Updates from: 07/06/2022 01:08:56
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Partner Akamai https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-akamai.md
Akamai WAF integration includes the following components:
- **Azure AD B2C Tenant** ΓÇô The authorization server, responsible for verifying the userΓÇÖs credentials using the custom policies defined in the tenant. It's also known as the identity provider. -- [**Azure Front Door**](../frontdoor/front-door-overview.md) ΓÇô Responsible for enabling custom domains for Azure B2C tenant. All traffic from Cloudflare WAF will be routed to Azure Front Door before arriving at Azure AD B2C tenant.
+- [**Azure Front Door**](../frontdoor/front-door-overview.md) ΓÇô Responsible for enabling custom domains for Azure B2C tenant. All traffic from Akamai WAF will be routed to Azure Front Door before arriving at Azure AD B2C tenant.
- [**Akamai WAF**](https://www.akamai.com/us/en/resources/waf.jsp) ΓÇô The web application firewall, which manages all traffic that is sent to the authorization server.
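Review bot: The corrected Azure Front Door bullet names the product two ways in one line, "Azure B2C tenant" and then "Azure AD B2C tenant". Since the line is already being touched to replace Cloudflare with Akamai, use "Azure AD B2C tenant" in both places so it matches the first bullet. The sentence "All traffic from Akamai WAF will be routed to Azure Front Door" also describes the intended path without saying what enforces it; a pointer to the step that restricts the origin would make the component list complete.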
active-directory-domain-services Concepts Forest Trust https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/concepts-forest-trust.md
Previously updated : 06/07/2021 Last updated : 07/05/2022
Administrators can use *Active Directory Domains and Trusts*, *Netdom* and *Nlte
## Next steps
-To learn more about forest trusts, see [How do forest trusts work in Azure AD DS?][concepts-trust]
- To get started with creating a managed domain with a forest trust, see [Create and configure an Azure AD DS managed domain][tutorial-create-advanced]. You can then [Create an outbound forest trust to an on-premises domain][create-forest-trust]. <!-- LINKS - INTERNAL -->
-[concepts-trust]: concepts-forest-trust.md
[tutorial-create-advanced]: tutorial-create-instance-advanced.md [create-forest-trust]: tutorial-create-forest-trust.md
active-directory On Premises Scim Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-scim-provisioning.md
Previously updated : 11/17/2021 Last updated : 07/05/2022
The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0]
To provision users to SCIM-enabled apps: 1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM endpoint is hosted on.
- 1. Copy the agent onto the virtual machine or server that your SCIM endpoint is hosted on.
1. Open the provisioning agent installer, agree to the terms of service, and select **Install**. 1. Open the provisioning agent wizard, and select **On-premises provisioning** when prompted for the extension you want to enable. 1. Provide credentials for an Azure AD administrator when you're prompted to authorize. Hybrid administrator or global administrator is required.
active-directory Provision On Demand https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/provision-on-demand.md
Title: Provision a user on demand by using Azure Active Directory
+ Title: Provision a user or group on demand using the Azure Active Directory provisioning service
description: Learn how to provision users on demand in Azure Active Directory.
Previously updated : 03/09/2022 Last updated : 06/30/2022 # On-demand provisioning in Azure Active Directory
-Use on-demand provisioning to provision a user into an application in seconds. Among other things, you can use this capability to:
+Use on-demand provisioning to provision a user or group in seconds. Among other things, you can use this capability to:
* Troubleshoot configuration issues quickly. * Validate expressions that you've defined.
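Review bot: The front matter is now inconsistent. The new Title covers "a user or group", but the description line directly below it still reads "Learn how to provision users on demand in Azure Active Directory." Update the description in the same change so that search results and the page title agree on scope.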
Use on-demand provisioning to provision a user into an application in seconds. A
1. Select your application, and then go to the provisioning configuration page. 1. Configure provisioning by providing your admin credentials. 1. Select **Provision on demand**.
-1. Search for a user by first name, last name, display name, user principal name, or email address.
+1. Search for a user by first name, last name, display name, user principal name, or email address. Alternatively, you can search for a group and pick up to 5 users.
> [!NOTE] > For Cloud HR provisioning app (Workday/SuccessFactors to AD/Azure AD), the input value is different. > For Workday scenario, please provide "WorkerID" or "WID" of the user in Workday.
Use on-demand provisioning to provision a user into an application in seconds. A
1. Select **Provision** at the bottom of the page. + ## Understand the provisioning steps
Finally, the provisioning service takes an action, such as creating, updating, d
Here's an example of what you might see after the successful on-demand provisioning of a user: #### View details
The **View details** section displays the attributes that were modified in the t
#### Troubleshooting tips * Failures for exporting changes can vary greatly. Check the [documentation for provisioning logs](../reports-monitoring/concept-provisioning-logs.md#error-codes) for common failures.
+* On-demand provisioning says the group or user can't be provisioned because they're not assigned to the application. Note that there is a replicate delay of up to a few minutes between when an object is assigned to an application and that assignment being honored by on-demand provisioning. You may need to wait a few minutes and try again.
## Frequently asked questions
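Review bot: In the added troubleshooting bullet, "replicate delay" should be "replication delay", and the bullet opens with the symptom as a bare statement while the bullet above it is written as guidance. Suggest something like "If on-demand provisioning reports that the user or group isn't assigned to the application, wait a few minutes and try again; a new assignment can take a few minutes to be honored." and dropping "Note that".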
There are currently a few known limitations to on-demand provisioning. Post your
> The following limitations are specific to the on-demand provisioning capability. For information about whether an application supports provisioning groups, deletions, or other capabilities, check the tutorial for that application. * Amazon Web Services (AWS) application does not support on-demand provisioning.
-* On-demand provisioning of groups and roles isn't supported.
+* On-demand provisioning of groups supports updating up to 5 members at a time
+* On-demand provisioning of roles isn't supported.
* On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Azure AD. Those users won't appear when you search for a user.
-* Provisioning multiple roles on a user isn't supported by on-demand provisioning.
## Next steps
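Review bot: The new group limitation, "supports updating up to 5 members at a time", has no closing period, unlike the other bullets in this list, and it says "members" where the procedure step added earlier in this change says "pick up to 5 users". Pick one term and state the limit the same way in both places. Also confirm that dropping "Provisioning multiple roles on a user isn't supported" is intended; the remaining roles bullet covers it only if readers take "roles isn't supported" to include that case.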
active-directory Howto Device Identity Virtual Desktop Infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure.md
Previously updated : 02/15/2022 Last updated : 07/05/2022
Before configuring device identities in Azure AD for your VDI environment, famil
<sup>2</sup> **Windows down-level** devices represent Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. For support information on Windows 7, see [Support for Windows 7 is ending](https://www.microsoft.com/microsoft-365/windows/end-of-windows-7-support). For support information on Windows Server 2008 R2, see [Prepare for Windows Server 2008 end of support](https://www.microsoft.com/cloud-platform/windows-server-2008).
-<sup>3</sup> A **Federated** identity infrastructure environment represents an environment with an identity provider such as AD FS or other third-party IDP.
+<sup>3</sup> A **Federated** identity infrastructure environment represents an environment with an identity provider such as AD FS or other third-party IDP. In a federated identity infrastructure environment, computers follow the [managed device registration flow](device-registration-how-it-works.md#hybrid-azure-ad-joined-in-managed-environments) based on the [AD Service Connection Point (SCP) settings](hybrid-azuread-join-manual.md#configure-a-service-connection-point).
<sup>4</sup> A **Managed** identity infrastructure environment represents an environment with Azure AD as the identity provider deployed with either [password hash sync (PHS)](../hybrid/whatis-phs.md) or [pass-through authentication (PTA)](../hybrid/how-to-connect-pta.md) with [seamless single sign-on](../hybrid/how-to-connect-sso.md).
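Review bot: The sentence added to footnote 3 says that in a federated environment computers follow the managed device registration flow, but gives no condition. As written it reads as though federated environments always use the managed flow, which blurs the distinction between footnotes 3 and 4. State which SCP setting leads to the managed flow, or reword to say that the SCP settings determine the flow and link both flows.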
active-directory Hybrid Azuread Join Manual https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-azuread-join-manual.md
Previously updated : 02/15/2022 Last updated : 07/05/2022
After these configurations are complete, follow the guidance to [verify registra
Your devices use a service connection point (SCP) object during the registration to discover Azure AD tenant information. In your on-premises Active Directory instance, the SCP object for the hybrid Azure AD joined devices must exist in the configuration naming context partition of the computer's forest. There's only one configuration naming context per forest. In a multi-forest Active Directory configuration, the service connection point must exist in all forests that contain domain-joined computers.
+The SCP object contains two keywords values ΓÇô `azureADid:<TenantID>` and `azureADName:<verified domain>`. The `<verified domain>` value in the `azureADName` keyword dictates the type of the device registration flow (federated or managed) the device will follow after reading the SCP value from your on-premises Active Directory instance. More about the managed and federated flows can be found in the article [How Azure AD device registration works](device-registration-how-it-works.md).
+ You can use the [**Get-ADRootDSE**](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee617246(v=technet.10)) cmdlet to retrieve the configuration naming context of your forest. For a forest with the Active Directory domain name *fabrikam.com*, the configuration naming context is:
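Review bot: "two keywords values" in the added SCP paragraph should be "two keyword values". The paragraph says the `<verified domain>` value in `azureADName` dictates whether the device follows the federated or the managed flow, but it never says which kind of domain selects which flow. One sentence giving that mapping would save a trip to the linked article and is the detail an administrator needs when auditing an existing SCP.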
active-directory Licensing Service Plan Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-service-plan-reference.md
When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
| Dynamics 365 for Talent | SKU_Dynamics_365_for_HCM_Trial | 3a256e9a-15b6-4092-b0dc-82993f4debc6 | DYN365_CDS_DYN_APPS (2d925ad8-2479-4bd8-bb76-5b80f1d48935)<br/>Dynamics_365_Hiring_Free_PLAN (f815ac79-c5dd-4bcc-9b78-d97f7b817d0d)<br/>Dynamics_365_Onboarding_Free_PLAN (300b8114-8555-4313-b861-0c115d820f50)<br/>Dynamics_365_for_HCM_Trial (5ed38b64-c3b7-4d9f-b1cd-0de18c9c4331)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)<br/>POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b) | Common Data Service (2d925ad8-2479-4bd8-bb76-5b80f1d48935)<br/>Dynamics 365 for Talent: Attract (f815ac79-c5dd-4bcc-9b78-d97f7b817d0d)<br/>Dynamics 365 for Talent: Onboard (300b8114-8555-4313-b861-0c115d820f50)<br/>Dynamics 365 for HCM Trial (5ed38b64-c3b7-4d9f-b1cd-0de18c9c4331)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Flow for Dynamics 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba)<br/>PowerApps for Dynamics 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b) | | DYNAMICS 365 FOR TEAM MEMBERS ENTERPRISE EDITION | DYN365_ENTERPRISE_TEAM_MEMBERS | 8e7a3d30-d97d-43ab-837c-d7701cef83dc | DYN365_Enterprise_Talent_Attract_TeamMember (643d201a-9884-45be-962a-06ba97062e5e)<br/>DYN365_Enterprise_Talent_Onboard_TeamMember (f2f49eef-4b3f-4853-809a-a055c6103fe0)<br/>DYN365_ENTERPRISE_TEAM_MEMBERS (6a54b05e-4fab-40e7-9828-428db3b336fa)<br/>DYNAMICS_365_FOR_OPERATIONS_TEAM_MEMBERS (f5aa7b45-8a36-4cd1-bc37-5d06dea98645)<br/>Dynamics_365_for_Retail_Team_members (c0454a3d-32b5-4740-b090-78c32f48f0ad)<br/>Dynamics_365_for_Talent_Team_members (d5156635-0704-4f66-8803-93258f8b2678)<br/>FLOW_DYN_TEAM (1ec58c70-f69c-486a-8109-4b87ce86e449)<br/>POWERAPPS_DYN_TEAM (52e619e2-2730-439a-b0d3-d09ab7e8b705)<br/>PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | DYNAMICS 365 FOR TALENT - ATTRACT 
EXPERIENCE TEAM MEMBER (643d201a-9884-45be-962a-06ba97062e5e)<br/>DYNAMICS 365 FOR TALENT - ONBOARD EXPERIENCE (f2f49eef-4b3f-4853-809a-a055c6103fe0)<br/>DYNAMICS 365 FOR TEAM MEMBERS (6a54b05e-4fab-40e7-9828-428db3b336fa)<br/>DYNAMICS 365 FOR OPERATIONS TEAM MEMBERS (f5aa7b45-8a36-4cd1-bc37-5d06dea98645)<br/>DYNAMICS 365 FOR RETAIL TEAM MEMBERS (c0454a3d-32b5-4740-b090-78c32f48f0ad)<br/>DYNAMICS 365 FOR TALENT TEAM MEMBERS (d5156635-0704-4f66-8803-93258f8b2678)<br/>FLOW FOR DYNAMICS 365 (1ec58c70-f69c-486a-8109-4b87ce86e449)<br/>POWERAPPS FOR DYNAMICS 365 (52e619e2-2730-439a-b0d3-d09ab7e8b705)<br/>PROJECT ONLINE ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014) | | Dynamics 365 Guides | GUIDES_USER | 0a389a77-9850-4dc4-b600-bc66fdfefc60 | DYN365_CDS_GUIDES (1315ade1-0410-450d-b8e3-8050e6da320f)<br/>GUIDES (0b2c029c-dca0-454a-a336-887285d6ef07)<br/>POWERAPPS_GUIDES (816971f4-37c5-424a-b12b-b56881f402e7) | Common Data Service (1315ade1-0410-450d-b8e3-8050e6da320f)<br/>Dynamics 365 Guides (0b2c029c-dca0-454a-a336-887285d6ef07)<br/>Power Apps for Guides (816971f4-37c5-424a-b12b-b56881f402e7) |
-| Dynamics 365 Marketing Business Edition | DYN365_BUSINESS_MARKETING | 238e2f8d-e429-4035-94db-6926be4ffe7b | DYN365_BUSINESS_Marketing (393a0c96-9ba1-4af0-8975-fa2f853a25ac)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 Marketing (393a0c96-9ba1-4af0-8975-fa2f853a25ac)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |
| Dynamics 365 Operations - Device | Dynamics_365_for_Operations_Devices | 3bbd44ed-8a70-4c07-9088-6232ddbd5ddd | DYN365_RETAIL_DEVICE (ceb28005-d758-4df7-bb97-87a617b93d6c)<br/>Dynamics_365_for_OperationsDevices (2c9fb43e-915a-4d61-b6ca-058ece89fd66)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 for Retail Device (ceb28005-d758-4df7-bb97-87a617b93d6c)<br/>Dynamics 365 for Operations Devices (2c9fb43e-915a-4d61-b6ca-058ece89fd66)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) | | Dynamics 365 Operations - Sandbox Tier 2:Standard Acceptance Testing | Dynamics_365_for_Operations_Sandbox_Tier2_SKU | e485d696-4c87-4aac-bf4a-91b2fb6f0fa7 | Dynamics_365_for_Operations_Sandbox_Tier2 (d8ba6fb2-c6b1-4f07-b7c8-5f2745e36b54)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 for Operations non-production multi-box instance for standard acceptance testing (Tier 2) (d8ba6fb2-c6b1-4f07-b7c8-5f2745e36b54)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) | | Dynamics 365 Operations - Sandbox Tier 4:Standard Performance Testing | Dynamics_365_for_Operations_Sandbox_Tier4_SKU | f7ad4bca-7221-452c-bdb6-3e6089f25e06 | Dynamics_365_for_Operations_Sandbox_Tier4 (f6b5efb1-1813-426f-96d0-9b4f7438714f)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 for Operations, Enterprise Edition - Sandbox Tier 4:Standard Performance Testing (f6b5efb1-1813-426f-96d0-9b4f7438714f)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |
When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
| Microsoft 365 F5 Security Add-on | SPE_F5_SEC | 67ffe999-d9ca-49e1-9d2c-03fb28aa7a48 | MTP (bf28f719-7844-4079-9c78-c1307898e192)<br/>ATP_ENTERPRISE (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>WINDEFATP (871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>AAD_PREMIUM_P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>ADALLOM_S_STANDALONE (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)<br/>ATA (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f) | Microsoft 365 Defender (bf28f719-7844-4079-9c78-c1307898e192)<br/>Microsoft Defender for Office 365 (Plan 1) (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>Microsoft Defender for Office 365 (Plan 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>Microsoft Defender for Endpoint (871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>Azure Active Directory Premium P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>Microsoft Defender for Cloud Apps (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)<br/>Microsoft Defender for Identity (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f) | | Microsoft 365 F5 Security + Compliance Add-on | SPE_F5_SECCOMP | 32b47245-eb31-44fc-b945-a8b1576c439f | LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)<br/>BPOS_S_DlpAddOn (9bec7e34-c9fa-40b7-a9d1-bd6d1165c7ed)<br/>EXCHANGE_S_ARCHIVE_ADDON (176a09a6-7ec5-4039-ac02-b2791c6ba793)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Content_Explorer (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>MIP_S_CLP2 (efb0351d-3b08-4503-993d-383af8de41e3)<br/>M365_ADVANCED_AUDITING (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>MICROSOFT_COMMUNICATION_COMPLIANCE (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>MTP (bf28f719-7844-4079-9c78-c1307898e192)<br/>COMMUNICATIONS_DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>CUSTOMER_KEY (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>DATA_INVESTIGATIONS (46129a58-a698-46f0-aa5b-17f6586297d9)<br/>ATP_ENTERPRISE (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>INFO_GOVERNANCE 
(e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>INSIDER_RISK (d587c7a3-bda9-4f99-8776-9bcf59c84f75)<br/>ML_CLASSIFICATION (d2d51368-76c9-4317-ada2-a12c004c432f)<br/>RECORDS_MANAGEMENT (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>EQUIVIO_ANALYTICS (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>PAM_ENTERPRISE (b1188c4c-1b36-4018-b48b-ee07604f6feb)<br/>PREMIUM_ENCRYPTION (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>WINDEFATP (871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>MICROSOFTENDPOINTDLP (64bfac92-2b17-4482-b5e5-a0304429de3e)<br/>AAD_PREMIUM_P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>RMS_S_PREMIUM2 (5689bec4-755d-4753-8b61-40975025187c)<br/>ADALLOM_S_STANDALONE (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)<br/>ATA (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f) | Customer Lockbox (9f431833-0334-42de-a7dc-70aa40db46db)<br/>Data Loss Prevention (9bec7e34-c9fa-40b7-a9d1-bd6d1165c7ed)<br/>Exchange Online Archiving (176a09a6-7ec5-4039-ac02-b2791c6ba793)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Information Protection and Governance Analytics - Premium (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>Information Protection for Office 365 - Premium (efb0351d-3b08-4503-993d-383af8de41e3)<br/>Microsoft 365 Advanced Auditing (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>Microsoft 365 Communication Compliance (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>Microsoft 365 Defender (bf28f719-7844-4079-9c78-c1307898e192)<br/>Microsoft Communications DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>Microsoft Customer Key (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>Microsoft Data Investigations (46129a58-a698-46f0-aa5b-17f6586297d9)<br/>Microsoft Defender for Office 365 (Plan 1) (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>Microsoft Defender for Office 365 (Plan 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>Microsoft Information Governance (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>Microsoft Insider Risk Management (d587c7a3-bda9-4f99-8776-9bcf59c84f75)<br/>Microsoft ML-Based Classification 
(d2d51368-76c9-4317-ada2-a12c004c432f)<br/>Microsoft Records Management (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>Office 365 Advanced eDiscovery (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>Office 365 Privileged Access Management (b1188c4c-1b36-4018-b48b-ee07604f6feb)<br/>Premium Encryption in Office 365 (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>Microsoft Defender for Endpoint (871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>Microsoft Endpoint DLP (64bfac92-2b17-4482-b5e5-a0304429de3e)<br/>Azure Active Directory Premium P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>Azure Information Protection Premium P2 (5689bec4-755d-4753-8b61-40975025187c)<br/>Microsoft Defender for Cloud Apps (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)<br/>Microsoft Defender for Identity (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f) | | MICROSOFT FLOW FREE | FLOW_FREE | f30db892-07e9-47e9-837c-80727f46fd3d | DYN365_CDS_VIRAL (17ab22cd-a0b3-4536-910a-cb6eb12696c0)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>FLOW_P2_VIRAL (50e68c76-46c6-4674-81f9-75456511b170) | COMMON DATA SERVICE - VIRAL (17ab22cd-a0b3-4536-910a-cb6eb12696c0)<br/>EXCHANGE FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>FLOW FREE (50e68c76-46c6-4674-81f9-75456511b170) |
-| MICROSOFT 365 AUDIO CONFERENCING FOR GCC | MCOMEETADV_GOV | 2d3091c7-0712-488b-b3d8-6b97bde6a1f5 | EXCHANGE_S_FOUNDATION_GOV (922ba911-5694-4e99-a794-73aed9bfeec8)<br/>MCOMEETADV_GOV (f544b08d-1645-4287-82de-8d91f37c02a1) | EXCHANGE FOUNDATION FOR GOVERNMENT (922ba911-5694-4e99-a794-73aed9bfeec8)<br/>MICROSOFT 365 AUDIO CONFERENCING FOR GOVERNMENT (f544b08d-1645-4287-82de-8d91f37c02a1) |
| Microsoft 365 E5 Suite Features | M365_E5_SUITE_COMPONENTS | 99cc8282-2f74-4954-83b7-c6a9a1999067 | Content_Explorer (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>INSIDER_RISK (d587c7a3-bda9-4f99-8776-9bcf59c84f75)<br/>ML_CLASSIFICATION (d2d51368-76c9-4317-ada2-a12c004c432f)<br/>SAFEDOCS (bf6f5520-59e3-4f82-974b-7dbbc4fd27c7)<br/>MICROSOFTENDPOINTDLP (64bfac92-2b17-4482-b5e5-a0304429de3e) | Information Protection and Governance Analytics - Premium (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>Microsoft Insider Risk Management (d587c7a3-bda9-4f99-8776-9bcf59c84f75)<br/>Microsoft ML-Based Classification (d2d51368-76c9-4317-ada2-a12c004c432f)<br/>Office 365 SafeDocs (bf6f5520-59e3-4f82-974b-7dbbc4fd27c7)<br/>Microsoft Endpoint DLP (64bfac92-2b17-4482-b5e5-a0304429de3e) | | Microsoft 365 F1 | M365_F1_COMM | 50f60901-3181-4b75-8a2c-4c8e4c1d5a72 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)<br/>DYN365_CDS_O365_F1 (ca6e61ec-d4f4-41eb-8b88-d96e0e14323f)<br/>EXCHANGE_S_DESKLESS (4a82b400-a79f-41a4-b4e2-e94f5787b113)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>STREAM_O365_K (3ffba0d2-38e5-4d5e-8ec0-98f2b05c09d9)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>SHAREPOINTDESKLESS (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)<br/>MCOIMP (afc06cb0-b4f4-4473-8286-d644f70d8faf)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/> RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>ADALLOM_S_DISCOVERY 
(932ad362-64a8-4783-9106-97849a1a30b9)<br/>DYN365_CDS_O365_F1 (ca6e61ec-d4f4-41eb-8b88-d96e0e14323f)<br/>EXCHANGE_S_DESKLESS (4a82b400-a79f-41a4-b4e2-e94f5787b113)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>STREAM_O365_K (3ffba0d2-38e5-4d5e-8ec0-98f2b05c09d9)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>SHAREPOINTDESKLESS (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)<br/>MCOIMP (afc06cb0-b4f4-4473-8286-d644f70d8faf)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | | Microsoft 365 F3 GCC | M365_F1_GOV | 2a914830-d700-444a-b73c-e3f31980d833 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>RMS_S_PREMIUM_GOV (1b66aedf-8ca1-4f73-af76-ec76c6180f98)<br/>RMS_S_ENTERPRISE_GOV (6a76346d-5d6e-4051-9fe3-ed3f312b5597)<br/>DYN365_CDS_O365_F1_GCC (29007dd3-36c0-4cc2-935d-f5bca2c2c473)<br/>CDS_O365_F1_GCC (5e05331a-0aec-437e-87db-9ef5934b5771)<br/>EXCHANGE_S_DESKLESS_GOV (88f4d7ef-a73b-4246-8047-516022144c9f)<br/>FORMS_GOV_F1 (bfd4133a-bbf3-4212-972b-60412137c428)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>STREAM_O365_K_GOV (d65648f1-9504-46e4-8611-2658763f28b8)<br/>TEAMS_GOV (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708- 6ee03664b117)<br/>PROJECTWORKMANAGEMENT_GOV (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>SHAREPOINTWAC_GOV (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>OFFICEMOBILE_SUBSCRIPTION_GOV (4ccb60ee-9523-48fd-8f63-4b090f1ad77a)<br/>POWERAPPS_O365_S1_GOV (49f06c3d-da7d-4fa0-bcce-1458fdd18a59)<br/>FLOW_O365_S1_GOV 
(5d32692e-5b24-4a59-a77e-b2a8650e25c1)<br/>SHAREPOINTDESKLESS_GOV (b1aeb897-3a19-46e2-8c27-a609413cf193)<br/>MCOIMP_GOV (8a9f17f1-5872-44e8-9b11-3caade9dc90f)<br/>BPOS_S_TODO_FIRSTLINE (80873e7a-cd2a-4e67-b061-1b5381a676a5)<br/>WHITEBOARD_FIRSTLINE1 (36b29273-c6d0-477a-aca6-6fbe24f538e3) | Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Azure Information Protection Premium P1 for GCC (1b66aedf-8ca1-4f73-af76-ec76c6180f98)<br/>Azure Rights Management (6a76346d-5d6e-4051-9fe3-ed3f312b5597)<br/>Common Data Service - O365 F1 GCC (29007dd3-36c0-4cc2-935d-f5bca2c2c473)<br/>Common Data Service for Teams_F1 GCC (5e05331a-0aec-437e-87db-9ef5934b5771)<br/>Exchange Online (Kiosk) for Government (88f4d7ef-a73b-4246-8047-516022144c9f)<br/>Forms for Government (Plan F1) (bfd4133a-bbf3-4212-972b-60412137c428)<br/>Microsoft Azure Multi-Factor Authentication (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft Stream for O365 for Government (F1) (d65648f1-9504-46e4-8611-2658763f28b8)<br/>Microsoft Teams for Government (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office 365 Planner for Government (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>Office for the Web for Government (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>Office Mobile Apps for Office 365 for GCC (4ccb60ee-9523-48fd-8f63-4b090f1ad77a)<br/>Power Apps for Office 365 F3 for Government (49f06c3d-da7d-4fa0-bcce-1458fdd18a59)<br/>Power Automate for Office 365 F3 for Government (5d32692e-5b24-4a59-a77e-b2a8650e25c1)<br/>SharePoint KioskG (b1aeb897-3a19-46e2-8c27-a609413cf193)<br/>Skype for Business Online (Plan 1) for Government (8a9f17f1-5872-44e8-9b11-3caade9dc90f)<br/>To-Do (Firstline) (80873e7a-cd2a-4e67-b061-1b5381a676a5)<br/>Whiteboard (Firstline) (36b29273-c6d0-477a-aca6-6fbe24f538e3) |
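Review bot: In the Microsoft 365 F3 GCC row kept as context here, the INTUNE_O365 service plan ID is written "882e1d05-acd1-4ccb-8708- 6ee03664b117", with a space inside the GUID, so it will not match when searched or copied. Remove the space while this table is being edited. In the Microsoft 365 F1 row just above it, the friendly-names column repeats the string IDs (AAD_PREMIUM, RMS_S_PREMIUM and so on) instead of friendly names, unlike the neighbouring rows.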
When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
| Office 365 A1 for faculty | STANDARDWOFFPACK_FACULTY | 94763226-9b3c-4e75-a931-5c89701abe66 | AAD_BASIC_EDU (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>DYN365_CDS_O365_P1 (40b010bb-0b69-4654-ac5e-ba161433f4b4)<br/>EducationAnalyticsP1 (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>EXCHANGE_S_STANDARD 9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>OFFICE_FORMS_PLAN_2 (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>KAIZALA_O365_P2 (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>PROJECT_O365_P1 (a55dfd10-0864-46d9-a3cd-da5991a3e0e2)<br/>SCHOOL_DATA_SYNC_P1 (c33802dd-1b50-4b9a-8bb9-f13d2cdeadac)<br/>SHAREPOINTSTANDARD_EDU (0a4983bb-d3e5-4a09-95d8-b2d0127b3df5)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>VIVA_LEARNING_SEEDED (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>WHITEBOARD_PLAN1 (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a) | Azure Active Directory Basic for Education (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>Common Data Service - O365 P1 (40b010bb-0b69-4654-ac5e-ba161433f4b4)<br/>Education Analytics (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>Exchange Online (Plan 1) 
(9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Microsoft Azure Active Directory Rights (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Microsoft Forms (Plan 2) (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>Microsoft Kaizala Pro Plan 2 (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for Office 365 E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>Office for the Web for Education (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Office Mobile Apps for Office 365 (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>Power Apps for Office 365 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>Power Automate for Office 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>Project for Office (Plan E1) (a55dfd10-0864-46d9-a3cd-da5991a3e0e2)<br/>School Data Sync (Plan 1) (c33802dd-1b50-4b9a-8bb9-f13d2cdeadac)<br/>SharePoint (Plan 1) for Education (0a4983bb-d3e5-4a09-95d8-b2d0127b3df5)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 2) (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Viva Learning Seeded (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>Whiteboard (Plan 1) (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a) | | Office 365 A1 Plus for faculty | STANDARDWOFFPACK_IW_FACULTY | 78e66a63-337a-4a9a-8959-41c6654dfb56 | AAD_BASIC_EDU (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>DYN365_CDS_O365_P1 (40b010bb-0b69-4654-ac5e-ba161433f4b4)<br/>EducationAnalyticsP1 (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>EXCHANGE_S_STANDARD 
(9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>OFFICE_FORMS_PLAN_2 (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>KAIZALA_O365_P2 (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>PROJECT_O365_P1 (a55dfd10-0864-46d9-a3cd-da5991a3e0e2)<br/>SCHOOL_DATA_SYNC_P1 (c33802dd-1b50-4b9a-8bb9-f13d2cdeadac)<br/>SHAREPOINTSTANDARD_EDU (0a4983bb-d3e5-4a09-95d8-b2d0127b3df5)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>VIVA_LEARNING_SEEDED (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>WHITEBOARD_PLAN1 (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a) | Azure Active Directory Basic for Education (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>Common Data Service - O365 P1 (40b010bb-0b69-4654-ac5e-ba161433f4b4)<br/>Education Analytics (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>Exchange Online (Plan 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Microsoft 365 Apps for Enterprise (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Microsoft Azure Active Directory Rights (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Microsoft Forms (Plan 2) (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>Microsoft Kaizala Pro 
Plan 2 (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for Office 365 E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office for the Web for Education (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Power Apps for Office 365 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>Power Automate for Office 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>Project for Office (Plan E1) (a55dfd10-0864-46d9-a3cd-da5991a3e0e2)<br/>School Data Sync (Plan 1) (c33802dd-1b50-4b9a-8bb9-f13d2cdeadac)<br/>SharePoint (Plan 1) for Education (0a4983bb-d3e5-4a09-95d8-b2d0127b3df5)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 2) (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Viva Learning Seeded (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>Whiteboard (Plan 1) (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a) | | Office 365 A1 for students | STANDARDWOFFPACK_STUDENT | 314c4481-f395-4525-be8b-2ec4bb1e9d91 | AAD_BASIC_EDU (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>DYN365_CDS_O365_P1 (40b010bb-0b69-4654-ac5e-ba161433f4b4)<br/>EducationAnalyticsP1 (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>OFFICE_FORMS_PLAN_2 (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>KAIZALA_O365_P2 (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless 
(8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>PROJECT_O365_P1 (a55dfd10-0864-46d9-a3cd-da5991a3e0e2)<br/>SCHOOL_DATA_SYNC_P1 (c33802dd-1b50-4b9a-8bb9-f13d2cdeadac)<br/>SHAREPOINTSTANDARD_EDU (0a4983bb-d3e5-4a09-95d8-b2d0127b3df5)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>WHITEBOARD_PLAN1 (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a) | Azure Active Directory Basic for Education (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>Common Data Service - O365 P1 (40b010bb-0b69-4654-ac5e-ba161433f4b4)<br/>Education Analytics (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>Exchange Online (Plan 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Microsoft Azure Active Directory Rights (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/> Microsoft Forms (Plan 2) (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>Microsoft Kaizala Pro Plan 2 (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for Office 365 E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office for the Web for Education (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Office Mobile Apps for Office 
365 (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>Power Apps for Office 365 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>Power Automate for Office 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>Project for Office (Plan E1) (a55dfd10-0864-46d9-a3cd-da5991a3e0e2)<br/>School Data Sync (Plan 1) (c33802dd-1b50-4b9a-8bb9-f13d2cdeadac)<br/>SharePoint (Plan 1) for Education (0a4983bb-d3e5-4a09-95d8-b2d0127b3df5)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 2) (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Whiteboard (Plan 1) (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a) |
-| Office 365 A1 Plus for students | STANDARDWOFFPACK_IW_STUDENT | e82ae690-a2d5-4d76-8d30-7c6e01e6022e | AAD_BASIC_EDU (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/> DYN365_CDS_O365_P1 (40b010bb-0b69-4654-ac5e-ba161433f4b4)<br/>EducationAnalyticsP1 (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>OFFICE_FORMS_PLAN_2 (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>KAIZALA_O365_P2 (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>PROJECT_O365_P1 (a55dfd10-0864-46d9-a3cd-da5991a3e0e2)<br/>SCHOOL_DATA_SYNC_P1 (c33802dd-1b50-4b9a-8bb9-f13d2cdeadac)<br/>SHAREPOINTSTANDARD_EDU (0a4983bb-d3e5-4a09-95d8-b2d0127b3df5)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>WHITEBOARD_PLAN1 (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a) | Azure Active Directory Basic for Education (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>Common Data Service - O365 P1 (40b010bb-0b69-4654-ac5e-ba161433f4b4)<br/>Education Analytics (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>Exchange Online (Plan 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>Information Barriers 
(c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Microsoft 365 Apps for Enterprise (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Microsoft Azure Active Directory Rights (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Microsoft Forms (Plan 2) (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>Microsoft Kaizala Pro Plan 2 (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for Office 365 E3 (9e700747-8b1d-45e5-ab8d-ef187ceec15 6)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office for the Web for Education (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Power Apps for Office 365 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>Power Automate for Office 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>Project for Office (Plan E1) (a55dfd10-0864-46d9-a3cd-da5991a3e0e2)<br/>School Data Sync (Plan 1) (c33802dd-1b50-4b9a-8bb9-f13d2cdeadac)<br/>SharePoint (Plan 1) for Education (0a4983bb-d3e5-4a09-95d8-b2d0127b3df5)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 2) (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Whiteboard (Plan 1) (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a) |
+| Office 365 A1 Plus for students | STANDARDWOFFPACK_IW_STUDENT | e82ae690-a2d5-4d76-8d30-7c6e01e6022e | AAD_BASIC_EDU (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/> DYN365_CDS_O365_P1 (40b010bb-0b69-4654-ac5e-ba161433f4b4)<br/>EducationAnalyticsP1 (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>OFFICE_FORMS_PLAN_2 (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>KAIZALA_O365_P2 (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>PROJECT_O365_P1 (a55dfd10-0864-46d9-a3cd-da5991a3e0e2)<br/>SCHOOL_DATA_SYNC_P1 (c33802dd-1b50-4b9a-8bb9-f13d2cdeadac)<br/>SHAREPOINTSTANDARD_EDU (0a4983bb-d3e5-4a09-95d8-b2d0127b3df5)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>WHITEBOARD_PLAN1 (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a) | Azure Active Directory Basic for Education (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>Common Data Service - O365 P1 (40b010bb-0b69-4654-ac5e-ba161433f4b4)<br/>Education Analytics (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>Exchange Online (Plan 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>Information Barriers 
(c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Microsoft 365 Apps for Enterprise (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Microsoft Azure Active Directory Rights (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Microsoft Forms (Plan 2) (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>Microsoft Kaizala Pro Plan 2 (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for Office 365 E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office for the Web for Education (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Power Apps for Office 365 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>Power Automate for Office 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>Project for Office (Plan E1) (a55dfd10-0864-46d9-a3cd-da5991a3e0e2)<br/>School Data Sync (Plan 1) (c33802dd-1b50-4b9a-8bb9-f13d2cdeadac)<br/>SharePoint (Plan 1) for Education (0a4983bb-d3e5-4a09-95d8-b2d0127b3df5)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 2) (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Whiteboard (Plan 1) (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a) |
| Office 365 A3 for faculty | ENTERPRISEPACKPLUS_FACULTY | e578b273-6db4-4691-bba0-8d691f4da603 | AAD_BASIC_EDU (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>DYN365_CDS_O365_P2 (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>CDS_O365_P2 (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>EducationAnalyticsP1 (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>MYANALYTICS_P2 (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>OFFICE_FORMS_PLAN_2 (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>KAIZALA_O365_P3 (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>POWER_VIRTUAL_AGENTS_O365_P2 (041fe683-03e4-45b6-b1af-c0cdc516daee)<br/>PROJECT_O365_P2 (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>SCHOOL_DATA_SYNC_P2 (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SHAREPOINTENTERPRISE_EDU (63038b2c-28d0-45f6-bc36-33062963b498)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_2 (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>WHITEBOARD_PLAN2 (94a54592-cd8b-425e-87c6-97868b000b91)<br/> YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a) | Azure Active Directory Basic for EDU 
(1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>Common Data Service - O365 P2 (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>Common Data Service for Teams_P2 (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>Education Analytics (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Information Protection for Office 365 ΓÇô Standard (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>Insights by MyAnalytics (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>Microsoft 365 Apps for enterprise (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Microsoft Azure Active Directory Rights (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Forms (Plan 2) (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>Microsoft Kaizala Pro Plan 3 (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for O365 E3 SKU (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office 365 Advanced Security Management (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>Office for the web (Education) (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Power Apps for Office 365 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>Power Automate for Office 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>Power Virtual Agents for Office 365 P2 (041fe683-03e4-45b6-b1af-c0cdc516daee)<br/>Project for Office (Plan E3) (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>School Data Sync (Plan 2) (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SharePoint Plan 2 for EDU (63038b2c-28d0-45f6-bc36-33062963b498)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 2) 
(c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Whiteboard (Plan 2) (94a54592-cd8b-425e-87c6-97868b000b91)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a) | | Office 365 A3 for students | ENTERPRISEPACKPLUS_STUDENT | 98b6e773-24d4-4c0d-a968-6e787a1f8204 | AAD_BASIC_EDU (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>DYN365_CDS_O365_P2 (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>CDS_O365_P2 (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>EducationAnalyticsP1 (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>MYANALYTICS_P2 (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>OFFICE_FORMS_PLAN_2 (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>KAIZALA_O365_P3 (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E3 (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>POWERAPPS_O365_P2 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>FLOW_O365_P2 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>POWER_VIRTUAL_AGENTS_O365_P2 (041fe683-03e4-45b6-b1af-c0cdc516daee)<br/>PROJECT_O365_P2 (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>SCHOOL_DATA_SYNC_P2 (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SHAREPOINTENTERPRISE_EDU (63038b2c-28d0-45f6-bc36-33062963b498)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_2 
(c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>WHITEBOARD_PLAN2 (94a54592-cd8b-425e-87c6-97868b000b91)<br/>YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a) | Azure Active Directory Basic for Education (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>Common Data Service - O365 P2 (4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14)<br/>Common Data Service for Teams_P2 (95b76021-6a53-4741-ab8b-1d1f3d66a95a)<br/>Education Analytics (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Information Protection for Office 365 ΓÇô Standard (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>Insights by MyAnalytics (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>Microsoft 365 Apps for Enterprise (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Microsoft Azure Active Directory Rights (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Forms (Plan 2) (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>Microsoft Kaizala Pro Plan 3 (aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for O365 E3 SKU (9e700747-8b1d-45e5-ab8d-ef187ceec156)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office 365 Advanced Security Management (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>Office for the Web for Education (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Power Apps for Office 365 (c68f8d98-5534-41c8-bf36-22fa496fa792)<br/>Power Automate for Office 365 (76846ad7-7776-4c40-a281-a386362dd1b9)<br/>Power Virtual Agents for Office 365 P2 (041fe683-03e4-45b6-b1af-c0cdc516daee)<br/>Project for Office (Plan E3) (31b4e2fc-4cd6-4e7d-9c1b-41407303bd66)<br/>School Data Sync (Plan 2) (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SharePoint (Plan 2) for 
Education (63038b2c-28d0-45f6-bc36-33062963b498)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 2) (c87f142c-d1e9-4363-8630-aaea9c4d9ae5)<br/>Whiteboard (Plan 2) (94a54592-cd8b-425e-87c6-97868b000b91)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a) | | Office 365 A5 for faculty| ENTERPRISEPREMIUM_FACULTY | a4585165-0533-458a-97e3-c400570268c4 | AAD_BASIC_EDU (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)<br/>EducationAnalyticsP1 (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>FLOW_O365_P3 (07699545-9485-468e-95b6-2fca3738be01)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>MIP_S_CLP2 (efb0351d-3b08-4503-993d-383af8de41e3)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>M365_ADVANCED_AUDITING (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>COMMUNICATIONS_COMPLIANCE (41fcdd7d-4733-4863-9cf4-c65b83ce2df4)<br/>COMMUNICATIONS_DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>CUSTOMER_KEY (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>DATA_INVESTIGATIONS (46129a58-a698-46f0-aa5b-17f6586297d9)<br/>OFFICE_FORMS_PLAN_3 (96c1e14a-ef43-418d-b115-9636cdaa8eed)<br/>INFO_GOVERNANCE (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>KAIZALA_STANDALONE (0898bdbb-73b0-471a-81e5-20f1fe4dd66e)<br/>EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>RECORDS_MANAGEMENT (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E5 
(6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>EQUIVIO_ANALYTICS (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>ATP_ENTERPRISE (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>PAM_ENTERPRISE (b1188c4c-1b36-4018-b48b-ee07604f6feb)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba)<br/>POWERAPPS_O365_P3 (9c0dab89-a30c-4117-86e7-97bda240acd2)<br/>PREMIUM_ENCRYPTION (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>SCHOOL_DATA_SYNC_P2 (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SHAREPOINTENTERPRISE_EDU (63038b2c-28d0-45f6-bc36-33062963b498)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af)<br/>YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a) | Azure Active Directory Basic for EDU (1d0f309f-fdf9-4b2a-9ae7-9c48b91f1426)<br/>Azure Rights Management (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Customer Lockbox (9f431833-0334-42de-a7dc-70aa40db46db)<br/>Education Analytics (a9b86446-fa4e-498f-a92a-41b447e03337)<br/>Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Flow for Office 365 (07699545-9485-468e-95b6-2fca3738be01)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Information Protection for Office 365 - Premium (efb0351d-3b08-4503-993d-383af8de41e3)<br/>Information Protection for Office 365 - Standard (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>Microsoft 365 Advanced Auditing (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>Microsoft 365 Audio Conferencing (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>Microsoft 365 Phone System 
(4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Communications Compliance (41fcdd7d-4733-4863-9cf4-c65b83ce2df4)<br/>Microsoft Communications DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>Microsoft Customer Key (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>Microsoft Data Investigations (46129a58-a698-46f0-aa5b-17f6586297d9)<br/>Microsoft Forms (Plan 3) (96c1e14a-ef43-418d-b115-9636cdaa8eed)<br/>Microsoft Information Governance (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>Microsoft Kaizala (0898bdbb-73b0-471a-81e5-20f1fe4dd66e)<br/>Microsoft MyAnalytics (Full) (34c0d7a0-a70f-4668-9238-47f9fc208882)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Records Management (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for O365 E5 SKU (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office 365 Advanced eDiscovery (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>Office 365 Advanced Security Management (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>Microsoft Defender for Office 365 (Plan 1) (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>Microsoft Defender for Office 365 (Plan 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>Office 365 Privileged Access Management (b1188c4c-1b36-4018-b48b-ee07604f6feb)<br/>Office 365 ProPlus (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Office for the web (Education) (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Power BI Pro (70d33638-9c74-4d01-bfd3-562de28bd4ba)<br/>PowerApps for Office 365 Plan 3 (9c0dab89-a30c-4117-86e7-97bda240acd2)<br/>Premium Encryption in Office 365 (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>School Data Sync (Plan 2) (500b6a2a-7a50-4f40-b5f9-160e5b8c2f48)<br/>SharePoint Plan 2 for EDU 
(63038b2c-28d0-45f6-bc36-33062963b498)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 3) (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a) |
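Review bot: The added `Office 365 A1 Plus for students` row still has a stray space after the first `<br/>` in the service-plans column (`<br/> DYN365_CDS_O365_P1`), the same kind of whitespace slip this change removes from the Microsoft Stream GUID (`ef187ceec15 6` becomes `ef187ceec156`). Drop that space in the same commit, since anyone splitting the cell on `<br/>` to build a plan-name lookup will otherwise get a key with a leading blank. Because these IDs are copied into license-assignment scripts, it would also help to lint the table so every parenthesised ID matches the 8-4-4-4-12 hex pattern; that check would have caught the broken GUID before publication.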
When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
| Office 365 E5 | ENTERPRISEPREMIUM | c7df2760-2c81-4ef7-b578-5b5392b571df | DYN365_CDS_O365_P3 (28b0fa46-c39a-4188-89e2-58e979a6b014)<br/>CDS_O365_P3 (afa73018-811e-46e9-988f-f75d2b1b8430)<br/>LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)<br/>MIP_S_Exchange (cd31b152-6326-4d1b-ae1b-997b625182e6)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>GRAPH_CONNECTORS_SEARCH_INDEX (a6520331-d7d4-4276-95f5-15c0933bc757)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Content_Explorer (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>ContentExplorer_Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>MIP_S_CLP2 (efb0351d-3b08-4503-993d-383af8de41e3)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>MYANALYTICS_P2 (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>MICROSOFT_COMMUNICATION_COMPLIANCE (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>M365_ADVANCED_AUDITING (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>MTP (bf28f719-7844-4079-9c78-c1307898e192)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>COMMUNICATIONS_DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>CUSTOMER_KEY (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>DATA_INVESTIGATIONS (46129a58-a698-46f0-aa5b-17f6586297d9)<br/>ATP_ENTERPRISE (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>EXCEL_PREMIUM (531ee2f8-b1cb-453b-9c21-d2180d014ca5)<br/>FORMS_PLAN_E5 (e212cbc7-0961-4c40-9825-01117710dcb1)<br/>INFO_GOVERNANCE (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>KAIZALA_STANDALONE (0898bdbb-73b0-471a-81e5-20f1fe4dd66e)<br/>EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>RECORDS_MANAGEMENT 
(65cc641f-cccd-4643-97e0-a17e3045e541)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_E5 (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>EQUIVIO_ANALYTICS (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>PAM_ENTERPRISE (b1188c4c-1b36-4018-b48b-ee07604f6feb)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>FLOW_O365_P3 (07699545-9485-468e-95b6-2fca3738be01)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba)<br/>POWER_VIRTUAL_AGENTS_O365_P3 (ded3d325-1bdc-453e-8432-5bac26d7a014)<br/>POWERAPPS_O365_P3 (9c0dab89-a30c-4117-86e7-97bda240acd2)<br/>PREMIUM_ENCRYPTION (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>PROJECT_O365_P3 (b21a6b06-1988-436e-a07b-51ec6d9f52ad)<br/>COMMUNICATIONS_COMPLIANCE (41fcdd7d-4733-4863-9cf4-c65b83ce2df4)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | Common Data Service - O365 P3 (28b0fa46-c39a-4188-89e2-58e979a6b014)<br/>Common Data Service for Teams_P3 (afa73018-811e-46e9-988f-f75d2b1b8430)<br/>Customer Lockbox (9f431833-0334-42de-a7dc-70aa40db46db)<br/>Data Classification in Microsoft 365 (cd31b152-6326-4d1b-ae1b-997b625182e6)<br/>Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Graph Connectors Search with Index (a6520331-d7d4-4276-95f5-15c0933bc757)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Information Protection and Governance Analytics ΓÇô Premium (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>Information Protection and Governance Analytics ΓÇô Standard 
(2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>Information Protection for Office 365 ΓÇô Premium (efb0351d-3b08-4503-993d-383af8de41e3)<br/>Information Protection for Office 365 ΓÇô Standard (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>Insights by MyAnalytics (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>M365 Communication Compliance (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>Microsoft 365 Advanced Auditing (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>Microsoft 365 Apps for enterprise (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Microsoft 365 Audio Conferencing (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>Microsoft 365 Defender (bf28f719-7844-4079-9c78-c1307898e192)<br/>Microsoft 365 Phone System (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>Microsoft Azure Active Directory Rights (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Communications DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>Microsoft Customer Key (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>Microsoft Data Investigations (46129a58-a698-46f0-aa5b-17f6586297d9)<br/>Microsoft Defender for Office 365 (Plan 1) (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>Microsoft Defender for Office 365 (Plan 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>Microsoft Excel Advanced Analytics (531ee2f8-b1cb-453b-9c21-d2180d014ca5)<br/>Microsoft Forms (Plan E5) (e212cbc7-0961-4c40-9825-01117710dcb1)<br/>Microsoft Information Governance (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>Microsoft Kaizala (0898bdbb-73b0-471a-81e5-20f1fe4dd66e)<br/>Microsoft MyAnalytics (Full) (34c0d7a0-a70f-4668-9238-47f9fc208882)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Records Management (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for O365 E5 SKU (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>Microsoft Teams 
(57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office 365 Advanced eDiscovery (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>Office 365 Advanced Security Management (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>Office 365 Privileged Access Management (b1188c4c-1b36-4018-b48b-ee07604f6feb)<br/>Office for the web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Power Automate for Office 365 (07699545-9485-468e-95b6-2fca3738be01)<br/>Power BI Pro (70d33638-9c74-4d01-bfd3-562de28bd4ba)<br/>Power Virtual Agents for Office 365 P3 (ded3d325-1bdc-453e-8432-5bac26d7a014)<br/>PowerApps for Office 365 Plan 3 (9c0dab89-a30c-4117-86e7-97bda240acd2)<br/>Premium Encryption in Office 365 (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>Project for Office (Plan E5) (b21a6b06-1988-436e-a07b-51ec6d9f52ad)<br/>Microsoft Communications Compliance (41fcdd7d-4733-4863-9cf4-c65b83ce2df4)<br/>SharePoint (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 3) (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af)<br/>Yammer Enterprise (7547a3fe-08ee-4ccb-b430-5077c5041653) | | OFFICE 365 E5 WITHOUT AUDIO CONFERENCING | ENTERPRISEPREMIUM_NOPSTNCONF | 26d45bd9-adf1-46cd-a9e1-51e9a5524128 | ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba)<br/>BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>EQUIVIO_ANALYTICS (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>FLOW_O365_P3 (07699545-9485-468e-95b6-2fca3738be01)<br/>FORMS_PLAN_E5 (e212cbc7-0961-4c40-9825-01117710dcb1)<br/>LOCKBOX_ENTERPRISE 
(9f431833-0334-42de-a7dc-70aa40db46db)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>POWERAPPS_O365_P3 (9c0dab89-a30c-4117-86e7-97bda240acd2)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>STREAM_O365_E5 (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | OFFICE 365 CLOUD APP SECURITY (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>POWER BI PRO (70d33638-9c74-4d01-bfd3-562de28bd4ba)<br/>BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>MICROSOFT STAFFHUB (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>OFFICE 365 ADVANCED EDISCOVERY (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>EXCHANGE_ANALYTICS (34c0d7a0-a70f-4668-9238-47f9fc208882)<br/>EXCHANGE ONLINE (PLAN 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>FLOW FOR OFFICE 365 (07699545-9485-468e-95b6-2fca3738be01)<br/>MICROSOFT FORMS (PLAN E5) (e212cbc7-0961-4c40-9825-01117710dcb1)<br/>LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)<br/>PHONE SYSTEM (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>POWERAPPS FOR OFFICE 365 (9c0dab89-a30c-4117-86e7-97bda240acd2)<br/>MICROSOFT PLANNER(b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT AZURE ACTIVE DIRECTORY RIGHTS (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>SHAREPOINT ONLINE (PLAN 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>OFFICE ONLINE (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>MICROSOFT STREAM FOR O365 
E5 SKU (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>OFFICE 365 ADVANCED THREAT PROTECTION (PLAN 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | | OFFICE 365 F3 | DESKLESSPACK | 4b585984-651b-448a-9e53-3b10f069cf7f | DYN365_CDS_O365_F1 (ca6e61ec-d4f4-41eb-8b88-d96e0e14323f)<br/>CDS_O365_F1 (90db65a7-bf11-4904-a79f-ef657605145b)<br/>EXCHANGE_S_DESKLESS (4a82b400-a79f-41a4-b4e2-e94f5787b113)<br/>RMS_S_BASIC (31cf2cfc-6b0d-4adc-a336-88b724ed8122)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>FORMS_PLAN_K (f07046bd-2a3c-4b96-b0be-dea79d7cbfb8)<br/>KAIZALA_O365_P1 (73b2a583-6a59-42e3-8e83-54db46bc3278)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>STREAM_O365_K (3ffba0d2-38e5-4d5e-8ec0-98f2b05c09d9)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>POWERAPPS_O365_S1 (e0287f9f-e222-4f98-9a83-f379e249159a)<br/>FLOW_O365_S1 (bd91b1a4-9f94-4ecf-b45b-3a65e5c8128a)<br/>POWER_VIRTUAL_AGENTS_O365_F1 (ba2fdb48-290b-4632-b46a-e4ecc58ac11a)<br/>PROJECT_O365_F3 (7f6f28c2-34bb-4d4b-be36-48ca2e77e1ec)<br/>SHAREPOINTDESKLESS (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)<br/>MCOIMP (afc06cb0-b4f4-4473-8286-d644f70d8faf)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_FIRSTLINE (80873e7a-cd2a-4e67-b061-1b5381a676a5)<br/>WHITEBOARD_FIRSTLINE1 (36b29273-c6d0-477a-aca6-6fbe24f538e3)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | Common Data Service - O365 F1 (ca6e61ec-d4f4-41eb-8b88-d96e0e14323f)<br/>Common Data Service for Teams_F1 (90db65a7-bf11-4904-a79f-ef657605145b)<br/>Exchange 
Online Kiosk (4a82b400-a79f-41a4-b4e2-e94f5787b113)<br/>Microsoft Azure Rights Management Service (31cf2cfc-6b0d-4adc-a336-88b724ed8122)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Forms (Plan F1) (f07046bd-2a3c-4b96-b0be-dea79d7cbfb8)<br/>Microsoft Kaizala Pro Plan 1 (73b2a583-6a59-42e3-8e83-54db46bc3278)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Stream for Office 365 F3 (3ffba0d2-38e5-4d5e-8ec0-98f2b05c09d9)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Office Mobile Apps for Office 365 (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>Power Apps for Office 365 F3 (e0287f9f-e222-4f98-9a83-f379e249159a)<br/>Power Automate for Office 365 F3 (bd91b1a4-9f94-4ecf-b45b-3a65e5c8128a)<br/>Power Virtual Agents for Office 365 F1 (ba2fdb48-290b-4632-b46a-e4ecc58ac11a)<br/>Project for Office (Plan F) (7f6f28c2-34bb-4d4b-be36-48ca2e77e1ec)<br/>SharePoint Kiosk (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)<br/>Skype for Business Online (Plan 1) (afc06cb0-b4f4-4473-8286-d644f70d8faf)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Firstline) (80873e7a-cd2a-4e67-b061-1b5381a676a5)<br/>Whiteboard (Firstline) (36b29273-c6d0-477a-aca6-6fbe24f538e3)<br/>Yammer Enterprise (7547a3fe-08ee-4ccb-b430-5077c5041653) |
-| Office 365 G1 GCC | STANDARDPACK_GOV | 3f4babde-90ec-47c6-995d-d223749065d1 | DYN365_CDS_O365_P1_GCC (8eb5e9bc-783f-4425-921a-c65f45dd72c6)<br/>CDS_O365_P1_GCC (959e5dec-6522-4d44-8349-132c27c3795a)<br/>EXCHANGE_S_STANDARD_GOV (e9b4930a-925f-45e2-ac2a-3f7788ca6fdd)<br/>FORMS_GOV_E1 (f4cba850-4f34-4fd2-a341-0fddfdce1e8f)<br/>MYANALYTICS_P2_GOV (6e5b7995-bd4f-4cbd-9d19-0e32010c72f0)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>STREAM_O365_E1_GOV (15267263-5986-449d-ac5c-124f3b49b2d6)<br/>TEAMS_GOV (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>PROJECTWORKMANAGEMENT_GOV (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>SHAREPOINTWAC_GOV (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>OFFICEMOBILE_SUBSCRIPTION_GOV (4ccb60ee-9523-48fd-8f63-4b090f1ad77a)<br/>POWERAPPS_O365_P1_GOV (c42aa49a-f357-45d5-9972-bc29df885fee)<br/>FLOW_O365_P1_GOV (ad6c8870-6356-474c-901c-64d7da8cea48)<br/>SharePoint Plan 1G (f9c43823-deb4-46a8-aa65-8b551f0c4f8a)<br/>MCOSTANDARD_GOV (a31ef4a2-f787-435e-8335-e47eb0cafc94)<br/>BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>WHITEBOARD_PLAN1 (b8afc642-032e-4de5-8c0a-507a7bba7e5d) | Common Data Service - O365 P1 GCC (8eb5e9bc-783f-4425-921a-c65f45dd72c6)<br/>Common Data Service for Teams_P1 GCC (959e5dec-6522-4d44-8349-132c27c3795a)<br/>Exchange Online (Plan 1) for Government (e9b4930a-925f-45e2-ac2a-3f7788ca6fdd)<br/>Forms for Government (Plan E1) (f4cba850-4f34-4fd2-a341-0fddfdce1e8f)<br/>Insights by MyAnalytics for Government (6e5b7995-bd4f-4cbd-9d19-0e32010c72f0)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft Stream for O365 for Government (E1) (15267263-5986-449d-ac5c-124f3b49b2d6)<br/>Microsoft Teams for Government(304767db-7d23-49e8-a945- 4a7eb65f9f28)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office 365 Planner for Government (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>Office for the Web for Government 
(8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>Office Mobile Apps for Office 365 for GCC (4ccb60ee-9523-48fd-8f63-4b090f1ad77a)<br/> Power Apps for Office 365 for Government (c42aa49a-f357-45d5-9972-bc29df885fee)<br/>Power Automate for Office 365 for Government (ad6c8870-6356-474c-901c-64d7da8cea48)<br/>SharePoint Plan 1G (f9c43823-deb4-46a8-aa65-8b551f0c4f8a)<br/>Skype for Business Online (Plan 2) for Government (a31ef4a2-f787-435e-8335-e47eb0cafc94)<br/>To-Do (Plan 1) (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>Whiteboard (Plan 1) (b8afc642-032e-4de5-8c0a-507a7bba7e5d) |
+| Office 365 G1 GCC | STANDARDPACK_GOV | 3f4babde-90ec-47c6-995d-d223749065d1 | DYN365_CDS_O365_P1_GCC (8eb5e9bc-783f-4425-921a-c65f45dd72c6)<br/>CDS_O365_P1_GCC (959e5dec-6522-4d44-8349-132c27c3795a)<br/>EXCHANGE_S_STANDARD_GOV (e9b4930a-925f-45e2-ac2a-3f7788ca6fdd)<br/>FORMS_GOV_E1 (f4cba850-4f34-4fd2-a341-0fddfdce1e8f)<br/>MYANALYTICS_P2_GOV (6e5b7995-bd4f-4cbd-9d19-0e32010c72f0)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>STREAM_O365_E1_GOV (15267263-5986-449d-ac5c-124f3b49b2d6)<br/>TEAMS_GOV (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>PROJECTWORKMANAGEMENT_GOV (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>SHAREPOINTWAC_GOV (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>OFFICEMOBILE_SUBSCRIPTION_GOV (4ccb60ee-9523-48fd-8f63-4b090f1ad77a)<br/>POWERAPPS_O365_P1_GOV (c42aa49a-f357-45d5-9972-bc29df885fee)<br/>FLOW_O365_P1_GOV (ad6c8870-6356-474c-901c-64d7da8cea48)<br/>SharePoint Plan 1G (f9c43823-deb4-46a8-aa65-8b551f0c4f8a)<br/>MCOSTANDARD_GOV (a31ef4a2-f787-435e-8335-e47eb0cafc94)<br/>BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>WHITEBOARD_PLAN1 (b8afc642-032e-4de5-8c0a-507a7bba7e5d) | Common Data Service - O365 P1 GCC (8eb5e9bc-783f-4425-921a-c65f45dd72c6)<br/>Common Data Service for Teams_P1 GCC (959e5dec-6522-4d44-8349-132c27c3795a)<br/>Exchange Online (Plan 1) for Government (e9b4930a-925f-45e2-ac2a-3f7788ca6fdd)<br/>Forms for Government (Plan E1) (f4cba850-4f34-4fd2-a341-0fddfdce1e8f)<br/>Insights by MyAnalytics for Government (6e5b7995-bd4f-4cbd-9d19-0e32010c72f0)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft Stream for O365 for Government (E1) (15267263-5986-449d-ac5c-124f3b49b2d6)<br/>Microsoft Teams for Government (304767db-7d23-49e8-a945- 4a7eb65f9f28)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office 365 Planner for Government (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>Office for the Web for Government 
(8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>Office Mobile Apps for Office 365 for GCC (4ccb60ee-9523-48fd-8f63-4b090f1ad77a)<br/> Power Apps for Office 365 for Government (c42aa49a-f357-45d5-9972-bc29df885fee)<br/>Power Automate for Office 365 for Government (ad6c8870-6356-474c-901c-64d7da8cea48)<br/>SharePoint Plan 1G (f9c43823-deb4-46a8-aa65-8b551f0c4f8a)<br/>Skype for Business Online (Plan 2) for Government (a31ef4a2-f787-435e-8335-e47eb0cafc94)<br/>To-Do (Plan 1) (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>Whiteboard (Plan 1) (b8afc642-032e-4de5-8c0a-507a7bba7e5d) |
| OFFICE 365 G3 GCC | ENTERPRISEPACK_GOV | 535a3a29-c5f0-42fe-8215-d3b9e1f38c4a | RMS_S_ENTERPRISE_GOV (6a76346d-5d6e-4051-9fe3-ed3f312b5597)<br/>DYN365_CDS_O365_P2_GCC (06162da2-ebf9-4954-99a0-00fee96f95cc)<br/>CDS_O365_P2_GCC (a70bbf38-cdda-470d-adb8-5804b8770f41)<br/>EXCHANGE_S_ENTERPRISE_GOV (8c3069c0-ccdb-44be-ab77-986203a67df2)<br/>FORMS_GOV_E3 (24af5f65-d0f3-467b-9f78-ea798c4aeffc)<br/>Content_Explorer (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>ContentExplorer_Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>MYANALYTICS_P2_GOV (6e5b7995-bd4f-4cbd-9d19-0e32010c72f0)<br/>OFFICESUBSCRIPTION_GOV (de9234ff-6483-44d9-b15e-dca72fdd27af)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>STREAM_O365_E3_GOV (2c1ada27-dbaa-46f9-bda6-ecb94445f758)<br/>TEAMS_GOV (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>PROJECTWORKMANAGEMENT_GOV (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>SHAREPOINTWAC_GOV (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>POWERAPPS_O365_P2_GOV (0a20c815-5e81-4727-9bdc-2b5a117850c3)<br/>FLOW_O365_P2_GOV (c537f360-6a00-4ace-a7f5-9128d0ac1e4b)<br/>SHAREPOINTENTERPRISE_GOV (153f85dd-d912-4762-af6c-d6e0fb4f6692)<br/>MCOSTANDARD_GOV (a31ef4a2-f787-435e-8335-e47eb0cafc94) | AZURE RIGHTS MANAGEMENT (6a76346d-5d6e-4051-9fe3-ed3f312b5597)<br/>COMMON DATA SERVICE - O365 P2 GCC (06162da2-ebf9-4954-99a0-00fee96f95cc)<br/>COMMON DATA SERVICE FOR TEAMS_P2 GCC (a70bbf38-cdda-470d-adb8-5804b8770f41)<br/>EXCHANGE PLAN 2G (8c3069c0-ccdb-44be-ab77-986203a67df2)<br/>FORMS FOR GOVERNMENT (PLAN E3) (24af5f65-d0f3-467b-9f78-ea798c4aeffc)<br/>INFORMATION PROTECTION AND GOVERNANCE ANALYTICS ΓÇô PREMIUM (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>INFORMATION PROTECTION AND GOVERNANCE ANALYTICS ΓÇô STANDARD (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>INFORMATION PROTECTION FOR OFFICE 365 ΓÇô STANDARD (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>INSIGHTS BY MYANALYTICS 
FOR GOVERNMENT (6e5b7995-bd4f-4cbd-9d19-0e32010c72f0)<br/>MICROSOFT 365 APPS FOR ENTERPRISE G (de9234ff-6483-44d9-b15e-dca72fdd27af)<br/>MICROSOFT BOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>MICROSOFT STREAM FOR O365 FOR GOVERNMENT (E3) (2c1ada27-dbaa-46f9-bda6-ecb94445f758)<br/>MICROSOFT TEAMS FOR GOVERNMENT (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>MOBILE DEVICE MANAGEMENT FOR OFFICE 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>OFFICE 365 PLANNER FOR GOVERNMENT (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>OFFICE FOR THE WEB (GOVERNMENT) (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>POWER APPS FOR OFFICE 365 FOR GOVERNMENT (0a20c815-5e81-4727-9bdc-2b5a117850c3)<br/>POWER AUTOMATE FOR OFFICE 365 FOR GOVERNMENT (c537f360-6a00-4ace-a7f5-9128d0ac1e4b)<br/>SHAREPOINT PLAN 2G (153f85dd-d912-4762-af6c-d6e0fb4f6692)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 2) FOR GOVERNMENT (a31ef4a2-f787-435e-8335-e47eb0cafc94) | | Office 365 G5 GCC | ENTERPRISEPREMIUM_GOV | 8900a2c0-edba-4079-bdf3-b276e293b6a8 | RMS_S_ENTERPRISE_GOV (6a76346d-5d6e-4051-9fe3-ed3f312b5597)<br/>DYN365_CDS_O365_P3_GCC (a7d3fb37-b6df-4085-b509-50810d991a39)<br/>CDS_O365_P3_GCC (bce5e5ca-c2fd-4d53-8ee2-58dfffed4c10)<br/>LOCKBOX_ENTERPRISE_GOV (89b5d3b1-3855-49fe-b46c-87c66dbc1526)<br/>EXCHANGE_S_ENTERPRISE_GOV (8c3069c0-ccdb-44be-ab77-986203a67df2)<br/>FORMS_GOV_E5 (843da3a8-d2cc-4e7a-9e90-dc46019f964c)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Content_Explorer (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>ContentExplorer_Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>MIP_S_CLP2 (efb0351d-3b08-4503-993d-383af8de41e3)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>MICROSOFT_COMMUNICATION_COMPLIANCE (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>M365_ADVANCED_AUDITING (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>OFFICESUBSCRIPTION_GOV (de9234ff-6483-44d9-b15e-dca72fdd27af)<br/>MCOMEETADV_GOV (f544b08d-1645-4287-82de-8d91f37c02a1)<br/>MTP 
(bf28f719-7844-4079-9c78-c1307898e192)<br/>MCOEV_GOV (db23fce2-a974-42ef-9002-d78dd42a0f22)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>COMMUNICATIONS_DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>CUSTOMER_KEY (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>ATP_ENTERPRISE_GOV (493ff600-6a2b-4db6-ad37-a7d4eb214516)<br/>THREAT_INTELLIGENCE_GOV (900018f1-0cdb-4ecb-94d4-90281760fdc6)<br/>INFO_GOVERNANCE (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>EXCHANGE_ANALYTICS_GOV (208120d1-9adb-4daf-8c22-816bd5d237e7)<br/>RECORDS_MANAGEMENT (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>STREAM_O365_E5_GOV (92c2089d-9a53-49fe-b1a6-9e6bdf959547)<br/>TEAMS_GOV (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>EQUIVIO_ANALYTICS_GOV (d1cbfb67-18a8-4792-b643-630b7f19aad1)<br/>ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>PROJECTWORKMANAGEMENT_GOV (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>SHAREPOINTWAC_GOV (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>POWERAPPS_O365_P3_GOV (0eacfc38-458a-40d3-9eab-9671258f1a3e)<br/>FLOW_O365_P3_GOV (8055d84a-c172-42eb-b997-6c2ae4628246)<br/>BI_AZURE_P_2_GOV (944e9726-f011-4353-b654-5f7d2663db76)<br/>PREMIUM_ENCRYPTION (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>SHAREPOINTENTERPRISE_GOV (153f85dd-d912-4762-af6c-d6e0fb4f6692)<br/>MCOSTANDARD_GOV (a31ef4a2-f787-435e-8335-e47eb0cafc94) | RMS_S_ENTERPRISE_GOV (6a76346d-5d6e-4051-9fe3-ed3f312b5597)<br/>DYN365_CDS_O365_P3_GCC (a7d3fb37-b6df-4085-b509-50810d991a39)<br/>CDS_O365_P3_GCC (bce5e5ca-c2fd-4d53-8ee2-58dfffed4c10)<br/>LOCKBOX_ENTERPRISE_GOV (89b5d3b1-3855-49fe-b46c-87c66dbc1526)<br/>EXCHANGE_S_ENTERPRISE_GOV (8c3069c0-ccdb-44be-ab77-986203a67df2)<br/>FORMS_GOV_E5 (843da3a8-d2cc-4e7a-9e90-dc46019f964c)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Content_Explorer (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>ContentExplorer_Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>MIP_S_CLP2 
(efb0351d-3b08-4503-993d-383af8de41e3)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>MICROSOFT_COMMUNICATION_COMPLIANCE (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>M365_ADVANCED_AUDITING (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>OFFICESUBSCRIPTION_GOV (de9234ff-6483-44d9-b15e-dca72fdd27af)<br/>MCOMEETADV_GOV (f544b08d-1645-4287-82de-8d91f37c02a1)<br/>MTP (bf28f719-7844-4079-9c78-c1307898e192)<br/>MCOEV_GOV (db23fce2-a974-42ef-9002-d78dd42a0f22)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>COMMUNICATIONS_DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>CUSTOMER_KEY (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>ATP_ENTERPRISE_GOV (493ff600-6a2b-4db6-ad37-a7d4eb214516)<br/>THREAT_INTELLIGENCE_GOV (900018f1-0cdb-4ecb-94d4-90281760fdc6)<br/>INFO_GOVERNANCE (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>EXCHANGE_ANALYTICS_GOV (208120d1-9adb-4daf-8c22-816bd5d237e7)<br/>RECORDS_MANAGEMENT (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>STREAM_O365_E5_GOV (92c2089d-9a53-49fe-b1a6-9e6bdf959547)<br/>TEAMS_GOV (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>EQUIVIO_ANALYTICS_GOV (d1cbfb67-18a8-4792-b643-630b7f19aad1)<br/>ADALLOM_S_O365 (8c098270-9dd4-4350-9b30-ba4703f3b36b)<br/>PROJECTWORKMANAGEMENT_GOV (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>SHAREPOINTWAC_GOV (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>POWERAPPS_O365_P3_GOV (0eacfc38-458a-40d3-9eab-9671258f1a3e)<br/>FLOW_O365_P3_GOV (8055d84a-c172-42eb-b997-6c2ae4628246)<br/>BI_AZURE_P_2_GOV (944e9726-f011-4353-b654-5f7d2663db76)<br/>PREMIUM_ENCRYPTION (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>SHAREPOINTENTERPRISE_GOV (153f85dd-d912-4762-af6c-d6e0fb4f6692)<br/>MCOSTANDARD_GOV (a31ef4a2-f787-435e-8335-e47eb0cafc94) | | Office 365 Advanced Compliance for GCC | EQUIVIO_ANALYTICS_GOV | 1a585bba-1ce3-416e-b1d6-9c482b52fcf6 | LOCKBOX_ENTERPRISE_GOV (89b5d3b1-3855-49fe-b46c-87c66dbc1526)<br/>INFORMATION_BARRIERS 
(c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Content_Explorer (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>ContentExplorer_Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>MIP_S_CLP2 (efb0351d-3b08-4503-993d-383af8de41e3)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>M365_ADVANCED_AUDITING (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>MICROSOFT_COMMUNICATION_COMPLIANCE (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>COMMUNICATIONS_DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>CUSTOMER_KEY (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>INFO_GOVERNANCE (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/> RECORDS_MANAGEMENT (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>EQUIVIO_ANALYTICS_GOV (d1cbfb67-18a8-4792-b643-630b7f19aad1)<br/>PREMIUM_ENCRYPTION (617b097b-4b93-4ede-83de-5f075bb5fb2f) | Customer Lockbox for Government (89b5d3b1-3855-49fe-b46c-87c66dbc1526)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Information Protection and Governance Analytics -Premium (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>Information Protection and Governance Analytics ΓÇô Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>Information Protection for Office 365 ΓÇô Premium (efb0351d-3b08-4503-993d-383af8de41e3)<br/>Information Protection for Office 365 ΓÇô Standard (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>Microsoft 365 Advanced Auditing (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>Microsoft 365 Communication Compliance (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>Microsoft Communications DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>Microsoft Customer Key (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>Microsoft Information Governance (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>Microsoft Records Management (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>Office 365 Advanced eDiscovery for Government (d1cbfb67-18a8-4792-b643-630b7f19aad1)<br/>Premium Encryption in Office 365 (617b097b-4b93-4ede-83de-5f075bb5fb2f) |
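Review bot: In the Office 365 G1 GCC row, the friendly-name entry for Microsoft Teams for Government still carries a space inside the GUID ("304767db-7d23-49e8-a945- 4a7eb65f9f28"). The change adds the missing space before the parenthesis but leaves an ID that does not match TEAMS_GOV (304767db-7d23-49e8-a945-4a7eb65f9f28) in the string-ID column of the same row. Remove the space so the ID can be copied and compared as-is. The stray space after `<br/>` in front of "Power Apps for Office 365 for Government" in the same cell can be dropped in the same pass.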
When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
| Project Plan 1 (for Department) | PROJECT_PLAN1_DEPT | 84cd610f-a3f8-4beb-84ab-d9d2c902c6c9 | DYN365_CDS_FOR_PROJECT_P1 (a6f677b3-62a6-4644-93e7-2a85d240845e)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power_Automate_For_Project_P1 (00283e6b-2bd8-440f-a2d5-87358e4c89a1)<br/>PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>PROJECT_P1 (4a12c688-56c6-461a-87b1-30d6f32136f9)<br/>SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1) | Common Data Service for Project P1 (a6f677b3-62a6-4644-93e7-2a85d240845e)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power Automate for Project P1 (00283e6b-2bd8-440f-a2d5-87358e4c89a1)<br/>Project Online Essentials (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>Project P1 (4a12c688-56c6-461a-87b1-30d6f32136f9)<br/>SHAREPOINT STANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1) | | Project Plan 3 | PROJECTPROFESSIONAL | 53818b1b-4a27-454b-8896-0dba576410e6 | DYN365_CDS_PROJECT (50554c47-71d9-49fd-bc54-42a2765c555c)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>FLOW_FOR_PROJECT (fa200448-008c-4acb-abd4-ea106ed2199d)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)<br/>SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)<br/>PROJECT_PROFESSIONAL (818523f5-016b-4355-9be8-ed6944946ea7)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72) | Common Data Service for Project (50554c47-71d9-49fd-bc54-42a2765c555c)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Flow for Project (fa200448-008c-4acb-abd4-ea106ed2199d)<br/>Office for the web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Project Online Desktop Client (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)<br/>Project Online Service (fe71d6c3-a2ea-4499-9778-da042bf08063)<br/>Project P3 (818523f5-016b-4355-9be8-ed6944946ea7)<br/>SharePoint (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72) | | Project Plan 3 (for 
Department) | PROJECT_PLAN3_DEPT | 46102f44-d912-47e7-b0ca-1bd7b70ada3b | DYN365_CDS_PROJECT (50554c47-71d9-49fd-bc54-42a2765c555c)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>FLOW_FOR_PROJECT (fa200448-008c-4acb-abd4-ea106ed2199d)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)<br/>SHAREPOINT_PROJECT (fe71d6c3-a2ea-4499-9778-da042bf08063)<br/>PROJECT_PROFESSIONAL (818523f5-016b-4355-9be8-ed6944946ea7)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72) | Common Data Service for Project (50554c47-71d9-49fd-bc54-42a2765c555c)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Flow for Project (fa200448-008c-4acb-abd4-ea106ed2199d)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Project Online Desktop Client (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)<br/>Project Online Service (fe71d6c3-a2ea-4499-9778-da042bf08063)<br/>Project P3 (818523f5-016b-4355-9be8-ed6944946ea7)<br/>SharePoint (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72) |
-| Project Plan 3 for GCC | PROJECTPROFESSIONAL_GOV | 074c6829-b3a0-430a-ba3d-aca365e57065 | SHAREPOINTWAC_GOV (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>PROJECT_CLIENT_SUBSCRIPTION_GOV (45c6831b-ad74-4c7f-bd03-7c2b3fa39067)<br/>SHAREPOINT_PROJECT_GOV (e57afa78-1f19-4542-ba13-b32cd4d8f472)<br/>SHAREPOINTENTERPRISE_GOV (153f85dd-d912-4762-af6c-d6e0fb4f6692) | Office for the web (Government) (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>Project Online Desktop Client for Government(45c6831b- ad74-4c7f-bd03-7c2b3fa39067)<br/>Project Online Service for Government (e57afa78-1f19-4542-ba13-b32cd4d8f472)<br/>SharePoint Plan 2G (153f85dd-d912-4762-af6c-d6e0fb4f6692) |
+| Project Plan 3 for GCC | PROJECTPROFESSIONAL_GOV | 074c6829-b3a0-430a-ba3d-aca365e57065 | SHAREPOINTWAC_GOV (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>PROJECT_CLIENT_SUBSCRIPTION_GOV (45c6831b-ad74-4c7f-bd03-7c2b3fa39067)<br/>SHAREPOINT_PROJECT_GOV (e57afa78-1f19-4542-ba13-b32cd4d8f472)<br/>SHAREPOINTENTERPRISE_GOV (153f85dd-d912-4762-af6c-d6e0fb4f6692) | Office for the web (Government) (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>Project Online Desktop Client for Government (45c6831b- ad74-4c7f-bd03-7c2b3fa39067)<br/>Project Online Service for Government (e57afa78-1f19-4542-ba13-b32cd4d8f472)<br/>SharePoint Plan 2G (153f85dd-d912-4762-af6c-d6e0fb4f6692) |
| Project Plan 5 for GCC | PROJECTPREMIUM_GOV | f2230877-72be-4fec-b1ba-7156d6f75bd6 | EXCHANGE_S_FOUNDATION_GOV (922ba911-5694-4e99-a794-73aed9bfeec8)<br/>SHAREPOINTWAC_GOV (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>PROJECT_CLIENT_SUBSCRIPTION_GOV (45c6831b-ad74-4c7f-bd03-7c2b3fa39067)<br/>SHAREPOINT_PROJECT_GOV (e57afa78-1f19-4542-ba13-b32cd4d8f472)<br/>SHAREPOINTENTERPRISE_GOV (153f85dd-d912-4762-af6c-d6e0fb4f6692) | Exchange Foundation for Government (922ba911-5694-4e99-a794-73aed9bfeec8)<br/>Office for the web (Government) (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>Project Online Desktop Client for Government (45c6831b-ad74-4c7f-bd03-7c2b3fa39067)<br/>Project Online Service for Government (e57afa78-1f19-4542-ba13-b32cd4d8f472)<br/>SharePoint Plan 2G (153f85dd-d912-4762-af6c-d6e0fb4f6692) | | Rights Management Adhoc | RIGHTSMANAGEMENT_ADHOC | 8c4ce438-32a7-4ac5-91a6-e22ae08d9c8b | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>RMS_S_ADHOC (7a39d7dd-e456-4e09-842a-0204ee08187b) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Rights Management Adhoc (7a39d7dd-e456-4e09-842a-0204ee08187b) | | Rights Management Service Basic Content Protection | RMSBASIC | 093e8d14-a334-43d9-93e3-30589a8b47d0 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>RMS_S_BASIC (31cf2cfc-6b0d-4adc-a336-88b724ed8122) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft Azure Rights Management Service (31cf2cfc-6b0d-4adc-a336-88b724ed8122) |
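Review bot: In the Project Plan 3 for GCC row, the GUID for Project Online Desktop Client for Government is still split by a space ("45c6831b- ad74-4c7f-bd03-7c2b3fa39067"). Only the space before the parenthesis was fixed. The same plan appears without the space in the string-ID column of this row and in the Project Plan 5 for GCC row directly below, so the friendly-name cell should read (45c6831b-ad74-4c7f-bd03-7c2b3fa39067) as well.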
active-directory Whatis Aadc Admin Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/whatis-aadc-admin-agent.md
Previously updated : 09/04/2019 Last updated : 06/30/2022 # What is the Azure AD Connect Admin Agent? +
+>[!NOTE]
+>The Azure AD Connect Admin Agent is no longer part of the Azure AD Connect installation and cannot be used with Azure AD Connect versions 2.1.12.0 and newer.
+ The Azure AD Connect Administration Agent is a new component of Azure Active Directory Connect that can be installed on an Azure Active Directory Connect server. It is used to collect specific data from your Active Directory environment that helps a Microsoft support engineer to troubleshoot issues when you open a support case. >[!NOTE] >The admin agent is not installed and enabled by default. You must install the agent in order to collect data to assist with support cases.
-When installed, the Azure AD Connect Administration Agent waits for specific requests for data from Azure Active Directory, gets the requested data from the sync environment and sends it to Azure Active Directory, where it is presented to the Microsoft support engineer.
+The Azure AD Connect Administration Agent waits for specific requests for data from Azure Active Directory. The agent then takes the requested data from the sync environment and sends it to Azure AD, where it is presented to the Microsoft support engineer.
-The information that the Azure AD Connect Administration Agent retrieves from your environment is not stored in any way - it is only displayed to the Microsoft support engineer to assist them in investigating and troubleshooting the Azure Active Directory Connect related support case that you opened
+The information that the Azure AD Connect Administration Agent retrieves from your environment is not stored. The information is only displayed to the Microsoft support engineer to assist them in investigating and troubleshooting the Azure Active Directory Connect related support case.
The Azure AD Connect Administration Agent is not installed on the Azure AD Connect Server by default. ## Install the Azure AD Connect Administration Agent on the Azure AD Connect server
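Review bot: The unchanged intro paragraph that follows the added note still describes the agent as "a new component of Azure Active Directory Connect that can be installed", which contradicts the note that the agent is no longer part of the installation and cannot be used with versions 2.1.12.0 and newer. Drop "new" and scope that sentence, and the "Install the Azure AD Connect Administration Agent" section after it, to versions earlier than 2.1.12.0, so a reader who skips the note is not led to look for binaries that are not there.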
Prerequisites:
![admin agent](media/whatis-aadc-admin-agent/adminagent0.png)
-The Azure AD Connect Administration Agent binaries are placed in the AAD Connect server. To install the agent, do the following:
+The Azure AD Connect Administration Agent binaries are placed in the Azure AD Connect server. To install the agent, use the following steps:
-1. Open powershell in admin mode
+1. Open PowerShell in admin mode
2. Navigate to the directory where the application is located cd "C:\Program Files\Microsoft Azure Active Directory Connect\Tools" 3. Run ConfigureAdminAgent.ps1
-When prompted, please enter your Azure AD global admin credentials. This should be the same credentials entered during Azure AD Connect installation.
+When prompted, please enter your Azure AD global admin credentials. These credentials should be the same credentials entered during Azure AD Connect installation.
After the agent is installed, you'll see the following two new programs in the "Add/Remove Programs" list in the Control Panel of your server: ![Screenshot that shows the Add/Remove Programs list that includes the new programs you added.](media/whatis-aadc-admin-agent/adminagent1.png) ## What data in my Sync service is shown to the Microsoft service engineer?
-When you open a support case the Microsoft Support Engineer can see, for a given user, the relevant data in Active Directory, the Active Directory connector space in the Azure Active Directory Connect server, the Azure Active Directory connector space in the Azure Active Directory Connect server and the Metaverse in the Azure Active Directory Connect server.
+When you open a support case, the Microsoft Support Engineer can see, for a given user:
+
+ - the relevant data in Active Directory
+ - the Active Directory connector space in the Azure Active Directory Connect server
+ - the Azure Active Directory connector space in the Azure Active Directory Connect server
+ - the Metaverse in the Azure Active Directory Connect server.
The Microsoft Support Engineer cannot change any data in your system and cannot see any passwords. ## What if I don't want the Microsoft support engineer to access my data?
-Once the agent is installed, If you do not want the Microsoft service engineer to access your data for a support call, you can disable the functionality by modifying the service config file as described below:
+Once the agent is installed, if you do not want the Microsoft service engineer to access your data for a support call, you can disable the functionality by modifying the service config file as described below:
1. Open **C:\Program Files\Microsoft Azure AD Connect Administration Agent\AzureADConnectAdministrationAgentService.exe.config** in notepad. 2. Disable **UserDataEnabled** setting as shown below. If **UserDataEnabled** setting exists and is set to true, then set it to false. If the setting does not exist, then add the setting as shown below.
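Review bot: In the new bulleted list under "What data in my Sync service is shown to the Microsoft service engineer?", only the last item ends with a period; punctuate all four items the same way. The rewritten credentials sentence ("These credentials should be the same credentials entered during Azure AD Connect installation") repeats "credentials"; "Use the same credentials you entered during Azure AD Connect installation" says the same thing more directly. The steps still read "Open PowerShell in admin mode" without stating that the session must run on the Azure AD Connect server itself, which is worth adding since the script path is local to that server.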
Once the agent is installed, If you do not want the Microsoft service engineer t
![Screenshot that shows where to restart the Azure AD Administrator Agent service.](media/whatis-aadc-admin-agent/adminagent2.png) ## Next steps
-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md)
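Review bot: The replacement line under "Next steps" drops the sentence's final period: the added line ends directly at "(whatis-hybrid-identity.md)". That looks unintentional given that the rest of this change is punctuation cleanup. Restore the period.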
active-directory F5 Big Ip Oracle Jde Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-oracle-jde-easy-button.md
-# Tutorial: Configure F5ΓÇÖs BIG-IP Easy Button for SSO to Oracle JDE
+# Tutorial: Configure F5ΓÇÖs BIG-IP Easy Button for SSO to Oracle JDE
In this article, learn to secure Oracle JD Edwards (JDE) using Azure Active Directory (Azure AD), through F5ΓÇÖs BIG-IP Easy Button guided configuration.
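Review bot: The removed and added heading lines are identical as displayed, so the change is presumably limited to whitespace or character encoding, and the commit gives no indication of which. If the intent was to normalize the apostrophe in the heading, apply the same change to the first paragraph, which uses the same "F5" possessive, so the two stay consistent.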
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/whats-new-docs.md
# Azure Active Directory application management: What's new
-Welcome to what's new in Azure Active Directory application management documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the application management service, see [What's new in Azure Active Directory](../fundamentals/whats-new.md).
+Welcome to what's new in Azure Active Directory (Azure AD) application management documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the application management service, see [What's new in Azure AD](../fundamentals/whats-new.md).
-## June
+## June 2022
### Updated articles - [Protect against consent phishing](protect-against-consent-phishing.md)-- [Request to Publish your application in the Azure Active Directory application gallery](v2-howto-app-gallery-listing.md)
+- [Request to publish your application in the Azure AD application gallery](v2-howto-app-gallery-listing.md)
## May 2022
Welcome to what's new in Azure Active Directory application management documenta
### Updated articles -- [Tutorial: Configure Datawiza with Azure Active Directory for secure hybrid access](datawiza-with-azure-ad.md)
+- [Tutorial: Configure Datawiza with Azure AD for secure hybrid access](datawiza-with-azure-ad.md)
- [Tutorial: Manage certificates for federated single sign-on](tutorial-manage-certificates-for-federated-single-sign-on.md)-- [Tutorial: Migrate Okta federation to Azure Active Directory-managed authentication](migrate-okta-federation-to-azure-active-directory.md)
+- [Tutorial: Migrate Okta federation to Azure AD-managed authentication](migrate-okta-federation-to-azure-active-directory.md)
- [Tutorial: Migrate Okta sync provisioning to Azure AD Connect-based synchronization](migrate-okta-sync-provisioning-to-azure-active-directory.md) ## March 2022
Welcome to what's new in Azure Active Directory application management documenta
- [Configure the admin consent workflow](configure-admin-consent-workflow.md) - [Grant tenant-wide admin consent to an application](grant-admin-consent.md)-- [Integrate F5 BIG-IP with Azure Active Directory](f5-aad-integration.md)
+- [Integrate F5 BIG-IP with Azure AD](f5-aad-integration.md)
- [Manage app consent policies](manage-app-consent-policies.md)-- [Plan Azure Active Directory My Apps configuration](my-apps-deployment-plan.md)
+- [Plan Azure AD My Apps configuration](my-apps-deployment-plan.md)
- [Quickstart: View enterprise applications](view-applications-portal.md) - [Review admin consent requests](review-admin-consent-requests.md) - [Tutorial: Configure F5 BIG-IP Easy Button for header-based and LDAP SSO](f5-big-ip-ldap-header-easybutton.md)
active-directory Admin Units Members Add https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-members-add.md
> Administrative units support for devices is currently in PREVIEW. > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
-In Azure Active Directory (Azure AD), you can add users, groups, or devices to an administrative unit to restrict the scope of role permissions. Adding a group to an administrative unit brings the group itself into the management scope of any group administrator who is also scoped to that administrative unit. For additional details on what scoped administrators can do, see [Administrative units in Azure Active Directory](administrative-units.md).
+In Azure Active Directory (Azure AD), you can add users, groups, or devices to an administrative unit to restrict the scope of role permissions. Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but **not** the members of the group. For additional details on what scoped administrators can do, see [Administrative units in Azure Active Directory](administrative-units.md).
This article describes how to add users, groups, or devices to administrative units manually. For information about how to add users or devices to administrative units dynamically using rules, see [Manage users or devices for an administrative unit with dynamic membership rules](admin-units-members-dynamic.md).
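Review bot: The added clause "but **not** the members of the group" changes what a scoped administrator can manage, yet the paragraph does not say what to do when the members are meant to be in scope. Add a sentence stating that the users or devices must themselves be added to the administrative unit (manually as described in this article, or through the dynamic membership rules linked in the next paragraph) for scoped role assignments to apply to them. Otherwise a reader may assume that adding a group delegates control over its members.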
api-management Authorizations How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authorizations-how-to.md
Four steps are needed to set up an authorization with the authorization code gra
1. Sign in to your GitHub account if you're prompted to do so. 1. Select **Authorize** so that the application can access the signed-in userΓÇÖs account.
- :::image type="content" source="media/authorizations-how-to/consent-to-authorization.png" alt-text="Screenshot of consenting to authorize with Github.":::
+ :::image type="content" source="media/authorizations-how-to/consent-to-authorization.png" alt-text="Screenshot of consenting to authorize with GitHub.":::
After authorization, the browser is redirected to API Management and the window is closed. If prompted during redirection, select **Allow access**. In API Management, select **Next**. 1. On the **Access policy** page, create an access policy so that API Management has access to use the authorization. Ensure that a managed identity is configured for API Management. [Learn more about managed identities in API Management](api-management-howto-use-managed-service-identity.md#create-a-system-assigned-managed-identity).
app-service How To Custom Domain Suffix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/how-to-custom-domain-suffix.md
+
+ Title: Configure custom domain suffix for App Service Environment
+description: Configure a custom domain suffix for the Azure App Service Environment.
++ Last updated : 07/05/2022+
+zone_pivot_groups: app-service-environment-portal-arm
++
+# Custom domain suffix for App Service Environments
+
+An App Service Environment is an Azure App Service feature that provides a fully isolated and dedicated environment for running App Service apps securely at high scale. The DNS settings for your App Service Environment's default domain suffix don't restrict your apps to only being accessible by those names. Custom domain suffix is an internal load balancer (ILB) App Service Environment feature that allows you to use your own domain suffix to access the apps in your App Service Environment.
+
+If you don't have an App Service Environment, see [How to Create an App Service Environment v3](./creation.md).
+
+> [!NOTE]
+> This article covers the features, benefits, and use cases of App Service Environment v3, which is used with App Service Isolated v2 plans.
+>
+
+The custom domain suffix defines a root domain that can be used by the App Service Environment. In the public variation of Azure App Service, the default root domain for all web apps is *azurewebsites.net*. For ILB App Service Environments, the default root domain is *appserviceenvironment.net*. However, since an ILB App Service Environment is internal to a customer's virtual network, customers can use a root domain in addition to the default one that makes sense for use within a company's internal virtual network. For example, a hypothetical Contoso Corporation might use a default root domain of *internal-contoso.com* for apps that are intended to only be resolvable and accessible within Contoso's virtual network. An app in this virtual network could be reached by accessing *APP-NAME.internal-contoso.com*.
+
+The custom domain name works for app requests but doesn't for the scm site. The scm site is only available at *APP-NAME.scm.ASE-NAME.appserviceenvironment.net*.
+
+The custom domain suffix is for the App Service Environment. This feature is different from a custom domain binding on an App Service. For more information on custom domain bindings, see [Map an existing custom DNS name to Azure App Service](../app-service-web-tutorial-custom-domain.md).
+
+## Prerequisites
+
+- ILB variation of App Service Environment v3.
+- Valid SSL/TLS certificate must be stored in an Azure Key Vault. For more information on using certificates with App Service, see [Add a TLS/SSL certificate in Azure App Service](../configure-ssl-certificate.md).
+
+### Managed identity
+
+A [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) is used to authenticate against the Azure Key Vault where the SSL/TLS certificate is stored. If you don't currently have a managed identity associated with your App Service Environment, you'll need to configure one.
+
+You can use either a system assigned or user assigned managed identity. To create a user assigned managed identity, see [manage user-assigned managed identities](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md). If you'd like to use a system assigned managed identity and don't already have one assigned to your App Service Environment, the Custom domain suffix portal experience will guide you through the creation process. Alternatively, you can go to the **Identity** page for your App Service Environment and configure and assign your managed identities there.
+
+To enable a system assigned managed identity, set the Status to On.
++
+To assign a user assigned managed identity, select "Add", and find the managed identity you want to use.
++
+Once you assign the managed identity to your App Service Environment, ensure the managed identity has sufficient permissions for the Azure Key Vault. You can either use a vault access policy or Azure role-based access control.
+
+If you use a vault access policy, the managed identity will need at a minimum the "Get" secrets permission for the key vault.
++
+If you choose to use Azure role-based access control to manage access to your key vault, you'll need to give your managed identity at a minimum the "Key Vault Secrets User" role.
++
+### Certificate
+
+The certificate for custom domain suffix must be stored in an Azure Key Vault. App Service Environment will use the managed identity you selected to get the certificate. The Key Vault must be publicly accessible, however you can lock down the key vault by restricting access to your App Service Environment's outbound IPs. You can find your App Service Environment's outbound IPs under "Default outbound addresses" on the **IP addresses** page for your App Service Environment. You'll need to add both IPs to your key vault's firewall rules. For more information on key vault network security and firewall rules, see [Configure Azure Key Vault firewalls and virtual networks](../../key-vault/general/network-security.md#key-vault-firewall-enabled-ipv4-addresses-and-rangesstatic-ips).
++
+Your certificate must be a wildcard certificate for the selected custom domain name. For example, *contoso.com* would need a certificate covering **.contoso.com*.
++
+## Use the Azure portal to configure custom domain suffix
+
+1. From the [Azure portal](https://portal.azure.com), navigate to the **Custom domain suffix** page for your App Service Environment.
+1. Enter your custom domain name.
+1. Select the managed identity you've defined for your App Service Environment. You can use either a system assigned or user assigned managed identity. You'll be able to configure your managed identity if you haven't done so already directly from the custom domain suffix page using the "Add identity" option in the managed identity selection box.
+1. Select the certificate for the custom domain suffix.
+1. Select "Save" at the top of the page. To see the latest configuration updates, you may need to refresh your browser page.
+1. It will take a few minutes for the custom domain suffix configuration to be set. Select "Refresh" at the top of the page to check the status. The banner will update with the latest progress. Once complete, the banner will state that the custom domain suffix is configured.
+++
+## Use Azure Resource Manager to configure custom domain suffix
+
+To configure a custom domain suffix for your App Service Environment using an Azure Resource Manager template, you'll need to include the below properties. Ensure that you've met the [prerequisites](#prerequisites) and that your managed identity and certificate are accessible and have the appropriate permissions for the Azure Key Vault.
+
+You'll need to configure the managed identity and ensure it exists before assigning it in your template. For more information on managed identities, see the [managed identity overview](../../active-directory/managed-identities-azure-resources/overview.md).
+
+### Use a user assigned managed identity
+
+```json
+"resources": [
+{
+ "apiVersion": "2022-03-01",
+ "type": "Microsoft.Web/hostingEnvironments",
+ "name": ...,
+ "location": ...,
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/asev3-cdns-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ase-cdns-managed-identity"
+ }
+ },
+ "properties": {
+ "customDnsSuffixConfiguration": {
+ "dnsSuffix": "antares-test.net",
+ "certificateUrl": "https://kv-sample-key-vault.vault.azure.net/secrets/wildcard-antares-test-net",
+ "keyVaultReferenceIdentity": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/asev3-cdns-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ase-cdns-managed-identity"
+ },
+ "internalLoadBalancingMode": "Web, Publishing",
+ etc...
+ }
+}
+```
+
+### Use a system assigned managed identity
+
+```json
+"resources": [
+{
+ "apiVersion": "2022-03-01",
+ "type": "Microsoft.Web/hostingEnvironments",
+ "name": ...,
+ "location": ...,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+ "properties": {
+ "customDnsSuffixConfiguration": {
+ "dnsSuffix": "antares-test.net",
+ "certificateUrl": "https://kv-sample-key-vault.vault.azure.net/secrets/wildcard-antares-test-net",
+ "keyVaultReferenceIdentity": "systemassigned"
+ },
+ "internalLoadBalancingMode": "Web, Publishing",
+ etc...
+ }
+}
+```
+
+## Use Azure Resource Explorer to configure custom domain suffix
+
+Alternatively, you can update your existing ILB App Service Environment using [Azure Resource Explorer](https://resources.azure.com).
+
+1. In Resource Explorer, go to the node for the App Service Environment (**subscriptions** > **{your Subscription}** > **resourceGroups** > **{your Resource Group}** > **providers** > **Microsoft.Web** > **hostingEnvironments**). Then select the specific App Service Environment that you want to update.
+1. Select **Read/Write** in the upper toolbar to allow interactive editing in Resource Explorer.
+1. Select the **Edit** button to make the Resource Manager template editable.
+1. Scroll to the bottom of the right pane. The **customDnsSuffixConfiguration** attribute is at the bottom.
+1. Enter your values for **dnsSuffix**, **certificateUrl**, and **keyVaultReferenceIdentity**.
+1. Navigate to the **identity** attribute and enter the details associated with the managed identity you're using.
+1. Select the **PUT** button that's located at the top to commit the change to the App Service Environment.
+1. The **provisioningState** under **customDnsSuffixConfiguration** will provide a status on the configuration update.
++
+## DNS configuration
+
+To access your apps in your App Service Environment using your custom domain suffix, you'll need to either configure your own DNS server or configure DNS in an Azure private DNS zone for your custom domain.
+
+If you want to use your own DNS server, add the following records:
+
+1. Create a zone for your custom domain.
+1. Create an A record in that zone that points * to the inbound IP address used by your App Service Environment.
+1. Create an A record in that zone that points @ to the inbound IP address used by your App Service Environment.
+
+To configure DNS in Azure DNS private zones:
+
+1. Create an Azure DNS private zone named for your custom domain. In the example below, the custom domain is *internal-contoso.com*.
+1. Create an A record in that zone that points * to the inbound IP address used by your App Service Environment.
+1. Create an A record in that zone that points @ to the inbound IP address used by your App Service Environment.
+1. Link your Azure DNS private zone to your App Service Environment's virtual network.
+
+For more information on configuring DNS for your domain, see [Use an App Service Environment](./using.md#dns-configuration).
+
+## Access your apps
+
+After configuring the custom domain suffix and DNS for your App Service Environment, you can go to the **Custom domains** page for one of your App Service apps in your App Service Environment and confirm the addition of the assigned custom domain for the app.
++
+Apps on the ILB App Service Environment can be accessed securely over HTTPS by going to either the custom domain you configured or the default domain *appserviceenvironment.net* like in the previous image. The ability to access your apps using the default App Service Environment domain and your custom domain is a unique feature that is only supported on App Service Environment v3.
+
+However, just like apps running on the public multi-tenant service, you can also configure custom host names for individual apps, and then configure unique SNI [TLS/SSL certificate bindings for individual apps](./overview-certificates.md#tls-settings).
+
+## Troubleshooting
+
+If your permissions or network settings for your managed identity, key vault, or App Service Environment aren't set appropriately, you won't be able to configure a custom domain suffix, and you'll receive an error similar to the example below. Review the [prerequisites](#prerequisites) to ensure you've set the needed permissions. You'll also see a similar error message if the App Service platform detects that your certificate is degraded or expired.
++
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Using an App Service Environment v3](using.md)
+
+> [!div class="nextstepaction"]
+> [App Service Environment v3 Networking](networking.md)
+
+> [!div class="nextstepaction"]
+> [Tutorial: Map an existing custom DNS name to Azure App Service](../app-service-web-tutorial-custom-domain.md)
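Review bot: Neither sample under "Use Azure Resource Manager to configure custom domain suffix" is valid JSON as written. In the user assigned sample, "userAssignedIdentities" contains a bare resource ID string with no value; it needs to be a key mapped to an empty object (the resource ID followed by ": {}"). In the system assigned sample, the comma is missing after the closing brace of "identity", before "properties". Two further points: in the Certificate section, the wildcard example "**.contoso.com*" will not render as an italic wildcard name because the leading asterisks are read as emphasis markup, so escape the literal asterisk. In the overview, "might use a default root domain of *internal-contoso.com*" should say custom root domain, since the preceding sentence gives the default as *appserviceenvironment.net*. Because the Certificate section requires the Key Vault to be publicly accessible, consider presenting the firewall restriction to the App Service Environment's outbound IPs as a numbered step rather than as an aside, so it is not skipped.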
app-service Migration Alternatives https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/migration-alternatives.md
Once your migration and any testing with your new environment is complete, delet
- **Do I need to change anything about my apps to get them to run on App Service Environment v3?** No, apps that run on App Service Environment v1 and v2 shouldn't need any modifications to run on App Service Environment v3. - **What if my App Service Environment has a custom domain suffix?**
- App Service Environment v3 doesn't support custom domain suffixes at this time. You won't be able to migrate until it's supported if you want to continue using this feature.
+ The migration feature doesn't support migration of App Service Environments with custom domain suffixes at this time. You won't be able to migrate until it's supported.
- **What if my App Service Environment is zone pinned?** Zone pinning isn't a supported feature on App Service Environment v3. Use [zone redundancy](overview-zone-redundancy.md) instead. - **What properties of my App Service Environment will change?**
app-service Using An Ase https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/using-an-ase.md
In an ILB ASE, the domain suffix used for app creation is *.&lt;asename&gt;.apps
For information about how to create an ILB ASE, see [Create and use an ILB ASE][MakeILBASE].
-The SCM URL is used to access the Kudu console or for publishing your app by using Web Deploy. For information on the Kudu console, see [Kudu console for Azure App Service][Kudu]. The Kudu console gives you a web UI for debugging, uploading files, editing files, and much more.
+The SCM URL is used to access the Kudu console or for publishing your app by using Web Deploy. The Kudu console gives you a web UI for debugging, uploading files, editing files, and much more.
### DNS configuration
For more specific examples, use: az find "az appservice ase"
[Pricing]: https://azure.microsoft.com/pricing/details/app-service/ [ARMOverview]: ../../azure-resource-manager/management/overview.md [ConfigureSSL]: ../configure-ssl-certificate.md
-[Kudu]: https://azure.microsoft.com/resources/videos/super-secret-kudu-debug-console-for-azure-web-sites/
[AppDeploy]: ../deploy-local-git.md [ASEWAF]: ./integrate-with-application-gateway.md [AppGW]: ../../web-application-firewall/ag/ag-overview.md
app-service Overview Vnet Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-vnet-integration.md
App settings using Key Vault references will attempt to get secrets over the pub
#### Network routing
-You can use route tables to route outbound traffic from your app to wherever you want. Route tables affect your destination traffic. Route tables only apply to traffic routed through the virtual network integration. See [application routing](#application-routing) and [configuration routing](#configuration-routing) for details. Common destinations can include firewall devices or gateways. Routes that are set on your integration subnet won't affect replies to inbound app requests.
+You can use route tables to route outbound traffic from your app without restriction. Common destinations can include firewall devices or gateways. You can also use a [network security group](../virtual-network/network-security-groups-overview.md) (NSG) to block outbound traffic to resources in your virtual network or the internet. An NSG that's applied to your integration subnet is in effect regardless of any route tables applied to your integration subnet.
-When you want to route outbound traffic on-premises, you can use a route table to send outbound traffic to your Azure ExpressRoute gateway. If you do route traffic to a gateway, set routes in the external network to send any replies back.
+Route tables and network security groups only apply to traffic routed through the virtual network integration. See [application routing](#application-routing) and [configuration routing](#configuration-routing) for details. Routes wont affect replies to inbound app requests and inbound rules in an NSG don't apply to your app because virtual network integration affects only outbound traffic from your app. To control inbound traffic to your app, use the Access Restrictions feature.
-Border Gateway Protocol (BGP) routes also affect your app traffic. If you have BGP routes from something like an ExpressRoute gateway, your app outbound traffic is affected. Similar to user-defined routes, BGP routes affect traffic according to your routing scope setting.
+When configuring network security groups or route tables that affect outbound traffic, you must make sure you consider your application dependencies. Application dependencies include endpoints that your app needs during runtime. Besides APIs and services the app is calling, this could also be derived endpoints like certificate revocation list (CRL) check endpoints and identity/authentication endpoint, for example Azure Active Directory. If you are using [continuous deployment in App Service](./deploy-continuous-deployment.md), you might also need to allow endpoints depending on type and language. Specifically for [Linux continuous deployment](https://github.com/microsoft/Oryx/blob/main/doc/hosts/appservice.md#network-dependencies), you will need to allow `oryx-cdn.microsoft.io:443`.
-### Network security groups
-
-An app that uses virtual network integration can use a [network security group](../virtual-network/network-security-groups-overview.md) to block outbound traffic to resources in your virtual network or the internet. To block traffic to public addresses, enable [Route All](#application-routing). When **Route All** isn't enabled, NSGs are only applied to RFC1918 traffic from your app.
-
-An NSG that's applied to your integration subnet is in effect regardless of any route tables applied to your integration subnet.
-
-The inbound rules in an NSG don't apply to your app because virtual network integration affects only outbound traffic from your app. To control inbound traffic to your app, use the Access Restrictions feature.
+When you want to route outbound traffic on-premises, you can use a route table to send outbound traffic to your Azure ExpressRoute gateway. If you do route traffic to a gateway, set routes in the external network to send any replies back. Border Gateway Protocol (BGP) routes also affect your app traffic. If you have BGP routes from something like an ExpressRoute gateway, your app outbound traffic is affected. Similar to user-defined routes, BGP routes affect traffic according to your routing scope setting.
### Service endpoints
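Review bot: The rewrite removes the explicit statement that NSGs apply only to RFC1918 traffic unless Route All is enabled ("To block traffic to public addresses, enable [Route All](#application-routing)"), and the replacement text only points readers to the application routing section. Keep that sentence in the new Network routing text, because a reader who adds an outbound deny rule without Route All could otherwise assume that internet-bound traffic is blocked. Two smaller points in the added lines: "Routes wont affect" is missing its apostrophe, and "route outbound traffic from your app without restriction" can be read as routing that bypasses controls; the earlier wording "to wherever you want" was clearer.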
app-service Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure App Service description: Lists Azure Policy Regulatory Compliance controls available for Azure App Service. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 06/16/2022 Last updated : 07/04/2022
compliant with the specific standard.
## Release notes
+### July 2022
+
+- Deprecation of the following policies:
+ - **Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'**
+ - **Ensure that 'Python version' is the latest, if used as a part of the API app**
+ - **CORS should not allow every resource to access your API App**
+ - **Managed identity should be used in your API App**
+ - **Remote debugging should be turned off for API Apps**
+ - **Ensure that 'PHP version' is the latest, if used as a part of the API app**
+ - **API apps should use an Azure file share for its content directory**
+ - **FTPS only should be required in your API App**
+ - **Ensure that 'Java version' is the latest, if used as a part of the API app**
+ - **Ensure that 'HTTP Version' is the latest, if used to run the API app**
+ - **Latest TLS version should be used in your API App**
+ - **Authentication should be enabled on your API app**
+- **Function apps should have 'Client Certificates (Incoming client certificates)' enabled**
+ - Update scope of policy to include slots
+ - Update scope of policy to exclude Logic apps
+- **Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'**
+ - Rename of policy to "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled"
+ - Update scope of policy to include slots
+ - Update scope of policy to include all app types except Function apps
+- **Ensure that 'Python version' is the latest, if used as a part of the Web app**
+ - Rename of policy to "App Service apps that use Python should use the latest 'Python version'"
+ - Update scope of policy to include all app types except Function apps
+- **Ensure that 'Python version' is the latest, if used as a part of the Function app**
+ - Rename of policy to "Function apps that use Python should use the latest 'Python version'"
+ - Update scope of policy to exclude Logic apps
+- **CORS should not allow every resource to access your Web Applications**
+ - Rename of policy to "App Service apps should not have CORS configured to allow every resource to access your apps"
+ - Update scope of policy to include all app types except Function apps
+- **CORS should not allow every resource to access your Function Apps**
+ - Rename of policy to "Function apps should not have CORS configured to allow every resource to access your apps"
+ - Update scope of policy to exclude Logic apps
+- **Managed identity should be used in your Function App**
+ - Rename of policy to "Function apps should use managed identity"
+ - Update scope of policy to exclude Logic apps
+- **Managed identity should be used in your Web App**
+ - Rename of policy to "App Service apps should use managed identity"
+ - Update scope of policy to include all app types except Function apps
+- **Remote debugging should be turned off for Function Apps**
+ - Rename of policy to "Function apps should have remote debugging turned off"
+ - Update scope of policy to exclude Logic apps
+- **Remote debugging should be turned off for Web Applications**
+ - Rename of policy to "App Service apps should have remote debugging turned off"
+ - Update scope of policy to include all app types except Function apps
+- **Ensure that 'PHP version' is the latest, if used as a part of the WEB app**
+ - Rename of policy to "App Service apps that use PHP should use the latest 'PHP version'"
+ - Update scope of policy to include all app types except Function apps
+- **App Service slots should have local authentication methods disabled for SCM site deployment**
+ - Rename of policy to "App Service app slots should have local authentication methods disabled for SCM site deployments"
+- **App Service should have local authentication methods disabled for SCM site deployments**
+ - Rename of policy to "App Service apps should have local authentication methods disabled for SCM site deployments"
+- **App Service slots should have local authentication methods disabled for FTP deployments**
+ - Rename of policy to "App Service app slots should have local authentication methods disabled for FTP deployments"
+- **App Service should have local authentication methods disabled for FTP deployments**
+ - Rename of policy to "App Service apps should have local authentication methods disabled for FTP deployments"
+- **Function apps should use an Azure file share for its content directory**
+ - Update scope of policy to include slots
+ - Update scope of policy to exclude Logic apps
+- **Web apps should use an Azure file share for its content directory**
+ - Rename of policy to "App Service apps should use an Azure file share for its content directory"
+ - Update scope of policy to include slots
+ - Update scope of policy to include all app types except Function apps
+- **FTPS only should be required in your Function App**
+ - Rename of policy to "Function apps should require FTPS only"
+ - Update scope of policy to exclude Logic apps
+- **FTPS should be required in your Web App**
+ - Rename of policy to "App Service apps should require FTPS only"
+ - Update scope of policy to include all app types except Function apps
+- **Ensure that 'Java version' is the latest, if used as a part of the Function app**
+ - Rename of policy to "Function apps that use Java should use the latest 'Java version'"
+ - Update scope of policy to exclude Logic apps
+- **Ensure that 'Java version' is the latest, if used as a part of the Web app**
+ - Rename of policy to "App Service apps that use Java should use the latest 'Java version"
+ - Update scope of policy to include all app types except Function apps
+- **App Service should use private link**
+ - Rename of policy to "App Service apps should use private link"
+- **Configure App Services to use private DNS zones**
+ - Rename of policy to "Configure App Service apps to use private DNS zones"
+- **App Service Apps should be injected into a virtual network**
+ - Rename of policy to "App Service apps should be injected into a virtual network"
+ - Update scope of policy to include slots
+- **Ensure that 'HTTP Version' is the latest, if used to run the Web app**
+ - Rename of policy to "App Service apps should use latest 'HTTP Version'"
+ - Update scope of policy to include all app types except Function apps
+- **Ensure that 'HTTP Version' is the latest, if used to run the Function app**
+ - Rename of policy to "Function apps should use latest 'HTTP Version'"
+ - Update scope of policy to exclude Logic apps
+- **Latest TLS version should be used in your Web App**
+ - Rename of policy to "App Service apps should use the latest TLS version"
+ - Update scope of policy to include all app types except Function apps
+- **Latest TLS version should be used in your Function App**
+ - Rename of policy to "Function apps should use the latest TLS version"
+ - Update scope of policy to exclude Logic apps
+- **App Service Environment should disable TLS 1.0 and 1.1**
+ - Rename of policy to "App Service Environment should have TLS 1.0 and 1.1 disabled"
+- **Resource logs in App Services should be enabled**
+ - Rename of policy to "App Service apps should have resource logs enabled"
+- **Authentication should be enabled on your web app**
+ - Rename of policy to "App Service apps should have authentication enabled"
+- **Authentication should be enabled on your Function app**
+ - Rename of policy to "Function apps should have authentication enabled"
+ - Update scope of policy to exclude Logic apps
+- **App Service Environment should enable internal encryption**
+ - Rename of policy to "App Service Environment should have internal encryption enabled"
+- **Function apps should only be accessible over HTTPS**
+ - Update scope of policy to exclude Logic apps
+- **App Service should use a virtual network service endpoint**
+ - Rename of policy to "App Service apps should use a virtual network service endpoint"
+ - Update scope of policy to include all app types except Function apps
+ ### June 2022 -- Deprecation of policy "API App should only be accessible over HTTPS"-- Rename of policy "Web Application should only be accessible over HTTPS" to "App Service apps should only be accessible over HTTPS"-- Update scope of policy "App Service apps should only be accessible over HTTPS" to include all app types except Function apps-- Update scope of policy "App Service apps should only be accessible over HTTPS" to include slots-- Update scope of policy "Function apps should only be accessible over HTTPS" to include slots-- Update logic of policy "App Service apps should use a SKU that supports private link" to include checks on App Service plan tier or name so that the policy supports Terraform deployments-- Update list of supported SKUs of policy "App Service apps should use a SKU that supports private link" to include the Basic and Standard tiers
+- Deprecation of policy **API App should only be accessible over HTTPS**
+- **Web Application should only be accessible over HTTPS**
+ - Rename of policy to "App Service apps should only be accessible over HTTPS"
+ - Update scope of policy to include all app types except Function apps
+ - Update scope of policy to include slots
+- **Function apps should only be accessible over HTTPS**
+ - Update scope of policy to include slots
+- **App Service apps should use a SKU that supports private link**
+ - Update logic of policy to include checks on App Service plan tier or name so that the policy supports Terraform deployments
+ - Update list of supported SKUs of policy to include the Basic and Standard tiers
## Next steps
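Review bot: The new name for the Web app Java policy is missing its closing single quote: "App Service apps that use Java should use the latest 'Java version" should end with 'Java version'", as the Function app entry directly above it does. Since this changelog is where readers look up the renamed policy, the quoted names should match the published display names character for character.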
application-gateway Application Gateway Components https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/application-gateway-components.md
Listeners support the following ports and protocols.
### Ports
-A port is where a listener listens for the client request. You can configure ports ranging from 1 to 65502 for the v1 SKU and 1 to 65199 for the v2 SKU.
+A port is where a listener listens for the client request. You can configure ports for v1 and v2 SKUs as per below.
+
+| SKU | Supported port range | Exception(s) |
+| - | - | - |
+| V2 | 1 to 64999 | 22 |
+| V1 | 1 to 65502 | 3389 |
### Protocols
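Review bot: The V2 upper bound changes from 65199 in the removed sentence to 64999 in the new table, and nothing in the change says whether this corrects an error or reflects a new limit. Please confirm the value and say so in the commit message, because readers size firewall and NSG rules from this range. The table also writes "V2" and "V1" while the sentence above it writes "v1 and v2", and it lists V2 first. Use one casing and one order, and name the exception column for what it holds, for example "Ports not allowed".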
azure-cache-for-redis Cache Best Practices Memory Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-best-practices-memory-management.md
Add monitoring on memory usage to ensure that you don't run out of memory and ha
Configure your [maxmemory-reserved setting](cache-configure.md#memory-policies) to improve system responsiveness: -- A sufficient reservation setting is especially important for write-heavy workloads or if you're storing values of 100 KB or more in your cache. By default when you create a cache, 10% of the available memory is reserved for `maxmemory-reserved`. Another 10% is reserved for `maxfragmentationmemory-reserved`. You can increase the amount reserved if you have write-heavy loads.
+- A sufficient reservation setting is especially important for write-heavy workloads or if you're storing values of 100 KB or more in your cache. By default when you create a cache, approximately 10% of the available memory is reserved for `maxmemory-reserved`. Another 10% is reserved for `maxfragmentationmemory-reserved`. You can increase the amount reserved if you have write-heavy loads.
- The `maxmemory-reserved` setting configures the amount of memory, in MB per instance in a cluster, that is reserved for non-cache operations, such as replication during failover. Setting this value allows you to have a more consistent Redis server experience when your load varies. This value should be set higher for workloads that write large amounts of data. When memory is reserved for such operations, it's unavailable for storage of cached data. The allowed range for `maxmemory-reserved` is 10% - 60% of `maxmemory`. If you try to set these values lower than 10% or higher than 60%, they are re-evaluated and set to the 10% minimum and 60% maximum. The values are rendered in megabytes.
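Review bot: "approximately" is added to the `maxmemory-reserved` default only, while the next sentence still says "Another 10%" for `maxfragmentationmemory-reserved` with no qualifier. If both defaults are approximate, qualify both. If only the first is, say why, since the following bullet states a hard allowed range of 10% to 60% and a default below 10% would fall outside it.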
azure-maps Clustering Point Data Web Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/clustering-point-data-web-sdk.md
The `DataSource` class provides the following methods related to clustering as w
|--|-|-| | getClusterChildren(clusterId: number) | Promise&lt;Array&lt;Feature&lt;Geometry, any&gt; \| Shape&gt;&gt; | Retrieves the children of the given cluster on the next zoom level. These children may be a combination of shapes and subclusters. The subclusters will be features with properties matching ClusteredProperties. | | getClusterExpansionZoom(clusterId: number) | Promise&lt;number&gt; | Calculates a zoom level at which the cluster will start expanding or break apart. |
-| getClusterLeaves(clusterId: number, limit: number, offset: number) | Promise&lt;Array&lt;Feature&lt;Geometry, any&gt; \| Shape&gt;&gt; | Retrieves all points in a cluster. Set the `limit` to return a subset of the points, and use the `offset` to page through the points. |
+| getClusterLeaves(clusterId: number, limit: number, offset: number) | Promise&lt;Array&lt;Feature&lt;Geometry, any&gt; \| Shape&gt;&gt; | Retrieves the points in a cluster. By default the first 10 points are returned. To page through the points, use `limit` to specify the number of points to return, and `offset` to step through the index of points. To return all points, set `limit` to `Infinity` and don't set `offset`. |
## Display clusters using a bubble layer
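Review bot: The new description of `getClusterLeaves` says the first 10 points are returned by default and tells readers not to set `offset`, but the signature in the first column still shows `limit: number, offset: number` as required parameters. Mark both as optional in the signature (`limit?: number, offset?: number`) so the two columns agree.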
See code examples to add functionality to your app:
> [Add a symbol layer](map-add-pin.md) > [!div class="nextstepaction"]
-> [Add a heat map layer](map-add-heat-map-layer.md)
+> [Add a heat map layer](map-add-heat-map-layer.md)
azure-monitor Alerts Action Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-action-rules.md
Some common use cases for alert processing rules include:
### Notification suppression during planned maintenance
-Many customers set up a planned maintenance time for their resources, either on a one-off basis or on a regular schedule. The planned maintenance may cover a single resource like a virtual machine, or multiple resources like all virtual machines in a resource group. Those customers may choose to stop receiving alert notifications for those resources during the maintenance window.
-
-Other customers do not need to receive alert notifications at all outside of their business hours.
+Many customers set up a planned maintenance time for their resources, either on a one-off basis or on a regular schedule. The planned maintenance may cover a single resource like a virtual machine, or multiple resources like all virtual machines in a resource group. So, you may want to stop receiving alert notifications for those resources during the maintenance window. In other cases, you may prefer to not receive alert notifications at all outside of your business hours. Alert processing rules allow you to achieve that.
-You could suppress alert notifications by disabling the alert rules themselves, but this approach has several limitations:
- * You could disable the relevant alert rule at the beginning of the maintenance window. Once the maintenance is over, you can then re-enable the alert rule. However, this approach is only practical if the scope of the alert rule is exactly the scope of the resources under maintenance. For example, a single alert rule might cover multiple resources, but only one of those resources is going through maintenance. So, if you disable the alert rule, you will miss valid alerts on the remaining resources covered by that rule.
+You could alternatively suppress alert notifications by disabling the alert rules themselves at the beginning of the maintenance window, and re-enabling them once the maintenance is over. In that case, the alerts won't fire in the first place. However, that approach has several limitations:
+ * This approach is only practical if the scope of the alert rule is exactly the scope of the resources under maintenance. For example, a single alert rule might cover multiple resources, but only a few of those resources are going through maintenance. So, if you disable the alert rule, you will not be alerted when the remaining resources covered by that rule run into issues.
* You may have many alert rules that cover the resource. Updating all of them is time consuming and error prone.
- * You might have some alerts that are not created by an alert rule at all.
+ * You might have some alerts that are not created by an alert rule at all, like alerts from Azure Backup.
+
In all these cases, an alert processing rule provides an easy way to achieve the notification suppression goal. ### Management at scale
This action adds one or more action groups to the affected fired alerts.
### When should this rule apply?
-You may optionally control when will the rule apply. By default, the rule is applied unconditionally as long as it is enabled. However, you can select a one-off window for this rule to apply, or have a recurring window such as a weekly recurrence.
+You may optionally control when will the rule apply. By default, the rule is always active. However, you can select a one-off window for this rule to apply, or have a recurring window such as a weekly recurrence.
## Configuring an alert processing rule
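Review bot: The edited line keeps the inverted word order in "You may optionally control when will the rule apply." Since the sentence after it is being rewritten anyway, fix this one in the same change: "You can optionally control when the rule applies."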
In the second tab (**Rule settings**), you select which action to apply on the a
![Alert processing rules wizard - rule settings tab.](media/alerts-action-rules/action-rules-wizard-rule-settings-tab.png)
-In the third tab (**Scheduling**), you select an optional schedule for the rule. By default the rule works all the time, as long as it is not disabled. However, you can set it to work **on a specific time**, or **set up a recurring schedule**.
+In the third tab (**Scheduling**), you select an optional schedule for the rule. By default the rule works all the time, unless you disable it. However, you can set it to work **on a specific time**, or **set up a recurring schedule**.
Let's see an example of a schedule for a one-off, overnight, planned maintenance. It starts in the evening until the next morning, in a specific timezone: ![Alert processing rules wizard - scheduling tab - one-off schedule.](media/alerts-action-rules/action-rules-wizard-scheduling-tab-once.png)
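Review bot: This hunk describes the default as "the rule works all the time, unless you disable it", while the hunk above in the same file now says "the rule is always active". Both sentences describe the same default, so use one wording in both places to avoid suggesting two different behaviours.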
azure-monitor Alerts Common Schema Definitions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-common-schema-definitions.md
Any alert instance describes the resource that was affected and the cause of the
| monitorCondition | When an alert fires, the alert's monitor condition is set to **Fired**. When the underlying condition that caused the alert to fire clears, the monitor condition is set to **Resolved**. | | monitoringService | The monitoring service or solution that generated the alert. The fields for the alert context are dictated by the monitoring service. | | alertTargetIds | The list of the Azure Resource Manager IDs that are affected targets of an alert. For a log alert defined on a Log Analytics workspace or Application Insights instance, it's the respective workspace or application. |
-| configurationItems | The list of affected resources of an alert. The configuration items can be different from the alert targets in some cases, e.g. in metric-for-log or log alerts defined on a Log Analytics workspace, where the configuration items are the actual resources sending the telemetry, and not the workspace. This field is used by ITSM systems to correlate alerts to resources in a CMDB. |
+| configurationItems |The list of affected resources of an alert.<br>In some cases, the configuration items can be different from the alert targets. For example, in metric-for-log or log alerts defined on a Log Analytics workspace, the configuration items are the actual resources sending the telemetry, and not the workspace.<br><ul><li>In the log alerts API (Scheduled Query Rules) v2021-08-01, the configurationItem values are taken from explicitly defined dimensions in this priority: 'Computer', '_ResourceId', 'ResourceId', 'Resource'.</li><li>In earlier versions of the log alerts API, the configurationItem values are taken implicitly from the results in this priority: 'Computer', '_ResourceId', 'ResourceId', 'Resource'.</li></ul>In ITSM systems, the configurationItems field is used to correlate alerts to resources in a CMDB. |
| originAlertId | The ID of the alert instance, as generated by the monitoring service generating it. | | firedDateTime | The date and time when the alert instance was fired in Coordinated Universal Time (UTC). | | resolvedDateTime | The date and time when the monitor condition for the alert instance is set to **Resolved** in UTC. Currently only applicable for metric alerts.|
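Review bot: The new cell refers to "configurationItem values" in both list items, but the field is `configurationItems`, and the last sentence of the same cell uses the plural. Use the field name as it appears in the schema, in code formatting. The two list items also repeat the identical priority list and differ only in "explicitly defined dimensions" versus "implicitly from the results". State the priority once and then describe the difference between the API versions. The row also drops the space after the opening pipe ("|The list"), unlike the rows around it.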
azure-monitor Alerts Metric https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-metric.md
You can learn more about how metric alerts work from [metric alerts overview](./
The following procedure describes how to create a metric alert rule in Azure portal:
-1. In [Azure portal](https://portal.azure.com), click on **Monitor**. The Monitor blade consolidates all your monitoring settings and data in one view.
+1. In [Azure portal](https://portal.azure.com), click on **All Services -> Monitor**. The Monitor blade consolidates all your monitoring settings and data in one view.
2. Click **Alerts**, then expand the **+ Create** menu and select **Alert rule**.
azure-monitor Alerts Types https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-types.md
This table can help you decide when to use what type of alert. For more detailed
|Alert Type |When to Use |Pricing Information| ||||
-|Metric alert|Metric alerts are useful when you want to be alerted about data that requires little or no manipulation. Metric data is stored in the system already pre-computed, so metric alerts are less expensive than log alerts. If the data you want to monitor is available in metric data, you would want to metric alerts.|Each metrics alert rule is charged based on the number of time-series that are monitored. |
+|Metric alert|Metric alerts are useful when you want to be alerted about data that requires little or no manipulation. Metric data is stored in the system already pre-computed, so metric alerts are less expensive than log alerts. If the data you want to monitor is available in metric data, using metric alerts is recommended.|Each metrics alert rule is charged based on the number of time-series that are monitored. |
|Log alert|Log alerts allow you to perform advanced logic operations on your data. If the data you want to monitor is available in logs, or requires advanced logic, you can use the robust features of KQL for data manipulation using log alerts. Log alerts are more expensive than metric alerts.|Each Log Alert rule is billed based the interval at which the log query is evaluated (more frequent query evaluation results in a higher cost). Additionally, for Log Alerts configured for [at scale monitoring](#splitting-by-dimensions-in-log-alert-rules), the cost will also depend on the number of time series created by the dimensions resulting from your query. | |Activity Log alert|Activity logs provide auditing of all actions that occurred on resources. Use activity log alerts to be alerted when a specific event happens to a resource, for example, a restart, a shutdown, or the creation or deletion of a resource.|For more information, see the [pricing page](https://azure.microsoft.com/pricing/details/monitor/).|
azure-monitor Change Analysis Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/change/change-analysis-enable.md
+
+ Title: Enable Change Analysis | Microsoft Docs
+description: Use Change Analysis in Azure Monitor to track and troubleshoot issues on your live site.
+++
+ms.contributor: cawa
Last updated : 07/05/2022 ++++
+# Enable Change Analysis
+
+The Change Analysis service:
+- Computes and aggregates change data from the data sources mentioned earlier.
+- Provides a set of analytics for users to:
+ - Easily navigate through all resource changes.
+ - Identify relevant changes in the troubleshooting or monitoring context.
+
+Register the `Microsoft.ChangeAnalysis` resource provider with an Azure Resource Manager subscription to make the tracked properties and proxied settings change data available. The `Microsoft.ChangeAnalysis` resource is automatically registered as you either:
+- Enter the Web App **Diagnose and Solve Problems** tool, or
+- Bring up the Change Analysis standalone tab.
+
+In this guide, you'll learn the two ways to enable Change Analysis for web app in-guest changes:
+- For one or a few web apps, enable Change Analysis via the UI.
+- For a large number of web apps (for example, 50+ web apps), enable Change Analysis using the provided PowerShell script.
+
+## Enable Change Analysis via the Azure portal UI
+
+For web app in-guest changes, separate enablement is required for scanning code files within a web app. For more information, see [Change Analysis in the Diagnose and solve problems tool](change-analysis-visualizations.md#diagnose-and-solve-problems-tool) section.
+
+> [!NOTE]
+> You may not immediately see web app in-guest file changes and configuration changes. Restart your web app and you should be able to view changes within 30 minutes. If not, refer to [the troubleshooting guide](./change-analysis-troubleshoot.md#cannot-see-in-guest-changes-for-newly-enabled-web-app).
+
+1. Navigate to Azure Monitor's Change Analysis UI in the portal.
+
+1. Enable web app in-guest change tracking by either:
+
+ - Selecting **Enable Now** in the banner, or
+
+ :::image type="content" source="./media/change-analysis/enable-changeanalysis.png" alt-text="Screenshot of the Application Changes options from the banner.":::
+
+ - Selecting **Configure** from the top menu.
+
+ :::image type="content" source="./media/change-analysis/configure-button.png" alt-text="Screenshot of the Application Changes options from the top menu.":::
+
+1. Toggle on **Change Analysis** status and select **Save**.
+
+ :::image type="content" source="./media/change-analysis/change-analysis-on.png" alt-text="Screenshot of the Enable Change Analysis user interface.":::
+
+ - The tool displays all web apps under an App Service plan, which you can toggle on and off individually.
+
+ :::image type="content" source="./media/change-analysis/change-analysis-on-2.png" alt-text="Screenshot of the Enable Change Analysis user interface expanded.":::
+
+You can also view change data via the **Web App Down** and **Application Crashes** detectors. The graph summarizes:
+- The change types over time.
+- Details on those changes.
+
+By default, the graph displays changes from within the past 24 hours help with immediate problems.
++
+## Enable Change Analysis at scale using PowerShell
+
+If your subscription includes several web apps, run the following script to enable *all web apps* in your subscription.
+
+### Pre-requisites
+
+PowerShell Az Module. Follow instructions at [Install the Azure PowerShell module](/powershell/azure/install-az-ps)
+
+### Run the following script:
+
+```PowerShell
+# Log in to your Azure subscription
+Connect-AzAccount
+
+# Get subscription Id
+$SubscriptionId = Read-Host -Prompt 'Input your subscription Id'
+
+# Make Feature Flag visible to the subscription
+Set-AzContext -SubscriptionId $SubscriptionId
+
+# Register resource provider
+Register-AzResourceProvider -ProviderNamespace "Microsoft.ChangeAnalysis"
+
+# Enable each web app
+$webapp_list = Get-AzWebApp | Where-Object {$_.kind -eq 'app'}
+foreach ($webapp in $webapp_list)
+{
+ $tags = $webapp.Tags
+ $tags["hidden-related:diagnostics/changeAnalysisScanEnabled"]=$true
+ Set-AzResource -ResourceId $webapp.Id -Tag $tags -Force
+}
+```
+
+## Next steps
+
+- Learn about [visualizations in Change Analysis](change-analysis-visualizations.md)
+- Learn how to [troubleshoot problems in Change Analysis](change-analysis-troubleshoot.md)
+- Enable Application Insights for [Azure App Services apps](../../azure-monitor/app/azure-web-apps.md).
+- Enable Application Insights for [Azure VM and Azure virtual machine scale set IIS-hosted apps](../../azure-monitor/app/azure-vm-vmss-apps.md).
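Review bot: The at-scale script does not do what the text above it promises. The filter `Where-Object {$_.kind -eq 'app'}` keeps only resources whose kind is exactly `app`, while the text says it enables *all web apps* in the subscription, so state which kinds are skipped or widen the filter. The loop also indexes into `$webapp.Tags` without checking that it is set, so add a guard that creates an empty hashtable when the app has no tags. The comment "# Make Feature Flag visible to the subscription" sits above `Set-AzContext`, which only selects the subscription, and should say that. Two prose points from the move into a standalone article: "the data sources mentioned earlier" now has nothing earlier to refer to, and "changes from within the past 24 hours help with immediate problems" is missing "to".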
azure-monitor Change Analysis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/change/change-analysis.md
ms.contributor: cawa Previously updated : 05/20/2022 Last updated : 06/29/2022
Building on the power of [Azure Resource Graph](../../governance/resource-graph/
> [!NOTE] > Change Analysis is currently only available in Public Azure Cloud.
-## Overview
+## Change Analysis architecture
Change Analysis detects various types of changes, from the infrastructure layer through application deployment. Change Analysis is a subscription-level Azure resource provider that: - Checks resource changes in the subscription.
Network resources are usually provisioned in the same resource group as the reso
:::image type="content" source="./media/change-analysis/network-changes.png" alt-text="Screenshot of Networking changes":::
-## Azure Monitor's Change Analysis service enablement
-
-The Change Analysis service:
-- Computes and aggregates change data from the data sources mentioned earlier. -- Provides a set of analytics for users to:
- - Easily navigate through all resource changes.
- - Identify relevant changes in the troubleshooting or monitoring context.
-
-### Enable Change Analysis
-
-You'll need to register the `Microsoft.ChangeAnalysis` resource provider with an Azure Resource Manager subscription to make the tracked properties and proxied settings change data available. The `Microsoft.ChangeAnalysis` resource is automatically registered as you either:
-- Enter the Web App **Diagnose and Solve Problems** tool, or -- Bring up the Change Analysis standalone tab.-
-### Enable Change Analysis for web app in-guest changes
-
-For web app in-guest changes, separate enablement is required for scanning code files within a web app. For more information, see [Change Analysis in the Diagnose and solve problems tool](change-analysis-visualizations.md#diagnose-and-solve-problems-tool) section.
-
-> [!NOTE]
-> You may not immediately see web app in-guest file changes and configuration changes. Restart your web app and you should be able to view changes within 30 minutes. If not, refer to [the troubleshooting guide](./change-analysis-troubleshoot.md#cannot-see-in-guest-changes-for-newly-enabled-web-app).
-
-1. Select **Availability and Performance**.
-
- :::image type="content" source="./media/change-analysis/availability-and-performance.png" alt-text="Screenshot of the Availability and Performance troubleshooting options":::
-
-2. Select **Application Changes (Preview)**.
-
- :::image type="content" source="./media/change-analysis/application-changes.png" alt-text="Screenshot of the Application Changes button":::
-
- The link leads to Azure Monitor's Change Analysis UI scoped to the web app.
-
-3. Enable web app in-guest change tracking by either:
-
- - Selecting **Enable Now** in the banner, or
-
- :::image type="content" source="./media/change-analysis/enable-changeanalysis.png" alt-text="Screenshot of the Application Changes options from the banner":::
-
- - Selecting **Configure** from the top menu.
-
- :::image type="content" source="./media/change-analysis/configure-button.png" alt-text="Screenshot of the Application Changes options from the top menu":::
-
-4. Toggle on **Change Analysis** status and select **Save**.
-
- :::image type="content" source="./media/change-analysis/change-analysis-on.png" alt-text="Screenshot of the Enable Change Analysis user interface":::
-
- - The tool displays all web apps under an App Service plan, which you can toggle on and off individually.
-
- :::image type="content" source="./media/change-analysis/change-analysis-on-2.png" alt-text="Screenshot of the Enable Change Analysis user interface expanded":::
-
-You can also view change data via the **Web App Down** and **Application Crashes** detectors. The graph summarizes:
-- The change types over time.-- Details on those changes. -
-By default, the graph displays changes from within the past 24 hours help with immediate problems.
--
-### Enable Change Analysis at scale for Web App in-guest file and environment variable changes
-
-If your subscription includes several web apps, enabling the service at the web app level would be inefficient. Instead, run the following script to enable all web apps in your subscription.
-
-#### Pre-requisites
-
-PowerShell Az Module. Follow instructions at [Install the Azure PowerShell module](/powershell/azure/install-az-ps)
-
-#### Run the following script:
-
-```PowerShell
-# Log in to your Azure subscription
-Connect-AzAccount
-
-# Get subscription Id
-$SubscriptionId = Read-Host -Prompt 'Input your subscription Id'
-
-# Make Feature Flag visible to the subscription
-Set-AzContext -SubscriptionId $SubscriptionId
-
-# Register resource provider
-Register-AzResourceProvider -ProviderNamespace "Microsoft.ChangeAnalysis"
-
-# Enable each web app
-$webapp_list = Get-AzWebApp | Where-Object {$_.kind -eq 'app'}
-foreach ($webapp in $webapp_list)
-{
- $tags = $webapp.Tags
- $tags[ΓÇ£hidden-related:diagnostics/changeAnalysisScanEnabledΓÇ¥]=$true
- Set-AzResource -ResourceId $webapp.Id -Tag $tags -Force
-}
-
-```
- ## Next steps
+- Learn about [enabling Change Analysis](change-analysis-enable.md)
- Learn about [visualizations in Change Analysis](change-analysis-visualizations.md) - Learn how to [troubleshoot problems in Change Analysis](change-analysis-troubleshoot.md) - Enable Application Insights for [Azure App Services apps](../../azure-monitor/app/azure-web-apps.md).
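Review bot: The removed steps 1 and 2 ("Select **Availability and Performance**", "Select **Application Changes (Preview)**") were the only instructions for reaching the Change Analysis UI scoped to a web app. Their replacement in change-analysis-enable.md is "Navigate to Azure Monitor's Change Analysis UI in the portal", which does not say how. Carry the navigation path over to the new article or link to where it is documented. The heading rename from "Overview" to "Change Analysis architecture" also changes the section anchor, so check for inbound links to the old anchor.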
azure-monitor Log Analytics Workspace Insights Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/log-analytics-workspace-insights-overview.md
Previously updated : 06/27/2021 Last updated : 06/27/2022
azure-monitor Logs Export Logic App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/logs-export-logic-app.md
SecurityEvent
| project TimeGenerated , Account , AccountType , Computer ```
-When you export the data on a schedule, use the ingestion_time() function in your query to ensure that you donΓÇÖt miss late arriving data. If data is delayed due to network or platform issues, using the ingestion time ensures that data is included in the next Logic App execution. See *Add Azure Monitor Logs action* under [Logic App procedure]](#logic-app-procedure) for an example.
+When you export the data on a schedule, use the ingestion_time() function in your query to ensure that you donΓÇÖt miss late arriving data. If data is delayed due to network or platform issues, using the ingestion time ensures that data is included in the next Logic App execution. See *Add Azure Monitor Logs action* under [Logic App procedure](#logic-app-procedure) for an example.
## Prerequisites Following are prerequisites that must be completed before this procedure.
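Review bot: The corrected sentence still writes ingestion_time() as plain text. While fixing the link bracket, put the function name in code formatting (`ingestion_time()`) so it reads as the KQL function used in the query example above, not as prose.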
azure-monitor View Designer Conversion Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/view-designer-conversion-access.md
- Title: Azure Monitor view designer to workbooks conversion summary and access
-description: Permissions required for accessing workbooks when transitioning from views in Azure Monitor.
--- Previously updated : 02/07/2020---
-# View designer to workbooks conversion summary and access
-[View designer](view-designer.md) is a feature of Azure Monitor that allows you to create custom views to help you visualize data in your Log Analytics workspace, with charts, lists, and timelines. They are being phased out and replaced with workbooks, which provide additional functionality. This article details how you can create an overview summary and permissions required to access workbooks.
-
-## Creating your Workspace Summary from Azure Dashboard
-View designer users may be familiar with having an overview tile to represent a set of views. To maintain a visual overview like the view designer workspace summary, workbooks offers pinned steps, which can be pinned to your [Azure portal dashboard](../../azure-portal/azure-portal-dashboards.md). Just like the overview tiles in Workspace summary, pinned workbook items will link directly to the workbook view.
-
-You can take advantage of the high level of customization features provided with Azure dashboards, which allows auto refresh, moving, sizing, and additional filtering for your pinned items and visualizations.
-
-![Screenshot shows a customized Azure dashboard titled Workspace Summary.](media/view-designer-conversion-access/dashboard.png)
-
-Create a new Azure dashboard or select an existing dashboard to begin pinning workbooks items.
-
-To pin individual item, you will need to enable the pin icon for your specific step. To do so, select the corresponding **Edit** button for your step, then select the gear icon to open **Advanced Settings**. Check the option to **Always show the pin icon on this step**, and a pin icon will appear in the upper right corner of your step. This pin enables you to pin specific visualizations to your dashboard, like the overview tiles.
-
-![Pin step](media/view-designer-conversion-access/pin-step.png)
--
-You may also wish to pin multiple visualizations from the Workbook or the entire Workbook content to a dashboard. To pin the entire workbook, select **Edit** in the top toolbar to toggle **Edit Mode**. A pin icon will appear, allowing you to either pin the entire Workbook item or all of the individual steps and visualizations in the workbook.
-
-![Pin all](media/view-designer-conversion-access/pin-all.png)
-
-## Sharing and Viewing Permissions
-
-You can share your workbooks by selecting the **Share** icon from the top tool bar while in **Edit Mode**. You will be prompted to move your workbook to **Shared Reports**, which will generate a link that provides direct access to the workbook.
-
-In order for a user to view a shared workbook, they must have access to both the subscription and resource group the workbook is saved under.
-
-![Subscription-based access](media/view-designer-conversion-access/subscription-access.png)
-
-## Next steps
--- [Common tasks](view-designer-conversion-tasks.md)
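Review bot: The removed "Sharing and Viewing Permissions" section is where this article states that a user can view a shared workbook only with access to both the subscription and the resource group the workbook is saved under, and that moving a workbook to **Shared Reports** generates a direct-access link. Before the article is dropped, confirm that the workbooks documentation replacing it states the same access requirement, so that the permission model behind a shared link stays documented.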
azure-monitor View Designer Conversion Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/view-designer-conversion-examples.md
- Title: Azure Monitor view designer to workbooks conversion examples
-description: Examples for transitioning from views to workbooks in Azure Monitor.
--- Previously updated : 02/07/2020---
-# View designer conversion examples
-
-To replicate the view designer tabbed workbook, copy and paste the following code into the Advanced editor, denoted by the </> symbol in toolbar
-
-![Advanced Editor Toolbar](media/view-designer-conversion-examples/toolbar.png)
-
-Users may have to update their query settings and subscriptions to their own accessible resources
-
-## Vertical
-
-```Json
-{
- "version": "Notebook/1.0",
- "items": [
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [
- "/subscriptions/1f3fa6d2-851c-4a91-9087-1a050f3a9c38/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1f3fa6d2-851c-4a91-9087-1a050f3a9c38-eus"
- ],
- "parameters": [
- {
- "id": "f90c348b-4933-4b02-8959-1246d4ceb19c",
- "version": "KqlParameterItem/1.0",
- "name": "Subscription",
- "type": 6,
- "isRequired": true,
- "value": "/subscriptions/5c038d14-3833-463f-a492-de956f63f12a",
- "typeSettings": {
- "additionalResourceOptions": [
- "value::1"
- ],
- "includeAll": false
- }
- },
- {
- "id": "98860972-bc1f-4305-b15e-7c529c8def06",
- "version": "KqlParameterItem/1.0",
- "name": "TimeRange",
- "type": 4,
- "isRequired": true,
- "value": {
- "durationMs": 86400000
- },
- "typeSettings": {
- "selectableValues": [
- {
- "durationMs": 300000
- },
- {
- "durationMs": 900000
- },
- {
- "durationMs": 1800000
- },
- {
- "durationMs": 3600000
- },
- {
- "durationMs": 14400000
- },
- {
- "durationMs": 43200000
- },
- {
- "durationMs": 86400000
- },
- {
- "durationMs": 172800000
- },
- {
- "durationMs": 259200000
- },
- {
- "durationMs": 604800000
- },
- {
- "durationMs": 1209600000
- },
- {
- "durationMs": 2419200000
- },
- {
- "durationMs": 2592000000
- },
- {
- "durationMs": 5184000000
- },
- {
- "durationMs": 7776000000
- }
- ]
- }
- }
- ],
- "style": "pills",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "name": "parameters - 5"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "search *\r\n| where TimeGenerated {TimeRange}\r\n | summarize AggregatedValue = count() by Type | order by AggregatedValue desc\r\n| render piechart ",
- "size": 1,
- "showAnalytics": true,
- "title": "Data Type Distribution",
- "exportToExcelOptions": "visible",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "crossComponentResources": [
- "/subscriptions/5c038d14-3833-463f-a492-de956f63f12a/resourceGroups/Aul-RG/providers/Microsoft.OperationalInsights/workspaces/AUL-Test"
- ]
- },
- "customWidth": "50",
- "showPin": true,
- "name": "query - 0",
- "styleSettings": {
- "showBorder": true
- }
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "search * | summarize Count = count() by Type",
- "size": 1,
- "showAnalytics": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "exportToExcelOptions": "visible",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "crossComponentResources": [
- "/subscriptions/5c038d14-3833-463f-a492-de956f63f12a/resourceGroups/Aul-RG/providers/Microsoft.OperationalInsights/workspaces/AUL-Test"
- ],
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "Type",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "Count",
- "formatter": 4,
- "formatOptions": {
- "showIcon": true,
- "aggregation": "Count"
- },
- "numberFormat": {
- "unit": 17,
- "options": {
- "style": "decimal"
- }
- }
- }
- ],
- "labelSettings": [
- {
- "columnId": "Type",
- "label": "Type"
- },
- {
- "columnId": "Count",
- "label": "Count"
- }
- ]
- }
- },
- "customWidth": "50",
- "name": "query - 1",
- "styleSettings": {
- "showBorder": true
- }
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "search *\r\n| summarize AggregatedValue = count() by Type, bin(TimeGenerated, 1h)\r\n| sort by TimeGenerated desc\r\n| render linechart\r\n",
- "size": 1,
- "showAnalytics": true,
- "title": "Data Types Over Time",
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "exportToExcelOptions": "visible",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "crossComponentResources": [
- "/subscriptions/5c038d14-3833-463f-a492-de956f63f12a/resourceGroups/Aul-RG/providers/Microsoft.OperationalInsights/workspaces/AUL-Test"
- ]
- },
- "customWidth": "50",
- "showPin": true,
- "name": "query - 2",
- "styleSettings": {
- "showBorder": true
- }
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "search * | summarize Count = count() by Type",
- "size": 1,
- "showAnalytics": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "exportToExcelOptions": "visible",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "crossComponentResources": [
- "/subscriptions/5c038d14-3833-463f-a492-de956f63f12a/resourceGroups/Aul-RG/providers/Microsoft.OperationalInsights/workspaces/AUL-Test"
- ],
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "Type",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "Count",
- "formatter": 4,
- "formatOptions": {
- "showIcon": true
- },
- "numberFormat": {
- "unit": 17,
- "options": {
- "style": "decimal"
- }
- }
- }
- ],
- "labelSettings": [
- {
- "columnId": "Type",
- "label": "Type"
- },
- {
- "columnId": "Count",
- "label": "Count"
- }
- ]
- }
- },
- "customWidth": "50",
- "name": "query - 3",
- "styleSettings": {
- "showBorder": true
- }
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "search *\r\n| summarize AggregatedValue = count() by Computer | summarize Count = count()",
- "size": 1,
- "showAnalytics": true,
- "title": "Computers sending data",
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "exportToExcelOptions": "visible",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "crossComponentResources": [
- "/subscriptions/5c038d14-3833-463f-a492-de956f63f12a/resourceGroups/Aul-RG/providers/Microsoft.OperationalInsights/workspaces/AUL-Test"
- ],
- "visualization": "tiles",
- "tileSettings": {
- "titleContent": {
- "formatter": 1,
- "formatOptions": {
- "showIcon": true
- }
- },
- "leftContent": {
- "columnMatch": "Count",
- "formatter": 12,
- "formatOptions": {
- "showIcon": true
- }
- },
- "showBorder": false
- }
- },
- "customWidth": "50",
- "showPin": true,
- "name": "query - 5",
- "styleSettings": {
- "showBorder": true
- }
- }
- ],
- "defaultResourceIds": [
- "/subscriptions/1f3fa6d2-851c-4a91-9087-1a050f3a9c38/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1f3fa6d2-851c-4a91-9087-1a050f3a9c38-eus",
- "/subscriptions/1f3fa6d2-851c-4a91-9087-1a050f3a9c38/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1f3fa6d2-851c-4a91-9087-1a050f3a9c38-eus"
- ],
- "fallbackResourceIds": [
- "/subscriptions/1f3fa6d2-851c-4a91-9087-1a050f3a9c38/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1f3fa6d2-851c-4a91-9087-1a050f3a9c38-eus",
- "/subscriptions/1f3fa6d2-851c-4a91-9087-1a050f3a9c38/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1f3fa6d2-851c-4a91-9087-1a050f3a9c38-eus"
- ],
- "styleSettings": {},
- "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
-```
-
-## Tabbed
-
-```Json
-{
- "version": "Notebook/1.0",
- "items": [
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "crossComponentResources": [],
- "parameters": [
- {
- "id": "81018bf4-b214-4d2f-bfac-9efb30ea7afb",
- "version": "KqlParameterItem/1.0",
- "name": "Subscription",
- "type": 6,
- "isRequired": true,
- "value": "",
- "typeSettings": {
- "additionalResourceOptions": [],
- "includeAll": false
- }
- },
- {
- "id": "12e24ac4-d5f3-42ec-9c32-118fd5438150",
- "version": "KqlParameterItem/1.0",
- "name": "TimeRange",
- "type": 4,
- "isRequired": true,
- "value": {
- "durationMs": 86400000
- },
- "typeSettings": {
- "selectableValues": [
- {
- "durationMs": 300000
- },
- {
- "durationMs": 900000
- },
- {
- "durationMs": 1800000
- },
- {
- "durationMs": 3600000
- },
- {
- "durationMs": 14400000
- },
- {
- "durationMs": 43200000
- },
- {
- "durationMs": 86400000
- },
- {
- "durationMs": 172800000
- },
- {
- "durationMs": 259200000
- },
- {
- "durationMs": 604800000
- },
- {
- "durationMs": 1209600000
- },
- {
- "durationMs": 2419200000
- },
- {
- "durationMs": 2592000000
- },
- {
- "durationMs": 5184000000
- },
- {
- "durationMs": 7776000000
- }
- ]
- }
- }
- ],
- "style": "pills",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "name": "parameters - 6"
- },
- {
- "type": 11,
- "content": {
- "version": "LinkItem/1.0",
- "style": "tabs",
- "links": [
- {
- "cellValue": "selectedTab",
- "linkTarget": "parameter",
- "linkLabel": "Data Type Distribution",
- "subTarget": "DataType",
- "style": "link"
- },
- {
- "cellValue": "selectedTab",
- "linkTarget": "parameter",
- "linkLabel": "Data Types Over Time",
- "subTarget": "OverTime",
- "style": "link"
- },
- {
- "cellValue": "selectedTab",
- "linkTarget": "parameter",
- "linkLabel": "Computers Sending Data",
- "subTarget": "Computers",
- "style": "link"
- }
- ]
- },
- "name": "links - 5"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "search * | summarize AggregatedValue = count() by Type | order by AggregatedValue desc\r\n| render piechart ",
- "size": 1,
- "showAnalytics": true,
- "title": "Data Type Distribution",
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "exportToExcelOptions": "visible",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "crossComponentResources": []
- },
- "conditionalVisibility": {
- "parameterName": "selectedTab",
- "comparison": "isEqualTo",
- "value": "DataType"
- },
- "customWidth": "50",
- "showPin": true,
- "name": "query - 0",
- "styleSettings": {
- "showBorder": true
- }
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "search * | summarize Count = count() by Type",
- "size": 1,
- "showAnalytics": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "exportToExcelOptions": "visible",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "crossComponentResources": [
- ],
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "Type",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "Count",
- "formatter": 4,
- "formatOptions": {
- "showIcon": true,
- "aggregation": "Count"
- },
- "numberFormat": {
- "unit": 17,
- "options": {
- "style": "decimal"
- }
- }
- }
- ],
- "labelSettings": [
- {
- "columnId": "Type",
- "label": "Type"
- },
- {
- "columnId": "Count",
- "label": "Count"
- }
- ]
- }
- },
- "conditionalVisibility": {
- "parameterName": "selectedTab",
- "comparison": "isEqualTo",
- "value": "DataType"
- },
- "customWidth": "50",
- "name": "query - 1",
- "styleSettings": {
- "showBorder": true
- }
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "search *\r\n| summarize AggregatedValue = count() by Type, bin(TimeGenerated, 1h)\r\n| sort by TimeGenerated desc\r\n| render linechart\r\n",
- "size": 1,
- "showAnalytics": true,
- "title": "Data Types Over Time",
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "exportToExcelOptions": "visible",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "crossComponentResources": [
- ]
- },
- "conditionalVisibility": {
- "parameterName": "selectedTab",
- "comparison": "isEqualTo",
- "value": "OverTime"
- },
- "customWidth": "50",
- "showPin": true,
- "name": "query - 2",
- "styleSettings": {
- "showBorder": true
- }
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "search * | summarize Count = count() by Type",
- "size": 1,
- "showAnalytics": true,
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "exportToExcelOptions": "visible",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "crossComponentResources": [
- ],
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "Type",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "Count",
- "formatter": 4,
- "formatOptions": {
- "showIcon": true
- },
- "numberFormat": {
- "unit": 17,
- "options": {
- "style": "decimal"
- }
- }
- }
- ],
- "labelSettings": [
- {
- "columnId": "Type",
- "label": "Type"
- },
- {
- "columnId": "Count",
- "label": "Count"
- }
- ]
- }
- },
- "conditionalVisibility": {
- "parameterName": "selectedTab",
- "comparison": "isEqualTo",
- "value": "OverTime"
- },
- "customWidth": "50",
- "name": "query - 3",
- "styleSettings": {
- "showBorder": true
- }
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "search *\r\n| summarize AggregatedValue = count() by Computer | summarize Count = count()",
- "size": 1,
- "showAnalytics": true,
- "title": "Computers sending data",
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "exportToExcelOptions": "visible",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "crossComponentResources": [
- ],
- "visualization": "tiles",
- "tileSettings": {
- "titleContent": {
- "formatter": 1,
- "formatOptions": {
- "showIcon": true
- }
- },
- "leftContent": {
- "columnMatch": "Count",
- "formatter": 12,
- "formatOptions": {
- "showIcon": true
- }
- },
- "showBorder": false
- }
- },
- "conditionalVisibility": {
- "parameterName": "selectedTab",
- "comparison": "isEqualTo",
- "value": "Computers"
- },
- "customWidth": "50",
- "showPin": true,
- "name": "query - 5",
- "styleSettings": {
- "showBorder": true
- }
- }
- ],
- "defaultResourceIds": [
- ],
- "fallbackResourceIds": [
- ],
- "styleSettings": {},
- "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
-```
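Review bot: The Vertical sample hard-codes what look like concrete subscription GUIDs, resource group names and workspace resource IDs in `crossComponentResources`, in the `Subscription` parameter's `value`, and in `defaultResourceIds` and `fallbackResourceIds`, while the Tabbed sample leaves the same fields empty. If either template is carried over to another article, use the empty form or clearly marked placeholders, so that a published sample does not expose tenant identifiers and a pasted workbook is not bound to resources the reader cannot access. The Vertical sample also lists the same workspace ID twice in both `defaultResourceIds` and `fallbackResourceIds`; one entry is enough.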
azure-monitor View Designer Conversion Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/view-designer-conversion-options.md
- Title: Azure Monitor view designer to workbooks conversion options
-description: Conversion options for transitioning from views to workbooks in Azure Monitor.
--- Previously updated : 02/07/2020---
-# Azure Monitor view designer to workbooks conversion options
-[View designer](view-designer.md) is a feature of Azure Monitor that allows you to create custom views to help you visualize data in your Log Analytics workspace, with charts, lists, and timelines. They are being phased out and replaced with workbooks which provide additional functionality. This article compares fundamental concepts between the two and options for converting views to workbooks.
-
-## Basic workbook designs
-
-View designer has a fixed static style of representation, while workbooks enable freedom to include and modify how the data is represented. The images below depict two examples of how you might arrange workbooks when converting views.
-
-[Vertical workbook](view-designer-conversion-examples.md#vertical)
-![Vertical](media/view-designer-conversion-options/view-designer-vertical.png)
-
-[Tabbed workbook](view-designer-conversion-examples.md#tabbed)
-![Data type distribution tab](media/view-designer-conversion-options/distribution-tab.png)
-![Data types over time tab](media/view-designer-conversion-options/over-time-tab.png)
-
-## Tile conversion
-View designer uses the overview tile feature to represent and summarize the overall state. These are represented in seven tiles, ranging from numbers to charts. In workbooks, users can create similar visualizations and pin them to resemble the original style of overview tiles.
-
-![Gallery](media/view-designer-conversion-options/overview.png)
--
-## View dashboard conversion
-View designer tiles typically consist of two sections, a visualization and a list that matches the data from the visualization, for example the **Donut & List** tile.
-
-![Donut](media/view-designer-conversion-options/donut-example.png)
-
-With workbooks, we allow the user to choose to query one or both sections of the view. Formulating queries in workbooks is a simple two-step process. First, the data is generated from the query, and second, the data is rendered as a visualization. An example of how this view would be recreated in workbooks is as follows:
-
-![Convert](media/view-designer-conversion-options/convert-donut.png)
--
-## Next steps
-- [Accessing workbooks & permissions](view-designer-conversion-access.md)
azure-monitor View Designer Conversion Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/view-designer-conversion-overview.md
- Title: Azure Monitor view designer to workbooks transition guide
-description: Transition from views to workbooks in Azure Monitor.
--- Previously updated : 08/04/2020---
-# Azure Monitor view designer to workbooks transition guide
-[View designer](view-designer.md) is a feature of Azure Monitor that allows you to create custom views to help you visualize data in your Log Analytics workspace, with charts, lists, and timelines. They have been transitioned to Workbooks to provide a flexible canvas for data analysis and creation of rich visual reports within the Azure portal. This article helps you make the transition from View designer to Workbooks.
--
-## Workbooks overview
-[Workbooks](../vm/vminsights-workbooks.md) combine text,ΓÇ»[log queries](/azure/data-explorer/kusto/query/), metrics, and parameters into rich interactive reports. Team members with the same access to Azure resources are also able to edit workbooks.
-
-Workbooks are helpful for scenarios such as:
--- Exploring the usage of your virtual machine when you don't know the metrics of interest in advance: CPU utilization, disk space, memory, network dependencies, etc. Unlike other usage analytics tools, workbooks let you combine multiple kinds of visualizations and analyses, making them great for this kind of free-form exploration.-- Explaining to your team how a recently provisioned VM is performing, by showing metrics for key counters and other log events.-- Sharing the results of a resizing experiment of your VM with other members of your team. You can explain the goals for the experiment with text, then show each usage metric and analytics queries used to evaluate the experiment, along with clear call-outs for whether each metric was above or below target.-- Reporting the impact of an outage on the usage of your VM, combining data, text explanation, and a discussion of next steps to prevent outages in the future.--
-## Why convert view designer dashboards to workbooks?
-
-View designer offers the ability to generate different query-based views and visualizations. However, many high-level customizations remain limited, such as formatting the grids and tile layouts or selecting alternative graphics to represent your data. View designer is restricted to a total of nine distinct tiles to represent your data.
-
-Workbooks is a platform that unlocks the full potential of your data. workbooks not only retain all the capabilities, but also supports additional functionality through text, metrics, parameters, and much more. For example, workbooks allow users to consolidate dense grids and add search bars to easily filter and analyze the data.
-
-### Advantages of using Workbooks over View Designer
-
-* Supports both logs and metrics.
-* Allows both personal views for individual access control and shared workbooks views.
-* Custom layout options with tabs, sizing, and scaling controls.
-* Support for querying across multiple Log Analytics workspaces, Application Insights applications, and subscriptions.
-* Enables custom parameters that dynamically update associated charts and visualizations.
-* Template gallery support from public GitHub.
-
-While this guide offers simple steps to directly recreate several of the commonly used view designer views, workbooks allow users to have the freedom to create and design any of their own custom visualizations and metrics. The following screenshot is from the [Workspace usage template](https://go.microsoft.com/fwlink/?linkid=874159&resourceId=Azure%20Monitor&featureName=Workbooks&itemId=community-Workbooks%2FAzure%20Monitor%20-%20Workspaces%2FWorkspace%20Usage&workbookTemplateName=Workspace%20Usage&func=NavigateToPortalFeature&type=workbook) and shows an example of what workbooks are capable of creating:
--
-![Example of workbooks application](media/view-designer-conversion-overview/workbook-template-example.jpg)
----
-## Next steps
--- [Conversion options](view-designer-conversion-options.md)
azure-monitor View Designer Conversion Tasks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/view-designer-conversion-tasks.md
- Title: Azure Monitor view designer to workbooks conversion common tasks
-description: Common tasks when transitioning from views to workbooks in Azure Monitor.
--- Previously updated : 02/07/2020---
-# View designer to workbooks conversion common tasks
-[View designer](view-designer.md) is a feature of Azure Monitor that allows you to create custom views to help you visualize data in your Log Analytics workspace, with charts, lists, and timelines. They are being phased out and replaced with workbooks which provide additional functionality. This article details tasks that are common in converting views to workbooks.
--
-## Quickstart with preset view designer templates
-
-Workbooks in Log Analytics workspaces already have templates made to match some of the views in view designer. Under the **View Designer Guides** category, select **View Designer Transition Guide** to learn about your options or select one of the preset templates.
-
-![Example templates](media/view-designer-conversion-tasks/templates.png)
-
-## Enabling time range filter
-View designer has a built-in default time range filter, however, in workbooks this setting is not enabled by default. Workbooks do allow users to create their own time range filters that might be more applicable to their data logs. The steps to generate the filter are listed below:
-
-Select the **Add parameters** option. The default **Style** is set to *Pills*.
-
-![Add Param](media/view-designer-conversion-tasks/add-param.png)
-
- Select the **Add Parameter** button.
-
-![Add Parameter](media/view-designer-conversion-tasks/add-parameter.png)
-
-From the sidebar menu, in the **Parameter name** textbox, type *TimeRange*. Set **Parameter Type** as *Time Range Picker*. Select the **Required?** checkbox.
-
-![Parameter Menu](media/view-designer-conversion-tasks/parameter-menu.png)
-
-Save the parameter in the upper left corner of the sidebar menu. You can leave the dropdown as *unset* by default or select a default **TimeRange** value, such as *24 hours*. Select **Done Editing**.
-
-Parameters can be used in queries by adding curly braces {} around your parameter name. More details on parameters can be found in the [Workbooks documentation on parameters](https://github.com/microsoft/Application-Insights-Workbooks/blob/master/Documentation/Parameters/Parameters.md).
-
-## Updating queries with the TimeRange parameter
-
-### Option 1: Select TimeRange from the Time Range dropdown
-
-![Time Parameter](media/view-designer-conversion-tasks/time-parameter.png)
-
-### Option 2: Update your log queries
-
-In your query add the line: `| where TimeGenerated {TimeRange}` as in the following example:
-
-Original query
-```KQL
-search *
-| summarize count() by Type
-```
-
-Updated query
-```KQL
-search *
-| where TimeGenerated {TimeRange}
-| summarize count() by Type
-```
-
-## Including a List
-Most of the view designer views include a list, and you can reproduce this standard list in a workbook.
-
-![Tile list](media/view-designer-conversion-tasks/tile-list.png)
-
-Add a visualization by clicking **Add query** from the cell options.
-
-![Add Param](media/view-designer-conversion-tasks/add-param.png)
-
-View designer employs a default query that matches the syntax from the Original example. This can be updated by changing the query to the updated form as in the following example:
-
-Original query
-```KQL
-search *
-| summarize AggregatedValue = count() by Type
-```
-
-Updated query
-```KQL
-search *
-| summarize Count = count() by Type
-```
-
-This will generate a list that looks similar to the following:
-
-![List Example](media/view-designer-conversion-tasks/list-example.png)
-
-## Enabling sparklines
-A common feature for grids is to add sparklines to summarize various data patterns over time. View designer offers the **Enable Sparklines** feature for all lists, as does workbooks. To include sparklines in your data that match view designer,join the data with your original query as in the following example:
-
-Original query
-```KQL
-search *
-| summarize AggregatedValue = count() by Type) on Type
-```
-
-Updated query
-```KQL
-search *
-| summarize AggregatedValue = count() by Type
-| join kind = inner (search *
- | make-series Trend = count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Type) on Type
-| project Type, AggregatedValue, Trend
-```
-
-Select **Column Settings**.
-![Column Settings](media/view-designer-conversion-tasks/column-settings.png)
-
-Update the **Column renderer** dropdown to be a *Spark area*.
-![Sparklines](media/view-designer-conversion-tasks/sparkline.png)
-
-Save the settings and run the query again to update your table to include a sparkline.
-
-The resulting grid will look similar to following:
-![Sparkline example](media/view-designer-conversion-tasks/sparkline-example.png)
-
-## Advanced cell settings
-To mirror view designer, you can perform tasks such as changing the size of workbook cells or adding pins and external links to logs.
-
-To access **Advanced Settings** select the gear icon at the bottom of each cell.
-
-![Advanced settings](media/view-designer-conversion-tasks/advanced-settings.png)
-
-This will display a menu with various options:
-
-![Advanced settings settings](media/view-designer-conversion-tasks/advanced-settings-settings.png)
-
-To add a pin and a link to an external query select the corresponding checkboxes. To add a title to your cell, type the desired title into the **Chart title** section.
-
-By default any workbooks cell is set to take up the entire page width, but you can adjust this by scaling the cell down under the **Style** tab of the **Advanced Settings** menu
-
-![Advanced settings style](media/view-designer-conversion-tasks/advanced-settings-style.png)
-
-
-## Additional parameters
-Select **Add Parameter** to create a new parameter in your workbook.
-
-To select a Subscription, type *Subscription* into the **Parameter name** field in the side menu and select *Subscription Picker* from the **Parameter type** dropdown
-
-![Subscription Menu](media/view-designer-conversion-tasks/subscription-filter.png)
-
-To select a Resource, type *Resource* into the **Parameter name** field in the side menu and select *Resource Picker* from the **Parameter type** dropdown.
-
-![Resource Menu](media/view-designer-conversion-tasks/resource-filter.png)
-
-This will insert dropdowns to let you access your various subscriptions and resources.
-
-![Subscription Resource Dropdown](media/view-designer-conversion-tasks/subscription-resource.png)
--
-## Next steps
-- [Tile conversions](view-designer-conversion-tiles.md)
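Review bot: In the "Enabling sparklines" section, the "Original query" ends with `| summarize AggregatedValue = count() by Type) on Type`, which has an unmatched closing parenthesis and a dangling `on Type` that belongs to the join in the updated query. It should read `| summarize AggregatedValue = count() by Type`, as in the "Including a List" section. Fix this if the section is moved into the workbooks documentation rather than deleted outright. The updated query also depends on `{TimeRange:start}`, `{TimeRange:end}` and `{TimeRange:grain}`, so a migrated version should say that the TimeRange parameter from "Enabling time range filter" must exist first.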
azure-monitor View Designer Conversion Tiles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/view-designer-conversion-tiles.md
- Title: Azure Monitor view designer to workbooks tile conversions
-description: Details for converting tiles to workbooks when transitioning from views in Azure Monitor.
--- Previously updated : 02/07/2020---
-# Azure Monitor view designer tile conversions
-[View designer](view-designer.md) is a feature of Azure Monitor that allows you to create custom views to help you visualize data in your Log Analytics workspace, with charts, lists, and timelines. They are being phased out and replaced with workbooks which provide additional functionality. This article provides details for converting different tiles to workbooks.
-
-## Donut & list tile
-
-![Donut List](media/view-designer-conversion-tiles/donut-list.png)
-
-Recreating the donut & list tile in workbooks involves two separate visualizations. For the donut portion there are two options.
-For both start by selecting **Add query** and paste the original query from view designer into the cell.
-
-**Option 1:** Select **Pie Chart** from the **Visualization** dropdown:
- ![Pie chart visualization menu](media/view-designer-conversion-tiles/pie-chart.png)
-
-**Option 2:** Select **Set by query** from the **Visualization** dropdown and add `| render piechart` to the query:
-
- ![Visualization Menu](media/view-designer-conversion-tiles/set-by-query.png)
-
-**Example**
-
-Original query
-```KQL
-search *
-| summarize AggregatedValue = count() by Type
-| order by AggregatedValue desc
-```
-
-Updated query
-```KQL
-search *
-| summarize AggregatedValue = count() by Type
-| order by AggregatedValue desc
-| render piechart
-```
-
-For creating a list and enabling sparklines, see the article on [common tasks](view-designer-conversion-tasks.md).
-
-Following is an example of how the donut & list tile might be reinterpreted in workbooks:
-
-![Donut list workbooks](media/view-designer-conversion-tiles/donut-workbooks.png)
-
-## Line chart & list tile
-![Line chart List](media/view-designer-conversion-tiles/line-list.png)
-
-To recreate the line chart portion update the query as follows:
-
-Original query
-```KQL
-search *
-| summarize AggregatedValue = count() by Type
-```
-
-Updated query
-```KQL
-search *
-| make-series Count = count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Type
-```
-
-There are two options for visualizing the line chart
-
-**Option 1:** Select **Line chart** from the **Visualization** dropdown:
-
- ![Line chart Menu](media/view-designer-conversion-tiles/line-visualization.png)
-
-**Option 2:** Select **Set by query** from the **Visualization** dropdown and add `| render linechart` to the query:
-
- ![Visualization Menu](media/view-designer-conversion-tiles/set-by-query.png)
-
-**Example**
-
-```KQL
-search *
-| make-series Count = count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Type
-| render linechart_
-```
-
-For creating a list and enabling sparklines, see the article on [common tasks](view-designer-conversion-tasks.md).
-
-Following is an example of how the line chart & list tile might be reinterpreted in workbooks:
-
-![Line chart list workbooks](media/view-designer-conversion-tiles/line-workbooks.png)
-
-## Number & list tile
-
- ![Tile list](media/view-designer-conversion-tiles/tile-list-example.png)
-
-For the number tile, update the query as follows:
-
-Original query
-```KQL
-search *
-| summarize AggregatedValue = count() by Computer | count
-```
-
-Updated query
-```KQL
-search *
-| summarize AggregatedValue = count() by Computer
-| summarize Count = count()
-```
-
-Change the Visualization dropdown to **Tiles** and then select **Tile Settings**.
- ![Tile Visualization](media/view-designer-conversion-tiles/tile-visualization.png)
-
-Leave the **Title** section blank and select **Left**. Change the value for **Use column:** to **Count**, and **Column Renderer** to **Big Number**:
-
-![Tile Settings](media/view-designer-conversion-tiles/tile-settings.png)
-
-
-For creating a list and enabling sparklines, see the article on [common tasks](view-designer-conversion-tasks.md).
-
-Following is an example of how the number & list tile might be reinterpreted in workbooks:
-
-![Number List Workbooks](media/view-designer-conversion-tiles/number-workbooks.png)
-
-## Timeline & List
-
- ![Timeline List](media/view-designer-conversion-tiles/time-list.png)
-
-For the timeline update your query as follows:
-
-Original query
-```KQL
-search *
-| sort by TimeGenerated desc
-```
-
-Updated query
-```KQL
-search *
-| summarize Count = count() by Computer, bin(TimeGenerated,{TimeRange:grain})
-```
-
-There are two options for visualizing the query as a bar chart:
-
-**Option 1:** Select **Bar chart** from the **Visualization** dropdown:
- ![Barchart visualization](media/view-designer-conversion-tiles/bar-visualization.png)
-
-**Option 2:** Select **Set by query** from the **Visualization** dropdown and add `| render barchart` to the query:
-
- ![Visualization menu](media/view-designer-conversion-tiles/set-by-query.png)
-
-
-For creating a list and enabling sparklines, see the article on [common tasks](view-designer-conversion-tasks.md).
-
-Following is an example of how the timeline & list tile might be reinterpreted in workbooks:
-
-![Timeline List Workbooks](media/view-designer-conversion-tiles/time-workbooks.png)
-
-## Next steps
--- [Overview of view designer to workbooks transition](view-designer-conversion-overview.md)
azure-monitor Workbooks Chart Visualizations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/workbooks-chart-visualizations.md
The series setting tab lets you adjust the labels and colors shown for series in
- The `Comment` field is useful for template authors, as this comment may be used by translators to localize the display labels. ![Screenshot of series settings.](./media/workbooks-chart-visualizations/series-settings.png)-
-## Next steps
--- Learn how to create a [tile in workbooks](workbooks-tile-visualizations.md).-- Learn how to create [interactive workbooks](workbooks-interactive.md).
azure-monitor Workbooks Configurations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/workbooks-configurations.md
+
+ Title: Azure Monitor workbooks with custom parameters
+description: Simplify complex reporting with prebuilt and custom parameterized workbooks
++++
+ ibiza
+ Last updated : 07/20/2020++
+# Workbook Configuration Options
+There are several ways you can configure Workbooks to suit your needs.
+
+## Workbook settings
+The workbooks settings has these tabs to help you configure your workbook.
++
+|Settings tab |Description |
+|||
+|Resources|This tab contains the resources that appear as default selections in this workbook.<br>The resource marked as the **Owner** resource is where the workbook will be saved, and the location of the workbooks and templates you'll see when browsing. The owner resource can't be removed.<br> You can add a default resource by selecting **Add Resources**. You can remove resources by selecting a resource or several resources, and selecting **Remove Selected Resources**. When you're done adding and removing resources, select **Apply Changes**.|
+|Versions| This tab contains a list of all the available versions of this workbook. Select a version and use the toolbar to compare, view, or restore versions. Previous workbook versions are available for 90 days.<br><ul><li>**Compare**: Compare the JSON of the previous workbook to the most recently saved version.</li><li>**View**: Opens the selected version of the workbook in a context pane.</li><li>**Restore**: Saves a new copy of the workbook with the contents of the selected version and overwrites any existing current content. You'll be prompted to confirm this action.</li></ul><br>|
+|Style |In this tab, you can set a padding and spacing style for the whole workbook. The possible options are `Wide`, `Standard`, `Narrow`, `None`. `Standard` is the default style setting.|
+|Pin |While in pin mode, you can select **Pin Workbook** to pin an item from this workbook to a dashboard. Select **Link to Workbook**, to pin a static link to this workbook on your dashboard. You can choose a specific item in your workbook to pin.|
+|Trusted hosts |In this tab, you can enable a trusted source or mark this workbook as trusted in this browser. See [trusted hosts](#trusted-hosts) for detailed information. |
+
+> [!NOTE]
+> Version history is not available for [Bring your own storage](workbooks-bring-your-own-storage.md) workbooks.
+
+**Versions tab**
++
+**Comparing versions**
+
+### Trusted hosts
+Enable trusted source or mark this workbook as trusted in this browser.
+
+| Control | Definition |
+| -- | -- |
+| Mark Workbook as trusted | If enabled, this Workbook will be able to call any endpoint, whether the host is marked as trusted or not. A workbook is trusted if it's a new workbook, an existing workbook is saved, or it's explicitly marked as a trusted workbook |
+| URL grid | A grid to explicitly add trusted hosts. |
+
+## Interactivity
+
+There are several ways that you can create interactive reports and experiences in workbooks.
+ - **Parameters**: When a user updates a [parameter](workbooks-parameters.md), any control that uses the parameter automatically refreshes and redraws to reflect the new value. This is how most of the Azure portal reports support interactivity. Workbooks provide this functionality in a straight-forward manner with minimal user effort.
+ - **Grid, tile, and chart selections**: You can construct scenarios where clicking a row in a grid updates subsequent charts based on the content of the row. For example, if you have a grid that shows a list of requests and some statistics like failure counts, you can set it up so that if you click on the row of a request, the detailed charts below update to show only that request. Learn how to [set up a grid row click](#set-up-a-grid-row-click).
+ - **Grid Cell Clicks**: You to add interactivity with a special type of grid column renderer called a [link renderer](#link-renderer-actions). A link renderer converts a grid cell into a hyperlink based on the contents of the cell. Workbooks support many kinds of link renderers including renderers that open resource overview blades, property bag viewers, App Insights search, usage, transaction tracing, etc. Learn how to [set up a grid cell click](#set-up-grid-cell-clicks).
+ - **Conditional Visibility**: You can make controls appear or disappear based on the values of parameters. This allows you to have reports that look different based on user input or telemetry state. For example, you can show consumers a summary when there are no issues, and show detailed information when there's something wrong. Learn how to [set up conditional visibility](#set-conditional-visibility).
+ - **Export parameters with multi-selections**: You can export parameters from query and metrics workbook items when a row or multiple rows are selected.Learn how to [set up multi-selects in grids and charts](#set-up-multi-selects-in-grids-and-charts).
++
+### Set up a grid row click
+
+1. Make sure you are in **Edit** mode by selecting the **Edit** in the toolbar.
+1. Select **Add query** to add a log query control to the workbook.
+1. Select the `log` query type, the resource type, and the target resources.
+1. Use the Query editor to enter the KQL for your analysis:
+
+ ```kusto
+ requests
+ | summarize AllRequests = count(), FailedRequests = countif(success == false) by Request = name
+ | order by AllRequests desc
+ ```
+
+1. Select **Run query** to see the results.
+1. Select **Advanced Settings** icon in query footer. This opens up the advanced settings pane.
+1. Select the **When an item is selected, export a parameter** checkbox.
+1. Select **Add Parameter** and fill in the following information:
+ - **Field to export**: `Request`
+ - **Parameter name**: `SelectedRequest`
+ - **Default value**: `All requests`
+1. [Optional.]If you want to export the entire contents of the selected row instead of just a particular column, leave the `Field to export` property unset. The entire row contents is exported as json to the parameter. On the referencing KQL control, use the `todynamic` function to parse the json and access the individual columns.
+1. Select **Save**.
+
+ :::image type="content" source="media/workbooks-configurations/workbooks-export-parameters-add.png" alt-text="Screenshot showing the advanced workbooks editor with settings for exporting fields as parameters.":::
+
+1. Select **Done Editing**.
+1. Add another query control as in the steps above.
+1. Use the Query editor to enter the KQL for your analysis.
+ ```kusto
+ requests
+ | where name == '{SelectedRequest}' or 'All Requests' == '{SelectedRequest}'
+ | summarize ['{SelectedRequest}'] = count() by bin(timestamp, 1h)
+ ```
+1. Select **Run query** to see the results.
+1. Change **Visualization** to `Area chart`.
+1. Choose a row to select in the first grid. Note how the area chart below filters to the selected request.
+
+The resulting report looks like this in edit mode:
+
+ :::image type="content" source="media/workbooks-configurations/workbooks-interactivity-grid-create.png" alt-text="Screenshot showing workbooks with the first two queries in edit mode.":::
+
+The following image shows a more elaborate interactive report in read mode based on the same principles. The report uses grid clicks to export parameters, which in turn is used in two charts and a text block.
+
+ :::image type="content" source="media/workbooks-configurations/workbooks-interactivity-grid-read.png" alt-text="Screenshot showing a workbook report using grid clicks.":::
+
+### Set up grid cell clicks
+
+1. Make sure you are in **Edit** mode by selecting the **Edit** in the toolbar.
+1. Select **Add query** to add a log query control to the workbook.
+1. Select the `log` query type, resource type and the target resources.
+1. Use the Query editor to enter the KQL for your analysis:
+
+ ```kusto
+ requests
+ | summarize Count = count(), Sample = any(pack_all()) by Request = name
+ | order by Count desc
+ ```
+
+1. Select **Run query** to see the results.
+1. Select **Column Settings** to open the settings pane.
+1. In the **Columns** section, set:
+ - Sample - Column Renderer: `Link`, View to open: `Cell Details`, Link Label: `Sample`
+ - Count - Column Renderer: `Bar`, Color palette: `Blue`, Minimum value: `0`
+ - Request - Column Renderer: `Automatic`
+ - Select **Save and Close** to apply changes.
+
+ :::image type="content" source="media/workbooks-configurations/workbooks-column-settings.png" alt-text="Screenshot showing the workbooks column setting's tab.":::
+
+1. Select a **Sample** link in the grid to open a pane with the details of a sampled request.
+
+ :::image type="content" source="media/workbooks-configurations/workbooks-grid-link-details.png" alt-text="Screenshot showing the detail pane of the sampled request in workbooks.":::
+
+### Link Renderer Actions
+
+| Link action | Action on click |
+|:- |:-|
+|Generic Details| Shows the row values in a property grid context tab |
+|Cell Details| Shows the cell value in a property grid context tab. Useful when the cell contains a dynamic type with information (for example, json with request properties like location, role instance, etc.). |
+|Cell Details| Shows the cell value in a property grid context tab. Useful when the cell contains a dynamic type with information (for example, json with request properties like location, role instance, etc.). |
+|Custom Event Details| Opens the Application Insights search details with the custom event ID (`itemId`) in the cell |
+|Details| Similar to Custom Event Details, except for dependencies, exceptions, page views, requests, and traces. |
+|Custom Event User Flows| Opens the Application Insights User Flows experience pivoted on the custom event name in the cell |
+|User Flows| Similar to Custom Event User Flows except for exceptions, page views and requests |
+|User Timeline| Opens the user timeline with the user ID (user_Id) in the cell |
+|Session Timeline| Opens the Application Insights search experience for the value in the cell (for example, search for text 'abc' where abc is the value in the cell) |
+|Resource overview| Open the resource's overview in the portal based on the resource ID value in the cell |
+
+### Set conditional visibility
+
+1. Follow the steps in the [Setting up interactivity on grid row click](#set-up-a-grid-row-click) section to set up two interactive controls.
+1. Add a new parameter with these values:
+ - Name: `ShowDetails`
+ - Parameter type: `Drop down`
+ - Required: `checked`
+ - Get data from: `JSON`
+ - JSON Input: `["Yes", "No"]`
+ - Save to commit changes.
+
+ :::image type="content" source="media/workbooks-configurations/workbooks-edit-parameter.png" alt-text="Screenshot showing editing an interactive parameter in workbooks.":::
+
+1. Set the parameter value to `Yes`.
+
+ :::image type="content" source="media/workbooks-configurations/workbooks-set-parameter.png" alt-text="Screenshot showing setting an interactive parameter value in workbooks.":::
+
+1. In the query control with the area chart, select **Advanced Settings** (the gear icon).
+1. If the `ShowDetails` parameter value is set to `Yes`, select **Make this item conditionally visible**.
+1. Select **Done Editing** to commit the changes.
+1. On the workbook toolbar, select **Done Editing**.
+1. Switch the value of `ShowDetails` parameter to `No`. Notice that the chart below disappears.
+
+The following image shows the case where `ShowDetails` is `Yes`:
+
+ :::image type="content" source="media/workbooks-configurations/workbooks-conditional-visibility-visible.png" alt-text="Screenshot showing a workbook with a conditional item that is visible.":::
+
+The image below shows the hidden case where `ShowDetails` is `No`
++
+### Set up multi-selects in grids and charts
+
+Query and metrics items can export parameters when a row or multiple rows are selected.
++
+1. In the query step displaying the grid, select **Advanced settings**.
+2. Select the `When items are selected, export parameters` checkbox.
+1. Select the `allow selection of multiple values` checkbox.
+ - The displayed visualization allows multi-selecting and the exported parameter's values will be arrays of values, like when using multi-select dropdown parameters.
+ - If unchecked, the display visualization only captures the last selected item and only exports a single value at a time.
+1. Use the **Add Parameter** button for each parameter you want to export. A pop-up window appears with the settings for the parameter to be exported.
+
+When single selection is enabled, you can specify which field of the original data to export. Fields include parameter name, parameter type, and default value to use if nothing is selected.
+
+When multi-selection is enabled, you specify which field of the original data to export. Fields include parameter name, parameter type, quote with and delimiter. The quote with and delimiter values are used when turning arrow values into text when being replaced in a query. In multi-selection, if no values are selected, the default value is an empty array.
+
+> [!NOTE]
+> For multi select, only unique values are exported. For example, you will not see output array values like " 1,1,2,1". The array output will be get "1,2".
+
+If you leave the `Field to export` setting empty in the export settings, all the available fields in the data will be exported as a stringified JSON object of key:value pairs. For grids and titles, the string includes the fields in the grid. For charts, the available fields are x,y,series, and label (depending on the type of chart).
+
+While the default behavior is to export a parameter as text, if you know that the field is a subscription or resource ID, use that as the export parameter type. This allows the parameter to be used downstream in places that require those types of parameters.
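Review bot: In "Set up a grid row click", the exported parameter's default value is `All requests`, but the second query tests `'All Requests' == '{SelectedRequest}'`. KQL's `==` is case-sensitive, so with no row selected the area chart filters to nothing. Make the two strings identical, or compare with `=~`. In "Set conditional visibility", the step "If the `ShowDetails` parameter value is set to `Yes`, select **Make this item conditionally visible**" drops the condition itself: it should say to select the checkbox and then make the item visible when `ShowDetails` equals `Yes`, as the removed workbooks-interactive.md did. The "Trusted hosts" table says a trusted workbook can "call any endpoint" and that any new or saved workbook is trusted, without saying what is restricted otherwise. A sentence on when to prefer the URL grid over marking the whole workbook as trusted would help. Smaller items: the front matter title and description still read "custom parameters", the `Cell Details` row appears twice in the link action table, "You to add interactivity" is missing a verb, and "arrow values" and "grids and titles" look like typos for "array values" and "grids and tiles".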
azure-monitor Workbooks Create Workbook https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/workbooks-create-workbook.md
Text is added through a markdown control into which an author can add their cont
### Add text to an Azure workbook
-1. Make sure you are in **Edit** mode by selecting the **Edit** in the toolbar. Add a query by doing either of these steps:
+1. Make sure you are in **Edit** mode by selecting the **Edit** in the toolbar.
+1. Add text by doing either of these steps:
- Select **Add**, and **Add text** below an existing element, or at the bottom of the workbook. - Select the ellipses (...) to the right of the **Edit** button next to one of the elements in the workbook, then select **Add** and then **Add text**. 1. Enter markdown text into the editor field.
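Review bot: The added step still reads "selecting the **Edit** in the toolbar", which has a stray article or a missing noun. "selecting **Edit** in the toolbar" is enough. The same wording is in the added first step of the query, parameter, metric chart and group procedures in this file.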
For example, you can query Azure Resource Health to help you view any service pr
### Add a query to an Azure Workbook
-1. Make sure you are in **Edit** mode by selecting the **Edit** in the toolbar. Add a query by doing either of these steps:
+1. Make sure you are in **Edit** mode by selecting the **Edit** in the toolbar.
+1. Add a query by doing either of these steps:
- Select **Add**, and **Add query** below an existing element, or at the bottom of the workbook. - Select the ellipses (...) to the right of the **Edit** button next to one of the elements in the workbook, then select **Add** and then **Add query**. 1. Select the [data source](workbooks-data-sources.md) for your query. The other fields are determined based on the data source you choose.
Workbooks allow you to control how your parameter controls are presented to cons
### Add a parameter to an Azure Workbook
-1. Make sure you are in **Edit** mode by selecting the **Edit** in the toolbar. Add a parameter by doing either of these steps:
+1. Make sure you are in **Edit** mode by selecting the **Edit** in the toolbar.
+1. Add a parameter by doing either of these steps:
- Select **Add**, and **Add parameter** below an existing element, or at the bottom of the workbook. - Select the ellipses (...) to the right of the **Edit** button next to one of the elements in the workbook, then select **Add** and then **Add parameter**. 1. In the new parameter pane that pops up enter values for these fields:
The example below shows the number of transactions in a storage account over the
### Add a metric chart to an Azure Workbook
-1. Make sure you are in **Edit** mode by selecting the **Edit** in the toolbar. Add a metric chart by doing either of these steps:
+1. Make sure you are in **Edit** mode by selecting the **Edit** in the toolbar.
+1. Add a metric chart by doing either of these steps:
- Select **Add**, and **Add metric** below an existing element, or at the bottom of the workbook. - Select the ellipses (...) to the right of the **Edit** button next to one of the elements in the workbook, then select **Add** and then **Add metric**. 1. Select a **resource type**, the resources to target, the metric namespace and name, and the aggregation to use.
Groups in workbooks are useful for several things:
### Add a group to your workbook
-1. Make sure you are in **Edit** mode by selecting the **Edit** in the toolbar. Add a parameter by doing either of these steps:
+1. Make sure you are in **Edit** mode by selecting the **Edit** in the toolbar.
+1. Add a group by doing either of these steps:
- Select **Add**, and **Add group** below an existing element, or at the bottom of the workbook. - Select the ellipses (...) to the right of the **Edit** button next to one of the elements in the workbook, then select **Add** and then **Add group**.
azure-monitor Workbooks Interactive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/workbooks-interactive.md
- Title: Azure Monitor workbooks with custom parameters
-description: Simplify complex reporting with prebuilt and custom parameterized workbooks
----- Previously updated : 07/20/2020--
-# Interactive Workbooks
-
-Workbooks allow authors to create interactive reports and experiences for their consumers. Interactivity is supported in a number of ways.
-
-## Parameter Changes
-
-When a workbook user updates a parameter, any control that uses the parameter automatically refreshes and redraws to reflect the new state. This is how most of the Azure portal reports support interactivity. Workbooks provide this in a straight forward manner with minimal user effort.
-
-Learn more about [Parameters in Workbooks](workbooks-parameters.md)
-
-## Grid, tile, chart selections
-
-Workbooks allow authors to construct scenarios where clicking a row in a grid updates subsequent charts based on the content of the row.
-
-For instance, a user can have a grid that shows a list of requests and some stats like failure counts. They could set up it up such that clicking a row corresponding to a request, will result in detailed charts below updating to filter down to just that request.
-
-### Setting up interactivity on grid row click
-
-1. Switch the workbook to edit mode by clicking on the _Edit_ toolbar item.
-2. Use the _Add query_ link to add a log query control to the workbook.
-3. Select the query type as _Log_, resource type (for example, Application Insights) and the resources to target.
-4. Use the Query editor to enter the KQL for your analysis
-
- ```kusto
- requests
- | summarize AllRequests = count(), FailedRequests = countif(success == false) by Request = name
- | order by AllRequests desc
- ```
-
-5. `Run query` to see the results
-6. Select the _Advanced Settings_ icon on the query footer (the icon looks like a gear). This opens up the advanced settings pane.
-7. Check the setting: `When an item is selected, export a parameter`.
-8. Under the setting you checked, select *Add Parameter* and fill it out with the information below.
- 1. Field to export: `Request`
- 2. Parameter name: `SelectedRequest`
- 3. Default value: `All requests`
-9. Select Save
-
- ![Screenshot showing the advanced editor with settings for exporting fields as parameters.](./media/workbooks-interactive/export-parameters-add.png)
-
-10. Select `Done Editing`.
-11. Add another query control using steps 2 and 3.
-12. Use the Query editor to enter the KQL for your analysis.
- ```kusto
- requests
- | where name == '{SelectedRequest}' or 'All Requests' == '{SelectedRequest}'
- | summarize ['{SelectedRequest}'] = count() by bin(timestamp, 1h)
- ```
-13. `Run query` to see the results.
-14. Change _Visualization_ to `Area chart`.
-15. Choose a row to select in the first grid. Note how the area chart below filters to the selected request.
-
-The resulting report looks like this in edit mode:
-
-![Screenshot of the first two query in edit mode.](./media/workbooks-interactive//interactivity-grid-create.png)
-
-The image below shows a more elaborate interactive report in read mode based on the same principles. The report uses grid clicks to export parameters - which in turn is used in two charts and a text block.
-
-![Screenshot a report using grid clicks in read mode.](./media/workbooks-interactive/interactivity-grid-read-mode.png)
-
-### Exporting the contents of an entire row
-
-It is sometimes desirable to export the entire contents of the selected row instead of just a particular column. In such cases, leave the `Field to export` property unset in step 7.1 above. Workbooks will export the entire row contents as a json to the parameter.
-
-On the referencing KQL control, use the `todynamic` function to parse the json and access the individual columns.
-
-## Grid Cell Clicks
-
-Workbooks allow authors to add interactivity via a special type of grid column renderer called a `link renderer`. A link renderer converts a grid cell into a hyperlink based on the contents of the cell. Workbooks support many kinds of link renderers - including ones that allow opening resource overview blades, property bag viewers, App Insights search, usage, transaction tracing, etc.
-
-### Setting up interactivity using grid cell clicks
-
-1. Switch the workbook to edit mode by clicking on the _Edit_ toolbar item.
-2. Use the _Add query_ link to add a log query control to the workbook.
-3. Select the query type as _Log_, resource type (for example, Application Insights) and the resources to target.
-4. Use the Query editor to enter the KQL for your analysis
-
- ```kusto
- requests
- | summarize Count = count(), Sample = any(pack_all()) by Request = name
- | order by Count desc
- ```
-
-5. `Run query` to see the results
-6. Select _Column Settings_ to open the settings pane.
-7. In the _Columns_ section, set:
- 1. _Sample_ - Column Renderer: `Link`, View to open: `Cell Details`, Link Label: `Sample`
- 2. _Count_ - Column Renderer: `Bar`, Color palette: `Blue`, Minimum value: `0`
- 3. _Request_ - Column Renderer: `Automatic`
- 4. Select _Save and Close_ to apply changes
-
- ![Screenshot of the column setting's tab.](./media/workbooks-interactive/column-settings.png)
-
-8. Click on one of the `Sample` links in the grid. This opens up a pane with the details of a sampled request.
-
- ![Screenshot of the detail pane of the sampled request.](./media/workbooks-interactive/details.png)
-
-### Link Renderer Actions
-
-| Link action | Action on click |
-|:- |:-|
-| `Generic Details` | Shows the row values in a property grid context tab |
-| `Cell Details` | Shows the cell value in a property grid context tab. Useful when the cell contains a dynamic type with information (for example, json with request properties like location, role instance, etc.). |
-| `Cell Details` | Shows the cell value in a property grid context tab. Useful when the cell contains a dynamic type with information (for example, json with request properties like location, role instance, etc.). |
-| `Custom Event Details` | Opens the Application Insights search details with the custom event ID (`itemId`) in the cell |
-| `* Details` | Similar to Custom Event Details, except for dependencies, exceptions, page views, requests, and traces. |
-| `Custom Event User Flows` | Opens the Application Insights User Flows experience pivoted on the custom event name in the cell |
-| `* User Flows` | Similar to Custom Event User Flows except for exceptions, page views and requests |
-| `User Timeline` | Opens the user timeline with the user ID (user_Id) in the cell |
-| `Session Timeline` | Opens the Application Insights search experience for the value in the cell (for example, search for text 'abc' where abc is the value in the cell) |
-| `Resource overview` | Open the resource's overview in the portal based on the resource ID value in the cell |
-
-## Conditional Visibility
-
-Workbook allows users to make certain controls appear or disappear based on values of the parameters. This allows authors to have reports look different based on user input or telemetry state. An example is showing consumers just a summary when things are good but show full details when something is wrong.
-
-### Setting up interactivity using conditional visibility
-
-1. Follow the steps in the [Setting up interactivity on grid row click](#setting-up-interactivity-on-grid-row-click) section to set up two interactive controls.
-2. Add a new parameter at the top:
- 1. Name: `ShowDetails`
- 2. Parameter type: `Drop down`
- 3. Required: `checked`
- 4. Get data from: `JSON`
- 5. JSON Input: `["Yes", "No"]`
- 6. Save to commit changes.
-
- ![After selecting the add parameter button the edit parameter pane is displayed.](./media/workbooks-interactive/edit-parameter.png)
-
-3. Set parameter value to `Yes`
-
- ![Above the done editing button is the a drop down that will let you set the parameter value](./media/workbooks-interactive/set-parameter.png)
-
-4. In the query control with the area chart, select the _Advanced Settings_ icon (gear icon)
-5. Check the setting `Make this item conditionally visible`
- 1. This item is visible if `ShowDetails` parameter value `equals` `Yes`
-6. Select _Done Editing_ to commit changes.
-7. Select _Done Editing_ on the workbook tool bar to enter read mode.
-8. Switch the value of parameter `ShowDetails` to `No`. Notice that the chart below disappears.
-
-The image below shows the visible case where `ShowDetails` is `Yes`
-
-![Screenshot showing the conditional visibility where the chart is visible](./media/workbooks-interactive/interactivity-conditional-visibility-visible.png)
-
-The image below shows the hidden case where `ShowDetails` is `No`
-
-![Screenshot showing the conditional visibility where the chart is hidden](./media/workbooks-interactive/interactivity-conditional-visibility-invisible.png)
-
-## Interactivity with multiple selections in grids and charts
-
-Query and metrics steps can also export one or more parameters when a row (or multiple rows) is selected.
-
-![Screenshot showing the export parameters settings with multiple parameters. ](./media/workbooks-interactive/interactivity-export-parameters.png)
-
-1. In the query step displaying the grid, go to the advanced settings.
-2. Check the `When items are selected, export parameters` checkbox. Additional controls will appear.
-3. Check the `allow selection of multiple values` checkbox.
- 1. The displayed visualization will allow multi-select and exported parameter's values will be arrays of values, like when using multi-select dropdown parameters.
- 2. If unchecked the display visualization will only respect the last selected item. Only exporting a single value at a time.
-4. For each parameter you wish to export, use the *Add Parameter* button. A pop-up window will appear, containing the settings for the parameter to be exported.
-
-When single selection is enabled, the author can specify which field of the original data to export. Fields include parameter name, parameter type, and default value to use if nothing is selected (optional).
-
-When multi-selection is enabled, the author specifies which field of the original data to export. Fields include parameter name, parameter type, quote with and delimiter. The quote with and delimiter values are used when turning the arrow values into text when being replaced in a query. In multi-select if no values are selected, then the default value is an empty array.
-
-> [!NOTE]
-> For multi select, only unique values will be exported, you will not see output array values like " 1,1,2,1" you will get "1,2" as the output values.
-
-You can leave the "Field to export" setting empty in the export settings. If you do, all the available fields in the data will be exported as a stringified JSON object of key:value pairs. For grids and titles, this will be all of the fields in the grid. For charts, the available fields will be x,y,series, and label (depending on the type of chart).
-
-While the default behavior is to export a parameter as text, if you know that the field is a subscription or resource ID, use that as the export parameter type. This will allow the parameter to be used downstream in places that require those types of parameters.
-
-## Next steps
-
azure-monitor Workbooks Renderers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/workbooks-renderers.md
These rendering options can be used with grids, tiles, and graphs to produce the
## Link actions
-If the **Link** renderer is selected or the **Make this item a link** checkbox is selected, the author can configure a link action to occur when the user selects the cell to taking the user to another view with context coming from the cell, or to open up a url.
+If the **Link** renderer is selected or the **Make this item a link** checkbox is selected, the author can configure a link action to occur when the user selects the cell to taking the user to another view with context coming from the cell, or to open up a url. See link renderer actions for more details.
## Using thresholds with links
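Review bot: the added sentence "See link renderer actions for more details." names a target but carries no link, so the reader has nowhere to go; make "link renderer actions" a Markdown link to the article or section it refers to. While the line is being touched, "selects the cell to taking the user" should read "selects the cell, taking the user".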
azure-resource-manager Bicep Functions String https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-functions-string.md
description: Describes the functions to use in a Bicep file to work with strings
Previously updated : 03/10/2022 Last updated : 07/05/2022 # String functions for Bicep
The output from the preceding example with the default values is:
| lastString | Int | 0 | | notFound | Int | -1 |
+## join
+
+`join(inputArray, delimiter)`
+
+Joins a string array into a single string, separated using a delimiter.
+
+Namespace: [sys](bicep-functions.md#namespaces-for-functions).
+
+### Parameters
+
+| Parameter | Required | Type | Description |
+|: |: |: |: |
+| inputArray | Yes |An array of string. |An array of strings to join. |
+| delimiter | Yes |The delimiter to use for splitting the string. |
+
+### Return value
+
+A string.
+
+### Examples
+
+The following example joins the input string array into strings delimited by either a comma or a semi-colon.
+
+```bicep
+var arrayString = [
+ 'one'
+ 'two'
+ 'three'
+]
+
+output firstOutput string = join(arrayString, ',')
+output secondOutput string = join(arrayString, ';')
+```
+
+The output from the preceding example with the default values is:
+
+| Name | Type | Value |
+| - | - | -- |
+| firstOutput | String | "one,two,three" |
+| secondOutput | String | "one;two;three" |
+
+This function requires **Bicep version 0.8.2 or later**.
+ <a id="json"></a> ## json
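Review bot: the `delimiter` row in the Parameters table has three cells in a four-column table, so the Type cell is missing and the description lands in the Type column. The description also says the delimiter is used "for splitting the string", although this function joins. Suggest `| delimiter | Yes | string | The delimiter to place between the joined strings. |`. The sentence "with the default values" before the output table can go too, since the example declares no parameters.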
azure-resource-manager Bicep Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-functions.md
Title: Bicep functions description: Describes the functions to use in a Bicep file to retrieve values, work with strings and numerics, and retrieve deployment information. Previously updated : 07/01/2022 Last updated : 07/05/2022 # Bicep functions
Bicep provides the following functions for working with strings. All of these fu
* [format](./bicep-functions-string.md#format) * [guid](./bicep-functions-string.md#guid) * [indexOf](./bicep-functions-string.md#indexof)
+* [join](./bicep-functions-string.md#join)
* [last](./bicep-functions-string.md#last) * [lastIndexOf](./bicep-functions-string.md#lastindexof) * [length](./bicep-functions-string.md#length)
azure-resource-manager Data Types https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/data-types.md
var myVar = 'what\'s up?'
All strings in Bicep support interpolation. To inject an expression, surround it by `${` and `}`. Expressions that are referenced can't span multiple lines. ```bicep
-var storageName = 'storage${uniqueString(resourceGroup().id)}
+var storageName = 'storage${uniqueString(resourceGroup().id)}'
``` ## Multi-line strings
azure-resource-manager Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/overview.md
To decompile an existing ARM template to Bicep, see [Decompiling ARM template JS
To learn about the resources that are available in your Bicep file, see [Bicep resource reference](/azure/templates/)
-Bicep examples can be found in the [Bicep GitHub repo](https://github.com/Azure/bicep/tree/main/docs/examples).
+Bicep examples can be found in the [Bicep GitHub repo](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts)
## About the language
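Review bot: the new URL points at `Azure/azure-quickstart-templates`, but the link text still says "Bicep GitHub repo", so the label no longer matches the destination. Rename the link text to match the quickstart templates repository, and restore the full stop that the old sentence had.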
azure-resource-manager Resource Name Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/resource-name-rules.md
In the following tables, the term alphanumeric refers to:
> [!div class="mx-tableFixed"] > | Entity | Scope | Length | Valid Characters | > | | | | |
-> | communicationServices | global | 1-63 | Alphanumerics and hyphens.<br><br>Can't use underscores. |
+> | communicationServices | global | 1-63 | Alphanumerics and hyphens.<br><br>Can't start or end with hyphen.<br><br>Can't use underscores. |
## Microsoft.ConfidentialLedger
azure-resource-manager Template Functions String https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-functions-string.md
Resource Manager provides the following functions for working with strings in yo
* [format](#format) * [guid](#guid) * [indexOf](#indexof)
+* [join](#join)
* [json](#json) * [last](#last) * [lastIndexOf](#lastindexof)
The output from the preceding example with the default values is:
| lastString | Int | 0 | | notFound | Int | -1 |
+## join
+
+`join(inputArray, delimiter)`
+
+Joins a string array into a single string, separated using a delimiter.
+
+In Bicep, use the [join](../bicep/bicep-functions-string.md#join) function.
+
+### Parameters
+
+| Parameter | Required | Type | Description |
+|: |: |: |: |
+| inputArray |Yes |array of string |An array of string to join. |
+| delimiter |Yes |The delimiter to use for splitting the string. |
+
+### Return value
+
+A string.
+
+### Examples
+
+The following example joins the input string array into strings delimited by using different delimiters.
++
+The output from the preceding example is:
+
+| Name | Type | Value |
+| - | - | -- |
+| firstOutput | String | "one,two,three" |
+| secondOutput | String | "one;two;three" |
+ <a id="json"></a> ## json
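Review bot: under "Examples", nothing sits between "The following example joins the input string array..." and "The output from the preceding example is:", so the output table for `firstOutput` and `secondOutput` refers to a template the reader cannot see here; check that the example template is actually included. The `delimiter` parameter row also lacks its Type cell and describes the delimiter as used "for splitting the string" in a function that joins.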
azure-resource-manager Template Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-functions.md
Resource Manager provides the following functions for working with strings:
* [format](template-functions-string.md#format) * [guid](template-functions-string.md#guid) * [indexOf](template-functions-string.md#indexof)
+* [join](template-functions-string.md#join)
* [last](template-functions-string.md#last) * [lastIndexOf](template-functions-string.md#lastindexof) * [length](template-functions-string.md#length)
azure-sql-edge Create External Stream Transact Sql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-sql-edge/create-external-stream-transact-sql.md
WITH ( <with_options> )
The staging area for high-throughput data ingestion into Azure Synapse Analytics - Reserved for future usage. Does not apply to Azure SQL Edge.
+For more information about supported input and output options corresponding to the data source type, see [Azure Stream Analytics - Input Overview](../../stream-analytics/stream-analytics-add-inputs.md) and [Azure Stream Analytics - Outputs Overview](../../stream-analytics/stream-analytics-define-outputs.md) respectively.
## Examples
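Review bot: both added links use `../../stream-analytics/...`, which from `articles/azure-sql-edge/` resolves above the `articles` folder. Other links in this service's articles go up one level (for example `../storage/...`), so these should most likely be `../stream-analytics/stream-analytics-add-inputs.md` and `../stream-analytics/stream-analytics-define-outputs.md`.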
azure-sql-edge Create Stream Analytics Job https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-sql-edge/create-stream-analytics-job.md
The streaming job can have any one of the following statuses:
| Stopped | The streaming job has been stopped. | | Failed | The streaming job failed. This is generally an indication of a fatal error during processing. |
+> [!NOTE]
+> Since the streaming job is executed asynchronously, the job might encounter errors at runtime. In order to troubleshoot a streaming job failure, use the `sys.sp_get_streaming_job` stored procedure, or review the docker log from the Azure SQL Edge container, which can provide the error details from the streaming job.
+ ## Next steps - [View metadata associated with streaming jobs in Azure SQL Edge](streaming-catalog-views.md) -- [Create an external stream](create-external-stream-transact-sql.md)
+- [Create an external stream](create-external-stream-transact-sql.md)
azure-sql-edge Deploy Dacpac https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-sql-edge/deploy-dacpac.md
SQL Database dacpac and bacpac packages can be deployed to SQL Edge using the `M
To deploy (or import) a SQL Database DAC package `(*.dacpac)` or a BACPAC file `(*.bacpac)` using Azure Blob storage and a zip file, follow the steps below.
-1. Create/Extract a DAC package or Export a Bacpac File using the mechanism mentioned below.
+1. Create/Extract a DAC package or Export a Bacpac File using one of the mechanism mentioned below.
+ - Use [SQL Database Project Extension - Azure Data Studio](/sql/azure-data-studio/extensions/sql-database-project-extension-getting-started) to [create a new database project or export an existing database](/sql/azure-data-studio/extensions/sql-database-project-extension-getting-started)
- Create or extract a SQL Database DAC package. See [Extracting a DAC from a database](/sql/relational-databases/data-tier-applications/extract-a-dac-from-a-database/) for information on how to generate a DAC package for an existing SQL Server database. - Exporting a deployed DAC package or a database. See [Export a Data-tier Application](/sql/relational-databases/data-tier-applications/export-a-data-tier-application/) for information on how to generate a bacpac file for an existing SQL Server database.
+> [!NOTE]
+> If you are using external streaming jobs as part of the database, please ensure the following:
+>
+> - The generated dacpac will capture all the SQL Server Objects corresponding to the inputs/output streams and the streaming jobs. But the jobs will not be automatically started. In order to have the external streaming job automatically started after deployment, add a post-deployment script that restarts the jobs as follows:
+>
+> ```
+> exec sys.sp_stop_streaming_job @name=N'<JOB NAME>';
+> GO
+> exec sys.sp_start_streaming_job @name=N'<JOB NAME>';
+> GO
+> ```
+>
+> - Ensure any credentials required by the external streaming jobs to access input or output streams are provided as part of the dacpac.
+++ 2. Zip the `*.dacpac` or the `*.bacpac` file and upload it to an Azure Blob storage account. For more information on uploading files to Azure Blob storage, see [Upload, download, and list blobs with the Azure portal](../storage/blobs/storage-quickstart-blobs-portal.md). 3. Generate a shared access signature for the zip file by using the Azure portal. For more information, see [Delegate access with shared access signatures (SAS)](../storage/common/storage-sas-overview.md).
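Review bot: the last bullet of the added note, that credentials for the streaming jobs are "provided as part of the dacpac", needs more detail, because steps 2 and 3 then zip that package, upload it to Blob storage and issue a shared access signature for it. Say which objects carry the credentials and add guidance on limiting the scope and lifetime of the SAS for a package that contains them. Smaller points: "one of the mechanism" should be "one of the mechanisms", both links in the new Azure Data Studio bullet go to the same URL, and the script fence has no language tag.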
During some DACPAC or BACPAC deployments users may encounter a command timeouts,
- [Deploy SQL Edge through Azure portal](deploy-portal.md). - [Stream Data](stream-data.md)-- [Machine learning and AI with ONNX in SQL Edge](onnx-overview.md)
+- [Machine learning and AI with ONNX in SQL Edge](onnx-overview.md)
azure-web-pubsub Quickstart Bicep Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/quickstart-bicep-template.md
+
+ Title: 'Quickstart: Create an Azure Web PubSub service with a Bicep file'
+description: Learn how to create an Azure Web PubSub service by using a Bicep file to create the resource, and PowerShell or Azure CLI for deployment to a resource group.
++ Last updated : 06/15/2022+++++
+# Quickstart: Use Bicep to deploy Azure Web PubSub Service
+
+This quickstart describes how to use Bicep to create an Azure Web PubSub service using Azure CLI or PowerShell.
++
+## Prerequisites
+
+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+## Review the Bicep file
+
+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/azure-web-pubsub/).
++
+## Deploy the Bicep file
+
+1. Save the Bicep file as **main.bicep** to your local computer.
+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.
+
+ # [CLI](#tab/CLI)
+
+ ```azurecli
+ az group create --name exampleRG --location eastus
+ az deployment group create --resource-group exampleRG --template-file main.bicep
+ ```
+
+ # [PowerShell](#tab/PowerShell)
+
+ ```azurepowershell
+ New-AzResourceGroup -Name exampleRG -Location eastus
+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep
+ ```
+
+
+
+ When the deployment finishes, you should see a message indicating the deployment succeeded.
+
+## Review deployed resources
+
+Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.
+
+# [CLI](#tab/CLI)
+
+```azurecli-interactive
+az resource list --resource-group exampleRG
+```
+
+# [PowerShell](#tab/PowerShell)
+
+```azurepowershell-interactive
+Get-AzResource -ResourceGroupName exampleRG
+```
++
+## Clean up resources
+
+When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.
+
+# [CLI](#tab/CLI)
+
+```azurecli-interactive
+az group delete --name exampleRG
+```
+
+# [PowerShell](#tab/PowerShell)
+
+```azurepowershell-interactive
+Remove-AzResourceGroup -Name exampleRG
+```
+
+## Next steps
+
+For a step-by-step tutorial that guides you through the process of creating a Bicep file using Visual Studio Code, see:
+
+> [!div class="nextstepaction"]
+> [Quickstart: Create Bicep files with Visual Studio Code](../azure-resource-manager/bicep/quickstart-create-bicep-use-visual-studio-code.md)
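Review bot: "Review the Bicep file" links to the template but, in the lines shown, contains no Bicep and does not name the resource the template defines, while step 1 of "Deploy the Bicep file" tells the reader to save "the Bicep file" as main.bicep. Make sure the file content is included in that section and add a sentence naming the resource it creates. Prerequisites lists only the subscription; the deployment step also needs Azure CLI or Azure PowerShell installed.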
azure-web-pubsub Tutorial Serverless Iot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/tutorial-serverless-iot.md
Previously updated : 06/01/2022 Last updated : 06/30/2022 # Tutorial: Visualize IoT device data from IoT Hub using Azure Web PubSub service and Azure Functions
-In this tutorial, you learn how to use Azure Web PubSub service and Azure Functions to build a serverless application with real-time data visualization from IoT Hub.
+In this tutorial, you'll learn how to use Azure Web PubSub service and Azure Functions to build a serverless application with real-time data visualization from IoT Hub.
In this tutorial, you learn how to:
In this tutorial, you learn how to:
[!INCLUDE [iot-hub-include-create-hub](../../includes/iot-hub-include-create-hub-quickstart.md)] ## Create a Web PubSub instance+ If you already have a Web PubSub instance in your Azure subscription, you can skip this section. [!INCLUDE [create-instance-cli](includes/cli-awps-creation.md)] - ## Create and run the functions locally
-1. Make sure you have [Azure Functions Core Tools](https://github.com/Azure/azure-functions-core-tools#installing) installed. And then create an empty directory for the project. Run command under this working directory.
+1. Create an empty folder for the project, and then run the following command in the new folder.
# [JavaScript](#tab/javascript) ```bash
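Review bot: the rewritten step 1 drops the requirement to install Azure Functions Core Tools and its install link, but the steps that follow still run `func new`, `func settings add` and `func start`. Unless the requirement now lives in a prerequisites section outside this hunk, keep the sentence and link so the first command does not fail for a new reader.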
If you already have a Web PubSub instance in your Azure subscription, you can sk
```
-2. Update `host.json`'s `extensionBundle` to version larger than _3.3.0_ which contains Web PubSub support.
+2. Update `host.json`'s `extensionBundle` to version _3.3.0_ or later to get Web PubSub support.
```json {
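Review bot: step 2 changes meaning as well as wording. "version larger than 3.3.0" excluded 3.3.0 and "version 3.3.0 or later" includes it. Confirm that 3.3.0 itself contains Web PubSub support and that the version range in the `host.json` snippet under this step agrees with the new sentence.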
If you already have a Web PubSub instance in your Azure subscription, you can sk
func new -n index -t HttpTrigger ``` # [JavaScript](#tab/javascript)
- - Update `index/index.js` with following code that serve the html content as a static site.
+ - Update `index/index.js` with following code, which serves the HTML content as a static site.
```js var fs = require("fs"); var path = require("path");
If you already have a Web PubSub instance in your Azure subscription, you can sk
```
-4. Create this _https://docsupdatetracker.net/index.html_ file under the same folder as file _index.js_:
+4. Create an `https://docsupdatetracker.net/index.html` file under the same folder as file `index.js`.
```html <!doctype html>
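Review bot: step 4 names the file to create as `https://docsupdatetracker.net/index.html`, a full URL, and the switch to code formatting makes it look like a literal file name. The step should read "Create an `index.html` file under the same folder as file `index.js`."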
If you already have a Web PubSub instance in your Azure subscription, you can sk
</html> ```
-5. Create a `negotiate` function to help clients get service connection url with access token.
+5. Create a `negotiate` function that clients use to get a service connection URL and access token.
```bash func new -n negotiate -t HttpTrigger ``` # [JavaScript](#tab/javascript)
- - Update `negotiate/function.json` to include input binding [`WebPubSubConnection`](reference-functions-bindings.md#input-binding), with the following json codes.
+ - Update `negotiate/function.json` to include an input binding [`WebPubSubConnection`](reference-functions-bindings.md#input-binding), with the following json code.
```json { "bindings": [
If you already have a Web PubSub instance in your Azure subscription, you can sk
] } ```
- - Update `negotiate/index.js` and to return the `connection` binding which contains the generated token.
+ - Update `negotiate/index.js` to return the `connection` binding that contains the generated token.
```js module.exports = function (context, req, connection) { // Add your own auth logic here
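Review bot: the reworded bullet for `negotiate/index.js` says the function returns the binding that contains the generated token, and the only mention of authentication is the `// Add your own auth logic here` comment in the sample. Since this endpoint is what hands clients a service URL and access token (step 5), add a sentence in the prose telling readers to authenticate the caller before returning `connection` in anything beyond a local test.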
If you already have a Web PubSub instance in your Azure subscription, you can sk
}; ```
-6. Create a `messagehandler` function to generate notifications with template `"IoT Hub (Event Hub)"`.
+6. Create a `messagehandler` function to generate notifications by using the `"IoT Hub (Event Hub)"` template.
```bash func new --template "IoT Hub (Event Hub)" --name messagehandler ``` # [JavaScript](#tab/javascript)
- - Update _messagehandler/function.json_ to add [Web PubSub output binding](reference-functions-bindings.md#output-binding) with the following json code. Please note that we use variable `%hubName%` as the hub name for both IoT eventHubName and Web PubSub hub.
+ - Update _messagehandler/function.json_ to add [Web PubSub output binding](reference-functions-bindings.md#output-binding) with the following json code. We use variable `%hubName%` as the hub name for both IoT eventHubName and Web PubSub hub.
```json { "bindings": [
If you already have a Web PubSub instance in your Azure subscription, you can sk
] } ```
- - Update `messagehandler/index.js` with the following code. It sends every message from IoT hub to every client connected to Web PubSub service using Web PubSub output bindings.
+ - Update `messagehandler/index.js` with the following code. It sends every message from IoT hub to every client connected to Web PubSub service using the Web PubSub output bindings.
```js module.exports = function (context, IoTHubMessages) { IoTHubMessages.forEach((message) => {
If you already have a Web PubSub instance in your Azure subscription, you can sk
}; ```
-7. Update the Function settings
+7. Update the Function settings.
- 1. Add `hubName` setting and replace `{YourIoTHubName}` with the hub name you used when creating your IoT Hub:
+ 1. Add `hubName` setting and replace `{YourIoTHubName}` with the hub name you used when creating your IoT Hub.
```bash func settings add hubName "{YourIoTHubName}" ```
- 2. Get the **Service Connection String** for IoT Hub using below CLI command:
+ 2. Get the **Service Connection String** for IoT Hub.
```azcli az iot hub connection-string show --policy-name service --hub-name {YourIoTHubName} --output table --default-eventhub ```
- And set `IOTHubConnectionString` using below command, replacing `<iot-connection-string>` with the value:
+ Set `IOTHubConnectionString`, replacing `<iot-connection-string>` with the value.
```bash func settings add IOTHubConnectionString "<iot-connection-string>" ```
- 3. Get the **Connection String** for Web PubSub using below CLI command:
+ 3. Get the **Connection String** for Web PubSub.
```azcli az webpubsub key show --name "<your-unique-resource-name>" --resource-group "<your-resource-group>" --query primaryConnectionString ```
- And set `WebPubSubConnectionString` using below command, replacing `<webpubsub-connection-string>` with the value:
+ Set `WebPubSubConnectionString`, replacing `<webpubsub-connection-string>` with the value.
```bash func settings add WebPubSubConnectionString "<webpubsub-connection-string>" ``` > [!NOTE]
- > `IoT Hub (Event Hub)` Function trigger used in the sample has dependency on Azure Storage, but you can use local storage emulator when the Function is running locally. If you got some error like `There was an error performing a read operation on the Blob Storage Secret Repository. Please ensure the 'AzureWebJobsStorage' connection string is valid.`, you'll need to download and enable [Storage Emulator](../storage/common/storage-use-emulator.md).
+ > The `IoT Hub (Event Hub)` function trigger used in the sample has dependency on Azure Storage, but you can use a local storage emulator when the function is running locally. If you get an error such as `There was an error performing a read operation on the Blob Storage Secret Repository. Please ensure the 'AzureWebJobsStorage' connection string is valid.`, you'll need to download and enable [Storage Emulator](../storage/common/storage-use-emulator.md).
-8. Run the function locally
+8. Run the function locally.
Now you're able to run your local function by command below.
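Review bot: sub-steps 2 and 3 of step 7 store the IoT Hub service connection string and the Web PubSub primary connection string as function settings, and the reworded text gives no hint that these values are secrets. Add a short note that they should stay out of source control and shared logs. Wording left over in this hunk: "has dependency on" should be "has a dependency on", and "Now you're able to run your local function by command below." reads better as "Run the function locally with the following command."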
If you already have a Web PubSub instance in your Azure subscription, you can sk
func start ```
- And checking the running logs, you can visit your local host static page by visiting: `https://localhost:7071/api/index`.
+ You can visit your local host static page by visiting: `https://localhost:7071/api/index`.
## Run the device to send data ### Register a device
-A device must be registered with your IoT hub before it can connect.
-
-If you already have a device registered in your IoT hub, you can skip this section.
+A device must be registered with your IoT hub before it can connect. If you already have a device registered in your IoT hub, you can skip this section.
1. Run the [az iot hub device-identity create](/cli/azure/iot/hub/device-identity#az-iot-hub-device-identity-create) command in Azure Cloud Shell to create the device identity.
- **YourIoTHubName**: Replace this placeholder below with the name you chose for your IoT hub.
+ **YourIoTHubName**: Replace this placeholder with the name you chose for your IoT hub.
```azurecli-interactive az iot hub device-identity create --hub-name {YourIoTHubName} --device-id simDevice ```
-2. Run the [az iot hub device-identity connection-string show](/cli/azure/iot/hub/device-identity/connection-string#az-iot-hub-device-identity-connection-string-show) command in Azure Cloud Shell to get the _device connection string_ for the device you just registered:
+2. Run the [Az PowerShell module iot hub device-identity connection-string show](/cli/azure/iot/hub/device-identity/connection-string#az-iot-hub-device-identity-connection-string-show) command in Azure Cloud Shell to get the _device connection string_ for the device you just registered:
**YourIoTHubName**: Replace this placeholder below with the name you chose for your IoT hub.
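Review bot: in step 2 of "Register a device" the link text became "Az PowerShell module iot hub device-identity connection-string show", but the link target is the `/cli/azure/...` reference and step 1 uses `az iot hub device-identity create`, so this is an Azure CLI command, not a PowerShell one; restore the link text to `az iot hub device-identity connection-string show`. Also in this hunk, the static page is given as `https://localhost:7071/api/index` while "Run the visualization website" uses `http://localhost:7071/api/index`; pick the scheme the local host actually serves. "below" was removed from the step 1 placeholder text but remains in step 2.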
If you already have a device registered in your IoT hub, you can skip this secti
az iot hub device-identity connection-string show --hub-name {YourIoTHubName} --device-id simDevice --output table ```
- Make a note of the device connection string, which looks like:
+ Make a note of the device connection string, which looks like this:
`HostName={YourIoTHubName}.azure-devices.net;DeviceId=simDevice;SharedAccessKey={YourSharedAccessKey}` - For quickest results, simulate temperature data using the [Raspberry Pi Azure IoT Online Simulator](https://azure-samples.github.io/raspberry-pi-web-simulator/#Getstarted). Paste in the **device connection string**, and select the **Run** button. -- If you have a physical Raspberry Pi and BME280 sensor, you may measure and report real temperature and humidity values by following the [Connect Raspberry Pi to Azure IoT Hub (Node.js)](../iot-hub/iot-hub-raspberry-pi-kit-node-get-started.md) tutorial.
+- If you have a physical Raspberry Pi and BME280 sensor, you can measure and report real temperature and humidity values by following the [Connect Raspberry Pi to Azure IoT Hub (Node.js)](../iot-hub/iot-hub-raspberry-pi-kit-node-get-started.md) tutorial.
## Run the visualization website
-Open function host index page: `http://localhost:7071/api/index` to view the real-time dashboard. Register multiple devices and you can see the dashboard updates multiple devices in real-time. Open multiple browsers and you can see every page are updated in real-time.
+Open function host index page: `http://localhost:7071/api/index` to view the real-time dashboard. Register multiple devices and you'll see the dashboard updates multiple devices in real-time. Open multiple browsers and you'll see every page is updated in real-time.
:::image type="content" source="media/tutorial-serverless-iot/iot-devices-sample.png" alt-text="Screenshot of multiple devices data visualization using Web PubSub service.":::
Open function host index page: `http://localhost:7071/api/index` to view the rea
## Next steps
-In this quickstart, you learned how to run a serverless chat application. Now, you could start to build your own application.
- > [!div class="nextstepaction"] > [Tutorial: Create a simple chatroom with Azure Web PubSub](/azure/azure-web-pubsub/tutorial-build-chat)
backup Backup Azure Manage Vms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-manage-vms.md
Title: Manage and monitor Azure VM backups description: Learn how to manage and monitor Azure VM backups by using the Azure Backup service. Previously updated : 06/03/2022 Last updated : 07/05/2022
To protect your data, Azure Backup includes the soft delete feature. With soft d
### Backup item where primary data source no longer exists
-* If Azure VMs configured for Azure Backup are either deleted or moved without stopping protection, then both scheduled backup jobs and on demand (ad-hoc) backup jobs will fail with the error UserErrorVmNotFoundV2. The backup pre-check will appear as critical only for failed on-demand backup jobs (failed scheduled jobs aren't displayed).
+* If Azure VMs configured for Azure Backup are deleted or moved (to another resource group or subscription) without stopping protection, then both scheduled backup jobs and on-demand backup jobs will fail with the error *UserErrorVmNotFoundV2*. The backup pre-check will appear as critical only for failed on-demand backup jobs (failed scheduled jobs doesn't appear).
* These backup items remain active in the system adhering to the backup and retention policy set by the user. The backed-up data for these Azure VMs will be retained according to the retention policy. The expired recovery points (except the most recent recovery point) are cleaned according to the retention range set in the backup policy. * To avoid any additional cost, we recommend deleting the backup items where the primary data source no longer exists. This is in a scenario where the backup item/data for the deleted resources is no longer required, since the most recent recovery point is retained forever and you're charged according to the applicable backup pricing.
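Review bot: the rewritten first bullet introduces a grammar error in its last clause, "failed scheduled jobs doesn't appear". The previous text had "aren't displayed"; use "failed scheduled jobs don't appear".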
backup Backup Azure Vms Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-vms-troubleshoot.md
Title: Troubleshoot backup errors with Azure VMs
description: In this article, learn how to troubleshoot errors encountered with backup and restore of Azure virtual machines. Previously updated : 06/16/2022 Last updated : 07/04/2022
To resolve this issue, use the [restore disks](./backup-azure-arm-restore-vms.md
### UserErrorMarketPlaceVMNotSupported - VM creation failed due to Market Place purchase request being not present
-Error code: UserErrorMarketPlaceVMNotSupported
-Error message: VM creation failed due to Market Place purchase request being not present.
+**Error code**: UserErrorMarketPlaceVMNotSupported
-Azure Backup supports backup and restore of VMs which are available in Azure Marketplace. This error occurs when you are trying to restore a VM (with a specific Plan/Publisher setting) which is no longer available in Azure Marketplace, [Learn more here](/legal/marketplace/participation-policy#offering-suspension-and-removal).
+**Error message**: VM creation failed due to Market Place purchase request being not present.
-In this scenario, it may not be possible to create the VM from the restored disks.
+Azure Backup supports backup and restore of VMs that are available in Azure Marketplace. This error occurs when you try to restore a VM (with a specific Plan/Publisher setting), which is no longer available in Azure Marketplace. [Learn more here](/azure/marketplace/deprecate-vm).
-If the publisher doesn't have any Marketplace information, you can use the data disks to retrieve your data and you can attach them to an existing VM.
+In this scenario, a partial failure happens where the disks are restored, but the VM isn't restored. This is because it's not possible to create a new VM from the restored disks.
+
+If the publisher doesn't have any Marketplace information, you can attach the restored disk(s) (that were created during partial failure) as data disks to an existing VM.
### ExtensionConfigParsingFailure - Failure in parsing the config for the backup extension
backup Backup Managed Disks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-managed-disks.md
Title: Back up Azure Managed Disks description: Learn how to back up Azure Managed Disks from the Azure portal. Previously updated : 03/10/2022 Last updated : 07/05/2022
A Backup vault is a storage entity in Azure that holds backup data for various n
![Select backup schedule frequency](./media/backup-managed-disks/backup-schedule-frequency.png)
- Azure Disk Backup offers multiple backups per day. If you require more frequent backups, choose the **Hourly** backup frequency with the ability to take backups with intervals of every 4, 6, 8 or 12 hours. The backups are scheduled based on the **Time** interval selected. For example, if you select **Every 4 hours**, then the backups are taken at approximately in the interval of every 4 hours so the backups are distributed equally across the day. If a once a day backup is sufficient, then choose the **Daily** backup frequency. In the daily backup frequency, you can specify the time of the day when your backups are taken. It's important to note that the time of the day indicates the backup start time and not the time when the backup completes. The time required for completing the backup operation is dependent on various factors including size of the disk, and churn rate between consecutive backups. However, Azure Disk backup is an agentless backup that uses [incremental snapshots](../virtual-machines/disks-incremental-snapshots.md), which doesn't impact the production application performance.
+ Azure Disk Backup offers multiple backups per day. If you require more frequent backups, choose the **Hourly** backup frequency with the ability to take backups with intervals of every *1*, *2*, *4*, *6*, *8*, or *12* hours. The backups are scheduled based on the **Time** interval selected. For example, if you select **Every 4 hours**, then the backups are taken at approximately in the interval of every 4 hours so the backups are distributed equally across the day. If a once a day backup is sufficient, then choose the **Daily** backup frequency. In the daily backup frequency, you can specify the time of the day when your backups are taken. It's important to note that the time of the day indicates the backup start time and not the time when the backup completes. The time required for completing the backup operation is dependent on various factors including size of the disk, and churn rate between consecutive backups. However, Azure Disk backup is an agentless backup that uses [incremental snapshots](../virtual-machines/disks-incremental-snapshots.md), which doesn't impact the production application performance.
1. In the **Backup policy** tab, select retention settings that meet the recovery point objective (RPO) requirement.
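Review bot: the added paragraph still contains "the backups are taken at approximately in the interval of every 4 hours", which does not parse. Since the line is being rewritten anyway, reword it to something like "backups are taken approximately every 4 hours, so they're distributed evenly across the day". The same line also mixes "Azure Disk Backup" and "Azure Disk backup"; pick one casing.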
backup Backup Support Matrix Iaas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-support-matrix-iaas.md
Here's how you can back up and restore Azure VMs with the Azure Backup service.
| | | Direct backup of Azure VMs | Back up the entire VM. | No additional agent is needed on the Azure VM. Azure Backup installs and uses an extension to the [Azure VM agent](../virtual-machines/extensions/agent-windows.md) that's running on the VM. | Restore as follows:<br/><br/> - **Create a basic VM**. This is useful if the VM has no special configuration such as multiple IP addresses.<br/><br/> - **Restore the VM disk**. Restore the disk. Then attach it to an existing VM, or create a new VM from the disk by using PowerShell.<br/><br/> - **Replace VM disk**. If a VM exists and it uses managed disks (unencrypted), you can restore a disk and use it to replace an existing disk on the VM.<br/><br/> - **Restore specific files/folders**. You can restore files/folders from a VM instead of from the entire VM. Direct backup of Azure VMs (Windows only) | Back up specific files/folders/volume. | Install the [Azure Recovery Services agent](backup-azure-file-folder-backup-faq.yml).<br/><br/> You can run the MARS agent alongside the backup extension for the Azure VM agent to back up the VM at file/folder level. | Restore specific folders/files.
-Back up Azure VM to backup server | Back up files/folders/volumes; system state/bare metal files; app data to System Center DPM or to Microsoft Azure Backup Server (MABS).<br/><br/> DPM/MABS then backs up to the backup vault. | Install the DPM/MABS protection agent on the VM. The MARS agent is installed on DPM/MABS.| Restore files/folders/volumes; system state/bare metal files; app data.
+Back up Azure VM to the backup server | Back up files/folders/volumes; system state/bare metal files; app data to System Center DPM or to Microsoft Azure Backup Server (MABS).<br/><br/> DPM/MABS then backs up to the backup vault. | Install the DPM/MABS protection agent on the VM. The MARS agent is installed on DPM/MABS.| Restore files/folders/volumes; system state/bare metal files; app data.
Learn more about backup [using a backup server](backup-architecture.md#architecture-back-up-to-dpmmabs) and about [support requirements](backup-support-matrix-mabs-dpm.md).
Automatic clock adjustment | Not supported.<br/><br/> Azure Backup doesn't autom
[Security features for hybrid backup](./backup-azure-security-feature.md) |Disabling security features isn't supported. Back up the VM whose machine time is changed | Not supported.<br/><br/> If the machine time is changed to a future date-time after enabling backup for that VM, however even if the time change is reverted, successful backup isn't guaranteed. Multiple Backups Per Day | Supported (in preview), using *Enhanced policy* (in preview). <br><br> For hourly backup, the minimum RPO is 4 hours and the maximum is 24 hours. You can set the backup schedule to 4, 6, 8, 12, and 24 hours respectively. Learn about how to [back up an Azure VM using Enhanced policy](backup-azure-vms-enhanced-policy.md).
+Back up a VM with deprecated plan when publisher has removed it from Azure Marketplace | Not supported. <br><br> Backup is possible. However, restore will fail. <br><br> If you've already configured backup for VM with deprecated virtual machine offer and encounter restore error, see [Troubleshoot backup errors with Azure VMs](backup-azure-vms-troubleshoot.md#usererrormarketplacevmnotsupportedvm-creation-failed-due-to-market-place-purchase-request-being-not-present).
## Operating system support (Windows)
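Review bot: in the added row, the cell opens with "Not supported." and then says "Backup is possible. However, restore will fail.", which reads as a contradiction and hides the operational risk: a backup job that succeeds but yields recovery points that cannot be restored. Suggest leading with the consequence, for example "Backup succeeds, but restore fails", and stating that "not supported" refers to the restore path. "for VM with deprecated virtual machine offer" is also missing an article ("for a VM with a deprecated virtual machine offer").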
backup Multi User Authorization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/multi-user-authorization.md
This document includes the following:
- Ensure the Resource Guard and the Recovery Services vault are in the same Azure region. - Ensure the Backup admin does **not** have **Contributor** permissions on the Resource Guard. You can choose to have the Resource Guard in another subscription of the same directory or in another directory to ensure maximum isolation.-- Ensure that your subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions or tenants) are registered to use the **Microsoft.RecoveryServices** provider. For more details, see [Azure resource providers and types](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider-1).
+- Ensure that your subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions or tenants) are registered to use the providers - **Microsoft.RecoveryServices** and **Microsoft.DataProtection** . For more details, see [Azure resource providers and types](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider-1).
Learn about various [MUA usage scenarios](multi-user-authorization-concept.md#usage-scenarios).
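Review bot: the added bullet has a stray space before the full stop after **Microsoft.DataProtection** and uses " - " as punctuation ("the providers - **Microsoft.RecoveryServices** and ..."). Suggest "are registered to use the **Microsoft.RecoveryServices** and **Microsoft.DataProtection** providers." Now that two providers are listed for two subscriptions, it would also help to say whether each provider must be registered in both subscriptions or only in the one that holds the corresponding resource.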
Disabling MUA is a protected operation, and hence, is protected using MUA. This
1. Choose the Directory that contains the Resource Guard and verify access using the Authenticate button (if applicable). 1. After **authentication**, click **Save**. With the right access, the request should be successfully completed.
- :::image type="content" source="./media/multi-user-authorization/disable-mua.png" alt-text="Screenshot showing to disable multi-user authentication.":::
+ :::image type="content" source="./media/multi-user-authorization/disable-mua.png" alt-text="Screenshot showing to disable multi-user authentication.":::
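Review bot: the alt text on this image says "multi-user authentication", but the article and the image path (`multi-user-authorization/disable-mua.png`) are about multi-user authorization. Since the line is already being touched for indentation, correct the alt text as well, for example "Screenshot showing how to disable multi-user authorization."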
backup Use Archive Tier Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/use-archive-tier-support.md
To enable a subscription, follow these steps:
:::image type="content" source="./media/use-archive-tier-support/select-preview-feature-inline.png" alt-text="Screenshot showing to select the Preview Feature option." lightbox="./media/use-archive-tier-support/select-preview-feature-expanded.png":::
-1. Select **Smart Tiering for Archive**.
+1. Select **Smart Tiering for Azure Backup**.
:::image type="content" source="./media/use-archive-tier-support/select-smart-tiering-for-archive-inline.png" alt-text="Screenshot showing to select Smart Tiering for Archive option." lightbox="./media/use-archive-tier-support/select-smart-tiering-for-archive-expanded.png":::
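Review bot: the step now says **Smart Tiering for Azure Backup**, but the alt text of the screenshot on the next line still reads "select Smart Tiering for Archive option" and the image files keep the old name. Update the alt text to match the new option name, and confirm that the screenshot itself shows the renamed option.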
cognitive-services Concept Brand Detection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Computer-vision/concept-brand-detection.md
Previously updated : 01/05/2022 Last updated : 07/05/2022
cognitive-services Concept Categorizing Images https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Computer-vision/concept-categorizing-images.md
Title: Image categorization - Computer Vision
-description: Learn concepts related to the image categorization feature of the Computer Vision API.
+description: Learn concepts related to the image categorization feature of the Image Analysis API.
Previously updated : 04/17/2019 Last updated : 07/05/2022 # Categorize images by subject matter
-In addition to tags and a description, Computer Vision returns the taxonomy-based categories detected in an image. Unlike tags, categories are organized in a parent/child hereditary hierarchy, and there are fewer of them (86, as opposed to thousands of tags). All category names are in English. Categorization can be done by itself or alongside the newer tags model.
+In addition to tags and a description, Image Analysis can return the taxonomy-based categories detected in an image. Unlike tags, categories are organized in a parent/child hierarchy, and there are fewer of them (86, as opposed to thousands of tags). All category names are in English. Categorization can be done by itself or alongside the newer tags model.
-## The 86-category concept
+## The 86-category hierarchy
Computer vision can categorize an image broadly or specifically, using the list of 86 categories in the following diagram. For the full taxonomy in text format, see [Category Taxonomy](category-taxonomy.md).
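Review bot: the description and intro now say "Image Analysis", but the title line still reads "Image categorization - Computer Vision" and the first sentence under the renamed heading still begins "Computer vision can categorize an image". Use one product name throughout the article, or state the relationship between the two names once near the top.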
cognitive-services Concept Detecting Adult Content https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Computer-vision/concept-detecting-adult-content.md
Previously updated : 10/01/2019 Last updated : 07/05/2022
Computer Vision can detect adult material in images so that developers can restrict the display of these images in their software. Content flags are applied with a score between zero and one so developers can interpret the results according to their own preferences.
-> [!NOTE]
-> Much of this functionality is offered by the [Azure Content Moderator](../content-moderator/overview.md) service. See this alternative for solutions to more rigorous content moderation scenarios, such as text moderation and human review workflows.
- Try out the adult content detection features quickly and easily in your browser using Vision Studio. > [!div class="nextstepaction"]
cognitive-services Analyze Video https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Computer-vision/how-to/analyze-video.md
Previously updated : 09/09/2019 Last updated : 07/05/2022 ms.devlang: csharp
while (true)
## Implement the solution
-### Get started quickly
+### Get sample code
To help get your app up and running as quickly as possible, we've implemented the system that's described in the preceding section. It's intended to be flexible enough to accommodate many scenarios, while being easy to use. To access the code, go to the [Video frame analysis sample](https://github.com/Microsoft/Cognitive-Samples-VideoFrameAnalysis/) page on GitHub.
By using this approach, you can visualize the detected face immediately. You can
![The LiveCameraSample app displaying an image with tags](../../Video/Images/FramebyFrame.jpg)
-### Integrate the samples into your codebase
+### Integrate samples into your codebase
To get started with this sample, do the following:
When you're ready to integrate the samples, reference the VideoFrameAnalyzer lib
The image-, voice-, video-, and text-understanding capabilities of VideoFrameAnalyzer use Azure Cognitive Services. Microsoft receives the images, audio, video, and other data that you upload (via this app) and might use them for service-improvement purposes. We ask for your help in protecting the people whose data your app sends to Azure Cognitive Services.
-## Summary
+## Next steps
In this article, you learned how to run near real-time analysis on live video streams by using the Face and Computer Vision services. You also learned how you can use our sample code to get started. Feel free to provide feedback and suggestions in the [GitHub repository](https://github.com/Microsoft/Cognitive-Samples-VideoFrameAnalysis/). To provide broader API feedback, go to our [UserVoice](https://feedback.azure.com/d365community/forum/09041fae-0b25-ec11-b6e6-000d3a4f0858) site.
+- [Call the Image Analysis API (how to)](call-analyze-image.md)
cognitive-services Identity Analyze Video https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Computer-vision/how-to/identity-analyze-video.md
Title: "Example: Real-time video analysis - Face"
description: Use the Face service to perform near-real-time analysis on frames taken from a live video stream. -+ -+ Previously updated : 03/01/2018- Last updated : 07/05/2022+ ms.devlang: csharp
-# Example: How to Analyze Videos in Real-time
+# Example: How to analyze videos in real time
[!INCLUDE [Gate notice](../includes/identity-gate-notice.md)]
-This guide will demonstrate how to perform near-real-time analysis on frames taken from a live video stream. The basic components in such a system are:
+This guide will demonstrate how to perform near-real-time analysis on frames taken from a live video stream. The basic steps in this system are:
- Acquire frames from a video source - Select which frames to analyze - Submit these frames to the API - Consume each analysis result that is returned from the API call
-These samples are written in C# and the code can be found on GitHub here: [https://github.com/Microsoft/Cognitive-Samples-VideoFrameAnalysis](https://github.com/Microsoft/Cognitive-Samples-VideoFrameAnalysis/).
+These samples are written in C# and the code can be found [on GitHub](https://github.com/Microsoft/Cognitive-Samples-VideoFrameAnalysis/).
-## The Approach
+## Methods
There are multiple ways to solve the problem of running near-real-time analysis on video streams. We will start by outlining three approaches in increasing levels of sophistication.
-### A Simple Approach
+### Using infinite loop
The simplest design for a near-real-time analysis system is an infinite loop, where each iteration grabs a frame, analyzes it, and then consumes the result:
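Review bot: the new heading "### Using infinite loop" is missing an article and does not match the form of its sibling "### Producer-consumer design". Suggest a noun phrase such as "### Infinite loop" or "### Simple infinite loop". The intro above also promises "three approaches", so check that the middle approach (parallel API calls) gets a heading at the same level.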
while (true)
This code launches each analysis in a separate Task, which can run in the background while we continue grabbing new frames. With this method we avoid blocking the main thread while waiting for an API call to return, but we have lost some of the guarantees that the simple version provided. Multiple API calls might occur in parallel, and the results might get returned in the wrong order. This could also cause multiple threads to enter the ConsumeResult() function simultaneously, which could be dangerous, if the function is not thread-safe. Finally, this simple code does not keep track of the Tasks that get created, so exceptions will silently disappear. Therefore, the final step is to add a "consumer" thread that will track the analysis tasks, raise exceptions, kill long-running tasks, and ensure that the results get consumed in the correct order.
-### A Producer-Consumer Design
+### Producer-consumer design
In our final "producer-consumer" system, we have a producer thread that looks similar to our previous infinite loop. However, instead of consuming analysis results as soon as they are available, the producer simply puts the tasks into a queue to keep track of them.
while (true)
} ```
-## Implementing the Solution
+## Implementation
-### Getting Started
+### Get sample code
To get your app up and running as quickly as possible, you will use a flexible implementation of the system described above. To access the code, go to [https://github.com/Microsoft/Cognitive-Samples-VideoFrameAnalysis](https://github.com/Microsoft/Cognitive-Samples-VideoFrameAnalysis).
-The library contains the class FrameGrabber, which implements the producer-consumer system discussed above to process video frames from a webcam. The user can specify the exact form of the API call, and the class uses events to let the calling code know when a new frame is acquired or a new analysis result is available.
+The library contains the class **FrameGrabber**, which implements the producer-consumer system discussed above to process video frames from a webcam. The user can specify the exact form of the API call, and the class uses events to let the calling code know when a new frame is acquired or a new analysis result is available.
To illustrate some of the possibilities, there are two sample apps that use the library. The first is a simple console app, and a simplified version of it is reproduced below. It grabs frames from the default webcam, and submits them to the Face service for face detection.
In most modes, there will be a visible delay between the live video on the left,
![HowToAnalyzeVideo](../../Video/Images/FramebyFrame.jpg)
-### Integrating into your codebase
+### Integrate into your codebase
To get started with this sample, follow these steps:
To get started with this sample, follow these steps:
- For LiveCameraSample, the keys should be entered into the Settings pane of the app. They will be persisted across sessions as user data.
-When you're ready to integrate, **reference the VideoFrameAnalyzer library from your own projects.**
+When you're ready to integrate, reference the **VideoFrameAnalyzer** library from your own projects.
-## Summary
+## Next steps
In this guide, you learned how to run near-real-time analysis on live video streams using the Face, Computer Vision, and Emotion APIs, and how to use our sample code to get started. Feel free to provide feedback and suggestions in the [GitHub repository](https://github.com/Microsoft/Cognitive-Samples-VideoFrameAnalysis/) or, for broader API feedback, on our [UserVoice](https://feedback.azure.com/d365community/forum/09041fae-0b25-ec11-b6e6-000d3a4f0858) site.
-## Related Topics
- [Call the detect API](identity-detect-faces.md)
cognitive-services Spatial Analysis Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Computer-vision/spatial-analysis-web-app.md
Most of the **Environment Variables** for the IoT Edge Module are already set in
"value": "accept" }, "BILLING":{
- "value": "<Use a key from your Computer Vision resource>"
+ "value": "<Use the endpoint from your Computer Vision resource>"
}, "APIKEY":{
- "value": "<Use the endpoint from your Computer Vision resource>"
+ "value": "<Use a key from your Computer Vision resource>"
} ```
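Review bot: the APIKEY placeholder puts a Computer Vision resource key in clear text in the module's environment variables, and nothing in the visible snippet says how the filled-in manifest should be handled. Add a sentence next to the snippet telling readers to keep the completed manifest out of source control. Because "BILLING" is not an obvious name for an endpoint URL, a short inline explanation of each variable would also help prevent the two placeholders from being swapped again.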
cognitive-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Computer-vision/whats-new.md
Learn what's new in the service. These items may be release notes, videos, blog
Vision Studio is UI tool that lets you explore, build, and integrate features from Azure Cognitive Services for Vision into your applications.
-Language Studio provides you with a platform to try several service features, and see what they return in a visual manner. It also provides you with an easy-to-use experience to create custom projects and models to work on your data. Using the Studio, you can get started without needing to write code, and then use the available client libraries and REST APIs in your application.
+Vision Studio provides you with a platform to try several service features, and see what they return in a visual manner. Using the Studio, you can get started without needing to write code, and then use the available client libraries and REST APIs in your application.
### Responsible AI for Face
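Review bot: the context sentence directly above the corrected line reads "Vision Studio is UI tool", which is missing "a". Fix it in the same change, since this paragraph is being corrected for the product name anyway. The two consecutive sentences now both open with "Vision Studio" and could be merged.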
cognitive-services Export Model Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Custom-Vision-Service/export-model-python.md
Previously updated : 01/05/2022 Last updated : 07/05/2022 ms.devlang: python
# Tutorial: Run a TensorFlow model in Python
-After you have [exported your TensorFlow model](./export-your-model.md) from the Custom Vision Service, this quickstart will show you how to use this model locally to classify images.
+After you've [exported your TensorFlow model](./export-your-model.md) from the Custom Vision Service, this quickstart will show you how to use this model locally to classify images.
> [!NOTE] > This tutorial applies only to models exported from "General (compact)" image classification projects. If you exported other models, please visit our [sample code repository](https://github.com/Azure-Samples/customvision-export-samples).
cognitive-services Export Your Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Custom-Vision-Service/export-your-model.md
Previously updated : 10/27/2021 Last updated : 07/05/2022 # Export your model for use with mobile devices
-Custom Vision Service allows classifiers to be exported to run offline. You can embed your exported classifier into an application and run it locally on a device for real-time classification.
+Custom Vision Service lets you export your classifiers to be run offline. You can embed your exported classifier into an application and run it locally on a device for real-time classification.
## Export options
cognitive-services Getting Started Improving Your Classifier https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Custom-Vision-Service/getting-started-improving-your-classifier.md
Previously updated : 02/09/2021 Last updated : 07/05/2022
The following is a general pattern to help you train a more accurate model:
## Prevent overfitting
-Sometimes, a model will learn to make predictions based on arbitrary characteristics that your images have in common. For example, if you are creating a classifier for apples vs. citrus, and you've used images of apples in hands and of citrus on white plates, the classifier may give undue importance to hands vs. plates, rather than apples vs. citrus.
-
-![Image of unexpected classification](./media/getting-started-improving-your-classifier/unexpected.png)
+Sometimes a model will learn to make predictions based on arbitrary characteristics that your images have in common. For example, if you're creating a classifier for apples vs. citrus, and you've used images of apples in hands and of citrus on white plates, the classifier may give undue importance to hands vs. plates, rather than apples vs. citrus.
To correct this problem, provide images with different angles, backgrounds, object size, groups, and other variations. The following sections expand upon these concepts.
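Review bot: the apples vs. citrus paragraph kept under "Prevent overfitting" is repeated almost word for word under "Data variety" later in the same file. With the image removed here, this section now adds nothing the later one does not. Suggest shortening this paragraph to one sentence that defines overfitting, and leaving the worked example and the picture in "Data variety" only.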
It's also important to consider the relative quantities of your training data. F
## Data variety
-Be sure to use images that are representative of what will be submitted to the classifier during normal use. Otherwise, your model could learn to make predictions based on arbitrary characteristics that your images have in common. For example, if you are creating a classifier for apples vs. citrus, and you've used images of apples in hands and of citrus on white plates, the classifier may give undue importance to hands vs. plates, rather than apples vs. citrus.
+Be sure to use images that are representative of what will be submitted to the classifier during normal use. Otherwise, your model could learn to make predictions based on arbitrary characteristics that your images have in common. For example, if you're creating a classifier for apples vs. citrus, and you've used images of apples in hands and of citrus on white plates, the classifier may give undue importance to hands vs. plates, rather than apples vs. citrus.
-![Image of unexpected classification](./media/getting-started-improving-your-classifier/unexpected.png)
+![Photo of fruits with unexpected matching.](./media/getting-started-improving-your-classifier/unexpected.png)
To correct this problem, include a variety of images to ensure that your model can generalize well. Below are some ways you can make your training set more diverse: * __Background:__ Provide images of your object in front of different backgrounds. Photos in natural contexts are better than photos in front of neutral backgrounds as they provide more information for the classifier.
- ![Image of background samples](./media/getting-started-improving-your-classifier/background.png)
+ ![Photo of background samples.](./media/getting-started-improving-your-classifier/background.png)
-* __Lighting:__ Provide images with varied lighting (that is, taken with flash, high exposure, and so on), especially if the images used for prediction have different lighting. It is also helpful to use images with varying saturation, hue, and brightness.
+* __Lighting:__ Provide images with varied lighting (that is, taken with flash, high exposure, and so on), especially if the images used for prediction have different lighting. It's also helpful to use images with varying saturation, hue, and brightness.
- ![Image of lighting samples](./media/getting-started-improving-your-classifier/lighting.png)
+ ![Photo of lighting samples.](./media/getting-started-improving-your-classifier/lighting.png)
* __Object Size:__ Provide images in which the objects vary in size and number (for example, a photo of bunches of bananas and a closeup of a single banana). Different sizing helps the classifier generalize better.
- ![Image of size samples](./media/getting-started-improving-your-classifier/size.png)
+ ![Photo of size samples.](./media/getting-started-improving-your-classifier/size.png)
-* __Camera Angle:__ Provide images taken with different camera angles. Alternatively, if all of your photos must be taken with fixed cameras (such as surveillance cameras), be sure to assign a different label to every regularly-occurring object to avoid overfitting&mdash;interpreting unrelated objects (such as lampposts) as the key feature.
+* __Camera Angle:__ Provide images taken with different camera angles. Alternatively, if all of your photos must be taken with fixed cameras (such as surveillance cameras), be sure to assign a different label to every regularly occurring object to avoid overfitting&mdash;interpreting unrelated objects (such as lampposts) as the key feature.
- ![Image of angle samples](./media/getting-started-improving-your-classifier/angle.png)
+ ![Photo of angle samples.](./media/getting-started-improving-your-classifier/angle.png)
* __Style:__ Provide images of different styles of the same class (for example, different varieties of the same fruit). However, if you have objects of drastically different styles (such as Mickey Mouse vs. a real-life mouse), we recommend you label them as separate classes to better represent their distinct features.
- ![Image of style samples](./media/getting-started-improving-your-classifier/style.png)
+ ![Photo of style samples.](./media/getting-started-improving-your-classifier/style.png)
## Negative images (classifiers only)
-If you're using an image classifier, you may need to add _negative samples_ to help make your classifier more accurate. Negative samples are images which do not match any of the other tags. When you upload these images, apply the special **Negative** label to them.
+If you're using an image classifier, you may need to add _negative samples_ to help make your classifier more accurate. Negative samples are images that don't match any of the other tags. When you upload these images, apply the special **Negative** label to them.
Object detectors handle negative samples automatically, because any image areas outside of the drawn bounding boxes are considered negative.
Object detectors handle negative samples automatically, because any image areas
> > On the other hand, in cases where the negative images are just a variation of the images used in training, it is likely that the model will classify the negative images as a labeled class due to the great similarities. For example, if you have an orange vs. grapefruit classifier, and you feed in an image of a clementine, it may score the clementine as an orange because many features of the clementine resemble those of oranges. If your negative images are of this nature, we recommend you create one or more additional tags (such as **Other**) and label the negative images with this tag during training to allow the model to better differentiate between these classes.
-## Consider occlusion and truncation (object detectors only)
+## Occlusion and truncation (object detectors only)
-If you want your object detector to detect truncated objects (object is partially cut out of the image) or occluded objects (object is partially blocked by another object in the image), you'll need to include training images that cover those cases.
+If you want your object detector to detect truncated objects (objects that are partially cut out of the image) or occluded objects (objects that are partially blocked by other objects in the image), you'll need to include training images that cover those cases.
> [!NOTE] > The issue of objects being occluded by other objects is not to be confused with **Overlap Threshold**, a parameter for rating model performance. The **Overlap Threshold** slider on the [Custom Vision website](https://customvision.ai) deals with how much a predicted bounding box must overlap with the true bounding box to be considered correct.
When you use or test the model by submitting images to the prediction endpoint,
![screenshot of the predictions tab, with images in view](./media/getting-started-improving-your-classifier/predictions.png)
-2. Hover over an image to see the tags that were predicted by the model. Images are sorted so that the ones which can bring the most improvements to the model are listed the top. To use a different sorting method, make a selection in the __Sort__ section.
+2. Hover over an image to see the tags that were predicted by the model. Images are sorted so that the ones that can bring the most improvements to the model are listed the top. To use a different sorting method, make a selection in the __Sort__ section.
- To add an image to your existing training data, select the image, set the correct tag(s), and click __Save and close__. The image will be removed from __Predictions__ and added to the set of training images. You can view it by selecting the __Training Images__ tab.
+ To add an image to your existing training data, select the image, set the correct tag(s), and select __Save and close__. The image will be removed from __Predictions__ and added to the set of training images. You can view it by selecting the __Training Images__ tab.
- ![Image of the tagging page](./media/getting-started-improving-your-classifier/tag.png)
+ ![Screenshot of the tagging page.](./media/getting-started-improving-your-classifier/tag.png)
3. Then use the __Train__ button to retrain the model.
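Review bot: in the rewritten step 2, "the ones that can bring the most improvements to the model are listed the top" is missing "at" ("listed at the top"). The surrounding steps also keep explicit numbering ("2.", "3.") while the sibling article test-your-model.md switches to "1." throughout; use one convention across both files.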
cognitive-services Limits And Quotas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Custom-Vision-Service/limits-and-quotas.md
Previously updated : 05/13/2021 Last updated : 07/05/2022
The number of training images per project and tags per project are expected to i
> [!NOTE] > Images smaller than than 256 pixels will be accepted but upscaled.
-> Image aspect ratio should not be larger than 25
+> Image aspect ratio should not be larger than 25:1.
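Review bot: the note line just above the changed one reads "Images smaller than than 256 pixels", with a doubled "than"; fix it in the same change. For the corrected ratio, consider stating which sides the 25:1 limit compares (longer side to shorter side) so that it cannot be misread.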
cognitive-services Test Your Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Custom-Vision-Service/test-your-model.md
Previously updated : 10/27/2021 Last updated : 07/05/2022
After you train your Custom Vision model, you can quickly test it using a locall
![The Quick Test button is shown in the upper right corner of the window.](./media/test-your-model/quick-test-button.png)
-2. In the **Quick Test** window, select in the **Submit Image** field and enter the URL of the image you want to use for your test. If you want to use a locally stored image instead, select the **Browse local files** button and select a local image file.
+1. In the **Quick Test** window, select in the **Submit Image** field and enter the URL of the image you want to use for your test. If you want to use a locally stored image instead, select the **Browse local files** button and select a local image file.
- ![Image of the submit image page](./media/test-your-model/submit-image.png)
+ ![Screenshot of the submit image page.](./media/test-your-model/submit-image.png)
The image you select appears in the middle of the page. Then the prediction results appear below the image in the form of a table with two columns, labeled **Tags** and **Confidence**. After you view the results, you may close the **Quick Test** window.
You can now take the image submitted previously for testing and use it to retrai
> [!TIP] > The default view shows images from the current iteration. You can use the __Iteration__ drop down field to view images submitted during previous iterations.
-2. Hover over an image to see the tags that were predicted by the classifier.
+1. Hover over an image to see the tags that were predicted by the classifier.
> [!TIP] > Images are ranked, so that the images that can bring the most gains to the classifier are at the top. To select a different sorting, use the __Sort__ section. To add an image to your training data, select the image, manually select the tag(s), and then select __Save and close__. The image is removed from __Predictions__ and added to the training images. You can view it by selecting the __Training Images__ tab.
- ![Image of the tagging page](./media/test-your-model/tag-image.png)
+ ![Screenshot of the tagging page.](./media/test-your-model/tag-image.png)
-3. Use the __Train__ button to retrain the classifier.
+1. Use the __Train__ button to retrain the classifier.
## Next steps
cognitive-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Custom-Vision-Service/whats-new.md
Learn what's new in the service. These items may be release notes, videos, blog posts, and other types of information. Bookmark this page to keep up to date with the service.
+## May 2022
+
+### Estimated Minimum Budget
+- In Custom Vision Portal, users are now able to view the minimum estimated budget needed to train their project. This estimate (shown in hours) is calculated based on volume of images uploaded by user and domain selected by user.
## October 2020
Learn what's new in the service. These items may be release notes, videos, blog
## Cognitive Service updates
-[Azure update announcements for Cognitive Services](https://azure.microsoft.com/updates/?product=cognitive-services)
+[Azure update announcements for Cognitive Services](https://azure.microsoft.com/updates/?product=cognitive-services)
cognitive-services How To Audio Content Creation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Speech-Service/how-to-audio-content-creation.md
The users you grant access to need to set up a [Microsoft account](https://accou
To add users to a Speech resource so that they can use Audio Content Creation, do the following:
-1. In the [Azure portal](https://portal.azure.com/), search for and select **Cognitive Services**, and then select the Speech resource that you want to add users to.
-1. Select **Access control (IAM)**, select **Add**, and then select **Add role assignment (preview)** to open the **Add role assignment** pane.
-1. Select the **Role** tab, and then select the **Cognitive Service User** role. If you want to give a user ownership of this Speech resource, select the **Owner** role.
-1. Select the **Members** tab, enter a user's email address and select the user's name in the directory. The email address must be linked to a Microsoft account that's trusted by Azure Active Directory. Users can easily sign up for a [Microsoft account](https://account.microsoft.com/account) by using their personal email address.
-1. Select the **Review + assign** tab, and then select **Review + assign** to assign the role to a user.
+
+1. In the [Azure portal](https://portal.azure.com/), select **All services**.
+1. Then select the **Cognitive Services**, and navigate to your specific Speech resource.
+ > [!NOTE]
+ > You can also set up Azure RBAC for whole resource groups, subscriptions, or management groups. Do this by selecting the desired scope level and then navigating to the desired item (for example, selecting **Resource groups** and then clicking through to your wanted resource group).
+1. Select **Access control (IAM)** on the left navigation pane.
+1. Select **Add** -> **Add role assignment**.
+1. On the **Role** tab on the next screen, select a role you want to add (in this case, **Owner**).
+1. On the **Members** tab, enter a user's email address and select the user's name in the directory. The email address must be linked to a Microsoft account that's trusted by Azure Active Directory. Users can easily sign up for a [Microsoft account](https://account.microsoft.com/account) by using their personal email address.
+1. On the **Review + assign** tab, select **Review + assign** to assign the role.
Here is what happens next:
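Review bot: The added Role step names **Owner** as the role to select ("in this case, **Owner**"), whereas the removed step told readers to select **Cognitive Service User** and reserved **Owner** for giving a user ownership of the Speech resource. For users who only need Audio Content Creation, keep the narrower role as the default and mention Owner as the exception, so the walkthrough does not steer administrators toward granting full control. The added note about assigning at resource group, subscription, or management group scope should also say that a role assigned there applies to every resource in that scope.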
Users now visit or refresh the [Audio Content Creation](https://aka.ms/audiocont
If they can't find the available Speech resource, they can check to ensure that they're in the right directory. To do so, they select the account profile at the upper right and then select **Switch** next to **Current directory**. If there's more than one directory available, it means they have access to multiple directories. They can switch to different directories and go to **Settings** to see whether the right Speech resource is available. - Users who are in the same Speech resource will see each other's work in Audio Content Creation studio. If you want each individual user to have a unique and private workplace in Audio Content Creation, [create a new Speech resource](#step-2-create-a-speech-resource) for each user and give each user the unique access to the Speech resource. ### Remove users from a Speech resource
cognitive-services Data Filtering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/data-filtering.md
Last updated 08/17/2020 -+ #Customer intent: As a Custom Translator, I want to understand how data is filtered before training a model.
cognitive-services Document Formats Naming Convention https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/document-formats-naming-convention.md
Last updated 12/06/2021 -+ #Customer intent: As a Custom Translator user, I want to understand how to format and name my documents.
cognitive-services Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/faq.md
Last updated 08/17/2020 -+ #Customer intent: As a Custom Translator user, I want to review frequently asked questions.
cognitive-services How To Create Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-create-project.md
Last updated 12/06/2021 -+ #Customer intent: As a Custom Translator user, I want to understand how to create project, so that I can build and manage a project.
cognitive-services How To Manage Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-manage-settings.md
Last updated 12/06/2021 -+ #Customer intent: As a Custom Translator user, I want to understand how to manage settings, so that I can create workspace, share workspace, and manage key in Custom Translator.
cognitive-services How To Search Edit Delete Projects https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-search-edit-delete-projects.md
Last updated 12/06/2021 -+ #Customer intent: As a Custom Translator user, I want to understand how to search, edit, delete projects, so that I can manage my projects effeciently. # Search, edit, and delete projects
cognitive-services How To Train Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-train-model.md
Last updated 12/06/2021 -+ #Customer intent: As a Custom Translator user, I want to understand how to train, so that I can start start building my custom translation model.
cognitive-services How To Upload Document https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-upload-document.md
Last updated 12/06/2021 -+ #Customer intent: As a Custom Translator user, I want to know how to upload document, so that I can start uploading my documents to train my model .
cognitive-services How To View Document Details https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-view-document-details.md
Last updated 12/06/2021 -+ #Customer intent: As a Custom Translator user, I want to understand how to view document details, so that I can to review list of extracted sentences in a document.
cognitive-services How To View Model Details https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-view-model-details.md
Last updated 12/06/2021 -+ #Customer intent: As a Custom Translator user, I want to understand how to view the model details, so that I can review details of each translation model.
cognitive-services How To View System Test Results https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-view-system-test-results.md
Last updated 12/06/2021 -+ #Customer intent: As a Custom Translator user, I want to understand how to view system test results, so that I can review test results and analyze my training.
cognitive-services Quickstart Build Deploy Custom Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/quickstart-build-deploy-custom-model.md
Last updated 04/26/2022 -+ #Customer intent: As a user, I want to understand how to use Custom Translator so that I can build, deploy, and use a custom model for translation. # Quickstart: Build, deploy, and use a custom model for translation
cognitive-services Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/release-notes.md
Last updated 05/03/2021 -+ # Custom Translator release notes
cognitive-services Sentence Alignment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/sentence-alignment.md
Last updated 04/19/2021 -+ #Customer intent: As a Custom Translator user, I want to know how sentence alignment works, so that I can have better understanding of underlying process of sentence extraction, pairing, filtering, aligning.
cognitive-services Training And Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/training-and-model.md
Last updated 12/06/2021 -+ #Customer intent: As a Custom Translator user, I want to concept of a model and training, so that I can efficiently use training, tuning and testing datasets the helps me build a translation model.
cognitive-services Unsupported Language Deployments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/unsupported-language-deployments.md
Last updated 04/24/2019 -+ # Unsupported language deployments
cognitive-services What Is Bleu Score https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/what-is-bleu-score.md
Last updated 08/17/2020 -+ #Customer intent: As a Custom Translator user, I want to understand how BLEU score works so that I understand system test outcome better.
cognitive-services What Is Dictionary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/what-is-dictionary.md
Last updated 12/06/2021 -+ #Customer intent: As a Custom Translator, I want to understand how to use a dictionary to build a custom translation model.
cognitive-services Workspace And Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/workspace-and-project.md
Last updated 08/17/2020 -+ #Customer intent: As a Custom Translator user, I want to concept of a project, so that I can use it efficiently. # What is a Custom Translator workspace?
cognitive-services Cognitive Services Development Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/cognitive-services-development-options.md
Power Automate is a service in the [Power Platform](/power-platform/) that helps
### Continuous integration and deployment
-You can use Azure DevOps and GitHub actions to manage your deployments. In the [section below](#continuous-integration-and-delivery-with-devops-and-github-actions), we have two examples of CI/CD integrations to train and deploy custom models for Speech and the Language Understanding (LUIS) service.
+You can use Azure DevOps and GitHub Actions to manage your deployments. In the [section below](#continuous-integration-and-delivery-with-devops-and-github-actions), we have two examples of CI/CD integrations to train and deploy custom models for Speech and the Language Understanding (LUIS) service.
* **Target user(s)**: Developers, data scientists, and data engineers * **Benefits**: Allows you to continuously adjust, update, and deploy applications and models programmatically. There is significant benefit when regularly using your data to improve and update models for Speech, Vision, Language, and Decision.
The tools that you will use to train and configure models are different from tho
### Continuous integration and delivery with DevOps and GitHub Actions
-Language Understanding and the Speech service offer continuous integration and continuous deployment solutions that are powered by Azure DevOps and GitHub actions. These tools are used for automated training, testing, and release management of custom models.
+Language Understanding and the Speech service offer continuous integration and continuous deployment solutions that are powered by Azure DevOps and GitHub Actions. These tools are used for automated training, testing, and release management of custom models.
* [CI/CD for Custom Speech](./speech-service/how-to-custom-speech-continuous-integration-continuous-deployment.md) * [CI/CD for LUIS](./luis/luis-concept-devops-automation.md)
cognitive-services Create Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/conversational-language-understanding/how-to/create-project.md
You can export a Conversational Language Understanding project as a JSON file at
[!INCLUDE [Language Studio project details](../includes/language-studio/project-details.md)]
-### [Rest APIs](#tab/rest-api)
+### [REST APIs](#tab/rest-api)
cognitive-services Create Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/custom-named-entity-recognition/how-to/create-project.md
Once your resource and storage container are configured, create a new custom NER
[!INCLUDE [Language Studio project creation](../includes/language-studio/create-project.md)]
-### [Rest APIs](#tab/rest-api)
+### [REST APIs](#tab/rest-api)
If you have already labeled data, you can use it to get started with the service
[!INCLUDE [Import project](../includes/language-studio/import-project.md)]
-### [Rest APIs](#tab/rest-api)
+### [REST APIs](#tab/rest-api)
[!INCLUDE [Import project](../includes/rest-api/import-project.md)]
If you have already labeled data, you can use it to get started with the service
[!INCLUDE [Language Studio project details](../includes/language-studio/project-details.md)]
-### [Rest APIs](#tab/rest-api)
+### [REST APIs](#tab/rest-api)
If you have already labeled data, you can use it to get started with the service
[!INCLUDE [Delete project using Language studio](../includes/language-studio/delete-project.md)]
-### [Rest APIs](#tab/rest-api)
+### [REST APIs](#tab/rest-api)
[!INCLUDE [Delete project using the REST API](../includes/rest-api/delete-project.md)]
cognitive-services Create Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/custom-text-classification/how-to/create-project.md
Once your resource and storage container are configured, create a new custom tex
[!INCLUDE [Language Studio project creation](../includes/language-studio/create-project.md)]
-### [Rest APIs](#tab/apis)
+### [REST APIs](#tab/apis)
If you have already labeled data, you can use it to get started with the service
[!INCLUDE [Import project](../includes/language-studio/import-project.md)]
-### [Rest APIs](#tab/apis)
+### [REST APIs](#tab/apis)
[!INCLUDE [Import project](../includes/rest-api/import-project.md)]
If you have already labeled data, you can use it to get started with the service
[!INCLUDE [Language Studio project details](../includes/language-studio/project-details.md)]
-### [Rest APIs](#tab/apis)
+### [REST APIs](#tab/apis)
If you have already labeled data, you can use it to get started with the service
[!INCLUDE [Delete project using Language Studio](../includes/language-studio/delete-project.md)]
-### [Rest APIs](#tab/apis)
+### [REST APIs](#tab/apis)
[!INCLUDE [Delete project using the REST API](../includes/rest-api/delete-project.md)]
cognitive-services Create Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/language-service/orchestration-workflow/how-to/create-project.md
You can export an orchestration workflow project as a JSON file at any time.
[!INCLUDE [Language Studio project details](../includes/language-studio/project-details.md)]
-### [Rest APIs](#tab/rest-api)
+### [REST APIs](#tab/rest-api)
container-apps Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/networking.md
As you create a custom VNET, keep in mind the following situations:
- If you want your container app to restrict all outside access, create an [internal Container Apps environment](vnet-custom-internal.md). -- When you provide your own VNET, the network needs a single subnet.
+- When you provide your own VNET, you need to provide a subnet that is dedicated to the Container App Environment you will deploy. This subnet cannot be used by other services.
- Network addresses are assigned from a subnet range you define as the environment is created.
The second URL grants access to the log streaming service and the console. If ne
## Ports and IP addresses
-The VNET associated with a Container Apps environment uses a single subnet with 255 addresses.
+The subnet associated with a Container App Environment must have a CIDR prefix of /23.
The following ports are exposed for inbound connections.
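Review bot: The added sentence under "Ports and IP addresses" says the subnet "must have a CIDR prefix of /23" without saying whether /23 is the exact size required or the smallest range accepted; state which, since readers size the subnet before the environment is created. The added lines also write "Container App Environment" where the surrounding text uses "Container Apps environment"; align the name.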
There's no forced tunneling in Container Apps routes.
## Managed resources
-When you deploy an internal or an external environment into your own network, a new resource group prefixed with `MC_` is created in the Azure subscription where your environment is hosted. This resource group contains infrastructure components managed by the Azure Container Apps platform, and shouldn't be modified. The resource group contains Public IP addresses used specifically for outbound connectivity from your environment and a load balancer. As the load balancer is created in your subscription, there are extra costs associated with deploying the service to a custom virtual network.
+When you deploy an internal or an external environment into your own network, a new resource group prefixed with `MC_` is created in the Azure subscription where your environment is hosted. This resource group contains infrastructure components managed by the Azure Container Apps platform, and shouldn't be modified. The resource group contains Public IP addresses used specifically for outbound connectivity from your environment and a load balancer. In addition to the [Azure Container Apps billing](https://docs.microsoft.com/azure/container-apps/billing), you will be billed for the following:
+- Three standard static [public IPs](https://azure.microsoft.com/pricing/details/ip-addresses/) if using an internal environment, or four standard static [public IPs](https://azure.microsoft.com/pricing/details/ip-addresses/) if using an external environment.
+- Two standard [Load Balancers](https://azure.microsoft.com/pricing/details/load-balancer/) if using an internal environment, or one standard [Load Balancer](https://azure.microsoft.com/pricing/details/load-balancer/) if using an external environment. Each load balancer has less than six rules. The cost of data processed (GB) includes both ingress and egress for management operations.
+ ## Next steps - [Deploy with an external environment](vnet-custom.md)-- [Deploy with an internal environment](vnet-custom-internal.md)
+- [Deploy with an internal environment](vnet-custom-internal.md)
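Review bot: The billing link in the added "Managed resources" sentence uses an absolute `https://docs.microsoft.com/azure/container-apps/billing` URL, while the other same-service links in this file are relative (`vnet-custom.md`, `vnet-custom-internal.md`); use a relative link for consistency. In the load balancer bullet, "less than six rules" should read "fewer than six rules".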
container-apps Service Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/service-connector.md
Last updated 06/16/2022
# Customer intent: As an app developer, I want to connect a containerized app to a storage account in the Azure portal using Service Connector.
-# How to connect a Container Apps instance to a backing service
+# Connect a container app to a cloud service with Service Connector
Azure Container Apps allows you to use Service Connector to connect to cloud services in just a few steps. Service Connector manages the configuration of the network settings and connection information between different services. To view all supported services, [learn more about Service Connector](../service-connector/overview.md#what-services-are-supported-in-service-connector).
container-instances Monitor Azure Container Instances Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/monitor-azure-container-instances-reference.md
The following schemas are in use by Azure Container Instances.
## See also - See [Monitoring Azure Container Instances](monitor-azure-container-instances.md) for a description of monitoring Azure Container Instances.-- See [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/insights/monitor-azure-resources) for details on monitoring Azure resources.
+- See [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.
cosmos-db How To Provision Throughput Cassandra https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/how-to-provision-throughput-cassandra.md
If you are using a different API, see [SQL API](../how-to-provision-container-th
1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. [Create a new Azure Cosmos account](../mongodb/create-mongodb-dotnet.md#create-a-database-account), or select an existing Azure Cosmos account.
+1. [Create a new Azure Cosmos account](../mongodb/create-mongodb-dotnet.md#create-an-azure-cosmos-db-account), or select an existing Azure Cosmos account.
1. Open the **Data Explorer** pane, and select **New Table**. Next, provide the following details:
cosmos-db How To Provision Throughput Gremlin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/graph/how-to-provision-throughput-gremlin.md
If you are using a different API, see [SQL API](../how-to-provision-container-th
1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. [Create a new Azure Cosmos account](../mongodb/create-mongodb-dotnet.md#create-a-database-account), or select an existing Azure Cosmos account.
+1. [Create a new Azure Cosmos account](../mongodb/create-mongodb-dotnet.md#create-an-azure-cosmos-db-account), or select an existing Azure Cosmos account.
1. Open the **Data Explorer** pane, and select **New Graph**. Next, provide the following details:
cosmos-db Create Mongodb Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/create-mongodb-dotnet.md
Title: Build a web API using Azure Cosmos DB's API for MongoDB and .NET SDK
-description: Presents a .NET code sample you can use to connect to and query using Azure Cosmos DB's API for MongoDB.
--
+ Title: Quickstart - Azure Cosmos DB MongoDB API for .NET with MongoDB drier
+description: Learn how to build a .NET app to manage Azure Cosmos DB MongoDB API account resources in this quickstart.
++
+ms.devlang: dotnet
Previously updated : 05/02/2020 Last updated : 07/05/2022
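Review bot: The added `Title:` line ends in "MongoDB drier"; this should read "MongoDB driver", matching the new H1 ("... with the MongoDB driver").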
-# Quickstart: Build a .NET web API using Azure Cosmos DB's API for MongoDB
+# Quickstart: Azure Cosmos DB MongoDB API for .NET with the MongoDB driver
[!INCLUDE[appliesto-mongodb-api](../includes/appliesto-mongodb-api.md)]
-> [!div class="op_single_selector"]
-> * [.NET](create-mongodb-dotnet.md)
-> * [Python](create-mongodb-python.md)
-> * [Java](create-mongodb-java.md)
-> * [Node.js](create-mongodb-nodejs.md)
-> * [Golang](create-mongodb-go.md)
->
+Get started with MongoDB to create databases, collections, and docs within your Cosmos DB resource. Follow these steps to install the package and try out example code for basic tasks.
-This quickstart demonstrates how to:
-1. Create an [Azure Cosmos DB API for MongoDB account](mongodb-introduction.md)
-2. Build a product catalog web API using the [MongoDB .NET driver](https://docs.mongodb.com/ecosystem/drivers/csharp/)
-3. Import sample data
+> [!NOTE]
+> The [example code snippets](https://github.com/Azure-Samples/cosmos-db-mongodb-api-dotnet-samples) are available on GitHub as a .NET project.
-## Prerequisites to run the sample app
+[MongoDB API reference documentation](https://www.mongodb.com/docs/drivers/csharp) | [MongoDB Package (NuGet)](https://www.nuget.org/packages/MongoDB.Driver)
-* Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]
-* [.NET 5.0](https://dotnet.microsoft.com/download/dotnet/5.0)
-* An Azure account with an active subscription. [Create an Azure account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). You can also [try Azure Cosmos DB](https://azure.microsoft.com/try/cosmosdb/) without an Azure subscription, free of charge and commitments.
+## Prerequisites
-## Create a database account
+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).
+* [.NET 6.0](https://dotnet.microsoft.com/en-us/download)
+* [Azure Command-Line Interface (CLI)](/cli/azure/install-azure-cli) or [Azure PowerShell](/powershell/azure/install-az-ps)
+### Prerequisite check
-## Learn the object model
+* In a terminal or command window, run ``dotnet --list-sdks`` to check that .NET 6.x is one of the available versions.
+* Run ``az --version`` (Azure CLI) or ``Get-Module -ListAvailable AzureRM`` (Azure PowerShell) to check that you have the appropriate Azure command-line tools installed.
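Review bot: The PowerShell prerequisite check runs `Get-Module -ListAvailable AzureRM`, but the prerequisite list links the Azure PowerShell install page `/powershell/azure/install-az-ps`, which covers the Az module, so a reader who followed that link will not find an AzureRM module. Check for the module the link installs, for example `Get-Module -ListAvailable Az`.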
-Before you continue building the application, let's look into the hierarchy of resources in the API for MongoDB and the object model that's used to create and access these resources. The API for MongoDB creates resources in the following order:
+## Setting up
-* Azure Cosmos DB API for MongoDB account
-* Databases
-* Collections
-* Documents
+This section walks you through creating an Azure Cosmos account and setting up a project that uses the MongoDB NuGet packages.
-To learn more about the hierarchy of entities, see the [Azure Cosmos DB resource model](../account-databases-containers-items.md) article.
+### Create an Azure Cosmos DB account
-## Install the sample app template
+This quickstart will create a single Azure Cosmos DB account using the MongoDB API.
-This sample is a dotnet project template, which can be installed to create a local copy. Run the following commands in a command window:
+#### [Azure CLI](#tab/azure-cli)
-```bash
-mkdir "C:\cosmos-samples"
-cd "C:\cosmos-samples"
-dotnet new -i Microsoft.Azure.Cosmos.Templates
-dotnet new cosmosmongo-webapi
-```
-The preceding commands:
+#### [PowerShell](#tab/azure-powershell)
-1. Create the *C:\cosmos-samples* directory for the sample. Choose a folder appropriate for your operating system.
-1. Change your current directory to the *C:\cosmos-samples* folder.
-1. Install the project template, making it available globally from the dotnet CLI.
-1. Create a local sample app using the project template.
-If you don't wish to use the dotnet CLI, you can also [download the project templates as a ZIP file](https://github.com/Azure/azure-cosmos-dotnet-templates). This sample is in the `Templates/APIForMongoDBQuickstart-WebAPI` folder.
+#### [Portal](#tab/azure-portal)
-## Review the code
-The following steps are optional. If you're interested in learning how the database resources are created in the code, review the following snippets. Otherwise, skip ahead to [Update the application settings](#update-the-application-settings).
+
-### Setup connection
+### Get MongoDB connection string
-The following snippet is from the *Services/MongoService.cs* file.
+#### [Azure CLI](#tab/azure-cli)
-* The following class represents the client and is injected by the .NET framework into services that consume it:
- ```cs
- public class MongoService
- {
- private static MongoClient _client;
+#### [PowerShell](#tab/azure-powershell)
- public MongoService(IDatabaseSettings settings)
- {
- _client = new MongoClient(settings.MongoConnectionString);
- }
- public MongoClient GetClient()
- {
- return _client;
- }
- }
- ```
+#### [Portal](#tab/azure-portal)
-### Setup product catalog data service
-The following snippets are from the *Services/ProductService.cs* file.
+
-* The following code retrieves the database and the collection and will create them if they don't already exist:
+### Create a new .NET app
- ```csharp
- private readonly IMongoCollection<Product> _products;
+Create a new .NET application in an empty folder using your preferred terminal. Use the [``dotnet new console``](/dotnet/core/tools/dotnet-newt) to create a new console app.
- public ProductService(MongoService mongo, IDatabaseSettings settings)
- {
- var db = mongo.GetClient().GetDatabase(settings.DatabaseName);
- _products = db.GetCollection<Product>(settings.ProductCollectionName);
- }
- ```
+```console
+dotnet new console -o <app-name>
+```
-* The following code retrieves a document by sku, a unique product identifier:
+### Install the NuGet package
+
+Add the [MongoDB.Driver](https://www.nuget.org/packages/MongoDB.Driver) NuGet package to the new .NET project. Use the [``dotnet add package``](/dotnet/core/tools/dotnet-add-package) command specifying the name of the NuGet package.
+
+```console
+dotnet add package MongoDb.Driver
+```
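Review bot: The link on ``dotnet new console`` points to `/dotnet/core/tools/dotnet-newt`, which looks like a typo for `dotnet-new`, and the sentence is missing the word "command" ("Use the ... command to create a new console app"). In the install step, the command spells the package `MongoDb.Driver` while the text and the NuGet link spell it `MongoDB.Driver`; use one spelling throughout.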
- ```csharp
- public Task<Product> GetBySkuAsync(string sku)
- {
- return _products.Find(p => p.Sku == sku).FirstOrDefaultAsync();
- }
- ```
+### Configure environment variables
-* The following code creates a product and inserts it into the collection:
- ```csharp
- public Task CreateAsync(Product product)
- {
- _products.InsertOneAsync(product);
- }
- ```
+## Object model
-* The following code finds and updates a product:
+Before you start building the application, let's look into the hierarchy of resources in Azure Cosmos DB. Azure Cosmos DB has a specific object model used to create and access resources. The Azure Cosmos DB creates resources in a hierarchy that consists of accounts, databases, collections, and docs.
- ```csharp
- public Task<Product> UpdateAsync(Product update)
- {
- return _products.FindOneAndReplaceAsync(
- Builders<Product>.Filter.Eq(p => p.Sku, update.Sku),
- update,
- new FindOneAndReplaceOptions<Product> { ReturnDocument = ReturnDocument.After });
- }
- ```
+ Hierarchical diagram showing an Azure Cosmos DB account at the top. The account has two child database nodes. One of the database nodes includes two child collection nodes. The other database node includes a single child collection node. That single collection node has three child doc nodes.
- Similarly, you can delete documents by using the [collection.DeleteOne()](https://docs.mongodb.com/stitch/mongodb/actions/collection.deleteOne/https://docsupdatetracker.net/index.html) method.
+You'll use the following MongoDB classes to interact with these resources:
-## Update the application settings
+- [``MongoClient``](https://mongodb.github.io/mongo-csharp-driver/2.16/apidocs/html/T_MongoDB_Driver_MongoClient.htm) - This class provides a client-side logical representation for the MongoDB API layer on Cosmos DB. The client object is used to configure and execute requests against the service.
+- [``MongoDatabase``](https://mongodb.github.io/mongo-csharp-driver/2.16/apidocs/html/T_MongoDB_Driver_MongoDatabase.htm) - This class is a reference to a database that may, or may not, exist in the service yet. The database is validated server-side when you attempt to access it or perform an operation against it.
+- [``Collection``](https://mongodb.github.io/mongo-csharp-driver/2.16/apidocs/html/T_MongoDB_Driver_MongoCollection.htm) - This class is a reference to a collection that also may not exist in the service yet. The collection is validated server-side when you attempt to work with it.
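Review bot: The third class bullet is labelled ``Collection`` but links to the `MongoCollection` page (`T_MongoDB_Driver_MongoCollection.htm`), unlike the ``MongoClient`` and ``MongoDatabase`` bullets, whose labels match their link targets; label it with the type name the link points to. In the object model paragraph, "The Azure Cosmos DB creates resources" should drop the leading "The".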
-From the Azure portal, copy the connection string information:
+## Code examples
-1. In the [Azure portal](https://portal.azure.com/), select your Cosmos DB account, in the left navigation select **Connection String**, and then select **Read-write Keys**. You'll use the copy buttons on the right side of the screen to copy the primary connection string into the *appsettings.json* file in the next step.
+* [Authenticate the client](#authenticate-the-client)
+* [Create a database](#create-a-database)
+* [Create a container](#create-a-collection)
+* [Create an item](#create-an-item)
+* [Get an item](#get-an-item)
+* [Query items](#query-items)
-2. Open the *appsettings.json* file.
+The sample code described in this article creates a database named ``adventureworks`` with a collection named ``products``. The ``products`` collection is designed to contain product details such as name, category, quantity, and a sale indicator. Each product also contains a unique identifier.
-3. Copy the **primary connection string** value from the portal (using the copy button) and make it the value of the **DatabaseSettings.MongoConnectionString** property in the **appsettings.json** file.
+### Authenticate the client
-4. Review the **database name** value in the **DatabaseSettings.DatabaseName** property in the **appsettings.json** file.
+From the project directory, open the *Program.cs* file. In your editor, add a using directive for ``MongoDB.Driver``.
-5. Review the **collection name** value in the **DatabaseSettings.ProductCollectionName** property in the **appsettings.json** file.
-> [!WARNING]
-> Never check passwords or other sensitive data into source code.
+Define a new instance of the ``MongoClient`` class using the constructor, and [``Environment.GetEnvironmentVariable``](/dotnet/api/system.environment.getenvironmentvariables) to read the connection string you set earlier.
-You've now updated your app with all the info it needs to communicate with Cosmos DB.
-## Load sample data
+### Create a database
-[Download](https://www.mongodb.com/try/download/database-tools) [mongoimport](https://docs.mongodb.com/database-tools/mongoimport/#mongodb-binary-bin.mongoimport), a CLI tool that easily imports small amounts of JSON, CSV, or TSV data. We'll use mongoimport to load the sample product data provided in the `Data` folder of this project.
+Use the [``MongoClient.GetDatabase``](https://mongodb.github.io/mongo-csharp-driver/2.16/apidocs/html/M_MongoDB_Driver_MongoClient_GetDatabase.htm) method to create a new database if it doesn't already exist. This method will return a reference to the existing or newly created database.
-From the Azure portal, copy the connection information and enter it in the command below:
-```bash
-mongoimport --host <HOST>:<PORT> -u <USERNAME> -p <PASSWORD> --db cosmicworks --collection products --ssl --jsonArray --writeConcern="{w:0}" --file Data/products.json
+### Create a collection
+
+The [``MongoDatabase.GetCollection``](https://mongodb.github.io/mongo-csharp-driver/2.16/apidocs/html/M_MongoDB_Driver_MongoDatabase_GetCollection.htm) will create a new collection if it doesn't already exist and return a reference to the collection.
++
+### Create an item
+
+The easiest way to create a new item in a collection is to create a C# [class](/dotnet/csharp/language-reference/keywords/class) or [record](/dotnet/csharp/language-reference/builtin-types/record) type with all of the members you want to serialize into JSON. In this example, the C# record has a unique identifier, a *category* field for the partition key, and extra *name*, *quantity*, and *sale* fields.
+
+```csharp
+public record Product(
+ string Id,
+ string Category,
+ string Name,
+ int Quantity,
+ bool Sale
+);
```
-1. In the [Azure portal](https://portal.azure.com/), select your Azure Cosmos DB API for MongoDB account, in the left navigation select **Connection String**, and then select **Read-write Keys**.
+Create an item in the collection using the `Product` record by calling [``IMongoCollection<TDocument>.InsertOne``](https://mongodb.github.io/mongo-csharp-driver/2.16/apidocs/html/M_MongoDB_Driver_IMongoCollection_1_InsertOne_1.htm).
-1. Copy the **HOST** value from the portal (using the copy button) and enter it in place of **\<HOST\>**.
-1. Copy the **PORT** value from the portal (using the copy button) and enter it in place of **\<PORT\>**.
+### Get an item
-1. Copy the **USERNAME** value from the portal (using the copy button) and enter it in place of **\<USERNAME\>**.
+In Azure Cosmos DB, you can retrieve items by composing queries using Linq. In the SDK, call [``IMongoCollection.FindAsync<>``](https://mongodb.github.io/mongo-csharp-driver/2.16/apidocs/html/M_MongoDB_Driver_IMongoCollection_1_FindAsync__1.htm) and pass in a C# expression to filter the results.
-1. Copy the **PASSWORD** value from the portal (using the copy button) and enter it in place of **\<PASSWORD\>**.
-1. Review the **database name** value and update it if you created something other than `cosmicworks`.
+### Query items
-1. Review the **collection name** value and update it if you created something other than `products`.
+After you insert an item, you can run a query to get all items that match a specific filter by treating the collection as an `IQueryable`. This example uses an expression to filter products by category. Once the call to `AsQueryable` is made, call [``MongoQueryable.Where``](https://mongodb.github.io/mongo-csharp-driver/2.16/apidocs/html/M_MongoDB_Driver_Linq_MongoQueryable_Where__1.htm) to retrieve a set of filtered items.
-> [!Note]
-> If you would like to skip this step you can create documents with the correct schema using the POST endpoint provided as part of this web api project.
-## Run the app
+## Run the code
-From Visual Studio, select CTRL + F5 to run the app. The default browser is launched with the app.
+This app creates an Azure Cosmos MongoDb API database and collection. The example then creates an item and then reads the exact same item back. Finally, the example creates a second item and then performs a query that should return multiple items. With each step, the example outputs metadata to the console about the steps it has performed.
-If you prefer the CLI, run the following command in a command window to start the sample app. This command will also install project dependencies and build the project, but won't automatically launch the browser.
+To run the app, use a terminal to navigate to the application directory and run the application.
-```bash
+```dotnetcli
dotnet run ```
-After the application is running, navigate to `https://localhost:5001/swagger/https://docsupdatetracker.net/index.html` to see the [swagger documentation](https://swagger.io/) for the web api and to submit sample requests.
+The output of the app should be similar to this example:
-Select the API you would like to test and select "Try it out".
+```output
+Single product name:
+Yamba Surfboard
+Multiple products:
+Yamba Surfboard
+Sand Surfboard
+```
+## Clean up resources
-Enter any necessary parameters and select "Execute."
+When you no longer need the Azure Cosmos DB SQL API account, you can delete the corresponding resource group.
-## Clean up resources
+### [Azure CLI / Resource Manager template](#tab/azure-cli)
+
+Use the [``az group delete``](/cli/azure/group#az-group-delete) command to delete the resource group.
+
+```azurecli-interactive
+az group delete --name $resourceGroupName
+```
+
+### [PowerShell](#tab/azure-powershell)
+Use the [``Remove-AzResourceGroup``](/powershell/module/az.resources/remove-azresourcegroup) cmdlet to delete the resource group.
-## Next steps
+```azurepowershell-interactive
+$parameters = @{
+ Name = $RESOURCE_GROUP_NAME
+}
+Remove-AzResourceGroup @parameters
+```
+
+### [Portal](#tab/azure-portal)
+
+1. Navigate to the resource group you previously created in the Azure portal.
-In this quickstart, you've learned how to create an API for MongoDB account, create a database and a collection with code, and run a web API app. You can now import other data to your database.
+ > [!TIP]
+ > In this quickstart, we recommended the name ``msdocs-cosmos-quickstart-rg``.
+1. Select **Delete resource group**.
-Trying to do capacity planning for a migration to Azure Cosmos DB? You can use information about your existing database cluster for capacity planning.
-* If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)
-* If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-capacity-planner.md)
+ :::image type="content" source="media/delete-account-portal/delete-resource-group-option.png" lightbox="media/delete-account-portal/delete-resource-group-option.png" alt-text="Screenshot of the Delete resource group option in the navigation bar for a resource group.":::
-> [!div class="nextstepaction"]
-> [Import MongoDB data into Azure Cosmos DB](../../dms/tutorial-mongodb-cosmos-db.md?toc=%2fazure%2fcosmos-db%2ftoc.json%253ftoc%253d%2fazure%2fcosmos-db%2ftoc.json)
+1. On the **Are you sure you want to delete** dialog, enter the name of the resource group, and then select **Delete**.
+
+ :::image type="content" source="media/delete-account-portal/delete-confirmation.png" lightbox="media/delete-account-portal/delete-confirmation.png" alt-text="Screenshot of the delete confirmation page for a resource group.":::
++
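Review bot: In "Clean up resources" the added sentence reads "When you no longer need the Azure Cosmos DB SQL API account", but this quickstart is for the API for MongoDB, so the sentence should name the MongoDB API account. Under "Authenticate the client", the link text is ``Environment.GetEnvironmentVariable`` while the target is `/dotnet/api/system.environment.getenvironmentvariables` (the plural method); text and target should agree. The change also drops the warning "Never check passwords or other sensitive data into source code". The connection string is still a secret when it is read from an environment variable, so consider keeping a short note to that effect next to the new step. Smaller points: the "Code examples" list says "Create a container" but links to `#create-a-collection`, and the two clean-up snippets use different variable names (`$resourceGroupName` and `$RESOURCE_GROUP_NAME`).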
cosmos-db Feature Support 42 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/feature-support-42.md
Azure Cosmos DB supports GridFS through any GridFS-compatible Mongo driver.
Azure Cosmos DB supports automatic, native replication at the lowest layers. This logic is extended out to achieve low-latency, global replication as well. Cosmos DB does not support manual replication commands.
-## Retryable Writes
+## Retryable Writes (preview)
+Retryable writes enables MongoDB drivers to automatically retry certain write operations in case of failure, but results in more stringent requirements for certain operations, which match MongoDB protocol requirements. With this feature enabled, update operations, including deletes, in sharded collections will require the shard key to be included in the query filter or update statement.
-Cosmos DB does not yet support retryable writes. Client drivers must add the 'retryWrites=false' URL parameter to their connection string. More URL parameters can be added by prefixing them with an '&'.
+For example, with a sharded collection, sharded on key ΓÇ£countryΓÇ¥: To delete all the documents with the field city = "NYC", the application will need to execute the operation for all shard key (country) values if Retryable writes is enabled.
+
+db.coll.deleteMany({"country": "USA", "city": "NYC"}) ΓÇô Success
+
+db.coll.deleteMany({"city": "NYC"})- Fails with error ShardKeyNotFound(61)
+
+To enable the feature, [add the EnableMongoRetryableWrites capability](how-to-configure-capabilities.md) to your database account.
## Sharding
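Review bot: The removed line told clients to add 'retryWrites=false' to the connection string, and the added text does not say whether that is still required on accounts that have not added the EnableMongoRetryableWrites capability. Since the feature is a preview that has to be enabled per account, that guidance should stay for the default case. The added paragraph should also say up front that enabling the capability makes existing updates and deletes on sharded collections fail with ShardKeyNotFound(61) when the filter omits the shard key, because that is a behavior change for applications already running. The two `db.coll.deleteMany` lines would read better in a code block with the Success and Fails remarks as comments, and the quotation marks around "country" and the dash after the first command appear mis-encoded here.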
cosmos-db Find Request Unit Charge Mongodb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/find-request-unit-charge-mongodb.md
The RU charge is exposed by a custom [database command](https://docs.mongodb.com
1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. [Create a new Azure Cosmos account](create-mongodb-dotnet.md#create-a-database-account) and feed it with data, or select an existing account that already contains data.
+1. [Create a new Azure Cosmos account](create-mongodb-dotnet.md#create-an-azure-cosmos-db-account) and feed it with data, or select an existing account that already contains data.
1. Go to the **Data Explorer** pane, and then select the container you want to work on.
cosmos-db How To Configure Capabilities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/how-to-configure-capabilities.md
+
+ Title: Configure your API for MongoDB account capabilities
+description: Learn how to configure your API for MongoDB account capabilities
+++ Last updated : 07/01/2022+++
+# Configure your API for MongoDB account capabilities
+
+Capabilities are features that can be added or removed to your API for MongoDB account. Many of these features affect account behavior so it's important to be fully aware of the impact a capability will have before enabling or disabling it. Several capabilities are set on API for MongoDB accounts by default, and cannot be changed or removed. One example is the EnableMongo capability. This article will demonstrate how to enable and disable a capability.
+
+## Enable a capability
+1. Retrieve your existing account capabilities:
+```powershell
+az cosmosdb show -n <account_name> -g <azure_resource_group>
+```
+You should see a capability section similar to this:
+```powershell
+"capabilities": [
+ {
+ "name": "EnableMongo"
+ }
+]
+```
+Copy each of these capabilities. In this example, we have EnableMongo and DisableRateLimitingResponses.
+
+2. Set the new capability on your database account. The list of capabilities should include the list of previously enabled capabilities, since only the explicitly named capabilities will be set on your account. For example, if you want to add the capability "DisableRateLimitingResponses", you would run the following command:
+```powershell
+az cosmosdb update -n <account_name> -g <azure_resource_group> --capabilities EnableMongo, DisableRateLimitingResponses
+```
+
+## Disable a capability
+1. Retrieve your existing account capabilities:
+```powershell
+az cosmosdb show -n <account_name> -g <azure_resource_group>
+```
+You should see a capability section similar to this:
+```powershell
+"capabilities": [
+ {
+ "name": "EnableMongo"
+ },
+ {
+ "name": "DisableRateLimitingResponses"
+ }
+]
+```
+Copy each of these capabilities. In this example, we have EnableMongo and DisableRateLimitingResponses.
+
+2. Remove the capability from your database account. The list of capabilities should include the list of previously enabled capabilities you want to keep, since only the explicitly named capabilities will be set on your account. For example, if you want to remove the capability "DisableRateLimitingResponses", you would run the following command:
+```powershell
+az cosmosdb update -n <account_name> -g <azure_resource_group> --capabilities EnableMongo
+```
+
+## Next steps
+
+- Learn how to [use Studio 3T](connect-using-mongochef.md) with Azure Cosmos DB API for MongoDB.
+- Learn how to [use Robo 3T](connect-using-robomongo.md) with Azure Cosmos DB API for MongoDB.
+- Explore MongoDB [samples](nodejs-console-app.md) with Azure Cosmos DB API for MongoDB.
+- Trying to do capacity planning for a migration to Azure Cosmos DB? You can use information about your existing database cluster for capacity planning.
+ - If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md).
+ - If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-capacity-planner.md).
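Review bot: In step 2 of "Enable a capability" the command passes `--capabilities EnableMongo, DisableRateLimitingResponses`, with a comma and a space between the names. The Azure CLI takes list values separated by spaces, so the first value would be read as `EnableMongo,`; write it as `--capabilities EnableMongo DisableRateLimitingResponses`. In the same section the sample output lists only EnableMongo, yet the next sentence says "we have EnableMongo and DisableRateLimitingResponses"; that sentence looks copied from the "Disable a capability" section. Because only the explicitly named capabilities are set, it would help to state plainly that any capability left out of the list is removed by the command, and to tell readers to re-run `az cosmosdb show` afterwards to confirm the resulting set. The fences are tagged `powershell` although they hold Azure CLI commands and JSON output.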
cosmos-db How To Create Container Mongodb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/how-to-create-container-mongodb.md
This article explains the different ways to create a collection in Azure Cosmos
1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. [Create a new Azure Cosmos account](create-mongodb-dotnet.md#create-a-database-account), or select an existing account.
+1. [Create a new Azure Cosmos account](create-mongodb-dotnet.md#create-an-azure-cosmos-db-account), or select an existing account.
1. Open the **Data Explorer** pane, and select **New Container**. Next, provide the following details:
cosmos-db How To Provision Throughput Mongodb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/how-to-provision-throughput-mongodb.md
If you are using a different API, see [SQL API](../how-to-provision-container-th
1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. [Create a new Azure Cosmos account](create-mongodb-dotnet.md#create-a-database-account), or select an existing Azure Cosmos account.
+1. [Create a new Azure Cosmos account](create-mongodb-dotnet.md#create-an-azure-cosmos-db-account), or select an existing Azure Cosmos account.
1. Open the **Data Explorer** pane, and select **New Collection**. Next, provide the following details:
cosmos-db Nodejs Console App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/nodejs-console-app.md
This example shows you how to build a console app using Node.js and Azure Cosmos
To use this example, you must:
-* [Create](create-mongodb-dotnet.md#create-a-database-account) a Cosmos account configured to use Azure Cosmos DB's API for MongoDB.
+* [Create](create-mongodb-dotnet.md#create-an-azure-cosmos-db-account) a Cosmos account configured to use Azure Cosmos DB's API for MongoDB.
* Retrieve your [connection string](connect-mongodb-account.md) information. ## Create the app
data-factory Azure Ssis Integration Runtime Express Virtual Network Injection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/azure-ssis-integration-runtime-express-virtual-network-injection.md
Last updated 02/15/2022--++
data-factory Azure Ssis Integration Runtime Package Store https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/azure-ssis-integration-runtime-package-store.md
description: Learn how to manage packages with Azure-SSIS Integration Runtime pa
--++ Last updated 10/22/2021
data-factory Azure Ssis Integration Runtime Standard Virtual Network Injection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/azure-ssis-integration-runtime-standard-virtual-network-injection.md
Last updated 02/15/2022--++
data-factory Azure Ssis Integration Runtime Virtual Network Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/azure-ssis-integration-runtime-virtual-network-configuration.md
Last updated 02/15/2022--++
data-factory Built In Preinstalled Components Ssis Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/built-in-preinstalled-components-ssis-integration-runtime.md
description: List all built-in and preinstalled components, such as clients, dri
--++ Last updated 02/15/2022
data-factory Configure Azure Ssis Integration Runtime Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/configure-azure-ssis-integration-runtime-performance.md
Last updated 02/15/2022
--++ # Configure the Azure-SSIS Integration Runtime for high performance
data-factory Configure Bcdr Azure Ssis Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/configure-bcdr-azure-ssis-integration-runtime.md
ms.devlang: powershell--++
data-factory Connector Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-rest.md
Title: Copy and transform data from and to a REST endpoint by using Azure Data Factory
+ Title: Copy and transform data from and to a REST endpoint
description: Learn how to use Copy Activity to copy data and use Data Flow to transform data from a cloud or on-premises REST source to supported sink data stores, or from supported source data store to a REST sink in Azure Data Factory or Azure Synapse Analytics pipelines.
data-factory Connector Troubleshoot Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-troubleshoot-guide.md
Previously updated : 10/13/2021 Last updated : 06/29/2022
The errors below are general to the copy activity and could occur with any conne
- **Recommendation**: Retry if the message shows that it's a transient issue. If the problem persists, contact the support team.
+## General connector errors
+
+### Error code: UserErrorOdbcInvalidQueryString
+
+- **Message**: `The following ODBC Query is not valid: '%'.`
+
+- **Cause**: You provide a wrong or invalid query to fetch the data/schemas.
+
+- **Recommendation**: Verify your query is valid and can return dat) if you want to execute non-query scripts and your data store is supported. Alternatively, consider to use stored procedure that returns a dummy result to execute your non-query scripts.
+ ## Next steps For more troubleshooting help, try these resources:
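Review bot: The Recommendation for UserErrorOdbcInvalidQueryString is broken mid-sentence: "Verify your query is valid and can return dat) if you want to execute non-query scripts" is missing the end of "data" and whatever the closing parenthesis belonged to, so the advice for non-query scripts cannot be followed as written. Restore the missing text, and change "consider to use stored procedure" to "consider using a stored procedure". The Cause line would also read better as "You provided an invalid query to fetch the data or schemas."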
data-factory Create Azure Ssis Integration Runtime Deploy Packages https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/create-azure-ssis-integration-runtime-deploy-packages.md
Last updated 10/22/2021--++ # Deploy SSIS packages
data-factory Create Azure Ssis Integration Runtime Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/create-azure-ssis-integration-runtime-portal.md
Last updated 02/15/2022--++
data-factory Create Azure Ssis Integration Runtime Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/create-azure-ssis-integration-runtime-powershell.md
Last updated 02/15/2022--++
data-factory Create Azure Ssis Integration Runtime Resource Manager Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/create-azure-ssis-integration-runtime-resource-manager-template.md
Last updated 02/15/2022--++
data-factory Create Azure Ssis Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/create-azure-ssis-integration-runtime.md
Last updated 02/15/2022--++
data-factory Enable Aad Authentication Azure Ssis Ir https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/enable-aad-authentication-azure-ssis-ir.md
ms.devlang: powershell --++ Last updated 02/15/2022
data-factory How To Clean Up Ssisdb Logs With Elastic Jobs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-clean-up-ssisdb-logs-with-elastic-jobs.md
Last updated 02/15/2022--++
data-factory How To Configure Azure Ssis Ir Custom Setup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-configure-azure-ssis-ir-custom-setup.md
description: This article describes how to use the custom setup interface for an
--++ Last updated 02/15/2022
data-factory How To Configure Azure Ssis Ir Enterprise Edition https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-configure-azure-ssis-ir-enterprise-edition.md
Last updated 02/15/2022--++ # Provision Enterprise Edition for the Azure-SSIS Integration Runtime
data-factory How To Develop Azure Ssis Ir Licensed Components https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-develop-azure-ssis-ir-licensed-components.md
Title: Install licensed components for Azure-SSIS integration runtime
description: Learn how an ISV can develop and install paid or licensed custom components for the Azure-SSIS integration runtime --++ Last updated 02/17/2022
data-factory How To Invoke Ssis Package Azure Enabled Dtexec https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-invoke-ssis-package-azure-enabled-dtexec.md
Last updated 10/22/2021--++ # Run SQL Server Integration Services packages with the Azure-enabled dtexec utility
data-factory How To Invoke Ssis Package Ssdt https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-invoke-ssis-package-ssdt.md
description: Learn how to execute SSIS packages in Azure from SSDT.
--++ Last updated 10/22/2021
data-factory How To Invoke Ssis Package Ssis Activity Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-invoke-ssis-package-ssis-activity-powershell.md
ms.devlang: powershell --++ Last updated 10/22/2021
data-factory How To Invoke Ssis Package Ssis Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-invoke-ssis-package-ssis-activity.md
ms.devlang: powershell --++ Last updated 02/15/2022
data-factory How To Invoke Ssis Package Stored Procedure Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-invoke-ssis-package-stored-procedure-activity.md
Title: Run SSIS package with Stored Procedure Activity - Azure description: This article describes how to run a SQL Server Integration Services (SSIS) package in an Azure Data Factory pipeline by using the Stored Procedure Activity.-+ ms.devlang: powershell Last updated 02/15/2022-+ # Run an SSIS package with the Stored Procedure activity
data-factory How To Schedule Azure Ssis Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-schedule-azure-ssis-integration-runtime.md
ms.devlang: powershell Last updated 02/15/2022--++ # How to start and stop Azure-SSIS Integration Runtime on a schedule
data-factory How To Use Sql Managed Instance With Ir https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-use-sql-managed-instance-with-ir.md
Title: Use Azure SQL Managed Instance with Azure-SQL Server Integration Services (SSIS) in Azure Data Factory description: Learn how to use Azure SQL Managed Instance with SQL Server Integration Services (SSIS) in Azure Data Factory. --++
data-factory Join Azure Ssis Integration Runtime Virtual Network Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/join-azure-ssis-integration-runtime-virtual-network-powershell.md
Last updated 02/15/2022--++
data-factory Join Azure Ssis Integration Runtime Virtual Network Ui https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/join-azure-ssis-integration-runtime-virtual-network-ui.md
Last updated 02/15/2022--++
data-factory Join Azure Ssis Integration Runtime Virtual Network https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/join-azure-ssis-integration-runtime-virtual-network.md
Last updated 02/15/2022--++
data-factory Manage Azure Ssis Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/manage-azure-ssis-integration-runtime.md
Last updated 02/17/2022--++ # Reconfigure the Azure-SSIS integration runtime
data-factory Sap Change Data Capture Data Partitioning Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/sap-change-data-capture-data-partitioning-template.md
Title: SAP change data capture solution (Preview) - data partitioning template description: This topic describes how to use the SAP data partitioning template for SAP change data capture (Preview) in Azure Data Factory.-+ Last updated 06/01/2022-+ # Auto-generate a pipeline from the SAP data partitioning template
data-factory Sap Change Data Capture Data Replication Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/sap-change-data-capture-data-replication-template.md
Title: SAP change data capture solution (Preview) - data replication template description: This topic describes how to use the SAP data replication template for SAP change data capture (Preview) in Azure Data Factory.-+ Last updated 06/01/2022-+ # Auto-generate a pipeline from the SAP data replication template
data-factory Sap Change Data Capture Debug Shir Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/sap-change-data-capture-debug-shir-logs.md
Title: SAP change data capture solution (Preview) - Debug issues using SHIR logs description: This topic describes how to debug issues with Copy activity for SAP change data capture (Preview) using self-hosted integration runtime (SHIR) logs in Azure Data Factory.-+ Last updated 06/01/2022-+ # Debug ADF copy activity issues by sending SHIR logs
data-factory Sap Change Data Capture Introduction Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/sap-change-data-capture-introduction-architecture.md
Title: SAP change data capture solution (Preview) - introduction and architecture description: This topic introduces and describes the architecture for SAP change data capture (Preview) in Azure Data Factory.-+ Last updated 06/01/2022-+ # SAP change data capture (CDC) solution in Azure Data Factory (Preview)
data-factory Sap Change Data Capture Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/sap-change-data-capture-management.md
Title: SAP change data capture solution (Preview) - management description: This article describes how to manage SAP change data capture (Preview) in Azure Data Factory.-+ Last updated 06/01/2022-+ # Management of SAP change data capture (CDC) (Preview) in Azure Data Factory
data-factory Sap Change Data Capture Prepare Linked Service Source Dataset https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/sap-change-data-capture-prepare-linked-service-source-dataset.md
Title: SAP change data capture solution (Preview) - Prepare linked service and dataset description: This article introduces and describes preparation of the linked service and source dataset for SAP change data capture (Preview) in Azure Data Factory.-+ Last updated 06/01/2022-+ # Prepare the SAP ODP linked service and source dataset for the SAP CDC solution in Azure Data Factory (Preview)
data-factory Sap Change Data Capture Prerequisites Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/sap-change-data-capture-prerequisites-configuration.md
Title: SAP change data capture solution (Preview) - prerequisites and configuration description: This topic introduces and describes the prerequisites and configuration of SAP change data capture (Preview) in Azure Data Factory.-+ Last updated 06/01/2022-+ # SAP change data capture (CDC) solution prerequisites and configuration in Azure Data Factory (Preview)
data-factory Sap Change Data Capture Shir Preparation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/sap-change-data-capture-shir-preparation.md
Title: SAP change data capture solution (Preview) - SHIR preparation description: This article introduces and describes preparation of the self-hosted integration runtime (SHIR) for SAP change data capture (Preview) in Azure Data Factory.-+ Last updated 06/01/2022-+ # Self-hosted integration runtime (SHIR) preparation for the SAP change data capture (CDC) solution in Azure Data Factory (Preview)
data-factory Deploy Azure Ssis Integration Runtime Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/scripts/deploy-azure-ssis-integration-runtime-powershell.md
description: This PowerShell script creates an Azure-SSIS integration runtime th
--++ Last updated 10/22/2021
data-factory Self Hosted Integration Runtime Proxy Ssis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/self-hosted-integration-runtime-proxy-ssis.md
description: Learn how to configure a self-hosted integration runtime as a proxy
--++ Last updated 02/16/2022
data-factory Ssis Azure Connect With Windows Auth https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/ssis-azure-connect-with-windows-auth.md
Last updated 02/15/2022
--++
data-factory Ssis Azure Files File Shares https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/ssis-azure-files-file-shares.md
Last updated 02/15/2022
--++
data-factory Ssis Integration Runtime Diagnose Connectivity Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/ssis-integration-runtime-diagnose-connectivity-faq.md
-+ Last updated 02/15/2022
data-factory Ssis Integration Runtime Management Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/ssis-integration-runtime-management-troubleshoot.md
-+ Last updated 02/15/2022
data-factory Ssis Integration Runtime Ssis Activity Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/ssis-integration-runtime-ssis-activity-faq.md
description: "This article provides troubleshooting guidance for SSIS package ex
---+++ Last updated 02/21/2022
data-factory Tutorial Deploy Ssis Packages Azure Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/tutorial-deploy-ssis-packages-azure-powershell.md
ms.devlang: powershell
Last updated 10/22/2021--++ # Set up an Azure-SSIS IR in Azure Data Factory by using PowerShell
data-factory Tutorial Deploy Ssis Packages Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/tutorial-deploy-ssis-packages-azure.md
Last updated 10/22/2021--++ # Provision the Azure-SSIS integration runtime in Azure Data Factory
data-factory Tutorial Deploy Ssis Virtual Network https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/tutorial-deploy-ssis-virtual-network.md
Title: Tutorial to configure Azure-SSIS integration runtime to join a virtual network description: Learn how to configure Azure-SSIS integration runtime to join a virtual network. --++
defender-for-cloud Defender For Kubernetes Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-kubernetes-introduction.md
Title: Microsoft Defender for Kubernetes - the benefits and features description: Learn about the benefits and features of Microsoft Defender for Kubernetes. Previously updated : 05/08/2022 Last updated : 07/05/2022 -- # Introduction to Microsoft Defender for Kubernetes (deprecated)
For a full list of the cluster level alerts, see alerts with "K8S_" prefix in th
- [What happens to subscriptions with Microsoft Defender for Kubernetes or Microsoft Defender for Containers enabled?](#what-happens-to-subscriptions-with-microsoft-defender-for-kubernetes-or-microsoft-defender-for-containers-enabled) - [Is Defender for Containers a mandatory upgrade?](#is-defender-for-containers-a-mandatory-upgrade) - [Does the new plan reflect a price increase?](#does-the-new-plan-reflect-a-price-increase)
+- [How can I calculate my potential price change?](#how-can-i-calculate-my-potential-price-change)
### What happens to subscriptions with Microsoft Defender for Kubernetes or Microsoft Defender for Containers enabled?
If you haven't enabled them yet, or create a new subscription, these plans can n
No. Subscriptions that have either Microsoft Defender for Kubernetes or Microsoft Defender for Containers Registries enabled doesn't need to be upgraded to the new Microsoft Defender for Containers plan. However, they won't benefit from the new and improved capabilities and theyΓÇÖll have an upgrade icon shown alongside them in the Azure portal. ### Does the new plan reflect a price increase?
-No. ThereΓÇÖs no direct price increase. The new comprehensive Container security plan combines Kubernetes protection and container registry image scanning, and removes the previous dependency on the (paid) Defender for Servers plan.
+
+The new comprehensive Container security plan combines Kubernetes protection and container registry image scanning, and removes the previous dependency on the (paid) Defender for Servers plan. Pricing is dependant on your container architecture and coverage. For example, your price may change depending on the number of images in your Container Registry, or the number of Kubernetes nodes among other reasons.
+
+### How can I calculate my potential price change?
+
+In order to help you understand your costs, Defender for Cloud offers the Price Estimation workbook as part of its published Workbooks. The Price Estimation workbook allows you to estimate the expected price for Defender for Cloud plans before enabling them.
+
+Your price is dependant on your container architecture and coverage. For example, your price may change depending on the number of images in your Container Registry, or the number of Kubernetes nodes among other reasons.
+
+You can learn [how to enable and use](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-price-estimation-dashboard/ba-p/3247622) the Price Estimation workbook.
## Next steps
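Review bot: the rewritten answer under "Does the new plan reflect a price increase?" no longer answers the question. The leading "No. There's no direct price increase." was removed and nothing replaces it, so the section now describes what pricing depends on without saying whether the price goes up. Open the answer with an explicit statement (for example, that the price can change in either direction depending on architecture and coverage). The added "How can I calculate my potential price change?" section then repeats the "dependant on your container architecture and coverage" paragraph almost word for word; keep it in one section and link to it from the other. "dependant" should be "dependent" in both added paragraphs.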
defender-for-cloud Upcoming Changes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/upcoming-changes.md
Title: Important changes coming to Microsoft Defender for Cloud description: Upcoming changes to Microsoft Defender for Cloud that you might need to be aware of and for which you might need to plan Previously updated : 06/28/2022 Last updated : 07/05/2022 # Important upcoming changes to Microsoft Defender for Cloud
If you're looking for the latest release notes, you'll find them in the [What's
| Planned change | Estimated date for change | |--|--|
-| [GA support for Arc-enabled Kubernetes clusters](#ga-support-for-arc-enabled-kubernetes-clusters) | July 2022 |
| [Changes to recommendations for managing endpoint protection solutions](#changes-to-recommendations-for-managing-endpoint-protection-solutions) | June 2022 | | [Key Vault recommendations changed to "audit"](#key-vault-recommendations-changed-to-audit) | June 2022 |
-| [Multiple changes to identity recommendations](#multiple-changes-to-identity-recommendations) | July 2022 |
| [Deprecating three VM alerts](#deprecating-three-vm-alerts) | June 2022|
+| [Multiple changes to identity recommendations](#multiple-changes-to-identity-recommendations) | July 2022 |
| [Deprecate API App policies for App Service](#deprecate-api-app-policies-for-app-service) | July 2022 |-
-### GA support for Arc-enabled Kubernetes clusters
-
-**Estimated date for change:** July 2022
-
-Defender for Containers is currently a preview feature for Arc-enabled Kubernetes clusters. In July, Arc-enabled Kubernetes clusters will be charged according to the listing on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/). Customers that already have clusters onboarded to Arc (on the subscription level) will incur charges.
+| [Change in pricing of Runtime protection for Arc-enabled Kubernetes clusters](#change-in-pricing-of-runtime-protection-for-arc-enabled-kubernetes-clusters) | August 2022 |
### Changes to recommendations for managing endpoint protection solutions
The Key Vault recommendations listed here are currently disabled so that they do
| Key Vault secrets should have an expiration date | 14257785-9437-97fa-11ae-898cfb24302b | | Key Vault keys should have an expiration date | 1aabfa0d-7585-f9f5-1d92-ecb40291d9f2 |
+### Deprecating three VM alerts
+
+**Estimated date for change:** June 2022
+
+The following table lists the alerts that will be deprecated during June 2022.
+
+| Alert name | Description | Tactics | Severity |
+|--|--|--|--|
+| **Docker build operation detected on a Kubernetes node** <br>(VM_ImageBuildOnNode) | Machine logs indicate a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection. | Defense Evasion | Low |
+| **Suspicious request to Kubernetes API** <br>(VM_KubernetesAPI) | Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container. | LateralMovement | Medium |
+| **SSH server is running inside a container** <br>(VM_ContainerSSH) | Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached. | Execution | Medium |
+
+These alerts are used to notify a user about suspicious activity connected to a Kubernetes cluster. The alerts will be replaced with matching alerts that are part of the Microsoft Defender for Cloud Container alerts (`K8S.NODE_ImageBuildOnNode`, `K8S.NODE_ KubernetesAPI` and `K8S.NODE_ ContainerSSH`) which will provide improved fidelity and comprehensive context to investigate and act on the alerts. Learn more about alerts for [Kubernetes Clusters](alerts-reference.md).
+ ### Multiple changes to identity recommendations **Estimated date for change:** July 2022
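Review bot: in the closing paragraph of the moved "Deprecating three VM alerts" section, two of the three replacement alert names carry a space inside the code span (`K8S.NODE_ KubernetesAPI` and `K8S.NODE_ ContainerSSH`), while `K8S.NODE_ImageBuildOnNode` in the same sentence has none. Anyone pasting these into an alert filter, suppression rule or SIEM query will likely get a string that matches nothing. The move corrected the "Tactocs" column header but carried these over unchanged, so fix them here. The section also still says the alerts "will be deprecated during June 2022" although the article's Last updated date is now 07/05/2022; state whether the deprecation has happened so teams know which alert names to key their detections on.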
This update, will rename two recommendations, and revise their descriptions. The
|Description|User accounts that have been blocked from signing in, should be removed from your subscriptions. <br> These accounts can be targets for attackers looking to find ways to access your data without being noticed.|User accounts that have been blocked from signing into Active Directory, should be removed from your subscriptions.<br> Learn more about securing the identity perimeter in [Azure Identity Management and access control security best practices](../security/fundamentals/identity-management-best-practices.md).| | Related policy | [Deprecated accounts should be removed from your subscription](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f6b1cbf55-e8b6-442f-ba4c-7246b6381474) | Subscriptions should be purged of accounts that are blocked in Active Directory and have read and write permissions. |
-### Deprecating three VM alerts
-
-**Estimated date for change:** June 2022
-
-The following table lists the alerts that will be deprecated during June 2022.
-
-| Alert name | Description | Tactocs | Severity |
-|--|--|--|--|
-| **Docker build operation detected on a Kubernetes node** <br>(VM_ImageBuildOnNode) | Machine logs indicate a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection. | Defense Evasion | Low |
-| **Suspicious request to Kubernetes API** <br>(VM_KubernetesAPI) | Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container. | LateralMovement | Medium |
-| **SSH server is running inside a container** <br>(VM_ContainerSSH) | Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached. | Execution | Medium |
-
-These alerts are used to notify a user about suspicious activity connected to a Kubernetes cluster. The alerts will be replaced with matching alerts that are part of the Microsoft Defender for Cloud Container alerts (`K8S.NODE_ImageBuildOnNode`, `K8S.NODE_ KubernetesAPI` and `K8S.NODE_ ContainerSSH`) which will provide improved fidelity and comprehensive context to investigate and act on the alerts. Learn more about alerts for [Kubernetes Clusters](alerts-reference.md).
- ### Deprecate API App policies for App Service **Estimated date for change:** July 2022
We will be deprecating the following policies to corresponding policies that alr
| `Ensure that 'Java version' is the latest, if used as a part of the API app` | `App Service apps that use Java should use the latest 'Java version` | | `Latest TLS version should be used in your API App` | `App Service apps should use the latest TLS version` |
+### Change in pricing of runtime protection for Arc-enabled Kubernetes clusters
+
+**Estimated date for change:** August 2022
+
+Runtime protection is currently a preview feature for Arc-enabled Kubernetes clusters. In August, Arc-enabled Kubernetes clusters will be charged for runtime protection. You can view pricing details on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/). Subscriptions with Kubernetes clusters already onboarded to Arc, will begin to incur charges in August.
+ ## Next steps For all recent changes to Defender for Cloud, see [What's new in Microsoft Defender for Cloud?](release-notes.md)
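Review bot: the new "Change in pricing of runtime protection for Arc-enabled Kubernetes clusters" section narrows the scope of the section it replaces without saying so. The removed text stated that "Defender for Containers is currently a preview feature for Arc-enabled Kubernetes clusters" and would be charged, while the new text speaks only of "runtime protection". Say explicitly whether the other Defender for Containers capabilities on Arc-enabled clusters are billed or not, since that is what a subscription owner needs for budgeting. Smaller points: the table row writes "Runtime protection" while the heading writes "runtime protection"; and "Subscriptions with Kubernetes clusters already onboarded to Arc, will begin to incur charges" has a comma between subject and verb.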
defender-for-cloud Update Regulatory Compliance Packages https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/update-regulatory-compliance-packages.md
Microsoft tracks the regulatory standards themselves and automatically improves
## What regulatory compliance standards are available in Defender for Cloud?
-By default, every subscription has the **Azure Security Benchmark** assigned. This is the Microsoft-authored, Azure-specific guidelines for security and compliance best practices based on common compliance frameworks. [Learn more about Azure Security Benchmark](/security/benchmark/azure/introduction).
+By default, every Azure subscription has the **Azure Security Benchmark** assigned. This is the Microsoft-authored, Azure-specific guidelines for security and compliance best practices based on common compliance frameworks. [Learn more about Azure Security Benchmark](/security/benchmark/azure/introduction).
Available regulatory standards:
Available regulatory standards:
- FedRAMP H - FedRAMP M
+By default, every AWS connector subscription has the **AWS Foundational Security Best Practices** assigned. This is the AWS-specific guidelines for security and compliance best practices based on common compliance frameworks.
+
+Available AWS regulatory standards:
+- AWS CIS 1.2.0
+- AWS PCI DSS 3.2.1
+
+By default, every GCP connector subscription has the **GCP Default** assigned. This is the GCP-specific guidelines for security and compliance best practices based on common compliance frameworks.
+
+Available GCP regulatory standards:
+- GCP CIS 1.1.0
+- GCP CIS 1.2.0
+- GCP ISO 27001
+- GCP NIST 800 53
+- PCI DSS 3.2.1
+ > [!TIP] > Standards are added to the dashboard as they become available. The preceding list might not contain recently added standards.
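Review bot: in the added GCP standards list, the last entry is "PCI DSS 3.2.1" with no provider prefix, while every other added entry carries one ("GCP CIS 1.1.0", "AWS PCI DSS 3.2.1"). If the dashboard name is "GCP PCI DSS 3.2.1", use it, so readers can match the list against what they see in the portal. The phrases "every AWS connector subscription" and "every GCP connector subscription" are also ambiguous: it isn't clear whether the default standard is assigned to the Azure subscription that hosts the connector or to each connected AWS or GCP environment, and that determines where a compliance owner should look for the assignment. "This is the AWS-specific guidelines" and the GCP equivalent should read "These are the ... guidelines".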
To add standards to your dashboard:
- The subscription must have Defender for Cloud's enhanced security features enabled - The user must have owner or policy contributor permissions
-### Add a standard
+### Add a standard to your Azure resources
1. From Defender for Cloud's menu, select **Regulatory compliance** to open the regulatory compliance dashboard. Here you can see the compliance standards currently assigned to the currently selected subscriptions.
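Review bot: renaming the heading "Add a standard" to "Add a standard to your Azure resources" changes the generated anchor, so any existing link to `#add-a-standard` in this or other articles will stop resolving. Check inbound links before merging. The prerequisites just above the heading still speak only of "The subscription"; if this section is now Azure-specific, confirm that the owner or policy contributor requirement is worded for Azure only as well.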
defender-for-iot Dell Edge 5200 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/appliance-catalog/dell-edge-5200.md
Continue understanding system requirements for physical or virtual appliances. F
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](../how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](../onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](../how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](../how-to-install-software.md)
defender-for-iot Dell Poweredge R340 Xl Legacy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/appliance-catalog/dell-poweredge-r340-xl-legacy.md
Continue understanding system requirements for physical or virtual appliances. F
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](../how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](../onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](../how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](../how-to-install-software.md)
defender-for-iot Hpe Edgeline El300 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/appliance-catalog/hpe-edgeline-el300.md
Continue understanding system requirements for physical or virtual appliances. F
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](../how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](../onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](../how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](../how-to-install-software.md)
defender-for-iot Hpe Proliant Dl20 Plus Enterprise https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/appliance-catalog/hpe-proliant-dl20-plus-enterprise.md
Continue understanding system requirements for physical or virtual appliances. F
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](../how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](../onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](../how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](../how-to-install-software.md)
defender-for-iot Hpe Proliant Dl20 Plus Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/appliance-catalog/hpe-proliant-dl20-plus-smb.md
Continue understanding system requirements for physical or virtual appliances. F
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](../how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](../onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](../how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](../how-to-install-software.md)
defender-for-iot Hpe Proliant Dl360 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/appliance-catalog/hpe-proliant-dl360.md
Continue understanding system requirements for physical or virtual appliances. F
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](../how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](../onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](../how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](../how-to-install-software.md)
defender-for-iot Neousys Nuvo 5006Lp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/appliance-catalog/neousys-nuvo-5006lp.md
Continue understanding system requirements for physical or virtual appliances. F
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](../how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](../onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](../how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](../how-to-install-software.md)
defender-for-iot Virtual Management Hyper V https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/appliance-catalog/virtual-management-hyper-v.md
Continue understanding system requirements for physical or virtual appliances. F
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](../how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](../onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](../how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](../how-to-install-software.md)
defender-for-iot Virtual Management Vmware https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/appliance-catalog/virtual-management-vmware.md
Continue understanding system requirements for physical or virtual appliances. F
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](../how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](../onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](../how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](../how-to-install-software.md)
defender-for-iot Virtual Sensor Hyper V https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/appliance-catalog/virtual-sensor-hyper-v.md
While a virtual switch doesn't have mirroring capabilities, you can use *Promisc
*Promiscuous mode* is a mode of operation and a security, monitoring, and administration technique that is defined at the virtual switch or portgroup level. When promiscuous mode is used, any of the virtual machineΓÇÖs network interfaces in the same portgroup can view all network traffic that goes through that virtual switch. By default, promiscuous mode is turned off.
-For more information, see [Purdue reference model and Defender for IoT](../plan-network-monitoring.md#purdue-reference-model-and-defender-for-iot).
+For more information, see [Purdue reference model and Defender for IoT](../best-practices/understand-network-architecture.md#purdue-reference-model-and-defender-for-iot).
### Prerequisites
Continue understanding system requirements for physical or virtual appliances. F
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](../how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](../onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](../how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](../how-to-install-software.md)
defender-for-iot Virtual Sensor Vmware https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/appliance-catalog/virtual-sensor-vmware.md
Title: OT sensor VM (VMWare ESXi) - Microsoft Defender for IoT
-description: Learn about deploying a Microsoft Defender for IoT OT sensor as a virtual appliance using VMWare ESXi.
+ Title: OT sensor VM (VMware ESXi) - Microsoft Defender for IoT
+description: Learn about deploying a Microsoft Defender for IoT OT sensor as a virtual appliance using VMware ESXi.
Last updated 04/24/2022
-# OT network sensor VM (VMWare ESXi)
+# OT network sensor VM (VMware ESXi)
-This article describes an OT sensor deployment on a virtual appliance using VMWare ESXi.
+This article describes an OT sensor deployment on a virtual appliance using VMware ESXi.
| Appliance characteristic |Details | |||
While a virtual switch doesn't have mirroring capabilities, you can use *Promisc
*Promiscuous mode* is a mode of operation and a security, monitoring, and administration technique that is defined at the virtual switch or portgroup level. When promiscuous mode is used, any of the virtual machineΓÇÖs network interfaces that are in the same portgroup can view all network traffic that goes through that virtual switch. By default, promiscuous mode is turned off.
-For more information, see [Purdue reference model and Defender for IoT](../plan-network-monitoring.md#purdue-reference-model-and-defender-for-iot).
+For more information, see [Purdue reference model and Defender for IoT](../best-practices/understand-network-architecture.md#purdue-reference-model-and-defender-for-iot).
**To configure a SPAN port with ESXi**:
Continue understanding system requirements for physical or virtual appliances. F
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](../how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](../onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](../how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](../how-to-install-software.md)
defender-for-iot Ys Techsystems Ys Fit2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/appliance-catalog/ys-techsystems-ys-fit2.md
Continue understanding system requirements for physical or virtual appliances. F
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](../how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](../onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](../how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](../how-to-install-software.md)
defender-for-iot Architecture Connections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/architecture-connections.md
While you'll need to migrate your connections before the [legacy version reaches
After migrating, you can remove any relevant IoT Hubs from your subscription as they'll no longer be required for your sensor connections.
-For more information, see [Update a standalone sensor version](how-to-manage-individual-sensors.md#update-a-standalone-sensor-version) and [Migration for existing customers](connect-sensors.md#migration-for-existing-customers).
+For more information, see [Update OT system software](update-ot-software.md) and [Migration for existing customers](connect-sensors.md#migration-for-existing-customers).
## Next steps
defender-for-iot Plan Network Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/best-practices/plan-network-monitoring.md
+
+ Title: Plan your sensor connections for OT monitoring - Microsoft Defender for IoT
+description: Learn about best practices for planning your OT network monitoring with Microsoft Defender for IoT.
+ Last updated : 06/02/2022++
+# Plan your sensor connections for OT monitoring
+
+After you've [understood your network's OT architecture and how the Purdue module applies](understand-network-architecture.md), start planning your sensor connections in a Microsoft Defender for IoT deployment.
++
+## Sensor placement considerations
+
+We recommend that Defender for IoT monitors traffic from Purdue layers 1 and 2. For some architectures, if OT traffic exists on layer 3, Defender for IoT will also monitor layer 3 traffic.
+
+Review your OT and ICS network diagram together with your site engineers to define the best place to connect to Defender for IoT, and where you can get the most relevant traffic for monitoring. We recommend that you meet with the local network and operational teams to clarify expectations. Create lists of the following data about your network:
+
+- Known devices
+- Estimated number of devices
+- Vendors and industrial protocols
+- Switch models and whether they support port mirroring
+- Switch managers, including external resources
+- OT networks on your site
+
+## Multi-sensor deployments
+
+The following table lists best practices when deploying multiple Defender for IoT sensors:
+
+| **Number** | **Meters** | **Dependency** | **Number of sensors** |
+|--|--|--|--|
+| The maximum distance between switches | 80 meters | Prepared Ethernet cable | More than 1 |
+| Number of OT networks | More than 1 | No physical connectivity | More than 1 |
+| Number of switches | Can use RSPAN configuration | Up to eight switches with local span close to the sensor by cabling distance | More than 1 |
++
+## Questions for planning your network connections
+
+While you're reviewing your site architecture to determine whether or not to monitor a specific switch, considering the following questions:
+
+- What is the cost/benefit versus the importance of monitoring this switch?
+
+- If a switch is unmanaged, can you monitor the traffic from a higher-level switch? If the ICS architecture is a [ring topology](sample-connectivity-models.md#sample-ring-topology), only one switch in the ring needs monitoring.
+
+- What is the security or operational risk in the network?
+
+- Can you monitor the switch's VLAN? Is the VLAN visible in another switch that you can monitor?
+
+Other common questions to consider when planning your network connections to Defender for IoT include:
+
+- What are the overall goals of the implementation? Are a complete inventory and accurate network map important?
+
+- Are there multiple or redundant networks in the ICS? Are all the networks being monitored?
+
+- Are there communications between the ICS and the enterprise (business) network? Are these communications being monitored?
+
+- Are VLANs configured in the network design?
+
+- How is maintenance of the ICS performed, with fixed or transient devices?
+
+- Where are firewalls installed in the monitored networks?
+
+- Is there any routing in the monitored networks?
+
+- What OT protocols are active on the monitored networks?
+
+- If we connect to this switch, will we see communication between the HMI and the PLCs?
+
+- What is the physical distance between the ICS switches and the enterprise firewall?
+
+- Can unmanaged switches be replaced with managed switches, or is the use of network TAPs an option?
+
+- Is there any serial communication in the network? If yes, show it on the network diagram.
+
+- If the Defender for IoT appliance should be connected to that switch, is there physical available rack space in that cabinet?
+
+## Next steps
+
+After you've understood your own network's OT architecture and planned out your deployment, learn more about methods for traffic mirroring and passive or active monitoring, and browse sample connectivity methods.
+
+For more information, see:
+
+- [Traffic mirroring methods for OT monitoring](traffic-mirroring-methods.md)
+- [Sample OT network connectivity models](sample-connectivity-models.md)
+
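Review bot: The Next steps paragraph mentions understanding your network's OT architecture as plain text, while the same paragraph in the sibling articles links it to understand-network-architecture.md; add the link here too. In the question list, "is there physical available rack space in that cabinet?" reads better as "is there available physical rack space in that cabinet?", and "If we connect to this switch" switches to first person where the rest of the list addresses the reader as "you".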
defender-for-iot Sample Connectivity Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/best-practices/sample-connectivity-models.md
+
+ Title: Sample OT network connectivity models - Microsoft Defender for IoT
+description: This article describes sample connectivity methods for Microsoft Defender for IoT OT sensor connections.
Last updated : 06/02/2022+++
+# Sample OT network connectivity models
+
+This article provides sample network models for Microsoft Defender for IoT sensor connections.
+
+## Sample: Ring topology
+
+The following diagram shows an example of a ring network topology, in which each switch or node connects to exactly two other switches, forming a single continuous pathway for the traffic.
++
+## Sample: Linear bus and star topology
+
+In a star network, every host is connected to a central hub. In its simplest form, one central hub acts as a conduit to transmit messages. In the following example, lower switches aren't monitored, and traffic that remains local to these switches won't be seen. Devices might be identified based on ARP messages, but connection information will be missing.
++
+## Sample: Multi-layer, multi-tenant network
+
+The following diagram is a general abstraction of a multilayer, multitenant network, with an expansive cybersecurity ecosystem typically operated by an SOC and MSSP.
+
+Typically, NTA sensors are deployed in layers 0 to 3 of the OSI model.
++
+## Next steps
+
+After you've [understood your own network's OT architecture](understand-network-architecture.md) and [planned out your deployment](plan-network-monitoring.md), learn more about methods for traffic mirroring and passive or active monitoring.
+
+For more information, see:
+
+- [Traffic mirroring methods for OT monitoring](traffic-mirroring-methods.md)
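Review bot: "Typically, NTA sensors are deployed in layers 0 to 3 of the OSI model" in the multi-layer section names a layer the OSI model does not have (it runs from 1 to 7); if the Purdue model levels 0 to 3 described in understand-network-architecture.md are meant, say so. NTA, SOC and MSSP are also used without expansion, and the "Linear bus and star topology" section describes only the star case, so either add a sentence on the linear bus or drop it from the heading.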
defender-for-iot Traffic Mirroring Methods https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/best-practices/traffic-mirroring-methods.md
+
+ Title: Traffic mirroring methods - Microsoft Defender for IoT
+description: This article describes traffic mirroring methods for OT monitoring with Microsoft Defender for IoT.
Last updated : 06/02/2022+++
+# Traffic mirroring methods for OT monitoring
+
+This article describes traffic mirroring methods for OT monitoring with Microsoft Defender for IoT.
+
+To see only relevant information for traffic analysis, you need to connect Defender for IoT to a mirroring port on a switch or a TAP that includes only industrial ICS and SCADA traffic.
+
+For example:
++
+You can monitor switch traffic using a switch SPAN port, by report SPAN (RSPAN), or active and passive aggregation TAP. Use the following tabs to learn more about each method.
+
+> [!NOTE]
+> SPAN and RSPAN are Cisco terminology. Other brands of switches have similar functionality but might use different terminology.
+>
+
+## Switch SPAN port
+
+A switch port analyzer mirrors local traffic from interfaces on the switch to interface on the same switch. Considerations for switch SPAN ports include:
+
+- Verify that the relevant switch supports the port mirroring function.
+
+- The mirroring option is disabled by default.
+
+- We recommend that you configure all of the switch's ports, even if no data is connected to them. Otherwise, a rogue device might be connected to an unmonitored port, and it wouldn't be alerted on the sensor.
+
+- On OT networks that utilize broadcast or multicast messaging, configure the switch to mirror only RX (Receive) transmissions. Otherwise, multicast messages will be repeated for as many active ports, and the bandwidth is multiplied.
+
+For example, use the following configurations to set up a switch SPAN port for a Cisco 2960 switch with 24 ports running IOS.
+
+> [!NOTE]
+> The configuration samples below are intended only as guidance and not as instructions. Mirror ports on other Cisco operating systems and other switch brands are configured differently.
+
+**On a SPAN port configuration terminal**:
+
+```cli
+Cisco2960# configure terminal
+Cisco2960(config)# monitor session 1 source interface fastehernet 0/2 - 23 rx
+Cisco2960(config)# monitor session 1 destination interface fastethernet 0/24
+Cisco2960(config)# end
+Cisco2960# show monitor 1
+Cisco2960# running-copy startup-config
+```
+
+**In the configuration user interface**
+
+1. Enter global configuration mode.
+1. Configure first 23 ports as session source (mirror only RX packets).
+1. Configure port 24 to be a session destination.
+1. Return to privileged EXEC mode.
+1. Verify the port mirroring configuration.
+1. Save the configuration.
+
+### Monitoring multiple VLANs
+
+Defender for IoT allows monitoring VLANs configured in your network without any extra configuration, as long as the network switch is configured to send VLAN tags to Defender for IoT.
+
+For example, the following commands must be configured on a Cisco switch to support monitoring VLANs in Defender for IoT:
+
+**Monitor session**: This command is responsible for the process of sending VLANs to the SPAN port.
+
+```cli
+monitor session 1 source interface Gi1/2
+monitor session 1 filter packet type good Rx
+monitor session 1 destination interface fastEthernet1/1 encapsulation dot1q
+```
+
+**Monitor Trunk Port F.E. Gi1/1**: VLANs are configured on the trunk port.
+
+```cli
+interface GigabitEthernet1/1
+switchport trunk encapsulation dot1q
+switchport mode trunk
+```
+
+## Remote SPAN (RSPAN)
+
+A remote SPAN (RSPAN) session mirrors traffic from multiple distributed source ports into a dedicated remote VLAN. The data in the VLAN is then delivered through trunked ports across multiple switches to a specific switch that contains the physical destination port. This port connects to the Defender for IoT platform.
+
+Consider the following when configuring RSPAN:
+
+- RSPAN is an advanced feature that requires a special VLAN to carry the traffic that SPAN monitors between switches. Make sure that your switch supports RSPAN.
+- The mirroring option is disabled by default.
+- The remote VLAN must be allowed on the trunked port between the source and destination switches.
+- All switches that connect the same RSPAN session must be from the same vendor.
+- Make sure that the trunk port that's sharing the remote VLAN between the switches isn't defined as a mirror session source port.
+- The remote VLAN increases the bandwidth on the trunked port by the size of the mirrored session's bandwidth. Verify that the switch's trunk port supports the increased bandwidth.
+
+The following diagram shows an example of a remote VLAN architecture:
++
+For example, use the following steps to set up an RSPAN for a Cisco 2960 switch with 24 ports running IOS.
+
+**To configure the source switch**:
+
+1. Enter global configuration mode.
+
+1. Create a dedicated VLAN.
+
+1. Identify the VLAN as the RSPAN VLAN.
+
+1. Return to "configure terminal" mode.
+
+1. Configure all 24 ports as session sources.
+
+1. Configure the RSPAN VLAN to be the session destination.
+
+1. Return to privileged EXEC mode.
+
+1. Verify the port mirroring configuration.
+
+**To configure the destination switch**:
+
+1. Enter global configuration mode.
+
+1. Configure the RSPAN VLAN to be the session source.
+
+1. Configure physical port 24 to be the session destination.
+
+1. Return to privileged EXEC mode.
+
+1. Verify the port mirroring configuration.
+
+1. Save the configuration.
+
+## Active and passive aggregation (TAP)
+
+An active or passive aggregation TAP is installed inline to the network cable and duplicates both RX and TX to the monitoring sensor.
+
+The terminal access point (TAP) is a hardware device that allows network traffic to flow from port A to port B, and from port B to port A, without interruption. It creates an exact copy of both sides of the traffic flow, continuously, without compromising network integrity. Some TAPs aggregate transmit and receive traffic by using switch settings if desired. If aggregation isn't supported, each TAP uses two sensor ports to monitor send and receive traffic.
+
+The advantages of TAPs include:
+
+- TAPs are hardware-based and can't be compromised
+- TAPs pass all traffic, even damaged messages, which the switches often drop
+- TAPs aren't processor sensitive, so packet timing is exact where switches handle the mirror function as a low-priority task that can affect the timing of the mirrored packets
+
+For forensic purposes, a TAP is the best device.
+
+TAP aggregators can also be used for port monitoring. These devices are processor-based and aren't as intrinsically secure as hardware TAPs, and therefore might not reflect exact packet timing.
+
+The following diagram shows an example of a network setup with an active and passive TAP:
++
+### Common TAP models
+
+The following TAP models have been tested for compatibility with Defender for IoT. Other vendors and models might also be compatible.
+
+- **Garland P1GCCAS**
+
+ :::image type="content" source="../media/how-to-set-up-your-network/garland-p1gccas-v2.png" alt-text="Screenshot of Garland P1GCCAS." border="false":::
+
+ When using a Garland TAP, make sure jumpers are set as follows:
+
+ :::image type="content" source="../media/how-to-set-up-your-network/jumper-setup-v2.jpg" alt-text="Screenshot of US Robotics switch.":::
+
+- **IXIA TPA2-CU3**
+
+ :::image type="content" source="../media/how-to-set-up-your-network/ixia-tpa2-cu3-v2.png" alt-text="Screenshot of IXIA TPA2-CU3." border="false":::
+
+- **US Robotics USR 4503**
+
+ :::image type="content" source="../media/how-to-set-up-your-network/us-robotics-usr-4503-v2.png" alt-text="Screenshot of US Robotics USR 4503.":::
+
+ When using a US Robotics TAP, make sure **Aggregation mode** is active.
++
+## Next steps
+
+After you've [understood your own network's OT architecture](understand-network-architecture.md) and [planned out your deployment](plan-network-monitoring.md), learn more about sample connectivity methods and active or passive monitoring.
+
+For more information, see:
+
+- [Sample OT network connectivity models](sample-connectivity-models.md)
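Review bot: The SPAN sample for the Cisco 2960 will not paste cleanly: "fastehernet" in the source line is misspelled, "show monitor 1" is missing the "session" keyword of the usual IOS form, and "running-copy startup-config" should be "copy running-config startup-config". The labels around it also look mismatched, since the numbered list under "In the configuration user interface" only narrates the CLI commands above it, and the list says "first 23 ports" where the command mirrors 0/2 - 23. Elsewhere in the file: the intro says "report SPAN (RSPAN)" where the section heading says Remote SPAN; the VLAN example sends to fastEthernet1/1 but the trunk block configures GigabitEthernet1/1 under a label reading "F.E. Gi1/1"; the RSPAN steps have no commands to match the SPAN section; "TAPs are hardware-based and can't be compromised" is stronger than the text supports; and the jumper image under Garland P1GCCAS carries the alt text "Screenshot of US Robotics switch".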
defender-for-iot Understand Network Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/best-practices/understand-network-architecture.md
+
+ Title: Understand your OT network architecture - Microsoft Defender for IoT
+description: Describes the Purdue reference module in relation to Microsoft Defender for IoT to help you understand more about your own OT network architecture.
Last updated : 06/02/2022+++
+# Understand your OT network architecture
+
+When planning your network monitoring, you must understand your system network architecture and how it will need to connect to Defender for IoT. Also, understand where each of your system elements falls in the Purdue Reference model for Industrial Control System (ICS) OT network segmentation.
+
+Defender for IoT network sensors receive traffic from multiple sources, either by switch mirror ports (SPAN ports) or network TAPs. The network sensor's management port connects to the business, corporate, or sensor management network for network management from the Azure portal or an on-premises management system.
+
+For example:
++
+## Purdue reference model and Defender for IoT
+
+The Purdue Reference Model is a model for Industrial Control System (ICS)/OT network segmentation that defines six layers, components and relevant security controls for those networks.
+
+Each device type in your OT network falls in a specific level of the Purdue model. The following image shows how devices in your network spread across the Purdue model and connect to Defender for IoT services.
++
+The following table describes each level of the Purdue model when applied to Defender for IoT devices:
+
+|Name |Description |
+|||
+|**Level 0**: Cell and area | Level 0 consists of a wide variety of sensors, actuators, and devices involved in the basic manufacturing process. These devices perform the basic functions of the industrial automation and control system, such as: <br><br>- Driving a motor<br>- Measuring variables<br>- Setting an output<br>- Performing key functions, such as painting, welding, and bending |
+| **Level 1**: Process control | Level 1 consists of embedded controllers that control and manipulate the manufacturing process whose key function is to communicate with the Level 0 devices. In discrete manufacturing, those devices are programmable logic controllers (PLCs) or remote telemetry units (RTUs). In process manufacturing, the basic controller is called a distributed control system (DCS). |
+|**Level 2**: Supervisory | Level 2 represents the systems and functions associated with the runtime supervision and operation of an area of a production facility. These usually include the following: <br><br>- Operator interfaces or human-machine interfaces (HMIs) <br>- Alarms or alerting systems <br> - Process historian and batch management systems <br>- Control room workstations <br><br>These systems communicate with the PLCs and RTUs in Level 1. In some cases, they communicate or share data with the site or enterprise (Level 4 and Level 5) systems and applications. These systems are primarily based on standard computing equipment and operating systems (Unix or Microsoft Windows). |
+|**Levels 3 and 3.5**: Site-level and industrial perimeter network | The site level represents the highest level of industrial automation and control systems. The systems and applications that exist at this level manage site-wide industrial automation and control functions. Levels 0 through 3 are considered critical to site operations. The systems and functions that exist at this level might include the following: <br><br>- Production reporting (for example, cycle times, quality index, predictive maintenance) <br>- Plant historian <br>- Detailed production scheduling<br>- Site-level operations management <br>-0 Device and material management <br>- Patch launch server <br>- File server <br>- Industrial domain, Active Directory, terminal server <br><br>These systems communicate with the production zone and share data with the enterprise (Level 4 and Level 5) systems and applications. |
+|**Levels 4 and 5**: Business and enterprise networks | Level 4 and Level 5 represent the site or enterprise network where the centralized IT systems and functions exist. The IT organization directly manages the services, systems, and applications at these levels. |
+
+## Next steps
+
+After you've understood your own OT network architecture, learn more about how to plan your Defender for IoT deployment in your network. Continue with [Plan your sensor connections](plan-network-monitoring.md).
+
+For more information, see:
+
+- [Traffic mirroring methods for OT monitoring](traffic-mirroring-methods.md)
+- [Sample OT network connectivity models](sample-connectivity-models.md)
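Review bot: The description metadata says "Purdue reference module" where the body says Purdue Reference Model, and the Levels 3 and 3.5 row has a stray character in "-0 Device and material management" that will break that bullet. The Level 2 row describes Level 4 and Level 5 as "site or enterprise" systems while the Levels 3 and 3.5 row treats site as Level 3; pick one usage. The table intro "when applied to Defender for IoT devices" would be clearer as devices in your OT network, since the rows describe plant equipment rather than sensors.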
defender-for-iot Concept Supported Protocols https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/concept-supported-protocols.md
Title: Protocols supported by Microsoft Defender for IoT description: Learn about protocols that are supported by Microsoft Defender for IoT. Previously updated : 03/16/2022 Last updated : 06/02/2022
Defender for IoT can detect the following protocols when identifying assets and
|**Toshiba** |Toshiba Computer Link | |**Yokogawa** | Centum ODEQ (Centum / ProSafe DCS)<br> HIS Equalize<br> Vnet/IP | -
-## Supported protocols for active monitoring
-
-Defender for IoT can detect the following protocols using active monitoring, such as ping sweeps and queries:
--
-|Brand / Vendor |Protocols |
-|||
-|**IETF** | Ping Sweep <br>SNMP Network Layout Query<br>SNMP Query |
-|**Microsoft** | Windows WMI Query (req. WMI/WinRM): hardware, BIOS, version, software, patches |
-|**Rockwell Automation** | ENIP Query<br> ENIP Scan<br> EtherNet/IP CIP (CIP Query) |
-|**Siemens** | Siemens S7 |
-- ## Don't see your protocol here?
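Review bot: Removing the "Supported protocols for active monitoring" table drops the list of active query types (ping sweep, SNMP, WMI, ENIP/CIP, Siemens S7), and the active monitoring articles added in this update cover only Windows Endpoint Monitoring over WMI and reverse DNS lookup. If the other methods are no longer supported, say so in the article; if they are, link to where they are now documented.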
defender-for-iot Configure Active Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/configure-active-monitoring.md
+
+ Title: Configure active monitoring for OT networks - Microsoft Defender for IoT
+description: Describes the available methods for configuring active monitoring on your OT network with Microsoft Defender for IoT.
Last updated : 06/02/2022+++
+# Configure active monitoring for OT networks
+
+This article describes how to configure active monitoring on OT networks with Microsoft Defender for IoT, including methods for Windows Event monitoring and reverse DNS lookup.
+
+## Plan your active monitoring
+
+> [!IMPORTANT]
+> Active monitoring runs detection activity directly in your network and may cause some downtime. Take care when configuring active monitoring so that you only scan necessary resources.
+
+When planning active monitoring:
+
+- **Verify the following questions**:
+
+ - Can the devices you want to scan be discovered by the default Defender for IoT monitoring? If so, active monitoring may be unnecessary.
+ - Are you able to run active queries on your network and on the devices you want to scan? To make sure, try running an active query on a staging environment.
+
+ Use the answers to these questions to determine exactly which sites and address ranges you want to monitor.
+
+- **Identify maintenance windows** where you can schedule active monitoring intervals safely.
+
+- **Identify active monitoring owners**, which are personnel who can supervise the active monitoring activity and stop the monitoring process if needed.
+
+- **Determine which active monitoring method to use**:
+
+ - Use [Windows Endpoint Monitoring](configure-windows-endpoint-monitoring.md) to monitor WMI events
+ - Use [DNS lookup](configure-reverse-dns-lookup.md) for device data enrichment
+
+## Configure network access
+
+Before you can configure active monitoring, you must also configure your network to allow the sensor's management port IP address access to the OT network where your devices reside.
+
+For example, the following image highlights in grey the extra network access you must configure from the management interface to the OT network.
+++
+## Next steps
+
+Use one of the following procedures to configure active monitoring in your OT network:
+
+- [Configure Windows Endpoint monitoring](configure-windows-endpoint-monitoring.md)
+- [Configure DNS servers for reverse lookup resolution for OT monitoring](configure-reverse-dns-lookup.md)
+
+For more information, see:
+
+- [View your device inventory from a sensor console](how-to-investigate-sensor-detections-in-a-device-inventory.md)
+- [View your device inventory from the Azure portal](how-to-manage-device-inventory-for-organizations.md)
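Review bot: "Configure network access" tells the reader to allow the sensor's management port IP address access to the OT network but gives no scope, which matters for a rule that crosses from the management network into the OT network: limit it to the address ranges chosen in the planning step and to the ports the selected method needs, with a pointer to the firewall rule in configure-windows-endpoint-monitoring.md. The intro says "Windows Event monitoring" where every other reference is Windows Endpoint Monitoring, "Verify the following questions" would read better as "Answer the following questions", and the IMPORTANT note warns of possible downtime without saying how an owner stops a running scan.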
defender-for-iot Configure Reverse Dns Lookup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/configure-reverse-dns-lookup.md
+
+ Title: Configure reverse DNS lookup for OT active monitoring - Microsoft Defender for IoT
+description: This article describes how to configure reverse DNS lookup for active monitoring with Microsoft Defender for IoT.
Last updated : 06/02/2022+++
+# Configure DNS servers for reverse lookup resolution for OT monitoring
+
+This procedure describes how to enhance device data enrichment in Microsoft Defender for IoT by configuring multiple DNS servers to carryout reverse lookups.
+
+Use reverse DNS lookup to resolve host names or FQDNs associated with the IP addresses detected in network subnets. For example, if a sensor discovers an IP address, it might query multiple DNS servers to resolve the host name. Host names appear in the Defender for IoT device inventory, device map, and reports.
+
+All CIDR formats are supported.
+
+## Define DNS servers
+
+1. On your sensor console, select **System settings**> **Network monitoring** and under **Active Discovery**, select **Reverse DNS Lookup**.
+
+1. Use the **Schedule Reverse Lookup** options to define your scan as in fixed intervals, per hour, or at a specific time.
+
+ If you select **By specific times**, use a 24-hour clock, such as **14:30** for **2:30 PM**. Select the **+** button on the side to add additional, specific times that you want the lookup to run.
+
+1. Select **Add DNS Server**, and then populate your fields as needed to define the following fields:
+
+ - **DNS server address**, which is the DNS server IP address
+ - **DNS server port**
+ - **Number of labels**, which is the number of domain labels you want to display. To get this value, resolve the network IP address to device FQDNs. You can enter up to 30 characters in this field.
+ - **Subnets**, which is the subnets that you want to the DNS server to query
+
+1. Toggle on the **Enabled** option at the top to start the reverse lookup query as scheduled, and then select **Save** to finish the configuration.
+
+## Test the DNS configuration
+
+Use a test device to verify that the reverse DNS lookup settings you'd defined work as expected.
+
+1. On your sensor console, select **System settings**> **Network monitoring** and under **Active Discovery**, select **Reverse DNS Lookup**.
+
+1. Make sure that the **Enabled** toggle is selected.
+
+1. Select **Test**.
+
+1. In the **DSN reverse lookup test for server** dialog, enter an address in the **Lookup Address** and then select **Test**.
+
+## Next steps
+
+Learn more about active monitoring options. For more information, see:
+
+- [Configure active monitoring for OT networks](configure-active-monitoring.md)
+- [Configure Windows Endpoint monitoring](configure-windows-endpoint-monitoring.md)
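Review bot: In the test procedure the dialog is named "DSN reverse lookup test for server"; unless the product UI really has that spelling it should be DNS. Also "carryout" in the opening sentence should be "carry out", "the subnets that you want to the DNS server to query" has an extra "to", and the Number of labels bullet mixes a label count with "up to 30 characters" without showing what a typical value looks like. "All CIDR formats are supported" floats before any field that takes a CIDR; move it under the Subnets bullet.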
defender-for-iot Configure Windows Endpoint Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/configure-windows-endpoint-monitoring.md
+
+ Title: Configure Windows Endpoint Monitoring for OT active monitoring - Microsoft Defender for IoT
+description: This article describes how to configure Windows Endpoint Monitoring with active monitoring with Microsoft Defender for IoT.
Last updated : 06/02/2022+++
+# Configure Windows Endpoint monitoring
+
+This article describes how to configure Windows Endpoint Monitoring (WEM) to have Microsoft Defender for IoT selectively and actively probe Windows systems.
+
+WEM can provide more focused and accurate information about your Windows devices, such as service pack levels.
+
+## Supported protocols
+
+Currently the only protocol supported for Windows Endpoint Monitoring with Defender for IoT is WMI, Microsoft's standard scripting language for managing Windows systems.
+
+## Prerequisites
+
+Make sure that you've completed the prerequisites listed in [Configure active monitoring for OT networks](configure-active-monitoring.md), and have confirmed that active monitoring is right for your network.
++
+Before you can configure a WEM scan from your OT sensor console, you'll also need to configure a firewall rule, and WMI domain scanning on your Windows machine.
+
+## Configure the required firewall rule
+
+Configure a firewall rule that opens outgoing traffic from the sensor to the scanned subnet by using UDP port 135 and all TCP ports above 1024.
+
+## Configure WMI domain scanning
+
+Before you can configure a WEM scan from your sensor, you need to configure WMI domain scanning on the Windows machine you'll be scanning. <!--where are these procedures being performed?-->
+
+This procedure describes how to configure WMI scanning using a Group Policy Object (GPO), updating your firewall settings, defining permissions for your WMI namespace, and defining a local group.
+
+### Prerequisites for WMI domain scanning
+
+- Make sure that the Windows Management Instrumentation service (**winmgmt**) is in the automatic start mode.
+- Create a user named **wmiuser**. Make sure this user is a member of the Domain users on your Windows machine.
+
+### Configure a Group Policy Object (GPO)
+
+1. On your Windows machine, [create a new GPO](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object) named **WMIAccess**.
+
+1. Right-click your new **WMIAccess** GPO and select **Edit**.
+
+1. In the **Group Policy Management Editor** window, select **Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options**.
+
+1. Navigate to and double-click the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy to open the properties window to the **Template Security Policy Setting** tab.
+
+ Use the following steps to configure access for this policy:
+
+ 1. Select **Edit Security** and then in the **Access Permission** dialog, select **Add**.
+
+ 1. In the **Enter the object names to select** box, enter **wmiuser**. Select **Check Names** to verify the setting, and then select **OK**.
+
+ The **wmiuser (wmiuser@DOMAIN.local)** is now listed in the **Access Permission** dialog.
+
+ 1. In the **Access Permission** dialog:
+
+ 1. In the **Group or user names** list, select **wmiuser**
+ 1. In the **Permissions for ANONYMOUS LOGON** box below, select **Allow** for both **Local Access** and **Remote Access**.
+
+ Select **OK** to close the **Access Permissions** dialog.
+
+1. Back in the **Group Policy Management Editor** window, make sure that you have **Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options** selected.
+
+1. Navigate to and double-click the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy to open the properties window to the **Template Security Policy Setting** tab.
+
+ Use the following steps to configure access for this policy:
+
+ 1. Select **Edit Security** and then in the **Access Permission** dialog, select **Add**.
+
+ 1. In the **Enter the object names to select** box, enter **wmiuser**. Select **Check Names** to verify the setting, and then select **OK**.
+
+ The **wmiuser (wmiuser@DOMAIN.local)** is now listed in the **Access Permission** dialog.
+
+ 1. In the **Access Permission** dialog:
+
+ 1. In the **Group or user names** list, select **wmiuser**
+ 1. In the **Permissions for Administrators** box below, select **Allow** for the **Local Launch**, **Remote Launch**, **Local Activation**, and **Remote Activation** options.
+
+ Select **OK** to close the **Access Permissions** dialog.
+
+### Configure your firewall
+
+1. Navigate back to your **WMIAccess** GPO you'd created [earlier](#configure-a-group-policy-object-gpo), and select **Edit**.
+
+1. In the **Group Policy Management Editor** dialog, go to **Computer Configuration > Windows Settings > Security Settings** and expand the **Windows Defender Firewall with Advanced Security** node.
+
+1. Under **Windows Defender Firewall with Advanced Security**, right-click **Inbound Rules** and select **New Rule...**
+
+1. In the **New Inbound Rule Wizard**, select **Predefined** and then select **Windows Management Instrumentation** from the drop-down menu.
+
+1. Select **Next** to continue. In the **Predefined Rules** pane, make sure that all rules in the **Rules** box are selected.
+
+1. Select **Next** to continue, and then select **Allow the connection** > **Finish**.
+
+### Configure permissions for your WMI namespace
+
+This procedure describes how to define permissions for your WMI namespace, and cannot be completed with a regular GPO.
+
+If you'll be using a non-admin account to run your WEM scans, this procedure is critical and must be performed exactly as instructed to allow sign-in attempts using WMI.
+
+1. On your Windows machine, open a **Run** dialog and enter **wmimgmt.msc**.
+
+1. In the **wmimgmt - [Console Root\WMI Control (Local)]** dialog, right-click **WMI Control (Local)** and select **Properties**.
+
+1. In the **WMI Control (Local) Properties** dialog, select the **Security** tab > **Root** > **Security**.
+
+1. In the **Security for ROOT\SECURITY** dialog, make sure that the **wmiuser** account is listed in the **Group or user names** box:
+
+ 1. Select **Add**, and in the **Enter the object names to select** box, enter **wmiuser**.
+ 1. Select **Check Names** > **OK**.
+
+1. In the **Group or user names** box, select the **wmiuser** account. In the **Permissions for Authenticated Users** box below, select **Allow** for the following permissions:
+
+ - **Execute Methods**
+ - **Enable Account**
+ - **Remote Enable**
+ - **Read Security**
+
+1. In the **Security for ROOT\SECURITY** dialog, select **Advanced**. Then, in the **Advanced Security Settings for Root** dialog, select the **wmiuser** account > **Edit**.
+
+1. In the **Permissions Entry for Root** dialog, from the **Apply To** drop-down menu, select **This namespace and all subnamespaces**.
+
+ > [!NOTE]
+ > You must apply permissions recursively to the entire tree.
+ >
+
+1. Select **OK** until all dialog boxes you'd opened in this procedure are closed.
+
+### Add your wmiuser account to the local Performance Log Users group
+
+1. Sign in to your Windows machine with a user you know is part of the **Performance Log Users** group.
+
+1. Open a **Run** dialog and enter **compmgmt.msc**.
+
+1. In the **Computer Management** dialog, select **Computer Management (Local) > System Tools > Local Users and Groups > Groups** and double-click **Performance Log Users**.
+
+1. Select **Add** and then, in the **Enter the object names to select**, enter **wmiuser** to add the **wmiuser** to the group. Select **Check Names** and then **OK** until all dialog boxes you'd opened in this procedure are closed.
++
+## Configure a WEM scan on your sensor console
+
+**To configure a WEM scan**:
+
+1. On your OT sensor console, select **System settings**> **Network monitoring** > **Active discovery** > **Windows Endpoint Monitoring (WMI)**.
+
+1. In the **Edit scan ranges configuration** section, enter the ranges you want to scan and add the username and password required to access those resources.
+
+ - We recommend enter values with domain or local administrator privileges for the best scanning results.
+ - Select **Import ranges** to import a CSV file with a set of ranges you want to scan. Make sure your CSV file includes the following data: **FROM**, **TO**, **USER**, **PASSWORD**, **DISABLE**, where **DISABLE** is defined as **TRUE**/**FALSE**.
+ - To get a csv list of all ranges currently configured for WEM scans, select **Export ranges**.
+
+1. In the **Scan will run** area, define whether you want to run the scan in in intervals, every few hours, or by a specific time. If you select **By specific time**, an additional **Add scan time** option appears, which you can use to configure several scans running at specific times.
+
+ While you can configure your WEM scan to run as often as you like, only one WEM scan can run at a time.
+
+1. Select **Save** and then do one of the following:
+
+ - To run your scan manually now, select **Apply changes** > **Manually scan**.
+
+ - To let your scan run later as configured, select **Apply changes** and then close the pane as needed.
+
+**To view scan results:**
+
+1. When your scan is finished, go back to the **System settings**> **Network monitoring** > **Active discovery** > **Windows Endpoint Monitoring (WMI)** page on your sensor console.
+
+1. Select **View Scan Results**. A .csv file with the scan results is downloaded to your computer.
+
+## Next steps
+
+Learn more about active monitoring options. For more information, see:
+
+- [Configure active monitoring for OT networks](configure-active-monitoring.md)
+- [Configure DNS servers for reverse lookup resolution for OT monitoring](configure-reverse-dns-lookup.md)
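Review bot: In the GPO and WMI namespace steps the permissions box is named for a principal other than the one just selected: "Permissions for ANONYMOUS LOGON", "Permissions for Administrators" and "Permissions for Authenticated Users" each follow "select wmiuser", so a reader matching labels could grant remote access to the wrong principal; the label should read Permissions for wmiuser in all three places. The Machine Launch Restrictions steps also reuse the "Access Permission" dialog name from the previous policy. The sensor step "We recommend enter values with domain or local administrator privileges" is ungrammatical and sits oddly beside a procedure built around a non-admin wmiuser account, and the import CSV carries a PASSWORD column with no guidance on protecting or deleting the file. Smaller items: the authoring comment "<!--where are these procedures being performed?-->" is still in the text, WMI is described as a "scripting language", the firewall rule names UDP port 135 (please confirm TCP is not meant), the namespace dialog is "ROOT\SECURITY" in one step and "Root" in the next, and "in in intervals" has a doubled word.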
defender-for-iot Connect Sensors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/connect-sensors.md
Title: Connect OT sensors to Microsoft Defender for IoT in the cloud description: Learn how to connect your Microsoft Defender for IoT OT sensors to the cloud Previously updated : 03/13/2022 Last updated : 06/02/2022 # Connect your OT sensors to the cloud
Before you start, make sure that you have:
- **IoT Hub**: `*.azure-devices.net` - **Threat Intelligence**: `*.blob.core.windows.net` - **EventHub**: `*.servicebus.windows.net`
+ - **Microsoft Download Center**: `download.microsoft.com`
> [!IMPORTANT] > Microsoft Defender for IoT does not offer support for Squid or any other proxy services. It is the customer's responsibility to set up and maintain the proxy service.
Use the following procedure to create a scale set to use with your sensor connec
acl allowed_http_sites dstdomain .azure-devices.net acl allowed_http_sites dstdomain .blob.core.windows.net acl allowed_http_sites dstdomain .servicebus.windows.net
+ acl allowed_http_sites dstdomain .download.microsoft.com
http_access allow allowed_http_sites # allowlisting acl SSL_ports port 443
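Review bot: the added ACL line uses `.download.microsoft.com` with a leading dot, which in a Squid `dstdomain` ACL matches the domain and every subdomain, while the endpoint lists in this article give the exact host `download.microsoft.com` with no wildcard. Suggest `acl allowed_http_sites dstdomain download.microsoft.com` so the proxy allowlist is no wider than the documented requirement. The leading dot is correct for the three entries above it because those endpoints are documented with `*.` wildcards.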
This procedure describes how to install and configure a connection between your
- **IoT Hub**: `*.azure-devices.net` - **Threat Intelligence**: `*.blob.core.windows.net` - **Eventhub**: `*.servicebus.windows.net`
+ - **Microsoft download site**: `download.microsoft.com`
> [!IMPORTANT] > Some organizations must define firewall rules by IP addresses. If this is true for your organization, it's important to know that the Azure public IP ranges are updated weekly.
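Review bot: the added bullet labels the endpoint "Microsoft download site", while the other three endpoint lists touched in this article label the same host "Microsoft Download Center". Suggest using one label throughout so readers building a single firewall rule set can see that these are the same requirement.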
This section describes what you need to configure a direct sensor connection to
- **IoT Hub**: `*.azure-devices.net` - **Threat Intelligence**: `*.blob.core.windows.net` - **Eventhub**: `*.servicebus.windows.net`
+ - **Microsoft Download Center**: `download.microsoft.com`
1. Azure public IP addresses are updated weekly. If you must define firewall rules based on IP addresses, make sure to download the new JSON file each week and make the required changes on your site to correctly identify services running in Azure. You'll need the updated IP ranges for **AzureIoTHub**, **Storage**, and **EventHub**. See the [latest IP ranges](https://www.microsoft.com/en-us/download/details.aspx?id=56519).
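Review bot: the new `download.microsoft.com` endpoint is added to the FQDN list, but step 1 directly below still names only **AzureIoTHub**, **Storage**, and **EventHub** as the IP ranges to allow. Sites that must filter by IP address are left without guidance for the new endpoint. Suggest either naming the range that covers it or stating that this endpoint has to be allowed by FQDN.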
If you're an existing customer with a production deployment and sensors connecte
For any connectivity resources outside of Defender for IoT, such as a VPN or proxy, consult with Microsoft solution architects to ensure correct configurations, security, and high availability.
-1. **If you have legacy sensor versions installed**, we recommend that you update your sensors at least to a version 22.1.x or higher. In this case, make sure that you reactivate each sensor and update your firewall rules.
+1. **If you have legacy sensor versions installed**, we recommend that you update your sensors at least to a version 22.1.x or higher. In this case, make sure that you've updated your firewall rules and activated your sensor with a new activation file.
Sign in to each sensor after the update to verify that the activation file was applied successfully. Also check the Defender for IoT **Sites and sensors** page in the Azure portal to make sure that the updated sensors show as **Connected**.
- For more information, see [Update a standalone sensor version](how-to-manage-individual-sensors.md#update-a-standalone-sensor-version) and [Sensor access to Azure portal](how-to-set-up-your-network.md#sensor-access-to-azure-portal).
+ For more information, see [Update OT system software](update-ot-software.md) and [Sensor access to Azure portal](how-to-set-up-your-network.md#sensor-access-to-azure-portal).
1. **Start migrating with a test lab or reference project** where you can validate your connection and fix any issues found.
If you're an existing customer with a production deployment and sensors connecte
- **IoT Hub**: `*.azure-devices.net` - **Threat Intelligence**: `*.blob.core.windows.net` - **EventHub**: `*.servicebus.windows.net`-
+ - **Microsoft Download Center**: `download.microsoft.com`
While you'll need to migrate your connections before the [legacy version reaches end of support](release-notes.md#versioning-and-support-for-on-premises-software-versions), you can currently deploy a hybrid network of sensors, including legacy software versions with their IoT Hub connections, and sensors with the connection methods described in this article.
defender-for-iot Getting Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/getting-started.md
Last updated 03/24/2022
This quickstart takes you through the initial steps of setting up Defender for IoT, including: -- Add an Azure subscription to Defender for IoT
+- Add Defender for IoT to an Azure subscription
- Identify and plan solution architecture You can use this procedure to set up a Defender for IoT trial. The trial provides 30-day support for 1000 devices and a virtual sensor, which you can use to monitor traffic, analyze data, generate alerts, understand network risks and vulnerabilities and more.
Before you start, make sure that you have:
- An Azure account. If you don't already have an Azure account, you can [create your Azure free account today](https://azure.microsoft.com/free/). -- Access to an Azure subscription with the **Subscription Contributor** role.
+- Access to an Azure subscription with the subscription **Owner** or **Contributor** role.
If you're using a Defender for IoT sensor version earlier than 22.1.x, you must also have an Azure IoT Hub (Free or Standard tier) **Contributor** role, for cloud-connected management. Make sure that the **Microsoft Defender for IoT** feature is enabled.
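Review bot: the prerequisite now reads "subscription **Owner** or **Contributor** role" without saying which of the two is sufficient, and it lists the broader role first. Suggest naming the least-privileged role that can complete onboarding and mentioning Owner only for the steps that actually need it, so readers do not request Owner by default.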
Defender for IoT users require the following permissions:
| View details and access software, activation files and threat intelligence packages | Γ£ô | Γ£ô | Γ£ô | Γ£ô | | Recover passwords | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+For more information, see [Azure roles](/azure/role-based-access-control/rbac-and-directory-admin-roles).
+ ### Supported service regions Defender for IoT routes all traffic from all European regions to the *West Europe* regional datacenter. It routes traffic from all remaining regions to the *Central US* regional datacenter.
-If you're using a legacy version of the sensor traffic are connecting sensors through your own IoT Hub, the IoT Hub supported regions are also relevant for your organization. For more information, see [IoT Hub supported regions](https://azure.microsoft.com/global-infrastructure/services/?products=iot-hub).
+If you're using a legacy version of the sensor traffic and are connecting through your own IoT Hub, the IoT Hub supported regions are also relevant for your organization. For more information, see [IoT Hub supported regions](https://azure.microsoft.com/global-infrastructure/services/?products=iot-hub).
## Identify and plan your OT solution architecture If you're working with an OT network, we recommend that you identify system requirements and plan your system architecture before you start, even if you plan to start with a trial subscription.
-If you're setting up network monitoring for enterprise IoT systems, you can skip directly to [Add a subscription to Defender for IoT](#add-a-subscription-to-defender-for-iot).
+> [!NOTE]
+> If you're setting up network monitoring for Enterprise IoT systems, you can skip directly to [Add a Defender for IoT plan to an Azure subscription](#add-a-defender-for-iot-plan-to-an-azure-subscription).
**When working with an OT network**:
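Review bot: the corrected sentence under "Supported service regions" still reads "a legacy version of the sensor traffic and are connecting through your own IoT Hub"; "sensor traffic" is not something that has a version. Suggest "a legacy version of the sensor software and are connecting through your own IoT Hub", which matches the "sensor version earlier than 22.1.x" wording used in the prerequisites.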
Microsoft Defender for IoT supports both physical and virtual deployments. For p
For more information, see: -- [Best practices for planning your OT network monitoring](plan-network-monitoring.md)
+- [Best practices for planning your OT network monitoring](best-practices/plan-network-monitoring.md)
- [Sensor connection methods](architecture-connections.md) - [Prepare your OT network for Microsoft Defender for IoT](how-to-set-up-your-network.md) - [Predeployment checklist](pre-deployment-checklist.md)-- [Identify required appliances](how-to-identify-required-appliances.md).
+- [Identify required appliances](how-to-identify-required-appliances.md)
+
+## Add a Defender for IoT plan to an Azure subscription
+
+This procedure describes how to add a Defender for IoT plan to an Azure subscription.
-## Add a subscription to Defender for IoT
+**To add a Defender for IoT plan to an Azure subscription:**
-This procedure describes how to add a new Azure subscription to Defender for IoT. If you're planning to monitor both OT and enterprise IoT networks, we recommend adding separate subscriptions.
+1. In the Azure portal, go to **Defender for IoT** > **Plans and pricing**.
-**To add your subscription**
+1. Select **Add plan**.
-1. In the Azure portal, go to **Defender for IoT** > **Pricing**.
+1. In the **Plan settings** pane, define the plan:
-1. Select **Add** to add a new subscription, and then define the following values:
+ - **Subscription**. Select the subscription where you would like to add a plan.
+ - Toggle on the **OT - Operational / ICS networks** and/or **EIoT - Enterprise IoT for corporate networks** options as needed for your network types.
+ - **Price plan**. Select a monthly or annual commitment, or a [trial](how-to-manage-subscriptions.md#about-defender-for-iot-trials). Microsoft Defender for IoT provides a 30-day free trial for the first 1,000 committed devices for evaluation purposes.
+
+ For more information, see the [Microsoft Defender for IoT pricing page](https://azure.microsoft.com/pricing/details/iot-defender/).
- - **Purchase method**. Select a monthly or annual commitment, or a trial. Microsoft Defender for IoT provides a 30-day free trial for the first 1,000 committed devices for evaluation purposes.
+ - **Committed sites** (for OT annual commitment only). Enter the number of committed sites.
- For more information, see the **Microsoft Defender for IoT** section of the [Microsoft Defender for Cloud pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
+ - **Number of devices**. If you selected a monthly or annual commitment, enter the number of devices you'll want to monitor. If you selected a trial, this section doesn't appear as you have a default of 1000 devices.
- - **Subscription**. Select a subscription where you have a **Subscription Contributor** role.
+ :::image type="content" source="media/how-to-manage-subscriptions/onboard-plan.png" alt-text="Screenshot of adding a plan to your subscription.":::
- - **Committed devices**. If you selected a monthly or annual commitment, enter the number of devices you'll want to monitor. If you selected a trial, this section doesn't appear as you have a default of 1000 devices.
+1. Select **Next**.
-1. Select the **I accept the terms** option, and then select **Save**.
+1. **Review & purchase**. Review the listed charges for your selections and **accept the terms and conditions**.
-Your subscription is shown in the **Pricing** grid. For example:
+1. Select **Purchase**.
+Your plan will be shown under the associated subscription in the **Plans and pricing** grid.
-For more information, see [Manage Defender for IoT subscriptions](how-to-manage-subscriptions.md).
+For more information, see [Manage your subscriptions](how-to-manage-subscriptions.md).
## Next steps
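Review bot: the removed intro recommended "adding separate subscriptions" when monitoring both OT and enterprise IoT networks, while the new **Plan settings** step lets both the **OT** and **EIoT** toggles be enabled on one subscription and no longer mentions that recommendation. Suggest stating explicitly whether separate subscriptions are still advised. The new **Subscription** bullet also drops the role requirement that the removed bullet carried; repeat it or point back to the prerequisites. Minor: "1,000 committed devices" and "default of 1000 devices" should use one number format.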
defender-for-iot How To Activate And Set Up Your On Premises Management Console https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-activate-and-set-up-your-on-premises-management-console.md
After you sign in for the first time, you need to activate the on-premises manag
:::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/multiple-subscriptions.png" alt-text="Screenshot that shows selecting multiple subscriptions." lightbox="media/how-to-manage-sensors-from-the-on-premises-management-console/multiple-subscriptions.png":::
- If you haven't already onboarded a subscription, see [Onboard a subscription](how-to-manage-subscriptions.md#onboard-a-subscription).
+ If you haven't already onboarded Defender for IoT to a subscription, see [Onboard a Defender for IoT plan to a subscription](how-to-manage-subscriptions.md#onboard-a-defender-for-iot-plan-to-a-subscription).
> [!Note] > If you delete a subscription, you must upload a new activation file to the on-premises management console that was affiliated with the deleted subscription.
After activating an on-premises management console, you'll need to apply new act
|Location |Activation process | |||
-|**On-premises management console** | Apply a new activation file on your on-premises management console if you've [modified the number of committed devices](how-to-manage-subscriptions.md#update-committed-devices-in-a-subscription) in your subscription. |
-|**Cloud-connected sensors** | Cloud-connected sensors remain activated for as long as your Azure subscription with your Defender for IoT plan is active. <br><br>However, you'll also need to apply a new activation file when [updating your sensor software](how-to-manage-individual-sensors.md#download-a-new-activation-file-for-version-221x-or-higher) from a legacy version to version 22.2.x. |
+|**On-premises management console** | Apply a new activation file on your on-premises management console if you've [modified the number of committed devices](how-to-manage-subscriptions.md#edit-a-plan) in your subscription. |
+|**Cloud-connected sensors** | Cloud-connected sensors remain activated for as long as your Azure subscription with your Defender for IoT plan is active. <br><br>However, you'll also need to apply a new activation file when [updating your sensor software](update-ot-software.md#download-and-apply-a-new-activation-file) from a legacy version to version 22.2.x. |
| **Locally-managed** | Apply a new activation file to locally-managed sensors every year. After a sensor's activation file has expired, the sensor will continue to monitor your network, but you'll see a warning message when signing in to the sensor. | For more information, see [Manage Defender for IoT subscriptions](how-to-manage-subscriptions.md).
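Review bot: the **Cloud-connected sensors** row keeps the text "from a legacy version to version 22.2.x", but the link anchor it replaces was titled for version 22.1.x or higher. Suggest confirming which version boundary requires a new activation file and making the cell text match the linked section. The identical row in how-to-activate-and-set-up-your-sensor.md needs the same check.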
defender-for-iot How To Activate And Set Up Your Sensor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-activate-and-set-up-your-sensor.md
After activating a sensor, you'll need to apply new activation files as follows:
|Location |Activation process | |||
-|**Cloud-connected sensors** | Cloud-connected sensors remain activated for as long as your Azure subscription with your Defender for IoT plan is active. <br><br>However, you'll also need to apply a new activation file when [updating your sensor software](how-to-manage-individual-sensors.md#download-a-new-activation-file-for-version-221x-or-higher) from a legacy version to version 22.2.x. |
+|**Cloud-connected sensors** | Cloud-connected sensors remain activated for as long as your Azure subscription with your Defender for IoT plan is active. <br><br>However, you'll also need to apply a new activation file when [updating your sensor software](update-ot-software.md#download-and-apply-a-new-activation-file) from a legacy version to version 22.2.x. |
| **Locally-managed** | Apply a new activation file to locally-managed sensors every year. After a sensor's activation file has expired, the sensor will continue to monitor your network, but you'll see a warning message when signing in to the sensor. | For more information, see [Manage Defender for IoT subscriptions](how-to-manage-subscriptions.md) and [Manage the on-premises management console](how-to-manage-the-on-premises-management-console.md).
You can access console tools from the side menu. Tools help you:
| --|--| | Overview | View a dashboard with high-level information about your sensor deployment, alerts, traffic, and more. | | Device map | View the network devices, device connections, Purdue levels, and device properties in a map. Various zoom, highlight, and filter options are available to help you gain the insight you need. For more information, see [Investigate sensor detections in the Device Map](how-to-work-with-the-sensor-device-map.md#investigate-sensor-detections-in-the-device-map). |
-| Device inventory | The Device inventory displays a list of device attributes that this sensor detects. Options are available to: <br /> - Sort, or filter the information according to the table fields, and see the filtered information displayed. <br /> - Export information to a CSV file. <br /> - Import Windows registry details. For more information, see [Investigate sensor detections in a device inventory](how-to-investigate-sensor-detections-in-a-device-inventory.md#investigate-sensor-detections-in-an-inventory).|
+| Device inventory | The **Device inventory** displays a list of device attributes that this sensor detects. Options are available to: <br /> - Sort, or filter the information according to the table fields, and see the filtered information displayed. <br /> - Export information to a CSV file. <br /> - Import Windows registry details. For more information, see [View your device inventory from a sensor console](how-to-investigate-sensor-detections-in-a-device-inventory.md).|
| Alerts | Alerts are triggered when sensor engines detect changes or suspicious activity in network traffic that requires your attention. For more information, see [View alerts on your sensor](how-to-view-alerts.md#view-alerts-on-your-sensor).| ### Analyze
defender-for-iot How To Control What Traffic Is Monitored https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-control-what-traffic-is-monitored.md
Title: Control what traffic is monitored
-description: Sensors automatically perform deep packet detection for IT and OT traffic and resolve information about network devices, such as device attributes and network behavior. Several tools are available to control the type of traffic that each sensor detects.
Previously updated : 02/03/2022
+description: Sensors automatically perform deep packet detection for IT and OT traffic and resolve information about network devices, such as device attributes and network behavior. Several tools are available to control the type of traffic that each sensor detects.
Last updated : 06/02/2022
The sensor console presents the most current IP address associated with the devi
- The Data Mining report and Device Inventory report consolidate all activity learned from the device as one entity, regardless of the IP address changes. These reports indicate which addresses were defined as DHCP addresses.
- :::image type="content" source="media/how-to-control-what-traffic-is-monitored/populated-device-inventory-screen-v2.png" alt-text="Screenshot that shows device inventory.":::
+ :::image type="content" source="media/how-to-control-what-traffic-is-monitored/populated-device-inventory-screen-v2.png" alt-text="Screenshot that shows device inventory." lightbox="media/how-to-control-what-traffic-is-monitored/populated-device-inventory-screen-v2.png":::
- The **Device Properties** window indicates if the device was defined as a DHCP device.
The sensor console presents the most current IP address associated with the devi
6. Select **Save**.
-## Configure DNS servers for reverse lookup resolution
-
-To enhance device enrichment, you can configure multiple DNS servers to carryout reverse lookups. You can resolve host names or FQDNs associated with the IP addresses detected in network subnets. For example, if a sensor discovers an IP address, it might query multiple DNS servers to resolve the host name.
-
-All CIDR formats are supported.
-
-The host name appears in the device inventory, and device map, and in reports.
-
-You can schedule reverse lookup resolution schedules for specific hourly intervals, such as every 12 hours. Or you can schedule a specific time.
-
-**To define DNS servers:**
-
-1. Select **System settings**> **Network monitoring**, then select **Reverse DNS Lookup**.
-
-2. Select **Add DNS Server**.
-
-3. In the **Schedule Reverse lookup** field, choose either:
-
- - Intervals (per hour).
-
- - A specific time. Use European formatting. For example, use **14:30** and not **2:30 PM**.
-
-4. In the **DNS server address** field, enter the DNS IP address.
-
-5. In the **DNS server port** field, enter the DNS port.
-
-6. Resolve the network IP addresses to device FQDNs. In the **Number of labels** field, add the number of domain labels to display. Up to 30 characters are displayed from left to right.
-
-7. In the **Subnets** field, enter the subnets that you want the DNS server to query.
-
-8. Select the **Enable** toggle if you want to initiate the reverse lookup.
-
-1. Select **Save**.
-
-### Test the DNS configuration
-
-By using a test device, verify that the settings you defined work properly:
-
-1. Enable the **DNS Lookup** toggle.
-
-2. Select **Test**.
-
-3. Enter an address in **Lookup Address** for the **DNS reverse lookup test for server** dialog box.
-
-4. Select **Test**.
-
-## Configure Windows Endpoint Monitoring
-
-With the Windows Endpoint Monitoring capability, you can configure Microsoft Defender for IoT to selectively probe Windows systems. This provides you with more focused and accurate information about your devices, such as service pack levels.
-
-You can configure probing with specific ranges and hosts, and configure it to be performed only as often as desired. You accomplish selective probing by using the Windows Management Instrumentation (WMI), which is Microsoft's standard scripting language for managing Windows systems.
-
-> [!NOTE]
-> - You can run only one scan at a time.
-> - You get the best results with users who have domain or local administrator privileges.
-> - Before you begin the WMI configuration, configure a firewall rule that opens outgoing traffic from the sensor to the scanned subnet by using UDP port 135 and all TCP ports above 1024.
-
-When the probe is finished, a log file with all the probing attempts is available from the option to export a log. The log contains all the IP addresses that were probed. For each IP address, the log shows success and failure information. There's also an error code, which is a free string derived from the exception. The scan of the last log only is kept in the system.
-
-You can perform scheduled scans or manual scans. When a scan is finished, you can view the results in a CSV file.
-
-**Prerequisites**
-
-Configure a firewall rule that opens outgoing traffic from the sensor to the scanned subnet by using UDP port 135 and all TCP ports above 1024.
-
-**To configure an automatic scan:**
-
-1. Select **System settings**> **Network monitoring**, then select **Windows Endpoint Monitoring (WMI)**.
-
-1. In the **Edit scan ranges configuration** section, enter the ranges you want to scan and add your username and password.
-
-3. Define how you want to run the scan:
-
- - **By fixed intervals (in hours)**: Set the scan schedule according to intervals in hours.
-
- - **By specific times**: Set the scan schedule according to specific times and select **Save Scan**.
-
-8. Select **Save**. The dialog box closes.
-
-**To perform a manual scan:**
-
-1. Define the scan ranges.
-
-3. Select **Save** and **Apply changes** and then select **Manually scan**.
-
-**To view scan results:**
-
-1. When the scan is finished, select **View Scan Results**. A .csv file with the scan results is downloaded to your computer.
## Next steps For more information, see:
+- [Configure active monitoring for OT networks](configure-active-monitoring.md)
- [Investigate sensor detections in a device inventory](how-to-investigate-sensor-detections-in-a-device-inventory.md) - [Investigate sensor detections in the device map](how-to-work-with-the-sensor-device-map.md)
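Review bot: the removed Windows Endpoint Monitoring section carried the firewall prerequisite "UDP port 135 and all TCP ports above 1024" twice, once in the note and once under **Prerequisites**, and nothing in this article now points to it. Confirm that the prerequisite is present in configure-windows-endpoint-monitoring.md, and check the protocol when carrying it over, since WMI over DCOM normally reaches the RPC endpoint mapper on TCP 135. The added **Next steps** link goes only to configure-active-monitoring.md; suggest also linking the reverse DNS lookup and Windows Endpoint Monitoring articles directly so readers following old bookmarks to the removed headings can find them.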
defender-for-iot How To Install Software https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-install-software.md
Title: Defender for IoT installation
+ Title: Install OT system software - Microsoft Defender for IoT
description: Learn how to install a sensor and the on-premises management console for Microsoft Defender for IoT. Last updated 01/06/2022
-# Defender for IoT software installation
+# Install OT system software
This article describes how to install software for OT sensors and on-premises management consoles. You might need the procedures in this article if you're reinstalling software on a preconfigured appliance, or if you've chosen to install software on your own appliances.
defender-for-iot How To Investigate Sensor Detections In A Device Inventory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-investigate-sensor-detections-in-a-device-inventory.md
Title: Gain insight into devices discovered by a specific sensor
-description: The device inventory displays an extensive range of device attributes that a sensor detects.
+ Title: View your device inventory from a sensor console
+description: The device inventory displays an extensive range of device attributes that a sensor detects.
Last updated 06/09/2022
-# Investigate sensor detections in an inventory
+# View your device inventory from a sensor console
-The device inventory displays an extensive range of device attributes that your sensor detects. Use the inventory to gain insight and full visibility of the devices on your network.
+The device inventory displays an extensive range of device attributes that your sensor detects. Use the inventory to gain insight and full visibility of the devices on your network.
:::image type="content" source="media/how-to-inventory-sensor/inventory-sensor.png" alt-text="Screenshot that shows the Device inventory main screen.":::
In addition to learning OT devices, you can discover Microsoft Windows workstati
Two options are available for retrieving this information: -- Active polling by using scheduled WMI scans.
+- Active polling with scheduled WMI scans. For more information, see [Configure Windows Endpoint monitoring](configure-windows-endpoint-monitoring.md).
- Local surveying by distributing and running a script on the device. Working with local scripts bypasses the risks of running WMI polling on an endpoint. It's also useful for regulated networks with waterfalls and one-way elements.
You can survey the following Windows operating systems:
- Windows 10 -- Windows Server 2003/2008/2012/2016
+- Windows 11
+
+- Windows Server 2003/2008/2012/2016/2019
### Before you begin
defender-for-iot How To Manage Cloud Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-cloud-alerts.md
Title: View and manage alerts in the Defender for IoT portal on Azure description: View and manage alerts detected by cloud-connected network sensors in the Defender for IoT portal on Azure. Previously updated : 02/02/2022 Last updated : 06/02/2022
-# View and manage alerts on the Defender for IoT portal (Preview)
+# View and manage alerts from the Azure portal
-This article describes Defender for IoT alert capabilities for alerts displayed on the Defender for IoT portal on Azure.
+This article describes how to manage your alerts from Defender for IoT on the Azure portal.
+
+If you're integrating with Microsoft Sentinel, the alert details and entity information are also sent to Microsoft Sentinel, where you can also view them from the **Alerts** page.
## About alerts
-Defender for IoT alerts lets you enhance the security and operation of your network by giving you real-time information about:
+Defender for IoT alerts enhance your network security and operations with real-time details about events logged, such as:
- Deviations from authorized network activity and device configurations - Protocol and operational anomalies
Defender for IoT alerts lets you enhance the security and operation of your netw
:::image type="content" source="media/how-to-view-manage-cloud-alerts/main-alert-page.png" alt-text="Screenshot of the Alerts page in the Azure portal." lightbox="media/how-to-view-manage-cloud-alerts/main-alert-page.png":::
-Alerts triggered by Defender for IoT are displayed on the Alerts page in the Azure portal. Use the Alerts page to:
--- Learn when an alert was detected.-- Investigate the alert by reviewing an extensive range of alert information. This may include, source and destination details, PCAP information, vendor, firmware and OS details, and MITRE ATT&CK information.-- Manage the alert by taking remediation steps on the device or network process, or changing the device status or severity.-- Integrate alert details with other Microsoft services. For example, with Microsoft Sentinel playbooks and workbooks. See [About the Defender for IoT and Microsoft Sentinel Integration](concept-sentinel-integration.md).-
-### How is the Alerts page populated?
-
-The Alerts page is populated by with alert information detected by sensors that are set up for cloud-connection to the Defender for IoT portal on Azure.
+Use the **Alerts** page on the Azure portal to take any of the following actions:
-Alert details triggered by these sensors and aggregated in the Alerts page:
+- **Understand when an alert was detected**.
-- Provides comprehensive insight into threats, anomalies, deviations and misconfigurations across your entire network.
+- **Investigate the alert** by reviewing alert details, such as the traffic's source and destination, vendor, related firmware and operating system, and related MITRE ATT&CK tactics.
-- Helps SOC teams better understand how sensors are handling activity across the network.
+- **Manage the alert** by taking remediation steps on the device or network process, or changing the device status or severity.
-## Alert types and messages
+- **Integrate alert details with other Microsoft services**, such as Microsoft Sentinel playbooks and workbooks. For more information, see [OT threat monitoring in enterprise SOCs](concept-sentinel-integration.md).
-You can view alert messages you may receive. Reviewing alert types and messages ahead of time will help you plan remediation and integration with playbooks.
+The alerts displayed on the Azure portal are alerts that have been detected by cloud-connected, Defender for IoT sensors. For more information, see [Alert types and descriptions](alert-engine-messages.md).
-For more information, see [Alert types and descriptions](alert-engine-messages.md#alert-types-and-descriptions).
+> [!TIP]
+> We recommend that you review alert types and messages to help you understand and plan remediation actions and playbook integrations.
## View alerts
-This section describes the information available in the Alerts table.
+This section describes how to view alert details in the Azure portal.
-**To view default alert information:**
+**To view Defender for IoT alerts on the Azure portal**:
-1. Navigate to the Defender for IoT portal on Azure.
+Go to **Defender for IoT** > **Alerts (Preview)**.
-1. Select **Alerts (Preview)**. The following alert information is available by default.
+The following alert details are displayed by default in the grid:
- | Parameter | Description
- |--|--|
- | **Severity**| A predefined alert severity assigned by the sensor. The severity can be updated. See [Manage alert status and severity](#manage-alert-status-and-severity) for details.
- | **Name** | The alert title.
- | **Site** | The site associated with the sensor. This site name is defined when you register a sensor with Microsoft Defender for IoT on the Azure portal. The name can be viewed in the Sites and Sensors page on the portal. See [View onboarded sensors](how-to-manage-sensors-on-the-cloud.md#manage-on-boarded-sensors) for information on registered sensors.
- | **Engine** | The sensor engine that detected the Operational Technology (OT) traffic. To learn more about engines, see [Detection engines](how-to-control-what-traffic-is-monitored.md#detection-engines). For device builders, the term micro-agent will be displayed.
- | **Detection time** | The first time the alert was detected. The alert traffic may occur several times after the first detection. If the alert Status is **New**, the detection time won't change. If the alert is Closed and the traffic is seen again, a new detection time will be displayed.
- | **Status** | The alert status: New, Active, Closed
- | **Source device** | The IP address, MAC, or device name.
- | **Tactics** | The MITRE ATT&CK stage.
-
-**To view additional information:**
-
-1. Select **Edit columns** from the Alerts page.
-1. In the Edit Columns dialog box, select **Add Column** and choose an item to add. The following items are available:
+| Column | Description
+|--|--|
+| **Severity**| A predefined alert severity assigned by the sensor. Update the sensor severity as needed. For more information, see [Manage alert status and severity(#manage-alert-status-and-severity).
+| **Name** | The alert title. |
+| **Site** | The site associated with the sensor that detected the alert, as listed on the **Sites and sensors** page. For more information, see [Sensor management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#sensor-management-options-from-the-azure-portal).|
+| **Engine** | The sensor engine that detected the Operational Technology (OT) traffic. For more information, see [Detection engines](how-to-control-what-traffic-is-monitored.md#detection-engines). For device builders, the term *micro-agent* is displayed instead. |
+| **Detection time** | The time the alert was detected, for as long as the alert status remains **New**. If an alert is closed and the same traffic is seen again, this alert time is updated to the new time. |
+| **Status** | The alert status: *New*, *Active*, *Closed* |
+| **Source device** | The IP address, MAC, or device name. |
+| **Tactics** | The MITRE ATT&CK stage. |
+
+Select **Edit columns** to add other details to the grid, including:
+
+| Column | Description
+|--|--|
+| **Source device address** |The IP address of the source device. |
+| **Destination device address** | The IP address of the destination device. |
+| **Destination device** | The IP address, MAC, or destination device name.|
+| **ID** |The unique alert ID.|
+| **Protocol** | The protocol detected in the network traffic for this alert.|
+| **Sensor** | The sensor that detected the alert.|
+| **Zone** | The zone assigned to the sensor that detected the alert.|
+| **Category**| The category associated with the alert, such as *operational issues*,*custom alerts*, or *illegal commands*. |
+| **Type**| The internal name of the alert. |
+### Filter alerts displayed
- | Parameter | Description
- |--|--|
- | **Source device address** |The IP address of the source device. |
- | **Destination device address** | The IP address of the destination device. |
- | **Destination device** | The IP address, MAC, or destination device name.
- | **ID** |The unique alert ID.
- | **Protocol** | The protocol detected in the network traffic for this alert.
- | **Sensor** | The sensor that detected the alert.
- | **Zone** | The zone assigned to the sensor that detected the alert.
- | **Category**| The category associated with the alert, for example scans, operational issues, custom alerts, illegal commands. Filtering the Alerts page by category helps you quickly find information important to you. For a list of categories available, see [Customize the view by category](#customize-the-view-by-category).
- | **Type**| The internal name of the alert.
+Use the **Search** box, **Time range**, and **Add filter** options to filter the alerts displayed by specific parameters or help locate a specific alert.
-### Customize the view
+For example, filter alerts by **Category**:
-Various Alerts page options help you easily find and view alerts and alert information important to you.
-**To filter the view:**
+Supported categories include:
-1. Use the **Search**, **Time Range**, and **Filter** options at the top of the Alerts page.
+ :::column span="":::
+ - Abnormal Communication Behavior
+ - Abnormal HTTP Communication Behavior
+ - Authentication
+ - Backup
+ - Bandwidth Anomalies
+ - Buffer overflow
+ - Command Failures
+ - Configuration changes
+ - Custom Alerts
+ - Discovery
+ - Firmware change
+ - Illegal commands
+ :::column-end:::
+ :::column span="":::
+ - Internet Access
+ - Operation Failures
+ - Operational issues
+ - Programming
+ - Remote access
+ - Restart/Stop Commands
+ - Scan
+ - Sensor traffic
+ - Suspicion of malicious activity
+ - Suspicion of Malware
+ - Unauthorized Communication Behavior
+ - Unresponsive
+ :::column-end:::
- :::image type="content" source="media/how-to-view-manage-cloud-alerts/filters-on-alerts-page.png" alt-text="Screenshot of the filters bar on the Alerts page in the Azure portal.":::
+### Group alerts displayed
-**To group alerts:**
+Use the **Group by** menu at the top right to collapse the grid into subsections according to specific parameters.
-1. Select **Group by** at the top right of the Alerts page.
-1. Group the view by the:
- - alert severity
- - alert name
- - site associated with alert
- - engine associated with the alert
+For example, while the total number of alerts appears above the grid, you may want more specific information about alert count breakdown, such as the number of alerts with a specific severity, protocol, or site.
-### Customize the view by category
+Supported grouping options include *Severity*, *Name*, *Site*, and *Engine*.
-Use the category filter to quickly find information important to you. Using category filters also gives you information regarding the number of alerts for each category. For example, 50 operational alerts, 13 firmware changes or 23 command failures.
+## View alert details
+Select an alert in the grid to display more details in the pane on the right, including the alert description, traffic source and destination, and more.
-The following categories are available:
-- Abnormal Communication Behavior-- Abnormal HTTP Communication Behavior-- Authentication-- Backup-- Bandwidth Anomalies-- Buffer overflow-- Command Failures-- Configuration changes-- Custom Alerts-- Discovery-- Firmware change-- Illegal commands -- Internet Access-- Operation Failures -- Operational issues-- Programming-- Remote access-- Restart/Stop Commands-- Scan-- Sensor traffic-- Suspicion of malicious activity-- Suspicion of Malware-- Unauthorized Communication Behavior-- Unresponsive
-### Understand the alert count breakdown
+Select **View full details** to learn more, or **Take action** to jump directly to the suggested remediation steps.
-The number of alerts currently detected appears on the top-left section of the Alerts page. You may want more specific information about the alert count breakdown, for example the number of alerts associated with a certain alert severity, protocol or site.
-**To view an alert count breakdown:**
+## Remediate alerts
-1. Select **Group by** and select a group. The number of alerts is displayed for each group.
+On each alert details page, the **Take Action** tab lists recommended remediation steps for the alert, designed specifically to help SOC teams understand OT issues and resolutions.
- :::image type="content" source="media/how-to-view-manage-cloud-alerts/group-by-severity.png" alt-text="Screenshot of the Alerts page, filtered by severity.":::
-1. Alternatively use the **Add filter** option to choose a subject of interest and select **Column.** The column dropdown shows the number alerts associated with the column name.
+## Manage alert status and severity
- :::image type="content" source="media/how-to-view-manage-cloud-alerts/alert-count-breakdown.png" alt-text="Screenshot of Alert filters showing protocols with count for each protocol.":::
+You can update alert status or severity for a single alert or for a group of alerts.
-## View alert descriptions and other details
+*Learn* an alert to indicate to Defender for IoT that the detected network traffic is authorized. Learned alerts won't be triggered again the next time the same traffic is detected on your network. For more information, see [Learn and unlearn alert traffic](how-to-manage-the-alert-event.md#learn-and-unlearn-alert-traffic).
-View more information about the alert, such as:
-- the alert description-- links to related MITRE ATT&CK information-- details about protocols-- traffic and entities associated with the alert-- alert remediation steps
+- **To manage a single alert**:
-**To view details:**
+ 1. Select an alert in the grid.
+ 1. Either on the details pane on the right, or in an alert details page itself, select the new status and/or severity.
-1. Select an alert.
-1. The details pane opens with the alert description, source, and destination information and other details.
+- **To manage multiple alerts in bulk**:
- :::image type="content" source="media/how-to-view-manage-cloud-alerts/alert-detected.png" alt-text="Screenshot of an alert selected from Alerts page in the Azure portal.":::
+ 1. Select the alerts in the grid that you want to modify.
+ 1. Use the :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/status-icon.png" border="false"::: **Change status** and/or :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/severity-icon.png" border="false"::: **Change severity** options in the toolbar to update the status and/or the severity for all the selected alerts.
-1. To view more details and review remediation steps, select **View full details**. The Alert Details pane provides more information about source device and related entities. Related links in the MITRE Partnership website are also available.
+- **To learn one or more alerts**, do one of the following:
- :::image type="content" source="media/how-to-view-manage-cloud-alerts/alert-full-details.png" alt-text="Screenshot of a selected alert with full details.":::
-
-If you're integrating with Microsoft Sentinel, the Alert details and entity information are sent to Microsoft Sentinel.
+ - Select one or more alerts in the grid and then select :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/learn-icon.png" border="false"::: **Learn** in the toolbar.
+ - On an alert details page, in the **Take Action** tab, select **Learn**.
-### Alert remediation steps
-Defender for IoT provides remediation steps you can carry out for the alert. Remediation steps are designed to help SOC teams better understand OT issues and resolutions.
+ - Select one or more alerts in the grid and then select :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/learn-icon.png" border="false"::: **Learn** in the toolbar.
+ - On an alert details page, in the **Take Action** tab, select **Learn**.
-**To view the alert remediation:**
+### Managing alerts in a hybrid deployment
-1. Select an alert from the Alerts page.
-1. Select **Take action** in the dialog box that opens.
+Users working in hybrid deployments may be managing alerts in Defender for IoT on the Azure portal, the sensor, and an on-premises management console.
- :::image type="content" source="media/how-to-view-manage-cloud-alerts/take-action-cloud-alert.png" alt-text="Screenshot of a remediation action for a sample alert in the Azure portal.":::
+Alert management across all interfaces functions as follows:
-## Manage alert status and severity
+- **Alert statuses are fully synchronized** between the Azure portal and the sensor. This means that when you set an alert status to **Closed** on either the Azure portal or the sensor, the alert status is updated in the other location as well.
-You can change the alert status and severity for a single alert or for a group of alerts.
+ Setting an alert status to **Closed** or **Muted** on a sensor updates the alert status to **Closed** on the Azure portal. Alert statuses are also synchronized between the sensor and the on-premises management console to keep all management sources updated with the correct alert statuses.
-**To change the alert status:**
+ [Learning](#manage-alert-status-and-severity) an alert in Azure also updates the alert in the sensor console.
-1. Select an alert or group of alerts.
-1. Select **Change status** and select a status (New, Active, Closed).
+- **Alert Exclusion rules**: If you're working with an on-premises management console, you may have defined alert *Exclusion rules* to determine the rules detected by relevant sensors.
-Changes to status aren't reflected in the on-premises management console or sensor.
+ Alerts excluded because they meet criteria for a specific exclusion rule are not displayed on the sensor, or in the Azure portal. For more information, see [Create alert exclusion rules](how-to-work-with-alerts-on-premises-management-console.md#create-alert-exclusion-rules).
-**To change the alert severity:**
+## Access alert PCAP data (Public preview)
-1. Select an alert or group of alerts.
-1. Select **Change severity** and select a severity.
+To access raw traffic files for your alert, known as packet capture files or PCAP files, select **Download PCAP** in the top-left corner of your alert details page.
-Changes to severity aren't reflected in the on-premises management console or sensor.
+For example:
-## On-premises alert management
-Users working in hybrid deployments may be managing alerts on both the Microsoft Defender for IoT portal, Alerts page, and on on-premises sensors and the management console.
+The portal requests the file from the sensor that detected the alert and downloads it to your Azure storage.
-Users working with alerts in Azure and on-premises should understand how alert management between the portal and the on-premises components operates.
+Downloading the PCAP file can take several minutes, depending on the quality of your sensor connectivity.
- Parameter | Description
-|--|--|
-| **Alert Exclusion rules**| Alert *Exclusion rules* defined in the on-premises management console affect the rules detected by managed sensors. As a result, the alerts excluded be these rules won't be displayed in the Alerts page. See [Create alert exclusion rules](how-to-work-with-alerts-on-premises-management-console.md#create-alert-exclusion-rules) for more information.
-| **Managing alerts on-premises** | Alerts **Learned**, **Acknowledged**, or **Muted** in the on-premises management console or in sensors aren't simultaneously updated in Alerts page on the Defender for IoT Cloud Alerts page. This means that this alert will stay open on the Cloud. However another alert won't be triggered from the on-premises components for this activity.
-| **Managing alert in the portal Alerts page** | Changing the status of an alert to **New**, **Active**, or **Closed** on the Alerts page or changing the alert severity on the Alerts page doesn't affect the alert status or severity in the on-premises management console or sensors.
+> [!TIP]
+> Accessing PCAP files directly from the Azure portal supports SOC or OT security engineers who want to investigate alerts from Defender for IoT or Microsoft Sentinel, without having to access each sensor separately. For more information, see [OT threat monitoring in enterprise SOCs](concept-sentinel-integration.md).
+>
## Next steps
-For more information, see [Gain insight into global, regional, and local threats](how-to-gain-insight-into-global-regional-and-local-threats.md#gain-insight-into-global-regional-and-local-threats).
+For more information, see [Gain insight into global, regional, and local threats](how-to-gain-insight-into-global-regional-and-local-threats.md#gain-insight-into-global-regional-and-local-threats).
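Review bot: The link in the added **Severity** row, `[Manage alert status and severity(#manage-alert-status-and-severity).`, is missing the `]` before `(`, so it will render as literal text; that row and the two `| Column | Description` header rows also lack the closing `|` used by the other rows. Three smaller points in the same change: the two bullets under **To learn one or more alerts** are added twice and one pair should go; the grouping paragraph offers a breakdown by protocol, but the supported grouping options listed right after it are only *Severity*, *Name*, *Site*, and *Engine*; and "to determine the rules detected by relevant sensors" in the exclusion-rules bullet reads as if it should say alerts rather than rules.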
defender-for-iot How To Manage Device Inventory For Organizations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-device-inventory-for-organizations.md
Title: Manage your IoT devices with the device inventory for organizations
+ Title: View your device inventory from the Azure portal
description: Learn how to manage your IoT devices with the device inventory for organizations. Last updated 03/09/2022
-# Manage your IoT devices with the device inventory for organizations
+# View your device inventory from the Azure portal
> [!NOTE] > The **Device inventory** page in Defender for IoT on the Azure portal is in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
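Review bot: The title and H1 change to "View your device inventory from the Azure portal", but the unchanged `description:` line still reads "Learn how to manage your IoT devices with the device inventory for organizations", so the metadata no longer matches the new title. Suggest updating the description in the same change.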
The following device fields are supported for editing in the Device inventory pa
## Export the device inventory to CSV
-You can export your device inventory to a CSV file. Any filters that you apply to the device inventory table will be exported, when you export the table.
+You can export a maximum of 30,000 devices at a time from your device inventory to a CSV file. If you have filters applied to the table, only the devices shown are exported to the CSV file.
Select the :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/export-button.png" border="false"::: button to export your current device inventory to a CSV file.
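Review bot: The new sentence sets a limit of 30,000 devices per export but does not say what happens when the table, filtered or not, holds more than that. Suggest stating whether the export is truncated or refused, and, if applying filters is the intended way to export a larger inventory in batches, saying so here.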
defender-for-iot How To Manage Individual Sensors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-individual-sensors.md
Title: Manage individual sensors description: Learn how to manage individual sensors, including managing activation files, certificates, performing backups, and updating a standalone sensor. Previously updated : 03/10/2022 Last updated : 06/02/2022 # Manage individual sensors
-This article describes how to manage individual sensors. Tasks include managing activation files, performing backups, and updating a standalone sensor.
+This article describes how to manage individual sensors, such as managing activation files, certificates, backups, and more.
-You can also do certain sensor management tasks from the on-premises management console, where multiple sensors can be managed simultaneously.
-
-You use the Azure portal for sensor onboarding and registration.
+You can also perform some management tasks for multiple sensors simultaneously from the Azure portal or an on-premises management console. For more information, see [Next steps](#next-steps).
## Manage sensor activation files
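Review bot: The unchanged `description:` line still promises "updating a standalone sensor", while the rewritten intro no longer mentions updates and this change deletes the "Update a standalone sensor version" section. Suggest trimming the description to match, and replacing the generic "see [Next steps](#next-steps)" pointer with direct links to the Azure portal and on-premises management console articles that the sentence refers to.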
The console will display restore failures.
- Sign in to an administrative account and enter `$ sudo cyberx-management-system-restore`.
-## Update a standalone sensor version
-
-This procedure describes how to update a standalone sensor version. If you are upgrading from a version higher than 22.1.x, you can jump straight to [Update your sensor software version](#update-your-sensor-software-version).
-
-However, if you're upgrading from a version earlier than 22.1.x, make sure to [Download a new activation file for version 22.1.x or higher](#download-a-new-activation-file-for-version-221x-or-higher) before you upgrade, and then [reactivate your sensor](#reactivate-your-sensor-for-version-221x-or-higher) after upgrading.
-
-Updates from legacy versions may require a series of upgrades. For example, if you still have a sensor version 3.1.1 installed, you'll need to first upgrade to version 10.5.5, and then to a 22.x version.
-
-### Download a new activation file for version 22.1.x or higher
-
-Version [22.1.x ](release-notes.md#update-to-version-221x) is a large upgrade with more complicated background processes. You should expect this upgrade to take more time than earlier upgrades have required.
-
-1. Update your firewall rules between the sensor and the Azure portal. For more information, see [Sensor access to Azure portal](how-to-set-up-your-network.md#sensor-access-to-azure-portal).
-
-1. In Defender for IoT, select **Sites and sensors** on the left.
-
-1. Select the site where you want to update your sensor, and then navigate to the sensor you want to update.
-
-1. Expand the row for your sensor, select the options **...** menu on the right of the row, and then select **Prepare to update to 22.x**.
-
- :::image type="content" source="media/how-to-manage-sensors-on-the-cloud/prepare-to-update.png" alt-text="Screenshot of the Prepare to update option." lightbox="media/how-to-manage-sensors-on-the-cloud/prepare-to-update.png":::
-
-1. In the **Prepare to update sensor to version 22.X** message, select **Let's go**.
-
-1. When the new activation file is ready, download it and verify that the sensor status has switched to **Pending activation**.
-
-### Update your sensor software version
-
-1. In the Azure portal, go to **Defender for IoT** > **Getting started** > **Updates**.
-
-1. From the **Sensors** section, select **Download** for the sensor update, and save your `<legacy/upstream>-sensor-secured-patcher-<version number>.tar` file locally. For example:
-
- :::image type="content" source="media/how-to-manage-individual-sensors/updates-page.png" alt-text="Screenshot of the Updates page of Defender for IoT.":::
-
-1. On your sensor console, select **System Settings** > **Sensor management** > **Software Update**.
-
-1. On the **Software Update** pane on the right, select **Upload file**, and then navigate to and select your downloaded `legacy-sensor-secured-patcher-<Version number>.tar` file.
-
- :::image type="content" source="media/how-to-manage-individual-sensors/upgrade-pane-v2.png" alt-text="Screenshot of the update pane.":::
-
- The update process starts, and may take about 30 minutes. During your upgrade, the system is rebooted twice.
-
- Sign in when prompted, and then return to the **System Settings** > **Sensor management** > **Software Update** pane to confirm that the new version is listed.
-
- :::image type="content" source="media/how-to-manage-individual-sensors/defender-for-iot-version.png" alt-text="Screenshot of the upgrade version that appears after you sign in.":::
-
-### Reactivate your sensor for version 22.1.x or higher
-
-If you're upgrading from a legacy version to version 22.1.x or higher, make sure to reactivate your sensor using the activation file you downloaded earlier.
-
-1. On your sensor, select **System settings > Sensor management > Subscription & Mode Activation**.
-
-1. In the **Subscription & Mode Activation** pane that appears on the right, select **Select file**, and then browse to and select your new activation file.
-
-1. In Defender for IoT on the Azure portal, monitor your sensor's activation status. When the sensor is fully activated:
-
- - The sensor's **Overview** page shows an activation status of **Valid**.
- - In the Azure portal, on the **Sites and sensors** page, the sensor is listed as **OT cloud connected** and with the updated sensor version.
-
-Your legacy sensors will continue to appear in the **Sites and sensors** page until you delete them. For more information, see [Manage on-boarded sensors](how-to-manage-sensors-on-the-cloud.md#manage-on-boarded-sensors).
-
-> [!NOTE]
-> After upgrading to version 22.1.x, the new upgrade log can be found at the following path, accessed via SSH and the *cyberx_host* user: `/opt/sensor/logs/legacy-upgrade.log`.
->
## Forward sensor failure alerts You can forward alerts to third parties to provide details about:
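Review bot: Deleting this section also deletes operational details that are easy to lose in a move: the legacy upgrade path (3.1.1 to 10.5.5, then a 22.x version), the statement that the system is rebooted twice during the update, and the note giving the upgrade log location `/opt/sensor/logs/legacy-upgrade.log` for the *cyberx_host* user. Please confirm each of these is present in `update-ot-software.md`, and that links in other articles to the removed `#update-a-standalone-sensor-version` anchor are redirected.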
To access system properties:
3. Select **System Properties** from the **General** section.
+## Download a diagnostics log for support
+
+This procedure describes how to download a diagnostics log to send to support in connection with a specific support ticket.
+
+This feature is supported for the following sensor versions:
+
+- **22.1.1** - Download a diagnostic log from the sensor console
+- **22.1.3** - For locally-managed sensors, [upload a diagnostics log](how-to-manage-sensors-on-the-cloud.md#upload-a-diagnostics-log-for-support-public-preview) from the **Sites and sensors** page in the Azure portal. This file is automatically sent to support when you open a ticket on a cloud-connected sensor.
+
+**To download a diagnostics log**:
+
+1. On the sensor console, select **System settings** > **Backup & Restore** > **Backup**.
+
+1. Under **Logs**, select **Support Ticket Diagnostics**, and then select **Export**.
+
+ :::image type="content" source="media/release-notes/support-ticket-diagnostics.png" alt-text="Screenshot of the Backup & Restore pane showing the Support Ticket Diagnostics option." lightbox="media/release-notes/support-ticket-diagnostics.png":::
+
+1. For a locally-managed sensor, version 22.1.3 or higher, continue with [Upload a diagnostics log for support](how-to-manage-sensors-on-the-cloud.md#upload-a-diagnostics-log-for-support-public-preview).
## Next steps For more information, see:
+- [Activate and set up your sensor](how-to-activate-and-set-up-your-sensor.md)
+- [Connect your OT sensors to the cloud](connect-sensors.md)
+- [Track sensor activity](how-to-track-sensor-activity.md)
+- [Update OT system software](update-ot-software.md)
+- [Manage sensors with Defender for IoT in the Azure portal](how-to-manage-sensors-on-the-cloud.md)
- [Threat intelligence research and packages](how-to-work-with-threat-intelligence-packages.md)- - [Manage sensors from the management console](how-to-manage-sensors-from-the-on-premises-management-console.md)
+- [Troubleshoot the sensor and on-premises management console](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md)
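Review bot: The version list in the new "Download a diagnostics log for support" section reads as if the feature exists only on exactly 22.1.1 and 22.1.3, while step 3 says "version 22.1.3 or higher"; if the feature applies from those versions onward, the list should say "or higher" as well. The 22.1.3 bullet also opens with locally-managed sensors and ends with a sentence about cloud-connected sensors, which would be clearer as two bullets, and "diagnostic log" in the 22.1.1 bullet should be "diagnostics log" to match the heading.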
defender-for-iot How To Manage Sensors From The On Premises Management Console https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-sensors-from-the-on-premises-management-console.md
Title: Manage sensors from the on-premises management console description: Learn how to manage sensors from the management console, including updating sensor versions, pushing system settings to sensors, managing certificates, and enabling and disabling engines on sensors. Previously updated : 04/28/2022 Last updated : 06/02/2022 # Manage sensors from the management console
-This article describes how to manage sensors from the management console, including:
+This article describes how to manage OT sensors from an on-premises management console, such as pushing system settings to individual sensors, or enabling or disabling specific engines on your sensors.
-- Push system settings to sensors--- Enable and disable engines on sensors--- Update sensor versions
+For more information, see [Next steps](#next-steps).
## Push configurations
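Review bot: The unchanged `description:` line still lists "updating sensor versions" although the new intro drops that task and the "Update sensor versions" section is deleted further down. Suggest updating the description, and giving the bare "For more information, see [Next steps](#next-steps)" sentence some indication of what the reader will find there.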
You can define the following sensor system settings from the management console:
1. Select **Save**.
-## Update sensor versions
-
-You can update several sensors simultaneously from the on-premises management console.
-
-If you're upgrading an on-premises management console and managed sensors, first update the management console, and then update the sensors. The sensor update process won't succeed if you don't update the on-premises management console first.
-
-**To update several sensors**:
-
-1. Verify that you've already updated the on-premises management console to the version that you're updating the sensors. For more information, see [Update the software version](how-to-manage-the-on-premises-management-console.md#update-the-software-version).
-
-1. On the Azure portal, go to **Defender for IoT** > **Updates**. Under **Sensors**, select **Download** and save the file.
- :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/update-screen.png" alt-text="Screenshot of the Updates page.":::
-1. Sign in to the on-premises management console, and select **System Settings**.
-
-1. Under **Sensor Engine Configuration**, select any sensor you want to update, and then select **Automatic Version Updates** > **Save Changes**. For example:
-
- :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/automatic-updates.png" alt-text="Screenshot of on-premises management console with Automatic Version Updates selected." lightbox="media/how-to-manage-sensors-from-the-on-premises-management-console/automatic-updates.png":::
-
-1. On the right, select **Version** update, and then browse to and select the update file you'd downloaded from the Azure portal.
-
-Monitor the update status of each sensor connected to your on-premises management console in the **Site Management** page. For any update that failed, reattempt the update or open a support ticket for assistance.
-
-## Update threat intelligence packages
+## Update threat intelligence packages
The data package for threat intelligence is provided with each new Defender for IoT version, or if needed between releases. The package contains signatures (including malware signatures), CVEs, and other security content.
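Review bot: The deleted "Update sensor versions" section carried an ordering requirement: the on-premises management console must be updated before its sensors, or the sensor update won't succeed. Please confirm that warning survives in the article that now covers updates (`update-ot-software.md`, added to the Next steps list in this change).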
To restore by using the CLI:
## Next steps
-For more information, see [Manage individual sensors](how-to-manage-individual-sensors.md).
+For more information, see:
+
+- [Manage individual sensors](how-to-manage-individual-sensors.md)
+- [Activate and set up your sensor](how-to-activate-and-set-up-your-sensor.md)
+- [Connect your OT sensors to the cloud](connect-sensors.md)
+- [Track sensor activity](how-to-track-sensor-activity.md)
+- [Update OT system software](update-ot-software.md)
+- [Manage sensors with Defender for IoT in the Azure portal](how-to-manage-sensors-on-the-cloud.md)
+- [Threat intelligence research and packages](how-to-work-with-threat-intelligence-packages.md)
+- [Troubleshoot the sensor and on-premises management console](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md)
+
defender-for-iot How To Manage Sensors On The Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-sensors-on-the-cloud.md
Title: Manage sensors with Defender for IoT in the Azure portal
-description: Learn how to onboard, view, and manage sensors with Defender for IoT in the Azure portal.
Previously updated : 03/30/2022
+description: Learn how to view, and manage sensors with Defender for IoT in the Azure portal.
Last updated : 06/02/2022 # Manage sensors with Defender for IoT in the Azure portal
-This article describes how to onboard, view, and manage sensors with [Defender for IoT in the Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started).
+This article describes how to view and manage sensors with [Defender for IoT in the Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started).
## Purchase sensors or download software for sensors
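Review bot: "Learn how to view, and manage sensors" in the new `description:` has a stray comma after "view". Also, both the description and the intro drop "onboard", yet the article still has an "## Onboard sensors" section in the unchanged context below; either keep onboarding in the summary or move that section out along with it.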
This procedure describes how to use the Azure portal to contact vendors for pre-
1. Install your software. For more information, see [Defender for IoT installation](how-to-install-software.md). + ## Onboard sensors Onboard a sensor by registering it with Microsoft Defender for IoT. For OT sensors, you'll also need to download a sensor activation file.
For more information, see [Activate and set up your sensor](how-to-activate-and-
1. In the **Sensor version** field, select which software version is installed on your sensor machine. We recommend that you select **22.X and above** to get all of the latest features and enhancements.
- If you haven't yet upgraded to version 22.x, see [Update a standalone sensor version](how-to-manage-individual-sensors.md#update-a-standalone-sensor-version) and [Reactivate a sensor for upgrades to version 22.x](#reactivate-a-sensor-for-upgrades-to-version-22x-from-a-legacy-version).
+ If you haven't yet upgraded to version 22.x, see [Update Defender for IoT OT monitoring software](update-ot-software.md).
1. In the **Site** section, select the **Resource name** and enter the **Display name** for your site. Add any tags as needed to help you identify your sensor.
Make the downloaded activation file accessible to the sensor console admin so th
> As opposed to OT sensors, where you define your sensor's site, all Enterprise IoT sensors are automatically added to the **Enterprise network** site.
-## Manage on-boarded sensors
-
-Sensors that you've on-boarded to Defender for IoT are listed on the Defender for IoT **Sites and sensors** page. This page supports the following management tasks:
--- **Export sensor data**. To export a CSV file with details about all sensors listed, select **Export** at the top of the page.--- **Edit sensor details**. To edit a sensor zone, or to toggle on/off the **Automatic Threat Intelligence Update** option, select the **...** options menu at the right of a sensor row > **Edit**.
- Make your changes as needed and select **Save**.
+## Sensor management options from the Azure portal
-- **Delete a sensor**. Delete sensors if you're no longer working with them. Select the **...** options menu at the right of a sensor row > **Delete sensor**.
+Sensors that you've on-boarded to Defender for IoT are listed on the Defender for IoT **Sites and sensors** page. From the **Sites and sensors** page, do any of the following:
-- **Download an activation file**. You'll need to download a new activation file for your sensor if you want to [reactivate the sensor](#reactivate-a-sensor). Select the **...** options menu at the right of a sensor row > **Download activation file**.
+|Task |Steps |
+|||
+| **Push threat intelligence updates** | Select your sensor in the grid > **Push Threat Intelligence update**. For more information, see [Threat intelligence research and packages](how-to-work-with-threat-intelligence-packages.md). |
+|**Prepare an OT sensor to update to software version 22.x or higher** | Select your sensor in the grid > **Prepare to update to 22.X**. For more information, see: <br><br>-[Reactivate a sensor for upgrades to version 22.x from a legacy version](how-to-manage-sensors-on-the-cloud.md#reactivate-an-ot-sensor-for-upgrades-to-version-22x-from-a-legacy-version)<br>- [Update Defender for IoT OT monitoring software](update-ot-software.md#download-and-apply-a-new-activation-file) |
+|**Export sensor data** |Select **Export** at the top of the page. A CSV file is downloaded with details about all sensors listed. |
+|**Download an activation file** | From the **...** options menu at the right of a sensor row. For more information, see [Reactivate a sensor](#reactivate-a-sensor). |
+|**Edit a sensor zone** | From the **...** options menu at the right of a sensor row, select **Edit**. From the **Zone** menu, select a zone, or **Create new zone**. Select **Submit** to save your changes. |
+|**Edit automatic threat intelligence updates** | From the **...** options menu at the right of a sensor row, select **Edit**. Toggle the **Automatic Threat Intelligence Updates (Preview)** option on or off as needed. Select **Submit** to save your changes. |
+|**Delete a sensor** | Delete sensors only if you're no longer working with them. From the **...** options menu at the right of a sensor row, select **Delete sensor**. |
-- **Prepare to update to 22.X**. Use this option specifically when upgrading sensors to version 22.x. For more information, see [below](#reactivate-a-sensor-for-upgrades-to-version-22x-from-a-legacy-version). ## Reactivate a sensor
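Review bot: In the new task table, the **Download an activation file** row gives only a location ("From the **...** options menu at the right of a sensor row.") and no action, whereas the removed bullet ended with "> **Download activation file**". Add the menu item to select so the row is a complete step like the **Delete a sensor** row. In the **Prepare an OT sensor to update** row, the first list link is missing the space after the dash (`-[Reactivate`) and is written with a full `how-to-manage-sensors-on-the-cloud.md#...` path while the **Download an activation file** row uses a bare `#reactivate-a-sensor` anchor; if both targets are in this article, use the bare anchor form for both.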
You may need to reactivate your sensor because you want to:
In such cases, do the following:
-1. [Delete your existing sensor](#manage-on-boarded-sensors).
-1. [Onboard your sensor](#onboard-sensors), registering it again with any new settings.
+1. [Delete your existing sensor](#sensor-management-options-from-the-azure-portal).
+1. [Onboard the sensor again](onboard-sensors.md#onboard-ot-sensors), registering it with any new settings.
1. [Upload your new activation file](how-to-manage-individual-sensors.md#upload-new-activation-files).
-### Reactivate a sensor for upgrades to version 22.x from a legacy version
+### Reactivate an OT sensor for upgrades to version 22.x from a legacy version
-If you're updating your sensor version from a legacy version to 22.1.x or higher, you'll need a different activation procedure than for earlier releases.
+If you're updating your OT sensor version from a legacy version to 22.1.x or higher, you'll need a different activation procedure than for earlier releases.
-Make sure that you've started with the relevant updates steps for this update. For more information, see [Update a standalone sensor version](how-to-manage-individual-sensors.md#update-a-standalone-sensor-version).
+Make sure that you've started with the relevant updates steps for this update. For more information, see [Update OT system software](update-ot-software.md).
> [!NOTE] > After upgrading to version 22.1.x, the new upgrade log can be found at the following path, accessed via SSH and the *cyberx_host* user: `/opt/sensor/logs/legacy-upgrade.log`. >
+## Upload a diagnostics log for support (Public preview)
+
+If you need to open a support ticket for a locally managed sensor, upload a diagnostics log to the Azure portal for the support team.
+
+> [!TIP]
+> For cloud-connected sensors, the diagnostics log is automatically available to your support team when you open a support ticket.
+>
+
+**To upload a diagnostics report**:
+
+1. Make sure you have the diagnostics report available for upload. For more information, see [Download a diagnostics log for support](how-to-manage-individual-sensors.md#download-a-diagnostics-log-for-support).
+
+1. In Defender for IoT in the Azure portal, go to the **Sites and sensors** page and select the locally-managed sensor that's related to your support ticket.
+
+1. For your selected sensor, select the **...** options menu on the right > **Send diagnostic files to support (Preview)**. For example:
+
+ :::image type="content" source="media/how-to-manage-sensors-on-the-cloud/upload-diagnostics-log.png" alt-text="Screenshot of the send diagnostic files to support option." lightbox="media/how-to-manage-sensors-on-the-cloud/upload-diagnostics-log.png":::
++ ## Next steps [View and manage alerts on the Defender for IoT portal (Preview)](how-to-manage-cloud-alerts.md)
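Review bot: The new diagnostics section names the same artifact three ways: the heading says "diagnostics log", the procedure lead-in and step 1 say "diagnostics report", and the menu item is **Send diagnostic files to support (Preview)**. Use one term in the prose (the linked section is titled "Download a diagnostics log for support") and keep the menu label exactly as the UI shows it. The heading also says "(Public preview)" where the menu label says "(Preview)"; align the two.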
defender-for-iot How To Manage Subscriptions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-subscriptions.md
Title: Manage subscriptions
-description: Subscriptions consist of managed committed devices and can be onboarded or offboarded as needed.
+ Title: Manage Defender for IoT plans on Azure subscriptions
+description: Manage Defender for IoT plans on your Azure subscriptions.
Last updated 11/09/2021
-# Manage Defender for IoT subscriptions
+# Manage Defender for IoT plans
-Your Defender for IoT deployment is managed through your Microsoft Defender for IoT account subscriptions. You can onboard, edit, and offboard your subscriptions to Defender for IoT in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started).
+Your Defender for IoT deployment is managed through a Microsoft Defender for IoT plan on your Azure subscriptions. You can onboard, edit, and cancel a Defender for IoT plan from your subscriptions in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started).
-For each subscription, you'll be asked to define a number of *committed devices*. Committed devices are the approximate number of devices that will be monitored in your enterprise.
+For each plan, you'll be asked to define the number of *committed devices*. Committed devices are the approximate number of devices that will be monitored in your enterprise.
> [!NOTE] > If you've come to this page because you are a [former CyberX customer](https://blogs.microsoft.com/blog/2020/06/22/microsoft-acquires-cyberx-to-accelerate-and-secure-customers-iot-deployments) and have questions about your account, reach out to your account manager for guidance.
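Review bot: The rewritten intro still deep-links to the `Getting_Started` blade, but every procedure added later in this article starts at **Defender for IoT** > **Plans and pricing**. Point the intro link at the page the reader will actually work from, or name that page in the sentence so the link and the steps agree.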
For each subscription, you'll be asked to define a number of *committed devices*
You're billed based on the number of committed devices associated with each subscription.
-The billing cycle for Microsoft Defender for IoT follows a calendar month. Changes you make to committed devices during the month are implemented one hour after confirming your update, and are reflected in your monthly bill. Subscription *offboarding* also takes effect one hour after confirming the offboard.
+The billing cycle for Microsoft Defender for IoT follows a calendar month. Changes you make to committed devices during the month are implemented one hour after confirming your update and are reflected in your monthly bill. Removal of Defender for IoT from a subscription also takes effect one hour after canceling a plan.
-Your enterprise may have more than one paying entity. If this is the case you can onboard more than one subscription.
+Your enterprise may have more than one paying entity. If so, you can onboard, edit, or cancel a plan for more than one subscription.
-Before you subscribe, you should have a sense of how many devices you would like your subscriptions to cover.
+Before you add a plan or services, we recommend that you have a sense of how many devices you would like to monitor. If you're working with OT networks, see [Best practices for planning your OT network monitoring](plan-network-monitoring.md).
-Users can also work with trial subscription, which supports monitoring a limited number of devices for 30 days. See [Microsoft Defender for IoT pricing](https://azure.microsoft.com/pricing/details/iot-defender/) information on committed device prices.
+Users can also work with a trial commitment, which supports monitoring a limited number of devices for 30 days. For more information, see the [Microsoft Defender for IoT pricing page](https://azure.microsoft.com/pricing/details/iot-defender/).
### What's a device? [!INCLUDE [devices-inventoried](includes/devices-inventoried.md)]
-## Requirements
+## Prerequisites
-Before you onboard a subscription, verify that:
+Before you onboard a plan, verify that:
- Your Azure account is set up.-- You have the required Azure user permissions.
+- You have the required Azure [user permissions](getting-started.md#permissions).
### Azure account subscription requirements To get started with Microsoft Defender for IoT, you must have a Microsoft Azure account subscription.
-If you do not have a subscription, you can sign up for a free account. For more information see, https://azure.microsoft.com/free/.
+If you don't have a subscription, you can sign up for a free account. For more information, see https://azure.microsoft.com/free/.
-If you already have access to an Azure subscription, but it isn't listed when subscribing to Defender for IoT, check your account details and confirm your permissions with the subscription owner. See https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade.
+If you already have access to an Azure subscription, but it isn't listed when adding a Defender for IoT plan, check your account details and confirm your permissions with the subscription owner. For more information, see https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade.
### User permission requirements
-Azure **Subscription Owners** and **Subscription Contributor**s can onboard, update, and offboard Microsoft Defender for IoT subscriptions.
+Azure **Security admin**, **Subscription owners** and **Subscription contributors** can onboard, update, and remove Defender for IoT. For more information on user permissions, see [Defender for IoT user permissions](getting-started.md#permissions).
### Calculate the number of devices you need to monitor
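Review bot: In the rewritten permissions sentence, the role list mixes singular and plural and changes the casing of the role names ("**Security admin**, **Subscription owners** and **Subscription contributors**", previously "**Subscription Owners**"). This sentence decides who may onboard, update, and remove monitoring on a subscription, so spell each role exactly as it appears in the linked permissions section. The two rewritten "see https://..." sentences above it still use bare URLs, and the second one sends the reader to a portal blade under "For more information"; use link text and say that it opens the subscriptions list.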
Collect the total number of devices in your network and remove:
For more information, see [What's a device?](#whats-a-device)
-## Onboard a trial subscription
+## Onboard a Defender for IoT plan to a subscription
-If you would like to evaluate Defender for IoT, you can use a trial subscription. The trial is valid for 30 days and supports 1000 committed devices. Using the trial lets you deploy one or more Defender for IoT sensors on your network. Use the sensors to monitor traffic, analyze data, generate alerts, learn about network risks and vulnerabilities, and more. The trial also allows you to download an on-premises management console to view aggregated information generated by sensors.
+This procedure describes how to add a Defender for IoT plan to an Azure subscription.
-This section describes how to create a trial subscription for a sensor.
+**To onboard a Defender for IoT plan to a subscription:**
-**To create a trial subscription:**
+1. In the Azure portal, go to **Defender for IoT** > **Plans and pricing**.
-1. Navigate to [Defender for IoT: Getting started](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started) in the Azure portal.
-1. Select **Onboard subscription**.
-1. In the Pricing page, select **Start with a Trial**.
-1. Select a subscription from the Onboard trial subscription pane and then select **Evaluate**.
-1. Confirm your evaluation.
-1. Onboard a sensor or set up a sensor, if required.
+1. Select **Add plan**.
-## Onboard a subscription
+1. In the **Plan settings** pane, define the plan:
-This section describes how to onboard a subscription.
+ - **Subscription**. Select the subscription where you would like to add a plan.
+ - Toggle on the **OT - Operational / ICS networks** and/or **EIoT - Enterprise IoT for corporate networks** options as needed for your network types.
+ - **Price plan**. Select a monthly or annual commitment, or a [trial](#about-defender-for-iot-trials). Microsoft Defender for IoT provides a 30-day free trial for the first 1,000 committed devices for evaluation purposes.
+
+ For more information, see the [Microsoft Defender for IoT pricing page](https://azure.microsoft.com/pricing/details/iot-defender/).
-**To onboard a subscription:**
+ - **Committed sites** (for OT annual commitment only). Enter the number of committed sites.
-1. Go to [Defender for IoT: Getting started](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started) in the Azure portal.
-1. Select **Onboard subscription**.
-1. In the Pricing page, select **Subscribe**.
-1. In the **Onboard subscription** pane, select a subscription and the number of committed devices from the drop-down menu.
+ - **Number of devices**. If you selected a monthly or annual commitment, enter the number of devices you'll want to monitor. If you selected a trial, this section doesn't appear as you have a default of 1000 devices.
- :::image type="content" source="media/how-to-manage-subscriptions/onboard-subscription.png" alt-text="select your subscription and the number of committed devices." lightbox="media/how-to-manage-subscriptions/onboard-subscription.png":::
+ :::image type="content" source="media/how-to-manage-subscriptions/onboard-plan.png" alt-text="Screenshot of adding a plan to your subscription. ":::
-1. Select **Subscribe**.
-1. Confirm your subscription.
-1. If you haven't done so already, onboard a sensor or Set up a sensor.
+1. Select **Next**.
-## Update committed devices in a subscription
+1. **Review & purchase**. Review the listed charges for your selections and **accept the terms and conditions**.
-You may need to update your subscription with more committed devices, or fewer committed devices. More devices may require monitoring if, for example, you are increasing existing site coverage, discovered more devices than expected or there are network changes such as adding switches.
+1. Select **Purchase**.
-**To update a subscription:**
-1. Go to [Defender for IoT: Getting started](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started) in the Azure portal.
-1. Select **Onboard subscription**.
-1. Select the subscription, and then select the three dots (...).
-1. Select **Edit**.
-1. Update the committed devices and select **Save**.
-2. In the confirmation dialog box that opens, select **Confirm.**
+Your plan will be shown under the associated subscription in the **Plans and pricing** grid.
-Changes in device commitment will take effect one hour after confirming the change. Billing for these changes will be reflected at the beginning of the month following confirmation of the change.
+### About Defender for IoT trials
-You will need to upload a new activation file to your on-premises management console. The activation file reflects the new number of committed devices. See[Upload an activation file](how-to-manage-the-on-premises-management-console.md#upload-an-activation-file).
+If you would like to evaluate Defender for IoT, you can use a trial commitment. The trial is valid for 30 days and supports 1000 committed devices. Using the trial lets you deploy one or more Defender for IoT sensors on your network. Use the sensors to monitor traffic, analyze data, generate alerts, learn about network risks and vulnerabilities, and more. The trial also allows you to download an on-premises management console to view aggregated information generated by sensors.
+
-## Offboard a subscription
+## Edit a plan
-You may need to offboard a subscription, for example if you need to work with a new payment entity. Subscription offboarding takes effect one hour after confirming the offboard. Your upcoming monthly bill will reflect this change.
+You may need to make changes to your plan, such as to update the number of committed devices or committed sites, change your plan commitment, or remove OT or Enterprise IoT from your plan.
-Remove all sensors that are associated with the subscription prior to offboarding. For more information on how to delete a sensor, see [Delete a sensor](how-to-manage-sensors-on-the-cloud.md#manage-on-boarded-sensors).
+For example, you may have more devices that require monitoring if you're increasing existing site coverage, have discovered more devices than expected, or there are network changes such as adding switches. If the actual number of devices exceeds the number of committed devices on your plan, you'll see a warning on the **Plans and pricing** page, and will need to adjust the number of committed devices on your plan accordingly.
-**To offboard a subscription:**
+**To edit a plan:**
-1. Go to [Defender for IoT: Getting started](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started) in the Azure portal.
-1. Select the subscription, and then select the three dots (...).
+1. In the Azure portal, go to **Defender for IoT** > **Plans and pricing**.
-1. Select **Offboard subscription**.
+1. On the subscription row, select the options menu (**...**) at the right.
-1. In the confirmation popup, select the checkbox to confirm you have deleted all sensors associated with the subscription.
+1. Select **Edit plan**.
- :::image type="content" source="media/how-to-manage-sensors-on-the-cloud/offboard-popup.png" alt-text="Select the checkbox and select offboard to offboard your sensor.":::
+1. Make your changes as needed:
+ - Update the number of committed devices
+ - Update the number of sites (OT only)
+ - Remove an OT or Enterprise IoT network from your plan by toggling off the **OT - Operational / ICS networks** or **EIoT - Enterprise IoT for corporate networks** options as needed.
-1. Select **Offboard**.
+1. Select **Next**.
-## Apply a new subscription
+1. On the **Review & purchase** pane, review your selections, and then accept the terms and conditions.
-Business considerations may require that you apply a different subscription to your deployment than the one currently being used. If you change the subscription, you will need to upload a new sensor activation file. The file contains information on subscription expiration dates.
+1. Select **Save**.
-**To apply a new subscription:**
+Changes to your plan will take effect one hour after confirming the change. Billing for these changes will be reflected at the beginning of the month following confirmation of the change.
+
+> [!NOTE]
+> **For an on-premises management console:**
+ After any changes are made, you will need to upload a new activation file to your on-premises management console. The activation file reflects the new number of committed devices. For more information, see [Upload an activation file](how-to-manage-the-on-premises-management-console.md#upload-an-activation-file).
++
+## Cancel a Defender for IoT plan from a subscription
+
+You may need to cancel a Defender for IoT plan from your Azure subscription, for example, if you need to work with a new payment entity. Your changes take effect one hour after confirmation. Your upcoming monthly bill will reflect this change.
+This option removes all Defender for IoT services from the subscription, including both OT and Enterprise IOT services.
+
+Delete all sensors that are associated with the subscription prior to removing the plan. For more information, see [Sensor management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#sensor-management-options-from-the-azure-portal).
+
+**To cancel Defender for IoT from a subscription:**
+
+1. In the Azure portal, go to **Defender for IoT** > **Plans and pricing**.
+
+1. On the subscription row, select the options menu (**...**) at the right.
+
+1. Select **Cancel plan**.
+
+1. In the plan cancellation dialog, confirm that you've removed all associated sensors, and then select **Confirm cancellation** to remove the Defender for IoT plan from the subscription.
++
+## Move existing sensors to a different subscription
+
+Business considerations may require that you apply your existing IoT sensors to a different subscription than the one youΓÇÖre currently using. To do this, you'll need to onboard a new plan and register the sensors under the new subscription, and then remove them from the old subscription. This process may include some downtime, and historic data isn't migrated.
+
+**To switch to a new subscription**:
+
+1. [Onboard a new plan to the new subscription you want to use](#onboard-a-defender-for-iot-plan-to-a-subscription). To avoid double billing, onboard the new plan as a [trial](#about-defender-for-iot-trials) until you've removed the sensors from the legacy subscription.
+
+1. Register your sensors under the new subscription. For more information, see [Set up an Enterprise IoT sensor](tutorial-getting-started-eiot-sensor.md#set-up-an-enterprise-iot-sensor).
+
+1. [Upload a new activation](how-to-manage-individual-sensors.md#upload-new-activation-files) file for your sensors.
+
+1. Delete the sensor identities from the legacy subscription. For more information, see [Sensor management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#sensor-management-options-from-the-azure-portal)..
+
+1. If relevant, [cancel the Defender for IoT plan](#cancel-a-defender-for-iot-plan-from-a-subscription) from the legacy subscription.
-1. Delete the subscription currently being used.
-1. Select a new subscription.
-1. Download an activation file for the sensor associated with the subscription.
-1. Upload the activation file to the sensor.
## Next steps - [Manage sensors with Defender for IoT in the Azure portal](how-to-manage-sensors-on-the-cloud.md) - [Activate and set up your on-premises management console](how-to-activate-and-set-up-your-on-premises-management-console.md)+
+- [Create an additional Azure subscription](/azure/cost-management-billing/manage/create-subscription)
+
+- [Upgrade your Azure subscription](/azure/cost-management-billing/manage/upgrade-azure-subscription)
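Review bot: In "Move existing sensors to a different subscription", the "Register your sensors under the new subscription" step links only to the Enterprise IoT sensor setup, yet the next step has the reader upload a new activation file, which the sensor onboarding text in this same update ties to OT sensors; add the OT onboarding link to the register step or state which sensor types the procedure covers. Smaller points in the same block: the "Delete the sensor identities" step ends with `..`, the cancel section writes "Enterprise IOT" where the rest of the article uses "Enterprise IoT", the link text in "[Upload a new activation](...) file" leaves "file" outside the link, and in the **For an on-premises management console** note the body line beginning "After any changes are made" has no `>` prefix as shown, so it will render outside the note.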
defender-for-iot How To Manage The Alert Event https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-the-alert-event.md
Title: Manage alert events
-description: Manage alerts detected in your network.
+ Title: Manage alert events from the sensor console - Microsoft Defender for IoT
+description: Manage alerts detected in your network from a Defender for IoT sensor.
Last updated 02/06/2022
-# Manage alerts
+# Manage alerts from the sensor console
-This article describes how to manage alerts.
+This article describes how to manage alerts from the sensor console.
## About managing alerts
defender-for-iot How To Manage The On Premises Management Console https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-the-on-premises-management-console.md
Title: Manage the on-premises management console description: Learn about on-premises management console options like backup and restore, defining the host name, and setting up a proxy to sensors. Previously updated : 11/09/2021 Last updated : 06/02/2022
You onboard the on-premises management console from the Azure portal.
## Download software for the on-premises management console
-This procedure describes how to use the Azure portal to download software for you to install on your own appliances for an on-premises management console.
+You may need to download software for your on-premises management console if you're installing Defender for IoT software on your own appliances, or updating software versions.
-1. In the Azure portal, go to **Defender for IoT** > **Getting started** > **On-premises management console**.
+**To download on-premises management console software**:
-1. Make sure that you have a supported appliance available. For more information, see [Which appliances do I need?](ot-appliance-sizing.md).
+1. In the Azure portal, go to **Defender for IoT** > **Getting started** > **On-premises management console** or **Updates**.
-1. Under **Select version**, select the software version you want to install. We recommend that you always select the most recent version.
+1. Select **Download** for your on-premises management console software update. Save your `management-secured-patcher-<version>.tar` file locally. For example:
-1. Select **Download**. Download the sensor software and save it in a location that you can access from your selected appliance.
-
-1. Install your software. For more information, see [Defender for IoT installation](how-to-install-software.md).
+ :::image type="content" source="media/update-ot-software/on-premises-download.png" alt-text="Screenshot of the Download option for the on-premises management console." lightbox="media/update-ot-software/on-premises-download.png":::
## Upload an activation file
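Review bot: The rewritten download procedure covers only the update package (`management-secured-patcher-<version>.tar`), although the new intro says the download is also for installing Defender for IoT software on your own appliances. The removed steps for confirming a supported appliance, choosing a version, and installing the software have no replacement in this section. Add the fresh-install path back, or link to the install article from here rather than only from **Next steps**.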
After initial activation, the number of monitored devices might exceed the numbe
**To upload an activation file:**
-1. Go to the Microsoft Defender for IoT **Pricing** page.
+1. Go to the Microsoft Defender for IoT **Plans and pricing** page.
1. Select the **Download the activation file for the management console** tab. The activation file is downloaded. :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/cloud_download_opm_activation_file.png" alt-text="Download the activation file.":::
To reset your password:
> [!NOTE] > The sensor is linked to the subscription that it was originally connected to. You can recover the password only by using the same subscription that it's attached to.
-## Update the software version
-
-The following procedure describes how to update the on-premises management console software version. The update process takes about 30 minutes.
-
-If you are working with an on-premises management console and managed sensors, **update the management console first**.
-
-1. Go to the [Azure portal](https://portal.azure.com/).
-
-1. Go to Defender for IoT.
-
-1. Go to the **Updates** page.
-
-1. Select a version from the on-premises management console section.
-
-1. Select **Download** and save the file.
-
-1. Sign into the on-premises management console and select **System Settings** from the side menu.
-
-1. On the **Version Update** pane, select **Update**.
-
-1. Select the file that you downloaded from the Defender for IoT **Updates** page.
## Mail server settings
To define:
`mail.sender=` 1. Enter the SMTP server name and sender and select enter. + ## Next steps For more information, see: -- [Manage sensors from the management console](how-to-manage-sensors-from-the-on-premises-management-console.md)-
+- [Install OT system software](how-to-install-software.md)
+- [Update OT system software](update-ot-software.md)
- [Manage individual sensors](how-to-manage-individual-sensors.md)
+- [Manage sensors from the management console](how-to-manage-sensors-from-the-on-premises-management-console.md)
+- [Troubleshoot the sensor and on-premises management console](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md)
defender-for-iot How To Set Up High Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-set-up-high-availability.md
Perform the update in the following order. Make sure each step is complete befor
sudo cyberx-management-trusted-hosts-apply ```
-1. Update both the primary and secondary appliances to the new version. For more information, see [Update the software version](how-to-manage-the-on-premises-management-console.md#update-the-software-version).
+1. Update both the primary and secondary appliances to the new version. For more information, see [Update an on-premises management console](update-ot-software.md#update-an-on-premises-management-console).
1. Set up high availability again, on both the primary and secondary appliances. For more information, see [Create the primary and secondary pair](#create-the-primary-and-secondary-pair).
defender-for-iot How To Set Up Your Network https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-set-up-your-network.md
Title: Prepare your OT network for Microsoft Defender for IoT description: Learn about solution architecture, network preparation, prerequisites, and other information needed to ensure that you successfully set up your network to work with Microsoft Defender for IoT appliances. Previously updated : 02/22/2022 Last updated : 06/02/2022
Before performing the procedures in this article, make sure that you understand
- [Microsoft Defender for IoT system architecture](architecture.md) - [Sensor connection methods](architecture-connections.md)-- [Best practices for planning your OT network monitoring](plan-network-monitoring.md)
+- [Best practices for planning your OT network monitoring](best-practices/plan-network-monitoring.md)
## On-site deployment tasks
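Review bot: The prerequisite link is changed to `best-practices/plan-network-monitoring.md`, while the how-to-manage-subscriptions change in this same update adds a link to `plan-network-monitoring.md` with no subfolder. Both articles sit in the same `organizations` folder, so one of the two relative paths is wrong. Confirm where the file lives and align both links.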
Use the following tables to ensure that required firewalls are open on your work
| Protocol | Transport | In/Out | Port | Purpose | Source | Destination | |--|--|--|--|--|--|--|
-| HTTPS | TCP | Out | 443 | Access to Azure | Sensor | `*.azure-devices.net`<br> `*.blob.core.windows.net`<br> `*.servicebus.windows.net` |
+| HTTPS | TCP | Out | 443 | Access to Azure | Sensor | `*.azure-devices.net`<br> `*.blob.core.windows.net`<br> `*.servicebus.windows.net`<br> `download.microsoft.com` |
+| HTTPS | TCP | Out | 443 | Remote sensor upgrades from the Azure portal | Sensor| `download.microsoft.com`|
### Sensor access to the on-premises management console
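Review bot: `download.microsoft.com` is added twice, once appended to the destinations of the "Access to Azure" row and again as its own "Remote sensor upgrades from the Azure portal" row. Keep it only in the dedicated row, so that each allowed outbound destination maps to one stated purpose and a reader building firewall rules can leave it out when remote upgrades aren't used. The new row also writes `Sensor|` and `` `download.microsoft.com`| `` without the cell spacing used in the row above.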
defender-for-iot How To View Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-view-alerts.md
Title: View alerts details on the sensor Alerts page description: View alerts detected by your Defender for IoT sensor. Previously updated : 02/06/2022 Last updated : 06/02/2022
If your deployment was set up to work with cloud-connected sensors, Alert detect
Viewing alerts in the portal provides significant advantages. For example, it lets you: - Display an aggregated view of alert activity in all enterprise sensors-- learn about related MITRE ATT&CK techniques, tactics and stages
+- Understand related MITRE ATT&CK techniques, tactics and stages
- View alerts based on the site - Change the severity of an alert
You can manage an alert incident by:
- Changing the status of an alert. -- Instructing sensors to learn, acknowledge or mute activity detected.
+- Instructing sensors to learn, close, or mute activity detected.
- Create alert groups for display at SOC solutions.
defender-for-iot How To Work With Threat Intelligence Packages https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-work-with-threat-intelligence-packages.md
Title: Update threat intelligence data description: The threat intelligence data package is provided with each new Defender for IoT version, or if needed between releases. Previously updated : 11/09/2021 Last updated : 06/02/2022
-# Threat intelligence research and packages #
-## Overview ##
+# Threat intelligence research and packages
+## Overview
Security teams at Microsoft carry out proprietary ICS threat intelligence and vulnerability research. These teams include MSTIC (Microsoft Threat Intelligence Center), DART (Microsoft Detection and Response Team), DCU (Digital Crimes Unit), and Section 52 (IoT/OT/ICS domain experts that track ICS-specific zero-days, reverse-engineering malware, campaigns, and adversaries)
Security teams gain the benefit of:
This intelligence provides contextual information to enrich Microsoft platform analytics and supports the company's managed services for incident response and breach investigation. Threat intelligence packages contain signatures (including malware signatures), CVEs, and other security content.
-## When are packages delivered ##
+## When are packages delivered
Threat intelligence packages are provided approximately once a month, or if needed more frequently. Announcements about new packages are available from: https://techcommunity.microsoft.com/t5/azure-defender-for-iot/bd-p/AzureDefenderIoT. You can also see the most current package delivered from the **Threat intelligence update** section of the **Updates** page on Defender for IoT in the Azure portal.
-## Update threat intelligence packages to your sensors ##
+## Update threat intelligence packages to your sensors
Three options are available for updating threat intelligence packages to your sensors:
Three options are available for updating threat intelligence packages to your se
Users with Defender for IoT Security Reader permissions can automatically and manually push packages to sensors.
-### Automatically push threat intelligence updates to sensors ###
+### Automatically push threat intelligence updates to sensors
Threat intelligence packages can be automatically updated to *cloud connected* sensors as they're released by Defender for IoT. Ensure automatic package update by onboarding your cloud connected sensor with the **Automatic Threat Intelligence Updates** option enabled. For more information, see [Onboard a sensor](tutorial-onboarding.md#onboard-and-activate-the-virtual-sensor).
-### Manually push threat intelligence updates to sensors ###
+### Manually push threat intelligence updates to sensors
Your *cloud connected* sensors can be automatically updated with threat intelligence packages. However, if you would like to take a more conservative approach, you can push packages from Defender for IoT to sensors only when you feel it's required. This gives you the ability to control when a package is installed, without the need to download and then upload it to your sensors.
Your *cloud connected* sensors can be automatically updated with threat intellig
1. Go to the Microsoft Defender for IoT **Sites and Sensors** page. 1. Select the ellipsis (...) for a sensor and then select **Push Threat Intelligence update**. The **Threat Intelligence update status** field displays the update progress.
-#### Change the threat intelligence update mode ####
+#### Change the threat intelligence update mode
You can change the sensor threat intelligence update mode after initial onboarding.
You can change the sensor threat intelligence update mode after initial onboardi
1. Select the ellipsis (...) for a sensor and then select **Edit**. 1. Enable or disable the **Automatic Threat Intelligence Updates** toggle.
-### Download packages and upload to sensors ###
+### Download packages and upload to sensors
Packages can be downloaded the Azure portal and manually uploaded to individual sensors. If the on-premises management console manages your sensors, you can download threat intelligence packages to the management console and push them to multiple sensors simultaneously.
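Review bot: the paragraph under the retitled "Download packages and upload to sensors" heading still reads "Packages can be downloaded the Azure portal", with "from" missing. Fix it in the same pass as the heading cleanup.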
This option is available for both *cloud connected* and *locally managed* sensor
7. Upload the package.
-## Review package update status on the sensor ##
+## Review package update status on the sensor
The package update status and version information are displayed in the sensor **System Settings**, **Threat Intelligence** section.
-## Review package information for cloud connected sensors ##
+## Review package information for cloud connected sensors
Review the following information about threat intelligence packages for your cloud connected sensors:
Review the following information about threat intelligence packages for your clo
- Threat intelligence update mode - Threat intelligence update status
-To review threat intelligence information:
+**To review threat intelligence information**:
1. Go to the Microsoft Defender for IoT **Sites and Sensors** page.+ 1. Review the **Threat Intelligence version** installed on each sensor. Version naming is based on the day the package was built by Defender for IoT.
-1. Review the **Threat Intelligence mode** . *Automatic* indicates that newly available packages will be automatically installed on sensors as they're released by Defender for IoT. *Manual* indicates that you can push newly available packages directly to sensors as needed.
+
+1. Review the **Threat Intelligence mode** . *Automatic* indicates that newly available packages will be automatically installed on sensors as they're released by Defender for IoT.
+
+ *Manual* indicates that you can push newly available packages directly to sensors as needed.
+ 1. Review the **Threat Intelligence update status**. The following statuses may be displayed: -- Failed-- In Progress-- Update Available-- Ok
+ - Failed
+ - In Progress
+ - Update Available
+ - Ok
If cloud connected threat intelligence updates fail, review connection information in the **Sensor status** and **Last connected UTC** columns in the **Sites and Sensors** page.
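Review bot: the rewritten step 3 still reads `**Threat Intelligence mode** .` with a space before the period; remove it while the line is being touched. Now that the *Manual* description is its own paragraph, confirm it is indented to the step text so it stays inside the list item and the numbering of the next step is not reset.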
defender-for-iot Onboard Sensors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/onboard-sensors.md
+
+ Title: Onboard sensors to Defender for IoT in the Azure portal
+description: Learn how to onboard sensors to Defender for IoT in the Azure portal.
Last updated : 06/02/2022+++
+# Onboard sensors to Defender for IoT in the Azure portal
+
+This article describes how to onboard sensors with [Defender for IoT in the Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started).
+
+## Purchase sensors or download software for sensors
+
+This procedure describes how to use the Azure portal to contact vendors for pre-configured appliances, or how to download software for you to install on your own appliances.
+
+1. In the Azure portal, go to **Defender for IoT** > **Getting started** > **Sensor**.
+
+1. Do one of the following:
+
+ - To buy a pre-configured appliance, select **Contact** under **Buy preconfigured appliance**. This opens an email to [hardware.sales@arrow.com](mailto:hardware.sales@arrow.com) with a template request for Defender for IoT appliances. For more information, see [Pre-configured physical appliances for OT monitoring](ot-pre-configured-appliances.md).
+
+ - To install software on your own appliances, do the following:
+
+ 1. Make sure that you have a supported appliance available.
+
+ 1. Under *Select version**, select the software version you want to install. We recommend that you always select the most recent version.
+
+ 1. Select **Download**. Download the sensor software and save it in a location that you can access from your selected appliance.
+
+ 1. Install your software. For more information, see [Defender for IoT installation](how-to-install-software.md).
+
+## Onboard OT sensors
+
+Onboard an OT sensor by registering it with Microsoft Defender for IoT and downloading a sensor activation file.
+
+> [!NOTE]
+> Enterprise IoT sensors also require onboarding and activation, with slightly different steps. For more information, see [Tutorial: Get started with Enterprise IoT](tutorial-getting-started-eiot-sensor.md).
+>
+
+**Prerequisites**: Make sure that you've set up your sensor and configured your SPAN port or TAP. For more information, see [Defender for IoT installation](how-to-install-software.md).
+
+**To onboard your sensor to Defender for IoT**:
+
+1. In the Azure portal, navigate to **Defender for IoT** > **Getting started** and select **Set up OT/ICS Security**. Alternately, from the Defender for IoT **Sites and sensors** page, select **Onboard OT sensor**.
+
+1. By default, on the **Set up OT/ICS Security** page, **Step 1: Did you set up a sensor?** and **Step 2: Configure SPAN port or TAPΓÇï** of the wizard are collapsed. If you haven't completed these steps, do so before continuing.
+
+1. In **Step 3: Register this sensor with Microsoft Defender for IoT** enter or select the following values for your sensor:
+
+ 1. In the **Sensor name** field, enter a meaningful name for your sensor. We recommend including your sensor's IP address as part of the name, or using another easily identifiable name, that can help you keep track between the registration name in the Azure portal and the IP address of the sensor shown in the sensor console.
+
+ 1. In the **Subscription** field, select your Azure subscription.
+
+ 1. Toggle on the **Cloud connected** option to have your sensor connected to other Azure services, such as Microsoft Sentinel, and to push [threat intelligence packages](how-to-work-with-threat-intelligence-packages.md) from Defender for IoT to your sensors.
+
+ 1. In the **Sensor version** field, select which software version is installed on your sensor machine. We recommend that you select **22.X and above** to get all of the latest features and enhancements.
+
+ If you haven't yet upgraded to version 22.x, see [Update Defender for IoT OT monitoring software](update-ot-software.md).
+
+ 1. In the **Site** section, select the **Resource name** and enter the **Display name** for your site. Add any tags as needed to help you identify your sensor.
+
+ 1. In the **Zone** field, select a zone from the menu, or select **Create Zone** to create a new one.
+
+1. Select **Register**.
+
+A success message appears and your activation file is automatically downloaded, and your sensor is now shown under the configured site on the Defender for IoT **Sites and sensors** page.
+
+However, until you activate your sensor, the sensor's status will show as **Pending Activation**.
+
+Make the downloaded activation file accessible to the sensor console admin so that they can activate the sensor. For more information, see [Upload new activation files](how-to-manage-individual-sensors.md#upload-new-activation-files).
+
+## Onboard Enterprise IoT sensors
+
+For more information, see [Tutorial: Get started with Enterprise IoT](tutorial-getting-started-eiot-sensor.md).
+
+## Next steps
+
+- [Activate and set up your sensor](how-to-activate-and-set-up-your-sensor.md)
+- [Manage sensors with Defender for IoT in the Azure portal](how-to-manage-sensors-on-the-cloud.md)
+- [Manage individual sensors](how-to-manage-individual-sensors.md)
+- [View and manage alerts on the Defender for IoT portal (Preview)](how-to-manage-cloud-alerts.md)
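Review bot: step 2 of the download procedure has unbalanced emphasis, `Under *Select version**`, which will not render as bold; it should be `**Select version**` like the other UI labels. In the onboarding wizard step, `**Step 2: Configure SPAN port or TAPΓÇï**` carries stray bytes after "TAP" inside the bold span that should be deleted. The "Onboard Enterprise IoT sensors" section contains only the link already given in the note under "Onboard OT sensors"; either drop the section or add a sentence saying what differs.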
defender-for-iot Ot Appliance Sizing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/ot-appliance-sizing.md
Continue understanding system requirements, including options for ordering pre-c
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](how-to-install-software.md)
defender-for-iot Ot Pre Configured Appliances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/ot-pre-configured-appliances.md
Use the links in the tables below to jump to articles with more details about ea
Microsoft has partnered with [Arrow Electronics](https://www.arrow.com/) to provide pre-configured sensors. To purchase a pre-configured sensor, contact Arrow at: [hardware.sales@arrow.com](mailto:hardware.sales@arrow.com).
-For more information, see [Purchase sensors or download software for sensors](how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+For more information, see [Purchase sensors or download software for sensors](onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
> [!TIP] > Pre-configured physical appliances have been validated for Defender for IoT OT system monitoring, and have the following advantages over installing your own software:
Continue understanding system requirements for physical or virtual appliances. F
Use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](how-to-install-software.md)
defender-for-iot Ot Virtual Appliances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/ot-virtual-appliances.md
Continue understanding system requirements for physical or virtual appliances. F
Then, use any of the following procedures to continue: -- [Purchase sensors or download software for sensors](how-to-manage-sensors-on-the-cloud.md#purchase-sensors-or-download-software-for-sensors)
+- [Purchase sensors or download software for sensors](onboard-sensors.md#purchase-sensors-or-download-software-for-sensors)
- [Download software for an on-premises management console](how-to-manage-the-on-premises-management-console.md#download-software-for-the-on-premises-management-console) - [Install software](how-to-install-software.md)
defender-for-iot Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/overview.md
Title: Overview - Microsoft Defender for IoT for organizations description: Learn about Microsoft Defender for IoT's features for end-user organizations and comprehensive IoT security for OT and Enterprise IoT networks. Previously updated : 03/23/2022 Last updated : 06/02/2022
Agentless monitoring in Defender for IoT provides visibility and security into n
A centralized user experience lets the security team visualize and secure all their IT, IoT, and OT devices regardless of where the devices are located. + ## Support for cloud, on-premises, and hybrid networks Defender for IoT can support various network configurations:
defender-for-iot Plan Network Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/plan-network-monitoring.md
- Title: OT network monitoring best practices for Microsoft Defender for IoT
-description: Learn about best practices for planning your OT network monitoring with Microsoft Defender for IoT.
- Previously updated : 03/27/2022--
-# Best practices for planning your OT network monitoring
-
-This article reviews best practices that we recommend following when planning your OT network monitoring with Microsoft Defender for IoT.
-
-Review these best practices when planning your network. For more information, see [Quickstart: Get started with Defender for IoT](getting-started.md) and [About Microsoft Defender for IoT network setup](how-to-set-up-your-network.md).
-
-## Understand your network architecture
-
-When planning your network monitoring, you must understand your system network architecture and how it will need to connect to Defender for IoT. Also, understand where each of your system elements falls in the Purdue Reference model for Industrial Control System (ICS) OT network segmentation.
-
-Defender for IoT network sensors receive traffic from multiple sources, either by switch mirror ports (SPAN ports) or network TAPs. The network sensor's management port connects to the business, corporate, or sensor management network for network management from the Azure portal or an on-premises management system.
-
-For example:
--
-### Purdue reference model and Defender for IoT
-
-The Purdue Reference Model is a model for Industrial Control System (ICS)/OT network segmentation that defines six layers, components and relevant security controls for those networks.
-
-Each device type in your OT network falls in a specific level of the Purdue model. The following image shows how devices in your network spread across the Purdue model and connect to Defender for IoT services.
--
-The following table describes each level of the Purdue model when applied to Defender for IoT devices:
-
-|Name |Description |
-|||
-|**Level 0**: Cell and area | Level 0 consists of a wide variety of sensors, actuators, and devices involved in the basic manufacturing process. These devices perform the basic functions of the industrial automation and control system, such as: <br><br>- Driving a motor<br>- Measuring variables<br>- Setting an output<br>- Performing key functions, such as painting, welding, and bending |
-| **Level 1**: Process control | Level 1 consists of embedded controllers that control and manipulate the manufacturing process whose key function is to communicate with the Level 0 devices. In discrete manufacturing, those devices are programmable logic controllers (PLCs) or remote telemetry units (RTUs). In process manufacturing, the basic controller is called a distributed control system (DCS). |
-|**Level 2**: Supervisory | Level 2 represents the systems and functions associated with the runtime supervision and operation of an area of a production facility. These usually include the following: <br><br>- Operator interfaces or human-machine interfaces (HMIs) <br>- Alarms or alerting systems <br> - Process historian and batch management systems <br>- Control room workstations <br><br>These systems communicate with the PLCs and RTUs in Level 1. In some cases, they communicate or share data with the site or enterprise (Level 4 and Level 5) systems and applications. These systems are primarily based on standard computing equipment and operating systems (Unix or Microsoft Windows). |
-|**Levels 3 and 3.5**: Site-level and industrial perimeter network | The site level represents the highest level of industrial automation and control systems. The systems and applications that exist at this level manage site-wide industrial automation and control functions. Levels 0 through 3 are considered critical to site operations. The systems and functions that exist at this level might include the following: <br><br>- Production reporting (for example, cycle times, quality index, predictive maintenance) <br>- Plant historian <br>- Detailed production scheduling<br>- Site-level operations management <br>-0 Device and material management <br>- Patch launch server <br>- File server <br>- Industrial domain, Active Directory, terminal server <br><br>These systems communicate with the production zone and share data with the enterprise (Level 4 and Level 5) systems and applications. |
-|**Levels 4 and 5**: Business and enterprise networks | Level 4 and Level 5 represent the site or enterprise network where the centralized IT systems and functions exist. The IT organization directly manages the services, systems, and applications at these levels. |
-
-## Plan your sensor connections
-
-We recommend that Defender for IoT monitors traffic from Purdue layers 1 and 2. For some architectures, if OT traffic exists on layer 3, Defender for IoT will also monitor layer 3 traffic.
-
-While you're reviewing your site architecture to determine whether or not to monitor a specific switch, considering the following questions:
--- What is the cost/benefit versus the importance of monitoring this switch?-- If a switch is unmanaged, can you monitor the traffic from a higher-level switch? If the ICS architecture is a [ring topology](#sample-ring-topology), only one switch in the ring needs monitoring.-- What is the security or operational risk in the network?-- Can you monitor the switch's VLAN? Is the VLAN visible in another switch that you can monitor?-
-Review your OT and ICS network diagram together with your site engineers to define the best place to connect to Defender for IoT, and where you can get the most relevant traffic for monitoring. We recommend that you meet with the local network and operational teams to clarify expectations. Create lists of the following data about your network:
--- Known devices-- Estimated number of devices-- Vendors and industrial protocols-- Switch models and whether they support port mirroring-- Switch managers, including external resources-- OT networks on your site-
-For more information, see [Sample: Multi-layer, multi-tenant network](#sample-multi-layer-multi-tenant-network) and [More questions for planning your network connections](#more-questions-for-planning-your-network-connections).
--
-## Multi-sensor deployments
-
-The following table lists best practices when deploying multiple Defender for IoT sensors:
-
-| **Number** | **Meters** | **Dependency** | **Number of sensors** |
-|--|--|--|--|
-| The maximum distance between switches | 80 meters | Prepared Ethernet cable | More than 1 |
-| Number of OT networks | More than 1 | No physical connectivity | More than 1 |
-| Number of switches | Can use RSPAN configuration | Up to eight switches with local span close to the sensor by cabling distance | More than 1 |
-
-## Traffic mirroring
-
-To see only relevant information for traffic analysis, you need to connect the Defender for IoT platform to a mirroring port on a switch or a TAP that includes only industrial ICS and SCADA traffic.
-
-For example:
--
-You can monitor switch traffic using a switch SPAN port, by report SPAN (RSPAN), or active and passive aggregation TAP. Use the following tabs to learn more about each method.
-
-> [!NOTE]
-> SPAN and RSPAN are Cisco terminology. Other brands of switches have similar functionality but might use different terminology.
->
-
-# [Switch SPAN port](#tab/switch-span-port)
-
-A switch port analyzer mirrors local traffic from interfaces on the switch to interface on the same switch. Considerations for switch SPAN ports include:
--- Verify that the relevant switch supports the port mirroring function.--- The mirroring option is disabled by default.--- We recommend that you configure all of the switch's ports, even if no data is connected to them. Otherwise, a rogue device might be connected to an unmonitored port, and it wouldn't be alerted on the sensor.--- On OT networks that utilize broadcast or multicast messaging, configure the switch to mirror only RX (Receive) transmissions. Otherwise, multicast messages will be repeated for as many active ports, and the bandwidth is multiplied.-
-For example, use the following configurations to set up a switch SPAN port for a Cisco 2960 switch with 24 ports running IOS.
-
-> [!NOTE]
-> The configuration samples below are intended only as guidance and not as instructions. Mirror ports on other Cisco operating systems and other switch brands are configured differently.
-
-**On a SPAN port configuration terminal**:
-
-```cli
-Cisco2960# configure terminal
-Cisco2960(config)# monitor session 1 source interface fastehernet 0/2 - 23 rx
-Cisco2960(config)# monitor session 1 destination interface fastethernet 0/24
-Cisco2960(config)# end
-Cisco2960# show monitor 1
-Cisco2960# running-copy startup-config
-```
-
-**In the configuration user interface**
-
-1. Enter global configuration mode
-1. Configure first 23 ports as session source (mirror only RX packets)
-1. Configure port 24 to be a session destination
-1. Return to privileged EXEC mode
-1. Verify the port mirroring configuration
-1. Save the configuration
-
-#### Monitoring multiple VLANs
-
-Defender for IoT allows monitoring VLANs configured in your network without any extra configuration, as long as the network switch is configured to send VLAN tags to Defender for IoT.
-
-For example, the following commands must be configured on a Cisco switch to support monitoring VLANs in Defender for IoT:
-
-**Monitor session**: This command is responsible for the process of sending VLANs to the SPAN port.
-
-```cli
-monitor session 1 source interface Gi1/2
-monitor session 1 filter packet type good Rx
-monitor session 1 destination interface fastEthernet1/1 encapsulation dot1q
-```
-
-**Monitor Trunk Port F.E. Gi1/1**: VLANs are configured on the trunk port.
-
-```cli
-interface GigabitEthernet1/1
-switchport trunk encapsulation dot1q
-switchport mode trunk
-```
-
-# [Remote SPAN (RSPAN)](#tab/rspan)
-
-A remote SPAN (RSPAN) session mirrors traffic from multiple distributed source ports into a dedicated remote VLAN. The data in the VLAN is then delivered through trunked ports across multiple switches to a specific switch that contains the physical destination port. This port connects to the Defender for IoT platform.
-
-Consider the following when configuring RSPAN:
--- RSPAN is an advanced feature that requires a special VLAN to carry the traffic that SPAN monitors between switches. Make sure that your switch supports RSPAN.-- The mirroring option is disabled by default.-- The remote VLAN must be allowed on the trunked port between the source and destination switches.-- All switches that connect the same RSPAN session must be from the same vendor.-- Make sure that the trunk port that's sharing the remote VLAN between the switches isn't defined as a mirror session source port.-- The remote VLAN increases the bandwidth on the trunked port by the size of the mirrored session's bandwidth. Verify that the switch's trunk port supports the increased bandwidth.-
-The following diagram shows an example of a remote VLAN architecture:
--
-For example, use the following steps to set up an RSPAN for a Cisco 2960 switch with 24 ports running IOS.
-
-**To configure the source switch**:
-
-1. Enter global configuration mode.
-
-1. Create a dedicated VLAN.
-
-1. Identify the VLAN as the RSPAN VLAN.
-
-1. Return to "configure terminal" mode.
-
-1. Configure all 24 ports as session sources.
-
-1. Configure the RSPAN VLAN to be the session destination.
-
-1. Return to privileged EXEC mode.
-
-1. Verify the port mirroring configuration.
-
-**To configure the destination switch**:
-
-1. Enter global configuration mode.
-
-1. Configure the RSPAN VLAN to be the session source.
-
-1. Configure physical port 24 to be the session destination.
-
-1. Return to privileged EXEC mode.
-
-1. Verify the port mirroring configuration.
-
-1. Save the configuration.
-
-# [Active and passive aggregation (TAP)](#tab/TAP)
-
-An active or passive aggregation TAP is installed inline to the network cable and duplicates both RX and TX to the monitoring sensor.
-
-The terminal access point (TAP) is a hardware device that allows network traffic to flow from port A to port B, and from port B to port A, without interruption. It creates an exact copy of both sides of the traffic flow, continuously, without compromising network integrity. Some TAPs aggregate transmit and receive traffic by using switch settings if desired. If aggregation isn't supported, each TAP uses two sensor ports to monitor send and receive traffic.
-
-The advantages of TAPs include:
--- TAPs are hardware-based and can't be compromised-- TAPs pass all traffic, even damaged messages, which the switches often drop-- TAPs aren't processor sensitive, so packet timing is exact where switches handle the mirror function as a low-priority task that can affect the timing of the mirrored packets-
-For forensic purposes, a TAP is the best device.
-
-TAP aggregators can also be used for port monitoring. These devices are processor-based and aren't as intrinsically secure as hardware TAPs, and therefore might not reflect exact packet timing.
-
-The following diagram shows an example of a network setup with an active and passive TAP:
--
-#### Common TAP models
-
-The following TAP models have been tested for compatibility with Defender for IoT. Other vendors and models might also be compatible.
--- **Garland P1GCCAS**-
- :::image type="content" source="media/how-to-set-up-your-network/garland-p1gccas-v2.png" alt-text="Screenshot of Garland P1GCCAS." border="false":::
-
- When using a Garland TAP, make sure jumpers are set as follows:
-
- :::image type="content" source="media/how-to-set-up-your-network/jumper-setup-v2.jpg" alt-text="Screenshot of US Robotics switch.":::
--- **IXIA TPA2-CU3**-
- :::image type="content" source="media/how-to-set-up-your-network/ixia-tpa2-cu3-v2.png" alt-text="Screenshot of IXIA TPA2-CU3." border="false":::
--- **US Robotics USR 4503**-
- :::image type="content" source="media/how-to-set-up-your-network/us-robotics-usr-4503-v2.png" alt-text="Screenshot of US Robotics USR 4503.":::
-
- When using a US Robotics TAP, make sure **Aggregation mode** is active.
---
-## Sample connectivity models
-
-This section provides sample network models for Defender for IoT sensor connections.
-
-### Sample: Ring topology
-
-The following diagram shows an example of a ring network topology, in which each switch or node connects to exactly two other switches, forming a single continuous pathway for the traffic.
--
-### Sample: Linear bus and star topology
-
-In a star network, every host is connected to a central hub. In its simplest form, one central hub acts as a conduit to transmit messages. In the following example, lower switches aren't monitored, and traffic that remains local to these switches won't be seen. Devices might be identified based on ARP messages, but connection information will be missing.
--
-### Sample: Multi-layer, multi-tenant network
-
-The following diagram is a general abstraction of a multilayer, multitenant network, with an expansive cybersecurity ecosystem typically operated by an SOC and MSSP.
-
-Typically, NTA sensors are deployed in layers 0 to 3 of the OSI model.
---
-## More questions for planning your network connections
-
-This section lists more, common questions to consider when planning your network connections to Defender for IoT:
--- What are the overall goals of the implementation? Are a complete inventory and accurate network map important?--- Are there multiple or redundant networks in the ICS? Are all the networks being monitored?--- Are there communications between the ICS and the enterprise (business) network? Are these communications being monitored?--- Are VLANs configured in the network design?--- How is maintenance of the ICS performed, with fixed or transient devices?--- Where are firewalls installed in the monitored networks?--- Is there any routing in the monitored networks?--- What OT protocols are active on the monitored networks?--- If we connect to this switch, will we see communication between the HMI and the PLCs?--- What is the physical distance between the ICS switches and the enterprise firewall?--- Can unmanaged switches be replaced with managed switches, or is the use of network TAPs an option?--- Is there any serial communication in the network? If yes, show it on the network diagram.--- If the Defender for IoT appliance should be connected to that switch, is there physical available rack space in that cabinet?-
-## Next steps
-
-For more information, see:
--- [Welcome to Microsoft Defender for IoT for organizations](overview.md)-- [Quickstart: Get started with Defender for IoT](getting-started.md)-- [About Microsoft Defender for IoT network setup](how-to-set-up-your-network.md)
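Review bot: before this content is republished under `best-practices/plan-network-monitoring.md` (the path the pre-deployment checklist now links to), fix the Cisco 2960 SPAN sample rather than moving it as is. `fastehernet` on the source line is misspelled, the source range `0/2 - 23` does not match the step text "Configure first 23 ports as session source", and `running-copy startup-config` is not an IOS command (the save step is `copy running-config startup-config`). In the prose, "report SPAN (RSPAN)" should read "remote SPAN", the Level 3 list has a stray `-0 Device and material management`, and "layers 0 to 3 of the OSI model" looks like it should refer to the Purdue model used in the rest of the article, since the OSI model has no layer 0.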
defender-for-iot Pre Deployment Checklist https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/pre-deployment-checklist.md
Review your industrial network architecture to define the proper location for th
For more information, see: - [Quickstart: Get started with Defender for IoT](getting-started.md)-- [Best practices for planning your OT network monitoring](plan-network-monitoring.md)
+- [Best practices for planning your OT network monitoring](best-practices/plan-network-monitoring.md)
- [Prepare your network for Microsoft Defender for IoT](how-to-set-up-your-network.md)
defender-for-iot References Work With Defender For Iot Cli Commands https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/references-work-with-defender-for-iot-cli-commands.md
When you're using the tool:
## Sign out of a support shell
-Starting in version 22.1.3, you're automatically signed out of an SSH session after an inactive period of 300 seconds.
+You're automatically signed out of an SSH session after an inactive period of 300 seconds.
To sign out of your session manually, enter the following command:
defender-for-iot Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/release-notes.md
Title: What's new in Microsoft Defender for IoT description: This article lets you know what's new in the latest release of Defender for IoT. Previously updated : 05/25/2022 Last updated : 07/05/2022 # What's new in Microsoft Defender for IoT?
Last updated 05/25/2022
This article lists Microsoft Defender for IoT's new features and enhancements for end-user organizations from the last nine months.
-Features released earlier than nine months ago are listed in [What's new archive for in Microsoft Defender for IoT for organizations](release-notes-archive.md).
+Features released earlier than nine months ago are listed in [What's new archive for Microsoft Defender for IoT for organizations](release-notes-archive.md).
Noted features listed below are in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Noted features listed below are in PREVIEW. The [Azure Preview Supplemental Term
The Defender for IoT architecture uses on-premises sensors and management servers. This section describes the servicing information and timelines for the available on-premises software versions. -- Each General Availability (GA) version of the Defender for IoT sensor and on-premises management console software is supported for nine months after release. Fixes and new functionality are applied to each new version and aren't applied to older versions.
+- **Starting in version 22.1.x**, each General Availability (GA) version of the Defender for IoT sensor and on-premises management console software is supported for nine months after its first minor release date, not including hotfix releases.
-- Software update packages include new functionality and security patches. Urgent, high-risk security updates are applied in minor versions that may be released throughout the quarter.
+ Release versions have the following syntax: **[Major][Minor][Hotfix]**
+
+ Therefore, for example, all **22.1.x** versions, including all hotfix versions, are supported for nine months after the first **22.1.x** release.
+
+ Fixes and new functionality are applied to each new version and are not applied to older versions.
+
+- **Software update packages include new functionality and security patches**. Urgent, high-risk security updates are applied in minor versions that may be released throughout the quarter.
+
+- **Features available from the Azure portal that are dependent on a specific sensor version** are only available for sensors that have the required version installed, or higher.
For more information, see the [Microsoft Security Development Lifecycle practices](https://www.microsoft.com/en-us/securityengineering/sdl/), which describes Microsoft's SDK practices, including training, compliance, threat modeling, design requirements, tools such as Microsoft Component Governance, pen testing, and more.
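Review bot: The added syntax line reads **[Major][Minor][Hotfix]** with no separators, while every version number in this hunk is written with dots (**22.1.x**); write it as [Major].[Minor].[Hotfix] so the 22.1.x example that follows maps onto it. The first bullet's "nine months after its first minor release date, not including hotfix releases" would also be easier to apply if the example named which release date starts the clock.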
For more information, see the [Microsoft Security Development Lifecycle practice
> Manual changes to software packages may have detrimental effects on the sensor and on-premises management console. Microsoft is unable to support deployments with manual changes made to packages. >
+> [!TIP]
+> - Version numbers are listed only in this article, and not in detailed descriptions elsewhere in the documentation. To understand whether a feature is supported in your sensor version, check the listed features for that sensor version on this page.
+>
+> - When updating your sensor software version, make sure to also update your on-premises management console. For more information, see [Update Defender for IoT OT monitoring software](update-ot-software.md).
+ **Current versions of the sensor and on-premises management console software include**: | Version | Date released | End support date | |--|--|--|
-| 22.1.5 | 06/2022 | 03/2023 |
-| 22.1.4 | 04/2022 | 12/2022 |
-| 22.1.3 | 03/2022 | 11/2022 |
+| 22.2.3 | 07/2022 | 4/2023 |
+| 22.1.5 | 06/2022 | 10/2023 |
+| 22.1.4 | 04/2022 | 10/2022 |
+| 22.1.3 | 03/2022 | 10/2022 |
| 22.1.1 | 02/2022 | 10/2022 | | 10.5.5 | 12/2021 | 09/2022 | | 10.5.4 | 12/2021 | 09/2022 | | 10.5.3 | 10/2021 | 07/2022 | | 10.5.2 | 10/2021 | 07/2022 |
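Review bot: In the added table rows, 22.1.5 is given an end support date of 10/2023 while 22.1.4, 22.1.3 and 22.1.1 all end in 10/2022, which contradicts the statement in this same change that all 22.1.x versions are supported for nine months after the first 22.1.x release; this looks like a typo for 10/2022. The 22.2.3 row also uses `4/2023` where every other row uses a two-digit month, so `04/2023` would keep the column consistent.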
-## June 2022
+## July 2022
-**Sensor software version**: 22.1.5
+- [Enterprise IoT purchase experience and Defender for Endpoint integration in GA](#enterprise-iot-purchase-experience-and-defender-for-endpoint-integration-in-ga)
+
+**Sensor software version**: 22.2.3
+
+- [PCAP access from the Azure portal](#pcap-access-from-the-azure-portal-public-preview)
+- [Bi-directional alert synch between sensors and the Azure portal](#bi-directional-alert-synch-between-sensors-and-the-azure-portal-public-preview)
+- [Support diagnostic log enhancements](#support-diagnostic-log-enhancements-public-preview)
+- [Improved security for uploading protocol plugins](#improved-security-for-uploading-protocol-plugins)
+
+To update to version 22.2.3:
+
+- From version 22.1.x, update directly to version 22.2.3
+- From version 10.x, first update to version 21.1.6, and then update again to 22.2.3
+
+For more information, see [Update Defender for IoT OT monitoring software](update-ot-software.md).
+
+### Enterprise IoT purchase experience and Defender for Endpoint integration in GA
+
+Defender for IoTΓÇÖs new purchase experience and the Enterprise IoT integration with Microsoft Defender for Endpoint is now in General Availability (GA). With this update, we've made the following updates and improvements:
+
+- An updated **Plans and pricing** page with an enhanced onboarding process, as well as smooth onboarding directly in Defender for Endpoint. For more information, see [Manage your subscriptions](how-to-manage-subscriptions.md) and the [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration).
+
+- Seamless integration with Microsoft Defender for Endpoint to view detected Enterprise IoT devices, and their related alerts, vulnerabilities, and recommendations in the Microsoft 365 Security portal. For more information, see the [Enterprise IoT tutorial](tutorial-getting-started-eiot-sensor.md) and the [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration). You can continue to view detected Enterprise IoT devices on the Defender for IoT **Device inventory** page in the Azure portal.
+
+- All Enterprise IoT sensors are now automatically added to the same site in Defender for IoT, named **Enterprise network**. When onboarding a new Enterprise IoT device, you only need to define a sensor name and select your subscription, without defining a site or zone.
+
+> [!NOTE]
+> The Enterprise IoT network sensor and all detections remain in Public Preview.
+
+### PCAP access from the Azure portal (Public preview)
+
+Now you can access the raw traffic files, known as packet capture files or PCAP files, directly from the Azure portal. This feature supports SOC or OT security engineers who want to investigate alerts from Defender for IoT or Microsoft Sentinel, without having to access each sensor separately.
++
+PCAP files are downloaded to your Azure storage.
+
+For more information, see [View and manage alerts from the Azure portal](how-to-manage-cloud-alerts.md).
+
+### Bi-directional alert synch between sensors and the Azure portal (Public preview)
+
+For sensors updated to version 22.2.1, alert statuses and learn statuses are now fully synchronized between the sensor console and the Azure portal. For example, this means that you can close an alert on the Azure portal or the sensor console, and the alert status is updated in both locations.
+
+*Learn* an alert from either the Azure portal or the sensor console to ensure that it's not triggered again the next time the same network traffic is detected.
-- Bug fixes related to OT monitoring software updates and sensor-cloud connections.
+The sensor console is also synchronized with an on-premises management console, so that alert statuses and learn statuses remain up-to-date across your management interfaces.
-## May 2022
+For more information, see:
+
+- [View and manage alerts from the Azure portal](how-to-manage-cloud-alerts.md)
+- [View alerts on your sensor](how-to-view-alerts.md)
+- [Manage alerts from the sensor console](how-to-manage-the-alert-event.md)
+- [Work with alerts on the on-premises management console](how-to-work-with-alerts-on-premises-management-console.md)
+
+### Support diagnostic log enhancements (Public preview)
+
+Starting in sensor version [22.1.1](#new-support-diagnostics-log), you've been able to download a diagnostic log from the sensor console to send to support when you open a ticket.
+
+Now, for locally-managed sensors, you can upload that diagnostic log directly on the Azure portal.
++
+> [!TIP]
+> For cloud-connected sensors, starting from sensor version [22.1.3](#march-2022), the diagnostic log is automatically available to support when you open the ticket.
+>
+For more information, see:
+
+- [Download a diagnostics log for support](how-to-manage-individual-sensors.md#download-a-diagnostics-log-for-support)
+- [Upload a diagnostics log for support](how-to-manage-sensors-on-the-cloud.md#upload-a-diagnostics-log-for-support-public-preview)
++
+### Improved security for uploading protocol plugins
+
+This version of the sensor provides an improved security for uploading proprietary plugins you've created using the Horizon SDK.
++
+For more information, see [Manage proprietary protocols with Horizon plugins](resources-manage-proprietary-protocols.md).
+
+## June 2022
+
+**Sensor software version**: 22.1.5
We've recently optimized and enhanced our documentation as follows: - [Updated appliance catalog for OT environments](#updated-appliance-catalog-for-ot-environments) - [Documentation reorganization for end-user organizations](#documentation-reorganization-for-end-user-organizations) + ### Updated appliance catalog for OT environments We've refreshed and revamped the catalog of supported appliances for monitoring OT environments. These appliances support flexible deployment options for environments of all sizes and can be used to host both the OT monitoring sensor and on-premises management consoles.
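Review bot: The upgrade path added under "To update to version 22.2.3" sends 10.x sensors to version 21.1.6 first, but no 21.x release appears in the version table or anywhere else in this change, so the intermediate version number should be confirmed. The bi-directional alert section likewise says "For sensors updated to version 22.2.1" although the July section is headed with sensor software version 22.2.3 and 22.2.1 is not listed in the table; align the two or explain the difference.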
Check out our new structure to follow through viewing devices and assets, managi
- [Quickstart: Get started with Defender for IoT](getting-started.md) - [Tutorial: Microsoft Defender for IoT trial setup](tutorial-onboarding.md) - [Tutorial: Get started with Enterprise IoT](tutorial-getting-started-eiot-sensor.md)-- [Plan your sensor connections for OT monitoring](plan-network-monitoring.md)
+- [Plan your sensor connections for OT monitoring](best-practices/plan-network-monitoring.md)
- [About Microsoft Defender for IoT network setup](how-to-set-up-your-network.md) > [!NOTE]
Check out our new structure to follow through viewing devices and assets, managi
## April 2022
-**Sensor software version**: 22.1.4
+- [Extended device property data in the Device inventory](#extended-device-property-data-in-the-device-inventory)
### Extended device property data in the Device inventory
+**Sensor software version**: 22.1.4
+ Starting for sensors updated to version 22.1.4, the **Device inventory** page on the Azure portal shows extended data for the following fields: - **Description**
Starting for sensors updated to version 22.1.4, the **Device inventory** page on
For more information, see [Manage your device inventory from the Azure portal](how-to-manage-device-inventory-for-organizations.md). - ## March 2022
+**Sensor version**: 22.1.3
+ - [Use Azure Monitor workbooks with Microsoft Defender for IoT](#use-azure-monitor-workbooks-with-microsoft-defender-for-iot-public-preview) - [IoT OT Threat Monitoring with Defender for IoT solution GA](#iot-ot-threat-monitoring-with-defender-for-iot-solution-ga) - [Edit and delete devices from the Azure portal](#edit-and-delete-devices-from-the-azure-portal-public-preview) - [Key state alert updates](#key-state-alert-updates-public-preview) - [Sign out of a CLI session](#sign-out-of-a-cli-session) + ### Use Azure Monitor workbooks with Microsoft Defender for IoT (Public preview) [Azure Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md) provide graphs and dashboards that visually reflect your data, and are now available directly in Microsoft Defender for IoT with data from [Azure Resource Graph](../../governance/resource-graph/index.yml).
For more information, see [Work with Defender for IoT CLI commands](references-w
## February 2022
+**Sensor software version**: 22.1.1
+ - [New sensor installation wizard](#new-sensor-installation-wizard) - [Sensor redesign and unified Microsoft product experience](#sensor-redesign-and-unified-microsoft-product-experience) - [Enhanced sensor Overview page](#enhanced-sensor-overview-page)
If you're on a legacy version, you may need to run a series of updates in order
After you've upgraded to version 22.1.x, the new upgrade log can be found at the following path, accessed via SSH and the *cyberx_host* user: `/opt/sensor/logs/legacy-upgrade.log`.
-For more information, see [Update a standalone sensor version](how-to-manage-individual-sensors.md#update-a-standalone-sensor-version) and [Update sensor versions from the on-premises management console](how-to-manage-sensors-from-the-on-premises-management-console.md#update-sensor-versions).
+For more information, see [Update OT system software](update-ot-software.md).
> [!NOTE] > Upgrading to version 22.1.x is a large update, and you should expect the update process to require more time than previous updates.
The following Defender for IoT options and configurations have been moved, remov
## December 2021
+**Sensor software version**: 10.5.4
+ - [Enhanced integration with Microsoft Sentinel (Preview)](#enhanced-integration-with-microsoft-sentinel-preview) - [Apache Log4j vulnerability](#apache-log4j-vulnerability) - [Alerting](#alerting)
This new functionality is available on the following alerts:
## November 2021
+**Sensor software version**: 10.5.3
+ The following feature enhancements are available with version 10.5.3 of Microsoft Defender for IoT. - The on-premises management console, has a new [ServiceNow Integration API - ΓÇ£/external/v3/integration/ (Preview)](references-work-with-defender-for-iot-apis.md#servicenow-integration-apiexternalv3integration-preview).
The following feature enhancements are available with version 10.5.3 of Microsof
## October 2021
+**Sensor software version**: 10.5.2
+ The following feature enhancements are available with version 10.5.2 of Microsoft Defender for IoT. - [PLC operating mode detections (Public Preview)](#plc-operating-mode-detections-public-preview)
defender-for-iot Resources Manage Proprietary Protocols https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/resources-manage-proprietary-protocols.md
+
+ Title: Manage proprietary protocols (Horizon) - Microsoft Defender for IoT
+description: Defender for IoT Horizon delivers an Open Development Environment (ODE) used to secure IoT and ICS devices running proprietary protocols.
Last updated : 11/09/2021+++
+# Manage proprietary protocols with Horizon plugins
+
+You can use the Microsoft Defender for IoT Horizon SDK to develop your plugins to support proprietary protocols used for your IoT and ICS devices.
+
+## About Horizon
+
+Horizon provides:
+
+ - Unlimited, full support for common, proprietary, custom protocols or protocols that deviate from any standard.
+ - A new level of flexibility and scope for DPI development.
+ - A tool that exponentially expands OT visibility and control, without the need to upgrade to new versions.
+ - The security of allowing proprietary development without divulging sensitive information.
+
+Use the Horizon SDK to design dissector plugins that decode network traffic so it can be processed by automated Defender for IoT network analysis programs.
+
+Protocol dissectors are developed as external plugins and are integrated with an extensive range of Defender for IoT services, for example services that provide monitoring, alerting, and reporting capabilities.
+
+Contact <ms-horizon-support@microsoft.com> for details about working with the Open Development Environment (ODE) SDK and creating protocol plugins.
+
+## Add a plugin to your sensor
+
+**Prerequisites**:
+
+- Access to the plugin developed for your proprietary protocol and the signing certificate you created for it
+- Credentials for the Administrator, Cyberx, or Support users
+
+After you've developed and tested a dissector plugin for proprietary protocols, add it to any sensors where it's needed.
+
+**To upload your plugin to a sensor**:
+
+1. Sign in to your sensor machine via CLI as the *Administrator*, *Cyberx*, or *Support* user.
+
+1. Go the `/var/cyberx/properties/horizon.properties` file and verify that the `ui.enabled` property is set to `true` (`horizon.properties:ui.enabled=true`)
+
+1. Sign in to the sensor console as the *Administrator*, *Cyberx*, or *Support*.
+
+1. Select **System settings > Network monitoring > Protocols DPI (Horizon Plugins)**.
+
+ The **Protocols DPI (Horizon Plugins)** page lists all of the infrastructure plugins provided out-of-the-box by Defender for IoT and any other plugin you've created and uploaded to the sensor.
+
+ :::image type="content" source="media/release-notes/horizon.png" alt-text="Screenshot of the new Protocols D P I (Horizon Plugins) page." lightbox="media/release-notes/horizon.png":::
++
+1. Select **Upload signing certificate**, and then browse to and select the certificate you created for your plugin.
+
+1. Select **Upload protocol plugin**, and then browse to and select your plugin file.
+
+### Toggle a plugin on or off
+
+After you've uploaded a plugin, you can toggle it on or off as needed. Sensors do not handle protocol traffic defined for a plugin that's currently toggled off (disabled).
+
+> [!NOTE]
+> Infrastructure plugins cannot be toggled off.
+
+## Monitor plugin performance
+
+Use the data shown on the **Protocols DPI (Horizon Plugins)** page in the sensor console to understand details about your plugin usage. To help locate a specific plugin, use the **Search** box to enter part of all of a plugin name.
+
+The **Protocols DPI (Horizon Plugins)** lists the following data per plugin:
+
+|Column name |Description |
+|||
+|**Plugin** | Defines the plugin name |
+|**Type** | The plugin type, including APPLICATION or INFRASTRUCTURE. |
+|**Time** | The time that data was last analyzed using the plugin. The time stamp is updated every five seconds. |
+|**PPS** | The number of packets analyzed per second by the plugin. |
+|**Bandwidth** | The average bandwidth detected by the plugin within the last five seconds. |
+|**Malforms** | The number of malform errors detected in the last five seconds. Malformed validations are used after the protocol has been positively validated. If there is a failure to process the packets based on the protocol, a failure response is returned. |
+|**Warnings** | The number of warnings detected, such as when packets match the structure and specifications, but unexpected behavior is detected, based on the plugin warning configuration. |
+| **Errors** | The number of errors detected in the last five seconds for packets that failed basic protocol validations for the packets that match protocol definitions. |
+
+Horizon log data is available for export in the **Dissection statistics** and **Dissection Logs**, log files. For more information, see [Export troubleshooting logs](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md).
+
+## Create custom alert rules for Horizon-based traffic
+
+After adding a proprietary plugin to your sensor, you might want to configure custom alert rules for your proprietary protocol. Custom, conditioned-based alert triggers and messages helps to pinpoint specific network activity and effectively update your security, IT, and operational teams.
+
+Use custom alerts to detect traffic based on protocols and underlying protocols in a proprietary Horizon plugin, or a combination of protocol fields from all protocol layers. Custom alerts also let you write your own alert titles and messages, and handle protocol fields and values in the alert message text.
+
+For example, in an environment running MODBUS, you may want to generate an alert when the sensor detects a write command to a memory register on a specific IP address and ethernet destination, or an alert when any access is performed to a specific IP address.
+
+**When an alert is triggered by a Horizon-based custom alert rule**:
+
+- The alert is listed on the sensor and on-premises management consoles **Alerts** pages, and in integrated partner systems when you've configured forwarding rules.
+
+- The alert always has a severity of *Critical*.
+
+- The alert includes static text under the **Manage this Event** section, indicating that the alert was generated by your organizationΓÇÖs security team.
+
+For more information, see [Customize alert rules](how-to-accelerate-alert-incident-response.md#customize-alert-rules).
+
+## Next steps
+
+For more information, see [Microsoft Defender for IoT - supported IoT, OT, ICS, and SCADA protocols](concept-supported-protocols.md).
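Review bot: The upload procedure depends on a signing certificate (listed under Prerequisites and used in the "Upload signing certificate" step), but the new page never says how that certificate is created, what format is expected, or what the sensor checks against it; add that or link to where it is documented. Step 2 also asks the reader to verify that `ui.enabled` is `true` without saying what to do when it is not. Smaller fixes: the table separator row `|||` will not render as a Markdown table, "Go the" should be "Go to the", "part of all of a plugin name" should be "part or all", and "triggers and messages helps" should be "help".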
defender-for-iot Tutorial Getting Started Eiot Sensor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/tutorial-getting-started-eiot-sensor.md
Title: Get started with enterprise IoT - Microsoft Defender for IoT
+ Title: Get started with Enterprise IoT - Microsoft Defender for IoT
description: In this tutorial, you'll learn how to onboard to Microsoft Defender for IoT with an Enterprise IoT deployment Last updated 12/12/2021
-# Tutorial: Get started with Enterprise IoT
+# Tutorial: Get started with Enterprise IoT monitoring
-This tutorial will help you learn how to get started with your Enterprise IoT deployment.
+This tutorial will help you learn how to get started with your Enterprise IoT monitoring deployment.
-Defender for IoT has extended the agentless capabilities to go beyond operational environments, and advance into the realm of enterprise environments. Coverage is now available to the entire breadth of IoT devices in your environment, including everything from corporate printers, cameras, to purpose-built devices, proprietary, and unique devices.
+Microsoft Defender for IoT has extended the agentless capabilities to go beyond operational environments, and advance into the realm of enterprise environments. Defender for IoT supports the entire breadth of IoT devices in your environment, including everything from corporate printers, cameras, to purpose-built devices, proprietary, and unique devices.
+
+You can extend your analytics capabilities to view alerts, vulnerabilities and recommendations for your enterprise devices with the Microsoft Defender for Endpoint integration. For more information, see the [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration).
In this tutorial, you learn how to:
In this tutorial, you learn how to:
> * Set up an Enterprise IoT sensor > * Install the sensor > * Validate your setup
-> * View your enterprise IoT devices in the Enterprise IoT device inventory
-
-## Prerequisites
-
-Before you start, make sure that you have the following:
--- Completed [Quickstart: Get started with Defender for IoT](getting-started.md) so that you have an Azure subscription added to Defender for IoT. If you already have a subscription that is onboarded for Microsoft Defender for IoT for OT environments, you'll need to perform the same procedure again to add a new subscription.--- The following Azure permissions:
+> * View detected Enterprise IoT devices in the Azure portal
+> * View devices, alerts, vulnerabilities, and recommendations in Defender for Endpoint
+> [!IMPORTANT]
+> The **Enterprise IoT network sensor** is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+## Prerequisites
-There's a minimum security level needed to access different parts of Microsoft Defender for IoT. You must have a level of Security Owner, or a Subscription contributor of the subscription to onboard a subscription, and commit to a pricing plan. Security Reader level permissions to access the Defender for IoT user interface.
+Before you start, make sure that you have:
-The following table describes user access permissions to Microsoft Defender for IoT portal tools:
+- A Defender for IoT plan added to your Azure subscription. You can add a plan from Defender for IoT in the Azure portal, or from Defender for Endpoint. If you already have a subscription that has Defender for IoT onboarded for OT environments, youΓÇÖll need to edit the plan to add Enterprise IoT.
+For more information, see [Quickstart: Get started with Defender for IoT](getting-started.md), [Edit a plan](how-to-manage-subscriptions.md#edit-a-plan), or the [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration).
-| Permission | Security reader | Security admin | Subscription contributor | Subscription owner |
-|--|--|--|--|--|
-| View details and access software, activation files, and threat intelligence packages | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
-| Onboard a sensor | | Γ£ô | Γ£ô | Γ£ô |
-| Update pricing | | | Γ£ô | Γ£ô |
+- The Azure permissions, as listed in [Quickstart: Getting Started with Defender for IoT](getting-started.md#permissions).
## Set up a server or Virtual Machine (VM)
The environment will now have to be prepared.
* **IoT Hub**: *.azure-devices.net
-You can also download, and add the [Azure public IP ranges](https://www.microsoft.com/download/details.aspx?id=56519) to your firewall will allow the Azure resources that are specified above along with their region.
+You can also download and add the [Azure public IP ranges](https://www.microsoft.com/download/details.aspx?id=56519) so your firewall will allow the Azure resources that are specified above, along with their region.
> [!Note]
-> The Azure public IP range are updated weekly. New ranges appearing in the file will not be used in Azure for at least one week. Please download the new json file every week and perform the necessary changes at your site to correctly identify services running in Azure.
+> The Azure public IP ranges are updated weekly. New ranges appearing in the file will not be used in Azure for at least one week. Please download the new json file every week and perform the necessary changes at your site to correctly identify services running in Azure.
## Set up an Enterprise IoT sensor
-A sensor is needed to discover, and continuously monitor Enterprise IoT devices. The sensor will use the Enterprise IoT network, and endpoint sensors to gain comprehensive visibility.
+A sensor is needed to discover and continuously monitor Enterprise IoT devices. The sensor will use the Enterprise IoT network and endpoint sensors to gain comprehensive visibility.
**Prerequisites**: Make sure that you've completed [Set up a server or Virtual Machine (VM)](#set-up-a-server-or-virtual-machine-vm) and [Prepare your environment](#prepare-your-environment), including verifying that you have the listed required resources. **To set up an Enterprise IoT sensor**:
-1. Navigate to the [Azure portal](https://portal.azure.com#home).
+1. In the Azure portal, go to **Defender for IoT** > **Getting started**.
1. Select **Set up Enterprise IoT Security**.
A sensor is needed to discover, and continuously monitor Enterprise IoT devices.
## Install the sensor
-Run the command that you received, and saved when you registered the Enterprise IoT sensor.
+Run the command that you received and saved when you registered the Enterprise IoT sensor. The installation process checks to see if the required Docker version is already installed. If itΓÇÖs not, the sensor installation also installs the latest Docker version.
**To install the sensor**: 1. Sign in to the sensor's CLI using a terminal, such as PUTTY, or MobaXterm.
-1. Run the command that you saved from the [Set up an Enterprise IoT sensor](#set-up-an-enterprise-iot-sensor).
+1. Run the command that you saved from [setting up an Enterprise IoT sensor](#set-up-an-enterprise-iot-sensor).
1. When the command is complete, the installation wizard will appear.
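Review bot: The sentence added to the "Install the sensor" intro refers to "the required Docker version" and then says the installer "installs the latest Docker version", without ever stating what the required version is. Name the minimum version so operators of change-controlled hosts can tell in advance whether the installer will put Docker on the machine.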
The installation will now finish.
## Validate your setup
-1. Wait 1 minute after the installation is completed, and run the following command to process the sanity of your system.
+1. Wait 1 minute after the installation has completed, and run the following command to process the sanity of your system.
```bash sudo docker ps
The installation will now finish.
Ensure that packets are being sent to the Event Hubs.
-## View your enterprise IoT devices in the Enterprise IoT device inventory
-
-Once you've validated your setup, the device inventory will start to populate with all of your devices after 15 minutes.
+## View detected Enterprise IoT devices in Azure
-**To view your populated device inventory**:
+You can view your devices and network information in the Defender for IoT **Device inventory** page.
-1. Navigate to the [Azure portal](https://portal.azure.com/#home).
+Once you've validated your setup, the **Device inventory** page will start to populate with all of your devices after 15 minutes.
-1. Search for, and select **Defender for IoT**.
-
-1. From the left side toolbar, select **Device inventory**.
-
-The device inventory is where you'll be able to view all of your device systems, and network information.
+To view your device inventory in the Azure portal, go to **Defender for IoT** > **Device inventory**.
You can also view your sensors from the **Sites and sensors** page. Enterprise IoT sensors are all automatically added to the same site, named **Enterprise network**.
For more information, see:
- [Manage your IoT devices with the device inventory for organizations](how-to-manage-device-inventory-for-organizations.md) - [Manage sensors with Defender for IoT in the Azure portal](how-to-manage-sensors-on-the-cloud.md)
+> [!TIP]
+> If you don't see your Enterprise IoT data in Defender for IoT as expected, make sure that you're viewing the Azure portal with the correct subscriptions selected. For more information, see [Manage Azure portal settings](/azure/azure-portal/set-preferences).
+
+## Microsoft Defender for Endpoint integration
+
+Once youΓÇÖve onboarded a plan and set up your sensor, your device data integrates automatically with Microsoft Defender for Endpoint. Discovered devices appear in both the Defender for IoT and Defender for Endpoint portals, extending security analytics capabilities for your Enterprise IoT devices and providing complete coverage.
+
+In Defender for Endpoint, you can view discovered IoT devices and related alerts, vulnerabilities, and recommendations. For more information, see:
+
+- [Microsoft Defender for IoT integration](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration)
+- [Defender for Endpoint device inventory](/microsoft-365/security/defender-endpoint/machines-view-overview)
+- [View and organize the Microsoft Defender for Endpoint Alerts queue](/microsoft-365/security/defender-endpoint/alerts-queue)
+- [Vulnerabilities in my organization](/microsoft-365/security/defender-vulnerability-management/)
+- [Security recommendations](/microsoft-365/security/defender-vulnerability-management/tvm-security-recommendation)
+ ## Remove the sensor (optional)
-You can use the following command to Remove the sensor.
+Remove a sensor that's no longer in use from Defender for IoT.
+
+**To remove a sensor**, run the following command:
```bash sudo apt purge -y microsoft-eiot-sensor
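Review bot: Under "Remove the sensor (optional)", the new intro says the sensor is removed "from Defender for IoT", but the only step shown is `sudo apt purge -y microsoft-eiot-sensor`, which uninstalls the package on the host. Either reword the intro to say that this uninstalls the sensor software, or add whether the sensor entry also has to be deleted from the **Sites and sensors** page. In the added "Microsoft Defender for Endpoint integration" paragraph, "you've" uses a typographic apostrophe where the rest of the article uses a straight one, and "providing complete coverage" should be replaced with what is actually covered.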
defender-for-iot Tutorial Onboarding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/tutorial-onboarding.md
Title: Get started with Microsoft Defender for IoT for OT security description: This tutorial describes how to use Microsoft Defender for IoT to set up a network for OT system security. Previously updated : 03/24/2022 Last updated : 06/02/2022 # Tutorial: Get started with Microsoft Defender for IoT for OT security
Before continuing, make sure that your sensor can access the cloud using HTTP on
- **IoT Hub**: `*.azure-devices.net` - **Threat Intelligence**: `*.blob.core.windows.net` - **Eventhub**: `*.servicebus.windows.net`
+- **Microsoft Download Center**: `download.microsoft.com`
> [!TIP] > Defender for IoT supports other cloud-connection methods, including proxies or multi-cloud vendors. For more information, see [OT sensor cloud connection methods](architecture-connections.md), [Connect your OT sensors to the cloud](connect-sensors.md), [Cloud-connected vs local sensors](architecture.md#cloud-connected-vs-local-sensors).
defender-for-iot Update Ot Software https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/update-ot-software.md
+
+ Title: Update Defender for IoT OT monitoring software versions
+description: Learn how to update (upgrade) Defender for IoT software on OT sensors and on-premises management servers.
Last updated : 06/02/2022+++
+# Update Defender for IoT OT monitoring software
+
+This article describes how to update Defender for IoT software versions on OT sensor and on-premises management console appliances.
+
+You can purchase preconfigured appliances for your sensors and on-premises management consoles, or install software on your own hardware machines. In either case, you'll need to update software versions to use new features for OT sensors and on-premises management consoles.
+
+For more information, see [Which appliances do I need?](ot-appliance-sizing.md), [Pre-configured physical appliances for OT monitoring](ot-pre-configured-appliances.md), and [What's new in Microsoft Defender for IoT?](release-notes.md).
+
+## Legacy version updates vs. recent version updates
+
+When downloading your update files from the Azure portal, youΓÇÖll see the option to download different files for different types of updates. Update files differ depending on the version youΓÇÖre updating from and updating to.
+
+Make sure to select the file that matches your upgrade scenario.
+
+Updates from legacy versions may require a series of software updates. For example, if you still have a sensor version 3.1.1 installed, you'll need to first upgrade to version 10.5.5, and then to a 22.x version.
++
+## Verify network requirements
+
+- Make sure that your sensors can reach the Azure data center address ranges and set up any extra resources required for the connectivity method your organization is using.
+
+ For more information, see [OT sensor cloud connection methods](architecture-connections.md) and [Connect your OT sensors to the cloud](connect-sensors.md).
+
+- Make sure that your firewall rules are configured as needed for the new version you're updating to. For example, the new version may require a new or modified firewall rule to support [sensor access to the Azure portal](how-to-set-up-your-network.md#sensor-access-to-azure-portal).
+
+ For more information, see [Networking requirements](how-to-set-up-your-network.md#networking-requirements).
+
+## Update an on-premises management console
+
+This procedure describes how to update Defender for IoT software on an on-premises management console, and is only relevant if your organization is using an on-premises management console to manage multiple sensors simultaneously.
+
+In such cases, make sure to update your on-premises management consoles *before* you update software on your sensors. This process takes about 30 minutes.
+
+> [!IMPORTANT]
+> The software version on your on-premises management console must be equal to that of your most up-to-date sensor version. Each on-premises management console version is backwards compatible to older, supported sensor versions, but cannot connect to newer sensor versions.
+>
+
+**To update on-premises management console software**:
+
+1. In the Azure portal, go to **Defender for IoT** > **Getting started** > **Updates**.
+
+1. Scroll down to the **On-premises management console** section, and select **Download** for the software update. Save your `management-secured-patcher-<version>.tar` file locally. For example:
+
+ :::image type="content" source="media/update-ot-software/on-premises-download.png" alt-text="Screenshot of the Download option for the on-premises management console." lightbox="media/update-ot-software/on-premises-download.png":::
+
+ Make sure to select the version for the update you're performing. For more information, see [Legacy version updates vs. recent version updates](#legacy-version-updates-vs-recent-version-updates).
+
+1. On your on-premises management console, select **System Settings** > **Version Update**.
+
+1. In the **Upload File** dialog, select **BROWSE FILE** and then browse to and select the update file you'd downloaded from the Azure portal.
+
+ The update process starts, and may take about 30 minutes. During your upgrade, the system is rebooted twice.
+
+ Sign in when prompted and check the version number listed in the bottom-left corner to confirm that the new version is listed.
+++
+## Update your sensors
+
+You can update software on your sensors individually, directly from each sensor console, or in bulk from the on-premises management console. Select one of the following tabs for the steps required in each method.
+
+> [!NOTE]
+> If you are updating from software versions earlier than [22.1.x](release-notes.md#update-to-version-221x), note that this version has a large update with more complicated background processes. Expect this update to take more time than earlier updates have required.
+>
+
+> [!IMPORTANT]
+> If you're using an on-premises management console to manage your sensors, make sure to update your on-premises management console software *before* you update your sensor software.
+>
+> On-premises management software is backwards compatible, and can connect to sensors with earlier versions installed, but not later versions. If you update your sensor software before updating your on-premises management console, the updated sensor will be disconnected from the on-premises management console.
+>
+> For more information, see [Update an on-premises management console](#update-an-on-premises-management-console).
+>
+
+# [From each sensor](#tab/sensor)
+
+This procedure describes how to manually download the new sensor software version and then run your update directly on the sensor console.
+
+**To update sensor software directly from the sensor console**:
+
+1. In the Azure portal, go to **Defender for IoT** > **Getting started** > **Updates**.
+
+1. From the **Sensors** section, select **Download** for the sensor update, and save your `<legacy/upstream>-sensor-secured-patcher-<version number>.tar` file locally. For example:
+
+ :::image type="content" source="media/how-to-manage-individual-sensors/updates-page.png" alt-text="Screenshot of the Updates page of Defender for IoT." lightbox="media/how-to-manage-individual-sensors/updates-page.png":::
+
+ Make sure you're downloading the correct file for the update you're performing. For more information, see [Legacy version updates vs. recent version updates](#legacy-version-updates-vs-recent-version-updates).
+
+1. On your sensor console, select **System Settings** > **Sensor management** > **Software Update**.
+
+1. On the **Software Update** pane on the right, select **Upload file**, and then navigate to and select your downloaded `legacy-sensor-secured-patcher-<Version number>.tar` file.
+
+ :::image type="content" source="media/how-to-manage-individual-sensors/upgrade-pane-v2.png" alt-text="Screenshot of the Software Update pane on the sensor." lightbox="media/how-to-manage-individual-sensors/upgrade-pane-v2.png":::
+
+ The update process starts, and may take about 30 minutes. During your upgrade, the system is rebooted twice.
+
+ Sign in when prompted, and then return to the **System Settings** > **Sensor management** > **Software Update** pane to confirm that the new version is listed.
+
+ :::image type="content" source="media/how-to-manage-individual-sensors/defender-for-iot-version.png" alt-text="Screenshot of the upgrade version that appears after you sign in." lightbox="media/how-to-manage-individual-sensors/defender-for-iot-version.png":::
+
+# [From an on-premises management console](#tab/onprem)
+
+This procedure describes how to update several sensors simultaneously from an on-premises management console.
+
+**Prerequisites**:
+
+If you're upgrading an on-premises management console and managed sensors, [first update the management console](#update-an-on-premises-management-console), and then update the sensors.
+
+The sensor update process won't succeed if you don't update the on-premises management console first.
+
+**To update several sensors**:
+
+1. On the Azure portal, go to **Defender for IoT** > **Updates**. Under **Sensors**, select **Download** and save the file.
+
+ :::image type="content" source="media/how-to-manage-individual-sensors/updates-page.png" alt-text="Screenshot of the Updates page of Defender for IoT." lightbox="media/how-to-manage-individual-sensors/updates-page.png":::
+
+ Make sure you're downloading the correct file for the update you're performing. For more information, see [Legacy version updates vs. recent version updates](#legacy-version-updates-vs-recent-version-updates).
+
+1. On your on-premises management console, select **System Settings**, and identify the sensors that you want to update.
+
+1. For any sensors you want to update, make sure that the **Automatic Version Updates** option is selected.
+
+ Also make sure that sensors you *don't* want to update are *not* selected.
+
+ Save your changes when you're finished selecting sensors to update.
++
+ :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/automatic-updates.png" alt-text="Screenshot of on-premises management console with Automatic Version Updates selected." lightbox="media/how-to-manage-sensors-from-the-on-premises-management-console/automatic-updates.png":::
+
+ > [!IMPORTANT]
+ > If your **Automatic Version Updates** option is red, you have a update conflict. For example, an update conflict might occur if you have multiple sensors marked for automatic updates but the sensors currently have different software versions installed. Select the option to resolve the conflict.
+ >
+
+1. Scroll down and on the right, select the **+** in the **Sensor version update** box. Browse to and select the update file you'd downloaded from the Azure portal.
+
+ Updates start running on each sensor selected for automatic updates.
+
+1. Go to the **Site Management** page to view the update status and progress for each sensor.
+
+ If updates fail, a retry option appears with an option to download the failure log. Retry the update process or open a support ticket with the downloaded log files for assistance.
+++
+> [!NOTE]
+> After upgrading to version 22.1.x, the new upgrade log can be found at the following path, accessed via SSH and the *cyberx_host* user: `/opt/sensor/logs/legacy-upgrade.log`.
+>
++
+## Download and apply a new activation file
+
+**Relevant only when updating from a legacy version to version 22.x or higher**
+
+This procedure is relevant only if you're updating sensors from software versions earlier than 22.1.x. Such updates require a new activation file for each sensor, which you'll use to activate the sensor before you [update the software](#update-your-sensors).
+
+**To prepare your sensor for update**:
+
+1. In Defender for IoT on the Azure portal, select **Sites and sensors** on the left.
+
+1. Select the site where you want to update your sensor, and then browse to the sensor you want to update.
+
+1. Expand the row for your sensor, select the options **...** menu on the right of the row, and then select **Prepare to update to 22.x**.
+
+ :::image type="content" source="media/how-to-manage-sensors-on-the-cloud/prepare-to-update.png" alt-text="Screenshot of the Prepare to update option." lightbox="media/how-to-manage-sensors-on-the-cloud/prepare-to-update.png":::
+
+1. <a name="activation-file"></a>In the **Prepare to update sensor to version 22.X** message, select **Let's go**.
+
+ A new row in the grid is added for sensor you're upgrading. In that added row, select to download the activation file.
+
+1. Verify that the status showing in the new sensor row has switched to **Pending activation**.
++
+> [!NOTE]
+> The previous sensor is not automatically deleted after your update. After you've updated the sensor software, make sure to [remove the previous sensor from Defender for IoT](#remove-your-previous-sensor).
+
+**To apply your activation file**:
+
+If you're upgrading from a legacy version to version 22.x or higher, make sure to apply the new activation file to your sensor.
+
+1. On your sensor, select **System settings > Sensor management > Subscription & Mode Activation**.
+
+1. In the **Subscription & Mode Activation** pane that appears on the right, select **Select file**, and then browse to and select the activation file you'd downloaded [earlier](#activation-file).
+
+1. In Defender for IoT on the Azure portal, monitor your sensor's activation status. When the sensor is fully activated:
+
+ - The sensor's **Overview** page shows an activation status of **Valid**.
+ - In the Azure portal, on the **Sites and sensors** page, the sensor is listed as **OT cloud connected** and with the updated sensor version.
++
+## Remove your previous sensor
+
+Your previous sensors continue to appear in the **Sites and sensors** page until you delete them. After you've applied your new activation file and updated sensor software, make sure to delete any remaining, previous sensors from Defender for IoT.
+
+Delete a sensor from the **Sites and sensors** page in the Azure portal. For more information, see [Sensor management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#sensor-management-options-from-the-azure-portal).
+
+## Remove private IoT Hubs
+
+If you've updated from a version earlier than 22.1.x, you may no longer need the private IoT Hubs you'd previously used to connect sensors to Defender for IoT.
+
+In such cases:
+
+1. Review your IoT hubs to ensure that it's not being used by other services.
+
+1. Verify that your sensors are connected successfully.
+
+1. Delete any private IoT Hubs that are no longer needed. For more information, see the [IoT Hub documentation](/azure/iot-hub/iot-hub-create-through-portal).
+
+## Next steps
+
+For more information, see:
+
+- [Install OT system software](how-to-install-software.md)
+- [Manage individual sensors](how-to-manage-individual-sensors.md)
+- [Manage sensors from the management console](how-to-manage-sensors-from-the-on-premises-management-console.md)
+- [Manage sensors with Defender for IoT in the Azure portal](how-to-manage-sensors-on-the-cloud.md)
+- [Manage the on-premises management console](how-to-manage-the-on-premises-management-console.md)
+- [Troubleshoot the sensor and on-premises management console](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md)
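Review bot: In the "From each sensor" tab, step 2 saves `<legacy/upstream>-sensor-secured-patcher-<version number>.tar`, but step 4 tells the reader to select `legacy-sensor-secured-patcher-<Version number>.tar`, which does not match for anyone who downloaded the upstream file; use the same placeholder in both steps. The "Download and apply a new activation file" section says the file is used to activate the sensor before the software update, yet it sits after "Update your sensors", so a reader working top to bottom meets it too late; move it ahead of "Update your sensors" or add a pointer at the start of that section. The portal path is also inconsistent: "**Defender for IoT** > **Getting started** > **Updates**" in two procedures and "**Defender for IoT** > **Updates**" in the on-premises management console tab. Smaller fixes: "you have a update conflict" should be "an update conflict", "Review your IoT hubs to ensure that it's not being used" mixes plural and singular, "A new row in the grid is added for sensor you're upgrading" is missing "the", and the added lines use a typographic apostrophe in "you'll" and "you're" under "Legacy version updates vs. recent version updates".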
defender-for-iot Workbooks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/workbooks.md
Title: Use Azure Monitor workbooks in Microsoft Defender for IoT description: Learn how to view and create Azure Monitor workbooks for Defender for IoT data. Previously updated : 03/06/2022 Last updated : 06/02/2022
-# Use Azure Monitor workbooks in Microsoft Defender for IoT (Public preview)
-
-> [!IMPORTANT]
->
-> The **Workbooks** page is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+# Use Azure Monitor workbooks in Microsoft Defender for IoT
Azure Monitor workbooks provide graphs, charts, and dashboards that visually reflect data stored in your Azure Resource Graph subscriptions and are available directly in Microsoft Defender for IoT.
event-grid Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/concepts.md
If Event Grid can't confirm that an event has been received by the subscriber's
When you use a custom topic, events must always be published in an array. This can be a batch of one for low-throughput scenarios, however, for high volume use cases, it's recommended that you batch several events together per publish to achieve higher efficiency. Batches can be up to 1 MB and the maximum size of an event is 1 MB.
+## Inline event type definitions
+Event Grid lets you define the types of events that will be published to a channel. With inline event type definitions, subscribers will be able to easily filter by event type when creating an event subscription.
## Next steps
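Review bot: The new "Inline event type definitions" section refers to publishing "to a channel" and to filtering by event type, but gives no link or step showing where the definitions are set or how a subscriber filters on them. Link to the channel description in the partner overview article, and add a blank line between the heading and its first paragraph, as the heading and body are on consecutive lines here.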
event-grid Partner Events Overview For Partners https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/partner-events-overview-for-partners.md
Registrations are global. That is, they aren't associated with a particular Azur
### Channel A Channel is a nested resource to a Partner Namespace. A channel has two main purposes:
- - It's the resource type that allows you to create partner resources on a customer's Azure subscription. When you create a channel of type `partner topic`, a partner topic is created on a customer's Azure subscription. A partner topic is the customer's resource where events from a partner system. Similarly, when a channel of type `partner destination` is created, a partner destination is created on a customer's Azure subscription. Partner destinations are resources that represent a partner system endpoint to where events are delivered. A channel along with partner topics and partner destinations enables bi-directional event integration.
-
+ - It's the resource type that allows you to create partner resources on a customer's Azure subscription. When you create a channel of type `partner topic`, a partner topic is created on a customer's Azure subscription. A partner topic is the customer's resource where events from a partner system. Similarly, when a channel of type `partner destination` is created, a partner destination is created on a customer's Azure subscription. Partner destinations are resources that represent a partner system endpoint to where events are delivered. A channel is the kind of resource, along with partner topics and partner destinations that enable bi-directional event integration.
+
A channel has the same lifecycle as its associated customer partner topic or destination. When a channel of type `partner topic` is deleted, for example, the associated customer's partner topic is deleted. Similarly, if the partner topic is deleted by the customer, the associated channel on your Azure subscription is deleted. - It's a resource that is used to route events. A channel of type ``partner topic`` is used to route events to a customer's partner topic. It supports two types of routing modes. - **Channel name routing**. With this kind of routing, you publish events using an http header called `aeg-channel-name` where you provide the name of the channel to which events should be routed. As channels are a partner's representation of partner topics, the events routed to the channel show on the customer's parter topic. This kind of routing is a new capability not present in `event channels`, which support only source-based routing. Channel name routing enables more use cases than the source-based routing and it's the recommended routing mode to choose. For example, with channel name routing a customer can request events that originate in different event sources to land on a single partner topic.
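Review bot: The sentence "A partner topic is the customer's resource where events from a partner system." has no verb and is carried over unchanged into the new text; complete it while this bullet is being edited. The reworded closing sentence, "A channel is the kind of resource, along with partner topics and partner destinations that enable bi-directional event integration.", is harder to parse than the line it replaces; consider keeping the removed wording, "A channel along with partner topics and partner destinations enables bi-directional event integration."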
A Channel is a nested resource to a Partner Namespace. A channel has two main pu
A customer can use your partner destination to send your service any kind of events available to [Event Grid](overview.md).
+ - A channel can store definitions for event types. These definitions can be added during the creation of a channel or once the channel is created in the configuration. The event type definitions allow a customer to subscribe to these events when using partner topics. [Learn more](concepts.md#inline-event-type-definitions).
+
+ >[!IMPORTANT]
+ >Event types can be managed in the channel and once the values are updated, changes will be reflected immediately in the associated partner topic.
+ ### Partner namespace A partner namespace is a regional resource that has an endpoint to publish events to Azure Event Grid. Partner namespaces contain either channels or event channels (legacy resource). You must create partner namespaces in regions where customers request partner topics or destinations because channels and their corresponding partner resources must reside in the same region. You can't have a channel in a given region with its related partner topic, for example, located in a different region.
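Review bot: The added bullet "A channel can store definitions for event types" is at the same list level as the items introduced by "A channel has two main purposes", so the list now has three items under a two-item intro. Update the intro or move the event type text into its own paragraph after the list. The link text "[Learn more]" should also name its target, for example "Inline event type definitions".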
You have two options:
- [Partner topics onboarding form](https://aka.ms/gridpartnerform) - [Partner topics overview](partner-events-overview.md) - [Auth0 partner topic](auth0-overview.md)-- [How to use the Auth0 partner topic](auth0-how-to.md)
+- [How to use the Auth0 partner topic](auth0-how-to.md)
event-hubs Event Hubs Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-samples.md
Title: Samples - Azure Event Hubs | Microsoft Docs description: This article provides a list of samples for Azure Event Hubs that are on GitHub. Previously updated : 09/15/2021 Last updated : 07/05/2022
You can find Event Hubs samples on [GitHub](https://github.com/Azure/azure-event
| - | - | | Azure.Messaging.EventHubs version 5 (latest) | [Event Hubs samples on GitHub](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/eventhub/Azure.Messaging.EventHubs/samples)<br/>[Event Hubs Processor samples on GitHub](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/eventhub/Azure.Messaging.EventHubs.Processor/samples) | | Microsoft.Azure.EventHubs version 4 (legacy) | [GitHub location](https://github.com/Azure/azure-event-hubs/tree/master/samples/DotNet/) |
+| Samples in the Azure Samples repository | [GitHub location](https://github.com/orgs/Azure-Samples/repositories?q=event-hubs&type=all&language=c%23) |
## Java samples
You can find Event Hubs samples on [GitHub](https://github.com/Azure/azure-event
| - | - | | azure-messaging-eventhubs version 5 (latest) | [GitHub location](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/eventhubs/azure-messaging-eventhubs/src/samples/java/com/azure/messaging/eventhubs) | | azure-eventhubs version 3 (legacy) | [GitHub location](https://github.com/Azure/azure-event-hubs/tree/master/samples/Java/) |
+| Samples in the Azure Samples repository | [GitHub location](https://github.com/orgs/Azure-Samples/repositories?q=event-hubs&type=all&language=java) |
## Python samples
expressroute Expressroute Faqs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-faqs.md
No. We do not support layer 2 connectivity extensions into Azure.
### Can I have more than one ExpressRoute circuit in my subscription?
-Yes. You can have more than one ExpressRoute circuit in your subscription. The default limit is set to 10. You can contact Microsoft Support to increase the limit, if needed.
+Yes. You can have more than one ExpressRoute circuit in your subscription. The default limit is set to 50. You can contact Microsoft Support to increase the limit, if needed.
### Can I have ExpressRoute circuits from different service providers?
Vnet-to-Vnet connectivity over ExpressRoute is not recommended. To acheive this,
### Does the ExpressRoute service store customer data?
-No.
+No.
expressroute Expressroute Optimize Routing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-optimize-routing.md
There are two solutions to the problem. The first one is that you simply adverti
The second solution is that you continue to advertise both of the prefixes on both ExpressRoute circuits, and in addition you give us a hint of which prefix is close to which one of your offices. Because we support BGP AS Path prepending, you can configure the AS Path for your prefix to influence routing. In this example, you can lengthen the AS PATH for 172.2.0.0/31 in US East so that we will prefer the ExpressRoute circuit in US West for traffic destined for this prefix (as our network will think the path to this prefix is shorter in the west). Similarly you can lengthen the AS PATH for 172.2.0.2/31 in US West so that we'll prefer the ExpressRoute circuit in US East. Routing is optimized for both offices. With this design, if one ExpressRoute circuit is broken, Exchange Online can still reach you via another ExpressRoute circuit and your WAN. > [!IMPORTANT]
-> We remove private AS numbers in the AS PATH for the prefixes received on Microsoft Peering and Private Peering when peering using a private AS number. You need to peer with a public AS and append public AS numbers in the AS PATH to influence routing for Microsoft Peering.
+> We remove private AS numbers in the AS PATH for the prefixes received on Microsoft Peering when peering using a private AS number. You need to peer with a public AS and append public AS numbers in the AS PATH to influence routing for Microsoft Peering.
> >
frontdoor Create Front Door Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-template.md
# Quickstart: Create a Front Door Standard/Premium using an ARM template
-This quickstart describes how to use an Azure Resource Manager template (ARM Template) to create an Azure Front Door Standard/Premium with a Web App as origin
+This quickstart describes how to use an Azure Resource Manager template (ARM Template) to create an Azure Front Door Standard/Premium with a Web App as origin.
[!INCLUDE [About Azure Resource Manager](../../includes/resource-manager-quickstart-introduction.md)]
In this quickstart, you'll create a Front Door Standard/Premium, an App Service,
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.cdn/front-door-standard-premium-app-service-public/azuredeploy.json":::
-One Azure resource is defined in the template:
+Multiple Azure resources are defined in the template:
* [**Microsoft.Network/frontDoors**](/azure/templates/microsoft.network/frontDoors)
+* [**Microsoft.Web/serverfarms**](/azure/templates/microsoft.web/serverfarms) (App service plan to host web apps)
+* [**Microsoft.Web/sites**](/azure/templates/microsoft.web/sites) (Web app origin servicing request for Front Door)
+*
## Deploy the template 1. Select **Try it** from the following code block to open Azure Cloud Shell, and then follow the instructions to sign in to Azure.
-> [!NOTE]
-> If you want to deploy Azure Front Door Premium instead of Standard substitute the value of the sku parameter with `Premium_AzureFrontDoor`. For detailed comparison, view [Azure Front Door tier comparison](standard-premium/tier-comparison.md).
+ > [!NOTE]
+ > If you want to deploy Azure Front Door Premium instead of Standard substitute the value of the sku parameter with `Premium_AzureFrontDoor`. For detailed comparison, view [Azure Front Door tier comparison](standard-premium/tier-comparison.md).
-```azurepowershell-interactive
-$projectName = Read-Host -Prompt "Enter a project name that is used for generating resource names"
-$location = Read-Host -Prompt "Enter the location (i.e. centralus)"
-$templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.cdn/front-door-standard-premium-app-service-public/azuredeploy.json"
+ ```azurepowershell-interactive
+ $projectName = Read-Host -Prompt "Enter a project name that is used for generating resource names"
+ $location = Read-Host -Prompt "Enter the location (i.e. centralus)"
+ $templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.cdn/front-door-standard-premium-app-service-public/azuredeploy.json"
-$resourceGroupName = "${projectName}rg"
+ $resourceGroupName = "${projectName}rg"
-New-AzResourceGroup -Name $resourceGroupName -Location "$location"
-New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri $templateUri -frontDoorSkuName Standard_AzureFrontDoor
+ New-AzResourceGroup -Name $resourceGroupName -Location "$location"
+ New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri $templateUri -frontDoorSkuName Standard_AzureFrontDoor
-Read-Host -Prompt "Press [ENTER] to continue ..."
-```
+ Read-Host -Prompt "Press [ENTER] to continue ..."
+ ```
-Wait until you see the prompt from the console.
+ Wait until you see the prompt from the console.
-2. Select **Copy** from the previous code block to copy the PowerShell script.
+1. Select **Copy** from the previous code block to copy the PowerShell script.
-3. Right-click the shell console pane and then select **Paste**.
+1. Right-click the shell console pane and then select **Paste**.
-4. Enter the values.
+1. Enter the values.
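Review bot: The added resource list ends with an empty bullet (a line containing only `*`), which renders as a blank list item; remove it. While the list is being extended, also check the first entry: it names `Microsoft.Network/frontDoors`, but the template referenced in this article lives under `quickstarts/microsoft.cdn/front-door-standard-premium-app-service-public`, so confirm that the listed resource types match what the template actually declares.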
The template deployment creates a Front Door with a web app as origin
Azure PowerShell is used to deploy the template. In addition to Azure PowerShell
1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **Resource groups** from the left pane.
+1. Select **Resource groups** from the left pane.
-3. Select the resource group that you created in the previous section. The default resource group name is the project name with **rg** appended.
+1. Select the resource group that you created in the previous section. The default resource group name is the project name with **rg** appended.
-4. Select the Front Door you created previously and you'll be able to see the endpoint hostname. Copy the hostname and paste it on to the address bar of a browser. Press enter and your request will automatically get routed to the web app.
+1. Select the Front Door you created previously and you'll be able to see the endpoint hostname. Copy the hostname and paste it on to the address bar of a browser. Press enter and your request will automatically get routed to the web app.
:::image type="content" source="./media/create-front-door-portal/front-door-web-app-origin-success.png" alt-text="Screenshot of the message: Your web app is running and waiting for your content.":::
Remove-AzResourceGroup -Name <your resource group name>
## Next steps
-In this quickstart, you created a Front Door.
+In this quickstart, you created a:
+
+* Front Door
+* App Service plan
+* Web App
To learn how to add a custom domain to your Front Door, continue to the Front Door tutorials.
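Review bot: the new lead-in "In this quickstart, you created a:" does not read correctly against the bullets ("a: App Service plan"). Suggest "In this quickstart, you created the following resources:" instead. The cleanup command in the context line above removes the whole resource group, so the three bullets match what is deleted; it may be worth saying so next to the list.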
frontdoor Front Door Http Headers Protocol https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-http-headers-protocol.md
Front Door includes headers for an incoming request unless they're removed becau
| X-Forwarded-Host | *X-Forwarded-Host: contoso.azurefd.net* </br> The X-Forwarded-Host HTTP header field is a common method used to identify the original host requested by the client in the Host HTTP request header. This is because the host name from Front Door may differ for the backend server handling the request. Any previous value will be overridden by Front Door. | | X-Forwarded-Proto | *X-Forwarded-Proto: http* </br> The X-Forwarded-Proto HTTP header field is often used to identify the originating protocol of an HTTP request. Front Door based on configuration might communicate with the backend by using HTTPS. This is true even if the request to the reverse proxy is HTTP. Any previous value will be overridden by Front Door. | | X-FD-HealthProbe | X-FD-HealthProbe HTTP header field is used to identify the health probe from Front Door. If this header is set to 1, the request is from the health probe. It can be used to restrict access from Front Door with a particular value for the X-Forwarded-Host header field. |
-| X-Azure-FDID | *X-Azure-FDID header: 437c82cd-360a-4a54-94c3-5ff707647783* </br> This field contains frontdoorID that can be used to identify which Front Door the incoming request is from. This field is populated by Front Door service. |
## Front Door to client
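Review bot: deleting the `X-Azure-FDID` row leaves this table with no entry for the header that identifies which Front Door a request came from, and the hunk shows no replacement text or link. If the header is still sent to the backend, keep the row or point to where it is now documented, because the remaining `X-FD-HealthProbe` row only talks about restricting access by `X-Forwarded-Host` value.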
governance Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/overview.md
Title: Overview of Azure Policy description: Azure Policy is a service in Azure, that you use to create, assign and, manage policy definitions in your Azure environment. Previously updated : 06/22/2022 Last updated : 07/05/2022
to users who do not need them.
### Special permissions requirement for Azure Policy with Azure Virtual Network Manager (preview)
-[Azure Virtual Network Manager (preview)](../../virtual-network-manager/overview.md) enables you to apply consistent management and security policies to multiple Azure virtual networks (VNets) throughout your cloud infrastructure. Azure Virtual Network Manager dynamic groups use read-only Azure Policy definitions to evaluate VNet membership in those groups.
+[Azure Virtual Network Manager (preview)](../../virtual-network-manager/overview.md) enables you to apply consistent management and security policies to multiple Azure virtual networks (VNets) throughout your cloud infrastructure. Azure Virtual Network Manager dynamic groups use Azure Policy definitions to evaluate VNet membership in those groups.
-To create, edit, or delete Azure Virtual Network Manager dynamic group policies, you need not only appropriate read and write Azure Policy RBAC permissions as described previously, but also permissions to write on the network group.
+To create, edit, or delete Azure Virtual Network Manager dynamic group policies, you need not only appropriate read and write Azure Policy RBAC permissions as described previously, but also permissions to join the network group.
-Specifically, the required resource provider permissions are:
--- Microsoft.Network/networkManagerConnections/write-- Microsoft.Network/networkManagers/networkGroups/write-- Microsoft.Authorization/policyAssignments/write
+Specifically, the required resource provider permission is `Microsoft.Network/networkManagers/networkGroups/join/action`.
### Resources covered by Azure Policy
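Review bot: the added sentence names `Microsoft.Network/networkManagers/networkGroups/join/action` but not the scope it has to be granted at (the network group, the network manager, or higher). State the scope so readers can assign it narrowly. The list being removed included `Microsoft.Authorization/policyAssignments/write`; confirm it is covered by the "read and write Azure Policy RBAC permissions as described previously" in the sentence above, otherwise the new text under-documents what is needed.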
healthcare-apis Deploy Iot Connector In Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/iot/deploy-iot-connector-in-azure.md
Title: Deploy the MedTech service in the Azure portal - Azure Health Data Services
-description: In this article, you'll learn how to deploy the MedTech service in the Azure portal.
+description: In this article, you'll learn how to deploy the MedTech service in the Azure portal using either a quickstart template or manually.
Previously updated : 06/30/2022 Last updated : 07/05/2022
In this quickstart, you'll learn how to deploy the MedTech service in the Azure
If you already have an active Azure account, you can use this [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.healthcareapis%2Fworkspaces%2Fiotconnectors%2Fazuredeploy.json) button to deploy a MedTech service that will include the following resources and permissions:
- * An Azure Event Hubs Namespace and device message event hub (the event hub is named: **devicedata**).
+ * An Azure Event Hubs Namespace and device message Azure event hub (the event hub is named: **devicedata**).
+ * An Azure event hub consumer group (the consumer group is named: **$Default**).
* An Azure event hub sender role (the sender role is named: **devicedatasender**). * An Azure Health Data Services workspace. * An Azure Health Data Services FHIR service.
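Review bot: the new bullet says the template creates only the **$Default** consumer group, while the IMPORTANT note added later in this change recommends a separate consumer group per consuming service. Add a sentence here that a second reader of **devicedata** needs its own consumer group created after deployment, so the two statements don't appear to conflict.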
After a successful deployment, there will be remaining configurations that will
* Provide a working destination mapping file. For more information, see [How to use FHIR destination mappings](how-to-use-fhir-mappings.md). * Use the Shared access policies (SAS) key (**devicedatasender**) for connecting your device or application to the MedTech service device message event hub (**devicedata**). For more information, see [Connection string for a specific event hub in a namespace](../../event-hubs/event-hubs-get-connection-string.md#connection-string-for-a-specific-event-hub-in-a-namespace).
+> [!IMPORTANT]
+> If you're going to allow access from multiple services to the device message event hub, it is highly recommended that each service has its own event hub consumer group.
+>
+> Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets. For more information, see [Consumer groups](../../event-hubs/event-hubs-features.md#consumer-groups).
+>
+> Examples:
+>* Two MedTech services accessing the same device message event hub.
+>* A MedTech service and a storage writer application accessing the same device message event hub.
+ ## Deploy the MedTech service manually ## Prerequisites
It's important that you have the following prerequisites completed before you be
* [Workspace deployed in Azure Health Data Services](../healthcare-apis-quickstart.md) * [FHIR service deployed in Azure Health Data Services](../fhir/fhir-portal-quickstart.md)
-> [!IMPORTANT]
-> If you're going to allow access from multiple services to the device message event hub, it is highly recommended that each service has its own event hub consumer group.
->
-> Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets. For more information, see, [Consumer groups](../../event-hubs/event-hubs-features.md#consumer-groups).
->
-> Examples:
->* Two MedTech services accessing the same device message event hub.
->* A MedTech service and a storage writer application accessing the same device message event hub.
- 1. Sign in the [Azure portal](https://portal.azure.com), and then enter your Health Data Services workspace resource name in the **Search** bar field. ![Screenshot of entering the workspace resource name in the search bar field.](media/select-workspace-resource-group.png#lightbox)
Under the **Basics** tab, complete the required fields under **Instance details*
1. Enter the **MedTech service name**.
- The **MedTech service name** is a friendly name for MedTech service. Enter a unique name for your IoT connector. As an example, you can name it `healthdemo-iot`.
+ The **MedTech service name** is a friendly name for the MedTech service. Enter a unique name for your MedTech service. As an example, you can name it `healthdemo-iot`.
2. Enter the **Event Hub name**.
Under the **Basics** tab, complete the required fields under **Instance details*
![Screenshot of Consumer group name.](media/consumer-group-name.png#lightbox)
- For information about Consumer Groups, see [Features and terminology in Azure Event Hubs](../../event-hubs/event-hubs-features.md?WT.mc_id=Portal-Microsoft_Healthcare_APIs#event-consumers).
+> [!IMPORTANT]
+> If you're going to allow access from multiple services to the device message event hub, it is highly recommended that each service has its own event hub consumer group.
+>
+> Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets. For more information, see [Consumer groups](../../event-hubs/event-hubs-features.md#consumer-groups).
+>
+> Examples:
+>* Two MedTech services accessing the same device message event hub.
+>* A MedTech service and a storage writer application accessing the same device message event hub.
4. Enter the name of the **Fully Qualified Namespace**.
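Review bot: the added `> [!IMPORTANT]` block starts at column 0, while the line it replaces was indented under step 3, so the note will render outside the list item and can break the step sequence before "4." Indent it to match. The same block is also added verbatim earlier in this file; consider an include so the two copies can't drift.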
To ensure that your MedTech service works properly, it must have granted access
`<your workspace name>/iotconnectors/<your MedTech service name>`
- When you deploy a MedTech service, it creates a managed identity. The managed identify name is a concatenation of the workspace name, resource type (that's the MedTech service), and the name of the MedTech service.
+ When you deploy a MedTech service, it creates a system managed identity. The system managed identify name is a concatenation of the workspace name, resource type (that's the MedTech service), and the name of the MedTech service.
7. Select **Save**.
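Review bot: the added line carries over the typo "managed identify name" and should read "managed identity name". While editing it, "system managed identity" would be clearer as "system-assigned managed identity", which is the term readers will see when they assign the role.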
iot-develop Tutorial Configure Tsi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-develop/tutorial-configure-tsi.md
- Title: Tutorial - Use Azure Time Series Insights to store and analyze your Azure IoT Plug and Play device telemetry
-description: Tutorial - Set up a Time Series Insights environment and connect your IoT hub to view and analyze telemetry from your IoT Plug and Play devices.
--- Previously updated : 10/14/2020----
-# Customer intent: As an IoT solution builder, I want to historize and analyze data from my IoT Plug and Play devices by routing to Time Series Insights.
--
-# Tutorial: Create and configure a Time Series Insights Gen2 environment
-
-In this tutorial, you learn how to create and configure an [Azure Time Series Insights Gen2](../time-series-insights/overview-what-is-tsi.md) environment to integrate with your IoT Plug and Play solution. Use Time Series Insights to collect, process, store, query, and visualize time series data at the scale of Internet of Things (IoT).
-
-In this tutorial, you
-
-> [!div class="checklist"]
-> * Provision a Time Series Insights environment and connect your IoT hub as a streaming event source.
-> * Work through model synchronization to author your [Time Series Model](../time-series-insights/concepts-model-overview.md).
-> * Use the [Digital Twins Definition Language (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl) sample model files that you used for the temperature controller and thermostat devices.
-
-> [!NOTE]
-> This integration between Time Series Insights and IoT Plug and Play is in preview. The way that DTDL device models map to the Time Series Insights Time Series Model might change.
-
-## Prerequisites
--
-At this point, you have:
-
-* An Azure IoT hub.
-* A Device Provisioning Service (DPS) instance linked to your IoT hub. The DPS instance should have an individual device enrollment for your IoT Plug and Play device.
-* A connection to your IoT hub from either a single-component device or a multiple-component device that streams simulated data.
-
-## Prepare your event source
-
-The IoT hub you created previously will be your Time Series Insights environment's [event source](../time-series-insights/concepts-streaming-ingestion-event-sources.md).
-
-> [!IMPORTANT]
-> Disable any existing IoT Hub routes. There's a known issue with using an IoT hub with [routing](../iot-hub/iot-hub-devguide-messages-d2c.md#routing-endpoints) configured. Temporarily disable any routing endpoints. When your IoT hub is connected to Time Series Insights, you can enable routing endpoints again.
-
-On your IoT hub, create a unique consumer group for Time Series Insights to consume. In the following example, replace `my-pnp-hub` with the name of the IoT hub you used previously.
-
-```azurecli-interactive
-az iot hub consumer-group create --hub-name my-pnp-hub --name tsi-consumer-group
-```
-
-## Choose a Time Series ID
-
-When you provision your Time Series Insights environment, you need to select a *Time Series ID*. It's important to select the appropriate Time Series ID. This property is immutable and can't be changed after it's set. A Time Series ID is like a database partition key. The Time Series ID acts as the primary key for your Time Series Model. For more information, see [Best practices for choosing a Time Series ID](../time-series-insights/how-to-select-tsid.md).
-
-As an IoT Plug and Play user, for your Time Series ID, specify a _composite key_ that consists of `iothub-connection-device-id` and `dt-subject`. The IoT hub adds these system properties that contain your IoT Plug and Play device ID and your device component names, respectively.
-
-Even if your IoT Plug and Play device models don't currently use components, you should include `dt-subject` as part of a composite key so that you can use components in the future. Because your Time Series ID is immutable, Microsoft recommends enabling this option in case you need it in the future.
-
-> [!NOTE]
-> The examples in this article are for the multiple-component `TemperatureController` device. But the concepts are the same for the no-component `Thermostat` device.
-
-## Provision your Time Series Insights environment
-
-This section describes how to provision your Azure Time Series Insights Gen2 environment.
-
-Run the following command to:
-
-* Create an Azure storage account for your environment's [cold store](../time-series-insights/concepts-storage.md#cold-store). This account is designed for long-term retention and analytics for historical data.
- * In your code, replace `mytsicoldstore` with a unique name for your cold storage account.
-* Create an Azure Time Series Insights Gen2 environment. The environment will be created with warm storage that has a retention period of seven days. The cold storage account will be attached for infinite retention.
- * In your code, replace `my-tsi-env` with a unique name for your Time Series Insights environment.
- * In your code, replace `my-pnp-resourcegroup` with the name of the resource group you used during setup.
- * Your Time Series ID property is `iothub-connection-device-id, dt-subject`.
-
-```azurecli-interactive
-storage=mytsicoldstore
-rg=my-pnp-resourcegroup
-az storage account create -g $rg -n $storage --https-only
-key=$(az storage account keys list -g $rg -n $storage --query [0].value --output tsv)
-az tsi environment gen2 create --name "my-tsi-env" --location eastus2 --resource-group $rg --sku name="L1" capacity=1 --time-series-id-properties name=iothub-connection-device-id type=String --time-series-id-properties name=dt-subject type=String --warm-store-configuration data-retention=P7D --storage-configuration account-name=$storage management-key=$key
-```
-
-Connect your IoT Hub event source. Replace `my-pnp-resourcegroup`, `my-pnp-hub`, and `my-tsi-env` with the values you chose. The following command references the consumer group for Time Series Insights that you created previously:
-
-```azurecli-interactive
-rg=my-pnp-resourcegroup
-iothub=my-pnp-hub
-env=my-tsi-env
-es_resource_id=$(az iot hub create -g $rg -n $iothub --query id --output tsv)
-shared_access_key=$(az iot hub policy list -g $rg --hub-name $iothub --query "[?keyName=='service'].primaryKey" --output tsv)
-az tsi event-source iothub create --event-source-name iot-hub-event-source --environment-name $env --resource-group $rg --location eastus2 --consumer-group-name tsi-consumer-group --key-name iothubowner --shared-access-key $shared_access_key --event-source-resource-id $es_resource_id --iot-hub-name $iothub
-```
-
-In the [Azure portal](https://portal.azure.com), go to your resource group, and then select your new Time Series Insights environment. Go to the **Time Series Insights Explorer URL** shown in the instance overview:
-
-![Screenshot of the portal overview page.](./media/tutorial-configure-tsi/view-environment.png)
-
-In the Explorer, you see three instances:
-
-* &lt;your pnp device ID&gt;, thermostat1
-* &lt;your pnp device ID&gt;, thermostat2
-* &lt;your pnp device ID&gt;, `null`
-
-> [!NOTE]
-> The third tag represents telemetry from the `TemperatureController` itself, such as the working set of device memory. Because this is a top-level property, the value for the component name is null. In a later step, you make this name more user-friendly.
-
-![Screenshot showing three instances in the Explorer.](./media/tutorial-configure-tsi/tsi-env-first-view.png)
-
-## Configure model translation
-
-Next, you translate your DTDL device model to the asset model in Azure Time Series Insights. In Time Series Insights, the Time Series Model is a semantic modeling tool for data contextualization. The model has three core components:
-
-* [Time Series Model instances](../time-series-insights/concepts-model-overview.md#time-series-model-instances) are virtual representations of the time series themselves. Instances are uniquely identified by your Time Series ID.
-* [Time Series Model hierarchies](../time-series-insights/concepts-model-overview.md#time-series-model-hierarchies) organize instances by specifying property names and their relationships.
-* [Time Series Model types](../time-series-insights/concepts-model-overview.md#time-series-model-types) help you define [variables](../time-series-insights/concepts-variables.md) or formulas for computations. Types are associated with a specific instance.
-
-### Define your types
-
-You can begin ingesting data into Azure Time Series Insights Gen2 without having predefined a model. When telemetry arrives, Time Series Insights attempts to automatically resolve time series instances based on your Time Series ID property values. All instances are assigned the *default type*. You need to manually create a new type to correctly categorize your instances.
-
-The following details outline the simplest method to synchronize your device DTDL models with your Time Series Model types:
-
-* Your digital twin model identifier becomes your type ID.
-* The type name can be either the model name or the display name.
-* The model description becomes the type's description.
-* At least one type variable is created for each telemetry that has a numeric schema.
- * Only numeric data types can be used for variables, but if a value is sent as another type that can be converted, `"0"` for example, you can use a [conversion](/rest/api/time-series-insights/reference-time-series-expression-syntax#conversion-functions) function such as `toDouble`.
-* The variable name can be either the telemetry name or the display name.
-* When you define the Time Series Expression variable, refer to the telemetry's name on the wire and to the telemetry's data type.
-
-| DTDL JSON | Time Series Model type JSON | Example value |
-|--||-|
-| `@id` | `id` | `dtmi:com:example:TemperatureController;1` |
-| `displayName` | `name` | `Temperature Controller` |
-| `description` | `description` | `Device with two thermostats and remote reboot.` |
-|`contents` (array)| `variables` (object) | See the following example.
-
-![Screenshot showing D T D L to Time Series Model type.](./media/tutorial-configure-tsi/dtdl-to-tsm-type-update.png)
-
-> [!NOTE]
-> This example shows three variables, but each type can have up to 100 variables. Different variables can reference the same telemetry value to do different calculations as needed. For the full list of filters, aggregates, and scalar functions, see [Time Series Insights Gen2 Time Series Expression syntax](/rest/api/time-series-insights/reference-time-series-expression-syntax).
-
-Open a text editor and save the following JSON to your local drive.
-
-```JSON
-{
- "put": [
- {
- "id": "dtmi:com:example:TemperatureController;1",
- "name": "Temperature Controller",
- "description": "Device with two thermostats and remote reboot.",
- "variables": {
- "workingSet": {
- "kind": "numeric",
- "value": {
- "tsx": "coalesce($event.workingSet.Long, toLong($event.workingSet.Double))"
- },
- "aggregation": {
- "tsx": "avg($value)"
- }
- },
- "temperature": {
- "kind": "numeric",
- "value": {
- "tsx": "coalesce($event.temperature.Long, toLong($event.temperature.Double))"
- },
- "aggregation": {
- "tsx": "avg($value)"
- }
- },
- "eventCount": {
- "kind": "aggregate",
- "aggregation": {
- "tsx": "count()"
- }
- }
- }
- }
- ]
-}
-```
-
-In the Time Series Insights Explorer, select the model icon on the left to open the **Model** tab. Select **Types** and then select **Upload JSON**:
-
-![Screenshot showing how to upload JSON.](./media/tutorial-configure-tsi/upload-type.png)
-
-Select **Choose file**, select the JSON you saved previously, and then select **Upload**.
-
-You see the newly defined **Temperature Controller** type.
-
-### Create a hierarchy
-
-Create a hierarchy to organize the tags under their `TemperatureController` parent. The following simple example has a single level, but IoT solutions commonly have many levels of nesting to contextualize tags within their physical and semantic position within an organization.
-
-Select **Hierarchies** and then select **Add hierarchy**. For the name, enter *Device Fleet*. Create one level called *Device Name*. Then select **Save**.
-
-![Screenshot showing how to add a hierarchy.](./media/tutorial-configure-tsi/add-hierarchy.png)
-
-### Assign your instances to the correct type
-
-Next you change the type of your instances and place them in the hierarchy.
-
-Select the **Instances** tab. Find the instance that represents the device's working set, and then select the **Edit** icon on the far right.
-
-![Screenshot showing how to edit an instance.](./media/tutorial-configure-tsi/edit-instance.png)
-
-Open the **Type** drop-down menu and then select **Temperature Controller**. Enter *defaultComponent, \<your device name\>* to update the name of the instance that represents all top-level tags associated with your device.
-
-![Screenshot showing how to change an instance type.](./media/tutorial-configure-tsi/change-type.png)
-
-Before you select **Save**, first select the **Instance Fields** tab, and then select **Device Fleet**. To group the telemetry together, enter *\<your device name\> - Temp Controller*. Then select **Save**.
-
-![Screenshot showing how to assign an instance to a hierarchy](./media/tutorial-configure-tsi/assign-to-hierarchy.png)
-
-Repeat the previous steps to assign your thermostat tags the correct type and hierarchy.
-
-## View your data
-
-Go back to the charting pane and expand **Device Fleet** > your device. Select **thermostat1**, select the **Temperature** variable, and then select **Add** to chart the value. Do the same for **thermostat2** and the **defaultComponent** **workingSet** value.
-
-![Screenshot showing how to change the instance type for thermostat2.](./media/tutorial-configure-tsi/charting-values.png)
-
-## Clean up resources
--
-## Next steps
-
-> [!div class="nextstepaction"]
-> To learn more about the various charting options, including interval sizing and y-axis controls, see [Azure Time Series Insights Explorer](../time-series-insights/concepts-ux-panels.md).
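Review bot: the whole tutorial is deleted here, but nothing visible in this change adds a redirect or updates pages and TOC entries that link to `tutorial-configure-tsi.md`. Include the redirect and link cleanup in the same commit so existing references don't end in a 404.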
iot-edge How To Manage Device Certificates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-edge/how-to-manage-device-certificates.md
To learn more about the different types of certificates and their roles, see [Un
>[!NOTE] >The term "root CA" used throughout this article refers to the topmost authority public certificate of the certificate chain for your IoT solution. You do not need to use the certificate root of a syndicated certificate authority, or the root of your organization's certificate authority. In many cases, it is actually an intermediate CA public certificate.
+<!-- 1.2 -->
+
+## Changes in version 1.2
+
+* The **device CA certificate** was renamed as **edge CA certificate**.
+* The **workload CA certificate** was deprecated. Now the IoT Edge security manager generates the IoT Edge hub server certificate directly from the edge CA certificate, without the intermediate workload CA certificate between them.
+
+<!-- end-1.2 -->
+ ### Prerequisites * An IoT Edge device.
To learn more about the different types of certificates and their roles, see [Un
You should use your own certificate authority to create the following files:
+<!-- 1.2 -->
+* Root CA
+* Edge CA certificate
+* Edge CA private key
+<!-- end-1.2 -->
+
+<!-- 1.1 -->
* Root CA * Device CA certificate * Device CA private key
+<!-- end-1.1 -->
In this article, what we refer to as the *root CA* is not the topmost certificate authority for an organization. It's the topmost certificate authority for the IoT Edge scenario, which the IoT Edge hub module, user modules, and any downstream devices use to establish trust between each other.
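Review bot: the new 1.2 list and the existing 1.1 list are separated only by HTML comments (`<!-- 1.2 -->`, `<!-- 1.1 -->`), which do not affect rendering. Unless each list is wrapped in a `:::moniker range` block, both "Edge CA certificate" and "Device CA certificate" lists will show for every version. Wrap them the way the other versioned sections in this article are wrapped.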
In this article, what we refer to as the *root CA* is not the topmost certificat
> Currently, a limitation in libiothsm prevents the use of certificates that expire on or after January 1, 2038. :::moniker-end
+<!-- end-1.1 -->
To see an example of these certificates, review the scripts that create demo certificates in [Managing test CA certificates for samples and tutorials](https://github.com/Azure/iotedge/tree/master/tools/CACertificates).
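Review bot: the added `<!-- end-1.1 -->` sits after a `:::moniker-end` with no matching `<!-- 1.1 -->` opener visible in this hunk, and a `<!-- end-1.1 -->` was already added a few lines up. Check that each marker pairs with one opener, otherwise the comments mislead the next editor about where the 1.1 content stops.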
Copy the three certificate and key files onto your IoT Edge device.
If you used the sample scripts to [create demo certificates](how-to-create-test-certificates.md), the three certificate and key files are located at the following paths:
+<!-- 1.2 -->
+* Edge CA certificate: `<WRKDIR>\certs\iot-edge-device-MyEdgeDeviceCA-full-chain.cert.pem`
+* Edge CA private key: `<WRKDIR>\private\iot-edge-device-MyEdgeDeviceCA.key.pem`
+* Root CA: `<WRKDIR>\certs\azure-iot-test-only.root.ca.cert.pem`
+<!-- end-1.2 -->
+
+<!-- 1.1 -->
* Device CA certificate: `<WRKDIR>\certs\iot-edge-device-MyEdgeDeviceCA-full-chain.cert.pem` * Device CA private key: `<WRKDIR>\private\iot-edge-device-MyEdgeDeviceCA.key.pem` * Root CA: `<WRKDIR>\certs\azure-iot-test-only.root.ca.cert.pem`
+<!-- end-1.1 -->
You can use a service like [Azure Key Vault](../key-vault/index.yml) or a function like [Secure copy protocol](https://www.ssh.com/ssh/scp/) to move the certificate files. If you generated the certificates on the IoT Edge device itself, you can skip this step and use the path to the working directory.
If you are using IoT Edge for Linux on Windows, you need to use the SSH key loca
```toml [edge_ca]
- cert = "file:///<path>/<device CA cert>"
- pk = "file:///<path>/<device CA key>"
+ cert = "file:///<path>/<edge CA cert>"
+ pk = "file:///<path>/<edge CA key>"
``` 1. Make sure that the service has read permissions for the directories holding the certificates and keys.
If you are using IoT Edge for Linux on Windows, you need to use the SSH key loca
* The certificate files should be owned by the **aziotcs** group. >[!TIP]
- >If your device CA certificate is read-only, meaning you created it and don't want the IoT Edge service to rotate it, set the private key file to mode 0440 and the certificate file to mode 0444. If you created the initial files and then configured the cert service to rotate the device CA certificate in the future, set the private key file to mode 0660 and the certificate file to mode 0664.
+ >If your edge CA certificate is read-only, meaning you created it and don't want the IoT Edge service to rotate it, set the private key file to mode 0440 and the certificate file to mode 0444. If you created the initial files and then configured the cert service to rotate the edge CA certificate in the future, set the private key file to mode 0660 and the certificate file to mode 0664.
1. If you've used any other certificates for IoT Edge on the device before, delete the files in the following directory. IoT Edge will recreate them with the new CA certificate you provided.
If you are using IoT Edge for Linux on Windows, you need to use the SSH key loca
IoT Edge automatically generates certificates on the device in several cases, including:
+<!-- 1.2 -->
+If you don't provide your own production certificates when you install and provision IoT Edge, the IoT Edge security manager automatically generates an **edge CA certificate**. This self-signed certificate is only meant for development and testing scenarios, not production. This certificate expires after 90 days.
+<!-- end 1.2 -->
+
+<!-- 1.1. -->
* If you don't provide your own production certificates when you install and provision IoT Edge, the IoT Edge security manager automatically generates a **device CA certificate**. This self-signed certificate is only meant for development and testing scenarios, not production. This certificate expires after 90 days. * The IoT Edge security manager also generates a **workload CA certificate** signed by the device CA certificate
+<!-- end 1.1 -->
For more information about the function of the different certificates on an IoT Edge device, see [Understand how Azure IoT Edge uses certificates](iot-edge-certs.md).
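Review bot: the lead-in "IoT Edge automatically generates certificates on the device in several cases, including:" is now followed by a plain paragraph for 1.2 rather than a bullet, and 1.2 has a single case because the workload CA certificate is deprecated. Reword the lead-in for 1.2 and check the later "For these two automatically generated certificates" sentence. The markers here are also spelled differently from the rest of the change (`<!-- end 1.2 -->`, `<!-- 1.1. -->` versus `<!-- end-1.2 -->`, `<!-- 1.1 -->`); pick one form.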
For these two automatically generated certificates, you have the option of setti
>[!NOTE] >There is a third auto-generated certificate that the IoT Edge security manager creates, the **IoT Edge hub server certificate**. This certificate always has a 30 day lifetime, but is automatically renewed before expiring. The auto-generated CA lifetime value set in the config file doesn't affect this certificate.
-Upon expiry after the specified number of days, IoT Edge has to be restarted to regenerate the device CA certificate. The device CA certificate won't be renewed automatically.
+<!-- 1.2 -->
+Upon expiry after the specified number of days, IoT Edge has to be restarted to regenerate the edge CA certificate. The edge CA certificate won't be renewed automatically.
+<!-- end 1.2 -->
<!-- 1.1. --> :::moniker range="iotedge-2018-06"
+Upon expiry after the specified number of days, IoT Edge has to be restarted to regenerate the device CA certificate. The device CA certificate won't be renewed automatically.
# [Linux containers](#tab/linux)
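Review bot: the device CA sentence was moved inside `:::moniker range="iotedge-2018-06"`, but the new edge CA sentence is wrapped only in HTML comments, so it will render for 1.1 readers as well and they will see both sentences. Put the 1.2 sentence in its own moniker range to match.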
Upon expiry after the specified number of days, IoT Edge has to be restarted to
sudo iotedge check --verbose ```
- Check the output of the **production readiness: certificates** check, which lists the number of days until the automatically generated device CA certificates expire.
+ Check the output of the **production readiness: certificates** check, which lists the number of days until the automatically generated edge CA certificates expire.
:::moniker-end <!-- end 1.2 -->
iot-edge Iot Edge Certs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-edge/iot-edge-certs.md
This article explains how IoT Edge certificates can work in production, developm
* The **workload CA certificate** was deprecated. Now the IoT Edge security manager generates the IoT Edge hub server certificate directly from the edge CA certificate, without the intermediate workload CA certificate between them. :::moniker-end
+<!-- end-1.2 -->
## IoT Edge certificates There are two common scenarios for setting up certificates on an IoT Edge device. Sometimes the end user, or operator, of a device purchases a generic device made by a manufacturer then manages the certificates themselves. Other times, the manufacturer works under contract to build a custom device for the operator and does some initial certificate signing before handing off the device. The IoT Edge certificate design attempts to take both scenarios into account.
-The following figure illustrates IoT Edge's usage of certificates. There may be zero, one, or many intermediate signing certificates between the root CA certificate and the device CA certificate, depending on the number of entities involved. Here we show one case.
+The following figure illustrates IoT Edge's usage of certificates. There may be zero, one, or many intermediate signing certificates between the root CA certificate and the edge CA certificate, depending on the number of entities involved. Here we show one case.
<!--1.1--> :::moniker range="iotedge-2018-06"
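Review bot: The figure lead-in now says "edge CA certificate", but it sits outside any moniker and is followed directly by `:::moniker range="iotedge-2018-06"`, so 1.1 readers get the new term immediately above version-specific content, while the companion change in this update keeps "device CA certificate" for that same moniker range. Either make the lead-in version-specific or name both terms once. The added marker `<!-- end-1.2 -->` is also hyphenated, unlike the `<!-- end 1.2 -->` form used elsewhere.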
machine-learning Concept Mlflow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-mlflow.md
With MLflow Tracking you can connect Azure Machine Learning as the backend of yo
Azure Machine Learning uses MLflow Tracking for metric logging and artifact storage for your experiments, whether you created the experiment via the Azure Machine Learning Python SDK, Azure Machine Learning CLI or the Azure Machine Learning studio. Learn more at [Track experiments with MLflow](how-to-use-mlflow-cli-runs.md).
+> [!IMPORTANT]
+> - MLflow in R support is limited to tracking experiment's metrics and parameters on Azure Machine Learning jobs. RStudio or Jupyter Notebooks with R kernels are not supported. View the following [R example about using the MLflow tracking client with Azure Machine Learning](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/single-step/r).
+> - MLflow in Java support is limited to tracking experiment's metrics and parameters on Azure Machine Learning jobs. View the following [Java example about using the MLflow tracking client with the Azure Machine Learning](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/single-step/java/iris).
+ ## Model Registries with MLflow Azure Machine Learning supports MLflow for model management. This represents a convenient way to support the entire model lifecycle for users familiar with the MLFlow client. The following article describes the different capabilities and how it compares with other options.
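Review bot: Wording in the two new `[!IMPORTANT]` bullets needs a pass: "tracking experiment's metrics and parameters" should read "tracking experiment metrics and parameters", and the Java link text has a stray article in "with the Azure Machine Learning" that the R link text does not. The R bullet lists unsupported environments (RStudio, Jupyter with R kernels) while the Java bullet lists none. If that is intentional, fine; otherwise state the Java limits the same way.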
You can submit training jobs to Azure Machine Learning using [MLflow Projects](h
Learn more at [Train ML models with MLflow projects and Azure Machine Learning (preview)](how-to-train-mlflow-projects.md). - ## MLflow SDK, Azure ML v2 and Azure ML Studio capabilities The following table shows which operations are supported by each of the tools available in the ML lifecycle.
The following table shows which operations are supported by each of the tools av
| Submit training pipelines | | **&check;** | | | Manage experiments runs | **&check;**<sup>1</sup> | **&check;** | **&check;** | | Manage MLflow models | **&check;**<sup>3</sup> | **&check;** | **&check;** |
-| Manage non-MLflow models | **&check;**<sup>4</sup> | **&check;** | **&check;** |
-| Deploy MLflow models to Azure Machine Learning | **&check;**<sup>5</sup> | **&check;** | **&check;** |
+| Manage non-MLflow models | | **&check;** | **&check;** |
+| Deploy MLflow models to Azure Machine Learning | **&check;**<sup>4</sup> | **&check;** | **&check;** |
| Deploy non-MLflow models to Azure Machine Learning | | **&check;** | **&check;** | > [!NOTE] > - <sup>1</sup> View [Manage experiments and runs with MLflow](how-to-track-experiments-mlflow.md) for details. > - <sup>2</sup> Only artifacts and models can be downloaded. > - <sup>3</sup> View [Manage models registries in Azure Machine Learning with MLflow](how-to-manage-models-mlflow.md) for details.
-> - <sup>4</sup> Loading models using the syntax `models:/model-name/version` is not supported for non-MLflow models.
-> - <sup>5</sup> View [Deploy MLflow models to Azure Machine Learning](how-to-deploy-mlflow-models.md) for details. Deployment of MLflow models to batch inference using the MLflow SDK is not possible by the moment.
--
-## Next steps
-* [Track ML models with MLflow and Azure Machine Learning CLI v2](how-to-use-mlflow-cli-runs.md)
-* [Convert your custom model to MLflow model format for no code deployments](how-to-convert-custom-model-to-mlflow.md)
-* [Deploy MLflow models](how-to-deploy-mlflow-models.md)
+> - <sup>4</sup> View [Deploy MLflow models to Azure Machine Learning](how-to-deploy-mlflow-models.md) for details. Deployment of MLflow models to batch inference using the MLflow SDK is not possible by the moment.
+
+## Example notebooks
+
+If you are getting started with MLflow in Azure Machine Learning, we recommend you to explore the [notebooks examples about how to user MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/readme.md):
+
+* [Training and tracking a classifier with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/train-with-mlflow/xgboost_classification_mlflow.ipynb): Demonstrates how to track experiments using MLflow, log models and combine multiple flavors into pipelines.
+* [Training and tracking a classifier with MLflow using Service Principal authentication](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/train-with-mlflow/xgboost_service_principal.ipynb): Demonstrate how to track experiments using MLflow from compute that is running outside Azure ML and how to authenticate against Azure ML services using a Service Principal.
+* [Hyper-parameters optimization using child runs with MLflow and HyperOpt optimizer](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/train-with-mlflow/xgboost_nested_runs.ipynb): Demonstrate how to use child runs in MLflow to do hyper-parameter optimization for models using the popular library HyperOpt. It shows how to transfer metrics, params and artifacts from child runs to parent runs.
+* [Logging models instead of assets with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/logging-models/logging_model_with_mlflow.ipynb): Demonstrates how to use the concept of models instead of artifacts with MLflow, including how to construct custom models.
+* [Manage experiments and runs with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/run-history/run_history.ipynb): Demonstrates how to query experiments, runs, metrics, parameters and artifacts from Azure ML using MLflow.
+* [Manage models registries with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/model-management/model_management.ipynb): Demonstrates how to manage models in registries using MLflow.
+* [No-code deployment with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/no-code-deployment/deploying_with_mlflow.ipynb): Demonstrates how to deploy models in MLflow format to the different deployment target in Azure ML.
+* [Training models in Azure Databricks and deploying them on Azure ML with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/no-code-deployment/track_with_databricks_deploy_aml.ipynb): Demonstrates how to train models in Azure Databricks and deploy them in Azure ML. It also includes how to handle cases where you also want to track the experiments with the MLflow instance in Azure Databricks.
+* [Migrating models with scoring scripts to MLflow format](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/migrating-scoring-to-mlflow/scoring_to_mlmodel.ipynb): Demonstrates how to migrate models with scoring scripts to no-code-deployment with MLflow.
+* [Using MLflow REST with Azure ML](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/using-rest-api/using_mlflow_rest_api.ipynb): Demonstrates how to work with MLflow REST API when connected to Azure ML.
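Review bot: The intro to "Example notebooks" has a typo in the link text, "how to user MLflow", and "we recommend you to explore" reads better as "we recommend exploring". Three bullets (Service Principal authentication, hyper-parameter optimization with child runs, and nothing else) open with "Demonstrate" while the rest use "Demonstrates"; pick one form. This hunk also deletes the "Next steps" section without a replacement, so the three links it carried are no longer reachable from the end of the article.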
machine-learning How To Deploy Mlflow Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-deploy-mlflow-models.md
For no-code-deployment, Azure Machine Learning
> - Data type `mlflow.types.DataType.Binary` is not supported as column type in signatures. For models that work with images, we suggest you to use or (a) tensors inputs using the [TensorSpec input type](https://mlflow.org/docs/latest/python_api/mlflow.types.html#mlflow.types.TensorSpec), or (b) `Base64` encoding schemes with a `mlflow.types.DataType.String` column type, which is commonly used when there is a need to encode binary data that needs be stored and transferred over media. > - Signatures with tensors with unspecified shapes (`-1`) is only supported at the batch size by the moment. For instance, a signature with shape `(-1, -1, -1, 3)` is not supported but `(-1, 300, 300, 3)` is.
-For more information about how to specify requests to online endpoints, view [Considerations when deploying to real-time inference](#considerations-when-deploying-to-real-time-inference). FOr more information about the supported file types in batch endpoints, view [Considerations when deploying to batch inference](#considerations-when-deploying-to-batch-inference).
+For more information about how to specify requests to online endpoints, view [Considerations when deploying to real-time inference](#considerations-when-deploying-to-real-time-inference). For more information about the supported file types in batch endpoints, view [Considerations when deploying to batch inference](#considerations-when-deploying-to-batch-inference).
## Deployment tools
There are three workflows for deploying MLflow models to Azure Machine Learning:
- [Deploy using Azure ML CLI (v2)](#deploy-using-azure-ml-cli-v2) - [Deploy using Azure Machine Learning studio](#deploy-using-azure-machine-learning-studio)
-Each workflows has different capabilities, particularly around which type of compute they can target. The following table shows them:
+Each workflow has different capabilities, particularly around which type of compute they can target. The following table shows them:
| Scenario | MLflow SDK | Azure ML CLI/SDK v2 | Azure ML studio | | :- | :-: | :-: | :-: |
The MLflow plugin [azureml-mlflow](https://pypi.org/project/azureml-mlflow/) can
```python import json
- from mlflow.deployments import get_deploy_client
- # Create the deployment configuration.
deploy_config = {"computeType": "aks", "computeTargetName": "aks-mlflow" }
+
+ deployment_config_path = "deployment_config.json"
+ with open(deployment_config_path, "w") as outfile:
+ outfile.write(json.dumps(deploy_config))
``` # [ACI](#tab/aci) ```python import json
- from mlflow.deployments import get_deploy_client
- # Create the deployment configuration.
deploy_config = {"computeType": "aci"}
+
+ deployment_config_path = "deployment_config.json"
+ with open(deployment_config_path, "w") as outfile:
+ outfile.write(json.dumps(deploy_config))
``` 4. Create a deployment client using the Azure Machine Learning Tracking URI. ```python
+ from mlflow.deployments import get_deploy_client
+
# Set the tracking uri in the deployment client. client = get_deploy_client("<azureml-mlflow-tracking-url>") ```
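Review bot: Both tabs now write `deployment_config.json`, but nothing in the lines shown consumes `deployment_config_path`, so a reader cannot tell from this step why the file is needed; add a sentence saying which later call takes the path. `outfile.write(json.dumps(deploy_config))` can be `json.dump(deploy_config, outfile)`. Moving `from mlflow.deployments import get_deploy_client` to step 4, where it is first used, is fine, but check that the indentation of the `with` body survived in the published source, since it is flattened in this rendering.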
This example shows how you can deploy an MLflow model to an online endpoint usin
:::code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint-mlflow.sh" ID="create_endpoint":::
-1. Create a YAML configuration file for the deployment. The following example configures a deployment of the `sklearn-diabetes` model to the endpoint created in the previous step:
-
- > [!IMPORTANT]
- > For MLflow no-code-deployment (NCD) to work, setting **`type`** to **`mlflow_model`** is required, `type: mlflow_modelΓÇï`. For more information, see [CLI (v2) model YAML schema](reference-yaml-model.md).
+1. Create a YAML configuration file for the deployment.
+
+ # [From a training job](#tab/fromjob)
+
+ The following example configures a deployment `sklearn-diabetes` to the endpoint created in the previous step. The model is registered from a job previously run:
+
+ a. Get the job name of the training job. In this example we are assuming the job you want is the last one submitted to the platform.
+
+ ```bash
+ JOB_NAME=$(az ml job list --query "[0].name" | tr -d '"')
+ ```
+
+ b. Register the model in the registry.
+
+ ```bash
+ az ml model create --name "mir-sample-sklearn-mlflow-model" \
+ --type "mlflow_model" \
+ --path "azureml://jobs/$JOB_NAME/outputs/artifacts/model"
+ ```
+
+ c. Create the deployment `YAML` file:
+
+ __sklearn-deployment.yaml__
+
+ ```yaml
+ $schema: https://azuremlschemas.azureedge.net/latest/managedOnlineDeployment.schema.json
+ name: sklearn-deployment
+ endpoint_name: my-endpoint
+ model: azureml:mir-sample-sklearn-mlflow-model@latest
+ instance_type: Standard_DS2_v2
+ instance_count: 1
+ ```
+
+ > [!IMPORTANT]
+ > For MLflow no-code-deployment (NCD) to work, setting **`type`** to **`mlflow_model`** is required, `type: mlflow_modelΓÇï`. For more information, see [CLI (v2) model YAML schema](reference-yaml-model.md).
+
+ # [From a local model](#tab/fromlocal)
+
+ The following example configures a deployment `sklearn-diabetes` to the endpoint created in the previous step using the local MLflow model:
__sklearn-deployment.yaml__ :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/online/mlflow/sklearn-deployment.yaml":::
+
+ > [!IMPORTANT]
+ > For MLflow no-code-deployment (NCD) to work, setting **`type`** to **`mlflow_model`** is required, `type: mlflow_modelΓÇï`. For more information, see [CLI (v2) model YAML schema](reference-yaml-model.md).
1. To create the deployment using the YAML configuration, use the following command:
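Review bot: In the "From a training job" tab, the `[!IMPORTANT]` note says setting `type` to `mlflow_model` is required and shows `type: mlflow_model`, but the `sklearn-deployment.yaml` in that tab has no `type` key; the type is set by `--type "mlflow_model"` in the `az ml model create` step. Point the note at that flag for this tab. Both copies of the note also carry over a non-printing character after `mlflow_model` (it renders here as `ΓÇï`), which will break the value if copied; remove it. Smaller points: the text calls the deployment `sklearn-diabetes` while the YAML names it `sklearn-deployment`, and `--query "[0].name" | tr -d '"'` can be replaced by `--query "[0].name" -o tsv`.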
This example shows how you can deploy an MLflow model to an online endpoint usin
You can use [Azure Machine Learning studio](https://ml.azure.com) to deploy models to Managed Online Endpoints. > [!IMPORTANT]
-> Although deploying to ACI or AKS with [Azure Machine Learning studio](https://ml.azure.com) is possible. no-code deployment feature is not available for these compute targets. We recommend the use of [managed online endpoints](concept-endpoints.md) as it provides a superior set of features.
+> Although deploying to ACI or AKS with [Azure Machine Learning studio](https://ml.azure.com) is possible, no-code deployment feature is not available for these compute targets. We recommend the use of [managed online endpoints](concept-endpoints.md) as it provides a superior set of features.
1. Ensure your model is registered in the Azure Machine Learning registry. Deployment of unregistered models is not supported in Azure Machine Learning. You can register models from files in the local file system or from the output of a job:
machine-learning How To Use Batch Endpoint Sdk V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-use-batch-endpoint-sdk-v2.md
In this article, you'll learn to:
* An Azure ML workspace with computer cluster to run your batch scoring job. * The [Azure Machine Learning SDK v2 for Python](/python/api/overview/azure/ml/installv2).
+### Clone examples repository
+
+To run the examples, first clone the examples repository and change into the `sdk` directory:
+
+```bash
+git clone --depth 1 https://github.com/Azure/azureml-examples
+cd azureml-examples/sdk
+```
+
+> [!TIP]
+> Use `--depth 1` to clone only the latest commit to the repository, which reduces time to complete the operation.
## Connect to Azure Machine Learning workspace
partner-solutions Dynatrace Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/dynatrace/dynatrace-troubleshoot.md
This article describes how to contact support when working with a Dynatrace for
## Contact support
-To contact support about the Azure Datadog integration, select **New Support request** in the left pane. Select the link to the Dynatrace support website.
+To contact support about the Azure Dynatrace integration, select **New Support request** in the left pane. Select the link to the Dynatrace support website.
:::image type="content" source="media/dynatrace-troubleshoot/dynatrace-support.png" alt-text="Screenshot showing new support request selected in resource menu.":::
This document contains information about troubleshooting your solutions that use
## Next steps -- Learn about [managing your instance](dynatrace-how-to-manage.md) of Dynatrace.
+- Learn about [managing your instance](dynatrace-how-to-manage.md) of Dynatrace.
partner-solutions Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/overview.md
Partner solutions are available through the Marketplace.
| [Datadog](./datadog/overview.md) | Monitor your servers, clouds, metrics, and apps in one place. | | [Elastic](./elastic/overview.md) | Monitor the health and performance of your Azure environment. | | [Logz.io](./logzio/overview.md) | Monitor the health and performance of your Azure environment. |
-| [Dynatrace for Azure (preview)](./dynatrace/dynatrace-overview.md) | Use Dyntrace for Azure (preview) for monitoring your workflows using the Azure portal. |
+| [Dynatrace for Azure (preview)](./dynatrace/dynatrace-overview.md) | Use Dynatrace for Azure (preview) for monitoring your workflows using the Azure portal. |
| [NGINX for Azure (preview)](./nginx/nginx-overview.md) | Use NGINX for Azure (preview) as a reverse proxy within your Azure environment. |
postgresql Concepts Compare Single Server Flexible Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-compare-single-server-flexible-server.md
Previously updated : 06/16/2022 Last updated : 07/05/2022 # Comparison chart - Azure Database for PostgreSQL Single Server and Flexible Server
The following table provides a list of high-level features and capabilities comp
| **General** | | | | General availability | GA since 2018 | GA since 2021| | PostgreSQL | Community | Community |
-| Supported versions | 10, 11 | 11, 12, 13 |
+| Supported versions | 10, 11 | 11, 12, 13, 14 |
| Underlying O/S | Windows | Linux | | AZ selection for application colocation | No | Yes | | Built-in connection pooler | No | Yes (PgBouncer)|
The following table provides a list of high-level features and capabilities comp
| Support for logical decoding | Yes | Yes | | Support for native logical replication | No | Yes | | Support for PgLogical extension | No | Yes |
-| Support logical replication with HA | N/A | Limited |
+| Support logical replication with HA | N/A | [Limited](concepts-high-availability.md#high-availabilitylimitations) |
| **Disaster Recovery** | | | | Cross region DR | Using read replicas, geo-redundant backup | Geo-redundant backup (Preview) in select regions| | DR using replica | Using async physical replication | N/A |
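Review bot: The new link target `concepts-high-availability.md#high-availabilitylimitations` looks malformed: the fragment runs "availability" and "limitations" together with no separator, unlike the other heading anchors in this update. Confirm that the anchor resolves against the heading in `concepts-high-availability.md`, otherwise the "Limited" cell will land at the top of the page.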
postgresql Concepts Supported Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-supported-versions.md
Azure Database for PostgreSQL - Flexible Server currently supports the following
The current minor release is **14.3**. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/14/static/release-14-3.html) to learn more about improvements and fixes in this release. New servers will be created with this minor version.
+>[!NOTE]
+> If you are deploying Postgres 14 in a Private Access (VNET), in some cases, your deployment may fail. This will be addressed shortly. Meanwhile, to explore Postgres 14, consider deploying in Public access.
+ ## PostgreSQL version 13 The current minor release is **13.7**. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/13/static/release-13-7.html) to learn more about improvements and fixes in this release. New servers will be created with this minor version.
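Review bot: The new note recommends "deploying in Public access" as the workaround for Postgres 14 failures under Private Access (VNET) without saying what changes for the reader. Moving from VNET to public access alters the network exposure of the server, so the note should say this is for evaluation and link to the firewall rule guidance. "In some cases" and "will be addressed shortly" give no way to tell whether a deployment is affected or when the note expires; name the failure condition if known and add a review date.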
postgresql Reference Extensions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/hyperscale/reference-extensions.md
Previously updated : 02/24/2022 Last updated : 07/05/2022 # PostgreSQL extensions in Azure Database for PostgreSQL ΓÇô Hyperscale (Citus)
The versions of each extension installed in a server group sometimes differ base
> [!div class="mx-tableFixed"] > | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | > ||||||
-> | [citus](https://github.com/citusdata/citus) | Citus distributed database. | 9.5.10 | 10.0.6 | 10.2.4 | 10.2.4 |
+> | [citus](https://github.com/citusdata/citus) | Citus distributed database. | 9.5.11 | 10.0.7 | 10.2.6 | 10.2.6 |
### Data types extensions
The versions of each extension installed in a server group sometimes differ base
> | [intarray](https://www.postgresql.org/docs/current/static/intarray.html) | Provides functions and operators for manipulating null-free arrays of integers. | 1.2 | 1.2 | 1.3 | 1.5 | > | [moddatetime](https://www.postgresql.org/docs/current/contrib-spi.html#id-1.11.7.45.9) | Functions for tracking last modification time. | 1.0 | 1.0 | 1.0 | 1.0 | > | [pg\_partman](https://pgxn.org/dist/pg_partman/doc/pg_partman.html) | Manages partitioned tables by time or ID. | 4.6.0 | 4.6.0 | 4.6.0 | 4.6.0 |
+> | [pg\_surgery](https://www.postgresql.org/docs/current/pgsurgery.html) | Functions to perform surgery on a damaged relation. | | | | 1.0 |
> | [pg\_trgm](https://www.postgresql.org/docs/current/static/pgtrgm.html) | Provides functions and operators for determining the similarity of alphanumeric text based on trigram matching. | 1.4 | 1.4 | 1.5 | 1.6 | > | [pgcrypto](https://www.postgresql.org/docs/current/static/pgcrypto.html) | Provides cryptographic functions. | 1.3 | 1.3 | 1.3 | 1.3 | > | [refint](https://www.postgresql.org/docs/current/contrib-spi.html#id-1.11.7.45.5) | Functions for implementing referential integrity (obsolete). | 1.0 | 1.0 | 1.0 | 1.0 |
The versions of each extension installed in a server group sometimes differ base
> |||||| > | [amcheck](https://www.postgresql.org/docs/current/amcheck.html) | Functions for verifying relation integrity. | 1.1 | 1.2 | 1.2 | 1.3 | > | [dblink](https://www.postgresql.org/docs/current/dblink.html) | A module that supports connections to other PostgreSQL databases from within a database session. See the "dblink and postgres_fdw" section for information about this extension. | 1.2 | 1.2 | 1.2 | 1.2 |
+> | [old\_snapshot](https://www.postgresql.org/docs/current/oldsnapshot.html) | Allows inspection of the server state that is used to implement old_snapshot_threshold. | | | | 1.0 |
> | [pageinspect](https://www.postgresql.org/docs/current/pageinspect.html) | Inspect the contents of database pages at a low level. | 1.7 | 1.7 | 1.8 | 1.9 | > | [pg\_buffercache](https://www.postgresql.org/docs/current/static/pgbuffercache.html) | Provides a means for examining what's happening in the shared buffer cache in real time. | 1.3 | 1.3 | 1.3 | 1.3 | > | [pg\_cron](https://github.com/citusdata/pg_cron) | Job scheduler for PostgreSQL. | 1.4 | 1.4 | 1.4 | 1.4 |
The versions of each extension installed in a server group sometimes differ base
> [!div class="mx-tableFixed"] > | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | > ||||||
-> | [PostGIS](https://www.postgis.net/) | Spatial and geographic objects for PostgreSQL. | 2.5.5 | 3.0.4 | 3.0.3 | 3.1.4 |
-> | address\_standardizer | Used to parse an address into constituent elements. Used to support geocoding address normalization step. | 2.5.5 | 3.0.4 | 3.0.4 | 3.1.4 |
-> | postgis\_sfcgal | PostGIS SFCGAL functions. | 2.5.5 | 3.0.4 | 3.0.4 | 3.1.4 |
-> | postgis\_topology | PostGIS topology spatial types and functions. | 2.5.5 | 3.0.4 | 3.0.4 | 3.1.4 |
+> | [PostGIS](https://www.postgis.net/) | Spatial and geographic objects for PostgreSQL. | 2.5.5 | 3.0.5 | 3.0.5 | 3.1.5 |
+> | address\_standardizer | Used to parse an address into constituent elements. Used to support geocoding address normalization step. | 2.5.5 | 3.0.5 | 3.0.5 | 3.1.5 |
+> | postgis\_sfcgal | PostGIS SFCGAL functions. | 2.5.5 | 3.0.5 | 3.0.5 | 3.1.5 |
+> | postgis\_topology | PostGIS topology spatial types and functions. | 2.5.5 | 3.0.5 | 3.0.5 | 3.1.5 |
## pg_stat_statements
private-link Private Link Service Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-link/private-link-service-overview.md
The following are the known limitations when using the Private Link service:
- Supported only on Standard Load Balancer where backend pool is configured by NIC when using VM/VMSS. - Supports IPv4 traffic only - Supports TCP and UDP traffic only
+- Private Link Service has an idle timeout of ~5 minutes (300 seconds). To avoid hitting this limit, applications connecting through Private Link Service must leverage TCP Keep Alives lower than that time.
## Next steps
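Review bot: The new limitation gives the idle timeout as "~5 minutes (300 seconds)", which is both approximate and exact; state one. "TCP Keep Alives lower than that time" should say which setting is meant, that is, a keepalive idle time and interval that send a probe before 300 seconds of inactivity. It would also help to say what the client sees when the limit is hit, so operators can recognize it in connection logs.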
purview Manage Integration Runtimes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/purview/manage-integration-runtimes.md
Installation of the self-hosted integration runtime on a domain controller isn't
- Self-hosted integration runtime requires a 64-bit Operating System with .NET Framework 4.7.2 or above. See [.NET Framework System Requirements](/dotnet/framework/get-started/system-requirements) for details. -- Ensure Visual C++ Redistributable for Visual Studio 2015 or higher is installed on the self-hosted integration runtime machine. If you don't have this update installed, [you can download it here](/windows/latest-supported-vc-redist#visual-studio-2015-2017-2019-and-2022).
+- Ensure Visual C++ Redistributable for Visual Studio 2015 or higher is installed on the self-hosted integration runtime machine. If you don't have this update installed, [you can download it here](/cpp/windows/latest-supported-vc-redist#visual-studio-2015-2017-2019-and-2022).
- The recommended minimum configuration for the self-hosted integration runtime machine is a 2-GHz processor with 4 cores, 8 GB of RAM, and 80 GB of available hard drive space. For the details of system requirements, see [Download](https://www.microsoft.com/download/details.aspx?id=39717). - If the host machine hibernates, the self-hosted integration runtime doesn't respond to data requests. Configure an appropriate power plan on the computer before you install the self-hosted integration runtime. If the machine is configured to hibernate, the self-hosted integration runtime installer prompts with a message.
When scanning Parquet files using the self-hosted IR, the service locates the Ja
- [Microsoft Purview network architecture and best practices](concept-best-practices-network.md) - [Use private endpoints with Microsoft Purview](catalog-private-link.md)-
remote-rendering Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/remote-rendering/resources/troubleshoot.md
models
ΓööΓöÇΓöÇΓöÇOtherFiles myReallyLongFileName.txt <- Ignores files not under blobPrefix ```+
+## HoloLens2 'Take a Picture' (MRC) does not show any local or remote content
+
+This problem usually occurs if a project is updated from WMR to OpenXR and the project accessed the [HolographicViewConfiguration Class (Windows.Graphics.Holographic)](https://docs.microsoft.com/uwp/api/windows.graphics.holographic.holographicviewconfiguration?view=winrt-22621) settings. This API is not supported in OpenXR and must not be accessed.
+ ## Next steps * [System requirements](../overview/system-requirements.md)
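Review bot: The HolographicViewConfiguration link uses an absolute `https://docs.microsoft.com/uwp/api/...` URL pinned with `?view=winrt-22621`, while other links in this update use site-relative paths such as `/dotnet/framework/get-started/system-requirements`. Use the site-relative form and drop the `view` parameter unless the version pin is intended. "This API is not supported in OpenXR and must not be accessed" states the rule but not the fix; say what the project should do instead or that the calls should be removed.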
search Cognitive Search Concept Image Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-concept-image-scenarios.md
Optionally, you can define projections to accept image-analyzed output into a [k
## Set up source files
-Image processing is indexer-driven, which means that the raw inputs must be a supported file type (as determined by the skills you choose) from a [supported data source](search-indexer-overview.md#supported-data-sources).
+Image processing is indexer-driven, which means that the raw inputs must be in a [supported data source](search-indexer-overview.md#supported-data-sources).
+ Image analysis supports JPEG, PNG, GIF, and BMP + OCR supports JPEG, PNG, BMP, and TIF Images are either standalone binary files or embedded in documents (PDF, RTF, and Microsoft application files). A maximum of 1000 images will be extracted from a given document. If there are more than 1000 images in a document, the first 1000 will be extracted and a warning will be generated.
-Azure Blob Storage is the most frequently used storage for image processing in Cognitive Search. There are three main tasks related to retrieving images from the source:
+Azure Blob Storage is the most frequently used storage for image processing in Cognitive Search. There are three main tasks related to retrieving images from a blob container:
-+ Access rights on the container. If you're using a full access connection string that includes a key, the key gives you access to the content. Alternatively, you can [authenticate using Azure Active Directory (Azure AD)](search-howto-managed-identities-data-sources.md) or [connect as a trusted service](search-indexer-howto-access-trusted-service-exception.md).
++ Enable access to content in the container. If you're using a full access connection string that includes a key, the key gives you permission to the content. Alternatively, you can [authenticate using Azure Active Directory (Azure AD)](search-howto-managed-identities-data-sources.md) or [connect as a trusted service](search-indexer-howto-access-trusted-service-exception.md). + [Create a data source](search-howto-indexing-azure-blob-storage.md) of type "azureblob" that connects to the blob container storing your files.
-+ Optionally, [set file type criteria](search-blob-storage-integration.md#PartsOfBlobToIndex) if the workload targets a specific file type. Blob indexer configuration includes file inclusion and exclusion settings. You can filter out files you don't want.
++ Review [service tier limits](search-limits-quotas-capacity.md) to make sure that your source data is under maximum size and quantity limits for indexers and enrichment. <a name="get-normalized-images"></a> ## Configure indexers for image processing
-Image extraction is the first step of indexer processing. Extracted images are queued for image processing. Extracted text is queued for text processing, if applicable.
+Extracting images from the source content files is the first step of indexer processing. Extracted images are queued for image processing. Extracted text is queued for text processing, if applicable.
-Image processing requires image normalization to make images more uniform for downstream processing. This step occurs automatically and is internal to indexer processing. As a developer, you enable image normalization by setting the `"imageAction"` parameter in indexer configuration.
+Image processing requires image normalization to make images more uniform for downstream processing. This second step occurs automatically and is internal to indexer processing. As a developer, you enable image normalization by setting the `"imageAction"` parameter in indexer configuration.
Image normalization includes the following operations:
Metadata adjustments are captured in a complex type created for each image. You
1. Set `"imageAction"` to enable the *normalized_images* node in an enrichment tree (required): + `"generateNormalizedImages"` to generate an array of normalized images as part of document cracking.
-
+ + `"generateNormalizedImagePerPage"` (applies to PDF only) to generate an array of normalized images where each page in the PDF is rendered to one output image. For non-PDF files, the behavior of this parameter is same as if you had set "generateNormalizedImages". 1. Optionally, adjust the width or height of the generated normalized images:
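Review bot: In the added `generateNormalizedImagePerPage` bullet, "the behavior of this parameter is same as if you had set" is missing "the" before "same", and the value at the end of that sentence ("generateNormalizedImages") is in plain quotes while the parameter values that open both bullets are code-formatted. Suggest "is the same as if you had set `"generateNormalizedImages"`" so the value can be copied exactly as it must appear in the indexer configuration.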
Metadata adjustments are captured in a complex type created for each image. You
The default of 2000 pixels for the normalized images maximum width and height is based on the maximum sizes supported by the [OCR skill](cognitive-search-skill-ocr.md) and the [image analysis skill](cognitive-search-skill-image-analysis.md). The [OCR skill](cognitive-search-skill-ocr.md) supports a maximum width and height of 4200 for non-English languages, and 10000 for English. If you increase the maximum limits, processing could fail on larger images depending on your skillset definition and the language of the documents. ++ Optionally, [set file type criteria](search-blob-storage-integration.md#PartsOfBlobToIndex) if the workload targets a specific file type. Blob indexer configuration includes file inclusion and exclusion settings. You can filter out files you don't want.+
+ ```json
+ {
+ "parameters" : {
+ "configuration" : {
+ "indexedFileNameExtensions" : ".pdf, .docx",
+ "excludedFileNameExtensions" : ".png, .jpeg"
+ }
+ }
+ }
+ ```
+ ### About normalized images When "imageAction" is set to a value other than "none", the new *normalized_images* field will contain an array of images. Each image is a complex type that has the following members:
This section supplements the [skill reference](cognitive-search-predefined-skill
1. If necessary, [include multi-service key](cognitive-search-attach-cognitive-services.md) in the Cognitive Services property of the skillset. Cognitive Search makes calls to a billable Azure Cognitive Services resource for OCR and image analysis for transactions that exceed the free limit (20 per indexer per day). Cognitive Services must be in the same region as your search service.
+1. If original images are embedded in PDF or application files like PPTX or DOCX, you'll need to add a Text Merge skill if you want image output and text output together. Working with embedded images is discussed further on in this article.
+ Once the basic framework of your skillset is created and Cognitive Services is configured, you can focus on each individual image skill, defining inputs and source context, and mapping outputs to fields in either an index or knowledge store. > [!NOTE]
Image analysis output is illustrated in the JSON below (search result). The skil
When the images you want to process are embedded in other files, such as PDF or DOCX, the enrichment pipeline will extract just the images and then pass them to OCR or image analysis for processing. Separation of image from text content occurs during the document cracking phase, and once the images are separated, they remain separate unless you explicitly merge the processed output back into the source text.
-[**Text Merge**](cognitive-search-skill-textmerger.md) is used to put image processing output back into the document. Although Text Merge is not a hard requirement, it's frequently invoked so that image output (OCR text, OCR layoutText, image tags, image captions) can be reintroduced into the document at the same location where the image was found. Essentially, the goal is to replace an embedded binary image with an in-place text equivalent.
+[**Text Merge**](cognitive-search-skill-textmerger.md) is used to put image processing output back into the document. Although Text Merge is not a hard requirement, it's frequently invoked so that image output (OCR text, OCR layoutText, image tags, image captions) can be reintroduced into the document. Depending on the skill, the image output replaces an embedded binary image with an in-place text equivalent. Image Analysis output can be merged at image location. OCR output always appears at the end of each page.
The following workflow outlines the process of image extraction, analysis, merging, and how to extend the pipeline to push image-processed output into other text-based skills such as Entity Recognition or Text Translation.
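Review bot: The rewritten Text Merge paragraph says "the image output replaces an embedded binary image with an in-place text equivalent" and then, two sentences later, that "OCR output always appears at the end of each page", so for OCR the "in-place" wording does not hold. Suggest dropping the generic "in-place" sentence and stating the two cases directly: Image Analysis output can be merged at the image location, OCR output is appended at the end of the page. That would also match the sentence this same update adds to the OCR skill article.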
search Cognitive Search Concept Intro https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-concept-intro.md
Because Azure Cognitive Search is a full text search solution, the purpose of AI enrichment is to improve the utility of your content in search-related scenarios:
-+ Machine translation and language detection, in support of multi-lingual search
++ Translation and language detection for multi-lingual search + Entity recognition extracts people, places, and other entities from large chunks of text + Key phrase extraction identifies and then outputs important terms + Optical Character Recognition (OCR) recognizes printed and handwritten text in binary files
search Cognitive Search Skill Ocr https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-skill-ocr.md
In previous versions, there was a parameter called "textExtractionAlgorithm" to
| `text` | Plain text extracted from the image. | | `layoutText` | Complex type that describes the extracted text and the location where the text was found.| -
-The OCR skill always extracts images at the end of each page. This is by design.
-
+If you call OCR on images embedded in PDFs or other application files, the OCR output will be located at the bottom of the page, after any text that was extracted and processed.
## Sample definition
search Search What Is Azure Search https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-what-is-azure-search.md
Azure Cognitive Search ([formerly known as "Azure Search"](whats-new.md#new-service-name)) is a cloud search service that gives developers infrastructure, APIs, and tools for building a rich search experience over private, heterogeneous content in web, mobile, and enterprise applications.
-Search is foundational to any app that surfaces text content to users, with common scenarios including catalog or document search, online retail, or data exploration over proprietary content.
-
-When you create a search service, you'll work with the following capabilities:
+Search is foundational to any app that surfaces text content to users, with common scenarios including catalog or document search, online retail, or data exploration over proprietary content. When you create a search service, you'll work with the following capabilities:
+ A search engine for full text search over a search index containing your user-owned content
-+ Rich indexing, with [text analysis](search-analyzers.md) and [optional AI enrichment](cognitive-search-concept-intro.md) for advanced content extraction and transformation
++ Rich indexing, with [text analysis](search-analyzers.md) and [optional AI enrichment](cognitive-search-concept-intro.md) for content extraction and transformation + Rich query syntax that supplements free text search with filters, autocomplete, regex, geo-search and more + Programmability through REST APIs and client libraries in Azure SDKs for .NET, Python, Java, and JavaScript + Azure integration at the data layer, machine learning layer, and AI (Cognitive Services)
sentinel Automate Incident Handling With Automation Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/automate-incident-handling-with-automation-rules.md
Title: Automate incident handling in Microsoft Sentinel | Microsoft Docs
-description: This article explains how to use automation rules to automate incident handling, in order to maximize your SOC's efficiency and effectiveness in response to security threats.
+ Title: Automate threat response in Microsoft Sentinel with automation rules | Microsoft Docs
+description: This article explains what Microsoft Sentinel automation rules are, and how to use them to implement your Security Orchestration, Automation and Response (SOAR) operations, increasing your SOC's effectiveness and saving you time and resources.
Previously updated : 11/09/2021 Last updated : 06/27/2022
-# Automate incident handling in Microsoft Sentinel with automation rules
+# Automate threat response in Microsoft Sentinel with automation rules
[!INCLUDE [Banner for top of topics](./includes/banner.md)]
This article explains what Microsoft Sentinel automation rules are, and how to u
## What are automation rules?
-Automation rules are a way to centrally manage the automation of incident handling, allowing you to perform simple automation tasks without using playbooks.
+Automation rules are a way to centrally manage automation in Microsoft Sentinel, by allowing you to define and coordinate a small set of rules that can apply across different scenarios.
-For example, automation rules allow you to automatically:
-- Suppress noisy incidents.-- Triage new incidents by changing their status from New to Active and assigning an owner.-- Tag incidents to classify them.-- Escalate an incident by assigning a new owner.-- Close resolved incidents, specifying a reason and adding comments.
+Automation rules apply to the following categories of use cases:
+
+- Perform basic automation tasks for incident handling without using playbooks. For example:
+ - Suppress noisy incidents.
+ - Triage new incidents by changing their status from New to Active and assigning an owner.
+ - Tag incidents to classify them.
+ - Escalate an incident by assigning a new owner.
+ - Close resolved incidents, specifying a reason and adding comments.
-Automation rules can also:
- Automate responses for multiple analytics rules at once.+ - Control the order of actions that are executed.-- Inspect the incident's contents (alerts, entities, and other properties) and take further action by calling a playbook.
-In short, automation rules streamline the use of automation in Microsoft Sentinel, enabling you to simplify complex workflows for your incident orchestration processes.
+- Inspect the contents of an incident (alerts, entities, and other properties) and take further action by calling a playbook.
+
+- Automation rules can also be [the mechanism by which you run a playbook](whats-new.md#automation-rules-for-alerts) in response to an **alert** *not associated with an incident*.
+
+ > [!IMPORTANT]
+ >
+ > **Automation rules for alerts** are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+++
+In short, automation rules streamline the use of automation in Microsoft Sentinel, enabling you to simplify complex workflows for your threat response orchestration processes.
## Components
Automation rules are made up of several components:
### Triggers
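Review bot: The new bullet about running a playbook "in response to an **alert** *not associated with an incident*" links out to `whats-new.md#automation-rules-for-alerts`, although this same change adds a section to this article ("Incident-based or alert-based automation?") that explains when and why to use the alert trigger. Suggest pointing the link at that in-article section, so a reader of the overview lands on the guidance rather than on a release note.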
-Automation rules are triggered **when an incident is created or updated** (the update trigger is now in **Preview**). Recall that incidents are created from alerts by analytics rules, of which there are several types, as explained in [Detect threats with built-in analytics rules in Microsoft Sentinel](detect-threats-built-in.md).
+Automation rules are triggered **when an incident is created or updated** or **when an alert is created** (the **update** and **alert** triggers are now in **Preview**). Recall that incidents include alerts, and that both alerts and incidents are created by analytics rules, of which there are several types, as explained in [Detect threats with built-in analytics rules in Microsoft Sentinel](detect-threats-built-in.md).
-The following table shows the different possible ways that incidents can be created or updated that will cause an automation rule to run.
+The following table shows the different possible scenarios that will cause an automation rule to run.
| Trigger type | Events that cause the rule to run | | | | | **When incident is created** | - A new incident is created by an analytics rule.<br>- An incident is ingested from Microsoft 365 Defender.<br>- A new incident is created manually. | | **When incident is updated**<br>(Preview) | - An incident's status is changed (closed/reopened/triaged).<br>- An incident's owner is assigned or changed.<br>- An incident's severity is raised or lowered.<br>- Alerts are added to an incident.<br>- Comments, tags, or tactics are added to an incident. |
+| **When alert is created**<br>(Preview) | - An alert is created by a scheduled analytics rule.
+
+#### Incident-based or alert-based automation?
+
+Now that both incident automation and alert automation are handled centrally by automation rules as well as playbooks, how should you choose when to use which?
+
+For most use cases, **incident-triggered automation** is the preferable approach. In Microsoft Sentinel, an **incident** is a ΓÇ£case fileΓÇ¥ ΓÇô an aggregation of all the relevant evidence for a specific investigation. ItΓÇÖs a container for alerts, entities, comments, collaboration, and other artifacts. Unlike **alerts** which are single pieces of evidence, incidents are modifiable, have the most updated status, and can be enriched with comments, tags, and bookmarks. The incident allows you to track the attack story which keeps evolving with the addition of new alerts.
+
+For these reasons, it makes more sense to build your automation around incidents. So the most appropriate way to create playbooks is to base them on the Microsoft Sentinel incident trigger in Azure Logic Apps.
+
+The main reason to use **alert-triggered automation** is for responding to alerts generated by analytics rules which *do not create incidents* (that is, where incident creation has been *disabled* in the **Incident settings** tab of the [analytics rule wizard](detect-threats-custom.md#configure-the-incident-creation-settings)). A SOC might decide to do this if it wants to use its own logic to determine if and how incidents are created from alerts, as well as if and how alerts are grouped into incidents. For example:
+
+- A playbook can be triggered by an alert that doesnΓÇÖt have an associated incident, enrich the alert with information from other sources, and based on some external logic decide whether to create an incident or not.
+
+- A playbook can be triggered by an alert and, instead of creating an incident, look for an appropriate existing incident to add the alert to. Learn more about [incident expansion](relate-alerts-to-incidents.md).
+
+- A playbook can be triggered by an alert and notify SOC personnel of the alert, so the team can decide whether or not to create an incident.
+
+- A playbook can be triggered by an alert and send the alert to an external ticketing system for incident creation and management, creating a new ticket for each alert.
+
+> [!NOTE]
+> Alert-triggered automation is available only for [alerts](detect-threats-built-in.md) created by **Scheduled** analytics rules. Alerts created by **Microsoft Security** analytics rules are not supported.
### Conditions
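Review bot: The added table row for "When alert is created (Preview)" has no closing `|`, unlike the two incident rows above it, so the last cell is left unterminated; the same row added to create-manage-use-automation-rules.md has the same omission. Suggest ending the row with ` |` in both places. Separately, the new "Incident-based or alert-based automation?" paragraphs use typographic quotes and apostrophes (around "case file", in "It's" and "doesn't") where the rest of the article uses straight ones; replacing them with straight characters keeps the source consistent.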
-Complex sets of conditions can be defined to govern when actions (see below) should run. These conditions include the event that triggers the rule (incident created or updated), the states or values of the incident's properties and [entity properties](entities-reference.md), and also the analytics rule or rules that generated the incident.
+Complex sets of conditions can be defined to govern when actions (see below) should run. These conditions include the event that triggers the rule (incident created or updated, or alert created), the states or values of the incident's properties and [entity properties](entities-reference.md) (for incident trigger only), and also the analytics rule or rules that generated the incident or alert.
-When an automation rule is triggered, it checks the triggering incident against the conditions defined in the rule. The property-based conditions are evaluated according to **the current state** of the property at the moment the evaluation occurs, or according to **changes in the state** of the property (see below for details). Since a single incident creation or update event could trigger several automation rules, the **order** in which they run (see below) makes a difference in determining the outcome of the conditions' evaluation. The **actions** defined in the rule will run only if all the conditions are satisfied.
+When an automation rule is triggered, it checks the triggering incident or alert against the conditions defined in the rule. For incidents, the property-based conditions are evaluated according to **the current state** of the property at the moment the evaluation occurs, or according to **changes in the state** of the property (see below for details). Since a single incident creation or update event could trigger several automation rules, the **order** in which they run (see below) makes a difference in determining the outcome of the conditions' evaluation. The **actions** defined in the rule will run only if all the conditions are satisfied.
#### Incident create trigger
An incident property's value
- **starts with** or **does not start with** the value defined in the condition. - **ends with** or **does not end with** the value defined in the condition. -- The **current state** in this context refers to the moment the condition is evaluated - that is, the moment the automation rule runs. If more than one automation rule is defined to run in response to the creation of this incident, then changes made to the incident by an earlier-run automation rule are considered the current state for later-run rules. #### Incident update trigger
An incident property's value was
> > - If an incident triggers both create-trigger and update-trigger automation rules, the create-trigger rules will run first, according to their **[Order](#order)** numbers, and then the update-trigger rules will run, according to *their* **Order** numbers.
+#### Alert create trigger
+
+Currently the only condition that can be configured for the alert creation trigger is the set of analytics rules for which the automation rule will run.
### Actions
Actions can be defined to run when the conditions (see above) are met. You can d
- Adding a tag to an incident ΓÇô this is useful for classifying incidents by subject, by attacker, or by any other common denominator.
-Also, you can define an action to [**run a playbook**](tutorial-respond-threats-playbook.md), in order to take more complex response actions, including any that involve external systems. **Only** playbooks activated by the [**incident trigger**](automate-responses-with-playbooks.md#azure-logic-apps-basic-concepts) are available to be used in automation rules. You can define an action to include multiple playbooks, or combinations of playbooks and other actions, and the order in which they will run.
+Also, you can define an action to [**run a playbook**](tutorial-respond-threats-playbook.md), in order to take more complex response actions, including any that involve external systems. The playbooks available to be used in an automation rule depend on the [**trigger**](automate-responses-with-playbooks.md#azure-logic-apps-basic-concepts) on which the playbooks *and* the automation rule are based: Only incident-trigger playbooks can be run from incident-trigger automation rules, and only alert-trigger playbooks can be run from alert-trigger automation rules. You can define multiple actions that call playbooks, or combinations of playbooks and other actions. Actions will run in the order in which they are listed in the rule.
Playbooks using [either version of Logic Apps (Standard or Consumption)](automate-responses-with-playbooks.md#two-types-of-logic-apps) will be available to run from automation rules.
Rules based on the update trigger have their own separate order queue. If such r
## Common use cases and scenarios
-### Incident-triggered automation
+### Incident- and alert-triggered automation
-Before automation rules existed, only alerts could trigger an automated response, through the use of playbooks. With automation rules, incidents can now trigger automated response chains, which can include new incident-triggered playbooks ([special permissions are required](#permissions-for-automation-rules-to-run-playbooks)), when an incident is created.
+Automation rules can be triggered by the creation or updating of incidents and also (in Preview) by the creation of alerts. These occurrences can all trigger automated response chains, which can include playbooks ([special permissions are required](#permissions-for-automation-rules-to-run-playbooks)).
### Trigger playbooks for Microsoft providers
You can [create and manage automation rules](create-manage-use-automation-rules.
- **Analytics rule wizard**
- In the **Automated response** tab of the analytics rule wizard, under **Incident automation**, you can view, edit, and create automation rules that apply to the particular analytics rule being created or edited in the wizard.
+ In the **Automated response** tab of the analytics rule wizard, under **Automation rules (Preview)**, you can view, edit, and create automation rules that apply to the particular analytics rule being created or edited in the wizard.
You'll notice that when you create an automation rule from here, the **Create new automation rule** panel shows the **analytics rule** condition as unavailable, because this rule is already set to apply only to the analytics rule you're editing in the wizard. All the other configuration options are still available to you.
You can [create and manage automation rules](create-manage-use-automation-rules.
## Next steps
-In this document, you learned about how automation rules can help you to manage your Microsoft Sentinel incidents queue and implement some basic incident-handling automation.
+In this document, you learned about how automation rules can help you to centrally manage response automation for Microsoft Sentinel incidents and alerts.
- [Create and use Microsoft Sentinel automation rules to manage incidents](create-manage-use-automation-rules.md). - To learn more about advanced automation options, see [Automate threat response with playbooks in Microsoft Sentinel](automate-responses-with-playbooks.md).
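Review bot: The first "Next steps" link is left unchanged with the text "Create and use Microsoft Sentinel automation rules to manage incidents", but this same update retitles that article to "Create and use Microsoft Sentinel automation rules to manage response". Suggest updating the link text to the new title so the two articles stay in step. Now that alert automation is covered here, a link to the alert-trigger playbook migration article that the companion article's "Next steps" adds would also fit in this list.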
sentinel Automate Responses With Playbooks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/automate-responses-with-playbooks.md
There are many differences between these two resource types, some of which affec
See [Resource type and host environment differences](../logic-apps/logic-apps-overview.md#resource-type-and-host-environment-differences) in the Logic Apps documentation for a detailed summary of the two resource types.
-> [!IMPORTANT]
-> - While the **Logic App (Standard)** resource type is generally available, Microsoft Sentinel's support for this resource type is in **Preview**.
- > [!NOTE] > - You'll notice an indicator in Standard workflows that presents as either *stateful* or *stateless*. Microsoft Sentinel does not support stateless workflows at this time. Learn about the differences between [**stateful and stateless workflows**](../logic-apps/single-tenant-overview-compare.md#stateful-and-stateless-workflows). > - Logic Apps Standard does not currently support Playbook templates. This means that you can't create a Standard workflow from within Microsoft Sentinel. Rather, you must create it in Logic Apps, and once it's created, you'll see it in Microsoft Sentinel.
sentinel Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/best-practices.md
Entity behavior in Microsoft Sentinel allows users to review and investigate act
- [Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](enable-entity-behavior-analytics.md) - [Investigate incidents with UEBA data](investigate-with-ueba.md)-- [Microsoft Sentinel UEBA enrichments reference](ueba-enrichments.md)
+- [Microsoft Sentinel UEBA reference](ueba-reference.md)
### Handle incidents with watchlists and threat intelligence
sentinel Create Manage Use Automation Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/create-manage-use-automation-rules.md
Title: Create and use Microsoft Sentinel automation rules to manage incidents | Microsoft Docs
+ Title: Create and use Microsoft Sentinel automation rules to manage response | Microsoft Docs
description: This article explains how to create and use automation rules in Microsoft Sentinel to manage and handle incidents, in order to maximize your SOC's efficiency and effectiveness in response to security threats.
Last updated 05/23/2022
-# Create and use Microsoft Sentinel automation rules to manage incidents
+# Create and use Microsoft Sentinel automation rules to manage response
[!INCLUDE [Banner for top of topics](./includes/banner.md)]
-This article explains how to create and use automation rules in Microsoft Sentinel to manage and handle incidents, in order to maximize your SOC's efficiency and effectiveness in response to security threats.
+This article explains how to create and use automation rules in Microsoft Sentinel to manage and orchestrate threat response, in order to maximize your SOC's efficiency and effectiveness.
In this article you'll learn how to define the triggers and conditions that will determine when your automation rule will run, the various actions that you can have the rule perform, and the remaining features and functionalities.
In this article you'll learn how to define the triggers and conditions that will
### Determine the scope
-The first step in designing and defining your automation rule is figuring out which incidents you want it to apply to. This determination will directly impact how you create the rule.
+The first step in designing and defining your automation rule is figuring out which incidents (or alerts, in preview) you want it to apply to. This determination will directly impact how you create the rule.
You also want to determine your use case. What are you trying to accomplish with this automation? Consider the following options:
You also want to determine your use case. What are you trying to accomplish with
- Escalate an incident by assigning a new owner. - Close resolved incidents, specifying a reason and adding comments. - Analyze the incident's contents (alerts, entities, and other properties) and take further action by calling a playbook.
+- (**Preview**) Handle or respond to an alert without an associated incident.
### Determine the trigger
-Do you want this automation to be activated when new incidents are created? Or any time an incident gets updated?
+Do you want this automation to be activated when new incidents (or alerts, in preview) are created? Or any time an incident gets updated?
-Automation rules are triggered **when an incident is created or updated** (the update trigger is now in **Preview**). Recall that incidents are created from alerts by analytics rules, of which there are several types, as explained in [Detect threats with built-in analytics rules in Microsoft Sentinel](detect-threats-built-in.md).
+Automation rules are triggered **when an incident is created or updated** (the update trigger is now in **Preview**) or **when an alert is created** (also in **Preview**). Recall that incidents include alerts, and that both alerts and incidents are created by analytics rules, of which there are several types, as explained in [Detect threats with built-in analytics rules in Microsoft Sentinel](detect-threats-built-in.md).
-The following table shows the different possible ways that incidents can be created or updated that will cause an automation rule to run.
+The following table shows the different possible scenarios that will cause an automation rule to run.
| Trigger type | Events that cause the rule to run | | | | | **When incident is created** | - A new incident is created by an analytics rule.<br>- An incident is ingested from Microsoft 365 Defender.<br>- A new incident is created manually. | | **When incident is updated**<br>(Preview) | - An incident's status is changed (closed/reopened/triaged).<br>- An incident's owner is assigned or changed.<br>- An incident's severity is raised or lowered.<br>- Alerts are added to an incident.<br>- Comments, tags, or tactics are added to an incident. |
+| **When alert is created**<br>(Preview) | - An alert is created by a scheduled analytics rule.
## Create your automation rule
Most of the following instructions apply to any and all use cases for which you'
### Choose your trigger
-From the **Trigger** drop-down, select **When incident is created** or **When incident is updated (Preview)** according to what you decided when designing your rule.
+From the **Trigger** drop-down, select **When incident is created**, **When incident is updated (Preview)**, or **When alert is created (Preview)**, according to what you decided when designing your rule.
:::image type="content" source="media/create-manage-use-automation-rules/select-trigger.png" alt-text="Screenshot of selecting the incident create or incident update trigger.":::
-### Add conditions
+### Add conditions (incidents only)
Add any other conditions you want this automation rule's activation to depend on. Select **+ Add condition** and choose conditions from the drop-down list. The list of conditions is populated by incident property and [entity property](entities-reference.md) fields.
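Review bot: The trigger step now lists three options, including "When alert is created (Preview)", but the screenshot's alt text under it still reads "Screenshot of selecting the incident create or incident update trigger", so the image and its description no longer cover the alert trigger. Suggest refreshing the screenshot and alt text. On the renamed heading "Add conditions (incidents only)": the paragraph under it does not say what an alert-trigger rule can filter on, and the overview article states that the only configurable condition there is the set of analytics rules; one sentence saying so here would help. The rename also changes the heading's anchor, so inbound links to the old "Add conditions" anchor need checking.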
Add any other conditions you want this automation rule's activation to depend on
Choose the actions you want this automation rule to take. Available actions include **Assign owner**, **Change status**, **Change severity**, **Add tags**, and **Run playbook**. You can add as many actions as you like.
+> [!NOTE]
+> Only the **Run playbook** action is available in automation rules using the **alert trigger**.
+ :::image type="content" source="media/create-manage-use-automation-rules/select-action.png" alt-text="Screenshot of list of actions to select in automation rule."::: If you add a **Run playbook** action, you will be prompted to choose from the drop-down list of available playbooks. -- Only playbooks that start with the **incident trigger** can be run from automation rules, so only they will appear in the list.
+- Only playbooks that start with the **incident trigger** can be run from automation rules using one of the incident triggers, so only they will appear in the list. Likewise, only playbooks that start with the **alert trigger** are available in automation rules using the alert trigger.
-- <a name="explicit-permissions"></a>Microsoft Sentinel must be granted explicit permissions in order to run playbooks based on the incident trigger. If a playbook appears "grayed out" in the drop-down list, it means Sentinel does not have permission to that playbook's resource group. Click the **Manage playbook permissions** link to assign permissions.
+- <a name="explicit-permissions"></a>Microsoft Sentinel must be granted explicit permissions in order to run playbooks. If a playbook appears "grayed out" in the drop-down list, it means Sentinel does not have permission to that playbook's resource group. Click the **Manage playbook permissions** link to assign permissions.
In the **Manage permissions** panel that opens up, mark the check boxes of the resource groups containing the playbooks you want to run, and click **Apply**. :::image type="content" source="./media/tutorial-respond-threats-playbook/manage-permissions.png" alt-text="Manage permissions":::
Playbook actions within an automation rule may be treated differently under some
| More than two minutes | Two minutes after playbook began running,<br>regardless of whether or not it was completed | ## Next steps
+In this document, you learned how to use automation rules to centrally manage response automation for Microsoft Sentinel incidents and alerts.
-In this document, you learned how to use automation rules to manage your Microsoft Sentinel incidents queue and implement some basic incident-handling automation.
-
+- To learn more about automation rules, see [Automate incident handling in Microsoft Sentinel with automation rules](automate-incident-handling-with-automation-rules.md)
- To learn more about advanced automation options, see [Automate threat response with playbooks in Microsoft Sentinel](automate-responses-with-playbooks.md).
+- To migrate alert-trigger playbooks to be invoked by automation rules, see [Migrate your Microsoft Sentinel alert-trigger playbooks to automation rules](migrate-playbooks-to-automation-rules.md)
- For help in implementing automation rules and playbooks, see [Tutorial: Use playbooks to automate threat responses in Microsoft Sentinel](tutorial-respond-threats-playbook.md).
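Review bot: the two added bullets under Next steps (the links to automate-incident-handling-with-automation-rules.md and migrate-playbooks-to-automation-rules.md) have no terminal period, while the two unchanged bullets beside them end with one. Add the period to both new bullets so the list is consistent.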
sentinel Data Connectors Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors-reference.md
Add http://localhost:8081/ under **Authorized redirect URIs** while creating [We
| **Log Analytics table(s)** | [CommonSecurityLog](/azure/azure-monitor/reference/tables/commonsecuritylog) | | **DCR support** | [Workspace transformation DCR](../azure-monitor/logs/tutorial-ingestion-time-transformations.md) | | **Kusto function alias:** | Morphisec |
-| **Kusto function URL** | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Parsers/Morphisec/Morphisec |
+| **Kusto function URL** | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Parsers/Morphisec/ |
| **Supported by** | [Morphisec](https://support.morphisec.com/support/home) |
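Review bot: the new **Kusto function URL** value ends at the directory `Parsers/Morphisec/`, where the removed value ended at `Parsers/Morphisec/Morphisec`, so the row no longer names the parser it documents. If the old path was wrong, link the actual parser file rather than its folder, so readers who deploy the `Morphisec` function alias land on the function definition itself.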
sentinel Dns Normalization Schema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/dns-normalization-schema.md
The following list mentions fields that have specific guidelines for DNS events:
#### All common fields
-Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the [ASIM Common Fields](normalization-common-fields.md) article.
+Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, see the [ASIM Common Fields](normalization-common-fields.md) article.
| **Class** | **Fields** | | | - |
Fields that appear in the table below are common to all ASIM schemas. Any guidel
| Optional | - [EventMessage](normalization-common-fields.md#eventmessage)<br> - [EventSubType](normalization-common-fields.md#eventsubtype)<br>- [EventOriginalUid](normalization-common-fields.md#eventoriginaluid)<br>- [EventOriginalType](normalization-common-fields.md#eventoriginaltype)<br>- [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype)<br>- [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails)<br> - [EventOriginalSeverity](normalization-common-fields.md#eventoriginalseverity) <br> - [EventProductVersion](normalization-common-fields.md#eventproductversion)<br> - [EventReportUrl](normalization-common-fields.md#eventreporturl)<br>- [DvcMacAddr](normalization-common-fields.md#dvcmacaddr)<br>- [DvcOs](normalization-common-fields.md#dvcos)<br>- [DvcOsVersion](normalization-common-fields.md#dvchostname)<br>- [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction)<br>- [DvcInterface](normalization-common-fields.md#dvcinterface)<br>- [AdditionalFields](normalization-common-fields.md#additionalfields)<br>- [DvcDescription](normalization-common-fields.md#dvcdescription)|
-### DNS-specific fields
+### Source system fields
-The fields listed in this section are specific to DNS events, although many are similar to fields in other schemas and therefore follow the same naming convention.
-
-| **Field** | **Class** | **Type** | **Notes** |
-| | | | |
+| Field | Class | Type | Description |
+|-|-||-|
| <a name="src"></a>**Src** | Recommended | String | A unique identifier of the source device. <br><br>This field can alias the [SrcDvcId](#srcdvcid), [SrcHostname](#srchostname), or [SrcIpAddr](#srcipaddr) fields. <br><br>Example: `192.168.12.1` | | <a name="srcipaddr"></a>**SrcIpAddr** | Recommended | IP Address | The IP address of the client that sent the DNS request. For a recursive DNS request, this value would typically be the reporting device, and in most cases set to `127.0.0.1`. <br><br>Example: `192.168.12.1` | | **SrcPortNumber** | Optional | Integer | Source port of the DNS query.<br><br>Example: `54312` |
The fields listed in this section are specific to DNS events, although many are
| <a name="srcdvcid"></a>**SrcDvcId** | Optional | String | The ID of the source device as reported in the record.<br><br>For example: `ac7e9755-8eae-4ffc-8a02-50ed7a2216c3` | | **SrcDvcIdType** | Optional | Enumerated | The type of [SrcDvcId](#srcdvcid), if known. Possible values include:<br> - `AzureResourceId`<br>- `MDEid`<br><br>If multiple IDs are available, use the first one from the list, and store the others in the **SrcDvcAzureResourceId** and **SrcDvcMDEid**, respectively.<br><br>**Note**: This field is required if [SrcDvcId](#srcdvcid) is used. | | **SrcDeviceType** | Optional | Enumerated | The type of the source device. Possible values include:<br>- `Computer`<br>- `Mobile Device`<br>- `IOT Device`<br>- `Other` |++
+### Source user fields
+
+| Field | Class | Type | Description |
+|-|-||-|
| <a name="srcuserid"></a>**SrcUserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the source user. Format and supported types include:<br>- **SID** (Windows): `S-1-5-21-1377283216-344919071-3415362939-500`<br>- **UID** (Linux): `4578`<br>- **AADID** (Azure Active Directory): `9267d02c-5f76-40a9-a9eb-b686f3ca47aa`<br>- **OktaId**: `00urjk4znu3BcncfY0h7`<br>- **AWSId**: `72643944673`<br><br>Store the ID type in the [SrcUserIdType](#srcuseridtype) field. <br><br>If other IDs are available, we recommend that you normalize the field names to **SrcUserSid**, **SrcUserUid**, **SrcUserAadId**, **SrcUserOktaId** and **UserAwsId**, respectively. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `S-1-12` | | <a name="srcuseridtype"></a>**SrcUserIdType** | Optional | Enumerated | The type of the ID stored in the [SrcUserId](#srcuserid) field. Supported values include: `SID`, `UIS`, `AADID`, `OktaId`, and `AWSId`. | | <a name="srcusername"></a>**SrcUsername** | Optional | String | The Source username, including domain information when available. Use one of the following formats and in the following order of priority:<br>- **Upn/Email**: `johndow@contoso.com`<br>- **Windows**: `Contoso\johndow`<br>- **DN**: `CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM`<br>- **Simple**: `johndow`. Use the Simple form only if domain information is not available.<br><br>Store the Username type in the [SrcUsernameType](#srcusernametype) field. If other IDs are available, we recommend that you normalize the field names to **SrcUserUpn**, **SrcUserWindows** and **SrcUserDn**.<br><br>For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `AlbertE` |
The fields listed in this section are specific to DNS events, although many are
| <a name="srcusernametype"></a>**SrcUsernameType** | Optional | Enumerated | Specifies the type of the username stored in the [SrcUsername](#srcusername) field. Supported values are: `UPN`, `Windows`, `DN`, and `Simple`. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `Windows` | | **SrcUserType** | Optional | Enumerated | The type of Actor. Allowed values are:<br>- `Regular`<br>- `Machine`<br>- `Admin`<br>- `System`<br>- `Application`<br>- `Service Principal`<br>- `Other`<br><br>**Note**: The value may be provided in the source record using different terms, which should be normalized to these values. Store the original value in the [EventOriginalUserType](#eventoriginalusertype) field. | | <a name="eventoriginalusertype"></a>**SrcOriginalUserType** | Optional | String | The original source user type, if provided by the source. |
-| **SrcUserDomain** | Optional | String | This field is kept for backward compatibility only. ASIM requires domain information, if available, to be part of the [SrcUsername](#srcusername) field. |
++
+### Source process fields
+
+| Field | Class | Type | Description |
+|-|-||-|
| <a name="srcprocessname"></a>**SrcProcessName** | Optional | String | The file name of the process that initiated the DNS request. This name is typically considered to be the process name. <br><br>Example: `C:\Windows\explorer.exe` | | <a name="process"></a>**Process** | Alias | | Alias to the [SrcProcessName](#srcprocessname) <br><br>Example: `C:\Windows\System32\rundll32.exe`| | **SrcProcessId**| Optional | String | The process ID (PID) of the process that initiated the DNS request.<br><br>Example: `48610176` <br><br>**Note**: The type is defined as *string* to support varying systems, but on Windows and Linux this value must be numeric. <br><br>If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value. | | **SrcProcessGuid** | Optional | String | A generated unique identifier (GUID) of the process that initiated the DNS request. <br><br> Example: `EF3BD0BD-2B74-60C5-AF5C-010000001E00` |+
+### Destination system fields
+
+| Field | Class | Type | Description |
+|-|-||-|
| <a name="dst"></a>**Dst** | Recommended | String | A unique identifier of the server that received the DNS request. <br><br>This field may alias the [DstDvcId](#dstdvcid), [DstHostname](#dsthostname), or [DstIpAddr](#dstipaddr) fields. <br><br>Example: `192.168.12.1` | | <a name="dstipaddr"></a>**DstIpAddr** | Optional | IP Address | The IP address of the server that received the DNS request. For a regular DNS request, this value would typically be the reporting device, and in most cases set to `127.0.0.1`.<br><br>Example: `127.0.0.1` | | **DstGeoCountry** | Optional | Country | The country associated with the destination IP address. For more information, see [Logical types](normalization-about-schemas.md#logical-types).<br><br>Example: `USA` |
The fields listed in this section are specific to DNS events, although many are
| <a name="dstdvcid"></a>**DstDvcId** | Optional | String | The ID of the destination device as reported in the record.<br><br>Example: `ac7e9755-8eae-4ffc-8a02-50ed7a2216c3` | | **DstDvcIdType** | Optional | Enumerated | The type of [DstDvcId](#dstdvcid), if known. Possible values include:<br> - `AzureResourceId`<br>- `MDEidIf`<br><br>If multiple IDs are available, use the first one from the list above, and store the others in the **DstDvcAzureResourceId** or **DstDvcMDEid** fields, respectively.<br><br>Required if **DstDeviceId** is used.| | **DstDeviceType** | Optional | Enumerated | The type of the destination device. Possible values include:<br>- `Computer`<br>- `Mobile Device`<br>- `IOT Device`<br>- `Other` |+
+### DNS protocol fields
+
+| Field | Class | Type | Description |
+|-|-||-|
| <a name=query></a>**DnsQuery** | Mandatory | String | The domain that the request tries to resolve. <br><br>**Notes**:<br> - Some sources send valid FQDN queries in a different format. For example, in the DNS protocol itself, the query includes a dot (**.**) at the end, which must be removed.<br>- While the DNS protocol limits the type of value in this field to an FQDN, most DNS servers allow any value, and this field is therefore not limited to FQDN values only. Most notably, DNS tunneling attacks may use invalid FQDN values in the query field.<br>- While the DNS protocol allows for multiple queries in a single request, this scenario is rare, if it's found at all. If the request has multiple queries, store the first one in this field, and then and optionally keep the rest in the [AdditionalFields](normalization-common-fields.md#additionalfields) field.<br><br>Example: `www.malicious.com` |
-| **Domain** | Alias | | Alias to [DnsQuery](#query). |
+| <a name="domain"></a>**Domain** | Alias | | Alias to [DnsQuery](#query). |
| **DnsQueryType** | Optional | Integer | The [DNS Resource Record Type codes](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml). <br><br>Example: `28`|
-| **DnsQueryTypeName** | Recommended | Enumerated | The [DNS Resource Record Type](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml) names. <br><br>**Notse**:<br> -IANA doesn't define the case for the values, so analytics must normalize the case as needed.<br>- The value `ANY` is supported for the response code 255.<br> - The value `TYPExxxx` is supported for unmapped response codes, where `xxxx` is the numerical value of the response code. This conforms to BIND's logging practice.<br> -If the source provides only a numerical query type code and not a query type name, the parser must include a lookup table to enrich with this value.<br><br>Example: `AAAA`|
+| **DnsQueryTypeName** | Recommended | Enumerated | The [DNS Resource Record Type](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml) names. <br><br>**Notes**:<br> - IANA doesn't define the case for the values, so analytics must normalize the case as needed.<br>- The value `ANY` is supported for the response code 255.<br> - The value `TYPExxxx` is supported for unmapped response codes, where `xxxx` is the numerical value of the response code, as reported by the BIND DNS server.<br> -If the source provides only a numerical query type code and not a query type name, the parser must include a lookup table to enrich with this value.<br><br>Example: `AAAA`|
| <a name=responsename></a>**DnsResponseName** | Optional | String | The content of the response, as included in the record.<br> <br> The DNS response data is inconsistent across reporting devices, is complex to parse, and has less value for source-agnostic analytics. Therefore the information model doesn't require parsing and normalization, and Microsoft Sentinel uses an auxiliary function to provide response information. For more information, see [Handling DNS response](#handling-dns-response).| | <a name=responsecodename></a>**DnsResponseCodeName** | Alias | | Alias to [EventResultDetails](#eventresultdetails) | | **DnsResponseCode** | Optional | Integer | The [DNS numerical response code](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml). <br><br>Example: `3`|
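Review bot: the rewritten `DnsQueryTypeName` row still says "response code" three times ("response code 255", "unmapped response codes", "numerical value of the response code") although the field holds a query type; `ANY` is query type 255, not a response code. Since this line is already being edited, change those to "query type code" so parser authors do not confuse the field with `DnsResponseCode`. The last note in the same cell also still starts `-If the source` without the space that this change added to the first note.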
The fields listed in this section are specific to DNS events, although many are
| **NetworkProtocol** | Optional | Enumerated | The transport protocol used by the network resolution event. The value can be **UDP** or **TCP**, and is most commonly set to **UDP** for DNS. <br><br>Example: `UDP`| | **DnsQueryClass** | Optional | Integer | The [DNS class ID](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml).<br> <br>In practice, only the **IN** class (ID 1) is used, and therefore this field is less valuable.| | **DnsQueryClassName** | Optional | String | The [DNS class name](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml).<br> <br>In practice, only the **IN** class (ID 1) is used, and therefore this field is less valuable.<br><br>Example: `IN`|
-| <a name=flags></a>**DnsFlags** | Optional | List of strings | The flags field, as provided by the reporting device. If flag information is provided in multiple fields, concatenate them with comma as a separator. <br><br>Since DNS flags are complex to parse and are less often used by analytics, parsing and normalization aren't required. Microsoft Sentinel can use an auxiliary function to provide flags information. For more information, see [Handling DNS response](#handling-dns-response). <br><br>Example: `["DR"]`|
-| <a name=UrlCategory></a>**UrlCategory** | Optional | String | A DNS event source may also look up the category of the requested Domains. The field is called **_UrlCategory_** to align with the Microsoft Sentinel network schema. <br><br>**_DomainCategory_** is added as an alias that's fitting to DNS. <br><br>Example: `Educational \\ Phishing` |
-| **DomainCategory** | Optional | Alias | Alias to [UrlCategory](#UrlCategory). |
-| **ThreatCategory** | Optional | String | If a DNS event source also provides DNS security, it may also evaluate the DNS event. For example, it can search for the IP address or domain in a threat intelligence database, and assign the domain or IP address with a Threat Category. |
+| <a name=flags></a>**DnsFlags** | Optional | List of strings | The flags field, as provided by the reporting device. If flag information is provided in multiple fields, concatenate them with comma as a separator. <br><br>Since DNS flags are complex to parse and are less often used by analytics, parsing, and normalization aren't required. Microsoft Sentinel can use an auxiliary function to provide flags information. For more information, see [Handling DNS response](#handling-dns-response). <br><br>Example: `["DR"]`|
| <a name="dnsnetworkduration"></a>**DnsNetworkDuration** | Optional | Integer | The amount of time, in milliseconds, for the completion of DNS request.<br><br>Example: `1500` | | **Duration** | Alias | | Alias to [DnsNetworkDuration](#dnsnetworkduration) |
-| **DnsFlagsAuthenticated** | Optional | Boolean | The DNS `AD` flag, which is related to DNSSEC, indicates in a response that all data included in the answer and authority sections of the response have been verified by the server according to the policies of that server. see [RFC 3655 Section 6.1](https://tools.ietf.org/html/rfc3655#section-6.1) for more information. |
+| **DnsFlagsAuthenticated** | Optional | Boolean | The DNS `AD` flag, which is related to DNSSEC, indicates in a response that all data included in the answer and authority sections of the response have been verified by the server according to the policies of that server. For more information, see [RFC 3655 Section 6.1](https://tools.ietf.org/html/rfc3655#section-6.1) for more information. |
| **DnsFlagsAuthoritative** | Optional | Boolean | The DNS `AA` flag indicates whether the response from the server was authoritative |
-| **DnsFlagsCheckingDisabled** | Optional | Boolean | The DNS `CD` flag, which is related to DNSSEC, indicates in a query that non-verified data is acceptable to the system sending the query. see [RFC 3655 Section 6.1](https://tools.ietf.org/html/rfc3655#section-6.1) for more information. |
+| **DnsFlagsCheckingDisabled** | Optional | Boolean | The DNS `CD` flag, which is related to DNSSEC, indicates in a query that non-verified data is acceptable to the system sending the query. For more information, see [RFC 3655 Section 6.1](https://tools.ietf.org/html/rfc3655#section-6.1) for more information. |
| **DnsFlagsRecursionAvailable** | Optional | Boolean | The DNS `RA` flag indicates in a response that that server supports recursive queries. | | **DnsFlagsRecursionDesired** | Optional | Boolean | The DNS `RD` flag indicates in a request that that client would like the server to use recursive queries. | | **DnsFlagsTruncated** | Optional | Boolean | The DNS `TC` flag indicates that a response was truncated as it exceeded the maximum response size. | | **DnsFlagsZ** | Optional | Boolean | The DNS `Z` flag is a deprecated DNS flag, which might be reported by older DNS systems. |
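Review bot: the new `DnsFlagsCheckingDisabled` text reads "For more information, see [RFC 3655 Section 6.1] ... for more information.", with the phrase at both ends of the sentence; the new `DnsFlagsAuthenticated` row above has the same duplication. Drop the trailing "for more information" in both rows.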
-|<a name="dnssessionid"></a>**DnsSessionId** | Optional | string | The DNS session identifier as reported by the reporting device. Note that this value is different from [TransactionIdHex](#transactionidhex), the DNS query unique ID as assigned by the DNS client.<br><br>Example: `EB4BFA28-2EAD-4EF7-BC8A-51DF4FDF5B55` |
+|<a name="dnssessionid"></a>**DnsSessionId** | Optional | string | The DNS session identifier as reported by the reporting device. This value is different from [TransactionIdHex](#transactionidhex), the DNS query unique ID as assigned by the DNS client.<br><br>Example: `EB4BFA28-2EAD-4EF7-BC8A-51DF4FDF5B55` |
| **SessionId** | Alias | String | Alias to [DnsSessionId](#dnssessionid) |
+### Inspection fields
-### Deprecated aliases
-
-The following fields are aliases that are maintained for backwards compatibility. They were removed from the schema on December 31st, 2021.
+The following fields are used to represent an inspection, which a DNS security device performed. The threat related fields represent a single threat that is associated with either the source address, the destination address, one of the IP addresses in the response or the DNS query domain. If more than one threat was identified as a threat, information about other IP addresses can be stored in the field `AdditionalFields`.
-- Query (alias to DnsQuery)-- QueryType (alias to DnsQueryType)-- QueryTypeName (alias to DnsQueryTypeName)-- ResponseName (alias to DnsReasponseName)-- ResponseCodeName (alias to DnsResponseCodeName)-- ResponseCode (alias to DnsResponseCode)-- QueryClass (alias to DnsQueryClass)-- QueryClassName (alias to DnsQueryClassName)-- Flags (alias to DnsFlags)
+| Field | Class | Type | Description |
+|-|-||-|
+| <a name=UrlCategory></a>**UrlCategory** | Optional | String | A DNS event source may also look up the category of the requested Domains. The field is called **UrlCategory** to align with the Microsoft Sentinel network schema. <br><br>**DomainCategory** is added as an alias that's fitting to DNS. <br><br>Example: `Educational \\ Phishing` |
+| **DomainCategory** | Optional | Alias | Alias to [UrlCategory](#UrlCategory). |
+| **ThreatCategory** | Optional | String | If a DNS event source also provides DNS security, it may also evaluate the DNS event. For example, it can search for the IP address or domain in a threat intelligence database, and assign the domain or IP address with a Threat Category. |
+| **ThreatIpAddr** | Optional | IP Address | An IP address for which a threat was identified. The field [ThreatField](#threatfield) contains the name of the field **ThreatIpAddr** represents. If a threat is identified in the [Domain](#domain) field, this field should be empty. |
+| <a name="threatfield"></a>**ThreatField** | Optional | Enumerated | The field for which a threat was identified. The value is either `SrcIpAddr`, `DstIpAddr`, `Domain`, or `DnsResponseName`. |
+| **ThreatName** | Optional | String | The name of the threat identified, as reported by the reporting device. |
+| **ThreatConfidence** | Optional | Integer | The confidence level of the threat identified, normalized to a value between 0 and a 100.|
+| **ThreatOriginalConfidence** | Optional | String | The original confidence level of the threat identified, as reported by the reporting device.|
+| **ThreatRiskLevel** | Optional | Integer | The risk level associated with the threat identified, normalized to a value between 0 and a 100. |
+| **ThreatOriginalRiskLevel** | Optional | String | The original risk level associated with the threat identified, as reported by the reporting device. |
+| **ThreatIsActive** | Optional | Boolean | True ID the threat identified is considered an active threat. |
+| **ThreatFirstReportedTime** | Optional | datetime | The first time the IP address or domain were identified as a threat. |
+| **ThreatLastReportedTime** | Optional | datetime | The last time the IP address or domain were identified as a threat.|
++
+### Deprecated aliases and fields
+
+The following fields are aliases that are maintained for backwards compatibility. They were removed from the schema on December 31, 2021.
+
+- `Query` (alias to `DnsQuery`)
+- `QueryType` (alias to `DnsQueryType`)
+- `QueryTypeName` (alias to `DnsQueryTypeName`)
+- `ResponseName` (alias to `DnsReasponseName`)
+- `ResponseCodeName` (alias to `DnsResponseCodeName`)
+- `ResponseCode` (alias to `DnsResponseCode`)
+- `QueryClass` (alias to `DnsQueryClass`)
+- `QueryClassName` (alias to `DnsQueryClassName`)
+- `Flags` (alias to `DnsFlags`)
+- `SrcUserDomain`
### Schema updates The changes in version 0.1.2 of the schema are: - Added the field `EventSchema`.-- Added dedicated flag field which augments the combined **[Flags](#flags)** field: `DnsFlagsAuthoritative`, `DnsFlagsCheckingDisabled`, `DnsFlagsRecursionAvailable`, `DnsFlagsRecursionDesired`, `DnsFlagsTruncated`, and `DnsFlagsZ`.
+- Added dedicated flag field, which augments the combined **[Flags](#flags)** field: `DnsFlagsAuthoritative`, `DnsFlagsCheckingDisabled`, `DnsFlagsRecursionAvailable`, `DnsFlagsRecursionDesired`, `DnsFlagsTruncated`, and `DnsFlagsZ`.
The changes in version 0.1.3 of the schema are: - The schema now explicitly documents `Src*`, `Dst*`, `Process*` and `User*` fields.
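Review bot: in the new Inspection fields table, the `ThreatIsActive` description reads "True ID the threat identified is considered an active threat", which should be "True if", and the `DomainCategory` row has `Optional` in the Class column and `Alias` in the Type column, the reverse of the other alias rows such as `Domain` and `Duration`. The section intro says "If more than one threat was identified as a threat, information about other IP addresses can be stored", which repeats itself and ignores that `ThreatField` can also be `Domain` or `DnsResponseName`; reword it to cover any additional threat. In the deprecated list, `SrcUserDomain` is added under a sentence that describes every entry as an alias removed on December 31, 2021, but it has no alias target and was a regular field until this change, so give it its own sentence. The `ResponseName` entry still points at the misspelled `DnsReasponseName`.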
The changes in version 0.1.3 of the schema are:
- Added optional `DnsNetworkDuration` and `Duration`, an alias to it. - Added optional Geo Location and Risk Level fields.
+The changes in version 0.1.4 of the schema are:
++ ## Source-specific discrepancies The goal of normalizing is to ensure that all sources provide consistent telemetry. A source that doesn't provide the required telemetry, such as mandatory schema fields, cannot be normalized. However, sources that typically provide all required telemetry, even if there are some discrepancies, can be normalized. Discrepancies may affect the completeness of query results.
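Review bot: the added line "The changes in version 0.1.4 of the schema are:" is followed directly by the `## Source-specific discrepancies` heading, with no list items under it. Either list the 0.1.4 changes (this diff adds the Inspection fields and moves `SrcUserDomain` to the deprecated list) or remove the sentence until there is something to list.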
sentinel Entities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/entities.md
Entity pages are designed to be part of multiple usage scenarios, and can be acc
:::image type="content" source="./media/identify-threats-with-entity-behavior-analytics/entity-pages-use-cases.png" alt-text="Entity page use cases":::
-Entity page information is stored in the **BehaviorAnalytics** table, described in detail in the [Microsoft Sentinel UEBA enrichments reference](ueba-enrichments.md).
+Entity page information is stored in the **BehaviorAnalytics** table, described in detail in the [Microsoft Sentinel UEBA reference](ueba-reference.md).
## Next steps
sentinel Identify Threats With Entity Behavior Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/identify-threats-with-entity-behavior-analytics.md
Entity pages are designed to be part of multiple usage scenarios, and can be acc
:::image type="content" source="./media/identify-threats-with-entity-behavior-analytics/entity-pages-use-cases.png" alt-text="Entity page use cases":::
-Entity page information is stored in the **BehaviorAnalytics** table, described in detail in the [Microsoft Sentinel UEBA enrichments reference](ueba-enrichments.md).
+Entity page information is stored in the **BehaviorAnalytics** table, described in detail in the [Microsoft Sentinel UEBA reference](ueba-reference.md).
## Querying behavior analytics data
In this document, you learned about Microsoft Sentinel's entity behavior analyti
- [Investigate incidents with UEBA data](investigate-with-ueba.md). - [Hunt for security threats](./hunting.md).
-For more information, also see the [Microsoft Sentinel UEBA enrichments reference](ueba-enrichments.md).
+For more information, also see the [Microsoft Sentinel UEBA reference](ueba-reference.md).
sentinel Investigate With Ueba https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/investigate-with-ueba.md
For example:
| where GroupMembership !contains "Developers" ```
-The **IdentityInfo** table synchronizes with your Azure AD workspace to create a snapshot of your user profile data, such as user metadata, group information, and Azure AD roles assigned to each user. For more information, see [IdentityInfo table](ueba-enrichments.md#identityinfo-table-public-preview) in the UEBA enrichments reference.
+The **IdentityInfo** table synchronizes with your Azure AD workspace to create a snapshot of your user profile data, such as user metadata, group information, and Azure AD roles assigned to each user. For more information, see [IdentityInfo table](ueba-reference.md#identityinfo-table) in the UEBA enrichments reference.
## Identify password spray and spear phishing attempts
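Review bot: the updated **IdentityInfo** sentence now links to `ueba-reference.md#identityinfo-table` but still ends with "in the UEBA enrichments reference", while the other links changed in this commit use the new title "Microsoft Sentinel UEBA reference". Update the trailing text to match, and confirm that the target heading no longer carries the `-public-preview` suffix, since the anchor changed along with the file name.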
For example:
Learn more about UEBA, investigations, and hunting: - [Identify advanced threats with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](identify-threats-with-entity-behavior-analytics.md)-- [Microsoft Sentinel UEBA enrichments reference](ueba-enrichments.md)
+- [Microsoft Sentinel UEBA reference](ueba-reference.md)
- [Tutorial: Investigate incidents with Microsoft Sentinel](investigate-cases.md) - [Hunt for threats with Microsoft Sentinel](hunting.md)
sentinel Migrate Playbooks To Automation Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/migrate-playbooks-to-automation-rules.md
+
+ Title: Migrate your Microsoft Sentinel alert-trigger playbooks to automation rules | Microsoft Docs
+description: This article explains how (and why) to take your existing playbooks built on the alert trigger and migrate them from being invoked by analytics rules to being invoked by automation rules.
++ Last updated : 05/23/2022+++
+# Migrate your Microsoft Sentinel alert-trigger playbooks to automation rules
++
+This article explains how (and why) to take your existing playbooks built on the alert trigger and migrate them from being invoked by analytics rules to being invoked by automation rules.
+
+## Why to migrate
+
+If you have already created and built playbooks to respond to alerts (rather than incidents), and attached them to analytics rules, we strongly encourage you to move these playbooks to automation rules. Doing so will give you the following advantages:
+- Manage all your automations from a single display, regardless of type<br>(ΓÇ£single pane of glassΓÇ¥).
+
+- Define a single automation rule that can trigger playbooks for multiple analytics rules, instead of configuring each analytics rule independently.
+
+- Define the order in which alert playbooks will be executed.
+
+- Support scenarios that set an expiration date for running a playbook.
+
+It's important to understand that the playbook itself won't change at all. Only the mechanism that invokes it to run will change.
+
+## How to migrate
+
+- If youΓÇÖre migrating a playbook that's used by only one analytics rule, follow the instructions under [Create an automation rule from an analytics rule](#create-an-automation-rule-from-an-analytics-rule).
+
+- If youΓÇÖre migrating a playbook that's used by more than one analytics rule, follow the instructions under [Create a new automation rule from the Automation portal](#create-a-new-automation-rule-from-the-automation-portal).
+
+### Create an automation rule from an analytics rule
+
+1. From the main navigation menu, select **Analytics**.
+
+1. Under **Active rules**, find an analytics rule already configured to run a playbook.
+
+1. Select **Edit**.
+
+ :::image type="content" source="media/migrate-playbooks-to-automation-rules/find-analytics-rule.png" alt-text="Screenshot of finding and selecting an analytics rule.":::
+
+1. Select the **Automated response** tab.
+
+1. Playbooks directly configured to run from this analytics rule can be found under **Alert automation (classic)**.
+
+ :::image type="content" source="media/migrate-playbooks-to-automation-rules/see-playbooks.png" alt-text="Screenshot of automation rules and playbooks screen.":::
+
+1. Select **+ Add new** under **Automation rules (Preview)** (in the upper half of the screen) to create a new automation rule.
+
+1. In the **Create new automation rule** panel, under **Trigger**, select **When alert is created (Preview)**.
+
+ :::image type="content" source="media/migrate-playbooks-to-automation-rules/select-trigger.png" alt-text="Screenshot of creating automation rule in analytics rule screen.":::
+
+1. Under **Actions**, see that the **Run playbook** action, being the only type of action available, is automatically selected and grayed out. Select your playbook from those available in the drop-down list in the line below.
+
+ :::image type="content" source="media/migrate-playbooks-to-automation-rules/select-playbook.png" alt-text="Screenshot of selecting playbook as action in automation rule wizard.":::
+
+1. Click **Apply**. You will now see the new rule in the automation rules grid.
+
+1. Remove the playbook from the **Alert automation (classic)** section.
+
+1. **Review and update** the analytics rule to save your changes.
+
+### Create a new automation rule from the Automation portal
+
+1. From the main navigation menu, select **Automation**.
+
+1. From the top menu bar, select **Create -> Automation rule**.
+
+1. In the **Create new automation rule** panel, in the **Trigger** drop-down, select **When alert is created (preview)**.
+
+1. Under **Conditions**, select the analytics rules you want to run a particular playbook or a set of playbooks on.
+
+1. Under **Actions**, for each playbook you want this rule to invoke, select **+ Add action**. The **Run playbook** action will be automatically selected and grayed out. Select from the list of available playbooks in the drop-down list in the line below. Order the actions according to the order in which you want the playbooks to run.
+
+1. Select **Apply** to save the automation rule.
+
+1. Edit the analytics rule or rules that invoked these playbooks (the rules you specified under **Conditions**), removing the playbook from the **Alert automation (classic)** section of the **Automated response** tab.
+
+## Next steps
+In this document, you learned how to migrate playbooks based on the alert trigger from analytics rules to automation rules.
+
+- To learn more about automation rules, see [Automate threat response in Microsoft Sentinel with automation rules](automate-incident-handling-with-automation-rules.md)
+- To create automation rules, see [Create and use Microsoft Sentinel automation rules to manage response](create-manage-use-automation-rules.md)
+- To learn more about advanced automation options, see [Automate threat response with playbooks in Microsoft Sentinel](automate-responses-with-playbooks.md).
+- For help in implementing automation rules and playbooks, see [Tutorial: Use playbooks to automate threat responses in Microsoft Sentinel](tutorial-respond-threats-playbook.md).
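Review bot: The trigger label is capitalized two ways, "When alert is created (Preview)" in step 7 of "Create an automation rule from an analytics rule" and "When alert is created (preview)" in step 3 of "Create a new automation rule from the Automation portal"; use the exact label the portal shows in both procedures. The first procedure also says "Click **Apply**" where every other step, and the second procedure, says "Select". Both procedures end by removing the playbook from **Alert automation (classic)**, so it would help to say explicitly that the new automation rule must be saved and visible in the automation rules grid before the classic entry is removed; otherwise a reader can leave alerts with no playbook attached, or with the playbook attached twice.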
sentinel Ueba Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/ueba-reference.md
+
+ Title: Microsoft Sentinel UEBA reference | Microsoft Docs
+description: This article displays the entity enrichments generated by Microsoft Sentinel's entity behavior analytics.
++ Last updated : 06/28/2022++++
+# Microsoft Sentinel UEBA reference
++
+This reference article lists the input data sources for the User and Entity Behavior Analytics service in Microsoft Sentinel. It also describes the enrichments that UEBA adds to entities, providing needed context to alerts and incidents.
+
+## UEBA data sources
+
+These are the data sources from which the UEBA engine collects and analyzes data to train its ML models and set behavioral baselines for users, devices, and other entities. UEBA then looks at data from these sources to find anomalies and glean insights.
+
+| Data source | Events |
+| -- | |
+| **Azure Active Directory**<br>Sign-in logs | All |
+| **Azure Active Directory**<br>Audit logs | ApplicationManagement<br>DirectoryManagement<br>GroupManagement<br>Device<br>RoleManagement<br>UserManagementCategory |
+| **Azure Activity logs** | Authorization<br>AzureActiveDirectory<br>Billing<br>Compute<br>Consumption<br>KeyVault<br>Devices<br>Network<br>Resources<br>Intune<br>Logic<br>Sql<br>Storage |
+| **Windows Security events** | 4624: An account was successfully logged on<br>4625: An account failed to log on<br>4648: A logon was attempted using explicit credentials<br>4672: Special privileges assigned to new logon<br>4688: A new process has been created |
+
+## UEBA enrichments
+
+This section describes the enrichments UEBA adds to Microsoft Sentinel entities, along with all their details, that you can use to focus and sharpen your security incident investigations. These enrichments are displayed on [entity pages](identify-threats-with-entity-behavior-analytics.md#how-to-use-entity-pages) and can be found in the following Log Analytics tables, the contents and schema of which are listed below:
+
+- The **BehaviorAnalytics** table is where UEBA's output information is stored.
+
+ The following three dynamic fields from the BehaviorAnalytics table are described in the [entity enrichments dynamic fields](#entity-enrichments-dynamic-fields) section below.
+
+ - The [UsersInsights](#usersinsights-field) and [DevicesInsights](#devicesinsights-field) fields contain entity information from Active Directory / Azure AD and Microsoft Threat Intelligence sources.
+
+ - The [ActivityInsights](#activityinsights-field) field contains entity information based on the behavioral profiles built by Microsoft Sentinel's entity behavior analytics.
+
+ <a name="baseline-explained"></a>User activities are analyzed against a baseline that is dynamically compiled each time it is used. Each activity has its defined lookback period from which the dynamic baseline is derived. The lookback period is specified in the [**Baseline**](#activityinsights-field) column in this table.
+
+- The **IdentityInfo** table is where identity information synchronized to UEBA from Azure Active Directory is stored.
+
+### BehaviorAnalytics table
+
+The following table describes the behavior analytics data displayed on each [entity details page](identify-threats-with-entity-behavior-analytics.md#how-to-use-entity-pages) in Microsoft Sentinel.
+
+| Field | Type | Description |
+| - | -- | |
+| **TenantId** | string | The unique ID number of the tenant. |
+| **SourceRecordId** | string | The unique ID number of the EBA event. |
+| **TimeGenerated** | datetime | The timestamp of the activity's occurrence. |
+| **TimeProcessed** | datetime | The timestamp of the activity's processing by the EBA engine. |
+| **ActivityType** | string | The high-level category of the activity. |
+| **ActionType** | string | The normalized name of the activity. |
+| **UserName** | string | The username of the user that initiated the activity. |
+| **UserPrincipalName** | string | The full username of the user that initiated the activity. |
+| **EventSource** | string | The data source that provided the original event. |
+| **SourceIPAddress** | string | The IP address from which activity was initiated. |
+| **SourceIPLocation** | string | The country from which activity was initiated, enriched from IP address. |
+| **SourceDevice** | string | The hostname of the device that initiated the activity. |
+| **DestinationIPAddress** | string | The IP address of the target of the activity. |
+| **DestinationIPLocation** | string | The country of the target of the activity, enriched from IP address. |
+| **DestinationDevice** | string | The name of the target device. |
+| **UsersInsights** | dynamic | The contextual enrichments of involved users ([details below](#usersinsights-field)). |
+| **DevicesInsights** | dynamic | The contextual enrichments of involved devices ([details below](#devicesinsights-field)). |
+| **ActivityInsights** | dynamic | The contextual analysis of activity based on our profiling ([details below](#activityinsights-field)). |
+| **InvestigationPriority** | int | The anomaly score, between 0-10 (0=benign, 10=highly anomalous). |
+++
+### Entity enrichments dynamic fields
+
+> [!NOTE]
+> The **Enrichment name** column in the tables in this section displays two rows of information.
+>
+> - The first, in **bold**, is the "friendly name" of the enrichment.
+> - The second *(in italics and parentheses)* is the field name of the enrichment as stored in the [**Behavior Analytics table**](#behavioranalytics-table).
+++
+#### UsersInsights field
+
+The following table describes the enrichments featured in the **UsersInsights** dynamic field in the BehaviorAnalytics table:
+
+| Enrichment name | Description | Sample value |
+| | | |
+| **Account display name**<br>*(AccountDisplayName)* | The account display name of the user. | Admin, Hayden Cook |
+| **Account domain**<br>*(AccountDomain)* | The account domain name of the user. | |
+| **Account object ID**<br>*(AccountObjectID)* | The account object ID of the user. | a58df659-5cab-446c-9dd0-5a3af20ce1c2 |
+| **Blast radius**<br>*(BlastRadius)* | The blast radius is calculated based on several factors: the position of the user in the org tree, and the user's Azure Active Directory roles and permissions. User must have *Manager* property populated in Azure Active Directory for *BlastRadius* to be calculated. | Low, Medium, High |
+| **Is dormant account**<br>*(IsDormantAccount)* | The account has not been used for the past 180 days. | True, False |
+| **Is local admin**<br>*(IsLocalAdmin)* | The account has local administrator privileges. | True, False |
+| **Is new account**<br>*(IsNewAccount)* | The account was created within the past 30 days. | True, False |
+| **On premises SID**<br>*(OnPremisesSID)* | The on-premises SID of the user related to the action. | S-1-5-21-1112946627-1321165628-2437342228-1103 |
+|
+
+#### DevicesInsights field
+
+The following table describes the enrichments featured in the **DevicesInsights** dynamic field in the BehaviorAnalytics table:
+
+| Enrichment name | Description | Sample value |
+| | | |
+| **Browser**<br>*(Browser)* | The browser used in the action. | Edge, Chrome |
+| **Device family**<br>*(DeviceFamily)* | The device family used in the action. | Windows |
+| **Device type**<br>*(DeviceType)* | The client device type used in the action | Desktop |
+| **ISP**<br>*(ISP)* | The internet service provider used in the action. | |
+| **Operating system**<br>*(OperatingSystem)* | The operating system used in the action. | Windows 10 |
+| **Threat intel indicator description**<br>*(ThreatIntelIndicatorDescription)* | Description of the observed threat indicator resolved from the IP address used in the action. | Host is member of botnet: azorult |
+| **Threat intel indicator type**<br>*(ThreatIntelIndicatorType)* | The type of the threat indicator resolved from the IP address used in the action. | Botnet, C2, CryptoMining, Darknet, Ddos, MaliciousUrl, Malware, Phishing, Proxy, PUA, Watchlist |
+| **User agent**<br>*(UserAgent)* | The user agent used in the action. | Microsoft Azure Graph Client Library 1.0,<br>ΓÇïSwagger-Codegen/1.4.0.0/csharp,<br>EvoSTS |
+| **User agent family**<br>*(UserAgentFamily)* | The user agent family used in the action. | Chrome, Edge, Firefox |
+|
+
+#### ActivityInsights field
+
+The following tables describe the enrichments featured in the **ActivityInsights** dynamic field in the BehaviorAnalytics table:
+
+##### Action performed
+
+| Enrichment name | [Baseline](#baseline-explained) (days) | Description | Sample value |
+| | | | |
+| **First time user performed action**<br>*(FirstTimeUserPerformedAction)* | 180 | The action was performed for the first time by the user. | True, False |
+| **Action uncommonly performed by user**<br>*(ActionUncommonlyPerformedByUser)* | 10 | The action is not commonly performed by the user. | True, False |
+| **Action uncommonly performed among peers**<br>*(ActionUncommonlyPerformedAmongPeers)* | 180 | The action is not commonly performed among user's peers. | True, False |
+| **First time action performed in tenant**<br>*(FirstTimeActionPerformedInTenant)* | 180 | The action was performed for the first time by anyone in the organization. | True, False |
+| **Action uncommonly performed in tenant**<br>*(ActionUncommonlyPerformedInTenant)* | 180 | The action is not commonly performed in the organization. | True, False |
+|
+
+##### App used
+
+| Enrichment name | [Baseline](#baseline-explained) (days) | Description | Sample value |
+| | | | |
+| **First time user used app**<br>*(FirstTimeUserUsedApp)* | 180 | The app was used for the first time by the user. | True, False |
+| **App uncommonly used by user**<br>*(AppUncommonlyUsedByUser)* | 10 | The app is not commonly used by the user. | True, False |
+| **App uncommonly used among peers**<br>*(AppUncommonlyUsedAmongPeers)* | 180 | The app is not commonly used among user's peers. | True, False |
+| **First time app observed in tenant**<br>*(FirstTimeAppObservedInTenant)* | 180 | The app was observed for the first time in the organization. | True, False |
+| **App uncommonly used in tenant**<br>*(AppUncommonlyUsedInTenant)* | 180 | The app is not commonly used in the organization. | True, False |
+|
+
+##### Browser used
+
+| Enrichment name | [Baseline](#baseline-explained) (days) | Description | Sample value |
+| | | | |
+| **First time user connected via browser**<br>*(FirstTimeUserConnectedViaBrowser)* | 30 | The browser was observed for the first time by the user. | True, False |
+| **Browser uncommonly used by user**<br>*(BrowserUncommonlyUsedByUser)* | 10 | The browser is not commonly used by the user. | True, False |
+| **Browser uncommonly used among peers**<br>*(BrowserUncommonlyUsedAmongPeers)* | 30 | The browser is not commonly used among user's peers. | True, False |
+| **First time browser observed in tenant**<br>*(FirstTimeBrowserObservedInTenant)* | 30 | The browser was observed for the first time in the organization. | True, False |
+| **Browser uncommonly used in tenant**<br>*(BrowserUncommonlyUsedInTenant)* | 30 | The browser is not commonly used in the organization. | True, False |
+|
+
+##### Country connected from
+
+| Enrichment name | [Baseline](#baseline-explained) (days) | Description | Sample value |
+| | | | |
+| **First time user connected from country**<br>*(FirstTimeUserConnectedFromCountry)* | 90 | The geo location, as resolved from the IP address, was connected from for the first time by the user. | True, False |
+| **Country uncommonly connected from by user**<br>*(CountryUncommonlyConnectedFromByUser)* | 10 | The geo location, as resolved from the IP address, is not commonly connected from by the user. | True, False |
+| **Country uncommonly connected from among peers**<br>*(CountryUncommonlyConnectedFromAmongPeers)* | 90 | The geo location, as resolved from the IP address, is not commonly connected from among user's peers. | True, False |
+| **First time connection from country observed in tenant**<br>*(FirstTimeConnectionFromCountryObservedInTenant)* | 90 | The country was connected from for the first time by anyone in the organization. | True, False |
+| **Country uncommonly connected from in tenant**<br>*(CountryUncommonlyConnectedFromInTenant)* | 90 | The geo location, as resolved from the IP address, is not commonly connected from in the organization. | True, False |
+|
+
+##### Device used to connect
+
+| Enrichment name | [Baseline](#baseline-explained) (days) | Description | Sample value |
+| | | | |
+| **First time user connected from device**<br>*(FirstTimeUserConnectedFromDevice)* | 30 | The source device was connected from for the first time by the user. | True, False |
+| **Device uncommonly used by user**<br>*(DeviceUncommonlyUsedByUser)* | 10 | The device is not commonly used by the user. | True, False |
+| **Device uncommonly used among peers**<br>*(DeviceUncommonlyUsedAmongPeers)* | 180 | The device is not commonly used among user's peers. | True, False |
+| **First time device observed in tenant**<br>*(FirstTimeDeviceObservedInTenant)* | 30 | The device was observed for the first time in the organization. | True, False |
+| **Device uncommonly used in tenant**<br>*(DeviceUncommonlyUsedInTenant)* | 180 | The device is not commonly used in the organization. | True, False |
+|
+
+##### Other device-related
+
+| Enrichment name | [Baseline](#baseline-explained) (days) | Description | Sample value |
+| | | | |
+| **First time user logged on to device**<br>*(FirstTimeUserLoggedOnToDevice)* | 180 | The destination device was connected to for the first time by the user. | True, False |
+| **Device family uncommonly used in tenant**<br>*(DeviceFamilyUncommonlyUsedInTenant)* | 30 | The device family is not commonly used in the organization. | True, False |
+|
+
+##### Internet Service Provider used to connect
+
+| Enrichment name | [Baseline](#baseline-explained) (days) | Description | Sample value |
+| | | | |
+| **First time user connected via ISP**<br>*(FirstTimeUserConnectedViaISP)* | 30 | The ISP was observed for the first time by the user. | True, False |
+| **ISP uncommonly used by user**<br>*(ISPUncommonlyUsedByUser)* | 10 | The ISP is not commonly used by the user. | True, False |
+| **ISP uncommonly used among peers**<br>*(ISPUncommonlyUsedAmongPeers)* | 30 | The ISP is not commonly used among user's peers. | True, False |
+| **First time connection via ISP in tenant**<br>*(FirstTimeConnectionViaISPInTenant)* | 30 | The ISP was observed for the first time in the organization. | True, False |
+| **ISP uncommonly used in tenant**<br>*(ISPUncommonlyUsedInTenant)* | 30 | The ISP is not commonly used in the organization. | True, False |
+|
+
+##### Resource accessed
+
+| Enrichment name | [Baseline](#baseline-explained) (days) | Description | Sample value |
+| | | | |
+| **First time user accessed resource**<br>*(FirstTimeUserAccessedResource)* | 180 | The resource was accessed for the first time by the user. | True, False |
+| **Resource uncommonly accessed by user**<br>*(ResourceUncommonlyAccessedByUser)* | 10 | The resource is not commonly accessed by the user. | True, False |
+| **Resource uncommonly accessed among peers**<br>*(ResourceUncommonlyAccessedAmongPeers)* | 180 | The resource is not commonly accessed among user's peers. | True, False |
+| **First time resource accessed in tenant**<br>*(FirstTimeResourceAccessedInTenant)* | 180 | The resource was accessed for the first time by anyone in the organization. | True, False |
+| **Resource uncommonly accessed in tenant**<br>*(ResourceUncommonlyAccessedInTenant)* | 180 | The resource is not commonly accessed in the organization. | True, False |
+|
+
+##### Miscellaneous
+
+| Enrichment name | [Baseline](#baseline-explained) (days) | Description | Sample value |
+| | | | |
+| **Last time user performed action**<br>*(LastTimeUserPerformedAction)* | 180 | Last time the user performed the same action. | \<Timestamp\> |
+| **Similar action wasn't performed in the past**<br>*(SimilarActionWasn'tPerformedInThePast)* | 30 | No action in the same resource provider was performed by the user. | True, False |
+| **Source IP location**<br>*(SourceIPLocation)* | *N/A* | The country resolved from the source IP of the action. | [Surrey, England] |
+| **Uncommon high volume of operations**<br>*(UncommonHighVolumeOfOperations)* | 7 | A user performed a burst of similar operations within the same provider | True, False |
+| **Unusual number of Azure AD conditional access failures**<br>*(UnusualNumberOfAADConditionalAccessFailures)* | 5 | An unusual number of users failed to authenticate due to conditional access | True, False |
+| **Unusual number of devices added**<br>*(UnusualNumberOfDevicesAdded)* | 5 | A user added an unusual number of devices. | True, False |
+| **Unusual number of devices deleted**<br>*(UnusualNumberOfDevicesDeleted)* | 5 | A user deleted an unusual number of devices. | True, False |
+| **Unusual number of users added to group**<br>*(UnusualNumberOfUsersAddedToGroup)* | 5 | A user added an unusual number of users to a group. | True, False |
+|
++
+### IdentityInfo table
+
+After you [enable UEBA](enable-entity-behavior-analytics.md) for your Microsoft Sentinel workspace, data from your Azure Active Directory is synchronized to the **IdentityInfo** table in Log Analytics for use in Microsoft Sentinel. You can embed user data synchronized from your Azure AD in your analytics rules to enhance your analytics to fit your use cases and reduce false positives.
+
+While the initial synchronization may take a few days, once the data is fully synchronized:
+
+- Changes made to your user profiles in Azure AD are updated in the **IdentityInfo** table within 15 minutes.
+
+- Group and role information is synchronized between the **IdentityInfo** table and Azure AD daily.
+
+- Every 14 days, Microsoft Sentinel re-synchronizes with your entire Azure AD to ensure that stale records are fully updated.
+
+- Default retention time in the **IdentityInfo** table is 30 days.
++
+> [!NOTE]
+> Currently, only built-in roles are supported.
+>
+> Data about deleted groups, where a user was removed from a group, is not currently supported.
+>
+
+The following table describes the user identity data included in the **IdentityInfo** table in Log Analytics.
+
+| Field | Type | Description |
+| - | -- | - |
+| **AccountCloudSID** | string | The Azure AD security identifier of the account. |
+| **AccountCreationTime** | datetime | The date the user account was created (UTC). |
+| **AccountDisplayName** | string | The display name of the user account. |
+| **AccountDomain** | string | The domain name of the user account. |
+| **AccountName** | string | The user name of the user account. |
+| **AccountObjectId** | string | The Azure Active Directory object ID for the user account. |
+| **AccountSID** | string | The on-premises security identifier of the user account. |
+| **AccountTenantId** | string | The Azure Active Directory tenant ID of the user account. |
+| **AccountUPN** | string | The user principal name of the user account. |
+| **AdditionalMailAddresses** | dynamic | The additional email addresses of the user. |
+| **AssignedRoles** | dynamic | The Azure AD roles the user account is assigned to. |
+| **City** | string | The city of the user account. |
+| **Country** | string | The country of the user account. |
+| **DeletedDateTime** | datetime | The date and time the user was deleted. |
+| **Department** | string | The department of the user account. |
+| **GivenName** | string | The given name of the user account. |
+| **GroupMembership** | dynamic | Azure AD Groups where the user account is a member. |
+| **IsAccountEnabled** | bool | An indication as to whether the user account is enabled in Azure AD or not. |
+| **JobTitle** | string | The job title of the user account. |
+| **MailAddress** | string | The primary email address of the user account. |
+| **Manager** | string | The manager alias of the user account. |
+| **OnPremisesDistinguishedName** | string | The Azure AD distinguished name (DN). A distinguished name is a sequence of relative distinguished names (RDN), connected by commas. |
+| **Phone** | string | The phone number of the user account. |
+| **SourceSystem** | string | The system where the user data originated. |
+| **State** | string | The geographical state of the user account. |
+| **StreetAddress** | string | The office street address of the user account. |
+| **Surname** | string | The surname of the user. account. |
+| **TenantId** | string | The tenant ID of the user. |
+| **TimeGenerated** | datetime | The time when the event was generated (UTC). |
+| **Type** | string | The name of the table. |
+| **UserState** | string | The current state of the user account in Azure AD (Active/Disabled/Dormant/Lockout). |
+| **UserStateChangedOn** | datetime | The date of the last time the account state was changed (UTC). |
+| **UserType** | string | The user type. |
++
+## Next steps
+
+This document described the Microsoft Sentinel entity behavior analytics table schema.
+
+- Learn more about [entity behavior analytics](identify-threats-with-entity-behavior-analytics.md).
+- [Put UEBA to use](investigate-with-ueba.md) in your investigations.
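Review bot: In the Miscellaneous table, the **Source IP location** row says "The country resolved from the source IP of the action" but gives the sample value "[Surrey, England]", which is a region plus a country; make the description and the sample agree, and keep both consistent with the **SourceIPLocation** column of the BehaviorAnalytics table, which is also described as a country. In the IdentityInfo table, "The surname of the user. account." has a stray period, and **OnPremisesDistinguishedName** is described as "The Azure AD distinguished name (DN)", which contradicts the field name. The field name *(SimilarActionWasn'tPerformedInThePast)* contains an apostrophe; confirm that this is the stored name, and if it is, tell readers how to reference it when querying **ActivityInsights**. The BehaviorAnalytics descriptions say "EBA event" and "EBA engine" while the rest of the article says UEBA; pick one term.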
sentinel Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/whats-new-archive.md
Now, having [UEBA enabled](enable-entity-behavior-analytics.md) in your Azure Se
Use the **IdentityInfo** table during investigations and when fine-tuning analytics rules for your organization to reduce false positives.
-For more information, see [IdentityInfo table](ueba-enrichments.md#identityinfo-table-public-preview) in the UEBA enrichments reference and [Use UEBA data to analyze false positives](investigate-with-ueba.md#use-ueba-data-to-analyze-false-positives).
+For more information, see [IdentityInfo table](ueba-reference.md#identityinfo-table) in the UEBA enrichments reference and [Use UEBA data to analyze false positives](investigate-with-ueba.md#use-ueba-data-to-analyze-false-positives).
### Enrich entities with geolocation data via API (Public preview)
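Review bot: The updated link now targets ueba-reference.md, but the sentence still calls the destination "the UEBA enrichments reference", while the new article is titled "Microsoft Sentinel UEBA reference". Change the wording to "the UEBA reference" so the link text matches the page the reader lands on.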
Our collection of third-party integrations continues to grow, with thirty connec
The Azure Sentinel entity details pages provide an [Insights pane](identify-threats-with-entity-behavior-analytics.md#entity-insights), which displays behavioral insights on the entity and help to quickly identify anomalies and security threats.
-If you have [UEBA enabled](ueba-enrichments.md), and have selected a timeframe of at least four days, this Insights pane will now also include the following new sections for UEBA insights:
+If you have [UEBA enabled](ueba-reference.md), and have selected a timeframe of at least four days, this Insights pane will now also include the following new sections for UEBA insights:
|Section |Description | |||
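Review bot: The link text "UEBA enabled" was retargeted from ueba-enrichments.md to ueba-reference.md, which is a schema reference and does not explain how to enable UEBA. The same phrase earlier on this page links to enable-entity-behavior-analytics.md; point this link there as well instead of carrying the old target over to the renamed file.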
sentinel Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/whats-new.md
If you're looking for items older than six months, you'll find them in the [Arch
> > You can also contribute! Join us in the [Microsoft Sentinel Threat Hunters GitHub community](https://github.com/Azure/Azure-Sentinel/wiki).
+## July 2022
+
+- [Automation rules for alerts](#automation-rules-for-alerts)
+
+### Automation rules for alerts
+
+In addition to their incident-management duties, [automation rules](automate-incident-handling-with-automation-rules.md) have a new, added function: they are the preferred mechanism for running playbooks built on the **alert trigger**.
+
+Previously, these playbooks could be automated only by attaching them to analytics rules on an individual basis. With the alert trigger for automation rules, a single automation rule can apply to any number of analytics rules, enabling you to centrally manage the running of playbooks for alerts as well as those for incidents.
+
+Learn more about [migrating your alert-trigger playbooks to be invoked by automation rules](migrate-playbooks-to-automation-rules.md).
+ ## June 2022 - [Microsoft Purview Data Loss Prevention (DLP) integration in Microsoft Sentinel (Preview)](#microsoft-purview-data-loss-prevention-dlp-integration-in-microsoft-sentinel-preview)
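Review bot: The new "Automation rules for alerts" entry carries no preview label, while the migration article added in the same update shows the feature in the UI as "When alert is created (Preview)" under "Automation rules (Preview)", and the June entry just below marks its feature "(Preview)". If the alert trigger is still in preview, add "(Preview)" to the heading and its anchor in the July list so readers know the support status before they move production playbooks. Also add a blank line before "## June 2022" so the new section does not run into the next heading.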
service-fabric Service Fabric Cluster Resource Manager Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-cluster-resource-manager-metrics.md
Metrics are configured on a per-named-service-instance basis when youΓÇÖre creat
Any metric has some properties that describe it: a name, a weight, and a default load. * Metric Name: The name of the metric. The metric name is a unique identifier for the metric within the cluster from the Resource ManagerΓÇÖs perspective.+
+> [!NOTE]
+> Custom metric Name should not be any of the system metric names i.e servicefabric:/_CpuCores or servicefabric:/_MemoryInMB as it can lead to undefined behavior. Starting with Service Fabric version 9.1, for existing services with these custom metric names, a health warning is issued to indicate that the metric name is incorrect.
+>
+ * Weight: Metric weight defines how important this metric is relative to the other metrics for this service. * Default Load: The default load is represented differently depending on whether the service is stateless or stateful. * For stateless services, each metric has a single property named DefaultLoad
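Review bot: The note is inserted between the "Metric Name" and "Weight" bullets, which splits one list into two; move it below the list or indent it under the "Metric Name" item. In the note text, format the reserved names as code (`servicefabric:/_CpuCores`, `servicefabric:/_MemoryInMB`) as the resource governance article does, replace "i.e" with "that is," or "such as", and lowercase "Name". The wording "can lead to undefined behavior" should match the parallel note in the resource governance article, which says "will lead".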
service-fabric Service Fabric Resource Governance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-resource-governance.md
Resource governance is supported in Service Fabric in accordance with the [servi
* *Memory* (metric name `servicefabric:/_MemoryInMB`): Memory is expressed in megabytes, and it maps to physical memory that is available on the machine.
-For these two metrics, [Cluster Resource Manager (CRM)][cluster-resource-manager-description-link] tracks total cluster capacity, the load on each node in the cluster, and the remaining resources in the cluster. These two metrics are equivalent to any other user or custom metric. All existing features can be used with them:
+For these two metrics, [Cluster Resource Manager (CRM)][cluster-resource-manager-description-link] tracks total cluster capacity, the load on each node in the cluster, and the remaining resources in the cluster. These two metrics are equivalent to any other user or custom metric.
+> [!NOTE]
+> Custom metric names should not be one of these two metric names as it will lead to undefined behavior.
+>
+
+All existing features can be used with them:
* The cluster can be [balanced](service-fabric-cluster-resource-manager-balancing.md) according to these two metrics (default behavior). * The cluster can be [defragmented](service-fabric-cluster-resource-manager-defragmentation-metrics.md) according to these two metrics. * When [describing a cluster][cluster-resource-manager-description-link], buffered capacity can be set for these two metrics.
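Review bot: Placing the note between "These two metrics are equivalent to any other user or custom metric." and "All existing features can be used with them:" leaves "them" referring back across a note about custom metric names, so the antecedent is no longer clear. Move the note after the feature list, or change the sentence to "All existing features can be used with these two metrics:". The note should also name the two reserved metrics explicitly and mention the health warning introduced in Service Fabric 9.1, as the note in the metrics article does, so the two articles give the same guidance.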
spatial-anchors Get Started Unity Hololens https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spatial-anchors/quickstarts/get-started-unity-hololens.md
You'll learn how to:
To complete this quickstart: -- You need a HoloLens device with [developer mode](/windows/mixed-reality/using-visual-studio) enabled. [Windows 10 May 2020 Update or later](/windows/mixed-reality/whats-new/release-notes-may-2020) must be installed on the device. To update to the latest release on HoloLens, open the **Settings** app, go to **Update & Security**, and then select **Check for updates**.
+- You need a HoloLens device with [developer mode](/windows/mixed-reality/using-visual-studio) enabled. For HoloLens 2 the [Windows 10 May 2020 Update or later](/windows/mixed-reality/whats-new/release-notes-may-2020) must be installed on the device. To update to the latest release on HoloLens, open the **Settings** app, go to **Update & Security**, and then select **Check for updates**.
- You need a Windows computer with <a href="https://www.visualstudio.com/downloads/" target="_blank">Visual Studio 2019</a> or later installed. Your Visual Studio installation must include the **Universal Windows Platform development** workload and the **Windows 10 SDK (10.0.18362.0 or newer)** component. You must also install <a href="https://git-scm.com/download/win" target="_blank">Git for Windows</a> and <a href="https://git-lfs.github.com/">Git LFS</a>. - You need to have Unity installed. For supported versions and required capabilities, visit the [Unity project setup page](../how-tos/setup-unity-project.md).
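Review bot: Scoping the OS requirement with "For HoloLens 2 the ... must be installed" leaves the prerequisite silent on what a first-generation HoloLens needs, and the following sentence about updating "to the latest release on HoloLens" still reads as applying to all devices. State the minimum OS version for each device generation, or say that no minimum applies to the first generation, and add a comma after "For HoloLens 2".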
static-web-apps Front Door Manual https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/static-web-apps/front-door-manual.md
Previously updated : 01/12/2022 Last updated : 07/05/2022
In this tutorial, you learn how to:
## Add Azure Front Door
+When creating an Azure Front Door profile, you must select an origin from the same subscription as the selected the Front Door.
+ 1. Navigate to the Azure home screen. 1. Select **Create a resource**. 1. Search for **Front Door**.
-1. Select **Front Door Standard/Premium**.
-
- Make sure to select the service labeled *Front Door Standard/Premium* and not the plain *Front Door* option.
+1. Select **Front Door and CDN profiles**.
1. Select **Create**.
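Review bot: the added introductory sentence contains a typo, "the same subscription as the selected the Front Door"; it should read "as the selected Front Door profile" or similar. The removed caution told readers which of two similarly named options to pick. The new step "Select **Front Door and CDN profiles**" gives no equivalent hint about which offering or tier to choose on the next screen, so consider adding one.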
In this tutorial, you learn how to:
| Endpoint name | Enter a unique name for your Front Door host. | | Origin type | Select **Custom**. | | Origin host name | Enter the hostname of your static web app that you set aside from the beginning of this tutorial. Make sure your value does not include a trailing slash or protocol. (For example, `desert-rain-04056.azurestaticapps.net`) |
+ | Origin type | Select **Custom**. |
+ | Origin host name | Enter the host name for your website. For example, `contoso.com`. |
| Caching | Check the **Enable caching** checkbox. |
- | Query string caching behavior | Select **Use Query string** from the dropdown. |
+ | WAF policy | Select **Create new** or select an existing Web Application Firewall policy from the dropdown if you want to enable this feature. |
1. Select **Review + create**.
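Review bot: the added "Origin type" and "Origin host name" rows duplicate rows that are still present in the unchanged table line above them, so the table would list both settings twice with conflicting guidance. Keep one pair. If the new "Origin host name" row is the one that stays, carry over the warning that the value must not include a protocol or trailing slash, and check that `contoso.com` is the right example for a tutorial whose origin is the static web app host name. The "WAF policy" row presents the firewall as optional ("if you want to enable this feature"); say what the profile does when no policy is selected.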
In this tutorial, you learn how to:
1. Select **Go to resource**. ## Disable cache for auth workflow+ > [!NOTE]
->The cache expiration, cache key query string and origin group override actions are deprecated. These deprecated actions can still work normally, but your rule set >cannot be changed. You need to replace them with new route configuration override action before changing your rule set.
+> The cache expiration, cache key query string and origin group override actions are deprecated. These actions can still work normally, but your rule set can't change. Replace these overrides with new route configuration override actions before changing your rule set.
Add the following settings to disable Front Door's caching policies from trying to cache authentication and authorization-related pages.
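Review bot: in the rewritten note, "your rule set can't change" loses the meaning of the removed "your rule set cannot be changed". The point is that the reader cannot edit a rule set that still contains deprecated actions, so "you can't edit your rule set until you replace them" would be clearer. The heading context line also shows the `> [!NOTE]` marker run onto the "## Disable cache for auth workflow" heading; confirm there is a blank line between them in the source file.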
synapse-analytics Concepts Data Factory Differences https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/data-integration/concepts-data-factory-differences.md
Check below table for features availability:
| | Integration Runtime Sharing | Γ£ô<br><small>*Can be shared across different data factories* | Γ£ù | | **Pipelines Activities** | SSIS Package Activity | Γ£ô | Γ£ô<br><small>*Public preview* | | | Support for Power Query Activity | Γ£ô | Γ£ù |
+| | Support for global parameters | Γ£ô | Γ£ù |
| **Template Gallery and Knowledge center** | Solution Templates | Γ£ô<br><small>*Azure Data Factory Template Gallery* | Γ£ô<br><small>*Synapse Workspace Knowledge center* | | **GIT Repository Integration** | GIT Integration | Γ£ô | Γ£ô | | **Monitoring** | Monitoring of Spark Jobs for Data Flow | Γ£ù | Γ£ô<br><small>*Leverage the Synapse Spark pools* |
synapse-analytics Tutorial Cognitive Services Sentiment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/machine-learning/tutorial-cognitive-services-sentiment.md
Sign in to the [Azure portal](https://portal.azure.com/).
You'll need a Spark table for this tutorial.
-1. Download the [FabrikamComments.csv](https://github.com/Kaiqb/KaiqbRepo0731190208/blob/master/CognitiveServices/TextAnalytics/FabrikamComments.csv) file, which contains a dataset for text analytics.
+1. Download the [FabrikamComments.csv](https://github.com/aghonaim/datasets/blob/master/FabrikamComments.csv) file, which contains a dataset for text analytics.
1. Upload the file to your Azure Synapse storage account in Data Lake Storage Gen2.
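Review bot: the replacement download link in step 1 still points at a file on the `master` branch of a personal GitHub repository (`aghonaim/datasets`), so the content readers upload to their storage account can change or disappear without any change to this article, which is presumably why the previous link had to be replaced. Host the CSV in a repository the docs team controls, or link to a specific commit so the file is immutable.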
synapse-analytics Synapse Workspace Synapse Rbac Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/synapse-workspace-synapse-rbac-roles.md
The following table describes the built-in roles and the scopes at which they ca
|Synapse Artifact User|Read access to published code artifacts and their outputs. Can create new artifacts but can't publish changes or run code without additional permissions.|Workspace |Synapse Compute Operator |Submit Spark jobs and notebooks and view logs.  Includes canceling Spark jobs submitted by any user. Requires additional use credential permissions on the workspace system identity to run pipelines, view pipeline runs and outputs. </br></br>_Can submit and cancel jobs, including jobs submitted by others</br>Can view Spark pool logs_|Workspace</br>Spark pool</br>Integration runtime| |Synapse Monitoring Operator |Read published code artifacts, including logs and outputs for notebooks and pipeline runs. Includes ability to list and view details of serverless SQL pools, Apache Spark pools, Data Explorer pools, and Integration runtimes. Requires additional permissions to run/cancel pipelines, Spark notebooks, and Spark jobs.|Workspace |
-|Synapse Credential User|Runtime and configuration-time use of secrets within credentials and linked services in activities like pipeline runs. To run pipelines, this role is required, scoped to the workspace system identity. </br></br>_Scoped to a credential, permits access to data via a linked service that is protected by the credential (also requires compute use permission) </br>Allows execution of pipelines protected by the workspace system identity credential(with additional compute use permission)_|Workspace </br>Linked Service</br>Credential
+|Synapse Credential User|Runtime and configuration-time use of secrets within credentials and linked services in activities like pipeline runs. To run pipelines, this role is required, scoped to the workspace system identity. </br></br>_Scoped to a credential, permits access to data via a linked service that is protected by the credential (may also require compute use permission) </br>Allows execution of pipelines protected by the workspace system identity credential_|Workspace </br>Linked Service</br>Credential
|Synapse Linked Data Manager|Creation and management of managed private endpoints, linked services, and credentials. Can create managed private endpoints that use linked services protected by credentials|Workspace| |Synapse User|List and view details of SQL pools, Apache Spark pools, Integration runtimes, and published linked services and credentials. Doesn't include other published code artifacts.  Can create new artifacts but can't run or publish without additional permissions. </br></br>_Can list and read Spark pools, Integration runtimes._|Workspace, Spark pool</br>Linked service </br>Credential|
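Review bot: in the Synapse Credential User row, changing "also requires compute use permission" to "may also require compute use permission" and dropping "(with additional compute use permission)" from the pipeline sentence makes the permission boundary vague. Readers granting this role need to know when the extra permission is needed. State the condition under which compute use permission is required, or link to where it is defined, rather than leaving it as "may".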
synapse-analytics Synapse Workspace Synapse Rbac https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/synapse-workspace-synapse-rbac.md
If a button or option is disabled, hovering over the button or option shows a to
## Who can assign Synapse RBAC roles?
-Only a Synapse Administrator can assign Synapse RBAC roles. A Synapse Administrator at the workspace level can grant access at any scope. A Synapse Administrator at a lower-level scope can only grant access at that scope.
+Synapse Administrators can assign Synapse RBAC roles. A Synapse Administrator at the workspace level can grant access at any scope. A Synapse Administrator at a lower-level scope can only grant access at that scope.
-When a new workspace is created, the creator is automatically given the Synapse Administrator role at workspace scope.
+When a new workspace is created, the creator is automatically given the Synapse Administrator role at workspace scope.
+
+To help you regain access to a workspace in the event that no Synapse Administrators are assigned or available to you, users with permissions to manage Azure RBAC role assignments on the workspace can also manage Synapse RBAC role assignments, allowing the addition of Synapse Administrator or other Synapse role assignments.
## Where do I manage Synapse RBAC?
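Review bot: the added recovery paragraph means anyone who can manage Azure RBAC role assignments on the workspace can grant themselves Synapse Administrator, but the section's first sentence, now "Synapse Administrators can assign Synapse RBAC roles", does not say so and the paragraph does not name the Azure permission or roles involved. Name them, and state this in the opening sentence so that readers reviewing who can administer a workspace know to audit Azure RBAC role assignments as well as Synapse ones.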
Understand the built-in [Synapse RBAC roles](./synapse-workspace-synapse-rbac-ro
Learn [how to review Synapse RBAC role assignments](./how-to-review-synapse-rbac-role-assignments.md) for a workspace.
-Learn [how to assign Synapse RBAC roles](./how-to-manage-synapse-rbac-role-assignments.md)
+Learn [how to assign Synapse RBAC roles](./how-to-manage-synapse-rbac-role-assignments.md)
virtual-desktop Configure Automatic Updates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/configure-automatic-updates.md
Title: Configure Microsoft Endpoint Configuration Manager - Azure
+ Title: Update session hosts using Microsoft Endpoint Configuration Manager to automatically deploy software updates to Azure Virtual Desktop session hosts - Azure
description: How to configure Microsoft Endpoint Configuration Manager to deploy software updates to Windows 10 Enterprise multi-session on Azure Virtual Desktop.-+ Previously updated : 06/12/2020- Last updated : 07/05/2022+
-# Configure Microsoft Endpoint Configuration Manager
+# Use Microsoft Endpoint Configuration Manager to automatically deploy software updates to Azure Virtual Desktop session hosts
-This article explains how to configure Microsoft Endpoint Configuration Manager to automatically apply updates to a Azure Virtual Desktop host running Windows 10 Enterprise multi-session.
+Azure Virtual Desktop session hosts running Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-session can be grouped together in Microsoft Endpoint Configuration Manager to automatically apply updates. A collection is created based on a query which you can then use as the target collection for a servicing plan.
-## Prerequisites
-
-To configure this setting, you'll need the following things:
+You can update Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-session with the corresponding Windows client updates. For example, you can update Windows 10 Enterprise multi-session, version 21H2 by installing the client updates for Windows 10, version 21H2.
- - Make sure you've installed the Microsoft Endpoint Configuration Manager Agent on your virtual machines.
- - Make sure your version of Microsoft Endpoint Configuration Manager is at least on branch level 1906. For best results, use branch level 1910 or higher.
-
-## Receiving updates for Windows 10 and 11 Enterprise multi-session
+## Prerequisites
-You can update Windows 10 Enterprise multi-session with the corresponding Windows 10 client updates. For example, you can update Windows 10 Enterprise multi-session, version 21H2 by installing the Windows 10, version 21H2 client updates.
+To create this query-based collection, you'll need to do the following:
-> [!NOTE]
-> Currently, you can't update Windows 10 Enterprise multi-session version 21H2 and Windows 11 Enterprise multi-session with their corresponding Windows client updates.
+ - Make sure you've installed the Microsoft Endpoint Configuration Manager Agent on your session host virtual machines (VMs) and they're assigned to a site in Configuration Manager.
+ - Make sure your version of Microsoft Endpoint Configuration Manager is at least on branch level 1910 for Windows 10, or 2107 for Windows 11.
## Create a query-based collection
-To create a collection of Windows 10 Enterprise multi-session virtual machines, a query-based collection can be used to identify the specific operating system SKU.
+You can use a query statement based on the specific operating system SKU to identify which of your devices managed by Configuration Manager are running Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-session operating systems.
-To create a collection:
+> [!TIP]
+> The operating system SKU for Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-session is **175**. You can use PowerShell to find the operating system SKU by running the following command:
+>
+> ```powershell
+> Get-WmiObject -Class Win32_OperatingSystem | FT Caption,OperatingSystemSKU
+> ```
-1. Select **Assets and Compliance**.
+To create the collection:
+
+1. In the Configuration Manager console, select **Assets and Compliance**.
2. Go to **Overview** > **Device Collections** and right-click **Device collections** and select **Create Device Collection** from the drop-down menu. 3. In the **General** tab of the menu that opens, enter a name that describes your collection in the **Name** field. In the **Comment** field, you can give additional information describing what the collection is. In **Limiting Collection**, define which machines you're including in the collection query. 4. In the **Membership Rules** tab, add a rule for your query by selecting **Add Rule**, then selecting **Query Rule**.
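Review bot: the added tip uses `Get-WmiObject -Class Win32_OperatingSystem | FT Caption,OperatingSystemSKU`. `Get-WmiObject` is not available in PowerShell 6 and later, and `FT` is an alias. Prefer `Get-CimInstance -ClassName Win32_OperatingSystem | Format-Table Caption,OperatingSystemSKU`, which works in both Windows PowerShell and current PowerShell. Separately, the new title line is long enough to read as a sentence; consider shortening it to match the H1.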
To create a collection:
6. Select **Show Query Statement**. 7. In the statement, enter the following string:
- ```syntax
+ ```WQL
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on
To create a collection:
8. Select **OK** to create the collection. 9. To check if you successfully created the collection, go to **Assets and Compliance** > **Overview** > **Device Collections**.+
+## Deploy software updates
+
+You can use an automatic deployment rule (ADR) in Microsoft Endpoint Configuration Manager to automatically approve and deploy software updates. You specify the collection you created above as the target collection for deployment to deploy these updates to your session host VMs.
+
+For more information about deploying software updates with Microsoft Endpoint Configuration Manager, see [Deploy software updates](/mem/configmgr/sum/deploy-use/deploy-software-updates). For the steps to create an ADR, see [Automatically deploy software updates](/mem/configmgr/sum/deploy-use/automatically-deploy-software-updates).
virtual-machines Ephemeral Os Disks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/ephemeral-os-disks.md
For the same example above, if you create a standard Ephemeral OS disk VM you wo
> While using ephemeral disks for Trusted Launch VMs, keys and secrets generated or sealed by the vTPM after VM creation may not be persisted for operations like reimaging and platform events like service healing. > For more information on [how to deploy a trusted launch VM](trusted-launch-portal.md)+
+## Confidential VMs using Ephemeral OS disks (preview)
+AMD-based Confidential VMs cater to high security and confidentiality requirements of customers. These VMs provide a strong, hardware-enforced boundary to help meet your security needs. There are limitations to use Confidential VMs. Check the [region](../confidential-computing/confidential-vm-overview.md#regions), [size](../confidential-computing/confidential-vm-overview.md#size-support) and [OS supported](../confidential-computing/confidential-vm-overview.md#os-support) limitations for confidential VMs.
+Virtual machine guest state (VMGS) blob contains the security information of the confidential VM.
+Confidential VMs using Ephemeral OS disks by default **1 GiB** from the **OS cache** or **temp storage** based on the chosen placement option is reserved for VMGS.The lifecycle of the VMGS blob is tied to that of the OS Disk.
+> [!Important]
+>
+> When choosing a confidential VM with full OS disk encryption before VM deployment that uses a customer-managed key (CMK). [Updating a CMK key version](../storage/common/customer-managed-keys-overview.md#update-the-key-version) or [key rotation](../key-vault/keys/how-to-configure-key-rotation.md) is not supported with Ephemeral OS disk. Confidential VMs using Ephemeral OS disks need to be deleted before updating or rotating the keys and can be re-created subsequently.
+>
+For more information on [confidential VM](../confidential-computing/confidential-vm-overview.md)
## Next steps Create a VM with ephemeral OS disk using [Azure Portal/CLI/Powershell/ARM template](ephemeral-os-disks-deploy.md).
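Review bot: two sentences in the added "Confidential VMs using Ephemeral OS disks" section do not parse. "Confidential VMs using Ephemeral OS disks by default **1 GiB** from the **OS cache** or **temp storage** ... is reserved for VMGS.The lifecycle" needs a verb structure such as "For confidential VMs using ephemeral OS disks, 1 GiB ... is reserved by default", and a space after "VMGS.". In the Important note, "When choosing a confidential VM with full OS disk encryption before VM deployment that uses a customer-managed key (CMK)." is a fragment and should be joined to the following sentence. Because the note says key version updates and rotation are unsupported and the VM must be deleted first, also say what happens if a key is rotated while such a VM exists, since automatic rotation policies are linked from the same sentence.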
virtual-machines Extensions Rmpolicy Howto Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/extensions-rmpolicy-howto-cli.md
Previously updated : 07/01/2022 Last updated : 07/05/2022
Copy and paste the following `.json` data into the file.
}, { "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
- "equals": "Microsoft.Compute"
+ "equals": "Microsoft.OSTCExtensions"
}, { "field": "Microsoft.Compute/virtualMachines/extensions/type",
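Review bot: the publisher condition changes from "Microsoft.Compute" to "Microsoft.OSTCExtensions", but the hunk does not show the values matched by the following `Microsoft.Compute/virtualMachines/extensions/type` condition. If those extension types are not published under Microsoft.OSTCExtensions, the combined rule matches nothing and the policy silently allows every extension. Confirm the type list against the new publisher and mention in the article text which publisher the example targets.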
virtual-machines Image Builder Api Update Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/image-builder-api-update-release-notes.md
Title: What's new in Azure Image Builder
-description: Learn what is new with Azure Image Builder; such as the latest release notes, known issues, bug fixes, deprecated functionality, and upcoming changes.
+ Title: What's new in Azure VM Image Builder
+description: This article offers the latest release notes, known issues, bug fixes, deprecated functionality, and upcoming changes.
-# What's new in Azure Image Builder
+# What's new in Azure VM Image Builder
**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets
-This document contains all major API changes and feature updates for the Azure Image Builder service.
+This article contains all major API changes and feature updates for the Azure VM Image Builder service.
-## API Releases
+## API releases
-### 2022-02-14
+### Version 2022-02-14
-**Improvements**:
-- [Validation Support](./linux/image-builder-json.md#properties-validate)
- - Shell (Linux) - Script or Inline
- - PowerShell (Windows) - Script or Inline, run elevated, run as system
+**Improvements**
+- [Validation support](./linux/image-builder-json.md#properties-validate)
+ - Shell (Linux): Script or inline
+ - PowerShell (Windows): Script or inline, run elevated, run as system
- Source-Validation-Only mode - [Customized staging resource group support](./linux/image-builder-json.md#properties-stagingresourcegroup)
-### 2021-10-01
+### Version 2021-10-01
-**Breaking Change**:
+**Breaking change**
-Our 2021-10-01 API introduces a change to the error schema that will be part of every future API release. Any Azure Image Builder automations you may have need to take account the new error output when switching to 2021-10-01 or newer API versions (new schema shown below). We recommend that once customers switch to the new API version (2021-10-01 and beyond), they don't revert to older versions as they'll have to change their automation again to expect the older error schema. We don't anticipate changing the error schema again in future releases.
+API version 2021-10-01 introduces a change to the error schema that will be part of every future API release. If you have any Azure VM Image Builder automations, be aware of the [new error output](#error-output-for-version-2021-10-01-and-later) when you switch to API version 2021-10-01 or later. We recommend, after you've switched to the latest API version, that you don't revert to an earlier version, because you'll have to change your automation again to produce the earlier error schema. We don't anticipate that we'll change the error schema again in future releases.
-For API versions 2020-02-14 and older, the error output will look like the following messages:
+##### **Error output for version 2020-02-14 and earlier**
``` {
For API versions 2020-02-14 and older, the error output will look like the follo
} ``` -
-For API versions 2021-10-01 and newer, the error output will look like the following messages:
+##### **Error output for version 2021-10-01 and later**
``` {
For API versions 2021-10-01 and newer, the error output will look like the follo
} ```
-**Improvements**:
+**Improvements**
- Added support for [Build VM MSIs](linux/image-builder-json.md#user-assigned-identity-for-the-image-builder-build-vm). - Added support for Proxy VM size customization.
-### 2020-02-14
--
+### Version 2020-02-14
-**Improvements:**
+**Improvements**
- Added support for creating images from the following sources:
- - Managed Image
+ - Managed image
- Azure Compute Gallery - Platform Image Repository (including Platform Image Purchase Plan) - Added support for the following customizations:
- - Shell (Linux) - Script or Inline
- - PowerShell (Windows) - Script or Inline, run elevated, run as system
+ - Shell (Linux): Script or inline
+ - PowerShell (Windows): Script or inline, run elevated, run as system
- File (Linux and Windows) - Windows Restart (Windows)
- - Windows Update (Windows) (with search criteria, filters, and update limit)
+ - Windows Update (Windows): Search criteria, filters, and update limit
- Added support for the following distribution types:
- - VHD
- - Managed Image
+ - VHD (virtual hard disk)
+ - Managed image
- Azure Compute Gallery-- **Other Features**
- - Added support for customers to use their own VNet.
- - Added support for customers to customize the build VM (VM size, OS disk size).
- - Added support for user assigned MSI (for customize/distribute steps).
- - Added support for [Gen2 images.](image-builder-overview.md#hyper-v-generation)
+- Other features:
+ - Added support for customers to use their own virtual network
+ - Added support for customers to customize the build VM (VM size, operating system disk size)
+ - Added support for user-assigned Microsoft Windows Installer (MSI) (for customize/distribute steps)
+ - Added support for [Gen2 images](image-builder-overview.md#hyper-v-generation)
### Preview APIs The following APIs are deprecated, but still supported:-- 2019-05-01-preview
+- Version 2019-05-01-preview
## Next steps
-Learn more about [Image Builder](image-builder-overview.md).
+Learn more about [VM Image Builder](image-builder-overview.md).
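Review bot: the added line "Added support for user-assigned Microsoft Windows Installer (MSI) (for customize/distribute steps)" expands the acronym incorrectly. The removed line said "user assigned MSI", and the 2021-10-01 section of the same file links "Build VM MSIs" to a user-assigned identity anchor, so MSI here refers to a managed identity, not Windows Installer. Change it to "user-assigned managed identity" and consider replacing "MSIs" in the 2021-10-01 bullet the same way so the term is consistent.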
virtual-machines Image Builder Devops Task https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/image-builder-devops-task.md
Title: "Preview: Azure Image Builder Service DevOps Task"
-description: Azure DevOps task to inject build artifacts into a VM image so you can install and configure your application and OS.
+ Title: Azure VM Image Builder service DevOps task (preview)
+description: In this article, you use an Azure DevOps task to inject build artifacts into a VM image so that you can install and configure your application and operating system.
ms.devlang: azurecli
-# Azure Image Builder Service DevOps Task (preview)
+# Azure VM Image Builder service DevOps task (preview)
**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets
-This article shows you how to use an Azure DevOps task to inject build artifacts into a VM image so you can install and configure your application and OS.
+In this article, you learn how to use an Azure DevOps task to inject build artifacts into a virtual machine (VM) image, so that you can install and configure your application and operating system.
-## DevOps Task versions
-There are two Azure VM Image Builder (AIB) DevOps Tasks:
+## DevOps task versions
-* ['Stable' AIB Task](https://marketplace.visualstudio.com/items?itemName=AzureImageBuilder.devOps-task-for-azure-image-builder), this is the latest stable build that has been tested, and telemetry shows no issues.
+At this time, there are two Azure VM Image Builder DevOps tasks:
+* [*Stable* VM Image Builder task](https://marketplace.visualstudio.com/items?itemName=AzureImageBuilder.devOps-task-for-azure-image-builder): The latest stable build that's been tested, and reports no [General Data Protection Regulation (GDPR)](https://www.microsoft.com/trust-center/privacy/gdpr-overview) issues.
-* ['Unstable' AIB Task](https://marketplace.visualstudio.com/items?itemName=AzureImageBuilder.devOps-task-for-azure-image-builder-canary), this allows us to put in the latest updates and features, allow customers to test them, before we promote it to the 'stable' task. If there are no reported issues, and our telemetry shows no issues, approximately 1 week later, we will promote the task code to 'stable'.
+
+* [*Unstable* VM Image Builder task](https://marketplace.visualstudio.com/items?itemName=AzureImageBuilder.devOps-task-for-azure-image-builder-canary): We offer a so-called *unstable* task so that you can test the latest updates and features before we release the task code as *stable*. After about a week, if there are no customer-reported or telemetry issues, we promote the task code to *stable*.
## Prerequisites > [!NOTE]
-> The AIB task does not currently support Windows Restarts, running elevated commands as Administrator, which means it is not suitable for Azure Virtual Desktop scenarios or Windows customizations that require the above. If you wish to use DevOps with Image Builder, you should nest the template into an Azure Resource Manager task, use AZ CLI or PowerShell tasks.
+> The VM Image Builder task doesn't currently support Windows Restart or running elevated commands as Administrator. That is, the task isn't suitable for Azure Virtual Desktop scenarios or Windows customizations that require those features. To use DevOps with VM Image Builder, nest the template within an Azure Resource Manager task, and use Azure CLI or PowerShell tasks.
+
+Before you begin, you must:
+
+* Install [*Stable* DevOps task from Visual Studio Marketplace](https://marketplace.visualstudio.com/items?itemName=AzureImageBuilder.devOps-task-for-azure-image-builder).
-* Install the [Stable DevOps Task from Visual Studio Marketplace](https://marketplace.visualstudio.com/items?itemName=AzureImageBuilder.devOps-task-for-azure-image-builder).
-* You must have a VSTS DevOps account, and a Build Pipeline created
-* Register and enable the Image Builder feature requirements in the subscription used by the pipelines:
- * [Az PowerShell](../windows/image-builder-powershell.md#register-features)
- * [Az CLI](../windows/image-builder.md#register-the-features)
+* Have an Azure DevOps Services (formerly Visual Studio Team Services, or VSTS) account, and a Build Pipeline created.
+
+* Register and enable the VM Image Builder feature requirements in the subscription that's used by the pipelines:
+ * [Azure PowerShell](../windows/image-builder-powershell.md#register-features)
+ * [The Azure CLI](../windows/image-builder.md#register-the-features)
-* Create a Standard Azure Storage Account in the source image Resource Group, you can use other Resource Group/Storage accounts. The storage account is used transfer the build artifacts from the DevOps task to the image.
+* Create a standard Azure storage account in the source image resource group. You can use other resource groups or storage accounts. The storage account is used transfer the build artifacts from the DevOps task to the image.
```powerShell
- # Az PowerShell
+ # Azure PowerShell
$timeInt=$(get-date -UFormat "%s") $storageAccName="aibstorage"+$timeInt $location=westus
- # create storage account and blob in resource group
+ # Create a storage account and blob in the resource group
New-AzStorageAccount -ResourceGroupName $strResourceGroup -Name $storageAccName -Location $location -SkuName Standard_LRS ``` ```azurecli
- # Az CLI
+ # The Azure CLI
location=westus scriptStorageAcc=aibstordot$(date +'%s')
- # create storage account and blob in resource group
+ # Create a storage account and blob in the resource group
az storage account create -n $scriptStorageAcc -g $strResourceGroup -l $location --sku Standard_LRS ```
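Review bot: the rewritten description of the *Stable* task replaces "telemetry shows no issues" with "reports no [General Data Protection Regulation (GDPR)] issues", which changes a statement about build quality into a privacy compliance claim that the removed text did not make. Restore the telemetry wording unless the compliance claim is intended and reviewed. In the same prerequisites region, the rewritten note says to "nest the template within an Azure Resource Manager task, and use Azure CLI or PowerShell tasks", where the removed text offered these as alternatives; "or" is needed. The added storage account bullet also keeps the typo "is used transfer".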
-## Add Task to Release Pipeline
+## Add a task to the release pipeline
+
+1. Select **Release Pipeline** > **Edit**.
-Select **Release Pipeline** > **Edit**
+1. On the User Agent, select the plus sign (+) to add and search for **Image Builder**.
-On the User Agent, select *+* to add then search for **Image Builder**. Select **Add**.
+1. Select **Add**.
-Set the following task properties:
+In the following sections, set the task properties.
-### Azure Subscription
+### Azure subscription
-Select from the drop-down menu which subscription you want the Image Builder to run. Use the same subscription where your source images are located and where the images are to be distributed. You need to authorize the image builder contributor access to the Subscription or Resource Group.
+In the dropdown list, select the subscription that you want VM Image Builder to run. Use the subscription where your source images are stored and the images are to be distributed. You need to grant the VM Image Builder contributor access to the subscription or resource group.
-### Resource Group
+### Resource group
-Use the resource group where the temporary image template artifact will be stored. When creating a template artifact, an additional temporary Image Builder resource group `IT_<DestinationResourceGroup>_<TemplateName>_guid` is created. The temporary resource group stores the image metadata, such as scripts. At the end of the task, the image template artifact and temporary Image Builder resource group is deleted.
+Use the resource group where the temporary image template artifact will be stored. When you create a template artifact, another temporary VM Image Builder resource group, `IT_<DestinationResourceGroup>_<TemplateName>_guid`, is created. The temporary resource group stores the image metadata, such as scripts. At the end of the task, the image template artifact and temporary VM Image Builder resource group is deleted.
### Location
-The location is the region where the Image Builder will run. Only a set number of [regions](../image-builder-overview.md#regions) are supported. The source images must be present in this location. For example, if you are using Azure Compute Gallery, a replica must exist in that region.
+The location is the region where VM Image Builder will run. Only a set number of [regions](../image-builder-overview.md#regions) are supported. The source images must be present in this location. For example, if you're using Azure Compute Gallery (formerly Shared Image Gallery), a replica must exist in that region.
-### Managed Identity (Required)
-Image Builder requires a Managed Identity, which it uses to read source custom images, connect to Azure Storage, and create custom images. See [Learn about Azure Image Builder](../image-builder-overview.md#permissions) for more details.
+### Managed identity (required)
+VM Image Builder requires a managed identity, which it uses to read source custom images, connect to Azure Storage, and create custom images. For more information, see [Learn about VM Image Builder](../image-builder-overview.md#permissions).
-### VNET Support
+### Virtual network support
-The VM that is created can be configured to be in a specific VNET.
-Provide the resource id of a pre-existing subnet in the 'VNet Configuration (Optional)' input field when configuring the task.
-Omit if no specific virtual network needs to be used. Review https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking for more information.
+You can configure the created VM to be in a specific virtual network. When you configure the task, provide the resource ID of a pre-existing subnet in the **VNet Configuration (Optional)** input field. Omit the resource ID if no specific virtual network needs to be used. For more information, see [Azure VM Image Builder service networking options](image-builder-networking.md).
### Source
-The source images must be of the supported Image Builder OSs. You can choose existing custom images in the same region as Image Builder is running from:
-* Managed Image - You need to pass in the resourceId, for example:
+The source images must be of the supported VM Image Builder operating systems. You can choose existing custom images in the same region that VM Image Builder is running from:
+
+* Managed Image: Pass in the resource ID. For example:
```json /subscriptions/<subscriptionID>/resourceGroups/<rgName>/providers/Microsoft.Compute/images/<imageName> ```
-* Azure Azure Compute Gallery - You need to pass in the resourceId of the image version, for example:
+
+* Compute Gallery: Pass in the resource ID of the image version. For example:
```json /subscriptions/$subscriptionID/resourceGroups/$sigResourceGroup/providers/Microsoft.Compute/galleries/$sigName/images/$imageDefName/versions/<versionNumber> ```
- If you need to get the latest Azure Compute Gallery (formerly known as Shared Image Gallery) version, you can have an AZ PowerShell or AZ CLI task before that will get the latest version and set a DevOps variable. Use the variable in the AZ VM Image Builder DevOps task. For more information, see the [examples](https://github.com/danielsollondon/azvmimagebuilder/tree/master/solutions/8_Getting_Latest_SIG_Version_ResID#getting-the-latest-image-version-resourceid-from-shared-image-gallery).
+ If you need to get the latest Compute Gallery version, use an Azure PowerShell or Azure CLI task to get it and set a DevOps variable. Use the variable in the VM Image Builder DevOps task. For more information, see the examples in [Get the latest image version resource ID](https://github.com/danielsollondon/azvmimagebuilder/tree/master/solutions/8_Getting_Latest_SIG_Version_ResID#getting-the-latest-image-version-resourceid-from-shared-image-gallery).
-* (Marketplace) Base Image
- There is a drop-down list of popular images, these will always use the 'latest' version of the supported OS's.
+* (Marketplace) Base image: Use the dropdown list of popular images, which always uses the latest version of the supported operating systems.
- If the base image is not in the list, you can specify the exact image using `Publisher:Offer:Sku`.
+ If the base image isn't in the list, you can specify the exact image by using `Publisher:Offer:Sku`.
- Base Image Version (optional) - You can supply the version of the image you want to use, default is `latest`.
+ (Optional) Base image version: You can supply the version of the image that you want to use. The default version is `latest`.
### Customize
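Review bot: the Base image bullets say that the dropdown always uses the latest version and that the optional version defaults to `latest`, but they don't mention the consequence: two runs of the same pipeline can build from different base image versions. Suggest adding a sentence that recommends setting the base image version explicitly when a build has to be repeatable or traceable to a known base.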
+The following sections discuss various ways to customize tasks.
+ #### Provisioner
-Initially, two customizers are supported - **Shell** and **PowerShell**. Only inline is supported. If you want to download scripts, then you can pass inline commands to do so.
+Initially, two customizers are supported, Shell and PowerShell. Only inline is supported. If you want to download scripts, you can pass inline commands to do so.
+
+For your operating system, select PowerShell or Shell.
-For your OS, select PowerShell or Shell.
+#### The Windows Update task
-#### Windows Update Task
+For Windows only, the task runs Windows Update at the end of the customizations. It also handles the required reboots.
-For Windows only, the task runs Windows Update at the end of the customizations. It handles the required reboots.
+The task runs the following Windows Update configuration:
-The following Windows Update configuration is executed:
```json "type": "WindowsUpdate", "searchCriteria": "IsInstalled=0",
The following Windows Update configuration is executed:
"exclude:$_.Title -like '*Preview*'", "include:$true" ```
-It installs important and recommended Windows Updates that are not preview.
+The task installs important and recommended Windows Updates that aren't *preview* versions.
-#### Handling Reboots
-Currently the DevOps task does not have support for rebooting Windows builds, if you try to reboot with PowerShell code, the build will fail. However, you can use code to reboot Linux builds.
+#### Handling reboots
-#### Build Path
+The DevOps task doesn't currently support rebooting Windows builds. If you try to reboot with PowerShell code, the build fails. However, you can use code to reboot Linux builds.
-The task is designed to be able to inject DevOps Build release artifacts into the image. To make this work, you need to set up a build pipeline. In the setup of the release pipeline, you must add the repo of the build artifacts.
+#### Build path
+The task is designed to be able to inject DevOps Build release artifacts into the image. To make this work, you need to set up a build pipeline. In the release pipeline setup, add the repo of the build artifacts.
-Select the **Build Path** button to choose the build folder you want to be placed on the image. The Image Builder task copies all files and directories within it. When the image is being created, Image Builder deploys the files and directories into different paths, depending on OS.
+
+Select the **Build Path** button to choose the build folder that you want to be placed on the image. The VM Image Builder task copies all the files and directories within it. When the image is being created, VM Image Builder deploys the files and directories into different paths, depending on the operating system.
> [!IMPORTANT]
-> When adding a repo artifact, you may find the directory is prefixed with an underscore *_*. The underscore can cause issues with the inline commands. Use the appropriate quotes in the commands.
+> When you're adding a repo artifact, you might find that the directory name is prefixed with an underscore character (_). The underscore can cause issues with the inline commands. Be sure to use the appropriate quotation marks in the commands.
> The following example explains how this works: -
-* Windows - Files exist in `C:\`. A directory named `buildArtifacts` is created which includes the `webapp` directory.
+* For Windows: Files exist in the *C:* drive. A directory named *buildArtifacts* is created, which includes the *webapp* directory.
-* Linux - Files exist in `/tmp`. The `webapp` directory is created which includes all files and directories. You must move the files from this directory. Otherwise, they will be deleted since it is in the temporary directory.
+* For Linux: Files exist in the */tmp* directory. The *webapp* directory is created, which includes all the files and directories. Because this is a temporary directory, you must move the files out of it. Otherwise, they'll be deleted.
#### Inline customization script
-* Windows - You can enter PowerShell inline commands separated by commas. If you want to run a script in your build directory, you can use:
+* For Windows: You can enter PowerShell inline commands, separated by commas. If you want to run a script in your build directory, you can use:
```PowerShell & 'c:\buildArtifacts\webapp\webconfig.ps1' ```
- You can reference multiple scripts, or add more commands, for example:
+ You can reference multiple scripts or add more commands. For example:
```PowerShell & 'c:\buildArtifacts\webapp\webconfig.ps1' & 'c:\buildArtifacts\webapp\installAgent.ps1' ```
-* Linux - On Linux systems the build artifacts are put into the `/tmp` directory. However, on many Linux OSs, on a reboot, the /tmp directory contents are deleted. If you want the artifacts to exist in the image, you must create another directory and copy them over. For example:
+* For Linux: The build artifacts are put into the */tmp* directory. However, on many Linux operating systems, on a reboot, the */tmp* directory contents are deleted. If you want the artifacts to exist in the image, you must create another directory and copy them over. For example:
```bash sudo mkdir /lib/buildArtifacts sudo cp -r "/tmp/_ImageBuilding/webapp" /lib/buildArtifacts/. ```
- If you are ok using the "/tmp" directory, then you can use the code below to execute the script.
+ If you're OK with using the */tmp* directory, you can run the script by using the following code:
```bash
- # grant execute permissions to execute scripts
+ # Grant execute permissions to run scripts
sudo chmod +x "/tmp/_ImageBuilding/webapp/coreConfig.sh" echo "running script" sudo . "/tmp/AppsAndImageBuilderLinux/_WebApp/coreConfig.sh"
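Review bot: the Linux run example under the reworded */tmp* sentence marks `/tmp/_ImageBuilding/webapp/coreConfig.sh` executable but then runs `/tmp/AppsAndImageBuilderLinux/_WebApp/coreConfig.sh`, so the `chmod` and the invocation point at different files. Use the same path in both commands. The invocation `sudo . "<path>"` also can't work as written, because `.` is a shell builtin and not a program that `sudo` can start; call the script directly (`sudo "<path>"`) or through the shell (`sudo bash "<path>"`).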
The following example explains how this works:
#### What happens to the build artifacts after the image build? > [!NOTE]
-> Image Builder does not automatically remove the build artifacts, it is strongly suggested that you always have code to remove the build artifacts.
+> VM Image Builder doesn't automatically remove the build artifacts. We strongly suggest that you always use code to remove the build artifacts.
>
-* Windows - Image builder deploys files to the `c:\buildArtifacts` directory. The directory is persisted you must remove the directory. You can remove it in the script you execute. For example:
+* For Windows: VM Image Builder deploys files to the *C:\buildArtifacts* directory. Because the directory is persisted, you must remove it by running a script. For example:
```PowerShell # Clean up buildArtifacts directory
The following example explains how this works:
Remove-Item -Path "C:\buildArtifacts" -Force ```
-* Linux - The build artifacts are put into the `/tmp` directory. However, on many Linux OSs, on a reboot, the `/tmp` directory contents are deleted. It is suggested that you have code to remove the contents and not rely on the OS to remove the contents. For example:
+* For Linux: The build artifacts are put into the */tmp* directory. However, on many Linux operating systems, the */tmp* directory contents are deleted on reboot. We suggest that you use code to remove the contents and not rely on the operating system to remove the contents. For example:
```bash sudo rm -R "/tmp/AppsAndImageBuilderLinux"
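Review bot: the cleanup examples don't match the paths used earlier in the article. The Linux example removes `/tmp/AppsAndImageBuilderLinux`, while the copy example stages artifacts under `/tmp/_ImageBuilding/webapp` and copies them to `/lib/buildArtifacts`, so a reader who follows both leaves those artifacts in the image. In the Windows example, `Remove-Item -Path "C:\buildArtifacts" -Force` has no `-Recurse`, and the text says the directory contains *webapp*; PowerShell asks for confirmation before it removes a directory that has children, which an unattended build can't answer. Suggest aligning the paths and adding `-Recurse`.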
The following example explains how this works:
#### Total length of image build
-Total length cannot be changed in the DevOps pipeline task yet. It uses the default of 240 minutes. If you want to increase the [buildTimeoutInMinutes](./image-builder-json.md#properties-buildtimeoutinminutes), then you can use an AZ CLI task in the Release Pipeline. Configure the task to copy a template and submit it. For an example, see this [solution](https://github.com/danielsollondon/azvmimagebuilder/tree/master/solutions/4_Using_ENV_Variables#using-environment-variables-and-parameters-with-image-builder), or use Az PowerShell.
+Total length can't be changed in the DevOps pipeline task yet. It uses the default of 240 minutes. If you want to increase the [buildTimeoutInMinutes](./image-builder-json.md#properties-buildtimeoutinminutes), you can use an Azure CLI task in the release pipeline. Configure the task to copy a template and submit it. For an example solution, see [Use environment variables and parameters with VM Image Builder](https://github.com/danielsollondon/azvmimagebuilder/tree/master/solutions/4_Using_ENV_Variables#using-environment-variables-and-parameters-with-image-builder), or use Azure PowerShell.
-#### Storage Account
+#### Storage account
-Select the storage account you created in the prerequisites. If you do not see it in the list, Image Builder does not have permissions to it.
+Select the storage account you created in the prerequisites. If you don't see it in the list, VM Image Builder doesn't have permissions to it.
-When the build starts, Image Builder will create a container called `imagebuilder-vststask`. The container is where the build artifacts from the repo are stored.
+When the build starts, VM Image Builder creates a container called *imagebuilder-vststask*, where the build artifacts from the repo are stored.
> [!NOTE] > You need to manually delete the storage account or container after each build.
When the build starts, Image Builder will create a container called `imagebuilde
### Distribute
-There are 3 distribute types supported.
+The following three distribute types are supported.
+
+#### Managed image
-#### Managed Image
+* Resource ID:
-* ResourceID:
```bash /subscriptions/<subscriptionID>/resourceGroups/<rgName>/providers/Microsoft.Compute/images/<imageName> ```
There are 3 distribute types supported.
#### Azure Compute Gallery
-The Azure Compute Gallery **must** already exist.
+The Compute Gallery must already exist.
+
+* Resource ID:
-* ResourceID:
```bash /subscriptions/<subscriptionID>/resourceGroups/<rgName>/providers/Microsoft.Compute/galleries/<galleryName>/images/<imageDefName> ```
-* Regions: list of regions, comma separated. For example, westus, eastus, centralus
+* Regions: A list of regions, comma separated. For example,`westus`, `eastus`, `centralus`.
+
+#### Virtual hard disk
-#### VHD
+You can't pass any values to this. VM Image Builder emits the virtual hard disk VHD to the temporary VM Image Builder resource group, `IT_<DestinationResourceGroup>_<TemplateName>`, in the *vhds* container. When you start the release build, VM Image Builder emits logs. When VM Image Builder has finished, it emits the VHD URL.
-You cannot pass any values to this, Image Builder will emit the VHD to the temporary Image Builder resource group, `IT_<DestinationResourceGroup>_<TemplateName>`, in the *vhds* container. When you start the release build, image builder emits logs. When it has finished, it will emit the VHD URL.
+### Optional settings
-### Optional Settings
+You can override the [VM size](image-builder-json.md#vmprofile) setting from its default size of *Standard_D1_v2*. You might want to do so to reduce total customization time. Or you might want to create images that depend on certain VM sizes, such as GPU (graphics processing unit), HPC (high-performance computing), and so on.
-* [VM Size](image-builder-json.md#vmprofile) - You can override the VM size, from the default of *Standard_D1_v2*. You may override to reduce total customization time, or because you want to create the images that depend on certain VM sizes, such as GPU / HPC etc.
+## How the task works
-## How it works
+When you create the release, the task creates a container in the storage account, named *imagebuilder-vststask*. It zips (compresses) and uploads your build artifacts and creates a shared access signature token for the zip file.
-When you create the release, the task creates a container in the storage account, named *imagebuilder-vststask*. It zips and uploads your build artifacts and creates a SAS Token for the zip file.
+The task uses the properties that are passed to the task to create the VM Image Builder template artifact. The task does the following:
-The task uses the properties passed to the task to create the Image Builder Template artifact. The task does the following:
-* Downloads the build artifact zip file and any other associated scripts. The files are saved in a storage account in the temporary Image Builder resource group `IT_<DestinationResourceGroup>_<TemplateName>`.
-* Creates a template prefixed *t_* and a 10-digit monotonic integer. The template is saved to the resource group you selected. The template exists for the duration of the build in the resource group.
+* Downloads the build artifact zip file and any other associated scripts. The files are saved in a storage account in the temporary VM Image Builder resource group `IT_<DestinationResourceGroup>_<TemplateName>`.
+
+* Creates a template that's prefixed with *t_* and a 10-digit monotonic integer. The template is saved to the resource group that you selected, and it exists for the duration of the build in the resource group.
Example output:
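Review bot: the "How the task works" paragraph now spells out "shared access signature token", but it still doesn't state the token's permissions or expiry, and the storage account note says the container has to be deleted manually after each build. Suggest documenting the token's scope and lifetime, so readers know how long the uploaded artifact zip stays reachable if the container isn't cleaned up. Two wording fixes in the same block: add a space after "For example," in the Regions bullet, and write "virtual hard disk (VHD)" instead of "virtual hard disk VHD".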
When the image build starts, the run status is reported in the release logs:
starting run template... ```
-When the image build completes, you see output similar to following text:
+When the image build finishes, the output is similar to following text:
```text 2019-05-06T12:49:52.0558229Z starting run template...
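Review bot: the new sentence "the output is similar to following text" is missing an article; it should read "similar to the following text".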
When the image build completes, you see output similar to following text:
2019-05-06T13:38:37.4884068Z delete template: Succeeded ```
-The image template and `IT_<DestinationResourceGroup>_<TemplateName>` is deleted.
+The image template and `IT_<DestinationResourceGroup>_<TemplateName>` are deleted.
+
+You can take the `$(imageUri)` Azure DevOps Services (formerly Visual Studio Team Services, or VSTS) variable and use it in the next task or just use the value and build a VM.
-You can take the '$(imageUri)' VSTS variable and use it in the next task or just use the value and build a VM.
+## Output DevOps variables
-## Output DevOps Variables
+Here are the publisher, offer, SKU, and version of the source marketplace image:
-Pub/offer/SKU/Version of the source marketplace image:
-* $(pirPublisher)
-* $(pirOffer)
-* $(pirSku)
-* $(pirVersion)
+* `$(pirPublisher)`
+* `$(pirOffer)`
+* `$(pirSku)`
+* `$(pirVersion)`
-Image URI - The ResourceID of the distributed image:
-* $(imageUri)
+Here's the image URI, which is the resource ID of the distributed image:
+
+* `$(imageUri)`
## FAQ
-### Can I use an existing image template I have already created, outside of DevOps?
+**Can I use an existing image template that I've already created, outside of DevOps?**
-Currently, not at this time.
+Not at this time.
-### Can I specify the image template name?
+**Can I specify the image template name?**
No. A unique template name is used and then deleted.
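Review bot: replacing the `###` question headings in the FAQ with bold text removes their heading anchors, so any existing deep link to a single question stops resolving and the questions drop out of the page outline. If the change is intentional for style, say so in the commit description; otherwise keep the `###` headings and update only the wording.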
-### The image builder failed. How can I troubleshoot?
+**The VM Image Builder task failed. How can I troubleshoot the issue?**
-If there is a build failure, the DevOps task does not delete the staging resource group. You can access the staging resource group that contains the build customization log.
+If there's a build failure, the DevOps task doesn't delete the staging resource group. You can access the staging resource group that contains the build customization log.
-You will see an error in the DevOps log for the VM Image Builder task, and see the customization.log location. For example:
+You'll see an error in the DevOps log for the VM Image Builder task, and the message will contain the *customization.log* location. For example:
-For more information on troubleshooting, see [Troubleshoot Azure Image Builder Service](image-builder-troubleshoot.md).
+For more information, see [Troubleshoot the VM Image Builder service](image-builder-troubleshoot.md).
-After investigating the failure, you can delete the staging resource group. First, delete the Image Template Resource artifact. The artifact is prefixed with *t_* and can be found in the DevOps task build log:
+After you've investigated the failure, you can delete the staging resource group. First, delete the VM Image Builder template resource artifact. The artifact is prefixed with *t_*, and you can find it in the DevOps task build log:
```text ...
template name: t_1556938436xxx
```
-The Image Template resource artifact is in the resource group specified initially in the task. When you're done troubleshooting delete the artifact. If deleting using the Azure portal, within the resource group, select **Show Hidden Types**, to view the artifact.
+The VM Image Builder template resource artifact is in the resource group that was specified initially in the task. When you're done troubleshooting, delete the artifact. If you're deleting it by using the Azure portal, within the resource group, select **Show Hidden Types** to view the artifact.
## Next steps
-For more information, see [Azure Image Builder overview](../image-builder-overview.md).
-
+For more information, see [VM Image Builder overview](../image-builder-overview.md).
virtual-machines Image Builder Gallery Update Image Version https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/image-builder-gallery-update-image-version.md
Title: Create a new VM image version from an existing image version using Azure Image Builder
-description: Create a new VM image version from an existing image version using Azure Image Builder in Linux.
+ Title: Create a new VM image version from an existing image version by using Azure VM Image Builder in Linux
+description: In this article, you'll learn how to create a new VM image version from an existing image version by using VM Image Builder in Linux.
-# Create a new VM image version from an existing image version using Azure Image Builder in Linux
+# Create a new VM image from an existing image by using Azure VM Image Builder in Linux
**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets
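Review bot: the new H1 reads "Create a new VM image from an existing image", while the new `Title` metadata and the intro paragraph still describe creating a new image *version* from an existing image version. The article updates a gallery image version, so keep "image version" in the H1 so that title, description and heading agree.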
-This article shows you how to take an existing image version in an [Azure Compute Gallery](../shared-image-galleries.md) (formerly known as Shared Image Gallery), update it, and publish it as a new image version to the gallery.
-
-We will be using a sample .json template to configure the image. The .json file we are using is here: [helloImageTemplateforSIGfromSIG.json](https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/2_Creating_a_Custom_Linux_Shared_Image_Gallery_Image_from_SIG/helloImageTemplateforSIGfromSIG.json).
+In this article, you learn how to update an existing image version in an [Azure Compute Gallery](../shared-image-galleries.md) (formerly Shared Image Gallery) and publish it to the gallery as a new image version.
+To configure the image, you use a sample JSON template, [helloImageTemplateforSIGfromSIG.json](https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/2_Creating_a_Custom_Linux_Shared_Image_Gallery_Image_from_SIG/helloImageTemplateforSIGfromSIG.json).
## Register the features
-To use Azure Image Builder, you need to register the feature.
-Check your registration.
+To use VM Image Builder, you need to register the features.
-```azurecli-interactive
-az provider show -n Microsoft.VirtualMachineImages | grep registrationState
-az provider show -n Microsoft.KeyVault | grep registrationState
-az provider show -n Microsoft.Compute | grep registrationState
-az provider show -n Microsoft.Storage | grep registrationState
-az provider show -n Microsoft.Network | grep registrationState
-```
+1. Check your provider registrations. Make sure that each one returns *Registered*.
-If they do not say registered, run the following:
+ ```azurecli-interactive
+ az provider show -n Microsoft.VirtualMachineImages | grep registrationState
+ az provider show -n Microsoft.KeyVault | grep registrationState
+ az provider show -n Microsoft.Compute | grep registrationState
+ az provider show -n Microsoft.Storage | grep registrationState
+ az provider show -n Microsoft.Network | grep registrationState
+ ```
-```azurecli-interactive
-az provider register -n Microsoft.VirtualMachineImages
-az provider register -n Microsoft.Compute
-az provider register -n Microsoft.KeyVault
-az provider register -n Microsoft.Storage
-az provider register -n Microsoft.Network
-```
+1. If they don't return *Registered*, register the providers by running the following commands:
+ ```azurecli-interactive
+ az provider register -n Microsoft.VirtualMachineImages
+ az provider register -n Microsoft.Compute
+ az provider register -n Microsoft.KeyVault
+ az provider register -n Microsoft.Storage
+ az provider register -n Microsoft.Network
+ ```
## Set variables and permissions
-If you used [Create an image and distribute to an Azure Compute Gallery](image-builder-gallery.md) to create your Azure Compute Gallery, you've already created some of the variables we need. If not, please setup some variables to be used for this example.
--
-```console
-# Resource group name
-sigResourceGroup=ibLinuxGalleryRG
-# Gallery location
-location=westus2
-# Additional region to replicate the image version to
-additionalregion=eastus
-# Name of the Azure Compute Gallery
-sigName=myIbGallery
-# Name of the image definition to use
-imageDefName=myIbImageDef
-# image distribution metadata reference name
-runOutputName=aibSIGLinuxUpdate
-```
-
-Create a variable for your subscription ID.
-
-```console
-subscriptionID=$(az account show --query id --output tsv)
-```
-
-Get the image version that you want to update.
-
-```azurecli
-sigDefImgVersionId=$(az sig image-version list \
- -g $sigResourceGroup \
- --gallery-name $sigName \
- --gallery-image-definition $imageDefName \
- --subscription $subscriptionID --query [].'id' -o tsv)
-```
+If you've already created an Azure Compute Gallery by using [Create an image and distribute it to an Azure Compute Gallery](image-builder-gallery.md), you've already created some of the variables you need.
+
+1. If you haven't already created the variables, run the following commands:
+
+ ```console
+ # Resource group name
+ sigResourceGroup=ibLinuxGalleryRG
+ # Gallery location
+ location=westus2
+ # Additional region to replicate the image version to
+ additionalregion=eastus
+ # Name of the Azure Compute Gallery
+ sigName=myIbGallery
+ # Name of the image definition to use
+ imageDefName=myIbImageDef
+ # image distribution metadata reference name
+ runOutputName=aibSIGLinuxUpdate
+ ```
+
+1. Create a variable for your subscription ID:
+
+ ```console
+ subscriptionID=$(az account show --query id --output tsv)
+ ```
+
+1. Get the image version that you want to update:
+
+ ```azurecli
+ sigDefImgVersionId=$(az sig image-version list \
+ -g $sigResourceGroup \
+ --gallery-name $sigName \
+ --gallery-image-definition $imageDefName \
+ --subscription $subscriptionID --query [].'id' -o tsv)
+ ```
## Create a user-assigned identity and set permissions on the resource group
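Review bot: step 3 of "Set variables and permissions" is introduced as "Get the image version that you want to update", but `az sig image-version list ... --query [].'id' -o tsv` returns the ID of every version in the image definition. With more than one version in the gallery, `sigDefImgVersionId` holds several lines and the later `sed` substitution of `<sigDefImgVersionId>` breaks. Suggest selecting a single version explicitly, and quoting the `--query` expression and the variable expansions.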
-As you had set the user-identity up in the previous example, you just need to get the Resource ID of it, this will then be appended to the template.
+
+You've set up the user identity in an earlier example, so now you need to get the resource ID, which will be appended to the template.
```azurecli-interactive #get identity used previously imgBuilderId=$(az identity list -g $sigResourceGroup --query "[?contains(name, 'aibBuiUserId')].id" -o tsv) ```
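Review bot: the reworded lead-in says to get "the resource ID" without saying that it is the user-assigned identity's, and the command selects it with `contains(name, 'aibBuiUserId')`, which returns every identity in the resource group whose name contains that string. Because this ID decides which identity the build runs as, suggest naming the identity in the sentence and noting that the query has to return exactly one result before the value is written into the template.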
-If you already have your own Azure Compute Gallery, and did not follow the previous example, you will need to assign permissions for Image Builder to access the Resource Group, so it can access the gallery. Please review the steps in the [Create an image and distribute to an Azure Compute Gallery](image-builder-gallery.md) example.
+If you already have an Azure Compute Gallery but didn't set it up by following an earlier example, you need to assign permissions for VM Image Builder to access the resource group so that it can access the gallery. For more information, see [Create an image and distribute it to an Azure Compute Gallery](image-builder-gallery.md).
+## Modify the helloImage example
-## Modify helloImage example
-You can review the example we are about to use by opening the .json file here: [helloImageTemplateforSIGfromSIG.json](https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/2_Creating_a_Custom_Linux_Shared_Image_Gallery_Image_from_SIG/helloImageTemplateforSIGfromSIG.json) along with the [Image Builder template reference](image-builder-json.md).
+You can review the JSON example you're about to use at [helloImageTemplateforSIGfromSIG.json](https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/2_Creating_a_Custom_Linux_Shared_Image_Gallery_Image_from_SIG/helloImageTemplateforSIGfromSIG.json). For information about the JSON file, see [Create an Azure VM Image Builder template](image-builder-json.md).
+1. Download the JSON example, as shown in [Create a Linux image and distribute it to an Azure Compute Gallery by using the Azure CLI](image-builder.md).
-Download the .json example and configure it with your variables.
+1. Configure the JSON with your variables:
-```console
-curl https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/8_Creating_a_Custom_Linux_Shared_Image_Gallery_Image_from_SIG/helloImageTemplateforSIGfromSIG.json -o helloImageTemplateforSIGfromSIG.json
-sed -i -e "s/<subscriptionID>/$subscriptionID/g" helloImageTemplateforSIGfromSIG.json
-sed -i -e "s/<rgName>/$sigResourceGroup/g" helloImageTemplateforSIGfromSIG.json
-sed -i -e "s/<imageDefName>/$imageDefName/g" helloImageTemplateforSIGfromSIG.json
-sed -i -e "s/<sharedImageGalName>/$sigName/g" helloImageTemplateforSIGfromSIG.json
-sed -i -e "s%<sigDefImgVersionId>%$sigDefImgVersionId%g" helloImageTemplateforSIGfromSIG.json
-sed -i -e "s/<region1>/$location/g" helloImageTemplateforSIGfromSIG.json
-sed -i -e "s/<region2>/$additionalregion/g" helloImageTemplateforSIGfromSIG.json
-sed -i -e "s/<runOutputName>/$runOutputName/g" helloImageTemplateforSIGfromSIG.json
-sed -i -e "s%<imgBuilderId>%$imgBuilderId%g" helloImageTemplateforSIGfromSIG.json
-```
+ ```console
+ curl https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/8_Creating_a_Custom_Linux_Shared_Image_Gallery_Image_from_SIG/helloImageTemplateforSIGfromSIG.json -o helloImageTemplateforSIGfromSIG.json
+ sed -i -e "s/<subscriptionID>/$subscriptionID/g" helloImageTemplateforSIGfromSIG.json
+ sed -i -e "s/<rgName>/$sigResourceGroup/g" helloImageTemplateforSIGfromSIG.json
+ sed -i -e "s/<imageDefName>/$imageDefName/g" helloImageTemplateforSIGfromSIG.json
+ sed -i -e "s/<sharedImageGalName>/$sigName/g" helloImageTemplateforSIGfromSIG.json
+ sed -i -e "s%<sigDefImgVersionId>%$sigDefImgVersionId%g" helloImageTemplateforSIGfromSIG.json
+ sed -i -e "s/<region1>/$location/g" helloImageTemplateforSIGfromSIG.json
+ sed -i -e "s/<region2>/$additionalregion/g" helloImageTemplateforSIGfromSIG.json
+ sed -i -e "s/<runOutputName>/$runOutputName/g" helloImageTemplateforSIGfromSIG.json
+ sed -i -e "s%<imgBuilderId>%$imgBuilderId%g" helloImageTemplateforSIGfromSIG.json
+ ```
## Create the image
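Review bot: in "Modify the helloImage example", the new step 1 sends the reader to another article to download the JSON example, but step 2 still begins with the `curl` download, so one of the two is redundant. The `curl` URL also points at `quickquickstarts/8_Creating_a_Custom_Linux_Shared_Image_Gallery_Image_from_SIG/`, while both links to the same file in the article text use `quickquickstarts/2_Creating_a_Custom_Linux_Shared_Image_Gallery_Image_from_SIG/`; the paths should agree. Suggest dropping step 1 or the `curl` line and using one path throughout.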
-Submit the image configuration to the VM Image Builder Service.
-
-```azurecli-interactive
-az resource create \
- --resource-group $sigResourceGroup \
- --properties @helloImageTemplateforSIGfromSIG.json \
- --is-full-object \
- --resource-type Microsoft.VirtualMachineImages/imageTemplates \
- -n helloImageTemplateforSIGfromSIG01
-```
+1. Submit the image configuration to the VM Image Builder service:
-Start the image build.
+ ```azurecli-interactive
+ az resource create \
+ --resource-group $sigResourceGroup \
+ --properties @helloImageTemplateforSIGfromSIG.json \
+ --is-full-object \
+ --resource-type Microsoft.VirtualMachineImages/imageTemplates \
+ -n helloImageTemplateforSIGfromSIG01
+ ```
-```azurecli-interactive
-az resource invoke-action \
- --resource-group $sigResourceGroup \
- --resource-type Microsoft.VirtualMachineImages/imageTemplates \
- -n helloImageTemplateforSIGfromSIG01 \
- --action Run
-```
+1. Start the image build:
-Wait until the image has been built and replication before moving on to the next step.
+ ```azurecli-interactive
+ az resource invoke-action \
+ --resource-group $sigResourceGroup \
+ --resource-type Microsoft.VirtualMachineImages/imageTemplates \
+ -n helloImageTemplateforSIGfromSIG01 \
+ --action Run
+ ```
+Wait for the image to be built and replicated before you move along to the next step.
## Create the VM
-```azurecli-interactive
-az vm create \
- --resource-group $sigResourceGroup \
- --name aibImgVm001 \
- --admin-username azureuser \
- --location $location \
- --image "/subscriptions/$subscriptionID/resourceGroups/$sigResourceGroup/providers/Microsoft.Compute/galleries/$sigName/images/$imageDefName/versions/latest" \
- --generate-ssh-keys
-```
+1. Create the VM by doing the following:
-Create an SSH connection to the VM using the public IP address of the VM.
+ ```azurecli-interactive
+ az vm create \
+ --resource-group $sigResourceGroup \
+ --name aibImgVm001 \
+ --admin-username azureuser \
+ --location $location \
+ --image "/subscriptions/$subscriptionID/resourceGroups/$sigResourceGroup/providers/Microsoft.Compute/galleries/$sigName/images/$imageDefName/versions/latest" \
+ --generate-ssh-keys
+ ```
-```console
-ssh azureuser@<pubIp>
-```
+1. Create a Secure Shell (SSH) connection to the VM by using the public IP address of the VM.
-You should see the image was customized with a "Message of the Day" as soon as your SSH connection is established.
+ ```console
+ ssh azureuser@<pubIp>
+ ```
-```output
-*******************************************************
-** This VM was built from the: **
-** !! AZURE VM IMAGE BUILDER Custom Image !! **
-** You have just been Customized :-) **
-*******************************************************
-```
+ After the SSH connection is established, you should receive a "Message of the Day" saying that the image was customized:
-Type `exit` to close the SSH connection.
+ ```output
+ *******************************************************
+ ** This VM was built from the: **
+ ** !! AZURE VM IMAGE BUILDER Custom Image !! **
+ ** You have just been Customized :-) **
+ *******************************************************
+ ```
-You can also list the image versions that are now available in your gallery.
+1. Type `exit` to close the SSH connection.
-```azurecli-interactive
-az sig image-version list -g $sigResourceGroup -r $sigName -i $imageDefName -o table
-```
+1. To list the image versions that are now available in your gallery, run:
+ ```azurecli-interactive
+ az sig image-version list -g $sigResourceGroup -r $sigName -i $imageDefName -o table
+ ```
## Next steps
-To learn more about the components of the .json file used in this article, see [Image builder template reference](../linux/image-builder-json.md).
+To learn more about the components of the JSON file that you used in this article, see [Create an Azure VM Image Builder template](../linux/image-builder-json.md).
+
virtual-machines Image Builder Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/image-builder-troubleshoot.md
Title: Troubleshoot Azure Image Builder Service
-description: Troubleshoot common problems and errors when using Azure VM Image Builder Service
+ Title: Troubleshoot Azure VM Image Builder
+description: This article helps you troubleshoot common problems and errors you might encounter when you're using Azure VM Image Builder.
-# Troubleshoot Azure Image Builder Service
+# Troubleshoot Azure VM Image Builder
**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets
-This article helps you troubleshoot and resolve common issues you may encounter when using Azure Image Builder Service.
+Use this article to troubleshoot and resolve common issues that you might encounter when you're using Azure VM Image Builder.
## Prerequisites
-When you're creating a build, please ensure your build meets the following prerequisites:
+
+When you're creating a build, do the following:
-- The Image Builder Service communicates to the build VM using WinRM or SSH, DO NOT disable these settings as part of the build.-- Image Builder will create resources as part of the build, please verify Azure Policy does not prevent AIB from creating or using necessary resources.
- - Create IT_ resource group
- - Create storage account without firewall
-- Verify Azure Policy does not install unintended features on the build VM such as Azure Extensions.-- Ensure Image Builder has the correct permissions to read/write images and to connect to Azure storage. Please review the permissions documentation for [CLI](./image-builder-permissions-cli.md) or [PowerShell](./image-builder-permissions-powershell.md).-- Image Builder will fail the build if the script(s)/in-line commands fails with errors (non-zero exit codes), ensure you have tested and verified custom scripts run without error (exit code 0) or require user input. For more info, see the following [documentation](../windows/image-builder-virtual-desktop.md#tips-for-building-windows-images).-
-AIB failures can happen in 2 areas:
-- Image Template submission-- Image Build
+- The VM Image Builder service communicates to the build VM by using WinRM or Secure Shell (SSH). Do *not* disable these settings as part of the build.
+- VM Image Builder creates resources as part of the build. Be sure to verify that Azure Policy doesn't prevent VM Image Builder from creating or using necessary resources.
+ - Create an IT_ resource group.
+ - Create a storage account without a firewall.
+- Verify that Azure Policy doesn't install unintended features on the build VM, such as Azure Extensions.
+- Ensure that VM Image Builder has the correct permissions to read/write images and to connect to the storage account. For more information, review the permissions documentation for the [Azure CLI](./image-builder-permissions-cli.md) or [Azure PowerShell](./image-builder-permissions-powershell.md).
+- VM Image Builder will fail the build if the scripts or inline commands fail with errors (non-zero exit codes). Ensure that you've tested the custom scripts and verified that they run without error (exit code 0) or require user input. For more information, see [Create an Azure Virtual Desktop image by using VM Image Builder and PowerShell](../windows/image-builder-virtual-desktop.md#tips-for-building-windows-images).
+
+VM Image Builder failures can happen in two areas:
+- During image template submission
+- During image building
## Troubleshoot image template submission errors
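Review bot: The last prerequisite bullet still asks the reader to verify that scripts "run without error (exit code 0) or require user input", which reads as though requiring input were acceptable. The article's own time-out section says a customization that waits for user interaction stalls the build, so this should read "and don't require user input". The two sub-bullets under the Azure Policy item ("Create an IT_ resource group", "Create a storage account without a firewall") now sit under "do the following" and read as steps for the reader, although they are the operations that policy must not block. Introduce them with something like "Azure Policy must allow VM Image Builder to:".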
-Image template submission errors are returned at submission only. There isn't an error log for image template submission errors. If there was an error during submission, you can return the error by checking the status of the template, specifically reviewing the `ProvisioningState` and `ProvisioningErrorMessage`/`provisioningError`.
+Image template submission errors are returned at submission only. There isn't an error log for image template submission errors. If there's an error during submission, you can return the error by checking the status of the template, specifically by reviewing `ProvisioningState` and `ProvisioningErrorMessage`/`provisioningError`.
```azurecli az image builder show --name $imageTemplateName --resource-group $imageResourceGroup
az image builder show --name $imageTemplateName --resource-group $imageResource
Get-AzImageBuilderTemplate -ImageTemplateName <imageTemplateName> -ResourceGroupName <imageTemplateResourceGroup> | Select-Object ProvisioningState, ProvisioningErrorMessage ``` > [!NOTE]
-> For PowerShell, you will need to install the [Azure Image Builder PowerShell Modules](../windows/image-builder-powershell.md#prerequisites).
+> For PowerShell, you'll need to install the [VM Image Builder PowerShell modules](../windows/image-builder-powershell.md#prerequisites).
> [!IMPORTANT]
-> Our 2021-10-01 API introduces a change to the error schema that will be part of every future API release. Any customer that has automated our service needs to expect to receive a new error output when switching to 2021-10-01 or newer API versions (new schema shown below). We recommend that once customers switch to the new API version (2021-10-01 and beyond), they don't revert to older versions as they'll have to change their automation again to expect the older error schema. We do not anticipate changing the error schema again in future releases.
+> API version 2021-10-01 introduces a change to the error schema that will be part of every future API release. If you have any Azure VM Image Builder automations, be aware of the [new error output](#error-output-for-version-2021-10-01-and-later) when you switch to API version 2021-10-01 or later. We recommend, after you've switched to the latest API version, that you don't revert to an earlier version, because you'll have to change your automation again to produce the earlier error schema. We don't anticipate that we'll change the error schema again in future releases.
-For API versions 2020-02-14 and older, the error output will look like the following:
-```text
-{
+##### **Error output for version 2020-02-14 and earlier**
+
+```
+{
"code": "ValidationFailed",
- "message": "Validation failed: 'ImageTemplate.properties.source': Field 'imageId' has a bad value: '/subscriptions/subscriptionID/resourceGroups/resourceGroupName/providers/Microsoft.Compute//images//imageName'. Please review http://aka.ms/azvmimagebuildertmplref for details on fields requirements in the Image Builder Template."
-}
+ "message": "Validation failed: 'ImageTemplate.properties.source': Field 'imageId' has a bad value: '/subscriptions/subscriptionID/resourceGroups/resourceGroupName/providers/Microsoft.Compute/images/imageName'. Please review http://aka.ms/azvmimagebuildertmplref for details on fields requirements in the Image Builder Template."
+}
```
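Review bot: In the sample `message`, the image ID changes from `.../Microsoft.Compute//images//imageName` to `.../Microsoft.Compute/images/imageName`. The message reports that `imageId` "has a bad value", and with the doubled slashes removed the sample no longer shows anything wrong with the value. Please confirm the original wasn't verbatim service output before normalizing it. The opening fence also lost its `text` tag, so this block is now untagged while the other error samples in the article keep `text`; restore the tag.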
-For API versions 2021-10-01 and newer, the error output will look like the following:
-```text
-{
+##### **Error output for version 2021-10-01 and later**
+
+```
+{
"error": {
- "code": "ValidationFailed",
- "message": "Validation failed: 'ImageTemplate.properties.source': Field 'imageId' has a bad value: '/subscriptions/subscriptionID/resourceGroups/resourceGroupName/providers/Microsoft.Compute//images//imageName'. Please review http://aka.ms/azvmimagebuildertmplref for details on fields requirements in the Image Builder Template."
+ "code": "ValidationFailed",
+ "message": "Validation failed: 'ImageTemplate.properties.source': Field 'imageId' has a bad value: '/subscriptions/subscriptionID/resourceGroups/resourceGroupName/providers/Microsoft.Compute/images/imageName'. Please review http://aka.ms/azvmimagebuildertmplref for details on fields requirements in the Image Builder Template."
} } ```
-The following sections include problem resolution guidance for common image template submission errors.
+The following sections present problem resolution guidance for common image template submission errors.
-### Update/Upgrade of image templates is currently not supported
+### Update or upgrade of image templates is currently not supported
#### Error
The template already exists.
If you submit an image configuration template and the submission fails, a failed template artifact still exists. Delete the failed template.
-### The resource operation completed with terminal provisioning state 'Failed'
+### The resource operation finished with a terminal provisioning state of "Failed"
#### Error
Microsoft.VirtualMachineImages/imageTemplates 'helloImageTemplateforSIG01' faile
``` #### Cause
-In most cases, the resource deployment failure error occurs due to missing permissions.
+In most cases, the resource deployment failure error occurs because of missing permissions.
#### Solution
-Depending on your scenario, Azure Image Builder may need permissions to:
-- Source image or Azure Compute Gallery (formerly known as Shared Image Gallery) resource group-- Distribution image or Azure Compute Gallery resource-- The storage account, container, or blob that the File customizer is accessing.
+Depending on your scenario, VM Image Builder might need permissions to:
+- The source image or Azure Compute Gallery (formerly Shared Image Gallery) resource group.
+- The distribution image or Azure Compute Gallery resource.
+- The storage account, container, or blob that the `File` customizer is accessing.
-For more information on configuring permissions, see [Configure Azure Image Builder Service permissions using Azure CLI](image-builder-permissions-cli.md) or [Configure Azure Image Builder Service permissions using PowerShell](image-builder-permissions-powershell.md)
+For more information about configuring permissions, see [Configure VM Image Builder permissions by using the Azure CLI](image-builder-permissions-cli.md) or [Configure VM Image Builder permissions by using PowerShell](image-builder-permissions-powershell.md).
-### Error getting managed image
+### Error getting a managed image
#### Error ```text Build (Managed Image) step failed: Error getting Managed Image '/subscriptions/.../providers/Microsoft.Compute/images/mymanagedmg1': Error getting managed image (...): compute. ImagesClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error.
-Status=403 Code="AuthorizationFailed" Message="The client '......' with object id '......' does not have authorization to perform action 'Microsoft.Compute/images/read' over scope
+Status=403 Code="AuthorizationFailed" Message="The client '......' with object id '......' doesn't have authorization to perform action 'Microsoft.Compute/images/read' over scope
``` #### Cause
Missing permissions.
#### Solution
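Review bot: The edit inside the `text` block rewrites the quoted error string from "does not have authorization" to "doesn't have authorization". That block is service output that readers match against their own logs and paste into search, so it should stay verbatim. The contraction style applies to the article's prose only.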
-Depending on your scenario, Azure Image Builder may need permissions to:
-* Source image or Azure Compute Gallery resource group
-* Distribution image or Azure Compute Gallery resource
-* The storage account, container, or blob that the File customizer is accessing.
+Depending on your scenario, VM Image Builder might need permissions to:
+- The source image or Azure Compute Gallery resource group.
+- The distribution image or Azure Compute Gallery resource.
+- The storage account, container, or blob that the `File` customizer is accessing.
-For more information on configuring permissions, see [Configure Azure Image Builder Service permissions using Azure CLI](image-builder-permissions-cli.md) or [Configure Azure Image Builder Service permissions using PowerShell](image-builder-permissions-powershell.md)
+For more information about configuring permissions, see [Configure VM Image Builder permissions by using the Azure CLI](image-builder-permissions-cli.md) or [Configure VM Image Builder permissions by using PowerShell](image-builder-permissions-powershell.md).
-### Build step failed for image version
+### The build step failed for the image version
#### Error+ ```text Build (Shared Image Version) step failed for Image Version '/subscriptions/.../providers/Microsoft.Compute/galleries/.../images/... /versions/0.23768.4001': Error getting Image Version '/subscriptions/.../resourceGroups/<rgName>/providers/Microsoft.Compute/galleries/.../images/.../versions/0.23768.4001': Error getting image version '... :0.23768.4001': compute.GalleryImageVersionsClient#Get: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="ResourceNotFound" Message="The Resource 'Microsoft.Compute/galleries/.../images/.../versions/0.23768.4001' under resource group '<rgName>' was not found." ```+ #### Cause
-Azure Image Builder cannot locate the source image.
+VM Image Builder can't locate the source image.
#### Solution
-Ensure the source image is correct and exists in the location of the Azure Image Builder Service.
+Ensure that the source image is correct and exists in the location of VM Image Builder.
-### Downloading external file to local file
+### Downloading an external file to a local file
#### Error
Downloading external file (<myFile>) to local file (xxxxx.0.customizer.fp) [atte
#### Cause
-The file name or location is incorrect, or the location is not reachable.
+The file name or location is incorrect, or the location isn't reachable.
#### Solution
-Ensure the file is reachable. Verify the name and location are correct.
+Ensure that the file is reachable. Verify that the name and location are correct.
## Troubleshoot build failures
-For image build failures, you can get the error from the `lastrunstatus`, and then review the details in the customization.log.
+For image build failures, get the error from the `lastrunstatus`, and then review the details in the *customization.log* file.
```azurecli
Get-AzImageBuilderTemplate -ImageTemplateName <imageTemplateName> -ResourceGrou
### Customization log
-When the image build is running, logs are created and stored in a storage account. Azure Image Builder creates the storage account in the temporary resource group when you create an image template artifact.
+When the image build is running, logs are created and stored in a storage account. VM Image Builder creates the storage account in the temporary resource group when you create an image template artifact.
-The storage account name uses the following pattern: **IT_\<ImageResourceGroupName\>_\<TemplateName\>_\<GUID\>**
+The storage account name uses the pattern IT_\<ImageResourceGroupName\>_\<TemplateName\>_\<GUID\> (for example, *IT_aibmdi_helloImageTemplateLinux01*).
-For example, *IT_aibmdi_helloImageTemplateLinux01*.
+To view the *customization.log* file in the resource group, select **Storage Account** > **Blobs** > `packerlogs`, select **directory**, and then select the *customization.log* file.
-You can view the customization.log in storage account in the resource group by selecting **Storage Account** > **Blobs** > `packerlogs`. Then select **directory > customization.log**.
+### Understand the customization log
-### Understanding the customization log
+The log is verbose. It covers the image build, including any issues with the image distribution, such as Azure Compute Gallery replication. These errors are surfaced in the error message of the image template status.
-The log is verbose. It covers the image build including any issues with the image distribution, such as Azure Compute Gallery replication. These errors are surfaced in the error message of the image template status.
+The *customization.log* file includes the following stages:
-The customization.log includes the following stages:
+1. *Deploy the build VM and dependencies by using ARM templates to the IT_ staging resource group* stage. This stage includes multiple POSTs to the VM Image Builder resource provider:
-1. Deploy the build VM and dependencies using ARM templates to the IT_ staging resource group stage. This stage includes multiple POSTs to the Azure Image Builder resource provider:
```text Azure request method="POST" request="https://management.azure.com/subscriptions/<subID>/resourceGroups/IT_aibImageRG200_window2019VnetTemplate01_dec33089-1cc3-cccc-cccc-ccccccc/providers/Microsoft.Storage/storageAccounts ..
The customization.log includes the following stages:
.. ```
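Review bot: The sentence "The storage account name uses the pattern IT_\<ImageResourceGroupName\>_\<TemplateName\>_\<GUID\>" is followed by an example, *IT_aibmdi_helloImageTemplateLinux01*, that has no GUID segment. Elsewhere the article uses the IT_ prefix for the staging resource group, not the storage account. State which resource carries this name and give an example that matches the pattern, so readers can find the right container when looking for *customization.log*.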
-2. Status of the deployments stage. This stage includes status of each resource deployment:
+1. *Status of the deployments* stage. This stage includes the status of each resource deployment:
+ ```text PACKER ERR 2020/04/30 23:28:50 packer: 2020/04/30 23:28:50 Azure request method="GET" request="https://management.azure.com/subscriptions/<subID>/resourcegroups/IT_aibImageRG200_window2019VnetTemplate01_dec33089-1cc3-4505-ae28-6661e43fac48/providers/Microsoft.Resources/deployments/pkrdp51lc0339jg/operationStatuses/08586133176207523519?[REDACTED]" body="" ```
-3. Connect to the build VM stage.
+1. *Connect to the build VM* stage.
+
+ In Windows, VM Image Builder connects by using WinRM:
- If Windows, the Azure Image Builder Service connects using WinRM:
```text PACKER ERR 2020/04/30 23:30:50 packer: 2020/04/30 23:30:50 Waiting for WinRM, up to timeout: 10m0s .. PACKER OUT azure-arm: WinRM connected. ```
- If Linux, the Azure Image Builder Service will connect using SSH:
+ In Linux, VM Image Builder connects by using SSH:
+ ```text PACKER OUT ==> azure-arm: Waiting for SSH to become available... PACKER ERR 2019/12/10 17:20:51 packer: 2020/04/10 17:20:51 [INFO] Waiting for SSH, up to timeout: 20m0s PACKER OUT ==> azure-arm: Connected to SSH! ```
-4. Run customizations stage. When customizations run, you can identify them by reviewing the customization.log. Search for *(telemetry)*.
+1. *Run customizations* stage. When customizations run, you can identify them by reviewing the *customization.log* file. Search for *(telemetry)*.
+ ```text (telemetry) Starting provisioner windows-update (telemetry) ending windows-update
The customization.log includes the following stages:
(telemetry) Finalizing. - This means the build hasfinished ```
-5. De-provision stage. Azure Image Builder adds a hidden customizer. This de-provision step is responsible for preparing the VM for de-provisioning. It runs Windows Sysprep (using c:\DeprovisioningScript.ps1), or in Linux waagent deprovision (using /tmp/DeprovisioningScript.sh).
+1. *Deprovision* stage. VM Image Builder adds a hidden customizer. This deprovision step is responsible for preparing the VM for deprovisioning. In Windows, it runs `Sysprep` (by using *c:\DeprovisioningScript.ps1*). In Linux, it runs `waagent-deprovision` (by using /tmp/DeprovisioningScript.sh).
For example: ```text
The customization.log includes the following stages:
PACKER ERR 2020/03/04 23:05:04 packer: 2020/03/04 23:05:04 Found command: if( TEST-PATH c:\DeprovisioningScript.ps1 ){cat c:\DeprovisioningScript.ps1} else {echo "Deprovisioning script [c:\DeprovisioningScript.ps1] could not be found. Image build may fail or the VM created from the Image may not boot. Please make sure the deprovisioning script is not accidentally deleted by a Customizer in the Template."} ```
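Review bot: In the Deprovision stage line, `waagent-deprovision` is formatted as a single command name, where the previous text had "waagent deprovision". The Linux agent is invoked as `waagent` with a `-deprovision` option, so this should be written `waagent -deprovision`. The Linux script path /tmp/DeprovisioningScript.sh should also get the same italic formatting that *c:\DeprovisioningScript.ps1* received in the same sentence.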
-6. Clean up stage. Once the build has completed, Azure Image Builder resources are deleted.
+1. *Cleanup* stage. After the build has finished, the VM Image Builder resources are deleted.
+ ```text PACKER ERR ==> azure-arm: Deleting individual resources ... ...
The customization.log includes the following stages:
... PACKER ERR ==> azure-arm: The resource group was not created by Packer, not deleting ... ```
-## Tips for troubleshooting script/inline customization
-- Test the code before supplying it to Image Builder-- Ensure Azure Policy's and Firewalls allow connectivity to remote resources.-- Output comments to the console, such as using `Write-Host` or `echo`, this will allow you to search the customization.log.
+## Tips for troubleshooting script or inline customization
+- Test the code before you supply it to VM Image Builder.
+- Ensure that Azure Policy and Firewall allow connectivity to remote resources.
+- Output comments to the console by using `Write-Host` or `echo`. Doing so lets you search the *customization.log* file.
## Troubleshoot common build errors
Customization failure.
#### Solution
-Review log to locate customizers failures. Search for *(telemetry)*.
+Review the log to locate customizer failures. Search for *(telemetry)*.
For example: ```text
For example:
(telemetry) Finalizing. - This means the build has finished ```
-### Timeout exceeded
+### Time-out exceeded
#### Error
Deployment failed. Correlation ID: xxxxx-xxxx-xxxx-xxxx-xxxxxxxxx. Failed in bui
#### Cause
-The build exceeded the build timeout. This error is seen in the 'lastrunstatus'.
+The build exceeded the build time-out. This error is seen in the 'lastrunstatus'.
#### Solution
-1. Review the customization.log. Identify the last customizer to run. Search for `(telemetry)` starting from the bottom of the log.
+1. Review the *customization.log* file. Identify the last customizer to run. Search for *(telemetry)*, starting from the bottom of the log.
-2. Check script customizations. The customizations may not be suppressing user interaction for commands, such as `quiet` options. For example, `apt-get install -y` results in the script execution waiting for user interaction.
+1. Check script customizations. The customizations might not be suppressing user interaction for commands, such as `quiet` options. For example, `apt-get install -y` results in the script execution waiting for user interaction.
-3. If you are using the `File` customizer to download artifacts greater than 20 MB, see workarounds section.
+1. If you're using the `File` customizer to download artifacts greater than 20 MB, see workarounds section.
-4. Review errors and dependencies in script that may cause the script to wait.
+1. Review errors and dependencies in script that might cause the script to wait.
-5. If you expect that the customizations need more time, increase [buildTimeoutInMinutes](image-builder-json.md). The default is four hours.
+1. If you expect that the customizations need more time, increase the value of [buildTimeoutInMinutes](image-builder-json.md). The default is 4 hours.
-6. If you have resource-intensive actions, such as downloading gigabytes of files, consider the underlying build VM size. The service uses a Standard_D1_v2 VM. The VM has, 1 vCPU and 3.5 GB of memory. If you are downloading 50 GB, this will likely exhaust the VM resources and cause communication failures between the Azure Image Builder Service and build VM. Retry the build with a larger memory VM, by setting the [VM_Size](image-builder-json.md#vmprofile).
+1. If you have resource-intensive actions, such as downloading gigabytes (GB) of files, consider the underlying build VM size. The service uses a Standard_D1_v2 VM. The VM has 1 vCPU and 3.5 GB of memory. If you're downloading 50 GB, you'll likely exhaust the VM resources and cause communication failures between VM Image Builder and the build VM. Retry the build with a larger-memory VM by setting the [VM_size](image-builder-json.md#vmprofile).
### Long file download time
myBigFile.zip 826000 B / 826000 B 100.00%
``` #### Cause
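Review bot: Step 2 of the time-out solution carries over an inverted example: `apt-get install -y` is the form that answers prompts automatically, so it is not the case that waits for user interaction. The case that hangs is `apt-get install` without `-y`. Reword it to say that omitting such options leaves the script waiting. In the last step, `VM_Size` became `VM_size`; check the casing against the property name in the linked vmprofile section. Step 3's "see workarounds section" still has no link or section name.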
-File customizer is downloading a large file.
+`File` customizer is downloading a large file.
#### Solution
-The file customizer is only suitable for small file downloads less than 20 MB. For larger file downloads, use a script or inline command. For example, on Linux you can use `wget` or `curl`. On Windows, you can use`Invoke-WebRequest`.
+`File` customizer is suitable only for small (less than 20 MB) file downloads. For larger file downloads, use a script or inline command. For example, in Linux you can use `wget` or `curl`. In Windows, you can use `Invoke-WebRequest`.
### Error waiting on Azure Compute Gallery
Deployment failed. Correlation ID: XXXXXX-XXXX-XXXXXX-XXXX-XXXXXX. Failed in dis
#### Cause
-Image Builder timed out waiting for the image to be added and replicated to the Azure Compute Gallery. If the image is being injected into the SIG, it can be assumed the image build was successful. However, the overall process failed, because the image builder was waiting on Azure Compute Gallery to complete the replication. Even though the build has failed, the replication continues. You can get the properties of the image version by checking the distribution *runOutput*.
+VM Image Builder timed out waiting for the image to be added and replicated to Azure Compute Gallery. If the image is being injected into the gallery, you can assume that the image build was successful. However, the overall process failed because VM Image Builder was waiting on Azure Compute Gallery to complete the replication. Even though the build has failed, the replication continues. You can get the properties of the image version by checking the distribution *runOutput*.
```azurecli $runOutputName=<distributionRunOutput>
az resource show \
#### Solution
-Increase the **buildTimeoutInMinutes**.
+Increase the value of `buildTimeoutInMinutes`.
### Low Windows resource information events
Increase the **buildTimeoutInMinutes**.
``` #### Cause
-Resource exhaustion. This issue is commonly seen with Windows Update running using the default build VM size D1_V2.
+Resource exhaustion. This issue is commonly seen with Windows Update running with the default build VM size D1_V2.
#### Solution Increase the build VM size.
-### Builds finished but no artifacts were created
+### The build finished but no artifacts were created
#### Error
Done exporting Packer logs to Azure for Packer prefix: [a170b40d-2d77-4ac3-8719-
``` #### Cause
-Time out caused by waiting for required Azure resources to be created.
+The build timed out while it was waiting for the required Azure resources to be created.
#### Solution
Missing permissions.
#### Solution
-Recheck Azure Image Builder has all permissions it requires.
+Recheck to ensure that VM Image Builder has all the permissions it requires.
-For more information on configuring permissions, see [Configure Azure Image Builder Service permissions using Azure CLI](image-builder-permissions-cli.md) or [Configure Azure Image Builder Service permissions using PowerShell](image-builder-permissions-powershell.md)
+For more information about configuring permissions, see [Configure VM Image Builder permissions by using the Azure CLI](image-builder-permissions-cli.md) or [Configure VM Image Builder permissions by using PowerShell](image-builder-permissions-powershell.md).
-### Sysprep timing
+### `Sysprep` timing
#### Error
For more information on configuring permissions, see [Configure Azure Image Buil
``` #### Cause
-The cause may be a timing issue due to the D1_V2 VM size. If customizations are limited and execute in less than three seconds, sysprep commands are run by Azure Image Builder to de-provision. When Azure Image Builder de-provisions, the sysprep command checks for the *WindowsAzureGuestAgent*, which may not be fully installed causing the timing issue.
+The cause might be a timing issue because of the D1_V2 VM size. If customizations are limited and are run in less than three seconds, `Sysprep` commands are run by VM Image Builder to deprovision. When VM Image Builder deprovisions, the `Sysprep` command checks for the *WindowsAzureGuestAgent*, which might not be fully installed and might cause the timing issue.
#### Solution
-Increase the VM size. Or, you can add a 60-second PowerShell sleep customization to avoid the timing issue.
+To avoid the timing issue, you can increase the VM size or you can add a 60-second PowerShell sleep customization.
-### Cancelling builder after context cancellation context canceled
+### The build is canceled after the context cancelation context is canceled
#### Error ```text
PACKER ERR 2020/03/26 22:11:25 [INFO] RPC client: Communicator ended with: 23002
PACKER ERR 2020/03/26 22:11:25 [INFO] RPC endpoint: Communicator ended with: 2300218 ``` #### Cause
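Review bot: The new heading "The build is canceled after the context cancelation context is canceled" paraphrases what reads like a log string. The previous heading, "Cancelling builder after context cancellation context canceled", is the text a reader would search for after seeing it in *customization.log*. Keep the literal message in the heading, or quote it in the Error block, so the section stays findable.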
-Image Builder service uses port 22(Linux), or 5986(Windows)to connect to the build VM, this occurs when the service is disconnected from the build VM during an image build. Reasons for disconnection can vary, but enabling or configuring firewalls in script can block the ports above.
+
+VM Image Builder uses port 22 (Linux) or 5986 (Windows) to connect to the build VM. This occurs when the service is disconnected from the build VM during an image build. The reasons for the disconnection can vary, but enabling or configuring a firewall in the script can block the previously mentioned ports.
#### Solution
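Review bot: In the Cause paragraph, "This occurs when the service is disconnected" has lost its antecedent now that the sentence is split; name it, for example "The error occurs when...". "The previously mentioned ports" would be clearer as "port 22 or 5986", so that the firewall guidance stands on its own when the paragraph is read in isolation.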
-Review your scripts for firewall changes/enablement, or changes to SSH or WinRM, and ensure any changes allow for constant connectivity between the service and build VM on the ports above. For more information on Image Builder networking, please review the [requirements](./image-builder-networking.md).
+Review your scripts for firewall changes or enablement, or changes to SSH or WinRM, and ensure that any changes allow for constant connectivity between the service and the build VM on the previously mentioned ports. For more information, see [VM Image Builder networking options](./image-builder-networking.md).
### JWT errors in log early in the build #### Error
-Early in the build process, the build fails and the log indicates a JWT error:
+Early in the build process, the build fails and the log indicates a JSON Web Token (JWT) error:
```text PACKER OUT Error: Failed to prepare build: "azure-arm"
PACKER OUT 1 error(s) occurred:
``` #### Cause
-The `buildTimeoutInMinutes` value in the template is set to between 1 and 5 minutes.
+
+The `buildTimeoutInMinutes` value in the template is set to from 1 to 5 minutes.
#### Solution
-As described in [Create an Azure Image Builder template](./image-builder-json.md), the timeout must be set to 0 to use the default or above 5 minutes to override the default. Change the timeout in your template to 0 to use the default or to a minimum of 6 minutes.
+As described in [Create an VM Image Builder template](./image-builder-json.md), the time-out must be set to 0 to use the default or set to more than 5 minutes to override the default. Change the time-out in your template to 0 to use the default or to a minimum of 6 minutes.
### Resource deletion errors #### Error
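Review bot: The link text "Create an VM Image Builder template" has the wrong article, left over from dropping "Azure"; it should be "a VM". In the same Solution paragraph, "set to more than 5 minutes" and "a minimum of 6 minutes" say the same thing twice; one statement of the valid range (0, or 6 and above) would be enough.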
-Intermediate resources are cleaned up toward the end of the build and the customization log may show several resource deletion errors:
+Intermediate resources are cleaned up toward the end of the build, and the customization log might show several resource deletion errors:
```text PACKER OUT ==> azure-arm: Error deleting resource. Will retry.
PACKER ERR 2022/03/07 18:43:06 packer-plugin-azure plugin: 2022/03/07 18:43:06 R
``` #### Cause
-These error log messages are mostly harmless because resource deletions are retried several times and they, in general, eventually succeed. This can be verified by continuing to follow the deletion logs until a success message is observed. Alternatively, the staging resource group can be inspected to confirm if the resource has been deleted or not.
+These error log messages are mostly harmless, because resource deletions are retried several times and, ordinarily, they eventually succeed. You can verify this by continuing to follow the deletion logs until you observe a success message. Alternatively, you can inspect the staging resource group to confirm whether the resource has been deleted.
+
+Making these observations is especially important in build failures, where these error messages might lead you to conclude that they're the reason for the failures, even when the actual errors might be elsewhere.
+
+## DevOps tasks
-_[This is especially important in case of build failures where these error messages may cause the observer to conclude them to be the reason for failure while the actual error is elsewhere.]_
+### Troubleshoot the task
+The task fails only if an error occurs during customization. When this happens, the task reports the failure and leaves the staging resource group, with the logs, so that you can identify the issue.
-## DevOps task
+To locate the log, you need to know the template name. Go to **pipeline** > **failed build**, and then drill down into the VM Image Builder DevOps task.
-### Troubleshooting the task
-The task will only fail if an error occurs during customization, when this happens the task will report failure and leave the staging resource group, with the logs, so you can identify the issue.
+You'll see the log and a template name:
-To locate the log, you need to know the template name, go into pipeline > failed build > drill into the AIB DevOps task, then you will see the log and a template name:
```text start reading task parameters... found build at: /home/vsts/work/r1/a/_ImageBuilding/webapp
Source for image: { type: 'SharedImageVersion',
template name: t_1556938436xxx ```
-Go to the portal, search for the template name in resource group, then look for the resource group with IT_*.
-Go to the storage account > blobs > containers > logs.
+1. Go to the Azure portal, search for the template name in the resource group, and then search for the resource group by typing **IT_***.
+1. Select the storage account name > **blobs** > **containers** > **logs**.
-### Troubleshooting successful builds
-There maybe some cases where you need to investigate successful builds, and want to review the log. As mentioned, if the image build is successful, the staging resource group that contains the logs will be deleted as part of the clean up. However, what you can do, is introduce a sleep after the inline command, then get the logs as the build is paused. To do this follow these steps:
+### Troubleshoot successful builds
+
+You might occasionally need to investigate successful builds and review their logs. As mentioned earlier, if the image build is successful, the staging resource group that contains the logs will be deleted as part of the cleanup. To prevent an automatic cleanup, though, you can introduce a `sleep` after the inline command, and then view the logs as the build is paused. To do so, do the following:
-1. Update the inline command, and add:
-Write-Host / Echo ΓÇ£SleepΓÇ¥ ΓÇô this will allow you to search in the log
-2. Add a sleep for at least 10mins, you can use [Start-Sleep](/powershell/module/microsoft.powershell.utility/start-sleep), or `Sleep` Linux command.
-3. Use the method above to identify the log location, and then keep downloading/checking the log until it gets to the sleep.
+1. Update the inline command by adding **Write-Host / Echo ΓÇ£SleepΓÇ¥**. This gives you time to search in the log.
+1. Add a `sleep` value of at least 10 minutes by using a [Start-Sleep](/powershell/module/microsoft.powershell.utility/start-sleep) or `Sleep` Linux command.
+1. Use this method to identify the log location, and then keep downloading or checking the log until it gets to `sleep`.
### Operation was canceled
Write-Host / Echo ΓÇ£SleepΓÇ¥ ΓÇô this will allow you to search in the log
``` #### Cause
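Review bot: In step 1 of "Troubleshoot successful builds", "This gives you time to search in the log" changes what the removed text said: the echoed "Sleep" string is a marker that you can search for in the log, and it is the sleep added in step 2 that buys the time. Suggest "This adds a marker that you can search for in the log." In step 3, "Use this method" has lost its referent (the old text said "the method above", meaning the log-location steps under "Troubleshoot the task"). In the log-location list, "**IT_***" puts a literal asterisk directly against the closing bold marker, so code formatting for the IT_* prefix would render more reliably.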
-If the build was not canceled by a user, it was canceled by Azure DevOps User Agent. Most likely the 1-hour timeout has occurred due to Azure DevOps capabilities. If you are using a private project and agent, you get 60 minutes of build time. If the build exceeds the timeout, DevOps cancels the running task.
+If the build wasn't canceled by a user, it was canceled by Azure DevOps User Agent. Most likely, the 1-hour time-out has occurred because of Azure DevOps capabilities. If you're using a private project and agent, you get 60 minutes of build time. If the build exceeds the time-out, DevOps cancels the running task.
-For more information on Azure DevOps capabilities and limitations, see [Microsoft-hosted agents](/azure/devops/pipelines/agents/hosted#capabilities-and-limitations)
+For more information about Azure DevOps capabilities and limitations, see [Microsoft-hosted agents](/azure/devops/pipelines/agents/hosted#capabilities-and-limitations).
#### Solution
-You can host your own DevOps agents, or look to reduce the time of your build. For example, if you are distributing to the Azure Compute Gallery, replicate to one region. If you want to replicate asynchronously.
+You can host your own DevOps agents or look to reduce the time of your build. For example, if you're distributing to Azure Compute Gallery, you can replicate them to one region or replicate them asynchronously.
-### Slow Windows Logon: 'Please wait for the Windows Modules Installer'
+### Slow Windows logon
#### Error
-After you create a Windows 10 image with Image Builder, then create a VM from the image, you RDP, and have to wait minutes at the first logon seeing a blue screen with the message:
+
+This error might occur when you create a Windows 10 image by using VM Image Builder, create a VM from the image, and then use Remote Desktop Protocol (RDP). You wait several minutes at the first logon screen, and then a blue screen displays the following message:
+ ```text Please wait for the Windows Modules Installer ``` #### Solution
-Firstly in the image build check that there are no outstanding reboots required by adding a Windows Restart customizer as the last customization, and that all software installation is complete. Lastly, add [/mode:vm](/windows-hardware/manufacture/desktop/sysprep-command-line-options) option to the default sysprep that AIB uses, see below, 'VMs created from AIB images do not create successfully' > 'Overriding the Commands'
+
+1. In the image build, check to ensure that:
+
+ * There are no outstanding reboots required by adding a Windows Restart customizer as the last customization.
+ * All software installation is complete.
+
+1. Add the [/mode:vm](/windows-hardware/manufacture/desktop/sysprep-command-line-options) option to the default `Sysprep` that VM Image Builder uses. For more information, go to the ["Override the commands"](#override-the-commands) section under "VMs created from VM Image Builder images aren't created successfully."
-## VMs created from AIB images do not create successfully
+## VMs created from VM Image Builder images aren't created successfully
-By default, the Azure Image Builder runs *de-provision* code at the end of each image customization phase to *generalize* the image. Generalize is a process where the image is set up to be reused to create multiple VMs and you can pass in VM settings, such as hostname, username, etc. For Windows, Azure Image Builder executes *Sysprep*, and for Linux Azure Image Builder runs `waagent -deprovision`.
+By default, VM Image Builder runs *deprovision* code at the end of each image customization phase to *generalize* the image. To generalize an image is to set it up to reuse to create multiple VMs. As part of the process, you can pass in VM settings, such as hostname, username, and so on. In Windows, VM Image Builder runs `Sysprep`, and in Linux, VM Image Builder runs `waagent -deprovision`.
-For Windows, Azure Image Builder uses a generic Sysprep command. However, this may not be suitable for every successful Windows generalization. Azure Image Builder allows you to customize the Sysprep command. Note Azure Image Builder is an image automation tool. It's responsible for running Sysprep command successfully. But, you may need different Sysprep commands to make your image reusable. For Linux, Azure Image Builder uses a generic `waagent -deprovision+user` command. For more information, see [Microsoft Azure Linux Agent documentation](https://github.com/Azure/WALinuxAgent#command-line-options).
+In Windows, VM Image Builder uses a generic `Sysprep` command. However, this command might not be suitable for every successful Windows generalization. With VM Image Builder, you can customize the `Sysprep` command. Note that VM Image Builder is an image automation tool that's responsible for running `Sysprep` command successfully. But you might need different `Sysprep` commands to make your image reusable. In Linux, VM Image Builder uses a generic `waagent -deprovision+user` command. For more information, see [Microsoft Azure Linux Agent documentation](https://github.com/Azure/WALinuxAgent#command-line-options).
-If you are migrating an existing customization and you are using different Sysprep/waagent commands, you can try the image builder generic commands. If the VM creation fails, use your previous Sysprep/waagent commands.
+If you're migrating an existing customization and you're using various `Sysprep` or `waagent` commands, you can try the VM Image Builder generic commands. If the VM creation fails, use your previous `Sysprep` or `waagent` commands.
-> [!NOTE]
-> If AIB creates a Windows custom image successfully, and you create a VM from it then find the VM will not create successfully (For example, the VM creation command does not complete/timeouts), you will need to review the Windows Server Sysprep documentation. Or, you can raise a support request with the Windows Server Sysprep Customer Services Support team, who can troubleshoot and advise on the correct Sysprep command.
+Let's suppose you've used VM Image Builder successfully to create a Windows custom image, but you've failed to create a VM successfully from the image. For example, the VM creation fails to finish or it times out. In this event, do either of the following:
+* Review the Windows Server Sysprep documentation.
+* Raise a support request with the Windows Server Sysprep Customer Services Support team. They can help troubleshoot your issue and advise you on the correct `Sysprep` command.
-### Command Locations and Filenames
+### Command locations and file names
-Windows:
+In Windows:
``` c:\DeprovisioningScript.ps1 ```
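Review bot: In the paragraph about migrating an existing customization, replacing "different Sysprep/waagent commands" with "various `Sysprep` or `waagent` commands" changes the meaning: the old sentence was about commands that differ from the VM Image Builder generic ones, not about using many commands. Suggest keeping "different". In the "Slow Windows logon" solution, the first bullet ("There are no outstanding reboots required by adding a Windows Restart customizer as the last customization") reads as if the customizer causes the reboots; splitting it into the check (no reboot is pending) and the action (add a Windows Restart customizer as the last customization) would fix that.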
-Linux:
+In Linux:
```bash /tmp/DeprovisioningScript.sh ```
-### Sysprep Command: Windows
+### The `Sysprep` command: Windows
```PowerShell Write-Output '>>> Waiting for GA Service (RdAgent) to start ...'
while($true) {
Write-Output '>>> Sysprep complete ...' ```
-### Deprovision Command: Linux
+### The `-deprovision` command: Linux
```bash /usr/sbin/waagent -force -deprovision+user && export HISTSIZE=0 && sync ```
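Review bot: The new heading "The `-deprovision` command: Linux" labels an option as a command; the command in the block under it is `waagent`, and the option actually passed is `-deprovision+user`. Suggest "The `waagent -deprovision+user` command: Linux", which also matches how the "VMs created from VM Image Builder images aren't created successfully" section refers to it.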
-### Overriding the Commands
+### Override the commands
-To override the commands, use the PowerShell or shell script provisioners to create the command files with the exact file name and put them in the directories listed previously. Azure Image Builder reads these commands and output is written to the *customization.log*.
+To override the commands, use the PowerShell or shell script provisioners to create the command files with the exact file name and put them in the previously listed directories. VM Image Builder reads these commands and writes output to the *customization.log* file.
-## Getting Support
-If you have referred to the guidance, and still cannot troubleshoot your issue, you can open a support case. When doing so, please select right product and support topic, doing this will engage the Azure VM Image Builder support team.
+## Get support
+If you've referred to the guidance and are still having problems, you can open a support case. Be sure to select the correct product and support topic. Doing so will ensure that you're connected with the Azure VM Image Builder support team.
Selecting the case product: ```bash
Support Subtopic: Azure Image Builder
## Next steps
-For more information, see [Azure Image Builder overview](../image-builder-overview.md).
+For more information, see [VM Image Builder overview](../image-builder-overview.md).
virtual-machines Image Builder User Assigned Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/image-builder-user-assigned-identity.md
Title: Create a Virtual Machine image and use a user-assigned managed identity to access files in Azure Storage
-description: Create virtual machine image using Azure Image Builder, that can access files stored in Azure Storage using user-assigned managed identity.
+ Title: Create a virtual machine image and use a user-assigned managed identity to access files in an Azure storage account
+description: In this article, you'll use Azure VM Image Builder to create a virtual machine image that can access files that are stored in Azure Storage with a user-assigned managed identity.
-# Create an image and use a user-assigned managed identity to access files in Azure Storage
+# Create an image and use a user-assigned managed identity to access files in an Azure storage account
**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets
-Azure Image Builder supports using scripts, or copying files from multiple locations, such as GitHub and Azure storage etc. To use these, they must have been externally accessible to Azure Image Builder.
+This article shows how to create a customized image by using Azure VM Image Builder. The service uses a [user-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) to access files in an Azure storage account, without your having to make the files publicly accessible.
-This article shows how to create a customized image using the Azure VM Image Builder, where the service will use a [User-assigned Managed Identity](../../active-directory/managed-identities-azure-resources/overview.md) to access files in Azure storage for the image customization, without you having to make the files publicly accessible.
+Azure VM Image Builder supports using scripts and copying files from GitHub, Azure storage accounts, and other locations. If you want to use the locations, they must be externally accessible to VM Image Builder.
-In the example below, you will create two resource groups, one will be used for the custom image, and the other will host an Azure Storage Account, that contains a script file. This simulates a real life scenario, where you may have build artifacts, or image files in different storage accounts, outside of Image Builder. You will create a user-assigned identity, then grant that read permissions on the script file, but you will not set any public access to that file. You will then use the Shell customizer to download and run that script from the storage account.
+In the following example, you'll create two resource groups, one for the custom image and the other to host an Azure storage account that contains a script file. This example simulates a real-life scenario, where you might have build artifacts or image files in various storage accounts. You'll create a user-assigned identity and then grant the identity read permissions on the script file, but you won't allow public access to the file. You'll then use the shell customizer to download and run a script from the storage account.
## Register the features
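Review bot: The reordered introduction now reads as a contradiction: the first paragraph says the managed identity lets the service read the files "without your having to make the files publicly accessible", and the next one says the locations "must be externally accessible to VM Image Builder". The removed text put the accessibility requirement first, as the limitation this article works around. Suggest restoring that order, or qualifying the second paragraph so that it is clear the user-assigned identity is the alternative to exposing the storage account.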
-To use Azure Image Builder, you need to register the feature.
-```azurecli-interactive
-az feature register --namespace Microsoft.VirtualMachineImages --name VirtualMachineTemplatePreview
-```
-
-Check the status of the feature registration.
+1. To use VM Image Builder, you need to register the feature:
-```azurecli-interactive
-az feature show --namespace Microsoft.VirtualMachineImages --name VirtualMachineTemplatePreview | grep state
-```
+ ```azurecli-interactive
+ az feature register --namespace Microsoft.VirtualMachineImages --name VirtualMachineTemplatePreview
+ ```
-Check your registration.
+2. Check the status of the feature registration:
+ ```azurecli-interactive
+ az feature show --namespace Microsoft.VirtualMachineImages --name VirtualMachineTemplatePreview | grep state
+ ```
-```azurecli-interactive
-az provider show -n Microsoft.VirtualMachineImages | grep registrationState
-az provider show -n Microsoft.KeyVault | grep registrationState
-az provider show -n Microsoft.Compute | grep registrationState
-az provider show -n Microsoft.Storage | grep registrationState
-az provider show -n Microsoft.Network | grep registrationState
-```
+3. Check your registration:
-If they do not say registered, run the following:
-```azurecli-interactive
-az provider register -n Microsoft.VirtualMachineImages
-az provider register -n Microsoft.Compute
-az provider register -n Microsoft.KeyVault
-az provider register -n Microsoft.Storage
-az provider register -n Microsoft.Network
-```
+ ```azurecli-interactive
+ az provider show -n Microsoft.VirtualMachineImages | grep registrationState
+ az provider show -n Microsoft.KeyVault | grep registrationState
+ az provider show -n Microsoft.Compute | grep registrationState
+ az provider show -n Microsoft.Storage | grep registrationState
+ az provider show -n Microsoft.Network | grep registrationState
+ ```
+4. If the output doesn't show your features as *Registered*, run the following commands:
-## Create a resource group
+ ```azurecli-interactive
+ az provider register -n Microsoft.VirtualMachineImages
+ az provider register -n Microsoft.Compute
+ az provider register -n Microsoft.KeyVault
+ az provider register -n Microsoft.Storage
+ az provider register -n Microsoft.Network
+ ```
-We will be using some pieces of information repeatedly, so we will create some variables to store that information.
+## Create a resource group
-```console
-# Image resource group name
-imageResourceGroup=aibmdimsi
-# storage resource group
-strResourceGroup=aibmdimsistor
-# Location
-location=WestUS2
-# name of the image to be created
-imageName=aibCustLinuxImgMsi01
-# image distribution metadata reference name
-runOutputName=u1804ManImgMsiro
-```
+1. Because you'll be using some pieces of information repeatedly, create some variables to store that information.
-Create a variable for your subscription ID.
-```console
-subscriptionID=$(az account show --query id --output tsv)
-```
+ ```console
+ # Image resource group name
+ imageResourceGroup=aibmdimsi
+ # Storage resource group
+ strResourceGroup=aibmdimsistor
+ # Location
+ location=WestUS2
+ # Name of the image to be created
+ imageName=aibCustLinuxImgMsi01
+ # Image distribution metadata reference name
+ runOutputName=u1804ManImgMsiro
+ ```
-Create the resource groups for both the image and the script storage.
+1. Create a variable for your subscription ID:
-```console
-# create resource group for image template
-az group create -n $imageResourceGroup -l $location
-# create resource group for the script storage
-az group create -n $strResourceGroup -l $location
-```
+ ```console
+ subscriptionID=$(az account show --query id --output tsv)
+ ```
-Create a user-assigned identity and set permissions on the resource group.
+1. Create resource groups for both the image and the script storage:
-Image Builder will use the [user-identity](../../active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vm.md#user-assigned-managed-identity) provided to inject the image into the resource group. In this example, you will create an Azure role definition that has the granular actions to perform distributing the image. The role definition will then be assigned to the user-identity.
-
-```console
-# create user assigned identity for image builder to access the storage account where the script is located
-identityName=aibBuiUserId$(date +'%s')
-az identity create -g $imageResourceGroup -n $identityName
+ ```console
+ # Create a resource group for the image template
+ az group create -n $imageResourceGroup -l $location
+ # Create a resource group for the script storage
+ az group create -n $strResourceGroup -l $location
+ ```
-# get identity id
-imgBuilderCliId=$(az identity show -g $imageResourceGroup -n $identityName --query clientId -o tsv)
+1. Create a user-assigned identity, and set permissions on the resource group:
-# get the user identity URI, needed for the template
-imgBuilderId=/subscriptions/$subscriptionID/resourcegroups/$imageResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$identityName
+ VM Image Builder uses the provided [user identity](../../active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vm.md#user-assigned-managed-identity) to inject the image into the resource group. In this example, you create an Azure role definition with specific actions for distributing the image. The role definition is then assigned to the user identity.
-# download preconfigured role definition example
-curl https://raw.githubusercontent.com/azure/azvmimagebuilder/master/solutions/12_Creating_AIB_Security_Roles/aibRoleImageCreation.json -o aibRoleImageCreation.json
+ ```console
+ # Create a user-assigned identity for VM Image Builder to access the storage account where the script is located
+ identityName=aibBuiUserId$(date +'%s')
+ az identity create -g $imageResourceGroup -n $identityName
-# update the definition
-sed -i -e "s/<subscriptionID>/$subscriptionID/g" aibRoleImageCreation.json
-sed -i -e "s/<rgName>/$imageResourceGroup/g" aibRoleImageCreation.json
+ # Get an identity ID
+ imgBuilderCliId=$(az identity show -g $imageResourceGroup -n $identityName --query clientId -o tsv)
-# create role definitions
-az role definition create --role-definition ./aibRoleImageCreation.json
+ # Get the user-identity URI, which is needed for the template
+ imgBuilderId=/subscriptions/$subscriptionID/resourcegroups/$imageResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$identityName
-# grant role definition to the user assigned identity
-az role assignment create \
- --assignee $imgBuilderCliId \
- --role "Azure Image Builder Service Image Creation Role" \
- --scope /subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup
-```
+ # Download the preconfigured role definition example
+ curl https://raw.githubusercontent.com/azure/azvmimagebuilder/master/solutions/12_Creating_AIB_Security_Roles/aibRoleImageCreation.json -o aibRoleImageCreation.json
-Create the storage and copy the sample script into it from GitHub.
+ # Update the definition
+ sed -i -e "s/<subscriptionID>/$subscriptionID/g" aibRoleImageCreation.json
+ sed -i -e "s/<rgName>/$imageResourceGroup/g" aibRoleImageCreation.json
-```azurecli-interactive
-# script storage account
-scriptStorageAcc=aibstorscript$(date +'%s')
+ # Create role definitions
+ az role definition create --role-definition ./aibRoleImageCreation.json
-# script container
-scriptStorageAccContainer=scriptscont$(date +'%s')
+ # Grant the role definition to the user-assigned identity
+ az role assignment create \
+ --assignee $imgBuilderCliId \
+ --role "Azure Image Builder Service Image Creation Role" \
+ --scope /subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup
+ ```
-# script url
-scriptUrl=https://$scriptStorageAcc.blob.core.windows.net/$scriptStorageAccContainer/customizeScript.sh
+1. Create the storage account, and copy the sample script into it from GitHub:
-# create storage account and blob in resource group
-az storage account create -n $scriptStorageAcc -g $strResourceGroup -l $location --sku Standard_LRS
+ ```azurecli-interactive
+ # Script storage account
+ scriptStorageAcc=aibstorscript$(date +'%s')
-az storage container create -n $scriptStorageAccContainer --fail-on-exist --account-name $scriptStorageAcc
+ # Script container
+ scriptStorageAccContainer=scriptscont$(date +'%s')
-# copy in an example script from the GitHub repo
-az storage blob copy start \
- --destination-blob customizeScript.sh \
- --destination-container $scriptStorageAccContainer \
- --account-name $scriptStorageAcc \
- --source-uri https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/customizeScript.sh
-```
+ # Script URL
+ scriptUrl=https://$scriptStorageAcc.blob.core.windows.net/$scriptStorageAccContainer/customizeScript.sh
-Give Image Builder permission to create resources in the image resource group. The `--assignee` value is the user-identity ID.
+ # Create the storage account and blob in the resource group
+ az storage account create -n $scriptStorageAcc -g $strResourceGroup -l $location --sku Standard_LRS
-```azurecli-interactive
-az role assignment create \
- --assignee $imgBuilderCliId \
- --role "Storage Blob Data Reader" \
- --scope /subscriptions/$subscriptionID/resourceGroups/$strResourceGroup/providers/Microsoft.Storage/storageAccounts/$scriptStorageAcc/blobServices/default/containers/$scriptStorageAccContainer
-```
+ az storage container create -n $scriptStorageAccContainer --fail-on-exist --account-name $scriptStorageAcc
+ # Copy in an example script from the GitHub repo
+ az storage blob copy start \
+ --destination-blob customizeScript.sh \
+ --destination-container $scriptStorageAccContainer \
+ --account-name $scriptStorageAcc \
+ --source-uri https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/customizeScript.sh
+ ```
+1. Give VM Image Builder permission to create resources in the image resource group. The `--assignee` value is the user-identity ID.
+ ```azurecli-interactive
+ az role assignment create \
+ --assignee $imgBuilderCliId \
+ --role "Storage Blob Data Reader" \
+ --scope /subscriptions/$subscriptionID/resourceGroups/$strResourceGroup/providers/Microsoft.Storage/storageAccounts/$scriptStorageAcc/blobServices/default/containers/$scriptStorageAccContainer
+ ```
## Modify the example
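Review bot: The last step in "Create a resource group" still says "Give VM Image Builder permission to create resources in the image resource group", but the command under it assigns "Storage Blob Data Reader" scoped to the script container in $strResourceGroup, which is read access to the script and nothing in the image resource group. Since the rewrite touches this sentence anyway, describe what the assignment grants, for example "Give the user-assigned identity read access to the script container". In step 4 of "Register the features", "your features" should be "the resource providers", because the commands around it are `az provider show` and `az provider register`; that list is also numbered 1 through 4 while the other lists in the article use "1." throughout.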
-Download the example .json file and configure it with the variables you created.
+Download the example JSON file and configure it with the variables you created earlier.
```console curl https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/7_Creating_Custom_Image_using_MSI_to_Access_Storage/helloImageTemplateMsi.json -o helloImageTemplateMsi.json
sed -i -e "s%<runOutputName>%$runOutputName%g" helloImageTemplateMsi.json
## Create the image
-Submit the image configuration to the Azure Image Builder service.
+1. Submit the image configuration to the VM Image Builder service:
-```azurecli-interactive
-az resource create \
- --resource-group $imageResourceGroup \
- --properties @helloImageTemplateMsi.json \
- --is-full-object \
- --resource-type Microsoft.VirtualMachineImages/imageTemplates \
- -n helloImageTemplateMsi01
-```
+ ```azurecli-interactive
+ az resource create \
+ --resource-group $imageResourceGroup \
+ --properties @helloImageTemplateMsi.json \
+ --is-full-object \
+ --resource-type Microsoft.VirtualMachineImages/imageTemplates \
+ -n helloImageTemplateMsi01
+ ```
-Start the image build.
+1. Start the image build:
-```azurecli-interactive
-az resource invoke-action \
- --resource-group $imageResourceGroup \
- --resource-type Microsoft.VirtualMachineImages/imageTemplates \
- -n helloImageTemplateMsi01 \
- --action Run
-```
+ ```azurecli-interactive
+ az resource invoke-action \
+ --resource-group $imageResourceGroup \
+ --resource-type Microsoft.VirtualMachineImages/imageTemplates \
+ -n helloImageTemplateMsi01 \
+ --action Run
+ ```
-Wait for the build to complete. This can take about 15 minutes.
+The build can take about 15 minutes to finish.
## Create a VM
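Review bot: Replacing "Wait for the build to complete. This can take about 15 minutes." with "The build can take about 15 minutes to finish." drops the instruction to wait, and the next section creates a VM from $imageName, which is only available once the build has finished. Suggest keeping the imperative, for example "Wait for the build to finish, which can take about 15 minutes." The sentence also sits outside the numbered list, so it may be worth attaching it to step 2.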
-Create a VM from the image.
+1. Create a VM from the image:
-```azurecli
-az vm create \
- --resource-group $imageResourceGroup \
- --name aibImgVm00 \
- --admin-username aibuser \
- --image $imageName \
- --location $location \
- --generate-ssh-keys
-```
+ ```azurecli
+ az vm create \
+ --resource-group $imageResourceGroup \
+ --name aibImgVm00 \
+ --admin-username aibuser \
+ --image $imageName \
+ --location $location \
+ --generate-ssh-keys
+ ```
-After the VM has been created, start an SSH session with the VM.
+1. After the VM has been created, start a Secure Shell (SSH) session with it.
-```console
-ssh aibuser@<publicIp>
-```
+ ```console
+ ssh aibuser@<publicIp>
+ ```
-You should see the image was customized with a Message of the Day as soon as your SSH connection is established!
+After the SSH connection is established, you should receive a "Message of the Day" saying that the image was customized:
```output
You should see the image was customized with a Message of the Day as soon as you
******************************************************* ```
-## Clean up
+## Clean up your resources
-When you are finished, you can delete the resources if they are no longer needed.
+If you no longer need the resources that were created during this process, you can delete them by running the following code:
```azurecli-interactive
az group delete -n $strResourceGroup
## Next steps
-If you have any trouble working with Azure Image Builder, see [Troubleshooting](image-builder-troubleshoot.md?toc=%2fazure%2fvirtual-machines%context%2ftoc.json).
+If you have any problems using VM Image Builder, see [Troubleshoot Azure VM Image Builder](image-builder-troubleshoot.md?toc=%2fazure%2fvirtual-machines%context%2ftoc.json).
virtual-machines Nva10v5 Series https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/nva10v5-series.md
-# NVadsA10 v5-series (Preview)
+# NVadsA10 v5-series
**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets The NVadsA10v5-series virtual machines are powered by [NVIDIA A10](https://www.nvidia.com/en-us/data-center/products/a10-gpu/) GPUs and AMD EPYC 74F3V(Milan) CPUs with a base frequency of 3.2 GHz, all-cores peak frequency of 4.0 GHz. With NVadsA10v5-series Azure is introducing virtual machines with partial NVIDIA GPUs. Pick the right sized virtual machine for GPU accelerated graphics applications and virtual desktops starting at 1/6th of a GPU with 4-GiB frame buffer to a full A10 GPU with 24-GiB frame buffer.
-The preview is currently available in US South Central and West Europe regions. [Sign up for the preview](https://aka.ms/AzureNVadsA10v5Preview) to get early access to the NVadsA10v5-series.
+ <br>
The preview is currently available in US South Central and West Europe regions.
To take advantage of the GPU capabilities of Azure NVadsA10v5-series VMs, NVIDIA GPU drivers must be installed.
-During preview you need to manually install the NVIDIA GPU-P driver for [Linux](https://download.microsoft.com/download/4/3/9/439aea00-a02d-4875-8712-d1ab46cf6a73/NVIDIA-Linux-x86_64-510.47.03-grid-azure.run) and [Windows](https://download.microsoft.com/download/8/d/2/8d228f28-56e2-4e60-bdde-a1dccfe94869/511.65_grid_win10_win11_server2016_server2019_server2022_64bit_Azure_swl.exe). We'll release updated drivers before GA and include it in extensions and all the standard documentation pages.
-
-During preview we support the following guest operating systems.
-- Windows Server 2019(RS5)-- Windows 10 20H2-- Windows 11-- Ubuntu 18.04-- Ubuntu 20.04-- CentOS 7.9-- RHEL 7.9
+The [NVIDIA GPU Driver Extension](./extensions/hpccompute-gpu-windows.md) installs appropriate NVIDIA CUDA or GRID drivers on an N-series VM. Install or manage the extension using the Azure portal or tools such as Azure PowerShell or Azure Resource Manager templates. See the [NVIDIA GPU Driver Extension documentation](./extensions/hpccompute-gpu-windows.md) for supported operating systems and deployment steps. For general information about VM extensions, see [Azure virtual machine extensions and features](./extensions/overview.md).
+If you choose to install NVIDIA GPU drivers manually, see [N-series GPU driver setup for Windows](./windows/n-series-driver-setup.md) or [N-series GPU driver setup for Linux](./linux/n-series-driver-setup.md) for supported operating systems, drivers, installation, and verification steps.
[!INCLUDE [virtual-machines-common-sizes-table-defs](../../includes/virtual-machines-common-sizes-table-defs.md)]
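Review bot: The added driver paragraph links the NVIDIA GPU Driver Extension twice to `./extensions/hpccompute-gpu-windows.md`, but the "Applies to" line of this article covers Linux VMs as well, so Linux readers are sent to the Windows extension page for "supported operating systems and deployment steps". Link the Linux counterpart alongside it. The removed lines carried the list of supported guest operating systems, so confirm that the linked pages actually cover the NVadsA10v5-series before dropping it here. The added `<br>` line looks like a leftover, and the retained sentence still says "The preview is currently available" although the sign-up link was removed.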
virtual-machines Image Builder Gallery Update Image Version https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/image-builder-gallery-update-image-version.md
Title: Create a new Windows image version from an existing image version using Azure Image Builder
-description: Create a new Windows VM image version from an existing image version using Azure Image Builder.
+ Title: Create a new Windows image version from an existing image version using Azure VM Image Builder
+description: Create a new Windows VM image version from an existing image version using Azure VM Image Builder.
-# Create a new Windows VM image version from an existing image version using Azure Image Builder
+
+# Create a new Windows VM image from an existing image by using Azure VM Image Builder
**Applies to:** :heavy_check_mark: Windows VMs
-This article shows you how to take an existing image version in an [Azure Compute Gallery](../shared-image-galleries.md) (formerly known as Shared Image Gallery), update it, and publish it as a new image version to the gallery.
+In this article, you learn how to update an existing Windows image version in an [Azure Compute Gallery](../shared-image-galleries.md) (formerly Shared Image Gallery) and publish it to the gallery as a new image version.
-We will be using a sample .json template to configure the image. The .json file we are using is here: [helloImageTemplateforSIGfromWinSIG.json](https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/2_Creating_a_Custom_Win_Shared_Image_Gallery_Image_from_SIG/helloImageTemplateforSIGfromWinSIG.json).
+To configure the image, you use a sample JSON template, [helloImageTemplateforSIGfromWinSIG.json](https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/2_Creating_a_Custom_Win_Shared_Image_Gallery_Image_from_SIG/helloImageTemplateforSIGfromWinSIG.json).
## Register the features
-To use Azure Image Builder, you need to register the feature.
-
-Check your registration.
-
-```azurecli-interactive
-az provider show -n Microsoft.VirtualMachineImages | grep registrationState
-az provider show -n Microsoft.KeyVault | grep registrationState
-az provider show -n Microsoft.Compute | grep registrationState
-az provider show -n Microsoft.Storage | grep registrationState
-az provider show -n Microsoft.Network | grep registrationState
-```
-If they do not say registered, run the following:
+To use VM Image Builder, you need to register the features.
-```azurecli-interactive
-az provider register -n Microsoft.VirtualMachineImages
-az provider register -n Microsoft.Compute
-az provider register -n Microsoft.KeyVault
-az provider register -n Microsoft.Storage
-az provider register -n Microsoft.Network
-```
+1. Check your provider registrations. Make sure that each one returns *Registered*.
+ ```azurecli-interactive
+ az provider show -n Microsoft.VirtualMachineImages | grep registrationState
+ az provider show -n Microsoft.KeyVault | grep registrationState
+ az provider show -n Microsoft.Compute | grep registrationState
+ az provider show -n Microsoft.Storage | grep registrationState
+ az provider show -n Microsoft.Network | grep registrationState
+ ```
-## Set variables and permissions
+1. If they don't return *Registered*, register the providers by running the following commands:
-If you used [Create an image and distribute to an Azure Compute Gallery](image-builder-gallery.md) to create your Azure Compute Gallery, you've already created the variables we need. If not, please setup some variables to be used for this example.
+ ```azurecli-interactive
+ az provider register -n Microsoft.VirtualMachineImages
+ az provider register -n Microsoft.Compute
+ az provider register -n Microsoft.KeyVault
+ az provider register -n Microsoft.Storage
+ az provider register -n Microsoft.Network
+ ```
-Image builder will only support creating custom images in the same Resource Group as the source managed image. Update the resource group name in this example to be the same resource group as your source managed image.
-
-```azurecli-interactive
-# Resource group name - we are using ibsigRG in this example
-sigResourceGroup=myIBWinRG
-# Datacenter location - we are using West US 2 in this example
-location=westus
-# Additional region to replicate the image to - we are using East US in this example
-additionalregion=eastus
-# name of the Azure Compute Gallery - in this example we are using myGallery
-sigName=my22stSIG
-# name of the image definition to be created - in this example we are using myImageDef
-imageDefName=winSvrimages
-# image distribution metadata reference name
-runOutputName=w2019SigRo
-# User name and password for the VM
-username="user name for the VM"
-vmpassword="password for the VM"
-```
-
-Create a variable for your subscription ID.
-
-```azurecli-interactive
-subscriptionID=$(az account show --query id --output tsv)
-```
-Get the image version that you want to update.
+## Set variables and permissions
-```azurecli-interactive
-sigDefImgVersionId=$(az sig image-version list \
- -g $sigResourceGroup \
- --gallery-name $sigName \
- --gallery-image-definition $imageDefName \
- --subscription $subscriptionID --query [].'id' -o tsv)
-```
+If you've already created an Azure Compute Gallery by using [Create an image and distribute it to an Azure Compute Gallery](image-builder-gallery.md), you've already created some of the variables you need.
+
+> [!NOTE]
+> VM Image Builder supports creating custom images only in the same resource group that the source-managed image is in. In the following example, update the resource group name, *ibsigRG*, with the name of resource group that your source-managed image is in.
+
+1. If you haven't already created the variables, run the following commands:
+
+ ```azurecli-interactive
+ # Resource group name - we are using ibsigRG in this example
+ sigResourceGroup=myIBWinRG
+ # Datacenter location - we are using West US 2 in this example
+ location=westus
+ # Additional region to replicate the image to - we are using East US in this example
+ additionalregion=eastus
+ # name of the Azure Compute Gallery - in this example we are using myGallery
+ sigName=my22stSIG
+ # name of the image definition to be created - in this example we are using myImageDef
+ imageDefName=winSvrimages
+ # image distribution metadata reference name
+ runOutputName=w2019SigRo
+ # User name and password for the VM
+ username="user name for the VM"
+ vmpassword="password for the VM"
+ ```
+
+1. Create a variable for your subscription ID:
+
+ ```azurecli-interactive
+ subscriptionID=$(az account show --query id --output tsv)
+ ```
+
+1. Get the image version that you want to update:
+
+ ```azurecli-interactive
+ sigDefImgVersionId=$(az sig image-version list \
+ -g $sigResourceGroup \
+ --gallery-name $sigName \
+ --gallery-image-definition $imageDefName \
+ --subscription $subscriptionID --query [].'id' -o tsv)
+ ```
## Create a user-assigned identity and set permissions on the resource group
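Review bot: In step 3 of "Set variables and permissions", `az sig image-version list ... --query [].'id' -o tsv` returns the ID of every version under the image definition, so as soon as the definition holds more than one version (which is exactly what this article produces) `sigDefImgVersionId` contains several lines and the later `sed` replacement of `<sigDefImgVersionId>` no longer yields a single source ID. Select one version explicitly, and quote the query expression the way the identity lookup further down does (`--query "[?contains(...)].id"`). The new NOTE also tells readers to replace *ibsigRG*, while the variable is set to `myIBWinRG`, and the comments say West US 2 and myGallery against `location=westus` and `sigName=my22stSIG`; align the NOTE and the comments with the values actually shown.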
-As you had set the user-identity up in the previous example, you just need to get the Resource ID of it, this will then be appended to the template.
+
+You've set up the user identity in an earlier example, so now you need to get the resource ID, which will be appended to the template.
```azurecli-interactive #get identity used previously imgBuilderId=$(az identity list -g $sigResourceGroup --query "[?contains(name, 'aibBuiUserId')].id" -o tsv) ```
-If you already have your own Azure Compute Gallery, and did not follow the previous example, you will need to assign permissions for Image Builder to access the Resource Group, so it can access the gallery. Please review the steps in the [Create an image and distribute to an Azure Compute Gallery](image-builder-gallery.md) example.
+If you already have an Azure Compute Gallery but didn't set it up by following an earlier example, you need to assign permissions for VM Image Builder to access the resource group so that it can access the gallery. For more information, see [Create an image and distribute it to an Azure Compute Gallery](image-builder-gallery.md).
-## Modify helloImage example
-You can review the example we are about to use by opening the .json file here: [helloImageTemplateforSIGfromSIG.json](https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/2_Creating_a_Custom_Linux_Shared_Image_Gallery_Image_from_SIG/helloImageTemplateforSIGfromSIG.json) along with the [Image Builder template reference](../linux/image-builder-json.md).
+## Modify the helloImage example
+You can review the JSON example you're about to use at [helloImageTemplateforSIGfromSIG.json](https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/8_Creating_a_Custom_Win_Shared_Image_Gallery_Image_from_SIG/helloImageTemplateforSIGfromWinSIG.json). For information about the JSON file, see [Create an Azure VM Image Builder template](../linux/image-builder-json.md).
-Download the .json example and configure it with your variables.
+1. Download the JSON example, as shown in [Create a user-assigned identity and set permissions on the resource group](image-builder.md).
-```azurecli-interactive
-curl https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/8_Creating_a_Custom_Win_Shared_Image_Gallery_Image_from_SIG/helloImageTemplateforSIGfromWinSIG.json -o helloImageTemplateforSIGfromWinSIG.json
-sed -i -e "s/<subscriptionID>/$subscriptionID/g" helloImageTemplateforSIGfromWinSIG.json
-sed -i -e "s/<rgName>/$sigResourceGroup/g" helloImageTemplateforSIGfromWinSIG.json
-sed -i -e "s/<imageDefName>/$imageDefName/g" helloImageTemplateforSIGfromWinSIG.json
-sed -i -e "s/<sharedImageGalName>/$sigName/g" helloImageTemplateforSIGfromWinSIG.json
-sed -i -e "s%<sigDefImgVersionId>%$sigDefImgVersionId%g" helloImageTemplateforSIGfromWinSIG.json
-sed -i -e "s/<region1>/$location/g" helloImageTemplateforSIGfromWinSIG.json
-sed -i -e "s/<region2>/$additionalregion/g" helloImageTemplateforSIGfromWinSIG.json
-sed -i -e "s/<runOutputName>/$runOutputName/g" helloImageTemplateforSIGfromWinSIG.json
-sed -i -e "s%<imgBuilderId>%$imgBuilderId%g" helloImageTemplateforSIGfromWinSIG.json
-```
+1. Configure the JSON with your variables:
+
+ ```azurecli-interactive
+ curl https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/8_Creating_a_Custom_Win_Shared_Image_Gallery_Image_from_SIG/helloImageTemplateforSIGfromWinSIG.json -o helloImageTemplateforSIGfromWinSIG.json
+ sed -i -e "s/<subscriptionID>/$subscriptionID/g" helloImageTemplateforSIGfromWinSIG.json
+ sed -i -e "s/<rgName>/$sigResourceGroup/g" helloImageTemplateforSIGfromWinSIG.json
+ sed -i -e "s/<imageDefName>/$imageDefName/g" helloImageTemplateforSIGfromWinSIG.json
+ sed -i -e "s/<sharedImageGalName>/$sigName/g" helloImageTemplateforSIGfromWinSIG.json
+ sed -i -e "s%<sigDefImgVersionId>%$sigDefImgVersionId%g" helloImageTemplateforSIGfromWinSIG.json
+ sed -i -e "s/<region1>/$location/g" helloImageTemplateforSIGfromWinSIG.json
+ sed -i -e "s/<region2>/$additionalregion/g" helloImageTemplateforSIGfromWinSIG.json
+ sed -i -e "s/<runOutputName>/$runOutputName/g" helloImageTemplateforSIGfromWinSIG.json
+ sed -i -e "s%<imgBuilderId>%$imgBuilderId%g" helloImageTemplateforSIGfromWinSIG.json
+ ```
## Create the image
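Review bot: The new intro link in "Modify the helloImage example" is labelled helloImageTemplateforSIGfromSIG.json but points at helloImageTemplateforSIGfromWinSIG.json under `8_Creating_a_Custom_Win_Shared_Image_Gallery_Image_from_SIG`, while the link in the article introduction uses the same file name under `2_Creating_a_Custom_Win_Shared_Image_Gallery_Image_from_SIG`; make the label match the file and use one path throughout. Step 1 ("Download the JSON example, as shown in ...") links to image-builder.md under a title about identities, and the actual download is the `curl` in step 2, so step 1 should be dropped or merged into step 2. Because the downloaded template is then submitted to VM Image Builder under the user-assigned identity, consider pointing `curl` at a fixed commit instead of `master` and asking readers to review the file before they run `az resource create`.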
-Submit the image configuration to the VM Image Builder Service.
+1. Submit the image configuration to the VM Image Builder service:
-```azurecli-interactive
-az resource create \
- --resource-group $sigResourceGroup \
- --location $location \
- --properties @helloImageTemplateforSIGfromWinSIG.json \
- --is-full-object \
- --resource-type Microsoft.VirtualMachineImages/imageTemplates \
- -n imageTemplateforSIGfromWinSIG01
-```
+ ```azurecli-interactive
+ az resource create \
+ --resource-group $sigResourceGroup \
+ --location $location \
+ --properties @helloImageTemplateforSIGfromWinSIG.json \
+ --is-full-object \
+ --resource-type Microsoft.VirtualMachineImages/imageTemplates \
+ -n imageTemplateforSIGfromWinSIG01
+ ```
-Start the image build.
+1. Start the image build:
-```azurecli-interactive
-az resource invoke-action \
- --resource-group $sigResourceGroup \
- --resource-type Microsoft.VirtualMachineImages/imageTemplates \
- -n imageTemplateforSIGfromWinSIG01 \
- --action Run
-```
+ ```azurecli-interactive
+ az resource invoke-action \
+ --resource-group $sigResourceGroup \
+ --resource-type Microsoft.VirtualMachineImages/imageTemplates \
+ -n imageTemplateforSIGfromWinSIG01 \
+ --action Run
+ ```
-Wait until the image has been built and replication before moving on to the next step.
+Wait for the image to be built and replicated before you move along to the next step.
## Create the VM
+Create the VM by doing the following:
+ ```azurecli-interactive az vm create \
- --resource-group $sigResourceGroup \
- --name aibImgWinVm002 \
- --admin-username $username \
- --admin-password $vmpassword \
- --image "/subscriptions/$subscriptionID/resourceGroups/$sigResourceGroup/providers/Microsoft.Compute/galleries/$sigName/images/$imageDefName/versions/latest" \
- --location $location
+--resource-group $sigResourceGroup \
+--name aibImgWinVm002 \
+--admin-username $username \
+--admin-password $vmpassword \
+--image "/subscriptions/$subscriptionID/resourceGroups/$sigResourceGroup/providers/Microsoft.Compute/galleries/$sigName/images/$imageDefName/versions/latest" \
+--location $location
``` ## Verify the customization
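Review bot: `--admin-password $vmpassword` takes the password from a variable that the earlier step sets as a literal (`vmpassword="password for the VM"`) and expands it unquoted, so the literal assignment lands in shell history, the expanded value appears in the process arguments, and a password containing spaces or shell metacharacters is split or altered. Suggest reading it without echo (`read -s vmpassword`) and passing it quoted as `"$vmpassword"`. In the added block as shown here, the opening fence and `az vm create \` share one line and the option lines lost their indentation; put the fence on its own line and indent the continuation lines as the other blocks in this article do.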
-Create a Remote Desktop connection to the VM using the username and password you set when you created the VM. Inside the VM, open a cmd prompt and type:
+
+Create a Remote Desktop connection to the VM by using the username and password you set when you created the VM. Inside the VM, open a Command Prompt window, and then run:
```console dir c:\ ``` You should now see two directories:-- `buildActions` that was created in the first image version.-- `buildActions2` that was created as part up updating the first image version to create the second image version.+
+- *buildActions*: Created in the first image version.
+- *buildActions2*: Created when you updated the first image version to create the second image version.
## Next steps
-To learn more about the components of the .json file used in this article, see [Image builder template reference](../linux/image-builder-json.md).
+To learn more about the components of the JSON file that you used in this article, see [Create an Azure VM Image Builder template](../linux/image-builder-json.md).
virtual-machines Image Builder Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/image-builder-gallery.md
Title: Use Azure Image Builder with a gallery for Windows VMs
-description: Create Azure Shared Gallery image versions using Azure Image Builder and Azure PowerShell.
+ Title: Use Azure VM Image Builder with a gallery for Windows VMs
+description: Create Azure Shared Gallery image versions using VM Image Builder and Azure PowerShell.
**Applies to:** :heavy_check_mark: Windows VMs
-This article is to show you how you can use the Azure Image Builder, and Azure PowerShell, to create an image version in an [Azure Compute Gallery](../shared-image-galleries.md) (formerly known as Shared Image Gallery), then distribute the image globally. You can also do this using the [Azure CLI](../linux/image-builder-gallery.md).
+In this article, you learn how to use Azure VM Image Builder and Azure PowerShell to create an image version in an [Azure Compute Gallery](../shared-image-galleries.md) (formerly Shared Image Gallery) and then distribute the image globally. You can also do this by using the [Azure CLI](../linux/image-builder-gallery.md).
-We will be using a .json template to configure the image. The .json file we are using is here: [armTemplateWinSIG.json](https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/1_Creating_a_Custom_Win_Shared_Image_Gallery_Image/armTemplateWinSIG.json). We will be downloading and editing a local version of the template, so this article is written using local PowerShell session.
+To configure the image, this article uses a JSON template, which you can find at [armTemplateWinSIG.json](https://raw.githubusercontent.com/azure/azvmimagebuilder/master/quickquickstarts/1_Creating_a_Custom_Win_Shared_Image_Gallery_Image/armTemplateWinSIG.json). You'll download and edit a local version of the template, so you'll also use a local PowerShell session.
To distribute the image to an Azure Compute Gallery, the template uses [sharedImage](../linux/image-builder-json.md#distribute-sharedimage) as the value for the `distribute` section of the template.
-Azure Image Builder automatically runs sysprep to generalize the image, this is a generic sysprep command, which you can [override](../linux/image-builder-troubleshoot.md#vms-created-from-aib-images-do-not-create-successfully) if needed.
+VM Image Builder automatically runs `Sysprep` to generalize the image. The command is a generic `Sysprep` command, and you can [override](../linux/image-builder-troubleshoot.md#vms-created-from-vm-image-builder-images-arent-created-successfully) it if you need to.
-Be aware how many times you layer customizations. You can run the Sysprep command a limited number times on a single Windows image. After reaching the Sysprep limit, you must recreate your Windows image. For more information, see [Limits on how many times you can run Sysprep](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation#limits-on-how-many-times-you-can-run-sysprep).
+Be aware of the number of times you layer customizations. You can run the `Sysprep` command a limited number of times on a single Windows image. After you've reached the `Sysprep` limit, you must re-create your Windows image. For more information, see [Limits on how many times you can run Sysprep](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation#limits-on-how-many-times-you-can-run-sysprep).
## Register the features
-To use Azure Image Builder, you need to register the feature.
-Check your provider registrations. Make sure each returns `Registered`.
+To use VM Image Builder, you need to register the features.
-```powershell
-Get-AzResourceProvider -ProviderNamespace Microsoft.VirtualMachineImages | Format-table -Property ResourceTypes,RegistrationState
-Get-AzResourceProvider -ProviderNamespace Microsoft.Storage | Format-table -Property ResourceTypes,RegistrationState
-Get-AzResourceProvider -ProviderNamespace Microsoft.Compute | Format-table -Property ResourceTypes,RegistrationState
-Get-AzResourceProvider -ProviderNamespace Microsoft.KeyVault | Format-table -Property ResourceTypes,RegistrationState
-Get-AzResourceProvider -ProviderNamespace Microsoft.Network | Format-table -Property ResourceTypes,RegistrationState
-```
+1. Check your provider registrations. Make sure that each one returns *Registered*.
-If they do not return `Registered`, use the following to register the providers:
+ ```powershell
+ Get-AzResourceProvider -ProviderNamespace Microsoft.VirtualMachineImages | Format-table -Property ResourceTypes,RegistrationState
+ Get-AzResourceProvider -ProviderNamespace Microsoft.Storage | Format-table -Property ResourceTypes,RegistrationState
+ Get-AzResourceProvider -ProviderNamespace Microsoft.Compute | Format-table -Property ResourceTypes,RegistrationState
+ Get-AzResourceProvider -ProviderNamespace Microsoft.KeyVault | Format-table -Property ResourceTypes,RegistrationState
+ Get-AzResourceProvider -ProviderNamespace Microsoft.Network | Format-table -Property ResourceTypes,RegistrationState
+ ```
-```powershell
-Register-AzResourceProvider -ProviderNamespace Microsoft.VirtualMachineImages
-Register-AzResourceProvider -ProviderNamespace Microsoft.Storage
-Register-AzResourceProvider -ProviderNamespace Microsoft.Compute
-Register-AzResourceProvider -ProviderNamespace Microsoft.KeyVault
-Register-AzResourceProvider -ProviderNamespace Microsoft.Network
-```
+1. If they don't return *Registered*, register the providers by running the following commands:
-Install PowerShell Modules:
-```powerShell
-'Az.ImageBuilder', 'Az.ManagedServiceIdentity' | ForEach-Object {Install-Module -Name $_ -AllowPrerelease}
-```
+ ```powershell
+ Register-AzResourceProvider -ProviderNamespace Microsoft.VirtualMachineImages
+ Register-AzResourceProvider -ProviderNamespace Microsoft.Storage
+ Register-AzResourceProvider -ProviderNamespace Microsoft.Compute
+ Register-AzResourceProvider -ProviderNamespace Microsoft.KeyVault
+ Register-AzResourceProvider -ProviderNamespace Microsoft.Network
+ ```
+
+1. Install PowerShell modules:
+
+ ```powerShell
+ 'Az.ImageBuilder', 'Az.ManagedServiceIdentity' | ForEach-Object {Install-Module -Name $_ -AllowPrerelease}
+ ```
## Create variables
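Review bot: The install step `'Az.ImageBuilder', 'Az.ManagedServiceIdentity' | ForEach-Object {Install-Module -Name $_ -AllowPrerelease}` accepts whatever prerelease build is newest at run time, with no version stated, and a later section runs `Install-Module -Name Az.ManagedServiceIdentity` a second time. State the version the article was tested with (`-RequiredVersion`), say why prerelease builds are needed or drop the switch, and remove the duplicate install. The fence tag on this block is `powerShell` while the other blocks use `powershell`.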
-We will be using some pieces of information repeatedly, so we will create some variables to store that information. Replace the values for the variables, like `username` and `vmpassword`, with your own information.
+Because you'll be using some pieces of information repeatedly, create some variables to store that information.
+
+Replace the values for the variables, such as `username` and `vmpassword`, with your own information.
```powershell # Get existing context
$imageTemplateName="helloImageTemplateWin02ps"
# This gives you the properties of the managed image on completion. $runOutputName="winclientR01"
-# Create a resource group for Image Template and Azure Compute Gallery
+# Create a resource group for the VM Image Builder template and Azure Compute Gallery
New-AzResourceGroup ` -Name $imageResourceGroup ` -Location $location
New-AzResourceGroup `
## Create a user-assigned identity and set permissions on the resource group
-Image Builder will use the [user-identity](../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-powershell.md) provided to inject the image into the Azure Azure Compute Gallery (SIG). In this example, you will create an Azure role definition that has the granular actions to perform distributing the image to the SIG. The role definition will then be assigned to the user-identity.
+
+VM Image Builder uses the provided [user-identity](../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-powershell.md) to inject the image into Azure Compute Gallery. In this example, you create an Azure role definition with specific actions for distributing the image. The role definition is then assigned to the user identity.
```powershell # setup role def names, these need to be unique
$timeInt=$(get-date -UFormat "%s")
$imageRoleDefName="Azure Image Builder Image Def"+$timeInt $identityName="aibIdentity"+$timeInt
-## Add AZ PS module to support AzUserAssignedIdentity
+## Add an Azure PowerShell module to support AzUserAssignedIdentity
Install-Module -Name Az.ManagedServiceIdentity
-# create identity
+# Create an identity
New-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName $identityNameResourceId=$(Get-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName).Id
$identityNamePrincipalId=$(Get-AzUserAssignedIdentity -ResourceGroupName $imageR
```
-### Assign permissions for identity to distribute images
+### Assign permissions for the identity to distribute the images
-This command will download an Azure role definition template, and update the template with the parameters specified earlier.
+Use this command to download an Azure role definition template, and then update it with the previously specified parameters.
```powershell $aibRoleImageCreationUrl="https://raw.githubusercontent.com/azure/azvmimagebuilder/master/solutions/12_Creating_AIB_Security_Roles/aibRoleImageCreation.json" $aibRoleImageCreationPath = "aibRoleImageCreation.json"
-# download config
+# Download the configuration
Invoke-WebRequest -Uri $aibRoleImageCreationUrl -OutFile $aibRoleImageCreationPath -UseBasicParsing ((Get-Content -path $aibRoleImageCreationPath -Raw) -replace '<subscriptionID>',$subscriptionID) | Set-Content -Path $aibRoleImageCreationPath ((Get-Content -path $aibRoleImageCreationPath -Raw) -replace '<rgName>', $imageResourceGroup) | Set-Content -Path $aibRoleImageCreationPath ((Get-Content -path $aibRoleImageCreationPath -Raw) -replace 'Azure Image Builder Service Image Creation Role', $imageRoleDefName) | Set-Content -Path $aibRoleImageCreationPath
-# create role definition
+# Create a role definition
New-AzRoleDefinition -InputFile ./aibRoleImageCreation.json
-# grant role definition to image builder service principal
+# Grant the role definition to the VM Image Builder service principal
New-AzRoleAssignment -ObjectId $identityNamePrincipalId -RoleDefinitionName $imageRoleDefName -Scope "/subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup"-
-### NOTE: If you see this error: 'New-AzRoleDefinition: Role definition limit exceeded. No more role definitions can be created.' See this article to resolve:
-https://docs.microsoft.com/azure/role-based-access-control/troubleshooting
```
+> [!NOTE]
+> If you receive the error "New-AzRoleDefinition: Role definition limit exceeded. No more role definitions can be created," see [Troubleshoot Azure RBAC (role-based access control)](../../role-based-access-control/troubleshooting.md).
++
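Review bot: The role-definition block downloads `aibRoleImageCreation.json` from the `master` branch and passes it straight to `New-AzRoleDefinition`, then assigns the result at resource-group scope, so the actions granted to the identity are whatever that file contains on the day the reader runs it. While these comments are being reworded, add a step that displays the `Actions` list of the downloaded file before the role is created, and reference a fixed commit in `$aibRoleImageCreationUrl`. The reworded comment "Grant the role definition to the VM Image Builder service principal" would read more consistently with the section title as "to the user-assigned identity", since `-ObjectId $identityNamePrincipalId` is the identity created above. The trailing `++` line after the NOTE looks like a leftover.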
-## Create the Azure Compute Gallery
+## Create an Azure Compute Gallery
-To use Image Builder with an Azure Compute Gallery, you need to have an existing gallery and image definition. Image Builder will not create the gallery and image definition for you.
+To use VM Image Builder with an Azure Compute Gallery, you need to have an existing gallery and image definition. VM Image Builder doesn't create the gallery and image definition for you.
-If you don't already have a gallery and image definition to use, start by creating them. First, create a gallery.
+If you don't already have a gallery and image definition to use, start by creating them.
```powershell # Gallery name
$sigGalleryName= "myIBSIG"
# Image definition name $imageDefName ="winSvrimage"
-# additional replication region
+# Additional replication region
$replRegion2="eastus" # Create the gallery
New-AzGalleryImageDefinition `
-Sku 'WinSrv2019' ``` -- ## Download and configure the template
-Download the .json template and configure it with your variables.
+Download the JSON template and configure it with your variables.
```powershell
Invoke-WebRequest `
## Create the image version
-Your template must be submitted to the service, this will download any dependent artifacts, like scripts, and store them in the staging Resource Group, prefixed with *IT_*.
+Your template must be submitted to the service. The following commands will download any dependent artifacts, such as scripts, and store them in the staging resource group, which is prefixed with *IT_*.
```powershell New-AzResourceGroupDeployment `
New-AzResourceGroupDeployment `
-svclocation $location ```
-To build the image you need to invoke 'Run' on the template.
+To build the image, invoke 'Run' on the template.
```powershell Invoke-AzResourceAction `
Invoke-AzResourceAction `
-Action Run ```
-Creating the image and replicating it to both regions can take a while. Wait until this part is finished before moving on to creating a VM.
+Creating the image and replicating it to both regions can take a few moments. Before you begin creating a VM, wait until this part is finished.
-For information on options for automating getting the image build status, see the [Readme]
```powershell Get-AzImageBuilderTemplate -ImageTemplateName $imageTemplateName -ResourceGroupName $imageResourceGroup | Select-Object -Property Name, LastRunStatusRunState, LastRunStatusMessage, ProvisioningState
Get-AzImageBuilderTemplate -ImageTemplateName $imageTemplateName -ResourceGroupN
## Create the VM
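Review bot: The reworded sentence changes "can take a while" to "can take a few moments", which tells readers to expect a much shorter wait than the original did for an image build plus replication to two regions; keep the original meaning unless the shorter estimate has been confirmed. Removing the line that introduced the status check also leaves the `Get-AzImageBuilderTemplate ... | Select-Object -Property Name, LastRunStatusRunState, LastRunStatusMessage, ProvisioningState` block without any lead-in; add a sentence telling readers to rerun it until the run state shows that the build has finished.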
-Create a VM from the image version that was created by Azure Image Builder.
-
-Get the image version you created.
-```powershell
-$imageVersion = Get-AzGalleryImageVersion `
- -ResourceGroupName $imageResourceGroup `
- -GalleryName $sigGalleryName `
- -GalleryImageDefinitionName $imageDefName
-```
-
-Create the VM in the second region that were the image was replicated.
-
-```powershell
-$vmResourceGroup = "myResourceGroup"
-$vmName = "myVMfromImage"
-
-# Create user object
-$cred = Get-Credential -Message "Enter a username and password for the virtual machine."
-
-# Create a resource group
-New-AzResourceGroup -Name $vmResourceGroup -Location $replRegion2
-
-# Network pieces
-$subnetConfig = New-AzVirtualNetworkSubnetConfig -Name mySubnet -AddressPrefix 192.168.1.0/24
-$vnet = New-AzVirtualNetwork -ResourceGroupName $vmResourceGroup -Location $replRegion2 `
- -Name MYvNET -AddressPrefix 192.168.0.0/16 -Subnet $subnetConfig
-$pip = New-AzPublicIpAddress -ResourceGroupName $vmResourceGroup -Location $replRegion2 `
- -Name "mypublicdns$(Get-Random)" -AllocationMethod Static -IdleTimeoutInMinutes 4
-$nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name myNetworkSecurityGroupRuleRDP -Protocol Tcp `
- -Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * `
- -DestinationPortRange 3389 -Access Deny
-$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $vmResourceGroup -Location $replRegion2 `
- -Name myNetworkSecurityGroup -SecurityRules $nsgRuleRDP
-$nic = New-AzNetworkInterface -Name myNic -ResourceGroupName $vmResourceGroup -Location $replRegion2 `
- -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id
-
-# Create a virtual machine configuration using $imageVersion.Id to specify the image
-$vmConfig = New-AzVMConfig -VMName $vmName -VMSize Standard_D1_v2 | `
-Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | `
-Set-AzVMSourceImage -Id $imageVersion.Id | `
-Add-AzVMNetworkInterface -Id $nic.Id
-
-# Create a virtual machine
-New-AzVM -ResourceGroupName $vmResourceGroup -Location $replRegion2 -VM $vmConfig
-```
+Create a VM from the image version that you created with VM Image Builder.
+
+1. Get the image version that you created:
+
+ ```powershell
+ $imageVersion = Get-AzGalleryImageVersion `
+ -ResourceGroupName $imageResourceGroup `
+ -GalleryName $sigGalleryName `
+ -GalleryImageDefinitionName $imageDefName
+ ```
+
+1. Create the VM in the second region, where the image was replicated:
+
+ ```powershell
+ $vmResourceGroup = "myResourceGroup"
+ $vmName = "myVMfromImage"
+
+ # Create user object
+ $cred = Get-Credential -Message "Enter a username and password for the virtual machine."
+
+ # Create a resource group
+ New-AzResourceGroup -Name $vmResourceGroup -Location $replRegion2
+
+ # Network pieces
+ $subnetConfig = New-AzVirtualNetworkSubnetConfig -Name mySubnet -AddressPrefix 192.168.1.0/24
+ $vnet = New-AzVirtualNetwork -ResourceGroupName $vmResourceGroup -Location $replRegion2 `
+ -Name MYvNET -AddressPrefix 192.168.0.0/16 -Subnet $subnetConfig
+ $pip = New-AzPublicIpAddress -ResourceGroupName $vmResourceGroup -Location $replRegion2 `
+ -Name "mypublicdns$(Get-Random)" -AllocationMethod Static -IdleTimeoutInMinutes 4
+ $nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name myNetworkSecurityGroupRuleRDP -Protocol Tcp `
+ -Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * `
+ -DestinationPortRange 3389 -Access Deny
+ $nsg = New-AzNetworkSecurityGroup -ResourceGroupName $vmResourceGroup -Location $replRegion2 `
+ -Name myNetworkSecurityGroup -SecurityRules $nsgRuleRDP
+ $nic = New-AzNetworkInterface -Name myNic -ResourceGroupName $vmResourceGroup -Location $replRegion2 `
+ -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id
+
+ # Create a virtual machine configuration using $imageVersion.Id to specify the image
+ $vmConfig = New-AzVMConfig -VMName $vmName -VMSize Standard_D1_v2 | `
+ Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | `
+ Set-AzVMSourceImage -Id $imageVersion.Id | `
+ Add-AzVMNetworkInterface -Id $nic.Id
+
+ # Create a virtual machine
+ New-AzVM -ResourceGroupName $vmResourceGroup -Location $replRegion2 -VM $vmConfig
+ ```
## Verify the customization
-Create a Remote Desktop connection to the VM using the username and password you set when you created the VM. Inside the VM, open a cmd prompt and type:
+
+Create a Remote Desktop connection to the VM by using the username and password that you set when you created the VM. In the VM, open a Command Prompt window and run the following command:
```console dir c:\
dir c:\
You should see a directory named `buildActions` that was created during image customization.
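Review bot: The NSG rule `myNetworkSecurityGroupRuleRDP` in step 2 is created with `-Access Deny` for inbound TCP 3389 from any source, yet this section tells the reader to open a Remote Desktop connection to the VM, which is given a public IP address. Keeping RDP closed to `*` is the safer default, but the article should say how the reader is expected to connect, for example by adding an allow rule scoped to their own address, and the rule name could make clear that it blocks RDP. Separately, `Get-AzGalleryImageVersion` in step 1 is called without a version name, so `$imageVersion.Id` is a single ID only while the image definition has exactly one version.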
-## Clean up resources
-If you want to now try re-customizing the image version to create a new version of the same image, **skip this step** and go on to [Use Azure Image Builder to create another image version](image-builder-gallery-update-image-version.md).
+## Clean up your resources
+> [!NOTE]
+> If you now want to try to recustomize the image version to create a new version of the same image, *skip the step outlined here* and go to [Use VM Image Builder to create another image version](image-builder-gallery-update-image-version.md).
-This will delete the image that was created, along with all of the other resource files. Make sure you are finished with this deployment before deleting the resources.
+If you no longer need the resources that you created as you followed the process in this article, you can delete them.
-Delete the resource group template first, otherwise the staging resource group (*IT_*) used by AIB will not be cleaned up.
+The following process deletes both the image that you created and all the other resource files. Make sure that you've finished this deployment before you delete the resources.
-Get ResourceID of the image template.
+Delete the resource group template first. Otherwise, the staging resource group (*IT_*) that VM Image Builder uses won't be cleaned up.
-```powerShell
-$resTemplateId = Get-AzResource -ResourceName $imageTemplateName -ResourceGroupName $imageResourceGroup -ResourceType Microsoft.VirtualMachineImages/imageTemplates -ApiVersion "2020-02-14"
-```
+1. Get the ResourceID of the image template.
-Delete image template.
+ ```powerShell
+ $resTemplateId = Get-AzResource -ResourceName $imageTemplateName -ResourceGroupName $imageResourceGroup -ResourceType Microsoft.VirtualMachineImages/imageTemplates -ApiVersion "2020-02-14"
+ ```
-```powerShell
-Remove-AzResource -ResourceId $resTemplateId.ResourceId -Force
-```
+1. Delete image template.
-Delete role assignment
+ ```powerShell
+ Remove-AzResource -ResourceId $resTemplateId.ResourceId -Force
+ ```
-```powerShell
-Remove-AzRoleAssignment -ObjectId $identityNamePrincipalId -RoleDefinitionName $imageRoleDefName -Scope "/subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup"
-```
+1. Delete the role assignment.
-remove definitions
+ ```powerShell
+ Remove-AzRoleAssignment -ObjectId $identityNamePrincipalId -RoleDefinitionName $imageRoleDefName -Scope "/subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup"
+ ```
-```powerShell
-Remove-AzRoleDefinition -Name "$identityNamePrincipalId" -Force -Scope "/subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup"
-```
+1. Remove the definitions.
-delete identity
+ ```powerShell
+ Remove-AzRoleDefinition -Name "$identityNamePrincipalId" -Force -Scope "/subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup"
+ ```
-```powerShell
-Remove-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName -Force
-```
+1. Delete the identity.
-delete the resource group.
+ ```powerShell
+ Remove-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName -Force
+ ```
-```powerShell
-Remove-AzResourceGroup $imageResourceGroup -Force
-```
+1. Delete the resource group.
+
+ ```powerShell
+ Remove-AzResourceGroup $imageResourceGroup -Force
+ ```
-## Next Steps
+## Next steps
-To learn how to update the image version you created, see [Use Azure Image Builder to create another image version](image-builder-gallery-update-image-version.md).
+To update the image version that you created in this article, see [Use VM Image Builder to create another image version](image-builder-gallery-update-image-version.md).
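Review bot: In the "Remove the definitions" step, `Remove-AzRoleDefinition -Name "$identityNamePrincipalId"` passes the identity's principal ID as the role definition name, while the step before it removes the assignment with `-RoleDefinitionName $imageRoleDefName`. The renumbering carried this over unchanged from the old text; it looks like it should be `-Name $imageRoleDefName`, otherwise the role definition is likely to be left behind after cleanup. The new sentence "Delete the resource group template first" also reads as if it should say "image template", since that is what the first two steps look up and remove.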
virtual-machines Image Builder https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/image-builder.md
vi helloImageTemplateWin.json
``` > [!NOTE]
-> For the source image, always [specify a version](../linux/image-builder-troubleshoot.md#build-step-failed-for-image-version). You can't specify `latest` as the version.
+> For the source image, always [specify a version](../linux/image-builder-troubleshoot.md#the-build-step-failed-for-the-image-version). You can't specify `latest` as the version.
> > If you add or change the resource group that the image is distributed to, make sure that the [permissions are set](#create-a-user-assigned-identity-and-set-permissions-on-the-resource-group) on the resource group.
virtual-machines Sap Rise Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/workloads/sap/sap-rise-integration.md
See [SAP's documentation](https://help.sap.com/docs/PRIVATE_LINK) and a series o
Your SAP landscape runs within SAP RISE/ECS subscription, you can access the SAP system through available ports. Each application communicating with your SAP system might require different ports to access it.
-For SAP Fiori, standalone or embedded within the SAP S/4 HANA or NetWeaver system, the customer can connect applications through OData or Rest API. Both use https for incoming requests to the SAP system. Applications running on-premise or within the customerΓÇÖs own Azure subscription and vnet, use the established vnet peering or VPN vnet-to-vnet connection through a private IP address. Applications accessing a publicly available IP, exposed through SAP RISE managed Azure application gateway, are also able to contact the SAP system through https. For details and security for the application gateway and NSG open ports, contact SAP.
+For SAP Fiori, standalone or embedded within the SAP S/4 HANA or NetWeaver system, the customer can connect applications through OData or REST API. Both use https for incoming requests to the SAP system. Applications running on-premise or within the customerΓÇÖs own Azure subscription and vnet, use the established vnet peering or VPN vnet-to-vnet connection through a private IP address. Applications accessing a publicly available IP, exposed through SAP RISE managed Azure application gateway, are also able to contact the SAP system through https. For details and security for the application gateway and NSG open ports, contact SAP.
Applications using remote function calls (RFC) or direct database connections using JDBC/ODBC protocols are only possible through private networks and thus via the vnet peering or VPN from customerΓÇÖs vnet(s).
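Review bot: The corrected sentence still writes "https" in lowercase twice and uses "on-premise". Since the line is already being touched for the "REST API" fix, "HTTPS" and "on-premises" could be corrected in the same pass.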
virtual-network-manager How To Block Network Traffic Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network-manager/how-to-block-network-traffic-portal.md
Previously updated : 05/02/2022 Last updated : 07/01/2022
Before you start to configure security admin rules, confirm that you've done the
## Create a SecurityAdmin configuration
-1. Select **Configurations** under *Settings* and then select **+ Add a configuration**.
+1. Select **Configurations** under *Settings* and then select **+ Create**.
:::image type="content" source="./media/create-virtual-network-manager-portal/add-configuration.png" alt-text="Screenshot of add a security admin configuration.":::
-1. Select **SecurityAdmin** from the drop-down menu.
+1. Select **Security admin configuration** from the drop-down menu.
:::image type="content" source="./media/how-to-block-network-traffic-portal/security-admin-drop-down.png" alt-text="Screenshot of add a configuration drop-down.":::
Before you start to configure security admin rules, confirm that you've done the
| Action* | Select **Deny** to block traffic. For more information, see [Action](concept-security-admins.md#action) | Direction* | Select **Inbound** as you want to deny inbound traffic with this rule. | | Protocol* | Select the **TCP** protocol. HTTP and HTTPS are TCP ports. |
+ |**Source**| |
| Source type | Select the source type of either **IP address** or **Service tags**. | | Source IP addresses | This field will appear when you select the source type of *IP address*. Enter an IPv4 or IPv6 address or a range using CIDR notation. When defining more than one address or blocks of addresses separate using a comma. Leave blank for this example.| | Source service tag | This field will appear when you select the source type of *Service tag*. Select service tag(s) for services you want to specify as the source. See [Available service tags](../virtual-network/service-tags-overview.md#available-service-tags), for the list of supported tags. | | Source port | Enter a single port number or a port range such as (1024-65535). When defining more than one port or port ranges, separate them using a comma. To specify any port, enter *. Leave blank for this example.|
+ |**Desination**| |
| Destination type | Select the destination type of either **IP address** or **Service tags**. | | Destination IP addresses | This field will appear when you select the destination type of *IP address*. Enter an IPv4 or IPv6 address or a range using CIDR notation. When defining more than one address or blocks of addresses separate using a comma. | | Destination service tag | This field will appear when you select the destination type of *Service tag*. Select service tag(s) for services you want to specify as the destination. See [Available service tags](../virtual-network/service-tags-overview.md#available-service-tags), for the list of supported tags. |
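Review bot: The new section row is spelled `**Desination**`; it should be `**Destination**` to match the "Destination type" rows that follow it and to pair with the new `**Source**` row.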
Before you start to configure security admin rules, confirm that you've done the
If you just created a new security admin configuration, make sure to deploy this configuration to apply to virtual networks in the network group.
-1. Select **Deployments** under *Settings*, then select **Deploy a configuration**.
+1. Select **Deployments** under *Settings*, then select **Deploy configuration**.
:::image type="content" source="./media/how-to-block-network-traffic-portal/deploy-configuration.png" alt-text="Screenshot of deploy a configuration button.":::
-1. Select the configuration type of **Include security admin in your goal state** and the security configuration you created in the last section. Then choose the region(s) you would like to deploy this configuration to.
+1. Select the **Include security admin in your goal state** checkbox and choose the security configuration you created in the last section from the dropdown menu. Then choose the region(s) you would like to deploy this configuration to.
:::image type="content" source="./media/how-to-block-network-traffic-portal/deploy-security-configuration.png" alt-text="Screenshot of deploy a security configuration page.":::
virtual-network-manager How To View Applied Configurations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network-manager/how-to-view-applied-configurations.md
Once your configuration has been deployed by Virtual Network Manager, you can vi
:::image type="content" source="./media/how-to-view-applied-configurations/vnet-connectivity.png" alt-text="Screenshot of connectivity configuration associated to a virtual network.":::
-2. Select the **SecurityAdmin** tab to see all the security rules currently applied to your virtual network.
+2. Select the **Security admin configurations** tab to see all the security rules currently applied to your virtual network.
:::image type="content" source="./media/how-to-view-applied-configurations/vnet-security.png" alt-text="Screenshot of security rules associated to a virtual network.":::
virtual-network-manager Tutorial Create Secured Hub And Spoke https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network-manager/tutorial-create-secured-hub-and-spoke.md
In this tutorial, you learn how to:
## Prerequisite
+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
* Before you can complete steps in this tutorial, you must first [create an Azure Virtual Network Manager](create-virtual-network-manager-portal.md) instance. ## Create virtual networks
virtual-wan Openvpn Azure Ad Client https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/openvpn-azure-ad-client.md
Title: 'VPN Gateway: VPN client for OpenVPN protocol P2S connections: Azure AD authentication'
+ Title: 'VPN client for OpenVPN protocol P2S connections: Azure AD authentication'
+ description: Learn how to use P2S VPN to connect to your VNet using Azure AD authentication.
virtual-wan Virtual Wan Point To Site Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/virtual-wan-point-to-site-powershell.md
Previously updated : 04/11/2022 Last updated : 07/05/2022 # Create a P2S User VPN connection using Azure Virtual WAN - PowerShell
-This article shows you how to use Virtual WAN to connect to your resources in Azure. In this article, you create a point-to-site User VPN connection over OpenVPN or IPsec/IKE (IKEv2) using PowerShell. This type of connection requires the native VPN client to be configured on each connecting client computer.
+This article shows you how to use Virtual WAN to connect to your resources in Azure. In this article, you create a point-to-site User VPN connection over OpenVPN or IPsec/IKE (IKEv2) using PowerShell. This type of connection requires the native VPN client to be configured on each connecting client computer. Most of the steps in this article can be performed using Azure Cloud Shell, except for uploading certificates for certificate authentication.
:::image type="content" source="./media/virtual-wan-about/virtualwanp2s.png" alt-text="Virtual WAN diagram.":::
In the following steps, when selecting the authentication method, you have three
1. User VPN (point-to-site) connections can use certificates to authenticate. To create a self-signed root certificate and generate client certificates using PowerShell, see [Generate and export certificates](certificates-point-to-site.md).
-1. Once you've generated and exported the self-signed root certificate, you need to reference the location of the stored certificate. If you're using Cloud Shell in the Azure portal, you need to upload the certificate first.
+1. Once you've generated and exported the self-signed root certificate, you need to reference the location of the stored certificate. This step can't be completed using Azure Cloud Shell because you can't upload certificate files through the Cloud Shell interface. To perform the next steps in this section, you need to either install the Azure PowerShell cmdlets and use PowerShell locally, or use the [Azure portal](virtual-wan-point-to-site-portal.md#p2sconfig).
- ```azurepowershell-interactive
+ ```azurepowershell
$VpnServerConfigCertFilePath = Join-Path -Path /home/name -ChildPath "\P2SRootCert1.cer" $listOfCerts = New-Object "System.Collections.Generic.List[String]" $listOfCerts.Add($VpnServerConfigCertFilePath)
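Review bot: The new step text says this has to be run in local PowerShell rather than Cloud Shell, but the sample still builds the certificate path with `Join-Path -Path /home/name -ChildPath "\P2SRootCert1.cer"`, which looks like a Cloud Shell home directory combined with a backslash-prefixed file name. Consider replacing it with a clearly marked placeholder for a local folder and telling the reader to substitute the location where they exported the root certificate.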
In the following steps, when selecting the authentication method, you have three
1. Create the User VPN Server Configuration. For the VPN protocol, you can choose IKEv2 VPN, OpenVPN, and OpenVPN and IKEv2, depending on your requirements.
- ```azurepowershell-interactive
+ ```azurepowershell
New-AzVpnServerConfiguration -Name testconfig -ResourceGroupName testRG -VpnProtocol IkeV2 -VpnAuthenticationType Certificate -VpnClientRootCertificateFilesList $listOfCerts -VpnClientRevokedCertificateFilesList $listOfCerts -Location westus ```
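Review bot: The sample command passes the same `$listOfCerts` to both `-VpnClientRootCertificateFilesList` and `-VpnClientRevokedCertificateFilesList`, so the root certificate file is supplied as trusted and as revoked in one call. If that is not intentional, drop the revoked-list parameter from the sample or give it its own variable, and state which file it expects, since readers tend to copy this line as written.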
Delete the gateway entities following the below order for the point-to-site VPN
## Next steps
-Next, to learn more about Virtual WAN, see the [Virtual WAN FAQ](virtual-wan-faq.md).
+Next, to learn more about Virtual WAN, see the [Virtual WAN FAQ](virtual-wan-faq.md).