Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory-b2c | Conditional Access User Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/conditional-access-user-flow.md | The following template can be used to create a Conditional Access policy with di Identity Protection can calculate what it believes is normal for a user's behavior and use that to base decisions for their risk. User risk is a calculation of probability that an identity has been compromised. B2C tenants with P2 licenses can create Conditional Access policies incorporating user risk. When a user is detected as at risk, you can require that they securely change their password to remediate the risk and gain access to their account. We highly recommend setting up a user risk policy to require a secure password change so users can self-remediate. -Learn more about [user risk in Identity Protection](../active-directory/identity-protection/concept-identity-protection-risks.md#user-linked-detections), taking into account the [limitations on Identity Protection detections for B2C](identity-protection-investigate-risk.md#service-limitations-and-considerations). +Learn more about [user risk in Identity Protection](../active-directory/identity-protection/concept-identity-protection-risks.md), taking into account the [limitations on Identity Protection detections for B2C](identity-protection-investigate-risk.md#service-limitations-and-considerations). Configure Conditional Access through Azure portal or Microsoft Graph APIs to enable a user risk-based Conditional Access policy requiring multifactor authentication (MFA) and password change when user risk is medium OR high. |
active-directory-b2c | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/whats-new-docs.md | Welcome to what's new in Azure Active Directory B2C documentation. This article ### Updated articles - [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md) - [Azure AD B2C] Azure AD B2C Go-Local opt-in feature-- [Tutorial: Configure security analytics for Azure Active Directory B2C data with Microsoft Sentinel](configure-security-analytics-sentinel.md) - Removing product name from filename and links. Exempt from Acrolinx by prior arrangement-- [Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall](partner-web-application-firewall.md) - Removing product name from filename and links. Exempt from Acrolinx by prior arrangement+- [Tutorial: Configure security analytics for Azure Active Directory B2C data with Microsoft Sentinel](configure-security-analytics-sentinel.md) - Removing product name from filename and links. +- [Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall](partner-web-application-firewall.md) - Removing product name from filename and links. - [Title not found in: #240919](azure-ad-external-identities-videos.md) - Delete azure-ad-external-identities-videos.md-- [Build a global identity solution with funnel-based approach](b2c-global-identity-funnel-based-design.md) - Removing product name from filename and links. Exempt from Acrolinx by prior arrangement-- [Azure Active Directory B2C global identity framework proof of concept for funnel-based configuration](b2c-global-identity-proof-of-concept-funnel.md) - Removing product name from filename and links. Exempt from Acrolinx by prior arrangement-- [Azure Active Directory B2C global identity framework proof of concept for region-based configuration](b2c-global-identity-proof-of-concept-regional.md) - Removing product name from filename and links. Exempt from Acrolinx by prior arrangement-- [Build a global identity solution with region-based approach](b2c-global-identity-region-based-design.md) - Removing product name from filename and links. Exempt from Acrolinx by prior arrangement-- [Azure Active Directory B2C global identity framework](b2c-global-identity-solutions.md) - Removing product name from filename and links. Exempt from Acrolinx by prior arrangement+- [Build a global identity solution with funnel-based approach](b2c-global-identity-funnel-based-design.md) - Removing product name from filename and links. +- [Azure Active Directory B2C global identity framework proof of concept for funnel-based configuration](b2c-global-identity-proof-of-concept-funnel.md) - Removing product name from filename and links. +- [Azure Active Directory B2C global identity framework proof of concept for region-based configuration](b2c-global-identity-proof-of-concept-regional.md) - Removing product name from filename and links. +- [Build a global identity solution with region-based approach](b2c-global-identity-region-based-design.md) - Removing product name from filename and links. +- [Azure Active Directory B2C global identity framework](b2c-global-identity-solutions.md) - Removing product name from filename and links. - [Azure Active Directory B2C: What's new](whats-new-docs.md) - [Azure AD B2C] What is new May 2023 - [Use the Azure portal to create and delete consumer users in Azure AD B2C](manage-users-portal.md) - [Azure AD B2C] Revoke user's session - [Monitor Azure AD B2C with Azure Monitor](azure-monitor.md) - Added steps to disable Azure monitor |
active-directory | Concept Authentication Methods | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-methods.md | Administrators can view user authentication methods in the Azure portal. Usable Each authentication method can become non-usable for different reasons. For example, a Temporary Access Pass may expire, or FIDO2 security key may fail attestation. The portal will be updated to provide the reason for why the method is non-usable. +Authentication methods that are no longer available due to "Require re-register multifactor authentication" are also displayed here. + :::image type="content" border="true" source="media/concept-authentication-methods/non-usable.png" alt-text="Screenshot of non-usable authentication methods." ::: |
active-directory | Concept Mfa Licensing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-mfa-licensing.md | The following table details the different ways to get Azure AD Multi-Factor Auth \| [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business) and [EMS](https://www.microsoft.com/security/business/enterprise-mobility-security) or [Microsoft 365 E3 and E5](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans) \| EMS E3, Microsoft 365 E3, and Microsoft 365 Business Premium includes Azure AD Premium P1. EMS E5 or Microsoft 365 E5 includes Azure AD Premium P2. You can use the same Conditional Access features noted in the following sections to provide multi-factor authentication to users. \| \| [Azure AD Premium P1](../fundamentals/active-directory-get-started-premium.md) \| You can use [Azure AD Conditional Access](../conditional-access/howto-conditional-access-policy-all-users-mfa.md) to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements. \| \| [Azure AD Premium P2](../fundamentals/active-directory-get-started-premium.md) \| Provides the strongest security position and improved user experience. Adds [risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk.md) to the Azure AD Premium P1 features that adapts to user's patterns and minimizes multi-factor authentication prompts. \|-\| [All Microsoft 365 plans](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans) \| Azure AD Multi-Factor Authentication can be enabled all users using [security defaults](../fundamentals/concept-fundamentals-security-defaults.md). Management of Azure AD Multi-Factor Authentication is through the Microsoft 365 portal. For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see [secure Microsoft 365 resources with multi-factor authentication](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication). \| +\| [All Microsoft 365 plans](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans) \| Azure AD Multi-Factor Authentication can be enabled for all users using [security defaults](../fundamentals/concept-fundamentals-security-defaults.md). Management of Azure AD Multi-Factor Authentication is through the Microsoft 365 portal. For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see [secure Microsoft 365 resources with multi-factor authentication](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication). \| \| [Office 365 free](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)<br>[Azure AD free](../verifiable-credentials/how-to-create-a-free-developer-account.md) \| You can use [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) to prompt users for multi-factor authentication as needed but you don't have granular control of enabled users or scenarios, but it does provide that additional security step.<br /> Even when security defaults aren't used to enable multi-factor authentication for everyone, users assigned the *Azure AD Global Administrator* role can be configured to use multi-factor authentication. This feature of the free tier makes sure the critical administrator accounts are protected by multi-factor authentication. \| ## Feature comparison based on licenses -The following table provides a list of the features that are available in the various versions of Azure AD for Multi-Factor Authentication. Plan out your needs for securing user authentication, then determine which approach meets those requirements. For example, although Azure AD Free provides security defaults that provide Azure AD Multi-Factor Authentication, only the mobile authenticator app can be used for the authentication prompt, not a phone call or SMS. This approach may be a limitation if you can't ensure the mobile authentication app is installed on a user's personal device. See [Azure AD Free tier](#azure-ad-free-tier) later in this topic for more details. +The following table provides a list of the features that are available in the various versions of Azure AD for Multi-Factor Authentication. Plan out your needs for securing user authentication, then determine which approach meets those requirements. For example, although Azure AD Free provides security defaults that provide Azure AD Multi-Factor Authentication, only the mobile authenticator app can be used for the authentication prompt, including SMS and phone calls. This approach may be a limitation if you can't ensure the mobile authentication app is installed on a user's personal device. See [Azure AD Free tier](#azure-ad-free-tier) later in this topic for more details. \| Feature \| Azure AD Free - Security defaults (enabled for all users) \| Azure AD Free - Global Administrators only \| Office 365 \| Azure AD Premium P1 \| Azure AD Premium P2 \| \| \|::\|::\|::\|::\|::\| \| Protect Azure AD tenant admin accounts with MFA \| ● \| ● (*Azure AD Global Administrator* accounts only) \| ● \| ● \| ● \| \| Mobile app as a second factor \| ● \| ● \| ● \| ● \| ● \|-\| Phone call as a second factor \| \| \| ● \| ● \| ● \| -\| SMS as a second factor \| \| ● \| ● \| ● \| ● \| +\| Phone call as a second factor \| ● \| \| ● \| ● \| ● \| +\| SMS as a second factor \| ● \| ● \| ● \| ● \| ● \| \| Admin control over verification methods \| \| ● \| ● \| ● \| ● \| \| Fraud alert \| \| \| \| ● \| ● \| \| MFA Reports \| \| \| \| ● \| ● \| Our recommended approach to enforce MFA is using [Conditional Access](../conditi \| Configuration flexibility \| \| ● \| \| \| **Functionality** \| \| Exempt users from the policy \| \| ● \| ● \|-\| Authenticate by phone call or SMS \| \| ● \| ● \| +\| Authenticate by phone call or SMS \| ● \| ● \| ● \| \| Authenticate by Microsoft Authenticator and Software tokens \| ● \| ● \| ● \| \| Authenticate by FIDO2, Windows Hello for Business, and Hardware tokens \| \| ● \| ● \| \| Blocks legacy authentication protocols \| ● \| ● \| ● \| |
active-directory | Howto Mfa Mfasettings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-mfasettings.md | Title: Configure Azure AD Multi-Factor Authentication -description: Learn how to configure settings for Azure AD Multi-Factor Authentication in the Azure portal +description: Learn how to configure settings for Azure AD Multi-Factor Authentication -To customize the end-user experience for Azure AD Multi-Factor Authentication, you can configure options for settings like account lockout thresholds or fraud alerts and notifications. Some settings are available directly in the Azure portal for Azure Active Directory (Azure AD), and some are in a separate Azure AD Multi-Factor Authentication portal. +To customize the end-user experience for Azure AD Multi-Factor Authentication, you can configure options for settings like account lockout thresholds or fraud alerts and notifications. -The following Azure AD Multi-Factor Authentication settings are available in the Azure portal: +The following Azure AD Multi-Factor Authentication settings are available: \| Feature \| Description \| \| - \| -- \| |
active-directory | Howto Mfa Nps Extension | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension.md | To provide load-balancing capabilities or for redundancy, repeat these steps on .\AzureMfaNpsExtnConfigSetup.ps1 ``` -1. When prompted, sign in to Azure AD as an administrator. +1. When prompted, sign in to Azure AD as a Global administrator. 1. PowerShell prompts for your tenant ID. Use the *Tenant ID* GUID that you copied from the Azure portal in the prerequisites section. 1. A success message is shown when the script is finished. |
active-directory | Howto Mfa Userdevicesettings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-userdevicesettings.md | If you're assigned the *Authentication Administrator* role, you can require user 1. On the left, select **Azure Active Directory** > **Users** > **All users**. 1. Choose the user you wish to perform an action on and select **Authentication methods**. At the top of the window, then choose one of the following options for the user: - **Reset Password** resets the user's password and assigns a temporary password that must be changed on the next sign-in.-- **Require Re-register MFA** deactivates the user's hardware OATH tokens and deletes the following authentication methods from this user: phone numbers, Microsoft Authenticator apps and software OATH tokens. If needed, the user is requested to set up a new MFA authentication method the next time they sign in.-+ - **Require Re-register MFA** makes it so that when the user signs in next time, they're requested to set up a new MFA authentication method. + > [!NOTE] + > The user's currently registered authentication methods aren't deleted when an admin requires re-registration for MFA. After a user re-registers for MFA, we recommend they review their security info and delete any previously registered authentication methods that are no longer usable. - **Revoke MFA Sessions** clears the user's remembered MFA sessions and requires them to perform MFA the next time it's required by the policy on the device. :::image type="content" source="media/howto-mfa-userdevicesettings/manage-authentication-methods-in-azure.png" alt-text="Manage authentication methods from the Azure portal"::: |
active-directory | Tutorial Enable Cloud Sync Sspr Writeback | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md | Try the following operations to validate scenarios using password writeback. All - If passwords for some user accounts aren't written back to the on-premises directory, make sure that inheritance isn't disabled for the account in the on-premises AD DS environment. Write permissions for passwords must be applied to descendant objects for the feature to work correctly. -- Password policies in the on-premises AD DS environment may prevent password resets from being correctly processed. If you are testing this feature and want to reset password for users more than once per day, the group policy for Minimum password age must be set to 0. This setting can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies within gpmc.msc. +- Password policies in the on-premises AD DS environment may prevent password resets from being correctly processed. If you are testing this feature and want to reset password for users more than once per day, the group policy for Minimum password age must be set to 0. This setting can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy within gpmc.msc. - If you update the group policy, wait for the updated policy to replicate, or use the gpupdate /force command. |
active-directory | Concept Conditional Access Conditions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-conditions.md | For example, when accessing a sensitive application an administrator may factor ## Sign-in risk -For customers with access to [Identity Protection](../identity-protection/overview-identity-protection.md), sign-in risk can be evaluated as part of a Conditional Access policy. Sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. More information about sign-in risk can be found in the articles, [What is risk](../identity-protection/concept-identity-protection-risks.md#sign-in-risk) and [How To: Configure and enable risk policies](../identity-protection/howto-identity-protection-configure-risk-policies.md). +For customers with access to [Identity Protection](../identity-protection/overview-identity-protection.md), sign-in risk can be evaluated as part of a Conditional Access policy. Sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. More information about sign-in risk can be found in the articles, [What is risk](../identity-protection/concept-identity-protection-risks.md) and [How To: Configure and enable risk policies](../identity-protection/howto-identity-protection-configure-risk-policies.md). ## User risk -For customers with access to [Identity Protection](../identity-protection/overview-identity-protection.md), user risk can be evaluated as part of a Conditional Access policy. User risk represents the probability that a given identity or account is compromised. More information about user risk can be found in the articles, [What is risk](../identity-protection/concept-identity-protection-risks.md#user-linked-detections) and [How To: Configure and enable risk policies](../identity-protection/howto-identity-protection-configure-risk-policies.md). +For customers with access to [Identity Protection](../identity-protection/overview-identity-protection.md), user risk can be evaluated as part of a Conditional Access policy. User risk represents the probability that a given identity or account is compromised. More information about user risk can be found in the articles, [What is risk](../identity-protection/concept-identity-protection-risks.md) and [How To: Configure and enable risk policies](../identity-protection/howto-identity-protection-configure-risk-policies.md). ## Device platforms There's a new optional condition in Conditional Access called filter for devic ## Next steps - [Conditional Access: Grant](concept-conditional-access-grant.md)--- [Conditional Access common policies](concept-conditional-access-policy-common.md)--+- [Common Conditional Access policies](concept-conditional-access-policy-common.md) |
active-directory | Howto Conditional Access Policy Risk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-risk.md | -A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Organizations with Azure AD Premium P2 licenses can create Conditional Access policies incorporating [Azure AD Identity Protection sign-in risk detections](../identity-protection/concept-identity-protection-risks.md#sign-in-risk). +A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Organizations with Azure AD Premium P2 licenses can create Conditional Access policies incorporating [Azure AD Identity Protection sign-in risk detections](../identity-protection/concept-identity-protection-risks.md). There are two locations where this policy may be configured, Conditional Access and Identity Protection. Configuration using a Conditional Access policy is the preferred method providing more context including enhanced diagnostic data, report-only mode integration, Graph API support, and the ability to utilize other Conditional Access attributes like sign-in frequency in the policy. |
active-directory | Howto Configure App Instance Property Locks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-configure-app-instance-property-locks.md | To configure an app instance lock using the Azure portal: | **Token Encryption KeyId** | Locks the ability to change the `tokenEncryptionKeyId` property. | 3. Select **Save** to save your changes.+++## Configure app instance lock using Microsoft Graph ++You manage the app instance lock feature through the **servicePrincipalLockConfiguration** property of the [application](/graph/api/resources/application) object of the multi-tenant app. For more information, see [Lock sensitive properties for service principals](/graph/tutorial-applications-basics#lock-sensitive-properties-for-service-principals). |
active-directory | Identity Platform Integration Checklist | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/identity-platform-integration-checklist.md | Use the following checklist to ensure that your application is effectively integ ## Branding -![checkbox](./medi). +![checkbox](./medi). ![checkbox](./medi). Make sure your name and logo are representative of your company/product so that users can make informed decisions. Ensure that you're not violating any trademarks. |
active-directory | V2 Protocols Oidc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-protocols-oidc.md | If ID tokens are not enabled for your app and one is requested, the Microsoft id > *The provided value for the input parameter 'response_type' isn't allowed for this client. Expected value is 'code'*. -Requesting an ID token by specifying a `response_type` of `code` is explained in [Send the sign-in request](#send-the-sign-in-request) later in the article. +Requesting an ID token by specifying a `response_type` of `id_token` is explained in [Send the sign-in request](#send-the-sign-in-request) later in the article. ## Fetch the OpenID configuration document The configuration metadata is returned in JSON format as shown in the following To authenticate a user and request an ID token for use in your application, direct their user-agent to the Microsoft identity platform's _/authorize_ endpoint. The request is similar to the first leg of the [OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md) but with these distinctions: * Include the `openid` scope in the `scope` parameter.-* Specify `code` in the `response_type` parameter. +* Specify `id_token` in the `response_type` parameter. * Include the `nonce` parameter. Example sign-in request (line breaks included only for readability): |
active-directory | One Time Passcode | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/one-time-passcode.md | Email one-time passcode guest users can also use application endpoints that incl You can also give email one-time passcode guest users a direct link to an application or resource by including your tenant information, for example `https://myapps.microsoft.com/signin/Twitter/<application ID?tenantId=<your tenant ID>`. +> [!NOTE] +> Email one-time passcode guest users can sign in to Microsoft Teams directly from the common endpoint without choosing **Sign-in options**. During the sign-in process to Microsoft Teams, the guest user can select a link to send a one-time passcode. + ## User experience for one-time passcode guest users When the email one-time passcode feature is enabled, newly invited users [who meet certain conditions](#when-does-a-guest-user-get-a-one-time-passcode) will use one-time passcode authentication. Guest users who redeemed an invitation before email one-time passcode was enabled will continue to use their same authentication method. |
active-directory | Whats New Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md | The What's new in Azure Active Directory? release notes provide information abou +## December 2022 ++### Public Preview - Windows 10+ Troubleshooter for Diagnostic Logs ++++**Type:** New feature +**Service category:** Audit +**Product capability:** Monitoring & Reporting ++This feature analyzes uploaded client-side logs, also known as diagnostic logs, from a Windows 10+ device that is having an issue(s) and suggests remediation steps to resolve the issue(s). Admins can work with end user to collect client-side logs, and then upload them to this troubleshooter in the Entra Portal. For more information, see: [Troubleshooting Windows devices in Azure AD](../devices/troubleshoot-device-windows-joined.md). +++++### General Availability - Multiple Password-less Phone Sign-ins for iOS Devices ++++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication ++End users can now enable password-less phone sign-in for multiple accounts in the Authenticator App on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use password-less phone sign-in for all of them from the same iOS device. The Azure AD accounts can be in the same tenant or different tenants. Guest accounts aren't supported for multiple account sign-ins from one device. +++End users aren't required to enable the optional telemetry setting in the Authenticator App. For more information, see: [Enable passwordless sign-in with Microsoft Authenticator](../authentication/howto-authentication-passwordless-phone.md). +++++### Public Preview(refresh) - Updates to Conditional Access templates ++++**Type:** Changed feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection ++Conditional Access templates provide a convenient method to deploy new policies aligned with Microsoft recommendations. In total, there are 14 Conditional Access policy templates, filtered by five different scenarios; secure foundation, zero trust, remote work, protect administrators, and emerging threats. ++In this Public Preview refresh, we've enhanced the user experience with an updated design and added four new improvements: ++- Admins can create a Conditional Access policy by importing a JSON file. +- Admins can duplicate existing policy. +- Admins can view more detailed policy information. +- Admins can query templates programmatically via MSGraph API. +++For more information, see: [Conditional Access templates (Preview)](../conditional-access/concept-conditional-access-policy-common.md). ++++### Public Preview - Admins can restrict their users from creating tenants ++++**Type:** New feature +**Service category:** User Access Management +**Product capability:** User Management ++The ability for users to create tenants from the Manage Tenant overview has been present in Azure AD since almost the beginning of the Azure portal. This new capability in the User Settings option allows admins to restrict their users from being able to create new tenants. There's also a new [Tenant Creator](../roles/permissions-reference.md#tenant-creator) role to allow specific users to create tenants. For more information, see [Default user permissions](../fundamentals/users-default-permissions.md#restrict-member-users-default-permissions). +++++### General availability - Consolidated App launcher (My Apps) settings and new preview settings ++++**Type:** New feature +**Service category:** My Apps +**Product capability:** End User Experiences ++We have consolidated relevant app launcher settings in a new App launchers section in the Azure and Entra portals. The entry point can be found under Enterprise applications, where Collections used to be. You can find the Collections option by selecting App launchers. In addition, we've added a new App launchers Settings option. This option has some settings you may already be familiar with like the Microsoft 365 settings. The new Settings options also have controls for previews. As an admin, you can choose to try out new app launcher features while they are in preview. Enabling a preview feature means that the feature turns on for your organization. This enabled feature reflects in the My Apps portal, and other app launchers for all of your users. To learn more about the preview settings, see: [End-user experiences for applications](../manage-apps/end-user-experiences.md). +++++### Public preview - Converged Authentication Methods Policy ++++**Type:** New feature +**Service category:** MFA +**Product capability:** User Authentication ++The Converged Authentication Methods Policy enables you to manage all authentication methods used for MFA and SSPR in one policy. You can migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in the tenant. For more information, see: [Manage authentication methods for Azure AD](../authentication/concept-authentication-methods-manage.md). +++++### General Availability - Administrative unit support for devices ++++**Type:** New feature +**Service category:** Directory Management +**Product capability:** AuthZ/Access Delegation ++You can now use administrative units to delegate management of specified devices in your tenant by adding devices to an administrative unit. You're also able to assign built-in, and custom device management roles, scoped to that administrative unit. For more information, see: [Device management](../roles/administrative-units.md#device-management). +++++### Public Preview - Frontline workers using shared devices can now use Microsoft Edge and Yammer apps on Android ++++**Type:** New feature +**Service category:** N/A +**Product capability:** SSO ++Companies often provide mobile devices to frontline workers that need are shared between shifts. Microsoft's shared device mode allows frontline workers to easily authenticate by automatically signing users in and out of all the apps that have enabled this feature. In addition to Microsoft Teams and Managed Home Screen being generally available, we're excited to announce that Microsoft Edge and Yammer apps on Android are now in Public Preview. ++For more information on deploying frontline solutions, see: [frontline deployment documentation](https://aka.ms/frontlinewhitepaper). +++For more information on shared-device mode, see: [Azure Active Directory Shared Device Mode documentation](../develop/msal-android-shared-devices.md#microsoft-applications-that-support-shared-device-mode). +++For steps to set up shared device mode with Intune, see: [Intune setup blog](https://techcommunity.microsoft.com/t5/intune-customer-success/enroll-android-enterprise-dedicated-devices-into-azure-ad-shared/ba-p/1820093). +++++### Public preview - New provisioning connectors in the Azure AD Application Gallery - December 2022 ++++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration ++We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps: ++- [GHAE](../saas-apps/ghae-provisioning-tutorial.md) +++For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). +++++### General Availability - On-premises application provisioning ++++**Type:** Changed feature +**Service category:** Provisioning +**Product capability:** Outbound to On-premises Applications ++Azure AD supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. If your application supports [SCIM](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010), or you've built a SCIM gateway to connect to your legacy application, you can use the Azure AD Provisioning agent to [directly connect](../app-provisioning/on-premises-scim-provisioning.md) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](../app-provisioning/on-premises-ldap-connector-configure.md) user store, or a [SQL](../app-provisioning/tutorial-ecma-sql-connector.md) database, Azure AD can support those as well. +++++### General Availability - New Federated Apps available in Azure AD Application gallery - December 2022 ++++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In December 2022 we've added the following 44 new applications in our App gallery with Federation support: ++[Bionexo IDM](https://login.bionexo.com/), [SMART Meeting Pro](https://www.smarttech.com/en/business/software/meeting-pro), [Venafi Control Plane – Datacenter](../saas-apps/venafi-control-plane-tutorial.md), [HighQ](../saas-apps/highq-tutorial.md), [Drawboard PDF](https://pdf.drawboard.com/), [ETU Skillsims](../saas-apps/etu-skillsims-tutorial.md), [TencentCloud IDaaS](../saas-apps/tencent-cloud-idaas-tutorial.md), [TeamHeadquarters Email Agent OAuth](https://thq.entry.com/), [Verizon MDM](https://verizonmdm.vzw.com/), [QRadar SOAR](../saas-apps/qradar-soar-tutorial.md), [Tripwire Enterprise](../saas-apps/tripwire-enterprise-tutorial.md), [Cisco Unified Communications Manager](../saas-apps/cisco-unified-communications-manager-tutorial.md), [Howspace](https://login.in.howspace.com/), [Flipsnack SAML](../saas-apps/flipsnack-saml-tutorial.md), [Albert](http://www.albertinvent.com/), [Altinget.no](https://www.altinget.no/), [Coveo Hosted Services](../saas-apps/coveo-hosted-services-tutorial.md), [Cybozu(cybozu.com)](../saas-apps/cybozu-tutorial.md), [BombBomb](https://app.bombbomb.com/app), [VMware Identity Service](../saas-apps/vmware-identity-service-tutorial.md), [HexaSync](https://app-az.hexasync.com/login), [Trifecta Teams](https://app.trifectateams.net/), [VerosoftDesign](https://verosoft-design.vercel.app/), [Mazepay](https://app.mazepay.com/), [Wistia](../saas-apps/wistia-tutorial.md), [Begin.AI](https://app.begin.ai/), [WebCE](../saas-apps/webce-tutorial.md), [Dream Broker Studio](https://dreambroker.com/studio/login/), [PKSHA Chatbot](../saas-apps/pksha-chatbot-tutorial.md), [PGM-BCP](https://ups-pgm-bcp.4gfactor.com/azure/), 
[ChartDesk SSO](../saas-apps/chartdesk-sso-tutorial.md), [Elsevier SP](../saas-apps/elsevier-sp-tutorial.md), [GreenCommerce IdentityServer](https://identity.jem-id.nl/Account/Login), [Fullview](https://app.fullview.io/sign-in), [Aqua Platform](../saas-apps/aqua-platform-tutorial.md), [SpedTrack](../saas-apps/spedtrack-tutorial.md), [Pinpoint](https://pinpoint.ddiworld.com/psg2?sso=true), [Darzin Outlook Add-in](https://outlook.darzin.com/graph-login.html), [Simply Stakeholders Outlook Add-in](https://outlook.simplystakeholders.com/graph-login.html), [tesma](../saas-apps/tesma-tutorial.md), [Parkable](../saas-apps/parkable-tutorial.md), [Unite Us](../saas-apps/unite-us-tutorial.md) ++You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial, ++For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest ++++### ADAL End of Support Announcement ++**Type:** N/A +**Service category:** Other +**Product capability:** Developer Experience ++As part of our ongoing initiative to improve the developer experience, service reliability, and security of customer applications, we'll end support for the Azure Active Directory Authentication Library (ADAL). The final deadline to migrate your applications to Azure Active Directory Authentication Library (MSAL) has been extended to **June 30, 2023**. ++### Why are we doing this? ++As we consolidate and evolve the Microsoft Identity platform, we're also investing in making significant improvements to the developer experience and service features that make it possible to build secure, robust and resilient applications. To make these features available to our customers, we needed to update the architecture of our software development kits. As a result of this change, weΓÇÖve decided that the path forward requires us to sunset Azure Active Directory Authentication Library. 
This allows us to focus on developer experience investments with Azure Active Directory Authentication Library. ++### What happens? ++We recognize that changing libraries isn't an easy task, and can't be accomplished quickly. We're committed to helping customers plan their migrations to Microsoft Authentication Library and execute them with minimal disruption. ++- In June 2020, we [announced the 2-year end of support timeline for ADAL](https://devblogs.microsoft.com/microsoft365dev/end-of-support-timelines-for-azure-ad-authentication-library-adal-and-azure-ad-graph/). +- In December 2022, weΓÇÖve decided to extend the Azure Active Directory Authentication Library end of support to June 2023. +- Through the next six months (January 2023 ΓÇô June 2023) we continue informing customers about the upcoming end of support along with providing guidance on migration. +- On June 2023 we'll officially sunset Azure Active Directory Authentication Library, removing library documentation and archiving all GitHub repositories related to the project. ++### How to find out which applications in my tenant are using Azure Active Directory Authentication Library? ++Refer to our post on [Microsoft Q&A](/answers/questions/360928/information-how-to-find-apps-using-adal-in-your-te.html) for details on identifying Azure Active Directory Authentication Library apps with the help of [Azure Workbooks](../../azure-monitor/visualize/workbooks-overview.md). +### If IΓÇÖm using Azure Active Directory Authentication Library, what can I expect after the deadline? ++- There will be no new releases (security or otherwise) to the library after June 2023. +- We won't accept any incident reports or support requests for Azure Active Directory Authentication Library. Azure Active Directory Authentication Library to Microsoft Authentication Library migration support would continue. 
+- The underpinning services continue working and applications that depend on Azure Active Directory Authentication Library should continue working. Applications, and the resources they access, are at increased security and reliability risk due to not having the latest updates, service configuration, and enhancements made available through the Microsoft Identity platform. ++### What features can I only access with Microsoft Authentication Library? ++The number of features and capabilities that we're adding to Microsoft Authentication Library libraries are growing weekly. Some of them include: +- Support for Microsoft accounts (MSA) +- Support for Azure AD B2C accounts +- Handling throttling +- Proactive token refresh and token revocation based on policy or critical events for Microsoft Graph and other APIs that supportΓÇ»[Continuous Access Evaluation (CAE)](../develop/app-resilience-continuous-access-evaluation.md) +- Auth broker support with device-based conditional access policies +- Azure AD hardware-based certificate authentication (CBA) on mobile +- System browsers on mobile devices +And more. For an up-to-date list, refer to our [migration guide](../develop/msal-migration.md#how-to-migrate-to-msal). ++### How to migrate? ++To make the migration process easier, we published a [comprehensive guide](../develop/msal-migration.md#how-to-migrate-to-msal) that documents the migration paths across different platforms and programming languages. ++In addition to the Azure Active Directory Authentication Library to Microsoft Authentication Library update, we recommend migrating from Azure AD Graph API to Microsoft Graph. This change enables you to take advantage of the latest additions and enhancements, such as CAE, across the Microsoft service offering through a single, unified endpoint. You can read more in our [Migrate your apps from Azure AD Graph to Microsoft Graph](/graph/migrate-azure-ad-graph-overview) guide. 
You can post any questions to [Microsoft Q&A](/answers/topics/azure-active-directory.html) or [Stack Overflow](https://stackoverflow.com/questions/tagged/msal). +++ ## November 2022 ### General Availability - Use Web Sign-in on Windows for password-less recovery with Temporary Access Pass Azure AD access reviews reviewer recommendations now account for non-interactive The offline Azure AD Threat Intelligence risk detection can now have a risk reason that will help customers with the risk investigation. If a risk reason is available, it will show up as **Additional Info** in the risk details of that risk event. The information can be found in the Risk detections report. It will also be available through the additionalInfo property of the riskDetections API. [Learn more](../identity-protection/howto-identity-protection-investigate-risk.md). +++## December 2021 ++### Tenant enablement of combined security information registration for Azure Active Directory ++**Type:** Plan for change +**Service category:** MFA +**Product capability:** Identity Security & Protection + +We previously announced in April 2020, a new combined registration experience enabling users to register authentication methods for SSPR and multi-factor authentication at the same time was generally available for existing customer to opt in. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting in 2022 Microsoft will be enabling the multi-factor authentication and SSPR combined registration experience for existing customers. [Learn more](../authentication/concept-registration-mfa-sspr-combined.md). 
+ +++### Public Preview - Number Matching now available to reduce accidental notification approvals ++**Type:** New feature +**Service category:** Microsoft Authenticator App +**Product capability:** User Authentication + +To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving a multi-factor authentication notification in the Authenticator app. This feature adds an extra security measure to the Microsoft Authenticator app. [Learn more](../authentication/how-to-mfa-number-match.md). + +++### Pre-authentication error events removed from Azure AD Sign-in Logs ++**Type:** Deprecated +**Service category:** Reporting +**Product capability:** Monitoring & Reporting + +We're no longer publishing sign-in logs with the following error codes because these events are pre-authentication events that occur before our service has authenticated a user. Because these events happen before authentication, our service isn't always able to correctly identify the user. If a user continues on to authenticate, the user sign-in will show up in your tenant Sign-in logs. These logs are no longer visible in the Azure portal UX, and querying these error codes in the Graph API will no longer return results. ++|Error code | Failure reason| +| | | +|50058| Session information isn't sufficient for single-sign-on.| +|16000| Either multiple user identities are available for the current request or selected account isn't supported for the scenario.| +|500581| Rendering JavaScript. 
Fetching sessions for single-sign-on on V2 with prompt=none requires JavaScript to verify if any MSA accounts are signed in.| +|81012| The user trying to sign in to Azure AD is different from the user signed into the device.| ++++++## November 2021 ++### Tenant enablement of combined security information registration for Azure Active Directory ++**Type:** Plan for change +**Service category:** MFA +**Product capability:** Identity Security & Protection + +We previously announced in April 2020, a new combined registration experience enabling users to register authentication methods for SSPR and multi-factor authentication at the same time was generally available for existing customer to opt in. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting 2022, Microsoft will be enabling the MF). + +++### Windows users will see prompts more often when switching user accounts ++**Type:** Fixed +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +A problematic interaction between Windows and a local Active Directory Federation Services (ADFS) instance can result in users attempting to sign into another account, but be silently signed into their existing account instead, with no warning. For federated IdPs such as ADFS, that support the [prompt=login](/windows-server/identity/ad-fs/operations/ad-fs-prompt-login) pattern, Azure AD will now trigger a fresh sign-in at ADFS when a user is directed to ADFS with a sign-in hint. This ensures that the user is signed into the account they requested, rather than being silently signed into the account they're already signed in with. ++For more information, see the [change notice](../develop/reference-breaking-changes.md). 
+ +++### Public preview - Conditional Access Overview Dashboard ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Monitoring & Reporting + +The new Conditional Access overview dashboard enables all tenants to see insights about the impact of their Conditional Access policies without requiring an Azure Monitor subscription. This built-in dashboard provides tutorials to deploy policies, a summary of the policies in your tenant, a snapshot of your policy coverage, and security recommendations. [Learn more](../conditional-access/overview.md). + +++### Public preview - SSPR writeback is now available for disconnected forests using Azure AD Connect cloud sync ++**Type:** New feature +**Service category:** Azure AD Connect Cloud Sync +**Product capability:** Identity Lifecycle Management + +The Public Preview feature for Azure AD Connect Cloud Sync Password writeback provides customers the capability to write back a user's password changes in the cloud to the on-premises directory in real time using the lightweight Azure AD cloud provisioning agent.[Learn more](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md). ++++### Public preview - Conditional Access for workload identities ++**Type:** New feature +**Service category:** Conditional Access for workload identities +**Product capability:** Identity Security & Protection + +Previously, Conditional Access policies applied only to users when they access apps and services like SharePoint online or the Azure portal. This preview adds support for Conditional Access policies applied to service principals owned by the organization. You can block service principals from accessing resources from outside trusted-named locations or Azure Virtual Networks. [Learn more](../conditional-access/workload-identity.md). 
++++### Public preview - Extra attributes available as claims ++**Type:** Changed feature +**Service category:** Enterprise Apps +**Product capability:** SSO + +Several user attributes have been added to the list of attributes available to map to claims to bring attributes available in claims more in line with what is available on the user object in Microsoft Graph. New attributes include mobilePhone and ProxyAddresses. [Learn more](../develop/reference-claims-mapping-policy-type.md). + +++### Public preview - "Session Lifetime Policies Applied" property in the sign-in logs ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** Identity Security & Protection + +We have recently added other property to the sign-in logs called "Session Lifetime Policies Applied". This property will list all the session lifetime policies that applied to the sign-in for example, Sign-in frequency, Remember multi-factor authentication and Configurable token lifetime. [Learn more](../reports-monitoring/concept-sign-ins.md#authentication-details). + +++### Public preview - Enriched reviews on access packages in entitlement management ++**Type:** New feature +**Service category:** User Access Management +**Product capability:** Entitlement Management + +Entitlement Management's enriched review experience allows even more flexibility on access packages reviews. Admins can now choose what happens to access if the reviewers don't respond, provide helper information to reviewers, or decide whether a justification is necessary. [Learn more](../governance/entitlement-management-access-reviews-create.md). 
+ +++### General availability - randomString and redact provisioning functions ++**Type:** New feature +**Service category:** Provisioning +**Product capability:** Outbound to SaaS Applications + ++The Azure AD Provisioning service now supports two new functions, randomString() and Redact(): +- randomString - generate a string based on the length and characters you would like to include or exclude in your string. +- redact - remove the value of the attribute from the audit and provisioning logs. [Learn more](../app-provisioning/functions-for-customizing-application-data.md#randomstring). ++++### General availability - Now access review creators can select users and groups to receive notification on completion of reviews ++**Type:** New feature +**Service category:** Access Reviews +**Product capability:** Identity Governance + +Now access review creators can select users and groups to receive notification on completion of reviews. [Learn more](../governance/create-access-review.md). + ++ +### General availability - Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator ++**Type:** New feature +**Service category:** Microsoft Authenticator App +**Product capability:** Identity Security & Protection + +This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. Users can also report any suspicious or unfamiliar activity, change their Azure AD account passwords, and update the account's security information. ++For more information on how to use this feature visit [View and search your recent sign-in activity from the My Sign-ins page](../user-help/my-account-portal-sign-ins-page.md). 
++++### General availability - New Microsoft Authenticator app icon ++**Type:** New feature +**Service category:** Microsoft Authenticator App +**Product capability:** Identity Security & Protection + +New updates have been made to the Microsoft Authenticator app icon. To learn more about these updates, see the [Microsoft Authenticator app](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/microsoft-authenticator-app-easier-ways-to-add-or-manage/ba-p/2464408) blog post. ++++### General availability - Azure AD single sign-on and device-based Conditional Access support in Firefox on Windows 10/11 ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** SSO + +We now support native single sign-on (SSO) support and device-based Conditional Access to Firefox browser on Windows 10 and Windows Server 2019 starting in Firefox version 91. [Learn more](../conditional-access/require-managed-devices.md#prerequisites). + +++### New provisioning connectors in the Azure AD Application Gallery - November 2021 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Appaegis Isolation Access Cloud](../saas-apps/appaegis-isolation-access-cloud-provisioning-tutorial.md) +- [BenQ IAM](../saas-apps/benq-iam-provisioning-tutorial.md) +- [BIC Cloud Design](../saas-apps/bic-cloud-design-provisioning-tutorial.md) +- [Chaos](../saas-apps/chaos-provisioning-tutorial.md) +- [directprint.io](../saas-apps/directprint-io-provisioning-tutorial.md) +- [Documo](../saas-apps/documo-provisioning-tutorial.md) +- [Facebook Work Accounts](../saas-apps/facebook-work-accounts-provisioning-tutorial.md) +- [introDus Pre and Onboarding Platform](../saas-apps/introdus-pre-and-onboarding-platform-provisioning-tutorial.md) +- [Kisi Physical 
Security](../saas-apps/kisi-physical-security-provisioning-tutorial.md) +- [Klaxoon](../saas-apps/klaxoon-provisioning-tutorial.md) +- [Klaxoon SAML](../saas-apps/klaxoon-saml-provisioning-tutorial.md) +- [MX3 Diagnostics](../saas-apps/mx3-diagnostics-connector-provisioning-tutorial.md) +- [Netpresenter](../saas-apps/netpresenter-provisioning-tutorial.md) +- [Peripass](../saas-apps/peripass-provisioning-tutorial.md) +- [Real Links](../saas-apps/real-links-provisioning-tutorial.md) +- [Sentry](../saas-apps/sentry-provisioning-tutorial.md) +- [Teamgo](../saas-apps/teamgo-provisioning-tutorial.md) +- [Zero](../saas-apps/zero-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../manage-apps/user-provisioning.md). + +++### New Federated Apps available in Azure AD Application gallery - November 2021 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In November 2021, we have added following 32 new applications in our App gallery with Federation support: ++[Tide - Connector](https://gallery.ctinsuretech-tide.com/), [Virtual Risk Manager - USA](../saas-apps/virtual-risk-manager-usa-tutorial.md), [Xorlia Policy Management](https://app.xoralia.com/), [WorkPatterns](https://app.workpatterns.com/oauth2/login?data_source_type=office_365_account_calendar_workspace_sync&utm_source=azure_sso), [GHAE](../saas-apps/ghae-tutorial.md), [Nodetrax Project](../saas-apps/nodetrax-project-tutorial.md), [Touchstone Benchmarking](https://app.touchstonebenchmarking.com/), [SURFsecureID - Azure AD Multi-Factor Authentication](../saas-apps/surfsecureid-azure-mfa-tutorial.md), [AiDEA](https://truebluecorp.com/en/prodotti/aidea-en/),[R and D Tax Credit ++You can also find the documentation of all the applications [here](../saas-apps/tutorial-list.md). 
++For listing your application in the Azure AD app gallery, read the details [here](../manage-apps/v2-howto-app-gallery-listing.md). ++++### Updated "switch organizations" user experience in My Account. ++**Type:** Changed feature +**Service category:** My Profile/Account +**Product capability:** End User Experiences + +Updated "switch organizations" user interface in My Account. This visually improves the UI and provides the end-user with clear instructions. Added a manage organizations link to blade per customer feedback. [Learn more](https://support.microsoft.com/account-billing/switch-organizations-in-your-work-or-school-account-portals-c54c32c9-2f62-4fad-8c23-2825ed49d146). + +++## October 2021 + +### Limits on the number of configured API permissions for an application registration will be enforced starting in October 2021 ++**Type:** Plan for change +**Service category:** Other +**Product capability:** Developer Experience + +Sometimes, application developers configure their apps to require more permissions than it's possible to grant. To prevent this from happening, a limit on the total number of required permissions that can be configured for an app registration will be enforced. ++The total number of required permissions for any single application registration mustn't exceed 400 permissions, across all APIs. The change to enforce this limit will begin rolling out mid-October 2021. Applications exceeding the limit can't increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and may not exceed 50 APIs. ++In the Azure portal, the required permissions are listed under API permissions for the application you wish to configure. Using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an [application](/graph/api/resources/application) entity. 
[Learn more](../enterprise-users/directory-service-limits-restrictions.md). + +++### Email one-time passcode on by default change beginning rollout in November 2021 ++**Type:** Plan for change +**Service category:** B2B +**Product capability:** B2B/B2C + +Previously, we announced that starting October 31, 2021, Microsoft Azure Active Directory [email one-time passcode](../external-identities/one-time-passcode.md) authentication will become the default method for inviting accounts and tenants for B2B collaboration scenarios. However, because of deployment schedules, we'll begin rolling out on November 1, 2021. Most of the tenants will see the change rolled out in January 2022 to minimize disruptions during the holidays and deployment lock downs. After this change, Microsoft will no longer allow redemption of invitations using Azure Active Directory accounts that are unmanaged. [Learn more](../external-identities/one-time-passcode.md#frequently-asked-questions). + +++### Conditional Access Guest Access Blocking Screen ++**Type:** Fixed +**Service category:** Conditional Access +**Product capability:** End User Experiences + +If there's no trust relation between a home and resource tenant, a guest user would have previously been asked to re-register their device, which would break the previous registration. However, the user would end up in a registration loop because only home tenant device registration is supported. In this specific scenario, instead of this loop, we've created a new conditional access blocking page. The page tells the end user that they can't get access to conditional access protected resources as a guest user. [Learn more](../external-identities/b2b-quickstart-add-guest-users-portal.md#prerequisites). 
+ +++### 50105 Errors will now result in a UX error message instead of an error response to the application ++**Type:** Fixed +**Service category:** Authentications (Logins) +**Product capability:** Developer Experience + +Azure AD has fixed a bug in an error response that occurs when a user isn't assigned to an app that requires a user assignment. Previously, Azure AD would return error 50105 with the OIDC error code "interaction_required" even during interactive authentication. This would cause well-coded applications to loop indefinitely, as they do interactive authentication and receive an error telling them to do interactive authentication, which they would then do. ++The bug has been fixed, so that during non-interactive auth an "interaction_required" error will still be returned. Also, during interactive authentication an error page will be directly displayed to the user. ++For greater details, see the change notices for [Azure AD protocols](../develop/reference-breaking-changes.md#error-50105-has-been-fixed-to-not-return-interaction_required-during-interactive-authentication). ++++### Public preview - New claims transformation capabilities ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** SSO + +The following new capabilities have been added to the claims transformations available for manipulating claims in tokens issued from Azure AD: + +- Join() on NameID. Used to be restricted to joining an email format address with a verified domain. Now Join() can be used on the NameID claim in the same way as any other claim, so NameID transforms can be used to create Windows account style NameIDs or any other string. For now if the result is an email address, the Azure AD will still validate that the domain is one that is verified in the tenant. +- Substring(). 
A new transformation in the claims configuration UI allows extraction of defined position substrings such as five characters starting at character three - substring(3,5) +- Claims transformations. These transformations can now be performed on Multi-valued attributes, and can emit multi-valued claims. Microsoft Graph can now be used to read/write multi-valued directory schema extension attributes. [Learn more](../develop/active-directory-saml-claims-customization.md). ++++### Public Preview ΓÇô Flagged Sign-ins ++**Type:** New feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting + +Flagged sign-ins are a feature that will increase the signal to noise ratio for user sign-ins where users need help. The functionality is intended to empower users to raise awareness about sign-in errors they want help with. Also to help admins and help desk workers find the right sign-in events quickly and efficiently. [Learn more](../reports-monitoring/overview-flagged-sign-ins.md). ++++### Public preview - Device overview ++**Type:** New feature +**Service category:** Device Registration and Management +**Product capability:** Device Lifecycle Management + +The new Device Overview feature provides actionable insights about devices in your tenant. [Learn more](../devices/device-management-azure-portal.md). + +++### Public preview - Azure Active Directory workload identity federation ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** Developer Experience + +Azure AD workload identity federation is a new capability that's in public preview. It frees developers from handling application secrets or certificates. This includes secrets in scenarios such as using GitHub Actions and building applications on Kubernetes. 
Rather than creating an application secret and using that to get tokens for that application, developers can instead use tokens provided by the respective platforms such as GitHub and Kubernetes without having to manage any secrets manually.[Learn more](../develop/workload-identity-federation.md). ++++### Public Preview - Updates to Sign-in Diagnostic ++**Type:** Changed feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting + +With this update, the diagnostic covers more scenarios and is made more easily available to admins. ++New scenarios covered when using the Sign-in Diagnostic: +- Pass Through Authentication sign-in failures +- Seamless Single-Sign On sign-in failures + +Other changes include: +- Flagged Sign-ins will automatically appear for investigation when using the Sign-in Diagnostic from Diagnose and Solve. +- Sign-in Diagnostic is now available from the Enterprise Apps Diagnose and Solve blade. +- The Sign-in Diagnostic is now available in the Basic Info tab of the Sign-in Log event view for all sign-in events. [Learn more](../reports-monitoring/concept-sign-in-diagnostics-scenarios.md#supported-scenarios). ++++### General Availability - Privileged Role Administrators can now create Azure AD access reviews on role-assignable groups ++**Type:** Fixed +**Service category:** Access Reviews +**Product capability:** Identity Governance + +Privileged Role Administrators can now create Azure AD access reviews on Azure AD role-assignable groups, in addition to Azure AD roles. [Learn more](../governance/deploy-access-reviews.md#who-will-create-and-manage-access-reviews). 
+ +++### General Availability - Azure AD single sign-on and device-based Conditional Access support in Firefox on Windows 10/11 ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** SSO + +We now support native single sign-on (SSO) support and device-based Conditional Access to Firefox browser on Windows 10 and Windows Server 2019 starting in Firefox version 91. [Learn more](../conditional-access/require-managed-devices.md#prerequisites). + +++### General Availability - New app indicator in My Apps ++**Type:** New feature +**Service category:** My Apps +**Product capability:** End User Experiences + +Apps that have been recently assigned to the user show up with a "new" indicator. When the app is launched or the page is refreshed, this indicator disappears. [Learn more](/azure/active-directory/user-help/my-apps-portal-end-user-access). + +++### General availability - Custom domain support in Azure AD B2C ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C + +Azure AD B2C customers can now enable custom domains so their end-users are redirected to a custom URL domain for authentication. This is done via integration with Azure Front Door's custom domains capability. [Learn more](../../active-directory-b2c/custom-domain.md?pivots=b2c-user-flow). + +++### General availability - Edge Administrator built-in role ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + ++Users in this role can create and manage the enterprise site list required for Internet Explorer mode on Microsoft Edge. This role grants permissions to create, edit, and publish the site list and additionally allows access to manage support tickets. 
[Learn more](/deployedge/edge-ie-mode-cloud-site-list-mgmt) + +++### General availability - Windows 365 Administrator built-in role ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + +Users with this role have global permissions on Windows 365 resources, when the service is present. Additionally, this role contains the ability to manage users and devices to associate a policy, and create and manage groups. [Learn more](../roles/permissions-reference.md) + +++### New Federated Apps available in Azure AD Application gallery - October 2021 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In October 2021 we've added the following 10 new applications in our App gallery with Federation support: ++[Adaptive Shield](../saas-apps/adaptive-shield-tutorial.md), [SocialChorus Search](https://socialchorus.com/), [Hiretual-SSO](../saas-apps/hiretual-tutorial.md), [TeamSticker by Communitio](../saas-apps/teamsticker-by-communitio-tutorial.md), [embed signage](../saas-apps/embed-signage-tutorial.md), [JoinedUp](../saas-apps/joinedup-tutorial.md), [VECOS Releezme Locker management system](../saas-apps/vecos-releezme-locker-management-system-tutorial.md), [Altoura](../saas-apps/altoura-tutorial.md), [Dagster Cloud](../saas-apps/dagster-cloud-tutorial.md), [Qualaroo](../saas-apps/qualaroo-tutorial.md) ++You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, read the following article: https://aka.ms/AzureADAppRequest ++++### Continuous Access Evaluation migration with Conditional Access ++**Type:** Changed feature +**Service category:** Conditional Access +**Product capability:** User Authentication + +A new user experience is available for our CAE tenants. Tenants will now access CAE as part of Conditional Access. 
Any tenants that were previously using CAE for some (but not all) user accounts under the old UX or had previously disabled the old CAE UX will now be required to undergo a one time migration experience.[Learn more](../conditional-access/concept-continuous-access-evaluation.md#migration). + +++### Improved group list blade ++**Type:** Changed feature +**Service category:** Group Management +**Product capability:** Directory + +The new group list blade offers more sort and filtering capabilities, infinite scrolling, and better performance. [Learn more](../enterprise-users/groups-members-owners-search.md). + +++### General availability - Google deprecation of Gmail sign-in support on embedded webviews on September 30, 2021 ++**Type:** Changed feature +**Service category:** B2B +**Product capability:** B2B/B2C + +Google has deprecated Gmail sign-ins on Microsoft Teams mobile and custom apps that run Gmail authentications on embedded webviews on Sept. 30th, 2021. ++If you would like to request an extension, impacted customers with affected OAuth client ID(s) should have received an email from Google Developers with the following information regarding a one-time policy enforcement extension, which must be completed by Jan 31, 2022. ++To continue allowing your Gmail users to sign in and redeem, we strongly recommend that you refer toΓÇ»[Embedded vs System Web](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) UIΓÇ»in the MSAL.NET documentation and modify your apps to use the system browser for sign-in. All MSAL SDKs use the system web-view by default. ++As a workaround, we're deploying the device sign-in flow by October 8. Between today and until then, it's likely that it may not be rolled out to all regions yet (in which case, end-users will be met with an error screen until it gets deployed to your region.) 
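Review bot: the Gmail deprecation paragraph has the same encoding defect, "refer toΓÇ»[Embedded vs System Web](...) UIΓÇ»in the MSAL.NET documentation", where "ΓÇ»" is a mis-encoded non-breaking space; replace it with plain spaces and move "UI" inside the link text so it reads "refer to [Embedded vs System Web UI](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) in the MSAL.NET documentation". Also add the missing space in "one time migration experience.[Learn more]" in the CAE item.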
++For more details on the device sign-in flow and details on requesting extension to Google, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support). + +++### Identity Governance Administrator can create and manage Azure AD access reviews of groups and applications ++**Type:** Changed feature +**Service category:** Access Reviews +**Product capability:** Identity Governance + +Identity Governance Administrator can create and manage Azure AD access reviews of groups and applications. [Learn more](../governance/deploy-access-reviews.md#who-will-create-and-manage-access-reviews). + ++++++## September 2021 ++### Limits on the number of configured API permissions for an application registration will be enforced starting in October 2021 ++**Type:** Plan for change +**Service category:** Other +**Product capability:** Developer Experience + +Occasionally, application developers configure their apps to require more permissions than it's possible to grant. To prevent this from happening, we're enforcing a limit on the total number of required permissions that can be configured for an app registration. ++The total number of required permissions for any single application registration must not exceed 400 permissions, across all APIs. The change to enforce this limit will begin rolling out no sooner than mid-October 2021. Applications exceeding the limit can't increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and can't exceed 50 APIs. ++In the Azure portal, the required permissions are listed under Azure Active Directory > Application registrations > (select an application) > API permissions. Using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an application entity. 
[Learn more](../enterprise-users/directory-service-limits-restrictions.md). ++++### My Apps performance improvements ++**Type:** Fixed +**Service category:** My Apps +**Product capability:** End User Experiences + +The load time of My Apps has been improved. Users going to myapps.microsoft.com load My Apps directly, rather than being redirected through another service. [Learn more](../user-help/my-apps-portal-end-user-access.md). ++++### Single Page Apps using the `spa` redirect URI type must use a CORS enabled browser for auth ++**Type:** Known issue +**Service category:** Authentications (Logins) +**Product capability:** Developer Experience + +The modern Edge browser is now included in the requirement to provide an `Origin` header when redeeming a [single page app authorization code](../develop/v2-oauth2-auth-code-flow.md#redirect-uris-for-single-page-apps-spas). A compatibility fix accidentally exempted the modern Edge browser from CORS controls, and that bug is being fixed during October. A subset of applications depended on CORS being disabled in the browser, which has the side effect of removing the `Origin` header from traffic. This is an unsupported configuration for using Azure AD, and these apps that depended on disabling CORS can no longer use modern Edge as a security workaround. All modern browsers must now include the `Origin` header per HTTP spec, to ensure CORS is enforced. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt). ++++### General availability - On the My Apps portal, users can choose to view their apps in a list ++**Type:** New feature +**Service category:** My Apps +**Product capability:** End User Experiences + +By default, My Apps displays apps in a grid view. Users can now toggle their My Apps view to display apps in a list. [Learn more](../user-help/my-apps-portal-end-user-access.md). 
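Review bot: in the "Single Page Apps using the `spa` redirect URI type" item, the closing link points at "reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt", which is the device-code prompt entry and not the Origin-header/CORS change the paragraph describes; point it at the breaking-change entry for the `Origin` header requirement. The sentence "these apps that depended on disabling CORS can no longer use modern Edge as a security workaround" also reads as if Edge were the workaround; clarify that disabling CORS in the browser (which strips the `Origin` header) is the unsupported workaround and that it no longer has any effect in modern Edge.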
+ +++### General availability - New and enhanced device-related audit logs ++**Type:** New feature +**Service category:** Audit +**Product capability:** Device Lifecycle Management + +Admins can now see various new and improved device-related audit logs. The new audit logs include the create and delete passwordless credentials (Phone sign-in, FIDO2 key, and Windows Hello for Business), register/unregister device and pre-create/delete pre-create device. Additionally, there have been minor improvements to existing device-related audit logs that include adding more device details. [Learn more](../reports-monitoring/concept-audit-logs.md). ++++### General availability - Azure AD users can now view and report suspicious sign-ins and manage their accounts within Microsoft Authenticator ++**Type:** New feature +**Service category:** Microsoft Authenticator App +**Product capability:** Identity Security & Protection + +This feature allows Azure AD users to manage their work or school accounts within the Microsoft Authenticator app. The management features will allow users to view sign-in history and sign-in activity. They can report any suspicious or unfamiliar activity based on the sign-in history and activity if necessary. Users also can change their Azure AD account passwords and update the account's security information. [Learn more](../user-help/my-account-portal-sign-ins-page.md). + +++### General availability - New MS Graph APIs for role management ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + +New APIs for role management to MS Graph v1.0 endpoint are generally available. Instead of old [directory roles](/graph/api/resources/directoryrole?view=graph-rest-1.0&preserve-view=true), use [unifiedRoleDefinition](/graph/api/resources/unifiedroledefinition?view=graph-rest-1.0&preserve-view=true) and [unifiedRoleAssignment](/graph/api/resources/unifiedroleassignment?view=graph-rest-1.0&preserve-view=true). 
+ +++### General availability - Access Packages can expire after number of hours ++**Type:** New feature +**Service category:** User Access Management +**Product capability:** Entitlement Management ++It's now possible in entitlement management to configure an access package that will expire in a matter of hours in addition to the previous support for days or specific dates. [Learn more](../governance/entitlement-management-access-package-create.md#lifecycle). + +++### New provisioning connectors in the Azure AD Application Gallery - September 2021 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [BLDNG APP](../saas-apps/bldng-app-provisioning-tutorial.md) +- [Cato Networks](../saas-apps/cato-networks-provisioning-tutorial.md) +- [Rouse Sales](../saas-apps/rouse-sales-provisioning-tutorial.md) +- [SchoolStream ASA](../saas-apps/schoolstream-asa-provisioning-tutorial.md) +- [Taskize Connect](../saas-apps/taskize-connect-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../manage-apps/user-provisioning.md). 
+ +++### New Federated Apps available in Azure AD Application gallery - September 2021 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In September 2021, we have added following 44 new applications in our App gallery with Federation support ++[Studybugs](https://studybugs.com/signin), [Yello](https://yello.co/yello-for-microsoft-teams/), [LawVu](../saas-apps/lawvu-tutorial.md), [Formate eVo Mail](https://www.document-genetics.co.uk/formate-evo-erp-output-management), [Revenue Grid](https://app.revenuegrid.com/login), [Orbit for Office 365](https://azuremarketplace.microsoft.com/marketplace/apps/aad.orbitforoffice365?tab=overview), [Upmarket](https://app.upmarket.ai/), [Alinto Protect](https://protect.alinto.net/), [Cloud Concinnity](https://cloudconcinnity.com/), [Matlantis](https://matlantis.com/), [ModelGen for Visio (MG4V)](https://crecy.com.au/model-gen/), [NetRef: Classroom Management](https://oauth.net-ref.com/microsoft/sso), [VergeSense](../saas-apps/vergesense-tutorial.md), [SafetyCulture](../saas-apps/safety-culture-tutorial.md), [Secutraq](https://secutraq.net/login), [Active and Thriving](../saas-apps/active-and-thriving-tutorial.md), [Inova](https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=1bacdba3-7a3b-410b-8753-5cc0b8125f81&response_type=code&redirect_uri=https:%2f%2fbroker.partneringplace.com%2fpartner-companion%2f&code_challenge_method=S256&code_challenge=YZabcdefghijklmanopqrstuvwxyz0123456789._-~&scope=1bacdba3-7a3b-410b-8753-5cc0b8125f81/.default), [TerraTrue](../saas-apps/terratrue-tutorial.md), [Beyond Identity Admin Console](../saas-apps/beyond-identity-admin-console-tutorial.md), [Visult](https://visult.app), [ENGAGE TAG](https://app.engagetag.com/), [Appaegis Isolation Access Cloud](../saas-apps/appaegis-isolation-access-cloud-tutorial.md), [CrowdStrike Falcon Platform](../saas-apps/crowdstrike-falcon-platform-tutorial.md), [MY Emergency 
Control](https://my-emergency.co.uk/app/auth/login), [AlexisHR](../saas-apps/alexishr-tutorial.md), [Teachme Biz](../saas-apps/teachme-biz-tutorial.md), [Zero Networks](../saas-apps/zero-networks-tutorial.md), [Mavim iMprove](https://improve.mavimcloud.com/), [Azumuta](https://app.azumuta.com/login?microsoft=true), [Frankli](https://beta.frankli.io/login), [Amazon Managed Grafana](../saas-apps/amazon-managed-grafana-tutorial.md), [Productive](../saas-apps/productive-tutorial.md), [Create!Webπâòπâ¡πâ╝](../saas-apps/createweb-tutorial.md), [Evercate](https://evercate.com/), [Ezra Coaching](../saas-apps/ezra-coaching-tutorial.md), [Baldwin Safety and Compliance](../saas-apps/baldwin-safety-&-compliance-tutorial.md), [Nulab Pass (Backlog,Cacoo,Typetalk)](../saas-apps/nulab-pass-tutorial.md), [Metatask](../saas-apps/metatask-tutorial.md), [Contrast Security](../saas-apps/contrast-security-tutorial.md), [Animaker](../saas-apps/animaker-tutorial.md), [Traction Guest](../saas-apps/traction-guest-tutorial.md), [True Office Learning - LIO](../saas-apps/true-office-learning-lio-tutorial.md), [Qiita Team](../saas-apps/qiita-team-tutorial.md) ++You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest ++++### Gmail users signing in on Microsoft Teams mobile and desktop clients will sign in with device sign-in flow starting September 30, 2021 ++**Type:** Changed feature +**Service category:** B2B +**Product capability:** B2B/B2C + +Starting on September 30 2021, Azure AD B2B guests and Azure AD B2C customers signing in with their self-service signed up or redeemed Gmail accounts will have an extra sign-in step. Users will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients. 
If you haven't already done so, make sure to modify your apps to use the system browser for sign-in. SeeΓÇ»[Embedded vs System Web UIΓÇ»in the MSAL.NET](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) documentation for more information. All MSAL SDKs use the system web-view by default. ++As the device sign-in flow will start September 30, 2021, it may not be available in your region immediately. If it's not available yet, your end-users will be met with the error screen shown in the doc until it gets deployed to your region.) For more details on the device sign-in flow and details on requesting extension to Google, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support). + +++### Improved Conditional Access Messaging for Non-compliant Device ++**Type:** Changed feature +**Service category:** Conditional Access +**Product capability:** End User Experiences + +The text and design on the Conditional Access blocking screen shown to users when their device is marked as non-compliant has been updated. Users will be blocked until they take the necessary actions to meet their company's device compliance policies. Additionally, we have streamlined the flow for a user to open their device management portal. These improvements apply to all conditional access supported OS platforms. [Learn more](https://support.microsoft.com/account-billing/troubleshooting-the-you-can-t-get-there-from-here-error-message-479a9c42-d9d1-4e44-9e90-24bbad96c251) +++++## August 2021 ++### New major version of AADConnect available ++**Type:** Fixed +**Service category:** AD Connect +**Product capability:** Identity Lifecycle Management + +We've released a new major version of Azure Active Directory Connect. This version contains several updates of foundational components to the latest versions and is recommended for all customers using Azure AD Connect. 
[Learn more](../hybrid/whatis-azure-ad-connect-v2.md). + +++### Public Preview - Azure AD single sign-on and device-based Conditional Access support in Firefox on Windows 10 ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** SSO + ++We now support native single sign-on (SSO) support and device-based Conditional Access to the Firefox browser on Windows 10 and Windows Server 2019. Support is available in Firefox version 91. [Learn more](../conditional-access/require-managed-devices.md#prerequisites). + +++### Public preview - beta MS Graph APIs for Azure AD access reviews returns list of contacted reviewer names ++**Type:** New feature +**Service category:** Access Reviews +**Product capability:** Identity Governance + ++We've released beta MS Graph API for Azure AD access reviews. The API has methods to return a list of contacted reviewer names in addition to the reviewer type. [Learn more](/graph/api/resources/accessreviewinstance). + +++### General Availability - "Register or join devices" user action in Conditional Access ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection + ++The "Register or join devices" user action is generally available in Conditional access. This user action allows you to control multi-factor authentication policies for Azure Active Directory (AD) device registration. Currently, this user action only allows you to enable multi-factor authentication as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions). 
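Review bot: the September gallery list contains a garbled application name, "[Create!Webπâòπâ¡πâ╝](../saas-apps/createweb-tutorial.md)", which is mojibake of non-ASCII characters in the original name; restore the name from the linked tutorial's title rather than leaving the garbled bytes. The Gmail device sign-in item repeats the "SeeΓÇ»[Embedded vs System Web UIΓÇ»in the MSAL.NET]" encoding defect and has a stray closing parenthesis in "until it gets deployed to your region.)" with no opening one. In the Firefox SSO items (here and in the October entry) "native single sign-on (SSO) support" is followed by a second "support"; drop one.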
++++### General Availability - customers can scope reviews of privileged roles to eligible or permanent assignments ++**Type:** New feature +**Service category:** Access Reviews +**Product capability:** Identity Governance + +Administrators can now create access reviews of only permanent or eligible assignments to privileged Azure AD or Azure resource roles. [Learn more](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md). + + ++### General availability - assign roles to Azure Active Directory (AD) groups ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + ++Assigning roles to Azure AD groups is now generally available. This feature can simplify the management of role assignments in Azure AD for Global Administrators and Privileged Role Administrators. [Learn more](../roles/groups-concept.md). + +++### New Federated Apps available in Azure AD Application gallery - Aug 2021 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In August 2021, we have added following 46 new applications in our App gallery with Federation support: ++[Siriux Customer Dashboard](https://portal.siriux.tech/login), [STRUXI](https://struxi.app/), [Autodesk Construction Cloud - Meetings](https://acc.autodesk.com/), [Eccentex AppBase for Azure](../saas-apps/eccentex-appbase-for-azure-tutorial.md), [Bookado](https://adminportal.bookado.io/), [FilingRamp](https://app.filingramp.com/login), [BenQ IAM](../saas-apps/benq-iam-tutorial.md), [Rhombus Systems](../saas-apps/rhombus-systems-tutorial.md), [CorporateExperience](../saas-apps/corporateexperience-tutorial.md), [TutorOcean](../saas-apps/tutorocean-tutorial.md), [Bookado Device](https://adminportal.bookado.io/), [HiFives-AD-SSO](https://app.hifives.in/login/azure), [Darzin](https://au.darzin.com/), [Simply Stakeholders](https://au.simplystakeholders.com/), [KACTUS HCM - Smart 
People](https://kactusspc.digitalware.co/), [Five9 UC Adapter for Microsoft Teams V2](https://uc.five9.net/?vendor=msteams), [Automation Center](https://automationcenter.cognizantgoc.com/portal/boot/signon), [Cirrus Identity Bridge for Azure AD](../saas-apps/cirrus-identity-bridge-for-azure-ad-tutorial.md), [ShiftWizard SAML](../saas-apps/shiftwizard-saml-tutorial.md), [Safesend Returns](https://www.safesendwebsites.com/), [Brushup](../saas-apps/brushup-tutorial.md), [directprint.io Cloud Print Administration](../saas-apps/directprint-io-cloud-print-administration-tutorial.md), [plain-x](https://app.plain-x.com/#/login),[X-point Cloud](../saas-apps/x-point-cloud-tutorial.md), [SmartHub INFER](../saas-apps/smarthub-infer-tutorial.md), [Fresh Relevance](../saas-apps/fresh-relevance-tutorial.md), [FluentPro G.A. Suite](https://gas.fluentpro.com/Account/SSOLogin?provider=Microsoft), [Clockwork Recruiting](../saas-apps/clockwork-recruiting-tutorial.md), [WalkMe SAML2.0](../saas-apps/walkme-saml-tutorial.md), [Sideways 6](https://app.sideways6.com/account/login?ReturnUrl=/), [Kronos Workforce Dimensions](../saas-apps/kronos-workforce-dimensions-tutorial.md), [SysTrack Cloud Edition](https://cloud.lakesidesoftware.com/Cloud/Account/Login), [mailworx Dynamics CRM Connector](https://www.mailworx.info/), [Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service](../saas-apps/palo-alto-networks-cloud-identity-enginecloud-authentication-service-tutorial.md), [Peripass](https://accounts.peripass.app/v1/sso/challenge), [JobDiva](https://www.jobssos.com/index_azad.jsp?SSO=AZURE&ID=1), [Sanebox For Office365](https://sanebox.com/login), [Tulip](../saas-apps/tulip-tutorial.md), [HP Wolf Security](https://www.hpwolf.com/), [Genesys Engage cloud 
Email](https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&accessType=offline&state=07e035a7-6fb0-4411-afd9-efa46c9602f9&resource=https://graph.microsoft.com/&response_type=code&redirect_uri=https://iwd.api01-westus2.dev.genazure.com/iwd/v3/emails/oauth2/microsoft/callback&client_id=36cd21ab-862f-47c8-abb6-79facad09dda), [Meta Wiki](https://meta.dunkel.eu/), [Palo Alto Networks Cloud Identity Engine Directory Sync](https://directory-sync.us.paloaltonetworks.com/directory?instance=L2qoLVONpBHgdJp1M5K9S08Z7NBXlpi54pW1y3DDu2gQqdwKbyUGA11EgeaDfZ1dGwn397S8eP7EwQW3uyE4XL), [Valarea](https://www.valarea.com/en/download), [LanSchool Air](../saas-apps/lanschool-air-tutorial.md), [Catalyst](https://www.catalyst.org/sso-login/), [Webcargo](../saas-apps/webcargo-tutorial.md) ++You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest ++++### New provisioning connectors in the Azure AD Application Gallery - August 2021 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Chatwork](../saas-apps/chatwork-provisioning-tutorial.md) +- [Freshservice](../saas-apps/freshservice-provisioning-tutorial.md) +- [InviteDesk](../saas-apps/invitedesk-provisioning-tutorial.md) +- [Maptician](../saas-apps/maptician-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see Automate user provisioning to SaaS applications with Azure AD. 
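Review bot: two gallery entries link to raw OAuth authorization-request URLs instead of a product page: "[Inova](https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=...&code_challenge=YZabcdefghijklmanopqrstuvwxyz0123456789._-~...)" in the September list and "[Genesys Engage cloud Email](https://login.microsoftonline.com/common/oauth2/authorize?...&state=07e035a7-...)" here. A fixed, placeholder PKCE `code_challenge` and a fixed `state` value cannot complete a real sign-in (the client must generate both per request, and a constant `state` gives no CSRF protection), so these links will not work for readers and publish the vendors' request parameters; replace them with the vendor's landing page or tutorial, and review the "[Palo Alto Networks Cloud Identity Engine Directory Sync](...?instance=...)" link for the same reason. Separately, the August provisioning paragraph ends with bare text "see Automate user provisioning to SaaS applications with Azure AD." where the September paragraph links it to ../manage-apps/user-provisioning.md; add the link, and insert the missing space in "[plain-x](...),[X-point Cloud]".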
+ +++### Multifactor fraud report ΓÇô new audit event ++**Type:** Changed feature +**Service category:** MFA +**Product capability:** Identity Security & Protection + ++To help administrators understand that their users are blocked for multi-factor authentication as a result of fraud report, we've added a new audit event. This audit event is tracked when the user reports fraud. The audit log is available in addition to the existing information in the sign-in logs about fraud report. To learn how to get the audit report, see [multi-factor authentication Fraud alert](../authentication/howto-mfa-mfasettings.md#report-suspicious-activity). ++++### Improved Low-Risk Detections ++**Type:** Changed feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection ++To improve the quality of low risk alerts that Identity Protection issues, we've modified the algorithm to issue fewer low risk Risky sign-ins. Organizations may see a significant reduction in low risk sign-in in their environment. [Learn more](../identity-protection/concept-identity-protection-risks.md). + +++### Non-interactive risky sign-ins ++**Type:** Changed feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection + +Identity Protection now emits risky sign-ins on non-interactive sign-ins. Admins can find these risky sign-ins using the **sign-in type** filter in the risky sign-ins report. [Learn more](../identity-protection/howto-identity-protection-investigate-risk.md). + +++### Change from User Administrator to Identity Governance Administrator in Entitlement Management ++**Type:** Changed feature +**Service category:** Roles +**Product capability:** Identity Governance + +The permissions assignments to manage access packages and other resources in Entitlement Management are moving from the User Administrator role to the Identity Governance administrator role. 
++Users that have been assigned the User administrator role can longer create catalogs or manage access packages in a catalog they don't own. If users in your organization have been assigned the User administrator role to configure catalogs, access packages, or policies in entitlement management, they'll need a new assignment. You should instead assign these users the Identity Governance administrator role. [Learn more](../governance/entitlement-management-delegate.md) ++++### Microsoft Azure Active Directory connector is deprecated ++**Type:** Deprecated +**Service category:** Microsoft Identity Manager +**Product capability:** Identity Lifecycle Management + +The Microsoft Azure Active Directory Connector for FIM is at feature freeze and deprecated. The solution of using FIM and the Azure AD Connector has been replaced. Existing deployments should migrate to [Azure AD Connect](../hybrid/whatis-hybrid-identity.md), Azure AD Connect Sync, or the [Microsoft Graph Connector](/microsoft-identity-manager/microsoft-identity-manager-2016-connector-graph), as the internal interfaces used by the Azure AD Connector for FIM are being removed from Azure AD. [Learn more](/microsoft-identity-manager/microsoft-identity-manager-2016-deprecated-features). ++++### Retirement of older Azure AD Connect versions ++**Type:** Deprecated +**Service category:** AD Connect +**Product capability:** User Management + +Starting August 31 2022, all V1 versions of Azure AD Connect will be retired. If you haven't already done so, you need to update your server to Azure AD Connect V2.0. You need to make sure you're running a recent version of Azure AD Connect to receive an optimal support experience. ++If you run a retired version of Azure AD Connect, it may unexpectedly stop working. You may also not have the latest security fixes, performance improvements, troubleshooting, and diagnostic tools and service enhancements. 
Also, if you require support we can't provide you with the level of service your organization needs. ++See [Azure Active Directory Connect V2.0](../hybrid/whatis-azure-ad-connect-v2.md), what has changed in V2.0 and how this change impacts you. ++++### Retirement of support for installing MIM on Windows Server 2008 R2 or SQL Server 2008 R2 ++**Type:** Deprecated +**Service category:** Microsoft Identity Manager +**Product capability:** Identity Lifecycle Management + +Deploying MIM Sync, Service, Portal or CM on Windows Server 2008 R2, or using SQL Server 2008 R2 as the underlying database, is deprecated as these platforms are no longer in mainstream support. Installing MIM Sync and other components on Windows Server 2016 or later, and with SQL Server 2016 or later, is recommended. ++Deploying MIM for Privileged Access Management with a Windows Server 2012 R2 domain controller in the PRIV forest is deprecated. Use Windows Server 2016 or later Active Directory, with Windows Server 2016 functional level, for your PRIV forest domain. The Windows Server 2012 R2 functional level is still permitted for a CORP forest's domain. [Learn more](/microsoft-identity-manager/microsoft-identity-manager-2016-supported-platforms). ++++## July 2021 ++### New Google sign-in integration for Azure AD B2C and B2B self-service sign-up and invited external users will stop working starting July 12, 2021 ++**Type:** Plan for change +**Service category:** B2B +**Product capability:** B2B/B2C + +Previously we announced that [the exception for Embedded WebViews for Gmail authentication will expire in the second half of 2021](https://www.yammer.com/cepartners/threads/1188371962232832). ++On July 7, 2021, we learned from Google that some of these restrictions will apply starting **July 12, 2021**. 
Azure AD B2B and B2C customers who set up a new Google ID sign-in in their custom or line of business applications to invite external users or enable self-service sign-up will have the restrictions applied immediately. As a result, end-users will be met with an error screen that blocks their Gmail sign-in if the authentication is not moved to a system webview. See the docs linked below for details. ++Most apps use system web-view by default, and will not be impacted by this change. This only applies to customers using embedded webviews (the non-default setting.) We advise customers to move their application's authentication to system browsers instead, prior to creating any new Google integrations. To learn how to move to system browsers for Gmail authentications, read the Embedded vs System Web UI section in the [Using web browsers (MSAL.NET)](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) documentation. All MSAL SDKs use the system web-view by default. [Learn more](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support). ++++### Google sign-in on embedded web-views expiring September 30, 2021 ++**Type:** Plan for change +**Service category:** B2B +**Product capability:** B2B/B2C + ++About two months ago we announced that the exception for Embedded WebViews for Gmail authentication will expire in the second half of 2021. ++Recently, Google has specified the date to be **September 30, 2021**. ++Rolling out globally beginning September 30, 2021, Azure AD B2B guests signing in with their Gmail accounts will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients. This applies to invited guests and guests who signed up using Self-Service Sign-Up. 
++Azure AD B2C customers who have set up embedded webview Gmail authentications in their custom/line of business apps or have existing Google integrations, will no longer can let their users sign in with Gmail accounts. To mitigate this, make sure to modify your apps to use the system browser for sign-in. For more information, read the Embedded vs System Web UI section in the [Using web browsers (MSAL.NET)](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) documentation. All MSAL SDKs use the system web-view by default. ++As the device sign-in flow will start rolling out on September 30, 2021, it's likely that it may not be rolled out to your region yet (in which case, your end-users will be met with the error screen shown in the documentation until it gets deployed to your region.) ++For details on known impacted scenarios and what experience your users can expect, read [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support). ++++### Bug fixes in My Apps ++**Type:** Fixed +**Service category:** My Apps +**Product capability:** End User Experiences + +- Previously, the presence of the banner recommending the use of collections caused content to scroll behind the header. This issue has been resolved. +- Previously, there was another issue when adding apps to a collection, the order of apps in All Apps collection would get randomly reordered. This issue has also been resolved. ++For more information on My Apps, read [Sign in and start apps from the My Apps portal](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510). 
++++### Public preview - Application authentication method policies ++**Type:** New feature +**Service category:** MS Graph +**Product capability:** Developer Experience + +Application authentication method policies in MS Graph which allow IT admins to enforce lifetime on application password secret credential or block the use of secrets altogether. Policies can be enforced for an entire tenant as a default configuration and it can be scoped to specific applications or service principals. [Learn more](/graph/api/resources/policy-overview). + +++### Public preview - Authentication Methods registration campaign to download Microsoft Authenticator ++**Type:** New feature +**Service category:** Microsoft Authenticator App +**Product capability:** User Authentication + +The Authenticator registration campaign helps admins to move their organizations to a more secure posture by prompting users to adopt the Microsoft Authenticator app. Prior to this feature, there was no way for an admin to push their users to set up the Authenticator app. ++The registration campaign comes with the ability for an admin to scope users and groups by including and excluding them from the registration campaign to ensure a smooth adoption across the organization. [Learn more](../authentication/how-to-mfa-registration-campaign.md) + +++### Public preview - Separation of duties check ++**Type:** New feature +**Service category:** User Access Management +**Product capability:** Entitlement Management + +In Azure AD entitlement management, an administrator can define that an access package is incompatible with another access package or with a group. Users who have the incompatible memberships will be then unable to request more access. [Learn more](../governance/entitlement-management-access-package-request-policy.md#prevent-requests-from-users-with-incompatible-access). 
+ +++### Public preview - Identity Protection logs in Log Analytics, Storage Accounts, and Event Hubs ++**Type:** New feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection + +You can now send the risky users and risk detections logs to Azure Monitor, Storage Accounts, or Log Analytics using the Diagnostic Settings in the Azure AD blade. [Learn more](../identity-protection/howto-export-risk-data.md). + +++### Public preview - Application Proxy API addition for backend SSL certificate validation ++**Type:** New feature +**Service category:** App Proxy +**Product capability:** Access Control + +The onPremisesPublishing resource type now includes the property, "isBackendCertificateValidationEnabled" which indicates whether backend SSL certificate validation is enabled for the application. For all new Application Proxy apps, the property will be set to true by default. For all existing apps, the property will be set to false. For more information, read the [onPremisesPublishing resource type](/graph/api/resources/onpremisespublishing?view=graph-rest-beta&preserve-view=true) api. + +++### General availability - Improved Authenticator setup experience for add Azure AD account in Microsoft Authenticator app by directly signing into the app. ++**Type:** New feature +**Service category:** Microsoft Authenticator App +**Product capability:** User Authentication + +Users can now use their existing authentication methods to directly sign into the Microsoft Authenticator app to set up their credential. Users don't need to scan a QR Code anymore and can use a Temporary Access Pass (TAP) or Password + SMS (or other authentication method) to configure their account in the Authenticator app. ++This improves the user credential provisioning process for the Microsoft Authenticator app and gives the end user a self-service method to provision the app. 
[Learn more](https://support.microsoft.com/account-billing/add-your-work-or-school-account-to-the-microsoft-authenticator-app-43a73ab5-b4e8-446d-9e54-2a4cb8e4e93c#sign-in-with-your-credentials). + +++### General availability - Set manager as reviewer in Azure AD entitlement management access packages ++**Type:** New feature +**Service category:** User Access Management +**Product capability:** Entitlement Management + +Access packages in Azure AD entitlement management now support setting the user's manager as the reviewer for regularly occurring access reviews. [Learn more](../governance/entitlement-management-access-reviews-create.md). ++++### General availability - Enable external users to self-service sign up in Azure Active Directory using MSA accounts ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C + +Users can now enable external users to self-service sign up in Azure Active Directory using Microsoft accounts. [Learn more](../external-identities/microsoft-account.md). + ++ +### General availability - External Identities Self-Service Sign-Up with Email One-time Passcode ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C + ++Now users can enable external users to self-service sign up in Azure Active Directory using their email and one-time passcode. [Learn more](../external-identities/one-time-passcode.md). + +++### General availability - Anomalous token ++**Type:** New feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection + +Anomalous token detection is now available in Identity Protection. This feature can detect that there are abnormal characteristics in the token such as time active and authentication from unfamiliar IP address. [Learn more](../identity-protection/concept-identity-protection-risks.md). 
+ +++### General availability - Register or join devices in Conditional Access ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection + +The Register or join devices user action in Conditional access is now in general availability. This user action allows you to control multifactor authentication (MFA) policies for Azure AD device registration. ++Currently, this user action only allows you to enable multifactor authentication as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions). ++++### New provisioning connectors in the Azure AD Application Gallery - July 2021 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Clebex](../saas-apps/clebex-provisioning-tutorial.md) +- [Exium](../saas-apps/exium-provisioning-tutorial.md) +- [SoSafe](../saas-apps/sosafe-provisioning-tutorial.md) +- [Talentech](../saas-apps/talentech-provisioning-tutorial.md) +- [Thrive LXP](../saas-apps/thrive-lxp-provisioning-tutorial.md) +- [Vonage](../saas-apps/vonage-provisioning-tutorial.md) +- [Zip](../saas-apps/zip-provisioning-tutorial.md) +- [TimeClock 365](../saas-apps/timeclock-365-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, read [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). 
++++### Changes to security and Microsoft 365 group settings in Azure portal ++**Type:** Changed feature +**Service category:** Group Management +**Product capability:** Directory + ++In the past, users could create security groups and Microsoft 365 groups in the Azure portal. Now users will have the ability to create groups across Azure portals, PowerShell, and API. Customers are required to verify and update the new settings have been configured for their organization. [Learn More](../enterprise-users/groups-self-service-management.md#group-settings). + +++### "All Apps" collection has been renamed to "Apps" ++**Type:** Changed feature +**Service category:** My Apps +**Product capability:** End User Experiences + +In the My Apps portal, the collection that was called "All Apps" has been renamed to be called "Apps". As the product evolves, "Apps" is a more fitting name for this default collection. [Learn more](../manage-apps/my-apps-deployment-plan.md#plan-the-user-experience). + +++## June 2021 ++### Context panes to display risk details in Identity Protection Reports ++**Type:** Plan for change +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection + +For the Risky users, Risky sign-ins, and Risk detections reports in Identity Protection, the risk details of a selected entry will be shown in a context pane appearing from the right of the page July 2021. The change only impacts the user interface and won't affect any existing functionalities. To learn more about the functionality of these features, refer to [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md). 
+ +++### Public preview - create Azure AD access reviews of Service Principals that are assigned to privileged roles ++**Type:** New feature +**Service category:** Access Reviews +**Product capability:** Identity Governance + + You can use Azure AD access reviews to review service principal's access to privileged Azure AD and Azure resource roles. [Learn more](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md#create-access-reviews). + +++### Public preview - group owners in Azure AD can create and manage Azure AD access reviews for their groups ++**Type:** New feature +**Service category:** Access Reviews +**Product capability:** Identity Governance + +Now group owners in Azure AD can create and manage Azure AD access reviews on their groups. This ability can be enabled by tenant administrators through Azure AD access review settings and is disabled by default. [Learn more](../governance/create-access-review.md#allow-group-owners-to-create-and-manage-access-reviews-of-their-groups). + +++### Public preview - customers can scope access reviews of privileged roles to just users with eligible or active access ++**Type:** New feature +**Service category:** Access Reviews +**Product capability:** Identity Governance + +When admins create access reviews of assignments to privileged roles, they can scope the reviews to only eligibly assigned users or only actively assigned users. [Learn more](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md). + +++### Public preview - Microsoft Graph APIs for Mobility (MDM/MAM) management policies ++**Type:** New feature +**Service category:** Other +**Product capability:** Device Lifecycle Management + +Microsoft Graph support for the Mobility (MDM/MAM) configuration in Azure AD is in public preview. Administrators can configure user scope and URLs for MDM applications like Intune using Microsoft Graph v1.0. 
For more information, see [mobilityManagementPolicy resource type](/graph/api/resources/mobilitymanagementpolicy?view=graph-rest-beta&preserve-view=true) ++++### General availability - Custom questions in access package request flow in Azure Active Directory entitlement management ++**Type:** New feature +**Service category:** User Access Management +**Product capability:** Entitlement Management + +Azure AD entitlement management now supports the creation of custom questions in the access package request flow. This feature allows you to configure custom questions in the access package policy. These questions are shown to requestors who can input their answers as part of the access request process. These answers will be displayed to approvers, giving them helpful information that empowers them to make better decisions on the access request. [Learn more](../governance/entitlement-management-access-package-create.md). ++++### General availability - Multi-geo SharePoint sites as resources in Entitlement Management Access Packages ++**Type:** New feature +**Service category:** User Access Management +**Product capability:** Entitlement Management + +Access packages in Entitlement Management now support multi-geo SharePoint sites for customers who use the multi-geo capabilities in SharePoint Online. [Learn more](../governance/entitlement-management-catalog-create.md#add-a-multi-geo-sharepoint-site). + +++### General availability - Knowledge Admin and Knowledge Manager built-in roles ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + +Two new roles, Knowledge Administrator and Knowledge Manager are now in general availability. ++- Users in the Knowledge Administrator role have full access to all Organizational knowledge settings in the Microsoft 365 admin center. They can create and manage content, like topics and acronyms. Additionally, these users can create content centers, monitor service health, and create service requests. 
[Learn more](../roles/permissions-reference.md#knowledge-administrator) +- Users in the Knowledge Manager role can create and manage content and are primarily responsible for the quality and structure of knowledge. They have full rights to topic management actions to confirm a topic, approve edits, or delete a topic. This role can also manage taxonomies as part of the term store management tool and create content centers. [Learn more](../roles/permissions-reference.md#knowledge-manager). ++++### General availability - Cloud App Security Administrator built-in role ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + + Users with this role have full permissions in Cloud App Security. They can add administrators, add Microsoft Cloud App Security (MCAS) policies and settings, upload logs, and do governance actions. [Learn more](../roles/permissions-reference.md#cloud-app-security-administrator). + +++### General availability - Windows Update Deployment Administrator ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + ++ Users in this role can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. The deployment service enables users to define settings for when and how updates are deployed. Also, users can specify which updates are offered to groups of devices in their tenant. It also allows users to monitor the update progress. [Learn more](../roles/permissions-reference.md#windows-update-deployment-administrator). + +++### General availability - multi-camera support for Windows Hello ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +Now with the Windows 10 21H1 update, Windows Hello supports multiple cameras. The update includes defaults to use the external camera when both built-in and outside cameras are present. 
[Learn more](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). +++ +### General availability - Access Reviews MS Graph APIs now in v1.0 ++**Type:** New feature +**Service category:** Access Reviews +**Product capability:** Identity Governance + +Azure Active Directory access reviews MS Graph APIs are now in v1.0 support fully configurable access reviews features. [Learn more](/graph/api/resources/accessreviewsv2-overview?view=graph-rest-1.0&preserve-view=true). + +++### New provisioning connectors in the Azure AD Application Gallery - June 2021 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [askSpoke](../saas-apps/askspoke-provisioning-tutorial.md) +- [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-provisioning-tutorial.md) +- [CheckProof](../saas-apps/checkproof-provisioning-tutorial.md) +- [GoLinks](../saas-apps/golinks-provisioning-tutorial.md) +- [Holmes Cloud](../saas-apps/holmes-cloud-provisioning-tutorial.md) +- [H5mag](../saas-apps/h5mag-provisioning-tutorial.md) +- [LimbleCMMS](../saas-apps/limblecmms-provisioning-tutorial.md) +- [LogMeIn](../saas-apps/logmein-provisioning-tutorial.md) +- [SECURE DELIVER](../saas-apps/secure-deliver-provisioning-tutorial.md) +- [Sigma Computing](../saas-apps/sigma-computing-provisioning-tutorial.md) +- [Smallstep SSH](../saas-apps/smallstep-ssh-provisioning-tutorial.md) +- [Tribeloo](../saas-apps/tribeloo-provisioning-tutorial.md) +- [Twingate](../saas-apps/twingate-provisioning-tutorial.md) ++For more information, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). 
+ +++### New Federated Apps available in Azure AD Application gallery - June 2021 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In June 2021, we have added following 42 new applications in our App gallery with Federation support ++[Taksel](https://help.ubuntu.com/community/Tasksel), [IDrive360](../saas-apps/idrive360-tutorial.md), [VIDA](../saas-apps/vida-tutorial.md), [ProProfs Classroom](../saas-apps/proprofs-classroom-tutorial.md), [WAN-Sign](../saas-apps/wan-sign-tutorial.md), [Citrix Cloud SAML SSO](../saas-apps/citrix-cloud-saml-sso-tutorial.md), [Fabric](../saas-apps/fabric-tutorial.md), [DssAD](https://cloudlicensing.deepseedsolutions.com/), [RICOH Creative Collaboration RICC](https://www.ricoh-europe.com/products/software-apps/collaboration-board-software/ricc/), [Styleflow](../saas-apps/styleflow-tutorial.md), [Chaos](https://accounts.chaosgroup.com/corporate_login), [Traced Connector](https://control.traced.app/signup), [Squarespace](https://account.squarespace.com/org/azure), [MX3 Diagnostics Connector](https://www.mx3diagnostics.com/), [Ten Spot](https://tenspot.co/api/v1/sso/azure/login/), [Finvari](../saas-apps/finvari-tutorial.md), [Mobile4ERP](https://play.google.com/store/apps/details?id=com.negevsoft.mobile4erp), [WalkMe US OpenID Connect](https://www.walkme.com/), [Neustar UltraDNS](../saas-apps/neustar-ultradns-tutorial.md), [cloudtamer.io](../saas-apps/cloudtamer-io-tutorial.md), [A Cloud Guru](../saas-apps/a-cloud-guru-tutorial.md), [PetroVue](../saas-apps/petrovue-tutorial.md), [Postman](../saas-apps/postman-tutorial.md), [ReadCube Papers](../saas-apps/readcube-papers-tutorial.md), [Peklostroj](https://app.peklostroj.cz/), [SynCloud](https://www.syncloud.org/apps.html), [Polymerhq.io](https://www.polymerhq.io/), [Bonos](../saas-apps/bonos-tutorial.md), [Astra Schedule](../saas-apps/astra-schedule-tutorial.md), [Draup](../saas-apps/draup-inc-tutorial.md), 
[Inc](../saas-apps/draup-inc-tutorial.md), [Applied Mental Health](../saas-apps/applied-mental-health-tutorial.md), [iHASCO Training](../saas-apps/ihasco-training-tutorial.md), [Nexsure](../saas-apps/nexsure-tutorial.md), [XEOX](https://login.xeox.com/), [Plandisc](https://create.plandisc.com/account/logon), [foundU](../saas-apps/foundu-tutorial.md), [Standard for Success Accreditation](../saas-apps/standard-for-success-accreditation-tutorial.md), [Penji Teams](https://web.penjiapp.com/), [CheckPoint Infinity Portal](../saas-apps/checkpoint-infinity-portal-tutorial.md), [Teamgo](../saas-apps/teamgo-tutorial.md), [Hopsworks.ai](../saas-apps/hopsworks-ai-tutorial.md), [HoloMeeting 2](https://backend2.holomeeting.io/) ++You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest + +++### Device code flow now includes an app verification prompt ++**Type:** Changed feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +The [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include one extra user prompt. While signing in, the user will see a prompt asking them to validate the app they're signing into. The prompt ensures that they aren't subject to a phishing attack. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt). + +++### User last sign-in date and time is now available on Azure portal ++**Type:** Changed feature +**Service category:** User Management +**Product capability:** User Management + +You can now view your users' last sign-in date and time stamp on the Azure portal. The information is available for each user on the user profile page. This information helps you identify inactive users and effectively manage risky events. 
[Learn more](./active-directory-users-profile-azure-portal.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context). + +++### MIM BHOLD Suite impact of end of support for Microsoft Silverlight ++**Type:** Changed feature +**Service category:** Microsoft Identity Manager +**Product capability:** Identity Governance + +Microsoft Silverlight will reach its end of support on October 12, 2021. This change only impacts customers using the Microsoft BHOLD Suite, and doesn't impact other Microsoft Identity Manager scenarios. For more information, see [Silverlight End of Support](https://support.microsoft.com/windows/silverlight-end-of-support-0a3be3c7-bead-e203-2dfd-74f0a64f1788). ++Users who haven't installed Microsoft Silverlight in their browser can't use the BHOLD Suite modules, which require Silverlight. This includes the BHOLD Model Generator, BHOLD FIM Self-service integration, and BHOLD Analytics. Customers with an existing BHOLD deployment of one or more of those modules should plan to uninstall those modules from their BHOLD server computers by October 2021. Also, they should plan to uninstall Silverlight from any user computers that were previously interacting with that BHOLD deployment. + +++### My* experiences: End of support for Internet Explorer 11 ++**Type:** Deprecated +**Service category:** My Apps +**Product capability:** End User Experiences + ++Microsoft 365 and other apps are ending support for Internet Explorer 11 on August 21, 2021, and this includes the My* experiences. The My*s accessed via Internet Explorer won't receive bug fixes or any updates, which may lead to issues. These dates are being driven by the Edge team and may be subject to change. [Learn more](https://blogs.windows.com/windowsexperience/2021/05/19/the-future-of-internet-explorer-on-windows-10-is-in-microsoft-edge/). 
+ +++### Planned deprecation - Malware linked IP address detection in Identity Protection ++**Type:** Deprecated +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection + +Starting October 1, 2021, Azure AD Identity Protection will no longer generate the "Malware linked IP address" detection. No action is required and customers will remain protected by the other detections provided by Identity Protection. To learn more about protection policies, refer to [Identity Protection policies](../identity-protection/concept-identity-protection-policies.md). + +++## May 2021 ++### Public preview - Azure AD verifiable credentials ++**Type:** New feature +**Service category:** Other +**Product capability:** User Authentication + +Azure AD customers can now easily design and issue verifiable credentials. Verifiable credentials can be used to represent proof of employment, education, or any other claim while respecting privacy. Digitally validate any piece of information about anyone and any business. [Learn more](../verifiable-credentials/index.yml). ++++### Public preview - Device code flow now includes an app verification prompt ++**Type:** New feature +**Service category:** User Authentication +**Product capability:** Authentications (Logins) + +As a security improvement, the [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include another prompt, which validates that the user is signing into the app they expect. The rollout is planned to start in June and expected to be complete by June 30. ++To help prevent phishing attacks where an attacker tricks the user into signing into a malicious application, the following prompt is being added: "Are you trying to sign in to [application display name]?". All users will see this prompt while signing in using the device code flow. As a security measure, it can't be removed or bypassed. 
[Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt). ++++### Public preview - build and test expressions for user provisioning ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management + +The expression builder allows you to create and test expressions, without having to wait for the full sync cycle. [Learn more](../app-provisioning/functions-for-customizing-application-data.md). ++++### Public preview - enhanced audit logs for Conditional Access policy changes ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection + +An important aspect of managing Conditional Access is understanding changes to your policies over time. Policy changes may cause disruptions for your end users, so maintaining a log of changes and enabling admins to revert to previous policy versions is critical. ++and showing who made a policy change and when, the audit logs will now also contain a modified properties value. This change gives admins greater visibility into what assignments, conditions, or controls changed. If you want to revert to a previous version of a policy, you can copy the JSON representation of the old version and use the Conditional Access APIs to change the policy to its previous state. [Learn more](../conditional-access/concept-conditional-access-policies.md). ++++### Public preview - Sign-in logs include authentication methods used during sign-in ++**Type:** New feature +**Service category:** MFA +**Product capability:** Monitoring & Reporting + ++Admins can now see the sequential steps users took to sign-in, including which authentication methods were used during sign-in. ++To access these details, go to the Azure AD sign-in logs, select a sign-in, and then navigate to the Authentication Method Details tab. 
Here we have included information such as which method was used, details about the method (for example, phone number, phone name), authentication requirement satisfied, and result details. [Learn more](../reports-monitoring/concept-sign-ins.md). ++++### Public preview - PIM adds support for ABAC conditions in Azure Storage roles ++**Type:** New feature +**Service category:** Privileged Identity Management +**Product capability:** Privileged Identity Management + +Along with the public preview of attributed-based access control (ABAC) for specific Azure roles, you can also add ABAC conditions inside Privileged Identity Management for your eligible assignments. [Learn more](../../role-based-access-control/conditions-overview.md#conditions-and-azure-ad-pim). ++++### General availability - Conditional Access and Identity Protection Reports in B2C ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C ++B2C now supports Conditional Access and Identity Protection for business-to-consumer (B2C) apps and users. This enables customers to protect their users with granular risk- and location-based access controls. With these features, customers can now look at the signals and create a policy to provide more security and access to your customers. [Learn more](../../active-directory-b2c/conditional-access-identity-protection-overview.md). ++++### General availability - KMSI and Password reset now in next generation of user flows ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C ++The next generation of B2C user flows now supports [keep me signed in (KMSI)](../../active-directory-b2c/session-behavior.md?pivots=b2c-custom-policy#enable-keep-me-signed-in-kmsi) and password reset. The KMSI functionality allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie. 
This feature keeps the session active even when the user closes and reopens the browser. The session is revoked when the user signs out. Password reset allows users to reset their password from the "Forgot your password +' link. This also allows the admin to force reset the user's expired password in the Azure AD B2C directory. [Learn more](../../active-directory-b2c/add-password-reset-policy.md?pivots=b2c-user-flow). + +++### General availability - New Log Analytics workbook Application role assignment activity ++**Type:** New feature +**Service category:** User Access Management +**Product capability:** Entitlement Management + +A new workbook has been added for surfacing audit events for application role assignment changes. [Learn more](../governance/entitlement-management-logs-and-reporting.md). ++++### General availability - Next generation Azure AD B2C user flows ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C + +The new simplified user flow experience offers feature parity with preview features and is the home for all new features. Users can enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. The new, user-friendly UX also simplifies the selection and creation of user flows. Refer to [Create user flows in Azure AD B2C](../../active-directory-b2c/tutorial-create-user-flows.md?pivots=b2c-user-flow) for guidance on using this feature. [Learn more](../../active-directory-b2c/user-flow-versions.md). ++++### General availability - Azure Active Directory threat intelligence for sign-in risk ++**Type:** New feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection + +This new detection serves as an ad-hoc method to allow our security teams to notify you and protect your users by raising their session risk to a High risk when we observe an attack happening. 
The detection will also mark the associated sign-ins as risky. This detection follows the existing Azure Active Directory threat intelligence for user risk detection to provide complete coverage of the various attacks observed by Microsoft security teams. [Learn more](../identity-protection/concept-identity-protection-risks.md). + +++### General availability - Conditional Access named locations improvements ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection + +IPv6 support in named locations is now generally available. Updates include: ++- Added the capability to define IPv6 address ranges +- Increased limit of named locations from 90 to 195 +- Increased limit of IP ranges per named location from 1200 to 2000 +- Added capabilities to search and sort named locations and filter by location type and trust type +- Added named locations a sign-in belonged to in the sign-in logs + +Additionally, to prevent admins from defining problematically named locations, extra checks have been added to reduce the chance of misconfiguration. [Learn more](../conditional-access/location-condition.md). ++++### General availability - Restricted guest access permissions in Azure AD ++**Type:** New feature +**Service category:** User Management +**Product capability:** Directory + +Directory level permissions for guest users have been updated. These permissions allow administrators to require extra restrictions and controls on external guest user access. ++Admins can now add more restrictions for external guests' access to user and groups' profile and membership information. Also, customers can manage external user access at scale by hiding group memberships, including restricting guest users from seeing memberships of the group(s) they are in. To learn more, see [Restrict guest access permissions in Azure Active Directory](../enterprise-users/users-restrict-guest-permissions.md). 
+ +++### New Federated Apps available in Azure AD Application gallery - May 2021 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [AuditBoard](../saas-apps/auditboard-provisioning-tutorial.md) +- [Cisco Umbrella User Management](../saas-apps/cisco-umbrella-user-management-provisioning-tutorial.md) +- [Insite LMS](../saas-apps/insite-lms-provisioning-tutorial.md) +- [kpifire](../saas-apps/kpifire-provisioning-tutorial.md) +- [UNIFI](../saas-apps/unifi-provisioning-tutorial.md) ++For more information about how to better secure your organization using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). ++++### New Federated Apps available in Azure AD Application gallery - May 2021 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In May 2021, we have added following 29 new applications in our App gallery with Federation support ++[InviteDesk](https://app.invitedesk.com/login), [Webrecruit ATS](https://id-test.webrecruit.co.uk/), [Workshop](../saas-apps/workshop-tutorial.md), [Gravity Sketch](https://landingpad.me/), [JustLogin](../saas-apps/justlogin-tutorial.md), [Custellence](https://custellence.com/sso/), [WEVO](https://hello.wevoconversion.com/login), [AppTec360 MDM](https://www.apptec360.com/ms/autopilot.html), [Filemail](https://www.filemail.com/login),[Ardoq](../saas-apps/ardoq-tutorial.md), [Leadfamly](../saas-apps/leadfamly-tutorial.md), [Documo](../saas-apps/documo-tutorial.md), [Autodesk SSO](../saas-apps/autodesk-sso-tutorial.md), [Check Point Harmony Connect](../saas-apps/check-point-harmony-connect-tutorial.md), [BrightHire](https://app.brighthire.ai/), [Rescana](../saas-apps/rescana-tutorial.md), 
[Bluewhale](https://cloud.bluewhale.dk/), [AlacrityLaw](../saas-apps/alacritylaw-tutorial.md), [Equisolve](../saas-apps/equisolve-tutorial.md), [Zip](../saas-apps/zip-tutorial.md), [Cognician](../saas-apps/cognician-tutorial.md), [Acra](https://www.acrasuite.com/), [VaultMe](https://app.vaultme.com/#/signIn), [TAP App Security](../saas-apps/tap-app-security-tutorial.md), [Cavelo Office365 Cloud Connector](https://dashboard.prod.cavelodata.com/), [Clebex](../saas-apps/clebex-tutorial.md), [Banyan Command Center](../saas-apps/banyan-command-center-tutorial.md), [Check Point Remote Access VPN](../saas-apps/check-point-remote-access-vpn-tutorial.md), [LogMeIn](../saas-apps/logmein-tutorial.md) ++You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest ++++### Improved Conditional Access Messaging for Android and iOS ++**Type:** Changed feature +**Service category:** Device Registration and Management +**Product capability:** End User Experiences + +We've updated the wording on the Conditional Access screen shown to users when they're blocked from accessing corporate resources. They'll be blocked until they enroll their device in Mobile Device Management. These improvements apply to the Android and iOS/iPadOS platforms. The following have been changed: ++- "Help us keep your device secure" has changed to "Set up your device to get access" +- "Your sign-in was successful but your admin requires your device to be managed by Microsoft to access this resource." to "[Organization's name] requires you to secure this device before you can access [organization's name] email, files, and data." +- "Enroll Now" to "Continue" ++The information in [Enroll your Android enterprise device](https://support.microsoft.com/topic/enroll-your-android-enterprise-device-d661c82d-fa28-5dfd-b711-6dff41ae83bb) is out of date. 
++++### Azure Information Protection service will begin asking for consent ++**Type:** Changed feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +The Azure Information Protection service signs users into the tenant that encrypted the document as part of providing access to the document. Starting June, Azure AD will begin prompting the user for consent when this access is given across organizations. This ensures that the user understands that the organization that owns the document will collect some information about the user as part of the document access. [Learn more](/azure/information-protection/known-issues#sharing-external-doc-types-across-tenants). + +++### Provisioning logs schema change impacting Graph API and Azure Monitor integration ++**Type:** Changed feature +**Service category:** App Provisioning +**Product capability:** Monitoring & Reporting + +The attributes "Action" and "statusInfo" will be changed to "provisioningAction" and "provisoiningStatusInfo." Update any scripts that you have created using the [provisioning logs Graph API](/graph/api/resources/provisioningobjectsummary) or [Azure Monitor integrations](../app-provisioning/application-provisioning-log-analytics.md). + +++### New ARM API to manage PIM for Azure Resources and Azure AD roles ++**Type:** Changed feature +**Service category:** Privileged Identity Management +**Product capability:** Privileged Identity Management + +An updated version of the PIM API for Azure Resource role and Azure AD role has been released. The PIM API for Azure Resource role is now released under the ARM API standard, which aligns with the role management API for regular Azure role assignment. On the other hand, the PIM API for Azure AD roles is also released under graph API aligned with the unifiedRoleManagement APIs. 
Some of the benefits of this change include: ++- Alignment of the PIM API with objects in ARM and Graph for role managementReducing the need to call PIM to onboard new Azure resources. +- All Azure resources automatically work with new PIM API. +- Reducing the need to call PIM for role definition or keeping a PIM resource ID +- Supporting app-only API permissions in PIM for both Azure AD and Azure Resource roles ++A previous version of the PIM API under `/privilegedaccess` will continue to function but we recommend you to move to this new API going forward. [Learn more](../privileged-identity-management/pim-apis.md). + +++### Revision of roles in Azure AD entitlement management ++**Type:** Changed feature +**Service category:** Roles +**Product capability:** Entitlement Management + +A new role, Identity Governance Administrator, has recently been introduced. This role will be the replacement for the User Administrator role in managing catalogs and access packages in Azure AD entitlement management. If you have assigned administrators to the User Administrator role or have them activate this role to manage access packages in Azure AD entitlement management, switch to the Identity Governance Administrator role instead. The User Administrator role will no longer be providing administrative rights to catalogs or access packages. [Learn more](../governance/identity-governance-overview.md#appendixleast-privileged-roles-for-managing-in-identity-governance-features). +++## April 2021 ++### Bug fixed - Azure AD will no longer double-encode the state parameter in responses ++**Type:** Fixed +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +Azure AD has identified, tested, and released a fix for a bug in the `/authorize` response to a client application. Azure AD was incorrectly URL encoding the `state` parameter twice when sending responses back to the client. 
This can cause a client application to reject the request, due to a mismatch in state parameters. [Learn more](../develop/reference-breaking-changes.md#bug-fix-azure-ad-will-no-longer-url-encode-the-state-parameter-twice). ++++### Users can only create security and Microsoft 365 groups in Azure portal being deprecated ++**Type:** Plan for change +**Service category:** Group Management +**Product capability:** Directory + +Users will no longer be limited to create security and Microsoft 365 groups only in the Azure portal. The new setting will allow users to create security groups in the Azure portal, PowerShell, and API. Users will be required to verify and update the new setting. [Learn more](../enterprise-users/groups-self-service-management.md). ++++### Public preview - External Identities Self-Service Sign-up in Azure AD using Email One-Time Passcode accounts ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C + +External users can now use Email One-Time Passcode accounts to sign up or sign in to Azure AD 1st party and line-of-business applications. [Learn more](../external-identities/one-time-passcode.md). ++++### General availability - External Identities Self-Service Sign Up ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C + +Self-service sign-up for external users is now in general availability. With this new feature, external users can now self-service sign up to an application. ++You can create customized experiences for these external users, including collecting information about your users during the registration process and allowing external identity providers like Facebook and Google. You can also integrate with third-party cloud providers for various functionalities like identity verification or approval of users. [Learn more](../external-identities/self-service-sign-up-overview.md). 
+ +++### General availability - Azure AD B2C Phone Sign-up and Sign-in using Built-in Policy ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C + +B2C Phone Sign-up and Sign-in using a built-in policy enable IT administrators and developers of organizations to allow their end-users to sign in and sign up using a phone number in user flows. With this feature, disclaimer links such as privacy policy and terms of use can be customized and shown on the page before the end-user proceeds to receive the one-time passcode via text message. [Learn more](../../active-directory-b2c/phone-authentication-user-flows.md). + +++### New Federated Apps available in Azure AD Application gallery - April 2021 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In April 2021, we have added following 31 new applications in our App gallery with Federation support ++[Zii Travel Azure AD Connect](https://azuremarketplace.microsoft.com/marketplace/apps/aad.ziitravelazureadconnect?tab=Overview), [Cerby](../saas-apps/cerby-tutorial.md), [Selflessly](https://app.selflessly.io/sign-in), [Apollo CX](https://apollo.cxlabs.de/sso/aad), [Pedagoo](https://account.pedagoo.com/), [Measureup](https://account.measureup.com/), [ProcessUnity](../saas-apps/processunity-tutorial.md), [Cisco Intersight](../saas-apps/cisco-intersight-tutorial.md), [Codility](../saas-apps/codility-tutorial.md), [H5mag](https://account.h5mag.com/auth/request-access/ms365), [Check Point Identity Awareness](../saas-apps/check-point-identity-awareness-tutorial.md), [Jarvis](https://jarvis.live/login), [desknet's NEO](../saas-apps/desknets-neo-tutorial.md), [SDS & Chemical Information Management](../saas-apps/sds-chemical-information-management-tutorial.md), [W├║ru App](../saas-apps/wuru-app-tutorial.md), [Holmes](../saas-apps/holmes-tutorial.md), 
[Telenor](https://www.telenor.no/kundeservice/internett/wifi/administrere-ruter/), [Yooz US](https://us1.getyooz.com/?kc_idp_hint=microsoft), [Mooncamp](https://app.mooncamp.com/#/login), [inwise SSO](https://app.inwise.com/defaultsso.aspx), [Ecolab Digital Solutions](https://ecolabb2c.b2clogin.com/account.ecolab.com/oauth2/v2.0/authorize?p=B2C_1A_Connect_OIDC_SignIn&client_id=01281626-dbed-4405-a430-66457825d361&nonce=defaultNonce&redirect_uri=https://jwt.ms&scope=openid&response_type=id_token&prompt=login), [Taguchi Digital Marketing System](https://login.taguchi.com.au/), [XpressDox EU Cloud](https://test.xpressdox.com/Authentication/Login.aspx), [EZSSH Client](https://portal.ezssh.io/signup), [KPN Grip](https://www.grip-on-it.com/), [AddressLook](https://portal.bbsonlineservices.net/Manage/AddressLook), [Cornerstone Single Sign-On](../saas-apps/cornerstone-ondemand-tutorial.md) ++You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest ++++### New provisioning connectors in the Azure AD Application Gallery - April 2021 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Bentley - Automatic User Provisioning](../saas-apps/bentley-automatic-user-provisioning-tutorial.md) +- [Boxcryptor](../saas-apps/boxcryptor-provisioning-tutorial.md) +- [BrowserStack Single Sign-on](../saas-apps/browserstack-single-sign-on-provisioning-tutorial.md) +- [Eletive](../saas-apps/eletive-provisioning-tutorial.md) +- [Jostle](../saas-apps/jostle-provisioning-tutorial.md) +- [Olfeo SAAS](../saas-apps/olfeo-saas-provisioning-tutorial.md) +- [Proware](../saas-apps/proware-provisioning-tutorial.md) +- [Segment](../saas-apps/segment-provisioning-tutorial.md) ++For more 
information about how to better secure your organization with automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). + +++### Introducing new versions of page layouts for B2C ++**Type:** Changed feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C + +The [page layouts](../../active-directory-b2c/page-layout.md) for B2C scenarios on the Azure AD B2C has been updated to reduce security risks by introducing the new versions of jQuery and Handlebars JS. + +++### Updates to Sign-in Diagnostic ++**Type:** Changed feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting + +The scenario coverage of the Sign-in Diagnostic tool has increased. ++With this update, the following event-related scenarios will now be included in the sign-in diagnosis results: +- Enterprise Applications configuration problem events. +- Enterprise Applications service provider (application-side) events. +- Incorrect credentials events. ++These results will show contextual and relevant details about the event and actions to take to resolve these problems. Also, for scenarios where we don't have deep contextual diagnostics, Sign-in Diagnostic will present more descriptive content about the error event. ++For more information, see [What is sign-in diagnostic in Azure AD?](../reports-monitoring/overview-sign-in-diagnostics.md) +++### Azure AD Connect cloud sync general availability refresh +**Type:** Changed feature +**Service category:** Azure AD Connect Cloud Sync +**Product capability:** Directory ++Azure AD connect cloud sync now has an updated agent (version# - 1.1.359). For more details on agent updates, including bug fixes, check out the [version history](../cloud-sync/reference-version-history.md). With the updated agent, cloud sync customers can use GMSA cmdlets to set and reset their gMSA permission at a granular level. 
In addition that, we've changed the limit of syncing members using group scope filtering from 1499 to 50,000 (50K) members. ++Check out the newly available [expression builder](../cloud-sync/how-to-expression-builder.md#deploy-the-expression) for cloud sync, which, helps you build complex expressions and simple expressions when you do transformations of attribute values from AD to Azure AD using attribute mapping. ++++## March 2021 ++### Guidance on how to enable support for TLS 1.2 in your environment, in preparation for upcoming Azure AD TLS 1.0/1.1 deprecation ++**Type:** Plan for change +**Service category:** N/A +**Product capability:** Standards ++Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting June 30, 2021: +++- TLS 1.0 +- TLS 1.1 +- 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA) ++Affected environments include: ++- Azure Commercial Cloud +- Office 365 GCC and WW ++For more information, see [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment). ++++### Public preview - Azure AD Entitlement management now supports multi-geo SharePoint Online ++**Type:** New feature +**Service category:** Other +**Product capability:** Entitlement Management + +For organizations using multi-geo SharePoint Online, you can now include sites from specific multi-geo environments to your Entitlement management access packages. [Learn more](../governance/entitlement-management-catalog-create.md#add-a-multi-geo-sharepoint-site). ++++### Public preview - Restore deleted apps from App registrations ++**Type:** New feature +**Service category:** Other +**Product capability:** Developer Experience + +Customers can now view, restore, and permanently remove deleted app registrations from the Azure portal. This applies only to applications associated to a directory, not applications from a personal Microsoft account. 
[Learn more](../develop/howto-restore-app.md). + +++### Public preview - New "User action" in Conditional Access for registering or joining devices ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection + + A new user action called "Register or join devices" in Conditional access is available. This user action allows you to control Azure Active Directory Multi-Factor Authentication (MFA) policies for Azure AD device registration. ++Currently, this user action only allows you to enable Azure AD MFA as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration are disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions). + +++### Public preview - Optimize connector groups to use the closest Application Proxy cloud service ++**Type:** New feature +**Service category:** App Proxy +**Product capability:** Access Control + +With this new capability, connector groups can be assigned to the closest regional Application Proxy service an application is hosted in. This can improve app performance in scenarios where apps are hosted in regions other than the home tenant's region. [Learn more](../app-proxy/application-proxy-network-topology.md#optimize-connector-groups-to-use-closest-application-proxy-cloud-service). + +++### Public preview - External Identities Self-Service Sign up in Azure AD using Email One-Time Passcode accounts ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C ++External users will now be able to use Email One-Time Passcode accounts to sign up in to Azure AD 1st party and LOB apps. [Learn more](../external-identities/one-time-passcode.md). 
++++### Public preview - Availability of AD FS sign-ins in Azure AD ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** Monitoring & Reporting + +AD FS sign-in activity can now be integrated with Azure AD activity reporting, providing a unified view of hybrid identity infrastructure. Using the Azure AD sign-ins report, Log Analytics, and Azure Monitor Workbooks, it's possible to do in-depth analysis for both Azure AD and AD FS sign-in scenarios such as AD FS account lockouts, bad password attempts, and spikes of unexpected sign-in attempts. ++To learn more, visit [AD FS sign-ins in Azure AD with Connect Health](../hybrid/how-to-connect-health-ad-fs-sign-in.md). ++++### General availability - Staged rollout to cloud authentication ++**Type:** New feature +**Service category:** AD Connect +**Product capability:** User Authentication + +Staged rollout to cloud authentication is now generally available. The staged rollout feature allows you to selectively test groups of users with cloud authentication methods, such as Passthrough Authentication (PTA) or Password Hash Sync (PHS). Meanwhile, all other users in the federated domains continue to use federation services, such as AD FS or any other federation services to authenticate users. [Learn more](../hybrid/how-to-connect-staged-rollout.md). ++++### General availability - User Type attribute can now be updated in the Azure admin portal ++**Type:** New feature +**Service category:** User Experience and Management +**Product capability:** User Management + +Customers can now update the user type of Azure AD users when they update their user profile information from the Azure admin portal. The user type can be updated from Microsoft Graph also. To learn more, see [Add or update user profile information](active-directory-users-profile-azure-portal.md). 
+ +++### General availability - Replica Sets for Azure Active Directory Domain Services ++**Type:** New feature +**Service category:** Azure AD Domain Services +**Product capability:** Azure AD Domain Services + +The capability of replica sets in Azure AD DS is now generally available. [Learn more](../../active-directory-domain-services/concepts-replica-sets.md). + +++### General availability - Collaborate with your partners using Email One-Time Passcode in the Azure Government cloud ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C + +Organizations in the Microsoft Azure Government cloud can now enable their guests to redeem invitations with Email One-Time Passcode. This ensures that any guest users with no Azure AD, Microsoft, or Gmail accounts in the Azure Government cloud can still collaborate with their partners by requesting and entering a temporary code to sign in to shared resources. [Learn more](../external-identities/one-time-passcode.md). ++++### New Federated Apps available in Azure AD Application gallery - March 2021 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In March 2021 we have added following 37 new applications in our App gallery with Federation support: ++[Bambuser Live Video Shopping](https://lcx.bambuser.com/), [DeepDyve Inc](https://www.deepdyve.com/azure-sso), [Moqups](../saas-apps/moqups-tutorial.md), [RICOH Spaces Mobile](https://ricohspaces.app/welcome), [Flipgrid](https://auth.flipgrid.com/), [hCaptcha Enterprise](../saas-apps/hcaptcha-enterprise-tutorial.md), [SchoolStream ASA](https://www.ssk12.com/), [TransPerfect GlobalLink Dashboard](../saas-apps/transperfect-globallink-dashboard-tutorial.md), [SimplificaCI](https://app.simplificaci.com.br/), [Thrive LXP](../saas-apps/thrive-lxp-tutorial.md), [Lexonis TalentScape](../saas-apps/lexonis-talentscape-tutorial.md), [Exium](../saas-apps/exium-tutorial.md), 
[Sapient](../saas-apps/sapient-tutorial.md), [TrueChoice](../saas-apps/truechoice-tutorial.md), [RICOH Spaces](https://ricohspaces.app/welcome), [Saba Cloud](../saas-apps/learning-at-work-tutorial.md), [Acunetix 360](../saas-apps/acunetix-360-tutorial.md), [Exceed.ai](../saas-apps/exceed-ai-tutorial.md), [GitHub Enterprise Managed User](../saas-apps/github-enterprise-managed-user-tutorial.md), [Enterprise Vault.cloud for Outlook](https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile%20User.Read&client_id=7176efe5-e954-4aed-b5c8-f5c85a980d3a&nonce=4b9e1981-1bcb-4938-a283-86f6931dc8cb), [Smartlook](../saas-apps/smartlook-tutorial.md), [Accenture Academy](../saas-apps/accenture-academy-tutorial.md), [Onshape](../saas-apps/onshape-tutorial.md), [Tradeshift](../saas-apps/tradeshift-tutorial.md), [JuriBlox](../saas-apps/juriblox-tutorial.md), [SecurityStudio](../saas-apps/securitystudio-tutorial.md), [ClicData](https://app.clicdata.com/), [Evergreen](../saas-apps/evergreen-tutorial.md), [Patchdeck](https://patchdeck.com/ad_auth/authenticate/), [FAX.PLUS](../saas-apps/fax-plus-tutorial.md), [ValidSign](../saas-apps/validsign-tutorial.md), [AWS Single Sign-on](../saas-apps/aws-single-sign-on-tutorial.md), [Nura Space](https://dashboard.nuraspace.com/login), [Broadcom DX SaaS](../saas-apps/broadcom-dx-saas-tutorial.md), [Interplay Learning](https://skilledtrades.interplaylearning.com/#login), [SendPro Enterprise](../saas-apps/sendpro-enterprise-tutorial.md), [FortiSASE SIA](../saas-apps/fortisase-sia-tutorial.md) ++You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest ++++### New provisioning connectors in the Azure AD Application Gallery - March 2021 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration ++You 
can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [AWS Single Sign-on](../saas-apps/aws-single-sign-on-provisioning-tutorial.md) +- [Bpanda](../saas-apps/bpanda-provisioning-tutorial.md) +- [Britive](../saas-apps/britive-provisioning-tutorial.md) +- [GitHub Enterprise Managed User](../saas-apps/github-enterprise-managed-user-provisioning-tutorial.md) +- [Grammarly](../saas-apps/grammarly-provisioning-tutorial.md) +- [LogicGate](../saas-apps/logicgate-provisioning-tutorial.md) +- [SecureLogin](../saas-apps/secure-login-provisioning-tutorial.md) +- [TravelPerk](../saas-apps/travelperk-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). + +++### Introducing MS Graph API for Company Branding ++**Type:** Changed feature +**Service category:** MS Graph +**Product capability:** B2B/B2C ++[MS Graph API for the Company Branding](/graph/api/resources/organizationalbrandingproperties) is available for the Azure AD or Microsoft 365 sign-in experience to allow the management of the branding parameters programmatically. ++++### General availability - Header-based authentication SSO with Application Proxy ++**Type:** Changed feature +**Service category:** App Proxy +**Product capability:** Access Control + +Azure AD Application Proxy native support for header-based authentication is now in general availability. With this feature, you can configure the user attributes required as HTTP headers for the application without additional components needed to deploy. [Learn more](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md). 
++++### Two-way SMS for MFA Server is no longer supported ++**Type:** Deprecated +**Service category:** MFA +**Product capability:** Identity Security & Protection + ++Two-way SMS for MFA Server was originally deprecated in 2018, and won't be supported after February 24, 2021. Administrators should enable another method for users who still use two-way SMS. ++Email notifications and Azure portal Service Health notifications were sent to affected admins on December 8, 2020 and January 28, 2021. The alerts went to the Owner, Co-Owner, Admin, and Service Admin RBAC roles tied to the subscriptions. [Learn more](../authentication/how-to-authentication-two-way-sms-unsupported.md). + ++ +## February 2021 ++### Email one-time passcode authentication on by default starting October 2021 ++**Type:** Plan for change +**Service category:** B2B +**Product capability:** B2B/B2C + +Starting October 31, 2021, Microsoft Azure Active Directory [email one-time passcode authentication](../external-identities/one-time-passcode.md) will become the default method for inviting accounts and tenants for B2B collaboration scenarios. At this time, Microsoft will no longer allow the redemption of invitations using unmanaged Azure Active Directory accounts. ++++### Unrequested but consented permissions will no longer be added to tokens if they would trigger Conditional Access ++**Type:** Plan for change +**Service category:** Authentications (Logins) +**Product capability:** Platform + +Currently, applications using [dynamic permissions](../develop/v2-permissions-and-consent.md#requesting-individual-user-consent) are given all of the permissions they're consented to access. This includes applications that are unrequested and even if they trigger conditional access. For example, this can cause an app requesting only `user.read` that also has consent for `files.read`, to be forced to pass the Conditional Access assigned for the `files.read` permission. 
++To reduce the number of unnecessary Conditional Access prompts, Azure AD is changing the way that unrequested scopes are provided to applications. Apps will only trigger conditional access for permission they explicitly request. For more information, read [What's new in authentication](../develop/reference-breaking-changes.md#conditional-access-will-only-trigger-for-explicitly-requested-scopes). + ++ +### Public preview - Use a Temporary Access Pass to register Passwordless credentials ++**Type:** New feature +**Service category:** MFA +**Product capability:** Identity Security & Protection ++Temporary Access Pass is a time-limited passcode that serves as strong credentials and allows onboarding of Passwordless credentials and recovery when a user has lost or forgotten their strong authentication factor (for example, FIDO2 security key or Microsoft Authenticator) app and needs to sign in to register new strong authentication methods. [Learn more](../authentication/howto-authentication-temporary-access-pass.md). ++++### Public preview - Keep me signed in (KMSI) in next generation of user flows ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C ++The next generation of B2C user flows now supports the [keep me signed in (KMSI)](../../active-directory-b2c/session-behavior.md?pivots=b2c-custom-policy#enable-keep-me-signed-in-kmsi) functionality that allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie. feature keeps the session active even when the user closes and reopens the browser, and is revoked when the user signs out. 
++++### Public preview - Reset redemption status for a guest user ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C + +Customers can now reinvite existing external guest users to reset their redemption status, which allows the guest user account to remain without them losing any access. [Learn more](../external-identities/reset-redemption-status.md). + +++### Public preview - /synchronization (provisioning) APIs now support application permissions ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management + +Customers can now use application.readwrite.ownedby as an application permission to call the synchronization APIs. Note this is only supported for provisioning from Azure AD out into third-party applications (for example, AWS, Data Bricks, etc.). It's currently not supported for HR-provisioning (Workday / Successfactors) or Cloud Sync (AD to Azure AD). [Learn more](/graph/api/resources/provisioningobjectsummary). + +++### General availability - Authentication Policy Administrator built-in role ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + +Users with this role can configure the authentication methods policy, tenant-wide MFA settings, and password protection policy. This role grants permission to manage Password Protection settings: smart lockout configurations and updating the custom banned passwords list. [Learn more](../roles/permissions-reference.md#authentication-policy-administrator). ++++### General availability - User collections on My Apps are available now! ++**Type:** New feature +**Service category:** My Apps +**Product capability:** End User Experiences + +Users can now create their own groupings of apps on the My Apps app launcher. They can also reorder and hide collections shared with them by their administrator. [Learn more](../user-help/my-apps-portal-user-collections.md). 
++++### General availability - Autofill in Authenticator ++**Type:** New feature +**Service category:** Microsoft Authenticator App +**Product capability:** Identity Security & Protection + +Microsoft Authenticator provides multifactor authentication and account management capabilities, and now also will autofill passwords on sites and apps users visit on their mobile (iOS and Android). ++To use autofill on Authenticator, users need to add their personal Microsoft account to Authenticator and use it to sync their passwords. Work or school accounts can't be used to sync passwords at this time. [Learn more](../user-help/user-help-auth-app-faq.md#autofill-for-it-admins). ++++### General availability - Invite internal users to B2B collaboration ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C + +Customers can now invite internal guests to use B2B collaboration instead of sending an invitation to an existing internal account. This allows customers to keep that user's object ID, UPN, group memberships, and app assignments. [Learn more](../external-identities/invite-internal-users.md). ++++### General availability - Domain Name Administrator built-in role ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + +Users with this role can manage (read, add, verify, update, and delete) domain names. They can also read directory information about users, groups, and applications, as these objects have domain dependencies. ++For on-premises environments, users with this role can configure domain names for federation so that associated users are always authenticated on-premises. These users can then sign into Azure AD-based services with their on-premises passwords via single sign-on. Federation settings need to be synced via Azure AD Connect, so users also have permissions to manage Azure AD Connect. [Learn more](../roles/permissions-reference.md#domain-name-administrator). 
+ +++### New Federated Apps available in Azure AD Application gallery - February 2021 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In February 2021 we have added following 37 new applications in our App gallery with Federation support: ++[Loop Messenger Extension](https://loopworks.com/loop-flow-messenger/), [Silverfort Azure AD Adapter](http://www.silverfort.com/), [Interplay Learning](https://skilledtrades.interplaylearning.com/#login), [Nura Space](https://dashboard.nuraspace.com/login), [Yooz EU](https://eu1.getyooz.com/?kc_idp_hint=microsoft), [UXPressia](https://uxpressia.com/users/sign-in), [introDus Pre- and Onboarding Platform](http://app.introdus.dk/login), [Happybot](https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=34353e1e-dfe5-4d2f-bb09-2a5e376270c8&response_type=code&redirect_uri=https://api.happyteams.io/microsoft/integrate&response_mode=query&scope=offline_access%20User.Read%20User.Read.All), [LeaksID](https://leaksid.com/), [ShiftWizard](http://www.shiftwizard.com/), [PingFlow SSO](https://app.pingview.io/), [Swiftlane](https://admin.swiftlane.com/login), [Quasydoc SSO](https://www.quasydoc.eu/login), [Fenwick Gold Account](https://businesscentral.dynamics.com/), [SeamlessDesk](https://www.seamlessdesk.com/login), [Learnsoft LMS & TMS](http://www.learnsoft.com/), [P-TH+](https://p-th.jp/), [myViewBoard](https://api.myviewboard.com/auth/microsoft/), [Tartabit IoT Bridge](https://bridge-us.tartabit.com/), [AKASHI](../saas-apps/akashi-tutorial.md), [Rewatch](../saas-apps/rewatch-tutorial.md), [Zuddl](../saas-apps/zuddl-tutorial.md), [Parkalot - Car park management](../saas-apps/parkalot-car-park-management-tutorial.md), [HSB ThoughtSpot](../saas-apps/hsb-thoughtspot-tutorial.md), [IBMid](../saas-apps/ibmid-tutorial.md), [SharingCloud](../saas-apps/sharingcloud-tutorial.md), [PoolParty Semantic Suite](../saas-apps/poolparty-semantic-suite-tutorial.md), 
[GlobeSmart](../saas-apps/globesmart-tutorial.md), [Samsung Knox and Business Services](../saas-apps/samsung-knox-and-business-services-tutorial.md), [Penji](../saas-apps/penji-tutorial.md), [Kendis- Scaling Agile Platform](../saas-apps/kendis-scaling-agile-platform-tutorial.md), [Maptician](../saas-apps/maptician-tutorial.md), [Olfeo SAAS](../saas-apps/olfeo-saas-tutorial.md), [Sigma Computing](../saas-apps/sigma-computing-tutorial.md), [CloudKnox Permissions Management Platform](../saas-apps/cloudknox-permissions-management-platform-tutorial.md), [Klaxoon SAML](../saas-apps/klaxoon-saml-tutorial.md), [Enablon](../saas-apps/enablon-tutorial.md) ++You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest ++ ++### New provisioning connectors in the Azure AD Application Gallery - February 2021 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration + ++You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Atea](../saas-apps/atea-provisioning-tutorial.md) +- [Getabstract](../saas-apps/getabstract-provisioning-tutorial.md) +- [HelloID](../saas-apps/helloid-provisioning-tutorial.md) +- [Hoxhunt](../saas-apps/hoxhunt-provisioning-tutorial.md) +- [Iris Intranet](../saas-apps/iris-intranet-provisioning-tutorial.md) +- [Preciate](../saas-apps/preciate-provisioning-tutorial.md) ++For more information, read [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). 
++++### General availability - 10 Azure Active Directory roles now renamed ++**Type:** Changed feature +**Service category:** RBAC +**Product capability:** Access Control + +10 Azure AD built-in roles have been renamed so that they're aligned across the [Microsoft 365 admin center](/microsoft-365/admin/microsoft-365-admin-center-preview), [Azure portal](https://portal.azure.com/), and [Microsoft Graph](https://developer.microsoft.com/graph/). To learn more about the new roles, refer to [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#all-roles). ++![Table showing role names in MS Graph API and the Azure portal, and the proposed final name across API, Azure portal, and Mac.](media/whats-new/roles-table-rbac.png) ++++### New Company Branding in multifactor authentication (MFA)/SSPR Combined Registration ++**Type:** Changed feature +**Service category:** User Experience and Management +**Product capability:** End User Experiences + +In the past, company logos weren't used on Azure Active Directory sign-in pages. Company branding is now located to the top left of multifactor authentication (MFA)/SSPR Combined Registration. Company branding is also included on My sign-ins and the Security Info page. [Learn more](../fundamentals/customize-branding.md). ++++### General availability - Second level manager can be set as alternate approver ++**Type:** Changed feature +**Service category:** User Access Management +**Product capability:** Entitlement Management + +An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you'll have another option, "Second level manager as alternate approver", available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. 
[Learn more](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers). + +++### Authentication Methods Activity Dashboard ++**Type:** Changed feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting + ++The refreshed Authentication Methods Activity dashboard gives admins an overview of authentication method registration and usage activity in their tenant. The report summarizes the number of users registered for each method, and also which methods are used during sign-in and password reset. [Learn more](../authentication/howto-authentication-methods-activity.md). + +++### Refresh and session token lifetimes configurability in Configurable Token Lifetime (CTL) are retired ++**Type:** Deprecated +**Service category:** Other +**Product capability:** User Authentication + +Refresh and session token lifetimes configurability in CTL are retired. Azure Active Directory no longer honors refresh and session token configuration in existing policies. [Learn more](../develop/configurable-token-lifetimes.md#token-lifetime-policies-for-refresh-tokens-and-session-tokens). + +++## January 2021 ++### Secret token will be a mandatory field when configuring provisioning ++**Type:** Plan for change +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management ++In the past, the secret token field could be kept empty when setting up provisioning on the custom / BYOA application. This function was intended to solely be used for testing. We'll update the UI to make the field required. ++Customers can work around this requirement for testing purposes by using a feature flag in the browser URL. [Learn more](../app-provisioning/use-scim-to-provision-users-and-groups.md#authorization-to-provisioning-connectors-in-the-application-gallery). 
+ +++### Public Preview - Customize and configure Android shared devices for frontline workers at scale ++**Type:** New feature +**Service category:** Device Registration and Management +**Product capability:** Identity Security & Protection + +Azure AD and Microsoft Intune teams have combined to bring the capability to customize, scale, and secure your frontline worker devices. ++The following preview capabilities will allow you to: +- Provision Android shared devices at scale with Microsoft Intune +- Secure your access for shift workers using device-based conditional access +- Customize sign-in experiences for the shift workers with Managed Home Screen ++To learn more, refer to [Customize and configure shared devices for frontline workers at scale](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/customize-and-configure-shared-devices-for-firstline-workers-at/ba-p/1751708). ++++### Public preview - Provisioning logs can now be downloaded as a CSV or JSON ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management ++Customers can download the provisioning logs as a CSV or JSON file through the UI and via graph API. To learn more, refer to [Provisioning reports in the Azure portal](../reports-monitoring/concept-provisioning-logs.md). ++++### Public preview - Assign cloud groups to Azure AD custom roles and admin unit scoped roles ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + +Customers can assign a cloud group to Azure AD custom roles or an admin unit scoped role. To learn how to use this feature, refer to [Use cloud groups to manage role assignments in Azure Active Directory](../roles/groups-concept.md). 
++++### General Availability - Azure AD Connect cloud sync (previously known as cloud provisioning) ++**Type:** New feature +**Service category:** Azure AD Connect cloud sync +**Product capability:** Identity Lifecycle Management + +Azure AD Connect cloud sync is now generally available to all customers. ++Azure AD Connect cloud moves the heavy lifting of transform logic to the cloud, reducing your on-premises footprint. Additionally, multiple light-weight agent deployments are available for higher sync availability. [Learn more](https://aka.ms/cloudsyncGA). + ++### General Availability - Attack Simulation Administrator and Attack Payload Author built-in roles ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + +Two new roles in Role-Based Access Control are available to assign to users, Attack simulation Administrator and Attack Payload author. ++Users in the [Attack Simulation Administrator](../roles/permissions-reference.md#attack-simulation-administrator) role have access for all simulations in the tenant and can: +- create and manage all aspects of attack simulation creation +- launch/scheduling of a simulation +- review simulation results. ++Users in the [Attack Payload Author](../roles/permissions-reference.md#attack-payload-author) role can create attack payloads but not actually launch or schedule them. Attack payloads are then available to all administrators in the tenant who can use them to create a simulation. ++++### General Availability - Usage Summary Reports Reader built-in role ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + +Users with the Usage Summary Reports Reader role can access tenant level aggregated data and associated insights in Microsoft 365 Admin Center for Usage and Productivity Score. However, they can't access any user level details or insights. 
++In the Microsoft 365 Admin Center for the two reports, we differentiate between tenant level aggregated data and user level details. This role adds an extra layer of protection to individual user identifiable data. [Learn more](../roles/permissions-reference.md#usage-summary-reports-reader). ++++### General availability - Require App protection policy grant in Azure AD Conditional Access ++**Type:** New Feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection + +Azure AD Conditional Access grant for "Require App Protection policy" is now GA. ++The policy provides the following capabilities: +- Allows access only when using a mobile application that supports Intune App protection +- Allows access only when a user has an Intune app protection policy delivered to the mobile application ++Learn more on how to set up a conditional access policy for app protection [here](../conditional-access/app-protection-based-conditional-access.md). + +++### General availability - Email One-Time Passcode ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C + +Email OTP enables organizations around the world to collaborate with anyone by sending a link or invitation via email. Invited users can verify their identity with the one-time passcode sent to their email to access their partner's resources. [Learn more](../external-identities/one-time-passcode.md). 
+ +++ ### New provisioning connectors in the Azure AD Application Gallery - January 2021 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: +- [Fortes Change Cloud](../saas-apps/fortes-change-cloud-provisioning-tutorial.md) +- [Gtmhub](../saas-apps/gtmhub-provisioning-tutorial.md) +- [monday.com](../saas-apps/mondaycom-provisioning-tutorial.md) +- [Splashtop](../saas-apps/splashtop-provisioning-tutorial.md) +- [Templafy OpenID Connect](../saas-apps/templafy-openid-connect-provisioning-tutorial.md) +- [WEDO](../saas-apps/wedo-provisioning-tutorial.md) ++For more information, see [What is automated SaaS app user provisioning in Azure AD?](../app-provisioning/user-provisioning.md) ++++### New Federated Apps available in Azure AD Application gallery - January 2021 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In January 2021 we have added following 29 new applications in our App gallery with Federation support: ++[mySCView](https://www.myscview.com/), [Talentech](https://talentech.com/contact/), [Bipsync](https://www.bipsync.com/), [OroTimesheet](https://app.orotimesheet.com/login.php), [Mio](https://app.m.io/auth/install/microsoft?scopetype=hub), Sovelto Easy, [Supportbench](https://account.supportbench.net/agent/login/),[Bienvenue Formation](https://formation.bienvenue.pro/login), [AIDA Healthcare SSO](https://aidaforparents.com/login/organizations), [International SOS Assistance Products](../saas-apps/international-sos-assistance-products-tutorial.md), [NAVEX One](../saas-apps/navex-one-tutorial.md), [LabLog](../saas-apps/lablog-tutorial.md), [Oktopost SAML](../saas-apps/oktopost-saml-tutorial.md), [EPHOTO DAM](../saas-apps/ephoto-dam-tutorial.md), [Notion](../saas-apps/notion-tutorial.md), [Syndio](../saas-apps/syndio-tutorial.md), [Yello 
Enterprise](../saas-apps/yello-enterprise-tutorial.md), [Timeclock 365 SAML](../saas-apps/timeclock-365-saml-tutorial.md), [Nalco E-data](https://www.ecolab.com/), [Vacancy Filler](https://app.vacancy-filler.co.uk/VFMVC/Account/Login), [Synerise AI Growth Ecosystem](../saas-apps/synerise-ai-growth-ecosystem-tutorial.md), [Imperva Data Security](../saas-apps/imperva-data-security-tutorial.md), [Illusive Networks](../saas-apps/illusive-networks-tutorial.md), [Proware](../saas-apps/proware-tutorial.md), [Splan Visitor](../saas-apps/splan-visitor-tutorial.md), [Aruba User Experience Insight](../saas-apps/aruba-user-experience-insight-tutorial.md), [Contentsquare SSO](../saas-apps/contentsquare-sso-tutorial.md), [Perimeter 81](../saas-apps/perimeter-81-tutorial.md), [Burp Suite Enterprise Edition](../saas-apps/burp-suite-enterprise-edition-tutorial.md) ++You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest ++++### Public preview - Second level manager can be set as alternate approver ++**Type:** Changed feature +**Service category:** User Access Management +**Product capability:** Entitlement Management + +An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you'll have another option, "Second level manager as alternate approver", available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. 
[Learn more](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers) + +++### General availability - Navigate to Teams directly from My Access portal ++**Type:** Changed feature +**Service category:** User Access Management +**Product capability:** Entitlement Management + +You can now launch Teams directly from the My Access portal. ++To do so, sign-in to My Access (https://myaccess.microsoft.com/), navigate to "Access packages", then go to the "Active" tab to see all of the access packages you already have access to. When you expand the selected access package and hover on Teams, you can launch it by clicking on the "Open" button. [Learn more](../governance/entitlement-management-request-access.md). + +++### Improved Logging & End-User Prompts for Risky Guest Users ++**Type:** Changed feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection + ++The Logging and End-User Prompts for Risky Guest Users have been updated. Learn more in [Identity Protection and B2B users](../identity-protection/concept-identity-protection-b2b.md). + +++## December 2020 ++### Public preview - Azure AD B2C Phone Sign-up and Sign-in using Built-in Policy ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C + +B2C Phone Sign-up and Sign-in using Built-in Policy enable IT administrators and developers of organizations to allow their end-users to sign in and sign up using a phone number in user flows. Read [Set up phone sign-up and sign-in for user flows (preview)](../../active-directory-b2c/phone-authentication-user-flows.md) to learn more. 
++++### General Availability - Security Defaults now enabled for all new tenants by default ++**Type:** New feature +**Service category:** Other +**Product capability:** Identity Security & Protection + +To protect user accounts, all new tenants created on or after November 12, 2020, will come with Security Defaults enabled. Security Defaults enforces multiple policies including: +- Requires all users and admins to register for multifactor authentication (MFA) using the Microsoft Authenticator App +- Requires critical admin roles to use multifactor authentication (MFA) every single time they sign-in. All other users will be prompted for multifactor authentication (MFA) whenever necessary. +- Legacy authentication will be blocked tenant wide. ++For more information, read [What are security defaults?](../fundamentals/concept-fundamentals-security-defaults.md) ++++### General availability - Support for groups with up to 250K members in AADConnect ++**Type:** Changed feature +**Service category:** AD Connect +**Product capability:** Identity Lifecycle Management + +Microsoft has deployed a new endpoint (API) for Azure AD Connect that improves the performance of the synchronization service operations to Azure Active Directory. When you use the new [V2 endpoint](../hybrid/how-to-connect-sync-endpoint-api-v2.md), you'll experience noticeable performance gains on export and import to Azure AD. This new endpoint supports the following scenarios: ++- Syncing groups with up to 250k members +- Performance gains on export and import to Azure AD ++++### General availability - Entitlement Management available for tenants in Azure China cloud ++**Type:** New feature +**Service category:** User Access Management +**Product capability:** Entitlement Management + ++The capabilities of Entitlement Management are now available for all tenants in the Azure China cloud. 
For information, visit our [Identity governance documentation](https://docs.azure.cn/zh-cn/active-directory/governance/) site. ++++### New provisioning connectors in the Azure AD Application Gallery - December 2020 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration ++You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Bizagi Studio for Digital Process Automation](../saas-apps/bizagi-studio-for-digital-process-automation-provisioning-tutorial.md) +- [CybSafe](../saas-apps/cybsafe-provisioning-tutorial.md) +- [GroupTalk](../saas-apps/grouptalk-provisioning-tutorial.md) +- [PaperCut Cloud Print Management](../saas-apps/papercut-cloud-print-management-provisioning-tutorial.md) +- [Parsable](../saas-apps/parsable-provisioning-tutorial.md) +- [Shopify Plus](../saas-apps/shopify-plus-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). 
+ +++### New Federated Apps available in Azure AD Application gallery - December 2020 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In December 2020 we have added following 18 new applications in our App gallery with Federation support: ++[AwareGo](../saas-apps/awarego-tutorial.md), [HowNow SSO](https://gethownow.com/), [ZyLAB ONE Legal Hold](https://www.zylab.com/en/product/legal-hold), [Guider](http://www.guider-ai.com/), [Softcrisis](https://www.softcrisis.se/sv/), [Pims 365](https://www.omega365.com/products/omega-pims), [InformaCast](../saas-apps/informacast-tutorial.md), [RetrieverMediaDatabase](../saas-apps/retrievermediadatabase-tutorial.md), [vonage](../saas-apps/vonage-tutorial.md), [Count Me In - Operations Dashboard](../saas-apps/count-me-in-operations-dashboard-tutorial.md), [ProProfs Knowledge Base](../saas-apps/proprofs-knowledge-base-tutorial.md), [RightCrowd Workforce Management](../saas-apps/rightcrowd-workforce-management-tutorial.md), [JLL TRIRIGA](../saas-apps/jll-tririga-tutorial.md), [Shutterstock](../saas-apps/shutterstock-tutorial.md), [FortiWeb Web Application Firewall](../saas-apps/linkedin-talent-solutions-tutorial.md), [LinkedIn Talent Solutions](../saas-apps/linkedin-talent-solutions-tutorial.md), [Equinix Federation App](../saas-apps/equinix-federation-app-tutorial.md), [KFAdvance](../saas-apps/kfadvance-tutorial.md) ++You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest ++++### Navigate to Teams directly from My Access portal ++**Type:** Changed feature +**Service category:** User Access Management +**Product capability:** Entitlement Management ++You can now launch Teams directly from My Access portal. 
To do so, sign-in to [My Access](https://myaccess.microsoft.com/), navigate to **Access packages**, then go to the **Active** Tab to see all access packages you already have access to. When you expand the access package and hover on Teams, you can launch it by clicking on the **Open** button. ++To learn more about using the My Access portal, go to [Request access to an access package in Azure AD entitlement management](../governance/entitlement-management-request-access.md#sign-in-to-the-my-access-portal). ++++### Public preview - Second level manager can be set as alternate approver ++**Type:** Changed feature +**Service category:** User Access Management +**Product capability:** Entitlement Management ++An extra option is now available in the approval process in Entitlement Management. If you select Manager as approver for the First Approver, you'll have another option, Second level manager as alternate approver, available to choose in the alternate approver field. When you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. ++For more information, go to [Change approval settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers). 
++++## November 2020 ++### Azure Active Directory TLS 1.0, TLS 1.1, and 3DES deprecation ++**Type:** Plan for change +**Service category:** All Azure AD applications +**Product capability:** Standards ++Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting June 30, 2021: ++- TLS 1.0 +- TLS 1.1 +- 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA) ++Affected environments are: +- Azure Commercial Cloud +- Office 365 GCC and WW ++For guidance to remove deprecating protocols dependencies, please refer to [EEnable support for TLS 1.2 in your environment, in preparation for upcoming Azure AD TLS 1.0/1.1 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment). ++++### New Federated Apps available in Azure AD Application gallery - November 2020 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In November 2020 we have added following 52 new applications in our App gallery with Federation support: ++[Travel & Expense Management](https://app.expenseonce.com/Account/Login), [Tribeloo](../saas-apps/tribeloo-tutorial.md), [Itslearning File Picker](https://pmteam.itslearning.com/), [Crises Control](../saas-apps/crises-control-tutorial.md), [CourtAlert](https://www.courtalert.com/), [StealthMail](https://stealthmail.com/), [Edmentum - Study Island](https://app.studyisland.com/cfw/login/), [Virtual Risk Manager](../saas-apps/virtual-risk-manager-tutorial.md), [TIMU](../saas-apps/timu-tutorial.md), [Looker Analytics Platform](../saas-apps/looker-analytics-platform-tutorial.md), [Talview - Recruit](https://recruit.talview.com/login), Real Time Translator, [Klaxoon](https://access.klaxoon.com/login), [Podbean](../saas-apps/podbean-tutorial.md), [zcal](https://zcal.co/signup), [expensemanager](https://api.expense-manager.com/), [En-trak Tenant Experience Platform](https://portal.en-trak.app/), [Appian](../saas-apps/appian-tutorial.md), 
[Panorays](../saas-apps/panorays-tutorial.md), [Builterra](https://portal.builterra.com/), [EVA Check-in](https://my.evacheckin.com/organization), [HowNow WebApp SSO](../saas-apps/hownow-webapp-sso-tutorial.md), [Coupa Risk Assess](../saas-apps/coupa-risk-assess-tutorial.md), [Lucid (All Products)](../saas-apps/lucid-tutorial.md), [GoBright](https://portal.brightbooking.eu/), [SailPoint IdentityNow](../saas-apps/sailpoint-identitynow-tutorial.md),[Resource Central](../saas-apps/resource-central-tutorial.md), [UiPathStudioO365App](https://www.uipath.com/product/platform), [Jedox](../saas-apps/jedox-tutorial.md), [Cequence Application Security](../saas-apps/cequence-application-security-tutorial.md), [PerimeterX](../saas-apps/perimeterx-tutorial.md), [TrendMiner](../saas-apps/trendminer-tutorial.md), [Lexion](../saas-apps/lexion-tutorial.md), [WorkWare](../saas-apps/workware-tutorial.md), [ProdPad](../saas-apps/prodpad-tutorial.md), [AWS ClientVPN](../saas-apps/aws-clientvpn-tutorial.md), [AppSec Flow SSO](../saas-apps/appsec-flow-sso-tutorial.md), [Luum](../saas-apps/luum-tutorial.md), [Freight Measure](https://www.gpcsl.com/freight.html), [Terraform Cloud](../saas-apps/terraform-cloud-tutorial.md), [Nature Research](../saas-apps/nature-research-tutorial.md), [Play Digital Signage](https://login.playsignage.com/login), [RemotePC](../saas-apps/remotepc-tutorial.md), [Prolorus](../saas-apps/prolorus-tutorial.md), [Hirebridge ATS](../saas-apps/hirebridge-ats-tutorial.md), [Teamgage](https://teamgage.com), [Roadmunk](../saas-apps/roadmunk-tutorial.md), [Sunrise Software Relations CRM](https://cloud.relations-crm.com/), [Procaire](../saas-apps/procaire-tutorial.md), [Mentor® by eDriving: Business](https://www.edriving.com/), [Gradle Enterprise](https://gradle.com/) ++You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, read the details here 
https://aka.ms/AzureADAppRequest ++++### Public preview - Custom roles for enterprise apps ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + + [Custom RBAC roles for delegated enterprise application management](../roles/custom-available-permissions.md) is now in public preview. These new permissions build on the custom roles for app registration management, which allows fine-grained control over what access your admins have. Over time, additional permissions to delegate management of Azure AD will be released. ++Some common delegation scenarios: +- assignment of user and groups that can access SAML based single sign-on applications +- the creation of Azure AD Gallery applications +- update and read of basic SAML Configurations for SAML based single sign-on applications +- management of signing certificates for SAML based single sign-on applications +- update of expiring sign-in certificates notification email addresses for SAML based single sign-on applications +- update of the SAML token signature and sign-in algorithm for SAML based single sign-on applications +- create, delete, and update of user attributes and claims for SAML-based single sign-on applications +- ability to turn on, off, and restart provisioning jobs +- updates to attribute mapping +- ability to read provisioning settings associated with the object +- ability to read provisioning settings associated with your service principal +- ability to authorize application access for provisioning ++++### Public preview - Azure AD Application Proxy natively supports single sign-on access to applications that use headers for authentication ++**Type:** New feature +**Service category:** App Proxy +**Product capability:** Access Control + +Azure Active Directory (Azure AD) Application Proxy natively supports single sign-on access to applications that use headers for authentication. You can configure header values required by your application in Azure AD. 
The header values will be sent down to the application via Application Proxy. To learn more, see [Header-based single sign-on for on-premises apps with Azure AD App Proxy](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md) + +++### General Availability - Azure AD B2C Phone Sign-up and Sign-in using Custom Policy ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C ++With phone number sign-up and sign-in, developers and enterprises can allow their customers to sign up and sign in using a one-time password sent to the user's phone number via SMS. This feature also lets the customer change their phone number if they lose access to their phone. With the power of custom policies, allow developers and enterprises to communicate their brand through page customization. Find out how to [set up phone sign-up and sign-in with custom policies in Azure AD B2C](../../active-directory-b2c/phone-authentication-user-flows.md). 
+ +++### New provisioning connectors in the Azure AD Application Gallery - November 2020 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Adobe Identity Management](../saas-apps/adobe-identity-management-provisioning-tutorial.md) +- [Blogin](../saas-apps/blogin-provisioning-tutorial.md) +- [Clarizen One](../saas-apps/clarizen-one-provisioning-tutorial.md) +- [Contentful](../saas-apps/contentful-provisioning-tutorial.md) +- [GitHub AE](../saas-apps/github-ae-provisioning-tutorial.md) +- [Playvox](../saas-apps/playvox-provisioning-tutorial.md) +- [PrinterLogic SaaS](../saas-apps/printer-logic-saas-provisioning-tutorial.md) +- [Tic - Tac Mobile](../saas-apps/tic-tac-mobile-provisioning-tutorial.md) +- [Visibly](../saas-apps/visibly-provisioning-tutorial.md) ++For more information, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). + +++### Public Preview - Email Sign in with ProxyAddresses now deployable via Staged Rollout ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +Tenant administrators can now use Staged Rollout to deploy Email Sign-In with ProxyAddresses to specific Azure AD groups. This can help while trying out the feature before deploying it to the entire tenant via the Home Realm Discovery policy. Instructions for deploying Email Sign-In with ProxyAddresses via Staged Rollout are in the [documentation](../authentication/howto-authentication-use-email-signin.md). + +++### Limited Preview - Sign-in Diagnostic ++**Type:** New feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting + +With the initial preview release of the Sign-in Diagnostic, admins can now review user sign-ins. 
Admins can receive contextual, specific, and relevant details and guidance on what happened during a sign-in and how to fix problems. The diagnostic is available in both the Azure AD level, and Conditional Access Diagnose and Solve blades. The diagnostic scenarios covered in this release are Conditional Access, Azure Active Directory Multi-Factor Authentication, and successful sign-in. ++For more information, see [What is sign-in diagnostic in Azure AD?](../reports-monitoring/overview-sign-in-diagnostics.md). + +++### Improved Unfamiliar Sign-in Properties ++**Type:** Changed feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection ++ Unfamiliar sign-in properties detections has been updated. Customers may notice more high-risk unfamiliar sign-in properties detections. For more information, see [What is risk?](../identity-protection/concept-identity-protection-risks.md) + +++### Public Preview refresh of Cloud Provisioning agent now available (Version: 1.1.281.0) ++**Type:** Changed feature +**Service category:** Azure AD Cloud Provisioning +**Product capability:** Identity Lifecycle Management + +Cloud provisioning agent has been released in public preview and is now available through the portal. This release contains several improvements including, support for GMSA for your domains, which provides better security, improved initial sync cycles, and support for large groups. Check out the release version [history](../app-provisioning/provisioning-agent-release-version-history.md) for more details. + +++### BitLocker recovery key API endpoint now under /informationProtection ++**Type:** Changed feature +**Service category:** Device Access Management +**Product capability:** Device Lifecycle Management + +Previously, you could recover BitLocker keys via the /bitlocker endpoint. We'll eventually be deprecating this endpoint, and customers should begin consuming the API that now falls under /informationProtection. 
++See [BitLocker recovery API](/graph/api/resources/bitlockerrecoverykey) for updates to the documentation to reflect these changes. ++++### General Availability of Application Proxy support for Remote Desktop Services HTML5 Web Client ++**Type:** Changed feature +**Service category:** App Proxy +**Product capability:** Access Control + +Azure AD Application Proxy support for Remote Desktop Services (RDS) Web Client is now in General Availability. The RDS web client allows users to access Remote Desktop infrastructure through any HTLM5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, and so on. Users can interact with remote apps or desktops like they would with a local device from anywhere. ++By using Azure AD Application Proxy, you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. To learn more, see [Publish Remote Desktop with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-remote-desktop-services.md) + +++### New enhanced Dynamic Group service is in Public Preview ++**Type:** Changed feature +**Service category:** Group Management +**Product capability:** Collaboration + +Enhanced dynamic group service is now in Public Preview. New customers that create dynamic groups in their tenants will be using the new service. The time required to create a dynamic group will be proportional to the size of the group that is being created instead of the size of the tenant. This update will improve performance for large tenants significantly when customers create smaller groups. ++The new service also aims to complete member addition and removal because of attribute changes within a few minutes. Also, single processing failures won't block tenant processing. To learn more about creating dynamic groups, see our [documentation](../enterprise-users/groups-create-rule.md). 
+ +++## October 2020 ++### Azure AD on-premises Hybrid Agents Impacted by Azure TLS Certificate Changes ++**Type:** Plan for change +**Service category:** N/A +**Product capability:** Platform ++Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This update is due to the current CA certificates not complying with one of the CA/Browser Forum Baseline requirements. This change will impact Azure AD hybrid agents installed on-premises that have hardened environments with a fixed list of root certificates and will need to be updated to trust the new certificate issuers. ++This change will result in disruption of service if you don't take action immediately. These agents include [Application Proxy connectors](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AppProxy) for remote access to on-premises, [Passthrough Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect) agents that allow your users to sign in to applications using the same passwords, and [Cloud Provisioning Preview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect) agents that perform AD to Azure AD sync. ++If you have an environment with firewall rules set to allow outbound calls to only specific Certificate Revocation List (CRL) download, you'll need to allow the following CRL and OCSP URLs. For full details on the change and the CRL and OCSP URLs to enable access to, see [Azure TLS certificate changes](../../security/fundamentals/tls-certificate-changes.md). ++++### Provisioning events will be removed from audit logs and published solely to provisioning logs ++**Type:** Plan for change +**Service category:** Reporting +**Product capability:** Monitoring & Reporting + +Activity by the SCIM [provisioning service](../app-provisioning/user-provisioning.md) is logged in both the audit logs and provisioning logs. 
This includes activity such as the creation of a user in ServiceNow, group in GSuite, or import of a role from AWS. In the future, these events will only be published in the provisioning logs. This change is being implemented to avoid duplicate events across logs, and additional costs incurred by customers consuming the logs in log analytics. ++We'll provide an update when a date is completed. This deprecation isn't planned for the calendar year 2020. ++> [!NOTE] +> This does not impact any events in the audit logs outside of the synchronization events emitted by the provisioning service. Events such as the creation of an application, conditional access policy, a user in the directory, etc. will continue to be emitted in the audit logs. [Learn more](../reports-monitoring/concept-provisioning-logs.md?context=azure%2factive-directory%2fapp-provisioning%2fcontext%2fapp-provisioning-context). + ++++### Azure AD On-Premises Hybrid Agents Impacted by Azure Transport Layer Security (TLS) Certificate Changes ++**Type:** Plan for change +**Service category:** N/A +**Product capability:** Platform + +Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). There will be an update because of the current CA certificates not following one of the CA/Browser Forum Baseline requirements. This change will impact Azure AD hybrid agents installed on-premises that have hardened environments with a fixed list of root certificates. These agents will need to be updated to trust the new certificate issuers. ++This change will result in disruption of service if you don't take action immediately. 
These agents include: +- [Application Proxy connectors](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AppProxy) for remote access to on-premises +- [Passthrough Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect) agents that allow your users to sign in to applications using the same passwords +- [Cloud Provisioning Preview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect) agents that do AD to Azure AD sync. ++If you have an environment with firewall rules set to allow outbound calls to only specific Certificate Revocation List (CRL) download, you'll need to allow CRL and OCSP URLs. For full details on the change and the CRL and OCSP URLs to enable access to, see [Azure TLS certificate changes](../../security/fundamentals/tls-certificate-changes.md). ++++[1305958](https://identitydivision.visualstudio.com/IAM/IXR/_queries?id=1305958&triage=true&fullScreen=false&_a=edit) ++### Azure Active Directory TLS 1.0 & 1.1, and 3DES Cipher Suite Deprecation ++**Type:** Plan for change +**Service category:** N/A +**Product capability:** Standards ++Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting on January 31, 2022 (This date has been postponed from 30th June 2021 to 31st Jan 2022, to give Administrators more time to remove the dependency on legacy TLS protocols and ciphers (TLS 1.0,1.1 and 3DES)): ++- TLS 1.0 +- TLS 1.1 +- 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA) ++Affected environments are: ++- Azure Commercial Cloud +- Office 365 GCC and WW ++Users, services, and applications that interact with Azure Active Directory and Microsoft Graph, should use TLS 1.2 and modern cipher suites to maintain a secure connection to Azure Active Directory for Azure, Office 365, and Microsoft 365 services. 
For additional guidance, refer to [Enable support for TLS 1.2 in your environment, in preparation for upcoming deprecation of Azure AD TLS 1.0/1.1](/troubleshoot/azure/active-directory/enable-support-tls-environment). ++++### Azure Active Directory TLS 1.0, TLS 1.1, and 3DES Deprecation in US Gov Cloud ++**Type:** Plan for change +**Service category:** All Azure AD applications +**Product capability:** Standards + +Azure Active Directory will deprecate the following protocols starting March 31, 2021: +- TLS 1.0 +- TLS 1.1 +- 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA) ++All client-server and browser-server combinations should use TLS 1.2 and modern cipher suites to maintain a secure connection to Azure Active Directory for Azure, Office 365, and Microsoft 365 services. ++Affected environments are: +- Azure US Gov +- [Office 365 GCC High & DoD](/microsoft-365/compliance/tls-1-2-in-office-365-gcc) ++For guidance to remove deprecating protocols dependencies, please refer to [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment). + +++### Assign applications to roles on administrative unit and object scope ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + +This feature enables the ability to assign an application (SPN) to an administrator role on the administrative unit scope. To learn more, refer to [Assign scoped roles to an administrative unit](../roles/admin-units-assign-roles.md). ++++### Now you can disable and delete guest users when they're denied access to a resource ++**Type:** New feature +**Service category:** Access Reviews +**Product capability:** Identity Governance + +Disable and delete is an advanced control in Azure AD Access Reviews to help organizations better manage external guests in Groups and Apps. 
If guests are denied in an access review, **disable and delete** will automatically block them from signing in for 30 days. After 30 days, then they'll be removed from the tenant altogether. ++For more information about this feature, see [Disable and delete external identities with Azure AD Access Reviews](../governance/access-reviews-external-users.md#disable-and-delete-external-identities-with-azure-ad-access-reviews). + +++### Access Review creators can add custom messages in emails to reviewers ++**Type:** New feature +**Service category:** Access Reviews +**Product capability:** Identity Governance + +In Azure AD access reviews, administrators creating reviews can now write a custom message to the reviewers. Reviewers will see the message in the email they receive that prompts them to complete the review. To learn more about using this feature, see step 14 of the [Create a single-stage review](../governance/create-access-review.md#create-a-single-stage-access-review) section. ++++### New provisioning connectors in the Azure AD Application Gallery - October 2020 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Apple Business Manager](../saas-apps/apple-business-manager-provision-tutorial.md) +- [Apple School Manager](../saas-apps/apple-school-manager-provision-tutorial.md) +- [Code42](../saas-apps/code42-provisioning-tutorial.md) +- [AlertMedia](../saas-apps/alertmedia-provisioning-tutorial.md) +- [OpenText Directory Services](../saas-apps/open-text-directory-services-provisioning-tutorial.md) +- [Cinode](../saas-apps/cinode-provisioning-tutorial.md) +- [Global Relay Identity Sync](../saas-apps/global-relay-identity-sync-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to 
SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). + +++### Integration assistant for Azure AD B2C ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C + +The Integration Assistant (preview) experience is now available for Azure AD B2C App registrations. This experience helps guide you in configuring your application for common scenarios.. Learn more about [Microsoft identity platform best practices and recommendations](../develop/identity-platform-integration-checklist.md). + +++### View role template ID in Azure portal UI ++**Type:** New feature +**Service category:** Azure roles +**Product capability:** Access Control + ++You can now view the template ID of each Azure AD role in the Azure portal. In Azure AD, select **description** of the selected role. ++It's recommended that customers use role template IDs in their PowerShell script and code, instead of the display name. Role template ID is supported for use to [directoryRoles](/graph/api/resources/directoryrole) and [roleDefinition](/graph/api/resources/unifiedroledefinition) objects. For more information on role template IDs, see [Azure AD built-in roles](../roles/permissions-reference.md). ++++### API connectors for Azure AD B2C sign-up user flows is now in public preview ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C + ++API connectors are now available for use with Azure Active Directory B2C. API connectors enable you to use web APIs to customize your sign-up user flows and integrate with external cloud systems. You can you can use API connectors to: ++- Integrate with custom approval workflows +- Validate user input data +- Overwrite user attributes +- Run custom business logic ++ Visit the [Use API connectors to customize and extend sign-up](../../active-directory-b2c/api-connectors-overview.md) documentation to learn more. 
++++### State property for connected organizations in entitlement management ++**Type:** New feature +**Service category:** Directory Management +**Product capability:** Entitlement Management + ++ All connected organizations will now have an additional property called "State". The state will control how the connected organization will be used in policies that refer to "all configured connected organizations". The value will be either "configured" (meaning the organization is in the scope of policies that use the "all" clause) or "proposed" (meaning that the organization isn't in scope). ++Manually created connected organizations will have a default setting of "configured". Meanwhile, automatically created ones (created via policies that allow any user from the internet to request access) will default to "proposed." Any connected organizations created before September 9 2020 will be set to "configured." Admins can update this property as needed. [Learn more](../governance/entitlement-management-organization.md#managing-a-connected-organization-programmatically). + ++++### Azure Active Directory External Identities now has premium advanced security settings for B2C ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C + +Risk-based Conditional Access and risk detection features of Identity Protection are now available in [Azure AD B2C](../..//active-directory-b2c/conditional-access-identity-protection-overview.md). With these advanced security features, customers can now: +- Leverage intelligent insights to assess risk with B2C apps and end user accounts. Detections include atypical travel, anonymous IP addresses, malware-linked IP addresses, and Azure AD threat intelligence. Portal and API-based reports are also available. +- Automatically address risks by configuring adaptive authentication policies for B2C users. 
App developers and administrators can mitigate real-time risk by requiring Azure Active Directory Multi-Factor Authentication (MFA) or blocking access depending on the user risk level detected, with additional controls available based on location, group, and app. +- Integrate with Azure AD B2C user flows and custom policies. Conditions can be triggered from built-in user flows in Azure AD B2C or can be incorporated into B2C custom policies. As with other aspects of the B2C user flow, end user experience messaging can be customized. Customization is according to the organization's voice, brand, and mitigation alternatives. + +++### New Federated Apps available in Azure AD Application gallery - October 2020 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In October 2020 we have added following 27 new applications in our App gallery with Federation support: ++[Sentry](../saas-apps/sentry-tutorial.md), [Bumblebee - Productivity Superapp](https://app.yellowmessenger.com/user/login), [ABBYY FlexiCapture Cloud](../saas-apps/abbyy-flexicapture-cloud-tutorial.md), [EAComposer](../saas-apps/eacomposer-tutorial.md), [Genesys Cloud Integration for Azure](https://apps.mypurecloud.com/msteams-integration/), [Zone Technologies Portal](https://portail.zonetechnologie.com/signin), [Beautiful.ai](../saas-apps/beautiful.ai-tutorial.md), [Datawiza Access Broker](https://console.datawiza.com/), [ZOKRI](https://app.zokri.com/), [CheckProof](../saas-apps/checkproof-tutorial.md), [Ecochallenge.org](https://events.ecochallenge.org/users/login), [atSpoke](https://www.atspoke.com/), [Appointment Reminder](https://app.appointmentreminder.co.nz/account/login), [Cloud.Market](https://cloud.market/), [TravelPerk](../saas-apps/travelperk-tutorial.md), [Greetly](https://app.greetly.com/), [OrgVitality SSO](../saas-apps/orgvitality-sso-tutorial.md), [Web Cargo Air](../saas-apps/web-cargo-air-tutorial.md), [Loop Flow 
CRM](../saas-apps/loop-flow-crm-tutorial.md), [Starmind](../saas-apps/starmind-tutorial.md), [Workstem](https://hrm.workstem.com/login), [Retail Zipline](../saas-apps/retail-zipline-tutorial.md), [Hoxhunt](../saas-apps/hoxhunt-tutorial.md), [MEVISIO](../saas-apps/mevisio-tutorial.md), [Samsara](../saas-apps/samsara-tutorial.md), [Nimbus](../saas-apps/nimbus-tutorial.md), [Pulse Secure virtual Traffic Manager](../saas-apps/pulse-secure-virtual-traffic-manager-tutorial.md) ++You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest ++++### Provisioning logs can now be streamed to log analytics ++**Type:** New feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting + ++Publish your provisioning logs to log analytics in order to: +- Store provisioning logs for more than 30 days +- Define custom alerts and notifications +- Build dashboards to visualize the logs +- Execute complex queries to analyze the logs ++To learn how to use the feature, see [Understand how provisioning integrates with Azure Monitor logs](../app-provisioning/application-provisioning-log-analytics.md). + +++### Provisioning logs can now be viewed by application owners ++**Type:** Changed feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting + +You can now allow application owners to monitor activity by the provisioning service and troubleshoot issues without providing them a privileged role or making IT a bottleneck. [Learn more](../reports-monitoring/concept-provisioning-logs.md). 
+ +++### Renaming 10 Azure Active Directory roles ++**Type:** Changed feature +**Service category:** Azure roles +**Product capability:** Access Control + +Some Azure Active Directory (AD) built-in roles have names that differ from those that appear in Microsoft 365 admin center, the Azure portal, and Microsoft Graph. This inconsistency can cause problems in automated processes. With this update, we're renaming 10 role names to make them consistent. The following table has the new role names: ++![Table showing role names in MS Graph API and the Azure portal, and the proposed new role name in M365 Admin Center, Azure portal, and API.](media/whats-new/azure-role.png) ++++### Azure AD B2C support for auth code flow for SPAs using MSAL JS 2.x ++**Type:** Changed feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C + +MSAL.js version 2.x now includes support for the authorization code flow for single-page web apps (SPAs). Azure AD B2C will now support the use of the SPA app type on the Azure portal and the use of MSAL.js authorization code flow with PKCE for single-page apps. This will allow SPAs using Azure AD B2C to maintain SSO with newer browsers and abide by newer authentication protocol recommendations. Get started with the [Register a single-page application (SPA) in Azure Active Directory B2C](../../active-directory-b2c/tutorial-register-spa.md) tutorial. ++++### Updates to Remember Azure Active Directory Multi-Factor Authentication (MFA) on a trusted device setting ++**Type:** Changed feature +**Service category:** MFA +**Product capability:** Identity Security & Protection + ++We've recently updated the [remember Azure Active Directory Multi-Factor Authentication (MFA)](../authentication/howto-mfa-mfasettings.md#remember-multi-factor-authentication) on a trusted device feature to extend authentication for up to 365 days. 
Azure Active Directory (Azure AD) Premium licenses, can also use the [Conditional Access ΓÇô Sign-in Frequency policy](../conditional-access/howto-conditional-access-session-lifetime.md#user-sign-in-frequency) that provides more flexibility for reauthentication settings. ++For the optimal user experience, we recommend using Conditional Access sign-in frequency to extend session lifetimes on trusted devices, locations, or low-risk sessions as an alternative to remember multifactor authentication (MFA) on a trusted device setting. To get started, review our [latest guidance on optimizing the reauthentication experience](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md). ++++## September 2020 ++### New provisioning connectors in the Azure AD Application Gallery - September 2020 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Coda](../saas-apps/coda-provisioning-tutorial.md) +- [Cofense Recipient Sync](../saas-apps/cofense-provision-tutorial.md) +- [InVision](../saas-apps/invision-provisioning-tutorial.md) +- [myday](../saas-apps/myday-provision-tutorial.md) +- [SAP Analytics Cloud](../saas-apps/sap-analytics-cloud-provisioning-tutorial.md) +- [Webroot Security Awareness](../saas-apps/webroot-security-awareness-training-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). 
+ ++### Cloud Provisioning Public Preview Refresh ++**Type:** New feature +**Service category:** Azure AD Cloud Provisioning +**Product capability:** Identity Lifecycle Management + +Azure AD Connect Cloud Provisioning public preview refresh features two major enhancements developed from customer feedback: ++- Attribute Mapping Experience through Azure portal ++ With this feature, IT Admins can map user, group, or contact attributes from AD to Azure AD using various mapping types present today. Attribute mapping is a feature used for standardizing the values of the attributes that flow from Active Directory to Azure Active Directory. One can determine whether to directly map the attribute value as it is from AD to Azure AD or use expressions to transform the attribute values when provisioning users. [Learn more](../cloud-sync/how-to-attribute-mapping.md) ++- On-demand Provisioning or Test User experience ++ Once you have set up your configuration, you might want to test to see if the user transformation is working as expected before applying it to all your users in scope. With on-demand provisioning, IT Admins can enter the Distinguished Name (DN) of an AD user and see if they're getting synced as expected. On-demand provisioning provides a great way to ensure that the attribute mappings you did previously work as expected. [Learn More](../cloud-sync/how-to-on-demand-provision.md) + +++### Audited BitLocker Recovery in Azure AD - Public Preview ++**Type:** New feature +**Service category:** Device Access Management +**Product capability:** Device Lifecycle Management + +When IT admins or end users read BitLocker recovery key(s) they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with. 
++End users can [access their recovery keys via My Account](https://support.microsoft.com/account-billing/manage-your-work-or-school-account-connected-devices-from-the-devices-page-6b5a735d-0a7f-4e94-8cfd-f5da6bc13d4e#view-a-bitlocker-key). IT admins can access recovery keys via the [BitLocker recovery key API](/graph/api/resources/bitlockerrecoverykey) or via the Azure portal. To learn more, see [View or copy BitLocker keys in the Azure portal](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys). ++++### Teams Devices Administrator built-in role ++**Type:** New feature +**Service category:** RBAC +**Product capability:** Access Control + +Users with the [Teams Devices Administrator](../roles/permissions-reference.md#teams-devices-administrator) role can manage [Teams-certified devices](https://www.microsoft.com/microsoft-365/microsoft-teams/across-devices/devices) from the Teams Admin Center. ++This role allows the user to view all devices at single glance, with the ability to search and filter devices. The user can also check the details of each device including logged-in account and the make and model of the device. The user can change the settings on the device and update the software versions. This role doesn't grant permissions to check Teams activity and call quality of the device. + +++### Advanced query capabilities for Directory Objects ++**Type:** New feature +**Service category:** MS Graph +**Product capability:** Developer Experience + +All the new query capabilities introduced for Directory Objects in Azure AD APIs are now available in the v1.0 endpoint and production-ready. Developers can Count, Search, Filter, and Sort Directory Objects and related links using the standard OData operators. 
++To learn more, see the documentation [here](https://aka.ms/BlogPostMezzoGA), and you can also send feedback with this [brief survey](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR_yN8EPoGo5OpR1hgmCp1XxUMENJRkNQTk5RQkpWTE44NEk2U0RIV0VZRy4u). + +++### Public preview: continuous access evaluation for tenants who configured Conditional Access policies ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** Identity Security & Protection + +Continuous access evaluation (CAE) is now available in public preview for Azure AD tenants with Conditional Access policies. With CAE, critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change. To learn more, see [Continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md). ++++### Public preview: ask users requesting an access package additional questions to improve approval decisions ++**Type:** New feature +**Service category:** User Access Management +**Product capability:** Entitlement Management + +Administrators can now require that users requesting an access package answer additional questions beyond just business justification in Azure AD Entitlement management's My Access portal. The users' answers will then be shown to the approvers to help them make a more accurate access approval decision. To learn more, see [Collect additional requestor information for approval](../governance/entitlement-management-access-package-approval-policy.md#collect-additional-requestor-information-for-approval). + +++### Public preview: Enhanced user management ++**Type:** New feature +**Service category:** User Management +**Product capability:** User Management + ++The Azure portal has been updated to make it easier to find users in the All users and Deleted users pages. 
Changes in the preview include: +- More visible user properties including object ID, directory sync status, creation type, and identity issuer. +- Search now allows combined search of names, emails, and object IDs. +- Enhanced filtering by user type (member, guest, and none), directory sync status, creation type, company name, and domain name. +- New sorting capabilities on properties like name, user principal name and deletion date. +- A new total users count that updates with any searches or filters. ++For more information, please see [User management enhancements (preview) in Azure Active Directory](../enterprise-users/users-search-enhanced.md). ++++### New notes field for Enterprise applications ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** SSO ++You can add free text notes to Enterprise applications. You can add any relevant information that will help manager applications under Enterprise applications. For more information, see [Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant](../manage-apps/add-application-portal-configure.md). 
++++### New Federated Apps available in Azure AD Application gallery - September 2020 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In September 2020 we have added following 34 new applications in our App gallery with Federation support: ++[VMware Horizon - Unified Access Gateway](), [Pulse Secure PCS](../saas-apps/vmware-horizon-unified-access-gateway-tutorial.md), [Inventory360](../saas-apps/pulse-secure-pcs-tutorial.md), [Frontitude](https://services.enteksystems.de/sso/microsoft/signup), [BookWidgets](https://www.bookwidgets.com/sso/office365), [ZVD_Server](https://zaas.zenmutech.com/user/signin), [HashData for Business](https://hashdata.app/login.xhtml), [SecureLogin](https://securelogin.securelogin.nu/sso/azure/login), [CyberSolutions MAILBASE╬ú/CMSS](../saas-apps/cybersolutions-mailbase-tutorial.md), [CyberSolutions CYBERMAIL╬ú](../saas-apps/cybersolutions-cybermail-tutorial.md), [LimbleCMMS](https://auth.limblecmms.com/), [Glint Inc](../saas-apps/glint-inc-tutorial.md), [zeroheight](../saas-apps/zeroheight-tutorial.md), [Gender Fitness](https://app.genderfitness.com/), [Coeo Portal](https://my.coeo.com/), [Grammarly](../saas-apps/grammarly-tutorial.md), [Fivetran](../saas-apps/fivetran-tutorial.md), [Kumolus](../saas-apps/kumolus-tutorial.md), [RSA Archer Suite](../saas-apps/rsa-archer-suite-tutorial.md), [TeamzSkill](../saas-apps/teamzskill-tutorial.md), [raumf├╝rraum](../saas-apps/raumfurraum-tutorial.md), [Saviynt](../saas-apps/saviynt-tutorial.md), [BizMerlinHR](https://marketplace.bizmerlin.net/bmone/signup), [Mobile Locker](../saas-apps/mobile-locker-tutorial.md), [Zengine](../saas-apps/zengine-tutorial.md), [CloudCADI](https://cloudcadi.com/), [Simfoni Analytics](https://simfonianalytics.com/accounts/microsoft/login/), [Priva Identity & Access Management](https://my.priva.com/), [Nitro Pro](https://www.gonitro.com/nps/product-details/downloads), 
[Eventfinity](../saas-apps/eventfinity-tutorial.md), [Fexa](../saas-apps/fexa-tutorial.md), [Secured Signing Enterprise Portal](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Secured Signing Enterprise Portal AAD Setup](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Wistec Online](https://wisteconline.com/auth/oidc), [Oracle PeopleSoft - Protected by F5 BIG-IP APM](../saas-apps/oracle-peoplesoft-protected-by-f5-big-ip-apm-tutorial.md) ++You can also find the documentation of all the applications from here: https://aka.ms/AppsTutorial. ++For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest. ++++### New delegation role in Azure AD entitlement management: Access package assignment manager ++**Type:** New feature +**Service category:** User Access Management +**Product capability:** Entitlement Management + +A new Access Package Assignment Manager role has been added in Azure AD entitlement management to provide granular permissions to manage assignments. You can now delegate tasks to a user in this role, who can delegate assignments management of an access package to a business owner. However, an Access Package Assignment Manager can't alter the access package policies or other properties that are set by the administrators. ++With this new role, you benefit from the least privileges needed to delegate management of assignments and maintain administrative control on all other access package configurations. To learn more, see [Entitlement management roles](../governance/entitlement-management-delegate.md#entitlement-management-roles). 
+ +++### Changes to Privileged Identity Management's onboarding flow ++**Type:** Changed feature +**Service category:** Privileged Identity Management +**Product capability:** Privileged Identity Management + +Previously, onboarding to Privileged Identity Management (PIM) required user consent and an onboarding flow in PIM's blade that included enrollment in Azure Active Directory Multi-Factor Authentication (MFA). With the recent integration of PIM experience into the Azure AD roles and administrators blade, we are removing this experience. Any tenant with valid P2 license will be auto-onboarded to PIM. ++Onboarding to PIM does not have any direct adverse effect on your tenant. You can expect the following changes: +- Additional assignment options such as active vs. eligible with start and end time when you make an assignment in either PIM or Azure AD roles and administrators blade. +- Additional scoping mechanisms, like Administrative Units and custom roles, introduced directly into the assignment experience. +- If you're a global administrator or privileged role administrator, you may start getting a few additional emails like the PIM weekly digest. +- You might also see ms-pim service principal in the audit log related to role assignment. This expected change shouldn't affect your regular workflow. ++ For more information, see [Start using Privileged Identity Management](../privileged-identity-management/pim-getting-started.md). ++++### Azure AD Entitlement Management: The Select pane of access package resources now shows by default the resources currently in the selected catalog ++**Type:** Changed feature +**Service category:** User Access Management +**Product capability:** Entitlement Management + ++In the access package creation flow, under the Resource roles tab, the Select pane behavior is changing. Currently, the default behavior is to show all resources that are owned by the user and resources added to the selected catalog. 
++This experience will be changed to display only the resources currently added in the catalog by default, so that users can easily pick resources from the catalog. The update will help with discoverability of the resources to add to access packages, and reduce risk of inadvertently adding resources owned by the user that aren't part of the catalog. To learn more, see [Create a new access package in Azure AD entitlement management](../governance/entitlement-management-access-package-create.md#resource-roles). + +++## August 2020 + +### Updates to Azure Active Directory Multi-Factor Authentication Server firewall requirements ++**Type:** Plan for change +**Service category:** MFA +**Product capability:** Identity Security & Protection + +Starting 1 October 2020, Azure AD Multi-Factor Authentication (MFA) Server firewall requirements will require additional IP ranges. ++If you have outbound firewall rules in your organization, update the rules so that your multifactor authentication (MFA) servers can communicate with all the necessary IP ranges. The IP ranges are documented in [Azure Active Directory Multi-Factor Authentication Server firewall requirements](../authentication/howto-mfaserver-deploy.md#azure-multi-factor-authentication-server-firewall-requirements). ++++### Upcoming changes to user experience in Identity Secure Score ++**Type:** Plan for change +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection ++We're updating the Identity Secure Score portal to align with the changes introduced in Microsoft Secure Score's [new release](/microsoft-365/security/mtp/microsoft-secure-score-whats-new). ++The preview version with the changes will be available at the beginning of September. 
The changes in the preview version include: +- "Identity Secure Score" renamed to "Secure Score for Identity" for brand alignment with Microsoft Secure Score +- Points normalized to standard scale and reported in percentages instead of points ++In this preview, customers can toggle between the existing experience and the new experience. This preview will last until the end of November 2020. After the preview, the customers will automatically be directed to the new UX experience. ++++### New Restricted Guest Access Permissions in Azure AD - Public Preview ++**Type:** New feature +**Service category:** Access Control +**Product capability:** User Management ++We've updated directory level permissions for guest users. These permissions allow administrators to require additional restrictions and controls on external guest user access. Admins can now add additional restrictions for external guests' access to user and groups' profile and membership information. With this public preview feature, customers can manage external user access at scale by obfuscating group memberships, including restricting guest users from seeing memberships of the group(s) they are in. ++To learn more, see [Restricted Guest Access Permissions](../enterprise-users/users-restrict-guest-permissions.md) and [Users Default Permissions](./users-default-permissions.md). + +++### General availability of delta queries for service principals ++**Type:** New feature +**Service category:** MS Graph +**Product capability:** Developer Experience + +Microsoft Graph Delta Query now supports the resource type in v1.0: +- Service Principal ++Now clients can track changes to those resources efficiently and provides the best solution to synchronize changes to those resources with a local data store. To learn how to configure these resources in a query, see [Use delta query to track changes in Microsoft Graph data](/graph/delta-query-overview). 
+ +++### General availability of delta queries for oAuth2PermissionGrant ++**Type:** New feature +**Service category:** MS Graph +**Product capability:** Developer Experience ++Microsoft Graph Delta Query now supports the resource type in v1.0: +- OAuth2PermissionGrant ++Clients can now track changes to those resources efficiently and provides the best solution to synchronize changes to those resources with a local data store. To learn how to configure these resources in a query, see [Use delta query to track changes in Microsoft Graph data](/graph/delta-query-overview). ++++### New Federated Apps available in Azure AD Application gallery - August 2020 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In August 2020 we have added following 25 new applications in our App gallery with Federation support: ++[Backup365](https://portal.backup365.io/login), [Soapbox](https://app.soapboxhq.com/create?step=auth&provider=azure-ad2-oauth2), [Enlyft Dynamics 365 Connector](http://enlyft.com/), [Serraview Space Utilization Software Solutions](../saas-apps/serraview-space-utilization-software-solutions-tutorial.md), [Uniq](https://web.uniq.app/), [Visibly](../saas-apps/visibly-tutorial.md), [Zylo](../saas-apps/zylo-tutorial.md), [Edmentum - Courseware Assessments Exact Path](https://auth.edmentum.com/elf/login), [CyberLAB](https://cyberlab.evolvesecurity.com/#/welcome), [Altamira HRM](../saas-apps/altamira-hrm-tutorial.md), [WireWheel](../saas-apps/wirewheel-tutorial.md), [Zix Compliance and Capture](https://sminstall.zixcorp.com/teams/teams.php?install_request=true&tenant_id=common), [Greenlight Enterprise Business Controls Platform](../saas-apps/greenlight-enterprise-business-controls-platform-tutorial.md), [Genetec Clearance](https://www.clearance.network/), [iSAMS](../saas-apps/isams-tutorial.md), [VeraSMART](../saas-apps/verasmart-tutorial.md), [Amiko](https://amiko.io/), 
[Twingate](https://auth.twingate.com/signup), [Funnel Leasing](https://nestiolistings.com/sso/oidc/azure/authorize/), [Scalefusion](https://scalefusion.com/users/sign_in/), [Bpanda](https://goto.bpanda.com/login), [Vivun Calendar Connect](https://app.vivun.com/dashboard/calendar/connect), [FortiGate SSL VPN](../saas-apps/fortigate-ssl-vpn-tutorial.md), [Wandera End User](https://www.wandera.com/) ++You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest ++++### Resource Forests now available for Azure AD DS ++**Type:** New feature +**Service category:** Azure AD Domain Services +**Product capability:** Azure AD Domain Services + +The capability of resource forests in Azure AD Domain Services is now generally available. You can now enable authorization without password hash synchronization to use Azure AD Domain Services, including smart-card authorization. To learn more, see [Replica sets concepts and features for Azure Active Directory Domain Services (preview)](../../active-directory-domain-services/concepts-replica-sets.md). + +++### Regional replica support for Azure AD DS managed domains now available ++**Type:** New feature +**Service category:** Azure AD Domain Services +**Product capability:** Azure AD Domain Services + +You can expand a managed domain to have more than one replica set per Azure AD tenant. Replica sets can be added to any peered virtual network in any Azure region that supports Azure AD Domain Services. Additional replica sets in different Azure regions provide geographical disaster recovery for legacy applications if an Azure region goes offline. To learn more, see [Replica sets concepts and features for Azure Active Directory Domain Services (preview)](../../active-directory-domain-services/concepts-replica-sets.md). 
++++### General Availability of Azure AD My sign-ins ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** End User Experiences + +Azure AD My sign-ins is a new feature that allows enterprise users to review their sign-in history to check for any unusual activity. Additionally, this feature allows end users to report "This wasn't me" or "This was me" on suspicious activities. To learn more about using this feature, see [View and search your recent sign-in activity from the My sign-ins page](https://support.microsoft.com/account-billing/view-and-search-your-work-or-school-account-sign-in-activity-from-my-sign-ins-9e7d108c-8e3f-42aa-ac3a-bca892898972#confirm-unusual-activity). + +++### SAP SuccessFactors HR driven user provisioning to Azure AD is now generally available ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management + +You can now integrate SAP SuccessFactors as the authoritative identity source with Azure AD and automate the end-to-end identity lifecycle using HR events like new hires and terminations to drive provisioning and de-provisioning of accounts in Azure AD. ++To learn more about how to configure SAP SuccessFactors inbound provisioning to Azure AD, refer to the tutorial [Configure SAP SuccessFactors to Active Directory user provisioning](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md). + +++### Custom Open ID Connect MS Graph API support for Azure AD B2C ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C + +Previously, Custom Open ID Connect providers could only be added or managed through the Azure portal. Now the Azure AD B2C customers can add and manage them through Microsoft Graph APIs beta version as well. To learn how to configure this resource with APIs, see [identityProvider resource type](/graph/api/resources/identityprovider). 
+ +++### Assign Azure AD built-in roles to cloud groups ++**Type:** New feature +**Service category:** Azure AD roles +**Product capability:** Access Control ++You can now assign Azure AD built-in roles to cloud groups with this new feature. For example, you can assign the SharePoint Administrator role to Contoso_SharePoint_Admins group. You can also use PIM to make the group an eligible member of the role, instead of granting standing access. To learn how to configure this feature, see [Use cloud groups to manage role assignments in Azure Active Directory (preview)](../roles/groups-concept.md). + +++### Insights Business Leader built-in role now available ++**Type:** New feature +**Service category:** Azure AD roles +**Product capability:** Access Control + +Users in the Insights Business Leader role can access a set of dashboards and insights via the [Microsoft 365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). This includes full access to all dashboards and presented insights and data exploration functionality. However, users in this role don't have access to product configuration settings, which is the responsibility of the Insights Administrator role. To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-business-leader) + +++### Insights Administrator built-in role now available ++**Type:** New feature +**Service category:** Azure AD roles +**Product capability:** Access Control + +Users in the Insights Administrator role can access the full set of administrative capabilities in the [Microsoft 365 Insights application](https://www.microsoft.com/microsoft-365/partners/workplaceanalytics). A user in this role can read directory information, monitor service health, file support tickets, and access the Insights administrator settings aspects. 
To learn more about this role, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#insights-administrator) + + ++### Application Admin and Cloud Application Admin can manage extension properties of applications ++**Type:** Changed feature +**Service category:** Azure AD roles +**Product capability:** Access Control + +Previously, only the Global Administrator could manage the [extension property](/graph/api/application-post-extensionproperty). We're now enabling this capability for the Application Administrator and Cloud Application Administrator as well. + +++### MIM 2016 SP2 hotfix 4.6.263.0 and connectors 1.1.1301.0 ++**Type:** Changed feature +**Service category:** Microsoft Identity Manager +**Product capability:** Identity Lifecycle Management ++A [hotfix rollup package (build 4.6.263.0)](https://support.microsoft.com/help/4576473/hotfix-rollup-package-build-4-6-263-0-is-available-for-microsoft-ident) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2). This rollup package contains updates for the MIM CM, MIM Synchronization Manager, and PAM components. In addition, the MIM generic connectors build 1.1.1301.0 includes updates for the Graph connector. ++++## July 2020 ++### As an IT Admin, I want to target client apps using Conditional Access ++**Type:** Plan for change +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection + +With the GA release of the client apps condition in Conditional Access, new policies will now apply by default to all client applications. This includes legacy authentication clients. Existing policies will remain unchanged, but the *Configure Yes/No* toggle will be removed from existing policies to easily see which client apps are applied to by the policy. ++When creating a new policy, make sure to exclude users and service accounts that are still using legacy authentication; if you don't, they'll be blocked. 
[Learn more](../conditional-access/concept-conditional-access-conditions.md). + +++### Upcoming SCIM compliance fixes ++**Type:** Plan for change +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management + +The Azure AD provisioning service uses the SCIM standard for integrating with applications. Our implementation of the SCIM standard is evolving, and we expect to make changes to our behavior around how we perform PATCH operations and set the property "active" on a resource. [Learn more](../app-provisioning/application-provisioning-config-problem-scim-compatibility.md). + +++### Group owner setting on Azure Admin portal will be changed ++**Type:** Plan for change +**Service category:** Group Management +**Product capability:** Collaboration ++Owner settings on Groups general setting page can be configured to restrict owner assignment privileges to a limited group of users in the Azure Admin portal and Access Panel. We'll soon have the ability to assign group owner privilege not only on these two UX portals but also enforce the policy on the backend to provide consistent behavior across endpoints, such as PowerShell and Microsoft Graph. ++We'll start to disable the current setting for the customers who aren't using it and will offer an option to scope users for group owner privilege in the next few months. For guidance on updating group settings, see Edit your group information using [Azure Active Directory](./active-directory-groups-settings-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context). ++++### Azure Active Directory Registration Service is ending support for TLS 1.0 and 1.1 ++**Type:** Plan for change +**Service category:** Device Registration and Management +**Product capability:** Platform ++Transport layer security (TLS) 1.2 and update servers and clients will soon communicate with Azure Active Directory Device Registration Service. 
Support for TLS 1.0 and 1.1 for communication with Azure AD Device Registration service will retire: +- On August 31, 2020, in all sovereign clouds (GCC High, DoD, etc.) +- On October 30, 2020, in all commercial clouds ++[Learn more](../devices/reference-device-registration-tls-1-2.md) about TLS 1.2 for the Azure AD Registration Service. ++++### Windows Hello for Business Sign Ins visible in Azure AD Sign In Logs ++**Type:** Fixed +**Service category:** Reporting +**Product capability:** Monitoring & Reporting + +Windows Hello for Business allows end users to sign into Windows machines with a gesture (such as a PIN or biometric). Azure AD admins may want to differentiate Windows Hello for Business sign-ins from other Windows sign-ins as part of an organization's journey to passwordless authentication. ++Admins can now see whether a Windows authentication used Windows Hello for Business by checking the Authentication Details tab for a Windows sign-in event in the Azure AD sign-ins blade in the Azure portal. Windows Hello for Business authentications will include "WindowsHelloForBusiness" in the Authentication Method field. For more information on interpreting Sign-In Logs, please see the [Sign-In Logs documentation](../reports-monitoring/concept-sign-ins.md). + +++### Fixes to group deletion behavior and performance improvements ++**Type:** Fixed +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management + +Previously, when a group changed from "in-scope" to "out-of-scope" and an admin clicked restart before the change was completed, the group object wasn't being deleted. Now the group object will be deleted from the target application when it goes out of scope (disabled, deleted, unassigned, or didn't pass scoping filter). [Learn more](../app-provisioning/how-provisioning-works.md#incremental-cycles). 
+ +++### Public Preview: Admins can now add custom content in the email to reviewers when creating an access review ++**Type:** New feature +**Service category:** Access Reviews +**Product capability:** Identity Governance + +When a new access review is created, the reviewer receives an email requesting them to complete the access review. Many of our customers asked for the ability to add custom content to the email, such as contact information, or other additional supporting content to guide the reviewer. ++Now available in public preview, administrators can specify custom content in the email sent to reviewers by adding content in the "advanced" section of Azure AD Access Reviews. For guidance on creating access reviews, see [Create an access review of groups and applications in Azure AD access reviews](../governance/create-access-review.md). + +++### Authorization Code Flow for Single-page apps available ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** Developer Experience + +Because of modern browser 3rd party cookie restrictions such as Safari ITP, SPAs will have to use the authorization code flow rather than the implicit flow to maintain SSO, and MSAL.js v 2.x will now support the authorization code flow. ++There are corresponding updates to the Azure portal so you can update your SPA to be type "spa" and use the auth code flow. See [Sign in users and get an access token in a JavaScript SPA using the auth code flow](../develop/quickstart-v2-javascript-auth-code.md) for further guidance. + +++### Azure AD Application Proxy now supports the Remote Desktop Services Web Client ++**Type:** New feature +**Service category:** App Proxy +**Product capability:** Access Control ++Azure AD Application Proxy now supports the Remote Desktop Services (RDS) Web Client. 
The RDS web client allows users to access Remote Desktop infrastructure through any HTLM5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, etc. Users can interact with remote apps or desktops like they would with a local device from anywhere. By using Azure AD Application Proxy you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. For guidance, see [Publish Remote Desktop with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-remote-desktop-services.md). + +++### Next generation Azure AD B2C user flows in public preview ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C + +Simplified user flow experience offers feature parity with preview features and is the home for all new features. Users will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. Lastly, the new, user-friendly UX simplifies the selection and creation of user flows. Try it now by [creating a user flow](../../active-directory-b2c/tutorial-create-user-flows.md). ++For more information about users flows, see [User flow versions in Azure Active Directory B2C](../../active-directory-b2c/user-flow-versions.md). 
++++### New Federated Apps available in Azure AD Application gallery - July 2020 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In July 2020 we have added following 55 new applications in our App gallery with Federation support: ++[Appreiz](https://microsoftteams.appreiz.com/), [Inextor Vault](https://inexto.com/inexto-suite/inextor), [Beekast](https://my.beekast.com/), [Templafy OpenID Connect](https://app.templafy.com/), [PeterConnects receptionist](https://msteams.peterconnects.com/), [AlohaCloud](https://www.alohacloud.com/), Control Tower, [Cocoom](https://start.cocoom.com/), [COINS Construction Cloud](https://sso.coinsconstructioncloud.com/#login/), [Medxnote MT](https://task.teamsmain.medx.im/authorization), [Reflekt](https://reflekt.konsolute.com/login), [Rever](https://app.reverscore.net/access), [MyCompanyArchive](https://login.mycompanyarchive.com/), [GReminders](https://app.greminders.com/o365-oauth), [Titanfile](../saas-apps/titanfile-tutorial.md), [Wootric](../saas-apps/wootric-tutorial.md), [SolarWinds Orion](https://support.solarwinds.com/SuccessCenter/s/orion-platform?language=en_US), [OpenText Directory Services](../saas-apps/opentext-directory-services-tutorial.md), [Datasite](../saas-apps/datasite-tutorial.md), [BlogIn](../saas-apps/blogin-tutorial.md), [IntSights](../saas-apps/intsights-tutorial.md), [kpifire](../saas-apps/kpifire-tutorial.md), [Textline](../saas-apps/textline-tutorial.md), [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-tutorial.md), [Community Spark](../saas-apps/community-spark-tutorial.md), [Chatwork](../saas-apps/chatwork-tutorial.md), [CloudSign](../saas-apps/cloudsign-tutorial.md), [C3M Cloud Control](../saas-apps/c3m-cloud-control-tutorial.md), [SmartHR](https://smarthr.jp/), [NumlyEngage™](../saas-apps/numlyengage-tutorial.md), [Michigan Data Hub Single Sign-On](../saas-apps/michigan-data-hub-single-sign-on-tutorial.md), 
[Egress](../saas-apps/egress-tutorial.md), [SendSafely](../saas-apps/sendsafely-tutorial.md), [Eletive](https://app.eletive.com/), [Right-Hand Cybersecurity ADI](https://right-hand.ai/), [Fyde Enterprise Authentication](https://enterprise.fyde.com/), [Verme](../saas-apps/verme-tutorial.md), [Lenses.io](../saas-apps/lensesio-tutorial.md), [Momenta](../saas-apps/momenta-tutorial.md), [Uprise](https://app.uprise.co/sign-in), [Q](https://www.moduleq.com/), [CloudCords](../saas-apps/cloudcords-tutorial.md), [TellMe Bot](https://tellme365liteweb.azurewebsites.net/), [Inspire](https://app.inspiresoftware.com/), [Maverics Identity Orchestrator SAML Connector](https://www.strata.io/identity-fabric/), [Smartschool (School Management System)](https://smartschoolz.com/login), [Zepto - Intelligent timekeeping](https://user.zepto-ai.com/signin), [Studi.ly](https://studi.ly/), [Trackplan](http://www.trackplanfm.com/), [Skedda](../saas-apps/skedda-tutorial.md), [WhosOnLocation](../saas-apps/whos-on-location-tutorial.md), [Coggle](../saas-apps/coggle-tutorial.md), [Kemp LoadMaster](https://kemptechnologies.com/cloud-load-balancer/), [BrowserStack Single Sign-on](../saas-apps/browserstack-single-sign-on-tutorial.md) ++You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial ++For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest ++++### View role assignments across all scopes and ability to download them to a csv file ++**Type:** Changed feature +**Service category:** Azure AD roles +**Product capability:** Access Control + +You can now view role assignments across all scopes for a role in the "Roles and administrators" tab in the Azure portal. You can also download those role assignments for each role into a CSV file. For guidance on viewing and adding role assignments, see [View and assign administrator roles in Azure Active Directory](../roles/manage-roles-portal.md). 
+ +++### Azure Active Directory Multi-Factor Authentication Software Development (Azure MFA SDK) Deprecation ++**Type:** Deprecated +**Service category:** MFA +**Product capability:** Identity Security & Protection + +The Azure Active Directory Multi-Factor Authentication Software Development (Azure MFA SDK) reached the end of life on November 14th, 2018, as first announced in November 2017. Microsoft will be shutting down the SDK service effective on September 30th, 2020. Any calls made to the SDK will fail. ++If your organization is using the Azure MFA SDK, you need to migrate by September 30th, 2020: +- Azure MFA SDK for MIM: If you use the SDK with MIM, you should migrate to Azure AD Multi-Factor Authentication (MFA) Server and activate Privileged Access Management (PAM) following these [instructions](/microsoft-identity-manager/working-with-mfaserver-for-mim). +- Azure MFA SDK for customized apps: Consider integrating your app into Azure AD and use Conditional Access to enforce MFA. To get started, review this [page](../manage-apps/plan-an-application-integration.md). ++++## June 2020 ++### User risk condition in Conditional Access policy ++**Type:** Plan for change +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection + ++User risk support in Azure AD Conditional Access policy allows you to create multiple user risk-based policies. Different minimum user risk levels can be required for different users and apps. Based on user risk, you can create policies to block access, require multifactor authentication, secure password change, or redirect to Microsoft Cloud App Security to enforce session policy, such as additional auditing. ++The user risk condition requires Azure AD Premium P2 because it uses Azure Identity Protection, which is a P2 offering. for more information about conditional access, refer to [Azure AD Conditional Access documentation](../conditional-access/index.yml). 
++++### SAML SSO now supports apps that require SPNameQualifier to be set when requested ++**Type:** Fixed +**Service category:** Enterprise Apps +**Product capability:** SSO + +Some SAML applications require SPNameQualifier to be returned in the assertion subject when requested. Now Azure AD responds correctly when a SPNameQualifier is requested in the request NameID policy. This also works for SP initiated sign-in, and IdP initiated sign-in will follow. ++++### Azure AD B2B Collaboration supports inviting MSA and Google users in Azure Government tenants ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C + ++Azure Government tenants using the B2B collaboration features can now invite users that have a Microsoft or Google account. To find out if your tenant can use these capabilities, follow the instructions at [How can I tell if B2B collaboration is available in my Azure US Government tenant?](../external-identities/b2b-government-national-clouds.md#how-can-i-tell-if-b2b-collaboration-is-available-in-my-azure-us-government-tenant). ++ ++ +### User object in MS Graph v1 now includes externalUserState and externalUserStateChangedDateTime properties ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C + ++The externalUserState and externalUserStateChangedDateTime properties can be used to find invited B2B guests who have not accepted their invitations yet as well as build automation such as deleting users who haven't accepted their invitations after some number of days. These properties are now available in MS Graph v1. For guidance on using these properties, refer to [User resource type](/graph/api/resources/user). 
+ +++### Manage authentication sessions in Azure AD Conditional Access is now generally available ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection + +Authentication session management capabilities allow you to configure how often your users need to provide sign-in credentials and whether they need to provide credentials after closing and reopening browsers to offer more security and flexibility in your environment. + +Additionally, authentication session management used to only apply to the First Factor Authentication on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices. Now authentication session management will apply to multifactor authentication (MFA) as well. For more information, see [Configure authentication session management with Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md). ++++### New Federated Apps available in Azure AD Application gallery - June 2020 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In June 2020 we've added the following 29 new applications in our App gallery with Federation support: ++[Shopify Plus](../saas-apps/shopify-plus-tutorial.md), [Ekarda](../saas-apps/ekarda-tutorial.md), [MailGates](../saas-apps/mailgates-tutorial.md), [BullseyeTDP](../saas-apps/bullseyetdp-tutorial.md), [Raketa](../saas-apps/raketa-tutorial.md), [Segment](../saas-apps/segment-tutorial.md), [Ai Auditor](https://www.mindbridge.ai/products/ai-auditor/), [Pobuca Connect](https://app.pobu.c), [Smallstep SSH](https://smallstep.com/sso-ssh/) ++You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial. +For listing your application in the Azure AD app gallery, please read the details here: https://aka.ms/AzureADAppRequest. 
++++### API connectors for External Identities self-service sign-up are now in public preview ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C + +External Identities API connectors enable you to leverage web APIs to integrate self-service sign-up with external cloud systems. This means you can now invoke web APIs as specific steps in a sign-up flow to trigger cloud-based custom workflows. For example, you can use API connectors to: ++- Integrate with a custom approval workflows. +- Perform identity proofing +- Validate user input data +- Overwrite user attributes +- Run custom business logic ++For more information about all of the experiences possible with API connectors, see [Use API connectors to customize and extend self-service sign-up](../external-identities/api-connectors-overview.md), or [Customize External Identities self-service sign-up with web API integrations](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/customize-external-identities-self-service-sign-up-with-web-api/ba-p/1257364#.XvNz2fImuQg.linkedin). + +++### Provision on-demand and get users into your apps in seconds ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management + +The Azure AD provisioning service currently operates on a cyclic basis. The service runs every 40 mins. The [on-demand provisioning capability](https://aka.ms/provisionondemand) allows you to pick a user and provision them in seconds. This capability allows you to quickly troubleshoot provisioning issues, without having to do a restart to force the provisioning cycle to start again. + +++### New permission for using Azure AD entitlement management in Graph ++**Type:** New feature +**Service category:** Other +**Product capability:** Entitlement Management + +A new delegated permission EntitlementManagement.Read.All is now available for use with the Entitlement Management API in Microsoft Graph beta. 
To find out more about the available APIs, see [Working with the Azure AD entitlement management API](/graph/api/resources/entitlementmanagement-overview). ++++### Identity Protection APIs available in v1.0 ++**Type:** New feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection + +The riskyUsers and riskDetections Microsoft Graph APIs are now generally available. Now that they're available at the v1.0 endpoint, we invite you to use them in production. For more information, please check out the [Microsoft Graph docs](/graph/api/resources/identityprotectionroot). + +++### Sensitivity labels to apply policies to Microsoft 365 groups is now generally available ++**Type:** New feature +**Service category:** Group Management +**Product capability:** Collaboration + ++You can now create sensitivity labels and use the label settings to apply policies to Microsoft 365 groups, including privacy (Public or Private) and external user access policy. You can create a label with the privacy policy to be Private, and external user access policy to not allow to add guest users. When a user applies this label to a group, the group will be private, and no guest users are allowed to be added to the group. ++Sensitivity labels are important to protect your business-critical data and enable you to manage groups at scale, in a compliant and secure fashion. For guidance on using sensitivity labels, refer to [Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory (preview)](../enterprise-users/groups-assign-sensitivity-labels.md). 
+ +++### Updates to support for Microsoft Identity Manager for Azure AD Premium customers ++**Type:** Changed feature +**Service category:** Microsoft Identity Manager +**Product capability:** Identity Lifecycle Management + +Azure Support is now available for Azure AD integration components of Microsoft Identity Manager 2016, through the end of Extended Support for Microsoft Identity Manager 2016. Read more at [Support update for Azure AD Premium customers using Microsoft Identity Manager](/microsoft-identity-manager/support-update-for-azure-active-directory-premium-customers). ++++### The use of group membership conditions in SSO claims configuration is increased ++**Type:** Changed feature +**Service category:** Enterprise Apps +**Product capability:** SSO + +Previously, the number of groups you could use when you conditionally change claims based on group membership within any single application configuration was limited to 10. The use of group membership conditions in SSO claims configuration has now increased to a maximum of 50 groups. For more information on how to configure claims, refer to [Enterprise Applications SSO claims configuration](../develop/active-directory-saml-claims-customization.md). ++++### Enabling basic formatting on the Sign In Page Text component in Company Branding. ++**Type:** Changed feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +The Company Branding functionality on the Azure AD/Microsoft 365 login experience has been updated to allow the customer to add hyperlinks and simple formatting, including bold font, underline, and italics. For guidance on using this functionality, see [Add branding to your organization's Azure Active Directory sign-in page](./customize-branding.md). 
++++### Provisioning performance improvements ++**Type:** Changed feature +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management + +The provisioning service has been updated to reduce the time for an [incremental cycle](../app-provisioning/how-provisioning-works.md#incremental-cycles) to complete. This means that users and groups will be provisioned into their applications faster than they were previously. All new provisioning jobs created after 6/10/2020 will automatically benefit from the performance improvements. Any applications configured for provisioning before 6/10/2020 will need to restart once after 6/10/2020 to take advantage of the performance improvements. ++++### Announcing the deprecation of ADAL and MS Graph Parity ++**Type:** Deprecated +**Service category:** N/A +**Product capability:** Device Lifecycle Management ++Now that Microsoft Authentication Libraries (MSAL) is available, we'll no longer add new features to the Azure Active Directory Authentication Libraries (ADAL) and will end security patches on June 30th, 2022. For more information on how to migrate to MSAL, refer to [Migrate applications to Microsoft Authentication Library (MSAL)](../develop/msal-migration.md). ++Additionally, we've finished the work to make all Azure AD Graph functionality available through MS Graph. So, Azure AD Graph APIs will receive only bugfix and security fixes through June 30th, 2022. 
For more information, see [Update your applications to use Microsoft Authentication Library and Microsoft Graph API](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363) + ++## May 2020 ++### Retirement of properties in signIns, riskyUsers, and riskDetections APIs ++**Type:** Plan for change +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection ++Currently, enumerated types are used to represent the riskType property in both the riskDetections API and riskyUserHistoryItem (in preview). Enumerated types are also used for the riskEventTypes property in the signIns API. Going forward we'll represent these properties as strings. ++Customers should transition to the riskEventType property in the beta riskDetections and riskyUserHistoryItem API, and to riskEventTypes_v2 property in the beta signIns API by September 9th, 2020. At that date, we'll be retiring the current riskType and riskEventTypes properties. For more information, refer to [Changes to risk event properties and Identity Protection APIs on Microsoft Graph](https://developer.microsoft.com/graph/blogs/changes-to-risk-event-properties-and-identity-protection-apis-on-microsoft-graph/). ++ ++### Deprecation of riskEventTypes property in signIns v1.0 API on Microsoft Graph ++**Type:** Plan for change +**Service category:** Reporting +**Product capability:** Identity Security & Protection ++Enumerated types will switch to string types when representing risk event properties in Microsoft Graph September 2020. In addition to impacting the preview APIs, this change will also impact the in-production signIns API. ++We have introduced a new riskEventsTypes_v2 (string) property to the signIns v1.0 API. We'll retire the current riskEventTypes (enum) property on June 11, 2022 in accordance with our Microsoft Graph deprecation policy. 
Customers should transition to the riskEventTypes_v2 property in the v1.0 signIns API by June 11, 2022. For more information, see [Deprecation of riskEventTypes property in signIns v1.0 API on Microsoft Graph](https://developer.microsoft.com/graph/blogs/deprecation-of-riskeventtypes-property-in-signins-v1-0-api-on-microsoft-graph//). ++ ++### Upcoming changes to multifactor authentication (MFA) email notifications ++**Type:** Plan for change +**Service category:** MFA +**Product capability:** Identity Security & Protection + ++We're making the following changes to the email notifications for cloud multifactor authentication (MFA): ++E-mail notifications will be sent from the following address: azure-noreply@microsoft.com and msonlineservicesteam@microsoftonline.com. We're updating the content of fraud alert emails to better indicate the required steps to unblock uses. ++++### New self-service sign up for users in federated domains who can't access Microsoft Teams because they aren't synced to Azure Active Directory. ++**Type:** Plan for change +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + ++Currently, users who are in domains federated in Azure AD, but who aren't synced into the tenant, can't access Teams. Starting at the end of June, this new capability will enable them to do so by extending the existing email verified sign-up feature. This will allow users who can sign in to a federated IdP, but who don't yet have a user object in Azure ID, to have a user object created automatically and be authenticated for Teams. Their user object will be marked as "self-service sign-up." This is an extension of the existing capability to do email verified self-sign up that users in managed domains can do and can be controlled using the same flag. This change will complete rolling out during the following two months. Watch for documentation updates [here](../enterprise-users/directory-self-service-signup.md). 
+ +++### Upcoming fix: The OIDC discovery document for the Azure Government cloud is being updated to reference the correct Graph endpoints. ++**Type:** Plan for change +**Service category:** Sovereign Clouds +**Product capability:** User Authentication + +Starting in June, the OIDC discovery document [Microsoft identity platform and OpenID Connect protocol](../develop/v2-protocols-oidc.md) on the [Azure Government cloud](../develop/authentication-national-cloud.md) endpoint (login.microsoftonline.us), will begin to return the correct [National cloud graph](/graph/deployments) endpoint (https://graph.microsoft.us or https://dod-graph.microsoft.us), based on the tenant provided. It currently provides the incorrect Graph endpoint (graph.microsoft.com) "msgraph_host" field. ++This bug fix will be rolled out gradually over approximately 2 months. ++++### Azure Government users will no longer be able to sign in on login.microsoftonline.com ++**Type:** Plan for Change +**Service category:** Sovereign Clouds +**Product capability:** User Authentication + +On 1 June 2018, the official Azure Active Directory (Azure AD) Authority for Azure Government changed from https://login-us.microsoftonline.com to https://login.microsoftonline.us. If you own an application within an Azure Government tenant, you must update your application to sign users in on the.us endpoint. ++Starting May 5th, Azure AD will begin enforcing the endpoint change, blocking Azure Government users from signing into apps hosted in Azure Government tenants using the public endpoint (microsoftonline.com). Impacted apps will begin seeing an error AADSTS900439 - USGClientNotSupportedOnPublicEndpoint. ++There will be a gradual rollout of this change with enforcement expected to be complete across all apps June 2020. For more details, please see the [Azure Government blog post](https://devblogs.microsoft.com/azuregov/azure-government-aad-authority-endpoint-update/). 
++++### SAML Single Logout request now sends NameID in the correct format ++**Type:** Fixed +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +When a user clicks on sign-out (for example, in the MyApps portal), Azure AD sends a SAML Single Logout message to each app that is active in the user session and has a Logout URL configured. These messages contain a NameID in a persistent format. ++If the original SAML sign-in token used a different format for NameID (for example, email/UPN), then the SAML app cannot correlate the NameID in the logout message to an existing session (as the NameIDs used in both messages are different), which caused the logout message to be discarded by the SAML app and the user to stay logged in. This fix makes the sign-out message consistent with the NameID configured for the application. ++++### Hybrid Identity Administrator role is now available with Cloud Provisioning ++**Type:** New feature +**Service category:** Azure AD Cloud Provisioning +**Product capability:** Identity Lifecycle Management + +IT Admins can start using the new "Hybrid Admin" role as the least privileged role for setting up Azure AD Connect Cloud Provisioning. With this new role, you no longer have to use the Global Administrator role to set up and configure Cloud Provisioning. [Learn more](../roles/delegate-by-task.md#connect). 
+ +++### New Federated Apps available in Azure AD Application gallery - May 2020 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In May 2020, we've added the following 36 new applications in our App gallery with Federation support: ++[Moula](https://moula.com.au/pay/merchants), [Surveypal](https://www.surveypal.com/app), [Kbot365](https://www.konverso.ai/), [Powell Teams](https://powell-software.com/en/powell-teams-en/), [Talentsoft Assistant](https://msteams.talent-soft.com/), [ASC Recording Insights](https://teams.asc-recording.app/product), [GO1](https://www.go1.com/), [B-Engaged](https://b-engaged.se/), [Competella Contact Center Workgroup](http://www.competella.com/), [Asite](http://www.asite.com/), [ImageSoft Identity](https://identity.imagesoftinc.com/), [My IBISWorld](https://identity.imagesoftinc.com/), [insuite](../saas-apps/insuite-tutorial.md), [Change Process Management](../saas-apps/change-process-management-tutorial.md), [Cyara CX Assurance Platform](../saas-apps/cyara-cx-assurance-platform-tutorial.md), [Smart Global Governance](../saas-apps/smart-global-governance-tutorial.md), [Prezi](../saas-apps/prezi-tutorial.md), [Mapbox](../saas-apps/mapbox-tutorial.md), [Datava Enterprise Service Platform](../saas-apps/datava-enterprise-service-platform-tutorial.md), [Whimsical](../saas-apps/whimsical-tutorial.md), [Trelica](../saas-apps/trelica-tutorial.md), [EasySSO for Confluence](../saas-apps/easysso-for-confluence-tutorial.md), [EasySSO for BitBucket](../saas-apps/easysso-for-bitbucket-tutorial.md), [EasySSO for Bamboo](../saas-apps/easysso-for-bamboo-tutorial.md), [Torii](../saas-apps/torii-tutorial.md), [Axiad Cloud](../saas-apps/axiad-cloud-tutorial.md), [Humanage](../saas-apps/humanage-tutorial.md), [ColorTokens ZTNA](../saas-apps/colortokens-ztna-tutorial.md), [CCH Tagetik](../saas-apps/cch-tagetik-tutorial.md), [ShareVault](../saas-apps/sharevault-tutorial.md), 
[Vyond](../saas-apps/vyond-tutorial.md), [TextExpander](../saas-apps/textexpander-tutorial.md), [Anyone Home CRM](../saas-apps/anyone-home-crm-tutorial.md), [askSpoke](../saas-apps/askspoke-tutorial.md), [ice Contact Center](../saas-apps/ice-contact-center-tutorial.md) ++You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial. ++For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest. ++++### Report-only mode for Conditional Access is now generally available ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection ++[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. Over the past few months, we've seen strong adoption of report-only modeΓÇöover 26M users are already in scope of a report-only policy. With the announcement today, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the impact of your policies from the moment they're created. And for those of you who use the MS Graph APIs, you can [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy) as well. ++++### Self-service sign up for guest users ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C + +With External Identities in Azure AD, you can allow people outside your organization to access your apps and resources while letting them sign in using whatever identity they prefer. When sharing an application with external users, you might not always know in advance who will need access to the application. 
With [self-service sign-up](../external-identities/self-service-sign-up-overview.md), you can enable guest users to sign up and gain a guest account for your line of business (LOB) apps. The sign-up flow can be created and customized to support Azure AD and social identities. You can also collect additional information about the user during sign-up. ++++ ### Conditional Access Insights and Reporting workbook is generally available ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection ++The [insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) gives admins a summary view of Azure AD Conditional Access in their tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real time. The workbook streams data stored in Azure Monitor, which you can set up in a few minutes [following these instructions](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). To make the dashboard more discoverable, we've moved it to the new insights and reporting tab within the Azure AD Conditional Access menu. ++++### Policy details blade for Conditional Access is in public preview ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection ++The new [policy details blade](../conditional-access/troubleshoot-conditional-access.md) displays the assignments, conditions, and controls satisfied during conditional access policy evaluation. You can access the blade by selecting a row in the Conditional Access or Report-only tabs of the Sign-in details. 
++++### New query capabilities for Directory Objects in Microsoft Graph are in Public Preview ++**Type:** New feature +**Service category:** MS Graph +**Product capability:** Developer Experience ++New capabilities are being introduced for Microsoft Graph Directory Objects APIs, enabling Count, Search, Filter, and Sort operations. This will give developers the ability to quickly query our Directory Objects without workarounds such as in-memory filtering and sorting. Find out more in this [blog post](https://aka.ms/CountFilterMSGraphAAD). ++We're currently in Public Preview, looking for feedback. Please send your comments with this [brief survey](https://aka.ms/MsGraphAADSurveyDocs). ++++### Configure SAML-based single sign-on using Microsoft Graph API (Beta) ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** SSO + +Support for creating and configuring an application from the Azure AD Gallery using MS Graph APIs in Beta is now available. +If you need to set up SAML-based single sign-on for multiple instances of an application, save time by using the Microsoft Graph APIs to [automate the configuration of SAML-based single sign-on](/graph/application-saml-sso-configure-api). 
+ +++### New provisioning connectors in the Azure AD Application Gallery - May 2020 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++* [8x8](../saas-apps/8x8-provisioning-tutorial.md) +* [Juno Journey](../saas-apps/juno-journey-provisioning-tutorial.md) +* [MediusFlow](../saas-apps/mediusflow-provisioning-tutorial.md) +* [New Relic by Organization](../saas-apps/new-relic-by-organization-provisioning-tutorial.md) +* [Oracle Cloud Infrastructure Console](../saas-apps/oracle-cloud-infrastructure-console-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). ++++### SAML Token Encryption is Generally Available ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** SSO + +[SAML token encryption](../manage-apps/howto-saml-token-encryption.md) allows applications to be configured to receive encrypted SAML assertions. The feature is now generally available in all clouds. + +++### Group name claims in application tokens is Generally Available ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** SSO + +The group claims issued in a token can now be limited to just those groups assigned to the application. This is especially important when users are members of large numbers of groups and there was a risk of exceeding token size limits. With this new capability in place, the ability to [add group names to tokens](../hybrid/how-to-connect-fed-group-claims.md) is generally available. 
+ +++### Workday Writeback now supports setting work phone number attributes ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management + +We have enhanced the Workday Writeback provisioning app to now support writeback of work phone number and mobile number attributes. In addition to email and username, you can now configure the Workday Writeback provisioning app to flow phone number values from Azure AD to Workday. For more details on how to configure phone number writeback, refer to the [Workday Writeback](../saas-apps/workday-writeback-tutorial.md) app tutorial. ++++### Publisher Verification (preview) ++**Type:** New feature +**Service category:** Other +**Product capability:** Developer Experience + +Publisher verification (preview) helps admins and end users understand the authenticity of application developers integrating with the Microsoft identity platform. For details, refer to [Publisher verification (preview)](../develop/publisher-verification-overview.md). + +++### Authorization Code Flow for Single-page apps ++**Type:** Changed feature +**Service category:** Authentication +**Product capability:** Developer Experience ++Because of modern browser [3rd party cookie restrictions such as Safari ITP](../develop/reference-third-party-cookies-spas.md), SPAs will have to use the authorization code flow rather than the implicit flow to maintain SSO; MSAL.js v 2.x will now support the authorization code flow. There as corresponding updates to the Azure portal so you can update your SPA to be type "spa" and use the auth code flow. For guidance, refer to [Quickstart: Sign in users and get an access token in a JavaScript SPA using the auth code flow](../develop/quickstart-v2-javascript-auth-code.md). 
++++### Improved Filtering for Devices is in Public Preview ++**Type:** Changed Feature +**Service category:** Device Management +**Product capability:** Device Lifecycle Management + +Previously, the only filters you could use were "Enabled" and "Activity date." Now, you can [filter your list of devices on more properties](../devices/device-management-azure-portal.md#view-and-filter-your-devices-preview), including OS type, join type, compliance, and more. These additions should simplify locating a particular device. ++++### The new App registrations experience for Azure AD B2C is now generally available ++**Type:** Changed Feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** Identity Lifecycle Management + +The new App registrations experience for Azure AD B2C is now generally available. ++Previously, you had to manage your B2C consumer-facing applications separately from the rest of your apps using the legacy 'Applications' experience. That meant different app creation experiences across different places in Azure. ++The new experience shows all B2C app registrations and Azure AD app registrations in one place and provides a consistent way to manage them. Whether you need to manage a customer-facing app or an app that has access to Microsoft Graph to programmatically manage Azure AD B2C resources, you only need to learn one way to do things. ++You can reach the new experience by navigating the Azure AD B2C service and selecting the App registrations blade. The experience is also accessible from the Azure Active Directory service. ++The Azure AD B2C App registrations experience is based on the general [App Registration experience](https://developer.microsoft.com/identity/blogs/new-app-registrations-experience-is-now-generally-available/) for Azure AD tenants but is tailored for Azure AD B2C. The legacy "Applications" experience will be deprecated in the future. 
++For more information, visit [The New app registration experience for Azure AD B2C](../../active-directory-b2c/app-registrations-training-guide.md). +++## April 2020 ++### Combined security info registration experience is now generally available ++**Type:** New feature ++**Service category:** Authentications (Logins) ++**Product capability:** Identity Security & Protection ++The combined registration experience for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) is now generally available. This new registration experience enables users to register for multifactor authentication (MFA) and SSPR in a single, step-by-step process. When you deploy the new experience for your organization, users can register in less time and with fewer hassles. Check out the blog post [here](https://bit.ly/3etiRyQ). ++++### Continuous Access Evaluation ++**Type:** New feature ++**Service category:** Authentications (Logins) ++**Product capability:** Identity Security & Protection ++Continuous Access Evaluation is a new security feature that enables near real-time enforcement of policies on relying parties consuming Azure AD Access Tokens when events happen in Azure AD (such as user account deletion). We're rolling this feature out first for Teams and Outlook clients. For more details, please read our [blog](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/moving-towards-real-time-policy-and-security-enforcement/ba-p/1276933) and [documentation](../conditional-access/concept-continuous-access-evaluation.md). 
++++### SMS Sign-in: Firstline Workers can sign in to Azure AD-backed applications with their phone number and no password ++**Type:** New feature ++**Service category:** Authentications (Logins) ++**Product capability:** User Authentication ++Office is launching a series of mobile-first business apps that cater to non-traditional organizations, and to employees in large organizations that don't use email as their primary communication method. These apps target frontline employees, deskless workers, field agents, or retail employees that may not get an email address from their employer, have access to a computer, or to IT. This project will let these employees sign in to business applications by entering a phone number and roundtripping a code. For more details, please see our [admin documentation](../authentication/howto-authentication-sms-signin.md) and [end user documentation](https://support.microsoft.com/account-billing/set-up-sms-sign-in-as-a-phone-verification-method-0aa5b3b3-a716-4ff2-b0d6-31d2bcfbac42). ++++### Invite internal users to use B2B collaboration ++**Type:** New feature ++**Service category:** B2B ++**Product capability:** ++We're expanding B2B invitation capability to allow existing internal accounts to be invited to use B2B collaboration credentials going forward. This is done by passing the user object to the Invite API in addition to typical parameters like the invited email address. The user's object ID, UPN, group membership, app assignment, etc. remain intact, but going forward they'll use B2B to authenticate with their home tenant credentials rather than the internal credentials they used before the invitation. For details, see the [documentation](../external-identities/invite-internal-users.md). 
++++### Report-only mode for Conditional Access is now generally available ++**Type:** New feature ++**Service category:** Conditional Access ++**Product capability:** Identity Security & Protection ++[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. Over the past few months, we've seen strong adoption of report-only mode, with over 26M users already in scope of a report-only policy. With this announcement, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the impact of your policies from the moment they're created. And for those of you who use the MS Graph APIs, you can also [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy). ++++### Conditional Access insights and reporting workbook is generally available ++**Type:** New feature ++**Service category:** Conditional Access ++**Product capability:** Identity Security & Protection ++The Conditional Access [insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) gives admins a summary view of Azure AD Conditional Access in their tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real time. The workbook streams data stored in Azure Monitor, which you can set up in a few minutes [following these instructions](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). To make the dashboard more discoverable, we've moved it to the new insights and reporting tab within the Azure AD Conditional Access menu. 
++++### Policy details blade for Conditional Access is in public preview ++**Type:** New feature ++**Service category:** Conditional Access ++**Product capability:** Identity Security & Protection ++The new [policy details blade](../conditional-access/troubleshoot-conditional-access.md) displays which assignments, conditions, and controls were satisfied during conditional access policy evaluation. You can access the blade by selecting a row in the **Conditional Access** or **Report-only** tabs of the Sign-in details. ++++### New Federated Apps available in Azure AD App gallery - April 2020 ++**Type:** New feature ++**Service category:** Enterprise Apps ++**Product capability:** 3rd Party Integration ++In April 2020, we've added these 31 new apps with Federation support to the app gallery: ++[SincroPool Apps](https://www.sincropool.com/), [SmartDB](https://hibiki.dreamarts.co.jp/smartdb/trial/), [Float](../saas-apps/float-tutorial.md), [LMS365](https://lms.365.systems/), [IWT Procurement Suite](../saas-apps/iwt-procurement-suite-tutorial.md), [Lunni](https://lunni.fi/), [EasySSO for Jira](../saas-apps/easysso-for-jira-tutorial.md), [Virtual Training Academy](https://vta.c3p.c) ++For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). ++++### Microsoft Graph delta query support for oAuth2PermissionGrant available for Public Preview ++**Type:** New feature ++**Service category:** MS Graph ++**Product capability:** Developer Experience ++Delta query for oAuth2PermissionGrant is available for public preview! You can now track changes without having to continuously poll Microsoft Graph. 
[Learn more.](/graph/api/oAuth2PermissionGrant-delta?tabs=http&view=graph-rest-beta&preserve-view=true) ++++### Microsoft Graph delta query support for organizational contact generally available ++**Type:** New feature ++**Service category:** MS Graph ++**Product capability:** Developer Experience ++Delta query for organizational contacts is generally available! You can now track changes in production apps without having to continuously poll Microsoft Graph. Replace any existing code that continuously polls orgContact data by delta query to significantly improve performance. [Learn more.](/graph/api/orgcontact-delta?tabs=http) ++++### Microsoft Graph delta query support for application generally available ++**Type:** New feature ++**Service category:** MS Graph ++**Product capability:** Developer Experience ++Delta query for applications is generally available! You can now track changes in production apps without having to continuously poll Microsoft Graph. Replace any existing code that continuously polls application data by delta query to significantly improve performance. [Learn more.](/graph/api/application-delta) ++++### Microsoft Graph delta query support for administrative units available for Public Preview ++**Type:** New feature ++**Service category:** MS Graph ++**Product capability:** Developer Experience +Delta query for administrative units is available for public preview! You can now track changes without having to continuously poll Microsoft Graph. [Learn more.](/graph/api/administrativeunit-delta?tabs=http&view=graph-rest-beta&preserve-view=true) ++++### Manage authentication phone numbers and more in new Microsoft Graph beta APIs ++**Type:** New feature ++**Service category:** MS Graph ++**Product capability:** Developer Experience ++These APIs are a key tool for managing your users' authentication methods. 
Now you can programmatically pre-register and manage the authenticators used for multifactor authentication (MFA) and self-service password reset (SSPR). This has been one of the most-requested features in the Azure AD Multi-Factor Authentication (MFA), SSPR, and Microsoft Graph spaces. The new APIs we've released in this wave give you the ability to: ++- Read, add, update, and remove a user's authentication phones +- Reset a user's password +- Turn on and off SMS-sign-in ++For more information, see [Azure AD authentication methods API overview](/graph/api/resources/authenticationmethods-overview). ++++### Administrative Units Public Preview ++**Type:** New feature ++**Service category:** Azure AD roles ++**Product capability:** Access Control ++Administrative units allow you to grant admin permissions that are restricted to a department, region, or other segment of your organization that you define. You can use administrative units to delegate permissions to regional administrators or to set policy at a granular level. For example, a User account admin could update profile information, reset passwords, and assign licenses for users only in their administrative unit. ++Using administrative units, a central administrator could: ++- Create an administrative unit for decentralized management of resources +- Assign a role with administrative permissions over only Azure AD users in an administrative unit +- Populate the administrative units with users and groups as needed ++For more information, see [Administrative units management in Azure Active Directory (preview)](../roles/administrative-units.md). 
++++### Printer Administrator and Printer Technician built-in roles ++**Type:** New feature ++**Service category:** Azure AD roles ++**Product capability:** Access Control ++**Printer Administrator**: Users with this roleΓÇ»can register printers and manage all aspects of all printer configurations in the Microsoft Universal Print solution, including the Universal Print Connector settings. They can consent to all delegated print permission requests. Printer Administrators also have access to print reports. ++**Printer Technician**: Users with this roleΓÇ»can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. Key tasks a Printer Technician can't do are set user permissions on printers and sharing printers. [Learn more.](../roles/permissions-reference.md#printer-administrator) ++++### Hybrid Identity Admin built-in role ++**Type:** New feature ++**Service category:** Azure AD roles ++**Product capability:** Access Control ++Users in this role can enable, configure and manage services and settings related to enabling hybrid identity in Azure AD. This role grants the ability to configure Azure AD to one of the three supported authentication methods—Password hash synchronization (PHS), Pass-through authentication (PTA) or Federation (AD FS or 3rd party federation provider)—and to deploy related on-premises infrastructure to enable them. On-premises infrastructure includes Provisioning and PTA agents. This role grants the ability to enable seamless single sign-on (S-SSO) to enable seamless authentication on non-Windows 10 devices or non-Windows Server 2016 computers. In addition, this role grants the ability to see sign-in logs and to access health and analytics for monitoring and troubleshooting purposes. 
[Learn more.](../roles/permissions-reference.md#hybrid-identity-administrator) ++++### Network Administrator built-in role ++**Type:** New feature ++**Service category:** Azure AD roles ++**Product capability:** Access Control ++Users with this role can review network perimeter architecture recommendations from Microsoft that are based on network telemetry from their user locations. Network performance for Microsoft 365 relies on careful enterprise customer network perimeter architecture, which is generally user location-specific. This role allows for editing of discovered user locations and configuration of network parameters for those locations to facilitate improved telemetry measurements and design recommendations. [Learn more.](../roles/permissions-reference.md#network-administrator) ++++### Bulk activity and downloads in the Azure portal experience ++**Type:** New feature ++**Service category:** User Management ++**Product capability:** Directory ++Now you can perform bulk activities on users and groups in Azure AD by uploading a CSV file in the Azure portal experience. You can create users, delete users, and invite guest users. And you can add and remove members from a group. ++You can also download lists of Azure AD resources from the Azure portal experience. You can download the list of users in the directory, the list of groups in the directory, and the members of a particular group. 
++For more information, check out the following: ++- [Create users](../enterprise-users/users-bulk-add.md) or [invite guest users](../external-identities/tutorial-bulk-invite.md) +- [Delete users](../enterprise-users/users-bulk-delete.md) or [restore deleted users](../enterprise-users/users-bulk-restore.md) +- [Download list of users](../enterprise-users/users-bulk-download.md) or [Download list of groups](../enterprise-users/groups-bulk-download.md) +- [Add (import) members](../enterprise-users/groups-bulk-import-members.md) or [remove members](../enterprise-users/groups-bulk-remove-members.md) or [Download list of members](../enterprise-users/groups-bulk-download-members.md) for a group ++++### My Staff delegated user management ++**Type:** New feature ++**Service category:** User Management ++**Product capability:** ++My Staff enables Firstline Managers, such as a store manager, to ensure that their staff members are able to access their Azure AD accounts. Instead of relying on a central helpdesk, organizations can delegate common tasks, such as resetting passwords or changing phone numbers, to a Firstline Manager. With My Staff, a user who can't access their account can re-gain access in just a couple of selections, with no helpdesk or IT staff required. For more information, see the [Manage your users with My Staff (preview)](../roles/my-staff-configure.md) and [Delegate user management with My Staff (preview)](https://support.microsoft.com/account-billing/manage-front-line-users-with-my-staff-c65b9673-7e1c-4ad6-812b-1a31ce4460bd). ++++### An upgraded end user experience in access reviews ++**Type:** Changed feature ++**Service category:** Access Reviews ++**Product capability:** Identity Governance ++We have updated the reviewer experience for Azure AD access reviews in the My Apps portal. 
At the end of April, your reviewers who are logged in to the Azure AD access reviews reviewer experience will see a banner that will allow them to try the updated experience in My Access. Note that the updated Access reviews experience offers the same functionality as the current experience, but with an improved user interface on top of new capabilities to enable your users to be productive. [You can learn more about the updated experience here](../governance/perform-access-review.md). This public preview will last until the end of July 2020. At the end of July, reviewers who haven't opted into the preview experience will be automatically directed to My Access to perform access reviews. If you wish to have your reviewers permanently switched over to the preview experience in My Access now, [please make a request here](https://forms.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5dv-S62099HtxdeKIcgO-NUOFJaRDFDWUpHRk8zQ1BWVU1MMTcyQ1FFUi4u). ++++### Workday inbound user provisioning and writeback apps now support the latest versions of Workday Web Services API ++**Type:** Changed feature ++**Service category:** App Provisioning ++**Product capability:** ++Based on customer feedback, we've now updated the Workday inbound user provisioning and writeback apps in the enterprise app gallery to support the latest versions of the Workday Web Services (WWS) API. With this change, customers can specify the WWS API version that they would like to use in the connection string. This gives customers the ability to retrieve more HR attributes available in the releases of Workday. The Workday Writeback app now uses the recommended Change_Work_Contact_Info Workday web service to overcome the limitations of Maintain_Contact_Info. 
++If no version is specified in the connection string, by default, the Workday inbound provisioning apps will continue to use WWS v21.1 To switch to the latest Workday APIs for inbound user provisioning, customers need to update the connection string as documented [in the tutorial](../saas-apps/workday-inbound-tutorial.md#which-workday-apis-does-the-solution-use-to-query-and-update-workday-worker-profiles) and also update the XPATHs used for Workday attributes as documented in the [Workday attribute reference guide](../app-provisioning/workday-attribute-reference.md#xpath-values-for-workday-web-services-wws-api-v30). ++To use the new API for writeback, there are no changes required in the Workday Writeback provisioning app. On the Workday side, ensure that the Workday Integration System User (ISU) account has permissions to invoke the Change_Work_Contact business process as documented in the tutorial section, [Configure business process security policy permissions](../saas-apps/workday-inbound-tutorial.md#configuring-business-process-security-policy-permissions). ++We have updated our [tutorial guide](../saas-apps/workday-inbound-tutorial.md) to reflect the new API version support. ++++### Users with default access role are now in scope for provisioning ++**Type:** Changed feature ++**Service category:** App Provisioning ++**Product capability:** Identity Lifecycle Management ++Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. As of April 16, 2020, all new provisioning configurations allow users with the default access role to be provisioned. Gradually we'll change the behavior for existing provisioning configurations to support provisioning users with this role. 
[Learn more.](../app-provisioning/application-provisioning-config-problem-no-users-provisioned.md) ++++### Updated provisioning UI ++**Type:** Changed feature ++**Service category:** App Provisioning ++**Product capability:** Identity Lifecycle Management ++We've refreshed our provisioning experience to create a more focused management view. When you navigate to the provisioning blade for an enterprise application that has already been configured, you'll be able to easily monitor the progress of provisioning and manage actions such as starting, stopping, and restarting provisioning. [Learn more.](../app-provisioning/configure-automatic-user-provisioning-portal.md) ++++### Dynamic Group rule validation is now available for Public Preview ++**Type:** Changed feature ++**Service category:** Group Management ++**Product capability:** Collaboration ++Azure Active Directory (Azure AD) now provides the means to validate dynamic group rules. On the **Validate rules** tab, you can validate your dynamic rule against sample group members to confirm the rule is working as expected. When creating or updating dynamic group rules, administrators want to know whether a user or a device will be a member of the group. This helps evaluate whether a user or device meets the rule criteria and aids in troubleshooting when membership is not expected. ++For more information, see [Validate a dynamic group membership rule (preview)](../enterprise-users/groups-dynamic-rule-validation.md). 
++++### Identity Secure Score - Security Defaults and multifactor authentication (MFA) improvement action updates ++**Type:** Changed feature ++**Service category:** N/A ++**Product capability:** Identity Security & Protection ++**Supporting security defaults for Azure AD improvement actions:** Microsoft Secure Score will be updating improvement actions to support [security defaults in Azure AD](./concept-fundamentals-security-defaults.md), which make it easier to help protect your organization with pre-configured security settings for common attacks. This will affect the following improvement actions: ++- Ensure all users can complete multifactor authentication for secure access +- Require multi-factor authentication (MFA) for administrative roles +- Enable policy to block legacy authentication + +**Multifactor authentication (MFA) improvement action updates:** To reflect the need for businesses to ensure the upmost security while applying policies that work with their business, Microsoft Secure Score has removed three improvement actions centered around multifactor authentication and added two. ++Removed improvement actions: ++- Register all users for multifactor authentication +- Require multifactor authentication (MFA) for all users +- Require multifactor authentication (MFA) for Azure AD privileged roles ++Added improvement actions: ++- Ensure all users can complete multifactor authentication for secure access +- Require multifactor authentication (MFA) for administrative roles ++These new improvement actions require registering your users or admins for multifactor authentication (MFA) across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. 
That can take the form of having multiple policies that apply scoped decisions, or setting security defaults (as of March 16th) that let Microsoft decide when to challenge users for multifactor authentication (MFA). [Read more about what's new in Microsoft Secure Score](/microsoft-365/security/mtp/microsoft-secure-score#whats-new). ++++## March 2020 ++### Unmanaged Azure Active Directory accounts in B2B update for March 2021 ++**Type:** Plan for change +**Service category:** B2B +**Product capability:** B2B/B2C + +**Beginning on March 31, 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure Active Directory (Azure AD) accounts and tenants for B2B collaboration scenarios. In preparation for this, we encourage you to opt in to [email one-time passcode authentication](../external-identities/one-time-passcode.md). ++++### Users with the default access role will be in scope for provisioning ++**Type:** Plan for change +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management + +Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. We're working on deploying a change so that all new provisioning configurations will allow users with the default access role to be provisioned. Gradually, we'll change the behavior for existing provisioning configurations to support provisioning users with this role. No customer action is required. We'll post an update to our [documentation](../app-provisioning/application-provisioning-config-problem-no-users-provisioned.md) once this change is in place. 
++++### Azure AD B2B collaboration will be available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet) tenants ++**Type:** Plan for change +**Service category:** B2B +**Product capability:** B2B/B2C + +The Azure AD B2B collaboration capabilities will be made available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet) tenants, enabling users in an Azure China 21Vianet tenant to collaborate seamlessly with users in other Azure China 21Vianet tenants. [Learn more about Azure AD B2B collaboration](/azure/active-directory/b2b/). +++ +### Azure AD B2B Collaboration invitation email redesign ++**Type:** Plan for change +**Service category:** B2B +**Product capability:** B2B/B2C + +The [emails](../external-identities/invitation-email-elements.md) that are sent by the Azure AD B2B collaboration invitation service to invite users to the directory will be redesigned to make the invitation information and the user's next steps clearer. ++++### HomeRealmDiscovery policy changes will appear in the audit logs ++**Type:** Fixed +**Service category:** Audit +**Product capability:** Monitoring & Reporting + +We fixed a bug where changes to the [HomeRealmDiscovery policy](../manage-apps/configure-authentication-for-federated-users-portal.md) weren't included in the audit logs. You'll now be able to see when and how the policy was changed, and by whom. 
++++### New Federated Apps available in Azure AD App gallery - March 2020 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In March 2020, we've added these 51 new apps with Federation support to the app gallery: ++[Cisco AnyConnect](../saas-apps/cisco-anyconnect.md), [Zoho One China](../saas-apps/zoho-one-china-tutorial.md), [PlusPlus](https://test.plusplus.app/auth/login/azuread-outlook/), [Profit.co SAML App](../saas-apps/profitco-saml-app-tutorial.md), [iPoint Service Provider](../saas-apps/ipoint-service-provider-tutorial.md), [contexxt.ai SPHERE](https://contexxt-sphere.com/login), [Wisdom By Invictus](../saas-apps/wisdom-by-invictus-tutorial.md), [Flare Digital Signage](https://pixelnebula.com/), [Logz.io - Cloud Observability for Engineers](../saas-apps/logzio-cloud-observability-for-engineers-tutorial.md), [SpectrumU](../saas-apps/spectrumu-tutorial.md), [BizzContact](https://www.bizzcontact.app/), [Elqano SSO](../saas-apps/elqano-sso-tutorial.md), [MarketSignShare](http://www.signshare.com/), [CrossKnowledge Learning Suite](../saas-apps/crossknowledge-learning-suite-tutorial.md), [Netvision Compas](../saas-apps/netvision-compas-tutorial.md), [FCM HUB](../saas-apps/fcm-hub-tutorial.md), [RIB ) ++For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). ++++### Azure AD B2B Collaboration available in Azure Government tenants ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C + +The Azure AD B2B collaboration features are now available between some Azure Government tenants. 
To find out if your tenant is able to use these capabilities, follow the instructions at [How can I tell if B2B collaboration is available in my Azure US Government tenant?](../external-identities/b2b-government-national-clouds.md#how-can-i-tell-if-b2b-collaboration-is-available-in-my-azure-us-government-tenant). ++++### Azure Monitor integration for Azure Logs is now available in Azure Government ++**Type:** New feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting + +Azure Monitor integration with Azure AD logs is now available in Azure Government. You can route Azure AD Logs (Audit and Sign-in Logs) to a storage account, event hub and Log Analytics. Please check out the [detailed documentation](../reports-monitoring/concept-activity-logs-azure-monitor.md) as well as [deployment plans for reporting and monitoring](../reports-monitoring/plan-monitoring-and-reporting.md) for Azure AD scenarios. ++++### Identity Protection Refresh in Azure Government ++**Type:** New feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection ++We're excited to share that we've now rolled out the refreshed [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md)ΓÇ»experience in the [Microsoft Azure Government portal](https://portal.azure.us/). For more information, see our [announcement blog post](https://techcommunity.microsoft.com/t5/public-sector-blog/identity-protection-refresh-in-microsoft-azure-government/ba-p/1223667). ++++### Disaster recovery: Download and store your provisioning configuration ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management + +The Azure AD provisioning service provides a rich set of configuration capabilities. Customers need to be able to save their configuration so that they can refer to it later or roll back to a known good version. 
We've added the ability to download your provisioning configuration as a JSON file and upload it when you need it. [Learn more](../app-provisioning/export-import-provisioning-configuration.md). +++ +### SSPR (self-service password reset) now requires two gates for admins in Microsoft Azure operated by 21Vianet (Azure China 21Vianet) ++**Type:** Changed feature +**Service category:** Self-Service Password Reset +**Product capability:** Identity Security & Protection + +Previously in Microsoft Azure operated by 21Vianet (Azure China 21Vianet), admins using self-service password reset (SSPR) to reset their own passwords needed only one "gate" (challenge) to prove their identity. In public and other national clouds, admins generally must use two gates to prove their identity when using SSPR. But because we didn't support SMS or phone calls in Azure China 21Vianet, we allowed one-gate password reset by admins. ++We're creating SSPR feature parity between Azure China 21Vianet and the public cloud. Going forward, admins must use two gates when using SSPR. SMS, phone calls, and Authenticator app notifications and codes will be supported. [Learn more](../authentication/concept-sspr-policy.md#administrator-reset-policy-differences). ++++### Password length is limited to 256 characters ++**Type:** Changed feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +To ensure the reliability of the Azure AD service, user passwords are now limited in length to 256 characters. Users with passwords longer than this will be asked to change their password on subsequent login, either by contacting their admin or by using the self-service password reset feature. ++This change was enabled on March 13th, 2020, at 10AM PST (18:00 UTC), and the error is AADSTS 50052, InvalidPasswordExceedsMaxLength. See the [breaking change notice](../develop/reference-breaking-changes.md#user-passwords-will-be-restricted-to-256-characters) for more details. 
++++### Azure AD sign-in logs are now available for all free tenants through the Azure portal ++**Type:** Changed feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting + +Starting now, customers who have free tenants can access the [Azure AD sign-in logs from the Azure portal](../reports-monitoring/concept-sign-ins.md) for up to 7 days. Previously, sign-in logs were available only for customers with Azure Active Directory Premium licenses. With this change, all tenants can access these logs through the portal. ++> [!NOTE] +> Customers still need a premium license (Azure Active Directory Premium P1 or P2) to access the sign-in logs through Microsoft Graph API and Azure Monitor. ++++### Deprecation of Directory-wide groups option from Groups General Settings on Azure portal ++**Type:** Deprecated +**Service category:** Group Management +**Product capability:** Collaboration ++To provide a more flexible way for customers to create directory-wide groups that best meet their needs, we've replaced the **Directory-wide Groups** option from the **Groups** > **General** settings in the Azure portal with a link to [dynamic group documentation](../enterprise-users/groups-dynamic-membership.md). We've improved our documentation to include more instructions so administrators can create all-user groups that include or exclude guest users. ++++## February 2020 ++### Upcoming changes to custom controls ++**Type:** Plan for change +**Service category:** MFA +**Product capability:** Identity Security & Protection + +We're planning to replace the current custom controls preview with an approach that allows partner-provided authentication capabilities to work seamlessly with the Azure Active Directory administrator and end user experiences. 
Today, partner multifactor authentication (MFA) solutions face the following limitations: they work only after a password has been entered; they don't serve as multifactor authentication (MFA) for step-up authentication in other key scenarios; and they don't integrate with end user or administrative credential management functions. The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios, including registration, usage, multifactor authentication (MFA) claims, step up authentication, reporting, and logging. ++Custom controls will continue to be supported in preview alongside the new design until it reaches general availability. At that point, we'll give customers time to migrate to the new design. Because of the limitations of the current approach, we won't onboard new providers until the new design is available. We're working closely with customers and providers and will communicate the timeline as we get closer. [Learn more](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/upcoming-changes-to-custom-controls/ba-p/1144696#). ++++### Identity Secure Score - multifactor authentication (MFA) improvement action updates ++**Type:** Plan for change +**Service category:** MFA +**Product capability:** Identity Security & Protection + +To reflect the need for businesses to ensure the upmost security while applying policies that work with their business, Microsoft Secure Score is removing three improvement actions centered around multifactor authentication (MFA), and adding two. 
++The following improvement actions will be removed: ++- Register all users for multifactor authentication (MFA) +- Require multifactor authentication (MFA) for all users +- Require multifactor authentication (MFA) for Azure AD privileged roles ++The following improvement actions will be added: ++- Ensure all users can complete multifactor authentication (MFA) for secure access +- Require multifactor authentication (MFA) for administrative roles ++These new improvement actions will require registering your users or admins for multifactor authentication (MFA) across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. This can take the form of setting security defaults that let Microsoft decide when to challenge users for multifactor authentication (MFA), or having multiple policies that apply scoped decisions. As part of these improvement action updates, Baseline protection policies will no longer be included in scoring calculations. [Read more about what's coming in Microsoft Secure Score](/microsoft-365/security/mtp/microsoft-secure-score-whats-coming). ++++### Azure AD Domain Services SKU selection ++**Type:** New feature +**Service category:** Azure AD Domain Services +**Product capability:** Azure AD Domain Services + +We've heard feedback that Azure AD Domain Services customers want more flexibility in selecting performance levels for their instances. Starting on February 1, 2020, we switched from a dynamic model (where Azure AD determines the performance and pricing tier based on object count) to a self-selection model. Now customers can choose a performance tier that matches their environment. This change also allows us to enable new scenarios like Resource Forests, and Premium features like daily backups. 
The object count is now unlimited for all SKUs, but we'll continue to offer object count suggestions for each tier. ++**No immediate customer action is required.** For existing customers, the dynamic tier that was in use on February 1, 2020, determines the new default tier. There is no pricing or performance impact as the result of this change. Going forward, Azure AD DS customers will need to evaluate performance requirements as their directory size and workload characteristics change. Switching between service tiers will continue to be a no-downtime operation, and we'll no longer automatically move customers to new tiers based on the growth of their directory. Furthermore, there will be no price increases, and new pricing will align with our current billing model. For more information, see the [Azure AD DS SKUs documentation](../../active-directory-domain-services/administration-concepts.md#azure-ad-ds-skus) and the [Azure AD Domain Services pricing page](https://azure.microsoft.com/pricing/details/active-directory-ds/). 
+++ +### New Federated Apps available in Azure AD App gallery - February 2020 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In February 2020, we've added these 31 new apps with Federation support to the app gallery: ++[IamIP Patent Platform](../saas-apps/iamip-patent-platform-tutorial.md), + [Experience Cloud](../saas-apps/experience-cloud-tutorial.md), + [NS1 SSO For Azure](../saas-apps/ns1-sso-azure-tutorial.md), + [Barracuda Email Security Service](https://ess.barracudanetworks.com/sso/azure), + [ABa Reporting](https://myaba.co.uk/client-access/signin/auth/msad), + [In Case of Crisis - Online Portal](../saas-apps/in-case-of-crisis-online-portal-tutorial.md), + [BIC Cloud Design](../saas-apps/bic-cloud-design-tutorial.md), + [Beekeeper Azure AD Data Connector](../saas-apps/beekeeper-azure-ad-data-connector-tutorial.md), + [Korn Ferry Assessments](https://www.kornferry.com/solutions/kf-digital/kf-assess), + [Verkada Command](../saas-apps/verkada-command-tutorial.md), + [Splashtop](../saas-apps/splashtop-tutorial.md), + [Syxsense](../saas-apps/syxsense-tutorial.md), + [EAB Navigate](../saas-apps/eab-navigate-tutorial.md), + [New Relic (Limited Release)](../saas-apps/new-relic-limited-release-tutorial.md), + [Thulium](https://admin.thulium.com/login/instance), + [Ticket Manager](../saas-apps/ticketmanager-tutorial.md), + [Template Chooser for Teams](https://links.officeatwork.com/templatechooser-download-teams), + [Beesy](https://www.beesy.me/index.php/site/login), + [Health Support System](../saas-apps/health-support-system-tutorial.md), + [MURAL](https://app.mural.co/signup), + [Hive](../saas-apps/hive-tutorial.md), + [LavaDo](https://appsource.microsoft.com/product/web-apps/lavaloon.lavado_standard?tab=Overview), + [Wakelet](https://wakelet.com/login), + [Firmex VDR](../saas-apps/firmex-vdr-tutorial.md), + [ThingLink for Teachers and Schools](https://www.thinglink.com/), + 
[Coda](../saas-apps/coda-tutorial.md), + [NearpodApp](https://nearpod.com/signup/?oc=Microsoft&utm_campaign=Microsoft&utm_medium=site&utm_source=product), + [WEDO](../saas-apps/wedo-tutorial.md), + [InvitePeople](https://invitepeople.com/login), + [Reprints Desk - Article Galaxy](../saas-apps/reprints-desk-article-galaxy-tutorial.md), + [TeamViewer](../saas-apps/teamviewer-tutorial.md) ++ +For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). +++ +### New provisioning connectors in the Azure AD Application Gallery - February 2020 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Mixpanel](../saas-apps/mixpanel-provisioning-tutorial.md) +- [TeamViewer](../saas-apps/teamviewer-provisioning-tutorial.md) +- [Azure Databricks](/azure/databricks/administration-guide/users-groups/scim/aad) +- [PureCloud by Genesys](../saas-apps/purecloud-by-genesys-provisioning-tutorial.md) +- [Zapier](../saas-apps/zapier-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). +++ +### Azure AD support for FIDO2 security keys in hybrid environments ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +We're announcing the public preview of Azure AD support for FIDO2 security keys in Hybrid environments. 
Users can now use FIDO2 security keys to sign in to their Hybrid Azure AD joined Windows 10 devices and get seamless sign-on to their on-premises and cloud resources. Support for Hybrid environments has been the top most-requested feature from our passwordless customers since we initially launched the public preview for FIDO2 support in Azure AD joined devices. Passwordless authentication using advanced technologies like biometrics and public/private key cryptography provide convenience and ease-of-use while being secure. With this public preview, you can now use modern authentication like FIDO2 security keys to access traditional Active Directory resources. For more information, go to [SSO to on-premises resources](../authentication/howto-authentication-passwordless-security-key-on-premises.md). ++To get started, visit [enable FIDO2 security keys for your tenant](../authentication/howto-authentication-passwordless-security-key.md) for step-by-step instructions. +++ +### The new My Account experience is now generally available ++**Type:** Changed feature +**Service category:** My Profile/Account +**Product capability:** End User Experiences + +My Account, the one stop shop for all end-user account management needs, is now generally available! End users can access this new site via URL, or in the header of the new My Apps experience. Learn more about all the self-service capabilities the new experience offers at [My Account Portal Overview](https://support.microsoft.com/account-billing/my-account-portal-for-work-or-school-accounts-eab41bfe-3b9e-441e-82be-1f6e568d65fd). +++ +### My Account site URL updating to myaccount.microsoft.com ++**Type:** Changed feature +**Service category:** My Profile/Account +**Product capability:** End User Experiences + +The new My Account end user experience will be updating its URL to `https://myaccount.microsoft.com` in the next month. 
Find more information about the experience and all the account self-service capabilities it offers to end users at [My Account portal help](https://support.microsoft.com/account-billing/my-account-portal-for-work-or-school-accounts-eab41bfe-3b9e-441e-82be-1f6e568d65fd). ++++## January 2020 + +### The new My Apps portal is now generally available ++**Type:** Plan for change +**Service category:** My Apps +**Product capability:** End User Experiences + +Upgrade your organization to the new My Apps portal that is now generally available! Find more information on the new portal and collections at [Create collections on the My Apps portal](../manage-apps/access-panel-collections.md). +++ +### Workspaces in Azure AD have been renamed to collections ++**Type:** Changed feature +**Service category:** My Apps +**Product capability:** End User Experiences + +Workspaces, the filters admins can configure to organize their users' apps, will now be referred to as collections. Find more info on how to configure them at [Create collections on the My Apps portal](../manage-apps/access-panel-collections.md). +++ +### Azure AD B2C Phone sign-up and sign-in using custom policy (Public Preview) ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C + +With phone number sign-up and sign-in, developers and enterprises can allow their customers to sign up and sign in using a one-time password sent to the user's phone number via SMS. This feature also lets the customer change their phone number if they lose access to their phone. With the power of custom policies and phone sign-up and sign-in, allows developers and enterprises to communicate their brand through page customization. Find out how to [set up phone sign-up and sign-in with custom policies in Azure AD B2C](../../active-directory-b2c/phone-authentication-user-flows.md). 
+ ++ +### New provisioning connectors in the Azure AD Application Gallery - January 2020 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Promapp](../saas-apps/promapp-provisioning-tutorial.md) +- [Zscaler Private Access](../saas-apps/zscaler-private-access-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). +++ +### New Federated Apps available in Azure AD App gallery - January 2020 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration + +In January 2020, we've added these 33 new apps with Federation support to the app gallery: ++[JOSA](../saas-apps/josa-tutorial.md), [Fastly Edge Cloud](../saas-apps/fastly-edge-cloud-tutorial.md), [Terraform Enterprise](../saas-apps/terraform-enterprise-tutorial.md), [Spintr SSO](../saas-apps/spintr-sso-tutorial.md), [Abibot Netlogistik](https://azuremarketplace.microsoft.com/marketplace/apps/aad.abibotnetlogistik), [SkyKick](https://login.skykick.com/login?state=g6Fo2SBTd3M5Q0xBT0JMd3luS2JUTGlYN3pYTE1remJQZnR1c6N0aWTZIDhCSkwzYVQxX2ZMZjNUaWxNUHhCSXg2OHJzbllTcmYto2NpZNkgM0h6czk3ZlF6aFNJV1VNVWQzMmpHeFFDbDRIMkx5VEc&client=3Hzs97fQzhSIWUMUd32jGxQCl4H2LyTG&protocol=oauth2&audience=https://papi.skykick.com&response_type=code&redirect_uri=https://portal.skykick.com/callback&scope=openid%20profile%20offline_access), [Upshotly](../saas-apps/upshotly-tutorial.md), [LeaveBot](https://appsource.microsoft.com/en-us/product/office/WA200001175), [DataCamp](../saas-apps/datacamp-tutorial.md), [TripActions](../saas-apps/tripactions-tutorial.md), [SmartWork](https://www.intumit.com/teams-smartwork/), 
[Dotcom-Monitor](../saas-apps/dotcom-monitor-tutorial.md), [SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE](../saas-apps/ssogen-tutorial.md), [Hosted MyCirqa SSO](../saas-apps/hosted-mycirqa-sso-tutorial.md), [Yuhu Property Management Platform](../saas-apps/yuhu-property-management-platform-tutorial.md), [LumApps](https://sites.lumapps.com/login), [Upwork Enterprise](../saas-apps/upwork-enterprise-tutorial.md), [Talentsoft](../saas-apps/talentsoft-tutorial.md), [SmartDB for Microsoft Teams](http://teams.smartdb.jp/login/), [PressPage](../saas-apps/presspage-tutorial.md), [ContractSafe Saml2 SSO](../saas-apps/contractsafe-saml2-sso-tutorial.md), [Maxient Conduct Manager Software](../saas-apps/maxient-conduct-manager-software-tutorial.md), [Helpshift](../saas-apps/helpshift-tutorial.md), [PortalTalk 365](https://www.portaltalk.com/), [CoreView](https://portal.coreview.com/), Squelch Cloud Office365 Connector, [PingFlow Authentication](https://app-staging.pingview.io/), [PrinterLogic SaaS](../saas-apps/printerlogic-saas-tutorial.md), [Taskize Connect](../saas-apps/taskize-connect-tutorial.md), [Sandwai](https://app.sandwai.com/), [EZRentOut](../saas-apps/ezrentout-tutorial.md), [AssetSonar](../saas-apps/assetsonar-tutorial.md), [Akari Virtual Assistant](https://akari.io/akari-virtual-assistant/) ++For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). 
++++### Two new Identity Protection detections ++**Type:** New feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection + +We've added two new sign-in linked detection types to Identity Protection: Suspicious inbox manipulation rules and Impossible travel. These offline detections are discovered by Microsoft Cloud App Security (MCAS) and influence the user and sign-in risk in Identity Protection. For more information on these detections, see our [sign-in risk types](../identity-protection/concept-identity-protection-risks.md). + ++ +### Breaking Change: URI Fragments will not be carried through the login redirect ++**Type:** Changed feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +Starting on February 8, 2020, when a request is sent to login.microsoftonline.com to sign in a user, the service will append an empty fragment to the request. This prevents a class of redirect attacks by ensuring that the browser wipes out any existing fragment in the request. No application should have a dependency on this behavior. For more information, see [Breaking changes](../develop/reference-breaking-changes.md#february-2020) in the Microsoft identity platform documentation. ++++## December 2019 ++### Integrate SAP SuccessFactors provisioning into Azure AD and on-premises AD (Public Preview) ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management ++You can now integrate SAP SuccessFactors as an authoritative identity source in Azure AD. This integration helps you automate the end-to-end identity lifecycle, including using HR-based events, like new hires or terminations, to control provisioning of Azure AD accounts. 
++For more information about how to set up SAP SuccessFactors inbound provisioning to Azure AD, see the [Configure SAP SuccessFactors automatic provisioning](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md) tutorial. ++++### Support for customized emails in Azure AD B2C (Public Preview) ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C ++You can now use Azure AD B2C to create customized emails when your users sign up to use your apps. By using DisplayControls (currently in preview) and a third-party email provider (such as, [SendGrid](https://sendgrid.com/), [SparkPost](https://sparkpost.com/), or a custom REST API), you can use your own email template, **From** address, and subject text, as well as support localization and custom one-time password (OTP) settings. ++For more information, see [Custom email verification in Azure Active Directory B2C](../../active-directory-b2c/custom-email-sendgrid.md). ++++### Replacement of baseline policies with security defaults ++**Type:** Changed feature +**Service category:** Other +**Product capability:** Identity Security and Protection ++As part of a secure-by-default model for authentication, we're removing the existing baseline protection policies from all tenants. This removal is targeted for completion at the end of February. The replacement for these baseline protection policies is security defaults. If you've been using baseline protection policies, you must plan to move to the new security defaults policy or to Conditional Access. If you haven't used these policies, there is no action for you to take. ++For more information about the new security defaults, see [What are security defaults?](./concept-fundamentals-security-defaults.md) For more information about Conditional Access policies, see [Common Conditional Access policies](../conditional-access/concept-conditional-access-policy-common.md). 
++++## November 2019 ++### Support for the SameSite attribute and Chrome 80 ++**Type:** Plan for change +**Service category:** Authentications (Logins) +**Product capability:** User Authentication ++As part of a secure-by-default model for cookies, the Chrome 80 browser is changing how it treats cookies without the `SameSite` attribute. Any cookie that doesn't specify the `SameSite` attribute will be treated as though it was set to `SameSite=Lax`, which will result in Chrome blocking certain cross-domain cookie sharing scenarios that your app may depend on. To maintain the older Chrome behavior, you can use the `SameSite=None` attribute and add an additional `Secure` attribute, so cross-site cookies can only be accessed over HTTPS connections. Chrome is scheduled to complete this change by February 4, 2020. ++We recommend all our developers test their apps using this guidance: ++- Set the default value for the **Use Secure Cookie** setting to **Yes**. ++- Set the default value for the **SameSite** attribute to **None**. ++- Add an additional `SameSite` attribute of **Secure**. ++For more information, see [Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core](https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/) and [Potential disruption to customer websites and Microsoft products and services in Chrome version 79 and later](https://support.microsoft.com/help/4522904/potential-disruption-to-microsoft-services-in-chrome-beta-version-79). ++++### New hotfix for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2) ++**Type:** Fixed +**Service category:** Microsoft Identity Manager +**Product capability:** Identity Lifecycle Management ++A hotfix rollup package (build 4.6.34.0) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 2 (SP2). This rollup package resolves issues and adds improvements that are described in the "Issues fixed and improvements added in this update" section. 
++For more information and to download the hotfix package, see [Microsoft Identity Manager 2016 Service Pack 2 (build 4.6.34.0) Update Rollup is available](https://support.microsoft.com/help/4512924/microsoft-identity-manager-2016-service-pack-2-build-4-6-34-0-update-r). ++++### New AD FS app activity report to help migrate apps to Azure AD (Public Preview) ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** SSO ++Use the new Active Directory Federation Services (AD FS) app activity report, in the Azure portal, to identify which of your apps are capable of being migrated to Azure AD. The report assesses all AD FS apps for compatibility with Azure AD, checks for any issues, and gives guidance about preparing individual apps for migration. ++For more information, see [Use the AD FS application activity report to migrate applications to Azure AD](../manage-apps/migrate-adfs-application-activity.md). ++++### New workflow for users to request administrator consent (Public Preview) ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** Access Control ++The new admin consent workflow gives admins a way to grant access to apps that require admin approval. If a user tries to access an app, but is unable to provide consent, they can now send a request for admin approval. The request is sent by email, and placed in a queue that's accessible from the Azure portal, to all the admins who have been designated as reviewers. After a reviewer takes action on a pending request, the requesting users are notified of the action. ++For more information, see [Configure the admin consent workflow (preview)](../manage-apps/configure-admin-consent-workflow.md). 
++++### New Azure AD App Registrations Token configuration experience for managing optional claims (Public Preview) ++**Type:** New feature +**Service category:** Other +**Product capability:** Developer Experience ++The new **Azure AD App Registrations Token configuration** blade on the Azure portal now shows app developers a dynamic list of optional claims for their apps. This new experience helps to streamline Azure AD app migrations and to minimize optional claims misconfigurations. ++For more information, see [Provide optional claims to your Azure AD app](../develop/active-directory-optional-claims.md). ++++### New two-stage approval workflow in Azure AD entitlement management (Public Preview) ++**Type:** New feature +**Service category:** Other +**Product capability:** Entitlement Management ++We've introduced a new two-stage approval workflow that allows you to require two approvers to approve a user's request to an access package. For example, you can set it so the requesting user's manager must first approve, and then you can also require a resource owner to approve. If one of the approvers doesn't approve, access isn't granted. ++For more information, see [Change request and approval settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-request-policy.md). ++++### Updates to the My Apps page along with new workspaces (Public Preview) ++**Type:** New feature +**Service category:** My Apps +**Product capability:** 3rd Party Integration ++You can now customize the way your organization's users view and access the refreshed My Apps experience. This new experience also includes the new workspaces feature, which makes it easier for your users to find and organize apps. ++For more information about the new My Apps experience and creating workspaces, see [Create workspaces on the My Apps portal](../manage-apps/access-panel-collections.md). 
++++### Google social ID support for Azure AD B2B collaboration (General Availability) ++**Type:** New feature +**Service category:** B2B +**Product capability:** User Authentication ++New support for using Google social IDs (Gmail accounts) in Azure AD helps to make collaboration simpler for your users and partners. There's no longer a need for your partners to create and manage a new Microsoft-specific account. Microsoft Teams now fully supports Google users on all clients and across the common and tenant-related authentication endpoints. ++For more information, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md). ++++### Microsoft Edge Mobile Support for Conditional Access and Single Sign-on (General Availability) ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection ++Azure AD for Microsoft Edge on iOS and Android now supports Azure AD single sign-on and Conditional Access: ++- **Microsoft Edge single sign-on (SSO):** Single sign-on is now available across native clients (such as Microsoft Outlook and Microsoft Edge) for all Azure AD -connected apps. ++- **Microsoft Edge conditional access:** Through application-based conditional access policies, your users must use Microsoft Intune-protected browsers, such as Microsoft Edge. ++For more information about conditional access and SSO with Microsoft Edge, see the [Microsoft Edge Mobile Support for Conditional Access and single sign-on Now Generally Available](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Microsoft-Edge-Mobile-Support-for-Conditional-Access-and-Single/ba-p/988179) blog post. 
For more information about how to set up your client apps using [app-based conditional access](../conditional-access/app-based-conditional-access.md) or [device-based conditional access](../conditional-access/require-managed-devices.md), see [Manage web access using a Microsoft Intune policy-protected browser](/intune/apps/app-configuration-managed-browser). ++++### Azure AD entitlement management (General Availability) ++**Type:** New feature +**Service category:** Other +**Product capability:** Entitlement Management ++Azure AD entitlement management is a new identity governance feature, which helps organizations manage identity and access lifecycle at scale. This new feature helps by automating access request workflows, access assignments, reviews, and expiration across groups, apps, and SharePoint Online sites. ++With Azure AD entitlement management, you can more efficiently manage access both for employees and also for users outside your organization who need access to those resources. 
++For more information, see [What is Azure AD entitlement management?](../governance/entitlement-management-overview.md#license-requirements) ++++### Automate user account provisioning for these newly supported SaaS apps ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++[SAP Cloud Platform Identity Authentication Service](../saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md), [RingCentral](../saas-apps/ringcentral-provisioning-tutorial.md), [SpaceIQ](../saas-apps/spaceiq-provisioning-tutorial.md), [Miro](../saas-apps/miro-provisioning-tutorial.md), [Cloudgate](../saas-apps/soloinsight-cloudgate-sso-provisioning-tutorial.md), [Infor CloudSuite](../saas-apps/infor-cloudsuite-provisioning-tutorial.md), [OfficeSpace Software](../saas-apps/officespace-software-provisioning-tutorial.md), [Priority Matrix](../saas-apps/priority-matrix-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). 
++++### New Federated Apps available in Azure AD App gallery - November 2019 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In November 2019, we've added these 21 new apps with Federation support to the app gallery: ++[Airtable](../saas-apps/airtable-tutorial.md), [Hootsuite](../saas-apps/hootsuite-tutorial.md), [Blue Access for Members (BAM)](../saas-apps/blue-access-for-members-tutorial.md), [Bitly](../saas-apps/bitly-tutorial.md), [Riva](../saas-apps/riva-tutorial.md), [ResLife Portal](https://app.reslifecloud.com/hub5_signin/microsoft_azuread/?g=44BBB1F90915236A97502FF4BE2952CB&c=5&uid=0&ht=2&ref=), [NegometrixPortal Single Sign On (SSO)](../saas-apps/negometrixportal-tutorial.md), [TeamsChamp](https://login.microsoftonline.com/551f45da-b68e-4498-a7f5-a6e1efaeb41c/adminconsent?client_id=ca9bbfa4-1316-4c0f-a9ee-1248ac27f8ab&redirect_uri=https://admin.teamschamp.com/api/adminconsent&state=6883c143-cb59-42ee-a53a-bdb5faabf279), [Motus](../saas-apps/motus-tutorial.md), [MyAryaka](../saas-apps/myaryaka-tutorial.md), [BlueMail](https://loginself1.bluemail.me/), [Beedle](https://teams-web.beedle.co/#/), [Visma](../saas-apps/visma-tutorial.md), [OneDesk](../saas-apps/onedesk-tutorial.md), [Foko Retail](../saas-apps/foko-retail-tutorial.md), [Qmarkets Idea & Innovation Management](../saas-apps/qmarkets-idea-innovation-management-tutorial.md), [Netskope User Authentication](../saas-apps/netskope-user-authentication-tutorial.md), [uniFLOW Online](../saas-apps/uniflow-online-tutorial.md), [Claromentis](../saas-apps/claromentis-tutorial.md), [Jisc Student Voter Registration](../saas-apps/jisc-student-voter-registration-tutorial.md), [e4enable](https://portal.e4enable.com/) ++For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). 
For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). ++++### New and improved Azure AD application gallery ++**Type:** Changed feature +**Service category:** Enterprise Apps +**Product capability:** SSO ++We've updated the Azure AD application gallery to make it easier for you to find pre-integrated apps that support provisioning, OpenID Connect, and SAML on your Azure Active Directory tenant. ++For more information, see [Add an application to your Azure Active Directory tenant](../manage-apps/add-application-portal.md). ++++### Increased app role definition length limit from 120 to 240 characters ++**Type:** Changed feature +**Service category:** Enterprise Apps +**Product capability:** SSO ++We've heard from customers that the length limit for the app role definition value in some apps and services is too short at 120 characters. In response, we've increased the maximum length of the role value definition to 240 characters. ++For more information about using application-specific role definitions, see [Add app roles in your application and receive them in the token](../develop/howto-add-app-roles-in-azure-ad-apps.md). ++++## October 2019 ++### Deprecation of the identityRiskEvent API for Azure AD Identity Protection risk detections ++**Type:** Plan for change +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection ++In response to developer feedback, Azure AD Premium P2 subscribers can now perform complex queries on Azure AD Identity Protection's risk detection data by using the new riskDetection API for Microsoft Graph. The existing [identityRiskEvent](/graph/api/resources/identityprotection-root) API beta version will stop returning data around **January 10, 2020**. 
If your organization is using the identityRiskEvent API, you should transition to the new riskDetection API. ++For more information about the new riskDetection API, see the [Risk detection API reference documentation](/graph/api/resources/riskdetection). ++++### Application Proxy support for the SameSite Attribute and Chrome 80 ++**Type:** Plan for change +**Service category:** App Proxy +**Product capability:** Access Control ++A couple of weeks prior to the Chrome 80 browser release, we plan to update how Application Proxy cookies treat the **SameSite** attribute. With the release of Chrome 80, any cookie that doesn't specify the **SameSite** attribute will be treated as though it was set to `SameSite=Lax`. ++To help avoid potentially negative impacts due to this change, we're updating Application Proxy access and session cookies by: ++- Setting the default value for the **Use Secure Cookie** setting to **Yes**. ++- Setting the default value for the **SameSite** attribute to **None**. ++ >[!NOTE] + > Application Proxy access cookies have always been transmitted exclusively over secure channels. These changes only apply to session cookies. ++For more information about the Application Proxy cookie settings, see [Cookie settings for accessing on-premises applications in Azure Active Directory](../app-proxy/application-proxy-configure-cookie-settings.md). ++++### App registrations (legacy) and app management in the Application Registration Portal (apps.dev.microsoft.com) is no longer available ++**Type:** Plan for change +**Service category:** N/A +**Product capability:** Developer Experience ++Users with Azure AD accounts can no longer register or manage applications using the Application Registration Portal (apps.dev.microsoft.com), or register and manage applications in the App registrations (legacy) experience in the Azure portal. 
++To learn more about the new App registrations experience, see the [App registrations in the Azure portal training guide](../develop/quickstart-register-app.md). ++++### Users are no longer required to re-register during migration from per-user multifactor authentication (MFA) to Conditional Access-based multifactor authentication (MFA) ++**Type:** Fixed +**Service category:** MFA +**Product capability:** Identity Security & Protection ++We've fixed a known issue whereby when users were required to re-register if they were disabled for per-user MultiFactor Authentication (MFA) and then enabled for multifactor authentication (MFA) through a Conditional Access policy. ++To require users to re-register, you can select the **Required re-register multifactor authentication (MFA)** option from the user's authentication methods in the Azure portal. ++++### New capabilities to transform and send claims in your SAML token ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** SSO ++We've added additional capabilities to help you to customize and send claims in your SAML token. These new capabilities include: ++- Additional claims transformation functions, helping you to modify the value you send in the claim. ++- Ability to apply multiple transformations to a single claim. ++- Ability to specify the claim source, based on the user type and the group to which the user belongs. ++For detailed information about these new capabilities, including how to use them, see [Customize claims issued in the SAML token for enterprise applications](../develop/active-directory-saml-claims-customization.md). ++++### New My Sign-ins page for end users in Azure AD ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** Monitoring & Reporting ++We've added a new **My Sign-ins** page (https://mysignins.microsoft.com) to let your organization's users view their recent sign-in history to check for any unusual activity. 
This new page allows your users to see: ++- If anyone is attempting to guess their password. ++- If an attacker successfully signed in to their account and from what location. ++- What apps the attacker tried to access. ++For more information, see the [Users can now check their sign-in history for unusual activity](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Users-can-now-check-their-sign-in-history-for-unusual-activity/ba-p/916066) blog. ++++### Migration of Azure AD Domain Services (Azure AD DS) from classic to Azure Resource Manager virtual networks ++**Type:** New feature +**Service category:** Azure AD Domain Services +**Product capability:** Azure AD Domain Services ++To our customers who have been stuck on classic virtual networks -- we have great news for you! You can now perform a one-time migration from a classic virtual network to an existing Resource Manager virtual network. After moving to the Resource Manager virtual network, you'll be able to take advantage of the additional and upgraded features such as, fine-grained password policies, email notifications, and audit logs. ++++### Updates to the Azure AD B2C page contract layout ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C ++We've introduced some new changes to version 1.2.0 of the page contract for Azure AD B2C. In this updated version, you can now control the load order for your elements, which can also help to stop the flicker that happens when the style sheet (CSS) is loaded. ++For a full list of the changes made to the page contract, see the [Version change log](../../active-directory-b2c/page-layout.md#other-pages-providerselection-claimsconsent-unifiedssd). 
++++### Update to the My Apps page along with new workspaces (Public preview) ++**Type:** New feature +**Service category:** My Apps +**Product capability:** Access Control ++You can now customize the way your organization's users view and access the brand-new My Apps experience, including using the new workspaces feature to make it easier for them to find apps. The new workspaces functionality acts as a filter for the apps your organization's users already have access to. ++For more information on rolling out the new My Apps experience and creating workspaces, see [Create workspaces on the My Apps (preview) portal](../manage-apps/access-panel-collections.md). ++++### Support for the monthly active user-based billing model (General availability) ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C ++Azure AD B2C now supports monthly active users (MAU) billing. MAU billing is based on the number of unique users with authentication activity during a calendar month. Existing customers can switch to this new billing method at any time. ++Starting on November 1, 2019, all new customers will automatically be billed using this method. This billing method benefits customers through cost benefits and the ability to plan ahead. ++For more information, see [Upgrade to monthly active users billing model](../../active-directory-b2c/billing.md#switch-to-mau-billing-pre-november-2019-azure-ad-b2c-tenants). 
++++### New Federated Apps available in Azure AD App gallery - October 2019 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In October 2019, we've added these 35 new apps with Federation support to the app gallery: ++[In Case of Crisis ΓÇô Mobile](../saas-apps/in-case-of-crisis-mobile-tutorial.md), [Juno Journey](../saas-apps/juno-journey-tutorial.md), [ExponentHR](../saas-apps/exponenthr-tutorial.md), [Tact](https://www.tact.ai/products/tact-assistant), [OpusCapita Cash Management](https://appsource.microsoft.com/product/web-apps/opuscapitagroupoy-1036255.opuscapita-cm), [Salestim](https://www.salestim.com/), [Learnster](../saas-apps/learnster-tutorial.md), [Dynatrace](../saas-apps/dynatrace-tutorial.md), [HunchBuzz](https://login.hunchbuzz.com/integrations/azure/process), [Freshworks](../saas-apps/freshworks-tutorial.md), [eCornell](../saas-apps/ecornell-tutorial.md), [ShipHazmat](../saas-apps/shiphazmat-tutorial.md), [Netskope Cloud Security](../saas-apps/netskope-cloud-security-tutorial.md), [Contentful](../saas-apps/contentful-tutorial.md), [Bindtuning](https://bindtuning.com/login), [HireVue Coordinate ΓÇô Europe](https://www.hirevue.com/), [HireVue Coordinate - USOnly](https://www.hirevue.com/), [HireVue Coordinate - US](https://www.hirevue.com/), [WittyParrot Knowledge Box](https://wittyapi.wittyparrot.com/wittyparrot/api/provision/trail/signup), [Cloudmore](../saas-apps/cloudmore-tutorial.md), [Visit.org](../saas-apps/visitorg-tutorial.md), [Cambium Xirrus EasyPass Portal](https://login.xirrus.com/azure-signup), [Paylocity](../saas-apps/paylocity-tutorial.md), [Mail Luck!](../saas-apps/mail-luck-tutorial.md), [Teamie](https://theteamie.com/), [Velocity for Teams](https://velocity.peakup.org/teams/login), [SIGNL4](https://account.signl4.com/manage), [EAB Navigate IMPL](../saas-apps/eab-navigate-impl-tutorial.md), [ScreenMeet](https://console.screenmeet.com/), [Omega 
Point](https://pi.ompnt.com/), [Speaking Email for Intune (iPhone)](https://speaking.email/FAQ/98/email-access-via-microsoft-intune), [Speaking Email for Office 365 Direct (iPhone/Android)](https://speaking.email/FAQ/126/email-access-via-microsoft-office-365-direct), [ExactCare SSO](../saas-apps/exactcare-sso-tutorial.md), [iHealthHome Care Navigation System](https://ihealthnav.com/account/signin), [Qubie](https://www.qubie.app/) ++For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). ++++### Consolidated Security menu item in the Azure portal ++**Type:** Changed feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection ++You can now access all of the available Azure AD security features from the new **Security** menu item, and from the **Search** bar, in the Azure portal. Additionally, the new **Security** landing page, called **Security - Getting started**, will provide links to our public documentation, security guidance, and deployment guides. ++The new **Security** menu includes: ++- Conditional Access +- Identity Protection +- Security Center +- Identity Secure Score +- Authentication methods +- Multifactor authentication (MFA) +- Risk reports - Risky users, Risky sign-ins, Risk detections +- And more... ++For more information, see [Security - Getting started](https://portal.azure.com/#blade/Microsoft_AAD_IAM/SecurityMenuBlade/GettingStarted). 
++++### Office 365 groups expiration policy enhanced with autorenewal ++**Type:** Changed feature +**Service category:** Group Management +**Product capability:** Identity Lifecycle Management ++The Office 365 groups expiration policy has been enhanced to automatically renew groups that are actively in use by its members. Groups will be autorenewed based on user activity across all the Office 365 apps, including Outlook, SharePoint, and Teams. ++This enhancement helps to reduce your group expiration notifications and helps to make sure that active groups continue to be available. If you already have an active expiration policy for your Office 365 groups, you don't need to do anything to turn on this new functionality. ++For more information, see [Configure the expiration policy for Office 365 groups](../enterprise-users/groups-lifecycle.md). ++++### Updated Azure AD Domain Services (Azure AD DS) creation experience ++**Type:** Changed feature +**Service category:** Azure AD Domain Services +**Product capability:** Azure AD Domain Services ++We've updated Azure AD Domain Services (Azure AD DS) to include a new and improved creation experience, helping you to create a managed domain in just three clicks! In addition, you can now upload and deploy Azure AD DS from a template. ++For more information, see [Tutorial: Create and configure an Azure Active Directory Domain Services instance](../../active-directory-domain-services/tutorial-create-instance.md). ++++## September 2019 ++### Plan for change: Deprecation of the Power BI content packs ++**Type:** Plan for change +**Service category:** Reporting +**Product capability:** Monitoring & Reporting ++Starting on October 1, 2019, Power BI will begin to deprecate all content packs, including the Azure AD Power BI content pack. As an alternative to this content pack, you can use Azure AD Workbooks to gain insights into your Azure AD-related services. 
Additional workbooks are coming, including workbooks about Conditional Access policies in report-only mode, app consent-based insights, and more. ++For more information about the workbooks, see [How to use Azure Monitor workbooks for Azure Active Directory reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md). For more information about the deprecation of the content packs, see the [Announcing Power BI template apps general availability](https://powerbi.microsoft.com/blog/announcing-power-bi-template-apps-general-availability/) blog post. ++++### My Profile is renaming and integrating with the Microsoft Office account page ++**Type:** Plan for change +**Service category:** My Profile/Account +**Product capability:** Collaboration ++Starting in October, the My Profile experience will become My Account. As part of that change, everywhere that currently says, **My Profile** will change to **My Account**. On top of the naming change and some design improvements, the updated experience will offer additional integration with the Microsoft Office account page. Specifically, you'll be able to access Office installations and subscriptions from the **Overview Account** page, along with Office-related contact preferences from the **Privacy** page. ++For more information about the My Profile (preview) experience, see [My Profile (preview) portal overview](https://support.microsoft.com/account-billing/my-account-portal-for-work-or-school-accounts-eab41bfe-3b9e-441e-82be-1f6e568d65fd). ++++### Bulk manage groups and members using CSV files in the Azure portal (Public Preview) ++**Type:** New feature +**Service category:** Group Management +**Product capability:** Collaboration ++We're pleased to announce public preview availability of the bulk group management experiences in the Azure portal. You can now use a CSV file and the Azure portal to manage groups and member lists, including: ++- Adding or removing members from a group. 
++- Downloading the list of groups from the directory. ++- Downloading the list of group members for a specific group. ++For more information, see [Bulk add members](../enterprise-users/groups-bulk-import-members.md), [Bulk remove members](../enterprise-users/groups-bulk-remove-members.md), [Bulk download members list](../enterprise-users/groups-bulk-download-members.md), and [Bulk download groups list](../enterprise-users/groups-bulk-download.md). ++++### Dynamic consent is now supported through a new admin consent endpoint ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication ++We've created a new admin consent endpoint to support dynamic consent, which is helpful for apps that want to use the dynamic consent model on the Microsoft Identity platform. ++For more information about how to use this new endpoint, see [Using the admin consent endpoint](../develop/v2-admin-consent.md). ++++### New Federated Apps available in Azure AD App gallery - September 2019 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In September 2019, we've added these 29 new apps with Federation support to the app gallery: ++[ScheduleLook](https://schedulelook.bbsonlineservices.net/), [MS Azure SSO Access for Ethidex Compliance Office™ - Single sign-on](../saas-apps/ms-azure-sso-access-for-ethidex-compliance-office-tutorial.md), [iServer Portal](../saas-apps/iserver-portal-tutorial.md), [SKYSITE](../saas-apps/skysite-tutorial.md), [Concur Travel and Expense](../saas-apps/concur-travel-and-expense-tutorial.md), [WorkBoard](../saas-apps/workboard-tutorial.md), `https://apps.yeeflow.com/`, [ARC Facilities](../saas-apps/arc-facilities-tutorial.md), [Luware Stratus Team](https://stratus.emea.luware.cloud/login), [Wide Ideas](https://wideideas.online/wideideas/), [Prisma Cloud](../saas-apps/prisma-cloud-tutorial.md), [RENRAKU](../saas-apps/renraku-tutorial.md), [SealPath 
Secure Browser](https://protection.sealpath.com/SealPathInterceptorWopiSaas/Open/InstallSealPathEditorOneDrive), [Prisma Cloud](../saas-apps/prisma-cloud-tutorial.md), `https://app.penneo.com/`, `https://app.testhtm.com/settings/email-integration`, [Cintoo Cloud](https://aec.cintoo.com/login), [Whitesource](../saas-apps/whitesource-tutorial.md), [Hosted Heritage Online SSO](../saas-apps/hosted-heritage-online-sso-tutorial.md), [IDC](../saas-apps/idc-tutorial.md), [CakeHR](../saas-apps/cakehr-tutorial.md), [BIS](../saas-apps/bis-tutorial.md), [Coo Kai Team Build](https://ms-contacts.coo-kai.jp/), [Sonarqube](../saas-apps/sonarqube-tutorial.md), [Adobe Identity Management](../saas-apps/tutorial-list.md), [Discovery Benefits SSO](../saas-apps/discovery-benefits-sso-tutorial.md), [Amelio](https://app.amelio.co/), `https://itask.yipinapp.com/` ++For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). ++++### New Azure AD Global Reader role ++**Type:** New feature +**Service category:** Azure AD roles +**Product capability:** Access Control ++Starting on September 24, 2019, we're going to start rolling out a new Azure Active Directory (AD) role called Global Reader. This rollout will start with production and Global cloud customers (GCC), finishing up worldwide in October. ++The Global Reader role is the read-only counterpart to Global Administrator. Users in this role can read settings and administrative information across Microsoft 365 services, but can't take management actions. We've created the Global Reader role to help reduce the number of Global Administrators in your organization. 
Because Global Administrator accounts are powerful and vulnerable to attack, we recommend that you have fewer than five Global Administrators. We recommend using the Global Reader role for planning, audits, or investigations. We also recommend using the Global Reader role in combination with other limited administrator roles, like Exchange Administrator, to help get work done without requiring the Global Administrator role. ++The Global Reader role works with the new Microsoft 365 Admin Center, Exchange Admin Center, Teams Admin Center, Security Center, Microsoft Purview compliance portal, Azure portal, and the Device Management Admin Center. ++>[!NOTE] +> At the start of public preview, the Global Reader role won't work with: SharePoint, Privileged Access Management, Customer Lockbox, sensitivity labels, Teams Lifecycle, Teams Reporting & Call Analytics, Teams IP Phone Device Management, and Teams App Catalog. ++For more information, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md). ++++### Access an on-premises Report Server from your Power BI Mobile app using Azure Active Directory Application Proxy ++**Type:** New feature +**Service category:** App Proxy +**Product capability:** Access Control ++New integration between the Power BI mobile app and Azure AD Application Proxy allows you to securely sign in to the Power BI mobile app and view any of your organization's reports hosted on the on-premises Power BI Report Server. ++For information about the Power BI Mobile app, including where to download the app, see the [Power BI site](https://powerbi.microsoft.com/mobile/). For more information about how to set up the Power BI mobile app with Azure AD Application Proxy, see [Enable remote access to Power BI Mobile with Azure AD Application Proxy](../app-proxy/application-proxy-integrate-with-power-bi.md). 
++++### New version of the AzureADPreview PowerShell module is available ++**Type:** Changed feature +**Service category:** Other +**Product capability:** Directory ++New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure AD, including: ++- `Add-AzureADMSFeatureRolloutPolicyDirectoryObject` +- `Get-AzureADMSFeatureRolloutPolicy` +- `New-AzureADMSFeatureRolloutPolicy` +- `Remove-AzureADMSFeatureRolloutPolicy` +- `Remove-AzureADMSFeatureRolloutPolicyDirectoryObject` +- `Set-AzureADMSFeatureRolloutPolicy` ++++### New version of Azure AD Connect ++**Type:** Changed feature +**Service category:** Other +**Product capability:** Directory ++We've released an updated version of Azure AD Connect for auto-upgrade customers. This new version includes several new features, improvements, and bug fixes. ++++### Azure Active Directory Multi-Factor Authentication (MFA) Server, version 8.0.2 is now available ++**Type:** Fixed +**Service category:** MFA +**Product capability:** Identity Security & Protection ++If you're an existing customer, who activated Azure AD Multi-Factor Authentication (MFA) Server prior to July 1, 2019, you can now download the latest version of Azure AD Multi-Factor Authentication (MFA) Server (version 8.0.2). In this new version, we: ++- Fixed an issue so when Azure AD sync changes a user from Disabled to Enabled, an email is sent to the user. ++- Fixed an issue so customers can successfully upgrade, while continuing to use the Tags functionality. ++- Added the Kosovo (+383) country code. ++- Added one-time bypass audit logging to the MultiFactorAuthSvc.log. ++- Improved performance for the Web Service SDK. ++- Fixed other minor bugs. ++Starting July 1, 2019, Microsoft stopped offering multifactor authentication (MFA) Server for new deployments. New customers who require multifactor authentication should use cloud-based Azure AD Multi-Factor Authentication. 
For more information, see [Planning a cloud-based Azure AD Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md). ++++## August 2019 ++### Enhanced search, filtering, and sorting for groups is available in the Azure portal (Public Preview) ++**Type:** New feature +**Service category:** Group Management +**Product capability:** Collaboration ++We're pleased to announce public preview availability of the enhanced groups-related experiences in the Azure portal. These enhancements help you better manage groups and member lists, by providing: ++- Advanced search capabilities, such as substring search on groups lists. +- Advanced filtering and sorting options on member and owner lists. +- New search capabilities for member and owner lists. +- More accurate group counts for large groups. ++For more information, see [Manage groups in the Azure portal](./active-directory-groups-members-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context). ++++### New custom roles are available for app registration management (Public Preview) ++**Type:** New feature +**Service category:** Azure AD roles +**Product capability:** Access Control ++Custom roles (available with an Azure AD P1 or P2 subscription) can now help provide you with fine-grained access, by letting you create role definitions with specific permissions and then to assign those roles to specific resources. Currently, you create custom roles by using permissions for managing app registrations and then assigning the role to a specific app. For more information about custom roles, see [Custom administrator roles in Azure Active Directory (preview)](../roles/custom-overview.md). ++If you need other permissions or resources supported, which you don't currently see, you can send feedback to our [Azure feedback site](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) and we'll add your request to our update road map. 
++++### New provisioning logs can help you monitor and troubleshoot your app provisioning deployment (Public Preview) ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management ++New provisioning logs are available to help you monitor and troubleshoot the user and group provisioning deployment. These new log files include information about: ++- What groups were successfully created in [ServiceNow](../saas-apps/servicenow-provisioning-tutorial.md) +- What roles were imported from [AWS Single-Account Access](../saas-apps/amazon-web-service-tutorial.md#configure-and-test-azure-ad-sso-for-aws-single-account-access) +- What employees weren't imported from [Workday](../saas-apps/workday-inbound-tutorial.md) ++For more information, see [Provisioning reports in the Azure portal (preview)](../reports-monitoring/concept-provisioning-logs.md). ++++### New security reports for all Azure AD administrators (General Availability) ++**Type:** New feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection ++By default, all Azure AD administrators will soon be able to access modern security reports within Azure AD. Until the end of September, you'll be able to use the banner at the top of the modern security reports to return to the old reports. 
++The modern security reports will provide more capabilities from the older versions, including: ++- Advanced filtering and sorting +- Bulk actions, such as dismissing user risk +- Confirmation of compromised or safe entities +- Risk state, covering: At risk, Dismissed, Remediated, and Confirmed compromised +- New risk-related detections (available to Azure AD Premium subscribers) ++For more information, see [Risky users](../identity-protection/howto-identity-protection-investigate-risk.md#risky-users), [Risky sign-ins](../identity-protection/howto-identity-protection-investigate-risk.md#risky-sign-ins), and [Risk detections](../identity-protection/howto-identity-protection-investigate-risk.md#risk-detections). ++++### User-assigned managed identity is available for Virtual Machines and Virtual Machine Scale Sets (General Availability) ++**Type:** New feature +**Service category:** Managed identities for Azure resources +**Product capability:** Developer Experience ++User-assigned managed identities are now generally available for Virtual Machines and Virtual Machine Scale Sets. As part of this, Azure can create an identity in the Azure AD tenant that's trusted by the subscription in use, and can be assigned to one or more Azure service instances. For more information about user-assigned managed identities, see [What is managed identities for Azure resources?](../managed-identities-azure-resources/overview.md). ++++### Users can reset their passwords using a mobile app or hardware token (General Availability) ++**Type:** Changed feature +**Service category:** Self Service Password Reset +**Product capability:** User Authentication ++Users who have registered a mobile app with your organization can now reset their own password by approving a notification from the Microsoft Authenticator app or by entering a code from their mobile app or hardware token. 
++For more information, see [How it works: Azure AD self-service password reset](../authentication/concept-sspr-howitworks.md). For more information about the user experience, see [Reset your own work or school password overview](https://support.microsoft.com/account-billing/register-the-password-reset-verification-method-for-a-work-or-school-account-47a55d4a-05b0-4f67-9a63-f39a43dbe20a). ++++### ADAL.NET ignores the MSAL.NET shared cache for on-behalf-of scenarios ++**Type:** Fixed +**Service category:** Authentications (Logins) +**Product capability:** User Authentication ++Starting with Azure AD authentication library (ADAL.NET) version 5.0.0-preview, app developers must [serialize one cache per account for web apps and web APIs](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Token-cache-serialization#custom-token-cache-serialization-in-web-applications--web-api). Otherwise, some scenarios using the [on-behalf-of flow](../develop/scenario-web-api-call-api-app-configuration.md?tabs=java) for Java, along with some specific use cases of `UserAssertion`, may result in an elevation of privilege. To avoid this vulnerability, ADAL.NET now ignores the Microsoft Authentication Library for dotnet (MSAL.NET) shared cache for on-behalf-of scenarios. ++For more information about this issue, see [Azure Active Directory Authentication Library Elevation of Privilege Vulnerability](https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-1258). 
++++### New Federated Apps available in Azure AD App gallery - August 2019 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In August 2019, we've added these 26 new apps with Federation support to the app gallery: ++[Civic Platform](../saas-apps/civic-platform-tutorial.md), [Amazon Business](../saas-apps/amazon-business-tutorial.md), [ProNovos Ops Manager](../saas-apps/pronovos-ops-manager-tutorial.md), [Cognidox](../saas-apps/cognidox-tutorial.md), [Viareport's Inativ Portal (Europe)](../saas-apps/viareports-inativ-portal-europe-tutorial.md), [Azure Databricks](https://azure.microsoft.com/services/databricks), [Robin](../saas-apps/robin-tutorial.md), [Academy Attendance](../saas-apps/academy-attendance-tutorial.md), [Cousto MySpace](https://cousto.platformers.be/account/login), [Uploadcare](https://uploadcare.com/accounts/signup/), [Carbonite Endpoint Backup](../saas-apps/carbonite-endpoint-backup-tutorial.md), [CPQSync by Cincom](../saas-apps/cpqsync-by-cincom-tutorial.md), [Chargebee](../saas-apps/chargebee-tutorial.md), [deliver.media™ Portal](https://portal.deliver.media), [Frontline Education](../saas-apps/frontline-education-tutorial.md), [F5](https://www.f5.com/products/security/access-policy-manager), [stashcat AD connect](https://www.stashcat.com), [Blink](../saas-apps/blink-tutorial.md), [Vocoli](../saas-apps/vocoli-tutorial.md), [ProNovos Analytics](../saas-apps/pronovos-analytics-tutorial.md), [Sigstr](../saas-apps/sigstr-tutorial.md), [Darwinbox](../saas-apps/darwinbox-tutorial.md), [Watch by Colors](../saas-apps/watch-by-colors-tutorial.md), [Harness](../saas-apps/harness-tutorial.md), [EAB Navigate Strategic Care](../saas-apps/eab-navigate-strategic-care-tutorial.md) ++For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). 
For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). ++++### New versions of the AzureAD PowerShell and AzureADPreview PowerShell modules are available ++**Type:** Changed feature +**Service category:** Other +**Product capability:** Directory ++New updates to the AzureAD and AzureAD Preview PowerShell modules are available: ++- A new `-Filter` parameter was added to the `Get-AzureADDirectoryRole` parameter in the AzureAD module. This parameter helps you filter on the directory roles returned by the cmdlet. +- New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure AD, including: ++ - `Get-AzureADMSRoleAssignment` + - `Get-AzureADMSRoleDefinition` + - `New-AzureADMSRoleAssignment` + - `New-AzureADMSRoleDefinition` + - `Remove-AzureADMSRoleAssignment` + - `Remove-AzureADMSRoleDefinition` + - `Set-AzureADMSRoleDefinition` ++++### Improvements to the UI of the dynamic group rule builder in the Azure portal ++**Type:** Changed feature +**Service category:** Group Management +**Product capability:** Collaboration ++We've made some UI improvements to the dynamic group rule builder, available in the Azure portal, to help you more easily set up a new rule, or change existing rules. This design improvement allows you to create rules with up to five expressions, instead of just one. We've also updated the device property list to remove deprecated device properties. ++For more information, see [Manage dynamic membership rules](../enterprise-users/groups-dynamic-membership.md). 
++++### New Microsoft Graph app permission available for use with access reviews ++**Type:** Changed feature +**Service category:** Access Reviews +**Product capability:** Identity Governance ++We've introduced a new Microsoft Graph app permission, `AccessReview.ReadWrite.Membership`, which allows apps to automatically create and retrieve access reviews for group memberships and app assignments. This permission can be used by your scheduled jobs or as part of your automation, without requiring a logged-in user context. ++For more information, see the [Example how to create Azure AD access reviews using Microsoft Graph app permissions with PowerShell blog](https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Example-how-to-create-Azure-AD-access-reviews-using-Microsoft/m-p/807241). ++++### Azure AD activity logs are now available for government cloud instances in Azure Monitor ++**Type:** Changed feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting ++We're excited to announce that Azure AD activity logs are now available for government cloud instances in Azure Monitor. You can now send Azure AD logs to your storage account or to an event hub to integrate with your SIEM tools, like [Sumologic](../reports-monitoring/howto-integrate-activity-logs-with-sumologic.md), [Splunk](../reports-monitoring/howto-integrate-activity-logs-with-splunk.md), and [ArcSight](../reports-monitoring/howto-integrate-activity-logs-with-arcsight.md). ++For more information about setting up Azure Monitor, see [Azure AD activity logs in Azure Monitor](../reports-monitoring/concept-activity-logs-azure-monitor.md#cost-considerations). 
++++### Update your users to the new, enhanced security info experience ++**Type:** Changed feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication ++On September 25, 2019, we'll be turning off the old, non-enhanced security info experience for registering and managing user security info and only turning on the new, [enhanced version](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Cool-enhancements-to-the-Azure-AD-combined-MFA-and-password/ba-p/354271). This means that your users will no longer be able to use the old experience. ++For more information about the enhanced security info experience, see our [admin documentation](../authentication/concept-registration-mfa-sspr-combined.md) and our [user documentation](https://support.microsoft.com/account-billing/set-up-your-security-info-from-a-sign-in-prompt-28180870-c256-4ebf-8bd7-5335571bf9a8). ++#### To turn on this new experience, you must: ++1. Sign in to the Azure portal as a Global Administrator or User Administrator. ++2. Go to **Azure Active Directory > User settings > Manage settings for access panel preview features**. ++3. In the **Users can use preview features for registering and managing security info - enhanced** area, select **Selected**, and then either choose a group of users or choose **All** to turn on this feature for all users in the tenant. ++4. In the **Users can use preview features for registering and managing security **info**** area, select **None**. ++5. Save your settings. ++ After you save your settings, you'll no longer have access to the old security info experience. ++>[!Important] +>If you don't complete these steps before September 25, 2019, your Azure Active Directory tenant will be automatically enabled for the enhanced experience. If you have questions, please contact us at registrationpreview@microsoft.com. 
++++### Authentication requests using POST logins will be more strictly validated ++**Type:** Changed feature +**Service category:** Authentications (Logins) +**Product capability:** Standards ++Starting on September 2, 2019, authentication requests using the POST method will be more strictly validated against the HTTP standards. Specifically, spaces and double-quotes (") will no longer be removed from request form values. These changes aren't expected to break any existing clients, and will help to make sure that requests sent to Azure AD are reliably handled every time. ++For more information, see the [Azure AD breaking changes notices](../develop/reference-breaking-changes.md#post-form-semantics-will-be-enforced-more-strictlyspaces-and-quotes-will-be-ignored). ++++## July 2019 ++### Plan for change: Application Proxy service update to support only TLS 1.2 ++**Type:** Plan for change +**Service category:** App Proxy +**Product capability:** Access Control ++To help provide you with our strongest encryption, we're going to begin limiting Application Proxy service access to only TLS 1.2 protocols. This limitation will initially be rolled out to customers who are already using TLS 1.2 protocols, so you won't see the impact. Complete deprecation of the TLS 1.0 and TLS 1.1 protocols will be complete on August 31, 2019. Customers still using TLS 1.0 and TLS 1.1 will receive advanced notice to prepare for this change. ++To maintain the connection to the Application Proxy service throughout this change, we recommend that you make sure your client-server and browser-server combinations are updated to use TLS 1.2. We also recommend that you make sure to include any client systems used by your employees to access apps published through the Application Proxy service. ++For more information, see [Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md). 
++++### Plan for change: Design updates are coming for the Application Gallery ++**Type:** Plan for change +**Service category:** Enterprise Apps +**Product capability:** SSO ++New user interface changes are coming to the design of the **Add from the gallery** area of the **Add an application** blade. These changes will help you more easily find your apps that support automatic provisioning, OpenID Connect, Security Assertion Markup Language (SAML), and Password single sign-on (SSO). ++++### Plan for change: Removal of the multifactor authentication (MFA) server IP address from the Office 365 IP address ++**Type:** Plan for change +**Service category:** MFA +**Product capability:** Identity Security & Protection ++We're removing the multifactor authentication (MFA) server IP address from the [Office 365 IP Address and URL Web service](/office365/enterprise/office-365-ip-web-service). If you currently rely on these pages to update your firewall settings, you must make sure you're also including the list of IP addresses documented in the **Azure Active Directory Multi-Factor Authentication Server firewall requirements** section of the [Getting started with the Azure Active Directory Multi-Factor Authentication Server](../authentication/howto-mfaserver-deploy.md#azure-multi-factor-authentication-server-firewall-requirements) article. ++++### App-only tokens now require the client app to exist in the resource tenant ++**Type:** Fixed +**Service category:** Authentications (Logins) +**Product capability:** User Authentication ++On July 26, 2019, we changed how we provide app-only tokens through the [client credentials grant](../develop/v2-oauth2-client-creds-grant-flow.md). Previously, apps could get tokens to call other apps, regardless of whether the client app was in the tenant. We've updated this behavior so single-tenant resources, sometimes called Web APIs, can only be called by client apps that exist in the resource tenant. 
++If your app isn't located in the resource tenant, you'll get an error message that says, `The service principal named <app_name> was not found in the tenant named <tenant_name>. This can happen if the application has not been installed by the administrator of the tenant.` To fix this problem, you must create the client app service principal in the tenant, using either the [admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint) or [through PowerShell](../develop/howto-authenticate-service-principal-powershell.md), which ensures your tenant has given the app permission to operate within the tenant. ++For more information, see [What's new for authentication?](../develop/reference-breaking-changes.md#app-only-tokens-for-single-tenant-applications-are-only-issued-if-the-client-app-exists-in-the-resource-tenant). ++> [!NOTE] +> Existing consent between the client and the API continues to not be required. Apps should still be doing their own authorization checks. ++++### New passwordless sign-in to Azure AD using FIDO2 security keys ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication ++Azure AD customers can now set policies to manage FIDO2 security keys for their organization's users and groups. End users can also self-register their security keys, use the keys to sign in to their Microsoft accounts on web sites while on FIDO-capable devices, and sign-in to their Azure AD-joined Windows 10 devices. ++For more information, see [Enable passwordless sign in for Azure AD (preview)](../authentication/concept-authentication-passwordless.md) for administrator-related information, and [Set up security info to use a security key (Preview)](https://support.microsoft.com/account-billing/set-up-a-security-key-as-your-verification-method-2911cacd-efa5-4593-ae22-e09ae14c6698) for end-user-related information. 
++++### New Federated Apps available in Azure AD App gallery - July 2019 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In July 2019, we've added these 18 new apps with Federation support to the app gallery: ++[Ungerboeck Software](../saas-apps/ungerboeck-software-tutorial.md), [Bright Pattern Omnichannel Contact Center](../saas-apps/bright-pattern-omnichannel-contact-center-tutorial.md), [Clever Nelly](../saas-apps/clever-nelly-tutorial.md), [AcquireIO](../saas-apps/acquireio-tutorial.md), [Looop](https://www.looop.co/schedule-a-demo/), [productboard](../saas-apps/productboard-tutorial.md), [MS Azure SSO Access for Ethidex Compliance Office™](../saas-apps/ms-azure-sso-access-for-ethidex-compliance-office-tutorial.md), [Hype](../saas-apps/hype-tutorial.md), [Abstract](../saas-apps/abstract-tutorial.md), [Ascentis](../saas-apps/ascentis-tutorial.md), [Flipsnack](https://www.flipsnack.com/accounts/sign-in-sso.html), [Wandera](../saas-apps/wandera-tutorial.md), [TwineSocial](https://twinesocial.com/), [Kallidus](../saas-apps/kallidus-tutorial.md), [HyperAnna](../saas-apps/hyperanna-tutorial.md), [PharmID WasteWitness](https://pharmid.com/), [i2B Connect](https://www.i2b-online.com/sign-up-to-use-i2b-connect-here-sso-access/), [JFrog Artifactory](../saas-apps/jfrog-artifactory-tutorial.md) ++For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). 
++++### Automate user account provisioning for these newly supported SaaS apps ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** Monitoring & Reporting ++You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Dialpad](../saas-apps/dialpad-provisioning-tutorial.md) ++- [Federated Directory](../saas-apps/federated-directory-provisioning-tutorial.md) ++- [Figma](../saas-apps/figma-provisioning-tutorial.md) ++- [Leapsome](../saas-apps/leapsome-provisioning-tutorial.md) ++- [Peakon](../saas-apps/peakon-provisioning-tutorial.md) ++- [Smartsheet](../saas-apps/smartsheet-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md) ++++### New Azure AD Domain Services service tag for Network Security Group ++**Type:** New feature +**Service category:** Azure AD Domain Services +**Product capability:** Azure AD Domain Services ++If you're tired of managing long lists of IP addresses and ranges, you can use the new **AzureActiveDirectoryDomainServices** network service tag in your Azure network security group to help secure inbound traffic to your Azure AD Domain Services virtual network subnet. ++For more information about this new service tag, see [Network Security Groups for Azure AD Domain Services](../../active-directory-domain-services/network-considerations.md#network-security-groups-and-required-ports). ++++### New Security Audits for Azure AD Domain Services (Public Preview) ++**Type:** New feature +**Service category:** Azure AD Domain Services +**Product capability:** Azure AD Domain Services ++We're pleased to announce the release of Azure AD Domain Service Security Auditing to public preview. 
Security auditing helps provide you with critical insight into your authentication services by streaming security audit events to targeted resources, including Azure Storage, Azure Log Analytics workspaces, and Azure Event Hubs, using the Azure AD Domain Service portal. ++For more information, see [Enable Security Audits for Azure AD Domain Services (Preview)](../../active-directory-domain-services/security-audit-events.md). ++++### New Authentication methods usage & insights (Public Preview) ++**Type:** New feature +**Service category:** Self Service Password Reset +**Product capability:** Monitoring & Reporting ++The new Authentication methods usage & insights reports can help you to understand how features like Azure AD Multi-Factor Authentication and self-service password reset are being registered and used in your organization, including the number of registered users for each feature, how often self-service password reset is used to reset passwords, and by which method the reset happens. ++For more information, see [Authentication methods usage & insights (preview)](../authentication/howto-authentication-methods-activity.md). ++++### New security reports are available for all Azure AD administrators (Public Preview) ++**Type:** New feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection ++All Azure AD administrators can now select the banner at the top of existing security reports, such as the **Users flagged for risk** report, to start using the new security experience as shown in the **Risky users** and the **Risky sign-ins** reports. 
Over time, all of the security reports will move from the older versions to the new versions, with the new reports providing you the following additional capabilities: ++- Advanced filtering and sorting ++- Bulk actions, such as dismissing user risk ++- Confirmation of compromised or safe entities ++- Risk state, covering: At risk, Dismissed, Remediated, and Confirmed compromised ++For more information, see [Risky users report](../identity-protection/howto-identity-protection-investigate-risk.md#risky-users) and [Risky sign-ins report](../identity-protection/howto-identity-protection-investigate-risk.md#risky-sign-ins). ++++### New Security Audits for Azure AD Domain Services (Public Preview) ++**Type:** New feature +**Service category:** Azure AD Domain Services +**Product capability:** Azure AD Domain Services ++We're pleased to announce the release of Azure AD Domain Service Security Auditing to public preview. Security auditing helps provide you with critical insight into your authentication services by streaming security audit events to targeted resources, including Azure Storage, Azure Log Analytics workspaces, and Azure Event Hubs, using the Azure AD Domain Service portal. ++For more information, see [Enable Security Audits for Azure AD Domain Services (Preview)](../../active-directory-domain-services/security-audit-events.md). ++++### New B2B direct federation using SAML/WS-Fed (Public Preview) ++**Type:** New feature +**Service category:** B2B +**Product capability:** B2B/B2C ++Direct federation helps to make it easier for you to work with partners whose IT-managed identity solution is not Azure AD, by working with identity systems that support the SAML or WS-Fed standards. After you set up a direct federation relationship with a partner, any new guest user you invite from that domain can collaborate with you using their existing organizational account, making the user experience for your guests more seamless. 
++For more information, see [Direct federation with AD FS and third-party providers for guest users (preview)](../external-identities/direct-federation.md). ++++### Automate user account provisioning for these newly supported SaaS apps ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** Monitoring & Reporting ++You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Dialpad](../saas-apps/dialpad-provisioning-tutorial.md) ++- [Federated Directory](../saas-apps/federated-directory-provisioning-tutorial.md) ++- [Figma](../saas-apps/figma-provisioning-tutorial.md) ++- [Leapsome](../saas-apps/leapsome-provisioning-tutorial.md) ++- [Peakon](../saas-apps/peakon-provisioning-tutorial.md) ++- [Smartsheet](../saas-apps/smartsheet-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). ++++### New check for duplicate group names in the Azure portal ++**Type:** New feature +**Service category:** Group Management +**Product capability:** Collaboration ++Now, when you create or update a group name from the Azure portal, we'll perform a check to see if you are duplicating an existing group name in your resource. If we determine that the name is already in use by another group, you'll be asked to modify your name. ++For more information, see [Manage groups in the Azure portal](./active-directory-groups-create-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context). 
++++### Azure AD now supports static query parameters in reply (redirect) URIs ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication ++Azure AD apps can now register and use reply (redirect) URIs with static query parameters (for example, `https://contoso.com/oauth2?idp=microsoft`) for OAuth 2.0 requests. The static query parameter is subject to string matching for reply URIs, just like any other part of the reply URI. If there's no registered string that matches the URL-decoded redirect-uri, the request is rejected. If the reply URI is found, the entire string is used to redirect the user, including the static query parameter. ++Dynamic reply URIs are still forbidden because they represent a security risk and can't be used to retain state information across an authentication request. For this purpose, use the `state` parameter. ++Currently, the app registration screens of the Azure portal still block query parameters. However, you can manually edit the app manifest to add and test query parameters in your app. For more information, see [What's new for authentication?](../develop/reference-breaking-changes.md#redirect-uris-can-now-contain-query-string-parameters). ++++### Activity logs (MS Graph APIs) for Azure AD are now available through PowerShell Cmdlets ++**Type:** New feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting ++We're excited to announce that Azure AD activity logs (Audit and Sign-ins reports) are now available through the Azure AD PowerShell module. Previously, you could create your own scripts using MS Graph API endpoints, and now we've extended that capability to PowerShell cmdlets. ++For more information about how to use these cmdlets, see [Azure AD PowerShell cmdlets for reporting](../reports-monitoring/reference-powershell-reporting.md). 
++++### Updated filter controls for Audit and Sign-in logs in Azure AD ++**Type:** Changed feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting ++We've updated the Audit and Sign-in log reports so you can now apply various filters without having to add them as columns on the report screens. Additionally, you can now decide how many filters you want to show on the screen. These updates all work together to make your reports easier to read and more scoped to your needs. ++For more information about these updates, see [Filter audit logs](../reports-monitoring/concept-audit-logs.md#filtering-audit-logs) and [Filter sign-in activities](../reports-monitoring/concept-sign-ins.md#filter-sign-in-activities). ++++## June 2019 ++### New riskDetections API for Microsoft Graph (Public preview) ++**Type:** New feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection ++We're pleased to announce the new riskDetections API for Microsoft Graph is now in public preview. You can use this new API to view a list of your organization's Identity Protection-related user and sign-in risk detections. You can also use this API to more efficiently query your risk detections, including details about the detection type, status, level, and more. ++For more information, see the [Risk detection API reference documentation](/graph/api/resources/riskdetection). 
++++### New Federated Apps available in Azure AD app gallery - June 2019 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In June 2019, we've added these 22 new apps with Federation support to the app gallery: ++[Azure AD SAML Toolkit](../saas-apps/saml-toolkit-tutorial.md), [Otsuka Shokai (σñºσíÜσòåΣ╝Ü)](../saas-apps/otsuka-shokai-tutorial.md), [ANAQUA](../saas-apps/anaqua-tutorial.md), [Azure VPN Client](https://portal.azure.com/), [ExpenseIn](../saas-apps/expensein-tutorial.md), [Helper Helper](../saas-apps/helper-helper-tutorial.md), [Costpoint](../saas-apps/costpoint-tutorial.md), [GlobalOne](../saas-apps/globalone-tutorial.md), [Mercedes-Benz In-Car Office](https://me.secure.mercedes-benz.com/), [Skore](https://app.justskore.it/), [Oracle Cloud Infrastructure Console](../saas-apps/oracle-cloud-tutorial.md), [CyberArk SAML Authentication](../saas-apps/cyberark-saml-authentication-tutorial.md), [Scrible Edu](https://www.scrible.com/sign-in/#/create-account), [PandaDoc](../saas-apps/pandadoc-tutorial.md), [Vtiger CRM (SAML)](../saas-apps/vtiger-crm-saml-tutorial.md), Oracle Access Manager for Oracle Retail Merchandising, Oracle Access Manager for Oracle E-Business Suite, Oracle IDCS for E-Business Suite, Oracle IDCS for PeopleSoft, Oracle IDCS for JD Edwards ++For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). 
++++### Automate user account provisioning for these newly supported SaaS apps ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** Monitoring & Reporting ++You can now automate creating, updating, and deleting user accounts for these newly integrated apps: ++- [Zoom](../saas-apps/zoom-provisioning-tutorial.md) ++- [Envoy](../saas-apps/envoy-provisioning-tutorial.md) ++- [Proxyclick](../saas-apps/proxyclick-provisioning-tutorial.md) ++- [4me](../saas-apps/4me-provisioning-tutorial.md) ++For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md) ++++### View the real-time progress of the Azure AD provisioning service ++**Type:** Changed feature +**Service category:** App Provisioning +**Product capability:** Identity Lifecycle Management ++We've updated the Azure AD provisioning experience to include a new progress bar that shows you how far you are in the user provisioning process. This updated experience also provides information about the number of users provisioned during the current cycle, as well as how many users have been provisioned to date. ++For more information, see [Check the status of user provisioning](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md). ++++### Company branding now appears on sign out and error screens ++**Type:** Changed feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication ++We've updated Azure AD so that your company branding now appears on the sign out and error screens, as well as the sign-in page. You don't have to do anything to turn on this feature, Azure AD simply uses the assets you've already set up in the **Company branding** area of the Azure portal. 
++For more information about setting up your company branding, see [Add branding to your organization's Azure Active Directory pages](./customize-branding.md). ++++### Azure Active Directory Multi-Factor Authentication (MFA) Server is no longer available for new deployments ++**Type:** Deprecated +**Service category:** MFA +**Product capability:** Identity Security & Protection ++As of July 1, 2019, Microsoft will no longer offer multifactor authentication (MFA) Server for new deployments. New customers who want to require multifactor authentication in their organization must now use cloud-based Azure AD Multi-Factor Authentication. Customers who activated multifactor authentication (MFA) Server prior to July 1 won't see a change. You'll still be able to download the latest version, get future updates, and generate activation credentials. ++For more information, see [Getting started with the Azure Active Directory Multi-Factor Authentication Server](../authentication/howto-mfaserver-deploy.md). For more information about cloud-based Azure AD Multi-Factor Authentication, see [Planning a cloud-based Azure AD Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md). ++++## May 2019 ++### Service change: Future support for only TLS 1.2 protocols on the Application Proxy service ++**Type:** Plan for change +**Service category:** App Proxy +**Product capability:** Access Control ++To help provide best-in-class encryption for our customers, we're limiting access to only TLS 1.2 protocols on the Application Proxy service. This change is gradually being rolled out to customers who are already only using TLS 1.2 protocols, so you shouldn't see any changes. ++Deprecation of TLS 1.0 and TLS 1.1 happens on August 31, 2019, but we'll provide additional advanced notice, so you'll have time to prepare for this change. 
To prepare for this change make sure your client-server and browser-server combinations, including any clients your users use to access apps published through Application Proxy, are updated to use the TLS 1.2 protocol to maintain the connection to the Application Proxy service. For more information, see [Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md#prerequisites). ++++### Use the usage and insights report to view your app-related sign-in data ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** Monitoring & Reporting ++You can now use the usage and insights report, located in the **Enterprise applications** area of the Azure portal, to get an application-centric view of your sign-in data, including info about: ++- Top used apps for your organization ++- Apps with the most failed sign-ins ++- Top sign-in errors for each app ++For more information about this feature, see [Usage and insights report in the Azure portal](../reports-monitoring/concept-usage-insights-report.md) ++++### Automate your user provisioning to cloud apps using Azure AD ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** Monitoring & Reporting ++Follow these new tutorials to use the Azure AD Provisioning Service to automate the creation, deletion, and updating of user accounts for the following cloud-based apps: ++- [Comeet](../saas-apps/comeet-recruiting-software-provisioning-tutorial.md) ++- [DynamicSignal](../saas-apps/dynamic-signal-provisioning-tutorial.md) ++- [KeeperSecurity](../saas-apps/keeper-password-manager-digitalvault-provisioning-tutorial.md) ++You can also follow this new [Dropbox tutorial](../saas-apps/dropboxforbusiness-provisioning-tutorial.md), which provides info about how to provision group objects. 
++For more information about how to better secure your organization through automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). ++++### Identity secure score is now available in Azure AD (General availability) ++**Type:** New feature +**Service category:** N/A +**Product capability:** Identity Security & Protection ++You can now monitor and improve your identity security posture by using the identity secure score feature in Azure AD. The identity secure score feature uses a single dashboard to help you: ++- Objectively measure your identity security posture, based on a score between 1 and 223. ++- Plan for your identity security improvements ++- Review the success of your security improvements ++For more information about the identity security score feature, see [What is the identity secure score in Azure Active Directory?](./identity-secure-score.md). ++++### New App registrations experience is now available (General availability) ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** Developer Experience ++The new [App registrations](https://aka.ms/appregistrations) experience is now in general availability. This new experience includes all the key features you're familiar with from the Azure portal and the Application Registration portal and improves upon them through: ++- **Better app management.** Instead of seeing your apps across different portals, you can now see all your apps in one location. ++- **Simplified app registration.** From the improved navigation experience to the revamped permission selection experience, it's now easier to register and manage your apps. ++- **More detailed information.** You can find more details about your app, including quickstart guides and more. 
++For more information, see [Microsoft identity platform](../develop/index.yml) and the [App registrations experience is now generally available!](https://developer.microsoft.com/identity/blogs/new-app-registrations-experience-is-now-generally-available/) blog announcement. ++++### New capabilities available in the Risky Users API for Identity Protection ++**Type:** New feature +**Service category:** Identity Protection +**Product capability:** Identity Security & Protection ++We're pleased to announce that you can now use the Risky Users API to retrieve users' risk history, dismiss risky users, and to confirm users as compromised. This change helps you to more efficiently update the risk status of your users and understand their risk history. ++For more information, see the [Risky Users API reference documentation](/graph/api/resources/riskyuser). ++++### New Federated Apps available in Azure AD app gallery - May 2019 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In May 2019, we've added these 21 new apps with Federation support to the app gallery: ++[Freedcamp](../saas-apps/freedcamp-tutorial.md), [Real Links](../saas-apps/real-links-tutorial.md), [Kianda](https://app.kianda.com/sso/OpenID/AzureAD/), [Simple Sign](../saas-apps/simple-sign-tutorial.md), [Braze](../saas-apps/braze-tutorial.md), [Displayr](../saas-apps/displayr-tutorial.md), [Templafy](../saas-apps/templafy-tutorial.md), [Marketo Sales Engage](https://toutapp.com/login), [ACLP](../saas-apps/aclp-tutorial.md), [OutSystems](../saas-apps/outsystems-tutorial.md), [Meta4 Global HR](../saas-apps/meta4-global-hr-tutorial.md), [Quantum Workplace](../saas-apps/quantum-workplace-tutorial.md), [Cobalt](../saas-apps/cobalt-tutorial.md), [webMethods API Cloud](../saas-apps/webmethods-integration-cloud-tutorial.md), [RedFlag](https://pocketstop.com/redflag/), [Whatfix](../saas-apps/whatfix-tutorial.md), [Control](../saas-apps/control-tutorial.md), 
[JOBHUB](../saas-apps/jobhub-tutorial.md), [NEOGOV](../saas-apps/neogov-tutorial.md), [Foodee](../saas-apps/foodee-tutorial.md), [MyVR](../saas-apps/myvr-tutorial.md) ++For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). ++++### Improved groups creation and management experiences in the Azure portal ++**Type:** New feature +**Service category:** Group Management +**Product capability:** Collaboration ++We've made improvements to the groups-related experiences in the Azure portal. These improvements allow administrators to better manage groups lists, members lists, and to provide additional creation options. ++Improvements include: ++- Basic filtering by membership type and group type. ++- Addition of new columns, such as Source and Email address. ++- Ability to multi-select groups, members, and owner lists for easy deletion. ++- Ability to choose an email address and add owners during group creation. ++For more information, see [Create a basic group and add members using Azure Active Directory](./active-directory-groups-create-azure-portal.md). ++++### Configure a naming policy for Office 365 groups in Azure portal (General availability) ++**Type:** Changed feature +**Service category:** Group Management +**Product capability:** Collaboration ++Administrators can now configure a naming policy for Office 365 groups, using the Azure portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization. ++You can configure naming policy for Office 365 groups in two different ways: ++- Define prefixes or suffixes, which are automatically added to a group name. 
++- Upload a customized set of blocked words for your organization, which aren't allowed in group names (for example, "CEO, Payroll, HR"). ++For more information, see [Enforce a Naming Policy for Office 365 groups](../enterprise-users/groups-naming-policy.md). ++++### Microsoft Graph API endpoints are now available for Azure AD activity logs (General availability) ++**Type:** Changed feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting ++We're happy to announce general availability of Microsoft Graph API endpoints support for Azure AD activity logs. With this release, you can now use Version 1.0 of both the Azure AD audit logs, as well as the sign-in logs APIs. ++For more information, see [Azure AD audit log API overview](/graph/api/resources/azure-ad-auditlog-overview). ++++### Administrators can now use Conditional Access for the combined registration process (Public preview) ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection ++Administrators can now create Conditional Access policies for use by the combined registration page. This includes applying policies to allow registration if: ++- Users are on a trusted network. ++- Users are a low sign-in risk. ++- Users are on a managed device. ++- Users agree to the organization's terms of use (TOU). ++For more information about Conditional Access and password reset, you can see the [Conditional Access for the Azure AD combined MFA and password reset registration experience blog post](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Conditional-access-for-the-Azure-AD-combined-MFA-and-password/ba-p/566348). For more information about Conditional Access policies for the combined registration process, see [Conditional Access policies for combined registration](../authentication/howto-registration-mfa-sspr-combined.md#conditional-access-policies-for-combined-registration). 
For more information about the Azure AD terms of use feature, see [Azure Active Directory terms of use feature](../conditional-access/terms-of-use.md). ++++## April 2019 ++### New Azure AD threat intelligence detection is now available as part of Azure AD Identity Protection ++**Type:** New feature +**Service category:** Azure AD Identity Protection +**Product capability:** Identity Security & Protection ++Azure AD threat intelligence detection is now available as part of the updated Azure AD Identity Protection feature. This new functionality helps to indicate unusual user activity for a specific user or activity that's consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources. ++For more information about the refreshed version of Azure AD Identity Protection, see the [Four major Azure AD Identity Protection enhancements are now in public preview](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Four-major-Azure-AD-Identity-Protection-enhancements-are-now-in/ba-p/326935) blog and the [What is Azure Active Directory Identity Protection (refreshed)?](../identity-protection/overview-identity-protection.md) article. For more information about Azure AD threat intelligence detection, see the [Azure Active Directory Identity Protection risk detections](../identity-protection/concept-identity-protection-risks.md) article. ++++### Azure AD entitlement management is now available (Public preview) ++**Type:** New feature +**Service category:** Identity Governance +**Product capability:** Identity Governance ++Azure AD entitlement management, now in public preview, helps customers to delegate management of access packages, which defines how employees and business partners can request access, who must approve, and how long they have access. Access packages can manage membership in Azure AD and Office 365 groups, role assignments in enterprise applications, and role assignments for SharePoint Online sites. 
Read more about entitlement management at the [overview of Azure AD entitlement management](../governance/entitlement-management-overview.md). To learn more about the breadth of Azure AD Identity Governance features, including Privileged Identity Management, access reviews and terms of use, see [What is Azure AD Identity Governance?](../governance/identity-governance-overview.md). ++++### Configure a naming policy for Office 365 groups in Azure portal (Public preview) ++**Type:** New feature +**Service category:** Group Management +**Product capability:** Collaboration ++Administrators can now configure a naming policy for Office 365 groups, using the Azure portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization. ++You can configure naming policy for Office 365 groups in two different ways: ++- Define prefixes or suffixes, which are automatically added to a group name. ++- Upload a customized set of blocked words for your organization, which are not allowed in group names (for example, "CEO, Payroll, HR"). ++For more information, see [Enforce a Naming Policy for Office 365 groups](../enterprise-users/groups-naming-policy.md). ++++### Azure AD Activity logs are now available in Azure Monitor (General availability) ++**Type:** New feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting ++To help address your feedback about visualizations with the Azure AD Activity logs, we're introducing a new Insights feature in Log Analytics. This feature helps you gain insights about your Azure AD resources by using our interactive templates, called Workbooks. These pre-built Workbooks can provide details for apps or users, and include: ++- **Sign-ins.** Provides details for apps and users, including sign-in location, the in-use operating system or browser client and version, and the number of successful or failed sign-ins. 
++- **Legacy authentication and Conditional Access.** Provides details for apps and users using legacy authentication, including multifactor authentication usage triggered by Conditional Access policies, apps using Conditional Access policies, and so on. ++- **Sign-in failure analysis.** Helps you to determine if your sign-in errors are occurring due to a user action, policy issues, or your infrastructure. ++- **Custom reports.** You can create new, or edit existing Workbooks to help customize the Insights feature for your organization. ++For more information, see [How to use Azure Monitor workbooks for Azure Active Directory reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md). ++++### New Federated Apps available in Azure AD app gallery - April 2019 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In April 2019, we've added these 21 new apps with Federation support to the app gallery: ++[SAP Fiori](../saas-apps/sap-fiori-tutorial.md), [HRworks Single Sign-On](../saas-apps/hrworks-single-sign-on-tutorial.md), [Percolate](../saas-apps/percolate-tutorial.md), [MobiControl](../saas-apps/mobicontrol-tutorial.md), [Citrix NetScaler](../saas-apps/citrix-netscaler-tutorial.md), [Shibumi](../saas-apps/shibumi-tutorial.md), [Benchling](../saas-apps/benchling-tutorial.md), [MileIQ](https://mileiq.onelink.me/991934284/7e980085), [PageDNA](../saas-apps/pagedna-tutorial.md), [EduBrite LMS](../saas-apps/edubrite-lms-tutorial.md), [RStudio Connect](../saas-apps/rstudio-connect-tutorial.md), [AMMS](../saas-apps/amms-tutorial.md), [Mitel Connect](../saas-apps/mitel-connect-tutorial.md), [Alibaba Cloud (Role-based SSO)](../saas-apps/alibaba-cloud-service-role-based-sso-tutorial.md), [Certent Equity Management](../saas-apps/certent-equity-management-tutorial.md), [Sectigo Certificate Manager](../saas-apps/sectigo-certificate-manager-tutorial.md), [GreenOrbit](../saas-apps/greenorbit-tutorial.md), 
[Workgrid](../saas-apps/workgrid-tutorial.md), [monday.com](../saas-apps/mondaycom-tutorial.md), [SurveyMonkey Enterprise](../saas-apps/surveymonkey-enterprise-tutorial.md), [Indiggo](https://indiggolead.com/) ++For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). ++++### New access reviews frequency option and multiple role selection ++**Type:** New feature +**Service category:** Access Reviews +**Product capability:** Identity Governance ++New updates in Azure AD access reviews allow you to: ++- Change the frequency of your access reviews to **semi-annually**, in addition to the previously existing options of weekly, monthly, quarterly, and annually. ++- Select multiple Azure AD and Azure resource roles when creating a single access review. In this situation, all roles are set up with the same settings and all reviewers are notified at the same time. ++For more information about how to create an access review, see [Create an access review of groups or applications in Azure AD access reviews](../governance/create-access-review.md). ++++### Azure AD Connect email alert system(s) are transitioning, sending new email sender information for some customers ++**Type:** Changed feature +**Service category:** AD Sync +**Product capability:** Platform ++Azure AD Connect is in the process of transitioning our email alert system(s), potentially showing some customers a new email sender. To address this, you must add `azure-noreply@microsoft.com` to your organization's allowlist or you won't be able to continue receiving important alerts from your Office 365, Azure, or your Sync services. 
++++### UPN suffix changes are now successful between Federated domains in Azure AD Connect ++**Type:** Fixed +**Service category:** AD Sync +**Product capability:** Platform ++You can now successfully change a user's UPN suffix from one Federated domain to another Federated domain in Azure AD Connect. This fix means you should no longer experience the FederatedDomainChangeError error message during the synchronization cycle or receive a notification email stating, "Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services". +++++### Increased security using the app protection-based Conditional Access policy in Azure AD (Public preview) ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection ++App protection-based Conditional Access is now available by using the **Require app protection** policy. This new policy helps to increase your organization's security by helping to prevent: ++- Users gaining access to apps without a Microsoft Intune license. ++- Users being unable to get a Microsoft Intune app protection policy. ++- Users gaining access to apps without a configured Microsoft Intune app protection policy. ++For more information, see [How to Require app protection policy for cloud app access with Conditional Access](../conditional-access/app-protection-based-conditional-access.md). ++++### New support for Azure AD single sign-on and Conditional Access in Microsoft Edge (Public preview) ++**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection ++We've enhanced our Azure AD support for Microsoft Edge, including providing new support for Azure AD single sign-on and Conditional Access. If you've previously used Microsoft Intune Managed Browser, you can now use Microsoft Edge instead. 
++For more information about setting up and managing your devices and apps using Conditional Access, see [Require managed devices for cloud app access with Conditional Access](../conditional-access/require-managed-devices.md) and [Require approved client apps for cloud app access with Conditional Access](../conditional-access/app-based-conditional-access.md). For more information about how to manage access using Microsoft Edge with Microsoft Intune policies, see [Manage Internet access using a Microsoft Intune policy-protected browser](/intune/app-configuration-managed-browser). ++++## March 2019 ++### Identity Experience Framework and custom policy support in Azure Active Directory B2C is now available (GA) ++**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** B2B/B2C ++You can now create custom policies in Azure AD B2C, including the following tasks, which are supported at-scale and under our Azure SLA: ++- Create and upload custom authentication user journeys by using custom policies. ++- Describe user journeys step-by-step as exchanges between claims providers. ++- Define conditional branching in user journeys. ++- Transform and map claims for use in real-time decisions and communications. ++- Use REST API-enabled services in your custom authentication user journeys. For example, with email providers, CRMs, and proprietary authorization systems. ++- Federate with identity providers who are compliant with the OpenIDConnect protocol. For example, with multi-tenant Azure AD, social account providers, or two-factor verification providers. 
++For more information about creating custom policies, see [Developer notes for custom policies in Azure Active Directory B2C](../../active-directory-b2c/custom-policy-developer-notes.md) and read [Alex Simon's blog post, including case studies](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-B2C-custom-policies-to-build-your-own-identity-journeys/ba-p/382791). ++++### New Federated Apps available in Azure AD app gallery - March 2019 ++**Type:** New feature +**Service category:** Enterprise Apps +**Product capability:** 3rd Party Integration ++In March 2019, we've added these 14 new apps with Federation support to the app gallery: ++[ISEC7 Mobile Exchange Delegate](https://www.isec7.com/english/), [MediusFlow](https://office365.cloudapp.mediusflow.com/), [ePlatform](../saas-apps/eplatform-tutorial.md), [Fulcrum](../saas-apps/fulcrum-tutorial.md), [ExcelityGlobal](../saas-apps/excelityglobal-tutorial.md), [Explanation-Based Auditing System](../saas-apps/explanation-based-auditing-system-tutorial.md), [Lean](../saas-apps/lean-tutorial.md), [Powerschool Performance Matters](../saas-apps/powerschool-performance-matters-tutorial.md), [Cinode](https://cinode.com/), [Iris Intranet](../saas-apps/iris-intranet-tutorial.md), [Empactis](../saas-apps/empactis-tutorial.md), [SmartDraw](../saas-apps/smartdraw-tutorial.md), [Confirmit Horizons](../saas-apps/confirmit-horizons-tutorial.md), [TAS](../saas-apps/tas-tutorial.md) ++For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). 
++++### New Zscaler and Atlassian provisioning connectors in the Azure AD gallery - March 2019 ++**Type:** New feature +**Service category:** App Provisioning +**Product capability:** 3rd Party Integration ++Automate creating, updating, and deleting user accounts for the following apps: ++[Zscaler](../saas-apps/zscaler-provisioning-tutorial.md), [Zscaler Beta](../saas-apps/zscaler-beta-provisioning-tutorial.md), [Zscaler One](../saas-apps/zscaler-one-provisioning-tutorial.md), [Zscaler Two](../saas-apps/zscaler-two-provisioning-tutorial.md), [Zscaler Three](../saas-apps/zscaler-three-provisioning-tutorial.md), [Zscaler ZSCloud](../saas-apps/zscaler-zscloud-provisioning-tutorial.md), [Atlassian Cloud](../saas-apps/atlassian-cloud-provisioning-tutorial.md) ++For more information about how to better secure your organization through automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md). ++++### Restore and manage your deleted Office 365 groups in the Azure portal ++**Type:** New feature +**Service category:** Group Management +**Product capability:** Collaboration ++You can now view and manage your deleted Office 365 groups from the Azure portal. This change helps you to see which groups are available to restore, along with letting you permanently delete any groups that aren't needed by your organization. ++For more information, see [Restore expired or deleted groups](../enterprise-users/groups-restore-deleted.md#view-and-manage-the-deleted-microsoft-365-groups-that-are-available-to-restore). ++++### Single sign-on is now available for Azure AD SAML-secured on-premises apps through Application Proxy (public preview) ++**Type:** New feature +**Service category:** App Proxy +**Product capability:** Access Control ++You can now provide a single sign-on (SSO) experience for on-premises, SAML-authenticated apps, along with remote access to these apps through Application Proxy. 
For more information about how to set up SAML SSO with your on-premises apps, see [SAML single sign-on for on-premises applications with Application Proxy (Preview)](../app-proxy/application-proxy-configure-single-sign-on-on-premises-apps.md). ++++### Client apps in request loops will be interrupted to improve reliability and user experience ++**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication ++Client apps can incorrectly issue hundreds of the same login requests over a short period of time. These requests, whether they're successful or not, all contribute to a poor user experience and heightened workloads for the IDP, increasing latency for all users and reducing the availability of the IDP. ++This update sends an `invalid_grant` error: `AADSTS50196: The server terminated an operation because it encountered a loop while processing a request` to client apps that issue duplicate requests multiple times over a short period of time, beyond the scope of normal operation. Client apps that encounter this issue should show an interactive prompt, requiring the user to sign in again. For more information about this change and about how to fix your app if it encounters this error, see [What's new for authentication?](../develop/reference-breaking-changes.md#looping-clients-will-be-interrupted). ++++### New Audit Logs user experience now available ++**Type:** Changed feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting ++We've created a new Azure AD **Audit logs** page to help improve both readability and how you search for your information. To see the new **Audit logs** page, select **Audit logs** in the **Activity** section of Azure AD. ++![New Audit logs page, with sample info](media/whats-new/audit-logs-page.png) ++For more information about the new **Audit logs** page, see [Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md). 
++++### New warnings and guidance to help prevent accidental administrator lockout from misconfigured Conditional Access policies ++**Type:** Changed feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection ++To help prevent administrators from accidentally locking themselves out of their own tenants through misconfigured Conditional Access policies, we've created new warnings and updated guidance in the Azure portal. For more information about the new guidance, see [What are service dependencies in Azure Active Directory Conditional Access](../conditional-access/service-dependencies.md). ++++### Improved end-user terms of use experiences on mobile devices ++**Type:** Changed feature +**Service category:** Terms of use +**Product capability:** Governance ++We've updated our existing terms of use experiences to help improve how you review and consent to terms of use on a mobile device. You can now zoom in and out, go back, download the information, and select hyperlinks. For more information about the updated terms of use, see [Azure Active Directory terms of use feature](../conditional-access/terms-of-use.md#what-terms-of-use-looks-like-for-users). ++++### New Azure AD Activity logs download experience available ++**Type:** Changed feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting ++You can now download large amounts of activity logs directly from the Azure portal. This update lets you: ++- Download up to 250,000 rows. ++- Get notified after the download completes. ++- Customize your file name. ++- Determine your output format, either JSON or CSV. 
++For more information about this feature, see [Quickstart: Download an audit report using the Azure portal](../reports-monitoring/howto-download-logs.md) ++++### Breaking change: Updates to condition evaluation by Exchange ActiveSync (EAS) ++**Type:** Plan for change +**Service category:** Conditional Access +**Product capability:** Access Control ++We're in the process of updating how Exchange ActiveSync (EAS) evaluates the following conditions: ++- User location, based on country/region or IP address ++- Sign-in risk ++- Device platform ++If you've previously used these conditions in your Conditional Access policies, be aware that the condition behavior might change. For example, if you previously used the user location condition in a policy, you might find the policy now being skipped based on the location of your user. ++ |
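Review bot: In the "Administrators can now use Conditional Access for the combined registration process" entry, the bullet "Users are a low sign-in risk" should read "Users have a low sign-in risk" so it parallels the other three bullets (on a trusted network, on a managed device, agree to the terms of use). Separately, the "Restore and manage your deleted Office 365 groups" entry calls the feature "Office 365 groups" while its link fragment is `#view-and-manage-the-deleted-microsoft-365-groups-that-are-available-to-restore`; the fragment should be checked against the current heading of groups-restore-deleted.md, since a renamed heading would leave the link landing at the top of the page.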
active-directory | Whats New Sovereign Clouds | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-sovereign-clouds.md | An IT admin can now add multiple domains to a single SAML/WS-Fed identity provid **Service category:** Conditional Access **Product capability:** Identity Security & Protection -This risk detection baselines normal administrative user behavior in Azure AD, and spots anomalous patterns of behavior like suspicious changes to the directory. The detection is triggered against the administrator making the change or the object that was changed. For more information, see: [User-linked detections](../identity-protection/concept-identity-protection-risks.md#user-linked-detections). +This risk detection baselines normal administrative user behavior in Azure AD, and spots anomalous patterns of behavior like suspicious changes to the directory. The detection is triggered against the administrator making the change or the object that was changed. For more information, see: [User-linked detections](../identity-protection/concept-identity-protection-risks.md). |
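Review bot: Removing the `#user-linked-detections` fragment from the link in the administrative-behavior detection paragraph sends readers to the top of concept-identity-protection-risks.md while the link text still says "User-linked detections", so the text no longer describes where the link lands. The rewrite of that article elsewhere in this changeset replaces the user-linked section with a "User risk detections" table; either point the link at the new heading or change the link text to match the article title.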
active-directory | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new.md | The Entitlement Management service can now be targeted in the conditional access **Service category:** Azure Mobile App **Product capability:** End User Experiences -The Azure Mobile app now includes a section for Azure Active Directory. Within Azure Active Directory on mobile, user can search for and view more details about user and groups. Additionally, permitted users can invite guest users to their active tenant, assign group memberships and ownerships for users, and view user sign-in logs. For more information, see: [What is Azure Active Directory?](../fundamentals/active-directory-whatis.md). +The Azure Mobile app now includes a section for Azure Active Directory. Within Azure Active Directory on mobile, user can search for and view more details about user and groups. Additionally, permitted users can invite guest users to their active tenant, assign group memberships and ownerships for users, and view user sign-in logs. For more information, see: [Get the Azure mobile app](https://azure.microsoft.com/get-started/azure-portal/mobile-app/). The Azure AD on-premises application provisioning feature now supports both the **Service category:** Identity Protection **Product capability:** Identity Security & Protection -Identity Protection has added a new detection, using the Microsoft Threat Intelligence database, to detect sign-in's performed from IP addresses of known nation state and cyber-crime actors and allow customers to block these sign-in's by using risk-based conditional access policies. For more information, see: [Sign-in risk](../identity-protection/concept-identity-protection-risks.md#sign-in-risk). 
+Identity Protection has added a new detection, using the Microsoft Threat Intelligence database, to detect sign-ins performed from IP addresses of known nation state and cyber-crime actors and allow customers to block these sign-ins by using risk-based conditional access policies. For more information, see: [Sign-in risk](../identity-protection/concept-identity-protection-risks.md). Unfamiliar sign-in properties risk detection now provides risk reasons as to whi Identity Protection now surfaces the unfamiliar properties in the Azure portal on UX and in API as *Additional Info* with a user-friendly description explaining that *the following properties are unfamiliar for this sign-in of the given user*. -There's no additional work to enable this feature, the unfamiliar properties are shown by default. For more information, see: [Sign-in risk](../identity-protection/concept-identity-protection-risks.md#sign-in-risk). +There's no additional work to enable this feature, the unfamiliar properties are shown by default. For more information, see: [Sign-in risk](../identity-protection/concept-identity-protection-risks.md). |
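Review bot: Both "Sign-in risk" links (the nation-state IP detection entry and the unfamiliar sign-in properties entry) lose their `#sign-in-risk` fragment but keep the "Sign-in risk" link text, so they now land on the top of the risks article rather than the section the text names; the rewritten risks article in this changeset titles that section "Sign-in risk detections", so consider targeting that heading instead of dropping the fragment. While the Azure Mobile app line is being touched, "user can search for and view more details about user and groups" should read "users can search for and view more details about users and groups".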
active-directory | How To Connect Fed Group Claims | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-group-claims.md | You can configure group claim to include the group display name for the cloud-on ![Screenshot that shows the configuration to emit on-premises group attribute for synced groups and display name for cloud groups.](media/how-to-connect-fed-group-claims/group-claims-ui-9.png) +> [!Note] +> You can only add cloud-group names of assigned groups to an application. The restriction to `groups assigned to the application` is because a group name is not unique, and display names can only be emitted for groups explicitly assigned to the application to reduce the security risks. Otherwise, any user could create a group with duplicate name and gain access in the application side. ### Set advanced options |
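Review bot: In the added note, `[!Note]` should be `[!NOTE]` to match the alert syntax used in the other articles in this changeset (whatis-phs.md uses `>[!NOTE]`), and `groups assigned to the application` is prose rather than code, so the backticks should go. The security rationale is the right one and deserves a plainer sentence, for example: "Group display names aren't unique, so display names are emitted only for groups explicitly assigned to the application; otherwise any user could create a group with a duplicate name and gain access on the application side."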
active-directory | Whatis Phs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/whatis-phs.md | Password hash synchronization helps by reducing the number of passwords, your us * Improve the productivity of your users. * Reduce your helpdesk costs. -Password Hash Sync also enables [leaked credential detection](../../identity-protection/concept-identity-protection-risks.md#user-linked-detections) for your hybrid accounts. Microsoft works alongside dark web researchers and law enforcement agencies to find publicly available username/password pairs. If any of these pairs match those of our users, the associated account is moved to high risk. +Password Hash Sync also enables [leaked credential detection](../../identity-protection/concept-identity-protection-risks.md#leaked-credentials) for your hybrid accounts. Microsoft works alongside dark web researchers and law enforcement agencies to find publicly available username/password pairs. If any of these pairs match those of our users, the associated account is moved to high risk. >[!NOTE] > Only new leaked credentials found after you enable PHS will be processed against your tenant. Verifying against previously found credential pairs is not performed. |
active-directory | Concept Identity Protection B2b | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-b2b.md | Last updated 08/22/2022 -+ |
active-directory | Concept Identity Protection Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-policies.md | More information about Azure AD multifactor authentication can be found in the a ## Next steps -- [Enable Azure AD self-service password reset](../authentication/howto-sspr-deployment.md)-- [Enable Azure AD multifactor authentication](../authentication/howto-mfa-getstarted.md) - [Enable Azure AD multifactor authentication registration policy](howto-identity-protection-configure-mfa-policy.md) - [Enable sign-in and user risk policies](howto-identity-protection-configure-risk-policies.md) |
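Review bot: The Next steps hunk drops the "Enable Azure AD self-service password reset" and "Enable Azure AD multifactor authentication" links without a replacement, while the paragraph just above still directs readers to more information about Azure AD multifactor authentication ("More information about Azure AD multifactor authentication can be found in the a..."). If the list is being narrowed to Identity Protection-specific steps, keep the MFA deployment link in that paragraph or state the reason for the removal in the commit message, so readers of the risk policy and MFA registration policy articles still have a path to the MFA and SSPR setup guides.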
active-directory | Concept Identity Protection Risks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-risks.md | Title: What is risk? Azure AD Identity Protection + Title: What are risks in Azure AD Identity Protection description: Explaining risk in Azure AD Identity Protection Previously updated : 11/10/2022 Last updated : 06/14/2023 -# What is risk? +# What are risk detections? Risk detections in Azure AD Identity Protection include any identified suspicious actions related to user accounts in the directory. Risk detections (both user and sign-in linked) contribute to the overall user risk score that is found in the Risky Users report. Identity Protection provides organizations access to powerful resources to see a Risk can be detected at the **User** and **Sign-in** level and two types of detection or calculation **Real-time** and **Offline**. Some risks are considered premium available to Azure AD Premium P2 customers only, while others are available to Free and Azure AD Premium P1 customers. -A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Risky activity can be detected for a user that isn't linked to a specific malicious sign-in but to the user itself. +A sign-in risk represents the probability that a given authentication request isn't the authorized identity owner. Risky activity can be detected for a user that isn't linked to a specific malicious sign-in but to the user itself. Real-time detections may not show up in reporting for 5 to 10 minutes. Offline detections may not show up in reporting for 48 hours. Real-time detections may not show up in reporting for 5 to 10 minutes. Offline d > > Our system will dismiss the risk state and a risk detail of ΓÇ£AI confirmed sign-in safeΓÇ¥ will show and no longer contribute to the userΓÇÖs overall risk. 
-### Premium detections +### Sign-in risk detections -Premium detections are visible only to Azure AD Premium P2 customers. Customers without Azure AD Premium P2 licenses still receive the premium detections but they'll be titled "additional risk detected". +| Risk detection | Detection type | Type | +| | | | +| [Atypical travel](#atypical-travel) | Offline | Premium | +| [Anomalous Token](#anomalous-token) | Offline | Premium | +| [Token Issuer Anomaly](#token-issuer-anomaly) | Offline | Premium | +| [Malware linked IP address](#malware-linked-ip-address-deprecated) | Offline | Premium **[This detection has been deprecated](../fundamentals/whats-new-archive.md#planned-deprecationmalware-linked-ip-address-detection-in-identity-protection)**. | +| [Suspicious browser](#suspicious-browser) | Offline | Premium | +| [Unfamiliar sign-in properties](#unfamiliar-sign-in-properties) | Real-time | Premium | +| [Malicious IP address](#malicious-ip-address) | Offline | Premium | +| [Suspicious inbox manipulation rules](#suspicious-inbox-manipulation-rules) | Offline | Premium | +| [Password spray](#password-spray) | Offline | Premium | +| [Impossible travel](#impossible-travel) | Offline | Premium | +| [New country](#new-country) | Offline | Premium | +| [Activity from anonymous IP address](#activity-from-anonymous-ip-address) | Offline | Premium | +| [Suspicious inbox forwarding](#suspicious-inbox-forwarding) | Offline | Premium | +| [Mass Access to Sensitive Files](#mass-access-to-sensitive-files) | Offline | Premium | +| [Verified threat actor IP](#verified-threat-actor-ip) | Real-time | Premium | +| [Additional risk detected](#additional-risk-detected-sign-in) | Real-time or Offline | Nonpremium | +| [Anonymous IP address](#anonymous-ip-address) | Real-time | Nonpremium | +| [Admin confirmed user compromised](#admin-confirmed-user-compromised) | Offline | Nonpremium | +| [Azure AD threat intelligence](#azure-ad-threat-intelligence-sign-in) | Offline | Nonpremium | ++### 
User risk detections ++| Risk detection | Detection type | Type | +| | | | +| [Possible attempt to access Primary Refresh Token (PRT)](#possible-attempt-to-access-primary-refresh-token-prt) | Offline | Premium | +| [Anomalous user activity](#anomalous-user-activity) | Offline | Premium | +| [User reported suspicious activity](#user-reported-suspicious-activity) | Offline | Premium | +| [Additional risk detected](#additional-risk-detected-user) | Real-time or Offline | Nonpremium | +| [Leaked credentials](#leaked-credentials) | Offline | Nonpremium | +| [Azure AD threat intelligence](#azure-ad-threat-intelligence-user) | Offline | Nonpremium | -### Sign-in risk +## Premium detections -#### Premium sign-in risk detections +The following premium detections are visible only to Azure AD Premium P2 customers. -| Risk detection | Detection type | Description | -| | | | -| Atypical travel | Offline | This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. The algorithm takes into account multiple factors including the time between the two sign-ins and the time it would have taken for the user to travel from the first location to the second. This risk may indicate that a different user is using the same credentials. <br><br> The algorithm ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user's sign-in behavior. | -| Anomalous Token | Offline | This detection indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens. 
<br><br> **NOTE:** Anomalous token is tuned to incur more noise than other detections at the same risk level. This tradeoff is chosen to increase the likelihood of detecting replayed tokens that may otherwise go unnoticed. Because this is a high noise detection, there's a higher than normal chance that some of the sessions flagged by this detection are false positives. We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. If the location, application, IP address, User Agent, or other characteristics are unexpected for the user, the tenant admin should consider this risk as an indicator of potential token replay. | -| Token Issuer Anomaly | Offline |This risk detection indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns. | -| Malware linked IP address | Offline | This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. This detection matches the IP addresses of the user's device against IP addresses that were in contact with a bot server while the bot server was active. <br><br> **This detection has been deprecated**. Identity Protection will no longer generate new "Malware linked IP address" detections. Customers who currently have "Malware linked IP address" detections in their tenant will still be able to view, remediate, or dismiss them until the 90-day detection retention time is reached.| -| Suspicious browser | Offline | Suspicious browser detection indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser. | -| Unfamiliar sign-in properties | Real-time |This risk detection type considers past sign-in history to look for anomalous sign-ins. 
The system stores information about previous sign-ins, and triggers a risk detection when a sign-in occurs with properties that are unfamiliar to the user. These properties can include IP, ASN, location, device, browser, and tenant IP subnet. Newly created users will be in "learning mode" period where the unfamiliar sign-in properties risk detection will be turned off while our algorithms learn the user's behavior. The learning mode duration is dynamic and depends on how much time it takes the algorithm to gather enough information about the user's sign-in patterns. The minimum duration is five days. A user can go back into learning mode after a long period of inactivity. <br><br> We also run this detection for basic authentication (or legacy protocols). Because these protocols don't have modern properties such as client ID, there's limited telemetry to reduce false positives. We recommend our customers to move to modern authentication. <br><br> Unfamiliar sign-in properties can be detected on both interactive and non-interactive sign-ins. When this detection is detected on non-interactive sign-ins, it deserves increased scrutiny due to the risk of token replay attacks. | -| Malicious IP address | Offline | This detection indicates sign-in from a malicious IP address. An IP address is considered malicious based on high failure rates because of invalid credentials received from the IP address or other IP reputation sources. | -| Suspicious inbox manipulation rules | Offline | This detection is discovered by [Microsoft Defender for Cloud Apps](/cloud-app-security/anomaly-detection-policy#suspicious-inbox-manipulation-rules). This detection looks at your environment and triggers alerts when suspicious rules that delete or move messages or folders are set on a user's inbox. This detection may indicate: a user's account is compromised, messages are being intentionally hidden, and the mailbox is being used to distribute spam or malware in your organization. 
| -| Password spray | Offline | A password spray attack is where multiple usernames are attacked using common passwords in a unified brute force manner to gain unauthorized access. This risk detection is triggered when a password spray attack has been successfully performed. For example, the attacker is successfully authenticated, in the detected instance. | -| Impossible travel | Offline | This detection is discovered by [Microsoft Defender for Cloud Apps](/cloud-app-security/anomaly-detection-policy#impossible-travel). This detection identifies user activities (is a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second. This risk may indicate that a different user is using the same credentials. | -| New country | Offline | This detection is discovered by [Microsoft Defender for Cloud Apps](/cloud-app-security/anomaly-detection-policy#activity-from-infrequent-country). This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization. | -| Activity from anonymous IP address | Offline | This detection is discovered by [Microsoft Defender for Cloud Apps](/cloud-app-security/anomaly-detection-policy#activity-from-anonymous-ip-addresses). This detection identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. | -| Suspicious inbox forwarding | Offline | This detection is discovered by [Microsoft Defender for Cloud Apps](/cloud-app-security/anomaly-detection-policy#suspicious-inbox-forwarding). This detection looks for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. 
| -| Mass Access to Sensitive Files | Offline | This detection is discovered by [Microsoft Defender for Cloud Apps](/defender-cloud-apps/investigate-anomaly-alerts#unusual-file-access-by-user). This detection looks at your environment and triggers alerts when users access multiple files from Microsoft SharePoint or Microsoft OneDrive. An alert is triggered only if the number of accessed files is uncommon for the user and the files might contain sensitive information| -| Verified threat actor IP | Real-time | This risk detection type indicates sign-in activity that is consistent with known IP addresses associated with nation state actors or cyber crime groups, based on Microsoft Threat Intelligence Center (MSTIC).| --#### Nonpremium sign-in risk detections --| Risk detection | Detection type | Description | -| | | | -| Additional risk detected | Real-time or Offline | This detection indicates that one of the premium detections was detected. Since the premium detections are visible only to Azure AD Premium P2 customers, they're titled "additional risk detected" for customers without Azure AD Premium P2 licenses. | -| Anonymous IP address | Real-time | This risk detection type indicates sign-ins from an anonymous IP address (for example, Tor browser or anonymous VPN). These IP addresses are typically used by actors who want to hide their sign-in information (IP address, location, device, and so on) for potentially malicious intent. | -| Admin confirmed user compromised | Offline | This detection indicates an admin has selected 'Confirm user compromised' in the Risky users UI or using riskyUsers API. To see which admin has confirmed this user compromised, check the user's risk history (via UI or API). | -| Azure AD threat intelligence | Offline | This risk detection type indicates user activity that is unusual for the user or consistent with known attack patterns. This detection is based on Microsoft's internal and external threat intelligence sources. 
| +### Premium sign-in risk detections -### User-linked detections +#### Atypical travel -#### Premium user risk detections +**Calculated offline**. This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. The algorithm takes into account multiple factors including the time between the two sign-ins and the time it would have taken for the user to travel from the first location to the second. This risk may indicate that a different user is using the same credentials. -| Risk detection | Detection type | Description | -| | | | -| Possible attempt to access Primary Refresh Token (PRT) | Offline | This risk detection type is detected by Microsoft Defender for Endpoint (MDE). A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10, Windows Server 2016, and later versions, iOS, and Android devices. A PRT is a JSON Web Token (JWT) that's specially issued to Microsoft first-party token brokers to enable single sign-on (SSO) across the applications used on those devices. Attackers can attempt to access this resource to move laterally into an organization or perform credential theft. This detection will move users to high risk and will only fire in organizations that have deployed MDE. This detection is low-volume and will be seen infrequently by most organizations. However, when it does occur it's high risk and users should be remediated. | -| Anomalous user activity | Offline | This risk detection baselines normal administrative user behavior in Azure AD, and spots anomalous patterns of behavior like suspicious changes to the directory. The detection is triggered against the administrator making the change or the object that was changed. 
| -| User reported suspicious activity | Offline | This risk detection is reported by a user who denied a multifactor authentication (MFA) prompt and [reported it as suspicious activity](../authentication/howto-mfa-mfasettings.md#report-suspicious-activity). An MFA prompt that wasn't initiated by the user may mean that the user’s credentials have been compromised. | +The algorithm ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user's sign-in behavior. +#### Anomalous token -#### Nonpremium user risk detections +**Calculated offline**. This detection indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens. -| Risk detection | Detection type | Description | -| | | | -| Additional risk detected | Real-time or Offline | This detection indicates that one of the premium detections was detected. Since the premium detections are visible only to Azure AD Premium P2 customers, they're titled "additional risk detected" for customers without Azure AD Premium P2 licenses. | -| Leaked credentials | Offline | This risk detection type indicates that the user's valid credentials have been leaked. When cybercriminals compromise valid passwords of legitimate users, they often share those credentials. This sharing is typically done by posting publicly on the dark web, paste sites, or by trading and selling the credentials on the black market. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they're checked against Azure AD users' current valid credentials to find valid matches. 
For more information about leaked credentials, see [Common questions](#common-questions). | -| Azure AD threat intelligence | Offline | This risk detection type indicates user activity that is unusual for the user or consistent with known attack patterns. This detection is based on Microsoft's internal and external threat intelligence sources. | +> [!NOTE] +> Anomalous token is tuned to incur more noise than other detections at the same risk level. This tradeoff is chosen to increase the likelihood of detecting replayed tokens that may otherwise go unnoticed. Because this is a high noise detection, there's a higher than normal chance that some of the sessions flagged by this detection are false positives. We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. If the location, application, IP address, User Agent, or other characteristics are unexpected for the user, the tenant admin should consider this risk as an indicator of potential token replay. ++#### Token issuer anomaly ++**Calculated offline**. This risk detection indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns. ++#### Malware linked IP address (deprecated) ++**Calculated offline**. This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. This detection matches the IP addresses of the user's device against IP addresses that were in contact with a bot server while the bot server was active. **[This detection has been deprecated](../fundamentals/whats-new-archive.md#planned-deprecationmalware-linked-ip-address-detection-in-identity-protection)**. Identity Protection no longer generates new "Malware linked IP address" detections. 
Customers who currently have "Malware linked IP address" detections in their tenant will still be able to view, remediate, or dismiss them until the 90-day detection retention time is reached. ++#### Suspicious browser ++**Calculated offline**. Suspicious browser detection indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser. ++#### Unfamiliar sign-in properties ++**Calculated in real-time**. This risk detection type considers past sign-in history to look for anomalous sign-ins. The system stores information about previous sign-ins, and triggers a risk detection when a sign-in occurs with properties that are unfamiliar to the user. These properties can include IP, ASN, location, device, browser, and tenant IP subnet. Newly created users are in "learning mode" period where the unfamiliar sign-in properties risk detection is turned off while our algorithms learn the user's behavior. The learning mode duration is dynamic and depends on how much time it takes the algorithm to gather enough information about the user's sign-in patterns. The minimum duration is five days. A user can go back into learning mode after a long period of inactivity. ++We also run this detection for basic authentication (or legacy protocols). Because these protocols don't have modern properties such as client ID, there's limited telemetry to reduce false positives. We recommend our customers to move to modern authentication. ++Unfamiliar sign-in properties can be detected on both interactive and non-interactive sign-ins. When this detection is detected on non-interactive sign-ins, it deserves increased scrutiny due to the risk of token replay attacks. ++Selecting an unfamiliar sign-in properties risk allows you to see **Additional Info** showing you more detail about why this risk triggered. The following screenshot shows an example of these details. +++#### Malicious IP address ++**Calculated offline**. 
This detection indicates sign-in from a malicious IP address. An IP address is considered malicious based on high failure rates because of invalid credentials received from the IP address or other IP reputation sources. ++#### Suspicious inbox manipulation rules ++**Calculated offline**. This detection is discovered using information provided by [Microsoft Defender for Cloud Apps](/cloud-app-security/anomaly-detection-policy#suspicious-inbox-manipulation-rules). This detection looks at your environment and triggers alerts when suspicious rules that delete or move messages or folders are set on a user's inbox. This detection may indicate: a user's account is compromised, messages are being intentionally hidden, and the mailbox is being used to distribute spam or malware in your organization. ++#### Password spray ++**Calculated offline**. A password spray attack is where multiple usernames are attacked using common passwords in a unified brute force manner to gain unauthorized access. This risk detection is triggered when a password spray attack has been successfully performed. For example, the attacker is successfully authenticated, in the detected instance. ++#### Impossible travel ++**Calculated offline**. This detection is discovered using information provided by [Microsoft Defender for Cloud Apps](/cloud-app-security/anomaly-detection-policy#impossible-travel). This detection identifies user activities (is a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second. This risk may indicate that a different user is using the same credentials. ++#### New country ++**Calculated offline**. This detection is discovered using information provided by [Microsoft Defender for Cloud Apps](/cloud-app-security/anomaly-detection-policy#activity-from-infrequent-country). 
This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization. ++#### Activity from anonymous IP address ++**Calculated offline**. This detection is discovered using information provided by [Microsoft Defender for Cloud Apps](/cloud-app-security/anomaly-detection-policy#activity-from-anonymous-ip-addresses). This detection identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. ++#### Suspicious inbox forwarding ++**Calculated offline**. This detection is discovered using information provided by [Microsoft Defender for Cloud Apps](/cloud-app-security/anomaly-detection-policy#suspicious-inbox-forwarding). This detection looks for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. ++#### Mass access to sensitive files ++**Calculated offline**. This detection is discovered using information provided by [Microsoft Defender for Cloud Apps](/defender-cloud-apps/investigate-anomaly-alerts#unusual-file-access-by-user). This detection looks at your environment and triggers alerts when users access multiple files from Microsoft SharePoint or Microsoft OneDrive. An alert is triggered only if the number of accessed files is uncommon for the user and the files might contain sensitive information ++#### Verified threat actor IP ++**Calculated in real-time**. This risk detection type indicates sign-in activity that is consistent with known IP addresses associated with nation state actors or cyber crime groups, based on Microsoft Threat Intelligence Center (MSTIC). ++### Premium user risk detections ++#### Possible attempt to access Primary Refresh Token (PRT) ++**Calculated offline**. This risk detection type is discovered using information provided by Microsoft Defender for Endpoint (MDE). 
A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10, Windows Server 2016, and later versions, iOS, and Android devices. A PRT is a JSON Web Token (JWT) that's specially issued to Microsoft first-party token brokers to enable single sign-on (SSO) across the applications used on those devices. Attackers can attempt to access this resource to move laterally into an organization or perform credential theft. This detection moves users to high risk and only fires in organizations that have deployed MDE. This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated. ++#### Anomalous user activity ++**Calculated offline**. This risk detection baselines normal administrative user behavior in Azure AD, and spots anomalous patterns of behavior like suspicious changes to the directory. The detection is triggered against the administrator making the change or the object that was changed. ++#### User reported suspicious activity ++**Calculated offline**. This risk detection is reported when a user denies a multifactor authentication (MFA) prompt and [reports it as suspicious activity](../authentication/howto-mfa-mfasettings.md#report-suspicious-activity). An MFA prompt not initiated by a user may mean their credentials are compromised. ++## Nonpremium detections ++Customers without Azure AD Premium P2 licenses receive detections titled "additional risk detected" without the detailed information regarding the detection that customers with P2 licenses do. ++### Nonpremium sign-in risk detections ++#### Additional risk detected (sign-in) ++**Calculated in real-time or offline**. This detection indicates that one of the premium detections was detected. Since the premium detections are visible only to Azure AD Premium P2 customers, they're titled "additional risk detected" for customers without Azure AD Premium P2 licenses. 
++#### Anonymous IP address ++**Calculated in real-time**. This risk detection type indicates sign-ins from an anonymous IP address (for example, Tor browser or anonymous VPN). These IP addresses are typically used by actors who want to hide their sign-in information (IP address, location, device, and so on) for potentially malicious intent. ++#### Admin confirmed user compromised ++**Calculated offline**. This detection indicates an admin has selected 'Confirm user compromised' in the Risky users UI or using riskyUsers API. To see which admin has confirmed this user compromised, check the user's risk history (via UI or API). ++#### Azure AD threat intelligence (sign-in) ++**Calculated offline**. This risk detection type indicates user activity that is unusual for the user or consistent with known attack patterns. This detection is based on Microsoft's internal and external threat intelligence sources. ++### Nonpremium user risk detections ++#### Additional risk detected (user) ++**Calculated in real-time or offline**. This detection indicates that one of the premium detections was detected. Since the premium detections are visible only to Azure AD Premium P2 customers, they're titled "additional risk detected" for customers without Azure AD Premium P2 licenses. ++#### Leaked credentials ++**Calculated offline**. This risk detection type indicates that the user's valid credentials have been leaked. When cybercriminals compromise valid passwords of legitimate users, they often share these gathered credentials. This sharing is typically done by posting publicly on the dark web, paste sites, or by trading and selling the credentials on the black market. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they're checked against Azure AD users' current valid credentials to find valid matches. For more information about leaked credentials, see [Common questions](#common-questions). 
++#### Azure AD threat intelligence (user) ++**Calculated offline**. This risk detection type indicates user activity that is unusual for the user or consistent with known attack patterns. This detection is based on Microsoft's internal and external threat intelligence sources. ## Common questions Risk detections like leaked credentials require the presence of password hashes Disabled user accounts can be re-enabled. If the credentials of a disabled account are compromised, and the account gets re-enabled, bad actors might use those credentials to gain access. Identity Protection generates risk detections for suspicious activities against disabled user accounts to alert customers about potential account compromise. If an account is no longer in use and wont be re-enabled, customers should consider deleting it to prevent compromise. No risk detections are generated for deleted accounts. -### Leaked credentials --#### Where does Microsoft find leaked credentials? +### Where does Microsoft find leaked credentials? Microsoft finds leaked credentials in various places, including: Microsoft finds leaked credentials in various places, including: - Law enforcement agencies. - Other groups at Microsoft doing dark web research. -#### Why am I not seeing any leaked credentials? +### Why am I not seeing any leaked credentials? -Leaked credentials are processed anytime Microsoft finds a new, publicly available batch. Because of the sensitive nature, the leaked credentials are deleted shortly after processing. Only new leaked credentials found after you enable password hash synchronization (PHS) will be processed against your tenant. Verifying against previously found credential pairs isn't done. +Leaked credentials are processed anytime Microsoft finds a new, publicly available batch. Because of the sensitive nature, the leaked credentials are deleted shortly after processing. 
Only new leaked credentials found after you enable password hash synchronization (PHS) are processed against your tenant. Verifying against previously found credential pairs isn't done. -#### I haven't seen any leaked credential risk events for quite some time? +### I haven't seen any leaked credential risk events for quite some time If you haven't seen any leaked credential risk events, it is because of the following reasons: - You don't have PHS enabled for your tenant. - Microsoft has not found any leaked credential pairs that match your users. -#### How often does Microsoft process new credentials? +### How often does Microsoft process new credentials? Credentials are processed immediately after they have been found, normally in multiple batches per day. ### Locations -Location in risk detections is determined by IP address lookup. +Location in risk detections is determined using IP address lookup. ## Next steps - [Policies available to mitigate risks](concept-identity-protection-policies.md) - [Investigate risk](howto-identity-protection-investigate-risk.md) - [Remediate and unblock users](howto-identity-protection-remediate-unblock.md)-- [Security overview](concept-identity-protection-security-overview.md)+- [Security overview](concept-identity-protection-security-overview.md) |
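Review bot: the rewritten sentence in the sign-in risk paragraph, `+A sign-in risk represents the probability that a given authentication request isn't the authorized identity owner`, makes the request the thing that is or isn't an owner, which doesn't parse; suggest `isn't made by the authorized identity owner`, or keep the original wording `isn't authorized by the identity owner`, which was grammatical.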
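Review bot: the new `#### Impossible travel` paragraph carries over the garbled parenthetical `(is a single or multiple sessions)` from the old table row; since the text is being restructured anyway, change it to `(in a single session or across multiple sessions)`. In the same region, the `#### Mass access to sensitive files` paragraph drops the period after `the files might contain sensitive information`.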
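Review bot: in the new `## Nonpremium detections` intro, `without the detailed information regarding the detection that customers with P2 licenses do` leaves `do` with no verb to stand in for; suggest `... that customers with P2 licenses receive`.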
active-directory | Concept Identity Protection Security Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-security-overview.md | Last updated 08/22/2022 -+ |
active-directory | Concept Identity Protection User Experience | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-user-experience.md | Last updated 11/11/2022 -+ |
active-directory | Howto Export Risk Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-export-risk-data.md | Last updated 01/24/2023 -+ |
active-directory | Howto Identity Protection Configure Mfa Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy.md | Last updated 01/03/2023 -+ |
active-directory | Howto Identity Protection Configure Notifications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-configure-notifications.md | Last updated 08/22/2022 -+ |
active-directory | Howto Identity Protection Graph Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-graph-api.md | Last updated 09/13/2022 -+ |
active-directory | Howto Identity Protection Investigate Risk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-investigate-risk.md | Selecting individual entries expands a details window below the detections. The ## Risky users +The risky users report lists all users whose accounts are currently or were considered at risk of compromise. Risky users should be investigated and remediated to prevent unauthorized access to resources. ++### Why is a user at risk? ++A user becomes a risky user when: ++- They have one or more risky sign-ins. +- There are one or more [risks](concept-identity-protection-risks.md) detected on the user’s account, like Leaked Credentials. ++### How to investigate risky users? ++To view and investigate a user’s risky sign-ins, select the “Recent risky sign-ins” tab or the “Users risky sign-ins” link. ++To view and investigate risks on a user’s account, select the “Detections not linked to a sign-in” tab or the “User’s risk detections” link. ++The Risk history tab also shows all the events that have led to a user risk change in the last 90 days. This list includes risk detections that increased the user’s risk and admin remediation actions that lowered the user’s risk. View it to understand how the user’s risk has changed. + :::image type="content" source="media/howto-identity-protection-investigate-risk/risky-users-without-details.png" alt-text="Risky users report in the Azure portal" lightbox="media/howto-identity-protection-investigate-risk/risky-users-with-details.png"::: With the information provided by the risky users report, administrators can find: Administrators can then choose to take action on these events. 
Administrators ca - Confirm user compromise - Dismiss user risk - Block user from signing in-- Investigate further using Microsoft Defender for Identity+- [Investigate further using Microsoft Defender for Identity](#investigate-risk-with-microsoft-365-defender) ## Risky sign-ins Organizations may use the following frameworks to begin their investigation into 1. IP address 1. User agent string 1. If you have access to other security tools like [Microsoft Sentinel](../../sentinel/overview.md), check for corresponding alerts that might indicate a larger issue.+ 1. Organizations with access to [Microsoft 365 Defender](/defender-for-identity/understanding-security-alerts) can follow a user risk event through other related alerts and incidents and the MITRE ATT&CK chain. + 1. Select the user in the Risky users report. + 1. Select the **ellipsis (...)** in the toolbar then choose **Investigate with Microsoft 365 Defender**. 1. Reach out to the user to confirm if they recognize the sign-in. Methods such as email or Teams may be compromised. 1. Confirm the information you have such as: 1. Application If more information is shown for the detection: 1. Ranges of IPs/ASNs 1. Time and frequency of sign-ins +## Investigate risk with Microsoft 365 Defender ++Organizations who have deployed [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender) and [Microsoft Defender for Identity](/defender-for-identity/what-is) gain extra value from Identity Protection signals. This value comes in the form of enhanced correlation with other data from other parts of the organization and extra [automated investigation and response](/microsoft-365/security/defender/m365d-autoir). 
+++In Microsoft 365 Defender Security Professionals and Administrators can make connections to suspicious activity from areas like: ++- Alerts in Defender for Identity +- Microsoft Defender for Endpoint +- Microsoft Defender for Cloud +- Microsoft Defender for Cloud Apps + +For more information about how to investigate suspicious activity using Microsoft 365 Defender, see the articles [Investigate assets in Microsoft Defender for Identity](/defender-for-identity/investigate-assets#investigation-steps-for-suspicious-users) and [Investigate incidents in Microsoft 365 Defender](/microsoft-365/security/defender/investigate-incidents). ++For more information about these alerts and their structure, see the article [Understanding security alerts](/defender-for-identity/understanding-security-alerts). ++### Investigation status ++When security personnel investigate risks in Microsoft 365 Defender and Defender for Identity the following states and reasons are returned to Identity Protection in the portal and APIs. 
++| Microsoft 365 Defender status | [Microsoft 365 Defender classification](/defender-for-identity/understanding-security-alerts#security-alert-classifications) | Azure AD Identity Protection risk state | Risk detail in Azure AD Identity Protection | +| | | | | +| New | False positive | Confirmed safe | `M365DAdminDismissedDetection` | +| New | Benign true positive | Confirmed safe | `M365DAdminDismissedDetection` | +| New | True positive | Confirmed compromised | `M365DAdminDismissedDetection` | +| In Progress | Not set | At risk | | +| In Progress | False positive | Confirmed safe | `M365DAdminDismissedDetection` | +| In Progress | Benign true positive | Confirmed safe | `M365DAdminDismissedDetection` | +| In Progress | True positive | Confirmed compromised | `M365DAdminDismissedDetection` | +| Resolved | Not set | Dismissed | `M365DAdminDismissedDetection` | +| Resolved | False positive | Confirmed safe | `M365DAdminDismissedDetection` | +| Resolved | Benign true positive | Confirmed safe | `M365DAdminDismissedDetection` | +| Resolved | True positive | Remediated | `M365DAdminDismissedDetection` | + ## Next steps - [Remediate and unblock users](howto-identity-protection-remediate-unblock.md)- - [Policies available to mitigate risks](concept-identity-protection-policies.md)- - [Enable sign-in and user risk policies](howto-identity-protection-configure-risk-policies.md) |
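Review bot: the new "How to investigate risky users?" subsection wraps UI element names in typographic quotes ("Recent risky sign-ins", "Users risky sign-ins", "Detections not linked to a sign-in", "User's risk detections"), which is also what produced the ΓÇ£/ΓÇ¥/ΓÇÖ mojibake above, while the rest of this article bolds UI elements (compare `Select the **ellipsis (...)** in the toolbar then choose **Investigate with Microsoft 365 Defender**`). Use bold for the tab and link names and straight apostrophes in "user's" so rendering doesn't depend on the file encoding, and make "Users risky sign-ins" and "User's risk detections" agree on the possessive.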
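Review bot: grammar in the new "Investigate risk with Microsoft 365 Defender" section: "Organizations who have deployed" should be "Organizations that have deployed"; "In Microsoft 365 Defender Security Professionals and Administrators can make connections" needs a comma after "Defender" (as written it reads as a product called "Microsoft 365 Defender Security Professionals"); and "enhanced correlation with other data from other parts of the organization" repeats "other". The bulleted list that follows mixes one alert source ("Alerts in Defender for Identity") with bare product names; make the four items parallel.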
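Review bot: in the Investigation status table every populated "Risk detail" cell is `M365DAdminDismissedDetection`, including the rows whose Identity Protection risk state is "Confirmed compromised" (New and In Progress with classification True positive) and "Remediated" (Resolved with True positive). A "dismissed" risk detail paired with a compromised or remediated state is either a copy-and-paste slip or behaviour that needs a sentence of explanation under the table; please verify each row against what the API actually returns before merging. The "In Progress / Not set / At risk" row is the only one with an empty Risk detail cell, so if that blank is intentional the text should say so.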
active-directory | Howto Identity Protection Remediate Unblock | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-remediate-unblock.md | After completing your [investigation](howto-identity-protection-investigate-risk ## Risk remediation -All active risk detections contribute to the calculation of the user's risk level. The user risk level is an indicator (low, medium, high) of the probability that the user's account has been compromised. As an administrator, after thorough investigation on the risky users and the corresponding risky sign-ins and detections, you want to remediate the risky users so that they're no longer at risk and won't be blocked. +All active risk detections contribute to the calculation of the user's risk level. The user risk level is an indicator (low, medium, high) of the probability that the user's account has been compromised. As an administrator, after thorough investigation of the risky users and the corresponding risky sign-ins and detections, you want to remediate the risky users so that they're no longer at risk and won't be blocked. -Some risk detections and the corresponding risky sign-ins may be marked by Identity Protection as dismissed with risk state "Dismissed" and risk detail "Azure AD Identity Protection assessed sign-in safe" because those events were no longer determined to be risky. +Identity Protection marks some risk detections and the corresponding risky sign-ins as dismissed with risk state "Dismissed" and risk detail "Azure AD Identity Protection assessed sign-in safe". It takes this action, because those events were no longer determined to be risky. 
Administrators have the following options to remediate:-- Set up [risk-based policies](howto-identity-protection-configure-risk-policies.md) to allow users to self-remediate their risks-- Manual password reset-- Dismiss user risk++- Set up [risk-based policies](howto-identity-protection-configure-risk-policies.md) to allow users to self-remediate their risks. +- Manually reset their password. +- Dismiss their user risk. +- [Remediate in Microsoft Defender for Identity](/defender-for-identity/remediation-actions). ### Self-remediation with risk-based policy -You can allow users to self-remediate their sign-in risks and user risks by setting up [risk-based policies](howto-identity-protection-configure-risk-policies.md). If users pass the required access control, such as Azure AD multifactor authentication (MFA) or secure password change, then their risks are automatically remediated. The corresponding risk detections, risky sign-ins, and risky users will be reported with the risk state "Remediated" instead of "At risk". +You can allow users to self-remediate their sign-in risks and user risks by setting up [risk-based policies](howto-identity-protection-configure-risk-policies.md). If users pass the required access control, such as Azure AD Multifactor Authentication or secure password change, then their risks are automatically remediated. The corresponding risk detections, risky sign-ins, and risky users are reported with the risk state "Remediated" instead of "At risk". Here are the prerequisites on users before risk-based policies can be applied to them to allow self-remediation of risks:+ - To perform MFA to self-remediate a sign-in risk: - - The user must have registered for Azure AD MFA. + - The user must have registered for Azure AD Multi-Factor Authentication. - To perform secure password change to self-remediate a user risk:- - The user must have registered for Azure AD MFA. + - The user must have registered for Azure AD Multi-Factor Authentication. 
- For hybrid users that are synced from on-premises to cloud, password writeback must have been enabled on them. -If a risk-based policy is applied to a user during sign-in before the above prerequisites are met, then the user will be blocked because they aren't able to perform the required access control, and admin intervention will be required to unblock the user. +If a risk-based policy is applied to a user during sign-in before the above prerequisites are met, then the user is blocked. This block action is because they aren't able to perform the required access control, and admin intervention is required to unblock the user. -Risk-based policies are configured based on risk levels and will only apply if the risk level of the sign-in or user matches the configured level. Some detections may not raise risk to the level where the policy will apply, and administrators will need to handle those risky users manually. Administrators may determine that extra measures are necessary like [blocking access from locations](../conditional-access/howto-conditional-access-policy-location.md) or lowering the acceptable risk in their policies. +Risk-based policies are configured based on risk levels and only apply if the risk level of the sign-in or user matches the configured level. Some detections may not raise risk to the level where the policy applies, and administrators need to handle those risky users manually. Administrators may determine that extra measures are necessary like [blocking access from locations](../conditional-access/howto-conditional-access-policy-location.md) or lowering the acceptable risk in their policies. ### Self-remediation with self-service password reset If after investigation and confirming that the user account isn't at risk of bei To **Dismiss user risk**, search for and select **Azure AD Risky users** in the Azure portal or the Entra portal, select the affected user, and select **Dismiss user(s) risk**. 
-When you select **Dismiss user risk**, the user will no longer be at risk, and all the risky sign-ins of this user and corresponding risk detections will be dismissed as well. +When you select **Dismiss user risk**, the user is no longer at risk, and all the risky sign-ins of this user and corresponding risk detections are dismissed as well. Because this method doesn't have an impact on the user's existing password, it doesn't bring their identity back into a safe state. |
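Review bot: in the second paragraph of "Risk remediation", drop the comma in "It takes this action, because those events were no longer determined to be risky"; the clause is restrictive. The sentence also flips tense mid-way (marks ... were no longer determined); "because it no longer determines those events to be risky" keeps the active voice the rewrite was going for.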
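Review bot: the product name is spelled two ways inside this one change: "Azure AD Multifactor Authentication" in the self-remediation paragraph and "Azure AD Multi-Factor Authentication" in both prerequisite bullets (the old text used "Azure AD MFA" consistently). Pick one spelling, and keep the "(MFA)" abbreviation on first use, because the bullet "To perform MFA to self-remediate a sign-in risk" still depends on it.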
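Review bot: the rewritten blocking sentence is awkward: "then the user is blocked. This block action is because they aren't able to perform the required access control, and admin intervention is required to unblock the user." Suggest "then the user is blocked, because they can't complete the required access control, and an administrator must unblock them." The point deserves crisp wording: a risk policy enabled before users have registered for MFA (or before password writeback is enabled for hybrid users) locks those users out instead of remediating them.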
active-directory | Howto Identity Protection Risk Feedback | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-risk-feedback.md | Last updated 08/23/2022 -+ |
active-directory | Howto Identity Protection Simulate Risk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-simulate-risk.md | Last updated 08/22/2022 -+ |
active-directory | Overview Identity Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/overview-identity-protection.md | -Identity Protection allows organizations to accomplish three key tasks: +Azure AD Identity Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. -- [Automate the detection and remediation of identity-based risks](howto-identity-protection-configure-risk-policies.md).-- [Investigate risks](howto-identity-protection-investigate-risk.md) using data in the portal.-- [Export risk detection data to other tools](howto-export-risk-data.md). +## Detect risks -Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure Active Directory, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses trillions of signals per day to identify and protect customers from threats. +Microsoft continually adds and updates detections in our catalog to protect organizations. These detections come from our learnings based on the analysis of trillions of signals each day from Active Directory, Microsoft Accounts, and in gaming with Xbox. This broad range of signals helps Identity Protection detect risky behaviors like: -The signals generated by and fed to Identity Protection, can be further fed into tools like Conditional Access to make access decisions, or fed back to a security information and event management (SIEM) tool for further investigation. +- Anonymous IP address usage +- Password spray attacks +- Leaked credentials +- and more... -## Why is automation important? 
+During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. -In the blog post *[Cyber Signals: Defending against cyber threats with the latest research, insights, and trends](https://www.microsoft.com/security/blog/2022/02/03/cyber-signals-defending-against-cyber-threats-with-the-latest-research-insights-and-trends/)* dated February 3, 2022 we shared a threat intelligence brief including the following statistics: +For a full listing of risks and how they're detected, see the article [What is risk](concept-identity-protection-risks.md). -> * Analyzed ...24 trillion security signals combined with intelligence we track by monitoring more than 40 nation-state groups and over 140 threat groups... -> * ...From January 2021 through December 2021, we’ve blocked more than 25.6 billion Azure AD brute force authentication attacks... +## Investigate -The sheer scale of signals and attacks requires some level of automation to be able to keep up. +Any risks detected on an identity are tracked with reporting. Identity Protection provides three key reports for administrators to investigate risks and take action: -## Detect risk +- **Risk detections:** Each risk detected is reported as a risk detection. +- **Risky sign-ins:** A risky sign-in is reported when there are one or more risk detections reported for that sign-in. +- **Risky users:** A Risky user is reported when either or both of the following are true: + - The user has one or more Risky sign-ins. + - One or more risk detections have been reported. -Identity Protection detects [risks](concept-identity-protection-risks.md) of many types, including: +For more information about how to use the reports, see the article [How To: Investigate risk](howto-identity-protection-investigate-risk.md). 
-- Anonymous IP address use-- Atypical travel-- Malware linked IP address-- Unfamiliar sign-in properties-- Leaked credentials-- Password spray-- and more...+## Remediate risks -The risk signals can trigger remediation efforts such as requiring: perform multifactor authentication, reset their password using self-service password reset, or block access until an administrator takes action. +Why automation is critical in security? -More detail on these and other risks including how or when they're calculated can be found in the article, [What is risk](concept-identity-protection-risks.md). +In the blog post *[Cyber Signals: Defending against cyber threats with the latest research, insights, and trends](https://www.microsoft.com/security/blog/2022/02/03/cyber-signals-defending-against-cyber-threats-with-the-latest-research-insights-and-trends/)* dated February 3, 2022 Microsoft shared a threat intelligence brief including the following statistics: -## Investigate risk +> Analyzed ...24 trillion security signals combined with intelligence we track by monitoring more than 40 nation-state groups and over 140 threat groups... +> +> ...From January 2021 through December 2021, we’ve blocked more than 25.6 billion Azure AD brute force authentication attacks... -Administrators can review detections and take manual action on them if needed. There are three key reports that administrators use for investigations in Identity Protection: +The sheer scale of signals and attacks requires some level of automation just to keep up. -- Risky users-- Risky sign-ins-- Risk detections+### Automatic remediation -More information can be found in the article, [How To: Investigate risk](howto-identity-protection-investigate-risk.md). 
+[Risk-based Conditional Access policies](howto-identity-protection-configure-risk-policies.md) can be enabled to require access controls such as providing a strong authentication method, perform multifactor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated. -### Risk levels +### Manual remediation -Identity Protection categorizes risk into tiers: low, medium, and high. +When user remediation isn't enabled, an administrator must manually review them in the reports in the portal, through the API, or in Microsoft 365 Defender. Administrators can perform manual actions to dismiss, confirm safe, or confirm compromise on the risks. -Microsoft doesn't provide specific details about how risk is calculated. Each level of risk brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user. +## Making use of the data -## Make further use of risk information +Data from Identity Protection can be exported to other tools for archive, further investigation, and correlation. The Microsoft Graph based APIs allow organizations to collect this data for further processing in a tool such as their SIEM. Information about how to access the Identity Protection API can be found in the article, [Get started with Azure Active Directory Identity Protection and Microsoft Graph](howto-identity-protection-graph-api.md) -Data from Identity Protection can be exported to other tools for archive and further investigation and correlation. The Microsoft Graph based APIs allow organizations to collect this data for further processing in a tool such as their SIEM. 
Information about how to access the Identity Protection API can be found in the article, [Get started with Azure Active Directory Identity Protection and Microsoft Graph](howto-identity-protection-graph-api.md) +Information about integrating Identity Protection information with Microsoft Sentinel can be found in the article, [Connect data from Azure AD Identity Protection](../../sentinel/data-connectors-reference.md#microsoft). -Information about integrating Identity Protection information with Microsoft Sentinel can be found in the article, [Connect data from Azure AD Identity Protection](../../sentinel/data-connectors/azure-active-directory-identity-protection.md). --Organizations can choose to store data for longer periods by changing diagnostic settings in Azure AD. They can choose to send data to a Log Analytics workspace, archive data to a storage account, stream data to Event Hubs, or send data to a partner solution. Detailed information about how to do so can be found in the article, [How To: Export risk data](howto-export-risk-data.md). +Organizations may store data for longer periods by changing the diagnostic settings in Azure AD. They can choose to send data to a Log Analytics workspace, archive data to a storage account, stream data to Event Hubs, or send data to another solution. Detailed information about how to do so can be found in the article, [How To: Export risk data](howto-export-risk-data.md). 
## Required roles Identity Protection requires users be a Security Reader, Security Operator, Secu | Role | Can do | Can't do | | | | |-| Global Administrator | Full access to Identity Protection | | -| Security Administrator | Full access to Identity Protection | Reset password for a user | -| Security Operator | View all Identity Protection reports and Overview <br><br> Dismiss user risk, confirm safe sign-in, confirm compromise | Configure or change policies <br><br> Reset password for a user <br><br> Configure alerts | -| Security Reader | View all Identity Protection reports and Overview | Configure or change policies <br><br> Reset password for a user <br><br> Configure alerts <br><br> Give feedback on detections | -| Global Reader | Read-only access to Identity Protection | | +| [Security Administrator](../roles/permissions-reference.md#security-administrator) | Full access to Identity Protection | Reset password for a user | +| [Security Operator](../roles/permissions-reference.md#security-operator) | View all Identity Protection reports and Overview <br><br> Dismiss user risk, confirm safe sign-in, confirm compromise | Configure or change policies <br><br> Reset password for a user <br><br> Configure alerts | +| [Security Reader](../roles/permissions-reference.md#security-reader) | View all Identity Protection reports and Overview | Configure or change policies <br><br> Reset password for a user <br><br> Configure alerts <br><br> Give feedback on detections | +| [Global Reader](../roles/permissions-reference.md#global-reader) | Read-only access to Identity Protection | | +| [Global Administrator](../roles/permissions-reference.md#global-administrator) | Full access to Identity Protection | | Currently, the Security Operator role can't access the Risky sign-ins report. 
More information on these rich reports can be found in the article, [How To: Inv ## Next steps -- [Plan an Identity Protection deployment](how-to-deploy-identity-protection.md)+- [Plan an Identity Protection deployment](how-to-deploy-identity-protection.md) |
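Review bot: the new "Detect risks" paragraph says the signals come "from Active Directory, Microsoft Accounts, and in gaming with Xbox", where the old text said "organizations with Azure Active Directory". "Active Directory" on its own reads as on-premises Active Directory Domain Services, which is not what the old sentence described, so restore "Azure Active Directory". The same paragraph mixes voices ("Microsoft continually adds ... our catalog ... our learnings"); use "Microsoft" or "its" throughout, and "and in gaming with Xbox" isn't parallel with the other two list items.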
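Review bot: the removed "### Risk levels" subsection was the only place this overview defined the tiers ("low, medium, and high") and stated that Microsoft doesn't provide details about how risk is calculated, yet the new text still says detections generate "a sign-in session risk level" on which "policies are then applied", and the remediation article in this same change set keys policy behaviour on those levels. Keep a one-sentence definition of the tiers with a link to concept-identity-protection-risks.md, or tell the reader where the levels are defined.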
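Review bot: "Why automation is critical in security?" is neither a grammatical sentence nor a heading. Either make it a heading in the file's style (for example "### Why automation matters") or a lead-in sentence ("Automation is critical because of the scale involved:") before the Cyber Signals quote. Converting the quote from two bulleted lines to two blockquote paragraphs is fine.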
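Review bot: two wording problems in "Remediate risks". The access-control list under "Automatic remediation" isn't parallel ("providing a strong authentication method, perform multifactor authentication, or perform a secure password reset"). Under "Manual remediation", "an administrator must manually review them" has no antecedent for "them" (the previous clause is about "user remediation"); say "must review the risky users and sign-ins". The heading "Making use of the data" would also match the imperative headings "Detect risks", "Investigate", "Remediate risks" better as "Use the data".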
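Review bot: the Sentinel link target changed from the connector-specific page `../../sentinel/data-connectors/azure-active-directory-identity-protection.md` to `../../sentinel/data-connectors-reference.md#microsoft`. The `#microsoft` anchor names a whole vendor section of the reference rather than the Identity Protection connector; confirm the anchor resolves to the connector's own entry (or link that entry's heading) so readers land on the right table.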
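Review bot: the role table still says Security Operator can "View all Identity Protection reports and Overview" while the sentence immediately after the table says "Currently, the Security Operator role can't access the Risky sign-ins report". Since this change reorders and re-links every row anyway, reconcile the two, for example "View Identity Protection reports and Overview (except Risky sign-ins)" in the "Can do" cell, so an operator sizing up least-privilege role assignments isn't misled by the table alone.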
active-directory | Reference Identity Protection Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/reference-identity-protection-glossary.md | Last updated 10/18/2019 -+ |
active-directory | Oneflow Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/oneflow-tutorial.md | Complete the following steps to enable Azure AD single sign-on in the Azure port 1. On the **Basic SAML Configuration** section, perform the following steps: - a. In the **Identifier** textbox, type the URL: - `https://app.oneflow.com/api/ext/ssosaml/metadata` + a. In the **Identifier** textbox, type a URL using the following pattern: + `https://app.oneflow.com/api/ext/ssosaml/metadata/<INSTANCE>` b. In the **Reply URL** textbox, type a URL using the following pattern: `https://app.oneflow.com/api/ext/ssosaml/acs/<INSTANCE>` 1. If you wish to configure the application in **SP** initiated mode, then perform the following step: - In the **Sign on URL** textbox, type the URL: - `https://app.oneflow.com/login` + In the **Sign on URL** textbox, type a URL using the following pattern: + `https://login.oneflow.com/<INSTANCE>` > [!NOTE]- > The Reply URL is not real. Update this value with the actual Reply URL. Contact [Oneflow support team](mailto:support@oneflow.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Oneflow support team](mailto:support@oneflow.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. 1. Oneflow application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. |
aks | Quick Kubernetes Deploy Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-terraform.md | Title: 'Quickstart: Create an Azure Kubernetes Service (AKS) cluster by using Te description: In this article, you learn how to quickly create a Kubernetes cluster using Terraform and deploy an application in Azure Kubernetes Service (AKS) Last updated 06/13/2023-++content_well_notification: + - AI-contribution #Customer intent: As a developer or cluster operator, I want to quickly create an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure. In this article, you learn how to: > * Create an AzAPI resource [azapi_resource](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/azapi_resource). > * Create an AzAPI resource to generate an SSH key pair using [azapi_resource_action](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/azapi_resource_action). - ## Prerequisites - [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) |
aks | Node Problem Detector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-problem-detector.md | Title: Node Problem Detector (NPD) in Azure Kubernetes Service (AKS) nodes -description: Learn about how AKS uses Node Problem detector to expose issues with the node. +description: Learn about how AKS uses Node Problem Detector to expose issues with the node. Last updated 05/31/2023 -# Node Problem Detector (NPD) +# Node Problem Detector (NPD) in Azure Kubernetes Service (AKS) nodes -[Node Problem Detector (NPD)](https://github.com/kubernetes/node-problem-detector) is an open source Kubernetes component that detects node-related problems and reports on them. It runs as a systemd serviced on each node in the cluster and collects various metrics and system information, such as CPU usage, disk usage, and network connectivity. When it detects a problem, it generates an Events and/or Node Conditions. NPD is used in AKS (Azure Kubernetes Service) to monitor and manage nodes in a Kubernetes cluster running on the Azure cloud platform. NPD is enabled by default as part of the AKS Linux Extension. +[Node Problem Detector (NPD)](https://github.com/kubernetes/node-problem-detector) is an open source Kubernetes component that detects node-related problems and reports on them. It runs as a systemd serviced on each node in the cluster and collects various metrics and system information, such as CPU usage, disk usage, and network connectivity. When it detects a problem, it generates *events and/or node conditions*. Azure Kubernetes Service (AKS) uses NPD to monitor and manage nodes in a Kubernetes cluster running on the Azure cloud platform. The AKS Linux extension enables NPD by default. ## Node conditions-AKS uses the following Node conditions from NPD to expose permanent problems on the node. In addition to these node conditions, corresponding kubernetes events are also emitted. 
Node conditions indicate a permanent problem that makes the node unavailable. ++Node conditions indicate a permanent problem that makes the node unavailable. AKS uses the following node conditions from NPD to expose permanent problems on the node. NPD also emits corresponding Kubernetes events. |Problem Daemon type| NodeCondition | Reason | -| | | | +| | | | |CustomPluginMonitor| FilesystemCorruptionProblem | FilesystemCorruptionDetected | |CustomPluginMonitor| KubeletProblem | KubeletIsDown | |CustomPluginMonitor| ContainerRuntimeProblem | ContainerRuntimeIsDown | AKS uses the following Node conditions from NPD to expose permanent problems on |SystemLogMonitor|KernelDeadlock|DockerHung| |SystemLogMonitor|ReadonlyFilesystem |FilesystemIsReadOnly| -## Events -In few temporary scenarios, Events are emitted with relevant information to be able to diagnose the underlying issue. +## Events ++NPD emits events with relevant information to help you diagnose underlying issues. -|Problem Daemon type| Reason | +|Problem Daemon type| Reason | ||| |CustomPluginMonitor|FilesystemCorruptionDetected| |CustomPluginMonitor|KubeletIsDown| In few temporary scenarios, Events are emitted with relevant information to be a |SystemLogMonitor|DockerStart| |SystemLogMonitor|ContainerdStart| -In certain instances, AKS will automatically cordon and drain the node to minimize disruption to workloads. You can learn more about the events and actions [here](/azure/aks/node-auto-repair#node-auto-drain). +In certain instances, AKS automatically cordons and drains the node to minimize disruption to workloads. For more information about the events and actions, see [Node auto-drain](/azure/aks/node-auto-repair#node-auto-drain). ## Check the node conditions and events - ```azurecli-interactive +* Check the node conditions and events using the `kubectl describe node` command. 
++ ```azurecli-interactive kubectl describe node my-aks-node-``` -The output is clipped to only show the relevant parts -```output -... -... --Conditions: - Type Status LastHeartbeatTime LastTransitionTime Reason Message - - -- - - VMEventScheduled False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 NoVMEventScheduled VM has no scheduled event - FrequentContainerdRestart False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 NoFrequentContainerdRestart containerd is functioning properly - FrequentDockerRestart False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 NoFrequentDockerRestart docker is functioning properly - FilesystemCorruptionProblem False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 FilesystemIsOK Filesystem is healthy - FrequentUnregisterNetDevice False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 NoFrequentUnregisterNetDevice node is functioning properly - ContainerRuntimeProblem False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:40 +0000 ContainerRuntimeIsUp container runtime service is up - KernelDeadlock False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 KernelHasNoDeadlock kernel has no deadlock - FrequentKubeletRestart False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 NoFrequentKubeletRestart kubelet is functioning properly - KubeletProblem False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 KubeletIsUp kubelet service is up - ReadonlyFilesystem False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 FilesystemIsNotReadOnly Filesystem is not read-only - NetworkUnavailable False Thu, 01 Jun 2023 03:58:39 +0000 Thu, 01 Jun 2023 03:58:39 +0000 RouteCreated RouteController created a route - MemoryPressure True Thu, 01 Jun 2023 19:16:50 +0000 Thu, 01 Jun 2023 19:16:50 +0000 KubeletHasInsufficientMemory kubelet has insufficient memory available - DiskPressure False Thu, 01 Jun 2023 
19:16:50 +0000 Thu, 01 Jun 2023 03:57:22 +0000 KubeletHasNoDiskPressure kubelet has no disk pressure - PIDPressure False Thu, 01 Jun 2023 19:16:50 +0000 Thu, 01 Jun 2023 03:57:22 +0000 KubeletHasSufficientPID kubelet has sufficient PID available - Ready True Thu, 01 Jun 2023 19:16:50 +0000 Thu, 01 Jun 2023 03:57:23 +0000 KubeletReady kubelet is posting ready status. AppArmor enabled -... -... -... -Events: - Type Reason Age From Message - - - - - - Normal NodeHasSufficientMemory 94s (x176 over 15h) kubelet Node aks-agentpool-40622340-vmss000009 status is now: NodeHasSufficientMemory + ``` ++ Your output should look similar to the following example condensed output: ++ ```output + ... + ... ++ Conditions: + Type Status LastHeartbeatTime LastTransitionTime Reason Message + - -- - + VMEventScheduled False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 NoVMEventScheduled VM has no scheduled event + FrequentContainerdRestart False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 NoFrequentContainerdRestart containerd is functioning properly + FrequentDockerRestart False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 NoFrequentDockerRestart docker is functioning properly + FilesystemCorruptionProblem False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 FilesystemIsOK Filesystem is healthy + FrequentUnregisterNetDevice False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 NoFrequentUnregisterNetDevice node is functioning properly + ContainerRuntimeProblem False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:40 +0000 ContainerRuntimeIsUp container runtime service is up + KernelDeadlock False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 KernelHasNoDeadlock kernel has no deadlock + FrequentKubeletRestart False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 NoFrequentKubeletRestart kubelet is functioning properly + KubeletProblem False Thu, 01 Jun 2023 
19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 KubeletIsUp kubelet service is up + ReadonlyFilesystem False Thu, 01 Jun 2023 19:14:25 +0000 Thu, 01 Jun 2023 03:57:41 +0000 FilesystemIsNotReadOnly Filesystem is not read-only + NetworkUnavailable False Thu, 01 Jun 2023 03:58:39 +0000 Thu, 01 Jun 2023 03:58:39 +0000 RouteCreated RouteController created a route + MemoryPressure True Thu, 01 Jun 2023 19:16:50 +0000 Thu, 01 Jun 2023 19:16:50 +0000 KubeletHasInsufficientMemory kubelet has insufficient memory available + DiskPressure False Thu, 01 Jun 2023 19:16:50 +0000 Thu, 01 Jun 2023 03:57:22 +0000 KubeletHasNoDiskPressure kubelet has no disk pressure + PIDPressure False Thu, 01 Jun 2023 19:16:50 +0000 Thu, 01 Jun 2023 03:57:22 +0000 KubeletHasSufficientPID kubelet has sufficient PID available + Ready True Thu, 01 Jun 2023 19:16:50 +0000 Thu, 01 Jun 2023 03:57:23 +0000 KubeletReady kubelet is posting ready status. AppArmor enabled + ... + ... + ... + Events: + Type Reason Age From Message + - - - - + Normal NodeHasSufficientMemory 94s (x176 over 15h) kubelet Node aks-agentpool-40622340-vmss000009 status is now: NodeHasSufficientMemory + ``` -``` These events are also available in [Container Insights](/azure/azure-monitor/containers/container-insights-overview) through [KubeEvents](/azure/azure-monitor/reference/tables/kubeevents). - ## Metrics -NPD also exposes Prometheus metrics based on the node problems which can be used for monitoring and alerting. These are exposed on port 20257 of the Node IP and can be scraped by Prometheus. Below is an example of a scrape config that can be used with the [Azure Managed Prometheus add on as a DaemonSet](/azure/azure-monitor/essentials/prometheus-metrics-scrape-configuration#advanced-setup-configure-custom-prometheus-scrape-jobs-for-the-daemonset) +NPD also exposes Prometheus metrics based on the node problems, which you can use for monitoring and alerting. 
These metrics are exposed on port 20257 of the Node IP and Prometheus can scrape them. ++The following example YAML shows a scrape config you can use with the [Azure Managed Prometheus add on as a DaemonSet](/azure/azure-monitor/essentials/prometheus-metrics-scrape-configuration#advanced-setup-configure-custom-prometheus-scrape-jobs-for-the-daemonset): ```yaml kind: ConfigMap data: - targets: ['$NODE_IP:20257'] ``` -Below is a sample of the metrics scraped +The following example shows the scraped metrics: -``` +```output problem_gauge{reason="UnregisterNetDevice",type="FrequentUnregisterNetDevice"} 0 problem_gauge{reason="VMEventScheduled",type="VMEventScheduled"} 0 ```++## Next steps ++For more information on NPD, see [kubernetes/node-problem-detector](https://github.com/kubernetes/node-problem-detector). |
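Review bot: in the new Metrics sentence, "Azure Managed Prometheus add on" should be hyphenated as "add-on", and the lead-in to the output block, "Your output should look similar to the following example condensed output", reads awkwardly; suggest "Your output should look similar to the following condensed example output:". Otherwise the rewrite is consistent with the original text it replaces.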
analysis-services | Analysis Services Create Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-create-terraform.md | description: 'In this article, you create an Azure Analysis Services server usin Last updated 4/14/2023-+ +content_well_notification: + - AI-contribution # Quickstart: Create an Azure Analysis Services server using Terraform In this article, you learn how to: > * Create a random string for the Azure Analysis Services server name using [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) > * Create an Azure Analysis Services server using [azurerm_analysis_services_server](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/analysis_services_server) - ## Prerequisites - [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) |
api-management | Developer Portal Extend Custom Functionality | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-extend-custom-functionality.md | This function returns all data passed to your custom widget from the developer p ### Add or remove custom properties -Custom properties let you adjust values in the custom widget's code from the administrative user interface of the developer portal, without changing the code or redeploying the custom widget. By default, input fields for four custom properties are defined. You can add or remove other custom properties as needed. +Custom properties let you adjust values in the custom widget's code from the administrative user interface of the developer portal, without changing the code or redeploying the custom widget. By default, input fields for four custom properties are defined. You can add or remove other custom properties as needed. ++> [!WARNING] +> Don't store secret or sensitive values in custom properties. To add a custom property: |
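Review bot: the added WARNING ("Don't store secret or sensitive values in custom properties") gives no reason, so readers have no way to judge what else counts as sensitive. The surrounding text already states that the portal passes all custom-property data to the widget's code; suggest the warning say that these values are delivered to the widget rather than kept server-side, which is why they are unsuitable for secrets.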
api-management | Quickstart Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/quickstart-terraform.md | description: 'In this article, you create an Azure API Management service using Last updated 4/14/2023-+ +content_well_notification: + - AI-contribution # Quickstart: Create an Azure API Management service using Terraform In this article, you learn how to: > * Create a random string for the Azure API Management service name using [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) > * Create an Azure API Management service using [azurerm_api_management](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management) - ## Prerequisites - [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) |
app-service | Quickstart Dotnetcore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-dotnetcore.md | Follow these steps to create your App Service resources and publish your project ```azurecli az login ```++ - If the `az` command isn't recognized, ensure you have the Azure CLI installed as described in [Prerequisites](#prerequisites). 1. Deploy the code in your local *MyFirstAzureWebApp* directory using the [`az webapp up`](/cli/azure/webapp#az-webapp-up) command: Follow these steps to create your App Service resources and publish your project az webapp up --sku F1 --name <app-name> --os-type <os> ``` - - If the `az` command isn't recognized, ensure you have the Azure CLI installed as described in [Prerequisites](#prerequisites). - Replace `<app-name>` with a name that's unique across all of Azure (*valid characters are `a-z`, `0-9`, and `-`*). A good pattern is to use a combination of your company name and an app identifier. - The `--sku F1` argument creates the web app on the **Free** [pricing tier][app-service-pricing-tier]. Omit this argument to use a faster premium tier, which incurs an hourly cost. - Replace `<os>` with either `linux` or `windows`. |
application-gateway | Application Gateway Backend Health Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/application-gateway-backend-health-troubleshooting.md | To increase the timeout value, follow these steps: 2. If you can resolve the IP address, there might be something wrong with the DNS configuration in the virtual network. 3. Check whether the virtual network is configured with a custom DNS server. If it is, check the DNS server about why it can't resolve to the IP address of the specified FQDN. 4. If you're using Azure default DNS, check with your domain name registrar about whether proper A record or CNAME record mapping has been completed.-5. If the domain is private or internal, try to resolve it from a VM in the same virtual network. If you can resolve it, restart Application Gateway and check again. To restart Application Gateway, you need to [stop](/powershell/module/azurerm.network/stop-azurermapplicationgateway) and [start](/powershell/module/azurerm.network/start-azurermapplicationgateway) by using the PowerShell commands described in these linked resources. +5. If the domain is private or internal, try to resolve it from a VM in the same virtual network. If you can resolve it, restart Application Gateway and check again. To restart Application Gateway, you need to [stop](/powershell/module/az.network/stop-azapplicationgateway) and [start](/powershell/module/az.network/start-azapplicationgateway) by using the PowerShell commands described in these linked resources. ### Updates to the DNS entries of the backend pool |
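Review bot: the link update from the `azurerm.network` module to `az.network` in step 5 is correct, but step 2 in the surrounding context ("If you can resolve the IP address, there might be something wrong with the DNS configuration in the virtual network") contradicts the flow of steps 3 to 5, which all assume the name does not resolve; it most likely should read "If you can't resolve the IP address". Worth fixing in the same change.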
application-gateway | Application Gateway Troubleshooting 502 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/application-gateway-troubleshooting-502.md | As we know enabling HTTPS in the "Backed HTTP Setting" of the rule will make the If the backend servers do not have a TLS certificate issued for the CNAME www.contoso.com or *.contoso.com, the request will fail with **Server Error: 502 - Web server received an invalid response while acting as a gateway or proxy server** because the upstream SSL certificate (the certificate installed on the backend servers) will not match the hostname in the host header, and hence the TLS negotiation will fail. -www.contoso.com --> APP GW front end IP --> Listener with a rule that configures "Backend HTTP Settings" to use protocol HTTP --> Backend Pool --> Web server (needs to have a TLS certificate installed for www.contoso.com) +www.contoso.com --> APP GW front end IP --> Listener with a rule that configures "Backend HTTP Settings" to use protocol HTTPS rather than HTTP --> Backend Pool --> Web server (needs to have a TLS certificate installed for www.contoso.com) ## Solution |
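Review bot: the corrected flow line now matches the scenario ("HTTPS rather than HTTP"), but the context sentence above it still says "Backed HTTP Setting" (should be "Backend HTTP Setting"), and the same paragraph mixes "upstream SSL certificate" with "TLS certificate"; suggest using "TLS" consistently while this section is being edited.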
application-gateway | Configuration Infrastructure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/configuration-infrastructure.md | Subnet Size /24 = 256 IP addresses - 5 reserved from the platform = 251 availabl > It is possible to change the subnet of an existing Application Gateway within the same virtual network. You can do this using Azure PowerShell or Azure CLI. For more information, see [Frequently asked questions about Application Gateway](application-gateway-faq.yml#can-i-change-the-virtual-network-or-subnet-for-an-existing-application-gateway) ### DNS Servers for name resolution+ The virtual network resource supports [DNS server](../virtual-network/manage-virtual-network.md#view-virtual-networks-and-settings-using-the-azure-portal) configuration, allowing you to choose between Azure-provided default or Custom DNS servers. The instances of your application gateway also honor this DNS configuration for any name resolution. Thus, after you change this setting, you must restart ([Stop](/powershell/module/az.network/Stop-AzApplicationGateway) and [Start](/powershell/module/az.network/start-azapplicationgateway)) your application gateway for these changes to take effect on the instances. +> [!NOTE] +> If you use custom DNS servers in the Application Gateway VNet, the DNS server must be able to resolve public Internet names. This is required by Application Gateway. + ### Virtual network permission + Since the application gateway resource is deployed inside a virtual network, we also perform a check to verify the permission on the provided virtual network resource. This validation is performed during both creation and management operations. 
You should check your [Azure role-based access control](../role-based-access-control/role-assignments-list-portal.md) to verify the users (and service principals) that operate application gateways also have at least **Microsoft.Network/virtualNetworks/subnets/join/action** permission on the Virtual Network or Subnet. This validation also applies to the [Managed Identities for Application Gateway Ingress Controller](./tutorial-ingress-controller-add-on-new.md#deploy-an-aks-cluster-with-the-add-on-enabled). You may use the built-in roles, such as [Network contributor](../role-based-access-control/built-in-roles.md#network-contributor), which already support this permission. If a built-in role doesn't provide the right permission, you can [create and assign a custom role](../role-based-access-control/custom-roles-portal.md). Learn more about [managing subnet permissions](../virtual-network/virtual-network-manage-subnet.md#permissions). |
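Review bot: the new NOTE in "DNS Servers for name resolution" states that custom DNS servers "must be able to resolve public Internet names" and that "This is required by Application Gateway" without saying what fails when they cannot; readers troubleshooting a deployment will need to know whether this affects provisioning, management operations or runtime. Suggest stating the concrete effect of unresolvable public names, or linking to the section that describes it.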
application-gateway | Http Response Codes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/http-response-codes.md | For information about scenarios where 502 errors occur, and how to troubleshoot Azure application Gateway V2 SKU sent HTTP 504 errors if the backend response time exceeds the time-out value which is configured in the Backend Setting. +IIS ++If your backend server is IIS, see [Default Limits for Web Sites <limits>](/iis/configuration/system.applicationhost/sites/sitedefaults/limits#configuration) to set the timeout value. Refer to the `connectionTimeout` attribute for details. Ensure the connection timeout in IIS matches or does not exceed the timeout set in the backend setting. ++nginx ++If the backend server is nginx or nginx ingress controller, and if it has upstream servers, ensure the value of `nginx:proxy_read_timeout` matches or does not exceed with the timeout set in the backend setting. + ## Next steps If the information in this article doesn't help to resolve the issue, [submit a support ticket](https://azure.microsoft.com/support/options/). |
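Review bot: in the added nginx paragraph, `nginx:proxy_read_timeout` is not nginx syntax; the directive is `proxy_read_timeout`, and for the NGINX ingress controller the equivalent is the `proxy-read-timeout` annotation or ConfigMap key. The sentence also has a grammar slip ("matches or does not exceed with the timeout"); suggest "matches or does not exceed the timeout set in the backend setting". Also, "IIS" and "nginx" appear as bare lines; if they are meant as subheadings they need heading markup so the page renders them as sections.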
application-gateway | Tutorial Multiple Sites Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/tutorial-multiple-sites-cli.md | In order to ensure that more specific rules are processed first, use the rule pr ```azurecli-interactive az network application-gateway rule create \ --gateway-name myAppGateway \- --name wccontosoRule \ + --name contosoRule \ --resource-group myResourceGroupAG \- --http-listener wccontosoListener \ + --http-listener contosoListener \ --rule-type Basic \ --priority 200 \- --address-pool wccontosoPool + --address-pool contosoPool az network application-gateway rule create \ --gateway-name myAppGateway \- --name shopcontosoRule \ + --name fabrikamRule \ --resource-group myResourceGroupAG \- --http-listener shopcontosoListener \ + --http-listener fabrikamListener \ --rule-type Basic \ --priority 100 \- --address-pool shopcontosoPool + --address-pool fabrikamPool ``` for i in `seq 1 2`; do --instance-count 2 \ --vnet-name myVNet \ --subnet myBackendSubnet \- --vm-sku Standard_DS2 \ + --vm-sku Standard_D1_v2 \ --upgrade-policy-mode Automatic \ --app-gateway myAppGateway \ --backend-pool-name $poolName |
automation | Enable From Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/change-tracking/enable-from-portal.md | This article describes how you can enable [Change Tracking and Inventory](overvi The number of resource groups that you can use for managing your VMs is limited by the [Resource Manager deployment limits](../../azure-resource-manager/templates/deploy-to-resource-group.md). Resource Manager deployments are limited to five resource groups per deployment. Two of these resource groups are reserved to configure the Log Analytics workspace, Automation account, and related resources. This leaves you with three resource groups to select for management by Change Tracking and Inventory. This limit only applies to simultaneous setup, not the number of resource groups that can be managed by an Automation feature. > [!NOTE]-> When enabling Change Tracking and Inventory, only certain regions are supported for linking a Log Analytics workspace and an Automation Account. For a list of the supported mapping pairs, see [Region mapping for Automation Account and Log Analytics workspace](../how-to/region-mappings.md). +> When you enable Change Tracking and Inventory, only certain regions are supported for linking a Log Analytics workspace and an Automation Account. For a list of the supported mapping pairs, see [Region mapping for Automation Account and Log Analytics workspace](../how-to/region-mappings.md). ## Prerequisites |
azure-functions | Create First Function Cli Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/create-first-function-cli-powershell.md | Each binding requires a direction, a type, and a unique name. The HTTP trigger h # [Azure CLI](#tab/azure-cli) ```azurecli- az functionapp create --resource-group AzureFunctionsQuickstart-rg --consumption-plan-location <REGION> --runtime powershell --functions-version 3 --name <APP_NAME> --storage-account <STORAGE_NAME> + az functionapp create --resource-group AzureFunctionsQuickstart-rg --consumption-plan-location <REGION> --runtime powershell --functions-version 4 --name <APP_NAME> --storage-account <STORAGE_NAME> ``` The [az functionapp create](/cli/azure/functionapp#az-functionapp-create) command creates the function app in Azure. |
azure-functions | Durable Functions Storage Providers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/durable-functions-storage-providers.md | There are many significant tradeoffs between the various supported storage provi | [KEDA 2.0](https://keda.sh/) scaling support<br/>([more information](../functions-kubernetes-keda.md)) | ❌ Not supported | ❌ Not supported | ✅ Supported using the [MSSQL scaler](https://keda.sh/docs/scalers/mssql/) ([more information](https://microsoft.github.io/durabletask-mssql/#/scaling)) | | Support for [extension bundles](../functions-bindings-register.md#extension-bundles) (recommended for non-.NET apps) | ✅ Fully supported | ✅ Fully supported | ✅ Fully supported | | Price-performance configurable? | ❌ No | ✅ Yes (Event Hubs TUs and CUs) | ✅ Yes (SQL vCPUs) |-| Managed Identity Support | ✅ Fully supported | ❌ Not supported | ⚠️ Requires runtime-driven scaling | | Disconnected environment support | ❌ Azure connectivity required | ❌ Azure connectivity required | ✅ Fully supported |-| Identity-based connections | ✅ Yes (preview) |❌ No | ❌ No | +| Identity-based connections | ✅ Fully supported |❌ Not supported | ⚠️ Requires runtime-driven scaling | ## Next steps |
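Review bot: merging the deleted "Managed Identity Support" row into "Identity-based connections" changes the Azure Storage column from "Yes (preview)" to "Fully supported" while carrying over the Netherite and MSSQL values from the removed row; please confirm the preview status was intentionally dropped for Azure Storage, since the two rows previously described different things and the table no longer distinguishes them.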
azure-functions | Functions Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-overview.md | Functions also integrates with Azure Monitor and Azure Application Insights to p Functions provides a variety [hosting options](functions-scale.md#overview-of-plans) for your business needs and application workload. [Event-driven scaling hosting options](./event-driven-scaling.md) range from fully serverless, where you only pay for execution time (Consumption plan), to always warm instances kept ready for fastest response times (Premium plan). -When you have excess App Service hosting resources, you can host your functions an existing App Service plan. This kind of Dedicated hosting plan is also a good choice when you need predictable scaling behaviors and costs from your functions. +When you have excess App Service hosting resources, you can host your functions in an existing App Service plan. This kind of Dedicated hosting plan is also a good choice when you need predictable scaling behaviors and costs from your functions. If you want complete control over your functions runtime environment and dependencies, you can even deploy your functions in containers that you can fully customize. Your custom containers can be hosted by Functions, deployed as part of a microservices architecture in Azure Container Apps, or even self-hosted in Kubernetes. |
azure-maps | Map Add Line Layer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/map-add-line-layer.md | A line layer can be used to render `LineString` and `MultiLineString` features a > [!TIP] > Line layers by default will render the coordinates of polygons as well as lines in a data source. To limit the layer such that it only renders LineString features set the `filter` property of the layer to `['==', ['geometry-type'], 'LineString']` or `['any', ['==', ['geometry-type'], 'LineString'], ['==', ['geometry-type'], 'MultiLineString']]` if you want to include MultiLineString features as well. -The following code shows how to create a line. Add the line to a data source, then render it with a line layer using the [LineLayer](/javascript/api/azure-maps-control/atlas.layer.linelayer) class. +The following code shows how to create a line. Add the line to a data source, then render it with a line layer using the [LineLayer] class. ```javascript //Create a data source and add it to the map. The following screenshot shows a sample of the above functionality. </iframe> --> -Line layers can be styled using [LineLayerOptions](/javascript/api/azure-maps-control/atlas.linelayeroptions) and [Use data-driven style expressions](data-driven-style-expressions-web-sdk.md). +Line layers can be styled using [LineLayerOptions] and [Use data-driven style expressions]. ## Add symbols along a line -The following sample demonstrates how to add arrow icons along a line on the map. When using a symbol layer, set the "placement" option to "line". This option will render the symbols along the line and rotate the icons (0 degrees = right). +The following sample demonstrates how to add arrow icons along a line on the map. When using a symbol layer, set the `placement` option to `line`. This option renders the symbols along the line and rotates the icons (0 degrees = right). 
```javascript function InitMap() function InitMap() } ``` -This code will create a map that appears as follows: +This code creates a map that appears as follows: :::image type="content" source="./media/map-add-line-layer/add-symbols-along-a-line.png"alt-text="A screenshot showing a line layer on an Azure Maps map with arrow symbols along the line."::: This code will create a map that appears as follows: --> > [!TIP]-> The Azure Maps web SDK provides several customizable image templates you can use with the symbol layer. For more information, see the [How to use image templates](how-to-use-image-templates-web-sdk.md) document. +> The Azure Maps web SDK provides several customizable image templates you can use with the symbol layer. For more information, see the [How to use image templates] document. <a name="line-stroke-gradient"></a> The Line layer has several styling options. For a fully functional sample that i Learn more about the classes and methods used in this article: > [!div class="nextstepaction"]-> [LineLayer](/javascript/api/azure-maps-control/atlas.layer.linelayer) +> [LineLayer] > [!div class="nextstepaction"]-> [LineLayerOptions](/javascript/api/azure-maps-control/atlas.linelayeroptions) +> [LineLayerOptions] See the following articles for more code samples to add to your maps: > [!div class="nextstepaction"]-> [Create a data source](create-data-source-web-sdk.md) +> [Create a data source] > [!div class="nextstepaction"]-> [Add a popup](map-add-popup.md) +> [Add a popup] > [!div class="nextstepaction"]-> [Use data-driven style expressions](data-driven-style-expressions-web-sdk.md) +> [Use data-driven style expressions] > [!div class="nextstepaction"]-> [How to use image templates](how-to-use-image-templates-web-sdk.md) +> [How to use image templates] > [!div class="nextstepaction"]-> [Add a polygon layer](map-add-shape.md) +> [Add a polygon layer] -[Line with Stroke Gradient]: https://samples.azuremaps.com/line-layer/line-with-stroke-gradient +[Add a 
polygon layer]: map-add-shape.md +[Add a popup]: map-add-popup.md [Azure Maps Samples]: https://samples.azuremaps.com+[Create a data source]: create-data-source-web-sdk.md +[How to use image templates]: how-to-use-image-templates-web-sdk.md +[Line Layer Options source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Line%20Layer/Line%20Layer%20Options/Line%20Layer%20Options.html [Line Layer Options]: https://samples.azuremaps.com/line-layer/line-layer-options- [Line with Stroke Gradient source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Line%20Layer/Line%20with%20Stroke%20Gradient/Line%20with%20Stroke%20Gradient.html-[Line Layer Options source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Line%20Layer/Line%20Layer%20Options/Line%20Layer%20Options.html +[Line with Stroke Gradient]: https://samples.azuremaps.com/line-layer/line-with-stroke-gradient +[LineLayer]: /javascript/api/azure-maps-control/atlas.layer.linelayer +[LineLayerOptions]: /javascript/api/azure-maps-control/atlas.linelayeroptions +[Use data-driven style expressions]: data-driven-style-expressions-web-sdk.md |
azure-maps | Map Add Pin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/map-add-pin.md | The maps image sprite manager loads custom images used by the symbol layer. It s Before you can add a symbol layer to the map, you need to take a couple of steps. First, create a data source, and add it to the map. Create a symbol layer. Then, pass in the data source to the symbol layer, to retrieve the data from the data source. Finally, add data into the data source, so that there's something to be rendered. -The code below demonstrates what should be added to the map after it has loaded. This sample renders a single point on the map using a symbol layer. +The following code demonstrates what should be added to the map after it has loaded. This sample renders a single point on the map using a symbol layer. ```javascript //Create a data source and add it to the map. function InitMap() -> > [!TIP]-> The Azure Maps web SDK provides several customizable image templates you can use with the symbol layer. For more information, see the [How to use image templates](how-to-use-image-templates-web-sdk.md) document. +> The Azure Maps web SDK provides several customizable image templates you can use with the symbol layer. For more information, see the [How to use image templates] document. 
## Customize a symbol layer See the following articles for more code samples to add to your maps: > [Use data-driven style expressions](data-driven-style-expressions-web-sdk.md) > [!div class="nextstepaction"]-> [How to use image templates](how-to-use-image-templates-web-sdk.md) +> [How to use image templates] > [!div class="nextstepaction"] > [Add a line layer](map-add-line-layer.md) See the following articles for more code samples to add to your maps: [Symbol Layer Options]: https://samples.azuremaps.com/?search=symbol%20layer&sample=symbol-layer-options [Symbol Layer Options source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Symbol%20Layer/Symbol%20Layer%20Options/Symbol%20Layer%20Options.html+[How to use image templates]: how-to-use-image-templates-web-sdk.md |
azure-maps | Map Add Popup | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/map-add-popup.md | This article shows you how to add a popup to a point on a map. ## Understand the code -The following code adds a point feature, that has `name` and `description` properties, to the map using a symbol layer. An instance of the [Popup class](/javascript/api/azure-maps-control/atlas.popup) is created but not displayed. Mouse events are added to the symbol layer to trigger opening and closing the popup. When the marker symbol is hovered, the popup's `position` property is updated with position of the marker, and the `content` option is updated with some HTML that wraps the `name` and `description` properties of the point feature being hovered. The popup is then displayed on the map using its `open` function. +The following code adds a point feature with `name` and `description` properties to the map using a symbol layer. An instance of the [Popup class] is created but not displayed. Mouse events are added to the symbol layer to trigger opening and closing the popup. When the marker symbol is hovered, the popup's `position` property is updated with position of the marker, and the `content` option is updated with some HTML that wraps the `name` and `description` properties of the point feature being hovered. The popup is then displayed on the map using its `open` function. ```javascript //Define an HTML template for a custom popup content laypout. map.events.add('mouseleave', symbolLayer, function (){ ## Reusing a popup with multiple points -There are cases in which the best approach is to create one popup and reuse it. For example, you may have a large number of points and want to show only one popup at a time. By reusing the popup, the number of DOM elements created by the application is greatly reduced, which can provide better performance. The following sample creates 3-point features. 
If you click on any of them, a popup will be displayed with the content for that point feature. +There are cases in which the best approach is to create one popup and reuse it. For example, you may have a large number of points and want to show only one popup at a time. By reusing the popup, the number of DOM elements created by the application is greatly reduced, which can provide better performance. The following sample creates 3-point features. If you select on any of them, a popup is displayed with the content for that point feature. For a fully functional sample that shows how to create one popup and reuse it rather than creating a popup for each point feature, see [Reusing Popup with Multiple Pins] in the [Azure Maps Samples]. For the source code for this sample, see [Reusing Popup with Multiple Pins source code]. For a fully functional sample that shows how to customize the look of a popup, s ## Add popup templates to the map -Popup templates make it easy to create data driven layouts for popups. The sections below demonstrates the use of various popup templates to generate formatted content using properties of features. +Popup templates make it easy to create data driven layouts for popups. The following sections demonstrate the use of various popup templates to generate formatted content using properties of features. > [!NOTE] > By default, all content rendered use the popup template will be sandboxed inside of an iframe as a security feature. However, there are limitations: Popup templates make it easy to create data driven layouts for popups. The secti The String template replaces placeholders with values of the feature properties. The properties of the feature don't have to be assigned a value of type String. For example, `value1` holds an integer. These values are then passed to the content property of the `popupTemplate`. -The `numberFormat` option specifies the format of the number to display. 
If the `numberFormat` isn't specified, then the code will use the popup templates date format. The `numberFormat` option formats numbers using the [Number.toLocaleString](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Number/toLocaleString) function. To format large numbers, consider using the `numberFormat` option with functions from [NumberFormat.format](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/NumberFormat/format). For instance, the code snippet below uses `maximumFractionDigits` to limit the number of fraction digits to two. +The `numberFormat` option specifies the format of the number to display. If the `numberFormat` isn't specified, then the code uses the popup templates date format. The `numberFormat` option formats numbers using the [Number.toLocaleString] function. To format large numbers, consider using the `numberFormat` option with functions from [NumberFormat.format]. For instance, the code following snippet uses `maximumFractionDigits` to limit the number of fraction digits to two. > [!NOTE] > There's only one way in which the String template can render images. First, the String template needs to have an image tag in it. The value being passed to the image tag should be a URL to an image. Then, the String template needs to have `isImage` set to true in the `HyperLinkFormatOptions`. The `isImage` option specifies that the hyperlink is for an image, and the hyperlink will be loaded into an image tag. When the hyperlink is clicked, the image will open. var popup = new atlas.Popup({ ### PropertyInfo template -The PropertyInfo template displays available properties of the feature. The `label` option specifies the text to display to the user. If `label` isn't specified, then the hyperlink will be displayed. And, if the hyperlink is an image, the value assigned to the "alt" tag will be displayed. 
The `dateFormat` specifies the format of the date, and if the date format isn't specified, then the date will render as a string. The `hyperlinkFormat` option renders clickable links, similarly, the `email` option can be used to render clickable email addresses. +The PropertyInfo template displays available properties of the feature. The `label` option specifies the text to display to the user. If `label` isn't specified, then the hyperlink is displayed. And, if the hyperlink is an image, the value assigned to the "alt" tag is displayed. The `dateFormat` specifies the format of the date, and if the date format isn't specified, then the date renders as a string. The `hyperlinkFormat` option renders clickable links, similarly, the `email` option can be used to render clickable email addresses. -Before the PropertyInfo template display the properties to the end user, it recursively checks that the properties are indeed defined for that feature. It also ignores displaying style and title properties. For example, it won't display `color`, `size`, `anchor`, `strokeOpacity`, and `visibility`. So, once property path checking is complete in the back-end, the PropertyInfo template shows the content in a table format. +Before the PropertyInfo template display the properties to the end user, it recursively checks that the properties are indeed defined for that feature. It also ignores displaying style and title properties. For example, it doesn't display `color`, `size`, `anchor`, `strokeOpacity`, and `visibility`. So, once property path checking is complete in the back-end, the PropertyInfo template shows the content in a table format. ```javascript var templateOptions = { var popup = new atlas.Popup({ When the Popup template isn't defined to be a String template, a PropertyInfo template, or a combination of both, then it uses the default settings. 
When the `title` and `description` are the only assigned properties, the popup template shows a white background, a close button in the top-right corner. And, on small and medium screens, it shows an arrow at the bottom. The default settings show inside a table for all properties other than the `title` and the `description`. Even when falling back to the default settings, the popup template can still be manipulated programmatically. For example, users can turn off hyperlink detection and the default settings would still apply to other properties. -Once running, you can select the points on the map to see the popup. There is a point on the map for each of the following popup templates: String template, PropertyInfo template, and Multiple content template. There are also three points to show how templates render using the defaulting settings. +Once running, you can select the points on the map to see the popup. There's a point on the map for each of the following popup templates: String template, PropertyInfo template, and Multiple content template. There are also three points to show how templates render using the defaulting settings. ```javascript function InitMap() function InitMap() --> ## Reuse popup template -Similar to reusing a popup, you can reuse popup templates. This approach is useful when you only want to show one popup template at a time, for multiple points. By reusing the popup template, the number of DOM elements created by the application is reduced, which then improves your application performance. The following sample uses the same popup template for three points. If you click on any of them, a popup will be displayed with the content for that point feature. +Similar to reusing a popup, you can reuse popup templates. This approach is useful when you only want to show one popup template at a time, for multiple points. Reusing popup templates reduces the number of DOM elements created by the application, improving your applications performance. 
The following sample uses the same popup template for three points. If you select on any of them, a popup is displayed with the content for that point feature. For a fully functional sample that shows hot to reuse a single popup template with multiple features that share a common set of property fields, see [Reuse a popup template] in the [Azure Maps Samples]. For the source code for this sample, see [Reuse a popup template source code]. Popups can be opened, closed, and dragged. The popup class provides events to he For a fully functional sample that shows how to add events to popups, see [Popup events] in the [Azure Maps Samples]. For the source code for this sample, see [Popup events source code]. <!-- <iframe height="500" scrolling="no" title="Popup events" src="//codepen.io/azuremaps/embed/BXrpvB/?height=500&theme-id=0&default-tab=result" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true"> For a fully functional sample that shows how to add events to popups, see [Popup Learn more about the classes and methods used in this article: > [!div class="nextstepaction"]-> [Popup](/javascript/api/azure-maps-control/atlas.popup) +> [Popup] > [!div class="nextstepaction"]-> [PopupOptions](/javascript/api/azure-maps-control/atlas.popupoptions) +> [PopupOptions] > [!div class="nextstepaction"]-> [PopupTemplate](/javascript/api/azure-maps-control/atlas.popuptemplate) +> [PopupTemplate]) See the following great articles for full code samples: > [!div class="nextstepaction"]-> [Add a symbol layer](./map-add-pin.md) +> [Add a symbol layer] > [!div class="nextstepaction"]-> [Add an HTML marker](./map-add-custom-html.md) +> [Add an HTML marker] > [!div class="nextstepaction"]-> [Add a line layer](map-add-line-layer.md) +> [Add a line layer] > [!div class="nextstepaction"]-> [Add a polygon layer](map-add-shape.md) +> [Add a polygon layer] -[Reusing Popup with Multiple Pins]: https://samples.azuremaps.com/popups/reusing-popup-with-multiple-pins +[Add a 
line layer]: map-add-line-layer.md +[Add a polygon layer]: map-add-shape.md +[Add a symbol layer]: map-add-pin.md +[Add an HTML marker]: map-add-custom-html.md [Azure Maps Samples]: https://samples.azuremaps.com+[Customize a popup source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Popups/Customize%20a%20popup/Customize%20a%20popup.html [Customize a popup]: https://samples.azuremaps.com/popups/customize-a-popup-[Reuse a popup template]: https://samples.azuremaps.com/popups/reuse-a-popup-template +[Number.toLocaleString]: https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Number/toLocaleString +[NumberFormat.format]: https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/NumberFormat/format +[Popup class]: /javascript/api/azure-maps-control/atlas.popup +[Popup events source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Popups/Popup%20events/Popup%20events.html [Popup events]: https://samples.azuremaps.com/popups/popup-events--[Reusing Popup with Multiple Pins source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Popups/Reusing%20Popup%20with%20Multiple%20Pins/Reusing%20Popup%20with%20Multiple%20Pins.html -[Customize a popup source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Popups/Customize%20a%20popup/Customize%20a%20popup.html +[Popup]: /javascript/api/azure-maps-control/atlas.popup +[PopupOptions]: /javascript/api/azure-maps-control/atlas.popupoptions +[PopupTemplate]: /javascript/api/azure-maps-control/atlas.popuptemplate [Reuse a popup template source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Popups/Reuse%20a%20popup%20template/Reuse%20a%20popup%20template.html-[Popup events source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Popups/Popup%20events/Popup%20events.html +[Reuse a popup template]: 
https://samples.azuremaps.com/popups/reuse-a-popup-template +[Reusing Popup with Multiple Pins source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Popups/Reusing%20Popup%20with%20Multiple%20Pins/Reusing%20Popup%20with%20Multiple%20Pins.html +[Reusing Popup with Multiple Pins]: https://samples.azuremaps.com/popups/reusing-popup-with-multiple-pins + |
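Review bot: several wording defects survive in the `+` lines of this change. "For instance, the code following snippet uses `maximumFractionDigits`" should read "the following code snippet"; "Before the PropertyInfo template display the properties" needs "displays"; "shows hot to reuse a single popup template" should be "how to"; "improving your applications performance" needs the possessive "application's"; and the next-step line "> [PopupTemplate])" carries a stray closing parenthesis that will render. In the unchanged note about sandboxing, "all content rendered use the popup template will be sandboxed inside of an iframe" should be "rendered using", and since that sentence is the one security guarantee the article makes, it is worth stating plainly which of the listed limitations disable the sandbox.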
azure-maps | Map Add Shape | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/map-add-shape.md | Title: Add a polygon layer to a map | Microsoft Azure Maps + Title: Add a polygon layer to a map + description: Learn how to add polygons or circles to maps. See how to use the Azure Maps Web SDK to customize geometric shapes and make them easy to update and maintain. -This article shows you how to render the areas of `Polygon` and `MultiPolygon` feature geometries on the map using a polygon layer. The Azure Maps Web SDK also supports the creation of Circle geometries as defined in the [extended GeoJSON schema](extend-geojson.md#circle). These circles are transformed into polygons when rendered on the map. All feature geometries can easily be updated when wrapped with the [atlas.Shape](/javascript/api/azure-maps-control/atlas.shape) class. +This article shows you how to render the areas of `Polygon` and `MultiPolygon` feature geometries on the map using a polygon layer. The Azure Maps Web SDK also supports the creation of Circle geometries as defined in the [extended GeoJSON schema]. These circles are transformed into polygons when rendered on the map. All feature geometries can easily be updated when wrapped with the [atlas.Shape] class. ## Use a polygon layer -When a polygon layer is connected to a data source and loaded on the map, it renders the area with `Polygon` and `MultiPolygon` features. To create a polygon, add it to a data source, and render it with a polygon layer using the [PolygonLayer](/javascript/api/azure-maps-control/atlas.layer.polygonlayer) class. +When a polygon layer is connected to a data source and loaded on the map, it renders the area with `Polygon` and `MultiPolygon` features. To create a polygon, add it to a data source, and render it with a polygon layer using the [PolygonLayer] class. The following sample code demonstrates creating a polygon layer that covers New York City's Central Park with a red polygon. 
function InitMap() ``` <!---<iframe height='500' scrolling='no' title='Add a polygon to a map ' src='//codepen.io/azuremaps/embed/yKbOvZ/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/yKbOvZ/'>Add a polygon to a map </a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. -</iframe> +<iframe height='500' scrolling='no' title='Add a polygon to a map ' src='//codepen.io/azuremaps/embed/yKbOvZ/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/yKbOvZ/'>Add a polygon to a map </a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe> -> ## Use a polygon and line layer together function InitMap() :::image type="content" source="./media/map-add-shape/polygon-line-layer.png" alt-text="A screenshot of a map of New York City demonstrating a mostly transparent polygon layer covering all of Central Park, bordered with a red line."::: <!-<iframe height='500' scrolling='no' title='Polygon and line layer to add polygon' src='//codepen.io/azuremaps/embed/aRyEPy/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/aRyEPy/'>Polygon and line layer to add polygon</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. 
-</iframe> +<iframe height='500' scrolling='no' title='Polygon and line layer to add polygon' src='//codepen.io/azuremaps/embed/aRyEPy/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/aRyEPy/'>Polygon and line layer to add polygon</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe> > ## Fill a polygon with a pattern For a fully functional sample that shows how to use an image template as a fill <! <iframe height="500" scrolling="no" title="Polygon fill pattern" src="//codepen.io/azuremaps/embed/JzQpYX/?height=500&theme-id=0&default-tab=js,result" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true"> See the Pen <a href='https://codepen.io/azuremaps/pen/JzQpYX/'>Polygon fill pattern</a> by Azure Maps- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. -</iframe> + (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe> > > [!TIP]-> The Azure Maps web SDK provides several customizable image templates you can use as fill patterns. For more information, see the [How to use image templates](how-to-use-image-templates-web-sdk.md) document. +> The Azure Maps web SDK provides several customizable image templates you can use as fill patterns. For more information, see the [How to use image templates] document. ## Customize a polygon layer -The Polygon layer only has a few styling options. See the [Polygon Layer Options] sample map in the [Azure Maps Samples] to try them out. +The Polygon layer only has a few styling options. See the [Polygon Layer Options] sample map in the [Azure Maps Samples] to try them out. For the source code for this sample, see [Polygon Layer Options source code]. 
:::image type="content" source="./media/map-add-shape/polygon-layer-options.png" alt-text="A screenshot of the Polygon Layer Options tool."::: <!-<iframe height='700' scrolling='no' title='LXvxpg' src='//codepen.io/azuremaps/embed/LXvxpg/?height=700&theme-id=0&default-tab=result' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/LXvxpg/'>LXvxpg</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. -</iframe> +<iframe height='700' scrolling='no' title='LXvxpg' src='//codepen.io/azuremaps/embed/LXvxpg/?height=700&theme-id=0&default-tab=result' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/LXvxpg/'>LXvxpg</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe> > <a id="addACircle"></a> ## Add a circle to the map -Azure Maps uses an extended version of the GeoJSON schema that provides a [definition for circles](extend-geojson.md#circle). A circle is rendered on the map by creating a `Point` feature. This `Point` has a `subType` property with a value of `"Circle"` and a `radius` property with a number that represents the radius in meters. +Azure Maps uses an extended version of the GeoJSON schema that provides a [definition for circles]. A circle is rendered on the map by creating a `Point` feature. This `Point` has a `subType` property with a value of `"Circle"` and a `radius` property with a number that represents the radius in meters. ```javascript { function InitMap() :::image type="content" source="./media/map-add-shape/add-circle-to-map.png" alt-text="A screenshot of a map showing a partially transparent green circle in New York City. 
This demonstrates adding a circle to a map."::: <!-<iframe height='500' scrolling='no' title='Add a circle to a map' src='//codepen.io/azuremaps/embed/PRmzJX/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/PRmzJX/'>Add a circle to a map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. -</iframe> +<iframe height='500' scrolling='no' title='Add a circle to a map' src='//codepen.io/azuremaps/embed/PRmzJX/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/PRmzJX/'>Add a circle to a map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe> -> ## Make a geometry easy to update -A `Shape` class wraps a [Geometry](/javascript/api/azure-maps-control/atlas.data.geometry) or [Feature](/javascript/api/azure-maps-control/atlas.data.feature) and makes it easy to update and maintain these features. To instantiate a shape variable, pass a geometry or a set of properties to the shape constructor. +A `Shape` class wraps a [Geometry] or [Feature] and makes it easy to update and maintain these features. To instantiate a shape variable, pass a geometry or a set of properties to the shape constructor. ```javascript //Creating a shape by passing in a geometry and a object containing properties. 
The [Make a geometry easy to update] sample shows how to wrap a circle GeoJSON o :::image type="content" source="./media/map-add-shape/easy-to-update-geometry.png" alt-text="A screenshot of a map showing a red circle in New York City with a slider bar titled Circle Radius and as you slide the bar to the right or left, the value of the radius changes and the circle size adjusts automatically on the map."::: <!-<iframe height='500' scrolling='no' title='Update shape properties' src='//codepen.io/azuremaps/embed/ZqMeQY/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/ZqMeQY/'>Update shape properties</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. -</iframe> +<iframe height='500' scrolling='no' title='Update shape properties' src='//codepen.io/azuremaps/embed/ZqMeQY/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/ZqMeQY/'>Update shape properties</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe> -> ## Next steps The [Make a geometry easy to update] sample shows how to wrap a circle GeoJSON o Learn more about the classes and methods used in this article: > [!div class="nextstepaction"]-> [Polygon](/javascript/api/azure-maps-control/atlas.data.polygon) +> [Polygon] > [!div class="nextstepaction"]-> [PolygonLayer](/javascript/api/azure-maps-control/atlas.layer.polygonlayer) +> [PolygonLayer] > [!div class="nextstepaction"]-> [PolygonLayerOptions](/javascript/api/azure-maps-control/atlas.polygonlayeroptions) +> [PolygonLayerOptions] For more code examples to add to your maps, see the following articles: > [!div 
class="nextstepaction"]-> [Create a data source](create-data-source-web-sdk.md) +> [Create a data source] > [!div class="nextstepaction"]-> [Add a popup](map-add-popup.md) +> [Add a popup] > [!div class="nextstepaction"]-> [Use data-driven style expressions](data-driven-style-expressions-web-sdk.md) +> [Use data-driven style expressions] > [!div class="nextstepaction"]-> [How to use image templates](how-to-use-image-templates-web-sdk.md) +> [How to use image templates] > [!div class="nextstepaction"]-> [Add a line layer](map-add-line-layer.md) +> [Add a line layer] -Additional resources: +More resources: > [!div class="nextstepaction"]-> [Azure Maps GeoJSON specification extension](extend-geojson.md#circle) +> [Azure Maps GeoJSON specification extension] -[Fill polygon with built-in icon template]: https://samples.azuremaps.com/?sample=fill-polygon-with-built-in-icon-template +[Add a line layer]: map-add-line-layer.md +[Add a popup]: map-add-popup.md +[atlas.Shape]: /javascript/api/azure-maps-control/atlas.shape +[Azure Maps GeoJSON specification extension]: extend-geojson.md#circle [Azure Maps Samples]: https://samples.azuremaps.com-[Make a geometry easy to update]: https://samples.azuremaps.com/?sample=make-a-geometry-easy-to-update +[Create a data source]: create-data-source-web-sdk.md +[definition for circles]: extend-geojson.md#circle +[extended GeoJSON schema]: extend-geojson.md#circle +[Feature]: /javascript/api/azure-maps-control/atlas.data.feature [Fill polygon with built-in icon template source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Polygons/Fill%20polygon%20with%20built-in%20icon%20template/Fill%20polygon%20with%20built-in%20icon%20template.html+[Fill polygon with built-in icon template]: https://samples.azuremaps.com/?sample=fill-polygon-with-built-in-icon-template +[Geometry]: /javascript/api/azure-maps-control/atlas.data.geometry +[How to use image templates]: how-to-use-image-templates-web-sdk.md [Make a 
geometry easy to update source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Polygons/Make%20a%20geometry%20easy%20to%20update/Make%20a%20geometry%20easy%20to%20update.html+[Make a geometry easy to update]: https://samples.azuremaps.com/?sample=make-a-geometry-easy-to-update +[Polygon Layer Options source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Polygons/Polygon%20Layer%20Options/Polygon%20Layer%20Options.html +[Polygon Layer Options]: https://samples.azuremaps.com/polygons/polygon-layer-options +[Polygon]: /javascript/api/azure-maps-control/atlas.data.polygon +[PolygonLayer]: /javascript/api/azure-maps-control/atlas.layer.polygonlayer +[PolygonLayerOptions]: /javascript/api/azure-maps-control/atlas.polygonlayeroptions +[Use data-driven style expressions]: data-driven-style-expressions-web-sdk.md |
azure-monitor | Azure Monitor Agent Health | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-health.md | + + Title: View Azure Monitor Agent Health +description: Experience to view agent health at scale and troubleshoot issues related to data collection via agents +++ Last updated : 7/5/2023++++++# Azure Monitor Agent Health (Preview) ++The article provides an overview of the **Azure Monitor Agent Health** experience that enables an at scale solution for viewing the health of agents deployed across your organization. You can now monitor the health of your agents easily and seamlessly across Azure, on premises and other clouds using this interactive experience. Identify data collection problems before they start impacting your business, and troubleshoot faster by narrowing down the impact scope for a given problem. +It includes agents deployed across virtual machines, scale sets and [Arc-enabled servers](../../azure-arc/servers/overview.md) (on premise servers with Azure Arc installed), as well as the [data collection rules](../essentials/data-collection-rule-overview.md) managing the agents across all these resources. +++This will be available soon under Azure Monitor > Workbooks > Azure Monitor Essentials. Watch this space for an update shortly, or [reach out](mailto:obs-agent-pms@microsoft.com) if you have questions. |
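Review bot: the new article is entirely placeholder text. It names the future location (Azure Monitor > Workbooks > Azure Monitor Essentials) and a contact mailbox but describes no content of the health experience, so the "Preview" in the title is not backed by anything a reader can do; consider holding the page until the workbook ships or stating explicitly that it is a pre-announcement.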
azure-monitor | Activity Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/activity-log.md | Select **Download as CSV** to download the events in the current view. ### View change history -For some events, you can view the change history, which shows what changes happened during that event time. Select an event from the activity log you want to look at more deeply. Select the **Change history (Preview)** tab to view any associated changes with that event. +For some events, you can view the change history, which shows what changes happened during that event time. Select an event from the activity log you want to look at more deeply. Select the **Change history** tab to view any changes on the resource up to 30 minutes before and after the time of the operation. ![Screenshot that shows the Change history list for an event.](media/activity-log/change-history-event.png) -If any changes are associated with the event, you'll see a list of changes that you can select. Selecting a change opens the **Change history (Preview)** page. This page displays the changes to the resource. In the following example, you can see that the VM changed sizes. The page displays the VM size before the change and after the change. To learn more about change history, see [Get resource changes](../../governance/resource-graph/how-to/get-resource-changes.md). +If any changes are associated with the event, you'll see a list of changes that you can select. Selecting a change opens the **Change history** page. This page displays the changes to the resource. In the following example, you can see that the VM changed sizes. The page displays the VM size before the change and after the change. To learn more about change history, see [Get resource changes](../../governance/resource-graph/how-to/get-resource-changes.md). ![Screenshot that shows the Change history page showing differences.](media/activity-log/change-history-event-details.png) |
azure-monitor | Data Collection Rule Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/data-collection-rule-overview.md | The following resources describe different scenarios for creating DCRs. In some | Azure Monitor Agent | [Configure data collection for Azure Monitor Agent](../agents/data-collection-rule-azure-monitor-agent.md) | Use the Azure portal to create a DCR that specifies events and performance counters to collect from a machine with Azure Monitor Agent. Then apply that rule to one or more virtual machines. Azure Monitor Agent will be installed on any machines that don't currently have it. | | | [Use Azure Policy to install Azure Monitor Agent and associate with a DCR](../agents/azure-monitor-agent-manage.md#use-azure-policy) | Use Azure Policy to install Azure Monitor Agent and associate one or more DCRs with any virtual machines or virtual machine scale sets as they're created in your subscription. | Custom logs | [Configure custom logs by using the Azure portal](../logs/tutorial-logs-ingestion-portal.md)<br>[Configure custom logs by using Azure Resource Manager templates and the REST API](../logs/tutorial-logs-ingestion-api.md) | Send custom data by using a REST API. The API call connects to a data collection endpoint and specifies a DCR to use. The DCR specifies the target table and potentially includes a transformation that filters and modifies the data before it's stored in a Log Analytics workspace. |+| Azure Event Hubs | [Ingest events from Azure Event Hubs to Azure Monitor Logs](../logs/ingest-logs-event-hub.md)| Collect data from multiple sources to an event hub and ingest the data you need directly into tables in one or more Log Analytics workspaces. 
This is a highly scalable method of collecting data from a wide range of sources with minimum configuration.| | Workspace transformation | [Configure ingestion-time transformations by using the Azure portal](../logs/tutorial-workspace-transformations-portal.md)<br>[Configure ingestion-time transformations by using Azure Resource Manager templates and the REST API](../logs/tutorial-workspace-transformations-api.md) | Create a transformation for any supported table in a Log Analytics workspace. The transformation is defined in a DCR that's then associated with the workspace. It's applied to any data sent to that table from a legacy workload that doesn't use a DCR. | ## Work with data collection rules When you use programmatic methods to create DCRs and associations, you require t | Built-in role | Scopes | Reason | |:|:|:|-| [Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) | <ul><li>Subscription and/or</li><li>Resource group and/or </li><li>An existing DCR</li></ul> | Create or edit DCRs, assign rules to the machine, deploy associations ). | +| [Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) | <ul><li>Subscription and/or</li><li>Resource group and/or </li><li>An existing DCR</li></ul> | Create or edit DCRs, assign rules to the machine, deploy associations). | | [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor)<br>[Azure Connected Machine Resource Administrator](../../role-based-access-control/built-in-roles.md#azure-connected-machine-resource-administrator)</li></ul> | <ul><li>Virtual machines, virtual machine scale sets</li><li>Azure Arc-enabled servers</li></ul> | Deploy agent extensions on the VM. | | Any role that includes the action *Microsoft.Resources/deployments/** | <ul><li>Subscription and/or</li><li>Resource group and/or </li><li>An existing DCR</li></ul> | Deploy Azure Resource Manager templates. 
| |
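Review bot: the `+` row for Monitoring Contributor only removes the space before the closing parenthesis in "deploy associations)." but the parenthesis still has no opening counterpart; drop the `)` altogether so the cell reads "Create or edit DCRs, assign rules to the machine, deploy associations." The new Azure Event Hubs row otherwise reads fine.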
azure-monitor | Ingest Logs Event Hub | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/ingest-logs-event-hub.md | + + Title: Ingest events from Azure Event Hubs into Azure Monitor Logs +description: Ingest logs from Event Hubs into Azure Monitor Logs +++++ Last updated : 09/20/2022+++# customer-intent: As a DevOps engineer, I want to ingest data from an event hub into a Log Analytics workspace so that I can monitor logs that I send to Azure Event Hubs. ++++# Tutorial: Ingest events from Azure Event Hubs into Azure Monitor Logs ++[Azure Event Hubs](../../event-hubs/event-hubs-about.md) is a big data streaming platform that collects events from multiple sources to be ingested by Azure and external services. This article explains how to ingest data directly from an event hub into a Log Analytics workspace. +++In this tutorial, you learn how to: ++> [!div class="checklist"] +> * Create a destination table for event hub data in your Log Analytics workspace +> * Create a data collection endpoint +> * Create a data collection rule +> * Grant the data collection rule permissions to the event hub +> * Associate the data collection rule with the event hub ++## Prerequisites ++To send events from Azure Event Hubs to Azure Monitor Logs, you need these resources, *all in the same region*: ++- [Log Analytics workspace](../logs/quick-create-workspace.md) where you have at least [contributor rights](../logs/manage-access.md#azure-rbac). +- Your Log Analytics workspace needs to be [linked to a dedicated cluster](../logs/logs-dedicated-clusters.md#link-a-workspace-to-a-cluster) or to have a [commitment tier](../logs/cost-logs.md#commitment-tiers). +- [Event Hubs namespace](/azure/event-hubs/event-hubs-features#namespace) that permits public network access. Private Link and Network Security Perimeters (NSP) are currently not supported. +- [Event hub](/azure/event-hubs/event-hubs-create) with events. 
You can send events to your event hub by following the steps in [Send and receive events in Azure Event Hubs tutorials](../../event-hubs/event-hubs-create.md#next-steps) or by [configuring the diagnostic settings of Azure resources](../essentials/diagnostic-settings.md#create-diagnostic-settings). ++## Supported regions ++Azure Monitor currently supports ingestion from Event Hubs in these regions: ++| Americas | Europe | Middle East | Africa | Asia Pacific | +| - | - | - | - | - | +| Brazil South | France Central | Qatar Central | South Africa North | Australia Central | +| Brazil Southeast | France South | UAE Central | South Africa West | Australia Central 2 | +| Canada Central | Germany North | UAE North | | Australia East | +| Canada East | Germany West Central | | | Central India | +| Central US | North Europe | | | East Asia | +| East US | Norway East | | | Japan East | +| East US 2 | Norway West | | | Japan West | +| North Central US | Poland Central | | | Jio India Central | +| South Central US | Sweden Central | | | Jio India West | +| West Central US | Sweden South | | | South India | +| West US | Switzerland North | | | | +| West US 2 | Switzerland West | | | | +| West US 3 | UK South | | | | +| | UK West | | | | +| | West Europe | | | | +++## Collect required information ++You need your subscription ID, resource group name, workspace name, workspace resource ID, and event hub resource ID in subsequent steps: ++1. Navigate to your workspace in the **Log Analytics workspaces** menu and select **Properties** and copy your **Subscription ID**, **Resource group**, and **Workspace name**. You'll need these details to create resources in this tutorial. 
++ :::image type="content" source="media/ingest-logs-event-hub/create-custom-table-prepare.png" lightbox="media/ingest-logs-event-hub/create-custom-table-prepare.png" alt-text="Screenshot showing Log Analytics workspace overview screen with subscription ID, resource group name, and workspace name highlighted."::: ++1. Select **JSON** to open the **Resource JSON** screen and copy the workspace's **Resource ID**. You'll need the workspace resource ID to create a data collection rule. ++ :::image type="content" source="media/ingest-logs-event-hub/log-analytics-workspace-id.png" lightbox="media/ingest-logs-event-hub/log-analytics-workspace-id.png" alt-text="Screenshot showing the Resource JSON screen with the workspace resource ID highlighted."::: ++1. Navigate to your event hub instance, select **JSON** to open the **Resource JSON** screen, and copy the event hub's **Resource ID**. You'll need the event hub's resource ID to associate the data collection rule with the event hub. ++ :::image type="content" source="media/ingest-logs-event-hub/event-hub-resource-id.png" lightbox="media/ingest-logs-event-hub/event-hub-resource-id.png" alt-text="Screenshot showing the Resource JSON screen with the event hub resource ID highlighted."::: +## Create a destination table in your Log Analytics workspace ++Before you can ingest data, you need to set up a destination table. You can ingest data into custom tables and [supported Azure tables](../logs/logs-ingestion-api-overview.md#supported-tables). ++To create a custom table into which to ingest events, in the Azure portal: ++1. Select the **Cloud Shell** button and ensure the environment is set to **PowerShell**. ++ :::image type="content" source="media/ingest-logs-event-hub/create-custom-table-open-cloud-shell.png" lightbox="media/ingest-logs-event-hub/create-custom-table-open-cloud-shell.png" alt-text="Screenshot showing how to open Cloud Shell."::: +++1. 
Run this PowerShell command to create the table, providing the table name (`<table_name>`) in the JSON, and setting the `<subscription_id>`, `<resource_group_name>`, `<workspace_name>`, and `<table_name>` values in the `Invoke-AzRestMethod -Path` command: ++ ```PowerShell + $tableParams = @' + { + "properties": { + "schema": { + "name": "<table_name>", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "description": "The time at which the data was ingested." + }, + { + "name": "RawData", + "type": "string", + "description": "Body of the event." + }, + { + "name": "Properties", + "type": "dynamic", + "description": "Additional message properties." + } + ] + } + } + } + '@ + + Invoke-AzRestMethod -Path "/subscriptions/<subscription_id>/resourcegroups/<resource_group_name>/providers/microsoft.operationalinsights/workspaces/<workspace_name>/tables/<table_name>?api-version=2021-12-01-preview" -Method PUT -payload $tableParams + ``` ++> [!IMPORTANT] +> - Column names must start with a letter and can consist of up to 45 alphanumeric characters and the characters `_` and `-`. +> - The following are reserved column names: `Type`, `TenantId`, `resource`, `resourceid`, `resourcename`, `resourcetype`, `subscriptionid`, `tenanted`. +> - Column names are case-sensitive. Make sure to use the correct case in your data collection rule. ++## Create a data collection endpoint ++To collect data with a data collection rule, you need a data collection endpoint: ++1. [Create a data collection endpoint](../essentials/data-collection-endpoint-overview.md#create-a-data-collection-endpoint). ++ > [!IMPORTANT] + > Create the data collection endpoint in the same region as your Log Analytics workspace. ++1. From the data collection endpoint's Overview screen, select **JSON View**. 
++ :::image type="content" source="media/ingest-logs-event-hub/data-collection-endpoint-details.png" lightbox="media/ingest-logs-event-hub/data-collection-rule-details.png" alt-text="Screenshot that shows the data collection endpoint Overview screen."::: ++1. Copy the **Resource ID** for the data collection rule. You'll use this information in the next step. ++ :::image type="content" source="media/ingest-logs-event-hub/data-collection-rule-json-view.png" lightbox="media/ingest-logs-event-hub/data-collection-rule-json-view.png" alt-text="Screenshot that shows the data collection endpoint JSON view."::: + +## Create a data collection rule ++Azure Monitor uses [data collection rules](../essentials/data-collection-rule-overview.md) to define which data to collect, how to transform that data, and where to send the data. ++To create a data collection rule in the Azure portal: ++1. In the portal's search box, type in *template* and then select **Deploy a custom template**. ++ :::image type="content" source="media/tutorial-workspace-transformations-api/deploy-custom-template.png" lightbox="media/tutorial-workspace-transformations-api/deploy-custom-template.png" alt-text="Screenshot to deploy custom template."::: ++1. Select **Build your own template in the editor**. ++ :::image type="content" source="media/tutorial-workspace-transformations-api/build-custom-template.png" lightbox="media/tutorial-workspace-transformations-api/build-custom-template.png" alt-text="Screenshot to build template in the editor."::: ++1. Paste the Resource Manager template below into the editor and then select **Save**. 
++ :::image type="content" source="media/tutorial-workspace-transformations-api/edit-template.png" lightbox="media/tutorial-workspace-transformations-api/edit-template.png" alt-text="Screenshot to edit Resource Manager template."::: ++ Notice the following details in the data collection rule below: ++ - `identity` - Defines which type of [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) to use. In our example, we use system-assigned identity. You can also [configure user-assigned managed identity](#configure-user-assigned-managed-identity-optional). + + - `dataCollectionEndpointId` - Resource ID of the data collection endpoint. + - `streamDeclarations` - Defines which data to ingest from the event hub (incoming data). The stream declaration can't be modified. + + - `TimeGenerated` - The time at which the data was ingested from event hub to Azure Monitor Logs. + - `RawData` - Body of the event. For more information, see [Read events](../../event-hubs/event-hubs-features.md#read-events). + - `Properties` - User properties from the event. For more information, see [Read events](../../event-hubs/event-hubs-features.md#read-events). + + - `datasources` - Specifies the [event hub consumer group](../../event-hubs/event-hubs-features.md#consumer-groups) and the stream to which you ingest the data. + - `destinations` - Specifies all of the destinations where the data will be sent. You can [ingest data to one or more Log Analytics workspaces](../essentials/data-collection-transformations.md#). + - `dataFlows` - Matches the stream with the destination workspace and specifies the transformation query and the destination table. In our example, we ingest data to the custom table we created previously. You can also [ingest into a supported Azure table](#ingest-log-data-into-an-azure-table-optional). + - `transformKql` - Specifies a transformation to apply to the incoming data (stream declaration) before it's sent to the workspace. 
In our example, we set `transformKql` to `source`, which doesn't modify the data from the source in any way, because we're mapping incoming data to a custom table we've created specifically with the corresponding schema. If you're ingesting data to a table with a different schema or to filter data before ingestion, [define a data collection transformation](../essentials/data-collection-transformations.md#multiple-destinations). ++ ```json + { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "dataCollectionRuleName": { + "type": "string", + "metadata": { + "description": "Specifies the name of the data collection Rule to create." + } + }, + "workspaceResourceId": { + "type": "string", + "metadata": { + "description": "Specifies the Azure resource ID of the Log Analytics workspace to use." + } + }, + "endpointResourceId": { + "type": "string", + "metadata": { + "description": "Specifies the Azure resource ID of the data collection endpoint to use." + } + }, + "tableName": { + "type": "string", + "metadata": { + "description": "Specifies the name of the table in the workspace." + } + }, + "consumerGroup": { + "type": "string", + "metadata": { + "description": "Specifies the consumer group of event hub." 
+ }, + "defaultValue": "$Default" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/dataCollectionRules", + "name": "[parameters('dataCollectionRuleName')]", + "location": "[resourceGroup().location]", + "apiVersion": "2022-06-01", + "identity": { + "type": "systemAssigned" + }, + "properties": { + "dataCollectionEndpointId": "[parameters('endpointResourceId')]", + "streamDeclarations": { + "Custom-MyEventHubStream": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "RawData", + "type": "string" + }, + { + "name": "Properties", + "type": "dynamic" + } + ] + } + }, + "dataSources": { + "dataImports": { + "eventHub": { + "consumerGroup": "[parameters('consumerGroup')]", + "stream": "Custom-MyEventHubStream", + "name": "myEventHubDataSource1" + } + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[parameters('workspaceResourceId')]", + "name": "MyDestination" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-MyEventHubStream" + ], + "destinations": [ + "MyDestination" + ], + "transformKql": "source", + "outputStream": "[concat('Custom-', parameters('tableName'))]" + } + ] + } + } + ] + } + ``` +1. On the **Custom deployment** screen, specify a **Subscription** and **Resource group** to store the data collection rule and then provide values for the parameters defined in the template, including: ++ - **Region** - Region for the data collection rule. Populated automatically based on the resource group you select. + - **Data Collection Rule Name** - Give the rule a name. + - **Workspace Resource ID** - See [Collect required information](#collect-required-information). + - **Endpoint Resource ID** - Generated when you [create the data collection endpoint](#create-a-data-collection-endpoint). + - **Table Name** - The name of the destination table. In our example, and whenever you use a custom table, the table name must end with the suffix *_CL*. 
If you're ingesting data to an Azure table, enter the table name - for example, `Syslog` - without the suffix. + - **Consumer Group** - By default, the consumer group is set to `$Default`. If needed, change the value to a different [event hub consumer group](../../event-hubs/event-hubs-features.md#consumer-groups). ++ :::image type="content" source="media/ingest-logs-event-hub/data-collection-rule-custom-template-deployment.png" lightbox="media/ingest-logs-event-hub/data-collection-rule-custom-template-deployment.png" alt-text="Screenshot showing the Custom Template Deployment screen with the deployment values for the data collection rule set up in this tutorial."::: ++1. Select **Review + create** and then **Create** when you review the details. ++1. When the deployment is complete, expand the **Deployment details** box, and select your data collection rule to view its details. Select **JSON View**. ++ :::image type="content" source="media/ingest-logs-event-hub/data-collection-rule-details.png" lightbox="media/ingest-logs-event-hub/data-collection-rule-details.png" alt-text="Screenshot that shows the Data Collection Rule Overview screen."::: ++1. Copy the **Resource ID** for the data collection rule. You'll use this information in the next step. 
++ :::image type="content" source="media/ingest-logs-event-hub/data-collection-rule-json-view.png" lightbox="media/ingest-logs-event-hub/data-collection-rule-json-view.png" alt-text="Screenshot that shows the data collection rule JSON view."::: ++### Configure user-assigned managed identity (optional) ++To configure your data collection rule to support [user-assigned identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md), in the example above, replace: ++```json + "identity": { + "type": "systemAssigned" + }, +``` ++with: ++```json + "identity": { + "type": "userAssigned", + "userAssignedIdentities": { + "<identity_resource_Id>": { + } + } + }, +``` ++To find the `<identity_resource_Id>` value, navigate to your user-assigned managed identity resource in the Azure portal, select **JSON** to open the **Resource JSON** screen and copy the managed identity's **Resource ID**. +++### Ingest log data into an Azure table (optional) ++To ingest data into a [supported Azure table](../logs/logs-ingestion-api-overview.md#supported-tables): ++1. In the data collection rule, change `outputStream`: ++ From: `"outputStream": "[concat('Custom-', parameters('tableName'))]"` + + To: `"outputStream": "outputStream": "[concat(Microsoft-', parameters('tableName'))]"` + +1. In `transformKql`, [define a transformation](../essentials/data-collection-transformations-structure.md#transformation-structure) that sends the ingested data into the target columns in the destination Azure table. +## Grant the event hub permission to the data collection rule ++With [managed identity](../../active-directory/managed-identities-azure-resources/overview.md), you can give any event hub, or Event Hubs namespace, permission to send events to the data collection rule and data collection endpoint you created. When you grant the permissions to the Event Hubs namespace, all event hubs within the namespace inherit the permissions. ++1. 
From the event hub or Event Hubs namespace in the Azure portal, select **Access Control (IAM)** > **Add role assignment**. ++ :::image type="content" source="media/ingest-logs-event-hub/event-hub-add-role-assignment.png" lightbox="media/ingest-logs-event-hub/event-hub-add-role-assignment.png" alt-text="Screenshot that shows the Access control screen for the data collection rule."::: ++2. Select **Azure Event Hubs Data Receiver** and select **Next**. ++ :::image type="content" source="media/ingest-logs-event-hub/event-hub-data-receiver-role-assignment.png" lightbox="media/ingest-logs-event-hub/event-hub-data-receiver-role-assignment.png" alt-text="Screenshot that shows the Add Role Assignment screen for the event hub with the Azure Event Hubs Data Receiver role highlighted."::: ++3. Select **User, group, or service principal** for **Assign access to** and click **Select members**. Select your DCR and click **Select**. ++ :::image type="content" source="media/ingest-logs-event-hub/event-hub-add-role-assignment-select-member.png" lightbox="media/ingest-logs-event-hub/event-hub-add-role-assignment-select-member.png" alt-text="Screenshot that shows the Members tab of the Add Role Assignment screen."::: +++4. Select **Review + assign** and verify the details before saving your role assignment. ++ :::image type="content" source="media/ingest-logs-event-hub/event-hub-add-role-assignment-save.png" lightbox="media/ingest-logs-event-hub/event-hub-add-role-assignment-save.png" alt-text="Screenshot that shows the Review and Assign tab of the Add Role Assignment screen."::: +++## Associate the data collection rule with the event hub ++The final step is to associate the data collection rule to the event hub from which you want to collect events. ++You can associate a single data collection rule with multiple event hubs that share the same [consumer group](../../event-hubs/event-hubs-features.md#consumer-groups) and ingest data to the same stream. 
Alternatively, you can associate a unique data collection rule to each event hub. ++> [!IMPORTANT] +> You must associate at least one data collection rule to the event hub to ingest data from an event hub. When you delete all data collection rule associations related to the event hub, you'll stop ingesting data from the event hub. ++To create a data collection rule association in the Azure portal: ++1. In the Azure portal's search box, type in *template* and then select **Deploy a custom template**. ++1. Select **Build your own template in the editor**. ++1. Paste the Resource Manager template below into the editor and then select **Save**. ++ ```JSON + { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "eventHubResourceID": { + "type": "string", + "metadata": { + "description": "Specifies the Azure resource ID of the event hub to use." + } + }, + "associationName": { + "type": "string", + "metadata": { + "description": "The name of the association." + } + }, + "dataCollectionRuleID": { + "type": "string", + "metadata": { + "description": "The resource ID of the data collection rule." + } + } + }, + "resources": [ + { + "type": "Microsoft.Insights/dataCollectionRuleAssociations", + "apiVersion": "2021-09-01-preview", + "scope": "[parameters('eventHubResourceId')]", + "name": "[parameters('associationName')]", + "properties": { + "description": "Association of data collection rule. Deleting this association will break the data collection for this event hub.", + "dataCollectionRuleId": "[parameters('dataCollectionRuleId')]" + } + } + ] + } + ``` ++1. On the **Custom deployment** screen, specify a **Subscription** and **Resource group** to store the data collection rule association and then provide values for the parameters defined in the template, including: ++ - **Region** - Populated automatically based on the resource group you select. 
+ - **Event Hub Resource ID** - See [Collect required information](#collect-required-information). + - **Association Name** - Give the association a name. + - **Data Collection Rule ID** - Generated when you [create the data collection rule](#create-a-data-collection-rule). + + :::image type="content" source="media/ingest-logs-event-hub/data-collection-rule-association-custom-template-deployment.png" lightbox="media/ingest-logs-event-hub/data-collection-rule-association-custom-template-deployment.png" alt-text="Screenshot showing the Custom Template Deployment screen with the deployment values for the data collection rule association set up in this tutorial."::: ++1. Select **Review + create** and then **Create** when you review the details. +++## Check your destination table for ingested events ++Now that you've associated the data collection rule with your event hub, Azure Monitor Logs will ingest all existing events whose [retention period](/azure/event-hubs/event-hubs-features#event-retention) hasn't expired and all new events. ++To check your destination table for ingested events: ++1. Navigate to your workspace and select **Logs**. +1. Write a simple query in the query editor and select **Run**: ++ ```kusto + <table_name> + ``` + + You should see events from your event hub. +` + :::image type="content" source="media/ingest-logs-event-hub/log-analytics-query-results-with-events.png" lightbox="media/ingest-logs-event-hub/log-analytics-query-results-with-events.png" alt-text="Screenshot showing the results of a simple query on a custom table. The results consist of events ingested from an event hub."::: ++## Clean up resources ++In this tutorial, you created the following resources: ++- Custom table +- Data collection endpoint +- Data collection rule +- Data collection rule association ++Evaluate whether you still need these resources. Delete the resources you don't need individually, or delete all of these resources at once by deleting the resource group. 
Resources you leave running can cost you money. ++To stop ingesting data from the event hub, [delete all data collection rule associations](/rest/api/monitor/data-collection-rule-associations/delete) related to the event hub, or [delete the data collection rules](/rest/api/monitor/data-collection-rules/delete) themselves. These actions also reset event hub [checkpointing](/azure/event-hubs/event-hubs-features#checkpointing). ++## Known issues and limitations ++- If you transfer a subscription between Azure AD directories, you need to follow the steps described in [Known issues with managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/known-issues#transferring-a-subscription-between-azure-ad-directories) to continue ingesting data. +- You can ingest messages of up to 64 KB from Event Hubs to Azure Monitor Logs. ++## Next steps ++Learn more about to: ++- [Create a custom table](../logs/create-custom-table.md#create-a-custom-table). +- [Create a data collection endpoint](../essentials/data-collection-endpoint-overview.md#create-a-data-collection-endpoint). +- [Update an existing data collection rule](../essentials/data-collection-rule-edit.md). |
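Review bot: the replacement value in "Ingest log data into an Azure table (optional)" is malformed: `"outputStream": "outputStream": "[concat(Microsoft-', parameters('tableName'))]"` repeats the key and drops the opening quote of the `Microsoft-` literal, so anyone who pastes it gets invalid JSON and an ARM expression that won't parse; it should read `"outputStream": "[concat('Microsoft-', parameters('tableName'))]"`. In "Create a data collection endpoint", step 3 tells the reader to copy the Resource ID "for the data collection rule" and both screenshots point at `data-collection-rule-*.png` files (the first image's `source` and `lightbox` even name different files), although this section is about the endpoint; the text should say data collection endpoint and the image references should match. In the association template the parameters are declared as `eventHubResourceID` and `dataCollectionRuleID` but referenced as `parameters('eventHubResourceId')` and `parameters('dataCollectionRuleId')`; keep the casing identical so the two read as the same name. Smaller points: the reserved column name `tenanted` listed next to `TenantId` looks like a typo; the `data-collection-transformations.md#` link has an empty anchor; step 3 under "Grant the event hub permission" introduces the abbreviation "DCR" without defining it and that list is numbered 1, 2, 3, 4 while every other list in the article uses `1.` throughout; there is a stray backtick on the line before the query-results screenshot; and "Learn more about to:" under Next steps is missing a word ("Learn how to:").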
azure-monitor | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/overview.md | Click on the picture to see a larger version of the data collection diagram in c |Internal| Data is automatically sent to a destination without user configuration. | |[Diagnostic settings](essentials/diagnostic-settings.md)|Use diagnostic settings to determine where to send resource log and activity log data on the data platform.| |[Azure Monitor REST API](logs/logs-ingestion-api-overview.md)|The Logs Ingestion API in Azure Monitor lets you send data to a Log Analytics workspace in Azure Monitor Logs. You can also send metrics into the Azure Monitor Metrics store using the custom metrics API.|+|[Azure Event Hubs](logs/ingest-logs-event-hub.md)|Azure Event Hubs is a big data streaming platform that can collect events from multiple sources. This is a highly scalable method of collecting data from a wide range of sources with minimum configuration. By setting a data collection rule, you can ingest data you need directly from an event hub into Azure Monitor Logs.| A common way to route monitoring data to other non-Microsoft tools is using *Event hubs*. See more in the [Integrate](#integrate) section below. |
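Review bot: in the added Event Hubs row, "you can ingest data you need directly from an event hub" should read "ingest the data you need directly", and "minimum configuration" should be "minimal configuration". The row also writes "Azure Event Hubs" while the unchanged sentence right after it writes "*Event hubs*"; pick one spelling for the product name.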
azure-monitor | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/whats-new.md | This article lists significant changes to Azure Monitor documentation. > Get notified when this page is updated by copying and pasting the following URL into your feed reader: > > !["An rss icon"](./media//whats-new/rss.png) https://aka.ms/azmon/rss++## June 2023 ++|Subservice| Article | Description | +|||| +General|[What's new in Azure Monitor documentation](whats-new.md)| Subscribe to "What's New" using the new RSS link| +Application-Insights|[Filter and preprocess telemetry in the Application Insights SDK](app/api-filtering-sampling.md)|An Azure Monitor Telemetry Data Types Reference has been added for quick reference.| +Application-Insights|[Add and modify OpenTelemetry](app/opentelemetry-add-modify.md)|We've simplified the OpenTelemetry onboarding process by moving instructions to add and modify telemetry in this new document.| +Application-Insights|[Application Map: Triage distributed applications](app/app-map.md)|Application Map Intelligent View has reached general availability. 
Enjoy this powerful tool that harnesses machine learning to aid in service health investigations.| +Application-Insights|[Usage analysis with Application Insights](app/usage-overview.md)|Code samples have been updated for the latest versions of .NET.| +Application-Insights|[Enable a framework extension for Application Insights JavaScript SDK](app/javascript-framework-extensions.md)|All JavaScript SDK documentation has been updated and simplified, including documentation for feature and framework extensions.| +Autoscale|[Use autoscale actions to send email and webhook alert notifications in Azure Monitor](autoscale/autoscale-webhook-email.md)|Article updated and refreshed| +Containers|[Query logs from Container insights](containers/container-insights-log-query.md#container-logs)|New section: Container logs, with sample queries| +Containers|[Authentication for Container Insights](containers/container-insights-authentication.md)|New article: Configure agent authentication for the Container Insights agent| +Essentials|[Azure monitoring REST API walkthrough](essentials/rest-api-walkthrough.md)|Added multi resource request examples| +Essentials|[Azure Monitor managed service for Prometheus rule groups](essentials/prometheus-rule-groups.md)| Added CLI & PowerShell reference and examples| +Logs|[Set up resources required to send data to Azure Monitor Logs using the Logs Ingestion API](logs/set-up-logs-ingestion-api-prerequisites.md)|New article. Run a PowerShell script to set up resources required to send data to Azure Monitor using the Logs Ingestion API.| +Logs|[Migrate from the HTTP Data Collector API to the Log Ingestion API to send data to Azure Monitor Logs](logs/custom-logs-migrate.md)|Updated guidance for migrating from the legacy Azure Monitor Data Collector API to the Log Ingestion API.| +Logs|[Detect and mitigate potential issues using AIOps and machine learning in Azure Monitor](logs/aiops-machine-learning.md)|New article. 
Lists Azure Monitor AIOps features and explains how to implement a machine learning pipeline on data in Azure Monitor Logs.| +Logs|[Tutorial: Analyze data in Azure Monitor Logs using a notebook](logs/notebooks-azure-monitor-logs.md)|New tutorial. Explains how to integrate a notebook with a Log Analytics workspace to create a machine learning pipeline or perform advanced analysis on data in Azure Monitor Logs. | +Virtual-Machines|[Tutorial: Create availability alert rule for multiple Azure virtual machines (preview)](vm/tutorial-monitor-vm-alert-availability.md)|New article with consolidated list of best practices for monitoring VMs organized by WAF pillar.| + ## May 2023 |Subservice| Article | Description | Alerts|[Monitor Azure AD B2C with Azure Monitor](https://learn.microsoft.com/azu Alerts|[Create a new alert rule](alerts/alerts-create-new-alert-rule.md)|Alert rules that use action groups support custom properties to add custom information to the alert notification payload.| Application-Insights|[Feature extensions for the Application Insights JavaScript SDK (Click Analytics)](app/javascript-feature-extensions.md)|Most of our JavaScript SDK documentation has been updated and overhauled.| Application-Insights|[Analyze product usage with HEART](app/usage-heart.md)|Updated and overhauled HEART framework documentation.|-Application-Insights|[Dependency tracking in Application Insights](app/asp-net-dependencies.md)|All new documentation supports the Azure Monitor OpenTelemetry Distro public preview release announced on May 10th, 2023. 
[Public Preview: Azure Monitor OpenTelemetry Distro for ASP.NET Core, JavaScript (Node.js), Python](https://azure.microsoft.com/updates/public-preview-azure-monitor-opentelemetry-distro-for-aspnet-core-javascript-nodejs-python)| +Application-Insights|[Dependency tracking in Application Insights](app/asp-net-dependencies.md)|All new documentation supports the Azure Monitor OpenTelemetry Distro public preview release announced on May 10, 2023. [Public Preview: Azure Monitor OpenTelemetry Distro for ASP.NET Core, JavaScript (Node.js), Python](https://azure.microsoft.com/updates/public-preview-azure-monitor-opentelemetry-distro-for-aspnet-core-javascript-nodejs-python)| Application-Insights|[Application Monitoring for Azure App Service and Java](app/azure-web-apps-java.md)|Added CATALINA_OPTS for Tomcat.| Essentials|[Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Azure Active Directory pod identity (preview)](essentials/prometheus-remote-write-azure-ad-pod-identity.md)|New article: Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Azure Active Directory pod identity| Essentials|[Use private endpoints for Managed Prometheus and Azure Monitor workspace](essentials/azure-monitor-workspace-private-endpoint.md)|New article: Use private endpoints for Managed Prometheus and Azure Monitor workspace| Containers|[Configure Container insights cost-optimization data collection rules |||| Agents|[Tutorial: Transform text logs during ingestion in Azure Monitor Logs](agents/azure-monitor-agent-transformation.md)|New tutorial: How to write a KQL query that transforms text log data and add the transformation to a data collection rule.| Agents|[Azure Monitor Agent overview](agents/agents-overview.md)|SQL Best Practices Assessment now available with Azure Monitor Agent.|-Alerts|[Create a new alert rule](alerts/alerts-create-new-alert-rule.md)|Streamlined alerts documentation, added the common schema definition 
to the common schema article, and moved sample Resource Manager templates for alerts to the "Samples" section.| +Alerts|[Create a new alert rule](alerts/alerts-create-new-alert-rule.md)|Streamlined alerts documentation added the common schema definition to the common schema article, and moved sample Resource Manager templates for alerts to the "Samples" section.| Alerts|[Non-common alert schema definitions for Test Action Group (preview)](alerts/alerts-non-common-schema-definitions.md)|Added a sample payload for the Actual Cost and Forecasted Budget schemas.| Application-Insights|[Live Metrics: Monitor and diagnose with 1-second latency](app/live-stream.md)|Updated Live Metrics "Troubleshooting" section.| Application-Insights|[Application Insights for Azure Virtual Machines and Azure Virtual Machine Scale Sets](app/azure-vm-vmss-apps.md)|Easily monitor your IIS-hosted .NET Framework and .NET Core applications running on Azure Virtual Machines and Azure Virtual Machine Scale Sets by using a new App Insights extension.| |
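Review bot: the `+` line for "Create a new alert rule" drops the comma that the removed line had after "Streamlined alerts documentation", which turns the description into "documentation added the common schema definition ..."; restore the comma or rewrite as "Streamlined the alerts documentation, added the common schema definition to the common schema article, and moved ...". In the June 2023 table, the Virtual-Machines row pairs the title "Tutorial: Create availability alert rule for multiple Azure virtual machines (preview)" with a description about a consolidated list of VM monitoring best practices organized by WAF pillar, which describes a different article; check which one was intended. Several added rows (Autoscale, Containers, Essentials) also end without a period while the rest do.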
azure-netapp-files | Azure Netapp Files Cost Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-cost-model.md | For cost model specific to cross-region replication, see [Cost model for cross-r Azure NetApp Files is billed on provisioned storage capacity, which is allocated by creating capacity pools. Capacity pools are billed monthly based on a set cost per allocated GiB per hour. Capacity pool allocation is measured hourly. -Capacity pools must be at least 4 TiB and can be increased or decreased in 1-TiB intervals. Capacity pools contain volumes that range in size from a minimum of 100 GiB to a maximum of 100 TiB. Volumes are assigned quotas that are subtracted from the capacity poolΓÇÖs provisioned size. For an active volume, capacity consumption against the quota is based on logical (effective) capacity, being active filesystem data or snapshot data. See [How Azure NetApp Files snapshots work](snapshots-introduction.md) for details. +Capacity pools must be at least 2 TiB and can be increased or decreased in 1-TiB intervals. Capacity pools contain volumes that range in size from a minimum of 100 GiB to a maximum of 100 TiB. Volumes are assigned quotas that are subtracted from the capacity poolΓÇÖs provisioned size. For an active volume, capacity consumption against the quota is based on logical (effective) capacity, being active filesystem data or snapshot data. See [How Azure NetApp Files snapshots work](snapshots-introduction.md) for details. ### Pricing examples The capacity consumption that is counted towards the volume quota for the active The following diagram illustrates the concepts. -* Assume a capacity pool with 40 TiB of provisioned capacity. The pool contains three volumes: - * Volume 1 is assigned a quota of 20 TiB and has 13 TiB (12 TiB active, 1-TiB snapshots) of consumption. - * Volume 2 is assigned a quota of 1 TiB and has 450 GiB of consumption. 
- * Volume 3 is assigned a quota of 14 TiB but has 8.8 TiB (8 TiB active, 800-GiB snapshots) of consumption. -* The capacity pool is metered for 40 TiB of capacity (the provisioned amount). 22.25 TiB of capacity is consumed (13 TiB, 450 GiB, and 8.8 TiB of quota from Volumes 1, 2, and 3). The capacity pool has 17.75 TiB of capacity remaining. +* Assume a capacity pool with 10 TiB of provisioned capacity. The pool contains three volumes: + * Volume 1 is assigned a quota of 5 TiB and has 3.5 TiB (3 TiB active, 500 GiB snapshots) of consumption. + * Volume 2 is assigned a quota of 900 GiB and has 400 GiB of consumption. + * Volume 3 is assigned a quota of 4 TiB but is full, with 4 TiB (3.5 TiB active, 500 GiB snapshots) of consumption. +* The capacity pool is metered (and billed) for 10 TiB of capacity (the _provisioned_ amount): + * 9.9 TiB of capacity is _allocated_ (5 TiB, 900 GiB, and 4 TiB of quota from Volumes 1, 2, and 3). + * 7.9 TiB of capacity is used (3.5 TiB, 400 GiB, 4 TiB in Volumes 1, 2, and 3). +* The capacity pool has 100 GiB of unprovisioned capacity remaining. -[ ![Diagram showing capacity pool with three volumes.](../media/azure-netapp-files/azure-netapp-files-capacity-pool-with-three-vols.png) ](../media/azure-netapp-files/azure-netapp-files-capacity-pool-with-three-vols.png#lightbox) ## Next steps |
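Review bot: the unchanged sentence "The following diagram illustrates the concepts." still precedes the example, but the hunk removes the diagram link (`-[ ![Diagram showing capacity pool with three volumes.] ...`) without adding a replacement, so the sentence now points at nothing; either drop or reword it, or add the updated diagram. The rewritten example also mixes decimal and binary units: with 1 TiB = 1024 GiB the allocated quota 5 TiB + 900 GiB + 4 TiB is about 9.88 TiB, the used capacity 3.5 TiB + 400 GiB + 4 TiB is about 7.89 TiB, and the unprovisioned remainder is about 124 GiB, not the 9.9 TiB, 7.9 TiB and 100 GiB stated; either label the figures as approximate or pick quotas that are multiples of 1024 GiB. The `+` line also carries over the garbled apostrophe in "poolΓÇÖs" from the removed line; make sure the file is saved as UTF-8 so it renders as "pool's".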
azure-netapp-files | Azure Netapp Files Solution Architectures | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-solution-architectures.md | This section provides references to SAP on Azure solutions. * [Attach Azure NetApp Files datastores to Azure VMware Solution hosts](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md) * [Attach Azure NetApp Files to Azure VMware Solution VMs - Guest OS Mounts](../azure-vmware/netapp-files-with-azure-vmware-solution.md)-* [Disaster Recovery with Azure NetApp Files, JetStream DR and Azure VMware Solution](../azure-vmware/deploy-disaster-recovery-using-jetstream.md#disaster-recovery-with-azure-netapp-files-jetstream-dr-and-azure-vmware-solution) +* [Deploy disaster recovery using JetStream DR software](../azure-vmware/deploy-disaster-recovery-using-jetstream.md#disaster-recovery-with-azure-netapp-files-jetstream-dr-and-azure-vmware-solution) * [Disaster Recovery with Azure NetApp Files, JetStream DR and AVS (Azure VMware Solution)](https://www.jetstreamsoft.com/portal/jetstream-knowledge-base/disaster-recovery-with-azure-netapp-files-jetstream-dr-and-avs-azure-vmware-solution/) - Jetstream * [Enable App Volume Replication for Horizon VDI on Azure VMware Solution using Azure NetApp Files](https://techcommunity.microsoft.com/t5/azure-migration-and/enable-app-volume-replication-for-horizon-vdi-on-azure-vmware/ba-p/3798178) |
azure-netapp-files | Faq Nfs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-nfs.md | A grace period defines a period of special processing in which clients can try t Azure NetApp Files also supports [breaking file locks](troubleshoot-file-locks.md). +To learn more about file locking in Azure NetApp Files, see [file locking](understand-file-locks.md). + ## Why is the `.snapshot` directory not visible in an NFSv4.1 volume, but it's visible in an NFSv3 volume? By design, the .snapshot directory is never visible to NFSv4.1 clients. By default, the `.snapshot `directory is visible to NFSv3 clients. To hide the `.snapshot` directory from NFSv3 clients, edit the properties of the volume to [hide the snapshot path](snapshots-edit-hide-path.md). |
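Review bot: In the unchanged context under the new link, the inline code span `.snapshot `directory has a stray space inside the backticks and the first mention of the directory in that answer is unformatted (".snapshot directory"); since this hunk touches the section, fix both to `.snapshot` for consistency with the question heading.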
azure-netapp-files | Faq Smb | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-smb.md | Azure NetApp Files also supports [`LOCK` response](/openspecs/windows_protocols/ Azure NetApp Files also supports [breaking file locks](troubleshoot-file-locks.md). +To learn more about file locking in Azure NetApp Files, see [file locking](understand-file-locks.md). + ## What network authentication methods are supported for SMB volumes in Azure NetApp Files? NTLMv2 and Kerberos network authentication methods are supported with SMB volumes in Azure NetApp Files. NTLMv1 and LanManager are disabled and are not supported. |
azure-netapp-files | Understand File Locks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/understand-file-locks.md | + + Title: Understand file locking and lock types in Azure NetApp Files +description: Understand the concept of file locking and the different types of NFS locks. ++documentationcenter: '' +++editor: '' ++ms.assetid: +++ na + Last updated : 06/12/2023+++# Understand file locking and lock types in Azure NetApp Files ++In NAS environments, multiple clients access files in the same volume. The NAS volume isn't application aware, so to protect data against potential corruption when more than one client attempts to write to the same file at the same time, applications send lock requests to the NAS server to prevent other clients from making changes while the file is in use. With NFS, file locking mechanisms depend on the NFS version being used. ++## Lock types ++There are several types of NFS locks, which include: ++**Shared locks:** +Shared locks can be used by multiple processes at the same time and can only be issued if there are no exclusive locks on a file. These locks are intended for read-only work but can be used for writes (such as with a database). ++**Exclusive locks:** +Exclusive locks operate the same as exclusive locks in CIFS/SMB: only one process can use the file when there is an exclusive lock. If any other processes have locked the file, an exclusive lock can't be issued unless that process was [forked](http://linux.die.net/man/2/fork). ++**Delegations:** +Delegations are used only with NFSv4.x and are assigned when the NFS server options are enabled and the client supports NFSv4.x delegations. Delegations provide a way to cache operations on the client side by creating a ΓÇ£softΓÇ¥ lock to the file being used by a client. This improves the performance of specific workloads by reducing the number of calls between the client and server and are similar to SMB opportunistic locks. 
Azure NetApp Files currently doesn't support NFSv4.x delegations. ++**Byte-range locks:** +Rather than locking an entire file, byte-range locks only lock a portion of a file. ++Locking behavior is dependent on the type of lock, the client operating system version and the NFS version being used. Be sure to test locking in your environment to gauge the expected behavior. ++## NFSv3 locking ++NFSv3 uses ancillary protocols like Network Lock Manager (NLM) and Network Status Monitor (NSM) to coordinate file locks between the NFS client and server. These ancillary protocols are defined in [RFC-1813](https://www.ietf.org/rfc/rfc1813.txt), which Azure NetApp Files adheres to. ++NLM helps establish and release locks, while NSM notifies peers of server reboots. With NFSv3 locking, when a client reboots, the server must release the locks. When a server reboots, the client reminds the server of the locks it held ++> [!NOTE] +> In some cases, the NFS lock mechanisms donΓÇÖt communicate properly (such as in the event of a network outage), and stale locks are leftover on the server and must be manually cleared. For more information on this task, see [troubleshoot file locks](troubleshoot-file-locks.md). ++## NFSv4.x locking ++NFSv4.x uses a lease-based locking model that is integrated within the NFS protocol. This means there are no ancillary services to maintain or worry about; all the locking is encapsulated in the NFSv4.x communication. ++Azure NetApp Files supports the NFSv4.x file-locking mechanism, maintaining the state of all file locks under a lease-based model. In accordance with [RFC 8881](https://www.rfc-editor.org/rfc/rfc8881), Azure NetApp Files will "define a single lease period for all state held by an NFS client. If the client doesn't renew its lease within the defined period, all state associated with the client's lease may be released by the server." 
++This means the client can renew its lease explicitly or implicitly by performing an operation, such as reading a file. In addition, Azure NetApp Files defines a grace period, which is a period of special processing in which clients attempt to reclaim their locking state during a server recovery. ++| Term | Definition | +|--| - | +|Lease | The time period in which Azure NetApp Files irrevocably grants a lock to a client.| +| Grace period | The time period in which clients attempt to reclaim their locking state during server recovery in the event of a server outage.| ++## How Azure NetApp Files handles NFSv4.x locks ++Locks are issued by Azure NetApp Files upon client request on a lease basis. The Azure NetApp Files server checks the lease on each client every 30 seconds for changes. In the case of a client reboot, the client can reclaim all the valid locks from the server after it has restarted. If the Azure NetApp Files server reboots, then upon restarting it doesn't issue any new locks to the clients for a grace period of 45 seconds. After that time, locks can be issued to the requesting clients. If the lock can't be re-established during the specified grace period, then the lock expires on its own. This behavior differs from NFSv3 locking, as there won't be stale locks that need to be manually broken. ++## Manually establishing locks on a client ++To test NFS locks, the client must tell the NFS server to establish a lock. However, not all applications use locks. For example, the application ΓÇ£viΓÇ¥ won't lock a file. It creates a hidden swap file, using a dot naming convention, in the same folder and then commits writes to that file when the application is closed. Then the old file is deleted and the swap file gets renamed to the filename. ++There are utilities to manually establish locks, however. For example, [flock](http://man7.org/linux/man-pages/man1/flock.1.html) can lock files. ++To establish a lock on a file, first run exec to assign a numeric ID. 
++```# exec 4<>v4user_file``` ++Use flock to create a shared or exclusive lock on the file. ++```output +# flock ++Usage: + flock [options] <file|directory> <command> [command args] + flock [options] <file|directory> -c <command> + flock [options] <file descriptor number> ++Options: + -s --shared get a shared lock + -x --exclusive get an exclusive lock (default) + -u --unlock remove a lock + -n --nonblock fail rather than wait + -w --timeout <secs> wait for a limited amount of time + -E --conflict-exit-code <number> exit code after conflict or timeout + -o --close close file descriptor before running command + -c --command <command> run a single command string through the shell ++ -h, --help display this help and exit + -V, --version output version information and exit ++# flock -n 4 +``` ++To unlock the file. ++```# flock -u -n 4``` ++Manually locking files allows you to test file open and edit interactions and test the lock break functionality in Azure NetApp Files. ++## Next steps +* [NFS FAQs for Azure NetApp Files](faq-nfs.md) +* [SMB FAQs for Azure NetApp Files](faq-smb.md) +* [Troubleshoot file locks on an Azure NetApp Files volume](troubleshoot-file-locks.md) +* [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md) + |
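Review bot: The NFSv3 locking paragraph ends mid-sentence: "When a server reboots, the client reminds the server of the locks it held" has no terminating period and reads as cut off; consider "...the client reminds the server of the locks it held before the reboot." In the "Manually establishing locks" section, `# exec 4<>v4user_file` and `# flock -u -n 4` are wrapped in single-line triple-backtick fences, which renders as inline code rather than a code block; put each in a proper fenced block with a language tag, consistent with the `output` block between them. The sentence "To unlock the file." is a fragment; "To unlock the file, run:" reads better as the lead-in to the command. Finally, the `-n` flag in `flock -u -n 4` is a no-op for an unlock; `flock -u 4` is sufficient and less confusing for readers who go on to use `-n` for the non-blocking acquire.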
azure-resource-manager | Bicep Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-cli.md | bicep generate-params main.bicep --output-format bicepparam --include-params all The command creates a Bicep parameters file named _main.bicepparam_. The parameter file contains all parameters in the Bicep file, whether configured with default values or not. ```azurecli-bicep generate-params --file main.bicep --outfile main.parameters.json +bicep generate-params main.bicep --outfile main.parameters.json ``` The command creates a parameter file named _main.parameters.json_. The parameter file only contains the parameters without default values configured in the Bicep file. |
azure-resource-manager | Bicep Functions Lambda | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-functions-lambda.md | Namespace: [sys](bicep-functions.md#namespaces-for-functions). | Parameter | Required | Type | Description | |: |: |: |: | | inputArray |Yes |array |The array to filter.|-| lambda expression |Yes |expression |The lambda expression applied to each input array element. If false, the item will be filtered out of the output array.| +| lambda expression |Yes |expression |The lambda expression is applied to each input array element. If the result is true, the item will be included in the output array; otherwise, the item is discarded.| ### Return value |
azure-resource-manager | Delete Resource Group | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/delete-resource-group.md | Title: Delete resource group and resources description: Describes how to delete resource groups and resources. It describes how Azure Resource Manager orders the deletion of resources when a deleting a resource group. It describes the response codes and how Resource Manager handles them to determine if the deletion succeeded. Last updated 04/10/2023-++content_well_notification: + - AI-contribution # Azure Resource Manager resource group and resource deletion This article shows how to delete resource groups and resources. It describes how Azure Resource Manager orders the deletion of resources when you delete a resource group. - ## How order of deletion is determined When you delete a resource group, Resource Manager determines the order to delete resources. It uses the following order: |
azure-resource-manager | Lock Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/lock-resources.md | Title: Protect your Azure resources with a lock description: You can safeguard Azure resources from updates or deletions by locking all users and roles. Last updated 04/06/2023-++content_well_notification: + - AI-contribution # Lock your resources to protect your infrastructure As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions. - You can set locks that prevent either deletions or modifications. In the portal, these locks are called **Delete** and **Read-only**. In the command line, these locks are called **CanNotDelete** and **ReadOnly**. - **CanNotDelete** means authorized users can read and modify a resource, but they can't delete it. |
azure-resource-manager | Manage Resources Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/manage-resources-python.md | Title: Manage resources - Python description: Use Python and Azure Resource Manager to manage your resources. Shows how to deploy and delete resources. Last updated 04/21/2023-++content_well_notification: + - AI-contribution # Manage Azure resources by using Python Learn how to use Azure Python with [Azure Resource Manager](overview.md) to manage your Azure resources. For managing resource groups, see [Manage Azure resource groups by using Python](manage-resource-groups-python.md). - ## Deploy resources to an existing resource group You can deploy Azure resources directly by using Python, or deploy an Azure Resource Manager template (ARM template) to create Azure resources. |
azure-resource-manager | Move Resource Group And Subscription | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/move-resource-group-and-subscription.md | Title: Move resources to a new subscription or resource group description: Use Azure Resource Manager to move resources to a new resource group or subscription. Last updated 04/24/2023-++content_well_notification: + - AI-contribution # Move resources to a new resource group or subscription If your move requires setting up new dependent resources, you'll experience an i Moving a resource only moves it to a new resource group or subscription. It doesn't change the location of the resource. - ## Changed resource ID When you move a resource, you change its resource ID. The standard format for a resource ID is `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}`. When you move a resource to a new resource group or subscription, you change one or more values in that path. |
azure-resource-manager | Tag Resources Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/tag-resources-python.md | Title: Tag resources, resource groups, and subscriptions with Python description: Shows how to use Python to apply tags to Azure resources. Last updated 04/19/2023-++content_well_notification: + - AI-contribution # Apply tags with Python This article describes how to use Python to tag resources, resource groups, and subscriptions. For tag recommendations and limitations, see [Use tags to organize your Azure resources and management hierarchy](tag-resources.md). - ## Prerequisites * Python 3.7 or later installed. To install the latest, see [Python.org](https://www.python.org/downloads/) |
azure-resource-manager | Deploy Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/deploy-python.md | Title: Deploy resources with Python and template description: Use Azure Resource Manager and Python to deploy resources to Azure. The resources are defined in an Azure Resource Manager template. Last updated 04/24/2023-++content_well_notification: + - AI-contribution # Deploy resources with ARM templates and Python This article explains how to use Python with Azure Resource Manager templates (ARM templates) to deploy your resources to Azure. If you aren't familiar with the concepts of deploying and managing your Azure solutions, see [template deployment overview](overview.md). - ## Prerequisites * A template to deploy. If you don't already have one, download and save an [example template](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.storage/storage-account-create/azuredeploy.json) from the Azure Quickstart templates repo. |
azure-video-indexer | Considerations When Use At Scale | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/considerations-when-use-at-scale.md | Starting August 1st 2021, Azure Video Indexer enabled [Reserved Units](/azure/me ## Respect throttling -Azure Video Indexer is built to deal with indexing at scale, and when you want to get the most out of it you should also be aware of the system's capabilities and design your integration accordingly. You don't want to send an upload request for a batch of videos just to discover that some of the movies didn't upload and you are receiving an HTTP 429 response code (too many requests). There is an API request limit of 120 requests per minute. - Azure Video Indexer adds a `retry-after` header in the HTTP response, the header specifies when you should attempt your next retry. Make sure you respect it before trying your next request. +Azure Video Indexer is built to deal with indexing at scale, and when you want to get the most out of it you should also be aware of the system's capabilities and design your integration accordingly. You don't want to send an upload request for a batch of videos just to discover that some of the movies didn't upload and you are receiving an HTTP 429 response code (too many requests). There is an API request limit of 10 requests per second and up to 120 requests per minute. ++Azure Video Indexer adds a `retry-after` header in the HTTP response, the header specifies when you should attempt your next retry. Make sure you respect it before trying your next request. :::image type="content" source="./media/considerations-when-use-at-scale/respect-throttling.jpg" alt-text="Design your integration well, respect throttling"::: |
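Review bot: The new limit sentence "There is an API request limit of 10 requests per second and up to 120 requests per minute" does not say that both limits are enforced together; 10 requests per second sustained would be 600 per minute, so readers need to know that 10/s is a burst ceiling and 120/minute caps sustained throughput (or whichever is the intended relationship). Spell that out, for example "Requests are limited to 10 per second and to 120 per minute; exceeding either limit returns HTTP 429." The following sentence is a comma splice: "Azure Video Indexer adds a `retry-after` header in the HTTP response, the header specifies when..."; split it into two sentences or replace the comma with a semicolon. The same wording is repeated in the video-indexer-use-apis.md hunk below and should be fixed in both places.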
azure-video-indexer | Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/release-notes.md | To stay up-to-date with the most recent Azure Video Indexer developments, this a You can now redact faces with Azure Video Indexer API. For more information see [Redact faces with Azure Video Indexer API](face-redaction-with-api.md). -### Upload a video API request limit increase +### API request limit increase -An upload a video API request limit was increased from 60 to 120 requests per minute. +Video Indexer has increased the API request limit from 60 requests per minute to 120. ## June 2023 |
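Review bot: The rewritten release note "Video Indexer has increased the API request limit from 60 requests per minute to 120" omits the unit on the second number ("to 120 requests per minute") and does not mention the 10 requests per second limit that the considerations-when-use-at-scale.md and video-indexer-use-apis.md hunks in this same change now document; either the release note should state both limits or the other two articles should link here so the three stay consistent.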
azure-video-indexer | Video Indexer Use Apis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/video-indexer-use-apis.md | When you're uploading videos by using the API, you have the following options: * Upload your video from a URL (preferred). * Send the video file as a byte array in the request body. * Use existing an Azure Media Services asset by providing the [asset ID](/azure/media-services/latest/assets-concept). This option is supported in paid accounts only.-* There is an API request limit of 120 requests per minute. -+* There is an API request limit of 10 requests per second and up to 120 requests per minute. + ### Getting JSON output - When you call the API that gets video insights for the specified video, you get a detailed JSON output as the response content. [See details about the returned JSON in this article](video-indexer-output-json-v2.md). |
azure-vmware | Disaster Recovery Using Vmware Site Recovery Manager | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/disaster-recovery-using-vmware-site-recovery-manager.md | Title: Deploy disaster recovery with VMware Site Recovery Manager description: Deploy disaster recovery with VMware Site Recovery Manager (SRM) in your Azure VMware Solution private cloud. Previously updated : 4/12/2023 Last updated : 7/5/2023 -# Deploy disaster recovery with VMware Site Recovery Manager +# Deploy disaster recovery with VMware Site Recovery Manager (SRM) -This article explains how to implement disaster recovery for on-premises VMware virtual machines (VMs) or Azure VMware Solution-based VMs. The solution in this article uses [VMware Site Recovery Manager (SRM)](https://docs.vmware.com/en/Site-Recovery-Manager/https://docsupdatetracker.net/index.html) and vSphere Replication with Azure VMware Solution. Instances of SRM and replication servers are deployed at both the protected and the recovery sites. +This article explains how to implement disaster recovery for on-premises VMware vSphere virtual machines (VMs) or Azure VMware Solution-based VMs. The solution in this article uses [VMware Site Recovery Manager (SRM)](https://docs.vmware.com/en/Site-Recovery-Manager/https://docsupdatetracker.net/index.html) and vSphere Replication with Azure VMware Solution. Instances of VMware SRM and replication servers are deployed at both the protected and the recovery sites. -SRM is a disaster recovery solution designed to minimize downtime of the virtual machines in an Azure VMware Solution environment if there was a disaster. SRM automates and orchestrates failover and failback, ensuring minimal downtime in a disaster. Also, built-in non-disruptive testing ensures your recovery time objectives are met. Overall, SRM simplifies management through automation and ensures fast and highly predictable recovery times. 
+VMware SRM is a disaster recovery solution designed to minimize downtime of the virtual machines in an Azure VMware Solution environment if there was a disaster. VMware SRM automates and orchestrates failover and failback, ensuring minimal downtime in a disaster. Also, built-in non-disruptive testing ensures your recovery time objectives are met. Overall, VMware SRM simplifies management through automation and ensures fast and highly predictable recovery times. -vSphere Replication is VMware's hypervisor-based replication technology for vSphere VMs. It protects VMs from partial or complete site failures. In addition, it simplifies DR protection through storage-independent, VM-centric replication. vSphere Replication is configured on a per-VM basis, allowing more control over which VMs are replicated. +VMware vSphere Replication is VMware's hypervisor-based replication technology for VMware vSphere VMs. It protects VMs from partial or complete site failures. In addition, it simplifies DR protection through storage-independent, VM-centric replication. VMware vSphere Replication is configured on a per-VM basis, allowing more control over which VMs are replicated. -In this article, you'll implement disaster recovery for on-premises VMware virtual machines (VMs) or Azure VMware Solution-based VMs. +In this article, you'll implement disaster recovery for on-premises VMware vSphere virtual machines (VMs) or Azure VMware Solution-based VMs. ## Supported scenarios -SRM helps you plan, test, and run the recovery of VMs between a protected vCenter Server site and a recovery vCenter Server site. You can use SRM with Azure VMware Solution with the following two DR scenarios: +VMware SRM helps you plan, test, and run the recovery of VMs between a protected VMware vCenter Server site and a recovery VMware vCenter Server site. 
You can use VMware SRM with Azure VMware Solution with the following two DR scenarios: - On-premises VMware to Azure VMware Solution private cloud disaster recovery - Primary Azure VMware Solution to Secondary Azure VMware Solution private cloud disaster recovery The diagram shows the deployment of the primary Azure VMware Solution to secondary Azure VMware Solution scenario. -You can use SRM to implement different types of recovery, such as: +You can use VMware SRM to implement different types of recovery, such as: - **Planned migration** commences when both primary and secondary Azure VMware Solution sites are running and fully functional. It's an orderly migration of virtual machines from the protected site to the recovery site where no data loss is expected when migrating workloads in an orderly fashion. -- **Disaster recovery** using SRM can be invoked when the protected Azure VMware Solution site goes offline unexpectedly. Site Recovery Manager orchestrates the recovery process with the replication mechanisms to minimize data loss and system downtime.+- **Disaster recovery** using SRM can be invoked when the protected Azure VMware Solution site goes offline unexpectedly. VMware Site Recovery Manager orchestrates the recovery process with the replication mechanisms to minimize data loss and system downtime. - In Azure VMware Solution, only individual VMs can be protected on a host by using SRM in combination with vSphere Replication. + In Azure VMware Solution, only individual VMs can be protected on a host by using VMware SRM in combination with VMware vSphere Replication. -- **Bidirectional Protection** uses a single set of paired SRM sites to protect VMs in both directions. Each site can simultaneously be a protected site and a recovery site, but for a different set of VMs.+- **Bidirectional Protection** uses a single set of paired VMware SRM sites to protect VMs in both directions. 
Each site can simultaneously be a protected site and a recovery site, but for a different set of VMs. >[!IMPORTANT] >Azure VMware Solution doesn't support: > >- Array-based replication and storage policy protection groups ->- VVOLs Protection Groups ->- SRM IP customization using SRM command-line tools +>- vVOLs Protection Groups +>- VMware SRM IP customization using SRM command-line tools >- One-to-Many and Many-to-One topology ->- Custom SRM plug-in identifier or extension ID +>- Custom VMware SRM plug-in identifier or extension ID ## Deployment workflow The workflow diagram shows the Primary Azure VMware Solution to secondary workfl ## Prerequisites -Make sure you've explicitly provided the remote user the VRM administrator and SRM administrator roles in the remote vCenter Server. +Make sure you've explicitly provided the remote user the VMware VRM administrator and VMware SRM administrator roles in the remote vCenter Server. ### Scenario: On-premises to Azure VMware Solution - Azure VMware Solution private cloud deployed as a secondary region. -- [DNS resolution](configure-dns-azure-vmware-solution.md) to on-premises SRM and virtual cloud appliances.+- [DNS resolution](configure-dns-azure-vmware-solution.md) to on-premises VMware SRM and virtual cloud appliances. >[!NOTE] >For private clouds created on or after July 1, 2021, you can configure private DNS resolution. For private clouds created before July 1, 2021, that need a private DNS resolution, open a [support request](https://rc.portal.azure.com/#create/Microsoft.Support) to request **Private DNS configuration**. -- ExpressRoute connectivity between on-premises and Azure VMware Solution - 2 Gbps.+- ExpressRoute connectivity between on-premises VMware vSphere and Azure VMware Solution - 2 Gbps. ### Scenario: Primary Azure VMware Solution to secondary Make sure you've explicitly provided the remote user the VRM administrator and S ## Install SRM in Azure VMware Solution -1. 
In your on-premises datacenter, install VMware SRM and vSphere Replication. +1. In your on-premises data center, install VMware SRM and vSphere Replication. >[!NOTE] >Use the [Two-site Topology with one vCenter Server instance per PSC](https://docs.vmware.com/en/Site-Recovery-Manager/8.4/com.vmware.srm.install_config.doc/GUID-F474543A-88C5-4030-BB86-F7CC51DADE22.html) deployment model. Also, make sure that the [required vSphere Replication Network ports](https://kb.VMware.com/s/article/2087769) are opened. Make sure you've explicitly provided the remote user the VRM administrator and S ## Install the vSphere Replication appliance -After the SRM appliance installs successfully, you'll need to install the vSphere Replication appliances. Each replication server accommodates up to 200 protected VMs. Scale in or scale out as per your needs. +After the VMware SRM appliance installs successfully, you'll need to install the vSphere Replication appliances. Each replication server accommodates up to 200 protected VMs. Scale in or scale out as per your needs. 1. From the **Replication using** drop-down, on the **Disaster recovery** tab, select **vSphere Replication**. After the SRM appliance installs successfully, you'll need to install the vSpher :::image type="content" source="media/vmware-srm-vsphere-replication/vsphere-replication-2.png" alt-text="Screenshot showing how to increase or decrease the number of replication servers."::: -1. Once installed, verify that both SRM and the vSphere Replication appliances are installed. +1. Once installed, verify that both VMware SRM and the vSphere Replication appliances are installed. >[!TIP]- >The Uninstall button indicates that both SRM and the vSphere Replication appliances are currently installed. + >The Uninstall button indicates that both VMware SRM and the vSphere Replication appliances are currently installed. 
:::image type="content" source="media/vmware-srm-vsphere-replication/vsphere-replication-3.png" alt-text="Screenshot showing that both SRM and the replication appliance are installed."::: After the SRM appliance installs successfully, you'll need to install the vSpher After installing VMware SRM and vSphere Replication, you need to complete the configuration and site pairing in vCenter Server. -1. Sign in to vCenter Server as cloudadmin@vsphere.local. +1. Sign into the vSphere Client as cloudadmin@vsphere.local. 1. Navigate to **Site Recovery**, check the status of both vSphere Replication and VMware SRM, and then select **OPEN Site Recovery** to launch the client. After installing VMware SRM and vSphere Replication, you need to complete the co 1. Select **CONNECT** to accept the certificate for the remote vCenter Server. - At this point, the client should discover the VRM and SRM appliances on both sides as services to pair. + At this point, the client should discover the VMware VRM and VMware SRM appliances on both sides as services to pair. 1. Select the appliances to pair and then select **NEXT**. After installing VMware SRM and vSphere Replication, you need to complete the co :::image type=" content" source=" media/vmware-srm-vsphere-replication/pair-the-sites-summary.png" alt-text="Screenshot showing the site pair summary for Site Recovery Manager and vSphere Replication." border="true" lightbox="media/vmware-srm-vsphere-replication/pair-the-sites-summary.png"::: -## SRM protection, reprotection, and failback +## VMware SRM protection, reprotection, and failback After you've created the site pairing, follow the VMware documentation mentioned below for end-to-end protection of VMs from the Azure portal. After you've created the site pairing, follow the VMware documentation mentioned - [Perform a Failback (vmware.com)](https://docs.vmware.com/en/Site-Recovery-Manager/8.3/com.vmware.srm.admin.doc/GUID-556E84C0-F8B7-4F9F-AAB0-0891C084EDE4.html) >[!NOTE]- >If IP Customization Rules have been defined for network mappings between the AVS environment and the on-premises environment, these rules will not be applied on failback from the AVS environment to the on-premises environment due to a [known issue](https://docs.vmware.com/en/Site-Recovery-Manager/8.3/rn/srm-releasenotes-8-3.html#knownissues) with SRM 8.3.0. You can work around this limitation by removing protection from all VMs in the Protection Group and then reconfiguring protection on them prior to initiating the failback. + >If IP Customization Rules have been defined for network mappings between the Azure VMware Solution environment and the on-premises environment, these rules will not be applied on failback from the Azure VMware Solution environment to the on-premises environment due to a [known issue](https://docs.vmware.com/en/Site-Recovery-Manager/8.3/rn/srm-releasenotes-8-3.html#knownissues) with SRM 8.3.0. You can work around this limitation by removing protection from all VMs in the Protection Group and then reconfiguring protection on them prior to initiating the failback. -## Ongoing management of your SRM solution +## Ongoing management of your VMware SRM solution While Microsoft aims to simplify VMware SRM and vSphere Replication installation on an Azure VMware Solution private cloud, you are responsible for managing your license and the day-to-day operation of the disaster recovery solution. While Microsoft aims to simplify VMware SRM and vSphere Replication installation To learn about the limits for the VMware Site Recovery Manager Add-On with the Azure VMware Solution, check the [Azure subscription and service limits, quotas, and constraints.](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-vmware-solution-limits) -## SRM licenses +## VMware SRM licenses You can install VMware SRM using an evaluation license or a production license. The evaluation license is valid for 60 days. After the evaluation period, you'll be required to obtain a production license of VMware SRM. You can't use pre-existing on-premises VMware SRM licenses for your Azure VMware Solution private cloud. Work with your sales teams and VMware to acquire a new term-based production license of VMware SRM. -Once a production license of SRM is acquired, you'll be able to use the Azure VMware Solution portal to update SRM with the new production license. +Once a production license of VMware SRM is acquired, you'll be able to use the Azure VMware Solution portal to update VMware SRM with the new production license. -## Uninstall SRM +## Uninstall VMware SRM -If you no longer require SRM, you must uninstall it in a clean manner. Before you uninstall SRM, you must remove all SRM configurations from both sites in the correct order. If you do not remove all configurations before uninstalling SRM, some SRM components, such as placeholder VMs, might remain in the Azure VMware Solution infrastructure. +If you no longer require VMware SRM, you must uninstall it in a clean manner. Before you uninstall VMware SRM, you must remove all VMware SRM configurations from both sites in the correct order. If you do not remove all configurations before uninstalling VMware SRM, some VMware SRM components, such as placeholder VMs, might remain in the Azure VMware Solution infrastructure. -1. In the vSphere Client or the vSphere Web Client, select **Site Recovery** > **Open Site Recovery**. +1. In the vSphere Client, select **Site Recovery** > **Open Site Recovery**. 2. On the **Site Recovery** home tab, select a site pair and select **View Details**. If you no longer require SRM, you must uninstall it in a clean manner. Before yo VMware Site Recovery Manager (SRM) is a Disaster Recovery solution from VMware. -Microsoft only supports install/uninstall of SRM and vSphere Replication Manager and scale up/down of vSphere Replication appliances within Azure VMware Solution. +Microsoft only supports install/uninstall of VMware SRM and vSphere Replication Manager and scale up/down of vSphere Replication appliances within Azure VMware Solution. For all other issues, such as configuration and replication, contact VMware for support. -VMware and Microsoft support teams will engage each other as needed to troubleshoot SRM issues on Azure VMware Solution. +VMware and Microsoft support teams will engage each other as needed to troubleshoot VMware SRM issues on Azure VMware Solution. ## References |
bastion | Kerberos Authentication Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/kerberos-authentication-portal.md | This article shows you how to configure Azure Bastion to use Kerberos authentica * VMs migrated from on-premises to Azure are not currently supported for Kerberos.  * Cross-realm authentication is not currently supported for Kerberos.  * Changes to DNS server are not currently supported for Kerberos. After making any changes to DNS server, you will need to delete and re-create the Bastion resource.+* If additional DC (domain controllers) are added, Bastion will only recognize the first DC. +* If additional DCs are added for different domains, the added domains cannot successfully authenticate with Kerberos. ## Prerequisites |
batch | Quick Create Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/quick-create-terraform.md | description: 'In this article, you create an Azure Batch account using Terraform Last updated 4/14/2023-+ +content_well_notification: + - AI-contribution # Quickstart: Create an Azure Batch account using Terraform In this article, you learn how to: > * Create an Azure Storage account using [azurerm_storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) > * Create an Azure Batch account using [azurerm_batch_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/batch_account) - ## Prerequisites - [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) |
cdn | Cdn App Dev Net | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-app-dev-net.md | Our project is going to use some Azure libraries contained in NuGet packages. L ![Manage Nuget Packages](./media/cdn-app-dev-net/cdn-manage-nuget.png) 2. In the Package Manager Console, execute the following command to install the **Active Directory Authentication Library (ADAL)**: - `Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory` + `Install-Package Microsoft.Identity.Client` 3. Execute the following to install the **Azure CDN Management Library**: `Install-Package Microsoft.Azure.Management.Cdn` Let's get the basic structure of our program written. using Microsoft.Azure.Management.Cdn.Models; using Microsoft.Azure.Management.Resources; using Microsoft.Azure.Management.Resources.Models;- using Microsoft.IdentityModel.Clients.ActiveDirectory; + using Microsoft.Identity.Client; using Microsoft.Rest; ``` 2. We need to define some constants our methods use. In the `Program` class, but before the `Main` method, add the following code blocks. Be sure to replace the placeholders, including the **<angle brackets>**, with your own values as needed. |
cdn | Create Profile Endpoint Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/create-profile-endpoint-terraform.md | +content_well_notification: + - AI-contribution # Quickstart: Create an Azure CDN profile and endpoint using Terraform In this article, you learn how to: > * Create an Azure CDN profile using [azurerm_cdn_profile](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_profile) > * Create an Azure CDN endpoint using [azurerm_cdn_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_endpoint) - ## Prerequisites - [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) |
cognitive-services | Speech Container Howto | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Speech-Service/speech-container-howto.md | The container will test for network connectivity to the billing endpoint. ## Run disconnected containers -Tu run disconnected containers (not connected to the internet), you must submit [this request form](https://aka.ms/csdisconnectedcontainers) and wait for approval. For more information about applying and purchasing a commitment plan to use containers in disconnected environments, see [Use containers in disconnected environments](../containers/disconnected-containers.md) in the Azure Cognitive Services documentation. +To run disconnected containers (not connected to the internet), you must submit [this request form](https://aka.ms/csdisconnectedcontainers) and wait for approval. For more information about applying and purchasing a commitment plan to use containers in disconnected environments, see [Use containers in disconnected environments](../containers/disconnected-containers.md) in the Azure Cognitive Services documentation. ## Next steps |
cognitive-services | Create Account Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/create-account-terraform.md | +content_well_notification: + - AI-contribution # Quickstart: Create an Azure Cognitive Services resource using Terraform In this article, you learn how to: > * Create a random string using [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) > * Create a Cognitive Services account using [azurerm_cognitive_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cognitive_account) - ## Prerequisites - [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) |
cognitive-services | Manage Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/manage-resources.md | To recover a deleted cognitive service resource, use the following commands. Whe # [Azure portal](#tab/azure-portal) -If you need to recover a deleted resource, navigate to the hub of the cognitive services API type and select "Manage deleted resources" from the menu. For example, if you would like to recover an "Anomaly detector" resource, search for "Anomaly detector" in the search bar and select the service to get to the "Anomaly detector" hub which lists deleted resources. -+If you need to recover a deleted resource, navigate to the hub of the cognitive services API type and select "Manage deleted resources" from the menu. For example, if you would like to recover an "Anomaly detector" resource, search for "Anomaly detector" in the search bar and select the service. Then select **Manage deleted resources**. Select the subscription in the dropdown list to locate the deleted resource you would like to recover. Select one or more of the deleted resources and click **Recover**. To purge a deleted cognitive service resource, use the following commands. Where If you need to purge a deleted resource, the steps are similar to recovering a deleted resource. -Navigate to the hub of the cognitive services API type of your deleted resource. For example, if you would like to purge an "Anomaly detector" resource, search for "Anomaly detector" in the search bar. Select the service to get to the "Anomaly detector" hub which lists deleted resources. --Select **Manage deleted resources** from the menu. -+Navigate to the hub of the cognitive services API type of your deleted resource. For example, if you would like to purge an "Anomaly detector" resource, search for "Anomaly detector" in the search bar and select the service. Then select **Manage deleted resources** from the menu. Select the subscription in the dropdown list to locate the deleted resource you would like to purge. Select one or more deleted resources and click **Purge**. |
cognitive-services | Use Your Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/openai/concepts/use-your-data.md | One of the key features of Azure OpenAI on your data is its ability to retrieve ## Data source options -Azure OpenAI on your data uses an [Azure Cognitive Services](/azure/search/search-what-is-azure-search) index to determine what data to retrieve based on user inputs and provided conversation history. We recommend using Azure OpenAI Studio to create your index from a blob storage or local files. See the [quickstart article](../use-your-data-quickstart.md?pivots=programming-language-studio) for more information. +Azure OpenAI on your data uses an [Azure Cognitive Search](/azure/search/search-what-is-azure-search) index to determine what data to retrieve based on user inputs and provided conversation history. We recommend using Azure OpenAI Studio to create your index from a blob storage or local files. See the [quickstart article](../use-your-data-quickstart.md?pivots=programming-language-studio) for more information. ## Ingesting your data into Azure cognitive search |
communication-services | Closed Captions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/closed-captions.md | Closed Captions are supported in Private Preview only in ACS to ACS calls on all ## Next steps -- Get started with a [Closed Captions Quickstart](../../quickstarts/voice-video-calling/get-started-with-closed-captions.md?pivots=platform-iosBD)+- Get started with a [Closed Captions Quickstart](../../quickstarts/voice-video-calling/get-started-with-closed-captions.md?pivots=platform-iosBD) +- Learn more about using closed captions in [Teams interop](../interop/enable-closed-captions.md) scenarios. |
communication-services | Get Started With Closed Captions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/voice-video-calling/get-started-with-closed-captions.md | If you want to clean up and remove a Communication Services subscription, you ca ## Next steps For more information, see the following articles: +- Learn more about using closed captions in [Teams interop](../../concepts/interop/enable-closed-captions.md) scenarios. - Check out our [web calling sample](../../samples/web-calling-sample.md) - Learn about [Calling SDK capabilities](./getting-started-with-calling.md?pivots=platform-web) - Learn more about [how calling works](../../concepts/voice-video-calling/about-call-types.md) |
communication-services | Meeting Interop Features File Attachment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/tutorials/chat-interop/meeting-interop-features-file-attachment.md | -The Chat SDK is designed to work with Microsoft Teams seamlessly. Specifically, Chat SDK provides a solution to receive file attachment sent by users from Microsoft Teams. Currently this feature is only available in the Chat SDK for JavaScript. +The Chat SDK is designed to work with Microsoft Teams seamlessly. Specifically, Chat SDK provides a solution to receive file attachments sent by users from Microsoft Teams. Currently this feature is only available in the Chat SDK for JavaScript. Please note that sending file attachments from ACS user to Teams user is not currently supported, see the current capabilities of [Teams Interop Chat](../../concepts/interop/guest/capabilities.md) for details. [!INCLUDE [Public Preview Notice](../../includes/public-preview-include.md)] |
communication-services | File Sharing Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/tutorials/file-sharing-tutorial.md | In this tutorial, we'll be configuring the Azure Communication Services UI Libra >[!IMPORTANT] >Azure Communication Services doesn't provide a file storage service. You will need to use your own file storage service for sharing files. For the pupose of this tutorial, we will be using Azure Blob Storage.**+> +> This tutorial is about file sharing between ACS users in an ACS Chat. For file sharing in a Teams interoperability chat, see the documentation in the [Storybook](https://azure.github.io/communication-ui-library/?path=/docs/examples-teamsinterop-filesharing--file-sharing). Note that for Teams Interoperability chat, we only support ACS users to receive file attachments from Teams users at this time. See [Web UI library use cases](../concepts/ui-library/ui-library-use-cases.md) for more information. ## Download code |
confidential-computing | Quick Create Confidential Vm Arm Amd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-confidential-vm-arm-amd.md | Use this example to create a custom parameter file for a Linux-based confidentia az group create --name $resourceGroup --location $region ``` - 1. Create a key vault instance with a premium SKU in your preferred region. + 1. Create a key vault instance with a premium SKU and select your preferred region. The standard SKU is not supported. ```azurecli-interactive $KeyVault = <name of key vault> |
confidential-computing | Quick Create Confidential Vm Azure Cli Amd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-confidential-vm-azure-cli-amd.md | Make a note of the `publicIpAddress` to use later. ## Create Confidential virtual machine using a Customer Managed Key -Create a confidential [disk encryption set](../virtual-machines/linux/disks-enable-customer-managed-keys-cli.md) using [Azure Key Vault](../key-vault/general/quick-create-cli.md) or [Azure Key Vault managed Hardware Security Module (HSM)](../key-vault/managed-hsm/quick-create-cli.md). Based on your security and compliance needs you can choose either option. The following example uses Azure Key Vault Premium. +To create a confidential [disk encryption set](../virtual-machines/linux/disks-enable-customer-managed-keys-cli.md), you have two options: Using [Azure Key Vault](../key-vault/general/quick-create-cli.md) or [Azure Key Vault managed Hardware Security Module (HSM)](../key-vault/managed-hsm/quick-create-cli.md). Based on your security and compliance needs you can choose either option. However, it is important to note that the standard SKU is not supported. The following example uses Azure Key Vault Premium. 1. Grant confidential VM Service Principal `Confidential VM Orchestrator` to tenant For this step you need to be a Global Admin or you need to have the User Access Administrator RBAC role. |
confidential-computing | Quick Create Confidential Vm Portal Amd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-confidential-vm-portal-amd.md | To create a confidential VM in the Azure portal using an Azure Marketplace image 1. If **Confidential disk encryption with a customer-managed key** is selected, create a **Confidential disk encryption set** before creating your confidential VM. -1. (Optional) If necessary, create a **Confidential disk encryption set** as follows. +1. (Optional) If necessary, you need to create a **Confidential disk encryption set** as follows. - 1. [Create an Azure Key Vault](../key-vault/general/quick-create-portal.md). For the pricing tier, select **Premium (includes support for HSM backed keys)**. Or, create [create an Azure Key Vault managed Hardware Security Module (HSM)](../key-vault/managed-hsm/quick-create-cli.md). + 1. [Create an Azure Key Vault](../key-vault/general/quick-create-portal.md) selecting the **Premium** pricing tier that includes support for HSM-backed keys. Alternatively, you can create an [Azure Key Vault managed Hardware Security Module (HSM)](../key-vault/managed-hsm/quick-create-cli.md). 1. In the Azure portal, search for and select **Disk Encryption Sets**. |
container-instances | Container Instances Gpu | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-gpu.md | To run certain compute-intensive workloads on Azure Container Instances, deploy This article shows how to add GPU resources when you deploy a container group by using a [YAML file](container-instances-multi-container-yaml.md) or [Resource Manager template](container-instances-multi-container-group.md). You can also specify GPU resources when you deploy a container instance using the Azure portal. +> [!IMPORTANT] +> K80 and P100 GPU SKUs are retiring by August 31st, 2023. This is due to the retirement of the underlying VMs used: [NC Series](https://learn.microsoft.com/azure/virtual-machines/nc-series-retirement) and [NCv2 Series](https://learn.microsoft.com/azure/virtual-machines/ncv2-series-retirement) Although V100 SKUs will be available, it is receommended to use Azure Kubernetes Service instead. GPU resources are not fully supported and should not be used for production workloads. Use the following resources to migrate to AKS today: [How to Migrate to AKS](https://learn.microsoft.com/azure/aks/aks-migration). + > [!IMPORTANT] > This feature is currently in preview, and some [limitations apply](#preview-limitations). Previews are made available to you on the condition that you agree to the [supplemental terms of use][terms-of-use]. Some aspects of this feature may change prior to general availability (GA). |
container-instances | Container Instances Quickstart Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-quickstart-terraform.md | description: 'In this article, you create an Azure Container Instance with a pub Last updated 4/14/2023-+ +content_well_notification: + - AI-contribution # Quickstart: Create an Azure Container Instance with a public IP address using Terraform In this article, you learn how to: > * Create a random value for the container name using [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) > * Create an Azure container group using [azurerm_container_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_group) - ## Prerequisites - [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) |
container-instances | Container Instances Resource And Quota Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-resource-and-quota-limits.md | The following resources are available in all Azure Regions supported by Azure Co | 4 | 16 | 20 | Y | ## GPU Resources (Preview) -> **Warning** +> [!IMPORTANT] > K80 and P100 GPU SKUs are retiring by August 31st, 2023. This is due to the retirement of the underlying VMs used: [NC Series](../virtual-machines/nc-series-retirement.md) and [NCv2 Series](../virtual-machines/ncv2-series-retirement.md) Although V100 SKUs will be available, it is receommended to use Azure Kubernetes Service instead. GPU resources are not fully supported and should not be used for production workloads. Use the following resources to migrate to AKS today: [How to Migrate to AKS](../aks/aks-migration.md). -> **Note** +> [!NOTE] > Not all limit increase requests are guaranteed to be approved. > Deployments with GPU resources are not supported in an Azure virtual network deployment and are only available on Linux container groups. > Using GPU resources (preview) is not fully supported yet and any support is provided on a best-effort basis. |
container-registry | Tutorial Deploy Connected Registry Nested Iot Edge Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/tutorial-deploy-connected-registry-nested-iot-edge-cli.md | Use the `iotedge-config` tool to create and configure your hierarchy by followin 1. Download the configuration tool. ```bash- mkdir nestedIotEdgeTutorial - cd ~/nestedIotEdgeTutorial + mkdir nested_iot_edge_tutorial + cd ~/nested_iot_edge_tutorial wget -O iotedge_config.tar "https://github.com/Azure-Samples/iotedge_config_cli/releases/download/latest/iotedge_config_cli.tar.gz" tar -xvf iotedge_config.tar ``` - This step creates the `iotedge_config_cli_release` folder in your tutorial directory. The template file used to create your device hierarchy is the `iotedge_config.yaml` file found in `~/nestedIotEdgeTutorial/iotedge_config_cli_release/templates/tutorial`. In the same directory, there are two deployment manifests for top and lower layers: `deploymentTopLayer.json` and `deploymentLowerLayer.json` files. + This step creates the `iotedge_config_cli_release` folder in your tutorial directory. The template file used to create your device hierarchy is the `iotedge_config.yaml` file found in `~/nested_iot_edge_tutorial/iotedge_config_cli_release/templates/tutorial`. In the same directory, there are two deployment manifests for top and lower layers: `deploymentTopLayer.json` and `deploymentLowerLayer.json` files. 1. Edit `iotedge_config.yaml` with your information. Edit the `iothub_hostname`, `iot_name`, deployment manifest filenames for the top layer and lower layer, and the client token credentials you created to pull images from upstream from each layer. The following example is a sample configuration file: |
cost-management-billing | Ea Portal Administration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/ea-portal-administration.md | Title: Azure EA portal administration description: This article explains the common tasks that an administrator accomplishes in the Azure EA portal. Previously updated : 04/10/2023 Last updated : 07/05/2023 -> [!NOTE] -> We recommend that both direct and indirect EA Azure customers use Cost Management + Billing in the Azure portal to manage their enrollment and billing instead of using the EA portal. For more information about enrollment management in the Azure portal, see [Get started with EA billing in the Azure portal](ea-direct-portal-get-started.md). -> -> As of February 20, 2023 indirect EA customers won’t be able to manage their billing account in the EA portal. Instead, they must use the Azure portal. -> -> This change doesn’t affect Azure Government EA enrollments. They continue using the EA portal to manage their enrollment. +> [!IMPORTANT] +> The Azure EA portal is getting deprecated. Direct and indirect EA Azure customers now use Cost Management + Billing features in the Azure portal to manage their enrollment and billing *instead of using the EA portal*. For more information about enrollment management in the Azure portal, see [Get started with EA billing in the Azure portal](ea-direct-portal-get-started.md). ## Activate your enrollment |
cost-management-billing | Reservation Trade In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/savings-plan/reservation-trade-in.md | -If you find that your [Azure Virtual Machines](https://azure.microsoft.com/pricing/details/virtual-machines/windows/), [Dedicated Hosts](https://azure.microsoft.com/pricing/details/virtual-machines/dedicated-host/), or [Azure App Service](https://azure.microsoft.com/pricing/details/app-service/windows/) reservations, don't provide the necessary flexibility you require, you can trade these reservations for a savings plan. When you trade-in a reservation and purchase a savings plan, you can select a savings plan term of either one-year to three-year. +If your [Azure Virtual Machines](https://azure.microsoft.com/pricing/details/virtual-machines/windows/), [Dedicated Hosts](https://azure.microsoft.com/pricing/details/virtual-machines/dedicated-host/), or [Azure App Service](https://azure.microsoft.com/pricing/details/app-service/windows/) reservations, don't provide the necessary flexibility you need, you can trade them for a savings plan. When you trade-in a reservation and purchase a savings plan, you can select a savings plan term of either one-year to three-year. Although you can return the above offerings for a savings plan, you can't exchange a savings plan for them or for another savings plan. You can trade in up to 100 reservations as part of a savings plan purchase. -The following reservations aren't eligible to be traded in for savings plans: +Apart from [Azure Virtual Machines](https://azure.microsoft.com/pricing/details/virtual-machines/windows/), [Dedicated Hosts](https://azure.microsoft.com/pricing/details/virtual-machines/dedicated-host/), or [Azure App Service](https://azure.microsoft.com/pricing/details/app-service/windows/) reservations, no other reservations or prepurchase plans are eligible for trade-in. -- Azure Databricks reserved capacity-- Synapse Analytics Pre-purchase plan-- Azure VMware solution by CloudSimple-- Azure Red Hat Open Shift-- Red Hat plans-- SUSE Linux plans > [!NOTE] > Exchanges will be unavailable for all compute reservations - Azure Reserved Virtual Machine Instances, Azure Dedicated Host reservations, and Azure App Services reservations - purchased on or after **January 1, 2024**. Compute reservations purchased **prior to January 1, 2024** will reserve the right to **exchange one more time** after the policy change goes into effect. Azure savings plan for compute is designed to help you save broadly on predictable compute usage. The savings plan provides more flexibility needed to accommodate changes such as virtual machine series and regions. With savings plan providing the flexibility automatically, we’re adjusting our reservations exchange policy. You can continue to use instance size flexibility for VM sizes, but we'll no longer support exchanging instance series or regions for Azure Reserved Virtual Machine Instances, Azure Dedicated Host reservations, and Azure App Services reservations. |
data-factory | Control Flow Webhook Activity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/control-flow-webhook-activity.md | A webhook activity can control the execution of pipelines through custom code. W To use a Webhook activity in a pipeline, complete the following steps: 1. Search for _Webhook_ in the pipeline Activities pane, and drag a Webhook activity to the pipeline canvas.-1. Select the new Fail activity on the canvas if it is not already selected, and its **Settings** tab, to edit its details. +1. Select the new webhook activity on the canvas if it is not already selected, and its **Settings** tab, to edit its details. :::image type="content" source="media/control-flow-webhook-activity/webhook-activity.png" alt-text="Shows the UI for a Webhook activity."::: |
ddos-protection | Manage Ddos Protection Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-terraform.md | +content_well_notification: + - AI-contribution # Quickstart: Create and configure Azure DDoS Network Protection using Terraform In this article, you learn how to: > * Create an Azure DDoS protection plan using [azurerm_network_ddos_protection_plan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_ddos_protection_plan) > * Create an Azure virtual network using [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) - ## Prerequisites - [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) |
defender-for-cloud | Alert Validation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/alert-validation.md | You can simulate alerts for both of the control plane, and workload alerts with **Prerequisites** - Ensure the Defender for Containers plan is enabled.-- **ARC only** - Ensure the Defender extension is installed.+- **Arc only** - Ensure the Defender extension is installed. - **EKS or GKE only** - Ensure the default audit log collection autoprovisioning options are enabled. **To simulate a Kubernetes control plane security alert**: |
defender-for-cloud | Concept Data Security Posture Prepare | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-data-security-posture-prepare.md | Sensitive data discovery is available in the Defender CSPM and Defender for Stor The table summarizes support for data-aware posture management. -**Support** | **Details** - | -What Azure data resources can I discover? | [Block blob](../storage/blobs/storage-blobs-introduction.md) storage accounts in Azure Storage v1/v2<br/><br/> Azure Data Lake Storage Gen2<br/><br/>Storage accounts behind private networks are supported.<br/><br/> Storage accounts encrypted with a customer-managed server-side key are supported.<br/><br/> Accounts aren't supported if any of these settings are enabled: [Public network access is disabled](../storage/common/storage-network-security.md#change-the-default-network-access-rule); Storage account is defined as [Azure DNS Zone](https://techcommunity.microsoft.com/t5/azure-storage-blog/public-preview-create-additional-5000-azure-storage-accounts/ba-p/3465466); The storage account endpoint has a [custom domain mapped to it](../storage/blobs/storage-custom-domain-name.md). -What AWS data resources can I discover? | AWS S3 buckets<br/><br/> Defender for Cloud can discover KMS-encrypted data, but not data encrypted with a customer-managed key. -What permissions do I need for discovery? | Storage account: Subscription Owner<br/> **or**<br/> Microsoft.Authorization/roleAssignments/* (read, write, delete) **and** Microsoft.Security/pricings/* (read, write, delete) **and** Microsoft.Security/pricings/SecurityOperators (read, write)<br/><br/> Amazon S3 buckets: AWS account permission to run Cloud Formation (to create a role). -What file types are supported for sensitive data discovery? | Supported file types (you can't select a subset) - .doc, .docm, .docx, .dot, .gz, .odp, .ods, .odt, .pdf, .pot, .pps, .ppsx, .ppt, .pptm, .pptx, .xlc, .xls, .xlsb, .xlsm, .xlsx, .xlt, .csv, .json, .psv, .ssv, .tsv, .txt., xml, .parquet, .avro, .orc. -What Azure regions are supported? | You can discover Azure storage accounts in:<br/><br/> Australia Central; Australia Central 2; Australia East; Australia Southeast; Brazil South; Canada Central; Canada East; Central India; Central US; East Asia; East US; East US 2; France Central; Germany West Central; Japan East; Japan West: Jio India West: North Central US; North Europe; Norway East; South Africa North: South Central US; South India; Sweden Central; Switzerland North; UAE North; UK South; UK West: West Central US; West Europe; West US, West US3.<br/><br/> Discovery is done locally in the region. -What AWS regions are supported? | Asia Pacific (Mumbai); Asia Pacific (Singapore); Asia Pacific (Sydney); Asia Pacific (Tokyo); Canada (Central); Europe (Frankfurt); Europe (Ireland); Europe (London); Europe (Paris); South America (São Paulo); US East (Ohio); US East (N. Virginia); US West (N. California): US West (Oregon).<br/><br/> Discovery is done locally in the region. -Do I need to install an agent? | No, discovery is agentless. -What's the cost? | The feature is included with the Defender CSPM and Defender for Storage plans, and doesn’t include other costs except for the respective plan costs. -What permissions do I need to view/edit data sensitivity settings? | You need one of these permissions: Global Administrator, Compliance Administrator, Compliance Data Administrator, Security Administrator, Security Operator. -+|**Support** | **Details**| +| | | +|What Azure data resources can I discover? | [Block blob](../storage/blobs/storage-blobs-introduction.md) storage accounts in Azure Storage v1/v2<br/><br/> Azure Data Lake Storage Gen2<br/><br/>Storage accounts behind private networks are supported.<br/><br/> Storage accounts encrypted with a customer-managed server-side key are supported.<br/><br/> Accounts aren't supported if any of these settings are enabled: [Public network access is disabled](../storage/common/storage-network-security.md#change-the-default-network-access-rule); Storage account is defined as [Azure DNS Zone](https://techcommunity.microsoft.com/t5/azure-storage-blog/public-preview-create-additional-5000-azure-storage-accounts/ba-p/3465466); The storage account endpoint has a [custom domain mapped to it](../storage/blobs/storage-custom-domain-name.md).| +|What AWS data resources can I discover? | AWS S3 buckets<br/><br/> Defender for Cloud can discover KMS-encrypted data, but not data encrypted with a customer-managed key.| +|What permissions do I need for discovery? | Storage account: Subscription Owner<br/> **or**<br/> Microsoft.Authorization/roleAssignments/* (read, write, delete) **and** Microsoft.Security/pricings/* (read, write, delete) **and** Microsoft.Security/pricings/SecurityOperators (read, write)<br/><br/> Amazon S3 buckets: AWS account permission to run Cloud Formation (to create a role).| +|What file types are supported for sensitive data discovery? | Supported file types (you can't select a subset) - .doc, .docm, .docx, .dot, .gz, .odp, .ods, .odt, .pdf, .pot, .pps, .ppsx, .ppt, .pptm, .pptx, .xlc, .xls, .xlsb, .xlsm, .xlsx, .xlt, .csv, .json, .psv, .ssv, .tsv, .txt., xml, .parquet, .avro, .orc.| +|What Azure regions are supported? 
| You can discover Azure storage accounts in:<br/><br/> Australia Central; Australia Central 2; Australia East; Australia Southeast; Brazil South; Canada Central; Canada East; Central India; Central US; East Asia; East US; East US 2; France Central; Germany West Central; Japan East; Japan West: Jio India West: North Central US; North Europe; Norway East; South Africa North: South Central US; South India; Sweden Central; Switzerland North; UAE North; UK South; UK West: West Central US; West Europe; West US, West US3.<br/><br/> Discovery is done locally in the region.| +|What AWS regions are supported? | Asia Pacific (Mumbai); Asia Pacific (Singapore); Asia Pacific (Sydney); Asia Pacific (Tokyo); Canada (Central); Europe (Frankfurt); Europe (Ireland); Europe (London); Europe (Paris); South America (São Paulo); US East (Ohio); US East (N. Virginia); US West (N. California): US West (Oregon).<br/><br/> Discovery is done locally in the region.| +|Do I need to install an agent? | No, discovery is agentless.| +|What's the cost? | The feature is included with the Defender CSPM and Defender for Storage plans, and doesn’t include other costs except for the respective plan costs.| +|What permissions do I need to view/edit data sensitivity settings? | You need one of these Azure Active directory roles: Global Administrator, Compliance Administrator, Compliance Data Administrator, Security Administrator, Security Operator.| ## Configuring data sensitivity settings Defender CSPM attack paths and cloud security graph insights include information [Enable](data-security-posture-enable.md) data-aware security posture. + |
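Review bot: the new delimiter row `+| | |` under `|**Support** | **Details**|` has no dashes, so Markdown will not recognize the block as a table and every row renders as plain text; it should read `|--|--|`. Since every row is rewritten anyway, fix the file-type list, which still reads `.txt., xml` where `.txt, .xml` is meant, and the region lists, which mix colons and a comma into what should be semicolon-separated entries (`Japan West: Jio India West:`, `South Africa North:`, `UK West:`, `West US, West US3`, `US West (N. California):`). The last row introduces `Azure Active directory roles`; the product name is `Azure Active Directory`.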
defender-for-cloud | Defender For Devops Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-devops-introduction.md | Defender for DevOps uses a central console to empower security teams with the ab Defender for DevOps helps unify, strengthen and manage multi-pipeline DevOps security. ## Availability-- > [!Note] - > During the preview, the maximum number of GitHub repositories that can be onboarded to Microsoft Defender for Cloud is 2,000. If you try to connect more than 2,000 GitHub repositories, only the first 2,000 repositories, sorted alphabetically, will be onboarded. - > - > If your organization is interested in onboarding more than 2,000 GitHub repositories, please complete [this survey](https://aka.ms/dfd-forms/onboarding). - | Aspect | Details | |--|--| | Release state: | Preview<br>The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. | |
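Review bot: the Availability section drops the 2,000-repository onboarding note without replacing it anywhere, while the remaining table still lists the release state as Preview. If the cap still applies it should stay (a row in the Availability table would fit), and if it has been lifted the change should say so, ideally with a release-notes entry, so customers who sized their onboarding around 2,000 repositories know the behavior changed.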
defender-for-cloud | Onboard Machines With Defender For Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/onboard-machines-with-defender-for-endpoint.md | This tenant-level setting allows you to automatically and natively onboard any n | Release state | GA | | Supported operating systems | All [Windows](/microsoft-365/security/defender-endpoint/minimum-requirements#supported-windows-versions) and [Linux](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux#system-requirements) **Server** operating systems supported by Defender for Endpoint | | Required roles and permissions | To manage this setting, you need **Subscription Owner** (on the chosen subscription), and **AAD Global Administrator** or **AAD Security Administrator** |-| Environments | On-premises servers <br />Multicloud VMs ΓÇô limited support | -| Supported plans | Defender for Servers P1 <br />Defender for Servers P2 ΓÇô limited features | +| Environments | On-premises servers <br />Multicloud VMs ΓÇô limited support (see limitations section)| +| Supported plans | Defender for Servers P1 <br />Defender for Servers P2 ΓÇô limited features (see limitations section) | ## How it works Deploying the Defender for Endpoint agent on your on-premises Windows and Linux | Location | Deployment use case | | | |- | All | <u>Windows Server (all versions)</u> <br />Azure VMs or Azure Arc machines already onboarded and billed by Defender for Servers via an Azure subscription or Log Analytics workspace, running the Defender for Endpoint agent without the MDE.Windows or MDE.Linux Azure extensions. For such machines, you can enable Defender for Cloud integration with Defender for Endpoint to deploy the extensions. 
| + | All | <u>Windows Server (all versions)</u> <br />Azure VMs or Azure Arc machines already onboarded and billed by Defender for Servers via an Azure subscription or Log Analytics workspace, running the Defender for Endpoint agent without the MDE.Windows Azure extension. For such machines, you can enable Defender for Cloud integration with Defender for Endpoint to deploy the extension. | | On-premises (not running Azure Arc) | <u>Windows Server 2019</u>:<br />Servers already onboarded and billed by Defender for Servers P2 via the Log Analytics workspace<br /><br /><u>Windows Server 2012, 2016</u>: <br />Servers running the Defender for Endpoint modern unified agent, and already billed by Defender for Servers P2 via the Log Analytics workspace | | AWS, GCP (not running Azure Arc) | <u>Windows Server 2019</u>:<br />Servers already onboarded and billed by Defender for Servers via multicloud connectors, Log Analytics workspace, or both. <br /><br /><u>Windows Server 2012, 2016</u>: <br />AWS or GCP VMs using the modern unified Defender for Endpoint solution, already onboarded and billed by Defender for Servers via multicloud connectors, Log Analytics workspace, or both. | |
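Review bot: `ΓÇô` in the Environments and Supported plans rows is a mis-encoded en dash (–) that the `+` lines carry forward; replace it while these rows are being edited. `(see limitations section)` is added twice as plain text and should be a link to that section's anchor so readers can jump to it. Dropping `MDE.Linux` from the All row is consistent with its `Windows Server (all versions)` heading, but if Linux machines in the same state (onboarded and billed, running the agent without the extension) are also covered, they now have no row. Also, `| | |` under `| Location | Deployment use case |` is not a valid delimiter row (it needs dashes, e.g. `|--|--|`), so that table will not render.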
defender-for-cloud | Quickstart Onboard Aws | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/quickstart-onboard-aws.md | For a reference list of all the recommendations Defender for Cloud can provide f - (Optional) Select **Configure**, to edit the configuration as required. > [!NOTE]- > The respective Azure Arc servers for EC2 instances or GCP virtual machines that no longer exist (and the respective Azure Arc servers with a status of ["Disconnected" or "Expired"](/azure/azure-arc/servers/overview)) will be removed after 7 days. This process removes irrelevant Azure ARC entities, ensuring only Azure Arc servers related to existing instances are displayed. + > The respective Azure Arc servers for EC2 instances or GCP virtual machines that no longer exist (and the respective Azure Arc servers with a status of ["Disconnected" or "Expired"](/azure/azure-arc/servers/overview)) will be removed after 7 days. This process removes irrelevant Azure Arc entities, ensuring only Azure Arc servers related to existing instances are displayed. - By default the **Containers** plan is set to **On**. This is necessary to have Defender for Containers protect your AWS EKS clusters. Ensure you've fulfilled the [network requirements](./defender-for-containers-enable.md?pivots=defender-for-container-eks&source=docs&tabs=aks-deploy-portal%2ck8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc%2caks-removeprofile-api#network-requirements) for the Defender for Containers plan. |
defender-for-cloud | Quickstart Onboard Gcp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/quickstart-onboard-gcp.md | To have full visibility to Microsoft Defender for Servers security content, ensu - **Manual installation** - You can manually connect your VM instances to Azure Arc for servers. Instances in projects with Defender for Servers plan enabled that aren't connected to Arc are surfaced by the recommendation `GCP VM instances should be connected to Azure Arc`. Select the **Fix** option in the recommendation to install Azure Arc on the selected machines. > [!NOTE]- > The respective Azure Arc servers for EC2 instances or GCP virtual machines that no longer exist (and the respective Azure Arc servers with a status of ["Disconnected" or "Expired"](/azure/azure-arc/servers/overview)) will be removed after 7 days. This process removes irrelevant Azure ARC entities, ensuring only Azure Arc servers related to existing instances are displayed. + > The respective Azure Arc servers for EC2 instances or GCP virtual machines that no longer exist (and the respective Azure Arc servers with a status of ["Disconnected" or "Expired"](/azure/azure-arc/servers/overview)) will be removed after 7 days. This process removes irrelevant Azure Arc entities, ensuring only Azure Arc servers related to existing instances are displayed. - Ensure you've fulfilled the [network requirements for Azure Arc](../azure-arc/servers/network-requirements.md?tabs=azure-cloud). |
defender-for-cloud | Quickstart Onboard Machines | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/quickstart-onboard-machines.md | Title: Connect your on-premises machine to Defender for Cloud + Title: Connect your on-premises machines to Defender for Cloud description: Learn how to connect your on-premises machines to Microsoft Defender for Cloud Last updated 06/29/2023 -# Connect your non-Azure machine to Microsoft Defender for Cloud +# Connect your non-Azure machines to Microsoft Defender for Cloud Defender for Cloud can monitor the security posture of your non-Azure computers, but first you need to connect them to Azure. |
defender-for-cloud | Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/release-notes.md | For more information on compliance controls, see [Tutorial: Regulatory complianc June 11, 2023 -Now you can discover potential cost savings in security by applying Defender for Cloud within the context of an [Azure Migrate business case](/azure/migrate/how-to-build-a-business-case). +Now you can discover potential cost savings in security by applying Defender for Cloud within the context of an [Azure Migrate business case](/azure/migrate/concepts-business-case-calculation). ### Express configuration for vulnerability assessments in Defender for SQL is now Generally Available |
defender-for-cloud | Tutorial Enable App Service Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/tutorial-enable-app-service-plan.md | Last updated 06/29/2023 # Protect your applications with Defender for App Service -Defender for App Service in Microsoft Defender for Cloud is a fully managed platform for building and hosting your web apps and APIs. It provides management, monitoring, and operational insights to meet enterprise-grade performance, security, and compliance requirements. For more information, see [Azure App Service](https://azure.microsoft.com/services/app-service/). +Azure App Service is a fully managed platform for building and hosting your web apps and APIs. It provides management, monitoring, and operational insights to meet enterprise-grade performance, security, and compliance requirements. For more information, see [Azure App Service](https://azure.microsoft.com/services/app-service/). **Microsoft Defender for App Service** uses the scale of the cloud to identify attacks targeting applications running over App Service. Attackers probe web applications to find and exploit weaknesses. Before being routed to specific environments, requests to applications running in Azure go through several gateways, where they're inspected and logged. The data is then used to identify exploits and attackers, and to learn new patterns that are used later. When you enable Microsoft Defender for App Service, you immediately benefit from - **Secure** - Defender for App Service assesses the resources covered by your App Service plan and generates security recommendations based on its findings. Use the detailed instructions in these recommendations to harden your App Service resources. 
- **Detect** - Defender for App Service detects a multitude of threats to your App Service resources by monitoring:- - the VM instance in which your App Service is running, and its management interface - - the requests and responses sent to and from your App Service apps - - the underlying sandboxes and VMs - - App Service internal logs - available thanks to the visibility that Azure has as a cloud provider + - the VM instance in which your App Service is running, and its management interface + - the requests and responses sent to and from your App Service apps + - the underlying sandboxes and VMs + - App Service internal logs - available thanks to the visibility that Azure has as a cloud provider As a cloud-native solution, Defender for App Service can identify attack methodologies applying to multiple targets. For example, from a single host it would be difficult to identify a distributed attack from a small subset of IPs, crawling to similar endpoints on multiple hosts. |
defender-for-cloud | Tutorial Enable Key Vault Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/tutorial-enable-key-vault-plan.md | Title: Protect your key vault with the Defender for Key Vault plan - Microsoft Defender for Cloud + Title: Protect your key vaults with the Defender for Key Vault plan - Microsoft Defender for Cloud description: Learn how to enable the Defender for Key Vault plan on your Azure subscription for Microsoft Defender for Cloud. Last updated 06/29/2023 -# Protect your key vault with Defender for Key Vault +# Protect your key vaults with Defender for Key Vault -Defender for Key Vault in Microsoft Defender for Cloud is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. +Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. ++Enable Microsoft Defender for Key Vault for Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence. Learn more about [Microsoft Defender for Key Vault](defender-for-key-vault-introduction.md). |
defender-for-cloud | Tutorial Enable Resource Manager Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/tutorial-enable-resource-manager-plan.md | Last updated 06/29/2023 # Protect your resources with Defender for Resource Manager -Defender for Resource Manager in Microsoft Defender for Cloud is the deployment and management service for Azure. [Azure Resource Manager](../azure-resource-manager/management/overview.md) provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment. +[Azure Resource Manager](../azure-resource-manager/management/overview.md) is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment. ++Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Defender for Cloud runs advanced security analytics to detect threats and alerts you about suspicious activity. Learn more about [Microsoft Defender for Resource Manager](defender-for-resource-manager-introduction.md). |
defender-for-cloud | Tutorial Enable Servers Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/tutorial-enable-servers-plan.md | Title: Protect servers with Defender for Servers - Microsoft Defender for Cloud + Title: Protect your servers with Defender for Servers - Microsoft Defender for Cloud description: Learn how to enable the Defender for Servers on your Azure subscription for Microsoft Defender for Cloud. Last updated 06/29/2023 -# Protect servers with Defender for Servers +# Protect your servers with Defender for Servers Defender for Servers in Microsoft Defender for Cloud brings threat detection and advanced defenses to your Windows and Linux machines that run in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises environments. This plan includes the integrated license for Microsoft Defender for Endpoint, security baselines and OS level assessments, vulnerability assessment scanning, adaptive application controls (AAC), file integrity monitoring (FIM), and more. |
defender-for-cloud | Tutorial Enable Storage Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/tutorial-enable-storage-plan.md | Title: Protect your storage with the Defender for Storage plan - Microsoft Defender for Cloud + Title: Protect your storage accounts with the Defender for Storage plan - Microsoft Defender for Cloud description: Learn how to enable the Defender for Storage on your Azure subscription for Microsoft Defender for Cloud. Last updated 06/29/2023 -# Protect your storage with Defender for Storage +# Protect your storage accounts with Defender for Storage Defender for Storage in Microsoft Defender for Cloud is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage accounts. It uses advanced threat detection capabilities and [Microsoft Threat Intelligence](https://go.microsoft.com/fwlink/?linkid=2128684) data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks. |
defender-for-iot | How To Create Risk Assessment Reports | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-create-risk-assessment-reports.md | Enrich your sensor with extra data to provide fuller risk assessment reports: ### Import firewall rules to an OT sensor -Import firewall rules to your OT sensor for analysis in **Risk assessment** reports. Importing firewall rules is supported for Checkpoint, Fortinet, and Juniper firewalls. +Import firewall rules to your OT sensor for analysis in **Risk assessment** reports. Importing firewall rules is supported for the following firewalls: +- Checkpoint (firewall export to R77, *.zip file) +- Fortinet (configuration backup, *.conf file) +- Juniper (ScreenOS CLI configuration, *.txt file) **To import firewall rules**: Use an on-premises management console to view risk assessment reports for all co - [Sensor data mining queries](how-to-create-data-mining-queries.md) - [Create trends and statistics dashboards](how-to-create-trends-and-statistics-reports.md)- + |
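Review bot: the vendor's name is spelled `Check Point` (two words), not `Checkpoint`, in the new supported-firewall list. The glob patterns `*.zip`, `*.conf` and `*.txt` are unescaped asterisks in Markdown; put them in backticks or escape them as `\*.zip` so they cannot be parsed as emphasis. The list should also say what the sensor does with an export it cannot parse, since a partially imported rule set gives the risk assessment report an incomplete picture of the network's segmentation.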
devtest-labs | Add Artifact Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/add-artifact-vm.md | description: Learn how to add an artifact to a virtual machine in a lab in Azure Previously updated : 01/11/2022- Last updated : 06/30/2023+ # Add artifacts to DevTest Labs VMs To add artifacts during VM creation: 1. On the **Add artifacts** page, select the arrow next to each artifact you want to add to the VM. 1. On each **Add artifact** pane, enter any required and optional parameter values, and then select **OK**. The artifact appears under **Selected artifacts**, and the number of configured artifacts updates. - ![Screenshot that shows adding artifacts on the Add artifacts screen.](media/add-artifact-vm/devtestlab-add-artifacts-blade-selected-artifacts.png) + :::image type="content" source="./media/add-artifact-vm/devtestlab-add-artifacts-blade-selected-artifacts.png" alt-text="Screenshot that shows adding artifacts on the Add artifacts pane."::: 1. You can change the artifacts after adding them. To install artifacts on an existing VM: 1. On the VM page, select **Artifacts** in the top menu bar or left navigation. 1. On the **Artifacts** page, select **Apply artifacts**. - ![Screenshot that shows the Artifacts screen for an existing V M.](media/add-artifact-vm/artifacts.png) + :::image type="content" source="./media/add-artifact-vm/artifacts.png" alt-text="Screenshot that shows Artifacts pane for an existing V M."::: 1. On the **Add artifacts** page, select and configure artifacts the same as for a new VM. 1. When you're done adding artifacts, select **Install**. The artifacts install on the VM immediately. |
devtest-labs | Create Lab Windows Vm Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/quickstarts/create-lab-windows-vm-terraform.md | Title: 'Quickstart: Create a lab in Azure DevTest Labs using Terraform' description: 'In this article, you create a Windows virtual machine in a lab within Azure DevTest Labs using Terraform' Last updated 4/14/2023-+ +content_well_notification: + - AI-contribution # Quickstart: Create a lab in Azure DevTest Labs using Terraform In this article, you learn how to: > * Create a virtual network within Azure DevTest Labs using [azurerm_dev_test_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dev_test_virtual_network) > * Create a Windows virtual machine within Azure DevTest Labs using [azurerm_dev_test_windows_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dev_test_windows_virtual_machine) - ## Prerequisites - [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) |
dns | Dns Get Started Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-get-started-terraform.md | description: 'In this article, you create an Azure DNS zone and record using Ter Last updated 4/14/2023-+ +content_well_notification: + - AI-contribution # Quickstart: Create an Azure DNS zone and record using Terraform In this article, you learn how to: > * Create an Azure DNS zone using [azurerm_dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) > * Create an Azure DNS A record using [azurerm_dns_a_record](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) - ## Prerequisites - [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) |
event-hubs | Event Hubs Dedicated Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-dedicated-overview.md | With self-serve scalable clusters, you can purchase up to 10 CUs for a cluster i If you need a cluster larger than 10 CU, you can [submit a support request](event-hubs-dedicated-cluster-create-portal.md#submit-a-support-request) to scale up your cluster after its creation. > [!IMPORTANT] -> Self-serve scalable Dedicated can be deployed with [availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones) enabled with 3 CUs but you won't be able to use the self-serve scaling capability to scale the cluster. You must instead [submit a support request](event-hubs-> Dedicated-cluster-create-portal.md#submit-a-support-request) to scale the AZ enabled cluster. +> Self-serve scalable Dedicated can be deployed with [availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones) enabled with 3 CUs but you won't be able to use the self-serve scaling capability to scale the cluster. You must instead [submit a support request](event-hubs-dedicated-cluster-create-portal.md#submit-a-support-request) to scale the AZ enabled cluster. ### Legacy clusters Event Hubs Dedicated clusters created prior to the availability of self-serve scalable clusters are referred to as legacy clusters. |
event-hubs | Event Hubs Kafka Connect Debezium | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-kafka-connect-debezium.md | Last updated 10/18/2021 **Change Data Capture (CDC)** is a technique used to track row-level changes in database tables in response to create, update, and delete operations. [Debezium](https://debezium.io/) is a distributed platform that builds on top of Change Data Capture features available in different databases (for example, [logical decoding in PostgreSQL](https://www.postgresql.org/docs/current/static/logicaldecoding-explanation.html)). It provides a set of [Kafka Connect connectors](https://debezium.io/documentation/reference/1.2/connectors/https://docsupdatetracker.net/index.html) that tap into row-level changes in database table(s) and convert them into event streams that are then sent to [Apache Kafka](https://kafka.apache.org/). -> [!WARNING] -> Use of the Apache Kafka Connect framework as well as the Debezium platform and its connectors are **not eligible for product support through Microsoft Azure**. -> -> Apache Kafka Connect assumes for its dynamic configuration to be held in compacted topics with otherwise unlimited retention. Event Hubs [does not implement compaction as a broker feature](event-hubs-federation-overview.md#log-projections) and always imposes a time-based retention limit on retained events, rooting from the principle that Event Hubs is a real-time event streaming engine and not a long-term data or configuration store. -> -> While the Apache Kafka project might be comfortable with mixing these roles, Azure believes that such information is best managed in a proper database or configuration store. -> -> Many Apache Kafka Connect scenarios will be functional, but these conceptual differences between Apache Kafka's and Event Hubs' retention models may cause certain configurations not to work as expected. 
- This tutorial walks you through how to set up a change data capture based system on Azure using [Event Hubs](./event-hubs-about.md?WT.mc_id=devto-blog-abhishgu) (for Kafka), [Azure DB for PostgreSQL](../postgresql/overview.md) and Debezium. It will use the [Debezium PostgreSQL connector](https://debezium.io/documentation/reference/1.2/connectors/postgresql.html) to stream database modifications from PostgreSQL to Kafka topics in Event Hubs > [!NOTE] |
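Review bot: removing the whole WARNING block drops two distinct statements and the `+` side replaces neither: that Kafka Connect and Debezium are not eligible for product support through Azure, and that Kafka Connect expects its dynamic configuration to live in compacted topics with unlimited retention, which Event Hubs does not provide because it applies time-based retention to every event. The second point is operational rather than legal: the tutorial below still builds on Kafka Connect, and the old text warned that this mismatch can make certain configurations stop working as expected. If the support position has changed, state the new one; otherwise keep at least the retention caveat as a NOTE next to the tutorial introduction.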
expressroute | Expressroute Troubleshooting Network Performance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-troubleshooting-network-performance.md | Test setup: \* The latency to Brazil is a good example where the straight-line distance significantly differs from the fiber run distance. The expected latency would be in the neighborhood of 160 ms, but is actually 189 ms. The difference in latency would seem to indicate a network issue somewhere. But the reality is the fiber line doesn't go to Brazil in a straight line. So you should expect an extra 1,000 km or so of travel to get to Brazil from Seattle. +>[!NOTE] +>While these numbers should be taken into consideration, they were tested using AzureCT which is based in IPERF in Windows via PowerShell. In this scenario, IPERF does not honor default Windows TCP options for Scaling Factor and uses a much lower Shift Count for the TCP Window size. The numbers represented here were performed using default IPERF values and are for general reference only. By tuning IPERF commands with `-w` switch and a big TCP Window size, better throughput can be obtained over long distances, showing significantly better throughput figures. Also, to ensure an ExpressRoute is using the full bandwidth, it's ideal to run the IPERF in multi-threaded option from multiple machines simultaneously to ensure computing capacity is able to reach maximum link performance and is not limited by processing capacity of a single VM. 
+ ## Next steps - Download the [Azure Connectivity Toolkit](https://aka.ms/AzCT) Test setup: [Performance Doc]: https://github.com/Azure/NetworkMonitoring/blob/master/AzureCT/PerformanceTesting.md [Availability Doc]: https://github.com/Azure/NetworkMonitoring/blob/master/AzureCT/AvailabilityTesting.md [Network Docs]: ../index.yml-[Ticket Link]: https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview +[Ticket Link]: https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview |
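Review bot: the new NOTE is one long run-on and should be split into two or three sentences. `based in IPERF` should be `based on iperf` (the tool is written `iperf`, as in its command name), and `The numbers represented here were performed using default IPERF values` should read `The numbers here were obtained with default iperf values`. The multi-stream advice names no flag while the window advice names `-w`; naming the parallel-streams option (`-P`) the same way would make the tuning guidance actionable. Finally, the note attributes the low throughput to iperf ignoring Windows TCP scaling; a short pointer to how readers can confirm the negotiated window on their own run would let them distinguish a tooling artifact from a real circuit problem.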
firewall | Firewall Preview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall/firewall-preview.md | With the Azure Firewall Explicit proxy set on the outbound path, you can configu For more information, see [Azure Firewall Explicit proxy (preview)](explicit-proxy.md). +### Resource Health (preview) ++With the Azure Firewall Resource Health check, you can now diagnose and get support for service problems that affect your Azure Firewall resource. Resource Health allows IT teams to receive proactive notifications on potential health degradations, and recommended mitigation actions per each health event type. The resource health is also available in a dedicated page in the Azure portal resource page. +This preview is automatically enabled on all firewalls and no action is required to enable this functionality. +For more information, see [Resource Health overview](../service-health/resource-health-overview.md). ## Next steps |
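Review bot: the three added sentences after the heading are consecutive source lines with no blank line between them, so Markdown merges `...Resource Health overview...`, `This preview is automatically enabled...` and `For more information, see...` into a single paragraph; add blank lines. `per each health event type` is redundant (`for each`), and `available in a dedicated page in the Azure portal resource page` repeats `page`; `available on a dedicated page of the firewall resource in the Azure portal` reads cleaner.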
healthcare-apis | Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/release-notes.md | Per FHIR specification, metadata endpoint URL in capability statement needs to b The DICOM Change Feed API could previously return results that incorrectly skipped pending changes when the DICOM server was under load. Identical calls to the Change Feed resource could have resulted in new change events appearing in the middle of the result set. For example, if the first call returned sequence numbers `1`, `2`, `3`, and `5`, then the second identical call could have incorrectly returned `1`, `2`, `3`, `4`, and `5`. This behavior also impacted the DICOM events sent to Azure Event Grid System Topics, and could have resulted in missing events in downstream event handlers. For more details, see [#2611](https://github.com/microsoft/dicom-server/pull/2611). +#### MedTech service ++**Feature Enhancement: Encounter identifiers included in the device message** ++Customers can now include encounter identifiers in the device message so that they can look up the corresponding FHIR encounter and link it to the observation created in the FHIR transformation. This look up feature is supported in OSS and was an ask from customers for the PaaS MedTech service. + ## May 2023 #### Azure Health Data Services |
iot-edge | Production Checklist | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-edge/production-checklist.md | If your networking setup requires that you explicitly permit connections made fr In all three cases, the fully qualified domain name (FQDN) would match the pattern `\*.azure-devices.net`. -Additionally, the **Container engine** makes calls to container registries over HTTPS. To retrieve the IoT Edge runtime container images, the FQDN is `mcr.microsoft.com`. The container engine connects to other registries as configured in the deployment. +#### Container registries ++The **Container engine** makes calls to container registries over HTTPS. To retrieve the IoT Edge runtime container images, the FQDN is `mcr.microsoft.com`. The container engine connects to other registries as configured in the deployment. This checklist is a starting point for firewall rules: You can enable dedicated data endpoints in your Azure Container registry to avoi If you don't want to configure your firewall to allow access to public container registries, you can store images in your private container registry, as described in [Store runtime containers in your private registry](#store-runtime-containers-in-your-private-registry). +#### Azure IoT Identity Service ++The [IoT Identity Service](https://azure.github.io/iot-identity-service/) provides provisioning and cryptographic services for Azure IoT devices. The identity service checks if the installed version is the latest version. The check uses the following FQDNs to verify the version. ++| FQDN | Outbound TCP Ports | Usage | +| - | | -- | +| `aka.ms` | 443 | Vanity URL that provides redirection to the version file | +| `raw.githubusercontent.com` | 443 | The identity service version file hosted in GitHub | + ### Configure communication through a proxy If your devices are going to be deployed on a network that uses a proxy server, they need to be able to communicate through the proxy to reach IoT Hub and container registries. For more information, see [Configure an IoT Edge device to communicate through a proxy server](how-to-configure-proxy-support.md). |
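Review bot: the new Azure IoT Identity Service section lists `aka.ms` and `raw.githubusercontent.com` on TCP 443 as required for the version check, but does not say what happens when those FQDNs are blocked (for example on an isolated production network) or whether the check can be turned off; the checklist should state that, since readers are using this table to build allow-lists.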
iot-edge | Tutorial Develop For Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-edge/tutorial-develop-for-linux.md | Last updated 05/02/2023 - zone_pivot_groups: iotedge-dev+content_well_notification: + - AI-contribution # Tutorial: Develop IoT Edge modules using Visual Studio Code [!INCLUDE [iot-edge-version-all-supported](includes/iot-edge-version-all-supported.md)] - This tutorial walks through developing and deploying your own code to an IoT Edge device. You can use Azure IoT Edge modules to deploy code that implements your business logic directly to your IoT Edge devices. In the [Deploy code to a Linux device](quickstart-linux.md) quickstart, you created an IoT Edge device and deployed a module from the Azure Marketplace. This article includes steps for two IoT Edge development tools. |
iot-edge | Tutorial Nested Iot Edge | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-edge/tutorial-nested-iot-edge.md | Last updated 05/10/2023 -+content_well_notification: + - AI-contribution # Tutorial: Create a hierarchy of IoT Edge devices [!INCLUDE [iot-edge-version-1.4](includes/iot-edge-version-1.4.md)] - You can deploy Azure IoT Edge nodes across networks organized in hierarchical layers. Each layer in a hierarchy is a gateway device that handles messages and requests from devices in the layer beneath it. This configuration is also known as *nested edge*. You can structure a hierarchy of devices so that only the top layer has connectivity to the cloud, and the lower layers can only communicate with adjacent upstream and downstream layers. This network layering is the foundation of most industrial networks that follow the [ISA-95 standard](https://en.wikipedia.org/wiki/ANSI/ISA-95). |
key-vault | Quick Create Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/keys/quick-create-terraform.md | description: 'In this article, you create an Azure key vault and key using Terra -+ Last updated 4/14/2023+content_well_notification: + - AI-contribution # Quickstart: Create an Azure key vault and key using Terraform In this article, you learn how to: > * Create an Azure key vault using [azurerm_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) > * Create an Azure key vault key using [azurerm_key_vault_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key) - ## Prerequisites - [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) |
load-balancer | Cross Region Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/cross-region-overview.md | Floating IP can be configured at both the global IP level and regional IP level. ### Health Probes -Azure cross-region Load Balancer utilizes the health of the backend regional load balancers when deciding where to distribute traffic to. Health checks by cross-region load balancer are done automatically every 20 seconds, given that a user has set up health probes on their regional load balancer.   +Azure cross-region Load Balancer utilizes the health of the backend regional load balancers when deciding where to distribute traffic to. Health checks by cross-region load balancer are done automatically every 5 seconds, given that a user has set up health probes on their regional load balancer.   ## Build cross region solution on existing Azure Load Balancer |
load-balancer | Load Balancer Custom Probe Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-custom-probe-overview.md | Health probes support multiple protocols. The availability of a specific health | **[Probe protocol](#probe-protocol)** | TCP, HTTP, HTTPS | TCP, HTTP | | **[Probe down behavior](#probe-down-behavior)** | All probes down, all TCP flows continue. | All probes down, all TCP flows expire. | +## Probe properties ++Health probes have the following properties: ++| Health Probe property name | Details| +| | | +| Name | Name of the health probe. This is a naame you get to define for your health probe | +| Protocol | Protocol of health probe. This is the protocol type you would like the health probe to leverage. Options are: TCP, HTTP, HTTPS | +| Port | Port of the health probe. The destination port you would like the health probe to use when it connects to the virtual machine to check it's health | +| Interval (seconds) | Interval of health probe. The amount of time (in seconds) between different probe two consecutive health check attemps to the virtual machine | +| Used by | The list of load balancer rules using this specific health probe. You should have at least one rule using the health probe for it to be effective | + ## Probe configuration Health probe configuration consists of the following elements: |
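Review bot: typos in the added Probe properties table: `naame` in the Name row should be `name`, `it's health` in the Port row should be `its health`, and the Interval row reads `between different probe two consecutive health check attemps`, which should be `between two consecutive health check attempts`.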
machine-learning | How To Deploy Mlflow Models Online Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-deploy-mlflow-models-online-endpoints.md | MLflow models can be deployed to online endpoints without indicating a scoring s You will typically select this workflow when: > [!div class="checklist"]+> - The model doesn't have a `PyFunc` flavor on it. > - You need to customize the way the model is run, for instance, use an specific flavor to load it with `mlflow.<flavor>.load_model()`. > - You need to do pre/pos processing in your scoring routine when it is not done by the model itself. > - The output of the model can't be nicely represented in tabular data. For instance, it is a tensor representing an image. |
machine-learning | Reference Yaml Registry | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/reference-yaml-registry.md | The source JSON schema can be found at [https://azuremlschemasprod.azureedge.net | `tags` | object | Dictionary of tags for the registry. | | | | `location` | string | **Required.** The primary location of the registry. | | | | `replication_locations` | object | **Required.** List of locations where the associated resources of the registry will be replicated. The list must include the primary location of registry. | | |-| `publicNetworkAccess` | string | Whether public endpoint access is allowed if the registry will be using Private Link. | `enabled`, `disabled` | `disabled` | +| `public_network_access` | string | Whether public endpoint access is allowed if the registry will be using Private Link. | `enabled`, `disabled` | `enabled` | ## Remarks |
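Review bot: besides renaming the key to `public_network_access`, this hunk changes the documented default from `disabled` to `enabled`; confirm that against the service behaviour, and because a registry created with Private Link and this key omitted would then stay reachable from the public network, the Remarks section should tell readers to set `public_network_access: disabled` explicitly when they use Private Link.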
notification-hubs | Create Notification Hub Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/create-notification-hub-terraform.md | description: In this article, you create an Azure notification hub using Terrafo -+ Last updated 4/14/2023+content_well_notification: + - AI-contribution # Quickstart: Create an Azure notification hub using Terraform In this article, you learn how to: > * Create a random value for the Azure Notification Hub name using [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string). > * Create an Azure Notification Hub using [azurerm_notification_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/notification_hub). - ## Prerequisites - [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) |
operator-nexus | Concepts Nexus Kubernetes Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/concepts-nexus-kubernetes-cluster.md | to learn about Kubernetes. ## Nexus Kubernetes cluster -Nexus Kubernetes cluster is an Operator Nexus version of -[AKS-Hybrid](/azure/aks/hybrid/). Like AKS-Hybrid, Nexus Kubernetes -Cluster is an on-premises implementation of the Azure Kubernetes Service -orchestrator, which automates running containerized applications. Nexus -Kubernetes Cluster is optimized to automate creation of containers to +Nexus Kubernetes cluster (NAKS) is an Operator Nexus version of AKS for on-premises use. It is optimized to automate creation of containers to run tenant network function workloads. Like any Kubernetes cluster, Nexus Kubernetes cluster has two |
operator-nexus | Howto Kubernetes Cluster Aad Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/howto-kubernetes-cluster-aad-rbac.md | + + Title: Role-based access control in Azure Operator Nexus Kubernetes clusters #Required; page title is displayed in search results. Include the brand. +description: Information about role-based access control in Azure Operator Nexus Kubernetes clusters #Required; article description that is displayed in search results. ++++ Last updated : 06/30/2023 #Required; mm/dd/yyyy format.++++# Role-based access control in Azure Operator Nexus Kubernetes clusters ++This article provides a comprehensive guide on how to manage access to Nexus Kubernetes clusters using Azure Active Directory (Azure AD). Specifically, we're focusing on role-based access control, which allows you to grant permissions to users based on their roles or responsibilities within your organization. ++## Before you begin ++1. To begin, create an Azure AD group for your cluster administrators and assign members to it. Azure AD allows access to be granted to the group as a whole, rather than managing permissions for each user individually. +2. Use the group ID you created as the value for 'adminGroupObjectIds' when creating the Nexus Kubernetes cluster to ensure that the members of the group get permissions to manage the cluster. Refer to the [QuickStart](./quickstarts-kubernetes-cluster-deployment-bicep.md) guide for instructions on how to create and access the Nexus Kubernetes cluster. ++## Administrator access to the cluster ++Nexus creates a Kubernetes cluster role binding with the default Kubernetes role ```cluster-admin``` and the Azure AD groups you specified as `adminGroupObjectIds`. The cluster administrators have full access to the cluster and can perform all operations on the cluster. The cluster administrators can also grant access to other users by assigning them to the appropriate Azure AD group. +++## Role-based access control +As an administrator, you can provide role-based access control to the cluster by creating a role binding with Azure AD group object ID. For users who only need 'view' permissions, you can accomplish the task by adding them to an Azure AD group that's tied to the 'view' role. ++1. Create an Azure AD group for users who need 'view' access, referring to the default Kubernetes role called `view`. This role is just an example, and if necessary, you can create custom roles and use them instead. For more information on user-facing roles in Kubernetes, you can refer to the official documentation at [Kubernetes roll-based access roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). ++2. Take note of the Azure AD group object ID generated upon creation. ++3. Use the kubectl command to create a clusterrolebinding with the 'view' role and associate it with the Azure AD group. Replace `AZURE_AD_GROUP_OBJECT_ID` with the object ID of your Azure AD group. ++ ```bash + kubectl create clusterrolebinding nexus-read-only-users --clusterrole view --group=AZURE_AD_GROUP_OBJECT_ID + ``` + This command creates a cluster role binding named `nexus-read-only-users` that assigns the `view` role to the members of the specified Azure AD group. ++4. Verify that the role binding was created successfully. + ```bash + kubectl get clusterrolebinding nexus-read-only-users + ``` ++5. Now the users in the Azure AD group have 'view' access to the cluster. They can access the cluster using `az connectedk8s proxy` to view the resources, but can't make any changes +++## Next steps ++You can further fine-tune access control by creating custom roles with specific permissions. The creation of these roles involves Kubernetes native RoleBinding or ClusterRoleBinding resources. You can check the official [Kubernetes documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for detailed guidance on creating more custom roles and role bindings as per your requirements. |
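Review bot: in step 1 of the Role-based access control section the link text `Kubernetes roll-based access roles` should read `role-based`, and step 5 is missing its terminating period after `but can't make any changes`. Since the Administrator access section says every group in `adminGroupObjectIds` is bound to `cluster-admin`, the article should also advise keeping that group small and putting everyone else in the `view` group it describes.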
postgresql | Concepts Connectivity Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/single-server/concepts-connectivity-architecture.md | The following table lists the gateway IP addresses of the Azure Database for Pos | Germany West Central | 51.116.152.0 | 51.116.152.32/29, 51.116.240.32/29, 51.116.248.32/29| | India Central || 104.211.86.32/29, 20.192.96.32/29| | India South | | 40.78.192.32/29, 40.78.193.32/29|-| India West | 104.211.160.80 | 104.211.144.32/29, 104.211.145.32/29 | +| India West | | 104.211.144.32/29, 104.211.145.32/29 | | Japan East | 40.79.192.23, 40.79.184.8 | 13.78.104.32/29, 40.79.184.32/29, 40.79.192.32/29 | | Japan West | | 40.74.96.32/29 | | Korea Central | 52.231.17.13 | 20.194.64.32/29,20.44.24.32/29, 52.231.16.32/29 | |
private-multi-access-edge-compute-mec | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-multi-access-edge-compute-mec/overview.md | description: Learn about the Azure private multi-access edge compute (MEC) solut Previously updated : 06/16/2021 Last updated : 06/16/2023 |
sap | Cal S4h | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/cal-s4h.md | The online library is continuously updated with Appliances for demo, proof of co | [**SAP S/4HANA 2022 FPS01, Fully-Activated Appliance**](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/3722f683-42af-4059-90db-4e6a52dc9f54) | April 20 2023 |This appliance contains SAP S/4HANA 2022 (FPS01) with pre-activated SAP Best Practices for SAP S/4HANA core functions, and further scenarios for Service, Master Data Governance (MDG), Portfolio Mgmt. (PPM), Human Capital Management (HCM), Analytics, and more. User access happens via SAP Fiori, SAP GUI, SAP HANA Studio, Windows remote desktop, or the backend operating system for full administrative access. | [Create Appliance](https://cal.sap.com/registration?sguid=3722f683-42af-4059-90db-4e6a52dc9f54&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) | | [**SAP S/4HANA 2022, Fully-Activated Appliance**]( https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/f4e6b3ba-ba8f-485f-813f-be27ed5c8311) | December 15 2022 |This appliance contains SAP S/4HANA 2022 (SP00) with pre-activated SAP Best Practices for SAP S/4HANA core functions, and further scenarios for Service, Master Data Governance (MDG), Portfolio Mgmt. (PPM), Human Capital Management (HCM), Analytics, and more. User access happens via SAP Fiori, SAP GUI, SAP HANA Studio, Windows remote desktop, or the backend operating system for full administrative access. | [Create Appliance](https://cal.sap.com/registration?sguid=f4e6b3ba-ba8f-485f-813f-be27ed5c8311&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) | [**SAP BW/4HANA 2021 SP04 Developer Edition**](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/1b0ac659-a5b4-4d3b-b1ae-f1a1cb89c6db)| March 23 2023 | This solution offers you an insight of SAP BW/4HANA2021 SP04. SAP BW/4HANA is the next generation Data Warehouse optimized for SAP HANA. Beside the basic BW/4HANA options the solution offers a bunch of SAP HANA optimized BW/4HANA Content and the next step of Hybrid Scenarios with SAP Data Warehouse Cloud. | [Create Appliance](https://cal.sap.com/registration?sguid=1b0ac659-a5b4-4d3b-b1ae-f1a1cb89c6db&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |-| [**SAP S/4HANA 2022 FPS01**]( https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/d6215ddc-67c6-4bdc-8df7-302367f8e016) | February 28 2023 | This solution comes as a standard S/4HANA system installation including a remote desktop for easy frontend access. It contains a pre-configured and activated SAP S/4HANA Fiori UI in client 100, with prerequisite components activated as per SAP note 3282460 - Composite SAP note: Rapid Activation for SAP Fiori in SAP S/4HANA 2022 FPS01. | [Create Appliance](https://cal.sap.com/registration?sguid=d6215ddc-67c6-4bdc-8df7-302367f8e016&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) | [**SAP ABAP Platform 1909, Developer Edition**](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/5a830213-f0cb-423e-ab5f-f7736e57f5a1)| May 10 2023 | The SAP ABAP Platform on SAP HANA gives you access to your own copy of SAP ABAP Platform 1909 Developer Edition on SAP HANA. Note that this solution is preconfigured with many additional elements, including: SAP ABAP RESTful Application Programming Model, SAP Fiori launchpad, SAP gCTS, SAP ABAP Test Cockpit, and preconfigured frontend / backend connections, etc It also includes all the standard ABAP AS infrastructure: Transaction Management, database operations / persistence, Change and Transport System, SAP Gateway, interoperability with ABAP Development Toolkit and SAP WebIDE, and much more. | [Create Appliance](https://cal.sap.com/registration?sguid=5a830213-f0cb-423e-ab5f-f7736e57f5a1&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |+| [**SAP Focused Run 4.0 FP01, unconfigured**](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/2afd7a3e-ecf4-4a20-a975-ce05c4360e55) | June 29 2023 | SAP Focused Run is designed specifically for businesses that need high-volume system and application monitoring, alerting, and analytics. It's a powerful solution for service providers, who want to host all their customers in one central, scalable, safe, and automated environment. It also addresses customers with advanced needs regarding system management, user monitoring, integration monitoring, and configuration and security analytics.| [Create Appliance](https://cal.sap.com/registration?sguid=2afd7a3e-ecf4-4a20-a975-ce05c4360e55&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) | | [**SAP NetWeaver 7.5 SP15 on SAP ASE**](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/solutions/69efd5d1-04de-42d8-a279-813b7a54c1f6) | January 3 2018 | SAP NetWeaver 7.5 SP15 on SAP ASE | [Create Appliance](https://cal.sap.com/registration?sguid=69efd5d1-04de-42d8-a279-813b7a54c1f6&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) | The following links highlight the Product stacks that you can quickly deploy on | -- | : | | **SAP S/4HANA 2022 FPS00 for Productive Deployments** | [Deploy System](https://cal.sap.com/registration?sguid=3b1dc287-c865-4f79-b9ed-d5ec2dc755e9&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8&provType=pd) | |This solution comes as a standard S/4HANA system installation including High Availability capabilities to ensure higher system uptime for productive usage. The system parameters can be customized during initial provisioning according to the requirements for the target system. | [Details]( https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/products/3b1dc287-c865-4f79-b9ed-d5ec2dc755e9) |+| **SAP S/4HANA 2021 FPS04 for Productive Deployments** | [Deploy System](https://cal.sap.com/registration?sguid=29403c63-6504-4919-b5dd-319d7a99804e&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8&provType=newInstallation) | +|This solution comes as a standard S/4HANA system installation including High Availability capabilities to ensure higher system uptime for productive usage. The system parameters can be customized during initial provisioning according to the requirements for the target system. | [Details]( https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/products/29403c63-6504-4919-b5dd-319d7a99804e) | | **SAP S/4HANA 2021 FPS03 for Productive Deployments** | [Deploy System](https://cal.sap.com/registration?sguid=6921f2f8-169b-45bb-9e0b-d89b4abee1f3&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8&provType=pd) | |This solution comes as a standard S/4HANA system installation including High Availability capabilities to ensure higher system uptime for productive usage. The system parameters can be customized during initial provisioning according to the requirements for the target system. | [Details]( https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/products/6921f2f8-169b-45bb-9e0b-d89b4abee1f3) | | **SAP S/4HANA 2021 FPS02 for Productive Deployments** | [Deploy System](https://cal.sap.com/registration?sguid=4d5f19a7-d3cb-4d47-9f44-0a9e133b11de&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8&provType=pd) | The following links highlight the Product stacks that you can quickly deploy on |This solution comes as a standard S/4HANA system installation including High Availability capabilities to ensure higher system uptime for productive usage. The system parameters can be customized during initial provisioning according to the requirements for the target system. | [Details](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/products/1c796928-0617-490b-a87d-478568a49628)| | **SAP S/4HANA 2021 FPS00 for Productive Deployments** | [Deploy System](https://cal.sap.com/registration?sguid=108febf9-5e7b-4e47-a64d-231b6c4c821d&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8&provType=pd) | |This solution comes as a standard S/4HANA system installation including High Availability capabilities to ensure higher system uptime for productive usage. The system parameters can be customized during initial provisioning according to the requirements for the target system. | [Details](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/products/108febf9-5e7b-4e47-a64d-231b6c4c821d) |-| **SAP S/4HANA 2020 FPS04 for Productive Deployments** | [Deploy System](https://cal.sap.com/registration?sguid=615c5c18-5226-4dcb-b0ab-19d0141baf9b&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8&provType=pd) | -|This solution comes as a standard S/4HANA system installation including High Availability capabilities to ensure higher system uptime for productive usage. The system parameters can be customized during initial provisioning according to the requirements for the target system. | [Details]( https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/products/615c5c18-5226-4dcb-b0ab-19d0141baf9b) | _Within a few hours, a healthy SAP S/4HANA appliance or product is deployed in Azure._ -If you bought an SAP CAL subscription, SAP fully supports deployments through SAP CAL on Azure. The support queue is BC-VCM-CAL. ----+If you bought an SAP CAL subscription, SAP fully supports deployments through SAP CAL on Azure. The support queue is BC-VCM-CAL. |
sap | Planning Guide Storage Azure Files | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/planning-guide-storage-azure-files.md | When you plan your deployment with Azure Files, consider the following important - Deploy a separate `sapmnt` share for each SAP system. - Don't use the `sapmnt` share for any other activity, such as interfaces. - Don't use the `saptrans` share for any other activity, such as interfaces.-- If your SAP system has a heavy load of batch jobs, you might have millions of job logs. If the SAP batch job logs are stored in the file system, pay special attention to the sizing of the `sapmnt` share. Reorganize the job log files regularly as per [SAP note 16083](https://launchpad.support.sap.com/#/notes/16083). As of SAP_BASIS 7.52, the default behavior for the batch job logs is to be stored in the database. For details, see [SAP note 2360818 | Job log in the database][https://launchpad.support.sap.com/#/notes/2360818].+- If your SAP system has a heavy load of batch jobs, you might have millions of job logs. If the SAP batch job logs are stored in the file system, pay special attention to the sizing of the `sapmnt` share. Reorganize the job log files regularly as per [SAP note 16083](https://launchpad.support.sap.com/#/notes/16083). As of SAP_BASIS 7.52, the default behavior for the batch job logs is to be stored in the database. For details, see [SAP note 2360818 | Job log in the database](https://launchpad.support.sap.com/#/notes/2360818). - Avoid consolidating the shares for too many SAP systems in a single storage account. There are also [scalability and performance targets for storage accounts](/azure/storage/files/storage-files-scale-targets#storage-account-scale-targets). Be careful to not exceed the limits for the storage account, too. - In general, don't consolidate the shares for more than *five* SAP systems in a single storage account. This guideline helps you avoid exceeding the storage account limits and simplifies performance analysis. - In general, avoid mixing shares like `sapmnt` for non-production and production SAP systems in the same storage account. |
search | Search Get Started Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-get-started-terraform.md | Title: 'Quickstart: Deploy using Terraform' description: 'In this article, you create an Azure Cognitive Search service using Terraform.' Last updated 4/14/2023-+ +content_well_notification: + - AI-contribution # Quickstart: Deploy Cognitive Search service using Terraform In this article, you learn how to: > * Create a random string using [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) > * Create an Azure Cognitive Search service using [azurerm_search_service](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/search_service) - ## Prerequisites - [Install and configure Terraform](/azure/developer/terraform/quickstart-configure) |
sentinel | Billing Monitor Costs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/billing-monitor-costs.md | For information about assigning access to Azure Cost Management data, see [Assig ## View costs by using cost analysis--As you use Azure resources with Microsoft Sentinel, you incur costs. Azure resource usage unit costs vary by time intervals such as seconds, minutes, hours, and days, or by unit usage, like bytes and megabytes. As soon as Microsoft Sentinel use starts, it incurs costs, and you can see the costs in [cost analysis](../cost-management/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). +As you use Azure resources with Microsoft Sentinel, you incur costs. Azure resource usage unit costs vary by time intervals such as seconds, minutes, hours, and days, or by unit usage, like bytes and megabytes. As soon as Microsoft Sentinel starts to analyze billable data, it incurs costs. View these costs by using cost analysis in the Azure portal. For more information, see [Start using cost analysis](../cost-management/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). When you use cost analysis, you view Microsoft Sentinel costs in graphs and tables for different time intervals. Some examples are by day, current and prior month, and year. You also view costs against budgets and forecasted costs. Switching to longer views over time can help you identify spending trends. And you see where overspending might have occurred. If you've created budgets, you can also easily see where they're exceeded. For example, to see charts of your daily costs for a certain time frame: :::image type="content" source="media/billing-monitor-costs/cost-management.png" alt-text="Screenshot of a cost management + billing cost analysis screen." lightbox="media/billing-monitor-costs/cost-management.png"::: -You could also apply further controls. 
For example, to view only the costs associated with Microsoft Sentinel, select **Add filter**, select **Service name**, and then select the service names **Sentinel**, **log analytics**, and **azure monitor**. +You could also apply further controls. For example, to view only the costs associated with Microsoft Sentinel, select **Add filter**, select **Service name**, and then select the service names **Sentinel**, **Log Analytics**, and **Azure Monitor**. Microsoft Sentinel data ingestion volumes appear under **Security Insights** in some portal Usage Charts. -The Microsoft Sentinel pricing tiers don't include Log Analytics charges. To change your pricing tier commitment for Log Analytics, see [Change pricing tier for Log Analytics workspace](../azure-monitor/logs/change-pricing-tier.md). +The Microsoft Sentinel classic pricing tiers don't include Log Analytics charges, so you may see those charges billed separately. Microsoft Sentinel simplified pricing combines the two costs into one set of tiers. To learn more about Microsoft Sentinel's simplified pricing tiers, see [Simplified pricing tiers](billing.md#simplified-pricing-tiers). -For more information, see [Create budgets](#create-budgets) and [Reduce costs in Microsoft Sentinel](billing-monitor-costs.md). +For more information on reducing costs, see [Create budgets](#create-budgets) and [Reduce costs in Microsoft Sentinel](billing-monitor-costs.md). ## Using Azure Prepayment with Microsoft Sentinel The Microsoft Sentinel GitHub community provides the [`Send-IngestionCostAlert`] ## Define a data volume cap in Log Analytics > [!IMPORTANT]-> Starting September 18, 2023, the Log Analytics Daily Cap will no longer exclude the below set of data types from the daily cap, and all billable data types will -> be capped if the daily cap is met. This change improves your ability to fully contain costs from higher-than-expected data ingestion. 
-> If you have a Daily Cap set on your workspace which has [Microsoft Defender for Servers](/azure/defender-for-cloud/plan-defender-for-servers-select-plan) or Microsoft Sentinel, -> be sure that the cap is high enough to accomodate this change. Also, be sure to set an alert so that you are notified as soon as your Daily Cap is met, see [Set daily cap on Log Analytics workspace](../azure-monitor/logs/daily-cap.md). +> Starting September 18, 2023, the Log Analytics Daily Cap will no longer exclude the below set of data types from the daily cap, and all billable data types will be capped if the daily cap is met. This change improves your ability to fully contain costs from higher-than-expected data ingestion. +> If you have a Daily Cap set on your workspace which has [Microsoft Defender for Servers](/azure/defender-for-cloud/plan-defender-for-servers-select-plan) or Microsoft Sentinel, be sure that the cap is high enough to accommodate this change. Also, be sure to set an alert so that you are notified as soon as your Daily Cap is met, see [Set daily cap on Log Analytics workspace](../azure-monitor/logs/daily-cap.md). In Log Analytics, you can enable a daily volume cap that limits the daily ingestion for your workspace. The daily cap can help you manage unexpected increases in data volume, stay within your limit, and limit unplanned charges. |
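Review bot: the rewritten sentence at the end of the cost-analysis hunk, `For more information on reducing costs, see [Create budgets](#create-budgets) and [Reduce costs in Microsoft Sentinel](billing-monitor-costs.md).`, still points the reduce-costs link at this same file; the commit set shows that article lives at `billing-reduce-costs.md`, so fix the target while the sentence is being touched. In the daily-cap IMPORTANT note, "the below set of data types" refers to a list that does not appear in the hunk; confirm it still follows, and spell out what being capped means for a security workspace: once the cap is met, Microsoft Sentinel and Defender for Servers data for the rest of the day is not ingested and so is not there to be analyzed, which is why the alert the note asks for should be presented as required rather than optional.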
sentinel | Billing Reduce Costs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/billing-reduce-costs.md | Last updated 02/22/2022 Costs for Microsoft Sentinel are only a portion of the monthly costs in your Azure bill. Although this article explains how to reduce costs for Microsoft Sentinel, you're billed for all Azure services and resources your Azure subscription uses, including Partner services. ## Set or change pricing tier--To optimize for highest savings, monitor your ingestion volume to ensure you have the Commitment Tier that aligns most closely with your ingestion volume patterns. You can increase or decrease your Commitment Tier to align with changing data volumes. +To optimize for highest savings, monitor your ingestion volume to ensure you have the Commitment Tier that aligns most closely with your ingestion volume patterns. Consider increasing or decreasing your Commitment Tier to align with changing data volumes. You can increase your Commitment Tier anytime, which restarts the 31-day commitment period. However, to move back to Pay-As-You-Go or to a lower Commitment Tier, you must wait until after the 31-day commitment period finishes. Billing for Commitment Tiers is on a daily basis. To see your current Microsoft Sentinel pricing tier, select **Settings** in the To change your pricing tier commitment, select one of the other tiers on the pricing page, and then select **Apply**. You must have **Contributor** or **Owner** role in Microsoft Sentinel to change the pricing tier. -Microsoft Sentinel data ingestion volumes appear under **Security Insights** in some portal Usage Charts. +To learn more about how to monitor your costs, see [Manage and monitor costs for Microsoft Sentinel](billing-monitor-costs.md) -The Microsoft Sentinel pricing tiers don't include Log Analytics charges. To change your pricing tier commitment for Log Analytics, see [Change pricing tier](../azure-monitor/logs/change-pricing-tier.md). 
+For workspaces still using classic pricing tiers, the Microsoft Sentinel pricing tiers don't include Log Analytics charges. For more information, see [Simplified pricing tiers](billing.md#simplified-pricing-tiers). ## Separate non-security data in a different workspace Unlike analytics logs, [basic logs](../azure-monitor/logs/basic-logs-configure.m If you ingest at least 500 GB into your Microsoft Sentinel workspace or workspaces in the same region, consider moving to a Log Analytics dedicated cluster to decrease costs. A Log Analytics dedicated cluster Commitment Tier aggregates data volume across workspaces that collectively ingest a total of 500 GB or more. -Log Analytics dedicated clusters don't apply to Microsoft Sentinel Commitment Tiers. Microsoft Sentinel costs still apply per workspace in the dedicated cluster. +For more information on how this affects pricing, see [Simplified pricing tier for dedicated cluster](enroll-simplified-pricing-tier.md#simplified-pricing-tiers-for-dedicated-clusters). You can add multiple Microsoft Sentinel workspaces to a Log Analytics dedicated cluster. There are a couple of advantages to using a Log Analytics dedicated cluster for Microsoft Sentinel: |
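Review bot: the dedicated-cluster hunk drops the statement `Log Analytics dedicated clusters don't apply to Microsoft Sentinel Commitment Tiers. Microsoft Sentinel costs still apply per workspace in the dedicated cluster.` and replaces it with a link only, yet the first hunk of the same change says some workspaces still use classic pricing tiers; keep a one-sentence statement of how classic-tier workspaces are billed inside a cluster so those readers do not have to follow the link to learn that Microsoft Sentinel charges remain per workspace. Two smaller points: the added line `To learn more about how to monitor your costs, see [Manage and monitor costs for Microsoft Sentinel](billing-monitor-costs.md)` has no terminating period, and the context still reads `Last updated 02/22/2022` although the text now describes simplified pricing, so the date metadata should be bumped with this change.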
sentinel | Billing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/billing.md | -As you plan your Microsoft Sentinel deployment, you typically want to understand the Microsoft Sentinel pricing and billing models, so you can optimize your costs. Microsoft Sentinel security analytics data is stored in an Azure Monitor Log Analytics workspace. Billing is based on the volume of that data in Microsoft Sentinel and the Azure Monitor Log Analytics workspace storage. Learn more about [Microsoft Sentinel pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/). +As you plan your Microsoft Sentinel deployment, you typically want to understand its pricing and billing models to optimize your costs. Microsoft Sentinel's security analytics data is stored in an Azure Monitor Log Analytics workspace. Billing is based on the volume of data *analyzed* in Microsoft Sentinel and *stored* in the Log Analytics workspace. The cost of both is combined in a simplified pricing tier. Learn more about the [simplified pricing tiers](#simplified-pricing-tiers) or learn more about [Microsoft Sentinel pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/) in general. Before you add any resources for Microsoft Sentinel, use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/) to help estimate your costs. Costs for Microsoft Sentinel are only a portion of the monthly costs in your Azu ## Free trial -Try Microsoft Sentinel free for the first 31 days. Microsoft Sentinel can be enabled at no extra cost on an Azure Monitor Log Analytics workspace, subject to the limits stated below: --- **New Log Analytics workspaces** can ingest up to 10 GB/day of log data for the first 31-days at no cost. New workspaces include workspaces that are less than three days old.-- Both Log Analytics data ingestion and Microsoft Sentinel charges are waived during the 31-day trial period. 
This free trial is subject to a 20 workspace limit per Azure tenant. --- **Existing Log Analytics workspaces** can enable Microsoft Sentinel at no extra cost. Existing workspaces include any workspaces created more than three days ago.-- Only the Microsoft Sentinel charges are waived during the 31-day trial period. +Enable Microsoft Sentinel on an Azure Monitor Log Analytics workspace and the first 10 GB/day is free for 31 days. The cost for both Log Analytics data ingestion and Microsoft Sentinel analysis charges up to the 10 GB/day limit are waived during the 31-day trial period. This free trial is subject to a 20 workspace limit per Azure tenant. Usage beyond these limits will be charged per the pricing listed on the [Microsoft Sentinel pricing](https://azure.microsoft.com/pricing/details/azure-sentinel) page. Charges related to extra capabilities for [automation](automation.md) and [bring your own machine learning](bring-your-own-ml.md) are still applicable during the free trial. Identify the data sources you're ingesting or plan to ingest to your workspace i ## Estimate costs and billing before using Microsoft Sentinel -If you're not yet using Microsoft Sentinel, you can use the [Microsoft Sentinel pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=azure-sentinel) to estimate potential costs. Enter *Microsoft Sentinel* in the Search box and select the resulting Microsoft Sentinel tile. The pricing calculator helps you estimate your likely costs based on your expected data ingestion and retention. +Use the [Microsoft Sentinel pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=azure-sentinel) to estimate new or changing costs. Enter *Microsoft Sentinel* in the Search box and select the resulting Microsoft Sentinel tile. The pricing calculator helps you estimate your likely costs based on your expected data ingestion and retention. 
-For example, you can enter the GB of daily data you expect to ingest in Microsoft Sentinel, and the region for your workspace. The calculator provides the aggregate monthly cost across these components: +For example, enter the GB of daily data you expect to ingest in Microsoft Sentinel, and the region for your workspace. The calculator provides the aggregate monthly cost across these components: - Azure Monitor data ingestion: Analytics logs and basic logs-- Microsoft Sentinel data analytics: Analytics logs and basic logs-- Data retention-- Data archive (archived logs)-- Basic logs queries+- Microsoft Sentinel: Analytics logs and basic logs +- Azure Monitor: Retention +- Azure Monitor: Data Restore +- Azure Monitor: Search Queries and Search Jobs ## Understand the full billing model for Microsoft Sentinel -Microsoft Sentinel offers a flexible and predictable pricing model. For more information, see the [Microsoft Sentinel pricing page](https://azure.microsoft.com/pricing/details/azure-sentinel/). For the related Log Analytics charges, see [Azure Monitor Log Analytics pricing](https://azure.microsoft.com/pricing/details/log-analytics/). +Microsoft Sentinel offers a flexible and predictable pricing model. For more information, see the [Microsoft Sentinel pricing page](https://azure.microsoft.com/pricing/details/azure-sentinel/). Workspaces older than July 2023 might have Log Analytics workspace charges separate from Microsoft Sentinel in a classic pricing tier. For the related Log Analytics charges, see [Azure Monitor Log Analytics pricing](https://azure.microsoft.com/pricing/details/log-analytics/). Microsoft Sentinel runs on Azure infrastructure that accrues costs when you deploy new resources. It's important to understand that there could be other, extra infrastructure costs that might accrue. ### How you're charged for Microsoft Sentinel -Microsoft Sentinel offers flexible pricing based on the types of logs ingested into a workspace. 
Analytics logs typically make up most of your high security value logs. Basic logs tend to be verbose with low security value. It's important to note that billing is done per workspace on a daily basis for all log types and tiers. +Pricing is based on the types of logs ingested into a workspace. Analytics logs typically make up most of your high value security logs. Basic logs tend to be verbose with low security value. It's important to note that billing is done per workspace on a daily basis for all log types and tiers. #### Analytics logs There are two ways to pay for the analytics logs: **Pay-As-You-Go** and **Commitment Tiers**. -- **Pay-As-You-Go** is the default model, based on the actual data volume stored and optionally for data retention beyond 90 days. Data volume is measured in GB (10^9 bytes).+- **Pay-As-You-Go** is the default model, based on the actual data volume stored and optionally for data retention beyond 90 days. Data volume is measured in GB (10<sup>9</sup> bytes). -- Log Analytics and Microsoft Sentinel also have **Commitment Tier** pricing, formerly called Capacity Reservations, which is more predictable and saves as much as 65% compared to Pay-As-You-Go pricing.+- Log Analytics and Microsoft Sentinel have **Commitment Tier** pricing, formerly called Capacity Reservations. These pricing tiers are combined into simplified pricing tiers which are more predictable and offer substantial savings compared to **Pay-As-You-Go** p |
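Review bot: the free-trial hunk collapses the old new-workspace/existing-workspace distinction into `The cost for both Log Analytics data ingestion and Microsoft Sentinel analysis charges up to the 10 GB/day limit are waived during the 31-day trial period`, but the "Understand the full billing model" hunk in the same change says workspaces older than July 2023 might still be billed on a classic tier with Log Analytics charges separate from Microsoft Sentinel; either confirm both charges are waived for those workspaces too or keep the removed caveat that for existing workspaces only the Microsoft Sentinel charges are waived. Also, the change now links the pricing page under two different paths, `pricing/details/microsoft-sentinel/` in the intro and `pricing/details/azure-sentinel` in the free-trial and billing-model paragraphs; pick one. In the last Commitment Tier bullet the concrete "saves as much as 65%" has become "substantial savings", which is vaguer than the figure it replaces unless that number is no longer accurate.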