides a great way to ensure that the attribute mappings you did previously work as expected. [Learn More](../cloud-sync/how-to-on-demand-provision.md)
For more information, please see [User management enhancements (preview) in Azur
**Service category:** Enterprise Apps **Product capability:** SSO
-You can add free text notes to Enterprise applications. You can add any relevant information that will help you manage applications under Enterprise applications. For more information, see [Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant](../manage-apps/add-application-portal-configure.md).
+You can add free text notes to Enterprise applications. You can add any relevant information that will help manager applications under Enterprise applications. For more information, see [Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant](../manage-apps/add-application-portal-configure.md).
You can add free text notes to Enterprise applications. You can add any relevant
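Review bot: this change introduces an error rather than fixing one: "will help you manage applications" became "will help manager applications". Keep the original wording ("help you manage applications").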
In September 2020 we have added following 34 new applications in our App gallery with Federation support:
-[VMware Horizon - Unified Access Gateway](), [Pulse Secure PCS](../saas-apps/vmware-horizon-unified-access-gateway-tutorial.md), [Inventory360](../saas-apps/pulse-secure-pcs-tutorial.md), [Frontitude](https://services.enteksystems.de/sso/microsoft/signup), [BookWidgets](https://www.bookwidgets.com/sso/office365), [ZVD_Server](https://zaas.zenmutech.com/user/signin), [HashData for Business](https://hashdata.app/login.xhtml), [SecureLogin](https://securelogin.securelogin.nu/sso/azure/login), [CyberSolutions MAILBASEΣ/CMSS](../saas-apps/cybersolutions-mailbase-tutorial.md), [CyberSolutions CYBERMAILΣ](../saas-apps/cybersolutions-cybermail-tutorial.md), [LimbleCMMS](https://auth.limblecmms.com/), [Glint Inc](../saas-apps/glint-inc-tutorial.md), [zeroheight](../saas-apps/zeroheight-tutorial.md), [Gender Fitness](https://app.genderfitness.com/), [Coeo Portal](https://my.coeo.com/), [Grammarly](../saas-apps/grammarly-tutorial.md), [Fivetran](../saas-apps/fivetran-tutorial.md), [Kumolus](../saas-apps/kumolus-tutorial.md), [RSA Archer Suite](../saas-apps/rsa-archer-suite-tutorial.md), [TeamzSkill](../saas-apps/teamzskill-tutorial.md), [raumfürraum](../saas-apps/raumfurraum-tutorial.md), [Saviynt](../saas-apps/saviynt-tutorial.md), [BizMerlinHR](https://marketplace.bizmerlin.net/bmone/signup), [Mobile Locker](../saas-apps/mobile-locker-tutorial.md), [Zengine](../saas-apps/zengine-tutorial.md), [CloudCADI](https://app.cloudcadi.com/login), [Simfoni Analytics](https://simfonianalytics.com/accounts/microsoft/login/), [Priva Identity & Access Management](https://my.priva.com/), [Nitro Pro](https://www.gonitro.com/nps/product-details/downloads), [Eventfinity](../saas-apps/eventfinity-tutorial.md), [Fexa](../saas-apps/fexa-tutorial.md), [Secured Signing Enterprise Portal](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Secured Signing Enterprise Portal Azure AD Setup](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Wistec 
Online](https://wisteconline.com/auth/oidc), [Oracle PeopleSoft - Protected by F5 BIG-IP APM](../saas-apps/oracle-peoplesoft-protected-by-f5-big-ip-apm-tutorial.md)
+[VMware Horizon - Unified Access Gateway](), [Pulse Secure PCS](../saas-apps/vmware-horizon-unified-access-gateway-tutorial.md), [Inventory360](../saas-apps/pulse-secure-pcs-tutorial.md), [Frontitude](https://services.enteksystems.de/sso/microsoft/signup), [BookWidgets](https://www.bookwidgets.com/sso/office365), [ZVD_Server](https://zaas.zenmutech.com/user/signin), [HashData for Business](https://hashdata.app/login.xhtml), [SecureLogin](https://securelogin.securelogin.nu/sso/azure/login), [CyberSolutions MAILBASEΣ/CMSS](../saas-apps/cybersolutions-mailbase-tutorial.md), [CyberSolutions CYBERMAILΣ](../saas-apps/cybersolutions-cybermail-tutorial.md), [LimbleCMMS](https://auth.limblecmms.com/), [Glint Inc](../saas-apps/glint-inc-tutorial.md), [zeroheight](../saas-apps/zeroheight-tutorial.md), [Gender Fitness](https://app.genderfitness.com/), [Coeo Portal](https://my.coeo.com/), [Grammarly](../saas-apps/grammarly-tutorial.md), [Fivetran](../saas-apps/fivetran-tutorial.md), [Kumolus](../saas-apps/kumolus-tutorial.md), [RSA Archer Suite](../saas-apps/rsa-archer-suite-tutorial.md), [TeamzSkill](../saas-apps/teamzskill-tutorial.md), [raumfürraum](../saas-apps/raumfurraum-tutorial.md), [Saviynt](../saas-apps/saviynt-tutorial.md), [BizMerlinHR](https://marketplace.bizmerlin.net/bmone/signup), [Mobile Locker](../saas-apps/mobile-locker-tutorial.md), [Zengine](../saas-apps/zengine-tutorial.md), [CloudCADI](https://app.cloudcadi.com/login), [Simfoni Analytics](https://simfonianalytics.com/accounts/microsoft/login/), [Priva Identity & Access Management](https://my.priva.com/), [Nitro Pro](https://www.gonitro.com/nps/product-details/downloads), [Eventfinity](../saas-apps/eventfinity-tutorial.md), [Fexa](../saas-apps/fexa-tutorial.md), [Secured Signing Enterprise Portal](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Secured Signing Enterprise Portal AAD Setup](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Wistec 
Online](https://wisteconline.com/auth/oidc), [Oracle PeopleSoft - Protected by F5 BIG-IP APM](../saas-apps/oracle-peoplesoft-protected-by-f5-big-ip-apm-tutorial.md)
You can also find the documentation of all the applications from here: https://aka.ms/AppsTutorial.
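Review bot: the first three links in this gallery list are off by one in both the old and new versions: "VMware Horizon - Unified Access Gateway" has an empty link target `()`, "Pulse Secure PCS" points at `vmware-horizon-unified-access-gateway-tutorial.md`, and "Inventory360" points at `pulse-secure-pcs-tutorial.md`. Shift the targets so each app points at its own tutorial (VMware Horizon to the vmware-horizon tutorial, Pulse Secure PCS to the pulse-secure-pcs tutorial, Inventory360 to its own). Two smaller points in the added lines: "Secured Signing Enterprise Portal Azure AD Setup" was changed to "AAD Setup", which runs against the rest of this page standardising on "Azure AD"; and the link text "Wistec Online" is split across a line break inside the brackets, which renders incorrectly in Markdown.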
The Azure AD provisioning service leverages the SCIM standard for integrating wi
Owner settings on Groups general setting page can be configured to restrict owner assignment privileges to a limited group of users in the Azure Admin portal and Access Panel. We will soon have the ability to assign group owner privilege not only on these two UX portals but also enforce the policy on the backend to provide consistent behavior across endpoints, such as PowerShell and Microsoft Graph.
-We will start to disable the current setting for the customers who are not using it and will offer an option to scope users for group owner privilege in the next few months. For guidance on updating group settings, see Edit your group information using [Azure Active Directory](./active-directory-groups-settings-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context).
+We will start to disable the current setting for the customers who aren't using it and will offer an option to scope users for group owner privilege in the next few months. For guidance on updating group settings, see Edit your group information using [Azure Active Directory](./active-directory-groups-settings-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context).
Transport layer security (TLS) 1.2 and update servers and clients will soon comm
Windows Hello for Business allows end users to sign into Windows machines with a gesture (such as a PIN or biometric). Azure AD admins may want to differentiate Windows Hello for Business sign-ins from other Windows sign-ins as part of an organization's journey to passwordless authentication.
-Admins can now see whether a Windows authentication used Windows Hello for Business by checking the Authentication Details tab for a Windows sign-in event in the Azure AD sign-ins blade in the Azure portal. Windows Hello for Business authentications will include "WindowsHelloForBusiness" in the Authentication Method field. For more information on interpreting sign-in Logs, please see the [sign-in Logs documentation](../reports-monitoring/concept-sign-ins.md).
+Admins can now see whether a Windows authentication used Windows Hello for Business by checking the Authentication Details tab for a Windows sign-in event in the Azure AD sign-ins blade in the Azure portal. Windows Hello for Business authentications will include "WindowsHelloForBusiness" in the Authentication Method field. For more information on interpreting Sign-In Logs, please see the [Sign-In Logs documentation](../reports-monitoring/concept-sign-ins.md).
For more information about users flows, see [User flow versions in Azure Active
In July 2020 we have added following 55 new applications in our App gallery with Federation support:
-[Appreiz](https://microsoftteams.appreiz.com/), [Inextor Vault](https://inexto.com/inexto-suite/inextor), [Beekast](https://my.beekast.com/), [Templafy OpenID Connect](https://app.templafy.com/), [PeterConnects receptionist](https://msteams.peterconnects.com/), [AlohaCloud](https://www.alohacloud.com/), Control Tower, [Cocoom](https://start.cocoom.com/), [COINS Construction Cloud](https://sso.coinsconstructioncloud.com/#login/), [Medxnote MT](https://task.teamsmain.medx.im/authorization), [Reflekt](https://reflekt.konsolute.com/login), [Rever](https://app.reverscore.net/access), [MyCompanyArchive](https://login.mycompanyarchive.com/), [GReminders](https://app.greminders.com/o365-oauth), [Titanfile](../saas-apps/titanfile-tutorial.md), [Wootric](../saas-apps/wootric-tutorial.md), [SolarWinds Orion](https://support.solarwinds.com/SuccessCenter/s/orion-platform?language=en_US), [OpenText Directory Services](../saas-apps/opentext-directory-services-tutorial.md), [Datasite](../saas-apps/datasite-tutorial.md), [BlogIn](../saas-apps/blogin-tutorial.md), [IntSights](../saas-apps/intsights-tutorial.md), [kpifire](../saas-apps/kpifire-tutorial.md), [Textline](../saas-apps/textline-tutorial.md), [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-tutorial.md), [Community Spark](../saas-apps/community-spark-tutorial.md), [Chatwork](../saas-apps/chatwork-tutorial.md), [CloudSign](../saas-apps/cloudsign-tutorial.md), [C3M Cloud Control](../saas-apps/c3m-cloud-control-tutorial.md), [SmartHR](https://smarthr.jp/), [NumlyEngageΓäó](../saas-apps/numlyengage-tutorial.md), [Michigan Data Hub single sign-on](../saas-apps/michigan-data-hub-single-sign-on-tutorial.md), [Egress](../saas-apps/egress-tutorial.md), [SendSafely](../saas-apps/sendsafely-tutorial.md), [Eletive](https://app.eletive.com/), [Right-Hand Cybersecurity ADI](https://right-hand.ai/), [Fyde Enterprise Authentication](https://enterprise.fyde.com/), [Verme](../saas-apps/verme-tutorial.md), 
[Lenses.io](../saas-apps/lensesio-tutorial.md), [Momenta](../saas-apps/momenta-tutorial.md), [Uprise](https://app.uprise.co/sign-in), [Q](https://q.moduleq.com/login), [CloudCords](../saas-apps/cloudcords-tutorial.md), [TellMe Bot](https://tellme365liteweb.azurewebsites.net/), [Inspire](https://app.inspiresoftware.com/), [Maverics Identity Orchestrator SAML Connector](https://www.strata.io/identity-fabric/), [Smartschool (School Management System)](https://smartschoolz.com/login), [Zepto - Intelligent timekeeping](https://user.zepto-ai.com/signin), [Studi.ly](https://studi.ly/), [Trackplan](http://www.trackplanfm.com/), [Skedda](../saas-apps/skedda-tutorial.md), [WhosOnLocation](../saas-apps/whos-on-location-tutorial.md), [Coggle](../saas-apps/coggle-tutorial.md), [Kemp LoadMaster](https://kemptechnologies.com/cloud-load-balancer/), [BrowserStack single sign-on](../saas-apps/browserstack-single-sign-on-tutorial.md)
+[Appreiz](https://microsoftteams.appreiz.com/), [Inextor Vault](https://inexto.com/inexto-suite/inextor), [Beekast](https://my.beekast.com/), [Templafy OpenID Connect](https://app.templafy.com/), [PeterConnects receptionist](https://msteams.peterconnects.com/), [AlohaCloud](https://www.alohacloud.com/), Control Tower, [Cocoom](https://start.cocoom.com/), [COINS Construction Cloud](https://sso.coinsconstructioncloud.com/#login/), [Medxnote MT](https://task.teamsmain.medx.im/authorization), [Reflekt](https://reflekt.konsolute.com/login), [Rever](https://app.reverscore.net/access), [MyCompanyArchive](https://login.mycompanyarchive.com/), [GReminders](https://app.greminders.com/o365-oauth), [Titanfile](../saas-apps/titanfile-tutorial.md), [Wootric](../saas-apps/wootric-tutorial.md), [SolarWinds Orion](https://support.solarwinds.com/SuccessCenter/s/orion-platform?language=en_US), [OpenText Directory Services](../saas-apps/opentext-directory-services-tutorial.md), [Datasite](../saas-apps/datasite-tutorial.md), [BlogIn](../saas-apps/blogin-tutorial.md), [IntSights](../saas-apps/intsights-tutorial.md), [kpifire](../saas-apps/kpifire-tutorial.md), [Textline](../saas-apps/textline-tutorial.md), [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-tutorial.md), [Community Spark](../saas-apps/community-spark-tutorial.md), [Chatwork](../saas-apps/chatwork-tutorial.md), [CloudSign](../saas-apps/cloudsign-tutorial.md), [C3M Cloud Control](../saas-apps/c3m-cloud-control-tutorial.md), [SmartHR](https://smarthr.jp/), [NumlyEngageΓäó](../saas-apps/numlyengage-tutorial.md), [Michigan Data Hub Single Sign-On](../saas-apps/michigan-data-hub-single-sign-on-tutorial.md), [Egress](../saas-apps/egress-tutorial.md), [SendSafely](../saas-apps/sendsafely-tutorial.md), [Eletive](https://app.eletive.com/), [Right-Hand Cybersecurity ADI](https://right-hand.ai/), [Fyde Enterprise Authentication](https://enterprise.fyde.com/), [Verme](../saas-apps/verme-tutorial.md), 
[Lenses.io](../saas-apps/lensesio-tutorial.md), [Momenta](../saas-apps/momenta-tutorial.md), [Uprise](https://app.uprise.co/sign-in), [Q](https://q.moduleq.com/login), [CloudCords](../saas-apps/cloudcords-tutorial.md), [TellMe Bot](https://tellme365liteweb.azurewebsites.net/), [Inspire](https://app.inspiresoftware.com/), [Maverics Identity Orchestrator SAML Connector](https://www.strata.io/identity-fabric/), [Smartschool (School Management System)](https://smartschoolz.com/login), [Zepto - Intelligent timekeeping](https://user.zepto-ai.com/signin), [Studi.ly](https://studi.ly/), [Trackplan](http://www.trackplanfm.com/), [Skedda](../saas-apps/skedda-tutorial.md), [WhosOnLocation](../saas-apps/whos-on-location-tutorial.md), [Coggle](../saas-apps/coggle-tutorial.md), [Kemp LoadMaster](https://kemptechnologies.com/cloud-load-balancer/), [BrowserStack Single Sign-on](../saas-apps/browserstack-single-sign-on-tutorial.md)
You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
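Review bot: "NumlyEngageΓäó" is mojibake for "NumlyEngage™" (the UTF-8 bytes of ™ decoded as CP437) and survives unchanged in the added line; fix it while the list is being edited. Also, the Trackplan entry uses plain `http://www.trackplanfm.com/` where every other external link is HTTPS; prefer the HTTPS URL if the vendor serves one. The lead sentence above the list ("we have added following 55 new applications") is missing "the".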
You can now view role assignments across all scopes for a role in the "Roles and
-### Azure Active Directory Multi-Factor Authentication Software Development (Azure AD Multi-Factor Authentication SDK) Deprecation
+### Azure Active Directory Multi-Factor Authentication Software Development (Azure MFA SDK) Deprecation
**Type:** Deprecated **Service category:** MFA **Product capability:** Identity Security & Protection
-The Azure Active Directory Multi-Factor Authentication Software Development (Azure AD Multi-Factor Authentication SDK) reached the end of life on November 14th, 2018, as first announced in November 2017. Microsoft will be shutting down the SDK service effective on September 30th, 2020. Any calls made to the SDK will fail.
+The Azure Active Directory Multi-Factor Authentication Software Development (Azure MFA SDK) reached the end of life on November 14th, 2018, as first announced in November 2017. Microsoft will be shutting down the SDK service effective on September 30th, 2020. Any calls made to the SDK will fail.
-If your organization is using the Azure AD Multi-Factor Authentication SDK, you need to migrate by September 30th, 2020:
-- Azure AD Multi-Factor Authentication SDK for MIM: If you use the SDK with MIM, you should migrate to Azure AD Multi-Factor Authentication (MFA) Server and activate Privileged Access Management (PAM) following these [instructions](/microsoft-identity-manager/working-with-mfaserver-for-mim). -- Azure AD Multi-Factor Authentication SDK for customized apps: Consider integrating your app into Azure AD and use Conditional Access to enforce MFA. To get started, review this [page](../manage-apps/plan-an-application-integration.md).
+If your organization is using the Azure MFA SDK, you need to migrate by September 30th, 2020:
+- Azure MFA SDK for MIM: If you use the SDK with MIM, you should migrate to Azure AD Multi-Factor Authentication (MFA) Server and activate Privileged Access Management (PAM) following these [instructions](/microsoft-identity-manager/working-with-mfaserver-for-mim).
+- Azure MFA SDK for customized apps: Consider integrating your app into Azure AD and use Conditional Access to enforce MFA. To get started, review this [page](../manage-apps/plan-an-application-integration.md).
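Review bot: "Azure Active Directory Multi-Factor Authentication Software Development (Azure MFA SDK)" drops the word "Kit" in both the heading and the first sentence; it should read "Software Development Kit". The rename to "Azure MFA SDK" also reintroduces the "Azure MFA" short form that the rest of this page has been moving away from in favour of "Azure AD Multi-Factor Authentication", so the section now says "Azure MFA SDK" and "Azure AD Multi-Factor Authentication (MFA) Server" side by side. Splitting the two migration paths into separate list items is the right fix.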
The user risk condition requires Azure AD Premium P2 because it uses Azure Ident
**Service category:** Enterprise Apps **Product capability:** SSO
-Some SAML applications require SPNameQualifier to be returned in the assertion subject when requested. Now Azure AD responds correctly when a SPNameQualifier is requested in the request NameID policy. This also works for SP initiated sign-in, and IdP initiated sign-in will follow. To learn more about SAML protocol in Azure Active Directory, see [Single sign-on SAML protocol](../develop/single-sign-on-saml-protocol.md).
+Some SAML applications require SPNameQualifier to be returned in the assertion subject when requested. Now Azure AD responds correctly when a SPNameQualifier is requested in the request NameID policy. This also works for SP initiated sign-in, and IdP initiated sign-in will follow. To learn more about SAML protocol in Azure Active Directory, see [Single Sign-On SAML protocol](../develop/single-sign-on-saml-protocol.md).
Additionally, authentication session management used to only apply to the First
**Service category:** Enterprise Apps **Product capability:** 3rd Party Integration
-In June 2020 we have added the following 29 new applications in our App gallery with Federation support:
+In June 2020 we've added the following 29 new applications in our App gallery with Federation support:
[Shopify Plus](../saas-apps/shopify-plus-tutorial.md), [Ekarda](../saas-apps/ekarda-tutorial.md), [MailGates](../saas-apps/mailgates-tutorial.md), [BullseyeTDP](../saas-apps/bullseyetdp-tutorial.md), [Raketa](../saas-apps/raketa-tutorial.md), [Segment](../saas-apps/segment-tutorial.md), [Ai Auditor](https://www.mindbridge.ai/products/ai-auditor/), [Pobuca Connect](https://app.pobu.c), [MyCompliance Cloud](https://cloud.metacompliance.com/), [Smallstep SSH](https://smallstep.com/sso-ssh/)
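Review bot: the Pobuca Connect link target `https://app.pobu.c` is malformed (the host is cut off) and should be corrected to the vendor's real sign-in URL or the tutorial page. The sentence announces 29 new applications but the list on this line contains 10 links; confirm the list is complete before merging.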
For listing your application in the Azure AD app gallery, please read the detail
External Identities API connectors enable you to leverage web APIs to integrate self-service sign-up with external cloud systems. This means you can now invoke web APIs as specific steps in a sign-up flow to trigger cloud-based custom workflows. For example, you can use API connectors to: -- Integrate with custom approval workflows
+- Integrate with a custom approval workflows.
- Perform identity proofing - Validate user input data - Overwrite user attributes
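Review bot: "Integrate with a custom approval workflows" is ungrammatical (singular article, plural noun); the original "Integrate with custom approval workflows" was correct. The added trailing period also makes this the only item in the list punctuated that way; match the sibling items ("Perform identity proofing", "Validate user input data", "Overwrite user attributes").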
A new delegated permission EntitlementManagement.Read.All is now available for u
**Service category:** Identity Protection **Product capability:** Identity Security & Protection
-The riskyUsers and riskDetections Microsoft Graph APIs are now generally available. Now that they are available at the v1.0 endpoint, we invite you to use them in production. For more information, please check out the [Microsoft Graph docs](/graph/api/resources/identityprotectionroot).
+The riskyUsers and riskDetections Microsoft Graph APIs are now generally available. Now that they're available at the v1.0 endpoint, we invite you to use them in production. For more information, please check out the [Microsoft Graph docs](/graph/api/resources/identityprotectionroot).
The provisioning service has been updated to reduce the time for an [incremental
**Service category:** N/A **Product capability:** Device Lifecycle Management
-Now that Microsoft Authentication Libraries (MSAL) is available, we will no longer add new features to the Azure Active Directory Authentication Libraries (ADAL) and will end security patches on June 30th, 2022. For more information on how to migrate to MSAL, refer to [Migrate applications to Microsoft Authentication Library (MSAL)](../develop/msal-migration.md).
+Now that Microsoft Authentication Libraries (MSAL) is available, we'll no longer add new features to the Azure Active Directory Authentication Libraries (ADAL) and will end security patches on June 30th, 2022. For more information on how to migrate to MSAL, refer to [Migrate applications to Microsoft Authentication Library (MSAL)](../develop/msal-migration.md).
-Additionally, we have finished the work to make all Azure AD Graph functionality available through MS Graph. So, Azure AD Graph APIs will receive only bugfix and security fixes through June 30th, 2022. For more information, see [Update your applications to use Microsoft Authentication Library and Microsoft Graph API](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363)
+Additionally, we've finished the work to make all Azure AD Graph functionality available through MS Graph. So, Azure AD Graph APIs will receive only bugfix and security fixes through June 30th, 2022. For more information, see [Update your applications to use Microsoft Authentication Library and Microsoft Graph API](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363)
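Review bot: "Microsoft Authentication Libraries (MSAL) is available" has a number mismatch; the product name is "Microsoft Authentication Library (MSAL)", which also matches the link text later in the same paragraph. In the second paragraph "MS Graph" should be "Microsoft Graph", as it is written everywhere else on the page. The contractions are fine.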
## May 2020
-### Retirement of properties in sign-ins, riskyUsers, and riskDetections APIs
+### Retirement of properties in signIns, riskyUsers, and riskDetections APIs
**Type:** Plan for change **Service category:** Identity Protection **Product capability:** Identity Security & Protection
-Currently, enumerated types are used to represent the riskType property in both the riskDetections API and riskyUserHistoryItem (in preview). Enumerated types are also used for the riskEventTypes property in the sign-ins API. Going forward we will represent these properties as strings.
+Currently, enumerated types are used to represent the riskType property in both the riskDetections API and riskyUserHistoryItem (in preview). Enumerated types are also used for the riskEventTypes property in the signIns API. Going forward we'll represent these properties as strings.
-Customers should transition to the riskEventType property in the beta riskDetections and riskyUserHistoryItem API, and to riskEventTypes_v2 property in the beta sign-ins API by September 9th, 2020. At that date, we will be retiring the current riskType and riskEventTypes properties. For more information, refer to [Changes to risk event properties and Identity Protection APIs on Microsoft Graph](https://developer.microsoft.com/graph/blogs/changes-to-risk-event-properties-and-identity-protection-apis-on-microsoft-graph/).
+Customers should transition to the riskEventType property in the beta riskDetections and riskyUserHistoryItem API, and to riskEventTypes_v2 property in the beta signIns API by September 9th, 2020. At that date, we'll be retiring the current riskType and riskEventTypes properties. For more information, refer to [Changes to risk event properties and Identity Protection APIs on Microsoft Graph](https://developer.microsoft.com/graph/blogs/changes-to-risk-event-properties-and-identity-protection-apis-on-microsoft-graph/).
-### Deprecation of riskEventTypes property in sign-ins v1.0 API on Microsoft Graph
+### Deprecation of riskEventTypes property in signIns v1.0 API on Microsoft Graph
**Type:** Plan for change **Service category:** Reporting **Product capability:** Identity Security & Protection
-Enumerated types will switch to string types when representing risk event properties in Microsoft Graph September 2020. In addition to affecting the preview APIs, this change will also affect the in-production sign-ins API.
+Enumerated types will switch to string types when representing risk event properties in Microsoft Graph September 2020. In addition to impacting the preview APIs, this change will also impact the in-production signIns API.
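Review bot: changing "affecting"/"affect" to "impacting"/"impact" is a style regression; "impact" as a verb is discouraged in Microsoft's writing style, and the original wording was correct. Revert that part of the hunk and keep the "signIns" rename.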
-We have introduced a new riskEventsTypes_v2 (string) property to the sign-ins v1.0 API. We will retire the current riskEventTypes (enum) property on June 11, 2022 in accordance with our Microsoft Graph deprecation policy. Customers should transition to the riskEventTypes_v2 property in the v1.0 sign-ins API by June 11, 2022. For more information, refer to [Deprecation of riskEventTypes property in sign-ins v1.0 API on Microsoft Graph](https://developer.microsoft.com/graph/blogs/deprecation-of-riskeventtypes-property-in-signins-v1-0-api-on-microsoft-graph//).
+We have introduced a new riskEventsTypes_v2 (string) property to the signIns v1.0 API. We'll retire the current riskEventTypes (enum) property on June 11, 2022 in accordance with our Microsoft Graph deprecation policy. Customers should transition to the riskEventTypes_v2 property in the v1.0 signIns API by June 11, 2022. For more information, see [Deprecation of riskEventTypes property in signIns v1.0 API on Microsoft Graph](https://developer.microsoft.com/graph/blogs/deprecation-of-riskeventtypes-property-in-signins-v1-0-api-on-microsoft-graph//).
We have introduced a new riskEventsTypes_v2 (string) property to the sign-ins v1
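Review bot: the property name is inconsistent within the replacement line itself: it opens with `riskEventsTypes_v2 (string) property` and later says `transition to the riskEventTypes_v2 property`. The deprecation blog title and the preceding entry use `riskEventTypes_v2`, so the first spelling looks like a typo that this rewrite carried over rather than fixed. While here, the link target ends in a doubled slash (`...on-microsoft-graph//)`), and the "affecting"/"affect" to "impacting"/"impact" change goes against the Microsoft style guidance to avoid "impact" as a verb; "affect" was the better wording and should be kept.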
**Product capability:** Identity Security & Protection
-We are making the following changes to the email notifications for cloud multifactor authentication (MFA):
+We're making the following changes to the email notifications for cloud multifactor authentication (MFA):
E-mail notifications will be sent from the following address: azure-noreply@microsoft.com and msonlineservicesteam@microsoftonline.com. We're updating the content of fraud alert emails to better indicate the required steps to unblock uses.
E-mail notifications will be sent from the following address: azure-noreply@micr
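Review bot: the unchanged context line directly below this hunk reads "the required steps to unblock uses", which should be "unblock users". Since this entry is already being touched, it is worth fixing in the same change rather than leaving a visible typo in a security-notification description.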
**Product capability:** User Authentication
-Currently, users who are in domains federated in Azure AD, but who are not synced into the tenant, can't access Teams. Starting at the end of June, this new capability will enable them to do so by extending the existing email verified sign up feature. This will allow users who can sign in to a federated IdP, but who don't yet have a user object in Azure ID, to have a user object created automatically and be authenticated for Teams. Their user object will be marked as "self-service sign up." This is an extension of the existing capability to do email verified self-sign up that users in managed domains can do and can be controlled using the same flag. This change will complete rolling out during the following two months. Watch for documentation updates [here](../enterprise-users/directory-self-service-signup.md).
+Currently, users who are in domains federated in Azure AD, but who aren't synced into the tenant, can't access Teams. Starting at the end of June, this new capability will enable them to do so by extending the existing email verified sign-up feature. This will allow users who can sign in to a federated IdP, but who don't yet have a user object in Azure ID, to have a user object created automatically and be authenticated for Teams. Their user object will be marked as "self-service sign-up." This is an extension of the existing capability to do email verified self-sign up that users in managed domains can do and can be controlled using the same flag. This change will complete rolling out during the following two months. Watch for documentation updates [here](../enterprise-users/directory-self-service-signup.md).
This bug fix will be rolled out gradually over approximately 2 months.
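Review bot: "don't yet have a user object in Azure ID" should read "Azure AD"; the typo exists in the original line and survives the rewrite. The hyphenation is also now inconsistent within the same sentence: "sign-up" was corrected twice, but "email verified self-sign up" keeps the unhyphenated form and should become "self-service sign-up" (or "self sign-up") to match.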
**Service category:** Sovereign Clouds **Product capability:** User Authentication
-On 1 June 2018, the official Azure Active Directory (Azure AD) Authority for Azure Government changed from https://login-us.microsoftonline.com to https://login.microsoftonline.us. If you own an application within an Azure Government tenant, you must update your application to sign users in on the .us endpoint.
+On 1 June 2018, the official Azure Active Directory (Azure AD) Authority for Azure Government changed from https://login-us.microsoftonline.com to https://login.microsoftonline.us. If you own an application within an Azure Government tenant, you must update your application to sign users in on the.us endpoint.
-Starting May 5th, Azure AD will begin enforcing the endpoint change, blocking Azure Government users from signing into apps hosted in Azure Government tenants using the public endpoint (microsoftonline.com). Affected apps will begin seeing an error AADSTS900439 - USGClientNotSupportedOnPublicEndpoint.
+Starting May 5th, Azure AD will begin enforcing the endpoint change, blocking Azure Government users from signing into apps hosted in Azure Government tenants using the public endpoint (microsoftonline.com). Impacted apps will begin seeing an error AADSTS900439 - USGClientNotSupportedOnPublicEndpoint.
There will be a gradual rollout of this change with enforcement expected to be complete across all apps June 2020. For more details, please see the [Azure Government blog post](https://devblogs.microsoft.com/azuregov/azure-government-aad-authority-endpoint-update/).
There will be a gradual rollout of this change with enforcement expected to be c
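Review bot: the rewrite introduces a regression: "sign users in on the .us endpoint" became "sign users in on the.us endpoint", dropping the space before `.us`. Restore the space, or better, name the endpoint explicitly ("on the `login.microsoftonline.us` endpoint") so the sentence cannot be misread. The second line's "Affected apps" to "Impacted apps" change is the same style regression noted earlier; "Affected" is preferable.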
**Service category:** Authentications (Logins) **Product capability:** User Authentication
-When a user clicks on sign-out (e.g., in the MyApps portal), Azure AD sends a SAML Single Logout message to each app that is active in the user session and has a Logout URL configured. These messages contain a NameID in a persistent format.
+When a user clicks on sign-out (for example, in the MyApps portal), Azure AD sends a SAML Single Logout message to each app that is active in the user session and has a Logout URL configured. These messages contain a NameID in a persistent format.
-If the original SAML sign-in token used a different format for NameID (e.g. email/UPN), then the SAML app cannot correlate the NameID in the logout message to an existing session (as the NameIDs used in both messages are different), which caused the logout message to be discarded by the SAML app and the user to stay logged in. This fix makes the sign-out message consistent with the NameID configured for the application.
+If the original SAML sign-in token used a different format for NameID (for example, email/UPN), then the SAML app cannot correlate the NameID in the logout message to an existing session (as the NameIDs used in both messages are different), which caused the logout message to be discarded by the SAML app and the user to stay logged in. This fix makes the sign-out message consistent with the NameID configured for the application.
If the original SAML sign-in token used a different format for NameID (e.g. emai
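Review bot: the second replaced line mixes tenses ("the SAML app cannot correlate ... which caused the logout message to be discarded"); since this describes the pre-fix behavior, "could not correlate ... which caused" reads consistently, or keep present tense throughout. Separately, "cannot" is left as-is here while the same change rewrites "cannot" to "can't" in the Printer Technician entry later in the file; pick one convention for the whole pass.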
**Service category:** Azure AD Cloud Provisioning **Product capability:** Identity Lifecycle Management
-IT Admins can start using the new "Hybrid Admin" role as the least privileged role for setting up Azure AD Connect Cloud Provisioning. With this new role, you no longer have to use the Global Admin role to setup and configure Cloud Provisioning. [Learn more](../roles/delegate-by-task.md#connect).
+IT Admins can start using the new "Hybrid Admin" role as the least privileged role for setting up Azure AD Connect Cloud Provisioning. With this new role, you no longer have to use the Global Admin role to set up and configure Cloud Provisioning. [Learn more](../roles/delegate-by-task.md#connect).
IT Admins can start using the new "Hybrid Admin" role as the least privileged ro
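Review bot: "Hybrid Admin" is not the role's name as used elsewhere in this file; the later entry on the same role links to `permissions-reference.md#hybrid-identity-administrator` and calls it Hybrid Identity Administrator. Since the page is otherwise being normalized in this change, use the full role name here so readers searching the permissions reference find it. Also, "least privileged role" is a security claim that readers will act on; keep it but make sure it points at the exact role name.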
**Service category:** Enterprise Apps **Product capability:** 3rd Party Integration
-In May 2020, we have added the following 36 new applications in our App gallery with Federation support:
+In May 2020, we've added the following 36 new applications in our App gallery with Federation support:
[Moula](https://moula.com.au/pay/merchants), [Surveypal](https://www.surveypal.com/app), [Kbot365](https://www.konverso.ai/), [TackleBox](https://tacklebox.in/), [Powell Teams](https://powell-software.com/en/powell-teams-en/), [Talentsoft Assistant](https://msteams.talent-soft.com/), [ASC Recording Insights](https://teams.asc-recording.app/product), [GO1](https://www.go1.com/), [B-Engaged](https://b-engaged.se/), [Competella Contact Center Workgroup](http://www.competella.com/), [Asite](http://www.asite.com/), [ImageSoft Identity](https://identity.imagesoftinc.com/), [My IBISWorld](https://identity.imagesoftinc.com/), [insuite](../saas-apps/insuite-tutorial.md), [Change Process Management](../saas-apps/change-process-management-tutorial.md), [Cyara CX Assurance Platform](../saas-apps/cyara-cx-assurance-platform-tutorial.md), [Smart Global Governance](../saas-apps/smart-global-governance-tutorial.md), [Prezi](../saas-apps/prezi-tutorial.md), [Mapbox](../saas-apps/mapbox-tutorial.md), [Datava Enterprise Service Platform](../saas-apps/datava-enterprise-service-platform-tutorial.md), [Whimsical](../saas-apps/whimsical-tutorial.md), [Trelica](../saas-apps/trelica-tutorial.md), [EasySSO for Confluence](../saas-apps/easysso-for-confluence-tutorial.md), [EasySSO for BitBucket](../saas-apps/easysso-for-bitbucket-tutorial.md), [EasySSO for Bamboo](../saas-apps/easysso-for-bamboo-tutorial.md), [Torii](../saas-apps/torii-tutorial.md), [Axiad Cloud](../saas-apps/axiad-cloud-tutorial.md), [Humanage](../saas-apps/humanage-tutorial.md), [ColorTokens ZTNA](../saas-apps/colortokens-ztna-tutorial.md), [CCH Tagetik](../saas-apps/cch-tagetik-tutorial.md), [ShareVault](../saas-apps/sharevault-tutorial.md), [Vyond](../saas-apps/vyond-tutorial.md), [TextExpander](../saas-apps/textexpander-tutorial.md), [Anyone Home CRM](../saas-apps/anyone-home-crm-tutorial.md), [askSpoke](../saas-apps/askspoke-tutorial.md), [ice Contact Center](../saas-apps/ice-contact-center-tutorial.md)
For listing your application in the Azure AD app gallery, please read the detail
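Review bot: in the unchanged context line immediately below the hunk, the "My IBISWorld" entry links to `https://identity.imagesoftinc.com/`, the same URL as the preceding "ImageSoft Identity" entry; this looks like a copy-paste error and sends readers to the wrong vendor. It is worth correcting while this entry is open, rather than leaving a wrong outbound link in the gallery list.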
**Service category:** Conditional Access **Product capability:** Identity Security & Protection
-[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their effect before enabling them, making deployment safer and easier. Over the past few months, weΓÇÖve seen strong adoption of report-only modeΓÇöover 26M users are already in scope of a report-only policy. With the announcement today, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the effect of your policies from the moment theyΓÇÖre created. And for those of you who use the MS Graph APIs, you can [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy) as well.
+[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. Over the past few months, weΓÇÖve seen strong adoption of report-only modeΓÇöover 26M users are already in scope of a report-only policy. With the announcement today, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the impact of your policies from the moment theyΓÇÖre created. And for those of you who use the MS Graph APIs, you can [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy) as well.
The new [policy details blade](../conditional-access/troubleshoot-conditional-ac
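Review bot: the replacement line preserves mis-encoded characters from the original (`weΓÇÖve`, `modeΓÇöover`, `theyΓÇÖre`), which are UTF-8 curly apostrophes and an em dash read as a legacy code page. Re-save the file as UTF-8 or replace them with plain ASCII (`we've`, `mode, over`, `they're`) so the rendered page does not show garbage in the sentence that states the 26M-user adoption figure.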
New capabilities are being introduced for Microsoft Graph Directory Objects APIs, enabling Count, Search, Filter, and Sort operations. This will give developers the ability to quickly query our Directory Objects without workarounds such as in-memory filtering and sorting. Find out more in this [blog post](https://aka.ms/CountFilterMSGraphAAD).
-We are currently in Public Preview, looking for feedback. Please send your comments with this [brief survey](https://aka.ms/MsGraphAADSurveyDocs).
+We're currently in Public Preview, looking for feedback. Please send your comments with this [brief survey](https://aka.ms/MsGraphAADSurveyDocs).
Because of modern browser [3rd party cookie restrictions such as Safari ITP](../
**Service category:** Device Management **Product capability:** Device Lifecycle Management
-Previously, the only filters you could use were "Enabled" and "Activity date." Now, you can [filter your list of devices on more properties](../devices/device-management-azure-portal.md), including OS type, join type, compliance, and more. These additions should simplify locating a particular device.
+Previously, the only filters you could use were "Enabled" and "Activity date." Now, you can [filter your list of devices on more properties](../devices/device-management-azure-portal.md#view-and-filter-your-devices-preview), including OS type, join type, compliance, and more. These additions should simplify locating a particular device.
The combined registration experience for Multi-Factor Authentication (MFA) and S
**Product capability:** Identity Security & Protection
-Continuous Access Evaluation is a new security feature that enables near real-time enforcement of policies on relying parties consuming Azure AD Access Tokens when events happen in Azure AD (such as user account deletion). We are rolling this feature out first for Teams and Outlook clients. For more details, please read our [blog](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/moving-towards-real-time-policy-and-security-enforcement/ba-p/1276933) and [documentation](../conditional-access/concept-continuous-access-evaluation.md).
+Continuous Access Evaluation is a new security feature that enables near real-time enforcement of policies on relying parties consuming Azure AD Access Tokens when events happen in Azure AD (such as user account deletion). We're rolling this feature out first for Teams and Outlook clients. For more details, please read our [blog](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/moving-towards-real-time-policy-and-security-enforcement/ba-p/1276933) and [documentation](../conditional-access/concept-continuous-access-evaluation.md).
We're expanding B2B invitation capability to allow existing internal accounts to
**Product capability:** Identity Security & Protection
-[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their effect before enabling them, making deployment safer and easier. Over the past few months, weΓÇÖve seen strong adoption of report-only mode, with over 26M users already in scope of a report-only policy. With this announcement, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the effect of your policies from the moment theyΓÇÖre created. And for those of you who use the MS Graph APIs, you can also [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy).
+[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. Over the past few months, weΓÇÖve seen strong adoption of report-only mode, with over 26M users already in scope of a report-only policy. With this announcement, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the impact of your policies from the moment theyΓÇÖre created. And for those of you who use the MS Graph APIs, you can also [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy).
For more information, see [Administrative units management in Azure Active Direc
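Review bot: this paragraph is a near-verbatim duplicate of the report-only entry earlier in the file (same 26M-user figure and the same sentences, differing only in "with over 26M users" versus "over 26M users" and the position of "also"). If both entries are intended, the two should at least be edited identically; otherwise one should be removed. The same `ΓÇÖ` and `ΓÇö` encoding damage is carried into this replacement line and needs the same UTF-8 fix.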
**Printer Administrator**: Users with this role can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer Administrators also have access to print reports.
-**Printer Technician**: Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. Key tasks a Printer Technician cannot do are set user permissions on printers and sharing printers. [Learn more.](../roles/permissions-reference.md#printer-administrator)
+**Printer Technician**: Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. Key tasks a Printer Technician can't do are set user permissions on printers and sharing printers. [Learn more.](../roles/permissions-reference.md#printer-administrator)
For more information, see [Administrative units management in Azure Active Direc
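Review bot: the "Learn more" link on the Printer Technician line points to `permissions-reference.md#printer-administrator`, the anchor for the other role described just above it. It should point at the Printer Technician section of the permissions reference, since the sentence it follows is specifically about what a Printer Technician cannot do.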
**Product capability:** Access Control
-Users in this role can enable, configure and manage services and settings related to enabling hybrid identity in Azure AD. This role grants the ability to configure Azure AD to one of the three supported authentication methods&#8212;Password hash synchronization (PHS), Pass-through authentication (PTA) or Federation (AD FS or 3rd party federation provider)&#8212;and to deploy related on-premises infrastructure to enable them. On-premises infrastructure includes Provisioning and PTA agents. This role grants the ability to enable Seamless single sign-on (S-SSO) to enable seamless authentication on non-Windows 10 devices or non-Windows Server 2016 computers. In addition, this role grants the ability to see sign-in logs and to access health and analytics for monitoring and troubleshooting purposes. [Learn more.](../roles/permissions-reference.md#hybrid-identity-administrator)
+Users in this role can enable, configure and manage services and settings related to enabling hybrid identity in Azure AD. This role grants the ability to configure Azure AD to one of the three supported authentication methods&#8212;Password hash synchronization (PHS), Pass-through authentication (PTA) or Federation (AD FS or 3rd party federation provider)&#8212;and to deploy related on-premises infrastructure to enable them. On-premises infrastructure includes Provisioning and PTA agents. This role grants the ability to enable Seamless Single Sign-On (S-SSO) to enable seamless authentication on non-Windows 10 devices or non-Windows Server 2016 computers. In addition, this role grants the ability to see sign-in logs and to access health and analytics for monitoring and troubleshooting purposes. [Learn more.](../roles/permissions-reference.md#hybrid-identity-administrator)
For more information, check out the following:
**Product capability:**
-My Staff enables Firstline Managers, such as a store manager, to ensure that their staff members are able to access their Azure AD accounts. Instead of relying on a central helpdesk, organizations can delegate common tasks, such as resetting passwords or changing phone numbers, to a Firstline Manager. With My Staff, a user who canΓÇÖt access their account can re-gain access in just a couple of clicks, with no helpdesk or IT staff required. For more information, see the [Manage your users with My Staff (preview)](../roles/my-staff-configure.md) and [Delegate user management with My Staff (preview)](https://support.microsoft.com/account-billing/manage-front-line-users-with-my-staff-c65b9673-7e1c-4ad6-812b-1a31ce4460bd).
+My Staff enables Firstline Managers, such as a store manager, to ensure that their staff members are able to access their Azure AD accounts. Instead of relying on a central helpdesk, organizations can delegate common tasks, such as resetting passwords or changing phone numbers, to a Firstline Manager. With My Staff, a user who canΓÇÖt access their account can re-gain access in just a couple of selections, with no helpdesk or IT staff required. For more information, see the [Manage your users with My Staff (preview)](../roles/my-staff-configure.md) and [Delegate user management with My Staff (preview)](https://support.microsoft.com/account-billing/manage-front-line-users-with-my-staff-c65b9673-7e1c-4ad6-812b-1a31ce4460bd).
My Staff enables Firstline Managers, such as a store manager, to ensure that the
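Review bot: "re-gain access in just a couple of selections" is an awkward result of mechanically replacing "clicks"; "in just a few steps" keeps the meaning and the device-neutral wording. The line also keeps the mis-encoded `canΓÇÖt`, which should be `can't` once the file is saved as UTF-8.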
**Product capability:** Identity Governance
-We have updated the reviewer experience for Azure AD access reviews in the My Apps portal. At the end of April, your reviewers who are logged in to the Azure AD access reviews reviewer experience will see a banner that will allow them to try the updated experience in My Access. Please note that the updated Access reviews experience offers the same functionality as the current experience, but with an improved user interface on top of new capabilities to enable your users to be productive. [You can learn more about the updated experience here](../governance/perform-access-review.md). This public preview will last until the end of July 2020. At the end of July, reviewers who have not opted into the preview experience will be automatically directed to My Access to perform access reviews. If you wish to have your reviewers permanently switched over to the preview experience in My Access now, [please make a request here](https://forms.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5dv-S62099HtxdeKIcgO-NUOFJaRDFDWUpHRk8zQ1BWVU1MMTcyQ1FFUi4u).
+We have updated the reviewer experience for Azure AD access reviews in the My Apps portal. At the end of April, your reviewers who are logged in to the Azure AD access reviews reviewer experience will see a banner that will allow them to try the updated experience in My Access. Note that the updated Access reviews experience offers the same functionality as the current experience, but with an improved user interface on top of new capabilities to enable your users to be productive. [You can learn more about the updated experience here](../governance/perform-access-review.md). This public preview will last until the end of July 2020. At the end of July, reviewers who haven't opted into the preview experience will be automatically directed to My Access to perform access reviews. If you wish to have your reviewers permanently switched over to the preview experience in My Access now, [please make a request here](https://forms.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5dv-S62099HtxdeKIcgO-NUOFJaRDFDWUpHRk8zQ1BWVU1MMTcyQ1FFUi4u).
We have updated the reviewer experience for Azure AD access reviews in the My Ap
**Product capability:**
-Based on customer feedback, we have now updated the Workday inbound user provisioning and writeback apps in the enterprise app gallery to support the latest versions of the Workday Web Services (WWS) API. With this change, customers can specify the WWS API version that they would like to use in the connection string. This gives customers the ability to retrieve more HR attributes available in the releases of Workday. The Workday Writeback app now uses the recommended Change_Work_Contact_Info Workday web service to overcome the limitations of Maintain_Contact_Info.
+Based on customer feedback, we've now updated the Workday inbound user provisioning and writeback apps in the enterprise app gallery to support the latest versions of the Workday Web Services (WWS) API. With this change, customers can specify the WWS API version that they would like to use in the connection string. This gives customers the ability to retrieve more HR attributes available in the releases of Workday. The Workday Writeback app now uses the recommended Change_Work_Contact_Info Workday web service to overcome the limitations of Maintain_Contact_Info.
If no version is specified in the connection string, by default, the Workday inbound provisioning apps will continue to use WWS v21.1 To switch to the latest Workday APIs for inbound user provisioning, customers need to update the connection string as documented [in the tutorial](../saas-apps/workday-inbound-tutorial.md#which-workday-apis-does-the-solution-use-to-query-and-update-workday-worker-profiles) and also update the XPATHs used for Workday attributes as documented in the [Workday attribute reference guide](../app-provisioning/workday-attribute-reference.md#xpath-values-for-workday-web-services-wws-api-v30).
We have updated our [tutorial guide](../saas-apps/workday-inbound-tutorial.md) t
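Review bot: the unchanged context line following this hunk runs two sentences together: "will continue to use WWS v21.1 To switch to the latest Workday APIs". A period (or a sentence break) after "v21.1" is missing, and it is worth adding while this entry is being edited.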
**Product capability:** Identity Lifecycle Management
-Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. As of April 16, 2020, all new provisioning configurations allow users with the default access role to be provisioned. Gradually we will change the behavior for existing provisioning configurations to support provisioning users with this role. [Learn more.](../app-provisioning/application-provisioning-config-problem-no-users-provisioned.md)
+Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. As of April 16, 2020, all new provisioning configurations allow users with the default access role to be provisioned. Gradually we'll change the behavior for existing provisioning configurations to support provisioning users with this role. [Learn more.](../app-provisioning/application-provisioning-config-problem-no-users-provisioned.md)
The [emails](../external-identities/invitation-email-elements.md) that are sent
**Service category:** Audit **Product capability:** Monitoring & Reporting
-We fixed a bug where changes to the [HomeRealmDiscovery policy](../manage-apps/configure-authentication-for-federated-users-portal.md) were not included in the audit logs. You will now be able to see when and how the policy was changed, and by whom.
+We fixed a bug where changes to the [HomeRealmDiscovery policy](../manage-apps/configure-authentication-for-federated-users-portal.md) weren't included in the audit logs. You'll now be able to see when and how the policy was changed, and by whom.
Azure Monitor integration with Azure AD logs is now available in Azure Governmen
**Service category:** Identity Protection **Product capability:** Identity Security & Protection
-We’re excited to share that we have now rolled out the refreshed [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) experience in the [Microsoft Azure Government portal](https://portal.azure.us/). For more information, see our [announcement blog post](https://techcommunity.microsoft.com/t5/public-sector-blog/identity-protection-refresh-in-microsoft-azure-government/ba-p/1223667).
+We’re excited to share that we've now rolled out the refreshed [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) experience in the [Microsoft Azure Government portal](https://portal.azure.us/). For more information, see our [announcement blog post](https://techcommunity.microsoft.com/t5/public-sector-blog/identity-protection-refresh-in-microsoft-azure-government/ba-p/1223667).
To provide a more flexible way for customers to create directory-wide groups tha
We're planning to replace the current custom controls preview with an approach that allows partner-provided authentication capabilities to work seamlessly with the Azure Active Directory administrator and end user experiences. Today, partner multifactor authentication (MFA) solutions face the following limitations: they work only after a password has been entered; they don't serve as multifactor authentication (MFA) for step-up authentication in other key scenarios; and they don't integrate with end user or administrative credential management functions. The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios, including registration, usage, multifactor authentication (MFA) claims, step up authentication, reporting, and logging.
-Custom controls will continue to be supported in preview alongside the new design until it reaches general availability. At that point, we'll give customers time to migrate to the new design. Because of the limitations of the current approach, we won't onboard new providers until the new design is available. We are working closely with customers and providers and will communicate the timeline as we get closer. [Learn more](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/upcoming-changes-to-custom-controls/ba-p/1144696#).
+Custom controls will continue to be supported in preview alongside the new design until it reaches general availability. At that point, we'll give customers time to migrate to the new design. Because of the limitations of the current approach, we won't onboard new providers until the new design is available. We're working closely with customers and providers and will communicate the timeline as we get closer. [Learn more](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/upcoming-changes-to-custom-controls/ba-p/1144696#).
These new improvement actions will require registering your users or admins for
We've heard feedback that Azure AD Domain Services customers want more flexibility in selecting performance levels for their instances. Starting on February 1, 2020, we switched from a dynamic model (where Azure AD determines the performance and pricing tier based on object count) to a self-selection model. Now customers can choose a performance tier that matches their environment. This change also allows us to enable new scenarios like Resource Forests, and Premium features like daily backups. The object count is now unlimited for all SKUs, but we'll continue to offer object count suggestions for each tier.
-**No immediate customer action is required.** For existing customers, the dynamic tier that was in use on February 1, 2020, determines the new default tier. There is no pricing or performance impact as the result of this change. Going forward, Azure AD DS customers will need to evaluate performance requirements as their directory size and workload characteristics change. Switching between service tiers will continue to be a no-downtime operation, and we will no longer automatically move customers to new tiers based on the growth of their directory. Furthermore, there will be no price increases, and new pricing will align with our current billing model. For more information, see the [Azure AD DS SKUs documentation](../../active-directory-domain-services/administration-concepts.md#azure-ad-ds-skus) and the [Azure AD Domain Services pricing page](https://azure.microsoft.com/pricing/details/active-directory-ds/).
+**No immediate customer action is required.** For existing customers, the dynamic tier that was in use on February 1, 2020, determines the new default tier. There is no pricing or performance impact as the result of this change. Going forward, Azure AD DS customers will need to evaluate performance requirements as their directory size and workload characteristics change. Switching between service tiers will continue to be a no-downtime operation, and we'll no longer automatically move customers to new tiers based on the growth of their directory. Furthermore, there will be no price increases, and new pricing will align with our current billing model. For more information, see the [Azure AD DS SKUs documentation](../../active-directory-domain-services/administration-concepts.md#azure-ad-ds-skus) and the [Azure AD Domain Services pricing page](https://azure.microsoft.com/pricing/details/active-directory-ds/).
For more information, see [Add Google as an identity provider for B2B guest user
-### Microsoft Edge Mobile Support for Conditional Access and single sign-on (General Availability)
+### Microsoft Edge Mobile Support for Conditional Access and Single Sign-on (General Availability)
**Type:** New feature **Service category:** Conditional Access **Product capability:** Identity Security & Protection
-Azure AD for Microsoft Edge on iOS and Android now supports Azure AD single sign-on and Conditional Access:
+Azure AD for Microsoft Edge on iOS and Android now supports Azure AD Single Sign-On and Conditional Access:
- **Microsoft Edge single sign-on (SSO):** Single sign-on is now available across native clients (such as Microsoft Outlook and Microsoft Edge) for all Azure AD -connected apps. - **Microsoft Edge conditional access:** Through application-based conditional access policies, your users must use Microsoft Intune-protected browsers, such as Microsoft Edge.
-For more information about conditional access and SSO with Microsoft Edge, see the [Microsoft Edge Mobile Support for Conditional Access and single sign-on Now Generally Available](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Microsoft-Edge-Mobile-Support-for-Conditional-Access-and-Single/ba-p/988179) blog post. For more information about how to set up your client apps using [app-based conditional access](../conditional-access/app-based-conditional-access.md) or [device-based conditional access](../conditional-access/require-managed-devices.md), see [Manage web access using a Microsoft Intune policy-protected browser](/intune/apps/app-configuration-managed-browser).
+For more information about conditional access and SSO with Microsoft Edge, see the [Microsoft Edge Mobile Support for Conditional Access and Single Sign-on Now Generally Available](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Microsoft-Edge-Mobile-Support-for-Conditional-Access-and-Single/ba-p/988179) blog post. For more information about how to set up your client apps using [app-based conditional access](../conditional-access/app-based-conditional-access.md) or [device-based conditional access](../conditional-access/require-managed-devices.md), see [Manage web access using a Microsoft Intune policy-protected browser](/intune/apps/app-configuration-managed-browser).
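Review bot: capitalization is inconsistent within this hunk. The heading and the blog-post link text now read "Single Sign-on" (lower-case "on") while the body line reads "Single Sign-On"; pick one form for all three. Likewise "conditional access" stays lower-case in the body and link text while the heading uses "Conditional Access".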
For detailed information about these new capabilities, including how to use them
-### New My sign-ins page for end users in Azure AD
+### New My Sign-ins page for end users in Azure AD
**Type:** New feature **Service category:** Authentications (Logins) **Product capability:** Monitoring & Reporting
-We've added a new **My sign-ins** page (https://mysignins.microsoft.com) to let your organization's users view their recent sign-in history to check for any unusual activity. This new page allows your users to see:
+We've added a new **My Sign-ins** page (https://mysignins.microsoft.com) to let your organization's users view their recent sign-in history to check for any unusual activity. This new page allows your users to see:
- If anyone is attempting to guess their password.
For more information about how to use this new endpoint, see [Using the admin co
In September 2019, we've added these 29 new apps with Federation support to the app gallery:
-[ScheduleLook](https://schedulelook.bbsonlineservices.net/), [MS Azure SSO Access for Ethidex Compliance Office&trade; - single sign-on](../saas-apps/ms-azure-sso-access-for-ethidex-compliance-office-tutorial.md), [iServer Portal](../saas-apps/iserver-portal-tutorial.md), [SKYSITE](../saas-apps/skysite-tutorial.md), [Concur Travel and Expense](../saas-apps/concur-travel-and-expense-tutorial.md), [WorkBoard](../saas-apps/workboard-tutorial.md), `https://apps.yeeflow.com/`, [ARC Facilities](../saas-apps/arc-facilities-tutorial.md), [Luware Stratus Team](https://stratus.emea.luware.cloud/login), [Wide Ideas](https://wideideas.online/wideideas/), [Prisma Cloud](../saas-apps/prisma-cloud-tutorial.md), [JDLT Client Hub](https://clients.jdlt.co.uk/login), [RENRAKU](../saas-apps/renraku-tutorial.md), [SealPath Secure Browser](https://protection.sealpath.com/SealPathInterceptorWopiSaas/Open/InstallSealPathEditorOneDrive), [Prisma Cloud](../saas-apps/prisma-cloud-tutorial.md), `https://app.penneo.com/`, `https://app.testhtm.com/settings/email-integration`, [Cintoo Cloud](https://aec.cintoo.com/login), [Whitesource](../saas-apps/whitesource-tutorial.md), [Hosted Heritage Online SSO](../saas-apps/hosted-heritage-online-sso-tutorial.md), [IDC](../saas-apps/idc-tutorial.md), [CakeHR](../saas-apps/cakehr-tutorial.md), [BIS](../saas-apps/bis-tutorial.md), [Coo Kai Team Build](https://ms-contacts.coo-kai.jp/), [Sonarqube](../saas-apps/sonarqube-tutorial.md), [Adobe Identity Management](../saas-apps/tutorial-list.md), [Discovery Benefits SSO](../saas-apps/discovery-benefits-sso-tutorial.md), [Amelio](https://app.amelio.co/), `https://itask.yipinapp.com/`
+[ScheduleLook](https://schedulelook.bbsonlineservices.net/), [MS Azure SSO Access for Ethidex Compliance Office&trade; - Single sign-on](../saas-apps/ms-azure-sso-access-for-ethidex-compliance-office-tutorial.md), [iServer Portal](../saas-apps/iserver-portal-tutorial.md), [SKYSITE](../saas-apps/skysite-tutorial.md), [Concur Travel and Expense](../saas-apps/concur-travel-and-expense-tutorial.md), [WorkBoard](../saas-apps/workboard-tutorial.md), `https://apps.yeeflow.com/`, [ARC Facilities](../saas-apps/arc-facilities-tutorial.md), [Luware Stratus Team](https://stratus.emea.luware.cloud/login), [Wide Ideas](https://wideideas.online/wideideas/), [Prisma Cloud](../saas-apps/prisma-cloud-tutorial.md), [JDLT Client Hub](https://clients.jdlt.co.uk/login), [RENRAKU](../saas-apps/renraku-tutorial.md), [SealPath Secure Browser](https://protection.sealpath.com/SealPathInterceptorWopiSaas/Open/InstallSealPathEditorOneDrive), [Prisma Cloud](../saas-apps/prisma-cloud-tutorial.md), `https://app.penneo.com/`, `https://app.testhtm.com/settings/email-integration`, [Cintoo Cloud](https://aec.cintoo.com/login), [Whitesource](../saas-apps/whitesource-tutorial.md), [Hosted Heritage Online SSO](../saas-apps/hosted-heritage-online-sso-tutorial.md), [IDC](../saas-apps/idc-tutorial.md), [CakeHR](../saas-apps/cakehr-tutorial.md), [BIS](../saas-apps/bis-tutorial.md), [Coo Kai Team Build](https://ms-contacts.coo-kai.jp/), [Sonarqube](../saas-apps/sonarqube-tutorial.md), [Adobe Identity Management](../saas-apps/tutorial-list.md), [Discovery Benefits SSO](../saas-apps/discovery-benefits-sso-tutorial.md), [Amelio](https://app.amelio.co/), `https://itask.yipinapp.com/`
For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
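Review bot: "Prisma Cloud" appears twice in this list with the same tutorial link, so only 28 distinct apps are listed against the stated 29; either remove the duplicate or restore the app that was meant. Four entries are also bare URLs in backticks (`https://apps.yeeflow.com/`, `https://app.penneo.com/`, `https://app.testhtm.com/settings/email-integration`, `https://itask.yipinapp.com/`) with no app name, unlike the rest of the list.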
Starting on September 24, 2019, we're going to start rolling out a new Azure Act
The Global Reader role is the read-only counterpart to Global Administrator. Users in this role can read settings and administrative information across Microsoft 365 services, but can't take management actions. We've created the Global Reader role to help reduce the number of Global Administrators in your organization. Because Global Administrator accounts are powerful and vulnerable to attack, we recommend that you have fewer than five Global Administrators. We recommend using the Global Reader role for planning, audits, or investigations. We also recommend using the Global Reader role in combination with other limited administrator roles, like Exchange Administrator, to help get work done without requiring the Global Administrator role.
-The Global Reader role works with the new Microsoft 365 Admin Center, Exchange Admin Center, Teams Admin Center, Security Center, compliance portal, Azure AD Admin Center, and the Device Management Admin Center.
+The Global Reader role works with the new Microsoft 365 Admin Center, Exchange Admin Center, Teams Admin Center, Security Center, Compliance Center, Azure AD Admin Center, and the Device Management Admin Center.
>[!NOTE] > At the start of public preview, the Global Reader role won't work with: SharePoint, Privileged Access Management, Customer Lockbox, sensitivity labels, Teams Lifecycle, Teams Reporting & Call Analytics, Teams IP Phone Device Management, and Teams App Catalog.
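Review bot: the + line replaces "compliance portal" with "Compliance Center", which is the older product name, while the - line already carried the newer wording; confirm the intended current name before merging, since the rest of the admin-center list is unchanged.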
For more information, see [Manage groups in the Azure portal](./active-directory
Custom roles (available with an Azure AD P1 or P2 subscription) can now help provide you with fine-grained access, by letting you create role definitions with specific permissions and then to assign those roles to specific resources. Currently, you create custom roles by using permissions for managing app registrations and then assigning the role to a specific app. For more information about custom roles, see [Custom administrator roles in Azure Active Directory (preview)](../roles/custom-overview.md).
-If you need additional permissions or resources supported, which you don't currently see, you can send feedback to our [Azure feedback site](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) and we'll add your request to our update road map.
+If you need other permissions or resources supported, which you don't currently see, you can send feedback to our [Azure feedback site](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) and we'll add your request to our update road map.
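Review bot: swapping "additional" for "other" leaves an awkward sentence ("other permissions or resources supported, which you don't currently see"). Suggest "If you need permissions or resources that aren't currently supported, you can send feedback to ..." so the sentence no longer hinges on "other".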
For more information, see [Provisioning reports in the Azure Active Directory po
**Service category:** Identity Protection **Product capability:** Identity Security & Protection
-By default, all Azure AD administrators will soon be able to access modern security reports within Azure AD. Until the end of September, you will be able to use the banner at the top of the modern security reports to return to the old reports.
+By default, all Azure AD administrators will soon be able to access modern security reports within Azure AD. Until the end of September, you'll be able to use the banner at the top of the modern security reports to return to the old reports.
-The modern security reports will provide additional capabilities from the older versions, including:
+The modern security reports will provide more capabilities from the older versions, including:
- Advanced filtering and sorting - Bulk actions, such as dismissing user risk
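Review bot: "more capabilities from the older versions" on the + line should be "more capabilities than the older versions"; the original "additional capabilities from" had the same wrong preposition, so fix it while this line is being touched.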
For more information, see [What's new for authentication?](../develop/reference-
**Service category:** Authentications (Logins) **Product capability:** User Authentication
-Azure AD customers can now set policies to manage FIDO2 security keys for their organization's users and groups. End users can also self-register their security keys, use the keys to sign in to their Microsoft accounts on web sites while on FIDO-capable devices, as well as sign-in to their Azure AD-joined Windows 10 devices.
+Azure AD customers can now set policies to manage FIDO2 security keys for their organization's users and groups. End users can also self-register their security keys, use the keys to sign in to their Microsoft accounts on web sites while on FIDO-capable devices, and sign-in to their Azure AD-joined Windows 10 devices.
For more information, see [Enable passwordless sign in for Azure AD (preview)](../authentication/concept-authentication-passwordless.md) for administrator-related information, and [Set up security info to use a security key (Preview)](https://support.microsoft.com/account-billing/set-up-a-security-key-as-your-verification-method-2911cacd-efa5-4593-ae22-e09ae14c6698) for end-user-related information.
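Review bot: "and sign-in to their Azure AD-joined Windows 10 devices" on the + line uses the noun form as a verb; it should be "and sign in to their Azure AD-joined Windows 10 devices", matching "sign in to their Microsoft accounts" earlier in the same sentence.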
Currently, the app registration screens of the Azure portal still block query pa
**Service category:** Reporting **Product capability:** Monitoring & Reporting
-We're excited to announce that Azure AD activity logs (Audit and sign-ins reports) are now available through the Azure AD PowerShell module. Previously, you could create your own scripts using MS Graph API endpoints, and now we've extended that capability to PowerShell cmdlets.
+We're excited to announce that Azure AD activity logs (Audit and Sign-ins reports) are now available through the Azure AD PowerShell module. Previously, you could create your own scripts using MS Graph API endpoints, and now we've extended that capability to PowerShell cmdlets.
For more information about how to use these cmdlets, see [Azure AD PowerShell cmdlets for reporting](../reports-monitoring/reference-powershell-reporting.md).
You can configure naming policy for Office 365 groups in two different ways:
- Define prefixes or suffixes, which are automatically added to a group name. -- Upload a customized set of blocked words for your organization, which are not allowed in group names (for example, "CEO, Payroll, HR").
+- Upload a customized set of blocked words for your organization, which aren't allowed in group names (for example, "CEO, Payroll, HR").
For more information, see [Enforce a Naming Policy for Office 365 groups](../enterprise-users/groups-naming-policy.md).
For more information, see [Enforce a Naming Policy for Office 365 groups](../ent
To help address your feedback about visualizations with the Azure AD Activity logs, we're introducing a new Insights feature in Log Analytics. This feature helps you gain insights about your Azure AD resources by using our interactive templates, called Workbooks. These pre-built Workbooks can provide details for apps or users, and include: -- **sign-ins.** Provides details for apps and users, including sign-in location, the in-use operating system or browser client and version, and the number of successful or failed sign-ins.
+- **Sign-ins.** Provides details for apps and users, including sign-in location, the in-use operating system or browser client and version, and the number of successful or failed sign-ins.
- **Legacy authentication and Conditional Access.** Provides details for apps and users using legacy authentication, including multifactor authentication usage triggered by Conditional Access policies, apps using Conditional Access policies, and so on.
For more information, see [How to use Azure Monitor workbooks for Azure Active D
In April 2019, we've added these 21 new apps with Federation support to the app gallery:
-[SAP Fiori](../saas-apps/sap-fiori-tutorial.md), [HRworks single sign-on](../saas-apps/hrworks-single-sign-on-tutorial.md), [Percolate](../saas-apps/percolate-tutorial.md), [MobiControl](../saas-apps/mobicontrol-tutorial.md), [Citrix NetScaler](../saas-apps/citrix-netscaler-tutorial.md), [Shibumi](../saas-apps/shibumi-tutorial.md), [Benchling](../saas-apps/benchling-tutorial.md), [MileIQ](https://mileiq.onelink.me/991934284/7e980085), [PageDNA](../saas-apps/pagedna-tutorial.md), [EduBrite LMS](../saas-apps/edubrite-lms-tutorial.md), [RStudio Connect](../saas-apps/rstudio-connect-tutorial.md), [AMMS](../saas-apps/amms-tutorial.md), [Mitel Connect](../saas-apps/mitel-connect-tutorial.md), [Alibaba Cloud (Role-based SSO)](../saas-apps/alibaba-cloud-service-role-based-sso-tutorial.md), [Certent Equity Management](../saas-apps/certent-equity-management-tutorial.md), [Sectigo Certificate Manager](../saas-apps/sectigo-certificate-manager-tutorial.md), [GreenOrbit](../saas-apps/greenorbit-tutorial.md), [Workgrid](../saas-apps/workgrid-tutorial.md), [monday.com](../saas-apps/mondaycom-tutorial.md), [SurveyMonkey Enterprise](../saas-apps/surveymonkey-enterprise-tutorial.md), [Indiggo](https://indiggolead.com/)
+[SAP Fiori](../saas-apps/sap-fiori-tutorial.md), [HRworks Single Sign-On](../saas-apps/hrworks-single-sign-on-tutorial.md), [Percolate](../saas-apps/percolate-tutorial.md), [MobiControl](../saas-apps/mobicontrol-tutorial.md), [Citrix NetScaler](../saas-apps/citrix-netscaler-tutorial.md), [Shibumi](../saas-apps/shibumi-tutorial.md), [Benchling](../saas-apps/benchling-tutorial.md), [MileIQ](https://mileiq.onelink.me/991934284/7e980085), [PageDNA](../saas-apps/pagedna-tutorial.md), [EduBrite LMS](../saas-apps/edubrite-lms-tutorial.md), [RStudio Connect](../saas-apps/rstudio-connect-tutorial.md), [AMMS](../saas-apps/amms-tutorial.md), [Mitel Connect](../saas-apps/mitel-connect-tutorial.md), [Alibaba Cloud (Role-based SSO)](../saas-apps/alibaba-cloud-service-role-based-sso-tutorial.md), [Certent Equity Management](../saas-apps/certent-equity-management-tutorial.md), [Sectigo Certificate Manager](../saas-apps/sectigo-certificate-manager-tutorial.md), [GreenOrbit](../saas-apps/greenorbit-tutorial.md), [Workgrid](../saas-apps/workgrid-tutorial.md), [monday.com](../saas-apps/mondaycom-tutorial.md), [SurveyMonkey Enterprise](../saas-apps/surveymonkey-enterprise-tutorial.md), [Indiggo](https://indiggolead.com/)
For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
For more information about the new cookies, see [Cookie settings for accessing o
In January 2019, we've added these 35 new apps with Federation support to the app gallery:
-[Firstbird](../saas-apps/firstbird-tutorial.md), [Folloze](../saas-apps/folloze-tutorial.md), [Talent Palette](../saas-apps/talent-palette-tutorial.md), [Infor CloudSuite](../saas-apps/infor-cloud-suite-tutorial.md), [Cisco Umbrella](../saas-apps/cisco-umbrella-tutorial.md), [Zscaler Internet Access Administrator](../saas-apps/zscaler-internet-access-administrator-tutorial.md), [Expiration Reminder](../saas-apps/expiration-reminder-tutorial.md), [InstaVR Viewer](../saas-apps/instavr-viewer-tutorial.md), [CorpTax](../saas-apps/corptax-tutorial.md), [Verb](https://app.verb.net/login), [OpenLattice](https://openlattice.com/#/), [TheOrgWiki](https://www.theorgwiki.com/signup), [Pavaso Digital Close](../saas-apps/pavaso-digital-close-tutorial.md), [GoodPractice Toolkit](../saas-apps/goodpractice-toolkit-tutorial.md), [Cloud Service PICCO](../saas-apps/cloud-service-picco-tutorial.md), [AuditBoard](../saas-apps/auditboard-tutorial.md), [Zeyna](../saas-apps/zenya-tutorial.md), [Workable](../saas-apps/workable-tutorial.md), [CallPlease](https://webapp.callplease.com/create-account/create-account.html), [GTNexus SSO System](../saas-apps/gtnexus-sso-module-tutorial.md), [CBRE ServiceInsight](../saas-apps/cbre-serviceinsight-tutorial.md), [Deskradar](../saas-apps/deskradar-tutorial.md), [Coralogixv](../saas-apps/coralogix-tutorial.md), [Signagelive](../saas-apps/signagelive-tutorial.md), [ARES for Enterprise](../saas-apps/ares-for-enterprise-tutorial.md), [K2 for Office 365](https://www.k2.com/O365), [Xledger](https://www.xledger.net/), [IDID Manager](../saas-apps/idid-manager-tutorial.md), [HighGear](../saas-apps/highgear-tutorial.md), [Visitly](../saas-apps/visitly-tutorial.md), [Korn Ferry ALP](../saas-apps/korn-ferry-alp-tutorial.md), [Acadia](../saas-apps/acadia-tutorial.md), [Adoddle cSaas Platform](../saas-apps/adoddle-csaas-platform-tutorial.md)
+[Firstbird](../saas-apps/firstbird-tutorial.md), [Folloze](../saas-apps/folloze-tutorial.md), [Talent Palette](../saas-apps/talent-palette-tutorial.md), [Infor CloudSuite](../saas-apps/infor-cloud-suite-tutorial.md), [Cisco Umbrella](../saas-apps/cisco-umbrella-tutorial.md), [Zscaler Internet Access Administrator](../saas-apps/zscaler-internet-access-administrator-tutorial.md), [Expiration Reminder](../saas-apps/expiration-reminder-tutorial.md), [InstaVR Viewer](../saas-apps/instavr-viewer-tutorial.md), [CorpTax](../saas-apps/corptax-tutorial.md), [Verb](https://app.verb.net/login), [OpenLattice](https://openlattice.com/#/), [TheOrgWiki](https://www.theorgwiki.com/signup), [Pavaso Digital Close](../saas-apps/pavaso-digital-close-tutorial.md), [GoodPractice Toolkit](../saas-apps/goodpractice-toolkit-tutorial.md), [Cloud Service PICCO](../saas-apps/cloud-service-picco-tutorial.md), [AuditBoard](../saas-apps/auditboard-tutorial.md), [iProva](../saas-apps/iprova-tutorial.md), [Workable](../saas-apps/workable-tutorial.md), [CallPlease](https://webapp.callplease.com/create-account/create-account.html), [GTNexus SSO System](../saas-apps/gtnexus-sso-module-tutorial.md), [CBRE ServiceInsight](../saas-apps/cbre-serviceinsight-tutorial.md), [Deskradar](../saas-apps/deskradar-tutorial.md), [Coralogixv](../saas-apps/coralogix-tutorial.md), [Signagelive](../saas-apps/signagelive-tutorial.md), [ARES for Enterprise](../saas-apps/ares-for-enterprise-tutorial.md), [K2 for Office 365](https://www.k2.com/O365), [Xledger](https://www.xledger.net/), [iDiD Manager](../saas-apps/idid-manager-tutorial.md), [HighGear](../saas-apps/highgear-tutorial.md), [Visitly](../saas-apps/visitly-tutorial.md), [Korn Ferry ALP](../saas-apps/korn-ferry-alp-tutorial.md), [Acadia](../saas-apps/acadia-tutorial.md), [Adoddle cSaas Platform](../saas-apps/adoddle-csaas-platform-tutorial.md)
For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md).
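Review bot: the link text changes from "Zeyna" to "iProva" but the target stays `../saas-apps/zenya-tutorial.md`; confirm that the tutorial file and the app name agree, since one of the two looks stale. "Coralogixv" on both lines also looks like a typo for "Coralogix" (the link target is `coralogix-tutorial.md`).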
For more information, see [Create a dynamic group and check status](../enterpris
-### Simplified single sign-on (SSO) configuration settings for some third-party apps
+### Simplified Single Sign-On (SSO) configuration settings for some third-party apps
**Type:** New feature **Service category:** Enterprise Apps **Product capability:** SSO
-We realize that setting up single sign-on (SSO) for Software as a Service (SaaS) apps can be challenging due to the unique nature of each apps configuration. We've built a simplified configuration experience to auto-populate the SSO configuration settings for the following third-party SaaS apps:
+We realize that setting up Single Sign-On (SSO) for Software as a Service (SaaS) apps can be challenging due to the unique nature of each apps configuration. We've built a simplified configuration experience to auto-populate the SSO configuration settings for the following third-party SaaS apps:
- Zendesk
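Review bot: "the unique nature of each apps configuration" is missing an apostrophe on both the - and + lines; while recapitalizing SSO here, change it to "each app's configuration".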
For more information, see [What is the My Apps portal?](https://support.microsof
-### New Troubleshooting and Support tab on the sign-ins Logs page of the Azure portal
+### New Troubleshooting and Support tab on the Sign-ins Logs page of the Azure portal
**Type:** New feature **Service category:** Reporting **Product capability:** Monitoring & Reporting
-The new **Troubleshooting and Support** tab on the **sign-ins** page of the Azure portal, is intended to help admins and support engineers troubleshoot issues related to Azure AD sign-ins. This new tab provides the error code, error message, and remediation recommendations (if any) to help solve the problem. If you're unable to resolve the problem, we also give you a new way to create a support ticket using the **Copy to clipboard** experience, which populates the **Request ID** and **Date (UTC)** fields for the log file in your support ticket.
+The new **Troubleshooting and Support** tab on the **Sign-ins** page of the Azure portal, is intended to help admins and support engineers troubleshoot issues related to Azure AD sign-ins. This new tab provides the error code, error message, and remediation recommendations (if any) to help solve the problem. If you're unable to resolve the problem, we also give you a new way to create a support ticket using the **Copy to clipboard** experience, which populates the **Request ID** and **Date (UTC)** fields for the log file in your support ticket.
![Sign-in logs showing the new tab](media/whats-new/troubleshooting-and-support.png)
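Review bot: stray comma on the + line in "on the **Sign-ins** page of the Azure portal, is intended to help"; remove the comma before "is", since "The new **Troubleshooting and Support** tab" is the subject of that verb.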
The new **Troubleshooting and Support** tab on the **sign-ins** page of the Azur
**Service category:** Group Management **Product capability:** Collaboration
-With this update, you can now click the **Get custom extension properties** link from the dynamic user group rule builder, enter your unique app ID, and receive the full list of custom extension properties to use when creating a dynamic membership rule for users. This list can also be refreshed to get any new custom extension properties for that app.
+With this update, you can now select the **Get custom extension properties** link from the dynamic user group rule builder, enter your unique app ID, and receive the full list of custom extension properties to use when creating a dynamic membership rule for users. This list can also be refreshed to get any new custom extension properties for that app.
For more information about using custom extension properties for dynamic membership rules, see [Extension properties and custom extension properties](../enterprise-users/groups-dynamic-membership.md#extension-properties-and-custom-extension-properties)
For more information about the apps, see [SaaS application integration with Azur
**Service category:** Enterprise Apps **Product capability:** SSO
-We've introduced new claim transformation methods, ToLower() and ToUpper(), which can be applied to SAML tokens from the SAML-based **single sign-on Configuration** page.
+We've introduced new claim transformation methods, ToLower() and ToUpper(), which can be applied to SAML tokens from the SAML-based **Single Sign-On Configuration** page.
For more information, see [How to customize claims issued in the SAML token for enterprise applications in Azure AD](../develop/active-directory-saml-claims-customization.md)
As part of our updated SAML-based app configuration UI, you'll get:
- A way to set the NameID Format for SAML apps, and a way to set the NameID value as Directory Extensions.
-To turn on this updated view, click the **Try out our new experience** link from the top of the **single sign-on** page. For more information, see [Tutorial: Configure SAML-based single sign-on for an application with Azure Active Directory](../manage-apps/view-applications-portal.md).
+To turn on this updated view, click the **Try out our new experience** link from the top of the **Single Sign-On** page. For more information, see [Tutorial: Configure SAML-based single sign-on for an application with Azure Active Directory](../manage-apps/view-applications-portal.md).
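Review bot: only the page name was recapitalized on this line; the link text "Tutorial: Configure SAML-based single sign-on for an application ..." keeps lower-case, and "click the **Try out our new experience** link" keeps "click" although other hunks in this change replace "click" with "select" (see the custom extension properties and Qualys SSL Labs lines). Apply the same wording here for consistency.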
This update lets you see which policies are evaluated when a user signs in along
-### View legacy authentications through sign-ins activity logs
+### View legacy authentications through Sign-ins activity logs
**Type:** New feature **Service category:** Reporting **Product capability:** Monitoring & Reporting
-With the introduction of the **Client App** field in the Sign-in activity logs, customers can now see users that are using legacy authentications. Customers will be able to access this information using the sign-ins Microsoft Graph API or through the Sign-in activity logs in Azure AD portal where you can use the **Client App** control to filter on legacy authentications. Check out the documentation for more details.
+With the introduction of the **Client App** field in the Sign-in activity logs, customers can now see users that are using legacy authentications. Customers will be able to access this information using the Sign-ins Microsoft Graph API or through the Sign-in activity logs in Azure AD portal where you can use the **Client App** control to filter on legacy authentications. Check out the documentation for more details.
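Review bot: "Check out the documentation for more details" on the + line points at nothing; add a link to the sign-in activity logs documentation (or drop the sentence), as the other sections here close with a concrete "For more information, see ..." link.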
We're updating the acceptance string in the TOU end-user UI.
**Current text.** In order to access [tenantName] resources, you must accept the terms of use.<br>**New text.** In order to access [tenantName] resource, you must read the terms of use.
-**Current text:** Choosing to accept means that you agree to all of the above terms of use.<br>**New text:** Please click Accept to confirm that you have read and understood the terms of use.
+**Current text:** Choosing to accept means that you agree to all of the above terms of use.<br>**New text:** Please select Accept to confirm that you have read and understood the terms of use.
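Review bot: the **New text** line quotes the acceptance string shown to end users, so changing "click" to "select" here alters the quoted UI string rather than the doc's own voice; confirm the product string actually reads "Please select Accept to confirm ..." before merging, otherwise the announcement no longer matches what users see.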
If any of your apps use Azure AD Activity Log APIs, follow these steps to ensure
**To update your app permissions** 1. Sign in to the Azure portal, select **Azure Active Directory**, and then select **App Registrations**.
-2. Select your app that uses the Azure AD Activity Logs API, select **Settings**, select **Required permissions**, and then select the **Microsoft Azure Active Directory** API.
+2. Select your app that uses the Azure AD Activity Logs API, select **Settings**, select **Required permissions**, and then select the **Windows Azure Active Directory** API.
3. In the **Delegated permissions** area of the **Enable access** blade, select the box next to **Read directory** data, and then select **Save**. 4. Select **Grant permissions**, and then select **Yes**.
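Review bot: step 2 changes the API name back from "Microsoft Azure Active Directory" to "Windows Azure Active Directory". That is the label the legacy app registration **Required permissions** blade used, so it may be correct for the flow these steps describe, but confirm it against the portal UI rather than reverting on naming grounds alone.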
Transport Layer Security (TLS) is a protocol that provides privacy and data inte
The [PCI Security Standards Council](https://www.pcisecuritystandards.org/) has determined that early versions of TLS and Secure Sockets Layer (SSL) must be disabled in favor of enabling new and more secure app protocols, with compliance starting on **June 30, 2018**. This change means that if you connect to Azure AD services and require PCI DSS-compliance, you must disable TLS 1.0. Multiple versions of TLS are available, but TLS 1.2 is the latest version available for Azure Active Directory Services. We highly recommend moving directly to TLS 1.2 for both client/server and browser/server combinations.
-Out-of-date browsers might not support newer TLS versions, such as TLS 1.2. To see which versions of TLS are supported by your browser, go to the [Qualys SSL Labs](https://www.ssllabs.com/) site and click **Test your browser**. We recommend you upgrade to the latest version of your web browser and preferably enable only TLS 1.2.
+Out-of-date browsers might not support newer TLS versions, such as TLS 1.2. To see which versions of TLS are supported by your browser, go to the [Qualys SSL Labs](https://www.ssllabs.com/) site and select **Test your browser**. We recommend you upgrade to the latest version of your web browser and preferably enable only TLS 1.2.
**To enable TLS 1.2, by browser**
For more information about public preview, see the [Azure AD delegated applicati
**Service category:** Authentications (Logins) **Product capability:** Platform
-Software as a Service offering, like Azure Active Directory (Azure AD) are designed to work best by going directly through the Internet, without requiring ExpressRoute or any other private VPN tunnels. Because of this, on **August 1, 2018**, we will stop supporting ExpressRoute for Azure AD services using Azure public peering and Azure communities in Microsoft peering. Any services impacted by this change might notice Azure AD traffic gradually shifting from ExpressRoute to the Internet.
+Software as a Service offering, like Azure Active Directory (Azure AD) are designed to work best by going directly through the Internet, without requiring ExpressRoute or any other private VPN tunnels. Because of this, on **August 1, 2018**, we'll stop supporting ExpressRoute for Azure AD services using Azure public peering and Azure communities in Microsoft peering. Any services impacted by this change might notice Azure AD traffic gradually shifting from ExpressRoute to the Internet.
While we're changing our support, we also know there are still situations where you might need to use a dedicated set of circuits for your authentication traffic. Because of this, Azure AD will continue to support per-tenant IP range restrictions using ExpressRoute and services already on Microsoft peering with the "Other Office 365 Online services" community. If your services are impacted, but you require ExpressRoute, you must do the following:
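Review bot: subject-verb disagreement is carried over on the + line: "Software as a Service offering, like Azure Active Directory (Azure AD) are designed" should read "Software as a Service offerings, like Azure Active Directory (Azure AD), are designed". Fix it while the contraction is being applied.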
Access review of groups and apps is now generally available as part of Azure AD
**Service category:** Reporting **Product capability:** Monitoring & Reporting
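Review bot: the contraction fix leaves a subject-verb disagreement in the opening sentence: "Software as a Service offering, like Azure Active Directory (Azure AD) are designed" should read "Software as a service offerings, like Azure Active Directory (Azure AD), are designed". "Impacted" in both paragraphs is better as "affected".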
-Azure AD Activity logs, which, includes sign-ins and Audit logs, are now available through the Microsoft Graph API. We have exposed two end points through the Microsoft Graph API to access these logs. Check out our [documents](../reports-monitoring/concept-reporting-api.md) for programmatic access to Azure AD Reporting APIs to get started.
+Azure AD Activity logs, which, includes Sign-ins and Audit logs, are now available through the Microsoft Graph API. We have exposed two end points through the Microsoft Graph API to access these logs. Check out our [documents](../reports-monitoring/concept-reporting-api.md) for programmatic access to Azure AD Reporting APIs to get started.
For more information, see [Allow or block invitations to B2B users from specific
In April 2018, we've added these 13 new apps with Federation support to our app gallery:
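Review bot: the capitalization change does not fix the stray comma and number agreement in "Activity logs, which, includes sign-ins and Audit logs" (should be "which include sign-in and audit logs"), nor "end points" (one word, "endpoints"). Since the hunk already rewrites this sentence, suggest "Azure AD activity logs, which include sign-in and audit logs, are now available through the Microsoft Graph API. We've exposed two endpoints...".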
-Criterion HCM, [FiscalNote](../saas-apps/fiscalnote-tutorial.md), [Secret Server (on-premises)](../saas-apps/secretserver-on-premises-tutorial.md), [Dynamic Signal](../saas-apps/dynamicsignal-tutorial.md), [mindWireless](../saas-apps/mindwireless-tutorial.md), [OrgChart Now](../saas-apps/orgchartnow-tutorial.md), [Ziflow](../saas-apps/ziflow-tutorial.md), [AppNeta Performance Monitor](../saas-apps/appneta-tutorial.md), [Elium](../saas-apps/elium-tutorial.md), [Fluxx Labs](../saas-apps/fluxxlabs-tutorial.md), [Cisco Cloud](../saas-apps/ciscocloud-tutorial.md), Shelf, [SafetyNet](../saas-apps/safetynet-tutorial.md)
+Criterion HCM, [FiscalNote](../saas-apps/fiscalnote-tutorial.md), [Secret Server (On-Premises)](../saas-apps/secretserver-on-premises-tutorial.md), [Dynamic Signal](../saas-apps/dynamicsignal-tutorial.md), [mindWireless](../saas-apps/mindwireless-tutorial.md), [OrgChart Now](../saas-apps/orgchartnow-tutorial.md), [Ziflow](../saas-apps/ziflow-tutorial.md), [AppNeta Performance Monitor](../saas-apps/appneta-tutorial.md), [Elium](../saas-apps/elium-tutorial.md), [Fluxx Labs](../saas-apps/fluxxlabs-tutorial.md), [Cisco Cloud](../saas-apps/ciscocloud-tutorial.md), Shelf, [SafetyNet](../saas-apps/safetynet-tutorial.md)
For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md).
For more information, see [How does sign-in on a native client with Seamless SSO
Users get a silent sign-on experience, with Seamless SSO, if an application (for example, `https://contoso.sharepoint.com`) sends sign-in requests to Azure AD's tenant endpoints - that is, `https://login.microsoftonline.com/contoso.com/<..>` or `https://login.microsoftonline.com/<tenant_ID>/<..>` - instead of Azure AD's common endpoint (`https://login.microsoftonline.com/common/<...>`).
-For more information, see [Azure Active Directory Seamless single sign-on](../hybrid/how-to-connect-sso.md).
+For more information, see [Azure Active Directory Seamless Single Sign-On](../hybrid/how-to-connect-sso.md).
For more information, see [Azure Active Directory Seamless single sign-on](../hy
To roll out Seamless SSO to your users, you need to add only one Azure AD URL to the users' Intranet zone settings by using group policy in Active Directory: `https://autologon.microsoftazuread-sso.com`. Previously, customers were required to add two URLs.
-For more information, see [Azure Active Directory Seamless single sign-on](../hybrid/how-to-connect-sso.md).
+For more information, see [Azure Active Directory Seamless Single Sign-On](../hybrid/how-to-connect-sso.md).
For more information, see [Dynamic membership rules for groups in Azure Active D
Previously, even if users explicitly signed out of an application secured by Azure AD, they would be automatically signed back in using Seamless SSO if they were trying to access an Azure AD application again within their corpnet from their domain joined devices. With this change, sign out is supported. This allows users to choose the same or different Azure AD account to sign back in with, instead of being automatically signed in using Seamless SSO.
-For more information, see [Azure Active Directory Seamless single sign-on](../hybrid/how-to-connect-sso.md)
+For more information, see [Azure Active Directory Seamless Single Sign-On](../hybrid/how-to-connect-sso.md)
The navigation experience for managing users and groups has been streamlined. Yo
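Review bot: the three "For more information" links are retitled to "Seamless Single Sign-On", but the unchanged sentence immediately before the second one still reads "Seamless single sign-on", so the page ends up with both casings a few lines apart; apply the same change there or keep the lowercase form everywhere. The third retitled link also still has no closing period after the link.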
Azure AD Activity log reports are now available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet) instances. The following logs are included: -- **sign-ins activity logs** - Includes all the sign-ins logs associated with your tenant.
+- **Sign-ins activity logs** - Includes all the sign-ins logs associated with your tenant.
- **Self service Password Audit Logs** - Includes all the SSPR audit logs.
For more information about how to use these reports, see [Azure Active Directory
**Service category:** Reporting **Product capability:** Monitoring & Reporting
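Review bot: capitalizing only the first bullet leaves the two bullets inconsistent: "Sign-ins activity logs" next to "Self service Password Audit Logs". Normalize both, for example "Sign-in activity logs" and "Self-service password reset (SSPR) audit logs", which also expands the SSPR abbreviation that the second bullet currently uses without introducing it.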
-As part of customers feedback to enable non-admin roles to have access to Azure AD activity logs, we have enabled the ability for users who are in the "Report Reader" role to access sign-ins and Audit activity within the Azure portal as well as using the Microsoft Graph API.
+As part of customers feedback to enable non-admin roles to have access to Azure AD activity logs, we've enabled the ability for users who are in the "Report Reader" role to access Sign-ins and Audit activity within the Azure portal as well as using the Microsoft Graph API.
For more information, how to use these reports, see [Azure Active Directory reporting](../reports-monitoring/overview-reports.md).
For more information, see:
**Service category:** Terms of use **Product capability:** Compliance
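Review bot: the Azure AD built-in role is "Reports Reader", not "Report Reader"; the hunk already rewrites this sentence, so fix the role name and link it to the roles reference the way the July entries do. Same sentence: "customers feedback" should be "customer feedback", "non-admin roles" should be "non-administrator roles", and "as well as using the Microsoft Graph API" reads better as "and through the Microsoft Graph API".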
-When the terms of use are displayed, you can now click **Having trouble viewing? Click here**. Clicking this link opens the terms of use natively on your device. Regardless of the font size in the document or the screen size of device, you can zoom and read the document as needed.
+When the terms of use are displayed, you can now select **Having trouble viewing? Click here**. Clicking this link opens the terms of use natively on your device. Regardless of the font size in the document or the screen size of device, you can zoom and read the document as needed.
For more information about listing your application in the Azure AD app gallery,
The insight you get for a detected risk detection is tied to your Azure AD subscription. With the Azure AD Premium P2 edition, you get the most detailed information about all underlying detections.
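Review bot: "click" is changed to "select" but the next sentence still opens with "Clicking this link", and the bolded UI string itself says "Click here". Keep the UI label verbatim (it is what the user sees) and change only the follow-on sentence to "Selecting this link opens the terms of use natively on your device."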
-With the Azure AD Premium P1 edition, detections that are not covered by your license appear as the risk detection Sign-in with additional risk detected.
+With the Azure AD Premium P1 edition, detections that aren't covered by your license appear as the risk detection Sign-in with additional risk detected.
For more information, see [Azure Active Directory risk detections](../identity-protection/overview-identity-protection.md).
Due to these new capabilities, the report APIs under the /reports endpoint were
**Service category:** My Apps **Product capability:** Single sign-on
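Review bot: the contraction edit leaves "Sign-in with additional risk detected" unformatted, although it is the literal name of a risk detection and otherwise reads as running prose; set it in bold or quotes. In the sentence above, "detected risk detection" is redundant ("for a risk detection").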
-Azure AD supports automatic sign-in field detection for applications that render an HTML user name and password field. These steps are documented in [How to automatically capture sign-in fields for an application](../manage-apps/troubleshoot-password-based-sso.md#manually-capture-sign-in-fields-for-an-app). You can find this capability by adding a *Non-Gallery* application on the **Enterprise Applications** page in the [Azure portal](https://aad.portal.azure.com). Additionally, you can configure the **Single sign-on** mode on this new application to **Password-based single sign-on**, enter a web URL, and then save the page.
+Azure AD supports automatic sign-in field detection for applications that render an HTML user name and password field. These steps are documented in [How to automatically capture sign-in fields for an application](../manage-apps/troubleshoot-password-based-sso.md#manually-capture-sign-in-fields-for-an-app). You can find this capability by adding a *Non-Gallery* application on the **Enterprise Applications** page in the [Azure portal](https://aad.portal.azure.com). Additionally, you can configure the **Single Sign-on** mode on this new application to **Password-based Single Sign-on**, enter a web URL, and then save the page.
Due to a service issue, this functionality was temporarily disabled. The issue was resolved, and the automatic sign-in field detection is available again.
A hotfix roll-up package (build 4.4.1642.0) is available as of September 25, 201
For more information, see [Hotfix rollup package (build 4.4.1642.0) is available for Identity Manager 2016 Service Pack 1](https://support.microsoft.com/help/4021562). -+
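Review bot: the link text says "How to automatically capture sign-in fields for an application" while the anchor targets "#manually-capture-sign-in-fields-for-an-app"; one of the two is wrong and should be checked against the target page. The "Azure portal" link in the same sentence goes to aad.portal.azure.com, which is the Azure AD admin center rather than the Azure portal; either change the link text or the target so they agree.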
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new.md
Azure AD receives improvements on an ongoing basis. To stay up to date with the
This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [Archive for What's new in Azure Active Directory](whats-new-archive.md). +
+ ## July 2022
+
+### Public Preview - ADFS to Azure AD: SAML App Multi-Instancing
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** SSO
+
+Users can now configure multiple instances of the same application within an Azure AD tenant. It's now supported for both IdP, and Service Provider (SP), initiated single sign-on requests. Multiple application accounts can now have a separate service principle to handle instance-specific claims mapping and roles assignment. For more information, see:
+
+- [Configure SAML app multi-instancing for an application - Microsoft Entra | Microsoft Docs](../develop/reference-app-multi-instancing.md)
+- [Customize app SAML token claims - Microsoft Entra | Microsoft Docs](../develop/active-directory-saml-claims-customization.md)
+++++
+### Public Preview - ADFS to Azure AD: Apply RegEx Replace to groups claim content
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** SSO
+
+
+
+Administrators up until recently has the capability to transform claims using many transformations, however using regular expression for claims transformation wasn't exposed to customers. With this public preview release, administrators can now configure and use regular expressions for claims transformation using portal UX.
+For more information, see:[Customize app SAML token claims - Microsoft Entra | Microsoft Docs](../develop/active-directory-saml-claims-customization.md).
+
++
+
++
+### Public Preview - Azure AD Domain Services - Trusts for User Forests
+
+**Type:** New feature
+**Service category:** Azure AD Domain Services
+**Product capability:** Azure AD Domain Services
+
+
+You can now create trusts on both user and resource forests. On-premises AD DS users can't authenticate to resources in the Azure AD DS resource forest until you create an outbound trust to your on-premises AD DS. An outbound trust requires network connectivity to your on-premises virtual network on which you have installed Azure AD Domain Service. On a user forest, trusts can be created for on-premises AD forests that aren't synchronized to Azure AD DS.
+
+To learn more about trusts and how to deploy your own, visit [How trust relationships work for forests in Active Directory](/azure/active-directory-domain-services/concepts-forest-trust).
+
+
++
+
++
+### New Federated Apps available in Azure AD Application gallery - July 2022
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** 3rd Party Integration
+
+
+In July 2022 we've added the following 28 new applications in our App gallery with Federation support:
+
+[Lunni Ticket Service](https://ticket.lunni.io/login), [TESMA](https://tesma.com/), [Spring Health](https://benefits.springhealth.com/care), [Sorbet](https://lite.sorbetapp.com/login), [Rainmaker UPS](https://upsairlines.rainmaker.aero/rainmaker.security.web/), [Planview ID](../saas-apps/planview-id-tutorial.md), [Karbonalpha](https://saas.karbonalpha.com/settings/api), [Headspace](../saas-apps/headspace-tutorial.md), [SeekOut](../saas-apps/seekout-tutorial.md), [Stackby](../saas-apps/stackby-tutorial.md), [Infrascale Cloud Backup](../saas-apps/infrascale-cloud-backup-tutorial.md), [Keystone](../saas-apps/keystone-tutorial.md), [LMS・教育管理システム Leaf](../saas-apps/lms-and-education-management-system-leaf-tutorial.md), [ZDiscovery](../saas-apps/zdiscovery-tutorial.md), [ラインズeライブラリアドバンス (Lines eLibrary Advance)](../saas-apps/lines-elibrary-advance-tutorial.md), [Rootly](../saas-apps/rootly-tutorial.md), [Articulate 360](../saas-apps/articulate360-tutorial.md), [Rise.com](../saas-apps/risecom-tutorial.md), [SevOne Network Monitoring System (NMS)](../saas-apps/sevone-network-monitoring-system-tutorial.md), [PGM](https://ups-pgm.4gfactor.com/azure/), [TouchRight Software](https://app.touchrightsoftware.com/), [Tendium](../saas-apps/tendium-tutorial.md), [Training Platform](../saas-apps/training-platform-tutorial.md), [Znapio](https://app.znapio.com/), [Preset](../saas-apps/preset-tutorial.md), [itslearning MS Teams sync](https://itslearning.com/global/), [Veza](../saas-apps/veza-tutorial.md), [Trax](https://app.trax.co/authn/login)
+
+You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,
+
+For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest
++
+
+
+
++
+### General Availability - No more waiting, provision groups on demand into your SaaS applications.
+
+**Type:** New feature
+**Service category:** Provisioning
+**Product capability:** Identity Lifecycle Management
+
+
+Pick a group of up to five members and provision them into your third-party applications in seconds. Get started testing, troubleshooting, and provisioning to non-Microsoft applications such as ServiceNow, ZScaler, and Adobe. For more information, see: [On-demand provisioning in Azure Active Directory](../app-provisioning/provision-on-demand.md).
+
++
+
+
+### General Availability ΓÇô Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD
+
+**Type:** New feature
+**Service category:** MS Graph
+**Product capability:** Identity Security & Protection
+
+
+We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by imitating that a multi factor authentication has already been performed by the identity provider. The protection can be enabled via new security setting, [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values).
+
+
+We highly recommend enabling this new protection when using Azure AD Multi-Factor Authentication as your multi factor authentication for your federated users. To learn more about the protection and how to enable it, visit [Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#enable-protection-to-prevent-by-passing-of-cloud-azure-ad-multi-factor-authentication-when-federated-with-azure-ad).
+
++
+
+
+### Public preview - New provisioning connectors in the Azure AD Application Gallery - July 2022
+
+**Type:** New feature
+**Service category:** App Provisioning
+**Product capability:** 3rd Party Integration
+
+
+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
+
+- [Tableau Cloud](../saas-apps/tableau-online-provisioning-tutorial.md)
+
+For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
+
++
+
+
+### General Availability - Tenant-based service outage notifications
+
+**Type:** New feature
+**Service category:** Other
+**Product capability:** Platform
+
+
+Azure Service Health supports service outage notifications to Tenant Admins for Azure Active Directory issues. These outages will also appear on the Azure AD Admin Portal Overview page with appropriate links to Azure Service Health. Outage events will be able to be seen by built-in Tenant Administrator Roles. We'll continue to send outage notifications to subscriptions within a tenant for transition. More information is available at: [What are Service Health notifications in Azure Active Directory?](../reports-monitoring/overview-service-health-notifications.md).
+
+
++
+
++
+### Public Preview - Multiple Passwordless Phone sign-in Accounts for iOS devices
+
+**Type:** New feature
+**Service category:** Authentications (Logins)
+**Product capability:** User Authentication
+
+
+End users can now enable passwordless phone sign-in for multiple accounts in the Authenticator App on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same iOS device. The Azure AD accounts can be in either the same, or different, tenants. Guest accounts aren't supported for multiple account sign-ins from one device.
++
+Note that end users are encouraged to enable the optional telemetry setting in the Authenticator App, if not done so already. For more information, see: [Enable passwordless sign-in with Microsoft Authenticator](../authentication/howto-authentication-passwordless-phone.md)
+
+
++
+
+
+
+### Public Preview - Azure AD Domain Services - Fine Grain Permissions
+
+**Type:** Changed feature
+**Service category:** Azure AD Domain Services
+**Product capability:** Azure AD Domain Services
+
+
+
+Previously to set up and administer your AAD-DS instance you needed top level permissions of Azure Contributor and Azure AD Global Admin. Now for both initial creation, and ongoing administration, you can utilize more fine grain permissions for enhanced security and control. The prerequisites now minimally require:
+
+- You need [Application Administrator](../roles/permissions-reference.md#application-administrator) and [Groups Administrator](../roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS.
+- You need [Domain Services Contributor](/azure/role-based-access-control/built-in-roles#domain-services-contributor) Azure role to create the required Azure AD DS resources.
+
+
+Check out these resources to learn more:
+
+- [Tutorial - Create an Azure Active Directory Domain Services managed domain | Microsoft Docs](/azure/active-directory-domain-services/tutorial-create-instance#prerequisites)
+- [Least privileged roles by task - Azure Active Directory | Microsoft Docs](../roles/delegate-by-task.md#domain-services)
+- [Azure built-in roles - Azure RBAC | Microsoft Docs](/azure/role-based-access-control/built-in-roles#domain-services-contributor)
+
+
++
+
+
+### General Availability- Azure AD Connect update release with new functionality and bug fixes
+
+**Type:** Changed feature
+**Service category:** Provisioning
+**Product capability:** Identity Lifecycle Management
+
+
+
+A new Azure AD Connect release fixes several bugs and includes new functionality. This release is also available for auto upgrade for eligible servers. For more information, see: [Azure AD Connect: Version release history](../hybrid/reference-connect-version-history.md#21150).
++
+
+
+### General Availability - Cross-tenant access settings for B2B collaboration
+
+**Type:** Changed feature
+**Service category:** B2B
+**Product capability:** B2B/B2C
+
+
+
+Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. Now youΓÇÖll have granular inbound and outbound access control settings that work on a per org, user, group, and application basis. These settings also make it possible for you to trust security claims from external Azure AD organizations like multi-factor authentication (MFA), device compliance, and hybrid Azure AD joined devices. For more information, see: [Cross-tenant access with Azure AD External Identities](../external-identities/cross-tenant-access-overview.md).
+
++
+
+
+### General Availability- Expression builder with Application Provisioning
+
+**Type:** Changed feature
+**Service category:** Provisioning
+**Product capability:** Outbound to SaaS Applications
+
+
+Accidental deletion of users in your apps or in your on-premises directory could be disastrous. WeΓÇÖre excited to announce the general availability of the accidental deletions prevention capability. When a provisioning job would cause a spike in deletions, it will first pause and provide you visibility into the potential deletions. You can then accept or reject the deletions and have time to update the jobΓÇÖs scope if necessary. For more information, see [Understand how expression builder in Application Provisioning works](../app-provisioning/expression-builder.md).
+
++
+
++
+### Public Preview - Improved app discovery view for My Apps portal
+
+**Type:** Changed feature
+**Service category:** My Apps
+**Product capability:** End User Experiences
+
+
+An improved app discovery view for My Apps is in public preview. The preview shows users more apps in the same space and allows them to scroll between collections. It doesn't currently support drag-and-drop and list view. Users can opt into the preview by selecting Try the preview and opt out by selecting Return to previous view. To learn more about My Apps, see [My Apps portal overview](../manage-apps/myapps-overview.md).
++
+
++
+
++
+### Public Preview - New Azure AD Portal All Devices list
+
+**Type:** Changed feature
+**Service category:** Device Registration and Management
+**Product capability:** End User Experiences
+
+
+
+We're enhancing the All Devices list in the Azure AD Portal to make it easier to filter and manage your devices. Improvements include:
+
+All Devices List:
+
+- Infinite scrolling
+- More devices properties can be filtered on
+- Columns can be reordered via drag and drop
+- Select all devices
+
+For more information, see: [Manage devices in Azure AD using the Azure portal](../devices/device-management-azure-portal.md#view-and-filter-your-devices-preview).
++
+
++
+
++
+### Public Preview - ADFS to Azure AD: Persistent NameID for IDP-initiated Apps
+
+**Type:** Changed feature
+**Service category:** Enterprise Apps
+**Product capability:** SSO
+
+
+Previously the only way to have persistent NameID value was to ΓÇïconfigure user attribute with an empty value. Admins can now explicitly configure the NameID value to be persistent ΓÇïalong with the corresponding format.
+
+For more information, see: [Customize app SAML token claims - Microsoft identity platform | Microsoft Docs](../develop/active-directory-saml-claims-customization.md#attributes).
+
++
+
++
+### Public Preview - ADFS to Azure Active Directory: Customize attrname-formatΓÇï
+
+**Type:** Changed feature
+**Service category:** Enterprise Apps
+**Product capability:** SSO
+
+
+With this new parity update, customers can now integrate non-gallery applications such as Socure DevHub with Azure AD to have SSO via SAML.
+
+For more information, see [Claims mapping policy - Microsoft Entra | Microsoft Docs](../develop/reference-claims-mapping-policy-type.md#claim-schema-entry-elements).
+
++
+
++ ## June 2022
This page is updated monthly, so revisit it regularly. If you're looking for ite
**Type:** New feature **Service category:** App Provisioning
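Review bot: "Multiple application accounts can now have a separate service principle" in the SAML multi-instancing entry must be "service principal" (the Azure AD object type); it is the one wording error in this block that changes meaning. The MFA-bypass protection entry ("Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD") repeats, almost word for word, the entry already present under June 2022 below, and its federatedIdpMfaBehavior link targets graph-rest-beta where the June copy targets graph-rest-1.0; a General Availability item should link v1.0, and the duplicate should either be removed or rewritten to say what changed in July. The "Expression builder with Application Provisioning" heading and its expression-builder.md link do not match the body, which describes accidental deletion prevention; likewise the "Customize attrname-format" body never says what attribute name-format customization is, only that Socure DevHub can now be integrated. Mojibake needs fixing in "General Availability ΓÇô Protect", "youΓÇÖll", "WeΓÇÖre", "jobΓÇÖs", "ΓÇïconfigure", "persistent ΓÇïalong" and "attrname-formatΓÇï" (an en dash, right single quotation marks and zero-width spaces, UTF-8 decoded as code page 437). Grammar: "Administrators up until recently has the capability to transform claims" should be "Until recently, administrators could transform claims"; "Outage events will be able to be seen by" should be "Outage events are visible to"; "AAD-DS" should be "Azure AD DS", "fine grain" should be "fine-grained", "Azure AD Global Admin" should be "Global Administrator", and "on which you have installed Azure AD Domain Service" should be "Services". The bare https://aka.ms/AppsTutorial, and https://aka.ms/AzureADAppRequest should be markdown links (and the trailing comma dropped), and the UI labels "Try the preview" and "Return to previous view" should be bolded like the other UI strings on the page. Finally, runs of empty added lines between entries ("+++++") will render as extra vertical space; one blank line before each heading is enough.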
-**Product capability:** Third Party Integration
+**Product capability:** 3rd Party Integration
You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
Customers can be alerted on assignments made outside PIM either directly on the
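Review bot: "Third Party Integration" is changed to "3rd Party Integration" here and in three more hunks below, but the April and February entries further down still read "Third Party Integration", so the page ends up with both spellings. Keep one form throughout; since the Microsoft style guide hyphenates the adjective, "Third-party integration" is the safer choice for all of them.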
-Temporary Access Pass (TAP) is now generally available. TAP can be used to securely register password-less methods such as Phone Sign-in, phishing resistant methods such as FIDO2, and even assist in Windows onboarding (AADJ and WHFB). TAP also makes recovery easier when a user has lost or forgotten their strong authentication methods and needs to sign in to register new authentication methods. For more information, see: [Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods](../authentication/howto-authentication-temporary-access-pass.md).
+Temporary Access Pass (TAP) is now generally available. TAP can be used to securely register password-less methods such as Phone Sign-in, phishing resistant methods such as FIDO2, and even help Windows onboarding (AADJ and WHFB). TAP also makes recovery easier when a user has lost or forgotten their strong authentication methods and needs to sign in to register new authentication methods. For more information, see: [Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods](../authentication/howto-authentication-temporary-access-pass.md).
Create "nested" groups with Azure AD Dynamic Groups! This feature enables you to
**Type:** New feature **Service category:** Enterprise Apps
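Review bot: replacing "assist in Windows onboarding" with "help Windows onboarding" drops the preposition; it should be "help with Windows onboarding". The same sentence mixes "password-less" and "Passwordless" (use "passwordless" as in the linked article title), and "AADJ and WHFB" should be spelled out on first use as Azure AD join and Windows Hello for Business.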
-**Product capability:** Third Party Integration
+**Product capability:** 3rd Party Integration
For listing your application in the Azure AD app gallery, see the details here h
-We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by imitating that a multi factor authentication has already been performed by the identity provider. The protection can be enabled via new security setting, [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-1.0#federatedidpmfabehavior-values&preserve-view=true).
+We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by imitating that a multi factor authentication has already been performed by the identity provider. The protection can be enabled via new security setting, [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-1.0#federatedidpmfabehavior-values).
We highly recommend enabling this new protection when using Azure AD Multi-Factor Authentication as your multi factor authentication for your federated users. To learn more about the protection and how to enable it, visit [Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#enable-protection-to-prevent-by-passing-of-cloud-azure-ad-multi-factor-authentication-when-federated-with-azure-ad).
User Profile:
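Review bot: dropping "&preserve-view=true" from the federatedIdpMfaBehavior link looks like a regression: on docs, preserve-view=true is the documented way to keep an explicit "view=graph-rest-1.0" from being overridden by the reader's current version selector, so without it the link may not land on the v1.0 page. This entry is also duplicated under July 2022 above with a graph-rest-beta link; reconcile the two into one GA entry pointing at v1.0. Minor: the heading says "by-passing" while the body says "bypassing", and "imitating that a multi factor authentication has already been performed by the identity provider" reads better as "asserting that multifactor authentication was already performed at the identity provider".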
-### General availability - More device properties supported for Dynamic Device groups
+### General Availability - More device properties supported for Dynamic Device groups
**Type:** Changed feature **Service category:** Group Management
Azure Service Health will soon support service outage notifications to Tenant Ad
**Type:** New feature **Service category:** Enterprise Apps
-**Product capability:** Third Party Integration
+**Product capability:** 3rd Party Integration
When editing a collection using the My Apps portal, users can now add their own
**Type:** New feature **Service category:** App Provisioning
-**Product capability:** Third Party Integration
+**Product capability:** 3rd Party Integration
You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
For more information about how to better secure your organization by using autom
**Product capability:** Identity Security & Protection
-The sign-ins Microsoft Graph API now supports confirming safe and compromised on risky sign-ins. This public preview functionality is available at the beta endpoint. For more information, please check out the Microsoft Graph documentation: [Sign in: confirmSafe - Microsoft Graph beta | Microsoft Docs](/graph/api/signin-confirmsafe?view=graph-rest-beta&preserve-view=true)
+The sign-ins Microsoft Graph API now supports confirming safe and compromised on risky sign-ins. This public preview functionality is available at the beta endpoint. For more information, please check out the Microsoft Graph documentation: [signIn: confirmSafe - Microsoft Graph beta | Microsoft Docs](/graph/api/signin-confirmsafe?view=graph-rest-beta&preserve-view=true)
Smart Lockout now synchronizes the lockout state across Azure AD data centers, s
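Review bot: the API name casing is fixed but "supports confirming safe and compromised on risky sign-ins" is still ungrammatical; suggest "now supports confirming risky sign-ins as safe or compromised". "Please check out" should be "see".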
## April 2022 +
+### General Availability - Entitlement management separation of duties checks for incompatible access packages
+
+**Type:** Changed feature
+**Service category:** Other
+**Product capability:** Identity Governance
+
+In Azure AD entitlement management, an administrator can now configure the incompatible access packages and groups of an access package in the Azure portal. This prevents a user who already has one of those incompatible access rights from being able to request further access. For more information, see: [Configure separation of duties checks for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-incompatible.md).
++++ ### General Availability - Microsoft Defender for Endpoint Signal in Identity Protection **Type:** New feature
Identity Protection now integrates a signal from Microsoft Defender for Endpoint
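Review bot: "prevents a user who already has one of those incompatible access rights from being able to request further access" overstates the feature; separation-of-duties checks block requests for the access package that was configured as incompatible, not all further access. Suggest "prevents a user who already has one of the incompatible access packages or groups from requesting this access package".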
-### General availability - Entitlement management 3 stages of approval
+### General Availability - Entitlement management 3 stages of approval
**Type:** Changed feature **Service category:** Other
With a recent improvement, Smart Lockout now synchronizes the lockout state acro
-### Public Preview - Integration of Microsoft 365 App Certification details into Azure AD UX and Consent Experiences
+### Public Preview - Integration of Microsoft 365 App Certification details into Azure Active Directory UX and Consent Experiences
**Type:** New feature **Service category:** User Access Management
Microsoft 365 Certification status for an app is now available in Azure AD conse
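Review bot: expanding "Azure AD" to "Azure Active Directory" in this one heading goes against the other headings in the patch, which use "Azure AD" (for example "Azure AD Application gallery", "Azure AD Portal All Devices list"); keep the abbreviation unless every heading is changed.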
-### General availability - Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels
+### Public preview - Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels
**Type:** New feature **Service category:** Access Reviews **Product capability:** Identity Governance
-Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels. For more information, see: [Include B2B direct connect users and teams accessing Teams Shared Channels in access reviews](../governance/create-access-review.md#include-b2b-direct-connect-users-and-teams-accessing-teams-shared-channels-in-access-reviews).
+Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels. For more information, see: [Include B2B direct connect users and teams accessing Teams Shared Channels in access reviews (preview)](../governance/create-access-review.md#include-b2b-direct-connect-users-and-teams-accessing-teams-shared-channels-in-access-reviews).
We highly recommend enabling this new protection when using Azure AD Multi-Facto
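Review bot: The heading on the `+### Public preview` line changes this entry's status from General availability to Public preview, which is a substantive rollback rather than a wording edit; confirm that is intended before merging. The `(preview)` added to the link text on the following `+` line is consistent with it. The heading also uses `Public preview` where the App Certification heading above uses `Public Preview`, while the `General availability` to `General Availability` edits elsewhere in this change are standardizing on capitalized status words; use one form for all headings.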
**Service category:** Enterprise Apps **Product capability:** Third Party Integration
-In April 2022, we added the following 24 new applications in our App gallery with Federation support:
+In April 2022 we added the following 24 new applications in our App gallery with Federation support:
[X-1FBO](https://www.x1fbo.com/), [select Armor](https://app.clickarmor.c) You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.
With Azure Active Directory (Azure AD) Access Reviews, you can create a download
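Review bot: Dropping the comma after the introductory phrase on the `+In April 2022 we added` line goes against the rest of the article, which keeps a comma after date phrases (for example `In January 2022, we've added` further down); suggest keeping `In April 2022, we added the following 24 new applications`, and the same for the February 2022 line below.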
**Product capability:** Identity Security & Protection
-Azure AD Identity Protection is extending its core capabilities of detecting, investigating, and remediating identity-based risk to workload identities. This allows organizations to better protect their applications, service principals, and managed identities. We're also extending Conditional Access so you can block at-risk workload identities. [Learn more](../identity-protection/concept-workload-identity-risk.md)
+Azure AD Identity Protection is extending its core capabilities of detecting, investigating, and remediating identity-based risk to workload identities. This allows organizations to better protect their applications, service principals, and managed identities. We are also extending Conditional Access so you can block at-risk workload identities. [Learn more](../identity-protection/concept-workload-identity-risk.md)
Use multi-stage reviews to create Azure AD access reviews in sequential stages,
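Review bot: `We're` to `We are` on the `+` line moves away from contractions, while the PIM entry below does the opposite (`We have` to `We've`); the two edits should go in the same direction, and since the rest of this article uses contractions, leaving `We're` unchanged is the simpler fix.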
**Product capability:** Third Party Integration
-In February 2022, we added the following 20 new applications in our App gallery with Federation support:
+In February 2022 we added the following 20 new applications in our App gallery with Federation support:
[Embark](../saas-apps/embark-tutorial.md), [FENCE-Mobile RemoteManager SSO](../saas-apps/fence-mobile-remotemanager-sso-tutorial.md), [カオナビ](../saas-apps/kao-navi-tutorial.md), [Adobe Identity Management (OIDC)](../saas-apps/adobe-identity-management-tutorial.md), [AppRemo](../saas-apps/appremo-tutorial.md), [Live Center](https://livecenter.norkon.net/Login), [Offishall](https://app.offishall.io/), [MoveWORK Flow](https://www.movework-flow.fm/login), [Cirros SL](https://www.cirros.net/), [ePMX Procurement Software](https://azure.epmxweb.com/admin/index.php?), [Vanta O365](https://app.vanta.com/connections), [Hubble](../saas-apps/hubble-tutorial.md), [Medigold Gateway](https://gateway.medigoldcore.com), [クラウドログ](../saas-apps/crowd-log-tutorial.md),[Amazing People Schools](../saas-apps/amazing-people-schools-tutorial.md), [Salus](https://salus.com/login), [XplicitTrust Network Access](https://console.xplicittrust.com/#/dashboard), [Spike Email - Mail & Team Chat](https://spikenow.com/web/), [AltheaSuite](https://planmanager.altheasuite.com/), [Balsamiq Wireframes](../saas-apps/balsamiq-wireframes-tutorial.md).
For listing your application in the Azure AD app gallery, please read the detail
**Product capability:** Identity Security & Protection
-Identity Protection has added two new detections from Microsoft Defender for Cloud Apps, formerly MCAS. The Mass Access to Sensitive Files detection detects anomalous user activity, and the Unusual Addition of Credentials to an OAuth app detects suspicious service principal activity.[Learn more](../identity-protection/concept-identity-protection-risks.md)
+Identity Protection has added two new detections from Microsoft Defender for Cloud Apps, (formerly MCAS). The Mass Access to Sensitive Files detection detects anomalous user activity, and the Unusual Addition of Credentials to an OAuth app detects suspicious service principal activity.[Learn more](../identity-protection/concept-identity-protection-risks.md)
For more information about how to better secure your organization by using autom
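Review bot: `Microsoft Defender for Cloud Apps, (formerly MCAS)` on the `+` line introduces a stray comma before the parenthesis; write `Microsoft Defender for Cloud Apps (formerly MCAS)`. While the line is being touched, also add the missing space before `[Learn more]` at the end of the paragraph (`activity. [Learn more]`).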
**Product capability:** Privileged Identity Management
-We have improved the Privileged Identity management (PIM) time to role activation for SharePoint Online. Now, when activating a role in PIM for SharePoint Online, you should be able to use your permissions right away in SharePoint Online. This change will roll out in stages, so you might not yet see these improvements in your organization. [Learn more](../privileged-identity-management/pim-how-to-activate-role.md)
+We've improved the Privileged Identity management (PIM) time to role activation for SharePoint Online. Now, when activating a role in PIM for SharePoint Online, you should be able to use your permissions right away in SharePoint Online. This change will roll out in stages, so you might not yet see these improvements in your organization. [Learn more](../privileged-identity-management/pim-how-to-activate-role.md)
We have improved the Privileged Identity management (PIM) time to role activatio
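Review bot: `Privileged Identity management (PIM)` on the `+` line has the product name half-capitalized; since the sentence is being edited anyway, change it to `Privileged Identity Management (PIM)`.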
-## January 2022
-
-### Public preview - Custom security attributes
-
-**Type:** New feature
-**Service category:** Directory Management
-**Product capability:** Directory
-
-Enables you to define business-specific attributes that you can assign to Azure AD objects. These attributes can be used to store information, categorize objects, or enforce fine-grained access control. Custom security attributes can be used with Azure attribute-based access control. [Learn more](custom-security-attributes-overview.md).
-
--
-### Public preview - Filter groups in tokens using a substring match
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** SSO
-
-In the past, Azure AD only permitted groups to be filtered based on whether they were assigned to an application. Now, you can also use Azure AD to filter the groups included in the token. You can filter with the substring match on the display name or onPremisesSAMAccountName attributes of the group object on the token. Only groups that the user is a member of will be included in the token. This token will be recognized whether it's on the ObjectID or the on premises SAMAccountName or security identifier (SID). This feature can be used together with the setting to include only groups assigned to the application if desired to further filter the list.[Learn more](../hybrid/how-to-connect-fed-group-claims.md)
---
-### General availability - Continuous Access Evaluation
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** Access Control
-
-With Continuous access evaluation (CAE), critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change. [Learn more](../conditional-access/concept-continuous-access-evaluation.md).
-
--
-### General Availability - User management enhancements are now available
-
-**Type:** New feature
-**Service category:** User Management
-**Product capability:** User Management
-
-The Azure AD portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:
--- More visible user properties including object ID, directory sync status, creation type, and identity issuer.-- **Search now** allows substring search and combined search of names, emails, and object IDs.-- Enhanced filtering by user type (member, guest, and none), directory sync status, creation type, company name, and domain name.-- New sorting capabilities on properties like name, user principal name, creation time, and deletion date.-- A new total users count that updates with any searches or filters.-
-For more information, go to [User management enhancements (preview) in Azure Active Directory](../enterprise-users/users-search-enhanced.md).
---
-### General Availability - My Apps customization of default Apps view
-
-**Type:** New feature
-**Service category:** My Apps
-**Product capability:** End User Experiences
-
-Customization of the default My Apps view in now in general availability. For more information on My Apps, you can go to [Sign in and start apps from the My Apps portal](https://support.microsoft.com/en-us/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
-
--
-### General Availability - Audited BitLocker Recovery
-
-**Type:** New feature
-**Service category:** Device Access Management
-**Product capability:** Device Lifecycle Management
-
-BitLocker keys are sensitive security items. Audited BitLocker recovery ensures that when BitLocker keys are read, an audit log is generated so that you can trace who accesses this information for given devices. [Learn more](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys).
---
-### General Availability - Download a list of devices
-
-**Type:** New feature
-**Service category:** Device Registration and Management
-**Product capability:** Device Lifecycle Management
-
-Download a list of your organization's devices to a .csv file for easier reporting and management. [Learn more](../devices/device-management-azure-portal.md#download-devices).
-
--
-### New provisioning connectors in the Azure AD Application Gallery - January 2022
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [Autodesk SSO](../saas-apps/autodesk-sso-provisioning-tutorial.md)-- [Evercate](../saas-apps/evercate-provisioning-tutorial.md)-- [frankli.io](../saas-apps/frankli-io-provisioning-tutorial.md)-- [Plandisc](../saas-apps/plandisc-provisioning-tutorial.md)-- [Swit](../saas-apps/swit-provisioning-tutorial.md)-- [TerraTrue](../saas-apps/terratrue-provisioning-tutorial.md)-- [TimeClock 365 SAML](../saas-apps/timeclock-365-saml-provisioning-tutorial.md)-
-For more information about how to better secure your organization by using automated user account provisioning, go to [Automate user provisioning to SaaS applications with Azure AD](../manage-apps/user-provisioning.md).
---
-### New Federated Apps available in Azure AD Application gallery - January 2022
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In January 2022, weΓÇÖve added the following 47 new applications in our App gallery with Federation support:
-
-[Jooto](../saas-apps/jooto-tutorial.md), [Proprli](https://app.proprli.com/), [Pace Scheduler](https://www.pacescheduler.com/accounts/login/), [DRTrack](../saas-apps/drtrack-tutorial.md), [Dining Sidekick](../saas-apps/dining-sidekick-tutorial.md), [Cryotos](https://app.cryotos.com/oauth2/authorization/azure-client), [Emergency Management Systems](https://secure.emsystems.com.au/), [Manifestly Checklists](../saas-apps/manifestly-checklists-tutorial.md), [eLearnPOSH](../saas-apps/elearnposh-tutorial.md), [Scuba Analytics](../saas-apps/scuba-analytics-tutorial.md), [Athena Systems sign-in Platform](../saas-apps/athena-systems-login-platform-tutorial.md), [TimeTrack](../saas-apps/timetrack-tutorial.md), [MiHCM](../saas-apps/mihcm-tutorial.md), [Health Note](https://www.healthnote.com/), [Active Directory SSO for DoubleYou](../saas-apps/active-directory-sso-for-doubleyou-tutorial.md), [Emplifi platform](../saas-apps/emplifi-platform-tutorial.md), [Flexera One](../saas-apps/flexera-one-tutorial.md), [Hypothesis](https://web.hypothes.is/help/authorizing-hypothesis-from-the-azure-ad-app-gallery/), [Recurly](../saas-apps/recurly-tutorial.md), [XpressDox Administrative Unit Cloud](https://au.xpressdox.com/Authentication/Login.aspx), [Zoom for Intune](https://zoom.us/), [UPWARD AGENT](https://app.upward.jp/login/), [Linux Foundation ID](https://openprofile.dev/), [Asset Planner](../saas-apps/asset-planner-tutorial.md), [Kiho](https://v3.kiho.fi/index/sso), [chezie](https://app.chezie.co/), [Excelity HCM](../saas-apps/excelity-hcm-tutorial.md), [yuccaHR](https://app.yuccahr.com/), [Blue Ocean Brain](../saas-apps/blue-ocean-brain-tutorial.md), [EchoSpan](../saas-apps/echospan-tutorial.md), [Archie](../saas-apps/archie-tutorial.md), [Equifax Workforce Solutions](../saas-apps/equifax-workforce-solutions-tutorial.md), [Palantir Foundry](../saas-apps/palantir-foundry-tutorial.md), [ATP SpotLight and ChronicX](../saas-apps/atp-spotlight-and-chronicx-tutorial.md), 
[DigiSign](https://app.digisign.org/selfcare/sso), [mConnect](https://mconnect.skooler.com/), [BrightHR](https://login.brighthr.com/), [Mural Identity](../saas-apps/mural-identity-tutorial.md), [NordPass SSO](https://app.nordpass.com/login%20use%20%22Log%20in%20to%20business%22%20option), [CloudClarity](https://portal.cloudclarity.app/dashboard), [Twic](../saas-apps/twic-tutorial.md), [Eduhouse Online](https://app.eduhouse.fi/palvelu/kirjaudu/microsoft), [Bealink](../saas-apps/bealink-tutorial.md), [Time Intelligence Bot](https://teams.microsoft.com/), [SentinelOne](https://sentinelone.com/)
-
-You can also find the documentation of all the applications from: https://aka.ms/AppsTutorial,
-
-For listing your application in the Azure AD app gallery, read the details in: https://aka.ms/AzureADAppRequest
---
-### Azure Ad access reviews reviewer recommendations now account for non-interactive sign-in information
-
-**Type:** Changed feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-Azure AD access reviews reviewer recommendations now account for non-interactive sign-in information, improving upon original recommendations based on interactive last sign-ins only. Reviewers can now make more accurate decisions based on the last sign-in activity of the users theyΓÇÖre reviewing. To learn more about how to create access reviews, go to [Create an access review of groups and applications in Azure AD](../governance/create-access-review.md).
-
--
-### Risk reason for offline Azure AD Threat Intelligence risk detection
-
-**Type:** Changed feature
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-The offline Azure AD Threat Intelligence risk detection can now have a risk reason that will help customers with the risk investigation. If a risk reason is available, it will show up as **Additional Info** in the risk details of that risk event. The information can be found in the Risk detections report. It will also be available through the additionalInfo property of the riskDetections API. [Learn more](../identity-protection/howto-identity-protection-investigate-risk.md).
-
-
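Review bot: Nothing in this hunk shows where the removed January 2022 section goes; confirm its entries (custom security attributes through the Azure AD Threat Intelligence risk reason) are added to the archive article in the same change so that the history, and any links readers have bookmarked, survive. If the text is moved rather than dropped, also replace the mojibake apostrophes on the removed lines (`weΓÇÖve`, `theyΓÇÖre`) with plain apostrophes in the archived copy, and restore the list formatting on the `--- More visible user properties` and `--- [Autodesk SSO]` lines, where the bullets have run together.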
active-directory Access Reviews Application Preparation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/access-reviews-application-preparation.md
na Previously updated : 04/25/2022 Last updated : 07/29/2022
Also, while not required for reviewing access to an application, we recommend al
In order for Azure AD access reviews to be used for an application, then the application must first be integrated with Azure AD. An application being integrated with Azure AD means one of two requirements must be met: * The application relies upon Azure AD for federated SSO, and Azure AD controls authentication token issuance. If Azure AD is the only identity provider for the application, then only users who are assigned to one of the application's roles in Azure AD are able to sign into the application. Those users that are denied by a review lose their application role assignment and can no longer get a new token to sign in to the application.
-* The application relies upon user or group lists that are provided to the application by Azure AD. This fulfillment could be done through a provisioning protocol such as System for Cross-Domain Identity Management (SCIM) or by the application querying Azure AD via Microsoft Graph. Those users that are denied by a review lose their application role assignment or group membership, and when those changes are made available to the application, then the denied users will no longer have access.
+* The application relies upon user or group lists that are provided to the application by Azure AD. This fulfillment could be done through a provisioning protocol such as System for Cross-Domain Identity Management (SCIM) or by the application querying Azure AD via Microsoft Graph, or groups that are written to AD DS. Those users that are denied by a review lose their application role assignment or group membership, and when those changes are made available to the application, then the denied users will no longer have access.
If neither of those criteria are met for an application, as the application doesn't rely upon Azure AD, then access reviews can still be used, however there may be some limitations. Users that aren't in your Azure AD or are not assigned to the application roles in Azure AD, won't be included in the review. Also, the changes to remove denied won't be able to be automatically sent to the application if there is no provisioning protocol that the application supports. The organization must instead have a process to send the results of a completed review to the application.
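Review bot: The added `or groups that are written to AD DS` on the `+` line breaks the parallelism of the sentence (the existing alternatives are `through a provisioning protocol …` and `by the application querying Azure AD …`); suggest `…via Microsoft Graph, or through Azure AD groups that are written back to AD DS and read by the application`. This is also the first use of `AD DS` in the article, so spell out Active Directory Domain Services once. The sentence after it, `when those changes are made available to the application`, covers a lot in the AD DS case: the removal reaches the application only after group writeback runs and the user's Kerberos tickets expire, which the article only states in the final section; a short cross-reference here would help.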
In order to permit a wide variety of applications and IT requirements to be addr
|Pattern|Application integration pattern|Steps to prepare for an access review| |:||--| |A| The application supports federated SSO, Azure AD is the only identity provider, and the application doesn't rely upon group or role claims. | In this pattern, you'll configure that the application requires individual application role assignments, and that users are assigned to the application. Then to perform the review, you'll create a single access review for the application, of the users assigned to this application role. When the review completes, if a user was denied, then they will be removed from the application role. Azure AD will then no longer issue that user with federation tokens and the user will be unable to sign into that application.|
-|B|If the application uses group claims in addition to application role assignments.| An application may use Azure AD group membership, distinct from application roles to express finer-grained access. Here, you can choose based on your business requirements either to have the users who have application role assignments reviewed, or to review the users who have group memberships. If the groups do not provide comprehensive access coverage, in particular if users may have access to the application even if they aren't a member of those groups, then we recommend reviewing the application role assignments, as in pattern A above.|
-|C| If the application doesn't rely solely on Azure AD for federated SSO, but does support provisioning via SCIM, or via updates to a SQL table of users or an LDAP directory. | In this pattern, you'll configure Azure AD to provision the users with application role assignments to the application's database or directory, update the application role assignments in Azure AD with a list of the users who currently have access, and then create a single access review of the application role assignments. For more information, see [Governing an application's existing users](identity-governance-applications-existing-users.md) to update the application role assignments in Azure AD.|
+|B|If the application uses group claims in addition to application role assignments.| An application may use AD or Azure AD group membership, distinct from application roles to express finer-grained access. Here, you can choose based on your business requirements either to have the users who have application role assignments reviewed, or to review the users who have group memberships. If the groups do not provide comprehensive access coverage, in particular if users may have access to the application even if they aren't a member of those groups, then we recommend reviewing the application role assignments, as in pattern A above.|
+|C| If the application doesn't rely solely on Azure AD for federated SSO, but does support provisioning via SCIM, or via updates to a SQL table of users or a non-AD LDAP directory. | In this pattern, you'll configure Azure AD to provision the users with application role assignments to the application's database or directory, update the application role assignments in Azure AD with a list of the users who currently have access, and then create a single access review of the application role assignments. For more information, see [Governing an application's existing users](identity-governance-applications-existing-users.md) to update the application role assignments in Azure AD.|
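Review bot: The rewritten rows use bare `AD` (`AD or Azure AD group membership`, `non-AD LDAP directory`) while the rest of this change writes `AD DS` and `Windows Server AD`; settle on one term across the article. Row B's steps column also does not say how a denial is applied when the reviewed group lives in AD: unlike an Azure AD group, the on-premises membership changes only once group writeback runs (or the PowerShell sample referred to later is used), so either mention writeback in row B or point the reader to the provisioning and writeback steps further down.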
### Other options
The integration patterns listed above are applicable to third party SaaS applica
Now that you have identified the integration pattern for the application, check the application as represented in Azure AD is ready for review. 1. In the Azure portal, click **Azure Active Directory**, click **Enterprise Applications**, and check whether your application is on the [list of enterprise applications](../manage-apps/view-applications-portal.md) in your Azure AD tenant.
-1. If the application is not already listed, then check if the application is available the [application gallery](../manage-apps/overview-application-gallery.md) for applications that can be integrated for federated SSO or provisioning. If it is in the gallery, then use the [tutorials](../saas-apps/tutorial-list.md) to configure the application for federation, and if it supports provisioning, also [configure the application](../app-provisioning/configure-automatic-user-provisioning-portal.md) for provisioning.
-1. One the application is in the list of enterprise applications in your tenant, select the application from the list.
+1. If the application is not already listed, then check if the application is available the [application gallery](../manage-apps/overview-application-gallery.md) for applications that can be integrated for federated SSO or provisioning. If it is in the gallery, then use the [tutorials](../saas-apps/tutorial-list.md) to configure the application for federation, and if it supports provisioning, also [configure the application](../app-provisioning/configure-automatic-user-provisioning-portal.md) for provisioning. If the application uses AD security groups, [add the application for remote access through Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md) and [configure group writeback to AD](../hybrid/how-to-connect-group-writeback-v2.md).
+1. Once the application is in the list of enterprise applications in your tenant, select the application from the list.
1. Change to the **Properties** tab. Verify that the **User assignment required?** option is set to **Yes**. If it's set to **No**, all users in your directory, including external identities, can access the application, and you can't review access to the application. ![Screenshot that shows planning app assignments.](./media/deploy-access-review/6-plan-applications-assignment-required.png) 1. Change to the **Roles and administrators** tab. This tab displays the administrative roles, that give rights to control the representation of the application in Azure AD, not the access rights in the application. For each administrative role that has permissions to allow changing the application integration or assignments, and has an assignment to that administrative role, ensure that only authorized users are in that role.
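Review bot: The new Application Proxy sentence on the first `+` line reads as if Application Proxy were required whenever an application uses AD security groups; the dependency is the other way round: an on-premises application has to be represented as an enterprise application (which adding it through Application Proxy does) before step 1's list can contain it, and group writeback is what makes the reviewed Azure AD groups visible to it. Suggest `If the application is on-premises and uses AD security groups, add it through Application Proxy so that it appears as an enterprise application, and configure group writeback so that the reviewed groups are available in AD`. The pre-existing `available the [application gallery]` is missing `in` and can be fixed on the same line.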
-1. Change to the **Provisioning** tab. If automatic provisioning isn't configured, then Azure AD won't have a way to notify the application when a user's access is removed if denied during the review. Provisioning might not be necessary for some integration patterns, if the application is federated and solely relies upon Azure AD as its identity provider. However, if your application integration is pattern C, and the application doesn't support federated SSO with Azure AD as its only identity provider, then you'll need to configure provisioning from Azure AD to the application. Provisioning will be necessary so that Azure AD can automatically remove the reviewed users from the application when a review completes, and this removal step can be done through a change sent from Azure AD to the application through SCIM, LDAP or SQL.
+1. Change to the **Provisioning** tab. If automatic provisioning isn't configured, then Azure AD won't have a way to notify the application when a user's access is removed if denied during the review. Provisioning might not be necessary for some integration patterns, if the application is federated and solely relies upon Azure AD as its identity provider, or the application uses AD DS groups. However, if your application integration is pattern C, and the application doesn't support federated SSO with Azure AD as its only identity provider, then you'll need to configure provisioning from Azure AD to the application. Provisioning will be necessary so that Azure AD can automatically remove the reviewed users from the application when a review completes, and this removal step can be done through a change sent from Azure AD to the application through SCIM, LDAP or SQL.
* If this is a gallery application that supports provisioning, [configure the application for provisioning](../app-provisioning/configure-automatic-user-provisioning-portal.md). * If the application is a cloud application and supports SCIM, configure [user provisioning with SCIM](../app-provisioning/use-scim-to-provision-users-and-groups.md).
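Review bot: The last sentence of the Provisioning step still lists only `SCIM, LDAP or SQL` as the channels that carry a removal to the application, but the same `+` line now exempts applications that use AD DS groups; add group writeback to that list, or state that for AD DS groups the removal is carried by group writeback rather than provisioning, so the reader knows which mechanism to check in the monitoring steps later on.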
Now that you have identified the integration pattern for the application, check
1. If the application supports federated SSO, then change to the **Conditional Access** tab. Inspect the enabled policies for this application. If there are policies that are enabled, block access, have users assigned to the policies, but no other conditions, then those users may be already blocked from being able to get federated SSO to the application. 1. Change to the **Users and groups** tab. This list contains all the users who are assigned to the application in Azure AD. If the list is empty, then a review of the application will complete immediately, since there isn't any task for the reviewer to perform.
-1. If your application is integrated with pattern C, then you'll need to confirm that the users in this list are the same as those in the applications' internal data store, prior to starting the review. Azure AD does not automatically import the users or their access rights from an application, but you can [assign users to an application role via PowerShell](../manage-apps/assign-user-or-group-access-portal.md). See [Governing an application's existing users](identity-governance-applications-existing-users.md) for how to bring in users from different application data stores into Azure AD.
+1. If your application is integrated with pattern C, then you'll need to confirm that the users in this list are the same as those in the applications' internal data store, prior to starting the review. Azure AD does not automatically import the users or their access rights from an application, but you can [assign users to an application role via PowerShell](../manage-apps/assign-user-or-group-access-portal.md). See [Governing an application's existing users](identity-governance-applications-existing-users.md) for how to bring in users from different application data stores into Azure AD and assign them to an application role.
1. Check whether all users are assigned to the same application role, such as **User**. If users are assigned to multiple roles, then if you create an access review of the application, then all assignments to all of the application's roles will be reviewed together.
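Review bot: `applications' internal data store` on the `+` line has the apostrophe on the wrong side (it should be `application's`); the error is pre-existing, but the sentence is being rewritten here, so fix it in the same edit.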
-1. Check the list of directory objects assigned to the roles to confirm that there are no groups assigned to the application roles. It's possible to review this application if there is a group assigned to a role; however, a user who is a member of the group assigned to the role, and whose access was denied, won't be automatically removed from the group. We recommend first converting the application to have direct user assignments, rather than members of groups, so that a user whose access is denied during the access review can have their application role assignment removed automatically.
+1. Check the list of directory objects assigned to the roles to confirm that there are no groups assigned to the application roles. It's possible to review this application if there is a group assigned to a role; however, a user who is a member of the group assigned to the role, and whose access was denied, won't be automatically removed from the group. If the application does not itself rely upon groups, then we recommend first converting the application to have direct user assignments, rather than members of groups, so that a user whose access is denied during the access review can have their application role assignment removed automatically. If the application does rely upon groups, and all of the application's groups are assigned to the same application role, then you'll review the group memberships instead of reviewing the application assignments.
Next, if the application integration also requires one or more groups to be reviewed, as described in pattern B, then check each group is ready for review.
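Review bot: The condition added on the `+` line, `all of the application's groups are assigned to the same application role`, is not sufficient for reviewing group memberships instead of role assignments: any user assigned directly to the role outside those groups is never covered by a group review, which is the same coverage gap that row B of the pattern table warns about. Add `and there are no direct user assignments to that role` to the condition, or tell the reader to review both the groups and the direct assignments.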
Once the reviews have started, you can monitor their progress, and update the ap
1. If you had previously configured provisioning of users to the application, then when the results are applied, Azure AD will begin deprovisioning denied users from the application. You can [monitor the process of deprovisioning users](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md). If provisioning indicates an error with the application, you can [download the provisioning log](../reports-monitoring/concept-provisioning-logs.md) to investigate if there was a problem with the application.
+1. If you had configured [group writeback](../enterprise-users/groups-write-back-portal.md) for the reviewed groups, then wait until group writeback completes in Azure AD Connect and the changes propagate to all the domain controllers.
+ 1. If provisioning wasn't configured for your application, then you may need to separately copy the list of denied users to the application. For example, in access reviews for a Windows Server AD-managed group, use this [PowerShell sample script](https://github.com/microsoft/access-reviews-samples/tree/master/AzureADAccessReviewsOnPremises). The script outlines the required Microsoft Graph calls and exports the Windows Server AD PowerShell cmdlets to carry out the changes. 1. If you wish, you can also download a [review history report](access-reviews-downloadable-review-history.md) of completed reviews.
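Review bot: The second `+` line starts with a space before `1.`, which Markdown renders as a continuation of the previous step rather than the next numbered step, and two steps (`1. If provisioning wasn't configured…` and `1. If you wish, you can also download…`) share one source line; put each step on its own line without the leading space. The group writeback link here targets `../enterprise-users/groups-write-back-portal.md`, whereas the earlier step links `../hybrid/how-to-connect-group-writeback-v2.md` for the same configuration; link one article from both places.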
-1. How long a user who has been denied continued access is able to continue to use a federated application will depend upon the application's own session lifetime, and on the access token lifetime. To learn more about controlling the lifetime of access tokens, see [configurable token lifetimes](../develop/active-directory-configurable-token-lifetimes.md).
+1. How long a user who has been denied continued access is able to continue to use a federated application will depend upon the application's own session lifetime, and on the access token lifetime. If the applications used Kerberos, since Kerberos caches the group memberships of a user when they sign into a domain, the users may continue to have access until their Kerberos tickets expire. To learn more about controlling the lifetime of access tokens, see [configurable token lifetimes](../develop/active-directory-configurable-token-lifetimes.md).
## Next steps
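Review bot: `If the applications used Kerberos` on the `+` line should read `If the application uses Kerberos`. The explanation is also slightly off: Kerberos does not cache group memberships as such; the memberships are written into the user's tickets when those are issued at sign-in, so a denied user keeps access until the existing tickets expire and new ones are issued. Suggest `If the application uses Kerberos, the user's group memberships are captured in the Kerberos tickets issued at sign-in, so the user may keep access until those tickets expire and are reissued.`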
active-directory Identity Governance Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-overview.md
# What is Azure AD Identity Governance?
-Azure Active Directory (Azure AD) Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right people have the right access to the right resources. These and related Azure AD and Enterprise Mobility + Security features allows you to mitigate access risk by protecting, monitoring, and auditing access to critical assets -- while ensuring employee and business partner productivity.
+Azure Active Directory (Azure AD) Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right people have the right access to the right resources. These and related Azure AD and Enterprise Mobility + Security features allows you to mitigate access risk by protecting, monitoring, and auditing access to critical assets while ensuring employee and business partner productivity.
Identity Governance gives organizations the ability to do the following tasks across employees, business partners and vendors, and across services and applications both on-premises and in clouds:
When a user attempts to access applications, Azure AD enforces [Conditional Acce
## Privileged access lifecycle
-Historically, privileged access has been described by other vendors as a separate capability from Identity Governance. However, at Microsoft, we think governing privileged access is a key part of Identity Governance -- especially given the potential for misuse associated with those administrator rights can cause to an organization. The employees, vendors, and contractors that take on administrative rights need to be governed.
+Historically, privileged access has been described by other vendors as a separate capability from Identity Governance. However, at Microsoft, we think governing privileged access is a key part of Identity Governance especially given the potential for misuse associated with those administrator rights can cause to an organization. The employees, vendors, and contractors that take on administrative rights need to be governed.
![Privileged access lifecycle](./media/identity-governance-overview/privileged-access-lifecycle.png)
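Review bot: dropping the dashes left the privileged-access sentence ungrammatical: `especially given the potential for misuse associated with those administrator rights can cause to an organization` has two predicates. Suggest `especially given the harm that misuse of administrator rights can cause an organization`. In the overview paragraph, `features allows you to mitigate` should be `features allow you to mitigate` (plural subject), a pre-existing slip the edit could fix while touching the line.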
active-directory How To Connect Group Writeback V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-group-writeback-v2.md
To enable group writeback via PowerShell:
Set-ADSyncScheduler -SyncCycleEnabled $true ```
-You've now enabled the group writeback feature.
+You've now enabled the group writeback feature, and can [select the groups for writeback](../enterprise-users/groups-write-back-portal.md).
### Optional Configuration
Limitations and known issues specific to Group Writeback:
## Next steps
-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
+- Configure [group writeback in the Azure Active Directory Admin Center](../enterprise-users/groups-write-back-portal.md)
+- Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
active-directory Delete Application Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/delete-application-portal.md
Title: 'Quickstart: Delete an enterprise application'
+ Title: 'Delete an enterprise application'
description: Delete an enterprise application in Azure Active Directory. -+ Previously updated : 03/24/2022 Last updated : 07/28/2022 -
+zone_pivot_groups: enterprise-apps-all
+ #Customer intent: As an administrator of an Azure AD tenant, I want to delete an enterprise application.
-# Quickstart: Delete an enterprise application
+# Delete an enterprise application
+
+In this article, you learn how to delete an enterprise application that was added to your Azure Active Directory (Azure AD) tenant.
-In this quickstart, you use the Azure Active Directory Admin Center to delete an application that was added to your Azure Active Directory (Azure AD) tenant.
+When you delete and enterprise application, it will be held in a suspended state in the recycle bin for 30 days. During the 30 days, you can [Restore the application](restore-application.md). Deleted items are automatically hard deleted after the 30-day period. For more information on frequently asked questions about deletion and recovery of applications, see [Deleting and recovering applications FAQs](delete-recover-faq.yml).
-It is recommended that you use a non-production environment to test the steps in this quickstart.
## Prerequisites
To delete an enterprise application, you need:
- An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). - One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.-- Completion of the steps in [Quickstart: Add an enterprise application](add-application-portal.md).
+- An [enterprise application added to your tenant](add-application-portal.md)
## Delete an enterprise application
-To delete an enterprise application:
-1. Go to the [Azure Active Directory Admin Center](https://aad.portal.azure.com) and sign in using one of the roles listed in the prerequisites.
+1. Sign in to the [Azure AD portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
1. In the left menu, select **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant. Search for and select the application that you want to delete. For example, **Azure AD SAML Toolkit 1**. 1. In the **Manage** section of the left menu, select **Properties**. 1. At the top of the **Properties** pane, select **Delete**, and then select **Yes** to confirm you want to delete the application from your Azure AD tenant. :::image type="content" source="media/delete-application-portal/delete-application.png" alt-text="Delete an enterprise application.":::
-## Clean up resources
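Review bot: two wording slips in the new intro and step 1: `When you delete and enterprise application` should read `an enterprise application`, and `Sign in to the [Azure AD portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites` repeats `sign in`; suggest `Sign in to the Azure AD portal with one of the roles listed in the prerequisites`. Since the 30-day paragraph is where a reader decides whether to delete, it is also the place to say that restoring from App registrations creates a new service principal rather than bringing back the old one (the restore article in this batch makes that point), so configuration on the service principal is only recoverable via the restore steps.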
++
+> [!IMPORTANT]
+> Make sure you're using the AzureAD module. This is important if you've installed both the [AzureAD](/powershell/module/azuread/?preserve-view=true&view=azureadps-2.0) module and the AzureADPreview module.
+1. Run the following commands:
+
+ ```powershell
+ Remove-Module AzureADPreview
+ Import-Module AzureAD
+ ```
+
+1. Connect to Azure AD PowerShell:
+
+ ```powershell
+ Connect-AzureAD
+ ```
+1. Get the list of enterprise applications in your tenant.
+
+ ```powershell
+ Get-AzureADServicePrincipal
+ ```
+1. Record the object ID of the enterprise app you want to delete.
+1. Delete the enterprise application.
+
+ ```powershell
+ Remove-AzureADServicePrincipal $ObjectId 'd4142c52-179b-4d31-b5b9-08940873507b'
+ ```
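Review bot: the delete command in the AzureAD pivot has broken syntax: `Remove-AzureADServicePrincipal $ObjectId 'd4142c52-179b-4d31-b5b9-08940873507b'` passes an undefined variable `$ObjectId` as the first positional argument and the GUID as a second, which the cmdlet rejects. It should be `Remove-AzureADServicePrincipal -ObjectId 'd4142c52-179b-4d31-b5b9-08940873507b'`. Step 3's bare `Get-AzureADServicePrincipal` lists every service principal in the tenant; suggest `Get-AzureADServicePrincipal -SearchString 'Azure AD SAML Toolkit'` (matching the example app in the portal steps) so the reader confirms the right object ID before running a destructive command.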
++
+1. Connect to Microsoft Graph PowerShell:
+
+ ```powershell
+ Connect-MgGraph -Scopes 'Application.Read.All'
+ ```
+
+1. Get the list of enterprise applications in your tenant.
+
+ ```powershell
+ Get-MgServicePrincipal
+ ```
+1. Record the object ID of the enterprise app you want to delete.
+1. Delete the enterprise application.
+
+ ```powershell
+ Remove-MgServicePrincipal -ServicePrincipalId 'd4142c52-179b-4d31-b5b9-08940873507b'
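Review bot: the Graph PowerShell pivot connects with `Connect-MgGraph -Scopes 'Application.Read.All'`, a read-only scope, so the later `Remove-MgServicePrincipal -ServicePrincipalId '...'` fails with insufficient privileges; the delete needs `Application.ReadWrite.All`, which is the scope the restore article in this same batch uses. The closing ``` fence after the `Remove-MgServicePrincipal` line is also missing, so the content that follows renders inside the code block.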
++++
+Delete an enterprise application using [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+1. To get the list of applications in your tenant, run the following query.
+
+ ```http
+ GET /servicePrincipals
+ ```
+1. Record the ID of the enterprise app you want to delete.
+1. Delete the enterprise application.
+
+ ```http
+ DELETE /servicePrincipals/{id}
+ ```
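Review bot: the Graph Explorer queries use relative paths (`GET /servicePrincipals`, `DELETE /servicePrincipals/{id}`) while the restore article in the same batch writes out `https://graph.microsoft.com/v1.0/...`; spell out the full URL here too so the API version is explicit. The step should also say that the `DELETE` only succeeds after `Application.ReadWrite.All` has been consented in Graph Explorer, the same permission the PowerShell pivot needs, and that `GET /servicePrincipals` returns the whole tenant's list, so a `$filter` on `displayName` or `appId` is worth showing before the reader picks an ID.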
-When you are done with this quickstart series, consider deleting the application to clean up your test tenant. Deleting the application was covered in this quickstart.
## Next steps
-Learn more about planning a single sign-on deployment.
-> [!div class="nextstepaction"]
-> [Plan single sign-on deployment](plan-sso-deployment.md)
+- [Restore a deleted enterprise application](restore-application.md)
active-directory Recover Deleted Apps Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/recover-deleted-apps-faq.md
- Title: Frequently asked questions about recovering deleted apps-
-description: Find answers to frequently asked questions (FAQs) about recovering deleted apps and service principals.
------- Previously updated : 05/24/2022------
-# Recover deleted applications in Azure Active Directory FAQs
-
-This page answers frequently asked questions about deleting and restoring deleted application registrations and service principals.
-
-## When I create applications, I'm getting Directory_QuotaExceeded error. How can I avoid this problem?
-A non-admin user can create no more than 250 Azure AD resources that include applications and service principals. Both active resources and deleted resources that are available to restore count toward this quota. Even if you delete more applications that you don't need, they'll still add count to the quota. Hence, to free up the quota, you need to [permanently delete](/graph/api/directory-deleteditems-delete?tabs=http) objects in the deleted items container. You can learn more about the service limits through [this link](/azure/azure-resource-manager/management/azure-subscription-service-limits?msclkid=6cb6cc54c68711ec93eb9539fce3cc28#active-directory-limits).
-
-The quota limit set for Azure AD resources is applicable when creating applications or service principals using a delegated flow such as using Azure AD app registrations or Enterprise apps portal. Creating applications using the Microsoft Graph API programmatically using application flow won't have this restriction.
-
-## Where can I find all the deleted applications and service principals?
-
-Soft-deleted application and service principal objects go into the [deleted items](/graph/api/resources/directory?tabs=http) container and remain available to restore for up to 30 days. After 30 days, they're permanently deleted, and this frees up the quota.
-You find the deleted applications by using one of the following approaches:
--- Using the Azure portal
-
-Recently deleted application objects can be found under the **Deleted applications** tab on the App registrations blade of Azure portal.
-
- :::image type="content" source="media/delete-application-portal/recover-deleted-apps.png" alt-text="Screenshot shows list of deleted items.":::
-
-- Using the Microsoft Graph API-
-Recently deleted application and service principal objects can be found using the [List deletedItems](/graph/api/directory-deleteditems-list?tabs=http) API.
--- Using PowerShell-
-Recently deleted application and service principal objects can be found using the
-[Get-AzureADMSDeletedDirectoryObject](/powershell/module/azuread/get-azureadmsdeleteddirectoryobject?tabs=http) cmdlet.
-
-## How do I restore deleted applications or service principals?
--- Using Microsoft Graph API-
-Deleted objects can be restored using the [Restore deleted item](/graph/api/directory-deleteditems-restore?tabs=http) API.
--- Using PowerShell-
-Deleted objects can be restored using the [Restore-AzureADMSDeletedDirectoryObject](/powershell/module/azuread/restore-azureadmsdeleteddirectoryobject?tabs=http) cmdlet.
-
-## How do I permanently delete soft deleted applications or service principals?
--- Using the Microsoft Graph API-
-Soft deleted objects can be permanently deleted by using the [Permanently delete an item from deleted items](/graph/api/directory-deleteditems-delete?tabs=http) API.
--- Using PowerShell-
-Soft deleted objects can be permanently deleted using the [Remove-AzureADMSDeletedDirectoryObject](/powershell/module/azuread/remove-azureadmsdeleteddirectoryobject?tabs=http) cmdlet.
-
-## Can I configure the interval in which applications and service principals are permanently deleted by Azure AD?
-
-No. You canΓÇÖt configure the periodicity of hard deletion.
-
-## I restored a deleted application using the App registrations portal experience. I don't see the SAML SSO configurations I made to the app prior to deletion.
-
-The SAML SSO configurations are stored on the service principal object. When you restore an application from the App registrations UI, it recovers the app object but creates a new service principal. Hence, the SAML SSO configurations done earlier to the app are lost when restoring a deleted application using the App registrations UI.
-
-To correct this problem, delete the new service principal the app registrations experience created and restore the original service principal using the [Microsoft Graph API](/graph/api/directory-deleteditems-restore?tabs=http) or the [Microsoft Graph PowerShell cmdlet](/powershell/module/azuread/restore-azureadmsdeleteddirectoryobject?tabs=http).
-
-If you recorded the object ID of the service principal before deleting the application, use the [Restore deleted item](/graph/api/directory-deleteditems-restore?tabs=http) API to recover the service principal. Otherwise, use the [list deleted items](/graph/api/directory-deleteditems-list?tabs=http) API to fetch the deleted service principal and filter the results by the client's application ID (**appId**) property using the following syntax:
-
-`https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.servicePrincipal?$filter=appId eq '{appId}'`
-
-## Why canΓÇÖt I recover managed identities?
-
-[Managed identities](../managed-identities-azure-resources/overview.md) are a special type of service principals. Deleted managed identities canΓÇÖt be recovered currently.
-
-## I canΓÇÖt see the provisioning data from a recovered service principal. How can I recover it back?
-
-After recovering an SP, you may initially see the error in the following screenshot. This issue will resolve itself between 40 mins and 1 day. If you would like the provisioning job to start immediately, you can hit restart to force the provisioning service to run again. Hitting restart will trigger an initial cycle that can take time for customers with 100 K+ users or group memberships.
-
-
-## I recovered my application that was configured for application proxy. I canΓÇÖt see app proxy configurations after the recovery. How can I recover it back?
-
-App proxy configurations can't be recovered through the portal UI. Use the API to recover app proxy settings. Expect a delay of up to 24 hours as the app proxy data gets synced back.
-
-## I canΓÇÖt see the policies I set on the service principal object after the recovery. How can I recover them?
-
-Policies can't be recovered currently. When you restore a service principal, you'll have to configure the policies again.
-
-## Next steps
--- [Delete a service principal](delete-application-portal.md)-- [Delete an application registration](../develop/howto-restore-app.md)
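Review bot: this FAQ is removed wholesale while the new delete and restore articles in this batch link to `delete-recover-faq.yml`; confirm a redirect from `recover-deleted-apps-faq.md` to the new FAQ exists so existing links and search results don't 404. Two items here are worth carrying over rather than losing: the `Directory_QuotaExceeded` explanation (soft-deleted objects still count against the 250-object non-admin quota until hard deleted), and the `deletedItems/microsoft.graph.servicePrincipal?$filter=appId eq '{appId}'` query, which is the only way shown for finding a deleted service principal when its object ID wasn't recorded.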
active-directory Restore Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/restore-application.md
+
+ Title: 'Restore a soft deleted enterprise application'
+description: Restore a soft deleted enterprise application in Azure Active Directory.
+++++++ Last updated : 07/28/2022+++
+zone_pivot_groups: enterprise-apps-minus-portal
+#Customer intent: As an administrator of an Azure AD tenant, I want to restore a soft deleted enterprise application.
++
+# Restore an enterprise application in Azure AD
+
+In this article, you'll learn how to restore a soft deleted enterprise application in your Azure Active Directory (Azure AD) tenant. Soft deleted enterprise applications can be restored from the recycle bin within the first 30 days after their deletion. After the 30-day window, the enterprise application is permanently deleted and can't be restored.
+
+When an [application registration is deleted](../develop/howto-remove-app.md) in its home tenant through app registrations in the Azure portal, the enterprise application, which is its corresponding service principal also gets deleted. Restoring the deleted application registration through the Azure portal won't restore its corresponding service principal, but will instead create a new one.
+
+Currently, the [soft deleted enterprise applications](delete-application-portal.md) can't be viewed or restored through the Azure portal. Therefore, if you had configurations on the previous enterprise application, you can't restore them through the Azure portal. To recover your previous configurations, first delete the enterprise application that was restored through the Azure portal, then follow the steps in this article to recover the soft deleted enterprise application. For more information on frequently asked questions about deletion and recovery of applications, see [Deleting and recovering applications FAQs](delete-recover-faq.yml.
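Review bot: the FAQ link at the end of this paragraph is missing its closing parenthesis, `(delete-recover-faq.yml.`, so it renders as literal text; it should read `(delete-recover-faq.yml).`. In the previous paragraph, `the enterprise application, which is its corresponding service principal also gets deleted` needs a comma after `service principal`.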
++
+## Prerequisites
+
+To restore an enterprise application, you need:
+
+- An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
+- A [soft deleted enterprise application](delete-application-portal.md) in your tenant.
+
+## View restorable enterprise applications
++
+> [!IMPORTANT]
+> Make sure you're using the AzureAD module. This is important if you've installed both the [AzureAD](/powershell/module/azuread/?preserve-view=true&view=azureadps-2.0) module and the AzureADPreview module.
+1. Run the following commands:
+
+ ```powershell
+ Remove-Module AzureADPreview
+ Import-Module AzureAD
+ ```
+
+1. Connect to Azure AD PowerShell:
+
+ ```powershell
+ Connect-AzureAD
+ ```
+
+1. To view the recently deleted enterprise application, run the following command:
+
+ ```powershell
+ Get-AzureADMSDeletedDirectoryObject -Id 'd4142c52-179b-4d31-b5b9-08940873507b'
+ ```
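Review bot: the heading says `View restorable enterprise applications`, but the AzureAD step only works if the object ID is already known: `Get-AzureADMSDeletedDirectoryObject -Id 'd4142c52-179b-4d31-b5b9-08940873507b'` fetches a single object and has no listing mode. Suggest telling the reader to record the object ID before deletion (the delete article does) and, when it wasn't recorded, to list deleted service principals with the query shown in the Graph Explorer pivot, `GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.servicePrincipal`, optionally filtered by `appId`.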
++
+1. Run `connect-MgGraph -Scopes "Application.ReadWrite.All"` and sign in with a Global Admin user account.
+
+1. To view the recently deleted enterprise applications, run the following command:
+
+ ```powershell
+ Get-MgDirectoryDeletedItem -DirectoryObjectId 'd4142c52-179b-4d31-b5b9-08940873507b'
+ ```
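Review bot: step 1 of the Graph PowerShell pivot is inconsistent with the rest of the article: it is inline rather than in a ```powershell fence, uses `connect-MgGraph` in lower case, and says to sign in with `a Global Admin user account` although the prerequisites list Cloud Application Administrator, Application Administrator and service principal owner as sufficient. Keep the prerequisite roles and the `Application.ReadWrite.All` scope and drop the Global Admin wording, since it pushes readers toward a more privileged account than the task needs. As in the AzureAD pivot, `Get-MgDirectoryDeletedItem -DirectoryObjectId '...'` as written returns one object by ID rather than the list the heading promises.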
++
+View and restore recently deleted enterprise applications using [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+
+To get the list of deleted enterprise applications in your tenant, run the following query.
+
+ ```http
+ GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.servicePrincipal
+ ```
+Record the ID of the enterprise application you want to restore.
++
+## Restore an enterprise application
++
+1. To restore the enterprise application, run the following command:
++
+ ```powershell
+ Restore-AzureADMSDeletedDirectoryObject -Id 'd4142c52-179b-4d31-b5b9-08940873507b'
+ ```
++
+1. To restore the enterprise application, run the following command:
+
+ ```powershell
+ Restore-MgDirectoryObject -DirectoryObjectId 'd4142c52-179b-4d31-b5b9-08940873507b'
+ ```
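Review bot: the Graph PowerShell restore step uses `Restore-MgDirectoryObject -DirectoryObjectId`, while the view and permanent-delete steps in the same pivot use the `*-MgDirectoryDeletedItem` cmdlets; `Restore-MgDirectoryDeletedItem -DirectoryObjectId 'd4142c52-179b-4d31-b5b9-08940873507b'`, which maps to the `POST https://graph.microsoft.com/v1.0/directory/deletedItems/{id}/restore` request in the Graph Explorer pivot, would keep the three steps consistent. Also, the intro tells readers to delete the service principal the portal restore created before running this step; the restore section should repeat that ordering, because restoring while the replacement service principal still exists is the scenario the intro warns about.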
+
+
+1. To restore the enterprise application, run the following query:
+
+ ```http
+ POST https://graph.microsoft.com/v1.0/directory/deletedItems/{id}/restore
+ ```
+
+## Permanently delete an enterprise application
+
+>[!WARNING]
+> Permanently deleting an enterprise application is an irreversible action. Any present configurations on the app will be completely lost. Carefully review the details of the enterprise application to be sure you still want to hard delete it.
++
+To permanently delete a soft deleted enterprise application, run the following command:
+
+```powershell
+Remove-AzureADMSDeletedDirectoryObject -Id 'd4142c52-179b-4d31-b5b9-08940873507b'
+```
+
+
+1. To permanently delete the soft deleted enterprise application, run the following command:
+
+ ```powershell
+ Remove-MgDirectoryDeletedItem -DirectoryObjectId 'd4142c52-179b-4d31-b5b9-08940873507b'
+ ```
+++
+To permanently delete a soft deleted enterprise application, run the following query in Microsoft Graph explorer
+
+```http
+DELETE https://graph.microsoft.com/v1.0/directory/deletedItems/{object-id}
+```
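Review bot: the permanent-delete section is formatted differently in each pivot: the AzureAD command is unnumbered and unindented, the Graph PowerShell one is a numbered step, and the Graph Explorer lead-in `run the following query in Microsoft Graph explorer` lacks a period. The placeholder also changes from `{id}` in the restore query to `{object-id}` here; use one name. Given the WARNING above, suggest a step to re-run the view command from the earlier section and confirm the `displayName` of the object before issuing the delete, since the hard delete is irreversible and the only input is a GUID.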
++
+## Next steps
+
+- [Recovery and deletion FAQ](delete-recover-faq.yml)
+- [Applications and service principals](../develop/app-objects-and-service-principals.md)
active-directory Managed Identities Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/managed-identities-status.md
The following Azure services support managed identities for Azure resources:
| Azure Service Bus | [Authenticate a managed identity with Azure Active Directory to access Azure Service Bus resources](../../service-bus-messaging/service-bus-managed-service-identity.md) | | Azure Service Fabric | [Using Managed identities for Azure with Service Fabric](../../service-fabric/concepts-managed-identity.md) | | Azure SignalR Service | [Managed identities for Azure SignalR Service](../../azure-signalr/howto-use-managed-identity.md) |
-| Azure Spring Cloud | [How to enable system-assigned managed identity for Azure Spring Cloud application](../../spring-cloud/how-to-enable-system-assigned-managed-identity.md) |
+| Azure Spring Apps | [Enable system-assigned managed identity for an application in Azure Spring Apps](../../spring-apps/how-to-enable-system-assigned-managed-identity.md) |
| Azure SQL | [Azure SQL Transparent Data Encryption with customer-managed key](/azure/azure-sql/database/transparent-data-encryption-byok-overview) | | Azure SQL Managed Instance | [Azure SQL Transparent Data Encryption with customer-managed key](/azure/azure-sql/database/transparent-data-encryption-byok-overview) | | Azure Stack Edge | [Manage Azure Stack Edge secrets using Azure Key Vault](../../databox-online/azure-stack-edge-gpu-activation-key-vault.md#recover-managed-identity-access)
active-directory Overview For Developers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/overview-for-developers.md
dr.Close();
#### [Java](#tab/java)
-If you use [Azure Spring Apps](../../spring-cloud/index.yml), you can connect to Azure SQL Database with a managed identity without needing to make any changes to your code.
+If you use [Azure Spring Apps](../../spring-apps/index.yml), you can connect to Azure SQL Database with a managed identity without needing to make any changes to your code.
Open the `src/main/resources/application.properties` file, and add `Authentication=ActiveDirectoryMSI;` at the end of the following line. Be sure to use the correct value for `$AZ_DATABASE_NAME` variable.
Open the `src/main/resources/application.properties` file, and add `Authenticati
spring.datasource.url=jdbc:sqlserver://$AZ_DATABASE_NAME.database.windows.net:1433;database=demo;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;Authentication=ActiveDirectoryMSI; ```
-Read more about how to [use a managed identity to connect Azure SQL Database to an Azure Spring Apps app](../../spring-cloud/connect-managed-identity-to-azure-sql.md).
+Read more about how to [use a managed identity to connect Azure SQL Database to an Azure Spring Apps app](../../spring-apps/connect-managed-identity-to-azure-sql.md).
active-directory Groups Assign Member Owner https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-assign-member-owner.md
na Previously updated : 06/24/2022 Last updated : 07/29/2022
Follow these steps to make a user eligible to be a member or owner of a privileg
1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com/) with a user in the [Global Administrator](../roles/permissions-reference.md#global-administrator) role, the Privileged Role Administrator role, or the group Owner role.
-1. Select **Groups** and then select the role-assignable group you want to manage. You can search or filter the list.
+1. Select **Groups** and then select the [role-assignable group](concept-privileged-access-versus-role-assignable.md) you want to manage. You can search or filter the list.
![find a role-assignable group to manage in PIM](./media/groups-assign-member-owner/groups-list-in-azure-ad.png)
Follow these steps to make a user eligible to be a member or owner of a privileg
- **Active** assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.
-1. If the assignment should be permanent (permanently eligible or permanently assigned), select the **Permanently** checkbox. Depending on your organization's settings, the check box might not appear or might not be editable.
+1. If the assignment should be permanent (permanently eligible or permanently assigned), select the **Permanently** checkbox. Depending on your organization's settings, the check box might not appear or might not be editable. For more information, check out the [Configure privileged access group settings](groups-role-settings.md#assignment-duration) article.
1. When finished, select **Assign**.
active-directory Pim Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-configure.md
Previously updated : 10/07/2021 Last updated : 07/29/2022
Privileged Identity Management provides time-based and approval-based role activ
Once you set up Privileged Identity Management, you'll see **Tasks**, **Manage**, and **Activity** options in the left navigation menu. As an administrator, you'll choose between options such as managing **Azure AD roles**, managing **Azure resource** roles, or privileged access groups. When you choose what you want to manage, you see the appropriate set of options for that option.
-![Screenshot of Privileged Identity Management in the Azure portal](./media/pim-configure/pim-quickstart.png)
+![Screenshot of Privileged Identity Management in the Azure portal.](./media/pim-configure/pim-quickstart.png)
## Who can do what? For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.
-For Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers do not by default have access to view assignments to Azure resource roles in Privileged Identity Management.
+For Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers don't by default have access to view assignments to Azure resource roles in Privileged Identity Management.
## Terminology
To better understand Privileged Identity Management and its documentation, you s
| time-bound eligible | Duration | A role assignment where a user is eligible to activate the role only within start and end dates. | | time-bound active | Duration | A role assignment where a user can use the role only within start and end dates. | | just-in-time (JIT) access | | A model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. |
-| principle of least privilege access | | A recommended security practice in which every user is provided with only the minimum privileges needed to accomplish the tasks they are authorized to perform. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios. |
+| principle of least privilege access | | A recommended security practice in which every user is provided with only the minimum privileges needed to accomplish the tasks they're authorized to perform. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios. |
-## Extend and renew assignments
+## Role assignment overview
-After you set up your time-bound owner or member assignments, the first question you might ask is what happens if an assignment expires? In this new version, we provide two options for this scenario:
+The PIM role assignments give you a secure way to grant access to resources in your organization. This section describes the assignment process. It includes assign roles to members, activate assignments, approve or deny requests, extend and renew assignments.
-- Extend ΓÇô When a role assignment nears expiration, the user can use Privileged Identity Management to request an extension for the role assignment-- Renew ΓÇô When a role assignment has already expired, the user can use Privileged Identity Management to request a renewal for the role assignment
+PIM keeps you informed by sending you and other participants [email notifications](pim-email-notifications.md). These emails might also include links to relevant tasks, such activating, approve or deny a request.
+
+The following screenshot shows an email message sent by PIM. The email informs Patti that Alex updated a role assignment for Emily.
+
+![Screenshot shows an email message sent by Privileged Identity Management.](./media/pim-configure/pim-email.png)
+
+### Assign
+
+The assignment process starts by assign roles to members. To grant access to a resource, the administrator assigns roles to users, groups, service principals, or managed identities. The assignment includes the following data:
+
+- The members or owners to assign the role.
+- The scope of the assignment. The scope limits the assigned role to a particular set of resources.
+- The type of the assignment
+ - **Eligible** assignments require the member of the role to perform an action to use the role. Actions might include activation, or requesting approval from designated approvers.
+ - **Active** assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role.
+- The duration of the assignment, using start and end dates or permanent. For eligible assignments, the members can activate or requesting approval during the start and end dates. For active assignments, the members can use the assign role during this period of time.
+
+The following screenshot shows how administrator assigns a role to members.
+
+![Screenshot of Privileged Identity Management role assignment.](./media/pim-configure/role-assignment.png)
++
+For more information, check out the following articles: [Assign Azure AD roles](pim-how-to-add-role-to-user.md), [Assign Azure resource roles](pim-resource-roles-assign-roles.md), and [Assign eligibility for a privileged access group](groups-assign-member-owner.md)
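Review bot: several grammatical slips in the new Role assignment overview and Assign sections: `It includes assign roles to members, activate assignments, approve or deny requests, extend and renew assignments` should be `It covers assigning roles to members, activating assignments, approving or denying requests, and extending and renewing assignments`; `such activating, approve or deny a request` should be `such as activating a role or approving or denying a request`; `The assignment process starts by assign roles to members` should be `by assigning roles to members`; in the duration bullet `can activate or requesting approval` should be `can activate or request approval` and `use the assign role` should be `use the assigned role`; and `shows how administrator assigns a role` needs `an administrator`. The `For more information, check out the following articles:` sentence ends without a period.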
+
+### Activate
+
+If users have been made eligible for a role, then they must activate the role assignment before using the role. To activate the role, users select specific activation duration within the maximum (configured by administrators), and the reason for the activation request.
+
+The following screenshot shows how members activate their role to a limited time.
+
+![Screenshot of Privileged Identity Management role activation.](./media/pim-configure/role-activation.png)
+
+If the role requires [approval](pim-resource-roles-approval-workflow.md) to activate, a notification will appear in the upper right corner of the user's browser informing them the request is pending approval. If an approval isn't required, the member can start using the role.
+
+For more information, check out the following articles: [Activate Azure AD roles](pim-how-to-activate-role.md), [Activate my Azure resource roles](pim-resource-roles-activate-your-roles.md), and [Activate my privileged access group roles](groups-activate-roles.md)
+
+### Approve or deny
+
+Delegated approvers receive email notifications when a role request is pending their approval. Approvers can view, approve or deny these pending requests in PIM. After the request has been approved, the member can start using the role. For example, if a user or a group was assigned with Contribution role to a resource group, they'll be able to manage that particular resource group.
+
+For more information, check out the following articles: [Approve or deny requests for Azure AD roles](azure-ad-pim-approval-workflow.md), [Approve or deny requests for Azure resource roles](pim-resource-roles-approval-workflow.md), and [Approve activation requests for privileged access group](groups-approval-workflow.md)
+
+### Extend and renew assignments
+
+After administrators set up time-bound owner or member assignments, the first question you might ask is what happens if an assignment expires? In this new version, we provide two options for this scenario:
+
+- **Extend** ΓÇô When a role assignment nears expiration, the user can use Privileged Identity Management to request an extension for the role assignment
+- **Renew** ΓÇô When a role assignment has already expired, the user can use Privileged Identity Management to request a renewal for the role assignment
Both user-initiated actions require an approval from a Global Administrator or Privileged Role Administrator. Admins don't need to be in the business of managing assignment expirations. You can just wait for the extension or renewal requests to arrive for simple approval or denial.
+For more information, check out the following articles: [Extend or renew Azure AD role assignments](pim-how-to-renew-extend.md), [Extend or renew Azure resource role assignments](pim-resource-roles-renew-extend.md), and [Extend or renew privileged access group assignments](groups-renew-extend.md)
+ ## Scenarios Privileged Identity Management supports the following scenarios:
With the privileged access groups preview, you can give workload-specific admini
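Review bot: The two bullets under **Extend and renew assignments** carry a mis-encoded en dash ("ΓÇô" is the UTF-8 byte sequence of "–" decoded as a single-byte code page); replace it with a plain hyphen or a correctly encoded dash so the list renders as `- **Extend** - When a role assignment nears expiration, ...`. Two grammar slips in the assignment bullet above: "the members can activate or requesting approval" should read "the members can activate the role or request approval", and "use the assign role" should read "use the assigned role". The line consisting of a single `+` after the role-assignment screenshot renders as a literal "+" paragraph in markdown and should be an empty line. In **Approve or deny**, "Contribution role" is not a built-in Azure role name; if the Azure built-in role is meant, it is "Contributor". Minor: "shows how administrator assigns a role" needs an article ("how an administrator assigns"), and "activate their role to a limited time" should read "for a limited time".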
## Invite guest users and assign Azure resource roles in Privileged Identity Management
-Azure Active Directory (Azure AD) guest users are part of the business-to-business (B2B) collaboration capabilities within Azure AD so that you can manage external guest users and vendors as guests in Azure AD. For example, you can use these Privileged Identity Management features for Azure identity tasks with guests such as assigning access to specific Azure resources, specifying assignment duration and end date, or requiring two-step verification on active assignment or activation. For more information on how to invite a guest to your organization and manage their access , see [Add B2B collaboration users in the Azure AD portal](../external-identities/add-users-administrator.md).
+Azure Active Directory (Azure AD) guest users are part of the business-to-business (B2B) collaboration capabilities within Azure AD so that you can manage external guest users and vendors as guests in Azure AD. For example, you can use these Privileged Identity Management features for Azure identity tasks with guests such as assigning access to specific Azure resources, specifying assignment duration and end date, or requiring two-step verification on active assignment or activation. For more information on how to invite a guest to your organization and manage their access, see [Add B2B collaboration users in the Azure AD portal](../external-identities/add-users-administrator.md).
### When would you invite guests?
active-directory Pim How To Configure Security Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts.md
Previously updated : 06/24/2022 Last updated : 07/29/2022
# Configure security alerts for Azure AD roles in Privileged Identity Management
-Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Privileged Identity Management dashboard. Select the alert to see a report that lists the users or roles that triggered the alert.
+Privileged Identity Management (PIM) generates alerts when there's suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Privileged Identity Management dashboard. Select the alert to see a report that lists the users or roles that triggered the alert.
-![Screenshot that shows the "Alerts" page with a list of alerts and their severity.](./media/pim-how-to-configure-security-alerts/view-alerts.png)
+![Screenshot that shows the alerts page with a list of alerts and their severity.](./media/pim-how-to-configure-security-alerts/view-alerts.png)
## Security alerts This section lists all the security alerts for Azure AD roles, along with how to fix and how to prevent. Severity has the following meaning: - **High**: Requires immediate action because of a policy violation.-- **Medium**: Does not require immediate action but signals a potential policy violation.-- **Low**: Does not require immediate action but suggests a preferable policy change.
+- **Medium**: Doesn't require immediate action but signals a potential policy violation.
+- **Low**: Doesn't require immediate action but suggests a preferable policy change.
### Administrators aren't using their privileged roles
Severity: **Low**
| | Description | | | |
-| **Why do I get this alert?** | Users that have been assigned privileged roles they don't need increases the chance of an attack. It is also easier for attackers to remain unnoticed in accounts that are not actively being used. |
-| **How to fix?** | Review the users in the list and remove them from privileged roles that they do not need. |
+| **Why do I get this alert?** | Users that have been assigned privileged roles they don't need increases the chance of an attack. It's also easier for attackers to remain unnoticed in accounts that aren't actively being used. |
+| **How to fix?** | Review the users in the list and remove them from privileged roles that they don't need. |
| **Prevention** | Assign privileged roles only to users who have a business justification. </br>Schedule regular [access reviews](./pim-create-azure-ad-roles-and-resource-roles-review.md) to verify that users still need their access. | | **In-portal mitigation action** | Removes the account from their privileged role. | | **Trigger** | Triggered if a user goes over a specified number of days without activating a role. |
Severity: **Low**
| | Description | | | |
-| **Why do I get this alert?** | The current Azure AD organization does not have Azure AD Premium P2. |
+| **Why do I get this alert?** | The current Azure AD organization doesn't have Azure AD Premium P2. |
| **How to fix?** | Review information about [Azure AD editions](../fundamentals/active-directory-whatis.md). Upgrade to Azure AD Premium P2. | ### Potential stale accounts in a privileged role
Severity: **Medium**
| | Description | | | |
-| **Why do I get this alert?** | This alert is no longer triggered based on the last password change date of for an account. This alert is for accounts in a privileged role that haven't signed in during the past *n* days, where *n* is a number of days that is configurable between 1-365 days . These accounts might be service or shared accounts that aren't being maintained and are vulnerable to attackers. |
+| **Why do I get this alert?** | This alert is no longer triggered based on the last password change date of for an account. This alert is for accounts in a privileged role that haven't signed in during the past *n* days, where *n* is a number of days that is configurable between 1-365 days. These accounts might be service or shared accounts that aren't being maintained and are vulnerable to attackers. |
| **How to fix?** | Review the accounts in the list. If they no longer need access, remove them from their privileged roles. |
-| **Prevention** | Ensure that accounts that are shared are rotating strong passwords when there is a change in the users that know the password. </br>Regularly review accounts with privileged roles using [access reviews](./pim-create-azure-ad-roles-and-resource-roles-review.md) and remove role assignments that are no longer needed. |
+| **Prevention** | Ensure that accounts that are shared are rotating strong passwords when there's a change in the users that know the password. </br>Regularly review accounts with privileged roles using [access reviews](./pim-create-azure-ad-roles-and-resource-roles-review.md) and remove role assignments that are no longer needed. |
| **In-portal mitigation action** | Removes the account from their privileged role. |
-| **Best practices** | Shared, service, and emergency access accounts that authenticate using a password and are assigned to highly privileged administrative roles such as Global administrator or Security administrator should have their passwords rotated for the following cases:<ul><li>After a security incident involving misuse or compromise of administrative access rights</li><li>After any user's privileges are changed so that they are no longer an administrator (for example, after an employee who was an administrator leaves IT or leaves the organization)</li><li>At regular intervals (for example, quarterly or yearly), even if there was no known breach or change to IT staffing</li></ul>Since multiple people have access to these accounts' credentials, the credentials should be rotated to ensure that people that have left their roles can no longer access the accounts. [Learn more about securing accounts](../roles/security-planning.md) |
+| **Best practices** | Shared, service, and emergency access accounts that authenticate using a password and are assigned to highly privileged administrative roles such as Global administrator or Security administrator should have their passwords rotated for the following cases:<ul><li>After a security incident involving misuse or compromise of administrative access rights</li><li>After any user's privileges are changed so that they're no longer an administrator (for example, after an employee who was an administrator leaves IT or leaves the organization)</li><li>At regular intervals (for example, quarterly or yearly), even if there was no known breach or change to IT staffing</li></ul>Since multiple people have access to these accounts' credentials, the credentials should be rotated to ensure that people that have left their roles can no longer access the accounts. [Learn more about securing accounts](../roles/security-planning.md) |
### Roles are being assigned outside of Privileged Identity Management
Severity: **High**
| | Description | | | |
-| **Why do I get this alert?** | Privileged role assignments made outside of Privileged Identity Management are not properly monitored and may indicate an active attack. |
+| **Why do I get this alert?** | Privileged role assignments made outside of Privileged Identity Management aren't properly monitored and may indicate an active attack. |
| **How to fix?** | Review the users in the list and remove them from privileged roles assigned outside of Privileged Identity Management. You can also enable or disable both the alert and its accompanying email notification in the alert settings. | | **Prevention** | Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there. | | **In-portal mitigation action** | Removes the user from their privileged role. |
Severity: **Low**
| | Description | | | | | **Why do I get this alert?** | Global administrator is the highest privileged role. If a Global Administrator is compromised, the attacker gains access to all of their permissions, which puts your whole system at risk. |
-| **How to fix?** | Review the users in the list and remove any that do not absolutely need the Global administrator role. </br>Assign lower privileged roles to these users instead. |
+| **How to fix?** | Review the users in the list and remove any that don't absolutely need the Global administrator role. </br>Assign lower privileged roles to these users instead. |
| **Prevention** | Assign users the least privileged role they need. | | **In-portal mitigation action** | Removes the account from their privileged role. |
-| **Trigger** | Triggered if two different criteria are met, and you can configure both of them. First, you need to reach a certain threshold of Global administrator role assignments. Second, a certain percentage of your total role assignments must be Global administrators. If you only meet one of these measurements, the alert does not appear. |
+| **Trigger** | Triggered if two different criteria are met, and you can configure both of them. First, you need to reach a certain threshold of Global administrator role assignments. Second, a certain percentage of your total role assignments must be Global administrators. If you only meet one of these measurements, the alert doesn't appear. |
| **Minimum number of Global Administrators** | This setting specifies the number of Global Administrator role assignments, from 2 to 100, that you consider to be too few for your Azure AD organization. | | **Percentage of Global Administrators** | This setting specifies the minimum percentage of administrators who are Global administrators, from 0% to 100%, below which you do not want your Azure AD organization to dip. |
Severity: **Low**
## Customize security alert settings
-On the **Alerts** page, select **Setting**.
+Follow these steps to configure security alerts for Azure AD roles in Privileged Identity Management:
-![Alerts page with Settings highlighted](media/pim-how-to-configure-security-alerts/alert-settings.png)
+1. Sign in to the [Azure portal](https://portal.azure.com/).
-Customize settings on the different alerts to work with your environment and security goals.
+1. Open **Azure AD Privileged Identity Management**. For information about how to add the Privileged Identity Management tile to your dashboard, see [Start using Privileged Identity Management](pim-getting-started.md).
-![Setting page for an alert to enable and configure settings](media/pim-how-to-configure-security-alerts/security-alert-settings.png)
+1. From the left menu, select **Azure AD Roles**.
+
+1. From the left menu, select **Alerts**, and then select **Setting**.
+
+ ![Screenshots of alerts page with the settings highlighted.](media/pim-how-to-configure-security-alerts/alert-settings.png)
+
+1. Customize settings on the different alerts to work with your environment and security goals.
+
+ ![Screenshots of the alert setting page.](media/pim-how-to-configure-security-alerts/security-alert-settings.png)
## Next steps
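Review bot: The typo "the last password change date of for an account" survives unchanged in the rewritten **Potential stale accounts in a privileged role** row; drop "of" so it reads "the last password change date for an account". In the new **Customize security alert settings** procedure, step 4 says "select **Alerts**, and then select **Setting**" while the Azure resource roles article in this same change set uses **Settings**; the two procedures should agree on the label the portal actually shows. The two new alt texts read "Screenshots of ..." for a single image each; use "Screenshot of ...". The **Percentage of Global Administrators** row still says "do not want" where the rest of this edit switched to contractions.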
active-directory Pim Resource Roles Assign Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md
na Previously updated : 06/24/2022 Last updated : 07/29/2022
# Assign Azure resource roles in Privileged Identity Management
-With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, can manage the built-in Azure resource roles, as well as custom roles, including (but not limited to):
+With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, can manage the built-in Azure resource roles, and custom roles, including (but not limited to):
- Owner - User Access Administrator
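Review bot: The rewritten opening sentence still has no subject: "With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, can manage the built-in Azure resource roles, and custom roles, including (but not limited to):" should read "... part of Microsoft Entra, you can manage the built-in Azure resource roles and custom roles, including (but not limited to):". With "as well as" replaced by "and", the comma before "and custom roles" turns the phrase into a one-item list and should go.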
Follow these steps to make a user eligible for an Azure resource role.
1. Select **Azure resources**.
-1. Use the resource filter to find the managed resources you're looking for.
+1. Select the **Resource type** you want to manage. For example, such as **Resource**, or **Resource group**. Then select the resource you want to manage to open its overview page.
- ![List of Azure resources to manage](./media/pim-resource-roles-assign-roles/resources-list.png)
-
-1. Select the resource that you want to manage to open the resource overview page.
+ ![Screenshot that shows how to select Azure resources.](./media/pim-resource-roles-assign-roles/resources-list.png)
1. Under **Manage**, select **Roles** to see the list of roles for Azure resources.
- ![Azure resources roles](./media/pim-resource-roles-assign-roles/resources-roles.png)
- 1. Select **Add assignments** to open the **Add assignments** pane.
-1. Select **Select a role** to open the **Select a role** page.
+ ![Screenshot of Azure resources roles.](./media/pim-resource-roles-assign-roles/resources-roles.png)
- ![New assignment pane](./media/pim-resource-roles-assign-roles/resources-select-role.png)
+1. Select a **Role** you want to assign.
+1. Select **No member selected** link to open the **Select a member or group** pane.
-1. Select a role you want to assign and then click **Select**.
+ ![Screenshot of the new assignment pane.](./media/pim-resource-roles-assign-roles/resources-select-role.png)
- The **Select a member or group** pane opens.
+1. Select a member or group you want to assign to the role and then choose **Select**.
-1. Select a member or group you want to assign to the role and then click **Select**.
-
- ![Select a member or group pane](./media/pim-resource-roles-assign-roles/resources-select-member-or-group.png)
+ ![Screenshots that demonstrates how to select a member or group pane](./media/pim-resource-roles-assign-roles/resources-select-member-or-group.png)
1. On the **Settings** tab, in the **Assignment type** list, select **Eligible** or **Active**.
- ![Memberships settings pane](./media/pim-resource-roles-assign-roles/resources-membership-settings-type.png)
+ ![Screenshot of add assignments settings pane.](./media/pim-resource-roles-assign-roles/resources-membership-settings-type.png)
Privileged Identity Management for Azure resources provides two distinct assignment types: - **Eligible** assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
- - **Active** assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.
+ - **Active** assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned ready to use.
1. To specify a specific assignment duration, change the start and end dates and times. 1. If the role has been defined with actions that permit assignments to that role with conditions, then you can select **Add condition** to add a condition based on the principal user and resource attributes that are part of the assignment.
- ![New assignment - Conditions](./media/pim-resource-roles-assign-roles/new-assignment-conditions.png)
+ ![Screenshot of the new assignment conditions pane.](./media/pim-resource-roles-assign-roles/new-assignment-conditions.png)
Conditions can be entered in the expression builder.
- ![New assignment - Condition built from an expression](./media/pim-resource-roles-assign-roles/new-assignment-condition-expression.png)
+ ![Screenshot of the new assignment condition built from an expression.](./media/pim-resource-roles-assign-roles/new-assignment-condition-expression.png)
1. When finished, select **Assign**. 1. After the new role assignment is created, a status notification is displayed.
- ![New assignment - Notification](./media/pim-resource-roles-assign-roles/resources-new-assignment-notification.png)
+ ![Screenshot of a new assignment notification.](./media/pim-resource-roles-assign-roles/resources-new-assignment-notification.png)
## Assign a role using ARM API Privileged Identity Management supports Azure Resource Manager (ARM) API commands to manage Azure resource roles, as documented in the [PIM ARM API reference](/rest/api/authorization/roleeligibilityschedulerequests). For the permissions required to use the PIM API, see [Understand the Privileged Identity Management APIs](pim-apis.md).
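Review bot: Step 2 of the assign procedure doubles up its example phrasing: "For example, such as **Resource**, or **Resource group**." should be "for example, **Resource** or **Resource group**"; the same sentence is repeated verbatim in the update/remove procedure later in this change, so fix both. The new alt text "Screenshots that demonstrates how to select a member or group pane" has a number-agreement error and no terminating period; "Screenshot of the Select a member or group pane." matches the other alt texts in this file. The new wording for active assignments, "Members assigned as active have the privileges assigned ready to use", is less clear than the "at all times" it replaces; if the intent is that active members hold the role's privileges for the whole assignment period without activating, say that.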
-The following is a sample HTTP request to create an eligible assignment for an Azure role.
+The following example is a sample HTTP request to create an eligible assignment for an Azure role.
### Request
PUT https://management.azure.com/providers/Microsoft.Subscription/subscriptions/
"roleDefinitionId": "/subscriptions/dfa2a084-766f-4003-8ae1-c4aeb893a99f/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", "requestType": "AdminAssign", "scheduleInfo": {
- "startDateTime": "2020-09-09T21:31:27.91Z",
+ "startDateTime": "2022-07-05T21:00:00.91Z",
"expiration": { "type": "AfterDuration", "endDateTime": null,
Status code: 201
"status": "Provisioned", "approvalId": null, "scheduleInfo": {
- "startDateTime": "2020-09-09T21:31:27.91Z",
+ "startDateTime": "2022-07-05T21:00:00.91Z",
"expiration": { "type": "AfterDuration", "endDateTime": null,
Status code: 201
}, "justification": null, "requestorId": "a3bb8764-cb92-4276-9d2a-ca1e895e55ea",
- "createdOn": "2020-09-09T21:32:27.91Z",
+ "createdOn": "2022-07-05T21:00:45.91Z",
"condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'", "conditionVersion": "1.0", "expandedProperties": {
Follow these steps to update or remove an existing role assignment.
1. Select **Azure resources**.
-1. Select the resource you want to manage to open its overview page.
+1. Select the **Resource type** you want to manage. For example, such as **Resource**, or **Resource group**. Then select the resource you want to manage to open its overview page.
-1. Under **Manage**, select **Roles** to see the list of roles for Azure resources.
+ ![Screenshot that shows how to select Azure resources to update.](./media/pim-resource-roles-assign-roles/resources-list.png)
- ![Azure resource roles - Select role](./media/pim-resource-roles-assign-roles/resources-update-select-role.png)
+1. Under **Manage**, select **Roles** to list the roles for Azure resources. The following screenshot lists the roles of an Azure Storage account. Select the role that you want to update or remove.
-1. Select the role that you want to update or remove.
+ ![Screenshot that shows the roles of an Azure Storage account.](./media/pim-resource-roles-assign-roles/resources-update-select-role.png)
1. Find the role assignment on the **Eligible roles** or **Active roles** tabs.
- ![Update or remove role assignment](./media/pim-resource-roles-assign-roles/resources-update-remove.png)
+ :::image type="content" source="./media/pim-resource-roles-assign-roles/resources-update-remove.png" alt-text="Screenshot demonstrates how to update or remove role assignment." lightbox="./media/pim-resource-roles-assign-roles/resources-update-remove.png":::
1. To add or update a condition to refine Azure resource access, select **Add** or **View/Edit** in the **Condition** column for the role assignment. Currently, the Storage Blob Data Owner, Storage Blob Data Reader, and the Blob Storage Blob Data Contributor roles in Privileged Identity Management are the only two roles supported as part of the [Azure attribute-based access control public preview](../../role-based-access-control/conditions-overview.md).
- ![Update or remove attributes for access control](./media/pim-resource-roles-assign-roles/resources-abac-update-remove.png)
+1. Select **Add expression** or **Delete** to update the expression. You can also select **Add condition** to add a new condition to your role.
-1. Select **Update** or **Remove** to update or remove the role assignment.
+ :::image type="content" source="./media/pim-resource-roles-assign-roles/resources-abac-update-remove.png" alt-text="Screenshot that demonstrates how to update or remove attributes of a role assignment." lightbox="./media/pim-resource-roles-assign-roles/resources-abac-update-remove.png":::
For information about extending a role assignment, see [Extend or renew Azure resource roles in Privileged Identity Management](pim-resource-roles-renew-extend.md).
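Review bot: The condition step in this hunk lists three roles (Storage Blob Data Owner, Storage Blob Data Reader, and "Blob Storage Blob Data Contributor") but says they are "the only two roles supported", and the third name repeats "Blob"; the line is unchanged context here, but since the surrounding steps are being rewritten it is worth correcting the count and the role name at the same time. Step 2 repeats the "For example, such as **Resource**, or **Resource group**." phrasing noted for the assign procedure. The new final step, "Select **Add expression** or **Delete** to update the expression", drops the explicit "Select **Update** or **Remove** to update or remove the role assignment" instruction that the procedure's introduction ("Follow these steps to update or remove an existing role assignment") promises; keep that step, or state where the Update and Remove actions now live.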
active-directory Pim Resource Roles Configure Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-alerts.md
na Previously updated : 06/24/2022 Last updated : 07/29/2022
# Configure security alerts for Azure roles in Privileged Identity Management
-Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Alerts page.
+Privileged Identity Management (PIM) generates alerts when there's suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Alerts page.
-![Azure resources - Alerts page listing alert, risk level, and count](media/pim-resource-roles-configure-alerts/rbac-alerts-page.png)
+![Screenshot of the alerts page listing alert, risk level, and count.](media/pim-resource-roles-configure-alerts/rbac-alerts-page.png)
## Review alerts Select an alert to see a report that lists the users or roles that triggered the alert, along with remediation guidance.
-![Alert report showing last scan time, description, mitigation steps, type, severity, security impact, and how to prevent next time](media/pim-resource-roles-configure-alerts/rbac-alert-info.png)
+![Screenshot of the alert report showing last scan time, description, mitigation steps, type, severity, security impact, and how to prevent next time.](media/pim-resource-roles-configure-alerts/rbac-alert-info.png)
## Alerts Alert | Severity | Trigger | Recommendation | | | **Too many owners assigned to a resource** | Medium | Too many users have the owner role. | Review the users in the list and reassign some to less privileged roles.
-**Too many permanent owners assigned to a resource** | Medium | Too many users are permanently assigned to a role. | Review the users in the list and re-assign some to require activation for role use.
+**Too many permanent owners assigned to a resource** | Medium | Too many users are permanently assigned to a role. | Review the users in the list and reassign some to require activation for role use.
**Duplicate role created** | Medium | Multiple roles have the same criteria. | Use only one of these roles.
-**Roles are being assigned outside of Privileged Identity Management (Preview)** | High | A role is managed directly through the Azure IAM resource blade or the Azure Resource Manager API | Review the users in the list and remove them from privileged roles assigned outside of Privilege Identity Management.
+**Roles are being assigned outside of Privileged Identity Management (Preview)** | High | A role is managed directly through the Azure IAM resource, or the Azure Resource Manager API. | Review the users in the list and remove them from privileged roles assigned outside of Privilege Identity Management.
> [!NOTE] > During the public preview of the **Roles are being assigned outside of Privileged Identity Management (Preview)** alert, Microsoft supports only permissions that are assigned at the subscription level.
Alert | Severity | Trigger | Recommendation
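Review bot: "Privilege Identity Management" (missing "d") survives in the rewritten **Roles are being assigned outside of Privileged Identity Management (Preview)** row; it should be "Privileged Identity Management" as everywhere else in the table. The same row changes "the Azure IAM resource blade" to "the Azure IAM resource", which no longer names a place in the portal; if "blade" is being retired, "the resource's **Access control (IAM)** page" is the usual replacement.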
### Severity - **High**: Requires immediate action because of a policy violation. -- **Medium**: Does not require immediate action but signals a potential policy violation.-- **Low**: Does not require immediate action but suggests a preferred policy change.
+- **Medium**: Doesn't require immediate action but signals a potential policy violation.
+- **Low**: Doesn't require immediate action but suggests a preferred policy change.
## Configure security alert settings
-From the Alerts page, go to **Settings**.
+Follow these steps to configure security alerts for Azure roles in Privileged Identity Management:
-![Alerts page with Settings highlighted](media/pim-resource-roles-configure-alerts/rbac-navigate-settings.png)
+1. Sign in to the [Azure portal](https://portal.azure.com/).
-Customize settings on the different alerts to work with your environment and security goals.
+1. Open **Azure AD Privileged Identity Management**. For information about how to add the Privileged Identity Management tile to your dashboard, see [Start using Privileged Identity Management](pim-getting-started.md).
-![Setting page for an alert to enable and configure settings](media/pim-resource-roles-configure-alerts/rbac-alert-settings.png)
+1. From the left menu, select **Azure resources**.
+
+1. From the list of resources, select your Azure subscription.
+
+1. On the **Alerts** page, select **Settings**.
+
+ ![Screenshot of the alerts page with settings highlighted.](media/pim-resource-roles-configure-alerts/rbac-navigate-settings.png)
+
+1. Customize settings on the different alerts to work with your environment and security goals.
+
+ ![Screenshot of the alert setting.](media/pim-resource-roles-configure-alerts/rbac-alert-settings.png)
## Next steps
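Review bot: The new procedure jumps from "From the list of resources, select your Azure subscription." straight to "On the **Alerts** page, select **Settings**." without a step that opens the Alerts page; the Azure AD roles version of this procedure in the same change set has "From the left menu, select **Alerts**" between those two steps, and this one needs the equivalent. The final alt text, "Screenshot of the alert setting.", is vaguer than the text it replaces ("Setting page for an alert to enable and configure settings"); "Screenshot of the alert settings page." keeps the information.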
active-directory Pim Security Wizard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-security-wizard.md
Previously updated : 06/27/2022 Last updated : 07/29/2022
Also, keep role assignments permanent if a user has a Microsoft account (in othe
1. Open **Azure AD Privileged Identity Management**.
-1. Select **Azure AD roles** and then select **Discovery and insights (Preview)**. Opening the page begins the discovery process to find relevant role assignments.
+1. From the left menu, select **Azure AD roles** and then select **Discovery and insights (Preview)**. Opening the page begins the discovery process to find relevant role assignments.
![Azure AD roles - Discovery and insights page showing the 3 options](./media/pim-security-wizard/new-preview-link.png)
active-directory Ediwin Saas Edi Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/ediwin-saas-edi-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with Ediwin SaaS EDI'
+description: Learn how to configure single sign-on between Azure Active Directory and Ediwin SaaS EDI.
++++++++ Last updated : 07/23/2022++++
+# Tutorial: Azure AD SSO integration with Ediwin SaaS EDI
+
+In this tutorial, you'll learn how to integrate Ediwin SaaS EDI with Azure Active Directory (Azure AD). When you integrate Ediwin SaaS EDI with Azure AD, you can:
+
+* Control in Azure AD who has access to Ediwin SaaS EDI.
+* Enable your users to be automatically signed-in to Ediwin SaaS EDI with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Ediwin SaaS EDI single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Ediwin SaaS EDI supports **SP** initiated SSO.
+
+## Add Ediwin SaaS EDI from the gallery
+
+To configure the integration of Ediwin SaaS EDI into Azure AD, you need to add Ediwin SaaS EDI from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Ediwin SaaS EDI** in the search box.
+1. Select **Ediwin SaaS EDI** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Ediwin SaaS EDI
+
+Configure and test Azure AD SSO with Ediwin SaaS EDI using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Ediwin SaaS EDI.
+
+To configure and test Azure AD SSO with Ediwin SaaS EDI, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Ediwin SaaS EDI SSO](#configure-ediwin-saas-edi-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Ediwin SaaS EDI test user](#create-ediwin-saas-edi-test-user)** - to have a counterpart of B.Simon in Ediwin SaaS EDI that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Ediwin SaaS EDI** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier** textbox, type a URL using the following pattern:
+ `https://web.sedeb2b.com/<EdiwinDomain>`
+
+ b. In the **Reply URL** textbox, type a URL using the following pattern:
+ `https://web.sedeb2b.com/Ediwin/samlLogin/<EdiwinDomain>`
+
+ c. In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://web.sedeb2b.com/Ediwin/samlLogin/<EdiwinDomain>`
+
+ > [!Note]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Ediwin SaaS EDI support team](mailto:cau@edicomgroup.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
+
+1. On the **Set up Ediwin SaaS EDI** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Attributes")
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Ediwin SaaS EDI.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Ediwin SaaS EDI**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Ediwin SaaS EDI SSO
+
+To configure single sign-on on **Ediwin SaaS EDI** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Ediwin SaaS EDI support team](mailto:cau@edicomgroup.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Ediwin SaaS EDI test user
+
+In this section, you create a user called Britta Simon in Ediwin SaaS EDI. Work with [Ediwin SaaS EDI support team](mailto:cau@edicomgroup.com) to add the users in the Ediwin SaaS EDI platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to Ediwin SaaS EDI Sign-on URL where you can initiate the login flow.
+
+* Go to Ediwin SaaS EDI Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Ediwin SaaS EDI tile in the My Apps, this will redirect to Ediwin SaaS EDI Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Ediwin SaaS EDI you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
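Review bot: the Reply URL and Sign-on URL patterns in the Basic SAML Configuration step are identical (`https://web.sedeb2b.com/Ediwin/samlLogin/<EdiwinDomain>`). The Reply URL is the endpoint Azure AD posts the signed SAML response to, while the Sign-on URL only starts the SP-initiated flow, so if Ediwin exposes two different endpoints one of these patterns is wrong, and if they genuinely coincide the text should say so instead of leaving the reader to suspect a copy-paste error. Since the note tells the reader to obtain the real values from Ediwin support, it should also stress that the Reply URL entered in Azure AD must match the vendor's assertion consumer endpoint exactly, because Azure AD will only deliver the assertion to a registered Reply URL. In the Configure Ediwin SaaS EDI SSO section the Federation Metadata XML is handed to the vendor once, but it carries the Azure AD signing certificate, which expires and can be replaced from the SAML Signing Certificate section; add a sentence that the vendor must receive updated metadata before the certificate changes, otherwise the vendor side keeps validating against the old certificate and sign-in fails. Smaller points: "Britta Simon" in Create Ediwin SaaS EDI test user should be "B.Simon" like the rest of the tutorial; "They set this setting to have the SAML SSO connection set properly on both sides" reads better as "They configure this setting so that the SAML SSO connection is set up properly on both sides"; and "organizationΓÇÖs" in Next steps is mojibake for "organization's".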
active-directory Figbytes Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/figbytes-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with FigBytes'
+description: Learn how to configure single sign-on between Azure Active Directory and FigBytes.
++++++++ Last updated : 07/21/2022++++
+# Tutorial: Azure AD SSO integration with FigBytes
+
+In this tutorial, you'll learn how to integrate FigBytes with Azure Active Directory (Azure AD). When you integrate FigBytes with Azure AD, you can:
+
+* Control in Azure AD who has access to FigBytes.
+* Enable your users to be automatically signed-in to FigBytes with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* FigBytes single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* FigBytes supports **SP** and **IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add FigBytes from the gallery
+
+To configure the integration of FigBytes into Azure AD, you need to add FigBytes from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **FigBytes** in the search box.
+1. Select **FigBytes** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for FigBytes
+
+Configure and test Azure AD SSO with FigBytes using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in FigBytes.
+
+To configure and test Azure AD SSO with FigBytes, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure FigBytes SSO](#configure-figbytes-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create FigBytes test user](#create-figbytes-test-user)** - to have a counterpart of B.Simon in FigBytes that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **FigBytes** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
+
+1. Click **Set additional URLs** and perform the following step, if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type the URL:
+ `https://figbytes.biz/`
+
+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
+
+1. On the **Set up FigBytes** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Screenshot shows to copy configuration appropriate U R L.](common/copy-configuration-urls.png "Attributes")
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to FigBytes.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **FigBytes**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure FigBytes SSO
+
+To configure single sign-on on **FigBytes** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [FigBytes support team](mailto:support@figbytes.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create FigBytes test user
+
+In this section, you create a user called Britta Simon in FigBytes. Work with [FigBytes support team](mailto:support@figbytes.com) to add the users in the FigBytes platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to FigBytes Sign-on URL where you can initiate the login flow.
+
+* Go to FigBytes Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the FigBytes for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the FigBytes tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the FigBytes for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure FigBytes you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
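Review bot: the IDP initiated part of Test SSO only says that clicking Test this application signs the user in, but in that mode FigBytes receives a SAML response it never requested, so there is no AuthnRequest to correlate the assertion with and the vendor side can rely only on signature, audience and validity-window checks. The Scenario description should carry a one-line caveat that SP initiated mode is the safer default and that IDP initiated mode should be enabled only after FigBytes support confirms it validates unsolicited responses. The NOTE under Scenario description says the Identifier is a fixed string so only one instance per tenant is possible, and the Basic SAML Configuration step then tells the reader to do nothing; spelling out what that fixed Identifier (the SAML Entity ID / audience) is would let a reader confirm the audience value against what FigBytes support configures from the metadata they are sent in Configure FigBytes SSO. Smaller points: "Britta Simon" in Create FigBytes test user should be "B.Simon" like the rest of the tutorial; "They set this setting to have the SAML SSO connection set properly on both sides" reads better as "They configure this setting so that the SAML SSO connection is set up properly on both sides"; and "organizationΓÇÖs" in Next steps is mojibake for "organization's".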
active-directory Admin Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/admin-api.md
+
+ Title: Admin API for managing Microsoft Entra Verified ID
+
+description: Learn how to manage your verifiable credential deployment using Admin API.
+documentationCenter: ''
+++++ Last updated : 07/28/2022++
+#Customer intent: As an administrator, I am trying to learn how to use the Admin API and automate my tenant.
++
+# Verifiable credentials admin API
++
+The Microsoft Entra Verified ID Admin API enables you to manage all aspects of the Verifiable Credential service. It offers a way to set up a brand new service, manage and create Verifiable Credential contracts, revoke Verifiable Credentials and completely opt out the service as well.
+
+> The API is intended for developers comfortable with RESTful APIs and enough permissions on the Azure Active Directory tenant to enable the service
+
+## Base URL
+
+The Admin API is server over HTTPS. All URLs referenced in the documentation have the following base: `https://verifiedid.did.msidentity.com`.
+
+## Authentication
+
+The API is protected through Azure Active Directory and uses OAuth2 bearer tokens. The app registration needs to have the API Permission for `Verifiable Credentials Service Admin` and then when acquiring the access token the app should use scope `6a8b4b39-c021-437c-b060-5a14a3fd65f3/full_access`.
+
+## Onboarding
+
+This API is to help create a new environment so new authorities can be set up. This can be triggered manually by navigating to the Verifiable Credential page in the Azure portal as well. You only need to call this API once and only if you want to set up a brand new environment just with the API.
+
+#### HTTP request
+
+`POST /v1.0/verifiableCredentials/onboard`
+
+Use this endpoint to finish provisioning of the Verifiable Credential service in your tenant. The system creates the rest of the service principals if these aren't provisioned yet.
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+Don't supply a request body for this method.
+
+#### Return message
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "id": "f5bf2fc6-7135-4d94-a6fe-c26e4543bc5a",
+ "servicePrincipal": "90e10a26-94cd-49d6-8cd7-cacb10f00686",
+ "status": "Enabled"
+}
+```
+
+Repeatedly calling this API will result in the exact same return message.
+
+## Authorities
+
+This endpoint can be used to create or update a Verifiable Credential service instance.
+
+### Methods
++
+| Methods | Return Type | Description |
+| -- | -- | -- |
+| [Get Authority](#get-authority) | Authority | Read properties of an authority |
+| [List Authority](#list-authorities) | Authority array | Get a list of all configured Authorities/verifiable credential services |
+| [Create Authority](#create-authority) | Authority | Create a new authority |
+| [Update authority](#update-authority) | Authority | Update authority |
+| [Generate Well known DID Configuration](#well-known-did-configuration) | | |
+| [Generate DID Document](#generate-did-document) | | |
+| [Validate Well-known DID config](#validate-well-known-did-configuration) | | |
+| [Rotate Signing Key](#rotate-signing-keys) | | |
++
+### Get authority
+
+Retrieve the properties of a configured authority or verifiable credential service instance.
+
+#### HTTP request
+
+`GET /v1.0/verifiableCredentials/authorities/:authorityId`
+
+Replace the `:authorityId` with the value of one of the configured authorities.
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+Don't supply a request body for this method
+
+#### Response message
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "id": "ffea7eb3-0000-1111-2222-000000000000",
+ "name": "ExampleAuthorityName",
+ "status": "Enabled",
+ "didModel": {
+ "did": "did:ion:EiAVvtjqr_Ji8pXGNtherrMW2FPl5Ays9mII2vP_QTgUWA:eyJkZWx...<SNIP>",
+ "signingKeys": [
+ "https://vccontosokv.vault.azure.net/keys/issuerSigningKeyIon-ffea7eb3-0000-1111-2222-000000000000/5257c49db8164e198b4c5997e8a31ad4"
+ ],
+ "recoveryKeys": [
+ "https://vccontosokv.vault.azure.net/keys/issuerRecoveryKeyIon-ffea7eb3-0000-1111-2222-000000000000/5cfb5458af524da88897522690e01a7e"
+ ],
+ "updateKeys": [
+ "https://vccontosokv.vault.azure.net/keys/issuerUpdateKeyIon-ffea7eb3-0000-1111-2222-000000000000/24494dbbbace4a079422dde943e1b6f0"
+ ],
+ "encryptionKeys": [],
+ "linkedDomainUrls": [
+ "https://www.contoso.com/"
+ ],
+ "didDocumentStatus": "published"
+ },
+ "keyVaultMetadata": {
+ "subscriptionId": "b593ade1-e353-43ab-9fb8-cccf669478d0",
+ "resourceGroup": "verifiablecredentials",
+ "resourceName": "vccontosokv",
+ "resourceUrl": "https://vccontosokv.vault.azure.net/"
+ }
+}
+
+```
+
+The response contains the following properties.
+
+#### Authority type
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `Id` | string | An autogenerated unique ID, which can be used to retrieve or update the specific instance of the verifiable credential service |
+| `name` | string | The friendly name of this instance of the verifiable credential service |
+| `status` | string | status of the service, this value will always be `enabled` |
+| [didModel](#didmodel-type) | didModel | Information about the DID and keys |
+| [keyVaultMetadata](#keyvaultmetadata-type) | keyVaultMeta data | Information about the used Key Vault |
++
+#### didModel type
+
+We support two different didModels. One is `ion` and the other supported method is `web`
+
+#### ION
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `did` | string | The DID for this verifiable credential service instance |
+| `signingKeys` | string array | URL to the signing key |
+| `recoveryKeys` | string array | URL to the recovery key |
+| `encryptionKeys` | string array | URL to the encryption key |
+| `linkedDomainUrls` | string array | Domains linked to this DID |
+| `didDocumentStatus` | string | status of the DID, `published` when it's written to ION otherwise it will be `submitted`|
+
+#### Web
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `did` | string | The DID for this verifiable credential service instance |
+| `signingKeys` | string array | URL to the signing key |
+| `linkedDomainUrls` | string array | Domains linked to this DID, expecting one single entry |
+| [didModel](#didmodel-type) | didModel | Information about the DID and keys |
+| `didDocumentStatus` | string | status of the DID, value is always `published` for this method |
++
+#### keyVaultMetadata type
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `subscriptionId` | string | The Azure subscription this Key Vault resides |
+| `resourceGroup` | string | name of the resource group from this Key Vault |
+| `resouceName` | string | Key Vault name |
+| `resourceUrl` | string | URL to this Key Vault |
++
+### List authorities
+
+Get all configured authorities or verifiable credential services for this tenant
+
+#### HTTP request
+
+`GET /v1.0/verifiableCredentials/authorities`
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+Don't supply a request body for this method.
+
+#### Response message
+
+Response message is an array of [Authorities](#authority-type)
+Example:
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ value:
+
+ [
+ {
+ "id": "ffea7eb3-0000-1111-2222-000000000000",
+ "name": "ContractName",
+ "status": "Enabled",
+ "didModel": {
+ "did": "did:ion:EiAVvtjqr_Ji8pXGNtherrMW2FPl5Ays9mII2vP_QTgUWA:eyJkZWx<SNIP>...",
+ "signingKeys": [
+ "https://vccontosokv.vault.azure.net/keys/issuerSigningKeyIon-ffea7eb3-0000-1111-2222-000000000000/5257c49db8164e198b4c5997e8a31ad4"
+ ],
+ "recoveryKeys": [
+ "https://vccontosokv.vault.azure.net/keys/issuerRecoveryKeyIon-ffea7eb3-0000-1111-2222-000000000000/5cfb5458af524da88897522690e01a7e"
+ ],
+ "updateKeys": [
+ "https://vccontosokv.vault.azure.net/keys/issuerUpdateKeyIon-ffea7eb3-0000-1111-2222-000000000000/24494dbbbace4a079422dde943e1b6f0"
+ ],
+ "encryptionKeys": [],
+ "linkedDomainUrls": [
+ "https://www.contoso.com/"
+ ],
+ "didDocumentStatus": "published"
+ },
+ "keyVaultMetadata": {
+ "subscriptionId": "b593ade1-e353-43ab-9fb8-cccf669478d0",
+ "resourceGroup": "verifiablecredentials",
+ "resourceName": "vccontosokv",
+ "resourceUrl": "https://vccontosokv.vault.azure.net/"
+ }
+ },
+ {
+ "id": "cc55ba22-0000-1111-2222-000000000000",
+ "name": "APItest6",
+ "keyVaultUrl": "https://vccontosokv.vault.azure.net/",
+ "status": "Enabled",
+ "didModel": {
+ "did": "did:ion:EiD_mGdhdAXOS1BV6c7r-CCjetaoRKuAENEwsRM1_QEHMg:eyJkZWx0YSI<SNIP>....",
+ "signingKeys": [
+ "https://vccontosokv.vault.azure.net/keys/issuerSigningKeyIon-cc55ba22-0000-1111-2222-000000000000/f8f149eaee194beb83dfca14714ef62a"
+ ],
+ "recoveryKeys": [
+ "https://vccontosokv.vault.azure.net/keys/issuerRecoveryKeyIon-cc55ba22-0000-1111-2222-000000000000/68f976cc44014eafb354a6fe305b7d4d"
+ ],
+ "updateKeys": [
+ "https://vccontosokv.vault.azure.net/keys/issuerUpdateKeyIon-cc55ba22-0000-1111-2222-000000000000/b85328af0c1f460ea026fbdda9cd6652"
+ ],
+ "encryptionKeys": [],
+ "linkedDomainUrls": [
+ "https://www.contoso.com/"
+ ],
+ "didDocumentStatus": "published"
+ },
+ "keyVaultMetadata": {
+ "subscriptionId": "b593ade1-e353-43ab-9fb8-cccf669478d0",
+ "resourceGroup": "verifiablecredentials",
+ "resourceName": "vccontosokv",
+ "resourceUrl": "https://vccontosokv.vault.azure.net/"
+ }
+ }
+ ]
+}
+```
+
+### Create authority
+
+This call creates a new **private key**, recovery key and update key, stores these in the specified Azure Key Vault and sets the permissions to this Key Vault for the verifiable credential service and a create new **DID** with corresponding DID Document and commits that to the ION network.
+
+#### HTTP request
+
+`POST /v1.0/verifiableCredentials/authorities`
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+In the request body, supply a JSON representation of the following
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `name` | string | The display name of this instance of the service |
+| `linkedDomainUrl` | string | The domain linked to this DID |
+| `didMethod` | string | option `web` or `ion` |
+| `keyVaultMetadata` | keyVaultMetadata | meta data for specific key vault |
+
+Example message:
+```
+{
+ "name":"ExampleName",
+ "linkedDomainUrl":"https://www.contoso.com/",
+ "didMethod": "web",
+ "keyVaultMetadata":
+ {
+ "subscriptionId":"b593ade1-e353-43ab-9fb8-cccf669478d0",
+ "resourceGroup":"verifiablecredentials",
+ "resourceName":"vccontosokv",
+ "resourceUrl": "https://vccontosokv.vault.azure.net/"
+ }
+}
+```
+
+#### Response message
+
+When successful the response message contains the name of the [authority](#authority-type)
+
+Example message for did:web:
+```
+{
+ "id": "bacf5333-d68c-01c5-152b-8c9039fbd88d",
+ "name": "APItesta",
+ "status": "Enabled",
+ "didModel": {
+ "did": "did:web:www.contoso.com",
+ "signingKeys": [
+ "https://vcwingtipskv.vault.azure.net/keys/vcSigningKey-bacf5333-d68c-01c5-152b-8c9039fbd88d/5255b9f2d9b94dc19a369ff0d36e3407"
+ ],
+ "recoveryKeys": [],
+ "updateKeys": [],
+ "encryptionKeys": [],
+ "linkedDomainUrls": [
+ "https://www.contoso.com/"
+ ],
+ "didDocumentStatus": "published"
+ },
+ "keyVaultMetadata": {
+ "subscriptionId": "1853e356-bc86-4e54-8bb8-6db4e5eacdbd",
+ "resourceGroup": "verifiablecredentials",
+ "resourceName": "vcwingtipskv",
+ "resourceUrl": "https://vcwingtipskv.vault.azure.net/"
+ },
+ "linkedDomainsVerified": false
+}
+```
++
+Example message for did:ion:
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "id": "cc55ba22-0000-1111-2222-000000000000",
+ "name": "APItest6",
+ "status": "Enabled",
+ "didModel": {
+ "did": "did:ion:EiD_mGdhdAXOS1BV6c7r-CCjetaoRKuAENEwsRM1_QEHMg",
+ "signingKeys": [
+ "https://vccontosokv.vault.azure.net/keys/issuerSigningKeyIon-cc55ba22-0000-1111-2222-000000000000/f8f149eaee194beb83dfca14714ef62a"
+ ],
+ "recoveryKeys": [
+ "https://vccontosokv.vault.azure.net/keys/issuerRecoveryKeyIon-cc55ba22-0000-1111-2222-000000000000/68f976cc44014eafb354a6fe305b7d4d"
+ ],
+ "updateKeys": [
+ "https://vccontosokv.vault.azure.net/keys/issuerUpdateKeyIon-cc55ba22-0000-1111-2222-000000000000/b85328af0c1f460ea026fbdda9cd6652"
+ ],
+ "encryptionKeys": [],
+ "linkedDomainUrls": [
+ "https://www.contoso.com/"
+ ],
+ "didDocumentStatus": "submitted"
+ },
+ "keyVaultMetadata": {
+ "subscriptionId": "b593ade1-e353-43ab-9fb8-cccf669478d0",
+ "resourceGroup": "verifiablecredentials",
+ "resourceName": "vccontosokv",
+ "resourceUrl": "https://vccontosokv.vault.azure.net/"
+ }
+}
+
+```
+
+### Remarks
+
+>You can create multiple authorities with their own DID and private keys, these will not be visible in the UI of the azure portal. Currently we only support having 1 authority. We have not fully tested all scenarios with multiple created authorities. If you are trying this please let us know your experience.
+
+### Update authority
+
+This method can be used to update the display name of this specific instance of the verifiable credential service.
+
+#### HTTP request
+
+`POST /v1.0/verifiableCredentials/authorities/:authorityId`
+
+Replace the value of `:authorityId` with the value of the authority ID you want to update.
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+In the request body, supply a JSON representation of the following.
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `name` | string | The display name of this instance of the service |
+
+Example message
+```
+{
+ "name":"ExampleIssuerName"
+}
+```
+
+### Linked domains
+
+It's possible to update the domain related to the DID. This functionality needs to write an update operation to ION to get this update distributed around the world. The update can take some time, currently up to an hour before it's processed and available for other users.
+
+#### HTTP request
+
+`POST /v1.0/verifiableCredentials/authorities/:authorityId/updateLinkedDomains`
+
+replace the value of `:authorityId` with the value of the authority ID you want to update.
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+You need to specify the domain you want to publish to the DID Document. Although the value of domains is an array, you should only specify a **single domain**.
+
+In the request body, supply a JSON representation of the following:
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `domainUrls` | string array | link to domain(s), need to start with https and not contain a path |
+
+Example message:
+
+```
+{
+ "domainUrls" : ["https://www.mydomain.com"]
+}
+```
+
+#### Response message
+
+```
+HTTP/1.1 202 Accepted
+Content-type: application/json
+
+Accepted
+```
+
+The didDocumentStatus will switch to `submitted` it will take a while before the change is committed to the ION network.
+
+If you try to submit a change before the operation is completed, you'll get the following error message:
+
+```
+HTTP/1.1 409 Conflict
+Content-type: application/json
+
+{
+ "requestId":"83047b1c5811284ce56520b63b9ba83a","date":"Mon, 07 Feb 2022 18:36:24 GMT",
+ "mscv":"tf5p8EaXIY1iWgYM.1",
+ "error":
+ {
+ "code": "conflict",
+ "innererror": {
+ "code":"ionOperationNotYetPublished",
+ "message":"There is already an operation in queue for this organization's DID (decentralized identifier), please wait until the operation is published to submit a new one."
+ }
+ }
+}
+```
+
+You need to wait until the didDocumentstatus is back to `published` before you can submit another change.
+
+The domain URLs must start with https and not contain any path values.
+
+Possible error messages:
+
+```
+HTTP/1.1 400 Bad Request
+Content-type: application/json
+
+{
+ "requestId":"57c5ac78abb86bbfbc6f9e96d9ae6b18",
+ "date":"Mon, 07 Feb 2022 18:47:14 GMT",
+ "mscv":"+QfihZZk87z0nky2.0",
+ "error": "BadRequest",
+ "innererror": {
+ "code":"parameterUrlSchemeMustBeHttps",
+ "message":"URLs must begin with HTTPS: domains"
+ }
+}
+```
+
+```
+HTTP/1.1 400 Bad Request
+Content-type: application/json
+
+{
+ "requestId":"e65753b03f28f159feaf434eaf140547",
+ "date":"Mon, 07 Feb 2022 18:48:36 GMT",
+ "mscv":"QWB4uvgYzCKuMeKg.0",
+ "error": "BadRequest",
+ "innererror": {
+ "code":"parameterUrlPathMustBeEmpty",
+ "message":"The URL can only include a domain. Please remove any characters after the domain name and try again. linkedDomainUrl"
+ }
+}
+```
++
+#### Remarks
+
+Although it is technically possible to publish multiple domains, we currently only support a single domain per authority.
+
+### Well-known DID configuration
+
+The `generateWellknownDidConfiguration` method generates the signed did-configuration.json file. The file must be uploaded to the `.well-known` folder in the root of the website hosted for the domain in the linked domain of this verifiable credential instance. Instructions can be found [here](how-to-dnsbind.md#distribute-well-known-config).
+
+#### HTTP request
+
+`POST /v1.0/verifiableCredentials/authorities/:authorityId/generateWellknownDidConfiguration`
++
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+You need to specify one of the domains in the linkedDomains of the specified authority.
+
+```
+{
+ "domainUrl":"https://atest/"
+}
+```
+
+#### Response message
+
+Example response message:
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@context": "https://identity.foundation/.well-known/contexts/did-configuration-v0.0.jsonld",
+ "linked_dids": [
+ "eyJhbGciOiJFUzI1NksiL...<SNIP>..."
+ ]
+}
+```
+
+Save this result with the file name did-configuration.json and upload this file to the correct folder and website. If you specify a domain not linked to this DID/DID Document, you'll receive an error:
+
+```
+HTTP/1.1 400 Bad Request
+Content-type: application/json
+
+{
+ "requestId":"079192a95fbf56a661c1b2dd0e012af5",
+ "date":"Mon, 07 Feb 2022 18:55:53 GMT",
+ "mscv":"AVQh55YiU3FxMipB.0",
+ "error":
+ {
+ "code":"wellKnownConfigDomainDoesNotExistInIssuer",
+ "message":"The domain used as an input to generate the well-known document is not registered with your organization. Domain: https://wrongdomain/"
+ }
+}
+
+```
+
+#### Remarks
+
+You can point multiple DIDs to the same domain. If you choose this configuration, you need to combine generated tokens and put them in the same did-configuration.json file. The file contains an array of these tokens.
+
+For example:
+```
+{
+ "@context": "https://identity.foundation/.well-known/contexts/did-configuration-v0.0.jsonld",
+ "linked_dids": [
+ "eyJhbG..token1...<SNIP>...",
+ "eyJhbG..token2...<SNIP>..."
+ ]
+}
+```
+
+### Generate DID document
+
+This call generates the DID Document used for DID:WEB identifiers. After generating this DID Document, the administrator has to place the file at the https://domain/.well-known/did.json location.
+
+#### HTTP request
+
+`POST /v1.0/verifiableCredentials/authorities/:authorityId/generateDidDocument`
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+Don't supply a request body for this method.
+
+#### Response message
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "id": "did:web:www.contoso.com",
+ "@context": [
+ "https://www.w3.org/ns/did/v1",
+ {
+ "@base": "did:web:www.contoso.com"
+ }
+ ],
+ "service": [
+ {
+ "id": "#linkeddomains",
+ "type": "LinkedDomains",
+ "serviceEndpoint": {
+ "origins": [
+ "https://www.contoso.com/"
+ ]
+ }
+ },
+ {
+ "id": "#hub",
+ "type": "IdentityHub",
+ "serviceEndpoint": {
+ "instances": [
+ "https://verifiedid.hub.msidentity.com/v1.0/f640a374-b380-42c9-8e14-d174506838e9"
+ ]
+ }
+ }
+ ],
+ "verificationMethod": [
+ {
+ "id": "#a2518db3b6b44332b3b667928a51b0cavcSigningKey-f0a5b",
+ "controller": "did:web:www.contoso.com",
+ "type": "EcdsaSecp256k1VerificationKey2019",
+ "publicKeyJwk": {
+ "crv": "secp256k1",
+ "kty": "EC",
+ "x": "bFkOsjDB_K-hfz-c-ggspVHETMeZm31CtuzOt0PrmZc",
+ "y": "sewHrUNpXvJ7k-_4K8Yq78KgKzT1Vb7kmhK8x7_6h0g"
+ }
+ }
+ ],
+ "authentication": [
+ "#a2518db3b6b44332b3b667928a51b0cavcSigningKey-f0a5b"
+ ],
+ "assertionMethod": [
+ "#a2518db3b6b44332b3b667928a51b0cavcSigningKey-f0a5b"
+ ]
+}
+```
+
+#### Remark
+
+Requires the caller to have the KEY List permissions on the target key vault.
+
+### Validate well-known DID configuration
+
+This call checks your DID setup. It downloads the well known DID configuration and validates if the correct DID is used and the signature is correct.
+
+#### HTTP request
+
+`POST /v1.0/verifiableCredentials/authorities/:authorityId/validateWellKnownDidConfiguration`
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+Don't supply a request body for this method.
++
+#### Response message
+
+```
+HTTP/1.1 204 No Content
+Content-type: application/json
+```
+
+### Rotate signing keys
+
+The rotate signing keys update the private key for the did:web authority.
+
+#### HTTP request
+
+`POST /v1.0/verifiableCredentials/authorities/:authorityId/rotateSigningKey`
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request Body
+
+Don't supply a request body for this method.
+
+#### Response message
+
+```
+HTTP/1.1 202 Accepted
+Content-type: application/json
+```
++
+## Contracts
+
+This endpoint allows you to create new contracts, and update existing contracts. Contracts consist of two parts represented by two JSON definitions. Information on how to design and create a contract manually can be found [here](credential-design.md).
+
+- The display definition is used by administrators to control the appearance of a verifiable credential, for example background color, logo and title of the verifiable credential. This file also contains the claims that need to be stored inside the verifiable credential.
+- The rules definition contains the information on how to gather and collect attestations like self-attested claims, another verifiable credential as input or perhaps an ID Token received after a user has signed in to an OIDC compatible identity provider.
+
+### Methods
+
+| Methods | Return Type | Description |
+| -- | -- | -- |
+| [Get contract](#get-contract) | Contract | Read properties of a Contract |
+| [List contracts](#list-contracts) | Contract collection | Get a list of all configured contracts |
+| [Create contract](#create-contract) | Contract | Create a new contract |
+| [Update contract](#update-contract) | Contract | Update contract |
++
+### Get contract
+
+#### HTTP request
+
+`GET /v1.0/verifiableCredentials/authorities/:authorityId/contracts/:contractId`
+
+Replace the ```:authorityId``` and ```:contractId``` with the correct value of the authority and contract.
++
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+Don't supply a request body for this method.
+
+#### Response message
+
+example message:
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "id": "ZjViZjJmYzYtNzEzNS00ZDk0LWE2ZmUtYzI2ZTQ1NDNiYzVhPHNjcmlwdD5hbGVydCgneWF5IScpOzwvc2NyaXB0Pg",
+ "name": "contractname",
+ "status": "Enabled",
+ "issueNotificationEnabled": false,
+ "availableInVcDirectory": false,
+ "manifestUrl": "...",
+ "issueNotificationAllowedToGroupOids" : null,
+ "rules": rulesModel,
+ "displays": displayModel[]
+}
+```
+
+The response contains the following properties
+
+#### Contract type
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `Id` | string | contract ID |
+| `name` | string | The friendly name of this contract |
+| `status` | string | Always `Enabled` |
+| `manifestUrl` | string | URL to the contract used in the issuance request |
+| `issueNotificationEnabled` | boolean | set to true if users will be notified this VC is ready for them to get issued |
+| `issueNotificationAllowedToGroupOids` | array of groupId strings | array of group IDs this credential will be offered to |
+| `availableInVcDirectory` | boolean | Is this contract published in the Verifiable Credential Network |
+| [rules](#rulesmodel-type) | rulesModel | rules definition |
+| [displays](#displaymodel-type) | displayModel array| display definitions |
+
+#### rulesModel type
+
+| Property | Type | Description |
+| -- | -- | -- |
+|`attestations`| [idTokenAttestation](#idtokenattestation-type) or [idTokenHintAttestation](#idtokenhintattestation-type) and/or [verifiablePresentationAttestation](#verifiablepresentationattestation-type) and/or [selfIssuedAttestation](#selfissuedattestation-type) and/or [accessTokenAttestation](#accesstokenattestation-type) (array) | describing supported inputs for the rules |
+|`validityInterval` | number | this value shows the lifespan of the credential |
+|`vc`| vcType array | types for this contract |
+|`customStatusEndpoint`| [customStatusEndpoint] (#customstatusendpoint-type) (optional) | status endpoint to include in the verifiable credential for this contract |
+
+If the property `customStatusEndpoint` property isn't specified then the `anonymous` status endpoint is used.
+
+#### idTokenAttestation type
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `mapping` | [claimMapping](#claimmapping-type) (optional) | rules to map input claims into output claims in the verifiable credential |
+| `configuration` | string (url) | location of the identity provider's configuration document |
+| `clientId` | string | client ID to use when obtaining the ID token |
+| `redirectUri` | string | redirect uri to use when obtaining the ID token MUST BE vcclient://openid/ |
+| `scope` | string | space delimited list of scopes to use when obtaining the ID token |
+| `required` | boolean (default false) | indicating whether this attestation is required or not |
+
+#### idTokenHintAttestation type
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `mapping` | [claimMapping](#claimmapping-type) (optional) | rules to map input claims into output claims in the verifiable credential |
+| `required` | boolean (default false) | indicating whether this attestation is required or not |
+| `trustedIssuers` | string (array) | a list of DIDs allowed to issue the verifiable credential for this contract |
+
+#### verifiablePresentationAttestation type
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `mapping` | [claimMapping](#claimmapping-type) (optional) | rules to map input claims into output claims in the verifiable credential |
+| `credentialType` | string (optional) | required credential type of the input |
+| `required` | boolean (default false) | indicating whether this attestation is required or not |
+| `trustedIssuers` | string (array) | a list of DIDs allowed to issue the verifiable credential for this contract |
+
+#### selfIssuedAttestation type
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `mapping` | [claimMapping](#claimmapping-type) (optional) | rules to map input claims into output claims in the verifiable credential |
+| `required` | boolean (default false) | indicating whether this attestation is required or not |
+
+#### accessTokenAttestation type
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `mapping` | [claimMapping](#claimmapping-type) (optional) | rules to map input claims into output claims in the verifiable credential |
+| `required` | boolean (default false) | indicating whether this attestation is required or not |
+
+> Supported `inputClaim` values for the `mappings` property are: `givenName`, `displayName`, `preferredLanguage`, `userPrincipalName`, `surname`, `mail`, `jobTitle`, `photo`.
+
+#### claimMapping type
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `inputClaim` | string | the name of the claim to use from the input |
+| `outputClaim` | string | the name of the claim in the verifiable credential |
+| `indexed` | boolean (default false) | indicating whether the value of this claim is used for searching; only one clientMapping object is allowed to be indexed for a given contract |
+| `required` | boolean (default false) | indicating whether this mapping is required or not |
+| `type` | string (optional) | type of claim |
+
+#### customStatusEndpoint type
+
+| Property | Type | Description |
+| -- | -- | -- |
+| `url` | string (url)| the url of the custom status endpoint |
+| `type` | string | the type of the endpoint |
+example:
+
+```
+"rules": {
+ "attestations": {
+ "idTokens": [
+ {
+ "clientId": "2f670d73-624a-41fe-a139-6f1f8f2d2e47",
+ "configuration": "https://bankofwoodgrove.b2clogin.com/bankofwoodgrove.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_si",
+ "redirectUri": "vcclient://openid/",
+ "scope": "openid",
+ "mapping": [
+ {
+ "outputClaim": "givenName",
+ "required": false,
+ "inputClaim": "given_name",
+ "indexed": false
+ },
+ {
+ "outputClaim": "familyName",
+ "required": false,
+ "inputClaim": "family_name",
+ "indexed": true
+ }
+ ],
+ "required": false
+ }
+ ]
+ },
+ "validityInterval": 2592000,
+ "vc": {
+ "type": [
+ "BankofWoodgroveIdentity"
+ ]
+ }
+}
+```
+
+#### displayModel type
+
+| Property | Type | Description |
+| -- | -- | -- |
+|`locale`| string | the locale of this display |
+|`credential` | [displayCredential](#displaycredential-type) | the display properties of the verifiable credential |
+|`consent` | [displayConsent](#displayconsent-type) | supplemental data when the verifiable credential is issued |
+|`claims`| [displayClaims](#displayclaims-type) array | labels for the claims included in the verifiable credential |
+
+#### displayCredential type
+
+| Property | Type | Description |
+| -- | -- | -- |
+|`title`| string | title of the credential |
+|`issuedBy` | string | the name of the issuer of the credential |
+|`backgroundColor` | number (hex)| background color of the credential in hex, for example, #FFAABB |
+|`textColor`| number (hex)| text color of the credential in hex, for example, #FFAABB |
+|`description`| string | supplemental text displayed alongside each credential |
+|`logo`| [displayCredentialLogo](#displaycredentiallogo-type) | the logo to use for the credential |
+
+#### displayCredentialLogo type
+
+| Property | Type | Description |
+| -- | -- | -- |
+|`url`| string (url) | url of the logo (optional if image is specified) |
+|`description` | string | the description of the logo |
+|`image` | string | the base-64 encoded image (optional if url is specified) |
+
+#### displayConsent type
+
+| Property | Type | Description |
+| -- | -- | -- |
+|`title`| string | title of the consent |
+|`instructions` | string | supplemental text to use when displaying consent |
+
+#### displayClaims type
++
+| Property | Type | Description |
+| -- | -- | -- |
+|`label`| string | the label of the claim in display |
+|`claim`| string | the name of the claim to which the label applies |
+|`type`| string | the type of the claim |
+|`description` | string (optional) | the description of the claim |
+
+example:
+```
+{
+ "displays": [
+ {
+ "locale": "en-US",
+ "card": {
+ "backgroundColor": "#FFA500",
+ "description": "ThisisyourBankofWoodgroveIdentity",
+ "issuedBy": "BankofWoodgrove",
+ "textColor": "#FFFF00",
+ "title": "BankofWoodgroveIdentity",
+ "logo": {
+ "description": "Defaultbankofwoodgrovelogo",
+ "uri": "https://didcustomerplayground.blob.core.windows.net/public/VerifiedCredentialExpert_icon.png"
+ }
+ },
+ "consent": {
+ "instructions": "Please login with your bankofWoodgrove account to receive this credential.",
+ "title": "Do you want to accept the verifiedbankofWoodgrove Identity?"
+ },
+ "claims": [
+ {
+ "claim": "vc.credentialSubject.givenName",
+ "label": "Name",
+ "type": "String"
+ },
+ {
+ "claim": "vc.credentialSubject.familyName",
+ "label": "Surname",
+ "type": "String"
+ }
+ ]
+ }
+ ]
+}
+```
+
+### List contracts
+
+This API lists all contracts configured in the current tenant for the specified authority.
+
+#### HTTP request
+
+`GET /v1.0/verifiableCredentials/authorities/:authorityId/contracts`
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+Don't supply a request body for this method.
+
+#### Response message
+
+example message:
+
+```
+{
+ value:
+ [
+ {
+ "id": "ZjViZjJmYzYtNzEzNS00ZDk0LWE2ZmUtYzI2ZTQ1NDNiYzVhPHNjcmlwdD5hbGVydCgneWF5IScpOzwvc2NyaXB0Pg",
+ "name": "test1",
+ "authorityId": "ffea7eb3-0000-1111-2222-000000000000",
+ "status": "Enabled",
+ "issueNotificationEnabled": false,
+ "manifestUrl" : "https:/...",
+ "rules": "<rules JSON>",
+ "displays": [{<display JSON}]
+ },
+ {
+ "id": "ZjViZjJmYzYtNzEzNS00ZDk0LWE2ZmUtYzI2ZTQ1NDNiYzVhdGVzdDI",
+ "name": "test2",
+ "authorityId": "cc55ba22-0000-1111-2222-000000000000",
+ "status": "Enabled",
+ "issueNotificationEnabled": false,
+ "manifestUrl" : "https:/...",
+ "rules": "<rules JSON>",
+ "displays": [{<display JSON}]
+ }
+ ]
+}
+```
+
+### Create contract
+
+When creating a contract the name has to be unique in the tenant. In case you have created multiple authorities, the contract name has to be unique across all authorities.
+The name of the contract will be part of the contract URL which is used in the issuance requests.
+
+#### HTTP request
+
+`POST /v1.0/verifiableCredentials/authorities/:authorityId/contracts`
++
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
++
+Example request
+
+```
+{
+ "name": "ExampleContractName1",
+ "rules": "<rules JSON>",
+ "displays": [{<display JSON}],
+}
+```
+
+#### Response message
+
+Example message:
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "id": "GUID",
+ "name": "ExampleContractName1",
+ "issuerId": "cc55ba22-0000-1111-2222-000000000000",
+ "status": "Enabled",
+ "issueNotificationEnabled": false,
+ "rules": "<rules JSON>",
+ "displays": [{<display JSON}],
+ "manifestUrl": "https://..."
+}
+```
++
+### Update contract
+
+This API Allows you to update the contract.
+
+`PATCH /v1.0/verifiableCredentials/authorities/:authorityId/contracts/:contractid`
+
+Example request:
+
+```
+{
+ "rules": "<rules JSON>",
+ "displays": [{<display JSON}],}
+}
+```
+
+#### Response message
+
+Example message:
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "id": "ZjViZjJmYzYtNzEzNS00ZDk0LWE2ZmUtYzI2ZTQ1NDNiYzVhPHNjcmlwdD5hbGVydCgneWF5IScpOzwvc2NyaXB0Pg",
+ "name": "contractname",
+ "status": "Enabled",
+ "issueNotificationEnabled": false,
+ "availableInVcDirectory": false,
+ "manifestUrl": "https://...",
+ "issueNotificationAllowedToGroupOids" : null,
+ "rules": rulesModel,
+ "displays": displayModel[]
+}
+```
+
+## Credentials
+
+This endpoint allows you to search for issued verifiable credentials, check revocation status and revoke credentials.
+
+### Methods
++
+| Methods | Return Type | Description |
+| -- | -- | -- |
+| [Get credential](#get-credential) | Credential | Read properties of a Credential |
+| [Search credentials](#search-credentials) | Credential collection | Search a list of credentials with a specific claim value |
+| [Revoke credential](#revoke-credential) | | Revoke specific credential |
+
+### Get credential
+This API allows you to retrieve a specific credential and check the status to see if it is revoked or not.
+
+#### HTTP Request
+`GET /v1.0/verifiableCredentials/authorities/:authorityId/contracts/:contractId/credentials/:credentialId`
+
+#### Request headers
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Response message
+Example message
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "id": "urn:pic:aea42fb3724b4ef08bd2d2712e79bda2",
+ "contractId": "ZjViZjJmYzYtNzEzNS00ZDk0LWE2ZmUtYzI2ZTQ1NDNiYzVhdGVzdDM",
+ "status": "valid",
+ "issuedAt": "2017-09-13T21:59:23.9868631Z"
+}
+```
+
+### Search credentials
+
+You are able to [search](how-to-issuer-revoke.md) for verifiable credentials with specific index claims. Since only a hash is stored, you need to search for the specific calculated value. The algorithm you need to use is: Base64Encode(SHA256(contractid + claim value)) An example in C# looks like this:
+
+```csharp
+ string claimvalue = "Bowen";
+ string contractid = "ZjViZjJmYzYtNzEzNS00ZDk0LWE2ZmUtYzI2ZTQ1NDNiYzVhdGVzdDM";
+ string output;
+
+ using (var sha256 = SHA256.Create())
+ {
+ var input = contractid + claimvalue;
+ byte[] inputasbytes = Encoding.UTF8.GetBytes(input);
+ hashedsearchclaimvalue = Convert.ToBase64String(sha256.ComputeHash(inputasbytes));
+ }
+```
+
+The following request shows how to add the calculated value to the filter parameter of the request. At this moment only the filter=indexclaim eq format is supported.
+
+### HTTP request
+
+`GET /v1.0/verifiableCredentials/authorities/:authorityId/contracts/:contractId/credentials?filter=indexclaim eq {hashedsearchclaimvalue}`
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+Don't supply a request body for this method.
+
+#### Response message
+
+Example message
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "value": [
+ {
+ "id": "urn:pic:aea42fb3724b4ef08bd2d2712e79bda2",
+ "contractId": "ZjViZjJmYzYtNzEzNS00ZDk0LWE2ZmUtYzI2ZTQ1NDNiYzVhdGVzdDM",
+ "status": "valid",
+ "issuedAt": 1644029489000
+ }
+ ]
+}
+```
+
+Example message
+```
+{
+ "value": [
+ {
+ "id": "urn:pic:aea42fb3724b4ef08bd2d2712e79bda2",
+ "contractId": "ZjViZjJmYzYtNzEzNS00ZDk0LWE2ZmUtYzI2ZTQ1NDNiYzVhdGVzdDM",
+ "status": "issuerRevoked",
+ "issuedAt": 1644029489000
+ }
+ ]
+}
+```
+
+### Revoke credential
+
+This API allows you to revoke a specific credential, after you searched for the credential by using the search API the credential can be revoked by specifying the specific credential ID.
++
+#### HTTP request
+
+`POST /v1.0/verifiableCredentials/authorities/:authorityId/contracts/:contractId/credentials/:credentialid/revoke`
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+Don't supply a request body for this method.
+
+#### Response message
+
+```
+HTTP/1.1 204 No Content
+Content-type: application/json
+```
++
+## Opt-out
+
+This method will completely remove all instances of the verifiable credential service in this tenant. It removes all configured contracts. Every issued verifiable credential can't be checked for revocation. This action can't be undone.
+
+>[!WARNING]
+> This action cannot be undone and will invalidate all issued verifiable credentials and created contracts.
+
+#### HTTP Request
+`POST /v1.0/verifiableCredentials/optout`
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request body
+
+Don't supply a request body for this method
+
+#### Response message
+
+Example response message
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+OK
+```
+
+#### Remark
+
+>[!NOTE]
+> If you don't have delete permissions on Key Vault we will return an error message and still opt-out
+
+## Next steps
+
+- [Specify the request service REST API issuance request](issuance-request-api.md)
+- [Entra Verified ID Network API](issuance-request-api.md)
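Review bot: the C# sample under "Search credentials" (the `csharp` block after "An example in C# looks like this:") won't compile as written: it declares `string output;` but then assigns `hashedsearchclaimvalue = Convert.ToBase64String(sha256.ComputeHash(inputasbytes));`, a variable that is never declared; change the declaration to `string hashedsearchclaimvalue;` and mention the `System.Security.Cryptography` and `System.Text` usings the snippet depends on. Two request bodies are also not valid JSON: the "Update contract" example ends with `"displays": [{<display JSON}],}` followed by a second `}`, and the "Create contract" body has a trailing comma after `"displays": [{<display JSON}],`. The sample contract `id` reused in the Get, List and Update contract responses (`ZjViZjJmYzYtNzEzNS00ZDk0LWE2ZmUtYzI2ZTQ1NDNiYzVhPHNjcmlwdD5hbGVydCgneWF5IScpOzwvc2NyaXB0Pg`) is base64 whose decoded tail is a `<script>` tag, so it looks like leftover test data rather than a representative ID; replace it with an ID built from a plain contract name, as the `test2`/`test3` IDs elsewhere in this hunk are. Minor: several added lines contain only a stray `+` (for example after the second 400 Bad Request block and after `#### Request body` in Create contract) and will render literally; `### HTTP request` under Search credentials should be `####` like the sibling headings; and the "Next steps" entry "Entra Verified ID Network API" links to `issuance-request-api.md`, the same target as the entry above it.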
active-directory Credential Design https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/credential-design.md
[!INCLUDE [verifiable credentials announcement](../../../includes/verifiable-credentials-brand.md)]
-Verifiable credentials are made up of two components, *rules* definitions and *display* definitions. A rules definition determines what users need to provide before they receive a verifiable credential. A display definition controls the branding of the credential and styling of the claims.
+Verifiable credentials definitions are made up of two components, *display* definitions and *rules* definitions. A display definition controls the branding of the credential and styling of the claims. A rules definition determines what users need to provide before they receive a verifiable credential.
-This article explains how to modify both types of files to meet the requirements of your organization.
+This article explains how to modify both types of definitions to meet the requirements of your organization.
> [!IMPORTANT] > Microsoft Entra Verified ID is currently in preview. This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-## Rules definition: Requirements from the user
-
-The rules definition is a simple JSON document that describes important properties of verifiable credentials. In particular, it describes how claims are used to populate your verifiable credential.
-
-### User-input types
+## Display definition: wallet credential visuals
-The following four user-input types are currently available to be configured in the rules definition. They're used by the verifiable credential issuing service to insert claims into a verifiable credential and attest to that information with your decentralized identifier (DID).
+Microsoft Entra Verified ID offer a limited set of options that can be used to reflect your brand. This article provides instructions how to customize your credentials, and best practices for designing credentials that look great after they're issued to users.
-* **ID token**: When this option is configured, you'll need to provide an Open ID Connect configuration URI and include the claims that should be included in the verifiable credential. Users are prompted to 'Sign in' on the Authenticator app to meet this requirement and add the associated claims from their account.
+Microsoft Authenticator, being a decentralized identities wallet, displays verifiable credentials that are issued to users as cards. As a VC administrator, you can choose card colors, icons, and text strings to match your organization's brand.
-* **ID token hint**: The sample App and Tutorial use the ID token Hint. When this option is configured, the relying party app will need to provide claims that should be included in the verifiable credential in the Request Service API issuance request. Where the relying party app gets the claims from is up to the app, but it can come from the current sign-in session, from backend CRM systems or even from self asserted user input.
-
-* **Verifiable credentials**: The end result of an issuance flow is to produce a verifiable credential but you may also ask the user to Present a verifiable credential in order to issue one. The rules definition is able to take specific claims from the presented verifiable credential and include those claims in the newly issued verifiable credential from your organization.
+![Screenshot of a verified credential card in Authenticator, calling out key elements.](media/credential-design/detailed-view.png)
-* **Self-attested claims**: When this option is selected, the user can type information directly into Authenticator. At this time, strings are the only supported input for self attested claims.
-
- ![Detailed view of a verifiable credential card.](media/credential-design/issuance-doc.png)
-
-### Static claims
+Cards also contain customizable fields. You can use these fields to let users know the purpose of the card, the attributes it contains, and more.
-Additionally, you can declare a static claim in the rules definition, but this input doesn't come from the user. The issuer defines a static claim in the rules definition, and it looks like any other claim in the verifiable credential. You add credentialSubject after vc.type and declare the attribute and the claim.
+## Create a credential display definition
-```json
-"vc": {
- "type": [ "StaticClaimCredential" ],
- "credentialSubject": {
- "staticClaim": true,
- "anotherClaim": "Your Claim Here"
- },
- }
-}
-```
+The display definition is a simple JSON document that describes how the wallet app should display the contents of your verifiable credentials.
-## Input type: ID token
+>[!NOTE]
+> This display model is currently used only by Microsoft Authenticator.
-To get an ID token as input, the rules definition needs to configure the well-known endpoint of the OpenID Connect (OIDC)-compatible identity system. In that system you need to register an application with the correct information from the [Issuer service communication examples](issuer-openid.md). Additionally, you need to put client_id in the rules definition and fill in a scope parameter with the correct scopes. For example, Azure Active Directory needs the email scope if you want to return an email claim in the ID token.
+The display definition has the following structure:
```json
- {
- "attestations": {
- "idTokens": [
- {
- "mapping": [
- {
- "outputClaim": "firstName",
- "inputClaim": "given_name",
- "required": true,
- "indexed": false
- },
- {
- "outputClaim": "lastName",
- "inputClaim": "family_name",
- "required": true,
- "indexed": true
- }
- ],
- "configuration": "https://dIdPlayground.b2clogin.com/dIdPlayground.onmicrosoft.com/B2C_1_sisu/v2.0/.well-known/openid-configuration",
- "client_id": "8d5b446e-22b2-4e01-bb2e-9070f6b20c90",
- "redirect_uri": "vcclient://openid/",
- "scope": "openid profile"
- }
- ]
+{
+ "locale": "en-US",
+ "card": {
+ "title": "Verified Credential Expert",
+ "issuedBy": "Microsoft",
+ "backgroundColor": "#000000",
+ "textColor": "#ffffff",
+ "logo": {
+ "uri": "https://didcustomerplayground.blob.core.windows.net/public/VerifiedCredentialExpert_icon.png",
+ "description": "Verified Credential Expert Logo"
},
- "validityInterval": 2592000,
- "vc": {
- "type": ["https://schema.org/EducationalCredential", "https://schemas.ed.gov/universityDiploma2020", "https://schemas.contoso.edu/diploma2020" ]
- }
- }
-```
-
-For more information about properties, see [idTokenAttestation type](rules-and-display-definitions-model.md#idtokenattestation-type).
-
-## Input type: ID token hint
-
-To get an ID token hint as input, the rules definition shouldn't contain configuration for an OIDC identity system. Instead, it should have the special value `https://self-issued.me` for the configuration property. The claims mappings are the same as for the ID token type, but the difference is that the claim values need to be provided by the issuance relying party app in the Request Service API issuance request.
-
-```json
- {
- "attestations": {
- "idTokenHints": [
- {
- "configuration": "https://self-issued.me",
- "mapping": [
- {
- "outputClaim": "firstName",
- "inputClaim": "given_name",
- "required": true,
- "indexed": false
- },
- {
- "outputClaim": "lastName",
- "inputClaim": "family_name",
- "required": true,
- "indexed": true
- }
- ]
- }
- ]
+ "description": "Use your verified credential to prove to anyone that you know all about verifiable credentials."
+ },
+ "consent": {
+ "title": "Do you want to get your Verified Credential?",
+ "instructions": "Sign in with your account to get your card."
+ },
+ "claims": [
+ {
+ "claim": "vc.credentialSubject.firstName",
+ "label": "First name",
+ "type": "String"
},
- "validityInterval": 2592000,
- "vc": {
- "type": ["VerifiedCredentialExpert" ]
+ {
+ "claim": "vc.credentialSubject.lastName",
+ "label": "Last name",
+ "type": "String"
}
- }
-```
-
-For more information about properties, see [idTokenHintAttestation type](rules-and-display-definitions-model.md#idtokenhintattestation-type).
-
-### vc.type: Choose credential types
-
-All verifiable credentials must declare their *type* in their rules definition. The credential type distinguishes your verifiable credentials from credentials that are issued by other organizations, and it ensures interoperability between issuers and verifiers.
-
-To indicate a credential type, provide one or more credential types that the credential satisfies. Each type is represented by a unique string. Often, a URI is used to ensure global uniqueness. The URI doesn't need to be addressable. It's treated as a string.
-
-As an example, a diploma credential issued by Contoso University might declare the following types:
-
-| Type | Purpose |
-| - | - |
-| `https://schema.org/EducationalCredential` | Declares that diplomas issued by Contoso University contain attributes defined by the schema.org `EducationaCredential` object. |
-| `https://schemas.ed.gov/universityDiploma2020` | Declares that diplomas issued by Contoso University contain attributes defined by the U.S. Department of Education. |
-| `https://schemas.contoso.edu/diploma2020` | Declares that diplomas issued by Contoso University contain attributes defined by Contoso University. |
-
-By declaring three types of diplomas, Contoso can issue credentials that satisfy different requests from verifiers. A bank can request a set of `EducationCredential`s from a user, and the diploma can be used to satisfy the request. Or the Contoso University Alumni Association can request a credential of type `https://schemas.contoso.edu/diploma2020`, and the diploma can also satisfy the request.
-
-To ensure interoperability of your credentials, we recommend that you work closely with related organizations to define credential types, schemas, and URIs for use in your industry. Many industry bodies provide guidance on the structure of official documents that can be repurposed for defining the contents of verifiable credentials. You should also work closely with the verifiers of your credentials to understand how they intend to request and consume your verifiable credentials.
-
-## Input type: Verifiable credential
-
-> [!NOTE]
-> Rules definitions that ask for a verifiable credential don't use the presentation exchange format for requesting credentials. This approach will be updated when the issuing service supports the standard, Credential Manifest.
-
-```json
-{
- "attestations": {
- "presentations": [
- {
- "mapping": [
- {
- "outputClaim": "first_name",
- "inputClaim": "$.vc.credentialSubject.firstName ",
- "required": true,
- "indexed": false
- },
- {
- "outputClaim": "last_name",
- "inputClaim": ""$.vc.credentialSubject.lastName ",
- "required": true,
- "indexed": true
- },
- "credentialType": "VerifiedCredentialNinja",
- "contracts": [
- "https://beta.did.msidentity.com/v1.0/3c32ed40-8a10-465b-8ba4-0b1e86882668/verifiableCredential/contracts/VerifiedCredentialNinja"
- ],
- "issuers": [
- {
- "iss": "did:ion:123"
- }
- ]
- }
- ]
- },
- "validityInterval": 25920000,
- "vc": {
- "type": [
- "ProofOfNinjaNinja"
- ]
- }
+ ]
} ```
-For more information about properties, see [verifiablePresentationAttestation type](rules-and-display-definitions-model.md#verifiablepresentationattestation-type).
+For more information about properties, see [displayModel type](rules-and-display-definitions-model.md#displaymodel-type).
-## Input type: Self-attested claims
+## Rules definition: Requirements from the user
-During the issuance flow, users can be asked to input some self-attested information. As of now, the only input type is 'string'.
+The rules definition is a simple JSON document that describes important properties of verifiable credentials. In particular, it describes how claims are used to populate your verifiable credential and the credential type.
```json { "attestations": {
- "selfIssued" :
- {
- "mapping": [
- {
- "outputClaim": "firstName",
- "inputClaim": "firstName",
- "required": true,
- "indexed": false
- },
- {
- "outputClaim": "lasttName",
- "inputClaim": "lastName",
- "required": true,
- "indexed": true
- }
--
- }
+ ...
},
- "validityInterval": 2592001,
+ "validityInterval": 2592000,
"vc": {
- "type": [ "VerifiedCredentialExpert" ]
+ "type": [
+ "VerifiedCredentialExpert"
+ ]
} } ```
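Review bot: the `+ ...` placeholder inside the rules sample leaves the block as invalid JSON, so anyone pasting it into a request gets a parse error; since this change removes the concrete `idTokenHints`, `presentations` and `selfIssued` samples that previously filled that spot, consider keeping one complete attestation in the sample (for example the `idTokenHints` block with its `configuration` and `mapping`) or saying in the prose that the attestation body is elided. The `validityInterval` change from 2592001 to 2592000 is correct (30 days in seconds) and matches the value the removed `idTokenHints` sample used.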
-For more information about properties, see [selfIssuedAttestation type](rules-and-display-definitions-model.md#selfissuedattestation-type).
+### Attestations
-## Display definition: Verifiable credentials in Microsoft Authenticator
+The following four attestation types are currently available to be configured in the rules definition. They're used by the verifiable credential issuing service to insert claims into a verifiable credential and attest to that information with your decentralized identifier (DID).
-Verifiable credentials offer a limited set of options that can be used to reflect your brand. This article provides instructions how to customize your credentials, and best practices for designing credentials that look great after they're issued to users.
+* **ID token**: When this option is configured, you'll need to provide an Open ID Connect configuration URI and include the claims that should be included in the verifiable credential. Users are prompted to 'Sign in' on the Authenticator app to meet this requirement and add the associated claims from their account. To configure this option, see this [how to guide](how-to-use-quickstart-idtoken.md)
-Authenticator displays verifiable credentials that are issued to users as cards. As an administrator, you can choose card colors, icons, and text strings to match your organization's brand.
-![Image of a verified credential card in Authenticator, calling out key elements.](media/credential-design/detailed-view.png)
+* **ID token hint**: The sample App and Tutorial use the ID token Hint. When this option is configured, the relying party app will need to provide claims that should be included in the verifiable credential in the Request Service API issuance request. Where the relying party app gets the claims from is up to the app, but it can come from the current sign-in session, from backend CRM systems or even from self asserted user input. To configure this option, please see this [how to guide](how-to-use-quickstart.md)
-Cards also contain customizable fields. You can use these fields to let users know the purpose of the card, the attributes it contains, and more.
+* **Verifiable credentials**: The end result of an issuance flow is to produce a verifiable credential but you may also ask the user to Present a verifiable credential in order to issue one. The rules definition is able to take specific claims from the presented verifiable credential and include those claims in the newly issued verifiable credential from your organization.
-## Create a credential display definition
+* **Self-attested claims**: When this option is selected, the user can type information directly into Authenticator. At this time, strings are the only supported input for self attested claims. To configure this option, please see this [how to guide](how-to-use-quickstart-selfissued.md)
-Much like the rules definition, the display definition is a simple JSON document that describes how the Authenticator app should display the contents of your verifiable credentials.
+For more information about the rules JSON model, see [rulesModel type](rules-and-display-definitions-model.md#rulesmodel-type).
->[!NOTE]
-> This display model is currently used only by Microsoft Authenticator.
+### Credential Types
-The display definition has the following structure:
+All verifiable credentials must declare their *type* in their [rules definition](rules-and-display-definitions-model.md#rulesmodel-type). The credential type distinguishes a verifiable credentials schema from other credentials and it ensures interoperability between issuers and verifiers. To indicate a credential type, provide one or more credential types that the credential satisfies. Each type is represented by a unique string. Often, a URI is used to ensure global uniqueness. The URI doesn't need to be addressable. It's treated as a string. As an example, a diploma credential issued by Contoso University might declare the following types:
-```json
-{
- "default": {
- "locale": "en-US",
- "card": {
- "title": "University Graduate",
- "issuedBy": "Contoso University",
- "backgroundColor": "#212121",
- "textColor": "#FFFFFF",
- "logo": {
- "uri": "https://contoso.edu/images/logo.png",
- "description": "Contoso University Logo"
- },
- "description": "This digital diploma is issued to students and alumni of Contoso University."
- },
- "consent": {
- "title": "Do you want to get your digital diploma from Contoso U?",
- "instructions": "Please log in with your Contoso U account to receive your digital diploma."
- },
- "claims": [
- {
- "claim": "vc.credentialSubject.name",
- "type": "String",
- "label": "Name"
- }
- ]
- }
-}
-```
+| Type | Purpose |
+| - | - |
+| `https://schema.org/EducationalCredential` | Declares that diplomas issued by Contoso University contain attributes defined by the schema.org `EducationaCredential` object. |
+| `https://schemas.ed.gov/universityDiploma2020` | Declares that diplomas issued by Contoso University contain attributes defined by the U.S. Department of Education. |
+| `https://schemas.contoso.edu/diploma2020` | Declares that diplomas issued by Contoso University contain attributes defined by Contoso University. |
-For more information about properties, see [displayModel type](rules-and-display-definitions-model.md#displaymodel-type).
+By declaring three types of diplomas, Contoso can issue credentials that satisfy different requests from verifiers. A bank can request a set of `EducationCredential`s from a user, and the diploma can be used to satisfy the request. Or the Contoso University Alumni Association can request a credential of type `https://schemas.contoso.edu/diploma2020`, and the diploma can also satisfy the request.
+
+To ensure interoperability of your credentials, we recommend that you work closely with related organizations to define credential types, schemas, and URIs for use in your industry. Many industry bodies provide guidance on the structure of official documents that can be repurposed for defining the contents of verifiable credentials. You should also work closely with the verifiers of your credentials to understand how they intend to request and consume your verifiable credentials.
## Next steps Now that you have a better understanding of verifiable credential design and how to create your own, see: - [Issuer service communication examples](issuer-openid.md)-- [Rules and display definition reference](rules-and-display-definitions-model.md)
+- [Rules and display definition reference](rules-and-display-definitions-model.md)
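Review bot: the ID token hint bullet says the claim values may come from "self asserted user input" but does not say that the issuing service still signs whatever the app supplies with the organization's DID; a sentence stating that the relying party app is responsible for validating the claims it puts in the Request Service API issuance request would help, because a verifier only sees the issuer's signature, not where the app got the values. Also carried over from the old table: `EducationaCredential` (for `EducationalCredential`) in the schema.org row, and `EducationCredential`s in the paragraph below, which should match the `https://schema.org/EducationalCredential` type in the table. Minor: "a verifiable credentials schema" reads better as "a verifiable credential's schema"; the ID token, ID token hint and self-attested bullets end without a period after the link; "please see this how to guide" can drop "please" to match the other bullets; and "Open ID Connect", "self asserted" and "self attested" are normally written "OpenID Connect", "self-asserted" and "self-attested".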
active-directory Decentralized Identifier Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/decentralized-identifier-overview.md
Title: Introduction to Azure Active Directory Verifiable Credentials (preview)
+ Title: Introduction to Microsoft Entra Verified ID (preview)
description: An overview Azure Verifiable Credentials.
editor:
Previously updated : 06/16/2022 Last updated : 06/02/2022
-# Introduction to Azure Active Directory Verifiable Credentials (preview)
+# Introduction to Microsoft Entra Verified ID (preview)
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)] > [!IMPORTANT]
-> Azure Active Directory Verifiable Credentials is currently in public preview.
+> Microsoft Entra Verified ID is currently in public preview.
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Our digital and physical lives are increasingly linked to the apps, services, and devices we use to access a rich set of experiences. This digital transformation allows us to interact with hundreds of companies and thousands of other users in ways that were previously unimaginable.
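Review bot: the title and the H1 are renamed to Microsoft Entra Verified ID, but the unchanged `description` line still says "An overview Azure Verifiable Credentials" (old brand, and missing "of"). The date header also moves backwards, from 06/16/2022 to 06/02/2022, which looks like a typo; an edit that renames the product should carry a date later than the previous one.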
-But identity data has too often been exposed in security breaches. These breaches affect our social, professional, and financial lives. Microsoft believes that thereΓÇÖs a better way. Every person has a right to an identity that they own and control, one that securely stores elements of their digital identity and preserves privacy. We are building an open, trustworthy, interoperable, and standards-based Decentralized Identity (DID) solution for individuals and organizations.
+But identity data has too often been exposed in security breaches. These breaches affect our social, professional, and financial lives. Microsoft believes that thereΓÇÖs a better way. Every person has a right to an identity that they own and control, one that securely stores elements of their digital identity and preserves privacy. This primer explains how we are joining hands with a diverse community to build an open, trustworthy, interoperable, and standards-based Decentralized Identity (DID) solution for individuals and organizations.
## Why we need Decentralized Identity
-Today we use our digital identity at work, home, and across every app, service, and device we use. Our digital identity is made up of everything we say, do, and experience in our lives. Activities like purchasing tickets for an event, checking into a hotel, or even ordering lunch become part of our identity. Today our identity and information about our online activity are owned and controlled by others. In some cases, even without our knowledge.
+Today we use our digital identity at work, at home, and across every app, service, and device we use. ItΓÇÖs made up of everything we say, do, and experience in our livesΓÇöpurchasing tickets for an event, checking into a hotel, or even ordering lunch. Currently, our identity and all our digital interactions are owned and controlled by other parties, some of whom we arenΓÇÖt even aware of.
Generally, users grant consent to several apps and devices. This approach requires a high degree of vigilance on the user's part to track who has access to what information. On the enterprise front, collaboration with consumers and partners requires high-touch orchestration to securely exchange data in a way that maintains privacy and security for all involved.
We believe a standards-based Decentralized Identity system can unlock a new set
## Lead with open standards
-WeΓÇÖre committed to working closely with customers, partners, and the community to unlock the next generation of Decentralized IdentityΓÇôbased experiences. We are excited to partner with individuals and organizations making incredible contributions in this space. If the DID ecosystem is to grow, standards, technical components, and code deliverables must be open source and accessible to all.
+WeΓÇÖre committed to working closely with customers, partners, and the community to unlock the next generation of Decentralized IdentityΓÇôbased experiences, and weΓÇÖre excited to partner with the individuals and organizations that are making incredible contributions in this space. If the DID ecosystem is to grow, standards, technical components, and code deliverables must be open source and accessible to all.
Microsoft is actively collaborating with members of the Decentralized Identity Foundation (DIF), the W3C Credentials Community Group, and the wider identity community. WeΓÇÖve worked with these groups to identify and develop critical standards, and the following standards have been implemented in our services.
Microsoft is actively collaborating with members of the Decentralized Identity F
Before we can understand DIDs, it helps to compare them with current identity systems. Email addresses and social network IDs are human-friendly aliases for collaboration but are now overloaded to serve as the control points for data access across many scenarios beyond collaboration. This creates a potential problem, because access to these IDs can be removed at any time by external parties.
-Decentralized Identifiers (DIDs) are different. DIDs are user-generated, self-owned, globally unique identifiers rooted in decentralized systems like ION. They possess unique characteristics, like greater assurance of immutability, censorship resistance, and tamper evasiveness. These attributes are critical for any ID system that is intended to provide self-ownership and user control.
+Decentralized Identifiers (DIDs) are different. DIDs are user-generated, self-owned, globally unique identifiers rooted in decentralized systems like ION. They possess unique characteristics, like greater assurance of immutability, censorship resistance, and tamper evasiveness. These attributes are critical for any ID system that is intended to provide self-ownership and user control.
MicrosoftΓÇÖs verifiable credential solution uses decentralized credentials (DIDs) to cryptographically sign as proof that a relying party (verifier) is attesting to information proving they are the owners of a verifiable credential. A basic understanding of DIDs is recommended for anyone creating a verifiable credential solution based on the Microsoft offering.
To deliver on these promises, we need a technical foundation made up of seven ke
![overview of Microsoft's verifiable credential environment](media/decentralized-identifier-overview/microsoft-did-system.png)
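Review bot: the removed and re-added line about Decentralized Identifiers is identical apart from whitespace, so this hunk is a no-op that only adds diff noise. While this paragraph is being touched, the unchanged sentence after it has two errors worth fixing: DIDs are decentralized identifiers, not "decentralized credentials", and it is not the relying party (verifier) that attests to anything; as the roles section of this same article states, the issuer signs the credential with its DID, the user signs the verifiable presentation proving ownership of their DID, and the verifier validates both. The list that follows is also introduced as "seven" key components but the numbered items run from 1 to 5.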
-**1. W3C Decentralized Identifiers (DIDs)**
+**1. W3C Decentralized Identifiers (DIDs)**.
IDs users create, own, and control independently of any organization or government. DIDs are globally unique identifiers linked to Decentralized Public Key Infrastructure (DPKI) metadata composed of JSON documents that contain public key material, authentication descriptors, and service endpoints.
-**2. Decentralized system**
+**2. Trust System**.
+In order to be able to resolve DID documents, DIDs are typically recorded on an underlying network of some kind that represents a trust system. Microsoft currently supports two trust systems, which are:
-- ION (Identity Overlay Network) ION is a Layer 2 open, permissionless network based on the purely deterministic Sidetree protocol, which requires no special tokens, trusted validators, or other consensus mechanisms. The linear progression of Bitcoin's time chain is all that's required for its operation. We have open sourced a [npm package](https://www.npmjs.com/package/@decentralized-identity/ion-tools) to make working with the ION network easy to integrate into your apps and services. Libraries include creating a new DID, generating keys and anchoring your DID on the Bitcoin blockchain.
+- ION (Identity Overlay Network) ION is a Layer 2 open, permissionless network based on the purely deterministic Sidetree protocol, which requires no special tokens, trusted validators, or other consensus mechanisms; the linear progression of Bitcoin's time chain is all that's required for its operation. We have open sourced a [npm package](https://www.npmjs.com/package/@decentralized-identity/ion-tools) to make working with the ION network easy to integrate into your apps and services. Libraries include creating a new DID, generating keys and anchoring your DID on the Bitcoin blockchain.
-- `did:web` is a permission based model that allows trust using a web domainΓÇÖs existing reputation.
+- DID:Web is a permission based model that allows trust using a web domainΓÇÖs existing reputation.
-**3. DID User Agent/Wallet: Microsoft Authenticator App**
+**3. DID User Agent/Wallet: Microsoft Authenticator App**.
Enables real people to use decentralized identities and Verifiable Credentials. Authenticator creates DIDs, facilitates issuance and presentation requests for verifiable credentials and manages the backup of your DID's seed through an encrypted wallet file.
-**4. Microsoft Resolver**
+**4. Microsoft Resolver**.
An API that connects to our ION node to look up and resolve DIDs using the ```did:ion``` method and return the DID Document Object (DDO). The DDO includes DPKI metadata associated with the DID such as public keys and service endpoints.
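Review bot: replacing the code-formatted `did:web` with "DID:Web" is a regression: DID method names are lowercase in the `did:` URI scheme, and this article writes the other method as ```did:ion``` in code font in the resolver and issuance items, so keep `did:web` in code font. In the trust system bullets, "permission based" should be "permission-based" and "a npm package" should be "an npm package". Adding a trailing period after the bold item labels ("**1. ...**.") is unusual for heading-like labels; if it stays, it should at least be consistent across all five items. Related: item 5 below is still headed "Azure Active Directory Verified Credentials Service" although the title of the article now says Microsoft Entra Verified ID.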
-**5. Azure Active Directory Verified Credentials Service**
+**5. Azure Active Directory Verified Credentials Service**.
An issuance and verification service in Azure and a REST API for [W3C Verifiable Credentials](https://www.w3.org/TR/vc-data-model/) that are signed with the ```did:ion``` method. They enable identity owners to generate, present, and verify claims. This forms the basis of trust between users of the systems. ## A sample scenario
-The scenario we use to explain how Verifiable Credentials work involves:
+The scenario we use to explain how VCs work involves:
-- WoodGrove Inc. a company.-- ProseWare, a company that offers WoodGrove employees discounts.-- Alice, an employee at WoodGrove, Inc. who wants to get a discount from ProseWare
+- Woodgrove Inc. a company.
+- Proseware, a company that offers Woodgrove employees discounts.
+- Alice, an employee at Woodgrove, Inc. who wants to get a discount from Proseware
-Today, Alice provides a username and password to sign in WoodGroveΓÇÖs networked environment. WoodGrove is deploying a verifiable credential solution to provide a more manageable way for Alice to prove that she's an employee of WoodGrove. ProseWare accepts verifiable credentials issued by WoodGrove as proof of employment to offer corporate discounts as part of their corporate discount program.
-Alice requests WoodGrove Inc for a proof of employment verifiable credential. WoodGrove Inc attests Alice's identity and issues a signed verifiable credential that Alice can accept and store in her digital wallet application. Alice can now present this verifiable credential as a proof of employment on the ProseWare site. After a successful presentation of the credential, ProsWare offers discount to Alice and the transaction is logged in Alice's wallet application so that she can track where and to whom she's presented her proof of employment verifiable credential.
+
+Today, Alice provides a username and password to log onto WoodgroveΓÇÖs networked environment. Woodgrove is deploying a verifiable credential solution to provide a more manageable way for Alice to prove that she is an employee of Woodgrove. Proseware accepts verifiable credentials issued by Woodgrove as proof of employment to offer corporate discounts as part of their corporate discount program.
+
+Alice requests Woodgrove Inc for a proof of employment verifiable credential. Woodgrove Inc attests Alice's identity and issues a signed verfiable credential that Alice can accept and store in her digital wallet application. Alice can now present this verifiable credential as a proof of employement on the Proseware site. After a succesfull presentation of the credential, Prosware offers discount to Alice and the transaction is logged in Alice's wallet application so that she can track where and to whom she has presented her proof of employment verifiable credential.
![microsoft-did-overview](media/decentralized-identifier-overview/did-overview.png)
The roles in this scenario are:
![roles in a verifiable credential environment](media/decentralized-identifier-overview/issuer-user-verifier.png)
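Review bot: the rewritten scenario paragraph reintroduces misspellings that the removed version had right: "verfiable", "employement", "succesfull", and "Prosware" (the company is Proseware in the bullet list above). The same edit replaces "sign in" with "log onto" and expands the contractions ("she is", "she has"); the wording of the removed lines ("sign in", "she's") is the better form. In the bullet list, "Woodgrove Inc. a company" needs a comma after "Inc.", and the Alice bullet lacks a final period.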
-**issuer** ΓÇô The issuer is an organization that creates an issuance solution requesting information from a user. The information is used to verify the userΓÇÖs identity. For example, WoodGrove, Inc. has an issuance solution that enables them to create and distribute verifiable credentials (VCs) to all their employees. The employee uses the Authenticator app to sign in with their username and password, which passes an ID token to the issuing service. Once WoodGrove, Inc. validates the ID token submitted, the issuance solution creates a VC that includes claims about the employee and is signed with WoodGrove, Inc. DID. The employee now has a verifiable credential that is signed by their employer, which includes the employees DID as the subject DID.
+**issuer** ΓÇô The issuer is an organization that creates an issuance solution requesting information from a user. The information is used to verify the userΓÇÖs identity. For example, Woodgrove, Inc. has an issuance solution that enables them to create and distribute verifiable credentials (VCs) to all their employees. The employee uses the Authenticator app to sign in with their username and password, which passes an ID token to the issuing service. Once Woodgrove, Inc. validates the ID token submitted, the issuance solution creates a VC that includes claims about the employee and is signed with Woodgrove, Inc. DID. The employee now has a verifiable credential that is signed by their employer, which includes the employees DID as the subject DID.
-**user** ΓÇô The user is the person or entity that is requesting a VC. For example, Alice is a new employee of WoodGrove, Inc. and was previously issued her proof of employment verifiable credential. When Alice needs to provide proof of employment in order to get a discount at ProseWare, she can grant access to the credential in her Authenticator app by signing a verifiable presentation that proves Alice is the owner of the DID. ProseWare is able to validate the credential was issued by WoodGrove, Inc.and Alice is the owner of the credential.
+**user** ΓÇô The user is the person or entity that is requesting a VC. For example, Alice is a new employee of Woodgrove, Inc. and was previously issued her proof of employment verifiable credential. When Alice needs to provide proof of employment in order to get a discount at Proseware, she can grant access to the credential in her Authenticator app by signing a verifiable presentation that proves Alice is the owner of the DID. Proseware is able to validate the credential was issued by Woodgrove, Inc.and Alice is the owner of the credential.
-**verifier** ΓÇô The verifier is a company or entity who needs to verify claims from one or more issuers they trust. For example, ProseWare trusts WoodGrove, Inc. does an adequate job of verifying their employeesΓÇÖ identity and issuing authentic and valid VCs. When Alice tries to order the equipment she needs for her job, ProseWare will use open standards such as SIOP and Presentation Exchange to request credentials from the user proving they are an employee of WoodGrove, Inc. For example, ProseWare might provide Alice a link to a website with a QR code she scans with her phone camera. This initiates the request for a specific VC, which Authenticator will analyze and give Alice the ability to approve the request to prove her employment to ProseWare. ProseWare can use the verifiable credentials service API or SDK, to verify the authenticity of the verifiable presentation. Based on the information provided by Alice they give Alice the discount. If other companies and organizations know that WoodGrove, Inc. issues VCs to their employees, they can also create a verifier solution and use the WoodGrove, Inc. verifiable credential to provide special offers reserved for WoodGrove, Inc. employees.
+**verifier** ΓÇô The verifier is a company or entity who needs to verify claims from one or more issuers they trust. For example, Proseware trusts Woodgrove, Inc. does an adequate job of verifying their employeesΓÇÖ identity and issuing authentic and valid VCs. When Alice tries to order the equipment she needs for her job, Proseware will use open standards such as SIOP and Presentation Exchange to request credentials from the User proving they are an employee of Woodgrove, Inc. For example, Proseware might provide Alice a link to a website with a QR code she scans with her phone camera. This initiates the request for a specific VC, which Authenticator will analyze and give Alice the ability to approve the request to prove her employment to Proseware. Proseware can use the verifiable credentials service API or SDK, to verify the authenticity of the verifiable presentation. Based on the information provided by Alice they give Alice the discount. If other companies and organizations know that Woodgrove, Inc. issues VCs to their employees, they can also create a verifier solution and use the Woodgrove, Inc. verifiable credential to provide special offers reserved for Woodgrove, Inc. employees.
## Next steps
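Review bot: the role descriptions keep two slips from the removed lines: "Woodgrove, Inc.and Alice" is missing a space after "Inc.", and "signed with Woodgrove, Inc. DID" / "the employees DID" need possessives ("Woodgrove, Inc.'s DID", "the employee's DID"). The verifier paragraph also newly capitalizes "the User" mid-sentence and keeps a stray comma in "API or SDK, to verify".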
active-directory Error Codes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/error-codes.md
+
+ Title: API Error codes reference
+
+description: Reference of error codes for Microsoft Entra Verified ID APIs
+documentationCenter: ''
+++++ Last updated : 07/29/2022++
+#Customer intent: As an administrator, I am trying to learn how to use the Request Service API and integrate it into my business application.
++
+# Request Service API error codes
++
+Microsoft Entra Verified ID includes the Request Service REST API that allows you to issue and verify a credential. This article specifies the error codes for the Request Service API.
+
+## Error object
+
+During public preview, the Request Service API returned errors in the following format.
+
+```json
+{
+ "requestId": "4bb6726f77af7623ab52962323016442",
+ "date": "Thu, 28 Apr 2022 14:30:54 GMT",
+ "mscv": "17ppwf3uxR10MfRR.1",
+ "error": {
+ "code": "client_request.invalid_include_qr_code",
+ "message": "The request contains `includeQRCode`, but it is not boolean."
+ }
+}
+
+```
+
+This format is now changed into the following to enable both simpler error handling and better support for troubleshooting. In the new format, the outer [error](#error-type) code and message fields have standardized values while the [```innererror```](#inner-error-type) object provide details on what caused the error.
+
+```json
+{
+ "requestId": "782628eb-503a-4978-84f2-d7c634f25b15",
+ "date": "Fri, 29 Apr 2022 11:20:19 GMT",
+ "mscv": "QbBLwF7XAp0dt4Lw.1",
+ "error": {
+ "code": "badRequest",
+ "message": "The request is invalid.",
+ "innererror": {
+ "code": "badOrMissingField",
+ "message": "The request contains `includeQRCode`, but it is not boolean.",
+ "target": "includeQRCode"
+ }
+ }
+}
+```
+
+|Property |Type |Description |
+||||
+| `requestId`| string | An autogenerated request ID.|
+| `date`| date| The time of the error. |
+| `mscv`| string| Internal Microsoft code. |
+| `error` | [Error](#error-type)| The outer error object |
+
+### Error type
+
+The `error` object is now matching the HTTP Status Code returned from the API Call to enable easier error handling for developers.
+
+|Property |Type |Description |
+||||
+| `code` | string| The return error code matching the HTTP Status Code. |
+| `message`| string| A standardized error message that is also dependent on the HTTP status code returned. |
+| `innererror` | [Innererror](#inner-error-type)| Provide details on what caused the error. |
++
+### Error codes and messages
+
+The following are the possible top level `code` values that maps to the different HTTP status codes returned.
+
+|HTTP Status Code |code |message |
+||||
+| 400 | badRequest |The request is invalid.|
+| 401 | unauthorized |The requested resource requires authentication|
+| 403 | forbidden |Missing permissions to fulfill this request.|
+| 404 | notFound |The requested resource doesn't exist.|
+| 405 | methodNotAllowed |The requested method isn't allowed on the requested resource.|
+| 406 | notAcceptable |Requested response format not supported.|
+| 408 | requestTimeout |The request timed out.|
+| 409 | conflict |The server can't fulfill the request due to a server conflict.|
+| 410 | gone |The requested resource is no longer available.|
+| 411 | contentLengthRequired |The Content-Length header is missing.|
+| 412 | preconditionFailed |A precondition for this request failed.|
+| 413 | payloadTooLarge |The payload is too large.|
+| 414 | uriTooLong |The URI is too long.|
+| 415 | unsupportedMediaType |The specified media type is unsupported.|
+| 416 | rangeNotSatisfiable |The requested range of data requested can't be satisfied.|
+| 417 | expectationFailed |The Expect header couldn't be satisfied.|
+| 421 | misdirectedRequest |Unable to produce a response for this request.|
+| 422 | unprocessableEntity |The request contains semantic errors.|
+| 423 | locked |The source or destination resource is locked.|
+| 429 | tooManyRequests |Too many requests, try again later.|
+| 431 | requestHeaderFieldsTooLarge |The request header field is too large.|
+| 500 | internalServerError |A generic error has occurred on the server.|
+| 501 | notImplemented |The server doesn't support the requested function.|
+| 502 | badGateway |bad response received from another gateway.|
+| 503 | serviceUnavailable |The server is temporarily unavailable, please try again later.|
+| 504 | gatewayTimeout |Time out received from another gateway.|
+| 507 | insufficientStorage |Unable to save data for the request.|
+
+### Inner error type
+
+The inner error object contains error specific details useful to the developer to help investigate the current failure.
+
+```json
+{
+ "requestId": "782628eb-503a-4978-84f2-d7c634f25b15",
+ "date": "Fri, 29 Apr 2022 11:20:19 GMT",
+ "mscv": "QbBLwF7XAp0dt4Lw.1",
+ "error": {
+ "code": "badRequest",
+ "message": "The request is invalid.",
+ "innererror": {
+ "code": "badOrMissingField",
+ "message": "The request contains `includeQRCode`, but it is not boolean.",
+ "target": "includeQRCode"
+ }
+ }
+}
+```
+
+|Property |Type |Description |
+||||
+| `code` | string| The internal error code. Contains a standardized code, based on the type of the error |
+| `message`| string| The internal error message. Contains a detailed message of the error. In this example, the `inlcudeQRCode` field is of the wrong type.|
+| `target` | string| Optional. Target contains the field in the request that is causing this error. This field is optional and may not be present, depending on the error type. |
++
+### Inner error codes
+
+|Code|Description|
+|-|-|
+|`badOrMissingField`|returned when validation issues on the request occur. The `target` field contains the field in the request that is causing the issue.|
+|`notFound`|returned when a resource the client is requesting isn't found. The `target` field contains the resource name/id that isn't found.|
+|`tokenError`|returned for any validation issues on tokens like JWT and the likes. The `target` field contains the token name causing the issue, when applicable.|
+|`transientError`|returned for all the cases where the client might be able to get a successful response if they retry the request at a later stage. A common example of when this code is returned is when an HTTP 429 code is returned back|
+
+## Next steps
+
+- [Issuance API specification](issuance-request-api.md)
+- [Presentation API specification](presentation-request-api.md)
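Review bot: the separator row `||||` under the `HTTP Status Code | code | message` header has no dashes, so Markdown will not render the first row as a table header; use `|---|---|---|` (the `Inner error codes` table further down correctly uses `|-|-|`). In the same hunk: the `message` property description refers to the `inlcudeQRCode` field while the JSON sample spells it `includeQRCode`; `values that maps to` should be `values that map to`; the `unauthorized` and `transientError` rows lack a closing period; `rangeNotSatisfiable` reads "The requested range of data requested" (one "requested" too many); the `badGateway` message starts lowercase; and the four inner-error descriptions begin with a lowercase "returned when", unlike the top-level table. The two `++` lines (after the `innererror` row and after the `target` row) add a line whose only content is a `+`, which will render as a stray character; if a blank line was intended, drop the extra character.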
active-directory Get Started Request Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/get-started-request-api.md
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)]
-Azure Active Directory (Azure AD) Verifiable Credentials includes the Request Service REST API. This API allows you to issue and verify credentials. This article shows you how to start using the Request Service REST API.
+Microsoft Entra Verified ID includes the Request Service REST API. This API allows you to issue and verify credentials. This article shows you how to start using the Request Service REST API.
> [!IMPORTANT] > The Request Service REST API is currently in preview. This preview version is provided without a service level agreement, and you can occasionally expect breaking changes and deprecation of the API while in preview. The preview version of the API isn't recommended for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
Use the [OAuth 2.0 client credentials grant flow](../../active-directory/develop
# [HTTP](#tab/http) ```http
-Refer to to the Microsoft Authentication Library (MSAL) documentation for more information on how to acquire tokens via HTTP.
+POST /{tenant}/oauth2/v2.0/token HTTP/1.1 //Line breaks for clarity
+Host: login.microsoftonline.com
+Content-Type: application/x-www-form-urlencoded
+
+client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
+&scope=3db474b9-6a0c-4840-96ac-1fceb342124f/.default
+&client_secret=sampleCredentia1s
+&grant_type=client_credentials
``` # [C#](#tab/csharp)
const msalConfig = {
}; const cca = new msal.ConfidentialClientApplication(msalConfig); const msalClientCredentialRequest = {
- scopes: ["bbb94529-53a3-4be5-a069-7eaf2712b826/.default"],
+ scopes: ["3db474b9-6a0c-4840-96ac-1fceb342124f/.default"],
skipCache: false, }; module.exports.msalCca = cca;
const result = await mainApp.msalCca.acquireTokenByClientCredential(mainApp.msal
} ```
+# [Python](#tab/python)
+
+```python
+# Initialize MSAL library by using the following code
+msalCca = msal.ConfidentialClientApplication( config["azClientId"],
+ authority="https://login.microsoftonline.com/" + config["azTenantId"],
+ client_credential=config["azClientSecret"],
+ )
+
+# Acquire an access token
+accessToken = ""
+result = msalCca.acquire_token_for_client( scopes="3db474b9-6a0c-4840-96ac-1fceb342124f/.default" )
+if "access_token" in result:
+ accessToken = result['access_token']
+```
+
+# [Java](#tab/java)
+
+```java
+// Initialize MSAL library by using the following code
+ConfidentialClientApplication app = ConfidentialClientApplication.builder(
+ clientId,
+ ClientCredentialFactory.createFromSecret(clientSecret))
+ .authority(authority)
+ .build();
+
+// Acquire an access token
+ClientCredentialParameters clientCredentialParam = ClientCredentialParameters.builder(
+ Collections.singleton(scope))
+ .build();
+CompletableFuture<IAuthenticationResult> future = app.acquireToken(clientCredentialParam);
+IAuthenticationResult result = future.get();
+return result.accessToken();
+```
+ In the preceding code, provide the following parameters:
In the preceding code, provide the following parameters:
| Authority | Required | The directory tenant the application plans to operate against. For example: `https://login.microsoftonline.com/{your-tenant}`. (Replace `your-tenant` with your [tenant ID or name](../fundamentals/active-directory-how-to-find-tenant.md).) | | Client ID | Required | The application ID that's assigned to your app. You can find this information in the Azure portal, where you registered your app. | | Client secret | Required | The client secret that you generated for your app.|
-| Scopes | Required | Must be set to `bbb94529-53a3-4be5-a069-7eaf2712b826/.default`. |
+| Scopes | Required | Must be set to `3db474b9-6a0c-4840-96ac-1fceb342124f/.default`. This will produce an access token with a **roles** claim of `VerifiableCredential.Create.All`. |
For more information about how to get an access token by using a console app's identity, see one of the following articles: [C#](../develop/quickstart-v2-netcore-daemon.md), [Python](../develop/quickstart-v2-python-daemon.md), [Node.js](../develop/quickstart-v2-nodejs-console.md), or [Java](../develop/quickstart-v2-java-daemon.md).
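Review bot: in the Python tab, `acquire_token_for_client( scopes="3db474b9-6a0c-4840-96ac-1fceb342124f/.default" )` passes a string, but MSAL for Python requires `scopes` to be a list, tuple or set and raises `ValueError` otherwise; use `scopes=["3db474b9-6a0c-4840-96ac-1fceb342124f/.default"]`, as the Node tab already does with an array. The snippet also uses `msal` without `import msal`, and `if "access_token" in result:` silently leaves `accessToken = ""` on failure; add an `else` that surfaces `result.get("error")` and `result.get("error_description")` so a wrong client ID or secret fails here instead of as an unauthenticated call later. The Java tab ends with `return result.accessToken();` outside any method, so it will not compile as pasted; wrap it in a method or label it a fragment. The added `In the preceding code, provide the following parameters:` line duplicates the unchanged sentence directly below it; drop one. Since the Scopes row now says the token carries a `roles` claim of `VerifiableCredential.Create.All`, it would help to state that the app registration must be granted that app role: the token request can succeed without it, and only the later Request Service call fails with the 403 `forbidden` code listed in the error reference.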
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded client_id=12345678-0000-0000-00000000000000000
-&scope=bbb94529-53a3-4be5-a069-7eaf2712b826/.default
+&scope=3db474b9-6a0c-4840-96ac-1fceb342124f/.default
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=eyJhbGciOiJSUzI1NiIsIng1dCI6Imd4OHRHeXN5amNScUtqRlBuZDdSRnd2d1pJMCJ9.eyJ{a lot of characters here}M8U3bSUKKJDEg &grant_type=client_credentials
const msalConfig = {
}; const cca = new msal.ConfidentialClientApplication(msalConfig); const msalClientCredentialRequest = {
- scopes: ["bbb94529-53a3-4be5-a069-7eaf2712b826/.default"],
+ scopes: ["3db474b9-6a0c-4840-96ac-1fceb342124f/.default"],
skipCache: false, }; module.exports.msalCca = cca;
const result = await mainApp.msalCca.acquireTokenByClientCredential(mainApp.msal
} ```
+# [Python](#tab/python)
+
+```python
+# Initialize MSAL library by using the following code
+with open(config["azCertificatePrivateKeyLocation"], "rb") as file:
+ private_key = file.read()
+with open(config["azCertificateLocation"]) as file:
+ public_certificate = file.read()
+cert = load_pem_x509_certificate(data=bytes(public_certificate, 'UTF-8'), backend=default_backend())
+thumbprint = (cert.fingerprint(hashes.SHA1()).hex())
+msalCca = msal.ConfidentialClientApplication( config["azClientId"],
+ authority="https://login.microsoftonline.com/" + config["azTenantId"],
+ client_credential={
+ "private_key": private_key,
+ "thumbprint": thumbprint,
+ "public_certificate": public_certificate
+ }
+)
+# Acquire an access token
+accessToken = ""
+result = msalCca.acquire_token_for_client( scopes="3db474b9-6a0c-4840-96ac-1fceb342124f/.default" )
+if "access_token" in result:
+ accessToken = result['access_token']
+```
+
+# [Java](#tab/java)
+
+```java
+// Initialize MSAL library by using the following code
+PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Files.readAllBytes(Paths.get(certKeyLocation)));
+PrivateKey key = KeyFactory.getInstance("RSA").generatePrivate(spec);
+java.io.InputStream certStream = (java.io.InputStream)new ByteArrayInputStream(Files.readAllBytes(Paths.get(certLocation)));
+X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certStream);
+ConfidentialClientApplication app = ConfidentialClientApplication.builder(
+ clientId,
+ ClientCredentialFactory.createFromCertificate(key, cert))
+ .authority(authority)
+ .build();
+// Acquire an access token
+ClientCredentialParameters clientCredentialParam = ClientCredentialParameters.builder(
+ Collections.singleton(scope))
+ .build();
+CompletableFuture<IAuthenticationResult> future = app.acquireToken(clientCredentialParam);
+IAuthenticationResult result = future.get();
+return result.accessToken();
+```
+ ## Call the API To issue or verify a verifiable credential, follow these steps:
-1. Construct an HTTP POST request to the Request Service REST API. Replace the `{tenantID}` with your tenant ID, or your tenant name.
+1. Construct an HTTP POST request to the Request Service REST API. The `tenantId` is not needed in the URL anymore as it is present as a claim in the `access_token`.
+
+ **Issue**
+ ```http
+ POST https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createIssuanceRequest
+ ```
+ **Verify**
```http
- POST https://beta.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request
+ POST https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createPresentationRequest
``` 1. Attach the access token as a bearer token to the authorization header in an HTTP request.
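Review bot: the certificate-based Python tab calls `load_pem_x509_certificate`, `default_backend` and `hashes` without importing them; add `from cryptography.x509 import load_pem_x509_certificate`, `from cryptography.hazmat.backends import default_backend` and `from cryptography.hazmat.primitives import hashes`, and, as in the secret-based tab, pass `scopes` as a list rather than a string. The SHA-1 thumbprint is correct here because MSAL uses it only as the `x5t` key identifier of the client assertion, not as a signature; a one-line comment saying so would keep readers from "upgrading" it to SHA-256 and getting token failures. In the Java tab, `new PKCS8EncodedKeySpec(Files.readAllBytes(Paths.get(certKeyLocation)))` expects DER-encoded PKCS#8 bytes, so a PEM file (`-----BEGIN PRIVATE KEY-----`) must be converted, or stripped of its headers and Base64-decoded, first; state that next to `certKeyLocation`. For the new `Issue`/`Verify` endpoints, `The tenantId is not needed in the URL anymore as it is present as a claim in the access_token` should read "is no longer needed in the URL because it is carried as a claim in the `access_token`".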
To issue or verify a verifiable credential, follow these steps:
1. Submit the request to the Request Service REST API.
+The Request Service API returns a HTTP Status Code `201 Created` on a successful call. If the API call returns an error, please check the [error reference documentation](error-codes.md). //TODO
+ ## Issuance request example The following example demonstrates a verifiable credentials issuance request. For information about the payload, see [Request Service REST API issuance specification](issuance-request-api.md). ```http
-POST https://beta.did.msidentity.com/v1.0/contoso.onmicrosoft.com/verifiablecredentials/request
+POST https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createIssuanceRequest
Content-Type: application/json Authorization: Bearer <token>
Authorization: Bearer <token>
"url": "https://www.contoso.com/api/issuer/issuanceCallback", "state": "de19cb6b-36c1-45fe-9409-909a51292a9c", "headers": {
- "api-key": "OPTIONAL API-KEY for VERIFIER CALLBACK API"
+ "api-key": "OPTIONAL API-KEY for CALLBACK EVENTS"
} }, "authority": "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OkIjO6uUKyF5zM7fQZ8Jg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfOTAyZmM2NmUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiTEdUOWk3aFYzN1dUcFhHcUg5c1VDek...", "registration": { "clientName": "Verifiable Credential Expert Sample" },
- "issuance": {
- "type": "VerifiedCredentialExpert",
- "manifest": "https://beta.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert1",
- "pin": {
- "value": "3539",
- "length": 4
- },
- "claims": {
- "given_name": "Megan",
- "family_name": "Bowen"
- }
+ "type": "VerifiedCredentialExpert",
+ "manifestUrl": "https://verifiedid.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert1",
+ "pin": {
+ "value": "3539",
+ "length": 4
+ },
+ "claims": {
+ "given_name": "Megan",
+ "family_name": "Bowen"
} } ```
For the complete code, see one of the following code samples:
- [C#](https://github.com/Azure-Samples/active-directory-verifiable-credentials-dotnet/blob/main/1-asp-net-core-api-idtokenhint/IssuerController.cs) - [Node.js](https://github.com/Azure-Samples/active-directory-verifiable-credentials-node/blob/main/1-node-api-idtokenhint/issuer.js)
+- [Python](https://github.com/Azure-Samples/active-directory-verifiable-credentials-python/blob/main/1-python-api-idtokenhint/issuer.py)
+- [Java](https://github.com/Azure-Samples/active-directory-verifiable-credentials-java/blob/main/1-java-api-idtokenhint/src/main/java/com/verifiablecredentials/javaaadvcapiidtokenhint/controller/IssuerController.java)
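Review bot: `//TODO` at the end of `If the API call returns an error, please check the [error reference documentation](error-codes.md). //TODO` is an author marker that would ship in the published article; resolve or remove it before merge, and change `returns a HTTP Status Code` to `returns an HTTP status code`. In the issuance example, the `api-key` header value `OPTIONAL API-KEY for CALLBACK EVENTS` is the only thing the callback handlers later in this article compare against, so the surrounding text should say it must be a high-entropy secret generated by the app, not a descriptive string. Likewise `"pin": { "value": "3539", "length": 4 }` is fine as sample data if the text notes that a real issuer generates the PIN randomly per request and conveys it to the user itself, since the value travels in the request the app sends.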
## Presentation request example The following example demonstrates a verifiable credentials presentation request. For information about the payload, see [Request Service REST API presentation specification](presentation-request-api.md). ```http
-POST https://beta.did.msidentity.com/v1.0/contoso.onmicrosoft.com/verifiablecredentials/request
+POST https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createPresentationRequest
Content-Type: application/json Authorization: Bearer <token>
Authorization: Bearer <token>
"url": "https://www.contoso.com/api/verifier/presentationCallback", "state": "92d076dd-450a-4247-aa5b-d2e75a1a5d58", "headers": {
- "api-key": "OPTIONAL API-KEY for VERIFIER CALLBACK API"
+ "api-key": "OPTIONAL API-KEY for CALLBACK EVENTS"
} }, "authority": "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OkIjO6uUKyF5zM7fQZ8Jg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfOTAyZmM2NmUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiTEdUOWk3aFYzN1dUcFhHcUg5c1VDekxTVlFWcVl3S2JNY1Fsc0RILUZJUSIsInkiOiJiRWo5MDY...", "registration": { "clientName": "Veritable Credential Expert Verifier" },
- "presentation": {
- "includeReceipt": true,
- "requestedCredentials": [
- {
- "type": "VerifiedCredentialExpert",
- "purpose": "So we can see that you a veritable credentials expert",
- "acceptedIssuers": [
- "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OkIjO6uUKyF5zM7fQZ8Jg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfOTAyZmM2NmUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiTEdUOWk3aFYzN1dUcFhHcUg5c1VDekxTVlFWcVl3S2JNY1Fsc0RILUZJUSIsInkiO..."
- ]
+ "includeReceipt": true,
+ "requestedCredentials": [
+ {
+ "type": "VerifiedCredentialExpert",
+ "purpose": "So we can see that you a veritable credentials expert",
+ "acceptedIssuers": [
+ "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OkIjO6uUKyF5zM7fQZ8Jg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfOTAyZmM2NmUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiTEdUOWk3aFYzN1dUcFhHcUg5c1VDekxTVlFWcVl3S2JNY1Fsc0RILUZJUSIsInkiO..."
+ ],
+ "configuration": {
+ "validation": {
+ "allowRevoked": true,
+ "validateLinkedDomain": true
+ }
}
- ]
- }
+ }
+ ]
} ```
For the complete code, see one of the following code samples:
- [C#](https://github.com/Azure-Samples/active-directory-verifiable-credentials-dotnet/blob/main/1-asp-net-core-api-idtokenhint/VerifierController.cs) - [Node.js](https://github.com/Azure-Samples/active-directory-verifiable-credentials-node/blob/main/1-node-api-idtokenhint/verifier.js)
+- [Python](https://github.com/Azure-Samples/active-directory-verifiable-credentials-python/blob/main/1-python-api-idtokenhint/verifier.py)
+- [Java](https://github.com/Azure-Samples/active-directory-verifiable-credentials-java/blob/main/1-java-api-idtokenhint/src/main/java/com/verifiablecredentials/javaaadvcapiidtokenhint/controller/VerifierController.java)
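Review bot: the added `"configuration": { "validation": { "allowRevoked": true, "validateLinkedDomain": true } }` makes the getting-started presentation example accept revoked credentials; the revocation article in this same change set says the Request Service API checks revocation on presentation, so a copy-paste sample that overrides that is a risky default. Set `"allowRevoked": false` here, or add a sentence saying it is `true` only for testing and what the production value should be. Also in this hunk, `"purpose": "So we can see that you a veritable credentials expert"` is missing "are" (and "verifiable" is likely intended, unless the wordplay matching `Veritable Credential Expert Verifier` in the unchanged `clientName` is deliberate).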
## Callback events
-The request payload contains the [issuance](issuance-request-api.md#callback-events) and [presentation](presentation-request-api.md#callback-events) callback endpoint. The endpoint is part of your web application, and should be publicly available. Azure AD Verifiable Credentials calls your endpoint to inform your app on certain events. For example, such events might be when a user scans the QR code, uses the deep link the authenticator app, or finishes the presentation process.
+The request payload contains the [issuance](issuance-request-api.md#callback-events) and [presentation](presentation-request-api.md#callback-events) callback endpoint. The endpoint is part of your web application, and should be publicly available via the HTTPS protocol. The Request Service API calls your endpoint to inform your app on certain events. For example, such events might be when a user scans the QR code, uses the deep link the authenticator app, or finishes the presentation process.
The following diagram describes the call your app makes to the Request Service REST API, and the callbacks to your application.
mainApp.app.post('/api/issuer/issuance-request-callback', parser, async (req, re
}) ```
+# [Python](#tab/python)
+
+```python
+@app.route("/api/issuer/issuance-request-callback", methods = ['POST'])
+def issuanceRequestApiCallback():
+ if request.headers['api-key'] != apiKey:
+ return Response( jsonify({'error':'api-key wrong or missing'}), status=401, mimetype='application/json')
+
+ issuanceResponse = request.json
+ if issuanceResponse["code"] == "request_retrieved":
+ cacheData = {
+ "status": issuanceResponse["code"],
+ "message": "QR Code is scanned. Waiting for issuance to complete..."
+ }
+ cache.set( issuanceResponse["state"], json.dumps(cacheData) )
+ return ""
+
+ if issuanceResponse["code"] == "issuance_successful":
+ cacheData = {
+ "status": issuanceResponse["code"],
+ "message": "Credential successfully issued"
+ }
+ cache.set( issuanceResponse["state"], json.dumps(cacheData) )
+ return ""
+
+ if issuanceResponse["code"] == "issuance_error":
+ cacheData = {
+ "status": issuanceResponse["code"],
+ "message": issuanceResponse["error"]["message"]
+ }
+ cache.set( issuanceResponse["state"], json.dumps(cacheData) )
+ return ""
+
+ return ""
+```
+
+# [Java](#tab/java)
+
+```java
+@RequestMapping(value = "/api/issuer/issue-request-callback", method = RequestMethod.POST, produces = "application/json", consumes = "application/json")
+ public ResponseEntity<String> issueRequestCallback( HttpServletRequest request
+ , @RequestHeader HttpHeaders headers
+ , @RequestBody String body ) {
+ ObjectMapper objectMapper = new ObjectMapper();
+ try {
+ if ( !request.getHeader("api-key").equals(apiKey) ) {
+ lgr.info( "api-key wrong or missing" );
+ return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body( "api-key wrong or missing" );
+ }
+ JsonNode presentationResponse = objectMapper.readTree( body );
+ String code = presentationResponse.path("code").asText();
+ ObjectNode data = null;
+ if ( code.equals( "request_retrieved" ) ) {
+ data = objectMapper.createObjectNode();
+ data.put("message", "QR Code is scanned. Waiting for issuance to complete..." );
+ }
+ if ( code.equals("issuance_successful") ) {
+ data = objectMapper.createObjectNode();
+ data.put("message", "Credential successfully issued" );
+ }
+ if ( code.equals( "issuance_error" ) ) {
+ data = objectMapper.createObjectNode();
+ data.put("message", presentationResponse.path("error").path("message").asText() );
+ }
+ if ( data != null ) {
+ data.put("status", code );
+ cache.put( presentationResponse.path("state").asText(), objectMapper.writerWithDefaultPrettyPrinter().writeValueAsString(data) );
+ }
+ } catch (java.io.IOException ex) {
+ ex.printStackTrace();
+ return ResponseEntity.status(HttpStatus.BAD_REQUEST).body( "Technical error" );
+ }
+ return ResponseEntity.ok().body( "{}" );
+ }
+```
+ For the complete code, see the [issuance](https://github.com/Azure-Samples/active-directory-verifiable-credentials-node/blob/main/1-node-api-idtokenhint/issuer.js) and [presentation](https://github.com/Azure-Samples/active-directory-verifiable-credentials-node/blob/main/1-node-api-idtokenhint/verifier.js) code on the GitHub repo.
For the complete code, see the [issuance](https://github.com/Azure-Samples/activ
Learn more about these specifications: - [Issuance API specification](issuance-request-api.md)-- [Presentation API specification](presentation-request-api.md)
+- [Presentation API specification](presentation-request-api.md)
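Review bot: the Python callback's `if request.headers['api-key'] != apiKey:` raises `KeyError` (an HTTP 500) when the header is absent instead of the intended 401; use `request.headers.get('api-key')` and compare with `hmac.compare_digest` so the check is constant-time. `Response( jsonify({...}), status=401, mimetype='application/json')` nests a Flask `Response` inside another `Response`; `return jsonify({'error': 'api-key wrong or missing'}), 401` is the idiomatic form. The Java handler has the mirror-image problem: `request.getHeader("api-key").equals(apiKey)` throws `NullPointerException` when the header is missing; write `apiKey.equals(request.getHeader("api-key"))` or use a constant-time `MessageDigest.isEqual` on the bytes. Both handlers write under whatever `state` the caller supplies; since the endpoint is public over HTTPS, consider only accepting a `state` the app issued in an earlier request (for example, checking the cache key exists before updating it). Naming the parsed body `presentationResponse` in an issuance callback is confusing; `issuanceResponse` as in the Python tab is clearer. In the prose, `uses the deep link the authenticator app` is missing "in", and the added `For the complete code, see the [issuance]...` line duplicates the unchanged sentence right below it.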
active-directory How To Dnsbind https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-dnsbind.md
Linking a DID to a domain solves the initial trust problem by allowing any entit
## When do you need to update the domain in your DID?
-In the event where the domain associated with your company changes, you would also need to change the domain in your DID document. You can update the domain in your DID directly from the Azure AD Verifiable Credential portal
+In the event where the domain associated with your company changes, you would also need to change the domain in your DID document. You can update the domain in your DID directly from the [Microsoft Entra Verified ID blade in the Azure portal](https://portal.azure.com/#view/Microsoft_AAD_DecentralizedIdentity/InitialMenuBlade/~/domainUpdateBlade).
## How do we link DIDs and domains?
Yes. You need to wait until the config.json file gets updated before you publish
### How do I know when the linked domain update has successfully completed?
-If the trust system is ION, once the domain changes are published to ION, the domain section inside the Azure AD Verifiable Credentials service will display Published as the status and you should be able to make new changes to the domain. If the trust system is Web, the changes are public as soon as you replace the did-configuration.json file on your web server.
+If the trust system is ION, once the domain changes are published to ION, the domain section inside the Microsoft Entra Verified ID service will display Published as the status and you should be able to make new changes to the domain. If the trust system is Web, the changes are public as soon as you replace the did-configuration.json file on your web server.
>[!IMPORTANT] > No changes to your domain are possible while publishing is in progress.
active-directory How To Issuer Revoke https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-issuer-revoke.md
Previously updated : 06/03/2022 Last updated : 07/28/2022 #Customer intent: As an administrator, I am trying to learn the process of revoking verifiable credentials that I have issued
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)]
-As part of the process of working with verifiable credentials (VCs), you not only have to issue credentials, but sometimes you also have to revoke them. In this article we go over the **Status** property part of the VC specification and take a closer look at the revocation process, why we may want to revoke credentials and some data and privacy implications.
+As part of the process of working with verifiable credentials (VCs), you not only have to issue credentials, but sometimes you also have to revoke them. In this article, we go over the **Status** property part of the VC specification and take a closer look at the revocation process, why we may want to revoke credentials and some data and privacy implications.
> [!IMPORTANT]
-> Azure Active Directory Verifiable Credentials is currently in public preview.
+> Microsoft Entra Verified ID is currently in public preview.
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-## Status property in verifiable credentials specification
-
-Before we can understand the implications of revoking a verifiable credential, it may help to know what the **status check** is and how it works today.
-
-The [W3C Verifiable Credentials spec](https://www.w3.org/TR/vc-data-model/) references the **status** property in section [4.9:](https://www.w3.org/TR/vc-data-model/#status)
-
-"This specification defines the following **credentialStatus** property for the discovery of information about the current status of a verifiable credential, such as whether it is suspended or revoked."
+## Why you may want to revoke a VC?
-However, the W3C specification does not define a format on how **status check** should be implemented.
+Each customer will have their own unique reason's for wanting to revoke a verifiable credential, but here are some of the common themes we've heard thus far.
-"Defining the data model, formats, and protocols for status schemes are out of scope for this specification. A Verifiable Credential Extension Registry [VC-EXTENSION-REGISTRY] exists that contains available status schemes for implementers who want to implement verifiable credential status checking."
+- Student ID: the student is no longer an active student at the University.
+- Employee ID: the employee is no longer an active employee.
+- State Drivers License: the driver no longer lives in that state.
->[!NOTE]
->For now, Microsoft's status check implementation is proprietary but we are actively working with the DID community to align on a standard.
+## How do I revoke a verifiable credential
-## How does the **status** property work?
+Using the indexed claim in verifiable credentials, you can search for issued verifiable credentials by that claim in the portal and revoke it.
-In every Microsoft issued verifiable credential, there is an attribute called credentialStatus. It's populated with a status API that Microsoft manages on your behalf. Here is an example of what it looks like.
+1. Navigate to the verifiable credentials blade in Azure Active Directory.
+1. Select the verifiable credential type
+1. On the left-hand menu, choose **Revoke a credential**
+ ![Revoke a credential](media/how-to-issuer-revoke/settings-revoke.png)
+1. Search for the index claim of the user you want to revoke. If you haven't indexed a claim, search won't work, and you won't be able to revoke the verifiable credential.
-```json
- "credentialStatus": {
- "id": "https://portableidentitycards.azure-api.net/v1.0/7952032d-d1f3-4c65-993f-1112dab7e191/portableIdentities/card/status",
- "type": "PortableIdentityCardServiceCredentialStatus2020"
- }
-```
+ ![Screenshot of the credential to revoke](media/how-to-issuer-revoke/revoke-search.png)
-The open source Verifiable Credentials SDK handles calling the status API and providing the necessary data.
+ >[!NOTE]
+ >Since we are only storing a hash of the indexed claim from the verifiable credential, only an exact match will populate the search results. We take the input as searched by the IT Admin and we use the same hashing algorithm to see if we have a hash match in our database.
+
+1. Once you've found a match, select the **Revoke** option to the right of the credential you want to revoke.
-Once the API is called and provided the right information, the API will return either a True or False. True being the verifiable credential is still active with the Issuer and False signifying the verifiable credential has been actively revoked by the Issuer.
+ ![Screenshot of a warning letting you know that after revocation the user still has the credential](media/how-to-issuer-revoke/warning.png)
-## Why you may want to revoke a VC?
+1. After successful revocation, you see the status update and a green banner will appear at the top of the page.
+
+ ![screenshot of a successfully revoked verifiable credential message](media/how-to-issuer-revoke/revoke-successful.png)
-Each customer will have their own unique reason's for wanting to revoke a verifiable credential, but here are some of the common themes we have heard thus far.
--- Student ID: the student is no longer an active student at the University.-- Employee ID: the employee is no longer an active employee.-- State Drivers License: the driver no longer lives in that state.
+Now whenever a presentation is sent to the Request Service API it will check if the VC has been revoked.
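Review bot: `Each customer will have their own unique reason's` should be `reasons`, and `search for issued verifiable credentials by that claim in the portal and revoke it` mixes plural and singular (`revoke them`). Step 1, `Navigate to the verifiable credentials blade in Azure Active Directory`, keeps the old name while the dnsbind article in this same change set links to the `Microsoft Entra Verified ID blade in the Azure portal`; align the wording. The closing `Now whenever a presentation is sent to the Request Service API it will check if the VC has been revoked` should also say that the presentation request's `allowRevoked` setting decides whether a revoked VC is still accepted, since the presentation example in `get-started-request-api.md` in this change set sets it to `true`.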
## How to set up a verifiable credential with the ability to revoke
-All verifiable credential data is not stored with Microsoft by default. Therefore, we do not have any data to reference to revoke a specific verifiable credential ID. The issuer needs to specify a specific field from the verifiable credential attribute for Microsoft to index and subsequently salt and hash.
+Verifiable credential data isn't stored by Microsoft. Therefore, the issuer needs to make one claim, the indexed claim, before the VC is searchable. There can be only one claim that is indexed and if there is none, you won't be able to revoke credentials. The selected claim to index is then salted and hashed and isn't stored as its original value.
>[!NOTE] >Hashing is a one way cryptographic operation that turns an input, called a ```preimage```, and produces an output called a hash that has a fixed length. It is not computationally feasible at this time to reverse a hash operation.
-You can tell Microsoft which attribute of the verifiable credential you would like to index. The implication of indexing is that indexed values may be used to search your verifiable credentials for the VCs you want to revoke.
-
-**Example:** Alice is a Woodgrove employee. Alice left Woodgrove to work at Contoso. Jane, the IT admin for Woodgrove, searches for Alice's email in the Verifiable Credentials Revoke search query. In this example, Jane, indexed the email field of the Woodgrove verified employee credential.
-
-See below for an example of how the Rules file is modified to include the index.
+**Example:** In the below example, the displayName is the index claim and searching can be done via the users full name and nothing else.
```json { "attestations": { "idTokens": [
- {
+ {
+ "clientId": "8d5b446e-22b2-4e01-bb2e-9070f6b20c90",
+ "configuration": "https://didplayground.b2clogin.com/didplayground.onmicrosoft.com/B2C_1_sisu/v2.0/.well-known/openid-configuration",
+ "redirectUri": "vcclient://openid",
+ "scope": "openid profile email",
"mapping": [
- {
- "outputClaim": "Name",
- "inputClaim": "name",
- "required": true,
- "indexed": false
- },
- {
- "outputClaim": "email",
- "inputClaim": "email",
- "required": true,
- "indexed": true
- }
+ {
+ "outputClaim": "displayName",
+ "required": true,
+ "inputClaim": "$.name",
+ "indexed": true
+ },
+ {
+ "outputClaim": "firstName",
+ "required": true,
+ "inputClaim": "$.given_name",
+ "indexed": false
+ },
+ {
+ "outputClaim": "lastName",
+ "required": true,
+ "inputClaim": "$.family_name",
+ "indexed": false
+ }
],
- "configuration": "https://login.microsoftonline.com/tenant-id-here7/v2.0/.well-known/openid-configuration",
- "client_id": "c0d6b785-7a08-494e-8f63-c30744c3be2f",
- "redirect_uri": "vcclient://openid"
+ "required": false
} ] },
- "validityInterval": 25920000,
+ "validityInterval": 2592000,
"vc": {
- "type": ["WoodgroveEmployee"]
+ "type": [
+ "VerifiedCredentialExpert"
+ ]
} } ``` >[!NOTE]
->Only one attribute can be indexed from a rules claims mapping.
+>Only one claim can be indexed from a rules claims mapping.
-## How do I revoke a verifiable credential
-Once an index claim has been set and verifiable credentials have been issued to your users, it's time to see how you can revoke a verifiable credential in the VC blade.
+## How does revocation work?
-1. Navigate to the verifiable credentials blade in Azure Active Directory.
-1. Choose the verifiable credential where you've previously set up the index claim and issued a verifiable credential to a user. =
-1. On the left-hand menu, choose **Revoke a credential**
- ![Revoke a credential](media/how-to-issuer-revoke/settings-revoke.png)
-1. Search for the index attribute of the user you want to revoke.
+Microsoft Entra Verified ID implements the [W3C StatusList2021](https://github.com/w3c-ccg/vc-status-list-2021/tree/343b8b59cddba4525e1ef355356ae760fc75904e). When presentation to the Request Service API happens, the API will do the revocation check for you. The revocation check happens over an anonymous API call to Identity Hub and does not contain any data who is checking if the verifiable credential is still valid or revoked. With the **statusList2021**, Microsoft Entra Verified ID just keeps a flag by the hashed value of the indexed claim to keep track of the revocation status.
- ![Find the credential to revoke](media/how-to-issuer-revoke/revoke-search.png)
+### Verifiable credential data
- >[!NOTE]
- >Since we are only storing a hash of the indexed claim from the verifiable credential, only an exact match will populate the search results. We take the input as searched by the IT Admin and we use the same hashing algorithm to see if we have a hash match in our database.
-
-1. Once you've found a match, select the **Revoke** option to the right of the credential you want to revoke.
+In every Microsoft issued verifiable credential, there is a claim called `credentialStatus`. This data is a navigational map to where in a block of data this VC has its revocation flag.
- ![A warning letting you know that after revocation the user still has the credential](media/how-to-issuer-revoke/warning.png)
+```json
+...
+"credentialStatus": {
+ "id": "urn:uuid:625dfcad-0000-1111-2222-333444445555?bit-index=31",
+ "type": "RevocationList2021Status",
+ "statusListIndex": 31,
+ "statusListCredential": "did:ion:EiDR0Y6zfvnUy2NjO293XNfe9AOL...<SNIP>...?service=IdentityHub&queries=...data..."
+...
+```
+
+### Issuers Identity Hub API endpoint
-1. After successful revocation you see the status update and a green banner will appear at the top of the page.
- ![Verify this domain in settings](media/how-to-issuer-revoke/revoke-successful.png)
+In the issuing party's DID document, the Identity Hub's endpoint is available in the `service` section.
-Now whenever a relying party calls to check the status of this specific verifiable credential, Microsoft's status API, acting on behalf of the tenant, returns a 'false' response.
+```json
+didDocument": {
+ "id": "did:ion:EiD...<SNIP>",
+ "@context": [
+ "https://www.w3.org/ns/did/v1",
+ {
+ "@base": "did:ion:EiD...<SNIP>..."
+ }
+ ],
+ "service": [
+ {
+ "id": "#linkeddomains",
+ "type": "LinkedDomains",
+ "serviceEndpoint": {
+ "origins": [
+ "https://contoso.com/"
+ ]
+ }
+ },
+ {
+ "id": "#hub",
+ "type": "IdentityHub",
+ "serviceEndpoint": {
+ "instances": [
+ "https://verifiedid.hub.msidentity.com/v1.0/11111111-2222-3333-4444-000000000000"
+ ],
+ "origins": [ ]
+ }
+ }
+ ],
+```
## Next steps
-Test out the functionality on your own with a test credential to get used to the flow. You can see information on how to configure your tenant to issue verifiable credentials by [reviewing our tutorials](get-started-verifiable-credentials.md).
+- [How to customize your Microsoft Entra Verified ID](credential-design.md)
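Review bot: the rewrite removes the portal procedure for revoking a credential (L4288-L4314) without a replacement, so after this change the article explains how revocation works but never says where an admin actually revokes one, and the Next steps on L4350 only point to credential-design; keep a pointer to the revocation steps. On the new example, the index claim chosen on L4252-L4255 deserves a caveat in the lead-in on L4230: revocation is keyed by a hash of the indexed claim (L4293), and a full name is not unique across users, whereas the previous example (L4246-L4249) indexed `email`; either keep a unique claim as the indexed one or state that a search by full name can match more than one credential. L4230 also needs "the user's full name". The `validityInterval` fix on L4276 is correct: 2592000 seconds is 30 days, the old value was ten times that. In the prose on L4293, "does not contain any data who is checking" should be "does not contain any data about who is checking", and "keeps a flag by the hashed value of the indexed claim" is clearer as "keeps a flag keyed by the hash of the indexed claim". The `credentialStatus` object on L4304-L4308 is never closed; add a `}` before the `...` on L4309. The DID document on L4318 is missing its opening quote (`"didDocument": {`), and "Issuers" in the heading on L4312 should be "Issuer's".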
active-directory How To Opt Out https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-opt-out.md
Title: Opt out of the Azure Active Directory Verifiable Credentials (preview)
+ Title: Opt out of the Microsoft Entra Verified ID (preview)
description: Learn how to Opt Out of the Verifiable Credentials Preview documentationCenter: ''
Previously updated : 06/16/2022 Last updated : 06/02/2022 #Customer intent: As an administrator, I am looking for information to help me disable
In this article:
- Effect on existing verifiable credentials. > [!IMPORTANT]
-> Azure Active Directory Verifiable Credentials is currently in public preview.
+> Microsoft Entra Verified ID is currently in public preview.
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
In this article:
## When do you need to opt out?
-Opting out is a one-way operation, after you opt out your Azure Active Directory Verifiable Credentials environment will be reset. During the public preview, opting out may be required to:
+Opting out is a one-way operation, after you opt-out your Microsoft Entra Verified ID environment will be reset. During the Public Preview opting out may be required to:
- Enable new service capabilities. - Reset your service configuration. - Switch between trust systems ION and Web
-## What happens to your data when you opt out?
+## What happens to your data when you opt-out?
-When you complete opting out of the Azure Active Directory Verifiable Credentials service, the following actions will take place:
+When you complete opting out of the Microsoft Entra Verified ID service, the following actions will take place:
- The DID keys in Key Vault will be [soft deleted](../../key-vault/general/soft-delete-overview.md). - The issuer object will be deleted from our database.
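Review bot: the rebrand on L4364 and L4367 turns the verb "opt out" into "opt-out" ("after you opt-out", "when you opt-out"), which is the noun form; the removed lines L4363 and L4366 had it right, so keep "opt out" there. L4364 also loses the comma in "During the public preview, opting out may be required to", and the comma splice "one-way operation, after you opt out" reads better as two sentences. The front matter on L4355 moves Last updated backwards (06/16/2022 to 06/02/2022), which looks like a copy error.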
Once an opt-out takes place, you won't be able to recover your DID or conduct an
## Effect on existing verifiable credentials All verifiable credentials already issued will continue to exist. They won't be cryptographically invalidated as your DID will remain resolvable through ION.
-However, when relying parties call the status API, they'll always receive back a failure message.
+However, when relying parties call the status API, they will always receive back a failure message.
-## How to opt out from the Azure Active Directory Verifiable Credentials Public Preview?
+## How to opt-out from the Microsoft Entra Verified ID Public Preview?
1. From the Azure portal search for verifiable credentials. 2. Choose **Organization Settings** from the left side menu.
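Review bot: L4376 has the same "opt-out" as a verb ("How to opt-out from"); the removed L4375 wording "opt out" is the correct one. Separately, the unchanged L4372 still says the DID "will remain resolvable through ION" while L4365 now lists Web as a second trust system; "through the trust system" matches the wording this commit introduces in the architecture article and avoids implying the statement holds only for ION. The contraction change on L4374 ("they'll" to "they will") goes against the style of the rest of the page and is not needed.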
active-directory How To Register Didwebsite https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-register-didwebsite.md
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)] > [!IMPORTANT]
-> Azure Active Directory Verifiable Credentials is currently in public preview.
+> Microsoft Entra Verified ID is currently in public preview.
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
active-directory How To Use Quickstart Idtoken https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-use-quickstart-idtoken.md
After you've switched to the custom issue, you have access to a text box with a
## Next steps
-See the [Rules and display definitions reference](rules-and-display-definitions-model.md).
+See the [Rules and display definitions reference](rules-and-display-definitions-model.md).
active-directory How To Use Quickstart Selfissued https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-use-quickstart-selfissued.md
After you've switched to the custom issue, you have access to a text box with a
## Next steps
-See the [Rules and display definitions reference](rules-and-display-definitions-model.md).
+See the [Rules and display definitions reference](rules-and-display-definitions-model.md).
active-directory How To Use Quickstart Verifiedemployee https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-use-quickstart-verifiedemployee.md
Title: Tutorial - Issue a Verifiable Credential for directory based claims
+ Title: Tutorial - Issue a Microsoft Entra Verified ID credential for directory based claims
description: In this tutorial, you learn how to issue verifiable credentials, from directory based claims, by using a sample app.
In this article, you learn how to:
## Prerequisites -- [Set up a tenant for Azure AD Verifiable Credentials](verifiable-credentials-configure-tenant.md).
+- [Set up a tenant for Microsoft Entra Verified ID Credentials](verifiable-credentials-configure-tenant.md).
- Complete the tutorial for [issuance](verifiable-credentials-configure-issuer.md) and [verification](verifiable-credentials-configure-verifier.md) of verifiable credentials. - A mobile phone with Microsoft Authenticator that can be used as the test user account.
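Review bot: L4399 appends "Credentials" to the product name ("Microsoft Entra Verified ID Credentials"); every other rename in this commit uses "Microsoft Entra Verified ID" alone, so "Set up a tenant for Microsoft Entra Verified ID" is the consistent form.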
The configuration file depends on the sample in-use.
## Next steps
-Learn [how to customize your verifiable credentials](credential-design.md).
+Learn [how to customize your verifiable credentials](credential-design.md).
active-directory How To Use Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-use-quickstart.md
After you've switched to the custom issue, you have access to a text box with a
## Next steps For more information, see:-- [Rules and display definitions reference](rules-and-display-definitions-model.md)
+- [Rules and display definitions reference](rules-and-display-definitions-model.md)
active-directory How Use Vcnetwork https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-use-vcnetwork.md
+
+ Title: How to use the Microsoft Entra Verified ID Network
+description: In this article, you learn how to use the Microsoft Entra Verified ID Network to verify credentials
+documentationCenter: ''
+++++ Last updated : 07/28/2022++
+#Customer intent: As a verifiable credentials administrator, I want to configure verifying credentials from another party
++
+# Verifying credentials using the Microsoft Entra Verified ID Network
++
+> [!IMPORTANT]
+> Microsoft Entra Verified ID is currently in preview. This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+## Prerequisites
+
+To use the Entra Verified ID Network, you need to have completed the following.
+
+- Complete the [Getting Started](get-started-verifiable-credentials.md) and subsequent [tutorial set](enable-your-tenant-verifiable-credentials.md).
+
+## What is the Entra Verified ID Network?
+
+In our scenario, Proseware is a verifier. Woodgrove is the issuer. The verifier needs to know Woodgrove's issuer DID and the verifiable credential (VC) type that represents Woodgrove employees before it can create a presentation request for a verified credential for Woodgrove employees. The necessary information may come from some kind of manual exchange between the companies, this approach would be both a manual and a complex. The Entra Verified ID Network makes this process much easier. Woodgrove, as an issuer, can publish credential types to the Entra Verified ID Network and Proseware, as the verifier, can search for published credential types and schemas in the Entra Verified ID Network. Using this information, Woodgrove can create a [presentation request](presentation-request-api.md#presentation-request-payload) and easily invoke the Request Service API.
+
+![Diagram of Microsoft DID implementation overview](media/decentralized-identifier-overview/did-overview.png)
++
+## How do I use the Entra Verified ID Network?
+
+1. In the start page of Microsoft Entra Verified ID in the Azure portal, you have a Quickstart named **Verification request**. Clicking on **start** will take you to a page where you can browse the Verifiable Credentials Network
+
+ ![Screenshot of the Verified ID Network Quickstart](media/how-use-vcnetwork/vcnetwork-quickstart.png)
+
+1. When you select on the **Select first issuer**, a panel opens on the right side of the screen where you can search for issuers by their linked domains. So if you are looking for something from Woodgrove, you just type `woodgrove` in the search textbox. When you select an issuer in the list, the available credential types will show in the lower part labeled Step 2. Check the type you want to use and select the Add button to get back to the first screen. If the expected linked domain isn't in the list it means that the linked domain isn't verified yet. If the list of credentials is empty, it means that the issuer has verified the linked domain but haven't published any credential types yet.
+
+ ![Screenshot of Verified ID Network Search and select](media/how-use-vcnetwork/vcnetwork-search-select.png)
+
+1. In the first screen we now have Woodgrove in the issuer list and the next step is to select the **Review** button.
+
+ ![Verified ID Network list of isuers](media/how-use-vcnetwork/vcnetwork-issuer-list.png)
+
+1. The Review screen displays a skeleton presentation request JSON payload for the Request Service API. The important pieces of information are the DID inside the **acceptedIssuers** collection and the **type** value. This information is needed to create a presentation request. The request prompts the user for a credential of a certain type issued by a trusted organization.
+
+ ![Verified ID Network issuers details](media/how-use-vcnetwork/vcnetwork-issuer-details.png)
+
+## How do I make my linked domain searchable?
+
+Linked domains that are verified will be searchable. Unverified domains won't be searchable.
+
+## How do I make my credential types visible in the list?
+
+Each credential type that is created has an attribute named `availableInVcDirectory` that makes it visible in the list. You can update this attribute to make the credential type visible or not. See [Admin API reference](admin-api.md#contract-type).
+
+## What is public when a credential type is made visible?
+
+When you make a credential type available in the Entra Verified ID Network, only the **issuing DID**, the credential **type** and its **schema** are made public. Important to note is that this information was already public before making it visible due to how decentralized identities work. Making the credential type visible is just making it searchable in the Entra Verified ID Network.
+
+## Next steps
+
+For more information, see:
+
+- [Learn how to verify Microsoft Entra Verified ID credentials](verifiable-credentials-configure-verifier.md).
+- [Presentation API specification](presentation-request-api.md)
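Review bot: the roles are swapped in the last sentence of L4431: it is Proseware, the verifier, that creates the presentation request from the published issuer DID and credential type, not Woodgrove; the paragraph's own first two sentences establish who is who. The sentence before it is also broken: "this approach would be both a manual and a complex" should read "that approach would be both manual and complex", and it should not be spliced onto the preceding sentence with a comma. Smaller points: L4437 says "Verifiable Credentials Network" where the rest of the article says "Entra Verified ID Network"; on L4441 "When you select on the" should be "When you select", and "the issuer ... haven't published" should be "hasn't published"; "isuers" on L4447 is a typo. On L4463 it is worth stating plainly that toggling `availableInVcDirectory` (L4459) changes discoverability only, not who can request or receive the credential, so admins do not read it as an access control.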
active-directory Introduction To Verifiable Credentials Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/introduction-to-verifiable-credentials-architecture.md
Previously updated : 06/02/2022 Last updated : 07/19/2022
-# Azure AD Verifiable Credentials architecture overview (preview)
+# Microsoft Entra Verified ID architecture overview (preview)
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)] > [!IMPORTANT]
-> Azure Active Directory Verifiable Credentials is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [**Supplemental Terms of Use for Microsoft Azure Previews**](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> Microsoft Entra Verified ID is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [**Supplemental Terms of Use for Microsoft Azure Previews**](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-ItΓÇÖs important to plan your verifiable credential solution so that in addition to issuing and or validating credentials, you have a complete view of the architectural and business impacts of your solution. If you havenΓÇÖt reviewed them already, we recommend you review [Introduction to Azure Active Directory Verifiable Credentials](decentralized-identifier-overview.md) and the [FAQs](verifiable-credentials-faq.md), and then complete the [Getting Started](get-started-verifiable-credentials.md) tutorial.
+ItΓÇÖs important to plan your verifiable credential solution so that in addition to issuing and or validating credentials, you have a complete view of the architectural and business impacts of your solution. If you havenΓÇÖt reviewed them already, we recommend you review [Introduction to Microsoft Entra Verified ID](decentralized-identifier-overview.md) and the [FAQs](verifiable-credentials-faq.md), and then complete the [Getting Started](get-started-verifiable-credentials.md) tutorial.
-This architectural overview introduces the capabilities and components of the Azure Active Directory Verifiable Credentials service. For more detailed information on issuance and validation, see
+This architectural overview introduces the capabilities and components of the Microsoft Entra Verified ID service. For more detailed information on issuance and validation, see
* [Plan your issuance solution](plan-issuance-solution.md)
Terminology for verifiable credentials (VCs) might be confusing if you're not fa
ΓÇ£A ***decentralized identifier*** is a portable URI-based identifier, also known as a DID, associated with an entity. These identifiers are often used in a verifiable credential and are associated with subjects, issuers, and verifiers.ΓÇ¥.
-* In the preceding diagram, the public keys of the actorΓÇÖs DIDs are shown stored in the decentralized ledger (ION).- in the decentralized identifier document.
+* In the preceding diagram, the public keys of the actorΓÇÖs DIDs are made available via trust system (Web or ION).
ΓÇ£A ***decentralized identifier document***, also referred to as a ***DID document***, is a document that is accessible using a verifiable data registry and contains information related to a specific decentralized identifier, such as the associated repository and public key information.ΓÇ¥
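Review bot: L4486 reads "made available via trust system (Web or ION)"; it needs the article, "via the trust system", to match the wording used on L4502 and L4514 in this same file.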
Terminology for verifiable credentials (VCs) might be confusing if you're not fa
* Woodgrove (issuer) signs their employeesΓÇÖ VCs with its public key; similarly, Proseware (verifier) signs requests to present a VC using its key, which is also associated with its DID.
+A ***trust system*** is the foundation in establishing trust between decentralized systems. It can be a distributed ledger or it can be something centralized, such as [DID Web](https://w3c-ccg.github.io/did-method-web/).
+ ΓÇ£A ***distributed ledger*** is a non-centralized system for recording events. These systems establish sufficient confidence for participants to rely upon the data recorded by others to make operational decisions. They typically use distributed databases where different nodes use a consensus protocol to confirm the ordering of cryptographically signed transactions. The linking of digitally signed transactions over time often makes the history of the ledger effectively immutable.ΓÇ¥ * The Microsoft solution uses the ***Identity Overlay Network (ION)*** to provide decentralized public key infrastructure (PKI) capability. As an alternative to ION, Microsoft also offers DID Web as the trust system.
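Review bot: the unchanged context on L4489 says Woodgrove "signs their employees' VCs with its public key"; a signature is produced with the private key and verified with the public key published in the DID document, so this should say "private key" (the same applies to Proseware signing its presentation requests in that sentence). Since this hunk is already rewriting the surrounding terminology, it is the right place to correct it. On L4490, "the foundation in establishing trust" should be "the foundation for establishing trust".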
With decentralized identifiers, Woodgrove can provide Alice with a verifiable cr
-By providing Alice the VC, Woodgrove is attesting that Alice is an employee. Woodgrove is a trusted VC issuer in ProsewareΓÇÖs validation solution. This trust in WoodgroveΓÇÖs issuance process allows Proseware to electronically accept the VC as proof that Alice is a Woodgrove employee and provide Alice the discount. As part of validation of the VC Alice presents, Proseware checks the validity of the VC by using the distributed ledger. In this solution:
+By providing Alice the VC, Woodgrove is attesting that Alice is an employee. Woodgrove is a trusted VC issuer in ProsewareΓÇÖs validation solution. This trust in WoodgroveΓÇÖs issuance process allows Proseware to electronically accept the VC as proof that Alice is a Woodgrove employee and provide Alice the discount. As part of validation of the VC Alice presents, Proseware checks the validity of the VC by using the trust system. In this solution:
* Woodgrove enables Alice to provide Proseware proof of employment without Woodgrove having to extend its trust boundary.
-* Proseware doesnΓÇÖt need to expand their trust boundary to validate Alice is an employee of Woodgrove. Proseware can use the VC that Woodgrove provides instead. Because the trust boundary isnΓÇÖt expanded, managing the trust relationship is easier and Proseware can easily end the relationship by not accepting the VCs anymore.
+* Proseware doesnΓÇÖt need to expand their trust boundary to validate Alice is an employee of Woodgrove. Proseware can use the VC that Woodgrove provides instead. Because the trust boundary isnΓÇÖt expanded, managing the trust relationship is easier, and Proseware can easily end the relationship by not accepting the VCs anymore.
* Alice doesnΓÇÖt need to provide Proseware personal information, such as an email. Alice maintains the VC in a wallet application on a personal device. The only person that can use the VC is Alice, and Alice must initiate usage of the credential. Each usage of the VC is recorded by the wallet application, so Alice has a record of when and where the VC is used.
By combining centralized and decentralized identity architectures, the responsib
## How decentralized identity systems work
-In decentralized identity architectures, the issuer, user, and relying party (RP) each have a role in establishing and ensuring ongoing trusted exchange of each otherΓÇÖs credentials. The public keys of the actorsΓÇÖ DIDs are resolvable in ION, which allows signature validation and therefore trust of any artifact, including a verifiable credential. Relying parties can consume verifiable credentials without establishing trust relationships with the issuer. Instead, the issuer provides the subject a credential to present as proof to relying parties. All messages between actors are signed with the actorΓÇÖs DID; DIDs from issuers and verifiers also need to own the DNS domains that generated the requests.
+In decentralized identity architectures, the issuer, user, and relying party (RP) each have a role in establishing and ensuring ongoing trusted exchange of each otherΓÇÖs credentials. The public keys of the actorsΓÇÖ DIDs are resolvable via the trust system, which allows signature validation and therefore trust of any artifact, including a verifiable credential. Relying parties can consume verifiable credentials without establishing trust relationships with the issuer. Instead, the issuer provides the subject a credential to present as proof to relying parties. All messages between actors are signed with the actorΓÇÖs DID; DIDs from issuers and verifiers also need to own the DNS domains that generated the requests.
-For example: When VC holders need to access a resource, they must present the VC to that relying party. They do so by using a wallet application to read the RPΓÇÖs request to present a VC. As a part of reading the request, the wallet application uses the RPΓÇÖs DID to find the RPs public keys using ION, validating that the request to present the VC hasn't been tampered with. The wallet also checks that the DID is referenced in a metadata document hosted in the DNS domain of the RP, to prove domain ownership.
+For example: When VC holders need to access a resource, they must present the VC to that relying party. They do so by using a wallet application to read the RPΓÇÖs request to present a VC. As a part of reading the request, the wallet application uses the RPΓÇÖs DID to find the RPs public keys using the trust system, validating that the request to present the VC hasn't been tampered with. The wallet also checks that the DID is referenced in a metadata document hosted in the DNS domain of the RP, to prove domain ownership.
![How a decentralized identity system works](media/introduction-to-verifiable-credentials-architecture/how-decentralized-works.png)
In this flow, the credential holder interacts with the issuer to request a verif
1. The holder starts the flow by using a browser or native application to access the issuerΓÇÖs web frontend. There, the issuer website drives the user to collect data and executes issuer-specific logic to determine whether the credential can be issued, and its content.)
-1. The issuer web frontend calls the Azure AD VC Service to generate a VC issuance request.
+1. The issuer web frontend calls the Entra Verified ID service to generate a VC issuance request.
1. The web frontend renders a link to the request as a QR code or a device-specific deep link (depending on the device).
In this flow, the credential holder interacts with the issuer to request a verif
1. The wallet downloads the request from the link. The request includes:
- * DID of the issuer. This is used by the wallet app to resolve in ION to find the public keys and linked domains.
+ * DID of the issuer. This is used by the wallet app to resolve via the trust system to find the public keys and linked domains.
* URL with the VC manifest, which specifies the contract requirements to issue the VC. This can include id_token, self-attested attributes that must be provided, or the presentation of another VC.
In this flow, the credential holder interacts with the issuer to request a verif
1. The wallet validates the issuance requests and processes the contract requirements:
- 1. Validates that the issuance request message is signed by the issuerΓÇÖ keys found in the DID document resolved in ION. This ensures that the message hasn't been tampered with.
+ 1. Validates that the issuance request message is signed by the issuerΓÇÖ keys found in the DID document resolved via the trust system. This ensures that the message hasn't been tampered with.
1. Validates that the DNS domain referenced in the issuerΓÇÖs DID document is owned by the issuer. 1. Depending on the VC contract requirements, the wallet might require the holder to collect additional information, for example asking for self-issued attributes, or navigating through an OIDC flow to obtain an id_token.
-1. Submits the artifacts required by the contract to the Azure AD VC Service. The Azure AD VC service returns the VC, signed with the issuerΓÇÖs DID key and the wallet securely stores the VC.
+1. Submits the artifacts required by the contract to the Entra Verified ID service. The Entra Verified ID service returns the VC, signed with the issuerΓÇÖs DID key and the wallet securely stores the VC.
-For detailed information on how to build an issuance solution and architectural considerations, see [Plan your Azure Active Directory Verifiable Credentials issuance solution](plan-issuance-solution.md).
+For detailed information on how to build an issuance solution and architectural considerations, see [Plan your Microsoft Entra Verified ID issuance solution](plan-issuance-solution.md).
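Review bot: L4519 carries over "signed by the issuer' keys" from L4518, a stray apostrophe where "the issuer's keys" is meant; fix it while the line is being touched. The ION to trust-system substitutions in this hunk are otherwise consistent with L4502 and L4514.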
### Flow 2: Verifiable credential presentation
In this flow, a holder interacts with a relying party (RP) to present a VC as pa
1. The holder starts the flow by using a browser or native application to access the relying partyΓÇÖs web frontend.
-1. The web frontend calls the Azure AD VC Service to generate a VC presentation request.
+1. The web frontend calls the Entra Verified ID service to generate a VC presentation request.
1. The web frontend renders a link to the request as a QR code or a device-specific deep link (depending on the device).
In this flow, a holder interacts with a relying party (RP) to present a VC as pa
* a [standards based request for credentials](https://identity.foundation/presentation-exchange/) of a schema or credential type.
- * the DID of the RP, which the wallet looks up in ION.
+ * the DID of the RP, which the wallet looks up in the trust system.
1. The wallet validates that the presentation request and finds stored VC(s) that satisfy the request. Based on the required VCs, the wallet guides the subject to select and consent to use the VCs. * After the subject consents to use of the VC, the wallet generates a unique pairwise DID between the subject and the RP.
- Then, the wallet sends a presentation response payload to the Azure AD VC Service signed by the subject. It contains:
+ Then, the wallet sends a presentation response payload to the Entra Verified ID service signed by the subject. It contains:
* The VC(s) the subject consented to.
In this flow, a holder interacts with a relying party (RP) to present a VC as pa
* The RP DID as the ΓÇ£audienceΓÇ¥ of the payload.
-1. The Azure AD VC service validates the response sent by the wallet. Depending on how the original presentation request was created in step 2, this validation can include checking the status of the presented VC with the VC issuer for cases such as revocation.
+1. The Entra Verified ID service validates the response sent by the wallet. Depending on how the original presentation request was created in step 2, this validation can include checking the status of the presented VC with the VC issuer for cases such as revocation.
-1. Upon validation, the Azure AD VC service calls back the RP with the result.
+1. Upon validation, the Entra Verified ID service calls back the RP with the result.
-For detailed information on how to build a validation solution and architectural considerations, see [Plan your Azure Active Directory Verifiable Credentials verification solution](plan-verification-solution.md).
+For detailed information on how to build a validation solution and architectural considerations, see [Plan your Microsoft Entra Verified ID verification solution](plan-verification-solution.md).
## Key Takeaways
To deliver on the aspirations of the [Decentralized Identity Foundation](https:/
* There are no central points of trust establishment between actors in the system. That is, trust boundaries aren't expanded through federation because actors trust specific VCs.
- * ION enables the discovery of any actorΓÇÖs decentralized identifier (DID).
+ * The trust system enables the discovery of any actorΓÇÖs decentralized identifier (DID).
* The solution enables verifiers to validate any verifiable credentials (VCs) from any issuer.
Learn more about architecture for verifiable credentials
* [Plan your verification solution](plan-verification-solution.md)
-* [Get started with Azure Active Directory Verifiable Credentials](get-started-verifiable-credentials.md)
+* [Get started with Microsoft Entra Verified ID](verifiable-credentials-configure-tenant.md)
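Review bot: L4556 retargets the "Get started" link to verifiable-credentials-configure-tenant.md, but L4479 in the same file still sends readers to get-started-verifiable-credentials.md for the Getting Started tutorial; pick one target so the two references agree.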
active-directory Issuance Request Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/issuance-request-api.md
Title: Specify the Request Service REST API issuance request (preview)+ description: Learn how to issue a verifiable credential that you've issued. documentationCenter: ''
Previously updated : 10/08/2021 Last updated : 07/19/2022
-#Customer intent: As an administrator, I am trying to learn the process of revoking verifiable credentials that I have issued.
+#Customer intent: As an administrator, I am trying to learn how to use the Request Service API and integrate it into my business application.
# Request Service REST API issuance specification (preview) [!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)]
-Azure Active Directory (Azure AD) Verifiable Credentials includes the Request Service REST API. This API allows you to issue and verify a credential. This article specifies the Request Service REST API for an issuance request.
+Microsoft Entra Verified ID includes the Request Service REST API. This API allows you to issue and verify a credential. This article specifies the Request Service REST API for an issuance request. Another article describes [how to call the Request Service REST API](get-started-request-api.md).
## HTTP request
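Review bot: The `description:` metadata in this hunk's title line is circular ("Learn how to issue a verifiable credential that you've issued"); since the `#Customer intent` line is being rewritten here anyway, reword it to something like "Learn how to issue a verifiable credential with the Request Service REST API." so the page summary matches the new intent.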
The Request Service REST API issuance request requires the following HTTP header
Construct an HTTP POST request to the Request Service REST API. Replace the `{tenantID}` with your tenant ID or tenant name. ```http
-https://beta.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request
+https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createIssuanceRequest
``` The following HTTP request demonstrates a request to the Request Service REST API: ```http
-POST https://beta.did.msidentity.com/v1.0/contoso.onmicrosoft.com/verifiablecredentials/request
+POST https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createIssuanceRequest
Content-Type: application/json Authorization: Bearer <token> { "includeQRCode": true,
- "callback":ΓÇ»{
- "url":ΓÇ»"https://wwww.contoso.com/vc/callback",
- "state": "Aaaabbbb11112222",
- "headers":ΓÇ»{
- "api-key":ΓÇ»"an-api-key-can-go-here"
-      }
- },
+ "callback":ΓÇ»{
+ "url":ΓÇ»"https://wwww.contoso.com/vc/callback",
+ "state": "Aaaabbbb11112222",
+ "headers":ΓÇ»{
+ "api-key":ΓÇ»"an-api-key-can-go-here"
+   }
+ },
... } ```
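Review bot: The unchanged sentence "Replace the `{tenantID}` with your tenant ID or tenant name" is now stale, because the new endpoint `https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createIssuanceRequest` no longer has a tenant segment in the path; either drop the instruction or say where the tenant is now taken from (the caller's bearer token, if that is the case). Two smaller points in the added JSON: the lines `"callback":ΓÇ»{`, `"url":ΓÇ»"https://wwww.contoso.com/vc/callback"` and `"headers":ΓÇ»{` still carry a non-breaking space after the colon (rendered `ΓÇ»`), which is not JSON whitespace and will make a copied sample fail to parse, and the host `wwww.contoso.com` has four w's.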
The following permission is required to call the Request Service REST API. For m
| Permission type | Permission | |||
-| Application | bbb94529-53a3-4be5-a069-7eaf2712b826/.default|
+| Application | 3db474b9-6a0c-4840-96ac-1fceb342124f/.default|
## Issuance request payload
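Review bot: Changing the application permission from `bbb94529-53a3-4be5-a069-7eaf2712b826/.default` to `3db474b9-6a0c-4840-96ac-1fceb342124f/.default` changes the scope string every client must request when acquiring its token, so add a migration note for readers whose app registrations were granted the previous permission; otherwise existing integrations keep requesting tokens for the old resource and will not satisfy the requirement documented here.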
The issuance request payload contains information about your verifiable credenti
```json {
- "includeQRCode": true,
- "callback": {
- "url": "https://www.contoso.com/api/issuer/issuanceCallback",
- "state": "de19cb6b-36c1-45fe-9409-909a51292a9c",
- "headers": {
- "api-key": "OPTIONAL API-KEY for VERIFIER CALLBACK API"
- }
- },
- "authority": "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OkIjO6uUKyF5zM7fQZ8Jg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfOTAyZmM2NmUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiTEdUOWk3aFYzN1dUcFhHcUg5c1VDek...",
- "registration": {
- "clientName": "Verifiable Credential Expert Sample"
- },
- "issuance": {
- "type": "VerifiedCredentialExpert",
- "manifest": "https://beta.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert",
- "pin": {
- "value": "3539",
- "length": 4
- },
- "claims": {
- "given_name": "Megan",
- "family_name": "Bowen"
- }
+ "includeQRCode": true,
+ "callback": {
+ "url": "https://www.contoso.com/api/issuer/issuanceCallback",
+ "state": "de19cb6b-36c1-45fe-9409-909a51292a9c",
+ "headers": {
+ "api-key": "OPTIONAL API-KEY for CALLBACK EVENTS"
}
+ },
+ "authority": "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OkIjO6uUKyF5zM7fQZ8Jg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfOTAyZmM2NmUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiTEdUOWk3aFYzN1dUcFhHcUg5c1VDek...",
+ "registration": {
+ "clientName": "Verifiable Credential Expert Sample"
+ },
+ "type": "VerifiedCredentialExpert",
+ "manifest": "https://verifiedid.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert",
+ "claims": {
+ "given_name": "Megan",
+ "family_name": "Bowen"
+ },
+ "pin": {
+ "value": "3539",
+ "length": 4
+ }
} ```
The payload contains the following properties:
|Parameter |Type | Description | |||| | `includeQRCode` | Boolean | Determines whether a QR code is included in the response of this request. Present the QR code and ask the user to scan it. Scanning the QR code launches the authenticator app with this issuance request. Possible values are `true` (default) or `false`. When you set the value to `false`, use the return `url` property to render a deep link. |
+|`callback`| [Callback](#callback-type)| Mandatory. Allows the developer to asynchronously get information on the flow during the verifiable credential issuance process. For example, the developer might want a call when the user has scanned the QR code or if the issuance request succeeds or fails.|
| `authority` | string| The issuer's decentralized identifier (DID). For more information, see [Gather credentials and environment details to set up your sample application](verifiable-credentials-configure-issuer.md).| | `registration` | [RequestRegistration](#requestregistration-type)| Provides information about the issuer that can be displayed in the authenticator app. |
-| `issuance` | [RequestIssuance](#requestissuance-type)| Provides information about the issuance request. |
-|`callback`| [Callback](#callback-type)| Mandatory. Allows the developer to asynchronously get information on the flow during the verifiable credential issuance process. For example, the developer might want a call when the user has scanned the QR code or if the issuance request succeeds or fails.|
+| `type` | string | The verifiable credential type. Should match the type as defined in the verifiable credential manifest. For example: `VerifiedCredentialExpert`. For more information, see [Create the verified credential expert card in Azure](verifiable-credentials-configure-issuer.md). |
+| `manifest` | string| The URL of the verifiable credential manifest document. For more information, see [Gather credentials and environment details to set up your sample application](verifiable-credentials-configure-issuer.md).|
+| `claims` | string| Optional. Used for the `ID token hint` flow to include a collection of assertions made about the subject in the verifiable credential. For PIN code flow, it's important that you provide the user's first name and last name. For more information, see [Verifiable credential names](verifiable-credentials-configure-issuer.md#verifiable-credential-names). |
+| `pin` | [PIN](#pin-type)| Optional. A PIN number to provide extra security during issuance. For PIN code flow, this property is required. You generate a PIN code, and present it to the user in your app. The user must provide the PIN code that you generated. |
+
+There are currently four claims attestation types that you can send in the payload. Microsoft Entra Verified ID uses four ways to insert claims into a verifiable credential and attest to that information with the issuer's DID. The following are the four types:
+
+- ID token
+- ID token hint
+- Verifiable credentials via a verifiable presentation
+- Self-attested claims
+
+You can find detailed information about the input types in [Customizing your verifiable credential](credential-design.md).
### RequestRegistration type
The `RequestRegistration` type provides information registration for the issuer.
> [!NOTE] > At this time, the `RequestRegistration` information isn't presented during the issuance in the Microsoft Authenticator app. This information can, however, be used in the payload.
-### RequestIssuance type
-
-The `RequestIssuance` type provides information required for verifiable credential issuance. There are currently three input types that you can send in `RequestIssuance`. Azure AD Verifiable Credentials uses these types to insert claims into a verifiable credential, and attest to that information with the issuer's DID. The following are the three types:
--- ID token-- Verifiable credentials via a verifiable presentation-- Self-attested claims-
-You can find detailed information about the input types in [Customizing your verifiable credential](credential-design.md).
+### Callback type
-The `RequestIssuance` type contains the following properties:
+The Request Service REST API generates several events to the callback endpoint. Those events allow you to update the UI and continue the process after the results are returned to the application. The `Callback` type contains the following properties:
|Property |Type |Description | ||||
-| `type` | string | The verifiable credential type. Should match the type as defined in the verifiable credential manifest. For example: `VerifiedCredentialExpert`. For more information, see [Create the verified credential expert card in Azure](verifiable-credentials-configure-issuer.md). |
-| `manifest` | string| The URL of the verifiable credential manifest document. For more information, see [Gather credentials and environment details to set up your sample application](verifiable-credentials-configure-issuer.md).|
-| `claims` | string| Optional. Include a collection of assertions made about the subject in the verifiable credential. For PIN code flow, it's important that you provide the user's first name and last name. For more information, see [Verifiable credential names](verifiable-credentials-configure-issuer.md#verifiable-credential-names). |
-| `pin` | [PIN](#pin-type)| Optional. A PIN number to provide extra security during issuance. For PIN code flow, this property is required. You generate a PIN code, and present it to the user in your app. The user must provide the PIN code that you generated. |
+| `url` | string| URI to the callback endpoint of your application. The URI must point to a reachable endpoint on the internet otherwise the service will throw callback URL unreadable error. Accepted formats IPv4, IPv6 or DNS resolvable hostname |
+| `state` | string| Correlates the callback event with the state passed in the original payload. |
+| `headers` | string| Optional. You can include a collection of HTTP headers required by the receiving end of the POST message. The current supported header values are the `api-key` or the `Authorization` headers. Any other header will throw an invalid callback header error|
-### pin type
+### Pin type
The `pin` type defines a PIN code that can be displayed as part of the issuance. `pin` is optional, and, if used, should always be sent out-of-band. When you're using a HASH PIN code, you must define the `salt`, `alg`, and `iterations` properties. `pin` contains the following properties:
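Review bot: The Type column for `claims` ("| `claims` | string| Optional. Used for the `ID token hint` flow...") and for the callback `headers` ("| `headers` | string| Optional. You can include a collection of HTTP headers...") says `string`, but both are JSON objects in the example payload (`"claims": { "given_name": "Megan", ... }` and `"headers": { "api-key": ... }`); document them as objects/collections. The callback `url` row should also state that the endpoint must be served over HTTPS, since the `api-key` or `Authorization` header values configured in `headers` are sent to it (the example uses https, but the table doesn't say so), and its last sentence needs punctuation: "Accepted formats: IPv4, IPv6, or a DNS-resolvable hostname." Finally, the new paragraph says "four claims attestation types" and then "uses four ways" in consecutive sentences; one of the two can go.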
The `pin` type defines a PIN code that can be displayed as part of the issuance.
| `alg` | string| The hashing algorithm for the hashed PIN. Supported algorithm: `sha256`. | | `iterations` | integer| The number of hashing iterations. Possible value: `1`.|
-### Callback type
-
-The Request Service REST API generates several events to the callback endpoint. Those events allow you to update the UI and continue the process after the results are returned to the application. The `Callback` type contains the following properties:
-
-|Property |Type |Description |
-||||
-| `url` | string| URI to the callback endpoint of your application. The URI must point to a reachable endpoint on the internet otherwise the service will throw callback URL unreadable error. Accepted formats IPv4, IPv6 or DNS resolvable hostname |
-| `state` | string| Associates with the state passed in the original payload. |
-| `headers` | string| Optional. You can include a collection of HTTP headers required by the receiving end of the POST message. The current supported header values are the `api-key` or the `Authorization` headers. Any other header will throw an invalid callback header error|
- ## Successful response If successful, this method returns a response code (*HTTP 201 Created*), and a collection of event objects in the response body. The following JSON demonstrates a successful response: ```json {
- "requestId":ΓÇ»:"799f23ea-5241-45af-99ad-cf8e5018814e",
- "url":ΓÇ»"openid://vc?request_uri=https://beta.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiablecredentials/request/178319f7-20be-4945-80fb-7d52d47ae82e",
+ "requestId":ΓÇ»"799f23ea-5241-45af-99ad-cf8e5018814e",
+ "url":ΓÇ»"openid://vc?request_uri=https://verifiedid.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredentials/request/178319f7-20be-4945-80fb-7d52d47ae82e",
"expiry": 1622227690, "qrCode": "data:image/png;base64,iVBORw0KggoA<SNIP>" }
The response contains the following properties:
|Property |Type |Description | ||||
-| `requestId`| string | An autogenerated correlation ID. The [callback](#callback-events) uses the same request, allowing you to keep track of the issuance request and its callbacks. |
+| `requestId`| string | An autogenerated request ID. The [callback](#callback-events) uses the same request, allowing you to keep track of the issuance request and its callbacks. |
| `url`| string| A URL that launches the authenticator app and starts the issuance process. You can present this URL to the user if they can't scan the QR code. | | `expiry`| integer| Indicates when the response will expire. | | `qrCode`| string | A QR code that user can scan to start the issuance flow. |
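Review bot: "The [callback](#callback-events) uses the same request, allowing you to keep track..." should read "uses the same request ID", which is the property being described. The added `"requestId":ΓÇ»"799f23ea-..."` line correctly drops the stray second colon from the old sample, but both added lines still have a non-breaking space after the colon (rendered `ΓÇ»`); use a plain space so the response sample is valid JSON when copied.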
When your app receives the response, the app needs to present the QR code to the
## Error response
-Error responses also can be returned so that the app can handle them appropriately. The following JSON shows an unauthorized error message:
--
-```json
-{
- "requestId": "d60b068e7fbd975896e179b99347866a",
- "date": "Wed, 29 Sep 2021 21:49:00 GMT",
- "error": {
- "code": "unauthorized",
- "message": "Failed to authenticate the request."
- }
-}
-```
-
-The response contains the following properties:
-
-|Property |Type |Description |
-||||
-| `requestId`| string | An autogenerated request ID.|
-| `date`| date| The time of the error. |
-| `error.code` | string| The return error code. |
-| `error.message`| string| The error message. |
+If there is an error with the request, an [error responses](error-codes.md) will be returned and should be handled appropriately by the app.
## Callback events
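Review bot: Grammar in the replacement sentence: "an [error responses](error-codes.md) will be returned" should be "an [error response](error-codes.md) is returned". Also, removing the inline sample drops this page's only description of the `requestId`, `date`, `error.code` and `error.message` fields; confirm error-codes.md documents that shape so readers can still correlate a failed call to its `requestId`.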
The callback endpoint is called when a user scans the QR code, uses the deep lin
|Property |Type |Description | |||| | `requestId`| string | Mapped to the original request when the payload was posted to the Verifiable Credentials service.|
-| `code` |string |The code returned when the request has an error. Possible values: <ul><li>`request_retrieved`: The user scanned the QR code or selected the link that starts the issuance flow.</li><li>`issuance_successful`: The issuance of the verifiable credentials was successful.</li><li>`Issuance_error`: There was an error during issuance. For details, see the `error` property.</li></ul> |
+| `code` |string |The code returned when the request has an error. Possible values: <ul><li>`request_retrieved`: The user scanned the QR code or selected the link that starts the issuance flow.</li><li>`issuance_successful`: The issuance of the verifiable credentials was successful.</li><li>`issuance_error`: There was an error during issuance. For details, see the `error` property.</li></ul> |
| `state` |string| Returns the state value that you passed in the original payload. | | `error`| error | When the `code` property value is `Issuance_error`, this property contains information about the error.| | `error.code` | string| The return error code. |
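Review bot: The `code` row is corrected to `issuance_error`, but the trailing context row still says "When the `code` property value is `Issuance_error`, this property contains information about the error"; update it in the same change so the two casings don't disagree. The `code` row's opening sentence, "The code returned when the request has an error", is also inaccurate now that it lists `request_retrieved` and `issuance_successful`, which are not errors; "The status of the issuance flow" or similar fits better.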
The following example demonstrates a callback payload when the authenticator app
```json {
-    "requestId":"aef2133ba45886ce2c38974339ba1057",
+    "requestId": "799f23ea-5241-45af-99ad-cf8e5018814e",
    "code":"request_retrieved",
-    "state":"Wy0ThUz1gSasAjS1"
+    "state": "de19cb6b-36c1-45fe-9409-909a51292a9c"
} ```
The following example demonstrates a callback payload after the user successfull
```json {
-    "requestId":"87e1cb24-9096-409f-81cb-9e645f23a4ba",
+    "requestId": "799f23ea-5241-45af-99ad-cf8e5018814e",
    "code":"issuance_successful",
-    "state":"f3d94e35-ca5f-4b1b-a7d7-a88caa05e322",
+    "state": "de19cb6b-36c1-45fe-9409-909a51292a9c"
}ΓÇ» ```
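Review bot: The closing brace line `}ΓÇ»` keeps a trailing non-breaking-space residue, and `"code":"issuance_successful",` still uses the `"key":"value"` spacing while the two lines being changed switch to `"key": "value"`; since this hunk is normalizing the sample values anyway, strip the residue and align the spacing.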
The callback endpoint might be called with an error message. The following table
|Message |DefinitionΓÇ» | |||
-| `fetch_contract_error*`| Unable to fetch the verifiable credential contract. This error usually happens when the API can't fetch the manifest you specify in the request payload [RequestIssuance object](#requestissuance-type).|
+| `fetch_contract_error*`| Unable to fetch the verifiable credential contract. This error usually happens when the API can't fetch the manifest you specify in the request payload [RequestIssuance object](#issuance-request-payload).|
| `issuance_service_error*` | The Verifiable Credentials service isn't able to validate requirements, or something went wrong in Verifiable Credentials.| | `unspecified_error`| This error is uncommon, but worth investigating. |
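Review bot: The link is retargeted to `#issuance-request-payload`, but its text still says "[RequestIssuance object]", a type this same patch removes; suggest "the manifest you specify in the [issuance request payload](#issuance-request-payload)".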
The following example demonstrates a callback payload when an error occurred:
```json {
-    "requestId":"87e1cb24-9096-409f-81cb-9e645f23a4ba",
+    "requestId": "799f23ea-5241-45af-99ad-cf8e5018814e",
    "code": "issuance_error",
-    "state":"f3d94e35-ca5f-4b1b-a7d7-a88caa05e322",
+    "state": "de19cb6b-36c1-45fe-9409-909a51292a9c",
"error": { "code":"IssuanceFlowFailed", "message":"issuance_service_errorΓÇ¥,
active-directory Issuer Openid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/issuer-openid.md
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)]
-The Azure AD Verifiable Credential service can issue verifiable credentials by retrieving claims from an ID token generated by your organization's OpenID compliant identity provider. This article instructs you on how to set up your identity provider so Authenticator can communicate with it and retrieve the correct ID Token to pass to the issuing service.
+The Microsoft Entra Verified ID service can issue verifiable credentials by retrieving claims from an ID token generated by your organization's OpenID compliant identity provider. This article instructs you on how to set up your identity provider so Authenticator can communicate with it and retrieve the correct ID Token to pass to the issuing service.
> [!IMPORTANT] > Azure Active Directory Verifiable Credentials is currently in public preview.
The ID token must use the JWT compact serialization format, and must not be encr
## Next steps -- [How to customize your Azure Active Directory Verifiable Credentials](credential-design.md)
+- [How to customize your Azure Active Directory Verifiable Credentials](credential-design.md)
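Review bot: The re-added Next steps line keeps the old product name in its link text ("How to customize your Azure Active Directory Verifiable Credentials") even though the intro paragraph in this hunk is rebranded to Microsoft Entra Verified ID, and the `[!IMPORTANT]` callout still says "Azure Active Directory Verifiable Credentials is currently in public preview"; update both for consistency.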
active-directory Plan Issuance Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/plan-issuance-solution.md
Title: Plan your Azure Active Directory Verifiable Credentials issuance solution(preview)
+ Title: Plan your Microsoft Entra Verified ID issuance solution(preview)
description: Learn to plan your end-to-end issuance solution. documentationCenter: ''
Previously updated : 06/03/2022 Last updated : 07/28/2022
-# Plan your Azure Active Directory Verifiable Credentials issuance solution (preview)
+# Plan your Microsoft Entra Verified ID issuance solution (preview)
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)] >[!IMPORTANT]
-> Azure Active Directory Verifiable Credentials is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [**Supplemental Terms of Use for Microsoft Azure Previews**](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> Microsoft Entra Verified ID is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [**Supplemental Terms of Use for Microsoft Azure Previews**](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-ItΓÇÖs important to plan your issuance solution so that in addition to issuing credentials, you have a complete view of the architectural and business impacts of your solution. If you havenΓÇÖt done so, we recommend you view the [Azure Active Directory Verifiable Credentials architecture overview](introduction-to-verifiable-credentials-architecture.md) for foundational information.
+ItΓÇÖs important to plan your issuance solution so that in addition to issuing credentials, you have a complete view of the architectural and business impacts of your solution. If you havenΓÇÖt done so, we recommend you view the [Microsoft Entra Verified ID architecture overview](introduction-to-verifiable-credentials-architecture.md) for foundational information.
## Scope of guidance
-This article covers the technical aspects of planning for a verifiable credential issuance solution using Microsoft products to interoperate with the Identity Overlay Network (ION). The Microsoft solution for verifiable credentials follows the World Wide Web Consortium (W3C) [Verifiable Credentials Data Model 1.0](https://www.w3.org/TR/vc-data-model/) and [Decentralized Identifiers (DIDs) V1.0](https://www.w3.org/TR/did-core/) standards so can interoperate with non-Microsoft services. However, the examples in this content reflect the Microsoft solution stack for verifiable credentials.
+This article covers the technical aspects of planning for a verifiable credential issuance solution. The Microsoft solution for verifiable credentials follows the World Wide Web Consortium (W3C) [Verifiable Credentials Data Model 1.0](https://www.w3.org/TR/vc-data-model/) and [Decentralized Identifiers (DIDs) V1.0](https://www.w3.org/TR/did-core/) standards so can interoperate with non-Microsoft services. However, the examples in this content reflect the Microsoft solution stack for verifiable credentials.
-Out of scope for this content are topics covering supporting technologies that aren't specific to issuance solutions. For example, websites are used in a verifiable credential issuance solution but planning a website deployment isn't covered in detail.
+Out of scope for this content is articles covering supporting technologies that aren't specific to issuance solutions. For example, websites are used in a verifiable credential issuance solution but planning a website deployment isn't covered in detail.
## Components of the solution
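Review bot: The rewritten scope sentence introduces a grammar error: "Out of scope for this content is articles covering..." (the original "are topics" was correct); use "are articles" or keep "topics". The new metadata title "Plan your Microsoft Entra Verified ID issuance solution(preview)" is also missing the space before "(preview)" that the H1 in this hunk has.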
As part of your plan for an issuance solution, you must design a solution that e
### Azure Active Directory tenant
-A prerequisite for running the Azure AD Verifiable Credentials service is that it's hosted in an Azure Active Directory (Azure AD) tenant. The Azure AD tenant provides an Identity and Access Management (IAM) control plane for the Azure resources that are part of the solution.
+A prerequisite for running the Microsoft Entra Verified ID service is that it's hosted in an Azure Active Directory (Azure AD) tenant. The Azure AD tenant provides an Identity and Access Management (IAM) control plane for the Azure resources that are part of the solution.
-Each tenant has a single instance of the Azure AD Verifiable Credentials service, and a single decentralized identifier (DID). The DID provides proof that the issuer owns the domain incorporated into the DID. The DID is used by the subject and the verifier to validate the issuer.
+Each tenant uses the multi-tenant Microsoft Entra Verified ID service, and has a decentralized identifier (DID). The DID provides proof that the issuer owns the domain incorporated into the DID. The DID is used by the subject and the verifier to validate the issuer.
### Microsoft Azure services ![Components of an issuance solution, focusing on Azure services](media/plan-issuance-solution/plan-for-issuance-solution-azure-services.png)
-The **Azure Key Vault** service stores your issuer keys, which are generated when you initiate the Azure AD Verifiable Credentials issuance service. The keys and metadata are used to execute credential management operations and provide message security.
+The **Azure Key Vault** service stores your issuer keys, which are generated when you initiate the Microsoft Entra Verified ID issuance service. The keys and metadata are used to execute credential management operations and provide message security.
Each issuer has a single key set used for signing, updating, and recovery. This key set is used for every issuance of every verifiable credential you produce.
-**Azure AD Verifiable Credentials Service** is used to store credential metadata and definitions; specifically, the rules and display definitions for your credentials.
+**Microsoft Entra Verified ID Service** is used to store credential metadata and definitions; specifically, the rules and display definitions for your credentials.
-* Display definitions determine which claims are stored in the VC and how it's displayed in the holderΓÇÖs wallet. The display definition also includes branding and other elements. Rules definitions are limited in size to 50 KB, while display definitions are limited to 150 KB. See [How to customize your verifiable credentials](../verifiable-credentials/credential-design.md).
+* Display definitions determine how claims are displayed in the holderΓÇÖs wallet and also includes branding and other elements. The Display definition can be localized into multiple languages. See [How to customize your verifiable credentials](../verifiable-credentials/credential-design.md).
-* Rules are an issuer-defined model that describes the required inputs of a verifiable credential, the trusted sources of the inputs, and the mapping of input claims to output claims.
+* Rules are an issuer-defined model that describes the required inputs of a verifiable credential. Rules also defined trusted input sources, and the mapping of input claims to output claims stored in the VC. Depending on the type of attestation defined in the rules definition, the input claims can come from different providers. Input claims may come from an OIDC Identity Provider, from an id_token_hint or they may be self asserted during issuance via user input in the wallet.
* **Input** ΓÇô Are a subset of the model in the rules file for client consumption. The subset must describe the set of inputs, where to obtain the inputs and the endpoint to call to obtain a verifiable credential.
-### Azure AD Verifiable Credentials service
+### Microsoft Entra Verified ID service
-![Microsoft Azure AD Verifiable Credentials service](media/plan-issuance-solution/plan-for-issuance-solution-azure-active-directory-verifiable-credentials-vc-services.png)
+![Diagram of Microsoft Microsoft Entra Verified ID service](media/plan-issuance-solution/plan-for-issuance-solution-azure-active-directory-verifiable-credentials-vc-services.png)
-The Azure AD Verifiable Credentials service enables you to issue and revoke VCs based on your configuration. The service:
+The Microsoft Entra Verified ID service enables you to issue and revoke VCs based on your configuration. The service:
-* Provisions the decentralized identifier (DID) and writes the DID document to ION, where it can be used by subjects and verifiers. Each issuer has a single DID per tenant.
+* Provisions the decentralized identifier (DID). Each issuer has a single DID per tenant.
* Provisions key sets to Key Vault.
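Review bot: In the rules bullet, "Rules also defined trusted input sources" should be "define", and "self asserted" should be "self-asserted"; in the display bullet, "determine how claims are displayed ... and also includes branding" should be "include". The rewritten display bullet also drops the previous sentence "Rules definitions are limited in size to 50 KB, while display definitions are limited to 150 KB"; if those limits still apply, keep them or link to where they are documented, because they bound how much claim and branding data an issuer can put in a contract. The image alt text "Diagram of Microsoft Microsoft Entra Verified ID service" duplicates "Microsoft".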
The Azure AD Verifiable Credentials service enables you to issue and revoke VCs
* Provides REST APIs interface for issuer and verifier web front ends
-### ION
+### Trust System
![ION](media/plan-issuance-solution/plan-for-issuance-solution-ion.png)
-As one alternative for the tenants trust system, Microsoft uses the [Identity Overlay Network (ION)](https://identity.foundation/ion/), [a Sidetree-based network](https://identity.foundation/sidetree/spec/) that uses BitcoinΓÇÖs blockchain for decentralized identifier (DID) implementation. The DID document of the issuer is stored in ION and is used to perform cryptographic signature checks by parties to the transaction. The other alternative for trust system is Web, where the DID document is hosted on the issuers webserver.
+Microsoft Entra Verified ID currently supports two trust system. One is the [Identity Overlay Network (ION)](https://identity.foundation/ion/), [a Sidetree-based network](https://identity.foundation/sidetree/spec/) that uses BitcoinΓÇÖs blockchain for decentralized identifier (DID) implementation. The DID document of the issuer is stored in ION and is used to perform cryptographic signature checks by parties to the transaction. The other alternative for trust system is [DID Web](https://w3c-ccg.github.io/did-method-web/), where the DID document is hosted on the issuers webserver.
### Microsoft Authenticator application ![Microsoft Authenticator application](media/plan-issuance-solution/plan-for-issuance-solution-authenticator.png)
-Microsoft Authenticator is the mobile application that orchestrates the interactions between the user, the Azure AD Verifiable Credentials service, and dependencies that are described in the contract used to issue VCs. It acts as a digital wallet in which the holder of the VC stores the VC, including the private key of the subject of the VC. Authenticator is also the mechanism used to present VCs for verification.
+Microsoft Authenticator is the mobile application that orchestrates the interactions between the user, the Microsoft Entra Verified ID service, and dependencies that are described in the contract used to issue VCs. It acts as a digital wallet in which the holder of the VC stores the VC, including the private key of the subject of the VC. Authenticator is also the mechanism used to present VCs for verification.
### Issuance business logic
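Review bot: "Microsoft Entra Verified ID currently supports two trust system" should be "trust systems", and "issuers webserver" should be "issuer's web server". The heading is renamed to "Trust System", but the image alt text on the next line still reads "ION" (and the file is `plan-for-issuance-solution-ion.png`); update the alt text so it doesn't mislead readers using DID Web. Since the paragraph says the DID document is what parties use "to perform cryptographic signature checks", it would help to add that with DID Web the web server hosting that document is part of the issuer's trust boundary and must be protected accordingly.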
Your issuance solution includes a web front end where users request a VC, an ide
A web front end serves issuance requests to the subjectΓÇÖs wallet by generating deep links or QR codes. Based on the configuration of the contract, other components might be required to satisfy the requirements to create a VC.
-These services provide supporting roles that don't necessarily need to integrate with ION or Azure AD Verifiable Credentials issuance service. This layer typically includes:
+These services provide supporting roles that don't necessarily need to integrate with ION or Microsoft Entra Verified ID issuance service. This layer typically includes:
* **Open ID Connect (OIDC)-compliant service or services** are used to obtain id_tokens needed to issue the VC. Existing identity systems such as Azure AD or Azure AD B2C can provide the OIDC-compliant service, as can custom solutions such as Identity Server.
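Review bot: "don't necessarily need to integrate with ION or Microsoft Entra Verified ID issuance service" still names ION specifically, while the rest of this patch replaces ION with the generic "trust system"; say "with the trust system or the Microsoft Entra Verified ID service" for consistency.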
Your specific use cases determine your credential design. The use case will dete
* if credentials will ever need to be revoked
-
- ### Credential Use Cases
-With Azure AD Verifiable Credentials, the most common credential use cases are:
+With Microsoft Entra Verified ID, the most common credential use cases are:
**Identity Verification**: a credential is issued based on multiple criteria. This may include verifying the authenticity of government-issued documents like a passport or driverΓÇÖs license and corelating the information in that document with other information such as:
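Review bot: This hunk removes the blank line and the `### Credential Use Cases` heading without a replacement, yet the following paragraph still introduces "the most common credential use cases"; confirm the heading removal is intended, otherwise the use-case discussion ends up under the credential-design heading above it.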
With Azure AD Verifiable Credentials, the most common credential use cases are:
This kind of credential is a good fit for identity onboarding scenarios of new employees, partners, service providers, students, and other instances where identity verification is essential.
-
- ![Identity verification use case](media/plan-issuance-solution/plan-for-issuance-solution-identity-verification-use-case.png) **Proof of employment/membership**: a credential is issued to prove a relationship between the user and an institution. This kind of credential is a good fit to access loosely coupled business-to-business applications, such as retailers offering discounts to employees or students. One main value of VCs is their portability: Once issued, the user can use the VC in many scenarios.
For more use cases, see [Verifiable Credentials Use Cases (w3.org)](https://www.
As part of the design process, investigate industry-specific schemas, namespaces, and identifiers to which you can align to maximize interoperability and usage. Examples can be found in [Schema.org](https://schema.org/) and the [DIF - Claims and Credentials Working Group.](https://identity.foundation/working-groups/claims-credentials.html)
-Note that common schemas are an area where standards are still emerging. One example of such an effort is the [Verifiable Credentials for Education Task Force](https://github.com/w3c-ccg/vc-ed). We encourage you to investigate and contribute to emerging standards in your organization's industry.
+Common schemas are an area where standards are still emerging. One example of such an effort is the [Verifiable Credentials for Education Task Force](https://github.com/w3c-ccg/vc-ed). We encourage you to investigate and contribute to emerging standards in your organization's industry.
+
+### Credential Type and Attributes
+
+After establishing the use case for a credential, you need to decide the credential type and what attributes to include in the credential. Verifiers can read the claims in the VC presented by the users.
-### Credential Attributes
+All verifiable credentials must declare their *type* in their [rules definition](rules-and-display-definitions-model.md#rulesmodel-type). The credential type distinguishes a verifiable credentials schema from other credentials and it ensures interoperability between issuers and verifiers. To indicate a credential type, provide one or more credential types that the credential satisfies. Each type is represented by a unique string. Often, a URI is used to ensure global uniqueness. The URI doesn't need to be addressable. It's treated as a string. As an example, a diploma credential issued by Contoso University might declare the following types:
-After establishing the use case for a credential, you need to decide what attributes to include in the credential. Verifiers can read the claims in the VC presented by the users.
+| Type | Purpose |
+| - | - |
+| `https://schema.org/EducationalCredential` | Declares that diplomas issued by Contoso University contain attributes defined by the schema.org `EducationaCredential` object. |
+| `https://schemas.ed.gov/universityDiploma2020` | Declares that diplomas issued by Contoso University contain attributes defined by the U.S. Department of Education. |
+| `https://schemas.contoso.edu/diploma2020` | Declares that diplomas issued by Contoso University contain attributes defined by Contoso University. |
In addition to the industry-specific standards and schemas that might be applicable to your scenarios, consider the following aspects:
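Review bot: The Purpose cell of the first row in the added type table misspells the schema.org object as `EducationaCredential`; it should read `EducationalCredential`, matching the URI in the Type column. Because the surrounding text states that a type is treated as an opaque string and is never resolved, a misspelling in a type value is not caught by any lookup and simply fails to match at the verifier, so it is worth adding a sentence telling issuers to copy type strings exactly from the schema they are aligning with.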
-* **Minimize private information**: Meet the use cases with the minimal amount of private information necessary. For example, a VC used for e-commerce websites that offers discounts to employees and alumni can be fulfilled by presenting the credential with just the first and last name claims. Additional information such as hiring date, title, department, etc. are not needed.
+* **Minimize private information**: Meet the use cases with the minimal amount of private information necessary. For example, a VC used for e-commerce websites that offers discounts to employees and alumni can be fulfilled by presenting the credential with just the first and last name claims. Additional information such as hiring date, title, department, aren't needed.
* **Favor abstract claims**: Each claim should meet the need while minimizing the detail. For example, a claim named ΓÇ£ageOverΓÇ¥ with discrete values such as ΓÇ£13ΓÇ¥,ΓÇ¥21ΓÇ¥,ΓÇ¥60ΓÇ¥, is more abstract than a date of birth claim.
-* **Plan for revocability**: We recommend you define an index claim to enable mechanisms to find and revoke credentials. You are limited to defining one index claim per contract. It is important to note that values for indexed claims are not stored in the backend, only a hash of the claim value. For more information, see [Revoke a previously issued verifiable credential](../verifiable-credentials/how-to-issuer-revoke.md).
+* **Plan for revocability**: We recommend you define an index claim to enable mechanisms to find and revoke credentials. You are limited to defining one index claim per contract. It is important to note that values for indexed claims aren't stored in the backend, only a hash of the claim value. For more information, see [Revoke a previously issued verifiable credential](../verifiable-credentials/how-to-issuer-revoke.md).
-For additional considerations on credential attributes, refer to the [Verifiable Credentials Data Model 1.0 (w3.org)](https://www.w3.org/TR/vc-data-model/) specification.
+For other considerations on credential attributes, refer to the [Verifiable Credentials Data Model 1.0 (w3.org)](https://www.w3.org/TR/vc-data-model/) specification.
## Plan quality attributes ### Plan for performance
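Review bot: The rewritten "Minimize private information" bullet ends with "hiring date, title, department, aren't needed", which drops the conjunction and mismatches number; suggest "Additional information such as hiring date, title, and department isn't needed." The "Plan for revocability" bullet in the same hunk says only a hash of the indexed claim value is stored, so it would help to add that the index claim must therefore be a value the issuer can reproduce exactly later (an employee ID rather than free text), otherwise the credential cannot be found for revocation.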
-As with any solution, you must plan for performance. The key areas to focus on are latency, throughput storage, and scalability. During initial phases of a release cycle, performance should not be a concern. However, when adoption of your issuance solution results in many verifiable credentials being issued, performance planning might become a critical part of your solution.
+As with any solution, you must plan for performance. The key areas to focus on are latency and scalability. During initial phases of a release cycle, performance shouldn't be a concern. However, when adoption of your issuance solution results in many verifiable credentials being issued, performance planning might become a critical part of your solution.
The following provides areas to consider when planning for performance:
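Review bot: The rewritten opening sentence narrows the key areas to "latency and scalability", but the list that follows still says "Model based on throughput" and gives Key Vault signing throughput as the binding limit; keep "throughput" in the sentence (for example "latency, throughput, and scalability") so the introduction matches the model below. Dropping "storage" is consistent with the later removal of the Azure Storage limits bullets.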
-* The Azure AD Verifiable Credentials issuance service is deployed in West Europe, North Europe, West US 2, and West Central US Azure regions. You do not select a region to deploy the service to.
+* The Microsoft Entra Verified ID issuance service is deployed in West Europe, North Europe, West US 2, and West Central US Azure regions. If your Azure Active Directory tenant resides within EU, the Microsoft Entra Verified ID service will be in EU too.
-* To limit latency, deploy your issuance frontend website, key vault, and storage in the region listed above that is closest to where requests are expected to originate.
+* To limit latency, deploy your issuance frontend website and key vault in the region listed above that is closest to where requests are expected to originate.
Model based on throughput: * The Issuer service is subject to [Azure Key Vault service limits](../../key-vault/general/service-limits.md).
Model based on throughput:
* Maximum signing performance of a Key Vault is 2,000 signing/~10 seconds. This is about 12,000 signings per minute. This means your solution can support up to 4,000 VC issuances per minute.
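Review bot: The rewritten regions bullet replaces "You do not select a region to deploy the service to" with a sentence about EU tenants, so the reader no longer learns that the service region is not selectable, yet the next bullet still asks them to place their own front end and key vault "in the region listed above that is closest"; keep the original sentence alongside the EU note, and tighten the note to "If your Azure AD tenant resides in the EU, the Microsoft Entra Verified ID service runs in the EU as well."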
-* You cannot control throttling; however, we recommend you read [Azure Key Vault throttling guidance](../../key-vault/general/overview-throttling.md).
+* You can't control throttling; however, we recommend you read [Azure Key Vault throttling guidance](../../key-vault/general/overview-throttling.md).
-* If you are planning a large rollout and onboarding of VCs, consider batching VC creation to ensure you do not exceed limits.
-
-* The issuance service is subject to Azure storage limits. In typical use cases storage should not be a concern. However, if you feel you might exceed storage limits or feel storage might be a bottleneck, review the following:
-
- * We recommend reading [Scalability and performance targets for Blob storage](../../storage/blobs/scalability-targets.md) as part of your planning process. Azure AD Verifiable Credentials issuance service reads rules and displays files, and results are cached by the service.
-
- * We also recommend you review [Performance and scalability checklist for Blob storage - Azure Storage](../../storage/blobs/storage-performance-checklist.md).
+* If you are planning a large rollout and onboarding of VCs, consider batching VC creation to ensure you don't exceed limits.
As part of your plan for performance, determine what you will monitor to better understand the performance of the solution. In addition to application-level website monitoring, consider the following as you define your VC issuance monitoring strategy:
For scalability, consider implementing metrics for the following:
* Attribute lookup
- * Calls to Azure AD Verifiable Credentials issuance service
+ * Calls to Microsoft Entra Verified ID issuance service
* Credential issued
For scalability, consider implementing metrics for the following:
* Time spent (latency)
-* Monitor Azure Key Vault and Storage using the following:
+* Monitor Azure Key Vault using the following:
* [Azure Key Vault monitoring and alerting](../../key-vault/general/alert.md)
To plan for reliability, we recommend:
* For frontend and business layer, your solution can manifest in an unlimited number of ways. As with any solution, for the dependencies you identify, ensure that the dependencies are resilient and monitored.
-If the rare event that the Azure AD Verifiable Credentials issuance service, Azure Key Vault, or Azure Storage services become unavailable, the entire solution will become unavailable.
+If the rare event that the Microsoft Entra Verified ID issuance service or Azure Key Vault services become unavailable, the entire solution will become unavailable.
### Plan for compliance Your organization may have specific compliance needs related to your industry, type of transactions, or country of operation.
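Review bot: The rewritten availability sentence keeps the pre-existing typo "If the rare event"; it should read "In the rare event that the Microsoft Entra Verified ID issuance service or Azure Key Vault becomes unavailable, the entire solution becomes unavailable." Since this is the one place the page names the hard dependencies, it is also the natural spot to recommend enabling Key Vault soft-delete and purge protection, so that an accidental deletion of the signing keys does not produce the same outage.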
-**Data residency**: The Azure AD Verifiable Credentials issuance service is deployed in a subset of Azure regions. The service is used for compute functions only. We do not store values of verifiable credentials in Microsoft systems. However, as part of the issuance process, personal data is sent and used when issuing VCs. Using the VC service should not impact data residency requirements. If, as a part of identity verification you store any personal information, that should be stored in a manner and region that meets your compliance requirements. For Azure-related guidance, visit the Microsoft Trust Center website.
+**Data residency**: The Microsoft Entra Verified ID issuance service is deployed in a subset of Azure regions. The service is used for compute functions only. We don't store values of verifiable credentials in Microsoft systems. However, as part of the issuance process, personal data is sent and used when issuing VCs. Using the VC service shouldn't impact data residency requirements. If, as a part of identity verification you store any personal information, that should be stored in a manner and region that meets your compliance requirements. For Azure-related guidance, visit the Microsoft Trust Center website.
**Revoking credentials**: Determine if your organization will need to revoke credentials. For example, an admin may need to revoke credentials when an employee leaves the company. Or if a credential is issued for a driverΓÇÖs license, and the holder is caught doing something that would cause the driverΓÇÖs license to be suspended, the VC might need to be revoked. For more information, see [Revoke a previously issued verifiable credential](how-to-issuer-revoke.md).
Your organization may have specific compliance needs related to your industry, t
## Plan for operations
-When planning for operations, it is critical you develop a schema to use for troubleshooting, reporting, and distinguishing various customers you support. Additionally, if the operations team is responsible for executing VC revocation, that process must be defined. Each step in the process should be correlated so that you can determine which log entries can be associated with each unique issuance request. For auditing, we recommend you capture each attempt of credential issuing individually. Specifically:
+When planning for operations, it is critical you develop a schema to use for troubleshooting, reporting and distinguishing various customers you support. Additionally, if the operations team is responsible for executing VC revocation, that process must be defined. Each step in the process should be correlated so that you can determine which log entries can be associated with each unique issuance request. For auditing, we recommend you capture each attempt of credential issuing individually. Specifically:
* Generate unique transaction IDs that customers and support engineers can refer to as needed.
As part of your design considerations focused on security, we recommend the foll
* For key management:
- * Create a dedicated Key Vault for VC issuance. Limit Azure Key Vault permissions to the Azure AD Verifiable Credentials issuance service and the issuance service frontend website service principal.
+ * Create a dedicated Key Vault for VC issuance. Limit Azure Key Vault permissions to the Microsoft Entra Verified ID issuance service and the issuance service frontend website service principal.
* Treat Azure Key Vault as a highly privileged system - Azure Key Vault issues credentials to customers. We recommend that no human identities have standing permissions over the Azure Key Vault service. Administrators should have only just I time access to Key Vault. For more best practices for Azure Key Vault usage, refer to [Azure Security Baseline for Key Vault](/security/benchmark/azure/baselines/key-vault-security-baseline).
For security logging and monitoring, we recommend the following:
* Enable logging and alerting of Azure Key Vault to track credential issuance operations, key extraction attempts, permission changes, and to monitor and send alert for configuration changes. More information can be found at [How to enable Key Vault logging](../../key-vault/general/howto-logging.md).
-* Enable logging of your Azure Storage account to monitor and send alert for configuration changes. More information can be found at [Monitoring Azure Blob Storage](../../storage/blobs/monitor-blob-storage.md).
- * Archive logs in a security information and event management (SIEM) systems, such as [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel) for long-term retention. * Mitigate spoofing risks by using the following
For more information on Key Vault implementation and operation, refer to [Best p
[Plan your verification solution](plan-verification-solution.md)
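Review bot: The deletion in this hunk removes the bullet "Archive logs in a security information and event management (SIEM) systems, such as Microsoft Sentinel for long-term retention" together with the Azure Storage logging bullet, and no replacement appears; removing the storage bullet is consistent with the storage dependency going away elsewhere in this change, but the SIEM retention recommendation applies to the Key Vault logs that the preceding bullet still tells readers to enable, so it should be kept (re-indented under the Key Vault bullet if the storage bullet was its parent). While in this list, the key-management bullet above reads "just I time access"; that should be "just-in-time access".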
-[Get started with verifiable credentials](get-started-verifiable-credentials.md)
+[Get started with verifiable credentials](get-started-verifiable-credentials.md)
active-directory Plan Verification Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/plan-verification-solution.md
Title: Plan your Azure Active Directory Verifiable Credentials verification solution (preview)
+ Title: Plan your Microsoft Entra Verified ID verification solution (preview)
description: Learn foundational information to plan and design your verification solution documentationCenter: ''
Previously updated : 06/02/2022 Last updated : 07/28/2022
-# Plan your Azure Active Directory Verifiable Credentials verification solution (preview)
+# Plan your Microsoft Entra Verified ID verification solution (preview)
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)] >[!IMPORTANT]
-> Azure Active Directory Verifiable Credentials is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> Microsoft Entra Verified ID is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-MicrosoftΓÇÖs Azure Active Directory Verifiable Credentials (Azure AD VC) service enables you to trust proofs of user identity without expanding your trust boundary. With Azure AD VC, you create accounts or federate with another identity provider. By using verifiable credentials based on an open standard, a verification exchange enables applications to request credentials that aren't bound to a specific domain. This approach makes it easier to request and verify credentials at scale.
+MicrosoftΓÇÖs Microsoft Entra Verified ID (Azure AD VC) service enables you to trust proofs of user identity without expanding your trust boundary. With Azure AD VC, you create accounts or federate with another identity provider. When a solution implements a verification exchange using verifiable credentials, it enables applications to request credentials that aren't bound to a specific domain. This approach makes it easier to request and verify credentials at scale.
-If you havenΓÇÖt already, we suggest you review the [Azure AD Verifiable Credentials architecture overview](introduction-to-verifiable-credentials-architecture.md). You may also want to review [Plan your Azure AD Verifiable Credentials issuance solution](plan-issuance-solution.md).
+If you havenΓÇÖt already, we suggest you review the [Microsoft Entra Verified ID architecture overview](introduction-to-verifiable-credentials-architecture.md). You may also want to review [Plan your Microsoft Entra Verified ID issuance solution](plan-issuance-solution.md).
## Scope of guidance
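Review bot: The rewritten intro paragraph opens with "Microsoft's Microsoft Entra Verified ID (Azure AD VC) service", which doubles "Microsoft" and keeps the retired "Azure AD VC" abbreviation that the rest of this change replaces; suggest "The Microsoft Entra Verified ID service enables you to trust proofs of user identity without expanding your trust boundary. With Verified ID, you create accounts or federate with another identity provider." and use "Verified ID" for the later references in the paragraph.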
-This content covers the technical aspects of planning for a verifiable credential (VC) verification solution using Microsoft products and services. The solution interfaces with the Identity Overlay Network (ION) which acts as the decentralized public key infrastructure (DPKI).
+This content covers the technical aspects of planning for a verifiable credential (VC) verification solution using Microsoft products and services. The solution interfaces with a trust system, where currently supported trust systems are Identity Overlay Network (ION) or DID Web. ION acts as the decentralized public key infrastructure (DPKI) while DID Web is a centralized public key infrastructure.
Supporting technologies that aren't specific to verification solutions are out of scope. For example, websites are used in a verifiable credential verification solution but planning a website deployment isn't covered in detail.
As you plan your verification solution, you must consider what business capabili
As part of your plan for a verification solution, you must enable the interactions between the verifier, the subject, and the issuer. In this article, the terms relying party and verifier are used interchangeably. The following diagram shows the components of your verification architecture.
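Review bot: The rewritten scope sentence describes DID Web only as "a centralized public key infrastructure"; a planner needs the trust consequence, namely that with DID Web a verifier's trust in the issuer's DID document rests on the DNS and TLS of the web server hosting it (as the Trust System section later in this change says), whereas with ION the document is anchored in the Bitcoin-backed Sidetree network. One sentence to that effect here would make the choice between the two systems a security decision rather than a naming one.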
-![Components of a verification solution](media/plan-verification-solution/plan-verification-solution-architecture.png)
+![Diagram of the components of a verification solution.](media/plan-verification-solution/plan-verification-solution-architecture.png)
-### Azure AD Verifiable Credentials service
+### Microsoft Entra Verified ID service
-In the context of a verifier solution, the Azure AD Verifiable Credentials service is the interface between the Microsoft components of the solution and ION. The service provisions the key set to Key Vault, provisions the decentralized identifier (DID), and writes the DID document to ION, where it can be used by subjects and issuers.
+In the context of a verifier solution, the Microsoft Entra Verified ID service is the interface between the Microsoft components of the solution and the trust system. The service provisions the key set to Key Vault, provisions the decentralized identifier (DID). In the case of ION, the service writes the DID document to the distributed ledger, where it can be used by subjects and issuers.
### Azure Active Directory tenant
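Review bot: The rewritten service paragraph reads "provisions the key set to Key Vault, provisions the decentralized identifier (DID)." with no conjunction, and it explains only the ION case; suggest "The service provisions the key set in Key Vault and provisions the decentralized identifier (DID). With ION, the service writes the DID document to the distributed ledger; with DID Web, the DID document is hosted on your web server." so that both trust systems introduced in the scope section are covered.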
-The service requires an Azure AD tenant that provides an Identity and Access Management (IAM) control plane for the Azure resources that are part of the solution. There's a single instance of the Azure AD VC service within a tenant, and it issues a single DID document representing the verifier. If you have multiple relying parties using your verification service, they all use the same verifier DID. The verifier DID provides pointers to the public key that allows subjects and issuers to validate messages that come from the relying party.
+The service requires an Azure AD tenant that provides an Identity and Access Management (IAM) control plane for the Azure resources that are part of the solution. Each Azure AD tenant uses the multi-tenant Microsoft Entra Verified ID service, and it issues a single DID document representing the verifier. If you have multiple relying parties using your verification service, they all use the same verifier DID. The verifier DID provides pointers to the public key that allows subjects and issuers to validate messages that come from the relying party.
+ ### Azure Key Vault
-![Azure Key Vault](./media/plan-verification-solution/plan-verification-solution-key-vault.png)
+![Diagram of the components of a verification solution with Azure Key Vault highlighted.](./media/plan-verification-solution/plan-verification-solution-key-vault.png)
-The Azure Key Vault service stores your verifier keys, which are generated when you enable the Azure AD Verifiable Credentials issuance service. The keys are used to provide message security. Each verifier has a single key set used for signing, updating, and recovering VCs. This key set is used each time you service a verification request. Microsoft key set currently uses Elliptic Curve Cryptography (ECC) [SECP256k1](https://en.bitcoin.it/wiki/Secp256k1). We're exploring other cryptographic signature schemas that will be adopted by the broader DID community.
+The Azure Key Vault service stores your verifier keys, which are generated when you enable the Microsoft Entra Verified ID issuance service. The keys are used to provide message security. Each verifier has a single key set used for signing, updating, and recovering VCs. This key set is used each time you service a verification request. Microsoft key set currently uses Elliptic Curve Cryptography (ECC) [SECP256k1](https://en.bitcoin.it/wiki/Secp256k1). We're exploring other cryptographic signature schemas that will be adopted by the broader DID community.
-### Azure AD VC APIs
+### Request Service API
-![Azure AD VC APIs](./media/plan-verification-solution/plan-verification-solution-apis.png)
+![Diagram of the components of a verification solution with request Service API highlighted.](./media/plan-verification-solution/plan-verification-solution-apis.png)
Application programming interfaces (APIs) provide developers a method to abstract interactions between components of the solution to execute verification operations.
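Review bot: The rewritten Key Vault paragraph still says each verifier has "a single key set used for signing, updating, and recovering VCs"; the update and recovery keys belong to the DID that the service provisions (per the service section above), not to credentials, so suggest "used for signing messages and for updating and recovering the DID". In the same hunk, "Each Azure AD tenant uses the multi-tenant Microsoft Entra Verified ID service, and it issues a single DID document" leaves "it" ambiguous; "and the service issues a single DID document per tenant" is clearer. Finally, the verifier keys are described as generated "when you enable the Microsoft Entra Verified ID issuance service", which reads oddly in the verification article; if one key set serves both the issuer and verifier roles, say so explicitly.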
-### ION
-
-![Azure AD VC ION](./media/plan-verification-solution/plan-verification-solution-ion.png)
+### Trust System
-As one alternative for the tenants trust system, Microsoft uses the [Identity Overlay Network (ION)](https://identity.foundation/ion/), [a Sidetree-based network](https://identity.foundation/sidetree/spec/)that uses BitcoinΓÇÖs blockchain for decentralized identifier (DID) implementation. The DID document of the issuer is stored in ION and is used to perform cryptographic signature checks by parties to the transaction. The other alternative for trust system is Web, where the DID document is hosted on the issuers webserver.
+![Diagram of the components of a verification solution with the trust system highlighted.](./media/plan-verification-solution/plan-verification-solution-ion.png)
+Microsoft Entra Verified ID currently supports two trust system. One is [Identity Overlay Network (ION)](https://identity.foundation/ion/), [a Sidetree-based network](https://identity.foundation/sidetree/spec/)that uses BitcoinΓÇÖs blockchain for decentralized identifier (DID) implementation. The DID document of the issuer is stored in ION and is used to perform cryptographic signature checks by parties to the transaction. The other alternative for trust system is [DID Web](https://w3c-ccg.github.io/did-method-web/), where the DID document is hosted on the issuers webserver.
### Microsoft Authenticator application
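Review bot: The new Trust System paragraph has "two trust system" (should be "two trust systems"), a missing space in "network](...)that uses", and "issuers webserver" (should be "issuer's web server"). Since the paragraph explains that the DID document is used "to perform cryptographic signature checks by parties to the transaction", it is also worth adding that with DID Web the document must be served over HTTPS from the issuer's own domain, because the verifier has nothing else tying that document to that issuer.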
-![Microsoft Authenticator application](media/plan-verification-solution/plan-verification-solution-authenticator.png)
+![Diagram of the components of a verification solution with Microsoft Authenticator application highlighted.](media/plan-verification-solution/plan-verification-solution-authenticator.png)
-Microsoft Authenticator is the mobile application that orchestrates the interactions between the relying party, the user, the Azure AD Verifiable Credentials issuance service, and dependencies described in the contract used to issue VCs. Microsoft Authenticator acts as a digital wallet in which the holder of the VC stores the VC. It's also the mechanism used to present VCs for verification.
+Microsoft Authenticator is the mobile application that orchestrates the interactions between the relying party, the user, the Microsoft Entra Verified ID issuance service, and dependencies described in the contract used to issue VCs. Microsoft Authenticator acts as a digital wallet in which the holder of the VC stores the VC. It's also the mechanism used to present VCs for verification.
### Relying party (RP)
-![Relying party components](media/plan-verification-solution/plan-verification-solution-relying-party.png)
+![Diagram of the components of a verification solution with Relying party components highlighted.](media/plan-verification-solution/plan-verification-solution-relying-party.png)
#### Web front end
-The relying party web front end uses the Azure AD VC APIs to verify VCs by generating deep links or QR codes that are consumed by the subjectΓÇÖs wallet. Depending on the scenario, the front end can be a publicly accessible or internal website to enable end-user experiences that require verification. However, the endpoints that the wallet accesses must be publicly accessible. Specifically, it controls redirection to the wallet with specific request parameters. This is accomplished using the Microsoft-provided APIs.
+The relying party web front end uses the Request Service API to verify VCs by generating deep links or QR codes that are consumed by the subjectΓÇÖs wallet. Depending on the scenario, the front end can be a publicly accessible or internal website to enable end-user experiences that require verification. However, the endpoints that the wallet accesses must be publicly accessible. Specifically, it controls redirection to the wallet with specific request parameters. This is accomplished using the Microsoft-provided APIs.
#### Business logic
The following are examples of designs to satisfy specific use cases. The first i
### Account onboarding
-Verifiable credentials can also be used to enable faster onboarding by replacing some human interactions. VCs can be used to onboard employees, students, citizens, or others to access services. For example, rather than an employee needing to go to a central office to activate an employee badge, they can use a VC to verify their identity to activate a badge that is delivered to them remotely. Rather than a citizen receiving a code they must redeem to access governmental services, they can use a VC to prove their identity and gain access.
+Verifiable credentials can be used to enable faster onboarding by replacing some human interactions. VCs can be used to onboard employees, students, citizens, or others to access services. For example, rather than an employee needing to go to a central office to activate an employee badge, they can use a VC to verify their identity to activate a badge that is delivered to them remotely. Rather than a citizen receiving a code they must redeem to access governmental services, they can use a VC to prove their identity and gain access.
-![Account onboarding scenario](media/plan-verification-solution/plan-verification-solution-onboarding.png)
+![Diagram showing the account onboarding scenario.](media/plan-verification-solution/plan-verification-solution-onboarding.png)
#### Other elements
-**Onboarding portal**: A web front end that orchestrates the Azure AD VC APIs calls for VC presentation and validation, and the logic to onboard accounts.
+**Onboarding portal**: A web front end that orchestrates the Request Service API calls for VC presentation and validation, and the logic to onboard accounts.
**Custom logic / workflows**: Specific logic with organization-specific steps before and after updating the user account. Examples might include approval workflows, other validations, logging, notifications, and so on.
Verifiable credentials can also be used to enable faster onboarding by replacing
* To invite users to Azure AD using B2B collaboration, the RP website can use a service principal that is granted the MS Graph scope of User.Invite.All to create invitations.
- * If your RP is running in Azure, use Managed Identities to call Microsoft Graph; this will remove the risks of managing service principal credentials in code or configuration files. To learn more about Managed identities, go to [Managed identities for Azure resources.](../managed-identities-azure-resources/overview.md)
+ * If your RP is running in Azure, use Managed Identities to call Microsoft Graph. Using managed identities removes the risks of managing service principal credentials in code or configuration files. To learn more about Managed identities, go to [Managed identities for Azure resources.](../managed-identities-azure-resources/overview.md)
### Accessing high-value applications inside organizations Verifiable credentials can be used as other proof to access to sensitive applications inside the organization. For example, VCs can also be used to provide employees with access to line-of-business applications based on achieving specific criteria, such as a certification.
-![Access inside of the trust boundary](media/plan-verification-solution/plan-verification-solution-inside-trust-boundary-access.png)
+![Diagram of the components of a verification solution with other elements included.](media/plan-verification-solution/plan-verification-solution-inside-trust-boundary-access.png)
#### Other elements
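Review bot: The new alt text for the high-value-applications diagram, "Diagram of the components of a verification solution with other elements included.", is generic and drops the information the old alt text carried ("Access inside of the trust boundary"); the matching diagram for the next scenario keeps "access is taking place from outside of the trust boundary", so this one should say "inside" for symmetry, for example "Diagram of a verification solution where access takes place inside the trust boundary."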
-**Relying party web frontend**: This is the web frontend of the application that is enhanced through Azure AD Verifiable Credential API calls for VC presentation and validation, based on your business requirements.
+**Relying party web frontend**: This is the web frontend of the application that is enhanced through Request Service API calls for VC presentation and validation, based on your business requirements.
**User access authorization logic**: Logic layer in the application that authorizes user access and is enhanced to consume the user attributes inside the VC to make authorization decisions.
Verifiable credentials can also be used by relying parties that want to grant ac
The decentralized nature of verifiable credentials enables this scenario without establishing federation relationships.
-![Access outside of the trust boundary](media/plan-verification-solution/plan-verification-solution-outside-trust-boundary-access.png)
+![Diagram of the components of a verification solution showing that access is taking place from outside of the trust boundary.](media/plan-verification-solution/plan-verification-solution-outside-trust-boundary-access.png)
#### Other elements
-**Relying party web frontend**: This is the web frontend of the application that is enhanced through Azure AD Verifiable Credential API calls for VC presentation and validation, based on your business requirements.
+**Relying party web frontend**: This is the web frontend of the application that is enhanced through Request Service API calls for VC presentation and validation, based on your business requirements.
**User access authorization logic**: Logic layer in the application that authorizes user access and is enhanced to consume the user attributes inside the VC to make authorization decisions.
Verifiable credentials can be used as an approach to account recovery. For examp
Note: While the scenario we describe in this section is specific to recover Azure AD accounts, this approach can also be used to recover accounts in other systems.
-![Account recovery solution](media/plan-verification-solution/plan-verification-solution-account-recovery.png)
+![Diagram of the components of a verification solution showing the account recovery scenario.](media/plan-verification-solution/plan-verification-solution-account-recovery.png)
#### Other Elements
You can use information in presented VCs to build a user profile. If you want to
* Consider using the ΓÇ£subΓÇ¥ claim as an immutable identifier of the user. This is an opaque unique attribute that will be constant for a given subject/RP pair.
- * Define a mechanism to deprovision the user profile from the application. Due to the decentralized nature of the Azure AD Verifiable Credentials system, there is no application user provisioning lifecycle.
+ * Define a mechanism to deprovision the user profile from the application. Due to the decentralized nature of the Microsoft Entra Verified ID system, there is no application user provisioning lifecycle.
* Do not store personal data claims returned in the VC token.
You can use information in presented VCs to build a user profile. If you want to
## Plan for performance
-As with any solution, you must plan for performance. Focus areas include latency, throughput, and scalability. During initial phases of a release cycle, performance should not be a concern. However, when adoption of your solution results in many verifiable credentials being verified, performance planning might become a critical part of your solution.
+As with any solution, you must plan for performance. Focus areas include latency, throughput, and scalability. During initial phases of a release cycle, performance shouldn't be a concern. However, when adoption of your solution results in many verifiable credentials being verified, performance planning might become a critical part of your solution.
The following provides areas to consider when planning for performance:
-* The Azure AD Verifiable Credentials issuance service is deployed in West Europe, North Europe, West US 2, and West Central US Azure regions. To limit latency, deploy your verification front end (website) and key vault in the region listed above that is closest to where requests are expected to originate from.
+* The Microsoft Entra Verified ID issuance service is deployed in West Europe, North Europe, West US 2, and West Central US Azure regions. To limit latency, deploy your verification front end (website) and key vault in the region listed above that is closest to where requests are expected to originate from.
* Model based on throughput:
The following provides areas to consider when planning for performance:
To best plan for high availability and disaster recovery, we suggest the following:
-* Azure AD Verifiable Credentials service is deployed in the West Europe, North Europe, West US 2, and West Central US Azure regions. Consider deploying your supporting web servers and supporting applications in one of those regions, specifically in the ones from which you expect most of your validation traffic to originate.
+* Microsoft Entra Verified ID service is deployed in the West Europe, North Europe, West US 2, and West Central US Azure regions. Consider deploying your supporting web servers and supporting applications in one of those regions, specifically in the ones from which you expect most of your validation traffic to originate.
* Review and incorporate best practices from [Azure Key Vault availability and redundancy](../../key-vault/general/disaster-recovery-guidance.md) as you design for your availability and redundancy goals.
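Review bot: the renamed bullet drops the article: "Microsoft Entra Verified ID service is deployed in ..." reads as a fragment next to the performance bullet above, which keeps "The Microsoft Entra Verified ID issuance service is deployed ...". Suggest "The Microsoft Entra Verified ID service is deployed ...".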
As you are designing for security, consider the following:
* Define a dedicated service principal for a website accessing the Key Vault.
-* Only the Azure AD Verifiable Credentials service and the website service principals should have permissions to use Key Vault to sign messages with the private key.
+* Only the Microsoft Entra Verified ID service and the website service principals should have permissions to use Key Vault to sign messages with the private key.
* Don't assign any human identity administrative permissions to the Key Vault. For more information on Key Vault best practices, see [Azure Security Baseline for Key Vault](../../key-vault/general/security-baseline.md).
As part of your operational planning, consider monitoring the following:
Learn more about architecting VC solutions
- * [Azure AD Verifiable Credentials overview](introduction-to-verifiable-credentials-architecture.md)
+ * [Microsoft Entra Verified ID overview](introduction-to-verifiable-credentials-architecture.md)
- * [Plan your Azure AD Verifiable Credentials issuance solution](plan-issuance-solution.md)
+ * [Plan your Microsoft Entra Verified ID issuance solution](plan-issuance-solution.md)
Implement Verifiable Credentials
- * [Introduction to Azure Active Directory Verifiable Credentials](decentralized-identifier-overview.md)
+ * [Introduction to Microsoft Entra Verified ID](decentralized-identifier-overview.md)
* [Get started with Verifiable Credentials](get-started-verifiable-credentials.md)
-[FAQs](verifiable-credentials-faq.md)
+[FAQs](verifiable-credentials-faq.md)
active-directory Presentation Request Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/presentation-request-api.md
Title: Specify the Request Service REST API verify request (preview)+ description: Learn how to start a presentation request in Verifiable Credentials documentationCenter: ''
Previously updated : 06/02/2022 Last updated : 07/28/2022
-#Customer intent: As an administrator, I am trying to learn the process of revoking verifiable credentials that I have issued.
+#Customer intent: As an administrator, I am trying to learn how to use the Request Service API and integrate it into my business application.
# Request Service REST API presentation specification (preview) [!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)]
-Azure Active Directory (Azure AD) Verifiable Credentials includes the Request Service REST API. This API allows you to issue and verify a credential. This article specifies the Request Service REST API for a presentation request. The presentation request asks the user to present a verifiable credential, and then verify the credential.
+Microsoft Entra Verified ID includes the Request Service REST API. This API allows you to issue and verify a credential. This article specifies the Request Service REST API for a presentation request. The presentation request asks the user to present a verifiable credential, and then verify the credential.
+Another article describes [how to call the Request Service REST API](get-started-request-api.md).
## HTTP request
The Request Service REST API presentation request requires the following HTTP he
|`Authorization`| Attach the access token as a bearer token to the authorization header in an HTTP request. For example, `Authorization: Bearer <token>`.| |`Content-Type`| `Application/json`|
-Construct an HTTP POST request to the Request Service REST API. Replace the `{tenantID}` with your tenant ID or tenant name.
+Construct an HTTP POST request to the Request Service REST API. The `tenantId` isn't needed in the URL anymore since it is present as a claim in the `access_token`.
```http
-https://beta.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request
+https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createPresentationRequest
``` The following HTTP request demonstrates a presentation request to the Request Service REST API: ```http
-POST https://beta.did.msidentity.com/v1.0/contoso.onmicrosoft.com/verifiablecredentials/request
+POST https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createPresentationRequest
Content-Type: application/json Authorization: Bearer <token>
The presentation request payload contains information about your verifiable cred
```json { "includeQRCode": true,
+ "includeReceipt": true,
+ "authority": "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OABCO6uUKyF5zM7fQZ8Jg:eyJ...<SNIP>...",
+ "registration": {
+ "clientName": "Veritable Credential Expert Verifier"
+ },
"callback": { "url": "https://www.contoso.com/api/verifier/presentationCallback", "state": "92d076dd-450a-4247-aa5b-d2e75a1a5d58", "headers": {
- "api-key": "OPTIONAL API-KEY for VERIFIER CALLBACK API"
+ "api-key": "OPTIONAL API-KEY for CALLBACK EVENTS"
} },
- "authority": "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OkIjO6uUKyF5zM7fQZ8Jg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfOTAyZmM2NmUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiTEdUOWk3aFYzN1dUcFhHcUg5c1VDekxTVlFWcVl3S2JNY1Fsc0RILUZJUSIsInkiOiJiRWo5MDY...",
- "registration": {
- "clientName": "Veritable Credential Expert Verifier"
- },
- "presentation": {
- "includeReceipt": true,
- "requestedCredentials": [
- {
- "type": "VerifiedCredentialExpert",
- "purpose": "So we can see that you a veritable credentials expert",
- "acceptedIssuers": [
- "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OkIjO6uUKyF5zM7fQZ8Jg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfOTAyZmM2NmUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiTEdUOWk3aFYzN1dUcFhHcUg5c1VDekxTVlFWcVl3S2JNY1Fsc0RILUZJUSIsInkiO..."
- ]
+ "requestedCredentials": [
+ {
+ "type": "VerifiedCredentialExpert",
+ "purpose": "So we can see that you a veritable credentials expert",
+ "acceptedIssuers": [
+ "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OABCO6uUKyF5zM7fQZ8Jg:eyJ...<SNIP>..."
+ ],
+ "configuration": {
+ "validation": {
+ "allowRevoked": false,
+ "validateLinkedDomain": false
+ }
}
- ]
- }
+ }
+ ]
} ```
The payload contains the following properties.
|Parameter |Type | Description | ||||
-| `includeQRCode` | Boolean | Determines whether a QR code is included in the response of this request. Present the QR code and ask the user to scan it. Scanning the QR code launches the authenticator app with this presentation request. Possible values are `true` (default) or `false`. When you set the value to `false`, use the return `url` property to render a deep link. |
+| `includeQRCode` | Boolean | Determines whether a QR code is included in the response of this request. Present the QR code and ask the user to scan it. Scanning the QR code launches the authenticator app with this presentation request. Possible values are `true` (default) or `false`. When you set the value to `false`, use the return `url` property to render a deep link. |
+| `includeReceipt` | Boolean | Determines whether a receipt should be included in the response of this request. Possible values are `true` or `false` (default). The receipt contains the original payload sent from the authenticator to the Verifiable Credentials service. The receipt is useful for troubleshooting or if you have the need to ge the full details of the payload. There's otherwise no need be set this value to `true `by default. In the `OpenId Connect SIOP` request, the receipt contains the ID token from the original request. |
| `authority` | string| Your decentralized identifier (DID) of your verifier Azure AD tenant. For more information, see [Gather tenant details to set up your sample application](verifiable-credentials-configure-verifier.md#gather-tenant-details-to-set-up-your-sample-application).| | `registration` | [RequestRegistration](#requestregistration-type)| Provides information about the verifier. |
-| `presentation` | [RequestPresentation](#requestpresentation-type)| Provides information about the verifiable credentials presentation request. |
|`callback`| [Callback](#callback-type)| Mandatory. Allows the developer to update the UI during the verifiable credential presentation process. When the user completes the process, continue the process after the results are returned to the application.|
+| `requestedCredentials` | collection| A collection of [RequestCredential](#requestcredential-type) objects.|
+ ### RequestRegistration type
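Review bot: the sample payload sets `"validateLinkedDomain": false`, but the `Configuration.Validation` table added in the same change says the default is `true` and that `false` means accepting credentials from an unverified linked domain; a reference example that readers copy should show the safe setting, so either drop the `configuration` block from the sample or set `"validateLinkedDomain": true` (keeping `"allowRevoked": false`). Smaller points in the same region: the `purpose` string "So we can see that you a veritable credentials expert" is missing "are" and should read "verifiable"; the new `includeReceipt` row has "ge the full details" (get) and "no need be set this value to `true `by default" (stray space inside the backticks; suggest "there's otherwise no need to set this value to `true`"); and the `includeQRCode` row is removed and re-added with identical text, which looks like a whitespace-only change that could be dropped from the diff.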
The following screenshot shows the `clientName` property and the display name of
![Screenshot that shows how to approve the presentation request.](media/presentation-request-api/approve-presentation-request.jpg)
-### RequestPresentation type
+### Callback type
-The `RequestPresentation` type provides information required for verifiable credential presentation. `RequestPresentation` contains the following properties:
+The Request Service REST API generates several events to the callback endpoint. Those events allow you to update the UI and continue the process after the results are returned to the application. The `Callback` type contains the following properties:
|Property |Type |Description | ||||
-| `includeReceipt` | Boolean | Determines whether a receipt should be included in the response of this request. Possible values are `true` or `false` (default). The receipt contains the original payload sent from the authenticator to the Verifiable Credentials service. The receipt is useful for troubleshooting, and shouldn't be set by default. In the `OpenId Connect SIOP` request, the receipt contains the ID token from the original request. |
-| `requestedCredentials` | collection| A collection of [RequestCredential](#requestcredential-type) objects.|
+| `url` | string| URI to the callback endpoint of your application. The URI must point to a reachable endpoint on the internet otherwise the service will throw a callback URL unreadable error. Accepted inputs IPv4, IPv6 or DNS resolvable hostname. |
+| `state` | string| Correlates the callback event with the state passed in the original payload. |
+| `headers` | string| Optional. You can include a collection of HTTP headers required by the receiving end of the POST message. The current supported header values are the `api-key` or the `Authorization` headers. Any other header will throw an invalid callback header error.|
### RequestCredential type
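Review bot: the `headers` row moved into the `Callback` table still types the property as `string`, while the sample payload above passes `"headers": { "api-key": ... }`, an object keyed by header name; suggest typing it as an object and saying the keys are the header names. Since `headers` is optional, the `url` row should also state that without it the callback endpoint receives unauthenticated POSTs from the service, so the handler must at least match `state` against a request it actually issued before acting on the event.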
The `RequestCredential` provides information about the requested credentials the
| `type`| string| The verifiable credential type. The `type` must match the type as defined in the `issuer` verifiable credential manifest (for example, `VerifiedCredentialExpert`). To get the issuer manifest, see [Gather credentials and environment details to set up your sample application](verifiable-credentials-configure-issuer.md). Copy the **Issue credential URL**, open it in a web browser, and check the **id** property. | | `purpose`| string | Provide information about the purpose of requesting this verifiable credential. | | `acceptedIssuers`| string collection | A collection of issuers' DIDs that could issue the type of verifiable credential that subjects can present. To get your issuer DID, see [Gather credentials and environment details to set up your sample application](verifiable-credentials-configure-issuer.md), and copy the value of the **Decentralized identifier (DID)**. |
+| `configuration.validation` | [Configuration.Validation](#configurationvalidation-type) | Optional settings for presentation validation.|
-### Callback type
+### Configuration.Validation type
-The Request Service REST API generates several events to the callback endpoint. Those events allow you to update the UI and continue the process after the results are returned to the application. The `Callback` type contains the following properties:
+The `Configuration.Validation` provides information about the presented credentials should be validated. It contains the following properties:
|Property |Type |Description | ||||
-| `url` | string| URI to the callback endpoint of your application. The URI must point to a reachable endpoint on the internet otherwise the service will throw a callback URL unreadable error. Accepted inputs IPv4, IPv6 or DNS resolvable hostname. |
-| `state` | string| Associates with the state passed in the original payload. |
-| `headers` | string| Optional. You can include a collection of HTTP headers required by the receiving end of the POST message. The current supported header values are the `api-key` or the `Authorization` headers. Any other header will throw an invalid callback header error.|
+| `allowRevoked` | Boolean | Determines if a revoked credential should be accepted. Default is `false` (it shouldn't be accepted). |
+| `validateLinkedDomain` | Boolean | Determines if the linked domain should be validated. Default is `true` (it should be validated). Setting this flag to `false` means you'll accept credentials from unverified linked domain. Setting this flag to `true` means the linked domain will be validated and only verified domains will be accepted. |
## Successful response
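Review bot: the intro sentence "provides information about the presented credentials should be validated" is missing a word; suggest "about how the presented credentials should be validated". In the `validateLinkedDomain` row, "from unverified linked domain" should be "from an unverified linked domain", and because the default is `true` it would help to say plainly that turning it off means the issuer's linked domain is not verified at all, so the flag should stay `true` outside of testing.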
If successful, this method returns a response code (*HTTP 201 Created*), and a c
```json { "requestId": "e4ef27ca-eb8c-4b63-823b-3b95140eac11",
- "url": "openid://vc/?request_uri=https://beta.did.msidentity.com/v1.0/87654321-0000-0000-0000-000000000000/verifiablecredentials/request/e4ef27ca-eb8c-4b63-823b-3b95140eac11",
+ "url": "openid://vc/?request_uri=https://verifiedid.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredentials/request/e4ef27ca-eb8c-4b63-823b-3b95140eac11",
"expiry": 1633017751, "qrCode":ΓÇ»"data:image/png;base64,iVBORw0KGgoA<SNIP>" }
The response contains the following properties:
|Property |Type |Description | ||||
-| `requestId`| string | An autogenerated correlation ID. The [callback](#callback-events) uses the same request, allowing you to keep track of the presentation request and its callbacks. |
+| `requestId`| string | An autogenerated request ID. The [callback](#callback-events) uses the same request, allowing you to keep track of the presentation request and its callbacks. |
| `url`| string| A URL that launches the authenticator app and starts the presentation process. You can present this URL to the user if they can't scan the QR code. | | `expiry`| integer| Indicates when the response will expire. | | `qrCode`| string | A QR code that the user can scan to start the presentation flow. |
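Review bot: the reworded `requestId` row still says "The callback uses the same request", which is incomplete; suggest "The callback events carry the same `requestId`, allowing you to correlate the presentation request with its callbacks". Also, the new `url` value still contains a tenant GUID path segment (`/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredentials/request/...`) even though the request endpoint above dropped the tenant from its URL; if that is intentional because the `request_uri` is served per tenant, one sentence saying the service fills in the tenant would remove the apparent contradiction.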
When your app receives the response, the app needs to present the QR code to the
## Error response
-Error responses also can be returned so that the app can handle them appropriately. The following JSON shows an unauthorized error message:
--
-```json
-{
- "requestId": "fb888ac646c96083de83b099b2678de0",
- "date": "Wed, 29 Sep 2021 21:49:00 GMT",
- "error": {
- "code": "unauthorized",
- "message": "Failed to authenticate the request."
- }
-}
-```
-
-The response contains the following properties:
-
-|Property |Type |Description |
-||||
-| `requestId`| string | An autogenerated request ID.|
-| `date`| date | The time of the error. |
-| `error.code` | string | The return error code. |
-| `error.message`| string | The error message. |
+If there's an error with the request, an [error responses](error-codes.md) is returned, and should be handled appropriately by the app.
## Callback events
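Review bot: the replacement sentence has an agreement error: "an [error responses](error-codes.md) is returned" should be "an [error response](error-codes.md) is returned". Because the inline example and the property table (`requestId`, `date`, `error.code`, `error.message`) are removed here, confirm that error-codes.md documents that body shape; otherwise readers lose the only description of what an error body looks like.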
The callback endpoint is called when a user scans the QR code, uses the deep lin
| `state` |string| Returns the state value that you passed in the original payload. | | `subject`|string | The verifiable credential user DID.| | `issuers`| array |Returns an array of verifiable credentials requested. For each verifiable credential, it provides: </li><li>The verifiable credential type(s).</li><li>The issuer's DID</li><li>The claims retrieved.</li><li>The verifiable credential issuer's domain. </li><li>The verifiable credential issuer's domain validation status. </li></ul> |
-| `receipt`| string | Optional. The receipt contains the original payload sent from the wallet to the Verifiable Credentials service. The receipt should be used for troubleshooting/debugging only. The format in the receipt is not fix and can change based on the wallet and version used.|
+| `receipt`| string | Optional. The receipt contains the original payload sent from the wallet to the Verifiable Credentials service. The receipt should be used for troubleshooting/debugging only. The format in the receipt isn't fix and can change based on the wallet and version used.|
The following example demonstrates a callback payload when the authenticator app starts the presentation request: ```json {
-    "requestId":"aef2133ba45886ce2c38974339ba1057",
+    "requestId": "e4ef27ca-eb8c-4b63-823b-3b95140eac11",
    "code":"request_retrieved",
-    "state":"Wy0ThUz1gSasAjS1"
+    "state": "92d076dd-450a-4247-aa5b-d2e75a1a5d58"
} ```
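Review bot: "The format in the receipt isn't fix" should be "isn't fixed". Reusing the same `requestId` and `state` in the callback sample as in the successful-response sample above is a good change; in the same block the unchanged `"code":"request_retrieved"` line has no space after the colon while the new `"requestId": "..."` and `"state": "..."` lines do, so align the spacing.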
The following example demonstrates a callback payload after the verifiable crede
```json {
- "requestId": "87e1cb24-9096-409f-81cb-9e645f23a4ba",
+ "requestId": "e4ef27ca-eb8c-4b63-823b-3b95140eac11",
"code": "presentation_verified",
- "state": "f3d94e35-ca5f-4b1b-a7d7-a88caa05e322",
+ "state": "92d076dd-450a-4247-aa5b-d2e75a1a5d58",
"subject": "did:ion:EiAlrenrtD3Lsw0GlbzS1O2YFdy3Xtu8yo35W<SNIP>…", "issuers": [ {
The following example demonstrates a callback payload after the verifiable crede
"VerifiedCredentialExpert" ], "claims": {
- "firstName": "John",
- "lastName": "Doe"
+ "firstName": "Megan",
+ "lastName": "Bowen"
}, "domain": "https://contoso.com/", "verified": "DNS",
- "issuer": "did:ion:….."
+ "authority": "did:ion:….."
} ], "receipt": {
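Review bot: renaming the `issuer` key to `authority` in the `presentation_verified` payload changes the wire format for every existing callback handler that reads `issuers[].issuer`, but nothing in the change calls this out; add a note on the breaking change and name the property in the `issuers` table row above, which currently says only "The issuer's DID" without the key a handler should read.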
active-directory Vc Network Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/vc-network-api.md
+
+ Title: Entra Verified ID Network API
+
+description: Learn how to use the Entra Verified ID Network API
+documentationCenter: ''
+++++ Last updated : 07/29/2022++
+#Customer intent: As a verifiable credentials developer, I want to configure verifying credentials from another party
++
+# Entra Verified ID network API
++
+The Microsoft Entra Verified ID Network API enables you to search for published credentials in the [Entra Verified ID Network](how-use-vcnetwork.md).
+
+>[!NOTE]
+>The API is intended for developers comfortable with RESTful APIs.
+
+## Base URL
+
+The Entra Verified Network API is served over HTTPS. All URLs referenced in the documentation have the following base: `https://verifiedid.did.msidentity.com`.
+
+## Authentication
+
+The API is protected through Azure Active Directory and uses OAuth2 bearer tokens. The app registration needs to have the API Permission for `Verifiable Credentials Service Admin` and then when acquiring the access token the app should use scope `6a8b4b39-c021-437c-b060-5a14a3fd65f3/full_access`.
+
+## Searching for issuers
+
+This API is used to search for issuers available in the Entra Verified ID Network. You can search for issuers by their **linked domain** name. The value supplied for the `filter` parameter will be used to find issuers that have onboarded to Entra Verified ID and have a verified linked domain. Currently you can only filter by `linkeddomainurls` and with operator `like`. There will be a maximum of 15 issuers in the response.
+
+#### HTTP request
+
+`GET /v1.0/verifiableCredentialsNetwork/authorities?filter=linkeddomainurls%20like%20Woodgrove`
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request parameters
+
+| Parameter | value |
+| -- | -- |
+| filter | linkeddomainurls like Woodgrove |
++
+#### Return message
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+[
+ {
+ "id": "0459a193-1111-2222-3333-444455556666",
+ "tenantId": "55eafede-1111-2222-3333-444455556666",
+ "did": "did:web:bank.woodgrove.com...<SNIP>...",
+ "name": "WoodgroveBank",
+ "linkedDomainUrls": [
+ "https://bank.woodgrove.com/"
+ ]
+ },
+ {
+ "id": "6e0e41cb-1111-2222-3333-444455556666",
+ "tenantId": "7f448f57-1111-2222-3333-444455556666",
+ "did": "did:web:woodgrove.com...<SNIP>...",
+ "name": "Woodgrove",
+ "linkedDomainUrls": [
+ "https://woodgrove.com/"
+ ]
+ }
+]
+```
+
+## Searching for published credential types by an issuer
+
+This API is used search for published credential types for a specific issuer. You need to know the issuers `tenantId` and `issuerId`. The return message is a collection of published credential types and their respective claims. There will be a maximum of 100 credential types in the response.
+
+#### HTTP request
+
+`GET /v1.0/tenants/:tenantId/verifiableCredentialsNetwork/authorities/:issuerId/contracts/`
+
+#### Request headers
+
+| Header | Value |
+| -- | -- |
+| Authorization | Bearer (token). Required |
+| Content-Type | application/json |
+
+#### Request parameters
+
+| Parameter | value |
+| -- | -- |
+| tenantId | TenantId obtained from the search by linked domain name |
+| issuerId | IssuerId obtained from the search by linked domain name |
++
+#### Return message
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+[
+ {
+ "name": "Verified employee 1",
+ "types": [
+ "VerifiedEmployee"
+ ],
+ "claims": [
+ "displayName",
+ "givenName",
+ "jobTitle",
+ "preferredLanguage",
+ "surname",
+ "mail",
+ "revocationId",
+ "photo"
+ ]
+ }
+]
+```
+
+## Next steps
+
+Learn more about [Entra Verified ID Network](how-use-vcnetwork.md).
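Review bot: the second endpoint's parameter table says `issuerId` is "obtained from the search by linked domain name", but the search response returns that value as `id`, not `issuerId`; state that `id` from the first response is the `:issuerId` path segment. Other points in the new file: the front matter line "+++++ Last updated : 07/29/2022++" looks mangled and will not parse; "The Entra Verified Network API is served over HTTPS" is missing "ID"; "This API is used search for published credential types" is missing "to" and "the issuers `tenantId`" should be "the issuer's `tenantId`"; the `:tenantId`/`:issuerId` placeholder style differs from the curly-brace style (`{tenantID}`) used in the presentation-request article; the two response fences carry no language tag while the rest of the docset uses `http`/`json`; and the Authentication section should say that `full_access` under the `Verifiable Credentials Service Admin` permission is an administrative grant, so the app registration used for network search should be a dedicated one rather than shared with the relying-party app.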
active-directory Verifiable Credentials Configure Issuer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-configure-issuer.md
Title: Tutorial - Issue Azure AD Verifiable Credentials from an application (preview)
+ Title: Tutorial - Issue Microsoft Entra Verified ID credentials from an application (preview)
description: In this tutorial, you learn how to issue verifiable credentials by using a sample app.
Last updated 06/16/2022
-# Issue Azure AD Verifiable Credentials from an application (preview)
+# Issue Microsoft Entra Verified ID credentials from an application (preview)
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)]
In this article, you learn how to:
> - Run the sample application and issue your first verified credential expert card. > - Verify your verified credential expert card.
-The following diagram illustrates the Azure AD Verifiable Credentials architecture and the component you configure.
+The following diagram illustrates the Microsoft Entra Verified ID architecture and the component you configure.
![Diagram that illustrates the Azure A D Verifiable Credentials architecture.](media/verifiable-credentials-configure-issuer/verifiable-credentials-architecture.png) ## Prerequisites -- [Set up a tenant for Azure AD Verifiable Credentials](./verifiable-credentials-configure-tenant.md).
+- [Set up a tenant for Microsoft Entra Verified ID](./verifiable-credentials-configure-tenant.md).
- To clone the repository that hosts the sample app, install [GIT](https://git-scm.com/downloads). - [Visual Studio Code](https://code.visualstudio.com/Download), or similar code editor. - [.NET 5.0](https://dotnet.microsoft.com/download/dotnet/5.0).
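Review bot: the title, heading and intro sentence are renamed to Microsoft Entra Verified ID, but the architecture image alt text on the same line as the Prerequisites heading still reads "Diagram that illustrates the Azure A D Verifiable Credentials architecture"; the configure-tenant change in this same commit updates the equivalent alt text, so do the same here.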
The following diagram illustrates the Azure AD Verifiable Credentials architectu
## Create the verified credential expert card in Azure
-In this step, you create the verified credential expert card by using Azure AD Verifiable Credentials. After you create the credential, your Azure AD tenant can issue it to users who initiate the process.
+In this step, you create the verified credential expert card by using Microsoft Entra Verified ID. After you create the credential, your Azure AD tenant can issue it to users who initiate the process.
1. Using the [Azure portal](https://portal.azure.com/), search for *verifiable credentials*. Then select **Verifiable Credentials (Preview)**. 1. After you [set up your tenant](verifiable-credentials-configure-tenant.md), the **Create credential** should appear. Alternatively, you can select **Credentials** in the left hand menu and select **+ Add a credential**.
In this step, you create the verified credential expert card by using Azure AD V
], "required": false }
- ]
- },
- "validityInterval": 2592000,
- "vc": {
- "type": [
- "VerifiedCredentialExpert"
- ]
+ ],
+ "validityInterval": 2592000,
+ "vc": {
+ "type": [
+ "VerifiedCredentialExpert"
+ ]
+ }
} } ```
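Review bot: the re-indented manifest moves `validityInterval` and `vc` one nesting level deeper: before, they were siblings of the object closed by `},` after the attestation array; after, they sit inside that object next to the array closed by `],`. If this corrects a previously invalid sample, say so in the commit message; if the definition format expects them at the outer level, the sample is now wrong. Either way the fenced block should be validated as JSON before merging.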
Now you'll make modifications to the sample app's issuer code to update it with
1. Under the *active-directory-verifiable-credentials-dotnet-main* folder, open Visual Studio Code, and select the project inside the *1-asp-net-core-api-idtokenhint* folder.
-1. Under the project root folder, open the *appsettings.json* file. This file contains information about your Azure AD Verifiable Credentials. Update the following properties with the information that you recorded in earlier steps:
+1. Under the project root folder, open the *appsettings.json* file. This file contains information about your Microsoft Entra Verified ID environment. Update the following properties with the information that you recorded in earlier steps:
1. **Tenant ID:** your tenant ID 1. **Client ID:** your client ID
The following JSON demonstrates a complete *appsettings.json* file:
```json { "AppSettings": {
- "Endpoint": "https://beta.did.msidentity.com/v1.0/{0}/verifiablecredentials/request",
+ "Endpoint": "https://verifiedid.did.msidentity.com/v1.0",
"VCServiceScope": "3db474b9-6a0c-4840-96ac-1fceb342124f/.default", "Instance": "https://login.microsoftonline.com/{0}", "TenantId": "12345678-0000-0000-0000-000000000000",
The following JSON demonstrates a complete *appsettings.json* file:
"CertificateName": "[Or instead of client secret: Enter here the name of a certificate (from the user cert store) as registered with your application]", "IssuerAuthority": "did:web:example.com...", "VerifierAuthority": "did:web:example.com...",
- "CredentialManifest": "https://beta.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert"
+ "CredentialManifest": "https://verifiedid.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert"
} } ```
Now you're ready to issue your first verified credential expert card by running
1. From Visual Studio Code, run the *Verifiable_credentials_DotNet* project. Or, from your operating system's command line, run: ```
- cd active-directory-verifiable-credentials-dotnet/1-asp-net-core-api-idtokenhint dotnet build "AspNetCoreVerifiableCredentials.csproj" -c Debug -o .\\bin\\Debug\\netcoreapp3. dotnet run
+ cd active-directory-verifiable-credentials-dotnet/1-asp-net-core-api-idtokenhint
+ dotnet build "AspNetCoreVerifiableCredentials.csproj" -c Debug -o .\\bin\\Debug\\netcoreapp3.
+ dotnet run
``` 1. In another command prompt window, run the following command. This command runs [ngrok](https://ngrok.com/) to set up a URL on 5000, and make it publicly available on the internet.
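Review bot: the split build command keeps the output path `.\\bin\\Debug\\netcoreapp3.`, which is cut off, and the doubled backslashes are not needed in a plain command block; the prerequisites above require .NET 5.0, so confirm the target framework folder and fix the truncated path. The fence around the commands also has no language tag; `bash` or `cmd` would render it consistently with the `http`/`json` fences used elsewhere in this docset.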
public async Task<ActionResult> issuanceRequest()
## Next steps In the [next step](verifiable-credentials-configure-verifier.md), learn how a third-party application, also known as a relying party application, can verify your credentials with its own Azure AD tenant verifiable credentials API service.-
active-directory Verifiable Credentials Configure Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant.md
Title: Tutorial - Configure your tenant for Azure AD Verifiable Credentials (preview)
+ Title: Tutorial - Configure your tenant for Microsoft Entra Verified ID (preview)
description: In this tutorial, you learn how to configure your tenant to support the Verifiable Credentials service.
Last updated 06/27/2022
-# Configure your tenant for Azure AD Verifiable Credentials (preview)
+# Configure your tenant for Microsoft Entra Verified ID (preview)
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)]
-Azure Active Directory (Azure AD) Verifiable Credentials safeguards your organization with an identity solution that's seamless and decentralized. The service allows you to issue and verify credentials. For issuers, Azure AD provides a service that they can customize and use to issue their own verifiable credentials. For verifiers, the service provides a free REST API that makes it easy to request and accept verifiable credentials in your apps and services.
+Microsoft Entra Verified ID safeguards your organization with an identity solution that's seamless and decentralized. The service allows you to issue and verify credentials. For issuers, Azure AD provides a service that they can customize and use to issue their own verifiable credentials. For verifiers, the service provides a free REST API that makes it easy to request and accept verifiable credentials in your apps and services.
In this tutorial, you learn how to configure your Azure AD tenant so it can use the verifiable credentials service.
Specifically, you learn how to:
> - Set up the Verifiable Credentials service. > - Register an application in Azure AD.
-The following diagram illustrates the Azure AD Verifiable Credentials architecture and the component you configure.
+The following diagram illustrates the Microsoft Entra Verified ID architecture and the component you configure.
-![Diagram that illustrates the Azure AD Verifiable Credentials architecture.](media/verifiable-credentials-configure-tenant/verifiable-credentials-architecture.png)
+![Diagram that illustrates the Microsoft Entra Verified ID architecture.](media/verifiable-credentials-configure-tenant/verifiable-credentials-architecture.png)
## Prerequisites
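Review bot: the rebrand is applied only to the first sentence of the intro paragraph; the second sentence still says "Azure AD provides a service that they can customize", and the `description:` front matter still says "Verifiable Credentials service", so the page now mixes both names. Rename both, or use "Microsoft Entra Verified ID" consistently throughout the hunk.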
The following diagram illustrates the Azure AD Verifiable Credentials architectu
[Azure Key Vault](../../key-vault/general/basic-concepts.md) is a cloud service that enables the secure storage and access of secrets and keys. The Verifiable Credentials service stores public and private keys in Azure Key Vault. These keys are used to sign and verify credentials.
-If you don't have an Azure Key Vault instance available, follow [these steps](../../key-vault/general/quick-create-portal.md) to create a key vault using the Azure portal.
+If you don't have an Azure Key Vault instance available, follow [these steps](/azure/key-vault/general/quick-create-portal) to create a key vault using the Azure portal.
>[!NOTE] >By default, the account that creates a vault is the only one with access. The Verifiable Credentials service needs access to the key vault. You must configure the key vault with an access policy that allows the account used during configuration to create and delete keys. The account used during configuration also requires permission to sign to create the domain binding for Verifiable Credentials. If you use the same account while testing, modify the default policy to grant the account sign permission, in addition to the default permissions granted to vault creators. ### Set access policies for the key vault
-A Key Vault [access policy](../../key-vault/general/assign-access-policy.md) defines whether a specified security principal can perform operations on Key Vault secrets and keys. Set access policies in your key vault for both the Azure AD Verifiable Credentials service administrator account, and for the Request Service API principal that you created.
+A Key Vault [access policy](../../key-vault/general/assign-access-policy.md) defines whether a specified security principal can perform operations on Key Vault secrets and keys. Set access policies in your key vault for both the Microsoft Entra Verified ID service administrator account, and for the Request Service API principal that you created.
After you create your key vault, Verifiable Credentials generates a set of keys used to provide message security. These keys are stored in Key Vault. You use a key set for signing, updating, and recovering verifiable credentials. ### Set access policies for the Verifiable Credentials Admin user
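Review bot: the quick-create link is changed to the absolute `/azure/key-vault/general/quick-create-portal` form while the `assign-access-policy` link two lines later keeps the relative `../../key-vault/general/...md` form; pick one link style for the section. The unchanged note about granting the configuring account create, delete and sign permissions is worth keeping as is, since it names exactly the permission the default vault-creator policy lacks.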
The Verifiable Credentials Service Request is the Request Service API, and it ne
## Set up Verifiable Credentials
-To set up Azure AD Verifiable Credentials, follow these steps:
+To set up Microsoft Entra Verified ID, follow these steps:
1. In the [Azure portal](https://portal.azure.com/), search for *verifiable credentials*. Then, select **Verifiable Credentials (Preview)**.
To set up Azure AD Verifiable Credentials, follow these steps:
## Register an application in Azure AD
-Azure AD Verifiable Credentials Service Request needs to get access tokens to issue and verify. To get access tokens, register a web application and grant API permission for the API Verifiable Credential Request Service that you set up in the previous step.
+Microsoft Entra Verified ID needs to get access tokens to issue and verify. To get access tokens, register a web application and grant API permission for the API Verifiable Credential Request Service that you set up in the previous step.
1. Sign in to the [Azure portal](https://portal.azure.com/) with your administrative account.
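Review bot: replacing "Azure AD Verifiable Credentials Service Request" with "Microsoft Entra Verified ID" changes the subject of the sentence: it is the Request Service principal that needs access tokens, not the product, and the following section still refers to the "Verifiable Credentials Service Request" service principal. Suggest "The Microsoft Entra Verified ID Request Service needs to get access tokens to issue and verify."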
Azure AD Verifiable Credentials Service Request needs to get access tokens to is
### Grant permissions to get access tokens
-In this step, you grant permissions to the Verifiable Credentials Service Request Service principal.
+In this step, you grant permissions to the **Verifiable Credentials Service Request** Service principal.
To add the required permissions, follow these steps:
Once that you have successfully completed the verification steps, you are ready
## Next steps -- [Learn how to issue Azure AD Verifiable Credentials from a web application](verifiable-credentials-configure-issuer.md).-- [Learn how to verify Azure AD Verifiable Credentials](verifiable-credentials-configure-verifier.md).
+- [Learn how to issue Microsoft Entra Verified ID credentials from a web application](verifiable-credentials-configure-issuer.md).
+- [Learn how to verify Microsoft Entra Verified ID credentials](verifiable-credentials-configure-verifier.md).
active-directory Verifiable Credentials Configure Verifier https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-configure-verifier.md
Title: Tutorial - Configure Azure AD Verifiable Credentials verifier (preview)
+ Title: Tutorial - Configure Microsoft Entra Verified ID verifier (preview)
description: In this tutorial, you learn how to configure your tenant to verify credentials.
Last updated 06/16/2022
-# Configure Azure AD Verifiable Credentials verifier (preview)
+# Configure Microsoft Entra Verified ID verifier (preview)
[!INCLUDE [Verifiable Credentials announcement](../../../includes/verifiable-credentials-brand.md)]
-In [Issue Azure AD Verifiable Credentials from an application (preview)](verifiable-credentials-configure-issuer.md), you learn how to issue and verify credentials by using the same Azure Active Directory (Azure AD) tenant. In this tutorial, you go over the steps needed to present and verify your first verifiable credential: a verified credential expert card.
+In [Issue Microsoft Entra Verified ID credentials from an application (preview)](verifiable-credentials-configure-issuer.md), you learn how to issue and verify credentials by using the same Azure Active Directory (Azure AD) tenant. In this tutorial, you go over the steps needed to present and verify your first verifiable credential: a verified credential expert card.
As a verifier, you unlock privileges to subjects that possess verified credential expert cards. In this tutorial, you run a sample application from your local computer that asks you to present a verified credential expert card, and then verifies it.
In this article, you learn how to:
> [!div class="checklist"] > > - Download the sample application code to your local computer
-> - Set up Azure AD Verifiable Credentials on your Azure AD tenant
+> - Set up Microsoft Entra Verified ID on your Azure AD tenant
> - Gather credentials and environment details to set up your sample application, and update the sample application with your verified credential expert card details > - Run the sample application and initiate a verifiable credential issuance process ## Prerequisites -- [Set up a tenant for Azure AD Verifiable Credentials](verifiable-credentials-configure-tenant.md).
+- [Set up a tenant for Microsoft Entra Verified ID](verifiable-credentials-configure-tenant.md).
- If you want to clone the repository that hosts the sample app, install [Git](https://git-scm.com/downloads). - [Visual Studio Code](https://code.visualstudio.com/Download) or similar code editor. - [.NET 5.0](https://dotnet.microsoft.com/download/dotnet/5.0).
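Review bot: the last checklist item still says "initiate a verifiable credential issuance process", but this is the verifier tutorial and the intro says the sample asks you to present a card and verifies it; change it to "presentation and verification process". Keeping "Azure Active Directory (Azure AD) tenant" is correct, since only the service is renamed, not the tenant.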
In this article, you learn how to:
## Gather tenant details to set up your sample application
-Now that you've set up your Azure AD Verifiable Credentials service, you're going to gather some information about your environment and the verifiable credentials you set. You use these pieces of information when you set up your sample application.
+Now that you've set up your Microsoft Entra Verified ID service, you're going to gather some information about your environment and the verifiable credentials you set. You use these pieces of information when you set up your sample application.
1. From **Verifiable credentials (Preview)**, select **Organization settings**. 1. Copy the **Tenant identifier** value, and record it for later.
Now that you've set up your Azure AD Verifiable Credentials service, you're goin
The following screenshot demonstrates how to copy the required values:
-![Screenshot that demonstrates how to copy the required values from Azure AD Verifiable Credentials.](media/verifiable-credentials-configure-verifier/tenant-settings.png)
+![Screenshot that demonstrates how to copy the required values from Microsoft Entra Verified ID.](media/verifiable-credentials-configure-verifier/tenant-settings.png)
## Download the sample code
Now make modifications to the sample app's issuer code to update it with your ve
1. In the *active-directory-verifiable-credentials-dotnet-main* directory, open **Visual Studio Code**. Select the project inside the *1. asp-net-core-api-idtokenhint* directory.
-1. Under the project root folder, open the *appsettings.json* file. This file contains information about your credentials in Azure AD Verifiable Credentials. Update the following properties with the information that you collected during earlier steps.
+1. Under the project root folder, open the *appsettings.json* file. This file contains information about your credentials in Microsoft Entra Verified ID environment. Update the following properties with the information that you collected during earlier steps.
1. **Tenant ID**: Your tenant ID 1. **Client ID**: Your client ID
The following JSON demonstrates a complete *appsettings.json* file:
{ "AppSettings": {
- "Endpoint": "https://beta.did.msidentity.com/v1.0/{0}/verifiablecredentials/request",
- "VCServiceScope": "bbb94529-53a3-4be5-a069-7eaf2712b826/.default",
+ "Endpoint": "https://verifiedid.did.msidentity.com/v1.0",
+ "VCServiceScope": "3db474b9-6a0c-4840-96ac-1fceb342124f/.default",
"Instance": "https://login.microsoftonline.com/{0}", "TenantId": "987654321-0000-0000-0000-000000000000", "ClientId": "555555555-0000-0000-0000-000000000000", "ClientSecret": "123456789012345678901234567890", "VerifierAuthority": "did:ion:EiDJzvzaBMb_EWTWUFEasKzL2nL-BJPhQTzYWjA_rRz3hQ:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfMmNhMzY2YmUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiZDhqYmduRkRGRElzR1ZBTWx5aDR1b2RwOGV4Q2dpV3dWUGhqM0N...",
- "CredentialManifest": " https://beta.did.msidentity.com/v1.0/987654321-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert"
+ "CredentialManifest": " https://verifiedid.did.msidentity.com/v1.0/987654321-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert"
} } ```
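Review bot: the new `CredentialManifest` value keeps the leading space inside the string (`" https://verifiedid...`) that the old line had, which yields an invalid URL when the sample reads the setting; drop the space. The new `Endpoint` also drops the `{0}` tenant placeholder and the `/verifiablecredentials/request` path, so any sample code that formats the tenant ID into it must change in the same commit. Minor: "in Microsoft Entra Verified ID environment" needs "the".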
Now you are ready to present and verify your first verified credential expert ca
1. From Visual Studio Code, run the *Verifiable_credentials_DotNet* project. Or from the command shell, run the following commands: ```bash
- cd active-directory-verifiable-credentials-dotnet/1. asp-net-core-api-idtokenhint dotnet build "asp-net-core-api-idtokenhint.csproj" -c Debug -o .\bin\Debug\netcoreapp3.1
+ cd active-directory-verifiable-credentials-dotnet/1. asp-net-core-api-idtokenhint
+ dotnet build "asp-net-core-api-idtokenhint.csproj" -c Debug -o .\bin\Debug\netcoreapp3.1
dotnet run ```
-1. In another terminal, run the following command. This command runs the [ngrok](https://ngrok.com/) to set up a URL on 3000 and make it publicly available on the internet.
+1. In another terminal, run the following command. This command runs the [ngrok](https://ngrok.com/) to set up a URL on 5000 and make it publicly available on the internet.
```bash
- ngrok http 3000
+ ngrok http 5000
``` >[!NOTE]
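Review bot: `cd active-directory-verifiable-credentials-dotnet/1. asp-net-core-api-idtokenhint` contains an unquoted space, so bash reports "too many arguments"; quote the path, and note that the issuer tutorial uses `1-asp-net-core-api-idtokenhint` and `AspNetCoreVerifiableCredentials.csproj`, so one of the two tutorials names the directory or project wrongly. The Windows-style `.\bin\Debug\netcoreapp3.1` path in a `bash` block and the .NET 5.0 prerequisite above also disagree with each other. The port change to 5000 matches the issuer tutorial.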
Now you are ready to present and verify your first verified credential expert ca
## Next steps
-Learn [how to customize your verifiable credentials](credential-design.md).
+Learn [how to customize your verifiable credentials](credential-design.md).
active-directory Verifiable Credentials Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-faq.md
Resetting requires that you opt out and opt back into the Azure Active Directory
1. In the [Azure portal](https://portal.azure.com), go to Azure Active Directory for the subscription you use for your Azure Active Directory Verifiable credentials deployment. 1. Under Manage, select Properties :::image type="content" source="media/verifiable-credentials-faq/region.png" alt-text="settings delete and opt out":::
-1. See the value for Country or Region. If the value is a country or a region in Europe, your Azure AD Verifiable Credentials service will be set up in Europe.
+1. See the value for Country or Region. If the value is a country or a region in Europe, your Microsoft Entra Verified ID service will be set up in Europe.
### How can I check if my tenant has the new Hub endpoint?
Resetting requires that you opt out and opt back into the Azure Active Directory
"type": "IdentityHub", "serviceEndpoint": { "instances": [
- "https://beta.hub.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000"
+ "https://verifiedid.hub.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000"
], "origins": [] }
No, at this point it isn't possible to keep your tenant's DID after you have opt
## Next steps -- [How to customize your Azure Active Directory Verifiable Credentials](credential-design.md)
+- [How to customize your Azure Active Directory Verifiable Credentials](credential-design.md)
active-directory Verifiable Credentials Standards https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-standards.md
Today, we have a working JWT verifiable credentials presentation profile that su
## Next steps -- [Get started with verifiable credentials](verifiable-credentials-configure-tenant.md)
+- [Get started with verifiable credentials](verifiable-credentials-configure-tenant.md)
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/whats-new.md
Previously updated : 06/27/2022 Last updated : 07/28/2022
This article lists the latest features, improvements, and changes in the Microsoft Entra Verified ID service.
+## July 2022
+
+- The Request Service APIs have a **new hostname** `verifiedid.did.msidentity.com`. The `beta.did.msidentity` and the `beta.eu.did.msidentity` will continue to work, but you should change your application and configuration. Also, you no longer need to specify `.eu.` for an EU tenant.
+- Request Service API have **new endpoints** and **updated JSON payloads**. For issuance, see [Issuance API specification](issuance-request-api.md#issuance-request-payload) and for presentation, see [Presentation API specification](presentation-request-api.md#presentation-request-payload). The old endpoints and JSON payloads will continue to work, but you should change your applications to use the new endpoints and payloads.
+- Request Service API **[Error codes](error-codes.md)** have been **updated**
+- The **[Admin API](admin-api.md)** is made **public** and is documented. The Azure portal is using the Admin API and with this REST API you can automate the onboarding or your tenant and creation of credential contracts.
+- Find issuers and credentials to verify via the [The Microsoft Entra Verified ID Network](how-use-vcnetwork.md).
+- For migrating your Azure Storage based credentials to become Managed Credentials there is a PowerShell script in the [github samples repo](https://github.com/Azure-Samples/active-directory-verifiable-credentials/tree/contractmigration/scripts/contractmigration) for the task.
+
+- We also made the following updates to our Plan and design docs:
+ - (updated) [architecture planning overview](introduction-to-verifiable-credentials-architecture.md).
+ - (updated) [Plan your issuance solution](plan-issuance-solution.md).
+ - (updated) [Plan your verification solution](plan-verification-solution.md).
+ ## June 2022 - We are adding support for the [did:web](https://w3c-ccg.github.io/did-method-web/) method. Any new tenant that starts using the Verifiable Credentials Service after June 14, 2022 will have Web as a new, default, trust system when [onboarding](verifiable-credentials-configure-tenant.md#set-up-verifiable-credentials). VC Administrators can still choose to use ION when setting a tenant. If you want to use did:web instead of ION or viceversa, you will need to [reconfigure your tenant](verifiable-credentials-faq.md?#how-do-i-reset-the-azure-ad-verifiable-credentials-service).
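Review bot: the two legacy hostnames in the first bullet are missing their `.com` suffix (`beta.did.msidentity`, `beta.eu.did.msidentity`), and the June 2022 entry still says "We'll soon provide migration instructions" although this hunk now links the migration script; update that sentence. Grammar: "Request Service API have" should be "has", "onboarding or your tenant" should be "of your tenant", "viceversa" should be "vice versa", and the error-codes bullet lacks a full stop. The migration script link points at the `contractmigration` branch rather than `main`, so it may break once that branch is merged or deleted.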
This article lists the latest features, improvements, and changes in the Microso
> You need to migrate your Azure Storage based credentials to become Managed Credentials. We'll soon provide migration instructions. - We made the following updates to our docs:
- - (new) [Current supported open standards for Microsoft Entra Verified ID](verifiable-credentials-standards.md).
- - (new) [How to create verifiable credentials for ID token hint](how-to-use-quickstart.md).
- - (new) [How to create verifiable credentials for ID token](how-to-use-quickstart-idtoken.md).
- - (new) [How to create verifiable credentials for self-asserted claims](how-to-use-quickstart-selfissued.md).
- - (new) [Rules and Display definition model specification](rules-and-display-definitions-model.md).
- - (new) [Creating an Azure AD tenant for development](how-to-create-a-free-developer-account.md).
+ - (new) [Current supported open standards for Microsoft Entra Verified ID](verifiable-credentials-standards.md).
+ - (new) [How to create verifiable credentials for ID token hint](how-to-use-quickstart.md).
+ - (new) [How to create verifiable credentials for ID token](how-to-use-quickstart-idtoken.md).
+ - (new) [How to create verifiable credentials for self-asserted claims](how-to-use-quickstart-selfissued.md).
+ - (new) [Rules and Display definition model specification](rules-and-display-definitions-model.md).
+ - (new) [Creating an Azure AD tenant for development](how-to-create-a-free-developer-account.md).
## May 2022
It's a good idea to start using the API soon, because the NodeJS SDK will be dep
## April 2021
-You can now issue [verifiable credentials](decentralized-identifier-overview.md) in Azure AD. This service is useful when you need to present proof of employment, education, or any other claim. The holder of such a credential can decide when, and with whom, to share their credentials. Each credential is signed by using cryptographic keys associated with the decentralized identity that the user owns and controls.
+You can now issue [verifiable credentials](decentralized-identifier-overview.md) in Azure AD. This service is useful when you need to present proof of employment, education, or any other claim. The holder of such a credential can decide when, and with whom, to share their credentials. Each credential is signed by using cryptographic keys associated with the decentralized identity that the user owns and controls.
advisor Advisor Cost Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-cost-recommendations.md
Advisor uses machine-learning algorithms to identify low utilization and to iden
Advisor identifies resources that have not been used at all over the last 7 days and makes a recommendation to shut them down. -- Metrics considered are CPU and Outbound Network utilization (memory is not considered for shutdown recommendations since weΓÇÖve found that relying on CPU and Network provide enough signals for this recommendation)-- The last 7 days of utilization data are considered-- Metrics are sampled every 30 seconds, aggregated to 1 min and then further aggregated to 30 mins (we take the average of max values while aggregating to 30 mins)
+- Recommendation criteria include **CPU** and **Outbound Network utilization** metrics. **Memory** is not considered since weΓÇÖve found that **CPU** and **Outbound Network utilization** are sufficient.
+- The last 7 days of utilization data are analyzed
+- Metrics are sampled every 30 seconds, aggregated to 1 min and then further aggregated to 30 mins (we take the max of average values while aggregating to 30 mins)
- A shutdown recommendation is created if: - P95th of the maximum value of CPU utilization summed across all cores is less than 3%. - P100 of average CPU in last 3 days (sum over all cores) <= 2%
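Review bot: the aggregation statement is inverted from "average of max values" to "max of average values"; the two give different numbers, and the shutdown criterion below still refers to "P95th of the maximum value of CPU utilization", so confirm which aggregation the engine actually applies before the same wording is changed in the resize section. The mojibake `weΓÇÖve` (for "we've") is carried into the new line; fix the apostrophe.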
Advisor identifies resources that have not been used at all over the last 7 days
### Resize SKU recommendations
-Advisor considers resizing virtual machines when it's possible to fit the current load on a more appropriate SKU, which costs less than the current one (we currently consider retail rates only during recommendation generation).
+Advisor recommends resizing virtual machines when it's possible to fit the current load on a more appropriate SKU, which is less expensive (based on retail rates).
-- Metrics considered are CPU, Memory and Outbound Network utilization -- The last 7 days of utilization data are considered-- Metrics are sampled every 30 seconds, aggregated to 1 min and then further aggregated to 30 mins (we take the average of max values while aggregating to 30 mins)
+- Recommendation criteria include **CPU**, **Memory** and **Outbound Network utilization**.
+- The last 7 days of utilization data are analyzed
+- Metrics are sampled every 30 seconds, aggregated to 1 min and then further aggregated to 30 mins (we take the max of average values while aggregating to 30 mins)
- An appropriate SKU is determined based on the following criteria: - Performance of the workloads on the new SKU should not be impacted. - Target for user-facing workloads:
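Review bot: the same "max of average values" inversion as in the shutdown section appears here; keep the two sections consistent with whichever aggregation is correct. Dropping "currently" from "(based on retail rates)" turns a caveat about today's behaviour into a permanent statement; keep it if retail-only pricing is subject to change.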
Advisor considers resizing virtual machines when it's possible to fit the curren
- The new SKU has the same Accelerated Networking and Premium Storage capabilities - The new SKU is supported in the current region of the Virtual Machine with the recommendation - The new SKU is less expensive -- Advisor determines the type of workload (user-facing/non user-facing) by analyzing the CPU utilization characteristics of the workload. This is based on some fascinating findings by Microsoft Research. You can find more details here: [Prediction-Based Power Oversubscription in Cloud Platforms - Microsoft Research](https://www.microsoft.com/research/publication/prediction-based-power-oversubscription-in-cloud-platforms/).-- Advisor recommends not just smaller SKUs in the same family (for example D3v2 to D2v2) but also SKUs in a newer version (for example D3v2 to D2v3) or even a completely different family (for example D3v2 to E3v2) based on the best fit and the cheapest costs with no performance impacts.
+- Advisor determines if a workload is user-facing by analyzing its CPU utilization characteristics. The approach is based on findings by Microsoft Research. You can find more details here: [Prediction-Based Power Oversubscription in Cloud Platforms - Microsoft Research](https://www.microsoft.com/research/publication/prediction-based-power-oversubscription-in-cloud-platforms/).
+- Advisor recommends not just smaller SKUs in the same family (for example D3v2 to D2v2) but also SKUs in a newer version (for example D3v2 to D2v3) or a different family (for example D3v2 to E3v2) based on the best fit and the cheapest costs with no performance impacts.
### Burstable recommendations
-This is a special type of resize recommendation, where Advisor analyzes workloads to determine eligibility to run on specialized SKUs called Burstable SKUs that allow for variable workload performance requirements and are generally cheaper than general purpose SKUs. Learn more about burstable SKUs here: [B-series burstable - Azure Virtual Machines](../virtual-machines/sizes-b-series-burstable.md).
+We evaluate is workloads are eligible to run on specialized SKUs called **Burstable SKUs** that support variable workload performance requirements and are less expensive than general purpose SKUs. Learn more about burstable SKUs here: [B-series burstable - Azure Virtual Machines](../virtual-machines/sizes-b-series-burstable.md).
- A burstable SKU recommendation is made if:-- The average CPU utilization is less than a burstable SKUs' baseline performance
+- The average **CPU utilization** is less than a burstable SKUs' baseline performance
- If the P95 of CPU is less than two times the burstable SKUs' baseline performance - If the current SKU does not have accelerated networking enabled (burstable SKUs donΓÇÖt support accelerated networking yet) - If we determine that the Burstable SKU credits are sufficient to support the average CPU utilization over 7 days
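Review bot: "We evaluate is workloads are eligible" should read "Advisor evaluates whether workloads are eligible"; the switch to first person also breaks the "Advisor ..." voice used in the shutdown and resize sections. "a burstable SKUs' baseline" should be "a burstable SKU's baseline", and `donΓÇÖt` in the accelerated-networking bullet is the same apostrophe mojibake as above.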
advisor Advisor Reference Operational Excellence Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-reference-operational-excellence-recommendations.md
You can get these recommendations on the **Operational Excellence** tab of the A
## Spring Cloud
-### Update your outdated Azure Spring Cloud SDK to the latest version
+### Update your outdated Azure Spring Apps SDK to the latest version
-We have identified API calls from an outdated Azure Spring Cloud SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.
+We have identified API calls from an outdated Azure Spring Apps SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.
-Learn more about [Spring Cloud Service - SpringCloudUpgradeOutdatedSDK (Update your outdated Azure Spring Cloud SDK to the latest version)](../spring-cloud/index.yml).
+Learn more about [Spring Cloud Service - SpringCloudUpgradeOutdatedSDK (Update your outdated Azure Spring Apps SDK to the latest version)](../spring-apps/index.yml).
-### Update Azure Spring Cloud API Version
+### Update Azure Spring Apps API Version
-We have identified API calls from outdated Azure Spring Cloud API for resources under this subscription. We recommend switching to the latest Spring Cloud API version. You need to update your existing code to use the latest API version. Also, you need to upgrade your Azure SDK and Azure CLI to the latest version. This ensures you receive the latest features and performance improvements.
+We have identified API calls from outdated Azure Spring Apps API for resources under this subscription. We recommend switching to the latest Spring Cloud API version. You need to update your existing code to use the latest API version. Also, you need to upgrade your Azure SDK and Azure CLI to the latest version. This ensures you receive the latest features and performance improvements.
-Learn more about [Spring Cloud Service - UpgradeAzureSpringCloudAPI (Update Azure Spring Cloud API Version)](../spring-cloud/index.yml).
+Learn more about [Spring Cloud Service - UpgradeAzureSpringCloudAPI (Update Azure Spring Apps API Version)](../spring-apps/index.yml).
## Automation
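Review bot: the rename to Azure Spring Apps is incomplete: the second paragraph still says "switching to the latest Spring Cloud API version", and both link texts keep "Spring Cloud Service - SpringCloudUpgradeOutdatedSDK" / "UpgradeAzureSpringCloudAPI". If those are stable recommendation IDs, keep them as identifiers but rename the surrounding prose.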
advisor Advisor Reference Performance Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-reference-performance-recommendations.md
We have detected that you do not have up-to-date table statistics which may be i
Learn more about [SQL data warehouse - UpdateTableStatisticsSqlDW (Update statistics on table columns)](https://aka.ms/learnmorestatistics).
-### Right-size overutilized SQL Databases
-
-We've analyzed the DTU consumption of your SQL Database over the past 14 days and identified SQL Databases with high usage. You can improve your database performance by right-sizing to the recommended SKU based on the 95th percentile of your everyday workload
-
-Learn more about [SQL database - sqlRightsizePerformance (Right-size overutilized SQL Databases)](https://aka.ms/SQLDBrecommendation).
- ### Scale up to optimize cache utilization with SQL Data Warehouse We have detected that you had high cache used percentage with a low hit percentage. This indicates high cache eviction which can impact the performance of your workload.
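Review bot: the last `-` line appears to remove the "### Scale up to optimize cache utilization with SQL Data Warehouse" heading together with the right-size section, which would leave the cache-eviction paragraph without a heading; confirm that only the `sqlRightsizePerformance` entry is meant to go.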
aks Kubernetes Service Principal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-service-principal.md
ls -la $HOME/.azure/aksServicePrincipal.json
The default expiration time for the service principal credentials is one year. If your *aksServicePrincipal.json* file is older than one year, delete the file and retry deploying the AKS cluster.
+**General Azure CLI troubleshooting**
++ ### [Azure PowerShell](#tab/azure-powershell) The service principal credentials for an AKS cluster are cached by Azure PowerShell. If these credentials have expired, you encounter errors during deployment of the AKS cluster. The following error message when running [New-AzAksCluster][new-azakscluster] may indicate a problem with the cached service principal credentials:
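Review bot: the added bold line "**General Azure CLI troubleshooting**" has no content following it before the Azure PowerShell tab; either add the troubleshooting text or link it was meant to introduce, or drop the line. The article uses `###` headings, so a bold pseudo-heading is also a style deviation.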
aks Quick Kubernetes Deploy Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-cli.md
The following output example resembles successful creation of the resource group
## Create AKS cluster
-Create an AKS cluster using the [az aks create][az-aks-create] command with the *--enable-addons monitoring* parameter to enable [Container insights][azure-monitor-containers]. The following example creates a cluster named *myAKSCluster* with one node and enables a system-assigned managed identity:
+Create an AKS cluster using the [az aks create][az-aks-create] command with the `--enable-addons monitoring` and `--enable-msi-auth-for-monitoring` parameter to enable [Azure Monitor Container insights][azure-monitor-containers] with managed identity authentication (preview). The following example creates a cluster named *myAKSCluster* with one node and enables a system-assigned managed identity:
```azurecli-interactive
-az aks create -g myResourceGroup -n myAKSCluster --enable-managed-identity --node-count 1 --enable-addons monitoring
+az aks create -g myResourceGroup -n myAKSCluster --enable-managed-identity --node-count 1 --enable-addons monitoring --enable-msi-auth-for-monitoring --generate-ssh-keys
``` After a few minutes, the command completes and returns JSON-formatted information about the cluster.
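Review bot: the sentence says "parameter" for two flags; make it "parameters". `--generate-ssh-keys` is added to the command but not mentioned in the text; say that it creates an SSH key pair under `~/.ssh` if none exists, since the reader should know a key is being generated on their machine. Managed identity authentication for Container insights is marked preview here; if the flag needs the `aks-preview` extension, state that before the command.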
app-service Deploy Ftp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-ftp.md
In the same management page for your app where you copied the deployment credent
# [Azure CLI](#tab/cli)
-Run the [az webapp deployment list-publishing-profiles](/cli/azure/webapp/deployment#az-webapp-deployment-list-publishing-profiles) command. The following example uses a [JMES path](https://jmespath.org/) to extract the FTP/S endpoints from the output.
+Run the [az webapp deployment list-publishing-profiles](/cli/azure/webapp/deployment#az-webapp-deployment-list-publishing-profiles) command. The following example uses a [JMESPath query](/cli/azure/query-azure-cli) to extract the FTP/S endpoints from the output.
```azurecli-interactive az webapp deployment list-publishing-profiles --name <app-name> --resource-group <group-name> --query "[?ends_with(profileName, 'FTP')].{profileName: profileName, publishUrl: publishUrl}"
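Review bot: the command is on the same line as the ` ```azurecli-interactive ` fence opener; move it to its own line so the block renders. The `--query` projection keeps only `profileName` and `publishUrl` and leaves the rest of each profile out, which is the right choice, but it would help to say where the FTP credentials come from (the deployment credentials copied in the step above) so readers do not go looking for them in this output.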
app-service Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/networking.md
Title: App Service Environment networking
description: App Service Environment networking details Previously updated : 02/17/2022 Last updated : 08/01/2022
You can put your web application firewall devices, such as Azure Application Gat
Your application will use one of the default outbound addresses for egress traffic to public endpoints. If you want to customize the outbound address of your applications on an App Service Environment, you can add a NAT gateway to your subnet.
+> [!NOTE]
+> Outbound SMTP connectivity (port 25) is supported for App Service Environment v3. However, the supportability is determined by the subscription where the virtual network is deployed. For virtual networks created before 1. August 2022, you will have to re-enable outbound SMTP connectivity support on the subscription. For more information on subscription type support and how to request support to re-enable outbound SMTP connectivity, see [Troubleshoot outbound SMTP connectivity problems in Azure](../../virtual-network/troubleshoot-outbound-smtp-connectivity.md).
+ ## Private endpoint In order to enable Private Endpoints for apps hosted in your App Service Environment, you must first enable this feature at the App Service Environment level.
az appservice ase update --name myasename --allow-new-private-endpoint-connectio
For more information about Private Endpoint and Web App, see [Azure Web App Private Endpoint][privateendpoint] - ## DNS The following sections describe the DNS considerations and configuration that apply inbound to and outbound from your App Service Environment.
The apps in your App Service Environment will use the DNS that your virtual netw
## Limitations
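Review bot: `## Private endpoint` on the third `+` line is fused with the sentence that follows; the heading needs its own line with a blank line after the note. In the NOTE, `1. August 2022` should be `August 1, 2022` (the style the rest of these docs use), and `the supportability is determined by the subscription` reads awkwardly; `whether it is available depends on the subscription type` says the same thing. Since the note makes port 25 egress conditional on the subscription and says older virtual networks need it re-enabled, state plainly that running on App Service Environment v3 alone does not grant outbound port 25, so readers do not read the first sentence in isolation.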
-While App Service Environment does deploy into your virtual network, there are a few networking features that aren't available:
-
-* Sending SMTP traffic. Although you can still have email-triggered alerts, your app can't send outbound traffic on port 25.
-* Using Azure Network Watcher or NSG flow to monitor outbound traffic.
+While App Service Environment does deploy into your virtual network, you currently cannot use Azure Network Watcher or NSG flow to monitor outbound traffic.
## More resources
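Review bot: dropping the SMTP bullet matches the new NOTE above, but `NSG flow` in the rewritten sentence is incomplete; the feature is NSG flow logs. Keeping the bulleted list form would also leave room for further limitations instead of folding the remaining one into the lead sentence.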
app-service Using An Ase https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/using-an-ase.md
To create an app in an ASE:
Every App Service app runs in an App Service plan. App Service Environments hold App Service plans, and App Service plans hold apps. When you scale an app, you also scale the App Service plan and all the apps in that same plan.
-When you scale an App Service plan, the needed infrastructure is added automatically. There's a time delay to scale operations while the infrastructure is being added. If you do several scale operations in sequence, the first infrastructure scale request is acted on and the others are queued. When the first scale operation finishes, the other infrastructure requests all operate together. And when the infrastructure is added, the App Service plans are assigned as appropriate. Creating a new App Service plan is itself a scale operation because it requests additional hardware.
+When you scale an App Service plan, the needed infrastructure is added automatically. There's a time delay to scale operations while the infrastructure is being added. If you do several scale operations in sequence, the first infrastructure scale request is acted on and the others are queued. When the first scale operation finishes, the other infrastructure requests all operate together. And when the infrastructure is added, the App Service plans are assigned as appropriate. Creating a new App Service plan is itself a scale operation because it requests additional hardware. A scale operation usually takes 30-60 minutes to complete.
In the multitenant App Service, scaling is immediate because a pool of resources is readily available to support it. In an ASE, there's no such buffer, and resources are allocated based on need.
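Review bot: the added `30-60 minutes` should be written `30 to 60 minutes`, and the sentence would sit more naturally next to `There's a time delay to scale operations while the infrastructure is being added` rather than after the note about creating an App Service plan. The paragraph also says queued scale requests are acted on together, so say whether the figure applies to a single operation or to the batched set.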
app-service Overview Vnet Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-vnet-integration.md
Title: Integrate your app with an Azure virtual network
description: Integrate your app in Azure App Service with Azure virtual networks. Previously updated : 06/30/2022 Last updated : 08/01/2022
Through application routing or configuration routing options, you can configure
Application routing applies to traffic that is sent from your app after it has been started. See [configuration routing](#configuration-routing) for traffic during start up. When you configure application routing, you can either route all traffic or only private traffic (also known as [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918#section-3) traffic) into your virtual network. You configure this behavior through the **Route All** setting. If **Route All** is disabled, your app only routes private traffic into your virtual network. If you want to route all your outbound app traffic into your virtual network, make sure that **Route All** is enabled.
-> [!NOTE]
-> * Only traffic configured in application or configuration routing is subject to the NSGs and UDRs that are applied to your integration subnet.
-> * When **Route All** is enabled, outbound traffic from your app is still sent from the addresses that are listed in your app properties, unless you provide routes that direct the traffic elsewhere.
+* Only traffic configured in application or configuration routing is subject to the NSGs and UDRs that are applied to your integration subnet.
+* When **Route All** is enabled, outbound traffic from your app is still sent from the addresses that are listed in your app properties, unless you provide routes that direct the traffic elsewhere.
Learn [how to configure application routing](./configure-vnet-integration-routing.md). We recommend that you use the **Route All** configuration setting to enable routing of all traffic. Using the configuration setting allows you to audit the behavior with [a built-in policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F33228571-70a4-4fa1-8ca1-26d0aba8d6ef). The existing `WEBSITE_VNET_ROUTE_ALL` app setting can still be used, and you can enable all traffic routing with either setting.
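Review bot: converting the NOTE to plain bullets removes the callout from the one statement that matters for network security in this section: only traffic selected by the routing settings is subject to the subnet's NSGs and UDRs, so anything left on the public route bypasses them. If the callout is intentionally gone, the bullets need an introductory sentence, since they now follow the `Route All` paragraph with nothing tying them in, and the second bullet's `addresses that are listed in your app properties` would read better with the property named.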
+> [!NOTE]
+> Outbound SMTP connectivity (port 25) is supported for App Service when the SMTP traffic is routed through the virtual network integration. The supportability is determined by the subscription where the virtual network is deployed. For virtual networks created before 1. August 2022, you will have to re-enable outbound SMTP connectivity support on the subscription. For more information on subscription type support and how to request support to re-enable outbound SMTP connectivity, see [Troubleshoot outbound SMTP connectivity problems in Azure](../virtual-network/troubleshoot-outbound-smtp-connectivity.md).
+ #### Configuration routing When you are using virtual network integration, you can configure how parts of the configuration traffic is managed. By default, configuration traffic will go directly over the public route, but for the mentioned individual components, you can actively configure it to be routed through the virtual network integration.
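Review bot: `#### Configuration routing` on the third `+` line is fused with its paragraph and needs its own line; in that paragraph `how parts of the configuration traffic is managed` should be `are managed`, and `the mentioned individual components` refers to components listed only in the subsections that follow, so `the components listed below` is clearer. Same date-style point as the App Service Environment note: `1. August 2022` should be `August 1, 2022`. Because this NOTE applies only when SMTP traffic is routed through the virtual network integration, tie it to the `Route All` paragraph above: port 25 to a public mail server is public traffic, so it only goes through the integration when `Route All` is enabled.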
-> [!NOTE]
-> * Windows containers don't support pulling custom container images over virtual network integration.
-> * Backup/restore to private storage accounts is currently not supported.
-> * Configure SSL/TLS certificates from private Key Vaults is currently not supported.
-> * App Service Logs to private storage accounts is currently not supported. We recommend using Diagnostics Logging and allowing Trusted Services for the storage account.
- ##### Content storage Bringing your own storage for content in often used in Functions where [content storage](./../azure-functions/configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network) is configured as part of the Functions app.
When using custom containers for Linux, you can pull the container over the virt
App settings using Key Vault references will attempt to get secrets over the public route. If the Key Vault is blocking public traffic and the app is using virtual network integration, an attempt will then be made to get the secrets through the virtual network integration.
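Review bot: this is a straight move of the NOTE block (the same five lines are re-added below after the Key Vault paragraph), which is fine, but the `-` line that begins `##### Content storage` looks like a removed blank line that extraction has fused with the heading; make sure the heading and the paragraph survive on their own lines, and while the line is touched fix `Bringing your own storage for content in often used` to `is often used`.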
+> [!NOTE]
+> * Windows containers don't support pulling custom container images over virtual network integration.
+> * Backup/restore to private storage accounts is currently not supported.
+> * Configure SSL/TLS certificates from private Key Vaults is currently not supported.
+> * App Service Logs to private storage accounts is currently not supported. We recommend using Diagnostics Logging and allowing Trusted Services for the storage account.
+ #### Network routing You can use route tables to route outbound traffic from your app without restriction. Common destinations can include firewall devices or gateways. You can also use a [network security group](../virtual-network/network-security-groups-overview.md) (NSG) to block outbound traffic to resources in your virtual network or the internet. An NSG that's applied to your integration subnet is in effect regardless of any route tables applied to your integration subnet.
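Review bot: `#### Network routing` on the last `+` line is fused with its paragraph; give the heading its own line. In the re-added NOTE, `Configure SSL/TLS certificates from private Key Vaults is currently not supported` should read `Configuring SSL/TLS certificates ...`. The last bullet recommends `allowing Trusted Services for the storage account`; that opens the storage firewall to Microsoft's trusted-services list rather than to this app alone, so name the exact storage networking exception being recommended and link to it so readers understand what they are widening.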
app-service Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview.md
Azure App Service is a fully managed platform as a service (PaaS) offering for d
* **API and mobile features** - App Service provides turn-key CORS support for RESTful API scenarios, and simplifies mobile app scenarios by enabling authentication, offline data sync, push notifications, and more. * **Serverless code** - Run a code snippet or script on-demand without having to explicitly provision or manage infrastructure, and pay only for the compute time your code actually uses (see [Azure Functions](../azure-functions/index.yml)).
-Besides App Service, Azure offers other services that can be used for hosting websites and web applications. For most scenarios, App Service is the best choice. For microservice architecture, consider [Azure Spring-Cloud Service](../spring-cloud/index.yml) or [Service Fabric](https://azure.microsoft.com/documentation/services/service-fabric). If you need more control over the VMs on which your code runs, consider [Azure Virtual Machines](https://azure.microsoft.com/documentation/services/virtual-machines/). For more information about how to choose between these Azure services, see [Azure App Service, Virtual Machines, Service Fabric, and Cloud Services comparison](/azure/architecture/guide/technology-choices/compute-decision-tree).
+Besides App Service, Azure offers other services that can be used for hosting websites and web applications. For most scenarios, App Service is the best choice. For microservice architecture, consider [Azure Spring Apps](../spring-apps/index.yml) or [Service Fabric](https://azure.microsoft.com/documentation/services/service-fabric). If you need more control over the VMs on which your code runs, consider [Azure Virtual Machines](https://azure.microsoft.com/documentation/services/virtual-machines/). For more information about how to choose between these Azure services, see [Azure App Service, Virtual Machines, Service Fabric, and Cloud Services comparison](/azure/architecture/guide/technology-choices/compute-decision-tree).
## App Service on Linux
applied-ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/language-support.md
Previously updated : 06/06/2022 Last updated : 07/29/2022
Language| Locale code |
|:--|:-:| |English (United States)|en-us|
-## Receipt and business card models
+## Receipt model
>[!NOTE] > It's not necessary to specify a locale. This is an optional parameter. The Form Recognizer deep-learning technology will auto-detect the language of the text in your image.
-Pre-Built Receipt and Business Cards support all English receipts and business cards with the following locales:
+Receipt supports all English receipts with the following locales:
|Language| Locale code | |:--|:-:|
Pre-Built Receipt and Business Cards support all English receipts and business c
## Business card model
+>[!NOTE]
+ > It's not necessary to specify a locale. This is an optional parameter. The Form Recognizer deep-learning technology will auto-detect the language of the text in your image.
+
+Business Card supports all English business cards with the following locales:
+
+|Language| Locale code |
+|:--|:-:|
+|English (Australia)|`en-au`|
+|English (Canada)|`en-ca`|
+|English (United Kingdom)|`en-gb`|
+|English (India|`en-in`|
+|English (United States)| `en-us`|
+ The **2022-06-30-preview** release includes Japanese language support: |Language| Locale code |
Language| Locale code |
|Portuguese (**2022-06-30-preview**)|pt| |Dutch (**2022-06-30-preview**)| nl|
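Review bot: `|English (India|\`en-in\`|` is missing its closing parenthesis. The new table wraps locale codes in backticks while the receipt table above (`|English (United States)|en-us|`) does not; pick one style. The last `+` line fuses the Japanese-support sentence with the `|Language| Locale code |` header row of the next table; a blank line between them is needed for the table to render. The NOTE about the locale being optional now appears verbatim under both the receipt and business card headings; one copy under a shared parent, or a reference, would stop the two from drifting.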
-## ID documents
+## ID document model
This technology is currently available for US driver licenses and the biographical page from international passports (excluding visa and other travel documents).
attestation Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/overview.md
Client applications can be designed to take advantage of TPM attestation by dele
### AMD SEV-SNP attestation
-Azure [Confidential VM](../confidential-computing/confidential-vm-overview.md) (CVM) is based on [AMD processors with SEV-SNP technology](../confidential-computing/virtual-machine-solutions-amd.md) and aims to improve VM security posture by removing trust in host, hypervisor and Cloud Service Provider (CSP). To achieve this, CVM offers VM OS disk encryption option with platform-managed keys and binds the disk encryption keys to the virtual machine's TPM. When a CVM boots up, SNP report containing the guest VM firmware measurements will be sent to Azure Attestation. The service validates the measurements and issues an attestation token that is used to release keys from [Managed-HSM](../key-vault/managed-hsm/overview.md) or [Azure Key Vault](../key-vault/general/basic-concepts.md). These keys are used to decrypt the vTPM state of the guest VM, unlock the OS disk and start the CVM. The attestation and key release process is performed automatically on each CVM boot, and the process ensures the CVM boots up only upon successful attestation of the hardware.
+Azure [Confidential VM](../confidential-computing/confidential-vm-overview.md) (CVM) is based on [AMD processors with SEV-SNP technology](../confidential-computing/virtual-machine-solutions-amd.md). CVM offers VM OS disk encryption option with platform-managed keys or customer-managed keys and binds the disk encryption keys to the virtual machine's TPM. When a CVM boots up, SNP report containing the guest VM firmware measurements will be sent to Azure Attestation. The service validates the measurements and issues an attestation token that is used to release keys from [Managed-HSM](../key-vault/managed-hsm/overview.md) or [Azure Key Vault](../key-vault/general/basic-concepts.md). These keys are used to decrypt the vTPM state of the guest VM, unlock the OS disk and start the CVM. The attestation and key release process is performed automatically on each CVM boot, and the process ensures the CVM boots up only upon successful attestation of the hardware.
### Trusted Launch attestation
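Review bot: the rewrite deletes the only sentence that stated the threat model (`removing trust in host, hypervisor and Cloud Service Provider`), so the paragraph now describes attestation-gated key release without saying what it protects against; keep a short statement of what the service's validation of the SNP report establishes before describing the key-release step. Wording: `SNP report containing` needs an article (`an SNP report`), `VM OS disk encryption option` should be `a VM OS disk encryption option`, and the first sentence binds keys to `the virtual machine's TPM` while the rest of the paragraph says `vTPM`; use vTPM throughout. With customer-managed keys now mentioned alongside platform-managed keys, say which key store (Managed-HSM or Azure Key Vault) applies to which option, since both are linked but neither is tied to the key-ownership choice.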
automation Manage Change Tracking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/change-tracking/manage-change-tracking.md
File content tracking allows you to view the contents of a file before and after
* You can connect the storage account to only one Automation account. * Change Tracking and Inventory must be enabled in your Automation account.
+>[!NOTE]
+> If the file size appears >1.25MB, then FileContentChecksum is incorrect due to memory constraints in the checksum calculation.
+ ### Enable tracking for file content changes Use the following steps to enable tracking for changes to file contents:
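Review bot: `### Enable tracking for file content changes` on the last `+` line is fused with its first sentence and needs its own line after the NOTE. In the NOTE, `appears >1.25MB` is vague; write `is larger than 1.25 MB` (space before the unit) and state the consequence for the reader, not only the cause: `FileContentChecksum` cannot be relied on to detect changes to such files. A change-tracking user mainly needs to know that the checksum is not a trustworthy integrity signal above that size.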
automation Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/change-tracking/overview.md
Change Tracking and Inventory doesn't support or has the following limitations:
- ***.exe** files stored on Windows - The **Max File Size** column and values are unused in the current implementation. - If you are tracking file changes, it is limited to a file size of 5 MB or less.
+- If the file size appears >1.25MB, then FileContentChecksum is incorrect due to memory constraints in the checksum calculation.
- If you try to collect more than 2500 files in a 30-minute collection cycle, Change Tracking and Inventory performance might be degraded. - If network traffic is high, change records can take up to six hours to display. - If you modify a configuration while a machine or server is shut down, it might post changes belonging to the previous configuration.
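Review bot: the new bullet sits right after `limited to a file size of 5 MB or less`, and the two limits need reconciling in the text: content tracking works up to 5 MB, but above 1.25 MB the `FileContentChecksum` is wrong, so files between 1.25 MB and 5 MB are tracked with an unreliable checksum. Say that explicitly, and write `1.25 MB` with a space to match `5 MB` in the previous bullet, so readers do not treat the checksum as evidence of integrity in that range.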
availability-zones Cross Region Replication Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/availability-zones/cross-region-replication-azure.md
For applications that support multiple active regions, we recommend that you use
## Benefits of cross-region replication
-Architecting cross-regional replication for your services and data can be decided on a per-service basis. You'll necessarily take a cost-benefit analysis approach based on your organization's strategic and business requirements. Primary and ripple benefits of cost-region replication are complex, extensive, and deserve elaboration. These benefits include:
+Architecting cross-regional replication for your services and data can be decided on a per-service basis. You'll necessarily take a cost-benefit analysis approach based on your organization's strategic and business requirements. Primary and ripple benefits of cross-region replication are complex, extensive, and deserve elaboration. These benefits include:
- **Region recovery sequence**: If a geography-wide outage occurs, recovery of one region is prioritized out of every enabled set of regions. Applications that are deployed across enabled region sets are guaranteed to have one of the regions prioritized for recovery. If an application is deployed across regions, any of which isn't enabled for cross-regional replication, recovery can be delayed. - **Sequential updating**: Planned Azure system updates for your enabled regions are staggered chronologically to minimize downtime, impact of bugs, and any logical failures in the rare event of a faulty update.
azure-arc Troubleshoot Agent Onboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/troubleshoot-agent-onboard.md
# Troubleshoot Azure Arc-enabled servers agent connection issues
-This article provides information on troubleshooting and resolving issues that may occur while attempting to configure the Azure Connected Machine agent for Windows or Linux. Both the interactive and at-scale installation methods when configuring connection to the service are included. For general information, see [Azure Arc-enabled servers overview](./overview.md).
+This article provides information for troubleshooting issues that may occur configuring the Azure Connected Machine agent for Windows or Linux. Both the interactive and at-scale installation methods when configuring connection to the service are included. For general information, see [Azure Arc-enabled servers overview](./overview.md).
## Agent error codes
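Review bot: the rewritten sentence `issues that may occur configuring the Azure Connected Machine agent` is missing a word; use `that may occur when configuring` (or `while configuring`, as the old text had). The old sentence also said the article covers resolving issues, not only troubleshooting them; the remediation column in the table below does exactly that, so `troubleshooting and resolving` was the more accurate description.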
-If you receive an error when configuring the Azure Arc-enabled servers agent, the following table can help you identify the probable cause and suggested steps to resolve your problem. You will need the `AZCM0000` ("0000" can be any 4 digit number) error code printed to the console or script output to proceed.
+Use the following table to identify and resolve issues when configuring the Azure Arc-enabled servers agent. You will need the `AZCM0000` ("0000" can be any four digit number) error code printed to the console or script output.
| Error code | Probable cause | Suggested remediation | ||-|--|
If you receive an error when configuring the Azure Arc-enabled servers agent, th
| AZCM0012 | The access token provided is invalid | Obtain a new access token and try again | | AZCM0013 | The tags provided are invalid | Check that the tags are enclosed in double quotes, separated by commas, and that any names or values with spaces are enclosed in single quotes: `--tags "SingleName='Value with spaces',Location=Redmond"` | AZCM0014 | The cloud is invalid | Specify a supported cloud: `AzureCloud` or `AzureUSGovernment` |
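Review bot: `four digit number` should be hyphenated (`four-digit number`). The removed sentence explained why the code is needed (`to identify the probable cause and suggested steps`); the new wording only says you `will need` it, so add what to do with it: match it against the `Error code` column of the table that follows.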
-| AZCM0015 | The correlation ID specified is not a valid GUID | Provide a valid GUID for `--correlation-id` |
+| AZCM0015 | The correlation ID specified isn't a valid GUID | Provide a valid GUID for `--correlation-id` |
| AZCM0016 | Missing a mandatory parameter | Review the output to identify which parameters are missing | | AZCM0017 | The resource name is invalid | Specify a name that only uses alphanumeric characters, hyphens and/or underscores. The name cannot end with a hyphen or underscore. | | AZCM0018 | The command was executed without administrative privileges | Retry the command with administrator or root privileges in an elevated command prompt or console session. |
If you receive an error when configuring the Azure Arc-enabled servers agent, th
| AZCM0042 | Creation of the Azure Arc-enabled server resource failed | Verify that the user/service principal specified has access to create Azure Arc-enabled server resources in the specified resource group. | | AZCM0043 | Deletion of the Azure Arc-enabled server resource failed | Verify that the user/service principal specified has access to delete Azure Arc-enabled server resources in the specified resource group. If the resource no longer exists in Azure, use the `--force-local-only` flag to proceed. | | AZCM0044 | A resource with the same name already exists | Specify a different name for the `--resource-name` parameter or delete the existing Azure Arc-enabled server in Azure and try again. |
-| AZCM0061 | Unable to reach the agent service | Verify you are running the command in an elevated user context (administrator/root) and that the HIMDS service is running on your server. |
+| AZCM0061 | Unable to reach the agent service | Verify you're running the command in an elevated user context (administrator/root) and that the HIMDS service is running on your server. |
| AZCM0062 | An error occurred while connecting the server | Review other error codes in the output for more specific information. If the error occurred after the Azure resource was created, you need to delete the Arc server from your resource group before retrying. |
-| AZCM0063 | An error occurred while disconnecting the server | Review other error codes in the output for more specific information. If you continue to encounter this error, you can delete the resource in Azure and then run `azcmagent disconnect --force-local-only` on the server to disconnect the agent. |
+| AZCM0063 | An error occurred while disconnecting the server | Review other error codes in the output for more specific information. If you continue to encounter this error, you can delete the resource in Azure, and then run `azcmagent disconnect --force-local-only` on the server to disconnect the agent. |
| AZCM0064 | The agent service is not responding | Check the status of the `himds` service to ensure it is running. Start the service if it is not running. If it is running, wait a minute then try again. | | AZCM0065 | An internal agent communication error occurred | Contact Microsoft Support for assistance | | AZCM0066 | The agent web service is not responding or unavailable | Contact Microsoft Support for assistance | | AZCM0067 | The agent is already connected to Azure | Run `azcmagent disconnect` to remove the current connection, then try again. | | AZCM0068 | An internal error occurred while disconnecting the server from Azure | Contact Microsoft Support for assistance |
+| AZCM0070 | Unable to obtain local config | The Hybrid Instance Metadata service (HIMDS) might not be running. Check the status of your HIMDS service (for Windows) or the HIMDS daemon (for Linux). |
| AZCM0081 | An error occurred while downloading the Azure Active Directory managed identity certificate | If this message is encountered while attempting to connect the server to Azure, the agent won't be able to communicate with the Azure Arc service. Delete the resource in Azure and try connecting again. | | AZCM0101 | The command was not parsed successfully | Run `azcmagent <command> --help` to review the correct command syntax | | AZCM0102 | Unable to retrieve the computer hostname | Run `hostname` to check for any system-level error messages, then contact Microsoft Support. |
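Review bot: the new AZCM0070 row says to check the status of the HIMDS service but not what to do next, while the AZCM0064 row above names the service (`himds`), says to start it if it is not running, and says to retry; align the two, either by repeating that action or by pointing at the AZCM0064 remediation. Service naming is also inconsistent across the table (`HIMDS service` in AZCM0061 and AZCM0070, `himds` service in AZCM0064); use one form.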
azure-cache-for-redis Cache Best Practices Development https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-best-practices-development.md
While you can connect from outside of Azure, it isn't recommended *especially wh
## Rely on hostname not public IP address
-The public IP address assigned to your cache can change as a result of a scale operation or backend improvement. We recommend relying on the hostname, in the form `<cachename>.redis.cache.windows.net`, instead of an explicit public IP address.
+The public IP address assigned to your cache can change as a result of a scale operation or backend improvement. We recommend relying on the hostname instead of an explicit public IP address. Here are the recommended forms for the various tiers:
+
+|Tier | Form |
+|-|-|
+| Basic, Standard, Premium | `<cachename>.redis.cache.windows.net` |
+| Enterprise, Enterprise Flash | `<DNS name>.<Azure region>.redisenterprise.cache.azure.net.` |
## Choose an appropriate Redis version
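Review bot: the Enterprise form `<DNS name>.<Azure region>.redisenterprise.cache.azure.net.` ends with a period inside the backticks, which reads as part of the hostname; drop it. The placeholders differ between rows (`<cachename>` vs `<DNS name>`); use one name for the cache-name part or explain that the Enterprise tier's DNS name is set separately. Since the section argues against pinning an IP, it is worth giving the second reason next to address changes: the TLS certificate is issued for the hostname, so a client that connects by IP address also cannot validate the server certificate properly.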
azure-fluid-relay Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/concepts/architecture.md
fluid.url: https://fluidframework.com/docs/build/overview/
# Overview of Azure Fluid Relay architecture
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- There are three primary concepts to understand when building an application with Fluid. - Service
There are three primary concepts to understand when building an application with
## Service
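Review bot: removing the preview disclaimer here and in the three sibling Azure Fluid Relay articles below is consistent, but the `-` line that begins `There are three primary concepts` shows a blank line going out with the note, leaving the paragraph directly under the heading; keep the blank line. Any other article in the Azure Fluid Relay set that still carries the same NOTE should lose it in the same change, so the service's support status is not stated two ways.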
-Fluid clients require a centralized service that all connected clients use to send and receive operations. When using Fluid in an application you must use the correct package that corresponds to the underlying service you are connecting to.
+Fluid clients require a centralized service that all connected clients use to send and receive operations. When using Fluid in an application, you must use the correct package that corresponds to the underlying service you're connecting to.
-For the Azure Fluid Relay service this package is **@fluidframework/azure-client**. This package helps create and load Fluid containers hosted on Azure via Azure Fluid Relay.
+For the Azure Fluid Relay service, this package is **@fluidframework/azure-client**. This package helps create and load Fluid containers hosted on Azure via Azure Fluid Relay.
## Container The **container** is the primary unit of encapsulation in Fluid. It consists of a collection of shared objects and supporting APIs to manage the lifecycle of the container and the objects within it.
-Creating new containers is a client-driven action and container lifetimes are bound to the data stored on the supporting server. When getting existing containers it's important to consider the previous state of the container.
+Creating new containers is a client-driven action and container lifetimes are bound to the data stored on the supporting server. When getting existing containers, it's important to consider the previous state of the container.
-For more about containers see [Containers](https://fluidframework.com/docs/build/containers/) on fluidframework.com.
+For more about containers, see [Containers](https://fluidframework.com/docs/build/containers/) on fluidframework.com.
## Shared objects A **shared object** is an object type that powers collaborative data by exposing a specific API. Many shared objects can exist within the context of a container and they can be created either statically or dynamically. **Distributed Data Structures(DDSes)** and **DataObjects** are both types of shared objects.
-For more information see [Data modeling](https://fluidframework.com/docs/build/data-modeling/) on fluidframework.com.
+For more information, see [Data modeling](https://fluidframework.com/docs/build/data-modeling/) on fluidframework.com.
## Package structure There are two primary **packages** you'll use when building with Fluid. The **fluid-framework** package and a service-specific client package like **azure-client**.
-For more information see [Packages](https://fluidframework.com/docs/build/packages/) on fluidframework.com.
+For more information, see [Packages](https://fluidframework.com/docs/build/packages/) on fluidframework.com.
### The fluid-framework package
azure-fluid-relay Authentication Authorization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/concepts/authentication-authorization.md
fluid.url: https://fluidframework.com/docs/build/auth/
# Authentication and authorization in your app
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- Security is critical to modern web applications. Fluid Framework, as a part of your web application architecture is an important piece of infrastructure to secure. Fluid Framework is a layered architecture, and auth-related concepts are implemented based on the Fluid service it's connecting to. This means that, although there are common authentication themes across all Fluid services, the details and specifics will differ for each service. ## Azure Fluid Relay service
azure-fluid-relay Container Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/concepts/container-management.md
# Managing Fluid containers
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- A Container is the atomic unit of storage in the Azure Fluid Relay service and represents the data stored from a Fluid session, including operations and snapshots. The Fluid runtime uses the container to rehydrate the state of a Fluid session when a user joins for the first time or rejoins after leaving. When building an application with the Fluid Framework, there are several things you need to account for regarding container creation and management, as summarized in this diagram.
azure-fluid-relay Data Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/concepts/data-encryption.md
# Data encryption in Azure Fluid Relay
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- Azure Fluid Relay leverages the encryption-at-rest capability of [Azure Kubernetes Service](../../aks/enable-host-encryption.md), [Azure Cosmos DB](../../cosmos-db/database-encryption-at-rest.md) and [Azure Blob Storage](../../storage/common/storage-service-encryption.md). The service-to-service communication between Azure Fluid Relay and these resources is TLS encrypted and is enclosed in with the Azure Virtual Network boundary, protected from external interference by Network Security Rules. The diagram below shows at a high level how Azure Fluid Relay is implemented and how it handles data storage.
The diagram below shows at a high level how Azure Fluid Relay is implemented and
### How much more does Azure Fluid Relay cost if encryption is enabled?
-Encryption-at-rest is enabled by default. There is no additional cost.
+Encryption-at-rest is enabled by default. There's no additional cost.
### Who manages the encryption keys?
The keys are managed by Microsoft.
### How often are encryption keys rotated?
-Microsoft has a set of internal guidelines for encryption key rotation which Azure Fluid Relay follows. The specific guidelines are not published. Microsoft does publish the [Security Development Lifecycle (SDL)](https://www.microsoft.com/sdl/default.aspx), which is seen as a subset of internal guidance and has useful best practices for developers.
+Microsoft has a set of internal guidelines for encryption key rotation which Azure Fluid Relay follows. The specific guidelines aren't published. Microsoft does publish the [Security Development Lifecycle (SDL)](https://www.microsoft.com/sdl/default.aspx), which is seen as a subset of internal guidance and has useful best practices for developers.
### Can I use my own encryption keys?
-Yes. For more information, refer to [Customer-managed keys for Azure Fluid Relay encryption](../concepts/customer-managed-keys.md).
+Yes. For more information, see [Customer-managed keys for Azure Fluid Relay encryption](../concepts/customer-managed-keys.md).
### What regions have encryption turned on?
All Azure Fluid Relay regions have encryption turned on for all user data.
### Does encryption affect the performance latency and throughput?
-A: There is no impact or changes to performance with encryption at rest enabled.
+A: There's no impact or changes to performance with encryption at rest enabled.
## See also
azure-fluid-relay Data Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/concepts/data-storage.md
# Data storage in Azure Fluid Relay
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- A Container is the atomic unit of storage in the Azure Fluid Relay service and represents the data stored from a Fluid session, including operations and snapshots. The Fluid runtime uses the container to rehydrate the state of a Fluid session when a user joins for the first time or rejoins after leaving.
-You have control of the Azure region where container data is stored. During the provisioning of the Azure Fluid Relay resource, you can select the region where you want that data to be stored at-rest. All containers created in that Azure Fluid Relay resource will be stored in that region. Once selected, the region cannot be changed. You will need to create a new Azure Fluid Relay resource in another region to store data in a different region.
+You have control of the Azure region where container data is stored. During the provisioning of the Azure Fluid Relay resource, you can select the region where you want that data to be stored at-rest. All containers created in that Azure Fluid Relay resource will be stored in that region. Once selected, the region can't be changed. You'll need to create a new Azure Fluid Relay resource in another region to store data in a different region.
-To deliver a highly available service, the container data is replicated to another region. This helps in the cases where disaster recovery is needed in face of a full regional outage. Internally, Azure Fluid Relay uses Azure Blob Storage cross-region replication to achieve that. The region where data is replicated is defined by the Azure regional pairs listed on the [Cross-region replication in Azure](../../availability-zones/cross-region-replication-azure.md#azure-cross-region-replication-pairings-for-all-geographies) page.
+To deliver a highly available service, the container data is replicated to another region. This data replication helps in the cases where disaster recovery is needed in face of a full regional outage. Internally, Azure Fluid Relay uses Azure Blob Storage cross-region replication to achieve that. The region where data is replicated is defined by the Azure regional pairs listed on the [Cross-region replication in Azure](../../availability-zones/cross-region-replication-azure.md#azure-cross-region-replication-pairings-for-all-geographies) page.
## Single region offering
-For regions that have the cross-region replication done outside of the geography (like Brazil South), Azure Fluid Relay provides a single region offering. You can select between the cross-region replication or this single region offering during the provisioning of the Azure Fluid Relay resource. Note that if you select the single region offering, you do not get the benefits of recovery from regional outage. Your application will experience downtime for the entire time the region is down.
+For regions that have the cross-region replication done outside of the geography (like Brazil South), Azure Fluid Relay provides a single region offering. You can select between the cross-region replication or this single region offering during the provisioning of the Azure Fluid Relay resource. If you select the single region offering, you don't get the benefits of recovery from regional outage. Your application will experience downtime for the entire time the region is down.
## What about in-transit data? During the sessionΓÇÖs lifetime, some data may live temporarily in-transit outside the region selected during resource provisioning. This allows the Azure Fluid Relay service to distribute changes in the DDSes between users at lower latency by placing the session in the closest region to your end users. The result is a better user experience for your end users.
-For the single region offering, in-transit data is scoped to the region selected. This may result in higher latencies distributing changes in DDSes to your end users if they are not close to that region.
+For the single region offering, in-transit data is scoped to the region selected. This may result in higher latencies distributing changes in DDSes to your end users if they aren't near that region.
-If the Fluid container is required for the duration of the collaborative session only, you can delete the container from the Azure Fluid Relay service. This helps you control the storage cost of your Azure Fluid Relay resource.
+If the Fluid container is required during the collaborative session only, you can delete the container from the Azure Fluid Relay service. This helps you control the storage cost of your Azure Fluid Relay resource.
## See also
azure-fluid-relay Data Structures https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/concepts/data-structures.md
fluid.url: https://fluidframework.com/docs/data-structures/overview/
# Distributed data structures
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- The Fluid Framework provides developers with distributed data structures (DDSes) that automatically ensure that each connected client has access to the same state. The APIs provided by DDSes are designed to be familiar to programmers who've used common data structures before. > [!NOTE]
These DDSes are used for storing sequential data. They are optimistic. Sequence
### Common issues and best practices for sequence DDSes -- Store only immutable data as an item in a sequence. The only way to change the value of an item is to first remove it from the sequence and then insert a new value at the position where the old value was. But because other clients can insert and remove, there's no reliable way of getting the new value into the the desired position.
+- Store only immutable data as an item in a sequence. The only way to change the value of an item is to first remove it from the sequence and then insert a new value at the position where the old value was. But because other clients can insert and remove, there's no reliable way of getting the new value into the desired position.
## Strings
azure-fluid-relay Version Compatibility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/concepts/version-compatibility.md
# Version compatibility with Fluid Framework releases
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- To connect your application to Azure Fluid Relay service, you'll use the **@fluidframework/azure-client** library. You'll also use the **fluid-framework** library to use the core data structures and provided by the Fluid Framework.
azure-fluid-relay Azure Function Token Provider https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/how-tos/azure-function-token-provider.md
fluid.url: https://fluidframework.com/docs/build/tokenproviders/
In the [Fluid Framework](https://fluidframework.com/), TokenProviders are responsible for creating and signing tokens that the `@fluidframework/azure-client` uses to make requests to the Azure Fluid Relay service. The Fluid Framework provides a simple, insecure TokenProvider for development purposes, aptly named **InsecureTokenProvider**. Each Fluid service must implement a custom TokenProvider based on the particular service's authentication and security considerations.
-Each Azure Fluid Relay resource you create is assigned a **tenant ID** and its own unique **tenant secret key**. The secret key is a **shared secret**. Your app/service knows it, and the Azure Fluid Relay service knows it. TokenProviders must know the secret key to sign requests, but the secret key cannot be included in client code.
+Each Azure Fluid Relay resource you create is assigned a **tenant ID** and its own unique **tenant secret key**. The secret key is a **shared secret**. Your app/service knows it, and the Azure Fluid Relay service knows it. TokenProviders must know the secret key to sign requests, but the secret key can't be included in client code.
## Implement an Azure Function to sign tokens
The complete solution has two pieces:
### Create an endpoint for your TokenProvider using Azure Functions
-[Azure Functions](../../azure-functions/functions-overview.md) are a fast way to create such an HTTPS endpoint. The example below implements that pattern in a class called **AzureFunctionTokenProvider**. It accepts the URL to your Azure Function, `userId` and`userName`. This specific implementation is also provided for you as an export from the `@fluidframework/azure-client` package.
+Using [Azure Functions](../../azure-functions/functions-overview.md) is a fast way to create such an HTTPS endpoint. The example below implements that pattern in a class called **AzureFunctionTokenProvider**. It accepts the URL to your Azure Function, `userId` and`userName`. This specific implementation is also provided for you as an export from the `@fluidframework/azure-client` package.
This example demonstrates how to create your own **HTTPTrigger Azure Function** that fetches the token by passing in your tenant key.
const httpTrigger: AzureFunction = async function (context: Context, req: HttpRe
export default httpTrigger; ```
-The `generateToken` function, found in the `@fluidframework/azure-service-utils` package, generates a token for the given user that is signed using the tenant's secret key. This method enables the token to be returned to the client without exposing the secret. Instead, the token is generated server-side using the secret to provide scoped access to the given document. The example ITokenProvider below makes HTTP requests to this Azure Function to retrieve tokens.
+The `generateToken` function, found in the `@fluidframework/azure-service-utils` package, generates a token for the given user that is signed using the tenant's secret key. This method enables the token to be returned to the client without exposing the secret. Instead, the token is generated server-side using the secret to provide scoped access to the given document. The example ITokenProvider below makes HTTP requests to this Azure Function to retrieve the tokens.
### Deploy the Azure Function
-Azure Functions can be deployed in several ways. See the **Deploy** section of the [Azure Functions documentation](../../azure-functions/functions-continuous-deployment.md) for more information about deploying Azure Functions.
+Azure Functions can be deployed in several ways. For more information, see the **Deploy** section of the [Azure Functions documentation](../../azure-functions/functions-continuous-deployment.md) for more information about deploying Azure Functions.
### Implement the TokenProvider
-TokenProviders can be implemented in many ways, but must implement two separate API calls: `fetchOrdererToken` and `fetchStorageToken`. These APIs are responsible for fetching tokens for the Fluid orderer and storage services respectively. Both functions return `TokenResponse` objects representing the token value. The Fluid Framework runtime calls these two APIs as needed to retrieve tokens. Note that while your application code is using only one service endpoint to establish conectivity with the Azure Fluid Relay service, the azure-client internally in conjunction with the service translate that one endpoint to an orderer and storage endpoint pair. Those two endpoints are used from that point on for that session. That is why you need to implement the two separate functions for fetching tokens, one for each.
+TokenProviders can be implemented in many ways, but must implement two separate API calls: `fetchOrdererToken` and `fetchStorageToken`. These APIs are responsible for fetching tokens for the Fluid orderer and storage services respectively. Both functions return `TokenResponse` objects representing the token value. The Fluid Framework runtime calls these two APIs as needed to retrieve tokens. Note that while your application code is using only one service endpoint to establish connectivity with the Azure Fluid Relay service, the azure-client internally in conjunction with the service translate that one endpoint to an orderer and storage endpoint pair. Those two endpoints are used from that point on for that session which is why you need to implement the two separate functions for fetching tokens, one for each.
-To ensure that the tenant secret key is kept secure, it is stored in a secure backend location and is only accessible from within the Azure Function. To retrieve tokens, you need to make a `GET` or `POST` request to your deployed Azure Function, providing the `tenantID` and `documentId`, and `userID`/`userName`. The Azure Function is responsible for the mapping between the tenant ID and a tenant key secret to appropriately generate and sign the token.
+To ensure that the tenant secret key is kept secure, it's stored in a secure backend location and is only accessible from within the Azure Function. To retrieve tokens, you need to make a `GET` or `POST` request to your deployed Azure Function, providing the `tenantID` and `documentId`, and `userID`/`userName`. The Azure Function is responsible for the mapping between the tenant ID and a tenant key secret to appropriately generate and sign the token.
This example implementation below uses the [axios](https://www.npmjs.com/package/axios) library to make HTTP requests. You can use other libraries or approaches to making an HTTP request from server code.
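Review bot: the `+` line under "Create an endpoint for your TokenProvider using Azure Functions" still reads "`userId` and`userName`" with no space after "and"; since the line is being rewritten anyway, add the space. In the "Deploy the Azure Function" paragraph the new sentence says "For more information, see the **Deploy** section ... for more information about deploying Azure Functions", so drop the trailing "for more information about deploying Azure Functions". In the "Implement the TokenProvider" paragraph, "the azure-client internally in conjunction with the service translate that one endpoint" needs "translates", and "for that session which is why" needs a comma before "which". In the paragraph that follows, `tenantID` and `userID` are cased differently from `documentId` and from the `tenantId`/`userId` used elsewhere on the page; pick one casing. That same paragraph explains that the secret is reachable only from within the Azure Function, but it does not say how the Function decides who may request a token for a given `documentId` and `userID`; a sentence stating that the endpoint must authenticate and authorize the caller before calling `generateToken` would close that gap, because as written any caller that can reach the endpoint obtains a token signed with the tenant key.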
azure-fluid-relay Connect Fluid Azure Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/how-tos/connect-fluid-azure-service.md
fluid.url: https://fluidframework.com/docs/deployment/azure-frs/
# How to: Connect to an Azure Fluid Relay service
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- This article walks through the steps to get your Azure Fluid Relay service provisioned and ready to use. > [!IMPORTANT]
The sections below will explain how to use `AzureClient` in your own application
## Connecting to the service
-To connect to an Azure Fluid Relay instance you first need to create an `AzureClient`. You must provide some configuration parameters including the the tenant ID, orderer and storage URLs, and a token provider to generate the JSON Web Token (JWT) that will be used to authorize the current user against the service. The `@fluidframework/test-client-utils` package provides an `InsecureTokenProvider` that can be used for development purposes.
+To connect to an Azure Fluid Relay instance, you first need to create an `AzureClient`. You must provide some configuration parameters including the tenant ID, service URL, and a token provider to generate the JSON Web Token (JWT) that will be used to authorize the current user against the service. The `@fluidframework/test-client-utils` package provides an `InsecureTokenProvider` that can be used for development purposes.
> [!CAUTION] > The `InsecureTokenProvider` should only be used for development purposes because **using it exposes the tenant key secret in your client-side code bundle.** This must be replaced with an implementation of `ITokenProvider` that fetches the token from your own backend service that is responsible for signing it with the tenant key.
Now that you have an instance of `AzureClient`, you can start using it to create
### Token providers
-The [AzureFunctionTokenProvider](https://github.com/microsoft/FluidFramework/blob/main/azure/packages/azure-client/src/AzureFunctionTokenProvider.ts) is an implementation of `ITokenProvider` which ensures your tenant key secret is not exposed in your client-side bundle code. The `AzureFunctionTokenProvider` takes in your Azure Function URL appended by `/api/GetAzureToken` along with the current user object. Later on, it makes a `GET` request to your Azure Function by passing in the tenantId, documentId and userId/userName as optional parameters.
+The [AzureFunctionTokenProvider](https://github.com/microsoft/FluidFramework/blob/main/azure/packages/azure-client/src/AzureFunctionTokenProvider.ts) is an implementation of `ITokenProvider` that ensures your tenant key secret is not exposed in your client-side bundle code. The `AzureFunctionTokenProvider` takes in your Azure Function URL appended by `/api/GetAzureToken` along with the current user object. Later on, it makes a `GET` request to your Azure Function by passing in the tenantId, documentId and userId/userName as optional parameters.
```javascript const config = {
const { container, services } = await azureClient.createContainer(
const id = await container.attach(); ```
-The `container.attach()` call is when the container actually becomes connected to the service and is recorded in its blob storage. It returns an `id` which is the unique identifier to this container instance.
+The `container.attach()` call is when the container actually becomes connected to the service and is recorded in its blob storage. It returns an `id` that is the unique identifier to this container instance.
Any client that wants to join the same collaborative session needs to call `getContainer` with the same container `id`.
The container being fetched back will hold the `initialObjects` as defined in th
Calls to `createContainer` and `getContainer` return two values: a `container` -- described above -- and a `services` object.
-The `container` contains the Fluid data model and is service-agnostic. Any code you write against this container object returned by the `AzureClient` is reusable with the client for another service. An example of this is if you prototyped your scenario using `TinyliciousClient`, then all of your code interacting with the shared objects within the Fluid container can be reused when moving to using `AzureClient`.
+The `container` contains the Fluid data model and is service-agnostic. Any code you write against this container object returned by the `AzureClient` is reusable with the client for another service. An example is if you prototyped your scenario using `TinyliciousClient`, then all of your code interacting with the shared objects within the Fluid container can be reused when moving to using `AzureClient`.
The `services` object contains data that is specific to the Azure Fluid Relay service. This object contains an `audience` value that can be used to manage the roster of users that are currently connected to the container.
audience.on("membersChanged", onAudienceChanged);
`audience` also emits events for when the roster of members changes. `membersChanged` will fire for any roster changes, whereas `memberAdded` and `memberRemoved` will fire for their respective changes with the `clientId` and `member` values that have been modified. After any of these events fire, a new call to `getMembers` will return the updated member roster.
-A sample `AzureMember` object looks like the following:
+A sample `AzureMember` object looks like:
```json {
A sample `AzureMember` object looks like the following:
} ```
-Alongside the user ID, name and additional details, `AzureMember` objects also hold an array of `connections`. If the user is logged into the session with only one client, `connections` will only have one value in it with the ID of the client and if is in read/write mode. However, if the same user is logged in from multiple clients (i.e. they are logged in from different devices or have multiple browser tabs open with the same container), `connections` here will hold multiple values for each client. In the example data above, we can see that a user with name "Test User" and ID "0e662aca-9d7d-4ff0-8faf-9f8672b70f15" currently has the container open from two different clients. The values in the `additionalDetails` field match up to the values provided in the `AzureFunctionTokenProvider` token generation.
+Alongside the user ID, name and additional details, `AzureMember` objects also hold an array of `connections`. If the user is logged into the session with only one client, `connections` will only have one value in it with the ID of the client, and whether is in read/write mode. However, if the same user is logged in from multiple clients (that is, they are logged in from different devices or have multiple browser tabs open with the same container), `connections` here will hold multiple values for each client. In the example data above, we can see that a user with name "Test User" and ID "0e662aca-9d7d-4ff0-8faf-9f8672b70f15" currently has the container open from two different clients. The values in the `additionalDetails` field match up to the values provided in the `AzureFunctionTokenProvider` token generation.
These functions and events can be combined to present a real-time view of the users in the current session.
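Review bot: the `+` line describing `connections` reads "and whether is in read/write mode", which is missing its subject; make it "and whether it is in read/write mode". In the "Connecting to the service" paragraph the configuration now lists a single "service URL" in place of the separate orderer and storage URLs, but the unchanged `config` code block below it (`const config = {`) is not shown in this hunk; confirm it has been updated to the single-endpoint shape so the prose and the sample agree. The `[!CAUTION]` block on `InsecureTokenProvider` is the right place to keep the warning that it exposes the tenant key in the client bundle; consider adding a cross-reference there to the `AzureFunctionTokenProvider` paragraph so readers land on the supported replacement directly.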
azure-fluid-relay Container Deletion https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/how-tos/container-deletion.md
# Delete Fluid containers in Azure Fluid Relay
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- In this scenario, we will be deleting an existing Fluid container. Once a container is deleted, applications referencing the container will no longer be able to access the container or its data. ## Requirements to delete a Fluid container
az rest --method get --uri https://management.azure.com/subscriptions/<subscript
**frsResourceName**: Name of your Fluid Relay resource. Note that this is different from the tenantId of the Fluid Relay resource.
-**apiVersion**: API Version of resource provider. Minimum supported version is **2021-08-30-preview**.
+**apiVersion**: API Version of resource provider. Minimum supported version is **2022-06-01**.
## Sample output
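Review bot: the minimum `apiVersion` is raised to 2022-06-01, but the `az rest --method get --uri ...` example above is not shown as changed in this hunk; make sure its `api-version` query value matches the new minimum, otherwise the documented minimum and the sample command disagree and the sample output below may not correspond to the new API version.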
azure-fluid-relay Fluid Json Web Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/how-tos/fluid-json-web-token.md
# Azure Fluid Relay token contract
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- Requests sent to Azure Fluid Relay should contain a JWT token in the authorization header. This token should be [signed by the tenant key](../concepts/authentication-authorization.md). ## Claims
azure-fluid-relay Local Mode With Azure Client https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/how-tos/local-mode-with-azure-client.md
# How to: Use AzureClient for local testing
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- This article walks through the steps to configure **AzureClient** in local mode and use it to test your Fluid application locally. ## Configure and create an AzureClient
This article walks through the steps to configure **AzureClient** in local mode
const azureClient = new AzureClient(clientProps); ```
-This example uses the **InsecureTokenProvider** to generate and sign authentication tokens that the Azure Fluid Relay service will accept. However, as the name implies, this is insecure and should not be used in production environments. For more information about InsecureTokenProvider, refer to [Authentication and authorization in your app](https://fluidframework.com/docs/build/auth/#the-token-provider).
+This example uses the **InsecureTokenProvider** to generate and sign authentication tokens that the Azure Fluid Relay service will accept. However, as the name implies, this implementation is insecure and shouldn't be used in production environments. For more information about InsecureTokenProvider, see [Authentication and authorization in your app](https://fluidframework.com/docs/build/auth/#the-token-provider).
-To run locally, you first configure the orderer and storage URLs to point to the domain and port that the local Azure Fluid Relay service instance is running at (http://localhost:7070 by default). The final step is to set the `tenantId` to `LOCAL_MODE_TENANT_ID`. All of these settings together configure AzureClient to work with a local Azure Fluid Relay service.
+To run locally, you first configure the endpoint to point to the domain, and port that the local Azure Fluid Relay service instance is running at (http://localhost:7070 by default). The final step is to set the `tenantId` to `LOCAL_MODE_TENANT_ID`. All of these settings together configure AzureClient to work with a local Azure Fluid Relay service.
## Enabling debug logging
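Review bot: the new sentence "configure the endpoint to point to the domain, and port that the local Azure Fluid Relay service instance is running at" has a stray comma after "domain"; make it "the domain and port that the local Azure Fluid Relay service instance is running at". The preceding paragraph is clear that `InsecureTokenProvider` is for local testing only; it would help to add that `LOCAL_MODE_TENANT_ID` is likewise only meaningful against the local service, so neither setting survives into a production configuration.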
azure-fluid-relay Provision Fluid Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/how-tos/provision-fluid-azure-portal.md
Last updated 10/05/2021 + # How to: Provision an Azure Fluid Relay service
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- Before you can connect your app to an Azure Fluid Relay, you must provision an Azure Fluid Relay server resource in your Azure account. This article walks through the steps to get your Azure Fluid Relay service provisioned and ready to use. ## Prerequisites
Each Azure Fluid Relay server resource provides a tenant for you to use in your
4. Select a location for the namespace. > [!NOTE]
- > During the public preview, the only West US 2, West Europe, and SoutheastAsia regions are supported
+ > Currently, the only regions supported are: West US 2, West Europe, and SoutheastAsia.
5. Click the **Review + Create** button at the bottom of the page.
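Review bot: the replacement note lists "SoutheastAsia" alongside the display names "West US 2" and "West Europe"; use the display name "Southeast Asia" for consistency. With "During the public preview" replaced by "Currently", the sentence now reads as a standing limitation, so if the region list is expected to grow it is better to point readers to the service's region availability information than to hard-code the three names here.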
azure-fluid-relay Test Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/how-tos/test-automation.md
fluid.url: https://fluidframework.com/docs/testing/testing/
# How to: Use test automation with Azure Fluid Relay
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- Testing and automation are crucial to maintaining the quality and longevity of your code. Internally, Fluid uses a range of unit and integration tests powered by [Mocha](https://mochajs.org/), [Jest](https://jestjs.io/), [Puppeteer](https://github.com/puppeteer/puppeteer), and [Webpack](https://webpack.js.org/). You can run tests using the local **@fluidframework/azure-local-service** or using a test tenant in Azure Fluid Relay service. **AzureClient** can be configured to connect to both a remote service and a local service, which enables you to use a single client type between tests against live and local service instances. The only difference is the configuration used to create the client.
azure-fluid-relay Validate Document Creator https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/how-tos/validate-document-creator.md
fluid.url: https://fluidframework.com/docs/apis/azure-client/itokenprovider/
# How to: Validate a User Created a Document
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
-
-When creating a document in Azure Fluid Relay, the JWT provided by the `ITokenProvider` for the creation request can only be used once. After creating a document, the client must generate a new JWT that contains the document ID provided by the service at creation time. If an application has an authorization service that manages document access control, it will need to know who created a document with a given ID in order to authorize the generation of a new JWT for access to that document.
+When you create a document in Azure Fluid Relay, the JWT provided by the `ITokenProvider` for the creation request can only be used once. After creating a document, the client must generate a new JWT that contains the document ID provided by the service at creation time. If an application has an authorization service that manages document access control, it will need to know who created a document with a given ID in order to authorize the generation of a new JWT for access to that document.
## Inform an Authorization Service when a document is Created An application can tie into the document creation lifecycle by implementing a public `documentPostCreateCallback()` property in its `TokenProvider`. This callback will be triggered directly after creating the document, before a client requests the new JWT it needs to gain read/write permissions to the document that was created.
-The `documentPostCreateCallback()` receives 2 parameters: 1) the ID of the document that was created and 2) a JWT signed by the service with no permission scopes. The authorization service can verify the given JWT and use the information in the JWT to grant the correct user permissions for the newly created document.
+The `documentPostCreateCallback()` receives two parameters: 1) the ID of the document that was created and 2) a JWT signed by the service with no permission scopes. The authorization service can verify the given JWT and use the information in the JWT to grant the correct user permissions for the newly created document.
### Create an endpoint for your document creation callback
export default httpTrigger;
### Implement the `documentPostCreateCallback`
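Review bot: In the rewritten sentence "The authorization service can verify the given JWT and use the information in the JWT to grant the correct user permissions", "can verify" reads as optional. Because the callback's JWT carries no permission scopes and is the only evidence of who created the document with the given ID, state that the authorization service must validate the token's signature and claims before tying that document ID to a user, and that the document ID alone, or a token presented by the client without verification, is not sufficient to grant access.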
-This example implementation below extends the [AzureFunctionTokenProvider](https://fluidframework.com/docs/apis/azure-client/azurefunctiontokenprovider/) and uses the [axios](https://www.npmjs.com/package/axios) library to make a simple HTTP request to the Azure Function used for generating tokens.
+This example implementation below extends the [AzureFunctionTokenProvider](https://fluidframework.com/docs/apis/azure-client/azurefunctiontokenprovider/) and uses the [axios](https://www.npmjs.com/package/axios) library to make a HTTP request to the Azure Function used for generating tokens.
```typescript import { AzureFunctionTokenProvider, AzureMember } from "@fluidframework/azure-client";
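Review bot: Typo in the added line: "make a HTTP request" should read "make an HTTP request". While touching this sentence, it is worth saying that the request to the token-generating Azure Function must go over HTTPS, since its response is the bearer token the client will present to the service.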
azure-fluid-relay Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/overview/overview.md
# Azure Fluid Relay overview
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- The [Fluid Framework](https://fluidframework.com/) is an open source, platform independent framework. [Azure Fluid Relay](../overview/overview.md) is a managed offering for the Fluid Framework that helps developers build real-time collaborative experiences and replicate state across connected JavaScript clients in real-time. ## What is the Fluid Framework?
The following steps are a typical flow.
1. Fluid runtime incorporates that operation into local data and raises a "valueChanged" event. 1. Client code handles that event (updates view, runs business logic).
-## Getting to version 1.0
-
-The core technology powering Fluid Framework is mature and stable. However, the layers built on top of that foundation are still a work in progress. Over the coming months we will be evolving APIs, adding new features, and working to further simplify using the framework. These changes are driven by Microsoft's use of Fluid internally and by requirements we are gathering from developers currently building on Fluid.
-
-Fluid Framework is not ready to power production-quality solutions yet. But we are excited to open source it now to give developers an opportunity to explore, learn, and contribute both through feedback and through direct participation.
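Review bot: The deleted "Getting to version 1.0" section is the only text in this hunk telling readers that Fluid Framework "is not ready to power production-quality solutions yet", and the preview NOTE above it is removed in the same change; make sure the article still states the current support status somewhere, otherwise readers get no guidance at all on production readiness.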
azure-fluid-relay Quickstart Dice Roll https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/quickstarts/quickstart-dice-roll.md
# Quickstart: Dice roller
-> [!NOTE]
-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
-
-In this quickstart, we'll walk through through the process of creating a dice roller app that uses the Azure Fluid Relay service. The quickstart is broken into two parts. In part one, we'll create the app itself and run it against a local Fluid server. In part two, we'll reconfigure the app to run against the Azure Fluid Relay service instead of the local dev server.
+In this quickstart, we'll walk through the process of creating a dice roller app that uses the Azure Fluid Relay service. The quickstart is broken into two parts. In part one, we'll create the app itself and run it against a local Fluid server. In part two, we'll reconfigure the app to run against the Azure Fluid Relay service instead of the local dev server.
The sample code used in this quickstart is available [here](https://github.com/microsoft/FluidHelloWorld/tree/main-azure).
azure-functions Durable Functions Create First Csharp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/durable-functions-create-first-csharp.md
In this section, you use Visual Studio Code to create a local Azure Functions pr
| Prompt | Value | Description | | | -- | -- | | Select a language for your function app project | C# | Create a local C# Functions project. |
- | Select a version | Azure Functions v3 | You only see this option when the Core Tools aren't already installed. In this case, Core Tools are installed the first time you run the app. |
+ | Select a version | Azure Functions v4 | You only see this option when the Core Tools aren't already installed. In this case, Core Tools are installed the first time you run the app. |
| Select a template for your project's first function | Skip for now | | | Select how you would like to open your project | Open in current window | Reopens Visual Studio Code in the folder you selected. |
azure-functions Quickstart Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/quickstart-java.md
To complete this tutorial, you need:
- [Apache Maven](https://maven.apache.org), version 3.0 or above. - Latest version of the [Azure Functions Core Tools](../functions-run-local.md).
- - For Azure Functions 3.x, Core Tools **v3.0.4585** or newer is required.
- For Azure Functions 4.x, Core Tools **v4.0.4590** or newer is required. - An Azure Storage account, which requires that you have an Azure subscription.
azure-functions Quickstart Js Vscode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/quickstart-js-vscode.md
In this section, you use Visual Studio Code to create a local Azure Functions pr
| Prompt | Value | Description | | | -- | -- | | Select a language for your function app project | JavaScript | Create a local Node.js Functions project. |
- | Select a version | Azure Functions v3 | You only see this option when the Core Tools aren't already installed. In this case, Core Tools are installed the first time you run the app. |
+ | Select a version | Azure Functions v4 | You only see this option when the Core Tools aren't already installed. In this case, Core Tools are installed the first time you run the app. |
| Select a template for your project's first function | Skip for now | | | Select how you would like to open your project | Open in current window | Reopens VS Code in the folder you selected. |
azure-functions Quickstart Powershell Vscode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/quickstart-powershell-vscode.md
In this section, you use Visual Studio Code to create a local Azure Functions pr
| Prompt | Value | Description | | | -- | -- | | Select a language for your function app project | PowerShell | Create a local PowerShell Functions project. |
- | Select a version | Azure Functions v3 | You only see this option when the Core Tools aren't already installed. In this case, Core Tools are installed the first time you run the app. |
+ | Select a version | Azure Functions v4 | You only see this option when the Core Tools aren't already installed. In this case, Core Tools are installed the first time you run the app. |
| Select a template for your project's first function | Skip for now | | | Select how you would like to open your project | Open in current window | Reopens VS Code in the folder you selected. |
azure-functions Quickstart Python Vscode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/quickstart-python-vscode.md
In this section, you use Visual Studio Code to create a local Azure Functions pr
| Prompt | Value | Description | | | -- | -- | | Select a language for your function app project | Python | Create a local Python Functions project. |
- | Select a version | Azure Functions v3 | You only see this option when the Core Tools aren't already installed. In this case, Core Tools are installed the first time you run the app. |
+ | Select a version | Azure Functions v4 | You only see this option when the Core Tools aren't already installed. In this case, Core Tools are installed the first time you run the app. |
| Python version | Python 3.6, 3.7, or 3.8 | Visual Studio Code will create a virtual environment with the version you select. | | Select a template for your project's first function | Skip for now | | | Select how you would like to open your project | Open in current window | Reopens Visual Studio Code in the folder you selected. |
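Review bot: Changing the version prompt to Azure Functions v4 leaves the next row, "Python version | Python 3.6, 3.7, or 3.8", untouched; the v4 runtime does not support Python 3.6, so the listed versions should be brought in line with what v4 accepts (drop 3.6, and check whether 3.9 should now be listed).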
azure-functions Functions Reference Node https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-reference-node.md
You can see the current version that the runtime is using by logging `process.ve
# [Windows](#tab/windows-setting-the-node-version)
-For Windows function apps, target the version in Azure by setting the `WEBSITE_NODE_DEFAULT_VERSION` [app setting](functions-how-to-use-azure-function-app-settings.md#settings) to a supported LTS version, such as `~14`.
+For Windows function apps, target the version in Azure by setting the `WEBSITE_NODE_DEFAULT_VERSION` [app setting](functions-how-to-use-azure-function-app-settings.md#settings) to a supported LTS version, such as `~16`.
# [Linux](#tab/linux-setting-the-node-version)
azure-functions Functions Run Local https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-run-local.md
Starting with version 2.x, Core Tools runs on [Windows](?tabs=windows#v2), [macO
# [Windows](#tab/windows/v4)
-The following steps use a Windows installer (MSI) to install Core Tools v4.x. For more information about other package-based installers, see the [Core Tools readme](https://github.com/Azure/azure-functions-core-tools/blob/master/README.md#windows).
+The following steps use a Windows installer (MSI) to install Core Tools v4.x. For more information about other package-based installers, see the [Core Tools readme](https://github.com/Azure/azure-functions-core-tools/blob/v4.x/README.md#windows).
Download and run the Core Tools installer, based on your version of Windows:
azure-government Azure Services In Fedramp Auditscope https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/compliance/azure-services-in-fedramp-auditscope.md
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
| [Azure Service Manager (RDFE)](/previous-versions/azure/ee460799(v=azure.100)) | &#x2705; | &#x2705; | | [Azure Sign-up portal](https://signup.azure.com/) | &#x2705; | &#x2705; | | [Azure Sphere](/azure-sphere/) | &#x2705; | &#x2705; |
+| [Azure Spring Apps](../../spring-apps/index.yml) | &#x2705; | &#x2705; |
| [Azure Stack Edge](../../databox-online/index.yml) (formerly Data Box Edge) **&ast;** | &#x2705; | &#x2705; | | [Azure Virtual Desktop](../../virtual-desktop/index.yml) (formerly Windows Virtual Desktop) | &#x2705; | &#x2705; | | [Azure VMware Solution](../../azure-vmware/index.yml) | &#x2705; | &#x2705; |
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
| [Service Health](../../service-health/index.yml) | &#x2705; | &#x2705; | | [SignalR Service](../../azure-signalr/index.yml) | &#x2705; | &#x2705; | | [Site Recovery](../../site-recovery/index.yml) | &#x2705; | &#x2705; |
-| [Spring Cloud](../../spring-cloud/index.yml) | &#x2705; | &#x2705; |
| [SQL Database](/azure/azure-sql/database/sql-database-paas-overview) | &#x2705; | &#x2705; | | [SQL Server Registry](/sql/sql-server/end-of-support/sql-server-extended-security-updates) | &#x2705; | &#x2705; | | [SQL Server Stretch Database](../../sql-server-stretch-database/index.yml) | &#x2705; | &#x2705; |
azure-government Documentation Government Overview Wwps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-overview-wwps.md
recommendations: false Previously updated : 07/25/2022 Last updated : 07/29/2022 # Azure for secure worldwide public sector cloud adoption
Based on customer feedback, Microsoft has started to invest in higher-level [sce
#### *Homomorphic encryption*
-[Homomorphic encryption](https://www.microsoft.com/research/project/homomorphic-encryption/) refers to a special type of encryption technology that allows for computations to be performed on encrypted data, without requiring access to a key needed to decrypt the data. The results of the computation are encrypted and can be revealed only by the owner of the encryption key. In this manner, only the encrypted data are processed in the cloud and only you can reveal the results of the computation.
+[Homomorphic encryption](https://homomorphicencryption.org/introduction/) refers to a special type of encryption technology that allows for computations to be performed on encrypted data, without requiring access to a key needed to decrypt the data. The results of the computation are encrypted and can be revealed only by the owner of the encryption key. In this manner, only the encrypted data are processed in the cloud and only you can reveal the results of the computation.
To help you adopt homomorphic encryption, [Microsoft SEAL](https://www.microsoft.com/research/project/microsoft-seal/) provides a set of encryption libraries that allow computations to be performed directly on encrypted data. This approach enables you to build end-to-end encrypted data storage and compute services where you never need to share your encryption keys with the cloud service. Microsoft SEAL aims to make homomorphic encryption easy to use and available to everyone. It provides a simple and convenient API and comes with several detailed examples demonstrating how the library can be used correctly and securely.
azure-monitor Diagnostics Extension Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/diagnostics-extension-overview.md
See the following articles for details on installing and configuring the diagnos
### Azure Cloud Service (classic) Web and Worker Roles - [Introduction to Cloud Service Monitoring](../../cloud-services/cloud-services-how-to-monitor.md) - [Enabling Azure Diagnostics in Azure Cloud Services](../../cloud-services/cloud-services-dotnet-diagnostics.md)-- [Application Insights for Azure cloud services](../app/cloudservices.md)<br>[Trace the flow of a Cloud Services application with Azure Diagnostics](../../cloud-services/cloud-services-dotnet-diagnostics-trace-flow.md)
+- [Application Insights for Azure cloud services](../app/azure-web-apps-net-core.md)<br>[Trace the flow of a Cloud Services application with Azure Diagnostics](../../cloud-services/cloud-services-dotnet-diagnostics-trace-flow.md)
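Review bot: The link text still reads "Application Insights for Azure cloud services" but the new target, `../app/azure-web-apps-net-core.md`, is the Web Apps article; either change the text to describe the target or point at content that actually covers Cloud Services. The deleted `cloudservices.md` (removed later in this same change set) was the only place the role startup task and the *.cscfg* instrumentation-key wiring were documented.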
### Azure Service Fabric - [Monitor and diagnose services in a local machine development setup](../../service-fabric/service-fabric-diagnostics-how-to-monitor-and-diagnose-services-locally.md)
azure-monitor Diagnostics Extension To Application Insights https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/diagnostics-extension-to-application-insights.md
Example configuration of a sink for Application Insights:
- The **ApplicationInsights** element specifies instrumentation key of the Application insights resource where the Azure diagnostics data is sent. - If you don't have an existing Application Insights resource, see [Create a new Application Insights resource](../app/create-new-resource.md) for more information on creating a resource and getting the instrumentation key.
- - If you are developing a Cloud Service with Azure SDK 2.8 and later, this instrumentation key is automatically populated. The value is based on the **APPINSIGHTS_INSTRUMENTATIONKEY** service configuration setting when packaging the Cloud Service project. See [Use Application Insights with Cloud Services](../app/cloudservices.md).
+ - If you are developing a Cloud Service with Azure SDK 2.8 and later, this instrumentation key is automatically populated. The value is based on the **APPINSIGHTS_INSTRUMENTATIONKEY** service configuration setting when packaging the Cloud Service project. See [Use Application Insights with Cloud Services](../app/azure-web-apps-net-core.md).
- The **Channels** element contains one or more **Channel** elements. - The *name* attribute uniquely refers to that channel.
In the previous configuration, the following lines have the following meanings:
- **You cannot send blob data collected by Azure diagnostics extension to Application Insights.** For example, anything specified under the *Directories* node. For Crash Dumps the actual crash dump is sent to blob storage and only a notification that the crash dump was generated is sent to Application Insights. ## Next Steps
-* Learn how to [view your Azure diagnostics information](../app/cloudservices.md) in Application Insights.
+* Learn how to [view your Azure diagnostics information](../app/azure-web-apps-net-core.md) in Application Insights.
* Use [PowerShell](../../cloud-services/cloud-services-diagnostics-powershell.md) to enable the Azure diagnostics extension for your application. * Use [Visual Studio](/visualstudio/azure/vs-azure-tools-diagnostics-for-cloud-services-and-virtual-machines) to enable the Azure diagnostics extension for your application
azure-monitor Diagnostics Extension Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/diagnostics-extension-versions.md
Added Storage Type to PublicConfig. StorageType can be *Table*, *Blob*, *TableAn
Added the ability to route to EventHub. ### Diagnostics extension 1.5
-Added the sinks element and the ability to send diagnostics data to [Application Insights](../app/cloudservices.md) making it easier to diagnose issues across your application as well as the system and infrastructure level.
+Added the sinks element and the ability to send diagnostics data to [Application Insights](../app/azure-web-apps-net-core.md) making it easier to diagnose issues across your application as well as the system and infrastructure level.
### Azure SDK 2.6 and diagnostics extension 1.3 For Cloud Service projects in Visual Studio, the following changes were made. (These changes also apply to later versions of Azure SDK.)
azure-monitor Asp Net Dependencies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/asp-net-dependencies.md
For ASP.NET applications, full SQL query text is collected with the help of byte
| | | | Azure Web App |In your web app control panel, [open the Application Insights pane](../../azure-monitor/app/azure-web-apps.md) and enable SQL Commands under .NET | | IIS Server (Azure VM, on-premises, and so on.) | Either use the [Microsoft.Data.SqlClient](https://www.nuget.org/packages/Microsoft.Data.SqlClient) NuGet package or use the Status Monitor PowerShell Module to [install the Instrumentation Engine](../../azure-monitor/app/status-monitor-v2-api-reference.md#enable-instrumentationengine) and restart IIS. |
-| Azure Cloud Service | Add [startup task to install StatusMonitor](../../azure-monitor/app/cloudservices.md#set-up-status-monitor-to-collect-full-sql-queries-optional) <br> Your app should be onboarded to ApplicationInsights SDK at build time by installing NuGet packages for [ASP.NET](./asp-net.md) or [ASP.NET Core applications](./asp-net-core.md) |
+| Azure Cloud Service | Add [startup task to install StatusMonitor](../../azure-monitor/app/azure-web-apps-net-core.md) <br> Your app should be onboarded to ApplicationInsights SDK at build time by installing NuGet packages for [ASP.NET](./asp-net.md) or [ASP.NET Core applications](./asp-net-core.md) |
| IIS Express | Use the [Microsoft.Data.SqlClient](https://www.nuget.org/packages/Microsoft.Data.SqlClient) NuGet package. | Azure Web Jobs | Use the [Microsoft.Data.SqlClient](https://www.nuget.org/packages/Microsoft.Data.SqlClient) NuGet package.
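Review bot: The retargeted link drops the anchor `#set-up-status-monitor-to-collect-full-sql-queries-optional` and now points at a Web Apps article that has no Cloud Service startup task, so the instruction "Add startup task to install StatusMonitor" no longer leads anywhere actionable; either inline the `<Startup>` task and the `COR_ENABLE_PROFILING` / `COR_PROFILER` environment variables from the deleted article in this row, or replace the row with a statement that this option is no longer documented for Cloud Services.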
azure-monitor Cloudservices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/cloudservices.md
- Title: Application Insights for Azure cloud services | Microsoft Docs
-description: Monitor your web and worker roles effectively with Application Insights
-- Previously updated : 06/02/2022---
-# Application Insights for Azure cloud services
-[Application Insights][start] can monitor [Azure cloud service apps](https://azure.microsoft.com/services/cloud-services/) for availability, performance, failures, and usage by combining data from Application Insights SDKs with [Azure Diagnostics](../agents/diagnostics-extension-overview.md) data from your cloud services. With the feedback you get about the performance and effectiveness of your app in the wild, you can make informed choices about the direction of the design in each development lifecycle.
-
-![Overview dashboard](./media/cloudservices/overview-graphs.png)
--
-## Prerequisites
-Before you begin, you need:
-
-* An [Azure](https://azure.com) subscription.
-
- [Sign in](https://azure.microsoft.com/auth/signin) with your Microsoft account for Windows, Xbox Live, or other Microsoft cloud services.
-
-* Microsoft Azure tools 2.9 or later.
-* Developer Analytics Tools 7.10 or later.
-
-## Get started quickly
-The quickest and easiest way to monitor your cloud service with Application Insights is to choose that option when you publish your service to Azure.
-
-![Example Diagnostics Settings page](./media/cloudservices/azure-cloud-application-insights.png)
-
-This option instruments your app at runtime, giving you all the telemetry that you need to monitor requests, exceptions, and dependencies in your web role. It also monitors performance counters from your worker roles. Any diagnostics traces generated by your app are also sent to Application Insights.
-
-If this option is all you need, you're done.
-
-Your next steps are [viewing metrics from your app](../essentials/metrics-charts.md) and [querying your data with Analytics](../logs/log-query-overview.md).
-
-To monitor performance in the browser, you might also want to set up [availability tests](./monitor-web-app-availability.md) and [add code to your webpages](./javascript.md).
-
-The next sections discuss the following additional options:
-
-* Send data from various components and build configurations to separate resources.
-* Add custom telemetry from your app.
-
-## Sample app instrumented with Application Insights
-In this [sample app](https://github.com/MohanGsk/ApplicationInsights-Home/tree/master/Samples/AzureEmailService), Application Insights is added to a cloud service with two worker roles hosted in Azure.
-
-In the next section, you learn how to adapt your own cloud service project in the same way.
-
-## Plan resources and resource groups
-The telemetry from your app is stored, analyzed, and displayed in an Azure resource of type Application Insights.
-
-Each resource belongs to a resource group. Resource groups are used to manage costs, to grant access to team members, and to deploy updates in a single coordinated transaction. For example, you could [write a script to deploy](../../azure-resource-manager/templates/deploy-powershell.md) an Azure cloud service and its Application Insights monitoring resources all in one operation.
-
-### Resources for components
-
-We recommend that you [add a dimension property to each telemetry item](./api-filtering-sampling.md#addmodify-properties-itelemetryinitializer) that identifies its source role. In this approach, metric charts, such as exceptions, normally show an aggregation of the counts from the various roles, but you can segment the chart by the role identifier, as necessary. You can also filter searches by the same dimension. This alternative makes it a bit easier to view everything at the same time, but it could also lead to some confusion between the roles.
-
-Browser telemetry is usually included in the same resource as its server-side web role.
-
-Put the Application Insights resources for the various components in one resource group. This approach makes it easy to manage them together.
-
-### Separate development, test, and production
-If you are developing custom events for your next feature while the previous version is live, you want to send the development telemetry to a separate Application Insights resource. Otherwise, it can be hard to find your test telemetry among all the traffic from the live site.
-
-To avoid this situation, create separate resources for each build configuration or "stamp" (development, test, production, and so on) of your system. Put the resources for each build configuration in a separate resource group.
-
-To send the telemetry to the appropriate resources, you can set up the Application Insights SDK so that it picks up a different instrumentation key, depending on the build configuration.
-
-Learn how to [dynamically set the instrumentation key](./separate-resources.md#dynamic-ikey) for different stages.
-
-## Create an Application Insights resource for each role
-
-If you've decided to create a separate resource for each role, and perhaps a separate set for each build configuration, it's easiest to create them all in the Application Insights portal. If you create resources a lot, you can [automate the process](./powershell.md).
-
-1. In the [Azure portal][portal], select **New** > **Developer Services** > **Application Insights**.
-
- ![Application Insights pane](./media/cloudservices/01-new.png)
-
-1. In the **Application Type** drop-down list, select **ASP.NET web application**.
-
-Each resource is identified by an instrumentation key. You might need this key later if you want to manually configure or verify the configuration of the SDK.
--
-## Set up Azure Diagnostics for each role
-Set this option to monitor your app with Application Insights. For web roles, this option provides performance monitoring, alerts, diagnostics, and usage analysis. For other roles, you can search and monitor Azure Diagnostics such as restart, performance counters, and calls to System.Diagnostics.Trace.
-
-1. In Visual Studio Solution Explorer, under **\<YourCloudService>** > **Roles**, open the properties of each role.
-
-1. In **Configuration**, select the **Send diagnostics data to Application Insights** check box, and then select the Application Insights resource that you created earlier.
-
-If you have decided to use a separate Application Insights resource for each build configuration, select the configuration first.
-
-![Configure Application Insights](./media/cloudservices/configure-azure-diagnostics.png)
-
-This has the effect of inserting your Application Insights instrumentation keys into the files named *ServiceConfiguration.\*.cscfg*. Here is the [Sample code](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/AzureEmailService/ServiceConfiguration.Cloud.cscfg).
-
-If you want to vary the level of diagnostics information that's sent to Application Insights, you can do so [by editing the *.cscfg* files directly](../agents/diagnostics-extension-to-application-insights.md).
-
-## <a name="sdk"></a>Install the SDK in each project
-With this option, you can add custom business telemetry to any role. The option provides a closer analysis of how your app is used and performs.
-
-In Visual Studio, configure the Application Insights SDK for each cloud app project.
-
-1. To configure **web roles**, right-click the project, and then select **Configure Application Insights** or **Add > Application Insights telemetry**.
-
-1. To configure **worker roles**:
-
- a. Right-click the project, and then select **Manage NuGet Packages**.
-
- b. Add [Application Insights for Windows Servers](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WindowsServer/).
-
-1. To configure the SDK to send data to the Application Insights resource:
-
- a. In a suitable startup function, set the instrumentation key from the configuration setting in the *.cscfg* file:
-
- ```csharp
- TelemetryConfiguration configuration = TelemetryConfiguration.CreateDefault();
- configuration.InstrumentationKey = RoleEnvironment.GetConfigurationSettingValue("APPINSIGHTS_INSTRUMENTATIONKEY");
- var telemetryClient = new TelemetryClient(configuration);
- ```
-
- b. Repeat "step a" for each role in your app. See the examples:
-
- * [Web role](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/MvcWebRole/Global.asax.cs#L27)
- * [Worker role](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/WorkerRoleA.cs#L232)
- * [For webpages](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/MvcWebRole/Views/Shared/_Layout.cshtml#L13)
-
-1. Set the *ApplicationInsights.config* file to be copied always to the output directory.
-
- A message in the *.config* file asks you to place the instrumentation key there. However, for cloud apps, it's better to set it from the *.cscfg* file. This approach ensures that the role is correctly identified in the portal.
-
-## Set up Status Monitor to collect full SQL Queries (optional)
-
-This step is only needed if you want to capture full SQL queries on .NET Framework.
-
-1. In `\*.csdef` file Add [startup task](../../cloud-services/cloud-services-startup-tasks.md) for each role similar to
-
- ```xml
- <Startup>
- <Task commandLine="AppInsightsAgent\InstallAgent.bat" executionContext="elevated" taskType="simple">
- <Environment>
- <Variable name="ApplicationInsightsAgent.DownloadLink" value="http://go.microsoft.com/fwlink/?LinkID=522371" />
- <Variable name="RoleEnvironment.IsEmulated">
- <RoleInstanceValue xpath="/RoleEnvironment/Deployment/@emulated" />
- </Variable>
- </Environment>
- </Task>
- </Startup>
- ```
-
-2. Download [InstallAgent.bat](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/AppInsightsAgent/InstallAgent.bat) and [InstallAgent.ps1](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/AppInsightsAgent/InstallAgent.ps1), put them into the `AppInsightsAgent` folder on each role project. Make sure to copy them to the output directory through Visual Studio file properties or build scripts.
-
-3. On all Worker Roles, add environment variables:
-
- ```xml
- <Environment>
- <Variable name="COR_ENABLE_PROFILING" value="1" />
- <Variable name="COR_PROFILER" value="{324F817A-7420-4E6D-B3C1-143FBED6D855}" />
- <Variable name="MicrosoftInstrumentationEngine_Host" value="{CA487940-57D2-10BF-11B2-A3AD5A13CBC0}" />
- </Environment>
- ```
-
-## Run and publish the app
-
-1. Run your app, and sign in to Azure.
-
-1. Open the Application Insights resources that you created.
-
- Individual data points are displayed in [Search][diagnostic], and aggregated data is displayed in [Metric Explorer](../essentials/metrics-charts.md).
-
-1. Add more telemetry (see the next sections) and then publish your app to get live diagnostics and usage feedback.
-
-If there is no data, do the following:
-
-1. To view individual events, open the [Search][diagnostic] tile.
-1. In the app, open various pages so that it generates some telemetry.
-1. Wait a few seconds, and then click **Refresh**.
-
-## View Azure Diagnostics events
-You can find the [Azure Diagnostics](../agents/diagnostics-extension-overview.md) information in Application Insights in the following locations:
-
-* Performance counters are displayed as custom metrics.
-* Windows event logs are shown as traces and custom events.
-* Application logs, ETW logs, and any diagnostics infrastructure logs appear as traces.
-
-To view performance counters and counts of events, open [Metrics Explorer](../essentials/metrics-charts.md) and add the following chart:
-
-![Azure Diagnostics data](./media/cloudservices/23-wad.png)
-
-To search across the various trace logs that are sent by Azure Diagnostics, use [Search](./diagnostic-search.md) or an [Analytics query](../logs/log-analytics-tutorial.md). For example, suppose you have an unhandled exception that has caused a role to crash and recycle. That information would show up in the Application channel of Windows Event Log. You can use Search to view the Windows Event Log error and get the full stack trace for the exception. Doing so helps you find the root cause of the issue.
-
-![Azure Diagnostics search](./media/cloudservices/25-wad.png)
-
-## More telemetry
-The next sections discuss how to get additional telemetry from various aspects of your app.
-
-## Track requests from worker roles
-In web roles, the requests module automatically collects data about HTTP requests. For examples of how you can override the default collection behavior, see the [sample MVCWebRole](https://github.com/MohanGsk/ApplicationInsights-Home/tree/master/Samples/AzureEmailService/MvcWebRole).
-
-You can capture the performance of calls to worker roles by tracking them in the same way as HTTP requests. In Application Insights, the Request telemetry type measures a unit of named server-side work that can be timed and can independently succeed or fail. Although HTTP requests are captured automatically by the SDK, you can insert your own code to track requests to worker roles.
-
-See the two sample worker roles instrumented to report requests:
-* [WorkerRoleA](https://github.com/MohanGsk/ApplicationInsights-Home/tree/master/Samples/AzureEmailService/WorkerRoleA)
-* [WorkerRoleB](https://github.com/MohanGsk/ApplicationInsights-Home/tree/master/Samples/AzureEmailService/WorkerRoleB)
-
-## Exceptions
-For information about how to collect unhandled exceptions from various web app types, see [Monitoring exceptions in Application Insights](./asp-net-exceptions.md).
-
-The sample web role has MVC5 and Web API 2 controllers. The unhandled exceptions from the two are captured with the following handlers:
-
-* [AiHandleErrorAttribute](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/MvcWebRole/Telemetry/AiHandleErrorAttribute.cs) set up for MVC5 controllers [as shown in this example](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/MvcWebRole/App_Start/FilterConfig.cs#L12)
-* [AiWebApiExceptionLogger](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/MvcWebRole/Telemetry/AiWebApiExceptionLogger.cs) set up for Web API 2 controllers [as shown in this example](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/MvcWebRole/App_Start/WebApiConfig.cs#L25)
-
-For worker roles, you can track exceptions in two ways:
-
-* Use TrackException(ex).
-* If you have added the Application Insights trace listener NuGet package, you can use System.Diagnostics.Trace to log exceptions [as shown in this example](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/WorkerRoleA.cs#L107).
-
-## Performance counters
-The following counters are collected by default:
-
-* \Process(??APP_WIN32_PROC??)\% Processor Time
-* \Memory\Available Bytes
-* \.NET CLR Exceptions(??APP_CLR_PROC??)\# of Exceps Thrown / sec
-* \Process(??APP_WIN32_PROC??)\Private Bytes
-* \Process(??APP_WIN32_PROC??)\IO Data Bytes/sec
-* \Processor(_Total)\% Processor Time
-
-For web roles, these counters are also collected:
-
-* \ASP.NET Applications(??APP_W3SVC_PROC??)\Requests/Sec
-* \ASP.NET Applications(??APP_W3SVC_PROC??)\Request Execution Time
-* \ASP.NET Applications(??APP_W3SVC_PROC??)\Requests In Application Queue
-
-You can specify additional custom or other Windows performance counters by editing *ApplicationInsights.config* [as shown in this example](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/ApplicationInsights.config#L14).
-
- ![Performance counters](./media/cloudservices/002-servers.png)
-
-## Correlated telemetry for worker roles
-For a rich diagnostics experience, you can view what led to a failed or high latency request. With web roles, the SDK automatically sets up a correlation between related telemetry.
-
-To achieve this view for worker roles, you can use a custom telemetry initializer to set a common Operation.Id context attribute for all the telemetry. Doing so lets you view at a glance whether the latency or failure issue was caused by a dependency or your code.
-
-Here's how:
-
-* Set the correlationId into a CallContext [as shown in this example](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/WorkerRoleA.cs#L36). In this case, we are using the Request ID as the correlationId.
-* Add a custom TelemetryInitializer implementation, to set the Operation.Id to the correlationId that was set previously. For an example, see [ItemCorrelationTelemetryInitializer](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/Telemetry/ItemCorrelationTelemetryInitializer.cs#L13).
-* Add the custom telemetry initializer. You could do so in the *ApplicationInsights.config* file or in code [as shown in this example](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/WorkerRoleA.cs#L233).
-
-## Client telemetry
-To get browser-based telemetry, such as page view counts, page load times, or script exceptions, and to write custom telemetry in your page scripts, see [Add the JavaScript SDK to your webpages][client].
-
-## Availability tests
-To make sure your app stays live and responsive, [Set up web tests][availability].
-
-## Display everything together
-For an overall picture of your system, you can display the key monitoring charts together on one [dashboard](./overview-dashboard.md). For example, you could pin the request and failure counts of each role.
-
-If your system uses other Azure services, such as Stream Analytics, include their monitoring charts as well.
-
-If you have a client mobile app, use [App Center](../app/mobile-center-quickstart.md). Create queries in [Analytics](../logs/log-query-overview.md) to display the event counts, and pin them to the dashboard.
-
-## Example
-[The example](https://github.com/MohanGsk/ApplicationInsights-Home/tree/master/Samples/AzureEmailService) monitors a service that has a web role and two worker roles.
-
-## Exception "method not found" on running in Azure cloud services
-Did you build for .NET [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core)? Earlier versions aren't automatically supported in Azure cloud services roles. [Install .NET LTS on each role](../../cloud-services/cloud-services-dotnet-install-dotnet.md) before running your app.
-
-## Next steps
-* [Configure sending Azure Diagnostics to Application Insights](../agents/diagnostics-extension-to-application-insights.md)
-* [Automatically create Application Insights resources](./powershell.md)
-* [Automate Azure Diagnostics](./powershell-azure-diagnostics.md)
-* [Azure Functions](https://github.com/christopheranderson/azure-functions-app-insights-sample)
-
-[api]: ./api-custom-events-metrics.md
-[availability]: ./monitor-web-app-availability.md
-[azure]: ./app-insights-overview.md
-[client]: ./javascript.md
-[diagnostic]: ./diagnostic-search.md
-[netlogs]: ./asp-net-trace-logs.md
-[portal]: https://portal.azure.com/
-[qna]: ../faq.yml
-[redfield]: ./status-monitor-v2-overview.md
-[start]: ./app-insights-overview.md
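Review bot: this hunk removes cloudservices.md in full, but no redirect or replacement content for the Cloud Services specifics appears in this change; the later hunks in this batch only repoint links at azure-web-apps-net-core.md, an App Service article. Sections such as the worker role startup task that sets `COR_ENABLE_PROFILING`/`COR_PROFILER`, request tracking for worker roles via `CallContext`, and the per-role instrumentation key method have no obvious App Service equivalent, so either add a redirect entry for cloudservices.md and confirm the target covers worker roles, or keep a short stub pointing to wherever that guidance now lives. Dropping the instruction to download `InstallAgent.bat` and `InstallAgent.ps1` from a personal GitHub account into each role's startup is a welcome side effect: if any replacement keeps agent-install guidance, it should point at Microsoft-owned, versioned sources rather than a contributor's repository.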
azure-monitor Platforms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/platforms.md
* [Azure VM and Azure virtual machine scale sets](./azure-vm-vmss-apps.md) * [Azure App Service](./azure-web-apps.md) * [Azure Functions](../../azure-functions/functions-monitoring.md)
-* [Azure Cloud Services](./cloudservices.md), including both web and worker roles
+* [Azure Cloud Services](./azure-web-apps-net-core.md), including both web and worker roles
### Auto-instrumentation (enable without code changes) * [ASP.NET - for web apps hosted with IIS](./status-monitor-v2-overview.md)
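Review bot: the link text in the `+` line still reads "Azure Cloud Services, including both web and worker roles" while the target is now `./azure-web-apps-net-core.md`, which documents App Service and has no worker role concept. Either change the text to describe what the target actually covers, or link a page that still documents worker role monitoring; as written the bullet promises content the target does not have.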
azure-monitor Powershell Azure Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/powershell-azure-diagnostics.md
Remove-AzureServiceDiagnosticsExtension -ServiceName "MyService" -Role "WebRole"
## See also
-* [Monitor Azure Cloud Services apps with Application Insights](./cloudservices.md)
+* [Monitor Azure Cloud Services apps with Application Insights](./azure-web-apps-net-core.md)
* [Send Azure Diagnostics to Application Insights](../agents/diagnostics-extension-to-application-insights.md)
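Review bot: same text/target mismatch as in platforms.md: the link text "Monitor Azure Cloud Services apps with Application Insights" is unchanged while the href now points at the App Service .NET Core article. The surrounding context (`Remove-AzureServiceDiagnosticsExtension -ServiceName "MyService" -Role "WebRole"`) shows this article is specifically about the classic Cloud Services diagnostics extension, so a reader following "See also" will land on an unrelated hosting model; rename the link or drop it.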
azure-monitor Separate Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/separate-resources.md
When you are developing the next version of a web application, you don't want to mix up the [Application Insights](../../azure-monitor/app/app-insights-overview.md) telemetry from the new version and the already released version. To avoid confusion, send the telemetry from different development stages to separate Application Insights resources, with separate instrumentation keys (ikeys). To make it easier to change the instrumentation key as a version moves from one stage to another, it can be useful to set the ikey in code instead of in the configuration file.
-(If your system is an Azure Cloud Service, there's [another method of setting separate ikeys](../../azure-monitor/app/cloudservices.md).)
+(If your system is an Azure Cloud Service, there's [another method of setting separate ikeys](../../azure-monitor/app/azure-web-apps-net-core.md).)
[!INCLUDE [azure-monitor-log-analytics-rebrand](../../../includes/azure-monitor-instrumentation-key-deprecation.md)]
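Review bot: the parenthetical "(If your system is an Azure Cloud Service, there's [another method of setting separate ikeys](...))" keeps its claim but now links to azure-web-apps-net-core.md, which is an App Service article. If the deleted cloudservices.md was the only description of that method, the sentence should be removed rather than retargeted; otherwise readers are sent to a page that does not describe the method the sentence promises. The include on the next line already flags instrumentation key deprecation, so this is also a good place to reword "ikeys" to connection strings when the sentence is revisited.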
azure-monitor Autoscale Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/autoscale/autoscale-overview.md
You can set up autoscale via
| API Management service|[Automatically scale an Azure API Management instance](../../api-management/api-management-howto-autoscale.md) | Azure Data Explorer Clusters|[Manage Azure Data Explorer clusters scaling to accommodate changing demand](/azure/data-explorer/manage-cluster-horizontal-scaling)| | Logic Apps |[Adding integration service environment (ISE) capacity](../../logic-apps/ise-manage-integration-service-environment.md#add-ise-capacity)|
-| Spring Cloud |[Set up autoscale for microservice applications](../../spring-cloud/how-to-setup-autoscale.md)|
+| Spring Cloud |[Set up autoscale for microservice applications](../../spring-apps/how-to-setup-autoscale.md)|
| Service Bus |[Automatically update messaging units of an Azure Service Bus namespace](../../service-bus-messaging/automate-update-messaging-units.md)| | Azure SignalR Service | [Automatically scale units of an Azure SignalR service](../../azure-signalr/signalr-howto-scale-autoscale.md) | | Media Services | [Autoscaling in Media Services](/azure/media-services/latest/release-notes#autoscaling) |
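Review bot: the row label still says "Spring Cloud" while the path has moved to `../../spring-apps/how-to-setup-autoscale.md`; for consistency with the renamed folder, rename the row to the current service name and confirm the file exists at the new path so the table does not ship a broken link.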
azure-monitor Change Analysis Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/change/change-analysis-enable.md
ms.contributor: cawa Previously updated : 07/11/2022 Last updated : 07/29/2022
The Change Analysis service:
- Easily navigate through all resource changes. - Identify relevant changes in the troubleshooting or monitoring context.
-Register the `Microsoft.ChangeAnalysis` resource provider with an Azure Resource Manager subscription to make the tracked properties and proxied settings change data available. The `Microsoft.ChangeAnalysis` resource is automatically registered as you either:
+Register the `Microsoft.ChangeAnalysis` resource provider with an Azure Resource Manager subscription to make the resource properties and configuration change data available. The `Microsoft.ChangeAnalysis` resource is automatically registered as you either:
- Enter any UI entry point, like the Web App **Diagnose and Solve Problems** tool, or - Bring up the Change Analysis standalone tab.
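Review bot: terminology in the `+` line is inconsistent within one sentence: it opens with "Register the `Microsoft.ChangeAnalysis` resource provider" and then says "The `Microsoft.ChangeAnalysis` resource is automatically registered". It is the resource provider that gets registered on the subscription, not a resource, so use "resource provider" in both places.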
azure-monitor Change Analysis Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/change/change-analysis-troubleshoot.md
ms.contributor: cawa Previously updated : 03/21/2022 Last updated : 07/28/2022
If your changes still don't show after 6 hours, contact the [Change Analysis hel
### Failed to query Microsoft.ChangeAnalysis resource provider. Often, this message includes: `Azure Lighthouse subscription is not supported, the changes are only available in the subscription's home tenant`.
-Currently, the Change Analysis resource provider is limited to registration through Azure Lighthouse subscription for users outside of home tenant. We are working on addressing this limitation.
+Azure Lighthouse allows for cross-tenant resource administration. However, cross-tenant support needs to be built for each resource provider. Currently, Change Analysis has not built this support. If you're signed into one tenant, you can't query for resource or subscription changes whose home is in another tenant.
-If this is a blocking issue for you, we can provide a workaround that involves creating a service principal and explicitly assigning the role to allow the access. Contact the [Change Analysis help team](mailto:changeanalysishelp@microsoft.com) to learn more about it.
+If this is a blocking issue for you, we'd like to hear your feedback! [Contact the Change Analysis help team](mailto:changeanalysishelp@microsoft.com) to describe how you're trying to use Change Analysis.
## An error occurred while getting changes. Please refresh this page or come back later to view changes.
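Review bot: the replacement explanation no longer tells the user what to do. The error text quoted in the heading says "the changes are only available in the subscription's home tenant", and the new sentence "If you're signed into one tenant, you can't query for resource or subscription changes whose home is in another tenant" implies the fix, so state it explicitly: sign in to the subscription's home tenant to view its changes. Wording nits in the `+` lines: "has not built this support" reads awkwardly (prefer "doesn't yet support cross-tenant queries"), and "signed into" should be "signed in to".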
azure-monitor Change Analysis Visualizations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/change/change-analysis-visualizations.md
ms.contributor: cawa Previously updated : 07/11/2022 Last updated : 07/28/2022
# Visualizations for Change Analysis in Azure Monitor (preview)
-## Standalone UI
+Change Analysis provides data for various management and troubleshooting scenarios to help you understand what changes to your application might have caused the issues. You can view the Change Analysis data through several channels:
-Change Analysis lives in a standalone pane under Azure Monitor, where you can view all changes and application dependency/resource insights. You can access Change Analysis through a couple of entry points:
+## The Change Analysis standalone UI
+
+You can access Change Analysis in a standalone pane under Azure Monitor, where you can view all changes and application dependency/resource insights. You can access Change Analysis through a couple of entry points:
In the Azure portal, search for Change Analysis to launch the experience.
Send any feedback to the [Change Analysis team](mailto:changeanalysisteam@micros
:::image type="content" source="./media/change-analysis/change-analysis-feedback.png" alt-text="Screenshot of feedback button in Change Analysis tab"::: - ### Multiple subscription support The UI supports selecting multiple subscriptions to view resource changes. Use the subscription filter:
The UI supports selecting multiple subscriptions to view resource changes. Use t
## Diagnose and solve problems tool
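Review bot: the new intro sentence "You can view the Change Analysis data through several channels:" ends with a colon and is followed directly by the H2 "The Change Analysis standalone UI". A colon should introduce a list; either end the sentence with a period or add a short bullet list naming the channels that already have headings in this article (the standalone UI, the Diagnose and solve problems tool, and Activity Log change history).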
-From your resource's overview page in Azure portal, select **Diagnose and solve problems** the left menu. As you enter the Diagnose and Solve Problems tool, the **Microsoft.ChangeAnalysis** resource provider will automatically be registered.
+From your resource's overview page in Azure portal, you can view change data by selecting **Diagnose and solve problems** the left menu. As you enter the Diagnose and Solve Problems tool, the **Microsoft.ChangeAnalysis** resource provider will automatically be registered.
### Diagnose and solve problems tool for Web App
You can view Change Analysis data for [multiple Azure resources](./change-analys
## Activity Log change history Use the [View change history](../essentials/activity-log.md#view-change-history) feature to call the Azure Monitor Change Analysis service backend to view changes associated with an operation. Changes returned include:+ - Resource level changes from [Azure Resource Graph](../../governance/resource-graph/overview.md). - Resource properties from [Azure Resource Manager](../../azure-resource-manager/management/overview.md). - In-guest changes from PaaS services, such as App Services web app.
You can also drill to Change Analysis logs via a chart you've created or pinned
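Review bot: the `+` line carries over a grammar error from the removed line: "selecting **Diagnose and solve problems** the left menu" is missing "in" ("... **Diagnose and solve problems** in the left menu"). While touching the line, "in Azure portal" should be "in the Azure portal" to match the rest of the article.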
## Next steps -- Learn how to [troubleshoot problems in Change Analysis](change-analysis-troubleshoot.md)
+- Learn how to [troubleshoot problems in Change Analysis](change-analysis-troubleshoot.md)
azure-monitor Change Analysis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/change/change-analysis.md
ms.contributor: cawa Previously updated : 06/29/2022 Last updated : 07/29/2022
Azure Monitor Change Analysis service supports resource property level changes i
## Data sources Azure Monitor's Change Analysis queries for:-- Azure Resource Manager tracked properties.-- Proxied configurations.
+- Azure Resource Manager resource properties.
+- Configuration changes.
- Web app in-guest changes. Change Analysis also tracks resource dependency changes to diagnose and monitor an application end-to-end.
-### Azure Resource Manager tracked properties changes
+### Azure Resource Manager resource properties changes
Using [Azure Resource Graph](../../governance/resource-graph/overview.md), Change Analysis provides a historical record of how the Azure resources that host your application have changed over time. The following tracked settings can be detected: - Managed identities - Platform OS upgrade - Hostnames
-### Azure Resource Manager proxied setting changes
+### Azure Resource Manager configuration changes
Unlike Azure Resource Graph, Change Analysis securely queries and computes IP Configuration rules, TLS settings, and extension versions to provide more change details in the app.
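Review bot: the renamed heading "Azure Resource Manager resource properties changes" should read "resource property changes" (singular noun as modifier), matching "configuration changes" in the sibling heading. The rename away from "tracked properties" is also incomplete: the unchanged context line under the heading still says "The following tracked settings can be detected", which now refers to a term the article no longer introduces; update it to "resource properties" or "settings".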
azure-monitor Container Insights Enable Arc Enabled Clusters https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md
- To view the monitoring data, you need to have [Log Analytics Reader](../logs/manage-access.md#azure-rbac) role assignment on the Log Analytics workspace. - The following endpoints need to be enabled for outbound access in addition to the ones mentioned under [connecting a Kubernetes cluster to Azure Arc](../../azure-arc/kubernetes/quickstart-connect-cluster.md#meet-network-requirements).
+ **Azure public cloud**
+ | Endpoint | Port | |-|| | `*.ods.opinsights.azure.com` | 443 |
| `*.monitoring.azure.com` | 443 | | `login.microsoftonline.com` | 443 |
+ The following table lists the additional firewall configuration required for managed identity authentication.
+
+ |Agent resource| Purpose | Port |
+ |--|||
+ | `global.handler.control.monitor.azure.com` | Access control service | 443 |
+ | `<cluster-region-name>.handler.control.monitor.azure.com` | Fetch data collection rules for specific AKS cluster | 443 |
+
+ **Azure Government cloud**
+ If your Azure Arc-enabled Kubernetes resource is in Azure US Government environment, following endpoints need to be enabled for outbound access: | Endpoint | Port |
| `*.ods.opinsights.azure.us` | 443 | | `*.oms.opinsights.azure.us` | 443 | | `dc.services.visualstudio.com` | 443 |
-
+
+ The following table lists the additional firewall configuration required for managed identity authentication.
+
+ |Agent resource| Purpose | Port |
+ |--|||
+ | `global.handler.control.monitor.azure.cn` | Access control service | 443 |
+ | `<cluster-region-name>.handler.control.monitor.azure.cn` | Fetch data collection rules for specific AKS cluster | 443 |
+ - If you are using an Arc enabled cluster on AKS, and previously installed [monitoring for AKS](./container-insights-enable-existing-clusters.md), please ensure that you have [disabled monitoring](./container-insights-optout.md) before proceeding to avoid issues during the extension install
Run the following commands to locate the full Azure Resource Manager identifier
>[!TIP] > This `id` can also be found in the *Overview* blade of the Log Analytics workspace through the Azure portal.
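Review bot: the Azure Government table lists `global.handler.control.monitor.azure.cn` and `<cluster-region-name>.handler.control.monitor.azure.cn`, but `.azure.cn` is the Azure China domain; every other endpoint in that section uses `.azure.us` (`*.ods.opinsights.azure.us`, `*.oms.opinsights.azure.us`). These rows are egress allow-list entries, so the wrong domain both breaks managed identity authentication and opens the firewall to a different cloud's endpoints; confirm the correct Government hostnames before merging. The table separators `|-||` and `|--|||` do not have one cell per column and will not render as tables; use `|--|--|` and `|--|--|--|`. Minor: "following endpoints need to be enabled" should be "the following endpoints need to be enabled".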
-## Create extension instance using Azure CLI
+## Create extension instance
+
+## [CLI](#tab/create-cli)
### Option 1 - With default values
This option uses the following defaults:
az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers ```
+To use [managed identity authentication (preview)](container-insights-onboard.md#authentication), add the `configuration-settings` parameter as in the following:
+
+```azurecli
+az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings omsagent.useAADAuth=true
+```
++ ### Option 2 - With existing Azure Log Analytics workspace You can use an existing Azure Log Analytics workspace in any subscription on which you have *Contributor* or a more permissive role assignment.
If the Azure Arc-enabled Kubernetes cluster is on Azure Stack Edge, then a custo
az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings omsagent.logsettings.custommountpath=/home/data/docker ``` + >[!NOTE] > If you are explicitly specifying the version of the extension to be installed in the create command, then ensure that the version specified is >= 2.8.2.
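Review bot: the managed identity example `--configuration-settings omsagent.useAADAuth=true` is added without stating the minimum extension version that accepts this setting; the only version guidance in this section (the NOTE requiring `>= 2.8.2`) is attached to the custom mount path option, so readers pinning an older version will get an unexplained failure. Add the minimum version next to the new example. Also, the `++` at the end of the hunk looks like a mangled tab terminator; tab groups need a closing `---` line, so check the rendered output.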
-## Create extension instance using Azure portal
+## [Azure portal](#tab/create-portal)
>[!IMPORTANT] > If you are deploying Azure Monitor on a Kubernetes cluster running on top of Azure Stack Edge, then the Azure CLI option needs to be followed instead of the Azure portal option as a custom mount path needs to be set for these clusters.
az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-n
4. You can now choose the [Log Analytics workspace](../logs/quick-create-workspace.md) to send your metrics and logs data to.
-5. Select the 'Configure' button to deploy the Azure Monitor Container Insights cluster extension.
+5. To use managed identity authentication, select the *Use managed identity (preview)* checkbox.
+
+6. Select the 'Configure' button to deploy the Azure Monitor Container Insights cluster extension.
### Onboarding from Azure Monitor blade
az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-n
3. Click on the 'Enable' link next to the cluster that you want to enable monitoring for.
-4. Choose the Log Analytics workspace and select the 'Configure' button to continue.
+4. Choose the Log Analytics workspace.
-## Create extension instance using Azure Resource Manager
+5. To use managed identity authentication, select the *Use managed identity (preview)* checkbox.
+
+6. Select the 'Configure' button to continue.
+
+## [Resource Manager](#tab/create-arm)
1. Download Azure Resource Manager template and parameter:
az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-n
az deployment group create --resource-group <resource-group> --template-file ./arc-k8s-azmon-extension-arm-template.json --parameters @./arc-k8s-azmon-extension-arm-template-params.json ``` ++ ## Verify extension installation status Once you have successfully created the Azure Monitor extension for your Azure Arc-enabled Kubernetes cluster, you can additionally check the status of installation using the Azure portal or CLI. Successful installations should show the status as 'Installed'. If your status is showing 'Failed' or remains in the 'Pending' state for long periods of time, proceed to the Troubleshooting section below.
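Review bot: UI element styling is inconsistent in the new steps: "select the *Use managed identity (preview)* checkbox" uses italics while the adjacent steps write "the 'Configure' button" and "the 'Enable' link" in single quotes. Pick one convention for UI labels across the renumbered steps 5 and 6 in both portal paths.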
-### Azure portal
+### [Azure portal](#tab/verify-portal)
1. In the Azure portal, select the Azure Arc-enabled Kubernetes cluster with the extension installing 2. Select the 'Extensions' item under the 'Settings' section of the resource blade 3. You should see an extension with the name 'azuremonitor-containers' listed, with the listed status in the 'Install status' column
-### Azure CLI
+### [CLI](#tab/verify-cli)
Run the following command to show the latest status of the `Microsoft.AzureMonitor.Containers` extension ```azurecli az k8s-extension show --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters -n azuremonitor-containers ``` ++
+## Migrate to managed identity authentication (preview)
+Use the flowing guidance to migrate an existing extension instance to managed identity authentication (preview).
+
+## [CLI](#tab/migrate-cli)
+First retrieve the Log Analytics workspace configured for Container insights extension.
+
+```cli
+az k8s-extension show --name azuremonitor-containers --cluster-name \<cluster-name\> --resource-group \<resource-group\> --cluster-type connectedClusters -n azuremonitor-containers
+```
+
+Enable Container insights extension with managed identity authentication option using the workspace returned in the first step.
+
+```cli
+az k8s-extension create --name azuremonitor-containers --cluster-name \<cluster-name\> --resource-group \<resource-group\> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings omsagent.useAADAuth=true logAnalyticsWorkspaceResourceID=\<workspace-resource-id\>
+```
+
+## [Resource Manager](#tab/migrate-arm)
++
+1. Download the template at [https://aka.ms/arc-k8s-azmon-extension-msi-arm-template](https://aka.ms/arc-k8s-azmon-extension-msi-arm-template) and save it as **arc-k8s-azmon-extension-msi-arm-template.json**.
+
+2. Download the parameter file at [https://aka.ms/arc-k8s-azmon-extension-msi-arm-template-params](https://aka.ms/arc-k8s-azmon-extension-msi-arm-template) and save it as **arc-k8s-azmon-extension-msi-arm-template-params.json**.
+
+3. Edit the values in the parameter file.
+
+ - For **workspaceDomain**, use *opinsights.azure.com* for Azure public cloud and *opinsights.azure.us* for Azure Government cloud.
+ - Specify the tags in the **resourceTagValues** parameter if you want to use any Azure tags on the Azure resources that will be created as part of the Container insights extension.
+
+4. Deploy the template to create Container Insights extension.
+
+```cli
+az login
+az account set --subscription "Subscription Name"
+az deployment group create --resource-group <resource-group> --template-file ./arc-k8s-azmon-extension-msi-arm-template.json --parameters @./arc-k8s-azmon-extension-msi-arm-template-params.json
+```
+++ ## Delete extension instance The following command only deletes the extension instance, but doesn't delete the Log Analytics workspace. The data within the Log Analytics resource is left intact.
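Review bot: several defects in the new migration section. The parameter-file link is wrong: the text shows `https://aka.ms/arc-k8s-azmon-extension-msi-arm-template-params` but the href is `https://aka.ms/arc-k8s-azmon-extension-msi-arm-template`, so the link downloads the template a second time instead of the parameter file. The placeholders `\<cluster-name\>`, `\<resource-group\>` and `\<workspace-resource-id\>` are backslash-escaped inside code fences, where no escaping is needed, so the backslashes will appear in the copied command; the earlier example in this article uses plain `<cluster-name>`. The fences are tagged ```cli while the rest of the article uses ```azurecli. "Use the flowing guidance" should be "Use the following guidance". Finally, the second step runs `az k8s-extension create` against a cluster that already has the extension installed; confirm this succeeds in place, or document `az k8s-extension update` with the same `--configuration-settings` instead, and name which field of the `show` output holds the workspace resource ID to carry over.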
azure-monitor Container Insights Enable Existing Clusters https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-enable-existing-clusters.md
-# Enable monitoring of Azure Kubernetes Service (AKS) cluster already deployed
+# Enable monitoring for existing Azure Kubernetes Service (AKS) cluster
This article describes how to set up Container insights to monitor managed Kubernetes cluster hosted on [Azure Kubernetes Service](../../aks/index.yml) that have already been deployed in your subscription. If you're connecting an existing AKS cluster to an Azure Log Analytics workspace in another subscription, the Microsoft.ContainerService resource provider must be registered in the subscription in which the Log Analytics workspace was created. For more information, see [Register resource provider](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider).
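Review bot: the new title "Enable monitoring for existing Azure Kubernetes Service (AKS) cluster" is missing an article; "for an existing Azure Kubernetes Service (AKS) cluster".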
-## Enable using Azure CLI
+
+## [CLI](#tab/azure-cli)
+
+> [!NOTE]
+> Azure CLI version 2.39.0 or higher required for managed identity authentication.
The following step enables monitoring of your AKS cluster using Azure CLI. In this example, you are not required to pre-create or specify an existing workspace. This command simplifies the process for you by creating a default workspace in the default resource group of the AKS cluster subscription if one does not already exist in the region. The default workspace created resembles the format of *DefaultWorkspace-\<GUID>-\<Region>*.
If you would rather integrate with an existing workspace, perform the following
provisioningState : Succeeded ```
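Review bot: the new NOTE "Azure CLI version 2.39.0 or higher required for managed identity authentication" is missing a verb ("is required"). Since the paragraph that follows describes the default-workspace behaviour of the command, it would also help to say which flag enables managed identity authentication in the CLI path, as the portal tabs do with the **Use managed identity** checkbox.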
-## Enable using Terraform
+## [Terraform](#tab/terraform)
+To enable monitoring using Terraform, do the following:
1. Add the **oms_agent** add-on profile to the existing [azurerm_kubernetes_cluster resource](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster)
If you would rather integrate with an existing workspace, perform the following
3. The metrics are not collected by default through Terraform, so once onboarded, there is an additional step to assign the monitoring metrics publisher role, which is required to [enable the metrics](./container-insights-update-metrics.md#update-one-cluster-by-using-the-azure-cli).
-## Enable from Azure Monitor in the portal
+## [Azure Monitor portal](#tab/portal-azure-monitor)
To enable monitoring of your AKS cluster in the Azure portal from Azure Monitor, do the following:
To enable monitoring of your AKS cluster in the Azure portal from Azure Monitor,
>[!NOTE] >If you want to create a new Log Analytics workspace for storing the monitoring data from the cluster, follow the instructions in [Create a Log Analytics workspace](../logs/quick-create-workspace.md). Be sure to create the workspace in the same subscription that the AKS container is deployed to.
+6. Select **Use managed identity** if you want to use [managed identity authentication with the Azure Monitor agent](container-insights-onboard.md#authentication).
+ After you've enabled monitoring, it might take about 15 minutes before you can view health metrics for the cluster.
-## Enable directly from AKS cluster in the portal
+## [AKS portal](#tab/portal-aks)
To enable monitoring directly from one of your AKS clusters in the Azure portal, do the following:
To enable monitoring directly from one of your AKS clusters in the Azure portal,
>[!NOTE] >If you want to create a new Log Analytics workspace for storing the monitoring data from the cluster, follow the instructions in [Create a Log Analytics workspace](../logs/quick-create-workspace.md). Be sure to create the workspace in the same subscription that the AKS container is deployed to.
+6. Select **Use managed identity** if you want to use [managed identity authentication with the Azure Monitor agent](container-insights-onboard.md#authentication).
++ After you've enabled monitoring, it might take about 15 minutes before you can view operational data for the cluster.
-## Enable using an Azure Resource Manager template
+## [Resource Manager template](#tab/arm)
+ This method includes two JSON templates. One template specifies the configuration to enable monitoring, and the other contains parameter values that you configure to specify the following:
This method includes two JSON templates. One template specifies the configuratio
>[!NOTE] >The template needs to be deployed in the same resource group as the cluster.
->
-The Log Analytics workspace has to be created before you enable monitoring using Azure PowerShell or CLI. To create the workspace, you can set it up through [Azure Resource Manager](../logs/resource-manager-workspace.md), through [PowerShell](../logs/powershell-workspace-configuration.md?toc=%2fpowershell%2fmodule%2ftoc.json), or in the [Azure portal](../logs/quick-create-workspace.md).
-If you are unfamiliar with the concept of deploying resources by using a template, see:
+### Prerequisites
+The Log Analytics workspace must be created before you deploy the Resource Manager template.
-* [Deploy resources with Resource Manager templates and Azure PowerShell](../../azure-resource-manager/templates/deploy-powershell.md)
-* [Deploy resources with Resource Manager templates and the Azure CLI](../../azure-resource-manager/templates/deploy-cli.md)
+### Create or download templates
-If you choose to use the Azure CLI, you first need to install and use the CLI locally. You must be running the Azure CLI version 2.0.59 or later. To identify your version, run `az --version`. If you need to install or upgrade the Azure CLI, see [Install the Azure CLI](/cli/azure/install-azure-cli).
+**If you want to enable [managed identity authentication (preview)](container-insights-onboard.md#authentication)**
+
+1. Download the template at [https://aka.ms/aks-enable-monitoring-msi-onboarding-template-file](https://aka.ms/aks-enable-monitoring-msi-onboarding-template-file) and save it as **existingClusterOnboarding.json**.
+
+2. Download the parameter file at [https://aka.ms/aks-enable-monitoring-msi-onboarding-template-parameter-file](https://aka.ms/aks-enable-monitoring-msi-onboarding-template-parameter-file) and save it as **existingClusterParam.json**.
+
+3. Edit the values in the parameter file.
+
+ - For **aksResourceId** and **aksResourceLocation**, use the values on the **AKS Overview** page for the AKS cluster.
+ - For **workspaceResourceId**, use the resource ID of your Log Analytics workspace.
+ - For **resourceTagValues**, match the existing tag values specified for the existing Container insights extension DCR of the cluster and the name of the data collection rule, which will be MSCI-\<clusterName\>-\<clusterRegion\> and this resource created in Log Analytics Workspace Resource Group. If this first-time onboarding, you can set the arbitrary tag values.
-### Create and execute a template
-1. Copy and paste the following JSON syntax into your file:
+**If you don't want to enable [managed identity authentication (preview)](container-insights-onboard.md#authentication)**
+
+1. Save the following JSON as **existingClusterOnboarding.json**.
```json {
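Review bot: the **resourceTagValues** bullet in step 3 is not readable as written ("and this resource created in Log Analytics Workspace Resource Group. If this first-time onboarding, you can set the arbitrary tag values"); split it into two sentences, for example "The data collection rule is named MSCI-\<clusterName\>-\<clusterRegion\> and is created in the Log Analytics workspace's resource group. If this is the first time you're onboarding the cluster, any tag values can be used." The new `### Prerequisites` also drops the three links the removed paragraph had for creating the workspace (Resource Manager, PowerShell, portal); keep at least one so the prerequisite is actionable.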
If you choose to use the Azure CLI, you first need to install and use the CLI lo
} ```
-2. Save this file as **existingClusterOnboarding.json** to a local folder.
-
-3. Paste the following JSON syntax into your file:
+2. Save the following JSON as **existingClusterParam.json**.
```json {
If you choose to use the Azure CLI, you first need to install and use the CLI lo
} ```
-4. Edit the values for **aksResourceId** and **aksResourceLocation** using the values on the **AKS Overview** page for the AKS cluster. The value for **workspaceResourceId** is the full resource ID of your Log Analytics workspace, which includes the workspace name.
+2. Download the parameter file at [https://aka.ms/aks-enable-monitoring-msi-onboarding-template-parameter-file](https://aka.ms/aks-enable-monitoring-msi-onboarding-template-parameter-file) and save as **existingClusterParam.json**.
- Edit the values for **aksResourceTagValues** to match the existing tag values specified for the AKS cluster.
+3. Edit the values in the parameter file.
-5. Save this file as **existingClusterParam.json** to a local folder.
+ - For **aksResourceId** and **aksResourceLocation**, use the values on the **AKS Overview** page for the AKS cluster.
+ - For **workspaceResourceId**, use the resource ID of your Log Analytics workspace.
+ - For **aksResourceTagValues**, use the existing tag values specified for the AKS cluster.
-6. You are ready to deploy this template.
- * To deploy with Azure PowerShell, use the following commands in the folder that contains the template:
+### Deploy template
- ```powershell
- New-AzResourceGroupDeployment -Name OnboardCluster -ResourceGroupName <ResourceGroupName> -TemplateFile .\existingClusterOnboarding.json -TemplateParameterFile .\existingClusterParam.json
- ```
+If you are unfamiliar with the concept of deploying resources by using a template, see:
- The configuration change can take a few minutes to complete. When it's completed, a message is displayed that's similar to the following and includes the result:
+* [Deploy resources with Resource Manager templates and Azure PowerShell](../../azure-resource-manager/templates/deploy-powershell.md)
+* [Deploy resources with Resource Manager templates and the Azure CLI](../../azure-resource-manager/templates/deploy-cli.md)
- ```output
- provisioningState : Succeeded
- ```
+If you choose to use the Azure CLI, you first need to install and use the CLI locally. You must be running the Azure CLI version 2.0.59 or later. To identify your version, run `az --version`. If you need to install or upgrade the Azure CLI, see [Install the Azure CLI](/cli/azure/install-azure-cli).
- * To deploy with Azure CLI, run the following commands:
- ```azurecli
- az login
- az account set --subscription "Subscription Name"
- az deployment group create --resource-group <ResourceGroupName> --template-file ./existingClusterOnboarding.json --parameters @./existingClusterParam.json
- ```
+#### To deploy with Azure PowerShell:
- The configuration change can take a few minutes to complete. When it's completed, a message is displayed that's similar to the following and includes the result:
+```powershell
+New-AzResourceGroupDeployment -Name OnboardCluster -ResourceGroupName <ResourceGroupName> -TemplateFile .\existingClusterOnboarding.json -TemplateParameterFile .\existingClusterParam.json
+```
- ```output
- provisioningState : Succeeded
- ```
+The configuration change can take a few minutes to complete. When it's completed, a message is displayed that's similar to the following and includes the result:
- After you've enabled monitoring, it might take about 15 minutes before you can view health metrics for the cluster.
+```output
+provisioningState : Succeeded
+```
+
+#### To deploy with Azure CLI, run the following commands:
+
+```azurecli
+az login
+az account set --subscription "Subscription Name"
+az deployment group create --resource-group <ResourceGroupName> --template-file ./existingClusterOnboarding.json --parameters @./existingClusterParam.json
+```
+
+The configuration change can take a few minutes to complete. When it's completed, a message is displayed that's similar to the following and includes the result:
+
+```output
+provisioningState : Succeeded
+```
+
+After you've enabled monitoring, it might take about 15 minutes before you can view health metrics for the cluster.
++ ## Verify agent and solution deployment
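Review bot: in the "don't want managed identity" path, the second `+2. Download the parameter file at ...msi-onboarding-template-parameter-file` step conflicts with the step 2 just above it, which already saves the inline JSON as **existingClusterParam.json**; the downloaded file is the managed-identity parameter file and would overwrite the non-MSI one. Drop that step and renumber the edit step to 3. Two smaller points: the `#### To deploy with Azure PowerShell:` and `#### To deploy with Azure CLI, run the following commands:` headings carry sentence punctuation; use plain headings ("Deploy with Azure PowerShell", "Deploy with the Azure CLI") and put the instruction in the body text. The `++ ## Verify agent and solution deployment` line looks like it has a stray `+` in content, as in the AKS portal tab.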
After a few minutes, the command completes and returns JSON-formatted informatio
} ```
+## Migrate to managed identity authentication
+
+### Existing clusters with service principal
+AKS Clusters with service principal must first disable monitoring and then upgrade to managed identity. Only Azure public cloud, Azure China cloud, and Azure Government cloud are currently supported for this migration.
++
+1. Disable monitoring with the following command:
+
+ ```cli
+ az aks disable-addons -a monitoring -g <resource-group-name> -n <cluster-name> --workspace-resource-id <workspace-resource-id>
+ ```
+
+2. Upgrade cluster to system managed identity with the following command:
+
+ ```cli
+ az aks update -g <resource-group-name> -n <cluster-name> --enable-managed-identity --workspace-resource-id <workspace-resource-id>
+ ```
+
+3. Enable Monitoring addon with managed identity authentication with the following command:
+
+ ```cli
+ az aks enable-addons -a monitoring --enable-msi-auth-for-monitoring -g <resource-group-name> -n <cluster-name> --workspace-resource-id <workspace-resource-id>
+ ```
+
+### Existing clusters with system assigned identity
+AKS Clusters with system assigned identity must first disable monitoring and then upgrade to managed identity. Only Azure public cloud, Azure China cloud, and Azure Government cloud are currently supported for this migration.
+
+1. Disable monitoring with the following command:
+
+ ```cli
+ az aks disable-addons -a monitoring -g <resource-group-name> -n <cluster-name> --workspace-resource-id <workspace-resource-id>
+ ```
+
+2. Enable Monitoring addon with Managed Identity Auth Option
+
+ ```cli
+ az aks enable-addons -a monitoring --enable-msi-auth-for-monitoring -g <resource-group-name> -n <cluster-name> --workspace-resource-id <workspace-resource-id>
+ ```
+
+## Limitations
+
+- Enabling managed identity authentication (preview) is not currently supported using Terraform or Azure Policy.
+- When you enable managed identity authentication (preview), a data collection rule is created with the name *MSCI-\<cluster-name\>-\<cluster-region\>*. This name cannot currently be modified.
+ ## Next steps * If you experience issues while attempting to onboard the solution, review the [troubleshooting guide](container-insights-troubleshoot.md)
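Review bot: the "Existing clusters with system assigned identity" intro is copied from the service principal section and says these clusters must "upgrade to managed identity", but a cluster with a system-assigned identity already has one and the steps below only disable and re-enable the addon; reword it. Please also verify `--workspace-resource-id` on `az aks disable-addons` and `az aks update`: on this page it is otherwise only shown as an `enable-addons` parameter (step 3 / step 2) and looks carried over by copy-paste. Between the disable and enable steps no data is collected, so say so and tell readers to expect a gap in the workspace; and since the Onboard article's note says managed identity authentication (preview) isn't meant for production use, this migration section should carry the same caveat or link to it. Finally, the fences here are tagged `cli` where the rest of the article uses `azurecli`.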
azure-monitor Container Insights Enable New Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-enable-new-cluster.md
This article describes how to set up Container insights to monitor managed Kuber
To enable monitoring of a new AKS cluster created with Azure CLI, follow the step in the quickstart article under the section [Create AKS cluster](../../aks/learn/quick-kubernetes-deploy-cli.md). >[!NOTE]
->If you choose to use the Azure CLI, you first need to install and use the CLI locally. You must be running the Azure CLI version 2.0.74 or later. To identify your version, run `az --version`. If you need to install or upgrade the Azure CLI, see [Install the Azure CLI](/cli/azure/install-azure-cli).
+>If you choose to use the Azure CLI, you first need to install and use the CLI locally. You must be running the Azure CLI version 2.39.0 or later. To identify your version, run `az --version`. If you need to install or upgrade the Azure CLI, see [Install the Azure CLI](/cli/azure/install-azure-cli).
>If you have installed the aks-preview CLI extension version 0.4.12 or higher, remove any changes you have made to enable a preview extension as it can override the default Azure CLI behavior since AKS Preview features aren't available in Azure US Governmnet cloud. ## Enable using Terraform
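Review bot: the minimum version jump from 2.0.74 to 2.39.0 should say what requires it (if it is the `--enable-msi-auth-for-monitoring` option shown in the existing-clusters article, name it); otherwise readers on older CLIs can't tell whether the requirement applies to them. While this note block is open, the unchanged context line has a typo: "Azure US Governmnet cloud" should be "Azure US Government cloud".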
azure-monitor Container Insights Onboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-onboard.md
The versions of Kubernetes and support policy are the same as those [supported i
Before you start, make sure that you've met the following requirements: **Log Analytics workspace**
-Container insights supports a [Log Analytics workspace](../logs/log-analytics-workspace-overview.md) in the regions that are listed in [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?regions=all&products=monitor). For a list of the supported mapping pairs to use for the default workspace, see [Region mappings supported by Container insights](container-insights-region-mapping.md).
+Container insights stores its data in a [Log Analytics workspace](../logs/log-analytics-workspace-overview.md). It supports workspaces in the regions that are listed in [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?regions=all&products=monitor). For a list of the supported mapping pairs to use for the default workspace, see [Region mappings supported by Container insights](container-insights-region-mapping.md).
You can let the onboarding experience create a default workspace in the default resource group of the AKS cluster subscription. If you already have a workspace though, then you will most likely want to use that one. See [Designing your Azure Monitor Logs deployment](../logs/design-logs-deployment.md) for details.
If you have a Kubernetes cluster with Windows nodes, then please review and conf
The following table lists the proxy and firewall configuration information that's required for the containerized agent to communicate with Container insights. All network traffic from the agent is outbound to Azure Monitor.
+**Azure public cloud**
+ |Agent resource|Port | |--|| | `*.ods.opinsights.azure.com` | 443 |
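Review bot: the Azure public cloud table keeps the two-column `|Agent resource|Port |` layout while the China and Government tables in this same change gain a **Purpose** column; add the same column to the public cloud table so readers can justify each allow-list entry. The bold `**Azure public cloud**` line is acting as a heading; this article uses `###` headings for sub-sections, so use one here (and for the other two clouds) so the tables are navigable.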
The following table lists the proxy and firewall configuration information that'
| `*.monitoring.azure.com` | 443 | | `login.microsoftonline.com` | 443 |
+The following table lists the additional firewall configuration required for managed identity authentication.
+
+|Agent resource| Purpose | Port |
+|--|||
+| `global.handler.control.monitor.azure.com` | Access control service | 443 |
+| `<cluster-region-name>.handler.control.monitor.azure.com` | Fetch data collection rules for specific AKS cluster | 443 |
+
+**Azure China 21Vianet cloud**
+ The following table lists the proxy and firewall configuration information for Azure China 21Vianet:
-|Agent resource|Port |Description |
+|Agent resource| Purpose | Port |
|--||-|
-| `*.ods.opinsights.azure.cn` | 443 | Data ingestion |
-| `*.oms.opinsights.azure.cn` | 443 | OMS onboarding |
-| `dc.services.visualstudio.com` | 443 | For agent telemetry that uses Azure Public Cloud Application Insights |
+| `*.ods.opinsights.azure.cn` | Data ingestion | 443 |
+| `*.oms.opinsights.azure.cn` | OMS onboarding | 443 |
+| `dc.services.visualstudio.com` | For agent telemetry that uses Azure Public Cloud Application Insights | 443 |
++
+The following table lists the additional firewall configuration required for managed identity authentication.
+
+|Agent resource| Purpose | Port |
+|--|||
+| `global.handler.control.monitor.azure.cn` | Access control service | 443 |
+| `<cluster-region-name>.handler.control.monitor.azure.cn` | Fetch data collection rules for specific AKS cluster | 443 |
+
+**Azure Government cloud**
The following table lists the proxy and firewall configuration information for Azure US Government:
-|Agent resource|Port |Description |
+|Agent resource| Purpose | Port |
|--||-|
-| `*.ods.opinsights.azure.us` | 443 | Data ingestion |
-| `*.oms.opinsights.azure.us` | 443 | OMS onboarding |
-| `dc.services.visualstudio.com` | 443 | For agent telemetry that uses Azure Public Cloud Application Insights |
+| `*.ods.opinsights.azure.us` | Data ingestion | 443 |
+| `*.oms.opinsights.azure.us` | OMS onboarding | 443 |
+| `dc.services.visualstudio.com` | For agent telemetry that uses Azure Public Cloud Application Insights | 443 |
+
+The following table lists the additional firewall configuration required for managed identity authentication.
+
+|Agent resource| Purpose | Port |
+|--|||
+| `global.handler.control.monitor.azure.us` | Access control service | 443 |
+| `<cluster-region-name>.handler.control.monitor.azure.us` | Fetch data collection rules for specific AKS cluster | 443 |
++
+## Authentication
+Container Insights now supports authentication using managed identity (preview). This is a secure and simplified authentication model where the monitoring agent uses the clusterΓÇÖs managed identity to send data to Azure Monitor. It replaces the existing legacy certificate-based local authentication and removes the requirement of adding a *Monitoring Metrics Publisher* role to the cluster.
+
+> [!NOTE]
+> Container Insights preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. Container Insights previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see [Frequently asked questions about Azure Kubernetes Service (AKS)](../../aks/faq.md).
## Agent
-Container insights relies on a containerized Log Analytics agent for Linux. This specialized agent collects performance and event data from all nodes in the cluster, and the agent is automatically deployed and registered with the specified Log Analytics workspace during deployment.
+
+### Azure Monitor agent
+When using managed identity authentication (preview), Container insights relies on a containerized Azure Monitor agent for Linux. This specialized agent collects performance and event data from all nodes in the cluster, and the agent is automatically deployed and registered with the specified Log Analytics workspace during deployment.
++
+### Log Analytics agent
+When not using managed identity authentication, Container insights relies on a containerized Log Analytics agent for Linux. This specialized agent collects performance and event data from all nodes in the cluster, and the agent is automatically deployed and registered with the specified Log Analytics workspace during deployment.
The agent version is *microsoft/oms:ciprod04202018* or later, and it's represented by a date in the following format: *mmddyyyy*. When a new version of the agent is released, it's automatically upgraded on your managed Kubernetes clusters that are hosted on Azure Kubernetes Service (AKS). To track which versions are released, see [agent release announcements](https://github.com/microsoft/docker-provider/tree/ci_feature_prod).
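Review bot: the managed-identity firewall tables use separator rows of `|--|||`, which have empty cells; GitHub-flavored Markdown needs at least one hyphen per column, so write `|--|--|--|` (the China/Government tables' `|--||-|` have the same problem in the middle column). In the Authentication section, "clusterΓÇÖs" is a mis-encoded apostrophe; use `cluster's`. That section says the managed identity replaces certificate-based local authentication and removes the *Monitoring Metrics Publisher* role requirement, but not what the cluster identity is granted instead; a sentence on that permission (or a link) is what someone doing a least-privilege review needs. The two Agent sub-sections repeat "This specialized agent collects performance and event data from all nodes in the cluster, and the agent is automatically deployed and registered with the specified Log Analytics workspace during deployment" verbatim; state it once. And the agent-version paragraph that follows (*microsoft/oms:ciprod04202018*, release announcements) now sits under the Log Analytics agent only, so say where Azure Monitor agent versions are tracked or that it doesn't apply.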
To enable Container insights, use one of the methods that's described in the fol
| Deployment state | Method | ||--|
-| New Kubernetes cluster | [Enable monitoring for a new AKS cluster using the Azure CLI](../../aks/learn/quick-kubernetes-deploy-cli.md)|
+| New Kubernetes cluster | [Enable monitoring for a new AKS cluster using the Azure CLI](../../aks/learn/quick-kubernetes-deploy-cli.md) |
| | [Enable for a new AKS cluster by using the open-source tool Terraform](container-insights-enable-new-cluster.md#enable-using-terraform)| | | [Enable for a new OpenShift cluster by using an Azure Resource Manager template](container-insights-azure-redhat-setup.md#enable-for-a-new-cluster-using-an-azure-resource-manager-template) | | | [Enable for a new OpenShift cluster by using the Azure CLI](/azure/openshift/#az-openshift-create) |
-| Existing AKS cluster | [Enable monitoring for an existing AKS cluster using the Azure CLI](container-insights-enable-existing-clusters.md#enable-using-azure-cli) |
-| |[Enable for an existing AKS cluster using Terraform](container-insights-enable-existing-clusters.md#enable-using-terraform) |
-| | [Enable for an existing AKS cluster from Azure Monitor](container-insights-enable-existing-clusters.md#enable-from-azure-monitor-in-the-portal)|
-| | [Enable directly from an AKS cluster in the Azure portal](container-insights-enable-existing-clusters.md#enable-directly-from-aks-cluster-in-the-portal)|
-| | [Enable for AKS cluster using an Azure Resource Manager template](container-insights-enable-existing-clusters.md#enable-using-an-azure-resource-manager-template)|
-| Existing non-AKS Kubernetes cluster | [Enable for non-AKS Kubernetes cluster hosted outside of Azure and enabled with Azure Arc using the Azure CLI](container-insights-enable-arc-enabled-clusters.md#create-extension-instance-using-azure-cli). |
-| | [Enable for non-AKS Kubernetes cluster hosted outside of Azure and enabled with Azure Arc using a preconfigured Azure Resource Manager template](container-insights-enable-arc-enabled-clusters.md#create-extension-instance-using-azure-resource-manager) |
-| | [Enable for non-AKS Kubernetes cluster hosted outside of Azure and enabled with Azure Arc from the multicluster page Azure Monitor](container-insights-enable-arc-enabled-clusters.md#create-extension-instance-using-azure-portal) |
+| Existing AKS cluster | [Enable monitoring for an existing AKS cluster using the Azure CLI](container-insights-enable-existing-clusters.md?tabs=azure-powershell) |
+| | [Enable for an existing AKS cluster using Terraform](container-insights-enable-existing-clusters.md?tabs=terraform) |
+| | [Enable for an existing AKS cluster from Azure Monitor portal](container-insights-enable-existing-clusters.md?tabs=portal-azure-monitor)|
+| | [Enable directly from an AKS cluster in the Azure portal](container-insights-enable-existing-clusters.md?tabs=portal-aks)|
+| | [Enable for AKS cluster using an Azure Resource Manager template](container-insights-enable-existing-clusters.md?tabs=aks)|
+| Existing non-AKS Kubernetes cluster | [Enable for non-AKS Kubernetes cluster hosted outside of Azure and enabled with Azure Arc using the Azure CLI](container-insights-enable-arc-enabled-clusters.md?tabs=create-cli#create-extension-instance). |
+| | [Enable for non-AKS Kubernetes cluster hosted outside of Azure and enabled with Azure Arc using a preconfigured Azure Resource Manager template](container-insights-enable-arc-enabled-clusters.md?tabs=create-arm#create-extension-instance) |
+| | [Enable for non-AKS Kubernetes cluster hosted outside of Azure and enabled with Azure Arc from the multicluster page Azure Monitor](container-insights-enable-arc-enabled-clusters.md?tabs=create-portal#create-extension-instance) |
## Next steps Once you've enabled monitoring, you can begin analyzing the performance of your Kubernetes clusters that are hosted on Azure Kubernetes Service (AKS), Azure Stack, or another environment. To learn how to use Container insights, see [View Kubernetes cluster performance](container-insights-analyze.md).
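Review bot: two links in the Existing AKS cluster rows point at the wrong tab: "Enable monitoring for an existing AKS cluster using the Azure CLI" links to `?tabs=azure-powershell`, and "Enable for AKS cluster using an Azure Resource Manager template" links to `?tabs=aks`, while the tab id introduced in the existing-clusters article is `#tab/arm`. Point them at the CLI tab and `?tabs=arm` respectively.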
azure-monitor Data Platform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/data-platform.md
na Previously updated : 07/19/2022 Last updated : 07/28/2022
Read more about distributed tracing at [What is distributed tracing?](app/distri
[Changes](./change/change-analysis-visualizations.md) are a series of events that occur in your Azure application, from the infrastructure layer through application deployment. Changes are traced on a subscription-level using [the Change Analysis tool](./change/change-analysis.md). The Change Analysis tool increases observability by building on the power of [Azure Resource Graph](../governance/resource-graph/overview.md) to provide detailed insights into your application changes.
-Once [Change Analysis is enabled](./change/change-analysis-enable.md), the `Microsoft.ChangeAnalysis` resource provider is registered with an Azure Resource Manager subscription to make the tracked properties and proxied settings change data available. Change Analysis' [integrations with Monitoring and Diagnostics tools](./change/change-analysis-visualizations.md) provide data for various management and troubleshooting scenarios to help users understand what changes might have caused the issues.
+Once [Change Analysis is enabled](./change/change-analysis-enable.md), the `Microsoft.ChangeAnalysis` resource provider is registered with an Azure Resource Manager subscription to make the resource properties and configuration change data available. Change Analysis provides data for various management and troubleshooting scenarios to help users understand what changes might have caused the issues:
+- Troubleshoot your application via the [Diagnose & solve problems tool](./change/change-analysis-enable.md).
+- Perform general management and monitoring via the [Change Analysis standalone UI](./change/change-analysis-visualizations.md#the-change-analysis-standalone-ui) and [the activity log](./change/change-analysis-visualizations.md#activity-log-change-history).
+- [Learn more about how to view data results for other scenarios](./change/change-analysis-visualizations.md).
Read more about Change Analysis, including data sources in [Use Change Analysis in Azure Monitor](./change/change-analysis.md).
azure-monitor Solutions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/insights/solutions.md
Monitoring solutions can contain multiple types of Azure resources. You can view
To list the monitoring solutions installed in your subscription:
-1. Go to the [Azure portal](https://portal.azure.com). Search for and select **Solutions**.
+1.Select the **Solutions** menu in the Azure portal.
Solutions installed in all your workspaces are listed. The name of the solution is followed by the name of the workspace where it's installed. 1. Use the dropdown boxes at the top of the screen to filter by subscription or resource group.
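Review bot: `1.Select the **Solutions** menu` has no space after the period, so Markdown won't render it as a list item; write `1. Select`. The removed line also told the reader where the menu is (search for **Solutions** in the Azure portal); keep that hint in the new wording.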
You can remove any installed monitoring solution, except **LogManagment**, which
### [Portal](#tab/portal)
-To remove an installed solution by using the portal, find it in the [list of installed solutions](#list-installed-monitoring-solutions). Select the name of the solution to open its summary page, and then select **Delete**.
+To remove an installed solution by using the portal, find it in the [list of installed solutions](#list-installed-monitoring-solutions). Select the name of the solution for the workspace you want to remove it from to open its summary page, and then select **Delete**.
### [Azure CLI](#tab/azure-cli)
azure-monitor Monitor Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/monitor-reference.md
The following table lists Azure services and the data they collect into Azure Mo
| [Azure Analysis Services](../analysis-services/index.yml) | Microsoft.AnalysisServices/servers | [**Yes**](./essentials/metrics-supported.md#microsoftanalysisservicesservers) | [**Yes**](./essentials/resource-logs-categories.md#microsoftanalysisservicesservers) | | | | [API Management](../api-management/index.yml) | Microsoft.ApiManagement/service | [**Yes**](./essentials/metrics-supported.md#microsoftapimanagementservice) | [**Yes**](./essentials/resource-logs-categories.md#microsoftapimanagementservice) | | | | [Azure App Configuration](../azure-app-configuration/index.yml) | Microsoft.AppConfiguration/configurationStores | [**Yes**](./essentials/metrics-supported.md#microsoftappconfigurationconfigurationstores) | [**Yes**](./essentials/resource-logs-categories.md#microsoftappconfigurationconfigurationstores) | | |
- | [Azure Spring Cloud](../spring-cloud/overview.md) | Microsoft.AppPlatform/Spring | [**Yes**](./essentials/metrics-supported.md#microsoftappplatformspring) | [**Yes**](./essentials/resource-logs-categories.md#microsoftappplatformspring) | | |
+ | [Azure Spring Apps](../spring-apps/overview.md) | Microsoft.AppPlatform/Spring | [**Yes**](./essentials/metrics-supported.md#microsoftappplatformspring) | [**Yes**](./essentials/resource-logs-categories.md#microsoftappplatformspring) | | |
| [Azure Attestation Service](../attestation/overview.md) | Microsoft.Attestation/attestationProviders | No | [**Yes**](./essentials/resource-logs-categories.md#microsoftattestationattestationproviders) | | | | [Azure Automation](../automation/index.yml) | Microsoft.Automation/automationAccounts | [**Yes**](./essentials/metrics-supported.md#microsoftautomationautomationaccounts) | [**Yes**](./essentials/resource-logs-categories.md#microsoftautomationautomationaccounts) | | | | [Azure VMware Solution](../azure-vmware/index.yml) | Microsoft.AVS/privateClouds | [**Yes**](./essentials/metrics-supported.md#microsoftavsprivateclouds) | [**Yes**](./essentials/resource-logs-categories.md#microsoftavsprivateclouds) | | |
azure-monitor Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/overview.md
description: Overview of Microsoft services and functionalities that contribute
Previously updated : 04/27/2022 Last updated : 07/25/2022
Azure Monitor uses a version of the [Kusto Query Language](/azure/kusto/query/)
![Diagram that shows logs data flowing into Log Analytics for analysis.](media/overview/logs.png)
-Change Analysis alerts you to live site issues, outages, component failures, or other change data. It also provides insights into those application changes, increases observability, and reduces the mean time to repair. You automatically register the `Microsoft.ChangeAnalysis` resource provider with an Azure Resource Manager subscription by going to Change Analysis via the Azure portal. For web app in-guest changes, you can enable Change Analysis by using the [Diagnose and solve problems tool](./change/change-analysis-visualizations.md#diagnose-and-solve-problems-tool).
+Change Analysis alerts you to live site issues, outages, component failures, or other change data. It also provides insights into those application changes, increases observability, and reduces the mean time to repair. You automatically register the `Microsoft.ChangeAnalysis` resource provider with an Azure Resource Manager subscription by going to Change Analysis via the Azure portal. For web app in-guest changes, you can enable Change Analysis by using the [Diagnose and solve problems tool](./change/change-analysis-enable.md#enable-web-app-in-guest-change-collection-via-azure-portal).
Change Analysis builds on [Azure Resource Graph](../governance/resource-graph/overview.md) to provide a historical record of how your Azure resources have changed over time. It detects managed identities, platform operating system upgrades, and hostname changes. Change Analysis securely queries IP configuration rules, TLS settings, and extension versions to provide more detailed change data.
Azure resources generate a significant amount of monitoring data. Azure Monitor
| Metrics | Metrics are numerical values that describe some aspect of a system at a particular point in time. They are collected at regular intervals and are identified with a timestamp, a name, a value, and one or more defining labels. Metrics can be aggregated using a variety of algorithms, compared to other metrics, and analyzed for trends over time.<br><br>Metrics in Azure Monitor are stored in a time-series database which is optimized for analyzing time-stamped data. For more information, see [Azure Monitor Metrics](essentials/data-platform-metrics.md). | | Logs | [Logs](logs/data-platform-logs.md) are events that occurred within the system. They can contain different kinds of data and may be structured or free form text with a timestamp. They may be created sporadically as events in the environment generate log entries, and a system under heavy load will typically generate more log volume.<br><br>Logs in Azure Monitor are stored in a Log Analytics workspace that's based on [Azure Data Explorer](/azure/data-explorer/) which provides a powerful analysis engine and [rich query language](/azure/kusto/query/). For more information, see [Azure Monitor Logs](logs/data-platform-logs.md). | | Distributed traces | Traces are series of related events that follow a user request through a distributed system. They can be used to determine behavior of application code and the performance of different transactions. While logs will often be created by individual components of a distributed system, a trace measures the operation and performance of your application across the entire set of components.<br><br>Distributed tracing in Azure Monitor is enabled with the [Application Insights SDK](app/distributed-tracing.md), and trace data is stored with other application log data collected by Application Insights and stored in Azure Monitor Logs. For more information, see [What is Distributed Tracing?](app/distributed-tracing.md). |
+| Changes | Changes are a series of events that occur in your Azure application and resources. Change Analysis is a subscription-level observability tool that's built on the power of Azure Resource Graph. <br><br> Once Change Analysis is enabled, the `Microsoft.ChangeAnalysis` resource provider is registered with an Azure Resource Manager subscription. Change Analysis' integrations with Monitoring and Diagnostics tools provide data to help users understand what changes might have caused the issues. Read more about Change Analysis in [Use Change Analysis in Azure Monitor](./change/change-analysis.md). |
> [!NOTE]
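Review bot: the new `Changes` row in this table describes a product and its onboarding rather than the data type, which is what the `Metrics`, `Logs` and `Distributed traces` rows do: `Change Analysis is a subscription-level observability tool that's built on the power of Azure Resource Graph` is marketing copy, and `what changes might have caused the issues` refers to issues the table never introduced. Keep the row to what a change record is and where the data is stored, move the `Microsoft.ChangeAnalysis` resource-provider registration detail (a subscription-scope write that readers need to plan for) into the linked Change Analysis article, and end with `For more information, see ...` as the other three rows do.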
azure-monitor Profiler Cloudservice https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-cloudservice.md
In this article, you will:
## Track requests with Application Insights
-When publishing your CloudService to Azure portal, add the [Application Insights SDK to Azure Cloud Services](../app/cloudservices.md).
+When publishing your CloudService to Azure portal, add the [Application Insights SDK to Azure Cloud Services](../app/azure-web-apps-net-core.md).
:::image type="content" source="./media/profiler-cloudservice/enable-app-insights.png" alt-text="Screenshot showing the checkbox for sending information to Application Insights.":::
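Review bot: the link text and its target now disagree: the text still reads `Application Insights SDK to Azure Cloud Services`, but the `+` line retargets it to `../app/azure-web-apps-net-core.md`, an App Service article, where the `-` line pointed at `../app/cloudservices.md`. If `cloudservices.md` was removed or redirected, either change the link text to describe the new target or point at the article that actually covers adding the SDK to a Cloud Service role; as written, a reader of the Cloud Services profiler page lands on Web Apps instructions.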
azure-monitor Vminsights Configure Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/vm/vminsights-configure-workspace.md
Previously updated : 06/07/2022 Last updated : 06/22/2022 # Configure Log Analytics workspace for VM insights VM insights collects its data from one or more Log Analytics workspaces in Azure Monitor. Prior to onboarding agents, you must create and configure a workspace. This article describes the requirements of the workspace and to configure it for VM insights.
+> [!IMPORTANT]
+> Configuration of the Log Analytics workspace is only required for using VM insights with virtual machines using Log Analytics agent. Virtual machines using Azure Monitor agent do not use the *VMInsights* solution that's installed in this configuration. To support Azure Monitor agent, a standard Log Analytics workspace just needs be created as described in [Create Log Analytics workspace](#create-log-analytics-workspace).
+ ## Overview A single subscription can use any number of workspaces depending on your requirements. The only requirement of the workspace is that it be located in a supported location and be configured with the *VMInsights* solution.
Access Log Analytics workspaces in the Azure portal from the **Log Analytics wor
[![Log Anlytics workspaces](media/vminsights-configure-workspace/log-analytics-workspaces.png)](media/vminsights-configure-workspace/log-analytics-workspaces.png#lightbox)
-You can create a new Log Analytics workspace using any of the following methods. See Design a Log Analytics workspace configuration(../logs/workspace-design.md) for guidance on determining the number of workspaces you should use in your environment and how to design their access strategy.
+You can create a new Log Analytics workspace using any of the following methods. See [Design a Log Analytics workspace configuration](../logs/workspace-design.md) for guidance on determining the number of workspaces you should use in your environment and how to design their access strategy.
* [Azure portal](../logs/quick-create-workspace.md)
New-AzResourceGroupDeployment -Name ConfigureWorkspace -ResourceGroupName my-res
+## Remove VMInsights solution from workspace
+If you have completely migrated your virtual machines to Azure Monitor agent and no longer want to support virtual machines with the Log Analytics agent in your workspace, then you should remove the *VMInisghts* solution from the workspace. This will ensure that you don't collect data from any Log Analytics agents that inadvertently remain.
+
+To remove the *VMInsights*solution, use the same process as [removing any other solution from a workspace](../insights/solutions.md#remove-a-monitoring-solution).
+
+1. Select the **Solutions** menu in the Azure portal.
+2. Locate the *VMInsights* solution for your workspace and select it to view its detail.
+3. Click **Delete**
## Next steps - See [Onboard agents to VM insights](vminsights-enable-overview.md) to connect agents to VM insights.
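Review bot: the claim in the new `Remove VMInsights solution from workspace` section that removing the solution `will ensure that you don't collect data from any Log Analytics agents that inadvertently remain` is overstated: an agent still connected to the workspace keeps sending its heartbeat and whatever else the workspace is configured to collect; removing the solution only stops the VM insights collection. Say `VM insights data`, and add the step a reader actually needs before this one, which is to find the leftover agents (the `Heartbeat` query in the enable-overview article does that) and uninstall them. Also fix `VMInisghts` and `*VMInsights*solution` (missing space) in the `+` lines, and `just needs be created` in the IMPORTANT box.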
azure-monitor Vminsights Enable Hybrid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/vm/vminsights-enable-hybrid.md
This article describes how to enable VM insights for a virtual machine outside o
> [!IMPORTANT] > The recommended method of enabling hybrid VMs is first enabling [Azure Arc for servers](../../azure-arc/servers/overview.md) so that the VMs can be enabled for VM insights using processes similar to Azure VMs. This article describes how to onboard hybrid VMs if you choose not to use Azure Arc. ++ ## Prerequisites - [Create and configure a Log Analytics workspace](./vminsights-configure-workspace.md).
azure-monitor Vminsights Enable Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/vm/vminsights-enable-overview.md
description: Learn how to deploy and configure VM insights. Find out the system
Previously updated : 06/08/2022 Last updated : 06/24/2022
This article provides an overview of the options available to enable VM insights
- Virtual machines hosted in another cloud environment. ## Installation options and supported machines
-The following table shows the installation methods available for different supported machines.
+The following table shows the installation methods available for enabling VM insights on supported machines.
| Method | Scope | |:|:|
-| [Azure portal](vminsights-enable-portal.md) | Single Azure virtual machine, Azure virtual machine scale set, or Azure Arc machine |
-| [Azure Policy](vminsights-enable-policy.md) | Multiple Azure virtual machines, Azure virtual machine scale sets, or Azure Arc machines |
-| [PowerShell](vminsights-enable-powershell.md) | Multiple Azure virtual machines, Azure virtual machine scale sets, or Azure Arc machines |
-| [Manual install](vminsights-enable-hybrid.md) | Virtual machines or physical computers on-premises other cloud environments |
+| [Azure portal](vminsights-enable-portal.md) | Enable individual machines with the Azure portal. |
+| [Azure Policy](vminsights-enable-policy.md) | Create policy to automatically enable when a supported machine is created. |
+| [Resource Manager templates](../vm/vminsights-enable-resource-manager.md) | Enable multiple machines using any of the supported methods to deploy a Resource Manager template such as CLI and PowerShell. |
+| [PowerShell](vminsights-enable-powershell.md) | Use a PowerShell script to enable multiple machines. Log Analytics agent only. |
+| [Manual install](vminsights-enable-hybrid.md) | Virtual machines or physical computers on-premises other cloud environments. Log Analytics agent only |
## Supported Azure Arc machines VM insights is available for Azure Arc-enabled servers in regions where the Arc extension service is available. You must be running version 0.9 or above of the Arc Agent.
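Review bot: the rewritten `Scope` column drops information the old rows carried: the `-` rows said what each method applies to (Azure VM, scale set, Arc machine), while the `+` rows describe the method and only the PowerShell and Manual rows say which agent they support. The Azure portal, Azure Policy and Resource Manager rows should state whether they support Azure Monitor agent, Log Analytics agent or both, since that is the decision the reader is making. Also `Virtual machines or physical computers on-premises other cloud environments.` is missing `or in`, and `Log Analytics agent only` in the Manual row is missing its period.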
-| Connected source | Supported | Description |
-|:--|:--|:--|
-| Windows agents | Yes | Along with the [Log Analytics agent for Windows](../agents/log-analytics-agent.md), Windows agents need the Dependency agent. For more information, see [supported operating systems](../agents/agents-overview.md#supported-operating-systems). |
-| Linux agents | Yes | Along with the [Log Analytics agent for Linux](../agents/log-analytics-agent.md), Linux agents need the Dependency agent. For more information, see [supported operating systems](#supported-operating-systems). |
-| System Center Operations Manager management group | No | |
- ## Supported operating systems
-VM insights supports any operating system that supports the Log Analytics agent and Dependency agent. See [Overview of Azure Monitor agents
+VM insights supports any operating system that supports the Dependency agent and either the Azure Monitor agent (preview) or Log Analytics agent. See [Overview of Azure Monitor agents
](../agents/agents-overview.md#supported-operating-systems) for a complete list. > [!IMPORTANT] > If the ethernet device for your virtual machine has more than nine characters, then it won’t be recognized by VM insights and data won’t be sent to the InsightsMetrics table. The agent will collect data from [other sources](../agents/agent-data-sources.md).
-> [!IMPORTANT]
-> The VM insights guest health feature has more limited operating system support while it's in public preview. See [Enable VM insights guest health (preview)](../vm/vminsights-health-enable.md) for a detailed list.
### Linux considerations See the following list of considerations on Linux support of the Dependency agent that supports VM insights:
VM insights requires a Log Analytics workspace. See [Configure Log Analytics wor
> [!NOTE] > VM Insights does not support sending data to more than one Log Analytics workspace (multi-homing). > +
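Review bot: deleting the `Connected source` table (together with the NOTE further down that said agents connected through a management group connection cannot be monitored) removes the only statements in this article that System Center Operations Manager management-group connections are not supported, and the replacement sentence `VM insights supports any operating system that supports the Dependency agent and either the Azure Monitor agent (preview) or Log Analytics agent` covers operating systems only. Keep a one-line statement of that limitation under `## Supported operating systems` or `## Agents`. The `(preview)` qualifier here should also use the same wording as the IMPORTANT box later in the file, which says `currently in public preview`.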
+## Network requirements
+
+- See [Network requirements](../agents/log-analytics-agent.md#network-requirements) for the network requirements for the Log Analytics agent.
+- The dependency agent requires a connection from the virtual machine to the address 169.254.169.254. This is the Azure metadata service endpoint. Ensure that firewall settings allow connections to this endpoint.
+ ## Agents
-When you enable VM insights for a machine, the following two agents are installed. See [Network requirements](../agents/log-analytics-agent.md#network-requirements) for the network requirements for these agents.
+When you enable VM insights for a machine, the following agents are installed. See [Network requirements](../agents/log-analytics-agent.md#network-requirements) for the network requirements for these agents.
-- [Log Analytics agent](../agents/log-analytics-agent.md). Collects events and performance data from the virtual machine or virtual machine scale set and delivers it to the Log Analytics workspace. Deployment methods for the Log Analytics agent on Azure resources use the VM extension for [Windows](../../virtual-machines/extensions/oms-windows.md) and [Linux](../../virtual-machines/extensions/oms-linux.md).-- Dependency agent. Collects discovered data about processes running on the virtual machine and external process dependencies, which are used by the [Map feature in VM insights](../vm/vminsights-maps.md). The Dependency agent relies on the Log Analytics agent to deliver its data to Azure Monitor. Deployment methods for the Dependency agent on Azure resources use the VM extension for [Windows](../../virtual-machines/extensions/agent-dependency-windows.md) and [Linux](../../virtual-machines/extensions/agent-dependency-linux.md).
+> [!IMPORTANT]
+> VM insights support for Azure Monitor agent is currently in public preview. Azure Monitor agent includes several advantages over Log Analytics agent, and is the preferred agent for virtual machines and virtual machine scale sets. See [Migrate to Azure Monitor agent from Log Analytics agent](../agents/azure-monitor-agent-migration.md) for comparison of the agent and information on migrating.
-> [!NOTE]
-> The Log Analytics agent is the same agent used by System Center Operations Manager. VM insights can monitor agents that are also monitored by Operations Manager if they are directly connected, and you install the Dependency agent on them. Agents connected to Azure Monitor through a [management group connection](../tform/../agents/om-agents.md) cannot be monitored by VM insights.
+- [Azure Monitor agent](../agents/azure-monitor-agent-overview.md) or [Log Analytics agent](../agents/log-analytics-agent.md). Collects data from the virtual machine or virtual machine scale set and delivers it to the Log Analytics workspace.
+- Dependency agent. Collects discovered data about processes running on the virtual machine and external process dependencies, which are used by the [Map feature in VM insights](../vm/vminsights-maps.md). The Dependency agent relies on the Azure Monitor agent or Log Analytics agent to deliver its data to Azure Monitor.
-The following are multiple methods for deploying these agents.
+## Changes for Azure Monitor agent
+There are several changes in the process for enabling VM insights when using the Azure Monitor agent.
-| Method | Description |
-|:|:|
-| [Azure portal](../vm/vminsights-enable-portal.md) | Install both agents on a single virtual machine, virtual machine scale set, or hybrid virtual machines connected with Azure Arc. |
-| [Resource Manager templates](../vm/vminsights-enable-resource-manager.md) | Install both agents using any of the supported methods to deploy a Resource Manager template including CLI and PowerShell. |
-| [Azure Policy](../vm/vminsights-enable-policy.md) | Assign Azure Policy initiative to automatically install the agents when a virtual machine or virtual machine scale set is created. |
-| [Manual install](../vm/vminsights-enable-hybrid.md) | Install the agents in the guest operating system on computers hosted outside of Azure including in your datacenter or other cloud environments. |
+**Workspace configuration.** You no longer need to [enable VM insights on the Log Analytics workspace](vminsights-configure-workspace.md) since the VMinsights management pack isn't used by Azure Monitor agent.
+**Data collection rule.** Azure Monitor agent uses [data collection rules](../essentials/data-collection-rule-overview.md) to configure its data collection. VM insights creates a data collection rule that is automtically deployed if you enable your machine using the Azure portal. If you use other methods to onboard your machines, then you may need to install the data collection rule first.
-## Network requirements
+**Agent deployment.** There are minor changes to the the process for onboarding virtual machines and virtual machine scale sets to VM insights in the Azure portal. You must now select which agent you want to use, and you must select a data collection rule for Azure Monitor agent. See [Enable VM insights in the Azure portal](vminsights-enable-portal.md) for details.
-- See [Network requirements](../agents/log-analytics-agent.md#network-requirements) for the network requirements for the Log Analytics agent.-- The dependency agent requires a connection from the virtual machine to the address 169.254.169.254. This is the Azure metadata service endpoint. Ensure that firewall settings allow connections to this endpoint.
+## Data collection rule (Azure Monitor agent)
+When you enable VM insights on a machine with the Azure Monitor agent you must specify a [data collection rule (DCR)](../essentials/data-collection-rule-overview.md) to use. The DCR specifies the data to collect and the workspace to use. VM insights creates a default DCR if one doesn't already exist. See [Enable VM insights for Azure Monitor agent
+](vminsights-enable-portal.md#enable-vm-insights-for-azure-monitor-agent) for more information on creating and editing the VM insights data collection rule.
-## Management packs
+> [!IMPORTANT]
+> It's not recommended to create your own DCR to support VM insights. The DCR created by VM insights includes a special data stream required for its operation. While you can edit this DCR to collect additional data such as Windows and Syslog events, you should create additional DCRs and associate with the machine.
+
+The DCR is defined by the options in the following table.
+
+| Option | Description |
+|:|:|
+| Guest performance | Specifies whether to collect performance data from the guest operating system. This is required for all machines. |
+| Processes and dependencies | Collected details about processes running on the virtual machine and dependencies between machines. This enables the [map feature in VM insights](vminsights-maps.md). This is optional and enables the [VM insights map feature](vminsights-maps.md) for the machine. |
+| Log Analytics workspace | Workspace to store the data. Only workspaces with VM insights will be listed. |
+
+## Management packs (Log Analytics agent)
When a Log Analytics workspace is configured for VM insights, two management packs are forwarded to all the Windows computers connected to that workspace. The management packs are named *Microsoft.IntelligencePacks.ApplicationDependencyMonitor* and *Microsoft.IntelligencePacks.VMInsights* and are written to *%Programfiles%\Microsoft Monitoring Agent\Agent\Health Service State\Management Packs*. The data source used by the *ApplicationDependencyMonitor* management pack is **%Program files%\Microsoft Monitoring Agent\Agent\Health Service State\Resources\<AutoGeneratedID>\Microsoft.EnterpriseManagement.Advisor.ApplicationDependencyMonitorDataSource.dll*. The data source used by the *VMInsights* management pack is *%Program files%\Microsoft Monitoring Agent\Agent\Health Service State\Resources\<AutoGeneratedID>\ Microsoft.VirtualMachineMonitoringModule.dll*.
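Review bot: the new `Data collection rule (Azure Monitor agent)` table contradicts the `Changes for Azure Monitor agent` section: `Log Analytics workspace | Workspace to store the data. Only workspaces with VM insights will be listed.` implies the workspace must still be enabled for VM insights, while `**Workspace configuration.**` says `You no longer need to enable VM insights on the Log Analytics workspace`. State which is true for the DCR workspace picker. In the same region, the `## Agents` lead-in still says `See [Network requirements]... for the network requirements for these agents` even though the new `## Network requirements` section directly above now covers both agents and the `169.254.169.254` metadata endpoint, so that sentence can go; the `Processes and dependencies` row says `This enables the map feature` twice; `you should create additional DCRs and associate with the machine` needs `them`. Typos in the `+` lines: `automtically`, `the the`, `VMinsights management pack`.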
+## Migrate from Log Analytics agent
+The Azure Monitor agent and the Log Analytics agent can both be installed on the same machine during migration. You should be careful that running both agents may lead to duplication of data and increased cost. If a machine has both agents installed, you'll have a warning in the Azure portal that you may be collecting duplicate data.
+
+> [!WARNING]
+> Collecting duplicate data from a single machine with both the Azure Monitor agent and Log Analytics agent can result in the following consequences:
+>
+> - Additional ingestion cost from sending duplicate data to the Log Analytics workspace.
+> - The map feature of VM insights may be inaccurate since it does not check for duplicate data.
++
+You must remove the Log Analytics agent yourself from any machines that are using it. Before you do this, ensure that the machine is not relying any other solutions that require the Log Analytics agent. See [Migrate to Azure Monitor agent from Log Analytics agent](../agents/azure-monitor-agent-migration.md) for details.
+
+After you verify that no Log Analytics agents are still connected to your Log Analytics workspace, you can [remove the VMInsights solution from the workspace](vminsights-configure-workspace.md#remove-vminsights-solution-from-workspace) which is no longer needed.
+
+> [!NOTE]
+> To check if you have any machines with both agents sending data to your Log Analytics workspace, run the following [log query](../logs/log-query-overview.md) in [Log Analytics](../logs/log-analytics-overview.md). This will show the last heartbeat for each computer. If a computer has both agents, then it will return two records each with a different `category`. The Azure Monitor agent will have a `category` of *Azure Monitor Agent*. The Log Analytics agent will have a `category` of *Direct Agent*.
+>
+> ```KQL
+> Heartbeat
+> | summarize max(TimeGenerated) by Computer, Category
+> | sort by Computer
+> ```
++ ## Diagnostic and usage data Microsoft automatically collects usage and performance data through your use of the Azure Monitor service. Microsoft uses this data to improve the quality, security, and integrity of the service.
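Review bot: the `Heartbeat` query in the NOTE never filters by time, so a Log Analytics agent that was uninstalled days ago still appears with its last heartbeat and the reader concludes both agents are present; add a window such as `| where TimeGenerated > ago(1h)` before the `summarize`. It also lists every computer's last heartbeat per agent, which on a large workspace means scanning for duplicates by eye; to return only machines with both agents, replace the `summarize` line with `| summarize dcount(Category) by Computer | where dcount_Category > 1`. The prose refers to the column as `category` while the query uses `Category`, and `ensure that the machine is not relying any other solutions` is missing `on`. The WARNING block here is duplicated verbatim at the end of the portal article's `Enable Azure Monitor agent on monitored machines` section; one of them can link to the other.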
azure-monitor Vminsights Enable Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/vm/vminsights-enable-policy.md
This article explains how to enable VM insights for Azure virtual machines or hy
If you're not familiar with Azure Policy, get a brief introduction at [Deploy Azure Monitor at scale using Azure Policy](../best-practices.md). + > [!NOTE] > To use Azure Policy with Azure virtual machine scale sets, or to work with Azure Policy directly to enable Azure virtual machines, see [Deploy Azure Monitor at scale using Azure Policy](../best-practices.md).
azure-monitor Vminsights Enable Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/vm/vminsights-enable-portal.md
Title: Enable Azure Monitor for single virtual machine or virtual machine scale set in the Azure portal
+ Title: Enable VM insights in the Azure portal
description: Learn how to enable VM insights on a single Azure virtual machine or virtual machine scale set using the Azure portal.
Last updated 06/08/2022
-# Enable Azure Monitor for single virtual machine or virtual machine scale set in the Azure portal
-This article describes how to enable VM insights for a virtual machine or virtual machine scale set using the Azure portal. This procedure can be used for the following:
+# Enable VM insights in the Azure portal
+This article describes how to enable VM insights using the Azure portal for the following :
- Azure virtual machine - Azure virtual machine scale set
This article describes how to enable VM insights for a virtual machine or virtua
## Prerequisites -- [Create and configure a Log Analytics workspace](./vminsights-configure-workspace.md). Alternatively, you can create a new workspace during this process.
+- [Create a Log Analytics workspace](./vminsights-configure-workspace.md). You can create a new workspace during this process, but you should use an existing workspace if you already have one. See [Log Analytics workspace overview](../logs/log-analytics-workspace-overview.md) and [Design a Log Analytics workspace architecture](../logs/workspace-design.md) for more information.
- See [Supported operating systems](./vminsights-enable-overview.md#supported-operating-systems) to ensure that the operating system of the virtual machine or virtual machine scale set you're enabling is supported.
+- See [Manage the Azure Monitor agent](../agents/azure-monitor-agent-manage.md#prerequisites) for prerequisites related to Azure Monitor agent.
-## Enable VM insights
-From the Azure portal, select **Virtual machines**, **Virtual machine scale sets**, or **Servers - Azure Arc** and select a resource from the list. In the **Monitoring** section of the menu, select **Insights** and then **Enable**. The following example shows an Azure virtual machine, but the menu is similar for Azure virtual machine scale set or Azure Arc.
+> [!NOTE]
+> This process describes enabling VM insights from the **Monitor** menu in the Azure portal. You can perform the same process from the **Insights** menu for a particular virtual machine or virtual machine scale set.
+
+## View monitored and unmonitored machines
+Open VM insights by selecting **Virtual Machines** from the **Monitor** menu in the Azure portal. The **Overview** page lists all of the virtual machines and virtual machine scale sets in the selected subscriptions. Machines will either be included in the **Monitored** or **Not monitored** tab depending on whether the machine is currently being monitored by VM insights.
-![Enable VM insights for a VM](media/vminsights-enable-portal/enable-vminsights-vm-portal.png)
+A machine may be listed in **Not monitored** even though it has the Azure Monitor or Log Analytics agent installed but has not been enabled for VM insights. If a virtual machine has the Log Analytics agent installed but not the Dependency agent, it will be listed as not monitored. In this case, the Azure Monitor agent will be started without being given the option for the Log Analytics agent.
+
+> [!NOTE]
+> **Data collection rule** column has replaced the **Workspace** column on the **Overview** page to support the [Azure Monitor agent](vminsights-enable-overview.md#agents). This either shows the data collection rules used by the Azure Monitor agent for each machine, or it gives the option to configure with the Azure Monitor agent.
-If the virtual machine isn't already connected to a Log Analytics workspace, then you'll be prompted to select one. If you haven't previously [created a workspace](../logs/quick-create-workspace.md), then you can select a default for the location where the virtual machine or virtual machine scale set is deployed in the subscription. This workspace will be created and configured if it doesn't already exist. If you select an existing workspace, it will be configured for VM insights if it wasn't already.
+## Enable VM insights for Azure Monitor agent
> [!NOTE]
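Review bot: the sentence `In this case, the Azure Monitor agent will be started without being given the option for the Log Analytics agent.` in the `Not monitored` paragraph does not parse; if the intent is that a machine with a Log Analytics agent but no Dependency agent is offered only the Azure Monitor agent path when you enable it, say that. The NOTE about the `Data collection rule` column says it `either shows the data collection rules ... or it gives the option to configure with the Azure Monitor agent`, but machines monitored by the Log Analytics agent have a workspace and no DCR, so state what the column shows for them. Minor: `for the following :` in the intro has a space before the colon.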
-> If you select a workspace that wasn't previously configured for VM insights, the *VMInsights* management pack will be added to this workspace. This will be applied to any agent already connected to the workspace, whether or not it's enabled for VM insights. Performance data will be collected from these virtual machines and stored in the *InsightsMetrics* table.
+> A system-assigned managed identity will be added for a machine as part of the installation process of the Azure Monitor agent if one doesn't already exist.
+
+Use this procedure to enable an unmonitored virtual machine or virtual machine scale set using Azure Monitor agent.
+
+1. Select **Virtual Machines** from the **Monitor** menu in the Azure portal.
+
+1. From the **Overview** page, select **Not Monitored**.
+
+2. Click the **Enable** button next to any machine that you want to enable. If a machine is currently running, then you must start it to enable it.
+
+ :::image type="content" source="media/vminsights-enable-portal/enable-unmonitored.png" lightbox="media/vminsights-enable-portal/enable-unmonitored.png" alt-text="Screenshot with unmonitored machines in V M insights.":::
+
+3. Click **Enable** on the introduction page to view the configuration.
+
+4. Select **Azure Monitor agent** from the **Monitoring configuration** page and then select **Azure Monitor agent**.
+
+5. If a [data collection rule (DCR)](vminsights-enable-overview.md#data-collection-rule-azure-monitor-agent) hasn't already been created for unmonitored machines, then one will be created with the following details.
+
+ - **Guest performance** enabled.
+ - **Processes and dependencies** disabled.
+
+6. If you want this configuration, then click **Configure** to start the agent installation, or select a different data collection rule from the dropdown. Only data collection rules enabled for VM insights will be included.
+
+7. If you want a different configuration or want to use a different Log Analytics workspace, then click **Create new** to create a new data collection rule. This will allow you to select a workspace and specify whether you want to collect processes and dependencies to enable the [map feature in VM insights](vminsights-maps.md).
++
+6. Click **Configure** to start the configuration process. It will take several minutes for the agent to be installed and data to start being collected. You'll receive status messages as the configuration is performed.
+
+7. If you use a manual upgrade model for your virtual machine scale set, upgrade the instances to complete the setup. You can start the upgrades from the **Instances** page, in the **Settings** section.
++++
+## Enable VM insights for Log Analytics agent
+Use this procedure to enable an unmonitored virtual machine or virtual machine scale set using Log Analytics agent.
+
+1. Select **Virtual Machines** from the **Monitor** menu in the Azure portal.
+
+1. From the **Overview** page, select **Not Monitored**.
+
+2. Click the **Enable** button next to any machine that you want to enable. If a machine is currently running, then you must start it to enable it.
+
+
+3. Click **Enable** on the introduction page to view the configuration.
+
+4. Select **Azure Monitor agent** from the **Monitoring configuration** page and then select **Log Analytics agent**.
+
+5. If the virtual machine isn't already connected to a Log Analytics workspace, then you'll be prompted to select one. If you haven't previously [created a workspace](../logs/quick-create-workspace.md), then you can select a default for the location where the virtual machine or virtual machine scale set is deployed in the subscription. This workspace will be created and configured if it doesn't already exist. If you select an existing workspace, it will be configured for VM insights if it wasn't already.
+
+ > [!NOTE]
+ > If you select a workspace that wasn't previously configured for VM insights, the *VMInsights* management pack will be added to this workspace. This will be applied to any agent already connected to the workspace, whether or not it's enabled for VM insights. Performance data will be collected from these virtual machines and stored in the *InsightsMetrics* table.
+
+6. Click **Configure** to modify the configuration. The only option you can modify is the workspace. You will receive status messages as the configuration is performed.
+
+7. If you use a manual upgrade model for your virtual machine scale set, upgrade the instances to complete the setup. You can start the upgrades from the **Instances** page, in the **Settings** section.
++
+## Enable Azure Monitor agent on monitored machines
+Use this procedure to add the Azure Monitor agent to machines that are already enabled with the Log Analytics agent.
+
+1. Select **Virtual Machines** from the **Monitor** menu in the Azure portal.
+
+2. From the **Overview** page, select **Monitored**.
+
+3. Click **Configure using Azure Monitor agent** next to any machine that you want to enable. If a machine is currently running, then you must start it to enable it.
+
+ :::image type="content" source="media/vminsights-enable-portal/add-azure-monitor-agent.png" lightbox="media/vminsights-enable-portal/add-azure-monitor-agent.png" alt-text="Screenshot showing monitoring configuration to Azure Monitor agent to monitored machine.":::
-![Select workspace](media/vminsights-enable-portal/select-workspace.png)
-You will receive status messages as the configuration is performed.
+1. Follow the process described in [Enable VM insights for Azure Monitor agent
+](#enable-vm-insights-for-azure-monitor-agent) to select a data collection rule. The only difference is that the data collection rule hasn't created for monitored machines has **Processes and dependencies** enabled for backward compatibility with the Log Analytics agent.
+
+ :::image type="content" source="media/vminsights-enable-portal/enable-monitored-configure-azure-monitor-agent.png" lightbox="media/vminsights-enable-portal/enable-monitored-configure-azure-monitor-agent.png" alt-text="Screenshot showing monitoring configuration for Azure Monitor agent for monitored machine.":::
->[!NOTE]
->If you use a manual upgrade model for your virtual machine scale set, upgrade the instances to complete the setup. You can start the upgrades from the **Instances** page, in the **Settings** section.
+5. With both agents installed, a warning will be displayed indicating that you may be collecting duplicate data.
-![Enable VM insights monitoring deployment processing](media/vminsights-enable-portal/onboard-vminsights-vm-portal-status.png)
+ :::image type="content" source="media/vminsights-enable-portal/both-agents-installed.png" lightbox="media/vminsights-enable-portal/both-agents-installed.png" alt-text="Screenshot showing warning message for both agents installed":::
+ > [!WARNING]
+ > Collecting duplicate data from a single machine with both the Azure Monitor agent and Log Analytics agent can result in the following consequences:
+ >
+ > - Additional ingestion cost from sending duplicate data to the Log Analytics workspace.
+ > - The map feature of VM insights may be inaccurate since it does not check for duplicate data.
+ >
+ > See [Migrate from Log Analytics agent](vminsights-enable-overview.md#migrate-from-log-analytics-agent).
+4. Once you've verified that the Azure Monitor agent has been enabled, remove the Log Analytics agent from the machine to prevent duplicate data collection.
## Next steps
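Review bot: `If a machine is currently running, then you must start it to enable it.` (repeated in all three procedures) is inverted; it should read `If a machine is not currently running, you must start it before you can enable it.` Step 4 of the Azure Monitor agent procedure, `Select **Azure Monitor agent** from the **Monitoring configuration** page and then select **Azure Monitor agent**`, selects the same thing twice; the Log Analytics procedure's step 4 shows the first selection is meant to be the configuration option and the second the agent. In the monitored-machines procedure, `the data collection rule hasn't created for monitored machines has **Processes and dependencies** enabled` is missing words (`the data collection rule created for monitored machines has ...`). Step numbering is broken in all three lists (1, 1, 2 ... 7, 6, 7 and 1, 2, 3, 1, 5, 4). The NOTE that `A system-assigned managed identity will be added for a machine ... if one doesn't already exist` is a permissions change to the VM, which gets its own Azure AD principal; it belongs in Prerequisites, where someone who restricts managed identities will see it before clicking Enable.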
azure-monitor Vminsights Enable Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/vm/vminsights-enable-powershell.md
This article describes how to enable VM insights on Azure virtual machines using
- Azure virtual machine - Azure virtual machine scale set
+> [!NOTE]
+> This article only applies to the Log Analytics agent. To enable VM insights with the Azure monitor agent, use other installation methods described in [Enable VM insights overview](vminsights-enable-overview.md).
## Prerequisites - [Create and configure a Log Analytics workspace](./vminsights-configure-workspace.md).
To enable VM insights for multiple VMs or virtual machine scale sets, use the Po
- The scoped resource group that's specified by *ResourceGroup*. - A single VM or virtual machine scale set that's specified by *Name*.
-For each virtual machine or virtual machine scale set, the script verifies whether the VM extension for the Log Analytics agent and Dependency agent are already installed. If both extensions are installed, the script tries to reinstall it. If both extensions aren't installed, the script installs them.
+For each virtual machine or virtual machine scale set, the script verifies whether the VM extension for the Log Analytics agent and Dependency agent is already installed. If both extensions are installed, the script tries to reinstall it. If both extensions aren't installed, the script installs them.
Verify you are using Azure PowerShell module Az version 1.0.0 or later with `Enable-AzureRM` compatibility aliases enabled. Run `Get-Module -ListAvailable Az` to find the version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-az-ps). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.
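Review bot: changing `are` to `is` leaves the real ambiguity in `If both extensions are installed, the script tries to reinstall it. If both extensions aren't installed, the script installs them.`: `it` has no referent, and `both extensions aren't installed` can mean neither or only one. State the three cases (neither, one, both) and what the script does in each, since a reinstall of an already-present extension is something an operator would want to know about before running it at resource-group scope. `Azure monitor agent` in the new NOTE should be `Azure Monitor agent`.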
azure-monitor Vminsights Enable Resource Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/vm/vminsights-enable-resource-manager.md
This article describes how to enable VM insights for a virtual machine or virtua
## Prerequisites -- [Create and configure a Log Analytics workspace](./vminsights-configure-workspace.md).
+- [Create and configure a Log Analytics workspace](./vminsights-configure-workspace.md). The workspace must be in the same region as the data collection rule for Azure Monitor agent.
- See [Supported operating systems](./vminsights-enable-overview.md#supported-operating-systems) to ensure that the operating system of the virtual machine or virtual machine scale set you're enabling is supported.
+- See [Manage the Azure Monitor agent](../agents/azure-monitor-agent-manage.md#prerequisites) for prerequisites related to Azure Monitor agent.
## Resource Manager templates
+Azure Resource Manager templates are available for download that onboard virtual machines and virtual machine scale sets. A different set of templates is used for Azure Monitor agent and Log Analytics agent. The templates install the required agents and perform the configuration required to onboard to ma
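Review bot: the prerequisite `Create and configure a Log Analytics workspace` now conflicts with the overview article's IMPORTANT box, which says workspace configuration is only required for the Log Analytics agent; since this article adds a separate set of Azure Monitor agent templates, say that the VMInsights solution is required only for the Log Analytics agent templates. The added constraint `The workspace must be in the same region as the data collection rule for Azure Monitor agent` should also appear in the overview article's `Data collection rule (Azure Monitor agent)` section, which currently does not mention it.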