Updates from: 07/06/2021 03:03:08
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Configure Authentication Sample Android App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/configure-authentication-sample-android-app.md
+
+ Title: Configure authentication in a sample Android application using Azure Active Directory B2C
+description: Using Azure Active Directory B2C to sign in and sign up users in an Android application.
++++++ Last updated : 07/05/2021+++++
+# Configure authentication in a sample Android application using Azure Active Directory B2C
+
+This article uses a sample Android application (Kotlin and Java) to illustrate how to add Azure Active Directory B2C (Azure AD B2C) authentication to your mobile apps.
+
+## Overview
+
+OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0, which you can securely use to sign-in in a user to an application. This mobile app sample uses [MSAL](../active-directory/develop/msal-overview.md) library with OpenId Connect authorization code PKCE flow. The MSAL library is a Microsoft provided library that simplifies adding authentication and authorization support to mobile apps.
+
+The sign-in flow involves following steps:
+
+1. The user opens the app and selects **sign-in**.
+1. The app opens the mobile device's system browser, and starts an authentication request to Azure AD B2C.
+1. The user [signs-up or signs-in](add-sign-up-and-sign-in-policy.md), [resets the password](add-password-reset-policy.md), or signs-in with a [social account](add-identity-provider.md).
+1. Upon successful sign-in, Azure AD B2C returns an authorization code to the app.
+1. The app takes the following actions:
+ 1. Exchanges the authorization code to an ID token, access token and refresh token.
+ 1. Reads the ID token claims.
+ 1. Stores the tokens to an in-memory cache for later use.
+
+### App registration overview
+
+To enable your app to sign in with Azure AD B2C and call a web API, register two applications in the Azure AD B2C directory.
+
+- The **mobile application** registration enables your app to sign in with Azure AD B2C. During app registration, specify the *Redirect URI*. The redirect URI is the endpoint to which the user is redirected by Azure AD B2C after they authenticate with Azure AD B2C is completed. The app registration process generates an *Application ID*, also known as the *client ID*, that uniquely identifies your mobile app. For example, **App ID: 1**.
+
+- The **web API** registration enables your app to call a protected web API. The registration exposes the web API permissions (scopes). The app registration process generates an *Application ID*, that uniquely identifies your web API. For example, **App ID: 2**. Grant your mobile app (App ID: 1) permissions to the web API scopes (App ID: 2).
++
+The following diagrams describe the apps registration and the application architecture.
+
+![Mobile app with web API call registrations and tokens](./media/configure-authentication-sample-android-app/mobile-app-with-api-architecture.png)
+
+### Call to a web API
++
+### Sign-out
++
+## Prerequisites
+
+A computer that's running:
++
+- [Java Development Kit (JDK)](https://openjdk.java.net/) 8, or above.
+- [Apache Maven](https://maven.apache.org/)
+- [Android API Level 16](https://developer.android.com/studio/releases/platforms), or above.
+- [Android studio](https://developer.android.com/studio), or another code editor.
++
+## Step 1: Configure your user flow
++
+## Step 2: Register mobile applications
+
+In this step, create the mobile app and the web API application registration, and specify the scopes of your web API.
+
+### 2.1 Register the web API app
++
+### 2.2 Configure web API app scopes
+++
+### 2.3 Register the mobile app
+
+Follow these steps to create the mobile app registration:
+
+1. Select **App registrations**, and then select **New registration**.
+1. Enter a **Name** for the application. For example, *android-app1*.
+1. Under **Supported account types**, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**.
+1. Under **Redirect URI**, select **Public client/native (mobile & desktop)**, and then in the URL text box, enter one of the following URIs:
+ - For the Kotlin sample: `msauth://com.azuresamples.msalandroidkotlinapp/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D`
+ - For the Java sample: `msauth://com.azuresamples.msalandroidapp/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D`
+1. Select **Register**.
+1. After the app registration is completed, select **Overview**.
+1. Record the **Application (client) ID** for use in a later step when you configure the mobile application.
+
+ ![Get your mobile application ID](./media/configure-authentication-sample-android-app/get-azure-ad-b2c-app-id.png)
++
+### 2.4 Grant the mobile app permissions for the web API
++
+## Step 3: Get the Android mobile app sample
+
+Download one of the following samples: [Kotlin](https://github.com/Azure-Samples/ms-identity-android-kotlin/archive/refs/heads/master.zip), or [Java](https://github.com/Azure-Samples/ms-identity-android-java/archive/refs/heads/master.zip). Extract the sample ZIP file to your working folder.
+
+Or clone the sample Android mobile application from GitHub.
+
+#### [Kotlin](#tab/kotlin)
++
+```bash
+git clone https://github.com/Azure-Samples/ms-identity-android-kotlin
+```
+
+#### [Java](#tab/java)
+
+```bash
+git clone https://github.com/Azure-Samples/ms-identity-android-java
+```
+
+
++
+## Step 4: Configure the sample web API
+
+This sample acquires an access token with the relevant scopes the mobile app can use to for a web API. To call a web API from code, follow these steps:
+
+1. Use an existing web API, or create a new one. For more information, see [Enable authentication in your own web API using Azure AD B2C](enable-authentication-web-api.md).
+1. Change the sample code to [call a web API](enable-authentication-android-app.md#call-a-web-api).
+
+## Step 5: Configure the sample mobile app
+
+Open the sample project with Android Studio, or other code editor. Then open the `/app/src/main/res/raw/auth_config_b2c.json` file.
+
+The *auth_config_b2c.json* configuration file contains information about your Azure AD B2C identity provider. The mobile app uses this information to establish a trust relationship with Azure AD B2C, sign-in the user in and out, acquire tokens, and validate them.
+
+Update the following properties of the app settings:
+
+|Key |Value |
+|||
+| [client_id](../active-directory/develop/msal-client-application-configuration.md#client-id) | The mobile application ID from [step 2.3](#23-register-the-mobile-app). |
+| [redirect_uri](../active-directory/develop/msal-client-application-configuration.md#redirect-uri) | The mobile application redirect URI from [step 2.3](#23-register-the-mobile-app). |
+| [authorities](../active-directory/develop/msal-client-application-configuration.md#authority)| The authority is a URL that indicates a directory that MSAL can request tokens from. Use the following format: `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<your-sign-in-sign-up-policy>`. Replace the `<your-tenant-name>` with your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). Then, replace the `<your-sign-in-sign-up-policy>` with the user flows, or custom policy you created in [step 1](#step-1-configure-your-user-flow). |
++
+Open the `B2CConfiguration` class, and update the following class members:
+
+|Key |Value |
+|||
+| Policies| List of the user flows, or custom policies you created in [step 1](#step-1-configure-your-user-flow).|
+| azureAdB2CHostName| The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, `https://contoso.b2clogin.com`.|
+| tenantName| Your Azure AD B2C tenant full [tenant name](tenant-management.md#get-your-tenant-name). For example, `contoso.onmicrosoft.com`.|
+| scopes| The web API scopes you created in [step 2.4](#24-grant-the-mobile-app-permissions-for-the-web-api).|
++
+## Step 6: Run and test the mobile app
+
+1. Build and run the project.
+1. Select the hamburger icon.
+
+ ![Screenshot demonstrate how to select the hamburger icon.](./media/configure-authentication-sample-android-app/select-hamburger-icon.png)
+
+1. Select **B2C mode**.
+
+ ![Screenshot demonstrate how to select B2C mode.](./media/configure-authentication-sample-android-app/select-azure-ad-b2c-mode.png)
+
+1. Select **RUN USER FLOW**.
+
+ ![Screenshot demonstrate how to start the sign-in flow.](./media/configure-authentication-sample-android-app/select-policy-and-sign-in.png)
+
+1. Sign-up or sign-in with your Azure AD B2C local or social account.
+
+1. After successful authentication, you'll see your display name in the navigation bar.
+
+ ![Azure AD B2C access token and user ID.](./media/configure-authentication-sample-android-app/access-token.png)
+
+## Next steps
+
+* Learn how to [Enable authentication in your own Android application](enable-authentication-android-app.md)
+* [Configure authentication options in an Android application](enable-authentication-android-app-options.md)
+* [Enable authentication in your own web API](enable-authentication-web-api.md)
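Review bot: In the `B2CConfiguration` table of Step 5, the `scopes` row says "The web API scopes you created in step 2.4", but 2.4 is "Grant the mobile app permissions for the web API" and the scopes are defined in "2.2 Configure web API app scopes"; link to 2.2, or change "created" to "granted". In the same table, the `azureAdB2CHostName` row describes "the first part of your Azure AD B2C tenant name" yet gives a full URL, `https://contoso.b2clogin.com`, as the example, so state whether the member expects the scheme. Step 2.3 has readers register a redirect URI that carries the sample's own signature hash (`1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D`); add a sentence that this value belongs to the sample's signing key and has to be regenerated for the reader's own app. Three sentences also need a copy pass: "sign-in in a user" in the Overview, "after they authenticate with Azure AD B2C is completed" in the mobile application bullet, and "the mobile app can use to for a web API" in Step 4.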
active-directory-b2c Configure Authentication Sample Spa App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/configure-authentication-sample-spa-app.md
Previously updated : 06/25/2021 Last updated : 07/05/2021
In this step, you create the SPA app and the web API application registrations,
[!INCLUDE [active-directory-b2c-app-integration-api-scopes](../../includes/active-directory-b2c-app-integration-api-scopes.md)]
-### 2.3 Register the client app
+### 2.3 Register the SPA app
-Follow these steps to create the app registration:
+Follow these steps to create the SPA app registration:
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Select the **Directory + Subscription** icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
Now that you've obtained the SPA app sample, update the code with your Azure AD
|File |Key |Value | ||||
-|authConfig.js|clientId| The SPA application ID from [step 2.1](#21-register-the-web-api-application).|
+|authConfig.js|clientId| The SPA application ID from [step 2.3](#23-register-the-spa-app).|
|policies.js| names| The user flows, or custom policy you created in [step 1](#step-1-configure-your-user-flow).| |policies.js|authorities|Your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, `contoso.onmicrosoft.com`. Then, replace with the user flows, or custom policy you created in [step 1](#step-1-configure-your-user-flow). For example, `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<your-sign-in-sign-up-policy>`| |policies.js|authorityDomain|Your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, `contoso.onmicrosoft.com`.|
-|apiConfig.js|b2cScopes|The scopes you [created for the web API](#22-configure-scopes). For example, `b2cScopes: ["https://<your-tenant-name>.onmicrosoft.com/tasks-api/tasks.read"]`.|
+|apiConfig.js|b2cScopes|The web API scopes you created in [step 2.2](#22-configure-scopes). For example, `b2cScopes: ["https://<your-tenant-name>.onmicrosoft.com/tasks-api/tasks.read"]`.|
|apiConfig.js|webApi|The URL of the web API, `http://localhost:5000/tasks`.| Your resulting code should look similar to following sample:
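Review bot: The `policies.js` `authorities` row, which sits between the two rows corrected here, still reads "Then, replace with the user flows, or custom policy" with no object for "replace", and it offers `contoso.onmicrosoft.com` as the example before the actual authority URL. While this table is being edited, rewrite that row to lead with the `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<your-sign-in-sign-up-policy>` format and name the placeholders to replace. Also check the `authorityDomain` example: the authority host shown is `<your-tenant-name>.b2clogin.com`, while the example given for the domain is `contoso.onmicrosoft.com`.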
active-directory-b2c Configure Authentication Sample Web App With Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/configure-authentication-sample-web-app-with-api.md
Previously updated : 06/28/2021 Last updated : 07/05/2021
Under the project root folder, open the `appsettings.json` file. This file conta
|||| |AzureAdB2C|Instance| The first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, `https://contoso.b2clogin.com`.| |AzureAdB2C|Domain| Your Azure AD B2C tenant full [tenant name](tenant-management.md#get-your-tenant-name). For example, `contoso.onmicrosoft.com`.|
-|AzureAdB2C|ClientId| The web application ID from [step 2.1](#21-register-the-web-api-app).|
+|AzureAdB2C|ClientId| The web application ID from [step 2.3](#23-register-the-web-app).|
|AzureAdB2C | ClientSecret | The web application secret from [step 2.4](#24-create-a-web-app-client-secret). | |AzureAdB2C|SignUpSignInPolicyId|The user flows or custom policy you created in [step 1](#step-1-configure-your-user-flow).|
-| TodoList | TodoListScope | The scopes you created in [step 2.5](#25-grant-the-web-app-permissions-for-the-web-api).|
+| TodoList | TodoListScope | The web API scopes you created in [step 2.5](#25-grant-the-web-app-permissions-for-the-web-api).|
| TodoList | TodoListBaseAddress | The base URI of your web API, for example `https://localhost:44332`| Your final configuration file should look like the following JSON:
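Review bot: The new `TodoListScope` text says "The web API scopes you created in step 2.5", but the linked anchor is `#25-grant-the-web-app-permissions-for-the-web-api`, so that step grants the scopes and does not create them. Either link to the step where the scopes are defined or change "created" to "granted". The `ClientSecret` row in the same table has readers place the web application secret in `appsettings.json`; a short pointer on keeping that value out of source control would fit next to it.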
active-directory-b2c Enable Authentication Android App Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-android-app-options.md
+
+ Title: Enable Android mobile application options using Azure Active Directory B2C
+description: Enable the use of Android mobile application options by using several ways.
++++++ Last updated : 07/05/2021+++++
+# Configure authentication options in an Android application using Azure Active Directory B2C
+
+This article describes ways in which you can customize and enhance the Azure Active Directory B2C (Azure AD B2C) authentication experience for your Android application. Before you start, familiarize yourself with the following articles: [Configure authentication in a sample Android application](configure-authentication-sample-android-app.md), or [Enable authentication in your own Android app using Azure Active Directory B2C](enable-authentication-android-app.md).
++
+To use a custom domain and your tenant ID in the authentication URL, follow the guidance in [Enable custom domains](custom-domain.md). Find your MSAL configuration object and change the **authorities** with your custom domain name and tenant ID.
++
+#### [Kotlin](#tab/kotlin)
+
+The following Kotlin code shows the MSAL config object before the change:
+
+```kotlin
+val parameters = AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(activity)
+ .fromAuthority("https://contoso.b2clogin.com/fabrikamb2c.contoso.com/B2C_1_susi")
+ // More settings here
+ .build()
+
+b2cApp!!.acquireToken(parameters)
+```
+
+The following Kotlin code shows the MSAL config object after the change:
+
+```kotlin
+val parameters = AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(activity)
+ .fromAuthority("https://custom.domain.com/00000000-0000-0000-0000-000000000000/B2C_1_susi")
+ // More settings here
+ .build()
+
+b2cApp!!.acquireToken(parameters)
+```
++
+#### [Java](#tab/java)
+
+The following Kotlin code shows the MSAL config object before the change:
+
+```java
+AcquireTokenParameters parameters = new AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(getActivity())
+ .fromAuthority("https://contoso.b2clogin.com/fabrikamb2c.contoso.com/B2C_1_susi")
+ // More settings here
+ .build();
+
+b2cApp.acquireToken(parameters);
+```
+The following Kotlin code shows the MSAL config object after the change:
+
+```java
+AcquireTokenParameters parameters = new AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(getActivity())
+ .fromAuthority("https://custom.domain.com/00000000-0000-0000-0000-000000000000/B2C_1_susi")
+ // More settings here
+ .build();
+
+b2cApp.acquireToken(parameters);
+```
+
+
++
+1. If you're using a custom policy, add the required input claim as described in [Set up direct sign-in](direct-signin.md#prepopulate-the-sign-in-name).
+1. Find your MSAL configuration object and add the **withLoginHint()** method with the login hint.
+
+#### [Kotlin](#tab/kotlin)
++
+```kotlin
+val parameters = AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(activity)
+ .withLoginHint("bob@contoso.com")
+ // More settings here
+ .build()
+
+b2cApp!!.acquireToken(parameters)
+```
+
+#### [Java](#tab/java)
+
+```java
+AcquireTokenParameters parameters = new AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(getActivity())
+ .withLoginHint("bob@contoso.com")
+ // More settings here
+ .build();
+
+b2cApp.acquireToken(parameters);
+
+```
+
+
++
+1. Check the domain name of your external identity provider. For more information, see [Redirect sign-in to a social provider](direct-signin.md#redirect-sign-in-to-a-social-provider).
+1. Create or use an exiting list object to store extra query parameters.
+1. Add the `domain_hint` parameter with the corresponding domain name to the list. For example, `facebook.com`.
+1. Pass the extra query parameters list into the MSAL configuration object's `withAuthorizationQueryStringParameters` method.
+
+#### [Kotlin](#tab/kotlin)
+
+```kotlin
+val extraQueryParameters: MutableList<Pair<String, String>> = ArrayList()
+extraQueryParameters.add(Pair("domain_hint", "facebook.com"))
+
+val parameters = AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(activity)
+ .withAuthorizationQueryStringParameters(extraQueryParameters)
+ // More settings here
+ .build()
+
+b2cApp!!.acquireToken(parameters)
+```
+
+#### [Java](#tab/java)
+
+```java
+List<Pair<String, String>> extraQueryParameters = new ArrayList<>();
+extraQueryParameters.add( new Pair<String, String>("domain_hint", "facebook.com"));
+
+AcquireTokenParameters parameters = new AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(getActivity())
+ .withAuthorizationQueryStringParameters(extraQueryParameters)
+ // More settings here
+ .build();
+
+b2cApp.acquireToken(parameters);
+```
+
+
++
+1. [Configure Language customization](language-customization.md).
+1. Create or use an exiting list object to store extra query parameters.
+1. Add the `ui_locales` parameter with the corresponding language code to the list. For example, `en-us`.
+1. Pass the extra query parameters list into the MSAL configuration object's `withAuthorizationQueryStringParameters` method.
+
+#### [Kotlin](#tab/kotlin)
+
+```kotlin
+val extraQueryParameters: MutableList<Pair<String, String>> = ArrayList()
+extraQueryParameters.add(Pair("ui_locales", "en-us"))
+
+val parameters = AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(activity)
+ .withAuthorizationQueryStringParameters(extraQueryParameters)
+ // More settings here
+ .build()
+
+b2cApp!!.acquireToken(parameters)
+```
+
+#### [Java](#tab/java)
+
+```java
+List<Pair<String, String>> extraQueryParameters = new ArrayList<>();
+extraQueryParameters.add( new Pair<String, String>("ui_locales", "en-us"));
+
+AcquireTokenParameters parameters = new AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(getActivity())
+ .withAuthorizationQueryStringParameters(extraQueryParameters)
+ // More settings here
+ .build();
+
+b2cApp.acquireToken(parameters);
+```
+
+
++
+1. Configure the [ContentDefinitionParameters](customize-ui-with-html.md#configure-dynamic-custom-page-content-uri) element.
+1. Create or use an exiting list object to store extra query parameters.
+1. Add the custom query string parameter, such as `campaignId`. Set the parameter value. For example, `germany-promotion`.
+1. Pass the extra query parameters list into the MSAL configuration object's `withAuthorizationQueryStringParameters` method.
+
+#### [Kotlin](#tab/kotlin)
+
+```kotlin
+val extraQueryParameters: MutableList<Pair<String, String>> = ArrayList()
+extraQueryParameters.add(Pair("campaignId", "germany-promotion"))
+
+val parameters = AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(activity)
+ .withAuthorizationQueryStringParameters(extraQueryParameters)
+ // More settings here
+ .build()
+
+b2cApp!!.acquireToken(parameters)
+```
+
+#### [Java](#tab/java)
+
+```java
+List<Pair<String, String>> extraQueryParameters = new ArrayList<>();
+extraQueryParameters.add( new Pair<String, String>("campaignId", "germany-promotion"));
+
+AcquireTokenParameters parameters = new AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(getActivity())
+ .withAuthorizationQueryStringParameters(extraQueryParameters)
+ // More settings here
+ .build();
+
+b2cApp.acquireToken(parameters);
+```
+
+
++
+1. In your custom policy, define an [ID token hint technical profile](id-token-hint.md).
+1. In your code, generate or acquire an ID token, and set the token to a variable. For example, `idToken`.
+1. Create or use an exiting list object to store extra query parameters.
+1. Add the `id_token_hint` parameter with the corresponding variable that stores the ID token.
+1. Pass the extra query parameters list into the MSAL configuration object's `withAuthorizationQueryStringParameters` method.
+
+#### [Kotlin](#tab/kotlin)
+
+```kotlin
+val extraQueryParameters: MutableList<Pair<String, String>> = ArrayList()
+extraQueryParameters.add(Pair("id_token_hint", idToken))
+
+val parameters = AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(activity)
+ .withAuthorizationQueryStringParameters(extraQueryParameters)
+ // More settings here
+ .build()
+
+b2cApp!!.acquireToken(parameters)
+```
+
+#### [Java](#tab/java)
+
+```java
+List<Pair<String, String>> extraQueryParameters = new ArrayList<>();
+extraQueryParameters.add( new Pair<String, String>("id_token_hint", idToken));
+
+AcquireTokenParameters parameters = new AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(getActivity())
+ .withAuthorizationQueryStringParameters(extraQueryParameters)
+ // More settings here
+ .build();
+
+b2cApp.acquireToken(parameters);
+```
+
+
+++
+## Next steps
+
+- Learn more: [MSAL for Android configuration options](https://github.com/AzureAD/microsoft-authentication-library-for-android/wiki)
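Review bot: Under the Java tab of the custom domain section, both captions read "The following Kotlin code shows the MSAL config object", although the blocks beneath them are fenced as `java` and contain Java; change both to "Java code". The "before" authority, `https://contoso.b2clogin.com/fabrikamb2c.contoso.com/B2C_1_susi`, mixes two tenant names and does not follow the `https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<your-sign-in-sign-up-policy>` format given in the sample article, so align the example with that format. "exiting list object" appears in four of the numbered lists and should read "existing list object". The Java login hint block also ends with a stray blank line before its closing fence.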
active-directory-b2c Enable Authentication Android App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-android-app.md
+
+ Title: Enable authentication in an Android app - Azure AD B2C
+description: Enable authentication in an Android application using Azure Active Directory B2C building blocks. Learn how to use Azure AD B2C to sign in and sign up users in an Android application.
++++++ Last updated : 07/05/2021+++++
+# Enable authentication in your own Android application using Azure Active Directory B2C
+
+This article shows you how to add Azure Active Directory B2C (Azure AD B2C) authentication to your own Android mobile application.
+
+Use this article with [Configure authentication in a sample Android application](./configure-authentication-sample-android-app.md), substituting the sample Android app with your own Android app. After completing the steps in this article, your application will accept sign-ins via Azure AD B2C.
+
+## Prerequisites
+
+Review the prerequisites and integration steps in [Configure authentication in a sample Android application](configure-authentication-sample-android-app.md) article.
+
+## Create an Android app project
+
+If you don't already have an Android application, follow these steps to set up a new project.
+
+1. Open Android Studio, and select **Start a new Android Studio project**.
+2. Select **Basic Activity** and select **Next**.
+3. Name your application.
+4. Save the package name. You'll enter it later into the Azure portal.
+5. Change the language from **Kotlin** to **Java**.
+6. Set the **Minimum API level** to **API 19** or higher, and then select **Finish**.
+7. In the project view, choose **Project** in the drop-down to display source and non-source project files, open **app/build.gradle**, and set `targetSdkVersion` to `28`.
+
+## Install the dependencies
+
+In the Android Studio project window, navigate to **app** > **build.gradle** and add the following:
+
+```gradle
+apply plugin: 'com.android.application'
+
+allprojects {
+ repositories {
+ mavenCentral()
+ google()
+ mavenLocal()
+ maven {
+ url 'https://pkgs.dev.azure.com/MicrosoftDeviceSDK/DuoSDK-Public/_packaging/Duo-SDK-Feed/maven/v1'
+ }
+ maven {
+ name "vsts-maven-adal-android"
+ url "https://identitydivision.pkgs.visualstudio.com/_packaging/AndroidADAL/maven/v1"
+ credentials {
+ username System.getenv("ENV_VSTS_MVN_ANDROIDADAL_USERNAME") != null ? System.getenv("ENV_VSTS_MVN_ANDROIDADAL_USERNAME") : project.findProperty("vstsUsername")
+ password System.getenv("ENV_VSTS_MVN_ANDROIDADAL_ACCESSTOKEN") != null ? System.getenv("ENV_VSTS_MVN_ANDROIDADAL_ACCESSTOKEN") : project.findProperty("vstsMavenAccessToken")
+ }
+ }
+ jcenter()
+ }
+}
+dependencies{
+ implementation 'com.microsoft.identity.client:msal:2.+'
+ }
+packagingOptions{
+ exclude("META-INF/jersey-module-version")
+}
+```
++
+## Add the authentication components
+
+The [sample code](configure-authentication-sample-android-app.md#step-3-get-the-android-mobile-app-sample) is made up of the following components. Add these components from the sample Android app to your own app.
+
+|Component |Type | Source |Description |
+|||||
+| B2CUser| Class| [Kotlin](https://github.com/Azure-Samples/ms-identity-android-kotlin/blob/master/app/src/main/java/com/azuresamples/msalandroidkotlinapp/B2CUser.kt) [Java](https://github.com/Azure-Samples/ms-identity-android-java/blob/master/app/src/main/java/com/azuresamples/msalandroidapp/B2CUser.java)| Represents a B2C user. This class allows users to sign in with multiple policies. |
+| B2CModeFragment | Fragment class| [Kotlin](https://github.com/Azure-Samples/ms-identity-android-kotlin/blob/master/app/src/main/java/com/azuresamples/msalandroidkotlinapp/B2CModeFragment.kt) [Java](https://github.com/Azure-Samples/ms-identity-android-java/blob/master/app/src/main/java/com/azuresamples/msalandroidapp/B2CModeFragment.java)| A fragment represents a modular portion of the sign-in with Azure AD B2C user interface within your main activity. This fragment contains most of the authentication code. |
+| fragment_b2c_mode.xml | Fragment layout| [Kotlin](https://github.com/Azure-Samples/ms-identity-android-kotlin/blob/master/app/src/main/res/layout/fragment_b2c_mode.xml) [Java](https://github.com/Azure-Samples/ms-identity-android-java/blob/master/app/src/main/res/layout/fragment_b2c_mode.xml) | Defines the structure for a user interface for the B2CModeFragment fragment component. |
+| B2CConfiguration| Class| [Kotlin](https://github.com/Azure-Samples/ms-identity-android-kotlin/blob/master/app/src/main/java/com/azuresamples/msalandroidkotlinapp/B2CConfiguration.kt) [Java](https://github.com/Azure-Samples/ms-identity-android-java/blob/master/app/src/main/java/com/azuresamples/msalandroidapp/B2CConfiguration.java)| A configuration file contains information about your Azure AD B2C identity provider. The mobile app uses this information to establish a trust relationship with Azure AD B2C, sign the user in and out, acquire tokens, and validate them. For more configuration settings, see the auth_config_b2c.json file. |
+|auth_config_b2c.json | JSON file| [Kotlin](https://github.com/Azure-Samples/ms-identity-android-kotlin/blob/master/app/src/main/res/raw/auth_config_b2c.json) [Java](https://github.com/Azure-Samples/ms-identity-android-java/blob/master/app/src/main/res/raw/auth_config_b2c.json)| A configuration file contains information about your Azure AD B2C identity provider. The mobile app uses this information to establish a trust relationship with Azure AD B2C, sign the user in and out, acquire tokens, and validate them. For more configuration settings, see the B2CConfiguration class. |
+
+## Configure your Android app
+
+After you [add the authentication components](#add-the-authentication-components), configure your Android app with your Azure AD B2C settings. Azure AD B2C identity provider settings are configured in the auth_config_b2c.json file and B2CConfiguration class.
+
+Follow the guidance for how to [Configure the sample mobile app](configure-authentication-sample-android-app.md#step-5-configure-the-sample-mobile-app).
+
+## Set the redirect URI
+
+In this section, configure where your application listens to the Azure AD B2C token response.
++
+1. Generate a new development Signature Hash. This will change for each development environment.
+
+ On Windows operating system:
+
+ ```
+ keytool -exportcert -alias androiddebugkey -keystore %HOMEPATH%\.android\debug.keystore | openssl sha1 -binary | openssl base64
+ ```
+
+ On IOS operating system:
+
+ ```dotnetcli
+ keytool -exportcert -alias androiddebugkey -keystore ~/.android/debug.keystore | openssl sha1 -binary | openssl base64
+ ```
+
+ For a production environment, use the following command:
+
+ ```
+ keytool -exportcert -alias SIGNATURE_ALIAS -keystore PATH_TO_KEYSTORE | openssl sha1 -binary | openssl base64
+ ```
+
+ For more help with signing your apps, check out [Signing your Android app](https://developer.android.com/studio/publish/app-signing).
+
+1. In **app** > **src** > **main** > **AndroidManifest.xml**, add the `BrowserTabActivity` activity below to the application body:
+
+ ```xml
+ <!--Intent filter to capture System Browser or Authenticator calling back to our app after sign-in-->
+ <activity
+ android:name="com.microsoft.identity.client.BrowserTabActivity">
+ <intent-filter>
+ <action android:name="android.intent.action.VIEW" />
+ <category android:name="android.intent.category.DEFAULT" />
+ <category android:name="android.intent.category.BROWSABLE" />
+ <data android:scheme="msauth"
+ android:host="Package_Name"
+ android:path="/Signature_Hash" />
+ </intent-filter>
+ </activity>
+ ```
+1. Replace the `Signature_Hash` with the hash you generated.
+1. Replace the `Package_Name` with your Android package name.
+
+Follow these steps to update the mobile app registration with your app redirect URI:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select the **Directory + Subscription** icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
+1. In the Azure portal, search for and select **Azure AD B2C**.
+1. Select **App registrations**, and then select the application you registered in [2.3 Register the mobile app](configure-authentication-sample-android-app.md#23-register-the-mobile-app).
+1. Select **Authentication**.
+1. Under **Android**, select **Add URI**.
+1. Enter the **Package name**, and **Signature hash**.
+1. Select **Save**.
+
+Your redirect URI and the `BrowserTabActivity` activity should look similar to the following sample:
+
+#### [Kotlin](#tab/kotlin)
+
+The redirect URL for the sample Android:
+
+```kotlin
+msauth://com.azuresamples.msalandroidkotlinapp/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D
+```
+
+Then the intent filter uses the same pattern, as in the following XML snippet:
+
+```xml
+<activity android:name="com.microsoft.identity.client.BrowserTabActivity">
+ <intent-filter>
+ <action android:name="android.intent.action.VIEW" />
+ <category android:name="android.intent.category.DEFAULT" />
+ <category android:name="android.intent.category.BROWSABLE" />
+ <data
+ android:host="com.azuresamples.msalandroidkotlinapp"
+ android:path="/1wIqXSqBj7w+h11ZifsnqwgyKrY="
+ android:scheme="msauth" />
+ </intent-filter>
+</activity>
+```
+++
+#### [Java](#tab/java)
+
+The redirect URL for the sample Android:
+
+```
+msauth://com.azuresamples.msalandroidapp/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D
+```
+
+Then the intent filter uses the same pattern, as in the following XML snippet:
+
+```xml
+<activity android:name="com.microsoft.identity.client.BrowserTabActivity">
+<intent-filter>
+ <action android:name="android.intent.action.VIEW" />
+
+ <category android:name="android.intent.category.DEFAULT" />
+ <category android:name="android.intent.category.BROWSABLE" />
+
+ <data
+ android:host="com.azuresamples.msalandroidapp"
+ android:path="/1wIqXSqBj7w+h11ZifsnqwgyKrY="
+ android:scheme="msauth" />
+</intent-filter>
+</activity>
+```
+
+
+
+## Code building blocks
+
+This section describes the code building blocks that enable the authentication for your Android app. The following table lists the B2CModeFragment's methods and how to customize your code.
+
+### Instantiate a public client application
+
+Public client applications are not trusted to safely keep application secrets and they don't have client secrets. In the [onCreate](https://developer.android.com/reference/android/app/Fragment#onCreate(android.os.Bundle)), or [onCreateView](https://developer.android.com/reference/android/app/Fragment#onCreateView(android.view.LayoutInflater,%20android.view.ViewGroup,%20android.os.Bundle)) instantiate MSAL using the multiple account public client application object.
+
+The `MultipleAccountPublicClientApplication` class is used to create MSAL-based apps that allow multiple accounts to be signed in at the same time. It allows sign-in with multiple Azure AD B2C user flows or custom policies. For example, a user signs-in with a [sign-up or sign-in](add-sign-up-and-sign-in-policy.md) user flow, and later runs an [edit profile](add-profile-editing-policy.md) user flow.
+
+The following code snippet demonstrates how to initiate the MSAL library with the `auth_config_b2c.json` configuration JSON file.
+
+#### [Kotlin](#tab/kotlin)
++
+```kotlin
+PublicClientApplication.createMultipleAccountPublicClientApplication(context!!,
+ R.raw.auth_config_b2c,
+ object : IMultipleAccountApplicationCreatedListener {
+ override fun onCreated(application: IMultipleAccountPublicClientApplication) {
+ // Set the MultipleAccountPublicClientApplication to the class member b2cApp
+ b2cApp = application
+ // Load the account (if there is any)
+ loadAccounts()
+ }
+
+ override fun onError(exception: MsalException) {
+ // Error handling
+ displayError(exception)
+ }
+ })
+```
+
+#### [Java](#tab/java)
+
+```java
+PublicClientApplication.createMultipleAccountPublicClientApplication(getContext(),
+ R.raw.auth_config_b2c,
+ new IPublicClientApplication.IMultipleAccountApplicationCreatedListener() {
+ @Override
+ public void onCreated(IMultipleAccountPublicClientApplication application) {
+ // Set the MultipleAccountPublicClientApplication to the class member b2cApp
+ b2cApp = application;
+
+ // Load the account (if there is any)
+ loadAccounts();
+ }
+
+ @Override
+ public void onError(MsalException exception) {
+ // Error handling
+ displayError(exception);
+ }
+ });
+```
+
+
+
+### Load accounts
+
+When the app comes to the foreground, the app loads the existing account to determine if the user is signed in or not. Use this method to update the UI with the authentication state. For example, enable or disable the sign-out button.
+
+The following code snippet demonstrates how to load the accounts.
+
+#### [Kotlin](#tab/kotlin)
++
+```kotlin
+private fun loadAccounts() {
+ if (b2cApp == null) {
+ return
+ }
+ b2cApp!!.getAccounts(object : LoadAccountsCallback {
+ override fun onTaskCompleted(result: List<IAccount>) {
+ users = B2CUser.getB2CUsersFromAccountList(result)
+ updateUI(users)
+ }
+
+ override fun onError(exception: MsalException) {
+ displayError(exception)
+ }
+ })
+ }
+```
+
+#### [Java](#tab/java)
+
+```java
+private void loadAccounts() {
+ if (b2cApp == null) {
+ return;
+ }
+
+ b2cApp.getAccounts(new IPublicClientApplication.LoadAccountsCallback() {
+ @Override
+ public void onTaskCompleted(final List<IAccount> result) {
+ users = B2CUser.getB2CUsersFromAccountList(result);
+ updateUI(users);
+ }
+
+ @Override
+ public void onError(MsalException exception) {
+ displayError(exception);
+ }
+ });
+}
+```
+
+
+
+### Interactive authorization request
+
+An interactive authorization request is a flow where the user is prompted for sign-up or sign-in. The `initializeUI` method configures the `runUserFlowButton` click event. When the user selects the **RUN USER FLOW** button, the app takes the user to Azure AD B2C to complete the sign-in flow.
+
+The `runUserFlowButton.setOnClickListener` method prepares the `AcquireTokenParameters` object with relevant data about the authorization request. Then the `acquireToken` method prompts the user to complete the sign-up or sign-in flow.
+
+The following code snippet demonstrates how to start the interactive authorization request.
+
+#### [Kotlin](#tab/kotlin)
++
+```kotlin
+val parameters = AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(activity)
+ .fromAuthority(getAuthorityFromPolicyName(policy_list.getSelectedItem().toString()))
+ .withScopes(B2CConfiguration.scopes)
+ .withPrompt(Prompt.LOGIN)
+ .withCallback(authInteractiveCallback)
+ .build()
+
+b2cApp!!.acquireToken(parameters)
+```
+
+#### [Java](#tab/java)
+
+```java
+AcquireTokenParameters parameters = new AcquireTokenParameters.Builder()
+ .startAuthorizationFromActivity(getActivity())
+ .fromAuthority(B2CConfiguration.getAuthorityFromPolicyName(policyListSpinner.getSelectedItem().toString()))
+ .withScopes(B2CConfiguration.getScopes())
+ .withPrompt(Prompt.LOGIN)
+ .withCallback(getAuthInteractiveCallback())
+ .build();
+
+b2cApp.acquireToken(parameters);
+```
+
+
+
+
+### Interactive authorization request callback
+
+Once the user finishes the authorization flow (successfully or unsuccessfully), the result is returned to the `getAuthInteractiveCallback()` callback method.
+
+The callback method passes the `AuthenticationResult` object, or an error message in the `MsalException` object. Use this method to:
+
+- Update the mobile app UI with information after the sign-in has completed
+- Reload the accounts object
+- Call a web API service with an access token
+- Handle authentication errors
+
+The following code snippet demonstrates the use of the interactive authentication callback.
+
+#### [Kotlin](#tab/kotlin)
++
+```kotlin
+private val authInteractiveCallback: AuthenticationCallback
+ private get() = object : AuthenticationCallback {
+ override fun onSuccess(authenticationResult: IAuthenticationResult) {
+ /* Successfully got a token, use it to call a protected resource; web API */
+ Log.d(TAG, "Successfully authenticated")
+
+ /* display result info */
+ displayResult(authenticationResult)
+
+ /* Reload account asynchronously to get the up-to-date list. */
+ loadAccounts()
+ }
+
+ override fun onError(exception: MsalException) {
+ val B2C_PASSWORD_CHANGE = "AADB2C90118"
+ if (exception.message!!.contains(B2C_PASSWORD_CHANGE)) {
+ txt_log!!.text = """
+ The user clicks the 'Forgot Password' link in a sign-up or sign-in user flow.
+ Your application needs to handle this error code by running a specific user flow that resets the password.
+ """.trimIndent()
+ return
+ }
+
+ /* Failed to acquireToken */Log.d(TAG, "Authentication failed: $exception")
+ displayError(exception)
+ if (exception is MsalClientException) {
+ /* Exception inside MSAL, more info inside MsalError.java */
+ } else if (exception is MsalServiceException) {
+ /* Exception when communicating with the STS, likely config issue */
+ }
+ }
+
+ override fun onCancel() {
+ /* User canceled the authentication */
+ Log.d(TAG, "User cancelled login.")
+ }
+ }
+```
+
+#### [Java](#tab/java)
+
+```java
+private AuthenticationCallback getAuthInteractiveCallback() {
+ return new AuthenticationCallback() {
+
+ @Override
+ public void onSuccess(IAuthenticationResult authenticationResult) {
+ /* Successfully got a token, use it to call a protected resource - MSGraph */
+ Log.d(TAG, "Successfully authenticated");
+
+ /* display result info */
+ displayResult(authenticationResult);
+
+ /* Reload account asynchronously to get the up-to-date list. */
+ loadAccounts();
+ }
+
+ @Override
+ public void onError(MsalException exception) {
+ final String B2C_PASSWORD_CHANGE = "AADB2C90118";
+ if (exception.getMessage().contains(B2C_PASSWORD_CHANGE)) {
+ logTextView.setText("The user clicks the 'Forgot Password' link in a sign-up or sign-in user flow.\n" +
+ "Your application needs to handle this error code by running a specific user flow that resets the password.");
+ return;
+ }
+
+ /* Failed to acquireToken */
+ Log.d(TAG, "Authentication failed: " + exception.toString());
+ displayError(exception);
+
+ if (exception instanceof MsalClientException) {
+ /* Exception inside MSAL, more info inside MsalError.java */
+ } else if (exception instanceof MsalServiceException) {
+ /* Exception when communicating with the STS, likely config issue */
+ }
+ }
+
+ @Override
+ public void onCancel() {
+ /* User canceled the authentication */
+ Log.d(TAG, "User cancelled login.");
+ }
+ };
+}
+```
+
+
+
+## Call a web API
+
+To call a [token-based authorization web API](enable-authentication-web-api.md), the app needs to have a valid access token. The app takes the following steps:
++
+1. Acquires an access token with the required permissions (scopes) for the web API endpoint.
+1. Passes the access token as a bearer token in the authorization header of the HTTP request using this format:
+
+```http
+Authorization: Bearer <access-token>
+```
+
+When users [sign in interactively](#interactive-authorization-request), the app gets an access token in the `getAuthInteractiveCallback` callback method. For consecutive web API calls, use the acquire token silent procedure as described in this section.
+
+Before calling a web API, call the `acquireTokenSilentAsync` method with the appropriate scopes for your web API endpoint. The MSAL library takes the following steps:
+
+1. Attempts to fetch an access token with the requested scopes from the token cache. If the token is present, the token is returned.
+1. If the token isn't present in the token cache, MSAL attempts to use its refresh token to acquire a new token.
+1. If the refresh token doesn't exist or has expired, an exception is returned. It's recommended to prompt the user to [sign in interactively](#interactive-authorization-request).
+
+The following code snippet demonstrates how to acquire an access token:
+
+#### [Kotlin](#tab/kotlin)
+
+The `acquireTokenSilentButton` button click event acquires an access token with the provided scopes.
+
+```kotlin
+btn_acquireTokenSilently.setOnClickListener(View.OnClickListener {
+ if (b2cApp == null) {
+ return@OnClickListener
+ }
+ val selectedUser = users!![user_list.getSelectedItemPosition()]
+ selectedUser.acquireTokenSilentAsync(b2cApp!!,
+ policy_list.getSelectedItem().toString(),
+ B2CConfiguration.scopes,
+ authSilentCallback)
+})
+```
+
+The `authSilentCallback` callback method returns an access token and calls a web API:
+
+```kotlin
+private val authSilentCallback: SilentAuthenticationCallback
+ private get() = object : SilentAuthenticationCallback {
+ override fun onSuccess(authenticationResult: IAuthenticationResult) {
+ Log.d(TAG, "Successfully authenticated")
+
+ /* Call your web API here*/
+ callWebAPI(authenticationResult)
+ }
+
+ override fun onError(exception: MsalException) {
+ /* Failed to acquireToken */
+ Log.d(TAG, "Authentication failed: $exception")
+ displayError(exception)
+ if (exception is MsalClientException) {
+ /* Exception inside MSAL, more info inside MsalError.java */
+ } else if (exception is MsalServiceException) {
+ /* Exception when communicating with the STS, likely config issue */
+ } else if (exception is MsalUiRequiredException) {
+ /* Tokens expired or no session, retry with interactive */
+ }
+ }
+ }
+```
+
+The following example demonstrates how to call a protected web API with a bearer token:
+
+```kotlin
+@Throws(java.lang.Exception::class)
+private fun callWebAPI(authenticationResult: IAuthenticationResult) {
+ val accessToken = authenticationResult.accessToken
+ val thread = Thread {
+ try {
+ val url = URL("https://your-app-service.azurewebsites.net/helo")
+ val conn = url.openConnection() as HttpsURLConnection
+ conn.setRequestProperty("Accept", "application/json")
+
+ // Set the bearer token
+ conn.setRequestProperty("Authorization", "Bearer $accessToken")
+ if (conn.responseCode == HttpURLConnection.HTTP_OK) {
+ val br = BufferedReader(InputStreamReader(conn.inputStream))
+ var strCurrentLine: String?
+ while (br.readLine().also { strCurrentLine = it } != null) {
+ Log.d(TAG, strCurrentLine)
+ }
+ }
+ conn.disconnect()
+ } catch (e: IOException) {
+ e.printStackTrace()
+ } catch (e: Exception) {
+ e.printStackTrace()
+ }
+ }
+ thread.start()
+}
+```
+
+#### [Java](#tab/java)
+
+The `acquireTokenSilentButton` button click event acquires an access token with the provided scopes.
+
+```java
+acquireTokenSilentButton.setOnClickListener(new View.OnClickListener() {
+ @Override
+ public void onClick(View v) {
+ if (b2cApp == null) {
+ return;
+ }
+
+ final B2CUser selectedUser = users.get(b2cUserList.getSelectedItemPosition());
+ selectedUser.acquireTokenSilentAsync(b2cApp,
+ policyListSpinner.getSelectedItem().toString(),
+ B2CConfiguration.getScopes(),
+ getAuthSilentCallback());
+ }
+});
+```
+
+The `authSilentCallback` callback method returns an access token and calls a web API:
+
+```java
+private SilentAuthenticationCallback getAuthSilentCallback() {
+ return new SilentAuthenticationCallback() {
+
+ @Override
+ public void onSuccess(IAuthenticationResult authenticationResult) {
+ Log.d(TAG, "Successfully authenticated");
+
+ /* Call your web API here*/
+ callWebAPI(authenticationResult);
+ }
+
+ @Override
+ public void onError(MsalException exception) {
+ /* Failed to acquireToken */
+ Log.d(TAG, "Authentication failed: " + exception.toString());
+ displayError(exception);
+
+ if (exception instanceof MsalClientException) {
+ /* Exception inside MSAL, more info inside MsalError.java */
+ } else if (exception instanceof MsalServiceException) {
+ /* Exception when communicating with the STS, likely config issue */
+ } else if (exception instanceof MsalUiRequiredException) {
+ /* Tokens expired or no session, retry with interactive */
+ }
+ }
+ };
+}
+```
+
+The following example demonstrates how to call a protected web API with a bearer token:
+
+```java
+private void callWebAPI(IAuthenticationResult authenticationResult) throws Exception {
+ final String accessToken = authenticationResult.getAccessToken();
+
+
+ Thread thread = new Thread(new Runnable() {
+
+ @Override
+ public void run() {
+ try {
+ URL url = new URL("https://your-app-service.azurewebsites.net/helo");
+ HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
+ conn.setRequestProperty("Accept", "application/json");
+
+ // Set the bearer token
+ conn.setRequestProperty("Authorization", "Bearer " + accessToken);
+
+ if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
+ BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream()));
+ String strCurrentLine;
+ while ((strCurrentLine = br.readLine()) != null) {
+ Log.d(TAG, strCurrentLine);
+ }
+ }
+ conn.disconnect();
+ } catch (IOException e) {
+ e.printStackTrace();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+ });
+
+ thread.start();
+
+ }
+```
+
+
+
+### Add permission to perform network operations
+
+To perform network operations in your application, include the following permission to your manifest. For more information, see [Connect to the network](https://developer.android.com/training/basics/network-ops/connecting).
+
+```xml
+<uses-permission android:name="android.permission.INTERNET"/>
+```
+
+## Next steps
+
+* [Configure authentication options in an Android application](enable-authentication-android-app-options.md)
+* [Enable authentication in your own web API](enable-authentication-web-api.md)
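Review bot: In both interactive `onError` handlers the password-reset check dereferences the exception message without a null check (`exception.message!!.contains(B2C_PASSWORD_CHANGE)` in Kotlin, `exception.getMessage().contains(B2C_PASSWORD_CHANGE)` in Java), so an `MsalException` with no message would throw inside the error handler instead of reaching `displayError`; a null-safe test such as `exception.message?.contains(B2C_PASSWORD_CHANGE) == true` avoids that. In the silent callbacks the `MsalUiRequiredException` branch is only a comment, although the text above recommends prompting the user to sign in interactively, so consider showing the `acquireToken` call there. The Java `callWebAPI` is declared `throws Exception` but is called from `onSuccess` without a try/catch, which will not compile as written; the method already catches everything inside the thread, so the `throws` clause can be dropped. Smaller points: "Code building blocks" announces a table of `B2CModeFragment` methods that never appears, the Kotlin tab describes `acquireTokenSilentButton` while the code uses `btn_acquireTokenSilently`, and the sample URL path `/helo` looks like a typo.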
active-directory-b2c Enable Authentication Spa App Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-spa-app-options.md
Previously updated : 06/11/2021 Last updated : 07/05/2021
-# Configure authentication in a sample Single Page application using Azure Active Directory B2C options
+# Configure authentication options in a Single Page application using Azure Active Directory B2C
This article describes ways you can customize and enhance the Azure Active Directory B2C (Azure AD B2C) authentication experience for your Single Page Application. Before you start, familiarize yourself with the following article: [Configure authentication in a sample web application](configure-authentication-sample-spa-app.md).
active-directory-b2c Enable Authentication Spa App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-spa-app.md
To configure the authentication library, follow these steps:
}; ```
-1. Replace `<Application-ID>` with your app registration application ID. For more information, see [Configure authentication in a sample SPA application article](./configure-authentication-sample-spa-app.md#23-register-the-client-app).
+1. Replace `<Application-ID>` with your app registration application ID. For more information, see [Configure authentication in a sample SPA application article](./configure-authentication-sample-spa-app.md#23-register-the-spa-app).
> [!TIP] > For more MSAL object configuration options, see the [Authentication options](./enable-authentication-spa-app-options.md) article.
active-directory-b2c Enable Authentication Web App With Api Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-web-app-with-api-options.md
Previously updated : 06/11/2021 Last updated : 07/05/2021
-# Configure authentication in a sample web application that calls a web API using Azure Active Directory B2C options
+# Configure authentication options in a web application that calls a web API using Azure Active Directory B2C
This article describes ways you can customize and enhance the Azure Active Directory B2C (Azure AD B2C) authentication experience for your web application that calls a web API. Before you start, familiarize yourself with the following articles: [Configure authentication in a sample web application](configure-authentication-sample-web-app-with-api.md) or [Enable authentication in your own web application](enable-authentication-web-app-with-api.md).
active-directory-b2c Enable Authentication Web Application Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/enable-authentication-web-application-options.md
Previously updated : 06/11/2021 Last updated : 07/05/2021
-# Configure authentication in a sample web application using Azure Active Directory B2C options
+# Configure authentication options in a web application using Azure Active Directory B2C
This article describes ways you can customize and enhance the Azure Active Directory B2C (Azure AD B2C) authentication experience for your web application. Before you start, it is important to familiarize yourself with the following articles: [Configure authentication in a sample web application](configure-authentication-sample-web-app.md) or [Enable authentication in your own web application](enable-authentication-web-application.md).
azure-arc Custom Locations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/custom-locations.md
If you are logged into Azure CLI using a service principal, to enable this featu
1. Deploy the Azure service cluster extension of the Azure service instance you eventually want on your cluster:
- * Azure Arc enabled Data Services
+ * [Azure Arc enabled Data Services](../dat#create-the-arc-data-services-extension)
- ```azurecli
- az k8s-extension create --name <extensionInstanceName> --extension-type microsoft.arcdataservices --cluster-type connectedClusters -c <clusterName> -g <resourceGroupName> --scope cluster --release-namespace arc --config Microsoft.CustomLocation.ServiceAccount=sa-bootstrapper
- ```
> [!NOTE] > Outbound proxy without authentication and outbound proxy with basic authentication are supported by the Arc enabled Data Services cluster extension. Outbound proxy that expects trusted certificates is currently not supported.
- * [Azure App Service on Azure Arc](../../app-service/overview-arc-integration.md)
+ * [Azure App Service on Azure Arc](../../app-service/manage-create-arc-environment.md#install-the-app-service-extension)
- ```azurecli
- az k8s-extension create --name <extensionInstanceName> --extension-type 'Microsoft.Web.Appservice' --cluster-type connectedClusters -c <clusterName> -g <resourceGroupName> --scope cluster --release-namespace appservice-ns --configuration-settings "Microsoft.CustomLocation.ServiceAccount=default" --configuration-settings "appsNamespace=appservice-ns"
- ```
-
- * [Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md)
-
- ```azurecli
- az k8s-extension create --name <extensionInstanceName> --extension-type Microsoft.EventGrid --cluster-type connectedClusters -c <clusterName> -g <resourceGroupName> --scope cluster --release-namespace eventgrid-ext --configuration-protected-settings-file protected-settings-extension.json --configuration-settings-file settings-extension.json
- ```
+ * [Event Grid on Kubernetes](../../event-grid/kubernetes/install-k8s-extension.md)
1. Get the Azure Resource Manager identifier of the Azure Arc enabled Kubernetes cluster, referenced in later steps as `connectedClusterId`:
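Review bot: The new Azure Arc enabled Data Services link target, `../dat#create-the-arc-data-services-extension`, looks truncated compared with the other two links, which point at full article paths, so it should be verified before merge. The first two removed `az k8s-extension create` commands carried the `Microsoft.CustomLocation.ServiceAccount` setting (`sa-bootstrapper` and `default`); with the commands gone from this page, confirm that each linked article still shows that setting, or keep a one-line reminder here.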
azure-monitor Annotations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/annotations.md
Title: Release annotations for Application Insights | Microsoft Docs description: Learn how to create annotations to track deployment or other significant events with Application Insights. Previously updated : 05/27/2021 Last updated : 07/02/2021
If you can't use one the deployment tasks in the previous section, then you need
:::image type="content" source="./media/annotations/inline-script.png" alt-text="Screenshot of Azure CLI task settings with Script Type, Script Location, Inline Script, and Script Arguments highlighted." lightbox="./media/annotations/inline-script.png":::
+ Below is an example of metadata you can set in the optional releaseProperties argument using [build](/azure/devops/pipelines/build/variables#build-variables-devops-services) and [release](/azure/devops/pipelines/release/variables#default-variablesrelease) variables.
+
+
+ ```powershell
+ -releaseProperties @{
+ "BuildNumber"="$(Build.BuildNumber)";
+ "BuildRepositoryName"="$(Build.Repository.Name)";
+ "BuildRepositoryProvider"="$(Build.Repository.Provider)";
+ "ReleaseDefinitionName"="$(Build.DefinitionName)";
+ "ReleaseDescription"="Triggered by $(Build.DefinitionName) $(Build.BuildNumber)";
+ "ReleaseEnvironmentName"="$(Release.EnvironmentName)";
+ "ReleaseId"="$(Release.ReleaseId)";
+ "ReleaseName"="$(Release.ReleaseName)";
+ "ReleaseRequestedFor"="$(Release.RequestedFor)";
+ "ReleaseWebUrl"="$(Release.ReleaseWebUrl)";
+ "SourceBranch"="$(Build.SourceBranch)";
+ "TeamFoundationCollectionUri"="$(System.TeamFoundationCollectionUri)" }
+ ```
+ 1. Save. ## Create release annotations with Azure CLI
You can use the CreateReleaseAnnotation PowerShell script to create annotations
|releaseName | The name to give the created release annotation. | | |releaseProperties | Used to attach custom metadata to the annotation. | Optional| + ## View annotations > [!NOTE]
You only need to install the extension once for your Azure DevOps organization.
Create a separate API key for each of your Azure Pipelines release templates.
-1. Sign in to the [Azure portal](https://portal.azure.com) and open the Application Insights resource that monitors your application. Or if you don't have one, [create a new Application Insights resource](./app-insights-overview.md).
+1. Sign in to the [Azure portal](https://portal.azure.com) and open the Application Insights resource that monitors your application. Or if you don't have one, [create a new Application Insights resource](create-workspace-resource.md).
1. Open the **API Access** tab and copy the **Application Insights ID**.
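Review bot: In the added `-releaseProperties` example, `"ReleaseDefinitionName"` is populated from `$(Build.DefinitionName)`, a build variable, while the neighbouring `ReleaseId` and `ReleaseName` keys use `Release.*` variables; if the release definition name is what is meant, use `$(Release.DefinitionName)`, otherwise rename the key so the annotation metadata is not misleading. The example also starts at `-releaseProperties` with no script name in front of it, so a sentence saying it is appended to the script arguments would make it easier to apply.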
azure-monitor Log Analytics Workspace Insights Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/log-analytics-workspace-insights-overview.md
In our demo workspace, you can clearly see that 3 Kuberbetes clusters send far m
### Health tab
-This tab shows the workspace health state and when it was last reported, as well as operational [errors and warnings](../logs/monitor-workspace.md) (retrieved from the _LogOperation table).
-
+This tab shows the workspace health state and when it was last reported, as well as operational [errors and warnings](../logs/monitor-workspace.md) (retrieved from the _LogOperation table). You can find more details on the listed issues as well as mitigation steps in [here](../logs/monitor-workspace.md#categories).
:::image type="content" source="media/log-analytics-workspace-insights-overview/workspace-health.png" alt-text="Screenshot of the workspace health tab" lightbox="media/log-analytics-workspace-insights-overview/workspace-health.png":::
azure-monitor Logs Data Export https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/logs-data-export.md
Log Analytics workspace data export continuously exports data from a Log Analyti
- Scheduled export from a log query using a Logic App. This is similar to the data export feature but allows you to send filtered or aggregated data to Azure storage. This method though is subject to [log query limits](../service-limits.md#log-analytics-workspaces), see [Archive data from Log Analytics workspace to Azure storage using Logic App](logs-export-logic-app.md). - One time export to local machine using PowerShell script. See [Invoke-AzOperationalInsightsQueryExport](https://www.powershellgallery.com/packages/Invoke-AzOperationalInsightsQueryExport). - ## Limitations - Configuration currently can be performed using CLI or REST requests. Azure portal or PowerShell are not supported yet.
Log Analytics workspace data export continuously exports data from a Log Analyti
- Supported tables currently are limited those specified in the [supported tables](#supported-tables) section below. For example, custom log tables currently aren't supported. - If the data export rule includes an unsupported table, the operation will succeed, but no data will be exported for that table until the table gets supported. - If the data export rule includes a table that doesn't exist, it will fail with error `Table <tableName> does not exist in the workspace`.-- Data export will be available in all regions, but currently it's not available in the following: Azure Government regions, Japan West, Brazil south east, Norway East, Norway West, UAE North, UAE Central, Australia Central 2, Switzerland North, Switzerland West, Germany West Central, South India, France South, Japan West
+- Data export will be available in all regions, but currently not available in the following: Switzerland North, Switzerland West, Germany West Central, Australia Central 2, UAE Central, UAE North, Japan West, Brazil Southeast, Norway East, Norway West, France South, South India, Korea South, Jio India Central, Jio India West, Canada East, West US 3, Sweden Central, Sweden South.
- You can define up to 10 enabled rules in your workspace. Additional rules are allowed but in disable state. - Destination must be unique across all export rules in your workspace. - The destination storage account or event hub must be in the same region as the Log Analytics workspace.
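Review bot: The rewritten region list drops "Azure Government regions", which the removed line listed as unavailable, and nothing else in the change says export is now offered there; confirm that is intended or add the entry back. The new sentence also lost its subject ("but currently not available in the following"); "but it's currently not available in the following regions" reads better.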
azure-monitor Logs Dedicated Clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/logs-dedicated-clusters.md
There are two modes of billing for usage on a cluster. These can be specified by
1. **Cluster**: in this case (which is the default), billing for ingested data is done at the cluster level. The ingested data quantities from each workspace associated to a cluster are aggregated to calculate the daily bill for the cluster.
-2. **Workspaces**: the Commitment Tier costs for your Cluster are attributed proportionately to the workspaces in the cluster, by each workspace's data ingestion volume (after accounting for per-node allocations from [Azure Security Center](../../security-center/index.yml) for each workspace.) This full details of this pricing model are explained [here]( https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#log-analytics-dedicated-clusters).
+2. **Workspaces**: the Commitment Tier costs for your Cluster are attributed proportionately to the workspaces in the cluster, by each workspace's data ingestion volume (after accounting for per-node allocations from [Azure Security Center](../../security-center/index.yml) for each workspace.) This full details of this pricing model are explained [here](./manage-cost-storage.md#log-analytics-dedicated-clusters).
If your workspace is using legacy Per Node pricing tier, when it is linked to a cluster it will be billed based on data ingested against the clusterΓÇÖs Commitment Tier, and no longer Per Node. Per-node data allocations from Azure Security Center will continue to be applied.
-Complete details are billing for Log Analytics dedicated clusters are available [here]( https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#log-analytics-dedicated-clusters).
+Complete details are billing for Log Analytics dedicated clusters are available [here](./manage-cost-storage.md#log-analytics-dedicated-clusters).
## Asynchronous operations and status check
The *principalId* GUID is generated by the managed identity service for the *Clu
When a workspace is linked to a dedicated cluster, new data that is ingested into the workspace is routed to the new cluster while existing data remains on the existing cluster. If the dedicated cluster is encrypted using customer-managed keys (CMK), only new data is encrypted with the key. The system is abstracting this difference from the users and the users just query the workspace as usual while the system performs cross-cluster queries on the backend.
-A cluster can be linked to up to 100 workspaces. Linked workspaces are located in the same region as the cluster. To protect the system backend and avoid fragmentation of data, a workspace canΓÇÖt be linked to a cluster more than twice a month.
+A cluster can be linked to up to 1000 workspaces. Linked workspaces are located in the same region as the cluster. To protect the system backend and avoid fragmentation of data, a workspace canΓÇÖt be linked to a cluster more than twice a month.
To perform the link operation, you need to have 'write' permissions to both the workspace and the *cluster* resource:
After you create your *Cluster* resource and it is fully provisioned, you can ed
- **billingType** - The *billingType* property determines the billing attribution for the *cluster* resource and its data: - **Cluster** (default) - The costs for your Cluster are attributed to the *Cluster* resource. - **Workspaces** - The costs for your Cluster are attributed proportionately to the workspaces in the Cluster, with the *Cluster* resource being billed some of the usage if the total ingested data for the day is under the Commitment Tier. See [Log Analytics Dedicated Clusters](./manage-cost-storage.md#log-analytics-dedicated-clusters) to learn more about the Cluster pricing model.
- - **Identity** - The identity to be used to authenticate to your Key Valt. This can be System-assigned or User-assigned.
+ - **Identity** - The identity to be used to authenticate to your Key Vault. This can be System-assigned or User-assigned.
>[!IMPORTANT] >Cluster update should not include both identity and key identifier details in the same operation. If you need to update both, the update should be in two consecutive operations.
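Review bot: The two link fixes leave the grammar errors on the same lines in place ("This full details of this pricing model" and "Complete details are billing for"); since both lines are already being changed, correct them to "The full details of this pricing model" and "Complete details of billing for". The linked-workspace limit also goes from 100 to 1000 with no other line in this change updated, so check that any other article that states the limit is changed in the same commit.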
azure-netapp-files Azacsnap Cmd Ref Backup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azacsnap-cmd-ref-backup.md
azacsnap -c backup --volume data --prefix hana_TEST --retention 9 --trim
The command does not output to the console, but does write to a log file, a result file, and `/var/log/messages`.
-The *log file* is made up of the command name + the -c option + the config filename. By default
-a log filename for a `-c backup` run with a default config filename `azacsnap-backup-azacsnap.log`.
+In this example the *log file* name is `azacsnap-backup-azacsnap.log` (see [Log files](#log-files))
-The *result* file has the same base name as the log file, with `.result` as its suffix, for
-example `azacsnap-backup-azacsnap.result` that contains the following output:
+When running the `-c backup` with the `--volume data` option a result file is also generated as a file to allow
+for quickly checking the result of a backup. The *result* file has the same base name as the log file, with `.result` as its suffix.
+
+In this example the *result file* name is `azacsnap-backup-azacsnap.result` and contains the following output:
```bash cat logs/azacsnap-backup-azacsnap.result
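Review bot: The new log-file sentence for the `--volume data` example ends at `(see [Log files](#log-files))` without a period, while the same sentence in the two `--volume other` examples ends with one. In the added result-file paragraph, "a result file is also generated as a file" repeats itself; "a result file is also generated to allow quickly checking the result of a backup" reads cleaner.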
azacsnap -c backup --volume other --prefix logs_TEST --retention 9
The command does not output to the console, but does write to a log file only. It does _not_ write to a result file or `/var/log/messages`.
-The *log file* is made up of the command name + the -c option + the config filename. By default
-a log filename for a `-c backup` run with a default config filename `azacsnap-backup-azacsnap.log`.
+In this example the *log file* name is `azacsnap-backup-azacsnap.log` (see [Log files](#log-files)).
## Example with `other` parameter (to backup host OS)
azacsnap -c backup --volume other --prefix boot_TEST --retention 9 --configfile
The command does not output to the console, but does write to a log file only. It does _not_ write to a result file or `/var/log/messages`.
-The *log file* name in this example is `azacsnap-backup-bootVol.log`.
+In this example the *log file* name is `azacsnap-backup-bootVol.log` (see [Log files](#log-files)).
## Log files
azure-video-analyzer Analyze Live Video Custom Vision https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/analyze-live-video-custom-vision.md
After you're finished, you can export the model to a Docker container by using t
2. `docker image ls` This command checks if the new image is in your local registry.
- 3. `docker run -p 127.0.0.1:80:80 -d cvtruck`
-
- This command should publish the Docker's exposed port (80) onto your local machine's port (80).
- 4. `docker container ls`
-
- This command checks the port mappings and if the Docker container is running successfully on your machine. The output should be something like:
-
- ```
- CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
- 8b7505398367 cvtruck "/bin/sh -c 'python …" 13 hours ago Up 25 seconds 127.0.0.1:80->80/tcp practical_cohen
- ```
- 5. `curl -X POST http://127.0.0.1:80/score -F imageData=@<path to any image file that has the toy delivery truck in it>`
-
- This command tests the container on the local machine. If the image has the same delivery truck as we trained the model on, the output should be something like the following example. It suggests the delivery truck was detected with 90.12% probability.
-
- ```
- {"created":"2020-03-20T07:10:47.827673","id":"","iteration":"","predictions":[{"boundingBox":{"height":0.66167289,"left":-0.03923762,"top":0.12781593,"width":0.70003178},"probability":0.90128148,"tagId":0,"tagName":"delivery truck"},{"boundingBox":{"height":0.63733053,"left":0.25220079,"top":0.0876643,"width":0.53331227},"probability":0.59745145,"tagId":0,"tagName":"delivery truck"}],"project":""}
- ```
+
+## Set up your development environment
## Examine the sample files
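Review bot: The added `## Set up your development environment` heading is followed directly by `## Examine the sample files`, so as shown the new section has no body; either add its content or drop the heading. The removed steps 3 to 5 were the only local check that the exported container answers on `/score`, which is the path `inferencingUrl` is switched to later in this change, so consider keeping a short verification step bound to `127.0.0.1` as the removed `docker run` was.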
After you're finished, you can export the model to a Docker container by using t
- A module named `rtspsim`, which simulates an RTSP server that acts as the source of a live video feed. - A module named `cv`, which as the name suggests is the Custom Vision toy truck detection model that applies Custom Vision to the images and returns multiple tag types. (Our model was trained on only one tag, delivery truck.)
-## Prepare for monitoring events
-
-Right-click the ava-sample-device, and select **Start Monitoring Built-in Event Endpoint**. You need this step to monitor the IoT Hub events in the **OUTPUT** window of Visual Studio Code.
-![Screenshot that shows Start Monitoring Built-in Event Endpoint.](./media/custom-vision/start-monitoring.png)
## Run the sample program
-If you open the topology for this tutorial in a browser, you'll see that the value of `inferencingUrl` has been set to `http://cv/image`. This setting means the inference server will return results after detecting toy trucks, if any, in the live video.
+If you open the topology for this tutorial in a browser, you'll see that the value of `inferencingUrl` has been set to `http://cv/score`. This setting means the inference server will return results after detecting toy trucks, if any, in the live video.
1. In Visual Studio Code, open the **Extensions** tab (or select **Ctrl+Shift+X**) and search for Azure IoT Hub. 2. Right-click and select **Extension Settings**.
If you open the topology for this tutorial in a browser, you'll see that the val
"parameters": [ { "name": "inferencingUrl",
- "value": "http://cv/image"
+ "value": "http://cv/score"
}, { "name": "rtspUrl",
cognitive-services Deploy Anomaly Detection On Container Instances https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/How-to/deploy-anomaly-detection-on-container-instances.md
Last updated 04/01/2020
-# Deploy an Anomaly Detector container to Azure Container Instances
+# Deploy an Anomaly Detector univariate container to Azure Container Instances
Learn how to deploy the Cognitive Services [Anomaly Detector](../anomaly-detector-container-howto.md) container to Azure [Container Instances](../../../container-instances/index.yml). This procedure demonstrates the creation of an Anomaly Detector resource. Then we discuss pulling the associated container image. Finally, we highlight the ability to exercise the orchestration of the two from a browser. Using containers can shift the developers' attention away from managing infrastructure to instead focusing on application development.
cognitive-services Deploy Anomaly Detection On Iot Edge https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/How-to/deploy-anomaly-detection-on-iot-edge.md
Last updated 12/03/2020
-# Deploy an Anomaly Detector module to IoT Edge
+# Deploy an Anomaly Detector univariate module to IoT Edge
Learn how to deploy the Cognitive Services [Anomaly Detector](../anomaly-detector-container-howto.md) module to an IoT Edge device. Once it's deployed into IoT Edge, the module runs in IoT Edge together with other modules as container instances. It exposes the exact same APIs as an Anomaly Detector container instance running in a standard docker container environment.
cognitive-services Identify Anomalies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/How-to/identify-anomalies.md
Last updated 10/01/2019
-# How to: Use the Anomaly Detector API on your time series data
+# How to: Use the Anomaly Detector univariate API on your time series data
The [Anomaly Detector API](https://westus2.dev.cognitive.microsoft.com/docs/services/AnomalyDetector/operations/post-timeseries-entire-detect) provides two methods of anomaly detection. You can either detect anomalies as a batch throughout your times series, or as your data is generated by detecting the anomaly status of the latest data point. The detection model returns anomaly results along with each data point's expected value, and the upper and lower anomaly detection boundaries. you can use these values to visualize the range of normal values, and anomalies in the data.
-## Anomaly detection modes
+## Anomaly detection modes
The Anomaly Detector API provides detection modes: batch and streaming.
cognitive-services Anomaly Detector Container Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/anomaly-detector-container-configuration.md
Last updated 05/07/2020
-# Configure Anomaly Detector containers
+# Configure Anomaly Detector univariate containers
The **Anomaly Detector** container runtime environment is configured using the `docker run` command arguments. This container has several required settings, along with a few optional settings. Several [examples](#example-docker-run-commands) of the command are available. The container-specific settings are the billing settings.
cognitive-services Anomaly Detection Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/concepts/anomaly-detection-best-practices.md
Title: Best practices when using the Anomaly Detector API
+ Title: Best practices when using the Anomaly Detector univariate API
description: Learn about best practices when detecting anomalies with the Anomaly Detector API.
Last updated 01/22/2021
-# Best practices for using the Anomaly Detector API
+# Best practices for using the Anomaly Detector univariate API
The Anomaly Detector API is a stateless anomaly detection service. The accuracy and performance of its results can be impacted by:
cognitive-services Best Practices Multivariate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/concepts/best-practices-multivariate.md
keywords: anomaly detection, machine learning, algorithms
-# Multivariate Anomaly Detector best practices
+# Best practices for using the Anomaly Detector multivariate API
This article will provide guidance around recommended practices to follow when using the multivariate Anomaly Detector (MVAD) APIs. In this tutorial, you'll:
cognitive-services Multivariate Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/concepts/multivariate-architecture.md
keywords: anomaly detection, machine learning, algorithms
-# Predictive maintenance solution with Anomaly Detector multivariate
+# Predictive maintenance solution with Anomaly Detector (multivariate)
Many different industries need predictive maintenance solutions to reduce risks and gain actionable insights through processing data from their equipment. Predictive maintenance evaluates the condition of equipment by performing online monitoring. The goal is to perform maintenance before the equipment degrades or breaks down.
cognitive-services Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/concepts/troubleshoot.md
keywords: anomaly detection, machine learning, algorithms
This article provides guidance on how to troubleshoot and remediate common error messages when using the multivariate API.
-### Multivariate error codes
+## Multivariate error codes
-#### Common Errors
+### Common Errors
| Error Code | HTTP Error Code | Error Message | Comment | | -- | | - | |
This article provides guidance on how to troubleshoot and remediate common error
| `StorageReadError` | 403 | | Same as `StorageWriteError`. | | `UnexpectedError` | 500 | | Please contact us with detailed error information. You could take the support options from [this document](/azure/cognitive-services/cognitive-services-support-options?context=/azure/cognitive-services/anomaly-detector/context/context) or email us at [AnomalyDetector@microsoft.com](mailto:AnomalyDetector@microsoft.com) |
-#### Train a Multivariate Anomaly Detection Model
+### Train a Multivariate Anomaly Detection Model
| Error Code | HTTP Error Code | Error Message | Comment | | | | | |
This article provides guidance on how to troubleshoot and remediate common error
| `RequiredEndTime` | 400 | The `'endTime'` field is required in the request. | Your training request has not specified a value for the `'startTime'` field. Example: `{"endTime": "2021-01-01T00:00:00Z"}`. | | `InvalidSlidingWindow` | 400 | The `'slidingWindow'` field must be an integer between 28 and 2880. | `'slidingWindow'` must be an integer between 28 and 2880 (inclusive). |
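Review bot: While this section's headings are being re-levelled, the `RequiredEndTime` row in the context still says the training request "has not specified a value for the `'startTime'` field", although the error message and the example both concern `'endTime'`; fix the comment in the same change.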
-#### Get Multivariate Model with Model ID
+### Get Multivariate Model with Model ID
| Error Code | HTTP Error Code | Error Message | Comment | | | | - | | | `ModelNotExist` | 404 | The model does not exist. | The model with corresponding model ID does not exist. Please check the model ID in the request URL. |
-#### Anomaly Detection with a Trained Model
+### Anomaly Detection with a Trained Model
| Error Code | HTTP Error Code | Error Message | Comment | | -- | | | |
This article provides guidance on how to troubleshoot and remediate common error
| `ModelNotReady` | 400 | The model is not ready yet. | The model is not ready yet. Please wait for a while until the training process completes. | | `InvalidFileSize` | 413 | File \<file> exceeds the file size limit (\<size limit> bytes). | The size of inference data exceeds the upper limit (2GB currently). Please use less data for inference. |
-#### Get Detection Results
+### Get Detection Results
| Error Code | HTTP Error Code | Error Message | Comment | | - | | -- | | | `ResultNotExist` | 404 | The result does not exist. | The result per request does not exist. Either inference has not completed or result has expired (7 days). |
-#### Data Processing Errors
+### Data Processing Errors
+ The following error codes do not have associated HTTP Error codes. | Error Code | Error Message | Comment |
cognitive-services Overview Multivariate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/overview-multivariate.md
Title: What is the Anomaly Detector Multivariate API?
-description: Overview of new Anomaly Detector public preview multivariate APIs.
+description: Overview of new Anomaly Detector preview multivariate APIs.
keywords: anomaly detection, machine learning, algorithms
-# Multivariate time series Anomaly Detection (public preview)
+# Multivariate time series Anomaly Detection (preview)
The new **multivariate anomaly detection** APIs further enable developers by easily integrating advanced AI for detecting anomalies from groups of metrics, without the need for machine learning knowledge or labeled data. Dependencies and inter-correlations between up to 300 different signals are now automatically counted as key factors. This new capability helps you to proactively protect your complex systems such as software applications, servers, factory machines, spacecraft, or even your business, from failures.
To run the Notebook, you should get a valid Anomaly Detector API **subscription
## Region support
-The public preview of Anomaly Detector multivariate is currently available in six regions: West US2, West Europe, East US2, South Central US, East US, and UK South.
+The preview of Anomaly Detector multivariate is currently available in six regions: West US2, West Europe, East US2, South Central US, East US, and UK South.
## Algorithms
cognitive-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/overview.md
keywords: anomaly detection, machine learning, algorithms
-# What is the Anomaly Detector API?
+# What is the Anomaly Detector univariate API?
[!INCLUDE [TLS 1.2 enforcement](../../../includes/cognitive-services-tls-announcement.md)]
cognitive-services Client Libraries https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/quickstarts/client-libraries.md
keywords: anomaly detection, algorithms
-# Quickstart: Use the Anomaly Detector client library
+# Quickstart: Use the Anomaly Detector univariate client library
::: zone pivot="programming-language-csharp"
cognitive-services Batch Anomaly Detection Powerbi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Anomaly-Detector/tutorials/batch-anomaly-detection-powerbi.md
Last updated 09/10/2020
-# Tutorial: Visualize anomalies using batch detection and Power BI
+# Tutorial: Visualize anomalies using batch detection and Power BI (univariate)
Use this tutorial to find anomalies within a time series data set as a batch. Using Power BI desktop, you will take an Excel file, prepare the data for the Anomaly Detector API, and visualize statistical anomalies throughout it.
defender-for-iot How To Connect Sensor By Proxy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/organizations/how-to-connect-sensor-by-proxy.md
+
+ Title: Connect sensors with a proxy
+description: Learn how to configure Azure Defender for IoT to communicate with a sensor through a proxy with no direct internet access.
+ Last updated : 07/04/2021++
+# Connect Azure Defender for IoT sensors without direct internet access by using a proxy
+
+This article describes how to configure Azure Defender for IoT to communicate with a sensor through a proxy with no direct internet access. Connect the sensor with a forwarding proxy that has HTTP tunneling, and uses the HTTP CONNECT command for connectivity. The instructions here are given uses the open-source Squid proxy, any other proxy that supports CONNECT can be used.
+
+The proxy uses an encrypted SSL tunnel, to transfers data from the sensors to the service. The proxy doesn't inspect, analyze, or cache any data.
+
+The following diagram shows data going from Azure Defender to IoT sensor in the OT segment to cloud via a proxy located in the IT network, and industrial DMZ.
++
+## Set up your system
+
+For this scenario we will be installing, and configuring the latest version of [Squid](http://www.squid-cache.org/) on an Ubuntu 18 server.
+
+> [!Note]
+> Azure Defender for IoT does not offer support for Squid or any other proxy service.
+
+**To install Squid proxy on an Ubuntu 18 server**:
+
+1. Sign in to your designated proxy Ubuntu machine.
+
+1. Launch a terminal window.
+
+1. Update your software to the latest version using the following command.
+
+ ```bash
+ sudo apt-get update
+ ```
+
+1. Install the Squid package using the following command.
+
+ ```bash
+ sudo apt-get install squid
+ ```
+
+1. Locate the squid configuration file that is located at `/etc/squid/squid.conf`, and `/etc/squid/conf.d/`.
+
+1. Make a backup of the original file using the following command.
+
+ ```bash
+ sudo cp -v /etc/squid/squid.conf{,.factory}'/etc/squid/squid.conf' -> '/etc/squid/squid.conf.factory sudo nano /etc/squid/squid.conf
+ ```
+
+1. Open `/etc/squid/squid.conf` in a text editor.
+
+1. Search for `# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS`.
+
+1. Add `acl sensor1 src <sensor-ip>`, and `http_access allow sensor1` into the file.
+
+ :::image type="content" source="media/how-to-connect-sensor-by-proxy/add-lines.png" alt-text="Add the following two lines into the text and save the file.":::
+
+1. (Optional) Add more sensors by adding an extra line for each sensor.
+
+1. Enable the Squid service to start at launch with the following command.
+
+ ```bash
+ sudo systemctl enable squid
+ ```
+
+## Set up a sensor to use Squid
+
+**To set up a sensor to use Squid**:
+
+1. Sign in to the sensor.
+
+1. Navigate to **System settings** > **Network**.
+
+1. Select **Enable Proxy**.
+
+ :::image type="content" source="media/how-to-connect-sensor-by-proxy/enable-proxy.png" alt-text="Select enable proxy from the Sensor Network Configuration window.":::
+
+1. Enter the proxy address.
+
+1. Enter a port. The default port is `3128`.
+
+1. (Optional) Enter a proxy user, and password.
+
+1. Select **Save**.
+
+## See also
+
+[Manage your subscriptions](how-to-manage-subscriptions.md).
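Review bot: The `bash` block under "Make a backup of the original file" has the command, its pasted output and the next step's command fused on one line (`sudo cp -v /etc/squid/squid.conf{,.factory}'/etc/squid/squid.conf' -> ... sudo nano /etc/squid/squid.conf`), so it will not run as written; keep only `sudo cp -v /etc/squid/squid.conf{,.factory}` in the block and leave opening the editor to the following step. After the `acl sensor1 src <sensor-ip>` and `http_access allow sensor1` lines are added, the only service command is `sudo systemctl enable squid`, which sets start at boot but does not make a running Squid re-read its configuration, so add a restart or reload step. The optional step "adding an extra line for each sensor" does not say whether that means another `src` entry on the `sensor1` ACL or a new `acl` and `http_access` pair, and the sensor-side "proxy user, and password" has no matching authentication setup on the Squid side. In the introduction, "The instructions here are given uses the open-source Squid proxy" and "to transfers data" need a grammar pass.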
event-hubs Add Custom Data Event https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/add-custom-data-event.md
let eventData = { body: "First event", properties: { "event-type": "com.microsof
See the following quickstarts and samples. - Quickstarts: [.NET](event-hubs-dotnet-standard-getstarted-send.md), [Java](event-hubs-java-get-started-send.md), [Python](event-hubs-python-get-started-send.md), [JavaScript](event-hubs-node-get-started-send.md)-- Samples on GitHub: [.NET](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/eventhub/Azure.Messaging.EventHubs/samples), [Java](https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/eventhubs/azure-messaging-eventhubs/src/samples), [Python](https://github.com/Azure/azure-sdk-for-python/blob/azure-eventhub_5.3.1/sdk/eventhub/azure-eventhub/samples), [JavaScript](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/eventhub/event-hubs/samples/javascript), [TypeScript](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/eventhub/event-hubs/samples/typescript)
+- Samples on GitHub: [.NET](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/eventhub/Azure.Messaging.EventHubs/samples), [Java](https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/eventhubs/azure-messaging-eventhubs/src/samples), [Python](https://github.com/Azure/azure-sdk-for-python/blob/azure-eventhub_5.3.1/sdk/eventhub/azure-eventhub/samples), [JavaScript](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/eventhub/event-hubs/samples/v5/javascript), [TypeScript](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/eventhub/event-hubs/samples/v5/typescript)
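Review bot: Only the JavaScript and TypeScript links move to `main` and `samples/v5`; the .NET and Java links on the same line still point at `master`, and the Python link is pinned to the `azure-eventhub_5.3.1` tag. Confirm those targets still resolve and, if those repositories have also renamed their default branch, update them in this change rather than piecemeal.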
event-hubs Event Hubs Capture Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/event-hubs-capture-overview.md
A native support to Azure Blob storage is available, which makes it easy to quer
[Apache Drill: Azure Blob Storage Plugin][Apache Drill: Azure Blob Storage Plugin]
-To easily query captured files, you can create and execute a VM with Apache Drill enabled via a container to access Azure Blob storage. See the following sample: [Streaming at Scale with Event Hubs Capture](https://github.com/Azure-Samples/streaming-at-scale/tree/main/eventhubs-capture).
+To easily query captured files, you can create and execute a VM with Apache Drill enabled via a container to access Azure Blob storage. See the following sample: [Streaming at Scale with Event Hubs Capture](https://github.com/Azure-Samples/streaming-at-scale/tree/main/eventhubs-capture-databricks-delta).
### Use Apache Spark
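Review bot: The sentence still describes a VM running Apache Drill in a container, but the new link target is `eventhubs-capture-databricks-delta`; confirm that sample actually covers the Apache Drill scenario, or reword the sentence to match what the linked sample does.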
event-hubs Event Hubs Geo Dr https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/event-hubs-geo-dr.md
Review the following samples or reference documentation.
- [Java - azure-messaging-eventhubs samples](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/eventhubs/azure-messaging-eventhubs/src/samples/java/com/azure/messaging/eventhubs) - [Java - azure-eventhubs samples](https://github.com/Azure/azure-event-hubs/tree/master/samples/Java) - [Python samples](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/eventhub/azure-eventhub/samples)-- [JavaScript samples](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/eventhub/event-hubs/samples/javascript)-- [TypeScript samples](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/eventhub/event-hubs/samples/typescript)
+- [JavaScript samples](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/eventhub/event-hubs/samples/v5/javascript)
+- [TypeScript samples](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/eventhub/event-hubs/samples/v5/typescript)
- [REST API reference](/rest/api/eventhub/) [2]: ./media/event-hubs-geo-dr/geo2.png-
event-hubs Event Hubs Node Get Started Send https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/event-hubs-node-get-started-send.md
In this section, you create a JavaScript application that sends events to an eve
[![Verify that the event hub received the messages](./media/getstarted-dotnet-standard-send-v2/verify-messages-portal.png)](./media/getstarted-dotnet-standard-send-v2/verify-messages-portal.png#lightbox) > [!NOTE]
- > For the complete source code, including additional informational comments, go to the [GitHub sendEvents.js page](https://github.com/Azure/azure-sdk-for-js/blob/master/sdk/eventhub/event-hubs/samples/javascript/sendEvents.js).
+ > For the complete source code, including additional informational comments, go to the [GitHub sendEvents.js page](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/eventhub/event-hubs/samples/v5/javascript/sendEvents.js).
Congratulations! You have now sent events to an event hub.
Congratulations! You have now received events from your event hub. The receiver
## Next steps Check out these samples on GitHub: -- [JavaScript samples](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/eventhub/event-hubs/samples/javascript)-- [TypeScript samples](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/eventhub/event-hubs/samples/typescript)
+- [JavaScript samples](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/eventhub/event-hubs/samples/v5/javascript)
+- [TypeScript samples](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/eventhub/event-hubs/samples/v5/typescript)
hdinsight Apache Spark Intellij Tool Plugin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/spark/apache-spark-intellij-tool-plugin.md
In this article, you learn how to:
## Prerequisites
-* An Apache Spark cluster on HDInsight. For instructions, see [Create Apache Spark clusters in Azure HDInsight](apache-spark-jupyter-spark-sql.md).
+* An Apache Spark cluster on HDInsight. For instructions, see [Create Apache Spark clusters in Azure HDInsight](apache-spark-jupyter-spark-sql.md). Only HDinsight clusters in public cloud are supported while other secure cloud types (e.g. government clouds) are not.
* [Oracle Java Development kit](https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html). This article uses Java version 8.0.202.
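Review bot: The added sentence spells the product `HDinsight`, while the rest of the bullet uses `HDInsight`. "Other secure cloud types (e.g. government clouds)" is vague for a prerequisite; naming the unsupported clouds would let a reader tell whether their cluster qualifies.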
migrate Prepare For Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/prepare-for-migration.md
Title: Prepare machines for migration with Azure Migrate
+ Title: Prepare machines for migration with Azure Migrate
description: Learn how to prepare on-premises machines for migration with Azure Migrate.
Review the tables to identify the changes you need to make.
Required changes are summarized in the table.
-**Action** | **VMware (agentless migration)** | **VMware (agent-based)/physical machines** | **Windows on Hyper-V**
+**Action** | **VMware (agentless migration)** | **VMware (agent-based)/physical machines** | **Windows on Hyper-V**
| | | **Configure the SAN policy as Online All**<br/><br/> | Set automatically for machines running Windows Server 2008 R2 or later.<br/><br/> Configure manually for earlier operating systems. | Set automatically in most cases. | Configure manually. **Install Hyper-V Guest Integration** | [Install manually](prepare-windows-server-2003-migration.md#install-on-vmware-vms) on machines running Windows Server 2003. | [Install manually](prepare-windows-server-2003-migration.md#install-on-vmware-vms) on machines running Windows Server 2003. | [Install manually](prepare-windows-server-2003-migration.md#install-on-hyper-v-vms) on machines running Windows Server 2003.
Required changes are summarized in the table.
By default, Azure VMs are assigned drive D to use as temporary storage. - This drive assignment causes all other attached storage drive assignments to increment by one letter.-- For example, if your on-premises installation uses a data disk that is assigned to drive D for application installations, the assignment for this drive increments to drive E after you migrate the VM to Azure.
+- For example, if your on-premises installation uses a data disk that is assigned to drive D for application installations, the assignment for this drive increments to drive E after you migrate the VM to Azure.
- To prevent this automatic assignment, and to ensure that Azure assigns the next free drive letter to its temporary volume, set the storage area network (SAN) policy to **OnlineAll**: Configure this setting manually as follows:
Azure Migrate completes these actions automatically for these versions
- SUSE Linux Enterprise Server 15 SP0, 15 SP1, 12, 11 - Ubuntu 19.04, 19.10, 18.04LTS, 16.04LTS, 14.04LTS (Azure Linux VM agent is also installed automatically during migration) - Debian 9, 8, 7-- Oracle Linux 6, 7.7, 7.7-CI
+- Oracle Linux 6, 7.7, 7.7-CI
For other versions, prepare machines as summarized in the table.
For other versions, prepare machines as summarized in the table.
**Update network interfaces** | Update network interfaces to receive IP address based on DHCP.nst | Update manually for all versions except those called out above. **Enable ssh** | Ensure ssh is enabled and the sshd service is set to start automatically on reboot.<br/><br/> Ensure that incoming ssh connection requests are not blocked by the OS firewall or scriptable rules.| Enable manually for all versions except those called out above. + The following table summarizes the steps performed automatically for the operating systems listed above.
On on-premises Windows machines:
2. Make sure [required services](../virtual-machines/windows/prepare-for-upload-vhd-image.md#check-the-windows-services) are running. 3. Enable remote desktop (RDP) to allow remote connections to the on-premises machine. Learn how to [use PowerShell to enable RDP](../virtual-machines/windows/prepare-for-upload-vhd-image.md#update-remote-desktop-registry-settings). 4. To access an Azure VM over the internet after migration, in Windows Firewall on the on-premises machine, allow TCP and UDP in the Public profile, and set RDP as an allowed app for all profiles.
-5. If you want to access an Azure VM over a site-to-site VPN after migration, in Windows Firewall on the on-premises machine, allow RDP for the Domain and Private profiles. Learn how to [allow RDP traffic](../virtual-machines/windows/prepare-for-upload-vhd-image.md#configure-windows-firewall-rules).
+5. If you want to access an Azure VM over a site-to-site VPN after migration, in Windows Firewall on the on-premises machine, allow RDP for the Domain and Private profiles. Learn how to [allow RDP traffic](../virtual-machines/windows/prepare-for-upload-vhd-image.md#configure-windows-firewall-rules).
6. Make sure there are no Windows updates pending on the on-premises VM when you migrate. If there are, updates might start installing on the Azure VM after migration, and you won't be able to sign into the VM until updates finish.
After migration, complete these steps on the Azure VMs that are created:
Decide which method you want to use to [migrate VMware VMs](server-migrate-overview.md) to Azure, or begin migrating [Hyper-V VMs](tutorial-migrate-hyper-v.md) or [physical servers or virtualized or cloud VMs](tutorial-migrate-physical-virtual-machines.md). + ## See what's supported For VMware VMs, Server Migration supports [agentless or agent-based migration](server-migrate-overview.md). - **VMware VMs**: Verify [migration requirements and support](migrate-support-matrix-vmware-migration.md) for VMware VMs. - **Hyper-V VMs**: Verify [migration requirements and support](migrate-support-matrix-hyper-v-migration.md) for Hyper-V VMs.-- **Physical machines**: Verify [migration requirements and support](migrate-support-matrix-physical-migration.md) for on-premises physical machines and other virtualized servers.
+- **Physical machines**: Verify [migration requirements and support](migrate-support-matrix-physical-migration.md) for on-premises physical machines and other virtualized servers.
migrate Troubleshoot Dependencies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/troubleshoot-dependencies.md
The list of agentless dependency analysis errors is summarized in the table belo
| **9011:** The file containing the discovered metadata cannot be found on the server. | This could be a transient issue due to an internal error. | The issue should automatically resolve in the next cycle within 24 hours. If the issue persists, submit a Microsoft support case. | | **9012:** The file containing the discovered metadata on the server is empty. | This could be a transient issue due to an internal error. | The issue should automatically resolve in the next cycle within 24 hours. If the issue persists, submit a Microsoft support case. | | **9013:** A new temporary user profile is getting created on logging in the server each time. | A new temporary user profile is getting created on logging in the server each time. | Please submit a Microsoft support case to help troubleshoot this issue. |
-| **9014:** Unable to retrieve the file containing the discovered metadata due to an error encountered on the ESXi host. Error code: %ErrorCode; Details: %ErrorMessage | Encountered an error on the ESXi host \<HostName>. Error code: %ErrorCode; Details: %ErrorMessage | Ensure that port 443 is open on the ESXi host on which the server is running.|
+| **9014:** Unable to retrieve the file containing the discovered metadata due to an error encountered on the ESXi host. Error code: %ErrorCode; Details: %ErrorMessage | Encountered an error on the ESXi host \<HostName>. Error code: %ErrorCode; Details: %ErrorMessage | Ensure that port 443 is open on the ESXi host on which the server is running.<br/><br/> [Learn more](troubleshoot-dependencies.md#error-9014-httpgetrequesttoretrievefilefailed) on how to remediate the issue.|
| **9015:** The vCenter Server user account provided for server discovery does not have Guest operations privileges enabled. | The required privileges of Guest Operations has not been enabled on the vCenter Server user account. | Ensure that the vCenter Server user account has privileges enabled for Virtual Machines > Guest Operations, in order to interact with the server and pull the required data. <br/><br/> [Learn more](tutorial-discover-vmware.md#prepare-vmware) on how to set up the vCenter Server account with required privileges. | | **9016:** Unable to discover the metadata as the guest operations agent on the server is outdated. | Either the VMware tools is not installed on the server or the installed version is not up-to-date. | Ensure that the VMware tools is installed and running up-to-date on the server. The VMware Tools version must be version 10.2.1 or later. | | **9017:** The file containing the discovered metadata cannot be found on the server. | This could be a transient issue due to an internal error. | Please submit a Microsoft support case to help troubleshoot this issue. |
-| **9018:** PowerShell is not installed on the server. | PowerShell cannot be found on the server. | Ensure that PowerShell version 2.0 or later is installed on the server.|
+| **9018:** PowerShell is not installed on the server. | PowerShell cannot be found on the server. | Ensure that PowerShell version 2.0 or later is installed on the server. <br/><br/> [Learn more](troubleshoot-dependencies.md#error-9018-powershellnotfound) on how to remediate the issue.|
| **9019:** Unable to discover the metadata due to guest operation failures on the server. | VMware guest operations failed on the server.The issue was encountered when trying the following credentials on the server: <FriendlyNameOfCredentials>. | Ensure that the server credentials provided on the appliance are valid and username provided in the credentials is in UPN format. (find the friendly name of the credentials tried by Azure Migrate in the possible causes) | | **9020:** Unable to create the file required to contain the discovered metadata on the server. | The role associated to the credentials provided on the appliance or a group policy on-premises is restricting the creation of file in the required folder. The issue was encountered when trying the following credentials on the server: <FriendlyNameOfCredentials>. | 1. Check if the credentials provided on the appliance has create file permission on the folder \<folder path/folder name> in the server. <br/>2. If the credentials provided on the appliance do not have the required permissions, either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes) | | **9021:** Unable to create the file required to contain the discovered metadata at right path on the server. | VMware tools is reporting an incorrect file path to create the file. | Ensure that VMware tools later than version 10.2.0 is installed and running on the server. |
-| **9022:** The access is denied to run the Get-WmiObject cmdlet on the server. | The role associated to the credentials provided on the appliance or a group policy on-premises is restricting access to WMI object. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | 1. Check if the credentials provided on the appliance has create file Administrator privileges and has WMI enabled. <br/> 2. If the credentials provided on the appliance do not have the required permissions, either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes).|
+| **9022:** The access is denied to run the Get-WmiObject cmdlet on the server. | The role associated to the credentials provided on the appliance or a group policy on-premises is restricting access to WMI object. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | 1. Check if the credentials provided on the appliance has create file Administrator privileges and has WMI enabled. <br/> 2. If the credentials provided on the appliance do not have the required permissions, either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes).<br/><br/> [Learn more](troubleshoot-dependencies.md#error-9022-getwmiobjectaccessdenied) on how to remediate the issue.|
| **9023:** Unable to run PowerShell as the %SystemRoot% environment variable value is empty. | The value of %SystemRoot% environment variable is empty for the server. | 1. Check if the environment variable is returning an empty value by running echo %systemroot% command on the impacted server. <br/> 2. If issue persists, submit a Microsoft support case. | | **9024:** Unable to perform discovery as the %TEMP% environment variable value is empty. | The value of %TEMP% environment variable is empty for the server. | 1. Check if the environment variable is returning an empty value by running echo %temp% command on the impacted server. <br/> 2. If issue persists, submit a Microsoft support case. | | **9025:** Unable to perform discovery PowerShell is corrupted on the server. | PowerShell is corrupted on the server. | Reinstall PowerShell and verify that it is running on the impacted server. |
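Review bot: In the 9022 row, the rewritten action cell still reads "has create file Administrator privileges and has WMI enabled", which looks like leftover wording from the 9020 "create file permission" row. Since the line is being replaced anyway, reword it to say what is required, for example "has Administrator privileges and access to WMI". The three new "Learn more" links in this hunk point back into the file being edited (`troubleshoot-dependencies.md#error-...`); a bare fragment such as `#error-9022-getwmiobjectaccessdenied` would survive a file rename. Please also confirm that the "Error 9014" heading the first link targets exists, since it is not among the headings visible in this diff.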
The list of agentless dependency analysis errors is summarized in the table belo
| **9029:** The credentials provided on the appliance do not have access permissions to run PowerShell. | The credentials provided on the appliance do not have access permissions to run PowerShell. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | 1. Ensure that the credentials provided on the appliance can access PowerShell on the server.<br/> 2. If the credentials provided on the appliance do not have the required access, either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes) | | **9030:** Unable to gather the discovered metadata as the ESXi host where the server is hosted is in a disconnected state. | The ESXi host on which server is residing is in a disconnected state. | Ensure that the ESXi host running the server is in a connected state. | | **9031:** Unable to gather the discovered metadata as the ESXi host where the server is hosted is not responding. | The ESXi host on which server is residing is in an invalid state. | Ensure that the ESXi host running the server is in a running and connected state. |
-| **9032:** Unable to discover due to an internal error. | The issue encountered is due to an internal error. | Follow the steps given below the table to remediate the issue. If the issue persists, open a Microsoft support case. |
+| **9032:** Unable to discover due to an internal error. | The issue encountered is due to an internal error. | Follow the steps [here](troubleshoot-dependencies.md#error-9032-invalidrequest) to remediate the issue. If the issue persists, open a Microsoft support case. |
| **9033:** Unable to discover as the username of the credentials provided on the appliance for the server have invalid characters. | The credentials provided on the appliance contain invalid characters in the username. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | Ensure that the credentials provided on the appliance do not have any invalid characters in the username. You can go back to the appliance configuration manager to edit the credentials. (find the friendly name of the credentials tried by Azure Migrate in the possible causes). | | **9034:** Unable to discover as the username of the credentials provided on the appliance for the server is not in UPN format. | The credentials provided on the appliance do not have the username in the UPN format. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | Ensure that the credentials provided on the appliance have their username in the User Principal Name (UPN) format. You can go back to the appliance configuration manager to edit the credentials. (find the friendly name of the credentials tried by Azure Migrate in the possible causes). | | **9035:** Unable to discover as PowerShell language mode in not set correctly. | PowerShell language mode is not set to 'Full language'. | Ensure that PowerShell language mode is set to 'Full Language'. |
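Review bot: The 9032 row now links to the "Error 9032: InvalidRequest" section, but its cause cell still says only "The issue encountered is due to an internal error." The linked remediation is concrete (a username with invalid XML characters or not in UPN format), so the cause column should say so, or at least point to the section, rather than leaving the reader to find it through the action column.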
The list of agentless dependency analysis errors is summarized in the table belo
| **9037:** The metadata collection is temporarily paused due to high response time from the server. | The server is taking too long to respond. | The issue should automatically resolve in the next cycle within 24 hours. If the issue persists, submit a Microsoft support case. | | **10000:** Operation system type running on the server is not supported. | Operating system running on the server is neither Windows nor Linux. | Only Windows and Linux OS types are supported. \<GuestOSName> operating system is not supported currently. | | **10001:** The script required to gather discovery metadata is not found on the server. | The script required to perform discovery may have been deleted or removed from the expected location. | Please submit a Microsoft support case to help troubleshoot this issue. |
-| **10002:** The discovery operations timed out on the server. | This could be a transient issue due to the discovery agent on the appliance not working as expected. | The issue should automatically resolve in the next cycle within 24 hours.|
+| **10002:** The discovery operations timed out on the server. | This could be a transient issue due to the discovery agent on the appliance not working as expected. | The issue should automatically resolve in the next cycle within 24 hours. If it isnt resolved, follow the steps [here](troubleshoot-dependencies.md#error-10002-scriptexecutiontimedoutonvm) to remediate the issue. If the issue still persists, open a Microsoft support case.|
| **10003:** The process executing the discovery operations exited with an error. | The process executing the discovery operations exited abruptly due to an error.| The issue should automatically resolve in the next cycle within 24 hours. If the issue persists, submit a Microsoft support case. | | **10004:** Credentials not provided on the appliance for the server OS type. | The credentials for the server OS type were not added on the appliance. | 1. Ensure that you add the credentials for the OS type of the impacted server on the appliance.<br/> 2. You can now add multiple server credentials on the appliance. |
-| **10005:** Credentials provided on the appliance for the server are invalid. | The credentials provided on the appliance are not valid. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | 1. Ensure that the credentials provided on the appliance are valid and the server is accessible using the credentials.<br/> 2. You can now add multiple server credentials on the appliance.<br/> 3. Go back to the appliance configuration manager to either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes).|
+| **10005:** Credentials provided on the appliance for the server are invalid. | The credentials provided on the appliance are not valid. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | 1. Ensure that the credentials provided on the appliance are valid and the server is accessible using the credentials.<br/> 2. You can now add multiple server credentials on the appliance.<br/> 3. Go back to the appliance configuration manager to either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes). <br/><br/> [Learn more](troubleshoot-dependencies.md#error-10005-guestcredentialnotvalid) on how to remediate the issue.|
| **10006:** Operation system type running on the server is not supported. | Operating system running on the server is neither Windows nor Linux. | Only Windows and Linux OS types are supported. \<GuestOSName> operating system is not supported currently. | | **10007:** Unable to process the discovered metadata from the server. | An error ocuured when parsing the contents of the file containing the discovered metadata. | Please submit a Microsoft support case to help troubleshoot this issue. | | **10008:** Unable to create the file required to contain the discovered metadata on the server. | The role associated to the credentials provided on the appliance or a group policy on-premises is restricting the creation of file in the required folder. The issue was encountered when trying the following credentials on the server: <FriendlyNameOfCredentials>. | 1. Check if the credentials provided on the appliance has create file permission on the folder \<folder path/folder name> in the server.<br/> 2. If the credentials provided on the appliance do not have the required permissions, either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes) | | **10009:** Unable to write the discovered metadata in the file on the server. | The role associated to the credentials provided on the appliance or a group policy on-premises is restricting writing in the file on the server. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | 1. Check if the credentials provided on the appliance has write file permission on the folder <folder path/folder name> in the server.<br/> 2. If the credentials provided on the appliance do not have the required permissions, either provide another set of credentials or edit an existing one. 
(find the friendly name of the credentials tried by Azure Migrate in the possible causes) | | **10010:** Unable to discover as the command- %CommandName; required to collect some metadata is missing on the server. | The package containing the command %CommandName; is not installed on the server. | Ensure that the package containing the command %CommandName; is installed on the server. | | **10011:** The credentials provided on the appliance were used to log in and log off for an interactive session. | The interactive log in and log off forces the registry keys to be unloaded in the profile of the account, being used.This condition makes the keys unavailable for future use. | Use the resolution methods documented [here](https://go.microsoft.com/fwlink/?linkid=2132821) |
-| **10012:** Credentials have not been provided on the appliance for the server. | Either no credentials have been provided for the server or you have provided domain credentials with incorrect domain name on the appliance.| 1. Ensure that the credentials are provided on the appliance for the server and the server is accessible using the credentials. <br/> 2. You can now add multiple credentials on the appliance for servers.Go back to the appliance configuration manager to provide credentials for the server.|
+| **10012:** Credentials have not been provided on the appliance for the server. | Either no credentials have been provided for the server or you have provided domain credentials with incorrect domain name on the appliance.[Learn more](troubleshoot-dependencies.md#error-10012-credentialnotprovided) about the cause of this error. | 1. Ensure that the credentials are provided on the appliance for the server and the server is accessible using the credentials. <br/> 2. You can now add multiple credentials on the appliance for servers.Go back to the appliance configuration manager to provide credentials for the server.|
+ ## Error 970: DependencyMapInsufficientPrivilegesException
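Review bot: The new 10002 text contains "If it isnt resolved", which is missing the apostrophe ("isn't"). In the 10012 row the added link is appended to the cause cell with no separating space ("on the appliance.[Learn more](...)"), and the action cell on the same line still has "for servers.Go back"; add the missing spaces while the line is being touched. The 10002 and 10005 rows put their link in the action column and 10012 puts it in the cause column, so check that the difference is intended.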
The error usually comes for servers running Windows Server 2008 or lower.
### Remediation You need to install the required PowerShell version (2.0 or later) at this location on the server: ($SYSTEMROOT)\System32\WindowsPowershell\v1.0\powershell.exe. [Learn more](https://docs.microsoft.com/powershell/scripting/windows-powershell/install/installing-windows-powershell) on how to install PowerShell in Windows Server.
-After installing the required PowerShell version, you can verify if the error was resolved by following steps below under "Mitigation verification using VMware PowerCLI".
+After installing the required PowerShell version, you can verify if the error was resolved by following steps [here](troubleshoot-dependencies.md#mitigation-verification-using-vmware-powercli).
## Error 9022: GetWMIObjectAccessDenied
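Review bot: The replacement sentence links the verification steps as "[here]", which drops the section name the old text gave ("Mitigation verification using VMware PowerCLI"). Use the section title as the link text, for example "by following the steps in [Mitigation verification using VMware PowerCLI](#mitigation-verification-using-vmware-powercli)", so the sentence still identifies its target when the link is read out of context. The same wording is introduced in the matching replacements under errors 9022, 9032, 10002 and 10012 in this file.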
Make sure that the user account provided in the appliance has access to WMI Name
11. Ensure you grant execute permissions and select "This namespace and subnamespaces" in the 'Applies to:' drop-down. 12. Select 'Apply' button to save the settings and close all dialog boxes.
-After getting the required access, you can verify if the error was resolved by following steps below under "Mitigation verification using VMware PowerCLI".
+After getting the required access, you can verify if the error was resolved by following steps [here](troubleshoot-dependencies.md#mitigation-verification-using-vmware-powercli).
## Error 9032: InvalidRequest
There can be multiple reasons for this issue, one of the reason is when the user
### Remediation - Make sure the username of the server credentials does not have invalid XML characters and is in username@domain.com format popularly known as UPN format.-- After editing the credentials on the appliance, you can verify if the error was resolved by following steps below under "Mitigation verification using VMware PowerCLI".
+- After editing the credentials on the appliance, you can verify if the error was resolved by following steps [here](troubleshoot-dependencies.md#mitigation-verification-using-vmware-powercli).
## Error 10002: ScriptExecutionTimedOutOnVm
There can be multiple reasons for this issue, one of the reason is when the user
- Ensure that you are able to login into the impacted server using the same credential provided in the appliance. - You can try using another user account (for the same domain, in case server is domain-joined) for that server instead of Administrator account . - The issue can happen when Global Catalog <-> Domain Controller communication is broken. You can check this by creating a new user account in the domain controller and providing the same in the appliance. This might also require restarting the Domain controller.-- After taking the remediation steps, you can verify if the error was resolved by following steps below under "Mitigation verification using VMware PowerCLI".
+- After taking the remediation steps, you can verify if the error was resolved by following steps [here](troubleshoot-dependencies.md#mitigation-verification-using-vmware-powercli).
## Error 10012: CredentialNotProvided
This error occurs when you have provided a domain credential with a wrong domain
### Remediation - Go to appliance configuration manager to add a server credential or edit an existing one as explained in the cause.-- After taking the remediation steps, you can verify if the error was resolved by following steps below under "Mitigation verification using VMware PowerCLI".
+- After taking the remediation steps, you can verify if the error was resolved by following steps [here](troubleshoot-dependencies.md#mitigation-verification-using-vmware-powercli).
## Mitigation verification using VMware PowerCLI
migrate Troubleshoot Discovery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/troubleshoot-discovery.md
The list of software inventory errors are summarized in the table below.
| **9011:** The file containing the discovered metadata cannot be found on the server. | This could be a transient issue due to an internal error. | The issue should automatically resolve in the next cycle within 24 hours. If the issue persists, submit a Microsoft support case. | | **9012:** The file containing the discovered metadata on the server is empty. | This could be a transient issue due to an internal error. | The issue should automatically resolve in the next cycle within 24 hours. If the issue persists, submit a Microsoft support case. | | **9013:** A new temporary user profile is getting created on logging in the server each time. | A new temporary user profile is getting created on logging in the server each time. | Please submit a Microsoft support case to help troubleshoot this issue. |
-| **9014:** Unable to retrieve the file containing the discovered metadata due to an error encountered on the ESXi host. Error code: %ErrorCode; Details: %ErrorMessage | Encountered an error on the ESXi host \<HostName>. Error code: %ErrorCode; Details: %ErrorMessage | Ensure that port 443 is open on the ESXi host on which the server is running.|
+| **9014:** Unable to retrieve the file containing the discovered metadata due to an error encountered on the ESXi host. Error code: %ErrorCode; Details: %ErrorMessage | Encountered an error on the ESXi host \<HostName>. Error code: %ErrorCode; Details: %ErrorMessage | Ensure that port 443 is open on the ESXi host on which the server is running.<br/><br/> [Learn more](troubleshoot-discovery.md#error-9014-httpgetrequesttoretrievefilefailed) on how to remediate the issue.|
| **9015:** The vCenter Server user account provided for server discovery does not have Guest operations privileges enabled. | The required privileges of Guest Operations has not been enabled on the vCenter Server user account. | Ensure that the vCenter Server user account has privileges enabled for Virtual Machines > Guest Operations, in order to interact with the server and pull the required data. <br/><br/> [Learn more](tutorial-discover-vmware.md#prepare-vmware) on how to set up the vCenter Server account with required privileges. | | **9016:** Unable to discover the metadata as the guest operations agent on the server is outdated. | Either the VMware tools is not installed on the server or the installed version is not up-to-date. | Ensure that the VMware tools is installed and running up-to-date on the server. The VMware Tools version must be version 10.2.1 or later. | | **9017:** The file containing the discovered metadata cannot be found on the server. | This could be a transient issue due to an internal error. | Please submit a Microsoft support case to help troubleshoot this issue. |
-| **9018:** PowerShell is not installed on the server. | PowerShell cannot be found on the server. | Ensure that PowerShell version 2.0 or later is installed on the server.|
+| **9018:** PowerShell is not installed on the server. | PowerShell cannot be found on the server. | Ensure that PowerShell version 2.0 or later is installed on the server. <br/><br/> [Learn more](troubleshoot-discovery.md#error-9018-powershellnotfound) on how to remediate the issue.|
| **9019:** Unable to discover the metadata due to guest operation failures on the server. | VMware guest operations failed on the server.The issue was encountered when trying the following credentials on the server: <FriendlyNameOfCredentials>. | Ensure that the server credentials provided on the appliance are valid and username provided in the credentials is in UPN format. (find the friendly name of the credentials tried by Azure Migrate in the possible causes) | | **9020:** Unable to create the file required to contain the discovered metadata on the server. | The role associated to the credentials provided on the appliance or a group policy on-premises is restricting the creation of file in the required folder. The issue was encountered when trying the following credentials on the server: <FriendlyNameOfCredentials>. | 1. Check if the credentials provided on the appliance has create file permission on the folder \<folder path/folder name> in the server. <br/>2. If the credentials provided on the appliance do not have the required permissions, either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes) | | **9021:** Unable to create the file required to contain the discovered metadata at right path on the server. | VMware tools is reporting an incorrect file path to create the file. | Ensure that VMware tools later than version 10.2.0 is installed and running on the server. |
-| **9022:** The access is denied to run the Get-WmiObject cmdlet on the server. | The role associated to the credentials provided on the appliance or a group policy on-premises is restricting access to WMI object. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | 1. Check if the credentials provided on the appliance has create file Administrator privileges and has WMI enabled. <br/> 2. If the credentials provided on the appliance do not have the required permissions, either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes).|
+| **9022:** The access is denied to run the Get-WmiObject cmdlet on the server. | The role associated to the credentials provided on the appliance or a group policy on-premises is restricting access to WMI object. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | 1. Check if the credentials provided on the appliance has create file Administrator privileges and has WMI enabled. <br/> 2. If the credentials provided on the appliance do not have the required permissions, either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes).<br/><br/> [Learn more](troubleshoot-discovery.md#error-9022-getwmiobjectaccessdenied) on how to remediate the issue.|
| **9023:** Unable to run PowerShell as the %SystemRoot% environment variable value is empty. | The value of %SystemRoot% environment variable is empty for the server. | 1. Check if the environment variable is returning an empty value by running echo %systemroot% command on the impacted server. <br/> 2. If issue persists, submit a Microsoft support case. | | **9024:** Unable to perform discovery as the %TEMP% environment variable value is empty. | The value of %TEMP% environment variable is empty for the server. | 1. Check if the environment variable is returning an empty value by running echo %temp% command on the impacted server. <br/> 2. If issue persists, submit a Microsoft support case. | | **9025:** Unable to perform discovery PowerShell is corrupted on the server. | PowerShell is corrupted on the server. | Reinstall PowerShell and verify that it is running on the impacted server. |
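Review bot: The links added to the 9014, 9018 and 9022 rows target `troubleshoot-discovery.md#error-9014-httpgetrequesttoretrievefilefailed` and similar fragments, but no matching "Error 9014", "Error 9018" or "Error 9022" headings for troubleshoot-discovery.md appear in the lines shown here, so please confirm those sections exist in this file and that the fragments resolve. These rows are also word-for-word copies of the ones changed in troubleshoot-dependencies.md, including the "create file Administrator privileges" wording in the 9022 row, so each correction has to be made twice; consider keeping the table in one shared place.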
The list of software inventory errors are summarized in the table below.
| **9029:** The credentials provided on the appliance do not have access permissions to run PowerShell. | The credentials provided on the appliance do not have access permissions to run PowerShell. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | 1. Ensure that the credentials provided on the appliance can access PowerShell on the server.<br/> 2. If the credentials provided on the appliance do not have the required access, either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes) | | **9030:** Unable to gather the discovered metadata as the ESXi host where the server is hosted is in a disconnected state. | The ESXi host on which server is residing is in a disconnected state. | Ensure that the ESXi host running the server is in a connected state. | | **9031:** Unable to gather the discovered metadata as the ESXi host where the server is hosted is not responding. | The ESXi host on which server is residing is in an invalid state. | Ensure that the ESXi host running the server is in a running and connected state. |
-| **9032:** Unable to discover due to an internal error. | The issue encountered is due to an internal error. | Follow the steps given below the table to remediate the issue. If the issue persists, open a Microsoft support case. |
+| **9032:** Unable to discover due to an internal error. | The issue encountered is due to an internal error. | Follow the steps [here](troubleshoot-discovery.md#error-9032-invalidrequest) to remediate the issue. If the issue persists, open a Microsoft support case. |
| **9033:** Unable to discover as the username of the credentials provided on the appliance for the server have invalid characters. | The credentials provided on the appliance contain invalid characters in the username. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | Ensure that the credentials provided on the appliance do not have any invalid characters in the username. You can go back to the appliance configuration manager to edit the credentials. (find the friendly name of the credentials tried by Azure Migrate in the possible causes). | | **9034:** Unable to discover as the username of the credentials provided on the appliance for the server is not in UPN format. | The credentials provided on the appliance do not have the username in the UPN format. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | Ensure that the credentials provided on the appliance have their username in the User Principal Name (UPN) format. You can go back to the appliance configuration manager to edit the credentials. (find the friendly name of the credentials tried by Azure Migrate in the possible causes). | | **9035:** Unable to discover as PowerShell language mode in not set correctly. | PowerShell language mode is not set to 'Full language'. | Ensure that PowerShell language mode is set to 'Full Language'. |
The list of software inventory errors are summarized in the table below.
| **9037:** The metadata collection is temporarily paused due to high response time from the server. | The server is taking too long to respond. | The issue should automatically resolve in the next cycle within 24 hours. If the issue persists, submit a Microsoft support case. | | **10000:** Operation system type running on the server is not supported. | Operating system running on the server is neither Windows nor Linux. | Only Windows and Linux OS types are supported. \<GuestOSName> operating system is not supported currently. | | **10001:** The script required to gather discovery metadata is not found on the server. | The script required to perform discovery may have been deleted or removed from the expected location. | Please submit a Microsoft support case to help troubleshoot this issue. |
-| **10002:** The discovery operations timed out on the server. | This could be a transient issue due to the discovery agent on the appliance not working as expected. | The issue should automatically resolve in the next cycle within 24 hours.|
+| **10002:** The discovery operations timed out on the server. | This could be a transient issue due to the discovery agent on the appliance not working as expected. | The issue should automatically resolve in the next cycle within 24 hours. If it isnt resolved, follow the steps [here](troubleshoot-discovery.md#error-10002-scriptexecutiontimedoutonvm) to remediate the issue. If the issue still persists, open a Microsoft support case.|
| **10003:** The process executing the discovery operations exited with an error. | The process executing the discovery operations exited abruptly due to an error.| The issue should automatically resolve in the next cycle within 24 hours. If the issue persists, submit a Microsoft support case. | | **10004:** Credentials not provided on the appliance for the server OS type. | The credentials for the server OS type were not added on the appliance. | 1. Ensure that you add the credentials for the OS type of the impacted server on the appliance.<br/> 2. You can now add multiple server credentials on the appliance. |
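Review bot: In the added 10002 row, "If it isnt resolved" is missing its apostrophe ("isn't"), and the link text "here" says nothing about its target; linking a phrase such as "remediation steps for error 10002" would be clearer. The cell now chains three conditions (wait for the next cycle, follow the steps, open a support case), which would read better as a numbered list in the style the 10004 and 10005 rows already use.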
-| **10005:** Credentials provided on the appliance for the server are invalid. | The credentials provided on the appliance are not valid. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | 1. Ensure that the credentials provided on the appliance are valid and the server is accessible using the credentials.<br/> 2. You can now add multiple server credentials on the appliance.<br/> 3. Go back to the appliance configuration manager to either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes).|
+| **10005:** Credentials provided on the appliance for the server are invalid. | The credentials provided on the appliance are not valid. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | 1. Ensure that the credentials provided on the appliance are valid and the server is accessible using the credentials.<br/> 2. You can now add multiple server credentials on the appliance.<br/> 3. Go back to the appliance configuration manager to either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes). <br/><br/> [Learn more](troubleshoot-discovery.md#error-10005-guestcredentialnotvalid) on how to remediate the issue.|
| **10006:** Operation system type running on the server is not supported. | Operating system running on the server is neither Windows nor Linux. | Only Windows and Linux OS types are supported. \<GuestOSName> operating system is not supported currently. | | **10007:** Unable to process the discovered metadata from the server. | An error ocuured when parsing the contents of the file containing the discovered metadata. | Please submit a Microsoft support case to help troubleshoot this issue. | | **10008:** Unable to create the file required to contain the discovered metadata on the server. | The role associated to the credentials provided on the appliance or a group policy on-premises is restricting the creation of file in the required folder. The issue was encountered when trying the following credentials on the server: <FriendlyNameOfCredentials>. | 1. Check if the credentials provided on the appliance has create file permission on the folder \<folder path/folder name> in the server.<br/> 2. If the credentials provided on the appliance do not have the required permissions, either provide another set of credentials or edit an existing one. (find the friendly name of the credentials tried by Azure Migrate in the possible causes) | | **10009:** Unable to write the discovered metadata in the file on the server. | The role associated to the credentials provided on the appliance or a group policy on-premises is restricting writing in the file on the server. The issue was encountered when trying the following credentials on the server: \<FriendlyNameOfCredentials>. | 1. Check if the credentials provided on the appliance has write file permission on the folder <folder path/folder name> in the server.<br/> 2. If the credentials provided on the appliance do not have the required permissions, either provide another set of credentials or edit an existing one. 
(find the friendly name of the credentials tried by Azure Migrate in the possible causes) | | **10010:** Unable to discover as the command- %CommandName; required to collect some metadata is missing on the server. | The package containing the command %CommandName; is not installed on the server. | Ensure that the package containing the command %CommandName; is installed on the server. | | **10011:** The credentials provided on the appliance were used to log in and log off for an interactive session. | The interactive log in and log off forces the registry keys to be unloaded in the profile of the account, being used.This condition makes the keys unavailable for future use. | Use the resolution methods documented [here](https://go.microsoft.com/fwlink/?linkid=2132821) |
-| **10012:** Credentials have not been provided on the appliance for the server. | Either no credentials have been provided for the server or you have provided domain credentials with incorrect domain name on the appliance.| 1. Ensure that the credentials are provided on the appliance for the server and the server is accessible using the credentials. <br/> 2. You can now add multiple credentials on the appliance for servers.Go back to the appliance configuration manager to provide credentials for the server.|
+| **10012:** Credentials have not been provided on the appliance for the server. | Either no credentials have been provided for the server or you have provided domain credentials with incorrect domain name on the appliance.[Learn more](troubleshoot-discovery.md#error-10012-credentialnotprovided) about the cause of this error. | 1. Ensure that the credentials are provided on the appliance for the server and the server is accessible using the credentials. <br/> 2. You can now add multiple credentials on the appliance for servers.Go back to the appliance configuration manager to provide credentials for the server.|
## Error 9014: HTTPGetRequestToRetrieveFileFailed
The error usually comes for servers running Windows Server 2008 or lower.
### Remediation You need to install the required PowerShell version (2.0 or later) at this location on the server: ($SYSTEMROOT)\System32\WindowsPowershell\v1.0\powershell.exe. [Learn more](https://docs.microsoft.com/powershell/scripting/windows-powershell/install/installing-windows-powershell) on how to install PowerShell in Windows Server.
-After installing the required PowerShell version, you can verify if the error was resolved by following steps below under "Mitigation verification using VMware PowerCLI".
+After installing the required PowerShell version, you can verify if the error was resolved by following steps [here](troubleshoot-discovery.md#mitigation-verification-using-vmware-powercli).
## Error 9022: GetWMIObjectAccessDenied
Make sure that the user account provided in the appliance has access to WMI Name
11. Ensure you grant execute permissions and select "This namespace and subnamespaces" in the 'Applies to:' drop-down. 12. Select 'Apply' button to save the settings and close all dialog boxes.
-After getting the required access, you can verify if the error was resolved by following steps below under "Mitigation verification using VMware PowerCLI".
+After getting the required access, you can verify if the error was resolved by following steps [here](troubleshoot-discovery.md#mitigation-verification-using-vmware-powercli).
## Error 9032: InvalidRequest
There can be multiple reasons for this issue, one of the reason is when the user
### Remediation - Make sure the username of the server credentials does not have invalid XML characters and is in username@domain.com format popularly known as UPN format.-- After editing the credentials on the appliance, you can verify if the error was resolved by following steps below under "Mitigation verification using VMware PowerCLI".
+- After editing the credentials on the appliance, you can verify if the error was resolved by following steps [here](troubleshoot-discovery.md#mitigation-verification-using-vmware-powercli).
## Error 10002: ScriptExecutionTimedOutOnVm
There can be multiple reasons for this issue, one of the reason is when the user
- Ensure that you are able to login into the impacted server using the same credential provided in the appliance. - You can try using another user account (for the same domain, in case server is domain-joined) for that server instead of Administrator account . - The issue can happen when Global Catalog <-> Domain Controller communication is broken. You can check this by creating a new user account in the domain controller and providing the same in the appliance. This might also require restarting the Domain controller.-- After taking the remediation steps, you can verify if the error was resolved by following steps below under "Mitigation verification using VMware PowerCLI".
+- After taking the remediation steps, you can verify if the error was resolved by following steps [here](troubleshoot-discovery.md#mitigation-verification-using-vmware-powercli).
## Error 10012: CredentialNotProvided
This error occurs when you have provided a domain credential with a wrong domain
### Remediation - Go to appliance configuration manager to add a server credential or edit an existing one as explained in the cause.-- After taking the remediation steps, you can verify if the error was resolved by following steps below under "Mitigation verification using VMware PowerCLI".
+- After taking the remediation steps, you can verify if the error was resolved by following steps [here](troubleshoot-discovery.md#mitigation-verification-using-vmware-powercli).
## Mitigation verification using VMware PowerCLI After using the mitigation steps on the errors listed above, you can verify if the mitigation worked by running few PowerCLI commands from the appliance server. If the commands succeed, it means that the issue is now resolved else you need to check and follow the remediation steps again.
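Review bot: The added line in the 10012 remediation, like the matching additions under errors 9014, 9022, 9032 and 10002, links the bare word "here" to `troubleshoot-discovery.md#mitigation-verification-using-vmware-powercli`, so the reader no longer sees which section the link leads to. Using the section title "Mitigation verification using VMware PowerCLI" as the link text would keep the information the removed sentences carried and make the five links distinguishable from the other "here" links in the file.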
migrate Tutorial App Containerization Aspnet App Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-app-containerization-aspnet-app-service.md
+
+ Title: Azure App Containerization ASP.NET; Containerization and migration of ASP.NET applications to Azure App Service.
+description: Tutorial:Containerize & migrate ASP.NET applications to Azure App Service.
++++ Last updated : 07/02/2021++
+# ASP.NET app containerization and migration to Azure App Service
+
+In this article, you'll learn how to containerize ASP.NET applications and migrate them to [Azure App Service](https://azure.microsoft.com/services/app-service/) using the Azure Migrate: App Containerization tool. The containerization process doesnΓÇÖt require access to your codebase and provides an easy way to containerize existing applications. The tool works by using the running state of the applications on a server to determine the application components and helps you package them in a container image. The containerized application can then be deployed on Azure App Service.
+
+The Azure Migrate: App Containerization tool currently supports -
+
+- Containerizing ASP.NET apps and deploying them on Windows containers on App Service.
+- Containerizing ASP.NET apps and deploying them on Windows containers on Azure Kubernetes Service. [Learn more](./tutorial-app-containerization-aspnet-kubernetes.md)
+- Containerizing Java Web Apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on AKS. [Learn more](./tutorial-app-containerization-java-kubernetes.md)
+- Containerizing Java Web Apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on App Service. [Learn more](./tutorial-app-containerization-java-app-service.md)
+
+The Azure Migrate: App Containerization tool helps you to -
+
+- **Discover your application**: The tool remotely connects to the application servers running your ASP.NET application and discovers the application components. The tool creates a Dockerfile that can be used to create a container image for the application.
+- **Build the container image**: You can inspect and further customize the Dockerfile as per your application requirements and use that to build your application container image. The application container image is pushed to an Azure Container Registry you specify.
+- **Deploy to Azure App Service**: The tool then generates the deployment files needed to deploy the containerized application to Azure App Service.
+
+> [!NOTE]
+> The Azure Migrate: App Containerization tool helps you discover specific application types (ASP.NET and Java web apps on Apache Tomcat) and their components on an application server. To discover servers and the inventory of apps, roles, and features running on on-premises machines, use Azure Migrate: Discovery and assessment capability. [Learn more](./tutorial-discover-vmware.md)
+
+While all applications won't benefit from a straight shift to containers without significant rearchitecting, some of the benefits of moving existing apps to containers without rewriting include:
+
+- **Improved infrastructure utilization:** With containers, multiple applications can share resources and be hosted on the same infrastructure. This can help you consolidate infrastructure and improve utilization.
+- **Simplified management:** By hosting your applications on modern managed platform like AKS and App Service, you can simplify your management practices. You can achieve this by retiring or reducing the infrastructure maintenance and management processes that you'd traditionally perform with owned infrastructure.
+- **Application portability:** With increased adoption and standardization of container specification formats and platforms, application portability is no longer a concern.
+- **Adopt modern management with DevOps:** Helps you adopt and standardize on modern practices for management and security and transition to DevOps.
++
+In this tutorial, you'll learn how to:
+
+> [!div class="checklist"]
+> * Set up an Azure account.
+> * Install the Azure Migrate: App Containerization tool.
+> * Discover your ASP.NET application.
+> * Build the container image.
+> * Deploy the containerized application on App Service.
+
+> [!NOTE]
+> Tutorials show you the simplest deployment path for a scenario so that you can quickly set up a proof-of-concept. Tutorials use default options where possible, and don't show all possible settings and paths.
+
+## Prerequisites
+
+Before you begin this tutorial, you should:
+
+**Requirement** | **Details**
+ |
+**Identify a machine to install the tool** | A Windows machine to install and run the Azure Migrate: App Containerization tool. The Windows machine could be a server (Windows Server 2016 or later) or client (Windows 10) operating system, meaning that the tool can run on your desktop as well. <br/><br/> The Windows machine running the tool should have network connectivity to the servers/virtual machines hosting the ASP.NET applications to be containerized.<br/><br/> Ensure that 6-GB space is available on the Windows machine running the Azure Migrate: App Containerization tool for storing application artifacts. <br/><br/> The Windows machine should have internet access, directly or via a proxy. <br/> <br/>Install the Microsoft Web Deploy tool on the machine running the App Containerization helper tool and application server if not already installed. You can download the tool from [here](https://aka.ms/webdeploy3.6)
+**Application servers** | Enable PowerShell remoting on the application servers: Log in to the application server and Follow [these](/powershell/module/microsoft.powershell.core/enable-psremoting) instructions to turn on PowerShell remoting. <br/><br/> If the application server is running Window Server 2008 R2, ensure that PowerShell 5.1 is installed on the application server. Follow the instruction [here](/powershell/scripting/windows-powershell/wmf/setup/install-configure) to download and install PowerShell 5.1 on the application server. <br/><br/> Install the Microsoft Web Deploy tool on the machine running the App Containerization helper tool and application server if not already installed. You can download the tool from [here](https://aka.ms/webdeploy3.6)
+**ASP.NET application** | The tool currently supports <br/><br/> - ASP.NET applications using Microsoft .NET framework 3.5 or later.<br/> - Application servers running Windows Server 2008 R2 or later (application servers should be running PowerShell version 5.1). <br/> - Applications running on Internet Information Services (IIS) 7.5 or later. <br/><br/> The tool currently doesn't support <br/><br/> - Applications requiring Windows authentication (AKS doesnΓÇÖt support gMSA currently). <br/> - Applications that depend on other Windows services hosted outside IIS.
++
+## Prepare an Azure user account
+
+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/free-trial/) before you begin.
+
+Once your subscription is set up, you'll need an Azure user account with:
+- Owner permissions on the Azure subscription
+- Permissions to register Azure Active Directory apps
+
+If you just created a free Azure account, you're the owner of your subscription. If you're not the subscription owner, work with the owner to assign the permissions as follows:
+
+1. In the Azure portal, search for "subscriptions", and under **Services**, select **Subscriptions**.
+
+ ![Search box to search for the Azure subscription.](./media/tutorial-discover-vmware/search-subscription.png)
+
+2. In the **Subscriptions** page, select the subscription in which you want to create an Azure Migrate project.
+3. In the subscription, select **Access control (IAM)** > **Check access**.
+4. In **Check access**, search for the relevant user account.
+5. In **Add a role assignment**, click **Add**.
+
+ ![Search for a user account to check access and assign a role.](./media/tutorial-discover-vmware/azure-account-access.png)
+
+6. In **Add role assignment**, select the Owner role, and select the account (azmigrateuser in our example). Then click **Save**.
+
+ ![Opens the Add Role assignment page to assign a role to the account.](./media/tutorial-discover-vmware/assign-role.png)
+
+7. Your Azure account also needs **permissions to register Azure Active Directory apps.**
+8. In Azure portal, navigate to **Azure Active Directory** > **Users** > **User Settings**.
+9. In **User settings**, verify that Azure AD users can register applications (set to **Yes** by default).
+
+ ![Verify in User Settings that users can register Active Directory apps.](./media/tutorial-discover-vmware/register-apps.png)
+
+10. In case the *App registrations* settings is set to *No*, request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the **Application Developer** role to an account to allow the registration of Azure Active Directory App. [Learn more](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).
+
+## Download and install Azure Migrate: App Containerization tool
+
+1. [Download](https://go.microsoft.com/fwlink/?linkid=2134571) the Azure Migrate: App Containerization installer on a Windows machine.
+2. Launch PowerShell in administrator mode and change the PowerShell directory to the folder containing the installer.
+3. Run the installation script using the command
+
+ ```powershell
+ .\AppContainerizationInstaller.ps1
+ ```
+
+## Launch the App Containerization tool
+
+1. Open a browser on any machine that can connect to the Windows machine running the App Containerization tool, and open the tool URL: **https://*machine name or IP address*: 44369**.
+
+ Alternately, you can open the app from the desktop by selecting the app shortcut.
+
+2. If you see a warning stating that says your connection isnΓÇÖt private, click Advanced and choose to proceed to the website. This warning appears as the web interface uses a self-signed TLS/SSL certificate.
+3. At the sign in screen, use the local administrator account on the machine to sign in.
+4. Select **ASP.NET web apps** as the type of application you want to containerize.
+5. To specify target Azure service, select **Containers on Azure App Service**.
+![Default load-up for App Containerization tool.](./media/tutorial-containerize-apps-aks/tool-home.png)
+
+### Complete tool pre-requisites
+1. Accept the **license terms**, and read the third-party information.
+6. In the tool web app > **Set up prerequisites**, do the following steps:
+ - **Connectivity**: The tool checks that the Windows machine has internet access. If the machine uses a proxy:
+ - Click on **Set up proxy** to specify the proxy address (in the form IP address or FQDN) and listening port.
+ - Specify credentials if the proxy needs authentication.
+ - Only HTTP proxy is supported.
+ - If you've added proxy details or disabled the proxy and/or authentication, click on **Save** to trigger connectivity check again.
+ - **Install updates**: The tool will automatically check for latest updates and install them. You can also manually install the latest version of the tool from [here](https://go.microsoft.com/fwlink/?linkid=2134571).
+ - **Install Microsoft Web Deploy tool**: The tool will check that the Microsoft Web Deploy tool is installed on the Windows machine running the Azure Migrate: App Containerization tool.
+ - **Enable PowerShell remoting**: The tool will inform you to ensure that PowerShell remoting is enabled on the application servers running the ASP.NET applications to be containerized.
++
+## Sign in to Azure
+
+Click **Sign in** to log in to your Azure account.
+
+1. You'll need a device code to authenticate with Azure. Clicking on sign in will open a modal with the device code.
+2. Click on **Copy code & sign in** to copy the device code and open an Azure sign in prompt in a new browser tab. If it doesn't appear, make sure you've disabled the pop-up blocker in the browser.
+
+ ![Modal showing device code.](./media/tutorial-containerize-apps-aks/login-modal.png)
+
+3. On the new tab, paste the device code and complete sign in using your Azure account credentials. You can close the browser tab after sign in is complete and return to the App Containerization tool's web interface.
+4. Select the **Azure tenant** that you want to use.
+5. Specify the **Azure subscription** that you want to use.
+
+## Discover ASP.NET applications
+
+The App Containerization helper tool connects remotely to the application servers using the provided credentials and attempts to discover ASP.NET applications hosted on the application servers.
+
+1. Specify the **IP address/FQDN and the credentials** of the server running the ASP.NET application that should be used to remotely connect to the server for application discovery.
+ - The credentials provided must be for a local administrator (Windows) on the application server.
+ - For domain accounts (the user must be an administrator on the application server), prefix the username with the domain name in the format *<domain\username>*.
+ - You can run application discovery for upto five servers at a time.
+
+2. Click **Validate** to verify that the application server is reachable from the machine running the tool and that the credentials are valid. Upon successful validation, the status column will show the status as **Mapped**.
+
+ ![Screenshot for server IP and credentials.](./media/tutorial-containerize-apps-aks/discovery-credentials-asp.png)
+
+3. Click **Continue** to start application discovery on the selected application servers.
+
+4. Upon successful completion of application discovery, you can select the list of applications to containerize.
+
+ ![Screenshot for discovered ASP.NET application.](./media/tutorial-containerize-apps-aks/discovered-app-asp.png)
++
+4. Use the checkbox to select the applications to containerize.
+5. **Specify container name**: Specify a name for the target container for each selected application. The container name should be specified as <*name:tag*> where the tag is used for container image. For example, you can specify the target container name as *appname:v1*.
+
+### Parameterize application configurations
+Parameterizing the configuration makes it available as a deployment time parameter. This allows you to configure this setting while deploying the application as opposed to having it hard-coded to a specific value in the container image. For example, this option is useful for parameters like database connection strings.
+1. Click **app configurations** to review detected configurations.
+2. Select the checkbox to parameterize the detected application configurations.
+3. Click **Apply** after selecting the configurations to parameterize.
+
+ ![Screenshot for app configuration parameterization ASP.NET application.](./media/tutorial-containerize-apps-aks/discovered-app-configs-asp.png)
+
+### Externalize file system dependencies
+
+ You can add other folders that your application uses. Specify if they should be part of the container image or are to be externalized to persistent storage through Azure file share. Using external persistent storage works great for stateful applications that store state outside the container or have other static content stored on the file system.
+
+1. Click **Edit** under App Folders to review the detected application folders. The detected application folders have been identified as mandatory artifacts needed by the application and will be copied into the container image.
+
+2. Click **Add folders** and specify the folder paths to be added.
+3. To add multiple folders to the same volume, provide comma (`,`) separated values.
+4. Select **Azure file share** as the storage option if you want the folders to be stored outside the container on persistent storage.
+5. Click **Save** after reviewing the application folders.
+ ![Screenshot for app volumes storage selection.](./media/tutorial-containerize-apps-aks/discovered-app-volumes-asp.png)
+
+6. Click **Continue** to proceed to the container image build phase.
+
+## Build container image
++
+1. **Select Azure Container Registry**: Use the dropdown to select an [Azure Container Registry](../container-registry/index.yml) that will be used to build and store the container images for the apps. You can use an existing Azure Container Registry or choose to create a new one using the Create new registry option.
+
+ ![Screenshot for app ACR selection.](./media/tutorial-containerize-apps-aks/build-aspnet-app.png)
+
+> [!NOTE]
+> Only Azure container registries with admin user enabled are displayed. The admin account is currently required for deploying an image from an Azure container registry to Azure App Service. [Learn more](/azure/container-registry/container-registry-authentication#admin-account)
+
+2. **Review the Dockerfile**: The Dockerfile needed to build the container images for each selected application are generated at the beginning of the build step. Click **Review** to review the Dockerfile. You can also add any necessary customizations to the Dockerfile in the review step and save the changes before starting the build process.
+
+3. **Trigger build process**: Select the applications to build images for and click **Build**. Clicking build will start the container image build for each application. The tool keeps monitoring the build status continuously and will let you proceed to the next step upon successful completion of the build.
+
+4. **Track build status**: You can also monitor progress of the build step by clicking the **Build in Progress** link under the status column. The link takes a couple of minutes to be active after you've triggered the build process.
+
+5. Once the build is completed, click **Continue** to specify deployment settings.
+
+ ![Screenshot for app container image build completion.](./media/tutorial-containerize-apps-aks/build-aspnet-app-completed.png)
+
+## Deploy the containerized app on Azure App Service
+
+Once the container image is built, the next step is to deploy the application as a container on [Azure App Service](https://azure.microsoft.com/services/app-service/).
+
+1. **Select the Azure App Service plan**: Specify the Azure App Service plan that the application should use.
+
+ - If you donΓÇÖt have an App Service plan or would like to create a new App Service plan to use, you can choose to create on from the tool by clicking **Create new App Service plan**.
+ - Click **Continue** after selecting the App Service plan.
+
+2. **Specify secret store**: If you had opted to parameterize application configurations, then specify the secret store to be used for the application. You can choose Azure Key Vault or App Service application settings for managing your application secrets. [Learn more](/azure/app-service/configure-common#configure-connection-strings)
+
+ - If you've selected App Service application settings for managing secrets, then click **Continue**.
+ - If you'd like to use an Azure Key Vault for managing your application secrets, then specify the Azure Key Vault that you'd want to use.
+ - If you donΓÇÖt have an Azure Key Vault or would like to create a new Key Vault, you can choose to create on from the tool by clicking **Create new Azure Key Vault**.
+ - The tool will automatically assign the necessary permissions for managing secrets through the Key Vault.
+
+3. **Specify Azure file share**: If you had added more directories/folders and selected the Azure file share option for persistent storage, then specify the Azure file share to be used by Azure Migrate: App Containerization tool during the deployment process. The tool will copy over the application directories/folders that are configured for Azure file storage and mount them on the application container during deployment.ΓÇ»
+
+ - If you don't have an Azure file share or would like to create a new Azure file share, you can choose to create on from the tool by clicking **Create new Storage Account and file share**.
+
+4. **Application deployment configuration**: Once you've completed the steps above, you'll need to specify the deployment configuration for the application. Click **Configure** to customize the deployment for the application. In the configure step you can provide the following customizations:
+ - **Name**: Specify a unique app name for the application. This name will be used to generate the application URL and used as a prefix for other resources being created as part of this deployment.
+ - **Application configuration**: For any application configurations that were parameterized, provide the values to use for the current deployment.
+ - **Storage configuration**: Review the information for any application directories/folders that were configured for persistent storage.
+
+ ![Screenshot for deployment app configuration.](./media/tutorial-containerize-apps-aks/deploy-aspnet-app-config.png)
+
+5. **Deploy the application**: Once the deployment configuration for the application is saved, the tool will generate the Kubernetes deployment YAML for the application.
+ - Click **Review** to review the deployment configuration for the applications.
+ - Select the application to deploy.
+ - Click **Deploy** to start deployments for the selected applications
+
+ ![Screenshot for app deployment configuration.](./media/tutorial-containerize-apps-aks/deploy-java-app-deploy.png)
+
+ - Once the application is deployed, you can click the *Deployment status* column to track the resources that were deployed for the application.
++
+## Troubleshoot issues
+
+To troubleshoot any issues with the tool, you can look at the log files on the Windows machine running the App Containerization tool. Tool log files are located at *C:\ProgramData\Microsoft Azure Migrate App Containerization\Logs* folder.
+
+## Next steps
+
+- Containerizing ASP.NET web apps and deploying them on Windows containers on AKS. [Learn more](./tutorial-app-containerization-aspnet-kubernetes.md)
+- Containerizing Java web apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on AKS. [Learn more](./tutorial-app-containerization-java-kubernetes.md)
+- Containerizing Java web apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on App Service. [Learn more](./tutorial-app-containerization-java-app-service.md)
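Review bot: Step 5 (**Deploy the application**) says the tool will generate the Kubernetes deployment YAML, but step 4 of the same list describes an app name that is used to generate the application URL, and Next steps links to the AKS tutorials as separate articles; confirm this sentence describes what the tool actually produces for this article's deployment target. The screenshot in step 5 points at deploy-java-app-deploy.png while the step 4 screenshot is deploy-aspnet-app-config.png, so check that the image matches the app type. In the Azure file share bullet, "create on from the tool" should be "create one from the tool", and the **Deploy** bullet is missing its closing period.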
migrate Tutorial App Containerization Aspnet Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-app-containerization-aspnet-kubernetes.md
Previously updated : 3/2/2021 Last updated : 6/30/2021 # ASP.NET app containerization and migration to Azure Kubernetes Service
In this article, you'll learn how to containerize ASP.NET applications and migra
The Azure Migrate: App Containerization tool currently supports - -- Containerizing ASP.NET apps and deploying them on Windows containers on AKS.-- Containerizing Java Web Apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on AKS. [Learn more](./tutorial-containerize-java-kubernetes.md)-
+- Containerizing ASP.NET apps and deploying them on Windows containers on Azure Kubernetes Service.
+- Containerizing ASP.NET apps and deploying them on Windows containers on Azure App Service. [Learn more](./tutorial-app-containerization-aspnet-app-service.md)
+- Containerizing Java Web Apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on AKS. [Learn more](./tutorial-app-containerization-java-kubernetes.md)
+- Containerizing Java Web Apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on App Service. [Learn more](./tutorial-app-containerization-java-app-service.md)
The Azure Migrate: App Containerization tool helps you to -
The Azure Migrate: App Containerization tool helps you to -
While all applications won't benefit from a straight shift to containers without significant rearchitecting, some of the benefits of moving existing apps to containers without rewriting include: - **Improved infrastructure utilization:** With containers, multiple applications can share resources and be hosted on the same infrastructure. This can help you consolidate infrastructure and improve utilization.-- **Simplified management:** By hosting your applications on a modern managed infrastructure platform like AKS, you can simplify your management practices while still retaining control over your infrastructure. You can achieve this by retiring or reducing the infrastructure maintenance and management processes that you'd traditionally perform with owned infrastructure.-- **Application portability:** With increased adoption and standardization of container specification formats and orchestration platforms, application portability is no longer a concern.-- **Adopt modern management with DevOps:** Helps you adopt and standardize on modern practices for management and security with Infrastructure as Code and transition to DevOps.
+- **Simplified management:** By hosting your applications on a modern managed platform like AKS and App Service, you can simplify your management practices. You can achieve this by retiring or reducing the infrastructure maintenance and management processes that you'd traditionally perform with owned infrastructure.
+- **Application portability:** With increased adoption and standardization of container specification formats and platforms, application portability is no longer a concern.
+- **Adopt modern management with DevOps:** Helps you adopt and standardize on modern practices for management and security and transition to DevOps.
In this tutorial, you'll learn how to:
Before you begin this tutorial, you should:
**Requirement** | **Details** | **Identify a machine to install the tool** | A Windows machine to install and run the Azure Migrate: App Containerization tool. The Windows machine could be a server (Windows Server 2016 or later) or client (Windows 10) operating system, meaning that the tool can run on your desktop as well. <br/><br/> The Windows machine running the tool should have network connectivity to the servers/virtual machines hosting the ASP.NET applications to be containerized.<br/><br/> Ensure that 6-GB space is available on the Windows machine running the Azure Migrate: App Containerization tool for storing application artifacts. <br/><br/> The Windows machine should have internet access, directly or via a proxy. <br/> <br/>Install the Microsoft Web Deploy tool on the machine running the App Containerization helper tool and application server if not already installed. You can download the tool from [here](https://aka.ms/webdeploy3.6)
-**Application servers** | Enable PowerShell remoting on the application servers: Login to the application server and Follow [these](/powershell/module/microsoft.powershell.core/enable-psremoting) instructions to turn on PowerShell remoting. <br/><br/> If the application server is running Window Server 2008 R2, ensure that PowerShell 5.1 is installed on the application server. Follow the instruction [here](/powershell/scripting/windows-powershell/wmf/setup/install-configure) to download and install PowerShell 5.1 on the application server. <br/><br/> Install the Microsoft Web Deploy tool on the machine running the App Containerization helper tool and application server if not already installed. You can download the tool from [here](https://aka.ms/webdeploy3.6)
+**Application servers** | Enable PowerShell remoting on the application servers: Log in to the application server and Follow [these](/powershell/module/microsoft.powershell.core/enable-psremoting) instructions to turn on PowerShell remoting. <br/><br/> If the application server is running Window Server 2008 R2, ensure that PowerShell 5.1 is installed on the application server. Follow the instruction [here](/powershell/scripting/windows-powershell/wmf/setup/install-configure) to download and install PowerShell 5.1 on the application server. <br/><br/> Install the Microsoft Web Deploy tool on the machine running the App Containerization helper tool and application server if not already installed. You can download the tool from [here](https://aka.ms/webdeploy3.6)
**ASP.NET application** | The tool currently supports <br/><br/> - ASP.NET applications using Microsoft .NET framework 3.5 or later.<br/> - Application servers running Windows Server 2008 R2 or later (application servers should be running PowerShell version 5.1). <br/> - Applications running on Internet Information Services (IIS) 7.5 or later. <br/><br/> The tool currently doesn't support <br/><br/> - Applications requiring Windows authentication (AKS doesnΓÇÖt support gMSA currently). <br/> - Applications that depend on other Windows services hosted outside IIS.
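Review bot: The replacement **Application servers** row fixes "Login" but still reads "Log in to the application server and Follow" (stray capital) and "Window Server 2008 R2" (should be "Windows Server 2008 R2"); fix both in the same change. Since this row asks readers to turn on PowerShell remoting on every application server, consider stating which machine needs to reach the remoting endpoint so readers can limit access to it.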
If you just created a free Azure account, you're the owner of your subscription.
10. In case the 'App registrations' settings is set to 'No', request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the **Application Developer** role to an account to allow the registration of Azure Active Directory App. [Learn more](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md). - ## Download and install Azure Migrate: App Containerization tool 1. [Download](https://go.microsoft.com/fwlink/?linkid=2134571) the Azure Migrate: App Containerization installer on a Windows machine.
If you just created a free Azure account, you're the owner of your subscription.
Alternately, you can open the app from the desktop by selecting the app shortcut. 2. If you see a warning stating that says your connection isnΓÇÖt private, click Advanced and choose to proceed to the website. This warning appears as the web interface uses a self-signed TLS/SSL certificate.
-3. At the sign-in screen, use the local administrator account on the machine to sign-in.
-4. For specify application type, select **ASP.NET web apps** as the type of application you want to containerize.
+3. At the sign in screen, use the local administrator account on the machine to sign in.
+4. Select **ASP.NET web apps** as the type of application you want to containerize.
+5. To specify target Azure service, select **Containers on Azure Kubernetes Service**.
![Default load-up for App Containerization tool.](./media/tutorial-containerize-apps-aks/tool-home.png) - ### Complete tool pre-requisites 1. Accept the **license terms**, and read the third-party information. 6. In the tool web app > **Set up prerequisites**, do the following steps:
If you just created a free Azure account, you're the owner of your subscription.
- **Enable PowerShell remoting**: The tool will inform you to ensure that PowerShell remoting is enabled on the application servers running the ASP.NET applications to be containerized.
-## Log in to Azure
+## Sign in to Azure
-Click **Login** to log in to your Azure account.
+Click **Sign in** to log in to your Azure account.
-1. You'll need a device code to authenticate with Azure. Clicking on Login will open a modal with the device code.
-2. Click on **Copy code & Login** to copy the device code and open an Azure Login prompt in a new browser tab. If it doesn't appear, make sure you've disabled the pop-up blocker in the browser.
+1. You'll need a device code to authenticate with Azure. Clicking on sign in will open a modal with the device code.
+2. Click on **Copy code & sign in** to copy the device code and open an Azure sign in prompt in a new browser tab. If it doesn't appear, make sure you've disabled the pop-up blocker in the browser.
![Modal showing device code.](./media/tutorial-containerize-apps-aks/login-modal.png)
-3. On the new tab, paste the device code and complete log in using your Azure account credentials. You can close the browser tab after log in is complete and return to the App Containerization tool's web interface.
+3. On the new tab, paste the device code and complete sign in using your Azure account credentials. You can close the browser tab after sign in is complete and return to the App Containerization tool's web interface.
4. Select the **Azure tenant** that you want to use. 5. Specify the **Azure subscription** that you want to use.
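Review bot: The renamed line "Click **Sign in** to log in to your Azure account" mixes both terms, and steps 1 and 2 write the label as lowercase "sign in" and "**Copy code & sign in**" while the heading uses "Sign in"; settle on the casing that matches the UI and use "sign in" as the verb throughout.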
The App Containerization helper tool connects remotely to the application server
2. Click **Validate** to verify that the application server is reachable from the machine running the tool and that the credentials are valid. Upon successful validation, the status column will show the status as **Mapped**.
- ![Screenshot for server IP and credentials.](./media/tutorial-containerize-apps-aks/discovery-credentials.png)
+ ![Screenshot for server IP and credentials.](./media/tutorial-containerize-apps-aks/discovery-credentials-asp.png)
3. Click **Continue** to start application discovery on the selected application servers. 4. Upon successful completion of application discovery, you can select the list of applications to containerize.
- ![Screenshot for discovered ASP.NET application.](./media/tutorial-containerize-apps-aks/discovered-app.png)
+ ![Screenshot for discovered ASP.NET application.](./media/tutorial-containerize-apps-aks/discovered-app-asp.png)
4. Use the checkbox to select the applications to containerize.
Parameterizing the configuration makes it available as a deployment time paramet
2. Select the checkbox to parameterize the detected application configurations. 3. Click **Apply** after selecting the configurations to parameterize.
- ![Screenshot for app configuration parameterization ASP.NET application.](./media/tutorial-containerize-apps-aks/discovered-app-configs.png)
+ ![Screenshot for app configuration parameterization ASP.NET application.](./media/tutorial-containerize-apps-aks/discovered-app-configs-asp.png)
### Externalize file system dependencies
Parameterizing the configuration makes it available as a deployment time paramet
3. To add multiple folders to the same volume, provide comma (`,`) separated values. 4. Select **Persistent Volume** as the storage option if you want the folders to be stored outside the container on a Persistent Volume. 5. Click **Save** after reviewing the application folders.
- ![Screenshot for app volumes storage selection.](./media/tutorial-containerize-apps-aks/discovered-app-volumes.png)
+ ![Screenshot for app volumes storage selection.](./media/tutorial-containerize-apps-aks/discovered-app-volumes-asp.png)
6. Click **Continue** to proceed to the container image build phase.
Once the container image is built, the next step is to deploy the application as
- If you donΓÇÖt have an AKS cluster or would like to create a new AKS cluster to deploy the application to, you can choose to create on from the tool by clicking **Create new AKS cluster**. - The AKS cluster created using the tool will be created with a Windows node pool. The cluster will be configured to allow it to pull images from the Azure Container Registry that was created earlier (if create new registry option was chosen). - Click **Continue** after selecting the AKS cluster.
+2. **Specify secret store**: If you had opted to parameterize application configurations, then specify the secret store to be used for the application. You can choose Azure Key Vault or App Service application settings for managing your application secrets. [Learn more](/azure/app-service/configure-common#configure-connection-strings)
+
+ - If you've selected App Service application settings for managing secrets, then click **Continue**.
+ - If you'd like to use an Azure Key Vault for managing your application secrets, then specify the Azure Key Vault that you'd want to use.
+ - If you donΓÇÖt have an Azure Key Vault or would like to create a new Key Vault, you can choose to create on from the tool by clicking **Create new Azure Key Vault**.
+ - The tool will automatically assign the necessary permissions for managing secrets through the Key Vault.
-2. **Specify Azure file share**: If you had added more folders and selected the Persistent Volume option, then specify the Azure file share that should be used by Azure Migrate: App Containerization tool during the deployment process. The tool will create new directories in this Azure file share to copy over the application folders that are configured for Persistent Volume storage. Once the application deployment is complete, the tool will clean up the Azure file share by deleting the directories it had created.
+3. **Specify Azure file share**: If you had added more folders and selected the Persistent Volume option, then specify the Azure file share that should be used by Azure Migrate: App Containerization tool during the deployment process. The tool will create new directories in this Azure file share to copy over the application folders that are configured for Persistent Volume storage. Once the application deployment is complete, the tool will clean up the Azure file share by deleting the directories it had created.
- If you don't have an Azure file share or would like to create a new Azure file share, you can choose to create on from the tool by clicking **Create new Storage Account and file share**.
-3. **Application deployment configuration**: Once you've completed the steps above, you'll need to specify the deployment configuration for the application. Click **Configure** to customize the deployment for the application. In the configure step you can provide the following customizations:
+4. **Application deployment configuration**: Once you've completed the steps above, you'll need to specify the deployment configuration for the application. Click **Configure** to customize the deployment for the application. In the configure step you can provide the following customizations:
- **Prefix string**: Specify a prefix string to use in the name for all resources that are created for the containerized application in the AKS cluster. - **SSL certificate**: If your application requires an https site binding, specify the PFX file that contains the certificate to be used for the binding. The PFX file shouldn't be password protected and the original site shouldn't have multiple bindings. - **Replica Sets**: Specify the number of application instances (pods) that should run inside the containers.
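Review bot: The new step 2 (**Specify secret store**) offers "Azure Key Vault or App Service application settings" and links to /azure/app-service/configure-common, but the surrounding steps in this hunk select an AKS cluster and a Persistent Volume, so the App Service option and its **Continue** bullet look carried over from the App Service tutorial; say what the non-Key Vault option is for an AKS deployment or remove it. "The tool will automatically assign the necessary permissions" should name which identity receives access and which secret permissions are granted, so readers can review the Key Vault access afterwards. "create on from the tool" should be "create one from the tool".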
Once the container image is built, the next step is to deploy the application as
- Click **Apply** to save the deployment configuration. - Click **Continue** to deploy the application.
- ![Screenshot for deployment app configuration.](./media/tutorial-containerize-apps-aks/deploy-aspnet-app-config.png)
+ ![Screenshot for deployment app configuration.](./media/tutorial-containerize-apps-aks/deploy-aspnet-app-config-aks.png)
4. **Deploy the application**: Once the deployment configuration for the application is saved, the tool will generate the Kubernetes deployment YAML for the application.
- - Click **Edit** to review and customize the Kubernetes deployment YAML for the applications.
+ - Click **Review** to review and customize the Kubernetes deployment YAML for the applications.
- Select the application to deploy. - Click **Deploy** to start deployments for the selected applications
- ![Screenshot for app deployment configuration.](./media/tutorial-containerize-apps-aks/deploy-aspnet-app-deploy.png)
+ ![Screenshot for app deployment configuration.](./media/tutorial-containerize-apps-aks/deploy-aspnet-app-deploy-aks.png)
- Once the application is deployed, you can click the *Deployment status* column to track the resources that were deployed for the application.
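Review bot: **Deploy the application** is still numbered 4 in the unchanged context, but the previous hunk renumbered **Application deployment configuration** from 3 to 4, so the list now has two step 4s; renumber this step to 5. The button was renamed from **Edit** to **Review** while the sentence still says "review and customize the Kubernetes deployment YAML"; confirm the YAML remains editable from the **Review** view or drop "and customize".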
To troubleshoot any issues with the tool, you can look at the log files on the W
## Next steps -- Containerizing Java Web Apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on AKS. [Learn more](./tutorial-containerize-java-kubernetes.md)
+- Containerizing ASP.NET web apps and deploying them on Windows containers on App Service. [Learn more](./tutorial-app-containerization-aspnet-app-service.md)
+- Containerizing Java web apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on AKS. [Learn more](./tutorial-app-containerization-java-kubernetes.md)
+- Containerizing Java web apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on App Service. [Learn more](./tutorial-app-containerization-java-app-service.md)
migrate Tutorial App Containerization Java App Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-app-containerization-java-app-service.md
+
+ Title: Azure App Containerization Java; Containerization and migration of Java web applications to Azure App Service.
+description: Tutorial:Containerize & migrate Java web applications to Azure App Service.
++++ Last updated : 3/2/2021++
+# Java web app containerization and migration to Azure App Service
+
+In this article, you'll learn how to containerize Java web applications (running on Apache Tomcat) and migrate them to [Azure App Service](https://azure.microsoft.com/services/app-service/) using the Azure Migrate: App Containerization tool. The containerization process doesnΓÇÖt require access to your codebase and provides an easy way to containerize existing applications. The tool works by using the running state of the applications on a server to determine the application components and helps you package them in a container image. The containerized application can then be deployed on Azure App Service.
+
+The Azure Migrate: App Containerization tool currently supports -
+
+- Containerizing Java Web Apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on App Service.
+- Containerizing Java Web Apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on AKS. [Learn more](./tutorial-app-containerization-java-kubernetes.md)
+- Containerizing ASP.NET apps and deploying them on Windows containers on AKS. [Learn more](./tutorial-app-containerization-aspnet-kubernetes.md)
+- Containerizing ASP.NET apps and deploying them on Windows containers on App Service. [Learn more](./tutorial-app-containerization-aspnet-app-service.md)
++
+The Azure Migrate: App Containerization tool helps you to -
+
+- **Discover your application**: The tool remotely connects to the application servers running your Java web application (running on Apache Tomcat) and discovers the application components. The tool creates a Dockerfile that can be used to create a container image for the application.
+- **Build the container image**: You can inspect and further customize the Dockerfile as per your application requirements and use that to build your application container image. The application container image is pushed to an Azure Container Registry you specify.
+- **Deploy to Azure App Service**: The tool then generates the deployment files needed to deploy the containerized application to Azure App Service.
+
+> [!NOTE]
+> The Azure Migrate: App Containerization tool helps you discover specific application types (ASP.NET and Java web apps on Apache Tomcat) and their components on an application server. To discover servers and the inventory of apps, roles, and features running on on-premises machines, use Azure Migrate: Discovery and assessment capability. [Learn more](./tutorial-discover-vmware.md)
+
+While all applications won't benefit from a straight shift to containers without significant rearchitecting, some of the benefits of moving existing apps to containers without rewriting include:
+
+- **Improved infrastructure utilization:** With containers, multiple applications can share resources and be hosted on the same infrastructure. This can help you consolidate infrastructure and improve utilization.
+- **Simplified management:** By hosting your applications on a modern managed platform like AKS and App Service, you can simplify your management practices. You can achieve this by retiring or reducing the infrastructure maintenance and management processes that you'd traditionally perform with owned infrastructure.
+- **Application portability:** With increased adoption and standardization of container specification formats and platforms, application portability is no longer a concern.
+- **Adopt modern management with DevOps:** Helps you adopt and standardize on modern practices for management and security and transition to DevOps.
++
+In this tutorial, you'll learn how to:
+
+> [!div class="checklist"]
+> * Set up an Azure account.
+> * Install the Azure Migrate: App Containerization tool.
+> * Discover your Java web application.
+> * Build the container image.
+> * Deploy the containerized application on App Service.
+
+> [!NOTE]
+> Tutorials show you the simplest deployment path for a scenario so that you can quickly set up a proof-of-concept. Tutorials use default options where possible, and don't show all possible settings and paths.
+
+## Prerequisites
+
+Before you begin this tutorial, you should:
+
+**Requirement** | **Details**
+ |
+**Identify a machine to install the tool** | A Windows machine to install and run the Azure Migrate: App Containerization tool. The Windows machine could be a server (Windows Server 2016 or later) or client (Windows 10) operating system, meaning that the tool can run on your desktop as well. <br/><br/> The Windows machine running the tool should have network connectivity to the servers/virtual machines hosting the Java web applications to be containerized.<br/><br/> Ensure that 6-GB space is available on the Windows machine running the Azure Migrate: App Containerization tool for storing application artifacts. <br/><br/> The Windows machine should have internet access, directly or via a proxy.
+**Application servers** | - Enable Secure Shell (SSH) connection on port 22 on the server(s) running the Java application(s) to be containerized. <br/>
+**Java web application** | The tool currently supports <br/><br/> - Applications running on Tomcat 8 or later.<br/> - Application servers on Ubuntu Linux 16.04/18.04/20.04, Debian 7/8, CentOS 6/7, Red Hat Enterprise Linux 5/6/7. <br/> - Applications using Java version 7 or later. <br/><br/> The tool currently doesn't support <br/><br/> - Applications servers running multiple Tomcat instances <br/>
++
+## Prepare an Azure user account
+
+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/free-trial/) before you begin.
+
+Once your subscription is set up, you'll need an Azure user account with:
+- Owner permissions on the Azure subscription
+- Permissions to register Azure Active Directory apps
+
+If you just created a free Azure account, you're the owner of your subscription. If you're not the subscription owner, work with the owner to assign the permissions as follows:
+
+1. In the Azure portal, search for "subscriptions", and under **Services**, select **Subscriptions**.
+
+ ![Search box to search for the Azure subscription.](./media/tutorial-discover-vmware/search-subscription.png)
+
+2. In the **Subscriptions** page, select the subscription in which you want to create an Azure Migrate project.
+3. In the subscription, select **Access control (IAM)** > **Check access**.
+4. In **Check access**, search for the relevant user account.
+5. In **Add a role assignment**, click **Add**.
+
+ ![Search for a user account to check access and assign a role.](./media/tutorial-discover-vmware/azure-account-access.png)
+
+6. In **Add role assignment**, select the Owner role, and select the account (azmigrateuser in our example). Then click **Save**.
+
+ ![Opens the Add Role assignment page to assign a role to the account.](./media/tutorial-discover-vmware/assign-role.png)
+
+7. Your Azure account also needs **permissions to register Azure Active Directory apps.**
+8. In Azure portal, navigate to **Azure Active Directory** > **Users** > **User Settings**.
+9. In **User settings**, verify that Azure AD users can register applications (set to **Yes** by default).
+
+ ![Verify in User Settings that users can register Active Directory apps.](./media/tutorial-discover-vmware/register-apps.png)
+
+10. In case the 'App registrations' settings is set to 'No', request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the **Application Developer** role to an account to allow the registration of Azure Active Directory App. [Learn more](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).
+
+## Download and install Azure Migrate: App Containerization tool
+
+1. [Download](https://go.microsoft.com/fwlink/?linkid=2134571) the Azure Migrate: App Containerization installer on a Windows machine.
+2. Launch PowerShell in administrator mode and change the PowerShell directory to the folder containing the installer.
+3. Run the installation script using the command
+
+ ```powershell
+ .\AppContainerizationInstaller.ps1
+ ```
+
+## Launch the App Containerization tool
+
+1. Open a browser on any machine that can connect to the Windows machine running the App Containerization tool, and open the tool URL: **https://*machine name or IP address*: 44369**.
+
+ Alternately, you can open the app from the desktop by selecting the app shortcut.
+
+2. If you see a warning stating that says your connection isnΓÇÖt private, click Advanced and choose to proceed to the website. This warning appears as the web interface uses a self-signed TLS/SSL certificate.
+3. At the sign-in screen, use the local administrator account on the machine to sign in.
+4. Select **Java web apps on Tomcat** as the type of application you want to containerize.
+5. To specify target Azure service, select **Containers on Azure App Service**.
+![Default load-up for App Containerization tool.](./media/tutorial-containerize-apps-aks/tool-home.png)
+
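Review bot: Step 2 of **Launch the App Containerization tool** tells readers to click Advanced and proceed past the "connection isn't private" warning because the web interface uses a self-signed TLS/SSL certificate, while step 1 allows opening the URL from any machine that can reach the tool and step 3 then asks for the local administrator account; add a way to confirm the certificate is the tool's own (for example by comparing its thumbprint on the tool machine) or recommend opening the tool locally. The URL in step 1 has a stray space before the port ("*machine name or IP address*: 44369"), "stating that says" is doubled in step 2, and the image after step 5 is not indented under the list like the other screenshots.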
+### Complete tool pre-requisites
+1. Accept the **license terms**, and read the third-party information.
+6. In the tool web app > **Set up prerequisites**, do the following steps:
+ - **Connectivity**: The tool checks that the Windows machine has internet access. If the machine uses a proxy:
+ - Click on **Set up proxy** to specify the proxy address (in the form IP address or FQDN) and listening port.
+ - Specify credentials if the proxy needs authentication.
+ - Only HTTP proxy is supported.
+ - If you've added proxy details or disabled the proxy and/or authentication, click on **Save** to trigger connectivity check again.
+ - **Install updates**: The tool will automatically check for latest updates and install them. You can also manually install the latest version of the tool from [here](https://go.microsoft.com/fwlink/?linkid=2134571).
+ - **Enable Secure Shell (SSH)**: The tool will inform you to ensure that Secure Shell (SSH) is enabled on the application servers running the Java web applications to be containerized.
++
+## Sign in to Azure
+
+Click **Sign in** to log in to your Azure account.
+
+1. You'll need a device code to authenticate with Azure. Clicking on sign in will open a modal with the device code.
+2. Click on **Copy code & sign in** to copy the device code and open an Azure sign in prompt in a new browser tab. If it doesn't appear, make sure you've disabled the pop-up blocker in the browser.
+
+ ![Modal showing device code.](./media/tutorial-containerize-apps-aks/login-modal.png)
+
+3. On the new tab, paste the device code and complete sign in using your Azure account credentials. You can close the browser tab after sign in is complete and return to the App Containerization tool's web interface.
+4. Select the **Azure tenant** that you want to use.
+5. Specify the **Azure subscription** that you want to use.
+
+## Discover Java web applications
+
+The App Containerization helper tool connects remotely to the application servers using the provided credentials and attempts to discover Java web applications (running on Apache Tomcat) hosted on the application servers.
+
+1. Specify the **IP address/FQDN and the credentials** of the server running the Java web application that should be used to remotely connect to the server for application discovery.
+ - The credentials provided must be for a root account (Linux) on the application server.
+ - For domain accounts (the user must be an administrator on the application server), prefix the username with the domain name in the format *<domain\username>*.
+ - You can run application discovery for upto five servers at a time.
+
+2. Click **Validate** to verify that the application server is reachable from the machine running the tool and that the credentials are valid. Upon successful validation, the status column will show the status as **Mapped**.
+
+ ![Screenshot for server IP and credentials.](./media/tutorial-containerize-apps-aks/discovery-credentials.png)
+
+3. Click **Continue** to start application discovery on the selected application servers.
+
+4. Upon successful completion of application discovery, you can select the list of applications to containerize.
+
+ ![Screenshot for discovered Java web application.](./media/tutorial-containerize-apps-aks/discovered-app.png)
++
+4. Use the checkbox to select the applications to containerize.
+5. **Specify container name**: Specify a name for the target container for each selected application. The container name should be specified as <*name:tag*> where the tag is used for container image. For example, you can specify the target container name as *appname:v1*.
+
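Review bot: In step 1 of "Discover Java web applications", the second sub-bullet tells the reader to prefix domain accounts as *<domain\username>* and requires the user to be "an administrator on the application server", which reads as Windows guidance carried into a tutorial whose first sub-bullet requires a Linux root account. Either drop that bullet or say how it applies to Linux servers. Because the tool is handed root credentials, add a sentence on how those credentials are used and whether they are stored. Smaller points in the same region: "upto" should be "up to", and the step list numbers two consecutive items as 4.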
+### Parameterize application configurations
+Parameterizing the configuration makes it available as a deployment time parameter. This allows you to configure this setting while deploying the application as opposed to having it hard-coded to a specific value in the container image. For example, this option is useful for parameters like database connection strings.
+1. Click **app configurations** to review detected configurations.
+2. Select the checkbox to parameterize the detected application configurations.
+3. Click **Apply** after selecting the configurations to parameterize.
+
+ ![Screenshot for app configuration parameterization Java application.](./media/tutorial-containerize-apps-aks/discovered-app-configs.png)
+
+### Externalize file system dependencies
+
+ You can add other folders that your application uses. Specify if they should be part of the container image or are to be externalized to persistent storage through Azure file share. Using external persistent storage works great for stateful applications that store state outside the container or have other static content stored on the file system.
+
+1. Click **Edit** under App Folders to review the detected application folders. The detected application folders have been identified as mandatory artifacts needed by the application and will be copied into the container image.
+
+2. Click **Add folders** and specify the folder paths to be added.
+3. To add multiple folders to the same volume, provide comma (`,`) separated values.
+4. Select **Azure file share** as the storage option if you want the folders to be stored outside the container on persistent storage.
+5. Click **Save** after reviewing the application folders.
+ ![Screenshot for app volumes storage selection.](./media/tutorial-containerize-apps-aks/discovered-app-volumes.png)
+
+6. Click **Continue** to proceed to the container image build phase.
+
+## Build container image
++
+1. **Select Azure Container Registry**: Use the dropdown to select an [Azure Container Registry](../container-registry/index.yml) that will be used to build and store the container images for the apps. You can use an existing Azure Container Registry or choose to create a new one using the Create new registry option.
+
+ ![Screenshot for app ACR selection.](./media/tutorial-containerize-apps-aks/build-java-app.png)
+
+> [!NOTE]
+> Only Azure container registries with admin user enabled are displayed. The admin account is currently required for deploying an image from an Azure container registry to Azure App Service. [Learn more](/azure/container-registry/container-registry-authentication#admin-account)
+
+2. **Review the Dockerfile**: The Dockerfile needed to build the container images for each selected application are generated at the beginning of the build step. Click **Review** to review the Dockerfile. You can also add any necessary customizations to the Dockerfile in the review step and save the changes before starting the build process.
+
+3. **Configure Application Insights**: You can enable monitoring for your Java apps running on App Service without instrumenting your code. The tool will install the Java standalone agent as part of the container image. Once configured during deployment, the Java agent will automatically collect a multitude of requests, dependencies, logs, and metrics for your application that can be used for monitoring with Application Insights. This option is enabled by default for all Java applications.
+
+4. **Trigger build process**: Select the applications to build images for and click **Build**. Clicking build will start the container image build for each application. The tool keeps monitoring the build status continuously and will let you proceed to the next step upon successful completion of the build.
+
+5. **Track build status**: You can also monitor progress of the build step by clicking the **Build in Progress** link under the status column. The link takes a couple of minutes to be active after you've triggered the build process.
+
+6. Once the build is completed, click **Continue** to specify deployment settings.
+
+ ![Screenshot for app container image build completion.](./media/tutorial-containerize-apps-aks/build-java-app-completed.png)
+
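Review bot: The NOTE under step 1 of "Build container image" says only registries with the admin user enabled are displayed, but it gives the reader no guidance on what enabling that account means. The admin account is a single shared credential with full push and pull access to the registry, so the note should say so and tell readers who enable it for this migration to treat its password as a secret and rotate it afterwards. In step 2, "The Dockerfile needed to build the container images ... are generated" should agree in number.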
+## Deploy the containerized app on Azure App Service
+
+Once the container image is built, the next step is to deploy the application as a container on [Azure App Service](https://azure.microsoft.com/services/app-service/).
+
+1. **Select the Azure App Service plan**: Specify the Azure App Service plan that the application should use.
+
+ - If you donΓÇÖt have an App Service plan or would like to create a new App Service plan to use, you can choose to create on from the tool by clicking **Create new App Service plan**.
+ - Click **Continue** after selecting the App Service plan.
+
+2. **Specify secret store and monitoring workspace**: If you had opted to parameterize application configurations, then specify the secret store to be used for the application. You can choose Azure Key Vault or App Service application settings for managing your application secrets. [Learn more](/azure/app-service/configure-common#configure-connection-strings)
+
+ - If you've selected App Service application settings for managing secrets, then click **Continue**.
+ - If you'd like to use an Azure Key Vault for managing your application secrets, then specify the Azure Key Vault that you'd want to use.
+ - If you donΓÇÖt have an Azure Key Vault or would like to create a new Key Vault, you can choose to create on from the tool by clicking **Create new**.
+ - The tool will automatically assign the necessary permissions for managing secrets through the Key Vault.
+ - **Monitoring workspace**: If you'd selected to enabled monitoring with Application Insights, then specify the Application Insights resource that you'd want to use. This option won't be visible if you had disabled monitoring integration.
+ - If you donΓÇÖt have an Application Insights resource or would like to create a new resource, you can choose to create on from the tool by clicking **Create new**.
+
+3. **Specify Azure file share**: If you had added more directories/folders and selected the Azure file share option for persistent storage, then specify the Azure file share to be used by Azure Migrate: App Containerization tool during the deployment process. The tool will copy over the application directories/folders that are configured for Azure file storage and mount them on the application container during deployment.ΓÇ»
+
+ - If you don't have an Azure file share or would like to create a new Azure file share, you can choose to create on from the tool by clicking **Create new Storage Account and file share**.
+
+4. **Application deployment configuration**: Once you've completed the steps above, you'll need to specify the deployment configuration for the application. Click **Configure** to customize the deployment for the application. In the configure step you can provide the following customizations:
+ - **Name**: Specify a unique app name for the application. This name will be used to generate the application URL and used as a prefix for other resources being created as part of this deployment.
+ - **Application configuration**: For any application configurations that were parameterized, provide the values to use for the current deployment.
+ - **Storage configuration**: Review the information for any application directories/folders that were configured for persistent storage.
+
+ ![Screenshot for deployment app configuration.](./media/tutorial-containerize-apps-aks/deploy-java-app-config.png)
+
+5. **Deploy the application**: Once the deployment configuration for the application is saved, the tool will generate the Kubernetes deployment YAML for the application.
+ - Click **Review** to review the deployment configuration for the applications.
+ - Select the application to deploy.
+ - Click **Deploy** to start deployments for the selected applications
+
+ ![Screenshot for app deployment configuration.](./media/tutorial-containerize-apps-aks/deploy-java-app-deploy.png)
+
+ - Once the application is deployed, you can click the *Deployment status* column to track the resources that were deployed for the application.
++
+## Troubleshoot issues
+
+To troubleshoot any issues with the tool, you can look at the log files on the Windows machine running the App Containerization tool. Tool log files are located at *C:\ProgramData\Microsoft Azure Migrate App Containerization\Logs* folder.
+
+## Next steps
+
+- Containerizing Java web apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on AKS. [Learn more](./tutorial-app-containerization-java-kubernetes.md)
+- Containerizing ASP.NET web apps and deploying them on Windows containers on AKS. [Learn more](./tutorial-app-containerization-aspnet-kubernetes.md)
+- Containerizing ASP.NET web apps and deploying them on Windows containers on Azure App Service. [Learn more](./tutorial-app-containerization-aspnet-app-service.md)
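Review bot: Step 5 under "Deploy the containerized app on Azure App Service" says the tool "will generate the Kubernetes deployment YAML for the application", which looks carried over from the AKS tutorial; this article targets App Service, so name the artifact the tool actually produces here. Step 2 of the same section says the tool "will automatically assign the necessary permissions" on the Key Vault without naming them; list the permissions and the identity that receives them so readers can audit the change. The section also repeats "create on from the tool" (should be "create one") in the App Service plan, Key Vault, Application Insights and file share bullets, and "If you'd selected to enabled monitoring" needs correcting.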
migrate Tutorial App Containerization Java Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-app-containerization-java-kubernetes.md
Previously updated : 3/2/2021 Last updated : 6/30/2021 # Java web app containerization and migration to Azure Kubernetes Service
In this article, you'll learn how to containerize Java web applications (running
The Azure Migrate: App Containerization tool currently supports - -- Containerizing ASP.NET apps and deploying them on Windows containers on AKS. [Learn more](./tutorial-app-containerization-aspnet-kubernetes.md)-- Containerizing Java Web Apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on AKS.
+- Containerizing Java Web Apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on AKS.
+- Containerizing Java Web Apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on App Service. [Learn more](./tutorial-app-containerization-java-app-service.md)
+- Containerizing ASP.NET apps and deploying them on Windows containers on AKS. [Learn more](./tutorial-app-containerization-aspnet-kubernetes.md)
+- Containerizing ASP.NET apps and deploying them on Windows containers on App Service. [Learn more](./tutorial-app-containerization-aspnet-app-service.md)
The Azure Migrate: App Containerization tool helps you to -
The Azure Migrate: App Containerization tool helps you to -
While all applications won't benefit from a straight shift to containers without significant rearchitecting, some of the benefits of moving existing apps to containers without rewriting include: - **Improved infrastructure utilization:** With containers, multiple applications can share resources and be hosted on the same infrastructure. This can help you consolidate infrastructure and improve utilization.-- **Simplified management:** By hosting your applications on a modern managed infrastructure platform like AKS, you can simplify your management practices while still retaining control over your infrastructure. You can achieve this by retiring or reducing the infrastructure maintenance and management processes that you'd traditionally perform with owned infrastructure.-- **Application portability:** With increased adoption and standardization of container specification formats and orchestration platforms, application portability is no longer a concern.-- **Adopt modern management with DevOps:** Helps you adopt and standardize on modern practices for management and security with Infrastructure as Code and transition to DevOps.
+- **Simplified management:** By hosting your applications on a modern managed platform like AKS and App Service, you can simplify your management practices. You can achieve this by retiring or reducing the infrastructure maintenance and management processes that you'd traditionally perform with owned infrastructure.
+- **Application portability:** With increased adoption and standardization of container specification formats and platforms, application portability is no longer a concern.
+- **Adopt modern management with DevOps:** Helps you adopt and standardize on modern practices for management and security and transition to DevOps.
In this tutorial, you'll learn how to:
If you just created a free Azure account, you're the owner of your subscription.
![Opens the Add Role assignment page to assign a role to the account.](./media/tutorial-discover-vmware/assign-role.png) 7. Your Azure account also needs **permissions to register Azure Active Directory apps.**
-8. In Azure portal, navigate to **Azure Active Directory** > **Users** > **User Settings**.
-9. In **User settings**, verify that Azure AD users can register applications (set to **Yes** by default).
+8. In Azure portal, navigate to **Azure Active Directory** > **Users** > **User Settings**.
+9. In **User settings**, verify that Azure AD users can register applications (set to **Yes** by default).
![Verify in User Settings that users can register Active Directory apps.](./media/tutorial-discover-vmware/register-apps.png)
-10. In case the 'App registrations' settings is set to 'No', request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the **Application Developer** role to an account to allow the registration of Azure Active Directory App. [Learn more](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).
+10. In case the 'App registrations' settings is set to 'No', request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the **Application Developer** role to an account to allow the registration of Azure Active Directory App. [Learn more](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).
## Download and install Azure Migrate: App Containerization tool
If you just created a free Azure account, you're the owner of your subscription.
## Launch the App Containerization tool
-1. Open a browser on any machine that can connect to the Windows machine running the App Containerization tool, and open the tool URL: **https://*machine name or IP address*: 44368**.
+1. Open a browser on any machine that can connect to the Windows machine running the App Containerization tool, and open the tool URL: **https://*machine name or IP address*: 44369**.
Alternately, you can open the app from the desktop by selecting the app shortcut. 2. If you see a warning stating that says your connection isnΓÇÖt private, click Advanced and choose to proceed to the website. This warning appears as the web interface uses a self-signed TLS/SSL certificate. 3. At the sign-in screen, use the local administrator account on the machine to sign-in.
-4. For specify application type, select **Java web apps on Tomcat** as the type of application you want to containerize.
-
+4. Select **Java web apps on Tomcat** as the type of application you want to containerize.
+5. To specify target Azure service, select **Containers on Azure Kubernetes Service**.
![Default load-up for App Containerization tool.](./media/tutorial-containerize-apps-aks/tool-home.png) - ### Complete tool pre-requisites 1. Accept the **license terms**, and read the third-party information. 6. In the tool web app > **Set up prerequisites**, do the following steps:
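Review bot: The tool URL in step 1 still has a space between the colon and the port ("*machine name or IP address*: 44369"), so a reader who copies it gets a broken address; since this line is already being edited for the port change, remove the space. The change from 44368 to 44369 is also unexplained, and a short sentence saying which tool versions listen on which port would help readers who have already opened the old port to the Windows machine.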
If you just created a free Azure account, you're the owner of your subscription.
- **Enable Secure Shell (SSH)**: The tool will inform you to ensure that Secure Shell (SSH) is enabled on the application servers running the Java web applications to be containerized.
-## Login to Azure
+## Sign in to Azure
-Click **Login** to log in to your Azure account.
+Click **Sign in** to log in to your Azure account.
-1. You'll need a device code to authenticate with Azure. Clicking on Login will open a modal with the device code.
-2. Click on **Copy code & Login** to copy the device code and open an Azure Login prompt in a new browser tab. If it doesn't appear, make sure you've disabled the pop-up blocker in the browser.
+1. You'll need a device code to authenticate with Azure. Clicking on sign in will open a modal with the device code.
+2. Click on **Copy code & sign in** to copy the device code and open an Azure sign in prompt in a new browser tab. If it doesn't appear, make sure you've disabled the pop-up blocker in the browser.
![Modal showing device code.](./media/tutorial-containerize-apps-aks/login-modal.png)
-3. On the new tab, paste the device code and complete log in using your Azure account credentials. You can close the browser tab after log in is complete and return to the App Containerization tool's web interface.
+3. On the new tab, paste the device code and complete sign in using your Azure account credentials. You can close the browser tab after sign in is complete and return to the App Containerization tool's web interface.
4. Select the **Azure tenant** that you want to use. 5. Specify the **Azure subscription** that you want to use.
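Review bot: The rename from "login" to "sign in" is incomplete in the first sentence of this section, which now reads "Click **Sign in** to log in to your Azure account"; use "sign in" for the verb as well. The capitalisation of the button labels also differs between **Sign in** and **Copy code & sign in**, so match both to what the tool's UI shows.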
Parameterizing the configuration makes it available as a deployment time paramet
6. Click **Continue** to proceed to the container image build phase. - ## Build container image
Parameterizing the configuration makes it available as a deployment time paramet
2. **Review the Dockerfile**: The Dockerfile needed to build the container images for each selected application are generated at the beginning of the build step. Click **Review** to review the Dockerfile. You can also add any necessary customizations to the Dockerfile in the review step and save the changes before starting the build process.
-3. **Trigger build process**: Select the applications to build images for and click **Build**. Clicking build will start the container image build for each application. The tool keeps monitoring the build status continuously and will let you proceed to the next step upon successful completion of the build.
+3. **Configure Application Insights**: You can enable monitoring for your Java apps running on App Service without instrumenting your code. The tool will install the Java standalone agent as part of the container image. Once configured during deployment, the Java agent will automatically collect a multitude of requests, dependencies, logs, and metrics for your application that can be used for monitoring with Application Insights. This option is enabled by default for all Java applications.
-4. **Track build status**: You can also monitor progress of the build step by clicking the **Build in Progress** link under the status column. The link takes a couple of minutes to be active after you've triggered the build process.
+4. **Trigger build process**: Select the applications to build images for and click **Build**. Clicking build will start the container image build for each application. The tool keeps monitoring the build status continuously and will let you proceed to the next step upon successful completion of the build.
-5. Once the build is completed, click **Continue** to specify deployment settings.
+5. **Track build status**: You can also monitor progress of the build step by clicking the **Build in Progress** link under the status column. The link takes a couple of minutes to be active after you've triggered the build process.
+
+6. Once the build is completed, click **Continue** to specify deployment settings.
![Screenshot for app container image build completion.](./media/tutorial-containerize-apps-aks/build-java-app-completed.png)
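Review bot: The new step 3 describes monitoring "for your Java apps running on App Service", but this is the Azure Kubernetes Service tutorial; the sentence appears copied from the App Service article and should name AKS or drop the hosting target. The step also says the agent collects "requests, dependencies, logs, and metrics" and is enabled by default, so add one sentence telling readers that application logs will be sent to Application Insights unless they turn the option off, since logs can contain sensitive data.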
Once the container image is built, the next step is to deploy the application as
- If you donΓÇÖt have an AKS cluster or would like to create a new AKS cluster to deploy the application to, you can choose to create on from the tool by clicking **Create new AKS cluster**. - The AKS cluster created using the tool will be created with a Linux node pool. The cluster will be configured to allow it to pull images from the Azure Container Registry that was created earlier (if create new registry option was chosen). - Click **Continue** after selecting the AKS cluster.
+2. **Specify secret store and monitoring workspace**: If you had opted to parameterize application configurations, then specify the secret store to be used for the application. You can choose Azure Key Vault or Kubernetes Secrets for managing your application secrets.
+
+ - If you've selected Kubernetes secrets for managing secrets, then click **Continue**.
+ - If you'd like to use an Azure Key Vault for managing your application secrets, then specify the Azure Key Vault that you'd want to use.
+ - If you donΓÇÖt have an Azure Key Vault or would like to create a new Key Vault, you can choose to create on from the tool by clicking **Create new**.
+ - The tool will automatically assign the necessary permissions for managing secrets through the Key Vault.
+ - **Monitoring workspace**: If you'd selected to enabled monitoring with Application Insights, then specify the Application Insights resource that you'd want to use. This option won't be visible if you had disabled monitoring integration.
+ - If you donΓÇÖt have an Application Insights resource or would like to create a new resource, you can choose to create on from the tool by clicking **Create new**.
2. **Specify Azure file share**: If you had added more folders and selected the Persistent Volume option, then specify the Azure file share that should be used by Azure Migrate: App Containerization tool during the deployment process. The tool will create new directories in this Azure file share to copy over the application folders that are configured for Persistent Volume storage. Once the application deployment is complete, the tool will clean up the Azure file share by deleting the directories it had created.
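Review bot: The new secret-store step says the tool "will automatically assign the necessary permissions for managing secrets through the Key Vault" without naming which permissions are granted or to which identity; spell these out so readers can review and later remove the assignment. It would also help to say in one sentence how the Kubernetes Secrets option differs from Key Vault for the parameterized values, since the text offers the choice but no basis for making it. Separately, the added step is numbered 2 and is followed by the existing "2. **Specify Azure file share**", so the later steps need renumbering.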
Once the container image is built, the next step is to deploy the application as
- Click **Apply** to save the deployment configuration. - Click **Continue** to deploy the application.
- ![Screenshot for deployment app configuration.](./media/tutorial-containerize-apps-aks/deploy-java-app-config.png)
+ ![Screenshot for deployment app configuration.](./media/tutorial-containerize-apps-aks/deploy-java-app-config-aks.png)
4. **Deploy the application**: Once the deployment configuration for the application is saved, the tool will generate the Kubernetes deployment YAML for the application.
- - Click **Edit** to review and customize the Kubernetes deployment YAML for the applications.
+ - Click **Review** to review and customize the Kubernetes deployment YAML for the applications.
- Select the application to deploy. - Click **Deploy** to start deployments for the selected applications
- ![Screenshot for app deployment configuration.](./media/tutorial-containerize-apps-aks/deploy-java-app-deploy.png)
+ ![Screenshot for app deployment configuration.](./media/tutorial-containerize-apps-aks/deploy-java-app-deploy-aks.png)
- Once the application is deployed, you can click the *Deployment status* column to track the resources that were deployed for the application.
To troubleshoot any issues with the tool, you can look at the log files on the W
## Next steps -- Containerizing ASP.NET apps and deploying them on Windows containers on AKS. [Learn more](./tutorial-app-containerization-aspnet-kubernetes.md)
+- Containerizing Java web apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on App Service. [Learn more](./tutorial-app-containerization-java-app-service.md)
+- Containerizing ASP.NET web apps and deploying them on Windows containers on AKS. [Learn more](./tutorial-app-containerization-aspnet-kubernetes.md)
+- Containerizing ASP.NET web apps and deploying them on Windows containers on Azure App Service. [Learn more](./tutorial-app-containerization-aspnet-app-service.md)
security-center Alerts Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/alerts-reference.md
Previously updated : 06/08/2021 Last updated : 07/04/2021
At the bottom of this page, there's a table describing the Azure Security Center
| **Vulnerability scanner detected**<br>(AppServices_WpScanner) | Azure App Service activity log indicates that a possible vulnerability scanner was used on your App Service resource.<br>The suspicious activity detected resembles that of tools targeting WordPress applications.<br>If your App Service resource isnΓÇÖt hosting a WordPress site, it isnΓÇÖt vulnerable to this specific code injection exploit and you can safely suppress this alert for the resource. To learn how to suppress Azure Defender alerts, see https://docs.microsoft.com/azure/security-center/alerts-suppression-rules.<br>(Applies to: App Service on Windows and App Service on Linux) | PreAttack | Medium | | **Web fingerprinting detected**<br>(AppServices_WebFingerprinting) | Azure App Service activity log indicates a possible web fingerprinting activity on your App Service resource.<br>The suspicious activity detected is associated with a tool called Blind Elephant. The tool fingerprint web servers and tries to detect the installed applications and version.<br>Attackers often use this tool for probing the web application to find vulnerabilities.<br>(Applies to: App Service on Windows and App Service on Linux) | PreAttack | Medium | | **Website is tagged as malicious in threat intelligence feed**<br>(AppServices_SmartScreen) | Your website as described below is marked as a malicious site by Windows SmartScreen. If you think this is a false positive, contact Windows SmartScreen via report feedback link provided.<br>(Applies to: App Service on Windows and App Service on Linux) | Collection | Medium |
-| | |
-
+| **Possible loss of data detected**<br>(AppServices_DataEgressArtifacts)| Analysis of host/device data detected a possible data egress condition. Attackers will often egress data from machines they have compromised.<br>(Applies to: App Service on Linux)|Collection, Exfiltration|Medium||
+| **Detected suspicious file download**<br>(AppServices_SuspectDownloadArtifacts)|Analysis of host data has detected suspicious download of remote file.<br>(Applies to: App Service on Linux)|Persistence|Medium|
+|||||
## <a name="alerts-k8scluster"></a>Alerts for containers - Kubernetes clusters
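Review bot: The added row for AppServices_DataEgressArtifacts ends with "|Medium||", which gives it one more cell than the AppServices_SuspectDownloadArtifacts row below it and the existing rows above; drop the extra pipe. Both new descriptions are also thinner than their neighbours: unlike the WpScanner row, neither says what was observed or when the alert can safely be dismissed. Adding a sentence of triage guidance to each would make them actionable.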
Azure Defender alerts for container hosts aren't limited to the alerts below. Ma
| Alert | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity | |||:--:|-|
-| **A possible vulnerability to SQL Injection**<br>(SQL.VM_VulnerabilityToSqlInjection<br>SQL.DB_VulnerabilityToSqlInjection<br>SQL.MI_VulnerabilityToSqlInjection<br>SQL.DW_VulnerabilityToSqlInjection) | An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement. A defect in application code might have constructed the faulty SQL statement. Or, application code or stored procedures didn't sanitize user input when constructing the faulty SQL statement, which can be exploited for SQL injection. ) | - | Medium |
+| **A possible vulnerability to SQL Injection**<br>(SQL.VM_VulnerabilityToSqlInjection<br>SQL.DB_VulnerabilityToSqlInjection<br>SQL.MI_VulnerabilityToSqlInjection<br>SQL.DW_VulnerabilityToSqlInjection) | An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement. A defect in application code might have constructed the faulty SQL statement. Or, application code or stored procedures didn't sanitize user input when constructing the faulty SQL statement, which can be exploited for SQL injection. ) | PreAttack | Medium |
| **Attempted logon by a potentially harmful application**<br>(SQL.DB_HarmfulApplication<br>SQL.VM_HarmfulApplication<br>SQL.MI_HarmfulApplication<br>SQL.DW_HarmfulApplication) | A potentially harmful application attempted to access SQL server '{name}'. ) | PreAttack | High | | **Log on from an unusual Azure Data Center**<br>(SQL.DB_DataCenterAnomaly<br>SQL.VM_DataCenterAnomaly<br>SQL.DW_DataCenterAnomaly<br>SQL.MI_DataCenterAnomaly) | There has been a change in the access pattern to an SQL Server, where someone has signed in to the server from an unusual Azure Data Center. In some cases, the alert detects a legitimate action (a new application or Azure service). In other cases, the alert detects a malicious action (attacker operating from breached resource in Azure). ) | Probing | Low | | **Log on from an unusual location**<br>(SQL.DB_GeoAnomaly<br>SQL.VM_GeoAnomaly<br>SQL.DW_GeoAnomaly<br>SQL.MI_GeoAnomaly) | There has been a change in the access pattern to SQL Server, where someone has signed in to the server from an unusual geographical location. In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (a former employee or external attacker). ) | Exploitation | Medium |
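Review bot: The changed SQL injection row still ends its description with a stray " )" before the cell boundary ("...exploited for SQL injection. ) | PreAttack"); since the line is already being edited for the tactic, remove it here, and in the neighbouring rows that carry the same leftover. The move of the MITRE tactic from "-" to PreAttack is otherwise consistent with the "Attempted logon by a potentially harmful application" row that follows.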
security-center Custom Dashboards Azure Workbooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/custom-dashboards-azure-workbooks.md
Last updated 06/13/2021
Workbooks provide a rich set of capabilities for visualizing your Azure data. For detailed examples of each visualization type, see the [visualizations examples and documentation](../azure-monitor/visualize/workbooks-text-visualizations.md).
-Within Azure Security Center, you can access the built-in reports to track your organizationΓÇÖs security posture. You can also build custom reports to view a wide range of data from Security Center or other supported data sources.
+Within Azure Security Center, you can access the built-in workbooks to track your organizationΓÇÖs security posture. You can also build custom workbooks to view a wide range of data from Security Center or other supported data sources.
## Availability
Within Azure Security Center, you can access the built-in reports to track your
||:| | Release state: | General Availability (GA) | | Pricing: | Free |
-| Required roles and permissions: | To save workbooks, you must have at least Workbook Contributor permissions on the target resource group |
+| Required roles and permissions: | To save workbooks, you must have at least [Workbook Contributor](../role-based-access-control/built-in-roles.md#workbook-contributor) permissions on the target resource group |
| Clouds: | ![Yes](./media/icons/yes-icon.png) Commercial clouds<br>![Yes](./media/icons/yes-icon.png) National/Sovereign (US Gov, Azure China) | | | | ## Workbooks gallery in Azure Security Center
-With the integrated Azure Workbooks functionality, Azure Security Center makes it straightforward to build your own custom, interactive reports. Security Center also includes a workbook gallery with the following reports ready for your customization:
+With the integrated Azure Workbooks functionality, Azure Security Center makes it straightforward to build your own custom, interactive workbooks. Security Center also includes a gallery with the following workbooks ready for your customization:
- **Secure Score Over Time** - Track your subscriptions' scores and changes to recommendations for your resources - **System Updates** - View missing system updates by resources, OS, severity, and more
With the integrated Azure Workbooks functionality, Azure Security Center makes i
:::image type="content" source="media/custom-dashboards-azure-workbooks/workbooks-gallery-security-center.png" alt-text="Gallery of built-in workbooks in Azure Security Center.":::
-Choose one of the supplied reports or create your own.
+Choose one of the supplied workbooks or create your own.
> [!TIP]
-> Use the **Edit** button to customize any of the supplied reports to your satisfaction. When you're done editing, select **Save** and your changes will be saved to a new workbook.
+> Use the **Edit** button to customize any of the supplied workbooks to your satisfaction. When you're done editing, select **Save** and your changes will be saved to a new workbook.
> > :::image type="content" source="media/custom-dashboards-azure-workbooks/editing-supplied-workbooks.png" alt-text="Editing the supplied workbooks to customize them for your particular needs.":::
-### Use the 'Secure Score Over Time' report
+### Use the 'Secure Score Over Time' workbook
-This report uses secure score data from your Log Analytics workspace. That data needs to be exported from the continuous export tool as described in [Configure continuous export from the Security Center pages in Azure portal](continuous-export.md?tabs=azure-portal).
+This workbook uses secure score data from your Log Analytics workspace. That data needs to be exported from the continuous export tool as described in [Configure continuous export from the Security Center pages in Azure portal](continuous-export.md?tabs=azure-portal).
When you set up the continuous export, set the export frequency to both **streaming updates** and **snapshots**. :::image type="content" source="media/custom-dashboards-azure-workbooks/export-frequency-both.png" alt-text="For the secure score over time workbook you'll need to select both of these options from the export frequency settings in your continuous export configuration"::: > [!NOTE]
-> Snapshots get exported weekly, so you'll need to wait at least one week for the first snapshot to be exported before you can view data in this report.
+> Snapshots get exported weekly, so you'll need to wait at least one week for the first snapshot to be exported before you can view data in this workbook.
> [!TIP] > To configure continuous export across your organization, use the supplied Azure Policy 'DeployIfNotExist' policies described in [Configure continuous export at scale](continuous-export.md?tabs=azure-policy).
-The secure score over time report has five graphs for the subscriptions reporting to the selected workspaces:
+The secure score over time workbook has five graphs for the subscriptions reporting to the selected workspaces:
|Graph |Example | |||
-|**Score trends for the last week and month**<br>Use this section to monitor the current score and general trends of the scores for your subscriptions.|:::image type="content" source="media/custom-dashboards-azure-workbooks/secure-score-over-time-table-1.png" alt-text="Trends for secure score on the built-in report.":::|
+|**Score trends for the last week and month**<br>Use this section to monitor the current score and general trends of the scores for your subscriptions.|:::image type="content" source="media/custom-dashboards-azure-workbooks/secure-score-over-time-table-1.png" alt-text="Trends for secure score on the built-in workbook.":::|
|**Aggregated score for all selected subscriptions**<br>Hover your mouse over any point in the trend line to see the aggregated score at any date in the selected time range.|:::image type="content" source="media/custom-dashboards-azure-workbooks/secure-score-over-time-table-2.png" alt-text="Aggregated score for all selected subscriptions.":::| |**Recommendations with the most unhealthy resources**<br>This table helps you triage the recommendations that have had the most resources changed to unhealthy over the selected period.|:::image type="content" source="media/custom-dashboards-azure-workbooks/secure-score-over-time-table-3.png" alt-text="Recommendations with the most unhealthy resources.":::| |**Scores for specific security controls**<br>Security Center's security controls are logical groupings of recommendations. This chart shows you, at a glance, the weekly scores for all of your controls.|:::image type="content" source="media/custom-dashboards-azure-workbooks/secure-score-over-time-table-4.png" alt-text="Scores for your security controls over the selected time period.":::| |**Resources changes**<br>Recommendations with the most resources that have changed state (healthy, unhealthy, or not applicable) during the selected period are listed here. Select any recommendation from the list to open a new table listing the specific resources.|:::image type="content" source="media/custom-dashboards-azure-workbooks/secure-score-over-time-table-5.png" alt-text="Recommendations with the most resources that have changed health state.":::|
-### Use the 'System Updates' report
+### Use the 'System Updates' workbook
-This report is based on the security recommendation "System updates should be installed on your machines".
+This workbook is based on the security recommendation "System updates should be installed on your machines".
-The report helps you identify machines with outstanding updates.
+The workbook helps you identify machines with outstanding updates.
You can view the situation for the selected subscriptions according to: - The list of resources with outstanding updates - The list of updates missing from your resources
-### Use the 'Vulnerability Assessment Findings' report
+### Use the 'Vulnerability Assessment Findings' workbook
Security Center includes vulnerability scanners for your machines, containers in container registries, and SQL servers.
Findings for each of these scanners are reported in separate recommendations:
- Vulnerability assessment findings on your SQL databases should be remediated - Vulnerability assessment findings on your SQL servers on machines should be remediated
-This report gathers these findings and organizes them by severity, resource type, and category.
+This workbook gathers these findings and organizes them by severity, resource type, and category.
## Import workbooks from other workbook galleries
You'll find your saved workbook in the **Recently modified workbooks** category.
This article described Security Center's integrated Azure Monitor Workbooks page with built-in reports and the option to build your own custom, interactive reports. - Learn more about [Azure Monitor Workbooks](../azure-monitor/visualize/workbooks-overview.md)-- The built-in reports pull their data from Security Center's recommendations. Learn about the many security recommendations in [Security recommendations - a reference guide](recommendations-reference.md)
+- The built-in workbooks pull their data from Security Center's recommendations. Learn about the many security recommendations in [Security recommendations - a reference guide](recommendations-reference.md)
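Review bot: The report-to-workbook rename misses the closing summary. The unchanged sentence "This article described Security Center's integrated Azure Monitor Workbooks page with built-in reports and the option to build your own custom, interactive reports" still uses the old term twice, so the article ends with wording that contradicts the renamed headings and bullets above it. Suggest changing both occurrences to "workbooks" in this same change. Separately, the added intro line uses a typographic apostrophe in "organization's" that shows up mis-encoded in this view; a plain ASCII apostrophe avoids the problem.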
security-center Release Notes Archive https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/release-notes-archive.md
These tools have been enhanced and expanded in the following ways:
- **Regulatory compliance assessment data added (in preview).** You can now continuously export updates to regulatory compliance assessments, including for any custom initiatives, to a Log Analytics workspace or Event Hub. This feature is unavailable on national/sovereign clouds.
- :::image type="content" source="media/release-notes/continuous-export-regulatory-compliance-option.png" alt-text="The options for including regulatory compliant assessment information with your continuous export data.":::
+ :::image type="content" source="media/release-notes/continuous-export-regulatory-compliance-option.png" alt-text="The options for including regulatory compliance assessment information with your continuous export data.":::
## November 2020
security-center Security Center Permissions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/security-center/security-center-permissions.md
Title: Permissions in Azure Security Center | Microsoft Docs
-description: This article explains how Azure Security Center uses role-based access control to assign permissions to users and identifies the allowed actions for each role.
+description: This article explains how Azure Security Center uses role-based access control to assign permissions to users and identify the permitted actions for each role.
Previously updated : 01/03/2021 Last updated : 07/04/2021 # Permissions in Azure Security Center
-Azure Security Center uses [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md), which provides [built-in roles](../role-based-access-control/built-in-roles.md) that can be assigned to users, groups, and services in Azure.
+Security Center uses [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md), which provides [built-in roles](../role-based-access-control/built-in-roles.md) that can be assigned to users, groups, and services in Azure.
-Security Center assesses the configuration of your resources to identify security issues and vulnerabilities. In Security Center, you only see information related to a resource when you are assigned the role of Owner, Contributor, or Reader for the subscription or resource group that a resource belongs to.
+Security Center assesses the configuration of your resources to identify security issues and vulnerabilities. In Security Center, you only see information related to a resource when you are assigned the role of Owner, Contributor, or Reader for the subscription or the resource's resource group.
-In addition to these roles, there are two specific Security Center roles:
+In addition to the built-in roles, there are two roles specific to Security Center:
* **Security Reader**: A user that belongs to this role has viewing rights to Security Center. The user can view recommendations, alerts, a security policy, and security states, but cannot make changes. * **Security Admin**: A user that belongs to this role has the same rights as the Security Reader and can also update the security policy and dismiss alerts and recommendations. > [!NOTE]
-> The security roles, Security Reader and Security Admin, have access only in Security Center. The security roles do not have access to other service areas of Azure such as Storage, Web & Mobile, or Internet of Things.
->
+> The security roles, Security Reader and Security Admin, have access only in Security Center. The security roles do not have access to other Azure services such as Storage, Web & Mobile, or Internet of Things.
## Roles and allowed actions The following table displays roles and allowed actions in Security Center.
-| Action | Security Reader / <br> Reader | Security Admin | Resource Group Contributor / <br> Resource Group Owner | Subscription Contributor | Subscription Owner |
-|:-|:--:|:--:|::|::|::|
-| Edit security policy | - | Γ£ö | - | - | Γ£ö |
-| Add/assign initiatives (including) regulatory compliance standards) | - | - | - | - | Γ£ö |
-| Enable / disable Azure Defender | - | Γ£ö | - | - | Γ£ö |
-| Enable / disable auto-provisioning | - | Γ£ö | - | Γ£ö | Γ£ö |
+| **Action** | [Security Reader](../role-based-access-control/built-in-roles.md#security-reader) / <br> [Reader](../role-based-access-control/built-in-roles.md#reader) | [Security Admin](../role-based-access-control/built-in-roles.md#security-admin) | [Contributor](../role-based-access-control/built-in-roles.md#contributor) / [Owner](../role-based-access-control/built-in-roles.md#owner)| [Contributor](../role-based-access-control/built-in-roles.md#contributor)| [Owner](../role-based-access-control/built-in-roles.md#owner)|
+|:-|:--:|:--:|::|::|::|
+||||**(Resource group level)**|**(Subscription level)**|**(Subscription level)**|
+| Add/assign initiatives (including) regulatory compliance standards) | - | - | - | - | Γ£ö |
+| Edit security policy | - | Γ£ö | - | - | Γ£ö |
+| Enable / disable Azure Defender plans | - | Γ£ö | - | - | Γ£ö |
+| Enable / disable auto-provisioning | - | Γ£ö | - | Γ£ö | Γ£ö |
+| Dismiss alerts | - | Γ£ö | - | Γ£ö | Γ£ö |
| Apply security recommendations for a resource</br> (and use [Fix](security-center-remediate-recommendations.md#fix-button)) | - | - | Γ£ö | Γ£ö | Γ£ö |
-| Dismiss alerts | - | Γ£ö | - | Γ£ö | Γ£ö |
-| View alerts and recommendations | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |
+| View alerts and recommendations | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |
+||||||
> [!NOTE] > We recommend that you assign the least permissive role needed for users to complete their tasks. For example, assign the Reader role to users who only need to view information about the security health of a resource but not take action, such as applying recommendations or editing policies.
->
->
## Next steps This article explained how Security Center uses Azure RBAC to assign permissions to users and identified the allowed actions for each role. Now that you're familiar with the role assignments needed to monitor the security state of your subscription, edit security policies, and apply recommendations, learn how to:
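Review bot: In the rewritten roles table, the scope of each role has moved out of the header and into a body row ("(Resource group level)", "(Subscription level)"), which leaves the fourth and fifth header cells both reading Contributor and linking to the same built-in role. Scope is the only thing that separates those columns: per the rows below, Contributor at resource group level cannot dismiss alerts or enable auto-provisioning, while Contributor at subscription level can. A reader who looks only at the header row therefore cannot tell which assignment grants what, which undercuts the least-privilege note that follows the table. Suggest keeping the scope inside each header cell, as the removed header did with "Resource Group Contributor" and "Subscription Contributor". Two smaller points: the moved row "Add/assign initiatives (including) regulatory compliance standards)" still carries the unbalanced parenthesis from the removed line, and the trailing empty row "||||||" has five cells against a six-column table.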
sentinel Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/sentinel/migration.md
+
+ Title: Migrate to Azure Sentinel from an existing SIEM.
+description: Learn how to best migrate from an existing SIEM to Azure Sentinel, for scalable, intelligent security analytics across your organization.
+
+documentationcenter: na
+++ Last updated : 07/04/2021+++
+# Migrate to Azure Sentinel from an existing SIEM
+
+Your security operations center (SOC) team will use centralized security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solutions to protect your increasingly decentralized digital estate.
+
+Legacy SIEMs are often on-premises, and can maintain good coverage of your on-premises assets. However, on-premises architectures may have insufficient coverage for your cloud assets, such as in Azure, Microsoft 365, AWS, or Google Cloud Platform (GCP). In contrast, Azure Sentinel can ingest data from both on-premises and cloud assets, ensuring coverage over your entire estate.
+
+This article describes how to migrate from an existing, legacy SIEM to Azure Sentinel, either in a side-by-side configuration or by transitioning to a full Azure Sentinel deployment.
+
+## Plan your migration
+
+You may have decided to start a direct or gradual transition to Azure Sentinel, depending on your business needs and available resources.
+
+You'll want to plan your migration properly to ensure that transition doesn't introduce gaps in coverage, which could put your organization's security in jeopardy.
+
+To start, identify your key core capabilities and first-priority requirements. Evaluate the key use cases your current SIEM covers, and decide which detections and capabilities where Azure Sentinel needs to continue providing coverage.
+
+You'll add more in-process planning at each step of your migration process, as you consider the exact data sources and detection rules you want to migrate. For more information, see [Migrate your data](#migrate-your-data) and [Migrate analytics rules](#migrate-analytics-rules).
+
+> [!TIP]
+> Your current SIEM may have an overwhelming number of detections and use cases. Decide which ones are most useful to your business and determine which ones may not need to be migrated. For example, check to see which detections produced results within the past year.
+>
+
+### Compare your legacy SIEM to Azure Sentinel
+
+Compare your legacy SIEM to Azure Sentinel to help refine your migration completion criteria, and understand where you can extract more value with Azure Sentinel.
+
+For example, evaluate the following key areas:
+
+|Evaluation area |Description |
+|||
+|**Attack detection coverage.** | Compare how well each SIEM can detect the full range of attacks, using [MITRE ATT&CK](https://attack.mitre.org/) or a similar framework. |
+|**Responsiveness.** | Measure the mean time to acknowledge (MTTA), which is the time between an alert appearing in the SIEM and an analyst starting work on it. This time will probably be similar between SIEMs. |
+|**Mean time to remediate (MTTR).** | Compare the MTTR for incidents investigated by each SIEM, assuming analysts at equivalent skill levels. |
+|**Hunting speed and agility.** | Measure how fast teams can hunt, starting from a fully formed hypothesis, to querying the data, to getting the results on each SIEM platform. |
+|**Capacity growth friction.** | Compare the level of difficulty in adding capacity as usage grows. Keep in mind that cloud services and applications tend to generate more log data than traditional on-premises workloads. |
+| | |
+
+If you have limited or no investment in an existing on-premises SIEM, moving to Azure Sentinel can be a straightforward, direct deployment. However, enterprises that are heavily invested in a legacy SIEM typically require a multi-stage process to accommodate transition tasks.
+
+Although Azure Sentinel provides extended data and response for both on-premises the cloud, you may want to start your migration slowly, by running Azure Sentinel and your legacy SIEM [side-by-side](#select-a-side-by-side-approach-and-method). In a side-by-side architecture local resources can use the on-premises SIEM and cloud resources and new workloads use cloud-based analytics.
+
+Unless you choose a long-term side-by-side configuration, complete your migration to a full Azure Sentinel deployment to access lower infrastructure costs, real-time threat analysis, and cloud-scalability.
+
+## Select a side-by-side approach and method
+
+Use a side-by-side architecture either as a short-term, transitional phase that leads to a completely cloud-hosted SIEM, or as a medium- to long-term operational model, depending on the SIEM needs of your organization.
+
+For example, while the recommended architecture is to use a side-by-side architecture just long enough to complete the migration, your organization may want stay with your side-by-side configuration for longer, such as if you aren't ready to move away from your legacy SIEM. Typically, organizations who use a long-term, side-by-side configuration use Azure Sentinel to analyze only their cloud data.
+
+Consider the pros and cons for each approach when deciding which one to use in your migration.
+
+> [!NOTE]
+> Many organizations avoid running multiple on-premises analytics solutions because of cost and complexity.
+>
+> Azure Sentinel provides [pay-as-you-go pricing](azure-sentinel-billing.md) and flexible infrastructure, giving SOC teams time to adapt to the change. Migrate and test your content at a pace that works best for your organization.
+>
+### Short-term approach
+
+ :::column span="":::
+ **Pros**
+
+ - Gives SOC staff time to adapt to new processes as workloads and analytics migrate.
+
+ - Gains deep correlation across all data sources for hunting scenarios.
+
+ - Eliminates having to do analytics between SIEMs, create forwarding rules, and close investigations in two places.
+
+ - Enables your SOC team to quickly downgrade legacy SIEM solutions, eliminating infrastructure and licensing costs.
+ :::column-end:::
+ :::column span="":::
+ **Cons**
+
+ - Can require a steep learning curve for SOC staff.
+ :::column-end:::
+
+### Medium- to long-term approach
+
+ :::column span="":::
+ **Pros**
+
+ - Lets you use key Azure Sentinel benefits, like AI, ML, and investigation capabilities, without moving completely away from your legacy SIEM.
+
+ - Saves money compared to your legacy SIEM, by analyzing cloud or Microsoft data in Azure Sentinel.
+ :::column-end:::
+ :::column span="":::
+ **Cons**
+
+ - Increases complexity by separating analytics across different databases.
+
+ - Splits case management and investigations for multi-environment incidents.
+
+ - Incurs greater staff and infrastructure costs.
+
+ - Requires SOC staff to be knowledgeable about two different SIEM solutions.
+ :::column-end:::
+++
+### Send alerts from a legacy SIEM to Azure Sentinel (Recommended)
+
+Send alerts, or indicators of anomalous activity, from your legacy SIEM to Azure Sentinel.
+
+- Ingest and analyze cloud data in Azure Sentinel
+- Use your legacy SIEM to analyze on-premises data and generate alerts.
+- Forward the alerts from your on-premises SIEM into Azure Sentinel to establish a single interface.
+
+For example, forward alerts using [Logstash](connect-logstash.md), [APIs](/rest/api/securityinsights/), or [Syslog](connect-syslog.md), and store them in [JSON](https://techcommunity.microsoft.com/t5/azure-sentinel/tip-easily-use-json-fields-in-sentinel/ba-p/768747) format in your Azure Sentinel [Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace).
+
+By sending alerts from your legacy SIEM to Azure Sentinel, your team can cross-correlate and investigate those alerts in Azure Sentinel. The team can still access the legacy SIEM for deeper investigation if needed. Meanwhile, you can continue migrating data sources over an extended transition period.
+
+This recommended, side-by-side migration method provides you with full value from Azure Sentinel and the ability to migrate data sources at the pace that's right for your organization. This approach avoids duplicating costs for data storage and ingestion while you move your data sources over.
+
+For more information, see:
+
+- [Migrate QRadar offenses to Azure Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/migrating-qradar-offenses-to-azure-sentinel/ba-p/2102043)
+- [Export data from Splunk to Azure Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-export-data-from-splunk-to-azure-sentinel/ba-p/1891237).
++
+### Send alerts and enriched incidents from Azure Sentinel to a legacy SIEM
+
+Analyze some data in Azure Sentinel, such as cloud data, and then send the generated alerts to a legacy SIEM. Use the *legacy* SIEM as your single interface to do cross-correlation with the alerts that Azure Sentinel generated. You can still use Azure Sentinel for deeper investigation of the Azure Sentinel-generated alerts.
+
+This configuration is cost effective, as you can move your cloud data analysis to Azure Sentinel without duplicating costs or paying for data twice. You still have the freedom to migrate at your own pace. As you continue to shift data sources and detections over to Azure Sentinel, it becomes easier to migrate to Azure Sentinel as your primary interface. However, simply forwarding enriched incidents to a legacy SIEM limits the value you get from Azure Sentinel's investigation, hunting, and automation capabilities.
+
+For more information, see:
+
+- [Send enriched Azure Sentinel alerts to your legacy SIEM](https://techcommunity.microsoft.com/t5/azure-sentinel/sending-enriched-azure-sentinel-alerts-to-3rd-party-siem-and/ba-p/1456976)
+- [Send enriched Azure Sentinel alerts to IBM QRadar](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-side-by-side-with-qradar/ba-p/1488333)
+- [Ingest Azure Sentinel alerts into Splunk](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-side-by-side-with-splunk/ba-p/1211266)
+
+### Other methods
+
+The following table describes side-by-side configurations that are *not* recommended, with details as to why:
+
+|Method |Description |
+|||
+|**Send Azure Sentinel logs to your legacy SIEM** | With this method, you'll continue to experience the cost and scale challenges of your on-premises SIEM. <br><br>You'll pay for data ingestion in Azure Sentinel, along with storage costs in your legacy SIEM, and you can't take advantage of Azure Sentinel's SIEM and SOAR detections, analytics, User Entity Behavior Analytics (UEBA), AI, or investigation and automation tools. |
+|**Send logs from a legacy SIEM to Azure Sentinel** | While this method provides you with the full functionality of Azure Sentinel, your organization still pays for two different data ingestion sources. Besides adding architectural complexity, this model can result in higher costs. |
+|**Use Azure Sentinel and your legacy SIEM as two fully separate solutions** | You could use Azure Sentinel to analyze some data sources, like your cloud data, and continue to use your on-premises SIEM for other sources. This setup allows for clear boundaries for when to use each solution, and avoids duplication of costs. <br><br>However, cross-correlation becomes difficult, and you can't fully diagnose attacks that cross both sets of data sources. In today's landscape, where threats often move laterally across an organization, such visibility gaps can pose significant security risks. |
+| | |
+++
+## Migrate your data
+
+Make sure that you migrate only the data that represents your current key use cases.
+
+1. Determine the data that's needed to support each of your use cases.
+
+1. Determine whether your current data sources provide valuable data.
+
+1. Identify any visibility gaps in your current SIEM, and how you can close them.
+
+1. For each data source, consider whether you need to ingest raw logs, which can be costly, or whether enriched alerts provide enough context for your key use cases.
+
+ For example, you can ingest enriched data from security products across the organization, and use Azure Sentinel to correlate across them, without having to ingest raw logs from the data sources themselves.
+
+1. Use any of the following resources to ingest data:
+
+ - Use **Azure Sentinel's [built-in data connectors](connect-data-sources.md)** to start ingesting data. For example, you may want to start a [free trial](azure-sentinel-billing.md#free-trial) with your cloud data, or use [free data connectors](azure-sentinel-billing.md#free-data-sources) to ingest data from other Microsoft products.
+
+ - Use **[Syslog](connect-data-sources.md#syslog), [Common Event Format (CEF)](connect-data-sources.md#common-event-format-cef), or [REST APIs](connect-data-sources.md#rest-api-integration)** to connect other data sources.
+
+ For more information, see [Azure Sentinel partner data connectors](partner-data-connectors.md) and the [Azure Sentinel solutions catalog](sentinel-solutions-catalog.md).
+
+> [!TIP]
+> - Limiting yourself to only free data sources may limit your ability to test with data that's important to you. When testing, consider limited data ingestion from both free and paid data connectors to get the most out of your test results.
+>
+> - As you migrate detections and build use cases in Azure Sentinel, stay mindful of the data you ingest, and verify its value to your key priorities. Revisit data collection conversations to ensure data depth and breadth across your use cases.
+>
+
+## Migrate analytics rules
+
+Azure Sentinel uses machine learning analytics to create high-fidelity and actionable incidents, and some of your existing detections may be redundant in Azure Sentinel. Therefore, do not migrate all of your detection and analytics rules blindly:
+
+- Make sure to select use cases that justify rule migration, considering business priority and efficiency.
+
+- Review [built-in analytics rules](tutorial-detect-threats-built-in.md) that may already address your use cases. In Azure Sentinel, go to the **Configuration > Analytics > Rule templates** tab to create rules based on built-in templates.
+
+- Review any rules that haven't triggered any alerts in the past 6-12 months, and determine whether they're still relevant.
+
+- Eliminate low-level threats or alerts that you routinely ignore.
+
+**To migrate your analytics rules to Azure Sentinel**:
+
+1. Verify that your have a testing system in place for each rule you want to migrate.
+
+ 1. **Prepare a validation process** for your migrated rules, including full test scenarios and scripts.
+
+ 1. **Ensure that your team has useful resources** to test your migrated rules.
+
+ 1. **Confirm that you have any required data sources connected,** and review your data connection methods.
+
+1. Verify whether your detections are available as built-in templates in Azure Sentinel:
+
+ - **If the built-in rules are sufficient**, use built-in rule templates to create rules for your own workspace.
+
+ In Azure Sentinel, go to the **Configuration > Analytics > Rule templates** tab, and create and update each relevant analytics rule.
+
+ For more information, see [Detect threats out-of-the-box](tutorial-detect-threats-built-in.md).
+
+ - **If you have detections that aren't covered by Azure Sentinel's built-in rules**, try an online query converter, such as [Uncoder.io](https://uncoder.io/) to convert your queries to KQL.
+
+ Identify the trigger condition and rule action, and then construct and review your KQL query.
+
+ - **If neither the built-in rules nor an online rule converter is sufficient**, you'll need to create the rule manually. In such cases, use the following steps to start creating your rule:
+
+ 1. **Identify the data sources you want to use in your rule**. You'll want to create a mapping table between data sources and data tables in Azure Sentinel to identify the tables you want to query.
+
+ 1. **Identify any attributes, fields, or entities** in your data that you want to use in your rules.
+
+ 1. **Identify your rule criteria and logic**. At this stage, you may want to use rule templates as samples for how to construct your KQL queries.
+
+ Consider filters, correlation rules, active lists, reference sets, watchlists, detection anomalies, aggregations, and so on. You might use references provided by your legacy SIEM to understand how to best map your query syntax.
+
+ For example, see:
+
+ - [Sample rule mapping between ArcSight/QRadar and Azure Sentinel](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/RuleMigration/Rule%20Logic%20Mappings.md)
+ - [SPL to KQL mapping samples](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/RuleMigration/Rule%20Logic%20Mappings.md)
+
+ 1. **Identify the trigger condition and rule action, and then construct and review your KQL query**. When reviewing your query, consider KQL optimization guidance resources.
+
+1. Test the rule with each of your relevant use cases. If it doesn't provided expected results, you may want to review the KQL and test it again.
+
+1. When you're satisfied, you can consider the rule migrated. Create a playbook for your rule action as needed. For more information, see [Automate threat response with playbooks in Azure Sentinel](automate-responses-with-playbooks.md).
+
+**For more information, see**:
+
+- [**Create custom analytics rules to detect threats**](tutorial-detect-threats-custom.md). Use [alert grouping](tutorial-detect-threats-custom.md#alert-grouping) to reduce alert fatigue by grouping alerts that occur within a given timeframe.
+- [**Map data fields to entities in Azure Sentinel**](map-data-fields-to-entities.md) to enable SOC engineers to define entities as part of the evidence to track during an investigation. Entity mapping also makes it possible for SOC analysts to take advantage of an intuitive [investigation graph (tutorial-investigate-cases.md#use-the-investigation-graph-to-deep-dive) that can help reduce time and effort.
+- [**Investigate incidents with UEBA data**](investigate-with-ueba.md), as an example of how to use evidence to surface events, alerts, and any bookmarks associated with a particular incident in the incident preview pane.
+- [**Kusto Query Language (KQL)**](/azure/data-explorer/kusto/query/), which you can use to send read-only requests to your [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial) database to process data and return results. KQL is also used across other Microsoft services, such as [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender) and [Application Insights](/azure/azure-monitor/app/app-insights-overview).
+
+## Use automation to streamline processes
+
+Use automated workflows to group and prioritize alerts into a common incident, and modify its priority.
+
+For more information, see:
+
+- [Security Orchestration, Automation, and Response (SOAR) in Azure Sentinel](automation-in-azure-sentinel.md).
+- [Automate threat response with playbooks in Azure Sentinel](automate-responses-with-playbooks.md)
+- [Automate incident handling in Azure Sentinel with automation rules](automate-incident-handling-with-automation-rules.md)
+
+## Retire your legacy SIEM
+
+Use the following checklist to make sure that you're fully migrated to Azure Sentinel and are ready to retire your legacy SIEM:
++
+|Readiness area |Details |
+|||
+|**Technology readiness** | **Check critical data**: Make sure all sources and alerts are available in Azure Sentinel. <br><br>**Archive all records**: Save critical past incident and case records, raw data optional, to retain institutional history. |
+|**Process readiness** | **Playbooks**: Update [investigation and hunting processes](tutorial-investigate-cases.md) to Azure Sentinel.<br><br>**Metrics**: Ensure that you can get all key metrics from Azure Sentinel.<br><br>**Workbooks**: Create [custom workbooks](tutorial-monitor-your-data.md) or use built-in workbook templates to quickly gain insights as soon as you [connect to data sources](connect-data-sources.md).<br><br>**Incidents**: Make sure to transfer all current incidents to the new system, including required source data. |
+|**People readiness** | **SOC analysts**: Make sure everyone on your team is trained on Azure Sentinel and is comfortable leaving the legacy SIEM. |
+| | |
+## Next steps
+
+After migration, explore Microsoft's Azure Sentinel resources to expand your skills and get the most out of Azure Sentinel.
+
+Also consider increasing your threat protection by using Azure Sentinel alongside [Microsoft 365 Defender](/azure/sentinel/microsoft-365-defender-sentinel-integration) and [Azure Defender](/azure/security-center/azure-defender) for [integrated threat protection](https://www.microsoft.com/security/business/threat-protection). Benefit from the breadth of visibility that Azure Sentinel delivers, while diving deeper into detailed threat analysis.
+
+For more information, see:
+
+- [Rule migration best practices](https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-migrating-detection-rules-from-arcsight/ba-p/2216417)
+- [Webinar: Best Practices for Converting Detection Rules](https://www.youtube.com/watch?v=njXK1h9lfR4)
+- [Security Orchestration, Automation, and Response (SOAR) in Azure Sentinel](automation-in-azure-sentinel.md)
+- [Manage your SOC better with incident metrics](manage-soc-with-incident-metrics.md)
+- [Azure Sentinel learning path](/learn/paths/security-ops-sentinel/)
+- [SC-200 Microsoft Security Operations Analyst certification](/learn/certifications/exams/sc-200)
+- [Azure Sentinel Ninja training](https://techcommunity.microsoft.com/t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-level-400-training/ba-p/1246310)
+- [Investigate an attack on a hybrid environment with Azure Sentinel](https://mslearn.cloudguides.com/guides/Investigate%20an%20attack%20on%20a%20hybrid%20environment%20with%20Azure%20Sentinel)
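Review bot: The link in the "Map data fields to entities in Azure Sentinel" bullet is malformed: `[investigation graph (tutorial-investigate-cases.md#use-the-investigation-graph-to-deep-dive)` has no closing `]` after "investigation graph", so it renders as literal text rather than a link. In the retirement checklist, the table is preceded by a stray `++` line, its header separator reads `|||`, and there is no blank line between the empty last row and `## Next steps`, so confirm the table renders as intended. Minor: the first bullet under "Use automation to streamline processes" ends with a period while its two siblings do not.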
sentinel Sap Solution Log Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/sentinel/sap-solution-log-reference.md
This article is intended for advanced SAP users.
Available by using RFC with a custom service based on standard services.
-### ABAPAuditLog_CL log schema
+### ABAPChangeDocsLog_CL log schema
| Field | Description |
For more information, see:
- [Tutorial: Deploy the Azure Sentinel solution for SAP](sap-deploy-solution.md) - [Azure Sentinel SAP solution detailed SAP requirements](sap-solution-detailed-requirements.md) - [Deploy the Azure Sentinel SAP data connector on-premises](sap-solution-deploy-alternate.md)-- [Azure Sentinel SAP solution: built-in security content](sap-solution-security-content.md)
+- [Azure Sentinel SAP solution: built-in security content](sap-solution-security-content.md)
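Review bot: Renaming the heading from `ABAPAuditLog_CL log schema` to `ABAPChangeDocsLog_CL log schema` also changes the generated anchor, so check any link that pointed at the old heading. Please also confirm that the Field/Description table under it describes the change documents log, and that the audit log schema still has its own heading elsewhere in the article. The last change only moves the "built-in security content" bullet onto its own line, which looks correct.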
site-recovery Azure To Azure Support Matrix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/site-recovery/azure-to-azure-support-matrix.md
Data disk - standard storage account | Supported |
Data disk - premium storage account | Supported | If a VM has disks spread across premium and standard storage accounts, you can select a different target storage account for each disk, to ensure you have the same storage configuration in the target region. Managed disk - standard | Supported in Azure regions in which Azure Site Recovery is supported. | Managed disk - premium | Supported in Azure regions in which Azure Site Recovery is supported. |
+Disk subscription limits | Up to 3000 protected disks per Subscription | Ensure that the Source or Target subscription does not have more than 3000 ASR-protected Disks (Both Data and OS).
Standard SSD | Supported | Redundancy | LRS and GRS are supported.<br/><br/> ZRS isn't supported. Cool and hot storage | Not supported | VM disks aren't supported on cool and hot storage
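Review bot: The new "Disk subscription limits" row is ambiguous about scope: "the Source or Target subscription does not have more than 3000 ASR-protected Disks" does not say whether the 3000 limit applies to each subscription separately or to the pair combined, and the row does not say what happens when the limit is exceeded. Suggest stating the limit per subscription explicitly. The row should also follow the table's style: spell out "Azure Site Recovery" as the neighbouring rows do instead of "ASR", and use sentence case for "Subscription", "Source", "Target", "Disks" and "Both".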
storage Point In Time Restore Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/storage/blobs/point-in-time-restore-overview.md
Point-in-time restore for block blobs has the following limitations and known is
- Only block blobs in a standard general-purpose v2 storage account can be restored as part of a point-in-time restore operation. Append blobs, page blobs, and premium block blobs are not restored. - If you have deleted a container during the retention period, that container will not be restored with the point-in-time restore operation. If you attempt to restore a range of blobs that includes blobs in a deleted container, the point-in-time restore operation will fail. To learn about protecting containers from deletion, see [Soft delete for containers (preview)](soft-delete-container-overview.md). - If a blob has moved between the hot and cool tiers in the period between the present moment and the restore point, the blob is restored to its previous tier. Restoring block blobs in the archive tier is not supported. For example, if a blob in the hot tier was moved to the archive tier two days ago, and a restore operation restores to a point three days ago, the blob is not restored to the hot tier. To restore an archived blob, first move it out of the archive tier. For more information, see [Rehydrate blob data from the archive tier](storage-blob-rehydration.md).
+- If an immutable storage policy is set and blobs are protected by policy, a restore can be submitted but, any immutable blobs will not be modified. A restore in this case will not yield a consistent state to the restore date and time given.
- A block that has been uploaded via [Put Block](/rest/api/storageservices/put-block) or [Put Block from URL](/rest/api/storageservices/put-block-from-url), but not committed via [Put Block List](/rest/api/storageservices/put-block-list), is not part of a blob and so is not restored as part of a restore operation. - A blob with an active lease cannot be restored. If a blob with an active lease is included in the range of blobs to restore, the restore operation will fail atomically. Break any active leases prior to initiating the restore operation. - Snapshots are not created or deleted as part of a restore operation. Only the base blob is restored to its previous state.
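Review bot: The added immutable-storage bullet does not say how the restore operation reports its outcome. The neighbouring bullets state that the operation "will fail" or "will fail atomically", whereas here the restore "can be submitted" and immutable blobs are silently left unmodified. Since the result is an inconsistent state, the text should say whether the operation completes as succeeded or failed and how an operator can tell which blobs were skipped. Also fix the comma placement in "can be submitted but, any immutable blobs" (it belongs before "but"), and consider rewording "consistent state to the restore date and time given" to "a state consistent with the specified restore point".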
storage Storage Account Create https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/storage/common/storage-account-create.md
Every Resource Manager resource, including an Azure storage account, must belong
To create an Azure storage account with the Azure portal, follow these steps: 1. From the left portal menu, select **Storage accounts** to display a list of your storage accounts.
-1. On the **Storage accounts** page, select **New**.
+1. On the **Storage accounts** page, select **Create**.
Options for your new storage account are organized into tabs in the **Create a storage account** page. The following sections describe each of the tabs and their options.
virtual-machines Image Builder https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/virtual-machines/windows/image-builder.md
az role definition create --role-definition ./aibRoleImageCreation.json
# grant role definition to the user assigned identity az role assignment create \ --assignee $imgBuilderCliId \
- --role $imageRoleDefName \
+ --role "$imageRoleDefName" \
--scope /subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup ```
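Review bot: Quoting `"$imageRoleDefName"` fixes word splitting for a role name that contains spaces, but the same command still passes `--assignee $imgBuilderCliId` and `--scope /subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup` unquoted. A resource group name or identity value containing whitespace or glob characters would break the role assignment in the same way, so quote those expansions too for consistency, for example `--scope "/subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup"`.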